path: root/iptables/xtables-translate.c
Commit message | Author | Age | Files | Lines

* iptables-translate: translate iptables --flush
  Author: Guruswamy Basavaiah   Age: 2016-03-22   Files: 1   Lines: -0/+8

    translation for iptables --flush

    Examples:

    $ sudo iptables-translate -F INPUT
    nft flush chain ip filter INPUT

    $ sudo iptables-translate -F -t nat
    nft flush table ip nat

    Signed-off-by: Guruswamy Basavaiah <guru2018@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* iptables-translate: pass ipt_entry and ip6t_entry to ->xlate()
  Author: Pablo Neira Ayuso   Age: 2016-03-09   Files: 1   Lines: -2/+4

    The multiport match needs it, this basically leaves ->xlate() indirection
    with almost the same interface as ->print().

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* iptables: extensions: iptables-translate prints extra "nft" after printing any error
  Author: Guruswamy Basavaiah   Age: 2016-03-01   Files: 1   Lines: -1/+1

    Output of command "./iptables-translate junk" is

      Bad argument `junk'
      Try `iptables-translate -h' or 'iptables-translate --help' for more information.
      nft

    Output of command "./iptables-translate -B" is

      iptables-translate v1.6.0: unknown option "-B"
      Try `iptables-translate -h' or 'iptables-translate --help' for more information.
      nft

    nft should not have been printed in both cases.
    Moving the printf call after the do_parse function call.

    Signed-off-by: Guruswamy Basavaiah <guru2018@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* extensions: rename xt_buf to xt_xlate
  Author: Pablo Neira Ayuso   Age: 2016-02-16   Files: 1   Lines: -15/+15

    Use a more generic name for this object to prepare the introduction of
    other translation specific fields.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* nft: xtables: add the infrastructure to translate from iptables to nft
  Author: Pablo Neira Ayuso   Age: 2016-02-16   Files: 1   Lines: -0/+463

    This patch provides the infrastructure and two new utilities to translate
    iptables commands to nft, they are:

    1) iptables-restore-translate which basically takes a file that contains
       the ruleset in iptables-restore format and converts it to the nft
       syntax, eg.

       % iptables-restore-translate -f ipt-ruleset > nft-ruleset
       % cat nft-ruleset
       # Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014
       add table ip filter
       add chain ip filter INPUT { type filter hook input priority 0; }
       add chain ip filter FORWARD { type filter hook forward priority 0; }
       add chain ip filter OUTPUT { type filter hook output priority 0; }
       add rule ip filter INPUT iifname lo counter accept
       # -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid:
       ...

       The rules that cannot be translated are left commented. Users should
       be able to run this to track down the nft progress to see at what
       point it can fully replace iptables and their filtering policy.

    2) iptables-translate which suggests a translation for an iptables command:

       $ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
       nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>