On 6 October 2016 at 19:09, Davide Caratti wrote:
> this series fixes SNAT/DNAT rules where port number translation is
> explicitly configured, but only the L3 address is translated:
>
> # iptables -t nat -A POSTROUTING -o eth1 -p sctp -j SNAT --to-source
> 10.0.0.1:61000
> # tcpdump -s46 -tni et
On Fri, 2016-10-07 at 09:35 +0200, Arturo Borrero Gonzalez wrote:
> Since I can add the same rule in nftables, I wonder if the same problem
> happens:
>
> chain postrouting {
> type nat hook postrouting priority 0; policy accept;
> ip protocol sctp snat 10.0.0.1:61000
> }
>
hello Arturo,
th
On 7 October 2016 at 11:59, Davide Caratti wrote:
> On Fri, 2016-10-07 at 09:35 +0200, Arturo Borrero Gonzalez wrote:
>> Since I can add the same rule in nftables, I wonder if the same problem
>> happens:
>>
>> chain postrouting {
>> type nat hook postrouting priority 0; policy accept;
>> ip p
From: Liping Zhang
For example:
# iptables-translate -A OUTPUT -j DSCP --set-dscp 1
nft add rule ip filter OUTPUT counter ip dscp set 0x01
# ip6tables-translate -A OUTPUT -j DSCP --set-dscp 6
nft add rule ip6 filter OUTPUT counter ip6 dscp set 0x06
Signed-off-by: Liping Zhang
---
exte
From: Liping Zhang
We forgot to put "!=" when devgroup can be mapped to a name, so the translation
is wrong:
# iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
nft add rule ip filter OUTPUT oifgroup default counter
Apply this patch:
# iptables-translate -A OUTPUT -m devgroup ! --dst-grou
From: Liping Zhang
This patch set fixes some bugs related to translation:
* libipt_realm: add a missing space
* libxt_iprange: ip6tables translation's format is not correct
* libxt_iprange & libxt_devgroup: handle the invert flag properly
* libxt_ipcomp: add range support
Also add libxt_
From: Liping Zhang
nft will complain about a syntax error if we use "ip saddr" or "ip daddr" in the
ip6 family, so the current translation is wrong:
# ip6tables-translate -A OUTPUT -m iprange --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT ip saddr 2003::1-2003::3 counter
From: Liping Zhang
For example:
# iptables-translate -A OUTPUT -m quota --quota 111
nft add rule ip filter OUTPUT quota 111 bytes counter
# iptables-translate -A OUTPUT -m quota ! --quota 111
nft add rule ip filter OUTPUT quota over 111 bytes counter
Signed-off-by: Liping Zhang
---
ex
From: Liping Zhang
When translating to nft rules, an ipcompspi range is not supported, so:
# iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
nft add rule ip filter OUTPUT comp cpi 1 counter
# iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
nft add rule ip filter OUTPUT comp c
From: Liping Zhang
For example:
# iptables-translate -A OUTPUT -m statistic --mode nth --every 10 \
--packet 1
nft add rule ip filter OUTPUT numgen inc mod 10 1 counter
# iptables-translate -A OUTPUT -m statistic --mode nth ! --every 10 \
--packet 5
nft add rule ip filter OUTPUT numg
From: Liping Zhang
We missed a blank space when translating to nft, so if rt_realm can be
mapped to a name, the result looks ugly:
# iptables-translate -A OUTPUT -m realm --realm 0
nft add rule ip filter OUTPUT rtclassidcosmos counter
^
Apply this patc
From: Liping Zhang
If we specify the invert flag, we should put "!=" after "ip saddr/daddr",
so the current translation is wrong:
# iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
nft add rule ip filter OUTPUT != ip daddr 1.1.1.1-1.1.1.2 counter
# ip6tables-translate
Arturo Borrero Gonzalez wrote:
> Unlike in iptables, in nftables we don't know the expected l4 protocol
> at rule setup time.
>
> In the iptables<->nftables compat layer, we have an expression
> attribute which is filled from userspace with the l4 protocol
> (NFTA_RULE_COMPAT_PROTO).
>
> Not sur
Since the code explicitly falls back to a smaller allocation when the
large one fails, we shouldn't complain when that happens.
Signed-off-by: Calvin Owens
---
net/netfilter/nfnetlink_log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_log.c b/net/ne