Breaking down task of adding nft support.

On Wed, Jun 08, 2022 at 10:38:16AM -0400, Andrew Cagney wrote:
> this week it is https://github.com/libreswan/libreswan/issues/116

I am in favor of adding nft support along with iptables support. Add a build variable? Any thoughts on how to add nft support while keeping iptables support?

There are different uses of iptables. Some are easy to replace with nft. Maybe we can add nft support slowly, one by one.

1. programs/barf/barf.in : used for diagnostics? This is probably easy to replace. nft list or something.

3. programs/ipsec/ipsec.8.xml : documentation

5. programs/ipsec/ipsec.in : NFLOG and CAT support. I will see if I can figure out the exact syntax. nft seems to support NFLOG. Any nft experts here who would like to help? How to translate the following rules to nft:

iptables -I INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
iptables -I INPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec

and of course deleting rules, which I think is one of the biggest differences between nft and iptables? How do I get the "handle"? which is needed to delete the rule. I usually delete the table and re-create :)

iptables -D INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec
iptables -D OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 50 --nflog-prefix all-ipsec

CAT rules are:

iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec \
    -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}
iptables -t nat -I PREROUTING -m policy --dir in --pol ipsec \
    -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
    -j DNAT --to-destination ${PLUTO_ME}
iptables -t nat -D PREROUTING -m policy --dir in --pol ipsec \
    -d ${PLUTO_MY_CLIENT_NET} -s ${PLUTO_PEER_CLIENT} \
    -j DNAT --to-destination ${PLUTO_ME}
iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec \
    -d ${PLUTO_PEER_CLIENT} -j SNAT --to-source ${PLUTO_MY_CLIENT_NET}

4. programs/_updown.xfrm/_updown.xfrm.in : it seems similar to the above. I wonder why we need CAT and NFLOG in two places!

5. programs/look/look.in : seems diagnostics only? I'm not sure why it is adding a mangle table.

6. programs/pluto/plutomain.c : just a comment

7. programs/verify/verify.in : a runtime check. Maybe this is what is actually failing in Debian testing/building. I suspect they run "ipsec verify"?

_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
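The message above asks how the NFLOG and CAT iptables rules translate to nft and how deletion works without a rule handle. The script below is an added example written for this page; it is not libreswan code and not anything the thread's participants posted. It renders the nft equivalents as text (so they can be reviewed or piped into "nft -f -") and keeps them in one private table, so the whole set is removed with a single "delete table", which is the nft counterpart of the "delete the table and re-create" habit mentioned in the post. Assumptions made here: a kernel and nft new enough for the "meta ipsec" and "ipsec in|out" expressions; IPv4 only (family ip); the table name "libreswan" and the chain names are invented; the PLUTO_ME, PLUTO_PEER, PLUTO_PEER_CLIENT and PLUTO_MY_CLIENT_NET values are passed as arguments rather than read from the environment; and, because "ipsec out" needs a key and "meta ipsec" is only valid on the prerouting/input/forward hooks, outbound rules are keyed on the SA destination (the IKE peer). The iptables "--dir out" NFLOG rule in the post is inserted on INPUT, where it cannot match; the matching -D is on OUTPUT, so the example uses the output hook.

```shell
#!/bin/sh
# Added example, not libreswan code: nft equivalents of the NFLOG and CAT
# rules from the post. Table/chain names are invented; addresses are
# passed in as arguments (constructed inputs, mirroring _updown's PLUTO_*).
set -u
TABLE="${TABLE:-libreswan}"
NFT="${NFT:-nft}"

# One private table holding all four hooks. Everything pluto adds lives
# here, so "nft delete table ip $TABLE" drops it all without handles.
chains() {
    printf 'add table ip %s\n' "$TABLE"
    printf 'add chain ip %s input { type filter hook input priority 0; }\n' "$TABLE"
    printf 'add chain ip %s output { type filter hook output priority 0; }\n' "$TABLE"
    printf 'add chain ip %s prerouting { type nat hook prerouting priority -100; }\n' "$TABLE"
    printf 'add chain ip %s postrouting { type nat hook postrouting priority 100; }\n' "$TABLE"
}

# NFLOG, inbound: "-m policy --dir in --pol ipsec" on INPUT becomes
# "meta ipsec exists" (packet came in through an SA); "-j NFLOG
# --nflog-group N --nflog-prefix P" becomes "log group N prefix P".
nflog_in_rule() {   # $1 group, $2 prefix
    printf 'add rule ip %s input meta ipsec exists log group %s prefix "%s"\n' "$TABLE" "$1" "$2"
}
# NFLOG, outbound: "ipsec out" plus a key is required on the output hook.
# Keying on the SA destination (PLUTO_PEER) is an assumption of this example.
nflog_out_rule() {  # $1 group, $2 prefix, $3 peer address
    printf 'add rule ip %s output ipsec out ip daddr %s log group %s prefix "%s"\n' "$TABLE" "$3" "$1" "$2"
}

# CAT: SNAT on postrouting for traffic leaving through the tunnel, DNAT on
# prerouting for traffic that arrived through it, same peer-keyed match.
cat_rules() {       # $1 PLUTO_ME, $2 PLUTO_PEER, $3 PLUTO_PEER_CLIENT, $4 PLUTO_MY_CLIENT_NET
    printf 'add rule ip %s postrouting ipsec out ip daddr %s ip daddr %s snat to %s\n' "$TABLE" "$2" "$3" "$4"
    printf 'add rule ip %s prerouting ipsec in ip saddr %s ip saddr %s ip daddr %s dnat to %s\n' "$TABLE" "$2" "$3" "$4" "$1"
}

# The complete ruleset as one nft script (feed to "nft -f -").
render() {          # $1..$4 as cat_rules, $5 nflog group, $6 nflog prefix
    chains
    nflog_in_rule "$5" "$6"
    nflog_out_rule "$5" "$6" "$2"
    cat_rules "$1" "$2" "$3" "$4"
}

# Single-rule deletion, for when only one rule must go: "nft -a list"
# appends "# handle N" to every rule, so match the rule text and take N.
rule_handle() {     # $1 chain, $2 regex matched against the listed rule line
    "$NFT" -a list chain ip "$TABLE" "$1" \
      | awk -v pat="$2" '$0 ~ pat && /# handle [0-9]+$/ { sub(/.*# handle /, ""); print; exit }'
}
delete_rule() {     # $1 chain, $2 regex
    h=$(rule_handle "$1" "$2")
    [ -n "$h" ] && "$NFT" delete rule ip "$TABLE" "$1" handle "$h"
}

# usage: sh cat-nft.sh apply <me> <peer> <peer-client> <my-client-net> [group] [prefix]
#        sh cat-nft.sh delete
case "${1:-}" in
    apply)  shift; render "$1" "$2" "$3" "$4" "${5:-50}" "${6:-all-ipsec}" | "$NFT" -f - ;;
    delete) "$NFT" delete table ip "$TABLE" ;;
esac
```

Two points worth checking before using anything like this: "nft -a list chain" prints the log statement with the prefix before the group, so a handle lookup must not depend on the order the rule was written in; and if pluto ever needs to undo only one connection's CAT rules while leaving NFLOG in place, per-connection tables or the handle-based delete_rule above are the two ways to do it, since nft has no "delete this rule by repeating its text" form.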