<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:phil@nwl.cc" title="Phil Sutter <phil@nwl.cc>"> <span class="fn">Phil Sutter</span></a>
</span> changed
<a class="bz_bug_link
bz_status_NEW "
title="NEW - iptables-restore-translate"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1370">bug 1370</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">CC</td>
<td>
</td>
<td>phil@nwl.cc
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - iptables-restore-translate"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1370#c3">Comment # 3</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - iptables-restore-translate"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1370">bug 1370</a>
from <span class="vcard"><a class="email" href="mailto:phil@nwl.cc" title="Phil Sutter <phil@nwl.cc>"> <span class="fn">Phil Sutter</span></a>
</span></b>
<pre>(In reply to Thomas from <a href="show_bug.cgi?id=1370#c0">comment #0</a>)
<span class="quote">> Created <span class=""><a href="attachment.cgi?id=571" name="attach_571" title="Untranslatable Rules">attachment 571</a> <a href="attachment.cgi?id=571&action=edit" title="Untranslatable Rules">[details]</a></span>
> Untranslatable Rules
>
> There are some rules that could not be translated and I don't know enough about
> nftables to translate them by hand, could I get some help with those rules?</span>
Retrying with a current iptables-translate:
<span class="quote">> # -t mangle -A PREROUTING -p tcp -m tcp --sport 53 -j TOS --set-tos 0x04/0xff</span>
nft 'add rule ip mangle PREROUTING tcp sport 53 counter ip6 dscp set 0x01'
<span class="quote">> # -t mangle -A PREROUTING -p tcp -m tcp --sport 512:65535 -j TOS --set-tos 0x10/0xff</span>
nft 'add rule ip mangle PREROUTING tcp sport 512-65535 counter ip6 dscp set 0x04'
<span class="quote">> # -t mangle -A POSTROUTING -p tcp -m tcp --dport 5353 -j TOS --set-tos 0x00/0xff</span>
nft 'add rule ip mangle POSTROUTING tcp dport 5353 counter ip6 dscp set 0x00'
<span class="quote">> # -t mangle -A POSTROUTING -p tcp -m tcp --dport 512:65535 -j TOS --set-tos 0x10/0xff</span>
nft 'add rule ip mangle POSTROUTING tcp dport 512-65535 counter ip6 dscp set 0x04'
<span class="quote">> # -t filter -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</span>
nft 'add rule ip filter OUTPUT tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu'
<span class="quote">> # -t filter -A IN_SANITY -p tcp -m tcp --tcp-option 64 -j DROP</span>
nft 'add rule ip filter IN_SANITY tcp option 64 exists counter drop'
Could you please review the above for correctness?
These remain unsupported:
<span class="quote">> # -t mangle -A POSTROUTING -d 199.201.233.88/32 -p tcp -j ECN --ecn-tcp-remove</span>
ECN extension does not provide a translation, but implementing one should be
trivial since nftables supports manipulating TCP header's ECE and CWR flags.
<span class="quote">> # -t filter -A PZERO -p tcp -m tcp --dport 0 -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
> # -t filter -A RABPSCAN -p tcp -m tcp --dport 1 -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
> # -t filter -A FRAG_UDP -p udp -f -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
> # -t filter -A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
> # -t filter -A INPUT -m recent --update --seconds 300 --hitcount 1 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP</span>
Recent extension does not provide a translation. Partial support by use of (a)
set(s) with timeout should be possible.</pre>
</div>
</p>
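<p>What the set-with-timeout approach mentioned for the recent rules could look like, as an added sketch that is neither part of this comment nor iptables-translate output. It assumes INPUT is the base chain on the input hook, that a 5 minute default element timeout stands in for --seconds 300, that --set refreshing an existing entry maps to the nft update statement, and that --hitcount 1 is met by mere presence in the set.</p>

```nft
# Added illustration (not iptables-translate output) of the five "-m recent"
# rules quoted above, rewritten around one dynamic set with a default timeout.
# Assumptions: INPUT is the base chain on the input hook; the jump rules that
# reach the user chains are not part of the bug report and are not shown.
table ip filter {
	set DEFAULT {
		type ipv4_addr
		flags dynamic,timeout
		timeout 5m            # stands in for "--update --seconds 300"
	}

	# "-m recent --set --rsource": insert the source address, or refresh its
	# timeout if it is already present (update does both).
	chain PZERO {
		tcp dport 0 update @DEFAULT { ip saddr } counter drop
	}
	chain RABPSCAN {
		tcp dport 1 update @DEFAULT { ip saddr } counter drop
	}
	chain FRAG_UDP {
		# "-p udp -f": non-first fragments of UDP datagrams
		ip protocol udp ip frag-off & 0x1fff != 0 update @DEFAULT { ip saddr } counter drop
	}
	chain IN_SANITY {
		# "--tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE": no flag of that mask set
		tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 update @DEFAULT { ip saddr } counter drop
	}

	chain INPUT {
		type filter hook input priority 0; policy accept;
		# "--update --seconds 300 --hitcount 1": match only addresses still in
		# the set (seen within the last 5m), refresh their timeout, then drop.
		# --hitcount 1 holds by presence alone; larger hit counts are the part
		# a plain set cannot express, hence only partial support.
		ip saddr @DEFAULT update @DEFAULT { ip saddr } counter drop
	}
}
```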
</body>
</html>