[Bug 1370] iptables-restore-translate
bugzilla-daemon at netfilter.org
Thu Jul 13 16:43:24 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1370
Phil Sutter <phil at nwl.cc> changed:
What      | Removed | Added
----------+---------+----------------
CC        |         | phil at nwl.cc
--- Comment #3 from Phil Sutter <phil at nwl.cc> ---
(In reply to Thomas from comment #0)
> Created attachment 571 [details]
> Untranslatable Rules
>
> There are some rules that could not be translated and I don't know enough about
> nftables to translate them by hand, could I get some help with those rules?
Retrying with a current iptables-translate:
> # -t mangle -A PREROUTING -p tcp -m tcp --sport 53 -j TOS --set-tos 0x04/0xff
nft 'add rule ip mangle PREROUTING tcp sport 53 counter ip6 dscp set 0x01'
> # -t mangle -A PREROUTING -p tcp -m tcp --sport 512:65535 -j TOS --set-tos 0x10/0xff
nft 'add rule ip mangle PREROUTING tcp sport 512-65535 counter ip6 dscp set 0x04'
> # -t mangle -A POSTROUTING -p tcp -m tcp --dport 5353 -j TOS --set-tos 0x00/0xff
nft 'add rule ip mangle POSTROUTING tcp dport 5353 counter ip6 dscp set 0x00'
> # -t mangle -A POSTROUTING -p tcp -m tcp --dport 512:65535 -j TOS --set-tos 0x10/0xff
nft 'add rule ip mangle POSTROUTING tcp dport 512-65535 counter ip6 dscp set 0x04'
> # -t filter -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
nft 'add rule ip filter OUTPUT tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu'
> # -t filter -A IN_SANITY -p tcp -m tcp --tcp-option 64 -j DROP
nft 'add rule ip filter IN_SANITY tcp option 64 exists counter drop'
Could you please review the above for correctness?
These remain unsupported:
> # -t mangle -A POSTROUTING -d 199.201.233.88/32 -p tcp -j ECN --ecn-tcp-remove
ECN extension does not provide a translation, but implementing one should be
trivial since nftables supports manipulating TCP header's ECE and CWR flags.
> # -t filter -A PZERO -p tcp -m tcp --dport 0 -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
> # -t filter -A RABPSCAN -p tcp -m tcp --dport 1 -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
> # -t filter -A FRAG_UDP -p udp -f -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
> # -t filter -A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
> # -t filter -A INPUT -m recent --update --seconds 300 --hitcount 1 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
Recent extension does not provide a translation. Partial support by use of (a)
set(s) with timeout should be possible.
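The comment above leaves the `recent` rules untranslated and points at sets with timeouts as a partial replacement. The ruleset below is an added example written for this page; it is not part of the bug report and not output of iptables-translate. It carries the translated rules from the comment into a native nft script (loaded with `nft -f`) and emulates `-m recent --name DEFAULT --rsource` with one dynamic set. Assumptions: the set name `recent_default`, the base-chain hook and priority lines, and the absence of the rules that jump into PZERO, RABPSCAN, FRAG_UDP and IN_SANITY (the report does not show them, so they are not reconstructed here). Two caveats a reviewer would raise: the posted TOS translations print `ip6 dscp` inside an `ip` family table, and the field for an IPv4 table is `ip dscp`, which is what this example uses; and `--set-tos X/0xff` also overwrites the two ECN bits of the TOS byte, which `ip dscp set` alone does not touch, so the DSCP form is an approximation. The ECN target is left out because its TCP-flag rewrite syntax should be checked against the nft version in use.

```nft
#!/usr/sbin/nft -f
# Added example for bug 1370, not code from the report or from iptables.
# Chain names and the 199.201.233.88/32 address are taken from the report;
# hook/priority lines and the set name are assumptions.

table ip mangle {
    chain PREROUTING {
        type filter hook prerouting priority mangle; policy accept;
        # TOS --set-tos 0x04/0xff: DSCP is the top six bits of the TOS byte, 0x04 >> 2 = 0x01
        tcp sport 53 counter ip dscp set 0x01
        # 0x10 >> 2 = 0x04
        tcp sport 512-65535 counter ip dscp set 0x04
    }
    chain POSTROUTING {
        type filter hook postrouting priority mangle; policy accept;
        tcp dport 5353 counter ip dscp set 0x00
        tcp dport 512-65535 counter ip dscp set 0x04
        # ECN --ecn-tcp-remove for 199.201.233.88/32 intentionally omitted (see lead-in).
    }
}

table ip filter {
    # Stand-in for "-m recent --name DEFAULT --mask 255.255.255.255 --rsource":
    # a dynamic set keyed on the full source address. Every entry expires
    # 300 s after it was last written, which is the window the INPUT rule
    # below checks with "--update --seconds 300 --hitcount 1".
    # xt_recent caps a list at ip_list_tot entries; add "size N" here if a
    # comparable bound is wanted.
    set recent_default {
        type ipv4_addr
        flags dynamic,timeout
        timeout 5m
    }

    chain INPUT {
        type filter hook input priority filter; policy accept;
        # --update matches only addresses already listed, refreshes their
        # timestamp on a match, and then the rule drops. Matching the set
        # first and updating second reproduces that order.
        ip saddr @recent_default update @recent_default { ip saddr timeout 5m } counter drop
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
        # TCPMSS --clamp-mss-to-pmtu on SYN (and not RST) packets
        tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu
    }

    # The four "--set" rules: each records the source address (with the
    # 5 minute expiry) and drops. The original jumps into these chains are
    # not in the report and are not reconstructed here.
    chain IN_SANITY {
        tcp option 64 exists counter drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 update @recent_default { ip saddr timeout 5m } counter drop
    }
    chain PZERO {
        tcp dport 0 update @recent_default { ip saddr timeout 5m } counter drop
    }
    chain RABPSCAN {
        tcp dport 1 update @recent_default { ip saddr timeout 5m } counter drop
    }
    chain FRAG_UDP {
        # "-p udp -f": second and later fragments; no transport header is
        # present, so only the fragment offset can be tested.
        ip protocol udp ip frag-off & 0x1fff != 0 update @recent_default { ip saddr timeout 5m } counter drop
    }
}
```

Where this departs from xt_recent: entries created by `--set` never expire in the recent list, while the set above drops them after five minutes without traffic. For the single INPUT rule shown that makes no difference, since `--update --seconds 300` would not match such an entry either and xt_recent only refreshes the timestamp when the rule matches; it would matter for any additional `--rcheck` or `--update` rule with a longer `--seconds` value, which this approximation cannot express with one set-wide timeout.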