    iptables: rework ip(6)tables-nft dependencies · b0bd6599
    Etienne Champetier authored
    
    According to the iptables-nft man page,
    "These tools use the libxtables framework extensions and hook to the nf_tables
    kernel subsystem using the nft_compat module."
    
    This means that, to work, iptables-nft needs the same modules as
    iptables legacy, except ip(6)table-{filter,mangle,nat,raw},
    ip_tables and ip6tables.
    When those modules are loaded, iptables-nft-save output contains
    "# Warning: iptables-legacy tables present, use iptables-legacy-save to see them"
    but as long as it's empty it should not be a problem.
    
    To have nft properly display the rules created by ip(6)tables-nft, we need
    all iptables targets and matches to be built as extensions and not built-in
    (/usr/lib/iptables/libip(6)t_*.so).
    
    When switching a package to iptables-nft, you need to keep the
    iptables-mod-* dependencies.
    
    This patch makes minimal changes:
    - remove the direct iptables-nft -> iptables dependency
    - and, more important, add the nft-compat dependency
    
    The rule
    iptables-nft -A OUTPUT -d 8.8.8.8 -m comment --comment "aaa" -j REJECT
    becomes:
    table ip filter {
    	chain OUTPUT {
    		type filter hook output priority filter; policy accept;
    		ip daddr 8.8.8.8 # xt_comment counter packets 0 bytes 0 # xt_REJECT
    	}
    }
    
    Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
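As an added example (not part of this commit or of the iptables/OpenWrt projects): a small Python helper that parses `nft list ruleset` text for the `# xt_*` markers shown above, so an operator can inventory which rules still come through nft_compat, and that checks `iptables-nft-save` output for the legacy-tables warning. The sample ruleset is constructed from the commit's example plus one native nft rule for contrast.

```python
"""Inventory nft_compat (xt_*) expressions in `nft list ruleset` output.

Rules added through iptables-nft are stored via nft_compat, and nft prints
them with opaque "# xt_<name>" markers. This is an added, stand-alone helper,
not code from the commit above.
"""
import re

# Constructed sample: the ruleset from the commit message plus one native rule.
SAMPLE_RULESET = """\
table ip filter {
\tchain OUTPUT {
\t\ttype filter hook output priority filter; policy accept;
\t\tip daddr 8.8.8.8 # xt_comment counter packets 0 bytes 0 # xt_REJECT
\t\tip daddr 1.1.1.1 counter packets 3 bytes 180 drop
\t}
}
"""

LEGACY_WARNING = "# Warning: iptables-legacy tables present"
XT_MARK = re.compile(r"#\s*(xt_[A-Za-z0-9_]+)")


def find_xt_rules(ruleset: str) -> list[dict]:
    """Return one record per rule line carrying an xt_* compat marker.

    The enclosing table/chain is tracked via the brace-delimited headers so
    each finding can be located in the ruleset.
    """
    table = chain = None
    findings = []
    for line in ruleset.splitlines():
        s = line.strip()
        if s.startswith("table ") and s.endswith("{"):
            table = s[len("table "):-1].strip()
        elif s.startswith("chain ") and s.endswith("{"):
            chain = s[len("chain "):-1].strip()
        elif s == "}":
            # Closing brace ends the chain if one is open, else the table.
            if chain is not None:
                chain = None
            else:
                table = None
        else:
            exts = XT_MARK.findall(s)
            if exts:
                findings.append({"table": table, "chain": chain,
                                 "extensions": exts, "rule": s})
    return findings


def legacy_tables_present(save_output: str) -> bool:
    """True if iptables-nft-save flagged legacy ip_tables tables as present."""
    return any(l.startswith(LEGACY_WARNING) for l in save_output.splitlines())


if __name__ == "__main__":
    for f in find_xt_rules(SAMPLE_RULESET):
        print(f"{f['table']}/{f['chain']}: {', '.join(f['extensions'])} <- {f['rule']}")
```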