pespin has uploaded this change for review. ( 
https://gerrit.osmocom.org/c/osmo-ggsn/+/38525?usp=email )


Change subject: doc: Update all iptables references with nftables
......................................................................

doc: Update all iptables references with nftables

Change-Id: I3caf316e8ccf1d757b83f7a119271084c55e018c
---
M doc/examples/firewall
M doc/manuals/chapters/mtu.adoc
M doc/manuals/chapters/running.adoc
3 files changed, 23 insertions(+), 23 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-ggsn refs/changes/25/38525/1

diff --git a/doc/examples/firewall b/doc/examples/firewall
index fce735a..d5fadec 100755
--- a/doc/examples/firewall
+++ b/doc/examples/firewall
@@ -13,36 +13,36 @@
 #   to and from the Gn interface.
 # * Masquerede on Gi interface.

-IPTABLES="/sbin/iptables"
+NFT="nft"
 IFGN="eth0"
 IFGI="eth1"
 
-$IPTABLES -P INPUT DROP
-$IPTABLES -P FORWARD ACCEPT
-$IPTABLES -P OUTPUT ACCEPT
+$NFT add chain ip filter input '{ policy drop; }'
+$NFT add chain ip filter forward '{ policy accept; }'
+$NFT add chain ip filter output '{ policy accept; }'

 #Allow related and established on all interfaces (input)
-$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+$NFT add rule ip filter input ct state related,established counter accept

 #Allow releated, established, GTP and ssh on $IFGN. Reject everything else.
-$IPTABLES -A INPUT -i $IFGN -p tcp -m tcp --dport 22 --syn -j ACCEPT
-$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2123 -j ACCEPT
-$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2152 -j ACCEPT
-$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 3386 -j ACCEPT
-$IPTABLES -A INPUT -i $IFGN -j REJECT
+$NFT add rule ip filter input iifname $IFGN tcp dport 22 tcp flags syn / 
fin,syn,rst,ack counter accept
+$NFT add rule ip filter input iifname $IFGN udp dport 2123 counter accept
+$NFT add rule ip filter input iifname $IFGN udp dport 2152 counter accept
+$NFT add rule ip filter input iifname $IFGN udp dport 3386 counter accept
+$NFT add rule ip filter input iifname $IFGN counter reject

 #Allow related, established and ssh. Drop everything else.
-$IPTABLES -A INPUT -i $IFGI -p tcp -m tcp --dport 22 --syn -j ACCEPT
-$IPTABLES -A INPUT -i $IFGI -j DROP
+$NFT add rule ip filter input iifname $IFGI tcp dport 22 tcp flags syn / 
fin,syn,rst,ack counter accept
+$NFT add rule ip filter input iifname $IFGI counter drop

 # Masquerade everything going out on $IFGI
-$IPTABLES -t nat -A POSTROUTING -o $IFGI -j MASQUERADE
+$NFT add rule ip nat POSTROUTING oifname $IFGI counter masquerade

 #Allow everything on loopback interface.
-$IPTABLES -A INPUT -i lo -j ACCEPT
+$NFT add rule ip filter input iifname "lo" counter accept

 # Drop everything to and from $IFGN (forward)
-$IPTABLES -A FORWARD -i $IFGN -j DROP
-$IPTABLES -A FORWARD -o $IFGN -j DROP
+$NFT add rule ip filter forward iifname $IFGN counter drop
+$NFT add rule ip filter forward oifname $IFGN counter drop
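Review bot: The three `add chain` lines carry no `type filter hook … priority …` specification, so they create regular chains rather than base chains; no packet is ever dispatched to them and `policy drop` on the input chain has no effect (nft may even reject a policy on a non-base chain), and the `ip filter` and `ip nat` tables plus the nat postrouting chain are never created at all, which iptables supplied implicitly but nftables does not. In a plain shell script without `set -e` every failing `$NFT` invocation is ignored, so the host ends up with no firewall instead of a visibly failing script. The same missing-table/base-chain precondition applies to the snippets in mtu.adoc and running.adoc, which should state that an `ip nat` (and `ip6 nat`) table with nat-type base chains must exist first. The nat chain is spelled `POSTROUTING` here but `postrouting` in the other two files; nft chain names are case-sensitive, so one spelling should be used throughout. The two `tcp flags syn / fin,syn,rst,ack` rules appear wrapped across two lines in the mail; if that wrap is in the file rather than a mail artifact, the shell splits each command in two.
```shell
$NFT add table ip filter
$NFT add chain ip filter input '{ type filter hook input priority 0; policy drop; }'
$NFT add chain ip filter forward '{ type filter hook forward priority 0; policy accept; }'
$NFT add chain ip filter output '{ type filter hook output priority 0; policy accept; }'
$NFT add table ip nat
$NFT add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'
# … unchanged: input and forward rules …
$NFT add rule ip nat postrouting oifname $IFGI counter masquerade
```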


diff --git a/doc/manuals/chapters/mtu.adoc b/doc/manuals/chapters/mtu.adoc
index eb323d6..041219f 100644
--- a/doc/manuals/chapters/mtu.adoc
+++ b/doc/manuals/chapters/mtu.adoc
@@ -146,13 +146,13 @@
 MSS = TUNNEL_MTU - IP_HDR - TCP_HDR = 1420 - 60 - 56 = 1304
 ----

-In linux, the MSS of TCP connections can be clamped using iptables:
+In linux, the MSS of TCP connections can be clamped using nftables:

 ----
-iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN -i apn0 -j TCPMSS 
--set-mss 1304
-iptables -t nat -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o apn0 -j 
TCPMSS --set-mss 1304
-ip6tables -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN -i apn0 -j 
TCPMSS --set-mss 1304
-ip6tables -t nat -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o apn0 -j 
TCPMSS --set-mss 1304
+nft 'add rule ip nat prerouting iifname "apn0" tcp flags syn / syn,rst counter 
tcp option maxseg size set 1304'
+nft 'insert rule ip nat postrouting oifname "apn0" tcp flags syn / syn,rst 
counter tcp option maxseg size set 1304'
+nft 'add rule ip6 nat prerouting iifname "apn0" tcp flags syn / syn,rst 
counter tcp option maxseg size set 1304'
+nft 'insert rule ip6 nat postrouting oifname "apn0" tcp flags syn / syn,rst 
counter tcp option maxseg size set 1304'
 ----

 ==== Further Reading
diff --git a/doc/manuals/chapters/running.adoc 
b/doc/manuals/chapters/running.adoc
index 386b6b5..99fa11d 100644
--- a/doc/manuals/chapters/running.adoc
+++ b/doc/manuals/chapters/running.adoc
@@ -43,14 +43,14 @@

 ----
 sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
-iptables -t nat -A POSTROUTING -o '*' -j MASQUERADE
+nft 'add rule ip nat postrouting oifname "\*" counter masquerade'
 ----

 (You may want to replace `*` with the network device name, like `-o eth0`)

 There are various ways to enable these settings persistently, please refer to
 your distribution's documentation -- e.g. look for @net.ipv4.ip_forward=1@ in
-@/etc/sysctl.d/@, and https://wiki.debian.org/iptables for masquerading.
+@/etc/sysctl.d/@, and https://wiki.debian.org/nftables for masquerading.

 include::{srcdir}/chapters/mtu.adoc[]
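Review bot: The `"\*"` in the new masquerade command reaches nft with the backslash intact because it sits inside single quotes, and nft's string handling appears to treat a trailing `\*` as an escaped, literal asterisk rather than the wildcard; if so, the rule matches only an interface literally named `*` and masquerading silently never happens, whereas plain `"*"` (already shell-safe inside the single quotes) is the documented wildcard form. The explanatory sentence below the snippet still tells the reader to replace `*` with something `like -o eth0`, which is iptables syntax; it should now read `like oifname "eth0"`. As with the firewall example, this rule presupposes an `ip nat` table with a nat-type `postrouting` base chain, which nftables does not create implicitly and which the text could state next to the ip_forward sysctl.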


--

Gerrit-MessageType: newchange
Gerrit-Project: osmo-ggsn
Gerrit-Branch: master
Gerrit-Change-Id: I3caf316e8ccf1d757b83f7a119271084c55e018c
Gerrit-Change-Number: 38525
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <[email protected]>
