Re: [PATCH iptables 2/3] extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate

2016-08-30 Thread Pablo Neira Ayuso
On Sun, Aug 28, 2016 at 04:50:47PM +0800, Liping Zhang wrote:
> From: Liping Zhang 
> 
> After commit "src: add 'to' for snat and dnat" in nftables tree,
> we should recommend the end user to use the new syntax.
> 
> Before this patch:
>   # iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
>   nft add rule ip nat POSTROUTING counter snat 1.1.1.1
>   # ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination 2001::1
>   nft add rule ip6 nat PREROUTING counter dnat 2001::1
> 
> Apply this patch:
>   # iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
>   nft add rule ip nat POSTROUTING counter snat to 1.1.1.1
>   # ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination 2001::1
>   nft add rule ip6 nat PREROUTING counter dnat to 2001::1

Applied, thanks!

BTW, if you have some spare cycles, it would be great to use the
square brackets in the translation output too I think.

# ip6tables-translate -t nat -A PREROUTING -p tcp -j DNAT --to-destination [abcd::1]:30
nft add rule ip6 nat PREROUTING meta l4proto tcp counter dnat abcd::1 :30
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH iptables 2/3] extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlate

2016-08-28 Thread Liping Zhang
From: Liping Zhang 

After commit "src: add 'to' for snat and dnat" in nftables tree,
we should recommend the end user to use the new syntax.

Before this patch:
  # iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
  nft add rule ip nat POSTROUTING counter snat 1.1.1.1
  # ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination 2001::1
  nft add rule ip6 nat PREROUTING counter dnat 2001::1

Apply this patch:
  # iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1
  nft add rule ip nat POSTROUTING counter snat to 1.1.1.1
  # ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination 2001::1
  nft add rule ip6 nat PREROUTING counter dnat to 2001::1

Signed-off-by: Liping Zhang 
---
 extensions/libip6t_DNAT.c | 2 +-
 extensions/libip6t_SNAT.c | 2 +-
 extensions/libipt_DNAT.c  | 2 +-
 extensions/libipt_SNAT.c  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
index 3925c3b..97a8b1c 100644
--- a/extensions/libip6t_DNAT.c
+++ b/extensions/libip6t_DNAT.c
@@ -259,7 +259,7 @@ static int DNAT_xlate(struct xt_xlate *xl,
bool sep_need = false;
const char *sep = " ";
 
-   xt_xlate_add(xl, "dnat ");
+   xt_xlate_add(xl, "dnat to ");
print_range_xlate(range, xl);
if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
xt_xlate_add(xl, " random");
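Review bot: print_range_xlate(range, xl), called right after the new "dnat to " prefix, is left as it was, and the reply in this thread shows the IPv6 address-plus-port case coming out as "dnat abcd::1 :30" for an input of [abcd::1]:30. While the output syntax is being updated here, consider printing the IPv6 address in square brackets when a port follows, so the translated rule mirrors the ip6tables input and the boundary between address and port is unambiguous to anyone reviewing the generated ruleset.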
diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
index 4d742ea..c3d8190 100644
--- a/extensions/libip6t_SNAT.c
+++ b/extensions/libip6t_SNAT.c
@@ -269,7 +269,7 @@ static int SNAT_xlate(struct xt_xlate *xl,
bool sep_need = false;
const char *sep = " ";
 
-   xt_xlate_add(xl, "snat ");
+   xt_xlate_add(xl, "snat to ");
print_range_xlate(range, xl);
if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
xt_xlate_add(xl, " random");
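Review bot: the new "snat to " literal ties the translated rule to an nft that already includes the nftables commit "src: add 'to' for snat and dnat" named in the commit message, but nothing in the message says which nftables version that is or whether the form without "to" is still accepted. Please state the dependency in the commit message, since users who run ip6tables-translate against an older nft need to know why the generated rule may not load.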
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 7890719..a14d16f 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -271,7 +271,7 @@ static int DNAT_xlate(struct xt_xlate *xl,
const char *sep = " ";
 
for (i = 0; i < info->mr.rangesize; i++) {
-   xt_xlate_add(xl, "dnat ");
+   xt_xlate_add(xl, "dnat to ");
print_range_xlate(>mr.range[i], xl);
if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM) {
xt_xlate_add(xl, " random");
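Review bot: in the IPv4 variant the "dnat to " keyword is added inside the for loop over info->mr.rangesize, so a target with more than one range would print the keyword once per range within a single translated rule. Please confirm that this is the intended output for rangesize greater than 1, or emit the keyword once before the loop and only call print_range_xlate() per iteration.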
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 5c699d3..e92d811 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -282,7 +282,7 @@ static int SNAT_xlate(struct xt_xlate *xl,
const char *sep = " ";
 
for (i = 0; i < info->mr.rangesize; i++) {
-   xt_xlate_add(xl, "snat ");
+   xt_xlate_add(xl, "snat to ");
print_range_xlate(>mr.range[i], xl);
if (info->mr.range[i].flags & NF_NAT_RANGE_PROTO_RANDOM) {
xt_xlate_add(xl, " random");
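Review bot: the commit message documents before/after output only for an address-only target, while the lines following the changed xt_xlate_add() in this hunk append " random" when NF_NAT_RANGE_PROTO_RANDOM is set. Adding one before/after pair to the commit message for a rule that sets that flag (and one with a port) would document the full translated form with "to" and give reviewers something to check the four files against.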
-- 
2.5.5

