bugzilla-daemon at netfilter.org
2023-Jul-13 14:43 UTC
[Bug 1370] iptables-restore-translate
https://bugzilla.netfilter.org/show_bug.cgi?id=1370
Phil Sutter <phil at nwl.cc> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at nwl.cc
--- Comment #3 from Phil Sutter <phil at nwl.cc> ---
(In reply to Thomas from comment #0)
> Created attachment 571 [details]
> Untranslatable Rules
>
> There are some rules that could not be translated and I don't know enough about
> nftables to translate them by hand, could I get some help with those rules?
Retrying with a current iptables-translate:
> # -t mangle -A PREROUTING -p tcp -m tcp --sport 53 -j TOS --set-tos 0x04/0xff
nft 'add rule ip mangle PREROUTING tcp sport 53 counter ip6 dscp set 0x01'
> # -t mangle -A PREROUTING -p tcp -m tcp --sport 512:65535 -j TOS --set-tos 0x10/0xff
nft 'add rule ip mangle PREROUTING tcp sport 512-65535 counter ip6 dscp set 0x04'
> # -t mangle -A POSTROUTING -p tcp -m tcp --dport 5353 -j TOS --set-tos 0x00/0xff
nft 'add rule ip mangle POSTROUTING tcp dport 5353 counter ip6 dscp set 0x00'
> # -t mangle -A POSTROUTING -p tcp -m tcp --dport 512:65535 -j TOS --set-tos 0x10/0xff
nft 'add rule ip mangle POSTROUTING tcp dport 512-65535 counter ip6 dscp set 0x04'
> # -t filter -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
nft 'add rule ip filter OUTPUT tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu'
> # -t filter -A IN_SANITY -p tcp -m tcp --tcp-option 64 -j DROP
nft 'add rule ip filter IN_SANITY tcp option 64 exists counter drop'
Could you please review the above for correctness?
These remain unsupported:
> # -t mangle -A POSTROUTING -d 199.201.233.88/32 -p tcp -j ECN --ecn-tcp-remove
ECN extension does not provide a translation, but implementing one should be
trivial since nftables supports manipulating TCP header's ECE and CWR flags.
> # -t filter -A PZERO -p tcp -m tcp --dport 0 -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
> # -t filter -A RABPSCAN -p tcp -m tcp --dport 1 -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
> # -t filter -A FRAG_UDP -p udp -f -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
> # -t filter -A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
> # -t filter -A INPUT -m recent --update --seconds 300 --hitcount 1 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
Recent extension does not provide a translation. Partial support by use of (a)
set(s) with timeout should be possible.
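One way to do the "set(s) with timeout" approximation of the five untranslated recent rules, added here as an example; it is not code from the bug report, from iptables-translate or from the nftables project. The table and chain names are taken from the quoted rules. The set name recent_default, the INPUT base chain hook and the jumps into the custom chains are assumptions, since the original ruleset's wiring is not shown in the report.

```nft
#!/usr/sbin/nft -f
# Added example, not from bug 1370 or iptables-translate: emulate
# "-m recent --name DEFAULT --mask 255.255.255.255 --rsource" with a dynamic
# set keyed on the full source address. Set name, hook and jumps are assumed.

flush ruleset

table ip filter {
    # The "DEFAULT" recent list. One element per source address; an element
    # expires 300 s after it was last added or refreshed, which is what
    # "--seconds 300" tests against. "dynamic" allows rules to add entries,
    # "timeout" allows per-element expiry and the update statement.
    set recent_default {
        type ipv4_addr
        flags dynamic,timeout
        timeout 5m
    }

    # Base chain assumed here so the file loads on its own; the original
    # ruleset's hook and policy are not visible in the report.
    chain INPUT {
        type filter hook input priority 0; policy accept;

        # "-A INPUT -m recent --update --seconds 300 --hitcount 1 -j DROP":
        # match only sources that are already listed (the @set lookup),
        # refresh their timer (update) and drop. An "update" statement on its
        # own would also insert unknown sources, which --update must not do.
        ip saddr @recent_default update @recent_default { ip saddr timeout 5m } drop

        # Assumed wiring into the custom chains quoted in the report.
        jump PZERO
        jump RABPSCAN
        jump FRAG_UDP
        jump IN_SANITY
    }

    # "-A PZERO -p tcp --dport 0 -m recent --set -j DROP".
    # "--set" adds the address or refreshes an existing entry, so "update"
    # (insert-or-refresh) is the right statement, not "add" (insert only).
    chain PZERO {
        tcp dport 0 update @recent_default { ip saddr timeout 5m } drop
    }

    # "-A RABPSCAN -p tcp --dport 1 -m recent --set -j DROP"
    chain RABPSCAN {
        tcp dport 1 update @recent_default { ip saddr timeout 5m } drop
    }

    # "-A FRAG_UDP -p udp -f -m recent --set -j DROP"
    # "-f" (second and further fragments) is a non-zero fragment offset;
    # transport-layer matches cannot be used on such packets, hence
    # "ip protocol udp" rather than a "udp" match.
    chain FRAG_UDP {
        ip protocol udp ip frag-off & 0x1fff != 0 update @recent_default { ip saddr timeout 5m } drop
    }

    # "-A IN_SANITY -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE
    #  -m recent --set -j DROP" (null scan): mask the six flags and require
    # all of them to be clear.
    chain IN_SANITY {
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 update @recent_default { ip saddr timeout 5m } drop
    }
}
```

Check it with `nft -c -f <file>` before loading with `nft -f <file>`; `nft list set ip filter recent_default` then shows the listed sources with their remaining timeouts. The emulation is exact only for the combination used here: "--set" and "--update" both refresh the entry, and "--hitcount 1" with "--seconds 300" reduces to "seen within the last 300 s", which a single element timeout expresses. The recent match additionally records a history of timestamps per address, so "--hitcount N" with N above 1, "--rttl" and "--rcheck" without refresh have no one-to-one equivalent in a plain timeout set ("--rcheck" would be the lookup `ip saddr @recent_default` without the update statement). A mask narrower than 255.255.255.255 would need a different element key than the plain source address.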