mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-30 02:29:01 +00:00
b0bd6599e8
according to iptables-nft man page,
"These tools use the libxtables framework extensions and hook to the nf_tables
kernel subsystem using the nft_compat module."
This means that to work, iptables-nft needs the same modules as
iptables legacy except the ip(6)table-{filter,mangle,nat,raw}
ip_tables, ip6tables.
When those modules are loaded iptables-nft-save output contains
"# Warning: iptables-legacy tables present, use iptables-legacy-save to see them"
But as long as it's empty it should not be a problem.
To have nft properly display the rules created by ip(6)tables-nft we need
all iptables targets and matches to be built as extension and not built-in
(/usr/lib/iptables/libip(6)t_*.so)
When switching a package to iptables-nft, you need to keep the
iptables-mod-* dependencies
This patch does minimal changes:
- remove the direct iptables-nft -> iptables dependency
- and more important add nft-compat dependency
The rule
iptables-nft -A OUTPUT -d 8.8.8.8 -m comment --comment "aaa" -j REJECT
becomes
table ip filter {
chain OUTPUT {
type filter hook output priority filter; policy accept;
ip daddr 8.8.8.8 # xt_comment counter packets 0 bytes 0 # xt_REJECT
}
}
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
||
|---|---|---|
| .. | ||
| adb-enablemodem | ||
| arptables | ||
| bpftools | ||
| comgt | ||
| ebtables | ||
| ethtool | ||
| iproute2 | ||
| ipset | ||
| iptables | ||
| iw | ||
| iwcap | ||
| iwinfo | ||
| layerscape/restool | ||
| linux-atm | ||
| ltq-dsl-base | ||
| nftables | ||
| resolveip | ||
| rssileds | ||
| tcpdump | ||
| umbim | ||
| uqmi | ||
| wireguard-tools | ||
| wireless-tools | ||
| wpan-tools | ||
| wwan | ||