From patchwork Fri Mar 16 18:24:36 2018
X-Patchwork-Submitter: Arturo Borrero Gonzalez
X-Patchwork-Id: 887094
X-Patchwork-Delegate: fw@strlen.de
Subject: [iptables PATCH] iptables: add xtables-translate.8 manpage
From: Arturo Borrero Gonzalez
To: netfilter-devel@vger.kernel.org
Date: Fri, 16 Mar 2018 19:24:36 +0100
Message-ID: <152122467622.4386.650170843385715199.stgit@endurance>
User-Agent: StGit/0.18

This new manpage describes how to operate the translation tools for nftables.

Signed-off-by: Arturo Borrero Gonzalez
---
 iptables/Makefile.am         |   3 +
 iptables/xtables-translate.8 | 134 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 136 insertions(+), 1 deletion(-)
 create mode 100644 iptables/xtables-translate.8

diff --git a/iptables/Makefile.am b/iptables/Makefile.am index d0060c60..7fc34830 100644 --- a/iptables/Makefile.am +++ b/iptables/Makefile.am @@ -58,7 +58,8 @@ sbin_PROGRAMS += xtables-compat-multi endif man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ - ip6tables-save.8 iptables-extensions.8 xtables-compat.8 + ip6tables-save.8 iptables-extensions.8 \ + xtables-compat.8 xtables-translate.8 CLEANFILES = iptables.8 \ xtables-config-parser.c xtables-config-syntax.c 
diff --git a/iptables/xtables-translate.8 b/iptables/xtables-translate.8 new file mode 100644 index 00000000..1968239b --- /dev/null +++ b/iptables/xtables-translate.8 
@@ -0,0 +1,134 @@ +.\" +.\" (C) Copyright 2018, Arturo Borrero Gonzalez +.\" +.\" %%%LICENSE_START(GPLv2+_DOC_FULL) +.\" This is free documentation; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License as +.\" published by the Free Software Foundation; either version 2 of +.\" the License, or (at your option) any later version. +.\" +.\" The GNU General Public License's references to "object code" +.\" and "executables" are to be interpreted as the output of any +.\" document formatting or typesetting system, including +.\" intermediate and printed output. +.\" +.\" This manual is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public +.\" License along with this manual; if not, see +.\" . +.\" %%%LICENSE_END +.\" +.TH XTABLES-TRANSLATE 8 "Mar 16, 2018" + +.SH NAME +xtables-translate \- translation tools to migrate from iptables to nftables + +.SH DESCRIPTION +There is a set of tools to help the system administrator translate a given +ruleset from \fBiptables(8)\fP and \fBip6tables(8)\fP to \fBnftables(8)\fP. + +The available commands are: + +.IP \[bu] 2 +iptables-translate +.IP \[bu] +iptables-restore-translate +.IP \[bu] 2 +ip6tables-translate +.IP \[bu] +ip6tables-restore-translate + +.SH USAGE +They take as input the original \fBiptables(8)\fP/\fBip6tables(8)\fP syntax and +output the native \fBnftables(8)\fP syntax. + +The \fBiptables-restore-translate\fP tool reads a ruleset in the syntax +produced by \fBiptables-save(8)\fP. Likewise, the +\fBip6tables-restore-translate\fP tool reads one produced by +\fBip6tables-save(8)\fP. 
+ +The \fBiptables-translate\fP reads a command line as if it was entered to +\fBiptables(8)\fP, and \fBip6tables-translate\fP reads a command like as if it +was entered to \fBip6tables(8)\fP. + +.SH EXAMPLES +Basic operation examples. + +Single command translation: + +.nf +root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +nft add rule ip filter INPUT tcp dport 22 ct state new counter accept + +root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT +nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept +.fi + +Whole ruleset translation: + +.nf +root@machine:~# iptables-save > save.txt +root@machine:~# cat save.txt +# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016 +*filter +:INPUT ACCEPT [5166:1752111] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [5058:628693] +-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +COMMIT +# Completed on Sat Dec 24 14:26:40 2016 + +root@machine:~# iptables-restore-translate -f save.txt +# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016 +add table ip filter +add chain ip filter INPUT { type filter hook input priority 0; } +add chain ip filter FORWARD { type filter hook forward priority 0; } +add chain ip filter OUTPUT { type filter hook output priority 0; } +add rule ip filter FORWARD tcp dport 22 ct state new counter accept + +root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft +root@machine:~# nft -f ruleset.nft +root@machine:~# nft list ruleset +table ip filter { + chain INPUT { + type filter hook input priority 0; policy accept; + } + + chain FORWARD { + type filter hook forward priority 0; policy accept; + tcp dport ssh ct state new counter packets 0 bytes 0 accept + } + + chain OUTPUT { + type filter hook output priority 0; policy accept; + } +} +.fi + + +.SH LIMITATIONS +Some (few) extensions may 
be not supported (or fully-supported) for whatever +reason (for example, they were considered obsolete, or we didn't have the time +to work on them). + +There are no translations available for \fBebtables(8)\fP and +\fBarptables(8)\fP. + +To get up-to-date information about this, please head to +\fBhttps://wiki.nftables.org/\fP. + +.SH SEE ALSO +\fBnft(8)\fP, \fBxtables-compat(8)\fP + +.SH AUTHORS +The nftables framework is written by the Netfilter project +(https://www.netfilter.org). + +This manual page was written by Arturo Borrero Gonzalez +. + +This documentation is free/libre under the terms of the GPLv2+.
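Review bot: in the Makefile.am hunk, xtables-translate.8 is appended to man_MANS unconditionally, like xtables-compat.8, while the hunk context shows the xtables-compat-multi build closing with an `endif` just above; that means the page is installed even on builds that do not ship the translate tools. Consistent with the existing xtables-compat.8 handling, so acceptable, but please confirm that is intended rather than moving both pages under the conditional. The rewrap of the continuation line itself is fine, and no CLEANFILES change is needed since the new page is a static file rather than a generated one like iptables.8.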
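Review bot: in the xtables-translate.8 hunk, the EXAMPLES section loads the translator output straight with `nft -f ruleset.nft`, while LIMITATIONS says some extensions may not be (fully) supported; the page should tell the reader to inspect the generated ruleset before loading it, because with the `policy accept` chains shown in the example any rule that did not survive translation is simply not enforced, so the loaded policy can be looser than the iptables original without any error. A few smaller points in the same hunk: "reads a command like as if it was entered to \fBip6tables(8)\fP" should read "reads a command line as if"; "The \fBiptables-translate\fP reads a command line" is missing "tool" after the name; "may be not supported" should be "may not be supported"; the bullet list uses `.IP \[bu] 2` for the first and third items but bare `.IP \[bu]` for the second and fourth, so pick one form for all four; the license header line "if not, see ." and the AUTHORS line ending in "Gonzalez +." both look like they lost a URL and an address respectively, so check the file as committed; and SEE ALSO could list iptables(8), ip6tables(8), iptables-save(8) and ip6tables-save(8), which the DESCRIPTION and USAGE text already reference.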