使用预装的iptables-translate程序即可,例如:
# iptables-translate -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
nft add rule ip filter INPUT icmp type time-exceeded counter accept
nftables默认没有内置的链,可以自己新增
nft flush ruleset
nft add table ip filter
nft flush chain ip filter INPUT
nft add chain ip filter INPUT "{type filter hook input priority 0; policy drop; }"
nft add chain ip filter OUTPUT "{type filter hook output priority 0; policy accept; }"
nft add chain ip filter FORWARD "{type filter hook forward priority 0; policy accept; }"
nft list ruleset
参考
【1】https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/getting-started-with-nftables_firewall-packet-filters
【2】https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_firewalls_and_packet_filters/getting-started-with-nftables_firewall-packet-filters#supported-nftables-script-formats_writing-and-executing-nftables-scripts
3819
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
