.\"
.\" (C) Copyright 2018, Arturo Borrero Gonzalez <arturo@netfilter.org>
.\"
.\" %%%LICENSE_START(GPLv2+_DOC_FULL)
.\" This is free documentation; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License as
.\" published by the Free Software Foundation; either version 2 of
.\" the License, or (at your option) any later version.
.\"
.\" The GNU General Public License's references to "object code"
.\" and "executables" are to be interpreted as the output of any
.\" document formatting or typesetting system, including
.\" intermediate and printed output.
.\"
.\" This manual is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public
.\" License along with this manual; if not, see
.\" <http://www.gnu.org/licenses/>.
.\" %%%LICENSE_END
.\"
.TH IPTABLES-TRANSLATE 8 "May 14, 2019"

.SH NAME
iptables-translate \(em translation tool to migrate from iptables to nftables
.P
ip6tables-translate \(em translation tool to migrate from ip6tables to nftables
.SH DESCRIPTION
There is a set of tools to help the system administrator translate a given
ruleset from \fBiptables(8)\fP and \fBip6tables(8)\fP to \fBnftables(8)\fP.

The available commands are:

.IP \[bu] 2
iptables-translate
.IP \[bu] 2
iptables-restore-translate
.IP \[bu] 2
ip6tables-translate
.IP \[bu] 2
ip6tables-restore-translate

.SH USAGE
These tools take as input the original \fBiptables(8)\fP/\fBip6tables(8)\fP
syntax and output the native \fBnftables(8)\fP syntax.

The \fBiptables-restore-translate\fP tool reads a ruleset in the syntax
produced by \fBiptables-save(8)\fP. Likewise, the
\fBip6tables-restore-translate\fP tool reads one produced by
\fBip6tables-save(8)\fP. No ruleset modifications occur; these tools are
text converters only.

\fBiptables-translate\fP reads a command line as if it were entered to
\fBiptables(8)\fP, and \fBip6tables-translate\fP reads a command line as if it
were entered to \fBip6tables(8)\fP.

.SH EXAMPLES
Basic operation examples.

Single command translation:

.nf
root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new counter accept

root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept
.fi

Whole ruleset translation:

.nf
root@machine:~# iptables-save > save.txt
root@machine:~# cat save.txt
# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016
*filter
:INPUT ACCEPT [5166:1752111]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5058:628693]
-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Dec 24 14:26:40 2016

root@machine:~# iptables-restore-translate -f save.txt
# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter FORWARD tcp dport 22 ct state new counter accept

root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft
root@machine:~# nft -f ruleset.nft
root@machine:~# nft list ruleset
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
		tcp dport ssh ct state new counter packets 0 bytes 0 accept
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}
}
.fi

.SH LIMITATIONS
A few extensions may be unsupported, or only partially supported, for various
reasons (for example, they were considered obsolete, or we did not have the
time to work on them).

There are no translations available for \fBebtables(8)\fP and
\fBarptables(8)\fP.

To get up-to-date information about this, please head to
\fBhttps://wiki.nftables.org/\fP.
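
The whole-ruleset workflow shown under EXAMPLES, together with the caveat
above that some extensions have no translation, is where an administrator
wants an automated check before loading anything. The following POSIX shell
script is an added example written for this page; it is not part of
iptables, nftables or the translate tools. It assumes that rules the
translator cannot convert are echoed back as comment lines that still carry
the original "-A ..." rule (from iptables-translate as "nft # -A ..."), that
nft accepts "-c" for a parse-only check of a file, and the translator output
it embeds as a sample is constructed for the example, not captured from a
real run.

```shell
#!/bin/sh
# Added example for the iptables-translate man page; not part of iptables(8),
# nftables(8) or the translate tools themselves. Translates an iptables-save
# dump, reports how many rules became nft "add rule" lines versus how many the
# translator left behind, and dry-runs the result with "nft -c -f" so nothing
# is loaded until the file is known to parse.
#
# Assumptions (not stated on the man page): untranslatable rules are echoed
# back as comment lines that still contain the original "-A ..." rule (as
# "nft # -A ..." from iptables-translate), and nft supports "-c" (check only).

# Number of rules (-A lines) in an iptables-save dump read on stdin.
count_save_rules() {
    grep -c '^-A ' || true
}

# Number of rules that were translated into nft syntax, read on stdin.
count_nft_rules() {
    grep -c '^add rule ' || true
}

# Number of rules the translator could not convert, read on stdin: a comment
# line (optionally prefixed with "nft ") that still carries an "-A " rule.
count_untranslated() {
    grep -Ec '^(nft )?#.*-A ' || true
}

# Constructed sample of translator output: two rules translated, one not.
# The "example-unsupported-ext" match is a placeholder, not a real extension.
sample_translation() {
    cat <<'EOF'
# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add rule ip filter INPUT tcp dport 22 ct state new counter accept
add rule ip filter INPUT ct state established,related counter accept
# -A INPUT -m example-unsupported-ext -j DROP
EOF
}

# Translate SAVE_FILE into OUT_FILE, then verify coverage and syntax.
# Exit status: 0 = every rule translated and nft accepts the file,
#              1 = some rules still need manual porting,
#              2 = translation failed or nft rejected the file,
#              3 = required tools are not installed.
migrate_check() {
    save="$1"
    out="$2"
    command -v iptables-restore-translate >/dev/null 2>&1 || return 3
    command -v nft >/dev/null 2>&1 || return 3

    iptables-restore-translate -f "$save" > "$out" || return 2

    total=$(count_save_rules < "$save")
    ok=$(count_nft_rules < "$out")
    left=$(count_untranslated < "$out")
    printf 'rules in %s: %s, translated: %s, untranslated: %s\n' \
        "$save" "$total" "$ok" "$left"

    # Parse-only check: -c makes nft validate the file without loading it.
    nft -c -f "$out" || return 2

    [ "$left" -eq 0 ] || return 1
    return 0
}

# Usage: migrate_check save.txt ruleset.nft
# Load with "nft -f ruleset.nft" only after this returns 0, or after the
# untranslated rules it reports have been ported by hand.
```

The coverage counts matter because a translated file that nft accepts can
still be incomplete: a rule that came back as a comment is silently absent
from the loaded ruleset, so a filter that used to drop traffic may no longer
exist after migration. Comparing the "-A" count of the save file with the
"add rule" count of the output catches that before the ruleset goes live.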

.SH SEE ALSO
\fBnft(8)\fP, \fBiptables(8)\fP

.SH AUTHORS
The nftables framework is written by the Netfilter project
(https://www.netfilter.org).

This manual page was written by Arturo Borrero Gonzalez
<arturo@netfilter.org>.

This documentation is free/libre under the terms of the GPLv2+.