From 623675110fd32740aed82c821a93356fdd19d9ec Mon Sep 17 00:00:00 2001
From: bol-van
Date: Sun, 6 Feb 2022 12:33:58 +0300
Subject: [PATCH] readme: correct iptables-nft patch

---
 docs/readme.eng.md | 15 ++++++++++++---
 docs/readme.txt | 17 +++++++++++++----
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/docs/readme.eng.md b/docs/readme.eng.md
index ce2f428..94b6864 100644
--- a/docs/readme.eng.md
+++ b/docs/readme.eng.md
@@ -439,9 +439,18 @@ In some linux distros its possible to change current ip6tables using this comman
 If you want to stay with nftables-nft you need to patch and recompile your version. In nft.c find :
 ```
- name= "PREROUTING",
- type = "filter",
- prio = -300, /* NF_IP_PRI_RAW */
+ {
+ .name = "PREROUTING",
+ .type = "filter",
+ .prio = -300, /* NF_IP_PRI_RAW */
+ .hook = NF_INET_PRE_ROUTING,
+ },
+ {
+ .name = "OUTPUT",
+ .type = "filter",
+ .prio = -300, /* NF_IP_PRI_RAW */
+ .hook = NF_INET_LOCAL_OUT,
+ },
 ```
 and replace -300 to -450.
diff --git a/docs/readme.txt b/docs/readme.txt
index e03e366..f96996c 100644
--- a/docs/readme.txt
+++ b/docs/readme.txt
@@ -473,10 +473,19 @@ options ip6table_raw raw_before_defrag=1
 В некоторых традиционных дистрибутивах можно изменить текущий ip6tables через : update-alternatives --config ip6tables Если вы хотите оставаться на iptables-nft, вам придется пересобрать патченную версию. Патч совсем небольшой. В nft.c найдите фрагмент :
- name= "PREROUTING",
- type = "filter",
- prio = -300, /* NF_IP_PRI_RAW */
-и замените -300 на -450.
+ {
+ .name = "PREROUTING",
+ .type = "filter",
+ .prio = -300, /* NF_IP_PRI_RAW */
+ .hook = NF_INET_PRE_ROUTING,
+ },
+ {
+ .name = "OUTPUT",
+ .type = "filter",
+ .prio = -300, /* NF_IP_PRI_RAW */
+ .hook = NF_INET_LOCAL_OUT,
+ },
+и замените везде -300 на -450.
 Это нужно сделать вручную, никакой автоматики в blockcheck.sh нет.