| |||||||||||||
Wasn't there an ipchains ---> iptables compatibility mode?Wasn't there an ipchains ---> iptables compatibility mode?Posted Mar 24, 2009 18:40 UTC (Tue) by wstearns (✭ supporter ✭, #4102)In reply to: Wasn't there an ipchains ---> iptables compatibility mode? by felixfix Parent article: Nftables: a new packet filtering engine
I'm getting rusty (the pun was truly unintentional) on this, but I believe there was an ipchains kernel module that loaded on top of an iptables architecture kernel. You could do most ipchains tasks with it. You could not mix rules (some ipchains rules and some iptables rules); it was an all-or-nothing switch.
I wrote userspace converters that respectively turned an ipfwadm firewall file into an ipchains firewall (ipfwadm2ipchains) or turned an ipchains firewall into an iptables firewall (ipchains2iptables). Neither created a perfect conversion (there are architectural differences in the firewalls that can't be perfectly converted), but both covered the majority of rules correctly.
The tools can be found at www.stearns.org/i2i/ . Like sausage, they're functional but ugly in their implementation.
(Log in to post comments)
Wasn't there an ipchains ---> iptables compatibility mode? Posted Mar 25, 2009 1:00 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]
there were a lot over conversion scripts, but nothing in the kernel.
You are totally wrong Posted Mar 26, 2009 7:51 UTC (Thu) by khim (subscriber, #9252) [Link] Google for "ipchains emulation" and you'll find tons of links to messages about problems with said in-kernel emulation. May be this is why you remember only conversion scripts? IPchains emulation was incomplete and ineffective - that's why most admins just converted scripts: it was easier to convert scripts then to fight problems in emulation. But is was there - that's for sure...
|
|||||||||||||