author | Miao Wang <shankerwangmiao@gmail.com> | 2025-07-17 16:27:37 +0800 |
committer | Phil Sutter <phil@nwl.cc> | 2025-07-17 12:01:41 +0200 |
commit | d33c6ad308cf7b9f627aeed48a5163c0374b5035 (patch) | |
tree | 8deda216ba20e891f70f39d5cc3e44aa1161b384 | |
parent | 12e6b5ed65fd91ea413a2e45201289c3d01c4e29 (diff) |
extensions: libebt_redirect: prevent translation
The redirect target in ebtables does two things: 1. set skb->pkt_type to
PACKET_HOST, and 2. set the destination mac address to the address of
the receiving bridge device (when not used in the BROUTING chain), or the
receiving physical device (otherwise). However, the latter cannot be
implemented in nftables, as the translation is not given the mac address
to set. So it is not appropriate to give a specious translation.
This patch disables the translation to prevent possible misunderstanding.
Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r-- | extensions/libebt_redirect.c | 19 | ||||
-rw-r--r-- | extensions/libebt_redirect.txlate | 8 |
2 files changed, 1 insertions, 26 deletions
diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c
index a44dbaec..12d87f93 100644
--- a/extensions/libebt_redirect.c
+++ b/extensions/libebt_redirect.c
@@ -60,27 +60,10 @@ static void brredir_print(const void *ip, const struct xt_entry_target *target,
 	printf("--redirect-target %s", ebt_target_name(redirectinfo->target));
 }
 
-static const char* brredir_verdict(int verdict)
-{
-	switch (verdict) {
-	case EBT_ACCEPT: return "accept";
-	case EBT_DROP: return "drop";
-	case EBT_CONTINUE: return "continue";
-	case EBT_RETURN: return "return";
-	}
-
-	return "";
-}
-
 static int brredir_xlate(struct xt_xlate *xl,
 			 const struct xt_xlate_tg_params *params)
 {
-	const struct ebt_redirect_info *red = (const void*)params->target->data;
-
-	xt_xlate_add(xl, "meta pkttype set host");
-	if (red->target != EBT_CONTINUE)
-		xt_xlate_add(xl, " %s ", brredir_verdict(red->target));
-	return 1;
+	return 0;
 }
 
 static struct xtables_target brredirect_target = {
diff --git a/extensions/libebt_redirect.txlate b/extensions/libebt_redirect.txlate
deleted file mode 100644
index d073ec77..00000000
--- a/extensions/libebt_redirect.txlate
+++ /dev/null
@@ -1,8 +0,0 @@
-ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host accept'
-
-ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN
-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host return'
-
-ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE
-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host' |
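Review bot: brredir_xlate is reduced to a bare `return 0;` with nothing in the file saying why, so the reasoning in the commit message (the target also rewrites the destination MAC to the receiving bridge or physical device's address, which `meta pkttype set host` alone cannot express) is lost to anyone reading the code rather than the log; a short comment above the return would keep it, e.g. `/* Not translatable: redirect also rewrites the destination MAC to the receiving device's address, which has no nft equivalent. */`. Refusing the translation instead of emitting the partial `meta pkttype set host` rule is the right call, since a migrated ruleset that only reclassifies the packet type would handle frames differently from the ebtables original. With the body gone, `xl` and `params` are now unused parameters, which may warrant `(void)` casts if the build enables -Wunused-parameter. The `brredirect_target` definition that presumably still registers this callback starts inside the hunk but ends outside it, so whether keeping the stub or dropping the `.xlate` member gives the clearer "unsupported" output from ebtables-translate cannot be judged from here.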