author | Phil Sutter <phil@nwl.cc> | 2021-03-02 14:50:07 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2021-03-09 09:27:33 +0100 |
commit | 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae (patch) | |
tree | f14a80399d455fe8a40812449decd394021c62de /extensions | |
parent | 330f5df03ad589b46865ceedf2a54cf10a4225ba (diff) |
xtables-translate: Fix translation of odd netmasks
Iptables supports netmasks which are not prefixes to match on (or
ignore) arbitrary bits in an address. Yet nftables' prefix notation is
available for real prefixes only, so translation is not as trivial -
print bitmask syntax for those cases.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/generic.txlate | 48 | ||||
-rw-r--r-- | extensions/libxt_standard.t | 12 |
2 files changed, 60 insertions, 0 deletions
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 0e256c37..9ae9a5b5 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -10,6 +10,54 @@ nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter
 iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8
 nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter
+iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0
+nft insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter
+
+iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0
+nft insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter
+
+iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter
+
+iptables-translate -I INPUT ! -s 10.11.12.13/0.255.0.255
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter
+
+iptables-translate -I INPUT -s 0.0.0.0/16
+nft insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter
+
+iptables-translate -I INPUT -s 0.0.0.0/0
+nft insert rule ip filter INPUT counter
+
+iptables-translate -I INPUT ! -s 0.0.0.0/0
+nft insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter
+
+ip6tables-translate -I INPUT -i iifname -s feed::/16
+nft insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter
+
+ip6tables-translate -A INPUT -i iif+ ! -d feed::/16
+nft add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter
+
+ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00::
+nft insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter
+
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0
+nft insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter
+
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter
+
+ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter
+
+ip6tables-translate -I INPUT -s ::/16
+nft insert rule ip6 filter INPUT ip6 saddr ::/16 counter
+
+ip6tables-translate -I INPUT -s ::/0
+nft insert rule ip6 filter INPUT counter
+
+ip6tables-translate -I INPUT ! -s ::/0
+nft insert rule ip6 filter INPUT ip6 saddr != ::/0 counter
+
 ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0
 nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
index 4313f7b7..56d6da2e 100644
--- a/extensions/libxt_standard.t
+++ b/extensions/libxt_standard.t
@@ -9,3 +9,15 @@
 -j ACCEPT;=;OK
 -j RETURN;=;OK
 ! -p 0 -j ACCEPT;=;FAIL
+-s 10.11.12.13/8;-s 10.0.0.0/8;OK
+-s 10.11.12.13/9;-s 10.0.0.0/9;OK
+-s 10.11.12.13/10;-s 10.0.0.0/10;OK
+-s 10.11.12.13/11;-s 10.0.0.0/11;OK
+-s 10.11.12.13/12;-s 10.0.0.0/12;OK
+-s 10.11.12.13/30;-s 10.11.12.12/30;OK
+-s 10.11.12.13/31;-s 10.11.12.12/31;OK
+-s 10.11.12.13/32;-s 10.11.12.13/32;OK
+-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK
+-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK
+-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK
+-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK |
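Review bot: The generic.txlate cases exercise non-prefix masks only at octet granularity (255.0.255.0, 0.255.0.255 and the ffff:0:… / 0:ffff:… IPv6 masks), so the translator's prefix-versus-bitmask decision is never checked against a mask with a hole inside a single octet, even though the libxt_standard.t hunk does add `-s 10.11.12.13/255.0.12.0`. A matching translate case would pin that path, e.g. `iptables-translate -I INPUT -s 10.11.12.13/255.0.12.0` expecting `nft insert rule ip filter INPUT ip saddr & 255.0.12.0 == 10.0.12.0 counter` (expected line constructed from the pattern of the other cases). This matters because a mask wrongly classified as a prefix would silently change which source addresses the translated rule matches, which is exactly the failure the commit sets out to fix. The translator change itself is outside this diffstat-limited view, so whether intra-octet masks take a different code path than octet-aligned ones cannot be confirmed here.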