author | Florian Westphal <fw@strlen.de> | 2018-05-08 10:15:11 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-05-10 02:31:05 +0200 |
commit | 6454d7dc89f83920cd08606fdff43358c7e64a53 (patch) | |
tree | 33294b8d8675aaa706fb12842af294408360bbdf /iptables/nft-bridge.c | |
parent | 07f4ca96816886635acfb9478b2d04929938eb78 (diff) |
ebtables-translate: suppress redundant protocols
kernel would reject ip, ip6 etc. without -p ip, -p ip6.
So add it. On reverse, search the match list to decide if -p
has to be translated or not.
Also, icmp and icmpv6 imply the l3 protocol, so there is no need to translate
that either.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/nft-bridge.c')
-rw-r--r-- | iptables/nft-bridge.c | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index bf8949a5..fb19fea3 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -650,9 +650,26 @@ static int nft_bridge_xlate(const void *data, struct xt_xlate *xl)
 cs->eb.invflags & EBT_ILOGICALOUT);
 if ((cs->eb.bitmask & EBT_NOPROTO) == 0) {
- xt_xlate_add(xl, "ether type %s 0x%x ",
- cs->eb.invflags & EBT_IPROTO ? "!= " : "",
- ntohs(cs->eb.ethproto));
+ const char *implicit = NULL;
+
+ switch (ntohs(cs->eb.ethproto)) {
+ case ETH_P_IP:
+ implicit = "ip";
+ break;
+ case ETH_P_IPV6:
+ implicit = "ip6";
+ break;
+ case ETH_P_8021Q:
+ implicit = "vlan";
+ break;
+ default:
+ break;
+ }
+
+ if (!implicit || !xlate_find_match(cs, implicit))
+ xt_xlate_add(xl, "ether type %s 0x%x ",
+ cs->eb.invflags & EBT_IPROTO ? "!= " : "",
+ ntohs(cs->eb.ethproto));
 }
 if (cs->eb.bitmask & EBT_802_3) |
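Review bot: The new `if (!implicit || !xlate_find_match(cs, implicit))` guard drops the `ether type` expression whenever a matching `ip`/`ip6`/`vlan` match is present, but it does not look at `EBT_IPROTO`, so a rule written with a negated protocol (`! -p IPv4` plus an `ip` match) would be translated as a plain positive match with the negation silently lost. The kernel presumably refuses such a combination, but the translate path does not appear to consult the kernel, so the translation should keep the explicit expression in that case: `if (!implicit || (cs->eb.invflags & EBT_IPROTO) || !xlate_find_match(cs, implicit))`. A short why-comment above the switch would also help the next reader, e.g. `/* the nft ip/ip6/vlan matches already imply the ether type; emit it only when no such match is present */`, since the reason for the suppression otherwise lives only in the commit message. The icmp/icmpv6 handling mentioned in the description is not visible in this hunk and is presumably inside xlate_find_match; nft_bridge_xlate itself starts and ends outside the hunk.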