diff options
author | Phil Sutter <phil@nwl.cc> | 2024-02-29 17:55:32 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2024-02-29 18:07:19 +0100 |
commit | fcaa99ca9e3c18f831fe523a0ad79fb1da34b0ec (patch) | |
tree | 0150ec243d5b966ac8b58f6a4aefab45a216f31f /extensions/generic.txlate | |
parent | bb1a7a5b297aa271f7f59abbcb891cd94d7fb305 (diff) |
xtables-translate: Leverage stored protocol names
Align output of ip(6)tables-translate for --protocol arguments with that
of ip(6)tables -L/-S by calling proto_to_name() from xshared.c. The
latter will consult xtables_chain_protos list first to make sure (the
right) names are used for "common" protocol values and otherwise falls
back to getprotobynumber() which it replaces here.
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1738
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'extensions/generic.txlate')
-rw-r--r-- | extensions/generic.txlate | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/extensions/generic.txlate b/extensions/generic.txlate index b79239f1..9ad1266d 100644 --- a/extensions/generic.txlate +++ b/extensions/generic.txlate @@ -64,6 +64,36 @@ nft 'insert rule ip6 filter INPUT counter' ip6tables-translate -I INPUT ! -s ::/0 nft 'insert rule ip6 filter INPUT ip6 saddr != ::/0 counter' +iptables-translate -A FORWARD -p 132 +nft 'add rule ip filter FORWARD ip protocol sctp counter' + +ip6tables-translate -A FORWARD -p 132 +nft 'add rule ip6 filter FORWARD meta l4proto sctp counter' + +iptables-translate -A FORWARD ! -p 132 +nft 'add rule ip filter FORWARD ip protocol != sctp counter' + +ip6tables-translate -A FORWARD ! -p 132 +nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter' + +iptables-translate -A FORWARD -p 141 +nft 'add rule ip filter FORWARD ip protocol 141 counter' + +ip6tables-translate -A FORWARD -p 141 +nft 'add rule ip6 filter FORWARD meta l4proto 141 counter' + +iptables-translate -A FORWARD ! -p 141 +nft 'add rule ip filter FORWARD ip protocol != 141 counter' + +ip6tables-translate -A FORWARD ! -p 141 +nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter' + +iptables-translate -A FORWARD -m tcp --dport 22 -p tcp +nft 'add rule ip filter FORWARD tcp dport 22 counter' + +ip6tables-translate -A FORWARD -m tcp --dport 22 -p tcp +nft 'add rule ip6 filter FORWARD tcp dport 22 counter' + ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0 nft 'insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter' |