| field | value | date |
|---|---|---|
| author | Phil Sutter <phil@nwl.cc> | 2020-02-06 15:08:41 +0100 |
| committer | Phil Sutter <phil@nwl.cc> | 2020-02-11 10:18:37 +0100 |
| commit | e179e87a1179e272a9bdabb0220b17d61d099ee3 (patch) | |
| tree | 43361dd6db2b1f8e4e34c64db6acfda266533807 /extensions | |
| parent | 8560ef29b1b3f8113f31f19fa57d85778c166c90 (diff) | |
xtables-translate: Fix for interface name corner-cases
There are two special situations xlate_ifname() didn't cover:
* Interface name containing '*': This went unchanged, creating a command
nft wouldn't accept. Instead translate into '\*' which doesn't change
semantics.
* Interface name being '+': Can't translate into nft wildcard character
as nft doesn't accept asterisk-only interface names. Instead decide
what to do based on 'invert' value: Skip match creation if false,
match against an invalid interface name if true.
Also add a test to make sure future changes to this behaviour are
noticed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
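The translation rules the commit message describes, written out as a small Python model. This is an added example, not iptables' own xlate_ifname(); the `ip filter` table and chain defaults, the `counter` suffix and the `INVAL/D` placeholder are taken from the test expectations in the patch, and the model assumes (as iptables does) that only a trailing `+` is the prefix wildcard, with a `+` elsewhere in the name left untouched. Note the order of the two rewrites: the literal `*` must be escaped before the trailing `+` becomes an nft `*`, otherwise the generated wildcard would be escaped too.

```python
# Added example (not iptables' own xlate_ifname()): a model of the
# interface-name translation rules described in the commit message.
INVALID_IFNAME = "INVAL/D"   # placeholder taken from the patch's test expectations


def xlate_ifname(nftmeta: str, ifname: str, invert: bool) -> str:
    """Return the nft match for one iptables -i/-o argument, or "" when
    the match can be dropped because it would always succeed.

    nftmeta is the nft selector ("iifname" or "oifname"), ifname the raw
    iptables value and invert whether the match was written with '!'.
    """
    # A bare '+' in iptables matches every interface. nft rejects an
    # asterisk-only name, so emulate the two outcomes instead: a plain
    # match is simply omitted, an inverted one (which can never succeed)
    # becomes a positive match against a name no interface can have.
    if ifname == "+":
        return f'{nftmeta} "{INVALID_IFNAME}"' if invert else ""

    # '*' is an ordinary character in iptables but nft's wildcard, so
    # escape it first; the escape must not touch the wildcard produced
    # in the next step.
    name = ifname.replace("*", "\\*")

    # A trailing '+' is the iptables prefix wildcard; nft spells it '*'.
    # (Assumption of this model: only a trailing '+' is special.)
    if name.endswith("+"):
        name = name[:-1] + "*"

    op = "!= " if invert else ""
    return f'{nftmeta} {op}"{name}"'


def translate_rule(chain, in_if=None, out_if=None, invert_in=False, invert_out=False):
    """Build the nft command for 'iptables -A <chain> [! -i X] [! -o Y]'."""
    parts = ["nft", "add", "rule", "ip", "filter", chain]
    for meta, name, inv in (("iifname", in_if, invert_in),
                            ("oifname", out_if, invert_out)):
        if name is None:
            continue
        match = xlate_ifname(meta, name, inv)
        if match:            # empty string means "skip this match"
            parts.append(match)
    parts.append("counter")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed inputs mirroring the three new generic.txlate entries
    print(translate_rule("FORWARD", in_if="*", out_if="eth*foo"))
    print(translate_rule("FORWARD", in_if="+"))
    print(translate_rule("FORWARD", in_if="+", invert_in=True))
```

Running the block prints the three nft commands that the patch's test file expects for `-i '*' -o 'eth*foo'`, `-i '+'` and `! -i '+'`; the escaped form `"eth\**"` for an input such as `eth*+` shows why the literal-asterisk escape has to run before the wildcard rewrite.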
Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/generic.txlate | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/extensions/generic.txlate b/extensions/generic.txlate index b38fbd1f..c92d082a 100644 --- a/extensions/generic.txlate +++ b/extensions/generic.txlate @@ -18,3 +18,15 @@ nft add rule bridge filter FORWARD iifname != "iname" meta ibrname "ilogname" oi ebtables-translate -I INPUT -p ip -d 1:2:3:4:5:6/ff:ff:ff:ff:00:00 nft insert rule bridge filter INPUT ether type 0x800 ether daddr 01:02:03:04:00:00 and ff:ff:ff:ff:00:00 == 01:02:03:04:00:00 counter + +# asterisk is not special in iptables and it is even a valid interface name +iptables-translate -A FORWARD -i '*' -o 'eth*foo' +nft add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter + +# skip for always matching interface names +iptables-translate -A FORWARD -i '+' +nft add rule ip filter FORWARD counter + +# match against invalid interface name to simulate never matching rule +iptables-translate -A FORWARD ! -i '+' +nft add rule ip filter FORWARD iifname "INVAL/D" counter |
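Review bot: the three new cases only exercise the `-i` side, and none of them combines a literal `*` with the trailing `+` wildcard, so a regression in the order of the two rewrites (escaping `*` before turning a trailing `+` into nft's `*`) would go unnoticed. Suggest adding `iptables-translate -A FORWARD -o '+'`, `iptables-translate -A FORWARD ! -o '+'` and a case such as `iptables-translate -A FORWARD -i 'eth*+'` with its expected `iifname "eth\**"` output, since `oifname` goes through the same xlate_ifname() path and the commit message says this test exists to catch future changes to the behaviour. The comment above the last case could also state why `INVAL/D` was chosen (a `/` cannot appear in a Linux interface name) so a later reader does not mistake it for a typo.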