author | Phil Sutter <phil@nwl.cc> | 2020-02-13 14:01:50 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2020-02-14 12:16:41 +0100 |
commit | 94488d4eb912f5af4c88d148b39b38eb8a3c1f0b (patch) | |
tree | 30cbcb685bba41fe8e1eb949d260646f0097256f /extensions | |
parent | 2b2b7948c1960ba4680677664ff58477be869de6 (diff) |
xtables-translate: Fix for iface++
In legacy iptables, only the last plus sign remains special, any
previous ones are taken literally. Therefore xtables-translate must not
replace all of them with asterisk but just the last one.
Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/generic.txlate | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/extensions/generic.txlate b/extensions/generic.txlate index c92d082a..0e256c37 100644 --- a/extensions/generic.txlate +++ b/extensions/generic.txlate @@ -23,6 +23,10 @@ nft insert rule bridge filter INPUT ether type 0x800 ether daddr 01:02:03:04:00: iptables-translate -A FORWARD -i '*' -o 'eth*foo' nft add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter +# escape all asterisks but translate only the first plus character +iptables-translate -A FORWARD -i 'eth*foo*+' -o 'eth++' +nft add rule ip filter FORWARD iifname "eth\*foo\**" oifname "eth+*" counter + # skip for always matching interface names iptables-translate -A FORWARD -i '+' nft add rule ip filter FORWARD counter |
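Review bot: The comment on the added test case in extensions/generic.txlate says "translate only the first plus character", which contradicts both the commit message ("only the last plus sign remains special") and the expected output in the same hunk, where `-o 'eth++'` becomes `oifname "eth+*"`: the first plus is kept literally and the last one is turned into an asterisk. Suggest rewording the comment to "escape all asterisks but translate only the last plus character" so the test file documents the behaviour the expected line actually checks.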