authorPhil Sutter <>2020-02-06 15:08:41 +0100
committerPhil Sutter <>2020-02-11 10:18:37 +0100
xtables-translate: Fix for interface name corner-cases
There are two special situations xlate_ifname() didn't cover for: * Interface name containing '*': This went unchanged, creating a command nft wouldn't accept. Instead translate into '\*' which doesn't change semantics. * Interface name being '+': Can't translate into nft wildcard character as nft doesn't accept asterisk-only interface names. Instead decide what to do based on 'invert' value: Skip match creation if false, match against an invalid interface name if true. Also add a test to make sure future changes to this behaviour are noticed. Signed-off-by: Phil Sutter <>
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
ebtables-translate -I INPUT -p ip -d 1:2:3:4:5:6/ff:ff:ff:ff:00:00
nft insert rule bridge filter INPUT ether type 0x800 ether daddr 01:02:03:04:00:00 and ff:ff:ff:ff:00:00 == 01:02:03:04:00:00 counter
+# asterisk is not special in iptables and it is even a valid interface name
+iptables-translate -A FORWARD -i '*' -o 'eth*foo'
+nft add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter
+# skip for always matching interface names
+iptables-translate -A FORWARD -i '+'
+nft add rule ip filter FORWARD counter
+# match against invalid interface name to simulate never matching rule
+iptables-translate -A FORWARD ! -i '+'
+nft add rule ip filter FORWARD iifname "INVAL/D" counter