-rw-r--r-- | extensions/libebt_ip.txlate | 17 | ||||
-rw-r--r-- | extensions/libebt_limit.txlate | 8 | ||||
-rw-r--r-- | extensions/libebt_log.txlate | 15 | ||||
-rw-r--r-- | extensions/libebt_mark.xlate | 11 | ||||
-rw-r--r-- | extensions/libebt_mark_m.c | 8 | ||||
-rw-r--r-- | extensions/libebt_mark_m.txlate | 14 | ||||
-rw-r--r-- | extensions/libebt_nflog.c | 1 | ||||
-rw-r--r-- | extensions/libebt_nflog.txlate | 11 | ||||
-rwxr-xr-x | xlate-test.py | 2 |
9 files changed, 81 insertions, 6 deletions
diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate
new file mode 100644
index 00000000..7f08f71d
--- /dev/null
+++ b/extensions/libebt_ip.txlate
@@ -0,0 +1,17 @@
+ebtables-translate -A FORWARD --ip-src ! 192.168.0.0/24 -j ACCEPT
+nft add rule bridge filter FORWARD ip saddr != 192.168.0.0/24 counter accept
+
+ebtables-translate -I FORWARD --ip-dst 10.0.0.1
+nft insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter
+
+ebtables-translate -I OUTPUT 3 -o eth0 --ip-tos 0xff
+nft insert rule bridge filter OUTPUT position 3 ip dscp 0xFC counter
+
+ebtables-translate -A FORWARD --ip-proto tcp --ip-dport 22
+nft add rule bridge filter FORWARD tcp dport 22 counter
+
+ebtables-translate -A FORWARD --ip-proto udp --ip-sport 1024:65535
+nft add rule bridge filter FORWARD udp sport 1024-65535 counter
+
+ebtables-translate -A FORWARD --ip-proto 253
+nft add rule bridge filter FORWARD ip protocol 253 counter
diff --git a/extensions/libebt_limit.txlate b/extensions/libebt_limit.txlate
new file mode 100644
index 00000000..b6af15d5
--- /dev/null
+++ b/extensions/libebt_limit.txlate
@@ -0,0 +1,8 @@
+ebtables-translate -A INPUT --limit 3/m --limit-burst 3
+nft add rule bridge filter INPUT limit rate 3/minute burst 3 packets counter
+
+ebtables-translate -A INPUT --limit 10/s --limit-burst 5
+nft add rule bridge filter INPUT limit rate 10/second burst 5 packets counter
+
+ebtables-translate -A INPUT --limit 10/s --limit-burst 0
+nft add rule bridge filter INPUT limit rate 10/second counter
diff --git a/extensions/libebt_log.txlate b/extensions/libebt_log.txlate
new file mode 100644
index 00000000..7ef8d5e1
--- /dev/null
+++ b/extensions/libebt_log.txlate
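Review bot: The expected output `ip dscp 0xFC` for `--ip-tos 0xff` pins a value that cannot be a DSCP: DSCP is the upper six bits of the TOS byte, so 0xff corresponds to dscp 0x3f, and 0xFC looks like the masked TOS byte emitted without the two-bit shift. As written the fixture locks in whatever the translator currently prints instead of checking it, and nft is likely to reject a dscp above 0x3f when the rule is loaded; the two ECN bits of the original TOS match are also silently dropped by this translation. I would expect the line to read `nft insert rule bridge filter OUTPUT position 3 ip dscp 0x3f counter`, with the corresponding shift applied in the libebt_ip.c translator, which is not part of this diff.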
@@ -0,0 +1,15 @@
+ebtables-translate -A INPUT --log
+nft add rule bridge filter INPUT log level notice flags ether counter
+
+ebtables-translate -A INPUT --log-level 1
+nft add rule bridge filter INPUT log level alert flags ether counter
+
+ebtables-translate -A INPUT --log-level crit
+nft add rule bridge filter INPUT log level crit flags ether counter
+
+ebtables-translate -A INPUT --log-level emerg --log-ip --log-arp --log-ip6
+nft add rule bridge filter INPUT log level emerg flags ether counter
+
+ebtables-translate -A INPUT --log-level crit --log-ip --log-arp --log-ip6 --log-prefix foo
+nft add rule bridge filter INPUT log prefix "foo" level crit flags ether counter
+
diff --git a/extensions/libebt_mark.xlate b/extensions/libebt_mark.xlate
new file mode 100644
index 00000000..e0982a1e
--- /dev/null
+++ b/extensions/libebt_mark.xlate
@@ -0,0 +1,11 @@
+ebtables-translate -A INPUT --mark-set 42
+nft add rule bridge filter INPUT mark set 0x2a counter
+
+ebtables-translate -A INPUT --mark-or 42 --mark-target RETURN
+nft add rule bridge filter INPUT mark set mark or 0x2a counter return
+
+ebtables-translate -A INPUT --mark-and 42 --mark-target ACCEPT
+nft add rule bridge filter INPUT mark set mark and 0x2a counter accept
+
+ebtables-translate -A INPUT --mark-xor 42 --mark-target DROP
+nft add rule bridge filter INPUT mark set mark xor 0x2a counter drop
diff --git a/extensions/libebt_mark_m.c b/extensions/libebt_mark_m.c
index 1e8d21db..244fe12a 100644
--- a/extensions/libebt_mark_m.c
+++ b/extensions/libebt_mark_m.c
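Review bot: The new fixture is named `libebt_mark.xlate` while every other fixture added in this commit uses the `.txlate` suffix, as the diffstat shows. If xlate-test.py selects fixtures by the `.txlate` extension — not visible in this diff, but the uniform naming of the siblings suggests it — this file is never picked up and the four mark-set translations it holds go unverified. Renaming it to `extensions/libebt_mark.txlate` keeps it consistent with the others and makes its cases run.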
@@ -109,13 +109,13 @@ static int brmark_m_xlate(struct xt_xlate *xl,
 xt_xlate_add(xl, "meta mark ");
 if (info->bitmask == EBT_MARK_OR) {
- xt_xlate_add(xl, " and %0x%x %s0", info->mask,
+ xt_xlate_add(xl, "and 0x%x %s0 ", info->mask,
 info->invert ? "" : "!= ");
 } else if (info->mask != 0xffffffffU) {
- xt_xlate_add(xl, " and 0x%x %s 0x%x", info->mask,
- op == XT_OP_EQ ? "==" : "!=", info->mark);
+ xt_xlate_add(xl, "and 0x%x %s0x%x ", info->mask,
+ op == XT_OP_EQ ? "" : "!= ", info->mark);
 } else {
- xt_xlate_add(xl, " %s0x%x",
+ xt_xlate_add(xl, "%s0x%x ",
 op == XT_OP_EQ ? "" : "!= ", info->mark);
 }
diff --git a/extensions/libebt_mark_m.txlate b/extensions/libebt_mark_m.txlate
new file mode 100644
index 00000000..7b44425b
--- /dev/null
+++ b/extensions/libebt_mark_m.txlate
@@ -0,0 +1,14 @@
+ebtables-translate -A INPUT --mark 42
+nft add rule bridge filter INPUT meta mark 0x2a counter
+
+ebtables-translate -A INPUT ! --mark 42
+nft add rule bridge filter INPUT meta mark != 0x2a counter
+
+ebtables-translate -A INPUT --mark ! 42
+nft add rule bridge filter INPUT meta mark != 0x2a counter
+
+ebtables-translate -A INPUT --mark ! 0x1/0xff
+nft add rule bridge filter INPUT meta mark and 0xff != 0x1 counter
+
+ebtables-translate -A INPUT --mark /0x02
+nft add rule bridge filter INPUT meta mark and 0x2 != 0 counter
diff --git a/extensions/libebt_nflog.c b/extensions/libebt_nflog.c
index 57f09291..9801f358 100644
--- a/extensions/libebt_nflog.c
+++ b/extensions/libebt_nflog.c
@@ -135,7 +135,6 @@ static int brnflog_xlate(struct xt_xlate *xl,
 xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
 else
 xt_xlate_add(xl, "prefix \"%s\" ", info->prefix);
- }
 xt_xlate_add(xl, "group %u ", info->group);
diff --git a/extensions/libebt_nflog.txlate b/extensions/libebt_nflog.txlate
new file mode 100644
index 00000000..bc3f5364
--- /dev/null
+++ b/extensions/libebt_nflog.txlate
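Review bot: The EBT_MARK_OR branch picks its operator from `info->invert` while the two sibling branches use `op`, and its polarity is the reverse of theirs (the non-inverted match prints `!= 0`, the inverted one a bare `0`), which a later reader will easily take for a bug; brmark_m_xlate starts and ends outside the hunk, so where `op` is derived from `info->invert` is not visible here. A short comment above the branch would make the intent explicit, for example `/* EBT_MARK_OR matches when any mask bit is set: positive form is "!= 0", inverted form "== 0" (printed as a bare 0) */`. Switching the branch to test `op` like its siblings, `op == XT_OP_EQ ? "!= " : ""`, would also remove the mixed style, assuming `op` is set from `info->invert` earlier in the function as the other branches imply.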
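Review bot: The fixture covers the EBT_MARK_OR branch only in its non-inverted form (`--mark /0x02` expecting `and 0x2 != 0`); the inverted form, which the sibling hunk in libebt_mark_m.c renders with an empty operator, has no case. Adding `ebtables-translate -A INPUT --mark ! /0x02` with, going by that code, the expected `nft add rule bridge filter INPUT meta mark and 0x2 0 counter` would exercise that path and pin the bare-`0` output, which is the one most likely to be misread or regressed.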
@@ -0,0 +1,11 @@
+ebtables-translate -A INPUT --nflog
+nft add rule bridge filter INPUT log group 1 counter
+
+ebtables-translate -A INPUT --nflog-group 42
+nft add rule bridge filter INPUT log group 42 counter
+
+ebtables-translate -A INPUT --nflog-range 42
+nft add rule bridge filter INPUT log group 1 snaplen 42 counter
+
+ebtables-translate -A INPUT --nflog-threshold 100 --nflog-prefix foo
+nft add rule bridge filter INPUT log prefix "foo" group 1 queue-threshold 100 counter
diff --git a/xlate-test.py b/xlate-test.py
index dbba1d67..0b371dfd 100755
--- a/xlate-test.py
+++ b/xlate-test.py
@@ -7,7 +7,7 @@ import shlex
 import argparse
 from subprocess import Popen, PIPE
-keywords = ("iptables-translate", "ip6tables-translate")
+keywords = ("iptables-translate", "ip6tables-translate", "ebtables-translate")
 if sys.stdout.isatty():
 colors = {"magenta": "\033[95m", "green": "\033[92m", "yellow": "\033[93m", |