summaryrefslogtreecommitdiffstats
path: root/extensions/libebt_ip.txlate
Commit message (Collapse)AuthorAgeFilesLines
* ebtables: Default to extrapositioned negationsPhil Sutter2024-01-101-2/+2
| | | | | | | | | | | | | | | ebtables-nft has always supported both intra- and extrapositioned negations but defaulted to intrapositioned when printing/saving rules. With commit 58d364c7120b5 ("ebtables: Use do_parse() from xshared") though, it started to warn about intrapositioned negations. So change the default to avoid mandatory warnings when e.g. loading previously dumped rulesets. Also adjust test cases, help texts and ebtables-nft.8 accordingly. Cc: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Phil Sutter <phil@nwl.cc>
* xtables-translate: Support insert with indexPhil Sutter2023-02-171-1/+1
| | | | | | | | | Translation is pretty simple due to nft's 'insert rule ... index' support. Testing the translation is sadly not: index 1 vanishes (as it should), higher indexes are rejected in replay mode since no rules previously exist. Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libebt_ip: Translation has to match on ether typePhil Sutter2023-02-171-3/+3
| | | | | | | | | | | | | | On one hand, nft refuses th expression in bridge family if layer3 protocol has not been assured by a previous match. On the other, ebt_ip kernel module will only match on IPv4 packets, so there might be a functional change in the translation versus the original. Instead of just always emitting an 'ether type' match, decide whether it's actually needed - explicit "ip <something>" payload matches (or icmp ones) cause implicit creation of a match on IPv4 by nft. Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: libebt_ip: Do not use 'ip dscp' for translationPhil Sutter2023-02-171-1/+1
| | | | | | | | | Converting from TOS field match to DSCP one is irreversible, so replay testing is not possible. Use a raw payload expression to produce something that translates 1:1 back into an 'ip' match. Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations") Signed-off-by: Phil Sutter <phil@nwl.cc>
* extensions: change expected output for new formatFlorian Westphal2022-11-301-9/+9
| | | | | | | | Now that xtables-translate encloses the entire command line in ', update the test cases accordingly. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Phil Sutter <phil@nwl.cc>
* ebtables-translate: suppress redundant protocolsFlorian Westphal2018-05-101-9/+9
| | | | | | | | | | | kernel would reject ip, ip6 etc. without -p ip, -p ip6. So add it. On reverse, search the match list to decide if -p has to be translated or not. Also, icmp and icmpv6 also imply l3 protocol, so no need to translate that either. Signed-off-by: Florian Westphal <fw@strlen.de>
* libebt_ip: fix translations for tos and icmpFlorian Westphal2018-04-191-4/+4
| | | | | | | tos translation to dscp yielded incorrect value. icmp inserted extra "ip" keyword, remove it. Signed-off-by: Florian Westphal <fw@strlen.de>
* libebt_ip: add icmp supportFlorian Westphal2018-04-191-0/+9
| | | | | | Was added to ebtables recently, so backport this to ebt-compat. Signed-off-by: Florian Westphal <fw@strlen.de>
* xt-translate: quote interface names in translated outputFlorian Westphal2018-04-191-1/+1
| | | | | | | it its good practice as interface names can be virtually any identifier and could clash with nft keywords. Signed-off-by: Florian Westphal <fw@strlen.de>
* ebtables-translate: add initial test casesFlorian Westphal2018-04-131-0/+17
Signed-off-by: Florian Westphal <fw@strlen.de>