From 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Tue, 2 Mar 2021 14:50:07 +0100 Subject: xtables-translate: Fix translation of odd netmasks Iptables supports netmasks which are not prefixes to match on (or ignore) arbitrary bits in an address. Yet nftables' prefix notation is available for real prefixes only, so translation is not as trivial - print bitmask syntax for those cases. Signed-off-by: Phil Sutter --- extensions/generic.txlate | 48 +++++++++++++++++++++++++++++++++++++++++++++ extensions/libxt_standard.t | 12 ++++++++++++ 2 files changed, 60 insertions(+) (limited to 'extensions') diff --git a/extensions/generic.txlate b/extensions/generic.txlate index 0e256c37..9ae9a5b5 100644 --- a/extensions/generic.txlate +++ b/extensions/generic.txlate @@ -10,6 +10,54 @@ nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8 nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter +iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0 +nft insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter + +iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0 +nft insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter + +iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255 +nft insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter + +iptables-translate -I INPUT ! -s 10.11.12.13/0.255.0.255 +nft insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter + +iptables-translate -I INPUT -s 0.0.0.0/16 +nft insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter + +iptables-translate -I INPUT -s 0.0.0.0/0 +nft insert rule ip filter INPUT counter + +iptables-translate -I INPUT ! -s 0.0.0.0/0 +nft insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter + +ip6tables-translate -I INPUT -i iifname -s feed::/16 +nft insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter + +ip6tables-translate -A INPUT -i iif+ ! -d feed::/16 +nft add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter + +ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00:: +nft insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter + +ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0 +nft insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter + +ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff +nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter + +ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff +nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter + +ip6tables-translate -I INPUT -s ::/16 +nft insert rule ip6 filter INPUT ip6 saddr ::/16 counter + +ip6tables-translate -I INPUT -s ::/0 +nft insert rule ip6 filter INPUT counter + +ip6tables-translate -I INPUT ! -s ::/0 +nft insert rule ip6 filter INPUT ip6 saddr != ::/0 counter + ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0 nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t index 4313f7b7..56d6da2e 100644 --- a/extensions/libxt_standard.t +++ b/extensions/libxt_standard.t @@ -9,3 +9,15 @@ -j ACCEPT;=;OK -j RETURN;=;OK ! -p 0 -j ACCEPT;=;FAIL +-s 10.11.12.13/8;-s 10.0.0.0/8;OK +-s 10.11.12.13/9;-s 10.0.0.0/9;OK +-s 10.11.12.13/10;-s 10.0.0.0/10;OK +-s 10.11.12.13/11;-s 10.0.0.0/11;OK +-s 10.11.12.13/12;-s 10.0.0.0/12;OK +-s 10.11.12.13/30;-s 10.11.12.12/30;OK +-s 10.11.12.13/31;-s 10.11.12.12/31;OK +-s 10.11.12.13/32;-s 10.11.12.13/32;OK +-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK +-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK +-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK +-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK -- cgit v1.2.3