From f38ed1e59f8d3b62e322563401cabc6dbac5fca5 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Wed, 18 Apr 2018 00:09:05 +0200 Subject: xt-translate: quote interface names in translated output it its good practice as interface names can be virtually any identifier and could clash with nft keywords. Signed-off-by: Florian Westphal --- extensions/libebt_ip.txlate | 2 +- extensions/libip6t_DNAT.txlate | 2 +- extensions/libip6t_SNAT.txlate | 8 ++++---- extensions/libipt_DNAT.txlate | 8 ++++---- extensions/libipt_SNAT.txlate | 10 +++++----- extensions/libxt_cluster.txlate | 18 +++++++++--------- extensions/libxt_esp.txlate | 2 +- extensions/libxt_tcp.txlate | 4 ++-- extensions/libxt_udp.txlate | 4 ++-- 9 files changed, 29 insertions(+), 29 deletions(-) (limited to 'extensions') diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate index 7f08f71d..4d31a700 100644 --- a/extensions/libebt_ip.txlate +++ b/extensions/libebt_ip.txlate @@ -5,7 +5,7 @@ ebtables-translate -I FORWARD --ip-dst 10.0.0.1 nft insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter ebtables-translate -I OUTPUT 3 -o eth0 --ip-tos 0xff -nft insert rule bridge filter OUTPUT position 3 ip dscp 0xFC counter +nft insert rule bridge filter OUTPUT oifname "eth0" ip dscp 0xFC counter ebtables-translate -A FORWARD --ip-proto tcp --ip-dport 22 nft add rule bridge filter FORWARD tcp dport 22 counter diff --git a/extensions/libip6t_DNAT.txlate b/extensions/libip6t_DNAT.txlate index fe26075d..03c4caf7 100644 --- a/extensions/libip6t_DNAT.txlate +++ b/extensions/libip6t_DNAT.txlate @@ -1,5 +1,5 @@ ip6tables-translate -t nat -A prerouting -i eth1 -p tcp --dport 8080 -j DNAT --to-destination [fec0::1234]:80 -nft add rule ip6 nat prerouting iifname eth1 tcp dport 8080 counter dnat to [fec0::1234]:80 +nft add rule ip6 nat prerouting iifname "eth1" tcp dport 8080 counter dnat to [fec0::1234]:80 ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:1-20 nft add rule ip6 nat prerouting meta l4proto tcp counter dnat to [fec0::1234]:1-20 diff --git a/extensions/libip6t_SNAT.txlate b/extensions/libip6t_SNAT.txlate index 9793f8d5..44f2fcea 100644 --- a/extensions/libip6t_SNAT.txlate +++ b/extensions/libip6t_SNAT.txlate @@ -1,11 +1,11 @@ ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:80 -nft add rule ip6 nat postrouting oifname eth0 meta l4proto tcp counter snat to [fec0::1234]:80 +nft add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to [fec0::1234]:80 ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:1-20 -nft add rule ip6 nat postrouting oifname eth0 meta l4proto tcp counter snat to [fec0::1234]:1-20 +nft add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to [fec0::1234]:1-20 ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:123 --random -nft add rule ip6 nat postrouting oifname eth0 meta l4proto tcp counter snat to [fec0::1234]:123 random +nft add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to [fec0::1234]:123 random ip6tables-translate -t nat -A postrouting -o eth0 -p tcp -j SNAT --to [fec0::1234]:123 --random-fully --persistent -nft add rule ip6 nat postrouting oifname eth0 meta l4proto tcp counter snat to [fec0::1234]:123 fully-random,persistent +nft add rule ip6 nat postrouting oifname "eth0" meta l4proto tcp counter snat to [fec0::1234]:123 fully-random,persistent diff --git a/extensions/libipt_DNAT.txlate b/extensions/libipt_DNAT.txlate index 692358e2..e88314d9 100644 --- a/extensions/libipt_DNAT.txlate +++ b/extensions/libipt_DNAT.txlate @@ -1,14 +1,14 @@ iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 -nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat to 1.2.3.4 +nft add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4 iptables-translate -t nat -A prerouting -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10 nft add rule ip nat prerouting ip daddr 15.45.23.67 tcp dport 80 counter dnat to 192.168.1.1-192.168.1.10 iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1-1023 -nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat to 1.2.3.4:1-1023 +nft add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4:1-1023 iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random -nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat to 1.2.3.4 random +nft add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4 random iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random --persistent -nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat to 1.2.3.4 random,persistent +nft add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4 random,persistent diff --git a/extensions/libipt_SNAT.txlate b/extensions/libipt_SNAT.txlate index 4efd3ad0..01592fad 100644 --- a/extensions/libipt_SNAT.txlate +++ b/extensions/libipt_SNAT.txlate @@ -1,14 +1,14 @@ iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 -nft add rule ip nat postrouting oifname eth0 counter snat to 1.2.3.4 +nft add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4 iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6 -nft add rule ip nat postrouting oifname eth0 counter snat to 1.2.3.4-1.2.3.6 +nft add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4-1.2.3.6 iptables-translate -t nat -A postrouting -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023 -nft add rule ip nat postrouting oifname eth0 ip protocol tcp counter snat to 1.2.3.4:1-1023 +nft add rule ip nat postrouting oifname "eth0" ip protocol tcp counter snat to 1.2.3.4:1-1023 iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random -nft add rule ip nat postrouting oifname eth0 counter snat to 1.2.3.4 random +nft add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4 random iptables-translate -t nat -A postrouting -o eth0 -j SNAT --to 1.2.3.4 --random --persistent -nft add rule ip nat postrouting oifname eth0 counter snat to 1.2.3.4 random,persistent +nft add rule ip nat postrouting oifname "eth0" counter snat to 1.2.3.4 random,persistent diff --git a/extensions/libxt_cluster.txlate b/extensions/libxt_cluster.txlate index a9d3b51a..9dcf5707 100644 --- a/extensions/libxt_cluster.txlate +++ b/extensions/libxt_cluster.txlate @@ -1,26 +1,26 @@ iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr mod 2 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff +nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 2 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 1 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr mod 1 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff +nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 1 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-nodemask 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr mod 2 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff +nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 2 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 1 --cluster-local-nodemask 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr mod 1 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff +nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 1 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 32 --cluster-local-node 32 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr mod 32 seed 0xdeadbeef eq 32 meta pkttype set host counter meta mark set 0xffff +nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 32 seed 0xdeadbeef eq 32 meta pkttype set host counter meta mark set 0xffff iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 32 --cluster-local-nodemask 32 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr mod 32 seed 0xdeadbeef eq 6 meta pkttype set host counter meta mark set 0xffff +nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 32 seed 0xdeadbeef eq 6 meta pkttype set host counter meta mark set 0xffff iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 32 --cluster-local-nodemask 5 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr mod 32 seed 0xdeadbeef { 0, 2 } meta pkttype set host counter meta mark set 0xffff +nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 32 seed 0xdeadbeef { 0, 2 } meta pkttype set host counter meta mark set 0xffff iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 7 --cluster-local-nodemask 9 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr mod 7 seed 0xdeadbeef { 0, 3 } meta pkttype set host counter meta mark set 0xffff +nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 7 seed 0xdeadbeef { 0, 3 } meta pkttype set host counter meta mark set 0xffff iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 7 --cluster-local-node 5 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff -nft add rule ip mangle PREROUTING iifname eth1 jhash ct original saddr mod 7 seed 0xdeadbeef eq 5 meta pkttype set host counter meta mark set 0xffff +nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 7 seed 0xdeadbeef eq 5 meta pkttype set host counter meta mark set 0xffff diff --git a/extensions/libxt_esp.txlate b/extensions/libxt_esp.txlate index a67c6f0e..5e2f18fa 100644 --- a/extensions/libxt_esp.txlate +++ b/extensions/libxt_esp.txlate @@ -2,7 +2,7 @@ iptables-translate -A FORWARD -p esp -j ACCEPT nft add rule ip filter FORWARD ip protocol esp counter accept iptables-translate -A INPUT --in-interface wan --protocol esp -j ACCEPT -nft add rule ip filter INPUT iifname wan ip protocol esp counter accept +nft add rule ip filter INPUT iifname "wan" ip protocol esp counter accept iptables-translate -A INPUT -p 50 -m esp --espspi 500 -j DROP nft add rule ip filter INPUT esp spi 500 counter drop diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate index db099037..ccec4362 100644 --- a/extensions/libxt_tcp.txlate +++ b/extensions/libxt_tcp.txlate @@ -1,8 +1,8 @@ iptables-translate -A INPUT -p tcp -i eth0 --sport 53 -j ACCEPT -nft add rule ip filter INPUT iifname eth0 tcp sport 53 counter accept +nft add rule ip filter INPUT iifname "eth0" tcp sport 53 counter accept iptables-translate -A OUTPUT -p tcp -o eth0 --dport 53:66 -j DROP -nft add rule ip filter OUTPUT oifname eth0 tcp dport 53-66 counter drop +nft add rule ip filter OUTPUT oifname "eth0" tcp dport 53-66 counter drop iptables-translate -I OUTPUT -p tcp -d 8.8.8.8 -j ACCEPT nft insert rule ip filter OUTPUT ip protocol tcp ip daddr 8.8.8.8 counter accept diff --git a/extensions/libxt_udp.txlate b/extensions/libxt_udp.txlate index a9adfcda..fbca5c12 100644 --- a/extensions/libxt_udp.txlate +++ b/extensions/libxt_udp.txlate @@ -1,8 +1,8 @@ iptables-translate -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT -nft add rule ip filter INPUT iifname eth0 udp sport 53 counter accept +nft add rule ip filter INPUT iifname "eth0" udp sport 53 counter accept iptables-translate -A OUTPUT -p udp -o eth0 --dport 53:66 -j DROP -nft add rule ip filter OUTPUT oifname eth0 udp dport 53-66 counter drop +nft add rule ip filter OUTPUT oifname "eth0" udp dport 53-66 counter drop iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT nft insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accept -- cgit v1.2.3