From: Pablo Neira Ayuso <pablo@netfilter.org>
To: shankerwangmiao@gmail.com
Cc: netfilter-devel@vger.kernel.org, phil@nwl.cc
Subject: Re: [PATCH iptables] extensions: libebt_redirect: prevent translation
Date: Fri, 25 Apr 2025 11:01:43 +0200	[thread overview]
Message-ID: <aAtPd3QF-2v8TNCe@calendula> (raw)
In-Reply-To: <20250425-xlat-ebt-redir-v1-1-3e11a5925569@gmail.com>

On Fri, Apr 25, 2025 at 04:44:24PM +0800, Miao Wang via B4 Relay wrote:
> From: Miao Wang <shankerwangmiao@gmail.com>
> 
> The redirect target in ebtables does two things: 1. set skb->pkt_type to
> PACKET_HOST, and 2. set the destination mac address to the address of
> the receiving bridge device (when not used in the BROUTING chain), or the
> receiving physical device (otherwise). However, the latter cannot be
> implemented in nftables, which is not given the translated mac address. So it is
> not appropriate to give a specious translation.
> 
> This patch adds xt target redirect to the translated nft rule, to ensure
> it cannot later be loaded by nft, to prevent possible misunderstanding.
> 
> Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
> Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
> ---
>  extensions/libebt_redirect.c      | 2 +-
>  extensions/libebt_redirect.txlate | 6 +++---
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c
> index a44dbaec6cc8b12f20acd31dcb1360ac7245e349..83d2b576cea5ae625f3bdf667ad56fc57c1665d9 100644
> --- a/extensions/libebt_redirect.c
> +++ b/extensions/libebt_redirect.c
> @@ -77,7 +77,7 @@ static int brredir_xlate(struct xt_xlate *xl,
>  {
>  	const struct ebt_redirect_info *red = (const void*)params->target->data;
>  
> -	xt_xlate_add(xl, "meta pkttype set host");
> +	xt_xlate_add(xl, "meta pkttype set host xt target redirect");
>  	if (red->target != EBT_CONTINUE)
>  		xt_xlate_add(xl, " %s ", brredir_verdict(red->target));
>  	return 1;
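Review bot: appending the literal token `xt target redirect` to the xlate string (`xt_xlate_add(xl, "meta pkttype set host xt target redirect");`) hands the caller a rule that nft will reject, yet the function still ends with `return 1;`, which tells ebtables-translate the translation succeeded. If the point is that this target has no faithful nft equivalent, the established way to say so is to return 0 from brredir_xlate, so that ebtables-translate prints the original rule commented out instead of a string that only breaks later when someone feeds it to nft; if instead the `meta pkttype set host` half is worth keeping, say in a comment next to it that the destination mac rewrite is deliberately not translated, rather than poisoning the output.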
> diff --git a/extensions/libebt_redirect.txlate b/extensions/libebt_redirect.txlate
> index d073ec774c4fa817e48422fb99aaf095dd9eab65..abafd8d15aef8349d29ad812a03f0ebeeaea118c 100644
> --- a/extensions/libebt_redirect.txlate
> +++ b/extensions/libebt_redirect.txlate
> @@ -1,8 +1,8 @@
>  ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
> -nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host accept'
> +nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host xt target redirect accept'

This is not a working translation; I don't think this leaves things in
a better situation than before.

>  ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN
> -nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host return'
> +nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host xt target redirect return'
>  
>  ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE
> -nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host'
> +nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host xt target redirect'
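Review bot: all three expectation lines in this hunk now assert output that nft cannot load (`... meta pkttype set host xt target redirect accept` and its RETURN/CONTINUE variants), so the .txlate file stops checking for a correct translation and instead locks in a deliberately broken one. If the translation is meant to be withdrawn, the expectations should change to whatever ebtables-translate emits for an untranslatable rule (the commented-out original), not to a string whose only property is that it fails once it reaches nft.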
> 
> ---
> base-commit: 192c3a6bc18f206895ec5e38812d648ccfe7e281
> change-id: 20250425-xlat-ebt-redir-aa40928f6fae
> 
> Best regards,
> -- 
> Miao Wang <shankerwangmiao@gmail.com>
> 
> 
> 

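The point raised above is that a .txlate expectation can look like a translation while encoding something nft will never load. The following is an added example, not code from the iptables project or from anyone in this thread: a small lint that parses the .txlate layout visible in the quoted hunk (a translate command line followed by `nft '...'` expectation lines, cases separated by blank lines) and reports expectations carrying an `xt match` / `xt target` token. The sample input is constructed here from the thread's own before/after lines; the file layout and the choice of those tokens as the marker are assumptions.

```python
"""Lint .txlate expectation files for nft rule strings that nft cannot load.

Added example, not part of iptables. Assumes the layout seen in
extensions/libebt_redirect.txlate: a translate command line followed by
one or more "nft '...'" lines, with blank lines between cases.
"""
import re
from typing import Dict, List, Tuple

# Tokens nft prints for xtables-compat expressions it lists but will not
# parse back in; an expected translation containing them cannot be loaded.
COMPAT_TOKEN = re.compile(r"\bxt (?:match|target)\b")
NFT_LINE = re.compile(r"^nft '(.*)'$")

# Constructed sample in the .txlate layout: the first case is the original
# expectation from the thread, the second is the patched one.
SAMPLE = """\
ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host accept'

ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN
nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host xt target redirect return'
"""


def parse_txlate(text: str) -> List[Tuple[str, List[str]]]:
    """Group a .txlate file into (translate command, [nft rule strings]).

    A case starts at any non-blank line that is not an "nft '...'" line and
    collects the nft expectation lines that follow it.
    """
    cases: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NFT_LINE.match(line)
        if m and cases:
            cases[-1][1].append(m.group(1))
        else:
            cases.append((line, []))
    return cases


def find_unloadable(text: str) -> Dict[str, List[str]]:
    """Map each translate command to its expectations that carry a compat token."""
    bad: Dict[str, List[str]] = {}
    for cmd, rules in parse_txlate(text):
        hits = [r for r in rules if COMPAT_TOKEN.search(r)]
        if hits:
            bad[cmd] = hits
    return bad


if __name__ == "__main__":
    for cmd, rules in find_unloadable(SAMPLE).items():
        print(f"{cmd}\n  -> unloadable: {rules}")
```

Run over the real `extensions/*.txlate` files, this flags exactly the kind of expectation the patch introduces; it does not replace feeding the output to `nft -c`, which is the real check, but it catches the marker without needing a kernel with the bridge table set up.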

Thread overview: 6+ messages
2025-04-25  8:44 [PATCH iptables] extensions: libebt_redirect: prevent translation Miao Wang
2025-04-25  8:44 ` Miao Wang via B4 Relay
2025-04-25  9:01 ` Pablo Neira Ayuso [this message]
2025-04-25  9:07   ` Miao Wang
2025-04-25  9:17     ` Pablo Neira Ayuso
2025-04-25 14:48     ` Phil Sutter
