* [PATCH iptables v2] extensions: libebt_redirect: prevent translation
@ 2025-07-17 8:27 ` Miao Wang via B4 Relay
0 siblings, 0 replies; 9+ messages in thread
From: Miao Wang via B4 Relay @ 2025-07-17 8:27 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso, phil, Miao Wang
From: Miao Wang <shankerwangmiao@gmail.com>
The redirect target in ebtables does two things: 1. set skb->pkt_type to
PACKET_HOST, and 2. set the destination MAC address to the address of
the receiving bridge device (when not used in the BROUTING chain), or the
receiving physical device (otherwise). However, the latter cannot be
implemented in nftables, since the translated rule is not given the MAC
address. So it is not appropriate to give a specious translation.
This patch disables the translation to prevent possible misunderstanding.
Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
---
Changes in v2:
- Completely remove the translation from the ebtables redirect target to
nft rule according to Pablo's suggestion.
- Link to v1: https://lore.kernel.org/r/20250425-xlat-ebt-redir-v1-1-3e11a5925569@gmail.com
---
extensions/libebt_redirect.c | 19 +------------------
extensions/libebt_redirect.txlate | 8 --------
2 files changed, 1 insertion(+), 26 deletions(-)
diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c
index a44dbaec6cc8b12f20acd31dcb1360ac7245e349..12d87f93df6386cacf4fe257070933cc552b41f4 100644
--- a/extensions/libebt_redirect.c
+++ b/extensions/libebt_redirect.c
@@ -60,27 +60,10 @@ static void brredir_print(const void *ip, const struct xt_entry_target *target,
printf("--redirect-target %s", ebt_target_name(redirectinfo->target));
}
-static const char* brredir_verdict(int verdict)
-{
- switch (verdict) {
- case EBT_ACCEPT: return "accept";
- case EBT_DROP: return "drop";
- case EBT_CONTINUE: return "continue";
- case EBT_RETURN: return "return";
- }
-
- return "";
-}
-
static int brredir_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
- const struct ebt_redirect_info *red = (const void*)params->target->data;
-
- xt_xlate_add(xl, "meta pkttype set host");
- if (red->target != EBT_CONTINUE)
- xt_xlate_add(xl, " %s ", brredir_verdict(red->target));
- return 1;
+ return 0;
}
static struct xtables_target brredirect_target = {
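Review bot: with brredir_xlate reduced to an unconditional `return 0;`, the params argument is unused and, as far as I can tell, the stub is indistinguishable from having no .xlate callback at all, since the common translation code already treats a missing callback as "no translation available". Dropping the function together with the `.xlate = brredir_xlate` member of brredirect_target (just below this hunk) would remove the dead stub entirely, which is what "completely remove the translation" in the changelog suggests; if the stub is kept on purpose, a one-line comment saying that the target is deliberately untranslatable because the destination MAC is not available to nft would stop the next reader from re-adding the pkttype-only translation.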
diff --git a/extensions/libebt_redirect.txlate b/extensions/libebt_redirect.txlate
deleted file mode 100644
index d073ec774c4fa817e48422fb99aaf095dd9eab65..0000000000000000000000000000000000000000
--- a/extensions/libebt_redirect.txlate
+++ /dev/null
@@ -1,8 +0,0 @@
-ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host accept'
-
-ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN
-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host return'
-
-ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE
-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host'
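Review bot: deleting the whole .txlate file drops the only regression coverage for this target; keeping one case that pins the new behaviour, i.e. that `ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect` now yields a commented-out, untranslated rule instead of `meta pkttype set host accept`, would make sure the pkttype-only translation cannot silently come back, provided the xlate test harness can express an expected "# ..." line.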
---
base-commit: 192c3a6bc18f206895ec5e38812d648ccfe7e281
change-id: 20250425-xlat-ebt-redir-aa40928f6fae
Best regards,
--
Miao Wang <shankerwangmiao@gmail.com>
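What the patch leaves untranslated can still be written by hand if the operator supplies the address that ebt_redirect would have chosen itself. The following is an added example, not code from the patch, from iptables or from nftables: it builds the nft equivalent of the ebtables rules from the deleted .txlate file with the destination MAC filled in. The interface names, addresses and the port-to-bridge mapping are constructed sample data in the shape of `ip -br link` output, and `parse_links`, `redirect_dst_mac` and `translate_redirect` are hypothetical helper names. Because the address is a property of the receiving bridge, the translation has to become one rule per bridge keyed on that bridge's ports; a per-packet key such as the one Pablo proposes later in the thread would collapse those back into a single rule.

```python
"""Added example: hand-translate 'ebtables ... -j redirect' into nft rules
with the destination MAC supplied explicitly.  Not part of the patch or of
the iptables/nftables projects; all names and addresses are hypothetical."""
import re

# Constructed sample in the shape of 'ip -br link' output (hypothetical host).
SAMPLE_LINKS = """\
lo    UNKNOWN 00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
br0   UP      02:11:22:33:44:55 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth0  UP      02:aa:bb:cc:dd:01 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth1  UP      02:aa:bb:cc:dd:02 <BROADCAST,MULTICAST,UP,LOWER_UP>
br1   UP      02:11:22:33:44:66 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth2  UP      02:aa:bb:cc:dd:03 <BROADCAST,MULTICAST,UP,LOWER_UP>
"""

# Port -> bridge membership (constructed; on a real host read
# /sys/class/net/<port>/master or the output of 'bridge link').
SAMPLE_PORTS = {"eth0": "br0", "eth1": "br0", "eth2": "br1"}

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# --redirect-target values and the nft verdict each maps to; CONTINUE has
# none, exactly as the removed brredir_verdict() handled it.
VERDICTS = {"ACCEPT": "accept", "DROP": "drop", "RETURN": "return", "CONTINUE": ""}


def parse_links(text):
    """Map interface name -> lowercase MAC from 'ip -br link' style lines."""
    addrs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and MAC_RE.match(fields[2].lower()):
            addrs[fields[0]] = fields[2].lower()
    return addrs


def redirect_dst_mac(in_port, addrs, ports, brouting=False):
    """Address ebt_redirect writes into the frame: the bridge device's own
    address normally, the receiving port's address when used in BROUTING."""
    if brouting:
        return addrs[in_port]
    bridge = ports.get(in_port)
    if bridge is None:
        raise ValueError(f"{in_port} is not a bridge port")
    return addrs[bridge]


def translate_redirect(match_daddr, target, addrs, ports,
                       table="nat", chain="PREROUTING"):
    """Expand 'ebtables -t nat -A PREROUTING -d <mac> -j redirect
    [--redirect-target T]' into nft rules.  The MAC to set is per bridge,
    so one rule per bridge is emitted, selected by iifname over its ports."""
    if target not in VERDICTS:
        raise ValueError(f"unknown --redirect-target {target}")
    if not MAC_RE.match(match_daddr.lower()):
        raise ValueError(f"bad MAC {match_daddr}")
    by_bridge = {}
    for port, bridge in sorted(ports.items()):
        by_bridge.setdefault(bridge, []).append(port)
    rules = []
    for bridge, members in sorted(by_bridge.items()):
        mac = redirect_dst_mac(members[0], addrs, ports)
        iif = ", ".join(f'"{p}"' for p in members)
        rule = (f"add rule bridge {table} {chain} iifname {{ {iif} }} "
                f"ether daddr {match_daddr.lower()} counter "
                f"meta pkttype set host ether daddr set {mac}")
        if VERDICTS[target]:
            rule += " " + VERDICTS[target]
        rules.append(rule)
    return rules


if __name__ == "__main__":
    links = parse_links(SAMPLE_LINKS)
    for nft_rule in translate_redirect("de:ad:00:00:be:ef", "ACCEPT",
                                       links, SAMPLE_PORTS):
        print(nft_rule)
```

Running the block prints the rules for the sample host; load them with `nft -f` only after checking the bridge addresses against `ip -br link` on the target, since, unlike ebt_redirect, the address is frozen into the ruleset and will not follow a later change of the bridge's MAC.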
* Re: [PATCH iptables v2] extensions: libebt_redirect: prevent translation
2025-07-17 8:27 ` Miao Wang via B4 Relay
@ 2025-07-17 10:05 ` Phil Sutter
-1 siblings, 0 replies; 9+ messages in thread
From: Phil Sutter @ 2025-07-17 10:05 UTC (permalink / raw)
To: shankerwangmiao; +Cc: netfilter-devel, Pablo Neira Ayuso
Hi Wang Miao,
On Thu, Jul 17, 2025 at 04:27:37PM +0800, Miao Wang via B4 Relay wrote:
> From: Miao Wang <shankerwangmiao@gmail.com>
>
> The redirect target in ebtables does two things: 1. set skb->pkt_type to
> PACKET_HOST, and 2. set the destination MAC address to the address of
> the receiving bridge device (when not used in the BROUTING chain), or the
> receiving physical device (otherwise). However, the latter cannot be
> implemented in nftables, since the translated rule is not given the MAC
> address. So it is not appropriate to give a specious translation.
>
> This patch disables the translation to prevent possible misunderstanding.
ACK, better drop the translation for now if it behaves differently to
the original.
> Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
> Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
Patch applied, thanks!
* Re: [PATCH iptables v2] extensions: libebt_redirect: prevent translation
2025-07-17 8:27 ` Miao Wang via B4 Relay
@ 2025-07-17 12:01 ` Pablo Neira Ayuso
2025-07-17 12:23 ` Phil Sutter
-1 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2025-07-17 12:01 UTC (permalink / raw)
To: shankerwangmiao; +Cc: netfilter-devel, phil
On Thu, Jul 17, 2025 at 04:27:37PM +0800, Miao Wang via B4 Relay wrote:
> From: Miao Wang <shankerwangmiao@gmail.com>
>
> The redirect target in ebtables does two things: 1. set skb->pkt_type to
> PACKET_HOST, and 2. set the destination MAC address to the address of
> the receiving bridge device (when not used in the BROUTING chain), or the
> receiving physical device (otherwise). However, the latter cannot be
> implemented in nftables, since the translated rule is not given the MAC
> address. So it is not appropriate to give a specious translation.
It should be possible to expose the bridge port device address through
this extension, see (untested) patch.
Then, it should be possible to provide this translation:
ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef \
counter meta pkttype set host ether daddr set meta ibrhwdr accept'
[Attachment: meta-hwaddr.patch]
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 2beb30be2c5f..a0d9daa05a8f 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -959,6 +959,7 @@ enum nft_exthdr_attributes {
* @NFT_META_SDIF: slave device interface index
* @NFT_META_SDIFNAME: slave device interface name
* @NFT_META_BRI_BROUTE: packet br_netfilter_broute bit
+ * @NFT_META_BRI_IIFHWADDR: packet input bridge interface ethernet address
*/
enum nft_meta_keys {
NFT_META_LEN,
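Review bot: the new doc line, "packet input bridge interface ethernet address", is open to the very misreading this thread is about (bridge device vs. bridge port); spell out that it is the address of the bridge device the input interface is a port of, e.g. "ethernet address of the bridge the input port belongs to", so it is not taken for the port's own address.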
@@ -999,6 +1000,7 @@ enum nft_meta_keys {
NFT_META_SDIFNAME,
NFT_META_BRI_BROUTE,
__NFT_META_IIFTYPE,
+ NFT_META_BRI_IIFHWADDR,
};
/**
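Review bot: appending NFT_META_BRI_IIFHWADDR at the end keeps existing key values stable, which is right for a UAPI enum, but it lands after the double-underscore entry __NFT_META_IIFTYPE; check that this name is not meant to stay the last entry (such `__` names are sometimes used as sentinels) and, if it is, insert the new key before it. The userspace side is not in this patch: libnftnl's meta key table and the nft keyword the proposed translation spells as `meta ibrhwdr` both need a matching entry, otherwise the `ether daddr set meta ibrhwdr` rule quoted in the mail cannot be parsed or loaded.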
diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
index 5adced1e7d0c..d1ae1a2a59f5 100644
--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -59,6 +59,13 @@ static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
nft_reg_store_be16(dest, htons(p_proto));
return;
}
+ case NFT_META_BRI_IIFHWADDR:
+ br_dev = nft_meta_get_bridge(in);
+ if (!br_dev)
+ goto err;
+
+ memcpy(dest, br_dev->dev_addr, ETH_ALEN);
+ return;
default:
return nft_meta_get_eval(expr, regs, pkt);
}
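Review bot: `memcpy(dest, br_dev->dev_addr, ETH_ALEN)` fills six bytes of a u32 register array, so the last two bytes of the second register keep whatever the previous expression left there; nft_payload_eval zeroes the trailing register for lengths that are not a multiple of four (`dest[len / NFT_REG32_SIZE] = 0`) precisely so that concatenated set keys built from padded registers are deterministic, and the same `dest[1] = 0;` before the memcpy is needed here. The direct `return` is correct since the common tail of this function does a strncpy of br_dev->name, which must not run for this key; a one-line comment saying so would help, as the other bridge cases break to that tail.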
@@ -86,6 +93,9 @@ static int nft_meta_bridge_get_init(const struct nft_ctx *ctx,
case NFT_META_BRI_IIFVPROTO:
len = sizeof(u16);
break;
+ case NFT_META_BRI_IIFHWADDR:
+ len = ETH_ALEN;
+ break;
default:
return nft_meta_get_init(ctx, expr, tb);
}
* Re: [PATCH iptables v2] extensions: libebt_redirect: prevent translation
2025-07-17 12:01 ` Pablo Neira Ayuso
@ 2025-07-17 12:23 ` Phil Sutter
2025-07-19 15:24 ` Florian Westphal
0 siblings, 1 reply; 9+ messages in thread
From: Phil Sutter @ 2025-07-17 12:23 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: shankerwangmiao, netfilter-devel
Hi Pablo,
On Thu, Jul 17, 2025 at 02:01:47PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jul 17, 2025 at 04:27:37PM +0800, Miao Wang via B4 Relay wrote:
> > From: Miao Wang <shankerwangmiao@gmail.com>
> >
> > The redirect target in ebtables does two things: 1. set skb->pkt_type to
> > PACKET_HOST, and 2. set the destination MAC address to the address of
> > the receiving bridge device (when not used in the BROUTING chain), or the
> > receiving physical device (otherwise). However, the latter cannot be
> > implemented in nftables, since the translated rule is not given the MAC
> > address. So it is not appropriate to give a specious translation.
>
> It should be possible to expose the bridge port device address through
> this extension, see (untested) patch.
Yes, that looks good!
> Then, it should be possible to provide this translation:
>
> ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
> nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef \
> counter meta pkttype set host ether daddr set meta ibrhwdr accept'
Now in broute table, ebt_redirect.ko sets the ether daddr of the packet
to that of the incoming interface, i.e. the bridge port not the bridge
itself. We'll need an extension for that, too, right? I guess just
calling 'redirect' verdict will manipulate the IP header as well which
we don't want.
Cheers, Phil
* Re: [PATCH iptables v2] extensions: libebt_redirect: prevent translation
2025-07-17 12:23 ` Phil Sutter
@ 2025-07-19 15:24 ` Florian Westphal
2025-07-22 8:33 ` Phil Sutter
0 siblings, 1 reply; 9+ messages in thread
From: Florian Westphal @ 2025-07-19 15:24 UTC (permalink / raw)
To: Phil Sutter, Pablo Neira Ayuso, shankerwangmiao, netfilter-devel
Phil Sutter <phil@nwl.cc> wrote:
> > ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
> > nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef \
> > counter meta pkttype set host ether daddr set meta ibrhwdr accept'
>
> Now in broute table, ebt_redirect.ko sets the ether daddr of the packet
> to that of the incoming interface, i.e. the bridge port not the bridge
> itself. We'll need an extension for that, too right?
Yes, but I don't think the broute feature is that relevant given the lack
of requests for support in nftables. Most want to make the packet
enter the bridge input path and not pretend that the bridge didn't exist
in the first place.
> I guess just
> calling 'redirect' verdict will manipulate the IP header as well which
> we don't want
Can you point me to the code that alters the IP header? I can't find
anything.
* Re: [PATCH iptables v2] extensions: libebt_redirect: prevent translation
2025-07-19 15:24 ` Florian Westphal
@ 2025-07-22 8:33 ` Phil Sutter
2025-07-22 23:31 ` Florian Westphal
0 siblings, 1 reply; 9+ messages in thread
From: Phil Sutter @ 2025-07-22 8:33 UTC (permalink / raw)
To: Florian Westphal; +Cc: Pablo Neira Ayuso, shankerwangmiao, netfilter-devel
On Sat, Jul 19, 2025 at 05:24:10PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > > ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
> > > nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef \
> > > counter meta pkttype set host ether daddr set meta ibrhwdr accept'
> >
> > Now in broute table, ebt_redirect.ko sets the ether daddr of the packet
> > to that of the incoming interface, i.e. the bridge port not the bridge
> > itself. We'll need an extension for that, too right?
>
> Yes, but i don't think the broute feature is that relevant given the lack
> of requests for support in nftables. Most want to make the packet
> enter the bridge input path and not pretend that the bridge didn't exist
> in the first place.
>
> > I guess just
> > calling 'redirect' verdict will manipulate the IP header as well which
> > we don't want
>
> Can you point me to the code that alters the IP header? I can't find
> anything.
I guess this is a misunderstanding, but continuing along the lines:
xt_REDIRECT.ko calls nf_nat_redirect() for incoming packets passing the
incoming interface's IP address as 'newdst' parameter. I assume
conntrack then executes, no?
Cheers, Phil
* Re: [PATCH iptables v2] extensions: libebt_redirect: prevent translation
2025-07-22 8:33 ` Phil Sutter
@ 2025-07-22 23:31 ` Florian Westphal
2025-07-23 11:03 ` Phil Sutter
0 siblings, 1 reply; 9+ messages in thread
From: Florian Westphal @ 2025-07-22 23:31 UTC (permalink / raw)
To: Phil Sutter, Pablo Neira Ayuso, shankerwangmiao, netfilter-devel
Phil Sutter <phil@nwl.cc> wrote:
> > > calling 'redirect' verdict will manipulate the IP header as well which
> > > we don't want
> >
> > Can you point me to the code that alters the IP header? I can't find
> > anything.
>
> I guess this is a misunderstanding, but continuing along the lines:
> xt_REDIRECT.ko calls nf_nat_redirect() for incoming packets passing the
> incoming interface's IP address as 'newdst' parameter. I assume
> conntrack then executes, no?
Hmmm, I was referring to ebt_redirect, not xt/nft redirect.
What's the concern here?
inet redirect should be fully functional, if that's wanted, for skbs
passed to bridge local in via ebt_redirect (or nft bridge family
with mac dest rewritten to a local address + altered packet type).
At least I don't see why it would not work.
* Re: [PATCH iptables v2] extensions: libebt_redirect: prevent translation
2025-07-22 23:31 ` Florian Westphal
@ 2025-07-23 11:03 ` Phil Sutter
0 siblings, 0 replies; 9+ messages in thread
From: Phil Sutter @ 2025-07-23 11:03 UTC (permalink / raw)
To: Florian Westphal; +Cc: Pablo Neira Ayuso, shankerwangmiao, netfilter-devel
On Wed, Jul 23, 2025 at 01:31:53AM +0200, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > > > calling 'redirect' verdict will manipulate the IP header as well which
> > > > we don't want
> > >
> > > Can you point me to the code that alters the IP header? I can't find
> > > anything.
> >
> > I guess this is a misunderstanding, but continuing along the lines:
> > xt_REDIRECT.ko calls nf_nat_redirect() for incoming packets passing the
> > incoming interface's IP address as 'newdst' parameter. I assume
> > conntrack then executes, no?
>
> Hmmm, I was referring to ebt_redirect, not xt/nft redirect.
> Whats the concern here?
I was considering to use nftables' redirect verdict for translating
ebtables' redirect in broute table, but it's nonsense: On one hand,
nftables' bridge family doesn't support redirect to begin with. On the
other, inet redirect is about IP addresses and doesn't alter MACs at
all. I somehow assumed it would set both to the incoming interface's and
then just realized that ebt_redirect does not change the IP address.
> inet redirect should be fully functional, if thats wanted, for skbs
> passed to bridge local in via ebt_redirect (or nft bridge family
> with mac dest rewritten to a local address + altered packet type).
>
> At least I don't see why it would not work.
I guess we just need NFT_META_IIFHWADDR in addition to Pablo's suggested
NFT_META_BRI_IIFHWADDR for full translation support.
Sorry for the confusion, Phil