From: Miao Wang <shankerwangmiao@xxxxxxxxx>

The redirect target in ebtables does two things: 1. set skb->pkt_type to
PACKET_HOST, and 2. set the destination mac address to the address of the
receiving bridge device (when not used in BROUTING chain), or the receiving
physical device (otherwise). However, the latter cannot be implemented in
nftables without being given the translated mac address. So it is not
appropriate to give a specious translation.

This patch disables the translation to prevent possible misunderstanding.

Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
Signed-off-by: Miao Wang <shankerwangmiao@xxxxxxxxx>
---
Changes in v2:
- Completely remove the translation from the ebtables redirect target to nft
  rule according to Pablo's suggestion.
- Link to v1: https://lore.kernel.org/r/20250425-xlat-ebt-redir-v1-1-3e11a5925569@xxxxxxxxx
---
 extensions/libebt_redirect.c | 19 +------------------
 extensions/libebt_redirect.txlate | 8 --------
 2 files changed, 1 insertion(+), 26 deletions(-)

diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c index a44dbaec6cc8b12f20acd31dcb1360ac7245e349..12d87f93df6386cacf4fe257070933cc552b41f4 100644 --- a/extensions/libebt_redirect.c +++ b/extensions/libebt_redirect.c 
@@ -60,27 +60,10 @@ static void brredir_print(const void *ip, const struct xt_entry_target *target, printf("--redirect-target %s", ebt_target_name(redirectinfo->target)); } -static const char* brredir_verdict(int verdict) -{ - switch (verdict) { - case EBT_ACCEPT: return "accept"; - case EBT_DROP: return "drop"; - case EBT_CONTINUE: return "continue"; - case EBT_RETURN: return "return"; - } - - return ""; -} - static int brredir_xlate(struct xt_xlate *xl, const struct xt_xlate_tg_params *params) { - const struct ebt_redirect_info *red = (const void*)params->target->data; - - xt_xlate_add(xl, "meta pkttype set host"); - if (red->target != EBT_CONTINUE) - xt_xlate_add(xl, " %s ", brredir_verdict(red->target)); - return 1; + return 0; } static struct xtables_target brredirect_target = { diff --git a/extensions/libebt_redirect.txlate b/extensions/libebt_redirect.txlate deleted file mode 100644 index d073ec774c4fa817e48422fb99aaf095dd9eab65..0000000000000000000000000000000000000000 --- a/extensions/libebt_redirect.txlate +++ /dev/null @@ -1,8 +0,0 @@ -ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect -nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host accept' - -ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN -nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host return' - -ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE -nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host' --- base-commit: 192c3a6bc18f206895ec5e38812d648ccfe7e281 change-id: 20250425-xlat-ebt-redir-aa40928f6fae Best regards, -- Miao Wang <shankerwangmiao@xxxxxxxxx>
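Review bot: brredir_xlate() in extensions/libebt_redirect.c is now a bare `return 0;` with no comment saying why, so the reason the translation is refused lives only in the commit message. Add a short comment above the return stating that the destination MAC rewrite done by the redirect target cannot be expressed in the nft output, so a later contributor does not restore the `meta pkttype set host` line on its own. The parameters xl and params are also unused now; if the target can be registered without a translate callback (the rest of brredirect_target is not visible in this hunk), dropping the function would be cleaner than keeping a stub.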
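Review bot: deleting extensions/libebt_redirect.txlate removes all three test cases in that file and nothing replaces them, so the new behaviour (no translation for `-j redirect`, with or without `--redirect-target`) is untested. If the translate test suite can express an expected failure, keep one case per former input so that a change reintroducing a partial translation is caught; otherwise note in the commit message that the refusal is intentionally left without coverage.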