--- /dev/null
+ebtables-translate -A FORWARD --ip-src ! 192.168.0.0/24 -j ACCEPT
+nft add rule bridge filter FORWARD ip saddr != 192.168.0.0/24 counter accept
+
+ebtables-translate -I FORWARD --ip-dst 10.0.0.1
+nft insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter
+
+ebtables-translate -I OUTPUT 3 -o eth0 --ip-tos 0xff
+nft insert rule bridge filter OUTPUT position 3 ip dscp 0xFC counter
+
+ebtables-translate -A FORWARD --ip-proto tcp --ip-dport 22
+nft add rule bridge filter FORWARD tcp dport 22 counter
+
+ebtables-translate -A FORWARD --ip-proto udp --ip-sport 1024:65535
+nft add rule bridge filter FORWARD udp sport 1024-65535 counter
+
+ebtables-translate -A FORWARD --ip-proto 253
+nft add rule bridge filter FORWARD ip protocol 253 counter
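Review bot: The third case's expected output loses the `-o eth0` match: the input is `-I OUTPUT 3 -o eth0 --ip-tos 0xff` but the pinned translation is `nft insert rule bridge filter OUTPUT position 3 ip dscp 0xFC counter`, so the nft rule would apply on every output port instead of only eth0. The same line pins `ip dscp 0xFC`, which is larger than a 6-bit DSCP field can hold; it looks as if the TOS byte was masked but not shifted. I would expect something closer to `oifname "eth0" ip dscp 0x3f`, and this case should not be checked in as the expected result until the translator produces an equivalent rule.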
--- /dev/null
+ebtables-translate -A INPUT --limit 3/m --limit-burst 3
+nft add rule bridge filter INPUT limit rate 3/minute burst 3 packets counter
+
+ebtables-translate -A INPUT --limit 10/s --limit-burst 5
+nft add rule bridge filter INPUT limit rate 10/second burst 5 packets counter
+
+ebtables-translate -A INPUT --limit 10/s --limit-burst 0
+nft add rule bridge filter INPUT limit rate 10/second counter
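Review bot: The `--limit-burst 0` case pins a translation with no `burst` clause at all (`limit rate 10/second counter`). As far as I know nft applies its own default burst when the clause is omitted, so the translated rule may admit a burst that the original did not; please confirm that this is the intended equivalence. If it is, the commit message should say why a zero burst is dropped and not carried over.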
--- /dev/null
+ebtables-translate -A INPUT --log
+nft add rule bridge filter INPUT log level notice flags ether counter
+
+ebtables-translate -A INPUT --log-level 1
+nft add rule bridge filter INPUT log level alert flags ether counter
+
+ebtables-translate -A INPUT --log-level crit
+nft add rule bridge filter INPUT log level crit flags ether counter
+
+ebtables-translate -A INPUT --log-level emerg --log-ip --log-arp --log-ip6
+nft add rule bridge filter INPUT log level emerg flags ether counter
+
+ebtables-translate -A INPUT --log-level crit --log-ip --log-arp --log-ip6 --log-prefix foo
+nft add rule bridge filter INPUT log prefix "foo" level crit flags ether counter
+
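Review bot: The last two cases show `--log-ip --log-arp --log-ip6` disappearing from the translation: the expected output is `log level emerg flags ether counter`, with nothing standing in for those three options. If nft has no equivalent that is acceptable, but the loss is silent, so a migrated ruleset logs less packet detail than before with no hint as to why. I would have the translator warn on or refuse these options, or at least state in the commit message that they are dropped on purpose.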
--- /dev/null
+ebtables-translate -A INPUT --mark-set 42
+nft add rule bridge filter INPUT mark set 0x2a counter
+
+ebtables-translate -A INPUT --mark-or 42 --mark-target RETURN
+nft add rule bridge filter INPUT mark set mark or 0x2a counter return
+
+ebtables-translate -A INPUT --mark-and 42 --mark-target ACCEPT
+nft add rule bridge filter INPUT mark set mark and 0x2a counter accept
+
+ebtables-translate -A INPUT --mark-xor 42 --mark-target DROP
+nft add rule bridge filter INPUT mark set mark xor 0x2a counter drop
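Review bot: The `--mark-set 42` case has no verdict in its expected output (`mark set 0x2a counter`), while the three cases that pass an explicit `--mark-target` end in `return`, `accept` and `drop`. The ebtables mark target defaults to ACCEPT, so the original rule ends traversal for the frame, whereas the translated rule falls through to whatever rules follow it. I would expect `nft add rule bridge filter INPUT mark set 0x2a counter accept` for this case.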
xt_xlate_add(xl, "meta mark ");
if (info->bitmask == EBT_MARK_OR) {
- xt_xlate_add(xl, " and %0x%x %s0", info->mask,
+ xt_xlate_add(xl, "and 0x%x %s0 ", info->mask,
info->invert ? "" : "!= ");
} else if (info->mask != 0xffffffffU) {
- xt_xlate_add(xl, " and 0x%x %s 0x%x", info->mask,
- op == XT_OP_EQ ? "==" : "!=", info->mark);
+ xt_xlate_add(xl, "and 0x%x %s0x%x ", info->mask,
+ op == XT_OP_EQ ? "" : "!= ", info->mark);
} else {
- xt_xlate_add(xl, " %s0x%x",
+ xt_xlate_add(xl, "%s0x%x ",
op == XT_OP_EQ ? "" : "!= ", info->mark);
}
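Review bot: The three branches take their negation from two different places: the `EBT_MARK_OR` branch tests `info->invert`, while the other two test `op`. `op` is assigned outside this hunk, so I cannot confirm that the two always agree; if they do, using the same one in all three branches would make that obvious. The `EBT_MARK_OR` branch also deserves a comment, for example `/* --mark /mask matches when any masked bit is set, hence the compare against 0 */`. The function starts and ends outside the hunk.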
--- /dev/null
+ebtables-translate -A INPUT --mark 42
+nft add rule bridge filter INPUT meta mark 0x2a counter
+
+ebtables-translate -A INPUT ! --mark 42
+nft add rule bridge filter INPUT meta mark != 0x2a counter
+
+ebtables-translate -A INPUT --mark ! 42
+nft add rule bridge filter INPUT meta mark != 0x2a counter
+
+ebtables-translate -A INPUT --mark ! 0x1/0xff
+nft add rule bridge filter INPUT meta mark and 0xff != 0x1 counter
+
+ebtables-translate -A INPUT --mark /0x02
+nft add rule bridge filter INPUT meta mark and 0x2 != 0 counter
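Review bot: Two paths through the new format strings are not pinned by any case in this file. One is an inverted mask-only match (`! --mark /0x02`), where the `EBT_MARK_OR` branch emits no operator before the `0`; the other is a non-inverted value/mask match (`--mark 0x1/0xff`), which after this commit emits `meta mark and 0xff 0x1` with the explicit `==` removed. Adding both cases would show whether nft still reads the operator-less form as equality, which matters because a misread mark match changes which frames the rule selects.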
xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
else
xt_xlate_add(xl, "prefix \"%s\" ", info->prefix);
-
}
xt_xlate_add(xl, "group %u ", info->group);
--- /dev/null
+ebtables-translate -A INPUT --nflog
+nft add rule bridge filter INPUT log group 1 counter
+
+ebtables-translate -A INPUT --nflog-group 42
+nft add rule bridge filter INPUT log group 42 counter
+
+ebtables-translate -A INPUT --nflog-range 42
+nft add rule bridge filter INPUT log group 1 snaplen 42 counter
+
+ebtables-translate -A INPUT --nflog-threshold 100 --nflog-prefix foo
+nft add rule bridge filter INPUT log prefix "foo" group 1 queue-threshold 100 counter
import argparse
from subprocess import Popen, PIPE
-keywords = ("iptables-translate", "ip6tables-translate")
+keywords = ("iptables-translate", "ip6tables-translate", "ebtables-translate")
if sys.stdout.isatty():
colors = {"magenta": "\033[95m", "green": "\033[92m", "yellow": "\033[93m",