extensions: ah: Save/xlate inverted full ranges

While at it, fix xlate output for plain '-m ah' matches: With ip6tables-translate, one should emit an extdhr exists match since ip6t_ah.c in kernel also uses ipv6_find_hdr(). With iptables-translate, a simple 'meta l4proto ah' was missing. Fixes: bb498c8ba7bb3 ("extensions: libip6t_ah: Fix translation of plain '-m ah'") Fixes: b9a46ee406165 ("extensions: libipt_ah: Add translation to nft") Signed-off-by: Phil Sutter <phil@nwl.cc>
author: Phil Sutter <phil@nwl.cc> 2024-02-01 15:27:03 +0100
committer: Phil Sutter <phil@nwl.cc> 2024-02-02 18:26:14 +0100
commit: c5d75387131e8cb1fc4d22b2e2e264297baf4622 (patch)
tree: af94e429f7c1309aed9afb934ae6a4caee0260e0 /extensions/libip6t_ah.txlate
parent: 9d41421a887f4bc4b3ba10174cf43ee2c6b76956 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/extensions/libip6t_ah.txlate b/extensions/libip6t_ah.txlate
index fc7248ab..32c6b7de 100644
--- a/extensions/libip6t_ah.txlate
+++ b/extensions/libip6t_ah.txlate
@@ -17,7 +17,7 @@ ip6tables-translate -A INPUT -m ah --ahspi 500 --ahlen 120 --ahres -j ACCEPT
 nft 'add rule ip6 filter INPUT ah spi 500 ah hdrlength 120 ah reserved 1 counter accept'
 
 ip6tables-translate -A INPUT -m ah --ahspi 0:4294967295
-nft 'add rule ip6 filter INPUT meta l4proto ah counter'
+nft 'add rule ip6 filter INPUT exthdr ah exists counter'
 
 ip6tables-translate -A INPUT -m ah ! --ahspi 0:4294967295
-nft 'add rule ip6 filter INPUT meta l4proto ah counter'
+nft 'add rule ip6 filter INPUT ah spi != 0-4294967295 counter'
author	Phil Sutter <phil@nwl.cc>	2024-02-01 15:27:03 +0100
committer	Phil Sutter <phil@nwl.cc>	2024-02-02 18:26:14 +0100
commit	c5d75387131e8cb1fc4d22b2e2e264297baf4622 (patch)
tree	af94e429f7c1309aed9afb934ae6a4caee0260e0 /extensions/libip6t_ah.txlate
parent	9d41421a887f4bc4b3ba10174cf43ee2c6b76956 (diff)