xlate: libip6t_mh: Fix and simplify plain '-m mh' match

Since core xlate code now ignores '-p mh' if an mh extension is also present in the rule, mh extension has to emit the l4proto match itself. Therefore emit the exthdr match irrespective of '-p' argument value just like other IPv6 extension header matches do. Fixes: 83f60fb37d594 ("extensions: mh: Save/xlate inverted full ranges") Signed-off-by: Phil Sutter <phil@nwl.cc>
author: Phil Sutter <phil@nwl.cc> 2024-03-05 17:02:56 +0100
committer: Phil Sutter <phil@nwl.cc> 2024-04-09 23:20:36 +0200
commit: 400fb98dde882da4c1d2c763de3f16a8ba1484b4 (patch)
tree: 9d08fa18405d6f86501a2cb6f2d491929100210d /extensions/libip6t_mh.txlate
parent: d45fb0a4077304a7e3f2c44bbac1bde3a9b49a77 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate
index cc194254..13b4ba88 100644
--- a/extensions/libip6t_mh.txlate
+++ b/extensions/libip6t_mh.txlate
@@ -5,7 +5,7 @@ ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
 nft 'add rule ip6 filter INPUT mh type 1-3 counter accept'
 
 ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
 
 ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
 nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
author	Phil Sutter <phil@nwl.cc>	2024-03-05 17:02:56 +0100
committer	Phil Sutter <phil@nwl.cc>	2024-04-09 23:20:36 +0200
commit	400fb98dde882da4c1d2c763de3f16a8ba1484b4 (patch)
tree	9d08fa18405d6f86501a2cb6f2d491929100210d /extensions/libip6t_mh.txlate
parent	d45fb0a4077304a7e3f2c44bbac1bde3a9b49a77 (diff)