Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/iptables.t | 5 | ||||
-rw-r--r-- | extensions/libip6t_mh.c | 4 | ||||
-rw-r--r-- | extensions/libip6t_mh.txlate | 8 |
3 files changed, 10 insertions, 7 deletions
diff --git a/extensions/iptables.t b/extensions/iptables.t
index b4b6d677..5d6d3d15 100644
--- a/extensions/iptables.t
+++ b/extensions/iptables.t
@@ -4,3 +4,8 @@
 -i eth+ -o alongifacename+;=;OK
 ! -i eth0;=;OK
 ! -o eth+;=;OK
+-c "";;FAIL
+-c ,3;;FAIL
+-c 3,;;FAIL
+-c ,;;FAIL
+-c 2,3 -j ACCEPT;-j ACCEPT;OK
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index 3f80e28e..1a1cee83 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -214,11 +214,9 @@ static int mh_xlate(struct xt_xlate *xl,
 {
 const struct ip6t_mh *mhinfo = (struct ip6t_mh *)params->match->data;
 bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE;
- uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto;
 
 if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type)) {
- if (proto != IPPROTO_MH)
- xt_xlate_add(xl, "exthdr mh exists");
+ xt_xlate_add(xl, "exthdr mh exists");
 return 1;
 }
 
diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate
index 3364ce57..13b4ba88 100644
--- a/extensions/libip6t_mh.txlate
+++ b/extensions/libip6t_mh.txlate
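Review bot: In mh_xlate() in extensions/libip6t_mh.c, `exthdr mh exists` is now emitted whenever skip_types_match() holds, but nothing at that call explains why the earlier `proto != IPPROTO_MH` guard could be dropped. Judging by the updated libip6t_mh.txlate expectations, the translator no longer prints `meta l4proto mobility-header` for `-p mh`, so the extension now has to carry the whole match itself; that dependency lies outside this hunk and is worth stating at the call, e.g. `/* -p mh is not translated separately, so always emit the header check */`. Because this output ends up as a packet-filter rule, it would also help to confirm that `exthdr mh exists` accepts the same packets as the old `meta l4proto mobility-header` form. The function's signature and the rest of its body lie outside the hunk.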
@@ -1,14 +1,14 @@
 ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept'
+nft 'add rule ip6 filter INPUT mh type 1 counter accept'
 
 ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept'
+nft 'add rule ip6 filter INPUT mh type 1-3 counter accept'
 
 ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
 
 ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
 nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
 
 ip6tables-translate -A INPUT -p mh ! --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type != 0-255 counter accept'
+nft 'add rule ip6 filter INPUT mh type != 0-255 counter accept' |