From 400fb98dde882da4c1d2c763de3f16a8ba1484b4 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Tue, 5 Mar 2024 17:02:56 +0100
Subject: xlate: libip6t_mh: Fix and simplify plain '-m mh' match
Since core xlate code now ignores '-p mh' if an mh extension is also present in the rule, mh extension has to emit the l4proto match itself. Therefore emit the exthdr match irrespective of '-p' argument value just like other IPv6 extension header matches do.
Fixes: 83f60fb37d594 ("extensions: mh: Save/xlate inverted full ranges")
Signed-off-by: Phil Sutter
---
 extensions/libip6t_mh.txlate | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'extensions/libip6t_mh.txlate')
diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate
index cc194254..13b4ba88 100644
--- a/extensions/libip6t_mh.txlate
+++ b/extensions/libip6t_mh.txlate
@@ -5,7 +5,7 @@ ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
 nft 'add rule ip6 filter INPUT mh type 1-3 counter accept'
 ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
 ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
 nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
--
cgit v1.2.3