From 83f60fb37d594d1984a4e8a197d8f99eb8b2db30 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 1 Feb 2024 15:42:10 +0100
Subject: extensions: mh: Save/xlate inverted full ranges

Also translate '-m mh' into an exthdr exists match unless '-p mh' is also present. The latter is converted into 'meta l4proto mh' which might need fixing itself at a later point.

Fixes: 6d4b93485055a ("extensions: libip6t_mh: Add translation to nft")
Signed-off-by: Phil Sutter
---
 extensions/libip6t_mh.txlate | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'extensions/libip6t_mh.txlate')

diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate
index 825c9569..3364ce57 100644
--- a/extensions/libip6t_mh.txlate
+++ b/extensions/libip6t_mh.txlate
@@ -8,7 +8,7 @@ ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
 nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'

 ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT counter accept'
+nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'

 ip6tables-translate -A INPUT -p mh ! --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type != 0-255 counter accept'
-- 
cgit v1.2.3
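Review bot: The updated expectations cover the inverted full range only together with `-p mh`; there is no visible case for `ip6tables-translate -A INPUT -m mh ! --mh-type 0:255 -j ACCEPT`, where the new exthdr-exists translation and the new inverted-range output would have to combine. The old expectation for `-m mh --mh-type 0:255` was an unconditional `counter accept`, so a regression on this path would silently widen a translated ruleset; it is worth pinning with a test pair whose nft line is taken from the translator's actual output. Lines 1-7 of the file are outside the hunk, so confirm the case is not already present there.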