From a86eb41ef2987a9f99cb2ef644fbe2a2096d58b2 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 1 Feb 2024 17:42:12 +0100
Subject: extensions: tcp/udp: Save/xlate inverted full ranges
Also translate a bare '-m tcp/udp' to 'meta l4proto' match.
Fixes: 04f569ded54a7 ("extensions: libxt_udp: add translation to nft")
Fixes: fb2593ebbf656 ("extensions: libxt_tcp: add translation to nft")
Signed-off-by: Phil Sutter
---
 extensions/libxt_tcp.txlate | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'extensions/libxt_tcp.txlate')
diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate
index a7e921bf..b3ddcc15 100644
--- a/extensions/libxt_tcp.txlate
+++ b/extensions/libxt_tcp.txlate
@@ -32,7 +32,7 @@ iptables-translate -A INPUT -p tcp ! --tcp-option 23
 nft 'add rule ip filter INPUT tcp option 23 missing counter'
 iptables-translate -I OUTPUT -p tcp --sport 0:65535 -j ACCEPT
-nft 'insert rule ip filter OUTPUT counter accept'
+nft 'insert rule ip filter OUTPUT meta l4proto tcp counter accept'
 iptables-translate -I OUTPUT -p tcp ! --sport 0:65535 -j ACCEPT
-nft 'insert rule ip filter OUTPUT counter accept'
+nft 'insert rule ip filter OUTPUT tcp sport != 0-65535 counter accept'
-- 
cgit v1.2.3
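Review bot: The new expectation for `-p tcp ! --sport 0:65535` pins a match that can never be true (`tcp sport != 0-65535`), which is the faithful rendering of the iptables rule, whereas the old output on the removed line dropped the port match entirely and emitted an unconditional `counter accept` — the previous expectation therefore accepted a translation that widened a never-matching ACCEPT into accept-everything. The two cases in this hunk only exercise `--sport`; no expectation for the inverted full-range `--dport` form or for the udp counterpart named in the subject is visible here, and since the page shows the diff limited to `extensions/libxt_tcp.txlate` they may well live in other files of the commit. If they do not, a constructed case such as `iptables-translate -I OUTPUT -p tcp ! --dport 0:65535 -j ACCEPT` with an expected `nft 'insert rule ip filter OUTPUT tcp dport != 0-65535 counter accept'` would cover the second port option through the same path.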