extensions: frag: Save/xlate inverted full ranges

Also translate plain '-m frag' match into an exthdr exists one. Fixes: bd5bbc7a0fbd8 ("extensions: libip6t_frag: Add translation to nft") Signed-off-by: Phil Sutter <phil@nwl.cc>
author: Phil Sutter <phil@nwl.cc> 2024-02-01 15:39:52 +0100
committer: Phil Sutter <phil@nwl.cc> 2024-02-02 18:26:14 +0100
commit: d71eb186e7d165d7120f122dd07c35cd935a1955 (patch)
tree: 72577b0069bff14ec2426cbe880928726adfb8e4 /extensions/libip6t_frag.txlate
parent: c5d75387131e8cb1fc4d22b2e2e264297baf4622 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/extensions/libip6t_frag.txlate b/extensions/libip6t_frag.txlate
index 2b6585af..e250587e 100644
--- a/extensions/libip6t_frag.txlate
+++ b/extensions/libip6t_frag.txlate
@@ -17,7 +17,7 @@ ip6tables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT
 nft 'add rule ip6 filter INPUT frag more-fragments 0 counter accept'
 
 ip6tables-translate -t filter -A INPUT -m frag --fragid 0:4294967295
-nft 'add rule ip6 filter INPUT counter'
+nft 'add rule ip6 filter INPUT exthdr frag exists counter'
 
 ip6tables-translate -t filter -A INPUT -m frag ! --fragid 0:4294967295
-nft 'add rule ip6 filter INPUT counter'
+nft 'add rule ip6 filter INPUT frag id != 0-4294967295 counter'
author	Phil Sutter <phil@nwl.cc>	2024-02-01 15:39:52 +0100
committer	Phil Sutter <phil@nwl.cc>	2024-02-02 18:26:14 +0100
commit	d71eb186e7d165d7120f122dd07c35cd935a1955 (patch)
tree	72577b0069bff14ec2426cbe880928726adfb8e4 /extensions/libip6t_frag.txlate
parent	c5d75387131e8cb1fc4d22b2e2e264297baf4622 (diff)