diff options
author | Phil Sutter <phil@nwl.cc> | 2024-03-05 16:28:29 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2024-04-09 23:20:36 +0200 |
commit | d45fb0a4077304a7e3f2c44bbac1bde3a9b49a77 (patch) | |
tree | 7f8643ab3f4d692dbbcbf224e58b82de73893ddb /extensions/libip6t_mh.txlate | |
parent | 681935f6cb5734e120b5efe5aa8512508e2793f4 (diff) |
xlate: Improve redundant l4proto match avoidance
xtables-translate tries to avoid 'ip protocol'/'meta l4proto' matches if
following expressions add this as dependency anyway. E.g.:
| # iptables-translate -A FOO -p tcp -m tcp --dport 22 -j ACCEPT
| nft 'add rule ip filter FOO tcp dport 22 counter accept'
This worked by searching protocol name in loaded matches, but that
approach is flawed as the protocol name and corresponding extension may
differ ("mobility-header" vs. "mh"). Improve this by searching for all
names (cached or resolved) for a given protocol number.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'extensions/libip6t_mh.txlate')
-rw-r--r-- | extensions/libip6t_mh.txlate | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate index 3364ce57..cc194254 100644 --- a/extensions/libip6t_mh.txlate +++ b/extensions/libip6t_mh.txlate @@ -1,8 +1,8 @@ ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT -nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept' +nft 'add rule ip6 filter INPUT mh type 1 counter accept' ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT -nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept' +nft 'add rule ip6 filter INPUT mh type 1-3 counter accept' ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept' @@ -11,4 +11,4 @@ ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT nft 'add rule ip6 filter INPUT exthdr mh exists counter accept' ip6tables-translate -A INPUT -p mh ! --mh-type 0:255 -j ACCEPT -nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type != 0-255 counter accept' +nft 'add rule ip6 filter INPUT mh type != 0-255 counter accept' |