From 8a85a148d0a4765cf15b05e2b3088a1a0562bf50 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Thu, 19 Apr 2018 11:00:28 +0200 Subject: libebt_ip: fix translations for tos and icmp tos translation to dscp yielded incorrect value. icmp inserted extra "ip" keyword, remove it. Signed-off-by: Florian Westphal --- extensions/libebt_ip.c | 6 +++--- extensions/libebt_ip.txlate | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
index 72728542..9b3cd33c 100644
--- a/extensions/libebt_ip.c
+++ b/extensions/libebt_ip.c
@@ -561,7 +561,7 @@ static void brip_xlate_icmp(struct xt_xlate *xl, if ((info->bitmask & bit) == 0) return;
- xt_xlate_add(xl, "ip icmp type ");
+ xt_xlate_add(xl, "icmp type ");
 if (info->invflags & bit) xt_xlate_add(xl, "!= "); if (info->icmp_type[0] == info->icmp_type[1])
@@ -573,7 +573,7 @@ static void brip_xlate_icmp(struct xt_xlate *xl, info->icmp_code[1] == 0xff) return;
- xt_xlate_add(xl, "ip icmp code ");
+ xt_xlate_add(xl, "icmp code ");
 if (info->invflags & bit) xt_xlate_add(xl, "!= "); if (info->icmp_code[0] == info->icmp_code[1])
@@ -681,7 +681,7 @@ static int brip_xlate(struct xt_xlate *xl, xt_xlate_add(xl, "ip dscp "); if (info->invflags & EBT_IP_TOS) xt_xlate_add(xl, "!= ");
- xt_xlate_add(xl, "0x%02X ", info->tos & ~0x3); /* remove ECN bits */
+ xt_xlate_add(xl, "0x%02x ", info->tos & 0x3f); /* remove ECN bits */
 } if (info->bitmask & EBT_IP_PROTO) { struct protoent *pe;
diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate
index 11594cdc..cbe05f4f 100644
--- a/extensions/libebt_ip.txlate
+++ b/extensions/libebt_ip.txlate
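Review bot: In the `brip_xlate` hunk of extensions/libebt_ip.c, `info->tos & 0x3f` keeps the low six bits of the TOS byte, which still include the two ECN bits the comment says are removed, and drops the top two DSCP bits. DSCP occupies the upper six bits of the 8-bit TOS byte, so the value should be shifted rather than masked: `xt_xlate_add(xl, "0x%02x ", info->tos >> 2); /* drop ECN bits, keep DSCP */`. The updated expectation in libebt_ip.txlate (`--ip-tos 0xff` giving `ip dscp 0x3f`) cannot tell the mask from the shift because every bit is set; a case with a TOS value such as 0x10 (constructed example, expected `ip dscp 0x04`) would. As written, the translated nft rule can match different packets than the ebtables rule it replaces, so a migrated filter policy may change silently. The body of brip_xlate starts and ends outside the hunk.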
@@ -5,7 +5,7 @@ ebtables-translate -I FORWARD --ip-dst 10.0.0.1 nft insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter ebtables-translate -I OUTPUT 3 -o eth0 --ip-tos 0xff
-nft insert rule bridge filter OUTPUT oifname "eth0" ip dscp 0xFC counter
+nft insert rule bridge filter OUTPUT oifname "eth0" ip dscp 0x3f counter
 ebtables-translate -A FORWARD --ip-proto tcp --ip-dport 22 nft add rule bridge filter FORWARD tcp dport 22 counter
@@ -17,10 +17,10 @@ ebtables-translate -A FORWARD --ip-proto 253 nft add rule bridge filter FORWARD ip protocol 253 counter ebtables-translate -A FORWARD --ip-icmp-type "echo-request"
-nft add rule bridge filter FORWARD ip icmp type 8 counter
+nft add rule bridge filter FORWARD icmp type 8 counter
 ebtables-translate -A FORWARD --ip-icmp-type 1/1
-nft add rule bridge filter FORWARD ip icmp type 1 ip icmp code 1 counter
+nft add rule bridge filter FORWARD icmp type 1 icmp code 1 counter
 ebtables-translate -A FORWARD --ip-icmp-type ! 1:10
-nft add rule bridge filter FORWARD ip icmp type != 1-10 counter
+nft add rule bridge filter FORWARD icmp type != 1-10 counter
-- cgit v1.2.3