From c5d75387131e8cb1fc4d22b2e2e264297baf4622 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 1 Feb 2024 15:27:03 +0100
Subject: extensions: ah: Save/xlate inverted full ranges

While at it, fix xlate output for plain '-m ah' matches: With ip6tables-translate, one should emit an extdhr exists match since ip6t_ah.c in kernel also uses ipv6_find_hdr(). With iptables-translate, a simple 'meta l4proto ah' was missing.

Fixes: bb498c8ba7bb3 ("extensions: libip6t_ah: Fix translation of plain '-m ah'")
Fixes: b9a46ee406165 ("extensions: libipt_ah: Add translation to nft")
Signed-off-by: Phil Sutter
---
 extensions/libipt_ah.txlate | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'extensions/libipt_ah.txlate')

diff --git a/extensions/libipt_ah.txlate b/extensions/libipt_ah.txlate
index e35ac17a..baf5a0ae 100644
--- a/extensions/libipt_ah.txlate
+++ b/extensions/libipt_ah.txlate
@@ -8,7 +8,7 @@ iptables-translate -A INPUT -p 51 -m ah ! --ahspi 50 -j DROP
 nft 'add rule ip filter INPUT ah spi != 50 counter drop'
 
 iptables-translate -A INPUT -p 51 -m ah --ahspi 0:4294967295 -j DROP
-nft 'add rule ip filter INPUT counter drop'
+nft 'add rule ip filter INPUT meta l4proto ah counter drop'
 
 iptables-translate -A INPUT -p 51 -m ah ! --ahspi 0:4294967295 -j DROP
-nft 'add rule ip filter INPUT counter drop'
+nft 'add rule ip filter INPUT ah spi != 0-4294967295 counter drop'
-- 
cgit v1.2.3
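Review bot: The new expectation `nft 'add rule ip filter INPUT ah spi != 0-4294967295 counter drop'` encodes a rule that can never match, which is the correct mirror of `! --ahspi 0:4294967295` but is not self-evidently deliberate to someone reading the .txlate file later. If the .txlate format accepts `#` comment lines (to be confirmed against the test runner), a one-line comment above that case such as `# inverted full range: intentionally unmatchable, kept for save/restore fidelity` would prevent it being "fixed" back to a bare `counter drop`. The commit message also says the plain `-m ah` translation was missing `meta l4proto ah`, yet the only case exercising that path here is the full-range form `--ahspi 0:4294967295`; a direct `iptables-translate -A INPUT -p 51 -m ah -j DROP` expectation would pin the fix explicitly, unless the lines above this hunk already contain one. The libip6t_ah.txlate counterpart mentioned in the description is not part of this (path-limited) view.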