[iptables PATCH 06/12] extensions: mh: Save/xlate inverted full ranges


 



Also translate '-m mh' into an exthdr exists match unless '-p mh' is
also present. The latter is converted into 'meta l4proto mh' which might
need fixing itself at a later point.

Fixes: 6d4b93485055a ("extensions: libip6t_mh: Add translation to nft")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 extensions/libip6t_mh.c      | 20 ++++++++++++++++----
 extensions/libip6t_mh.t      |  2 +-
 extensions/libip6t_mh.txlate |  4 ++--
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index 1410d324b5d42..3f80e28ec94c8 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -17,6 +17,7 @@
 #include <stdlib.h>
 #include <xtables.h>
 #include <linux/netfilter_ipv6/ip6t_mh.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
 
 enum {
 	O_MH_TYPE = 0,
@@ -154,11 +155,16 @@ static void print_type(uint8_t type, int numeric)
 		printf("%s", name);
 }
 
+static bool skip_types_match(uint8_t min, uint8_t max, bool inv)
+{
+	return min == 0 && max == UINT8_MAX && !inv;
+}
+
 static void print_types(uint8_t min, uint8_t max, int invert, int numeric)
 {
 	const char *inv = invert ? "!" : "";
 
-	if (min != 0 || max != 0xFF || invert) {
+	if (!skip_types_match(min, max, invert)) {
 		printf(" ");
 		if (min == max) {
 			printf("%s", inv);
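Review bot: The new skip_types_match helper has no comment saying why an inverted full range is not skipped, which is the whole point of the change and will not be obvious to the next reader of the `!inv` term on line 39; suggest `/* 0:255 matches every type and is implicit on save/xlate; the inverted range is a distinct rule (it never matches) and must be kept. */` above the function. The helper is declared with `bool` while the include context visible in the first hunk shows only stdlib.h, xtables.h and the two netfilter headers, so it presumably relies on xtables.h pulling in stdbool.h; if that is not guaranteed, `#include <stdbool.h>` belongs next to the new include. print_types passes its `int invert` to the `bool inv` parameter, which converts correctly but is worth a glance since the old test compared it directly. print_types continues past the end of this hunk.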
@@ -189,11 +195,12 @@ static void mh_print(const void *ip, const struct xt_entry_match *match,
 static void mh_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct ip6t_mh *mhinfo = (struct ip6t_mh *)match->data;
+	bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE;
 
-	if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xFF)
+	if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type))
 		return;
 
-	if (mhinfo->invflags & IP6T_MH_INV_TYPE)
+	if (inv_type)
 		printf(" !");
 
 	if (mhinfo->types[0] != mhinfo->types[1])
@@ -206,9 +213,14 @@ static int mh_xlate(struct xt_xlate *xl,
 		    const struct xt_xlate_mt_params *params)
 {
 	const struct ip6t_mh *mhinfo = (struct ip6t_mh *)params->match->data;
+	bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE;
+	uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto;
 
-	if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xff)
+	if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type)) {
+		if (proto != IPPROTO_MH)
+			xt_xlate_add(xl, "exthdr mh exists");
 		return 1;
+	}
 
 	if (mhinfo->types[0] != mhinfo->types[1])
 		xt_xlate_add(xl, "mh type %s%u-%u",
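Review bot: The `proto != IPPROTO_MH` test on line 75 looks only at the protocol number and not at the protocol inversion flag, so a rule written as `! -p mh -m mh` would (if it can reach this code; whether it is rejected earlier is outside the hunk) get `meta l4proto != mobility-header` from the caller and no `exthdr mh exists` here, silently dropping the extension-header requirement. If that combination is reachable, the condition should presumably also consider `IP6T_INV_PROTO` in the ip6t_ip6 invflags, or the restriction should be stated in a comment such as `/* -p mh already implies the header is present; only emit exthdr when it is absent (non-inverted) */` above line 75. The cast of `params->ip` to `struct ip6t_ip6` on line 71 assumes this xlate callback is only ever invoked for IPv6 rules, which holds for a libip6t_ extension but is worth a one-line comment since nothing in the hunk checks it. mh_xlate continues past the end of this hunk.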
diff --git a/extensions/libip6t_mh.t b/extensions/libip6t_mh.t
index 151eabe631f58..b628e9e33fd3e 100644
--- a/extensions/libip6t_mh.t
+++ b/extensions/libip6t_mh.t
@@ -5,7 +5,7 @@
 -p mobility-header -m mh ! --mh-type 4;=;OK
 -p mobility-header -m mh --mh-type 4:123;=;OK
 -p mobility-header -m mh --mh-type :;-p mobility-header -m mh;OK
--p mobility-header -m mh ! --mh-type :;-p mobility-header -m mh;OK
+-p mobility-header -m mh ! --mh-type :;-p mobility-header -m mh ! --mh-type 0:255;OK
 -p mobility-header -m mh --mh-type :3;-p mobility-header -m mh --mh-type 0:3;OK
 -p mobility-header -m mh --mh-type 3:;-p mobility-header -m mh --mh-type 3:255;OK
 -p mobility-header -m mh --mh-type 3:3;-p mobility-header -m mh --mh-type 3;OK
diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate
index 825c956905c22..3364ce574468f 100644
--- a/extensions/libip6t_mh.txlate
+++ b/extensions/libip6t_mh.txlate
@@ -8,7 +8,7 @@ ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
 nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
 
 ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT counter accept'
+nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
 
 ip6tables-translate -A INPUT -p mh ! --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type != 0-255 counter accept'
-- 
2.43.0





