Since core xlate code now ignores '-p mh' if an mh extension is also
present in the rule, mh extension has to emit the l4proto match itself.
Therefore emit the exthdr match irrespective of '-p' argument value just
like other IPv6 extension header matches do.
Fixes: 83f60fb37d594 ("extensions: mh: Save/xlate inverted full ranges")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
extensions/libip6t_mh.c | 4 +---
extensions/libip6t_mh.txlate | 2 +-
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index 3f80e28ec94c8..1a1cee832b584 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -214,11 +214,9 @@ static int mh_xlate(struct xt_xlate *xl,
{
const struct ip6t_mh *mhinfo = (struct ip6t_mh *)params->match->data;
bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE;
- uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto;
if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type)) {
- if (proto != IPPROTO_MH)
- xt_xlate_add(xl, "exthdr mh exists");
+ xt_xlate_add(xl, "exthdr mh exists");
return 1;
}
diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate
index cc194254951e9..13b4ba882c948 100644
--- a/extensions/libip6t_mh.txlate
+++ b/extensions/libip6t_mh.txlate
@@ -5,7 +5,7 @@ ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
nft 'add rule ip6 filter INPUT mh type 1-3 counter accept'
ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
--
2.43.0
