Avoid playing games with /etc/protocols lookups, especially in the context of the testsuite. Instead make use of the stored protocol name (which is merely sanitized to lower-case) and use that for output. Invalid protocol names will still be rejected by the proto_parse callback call during option parsing.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 extensions/generic.txlate | 14 ++++++++++----
 iptables/nft-ipv4.c | 2 +-
 iptables/nft-ipv6.c | 2 +-
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 9ad1266dc623c..5823a64b328da 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -65,16 +65,22 @@ ip6tables-translate -I INPUT ! -s ::/0
 nft 'insert rule ip6 filter INPUT ip6 saddr != ::/0 counter'
 
 iptables-translate -A FORWARD -p 132
-nft 'add rule ip filter FORWARD ip protocol sctp counter'
+nft 'add rule ip filter FORWARD ip protocol 132 counter'
 
 ip6tables-translate -A FORWARD -p 132
-nft 'add rule ip6 filter FORWARD meta l4proto sctp counter'
+nft 'add rule ip6 filter FORWARD meta l4proto 132 counter'
 
 iptables-translate -A FORWARD ! -p 132
-nft 'add rule ip filter FORWARD ip protocol != sctp counter'
+nft 'add rule ip filter FORWARD ip protocol != 132 counter'
 
 ip6tables-translate -A FORWARD ! -p 132
-nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter'
+nft 'add rule ip6 filter FORWARD meta l4proto != 132 counter'
+
+iptables-translate -A FORWARD -p sctp
+nft 'add rule ip filter FORWARD ip protocol sctp counter'
+
+ip6tables-translate -A FORWARD -p sctp
+nft 'add rule ip6 filter FORWARD meta l4proto sctp counter'
 
 iptables-translate -A FORWARD -p 141
 nft 'add rule ip filter FORWARD ip protocol 141 counter'
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 740928757b7e2..d58efe8d8f1db 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
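Review bot: The added `-p sctp` cases exercise only an already-lowercase name, so nothing in this hunk checks the lower-casing that the commit message says the stored name relies on. A case such as `iptables-translate -A FORWARD -p SCTP` with the expected `nft 'add rule ip filter FORWARD ip protocol sctp counter'` would pin that the sanitized name, not the user's casing, reaches the output. The inverted form (`! -p sctp`) is likewise only covered for the numeric spelling here; adding it for the name spelling would round out the new name-based path.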
@@ -215,7 +215,7 @@ static int nft_ipv4_xlate(const struct iptables_command_state *cs,
 	}
 
 	if (proto != 0 && !xlate_find_protomatch(cs, proto)) {
-		const char *pname = proto_to_name(proto, 0);
+		const char *pname = cs->protocol;
 
 		xt_xlate_add(xl, "ip protocol");
 		if (cs->fw.ip.invflags & IPT_INV_PROTO)
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index b184f8af3e6ed..b655130b661bc 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -194,7 +194,7 @@ static int nft_ipv6_xlate(const struct iptables_command_state *cs,
 			cs->fw6.ipv6.invflags & IP6T_INV_VIA_OUT);
 
 	if (proto != 0 && !xlate_find_protomatch(cs, proto)) {
-		const char *pname = proto_to_name(proto, 0);
+		const char *pname = cs->protocol;
 
 		xt_xlate_add(xl, "meta l4proto");
 		if (cs->fw6.ipv6.invflags & IP6T_INV_PROTO)
-- 
2.47.0
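Review bot: The new `pname` on the added line is the raw `-p` token that `cs->protocol` stores (lower-cased only, per the commit message), so the emitted nft keyword is whatever spelling the user supplied rather than a canonical lookup result; the same applies to the matching line in nft_ipv6_xlate in the second hunk. That is only sound because proto_parse has already rejected anything not resolvable as a protocol, and a comment such as `/* user-supplied -p token, already validated by proto_parse; lower-cased only */` above the declaration would record that invariant for the next reader. If the code following the hunk falls back to the numeric `proto` when `pname` is NULL (not visible here), that fallback should stay, since a command state whose `proto` was not populated through option parsing presumably has no `cs->protocol` set. nft_ipv4_xlate starts and ends outside the hunk.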