Hi Jeremy,

On Fri, Nov 08, 2024 at 05:34:43PM +0000, Jeremy Sowden wrote:
> Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
> Security Payload. This is listed in Debian's /etc/protocols, which leads to
> test failures:
>
> ./extensions/generic.txlate: Fail
> src: iptables-translate -A FORWARD -p 141
> exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
> res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: ip6tables-translate -A FORWARD -p 141
> exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
> res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: iptables-translate -A FORWARD ! -p 141
> exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
> res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: ip6tables-translate -A FORWARD ! -p 141
> exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
> res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'
>
> Replace it with 253, which IANA reserves for testing and experimentation.

An interesting solution, thanks!

We noticed the problem while preparing for the release already. It should
have been clear that people integrating the new release will run the
testsuite and require a solution, therefore working around it locally
wasn't a feasible way to deal with the situation.

Some other options which came up:

* Make xtables-translate behave like xtables-save, i.e. avoid
  /etc/protocols lookups altogether and print names only if known
  internally (iptables needs some for automatic "protocol extension"
  lookup, like with e.g. '-p 6 --dport 23').

* Print whatever the user specified (we store the -p argument and only
  make it all lower-case). So '-p 6' remains 'ip protocol 6' and
  '-p tcp' remains 'ip protocol tcp'.

* Support --numeric option in iptables-translate to make behaviour
  configurable. Needs quite some hacking as the option is only allowed
  with iptables --list.

What's your take on this?

Thanks, Phil
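The lookup policies discussed in this thread, modelled in an added Python example (not iptables code; the /etc/protocols excerpt and the set of internally known names are constructed for illustration). It shows why '-p 141' becomes 'wesp' on a system whose /etc/protocols lists it, why 253 does not, and what the xtables-save-like and verbatim alternatives would print instead:

```python
# Constructed model of how iptables-translate renders an iptables '-p'
# argument as an nft 'ip protocol' match under the three lookup policies
# discussed in the thread. Not iptables code; both tables are made up.

# Excerpt in /etc/protocols format; the 'wesp' entry is what turns
# '-p 141' into 'ip protocol wesp' on Debian. 253 is deliberately absent.
ETC_PROTOCOLS = """\
# Internet (IP) protocols
ip      0    IP      # internet protocol, pseudo protocol number
icmp    1    ICMP    # internet control message protocol
tcp     6    TCP     # transmission control protocol
udp     17   UDP     # user datagram protocol
wesp    141  WESP    # Wrapped Encapsulating Security Payload
"""

# Names iptables carries internally for automatic extension lookup
# (e.g. '-p 6 --dport 23' selecting the tcp match). Assumed set.
INTERNAL_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6"}


def parse_protocols(text):
    """Parse /etc/protocols text into {number: canonical name}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comments
        if len(fields) >= 2 and fields[1].isdigit():
            table.setdefault(int(fields[1]), fields[0])
    return table


def translate(arg, policy, system_table=None, negate=False):
    """Render '[!] -p ARG' as the nft fragment a given policy would print.

    policy: 'etc_protocols' (current behaviour, getprotobynumber-style),
            'internal' (xtables-save-like: only internally known names),
            'verbatim' (print the user's argument, lower-cased).
    """
    op = "!= " if negate else ""
    if policy == "verbatim":
        return f"ip protocol {op}{arg.lower()}"
    names = system_table if policy == "etc_protocols" else INTERNAL_NAMES
    if arg.isdigit():
        number = int(arg)
    else:
        by_name = {v: k for k, v in names.items()}
        if arg.lower() not in by_name:
            raise ValueError(f"unknown protocol: {arg}")
        number = by_name[arg.lower()]
    # Fall back to the bare number whenever the policy knows no name for it.
    return f"ip protocol {op}{names.get(number, str(number))}"
```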