On Fri, Nov 08, 2024 at 05:34:43PM +0000, Jeremy Sowden wrote:
> Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
> Security Payload. This is listed in Debian's /etc/protocols, which leads to
> test failures:
>
> ./extensions/generic.txlate: Fail
> src: iptables-translate -A FORWARD -p 141
> exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
> res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: ip6tables-translate -A FORWARD -p 141
> exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
> res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: iptables-translate -A FORWARD ! -p 141
> exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
> res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: ip6tables-translate -A FORWARD ! -p 141
> exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
> res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'
>
> Replace it with 253, which IANA reserves for testing and experimentation.
>
> Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
> Signed-off-by: Jeremy Sowden <jeremy@xxxxxxxxxx>

Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>