]> git.ipfire.org Git - thirdparty/iptables.git/commit
projects / thirdparty / iptables.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 681935f) | patch
xlate: Improve redundant l4proto match avoidance
authorPhil Sutter <phil@nwl.cc>
Tue, 5 Mar 2024 15:28:29 +0000 (16:28 +0100)
committerPhil Sutter <phil@nwl.cc>
Tue, 9 Apr 2024 21:20:36 +0000 (23:20 +0200)
commitd45fb0a4077304a7e3f2c44bbac1bde3a9b49a77
tree7f8643ab3f4d692dbbcbf224e58b82de73893ddbtree | snapshot
parent681935f6cb5734e120b5efe5aa8512508e2793f4commit | diff
xlate: Improve redundant l4proto match avoidance

xtables-translate tries to avoid 'ip protocol'/'meta l4proto' matches if
following expressions add this as dependency anyway. E.g.:

| # iptables-translate -A FOO -p tcp -m tcp --dport 22 -j ACCEPT
| nft 'add rule ip filter FOO tcp dport 22 counter accept'

This worked by searching protocol name in loaded matches, but that
approach is flawed as the protocol name and corresponding extension may
differ ("mobility-header" vs. "mh"). Improve this by searching for all
names (cached or resolved) for a given protocol number.

Signed-off-by: Phil Sutter <phil@nwl.cc>
extensions/libip6t_mh.txlate diff | blob | blame | history
iptables/nft-ipv4.c diff | blob | blame | history
iptables/nft-ipv6.c diff | blob | blame | history
iptables/nft.h diff | blob | blame | history
iptables/xtables-translate.c diff | blob | blame | history
Mirror of git://git.netfilter.org/iptables