-p IPv4 ! --ip-tos 0xFF;=;OK
-p IPv4 --ip-proto tcp --ip-dport 22;=;OK
-p IPv4 --ip-proto udp --ip-sport 1024:65535;=;OK
+-p IPv4 --ip-proto udp --ip-sport :;-p IPv4 --ip-proto udp --ip-sport 0:65535;OK
+-p IPv4 --ip-proto udp --ip-sport :4;-p IPv4 --ip-proto udp --ip-sport 0:4;OK
+-p IPv4 --ip-proto udp --ip-sport 4:;-p IPv4 --ip-proto udp --ip-sport 4:65535;OK
+-p IPv4 --ip-proto udp --ip-sport 3:4;=;OK
+-p IPv4 --ip-proto udp --ip-sport 4:4;-p IPv4 --ip-proto udp --ip-sport 4;OK
+-p IPv4 --ip-proto udp --ip-sport 4:3;;FAIL
+-p IPv4 --ip-proto udp --ip-dport :;-p IPv4 --ip-proto udp --ip-dport 0:65535;OK
+-p IPv4 --ip-proto udp --ip-dport :4;-p IPv4 --ip-proto udp --ip-dport 0:4;OK
+-p IPv4 --ip-proto udp --ip-dport 4:;-p IPv4 --ip-proto udp --ip-dport 4:65535;OK
+-p IPv4 --ip-proto udp --ip-dport 3:4;=;OK
+-p IPv4 --ip-proto udp --ip-dport 4:4;-p IPv4 --ip-proto udp --ip-dport 4;OK
+-p IPv4 --ip-proto udp --ip-dport 4:3;;FAIL
-p IPv4 --ip-proto 253;=;OK
-p IPv4 ! --ip-proto 253;=;OK
-p IPv4 --ip-proto icmp --ip-icmp-type echo-request;=;OK
-p IPv6 --ip6-proto tcp ! --ip6-dport 22;=;OK
-p IPv6 --ip6-proto tcp ! --ip6-sport 22 --ip6-dport 22;=;OK
-p IPv6 --ip6-proto udp --ip6-sport 1024:65535;=;OK
+-p IPv6 --ip6-proto udp --ip6-sport :;-p IPv6 --ip6-proto udp --ip6-sport 0:65535;OK
+-p IPv6 --ip6-proto udp --ip6-sport :4;-p IPv6 --ip6-proto udp --ip6-sport 0:4;OK
+-p IPv6 --ip6-proto udp --ip6-sport 4:;-p IPv6 --ip6-proto udp --ip6-sport 4:65535;OK
+-p IPv6 --ip6-proto udp --ip6-sport 3:4;=;OK
+-p IPv6 --ip6-proto udp --ip6-sport 4:4;-p IPv6 --ip6-proto udp --ip6-sport 4;OK
+-p IPv6 --ip6-proto udp --ip6-sport 4:3;;FAIL
+-p IPv6 --ip6-proto udp --ip6-dport :;-p IPv6 --ip6-proto udp --ip6-dport 0:65535;OK
+-p IPv6 --ip6-proto udp --ip6-dport :4;-p IPv6 --ip6-proto udp --ip6-dport 0:4;OK
+-p IPv6 --ip6-proto udp --ip6-dport 4:;-p IPv6 --ip6-proto udp --ip6-dport 4:65535;OK
+-p IPv6 --ip6-proto udp --ip6-dport 3:4;=;OK
+-p IPv6 --ip6-proto udp --ip6-dport 4:4;-p IPv6 --ip6-proto udp --ip6-dport 4;OK
+-p IPv6 --ip6-proto udp --ip6-dport 4:3;;FAIL
-p IPv6 --ip6-proto 253;=;OK
-p IPv6 ! --ip6-proto 253;=;OK
-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type echo-request -j CONTINUE;=;OK
! --stp-hello-time 1;=;OK
--stp-forward-delay 1;=;OK
! --stp-forward-delay 1;=;OK
+--stp-root-prio :2;--stp-root-prio 0:2;OK
+--stp-root-prio 2:;--stp-root-prio 2:65535;OK
+--stp-root-prio 1:2;=;OK
+--stp-root-prio 1:1;--stp-root-prio 1;OK
+--stp-root-prio 2:1;;FAIL
+--stp-root-cost :2;--stp-root-cost 0:2;OK
+--stp-root-cost 2:;--stp-root-cost 2:4294967295;OK
+--stp-root-cost 1:2;=;OK
+--stp-root-cost 1:1;--stp-root-cost 1;OK
+--stp-root-cost 2:1;;FAIL
+--stp-sender-prio :2;--stp-sender-prio 0:2;OK
+--stp-sender-prio 2:;--stp-sender-prio 2:65535;OK
+--stp-sender-prio 1:2;=;OK
+--stp-sender-prio 1:1;--stp-sender-prio 1;OK
+--stp-sender-prio 2:1;;FAIL
+--stp-port :;--stp-port 0:65535;OK
+--stp-port :2;--stp-port 0:2;OK
+--stp-port 2:;--stp-port 2:65535;OK
+--stp-port 1:2;=;OK
+--stp-port 1:1;--stp-port 1;OK
+--stp-port 2:1;;FAIL
+--stp-msg-age :;--stp-msg-age 0:65535;OK
+--stp-msg-age :2;--stp-msg-age 0:2;OK
+--stp-msg-age 2:;--stp-msg-age 2:65535;OK
+--stp-msg-age 1:2;=;OK
+--stp-msg-age 1:1;--stp-msg-age 1;OK
+--stp-msg-age 2:1;;FAIL
+--stp-max-age :;--stp-max-age 0:65535;OK
+--stp-max-age :2;--stp-max-age 0:2;OK
+--stp-max-age 2:;--stp-max-age 2:65535;OK
+--stp-max-age 1:2;=;OK
+--stp-max-age 1:1;--stp-max-age 1;OK
+--stp-max-age 2:1;;FAIL
+--stp-hello-time :;--stp-hello-time 0:65535;OK
+--stp-hello-time :2;--stp-hello-time 0:2;OK
+--stp-hello-time 2:;--stp-hello-time 2:65535;OK
+--stp-hello-time 1:2;=;OK
+--stp-hello-time 1:1;--stp-hello-time 1;OK
+--stp-hello-time 2:1;;FAIL
+--stp-forward-delay :;--stp-forward-delay 0:65535;OK
+--stp-forward-delay :2;--stp-forward-delay 0:2;OK
+--stp-forward-delay 2:;--stp-forward-delay 2:65535;OK
+--stp-forward-delay 1:2;=;OK
+--stp-forward-delay 1:1;--stp-forward-delay 1;OK
+--stp-forward-delay 2:1;;FAIL
-m ah --ahspi 0:invalid;;FAIL
-m ah --ahspi;;FAIL
-m ah;=;OK
+-m ah --ahspi :;-m ah;OK
+-m ah ! --ahspi :;-m ah;OK
+-m ah --ahspi :3;-m ah --ahspi 0:3;OK
+-m ah --ahspi 3:;-m ah --ahspi 3:4294967295;OK
+-m ah --ahspi 3:3;-m ah --ahspi 3;OK
+-m ah --ahspi 4:3;=;OK
ip6tables-translate -A INPUT -m ah --ahspi 500 --ahlen 120 --ahres -j ACCEPT
nft 'add rule ip6 filter INPUT ah spi 500 ah hdrlength 120 ah reserved 1 counter accept'
+
+ip6tables-translate -A INPUT -m ah --ahspi 0:4294967295
+nft 'add rule ip6 filter INPUT meta l4proto ah counter'
+
+ip6tables-translate -A INPUT -m ah ! --ahspi 0:4294967295
+nft 'add rule ip6 filter INPUT meta l4proto ah counter'
:INPUT,FORWARD,OUTPUT
+-m frag --fragid :;-m frag;OK
+-m frag ! --fragid :;-m frag;OK
+-m frag --fragid :42;-m frag --fragid 0:42;OK
+-m frag --fragid 42:;-m frag --fragid 42:4294967295;OK
-m frag --fragid 1:42;=;OK
+-m frag --fragid 3:3;-m frag --fragid 3;OK
+-m frag --fragid 4:3;=;OK
-m frag --fraglen 42;=;OK
-m frag --fragres;=;OK
-m frag --fragfirst;=;OK
ip6tables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT
nft 'add rule ip6 filter INPUT frag more-fragments 0 counter accept'
+
+ip6tables-translate -t filter -A INPUT -m frag --fragid 0:4294967295
+nft 'add rule ip6 filter INPUT counter'
+
+ip6tables-translate -t filter -A INPUT -m frag ! --fragid 0:4294967295
+nft 'add rule ip6 filter INPUT counter'
-p mobility-header -m mh --mh-type 1;=;OK
-p mobility-header -m mh ! --mh-type 4;=;OK
-p mobility-header -m mh --mh-type 4:123;=;OK
+-p mobility-header -m mh --mh-type :;-p mobility-header -m mh;OK
+-p mobility-header -m mh ! --mh-type :;-p mobility-header -m mh;OK
+-p mobility-header -m mh --mh-type :3;-p mobility-header -m mh --mh-type 0:3;OK
+-p mobility-header -m mh --mh-type 3:;-p mobility-header -m mh --mh-type 3:255;OK
+-p mobility-header -m mh --mh-type 3:3;-p mobility-header -m mh --mh-type 3;OK
+-p mobility-header -m mh --mh-type 4:3;;FAIL
ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept'
+
+ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
+nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+
+ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
+nft 'add rule ip6 filter INPUT counter accept'
+
+ip6tables-translate -A INPUT -p mh ! --mh-type 0:255 -j ACCEPT
+nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
-m rt --rt-type 0 ! --rt-segsleft 1:23 ! --rt-len 42 --rt-0-res;=;OK
-m rt ! --rt-type 1 ! --rt-segsleft 12:23 ! --rt-len 42;=;OK
-m rt;=;OK
+-m rt --rt-segsleft :;-m rt;OK
+-m rt ! --rt-segsleft :;-m rt;OK
+-m rt --rt-segsleft :3;-m rt --rt-segsleft 0:3;OK
+-m rt --rt-segsleft 3:;-m rt --rt-segsleft 3:4294967295;OK
+-m rt --rt-segsleft 3:3;-m rt --rt-segsleft 3;OK
+-m rt --rt-segsleft 4:3;=;OK
ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 ! --rt-segsleft 26 -j ACCEPT
nft 'add rule ip6 filter INPUT rt type 0 rt seg-left != 26 rt hdrlength 22 counter accept'
+
+ip6tables-translate -A INPUT -m rt --rt-segsleft 13:42 -j ACCEPT
+nft 'add rule ip6 filter INPUT rt seg-left 13-42 counter accept'
+
+ip6tables-translate -A INPUT -m rt --rt-segsleft 0:4294967295 -j ACCEPT
+nft 'add rule ip6 filter INPUT counter accept'
+
+ip6tables-translate -A INPUT -m rt ! --rt-segsleft 0:4294967295 -j ACCEPT
+nft 'add rule ip6 filter INPUT counter accept'
-m ah --ahspi;;FAIL
-m ah;;FAIL
-p ah -m ah;=;OK
+-p ah -m ah --ahspi :;-p ah -m ah;OK
+-p ah -m ah ! --ahspi :;-p ah -m ah;OK
+-p ah -m ah --ahspi :3;-p ah -m ah --ahspi 0:3;OK
+-p ah -m ah --ahspi 3:;-p ah -m ah --ahspi 3:4294967295;OK
+-p ah -m ah --ahspi 3:3;-p ah -m ah --ahspi 3;OK
+-p ah -m ah --ahspi 4:3;=;OK
iptables-translate -A INPUT -p 51 -m ah ! --ahspi 50 -j DROP
nft 'add rule ip filter INPUT ah spi != 50 counter drop'
+
+iptables-translate -A INPUT -p 51 -m ah --ahspi 0:4294967295 -j DROP
+nft 'add rule ip filter INPUT counter drop'
+
+iptables-translate -A INPUT -p 51 -m ah ! --ahspi 0:4294967295 -j DROP
+nft 'add rule ip filter INPUT counter drop'
-j NFQUEUE --queue-balance 0:65535;;FAIL
-j NFQUEUE --queue-balance 0:65536;;FAIL
-j NFQUEUE --queue-balance -1:65535;;FAIL
+-j NFQUEUE --queue-balance 4;;FAIL
+-j NFQUEUE --queue-balance :;;FAIL
+-j NFQUEUE --queue-balance :4;-j NFQUEUE --queue-balance 0:4;OK
+-j NFQUEUE --queue-balance 4:;-j NFQUEUE --queue-balance 4:65535;OK
+-j NFQUEUE --queue-balance 3:4;=;OK
+-j NFQUEUE --queue-balance 4:4;;FAIL
+-j NFQUEUE --queue-balance 4:3;;FAIL
-j NFQUEUE --queue-num 10 --queue-bypass;=;OK
-j NFQUEUE --queue-balance 0:6 --queue-cpu-fanout --queue-bypass;-j NFQUEUE --queue-balance 0:6 --queue-bypass --queue-cpu-fanout;OK
-j NFQUEUE --queue-bypass --queue-balance 0:6 --queue-cpu-fanout;-j NFQUEUE --queue-balance 0:6 --queue-bypass --queue-cpu-fanout;OK
-m connbytes --connbytes 0:1000 --connbytes-mode avgpkt --connbytes-dir both;=;OK
-m connbytes --connbytes -1:0 --connbytes-mode packets --connbytes-dir original;;FAIL
-m connbytes --connbytes 0:-1 --connbytes-mode packets --connbytes-dir original;;FAIL
+-m connbytes --connbytes : --connbytes-mode packets --connbytes-dir original;-m connbytes --connbytes 0 --connbytes-mode packets --connbytes-dir original;OK
+-m connbytes --connbytes :1000 --connbytes-mode packets --connbytes-dir original;-m connbytes --connbytes 0:1000 --connbytes-mode packets --connbytes-dir original;OK
+-m connbytes --connbytes 1000 --connbytes-mode packets --connbytes-dir original;=;OK
+-m connbytes --connbytes 1000: --connbytes-mode packets --connbytes-dir original;-m connbytes --connbytes 1000 --connbytes-mode packets --connbytes-dir original;OK
+-m connbytes --connbytes 1000:1000 --connbytes-mode packets --connbytes-dir original;=;OK
+-m connbytes --connbytes 1000:0 --connbytes-mode packets --connbytes-dir original;;FAIL
# ERROR: cannot find: iptables -I INPUT -m connbytes --connbytes 0:18446744073709551615 --connbytes-mode avgpkt --connbytes-dir both
# -m connbytes --connbytes 0:18446744073709551615 --connbytes-mode avgpkt --connbytes-dir both;=;OK
-m connbytes --connbytes 0:18446744073709551616 --connbytes-mode avgpkt --connbytes-dir both;;FAIL
-m conntrack --ctexpire 0:4294967295;=;OK
-m conntrack --ctexpire 42949672956;;FAIL
-m conntrack --ctexpire -1;;FAIL
+-m conntrack --ctexpire 3:3;-m conntrack --ctexpire 3;OK
+-m conntrack --ctexpire 4:3;=;OK
-m conntrack --ctdir ORIGINAL;=;OK
-m conntrack --ctdir REPLY;=;OK
-m conntrack --ctstatus NONE;=;OK
-m conntrack;;FAIL
-m conntrack --ctproto 0;;FAIL
-m conntrack ! --ctproto 0;;FAIL
+-m conntrack --ctorigsrcport :;-m conntrack --ctorigsrcport 0:65535;OK
+-m conntrack --ctorigsrcport :4;-m conntrack --ctorigsrcport 0:4;OK
+-m conntrack --ctorigsrcport 4:;-m conntrack --ctorigsrcport 4:65535;OK
+-m conntrack --ctorigsrcport 3:4;=;OK
+-m conntrack --ctorigsrcport 4:4;-m conntrack --ctorigsrcport 4;OK
+-m conntrack --ctorigsrcport 4:3;=;OK
+-m conntrack --ctreplsrcport :;-m conntrack --ctreplsrcport 0:65535;OK
+-m conntrack --ctreplsrcport :4;-m conntrack --ctreplsrcport 0:4;OK
+-m conntrack --ctreplsrcport 4:;-m conntrack --ctreplsrcport 4:65535;OK
+-m conntrack --ctreplsrcport 3:4;=;OK
+-m conntrack --ctreplsrcport 4:4;-m conntrack --ctreplsrcport 4;OK
+-m conntrack --ctreplsrcport 4:3;=;OK
+-m conntrack --ctorigdstport :;-m conntrack --ctorigdstport 0:65535;OK
+-m conntrack --ctorigdstport :4;-m conntrack --ctorigdstport 0:4;OK
+-m conntrack --ctorigdstport 4:;-m conntrack --ctorigdstport 4:65535;OK
+-m conntrack --ctorigdstport 3:4;=;OK
+-m conntrack --ctorigdstport 4:4;-m conntrack --ctorigdstport 4;OK
+-m conntrack --ctorigdstport 4:3;=;OK
+-m conntrack --ctrepldstport :;-m conntrack --ctrepldstport 0:65535;OK
+-m conntrack --ctrepldstport :4;-m conntrack --ctrepldstport 0:4;OK
+-m conntrack --ctrepldstport 4:;-m conntrack --ctrepldstport 4:65535;OK
+-m conntrack --ctrepldstport 3:4;=;OK
+-m conntrack --ctrepldstport 4:4;-m conntrack --ctrepldstport 4;OK
+-m conntrack --ctrepldstport 4:3;=;OK
-p dccp -m dccp --sport 1:1023;=;OK
-p dccp -m dccp --sport 1024:65535;=;OK
-p dccp -m dccp --sport 1024:;-p dccp -m dccp --sport 1024:65535;OK
+-p dccp -m dccp --sport :;-p dccp -m dccp --sport 0:65535;OK
+-p dccp -m dccp --sport :4;-p dccp -m dccp --sport 0:4;OK
+-p dccp -m dccp --sport 4:;-p dccp -m dccp --sport 4:65535;OK
+-p dccp -m dccp --sport 4:4;-p dccp -m dccp --sport 4;OK
+-p dccp -m dccp --sport 4:3;=;OK
+-p dccp -m dccp --dport :;-p dccp -m dccp --dport 0:65535;OK
+-p dccp -m dccp --dport :4;-p dccp -m dccp --dport 0:4;OK
+-p dccp -m dccp --dport 4:;-p dccp -m dccp --dport 4:65535;OK
+-p dccp -m dccp --dport 4:4;-p dccp -m dccp --dport 4;OK
+-p dccp -m dccp --dport 4:3;=;OK
-p dccp -m dccp ! --sport 1;=;OK
-p dccp -m dccp ! --sport 65535;=;OK
-p dccp -m dccp ! --dport 1;=;OK
-p esp -m esp --espspi 0:4294967295;-p esp -m esp;OK
-p esp -m esp ! --espspi 0:4294967294;=;OK
-p esp -m esp --espspi -1;;FAIL
+-p esp -m esp --espspi :;-p esp -m esp;OK
+-p esp -m esp ! --espspi :;-p esp -m esp;OK
+-p esp -m esp --espspi :4;-p esp -m esp --espspi 0:4;OK
+-p esp -m esp --espspi 4:;-p esp -m esp --espspi 4:4294967295;OK
+-p esp -m esp --espspi 3:4;=;OK
+-p esp -m esp --espspi 4:4;-p esp -m esp --espspi 4;OK
+-p esp -m esp --espspi 4:3;=;OK
-p esp -m esp;=;OK
-m esp;;FAIL
iptables-translate -A INPUT -p 50 -m esp --espspi 500:600 -j DROP
nft 'add rule ip filter INPUT esp spi 500-600 counter drop'
+
+iptables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP
+nft 'add rule ip filter INPUT counter drop'
+
+iptables-translate -A INPUT -p 50 -m esp ! --espspi 0:4294967295 -j DROP
+nft 'add rule ip filter INPUT counter drop'
+
+ip6tables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP
+nft 'add rule ip6 filter INPUT counter drop'
+
+ip6tables-translate -A INPUT -p 50 -m esp ! --espspi 0:4294967295 -j DROP
+nft 'add rule ip6 filter INPUT counter drop'
:INPUT,OUTPUT
-p ipcomp -m ipcomp --ipcompspi 18 -j DROP;=;OK
-p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT;=;OK
+-p ipcomp -m ipcomp --ipcompspi :;-p ipcomp -m ipcomp;OK
+-p ipcomp -m ipcomp ! --ipcompspi :;-p ipcomp -m ipcomp;OK
+-p ipcomp -m ipcomp --ipcompspi :4;-p ipcomp -m ipcomp --ipcompspi 0:4;OK
+-p ipcomp -m ipcomp --ipcompspi 4:;-p ipcomp -m ipcomp --ipcompspi 4:4294967295;OK
+-p ipcomp -m ipcomp --ipcompspi 3:4;=;OK
+-p ipcomp -m ipcomp --ipcompspi 4:4;-p ipcomp -m ipcomp --ipcompspi 4;OK
+-p ipcomp -m ipcomp --ipcompspi 4:3;=;OK
-m length --length :2;-m length --length 0:2;OK
-m length --length 0:3;=;OK
-m length --length 4:;-m length --length 4:65535;OK
+-m length --length :;-m length --length 0:65535;OK
-m length --length 0:65535;=;OK
-m length ! --length 0:65535;=;OK
-m length --length 0:65536;;FAIL
-m length --length -1:65535;;FAIL
+-m length --length 4:4;-m length --length 4;OK
+-m length --length 4:3;=;OK
-m length;;FAIL
-p tcp -m tcp --sport 1:1023;=;OK
-p tcp -m tcp --sport 1024:65535;=;OK
-p tcp -m tcp --sport 1024:;-p tcp -m tcp --sport 1024:65535;OK
+-p tcp -m tcp --sport :;-p tcp -m tcp;OK
+-p tcp -m tcp ! --sport :;-p tcp -m tcp;OK;LEGACY;-p tcp
+-p tcp -m tcp --sport :4;-p tcp -m tcp --sport 0:4;OK
+-p tcp -m tcp --sport 4:;-p tcp -m tcp --sport 4:65535;OK
+-p tcp -m tcp --sport 4:4;-p tcp -m tcp --sport 4;OK
+-p tcp -m tcp --sport 4:3;;FAIL
+-p tcp -m tcp --dport :;-p tcp -m tcp;OK
+-p tcp -m tcp ! --dport :;-p tcp -m tcp;OK;LEGACY;-p tcp
+-p tcp -m tcp --dport :4;-p tcp -m tcp --dport 0:4;OK
+-p tcp -m tcp --dport 4:;-p tcp -m tcp --dport 4:65535;OK
+-p tcp -m tcp --dport 4:4;-p tcp -m tcp --dport 4;OK
+-p tcp -m tcp --dport 4:3;;FAIL
-p tcp -m tcp ! --sport 1;=;OK
-p tcp -m tcp ! --sport 65535;=;OK
-p tcp -m tcp ! --dport 1;=;OK
iptables-translate -A INPUT -p tcp ! --tcp-option 23
nft 'add rule ip filter INPUT tcp option 23 missing counter'
+
+iptables-translate -I OUTPUT -p tcp --sport 0:65535 -j ACCEPT
+nft 'insert rule ip filter OUTPUT counter accept'
+
+iptables-translate -I OUTPUT -p tcp ! --sport 0:65535 -j ACCEPT
+nft 'insert rule ip filter OUTPUT counter accept'
:INPUT,FORWARD,OUTPUT
-m tcpmss --mss 42;;FAIL
-p tcp -m tcpmss --mss 42;=;OK
+-p tcp -m tcpmss --mss :;-p tcp -m tcpmss --mss 0:65535;OK
+-p tcp -m tcpmss --mss :42;-p tcp -m tcpmss --mss 0:42;OK
+-p tcp -m tcpmss --mss 42:;-p tcp -m tcpmss --mss 42:65535;OK
+-p tcp -m tcpmss --mss 42:42;-p tcp -m tcpmss --mss 42;OK
-p tcp -m tcpmss --mss 42:12345;=;OK
-p tcp -m tcpmss --mss 42:65536;;FAIL
-p tcp -m tcpmss --mss 65535:1000;;FAIL
-p udp -m udp --sport 1:1023;=;OK
-p udp -m udp --sport 1024:65535;=;OK
-p udp -m udp --sport 1024:;-p udp -m udp --sport 1024:65535;OK
+-p udp -m udp --sport :;-p udp -m udp;OK
+-p udp -m udp ! --sport :;-p udp -m udp;OK;LEGACY;-p udp
+-p udp -m udp --sport :4;-p udp -m udp --sport 0:4;OK
+-p udp -m udp --sport 4:;-p udp -m udp --sport 4:65535;OK
+-p udp -m udp --sport 4:4;-p udp -m udp --sport 4;OK
+-p udp -m udp --sport 4:3;=;OK
+-p udp -m udp --dport :;-p udp -m udp;OK
+-p udp -m udp ! --dport :;-p udp -m udp;OK;LEGACY;-p udp
+-p udp -m udp --dport :4;-p udp -m udp --dport 0:4;OK
+-p udp -m udp --dport 4:;-p udp -m udp --dport 4:65535;OK
+-p udp -m udp --dport 4:4;-p udp -m udp --dport 4;OK
+-p udp -m udp --dport 4:3;=;OK
-p udp -m udp ! --sport 1;=;OK
-p udp -m udp ! --sport 65535;=;OK
-p udp -m udp ! --dport 1;=;OK
iptables-translate -I OUTPUT -p udp --dport 1020:1023 --sport 53 -j ACCEPT
nft 'insert rule ip filter OUTPUT udp sport 53 udp dport 1020-1023 counter accept'
+
+iptables-translate -I OUTPUT -p udp --sport 0:65535 -j ACCEPT
+nft 'insert rule ip filter OUTPUT counter accept'
+
+iptables-translate -I OUTPUT -p udp ! --sport 0:65535 -j ACCEPT
+nft 'insert rule ip filter OUTPUT counter accept'
projects / thirdparty / iptables.git / commitdiff
