xlate: libip6t_mh: Fix and simplify plain '-m mh' match

Since core xlate code now ignores '-p mh' if an mh extension is also
present in the rule, mh extension has to emit the l4proto match itself.
Therefore emit the exthdr match irrespective of '-p' argument value just
like other IPv6 extension header matches do.

Fixes: 83f60fb37d594 ("extensions: mh: Save/xlate inverted full ranges")
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index 3f80e28ec94c8a4da94279eee98b428c01e7eafa..1a1cee832b584d827e676475f53dbfe22d5bddbc 100644 (file)
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -214,11 +214,9 @@ static int mh_xlate(struct xt_xlate *xl,
 {
        const struct ip6t_mh *mhinfo = (struct ip6t_mh *)params->match->data;
        bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE;
-       uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto;
 
        if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type)) {
-               if (proto != IPPROTO_MH)
-                       xt_xlate_add(xl, "exthdr mh exists");
+               xt_xlate_add(xl, "exthdr mh exists");
                return 1;
        }
 

diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate
index cc194254951e9a536e991aaec5f81757257dbaeb..13b4ba882c94809b824d48c4485c2c9d7ab2b57f 100644 (file)
--- a/extensions/libip6t_mh.txlate
+++ b/extensions/libip6t_mh.txlate
@@ -5,7 +5,7 @@ ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
 nft 'add rule ip6 filter INPUT mh type 1-3 counter accept'
 
 ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
 
 ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
 nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'