git.ipfire.org Git - thirdparty/iptables.git/commit

author	Jeremy Sowden <jeremy@azazel.net>
	Fri, 8 Nov 2024 17:34:43 +0000 (17:34 +0000)
committer	Phil Sutter <phil@nwl.cc>
	Tue, 12 Nov 2024 13:53:52 +0000 (14:53 +0100)
commit	e6e232d0ae252b0b86278455b18d9475b95db8f0
tree	a978c58a44ad7fa61a16fed48b6f386aa1a1b6d1	tree
parent	0506bea1dcc8f12d94e7c32bf2fb04abb3fdd269	commit \| diff

ip[6]tables-translate: fix test failures when WESP is defined

Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
Security Payload.  This is listed in Debian's /etc/protocols, which leads to
test failures:

  ./extensions/generic.txlate: Fail
  src: iptables-translate -A FORWARD -p 141
  exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
  res: nft 'add rule ip filter FORWARD ip protocol wesp counter'

  ./extensions/generic.txlate: Fail
  src: ip6tables-translate -A FORWARD -p 141
  exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
  res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'

  ./extensions/generic.txlate: Fail
  src: iptables-translate -A FORWARD ! -p 141
  exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
  res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'

  ./extensions/generic.txlate: Fail
  src: ip6tables-translate -A FORWARD ! -p 141
  exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
  res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'

Replace it with 253, which IANA reserves for testing and experimentation.

Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>