
[iptables] xtables-translate: Use protocol name/value as user specified it

Message ID 20241108131508.6706-1-phil@nwl.cc
State Deferred

Commit Message

Phil Sutter Nov. 8, 2024, 1:15 p.m. UTC
Avoid playing games with /etc/protocols lookups, especially in the
context of the testsuite. Instead make use of the stored protocol name
(which is merely sanitized to lower-case) and use that for output.
Invalid protocol names will still be rejected by the proto_parse
callback call during option parsing.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 extensions/generic.txlate | 14 ++++++++++----
 iptables/nft-ipv4.c       |  2 +-
 iptables/nft-ipv6.c       |  2 +-
 3 files changed, 12 insertions(+), 6 deletions(-)


diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 9ad1266dc623c..5823a64b328da 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -65,16 +65,22 @@  ip6tables-translate -I INPUT ! -s ::/0
 nft 'insert rule ip6 filter INPUT ip6 saddr != ::/0 counter'
 
 iptables-translate -A FORWARD -p 132
-nft 'add rule ip filter FORWARD ip protocol sctp counter'
+nft 'add rule ip filter FORWARD ip protocol 132 counter'
 
 ip6tables-translate -A FORWARD -p 132
-nft 'add rule ip6 filter FORWARD meta l4proto sctp counter'
+nft 'add rule ip6 filter FORWARD meta l4proto 132 counter'
 
 iptables-translate -A FORWARD ! -p 132
-nft 'add rule ip filter FORWARD ip protocol != sctp counter'
+nft 'add rule ip filter FORWARD ip protocol != 132 counter'
 
 ip6tables-translate -A FORWARD ! -p 132
-nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter'
+nft 'add rule ip6 filter FORWARD meta l4proto != 132 counter'
+
+iptables-translate -A FORWARD -p sctp
+nft 'add rule ip filter FORWARD ip protocol sctp counter'
+
+ip6tables-translate -A FORWARD -p sctp
+nft 'add rule ip6 filter FORWARD meta l4proto sctp counter'
 
 iptables-translate -A FORWARD -p 141
 nft 'add rule ip filter FORWARD ip protocol 141 counter'
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 740928757b7e2..d58efe8d8f1db 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -215,7 +215,7 @@  static int nft_ipv4_xlate(const struct iptables_command_state *cs,
 	}
 
 	if (proto != 0 && !xlate_find_protomatch(cs, proto)) {
-		const char *pname = proto_to_name(proto, 0);
+		const char *pname = cs->protocol;
 
 		xt_xlate_add(xl, "ip protocol");
 		if (cs->fw.ip.invflags & IPT_INV_PROTO)
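Review bot: The new `const char *pname = cs->protocol;` has no fallback for a NULL or empty `cs->protocol`; the old `proto_to_name(proto, 0)` derived the name from the numeric `proto` alone, so any caller that fills `cs->fw.ip.proto` without going through `-p` option parsing would now hand an unset string to the `xt_xlate_add` call that prints it (that call is below the hunk). I would keep the lookup as the fallback, `const char *pname = cs->protocol && *cs->protocol ? cs->protocol : proto_to_name(proto, 0);`, or add an `assert`-style comment stating that `cs->protocol` is guaranteed non-NULL whenever `proto != 0` here. The same change appears in the nft-ipv6.c hunk and would take the identical guard. `nft_ipv4_xlate` begins and ends outside this hunk.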
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index b184f8af3e6ed..b655130b661bc 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -194,7 +194,7 @@  static int nft_ipv6_xlate(const struct iptables_command_state *cs,
 		     cs->fw6.ipv6.invflags & IP6T_INV_VIA_OUT);
 
 	if (proto != 0 && !xlate_find_protomatch(cs, proto)) {
-		const char *pname = proto_to_name(proto, 0);
+		const char *pname = cs->protocol;
 
 		xt_xlate_add(xl, "meta l4proto");
 		if (cs->fw6.ipv6.invflags & IP6T_INV_PROTO)