Message ID | 20241108173443.4146022-1-jeremy@azazel.net |
---|---|
State | Accepted |
Series | [iptables] ip[6]tables-translate: fix test failures when WESP is defined |
Hi Jeremy,

On Fri, Nov 08, 2024 at 05:34:43PM +0000, Jeremy Sowden wrote:
> Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
> Security Payload. This is listed in Debian's /etc/protocols, which leads to
> test failures:
>
> ./extensions/generic.txlate: Fail
> src: iptables-translate -A FORWARD -p 141
> exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
> res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: ip6tables-translate -A FORWARD -p 141
> exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
> res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: iptables-translate -A FORWARD ! -p 141
> exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
> res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: ip6tables-translate -A FORWARD ! -p 141
> exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
> res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'
>
> Replace it with 253, which IANA reserves for testing and experimentation.

An interesting solution, thanks!

We noticed the problem while preparing for the release already. It should have been clear that people integrating the new release will run the testsuite and require a solution, therefore working around it locally wasn't a feasible way to deal with the situation.

Some other options which came up:

* Make xtables-translate behave like xtables-save, i.e. avoid /etc/protocol lookups altogether and print names only if known internally (iptables needs some for automatic "protocol extension" lookup, like with e.g. '-p 6 --dport 23').

* Print whatever the user specified (we store the -p argument and only make it all lower-case). So '-p 6' remains 'ip protocol 6' and '-p tcp' remains 'ip protocol tcp'.

* Support --numeric option in iptables-translate to make behaviour configurable. Needs quite some hacking as the option is only allowed with iptables --list.

What's your take on this?

Thanks, Phil
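The thread above turns on one detail: whether the number given to `-p` is sent through the host's protocol database before it is printed. The following is an added example, not iptables code, that emulates that lookup in Python so the failure and the proposed fixes can be reproduced offline. It parses two constructed `/etc/protocols` excerpts (a Debian-like one that names 141 `wesp` and a minimal one that does not), renders the `-p` argument both with the database lookup and numerically (the `--numeric` behaviour Phil mentions), replays `.txlate`-style expectations against each database, and reports which numbers give the same expectation everywhere. All function names, the sample databases and the case tuples are this example's own.

```python
"""Added example (not iptables code): emulate the /etc/protocols lookup that
makes iptables-translate output depend on the host, and check which protocol
numbers are safe to use in a generic.txlate expectation."""

# Constructed excerpt in /etc/protocols format. Debian's file carries a 'wesp'
# line for 141; a minimal database does not.
DEBIAN_LIKE = """\
# Internet (IP) protocols
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
sctp    132     SCTP            # Stream Control Transmission Protocol
wesp    141     WESP            # Wrapped Encapsulating Security Payload
"""

MINIMAL = """\
tcp     6       TCP
udp     17      UDP
sctp    132     SCTP
"""


def parse_protocols(text):
    """Parse /etc/protocols lines of the form 'name number [alias ...] [# comment]'.

    Returns a number -> canonical name mapping. As with getprotobynumber(3),
    the first entry for a number wins; comments and malformed lines are skipped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue
        table.setdefault(int(fields[1]), fields[0])
    return table


def translate_proto(arg, table, family="ip", invert=False, numeric=False):
    """Render the nft match that iptables-translate prints for '-p ARG'.

    Emulation only: numeric=False resolves the number through the protocol
    database (host dependent, the behaviour that produced 'wesp'); numeric=True
    prints the number as given. Names are accepted and resolved via the same
    table; unknown names raise, as the real tool rejects them.
    """
    if arg.isdigit():
        number = int(arg)
    else:
        by_name = {name: num for num, name in table.items()}
        if arg.lower() not in by_name:
            raise ValueError(f"unknown protocol name: {arg}")
        number = by_name[arg.lower()]
    keyword = "ip protocol" if family == "ip" else "meta l4proto"
    rendered = str(number) if numeric else table.get(number, str(number))
    op = " !=" if invert else ""
    return f"{keyword}{op} {rendered}"


def txlate_failures(cases, table):
    """Replay (family, proto_arg, invert, expected_match) cases the way a
    .txlate expectation is checked; return those that fail on `table`."""
    failures = []
    for family, arg, invert, expected in cases:
        got = translate_proto(arg, table, family=family, invert=invert)
        if got != expected:
            failures.append((family, arg, invert, expected, got))
    return failures


def portable_numbers(candidates, *tables):
    """Numbers that render identically on every database given, i.e. that no
    database names, so an expectation using them cannot drift between hosts."""
    return [n for n in candidates if all(n not in t for t in tables)]


if __name__ == "__main__":
    debian, minimal = parse_protocols(DEBIAN_LIKE), parse_protocols(MINIMAL)
    old = [("ip", "141", False, "ip protocol 141"),
           ("ip6", "141", True, "meta l4proto != 141")]
    new = [("ip", "253", False, "ip protocol 253"),
           ("ip6", "253", True, "meta l4proto != 253")]
    print("old cases on Debian-like database:", txlate_failures(old, debian))
    print("old cases on minimal database:    ", txlate_failures(old, minimal))
    print("new cases on Debian-like database:", txlate_failures(new, debian))
    print("portable among [141, 253]:", portable_numbers([141, 253], debian, minimal))
```

Run it as a script to see the 141 cases fail only on the Debian-like database, which is exactly the symptom in the patch description, while the 253 cases pass on both. `translate_proto(..., numeric=True)` shows what the `--numeric` option from the third bullet would buy: the expectation stops depending on the host at all, which none of the test-side choices of number can guarantee.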
On Fri, Nov 08, 2024 at 05:34:43PM +0000, Jeremy Sowden wrote:
> Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
> Security Payload. This is listed in Debian's /etc/protocols, which leads to
> test failures:
>
> ./extensions/generic.txlate: Fail
> src: iptables-translate -A FORWARD -p 141
> exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
> res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: ip6tables-translate -A FORWARD -p 141
> exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
> res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: iptables-translate -A FORWARD ! -p 141
> exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
> res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: ip6tables-translate -A FORWARD ! -p 141
> exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
> res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'
>
> Replace it with 253, which IANA reserves for testing and experimentation.
>
> Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
> Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
On Fri, Nov 08, 2024 at 05:34:43PM +0000, Jeremy Sowden wrote:
> Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
> Security Payload. This is listed in Debian's /etc/protocols, which leads to
> test failures:
>
> ./extensions/generic.txlate: Fail
> src: iptables-translate -A FORWARD -p 141
> exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
> res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: ip6tables-translate -A FORWARD -p 141
> exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
> res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: iptables-translate -A FORWARD ! -p 141
> exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
> res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
>
> ./extensions/generic.txlate: Fail
> src: ip6tables-translate -A FORWARD ! -p 141
> exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
> res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'
>
> Replace it with 253, which IANA reserves for testing and experimentation.
>
> Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
> Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

Patch applied, thanks!
diff --git a/extensions/generic.txlate b/extensions/generic.txlate index 9ad1266dc623..64bc59a8611e 100644 --- a/extensions/generic.txlate +++ b/extensions/generic.txlate @@ -76,17 +76,17 @@ nft 'add rule ip filter FORWARD ip protocol != sctp counter' ip6tables-translate -A FORWARD ! -p 132 nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter' -iptables-translate -A FORWARD -p 141 -nft 'add rule ip filter FORWARD ip protocol 141 counter' +iptables-translate -A FORWARD -p 253 +nft 'add rule ip filter FORWARD ip protocol 253 counter' -ip6tables-translate -A FORWARD -p 141 -nft 'add rule ip6 filter FORWARD meta l4proto 141 counter' +ip6tables-translate -A FORWARD -p 253 +nft 'add rule ip6 filter FORWARD meta l4proto 253 counter' -iptables-translate -A FORWARD ! -p 141 -nft 'add rule ip filter FORWARD ip protocol != 141 counter' +iptables-translate -A FORWARD ! -p 253 +nft 'add rule ip filter FORWARD ip protocol != 253 counter' -ip6tables-translate -A FORWARD ! -p 141 -nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter' +ip6tables-translate -A FORWARD ! -p 253 +nft 'add rule ip6 filter FORWARD meta l4proto != 253 counter' iptables-translate -A FORWARD -m tcp --dport 22 -p tcp nft 'add rule ip filter FORWARD tcp dport 22 counter'
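Review bot: the four replaced cases after the `ip6tables-translate -A FORWARD ! -p 132` context still rest on the host's protocol database: `ip protocol 253` and `meta l4proto 253` only hold while no /etc/protocols entry names 253, which is the same assumption that broke for 141 once Debian shipped a `wesp` line. Reserving 253 for experimentation makes that a safe bet, but these cases now test "number without a name" rather than numeric rendering in general, and nothing in the hunk records why 253 rather than any other value was chosen. Suggest making the intent visible next to the `-p 253` cases, and keeping in mind that only a translate-side change (print the argument as given, or a `--numeric` switch, as discussed in the thread) would decouple the expectation from the distribution's /etc/protocols entirely.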
Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
Security Payload. This is listed in Debian's /etc/protocols, which leads to
test failures:

./extensions/generic.txlate: Fail
src: iptables-translate -A FORWARD -p 141
exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
res: nft 'add rule ip filter FORWARD ip protocol wesp counter'

./extensions/generic.txlate: Fail
src: ip6tables-translate -A FORWARD -p 141
exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'

./extensions/generic.txlate: Fail
src: iptables-translate -A FORWARD ! -p 141
exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'

./extensions/generic.txlate: Fail
src: ip6tables-translate -A FORWARD ! -p 141
exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'

Replace it with 253, which IANA reserves for testing and experimentation.

Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 extensions/generic.txlate | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)