
[iptables] ip[6]tables-translate: fix test failures when WESP is defined

Message ID 20241108173443.4146022-1-jeremy@azazel.net
State Accepted
Series [iptables] ip[6]tables-translate: fix test failures when WESP is defined

Commit Message

Jeremy Sowden Nov. 8, 2024, 5:34 p.m. UTC
Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
Security Payload.  This is listed in Debian's /etc/protocols, which leads to
test failures:

  ./extensions/generic.txlate: Fail
  src: iptables-translate -A FORWARD -p 141
  exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
  res: nft 'add rule ip filter FORWARD ip protocol wesp counter'

  ./extensions/generic.txlate: Fail
  src: ip6tables-translate -A FORWARD -p 141
  exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
  res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'

  ./extensions/generic.txlate: Fail
  src: iptables-translate -A FORWARD ! -p 141
  exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
  res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'

  ./extensions/generic.txlate: Fail
  src: ip6tables-translate -A FORWARD ! -p 141
  exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
  res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'

Replace it with 253, which IANA reserves for testing and experimentation.

Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 extensions/generic.txlate | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

Comments

Phil Sutter Nov. 8, 2024, 10:45 p.m. UTC | #1
Hi Jeremy,

On Fri, Nov 08, 2024 at 05:34:43PM +0000, Jeremy Sowden wrote:
> Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
> Security Payload.  This is listed in Debian's /etc/protocols, which leads to
> test failures:
> 
>   ./extensions/generic.txlate: Fail
>   src: iptables-translate -A FORWARD -p 141
>   exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
>   res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
> 
>   ./extensions/generic.txlate: Fail
>   src: ip6tables-translate -A FORWARD -p 141
>   exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
>   res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
> 
>   ./extensions/generic.txlate: Fail
>   src: iptables-translate -A FORWARD ! -p 141
>   exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
>   res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
> 
>   ./extensions/generic.txlate: Fail
>   src: ip6tables-translate -A FORWARD ! -p 141
>   exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
>   res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'
> 
> Replace it with 253, which IANA reserves for testing and experimentation.

An interesting solution, thanks!

We noticed the problem while preparing for the release already. It
should have been clear that people integrating the new release will run
the testsuite and require a solution, therefore working around it
locally wasn't a feasible way to deal with the situation.

Some other options which came up:

* Make xtables-translate behave like xtables-save, i.e. avoid
  /etc/protocol lookups altogether and print names only if known
  internally (iptables needs some for automatic "protocol extension"
  lookup, like with e.g. '-p 6 --dport 23').

* Print whatever the user specified (we store the -p argument and only
  make it all lower-case), so '-p 6' remains 'ip protocol 6' and '-p
  tcp' remains 'ip protocol tcp'.

* Support --numeric option in iptables-translate to make behaviour
  configurable. Needs quite some hacking as the option is only allowed
  with iptables --list.

What's your take on this?

Thanks, Phil
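As an added example (not code from iptables or from anyone in this thread), a Python check that follows the failure described in the commit message and Phil's first option: it parses an /etc/protocols-style table and a .txlate fragment, both constructed here, and reports the numeric -p cases whose expected nft output depends on what the host's protocol table happens to contain.

```python
import re
# Constructed excerpt in the style of Debian's /etc/protocols (not the real file).
PROTOCOLS_SAMPLE = """\
tcp     6       TCP     # transmission control protocol
sctp    132     SCTP    # Stream Control Transmission Protocol
wesp    141     WESP    # Wrapped Encapsulating Security Payload
"""
# Constructed excerpt in the layout of extensions/generic.txlate: a translate
# command line immediately followed by the nft output the test expects.
TXLATE_SAMPLE = """\
iptables-translate -A FORWARD -p 132
nft 'add rule ip filter FORWARD ip protocol sctp counter'

iptables-translate -A FORWARD -p 141
nft 'add rule ip filter FORWARD ip protocol 141 counter'

ip6tables-translate -A FORWARD ! -p 253
nft 'add rule ip6 filter FORWARD meta l4proto != 253 counter'
"""
PROTO_ARG = re.compile(r"-p\s+(\d+)\b")
def parse_protocols(text):
    """Map protocol number -> name, the way getprotobynumber(3) resolves it."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            name, number = line.split()[:2]
            table.setdefault(int(number), name)  # first entry wins, like libc
    return table

def find_fragile_cases(txlate_text, protocols_text):
    """Return (command, number, name-or-None) for each numeric -p case whose
    expected nft output only holds on hosts with a particular /etc/protocols."""
    table = parse_protocols(protocols_text)
    lines = txlate_text.splitlines()
    findings = []
    for cmd, exp in zip(lines, lines[1:]):
        m = PROTO_ARG.search(cmd)
        if (not cmd.startswith(("iptables-translate", "ip6tables-translate"))
                or not exp.startswith("nft ") or m is None):
            continue
        number = int(m.group(1))
        name = table.get(number)
        expects_literal = re.search(rf"\b{number}\b", exp) is not None
        # Fragile either way: a known number expected as a bare number, or an
        # unknown number expected as a name; both depend on the host's table.
        if (name is not None) == expects_literal:
            findings.append((cmd, number, name))
    return findings
```

Run against a host's real /etc/protocols and extensions/generic.txlate, the same check flags the 141 cases on any system whose table lists wesp, and stays quiet for 253 as long as no table assigns that number a name.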
Pablo Neira Ayuso Nov. 11, 2024, 9:59 a.m. UTC | #2
On Fri, Nov 08, 2024 at 05:34:43PM +0000, Jeremy Sowden wrote:
> Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
> Security Payload.  This is listed in Debian's /etc/protocols, which leads to
> test failures:
> 
>   ./extensions/generic.txlate: Fail
>   src: iptables-translate -A FORWARD -p 141
>   exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
>   res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
> 
>   ./extensions/generic.txlate: Fail
>   src: ip6tables-translate -A FORWARD -p 141
>   exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
>   res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
> 
>   ./extensions/generic.txlate: Fail
>   src: iptables-translate -A FORWARD ! -p 141
>   exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
>   res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
> 
>   ./extensions/generic.txlate: Fail
>   src: ip6tables-translate -A FORWARD ! -p 141
>   exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
>   res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'
> 
> Replace it with 253, which IANA reserves for testing and experimentation.
> 
> Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
> Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Phil Sutter Nov. 12, 2024, 2:11 p.m. UTC | #3
On Fri, Nov 08, 2024 at 05:34:43PM +0000, Jeremy Sowden wrote:
> Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
> Security Payload.  This is listed in Debian's /etc/protocols, which leads to
> test failures:
> 
>   ./extensions/generic.txlate: Fail
>   src: iptables-translate -A FORWARD -p 141
>   exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
>   res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
> 
>   ./extensions/generic.txlate: Fail
>   src: ip6tables-translate -A FORWARD -p 141
>   exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
>   res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
> 
>   ./extensions/generic.txlate: Fail
>   src: iptables-translate -A FORWARD ! -p 141
>   exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
>   res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
> 
>   ./extensions/generic.txlate: Fail
>   src: ip6tables-translate -A FORWARD ! -p 141
>   exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
>   res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'
> 
> Replace it with 253, which IANA reserves for testing and experimentation.
> 
> Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
> Signed-off-by: Jeremy Sowden <jeremy@azazel.net>

Patch applied, thanks!

Patch

diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 9ad1266dc623..64bc59a8611e 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -76,17 +76,17 @@  nft 'add rule ip filter FORWARD ip protocol != sctp counter'
 ip6tables-translate -A FORWARD ! -p 132
 nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter'
 
-iptables-translate -A FORWARD -p 141
-nft 'add rule ip filter FORWARD ip protocol 141 counter'
+iptables-translate -A FORWARD -p 253
+nft 'add rule ip filter FORWARD ip protocol 253 counter'
 
-ip6tables-translate -A FORWARD -p 141
-nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
+ip6tables-translate -A FORWARD -p 253
+nft 'add rule ip6 filter FORWARD meta l4proto 253 counter'
 
-iptables-translate -A FORWARD ! -p 141
-nft 'add rule ip filter FORWARD ip protocol != 141 counter'
+iptables-translate -A FORWARD ! -p 253
+nft 'add rule ip filter FORWARD ip protocol != 253 counter'
 
-ip6tables-translate -A FORWARD ! -p 141
-nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
+ip6tables-translate -A FORWARD ! -p 253
+nft 'add rule ip6 filter FORWARD meta l4proto != 253 counter'
 
 iptables-translate -A FORWARD -m tcp --dport 22 -p tcp
 nft 'add rule ip filter FORWARD tcp dport 22 counter'
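Review bot: the four replaced cases still encode an assumption that nothing in the hunk records, namely that no /etc/protocols on a test host maps 253 to a name; the reasoning (IANA reserves 253 for experimentation) lives only in the commit message. If the txlate parser accepts comment lines, a one-line note next to these cases would stop a future contributor from swapping 253 back to a "real" number and reintroducing exactly the 141/wesp failure this patch fixes. Worth noting too that the `-p 132` context lines just above already cover the number-to-name path (`sctp`), so nothing is lost by keeping the 253 cases purely numeric.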