@@ -214,11 +214,9 @@ static int mh_xlate(struct xt_xlate *xl,
{
const struct ip6t_mh *mhinfo = (struct ip6t_mh *)params->match->data;
bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE;
- uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto;
if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type)) {
- if (proto != IPPROTO_MH)
- xt_xlate_add(xl, "exthdr mh exists");
+ xt_xlate_add(xl, "exthdr mh exists");
return 1;
}
@@ -5,7 +5,7 @@ ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
nft 'add rule ip6 filter INPUT mh type 1-3 counter accept'
ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
Since core xlate code now ignores '-p mh' if an mh extension is also present in the rule, mh extension has to emit the l4proto match itself. Therefore emit the exthdr match irrespective of '-p' argument value just like other IPv6 extension header matches do. Fixes: 83f60fb37d594 ("extensions: mh: Save/xlate inverted full ranges") Signed-off-by: Phil Sutter <phil@nwl.cc> --- extensions/libip6t_mh.c | 4 +--- extensions/libip6t_mh.txlate | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-)