iptables/0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch

From 03e2d9b5adfb99735336a032f03a7ea331aa3fa7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 14 Nov 2024 16:21:04 +0100
Subject: [PATCH] ip[6]tables-translate: fix test failures when WESP is defined

JIRA: https://issues.redhat.com/browse/RHEL-66725
Upstream Status: iptables commit e6e232d0ae252b0b86278455b18d9475b95db8f0

commit e6e232d0ae252b0b86278455b18d9475b95db8f0
Author: Jeremy Sowden <jeremy@azazel.net>
Date:   Fri Nov 8 17:34:43 2024 +0000

    ip[6]tables-translate: fix test failures when WESP is defined

    Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
    Security Payload.  This is listed in Debian's /etc/protocols, which leads to
    test failures:

      ./extensions/generic.txlate: Fail
      src: iptables-translate -A FORWARD -p 141
      exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
      res: nft 'add rule ip filter FORWARD ip protocol wesp counter'

      ./extensions/generic.txlate: Fail
      src: ip6tables-translate -A FORWARD -p 141
      exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
      res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'

      ./extensions/generic.txlate: Fail
      src: iptables-translate -A FORWARD ! -p 141
      exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
      res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'

      ./extensions/generic.txlate: Fail
      src: ip6tables-translate -A FORWARD ! -p 141
      exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
      res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'

    Replace it with 253, which IANA reserves for testing and experimentation.

    Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
    Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
    Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Phil Sutter <phil@nwl.cc>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
 extensions/generic.txlate | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 9ad1266..64bc59a 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -76,17 +76,17 @@ nft 'add rule ip filter FORWARD ip protocol != sctp counter'
 ip6tables-translate -A FORWARD ! -p 132
 nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter'
 
-iptables-translate -A FORWARD -p 141
-nft 'add rule ip filter FORWARD ip protocol 141 counter'
+iptables-translate -A FORWARD -p 253
+nft 'add rule ip filter FORWARD ip protocol 253 counter'
 
-ip6tables-translate -A FORWARD -p 141
-nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
+ip6tables-translate -A FORWARD -p 253
+nft 'add rule ip6 filter FORWARD meta l4proto 253 counter'
 
-iptables-translate -A FORWARD ! -p 141
-nft 'add rule ip filter FORWARD ip protocol != 141 counter'
+iptables-translate -A FORWARD ! -p 253
+nft 'add rule ip filter FORWARD ip protocol != 253 counter'
 
-ip6tables-translate -A FORWARD ! -p 141
-nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
+ip6tables-translate -A FORWARD ! -p 253
+nft 'add rule ip6 filter FORWARD meta l4proto != 253 counter'
 
 iptables-translate -A FORWARD -m tcp --dport 22 -p tcp
 nft 'add rule ip filter FORWARD tcp dport 22 counter'
iptables-1.8.11-5.el10 * Thu Nov 14 2024 Phil Sutter <psutter@redhat.com> [1.8.11-5.el10] - ip[6]tables-translate: fix test failures when WESP is defined (Phil Sutter) [RHEL-66725] Resolves: RHEL-66725 2024-11-14 15:46:36 +00:00			`From 03e2d9b5adfb99735336a032f03a7ea331aa3fa7 Mon Sep 17 00:00:00 2001`
			`From: Phil Sutter <psutter@redhat.com>`
			`Date: Thu, 14 Nov 2024 16:21:04 +0100`
			`Subject: [PATCH] ip[6]tables-translate: fix test failures when WESP is defined`

			`JIRA: https://issues.redhat.com/browse/RHEL-66725`
			`Upstream Status: iptables commit e6e232d0ae252b0b86278455b18d9475b95db8f0`

			`commit e6e232d0ae252b0b86278455b18d9475b95db8f0`
			`Author: Jeremy Sowden <jeremy@azazel.net>`
			`Date: Fri Nov 8 17:34:43 2024 +0000`

			`ip[6]tables-translate: fix test failures when WESP is defined`

			`Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating`
			`Security Payload. This is listed in Debian's /etc/protocols, which leads to`
			`test failures:`

			`./extensions/generic.txlate: Fail`
			`src: iptables-translate -A FORWARD -p 141`
			`exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'`
			`res: nft 'add rule ip filter FORWARD ip protocol wesp counter'`

			`./extensions/generic.txlate: Fail`
			`src: ip6tables-translate -A FORWARD -p 141`
			`exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'`
			`res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'`

			`./extensions/generic.txlate: Fail`
			`src: iptables-translate -A FORWARD ! -p 141`
			`exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'`
			`res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'`

			`./extensions/generic.txlate: Fail`
			`src: ip6tables-translate -A FORWARD ! -p 141`
			`exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'`
			`res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'`

			`Replace it with 253, which IANA reserves for testing and experimentation.`

			`Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")`
			`Signed-off-by: Jeremy Sowden <jeremy@azazel.net>`
			`Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>`
			`Signed-off-by: Phil Sutter <phil@nwl.cc>`

			`Signed-off-by: Phil Sutter <psutter@redhat.com>`
			`---`
			`extensions/generic.txlate \| 16 ++++++++--------`
			`1 file changed, 8 insertions(+), 8 deletions(-)`

			`diff --git a/extensions/generic.txlate b/extensions/generic.txlate`
			`index 9ad1266..64bc59a 100644`
			`--- a/extensions/generic.txlate`
			`+++ b/extensions/generic.txlate`
			`@@ -76,17 +76,17 @@ nft 'add rule ip filter FORWARD ip protocol != sctp counter'`
			`ip6tables-translate -A FORWARD ! -p 132`
			`nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter'`

			`-iptables-translate -A FORWARD -p 141`
			`-nft 'add rule ip filter FORWARD ip protocol 141 counter'`
			`+iptables-translate -A FORWARD -p 253`
			`+nft 'add rule ip filter FORWARD ip protocol 253 counter'`

			`-ip6tables-translate -A FORWARD -p 141`
			`-nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'`
			`+ip6tables-translate -A FORWARD -p 253`
			`+nft 'add rule ip6 filter FORWARD meta l4proto 253 counter'`

			`-iptables-translate -A FORWARD ! -p 141`
			`-nft 'add rule ip filter FORWARD ip protocol != 141 counter'`
			`+iptables-translate -A FORWARD ! -p 253`
			`+nft 'add rule ip filter FORWARD ip protocol != 253 counter'`

			`-ip6tables-translate -A FORWARD ! -p 141`
			`-nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'`
			`+ip6tables-translate -A FORWARD ! -p 253`
			`+nft 'add rule ip6 filter FORWARD meta l4proto != 253 counter'`

			`iptables-translate -A FORWARD -m tcp --dport 22 -p tcp`
			`nft 'add rule ip filter FORWARD tcp dport 22 counter'`