From 03e2d9b5adfb99735336a032f03a7ea331aa3fa7 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 14 Nov 2024 16:21:04 +0100
Subject: [PATCH] ip[6]tables-translate: fix test failures when WESP is defined

JIRA: https://issues.redhat.com/browse/RHEL-66725
Upstream Status: iptables commit e6e232d0ae252b0b86278455b18d9475b95db8f0

commit e6e232d0ae252b0b86278455b18d9475b95db8f0
Author: Jeremy Sowden
Date: Fri Nov 8 17:34:43 2024 +0000

ip[6]tables-translate: fix test failures when WESP is defined

Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating Security Payload. This is listed in Debian's /etc/protocols, which leads to test failures:

./extensions/generic.txlate: Fail
src: iptables-translate -A FORWARD -p 141
exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
./extensions/generic.txlate: Fail
src: ip6tables-translate -A FORWARD -p 141
exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
./extensions/generic.txlate: Fail
src: iptables-translate -A FORWARD ! -p 141
exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
./extensions/generic.txlate: Fail
src: ip6tables-translate -A FORWARD ! -p 141
exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'

Replace it with 253, which IANA reserves for testing and experimentation.

Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
Signed-off-by: Jeremy Sowden
Reviewed-by: Pablo Neira Ayuso
Signed-off-by: Phil Sutter
Signed-off-by: Phil Sutter
---
 extensions/generic.txlate | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 9ad1266..64bc59a 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -76,17 +76,17 @@ nft 'add rule ip filter FORWARD ip protocol != sctp counter'
 ip6tables-translate -A FORWARD ! -p 132
 nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter'
 
-iptables-translate -A FORWARD -p 141
-nft 'add rule ip filter FORWARD ip protocol 141 counter'
+iptables-translate -A FORWARD -p 253
+nft 'add rule ip filter FORWARD ip protocol 253 counter'
 
-ip6tables-translate -A FORWARD -p 141
-nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
+ip6tables-translate -A FORWARD -p 253
+nft 'add rule ip6 filter FORWARD meta l4proto 253 counter'
 
-iptables-translate -A FORWARD ! -p 141
-nft 'add rule ip filter FORWARD ip protocol != 141 counter'
+iptables-translate -A FORWARD ! -p 253
+nft 'add rule ip filter FORWARD ip protocol != 253 counter'
 
-ip6tables-translate -A FORWARD ! -p 141
-nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
+ip6tables-translate -A FORWARD ! -p 253
+nft 'add rule ip6 filter FORWARD meta l4proto != 253 counter'
 
 iptables-translate -A FORWARD -m tcp --dport 22 -p tcp
 nft 'add rule ip filter FORWARD tcp dport 22 counter'
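Review bot: The reason 253 was chosen is recorded only in the commit message; the test file itself gives no hint that the number has to stay outside every /etc/protocols on the build hosts, so the next person hunting for an "unused" protocol number can reintroduce exactly this failure. If the txlate parser skips `#` lines (it appears to, but confirm), a one-line comment above the first `-p 253` case such as `# 253 is reserved by IANA for experimentation and is not named in /etc/protocols; do not swap in an assigned number` would pin the constraint where it is needed. The expected output stays host-dependent by design, since the translation prints whatever name the stored protocol table yields (per the Fixes: commit), so this is a documentation point rather than a defect in the new lines.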