| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| translation-test-fixes.patch | fix translation test failures Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating Security Payload. This is listed in Debian's /etc/protocols, which leads to test failures: . ./extensions/generic.txlate: Fail src: iptables-translate -A FORWARD -p 141 exp: nft 'add rule ip filter FORWARD ip protocol 141 counter' res: nft 'add rule ip filter FORWARD ip protocol wesp counter' . ./extensions/generic.txlate: Fail src: ip6tables-translate -A FORWARD -p 141 exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter' res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter' . ./extensions/generic.txlate: Fail src: iptables-translate -A FORWARD ! -p 141 exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter' res: nft 'add rule ip filter FORWARD ip protocol != wesp counter' . ./extensions/generic.txlate: Fail src: ip6tables-translate -A FORWARD ! -p 141 exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter' res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter' . Replace it with 253, which IANA reserves for testing and experimentation. |
Jeremy Sowden <jeremy@azazel.net> | yes | 2024-11-20 | ||
| fix-interface-comparisons.patch | Fix interface comparisons in `-C` commands Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel") removed code which explicitly set interface masks to all ones. The result of this is that they are zero. However, they are used to mask interfaces in `is_same_interfaces`. Consequently, the masked values are alway zero, the comparisons are always true, and check commands which ought to fail succeed: . # iptables -N test # iptables -A test -i lo \! -o lo -j REJECT # iptables -v -L test Chain test (0 references) pkts bytes target prot opt in out source destination 0 0 REJECT all -- lo !lo anywhere anywhere reject-with icmp-port-unreachable # iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT REJECT all opt -- in lo out !lo 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable . Remove the mask parameters from `is_same_interfaces`. Add a test-case. |
Jeremy Sowden <jeremy@azazel.net> | yes | debian | 2024-11-20 |