Merge tag 'v1.8.10' of https://git.netfilter.org/iptables

iptables 1.8.10 release

* tag 'v1.8.10' of https://git.netfilter.org/iptables:
  configure: Bump version for 1.8.10 release
  build: Bump dependency on libnftnl
  include: linux: Update kernel.h
  nft: Fix for useless meta expressions in rule
  tests: shell: Fix for ineffective 0007-mid-restore-flush_0
  extensions: Fix checking of conntrack --ctproto 0
  Revert --compat option related commits
  doc: fix example of xt_cpu
  tests: Test compat mode
  Add --compat option to *tables-nft and *-nft-restore commands
  nft: Introduce and use bool nft_handle::compat
  nft: Pass nft_handle to add_{target,action}()
  Use SOCK_CLOEXEC/O_CLOEXEC where available
  tests: shell: Test chain policy counter behaviour
  Revert "libiptc: fix wrong maptype of base chain counters on restore"
  nft: Create builtin chains with counters enabled
  tests: iptables-test: Fix command segfault reports
  nft-ruleparse: parse meta mark set as MARK target
  nft-ruleparse: Introduce nft_create_target()
  extensions: libip6t_icmp: Add names for mld-listener types
  nft: move processing logic out of asserts
  man: iptables-save.8: Start paragraphs in upper-case
  man: iptables-save.8: Fix --modprobe description
  man: iptables-save.8: Clarify 'available tables'
  man: Trivial: Missing space after comma
  man: iptables-restore.8: Start paragraphs in upper-case
  man: iptables-restore.8: Put 'file' in italics in synopsis
  man: iptables-restore.8: Drop -W option from synopsis
  man: iptables-restore.8: Consistently document -w option
  man: iptables-restore.8: Fix --modprobe description
  man: iptables.8: Trivial font fixes
  man: Use HTTPS for links to netfilter.org
  man: iptables.8: Clarify --goto description
  man: iptables.8: Fix intra page reference
  man: iptables.8: Trivial spelling fixes
  man: iptables.8: Extend exit code description
  tests: libipt_icmp.t: Enable tests with numeric output
  extensions: libipt_icmp: Fix confusion between 255/255 and any
  iptables-apply: Eliminate shellcheck warnings
  iptables-restore: Drop dead code
  tests: shell: Fix and extend chain rename test
  ebtables: Improve invalid chain name detection
  *tables: Reject invalid chain names when renaming
  *tables-restore: Enforce correct counters syntax if present
  nft: Include sets in debug output
  nft: Do not pass nft_rule_ctx to add_nft_among()
  nft: More verbose extension comparison debugging
  nft: Special casing for among match in compare_matches()
  tests: shell: Sanitize nft-only/0009-needless-bitwise_0
  nft-bridge: pass context structure to ops->add() to improve anonymous set support
  iptables: Fix handling of non-existent chains
  iptables: Fix setting of ipv6 counters
  xshared: dissolve should_load_proto
  nft: use payload matching for layer 4 protocol
  man: string: document BM false negatives
  nft: check for source and destination address in first place
  nft: ruleparse: Create family-specific source files
  nft: Extract rule parsing callbacks from nft_family_ops
  nft: Introduce nft-ruleparse.{c,h}
  xshared: Fix parsing of option arguments in same word
  arptables: Don't omit standard matches if inverted
  arptables: Fix parsing of inverted 'arp operation' match
  nft-shared: Drop unused include
  utils: nfbpf_compile: Replace pcap_compile_nopcap()
  tests: shell: Test for false-positive rule check
  ebtables-nft: add broute table emulation
  include: update nf_tables uapi header
  build: use pkg-config for libpcap
  ip6tables: Fix checking existence of rule
  iptables-test.py: make explicit use of python3
  iptables-nft: remove unused function argument
  iptables-nft: make builtin tables static
  xtables-eb: fix crash when opts isn't reallocated
  nft-restore: Fix for deletion of new, referenced rule
  include: Add missing linux/netfilter/xt_LOG.h
  xt_sctp: add the missing chunk types in sctp_help
  xtables-translate: Support insert with index
  ebtables: ip and ip6 matches depend on protocol match
  extensions: libebt_ip: Translation has to match on ether type
  extensions: libebt_ip: Do not use 'ip dscp' for translation
  extensions: libebt_redirect: Fix for wrong syntax in translation
  extensions: libebt_redirect: Fix target translation
  tests: xlate: Print file names even if specified
  tests: xlate: Properly split input in replay mode
  nft-shared: Simplify using nft_create_match()
  nft-shared: Use nft_create_match() in one more spot
  nft-shared: Lookup matches in iptables_command_state
  tests: CLUSTERIP: Drop test file
  tests: xlate: Support testing multiple individual files
  ebtables-translate: Print flush command after parsing is finished
  ebtables-translate: Ignore '-j CONTINUE'
  ebtables-translate: Use OPT_* from xshared.h
  ebtables-translate: Drop exec_style
  ebtables: Refuse unselected targets' options
  Proper fix for "unknown argument" error message
  etc: Drop xtables.conf

Generated via:
  git fetch git://git.netfilter.org/iptables v1.8.10
  git merge --log=999 FETCH_HEAD

Test: with follow up
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia4ce7e3670706ee0905228cfd147fa6499ca08bb

1 files changed, 2 insertions, 1 deletions

diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index b0318aeb..171b3b39 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -108,7 +108,8 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
 		printf(" !");
 
 	/* special hack for 'any' case */
-	if (icmp->type == 0xFF) {
+	if (icmp->type == 0xFF &&
+	    icmp->code[0] == 0 && icmp->code[1] == 0xFF) {
 		printf(" --icmp-type any");
 	} else {
 		printf(" --icmp-type %u", icmp->type);