From 49b5927c0f833c5917fc4b6be47ed7b7452495ec Mon Sep 17 00:00:00 2001
From: Stephen Kitt <skitt@redhat.com>
Date: Fri, 17 Nov 2023 09:47:13 +0100
Subject: [PATCH] Fix the 1.8.9 version check

The current version check fails for any version where the patch
version is 9 or greater. 1.4.21 is still in use e.g. on RHEL 7:

    ipt.v1 == 1 && ipt.v2 <= 8 && ipt.v3 < 9

fails there because 21 >= 9.

To handle this, the check needs to distinguish ipt.v2 < 8 (v3 is not
significant then) and ipt.v2 == 8 (v3 needs to be compared).

Signed-off-by: Stephen Kitt <skitt@redhat.com>
---
 iptables/iptables_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/iptables/iptables_test.go b/iptables/iptables_test.go
index 18ffa43..f341e2c 100644
--- a/iptables/iptables_test.go
+++ b/iptables/iptables_test.go
@@ -422,14 +422,14 @@ func runRulesTests(t *testing.T, ipt *IPTables) {
 	opt := "--"
 	prot := "0"
 	if ipt.proto == ProtocolIPv6 &&
-		ipt.v1 == 1 && ipt.v2 <= 8 && ipt.v3 < 9 {
+		ipt.v1 == 1 && (ipt.v2 < 8 || (ipt.v2 == 8 && ipt.v3 < 9)) {
 		// this is fixed in iptables 1.8.9 via iptables/6e41c2d874
 		opt = "  "
 		// this is fixed in iptables 1.8.9 via iptables/da8ecc62dd
 		prot = "all"
 	}
 	if ipt.proto == ProtocolIPv4 &&
-		ipt.v1 == 1 && ipt.v2 <= 8 && ipt.v3 < 9 {
+		ipt.v1 == 1 && (ipt.v2 < 8 || (ipt.v2 == 8 && ipt.v3 < 9)) {
 		// this is fixed in iptables 1.8.9 via iptables/da8ecc62dd
 		prot = "all"
 	}