* [iptables PATCH] extensions: sctp: Translate bare '-m sctp' match
@ 2025-07-02 14:47 Phil Sutter
2025-07-04 8:31 ` Florian Westphal
0 siblings, 1 reply; 3+ messages in thread
From: Phil Sutter @ 2025-07-02 14:47 UTC (permalink / raw)
To: netfilter-devel
Just like with TCP and UDP protocol matches, emit a simple 'meta
l4proto' match if no specific header detail is to be matched.
Note that plain '-m sctp' should be a NOP in kernel, but '-p sctp -m
sctp' is not and the translation is deferred to the extension in that
case. Keep things stu^Wsimple and translate unconditionally.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
extensions/libxt_sctp.c | 6 ++++--
extensions/libxt_sctp.txlate | 6 ++++++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index e8312f0c8abe9..6b0024023cd26 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -535,8 +535,10 @@ static int sctp_xlate(struct xt_xlate *xl,
const struct xt_sctp_info *einfo =
(const struct xt_sctp_info *)params->match->data;
- if (!einfo->flags)
- return 0;
+ if (!einfo->flags) {
+ xt_xlate_add(xl, "meta l4proto sctp");
+ return 1;
+ }
if (einfo->flags & XT_SCTP_SRC_PORTS) {
if (einfo->spts[0] != einfo->spts[1])
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
index 0aa7371d08a13..67eb327915097 100644
--- a/extensions/libxt_sctp.txlate
+++ b/extensions/libxt_sctp.txlate
@@ -1,3 +1,9 @@
+iptables-translate -A INPUT -m sctp -j DROP
+nft 'add rule ip filter INPUT meta l4proto sctp counter drop'
+
+iptables-translate -A INPUT -p sctp -m sctp -j DROP
+nft 'add rule ip filter INPUT meta l4proto sctp counter drop'
+
iptables-translate -A INPUT -p sctp --dport 80 -j DROP
nft 'add rule ip filter INPUT sctp dport 80 counter drop'
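Review bot: the two added cases exercise the bare '-m sctp' and the '-p sctp -m sctp' forms, but both are IPv4 only; since the visible test file only uses `iptables-translate`, an `ip6tables-translate -A INPUT -m sctp -j DROP` variant would confirm that the new branch emits the same `meta l4proto sctp` match for the ip6 family as well.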
--
2.49.0
* Re: [iptables PATCH] extensions: sctp: Translate bare '-m sctp' match
From: Florian Westphal @ 2025-07-04 8:31 UTC (permalink / raw)
To: Phil Sutter; +Cc: netfilter-devel
Phil Sutter <phil@nwl.cc> wrote:
> Just like with TCP and UDP protocol matches, emit a simple 'meta
> l4proto' match if no specific header detail is to be matched.
>
> Note that plain '-m sctp' should be a NOP in kernel, but '-p sctp -m
> sctp' is not and the translation is deferred to the extension in that
> case. Keep things stu^Wsimple and translate unconditionally.
Reviewed-by: Florian Westphal <fw@strlen.de>
* Re: [iptables PATCH] extensions: sctp: Translate bare '-m sctp' match
From: Phil Sutter @ 2025-07-04 12:57 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Fri, Jul 04, 2025 at 10:31:21AM +0200, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > Just like with TCP and UDP protocol matches, emit a simple 'meta
> > l4proto' match if no specific header detail is to be matched.
> >
> > Note that plain '-m sctp' should be a NOP in kernel, but '-p sctp -m
> > sctp' is not and the translation is deferred to the extension in that
> > case. Keep things stu^Wsimple and translate unconditionally.
>
> Reviewed-by: Florian Westphal <fw@strlen.de>
Patch applied, thanks!