extensions: sctp: Fix nftables translation

If both sport and dport was present, incorrect nft syntax was generated.

Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 140de2653b1ef1a61d7e2730b4d0ff59c0932602..ee4e99ebf11bf42db5f49a83641ca3036ae91e2c 100644 (file)
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl,
        if (!einfo->flags)
                return 0;
 
-       xt_xlate_add(xl, "sctp ");
-
        if (einfo->flags & XT_SCTP_SRC_PORTS) {
                if (einfo->spts[0] != einfo->spts[1])
-                       xt_xlate_add(xl, "sport%s %u-%u",
+                       xt_xlate_add(xl, "sctp sport%s %u-%u",
                                     einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
                                     einfo->spts[0], einfo->spts[1]);
                else
-                       xt_xlate_add(xl, "sport%s %u",
+                       xt_xlate_add(xl, "sctp sport%s %u",
                                     einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
                                     einfo->spts[0]);
                space = " ";
@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl,
 
        if (einfo->flags & XT_SCTP_DEST_PORTS) {
                if (einfo->dpts[0] != einfo->dpts[1])
-                       xt_xlate_add(xl, "%sdport%s %u-%u", space,
+                       xt_xlate_add(xl, "%ssctp dport%s %u-%u", space,
                                     einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
                                     einfo->dpts[0], einfo->dpts[1]);
                else
-                       xt_xlate_add(xl, "%sdport%s %u", space,
+                       xt_xlate_add(xl, "%ssctp dport%s %u", space,
                                     einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
                                     einfo->dpts[0]);
        }

diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
index 72f4641ab021cc88e3418840fcd15fb76b80f80a..0d6c59e183675677accfe23897e1ea113f6d0c65 100644 (file)
--- a/extensions/libxt_sctp.txlate
+++ b/extensions/libxt_sctp.txlate
@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! --dport 50:56 -j ACCEPT
 nft add rule ip filter INPUT sctp dport != 50-56 counter accept
 
 iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept
 
 iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept
 
 iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept
 
 iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
 
 iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
-nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept