From: Phil Sutter Date: Wed, 2 Jul 2025 14:20:06 +0000 (+0200) Subject: extensions: sctp: Translate bare '-m sctp' match X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=HEAD;p=thirdparty%2Fiptables.git extensions: sctp: Translate bare '-m sctp' match Just like with TCP and UDP protocol matches, emit a simple 'meta l4proto' match if no specific header detail is to be matched. Note that plain '-m sctp' should be a NOP in kernel, but '-p sctp -m sctp' is not and the translation is deferred to the extension in that case. Keep things stu^Wsimple and translate unconditionally. Reviewed-by: Florian Westphal Signed-off-by: Phil Sutter
---
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index e8312f0c..6b002402 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -535,8 +535,10 @@ static int sctp_xlate(struct xt_xlate *xl,
 const struct xt_sctp_info *einfo = (const struct xt_sctp_info *)params->match->data;
- if (!einfo->flags)
- return 0;
+ if (!einfo->flags) {
+ xt_xlate_add(xl, "meta l4proto sctp");
+ return 1;
+ }
 if (einfo->flags & XT_SCTP_SRC_PORTS) {
 if (einfo->spts[0] != einfo->spts[1])
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
index 0aa7371d..67eb3279 100644
--- a/extensions/libxt_sctp.txlate
+++ b/extensions/libxt_sctp.txlate
@@ -1,3 +1,9 @@
+iptables-translate -A INPUT -m sctp -j DROP
+nft 'add rule ip filter INPUT meta l4proto sctp counter drop'
+
+iptables-translate -A INPUT -p sctp -m sctp -j DROP
+nft 'add rule ip filter INPUT meta l4proto sctp counter drop'
+
 iptables-translate -A INPUT -p sctp --dport 80 -j DROP
 nft 'add rule ip filter INPUT sctp dport 80 counter drop'
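Review bot: The new `!einfo->flags` branch in sctp_xlate carries no comment explaining why a flagless match now emits `meta l4proto sctp` instead of translating nothing, so the reasoning (parity with the tcp/udp extensions, and the fact that `-p sctp -m sctp` defers the protocol constraint to this extension) lives only in the commit message. Without the emitted match, the earlier `return 0` left the translated rule without any protocol restriction whenever the `-p` translation was deferred, which is the behaviour change a future reader will most need to understand. Suggest adding above the branch: `/* No header fields to match: still constrain the rule to SCTP, as the tcp/udp xlate callbacks do; '-p sctp' itself is translated here, not by the core. */`. The return value 1 presumably signals a completed translation to the caller, matching the rest of the function, but that convention is not visible in the hunk. sctp_xlate's signature starts and its body continues outside the hunk.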