Just like with TCP and UDP protocol matches, emit a simple 'meta
l4proto' match if no specific header detail is to be matched.
Note that plain '-m sctp' should be a NOP in kernel, but '-p sctp -m
sctp' is not and the translation is deferred to the extension in that
case. Keep things stu^Wsimple and translate unconditionally.

Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
const struct xt_sctp_info *einfo =
(const struct xt_sctp_info *)params->match->data;
- if (!einfo->flags)
- return 0;
+ if (!einfo->flags) {
+ xt_xlate_add(xl, "meta l4proto sctp");
+ return 1;
+ }
if (einfo->flags & XT_SCTP_SRC_PORTS) {
if (einfo->spts[0] != einfo->spts[1])
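Review bot: the new `if (!einfo->flags)` branch changes the meaning of a bare '-m sctp' rule rather than preserving it: the commit message says the kernel treats plain '-m sctp' as a NOP, but the emitted `meta l4proto sctp` restricts the translated rule to SCTP packets. Since this is a deliberate simplification, a one-line comment above `xt_xlate_add(xl, "meta l4proto sctp");` stating that the '-m sctp'-only case is intentionally narrowed (and that the core does not emit the l4proto match for '-p sctp -m sctp') would keep a future reader from "fixing" it back to `return 0;`.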
+iptables-translate -A INPUT -m sctp -j DROP
+nft 'add rule ip filter INPUT meta l4proto sctp counter drop'
+
+iptables-translate -A INPUT -p sctp -m sctp -j DROP
+nft 'add rule ip filter INPUT meta l4proto sctp counter drop'
+
iptables-translate -A INPUT -p sctp --dport 80 -j DROP
nft 'add rule ip filter INPUT sctp dport 80 counter drop'
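Review bot: the second new case ('-p sctp -m sctp') is the one that actually guards the unconditional translation, since it proves `meta l4proto sctp` is emitted once and not duplicated by the core protocol match; the first case only shows the new branch firing. Keeping both is right, but the expected output being identical for the two cases is worth a sentence in the commit message so the reason for the second case is not lost.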