[iptables PATCH] extensions: sctp: Translate bare '-m sctp' match

Just like with TCP and UDP protocol matches, emit a simple 'meta
l4proto' match if no specific header detail is to be matched.

Note that plain '-m sctp' should be a NOP in kernel, but '-p sctp -m
sctp' is not and the translation is deferred to the extension in that
case. Keep things stu^Wsimple and translate unconditionally.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 extensions/libxt_sctp.c      | 6 ++++--
 extensions/libxt_sctp.txlate | 6 ++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index e8312f0c8abe9..6b0024023cd26 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -535,8 +535,10 @@ static int sctp_xlate(struct xt_xlate *xl,
 	const struct xt_sctp_info *einfo =
 		(const struct xt_sctp_info *)params->match->data;
 
-	if (!einfo->flags)
-		return 0;
+	if (!einfo->flags) {
+		xt_xlate_add(xl, "meta l4proto sctp");
+		return 1;
+	}
 
 	if (einfo->flags & XT_SCTP_SRC_PORTS) {
 		if (einfo->spts[0] != einfo->spts[1])
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
index 0aa7371d08a13..67eb327915097 100644
--- a/extensions/libxt_sctp.txlate
+++ b/extensions/libxt_sctp.txlate
@@ -1,3 +1,9 @@
+iptables-translate -A INPUT -m sctp -j DROP
+nft 'add rule ip filter INPUT meta l4proto sctp counter drop'
+
+iptables-translate -A INPUT -p sctp -m sctp -j DROP
+nft 'add rule ip filter INPUT meta l4proto sctp counter drop'
+
 iptables-translate -A INPUT -p sctp --dport 80 -j DROP
 nft 'add rule ip filter INPUT sctp dport 80 counter drop'
 
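Review bot: the two new cases only exercise `iptables-translate`; since the emitted 'meta l4proto sctp' is family-independent, adding the matching `ip6tables-translate -A INPUT -m sctp -j DROP` and `ip6tables-translate -A INPUT -p sctp -m sctp -j DROP` lines with their expected `nft 'add rule ip6 filter INPUT meta l4proto sctp counter drop'` output would confirm the branch behaves the same for IPv6 and guard against a later family-specific regression. It is also worth stating in the file (or the commit message) that both cases intentionally yield identical output, so that someone later "fixing" the apparent redundancy of '-p sctp -m sctp' does not drop the match and reintroduce the old zero-output behaviour.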
-- 
2.49.0