On Wed, Mar 2, 2016 at 5:24 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > On Wed, Mar 02, 2016 at 12:48:26PM +0100, Pablo Neira Ayuso wrote: >> On Wed, Mar 02, 2016 at 02:10:56AM +0530, Shivani Bhardwaj wrote: >> > Add translation for sctp to nftables. >> > Full translation of this match awaits the support for --chunk-types >> > option. >> >> Please, keep this documented in the wiki too so we remember there is a >> partial translation for this. >> >> > Examples: >> > >> > $ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP >> > nft add rule ip filter INPUT sctp dport 80 counter drop >> > >> > $ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT >> > nft add rule ip filter INPUT sctp sport != 80-100 counter accept >> >> Applied, thanks Shivani. > > Sorry, I have to keep this back. > > This crazy thing seems to be valid: > > iptables -I INPUT -p sctp -m sctp > > and this will be translated as: > > nft add rule filter INPUT ip protocol sctp sctp dmesg shows me x_tables: ip_tables: sctp match: only valid for protocol 132 means sctp match is valid for sctp protocol. There should not be an sctp match (correct me if I am wrong here), should this be on bugzilla? -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
