Re: [PATCH] extensions: libxt_sctp: Add translation to nft

On Wed, Mar 02, 2016 at 07:44:51PM +0530, Shivani Bhardwaj wrote:
> On Wed, Mar 2, 2016 at 5:24 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Wed, Mar 02, 2016 at 12:48:26PM +0100, Pablo Neira Ayuso wrote:
> >> On Wed, Mar 02, 2016 at 02:10:56AM +0530, Shivani Bhardwaj wrote:
> >> > Add translation for sctp to nftables.
> >> > Full translation of this match awaits the support for --chunk-types
> >> > option.
> >>
> >> Please, keep this documented in the wiki too so we remember there is a
> >> partial translation for this.
> >>
> >> > Examples:
> >> >
> >> > $ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
> >> > nft add rule ip filter INPUT sctp dport 80 counter drop
> >> >
> >> > $ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
> >> > nft add rule ip filter INPUT sctp sport != 80-100 counter accept
> >>
> >> Applied, thanks Shivani.
> >
> > Sorry, I have to keep this back.
> >
> > This crazy thing seems to be valid:
> >
> >         iptables -I INPUT -p sctp -m sctp
> >
> > and this will be translated as:
> >
> >         nft add rule filter INPUT ip protocol sctp sctp
> 
> dmesg shows me
> 
> x_tables: ip_tables: sctp match: only valid for protocol 132

This happens when:

        iptables -I INPUT -m sctp

> means sctp match is valid for sctp protocol. There should not be an
> sctp match (correct me if I am wrong here). Should this be on
> bugzilla?

What I suggest is this:

        const struct xt_sctp_info *einfo =
               (const struct xt_sctp_info *)match->data;

        if (!einfo->flags) <------
                return 0;

        xt_xlate_add(xl, "sctp ");
        if (einfo->flags & XT_SCTP_SRC_PORTS) {

Just skip if there are no flags set.
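The translation logic under discussion, written out as an added stand-alone example (this is not the libxt_sctp.c code from the patch or from iptables): a constructed struct standing in for xt_sctp_info, the flag names borrowed from the kernel header but defined locally, and a translator that reproduces the two translations quoted earlier in the thread while emitting nothing for a bare "-m sctp" with no options, which is the case that otherwise produced the trailing "sctp" token.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Flag names mirror the kernel's xt_sctp.h, but the values are defined here
 * so the example builds without the netfilter headers (assumption). */
#define SCTP_SRC_PORTS  (1u << 0)
#define SCTP_DEST_PORTS (1u << 1)

/* Constructed stand-in for struct xt_sctp_info: only the fields the port
 * translation needs. */
struct sctp_match_info {
    uint16_t dpts[2];   /* destination port range: min, max */
    uint16_t spts[2];   /* source port range: min, max */
    uint32_t flags;     /* which sub-matches were given on the command line */
    uint32_t invflags;  /* which of them were negated with "!" */
};

/* Emit one port expression, e.g. "sctp sport != 80-100 ". A range whose
 * ends are equal collapses to a single port, as in "sctp dport 80 ". */
static int xlate_ports(char *buf, size_t len, const char *name,
                       const uint16_t pts[2], int inverted)
{
    const char *op = inverted ? "!= " : "";

    if (pts[0] == pts[1])
        return snprintf(buf, len, "sctp %s %s%u ", name, op,
                        (unsigned)pts[0]);
    return snprintf(buf, len, "sctp %s %s%u-%u ", name, op,
                    (unsigned)pts[0], (unsigned)pts[1]);
}

/* Translate an sctp match to nft syntax. Returns the number of bytes
 * written, 0 when no flags are set (a bare "-m sctp" with no options, the
 * case from the thread), or -1 if buf is too small. */
int sctp_to_nft(const struct sctp_match_info *info, char *buf, size_t len)
{
    size_t off = 0;
    int n;

    if (len == 0)
        return -1;
    buf[0] = '\0';

    /* The check suggested in the thread: with no flags there is nothing
     * to translate, so emit no "sctp" token at all. */
    if (!info->flags)
        return 0;

    if (info->flags & SCTP_SRC_PORTS) {
        n = xlate_ports(buf + off, len - off, "sport", info->spts,
                        (info->invflags & SCTP_SRC_PORTS) != 0);
        if (n < 0 || (size_t)n >= len - off)
            return -1;
        off += (size_t)n;
    }
    if (info->flags & SCTP_DEST_PORTS) {
        n = xlate_ports(buf + off, len - off, "dport", info->dpts,
                        (info->invflags & SCTP_DEST_PORTS) != 0);
        if (n < 0 || (size_t)n >= len - off)
            return -1;
        off += (size_t)n;
    }
    return (int)off;
}

/* Convenience wrapper returning the translation from a static buffer. */
const char *sctp_to_nft_str(const struct sctp_match_info *info)
{
    static char buf[128];

    if (sctp_to_nft(info, buf, sizeof(buf)) < 0)
        return NULL;
    return buf;
}

/* Constructed inputs matching the three rules discussed in the thread:
 * "--dport 80", "! --sport 80:100", and a bare "-m sctp". */
const struct sctp_match_info SCTP_DPORT_80 =
    { {80, 80}, {0, 0}, SCTP_DEST_PORTS, 0 };
const struct sctp_match_info SCTP_NOT_SPORT_80_100 =
    { {0, 0}, {80, 100}, SCTP_SRC_PORTS, SCTP_SRC_PORTS };
const struct sctp_match_info SCTP_NO_OPTIONS =
    { {0, 0}, {0, 0}, 0, 0 };

int main(void)
{
    printf("[%s]\n", sctp_to_nft_str(&SCTP_DPORT_80));
    printf("[%s]\n", sctp_to_nft_str(&SCTP_NOT_SPORT_80_100));
    printf("[%s]\n", sctp_to_nft_str(&SCTP_NO_OPTIONS));
    return 0;
}
```

The caller (the rule translator) is expected to append its own "counter drop" or "counter accept", so the output here stops at the match expression; the return value of 0 for the no-options case is what lets that caller know the match contributed nothing and should not be followed by a dangling "sctp".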