On Wed, Jun 29, 2022 at 4:07 PM Yuxuan Luo <luoyuxuan.carl@xxxxxxxxx> wrote:
>
> There are new chunks added in Linux SCTP not being traced by iptables.
>
> This patch introduces the following chunks for tracing:
> I_DATA, I_FORWARD_TSN (RFC8260), RE_CONFIG(RFC6525) and PAD(RFC4820)
>
> Signed-off-by: Yuxuan Luo <luoyuxuan.carl@xxxxxxxxx>
> ---
> extensions/libxt_sctp.c | 4 ++++
> extensions/libxt_sctp.man | 4 +++-
> 2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
> index a4c5415f..3fb6cf1a 100644
> --- a/extensions/libxt_sctp.c
> +++ b/extensions/libxt_sctp.c
> @@ -112,9 +112,13 @@ static const struct sctp_chunk_names sctp_chunk_names[]
> { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------", .nftname = "ecne" },
> { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------", .nftname = "cwr" },
> { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T", .nftname = "shutdown-complete" },
> + { .name = "I_DATA", .chunk_type = 64, .valid_flags = "----IUBE", .nftname = "i-data"},
> + { .name = "RE_CONFIG", .chunk_type = 130, .valid_flags = "--------", .nftname = "re-config"},
> + { .name = "PAD", .chunk_type = 132, .valid_flags = "--------", .nftname = "pad"},
> { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------", .nftname = "asconf" },
> { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------", .nftname = "asconf-ack" },
> { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------", .nftname = "forward-tsn" },
> + { .name = "I_FORWARD_TSN", .chunk_type = 194, .valid_flags = "--------", .nftname = "i-forward-tsn" },
> };
>
> static void
> diff --git a/extensions/libxt_sctp.man b/extensions/libxt_sctp.man
> index 3e5ffa09..06da04f8 100644
> --- a/extensions/libxt_sctp.man
> +++ b/extensions/libxt_sctp.man
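Review bot: The four added rows each introduce a new `.nftname` string (`"i-data"`, `"re-config"`, `"pad"`, `"i-forward-tsn"`), and nothing visible in the hunk shows that the nft side recognises these names. If that field feeds rule translation, as its name suggests, a rule matching one of the new chunk types would presumably translate into output that nft rejects, so the names should be checked against nft's SCTP chunk keywords before merging. Separately, the I_DATA, RE_CONFIG and PAD rows close with `"},` while every other row, including the new I_FORWARD_TSN one, uses `" },`; for consistency write e.g. `.nftname = "i-data" },`. The initializer of sctp_chunk_names begins above the hunk, so only this tail of the table is reviewed here.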
> @@ -19,12 +19,14 @@ Match if any of the given chunk types is present with given flags.
> only
> Match if only the given chunk types are present with given flags and none are missing.
>
> -Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN
> +Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE I_DATA RE_CONFIG PAD ASCONF ASCONF_ACK FORWARD_TSN I_FORWARD_TSN
>
> chunk type available flags
> .br
> DATA I U B E i u b e
> .br
> +I_DATA I U B E i u b e
> +.br
> ABORT T t
> .br
> SHUTDOWN_COMPLETE T t
> --
> 2.31.1
> Reviewed-by: Xin Long <lucien.xin@xxxxxxxxx> (This is a patch for iptables.)