From b675a15b70215deab520ef1a8e52edad9129328e Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 4 May 2021 16:03:24 +0200
Subject: [PATCH] extensions: sctp: Fix nftables translation
If both sport and dport were present, incorrect nft syntax was generated.
Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167)
---
extensions/libxt_sctp.c | 10 ++++------
extensions/libxt_sctp.txlate | 10 +++++-----
2 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
|
|
|
926f74 |
index 140de2653b1ef..ee4e99ebf11bf 100644
|
|
|
926f74 |
--- a/extensions/libxt_sctp.c
|
|
|
926f74 |
+++ b/extensions/libxt_sctp.c
|
|
|
926f74 |
@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl,
|
|
|
926f74 |
if (!einfo->flags)
|
|
|
926f74 |
return 0;
|
|
|
926f74 |
|
|
|
926f74 |
- xt_xlate_add(xl, "sctp ");
|
|
|
926f74 |
-
|
|
|
926f74 |
if (einfo->flags & XT_SCTP_SRC_PORTS) {
|
|
|
926f74 |
if (einfo->spts[0] != einfo->spts[1])
|
|
|
926f74 |
- xt_xlate_add(xl, "sport%s %u-%u",
|
|
|
926f74 |
+ xt_xlate_add(xl, "sctp sport%s %u-%u",
|
|
|
926f74 |
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
|
|
|
926f74 |
einfo->spts[0], einfo->spts[1]);
|
|
|
926f74 |
else
|
|
|
926f74 |
- xt_xlate_add(xl, "sport%s %u",
|
|
|
926f74 |
+ xt_xlate_add(xl, "sctp sport%s %u",
|
|
|
926f74 |
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
|
|
|
926f74 |
einfo->spts[0]);
|
|
|
926f74 |
space = " ";
|
|
|
926f74 |
@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl,
|
|
|
926f74 |
|
|
|
926f74 |
if (einfo->flags & XT_SCTP_DEST_PORTS) {
|
|
|
926f74 |
if (einfo->dpts[0] != einfo->dpts[1])
|
|
|
926f74 |
- xt_xlate_add(xl, "%sdport%s %u-%u", space,
|
|
|
926f74 |
+ xt_xlate_add(xl, "%ssctp dport%s %u-%u", space,
|
|
|
926f74 |
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
|
|
|
926f74 |
einfo->dpts[0], einfo->dpts[1]);
|
|
|
926f74 |
else
|
|
|
926f74 |
- xt_xlate_add(xl, "%sdport%s %u", space,
|
|
|
926f74 |
+ xt_xlate_add(xl, "%ssctp dport%s %u", space,
|
|
|
926f74 |
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
|
|
|
926f74 |
einfo->dpts[0]);
|
|
|
926f74 |
}
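Review bot: The dport block closed by the last line of this hunk never sets `space`, whereas the sport block in the previous hunk ends with `space = " ";`; if anything appended after this hunk relies on `space` as its leading separator (sctp_xlate starts before the first hunk and continues past this one), a rule with only `--dport` would be emitted without that blank, so this is worth confirming against the rest of the function. Separately, the two port blocks are now four near-identical xt_xlate_add() calls that differ only in the `sport`/`dport` keyword, the port array and the inversion flag, which is exactly the duplication that let the original translation drop the `sctp` prefix on one side; a small static helper taking the separator, keyword, port pair and inversion flag keeps the prefix and the range/single-port formatting in one place. The helper below reproduces the strings this hunk emits byte for byte, and the added `space = " ";` in the dport block only matters if later output uses it.
```c
/* Append "sctp <kw>[ !=] <lo>[-<hi>]" preceded by SPACE; pts[0] == pts[1] is a single port. */
static void sctp_xlate_ports(struct xt_xlate *xl, const char *space,
			     const char *kw, const uint16_t pts[2], int inv)
{
	const char *neg = inv ? " !=" : "";

	if (pts[0] != pts[1])
		xt_xlate_add(xl, "%ssctp %s%s %u-%u", space, kw, neg,
			     pts[0], pts[1]);
	else
		xt_xlate_add(xl, "%ssctp %s%s %u", space, kw, neg, pts[0]);
}

	/* … unchanged: einfo/space declarations and the !einfo->flags early return … */

	if (einfo->flags & XT_SCTP_SRC_PORTS) {
		sctp_xlate_ports(xl, space, "sport", einfo->spts,
				 einfo->invflags & XT_SCTP_SRC_PORTS);
		space = " ";
	}

	if (einfo->flags & XT_SCTP_DEST_PORTS) {
		sctp_xlate_ports(xl, space, "dport", einfo->dpts,
				 einfo->invflags & XT_SCTP_DEST_PORTS);
		space = " ";	/* only needed if later output uses the separator */
	}
```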
|
|
|
926f74 |
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
|
|
|
926f74 |
index 72f4641ab021c..0d6c59e183675 100644
|
|
|
926f74 |
--- a/extensions/libxt_sctp.txlate
|
|
|
926f74 |
+++ b/extensions/libxt_sctp.txlate
|
|
|
926f74 |
@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! --dport 50:56 -j ACCEPT
|
|
|
926f74 |
nft add rule ip filter INPUT sctp dport != 50-56 counter accept
|
|
|
926f74 |
|
|
|
926f74 |
iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT
|
|
|
926f74 |
-nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept
|
|
|
926f74 |
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept
|
|
|
926f74 |
|
|
|
926f74 |
iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT
|
|
|
926f74 |
-nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept
|
|
|
926f74 |
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept
|
|
|
926f74 |
|
|
|
926f74 |
iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT
|
|
|
926f74 |
-nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept
|
|
|
926f74 |
+nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept
|
|
|
926f74 |
|
|
|
926f74 |
iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT
|
|
|
926f74 |
-nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept
|
|
|
926f74 |
+nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
|
|
|
926f74 |
|
|
|
926f74 |
iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
|
|
|
926f74 |
-nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept
|
|
|
926f74 |
+nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept
--
2.31.1