From 5a8d6197929e30520bb3839c9165d89930888daf Mon Sep 17 00:00:00 2001

From: Phil Sutter <psutter@redhat.com>

Date: Tue, 13 Jul 2021 13:54:42 +0200

Subject: [PATCH] exthdr: Implement SCTP Chunk matching

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1979334

Upstream Status: nftables commit 0e3871cfd9a1e

Conflicts:

 * Context changes due to missing other scopes.

 * Context change due to missing commit 6e6ef00028f1c

   ("exthdr: remove tcp dependency for tcp option matching").

commit 0e3871cfd9a1e32a4ac041ce87a8057b11a89924

Author: Phil Sutter <phil@nwl.cc>

Date:   Tue May 4 13:41:38 2021 +0200

    exthdr: Implement SCTP Chunk matching

    Extend exthdr expression to support scanning through SCTP packet chunks

    and matching on fixed fields' values.

    Signed-off-by: Phil Sutter <phil@nwl.cc>

    Acked-by: Florian Westphal <fw@strlen.de>

---

 doc/libnftables-json.adoc           |  13 +

 doc/payload-expression.txt          |  53 +++

 include/linux/netfilter/nf_tables.h |   2 +

 include/parser.h                    |   1 +

 include/sctp_chunk.h                |  87 +++++

 src/Makefile.am                     |   1 +

 src/evaluate.c                      |   2 +

 src/exthdr.c                        |   8 +

 src/json.c                          |   2 +

 src/parser_bison.y                  | 148 ++++++++-

 src/parser_json.c                   |  49 +++

 src/scanner.l                       |  38 +++

 src/sctp_chunk.c                    | 261 +++++++++++++++

 tests/py/inet/sctp.t                |  37 +++

 tests/py/inet/sctp.t.json           | 478 ++++++++++++++++++++++++++++

 tests/py/inet/sctp.t.payload        | 155 +++++++++

 16 files changed, 1333 insertions(+), 2 deletions(-)

 create mode 100644 include/sctp_chunk.h

 create mode 100644 src/sctp_chunk.c

diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc

index 858abbf..fba4cb0 100644

--- a/doc/libnftables-json.adoc

+++ b/doc/libnftables-json.adoc

@@ -1200,6 +1200,19 @@ Create a reference to a field (*field*) of a TCP option header (*name*).

 If the *field* property is not given, the expression is to be used as a TCP option

 existence check in a *match* statement with a boolean on the right hand side.

+=== SCTP CHUNK

+[verse]

+*{ "sctp chunk": {

+	"name":* 'STRING'*,

+	"field":* 'STRING'

+*}}*

+

+Create a reference to a field (*field*) of an SCTP chunk (*name*).

+

+If the *field* property is not given, the expression is to be used as an SCTP

+chunk existence check in a *match* statement with a boolean on the right hand

+side.

+

 === META

 [verse]

 ____

diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt

index b6d2a28..bd03ca2 100644

--- a/doc/payload-expression.txt

+++ b/doc/payload-expression.txt

@@ -369,7 +369,33 @@ integer (16 bit)

 SCTP HEADER EXPRESSION

 ~~~~~~~~~~~~~~~~~~~~~~~

 [verse]

+____

 *sctp* {*sport* | *dport* | *vtag* | *checksum*}

+*sctp chunk* 'CHUNK' [ 'FIELD' ]

+

+'CHUNK' := *data* | *init* | *init-ack* | *sack* | *heartbeat* |

+	   *heartbeat-ack* | *abort* | *shutdown* | *shutdown-ack* | *error* |

+	   *cookie-echo* | *cookie-ack* | *ecne* | *cwr* | *shutdown-complete*

+	   | *asconf-ack* | *forward-tsn* | *asconf*

+

+'FIELD' := 'COMMON_FIELD' | 'DATA_FIELD' | 'INIT_FIELD' | 'INIT_ACK_FIELD' |

+	   'SACK_FIELD' | 'SHUTDOWN_FIELD' | 'ECNE_FIELD' | 'CWR_FIELD' |

+	   'ASCONF_ACK_FIELD' | 'FORWARD_TSN_FIELD' | 'ASCONF_FIELD'

+

+'COMMON_FIELD' := *type* | *flags* | *length*

+'DATA_FIELD' := *tsn* | *stream* | *ssn* | *ppid*

+'INIT_FIELD' := *init-tag* | *a-rwnd* | *num-outbound-streams* |

+		*num-inbound-streams* | *initial-tsn*

+'INIT_ACK_FIELD' := 'INIT_FIELD'

+'SACK_FIELD' := *cum-tsn-ack* | *a-rwnd* | *num-gap-ack-blocks* |

+		*num-dup-tsns*

+'SHUTDOWN_FIELD' := *cum-tsn-ack*

+'ECNE_FIELD' := *lowest-tsn*

+'CWR_FIELD' := *lowest-tsn*

+'ASCONF_ACK_FIELD' := *seqno*

+'FORWARD_TSN_FIELD' := *new-cum-tsn*

+'ASCONF_FIELD' := *seqno*

+____

 .SCTP header expression

 [options="header"]

@@ -387,8 +413,35 @@ integer (32 bit)

 |checksum|

 Checksum|

 integer (32 bit)

+|chunk|

+Search chunk in packet|

+without 'FIELD', boolean indicating existence

 |================

+.SCTP chunk fields

+[options="header"]

+|==================

+|Name| Width in bits | Chunk | Notes

+|type| 8 | all | not useful, defined by chunk type

+|flags| 8 | all | semantics defined on per-chunk basis

+|length| 16 | all | length of this chunk in bytes excluding padding

+|tsn| 32 | data | transmission sequence number

+|stream| 16 | data | stream identifier

+|ssn| 16 | data | stream sequence number

+|ppid| 32 | data | payload protocol identifier

+|init-tag| 32 | init, init-ack | initiate tag

+|a-rwnd| 32 | init, init-ack, sack | advertised receiver window credit

+|num-outbound-streams| 16 | init, init-ack | number of outbound streams

+|num-inbound-streams| 16 | init, init-ack | number of inbound streams

+|initial-tsn| 32 | init, init-ack | initial transmit sequence number

+|cum-tsn-ack| 32 | sack, shutdown | cumulative transmission sequence number acknowledged

+|num-gap-ack-blocks| 16 | sack | number of Gap Ack Blocks included

+|num-dup-tsns| 16 | sack | number of duplicate transmission sequence numbers received

+|lowest-tsn| 32 | ecne, cwr | lowest transmission sequence number

+|seqno| 32 | asconf-ack, asconf | sequence number

+|new-cum-tsn| 32 | forward-tsn | new cumulative transmission sequence number

+|==================

+

 DCCP HEADER EXPRESSION

 ~~~~~~~~~~~~~~~~~~~~~~

 [verse]

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h

index 1328b8e..960a5b4 100644

--- a/include/linux/netfilter/nf_tables.h

+++ b/include/linux/netfilter/nf_tables.h

@@ -755,11 +755,13 @@ enum nft_exthdr_flags {

  * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers

  * @NFT_EXTHDR_OP_TCP: match against tcp options

  * @NFT_EXTHDR_OP_IPV4: match against ipv4 options

+ * @NFT_EXTHDR_OP_SCTP: match against sctp chunks

  */

 enum nft_exthdr_op {

 	NFT_EXTHDR_OP_IPV6,

 	NFT_EXTHDR_OP_TCPOPT,

 	NFT_EXTHDR_OP_IPV4,

+	NFT_EXTHDR_OP_SCTP,

 	__NFT_EXTHDR_OP_MAX

 };

 #define NFT_EXTHDR_OP_MAX	(__NFT_EXTHDR_OP_MAX - 1)

diff --git a/include/parser.h b/include/parser.h

index 2e6ef4d..99bed3c 100644

--- a/include/parser.h

+++ b/include/parser.h

@@ -33,6 +33,7 @@ enum startcond_type {

 	PARSER_SC_SCTP,

 	PARSER_SC_EXPR_HASH,

 	PARSER_SC_EXPR_NUMGEN,

+	PARSER_SC_EXPR_SCTP_CHUNK,

 };

 struct mnl_socket;

diff --git a/include/sctp_chunk.h b/include/sctp_chunk.h

new file mode 100644

index 0000000..3819200

--- /dev/null

+++ b/include/sctp_chunk.h

@@ -0,0 +1,87 @@

+/*

+ * Copyright Red Hat

+ *

+ * This program is free software; you can redistribute it and/or modify

+ * it under the terms of the GNU General Public License version 2 (or any

+ * later) as published by the Free Software Foundation.

+ */

+

+#ifndef NFTABLES_SCTP_CHUNK_H

+#define NFTABLES_SCTP_CHUNK_H

+

+/* SCTP chunk types used on wire */

+enum sctp_hdr_chunk_types {

+	SCTP_CHUNK_TYPE_DATA			= 0,

+	SCTP_CHUNK_TYPE_INIT			= 1,

+	SCTP_CHUNK_TYPE_INIT_ACK		= 2,

+	SCTP_CHUNK_TYPE_SACK			= 3,

+	SCTP_CHUNK_TYPE_HEARTBEAT		= 4,

+	SCTP_CHUNK_TYPE_HEARTBEAT_ACK		= 5,

+	SCTP_CHUNK_TYPE_ABORT			= 6,

+	SCTP_CHUNK_TYPE_SHUTDOWN		= 7,

+	SCTP_CHUNK_TYPE_SHUTDOWN_ACK		= 8,

+	SCTP_CHUNK_TYPE_ERROR			= 9,

+	SCTP_CHUNK_TYPE_COOKIE_ECHO		= 10,

+	SCTP_CHUNK_TYPE_COOKIE_ACK		= 11,

+	SCTP_CHUNK_TYPE_ECNE			= 12,

+	SCTP_CHUNK_TYPE_CWR			= 13,

+	SCTP_CHUNK_TYPE_SHUTDOWN_COMPLETE	= 14,

+	SCTP_CHUNK_TYPE_ASCONF_ACK		= 128,

+	SCTP_CHUNK_TYPE_FORWARD_TSN		= 192,

+	SCTP_CHUNK_TYPE_ASCONF			= 193,

+};

+

+enum sctp_hdr_chunk_common_fields {

+	SCTP_CHUNK_COMMON_TYPE,

+	SCTP_CHUNK_COMMON_FLAGS,

+	SCTP_CHUNK_COMMON_LENGTH,

+	__SCTP_CHUNK_COMMON_MAX,

+};

+

+#define SCTP_CHUNK_START_INDEX	__SCTP_CHUNK_COMMON_MAX

+

+enum sctp_hdr_chunk_data_fields {

+	SCTP_CHUNK_DATA_TSN = SCTP_CHUNK_START_INDEX,

+	SCTP_CHUNK_DATA_STREAM,

+	SCTP_CHUNK_DATA_SSN,

+	SCTP_CHUNK_DATA_PPID,

+};

+

+enum sctp_hdr_chunk_init_fields {

+	SCTP_CHUNK_INIT_TAG = SCTP_CHUNK_START_INDEX,

+	SCTP_CHUNK_INIT_RWND,

+	SCTP_CHUNK_INIT_OSTREAMS,

+	SCTP_CHUNK_INIT_ISTREAMS,

+	SCTP_CHUNK_INIT_TSN,

+};

+

+enum sctp_hdr_chunk_sack_fields {

+	SCTP_CHUNK_SACK_CTSN_ACK = SCTP_CHUNK_START_INDEX,

+	SCTP_CHUNK_SACK_RWND,

+	SCTP_CHUNK_SACK_GACK_BLOCKS,

+	SCTP_CHUNK_SACK_DUP_TSNS,

+};

+

+enum sctp_hdr_chunk_shutdown_fields {

+	SCTP_CHUNK_SHUTDOWN_CTSN_ACK = SCTP_CHUNK_START_INDEX,

+};

+

+enum sctp_hdr_chunk_ecne_cwr_fields {

+	SCTP_CHUNK_ECNE_CWR_MIN_TSN = SCTP_CHUNK_START_INDEX,

+};

+

+enum sctp_hdr_chunk_asconf_fields {

+	SCTP_CHUNK_ASCONF_SEQNO = SCTP_CHUNK_START_INDEX,

+};

+

+enum sctp_hdr_chunk_fwd_tsn_fields {

+	SCTP_CHUNK_FORWARD_TSN_NCTSN = SCTP_CHUNK_START_INDEX,

+};

+

+struct expr *sctp_chunk_expr_alloc(const struct location *loc,

+				   unsigned int type, unsigned int field);

+void sctp_chunk_init_raw(struct expr *expr, uint8_t type, unsigned int off,

+			 unsigned int len, uint32_t flags);

+const struct exthdr_desc *sctp_chunk_protocol_find(const char *name);

+

+#endif /* NFTABLES_SCTP_CHUNK_H */

diff --git a/src/Makefile.am b/src/Makefile.am

index 740c21f..366820b 100644

--- a/src/Makefile.am

+++ b/src/Makefile.am

@@ -64,6 +64,7 @@ libnftables_la_SOURCES =			\

 		tcpopt.c			\

 		socket.c			\

 		print.c				\

+		sctp_chunk.c			\

 		libnftables.c			\

 		libnftables.map

diff --git a/src/evaluate.c b/src/evaluate.c

index 99a66c2..00ec20b 100644

--- a/src/evaluate.c

+++ b/src/evaluate.c

@@ -579,6 +579,8 @@ static int expr_evaluate_exthdr(struct eval_ctx *ctx, struct expr **exprp)

 		dependency = &proto_tcp;

 		pb = PROTO_BASE_TRANSPORT_HDR;

 		break;

+	case NFT_EXTHDR_OP_SCTP:

+		return __expr_evaluate_exthdr(ctx, exprp);

 	case NFT_EXTHDR_OP_IPV4:

 		dependency = &proto_ip;

 		break;

diff --git a/src/exthdr.c b/src/exthdr.c

index 5c75720..f5689e7 100644

--- a/src/exthdr.c

+++ b/src/exthdr.c

@@ -22,6 +22,7 @@

 #include <headers.h>

 #include <expression.h>

 #include <statement.h>

+#include <sctp_chunk.h>

 static void exthdr_expr_print(const struct expr *expr, struct output_ctx *octx)

 {

@@ -55,6 +56,11 @@ static void exthdr_expr_print(const struct expr *expr, struct output_ctx *octx)

 		if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)

 			return;

 		nft_print(octx, " %s", expr->exthdr.tmpl->token);

+	} else if (expr->exthdr.op == NFT_EXTHDR_OP_SCTP) {

+		nft_print(octx, "sctp chunk %s", expr->exthdr.desc->name);

+		if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)

+			return;

+		nft_print(octx, " %s", expr->exthdr.tmpl->token);

 	} else {

 		if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)

 			nft_print(octx, "exthdr %s", expr->exthdr.desc->name);

@@ -197,6 +203,8 @@ void exthdr_init_raw(struct expr *expr, uint8_t type,

 		return tcpopt_init_raw(expr, type, offset, len, flags);

 	if (op == NFT_EXTHDR_OP_IPV4)

 		return ipopt_init_raw(expr, type, offset, len, flags, true);

+	if (op == NFT_EXTHDR_OP_SCTP)

+		return sctp_chunk_init_raw(expr, type, offset, len, flags);

 	expr->len = len;

 	expr->exthdr.flags = flags;

diff --git a/src/json.c b/src/json.c

index a6d0716..dfc9031 100644

--- a/src/json.c

+++ b/src/json.c

@@ -692,6 +692,8 @@ json_t *exthdr_expr_json(const struct expr *expr, struct output_ctx *octx)

 	switch (expr->exthdr.op) {

 	case NFT_EXTHDR_OP_IPV4:

 		return json_pack("{s:o}", "ip option", root);

+	case NFT_EXTHDR_OP_SCTP:

+		return json_pack("{s:o}", "sctp chunk", root);

 	default:

 		return json_pack("{s:o}", "exthdr", root);

 	}

diff --git a/src/parser_bison.y b/src/parser_bison.y

index beb5995..5ab5744 100644

--- a/src/parser_bison.y

+++ b/src/parser_bison.y

@@ -38,6 +38,7 @@

 #include <utils.h>

 #include <parser.h>

 #include <erec.h>

+#include <sctp_chunk.h>

 #include "parser_bison.h"

@@ -402,6 +403,40 @@ int nft_lex(void *, void *, void *);

 %token DCCP			"dccp"

 %token SCTP			"sctp"

+%token CHUNK			"chunk"

+%token DATA			"data"

+%token INIT			"init"

+%token INIT_ACK			"init-ack"

+%token HEARTBEAT		"heartbeat"

+%token HEARTBEAT_ACK		"heartbeat-ack"

+%token ABORT			"abort"

+%token SHUTDOWN			"shutdown"

+%token SHUTDOWN_ACK		"shutdown-ack"

+%token ERROR			"error"

+%token COOKIE_ECHO		"cookie-echo"

+%token COOKIE_ACK		"cookie-ack"

+%token ECNE			"ecne"

+%token CWR			"cwr"

+%token SHUTDOWN_COMPLETE	"shutdown-complete"

+%token ASCONF_ACK		"asconf-ack"

+%token FORWARD_TSN		"forward-tsn"

+%token ASCONF			"asconf"

+%token TSN			"tsn"

+%token STREAM			"stream"

+%token SSN			"ssn"

+%token PPID			"ppid"

+%token INIT_TAG			"init-tag"

+%token A_RWND			"a-rwnd"

+%token NUM_OSTREAMS		"num-outbound-streams"

+%token NUM_ISTREAMS		"num-inbound-streams"

+%token INIT_TSN			"initial-tsn"

+%token CUM_TSN_ACK		"cum-tsn-ack"

+%token NUM_GACK_BLOCKS		"num-gap-ack-blocks"

+%token NUM_DUP_TSNS		"num-dup-tsns"

+%token LOWEST_TSN		"lowest-tsn"

+%token SEQNO			"seqno"

+%token NEW_CUM_TSN		"new-cum-tsn"

+

 %token VTAG			"vtag"

 %token RT			"rt"

@@ -746,9 +781,12 @@ int nft_lex(void *, void *, void *);

 %type <expr>			udp_hdr_expr	udplite_hdr_expr

 %destructor { expr_free($$); }	udp_hdr_expr	udplite_hdr_expr

 %type <val>			udp_hdr_field	udplite_hdr_field

-%type <expr>			dccp_hdr_expr	sctp_hdr_expr

-%destructor { expr_free($$); }	dccp_hdr_expr	sctp_hdr_expr

+%type <expr>			dccp_hdr_expr	sctp_hdr_expr sctp_chunk_alloc

+%destructor { expr_free($$); }	dccp_hdr_expr	sctp_hdr_expr sctp_chunk_alloc

 %type <val>			dccp_hdr_field	sctp_hdr_field

+%type <val>			sctp_chunk_type sctp_chunk_common_field

+%type <val>			sctp_chunk_data_field sctp_chunk_init_field

+%type <val>			sctp_chunk_sack_field

 %type <expr>			th_hdr_expr

 %destructor { expr_free($$); }	th_hdr_expr

 %type <val>			th_hdr_field

@@ -843,6 +881,7 @@ opt_newline		:	NEWLINE

 close_scope_hash	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };

 close_scope_numgen	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };

 close_scope_sctp	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_SCTP); };

+close_scope_sctp_chunk	: { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_SCTP_CHUNK); };

 common_block		:	INCLUDE		QUOTED_STRING	stmt_separator

 			{

@@ -4783,10 +4822,115 @@ dccp_hdr_field		:	SPORT		{ $$ = DCCPHDR_SPORT; }

 			|	TYPE		{ $$ = DCCPHDR_TYPE; }

 			;

+sctp_chunk_type		:	DATA		{ $$ = SCTP_CHUNK_TYPE_DATA; }

+			|	INIT		{ $$ = SCTP_CHUNK_TYPE_INIT; }

+			|	INIT_ACK	{ $$ = SCTP_CHUNK_TYPE_INIT_ACK; }

+			|	SACK		{ $$ = SCTP_CHUNK_TYPE_SACK; }

+			|	HEARTBEAT	{ $$ = SCTP_CHUNK_TYPE_HEARTBEAT; }

+			|	HEARTBEAT_ACK	{ $$ = SCTP_CHUNK_TYPE_HEARTBEAT_ACK; }

+			|	ABORT		{ $$ = SCTP_CHUNK_TYPE_ABORT; }

+			|	SHUTDOWN	{ $$ = SCTP_CHUNK_TYPE_SHUTDOWN; }

+			|	SHUTDOWN_ACK	{ $$ = SCTP_CHUNK_TYPE_SHUTDOWN_ACK; }

+			|	ERROR		{ $$ = SCTP_CHUNK_TYPE_ERROR; }

+			|	COOKIE_ECHO	{ $$ = SCTP_CHUNK_TYPE_COOKIE_ECHO; }

+			|	COOKIE_ACK	{ $$ = SCTP_CHUNK_TYPE_COOKIE_ACK; }

+			|	ECNE		{ $$ = SCTP_CHUNK_TYPE_ECNE; }

+			|	CWR		{ $$ = SCTP_CHUNK_TYPE_CWR; }

+			|	SHUTDOWN_COMPLETE { $$ = SCTP_CHUNK_TYPE_SHUTDOWN_COMPLETE; }

+			|	ASCONF_ACK	{ $$ = SCTP_CHUNK_TYPE_ASCONF_ACK; }

+			|	FORWARD_TSN	{ $$ = SCTP_CHUNK_TYPE_FORWARD_TSN; }

+			|	ASCONF		{ $$ = SCTP_CHUNK_TYPE_ASCONF; }

+			;

+

+sctp_chunk_common_field	:	TYPE	{ $$ = SCTP_CHUNK_COMMON_TYPE; }

+			|	FLAGS	{ $$ = SCTP_CHUNK_COMMON_FLAGS; }

+			|	LENGTH	{ $$ = SCTP_CHUNK_COMMON_LENGTH; }

+			;

+

+sctp_chunk_data_field	:	TSN	{ $$ = SCTP_CHUNK_DATA_TSN; }

+			|	STREAM	{ $$ = SCTP_CHUNK_DATA_STREAM; }

+			|	SSN	{ $$ = SCTP_CHUNK_DATA_SSN; }

+			|	PPID	{ $$ = SCTP_CHUNK_DATA_PPID; }

+			;

+

+sctp_chunk_init_field	:	INIT_TAG	{ $$ = SCTP_CHUNK_INIT_TAG; }

+			|	A_RWND		{ $$ = SCTP_CHUNK_INIT_RWND; }

+			|	NUM_OSTREAMS	{ $$ = SCTP_CHUNK_INIT_OSTREAMS; }

+			|	NUM_ISTREAMS	{ $$ = SCTP_CHUNK_INIT_ISTREAMS; }

+			|	INIT_TSN	{ $$ = SCTP_CHUNK_INIT_TSN; }

+			;

+

+sctp_chunk_sack_field	:	CUM_TSN_ACK	{ $$ = SCTP_CHUNK_SACK_CTSN_ACK; }

+			|	A_RWND		{ $$ = SCTP_CHUNK_SACK_RWND; }

+			|	NUM_GACK_BLOCKS	{ $$ = SCTP_CHUNK_SACK_GACK_BLOCKS; }

+			|	NUM_DUP_TSNS	{ $$ = SCTP_CHUNK_SACK_DUP_TSNS; }

+			;

+

+sctp_chunk_alloc	:	sctp_chunk_type

+			{

+				$$ = sctp_chunk_expr_alloc(&@$, $1, SCTP_CHUNK_COMMON_TYPE);

+				$$->exthdr.flags = NFT_EXTHDR_F_PRESENT;

+			}

+			|	sctp_chunk_type	sctp_chunk_common_field

+			{

+				$$ = sctp_chunk_expr_alloc(&@$, $1, $2);

+			}

+			|	DATA	sctp_chunk_data_field

+			{

+				$$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_DATA, $2);

+			}

+			|	INIT	sctp_chunk_init_field

+			{

+				$$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_INIT, $2);

+			}

+			|	INIT_ACK	sctp_chunk_init_field

+			{

+				$$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_INIT_ACK, $2);

+			}

+			|	SACK	sctp_chunk_sack_field

+			{

+				$$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_SACK, $2);

+			}

+			|	SHUTDOWN	CUM_TSN_ACK

+			{

+				$$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_SHUTDOWN,

+							   SCTP_CHUNK_SHUTDOWN_CTSN_ACK);

+			}

+			|	ECNE	LOWEST_TSN

+			{

+				$$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_ECNE,

+							   SCTP_CHUNK_ECNE_CWR_MIN_TSN);

+			}

+			|	CWR	LOWEST_TSN

+			{

+				$$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_CWR,

+							   SCTP_CHUNK_ECNE_CWR_MIN_TSN);

+			}

+			|	ASCONF_ACK	SEQNO

+			{

+				$$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_ASCONF_ACK,

+							   SCTP_CHUNK_ASCONF_SEQNO);

+			}

+			|	FORWARD_TSN	NEW_CUM_TSN

+			{

+				$$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_FORWARD_TSN,

+							   SCTP_CHUNK_FORWARD_TSN_NCTSN);

+			}

+			|	ASCONF	SEQNO

+			{

+				$$ = sctp_chunk_expr_alloc(&@$, SCTP_CHUNK_TYPE_ASCONF,

+							   SCTP_CHUNK_ASCONF_SEQNO);

+			}

+			;

+

 sctp_hdr_expr		:	SCTP	sctp_hdr_field	close_scope_sctp

 			{

 				$$ = payload_expr_alloc(&@$, &proto_sctp, $2);

 			}

+			|	SCTP	CHUNK	sctp_chunk_alloc close_scope_sctp_chunk close_scope_sctp

+			{

+				$$ = $3;

+			}

 			;

 sctp_hdr_field		:	SPORT		{ $$ = SCTPHDR_SPORT; }

diff --git a/src/parser_json.c b/src/parser_json.c

index fbf7db5..a069a89 100644

--- a/src/parser_json.c

+++ b/src/parser_json.c

@@ -11,6 +11,7 @@

 #include <netlink.h>

 #include <parser.h>

 #include <rule.h>

+#include <sctp_chunk.h>

 #include <socket.h>

 #include <netdb.h>

@@ -705,6 +706,53 @@ static struct expr *json_parse_ip_option_expr(struct json_ctx *ctx,

 	return ipopt_expr_alloc(int_loc, descval, fieldval, 0);

 }

+static int json_parse_sctp_chunk_field(const struct exthdr_desc *desc,

+				       const char *name, int *val)

+{

+	unsigned int i;

+

+	for (i = 0; i < array_size(desc->templates); i++) {

+		if (desc->templates[i].token &&

+		    !strcmp(desc->templates[i].token, name)) {

+			if (val)

+				*val = i;

+			return 0;

+		}

+	}

+	return 1;

+}

+

+static struct expr *json_parse_sctp_chunk_expr(struct json_ctx *ctx,

+					       const char *type, json_t *root)

+{

+	const struct exthdr_desc *desc;

+	const char *name, *field;

+	struct expr *expr;

+	int fieldval;

+

+	if (json_unpack_err(ctx, root, "{s:s}", "name", &name))

+		return NULL;

+

+	desc = sctp_chunk_protocol_find(name);

+	if (!desc) {

+		json_error(ctx, "Unknown sctp chunk name '%s'.", name);

+		return NULL;

+	}

+

+	if (json_unpack(root, "{s:s}", "field", &field)) {

+		expr = sctp_chunk_expr_alloc(int_loc, desc->type,

+					     SCTP_CHUNK_COMMON_TYPE);

+		expr->exthdr.flags = NFT_EXTHDR_F_PRESENT;

+

+		return expr;

+	}

+	if (json_parse_sctp_chunk_field(desc, field, &fieldval)) {

+		json_error(ctx, "Unknown sctp chunk field '%s'.", field);

+		return NULL;

+	}

+	return sctp_chunk_expr_alloc(int_loc, desc->type, fieldval);

+}

+

 static const struct exthdr_desc *exthdr_lookup_byname(const char *name)

 {

 	const struct exthdr_desc *exthdr_tbl[] = {

@@ -1410,6 +1458,7 @@ static struct expr *json_parse_expr(struct json_ctx *ctx, json_t *root)

 		{ "exthdr", json_parse_exthdr_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },

 		{ "tcp option", json_parse_tcp_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT },

 		{ "ip option", json_parse_ip_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT },

+		{ "sctp chunk", json_parse_sctp_chunk_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT },

 		{ "meta", json_parse_meta_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },

 		{ "osf", json_parse_osf_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_MAP | CTX_F_CONCAT },

 		{ "ipsec", json_parse_xfrm_expr, CTX_F_PRIMARY | CTX_F_MAP | CTX_F_CONCAT },

diff --git a/src/scanner.l b/src/scanner.l

index b79ae55..fe1b8ad 100644

--- a/src/scanner.l

+++ b/src/scanner.l

@@ -199,6 +199,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})

 %s SCANSTATE_SCTP

 %s SCANSTATE_EXPR_HASH

 %s SCANSTATE_EXPR_NUMGEN

+%s SCANSTATE_EXPR_SCTP_CHUNK

 %%

@@ -492,9 +493,46 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})

 "sctp"			{ scanner_push_start_cond(yyscanner, SCANSTATE_SCTP); return SCTP; }

 <SCANSTATE_SCTP>{

+	"chunk"			{ scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_SCTP_CHUNK); return CHUNK; }

 	"vtag"			{ return VTAG; }

 }

+<SCANSTATE_EXPR_SCTP_CHUNK>{

+	"data"			{ return DATA; }

+	"init"			{ return INIT; }

+	"init-ack"		{ return INIT_ACK; }

+	"heartbeat"		{ return HEARTBEAT; }

+	"heartbeat-ack"		{ return HEARTBEAT_ACK; }

+	"abort"			{ return ABORT; }

+	"shutdown"		{ return SHUTDOWN; }

+	"shutdown-ack"		{ return SHUTDOWN_ACK; }

+	"error"			{ return ERROR; }

+	"cookie-echo"		{ return COOKIE_ECHO; }

+	"cookie-ack"		{ return COOKIE_ACK; }

+	"ecne"			{ return ECNE; }

+	"cwr"			{ return CWR; }

+	"shutdown-complete"	{ return SHUTDOWN_COMPLETE; }

+	"asconf-ack"		{ return ASCONF_ACK; }

+	"forward-tsn"		{ return FORWARD_TSN; }

+	"asconf"		{ return ASCONF; }

+

+	"tsn"			{ return TSN; }

+	"stream"		{ return STREAM; }

+	"ssn"			{ return SSN; }

+	"ppid"			{ return PPID; }

+	"init-tag"		{ return INIT_TAG; }

+	"a-rwnd"		{ return A_RWND; }

+	"num-outbound-streams"	{ return NUM_OSTREAMS; }

+	"num-inbound-streams"	{ return NUM_ISTREAMS; }

+	"initial-tsn"		{ return INIT_TSN; }

+	"cum-tsn-ack"		{ return CUM_TSN_ACK; }

+	"num-gap-ack-blocks"	{ return NUM_GACK_BLOCKS; }

+	"num-dup-tsns"		{ return NUM_DUP_TSNS; }

+	"lowest-tsn"		{ return LOWEST_TSN; }

+	"seqno"			{ return SEQNO; }

+	"new-cum-tsn"		{ return NEW_CUM_TSN; }

+}

+

 "rt"			{ return RT; }

 "rt0"			{ return RT0; }

 "rt2"			{ return RT2; }

diff --git a/src/sctp_chunk.c b/src/sctp_chunk.c

new file mode 100644

index 0000000..6e73e72

--- /dev/null

+++ b/src/sctp_chunk.c

@@ -0,0 +1,261 @@

+/*

+ * Copyright Red Hat

+ *

+ * This program is free software; you can redistribute it and/or modify

+ * it under the terms of the GNU General Public License version 2 (or any

+ * later) as published by the Free Software Foundation.

+ */

+

+#include <exthdr.h>

+#include <sctp_chunk.h>

+

+#include <string.h>

+

+#define PHT(__token, __offset, __len) \

+	PROTO_HDR_TEMPLATE(__token, &integer_type, BYTEORDER_BIG_ENDIAN, \

+			   __offset, __len)

+

+static const struct exthdr_desc sctp_chunk_data = {

+	.name	= "data",

+	.type	= SCTP_CHUNK_TYPE_DATA,

+	.templates = {

+		[SCTP_CHUNK_COMMON_TYPE]	= PHT("type", 0, 8),

+		[SCTP_CHUNK_COMMON_FLAGS]	= PHT("flags", 8, 8),

+		[SCTP_CHUNK_COMMON_LENGTH]	= PHT("length", 16, 16),

+		[SCTP_CHUNK_DATA_TSN]		= PHT("tsn", 32, 32),

+		[SCTP_CHUNK_DATA_STREAM]	= PHT("stream", 64, 16),

+		[SCTP_CHUNK_DATA_SSN]		= PHT("ssn", 80, 16),

+		[SCTP_CHUNK_DATA_PPID]		= PHT("ppid", 96, 32),

+	},

+};

+

+static const struct exthdr_desc sctp_chunk_init = {

+	.name	= "init",

+	.type	= SCTP_CHUNK_TYPE_INIT,

+	.templates = {

+		[SCTP_CHUNK_COMMON_TYPE]	= PHT("type", 0, 8),

+		[SCTP_CHUNK_COMMON_FLAGS]	= PHT("flags", 8, 8),

+		[SCTP_CHUNK_COMMON_LENGTH]	= PHT("length", 16, 16),

+		[SCTP_CHUNK_INIT_TAG]		= PHT("init-tag", 32, 32),

+		[SCTP_CHUNK_INIT_RWND]		= PHT("a-rwnd", 64, 32),

+		[SCTP_CHUNK_INIT_OSTREAMS]	= PHT("num-outbound-streams", 96, 16),

+		[SCTP_CHUNK_INIT_ISTREAMS]	= PHT("num-inbound-streams", 112, 16),

+		[SCTP_CHUNK_INIT_TSN]		= PHT("initial-tsn", 128, 32),

+	},

+};

+

+static const struct exthdr_desc sctp_chunk_init_ack = {

+	.name	= "init-ack",

+	.type	= SCTP_CHUNK_TYPE_INIT_ACK,

+	.templates = {

+		[SCTP_CHUNK_COMMON_TYPE]	= PHT("type", 0, 8),

+		[SCTP_CHUNK_COMMON_FLAGS]	= PHT("flags", 8, 8),