diff options
| author | Phil Sutter <phil@nwl.cc> | 2021-05-04 16:26:42 +0200 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2021-05-19 09:53:41 +0200 |
| commit | 5818be177110a09120dd8fe4bd2533acbf8da301 (patch) | |
| tree | 5ebeb7513dea995986ba596d2165ba3c87686e7d /extensions/libxt_sctp.txlate | |
| parent | a61282ec6a1697bfb40f19d13a28a74559050167 (diff) | |
extensions: sctp: Translate --chunk-types option
The translation is not fully complete as it is not possible to map 'any'
match type into nft syntax with a single rule. Also, 'only' match type
translation is a bit poor as it explicitly lists all chunk types that
are supposed to be missing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'extensions/libxt_sctp.txlate')
| -rw-r--r-- | extensions/libxt_sctp.txlate | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate index 0d6c59e1..bb817525 100644 --- a/extensions/libxt_sctp.txlate +++ b/extensions/libxt_sctp.txlate @@ -36,3 +36,9 @@ nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept + +iptables-translate -A INPUT -p sctp --chunk-types all INIT,DATA:iUbE,SACK,ABORT:T -j ACCEPT +nft add rule ip filter INPUT sctp chunk data flags & 0xf == 0x5 sctp chunk init exists sctp chunk sack exists sctp chunk abort flags & 0x1 == 0x1 counter accept + +iptables-translate -A INPUT -p sctp --chunk-types only SHUTDOWN_COMPLETE -j ACCEPT +nft add rule ip filter INPUT sctp chunk data missing sctp chunk init missing sctp chunk init-ack missing sctp chunk sack missing sctp chunk heartbeat missing sctp chunk heartbeat-ack missing sctp chunk abort missing sctp chunk shutdown missing sctp chunk shutdown-ack missing sctp chunk error missing sctp chunk cookie-echo missing sctp chunk cookie-ack missing sctp chunk ecne missing sctp chunk cwr missing sctp chunk shutdown-complete exists sctp chunk asconf missing sctp chunk asconf-ack missing sctp chunk forward-tsn missing counter accept |