iptables-1.8.11-11.el10

* Tue Jul 15 2025 Phil Sutter <psutter@redhat.com> [1.8.11-11.el10] - extensions: sctp: Translate bare '-m sctp' match (Phil Sutter) [RHEL-101502] Resolves: RHEL-101502
2025-07-15 19:27:44 +02:00 · 2025-07-15 19:27:44 +02:00 · 681c78dce0
commit 681c78dce0
parent 90a623180c
2 changed files with 66 additions and 1 deletions
--- a/0008-extensions-sctp-Translate-bare-m-sctp-match.patch
+++ b/0008-extensions-sctp-Translate-bare-m-sctp-match.patch
@ -0,0 +1,61 @@
+From 9f0ed27832c48fcde5c08b2352bd8b921d99e9e6 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 15 Jul 2025 19:26:35 +0200
+Subject: [PATCH] extensions: sctp: Translate bare '-m sctp' match
+
+JIRA: https://issues.redhat.com/browse/RHEL-101502
+Upstream Status: iptables commit 12e6b5ed65fd91ea413a2e45201289c3d01c4e29
+
+commit 12e6b5ed65fd91ea413a2e45201289c3d01c4e29
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed Jul 2 16:20:06 2025 +0200
+
+    extensions: sctp: Translate bare '-m sctp' match
+
+    Just like with TCP and UDP protocol matches, emit a simple 'meta
+    l4proto' match if no specific header detail is to be matched.
+
+    Note that plain '-m sctp' should be a NOP in kernel, but '-p sctp -m
+    sctp' is not and the translation is deferred to the extension in that
+    case. Keep things stu^Wsimple and translate unconditionally.
+
+    Reviewed-by: Florian Westphal <fw@strlen.de>
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ extensions/libxt_sctp.c      | 6 ++++--
+ extensions/libxt_sctp.txlate | 6 ++++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
+index e8312f0..6b00240 100644
+--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
+@@ -535,8 +535,10 @@ static int sctp_xlate(struct xt_xlate *xl,
+ 	const struct xt_sctp_info *einfo =
+ 		(const struct xt_sctp_info *)params->match->data;
+ 
+-	if (!einfo->flags)
+-		return 0;
+	if (!einfo->flags) {
+		xt_xlate_add(xl, "meta l4proto sctp");
+		return 1;
+	}
+ 
+ 	if (einfo->flags & XT_SCTP_SRC_PORTS) {
+ 		if (einfo->spts[0] != einfo->spts[1])
+diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
+index 0aa7371..67eb327 100644
+--- a/extensions/libxt_sctp.txlate
+++ b/extensions/libxt_sctp.txlate
+@@ -1,3 +1,9 @@
+iptables-translate -A INPUT -m sctp -j DROP
+nft 'add rule ip filter INPUT meta l4proto sctp counter drop'
+
+iptables-translate -A INPUT -p sctp -m sctp -j DROP
+nft 'add rule ip filter INPUT meta l4proto sctp counter drop'
+
+ iptables-translate -A INPUT -p sctp --dport 80 -j DROP
+ nft 'add rule ip filter INPUT sctp dport 80 counter drop'
+ 
--- a/iptables.spec
+++ b/iptables.spec
@ -14,7 +14,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.11
-Release: 10%{?dist}
+Release: 11%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.xz
 Source1: iptables.init
 Source2: iptables-config
@ -35,6 +35,7 @@ Patch4:             0004-nft-fix-interface-comparisons-in-C-commands.patch
 Patch5:             0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch
 Patch6:             0006-extensions-icmp-Support-info-request-reply-type-name.patch
 Patch7:             0007-xshared-Accept-an-option-if-any-given-command-allows.patch
+Patch8:             0008-extensions-sctp-Translate-bare-m-sctp-match.patch

 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@ -520,6 +521,9 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz

 %changelog
+* Tue Jul 15 2025 Phil Sutter <psutter@redhat.com> [1.8.11-11.el10]
+- extensions: sctp: Translate bare '-m sctp' match (Phil Sutter) [RHEL-101502]
+
 * Wed Jun 04 2025 Phil Sutter <psutter@redhat.com> [1.8.11-10.el10]
 - spec: Require kernel-modules-extra-matched meta package (Phil Sutter) [RHEL-87455]