diff --git a/0008-extensions-sctp-Translate-bare-m-sctp-match.patch b/0008-extensions-sctp-Translate-bare-m-sctp-match.patch
new file mode 100644
index 0000000..28724d0
--- /dev/null
+++ b/0008-extensions-sctp-Translate-bare-m-sctp-match.patch
@@ -0,0 +1,61 @@
+From 9f0ed27832c48fcde5c08b2352bd8b921d99e9e6 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 15 Jul 2025 19:26:35 +0200
+Subject: [PATCH] extensions: sctp: Translate bare '-m sctp' match
+
+JIRA: https://issues.redhat.com/browse/RHEL-101502
+Upstream Status: iptables commit 12e6b5ed65fd91ea413a2e45201289c3d01c4e29
+
+commit 12e6b5ed65fd91ea413a2e45201289c3d01c4e29
+Author: Phil Sutter
+Date: Wed Jul 2 16:20:06 2025 +0200
+
+ extensions: sctp: Translate bare '-m sctp' match
+
+ Just like with TCP and UDP protocol matches, emit a simple 'meta
+ l4proto' match if no specific header detail is to be matched.
+
+ Note that plain '-m sctp' should be a NOP in kernel, but '-p sctp -m
+ sctp' is not and the translation is deferred to the extension in that
+ case. Keep things stu^Wsimple and translate unconditionally.
+
+ Reviewed-by: Florian Westphal
+ 
Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ extensions/libxt_sctp.c | 6 ++++--
+ extensions/libxt_sctp.txlate | 6 ++++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
+index e8312f0..6b00240 100644
+--- a/extensions/libxt_sctp.c
++++ b/extensions/libxt_sctp.c
+@@ -535,8 +535,10 @@ static int sctp_xlate(struct xt_xlate *xl,
+ const struct xt_sctp_info *einfo =
+ (const struct xt_sctp_info *)params->match->data;
+ 
+- if (!einfo->flags)
+- return 0;
++ if (!einfo->flags) {
++ xt_xlate_add(xl, "meta l4proto sctp");
++ return 1;
++ }
+ 
+ if (einfo->flags & XT_SCTP_SRC_PORTS) {
+ if (einfo->spts[0] != einfo->spts[1])
+diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
+index 0aa7371..67eb327 100644
+--- a/extensions/libxt_sctp.txlate
++++ b/extensions/libxt_sctp.txlate
+@@ -1,3 +1,9 @@
++iptables-translate -A INPUT -m sctp -j DROP
++nft 'add rule ip filter INPUT meta l4proto sctp counter drop'
++
++iptables-translate -A INPUT -p sctp -m sctp -j DROP
++nft 'add rule ip filter INPUT meta l4proto sctp counter drop'
++
+ iptables-translate -A INPUT -p sctp --dport 80 -j DROP
+ nft 'add rule ip filter INPUT sctp dport 80 counter drop'
+ 
diff --git a/iptables.spec b/iptables.spec
index 3199e19..f3f332f 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -14,7 +14,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.11
-Release: 10%{?dist}
+Release: 11%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.xz
 Source1: iptables.init
 Source2: iptables-config
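Review bot: The new `xt_xlate_add(xl, "meta l4proto sctp")` branch in the nested libxt_sctp.c hunk narrows a bare `-m sctp` rule without saying so in the code: per the commit message the flag-less match is a NOP in kernel, so a rule like the new `-A INPUT -m sctp -j DROP` txlate case matches any L4 protocol before translation but only SCTP after it, which for a DROP rule means the migrated ruleset lets through traffic the original blocked. The removed `return 0` path, which I read as the callback's way of reporting the rule as not translatable, also disappears, so the operator no longer gets any signal that the translation is inexact. The trade-off is deliberate per the commit message, but it deserves a why-comment at the branch so the next reader does not assume an exact translation, e.g. `/* Bare '-m sctp' is a NOP in kernel; translating it to 'meta l4proto sctp' deliberately narrows the rule (see commit message). */`. The enclosing sctp_xlate() starts before and continues past the nested hunk.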
@@ -35,6 +35,7 @@ Patch4: 0004-nft-fix-interface-comparisons-in-C-commands.patch Patch5: 0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch Patch6: 0006-extensions-icmp-Support-info-request-reply-type-name.patch Patch7: 0007-xshared-Accept-an-option-if-any-given-command-allows.patch +Patch8: 0008-extensions-sctp-Translate-bare-m-sctp-match.patch # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 @@ -520,6 +521,9 @@ fi %ghost %{_mandir}/man8/ebtables.8.gz %changelog +* Tue Jul 15 2025 Phil Sutter [1.8.11-11.el10] +- extensions: sctp: Translate bare '-m sctp' match (Phil Sutter) [RHEL-101502] + * Wed Jun 04 2025 Phil Sutter [1.8.11-10.el10] - spec: Require kernel-modules-extra-matched meta package (Phil Sutter) [RHEL-87455]