
iptables: allow IPv6 port NAT without address NAT

Message ID 20130102155244.GB5133@uweber-WS
State Superseded

Commit Message

Ulrich Weber Jan. 2, 2013, 3:52 p.m. UTC
correct parsing of IPv6 port NAT without address NAT
and also print brackets for port only IPv6 NAT.

Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
---
 extensions/libip6t_DNAT.c | 12 +++++-------
 extensions/libip6t_SNAT.c | 12 +++++-------
 2 files changed, 10 insertions(+), 14 deletions(-)

Comments

Pablo Neira Ayuso Jan. 3, 2013, 12:13 a.m. UTC | #1
Hi Ulrich,

On Wed, Jan 02, 2013 at 04:52:44PM +0100, Ulrich Weber wrote:
> correct parsing of IPv6 port NAT without address NAT
> and also print brackets for port only IPv6 NAT.

I think we can go further with some extra sanity checkings, something
like:

parse_to(...)
[...]
        start = strchr(arg, '[');
        if (start == NULL)
                xtables_error(PARAMETER_PROBLEM,
                              "IPv6 address has to be enclosed in brackets");

That will help users who expect a syntax similar to IPv4 DNAT.

The current error shows misleading error reporting if brackets are
missing:

# ip6tables -D PREROUTING -p tcp -t nat -j DNAT --to :80-110
ip6tables v1.4.17: Bad IP address ":80"

Would you send me a new version of this patch?

Thanks.
Ulrich Weber Jan. 3, 2013, 10:17 a.m. UTC | #2
Hi Pablo,

On 01/03/13 01:13, Pablo Neira Ayuso wrote:
> Hi Ulrich,
>
> On Wed, Jan 02, 2013 at 04:52:44PM +0100, Ulrich Weber wrote:
>> correct parsing of IPv6 port NAT without address NAT
>> and also print brackets for port only IPv6 NAT.
> I think we can go further with some extra sanity checkings, something
> like:
>
> parse_to(...)
> [...]
>          start = strchr(arg, '[');
>          if (start == NULL)
>                  xtables_error(PARAMETER_PROBLEM,
>                                "IPv6 address has to be enclosed in brackets");

That will force the use of [] and might break existing scripts.
Let's try another way and relax the parsing instead,
by assuming that a single colon means port-only information.

Will send another patch...

Cheers
Ulrich

Patch

diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
index a5969c3..6f11d52 100644
--- a/extensions/libip6t_DNAT.c
+++ b/extensions/libip6t_DNAT.c
@@ -105,8 +105,8 @@  parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
 			range->min_proto.tcp.port = htons(port);
 			range->max_proto.tcp.port = htons(maxport);
 		}
-		/* Starts with a colon? No IP info...*/
-		if (colon == arg) {
+		/* Starts with [] colon? No IP info...*/
+		if (colon == arg+2) {
 			free(arg);
 			return;
 		}
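Review bot: The new test `colon == arg+2` infers the `[]` prefix from the colon's position alone and never checks that `arg[0]` and `arg[1]` are actually `[` and `]`, so any two-character token followed by a colon at that offset takes the no-address early return, and the comment on the line above promises a `[]` check that the code does not make. Tightening it to `if (colon == arg+2 && arg[0] == '[' && arg[1] == ']')` makes the condition match the comment. Note also that the old `colon == arg` case is dropped entirely, so a bare `:port` argument no longer returns early here and presumably falls through to address parsing of an empty string; if that form is meant to stay accepted, keep `colon == arg ||` in the condition. parse_to begins and ends outside this hunk, and the identical change in extensions/libip6t_SNAT.c has the same issues.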
@@ -183,18 +183,16 @@  static void DNAT_fcheck(struct xt_fcheck_call *cb)
 
 static void print_range(const struct nf_nat_range *range)
 {
+	if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)
+		printf("[");
 	if (range->flags & NF_NAT_RANGE_MAP_IPS) {
-		if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)
-			printf("[");
 		printf("%s", xtables_ip6addr_to_numeric(&range->min_addr.in6));
 		if (memcmp(&range->min_addr, &range->max_addr,
 			   sizeof(range->min_addr)))
 			printf("-%s", xtables_ip6addr_to_numeric(&range->max_addr.in6));
-		if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)
-			printf("]");
 	}
 	if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
-		printf(":");
+		printf("]:");
 		printf("%hu", ntohs(range->min_proto.tcp.port));
 		if (range->max_proto.tcp.port != range->min_proto.tcp.port)
 			printf("-%hu", ntohs(range->max_proto.tcp.port));
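Review bot: The opening bracket is now printed whenever NF_NAT_RANGE_PROTO_SPECIFIED is set, independently of NF_NAT_RANGE_MAP_IPS, and the closing `]:` likewise, so a port-only range renders as `[]:port`; nothing in the code says why an empty bracket pair is intentional, and a reader may take it for a bug. A comment above the first `if` would settle it: `/* Brackets are emitted whenever a port is given, even with no address, so the output ("[]:port") round-trips through parse_to. */` It is also worth stating in the commit message that this output is presumably rejected by parse_to in versions predating this change, which matters for rules saved here and restored on an older ip6tables. The same change to print_range in extensions/libip6t_SNAT.c needs the same comment.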
diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
index 307be70..8d2c87e 100644
--- a/extensions/libip6t_SNAT.c
+++ b/extensions/libip6t_SNAT.c
@@ -105,8 +105,8 @@  parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
 			range->min_proto.tcp.port = htons(port);
 			range->max_proto.tcp.port = htons(maxport);
 		}
-		/* Starts with a colon? No IP info...*/
-		if (colon == arg) {
+		/* Starts with [] colon? No IP info...*/
+		if (colon == arg+2) {
 			free(arg);
 			return;
 		}
@@ -183,18 +183,16 @@  static void SNAT_fcheck(struct xt_fcheck_call *cb)
 
 static void print_range(const struct nf_nat_range *range)
 {
+	if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)
+		printf("[");
 	if (range->flags & NF_NAT_RANGE_MAP_IPS) {
-		if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)
-			printf("[");
 		printf("%s", xtables_ip6addr_to_numeric(&range->min_addr.in6));
 		if (memcmp(&range->min_addr, &range->max_addr,
 			   sizeof(range->min_addr)))
 			printf("-%s", xtables_ip6addr_to_numeric(&range->max_addr.in6));
-		if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)
-			printf("]");
 	}
 	if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
-		printf(":");
+		printf("]:");
 		printf("%hu", ntohs(range->min_proto.tcp.port));
 		if (range->max_proto.tcp.port != range->min_proto.tcp.port)
 			printf("-%hu", ntohs(range->max_proto.tcp.port));