iptables: allow service names in [DS]NAT targets

Message ID	20130627155409.GA8638@gmail.com
State	Changes Requested
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> Date: Thu, 27 Jun 2013 11:54:09 -0400 From: Phil Oester <kernel@linuxace.com> To: netfilter-devel@vger.kernel.org Cc: pablo@netfilter.org Subject: [PATCH] iptables: allow service names in [DS]NAT targets Message-ID: <20130627155409.GA8638@gmail.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="cNdxnHkX5QqsyA0e" Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk

diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c index ff18799..e452cfc 100644 --- a/extensions/libipt_DNAT.c +++ b/extensions/libipt_DNAT.c @@ -67,7 +67,7 @@ static struct xt_entry_target * parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info) { struct nf_nat_ipv4_range range; - char *arg, *colon, *dash, *error; + char *arg, *colon, *dash; const struct in_addr *ip; arg = strdup(orig_arg); @@ -77,7 +77,8 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info) colon = strchr(arg, ':'); if (colon) { - int port; + char *end = ""; + unsigned int port, maxport; if (!portok) xtables_error(PARAMETER_PROBLEM, @@ -85,34 +86,29 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info) range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; - port = atoi(colon+1); - if (port <= 0 || port > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", colon+1); - - error = strchr(colon+1, ':'); - if (error) - xtables_error(PARAMETER_PROBLEM, - "Invalid port:port syntax - use dash\n"); + if (!xtables_strtoui(colon + 1, &end, &port, 0, UINT16_MAX) && + (port = xtables_service_to_port(colon + 1, NULL)) == (unsigned)-1) + xtables_param_act(XTF_BAD_VALUE, "DNAT", "--to", arg); - dash = strchr(colon, '-'); - if (!dash) { + switch (*end) { + case '\0': range.min.tcp.port = range.max.tcp.port = htons(port); - } else { - int maxport; + break; + case '-': + if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX) && + (maxport = xtables_service_to_port(end + 1, NULL)) == (unsigned)-1) + xtables_param_act(XTF_BAD_VALUE, "DNAT", "--to", arg); - maxport = atoi(dash + 1); - if (maxport <= 0 || maxport > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", dash+1); if (maxport < port) - /* People are stupid. */ - xtables_error(PARAMETER_PROBLEM, - "Port range `%s' funky\n", colon+1); + xtables_param_act(XTF_BAD_VALUE, "DNAT", "--to", arg); + range.min.tcp.port = htons(port); range.max.tcp.port = htons(maxport); + break; + default: + xtables_param_act(XTF_BAD_VALUE, "DNAT", "--to", arg); } /* Starts with a colon? No IP info...*/ if (colon == arg) { diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c index 1a24f3d..01be677 100644 --- a/extensions/libipt_SNAT.c +++ b/extensions/libipt_SNAT.c @@ -67,7 +67,7 @@ static struct xt_entry_target * parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info) { struct nf_nat_ipv4_range range; - char *arg, *colon, *dash, *error; + char *arg, *colon, *dash; const struct in_addr *ip; arg = strdup(orig_arg); @@ -77,7 +77,8 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info) colon = strchr(arg, ':'); if (colon) { - int port; + char *end = ""; + unsigned int port, maxport; if (!portok) xtables_error(PARAMETER_PROBLEM, @@ -85,34 +86,29 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info) range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; - port = atoi(colon+1); - if (port <= 0 || port > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", colon+1); - - error = strchr(colon+1, ':'); - if (error) - xtables_error(PARAMETER_PROBLEM, - "Invalid port:port syntax - use dash\n"); + if (!xtables_strtoui(colon + 1, &end, &port, 0, UINT16_MAX) && + (port = xtables_service_to_port(colon + 1, NULL)) == (unsigned)-1) + xtables_param_act(XTF_BAD_VALUE, "SNAT", "--to", arg); - dash = strchr(colon, '-'); - if (!dash) { + switch (*end) { + case '\0': range.min.tcp.port = range.max.tcp.port = htons(port); - } else { - int maxport; + break; + case '-': + if (!xtables_strtoui(end + 1, NULL, &maxport, 0, UINT16_MAX) && + (maxport = xtables_service_to_port(end + 1, NULL)) == (unsigned)-1) + xtables_param_act(XTF_BAD_VALUE, "SNAT", "--to", arg); - maxport = atoi(dash + 1); - if (maxport <= 0 || maxport > 65535) - xtables_error(PARAMETER_PROBLEM, - "Port `%s' not valid\n", dash+1); if (maxport < port) - /* People are stupid. */ - xtables_error(PARAMETER_PROBLEM, - "Port range `%s' funky\n", colon+1); + xtables_param_act(XTF_BAD_VALUE, "SNAT", "--to", arg); + range.min.tcp.port = htons(port); range.max.tcp.port = htons(maxport); + break; + default: + xtables_param_act(XTF_BAD_VALUE, "SNAT", "--to", arg); } /* Starts with a colon? No IP info...*/ if (colon == arg) {

iptables: allow service names in [DS]NAT targets

Commit Message

Comments

Patch