Kernels higher than 2.6.10 don't support multiple --to arguments in

DNAT and SNAT targets.  At present, the error is somewhat vague:

# iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5
iptables: Invalid argument

But if we want current iptables to work with kernels <= 2.6.10, we
cannot simply disallow this in all cases.

So the below patch adds kernel version checking to iptables, and
utilizes it in [DS]NAT.  Now, users will see a more informative error:

# iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5
iptables v1.3.3: Multiple --to-source not supported

This generic infrastructure (shamelessly lifted from procps btw) may
come in handy in the future for other changes.

This fixes bugzilla #367. (Phil Oester)

2 files changed, 14 insertions, 0 deletions

diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 3b0d146..bdc15eb 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -155,6 +155,13 @@ parse(int c, char **argv, int invert, unsigned int *flags,
 			exit_error(PARAMETER_PROBLEM,
 				   "Unexpected `!' after --to-destination");
 
+		if (*flags) {
+			if (!kernel_version)
+				get_kernel_version();
+			if (kernel_version > LINUX_VERSION(2, 6, 10))
+				exit_error(PARAMETER_PROBLEM,
+					   "Multiple --to-destination not supported");
+		}
 		*target = parse_to(optarg, portok, info);
 		*flags = 1;
 		return 1;
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 7460760..867c9d0 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -155,6 +155,13 @@ parse(int c, char **argv, int invert, unsigned int *flags,
 			exit_error(PARAMETER_PROBLEM,
 				   "Unexpected `!' after --to-source");
 
+		if (*flags) {
+			if (!kernel_version)
+				get_kernel_version();
+			if (kernel_version > LINUX_VERSION(2, 6, 10))
+				exit_error(PARAMETER_PROBLEM,
+					   "Multiple --to-source not supported");
+		}
 		*target = parse_to(optarg, portok, info);
 		*flags = 1;
 		return 1;