authorFlorian Westphal <fw@strlen.de>2018-05-10 21:47:30 +0200
committerFlorian Westphal <fw@strlen.de>2018-05-11 20:54:45 +0200
commitbb436ceb489c77c81074b3460ff11b62e8704695 (patch)
treefd12753b79d7ff5827406aa2b575162f85b34d7d
parent6454d7dc89f83920cd08606fdff43358c7e64a53 (diff)
xtables-compat: ip6table-save: fix save of ip6 address masks
ip6tables-save didn't include the masks. Furthermore, mask decoding used the ipv4 struct, which caused it to write into parts of the ipv6 saddr. Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r--extensions/libip6t_frag.t2
-rw-r--r--iptables/nft-ipv6.c22
2 files changed, 17 insertions, 7 deletions
diff --git a/extensions/libip6t_frag.t b/extensions/libip6t_frag.t
index dab49894..299fa03f 100644
--- a/extensions/libip6t_frag.t
+++ b/extensions/libip6t_frag.t
@@ -9,3 +9,5 @@
-m frag --fragfirst --fragmore;=;OK
-m frag --fragfirst --fraglast;=;OK
-m frag --fraglast --fragmore;;FAIL
+-d ff02::fb/128 -p udp -m udp --dport 5353 -m frag --fragmore;=;OK
+-d fe80::/64 -p udp --dport 546 -m frag --fraglast;-d fe80::/64 -p udp -m udp --dport 546 -m frag --fraglast;OK
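Review bot: Both new cases only exercise a destination address with a prefix-length mask, while the commit also changes how the source mask is parsed and saved and adds a separate branch for masks that are not a clean prefix. A `-s fe80::/64 -m frag --fragfirst;=;OK` line would cover the smsk path, and an inverted case such as `! -d ff02::fb/128 -m frag --fragmore;=;OK` would show that the save output round-trips through the restore parser. If the `.t` syntax accepts a mask written in address form (presumably it does, as on the command line), a case like `-d 2001:db8::/ffff:ffff::;...;OK` would also pin the non-CIDR branch, which otherwise has no test here.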
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 10c81d95..79c02e44 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -141,7 +141,7 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
parse_mask_ipv6(ctx, &cs->fw6.ipv6.smsk);
ctx->flags &= ~NFT_XT_CTX_BITWISE;
} else {
- memset(&cs->fw.ip.smsk, 0xff, sizeof(struct in6_addr));
+ memset(&cs->fw6.ipv6.smsk, 0xff, sizeof(struct in6_addr));
}
if (inv)
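Review bot: The corrected memset still spells the length as `sizeof(struct in6_addr)` rather than deriving it from the object it writes, which is exactly how the original `fw.ip.smsk` (a 4-byte in_addr) came to be filled with 16 bytes without any warning; `memset(&cs->fw6.ipv6.smsk, 0xff, sizeof(cs->fw6.ipv6.smsk));` ties the size to the destination so a future type mix-up cannot overrun neighbouring fields silently. The same applies to the dmsk memset in the following hunk. The enclosing nft_ipv6_parse_payload() starts before this hunk and continues after it, so whether the BITWISE branch above leaves smsk in a well-defined state on every path cannot be checked from here.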
@@ -154,7 +154,7 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
parse_mask_ipv6(ctx, &cs->fw6.ipv6.dmsk);
ctx->flags &= ~NFT_XT_CTX_BITWISE;
} else {
- memset(&cs->fw.ip.dmsk, 0xff, sizeof(struct in6_addr));
+ memset(&cs->fw6.ipv6.dmsk, 0xff, sizeof(struct in6_addr));
}
if (inv)
@@ -257,24 +257,32 @@ static void nft_ipv6_print_firewall(struct nftnl_rule *r, unsigned int num,
}
static void save_ipv6_addr(char letter, const struct in6_addr *addr,
+ const struct in6_addr *mask,
int invert)
{
char addr_str[INET6_ADDRSTRLEN];
+ int l = xtables_ip6mask_to_cidr(mask);
- if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr))
+ if (!invert && l == 0)
return;
- inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN);
- printf("%s-%c %s ", invert ? "! " : "", letter, addr_str);
+ printf("%s-%c %s",
+ invert ? " !" : "", letter,
+ inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str)));
+
+ if (l == -1)
+ printf("/%s ", inet_ntop(AF_INET6, mask, addr_str, sizeof(addr_str)));
+ else
+ printf("/%d ", l);
}
static void nft_ipv6_save_firewall(const void *data, unsigned int format)
{
const struct iptables_command_state *cs = data;
- save_ipv6_addr('s', &cs->fw6.ipv6.src,
+ save_ipv6_addr('s', &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk,
cs->fw6.ipv6.invflags & IP6T_INV_SRCIP);
- save_ipv6_addr('d', &cs->fw6.ipv6.dst,
+ save_ipv6_addr('d', &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk,
cs->fw6.ipv6.invflags & IP6T_INV_DSTIP);
save_firewall_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto,