diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-10-08 10:50:39 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-12-30 23:50:51 +0100 |
commit | 4b7a4afaa240e5d2039e612e125b045d5d1cb7fa (patch) | |
tree | 21f637d3047580ea76617af38e6fad82c9d7a5c0 /iptables/xtables.c | |
parent | e8cbd65dcef62333b5e461cb264c844065b33e9a (diff) |
xtables: fix missing ipt_entry for MASQUERADE target
The MASQUERADE target relies on the ipt_entry information that is
set in ->post_parse, which is too late.
Add a new hook called ->pre_parse, that sets the protocol
information accordingly.
Thus:
xtables -4 -A POSTROUTING -t nat -p tcp \
-j MASQUERADE --to-ports 1024
works again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/xtables.c')
-rw-r--r-- | iptables/xtables.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/iptables/xtables.c b/iptables/xtables.c index 279b77bf..c49b4a2f 100644 --- a/iptables/xtables.c +++ b/iptables/xtables.c @@ -715,6 +715,11 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table) demand-load a protocol. */ opterr = 0; + /* Default on AF_INET */ + h->ops = nft_family_ops_lookup(AF_INET); + if (h->ops == NULL) + xtables_error(PARAMETER_PROBLEM, "Unknown family"); + opts = xt_params->orig_opts; while ((cs.c = getopt_long(argc, argv, "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:46", @@ -894,6 +899,9 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table) if (args.proto == 0 && (args.invflags & XT_INV_PROTO)) xtables_error(PARAMETER_PROBLEM, "rule would never match protocol"); + + /* This needs to happen here to parse extensions */ + h->ops->proto_parse(&cs, &args); break; case 's': @@ -1033,11 +1041,18 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table) case '4': if (args.family != AF_INET) exit_tryhelp(2); + + h->ops = nft_family_ops_lookup(args.family); break; case '6': args.family = AF_INET6; xtables_set_nfproto(AF_INET6); + + h->ops = nft_family_ops_lookup(args.family); + if (h->ops == NULL) + xtables_error(PARAMETER_PROBLEM, + "Unknown family"); break; case 1: /* non option */ @@ -1089,10 +1104,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table) if (h->family == AF_UNSPEC) h->family = args.family; - h->ops = nft_family_ops_lookup(h->family); - if (h->ops == NULL) - xtables_error(PARAMETER_PROBLEM, "Unknown family"); - h->ops->post_parse(command, &cs, &args); if (command == CMD_REPLACE && |