From 4b7a4afaa240e5d2039e612e125b045d5d1cb7fa Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 8 Oct 2013 10:50:39 +0200 Subject: xtables: fix missing ipt_entry for MASQUERADE target The MASQUERADE target relies on the ipt_entry information that is set in ->post_parse, which is too late. Add a new hook called ->pre_parse, that sets the protocol information accordingly. Thus: xtables -4 -A POSTROUTING -t nat -p tcp \ -j MASQUERADE --to-ports 1024 works again. Signed-off-by: Pablo Neira Ayuso --- iptables/nft-ipv6.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'iptables/nft-ipv6.c') diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index e3784a8b..b02d9526 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -243,15 +243,11 @@ static int is_exthdr(uint16_t proto) proto == IPPROTO_DSTOPTS); } -static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs, - struct xtables_args *args) +static void nft_ipv6_proto_parse(struct iptables_command_state *cs, + struct xtables_args *args) { - if (args->proto != 0) - args->flags |= IP6T_F_PROTO; - cs->fw6.ipv6.proto = args->proto; cs->fw6.ipv6.invflags = args->invflags; - cs->fw6.ipv6.flags = args->flags; if (is_exthdr(cs->fw6.ipv6.proto) && (cs->fw6.ipv6.invflags & XT_INV_PROTO) == 0) @@ -259,6 +255,15 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs, "Warning: never matched protocol: %s. " "use extension match instead.\n", cs->protocol); +} + +static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs, + struct xtables_args *args) +{ + if (args->proto != 0) + args->flags |= IP6T_F_PROTO; + + cs->fw6.ipv6.flags = args->flags; strncpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ); memcpy(cs->fw6.ipv6.iniface_mask, 
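Review bot: nft_ipv6_proto_parse has no comment saying why proto and invflags have to be copied ahead of post_parse, although that ordering is the only reason the function exists. I would add a short comment above it, for example `/* Called before target options are parsed so extensions can read ipv6.proto. */`. IP6T_F_PROTO is still set only in post_parse, so until then cs->fw6.ipv6.flags does not show that a protocol was given; whether any extension parser reads that flag is not visible here. The function's closing brace is added by the next hunk.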
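Review bot: After the split, nft_ipv6_post_parse no longer copies args->invflags into cs->fw6.ipv6.invflags; the only remaining assignment is the one in nft_ipv6_proto_parse. The caller is not shown, but the commit message suggests the hook runs when the protocol option is handled. If so, inversion bits for options parsed afterwards, or for rules with no protocol option at all, would never reach the rule, and a negated match could be installed as a plain one. Refreshing the field here avoids that: `cs->fw6.ipv6.invflags = args->invflags;` next to the flags assignment. The body of post_parse continues past the end of the hunk.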
@@ -323,6 +328,7 @@ struct nft_family_ops nft_family_ops_ipv6 = {
 .parse_immediate = nft_ipv6_parse_immediate,
 .print_firewall = nft_ipv6_print_firewall,
 .save_firewall = nft_ipv6_save_firewall,
+ .proto_parse = nft_ipv6_proto_parse,
 .post_parse = nft_ipv6_post_parse,
 .parse_target = nft_ipv6_parse_target,
 .rule_find = nft_ipv6_rule_find,
-- cgit v1.2.3
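Review bot: The commit message calls the new hook ->pre_parse, but the member registered here is `.proto_parse`; one of the two should be corrected so the log matches the code. This view is limited to nft-ipv6.c, so it is not visible whether every other nft_family_ops instance sets the member or whether the caller checks it for NULL before calling it. One of the two is needed to avoid a NULL function-pointer call for a family that lacks the hook. The initializer begins and ends outside the hunk.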