author | Florian Westphal <fw@strlen.de> | 2018-05-10 21:47:30 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-05-11 20:54:45 +0200 |
commit | bb436ceb489c77c81074b3460ff11b62e8704695 (patch) | |
tree | fd12753b79d7ff5827406aa2b575162f85b34d7d | |
parent | 6454d7dc89f83920cd08606fdff43358c7e64a53 (diff) |
xtables-compat: ip6table-save: fix save of ip6 address masks
ip6tables-save didn't include the masks.
Furthermore, mask decoding used the ipv4 struct, which caused it to write
into parts of the ipv6 saddr.
Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r-- | extensions/libip6t_frag.t | 2 | ||||
-rw-r--r-- | iptables/nft-ipv6.c | 22 |
2 files changed, 17 insertions, 7 deletions
diff --git a/extensions/libip6t_frag.t b/extensions/libip6t_frag.t
index dab49894..299fa03f 100644
--- a/extensions/libip6t_frag.t
+++ b/extensions/libip6t_frag.t
@@ -9,3 +9,5 @@
 -m frag --fragfirst --fragmore;=;OK
 -m frag --fragfirst --fraglast;=;OK
 -m frag --fraglast --fragmore;;FAIL
+-d ff02::fb/128 -p udp -m udp --dport 5353 -m frag --fragmore;=;OK
+-d fe80::/64 -p udp --dport 546 -m frag --fraglast;-d fe80::/64 -p udp -m udp --dport 546 -m frag --fraglast;OK
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 10c81d95..79c02e44 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -141,7 +141,7 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
 			parse_mask_ipv6(ctx, &cs->fw6.ipv6.smsk);
 			ctx->flags &= ~NFT_XT_CTX_BITWISE;
 		} else {
-			memset(&cs->fw.ip.smsk, 0xff, sizeof(struct in6_addr));
+			memset(&cs->fw6.ipv6.smsk, 0xff, sizeof(struct in6_addr));
 		}
 
 		if (inv)
@@ -154,7 +154,7 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
 			parse_mask_ipv6(ctx, &cs->fw6.ipv6.dmsk);
 			ctx->flags &= ~NFT_XT_CTX_BITWISE;
 		} else {
-			memset(&cs->fw.ip.dmsk, 0xff, sizeof(struct in6_addr));
+			memset(&cs->fw6.ipv6.dmsk, 0xff, sizeof(struct in6_addr));
 		}
 
 		if (inv)
@@ -257,24 +257,32 @@ static void nft_ipv6_print_firewall(struct nftnl_rule *r, unsigned int num,
 }
 
 static void save_ipv6_addr(char letter, const struct in6_addr *addr,
+			   const struct in6_addr *mask,
 			   int invert)
 {
 	char addr_str[INET6_ADDRSTRLEN];
+	int l = xtables_ip6mask_to_cidr(mask);
 
-	if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr))
+	if (!invert && l == 0)
 		return;
 
-	inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN);
-	printf("%s-%c %s ", invert ? "! " : "", letter, addr_str);
+	printf("%s-%c %s",
+	       invert ? " !" : "", letter,
+	       inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str)));
+
+	if (l == -1)
+		printf("/%s ", inet_ntop(AF_INET6, mask, addr_str, sizeof(addr_str)));
+	else
+		printf("/%d ", l);
 }
 
 static void nft_ipv6_save_firewall(const void *data, unsigned int format)
 {
 	const struct iptables_command_state *cs = data;
 
-	save_ipv6_addr('s', &cs->fw6.ipv6.src,
+	save_ipv6_addr('s', &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk,
 		       cs->fw6.ipv6.invflags & IP6T_INV_SRCIP);
-	save_ipv6_addr('d', &cs->fw6.ipv6.dst,
+	save_ipv6_addr('d', &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk,
 		       cs->fw6.ipv6.invflags & IP6T_INV_DSTIP);
 
 	save_firewall_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto,
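Review bot: The inverted form printed by the new printf in save_ipv6_addr comes out as `!-s` rather than `! -s`: the format `"%s-%c %s"` places the `-` directly after the prefix, and the prefix was changed from `"! "` to `" !"`, so the space now sits before the bang instead of between it and the option. ip6tables-restore expects `!` as its own argv token, so an inverted `-s`/`-d` in save output would not round-trip unless something outside this hunk rewrites it; keeping the old prefix, `invert ? "! " : "", letter,`, fixes this while leaving the new mask-printing branches intact. The libip6t_frag.t additions cover only non-inverted addresses, so a line such as `! -s fe80::/64 -m frag --fraglast;=;OK` would have caught the regression. The reuse of addr_str for the `l == -1` branch is safe, since the first inet_ntop result has already been consumed by the preceding printf.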