diff options
| author | Thierry Du Tre <thierry@dtsystems.be> | 2018-01-16 13:44:37 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-01-16 16:17:30 +0100 |
| commit | 88fa4543f8085e52606c776d47e4420896dd561b (patch) | |
| tree | e6db0980042ed5ffbc26c1ef4d1abde7b5e93896 /extensions/libip6t_DNAT.c | |
| parent | 64a0e09894e528d7920900028abee0afd601f9a1 (diff) | |
extensions: ip6t_{S,D}NAT: multiple to-dst/to-src arguments not reported
This patch is fixing the detection of multiple '--to-destination' in a
DNAT rule and '--to-source' in SNAT rule for IPv6. Currently, when
defining multiple values for these, only the last will be used and
others ignored silently.
The checks for (cb->xflags & F_X_TO_[DEST/SRC]) always fails because the
flags are never set before. It seems to be a copy-paste artefact since
introduction of the IPv6 DNAT/SNAT extensions based on IPv4 code.
I also removed the kernel_version checks because they seem useless.
Extensions for IPv6 DNAT/SNAT are using xt_target with revision 1. That
seems only added since kernel version 3.7-rc1 and therefore the check
for > v2.6.10 will always return true. The check is probably also
coming from the IPv4 copy-paste.
Add tests to cover this too, including the IPv4 side.
Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions/libip6t_DNAT.c')
| -rw-r--r-- | extensions/libip6t_DNAT.c | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c index 08d920db..8e478b21 100644 --- a/extensions/libip6t_DNAT.c +++ b/extensions/libip6t_DNAT.c @@ -163,13 +163,11 @@ static void DNAT_parse(struct xt_option_call *cb) switch (cb->entry->id) { case O_TO_DEST: if (cb->xflags & F_X_TO_DEST) { - if (!kernel_version) - get_kernel_version(); - if (kernel_version > LINUX_VERSION(2, 6, 10)) - xtables_error(PARAMETER_PROBLEM, - "DNAT: Multiple --to-destination not supported"); + xtables_error(PARAMETER_PROBLEM, + "DNAT: Multiple --to-destination not supported"); } parse_to(cb->arg, portok, range); + cb->xflags |= F_X_TO_DEST; break; case O_PERSISTENT: range->flags |= NF_NAT_RANGE_PERSISTENT; @@ -281,7 +279,7 @@ static int DNAT_xlate(struct xt_xlate *xl, return 1; } -static struct xtables_target snat_tg_reg = { +static struct xtables_target dnat_tg_reg = { .name = "DNAT", .version = XTABLES_VERSION, .family = NFPROTO_IPV6, @@ -299,5 +297,5 @@ static struct xtables_target snat_tg_reg = { void _init(void) { - xtables_register_target(&snat_tg_reg); + xtables_register_target(&dnat_tg_reg); } |