authorThierry Du Tre <>2018-01-16 13:44:37 +0100
committerPablo Neira Ayuso <>2018-01-16 16:17:30 +0100
commit88fa4543f8085e52606c776d47e4420896dd561b (patch)
treee6db0980042ed5ffbc26c1ef4d1abde7b5e93896 /extensions/libip6t_DNAT.c
parent64a0e09894e528d7920900028abee0afd601f9a1 (diff)
extensions: ip6t_{S,D}NAT: multiple to-dst/to-src arguments not reported
This patch fixes the detection of multiple '--to-destination' in a DNAT rule and '--to-source' in a SNAT rule for IPv6. Currently, when multiple values are defined for these, only the last one is used and the others are silently ignored. The checks for (cb->xflags & F_X_TO_[DEST/SRC]) always fail because the flags are never set beforehand. It seems to be a copy-paste artefact from the introduction of the IPv6 DNAT/SNAT extensions based on the IPv4 code. I also removed the kernel_version checks because they seem useless. The extensions for IPv6 DNAT/SNAT use xt_target with revision 1. That was only added in kernel version 3.7-rc1, and therefore the check for > v2.6.10 will always return true. The check probably also comes from the IPv4 copy-paste. Add tests to cover this too, including the IPv4 side. Signed-off-by: Thierry Du Tre <> Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'extensions/libip6t_DNAT.c')
1 files changed, 5 insertions, 7 deletions
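diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
index 08d920db..8e478b21 100644
--- a/extensions/libip6t_DNAT.c
+++ b/extensions/libip6t_DNAT.c
@@ -163,13 +163,11 @@ static void DNAT_parse(struct xt_option_call *cb)
 switch (cb->entry->id) {
 case O_TO_DEST:
 if (cb->xflags & F_X_TO_DEST) {
- if (!kernel_version)
- get_kernel_version();
- if (kernel_version > LINUX_VERSION(2, 6, 10))
- xtables_error(PARAMETER_PROBLEM,
- "DNAT: Multiple --to-destination not supported");
+ xtables_error(PARAMETER_PROBLEM,
+ "DNAT: Multiple --to-destination not supported");
 parse_to(cb->arg, portok, range);
+ cb->xflags |= F_X_TO_DEST;
 range->flags |= NF_NAT_RANGE_PERSISTENT;
@@ -281,7 +279,7 @@ static int DNAT_xlate(struct xt_xlate *xl,
 return 1;
-static struct xtables_target snat_tg_reg = {
+static struct xtables_target dnat_tg_reg = {
 .name = "DNAT",
 .family = NFPROTO_IPV6,
@@ -299,5 +297,5 @@ static struct xtables_target snat_tg_reg = {
 void _init(void)
- xtables_register_target(&snat_tg_reg);
+ xtables_register_target(&dnat_tg_reg);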
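Review bot: In the DNAT_parse hunk the new duplicate check now depends on `cb->xflags` being maintained by hand — the `F_X_TO_DEST` bit is set right after `parse_to()` — but nothing in the hunk says why the option framework's own once-only handling is not relied on, so the next copy-paste can drop that line again exactly as the original did. Presumably the `--to-destination` entry in this file's option table carries `XTOPT_MULTI` so that libxtables does not reject a repeat itself; if so, a one-line comment above the assignment would pin the invariant, e.g. `/* set by hand: the option entry allows repeats, so duplicates are caught here */`. Since a repeat is now unconditionally an error, it is also worth confirming whether that multi-use flag is still needed at all, which would let libxtables report the duplicate without this bookkeeping. DNAT_parse's switch continues outside the hunk, and the matching libip6t_SNAT.c change named in the title is not part of this section.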