diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-10-08 10:50:39 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-12-30 23:50:51 +0100 |
commit | 4b7a4afaa240e5d2039e612e125b045d5d1cb7fa (patch) | |
tree | 21f637d3047580ea76617af38e6fad82c9d7a5c0 /iptables/nft-ipv4.c | |
parent | e8cbd65dcef62333b5e461cb264c844065b33e9a (diff) |
xtables: fix missing ipt_entry for MASQUERADE target
The MASQUERADE target relies on the ipt_entry information that is
set in ->post_parse, which is too late.
Add a new hook called ->pre_parse, that sets the protocol
information accordingly.
Thus:
xtables -4 -A POSTROUTING -t nat -p tcp \
-j MASQUERADE --to-ports 1024
works again.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft-ipv4.c')
-rw-r--r-- | iptables/nft-ipv4.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index 3be801d3..2ac823fc 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -331,12 +331,17 @@ static uint8_t nft_ipv4_save_firewall(const struct iptables_command_state *cs, return cs->fw.ip.flags; } +static void nft_ipv4_proto_parse(struct iptables_command_state *cs, + struct xtables_args *args) +{ + cs->fw.ip.proto = args->proto; + cs->fw.ip.invflags = args->invflags; +} + static void nft_ipv4_post_parse(int command, struct iptables_command_state *cs, struct xtables_args *args) { - cs->fw.ip.proto = args->proto; - cs->fw.ip.invflags = args->invflags; cs->fw.ip.flags = args->flags; strncpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ); @@ -400,6 +405,7 @@ struct nft_family_ops nft_family_ops_ipv4 = { .parse_immediate = nft_ipv4_parse_immediate, .print_firewall = nft_ipv4_print_firewall, .save_firewall = nft_ipv4_save_firewall, + .proto_parse = nft_ipv4_proto_parse, .post_parse = nft_ipv4_post_parse, .parse_target = nft_ipv4_parse_target, .rule_find = nft_ipv4_rule_find, |