From d4bc5a38598b479b124973a821324ce867e87760 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Fri, 2 Nov 2018 10:47:25 +0100 Subject: iptables-nft: fix bogus handling of zero saddr/daddr rule for 0.0.0.0/8 is added as 0.0.0.0/0, because we did not check mask (or negation, for that matter). Fix this and add test cases too. This also revealed an ip6tables-nft-save bug, it would print ' !-d', not '! -d'. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1287 Signed-off-by: Florian Westphal --- iptables/nft-ipv6.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'iptables/nft-ipv6.c') diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index 1952164e..7bacee4a 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -47,13 +47,17 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data) add_l4proto(r, cs->fw6.ipv6.proto, op); } - if (!IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.src)) { + if (!IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.src) || + !IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.smsk) || + (cs->fw6.ipv6.invflags & IPT_INV_SRCIP)) { op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_SRCIP); add_addr(r, offsetof(struct ip6_hdr, ip6_src), &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk, sizeof(struct in6_addr), op); } - if (!IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.dst)) { + if (!IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.dst) || + !IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.dmsk) || + (cs->fw6.ipv6.invflags & IPT_INV_DSTIP)) { op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_DSTIP); add_addr(r, offsetof(struct ip6_hdr, ip6_dst), &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk, @@ -235,7 +239,7 @@ static void save_ipv6_addr(char letter, const struct in6_addr *addr, return; printf("%s-%c %s", - invert ? " !" : "", letter, + invert ? "! " : "", letter, inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str))); if (l == -1) -- cgit v1.2.3