extensions: ip6t_{S,D}NAT: multiple to-dst/to-src arguments not reported

This patch is fixing the detection of multiple '--to-destination' in a
DNAT rule and '--to-source' in SNAT rule for IPv6.  Currently, when
defining multiple values for these, only the last will be used and
others ignored silently.

The checks for (cb->xflags & F_X_TO_[DEST/SRC]) always fails because the
flags are never set before.  It seems to be a copy-paste artefact since
introduction of the IPv6 DNAT/SNAT extensions based on IPv4 code.

I also removed the kernel_version checks because they seem useless.
Extensions for IPv6 DNAT/SNAT are using xt_target with revision 1.  That
seems only added since kernel version 3.7-rc1 and therefore the check
for > v2.6.10 will always return true.  The check is probably also
coming from the IPv4 copy-paste.

Add tests to cover this too, including the IPv4 side.

Signed-off-by: Thierry Du Tre <thierry@dtsystems.be>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
index 08d920db0513b5aa408529c87bc414b35759ee74..8e478b215ef942ff7de9c90fca11e3256548667f 100644 (file)
--- a/extensions/libip6t_DNAT.c
+++ b/extensions/libip6t_DNAT.c
@@ -163,13 +163,11 @@ static void DNAT_parse(struct xt_option_call *cb)
        switch (cb->entry->id) {
        case O_TO_DEST:
                if (cb->xflags & F_X_TO_DEST) {
-                       if (!kernel_version)
-                               get_kernel_version();
-                       if (kernel_version > LINUX_VERSION(2, 6, 10))
-                               xtables_error(PARAMETER_PROBLEM,
-                                          "DNAT: Multiple --to-destination not supported");
+                       xtables_error(PARAMETER_PROBLEM,
+                                     "DNAT: Multiple --to-destination not supported");
                }
                parse_to(cb->arg, portok, range);
+               cb->xflags |= F_X_TO_DEST;
                break;
        case O_PERSISTENT:
                range->flags |= NF_NAT_RANGE_PERSISTENT;
@@ -281,7 +279,7 @@ static int DNAT_xlate(struct xt_xlate *xl,
        return 1;
 }
 
-static struct xtables_target snat_tg_reg = {
+static struct xtables_target dnat_tg_reg = {
        .name           = "DNAT",
        .version        = XTABLES_VERSION,
        .family         = NFPROTO_IPV6,
@@ -299,5 +297,5 @@ static struct xtables_target snat_tg_reg = {
 
 void _init(void)
 {
-       xtables_register_target(&snat_tg_reg);
+       xtables_register_target(&dnat_tg_reg);
 }

diff --git a/extensions/libip6t_DNAT.t b/extensions/libip6t_DNAT.t
index 3141c2994d5cac3e03d9e5310d65926c2dedbb8c..0ba96bfbd99878b3ddd8e53e93ff622780939f6a 100644 (file)
--- a/extensions/libip6t_DNAT.t
+++ b/extensions/libip6t_DNAT.t
@@ -2,7 +2,9 @@
 *nat
 -j DNAT --to-destination dead::beef;=;OK
 -j DNAT --to-destination dead::beef-dead::fee7;=;OK
+-j DNAT --to-destination [dead::beef]:1025-65535;;FAIL
 -p tcp -j DNAT --to-destination [dead::beef]:1025-65535;=;OK
 -p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1025-65535;=;OK
 -p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1025-65536;;FAIL
+-p tcp -j DNAT --to-destination [dead::beef-dead::fee7]:1025-65535 --to-destination [dead::beef-dead::fee8]:1025-65535;;FAIL
 -j DNAT;;FAIL

diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
index 671ac61a93bf13876ccf248cde08e8d6959b074a..7d74b3d76a93c159814eedbcf296c4c5d896ea6f 100644 (file)
--- a/extensions/libip6t_SNAT.c
+++ b/extensions/libip6t_SNAT.c
@@ -166,13 +166,11 @@ static void SNAT_parse(struct xt_option_call *cb)
        switch (cb->entry->id) {
        case O_TO_SRC:
                if (cb->xflags & F_X_TO_SRC) {
-                       if (!kernel_version)
-                               get_kernel_version();
-                       if (kernel_version > LINUX_VERSION(2, 6, 10))
-                               xtables_error(PARAMETER_PROBLEM,
-                                          "SNAT: Multiple --to-source not supported");
+                       xtables_error(PARAMETER_PROBLEM,
+                                     "SNAT: Multiple --to-source not supported");
                }
                parse_to(cb->arg, portok, range);
+               cb->xflags |= F_X_TO_SRC;
                break;
        case O_PERSISTENT:
                range->flags |= NF_NAT_RANGE_PERSISTENT;

diff --git a/extensions/libip6t_SNAT.t b/extensions/libip6t_SNAT.t
index bb080497c0930fdefc9297f0111fb47fb39a8d5b..0f14894dd81108dc6ba6f30ffa81591f95403f68 100644 (file)
--- a/extensions/libip6t_SNAT.t
+++ b/extensions/libip6t_SNAT.t
@@ -2,7 +2,9 @@
 *nat
 -j SNAT --to-source dead::beef;=;OK
 -j SNAT --to-source dead::beef-dead::fee7;=;OK
+-j SNAT --to-source [dead::beef]:1025-65535;;FAIL
 -p tcp -j SNAT --to-source [dead::beef]:1025-65535;=;OK
 -p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535;=;OK
 -p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65536;;FAIL
+-p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535 --to-source [dead::beef-dead::fee8]:1025-65535;;FAIL
 -j SNAT;;FAIL

diff --git a/extensions/libipt_DNAT.t b/extensions/libipt_DNAT.t
index e3fd5632439bb861b8c2b356cb04aae9de38f460..a7a45e9e18599a7fb379b5800210e9ea455262d3 100644 (file)
--- a/extensions/libipt_DNAT.t
+++ b/extensions/libipt_DNAT.t
@@ -2,7 +2,9 @@
 *nat
 -j DNAT --to-destination 1.1.1.1;=;OK
 -j DNAT --to-destination 1.1.1.1-1.1.1.10;=;OK
+-j DNAT --to-destination 1.1.1.1:1025-65535;;FAIL
 -p tcp -j DNAT --to-destination 1.1.1.1:1025-65535;=;OK
 -p tcp -j DNAT --to-destination 1.1.1.1-1.1.1.10:1025-65535;=;OK
 -p tcp -j DNAT --to-destination 1.1.1.1-1.1.1.10:1025-65536;;FAIL
+-p tcp -j DNAT --to-destination 1.1.1.1-1.1.1.10:1025-65535 --to-destination 2.2.2.2-2.2.2.20:1025-65535;;FAIL
 -j DNAT;;FAIL

diff --git a/extensions/libipt_SNAT.t b/extensions/libipt_SNAT.t
index 73071bb0559b9a91998a334b8687d6d9da4f00a5..34c582259b692170c069ecbde7dda8c83eca5463 100644 (file)
--- a/extensions/libipt_SNAT.t
+++ b/extensions/libipt_SNAT.t
@@ -2,7 +2,9 @@
 *nat
 -j SNAT --to-source 1.1.1.1;=;OK
 -j SNAT --to-source 1.1.1.1-1.1.1.10;=;OK
+-j SNAT --to-source 1.1.1.1:1025-65535;;FAIL
 -p tcp -j SNAT --to-source 1.1.1.1:1025-65535;=;OK
 -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535;=;OK
 -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65536;;FAIL
+-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535 --to-source 2.2.2.2-2.2.2.20:1025-65535;;FAIL
 -j SNAT;;FAIL