xtables-compat: ip6table-save: fix save of ip6 address masks
authorFlorian Westphal <fw@strlen.de>
Thu, 10 May 2018 19:47:30 +0000 (21:47 +0200)
committerFlorian Westphal <fw@strlen.de>
Fri, 11 May 2018 18:54:45 +0000 (20:54 +0200)
ip6tables-save didn't include the masks.
Furthermore, mask decoding used the ipv4 struct which caused it to write
into parts of ipv6 saddr.

Signed-off-by: Florian Westphal <fw@strlen.de>
extensions/libip6t_frag.t
iptables/nft-ipv6.c

index dab498949f3ce79c6ec28870bd707b55a72a8608..299fa03f8845bd66c99ab20e0d6d483cb2f90dc8 100644 (file)
@@ -9,3 +9,5 @@
 -m frag --fragfirst --fragmore;=;OK
 -m frag --fragfirst --fraglast;=;OK
 -m frag --fraglast --fragmore;;FAIL
+-d ff02::fb/128 -p udp -m udp --dport 5353 -m frag --fragmore;=;OK
+-d fe80::/64 -p udp --dport 546 -m frag --fraglast;-d fe80::/64 -p udp -m udp --dport 546 -m frag --fraglast;OK
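Review bot: Neither added case exercises an inverted address, so the `invert` path of save_ipv6_addr in iptables/nft-ipv6.c (the function this commit reworks) is not covered by this file. A third line in the same format, e.g. `! -d fe80::/64 -p udp -m udp --dport 546 -m frag --fraglast;=;OK`, would check that the inverted prefix and the appended mask are printed together in a form ip6tables-restore accepts.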
index 10c81d9549a2f50a6012991bcce6de25c7be222e..79c02e44122518325598bcc4eed3f8fff4d2b630 100644 (file)
@@ -141,7 +141,7 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
                        parse_mask_ipv6(ctx, &cs->fw6.ipv6.smsk);
                        ctx->flags &= ~NFT_XT_CTX_BITWISE;
                } else {
-                       memset(&cs->fw.ip.smsk, 0xff, sizeof(struct in6_addr));
+                       memset(&cs->fw6.ipv6.smsk, 0xff, sizeof(struct in6_addr));
                }
 
                if (inv)
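Review bot: The memset length on the new line is still `sizeof(struct in6_addr)` rather than the size of the object being written, which is the same shape of mismatch the removed line had — a 16-byte write into a field of a different struct, which the commit message notes clobbered parts of the IPv6 saddr. Tying the length to the destination, `memset(&cs->fw6.ipv6.smsk, 0xff, sizeof(cs->fw6.ipv6.smsk));`, turns a future field mix-up into an obviously wrong pair of operands instead of a silent overwrite of neighbouring fields. The dmsk memset in the following hunk has the same property. nft_ipv6_parse_payload begins and ends outside this hunk.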
@@ -154,7 +154,7 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
                        parse_mask_ipv6(ctx, &cs->fw6.ipv6.dmsk);
                        ctx->flags &= ~NFT_XT_CTX_BITWISE;
                } else {
-                       memset(&cs->fw.ip.dmsk, 0xff, sizeof(struct in6_addr));
+                       memset(&cs->fw6.ipv6.dmsk, 0xff, sizeof(struct in6_addr));
                }
 
                if (inv)
@@ -257,24 +257,32 @@ static void nft_ipv6_print_firewall(struct nftnl_rule *r, unsigned int num,
 }
 
 static void save_ipv6_addr(char letter, const struct in6_addr *addr,
+                          const struct in6_addr *mask,
                           int invert)
 {
        char addr_str[INET6_ADDRSTRLEN];
+       int l = xtables_ip6mask_to_cidr(mask);
 
-       if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr))
+       if (!invert && l == 0)
                return;
 
-       inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN);
-       printf("%s-%c %s ", invert ? "! " : "", letter, addr_str);
+       printf("%s-%c %s",
+               invert ? " !" : "", letter,
+               inet_ntop(AF_INET6, addr, addr_str, sizeof(addr_str)));
+
+       if (l == -1)
+               printf("/%s ", inet_ntop(AF_INET6, mask, addr_str, sizeof(addr_str)));
+       else
+               printf("/%d ", l);
 }
 
 static void nft_ipv6_save_firewall(const void *data, unsigned int format)
 {
        const struct iptables_command_state *cs = data;
 
-       save_ipv6_addr('s', &cs->fw6.ipv6.src,
+       save_ipv6_addr('s', &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk,
                       cs->fw6.ipv6.invflags & IP6T_INV_SRCIP);
-       save_ipv6_addr('d', &cs->fw6.ipv6.dst,
+       save_ipv6_addr('d', &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk,
                       cs->fw6.ipv6.invflags & IP6T_INV_DSTIP);
 
        save_firewall_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto,
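Review bot: The inverted prefix in the new printf is `" !"`, and because the format string continues with `-%c` immediately after it, an inverted match is written as `!-s addr/len` with no space between the bang and the option, whereas the removed line produced `! -s`; the literal should be `invert ? "! " : ""`. The remainder of the new output looks consistent: a mask is now always appended, as `/%d` for a contiguous prefix or as the full mask text when xtables_ip6mask_to_cidr returns -1, and reusing addr_str for the mask is safe because the first inet_ntop result has already been consumed by the preceding printf. The early return now keys on the mask being /0 rather than on the address being unspecified, which changes what is emitted for `-s ::/64` and for a non-zero address with a /0 mask; a one-line comment such as `/* a /0 mask matches everything, so print nothing unless inverted */` would record that this is intended.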