src: Add support for IPv6 NAT
authorEric Leblond <eric@regit.org>
Sun, 29 Sep 2013 09:53:29 +0000 (11:53 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 30 Sep 2013 10:51:48 +0000 (12:51 +0200)
This patch adds support for IPv6 NAT. It adds IPv6 support in
evaluation and in delinearization which were the only missing parts.

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c
src/netlink_delinearize.c

index 29fa32bd4aabf841af639d0372b07dd4f1a22722..94fee64b2b149d3b584e25507a8b1ddcb64b3f04 100644 (file)
@@ -1121,8 +1121,12 @@ static int stmt_evaluate_nat(struct eval_ctx *ctx, struct stmt *stmt)
        int err;
 
        if (stmt->nat.addr != NULL) {
-               expr_set_context(&ctx->ectx, &ipaddr_type,
-                                4 * BITS_PER_BYTE);
+               if (pctx && (pctx->family == AF_INET))
+                       expr_set_context(&ctx->ectx, &ipaddr_type,
+                                       4 * BITS_PER_BYTE);
+               else
+                       expr_set_context(&ctx->ectx, &ip6addr_type,
+                                        16 * BITS_PER_BYTE);
                err = expr_evaluate(ctx, &stmt->nat.addr);
                if (err < 0)
                        return err;
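Review bot: The new `else` branch selects `ip6addr_type` for every case that is not AF_INET, including a NULL `pctx` and any family other than IPv6, so a NAT address in such a context is evaluated as a 128-bit IPv6 address where the old code always used the IPv4 type. For rule evaluation it is safer to fail closed: make the second branch `else if (pctx && pctx->family == AF_INET6)` and add a final `else` that returns an evaluation error for the unsupported family. `pctx` is declared outside the hunk, so these lines cannot confirm whether it can be NULL here; if it cannot, the `pctx &&` test is dead and should be dropped. The body of stmt_evaluate_nat continues outside the hunk.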
index 4aacbbde74315c6671b094957cd01a94a8c677c1..d80fc78d35e8671df1f2866b4919f6b6abc25ac2 100644 (file)
@@ -21,6 +21,7 @@
 #include <gmputil.h>
 #include <utils.h>
 #include <erec.h>
+#include <sys/socket.h>
 
 struct netlink_parse_ctx {
        struct list_head        *msgs;
@@ -406,10 +407,13 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
        struct stmt *stmt;
        struct expr *addr, *proto;
        enum nft_registers reg1, reg2;
+       int family;
 
        stmt = nat_stmt_alloc(loc);
        stmt->nat.type = nft_rule_expr_get_u32(nle, NFT_EXPR_NAT_TYPE);
 
+       family = nft_rule_expr_get_u32(nle, NFT_EXPR_NAT_FAMILY);
+
        reg1 = nft_rule_expr_get_u32(nle, NFT_EXPR_NAT_REG_ADDR_MIN);
        if (reg1) {
                addr = netlink_get_register(ctx, loc, reg1);
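Review bot: `family` is read from NFT_EXPR_NAT_FAMILY and used unchecked, and the two `expr_set_type` if/else branches in the later hunks of netlink_parse_nat treat every value other than AF_INET as IPv6. If the attribute is absent or carries an unexpected value (presumably read back as 0, to be confirmed against the getter), an IPv4 NAT rule could be listed with the IPv6 address type, which misrepresents the installed ruleset to anyone auditing it. Validate once right after the read with `if (family != AF_INET && family != AF_INET6)` and report the failure the same way the "NAT statement has no address expression" case does. Choosing the address datatype once at that point would also remove the if/else that is duplicated in both later hunks.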
@@ -418,7 +422,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
                                             "NAT statement has no address "
                                             "expression");
 
-               expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
+               if (family == AF_INET)
+                       expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
+               else
+                       expr_set_type(addr, &ip6addr_type,
+                                     BYTEORDER_BIG_ENDIAN);
                stmt->nat.addr = addr;
        }
 
@@ -430,7 +438,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
                                             "NAT statement has no address "
                                             "expression");
 
-               expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
+               if (family == AF_INET)
+                       expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
+               else
+                       expr_set_type(addr, &ip6addr_type,
+                                     BYTEORDER_BIG_ENDIAN);
                if (stmt->nat.addr != NULL)
                        addr = range_expr_alloc(loc, stmt->nat.addr, addr);
                stmt->nat.addr = addr;