extension: libip6t_DNAT: allow port DNAT without address

correct parsing of IPv6 port NAT without address NAT,
assume one colon as port information.

Allows:
* address only:
 -j DNAT --to affe::1
 -j DNAT --to [affe::1]

* port only
 -j DNAT --to :80
 -j DNAT --to :80-110
 -j DNAT --to []:80
 -j DNAT --to []:80-110

* address and port
 -j DNAT --to [affe::1]:80
 -j DNAT --to [affe::1]:80-110

Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
index a5969c362d663dda26b2dc66b530024583822b3f..1bba37e2a19c23621222e01f31469638efe69909 100644 (file)
--- a/extensions/libip6t_DNAT.c
+++ b/extensions/libip6t_DNAT.c
@@ -54,8 +54,13 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
                xtables_error(RESOURCE_PROBLEM, "strdup");
 
        start = strchr(arg, '[');
-       if (start == NULL)
+       if (start == NULL) {
                start = arg;
+               /* Lets assume one colon is port information. Otherwise its an IPv6 address */
+               colon = strchr(arg, ':');
+               if (colon && strchr(colon+1, ':'))
+                       colon = NULL;
+       }
        else {
                start++;
                end = strchr(start, ']');
@@ -105,8 +110,8 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
                        range->min_proto.tcp.port = htons(port);
                        range->max_proto.tcp.port = htons(maxport);
                }
-               /* Starts with a colon? No IP info...*/
-               if (colon == arg) {
+               /* Starts with colon or [] colon? No IP info...*/
+               if (colon == arg || colon == arg+2) {
                        free(arg);
                        return;
                }

diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
index 307be70ea48c1acf220e1a3faa79179a1d4e2c80..7382ad0660c53bc7db5356676840cbbd0f056025 100644 (file)
--- a/extensions/libip6t_SNAT.c
+++ b/extensions/libip6t_SNAT.c
@@ -54,8 +54,13 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
                xtables_error(RESOURCE_PROBLEM, "strdup");
 
        start = strchr(arg, '[');
-       if (start == NULL)
+       if (start == NULL) {
                start = arg;
+               /* Lets assume one colon is port information. Otherwise its an IPv6 address */
+               colon = strchr(arg, ':');
+               if (colon && strchr(colon+1, ':'))
+                       colon = NULL;
+       }
        else {
                start++;
                end = strchr(start, ']');
@@ -105,8 +110,8 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
                        range->min_proto.tcp.port = htons(port);
                        range->max_proto.tcp.port = htons(maxport);
                }
-               /* Starts with a colon? No IP info...*/
-               if (colon == arg) {
+               /* Starts with colon or [] colon? No IP info...*/
+               if (colon == arg || colon == arg+2) {
                        free(arg);
                        return;
                }