firewall-util: reject NULL source or address with prefixlen 0

Make sure we don't add masquerading rules without a explicitly
specified network range we should be masquerading for.

The only caller aside from test case is
networkd-address.c which never passes a NULL source.

As it also passes the network prefix, that should always be > 0 as well.

This causes expected test failure:
Failed to modify firewall: Invalid argument
Failed to modify firewall: Invalid argument
Failed to modify firewall: Invalid argument
Failed to modify firewall: Protocol not available
Failed to modify firewall: Protocol not available
Failed to modify firewall: Protocol not available
Failed to modify firewall: Protocol not available

The failing test cases are amended to expect failure on
NULL source or prefix instead of success.

diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c
index 974803903d9c734d0c77a57ddede53fb02ac3965..df020ba7a2c7b4971f5f662c3db9e791a1c8a6e8 100644 (file)
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@@ -98,6 +98,9 @@ int fw_add_masquerade(
         if (af != AF_INET)
                 return -EOPNOTSUPP;
 
+        if (!source || source_prefixlen == 0)
+                return -EINVAL;
+
         h = iptc_init("nat");
         if (!h)
                 return -errno;

diff --git a/src/test/test-firewall-util.c b/src/test/test-firewall-util.c
index 25c5a6cbf5d013b5ea327dd160386e579ba5dcf6..f223c0a4d91cb0bd55baef724bd11fc739fd7d96 100644 (file)
--- a/src/test/test-firewall-util.c
+++ b/src/test/test-firewall-util.c
@@ -9,16 +9,30 @@
 int main(int argc, char *argv[]) {
         int r;
         test_setup_logging(LOG_DEBUG);
+        uint8_t prefixlen = 32;
 
         r = fw_add_masquerade(true, AF_INET, NULL, 0);
+        if (r == 0)
+                log_error("Expected failure: NULL source");
+
+        r = fw_add_masquerade(true, AF_INET, &MAKE_IN_ADDR_UNION(10,1,2,0), 0);
+        if (r == 0)
+                log_error("Expected failure: 0 prefixlen");
+
+        r = fw_add_masquerade(true, AF_INET, &MAKE_IN_ADDR_UNION(10,1,2,3), prefixlen);
         if (r < 0)
                 log_error_errno(r, "Failed to modify firewall: %m");
 
-        r = fw_add_masquerade(true, AF_INET, NULL, 0);
+        prefixlen = 28;
+        r = fw_add_masquerade(true, AF_INET, &MAKE_IN_ADDR_UNION(10,0,2,0), prefixlen);
+        if (r < 0)
+                log_error_errno(r, "Failed to modify firewall: %m");
+
+        r = fw_add_masquerade(false, AF_INET, &MAKE_IN_ADDR_UNION(10,0,2,0), prefixlen);
         if (r < 0)
                 log_error_errno(r, "Failed to modify firewall: %m");
 
-        r = fw_add_masquerade(false, AF_INET, NULL, 0);
+        r = fw_add_masquerade(false, AF_INET, &MAKE_IN_ADDR_UNION(10,1,2,3), 32);
         if (r < 0)
                 log_error_errno(r, "Failed to modify firewall: %m");