From: Florian Westphal
Date: Wed, 24 Jun 2020 09:55:14 +0000 (+0200)
Subject: firewall-util: reject NULL source or address with prefixlen 0
X-Git-Tag: v248-rc1~483^2~10
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=47ed20e1e08d800e722b05a3fb33ba6be4b48afc;p=thirdparty%2Fsystemd.git

firewall-util: reject NULL source or address with prefixlen 0

Make sure we don't add masquerading rules without a explicitly specified network range we should be masquerading for. The only caller aside from test case is networkd-address.c which never passes a NULL source. As it also passes the network prefix, that should always be > 0 as well.

This causes expected test failure:
Failed to modify firewall: Invalid argument
Failed to modify firewall: Invalid argument
Failed to modify firewall: Invalid argument
Failed to modify firewall: Protocol not available
Failed to modify firewall: Protocol not available
Failed to modify firewall: Protocol not available
Failed to modify firewall: Protocol not available

The failing test cases are amended to expect failure on NULL source or prefix instead of success.
---
diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c
index 974803903d9..df020ba7a2c 100644
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@@ -98,6 +98,9 @@ int fw_add_masquerade(
 if (af != AF_INET)
 return -EOPNOTSUPP;
 
+if (!source || source_prefixlen == 0)
+return -EINVAL;
+
 h = iptc_init("nat");
 if (!h)
 return -errno;
diff --git a/src/test/test-firewall-util.c b/src/test/test-firewall-util.c
index 25c5a6cbf5d..f223c0a4d91 100644
--- a/src/test/test-firewall-util.c
+++ b/src/test/test-firewall-util.c
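Review bot: The new guard in fw_add_masquerade rejects `source_prefixlen == 0` but leaves the upper bound unchecked; with `af` already pinned to AF_INET on the line above, any prefix length above 32 is just as invalid as 0. If the netmask further down the function is built by shifting by `32 - source_prefixlen` (that part of the body is outside the hunk, so this is inferred), an oversized value would be undefined behaviour of exactly the kind this check is meant to close. Suggest widening the condition to `if (!source || source_prefixlen == 0 || source_prefixlen > 32)` with the same `return -EINVAL;`. The function's signature and the rest of its body lie outside the hunk.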
@@ -9,16 +9,30 @@ int main(int argc, char *argv[]) {
 int r;
 
 test_setup_logging(LOG_DEBUG);
+uint8_t prefixlen = 32;
 
 r = fw_add_masquerade(true, AF_INET, NULL, 0);
+if (r == 0)
+log_error("Expected failure: NULL source");
+
+r = fw_add_masquerade(true, AF_INET, &MAKE_IN_ADDR_UNION(10,1,2,0), 0);
+if (r == 0)
+log_error("Expected failure: 0 prefixlen");
+
+r = fw_add_masquerade(true, AF_INET, &MAKE_IN_ADDR_UNION(10,1,2,3), prefixlen);
 if (r < 0)
 log_error_errno(r, "Failed to modify firewall: %m");
 
-r = fw_add_masquerade(true, AF_INET, NULL, 0);
+prefixlen = 28;
+r = fw_add_masquerade(true, AF_INET, &MAKE_IN_ADDR_UNION(10,0,2,0), prefixlen);
+if (r < 0)
+log_error_errno(r, "Failed to modify firewall: %m");
+
+r = fw_add_masquerade(false, AF_INET, &MAKE_IN_ADDR_UNION(10,0,2,0), prefixlen);
 if (r < 0)
 log_error_errno(r, "Failed to modify firewall: %m");
 
-r = fw_add_masquerade(false, AF_INET, NULL, 0);
+r = fw_add_masquerade(false, AF_INET, &MAKE_IN_ADDR_UNION(10,1,2,3), 32);
 if (r < 0)
 log_error_errno(r, "Failed to modify firewall: %m");