From: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx> It is better to add square brackets to ip6 address in nft translation output when the port is specified. This is keep consistent with the nft syntax. Before this patch: # ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-destination \ [123::4]:1 nft add rule ip6 nat OUTPUT meta l4proto tcp counter dnat to 123::4 :1 # ip6tables-translate -t nat -A POSTROUTING -p tcp -j SNAT --to-source \ [123::4-123::8]:1 nft add rule ip6 nat POSTROUTING meta l4proto tcp counter snat to 123::4-123::8 :1 Apply this patch: # ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-destination \ [123::4]:1 nft add rule ip6 nat OUTPUT meta l4proto tcp counter dnat to [123::4]:1 # ip6tables-translate -t nat -A POSTROUTING -p tcp -j SNAT --to-source \ [123::4-123::8]:1 nft add rule ip6 nat POSTROUTING meta l4proto tcp counter snat to [123::4]-[123::8]:1 Signed-off-by: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx>
---
extensions/libip6t_DNAT.c | 21 ++++++++++++++-------
extensions/libip6t_SNAT.c | 21 ++++++++++++++-------
2 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
index 97a8b1c..08d920d 100644
--- a/extensions/libip6t_DNAT.c
+++ b/extensions/libip6t_DNAT.c
@@ -234,17 +234,24 @@ static void DNAT_save(const void *ip, const struct xt_entry_target *target) static void print_range_xlate(const struct nf_nat_range *range, struct xt_xlate *xl) { + bool proto_specified = range->flags & NF_NAT_RANGE_PROTO_SPECIFIED; + if (range->flags & NF_NAT_RANGE_MAP_IPS) { - xt_xlate_add(xl, "%s", - xtables_ip6addr_to_numeric(&range->min_addr.in6)); + xt_xlate_add(xl, "%s%s%s", + proto_specified ? "[" : "", + xtables_ip6addr_to_numeric(&range->min_addr.in6), + proto_specified ? "]" : ""); if (memcmp(&range->min_addr, &range->max_addr, - sizeof(range->min_addr))) - xt_xlate_add(xl, "-%s", - xtables_ip6addr_to_numeric(&range->max_addr.in6)); + sizeof(range->min_addr))) { + xt_xlate_add(xl, "-%s%s%s", + proto_specified ? "[" : "", + xtables_ip6addr_to_numeric(&range->max_addr.in6), + proto_specified ? "]" : ""); + } } - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - xt_xlate_add(xl, " :%hu", ntohs(range->min_proto.tcp.port)); + if (proto_specified) { + xt_xlate_add(xl, ":%hu", ntohs(range->min_proto.tcp.port)); if (range->max_proto.tcp.port != range->min_proto.tcp.port) xt_xlate_add(xl, "-%hu", diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c index c3d8190..671ac61 100644 --- a/extensions/libip6t_SNAT.c +++ b/extensions/libip6t_SNAT.c 
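Review bot: The reason the brackets are emitted only when `proto_specified` is set is not recorded in the code, so the next person editing print_range_xlate has to recover it from the commit message. A one-line comment above the new `bool` would do, for example `/* nft wants [addr]:port so the port's ':' is not read as part of the IPv6 address */`. The port format also lost its leading space (`" :%hu"` became `":%hu"`), and the function tests NF_NAT_RANGE_MAP_IPS and NF_NAT_RANGE_PROTO_SPECIFIED independently, so a port-only range now prints `:port` straight after whatever the caller emitted. The caller is outside the hunk, so that case's output should be checked against nft as well, since a translated NAT rule that parses differently from the original is a migration hazard. The function body continues past the end of the hunk.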
@@ -244,17 +244,24 @@ static void SNAT_save(const void *ip, const struct xt_entry_target *target) static void print_range_xlate(const struct nf_nat_range *range, struct xt_xlate *xl) { + bool proto_specified = range->flags & NF_NAT_RANGE_PROTO_SPECIFIED; + if (range->flags & NF_NAT_RANGE_MAP_IPS) { - xt_xlate_add(xl, "%s", - xtables_ip6addr_to_numeric(&range->min_addr.in6)); + xt_xlate_add(xl, "%s%s%s", + proto_specified ? "[" : "", + xtables_ip6addr_to_numeric(&range->min_addr.in6), + proto_specified ? "]" : ""); if (memcmp(&range->min_addr, &range->max_addr, - sizeof(range->min_addr))) - xt_xlate_add(xl, "-%s", - xtables_ip6addr_to_numeric(&range->max_addr.in6)); + sizeof(range->min_addr))) { + xt_xlate_add(xl, "-%s%s%s", + proto_specified ? "[" : "", + xtables_ip6addr_to_numeric(&range->max_addr.in6), + proto_specified ? "]" : ""); + } } - if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { - xt_xlate_add(xl, " :%hu", ntohs(range->min_proto.tcp.port)); + if (proto_specified) { + xt_xlate_add(xl, ":%hu", ntohs(range->min_proto.tcp.port)); if (range->max_proto.tcp.port != range->min_proto.tcp.port) xt_xlate_add(xl, "-%hu", -- 2.5.5 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
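Review bot: This hunk is a second, line-for-line copy of the bracket logic added to print_range_xlate in libip6t_DNAT.c, so any later correction to the address or port formatting has to be made in both files or the SNAT and DNAT translations will drift apart. If the two extensions can share a helper, moving the range printer there would remove that risk. Within the function, the four repeated ternaries would also read better as two locals set once, `const char *lb = proto_specified ? "[" : "";` and `const char *rb = proto_specified ? "]" : "";`, passed to both `xt_xlate_add` calls. The function body continues past the end of the hunk.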