Re: [PATCH] extensions : multiple to-dst/to-src arguments for ip6t_DNAT/SNAT not reported

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Jan 16, 2018 at 04:06:27PM +0100, Thierry Du Tre wrote:
> Op 16/01/2018 om 14:06 schreef Pablo Neira Ayuso:
> > Hi Thierry,
> > 
> > On Tue, Jan 16, 2018 at 01:44:37PM +0100, Thierry Du Tre wrote:
> >> This patch is fixing the detection of multiple '--to-destination' in a DNAT rule and '--to-source' in SNAT rule for IPv6.
> >> Currently, when defining multiple values for these, only the last will be used and others ignored silently.
> >>
> >> The checks for (cb->xflags & F_X_TO_[DEST/SRC]) always fails because the flags are never set before.
> >> It seems to be a copy-paste artefact since introduction of the IPv6 DNAT/SNAT extensions based on IPv4 code.
> >>
> >> I also removed the kernel_version checks because they seem useless. Extensions for IPv6 DNAT/SNAT are using xt_target with revision 1.
> >> That seems only added since kernel version 3.7-rc1 and therefore the check for > v2.6.10 will always return true.
> >> The check is probably also coming from the IPv4 copy-paste.
> > 
> > Thanks for fixing up this.
> > 
> > Would you also send us a patch to add tests:
> > 
> >         extensions/libip6t_DNAT.t
> > 
> 
> The following should cover this patch.
> (without patch, libip6t_SNAT.t and libip6t_DNAT.t will fail)

Folded to your patch to fix this.

> ---
>  extensions/libip6t_DNAT.t | 2 ++
>  extensions/libip6t_SNAT.t | 2 ++
>  extensions/libipt_DNAT.t  | 2 ++
>  extensions/libipt_SNAT.t  | 2 ++
>  4 files changed, 8 insertions(+)
> 
> diff --git a/extensions/libip6t_DNAT.t b/extensions/libip6t_DNAT.t
> index 3141c29..4a6d09a 100644
> --- a/extensions/libip6t_DNAT.t
> +++ b/extensions/libip6t_DNAT.t
> @@ -2,7 +2,9 @@
>  *nat
>  -j DNAT --to-destination dead::beef;=;OK
>  -j DNAT --to-destination dead::beef-dead::fee7;=;OK
> +-j DNAT --to-destination [dead::beef]:1025-65535;FAIL
                                                   ^
No problem, just a missing semicolon here. I have fixed it, please
run:

        python iptables-test.py

next time.

Applied!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux