From: Liping Zhang <[email protected]>

It is better to add square brackets to the ip6 address in the nft translation
output when the port is specified. This keeps the output consistent with the
nft syntax.

Before this patch:
  # ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-destination \
  [123::4]:1
  nft add rule ip6 nat OUTPUT meta l4proto tcp counter dnat to 123::4 :1
  # ip6tables-translate -t nat -A POSTROUTING -p tcp -j SNAT --to-source \
  [123::4-123::8]:1
  nft add rule ip6 nat POSTROUTING meta l4proto tcp counter snat to 
123::4-123::8 :1

Apply this patch:
  # ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-destination \
  [123::4]:1
  nft add rule ip6 nat OUTPUT meta l4proto tcp counter dnat to [123::4]:1
  # ip6tables-translate -t nat -A POSTROUTING -p tcp -j SNAT --to-source \
  [123::4-123::8]:1
  nft add rule ip6 nat POSTROUTING meta l4proto tcp counter snat to 
[123::4]-[123::8]:1

Signed-off-by: Liping Zhang <[email protected]>
---
 extensions/libip6t_DNAT.c | 21 ++++++++++++++-------
 extensions/libip6t_SNAT.c | 21 ++++++++++++++-------
 2 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
index 97a8b1c..08d920d 100644
--- a/extensions/libip6t_DNAT.c
+++ b/extensions/libip6t_DNAT.c
@@ -234,17 +234,24 @@ static void DNAT_save(const void *ip, const struct 
xt_entry_target *target)
 static void print_range_xlate(const struct nf_nat_range *range,
                              struct xt_xlate *xl)
 {
+       bool proto_specified = range->flags & NF_NAT_RANGE_PROTO_SPECIFIED;
+
        if (range->flags & NF_NAT_RANGE_MAP_IPS) {
-               xt_xlate_add(xl, "%s",
-                          xtables_ip6addr_to_numeric(&range->min_addr.in6));
+               xt_xlate_add(xl, "%s%s%s",
+                            proto_specified ? "[" : "",
+                            xtables_ip6addr_to_numeric(&range->min_addr.in6),
+                            proto_specified ? "]" : "");
 
                if (memcmp(&range->min_addr, &range->max_addr,
-                          sizeof(range->min_addr)))
-                       xt_xlate_add(xl, "-%s",
-                            xtables_ip6addr_to_numeric(&range->max_addr.in6));
+                          sizeof(range->min_addr))) {
+                       xt_xlate_add(xl, "-%s%s%s",
+                                    proto_specified ? "[" : "",
+                                    
xtables_ip6addr_to_numeric(&range->max_addr.in6),
+                                    proto_specified ? "]" : "");
+               }
        }
-       if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
-               xt_xlate_add(xl, " :%hu", ntohs(range->min_proto.tcp.port));
+       if (proto_specified) {
+               xt_xlate_add(xl, ":%hu", ntohs(range->min_proto.tcp.port));
 
                if (range->max_proto.tcp.port != range->min_proto.tcp.port)
                        xt_xlate_add(xl, "-%hu",
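Review bot: The range branch wraps each endpoint on its own, so with a port the output is `[min]-[max]:port` (the commit message shows `[123::4]-[123::8]:1`), and nothing visible here confirms that nft parses that form as an address range plus port. A translated NAT rule that is rejected, or read with a different target, changes where traffic is rewritten after a ruleset migration, so it is worth loading both example outputs into nft before merging. The new `proto_specified` local would also benefit from a comment giving the reason for the brackets, for example `/* with a port, nft needs [addr]:port so the port's ':' is not read as part of the IPv6 address */`. Both points apply equally to the identical hunk in extensions/libip6t_SNAT.c; print_range_xlate continues past the end of this hunk.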
diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
index c3d8190..671ac61 100644
--- a/extensions/libip6t_SNAT.c
+++ b/extensions/libip6t_SNAT.c
@@ -244,17 +244,24 @@ static void SNAT_save(const void *ip, const struct 
xt_entry_target *target)
 static void print_range_xlate(const struct nf_nat_range *range,
                              struct xt_xlate *xl)
 {
+       bool proto_specified = range->flags & NF_NAT_RANGE_PROTO_SPECIFIED;
+
        if (range->flags & NF_NAT_RANGE_MAP_IPS) {
-               xt_xlate_add(xl, "%s",
-                          xtables_ip6addr_to_numeric(&range->min_addr.in6));
+               xt_xlate_add(xl, "%s%s%s",
+                            proto_specified ? "[" : "",
+                            xtables_ip6addr_to_numeric(&range->min_addr.in6),
+                            proto_specified ? "]" : "");
 
                if (memcmp(&range->min_addr, &range->max_addr,
-                          sizeof(range->min_addr)))
-                       xt_xlate_add(xl, "-%s",
-                            xtables_ip6addr_to_numeric(&range->max_addr.in6));
+                          sizeof(range->min_addr))) {
+                       xt_xlate_add(xl, "-%s%s%s",
+                                    proto_specified ? "[" : "",
+                                    
xtables_ip6addr_to_numeric(&range->max_addr.in6),
+                                    proto_specified ? "]" : "");
+               }
        }
-       if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
-               xt_xlate_add(xl, " :%hu", ntohs(range->min_proto.tcp.port));
+       if (proto_specified) {
+               xt_xlate_add(xl, ":%hu", ntohs(range->min_proto.tcp.port));
 
                if (range->max_proto.tcp.port != range->min_proto.tcp.port)
                        xt_xlate_add(xl, "-%hu",
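Review bot: This hunk repeats the libip6t_DNAT.c change line for line, and within it the same `proto_specified ? "[" : ""` / `proto_specified ? "]" : ""` pair is spelled out for both the minimum and the maximum address. Computing the delimiters once, `const char *lb = proto_specified ? "[" : "";` and `const char *rb = proto_specified ? "]" : "";`, would shorten both `xt_xlate_add()` calls and leave one place to edit if the bracket rule changes. Since the two print_range_xlate copies appear identical in these hunks, a shared helper would keep the SNAT and DNAT translations from drifting apart, though the rest of each function is outside the hunk.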
-- 
2.5.5

