
Commit e0212033 authored by Florian Westphal's avatar Florian Westphal Committed by Greg Kroah-Hartman

netfilter: nat: really support inet nat without l3 address



[ Upstream commit 282e5f8fe907dc3f2fbf9f2103b0e62ffc3a68a5 ]

When no l3 address is given, priv->family is set to NFPROTO_INET and
the evaluation function isn't called.

Call it too so l4-only rewrite can work.
Also add a test case for this.

Fixes: a33f387ecd5aa ("netfilter: nft_nat: allow to specify layer 4 protocol NAT only")
Reported-by: default avatarYi Chen <yiche@redhat.com>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent da99331f
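--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -283,7 +283,8 @@ static void nft_nat_inet_eval(const struct nft_expr *expr,
 {
 	const struct nft_nat *priv = nft_expr_priv(expr);
 
-	if (priv->family == nft_pf(pkt))
+	if (priv->family == nft_pf(pkt) ||
+	    priv->family == NFPROTO_INET)
 		nft_nat_eval(expr, regs, pkt);
 }
 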
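Review bot: The new two-line condition in nft_nat_inet_eval() carries no comment saying why NFPROTO_INET is accepted alongside the packet's own family, and that is not obvious from the function itself; I would add above it `/* family is NFPROTO_INET when the rule has no l3 address: the l4-only rewrite applies to both v4 and v6 packets */`. With this change nft_nat_eval() is now reached for IPv4 and IPv6 packets whenever the family is NFPROTO_INET, so it presumably has to cope with no address registers being set in that case; that function is outside this hunk and worth confirming.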
+43 −0
@@ -374,6 +374,45 @@ EOF
	return $lret
}

test_local_dnat_portonly()
{
	local family=$1
	local daddr=$2
	local lret=0
	local sr_s
	local sr_r

ip netns exec "$ns0" nft -f /dev/stdin <<EOF
table $family nat {
	chain output {
		type nat hook output priority 0; policy accept;
		meta l4proto tcp dnat to :2000

	}
}
EOF
	if [ $? -ne 0 ]; then
		if [ $family = "inet" ];then
			echo "SKIP: inet port test"
			test_inet_nat=false
			return
		fi
		echo "SKIP: Could not add $family dnat hook"
		return
	fi

	echo SERVER-$family | ip netns exec "$ns1" timeout 5 socat -u STDIN TCP-LISTEN:2000 &
	sc_s=$!

	result=$(ip netns exec "$ns0" timeout 1 socat TCP:$daddr:2000 STDOUT)

	if [ "$result" = "SERVER-inet" ];then
		echo "PASS: inet port rewrite without l3 address"
	else
		echo "ERROR: inet port rewrite"
		ret=1
	fi
}

test_masquerade6()
{
@@ -841,6 +880,10 @@ fi
reset_counters
test_local_dnat ip
test_local_dnat6 ip6

reset_counters
test_local_dnat_portonly inet 10.0.1.99

reset_counters
$test_inet_nat && test_local_dnat inet
$test_inet_nat && test_local_dnat6 inet
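Review bot: In test_local_dnat_portonly the reply is compared against the literal `SERVER-inet` and the PASS/ERROR messages hardcode inet, although the listener echoes `SERVER-$family`, so the function reports ERROR for any family other than inet; `if [ "$result" = "SERVER-$family" ];then` and `echo "PASS: $family port rewrite without l3 address"` would honour the parameter. The declared locals `sr_s` and `sr_r` are never used, while `sc_s` (the listener PID, which is never waited on) and `result` are assigned without `local`, and `local lret=0` is declared but the function sets the global `ret=1` instead of returning `$lret` as the preceding function does; `local sc_s result` in place of the two unused declarations would fix the scoping. The unquoted `$family` in `[ $family = "inet" ]` and `$daddr` in the socat address should also be quoted, in line with the quoted `"$ns0"`/`"$ns1"` on the same lines. The function body lies entirely within the first hunk; the call site in the second hunk only ever passes inet, which is why the hardcoding goes unnoticed.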