Log an error on attempts to add a NAT rule for non-IPv4 addresses
authorLaine Stump <laine@laine.org>
Tue, 4 Jan 2011 17:31:40 +0000 (12:31 -0500)
committerLaine Stump <laine@laine.org>
Wed, 5 Jan 2011 16:59:47 +0000 (11:59 -0500)
Although the upper-layer code protected against it, it was possible to
call iptablesForwardMasquerade() with an IPv6 address and have it
attempt to add a rule to the MASQUERADE chain of ip6tables (which
doesn't exist).

This patch changes that function to check the protocol of the given
address, generate an error log if it's not IPv4 (AF_INET), and finally
hardcodes all the family parameters sent down to lower-level functions.

src/util/iptables.c

index 6770fe003c51925c6ecf897a94f40a1189fd2c1e..59f5cc7a51c2bbe6d1fd9b538e01523628bd7ef3 100644 (file)
@@ -761,10 +761,19 @@ iptablesForwardMasquerade(iptablesContext *ctx,
     if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
         return -1;
 
+    if (!VIR_SOCKET_IS_FAMILY(netaddr, AF_INET)) {
+        /* Higher level code *should* guaranteee it's impossible to get here. */
+        iptablesError(VIR_ERR_INTERNAL_ERROR,
+                      _("Attempted to NAT '%s'. NAT is only supported for IPv4."),
+                      networkstr);
+        VIR_FREE(networkstr);
+        return -1;
+    }
+
     if (protocol && protocol[0]) {
         if (physdev && physdev[0]) {
             ret = iptablesAddRemoveRule(ctx->nat_postrouting,
-                                        VIR_SOCKET_FAMILY(netaddr),
+                                        AF_INET,
                                         action,
                                         "--source", networkstr,
                                         "-p", protocol,
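Review bot: The comment on the new guard, `/* Higher level code *should* guaranteee it's impossible to get here. */`, misspells "guarantee"; since it is the line a reader lands on when the VIR_ERR_INTERNAL_ERROR fires, it should read `/* Higher level code *should* guarantee it's impossible to get here. */`. The guard itself looks sound: it runs after networkstr has been allocated and releases it with VIR_FREE on the error path, and hardcoding AF_INET in the iptablesAddRemoveRule calls below keeps the rule family consistent with what was checked. It would be worth saying in that same comment that this check is now the last line of defence against handing a MASQUERADE rule to ip6tables, so it must stay even if the upper-layer validation is reworked. iptablesForwardMasquerade begins before this hunk and its body continues past it.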
@@ -775,7 +784,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
                                         NULL);
         } else {
             ret = iptablesAddRemoveRule(ctx->nat_postrouting,
-                                        VIR_SOCKET_FAMILY(netaddr),
+                                        AF_INET,
                                         action,
                                         "--source", networkstr,
                                         "-p", protocol,
@@ -787,7 +796,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
     } else {
         if (physdev && physdev[0]) {
             ret = iptablesAddRemoveRule(ctx->nat_postrouting,
-                                        VIR_SOCKET_FAMILY(netaddr),
+                                        AF_INET,
                                         action,
                                         "--source", networkstr,
                                         "!", "--destination", networkstr,
@@ -796,7 +805,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
                                         NULL);
         } else {
             ret = iptablesAddRemoveRule(ctx->nat_postrouting,
-                                        VIR_SOCKET_FAMILY(netaddr),
+                                        AF_INET,
                                         action,
                                         "--source", networkstr,
                                         "!", "--destination", networkstr,