From cd6a8f9ce2f365115da7fa5902c7e14d9ed941bc Mon Sep 17 00:00:00 2001
From: Laine Stump
Date: Tue, 4 Jan 2011 12:31:40 -0500
Subject: [PATCH] Log an error on attempts to add a NAT rule for non-IPv4 addresses

Although the upper-layer code protected against it, it was possible to call iptablesForwardMasquerade() with an IPv6 address and have it attempt to add a rule to the MASQUERADE chain of ip6tables (which doesn't exist). This patch changes that function to check the protocol of the given address, generate an error log if it's not IPv4 (AF_INET), and finally hardcodes all the family parameters sent down to lower-level functions.
---
 src/util/iptables.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/util/iptables.c b/src/util/iptables.c
index 6770fe003c..59f5cc7a51 100644
--- a/src/util/iptables.c
+++ b/src/util/iptables.c
@@ -761,10 +761,19 @@ iptablesForwardMasquerade(iptablesContext *ctx,
 if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
 return -1;
 
+ if (!VIR_SOCKET_IS_FAMILY(netaddr, AF_INET)) {
+ /* Higher level code *should* guaranteee it's impossible to get here. */
+ iptablesError(VIR_ERR_INTERNAL_ERROR,
+ _("Attempted to NAT '%s'. NAT is only supported for IPv4."),
+ networkstr);
+ VIR_FREE(networkstr);
+ return -1;
+ }
+
 if (protocol && protocol[0]) {
 if (physdev && physdev[0]) {
 ret = iptablesAddRemoveRule(ctx->nat_postrouting,
- VIR_SOCKET_FAMILY(netaddr),
+ AF_INET,
 action,
 "--source", networkstr,
 "-p", protocol,
@@ -775,7 +784,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
 NULL);
 } else {
 ret = iptablesAddRemoveRule(ctx->nat_postrouting,
- VIR_SOCKET_FAMILY(netaddr),
+ AF_INET,
 action,
 "--source", networkstr,
 "-p", protocol,
@@ -787,7 +796,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
 } else {
 if (physdev && physdev[0]) {
 ret = iptablesAddRemoveRule(ctx->nat_postrouting,
- VIR_SOCKET_FAMILY(netaddr),
+ AF_INET,
 action,
 "--source", networkstr,
 "!", "--destination", networkstr,
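Review bot: The comment on the new family guard in the first hunk misspells "guarantee"; suggest `/* Higher level code *should* guarantee it's impossible to get here. */`, ideally also stating that the guard exists because ip6tables has no MASQUERADE target, so a reader knows why AF_INET is hardcoded below. The guard runs after iptablesFormatNetwork() has allocated networkstr, and the early-return path does free it, which looks correct; if the formatted string were not needed in the message, checking the family before the allocation would avoid the allocate-then-free, but that is a matter of taste. iptablesForwardMasquerade() begins before this hunk and its body continues past it, so the remaining cleanup paths for networkstr are not visible here. The second and third hunks, and the hunk on the following line, only replace VIR_SOCKET_FAMILY(netaddr) with AF_INET, which is consistent with the guard and raises nothing further.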
@@ -796,7 +805,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
 NULL);
 } else {
 ret = iptablesAddRemoveRule(ctx->nat_postrouting,
- VIR_SOCKET_FAMILY(netaddr),
+ AF_INET,
 action,
 "--source", networkstr,
 "!", "--destination", networkstr,
-- 
2.39.5