From dc727615d7fb0f06dbaeb926ed236e75d47f157a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 1 Jul 2010 13:11:38 +0200
Subject: conntrack: add testsuite for NAT filtering options

This patch adds the testsuite for the NAT filtering options.

Signed-off-by: Pablo Neira Ayuso
---
 qa/testsuite/03nat | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 qa/testsuite/03nat
(limited to 'qa/testsuite/03nat')

diff --git a/qa/testsuite/03nat b/qa/testsuite/03nat
new file mode 100644
index 0000000..8043af6
--- /dev/null
+++ b/qa/testsuite/03nat
@@ -0,0 +1,36 @@
+# create dummy
+-I -s 1.1.1.1 -d 2.2.2.2 --dst-nat 3.3.3.3 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
+# show
+-L --dst-nat ; OK
+# show
+-L --dst-nat 3.3.3.3 ; OK
+# show
+-L --src-nat ; OK
+# delete
+-D -s 1.1.1.1 ; OK
+# create dummy again
+-I -s 1.1.1.1 -d 2.2.2.2 --src-nat 3.3.3.3 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
+# show
+-L --src-nat ; OK
+# show
+-L --src-nat 3.3.3.3 ; OK
+# show
+-L --dst-nat ; OK
+# show any-nat
+-L --any-nat ; OK
+# delete
+-D -s 1.1.1.1 ; OK
+# bad combination
+-L --dst-nat --any-nat ; BAD
+# bad combination
+-L --src-nat --any-nat ; BAD
+# bad combination
+-L --src-nat --dst-nat --any-nat ; BAD
+# create
+-I -s 1.1.1.1 -d 2.2.2.2 --dst-nat 3.3.3.3:80 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
+# show
+-L --dst-nat :80 ; OK
+# show
+-L --any-nat :80 ; OK
+# delete
+-D -s 1.1.1.1 ; OK
-- 
cgit v1.2.3

From c4413a601ba46e336e624b035a1b69f7aa1a9318 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 1 Jul 2010 16:45:26 +0200
Subject: conntrack: --[src|dst|any]-nat requires IP:PORT as argument

This patch restricts the behaviour that we previously introduced in 142606c60808b3ab0496155ac3d086765e6baef3.
Signed-off-by: Pablo Neira Ayuso
---
 qa/testsuite/03nat | 4 ++--
 src/conntrack.c | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)
(limited to 'qa/testsuite/03nat')

diff --git a/qa/testsuite/03nat b/qa/testsuite/03nat
index 8043af6..69fbff7 100644
--- a/qa/testsuite/03nat
+++ b/qa/testsuite/03nat
@@ -29,8 +29,8 @@
 # create
 -I -s 1.1.1.1 -d 2.2.2.2 --dst-nat 3.3.3.3:80 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK
 # show
--L --dst-nat :80 ; OK
+-L --dst-nat 3.3.3.3:80 ; OK
 # show
--L --any-nat :80 ; OK
+-L --any-nat 3.3.3.3:80 ; OK
 # delete
 -D -s 1.1.1.1 ; OK
diff --git a/src/conntrack.c b/src/conntrack.c
index 82fe844..a5b49dd 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -816,6 +816,8 @@ nat_parse(char *arg, int portok, struct nf_conntrack *obj, int type)
 if (colon) {
 uint16_t port;
 
+*colon = '\0';
+
 if (!portok)
 exit_error(PARAMETER_PROBLEM,
 "Need TCP or UDP with port specification");
@@ -841,7 +843,7 @@ nat_parse(char *arg, int portok, struct nf_conntrack *obj, int type)
 }
 
 if (parse_addr(arg, &parse) == AF_UNSPEC)
-return;
+exit_error(PARAMETER_PROBLEM, "Invalid IP address `%s'", arg);
 
 if (type == CT_OPT_SRC_NAT || type == CT_OPT_ANY_NAT)
 nfct_set_attr_u32(obj, ATTR_SNAT_IPV4, parse.v4);
-- 
cgit v1.2.3

From 0b3f6c9538da47d546a0bc12c8bf5d8dd8fc2fa7 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 1 Jul 2010 16:52:41 +0200
Subject: conntrack: fix `conntrack --[src|dst|any]-nat IP:PORT' if port mismatches

This patch fixes the filtering if the IP matches an entry but the PORT does not matches. Without this patch, the entry is shown when it should be not.

Signed-off-by: Pablo Neira Ayuso
---
 qa/testsuite/03nat | 4 ++++
 src/conntrack.c | 16 ++++++++++++++++
 2 files changed, 20 insertions(+)
(limited to 'qa/testsuite/03nat')

diff --git a/qa/testsuite/03nat b/qa/testsuite/03nat
index 69fbff7..f94e8ff 100644
--- a/qa/testsuite/03nat
+++ b/qa/testsuite/03nat
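Review bot: The new guard in the second nat_parse hunk only rejects AF_UNSPEC, yet the context lines right below it store `parse.v4` into ATTR_SNAT_IPV4, so if parse_addr() can return AF_INET6 here (its body is outside the hunk) an IPv6 argument passes the check and the first four bytes of the address are silently used as an IPv4 filter. Since the NAT attributes set in this function are IPv4-only, the check should be `if (parse_addr(arg, &parse) != AF_INET)` and the message should say "IPv4 address" rather than "IP address", so the user learns why a well-formed v6 address is refused. Writing `*colon = '\0'` in the first hunk before the portok test is harmless because exit_error() terminates, and it has the nice side effect that the new error message quotes only the address part of the argument. nat_parse starts before the first hunk and continues past the second, so the port parsing that follows is not visible here.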
@@ -32,5 +32,9 @@
 -L --dst-nat 3.3.3.3:80 ; OK
 # show
 -L --any-nat 3.3.3.3:80 ; OK
+# show
+-L --dst-nat 3.3.3.3:81 ; OK
+# show
+-L --dst-nat 1.1.1.1:80 ; OK
 # delete
 -D -s 1.1.1.1 ; OK
diff --git a/src/conntrack.c b/src/conntrack.c
index a5b49dd..6fdd1b4 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -890,10 +890,18 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
 has_srcnat = 1;
 }
 if (nfct_attr_is_set(obj, ATTR_SNAT_PORT)) {
+int ret = 0;
+
 check_port = 1;
 port = nfct_get_attr_u16(obj, ATTR_SNAT_PORT);
 if (nfct_getobjopt(ct, NFCT_GOPT_IS_SPAT) &&
 port == nfct_get_attr_u16(ct, ATTR_REPL_PORT_DST))
+ret = 1;
+
+/* the address matches but the port does not. */
+if (check_address && has_srcnat && !ret)
+has_srcnat = 0;
+if (!check_address && ret)
 has_srcnat = 1;
 }
 if (!check_address && !check_port &&
@@ -912,10 +920,18 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
 has_dstnat = 1;
 }
 if (nfct_attr_is_set(obj, ATTR_DNAT_PORT)) {
+int ret = 0;
+
 check_port = 1;
 port = nfct_get_attr_u16(obj, ATTR_DNAT_PORT);
 if (nfct_getobjopt(ct, NFCT_GOPT_IS_DPAT) &&
 port == nfct_get_attr_u16(ct, ATTR_REPL_PORT_SRC))
+ret = 1;
+
+/* the address matches but the port does not. */
+if (check_address && has_dstnat && !ret)
+has_dstnat = 0;
+if (!check_address && ret)
 has_dstnat = 1;
 }
 if (!check_address && !check_port &&
-- 
cgit v1.2.3
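Review bot: In both filter_nat hunks (@@ -890 and @@ -912) the new flag is named `ret` although it records whether the port matched rather than any return value, which makes the three conditions that follow harder to read than they need to be; `int port_match = 0;` would let them read as `if (check_address && has_srcnat && !port_match)` and `if (!check_address && port_match)`. The two hunks are otherwise line-for-line duplicates differing only in the attribute and getobjopt constants, so a small static helper taking the port attribute, the PAT option and the reply-port attribute, called once per direction, would keep the SNAT and DNAT rules from drifting apart in a later fix. The comment `/* the address matches but the port does not. */` covers only the first of the two conditions under it; placing it directly above that `if` line, or rewording it to say that the match is dropped when an address was given and matched but the port did not, keeps it accurate. filter_nat starts before the first hunk and continues past the second, so where check_address is reset between the SNAT and DNAT sections is not visible here.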