Although the upper-layer code protected against it, it was possible to call iptablesForwardMasquerade() with an IPv6 address and have it attempt to add a rule to the MASQUERADE chain of ip6tables (which doesn't exist). This patch changes that function to check the protocol of the given address, generate an error log if it's not IPv4 (AF_INET), and finally hardcodes all the family parameters sent down to lower-level functions. --- src/util/iptables.c | 17 +++++++++++++---- 1 files changed, 13 insertions(+), 4 deletions(-) diff --git a/src/util/iptables.c b/src/util/iptables.c index 6770fe0..59f5cc7 100644 --- a/src/util/iptables.c +++ b/src/util/iptables.c @@ -761,10 +761,19 @@ iptablesForwardMasquerade(iptablesContext *ctx, if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) return -1; + if (!VIR_SOCKET_IS_FAMILY(netaddr, AF_INET)) { + /* Higher level code *should* guaranteee it's impossible to get here. */ + iptablesError(VIR_ERR_INTERNAL_ERROR, + _("Attempted to NAT '%s'. NAT is only supported for IPv4."), + networkstr); + VIR_FREE(networkstr); + return -1; + } + if (protocol && protocol[0]) { if (physdev && physdev[0]) { ret = iptablesAddRemoveRule(ctx->nat_postrouting, - VIR_SOCKET_FAMILY(netaddr), + AF_INET, action, "--source", networkstr, "-p", protocol, @@ -775,7 +784,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, NULL); } else { ret = iptablesAddRemoveRule(ctx->nat_postrouting, - VIR_SOCKET_FAMILY(netaddr), + AF_INET, action, "--source", networkstr, "-p", protocol, @@ -787,7 +796,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, } else { if (physdev && physdev[0]) { ret = iptablesAddRemoveRule(ctx->nat_postrouting, - VIR_SOCKET_FAMILY(netaddr), + AF_INET, action, "--source", networkstr, "!", "--destination", networkstr, @@ -796,7 +805,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, NULL); } else { ret = iptablesAddRemoveRule(ctx->nat_postrouting, - VIR_SOCKET_FAMILY(netaddr), + AF_INET, action, "--source", networkstr, "!", "--destination", networkstr, -- 1.7.3.4