From 11feddff95a47f292d84784112a71b69cfa951b6 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Sat, 2 Apr 2022 20:06:11 +0200 Subject: [PATCH] fw4: bracketize IPv6 addresses in dnat addr:port notation Ref: https://github.com/openwrt/openwrt/issues/9624 Signed-off-by: Jo-Philipp Wich --- root/usr/share/firewall4/templates/redirect.uc | 2 +- root/usr/share/ucode/fw4.uc | 4 ++-- tests/03_rules/07_redirect | 15 +++++++++++++++ 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/root/usr/share/firewall4/templates/redirect.uc b/root/usr/share/firewall4/templates/redirect.uc index a77e3d5..5369430 100644 --- a/root/usr/share/firewall4/templates/redirect.uc +++ b/root/usr/share/firewall4/templates/redirect.uc @@ -66,6 +66,6 @@ {%- elif (redirect.target == "accept" || redirect.target == "masquerade"): -%} {{ redirect.target }} {%- else -%} - {{ redirect.target }} {{ redirect.raddr ? fw4.host(redirect.raddr) : '' }} + {{ redirect.target }} {{ redirect.raddr ? fw4.host(redirect.raddr, redirect.rport != null) : '' }} {%- if (redirect.rport): %}:{{ fw4.port(redirect.rport) }}{% endif %} {% endif %} comment {{ fw4.quote("!fw4: " + redirect.name, true) }} diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc index 8a4277b..8e38a5c 100644 --- a/root/usr/share/ucode/fw4.uc +++ b/root/usr/share/ucode/fw4.uc @@ -1565,10 +1565,10 @@ return { return sprintf("%s/%s", a.addr, a.mask); }, - host: function(a) { + host: function(a, v6brackets) { return a.range ? sprintf("%s-%s", a.addr, a.addr2) - : apply_mask(a.addr, a.bits); + : sprintf((a.family == 6 && v6brackets) ? "[%s]" : "%s", apply_mask(a.addr, a.bits)); }, port: function(p) { diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect index 094a5b0..f9292ea 100644 --- a/tests/03_rules/07_redirect +++ b/tests/03_rules/07_redirect 
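Review bot: The changed line in redirect.uc decides on brackets with `redirect.rport != null`, while the next line emits the port only under `{%- if (redirect.rport): %}`, so the two conditions are not the same test. If rport can ever be non-null yet falsy, the rule would carry a bracketed address with no `:port` after it. Whether nft accepts that form is not visible here, and a rule that fails to parse would presumably keep the generated ruleset from loading. Passing the same truthiness test keeps them in step: `fw4.host(redirect.raddr, !!redirect.rport)`. The enclosing template block starts before the hunk.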
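Review bot: The range branch of `host()` in fw4.uc ignores the new `v6brackets` argument, so an IPv6 range followed by `:port` would still be rendered unbracketed as `addr-addr2:port`, the same ambiguity this commit removes for single addresses. Whether a range can reach the dnat path is not visible in this hunk. If it can, and once the nft syntax for bracketed ranges is confirmed, the branch could become `sprintf((a.family == 6 && v6brackets) ? "[%s]-[%s]" : "%s-%s", a.addr, a.addr2)`. The new parameter is also undocumented; a comment such as `// v6brackets: wrap a single IPv6 address in [] so a following :port is unambiguous; ignored for ranges` above the function would record the contract. The enclosing `return {` object starts and ends outside the hunk.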
@@ -85,6 +85,18 @@ Test various address selection rules in redirect rules. "proto": "tcp", "src_dport": "24", "dest_ip": "192.168.26.100" + }, + { + ".description": "Ensure that the rewrite IPv6 address is using bracket notation when a port is specified", + "name": "Redirect test #6", + "family": "ipv6", + "src": "wan", + "dest": "lan", + "proto": "tcp", + "src_dport": "25", + "dest_ip": "2001:db8:1000:1::1234", + "dest_port": "25", + "target": "dnat" } ] } @@ -255,6 +267,7 @@ table inet fw4 { chain dstnat_wan { meta nfproto ipv4 tcp dport 22 counter dnat 192.168.26.100:22 comment "!fw4: Redirect test #3" meta nfproto ipv4 tcp dport 23 counter dnat 192.168.26.100:23 comment "!fw4: Redirect test #4" + meta nfproto ipv6 tcp dport 25 counter dnat [2001:db8:1000:1::1234]:25 comment "!fw4: Redirect test #6" } chain srcnat_wan { @@ -267,11 +280,13 @@ table inet fw4 { udp dport 53 counter redirect to 53 comment "!fw4: Redirect test #2" ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 tcp dport 22 dnat 192.168.26.100:22 comment "!fw4: Redirect test #3 (reflection)" ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 tcp dport 23 dnat 192.168.26.100:23 comment "!fw4: Redirect test #4 (reflection)" + ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr 2001:db8:54:321::2 tcp dport 25 dnat [2001:db8:1000:1::1234]:25 comment "!fw4: Redirect test #6 (reflection)" } chain srcnat_lan { ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 192.168.26.100 tcp dport 22 snat 192.168.26.1 comment "!fw4: Redirect test #3 (reflection)" ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 192.168.26.100 tcp dport 23 snat 10.11.12.194 comment "!fw4: Redirect test #4 (reflection)" + ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr 2001:db8:1000:1::1234 tcp dport 25 snat 2001:db8:1000:1::1 comment "!fw4: Redirect test #6 (reflection)" } chain dstnat_noaddr { -- 2.30.2
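Review bot: The new fixture "Redirect test #6" pins only the positive case, an IPv6 `dest_ip` together with `dest_port`. Nothing in these hunks pins an IPv6 dnat without a rewrite port, where the address should stay unbracketed. A sibling entry that leaves the rewrite port out would catch a regression where brackets appear without a port. That assumes fw4 then emits no port at all, which these hunks do not show. The expected-output hunks in the same file would need the matching unbracketed `dnat` line.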