fw4: bracketize IPv6 addresses in dnat addr:port notation

Ref: https://github.com/openwrt/openwrt/issues/9624
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/root/usr/share/firewall4/templates/redirect.uc b/root/usr/share/firewall4/templates/redirect.uc
index a77e3d59747d2edf8db62bd6018d03ce5e31cde8..5369430e0ea5b934ec6d5721537133f01b78d4a7 100644 (file)
--- a/root/usr/share/firewall4/templates/redirect.uc
+++ b/root/usr/share/firewall4/templates/redirect.uc
@@ -66,6 +66,6 @@
 {%- elif (redirect.target == "accept" || redirect.target == "masquerade"): -%}
        {{ redirect.target }}
 {%- else -%}
-       {{ redirect.target }} {{ redirect.raddr ? fw4.host(redirect.raddr) : '' }}
+       {{ redirect.target }} {{ redirect.raddr ? fw4.host(redirect.raddr, redirect.rport != null) : '' }}
        {%- if (redirect.rport): %}:{{ fw4.port(redirect.rport) }}{% endif %}
 {% endif %} comment {{ fw4.quote("!fw4: " + redirect.name, true) }}

diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 8a4277baa8b8cd72fe379ae27f736a22afeea052..8e38a5cc15fe26ca35ba24d93010eaaa22958c39 100644 (file)
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -1565,10 +1565,10 @@ return {
                return sprintf("%s/%s", a.addr, a.mask);
        },
 
-       host: function(a) {
+       host: function(a, v6brackets) {
                return a.range
                        ? sprintf("%s-%s", a.addr, a.addr2)
-                       : apply_mask(a.addr, a.bits);
+                       : sprintf((a.family == 6 && v6brackets) ? "[%s]" : "%s", apply_mask(a.addr, a.bits));
        },
 
        port: function(p) {

diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 094a5b0b1f76b905bb66be14655948ed389c7da8..f9292ea154bdcc648ec3f2dced0575e2e0c72e10 100644 (file)
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -85,6 +85,18 @@ Test various address selection rules in redirect rules.
                        "proto": "tcp",
                        "src_dport": "24",
                        "dest_ip": "192.168.26.100"
+               },
+               {
+                       ".description": "Ensure that the rewrite IPv6 address is using bracket notation when a port is specified",
+                       "name": "Redirect test #6",
+                       "family": "ipv6",
+                       "src": "wan",
+                       "dest": "lan",
+                       "proto": "tcp",
+                       "src_dport": "25",
+                       "dest_ip": "2001:db8:1000:1::1234",
+                       "dest_port": "25",
+                       "target": "dnat"
                }
        ]
 }
@@ -255,6 +267,7 @@ table inet fw4 {
        chain dstnat_wan {
                meta nfproto ipv4 tcp dport 22 counter dnat 192.168.26.100:22 comment "!fw4: Redirect test #3"
                meta nfproto ipv4 tcp dport 23 counter dnat 192.168.26.100:23 comment "!fw4: Redirect test #4"
+               meta nfproto ipv6 tcp dport 25 counter dnat [2001:db8:1000:1::1234]:25 comment "!fw4: Redirect test #6"
        }
 
        chain srcnat_wan {
@@ -267,11 +280,13 @@ table inet fw4 {
                udp dport 53 counter redirect to 53 comment "!fw4: Redirect test #2"
                ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 tcp dport 22 dnat 192.168.26.100:22 comment "!fw4: Redirect test #3 (reflection)"
                ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 tcp dport 23 dnat 192.168.26.100:23 comment "!fw4: Redirect test #4 (reflection)"
+               ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr 2001:db8:54:321::2 tcp dport 25 dnat [2001:db8:1000:1::1234]:25 comment "!fw4: Redirect test #6 (reflection)"
        }
 
        chain srcnat_lan {
                ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 192.168.26.100 tcp dport 22 snat 192.168.26.1 comment "!fw4: Redirect test #3 (reflection)"
                ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 192.168.26.100 tcp dport 23 snat 10.11.12.194 comment "!fw4: Redirect test #4 (reflection)"
+               ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr 2001:db8:1000:1::1234 tcp dport 25 snat 2001:db8:1000:1::1 comment "!fw4: Redirect test #6 (reflection)"
        }
 
        chain dstnat_noaddr {