netfilter: use ipv4 iptables rules to block IPv4-mapped IPv6 addresses

Submitted by Andrei Vagin on Nov. 27, 2017, 10:15 p.m.

Details

Message ID 20171127221530.8383-1-avagin@openvz.org
State Accepted
Series "netfilter: use ipv4 iptables rules to block IPv4-mapped IPv6 addresses"

Commit Message

Andrei Vagin Nov. 27, 2017, 10:15 p.m.
From: Andrei Vagin <avagin@virtuozzo.com>

If an ipv6 socket has an IPv4-mapped address, it is used to handle an ipv4
connection, so we have to use ipv4 iptables rules to block this
connection.

Reported-by: Mr Jenkins
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
---
 criu/netfilter.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)


diff --git a/criu/netfilter.c b/criu/netfilter.c
index 5942eb0f1..991c7181f 100644
--- a/criu/netfilter.c
+++ b/criu/netfilter.c
@@ -47,6 +47,12 @@  void preload_netfilter_modules(void)
 	close_safe(&fd);
 }
 
+/* IPv4-Mapped IPv6 Addresses */
+static int ipv6_addr_mapped(u32 *addr)
+{
+	return (addr[2] == htonl(0x0000ffff));
+}
+
 static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 						u32 *dst_addr, u16 dst_port,
 						bool input, bool lock)
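Review bot: ipv6_addr_mapped() only tests addr[2] == htonl(0x0000ffff), but an IPv4-mapped address is ::ffff:a.b.c.d, i.e. the first 80 bits must be zero as well; as written, any address whose third 32-bit word happens to be 0x0000ffff is treated as mapped and silently truncated to its low 32 bits, so the generated iptables rule would target the wrong address and fail to block the connection. Suggest `return addr[0] == 0 && addr[1] == 0 && addr[2] == htonl(0x0000ffff);` (and take `const u32 *addr`, since the helper does not modify it).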
@@ -56,6 +62,12 @@  static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 	char *argv[4] = { "sh", "-c", buf, NULL };
 	int ret;
 
+	if (family == AF_INET6 && ipv6_addr_mapped(dst_addr)) {
+		family = AF_INET;
+		src_addr = &src_addr[3];
+		dst_addr = &dst_addr[3];
+	}
+
 	switch (family) {
 	case AF_INET:
 		cmd = iptable_cmd_ipv4;
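Review bot: the switch to AF_INET is decided on dst_addr alone, yet src_addr is also rebased to &src_addr[3]; if the source were not an IPv4-mapped address its low 32 bits would be emitted as an IPv4 address and the resulting rule would not match the connection it is meant to block. Suggest requiring both, `if (family == AF_INET6 && ipv6_addr_mapped(src_addr) && ipv6_addr_mapped(dst_addr))`, and logging (or failing) when only one side is mapped, since that combination should not occur for a real connection.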