Correctly express "any address" to iptables.

Iptables interprets "-d 0.0.0.0" as "-d 0.0.0.0/32", not /0. This results in the DNAT rule never matching any traffic if not bound to a specific host IP. Fixes #2598
2022-11-09 12:21:53 -05:00 · 2013-11-09 19:31:08 -08:00 · 2013-11-09 19:31:08 -08:00 · 8ba8783bcc
commit 8ba8783bcc
parent f26da9638f
1 changed files with 8 additions and 1 deletions
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
@ -55,9 +55,16 @@ func RemoveExistingChain(name string) error {
 }

 func (c *Chain) Forward(action Action, ip net.IP, port int, proto, dest_addr string, dest_port int) error {
+	daddr := ip.String()
+	if ip.IsUnspecified() {
+		// iptables interprets "0.0.0.0" as "0.0.0.0/32", whereas we
+		// want "0.0.0.0/0". "0/0" is correctly interpreted as "any
+		// value" by both iptables and ip6tables.
+		daddr = "0/0"
+	}
 	if output, err := Raw("-t", "nat", fmt.Sprint(action), c.Name,
 		"-p", proto,
-		"-d", ip.String(),
+		"-d", daddr,
 		"--dport", strconv.Itoa(port),
 		"!", "-i", c.Bridge,
 		"-j", "DNAT",