netfilter: use ipv4 iptables rules to block IPv4-mapped IPv6 addresses

If ipv6 socket has an IPv4-mapped address, it is used to handle ipv4 connection, so we have to use ipv4 iptables rules to block this connection. Reported-by: Mr Jenkins Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>

netfilter: use ipv4 iptables rules to block IPv4-mapped IPv6 addresses
If ipv6 socket has an IPv4-mapped address, it is used to handle ipv4 connection, so we have to use ipv4 iptables rules to block this connection. Reported-by: Mr Jenkins Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
dc384c0e · Andrei Vagin · c31d423e · dc384c0e
Commit dc384c0e authored Nov 27, 2017 by Andrei Vagin
Show whitespace changes
Inline Side-by-side

Showing with 12 additions and 0 deletions

netfilter.c criu/netfilter.c +12 -0

No files found.
--- a/criu/netfilter.c
+++ b/criu/netfilter.c
@@ -47,6 +47,12 @@ void preload_netfilter_modules(void)
 	close_safe(&fd);
 }
+/* IPv4-Mapped IPv6 Addresses */
+static int ipv6_addr_mapped(u32 *addr)
+{
+	return (addr[2] == htonl(0x0000ffff));
+}
 static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 						u32 *dst_addr, u16 dst_port,
 						bool input, bool lock)
@@ -56,6 +62,12 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
 	char *argv[4] = { "sh", "-c", buf, NULL };
 	int ret;
+	if (family == AF_INET6 && ipv6_addr_mapped(dst_addr)) {
+		family = AF_INET;
+		src_addr = &src_addr[3];
+		dst_addr = &dst_addr[3];
+	}
 	switch (family) {
 	case AF_INET:
 		cmd = iptable_cmd_ipv4;