From 4d33cd57a4a2c51fe30249aa5bc4f6137f8962bb Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Wed, 26 Feb 2020 12:58:54 -0500 Subject: [PATCH 149/154] fix: ipXtables: remove square brackets from IPv6 addresses (cherry picked from commit 75f198ad73915567e1fd9df50104f55da209d06a) (cherry picked from commit f47eae6a61f24784588741e5517889201d796e42) --- src/firewall/core/ipXtables.py | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py index 8f39fecc6132..f68b2bae8f3a 100644 --- a/src/firewall/core/ipXtables.py +++ b/src/firewall/core/ipXtables.py @@ -26,7 +26,7 @@ from firewall.core.base import SHORTCUTS, DEFAULT_ZONE_TARGET from firewall.core.prog import runProg from firewall.core.logger import log from firewall.functions import tempFile, readfile, splitArgs, check_mac, portStr, \ - check_single_address + check_single_address, check_address, normalizeIP6 from firewall import config from firewall.errors import FirewallError, INVALID_PASSTHROUGH, INVALID_RULE from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark @@ -752,6 +752,11 @@ class ip4tables(object): "-m", "mac", "--mac-source", address.upper(), action, target ] else: + if check_single_address("ipv6", address): + address = normalizeIP6(address) + elif check_address("ipv6", address): + addr_split = address.split("/") + address = normalizeIP6(addr_split[0]) + "/" + addr_split[1] rule = [ add_del, zone_dispatch_chain, "%%ZONE_SOURCE%%", zone, "-t", table, 
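Review bot: The IPv6 bracket-stripping added in the `@@ -752,6 +752,11 @@` hunk is repeated almost verbatim in the rich-rule destination and source hunks (`@@ -883,7 +888,13 @@` and `@@ -895,7 +906,13 @@`), so the next code path that builds a `-s`/`-d` argument can easily miss it and presumably pass a bracketed address through to the rule. A single module-level helper would keep every address argument normalized the same way and give tests one place to pin the bracketed, masked and IPv4 cases. In all three copies `split("/")` followed by `addr_split[1]` silently drops anything after a second slash; that is harmless only if `check_address` already rejects such input, which is not visible here, so splitting once is the safer form. The enclosing method starts and ends outside the hunk, and the helper name below is only a suggestion.

```python
def _normalize_ipv6_arg(address):
    """Strip square brackets from an IPv6 address or address/prefix; return anything else unchanged."""
    if check_single_address("ipv6", address):
        return normalizeIP6(address)
    if check_address("ipv6", address):
        # split once so the prefix part is carried over whole
        addr, _, prefix = address.partition("/")
        return normalizeIP6(addr) + "/" + prefix
    return address

# … unchanged: mac-source branch of the zone source rule …
            else:
                address = _normalize_ipv6_arg(address)
```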
@@ -883,7 +888,13 @@ class ip4tables(object):
 rule_fragment = []
 if rich_dest.invert:
 rule_fragment.append("!")
- rule_fragment += [ "-d", rich_dest.addr ]
+ if check_single_address("ipv6", rich_dest.addr):
+ rule_fragment += [ "-d", normalizeIP6(rich_dest.addr) ]
+ elif check_address("ipv6", rich_dest.addr):
+ addr_split = rich_dest.addr.split("/")
+ rule_fragment += [ "-d", normalizeIP6(addr_split[0]) + "/" + addr_split[1] ]
+ else:
+ rule_fragment += [ "-d", rich_dest.addr ]
 return rule_fragment
@@ -895,7 +906,13 @@ class ip4tables(object):
 if rich_source.addr:
 if rich_source.invert:
 rule_fragment.append("!")
- rule_fragment += [ "-s", rich_source.addr ]
+ if check_single_address("ipv6", rich_source.addr):
+ rule_fragment += [ "-s", normalizeIP6(rich_source.addr) ]
+ elif check_address("ipv6", rich_source.addr):
+ addr_split = rich_source.addr.split("/")
+ rule_fragment += [ "-s", normalizeIP6(addr_split[0]) + "/" + addr_split[1] ]
+ else:
+ rule_fragment += [ "-s", rich_source.addr ]
 elif hasattr(rich_source, "mac") and rich_source.mac:
 rule_fragment += [ "-m", "mac" ]
 if rich_source.invert:
@@ -1042,7 +1059,7 @@ class ip4tables(object):
 to = ""
 if toaddr:
 if check_single_address("ipv6", toaddr):
- to += "[%s]" % toaddr
+ to += "[%s]" % normalizeIP6(toaddr)
 else:
 to += toaddr
 if toport and toport != "":
--
2.25.2
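Review bot: In the `@@ -1042,7 +1059,7 @@` hunk, `"[%s]" % normalizeIP6(toaddr)` strips the brackets only to put them straight back, which reads like a mistake unless the reason is written down. A one-line comment above it would help, for example `# toaddr may already be bracketed; normalize first so the result is never "[[addr]]"`. This branch covers only a single IPv6 address, and the `else:` path still appends `toaddr` as given; whether a bracketed value can reach that path depends on validation outside the hunk. The enclosing method begins and ends outside the hunk.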