From 8ba8783bcc0ec3a0c5391445d52e2b2a9d0a3f8a Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Sat, 9 Nov 2013 19:31:08 -0800
Subject: [PATCH] Correctly express "any address" to iptables.

Iptables interprets "-d 0.0.0.0" as "-d 0.0.0.0/32", not /0. This results in the DNAT rule never matching any traffic if not bound to a specific host IP.

Fixes #2598
---
 iptables/iptables.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/iptables/iptables.go b/iptables/iptables.go
index 82ecf8bb5b..0438bcbd88 100644
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
@@ -55,9 +55,16 @@ func RemoveExistingChain(name string) error {
 }
 
 func (c *Chain) Forward(action Action, ip net.IP, port int, proto, dest_addr string, dest_port int) error {
+ daddr := ip.String()
+ if ip.IsUnspecified() {
+ // iptables interprets "0.0.0.0" as "0.0.0.0/32", whereas we
+ // want "0.0.0.0/0". "0/0" is correctly interpreted as "any
+ // value" by both iptables and ip6tables.
+ daddr = "0/0"
+ }
 if output, err := Raw("-t", "nat", fmt.Sprint(action), c.Name,
 "-p", proto,
- "-d", ip.String(),
+ "-d", daddr,
 "--dport", strconv.Itoa(port),
 "!", "-i", c.Bridge,
 "-j", "DNAT",
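Review bot: A nil `ip` still slips past the new guard at the top of Forward: `net.IP(nil).IsUnspecified()` is false and `ip.String()` yields `"<nil>"`, so the rule would be emitted as `-d <nil>` and rejected by iptables. If any caller passes a nil IP to mean "not bound to a host address" (the callers are not visible from this hunk), the check should read `if len(ip) == 0 || ip.IsUnspecified() {`. The added comment explains the `0/0` choice well; it would also help to state there that the resulting DNAT then matches traffic to every host address arriving on any non-bridge interface, which is the intended "publish on all addresses" semantics but is the widest match this rule can have. Forward's body continues past the end of the hunk.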