authorPablo Neira Ayuso <pablo@netfilter.org>2009-01-14 13:50:58 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2009-01-14 13:50:58 +0100
commitb176d7178aa929c4644bdfd0752cf531384447c9 (patch)
treee6c9f3c82c409c104a6b8df7a5584fc1e5846f99
parenta6281c6f10110bf64e51c04a37c0fe9f9508482e (diff)
filter: skip filtering by state if the event has no state info
This patch fixes a bug that may result in wrong filtering of destroy events which usually don't contain the state information. In that case, skip the filtering. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/filter.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/filter.c b/src/filter.c
index 4e24fb5..218ba0c 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -318,7 +318,8 @@ static int ct_filter_check(struct ct_filter *f, struct nf_conntrack *ct)
if (f->logic[CT_FILTER_STATE] != -1) {
ret = __ct_filter_test_state(f, ct);
- if (ret ^ f->logic[CT_FILTER_STATE])
+ /* ret is -1 if we don't know what to do */
+ if (ret != -1 && ret ^ f->logic[CT_FILTER_STATE])
return 0;
}
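Review bot: The new guard `if (ret != -1 && ret ^ f->logic[CT_FILTER_STATE])` makes the state filter fail open, and the comment above it ("we don't know what to do") does not say so: whenever `__ct_filter_test_state()` yields -1, this block no longer returns 0 for the event, whatever logic is configured. I would state that outright, e.g. `/* -1: event carries no state info (typically destroy events); skip the state filter rather than reject */`, so that an operator or maintainer who reads a state filter as an allow-list knows stateless events are not stopped here. The -1 contract is inferred from the commit message and the added comment, since `__ct_filter_test_state()` is not in the hunk. The same literal -1 also means "logic unset" in the `if` two lines above, so a named constant for the "no state" result would keep the two meanings apart, and parenthesising `(ret ^ f->logic[CT_FILTER_STATE])` would make the precedence explicit. `ct_filter_check()` starts and ends outside the hunk.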