author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-10-27 13:28:23 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-10-27 15:12:42 +0100 |
commit | 4edc838408a34a8958671103e7446ddc2dae918b (patch) | |
tree | a6859c5dc14f4bdb54695e85fd1927fc1a99e95e /src | |
parent | a08af5d26297eb85218a3c3a9e0991001a88cf10 (diff) |
conntrack: default to unspec family for dualstack setups
2bcbae4c14b2 ("conntrack: -f family filter does not work") restored the
fallback to IPv4 if -f is not specified, which was the original
behaviour.
This patch modifies the default to use the unspec family if -f is not
specified for the following ct commands:
- list
- update
- delete
- get
(these two commands below do not support -f though, but in case this is
extended in the future to support it):
- flush
- event
The existing code that parses IPv4 and IPv6 addresses already infers the
family, which simplifies the introduction of this update.
The expect commands are not updated, they still require many mandatory
options for filtering.
This patch includes a few test updates too.
Based on patch from Mikhail Sennikovsky.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/conntrack.c | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/src/conntrack.c b/src/conntrack.c index a26fa60..db35b07 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -41,6 +41,7 @@ #include "conntrack.h" #include <stdio.h> +#include <assert.h> #include <getopt.h> #include <stdlib.h> #include <ctype.h> @@ -2171,6 +2172,7 @@ nfct_filter_init(const int family) { filter_family = family; if (options & CT_OPT_MASK_SRC) { + assert(family != AF_UNSPEC); if (!(options & CT_OPT_ORIG_SRC)) exit_error(PARAMETER_PROBLEM, "Can't use --mask-src without --src"); @@ -2178,6 +2180,7 @@ nfct_filter_init(const int family) } if (options & CT_OPT_MASK_DST) { + assert(family != AF_UNSPEC); if (!(options & CT_OPT_ORIG_DST)) exit_error(PARAMETER_PROBLEM, "Can't use --mask-dst without --dst"); @@ -2574,9 +2577,22 @@ int main(int argc, char *argv[]) } } - /* default family */ - if (family == AF_UNSPEC) - family = AF_INET; + /* default family only for the following commands */ + if (family == AF_UNSPEC) { + switch (command) { + case CT_LIST: + case CT_UPDATE: + case CT_DELETE: + case CT_GET: + case CT_FLUSH: + case CT_EVENT: + break; + default: + family = AF_INET; + break; + } + } + /* we cannot check this combination with generic_opt_check. */ if (options & CT_OPT_ANY_NAT && |
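Review bot: In the two nfct_filter_init() hunks, `assert(family != AF_UNSPEC);` sits ahead of the "Can't use --mask-src without --src" and "Can't use --mask-dst without --dst" checks, so if command-line input can reach this point with the family still unspecified, the user gets an abort instead of the PARAMETER_PROBLEM message. In a build with NDEBUG defined the assert is compiled out and `filter_family` is simply left as AF_UNSPEC. Since main() now lets AF_UNSPEC through for list, update, delete, get, flush and event, I'd suggest reporting this condition through exit_error() like the neighbouring checks and placing it after them, or adding a comment that says why the family is guaranteed to be set whenever a mask option is present.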
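Review bot: The new comment in the main() hunk, `/* default family only for the following commands */`, reads as the opposite of what the switch does: the listed cases (CT_LIST through CT_EVENT) `break` and keep AF_UNSPEC, while `default:` is the branch that assigns AF_INET. Suggest rewording it along the lines of "keep AF_UNSPEC for the following commands, default to AF_INET otherwise". The commit message also says flush and event do not support -f yet; a short comment next to `case CT_FLUSH:` and `case CT_EVENT:` noting that would keep the reason visible in the code.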