-rw-r--r--Make_global.am2
-rw-r--r--src/ctnl.c31
-rw-r--r--src/filter.c8
3 files changed, 30 insertions, 11 deletions
diff --git a/Make_global.am b/Make_global.am
index 23c7dd0..8084249 100644
--- a/Make_global.am
+++ b/Make_global.am
@@ -1,7 +1,7 @@
AM_CPPFLAGS = -I$(top_srcdir)/include
AM_CFLAGS = -std=gnu99 -W -Wall \
- -Wmissing-prototypes -Wwrite-strings -Wcast-qual -Wfloat-equal -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wstrict-prototypes -Wundef \
+ -Wmissing-prototypes -Wwrite-strings -Wfloat-equal -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wstrict-prototypes -Wundef \
-Wno-unused-parameter ${LIBNFNETLINK_CFLAGS} ${LIBMNL_CFLAGS} \
${LIBNETFILTER_CONNTRACK_CFLAGS} \
${LIBNETFILTER_CTTIMEOUT_CFLAGS} \
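Review bot: Removing `-Wcast-qual` from `AM_CFLAGS` turns off the qualifier-discarding-cast warning for every file in the tree, and the only visible reason is the `(struct nf_conntrack *)` cast added in `exp_get_master_ct` in src/ctnl.c. Keeping the flag and scoping the exception to that one function, for example with `#pragma GCC diagnostic push`, `#pragma GCC diagnostic ignored "-Wcast-qual"` and `#pragma GCC diagnostic pop` around it, would preserve the check everywhere else. If the helper can work on a copy of the master conntrack instead of casting, the flag would not need to change at all.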
diff --git a/src/ctnl.c b/src/ctnl.c
index bb54727..9e1cfa1 100644
--- a/src/ctnl.c
+++ b/src/ctnl.c
@@ -211,14 +211,35 @@ out:
return NFCT_CB_CONTINUE;
}
+static const struct nf_conntrack *exp_get_master_ct(struct nf_expect *exp)
+{
+ struct nf_conntrack *master =
+ (struct nf_conntrack *)nfexp_get_attr(exp, ATTR_EXP_MASTER);
+
+ /* The function ct_filter_conntrack needs the source address of the
+ * reply tuple, emulate it.
+ */
+ switch (nfct_get_attr_u8(master, ATTR_L3PROTO)) {
+ case AF_INET:
+ nfct_set_attr_u32(master, ATTR_REPL_IPV4_SRC,
+ nfct_get_attr_u32(master, ATTR_IPV4_DST));
+ break;
+ case AF_INET6:
+ nfct_set_attr(master, ATTR_REPL_IPV6_SRC,
+ nfct_get_attr(master, ATTR_IPV6_DST));
+ break;
+ }
+
+ return master;
+}
+
static int exp_event_handler(const struct nlmsghdr *nlh,
enum nf_conntrack_msg_type type,
struct nf_expect *exp,
void *data)
{
int origin_type;
- const struct nf_conntrack *master =
- nfexp_get_attr(exp, ATTR_EXP_MASTER);
+ const struct nf_conntrack *master = exp_get_master_ct(exp);
STATE(stats).nl_events_received++;
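Review bot: `exp_get_master_ct` passes the result of `nfexp_get_attr(exp, ATTR_EXP_MASTER)` straight to `nfct_get_attr_u8` without a NULL check, and it copies the destination address into the reply source without checking that the destination is set. If an expectation can arrive without a master, or a master without `ATTR_IPV4_DST`/`ATTR_IPV6_DST`, this either hands a null pointer to the library or stores a zero or NULL address that then satisfies the `ATTR_REPL_*_SRC` test in `ct_filter_sanity_check`, so the filter would decide on a fabricated address. I would add `if (master == NULL) return NULL;` after the lookup and guard each copy with `if (nfct_attr_is_set(master, ATTR_IPV4_DST))` and the IPv6 equivalent. The helper also writes into the expectation's own master object through a cast that drops `const`, and `exp_dump_handler` and `exp_get_handler` call it before `exp_filter_find`, so a comment stating that this in-place mutation is intended would help. The body of `exp_event_handler` continues outside the hunk.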
@@ -275,8 +296,7 @@ static int dump_handler(enum nf_conntrack_msg_type type,
static int exp_dump_handler(enum nf_conntrack_msg_type type,
struct nf_expect *exp, void *data)
{
- const struct nf_conntrack *master =
- nfexp_get_attr(exp, ATTR_EXP_MASTER);
+ const struct nf_conntrack *master = exp_get_master_ct(exp);
if (!exp_filter_find(STATE(exp_filter), exp))
return NFCT_CB_CONTINUE;
@@ -309,8 +329,7 @@ static int get_handler(enum nf_conntrack_msg_type type,
static int exp_get_handler(enum nf_conntrack_msg_type type,
struct nf_expect *exp, void *data)
{
- const struct nf_conntrack *master =
- nfexp_get_attr(exp, ATTR_EXP_MASTER);
+ const struct nf_conntrack *master = exp_get_master_ct(exp);
if (!exp_filter_find(STATE(exp_filter), exp))
return NFCT_CB_CONTINUE;
diff --git a/src/filter.c b/src/filter.c
index 02a8078..e21cfde 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -373,8 +373,8 @@ static inline int ct_filter_sanity_check(const struct nf_conntrack *ct)
switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
case AF_INET:
- if (!nfct_attr_is_set(ct, ATTR_IPV4_SRC) ||
- !nfct_attr_is_set(ct, ATTR_IPV4_DST)) {
+ if (!nfct_attr_is_set(ct, ATTR_ORIG_IPV4_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC)) {
dlog(LOG_ERR, "missing IPv4 address. "
"You forgot to load "
"nf_conntrack_ipv4?");
@@ -382,8 +382,8 @@ static inline int ct_filter_sanity_check(const struct nf_conntrack *ct)
}
break;
case AF_INET6:
- if (!nfct_attr_is_set(ct, ATTR_IPV6_SRC) ||
- !nfct_attr_is_set(ct, ATTR_IPV6_DST)) {
+ if (!nfct_attr_is_set(ct, ATTR_ORIG_IPV6_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV6_SRC)) {
dlog(LOG_ERR, "missing IPv6 address. "
"You forgot to load "
"nf_conntrack_ipv6?");