-rw-r--r-- | src/conntrack.c | 22 | ||||
-rw-r--r-- | tests/conntrack/testsuite/01delete | 5 | ||||
-rw-r--r-- | tests/conntrack/testsuite/02filter | 8 |
3 files changed, 32 insertions, 3 deletions
diff --git a/src/conntrack.c b/src/conntrack.c index a26fa60..db35b07 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -41,6 +41,7 @@ #include "conntrack.h" #include <stdio.h> +#include <assert.h> #include <getopt.h> #include <stdlib.h> #include <ctype.h> @@ -2171,6 +2172,7 @@ nfct_filter_init(const int family) { filter_family = family; if (options & CT_OPT_MASK_SRC) { + assert(family != AF_UNSPEC); if (!(options & CT_OPT_ORIG_SRC)) exit_error(PARAMETER_PROBLEM, "Can't use --mask-src without --src"); @@ -2178,6 +2180,7 @@ nfct_filter_init(const int family) } if (options & CT_OPT_MASK_DST) { + assert(family != AF_UNSPEC); if (!(options & CT_OPT_ORIG_DST)) exit_error(PARAMETER_PROBLEM, "Can't use --mask-dst without --dst"); @@ -2574,9 +2577,22 @@ int main(int argc, char *argv[]) } } - /* default family */ - if (family == AF_UNSPEC) - family = AF_INET; + /* default family only for the following commands */ + if (family == AF_UNSPEC) { + switch (command) { + case CT_LIST: + case CT_UPDATE: + case CT_DELETE: + case CT_GET: + case CT_FLUSH: + case CT_EVENT: + break; + default: + family = AF_INET; + break; + } + } + /* we cannot check this combination with generic_opt_check. */ if (options & CT_OPT_ANY_NAT && diff --git a/tests/conntrack/testsuite/01delete b/tests/conntrack/testsuite/01delete index 2755491..64dbb10 100644 --- a/tests/conntrack/testsuite/01delete +++ b/tests/conntrack/testsuite/01delete @@ -30,3 +30,8 @@ -D -s 1.1.1.0/24 -d 2.2.2.0/24 ; OK # try same command again but with CIDR (no matching found) -D -s 1.1.1.0/24 -d 2.2.2.0/24 ; BAD +# try to delete mismatching address family +-D -s ::1 -d 2.2.2.2 ; BAD +# try to delete IPv6 address without specifying IPv6 family +-I -s ::1 -d ::2 -p tcp --sport 20 --dport 10 --state LISTEN -u SEEN_REPLY -t 40 ; OK +-D -s ::1 ; OK diff --git a/tests/conntrack/testsuite/02filter b/tests/conntrack/testsuite/02filter index 91a75eb..d58637f 100644 --- a/tests/conntrack/testsuite/02filter 
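Review bot: In nfct_filter_init the new `assert(family != AF_UNSPEC);` is placed before the "Can't use --mask-src without --src" check, so if a mask option can reach this point before any address has fixed the family, the user gets an abort instead of the PARAMETER_PROBLEM message. The option parser is outside the hunk, so that path is unconfirmed. The assert is also compiled out when NDEBUG is defined, which leaves the AF_UNSPEC case unchecked in such builds. Consider moving the family check below the existing exit_error test and reporting it the same way, e.g. `if (family == AF_UNSPEC) exit_error(PARAMETER_PROBLEM, "Can't use --mask-src without an address family");`. The same applies to the `CT_OPT_MASK_DST` hunk that follows; the function body continues outside both hunks.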
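Review bot: The comment `/* default family only for the following commands */` in the main() hunk says the opposite of what the switch does: the listed cases `break` and keep AF_UNSPEC, while every other command falls to `default:` and gets AF_INET. Suggest `/* keep AF_UNSPEC for the commands below; all others default to IPv4 */`. Because CT_DELETE, CT_FLUSH and CT_UPDATE are in the list, an invocation with no family and no address presumably stops being IPv4-only, which changes which entries existing firewall scripts remove or modify. That deserves a line in the man page or release notes. main() starts and ends outside the hunk, so how later code treats AF_UNSPEC cannot be checked from here.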
+++ b/tests/conntrack/testsuite/02filter @@ -23,5 +23,13 @@ conntrack -L --mark 0/0xffffffff; OK conntrack -L -s 1.1.1.0 --mask-src 255.255.255.0 -d 2.0.0.0 --mask-dst 255.0.0.0 ; OK conntrack -L -s 1.1.1.4/24 -d 2.3.4.5/8 ; OK conntrack -L -s 1.1.2.0/24 -d 2.3.4.5/8 ; OK +# filter filter mismatching address family +conntrack -L -s 2.2.2.2 -d ::1 ; BAD +# filter by IPv6 address, it implicitly sets IPv6 family +conntrack -L -s ::1 ; OK +# filter by IPv6 address mask, it implicitly sets IPv6 family +conntrack -L -s abcd:abcd:abcd:: --mask-src ffff:ffff:ffff:: ; OK +# filter filter mismatching address family +conntrack -L --mask-src ffff:ffff:ffff:: --mask-dst 255.0.0.0 ; BAD # delete dummy conntrack -D -d 2.2.2.2 ; OK |
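Review bot: The cases added to 02filter do not exercise the situation the new asserts in nfct_filter_init sit in front of, namely a mask given without its address and without an explicit family. A case such as `conntrack -L --mask-src 255.255.255.0 ; BAD` would show whether that invocation ends in the parameter error or in an abort. The comment `# filter filter mismatching address family` appears twice with a doubled word; `# filter with mismatching address family` reads better.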