-rw-r--r--src/conntrack.c22
-rw-r--r--tests/conntrack/testsuite/01delete5
-rw-r--r--tests/conntrack/testsuite/02filter8
3 files changed, 32 insertions, 3 deletions
diff --git a/src/conntrack.c b/src/conntrack.c
index a26fa60..db35b07 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -41,6 +41,7 @@
#include "conntrack.h"
#include <stdio.h>
+#include <assert.h>
#include <getopt.h>
#include <stdlib.h>
#include <ctype.h>
@@ -2171,6 +2172,7 @@ nfct_filter_init(const int family)
{
filter_family = family;
if (options & CT_OPT_MASK_SRC) {
+ assert(family != AF_UNSPEC);
if (!(options & CT_OPT_ORIG_SRC))
exit_error(PARAMETER_PROBLEM,
"Can't use --mask-src without --src");
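Review bot: The `assert(family != AF_UNSPEC)` added under `CT_OPT_MASK_SRC` guards a condition derived from command-line input, and it runs before the `--mask-src without --src` check. In a build with NDEBUG the assert is compiled out and the code after it (outside this hunk) would run with an unspecified family, while in other builds a bad option combination would abort instead of producing the usual `PARAMETER_PROBLEM` message. If mask parsing always sets the family this cannot trigger, but that is not visible here, so I would make it an explicit check such as `if (family == AF_UNSPEC) exit_error(PARAMETER_PROBLEM, "Can't use --mask-src without an address family");`, or at least move the assert below the `--src` check. The same applies to the `CT_OPT_MASK_DST` hunk that follows. The body of nfct_filter_init continues outside both hunks.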
@@ -2178,6 +2180,7 @@ nfct_filter_init(const int family)
}
if (options & CT_OPT_MASK_DST) {
+ assert(family != AF_UNSPEC);
if (!(options & CT_OPT_ORIG_DST))
exit_error(PARAMETER_PROBLEM,
"Can't use --mask-dst without --dst");
@@ -2574,9 +2577,22 @@ int main(int argc, char *argv[])
}
}
- /* default family */
- if (family == AF_UNSPEC)
- family = AF_INET;
+ /* default family only for the following commands */
+ if (family == AF_UNSPEC) {
+ switch (command) {
+ case CT_LIST:
+ case CT_UPDATE:
+ case CT_DELETE:
+ case CT_GET:
+ case CT_FLUSH:
+ case CT_EVENT:
+ break;
+ default:
+ family = AF_INET;
+ break;
+ }
+ }
+
/* we cannot check this combination with generic_opt_check. */
if (options & CT_OPT_ANY_NAT &&
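Review bot: The comment `/* default family only for the following commands */` reads as the opposite of what the switch does: the listed commands (`CT_LIST` through `CT_EVENT`) keep `AF_UNSPEC`, and every other command falls to `default:` and gets `AF_INET`. I would reword it to `/* these commands keep AF_UNSPEC; all others default to IPv4 */`. Because `CT_DELETE` and `CT_FLUSH` are in the list, an invocation without a family presumably is no longer confined to IPv4 entries, so scripts that relied on the old default may remove more state than before; that behaviour change deserves a line in the comment or the man page. main() starts and ends outside this hunk.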
diff --git a/tests/conntrack/testsuite/01delete b/tests/conntrack/testsuite/01delete
index 2755491..64dbb10 100644
--- a/tests/conntrack/testsuite/01delete
+++ b/tests/conntrack/testsuite/01delete
@@ -30,3 +30,8 @@
-D -s 1.1.1.0/24 -d 2.2.2.0/24 ; OK
# try same command again but with CIDR (no matching found)
-D -s 1.1.1.0/24 -d 2.2.2.0/24 ; BAD
+# try to delete mismatching address family
+-D -s ::1 -d 2.2.2.2 ; BAD
+# try to delete IPv6 address without specifying IPv6 family
+-I -s ::1 -d ::2 -p tcp --sport 20 --dport 10 --state LISTEN -u SEEN_REPLY -t 40 ; OK
+-D -s ::1 ; OK
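Review bot: The new IPv6 delete case does not confirm that the entry inserted on the line before it is gone afterwards. The earlier case in this hunk repeats the delete and expects `BAD`; adding `-D -s ::1 ; BAD` after the last line would pin that the family-less delete matched and removed the IPv6 entry, and that no state is left behind for later cases.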
diff --git a/tests/conntrack/testsuite/02filter b/tests/conntrack/testsuite/02filter
index 91a75eb..d58637f 100644
--- a/tests/conntrack/testsuite/02filter
+++ b/tests/conntrack/testsuite/02filter
@@ -23,5 +23,13 @@ conntrack -L --mark 0/0xffffffff; OK
conntrack -L -s 1.1.1.0 --mask-src 255.255.255.0 -d 2.0.0.0 --mask-dst 255.0.0.0 ; OK
conntrack -L -s 1.1.1.4/24 -d 2.3.4.5/8 ; OK
conntrack -L -s 1.1.2.0/24 -d 2.3.4.5/8 ; OK
+# filter filter mismatching address family
+conntrack -L -s 2.2.2.2 -d ::1 ; BAD
+# filter by IPv6 address, it implicitly sets IPv6 family
+conntrack -L -s ::1 ; OK
+# filter by IPv6 address mask, it implicitly sets IPv6 family
+conntrack -L -s abcd:abcd:abcd:: --mask-src ffff:ffff:ffff:: ; OK
+# filter filter mismatching address family
+conntrack -L --mask-src ffff:ffff:ffff:: --mask-dst 255.0.0.0 ; BAD
# delete dummy
conntrack -D -d 2.2.2.2 ; OK
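Review bot: Both new `# filter filter mismatching address family` comments carry a doubled word, and the second one covers mismatching masks rather than addresses; I would write `# filter by mismatching address family` and `# filter by mismatching address family in masks`. The cases also leave out a mask given without its address on a family-less command, e.g. `conntrack -L --mask-src 255.255.255.0 ; BAD`. That is the path where the new assertions in nfct_filter_init sit in front of the parameter check, so it is worth pinning that it ends in a clean error.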