Diffstat (limited to 'src')
-rw-r--r-- | src/ctnl.c | 31 | ||||
-rw-r--r-- | src/filter.c | 8 |
2 files changed, 29 insertions, 10 deletions
@@ -211,14 +211,35 @@ out:
 return NFCT_CB_CONTINUE;
 }
 
+static const struct nf_conntrack *exp_get_master_ct(struct nf_expect *exp)
+{
+ struct nf_conntrack *master =
+ (struct nf_conntrack *)nfexp_get_attr(exp, ATTR_EXP_MASTER);
+
+ /* The function ct_filter_conntrack needs the source address of the
+ * reply tuple, emulate it.
+ */
+ switch (nfct_get_attr_u8(master, ATTR_L3PROTO)) {
+ case AF_INET:
+ nfct_set_attr_u32(master, ATTR_REPL_IPV4_SRC,
+ nfct_get_attr_u32(master, ATTR_IPV4_DST));
+ break;
+ case AF_INET6:
+ nfct_set_attr(master, ATTR_REPL_IPV6_SRC,
+ nfct_get_attr(master, ATTR_IPV6_DST));
+ break;
+ }
+
+ return master;
+}
+
 static int exp_event_handler(const struct nlmsghdr *nlh,
 enum nf_conntrack_msg_type type,
 struct nf_expect *exp, void *data)
 {
 int origin_type;
- const struct nf_conntrack *master =
- nfexp_get_attr(exp, ATTR_EXP_MASTER);
+ const struct nf_conntrack *master = exp_get_master_ct(exp);
 
 STATE(stats).nl_events_received++;
 
@@ -275,8 +296,7 @@ static int dump_handler(enum nf_conntrack_msg_type type,
 static int exp_dump_handler(enum nf_conntrack_msg_type type,
 struct nf_expect *exp, void *data)
 {
- const struct nf_conntrack *master =
- nfexp_get_attr(exp, ATTR_EXP_MASTER);
+ const struct nf_conntrack *master = exp_get_master_ct(exp);
 
 if (!exp_filter_find(STATE(exp_filter), exp))
 return NFCT_CB_CONTINUE;
@@ -309,8 +329,7 @@ static int get_handler(enum nf_conntrack_msg_type type,
 static int exp_get_handler(enum nf_conntrack_msg_type type,
 struct nf_expect *exp, void *data)
 {
- const struct nf_conntrack *master =
- nfexp_get_attr(exp, ATTR_EXP_MASTER);
+ const struct nf_conntrack *master = exp_get_master_ct(exp);
 
 if (!exp_filter_find(STATE(exp_filter), exp))
 return NFCT_CB_CONTINUE;
diff --git a/src/filter.c b/src/filter.c
index 02a8078..e21cfde 100644
--- a/src/filter.c
+++ b/src/filter.c
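Review bot: exp_get_master_ct() dereferences `master` in `nfct_get_attr_u8(master, ATTR_L3PROTO)` without checking it, and it writes to the object through a pointer obtained by casting away the `const` that nfexp_get_attr() returns; if the library hands back NULL when ATTR_EXP_MASTER is unset (which I believe it does), every expectation callback in this file now faults inside the helper instead of handing the caller a NULL it could check as before. A guard `if (master == NULL) return NULL;` between the cast and the switch keeps the old contract, and a `default: break;` arm makes it explicit that other L3 protocols return the master with no reply source synthesized. Since the write goes into the nf_expect's own master object, the synthesized ATTR_REPL_IPV4_SRC/ATTR_REPL_IPV6_SRC stays visible to anything that later reads ATTR_EXP_MASTER from the same exp, which deserves a header comment such as `/* Mutates exp's master in place: the reply source is copied from the original destination so ct_filter_conntrack() can evaluate it. */`. The same helper result is used in exp_dump_handler and exp_get_handler in the two hunks that follow, so the NULL behaviour applies there too.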
@@ -373,8 +373,8 @@ static inline int ct_filter_sanity_check(const struct nf_conntrack *ct)
 
 switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
 case AF_INET:
- if (!nfct_attr_is_set(ct, ATTR_IPV4_SRC) ||
- !nfct_attr_is_set(ct, ATTR_IPV4_DST)) {
+ if (!nfct_attr_is_set(ct, ATTR_ORIG_IPV4_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC)) {
 dlog(LOG_ERR, "missing IPv4 address. "
 "You forgot to load "
 "nf_conntrack_ipv4?");
@@ -382,8 +382,8 @@ static inline int ct_filter_sanity_check(const struct nf_conntrack *ct)
 }
 break;
 case AF_INET6:
- if (!nfct_attr_is_set(ct, ATTR_IPV6_SRC) ||
- !nfct_attr_is_set(ct, ATTR_IPV6_DST)) {
+ if (!nfct_attr_is_set(ct, ATTR_ORIG_IPV6_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV6_SRC)) {
 dlog(LOG_ERR, "missing IPv6 address. "
 "You forgot to load "
 "nf_conntrack_ipv6?");
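Review bot: The diagnostic on the lines right after the changed condition still says `missing IPv4 address. You forgot to load nf_conntrack_ipv4?`, but the condition now also fails when ATTR_REPL_IPV4_SRC alone is absent; if this check is reached for expectation masters (the ctnl.c hunk's comment suggests the filter is run on them), that attribute exists only because exp_get_master_ct() synthesized it, so a missing kernel module is no longer the only cause of this message (the IPv6 arm in the second hunk has the same issue). A one-line comment above the `if`, e.g. `/* REPL_*_SRC may be synthesized by exp_get_master_ct() for expectation masters */`, would save the next reader a detour. ct_filter_sanity_check() begins and ends outside both hunks.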