From 2719bd93ad5f589139d8ede0726fa6a2ef2eb321 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 14 Dec 2011 23:55:47 +0100
Subject: conntrackd: relax checkings in ct_filter_sanity_check

This is required to prepare the expectation support.

The master, expect and mask objects that are part of the
conntrack object do not have any reply information. This
allows the expectation support to re-use the existing
filtering infrastructure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/filter.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/filter.c b/src/filter.c
index 7c4ddc1..746a9bb 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -373,9 +373,7 @@ static inline int ct_filter_sanity_check(const struct nf_conntrack *ct)
 	switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
 	case AF_INET:
 		if (!nfct_attr_is_set(ct, ATTR_IPV4_SRC) ||
-		    !nfct_attr_is_set(ct, ATTR_IPV4_DST) ||
-		    !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC) ||
-		    !nfct_attr_is_set(ct, ATTR_REPL_IPV4_DST)) {
+		    !nfct_attr_is_set(ct, ATTR_IPV4_DST)) {
 		    	dlog(LOG_ERR, "missing IPv4 address. "
 				      "You forgot to load "
 				      "nf_conntrack_ipv4?");
@@ -384,9 +382,7 @@ static inline int ct_filter_sanity_check(const struct nf_conntrack *ct)
 		break;
 	case AF_INET6:
 		if (!nfct_attr_is_set(ct, ATTR_IPV6_SRC) ||
-		    !nfct_attr_is_set(ct, ATTR_IPV6_DST) ||
-		    !nfct_attr_is_set(ct, ATTR_REPL_IPV6_SRC) ||
-		    !nfct_attr_is_set(ct, ATTR_REPL_IPV6_DST)) {
+		    !nfct_attr_is_set(ct, ATTR_IPV6_DST)) {
 		    	dlog(LOG_ERR, "missing IPv6 address. "
 				      "You forgot to load "
 				      "nf_conntrack_ipv6?");
-- 
cgit v1.2.3