From 73da80df0c3cf4175662b3da4dfbd3574d34f96a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 11 Feb 2010 11:56:37 +0100
Subject: conntrackd: fix UDP filtering in configuration file

UDP filtering was broken during the addition of the UDP-based synchronization protocol that was introduced in 0.9.14. This patch fixes the problem.

Signed-off-by: Pablo Neira Ayuso
---
 doc/stats/conntrackd.conf | 1 +
 doc/sync/alarm/conntrackd.conf | 1 +
 doc/sync/ftfw/conntrackd.conf | 1 +
 doc/sync/notrack/conntrackd.conf | 1 +
 src/read_config_yy.y | 19 +++++++++++++++++++
 5 files changed, 23 insertions(+)

diff --git a/doc/stats/conntrackd.conf b/doc/stats/conntrackd.conf
index 0941f64..22556a0 100644
--- a/doc/stats/conntrackd.conf
+++ b/doc/stats/conntrackd.conf
@@ -81,6 +81,7 @@ General {
 #
 Protocol Accept {
 TCP
+ # UDP
 }
 #
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 3424e39..9b7d8c6 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -332,6 +332,7 @@ General {
 TCP
 SCTP
 DCCP
+ # UDP
 # ICMP # This requires a Linux kernel >= 2.6.31
 }
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index df10aca..877ed68 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -357,6 +357,7 @@ General {
 TCP
 SCTP
 DCCP
+ # UDP
 # ICMP # This requires a Linux kernel >= 2.6.31
 }
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index f8bccc4..693209a 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -394,6 +394,7 @@ General {
 TCP
 SCTP
 DCCP
+ # UDP
 # ICMP # This requires a Linux kernel >= 2.6.31
 }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 6dfca98..5f4e6be 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1221,6 +1221,25 @@ filter_protocol_item : T_TCP
 pent->p_proto);
 };
+filter_protocol_item : T_UDP
+{
+ struct protoent *pent;
+
+ pent = getprotobyname("udp");
+ if (pent == NULL) {
+ print_err(CTD_CFG_WARN, "getprotobyname() cannot find "
+ "protocol `udp' in /etc/protocols");
+ break;
+ }
+ ct_filter_add_proto(STATE(us_filter), pent->p_proto);
+
+ __kernel_filter_start();
+
+ nfct_filter_add_attr_u32(STATE(filter),
+ NFCT_FILTER_L4PROTO,
+ pent->p_proto);
+};
+
 filter_item : T_ADDRESS T_ACCEPT '{' filter_address_list '}'
 {
 ct_filter_set_logic(STATE(us_filter),
-- 
cgit v1.2.3
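Review bot: When `getprotobyname("udp")` returns NULL the new T_UDP action only logs at CTD_CFG_WARN and `break`s out, so on a host without a `udp` entry in /etc/protocols (a stripped-down firewall image or a chroot, say) the Protocol filter is built without UDP in both `STATE(us_filter)` and the kernel-side `STATE(filter)`, and conntrackd presumably keeps running with a filter that differs from what the configuration file states. The protocol number is fixed, so the lookup can be dropped: `ct_filter_add_proto(STATE(us_filter), IPPROTO_UDP);` and `IPPROTO_UDP` as the last argument of `nfct_filter_add_attr_u32()`, assuming `<netinet/in.h>` is already included in this file, which the hunk does not show. If the lookup stays, a short comment such as `/* break leaves the bison action; UDP is then NOT part of the filter */` would make the degraded result explicit. The action also appears to repeat the T_TCP action whose tail is visible in the context lines, so a shared helper taking the protocol name would keep the two from drifting apart.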