From cda212571533762c525df18fdcf361a93a1a2c31 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 11 Dec 2008 19:58:55 +0100
Subject: netlink: build TCP flags/mask only if this is a TCP connection

This patch includes the TCP flag/mask attributes if this is a TCP
connection, otherwise do not include.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/netlink.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'src/netlink.c')

diff --git a/src/netlink.c b/src/netlink.c
index 29281f4..2fabd8d 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -192,7 +192,6 @@ int nl_get_conntrack(struct nfct_handle *h, const struct nf_conntrack *ct)
 int nl_create_conntrack(struct nfct_handle *h, const struct nf_conntrack *orig)
 {
 	int ret;
-	uint8_t flags;
 	struct nf_conntrack *ct;
 
 	ct = nfct_clone(orig);
@@ -211,11 +210,14 @@ int nl_create_conntrack(struct nfct_handle *h, const struct nf_conntrack *orig)
 	/*
 	 * TCP flags to overpass window tracking for recovered connections
 	 */
-	flags = IP_CT_TCP_FLAG_BE_LIBERAL | IP_CT_TCP_FLAG_SACK_PERM;
-	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
-	nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
-	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
-	nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
+	if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) {
+		uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL |
+				IP_CT_TCP_FLAG_SACK_PERM;
+		nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
+		nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
+		nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
+		nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
+	}
 
 	ret = nfct_query(h, NFCT_Q_CREATE, ct);
 	nfct_destroy(ct);
-- 
cgit v1.2.3