summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--extensions/libxt_conntrack.c17
-rw-r--r--extensions/libxt_conntrack.t2
2 files changed, 10 insertions, 9 deletions
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 09548c29..ffbc7467 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -346,14 +346,13 @@ static void conntrack_parse(struct xt_option_call *cb)
sinfo->invflags |= XT_CONNTRACK_STATE;
break;
case O_CTPROTO:
+ if (cb->val.protocol == 0)
+ xtables_error(PARAMETER_PROBLEM, cb->invert ?
+ "condition would always match protocol" :
+ "rule would never match protocol");
sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol;
if (cb->invert)
sinfo->invflags |= XT_CONNTRACK_PROTO;
- if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
- && (sinfo->invflags & XT_INV_PROTO))
- xtables_error(PARAMETER_PROBLEM,
- "rule would never match protocol");
-
sinfo->flags |= XT_CONNTRACK_PROTO;
break;
case O_CTORIGSRC:
@@ -411,11 +410,11 @@ static void conntrack_mt_parse(struct xt_option_call *cb, uint8_t rev)
info->invert_flags |= XT_CONNTRACK_STATE;
break;
case O_CTPROTO:
+ if (cb->val.protocol == 0)
+ xtables_error(PARAMETER_PROBLEM, cb->invert ?
+ "conntrack: condition would always match protocol" :
+ "conntrack: rule would never match protocol");
info->l4proto = cb->val.protocol;
- if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
- xtables_error(PARAMETER_PROBLEM, "conntrack: rule would "
- "never match protocol");
-
info->match_flags |= XT_CONNTRACK_PROTO;
if (cb->invert)
info->invert_flags |= XT_CONNTRACK_PROTO;
diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t
index db531475..2b3c5de9 100644
--- a/extensions/libxt_conntrack.t
+++ b/extensions/libxt_conntrack.t
@@ -25,3 +25,5 @@
-m conntrack --ctstatus EXPECTED;=;OK
-m conntrack --ctstatus SEEN_REPLY;=;OK
-m conntrack;;FAIL
+-m conntrack --ctproto 0;;FAIL
+-m conntrack ! --ctproto 0;;FAIL