diff options
| author | Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> | 2013-06-26 13:37:07 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-06-27 19:36:31 +0200 |
| commit | a88ee46645f4c5db0bf5653c5f2df8eff573e534 (patch) | |
| tree | 3e9d62e936b46996f58344894a72176a4d3369a6 /src | |
| parent | 6257f80b75f39730721df88256b698a8522f8857 (diff) | |
ct: xml: add extra dir check
This patch adds an extra dir check.
0 means original.
1 means a reply.
Pablo decided not to include nf_conntrack_tuple_common.h, instead internally
defined them.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/expr/ct.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/expr/ct.c b/src/expr/ct.c index 61a8fef..c6d11c9 100644 --- a/src/expr/ct.c +++ b/src/expr/ct.c @@ -27,6 +27,9 @@ struct nft_expr_ct { uint8_t dir; }; +#define IP_CT_DIR_ORIGINAL 0 +#define IP_CT_DIR_REPLY 1 + static int nft_rule_expr_ct_set(struct nft_rule_expr *e, uint16_t type, const void *data, size_t data_len) @@ -202,6 +205,9 @@ static int nft_rule_expr_ct_xml_parse(struct nft_rule_expr *e, char *xml) if (tmp > UINT8_MAX || tmp < 0 || *endptr) goto err; + if (tmp != IP_CT_DIR_ORIGINAL && tmp != IP_CT_DIR_REPLY) + goto err; + ct->dir = tmp; e->flags |= (1 << NFT_EXPR_CT_DIR); |