summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2011-12-14 23:55:47 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2012-01-10 01:54:45 +0100
commit2719bd93ad5f589139d8ede0726fa6a2ef2eb321 (patch)
tree225497562af288b6d763811c6ddb1887219d470c
parentf33b72ca969994384a5db6122f8c85e62cfc46ce (diff)
conntrackd: relax checkings in ct_filter_sanity_check
This is required to prepare the expectation support. The master, expect and mask objects that are part of the conntrack object do not have any reply information. This allows the expectation support to re-use the existing filtering infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/filter.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/src/filter.c b/src/filter.c
index 7c4ddc1..746a9bb 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -373,9 +373,7 @@ static inline int ct_filter_sanity_check(const struct nf_conntrack *ct)
switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
case AF_INET:
if (!nfct_attr_is_set(ct, ATTR_IPV4_SRC) ||
- !nfct_attr_is_set(ct, ATTR_IPV4_DST) ||
- !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC) ||
- !nfct_attr_is_set(ct, ATTR_REPL_IPV4_DST)) {
+ !nfct_attr_is_set(ct, ATTR_IPV4_DST)) {
dlog(LOG_ERR, "missing IPv4 address. "
"You forgot to load "
"nf_conntrack_ipv4?");
@@ -384,9 +382,7 @@ static inline int ct_filter_sanity_check(const struct nf_conntrack *ct)
break;
case AF_INET6:
if (!nfct_attr_is_set(ct, ATTR_IPV6_SRC) ||
- !nfct_attr_is_set(ct, ATTR_IPV6_DST) ||
- !nfct_attr_is_set(ct, ATTR_REPL_IPV6_SRC) ||
- !nfct_attr_is_set(ct, ATTR_REPL_IPV6_DST)) {
+ !nfct_attr_is_set(ct, ATTR_IPV6_DST)) {
dlog(LOG_ERR, "missing IPv6 address. "
"You forgot to load "
"nf_conntrack_ipv6?");