authorPablo Neira Ayuso <pablo@netfilter.org>2010-07-01 15:11:47 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2010-07-01 15:11:47 +0200
commitf29be5ece1f9a0381afc9d58027b0bc4509ba479 (patch)
tree64cda2d666b678d6be6d6df9b65a22ba62f25b57
parentdfbc66f375e1945e7f65a0478cd25f851efae355 (diff)
conntrack: fix bogus NATted flows in filtering
With this patch, conntrack no longer shows bogus entries that have no NAT applied, which were listed due to relaxed checking. conntrack -L --src-nat :80 tcp 6 342824 ESTABLISHED src=XX.214.188.80 dst=66.XX.7.180 sport=80 dport=13749 packets=4 bytes=6000 [UNREPLIED] src=66.XX.7.180 dst=XX.214.188.80 sport=13749 dport=80 packets=0 bytes=0 mark=0 secmark=0 use=1 conntrack v0.9.14 (conntrack-tools): 1 flow entries have been shown. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/conntrack.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/src/conntrack.c b/src/conntrack.c
index 7a06519..0c23657 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -880,12 +880,14 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
if (check_srcnat) {
if (nfct_attr_is_set(obj, ATTR_SNAT_IPV4)) {
ip = nfct_get_attr_u32(obj, ATTR_SNAT_IPV4);
- if (ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
+ if (nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
+ ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
has_srcnat = 1;
}
if (nfct_attr_is_set(obj, ATTR_SNAT_PORT)) {
port = nfct_get_attr_u16(obj, ATTR_SNAT_PORT);
- if (port == nfct_get_attr_u16(ct, ATTR_REPL_PORT_DST))
+ if (nfct_getobjopt(ct, NFCT_GOPT_IS_SPAT) &&
+ port == nfct_get_attr_u16(ct, ATTR_REPL_PORT_DST))
has_srcnat = 1;
}
if (nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) ||
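Review bot: The address test and the port test in the check_srcnat branch still set has_srcnat independently of each other, so a filter that names both an address and a port (--src-nat addr:port) accepts a flow in which only one of the two agrees; if that filter is meant as a conjunction, the two comparisons should be combined into a single condition before `has_srcnat = 1` (the check_dstnat branch in the @@ -895 hunk has the same shape). The reason for the new nfct_getobjopt() guards is not evident from the code alone, so a comment above the first one would help, e.g. `/* without NAT the reply tuple mirrors the original one, so an address or port match alone does not prove SNAT */`, with the matching DNAT wording in the second hunk. filter_nat() starts before this hunk and continues after it, so the final use of has_srcnat and has_dstnat is outside this view.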
@@ -895,12 +897,14 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
if (check_dstnat) {
if (nfct_attr_is_set(obj, ATTR_DNAT_IPV4)) {
ip = nfct_get_attr_u32(obj, ATTR_DNAT_IPV4);
- if (ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC))
+ if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT) &&
+ ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC))
has_dstnat = 1;
}
if (nfct_attr_is_set(obj, ATTR_DNAT_PORT)) {
port = nfct_get_attr_u16(obj, ATTR_DNAT_PORT);
- if (port == nfct_get_attr_u16(ct, ATTR_REPL_PORT_SRC))
+ if (nfct_getobjopt(ct, NFCT_GOPT_IS_DPAT) &&
+ port == nfct_get_attr_u16(ct, ATTR_REPL_PORT_SRC))
has_dstnat = 1;
}
if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT) ||