sync-notrack: Apply userspace filter on resync with internal cache disabled

Always apply the userspace filter when doing a direct sync from the kernel when internal cache is disabled, since a dump does not apply a kernelspace filter. Signed-off-by: Robin Geuze <robing@transip.nl> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Robin Geuze <robing@transip.nl> 2019-05-28 09:24:18 +0000
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-05-30 16:45:47 +0200
commit: e7f00c77119ad54ceeb87be025b6e3ac2f0c81b0 (patch)
tree: 2cdf6cc243238cdee79dc234026fdc4bf2960760 /src/sync-notrack.c
parent: 6abd0b7efdcd808167b95242d2f8cfdbd51f7e8e (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/src/sync-notrack.c b/src/sync-notrack.c
index 1b53e1b..b765c1a 100644
--- a/src/sync-notrack.c
+++ b/src/sync-notrack.c
@@ -72,6 +72,9 @@ static int kernel_resync_cb(enum nf_conntrack_msg_type type,
 {
 	struct nethdr *net;
 
+	if (ct_filter_conntrack(ct, 1))
+		return NFCT_CB_CONTINUE;
+
 	net = BUILD_NETMSG_FROM_CT(ct, NET_T_STATE_CT_NEW);
 	multichannel_send(STATE_SYNC(channel), net);
author	Robin Geuze <robing@transip.nl>	2019-05-28 09:24:18 +0000
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-05-30 16:45:47 +0200
commit	e7f00c77119ad54ceeb87be025b6e3ac2f0c81b0 (patch)
tree	2cdf6cc243238cdee79dc234026fdc4bf2960760 /src/sync-notrack.c
parent	6abd0b7efdcd808167b95242d2f8cfdbd51f7e8e (diff)