-rw-r--r--src/cache.c8
-rw-r--r--src/netlink.c38
2 files changed, 38 insertions, 8 deletions
diff --git a/src/cache.c b/src/cache.c
index c72afd8..a73854f 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -75,14 +75,6 @@ static uint32_t hash(const void *data, struct hashtable *table)
ret = __hash4(u->ct, table);
break;
case AF_INET6:
- if (!nfct_attr_is_set(u->ct, ATTR_ORIG_IPV6_SRC) ||
- !nfct_attr_is_set(u->ct, ATTR_ORIG_IPV6_DST)) {
- dlog(LOG_ERR, "missing IPv6 address. "
- "You forgot to load "
- "nf_conntrack_ipv6?");
- return 0;
- }
-
ret = __hash6(u->ct, table);
break;
default:
diff --git a/src/netlink.c b/src/netlink.c
index 1287454..a8a5503 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -26,8 +26,46 @@
#include <string.h>
#include <errno.h>
+static int sanity_check(struct nf_conntrack *ct)
+{
+ if (!nfct_attr_is_set(ct, ATTR_L3PROTO)) {
+ dlog(LOG_ERR, "missing layer 3 protocol");
+ return 0;
+ }
+
+ switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
+ case AF_INET:
+ if (!nfct_attr_is_set(ct, ATTR_IPV4_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_IPV4_DST) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV4_DST)) {
+ dlog(LOG_ERR, "missing IPv4 address. "
+ "You forgot to load "
+ "nf_conntrack_ipv4?");
+ return 0;
+ }
+ break;
+ case AF_INET6:
+ if (!nfct_attr_is_set(ct, ATTR_IPV6_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_IPV6_DST) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV6_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV6_DST)) {
+ dlog(LOG_ERR, "missing IPv6 address. "
+ "You forgot to load "
+ "nf_conntrack_ipv6?");
+ return 0;
+ }
+ break;
+ }
+ return 1;
+}
+
int ignore_conntrack(struct nf_conntrack *ct)
{
+ /* missing mandatory attributes in object */
+ if (!sanity_check(ct))
+ return 1;
+
/* Accept DNAT'ed traffic: not really coming to the local machine */
if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
debug_ct(ct, "DNAT");