From 2bcbae4c14b253176d7570e6f6acc56e521ceb5e Mon Sep 17 00:00:00 2001
From: Ronald Wahl <ronald.wahl@raritan.com>
Date: Wed, 9 May 2018 10:32:19 +0200
Subject: conntrack: -f family filter does not work

"conntrack -L -f ipv4" and "conntrack -L -f ipv6" each prints both
protocols. This is because the family filtering is now enabled only if
filter_mark_kernel_set is true.

Fixes: 8b8377163697 ("conntrack: send mark filter to kernel iff set")
Signed-off-by: Ronald Wahl <ronald.wahl@raritan.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/conntrack.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/conntrack.c b/src/conntrack.c
index 06f60e8..d638a6a 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -2608,10 +2608,10 @@ int main(int argc, char *argv[])
 			nfct_filter_dump_set_attr(filter_dump,
 						  NFCT_FILTER_DUMP_MARK,
 						  &tmpl.filter_mark_kernel);
-			nfct_filter_dump_set_attr_u8(filter_dump,
-						     NFCT_FILTER_DUMP_L3NUM,
-						     family);
 		}
+		nfct_filter_dump_set_attr_u8(filter_dump,
+					     NFCT_FILTER_DUMP_L3NUM,
+					     family);
 
 		if (options & CT_OPT_ZERO)
 			res = nfct_query(cth, NFCT_Q_DUMP_FILTER_RESET,
@@ -2714,10 +2714,10 @@ int main(int argc, char *argv[])
 			nfct_filter_dump_set_attr(filter_dump,
 						  NFCT_FILTER_DUMP_MARK,
 						  &tmpl.filter_mark_kernel);
-			nfct_filter_dump_set_attr_u8(filter_dump,
-						     NFCT_FILTER_DUMP_L3NUM,
-						     family);
 		}
+		nfct_filter_dump_set_attr_u8(filter_dump,
+					     NFCT_FILTER_DUMP_L3NUM,
+					     family);
 
 		res = nfct_query(cth, NFCT_Q_DUMP_FILTER, filter_dump);
 
-- 
cgit v1.2.3