From 85f94171a71880c744f265268f33ad58819caa74 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 17 Jun 2010 11:55:59 +0200
Subject: conntrack: `-L --src-nat --dst-nat' filter using AND, not OR logic

The patch that I committed in 2e06d62d341fdf936dbc1fa944d5e03f761aaf0e was incomplete. With it, `-L --src-nat --dst-nat' shows source-natted OR destination-natted flows.

This patch changes the behaviour to show source-natted AND destination-natted flows. This is the consistent behaviour that we expect from conntrack (this is how it works for other options indeed).

Signed-off-by: Pablo Neira Ayuso
---
 src/conntrack.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/conntrack.c b/src/conntrack.c
index 706fe50..b8806bd 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -634,15 +634,29 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
 {
 uint32_t ip;
 
- if (options & CT_OPT_SRC_NAT) {
+ if ((options & CT_OPT_SRC_NAT) && (options & CT_OPT_DST_NAT)) {
+ if (nfct_attr_is_set(obj, ATTR_SNAT_IPV4) &&
+ nfct_attr_is_set(obj, ATTR_DNAT_IPV4)) {
+ uint32_t ip2;
+
+ ip = nfct_get_attr_u32(obj, ATTR_SNAT_IPV4);
+ ip2 = nfct_get_attr_u32(obj, ATTR_DNAT_IPV4);
+ if (ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST) &&
+ ip2 == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC)) {
+ return 0;
+ }
+ } else if (nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
+ nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
+ return 0;
+ }
+ } else if (options & CT_OPT_SRC_NAT) {
 if (nfct_attr_is_set(obj, ATTR_SNAT_IPV4)) {
 ip = nfct_get_attr_u32(obj, ATTR_SNAT_IPV4);
 if (ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
 return 0;
 } else if (nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT))
 return 0;
- }
- if (options & CT_OPT_DST_NAT) {
+ } else if (options & CT_OPT_DST_NAT) {
 if (nfct_attr_is_set(obj, ATTR_DNAT_IPV4)) {
 ip = nfct_get_attr_u32(obj, ATTR_DNAT_IPV4);
 if (ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC))
-- 
cgit v1.2.3
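Review bot: The new combined branch at the top of the hunk silently drops an address filter when only one of the two options carries one: with `--src-nat <addr> --dst-nat`, ATTR_DNAT_IPV4 is unset on obj, so the first `if` fails and the `else if` falls back to `NFCT_GOPT_IS_SNAT && NFCT_GOPT_IS_DNAT`, which never compares the given SNAT address against ATTR_REPL_IPV4_DST, and the listing then includes flows the user asked to exclude. Evaluating each side on its own (address comparison when the attribute is set, the IS_SNAT/IS_DNAT object option otherwise) and requiring both to hold keeps the AND semantics this commit intends while honouring whichever address filters are present, as sketched below. If the option parser already rejects the mixed form the point is moot, but nothing in the hunk shows that. The rest of filter_nat, including the tail of the `--dst-nat` branch and its final return, lies outside the hunk.
```c
	if ((options & CT_OPT_SRC_NAT) && (options & CT_OPT_DST_NAT)) {
		int snat_ok, dnat_ok;

		/* Each side honours its own address filter when one was given. */
		if (nfct_attr_is_set(obj, ATTR_SNAT_IPV4)) {
			ip = nfct_get_attr_u32(obj, ATTR_SNAT_IPV4);
			snat_ok = (ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST));
		} else {
			snat_ok = nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT);
		}
		if (nfct_attr_is_set(obj, ATTR_DNAT_IPV4)) {
			ip = nfct_get_attr_u32(obj, ATTR_DNAT_IPV4);
			dnat_ok = (ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC));
		} else {
			dnat_ok = nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT);
		}
		if (snat_ok && dnat_ok)
			return 0;
	} else if (options & CT_OPT_SRC_NAT) {
	/* … unchanged: single-option --src-nat and --dst-nat branches … */
```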