From b8ed29727d24862523d57066ede86635d8dbacbf Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Thu, 16 Oct 2008 15:40:49 +0200
Subject: conntrack: cleanup for NAT filtering
This patch cleanups the NAT filtering. The former code had three branches, one if src and dst NAT are set, else one if src NAT is set, else one if dst NAT is set. Now, we check if src NAT is set or if dst NAT is set.
Signed-off-by: Pablo Neira Ayuso
---
 src/conntrack.c | 33 +++++++++------------------
 1 file changed, 9 insertions(+), 24 deletions(-)
(limited to 'src/conntrack.c')
diff --git a/src/conntrack.c b/src/conntrack.c
index 0051639..152f94e 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -597,28 +597,12 @@ usage(char *prog)
 static unsigned int output_mask;
-static int ignore_nat(const struct nf_conntrack *obj,
- const struct nf_conntrack *ct)
+static int
+filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
 {
 uint32_t ip;
- if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) {
- if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
- !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
- return 1;
-
- if (nfct_attr_is_set(obj, ATTR_SNAT_IPV4)) {
- ip = nfct_get_attr_u32(obj, ATTR_SNAT_IPV4);
- if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
- return 1;
- }
-
- if (nfct_attr_is_set(obj, ATTR_DNAT_IPV4)) {
- ip = nfct_get_attr_u32(obj, ATTR_DNAT_IPV4);
- if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC))
- return 1;
- }
- } else if (options & CT_OPT_SRC_NAT) {
+ if (options & CT_OPT_SRC_NAT) {
 if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT))
 return 1;
@@ -627,7 +611,8 @@ static int ignore_nat(const struct nf_conntrack *obj,
 if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
 return 1;
 }
- } else if (options & CT_OPT_DST_NAT) {
+ }
+ if (options & CT_OPT_DST_NAT) {
 if (!nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
 return 1;
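Review bot: With both CT_OPT_SRC_NAT and CT_OPT_DST_NAT set, the two sequential `if` blocks in filter_nat now reject an entry that lacks either NFCT_GOPT_IS_SNAT or NFCT_GOPT_IS_DNAT, whereas the removed combined branch rejected it only when it had neither, so the joint filter changes from "SNAT or DNAT" to "SNAT and DNAT". The commit message presents this as a cleanup and describes checking "src NAT is set or dst NAT is set", so either the tightening is intended and should be stated there, or the old disjunction needs to be preserved before the second block runs. Independently of that, the renamed function would benefit from a header comment spelling out its return convention, e.g. `/* Return 1 to skip @ct because it does not match the NAT filters requested in options, 0 to keep it. */`. The remainder of filter_nat, including the end of the CT_OPT_DST_NAT block, lies outside these two hunks.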
@@ -667,7 +652,7 @@ static int event_cb(enum nf_conntrack_msg_type type,
 unsigned int op_type = NFCT_O_DEFAULT;
 unsigned int op_flags = 0;
- if (ignore_nat(obj, ct))
+ if (filter_nat(obj, ct))
 return NFCT_CB_CONTINUE;
 if (options & CT_COMPARISON &&
@@ -714,7 +699,7 @@ static int dump_cb(enum nf_conntrack_msg_type type,
 unsigned int op_type = NFCT_O_DEFAULT;
 unsigned int op_flags = 0;
- if (ignore_nat(obj, ct))
+ if (filter_nat(obj, ct))
 return NFCT_CB_CONTINUE;
 if (options & CT_COMPARISON &&
@@ -752,7 +737,7 @@ static int delete_cb(enum nf_conntrack_msg_type type,
 unsigned int op_type = NFCT_O_DEFAULT;
 unsigned int op_flags = 0;
- if (ignore_nat(obj, ct))
+ if (filter_nat(obj, ct))
 return NFCT_CB_CONTINUE;
 if (options & CT_COMPARISON &&
@@ -812,7 +797,7 @@ static int update_cb(enum nf_conntrack_msg_type type,
 memset(tmp, 0, sizeof(__tmp));
- if (ignore_nat(obj, ct))
+ if (filter_nat(obj, ct))
 return NFCT_CB_CONTINUE;
 if (nfct_attr_is_set(obj, ATTR_ID) && nfct_attr_is_set(ct, ATTR_ID) &&
-- 
cgit v1.2.3