From b176d7178aa929c4644bdfd0752cf531384447c9 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 14 Jan 2009 13:50:58 +0100
Subject: filter: skip filtering by state if the event has no state info

This patch fixes a bug that may result in wrong filtering of destroy events which usually don't contain the state information. In that case, skip the filtering.

Signed-off-by: Pablo Neira Ayuso
---
 src/filter.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src')

diff --git a/src/filter.c b/src/filter.c
index 4e24fb5..218ba0c 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -318,7 +318,8 @@ static int ct_filter_check(struct ct_filter *f, struct nf_conntrack *ct)
 if (f->logic[CT_FILTER_STATE] != -1) {
 ret = __ct_filter_test_state(f, ct);
- if (ret ^ f->logic[CT_FILTER_STATE])
+ /* ret is -1 if we don't know what to do */
+ if (ret != -1 && ret ^ f->logic[CT_FILTER_STATE])
 return 0;
 }
--
cgit v1.2.3
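Review bot: The new comment `/* ret is -1 if we don't know what to do */` does not record the consequence of the added `ret != -1` guard: an event for which `__ct_filter_test_state()` returns -1 now passes the state filter whatever `f->logic[CT_FILTER_STATE]` is set to, so the state filter fails open for events without state info. That matches what the commit message intends for destroy events, but the helper's return contract is not visible in this hunk, so it is worth confirming that -1 can only mean "no state attribute present" and saying so, e.g. `/* -1: event carries no state info (e.g. destroy); skip the state filter and let it through */`. The condition also mixes `!=`, `&&` and `^` without parentheses; it parses as intended, but `if (ret != -1 && (ret ^ f->logic[CT_FILTER_STATE]))` reads unambiguously. ct_filter_check's body starts before and continues after the hunk.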