authorPablo Neira Ayuso <pablo@netfilter.org>2009-12-21 13:25:04 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2009-12-21 13:25:04 +0100
commit0f2017b930a312f693950fd14c987805d9bf6a48 (patch)
tree99a3482c7a21a411f5fbeae2b4c803cf88a3a338
parentfab03af67c659c54043aab13581a19dead5718dd (diff)
setobjopt: don't autocomplete the reply tuple for ICMP[v6]
This patch fixes the autocomplete feature for ICMP[v6] entries that makes the kernel return EINVAL. Basically, we skip the autocomplete since this is already done in the setter. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/conntrack/objopt.c17
1 files changed, 15 insertions, 2 deletions
diff --git a/src/conntrack/objopt.c b/src/conntrack/objopt.c
index 4b36817..7e6e5e2 100644
--- a/src/conntrack/objopt.c
+++ b/src/conntrack/objopt.c
@@ -21,8 +21,21 @@ static void __autocomplete(struct nf_conntrack *ct, int dir)
&ct->tuple[other].src.v6,
sizeof(union __nfct_address));
- ct->tuple[dir].l4src.all = ct->tuple[other].l4dst.all;
- ct->tuple[dir].l4dst.all = ct->tuple[other].l4src.all;
+ switch(ct->tuple[dir].protonum) {
+ case IPPROTO_UDP:
+ case IPPROTO_TCP:
+ case IPPROTO_SCTP:
+ case IPPROTO_DCCP:
+ case IPPROTO_GRE:
+ case IPPROTO_UDPLITE:
+ ct->tuple[dir].l4src.all = ct->tuple[other].l4dst.all;
+ ct->tuple[dir].l4dst.all = ct->tuple[other].l4src.all;
+ break;
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ /* the setter already autocompletes the reply tuple. */
+ break;
+ }
/* XXX: this is safe but better convert bitset to uint64_t */
ct->set[0] |= TS_ORIG | TS_REPL;
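Review bot: The new switch on `ct->tuple[dir].protonum` has no `default:` case, so for any protocol outside the listed ones the l4 fields of the autocompleted tuple are no longer mirrored, while `ct->set[0] |= TS_ORIG | TS_REPL` after the switch still marks both tuples as set. Before this change the swap ran for every protocol, so this is a silent behaviour change for unlisted protocols; if it is intended, make it explicit with `default: /* no l4 data to mirror for other protocols */ break;`, otherwise keep the two swap assignments in the default branch. The switch also reads the protocol from the `dir` tuple that is being completed, which is only correct if protonum was already copied from the `other` tuple earlier in `__autocomplete`; the function starts above the hunk, so that cannot be confirmed from here.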