From 0f2017b930a312f693950fd14c987805d9bf6a48 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 21 Dec 2009 13:25:04 +0100
Subject: setobjopt: don't autocomplete the reply tuple for ICMP[v6]
This patch fixes the autocomplete feature for ICMP[v6] entries that makes the kernel return EINVAL. Basically, we skip the autocomplete since this is already done in the setter.
Signed-off-by: Pablo Neira Ayuso
---
 src/conntrack/objopt.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
(limited to 'src/conntrack')
diff --git a/src/conntrack/objopt.c b/src/conntrack/objopt.c
index 4b36817..7e6e5e2 100644
--- a/src/conntrack/objopt.c
+++ b/src/conntrack/objopt.c
@@ -21,8 +21,21 @@ static void __autocomplete(struct nf_conntrack *ct, int dir)
 &ct->tuple[other].src.v6,
 sizeof(union __nfct_address));
- ct->tuple[dir].l4src.all = ct->tuple[other].l4dst.all;
- ct->tuple[dir].l4dst.all = ct->tuple[other].l4src.all;
+ switch(ct->tuple[dir].protonum) {
+ case IPPROTO_UDP:
+ case IPPROTO_TCP:
+ case IPPROTO_SCTP:
+ case IPPROTO_DCCP:
+ case IPPROTO_GRE:
+ case IPPROTO_UDPLITE:
+ ct->tuple[dir].l4src.all = ct->tuple[other].l4dst.all;
+ ct->tuple[dir].l4dst.all = ct->tuple[other].l4src.all;
+ break;
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ /* the setter already autocompletes the reply tuple. */
+ break;
+ }
 /* XXX: this is safe but better convert bitset to uint64_t */
 ct->set[0] |= TS_ORIG | TS_REPL;
--
cgit v1.2.3
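Review bot: The new `switch` on `ct->tuple[dir].protonum` has no `default:` arm, so any protocol number outside the eight listed now leaves `l4src`/`l4dst` of the completed tuple untouched, where the old code always mirrored them. The line after the switch still ORs `TS_ORIG | TS_REPL` into `ct->set[0]`, so for such protocols the tuple is flagged as set while its layer-4 part holds whatever was there before; whether the kernel rejects or mis-matches that is not visible from this hunk. If only ICMP and ICMPv6 need to be exempted, the narrower change is to keep the swap as the `default:` arm and leave the two ICMP cases as the only exception; otherwise make the intent explicit with `default: /* no layer-4 ports to mirror */ break;`. The ICMP arm also depends on the setter having already filled the reply tuple, which deserves a sentence in the comment naming that setter. `__autocomplete` begins above the hunk.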