From a88ee46645f4c5db0bf5653c5f2df8eff573e534 Mon Sep 17 00:00:00 2001
From: Arturo Borrero Gonzalez
Date: Wed, 26 Jun 2013 13:37:07 +0200
Subject: ct: xml: add extra dir check

This patch adds an extra dir check. 0 means original. 1 means a reply. Pablo decided not to include nf_conntrack_tuple_common.h, instead internally defined them.

Signed-off-by: Arturo Borrero Gonzalez
Signed-off-by: Pablo Neira Ayuso
---
 src/expr/ct.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/expr/ct.c b/src/expr/ct.c
index 61a8fef..c6d11c9 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -27,6 +27,9 @@ struct nft_expr_ct {
 uint8_t dir;
 };

+#define IP_CT_DIR_ORIGINAL 0
+#define IP_CT_DIR_REPLY 1
+
 static int nft_rule_expr_ct_set(struct nft_rule_expr *e, uint16_t type, const void *data, size_t data_len)
@@ -202,6 +205,9 @@ static int nft_rule_expr_ct_xml_parse(struct nft_rule_expr *e, char *xml)
 if (tmp > UINT8_MAX || tmp < 0 || *endptr) goto err;

+ if (tmp != IP_CT_DIR_ORIGINAL && tmp != IP_CT_DIR_REPLY) goto err;
+
 ct->dir = tmp;
 e->flags |= (1 << NFT_EXPR_CT_DIR);

-- 
cgit v1.2.3
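Review bot: The two added `#define`s in the first hunk reuse names that, as far as I recall, the kernel's nf_conntrack_tuple_common.h (the header the commit message says was deliberately not included) provides as enumerators of an enum, so any later inclusion of that header in this file would have the preprocessor rewrite the enum body and break the build. A comment next to the defines should record that deliberate mirroring, e.g. `/* local copy of the kernel's conntrack direction values; do not include nf_conntrack_tuple_common.h here */`. A file-local `enum { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1 };` would give the values a type and make them debugger-visible, though it would still collide with the kernel header, so the comment matters either way.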
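Review bot: In the second hunk the new two-value test makes the preceding `tmp > UINT8_MAX || tmp < 0` check on the same line redundant, since 0 and 1 are now the only values that can pass; folding both into `if (*endptr || (tmp != IP_CT_DIR_ORIGINAL && tmp != IP_CT_DIR_REPLY)) goto err;` leaves one condition to maintain. The check is added only to the XML parser; `nft_rule_expr_ct_set`, whose prototype is visible in the first hunk's context, presumably stores the NFT_EXPR_CT_DIR value without it, so a direct API caller could still set a direction outside the two defined values — a small shared validation helper called from both paths would give the same guarantee regardless of which entry point the value came through. The enclosing nft_rule_expr_ct_xml_parse starts and ends outside the hunk, so what the `err` label does on rejection is not visible here.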