authorPablo Neira Ayuso <pablo@netfilter.org>2010-07-01 16:52:41 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2010-07-01 16:52:41 +0200
commit0b3f6c9538da47d546a0bc12c8bf5d8dd8fc2fa7 (patch)
treef0604c07112ca56e32b4a3253f2559860617daae
parentc4413a601ba46e336e624b035a1b69f7aa1a9318 (diff)
conntrack: fix `conntrack --[src|dst|any]-nat IP:PORT' if port mismatches
This patch fixes the filtering if the IP matches an entry but the PORT does not match. Without this patch, the entry is shown when it should not be. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--qa/testsuite/03nat4
-rw-r--r--src/conntrack.c16
2 files changed, 20 insertions, 0 deletions
diff --git a/qa/testsuite/03nat b/qa/testsuite/03nat
index 69fbff7..f94e8ff 100644
--- a/qa/testsuite/03nat
+++ b/qa/testsuite/03nat
@@ -32,5 +32,9 @@
-L --dst-nat 3.3.3.3:80 ; OK
# show
-L --any-nat 3.3.3.3:80 ; OK
+# show
+-L --dst-nat 3.3.3.3:81 ; OK
+# show
+-L --dst-nat 1.1.1.1:80 ; OK
# delete
-D -s 1.1.1.1 ; OK
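Review bot: The two added cases, `-L --dst-nat 3.3.3.3:81 ; OK` and `-L --dst-nat 1.1.1.1:80 ; OK`, assert only the exit status, so as far as this hunk shows a filter that still lists the mismatched-port entry would pass; the `# show` lines suggest the output is inspected by hand. Only `--dst-nat` is exercised, while `src/conntrack.c` changes the `--src-nat` path in the same way; a matching `--src-nat` mismatched-port case may exist earlier in the file outside the hunk, but none is visible here. If the harness can compare output, a case that expects an empty listing for `3.3.3.3:81` would pin the fix rather than its exit code.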
diff --git a/src/conntrack.c b/src/conntrack.c
index a5b49dd..6fdd1b4 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -890,10 +890,18 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
has_srcnat = 1;
}
if (nfct_attr_is_set(obj, ATTR_SNAT_PORT)) {
+ int ret = 0;
+
check_port = 1;
port = nfct_get_attr_u16(obj, ATTR_SNAT_PORT);
if (nfct_getobjopt(ct, NFCT_GOPT_IS_SPAT) &&
port == nfct_get_attr_u16(ct, ATTR_REPL_PORT_DST))
+ ret = 1;
+
+ /* the address matches but the port does not. */
+ if (check_address && has_srcnat && !ret)
+ has_srcnat = 0;
+ if (!check_address && ret)
has_srcnat = 1;
}
if (!check_address && !check_port &&
@@ -912,10 +920,18 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
has_dstnat = 1;
}
if (nfct_attr_is_set(obj, ATTR_DNAT_PORT)) {
+ int ret = 0;
+
check_port = 1;
port = nfct_get_attr_u16(obj, ATTR_DNAT_PORT);
if (nfct_getobjopt(ct, NFCT_GOPT_IS_DPAT) &&
port == nfct_get_attr_u16(ct, ATTR_REPL_PORT_SRC))
+ ret = 1;
+
+ /* the address matches but the port does not. */
+ if (check_address && has_dstnat && !ret)
+ has_dstnat = 0;
+ if (!check_address && ret)
has_dstnat = 1;
}
if (!check_address && !check_port &&
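Review bot: The local `ret` introduced in both new blocks (after `ATTR_SNAT_PORT` and `ATTR_DNAT_PORT` are checked) holds a match flag rather than a return code, and the two trailing `if`s that fold it into `has_srcnat`/`has_dstnat` read as if the second could undo the first. A name such as `port_match` and one assignment, `has_srcnat = check_address ? (has_srcnat && port_match) : port_match;`, state the rule directly: with an address filter both must match, without one the port alone decides; this relies on `has_srcnat` being zero before the address block, whose initialisation is outside the hunk, so confirm it. The comment `/* the address matches but the port does not. */` then belongs on that single line instead of over only the first branch. The same applies to the `has_dstnat` block in the second hunk. `filter_nat` starts and ends outside both hunks.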