diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2010-07-01 16:52:41 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2010-07-01 16:52:41 +0200 |
commit | 0b3f6c9538da47d546a0bc12c8bf5d8dd8fc2fa7 (patch) | |
tree | f0604c07112ca56e32b4a3253f2559860617daae | |
parent | c4413a601ba46e336e624b035a1b69f7aa1a9318 (diff) | |
download | conntrack-tools-0b3f6c9538da47d546a0bc12c8bf5d8dd8fc2fa7.tar.gz conntrack-tools-0b3f6c9538da47d546a0bc12c8bf5d8dd8fc2fa7.zip |
conntrack: fix `conntrack --[src|dst|any]-nat IP:PORT' if port mismatches
This patch fixes the filtering if the IP matches an entry but the PORT
does not matches. Without this patch, the entry is shown when it
should be not.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | qa/testsuite/03nat | 4 | ||||
-rw-r--r-- | src/conntrack.c | 16 |
2 files changed, 20 insertions, 0 deletions
diff --git a/qa/testsuite/03nat b/qa/testsuite/03nat index 69fbff7..f94e8ff 100644 --- a/qa/testsuite/03nat +++ b/qa/testsuite/03nat @@ -32,5 +32,9 @@ -L --dst-nat 3.3.3.3:80 ; OK # show -L --any-nat 3.3.3.3:80 ; OK +# show +-L --dst-nat 3.3.3.3:81 ; OK +# show +-L --dst-nat 1.1.1.1:80 ; OK # delete -D -s 1.1.1.1 ; OK diff --git a/src/conntrack.c b/src/conntrack.c index a5b49dd..6fdd1b4 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -890,10 +890,18 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct) has_srcnat = 1; } if (nfct_attr_is_set(obj, ATTR_SNAT_PORT)) { + int ret = 0; + check_port = 1; port = nfct_get_attr_u16(obj, ATTR_SNAT_PORT); if (nfct_getobjopt(ct, NFCT_GOPT_IS_SPAT) && port == nfct_get_attr_u16(ct, ATTR_REPL_PORT_DST)) + ret = 1; + + /* the address matches but the port does not. */ + if (check_address && has_srcnat && !ret) + has_srcnat = 0; + if (!check_address && ret) has_srcnat = 1; } if (!check_address && !check_port && @@ -912,10 +920,18 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct) has_dstnat = 1; } if (nfct_attr_is_set(obj, ATTR_DNAT_PORT)) { + int ret = 0; + check_port = 1; port = nfct_get_attr_u16(obj, ATTR_DNAT_PORT); if (nfct_getobjopt(ct, NFCT_GOPT_IS_DPAT) && port == nfct_get_attr_u16(ct, ATTR_REPL_PORT_SRC)) + ret = 1; + + /* the address matches but the port does not. */ + if (check_address && has_dstnat && !ret) + has_dstnat = 0; + if (!check_address && ret) has_dstnat = 1; } if (!check_address && !check_port && |