authorPablo Neira Ayuso <pablo@netfilter.org>2008-10-16 15:40:49 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2008-10-16 15:40:49 +0200
commitb8ed29727d24862523d57066ede86635d8dbacbf (patch)
treed207bb94dacdb7553128462950b00612f347feae
parenta557f4a9c5dfae272660e58500386be65274adeb (diff)
conntrack: cleanup for NAT filtering
This patch cleans up the NAT filtering. The former code had three branches: one if both src and dst NAT are set, else one if src NAT is set, else one if dst NAT is set. Now we check separately whether src NAT is set and whether dst NAT is set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/conntrack.c33
1 files changed, 9 insertions, 24 deletions
diff --git a/src/conntrack.c b/src/conntrack.c
index 0051639..152f94e 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -597,28 +597,12 @@ usage(char *prog)
static unsigned int output_mask;
-static int ignore_nat(const struct nf_conntrack *obj,
- const struct nf_conntrack *ct)
+static int
+filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
{
uint32_t ip;
- if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) {
- if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
- !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
- return 1;
-
- if (nfct_attr_is_set(obj, ATTR_SNAT_IPV4)) {
- ip = nfct_get_attr_u32(obj, ATTR_SNAT_IPV4);
- if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
- return 1;
- }
-
- if (nfct_attr_is_set(obj, ATTR_DNAT_IPV4)) {
- ip = nfct_get_attr_u32(obj, ATTR_DNAT_IPV4);
- if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC))
- return 1;
- }
- } else if (options & CT_OPT_SRC_NAT) {
+ if (options & CT_OPT_SRC_NAT) {
if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT))
return 1;
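Review bot: The rewrite changes the result when both CT_OPT_SRC_NAT and CT_OPT_DST_NAT are given, which the commit message presents as a pure cleanup: the removed branch skipped an entry only when it had neither NFCT_GOPT_IS_SNAT nor NFCT_GOPT_IS_DNAT, whereas the two independent blocks in the new code (this hunk and the one following at `@@ -627,7 +611,8 @@`) skip an entry as soon as either flag is missing, so an entry must now be both SNAT and DNAT to pass. If the stricter match is intended, it should be stated in the commit message and in a header comment on filter_nat, e.g. `/* Return 1 if ct must be skipped: it lacks a NAT flag that was requested on the command line, or its NAT address differs from the one given in obj. */`; if not, the earlier either-or check for the combined case needs to be kept. The positive-match semantics of the return value is also worth spelling out since the function was renamed from ignore_nat to filter_nat, which reads as "keep" rather than "drop". The body of filter_nat continues past the end of this hunk.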
@@ -627,7 +611,8 @@ static int ignore_nat(const struct nf_conntrack *obj,
if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
return 1;
}
- } else if (options & CT_OPT_DST_NAT) {
+ }
+ if (options & CT_OPT_DST_NAT) {
if (!nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
return 1;
@@ -667,7 +652,7 @@ static int event_cb(enum nf_conntrack_msg_type type,
unsigned int op_type = NFCT_O_DEFAULT;
unsigned int op_flags = 0;
- if (ignore_nat(obj, ct))
+ if (filter_nat(obj, ct))
return NFCT_CB_CONTINUE;
if (options & CT_COMPARISON &&
@@ -714,7 +699,7 @@ static int dump_cb(enum nf_conntrack_msg_type type,
unsigned int op_type = NFCT_O_DEFAULT;
unsigned int op_flags = 0;
- if (ignore_nat(obj, ct))
+ if (filter_nat(obj, ct))
return NFCT_CB_CONTINUE;
if (options & CT_COMPARISON &&
@@ -752,7 +737,7 @@ static int delete_cb(enum nf_conntrack_msg_type type,
unsigned int op_type = NFCT_O_DEFAULT;
unsigned int op_flags = 0;
- if (ignore_nat(obj, ct))
+ if (filter_nat(obj, ct))
return NFCT_CB_CONTINUE;
if (options & CT_COMPARISON &&
@@ -812,7 +797,7 @@ static int update_cb(enum nf_conntrack_msg_type type,
memset(tmp, 0, sizeof(__tmp));
- if (ignore_nat(obj, ct))
+ if (filter_nat(obj, ct))
return NFCT_CB_CONTINUE;
if (nfct_attr_is_set(obj, ATTR_ID) && nfct_attr_is_set(ct, ATTR_ID) &&