author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-01-14 13:50:58 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-01-14 13:50:58 +0100 |
commit | b176d7178aa929c4644bdfd0752cf531384447c9 (patch) | |
tree | e6c9f3c82c409c104a6b8df7a5584fc1e5846f99 | |
parent | a6281c6f10110bf64e51c04a37c0fe9f9508482e (diff) | |
filter: skip filtering by state if the event has no state info
This patch fixes a bug that may result in wrong filtering of
destroy events which usually don't contain the state information.
In that case, skip the filtering.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/filter.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/filter.c b/src/filter.c index 4e24fb5..218ba0c 100644 --- a/src/filter.c +++ b/src/filter.c @@ -318,7 +318,8 @@ static int ct_filter_check(struct ct_filter *f, struct nf_conntrack *ct) if (f->logic[CT_FILTER_STATE] != -1) { ret = __ct_filter_test_state(f, ct); - if (ret ^ f->logic[CT_FILTER_STATE]) + /* ret is -1 if we don't know what to do */ + if (ret != -1 && ret ^ f->logic[CT_FILTER_STATE]) return 0; } |
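Review bot: The new condition in ct_filter_check(), `ret != -1 && ret ^ f->logic[CT_FILTER_STATE]`, relies on `^` binding tighter than `&&`; it parses as intended, but writing it as `if (ret != -1 && (ret ^ f->logic[CT_FILTER_STATE]))` would make the grouping explicit. The added comment says ret is -1 "if we don't know what to do", which does not tell the reader that this is the case of an event carrying no state information (the destroy events named in the commit message); saying so in the comment, and documenting the -1 return at __ct_filter_test_state(), would help, since the function's contract is not visible here. The value -1 also carries two meanings within these few lines (filter logic unset in `f->logic[CT_FILTER_STATE] != -1`, state unknown in `ret`), so a named constant for each would read more clearly. With this change an event lacking state is no longer rejected by the state check and falls through to whatever follows it, so it is worth confirming that this is the intended result for filters configured to exclude by state.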