author | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-09-16 21:11:37 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-09-16 21:11:37 +0200 |
commit | 587a85e0603d514656a434d44c82d1fdacd5e326 (patch) | |
tree | 69df265143a342ca59c2cde27c4472a5a5db0a0b /src/filter.c | |
parent | 406737e5aa38f90b01aebe2f6295e7b4ef828220 (diff) | |
filter: fix NAT detection tweak
With this patch, we rely on the real source and destination of the
packet when applying the filter. The previous NAT detection tweak was broken
in certain situations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/filter.c')
-rw-r--r-- | src/filter.c | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/src/filter.c b/src/filter.c
index eaf0a93..33fe30e 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -167,10 +167,9 @@ __ct_filter_test_ipv4(struct ct_filter *f, struct nf_conntrack *ct)
 	if (!f->h)
 		return 0;
+	/* we only use the real source and destination address */
 	return (hashtable_test(f->h, nfct_get_attr(ct, ATTR_ORIG_IPV4_SRC)) ||
-		hashtable_test(f->h, nfct_get_attr(ct, ATTR_ORIG_IPV4_DST)) ||
-		hashtable_test(f->h, nfct_get_attr(ct, ATTR_REPL_IPV4_SRC)) ||
-		hashtable_test(f->h, nfct_get_attr(ct, ATTR_REPL_IPV4_DST)));
+		hashtable_test(f->h, nfct_get_attr(ct, ATTR_REPL_IPV4_SRC)));
 }
 static int
@@ -180,9 +179,7 @@ __ct_filter_test_ipv6(struct ct_filter *f, struct nf_conntrack *ct)
 		return 0;
 	return (hashtable_test(f->h6, nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC)) ||
-		hashtable_test(f->h6, nfct_get_attr(ct, ATTR_ORIG_IPV6_DST)) ||
-		hashtable_test(f->h6, nfct_get_attr(ct, ATTR_REPL_IPV6_SRC)) ||
-		hashtable_test(f->h6, nfct_get_attr(ct, ATTR_REPL_IPV6_DST)));
+		hashtable_test(f->h6, nfct_get_attr(ct, ATTR_REPL_IPV6_SRC)));
 }
 static int __ct_filter_test_state(struct ct_filter *f, struct nf_conntrack *ct)
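Review bot: The added comment in __ct_filter_test_ipv4 does not say why ATTR_REPL_IPV4_SRC stands in for the destination, which is the whole point of the fix and the thing a future maintainer is most likely to undo by re-adding the ORIG_DST/REPL_DST lookups. If I read the conntrack tuple semantics right, the reply-direction source is the destination after DNAT has been applied, while ORIG_DST and REPL_DST carry the NAT-mapped addresses that the old "NAT detection tweak" matched on. I would replace the comment with `/* match on the real addresses only: ATTR_ORIG_IPV4_SRC is the source, ATTR_REPL_IPV4_SRC the post-DNAT destination; ORIG_DST/REPL_DST hold NAT-mapped addresses and are deliberately ignored */`. Note that nfct_get_attr() can return NULL when the attribute is unset; whether hashtable_test() tolerates that is not visible here and is worth confirming. The function's signature is outside the hunk; only its tail is shown.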
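Review bot: __ct_filter_test_ipv6 gets the same behavioural change as the IPv4 variant but none of the explanatory comment, so the two hunks are now inconsistent in documentation. I would mirror the comment above its return, e.g. `/* as in the IPv4 case: ORIG_IPV6_SRC is the real source, REPL_IPV6_SRC the real (post-DNAT) destination */`, so the reasoning is not lost when only this function is read. The function's opening, including the `if (!f->h6)` guard implied by the `return 0;` context line, lies outside the hunk.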