diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-12-11 19:58:55 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-12-11 19:58:55 +0100 |
| commit | cda212571533762c525df18fdcf361a93a1a2c31 (patch) | |
| tree | 6714830501eec4941fb5e2a500ddb558ab810b87 /src/netlink.c | |
| parent | 9369fe5370341f72c15de8d72917d014a6c7e460 (diff) | |
| download | conntrack-tools-cda212571533762c525df18fdcf361a93a1a2c31.tar.gz conntrack-tools-cda212571533762c525df18fdcf361a93a1a2c31.zip | |
netlink: build TCP flags/mask only if this is a TCP connection
This patch includes the TCP flag/mask attributes if this is a TCP
connection, otherwise do not include.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink.c')
| -rw-r--r-- | src/netlink.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/src/netlink.c b/src/netlink.c index 29281f4..2fabd8d 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -192,7 +192,6 @@ int nl_get_conntrack(struct nfct_handle *h, const struct nf_conntrack *ct) int nl_create_conntrack(struct nfct_handle *h, const struct nf_conntrack *orig) { int ret; - uint8_t flags; struct nf_conntrack *ct; ct = nfct_clone(orig); @@ -211,11 +210,14 @@ int nl_create_conntrack(struct nfct_handle *h, const struct nf_conntrack *orig) /* * TCP flags to overpass window tracking for recovered connections */ - flags = IP_CT_TCP_FLAG_BE_LIBERAL | IP_CT_TCP_FLAG_SACK_PERM; - nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags); - nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags); - nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags); - nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags); + if (nfct_attr_is_set(ct, ATTR_TCP_STATE)) { + uint8_t flags = IP_CT_TCP_FLAG_BE_LIBERAL | + IP_CT_TCP_FLAG_SACK_PERM; + nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags); + nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags); + nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags); + nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags); + } ret = nfct_query(h, NFCT_Q_CREATE, ct); nfct_destroy(ct); |