author | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-09-16 21:11:37 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2008-09-16 21:11:37 +0200 |
commit | 587a85e0603d514656a434d44c82d1fdacd5e326 (patch) | |
tree | 69df265143a342ca59c2cde27c4472a5a5db0a0b /src/netlink.c | |
parent | 406737e5aa38f90b01aebe2f6295e7b4ef828220 (diff) | |
filter: fix NAT detection tweak
With this patch, we rely on the real source and destination of the
packet to perform the filter. The current NAT detection tweak is broken
for certain situations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink.c')
-rw-r--r-- | src/netlink.c | 12 |
1 files changed, 0 insertions, 12 deletions
diff --git a/src/netlink.c b/src/netlink.c
index 8b02ac5..a4b94dd 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -66,18 +66,6 @@ int ignore_conntrack(struct nf_conntrack *ct)
 if (!sanity_check(ct))
 return 1;
 
- /* Accept DNAT'ed traffic: not really coming to the local machine */
- if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
- debug_ct(ct, "DNAT");
- return 0;
- }
-
- /* Accept SNAT'ed traffic: not really coming to the local machine */
- if (nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) {
- debug_ct(ct, "SNAT");
- return 0;
- }
-
 /* Ignore traffic */
 if (!ct_filter_check(STATE(us_filter), ct)) {
 debug_ct(ct, "ignore traffic"); |