authorPablo Neira Ayuso <pablo@netfilter.org>2008-12-07 12:03:37 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2008-12-07 12:03:37 +0100
commit2676982afacd502f3119cd323d060bbb88446057 (patch)
treef05fdb50245b30c94e2d6cf95176816ba258d658 /src/netlink.c
parent65ad316d921930c9d5c1c8640fbf2f05ecd0ca49 (diff)
netlink: use NFCT_Q_[CREATE|UPDATE] instead of NFCT_Q_CREATE_UPDATE
This patch uses NFCT_Q_CREATE in nl_create_conntrack() and NFCT_Q_UPDATE in nl_update_conntrack(). The NFCT_Q_CREATE_UPDATE query does not set the NLM_F_EXCL flag, so it tries to update the entry if creation fails. Under several scenarios, this may lead to problems. For example, the message that creates a related conntrack contains the master information. This is fine when creating an entry, but an update will hit EOPNOTSUPP as ctnetlink considers that you are trying to change the master of an existing conntrack - and this is not a supported operation, of course. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink.c')
-rw-r--r--src/netlink.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/netlink.c b/src/netlink.c
index 1a86a21..5929232 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -211,7 +211,7 @@ int nl_create_conntrack(const struct nf_conntrack *orig)
nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
- ret = nfct_query(STATE(dump), NFCT_Q_CREATE_UPDATE, ct);
+ ret = nfct_query(STATE(dump), NFCT_Q_CREATE, ct);
nfct_destroy(ct);
return ret;
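Review bot: `nl_create_conntrack()` can now fail where it used to succeed. Per the commit description NFCT_Q_CREATE sets NLM_F_EXCL and no longer falls back to an update when the entry already exists, and the NFCT_Q_UPDATE call in the `nl_update_conntrack()` hunk presumably fails the other way round when the entry is missing. Both functions still return `ret` only after `nfct_destroy(ct)`, so a caller that must tell "already exists" or "no such entry" from a real error has to read errno, which the destroy call may overwrite if it frees memory. Consider `int saved = errno; nfct_destroy(ct); errno = saved;` before `return ret;`, plus a comment on each function naming the errno values callers are expected to handle. The callers are not visible here and both function bodies begin outside their hunks, but for a state-replication path a create or update that is dropped without being logged leaves the kernel conntrack table out of step with the synchronised state.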
@@ -262,7 +262,7 @@ int nl_update_conntrack(const struct nf_conntrack *orig)
nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
- ret = nfct_query(STATE(dump), NFCT_Q_CREATE_UPDATE, ct);
+ ret = nfct_query(STATE(dump), NFCT_Q_UPDATE, ct);
nfct_destroy(ct);
return ret;