author | Pablo Neira Ayuso <pablo@netfilter.org> | 2010-07-01 16:22:52 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2010-07-01 16:22:52 +0200 |
commit | 6c0096535ea7900c190d8456eeb2307a26776141 (patch) | |
tree | d88103f2ac86a5a778e07130a2018c94de57c260 /src | |
parent | fb41cec58a9428d834aa5c14e6614d2abc585e6b (diff) | |
conntrack: fix `conntrack --src-nat 1.1.1.1' if PAT applied
This patch fixes another scenario in which the flow has some
PAT mangling and we passed the src-nat address that we want
to use to perform the filtering.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/conntrack.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/src/conntrack.c b/src/conntrack.c
index af6adf2..93844c5 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -894,9 +894,9 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
 port == nfct_get_attr_u16(ct, ATTR_REPL_PORT_DST))
 has_srcnat = 1;
 }
- if (!check_address && nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT))
- has_srcnat = 1;
- if (!check_port && nfct_getobjopt(ct, NFCT_GOPT_IS_SPAT))
+ if (!check_address && !check_port &&
+ (nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) ||
+ nfct_getobjopt(ct, NFCT_GOPT_IS_SPAT)))
 has_srcnat = 1;
 }
 if (check_dstnat) {
@@ -916,9 +916,9 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
 port == nfct_get_attr_u16(ct, ATTR_REPL_PORT_SRC))
 has_dstnat = 1;
 }
- if (!check_address && nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
- has_dstnat = 1;
- if (!check_port && nfct_getobjopt(ct, NFCT_GOPT_IS_DPAT))
+ if (!check_address && !check_port &&
+ (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT) ||
+ nfct_getobjopt(ct, NFCT_GOPT_IS_DPAT)))
 has_dstnat = 1;
 }
 if (options & CT_OPT_ANY_NAT) |
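Review bot: When both an address and a port are supplied, the new guard is skipped, and the context lines at the top of the first hunk set `has_srcnat = 1` on a port match alone. If the address branch above the hunk sets the flag the same way, a flow matching either value passes rather than only a flow matching both; the second hunk has the same shape for `has_dstnat`. The filter would then select more flows than the operator asked for, which matters when its output drives deletion or an audit listing. Consider recording each comparison in a new local and clearing the flag when both were requested but not both matched, e.g. `if (check_address && check_port && !(addr_ok && port_ok)) has_srcnat = 0;`, where `addr_ok` and `port_ok` are proposed names, not existing ones. filter_nat starts and ends outside both hunks, so confirm the address branch against the full function; a comment on the new guard such as `/* no address or port given: any source NAT or PAT flow matches */` would also help.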