netlink: use NFCT_Q_[CREATE|UPDATE] instead of NFCT_Q_CREATE_UPDATE

This patch uses NFCT_Q_CREATE in nl_create_conntrack() and
NFCT_Q_UPDATE in nl_update_conntrack(). The NFCT_Q_CREATE_UPDATE
query does not set the NLM_F_EXCL flag, so that it tries to update
the entry if we fail to create.

Under several scenarios, this may lead to problems. For example,
the creation of related conntracks contain the master information.
This is fine to create an entry, but an update will hit
EOPNOTSUPP as ctnetlink considers that you are trying to change
the master of an existing conntrack - and this is not a supported
operation, of course.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 2 insertions, 2 deletions

diff --git a/src/netlink.c b/src/netlink.c
index 1a86a21..5929232 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -211,7 +211,7 @@ int nl_create_conntrack(const struct nf_conntrack *orig)
 	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
 	nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
 
-	ret = nfct_query(STATE(dump), NFCT_Q_CREATE_UPDATE, ct);
+	ret = nfct_query(STATE(dump), NFCT_Q_CREATE, ct);
 	nfct_destroy(ct);
 
 	return ret;
@@ -262,7 +262,7 @@ int nl_update_conntrack(const struct nf_conntrack *orig)
 	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
 	nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
 
-	ret = nfct_query(STATE(dump), NFCT_Q_CREATE_UPDATE, ct);
+	ret = nfct_query(STATE(dump), NFCT_Q_UPDATE, ct);
 	nfct_destroy(ct);
 
 	return ret;