conntrack: fix mark-based filtering for event display

The mark-based filtering for events does not work if the mark is not
present in the event message. This happens because nfct_cmp() skips
the comparison of the compared objects since it they do not have the
same attributes set. This patch make use of the new NFCT_CMP_MASK
flag that returns false if the first object passed as parameter is
set and the second is not.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 6 insertions, 3 deletions

diff --git a/src/conntrack.c b/src/conntrack.c
index f7b9363..73c102b 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -634,7 +634,8 @@ static int event_cb(enum nf_conntrack_msg_type type,
 	if (ignore_nat(obj, ct))
 		return NFCT_CB_CONTINUE;
 
-	if (options & CT_COMPARISON && !nfct_cmp(obj, ct, NFCT_CMP_ALL))
+	if (options & CT_COMPARISON &&
+	    !nfct_cmp(obj, ct, NFCT_CMP_ALL | NFCT_CMP_MASK))
 		return NFCT_CB_CONTINUE;
 
 	if (output_mask & _O_XML) {
@@ -680,7 +681,8 @@ static int dump_cb(enum nf_conntrack_msg_type type,
 	if (ignore_nat(obj, ct))
 		return NFCT_CB_CONTINUE;
 
-	if (options & CT_COMPARISON && !nfct_cmp(obj, ct, NFCT_CMP_ALL))
+	if (options & CT_COMPARISON &&
+	    !nfct_cmp(obj, ct, NFCT_CMP_ALL | NFCT_CMP_MASK))
 		return NFCT_CB_CONTINUE;
 
 	if (output_mask & _O_XML) {
@@ -717,7 +719,8 @@ static int delete_cb(enum nf_conntrack_msg_type type,
 	if (ignore_nat(obj, ct))
 		return NFCT_CB_CONTINUE;
 
-	if (options & CT_COMPARISON && !nfct_cmp(obj, ct, NFCT_CMP_ALL))
+	if (options & CT_COMPARISON &&
+	    !nfct_cmp(obj, ct, NFCT_CMP_ALL | NFCT_CMP_MASK))
 		return NFCT_CB_CONTINUE;
 
 	res = nfct_query(ith, NFCT_Q_DESTROY, ct);