-rw-r--r-- | src/cache.c | 8 | ||||
-rw-r--r-- | src/netlink.c | 38 |
2 files changed, 38 insertions, 8 deletions
diff --git a/src/cache.c b/src/cache.c
index c72afd8..a73854f 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -75,14 +75,6 @@ static uint32_t hash(const void *data, struct hashtable *table)
 ret = __hash4(u->ct, table);
 break;
 case AF_INET6:
- if (!nfct_attr_is_set(u->ct, ATTR_ORIG_IPV6_SRC) ||
- !nfct_attr_is_set(u->ct, ATTR_ORIG_IPV6_DST)) {
- dlog(LOG_ERR, "missing IPv6 address. "
- "You forgot to load "
- "nf_conntrack_ipv6?");
- return 0;
- }
-
 ret = __hash6(u->ct, table);
 break;
 default:
diff --git a/src/netlink.c b/src/netlink.c
index 1287454..a8a5503 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -26,8 +26,46 @@
 #include <string.h>
 #include <errno.h>
 
+static int sanity_check(struct nf_conntrack *ct)
+{
+ if (!nfct_attr_is_set(ct, ATTR_L3PROTO)) {
+ dlog(LOG_ERR, "missing layer 3 protocol");
+ return 0;
+ }
+
+ switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
+ case AF_INET:
+ if (!nfct_attr_is_set(ct, ATTR_IPV4_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_IPV4_DST) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV4_DST)) {
+ dlog(LOG_ERR, "missing IPv4 address. "
+ "You forgot to load "
+ "nf_conntrack_ipv4?");
+ return 0;
+ }
+ break;
+ case AF_INET6:
+ if (!nfct_attr_is_set(ct, ATTR_IPV6_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_IPV6_DST) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV6_SRC) ||
+ !nfct_attr_is_set(ct, ATTR_REPL_IPV6_DST)) {
+ dlog(LOG_ERR, "missing IPv6 address. "
+ "You forgot to load "
+ "nf_conntrack_ipv6?");
+ return 0;
+ }
+ break;
+ }
+ return 1;
+}
+
 int ignore_conntrack(struct nf_conntrack *ct)
 {
+ /* missing mandatory attributes in object */
+ if (!sanity_check(ct))
+ return 1;
+
 /* Accept DNAT'ed traffic: not really coming to the local machine */
 if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
 debug_ct(ct, "DNAT");
|
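Review bot: The switch on ATTR_L3PROTO in sanity_check() has no `default:` case, so an object whose layer-3 protocol is neither AF_INET nor AF_INET6 falls through to `return 1` and is accepted by ignore_conntrack() without any address attribute having been validated; unless another family is meant to be handled elsewhere, add `default: dlog(LOG_ERR, "unsupported layer 3 protocol"); return 0;` before the switch's closing brace (the `default:` branch of hash() in cache.c lies outside its hunk, so I cannot tell how such objects are treated there). The cache.c hunk also removes the IPv6 address guard from hash() on the assumption that everything reaching the cache has already passed ignore_conntrack(); if any insertion path bypasses that function — objects arriving over the sync channel from a peer rather than from the local nfnetlink socket would be the case to confirm — __hash6() now reads attributes nobody checked, which is worth verifying before relying on the new placement. sanity_check() is complete within the hunk, while the body of ignore_conntrack() continues past it.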