From 587a85e0603d514656a434d44c82d1fdacd5e326 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 16 Sep 2008 21:11:37 +0200
Subject: filter: fix NAT detection tweak

With this patch, we rely on the real source and destination of the packet to perform the filter.

The current NAT detection tweak is broken for certain situations.

Signed-off-by: Pablo Neira Ayuso
---
 src/filter.c  |  9 +++------
 src/netlink.c | 12 ------------
 2 files changed, 3 insertions(+), 18 deletions(-)

diff --git a/src/filter.c b/src/filter.c
index eaf0a93..33fe30e 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -167,10 +167,9 @@ __ct_filter_test_ipv4(struct ct_filter *f, struct nf_conntrack *ct)
 	if (!f->h)
 		return 0;
 
+	/* we only use the real source and destination address */
 	return (hashtable_test(f->h, nfct_get_attr(ct, ATTR_ORIG_IPV4_SRC)) ||
-		hashtable_test(f->h, nfct_get_attr(ct, ATTR_ORIG_IPV4_DST)) ||
-		hashtable_test(f->h, nfct_get_attr(ct, ATTR_REPL_IPV4_SRC)) ||
-		hashtable_test(f->h, nfct_get_attr(ct, ATTR_REPL_IPV4_DST)));
+		hashtable_test(f->h, nfct_get_attr(ct, ATTR_REPL_IPV4_SRC)));
 }
 
 static int
@@ -180,9 +179,7 @@ __ct_filter_test_ipv6(struct ct_filter *f, struct nf_conntrack *ct)
 		return 0;
 
 	return (hashtable_test(f->h6, nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC)) ||
-		hashtable_test(f->h6, nfct_get_attr(ct, ATTR_ORIG_IPV6_DST)) ||
-		hashtable_test(f->h6, nfct_get_attr(ct, ATTR_REPL_IPV6_SRC)) ||
-		hashtable_test(f->h6, nfct_get_attr(ct, ATTR_REPL_IPV6_DST)));
+		hashtable_test(f->h6, nfct_get_attr(ct, ATTR_REPL_IPV6_SRC)));
 }
 
 static int __ct_filter_test_state(struct ct_filter *f, struct nf_conntrack *ct)
diff --git a/src/netlink.c b/src/netlink.c
index 8b02ac5..a4b94dd 100644
--- a/src/netlink.c
+++ b/src/netlink.c
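Review bot: The comment added in the __ct_filter_test_ipv4 hunk says "real source and destination address", but the second operand it sits above tests ATTR_REPL_IPV4_SRC, so a reader has to already know that conntrack's reply-tuple source is the untranslated (post-DNAT) destination while ATTR_ORIG_IPV4_DST and ATTR_REPL_IPV4_DST carry the NAT-mapped addresses; the comment should spell that mapping out, e.g. `/* test only the real endpoints: ORIG_SRC is the untranslated source and REPL_SRC the untranslated destination; ORIG_DST/REPL_DST hold the NAT-mapped addresses and are deliberately skipped */`. The same reduction in the __ct_filter_test_ipv6 hunk below gets no comment at all, so the two functions now document the same decision inconsistently; the same comment belongs above the ATTR_ORIG_IPV6_SRC return. The ipv6 hunk begins inside its function (the `if (!f->h6)` guard is outside the hunk), so the comment would have to be placed on the `return (` line shown here.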
@@ -66,18 +66,6 @@ int ignore_conntrack(struct nf_conntrack *ct)
 	if (!sanity_check(ct))
 		return 1;
 
-	/* Accept DNAT'ed traffic: not really coming to the local machine */
-	if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT)) {
-		debug_ct(ct, "DNAT");
-		return 0;
-	}
-
-	/* Accept SNAT'ed traffic: not really coming to the local machine */
-	if (nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) {
-		debug_ct(ct, "SNAT");
-		return 0;
-	}
-
 	/* Ignore traffic */
 	if (!ct_filter_check(STATE(us_filter), ct)) {
 		debug_ct(ct, "ignore traffic");
-- 
cgit v1.2.3
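Review bot: With the DNAT/SNAT early-accept removed, NAT'ed conntracks now fall through to ct_filter_check like every other flow, but the surviving `/* Ignore traffic */` comment does not record that the filter is now the only thing deciding their fate, so the next reader of ignore_conntrack cannot tell whether NAT was forgotten or deliberately folded into the address filter. I would widen the comment to `/* Ignore traffic not admitted by the address filter; NAT'ed flows are no longer exempted here because the filter tests the real (untranslated) source and destination */`. This is also a behavioural change for deployments that relied on NAT'ed connections being accepted regardless of the configured filter, which the commit message only hints at; a sentence in the description saying such setups must now list the real addresses would help operators. ignore_conntrack continues past the end of this hunk.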