[conntrack-tools] conntrack: cleanup for NAT filtering

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Thu Oct 16 15:46:15 CEST 2008


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=b8ed29727d24862523d57066ede86635d8dbacbf
commit b8ed29727d24862523d57066ede86635d8dbacbf
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Thu Oct 16 15:40:49 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Thu Oct 16 15:40:49 2008 +0200

    conntrack: cleanup for NAT filtering
    
    This patch cleans up the NAT filtering. The former code had three
    branches, one if src and dst NAT are set, else one if src NAT is
    set, else one if dst NAT is set.
    
    Now, we check if src NAT is set or if dst NAT is set.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  b8ed29727d24862523d57066ede86635d8dbacbf (commit)
      from  a557f4a9c5dfae272660e58500386be65274adeb (commit)


- Log -----------------------------------------------------------------
commit b8ed29727d24862523d57066ede86635d8dbacbf
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Thu Oct 16 15:40:49 2008 +0200

    conntrack: cleanup for NAT filtering
    
    This patch cleanups the NAT filtering. The former code had three
    branches, one if src and dst NAT are set, else one if src NAT is
    set, else one if dst NAT is set.
    
    Now, we check if src NAT is set or if dst NAT is set.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 src/conntrack.c |   33 +++++++++------------------------
 1 files changed, 9 insertions(+), 24 deletions(-)
This patch cleanups the NAT filtering. The former code had three
branches, one if src and dst NAT are set, else one if src NAT is
set, else one if dst NAT is set.

Now, we check if src NAT is set or if dst NAT is set.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/src/conntrack.c b/src/conntrack.c
index 0051639..152f94e 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -597,28 +597,12 @@ usage(char *prog)
 
 static unsigned int output_mask;
 
-static int ignore_nat(const struct nf_conntrack *obj,
-		      const struct nf_conntrack *ct)
+static int 
+filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
 {
 	uint32_t ip;
 
-	if (options & CT_OPT_SRC_NAT && options & CT_OPT_DST_NAT) {
-		if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) &&
-		    !nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
-			return 1;
-
-		if (nfct_attr_is_set(obj, ATTR_SNAT_IPV4)) {
-			ip = nfct_get_attr_u32(obj, ATTR_SNAT_IPV4);
-			if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
-				return 1;
-		}
-
-		if (nfct_attr_is_set(obj, ATTR_DNAT_IPV4)) {
-			ip = nfct_get_attr_u32(obj, ATTR_DNAT_IPV4);
-			if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC))
-				return 1;
-		}
-	} else if (options & CT_OPT_SRC_NAT) {
+	if (options & CT_OPT_SRC_NAT) {
 		if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT))
 		  	return 1;
 
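Review bot: The two new guards `if (options & CT_OPT_SRC_NAT)` and `if (options & CT_OPT_DST_NAT)` (the second in the next hunk) change behaviour when both options are given, which the commit message presents as a pure cleanup: the removed combined branch skipped an entry only when it was neither SNAT nor DNAT, whereas the new sequence returns 1 as soon as either `nfct_getobjopt` check fails, so an entry now has to be both SNAT and DNAT to pass the filter. If that tightening is intended, the message and a header comment should say so; otherwise the combined case needs the old either/or behaviour back, e.g. by evaluating the two `nfct_getobjopt` results together before returning. A one-line header would also help readers of the callers, which treat a non-zero return as "skip this entry": `/* Return 1 if ct does not satisfy the NAT filter selected in options and must be skipped, 0 otherwise. */`. The new `static int ` line also carries trailing whitespace. filter_nat's body continues past the end of both hunks.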
@@ -627,7 +611,8 @@ static int ignore_nat(const struct nf_conntrack *obj,
 			if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
 				return 1;
 		}
-	} else if (options & CT_OPT_DST_NAT) {
+	}
+	if (options & CT_OPT_DST_NAT) {
 		if (!nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
 			return 1;
 
@@ -667,7 +652,7 @@ static int event_cb(enum nf_conntrack_msg_type type,
 	unsigned int op_type = NFCT_O_DEFAULT;
 	unsigned int op_flags = 0;
 
-	if (ignore_nat(obj, ct))
+	if (filter_nat(obj, ct))
 		return NFCT_CB_CONTINUE;
 
 	if (options & CT_COMPARISON &&
@@ -714,7 +699,7 @@ static int dump_cb(enum nf_conntrack_msg_type type,
 	unsigned int op_type = NFCT_O_DEFAULT;
 	unsigned int op_flags = 0;
 
-	if (ignore_nat(obj, ct))
+	if (filter_nat(obj, ct))
 		return NFCT_CB_CONTINUE;
 
 	if (options & CT_COMPARISON &&
@@ -752,7 +737,7 @@ static int delete_cb(enum nf_conntrack_msg_type type,
 	unsigned int op_type = NFCT_O_DEFAULT;
 	unsigned int op_flags = 0;
 
-	if (ignore_nat(obj, ct))
+	if (filter_nat(obj, ct))
 		return NFCT_CB_CONTINUE;
 
 	if (options & CT_COMPARISON &&
@@ -812,7 +797,7 @@ static int update_cb(enum nf_conntrack_msg_type type,
 
 	memset(tmp, 0, sizeof(__tmp));
 
-	if (ignore_nat(obj, ct))
+	if (filter_nat(obj, ct))
 		return NFCT_CB_CONTINUE;
 
 	if (nfct_attr_is_set(obj, ATTR_ID) && nfct_attr_is_set(ct, ATTR_ID) &&
