[libnetfilter_conntrack] setobjopt: don't autocomplete the reply tuple for ICMP[v6]

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Mon Dec 21 13:34:55 CET 2009 

Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_conntrack.git;a=commit;h=0f2017b930a312f693950fd14c987805d9bf6a48
commit 0f2017b930a312f693950fd14c987805d9bf6a48
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Mon Dec 21 13:25:04 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Mon Dec 21 13:25:04 2009 +0100

    setobjopt: don't autocomplete the reply tuple for ICMP[v6]
    
    This patch fixes the autocomplete feature for ICMP[v6] entries
    that makes the kernel return EINVAL. Basically, we skip the
    autocomplete since this is already done in the setter.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  0f2017b930a312f693950fd14c987805d9bf6a48 (commit)
      from  fab03af67c659c54043aab13581a19dead5718dd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 0f2017b930a312f693950fd14c987805d9bf6a48
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Dec 21 13:25:04 2009 +0100

    setobjopt: don't autocomplete the reply tuple for ICMP[v6]
    
    This patch fixes the autocomplete feature for ICMP[v6] entries
    that makes the kernel return EINVAL. Basically, we skip the
    autocomplete since this is already done in the setter.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------

 src/conntrack/objopt.c |   17 +++++++++++++++--
 1 files changed, 15 insertions(+), 2 deletions(-)
This patch fixes the autocomplete feature for ICMP[v6] entries
that makes the kernel return EINVAL. Basically, we skip the
autocomplete since this is already done in the setter.

Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

diff --git a/src/conntrack/objopt.c b/src/conntrack/objopt.c
index 4b36817..7e6e5e2 100644
--- a/src/conntrack/objopt.c
+++ b/src/conntrack/objopt.c
@@ -21,8 +21,21 @@ static void __autocomplete(struct nf_conntrack *ct, int dir)
 	       &ct->tuple[other].src.v6,
 	       sizeof(union __nfct_address));
 
-	ct->tuple[dir].l4src.all = ct->tuple[other].l4dst.all;
-	ct->tuple[dir].l4dst.all = ct->tuple[other].l4src.all;
+	switch(ct->tuple[dir].protonum) {
+	case IPPROTO_UDP:
+	case IPPROTO_TCP:
+	case IPPROTO_SCTP:
+	case IPPROTO_DCCP:
+	case IPPROTO_GRE:
+	case IPPROTO_UDPLITE:
+		ct->tuple[dir].l4src.all = ct->tuple[other].l4dst.all;
+		ct->tuple[dir].l4dst.all = ct->tuple[other].l4src.all;
+		break;
+	case IPPROTO_ICMP:
+	case IPPROTO_ICMPV6:
+		/* the setter already autocompletes the reply tuple. */
+		break;
+	}
 
 	/* XXX: this is safe but better convert bitset to uint64_t */
         ct->set[0] |= TS_ORIG | TS_REPL;

More information about the netfilter-cvslog mailing list