Patchwork [libnftables,09/21] ct: xml: add extra dir check

Submitter Arturo Borrero
Date June 26, 2013, 11:37 a.m.
Message ID <20130626113707.23511.14221.stgit@nfdev.cica.es>
Permalink /patch/254712/
State Accepted

Comments

Arturo Borrero - June 26, 2013, 11:37 a.m.
This patch adds an extra dir check.

0 means original.
1 means a reply.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
 src/expr/ct.c |    4 ++++
 1 file changed, 4 insertions(+)



Patch

diff --git a/src/expr/ct.c b/src/expr/ct.c
index 61a8fef..3605ecc 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -14,6 +14,7 @@ 
 #include <arpa/inet.h>
 #include <errno.h>
 #include <linux/netfilter/nf_tables.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
 
 #include "internal.h"
 #include <libmnl/libmnl.h>
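Review bot: the new include of <linux/netfilter/nf_conntrack_tuple_common.h> pulls a kernel UAPI header into the library only to obtain IP_CT_DIR_ORIGINAL and IP_CT_DIR_REPLY; since nothing on the library side guarantees that header is present in every build environment, it would be worth confirming that the project's existing header dependencies (it already includes <linux/netfilter/nf_tables.h>) ship alongside it, and otherwise guarding the build accordingly rather than adding a hard dependency for two constants.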
@@ -202,6 +203,9 @@  static int nft_rule_expr_ct_xml_parse(struct nft_rule_expr *e, char *xml)
 	if (tmp > UINT8_MAX || tmp < 0 || *endptr)
 		goto err;
 
+	if (tmp != IP_CT_DIR_ORIGINAL && tmp != IP_CT_DIR_REPLY)
+		goto err;
+
 	ct->dir = tmp;
 	e->flags |= (1 << NFT_EXPR_CT_DIR);
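Review bot: the new test `if (tmp != IP_CT_DIR_ORIGINAL && tmp != IP_CT_DIR_REPLY) goto err;` makes the preceding `tmp > UINT8_MAX || tmp < 0` range check redundant, because both accepted values already lie within that range; only the `*endptr` check still carries independent meaning. Consider folding the two into a single condition, e.g. `if (*endptr || (tmp != IP_CT_DIR_ORIGINAL && tmp != IP_CT_DIR_REPLY)) goto err;`, so the parser has one validation step for the dir attribute instead of two that overlap. It would also help to state in the commit message that the check rejects any direction value other than original (0) and reply (1), since the message currently describes the two values but not that everything else is now an error.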