Message ID | 20130705020312.25783ccd.billfink@mindspring.com |
---|---|
State | Superseded |
Bill Fink <billfink@mindspring.com> wrote:
> 230 Anonymous login ok, restrictions apply.
> EPSV
> 229 Entering Extended Passive Mode (|||1584|)
>
> As soon as I enter the EPSV command, I get the following
> conntrackd segfault:
>
> Jul 5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]

#0 0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
99 a += k[0];
(gdb) bt f
#0 0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
a = 2654435769 b = 2654435769 c = 0 len = 4
#1 0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57
#2 0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63
#3 0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265
id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0

NULL deref in __ct_filter_test_ipv6. Doesn't happen for ipv4 because
nfct_get_attr_u32() return 0, but nfct_get_attr() returns NULL instead.

@@ -261,8 +264,8 @@ __ct_filter_test_ipv6(struct ct_filter *f, const struct nf_conntrack *ct) src = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC); dst = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC); - id_src = hashtable_hash(f->h6, src); - id_dst = hashtable_hash(f->h6, dst); + id_src = src ? hashtable_hash(f->h6, src) : 0; + id_dst = dst ? hashtable_hash(f->h6, dst) : 0;

Not sure if this is enough, there are other callers
of nfct_get_attr() that don't check for NULL.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
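Review bot: In the __ct_filter_test_ipv6() hunk above, substituting 0 when `src` or `dst` is NULL makes a missing address indistinguishable from an address that really hashes to bucket 0, and both pointers are still NULL for any later use in the function. When the attribute is absent there is nothing to match, so it would be clearer to test `if (!src || !dst)` right after the two nfct_get_attr() calls and return the function's no-match result before hashing. A one-line comment that nfct_get_attr() returns NULL for an unset attribute would also help whoever audits the other callers mentioned below the hunk.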
[Please Cc: me on replies as I am not subscribed]

Florian,

First, many thanks for the quick fix!

On Fri, 5 Jul 2013, Florian Westphal wrote:
> Bill Fink <billfink@xxxxxxxxxxxxxx> wrote:
> > 230 Anonymous login ok, restrictions apply.
> > EPSV
> > 229 Entering Extended Passive Mode (|||1584|)
> >
> > As soon as I enter the EPSV command, I get the following
> > conntrackd segfault:
> >
> > Jul 5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]
>
> #0 0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at
> ../include/jhash.h:99
> 99 a += k[0];
> (gdb) bt f
> #0 0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
> a = 2654435769 b = 2654435769 c = 0 len = 4
> #1 0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57
> #2 0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63
> #3 0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265
> id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0
>
> NULL deref in __ct_filter_test_ipv6. Doesn't happen for ipv4 because
> nfct_get_attr_u32() return 0, but nfct_get_attr() returns NULL instead.
> > @@ -261,8 +264,8 @@ __ct_filter_test_ipv6(struct ct_filter *f, const > struct nf_conntrack *ct) > src = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC); > dst = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC); > > - id_src = hashtable_hash(f->h6, src); > - id_dst = hashtable_hash(f->h6, dst); > + id_src = src ? hashtable_hash(f->h6, src) : 0; > + id_dst = dst ? hashtable_hash(f->h6, dst) : 0;
>
>
> Not sure if this is enough, there are other callers
> of nfct_get_attr() that don't check for NULL.

This cured my immediate problem. conntrackd no longer segfaults
and I now get IPv6 expectations.

[root@sen-fw1 ~]# conntrackd -i expect
proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=23046 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=38142 dport=21 class=0 helper=ftp [active since 44s]

I will now continue further testing.

I did need my patch to successfully resync the IPv6 expectations
from the kernel via "conntrackd -R" after flushing the conntrackd
cache via "conntrackd -f". I guess I should submit my patch as
an RFC patch to get comments on it.

-Thanks

-Bill
On Fri, 5 Jul 2013, Bill Fink wrote:
> [Please Cc: me on replies as I am not subscribed]
>
> On Fri, 5 Jul 2013, Florian Westphal wrote:
>
> > Bill Fink <billfink@xxxxxxxxxxxxxx> wrote:
> > > 230 Anonymous login ok, restrictions apply.
> > > EPSV
> > > 229 Entering Extended Passive Mode (|||1584|)
> > >
> > > As soon as I enter the EPSV command, I get the following
> > > conntrackd segfault:
> > >
> > > Jul 5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]
> >
> > #0 0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at
> > ../include/jhash.h:99
> > 99 a += k[0];
> > (gdb) bt f
> > #0 0x000000000040f217 in jhash2 (k=0x0, length=4, initval=0) at ../include/jhash.h:99
> > a = 2654435769 b = 2654435769 c = 0 len = 4
> > #1 0x000000000040f564 in ct_filter_hash6 (data=0x0, table=0x16ef630) at filter.c:57
> > #2 0x000000000040ad34 in hashtable_hash (table=0x16ef630, data=0x0) at hash.c:63
> > #3 0x000000000040fd19 in __ct_filter_test_ipv6 (f=0x16eeba0, ct=0x1703760) at filter.c:265
> > id_src = 51 id_dst = 24051376 src = 0x1703760 dst = 0x0
> >
> > NULL deref in __ct_filter_test_ipv6. Doesn't happen for ipv4 because
> > nfct_get_attr_u32() return 0, but nfct_get_attr() returns NULL instead.
> > > > @@ -261,8 +264,8 @@ __ct_filter_test_ipv6(struct ct_filter *f, const > > struct nf_conntrack *ct) > > src = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC); > > dst = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC); > > > > - id_src = hashtable_hash(f->h6, src); > > - id_dst = hashtable_hash(f->h6, dst); > > + id_src = src ? hashtable_hash(f->h6, src) : 0; > > + id_dst = dst ? hashtable_hash(f->h6, dst) : 0;
> >
> >
> > Not sure if this is enough, there are other callers
> > of nfct_get_attr() that don't check for NULL.
>
> This cured my immediate problem. conntrackd no longer segfaults
> and I now get IPv6 expectations.
>
> [root@sen-fw1 ~]# conntrackd -i expect
> proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=23046 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=38142 dport=21 class=0 helper=ftp [active since 44s]
>
> I will now continue further testing.
While definitely making progress, the next problem is that while
the active firewall sees the IPv6 ftp expectation, it is not
successfully synced to the backup firewall, and the following
error appears in the conntrackd.log on the backup firewall:

[Fri Jul 5 16:28:50 2013] (pid=5128) [ERROR] inject-add2: Invalid argument
Fri Jul 5 16:28:50 2013 300 proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=11645 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=46231 dport=21 class=0 helper=ftp

I don't see anything wrong with the above, which matches exactly
the IPv6 ftp expectation seen on the primary firewall:

[root@sen-fw1 ~]# conntrackd -i expect
proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=11645 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=46231 dport=21 class=0 helper=ftp [active since 185s]

I started looking at external_inject_exp_new() in external_inject.c,
where the inject-add2 error presumably comes from, but I haven't
gotten too far yet since I'm not that familiar with the code.

Anyone have any ideas about what might be wrong?

-Thanks

-Bill
Hi,

On Fri, Jul 05, 2013 at 02:03:12AM -0400, Bill Fink wrote:
> [not sure whether to send to netfilter or netfilter-devel,
> so sending to both, but trim replies as appropriate]
>
> I am trying to use the ftp ExpectationSync capability of conntrackd
> for both IPv4 and IPv6 for connections through a pair of bridged
> firewalls (primary / hot backup). I have the following config
> snippet in conntrackd.conf:
>
> Options {
>     ExpectationSync {
>         ftp
>         sip
>         ras # for H.323
>         q.931 # for H.323
>         h.245 # for H.323
>     }
> }
>
> For IPv4, things work as expected. But when I try the basic
> analogous IPv6 test to the suggested IPv4 test from the
> documentation:
>
> x100ssd2% nc 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 21
> 220 FTP Server ready.
> USER anonymous
> 331 Anonymous login ok, send your complete email address as your password
> PASS bill@
> 230-
> *** Welcome to this anonymous ftp server! ***
>
> You are user 1 out of a maximum of 10 authorized anonymous logins.
> The current time here is Thu Jul 04 23:40:51 2013.
> If you experience any problems here, contact : root@localhost
>
>
> 230 Anonymous login ok, restrictions apply.
> EPSV
> 229 Entering Extended Passive Mode (|||1584|)
>
> As soon as I enter the EPSV command, I get the following
> conntrackd segfault:
>
> Jul 5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]

I have pushed this patch to fix this issue.

http://git.netfilter.org/conntrack-tools/commit/?id=479a37a549abf197ce59a4ae1666d8cba80fe977

Thanks Florian for diagnosing this, and you for reporting.

> I am using a Fedora 17 3.7.3-101.fc17.x86_64 kernel with
> conntrack-tools-1.4.0-1.fc17.x86_64.
>
> I had to use the attached patch to get "conntrackd -R" to resync
> both IPv4 and IPv6 (enabled with a "Family IPv4-IPv6" entry in
> conntrackd.conf). It works well for me for the basic ct table,
> but I'm not sure about the expect table part since I can't really
> exercise it due to the segfault. Note the segfault also occurs
> with the original unpatched conntrackd, so it's not related to
> my patch.

For this, I have applied the following patch:

http://git.netfilter.org/conntrack-tools/commit/?id=e2c6576e775652c35d336afa0551676339c6a793

Let me know.
On Sat, 6 Jul 2013, Pablo Neira Ayuso wrote:
> On Fri, Jul 05, 2013 at 02:03:12AM -0400, Bill Fink wrote:
> > [not sure whether to send to netfilter or netfilter-devel,
> > so sending to both, but trim replies as appropriate]
> >
> > I am trying to use the ftp ExpectationSync capability of conntrackd
> > for both IPv4 and IPv6 for connections through a pair of bridged
> > firewalls (primary / hot backup). I have the following config
> > snippet in conntrackd.conf:
> >
> > Options {
> >     ExpectationSync {
> >         ftp
> >         sip
> >         ras # for H.323
> >         q.931 # for H.323
> >         h.245 # for H.323
> >     }
> > }
> >
> > For IPv4, things work as expected. But when I try the basic
> > analogous IPv6 test to the suggested IPv4 test from the
> > documentation:
> >
> > x100ssd2% nc 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 21
> > 220 FTP Server ready.
> > USER anonymous
> > 331 Anonymous login ok, send your complete email address as your password
> > PASS bill@
> > 230-
> > *** Welcome to this anonymous ftp server! ***
> >
> > You are user 1 out of a maximum of 10 authorized anonymous logins.
> > The current time here is Thu Jul 04 23:40:51 2013.
> > If you experience any problems here, contact : root@localhost
> >
> >
> > 230 Anonymous login ok, restrictions apply.
> > EPSV
> > 229 Entering Extended Passive Mode (|||1584|)
> >
> > As soon as I enter the EPSV command, I get the following
> > conntrackd segfault:
> >
> > Jul 5 00:41:06 sen-fw1 kernel: [274422.060695] conntrackd[4821]: segfault at 0 ip 000000000040c660 sp 00007fffebb098a8 error 4 in conntrackd[400000+3d000]
>
> I have pushed this patch to fix this issue.
>
> http://git.netfilter.org/conntrack-tools/commit/?id=479a37a549abf197ce59a4ae1666d8cba80fe977
>
> Thanks Florian for diagnosing this, and you for reporting.

Thanks! I have tested this and it does fix the segfault.

> > I am using a Fedora 17 3.7.3-101.fc17.x86_64 kernel with
> > conntrack-tools-1.4.0-1.fc17.x86_64.
> >
> > I had to use the attached patch to get "conntrackd -R" to resync
> > both IPv4 and IPv6 (enabled with a "Family IPv4-IPv6" entry in
> > conntrackd.conf). It works well for me for the basic ct table,
> > but I'm not sure about the expect table part since I can't really
> > exercise it due to the segfault. Note the segfault also occurs
> > with the original unpatched conntrackd, so it's not related to
> > my patch.
>
> For this, I have applied the following patch:
>
> http://git.netfilter.org/conntrack-tools/commit/?id=e2c6576e775652c35d336afa0551676339c6a793

I also tested this and it fixes the IPv6 kernel resync issue.

> Let me know.

I still have the remaining problem that the IPv6 expectation
is not successfully synced from the primary firewall to the
backup firewall. I see the following error in conntrackd.log
on the backup firewall:

[Sun Jul 7 01:56:38 2013] (pid=24763) [ERROR] inject-add2: Invalid argument
Sun Jul 7 01:56:38 2013 300 proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=39767 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=37484 dport=21 class=0 helper=ftp

This exactly matches the IPv6 expectation on the primary firewall:

[root@sen-fw1 ~]# conntrackd -i expect
proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=39767 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=37484 dport=21 class=0 helper=ftp [active since 9s]

IPv4 expectations are working fine.
I tried to track down the error, and followed the error path:

external_inject_exp_new() ->
nl_create_expect()->
nfexp_query() ->
nfnl_query() ->
nfnl_catch() ->
nfnl_process() ->
nfnl_step() ->
nfnl_is_error() because
nlh->nlmsg_type == NLMSG_ERROR

but I wasn't sure how to proceed further.

-Thanks

-Bill
On Sun, 7 Jul 2013, Bill Fink wrote:
> I still have the remaining problem that the IPv6 expectation
> is not successfully synced from the primary firewall to the
> backup firewall. I see the following error in conntrackd.log
> on the backup firewall:
>
> [Sun Jul 7 01:56:38 2013] (pid=24763) [ERROR] inject-add2: Invalid argument
> Sun Jul 7 01:56:38 2013 300 proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=39767 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=37484 dport=21 class=0 helper=ftp
>
> This exactly matches the IPv6 expectation on the primary firewall:
>
> [root@sen-fw1 ~]# conntrackd -i expect
> proto=6 src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=0 dport=39767 mask-src=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mask-dst=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff sport=0 dport=65535 master-src=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx master-dst=2001:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy sport=37484 dport=21 class=0 helper=ftp [active since 9s]
>
> IPv4 expectations are working fine.
>
> I tried to track down the error, and followed the error path:
>
> external_inject_exp_new() ->
> nl_create_expect()->
> nfexp_query() ->
> nfnl_query() ->
> nfnl_catch() ->
> nfnl_process() ->
> nfnl_step() ->
> nfnl_is_error() because
> nlh->nlmsg_type == NLMSG_ERROR
>
> but I wasn't sure how to proceed further.

I made some more progress, but still haven't found the root cause.
I put some printks in the nf_conntrack_netlink and nf_conntrack_ipv6
modules and tracked the error path there:

ctnetlink_new_expect() ->
ctnetlink_create_expect() ->
ctnetlink_parse_expect_nat() ->
ctnetlink_parse_tuple() ->
ctnetlink_parse_tuple_ip() ->
l3proto->nlattr_to_tuple() ->
ipv6_nlattr_to_tuple()

which fails because tb[CTA_IP_V6_SRC] and tb[CTA_IP_V6_DST] are null.

But I'm currently stuck there. Where are tb[CTA_IP_V6_SRC] and
tb[CTA_IP_V6_DST] supposed to be set? Is it in conntrackd during
the build of the netlink message, or somewhere in one of the
conntrack kernel modules during processing of the netlink message?

Is there a map somewhere of the control flow between conntrackd
and the conntrack kernel modules?

I was also a little confused by the call to ctnetlink_parse_expect_nat()
since I'm not using NAT.

-Thanks

-Bill
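How a `tb[]` slot ends up NULL in a trace like the one above, as an added example that is not part of the thread, the kernel or conntrack-tools: a netlink receiver fills its attribute table only from the attributes the sender encoded, so a check that needs both IPv6 addresses fails with EINVAL ("Invalid argument") when they are absent. The `X_IP_*` names, `attr_hdr`, `put_attr`, `parse_attrs`, `v6_tuple_from_attrs` and `inject_tuple` are hypothetical stand-ins, and the addresses are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in names (assumption); numbering follows the CTA_IP_* attributes. */
enum { X_IP_V4_SRC = 1, X_IP_V4_DST, X_IP_V6_SRC, X_IP_V6_DST, X_IP_MAX = X_IP_V6_DST };
struct attr_hdr { uint16_t len, type; };    /* len covers header + payload */
#define HDR sizeof(struct attr_hdr)
#define ATTR_ALIGN(n) (((size_t)(n) + 3u) & ~(size_t)3u)

/* Sender side: append one attribute, return the new write offset. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *data, uint16_t dlen)
{
    struct attr_hdr h = { (uint16_t)(HDR + dlen), type };
    memcpy(buf + off, &h, HDR);
    memcpy(buf + off + HDR, data, dlen);
    return off + ATTR_ALIGN(h.len);
}

/* Receiver side: tb[t] is set only for attributes present in the message. */
static int parse_attrs(const uint8_t *buf, size_t len, const uint8_t *tb[])
{
    size_t off = 0;
    memset(tb, 0, (X_IP_MAX + 1) * sizeof(tb[0]));
    while (off + HDR <= len) {
        struct attr_hdr h;
        memcpy(&h, buf + off, HDR);
        size_t want = HDR + (h.type >= X_IP_V6_SRC ? 16 : 4);
        if (h.type < 1 || h.type > X_IP_MAX || (size_t)h.len != want || want > len - off)
            return -EINVAL;     /* this sketch rejects anything unexpected */
        tb[h.type] = buf + off + HDR;
        off += ATTR_ALIGN(h.len);
    }
    return 0;
}

/* Modelled on the check the thread reports failing: both IPv6 addresses needed. */
static int v6_tuple_from_attrs(const uint8_t *tb[], uint8_t tuple[32])
{
    if (!tb[X_IP_V6_SRC] || !tb[X_IP_V6_DST])
        return -EINVAL;
    memcpy(tuple, tb[X_IP_V6_SRC], 16);
    memcpy(tuple + 16, tb[X_IP_V6_DST], 16);
    return 0;
}

/* Send a constructed tuple through the receiver; with_v6 == 0 sends IPv4 only. */
int inject_tuple(int with_v6)
{
    static const uint8_t a6[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 1 }, a4[4] = { 192, 0, 2, 1 };
    uint8_t msg[64], tuple[32];
    const uint8_t *tb[X_IP_MAX + 1];
    uint16_t base = with_v6 ? X_IP_V6_SRC : X_IP_V4_SRC, alen = with_v6 ? 16 : 4;
    size_t n = put_attr(msg, 0, base, with_v6 ? a6 : a4, alen);
    n = put_attr(msg, n, (uint16_t)(base + 1), with_v6 ? a6 : a4, alen);
    int err = parse_attrs(msg, n, tb);
    return err ? err : v6_tuple_from_attrs(tb, tuple);
}

int main(void)
{
    printf("with IPv6 attrs: %d, without: %d\n", inject_tuple(1), inject_tuple(0));
    return 0;
}
```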
diff -Nurp conntrack-tools-1.4.0.orig/src/netlink.c conntrack-tools-1.4.0/src/netlink.c --- conntrack-tools-1.4.0.orig/src/netlink.c 2012-09-21 10:06:07.000000000 -0400 +++ conntrack-tools-1.4.0/src/netlink.c 2013-07-04 23:32:36.302310719 -0400 @@ -148,7 +148,16 @@ void nl_resize_socket_buffer(struct nfct int nl_dump_conntrack_table(struct nfct_handle *h) { - return nfct_query(h, NFCT_Q_DUMP, &CONFIG(family)); + int fam, ret; + + if (!CONFIG(both_ipv4_ipv6)) + return nfct_query(h, NFCT_Q_DUMP, &CONFIG(family)); + fam = AF_INET; + ret = nfct_query(h, NFCT_Q_DUMP, &fam); + if (ret < 0) + return ret; + fam = AF_INET6; + return nfct_query(h, NFCT_Q_DUMP, &fam); } static int @@ -380,7 +389,16 @@ int nl_get_expect(struct nfct_handle *h, int nl_dump_expect_table(struct nfct_handle *h) { - return nfexp_query(h, NFCT_Q_DUMP, &CONFIG(family)); + int fam, ret; + + if (!CONFIG(both_ipv4_ipv6)) + return nfexp_query(h, NFCT_Q_DUMP, &CONFIG(family)); + fam = AF_INET; + ret = nfexp_query(h, NFCT_Q_DUMP, &fam); + if (ret < 0) + return ret; + fam = AF_INET6; + return nfexp_query(h, NFCT_Q_DUMP, &fam); } int nl_flush_expect_table(struct nfct_handle *h) diff -Nurp conntrack-tools-1.4.0.orig/src/read_config_yy.y conntrack-tools-1.4.0/src/read_config_yy.y --- conntrack-tools-1.4.0.orig/src/read_config_yy.y 2012-09-21 10:06:07.000000000 -0400 +++ conntrack-tools-1.4.0/src/read_config_yy.y 2013-03-20 18:47:36.391160857 -0400 
@@ -1193,10 +1193,27 @@ scheduler_line : T_PRIO T_NUMBER family : T_FAMILY T_STRING { - if (strncmp($2, "IPv6", strlen("IPv6")) == 0) + if (strncmp($2, "IPv6-IPv4", strlen("IPv6-IPv4")) == 0) { conf.family = AF_INET6; - else + conf.both_ipv4_ipv6 = 1; + } + else if (strncmp($2, "IPv6", strlen("IPv6")) == 0) { + conf.family = AF_INET6; + conf.both_ipv4_ipv6 = 0; + } + else if (strncmp($2, "IPv4-IPv6", strlen("IPv4-IPv6")) == 0) { + conf.family = AF_INET; + conf.both_ipv4_ipv6 = 1; + } + else if (strncmp($2, "IPv4", strlen("IPv4")) == 0) { conf.family = AF_INET; + conf.both_ipv4_ipv6 = 0; + } + else { + print_err(CTD_CFG_WARN, "%s is not a valid Family, " + "ignoring", $2); + break; + } }; event_iterations_limit : T_EVENT_ITER_LIMIT T_NUMBER @@ -1864,8 +1881,10 @@ init_config(char *filename) fclose(fp); /* default to IPv4 */ - if (CONFIG(family) == 0) + if (CONFIG(family) == 0) { CONFIG(family) = AF_INET; + CONFIG(both_ipv4_ipv6) = 0; + } /* set to default is not specified */ if (strcmp(CONFIG(lockfile), "") == 0)
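Review bot: In the nl_dump_conntrack_table() hunk of src/netlink.c, `if (ret < 0) return ret;` after the AF_INET dump means a failed IPv4 dump skips the AF_INET6 dump entirely, and the caller cannot tell which family failed. Consider attempting both dumps and returning the first error, or logging the family before returning. The dual-family branch also ignores CONFIG(family), so the order is always IPv4 then IPv6 whichever combined Family spelling was configured; a comment should say so if that is intended.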
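Review bot: The nl_dump_expect_table() hunk of src/netlink.c repeats the nl_dump_conntrack_table() logic line for line with nfexp_query() in place of nfct_query(); a small shared helper that takes the query function would keep the two copies from drifting apart. The covering message says the expect table part could not be exercised because of the segfault, so this is the untested copy and should be run with both families before it is merged.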
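Review bot: In the `family` rule of src/read_config_yy.y, every comparison has the form `strncmp($2, "IPv4-IPv6", strlen("IPv4-IPv6"))`, which is a prefix match: a value such as "IPv6foo" or "IPv4-IPv6x" is accepted silently, and correctness depends on testing the longer strings first. Use strcmp() for exact matches so that the new `else` branch with the "is not a valid Family" warning actually catches typos. The new "IPv4-IPv6" and "IPv6-IPv4" values also need an entry in the configuration documentation, which the visible diff does not touch.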
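Review bot: The init_config() hunk assigns CONFIG(both_ipv4_ipv6), and the other hunks read and write the same member, but the diff covers only src/netlink.c and src/read_config_yy.y and never adds `both_ipv4_ipv6` to the configuration structure, so the patch as posted looks incomplete; include the header change that declares it. The `CONFIG(family) == 0` test already assumes the structure starts out zeroed, so the added `CONFIG(both_ipv4_ipv6) = 0;` is redundant under that same assumption and could be dropped.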