Re: `conntrack -L --src-nat --dst-nat` doesn't work with version 0.9.14

Mohit Mehta wrote:
> Hi Everyone,
> 
> With previous versions of conntrack [e.g. version 0.9.6], you could list conntrack entries and have them filtered for both source and destination NAT. This was great for looking at all NAT entries at the same time.
> 
> However, it seems that in the current version that doesn't work, i.e. you cannot filter entries for both source and destination NAT together. Filtering on either of the two types still works fine. I'm not quite sure about the history of this, if any, so can someone point out whether this change was intentional or an oversight?

Could you test if this patch helps?
conntrack: fix `-L --src-nat --dst-nat'

From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Since > 0.9.6, the conntrack listing with the options --src-nat
and --dst-nat does not work. This patch fixes the problem.

Reported-by: Mohit Mehta <mohit.mehta@xxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/conntrack.c |   22 +++++++++-------------
 1 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/src/conntrack.c b/src/conntrack.c
index eec3868..7d413c7 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -635,27 +635,23 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
 	uint32_t ip;
 
 	if (options & CT_OPT_SRC_NAT) {
-		if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT))
-		  	return 1;
-
 		if (nfct_attr_is_set(obj, ATTR_SNAT_IPV4)) {
 			ip = nfct_get_attr_u32(obj, ATTR_SNAT_IPV4);
-			if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
-				return 1;
-		}
+			if (ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
+				return 0;
+		} else if (nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT))
+		  	return 0;
 	}
 	if (options & CT_OPT_DST_NAT) {
-		if (!nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
-			return 1;
-
 		if (nfct_attr_is_set(obj, ATTR_DNAT_IPV4)) {
 			ip = nfct_get_attr_u32(obj, ATTR_DNAT_IPV4);
-			if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC))
-				return 1;
-		}
+			if (ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC))
+				return 0;
+		} else if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
+			return 0;
 	}
 
-	return 0;
+	return 1;
 }
 
 static int counter;
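Review bot: dropping the NFCT_GOPT_IS_SNAT / NFCT_GOPT_IS_DNAT precondition in the address branches changes what `--src-nat <addr>` selects: an entry that is not SNAT at all but whose reply destination happens to equal <addr> (for an un-NATed flow the reply destination is just the original source) now passes the filter, whereas the removed `if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT)) return 1;` rejected it first. Suggest keeping the option check inside the address branch, e.g. `if (nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT) && ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST)) return 0;`, and the same for the DNAT branch. Also worth stating in the commit message: with the early `return 0` in each block and the final `return 1`, giving both options now lists entries that are SNAT *or* DNAT, where the old code required both; that is what the reporter asked for, but it is a semantic change to the combined filter and should be documented.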
