[libnftables PATCH 09/21] ct: xml: add extra dir check

This patch adds an extra dir check.

0 means original.
1 means a reply.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx>
---
 src/expr/ct.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/expr/ct.c b/src/expr/ct.c
index 61a8fef..3605ecc 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -14,6 +14,7 @@
 #include <arpa/inet.h>
 #include <errno.h>
 #include <linux/netfilter/nf_tables.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
 
 #include "internal.h"
 #include <libmnl/libmnl.h>
@@ -202,6 +203,9 @@ static int nft_rule_expr_ct_xml_parse(struct nft_rule_expr *e, char *xml)
 	if (tmp > UINT8_MAX || tmp < 0 || *endptr)
 		goto err;
 
+	if (tmp != IP_CT_DIR_ORIGINAL && tmp != IP_CT_DIR_REPLY)
+		goto err;
+
 	ct->dir = tmp;
 	e->flags |= (1 << NFT_EXPR_CT_DIR);
 
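Review bot: with the new two-value test in place, the `tmp > UINT8_MAX || tmp < 0` check two lines above it is redundant for this field (only 0 and 1 survive the enum test), which is harmless, but the more important gap is just before it: if `tmp` comes from strtol(), as the `endptr` test suggests, an empty <dir> value is not rejected, because strtol("") returns 0 with `endptr` pointing at the input, so `*endptr` is the terminating NUL, both checks pass, and ct->dir silently becomes IP_CT_DIR_ORIGINAL. Testing `endptr == xml` (or errno == ERANGE after the call) before the range checks would close that. Also worth confirming that the JSON parser and the NFT_EXPR_CT_DIR setter apply the same IP_CT_DIR_ORIGINAL/IP_CT_DIR_REPLY restriction, since this patch only touches the XML path.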

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
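The check this patch adds, written out as a stand-alone parser for the <dir> element together with the rejection paths a reviewer would probe: empty text, no digits at all, trailing garbage, values outside the uint8_t range, and in-range values that are neither conntrack direction. This is an added example for this page, not libnftables code; parse_ct_dir() and ct_dir_of() are hypothetical names, and the local enum mirrors the 0 = original / 1 = reply values stated in the commit message instead of including the kernel header, so it builds anywhere.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Conntrack direction values. Assumed to mirror IP_CT_DIR_ORIGINAL (0) and
 * IP_CT_DIR_REPLY (1) from <linux/netfilter/nf_conntrack_tuple_common.h>;
 * defined locally so this example builds without kernel headers.
 */
enum ct_dir {
	CT_DIR_ORIGINAL = 0,
	CT_DIR_REPLY    = 1,
};

/*
 * Parse the text of a <dir> element into a ct direction.
 * Returns 0 and stores the value in *dir on success, -1 on rejection.
 * Hypothetical helper for this example, not a libnftables function.
 */
static int parse_ct_dir(const char *text, uint8_t *dir)
{
	char *endptr;
	long tmp;

	/* strtol("") returns 0 with endptr == text and *endptr == '\0', so an
	 * empty element would slip through a bare "*endptr" test; reject it. */
	if (text == NULL || *text == '\0')
		return -1;

	errno = 0;
	tmp = strtol(text, &endptr, 10);

	/* ERANGE: value did not fit in a long (LONG_MIN/LONG_MAX returned).
	 * endptr == text: no digits at all (e.g. "x").
	 * *endptr != '\0': trailing garbage (e.g. "1x"). */
	if (errno == ERANGE || endptr == text || *endptr != '\0')
		return -1;

	/* Generic bounds for the uint8_t field. */
	if (tmp < 0 || tmp > UINT8_MAX)
		return -1;

	/* The real constraint: only the two conntrack directions are valid. */
	if (tmp != CT_DIR_ORIGINAL && tmp != CT_DIR_REPLY)
		return -1;

	*dir = (uint8_t)tmp;
	return 0;
}

/* Convenience wrapper: the accepted direction, or -1 if the text is rejected. */
int ct_dir_of(const char *text)
{
	uint8_t dir;

	return parse_ct_dir(text, &dir) == 0 ? (int)dir : -1;
}

int main(void)
{
	/* Constructed inputs covering both accepted values and every rejection path. */
	const char *inputs[] = { "0", "1", "2", "255", "256", "-1", "1x", "", "x",
				 "99999999999999999999" };
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
		printf("dir=\"%s\" -> %d\n", inputs[i], ct_dir_of(inputs[i]));
	return 0;
}
```

Note that strtol() still skips leading whitespace and accepts an explicit sign, so " 1" and "+1" are accepted here; whether that is desirable for an XML field is a policy choice, and rejecting it would mean checking that the first character is a digit before calling strtol().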