From: Jason Rippon <jason.rippon@xxxxxxxxxxxxxxxxxxx>

This ensures that port range masquerade rules work with the ftp alg. Previously the tfp data flow was not following the iptables rules.

Signed-off-by: Jason Rippon <jason.rippon@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Felix Jia <felix.jia@xxxxxxxxxxxxxxxxxxx>
---
 net/netfilter/nf_conntrack_ftp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index a11c304fb771..33324c67036c 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -521,7 +521,8 @@ static int help(struct sk_buff *skb,
 /* Now, NAT might want to mangle the packet, and register the
 * (possibly changed) expectation itself. */
 nf_nat_ftp = rcu_dereference(nf_nat_ftp_hook);
- if (nf_nat_ftp && ct->status & IPS_NAT_MASK)
+ if (nf_nat_ftp && (((ct->status & IPS_DST_NAT) && dir) ||
+ ((ct->status & IPS_SRC_NAT) && !dir)))
 ret = nf_nat_ftp(skb, ctinfo, search[dir][i].ftptype,
 protoff, matchoff, matchlen, exp);
 else {
--
2.19.1
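Review bot: The new condition in help() skips nf_nat_ftp() for every NATed connection whose FTP message travels in the other direction (IPS_SRC_NAT with a reply-direction message, IPS_DST_NAT with an original-direction one), so those expectations now fall into the `else` branch and are registered unmangled; the commit message only covers the port-range masquerade case. If the NAT helper is what rewrites the address carried in the FTP payload and binds the data flow to the master's mapping (its body is not visible in this hunk), these cases would pass the inner address through unchanged and leave the data connection entirely to the ruleset, so active and passive mode should each be tested under both SNAT and DNAT before merging. The bare `dir` / `!dir` tests also hide which direction is meant; `(ct->status & IPS_DST_NAT) && dir == IP_CT_DIR_REPLY` and `(ct->status & IPS_SRC_NAT) && dir == IP_CT_DIR_ORIGINAL` read unambiguously, ideally with a one-line comment stating why only these two pairings are mangled. The body of help() starts and ends outside the hunk.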