|
@@ -1062,6 +1062,10 @@ ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
|
|
|
{
|
|
{
|
|
|
int err;
|
|
int err;
|
|
|
|
|
|
|
|
|
|
+ /* only allow NAT changes and master assignation for new conntracks */
|
|
|
|
|
+ if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
|
|
|
|
|
+ return -EOPNOTSUPP;
|
|
|
|
|
+
|
|
|
if (cda[CTA_HELP]) {
|
|
if (cda[CTA_HELP]) {
|
|
|
err = ctnetlink_change_helper(ct, cda);
|
|
err = ctnetlink_change_helper(ct, cda);
|
|
|
if (err < 0)
|
|
if (err < 0)
|
|
@@ -1323,17 +1327,6 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
|
|
|
if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
|
|
if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
|
|
|
struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
|
|
struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
|
|
|
|
|
|
|
|
- /* we only allow nat config for new conntracks */
|
|
|
|
|
- if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
|
|
|
|
|
- err = -EOPNOTSUPP;
|
|
|
|
|
- goto out_unlock;
|
|
|
|
|
- }
|
|
|
|
|
- /* can't link an existing conntrack to a master */
|
|
|
|
|
- if (cda[CTA_TUPLE_MASTER]) {
|
|
|
|
|
- err = -EOPNOTSUPP;
|
|
|
|
|
- goto out_unlock;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
err = ctnetlink_change_conntrack(ct, cda);
|
|
err = ctnetlink_change_conntrack(ct, cda);
|
|
|
if (err == 0) {
|
|
if (err == 0) {
|
|
|
nf_conntrack_get(&ct->ct_general);
|
|
nf_conntrack_get(&ct->ct_general);
|
Pablo Neira Ayuso