ct: xml: add extra dir check

This patch adds an extra dir check.

0 means original.
1 means a reply.

Pablo decided not to include nf_conntrack_tuple_common.h, instead internally
defined them.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/expr/ct.c b/src/expr/ct.c
index 61a8fef79607a950e7d71306cc9532058854b4de..c6d11c9aa04ac783cc7cb12ef4c4a53ce6630bac 100644 (file)
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -27,6 +27,9 @@ struct nft_expr_ct {
        uint8_t                 dir;
 };
 
+#define IP_CT_DIR_ORIGINAL     0
+#define IP_CT_DIR_REPLY                1
+
 static int
 nft_rule_expr_ct_set(struct nft_rule_expr *e, uint16_t type,
                       const void *data, size_t data_len)
@@ -202,6 +205,9 @@ static int nft_rule_expr_ct_xml_parse(struct nft_rule_expr *e, char *xml)
        if (tmp > UINT8_MAX || tmp < 0 || *endptr)
                goto err;
 
+       if (tmp != IP_CT_DIR_ORIGINAL && tmp != IP_CT_DIR_REPLY)
+               goto err;
+
        ct->dir = tmp;
        e->flags |= (1 << NFT_EXPR_CT_DIR);