`conntrack -L --src-nat --dst-nat` doesn't work with version 0.9.14

`conntrack -L --src-nat --dst-nat` doesn't work with version 0.9.14

[Mohit Mehta]

Hi Everyone,

With previous versions of conntrack [for eg. version 0.9.6]; you could list conntrack entries and have them filtered for both source and destination NAT. This was great for looking at all NAT entries at the same time.

However, it seems that in the current version that doesn't work i.e. you cannot filter entries for both source and destination NAT together. Filtering on either of the two types still works fine. I'm not quite sure about the history of this if any; so can someone point out whether this change was intentional or an oversight?

Thanks,
Mohit

Re: `conntrack -L --src-nat --dst-nat` doesn't work with version 0.9.14

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 626 bytes --]

Mohit Mehta wrote:
> Hi Everyone,
> 
> With previous versions of conntrack [for eg. version 0.9.6]; you could list conntrack entries and have them filtered for both source and destination NAT. This was great for looking at all NAT entries at the same time.
> 
> However, it seems that in the current version that doesn't work i.e. you cannot filter entries for both source and destination NAT together. Filtering on either of the two types still works fine. I'm not quite sure about the history of this if any; so can someone point out whether this change was intentional or an oversight?

Could you test if this patch helps?

[-- Attachment #2: nat.patch --]
[-- Type: text/x-patch, Size: 1538 bytes --]

conntrack: fix `-L --src-nat --dst-nat'

From: Pablo Neira Ayuso <pablo@netfilter.org>

Since > 0.9.6, the conntrack listing with the options --src-nat
and --dst-nat does not work. This patch fixes the problem.

Reported-by: Mohit Mehta <mohit.mehta@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/conntrack.c |   22 +++++++++-------------
 1 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/src/conntrack.c b/src/conntrack.c
index eec3868..7d413c7 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -635,27 +635,23 @@ filter_nat(const struct nf_conntrack *obj, const struct nf_conntrack *ct)
 	uint32_t ip;
 
 	if (options & CT_OPT_SRC_NAT) {
-		if (!nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT))
-		  	return 1;
-
 		if (nfct_attr_is_set(obj, ATTR_SNAT_IPV4)) {
 			ip = nfct_get_attr_u32(obj, ATTR_SNAT_IPV4);
-			if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
-				return 1;
-		}
+			if (ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_DST))
+				return 0;
+		} else if (nfct_getobjopt(ct, NFCT_GOPT_IS_SNAT))
+		  	return 0;
 	}
 	if (options & CT_OPT_DST_NAT) {
-		if (!nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
-			return 1;
-
 		if (nfct_attr_is_set(obj, ATTR_DNAT_IPV4)) {
 			ip = nfct_get_attr_u32(obj, ATTR_DNAT_IPV4);
-			if (ip != nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC))
-				return 1;
-		}
+			if (ip == nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC))
+				return 0;
+		} else if (nfct_getobjopt(ct, NFCT_GOPT_IS_DNAT))
+			return 0;
 	}
 
-	return 0;
+	return 1;
 }
 
 static int counter;

Re: `conntrack -L --src-nat --dst-nat` doesn't work with version 0.9.14

[Mohit Mehta]

----- "Pablo Neira Ayuso" <pablo@netfilter.org> wrote:

> Mohit Mehta wrote:
> > Hi Everyone,
> > 
> > With previous versions of conntrack [for eg. version 0.9.6]; you
> could list conntrack entries and have them filtered for both source
> and destination NAT. This was great for looking at all NAT entries at
> the same time.
> > 
> > However, it seems that in the current version that doesn't work i.e.
> you cannot filter entries for both source and destination NAT
> together. Filtering on either of the two types still works fine. I'm
> not quite sure about the history of this if any; so can someone point
> out whether this change was intentional or an oversight?
> 
> Could you test if this patch helps?

Works Great! 

Thanks Pablo.