netfilter: ctnetlink: fix filtering with CTA_TUPLE_REPLY

filter->orig_flags was used for a reply context.

Fixes: cb8aa9a3affb ("netfilter: ctnetlink: add kernel side filtering for dump")
Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index f1e5443fe7c74cde3f5f0a1a01bcbe530bedb75c..2663764d0b6eeba368e65f5fc6d1e7fd3689a0db 100644 (file)
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1011,7 +1011,7 @@ ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)
                                                   CTA_TUPLE_REPLY,
                                                   filter->family,
                                                   &filter->zone,
-                                                  filter->orig_flags);
+                                                  filter->reply_flags);
                if (err < 0) {
                        err = -EINVAL;
                        goto err_filter;