Move libipt_conntrack to xt_conntrack.
Spice up the manpage.
Build with regular kernel headers (not that ipt_conntrack sauce).
Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
---
extensions/Makefile | 2
extensions/libipt_conntrack.c | 514 ---------------------------
extensions/libipt_conntrack.man | 49 --
extensions/libxt_conntrack.c | 512 ++++++++++++++++++++++++++
extensions/libxt_conntrack.man | 48 ++
include/linux/netfilter/xt_conntrack.h | 77 ++++
include/linux/netfilter_ipv4/ipt_conntrack.h | 77 ----
7 files changed, 638 insertions(+), 641 deletions(-)
Index: iptables-modules/extensions/Makefile
===================================================================
--- iptables-modules.orig/extensions/Makefile
+++ iptables-modules/extensions/Makefile
@@ -21,7 +21,6 @@ a += TTL
a += ULOG
a += addrtype
a += ah
-a += conntrack
a += ecn
a += icmp
a += iprange
@@ -62,6 +61,7 @@ a += comment
a += connbytes
a += connlimit
a += connmark
+a += conntrack
a += dccp
a += dscp
a += esp
Index: iptables-modules/extensions/libipt_conntrack.c
===================================================================
--- iptables-modules.orig/extensions/libipt_conntrack.c
+++ /dev/null
@@ -1,514 +0,0 @@
-/* Shared library add-on to iptables for conntrack matching support.
- * GPL (C) 2001 Marc Boucher (marc@xxxxxxx).
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <iptables.h>
-#include <linux/netfilter/nf_conntrack_common.h>
-/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv4/ipt_conntrack.h"
-
-#ifndef IPT_CONNTRACK_STATE_UNTRACKED
-#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
-#endif
-
-/* Function which prints out usage message. */
-static void conntrack_help(void)
-{
- printf(
-"conntrack match v%s options:\n"
-" [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]\n"
-" State(s) to match\n"
-" [!] --ctproto proto Protocol to match; by number or name, eg. `tcp'\n"
-" --ctorigsrc [!] address[/mask]\n"
-" Original source specification\n"
-" --ctorigdst [!] address[/mask]\n"
-" Original destination specification\n"
-" --ctreplsrc [!] address[/mask]\n"
-" Reply source specification\n"
-" --ctrepldst [!] address[/mask]\n"
-" Reply destination specification\n"
-" [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]\n"
-" Status(es) to match\n"
-" [!] --ctexpire time[:time] Match remaining lifetime in seconds against\n"
-" value or range of values (inclusive)\n"
-"\n", IPTABLES_VERSION);
-}
-
-static const struct option conntrack_opts[] = {
- { "ctstate", 1, NULL, '1' },
- { "ctproto", 1, NULL, '2' },
- { "ctorigsrc", 1, NULL, '3' },
- { "ctorigdst", 1, NULL, '4' },
- { "ctreplsrc", 1, NULL, '5' },
- { "ctrepldst", 1, NULL, '6' },
- { "ctstatus", 1, NULL, '7' },
- { "ctexpire", 1, NULL, '8' },
- { }
-};
-
-static int
-parse_state(const char *state, size_t strlen, struct ipt_conntrack_info *sinfo)
-{
- if (strncasecmp(state, "INVALID", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_INVALID;
- else if (strncasecmp(state, "NEW", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_NEW);
- else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
- else if (strncasecmp(state, "RELATED", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
- else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_UNTRACKED;
- else if (strncasecmp(state, "SNAT", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_SNAT;
- else if (strncasecmp(state, "DNAT", strlen) == 0)
- sinfo->statemask |= IPT_CONNTRACK_STATE_DNAT;
- else
- return 0;
- return 1;
-}
-
-static void
-parse_states(const char *arg, struct ipt_conntrack_info *sinfo)
-{
- const char *comma;
-
- while ((comma = strchr(arg, ',')) != NULL) {
- if (comma == arg || !parse_state(arg, comma-arg, sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
- arg = comma+1;
- }
-
- if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
-}
-
-static int
-parse_status(const char *status, size_t strlen, struct ipt_conntrack_info *sinfo)
-{
- if (strncasecmp(status, "NONE", strlen) == 0)
- sinfo->statusmask |= 0;
- else if (strncasecmp(status, "EXPECTED", strlen) == 0)
- sinfo->statusmask |= IPS_EXPECTED;
- else if (strncasecmp(status, "SEEN_REPLY", strlen) == 0)
- sinfo->statusmask |= IPS_SEEN_REPLY;
- else if (strncasecmp(status, "ASSURED", strlen) == 0)
- sinfo->statusmask |= IPS_ASSURED;
-#ifdef IPS_CONFIRMED
- else if (strncasecmp(status, "CONFIRMED", strlen) == 0)
- sinfo->stausmask |= IPS_CONFIRMED;
-#endif
- else
- return 0;
- return 1;
-}
-
-static void
-parse_statuses(const char *arg, struct ipt_conntrack_info *sinfo)
-{
- const char *comma;
-
- while ((comma = strchr(arg, ',')) != NULL) {
- if (comma == arg || !parse_status(arg, comma-arg, sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
- arg = comma+1;
- }
-
- if (strlen(arg) == 0 || !parse_status(arg, strlen(arg), sinfo))
- exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
-}
-
-static unsigned long
-parse_expire(const char *s)
-{
- unsigned int len;
-
- if (string_to_number(s, 0, 0, &len) == -1)
- exit_error(PARAMETER_PROBLEM, "expire value invalid: `%s'\n", s);
- else
- return len;
-}
-
-/* If a single value is provided, min and max are both set to the value */
-static void
-parse_expires(const char *s, struct ipt_conntrack_info *sinfo)
-{
- char *buffer;
- char *cp;
-
- buffer = strdup(s);
- if ((cp = strchr(buffer, ':')) == NULL)
- sinfo->expires_min = sinfo->expires_max = parse_expire(buffer);
- else {
- *cp = '\0';
- cp++;
-
- sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0;
- sinfo->expires_max = cp[0] ? parse_expire(cp) : -1;
- }
- free(buffer);
-
- if (sinfo->expires_min > sinfo->expires_max)
- exit_error(PARAMETER_PROBLEM,
- "expire min. range value `%lu' greater than max. "
- "range value `%lu'", sinfo->expires_min, sinfo->expires_max);
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
-{
- struct ipt_conntrack_info *sinfo = (struct ipt_conntrack_info *)(*match)->data;
- char *protocol = NULL;
- unsigned int naddrs = 0;
- struct in_addr *addrs = NULL;
-
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
-
- parse_states(argv[optind-1], sinfo);
- if (invert) {
- sinfo->invflags |= IPT_CONNTRACK_STATE;
- }
- sinfo->flags |= IPT_CONNTRACK_STATE;
- break;
-
- case '2':
- check_inverse(optarg, &invert, &optind, 0);
-
- if(invert)
- sinfo->invflags |= IPT_CONNTRACK_PROTO;
-
- /* Canonicalize into lower case */
- for (protocol = argv[optind-1]; *protocol; protocol++)
- *protocol = tolower(*protocol);
-
- protocol = argv[optind-1];
- sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = parse_protocol(protocol);
-
- if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
- && (sinfo->invflags & IPT_INV_PROTO))
- exit_error(PARAMETER_PROBLEM,
- "rule would never match protocol");
-
- sinfo->flags |= IPT_CONNTRACK_PROTO;
- break;
-
- case '3':
- check_inverse(optarg, &invert, &optind, 0);
-
- if (invert)
- sinfo->invflags |= IPT_CONNTRACK_ORIGSRC;
-
- parse_hostnetworkmask(argv[optind-1], &addrs,
- &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
- &naddrs);
- if(naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
-
- if(naddrs == 1) {
- sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = addrs[0].s_addr;
- }
-
- sinfo->flags |= IPT_CONNTRACK_ORIGSRC;
- break;
-
- case '4':
- check_inverse(optarg, &invert, &optind, 0);
-
- if (invert)
- sinfo->invflags |= IPT_CONNTRACK_ORIGDST;
-
- parse_hostnetworkmask(argv[optind-1], &addrs,
- &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
- &naddrs);
- if(naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
-
- if(naddrs == 1) {
- sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = addrs[0].s_addr;
- }
-
- sinfo->flags |= IPT_CONNTRACK_ORIGDST;
- break;
-
- case '5':
- check_inverse(optarg, &invert, &optind, 0);
-
- if (invert)
- sinfo->invflags |= IPT_CONNTRACK_REPLSRC;
-
- parse_hostnetworkmask(argv[optind-1], &addrs,
- &sinfo->sipmsk[IP_CT_DIR_REPLY],
- &naddrs);
- if(naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
-
- if(naddrs == 1) {
- sinfo->tuple[IP_CT_DIR_REPLY].src.ip = addrs[0].s_addr;
- }
-
- sinfo->flags |= IPT_CONNTRACK_REPLSRC;
- break;
-
- case '6':
- check_inverse(optarg, &invert, &optind, 0);
-
- if (invert)
- sinfo->invflags |= IPT_CONNTRACK_REPLDST;
-
- parse_hostnetworkmask(argv[optind-1], &addrs,
- &sinfo->dipmsk[IP_CT_DIR_REPLY],
- &naddrs);
- if(naddrs > 1)
- exit_error(PARAMETER_PROBLEM,
- "multiple IP addresses not allowed");
-
- if(naddrs == 1) {
- sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = addrs[0].s_addr;
- }
-
- sinfo->flags |= IPT_CONNTRACK_REPLDST;
- break;
-
- case '7':
- check_inverse(optarg, &invert, &optind, 0);
-
- parse_statuses(argv[optind-1], sinfo);
- if (invert) {
- sinfo->invflags |= IPT_CONNTRACK_STATUS;
- }
- sinfo->flags |= IPT_CONNTRACK_STATUS;
- break;
-
- case '8':
- check_inverse(optarg, &invert, &optind, 0);
-
- parse_expires(argv[optind-1], sinfo);
- if (invert) {
- sinfo->invflags |= IPT_CONNTRACK_EXPIRES;
- }
- sinfo->flags |= IPT_CONNTRACK_EXPIRES;
- break;
-
- default:
- return 0;
- }
-
- *flags = sinfo->flags;
- return 1;
-}
-
-static void conntrack_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "You must specify one or more options");
-}
-
-static void
-print_state(unsigned int statemask)
-{
- const char *sep = "";
-
- if (statemask & IPT_CONNTRACK_STATE_INVALID) {
- printf("%sINVALID", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
- printf("%sNEW", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
- printf("%sRELATED", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
- printf("%sESTABLISHED", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_UNTRACKED) {
- printf("%sUNTRACKED", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_SNAT) {
- printf("%sSNAT", sep);
- sep = ",";
- }
- if (statemask & IPT_CONNTRACK_STATE_DNAT) {
- printf("%sDNAT", sep);
- sep = ",";
- }
- printf(" ");
-}
-
-static void
-print_status(unsigned int statusmask)
-{
- const char *sep = "";
-
- if (statusmask & IPS_EXPECTED) {
- printf("%sEXPECTED", sep);
- sep = ",";
- }
- if (statusmask & IPS_SEEN_REPLY) {
- printf("%sSEEN_REPLY", sep);
- sep = ",";
- }
- if (statusmask & IPS_ASSURED) {
- printf("%sASSURED", sep);
- sep = ",";
- }
-#ifdef IPS_CONFIRMED
- if (statusmask & IPS_CONFIRMED) {
- printf("%sCONFIRMED", sep);
- sep =",";
- }
-#endif
- if (statusmask == 0) {
- printf("%sNONE", sep);
- sep = ",";
- }
- printf(" ");
-}
-
-static void
-print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric)
-{
- char buf[BUFSIZ];
-
- if (inv)
- printf("! ");
-
- if (mask->s_addr == 0L && !numeric)
- printf("%s ", "anywhere");
- else {
- if (numeric)
- sprintf(buf, "%s", addr_to_dotted(addr));
- else
- sprintf(buf, "%s", addr_to_anyname(addr));
- strcat(buf, mask_to_dotted(mask));
- printf("%s ", buf);
- }
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void
-matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx)
-{
- struct ipt_conntrack_info *sinfo = (struct ipt_conntrack_info *)match->data;
-
- if(sinfo->flags & IPT_CONNTRACK_STATE) {
- printf("%sctstate ", optpfx);
- if (sinfo->invflags & IPT_CONNTRACK_STATE)
- printf("! ");
- print_state(sinfo->statemask);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_PROTO) {
- printf("%sctproto ", optpfx);
- if (sinfo->invflags & IPT_CONNTRACK_PROTO)
- printf("! ");
- printf("%u ", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_ORIGSRC) {
- printf("%sctorigsrc ", optpfx);
-
- print_addr(
- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
- &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
- sinfo->invflags & IPT_CONNTRACK_ORIGSRC,
- numeric);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_ORIGDST) {
- printf("%sctorigdst ", optpfx);
-
- print_addr(
- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
- &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
- sinfo->invflags & IPT_CONNTRACK_ORIGDST,
- numeric);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_REPLSRC) {
- printf("%sctreplsrc ", optpfx);
-
- print_addr(
- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
- &sinfo->sipmsk[IP_CT_DIR_REPLY],
- sinfo->invflags & IPT_CONNTRACK_REPLSRC,
- numeric);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_REPLDST) {
- printf("%sctrepldst ", optpfx);
-
- print_addr(
- (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
- &sinfo->dipmsk[IP_CT_DIR_REPLY],
- sinfo->invflags & IPT_CONNTRACK_REPLDST,
- numeric);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_STATUS) {
- printf("%sctstatus ", optpfx);
- if (sinfo->invflags & IPT_CONNTRACK_STATUS)
- printf("! ");
- print_status(sinfo->statusmask);
- }
-
- if(sinfo->flags & IPT_CONNTRACK_EXPIRES) {
- printf("%sctexpire ", optpfx);
- if (sinfo->invflags & IPT_CONNTRACK_EXPIRES)
- printf("! ");
-
- if (sinfo->expires_max == sinfo->expires_min)
- printf("%lu ", sinfo->expires_min);
- else
- printf("%lu:%lu ", sinfo->expires_min, sinfo->expires_max);
- }
-}
-
-/* Prints out the matchinfo. */
-static void conntrack_print(const void *ip, const struct xt_entry_match *match,
- int numeric)
-{
- matchinfo_print(ip, match, numeric, "");
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void conntrack_save(const void *ip, const struct xt_entry_match *match)
-{
- matchinfo_print(ip, match, 1, "--");
-}
-
-static struct iptables_match conntrack_match = {
- .name = "conntrack",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_conntrack_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_conntrack_info)),
- .help = conntrack_help,
- .parse = conntrack_parse,
- .final_check = conntrack_check,
- .print = conntrack_print,
- .save = conntrack_save,
- .extra_opts = conntrack_opts,
-};
-
-void _init(void)
-{
- register_match(&conntrack_match);
-}
Index: iptables-modules/extensions/libipt_conntrack.man
===================================================================
--- iptables-modules.orig/extensions/libipt_conntrack.man
+++ /dev/null
@@ -1,49 +0,0 @@
-This module, when combined with connection tracking, allows access to
-more connection tracking information than the "state" match.
-(this module is present only if iptables was compiled under a kernel
-supporting this feature)
-.TP
-.BI "--ctstate " "state"
-Where state is a comma separated list of the connection states to
-match. Possible states are
-.B INVALID
-meaning that the packet is associated with no known connection,
-.B ESTABLISHED
-meaning that the packet is associated with a connection which has seen
-packets in both directions,
-.B NEW
-meaning that the packet has started a new connection, or otherwise
-associated with a connection which has not seen packets in both
-directions, and
-.B RELATED
-meaning that the packet is starting a new connection, but is
-associated with an existing connection, such as an FTP data transfer,
-or an ICMP error.
-.B SNAT
-A virtual state, matching if the original source address differs from
-the reply destination.
-.B DNAT
-A virtual state, matching if the original destination differs from the
-reply source.
-.TP
-.BI "--ctproto " "proto"
-Protocol to match (by number or name)
-.TP
-.BI "--ctorigsrc " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against original source address
-.TP
-.BI "--ctorigdst " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against original destination address
-.TP
-.BI "--ctreplsrc " "[!] \fIaddress\fP[/\fImask\fP]"
-Match against reply source address
-.TP
-.BI "--ctrepldst " "[!] \fIaddress\fB[/\fImask\fP]"
-Match against reply destination address
-.TP
-.BI "--ctstatus " "[\fINONE|EXPECTED|SEEN_REPLY|ASSURED\fP][,...]"
-Match against internal conntrack states
-.TP
-.BI "--ctexpire " "\fItime\fP[\fI:time\fP]"
-Match remaining lifetime in seconds against given value
-or range of values (inclusive)
Index: iptables-modules/extensions/libxt_conntrack.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_conntrack.c
@@ -0,0 +1,512 @@
+/* Shared library add-on to iptables for conntrack matching support.
+ * GPL (C) 2001 Marc Boucher (marc@xxxxxxx).
+ */
+
+#include <ctype.h>
+#include <getopt.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <iptables.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/xt_conntrack.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+
+/* Function which prints out usage message. */
+static void conntrack_mt_help(void)
+{
+ printf(
+"conntrack match v%s options:\n"
+"[!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]\n"
+" State(s) to match\n"
+"[!] --ctproto proto Protocol to match; by number or name, e.g. \"tcp\"\n"
+"[!] --ctorigsrc address[/mask]\n"
+" Original source specification\n"
+"[!] --ctorigdst address[/mask]\n"
+" Original destination specification\n"
+"[!] --ctreplsrc address[/mask]\n"
+" Reply source specification\n"
+"[!] --ctrepldst address[/mask]\n"
+" Reply destination specification\n"
+"[!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]\n"
+" Status(es) to match\n"
+"[!] --ctexpire time[:time] Match remaining lifetime in seconds against\n"
+" value or range of values (inclusive)\n"
+"\n", IPTABLES_VERSION);
+}
+
+static const struct option conntrack_mt_opts[] = {
+ {.name = "ctstate", .has_arg = true, .val = '1'},
+ {.name = "ctproto", .has_arg = true, .val = '2'},
+ {.name = "ctorigsrc", .has_arg = true, .val = '3'},
+ {.name = "ctorigdst", .has_arg = true, .val = '4'},
+ {.name = "ctreplsrc", .has_arg = true, .val = '5'},
+ {.name = "ctrepldst", .has_arg = true, .val = '6'},
+ {.name = "ctstatus", .has_arg = true, .val = '7'},
+ {.name = "ctexpire", .has_arg = true, .val = '8'},
+ {},
+};
+
+static int
+parse_state(const char *state, size_t strlen, struct xt_conntrack_info *sinfo)
+{
+ if (strncasecmp(state, "INVALID", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_INVALID;
+ else if (strncasecmp(state, "NEW", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_NEW);
+ else if (strncasecmp(state, "ESTABLISHED", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
+ else if (strncasecmp(state, "RELATED", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
+ else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_UNTRACKED;
+ else if (strncasecmp(state, "SNAT", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_SNAT;
+ else if (strncasecmp(state, "DNAT", strlen) == 0)
+ sinfo->statemask |= XT_CONNTRACK_STATE_DNAT;
+ else
+ return 0;
+ return 1;
+}
+
+static void
+parse_states(const char *arg, struct xt_conntrack_info *sinfo)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !parse_state(arg, comma-arg, sinfo))
+ exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
+ arg = comma+1;
+ }
+
+ if (strlen(arg) == 0 || !parse_state(arg, strlen(arg), sinfo))
+ exit_error(PARAMETER_PROBLEM, "Bad ctstate `%s'", arg);
+}
+
+static int
+parse_status(const char *status, size_t strlen, struct xt_conntrack_info *sinfo)
+{
+ if (strncasecmp(status, "NONE", strlen) == 0)
+ sinfo->statusmask |= 0;
+ else if (strncasecmp(status, "EXPECTED", strlen) == 0)
+ sinfo->statusmask |= IPS_EXPECTED;
+ else if (strncasecmp(status, "SEEN_REPLY", strlen) == 0)
+ sinfo->statusmask |= IPS_SEEN_REPLY;
+ else if (strncasecmp(status, "ASSURED", strlen) == 0)
+ sinfo->statusmask |= IPS_ASSURED;
+#ifdef IPS_CONFIRMED
+ else if (strncasecmp(status, "CONFIRMED", strlen) == 0)
+ sinfo->stausmask |= IPS_CONFIRMED;
+#endif
+ else
+ return 0;
+ return 1;
+}
+
+static void
+parse_statuses(const char *arg, struct xt_conntrack_info *sinfo)
+{
+ const char *comma;
+
+ while ((comma = strchr(arg, ',')) != NULL) {
+ if (comma == arg || !parse_status(arg, comma-arg, sinfo))
+ exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
+ arg = comma+1;
+ }
+
+ if (strlen(arg) == 0 || !parse_status(arg, strlen(arg), sinfo))
+ exit_error(PARAMETER_PROBLEM, "Bad ctstatus `%s'", arg);
+}
+
+static unsigned long
+parse_expire(const char *s)
+{
+ unsigned int len;
+
+ if (string_to_number(s, 0, 0, &len) == -1)
+ exit_error(PARAMETER_PROBLEM, "expire value invalid: `%s'\n", s);
+ else
+ return len;
+}
+
+/* If a single value is provided, min and max are both set to the value */
+static void
+parse_expires(const char *s, struct xt_conntrack_info *sinfo)
+{
+ char *buffer;
+ char *cp;
+
+ buffer = strdup(s);
+ if ((cp = strchr(buffer, ':')) == NULL)
+ sinfo->expires_min = sinfo->expires_max = parse_expire(buffer);
+ else {
+ *cp = '\0';
+ cp++;
+
+ sinfo->expires_min = buffer[0] ? parse_expire(buffer) : 0;
+ sinfo->expires_max = cp[0] ? parse_expire(cp) : -1;
+ }
+ free(buffer);
+
+ if (sinfo->expires_min > sinfo->expires_max)
+ exit_error(PARAMETER_PROBLEM,
+ "expire min. range value `%lu' greater than max. "
+ "range value `%lu'", sinfo->expires_min, sinfo->expires_max);
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_conntrack_info *sinfo = (void *)(*match)->data;
+ char *protocol = NULL;
+ unsigned int naddrs = 0;
+ struct in_addr *addrs = NULL;
+
+
+ switch (c) {
+ case '1':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ parse_states(argv[optind-1], sinfo);
+ if (invert) {
+ sinfo->invflags |= XT_CONNTRACK_STATE;
+ }
+ sinfo->flags |= XT_CONNTRACK_STATE;
+ break;
+
+ case '2':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ if(invert)
+ sinfo->invflags |= XT_CONNTRACK_PROTO;
+
+ /* Canonicalize into lower case */
+ for (protocol = argv[optind-1]; *protocol; protocol++)
+ *protocol = tolower(*protocol);
+
+ protocol = argv[optind-1];
+ sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = parse_protocol(protocol);
+
+ if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
+ && (sinfo->invflags & XT_INV_PROTO))
+ exit_error(PARAMETER_PROBLEM,
+ "rule would never match protocol");
+
+ sinfo->flags |= XT_CONNTRACK_PROTO;
+ break;
+
+ case '3':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ if (invert)
+ sinfo->invflags |= XT_CONNTRACK_ORIGSRC;
+
+ parse_hostnetworkmask(argv[optind-1], &addrs,
+ &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
+ &naddrs);
+ if(naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+
+ if(naddrs == 1) {
+ sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip = addrs[0].s_addr;
+ }
+
+ sinfo->flags |= XT_CONNTRACK_ORIGSRC;
+ break;
+
+ case '4':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ if (invert)
+ sinfo->invflags |= XT_CONNTRACK_ORIGDST;
+
+ parse_hostnetworkmask(argv[optind-1], &addrs,
+ &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
+ &naddrs);
+ if(naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+
+ if(naddrs == 1) {
+ sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip = addrs[0].s_addr;
+ }
+
+ sinfo->flags |= XT_CONNTRACK_ORIGDST;
+ break;
+
+ case '5':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ if (invert)
+ sinfo->invflags |= XT_CONNTRACK_REPLSRC;
+
+ parse_hostnetworkmask(argv[optind-1], &addrs,
+ &sinfo->sipmsk[IP_CT_DIR_REPLY],
+ &naddrs);
+ if(naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+
+ if(naddrs == 1) {
+ sinfo->tuple[IP_CT_DIR_REPLY].src.ip = addrs[0].s_addr;
+ }
+
+ sinfo->flags |= XT_CONNTRACK_REPLSRC;
+ break;
+
+ case '6':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ if (invert)
+ sinfo->invflags |= XT_CONNTRACK_REPLDST;
+
+ parse_hostnetworkmask(argv[optind-1], &addrs,
+ &sinfo->dipmsk[IP_CT_DIR_REPLY],
+ &naddrs);
+ if(naddrs > 1)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple IP addresses not allowed");
+
+ if(naddrs == 1) {
+ sinfo->tuple[IP_CT_DIR_REPLY].dst.ip = addrs[0].s_addr;
+ }
+
+ sinfo->flags |= XT_CONNTRACK_REPLDST;
+ break;
+
+ case '7':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ parse_statuses(argv[optind-1], sinfo);
+ if (invert) {
+ sinfo->invflags |= XT_CONNTRACK_STATUS;
+ }
+ sinfo->flags |= XT_CONNTRACK_STATUS;
+ break;
+
+ case '8':
+ check_inverse(optarg, &invert, &optind, 0);
+
+ parse_expires(argv[optind-1], sinfo);
+ if (invert) {
+ sinfo->invflags |= XT_CONNTRACK_EXPIRES;
+ }
+ sinfo->flags |= XT_CONNTRACK_EXPIRES;
+ break;
+
+ default:
+ return 0;
+ }
+
+ *flags = sinfo->flags;
+ return 1;
+}
+
+static void conntrack_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM, "You must specify one or more options");
+}
+
+static void
+print_state(unsigned int statemask)
+{
+ const char *sep = "";
+
+ if (statemask & XT_CONNTRACK_STATE_INVALID) {
+ printf("%sINVALID", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
+ printf("%sNEW", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
+ printf("%sRELATED", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
+ printf("%sESTABLISHED", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
+ printf("%sUNTRACKED", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_SNAT) {
+ printf("%sSNAT", sep);
+ sep = ",";
+ }
+ if (statemask & XT_CONNTRACK_STATE_DNAT) {
+ printf("%sDNAT", sep);
+ sep = ",";
+ }
+ printf(" ");
+}
+
+static void
+print_status(unsigned int statusmask)
+{
+ const char *sep = "";
+
+ if (statusmask & IPS_EXPECTED) {
+ printf("%sEXPECTED", sep);
+ sep = ",";
+ }
+ if (statusmask & IPS_SEEN_REPLY) {
+ printf("%sSEEN_REPLY", sep);
+ sep = ",";
+ }
+ if (statusmask & IPS_ASSURED) {
+ printf("%sASSURED", sep);
+ sep = ",";
+ }
+#ifdef IPS_CONFIRMED
+ if (statusmask & IPS_CONFIRMED) {
+ printf("%sCONFIRMED", sep);
+ sep =",";
+ }
+#endif
+ if (statusmask == 0) {
+ printf("%sNONE", sep);
+ sep = ",";
+ }
+ printf(" ");
+}
+
+static void
+print_addr(struct in_addr *addr, struct in_addr *mask, int inv, int numeric)
+{
+ char buf[BUFSIZ];
+
+ if (inv)
+ printf("! ");
+
+ if (mask->s_addr == 0L && !numeric)
+ printf("%s ", "anywhere");
+ else {
+ if (numeric)
+ sprintf(buf, "%s", addr_to_dotted(addr));
+ else
+ sprintf(buf, "%s", addr_to_anyname(addr));
+ strcat(buf, mask_to_dotted(mask));
+ printf("%s ", buf);
+ }
+}
+
+/* Saves the matchinfo in parsable form to stdout. */
+static void
+matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, const char *optpfx)
+{
+ struct xt_conntrack_info *sinfo = (void *)match->data;
+
+ if(sinfo->flags & XT_CONNTRACK_STATE) {
+ if (sinfo->invflags & XT_CONNTRACK_STATE)
+ printf("! ");
+ printf("%sctstate ", optpfx);
+ print_state(sinfo->statemask);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_PROTO) {
+ if (sinfo->invflags & XT_CONNTRACK_PROTO)
+ printf("! ");
+ printf("%sctproto ", optpfx);
+ printf("%u ", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_ORIGSRC) {
+ printf("%sctorigsrc ", optpfx);
+
+ print_addr(
+ (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
+ &sinfo->sipmsk[IP_CT_DIR_ORIGINAL],
+ sinfo->invflags & XT_CONNTRACK_ORIGSRC,
+ numeric);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_ORIGDST) {
+ printf("%sctorigdst ", optpfx);
+
+ print_addr(
+ (struct in_addr *)&sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
+ &sinfo->dipmsk[IP_CT_DIR_ORIGINAL],
+ sinfo->invflags & XT_CONNTRACK_ORIGDST,
+ numeric);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_REPLSRC) {
+ printf("%sctreplsrc ", optpfx);
+
+ print_addr(
+ (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
+ &sinfo->sipmsk[IP_CT_DIR_REPLY],
+ sinfo->invflags & XT_CONNTRACK_REPLSRC,
+ numeric);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_REPLDST) {
+ printf("%sctrepldst ", optpfx);
+
+ print_addr(
+ (struct in_addr *)&sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
+ &sinfo->dipmsk[IP_CT_DIR_REPLY],
+ sinfo->invflags & XT_CONNTRACK_REPLDST,
+ numeric);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_STATUS) {
+ if (sinfo->invflags & XT_CONNTRACK_STATUS)
+ printf("! ");
+ printf("%sctstatus ", optpfx);
+ print_status(sinfo->statusmask);
+ }
+
+ if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
+ if (sinfo->invflags & XT_CONNTRACK_EXPIRES)
+ printf("! ");
+ printf("%sctexpire ", optpfx);
+
+ if (sinfo->expires_max == sinfo->expires_min)
+ printf("%lu ", sinfo->expires_min);
+ else
+ printf("%lu:%lu ", sinfo->expires_min, sinfo->expires_max);
+ }
+}
+
+/* Prints out the matchinfo. */
+static void conntrack_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ matchinfo_print(ip, match, numeric, "");
+}
+
+/* Saves the matchinfo in parsable form to stdout. */
+static void conntrack_save(const void *ip, const struct xt_entry_match *match)
+{
+ matchinfo_print(ip, match, 1, "--");
+}
+
+static struct xtables_match conntrack_match = {
+ .version = IPTABLES_VERSION,
+ .name = "conntrack",
+ .revision = 0,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_conntrack_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_info)),
+ .help = conntrack_mt_help,
+ .parse = conntrack_parse,
+ .final_check = conntrack_mt_check,
+ .print = conntrack_print,
+ .save = conntrack_save,
+ .extra_opts = conntrack_mt_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&conntrack_match);
+}
Index: iptables-modules/extensions/libxt_conntrack.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_conntrack.man
@@ -0,0 +1,48 @@
+This module, when combined with connection tracking, allows access to the
+connection tracking state for this packet/connection.
+.TP
+\fB--ctstate\fR \fIstate\fR
+Where \fIstate\fR is a comma separated list of the connection states to match.
+Possible states are listed below.
+.TP
+\fB--ctproto\fR \fIl4proto\fR
+Layer-4 protocol to match (by number or name)
+.TP
+[\fB!\fR] \fB--ctorigsrc\fR \fIaddress\fR[\fB/\fR\fImask\fR]
+Match against original source address
+.TP
+[\fB!\fR] \fB--ctorigdst\fR \fIaddress\fR[\fB/\fR\fImask\fR]
+Match against original destination address
+.TP
+[\fB!\fR] \fB--ctreplsrc\fR \fIaddress\fR[\fB/\fR\fImask\fR]
+Match against reply source address
+.TP
+[\fB!\fR] \fB--ctrepldst\fR \fIaddress\fR[\fB/\fR\fImask\fR]
+Match against reply destination address
+.TP
+\fB--ctstatus\fR [\fINONE\fR|\fIEXPECTED\fR|\fISEEN_REPLY\fR|\fIASSURED\fR][\fB,\fR...]
+Match against internal conntrack states
+.TP
+\fB--ctexpire\fR \fItime\fR[\fB:\fR\fItime\fR]
+Match remaining lifetime in seconds against given value or range of values
+(inclusive)
+.PP
+States for \fB--ctstate\fR:
+.TP
+\fBINVALID\fR
+meaning that the packet is associated with no known connection
+\fBNEW\fR
+meaning that the packet has started a new connection, or otherwise associated
+with a connection which has not seen packets in both directions, and
+\fBESTABLISHED\fR
+meaning that the packet is associated with a connection which has seen packets
+in both directions,
+\fBRELATED\fR
+meaning that the packet is starting a new connection, but is associated with an
+existing connection, such as an FTP data transfer, or an ICMP error.
+\fBSNAT\fR
+A virtual state, matching if the original source address differs from the reply
+destination.
+\fBDNAT\fR
+A virtual state, matching if the original destination differs from the reply
+source.
Index: iptables-modules/include/linux/netfilter/xt_conntrack.h
===================================================================
--- /dev/null
+++ iptables-modules/include/linux/netfilter/xt_conntrack.h
@@ -0,0 +1,77 @@
+/* Header file for kernel module to match connection tracking information.
+ * GPL (C) 2001 Marc Boucher (marc@xxxxxxx).
+ */
+
+#ifndef _XT_CONNTRACK_H
+#define _XT_CONNTRACK_H
+
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+#ifdef __KERNEL_
+# include <linux/in.h>
+#endif
+
+#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
+#define XT_CONNTRACK_STATE_INVALID (1 << 0)
+
+#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
+#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
+#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+
+/* flags, invflags: */
+#define XT_CONNTRACK_STATE 0x01
+#define XT_CONNTRACK_PROTO 0x02
+#define XT_CONNTRACK_ORIGSRC 0x04
+#define XT_CONNTRACK_ORIGDST 0x08
+#define XT_CONNTRACK_REPLSRC 0x10
+#define XT_CONNTRACK_REPLDST 0x20
+#define XT_CONNTRACK_STATUS 0x40
+#define XT_CONNTRACK_EXPIRES 0x80
+
+/* This is exposed to userspace, so remains frozen in time. */
+struct ip_conntrack_old_tuple
+{
+ struct {
+ __be32 ip;
+ union {
+ __u16 all;
+ } u;
+ } src;
+
+ struct {
+ __be32 ip;
+ union {
+ __u16 all;
+ } u;
+
+ /* The protocol. */
+ __u16 protonum;
+ } dst;
+};
+
+struct xt_conntrack_info
+{
+ unsigned int statemask, statusmask;
+
+ struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
+ struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
+
+ unsigned long expires_min, expires_max;
+
+ /* Flags word */
+ u_int8_t flags;
+ /* Inverse flags */
+ u_int8_t invflags;
+};
+
+struct xt_conntrack_match_info {
+ union nf_inet_addr origsrc_addr, origsrc_mask;
+ union nf_inet_addr origdst_addr, origdst_mask;
+ union nf_inet_addr replsrc_addr, replsrc_mask;
+ union nf_inet_addr repldst_addr, repldst_mask;
+ u_int32_t expires_min, expires_max;
+ u_int16_t l4proto;
+ u_int8_t state_mask, status_mask;
+ u_int8_t match_flags, invert_flags;
+};
+
+#endif /*_XT_CONNTRACK_H*/
Index: iptables-modules/include/linux/netfilter_ipv4/ipt_conntrack.h
===================================================================
--- iptables-modules.orig/include/linux/netfilter_ipv4/ipt_conntrack.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/* Header file for kernel module to match connection tracking information.
- * GPL (C) 2001 Marc Boucher (marc@xxxxxxx).
- */
-
-#ifndef _IPT_CONNTRACK_H
-#define _IPT_CONNTRACK_H
-
-#include <linux/netfilter/nf_conntrack_common.h>
-
-/* backwards compatibility crap. only exists in userspace - HW */
-#include <linux/version.h>
-#ifndef KERNEL_VERSION
-#define KERNEL_VERSION(a,b,c) (((a) << 16) | ((b) << 8) | (c))
-#endif
-
-#if (LINUX_VERSION_CODE < KERNEL_VERSION(2,4,18)) || !defined IPS_EXPECTED
-#define IPS_EXPECTED (1 << 0)
-#define IPS_SEEN_REPLY (1 << 1)
-#define IPS_ASSURED (1 << 2)
-#define IP_CT_DIR_ORIGINAL 0
-#define IP_CT_DIR_REPLY 1
-#define IP_CT_DIR_MAX 2
-#endif
-
-#define IPT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
-#define IPT_CONNTRACK_STATE_INVALID (1 << 0)
-
-#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
-#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
-#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
-
-/* flags, invflags: */
-#define IPT_CONNTRACK_STATE 0x01
-#define IPT_CONNTRACK_PROTO 0x02
-#define IPT_CONNTRACK_ORIGSRC 0x04
-#define IPT_CONNTRACK_ORIGDST 0x08
-#define IPT_CONNTRACK_REPLSRC 0x10
-#define IPT_CONNTRACK_REPLDST 0x20
-#define IPT_CONNTRACK_STATUS 0x40
-#define IPT_CONNTRACK_EXPIRES 0x80
-
-/* This is exposed to userspace, so remains frozen in time. */
-struct ip_conntrack_old_tuple
-{
- struct {
- u_int32_t ip;
- union {
- u_int16_t all;
- } u;
- } src;
-
- struct {
- u_int32_t ip;
- union {
- u_int16_t all;
- } u;
-
- /* The protocol. */
- u_int16_t protonum;
- } dst;
-};
-
-struct ipt_conntrack_info
-{
- unsigned int statemask, statusmask;
-
- struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
- struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
-
- unsigned long expires_min, expires_max;
-
- /* Flags word */
- u_int8_t flags;
- /* Inverse flags */
- u_int8_t invflags;
-};
-#endif /*_IPT_CONNTRACK_H*/
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
