# iptables -I INPUT -m conntrack --ctstate UNTRACKED
# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
           all  --  anywhere             anywhere             ctstate

(ctstate isn't matching anything.)

The problem is that state_mask in 'struct xt_conntrack_mtinfo1' is only
8 bits, but XT_CONNTRACK_STATE_UNTRACKED == 256. Unfortunately, gcc
doesn't warn about this for '|=', only for '='.

A workaround is to use -m state --state UNTRACKED

Looks like we need a conntrack match v2 to fix this?
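The truncation described in the post, reproduced as an added C example (not code from the post or from netfilter). The struct layouts and the match test are a simplified model of the 8-bit versus widened state_mask; only the value UNTRACKED == 256 is taken from the report, the NEW bit value is assumed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* State bits. UNTRACKED == 256 is the value given in the report;
 * NEW is an assumed value used only for contrast. */
#define CT_STATE_NEW        0x002u
#define CT_STATE_UNTRACKED  0x100u   /* bit 8: does not fit in a uint8_t */

/* Model of the v1 match info: state_mask is only 8 bits wide. */
struct mtinfo_v1 { uint8_t state_mask; };
/* Hypothetical widened revision with room for bit 8. */
struct mtinfo_v2 { uint16_t state_mask; };

/* Simplified match test (a model, not the kernel's code): the rule
 * matches when the packet's single state bit is set in the rule's mask. */
static bool matches_v1(const struct mtinfo_v1 *info, unsigned int statebit)
{
    return (info->state_mask & statebit) != 0;
}
static bool matches_v2(const struct mtinfo_v2 *info, unsigned int statebit)
{
    return (info->state_mask & statebit) != 0;
}

/* What "--ctstate UNTRACKED" stores in each layout. With uint8_t the
 * '|=' promotes to int, ORs in 256, then narrows back: the bit is lost. */
unsigned int stored_mask_v1(void)
{
    struct mtinfo_v1 info = { 0 };
    info.state_mask |= CT_STATE_UNTRACKED;   /* silently becomes 0 */
    return info.state_mask;
}
unsigned int stored_mask_v2(void)
{
    struct mtinfo_v2 info = { 0 };
    info.state_mask |= CT_STATE_UNTRACKED;   /* bit 8 preserved */
    return info.state_mask;
}

/* Does an untracked packet hit the "--ctstate UNTRACKED" rule? */
bool untracked_rule_hits_v1(void)
{
    struct mtinfo_v1 info = { 0 };
    info.state_mask |= CT_STATE_UNTRACKED;
    return matches_v1(&info, CT_STATE_UNTRACKED);   /* false: mask is 0 */
}
bool untracked_rule_hits_v2(void)
{
    struct mtinfo_v2 info = { 0 };
    info.state_mask |= CT_STATE_UNTRACKED;
    return matches_v2(&info, CT_STATE_UNTRACKED);   /* true */
}
```

A NEW-state rule (bit 1) survives the narrowing in both layouts, which is why only UNTRACKED shows the empty ctstate in the listing above.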