-rw-r--r--extensions/libipt_conntrack.c12
-rw-r--r--extensions/libipt_state.c12
-rw-r--r--libiptc/libip4tc.c13
3 files changed, 35 insertions, 2 deletions
diff --git a/extensions/libipt_conntrack.c b/extensions/libipt_conntrack.c
index ccb78ea1..63b38e98 100644
--- a/extensions/libipt_conntrack.c
+++ b/extensions/libipt_conntrack.c
@@ -13,13 +13,17 @@
#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
#include <linux/netfilter_ipv4/ipt_conntrack.h>
+#ifndef IPT_CONNTRACK_STATE_UNTRACKED
+#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+#endif
+
/* Function which prints out usage message. */
static void
help(void)
{
printf(
"conntrack match v%s options:\n"
-" [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|SNAT|DNAT][,...]\n"
+" [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]\n"
" State(s) to match\n"
" [!] --ctproto proto Protocol to match; by number or name, eg. `tcp'\n"
" --ctorigsrc [!] address[/mask]\n"
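Review bot: The fallback `#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))` at the top of the hunk hard-codes a bit position that belongs to the kernel's ipt_conntrack.h; because the `#ifndef` guard silently yields to whatever the installed header says, a userspace build against old headers would set this bit while the running kernel interprets the statemask by its own definition, and nothing at compile or run time would report a divergence. The value is presumably correct for the kernel version this targets, but the intent should be spelled out, e.g. `/* Fallback for kernel headers predating UNTRACKED; must match <linux/netfilter_ipv4/ipt_conntrack.h> */`. The same applies to `IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))` in the libipt_state.c hunk at `@@ -8,13 +8,17 @@`, which mirrors a different header (ipt_state.h) and so legitimately uses a different offset; a comment there saying so would stop a reader from "fixing" the two to agree.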
@@ -70,6 +74,8 @@ parse_state(const char *state, size_t strlen, struct ipt_conntrack_info *sinfo)
sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED);
else if (strncasecmp(state, "RELATED", strlen) == 0)
sinfo->statemask |= IPT_CONNTRACK_STATE_BIT(IP_CT_RELATED);
+ else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
+ sinfo->statemask |= IPT_CONNTRACK_STATE_UNTRACKED;
else if (strncasecmp(state, "SNAT", strlen) == 0)
sinfo->statemask |= IPT_CONNTRACK_STATE_SNAT;
else if (strncasecmp(state, "DNAT", strlen) == 0)
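Review bot: The new `else if (strncasecmp(state, "UNTRACKED", strlen) == 0)` branch compares only `strlen` characters, where `strlen` is the length of the user-supplied token, so any case-insensitive prefix such as `u` or `untr` is accepted as UNTRACKED. This is consistent with the existing INVALID/ESTABLISHED/NEW/RELATED branches above it and with the libipt_state.c parse_state hunk at `@@ -43,6 +47,8 @@`, so it is inherited behaviour rather than a defect introduced here, but the new branch is a good place to make the contract explicit: `/* token-length compare: abbreviations are accepted, like the states above */`. parse_state begins and ends outside this hunk.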
@@ -349,6 +355,10 @@ print_state(unsigned int statemask)
printf("%sESTABLISHED", sep);
sep = ",";
}
+ if (statemask & IPT_CONNTRACK_STATE_UNTRACKED) {
+ printf("%sUNTRACKED", sep);
+ sep = ",";
+ }
if (statemask & IPT_CONNTRACK_STATE_SNAT) {
printf("%sSNAT", sep);
sep = ",";
diff --git a/extensions/libipt_state.c b/extensions/libipt_state.c
index ac3c0ba3..3662d949 100644
--- a/extensions/libipt_state.c
+++ b/extensions/libipt_state.c
@@ -8,13 +8,17 @@
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ipt_state.h>
+#ifndef IPT_STATE_UNTRACKED
+#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
+#endif
+
/* Function which prints out usage message. */
static void
help(void)
{
printf(
"state v%s options:\n"
-" [!] --state [INVALID|ESTABLISHED|NEW|RELATED][,...]\n"
+" [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]\n"
" State(s) to match\n"
"\n", IPTABLES_VERSION);
}
@@ -43,6 +47,8 @@ parse_state(const char *state, size_t strlen, struct ipt_state_info *sinfo)
sinfo->statemask |= IPT_STATE_BIT(IP_CT_ESTABLISHED);
else if (strncasecmp(state, "RELATED", strlen) == 0)
sinfo->statemask |= IPT_STATE_BIT(IP_CT_RELATED);
+ else if (strncasecmp(state, "UNTRACKED", strlen) == 0)
+ sinfo->statemask |= IPT_STATE_UNTRACKED;
else
return 0;
return 1;
@@ -117,6 +123,10 @@ static void print_state(unsigned int statemask)
printf("%sESTABLISHED", sep);
sep = ",";
}
+ if (statemask & IPT_STATE_UNTRACKED) {
+ printf("%sUNTRACKED", sep);
+ sep = ",";
+ }
printf(" ");
}
diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c
index e012c088..76a8281b 100644
--- a/libiptc/libip4tc.c
+++ b/libiptc/libip4tc.c
@@ -436,6 +436,19 @@ do_check(TC_HANDLE_T h, unsigned int line)
assert(h->info.hook_entry[NF_IP_POST_ROUTING] == n);
user_offset = h->info.hook_entry[NF_IP_POST_ROUTING];
}
+ } else if (strcmp(h->info.name, "raw") == 0) {
+ assert(h->info.valid_hooks
+ == (1 << NF_IP_PRE_ROUTING
+ | 1 << NF_IP_LOCAL_OUT));
+
+ /* Hooks should be first three */
+ assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
+
+ n = get_chain_end(h, n);
+ n += get_entry(h, n)->next_offset;
+ assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
+
+ user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
#ifdef NF_IP_DROPPING
} else if (strcmp(h->info.name, "drop") == 0) {