The conntrack match does not print any info for --ctproto, thus

breaking iptables-restore of any rules using this option.  Below
patch adds output and closes bug #398. (Phil Oester)

1 files changed, 7 insertions, 0 deletions

diff --git a/extensions/libipt_conntrack.c b/extensions/libipt_conntrack.c
index 27870b1e..cdb86c4e 100644
--- a/extensions/libipt_conntrack.c
+++ b/extensions/libipt_conntrack.c
@@ -442,6 +442,13 @@ matchinfo_print(const struct ipt_ip *ip, const struct ipt_entry_match *match, in
 		print_state(sinfo->statemask);
 	}
 
+	if(sinfo->flags & IPT_CONNTRACK_PROTO) {
+		printf("%sctproto ", optpfx);
+        	if (sinfo->invflags & IPT_CONNTRACK_PROTO)
+                	printf("! ");
+		printf("%u ", sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum);
+	}
+
 	if(sinfo->flags & IPT_CONNTRACK_ORIGSRC) {
 		printf("%sctorigsrc ", optpfx);