add support for matching the IPS_CONFIRMED bit (Harald Welte)

diff --git a/extensions/libipt_conntrack.c b/extensions/libipt_conntrack.c
index 3f322d0125e67fd281c6809c4b438af4c3b584bd..ccb78ea1f8a3e6b03f1476970d91fd61268c2b08 100644 (file)
--- a/extensions/libipt_conntrack.c
+++ b/extensions/libipt_conntrack.c
@@ -30,7 +30,7 @@ help(void)
 "                              Reply source specification\n"
 "     --ctrepldst  [!] address[/mask]\n"
 "                              Reply destination specification\n"
-" [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED][,...]\n"
+" [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]\n"
 "                              Status(es) to match\n"
 " [!] --ctexpire time[:time]   Match remaining lifetime in seconds against\n"
 "                              value or range of values (inclusive)\n"
@@ -105,6 +105,10 @@ parse_status(const char *status, size_t strlen, struct ipt_conntrack_info *sinfo
                sinfo->statusmask |= IPS_SEEN_REPLY;
        else if (strncasecmp(status, "ASSURED", strlen) == 0)
                sinfo->statusmask |= IPS_ASSURED;
+#ifdef IPS_CONFIRMED
+       else if (strncasecmp(status, "CONFIRMED", strlen) == 0)
+               sinfo->stausmask |= IPS_CONFIRMED;
+#endif
        else
                return 0;
        return 1;
@@ -373,6 +377,12 @@ print_status(unsigned int statusmask)
                printf("%sASSURED", sep);
                sep = ",";
        }
+#ifdef IPS_CONFIRMED
+       if (statusmask & IPS_CONFIRMED) {
+               printf("%sCONFIRMED", sep);
+               sep =",";
+       }
+#endif
        if (statusmask == 0) {
                printf("%sNONE", sep);
                sep = ",";