netfilter: xtables: conntrack match revision 2

As reported by Philip, the UNTRACKED state bit does not fit within
the 8-bit state_mask member. Enlarge state_mask and give status_mask
a few more bits too.

Reported-by: Philip Craig <philipc@snapgear.com>
References: http://markmail.org/thread/b7eg6aovfh4agyz7
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

1 files changed, 13 insertions, 0 deletions

diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 3430c7751948..7ae05338e94c 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -81,4 +81,17 @@ struct xt_conntrack_mtinfo1 {
         __u8 state_mask, status_mask;
 };
 
+struct xt_conntrack_mtinfo2 {
+        union nf_inet_addr origsrc_addr, origsrc_mask;
+        union nf_inet_addr origdst_addr, origdst_mask;
+        union nf_inet_addr replsrc_addr, replsrc_mask;
+        union nf_inet_addr repldst_addr, repldst_mask;
+        __u32 expires_min, expires_max;
+        __u16 l4proto;
+        __be16 origsrc_port, origdst_port;
+        __be16 replsrc_port, repldst_port;
+        __u16 match_flags, invert_flags;
+        __u16 state_mask, status_mask;
+};
+
 #endif /*_XT_CONNTRACK_H*/