From e8f7f4ecad342c37a22c65d784d066dc171ee316 Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Tue, 25 Jun 2013 15:41:01 +0200
Subject: [PATCH] support netfilter target module "CT"
---
 NEWS | 1 +
 src/ferm | 1 +
 test/targets/ct.ferm | 5 +++++
 test/targets/ct.result | 3 +++
 4 files changed, 10 insertions(+)
 create mode 100644 test/targets/ct.ferm
 create mode 100644 test/targets/ct.result
diff --git a/NEWS b/NEWS
index 9632405..94756f9 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,7 @@ v2.1.3 - not yet released - support netfilter modules: + * CT * TEE
diff --git a/src/ferm b/src/ferm
index 92a4d88..c5498de 100755
--- a/src/ferm
+++ b/src/ferm
@@ -297,6 +297,7 @@ add_target_def 'CLASSIFY', qw(set-class);
 add_target_def 'CLUSTERIP', qw(new*0 hashmode clustermac total-nodes local-node hash-init);
 add_target_def 'CONNMARK', qw(set-mark save-mark*0 restore-mark*0 mask);
 add_target_def 'CONNSECMARK', qw(save*0 restore*0);
+add_target_def 'CT', qw(notrack*0 helper ctevents=c expevents=c zone timeout);
 add_target_def 'DNAT', qw(to-destination=m to:=to-destination persistent*0 random*0);
 add_target_def 'DSCP', qw(set-dscp set-dscp-class);
 add_target_def 'ECN', qw(ecn-tcp-remove*0);
diff --git a/test/targets/ct.ferm b/test/targets/ct.ferm
new file mode 100644
index 0000000..e8b2c81
--- /dev/null
+++ b/test/targets/ct.ferm
@@ -0,0 +1,5 @@
+table filter chain INPUT {
+ proto udp CT notrack helper foo zone 42 timeout 60;
+ proto tcp CT ctevents new expevents new;
+ proto udp CT ctevents (assured mark);
+}
diff --git a/test/targets/ct.result b/test/targets/ct.result
new file mode 100644
index 0000000..c38f9d6
--- /dev/null
+++ b/test/targets/ct.result
@@ -0,0 +1,3 @@
+iptables -t filter -A INPUT -p udp -j CT --notrack --helper foo --zone 42 --timeout 60
+iptables -t filter -A INPUT -p tcp -j CT --ctevents new --expevents new
+iptables -t filter -A INPUT -p udp -j CT --ctevents assured,mark
--
2.11.4.GIT
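Review bot: The added `add_target_def 'CT', ...` line in src/ferm exposes `notrack` and `helper` with no note on where the target may be used, and no documentation file appears in this patch's diffstat. Per the iptables-extensions manual, CT is only valid in the raw table, and a packet that hits `notrack` gets no conntrack entry, so later state-based accept rules will not match it. A short comment above the line would help, e.g. `# CT: raw table only; notrack bypasses conntrack, so state/conntrack matches no longer apply to that traffic`. The surrounding add_target_def list starts and ends outside the hunk, and nothing visible here shows whether ferm itself rejects CT in other tables.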
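Review bot: The fixture in test/targets/ct.ferm places the CT rules in `table filter chain INPUT`, which iptables is documented to reject because CT is valid only in the raw table, so the expected output in ct.result is a rule set that would not load. `timeout 60` also reads like seconds, whereas `--timeout` takes the name of a timeout policy, and as far as I know the kernel ignores `helper`/`zone`/`timeout` once `notrack` is set, so the first rule does not exercise a meaningful combination. Consider `table raw chain PREROUTING {`, a separate `proto udp CT notrack;`, and `proto udp CT helper foo zone 42 timeout mypolicy;` (`mypolicy` is a made-up policy name), with ct.result regenerated to match.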