From f44413ef8f8d21e7ad1d35f6f2a39824310a1fed Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Tue, 8 Dec 2009 17:12:33 +0100
Subject: [PATCH] conntrack: support negation and --ctdir
---
 NEWS | 1 +
 src/ferm | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index 58ce781..901935e 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ v2.0.7 - not yet released
 - always prefix the negation operator
 - updated netfilter modules:
 * addrtype: support negation and --limit-iface-{in,out}
+ * conntrack: support negation and --ctdir
 * owner: support negation
diff --git a/src/ferm b/src/ferm
index a922fa3..6149f64 100755
--- a/src/ferm
+++ b/src/ferm
@@ -233,8 +233,8 @@ add_match_def 'condition', qw(condition!);
 add_match_def 'connbytes', qw(!connbytes connbytes-dir connbytes-mode);
 add_match_def 'connlimit', qw(!connlimit-above connlimit-mask);
 add_match_def 'connmark', qw(!mark);
-add_match_def 'conntrack', qw(ctstate=c ctproto ctorigsrc! ctorigdst!),
- qw(ctreplsrc! ctrepldst! ctstatus ctexpire=s);
+add_match_def 'conntrack', qw(!ctstate=c !ctproto ctorigsrc! ctorigdst!),
+ qw(ctreplsrc! ctrepldst! !ctstatus !ctexpire=s ctdir=s);
 add_match_def 'dscp', qw(dscp dscp-class);
 add_match_def 'ecn', qw(ecn-tcp-cwr*0 ecn-tcp-ece*0 ecn-ip-ect);
 add_match_def 'esp', qw(espspi!);
--
2.11.4.GIT
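Review bot: The new `conntrack` definition in the src/ferm hunk mixes two negation notations without explanation: prefix `!` on `!ctstate=c`, `!ctproto`, `!ctstatus` and `!ctexpire=s`, but the older postfix form on `ctorigsrc!`, `ctorigdst!`, `ctreplsrc!` and `ctrepldst!`. The NEWS context for the same release says "always prefix the negation operator", so it is unclear whether the address options were left postfix on purpose. Since these flags presumably decide where `!` lands in the generated iptables rule, and a misplaced negation changes which packets a rule matches, I would add a one-line comment above the definition, e.g. `# address options still use postfix negation (NOTE: confirm this is intended)`. Separately, `!ctstatus` has no `=c` while `!ctstate=c` does; if `=c` marks a comma-joined list (not visible in this hunk), `!ctstatus=c` may be what is wanted. The diffstat touches only NEWS and src/ferm, so a test case covering a negated `ctstate` and the new `ctdir` would help pin the generated output.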