* conntrack untracked match is broken
From: Philip Craig @ 2009-06-22 6:31 UTC (permalink / raw)
To: netfilter-devel
# iptables -I INPUT -m conntrack --ctstate UNTRACKED
# iptables -L INPUT
Chain INPUT (policy DROP)
target prot opt source destination
all -- anywhere anywhere ctstate
(ctstate isn't matching anything.)
The problem is that state_mask in 'struct xt_conntrack_mtinfo1' is
only 8 bit, but XT_CONNTRACK_STATE_UNTRACKED == 256.
Unfortunately, gcc doesn't warn about this for '|=', only for '='.
A workaround is to use -m state --state UNTRACKED
Looks like we need a conntrack match v2 to fix this?
* Re: conntrack untracked match is broken (kernel patch)
From: Jan Engelhardt @ 2009-06-25 16:46 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List, Philip Craig
On Monday 2009-06-22 08:31, Philip Craig wrote:
>
>The problem is that state_mask in 'struct xt_conntrack_mtinfo1' is
>only 8 bit, but XT_CONNTRACK_STATE_UNTRACKED == 256.
>Unfortunately, gcc doesn't warn about this for '|=', only for '='.
I smell a gcc-missing-feature there.
>Looks like we need a conntrack match v2 to fix this?
Here is the kernel patch, please apply. Userspace as a reply.
-----8<-----
parent deb9f8e170eff8fd0476536bac3bf9bdc222d4ed (v2.6.30-5372-gdeb9f8e)
commit 366d5a252fd0de33d7b3ef669551a8771748c9e3
Author: Jan Engelhardt <jengelh@medozas.de>
Date: Thu Jun 25 18:35:39 2009 +0200
netfilter: xtables: conntrack revision 2
As reported by Philip, the UNTRACKED state bit does not fit within
the 8-bit state_mask member. Enlarge state_mask and give status_mask
a few more bits too.
Reported-by: Philip Craig <philipc@snapgear.com>
References: http://markmail.org/thread/b7eg6aovfh4agyz7
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
include/linux/netfilter/xt_conntrack.h | 13 +++++
net/netfilter/xt_conntrack.c | 66 +++++++++++++++++++++--
2 files changed, 73 insertions(+), 6 deletions(-)
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 3430c77..7ae0533 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -81,4 +81,17 @@ struct xt_conntrack_mtinfo1 {
__u8 state_mask, status_mask;
};
+struct xt_conntrack_mtinfo2 {
+ union nf_inet_addr origsrc_addr, origsrc_mask;
+ union nf_inet_addr origdst_addr, origdst_mask;
+ union nf_inet_addr replsrc_addr, replsrc_mask;
+ union nf_inet_addr repldst_addr, repldst_mask;
+ __u32 expires_min, expires_max;
+ __u16 l4proto;
+ __be16 origsrc_port, origdst_port;
+ __be16 replsrc_port, repldst_port;
+ __u16 match_flags, invert_flags;
+ __u16 state_mask, status_mask;
+};
+
#endif /*_XT_CONNTRACK_H*/
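Review bot: The new struct carries no note that its layout up to state_mask must stay byte-identical to xt_conntrack_mtinfo1, yet the kernel side converts revision 1 by `memcpy(up, info, offsetof(typeof(*info), state_mask))` and the userspace side does the same in cinfo_transform. Anyone adding or reordering a member before state_mask in one revision only would silently break that copy. I would add above the struct: `/* Members up to and including invert_flags must keep the same layout as xt_conntrack_mtinfo1: revision 1 data is converted by copying that prefix. */`. The wider `__u16` masks are what lets XT_CONNTRACK_STATE_UNTRACKED (256) fit, which is the point of the revision.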
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 0b7139f..fc58180 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -129,7 +129,7 @@ conntrack_addrcmp(const union nf_inet_addr *kaddr,
static inline bool
conntrack_mt_origsrc(const struct nf_conn *ct,
- const struct xt_conntrack_mtinfo1 *info,
+ const struct xt_conntrack_mtinfo2 *info,
u_int8_t family)
{
return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3,
@@ -138,7 +138,7 @@ conntrack_mt_origsrc(const struct nf_conn *ct,
static inline bool
conntrack_mt_origdst(const struct nf_conn *ct,
- const struct xt_conntrack_mtinfo1 *info,
+ const struct xt_conntrack_mtinfo2 *info,
u_int8_t family)
{
return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3,
@@ -147,7 +147,7 @@ conntrack_mt_origdst(const struct nf_conn *ct,
static inline bool
conntrack_mt_replsrc(const struct nf_conn *ct,
- const struct xt_conntrack_mtinfo1 *info,
+ const struct xt_conntrack_mtinfo2 *info,
u_int8_t family)
{
return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3,
@@ -156,7 +156,7 @@ conntrack_mt_replsrc(const struct nf_conn *ct,
static inline bool
conntrack_mt_repldst(const struct nf_conn *ct,
- const struct xt_conntrack_mtinfo1 *info,
+ const struct xt_conntrack_mtinfo2 *info,
u_int8_t family)
{
return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3,
@@ -164,7 +164,7 @@ conntrack_mt_repldst(const struct nf_conn *ct,
}
static inline bool
-ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
+ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
const struct nf_conn *ct)
{
const struct nf_conntrack_tuple *tuple;
@@ -204,7 +204,7 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
static bool
conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
- const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
+ const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
enum ip_conntrack_info ctinfo;
const struct nf_conn *ct;
unsigned int statebit;
@@ -278,6 +278,16 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
+static bool
+conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+ const struct xt_conntrack_mtinfo2 *const *info = par->matchinfo;
+ struct xt_match_param newpar = *par;
+
+ newpar.matchinfo = *info;
+ return conntrack_mt(skb, &newpar);
+}
+
static bool conntrack_mt_check(const struct xt_mtchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
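Review bot: conntrack_mt_v1 reads `par->matchinfo` as a pointer-to-pointer with no explanation, which only makes sense if the reader already knows that the revision-1 checkentry overwrote the first pointer-sized bytes of the rule data with a kmalloc'd v2 struct. A comment would help: `/* checkentry (v1) replaced the start of the v1 matchinfo with a pointer to a prebuilt xt_conntrack_mtinfo2; unwrap it and match as v2. */`. Note also that `struct xt_match_param newpar = *par;` copies the whole parameter block per packet; it is probably small, but it is worth stating that this is the accepted cost of keeping one match routine.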
@@ -288,11 +298,45 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
return true;
}
+static bool conntrack_mt_check_v1(const struct xt_mtchk_param *par)
+{
+ struct xt_conntrack_mtinfo1 *info = par->matchinfo;
+ struct xt_conntrack_mtinfo2 *up;
+ int ret = conntrack_mt_check(par);
+
+ if (ret < 0)
+ return ret;
+
+ up = kmalloc(sizeof(*up), GFP_KERNEL);
+ if (up == NULL) {
+ nf_ct_l3proto_module_put(par->family);
+ return -ENOMEM;
+ }
+
+ /*
+ * The strategy here is to minimize the overhead of v1 matching,
+ * by prebuilding a v2 struct and putting the pointer into the
+ * v1 dataspace.
+ */
+ memcpy(up, info, offsetof(typeof(*info), state_mask));
+ up->state_mask = info->state_mask;
+ up->status_mask = info->status_mask;
+ *(void **)info = up;
+ return true;
+}
+
static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
{
nf_ct_l3proto_module_put(par->family);
}
+static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
+{
+ struct xt_conntrack_mtinfo2 **info = par->matchinfo;
+ kfree(*info);
+ conntrack_mt_destroy(par);
+}
+
#ifdef CONFIG_COMPAT
struct compat_xt_conntrack_info
{
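Review bot: conntrack_mt_check is declared `bool` (its definition is the hunk's leading context), so in conntrack_mt_check_v1 `ret < 0` can never be true and a failed l3proto module get is silently ignored; likewise `return -ENOMEM` from a `bool` function converts to `true`, so an allocation failure reports success after the module reference has already been dropped and with `*(void **)info` never written, leaving conntrack_mt_v1 to dereference whatever userspace placed at the start of the rule. Use `if (!conntrack_mt_check(par)) return false;` and `return false;` on the kmalloc failure path (or make both functions return int consistently if checkentry takes int in this tree). Separately, `*(void **)info = up;` overwrites the origsrc_addr bytes of the revision-1 data with a kernel heap pointer; as far as I can tell x_tables copies matchinfo back verbatim on a table dump, so listing a rev-1 rule would show a corrupted --ctorigsrc and expose a kernel address to userspace. At minimum that trade-off deserves a comment next to the assignment; a cleaner option is to leave the v1 data intact and pass the (widened) masks into conntrack_mt as arguments.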
@@ -363,6 +407,16 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
.revision = 1,
.family = NFPROTO_UNSPEC,
.matchsize = sizeof(struct xt_conntrack_mtinfo1),
+ .match = conntrack_mt_v1,
+ .checkentry = conntrack_mt_check_v1,
+ .destroy = conntrack_mt_destroy_v1,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "conntrack",
+ .revision = 2,
+ .family = NFPROTO_UNSPEC,
+ .matchsize = sizeof(struct xt_conntrack_mtinfo2),
.match = conntrack_mt,
.checkentry = conntrack_mt_check,
.destroy = conntrack_mt_destroy,
--
# Created with git-export-patch
* Re: conntrack untracked match is broken (userspace patch)
From: Jan Engelhardt @ 2009-06-25 16:48 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List, Philip Craig
Can be pulled from
git://dev.medozas.de/stable
-----8<-----
parent f9bf812aed50949db584cdf93752193c802fefcb (v1.4.4)
commit b97b42147ea65d7d24d70a2ffe925dbf091f26bc
Author: Jan Engelhardt <jengelh@medozas.de>
Date: Thu Jun 25 18:46:37 2009 +0200
xt_conntrack: revision 2 for enlarged state_mask member
This complements the xt_conntrack revision 2 code added to the kernel.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_conntrack.c | 175 ++++++++++++++++++++----
include/linux/netfilter/xt_conntrack.h | 13 ++
2 files changed, 161 insertions(+), 27 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 96ea3ec..68d40f8 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -12,6 +12,7 @@
#include <getopt.h>
#include <netdb.h>
#include <stdbool.h>
+#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -115,7 +116,7 @@ parse_states(const char *arg, struct xt_conntrack_info *sinfo)
}
static bool
-conntrack_ps_state(struct xt_conntrack_mtinfo1 *info, const char *state,
+conntrack_ps_state(struct xt_conntrack_mtinfo2 *info, const char *state,
size_t z)
{
if (strncasecmp(state, "INVALID", z) == 0)
@@ -138,7 +139,7 @@ conntrack_ps_state(struct xt_conntrack_mtinfo1 *info, const char *state,
}
static void
-conntrack_ps_states(struct xt_conntrack_mtinfo1 *info, const char *arg)
+conntrack_ps_states(struct xt_conntrack_mtinfo2 *info, const char *arg)
{
const char *comma;
@@ -189,7 +190,7 @@ parse_statuses(const char *arg, struct xt_conntrack_info *sinfo)
}
static bool
-conntrack_ps_status(struct xt_conntrack_mtinfo1 *info, const char *status,
+conntrack_ps_status(struct xt_conntrack_mtinfo2 *info, const char *status,
size_t z)
{
if (strncasecmp(status, "NONE", z) == 0)
@@ -208,7 +209,7 @@ conntrack_ps_status(struct xt_conntrack_mtinfo1 *info, const char *status,
}
static void
-conntrack_ps_statuses(struct xt_conntrack_mtinfo1 *info, const char *arg)
+conntrack_ps_statuses(struct xt_conntrack_mtinfo2 *info, const char *arg)
{
const char *comma;
@@ -263,7 +264,7 @@ parse_expires(const char *s, struct xt_conntrack_info *sinfo)
}
static void
-conntrack_ps_expires(struct xt_conntrack_mtinfo1 *info, const char *s)
+conntrack_ps_expires(struct xt_conntrack_mtinfo2 *info, const char *s)
{
unsigned int min, max;
char *end;
@@ -437,10 +438,9 @@ static int conntrack_parse(int c, char **argv, int invert, unsigned int *flags,
}
static int
-conntrack_mt_parse(int c, char **argv, int invert, unsigned int *flags,
- struct xt_entry_match **match)
+conntrack_mt_parse(int c, bool invert, unsigned int *flags,
+ struct xt_conntrack_mtinfo2 *info)
{
- struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
unsigned int port;
char *p;
@@ -543,10 +543,9 @@ conntrack_mt_parse(int c, char **argv, int invert, unsigned int *flags,
}
static int
-conntrack_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
+conntrack_mt4_parse(int c, bool invert, unsigned int *flags,
+ struct xt_conntrack_mtinfo2 *info)
{
- struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
struct in_addr *addr = NULL;
unsigned int naddrs = 0;
@@ -605,7 +604,7 @@ conntrack_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
default:
- return conntrack_mt_parse(c, argv, invert, flags, match);
+ return conntrack_mt_parse(c, invert, flags, info);
}
*flags = info->match_flags;
@@ -613,10 +612,9 @@ conntrack_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
}
static int
-conntrack_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
- const void *entry, struct xt_entry_match **match)
+conntrack_mt6_parse(int c, bool invert, unsigned int *flags,
+ struct xt_conntrack_mtinfo2 *info)
{
- struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
struct in6_addr *addr = NULL;
unsigned int naddrs = 0;
@@ -675,13 +673,62 @@ conntrack_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
default:
- return conntrack_mt_parse(c, argv, invert, flags, match);
+ return conntrack_mt_parse(c, invert, flags, info);
}
*flags = info->match_flags;
return true;
}
+#define cinfo_transform(r, l) \
+ do { \
+ memcpy((r), (l), offsetof(typeof(*(l)), state_mask)); \
+ (r)->state_mask = (l)->state_mask; \
+ (r)->status_mask = (l)->status_mask; \
+ } while (false);
+
+static int
+conntrack1_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
+ struct xt_conntrack_mtinfo2 up;
+
+ cinfo_transform(&up, info);
+ if (!conntrack_mt4_parse(c, invert, flags, &up))
+ return false;
+ cinfo_transform(info, &up);
+ return true;
+}
+
+static int
+conntrack1_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_conntrack_mtinfo1 *info = (void *)(*match)->data;
+ struct xt_conntrack_mtinfo2 up;
+
+ cinfo_transform(&up, info);
+ if (!conntrack_mt6_parse(c, invert, flags, &up))
+ return false;
+ cinfo_transform(info, &up);
+ return true;
+}
+
+static int
+conntrack2_mt4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return conntrack_mt4_parse(c, invert, flags, (void *)(*match)->data);
+}
+
+static int
+conntrack2_mt6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ return conntrack_mt6_parse(c, invert, flags, (void *)(*match)->data);
+}
+
static void conntrack_mt_check(unsigned int flags)
{
if (flags == 0)
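Review bot: conntrack1_mt4_parse and conntrack1_mt6_parse copy the parsed 16-bit masks back into the 8-bit revision-1 fields via `cinfo_transform(info, &up)`, which silently truncates; on a kernel that only offers revision 1, `--ctstate UNTRACKED` therefore still produces the non-matching rule this thread started with, now without even a compiler warning. Before the copy-back, reject what revision 1 cannot carry: `if (up.state_mask > 0xff || up.status_mask > 0xff) xtables_error(PARAMETER_PROBLEM, "conntrack: this state/status needs match revision 2 (newer kernel)");` (using whatever error helper this extension already uses). The cinfo_transform macro also ends its `do { } while (false)` with a stray semicolon, so `if (x) cinfo_transform(a, b); else ...` would not compile; drop the trailing `;` from the macro definition. The macro's `memcpy` assumes both structs share their layout up to state_mask, which holds for the two definitions in this patch but is worth a comment on the macro.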
@@ -894,7 +941,7 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric,
}
static void
-conntrack_dump(const struct xt_conntrack_mtinfo1 *info, const char *prefix,
+conntrack_dump(const struct xt_conntrack_mtinfo2 *info, const char *prefix,
unsigned int family, bool numeric)
{
if (info->match_flags & XT_CONNTRACK_STATE) {
@@ -1004,6 +1051,28 @@ static void conntrack_print(const void *ip, const struct xt_entry_match *match,
}
static void
+conntrack1_mt4_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
+ struct xt_conntrack_mtinfo2 up;
+
+ cinfo_transform(&up, info);
+ conntrack_dump(&up, "", NFPROTO_IPV4, numeric);
+}
+
+static void
+conntrack1_mt6_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
+ struct xt_conntrack_mtinfo2 up;
+
+ cinfo_transform(&up, info);
+ conntrack_dump(&up, "", NFPROTO_IPV6, numeric);
+}
+
+static void
conntrack_mt_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
@@ -1034,7 +1103,27 @@ static void conntrack_mt6_save(const void *ip,
conntrack_dump((const void *)match->data, "--", NFPROTO_IPV6, true);
}
-static struct xtables_match conntrack_match = {
+static void
+conntrack1_mt4_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
+ struct xt_conntrack_mtinfo2 up;
+
+ cinfo_transform(&up, info);
+ conntrack_dump(&up, "--", NFPROTO_IPV4, true);
+}
+
+static void
+conntrack1_mt6_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_conntrack_mtinfo1 *info = (void *)match->data;
+ struct xt_conntrack_mtinfo2 up;
+
+ cinfo_transform(&up, info);
+ conntrack_dump(&up, "--", NFPROTO_IPV6, true);
+}
+
+static struct xtables_match conntrack_mt_v0_reg = {
.version = XTABLES_VERSION,
.name = "conntrack",
.revision = 0,
@@ -1049,7 +1138,7 @@ static struct xtables_match conntrack_match = {
.extra_opts = conntrack_mt_opts_v0,
};
-static struct xtables_match conntrack_mt_reg = {
+static struct xtables_match conntrack_mt_v1_reg = {
.version = XTABLES_VERSION,
.name = "conntrack",
.revision = 1,
@@ -1057,14 +1146,14 @@ static struct xtables_match conntrack_mt_reg = {
.size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
.help = conntrack_mt_help,
- .parse = conntrack_mt4_parse,
+ .parse = conntrack1_mt4_parse,
.final_check = conntrack_mt_check,
- .print = conntrack_mt_print,
- .save = conntrack_mt_save,
+ .print = conntrack1_mt4_print,
+ .save = conntrack1_mt4_save,
.extra_opts = conntrack_mt_opts,
};
-static struct xtables_match conntrack_mt6_reg = {
+static struct xtables_match conntrack_mt6_v1_reg = {
.version = XTABLES_VERSION,
.name = "conntrack",
.revision = 1,
@@ -1072,7 +1161,37 @@ static struct xtables_match conntrack_mt6_reg = {
.size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo1)),
.help = conntrack_mt_help,
- .parse = conntrack_mt6_parse,
+ .parse = conntrack1_mt6_parse,
+ .final_check = conntrack_mt_check,
+ .print = conntrack1_mt6_print,
+ .save = conntrack1_mt6_save,
+ .extra_opts = conntrack_mt_opts,
+};
+
+static struct xtables_match conntrack_mt_v2_reg = {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+ .revision = 2,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
+ .help = conntrack_mt_help,
+ .parse = conntrack2_mt4_parse,
+ .final_check = conntrack_mt_check,
+ .print = conntrack_mt_print,
+ .save = conntrack_mt_save,
+ .extra_opts = conntrack_mt_opts,
+};
+
+static struct xtables_match conntrack_mt6_v2_reg = {
+ .version = XTABLES_VERSION,
+ .name = "conntrack",
+ .revision = 2,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_conntrack_mtinfo2)),
+ .help = conntrack_mt_help,
+ .parse = conntrack2_mt6_parse,
.final_check = conntrack_mt_check,
.print = conntrack_mt6_print,
.save = conntrack_mt6_save,
@@ -1081,7 +1200,9 @@ static struct xtables_match conntrack_mt6_reg = {
void _init(void)
{
- xtables_register_match(&conntrack_match);
- xtables_register_match(&conntrack_mt_reg);
- xtables_register_match(&conntrack_mt6_reg);
+ xtables_register_match(&conntrack_mt_v0_reg);
+ xtables_register_match(&conntrack_mt_v1_reg);
+ xtables_register_match(&conntrack_mt6_v1_reg);
+ xtables_register_match(&conntrack_mt_v2_reg);
+ xtables_register_match(&conntrack_mt6_v2_reg);
}
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 8f53452..21b222e 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -81,4 +81,17 @@ struct xt_conntrack_mtinfo1 {
u_int8_t state_mask, status_mask;
};
+struct xt_conntrack_mtinfo2 {
+ union nf_inet_addr origsrc_addr, origsrc_mask;
+ union nf_inet_addr origdst_addr, origdst_mask;
+ union nf_inet_addr replsrc_addr, replsrc_mask;
+ union nf_inet_addr repldst_addr, repldst_mask;
+ __u32 expires_min, expires_max;
+ __u16 l4proto;
+ __be16 origsrc_port, origdst_port;
+ __be16 replsrc_port, repldst_port;
+ __u16 match_flags, invert_flags;
+ __u16 state_mask, status_mask;
+};
+
#endif /*_XT_CONNTRACK_H*/
--
# Created with git-export-patch
* Re: conntrack untracked match is broken (kernel patch)
From: Philip Craig @ 2009-06-26 7:45 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: kaber, Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Monday 2009-06-22 08:31, Philip Craig wrote:
>> Looks like we need a conntrack match v2 to fix this?
>
>
> Here is the kernel patch, please apply. Userspace as a reply.
Thank you, works fine with both patches applied. I didn't
test old/new combinations.
* Re: conntrack untracked match is broken (kernel patch)
From: Patrick McHardy @ 2009-06-29 12:34 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List, Philip Craig
Jan Engelhardt wrote:
> On Monday 2009-06-22 08:31, Philip Craig wrote:
>> The problem is that state_mask in 'struct xt_conntrack_mtinfo1' is
>> only 8 bit, but XT_CONNTRACK_STATE_UNTRACKED == 256.
>> Unfortunately, gcc doesn't warn about this for '|=', only for '='.
>
> I smell a gcc-missing-feature there.
>
>> Looks like we need a conntrack match v2 to fix this?
Sigh.
> Here is the kernel patch, please apply. Userspace as a reply.
>
> -----8<-----
> parent deb9f8e170eff8fd0476536bac3bf9bdc222d4ed (v2.6.30-5372-gdeb9f8e)
> commit 366d5a252fd0de33d7b3ef669551a8771748c9e3
> Author: Jan Engelhardt <jengelh@medozas.de>
> Date: Thu Jun 25 18:35:39 2009 +0200
>
> netfilter: xtables: conntrack revision 2
>
> As reported by Philip, the UNTRACKED state bit does not fit within
> the 8-bit state_mask member. Enlarge state_mask and give status_mask
> a few more bits too.
Applied.