From 224d93afe97f575777fee3fdb22e0995cfd5704b Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Wed, 14 Aug 2013 16:58:04 +0200 Subject: [PATCH] Reorganize chain layout for raw/NOTRACK rules to fix support for custom rules with target "NOTRACK" --- defaults.c | 4 ++-- zones.c | 20 +++++++++++++++----- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/defaults.c b/defaults.c index 127f750..0746887 100644 --- a/defaults.c +++ b/defaults.c @@ -40,7 +40,7 @@ static const struct fw3_chain_spec default_chains[] = { C(ANY, MANGLE, UNSPEC, "mssfix"), C(ANY, MANGLE, UNSPEC, "fwmark"), - C(ANY, RAW, UNSPEC, "notrack"), + C(ANY, RAW, UNSPEC, "delegate_notrack"), { } }; @@ -208,7 +208,7 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle, { FW3_TABLE_MANGLE, "FORWARD", "mssfix" }, { FW3_TABLE_MANGLE, "PREROUTING", "fwmark" }, - { FW3_TABLE_RAW, "PREROUTING", "notrack" }, + { FW3_TABLE_RAW, "PREROUTING", "delegate_notrack" }, { 0, NULL }, }; diff --git a/zones.c b/zones.c index fc6d11e..04784c7 100644 --- a/zones.c +++ b/zones.c @@ -39,6 +39,8 @@ static const struct fw3_chain_spec zone_chains[] = { C(V4, NAT, SNAT, "zone_%s_postrouting"), C(V4, NAT, DNAT, "zone_%s_prerouting"), + C(ANY, RAW, NOTRACK, "zone_%s_notrack"), + C(ANY, FILTER, CUSTOM_CHAINS, "input_%s_rule"), C(ANY, FILTER, CUSTOM_CHAINS, "output_%s_rule"), C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_%s_rule"), @@ -317,7 +319,6 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, bool reload, struct fw3_zone *zone, struct fw3_device *dev, struct fw3_address *sub) { - bool disable_notrack = state->defaults.drop_invalid; struct fw3_protocol tcp = { .protocol = 6 }; struct fw3_ipt_rule *r; enum fw3_flag t; 
@@ -422,13 +423,12 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 }
 else if (handle->table == FW3_TABLE_RAW)
 {
- if (!zone->conntrack && !disable_notrack)
+ if (has(zone->flags, handle->family, FW3_FLAG_NOTRACK))
 {
 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
- fw3_ipt_rule_target(r, "CT");
- fw3_ipt_rule_addarg(r, false, "--notrack", NULL);
+ fw3_ipt_rule_target(r, "zone_%s_notrack", zone->name);
 fw3_ipt_rule_extra(r, zone->extra_src);
- fw3_ipt_rule_append(r, "notrack");
+ fw3_ipt_rule_append(r, "delegate_notrack");
 }
 }
 }
@@ -457,6 +457,7 @@ static void
 print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 bool reload, struct fw3_zone *zone)
 {
+ bool disable_notrack = state->defaults.drop_invalid;
 struct fw3_address *msrc;
 struct fw3_address *mdest;
 struct fw3_ipt_rule *r;
@@ -539,6 +540,15 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 break;
 case FW3_TABLE_RAW:
+ if (!zone->conntrack && !disable_notrack)
+ {
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_target(r, "CT");
+ fw3_ipt_rule_addarg(r, false, "--notrack", NULL);
+ fw3_ipt_rule_append(r, "zone_%s_notrack", zone->name);
+ }
+ break;
+
 case FW3_TABLE_MANGLE:
 break;
 }
--
2.11.0
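Review bot: The new guard `has(zone->flags, handle->family, FW3_FLAG_NOTRACK)` emits the jump into `zone_%s_notrack` regardless of `zone->conntrack` and of the `drop_invalid` default, whereas the old guard only touched the raw table when tracking was really being disabled; after this change the contents of the zone chain, not this guard, decide whether a flow bypasses conntrack, so a zone flagged NOTRACK with drop_invalid set still reaches any custom NOTRACK rules placed there. That is presumably intended for the custom-rule support named in the subject, but it deserves a comment on the `if` so nobody reinstates the old condition: `/* Always delegate to the per-zone raw chain when it exists; the implicit CT --notrack rule inside it is gated separately in print_zone_rule. */`. Nothing in this hunk verifies that the chain was actually created for this family, so this predicate appears to have to stay identical to the one that drives the C(ANY, RAW, NOTRACK, ...) chain spec. print_interface_rule begins and ends outside this hunk.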
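Review bot: The CT --notrack append under `case FW3_TABLE_RAW:` is gated only on `!zone->conntrack && !disable_notrack`, while the `zone_%s_notrack` chain it targets is declared with the NOTRACK flag in zone_chains and the jump to it in print_interface_rule checks `has(zone->flags, handle->family, FW3_FLAG_NOTRACK)`; the two predicates are not obviously the same. Unless something outside this diff sets FW3_FLAG_NOTRACK for every zone with conntrack disabled, a zone with conntrack disabled and no NOTRACK flag would append a rule to a chain that was never created, which iptables rejects and which likely aborts the whole ruleset load. Gating the block on the same predicate as the chain keeps the three sites consistent: `if (has(zone->flags, handle->family, FW3_FLAG_NOTRACK) && !zone->conntrack && !disable_notrack)`. The `disable_notrack` alias for `state->defaults.drop_invalid` introduced in the hunk above should also carry a why-comment, e.g. `/* drop_invalid seems to depend on conntrack state, so keep tracking on when it is set — TODO confirm */`. print_zone_rule begins outside this hunk.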