Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1/* This is a module which is used for setting up fake conntracks
2 * on packets so that they are not seen by the conntrack/NAT code.
3 */
4#include <linux/module.h>
5#include <linux/skbuff.h>
6
7#include <linux/netfilter/x_tables.h>
8#include <net/netfilter/nf_conntrack_compat.h>
9
10MODULE_LICENSE("GPL");
11MODULE_ALIAS("ipt_NOTRACK");
12
13static unsigned int
14target(struct sk_buff **pskb,
15 const struct net_device *in,
16 const struct net_device *out,
17 unsigned int hooknum,
18 const struct xt_target *target,
19 const void *targinfo,
20 void *userinfo)
21{
22 /* Previously seen (loopback)? Ignore. */
23 if ((*pskb)->nfct != NULL)
24 return XT_CONTINUE;
25
26 /* Attach fake conntrack entry.
27 If there is a real ct entry correspondig to this packet,
28 it'll hang aroun till timing out. We don't deal with it
29 for performance reasons. JK */
30 nf_ct_untrack(*pskb);
31 (*pskb)->nfctinfo = IP_CT_NEW;
32 nf_conntrack_get((*pskb)->nfct);
33
34 return XT_CONTINUE;
35}
36
37static struct xt_target notrack_reg = {
38 .name = "NOTRACK",
39 .target = target,
40 .targetsize = 0,
41 .table = "raw",
42 .family = AF_INET,
43 .me = THIS_MODULE,
44};
45
46static struct xt_target notrack6_reg = {
47 .name = "NOTRACK",
48 .target = target,
49 .targetsize = 0,
50 .table = "raw",
51 .family = AF_INET6,
52 .me = THIS_MODULE,
53};
54
55static int __init xt_notrack_init(void)
56{
57 int ret;
58
59 ret = xt_register_target(¬rack_reg);
60 if (ret)
61 return ret;
62
63 ret = xt_register_target(¬rack6_reg);
64 if (ret)
65 xt_unregister_target(¬rack_reg);
66
67 return ret;
68}
69
70static void __exit xt_notrack_fini(void)
71{
72 xt_unregister_target(¬rack6_reg);
73 xt_unregister_target(¬rack_reg);
74}
75
76module_init(xt_notrack_init);
77module_exit(xt_notrack_fini);