Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

at v2.6.19-rc3 65 lines 1.5 kB view raw
/*
 * NOTRACK target: attaches a fake conntrack entry to a packet so that the
 * packet is not seen by the conntrack/NAT code.
 *
 * Security note: because packets hitting this target are not seen by
 * conntrack/NAT, rules that depend on connection state will not treat them
 * as part of a tracked connection.  Rulesets that use NOTRACK need explicit
 * filtering for the traffic they exempt.
 */
#include <linux/module.h>
#include <linux/skbuff.h>

#include <linux/netfilter/x_tables.h>
#include <net/netfilter/nf_conntrack_compat.h>

MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_NOTRACK");

/*
 * Target handler shared by the IPv4 and IPv6 registrations below.
 *
 * Only *pskb is used; in, out, hooknum, target and targinfo are ignored.
 * Always returns XT_CONTINUE, so rule traversal goes on after this target.
 */
static unsigned int
target(struct sk_buff **pskb,
       const struct net_device *in,
       const struct net_device *out,
       unsigned int hooknum,
       const struct xt_target *target,
       const void *targinfo)
{
	struct sk_buff *skb = *pskb;

	/*
	 * A packet that already carries a conntrack reference has been seen
	 * before (loopback) and is left untouched.
	 */
	if (skb->nfct == NULL) {
		/*
		 * Attach the fake conntrack entry.  If a real conntrack entry
		 * corresponding to this packet exists, it is not cleaned up
		 * here and hangs around until it times out; that is skipped
		 * for performance reasons. JK
		 */
		nf_ct_untrack(skb);
		skb->nfctinfo = IP_CT_NEW;
		/* Take a reference on the entry now attached to the skb. */
		nf_conntrack_get(skb->nfct);
	}

	return XT_CONTINUE;
}

/*
 * One registration per address family; both use the same handler and are
 * restricted to the "raw" table through the .table field.
 */
static struct xt_target xt_notrack_target[] = {
	{
		.name	= "NOTRACK",
		.family	= AF_INET,
		.target	= target,
		.table	= "raw",
		.me	= THIS_MODULE,
	},
	{
		.name	= "NOTRACK",
		.family	= AF_INET6,
		.target	= target,
		.table	= "raw",
		.me	= THIS_MODULE,
	},
};

/* Module load: register both NOTRACK targets, passing on the result. */
static int __init xt_notrack_init(void)
{
	return xt_register_targets(xt_notrack_target,
				   ARRAY_SIZE(xt_notrack_target));
}

/* Module unload: unregister the targets registered at init. */
static void __exit xt_notrack_fini(void)
{
	xt_unregister_targets(xt_notrack_target,
			      ARRAY_SIZE(xt_notrack_target));
}

module_init(xt_notrack_init);
module_exit(xt_notrack_fini);