
netfilter: xt_CT: add alias flag

This patch adds the alias flag to support full NOTRACK target
aliasing.

Based on initial patch from Jozsef Kadlecsik.

Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hi>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+34 -4
+5 -1
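--- a/include/uapi/linux/netfilter/xt_CT.h
+++ b/include/uapi/linux/netfilter/xt_CT.h
@@ -3,7 +3,11 @@
 
 #include <linux/types.h>
 
-#define XT_CT_NOTRACK 0x1
+enum {
+	XT_CT_NOTRACK		= 1 << 0,
+	XT_CT_NOTRACK_ALIAS	= 1 << 1,
+	XT_CT_MASK		= XT_CT_NOTRACK | XT_CT_NOTRACK_ALIAS,
+};
 
 struct xt_ct_target_info {
 	__u16 flags;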
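Review bot: Turning `#define XT_CT_NOTRACK 0x1` into an enum constant removes the macro from this uapi header, so a userspace feature test such as `#ifdef XT_CT_NOTRACK` stops matching even though the value itself is unchanged. The new `XT_CT_NOTRACK_ALIAS` and `XT_CT_MASK` are likewise invisible to the preprocessor, so userspace cannot detect alias support with an `#ifdef` either. One way to keep both the enum and preprocessor visibility is to add self-referential macros after the enum, `#define XT_CT_NOTRACK XT_CT_NOTRACK` and `#define XT_CT_NOTRACK_ALIAS XT_CT_NOTRACK_ALIAS`, or to keep the flag constants as `#define`s alongside the mask.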
+29 -3
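--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -185,9 +185,6 @@
 	struct nf_conn *ct;
 	int ret = -EOPNOTSUPP;
 
-	if (info->flags & ~XT_CT_NOTRACK)
-		return -EINVAL;
-
 	if (info->flags & XT_CT_NOTRACK) {
 		ct = nf_ct_untracked_get();
 		atomic_inc(&ct->ct_general.use);
@@ -253,6 +256,9 @@
 	};
 	int ret;
 
+	if (info->flags & ~XT_CT_NOTRACK)
+		return -EINVAL;
+
 	memcpy(info_v1.helper, info->helper, sizeof(info->helper));
 
 	ret = xt_ct_tg_check(par, &info_v1);
@@ -269,6 +269,21 @@
 
 static int xt_ct_tg_check_v1(const struct xt_tgchk_param *par)
 {
+	struct xt_ct_target_info_v1 *info = par->targinfo;
+
+	if (info->flags & ~XT_CT_NOTRACK)
+		return -EINVAL;
+
+	return xt_ct_tg_check(par, par->targinfo);
+}
+
+static int xt_ct_tg_check_v2(const struct xt_tgchk_param *par)
+{
+	struct xt_ct_target_info_v1 *info = par->targinfo;
+
+	if (info->flags & ~XT_CT_MASK)
+		return -EINVAL;
+
 	return xt_ct_tg_check(par, par->targinfo);
 }
 
@@ -360,6 +345,17 @@
 		.revision	= 1,
 		.targetsize	= sizeof(struct xt_ct_target_info_v1),
 		.checkentry	= xt_ct_tg_check_v1,
+		.destroy	= xt_ct_tg_destroy_v1,
+		.target		= xt_ct_target_v1,
+		.table		= "raw",
+		.me		= THIS_MODULE,
+	},
+	{
+		.name		= "CT",
+		.family		= NFPROTO_UNSPEC,
+		.revision	= 2,
+		.targetsize	= sizeof(struct xt_ct_target_info_v1),
+		.checkentry	= xt_ct_tg_check_v2,
 		.destroy	= xt_ct_tg_destroy_v1,
 		.target		= xt_ct_target_v1,
 		.table		= "raw",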
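Review bot: `xt_ct_tg_check_v2` in the third hunk accepts `XT_CT_NOTRACK_ALIAS` on its own, because its only validation is `info->flags & ~XT_CT_MASK`, while nothing in this diff acts on the alias bit — the shared `xt_ct_tg_check` still branches only on `XT_CT_NOTRACK`, so an alias-only `flags` value would presumably be set up as an ordinary CT rule rather than a NOTRACK one. If the alias bit is meant purely to mark a NOTRACK rule for userspace, it would be safer to reject that combination, `if ((info->flags & XT_CT_NOTRACK_ALIAS) && !(info->flags & XT_CT_NOTRACK)) return -EINVAL;`, or else to document that it is deliberately allowed. The first hunk drops the `~XT_CT_NOTRACK` check from `xt_ct_tg_check` (whose signature is outside the hunk), so the common path now depends on every revision wrapper validating `flags` before calling it; a comment there such as `/* flags are validated by the per-revision checkentry wrappers */` would make that contract visible to the next caller. The revision 2 table entry in the last hunk reuses the v1 info struct, destroy and target hooks, so the revision differs only in the accepted flag mask — a one-line comment on the entry stating that would save readers a diff of the two wrappers.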