[net-next-2.6.git] / net / ipv4 / netfilter / ipt_NOTRACK.c

/* This is a module which is used for setting up fake conntracks
 * on packets so that they are not seen by the conntrack/NAT code.
 */
#include <linux/module.h>
#include <linux/skbuff.h>

#include <linux/netfilter_ipv4/ip_tables.h>
#include <net/netfilter/nf_conntrack_compat.h>

static unsigned int
target(struct sk_buff **pskb,
       const struct net_device *in,
       const struct net_device *out,
       unsigned int hooknum,
       const void *targinfo,
       void *userinfo)
{
	/* Previously seen (loopback)? Ignore. */
	if ((*pskb)->nfct != NULL)
		return IPT_CONTINUE;

	/* Attach fake conntrack entry. 
	   If there is a real ct entry correspondig to this packet, 
	   it'll hang aroun till timing out. We don't deal with it
	   for performance reasons. JK */
	nf_ct_untrack(*pskb);
	(*pskb)->nfctinfo = IP_CT_NEW;
	nf_conntrack_get((*pskb)->nfct);

	return IPT_CONTINUE;
}

static int
checkentry(const char *tablename,
	   const struct ipt_entry *e,
           void *targinfo,
           unsigned int targinfosize,
           unsigned int hook_mask)
{
	if (targinfosize != 0) {
		printk(KERN_WARNING "NOTRACK: targinfosize %u != 0\n",
		       targinfosize);
		return 0;
	}

	if (strcmp(tablename, "raw") != 0) {
		printk(KERN_WARNING "NOTRACK: can only be called from \"raw\" table, not \"%s\"\n", tablename);
		return 0;
	}

	return 1;
}

static struct ipt_target ipt_notrack_reg = { 
	.name = "NOTRACK", 
	.target = target, 
	.checkentry = checkentry,
	.me = THIS_MODULE 
};

static int __init init(void)
{
	if (ipt_register_target(&ipt_notrack_reg))
		return -EINVAL;

	return 0;
}

static void __exit fini(void)
{
	ipt_unregister_target(&ipt_notrack_reg);
}

module_init(init);
module_exit(fini);
MODULE_LICENSE("GPL");
Commit	Line	Data
1da177e4 LT	1	/* This is a module which is used for setting up fake conntracks
	2	* on packets so that they are not seen by the conntrack/NAT code.
	3	*/
	4	#include <linux/module.h>
	5	#include <linux/skbuff.h>
	6
	7	#include <linux/netfilter_ipv4/ip_tables.h>
9fb9cbb1	8	#include <net/netfilter/nf_conntrack_compat.h>
1da177e4 LT	9
	10	static unsigned int
	11	target(struct sk_buff **pskb,
	12	const struct net_device *in,
	13	const struct net_device *out,
	14	unsigned int hooknum,
	15	const void *targinfo,
	16	void *userinfo)
	17	{
	18	/* Previously seen (loopback)? Ignore. */
	19	if ((*pskb)->nfct != NULL)
	20	return IPT_CONTINUE;
	21
	22	/* Attach fake conntrack entry.
	23	If there is a real ct entry correspondig to this packet,
	24	it'll hang aroun till timing out. We don't deal with it
	25	for performance reasons. JK */
9fb9cbb1	26	nf_ct_untrack(*pskb);
1da177e4 LT	27	(*pskb)->nfctinfo = IP_CT_NEW;
	28	nf_conntrack_get((*pskb)->nfct);
	29
	30	return IPT_CONTINUE;
	31	}
	32
	33	static int
	34	checkentry(const char *tablename,
	35	const struct ipt_entry *e,
	36	void *targinfo,
	37	unsigned int targinfosize,
	38	unsigned int hook_mask)
	39	{
	40	if (targinfosize != 0) {
	41	printk(KERN_WARNING "NOTRACK: targinfosize %u != 0\n",
	42	targinfosize);
	43	return 0;
	44	}
	45
	46	if (strcmp(tablename, "raw") != 0) {
	47	printk(KERN_WARNING "NOTRACK: can only be called from \"raw\" table, not \"%s\"\n", tablename);
	48	return 0;
	49	}
	50
	51	return 1;
	52	}
	53
	54	static struct ipt_target ipt_notrack_reg = {
	55	.name = "NOTRACK",
	56	.target = target,
	57	.checkentry = checkentry,
	58	.me = THIS_MODULE
	59	};
	60
	61	static int __init init(void)
	62	{
	63	if (ipt_register_target(&ipt_notrack_reg))
	64	return -EINVAL;
	65
	66	return 0;
	67	}
	68
	69	static void __exit fini(void)
	70	{
	71	ipt_unregister_target(&ipt_notrack_reg);
	72	}
	73
	74	module_init(init);
	75	module_exit(fini);
	76	MODULE_LICENSE("GPL");