[net-next-2.6.git] / net / netfilter / xt_NOTRACK.c

/* This is a module which is used for setting up fake conntracks
 * on packets so that they are not seen by the conntrack/NAT code.
 */
#include <linux/module.h>
#include <linux/skbuff.h>

#include <linux/netfilter/x_tables.h>
#include <net/netfilter/nf_conntrack.h>

MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_NOTRACK");
MODULE_ALIAS("ip6t_NOTRACK");

static unsigned int
target(struct sk_buff **pskb,
       const struct net_device *in,
       const struct net_device *out,
       unsigned int hooknum,
       const struct xt_target *target,
       const void *targinfo)
{
	/* Previously seen (loopback)? Ignore. */
	if ((*pskb)->nfct != NULL)
		return XT_CONTINUE;

	/* Attach fake conntrack entry.
	   If there is a real ct entry correspondig to this packet,
	   it'll hang aroun till timing out. We don't deal with it
	   for performance reasons. JK */
	(*pskb)->nfct = &nf_conntrack_untracked.ct_general;
	(*pskb)->nfctinfo = IP_CT_NEW;
	nf_conntrack_get((*pskb)->nfct);

	return XT_CONTINUE;
}

static struct xt_target xt_notrack_target[] __read_mostly = {
	{
		.name		= "NOTRACK",
		.family		= AF_INET,
		.target		= target,
		.table		= "raw",
		.me		= THIS_MODULE,
	},
	{
		.name		= "NOTRACK",
		.family		= AF_INET6,
		.target		= target,
		.table		= "raw",
		.me		= THIS_MODULE,
	},
};

static int __init xt_notrack_init(void)
{
	return xt_register_targets(xt_notrack_target,
				   ARRAY_SIZE(xt_notrack_target));
}

static void __exit xt_notrack_fini(void)
{
	xt_unregister_targets(xt_notrack_target, ARRAY_SIZE(xt_notrack_target));
}

module_init(xt_notrack_init);
module_exit(xt_notrack_fini);
Commit	Line	Data
1da177e4 LT	1	/* This is a module which is used for setting up fake conntracks
	2	* on packets so that they are not seen by the conntrack/NAT code.
	3	*/
	4	#include <linux/module.h>
	5	#include <linux/skbuff.h>
	6
2e4e6a17	7	#include <linux/netfilter/x_tables.h>
587aa641	8	#include <net/netfilter/nf_conntrack.h>
1da177e4	9
2e4e6a17 HW	10	MODULE_LICENSE("GPL");
2e4e6a17 HW	11	MODULE_ALIAS("ipt_NOTRACK");
73aaf935	12	MODULE_ALIAS("ip6t_NOTRACK");
2e4e6a17	13
1da177e4 LT	14	static unsigned int
	15	target(struct sk_buff **pskb,
	16	const struct net_device *in,
	17	const struct net_device *out,
	18	unsigned int hooknum,
c4986734	19	const struct xt_target *target,
fe1cb108	20	const void *targinfo)
1da177e4 LT	21	{
	22	/* Previously seen (loopback)? Ignore. */
	23	if ((*pskb)->nfct != NULL)
2e4e6a17	24	return XT_CONTINUE;
1da177e4	25
601e68e1 YH	26	/* Attach fake conntrack entry.
601e68e1 YH	27	If there is a real ct entry correspondig to this packet,
1da177e4 LT	28	it'll hang aroun till timing out. We don't deal with it
1da177e4 LT	29	for performance reasons. JK */
587aa641	30	(*pskb)->nfct = &nf_conntrack_untracked.ct_general;
1da177e4 LT	31	(*pskb)->nfctinfo = IP_CT_NEW;
	32	nf_conntrack_get((*pskb)->nfct);
	33
2e4e6a17	34	return XT_CONTINUE;
1da177e4 LT	35	}
1da177e4 LT	36
9f15c530	37	static struct xt_target xt_notrack_target[] __read_mostly = {
4470bbc7 PM	38	{
	39	.name = "NOTRACK",
	40	.family = AF_INET,
	41	.target = target,
	42	.table = "raw",
	43	.me = THIS_MODULE,
	44	},
	45	{
	46	.name = "NOTRACK",
	47	.family = AF_INET6,
	48	.target = target,
	49	.table = "raw",
	50	.me = THIS_MODULE,
	51	},
1da177e4 LT	52	};
1da177e4 LT	53
65b4b4e8	54	static int __init xt_notrack_init(void)
1da177e4	55	{
4470bbc7 PM	56	return xt_register_targets(xt_notrack_target,
4470bbc7 PM	57	ARRAY_SIZE(xt_notrack_target));
1da177e4 LT	58	}
1da177e4 LT	59
65b4b4e8	60	static void __exit xt_notrack_fini(void)
1da177e4	61	{
4470bbc7	62	xt_unregister_targets(xt_notrack_target, ARRAY_SIZE(xt_notrack_target));
1da177e4 LT	63	}
1da177e4 LT	64
65b4b4e8 AM	65	module_init(xt_notrack_init);
65b4b4e8 AM	66	module_exit(xt_notrack_fini);