aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/net/netns/x_tables.h1
-rw-r--r--net/netfilter/Kconfig4
-rw-r--r--net/netfilter/xt_CT.c50
3 files changed, 54 insertions, 1 deletions
diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index 591db7d657a3..c24060ee411e 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -8,6 +8,7 @@ struct ebt_table;
8 8
9struct netns_xt { 9struct netns_xt {
10 struct list_head tables[NFPROTO_NUMPROTO]; 10 struct list_head tables[NFPROTO_NUMPROTO];
11 bool notrack_deprecated_warning;
11#if defined(CONFIG_BRIDGE_NF_EBTABLES) || \ 12#if defined(CONFIG_BRIDGE_NF_EBTABLES) || \
12 defined(CONFIG_BRIDGE_NF_EBTABLES_MODULE) 13 defined(CONFIG_BRIDGE_NF_EBTABLES_MODULE)
13 struct ebt_table *broute_table; 14 struct ebt_table *broute_table;
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index fefa514b9917..390f96cc8ed4 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -680,6 +680,10 @@ config NETFILTER_XT_TARGET_NFQUEUE
680 680
681 To compile it as a module, choose M here. If unsure, say N. 681 To compile it as a module, choose M here. If unsure, say N.
682 682
683config NETFILTER_XT_TARGET_NOTRACK
684 tristate '"NOTRACK" target support (DEPRECATED)'
685 select NETFILTER_XT_TARGET_CT
686
683config NETFILTER_XT_TARGET_RATEEST 687config NETFILTER_XT_TARGET_RATEEST
684 tristate '"RATEEST" target support' 688 tristate '"RATEEST" target support'
685 depends on NETFILTER_ADVANCED 689 depends on NETFILTER_ADVANCED
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 1668f41acc6e..2a0843081840 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -385,14 +385,60 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
385 }, 385 },
386}; 386};
387 387
388static unsigned int
389notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
390{
391 /* Previously seen (loopback)? Ignore. */
392 if (skb->nfct != NULL)
393 return XT_CONTINUE;
394
395 skb->nfct = &nf_ct_untracked_get()->ct_general;
396 skb->nfctinfo = IP_CT_NEW;
397 nf_conntrack_get(skb->nfct);
398
399 return XT_CONTINUE;
400}
401
402static int notrack_chk(const struct xt_tgchk_param *par)
403{
404 if (!par->net->xt.notrack_deprecated_warning) {
405 pr_info("netfilter: NOTRACK target is deprecated, "
406 "use CT instead or upgrade iptables\n");
407 par->net->xt.notrack_deprecated_warning = true;
408 }
409 return 0;
410}
411
412static struct xt_target notrack_tg_reg __read_mostly = {
413 .name = "NOTRACK",
414 .revision = 0,
415 .family = NFPROTO_UNSPEC,
416 .checkentry = notrack_chk,
417 .target = notrack_tg,
418 .table = "raw",
419 .me = THIS_MODULE,
420};
421
388static int __init xt_ct_tg_init(void) 422static int __init xt_ct_tg_init(void)
389{ 423{
390 return xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg)); 424 int ret;
425
426 ret = xt_register_target(&notrack_tg_reg);
427 if (ret < 0)
428 return ret;
429
430 ret = xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
431 if (ret < 0) {
432 xt_unregister_target(&notrack_tg_reg);
433 return ret;
434 }
435 return 0;
391} 436}
392 437
393static void __exit xt_ct_tg_exit(void) 438static void __exit xt_ct_tg_exit(void)
394{ 439{
395 xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg)); 440 xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
441 xt_unregister_target(&notrack_tg_reg);
396} 442}
397 443
398module_init(xt_ct_tg_init); 444module_init(xt_ct_tg_init);
@@ -402,3 +448,5 @@ MODULE_LICENSE("GPL");
402MODULE_DESCRIPTION("Xtables: connection tracking target"); 448MODULE_DESCRIPTION("Xtables: connection tracking target");
403MODULE_ALIAS("ipt_CT"); 449MODULE_ALIAS("ipt_CT");
404MODULE_ALIAS("ip6t_CT"); 450MODULE_ALIAS("ip6t_CT");
451MODULE_ALIAS("ipt_NOTRACK");
452MODULE_ALIAS("ip6t_NOTRACK");