-rw-r--r-- | include/net/netns/x_tables.h | 1 | ||||
-rw-r--r-- | net/netfilter/Kconfig | 4 | ||||
-rw-r--r-- | net/netfilter/xt_CT.c | 50 |
3 files changed, 54 insertions, 1 deletions
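--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -8,6 +8,7 @@ struct ebt_table;
 
 struct netns_xt {
 	struct list_head tables[NFPROTO_NUMPROTO];
+	bool notrack_deprecated_warning;
 #if defined(CONFIG_BRIDGE_NF_EBTABLES) || \
 	defined(CONFIG_BRIDGE_NF_EBTABLES_MODULE)
 	struct ebt_table *broute_table;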
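Review bot: The new `notrack_deprecated_warning` member carries no comment, so a reader of struct netns_xt cannot tell what it guards without opening xt_CT.c; a trailing comment such as `bool notrack_deprecated_warning;	/* NOTRACK deprecation notice already printed in this netns */` would fix that. It is a plain bool written from a target's checkentry hook, which presumably only matters if two rule loads in the same netns can run that hook concurrently; whether the surrounding xtables locking excludes that is not visible here and is worth confirming, though a duplicated log line would be the only consequence.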
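--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -680,6 +680,10 @@ config NETFILTER_XT_TARGET_NFQUEUE
 
 	  To compile it as a module, choose M here. If unsure, say N.
 
+config NETFILTER_XT_TARGET_NOTRACK
+	tristate '"NOTRACK" target support (DEPRECATED)'
+	select NETFILTER_XT_TARGET_CT
+
 config NETFILTER_XT_TARGET_RATEEST
 	tristate '"RATEEST" target support'
 	depends on NETFILTER_ADVANCED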
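Review bot: The new NETFILTER_XT_TARGET_NOTRACK entry has no `help` block, unlike the NFQUEUE entry just above it that ends with the usual "To compile it as a module, choose M here." text, so menuconfig will show the symbol with no explanation of why it is deprecated or what selecting it does. A short help text saying that the symbol only exists so that rulesets written for older iptables still load, that it selects NETFILTER_XT_TARGET_CT which provides the same functionality as CT --notrack, and that new rulesets should use CT instead, would cover it. The neighbouring RATEEST entry also has `depends on NETFILTER_ADVANCED`; if the omission here is deliberate (keeping the compat target visible in non-advanced configurations) a one-line comment stating that would save the next reader the question.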
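--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -385,14 +385,60 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
 	},
 };
 
+static unsigned int
+notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	/* Previously seen (loopback)? Ignore. */
+	if (skb->nfct != NULL)
+		return XT_CONTINUE;
+
+	skb->nfct = &nf_ct_untracked_get()->ct_general;
+	skb->nfctinfo = IP_CT_NEW;
+	nf_conntrack_get(skb->nfct);
+
+	return XT_CONTINUE;
+}
+
+static int notrack_chk(const struct xt_tgchk_param *par)
+{
+	if (!par->net->xt.notrack_deprecated_warning) {
+		pr_info("netfilter: NOTRACK target is deprecated, "
+			"use CT instead or upgrade iptables\n");
+		par->net->xt.notrack_deprecated_warning = true;
+	}
+	return 0;
+}
+
+static struct xt_target notrack_tg_reg __read_mostly = {
+	.name		= "NOTRACK",
+	.revision	= 0,
+	.family		= NFPROTO_UNSPEC,
+	.checkentry	= notrack_chk,
+	.target		= notrack_tg,
+	.table		= "raw",
+	.me		= THIS_MODULE,
+};
+
 static int __init xt_ct_tg_init(void)
 {
-	return xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
+	int ret;
+
+	ret = xt_register_target(¬rack_tg_reg);
+	if (ret < 0)
+		return ret;
+
+	ret = xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
+	if (ret < 0) {
+		xt_unregister_target(¬rack_tg_reg);
+		return ret;
+	}
+	return 0;
 }
 
 static void __exit xt_ct_tg_exit(void)
 {
 	xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
+	xt_unregister_target(¬rack_tg_reg);
 }
 
 module_init(xt_ct_tg_init);
@@ -402,3 +448,5 @@ MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("Xtables: connection tracking target");
 MODULE_ALIAS("ipt_CT");
 MODULE_ALIAS("ip6t_CT");
+MODULE_ALIAS("ipt_NOTRACK");
+MODULE_ALIAS("ip6t_NOTRACK");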
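Review bot: Nothing in the first hunk says why a target that the same hunk logs as deprecated is being added to xt_CT.c, so a maintainer seeing notrack_tg next to the CT target will reasonably ask whether it can be deleted; a header comment above notrack_tg such as `/* Legacy "NOTRACK" target, kept so rulesets from older iptables still load; same effect as CT --notrack. */` would answer that, and the ipt_NOTRACK/ip6t_NOTRACK aliases in the second hunk are the reason the old module name keeps resolving. The three lines that attach the untracked conntrack (`skb->nfct = &nf_ct_untracked_get()->ct_general;`, `skb->nfctinfo = IP_CT_NEW;`, `nf_conntrack_get(skb->nfct);`) look like the same sequence the CT target's notrack path uses elsewhere in this file, which is outside the hunk; if so, a small static helper shared by both would keep the two paths from drifting. The per-netns flag in notrack_chk limits the deprecation message to one line per namespace rather than once per module, which presumably is intended so each namespace owner sees it, but it also means a workload that creates namespaces repeatedly will emit one line each time; pr_info_once() or net_ratelimit() are the alternatives if that turns out to be noisy. The registration and unregistration order in xt_ct_tg_init/xt_ct_tg_exit is consistent and the failure path unwinds the NOTRACK registration, so no issue there.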