authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2013-01-28 21:32:55 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2013-07-24 20:45:07 +0200
commit7b26bafb9be05a23b47653640aadbb61d0032665 (patch)
treecdcda0225300f4f3a773bcd1322b2c299fedb598
parent33b529a7208952c250f245557d248e50ce533c7d (diff)
libxt_CT: Add the "NOTRACK" alias
Available since Linux kernel 3.8. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--extensions/libxt_CT.c48
-rw-r--r--extensions/libxt_NOTRACK.man4
-rw-r--r--include/linux/netfilter/xt_CT.h5
3 files changed, 54 insertions, 3 deletions
diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
index c8437b6c..6b28fe1b 100644
--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
@@ -195,6 +195,10 @@ ct_print_v1(const void *ip, const struct xt_entry_target *target, int numeric)
const struct xt_ct_target_info_v1 *info =
(const struct xt_ct_target_info_v1 *)target->data;
+ if (info->flags & XT_CT_NOTRACK_ALIAS) {
+ printf (" NOTRACK");
+ return;
+ }
printf(" CT");
if (info->flags & XT_CT_NOTRACK)
printf(" notrack");
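Review bot: `printf (" NOTRACK");` on the new alias branch puts a space before the parenthesis, unlike the `printf(" CT");` and `printf(" notrack");` calls beside it; write `printf(" NOTRACK");` to match the file. The same XT_CT_NOTRACK_ALIAS handling is added to both ct_save (revision 0) and ct_save_v1 but only to the v1 print routine, so unless the revision 0 ct_print already handles the flag outside this diff, a revision 0 rule carrying the alias flag is listed as `CT notrack` while it is saved as the alias. ct_print_v1 continues outside the hunk.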
@@ -217,6 +221,8 @@ static void ct_save(const void *ip, const struct xt_entry_target *target)
const struct xt_ct_target_info *info =
(const struct xt_ct_target_info *)target->data;
+ if (info->flags & XT_CT_NOTRACK_ALIAS)
+ return;
if (info->flags & XT_CT_NOTRACK)
printf(" --notrack");
if (info->helper[0])
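Review bot: The early `return` when XT_CT_NOTRACK_ALIAS is set prints no options at all, which is only correct when the target name itself was emitted as `NOTRACK`; in this patch the `.alias` callback is registered solely on the revision 2 CT entry, whereas ct_save here belongs to revision 0 (and the same return is added to ct_save_v1 in the next hunk). If a revision 0 or 1 rule can ever carry the alias flag, it would be saved as `-j CT` with the `--notrack` option silently dropped — that looks like it can only happen with a mismatched kernel, but it is worth either confining the check to revision 2 or adding `.alias = ct_print_name_alias` to the older registrations as well. A comment such as `/* NOTRACK alias: options are implied by the target name */` above the return would make the dependency on `.alias` explicit. Both save functions continue outside their hunks.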
@@ -236,6 +242,8 @@ static void ct_save_v1(const void *ip, const struct xt_entry_target *target)
const struct xt_ct_target_info_v1 *info =
(const struct xt_ct_target_info_v1 *)target->data;
+ if (info->flags & XT_CT_NOTRACK_ALIAS)
+ return;
if (info->flags & XT_CT_NOTRACK)
printf(" --notrack");
if (info->helper[0])
@@ -252,6 +260,14 @@ static void ct_save_v1(const void *ip, const struct xt_entry_target *target)
printf(" --zone %u", info->zone);
}
+static const char *
+ct_print_name_alias(const struct xt_entry_target *target)
+{
+ struct xt_ct_target_info *info = (void *)target->data;
+
+ return info->flags & XT_CT_NOTRACK_ALIAS ? "NOTRACK" : "CT";
+}
+
static void notrack_ct0_tg_init(struct xt_entry_target *target)
{
struct xt_ct_target_info *info = (void *)target->data;
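Review bot: ct_print_name_alias takes a `const struct xt_entry_target *` but casts `target->data` through `(void *)` to a non-const `struct xt_ct_target_info *`, discarding the qualifier for a read-only access; `const struct xt_ct_target_info *info = (const void *)target->data;` keeps const-correctness. The callback is also only registered for the revision 2 entry, whose payload is `struct xt_ct_target_info_v1`, yet it reads `flags` through the revision 0 struct — this works only if `flags` sits at the same offset in both layouts (it is the first member of the v0 struct in the header hunk; the v1 layout is not visible here), so using the v1 struct type, or a comment stating that the two layouts share their `flags` prefix, would document the assumption.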
@@ -266,6 +282,13 @@ static void notrack_ct1_tg_init(struct xt_entry_target *target)
info->flags = XT_CT_NOTRACK;
}
+static void notrack_ct2_tg_init(struct xt_entry_target *target)
+{
+ struct xt_ct_target_info_v1 *info = (void *)target->data;
+
+ info->flags = XT_CT_NOTRACK | XT_CT_NOTRACK_ALIAS;
+}
+
static struct xtables_target ct_target_reg[] = {
{
.family = NFPROTO_UNSPEC,
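Review bot: notrack_ct2_tg_init sets both XT_CT_NOTRACK and XT_CT_NOTRACK_ALIAS with no comment on why two flags are needed, while the existing notrack_ct1_tg_init above sets XT_CT_NOTRACK alone. A short comment, e.g. `/* ALIAS marks the rule so print/save emit "-j NOTRACK" instead of "-j CT --notrack" */`, would tie the second flag to ct_print_name_alias and the early returns in the save functions. The remainder of ct_target_reg lies outside the hunk.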
@@ -293,6 +316,20 @@ static struct xtables_target ct_target_reg[] = {
.x6_options = ct_opts_v1,
},
{
+ .family = NFPROTO_UNSPEC,
+ .name = "CT",
+ .revision = 2,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
+ .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
+ .help = ct_help_v1,
+ .print = ct_print_v1,
+ .save = ct_save_v1,
+ .alias = ct_print_name_alias,
+ .x6_parse = ct_parse_v1,
+ .x6_options = ct_opts_v1,
+ },
+ {
.family = NFPROTO_UNSPEC,
.name = "NOTRACK",
.real_name = "CT",
@@ -315,6 +352,17 @@ static struct xtables_target ct_target_reg[] = {
{
.family = NFPROTO_UNSPEC,
.name = "NOTRACK",
+ .real_name = "CT",
+ .revision = 2,
+ .ext_flags = XTABLES_EXT_ALIAS,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
+ .userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
+ .init = notrack_ct2_tg_init,
+ },
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "NOTRACK",
.revision = 0,
.version = XTABLES_VERSION,
},
diff --git a/extensions/libxt_NOTRACK.man b/extensions/libxt_NOTRACK.man
index 633b965e..4302b93a 100644
--- a/extensions/libxt_NOTRACK.man
+++ b/extensions/libxt_NOTRACK.man
@@ -1,3 +1,3 @@
-This target disables connection tracking for all packets matching that rule.
-It is obsoleted by \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
+This extension disables connection tracking for all packets matching that rule.
+It is equivalent with \-j CT \-\-notrack. Like CT, NOTRACK can only be used in
the \fBraw\fP table.
diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h
index a064b8af..54528fdd 100644
--- a/include/linux/netfilter/xt_CT.h
+++ b/include/linux/netfilter/xt_CT.h
@@ -3,7 +3,10 @@
#include <linux/types.h>
-#define XT_CT_NOTRACK 0x1
+enum {
+ XT_CT_NOTRACK = 1 << 0,
+ XT_CT_NOTRACK_ALIAS = 1 << 1,
+};
struct xt_ct_target_info {
__u16 flags;