netfilter: xt_CT: recover NOTRACK target support (10db9069) · Commits · 戴 / test

include/net/netns/x_tables.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -8,6 +8,7 @@ struct ebt_table;

		struct netns_xt {
		struct list_head tables[NFPROTO_NUMPROTO];
		bool notrack_deprecated_warning;
		#if defined(CONFIG_BRIDGE_NF_EBTABLES) \|\| \
		defined(CONFIG_BRIDGE_NF_EBTABLES_MODULE)
		struct ebt_table *broute_table;

net/netfilter/Kconfig

+4 −0

Original line number	Diff line number	Diff line
		@@ -680,6 +680,10 @@ config NETFILTER_XT_TARGET_NFQUEUE

		To compile it as a module, choose M here. If unsure, say N.

		config NETFILTER_XT_TARGET_NOTRACK
		tristate '"NOTRACK" target support (DEPRECATED)'
		select NETFILTER_XT_TARGET_CT

		config NETFILTER_XT_TARGET_RATEEST
		tristate '"RATEEST" target support'
		depends on NETFILTER_ADVANCED

net/netfilter/xt_CT.c

+49 −1

Original line number	Diff line number	Diff line
		@@ -385,14 +385,60 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
		},
		};

		static unsigned int
		notrack_tg(struct sk_buff skb, const struct xt_action_param par)
		{
		/* Previously seen (loopback)? Ignore. */
		if (skb->nfct != NULL)
		return XT_CONTINUE;

		skb->nfct = &nf_ct_untracked_get()->ct_general;
		skb->nfctinfo = IP_CT_NEW;
		nf_conntrack_get(skb->nfct);

		return XT_CONTINUE;
		}

		static int notrack_chk(const struct xt_tgchk_param *par)
		{
		if (!par->net->xt.notrack_deprecated_warning) {
		pr_info("netfilter: NOTRACK target is deprecated, "
		"use CT instead or upgrade iptables\n");
		par->net->xt.notrack_deprecated_warning = true;
		}
		return 0;
		}

		static struct xt_target notrack_tg_reg __read_mostly = {
		.name = "NOTRACK",
		.revision = 0,
		.family = NFPROTO_UNSPEC,
		.checkentry = notrack_chk,
		.target = notrack_tg,
		.table = "raw",
		.me = THIS_MODULE,
		};

		static int __init xt_ct_tg_init(void)
		{
		return xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
		int ret;

		ret = xt_register_target(&notrack_tg_reg);
		if (ret < 0)
		return ret;

		ret = xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
		if (ret < 0) {
		xt_unregister_target(&notrack_tg_reg);
		return ret;
		}
		return 0;
		}

		static void __exit xt_ct_tg_exit(void)
		{
		xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
		xt_unregister_target(&notrack_tg_reg);
		}

		module_init(xt_ct_tg_init);
		@@ -402,3 +448,5 @@ MODULE_LICENSE("GPL");
		MODULE_DESCRIPTION("Xtables: connection tracking target");
		MODULE_ALIAS("ipt_CT");
		MODULE_ALIAS("ip6t_CT");
		MODULE_ALIAS("ipt_NOTRACK");
		MODULE_ALIAS("ip6t_NOTRACK");

Admin message