linux/net/netfilter/xt_NOTRACK.c
   1/* This is a module which is used for setting up fake conntracks
   2 * on packets so that they are not seen by the conntrack/NAT code.
   3 */
   4#include <linux/module.h>
   5#include <linux/skbuff.h>
   6
   7#include <linux/netfilter/x_tables.h>
   8#include <net/netfilter/nf_conntrack.h>
   9
/* Module metadata. */
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Xtables: Disabling connection tracking for packets");

/*
 * Aliases under the per-family names, presumably so that a request for the
 * IPv4 (ipt_) or IPv6 (ip6t_) NOTRACK target resolves to this one module.
 */
MODULE_ALIAS("ip6t_NOTRACK");
MODULE_ALIAS("ipt_NOTRACK");
  14
/*
 * notrack_tg - target handler for the NOTRACK xtables target.
 * @skb: packet the rule matched
 * @par: target parameters (not used by this handler)
 *
 * Attaches the shared nf_conntrack_untracked entry to a packet that has no
 * conntrack reference yet, so that the packet is not seen by the
 * conntrack/NAT code. Always returns XT_CONTINUE, so rule traversal goes on
 * after this target.
 *
 * NOTE(review): a packet marked here is exempt from connection tracking, so
 * stateful matching and NAT are not expected to apply to it. Rules that use
 * this target should therefore match as narrowly as the use case allows.
 */
static unsigned int
notrack_tg(struct sk_buff *skb, const struct xt_target_param *par)
{
	/*
	 * A packet that already carries a conntrack reference (previously
	 * seen, e.g. via loopback) is left untouched.
	 */
	if (skb->nfct == NULL) {
		/*
		 * Attach the fake conntrack entry. If a real conntrack entry
		 * corresponding to this packet exists, it is not dealt with
		 * here, for performance reasons; it hangs around until it
		 * times out.
		 */
		skb->nfctinfo = IP_CT_NEW;
		skb->nfct = &nf_conntrack_untracked.ct_general;
		/* Take a reference on the entry the skb now points to. */
		nf_conntrack_get(skb->nfct);
	}

	return XT_CONTINUE;
}
  32
/*
 * Registration record for the NOTRACK target.
 *
 * .family is NFPROTO_UNSPEC, i.e. the target is not tied to one protocol
 * family. .table limits the target to the "raw" table; it cannot be used
 * from rules in any other table.
 */
static struct xt_target notrack_tg_reg __read_mostly = {
	.me       = THIS_MODULE,
	.name     = "NOTRACK",
	.family   = NFPROTO_UNSPEC,
	.revision = 0,
	.table    = "raw",
	.target   = notrack_tg,
};
  41
/*
 * Module init: register the NOTRACK target with x_tables.
 * Returns whatever xt_register_target() returns.
 */
static int __init notrack_tg_init(void)
{
	int ret;

	ret = xt_register_target(&notrack_tg_reg);
	return ret;
}
  46
/* Module exit: unregister the NOTRACK target registered at init time. */
static void __exit notrack_tg_exit(void)
{
	xt_unregister_target(&notrack_tg_reg);
}
  51
/* Hook the register/unregister routines into module load and unload. */
module_exit(notrack_tg_exit);
module_init(notrack_tg_init);
  54