linux/net/netfilter/xt_state.c
   1/* Kernel module to match connection tracking information. */
   2
   3/* (C) 1999-2001 Paul `Rusty' Russell
   4 * (C) 2002-2005 Netfilter Core Team <coreteam@netfilter.org>
   5 *
   6 * This program is free software; you can redistribute it and/or modify
   7 * it under the terms of the GNU General Public License version 2 as
   8 * published by the Free Software Foundation.
   9 */
  10
  11#include <linux/module.h>
  12#include <linux/skbuff.h>
  13#include <net/netfilter/nf_conntrack.h>
  14#include <linux/netfilter/x_tables.h>
  15#include <linux/netfilter/xt_state.h>
  16
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>");
MODULE_DESCRIPTION("ip[6]_tables connection tracking state match module");
/*
 * Aliases under the historical per-family module names, so a request for
 * "ipt_state" or "ip6t_state" (e.g. from module autoloading) resolves to
 * this single xt_state module.
 */
MODULE_ALIAS("ipt_state");
MODULE_ALIAS("ip6t_state");
  22
/*
 * Work out which XT_STATE_* bit describes @skb's conntrack classification.
 *
 * The order of the checks is deliberate: the untracked marker wins first,
 * then an skb that carries no conntrack reference at all is reported as
 * INVALID (presumably this is also what a rule sees on hooks where
 * conntrack has not run on the packet yet -- verify against the hook
 * ordering), and only otherwise is the ctinfo attached to the skb turned
 * into its bit with XT_STATE_BIT (defined in xt_state.h; check there for
 * how the reply direction is mapped).
 */
static inline unsigned int state_mt_bit(const struct sk_buff *skb)
{
	enum ip_conntrack_info ctinfo;

	if (nf_ct_is_untracked(skb))
		return XT_STATE_UNTRACKED;
	if (nf_ct_get(skb, &ctinfo) == NULL)
		return XT_STATE_INVALID;
	return XT_STATE_BIT(ctinfo);
}

/*
 * Match callback behind "-m state --state ...".
 *
 * @skb: packet being evaluated
 * @par: xtables match parameters; par->matchinfo is this rule's
 *       struct xt_state_info, whose statemask holds the XT_STATE_* bits
 *       the rule accepts.
 *
 * Returns true when the packet's state bit is present in the rule's mask.
 * Note that statemask is never validated at rule-insertion time
 * (state_mt_check does not look at matchinfo); bits that do not
 * correspond to a state simply never match.
 */
static bool
state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
	const struct xt_state_info *sinfo = par->matchinfo;

	return (sinfo->statemask & state_mt_bit(skb)) != 0;
}
  39
/*
 * Rule-insertion hook for the "state" match.
 *
 * Takes a module reference on the conntrack L3 protocol support for the
 * rule's address family (IPv4 or IPv6, per the xt_match entry that was
 * used), which loads it if needed and keeps it from being unloaded while
 * the rule exists; the matching put lives in state_mt_destroy. A negative
 * result from the get refuses the rule (false) after logging which family
 * could not be supported.
 */
static bool state_mt_check(const struct xt_mtchk_param *par)
{
	const struct xt_match *match = par->match;
	int err = nf_ct_l3proto_try_module_get(match->family);

	if (err >= 0)
		return true;

	printk(KERN_WARNING "can't load conntrack support for "
			    "proto=%u\n", match->family);
	return false;
}
  49
/*
 * Rule-removal hook: release the conntrack L3 module reference that
 * state_mt_check took for this rule's address family.
 */
static void state_mt_destroy(const struct xt_mtdtor_param *par)
{
	const struct xt_match *match = par->match;

	nf_ct_l3proto_module_put(match->family);
}
  54
/*
 * One x_tables registration per address family. The two entries share
 * every callback; only .family differs, and that value is what
 * state_mt_check/state_mt_destroy use to pick the conntrack L3 module to
 * pin. .matchsize declares how many bytes of per-rule data (a
 * struct xt_state_info) accompany each rule, which the x_tables core
 * uses to size-check the match data handed in from userspace.
 */
static struct xt_match state_mt_reg[] __read_mostly = {
	{
		/* iptables (IPv4) */
		.name		= "state",
		.family		= NFPROTO_IPV4,
		.match		= state_mt,
		.matchsize	= sizeof(struct xt_state_info),
		.checkentry	= state_mt_check,
		.destroy	= state_mt_destroy,
		.me		= THIS_MODULE,
	},
	{
		/* ip6tables (IPv6) */
		.name		= "state",
		.family		= NFPROTO_IPV6,
		.match		= state_mt,
		.matchsize	= sizeof(struct xt_state_info),
		.checkentry	= state_mt_check,
		.destroy	= state_mt_destroy,
		.me		= THIS_MODULE,
	},
};
  75
/*
 * Module entry point: register both "state" match variants (IPv4 and
 * IPv6) with x_tables in one call and propagate its result.
 */
static int __init state_mt_init(void)
{
	const unsigned int nr_matches = ARRAY_SIZE(state_mt_reg);

	return xt_register_matches(state_mt_reg, nr_matches);
}
  80
/*
 * Module exit: unregister exactly the entries state_mt_init registered.
 */
static void __exit state_mt_exit(void)
{
	const unsigned int nr_matches = ARRAY_SIZE(state_mt_reg);

	xt_unregister_matches(state_mt_reg, nr_matches);
}
  85
/* Wire the init/exit routines above to module load and unload. */
module_init(state_mt_init);
module_exit(state_mt_exit);
  88