1
2
3
4
5
6
7
8
9
10
11#include <linux/module.h>
12#include <linux/skbuff.h>
13#include <net/netfilter/nf_conntrack.h>
14#include <linux/netfilter/x_tables.h>
15#include <linux/netfilter/xt_state.h>
16
17MODULE_LICENSE("GPL");
18MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>");
19MODULE_DESCRIPTION("ip[6]_tables connection tracking state match module");
20MODULE_ALIAS("ipt_state");
21MODULE_ALIAS("ip6t_state");
22
23static bool
24state_mt(const struct sk_buff *skb, struct xt_action_param *par)
25{
26 const struct xt_state_info *sinfo = par->matchinfo;
27 enum ip_conntrack_info ctinfo;
28 unsigned int statebit;
29 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
30
31 if (!ct)
32 statebit = XT_STATE_INVALID;
33 else {
34 if (nf_ct_is_untracked(ct))
35 statebit = XT_STATE_UNTRACKED;
36 else
37 statebit = XT_STATE_BIT(ctinfo);
38 }
39 return (sinfo->statemask & statebit);
40}
41
42static int state_mt_check(const struct xt_mtchk_param *par)
43{
44 int ret;
45
46 ret = nf_ct_l3proto_try_module_get(par->family);
47 if (ret < 0)
48 pr_info("cannot load conntrack support for proto=%u\n",
49 par->family);
50 return ret;
51}
52
53static void state_mt_destroy(const struct xt_mtdtor_param *par)
54{
55 nf_ct_l3proto_module_put(par->family);
56}
57
58static struct xt_match state_mt_reg __read_mostly = {
59 .name = "state",
60 .family = NFPROTO_UNSPEC,
61 .checkentry = state_mt_check,
62 .match = state_mt,
63 .destroy = state_mt_destroy,
64 .matchsize = sizeof(struct xt_state_info),
65 .me = THIS_MODULE,
66};
67
68static int __init state_mt_init(void)
69{
70 return xt_register_match(&state_mt_reg);
71}
72
73static void __exit state_mt_exit(void)
74{
75 xt_unregister_match(&state_mt_reg);
76}
77
78module_init(state_mt_init);
79module_exit(state_mt_exit);
80
