1
2
3
4
5
6
7
8#include <linux/module.h>
9#include <linux/skbuff.h>
10#include <net/netfilter/nf_conntrack.h>
11#include <linux/netfilter/x_tables.h>
12#include <linux/netfilter/xt_state.h>
13
14MODULE_LICENSE("GPL");
15MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>");
16MODULE_DESCRIPTION("ip[6]_tables connection tracking state match module");
17MODULE_ALIAS("ipt_state");
18MODULE_ALIAS("ip6t_state");
19
20static bool
21state_mt(const struct sk_buff *skb, struct xt_action_param *par)
22{
23 const struct xt_state_info *sinfo = par->matchinfo;
24 enum ip_conntrack_info ctinfo;
25 unsigned int statebit;
26 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
27
28 if (ct)
29 statebit = XT_STATE_BIT(ctinfo);
30 else if (ctinfo == IP_CT_UNTRACKED)
31 statebit = XT_STATE_UNTRACKED;
32 else
33 statebit = XT_STATE_INVALID;
34
35 return (sinfo->statemask & statebit);
36}
37
38static int state_mt_check(const struct xt_mtchk_param *par)
39{
40 int ret;
41
42 ret = nf_ct_netns_get(par->net, par->family);
43 if (ret < 0)
44 pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
45 par->family);
46 return ret;
47}
48
49static void state_mt_destroy(const struct xt_mtdtor_param *par)
50{
51 nf_ct_netns_put(par->net, par->family);
52}
53
54static struct xt_match state_mt_reg __read_mostly = {
55 .name = "state",
56 .family = NFPROTO_UNSPEC,
57 .checkentry = state_mt_check,
58 .match = state_mt,
59 .destroy = state_mt_destroy,
60 .matchsize = sizeof(struct xt_state_info),
61 .me = THIS_MODULE,
62};
63
64static int __init state_mt_init(void)
65{
66 return xt_register_match(&state_mt_reg);
67}
68
69static void __exit state_mt_exit(void)
70{
71 xt_unregister_match(&state_mt_reg);
72}
73
74module_init(state_mt_init);
75module_exit(state_mt_exit);
76
