/* This is a module which is used for setting up fake conntracks * on packets so that they are not seen by the conntrack/NAT code. */ #include <linux/module.h> #include <linux/skbuff.h> #include <linux/netfilter/x_tables.h> #include <net/netfilter/nf_conntrack.h> MODULE_DESCRIPTION("Xtables: Disabling connection tracking for packets"); MODULE_LICENSE("GPL"); MODULE_ALIAS("ipt_NOTRACK"); MODULE_ALIAS("ip6t_NOTRACK"); static unsigned int notrack_tg(struct sk_buff *skb, const struct xt_action_param *par) { /* Previously seen (loopback)? Ignore. */ if (skb->nfct != NULL) return XT_CONTINUE; /* Attach fake conntrack entry. If there is a real ct entry correspondig to this packet, it'll hang aroun till timing out. We don't deal with it for performance reasons. JK */ skb->nfct = &nf_ct_untracked_get()->ct_general; skb->nfctinfo = IP_CT_NEW; nf_conntrack_get(skb->nfct); return XT_CONTINUE; } static struct xt_target notrack_tg_reg __read_mostly = { .name = "NOTRACK", .revision = 0, .family = NFPROTO_UNSPEC, .target = notrack_tg, .table = "raw", .me = THIS_MODULE, }; static int __init notrack_tg_init(void) { return xt_register_target(¬rack_tg_reg); } static void __exit notrack_tg_exit(void) { xt_unregister_target(¬rack_tg_reg); } module_init(notrack_tg_init); module_exit(notrack_tg_exit);