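--- a/userspace/iptables.8
+++ b/userspace/iptables.8
@@ -104,6 +104,11 @@
 (for altering packets as soon as they come in), OUTPUT (for altering
 locally-generated packets before routing), and POSTROUTING (for
 altering packets as they are about to go out).
+.BR "prestate"
+This table is consulted first as a packet enters the netfilter framework.
+It contains two built-in chains: PREROUTING (for selecting incoming
+packets) and OUTPUT (for selecting locally-generated packets). It can
+be used to force conntrack/NAT to ignore the selected packets.
 .TP
 .B "mangle"
 This table is used for specialized packet alteration. Until kernel
@@ -556,6 +561,13 @@
 meaning that the packet is starting a new connection, but is
 associated with an existing connection, such as an FTP data transfer,
 or an ICMP error.
+.B NONE
+meaning that the connection tracking code was forced to ignore the
+packet by the
+.B NOTRACK
+target of the
+.B prestate
+table and thus there is no state information available.
 .SS tos
 This module matches the 8 bits of Type of Service field in the IP
 header (ie. including the precedence bits).
@@ -812,6 +824,23 @@
 accumulates ten packets inside the kernel and transmits them as one
 netlink multipart message to userspace. Default is 1 (for backwards
 compatibility).
+.SS NOTRACK
+This target extension is built into the
+.B prestate
+table extension. It can be used to mark packets, so that those are
+ignored by the underlying conntrack module and the
+.B nat
+table. In consequence, those packets are not seen by the conntrack/NAT
+helpers and the state of their related packets (if those are not marked
+by
+.B
+NOTRACK
+as well) are
+.B
+INVALID
+(!) instead of
+.B
+RELATED.
 .SS TCPMSS
 This target allows to alter the MSS value of TCP SYN packets, to control
 the maximum size for that connection (usually limiting it to your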
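--- a/userspace/extensions/.NOTRACK-test
+++ b/userspace/extensions/.NOTRACK-test
@@ -0,0 +1,2 @@
+#! /bin/sh
+[ -n "`grep NFC_NOTRACK $KERNEL_DIR/include/linux/netfilter.h 2>/dev/null`" ] && echo NOTRACK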
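Review bot: `$KERNEL_DIR` is expanded unquoted in the grep on the second line, and when it is unset or empty the test silently looks at `/include/linux/netfilter.h`, so the NOTRACK extension is just dropped from the build with no message. Quoting the path and using grep's exit status is also cleaner than capturing output into a `[ -n ]` test: `grep -q NFC_NOTRACK "$KERNEL_DIR/include/linux/netfilter.h" 2>/dev/null && echo NOTRACK`. Whether the surrounding build already rejects an empty KERNEL_DIR is not visible here.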
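--- a/userspace/extensions/libipt_NOTRACK.c
+++ b/userspace/extensions/libipt_NOTRACK.c
@@ -0,0 +1,75 @@
+/* Shared library add-on to iptables for the NOTRACK target,
+ * the simplest target ever added to netfilter...
+ *
+ * (C) 2001 by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is distributed under the terms of GNU GPL
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <iptables.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+static void init(struct ipt_entry_target *t, unsigned int *nfcache)
+{
+}
+
+static void help(void)
+{
+ printf(
+"NOTRACK target\n" "No options\n"
+);
+}
+
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ipt_entry *entry,
+ struct ipt_entry_target **target)
+{
+ if (optarg)
+ exit_error(PARAMETER_PROBLEM,
+ "NOTRACK: You must not speficy an option");
+
+ if (check_inverse(optarg, &invert, NULL, 0))
+ exit_error(PARAMETER_PROBLEM,
+ "NOTRACK: unexpected `!'");
+
+ return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+}
+
+static void save(const struct ipt_ip *ip,
+ const struct ipt_entry_target *target)
+{
+}
+
+static void print(const struct ipt_ip *ip,
+ const struct ipt_entry_target *target, int numeric)
+{
+}
+
+static struct option opts[] = { };
+
+struct iptables_target NOTRACK = { NULL,
+ "NOTRACK",
+ NETFILTER_VERSION,
+ IPT_ALIGN(0),
+ IPT_ALIGN(0),
+ &help,
+ &init,
+ &parse,
+ &final_check,
+ &print,
+ &save,
+ opts
+};
+
+void _init(void)
+{
+ register_target(&NOTRACK);
+}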
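--- a/userspace/extensions/libipt_state.c
+++ b/userspace/extensions/libipt_state.c
@@ -43,6 +43,8 @@
 sinfo->statemask |= IPT_STATE_BIT(IP_CT_ESTABLISHED);
 else if (strncasecmp(state, "RELATED", strlen) == 0)
 sinfo->statemask |= IPT_STATE_BIT(IP_CT_RELATED);
+else if (strncasecmp(state, "NONE", strlen) == 0)
+sinfo->statemask |= IPT_STATE_NONE;
 else
 return 0;
 return 1;
@@ -116,6 +118,10 @@
 }
 if (statemask & IPT_STATE_BIT(IP_CT_ESTABLISHED)) {
 printf("%sESTABLISHED", sep);
+sep = ",";
+}
+if (statemask & IPT_STATE_NONE) {
+printf("%sNONE", sep);
 sep = ",";
 }
 printf(" ");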
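Review bot: The new `NONE` branch in the first hunk ORs `IPT_STATE_NONE` straight into `statemask`, while the neighbouring states go through `IPT_STATE_BIT()`; that is fine if the constant is already a mask bit outside the `IP_CT_*` index range, but it reads as an inconsistency, so a one-line comment such as `/* IPT_STATE_NONE is already a mask bit, not an IP_CT_* index */` would save the next reader a trip to the header. Note also that `.NOTRACK-test` gates only the NOTRACK target on `NFC_NOTRACK` being present in the kernel headers, while libipt_state.c now references `IPT_STATE_NONE` unconditionally, so against kernel headers without the prestate patch the state match itself presumably stops compiling; an `#ifdef IPT_STATE_NONE` around the two new branches, or a matching header test, would keep the existing match buildable. Both hunks sit inside functions whose start and end lie outside the diff.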
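--- a/userspace/libiptc/libip4tc.c
+++ b/userspace/libiptc/libip4tc.c
@@ -401,6 +401,19 @@
 assert(h->info.hook_entry[NF_IP_DROPPING] == 0);
 user_offset = 0;
 #endif
+} else if (strcmp(h->info.name, "prestate") == 0) {
+assert(h->info.valid_hooks
+== (1 << NF_IP_PRE_ROUTING
+| 1 << NF_IP_LOCAL_OUT));
+
+/* Hooks should be first two */
+assert(h->info.hook_entry[NF_IP_PRE_ROUTING] == 0);
+
+n = get_chain_end(h, 0);
+n += get_entry(h, n)->next_offset;
+assert(h->info.hook_entry[NF_IP_LOCAL_OUT] == n);
+
+user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT];
 } else {
 fprintf(stderr, "Unknown table `%s'\n", h->info.name);
 abort();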
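Review bot: The new `prestate` branch validates the table layout reported by the kernel only with `assert()`, so under `NDEBUG` a table whose `valid_hooks` differ or whose hooks are not in the assumed PRE_ROUTING-then-LOCAL_OUT order passes straight through to `user_offset = h->info.hook_entry[NF_IP_LOCAL_OUT]` without any check. This mirrors the existing branches above it, so it is a pre-existing pattern rather than a new defect, but the assumption deserves stating: replace the terse `/* Hooks should be first two */` with `/* Layout must match the kernel's prestate table: PREROUTING chain at offset 0, OUTPUT chain immediately after it */`. `n` and `user_offset` are declared outside the hunk, and the enclosing function's start and end lie outside the diff.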