On Mon, Sep 03, 2012 at 05:31:21PM +0200, Pablo Neira Ayuso wrote: > On Mon, Sep 03, 2012 at 03:57:53PM +0800, Cong Wang wrote: > > On Mon, Aug 27, 2012 at 4:04 AM, Jan Engelhardt <jengelh@xxxxxxx> wrote: > > > On Sunday 2012-08-26 12:42, Maciej Żenczykowski wrote: > > > > > >>Sounds like the old -t raw ... -j NOTRACK is replaced by -t raw ... -j > > >>CT --notrack. > > >>Will -j NOTRACK continue to work? Could it be added as an alias to CT? > > > > > > No, and, dunno. There are currently no provisions for aliasing in the > > > userspace side. > > > > So no objections from you, right? :) > > Applied, thanks. > > I think it can be possible to rewrite the iptables NOTRACK user-space > extension to use the CT target. Still I would need to check if some > more sophisticated aliasing can be possible. > > And iptables-save will show the CT target though, but that shouldn't > be a problem. I've made the following patch. It adds some simple aliasing to iptables. Now NOTRACK uses the CT target; it also prints a warning saying that NOTRACK has been deprecated.
diff --git a/extensions/libxt_NOTRACK.c b/extensions/libxt_NOTRACK.c
index ca58700..a6b66af 100644
--- a/extensions/libxt_NOTRACK.c
+++ b/extensions/libxt_NOTRACK.c
@@ -1,15 +1,78 @@
-/* Shared library add-on to iptables to add NOTRACK target support. */
+/*
+ * (C) 2012 by Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+/*
+ * Shared library add-on to iptables to add NOTRACK target support: This
+ * is an alias of the CT target, since it has been deprecated.
+ */
+
+#include <stdio.h>
 #include <xtables.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/xt_CT.h>
+
+static void ct_tg_init_v0(struct xt_entry_target *target)
+{
+ struct xt_ct_target_info *info = (void *)target->data;
+
+ fprintf(stderr, "warning: NOTRACK target is deprecated, "
+ "use CT target instead\n");
+ info->flags |= XT_CT_NOTRACK;
+}
+
+static void ct_tg_init_v1(struct xt_entry_target *target)
+{
+ struct xt_ct_target_info_v1 *info = (void *)target->data;
+
+ fprintf(stderr, "warning: NOTRACK target is deprecated, "
+ "use CT target instead\n");
+ info->flags |= XT_CT_NOTRACK;
+}
+
+static void
+ct_tg_print(const void *ip, const struct xt_entry_target *target, int numeric)
+{
+ printf(" CT notrack");
+}
+
+static void ct_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+ printf(" --notrack");
+}
-static struct xtables_target notrack_target = {
- .family = NFPROTO_UNSPEC,
- .name = "NOTRACK",
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(0),
- .userspacesize = XT_ALIGN(0),
+static struct xtables_target ct_tg_target_reg[] = {
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "NOTRACK",
+ .alias = "CT",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_ct_target_info)),
+ .userspacesize = offsetof(struct xt_ct_target_info, ct),
+ .print = ct_tg_print,
+ .save = ct_tg_save,
+ .init = ct_tg_init_v0,
+ },
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "NOTRACK",
+ .alias = "CT",
+ .revision = 1,
+ 
.version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)), + .userspacesize = offsetof(struct xt_ct_target_info_v1, ct), + .print = ct_tg_print, + .save = ct_tg_save, + .init = ct_tg_init_v1, + }, }; void _init(void) { - xtables_register_target(¬rack_target); + xtables_register_targets(ct_tg_target_reg, ARRAY_SIZE(ct_tg_target_reg)); } diff --git a/include/xtables.h.in b/include/xtables.h.in index db69c03..99a71a7 100644 --- a/include/xtables.h.in +++ b/include/xtables.h.in @@ -280,9 +280,11 @@ struct xtables_target struct xtables_target *next; - const char *name; + /* Real target behind this, if any. */ + const char *alias; + /* Revision of target (0 by default). */ u_int8_t revision; diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index b191d5d..cc708cd 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -1286,7 +1286,11 @@ static void command_jump(struct iptables_command_state *cs) cs->target->t = xtables_calloc(1, size); cs->target->t->u.target_size = size; - strcpy(cs->target->t->u.user.name, cs->jumpto); + if (cs->target->alias == NULL) + strcpy(cs->target->t->u.user.name, cs->jumpto); + else + strcpy(cs->target->t->u.user.name, cs->target->alias); + cs->target->t->u.user.revision = cs->target->revision; xs_init_target(cs->target); if (cs->target->x6_options != NULL) diff --git a/iptables/iptables.c b/iptables/iptables.c index 03ac63b..eb58b8c 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -1295,7 +1295,11 @@ static void command_jump(struct iptables_command_state *cs) cs->target->t = xtables_calloc(1, size); cs->target->t->u.target_size = size; - strcpy(cs->target->t->u.user.name, cs->jumpto); + if (cs->target->alias == NULL) + strcpy(cs->target->t->u.user.name, cs->jumpto); + else + strcpy(cs->target->t->u.user.name, cs->target->alias); + cs->target->t->u.user.revision = cs->target->revision; xs_init_target(cs->target);
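Review bot: The deprecation warning in ct_tg_init_v0/ct_tg_init_v1 is printed from the `.init` callback, so it fires once for every rule that instantiates the target and cannot be silenced; an iptables-restore of a ruleset with many `-j NOTRACK` rules will write it to stderr once per rule. A file-scope flag keeps it to once per process, e.g. `static bool warned;` and `if (!warned) { fprintf(stderr, "warning: NOTRACK target is deprecated, use CT target instead\n"); warned = true; }` in both init functions. The `.print`/`.save` callbacks also look unreachable in practice: the rule is submitted to the kernel under the alias name "CT" (see the command_jump change in this series), so listing and iptables-save will presumably dispatch to libxt_CT's handlers, as the cover letter itself anticipates; if that is confirmed, either drop them or mark them with `/* Rules are stored in the kernel as CT, so these are normally never called. */`. A `.help` callback stating that NOTRACK is an alias for `CT --notrack` would also serve users who run `iptables -j NOTRACK -h`, which currently prints nothing for this target.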
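Review bot: The new else branch copies `cs->target->alias` into the fixed-size `u.user.name` with an unbounded strcpy; `cs->jumpto` presumably passed the usual target-name length check before reaching command_jump, but an alias is a string set by extension authors that is never validated, so an over-long alias would silently overflow the name field. One bounded copy makes the limit explicit and removes the duplicated strcpy: `const char *name = cs->target->alias != NULL ? cs->target->alias : cs->jumpto;` followed by `snprintf(cs->target->t->u.user.name, sizeof(cs->target->t->u.user.name), "%s", name);`, or alternatively an `xtables_error(PARAMETER_PROBLEM, ...)` when `strlen(name) >= XT_EXTENSION_MAXNAMELEN`. Note also that `u.user.revision` is still taken from the NOTRACK entry, whose revision was (as far as this hunk shows) negotiated with the kernel under the registered name "NOTRACK" rather than the alias, so on a kernel that ships CT but no NOTRACK target the lookup may fail before this code runs; resolving the alias inside xtables_find_target would cover both the name and the revision in one place. The identical change in iptables.c suggests the name selection belongs in a small shared helper in xshared.c so the two copies cannot drift. command_jump starts and ends outside the hunk.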