* [Patch net-next] netfilter: remove xt_NOTRACK @ 2012-08-26 6:23 Cong Wang 2012-08-26 10:42 ` Maciej Żenczykowski 0 siblings, 1 reply; 15+ messages in thread From: Cong Wang @ 2012-08-26 6:23 UTC (permalink / raw) To: netfilter-devel Cc: Cong Wang, Pablo Neira Ayuso, Patrick McHardy, David S. Miller, netfilter From: Cong Wang <xiyou.wangcong@gmail.com> It was scheduled to be removed for a long time. Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Patrick McHardy <kaber@trash.net> Cc: "David S. Miller" <davem@davemloft.net> Cc: netfilter@vger.kernel.org Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> --- diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt index afaff31..b4aab82 100644 --- a/Documentation/feature-removal-schedule.txt +++ b/Documentation/feature-removal-schedule.txt @@ -353,14 +353,6 @@ Why: Internal alias support has been present in module-init-tools for some Who: Wey-Yi Guy <wey-yi.w.guy@intel.com> ---------------------------- - -What: xt_NOTRACK -Files: net/netfilter/xt_NOTRACK.c -When: April 2011 -Why: Superseded by xt_CT -Who: Netfilter developer team <netfilter-devel@vger.kernel.org> - ---------------------------- What: IRQF_DISABLED diff --git a/arch/m68k/configs/amiga_defconfig b/arch/m68k/configs/amiga_defconfig index e93fdae..90d3109 100644 --- a/arch/m68k/configs/amiga_defconfig +++ b/arch/m68k/configs/amiga_defconfig @@ -67,7 +67,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/m68k/configs/apollo_defconfig b/arch/m68k/configs/apollo_defconfig index 66b26c1..8f4f657 100644 --- a/arch/m68k/configs/apollo_defconfig +++ b/arch/m68k/configs/apollo_defconfig 
@@ -67,7 +67,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/m68k/configs/atari_defconfig b/arch/m68k/configs/atari_defconfig index 1513325..4571d33 100644 --- a/arch/m68k/configs/atari_defconfig +++ b/arch/m68k/configs/atari_defconfig @@ -65,7 +65,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/m68k/configs/bvme6000_defconfig b/arch/m68k/configs/bvme6000_defconfig index 67bb6fc..12f2117 100644 --- a/arch/m68k/configs/bvme6000_defconfig +++ b/arch/m68k/configs/bvme6000_defconfig @@ -65,7 +65,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/m68k/configs/hp300_defconfig b/arch/m68k/configs/hp300_defconfig index 3e35ce5..215389a 100644 --- a/arch/m68k/configs/hp300_defconfig +++ b/arch/m68k/configs/hp300_defconfig @@ -66,7 +66,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/m68k/configs/mac_defconfig b/arch/m68k/configs/mac_defconfig index ae81e2d..cb9dfb3 100644 --- a/arch/m68k/configs/mac_defconfig 
+++ b/arch/m68k/configs/mac_defconfig @@ -61,7 +61,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/m68k/configs/multi_defconfig b/arch/m68k/configs/multi_defconfig index 55d394e..8d5def4 100644 --- a/arch/m68k/configs/multi_defconfig +++ b/arch/m68k/configs/multi_defconfig @@ -80,7 +80,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/m68k/configs/mvme147_defconfig b/arch/m68k/configs/mvme147_defconfig index af77374..e2af46f 100644 --- a/arch/m68k/configs/mvme147_defconfig +++ b/arch/m68k/configs/mvme147_defconfig @@ -64,7 +64,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/m68k/configs/mvme16x_defconfig b/arch/m68k/configs/mvme16x_defconfig index cdb70d6..7c9402b 100644 --- a/arch/m68k/configs/mvme16x_defconfig +++ b/arch/m68k/configs/mvme16x_defconfig @@ -65,7 +65,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/m68k/configs/q40_defconfig b/arch/m68k/configs/q40_defconfig index 46bed78..19d23db 100644 
--- a/arch/m68k/configs/q40_defconfig +++ b/arch/m68k/configs/q40_defconfig @@ -61,7 +61,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/m68k/configs/sun3_defconfig b/arch/m68k/configs/sun3_defconfig index 86f7772..ca6c0b4 100644 --- a/arch/m68k/configs/sun3_defconfig +++ b/arch/m68k/configs/sun3_defconfig @@ -62,7 +62,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/m68k/configs/sun3x_defconfig b/arch/m68k/configs/sun3x_defconfig index 2882614..c80941c 100644 --- a/arch/m68k/configs/sun3x_defconfig +++ b/arch/m68k/configs/sun3x_defconfig @@ -62,7 +62,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/mips/configs/ar7_defconfig b/arch/mips/configs/ar7_defconfig index 6cd5a51..80e012f 100644 --- a/arch/mips/configs/ar7_defconfig +++ b/arch/mips/configs/ar7_defconfig @@ -56,7 +56,6 @@ CONFIG_NF_CONNTRACK_MARK=y CONFIG_NF_CONNTRACK_FTP=m CONFIG_NF_CONNTRACK_IRC=m CONFIG_NF_CONNTRACK_TFTP=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_MATCH_LIMIT=m CONFIG_NETFILTER_XT_MATCH_MAC=m diff --git a/arch/mips/configs/bcm47xx_defconfig b/arch/mips/configs/bcm47xx_defconfig index ad15fb1..b6fde2b 100644 --- a/arch/mips/configs/bcm47xx_defconfig 
+++ b/arch/mips/configs/bcm47xx_defconfig @@ -96,7 +96,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_SECMARK=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m diff --git a/arch/mips/configs/ip22_defconfig b/arch/mips/configs/ip22_defconfig index d160656..936ec5a 100644 --- a/arch/mips/configs/ip22_defconfig +++ b/arch/mips/configs/ip22_defconfig @@ -87,7 +87,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TPROXY=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_SECMARK=m diff --git a/arch/mips/configs/jazz_defconfig b/arch/mips/configs/jazz_defconfig index 92a60ae..0315ee3 100644 --- a/arch/mips/configs/jazz_defconfig +++ b/arch/mips/configs/jazz_defconfig @@ -60,7 +60,6 @@ CONFIG_NETFILTER_XT_TARGET_CONNMARK=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_SECMARK=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_MATCH_COMMENT=m diff --git a/arch/mips/configs/malta_defconfig b/arch/mips/configs/malta_defconfig index 5527abb..cd732e5 100644 --- a/arch/mips/configs/malta_defconfig +++ b/arch/mips/configs/malta_defconfig @@ -86,7 +86,6 @@ CONFIG_NETFILTER_XT_TARGET_CONNMARK=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TPROXY=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_SECMARK=m diff --git a/arch/mips/configs/markeins_defconfig b/arch/mips/configs/markeins_defconfig index 9c9a123..636f82b 100644 --- a/arch/mips/configs/markeins_defconfig 
+++ b/arch/mips/configs/markeins_defconfig @@ -59,7 +59,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_SECMARK=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_MATCH_COMMENT=m diff --git a/arch/mips/configs/nlm_xlp_defconfig b/arch/mips/configs/nlm_xlp_defconfig index 28c6b27..84624b1 100644 --- a/arch/mips/configs/nlm_xlp_defconfig +++ b/arch/mips/configs/nlm_xlp_defconfig @@ -108,7 +108,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TPROXY=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_SECMARK=m diff --git a/arch/mips/configs/nlm_xlr_defconfig b/arch/mips/configs/nlm_xlr_defconfig index 138f698..44b4734 100644 --- a/arch/mips/configs/nlm_xlr_defconfig +++ b/arch/mips/configs/nlm_xlr_defconfig @@ -109,7 +109,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TPROXY=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_SECMARK=m diff --git a/arch/mips/configs/rm200_defconfig b/arch/mips/configs/rm200_defconfig index 2c0230e..59d9d2f 100644 --- a/arch/mips/configs/rm200_defconfig +++ b/arch/mips/configs/rm200_defconfig @@ -68,7 +68,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_SECMARK=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_MATCH_COMMENT=m diff --git a/arch/powerpc/configs/pmac32_defconfig b/arch/powerpc/configs/pmac32_defconfig index f8b394a..29767a8 100644 
--- a/arch/powerpc/configs/pmac32_defconfig +++ b/arch/powerpc/configs/pmac32_defconfig @@ -55,7 +55,6 @@ CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m diff --git a/arch/powerpc/configs/ppc64_defconfig b/arch/powerpc/configs/ppc64_defconfig index db27c82..06b5624 100644 --- a/arch/powerpc/configs/ppc64_defconfig +++ b/arch/powerpc/configs/ppc64_defconfig @@ -92,7 +92,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TPROXY=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m diff --git a/arch/powerpc/configs/ppc64e_defconfig b/arch/powerpc/configs/ppc64e_defconfig index 7bd1763..f55c276 100644 --- a/arch/powerpc/configs/ppc64e_defconfig +++ b/arch/powerpc/configs/ppc64e_defconfig @@ -66,7 +66,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TPROXY=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m diff --git a/arch/powerpc/configs/ppc6xx_defconfig b/arch/powerpc/configs/ppc6xx_defconfig index c47f2be..be1cb6e 100644 --- a/arch/powerpc/configs/ppc6xx_defconfig +++ b/arch/powerpc/configs/ppc6xx_defconfig @@ -167,7 +167,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TPROXY=m CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_SECMARK=m 
diff --git a/arch/tile/configs/tilegx_defconfig b/arch/tile/configs/tilegx_defconfig index 0270620..8c5eff6 100644 --- a/arch/tile/configs/tilegx_defconfig +++ b/arch/tile/configs/tilegx_defconfig @@ -134,7 +134,6 @@ CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TEE=m CONFIG_NETFILTER_XT_TARGET_TPROXY=m CONFIG_NETFILTER_XT_TARGET_TRACE=m diff --git a/arch/tile/configs/tilepro_defconfig b/arch/tile/configs/tilepro_defconfig index c11de27..e7a3dfc 100644 --- a/arch/tile/configs/tilepro_defconfig +++ b/arch/tile/configs/tilepro_defconfig @@ -132,7 +132,6 @@ CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m CONFIG_NETFILTER_XT_TARGET_TEE=m CONFIG_NETFILTER_XT_TARGET_TPROXY=m CONFIG_NETFILTER_XT_TARGET_TRACE=m diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index c19b214..22ac60d 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -621,19 +621,6 @@ config NETFILTER_XT_TARGET_NFQUEUE To compile it as a module, choose M here. If unsure, say N. -config NETFILTER_XT_TARGET_NOTRACK - tristate '"NOTRACK" target support' - depends on IP_NF_RAW || IP6_NF_RAW - depends on NF_CONNTRACK - help - The NOTRACK target allows a select rule to specify - which packets *not* to enter the conntrack/NAT - subsystem with all the consequences (no ICMP error tracking, - no protocol helpers for the selected packets). - - If you want to compile it as a module, say M here and read - <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. - config NETFILTER_XT_TARGET_RATEEST tristate '"RATEEST" target support' depends on NETFILTER_ADVANCED diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 1c5160f..d0b13f9 100644 --- a/net/netfilter/Makefile 
+++ b/net/netfilter/Makefile @@ -67,7 +67,6 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o obj-$(CONFIG_NETFILTER_XT_TARGET_LOG) += xt_LOG.o obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o -obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o obj-$(CONFIG_NETFILTER_XT_TARGET_RATEEST) += xt_RATEEST.o obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c deleted file mode 100644 index 9d78218..0000000 --- a/net/netfilter/xt_NOTRACK.c +++ /dev/null 
@@ -1,53 +0,0 @@ -/* This is a module which is used for setting up fake conntracks - * on packets so that they are not seen by the conntrack/NAT code. - */ -#include <linux/module.h> -#include <linux/skbuff.h> - -#include <linux/netfilter/x_tables.h> -#include <net/netfilter/nf_conntrack.h> - -MODULE_DESCRIPTION("Xtables: Disabling connection tracking for packets"); -MODULE_LICENSE("GPL"); -MODULE_ALIAS("ipt_NOTRACK"); -MODULE_ALIAS("ip6t_NOTRACK"); - -static unsigned int -notrack_tg(struct sk_buff *skb, const struct xt_action_param *par) -{ - /* Previously seen (loopback)? Ignore. */ - if (skb->nfct != NULL) - return XT_CONTINUE; - - /* Attach fake conntrack entry. - If there is a real ct entry correspondig to this packet, - it'll hang aroun till timing out. We don't deal with it - for performance reasons. JK */ - skb->nfct = &nf_ct_untracked_get()->ct_general; - skb->nfctinfo = IP_CT_NEW; - nf_conntrack_get(skb->nfct); - - return XT_CONTINUE; -} - -static struct xt_target notrack_tg_reg __read_mostly = { - .name = "NOTRACK", - .revision = 0, - .family = NFPROTO_UNSPEC, - .target = notrack_tg, - .table = "raw", - .me = THIS_MODULE, -}; - -static int __init notrack_tg_init(void) -{ - return xt_register_target(¬rack_tg_reg); -} - -static void __exit notrack_tg_exit(void) -{ - xt_unregister_target(¬rack_tg_reg); -} - -module_init(notrack_tg_init); -module_exit(notrack_tg_exit); ^ permalink raw reply related [flat|nested] 15+ messages in thread
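Review bot: no replacement for the "NOTRACK" target name is registered once net/netfilter/xt_NOTRACK.c is deleted. The file carries the only registration visible in this patch (`.name = "NOTRACK"`, `.table = "raw"`) together with `MODULE_ALIAS("ipt_NOTRACK")` and `MODULE_ALIAS("ip6t_NOTRACK")`, and nothing is added in their place, so a ruleset that still uses `-j NOTRACK` in the raw table has no kernel target left to resolve to. Either register a compatibility target under the same name from the code that supersedes it (the removal-schedule entry names xt_CT) and carry the two aliases over, or state in the commit message that existing rules must be converted before upgrading. The one-line commit message should also name the replacement, since the removal-schedule entry that documented it is deleted in the same patch.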
* Re: [Patch net-next] netfilter: remove xt_NOTRACK 2012-08-26 6:23 [Patch net-next] netfilter: remove xt_NOTRACK Cong Wang @ 2012-08-26 10:42 ` Maciej Żenczykowski 2012-08-26 20:04 ` Jan Engelhardt 0 siblings, 1 reply; 15+ messages in thread From: Maciej Żenczykowski @ 2012-08-26 10:42 UTC (permalink / raw) To: Cong Wang Cc: netfilter-devel, Cong Wang, Pablo Neira Ayuso, Patrick McHardy, David S. Miller, netfilter Sounds like the old -t raw ... -j NOTRACK is replaced by -t raw ... -j CT --notrack. Will -j NOTRACK continue to work? Could it be added as an alias to CT? On Sat, Aug 25, 2012 at 11:23 PM, Cong Wang <amwang@redhat.com> wrote: > From: Cong Wang <xiyou.wangcong@gmail.com> > > It was scheduled to be removed for a long time. > > Cc: Pablo Neira Ayuso <pablo@netfilter.org> > Cc: Patrick McHardy <kaber@trash.net> > Cc: "David S. Miller" <davem@davemloft.net> > Cc: netfilter@vger.kernel.org > Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> > > --- > diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt > index afaff31..b4aab82 100644 > --- a/Documentation/feature-removal-schedule.txt > +++ b/Documentation/feature-removal-schedule.txt > @@ -353,14 +353,6 @@ Why: Internal alias support has been present in module-init-tools for some > > Who: Wey-Yi Guy <wey-yi.w.guy@intel.com> > > ---------------------------- > - > -What: xt_NOTRACK > -Files: net/netfilter/xt_NOTRACK.c > -When: April 2011 > -Why: Superseded by xt_CT > -Who: Netfilter developer team <netfilter-devel@vger.kernel.org> > - > ---------------------------- > > What: IRQF_DISABLED > diff --git a/arch/m68k/configs/amiga_defconfig b/arch/m68k/configs/amiga_defconfig > index e93fdae..90d3109 100644 > --- a/arch/m68k/configs/amiga_defconfig > +++ b/arch/m68k/configs/amiga_defconfig 
> @@ -67,7 +67,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m > diff --git a/arch/m68k/configs/apollo_defconfig b/arch/m68k/configs/apollo_defconfig > index 66b26c1..8f4f657 100644 > --- a/arch/m68k/configs/apollo_defconfig > +++ b/arch/m68k/configs/apollo_defconfig > @@ -67,7 +67,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m > diff --git a/arch/m68k/configs/atari_defconfig b/arch/m68k/configs/atari_defconfig > index 1513325..4571d33 100644 > --- a/arch/m68k/configs/atari_defconfig > +++ b/arch/m68k/configs/atari_defconfig > @@ -65,7 +65,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m > diff --git a/arch/m68k/configs/bvme6000_defconfig b/arch/m68k/configs/bvme6000_defconfig > index 67bb6fc..12f2117 100644 > --- a/arch/m68k/configs/bvme6000_defconfig > +++ b/arch/m68k/configs/bvme6000_defconfig > @@ -65,7 +65,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m 
> diff --git a/arch/m68k/configs/hp300_defconfig b/arch/m68k/configs/hp300_defconfig > index 3e35ce5..215389a 100644 > --- a/arch/m68k/configs/hp300_defconfig > +++ b/arch/m68k/configs/hp300_defconfig > @@ -66,7 +66,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m > diff --git a/arch/m68k/configs/mac_defconfig b/arch/m68k/configs/mac_defconfig > index ae81e2d..cb9dfb3 100644 > --- a/arch/m68k/configs/mac_defconfig > +++ b/arch/m68k/configs/mac_defconfig > @@ -61,7 +61,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m > diff --git a/arch/m68k/configs/multi_defconfig b/arch/m68k/configs/multi_defconfig > index 55d394e..8d5def4 100644 > --- a/arch/m68k/configs/multi_defconfig > +++ b/arch/m68k/configs/multi_defconfig > @@ -80,7 +80,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m > diff --git a/arch/m68k/configs/mvme147_defconfig b/arch/m68k/configs/mvme147_defconfig > index af77374..e2af46f 100644 > --- a/arch/m68k/configs/mvme147_defconfig > +++ b/arch/m68k/configs/mvme147_defconfig 
> @@ -64,7 +64,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m > diff --git a/arch/m68k/configs/mvme16x_defconfig b/arch/m68k/configs/mvme16x_defconfig > index cdb70d6..7c9402b 100644 > --- a/arch/m68k/configs/mvme16x_defconfig > +++ b/arch/m68k/configs/mvme16x_defconfig > @@ -65,7 +65,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m > diff --git a/arch/m68k/configs/q40_defconfig b/arch/m68k/configs/q40_defconfig > index 46bed78..19d23db 100644 > --- a/arch/m68k/configs/q40_defconfig > +++ b/arch/m68k/configs/q40_defconfig > @@ -61,7 +61,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m > diff --git a/arch/m68k/configs/sun3_defconfig b/arch/m68k/configs/sun3_defconfig > index 86f7772..ca6c0b4 100644 > --- a/arch/m68k/configs/sun3_defconfig > +++ b/arch/m68k/configs/sun3_defconfig > @@ -62,7 +62,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m 
> diff --git a/arch/m68k/configs/sun3x_defconfig b/arch/m68k/configs/sun3x_defconfig > index 2882614..c80941c 100644 > --- a/arch/m68k/configs/sun3x_defconfig > +++ b/arch/m68k/configs/sun3x_defconfig > @@ -62,7 +62,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m > diff --git a/arch/mips/configs/ar7_defconfig b/arch/mips/configs/ar7_defconfig > index 6cd5a51..80e012f 100644 > --- a/arch/mips/configs/ar7_defconfig > +++ b/arch/mips/configs/ar7_defconfig > @@ -56,7 +56,6 @@ CONFIG_NF_CONNTRACK_MARK=y > CONFIG_NF_CONNTRACK_FTP=m > CONFIG_NF_CONNTRACK_IRC=m > CONFIG_NF_CONNTRACK_TFTP=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_MATCH_LIMIT=m > CONFIG_NETFILTER_XT_MATCH_MAC=m > diff --git a/arch/mips/configs/bcm47xx_defconfig b/arch/mips/configs/bcm47xx_defconfig > index ad15fb1..b6fde2b 100644 > --- a/arch/mips/configs/bcm47xx_defconfig > +++ b/arch/mips/configs/bcm47xx_defconfig > @@ -96,7 +96,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_SECMARK=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > diff --git a/arch/mips/configs/ip22_defconfig b/arch/mips/configs/ip22_defconfig > index d160656..936ec5a 100644 > --- a/arch/mips/configs/ip22_defconfig > +++ b/arch/mips/configs/ip22_defconfig 
> @@ -87,7 +87,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TPROXY=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_SECMARK=m > diff --git a/arch/mips/configs/jazz_defconfig b/arch/mips/configs/jazz_defconfig > index 92a60ae..0315ee3 100644 > --- a/arch/mips/configs/jazz_defconfig > +++ b/arch/mips/configs/jazz_defconfig > @@ -60,7 +60,6 @@ CONFIG_NETFILTER_XT_TARGET_CONNMARK=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_SECMARK=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_MATCH_COMMENT=m > diff --git a/arch/mips/configs/malta_defconfig b/arch/mips/configs/malta_defconfig > index 5527abb..cd732e5 100644 > --- a/arch/mips/configs/malta_defconfig > +++ b/arch/mips/configs/malta_defconfig > @@ -86,7 +86,6 @@ CONFIG_NETFILTER_XT_TARGET_CONNMARK=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TPROXY=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_SECMARK=m > diff --git a/arch/mips/configs/markeins_defconfig b/arch/mips/configs/markeins_defconfig > index 9c9a123..636f82b 100644 > --- a/arch/mips/configs/markeins_defconfig > +++ b/arch/mips/configs/markeins_defconfig > @@ -59,7 +59,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_SECMARK=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_MATCH_COMMENT=m 
> diff --git a/arch/mips/configs/nlm_xlp_defconfig b/arch/mips/configs/nlm_xlp_defconfig > index 28c6b27..84624b1 100644 > --- a/arch/mips/configs/nlm_xlp_defconfig > +++ b/arch/mips/configs/nlm_xlp_defconfig > @@ -108,7 +108,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TPROXY=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_SECMARK=m > diff --git a/arch/mips/configs/nlm_xlr_defconfig b/arch/mips/configs/nlm_xlr_defconfig > index 138f698..44b4734 100644 > --- a/arch/mips/configs/nlm_xlr_defconfig > +++ b/arch/mips/configs/nlm_xlr_defconfig > @@ -109,7 +109,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TPROXY=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_SECMARK=m > diff --git a/arch/mips/configs/rm200_defconfig b/arch/mips/configs/rm200_defconfig > index 2c0230e..59d9d2f 100644 > --- a/arch/mips/configs/rm200_defconfig > +++ b/arch/mips/configs/rm200_defconfig > @@ -68,7 +68,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_SECMARK=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_MATCH_COMMENT=m > diff --git a/arch/powerpc/configs/pmac32_defconfig b/arch/powerpc/configs/pmac32_defconfig > index f8b394a..29767a8 100644 > --- a/arch/powerpc/configs/pmac32_defconfig > +++ b/arch/powerpc/configs/pmac32_defconfig 
> @@ -55,7 +55,6 @@ CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m > diff --git a/arch/powerpc/configs/ppc64_defconfig b/arch/powerpc/configs/ppc64_defconfig > index db27c82..06b5624 100644 > --- a/arch/powerpc/configs/ppc64_defconfig > +++ b/arch/powerpc/configs/ppc64_defconfig > @@ -92,7 +92,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TPROXY=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > diff --git a/arch/powerpc/configs/ppc64e_defconfig b/arch/powerpc/configs/ppc64e_defconfig > index 7bd1763..f55c276 100644 > --- a/arch/powerpc/configs/ppc64e_defconfig > +++ b/arch/powerpc/configs/ppc64e_defconfig > @@ -66,7 +66,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TPROXY=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_TCPMSS=m > diff --git a/arch/powerpc/configs/ppc6xx_defconfig b/arch/powerpc/configs/ppc6xx_defconfig > index c47f2be..be1cb6e 100644 > --- a/arch/powerpc/configs/ppc6xx_defconfig > +++ b/arch/powerpc/configs/ppc6xx_defconfig > @@ -167,7 +167,6 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TPROXY=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > CONFIG_NETFILTER_XT_TARGET_SECMARK=m 
> diff --git a/arch/tile/configs/tilegx_defconfig b/arch/tile/configs/tilegx_defconfig > index 0270620..8c5eff6 100644 > --- a/arch/tile/configs/tilegx_defconfig > +++ b/arch/tile/configs/tilegx_defconfig > @@ -134,7 +134,6 @@ CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TEE=m > CONFIG_NETFILTER_XT_TARGET_TPROXY=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > diff --git a/arch/tile/configs/tilepro_defconfig b/arch/tile/configs/tilepro_defconfig > index c11de27..e7a3dfc 100644 > --- a/arch/tile/configs/tilepro_defconfig > +++ b/arch/tile/configs/tilepro_defconfig > @@ -132,7 +132,6 @@ CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m > CONFIG_NETFILTER_XT_TARGET_MARK=m > CONFIG_NETFILTER_XT_TARGET_NFLOG=m > CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m > -CONFIG_NETFILTER_XT_TARGET_NOTRACK=m > CONFIG_NETFILTER_XT_TARGET_TEE=m > CONFIG_NETFILTER_XT_TARGET_TPROXY=m > CONFIG_NETFILTER_XT_TARGET_TRACE=m > diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig > index c19b214..22ac60d 100644 > --- a/net/netfilter/Kconfig > +++ b/net/netfilter/Kconfig > @@ -621,19 +621,6 @@ config NETFILTER_XT_TARGET_NFQUEUE > > To compile it as a module, choose M here. If unsure, say N. > > -config NETFILTER_XT_TARGET_NOTRACK > - tristate '"NOTRACK" target support' > - depends on IP_NF_RAW || IP6_NF_RAW > - depends on NF_CONNTRACK > - help > - The NOTRACK target allows a select rule to specify > - which packets *not* to enter the conntrack/NAT > - subsystem with all the consequences (no ICMP error tracking, > - no protocol helpers for the selected packets). > - > - If you want to compile it as a module, say M here and read > - <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. > - > config NETFILTER_XT_TARGET_RATEEST > tristate '"RATEEST" target support' > depends on NETFILTER_ADVANCED 
> diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile > index 1c5160f..d0b13f9 100644 > --- a/net/netfilter/Makefile > +++ b/net/netfilter/Makefile > @@ -67,7 +67,6 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o > obj-$(CONFIG_NETFILTER_XT_TARGET_LOG) += xt_LOG.o > obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o > obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o > -obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o > obj-$(CONFIG_NETFILTER_XT_TARGET_RATEEST) += xt_RATEEST.o > obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o > obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o > diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c > deleted file mode 100644 > index 9d78218..0000000 > --- a/net/netfilter/xt_NOTRACK.c > +++ /dev/null 
> @@ -1,53 +0,0 @@ > -/* This is a module which is used for setting up fake conntracks > - * on packets so that they are not seen by the conntrack/NAT code. > - */ > -#include <linux/module.h> > -#include <linux/skbuff.h> > - > -#include <linux/netfilter/x_tables.h> > -#include <net/netfilter/nf_conntrack.h> > - > -MODULE_DESCRIPTION("Xtables: Disabling connection tracking for packets"); > -MODULE_LICENSE("GPL"); > -MODULE_ALIAS("ipt_NOTRACK"); > -MODULE_ALIAS("ip6t_NOTRACK"); > - > -static unsigned int > -notrack_tg(struct sk_buff *skb, const struct xt_action_param *par) > -{ > - /* Previously seen (loopback)? Ignore. */ > - if (skb->nfct != NULL) > - return XT_CONTINUE; > - > - /* Attach fake conntrack entry. > - If there is a real ct entry correspondig to this packet, > - it'll hang aroun till timing out. We don't deal with it > - for performance reasons. JK */ > - skb->nfct = &nf_ct_untracked_get()->ct_general; > - skb->nfctinfo = IP_CT_NEW; > - nf_conntrack_get(skb->nfct); > - > - return XT_CONTINUE; > -} > - > -static struct xt_target notrack_tg_reg __read_mostly = { > - .name = "NOTRACK", > - .revision = 0, > - .family = NFPROTO_UNSPEC, > - .target = notrack_tg, > - .table = "raw", > - .me = THIS_MODULE, > -}; > - > -static int __init notrack_tg_init(void) > -{ > - return xt_register_target(¬rack_tg_reg); > -} > - > -static void __exit notrack_tg_exit(void) > -{ > - xt_unregister_target(¬rack_tg_reg); > -} > - > -module_init(notrack_tg_init); > -module_exit(notrack_tg_exit); > -- > To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 15+ messages in thread
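Review bot: The defconfig hunks drop CONFIG_NETFILTER_XT_TARGET_NOTRACK=m without adding or showing a CONFIG_NETFILTER_XT_TARGET_CT line, and in the pmac32_defconfig hunk the target list runs from CLASSIFY straight to MARK, so as far as the visible context shows that configuration is left with no target that exempts traffic from conntrack. Either enable the CT target in the defconfigs that lose NOTRACK or say in the commit message that they are intentionally left without one. The deleted xt_NOTRACK.c also registered the name "NOTRACK" for the raw table with the ipt_NOTRACK and ip6t_NOTRACK module aliases, and nothing in this patch re-registers that name, so the commit message should state that rules using -j NOTRACK stop loading and must become -j CT --notrack.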
* Re: [Patch net-next] netfilter: remove xt_NOTRACK
From: Jan Engelhardt @ 2012-08-26 20:04 UTC
To: Maciej Żenczykowski
Cc: Cong Wang, netfilter-devel, Cong Wang, Pablo Neira Ayuso, Patrick McHardy, David S. Miller, netfilter

On Sunday 2012-08-26 12:42, Maciej Żenczykowski wrote:

>Sounds like the old -t raw ... -j NOTRACK is replaced by -t raw ... -j
>CT --notrack.
>Will -j NOTRACK continue to work? Could it be added as an alias to CT?

No, and, dunno. There are currently no provisions for aliasing in the
userspace side.
* Re: [Patch net-next] netfilter: remove xt_NOTRACK
From: Cong Wang @ 2012-09-03 7:57 UTC
To: Jan Engelhardt
Cc: Maciej Żenczykowski, Cong Wang, netfilter-devel, Pablo Neira Ayuso, Patrick McHardy, David S. Miller, netfilter

On Mon, Aug 27, 2012 at 4:04 AM, Jan Engelhardt <jengelh@inai.de> wrote:
> On Sunday 2012-08-26 12:42, Maciej Żenczykowski wrote:
>
>>Sounds like the old -t raw ... -j NOTRACK is replaced by -t raw ... -j
>>CT --notrack.
>>Will -j NOTRACK continue to work? Could it be added as an alias to CT?
>
> No, and, dunno. There are currently no provisions for aliasing in the
> userspace side.

So no objections from you, right? :)
* Re: [Patch net-next] netfilter: remove xt_NOTRACK
From: Oliver @ 2012-09-03 8:33 UTC
To: Cong Wang
Cc: netfilter-devel

On Monday 03 September 2012 15:57:53 you wrote:
> So no objections from you, right? :)

Meanwhile, -m state lives on.

In all honesty, if you're going to obliterate things like this, it's arguably
only fair to also implement something in your userland tools to catch the
change, throw a deprecated warning and appropriately modify it to use CT
instead.

I would argue the same for those who wish to see the death of -m state (myself
included)

Regards,
Oliver
* Re: [Patch net-next] netfilter: remove xt_NOTRACK
From: Maciej Żenczykowski @ 2012-09-03 11:50 UTC
To: Oliver
Cc: Cong Wang, netfilter-devel

I'm not a huge fan of changing userspace visible API...
Deleting this doesn't seem to gain much.
If anything I'd add this into the CT code as just one more thing it registers.

That said, I don't really have a vote here, and don't really want to
do the work...
And cleanup is really good...
OTOH, this cleanup doesn't really help much - it is pretty much
entirely self contained.

(I don't see a clean way to maintain backward compatibility in the
userspace tool... it's easy enough to convert to CT on load, but how
do you know what to print it out as afterwards? Do you just print as
the new format?)

On Mon, Sep 3, 2012 at 1:33 AM, Oliver <olipro@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> wrote:
> On Monday 03 September 2012 15:57:53 you wrote:
>> So no objections from you, right? :)
>
> Meanwhile, -m state lives on.
>
> In all honesty, if you're going to obliterate things like this, it's arguably
> only fair to also implement something in your userland tools to catch the
> change, throw a deprecated warning and appropriately modify it to use CT
> instead.
>
> I would argue the same for those who wish to see the death of -m state (myself
> included)
>
> Regards,
> Oliver
* Re: [Patch net-next] netfilter: remove xt_NOTRACK
From: Pablo Neira Ayuso @ 2012-09-03 15:31 UTC
To: Cong Wang
Cc: Jan Engelhardt, Maciej Żenczykowski, Cong Wang, netfilter-devel, Patrick McHardy, David S. Miller, netfilter

On Mon, Sep 03, 2012 at 03:57:53PM +0800, Cong Wang wrote:
> On Mon, Aug 27, 2012 at 4:04 AM, Jan Engelhardt <jengelh@inai.de> wrote:
> > On Sunday 2012-08-26 12:42, Maciej Żenczykowski wrote:
> >
> >>Sounds like the old -t raw ... -j NOTRACK is replaced by -t raw ... -j
> >>CT --notrack.
> >>Will -j NOTRACK continue to work? Could it be added as an alias to CT?
> >
> > No, and, dunno. There are currently no provisions for aliasing in the
> > userspace side.
>
> So no objections from you, right? :)

Applied, thanks.

I think it can be possible to rewrite the iptables NOTRACK user-space
extension to use the CT target. Still I would need to check if some
more sophisticated aliasing can be possible.

And iptables-save will show the CT target though, but that shouldn't
be a problem.
* Re: [Patch net-next] netfilter: remove xt_NOTRACK 2012-09-03 15:31 ` Pablo Neira Ayuso @ 2012-09-03 19:24 ` Pablo Neira Ayuso 2012-09-04 0:14 ` Maciej Żenczykowski 0 siblings, 1 reply; 15+ messages in thread From: Pablo Neira Ayuso @ 2012-09-03 19:24 UTC (permalink / raw) To: Cong Wang Cc: Jan Engelhardt, Maciej Żenczykowski, Cong Wang, netfilter-devel, Patrick McHardy, David S. Miller, netfilter [-- Attachment #1: Type: text/plain, Size: 1067 bytes --] On Mon, Sep 03, 2012 at 05:31:21PM +0200, Pablo Neira Ayuso wrote: > On Mon, Sep 03, 2012 at 03:57:53PM +0800, Cong Wang wrote: > > On Mon, Aug 27, 2012 at 4:04 AM, Jan Engelhardt <jengelh@inai.de> wrote: > > > On Sunday 2012-08-26 12:42, Maciej Żenczykowski wrote: > > > > > >>Sounds like the old -t raw ... -j NOTRACK is replaced by -t raw ... -j > > >>CT --notrack. > > >>Will -j NOTRACK continue to work? Could it be added as an alias to CT? > > > > > > No, and, dunno. There are currently no provisions for aliasing in the > > > userspace side. > > > > So no objections from you, right? :) > > Applied, thanks. > > I think it can be possible to rewrite the iptables NOTRACK user-space > extension to use the CT target. Still I would need to check if some > more sophisticated aliasing can be possible. > > And iptables-save will show the CT target though, but that shouldn't > be a problem. I've made the following patch. It adds some simple aliasing to iptables. Now NOTRACK uses the CT target, it also spots a warning telling that it's been deprecated. [-- Attachment #2: alias.patch --] [-- Type: text/x-diff, Size: 4176 bytes --] diff --git a/extensions/libxt_NOTRACK.c b/extensions/libxt_NOTRACK.c index ca58700..a6b66af 100644 --- a/extensions/libxt_NOTRACK.c +++ b/extensions/libxt_NOTRACK.c 
@@ -1,15 +1,78 @@ -/* Shared library add-on to iptables to add NOTRACK target support. */ +/* + * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +/* + * Shared library add-on to iptables to add NOTRACK target support: This + * is an alias of the CT target, since it has been deprecated. + */ + +#include <stdio.h> #include <xtables.h> +#include <linux/netfilter/nf_conntrack_common.h> +#include <linux/netfilter/xt_CT.h> + +static void ct_tg_init_v0(struct xt_entry_target *target) +{ + struct xt_ct_target_info *info = (void *)target->data; + + fprintf(stderr, "warning: NOTRACK target is deprecated, " + "use CT target instead\n"); + info->flags |= XT_CT_NOTRACK; +} + +static void ct_tg_init_v1(struct xt_entry_target *target) +{ + struct xt_ct_target_info_v1 *info = (void *)target->data; + + fprintf(stderr, "warning: NOTRACK target is deprecated, " + "use CT target instead\n"); + info->flags |= XT_CT_NOTRACK; +} + +static void +ct_tg_print(const void *ip, const struct xt_entry_target *target, int numeric) +{ + printf(" CT notrack"); +} + +static void ct_tg_save(const void *ip, const struct xt_entry_target *target) +{ + printf(" --notrack"); +} -static struct xtables_target notrack_target = { - .family = NFPROTO_UNSPEC, - .name = "NOTRACK", - .version = XTABLES_VERSION, - .size = XT_ALIGN(0), - .userspacesize = XT_ALIGN(0), +static struct xtables_target ct_tg_target_reg[] = { + { + .family = NFPROTO_UNSPEC, + .name = "NOTRACK", + .alias = "CT", + .revision = 0, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_ct_target_info)), + .userspacesize = offsetof(struct xt_ct_target_info, ct), + .print = ct_tg_print, + .save = ct_tg_save, + .init = ct_tg_init_v0, + }, + { + .family = NFPROTO_UNSPEC, + .name = "NOTRACK", + .alias = "CT", + .revision = 1, + 
.version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)), + .userspacesize = offsetof(struct xt_ct_target_info_v1, ct), + .print = ct_tg_print, + .save = ct_tg_save, + .init = ct_tg_init_v1, + }, }; void _init(void) { - xtables_register_target(¬rack_target); + xtables_register_targets(ct_tg_target_reg, ARRAY_SIZE(ct_tg_target_reg)); } diff --git a/include/xtables.h.in b/include/xtables.h.in index db69c03..99a71a7 100644 --- a/include/xtables.h.in +++ b/include/xtables.h.in @@ -280,9 +280,11 @@ struct xtables_target struct xtables_target *next; - const char *name; + /* Real target behind this, if any. */ + const char *alias; + /* Revision of target (0 by default). */ u_int8_t revision; diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index b191d5d..cc708cd 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -1286,7 +1286,11 @@ static void command_jump(struct iptables_command_state *cs) cs->target->t = xtables_calloc(1, size); cs->target->t->u.target_size = size; - strcpy(cs->target->t->u.user.name, cs->jumpto); + if (cs->target->alias == NULL) + strcpy(cs->target->t->u.user.name, cs->jumpto); + else + strcpy(cs->target->t->u.user.name, cs->target->alias); + cs->target->t->u.user.revision = cs->target->revision; xs_init_target(cs->target); if (cs->target->x6_options != NULL) diff --git a/iptables/iptables.c b/iptables/iptables.c index 03ac63b..eb58b8c 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -1295,7 +1295,11 @@ static void command_jump(struct iptables_command_state *cs) cs->target->t = xtables_calloc(1, size); cs->target->t->u.target_size = size; - strcpy(cs->target->t->u.user.name, cs->jumpto); + if (cs->target->alias == NULL) + strcpy(cs->target->t->u.user.name, cs->jumpto); + else + strcpy(cs->target->t->u.user.name, cs->target->alias); + cs->target->t->u.user.revision = cs->target->revision; xs_init_target(cs->target); ^ permalink raw reply related [flat|nested] 15+ messages in thread
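Review bot: The include/xtables.h.in hunk inserts `const char *alias;` in the middle of struct xtables_target, ahead of revision, which changes the layout of a structure shared with every compiled extension, yet nothing in this patch bumps the libxtables version; the version bump belongs in the same patch. In libxt_NOTRACK.c both entries keep .name = "NOTRACK" with revisions 0 and 1 and libxtables itself is not touched, so only the name copied in command_jump() switches to the alias while any revision check keyed on .name still refers to NOTRACK; the alias should be applied there too. The two init functions differ only in the struct type they cast to and each print the deprecation warning, which would be easier to keep consistent as a single message emitted where the alias is resolved.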
* Re: [Patch net-next] netfilter: remove xt_NOTRACK 2012-09-03 19:24 ` Pablo Neira Ayuso @ 2012-09-04 0:14 ` Maciej Żenczykowski 2012-09-04 3:57 ` Jan Engelhardt 0 siblings, 1 reply; 15+ messages in thread From: Maciej Żenczykowski @ 2012-09-04 0:14 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: Cong Wang, Jan Engelhardt, Cong Wang, netfilter-devel, Patrick McHardy, David S. Miller, netfilter +<----->if (cs->target->alias == NULL)^M +<-----><------>strcpy(cs->target->t->u.user.name, cs->jumpto);^M +<----->else^M +<-----><------>strcpy(cs->target->t->u.user.name, cs->target->alias);^M I'd have probably written if (cs->target->alias) copy(alias) else copy(jumpto) doesn't this all really belong in the CT files now? ie. libxt_CT.c not libxt_NOTRACK.c Either way, LGTM. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [Patch net-next] netfilter: remove xt_NOTRACK 2012-09-04 0:14 ` Maciej Żenczykowski @ 2012-09-04 3:57 ` Jan Engelhardt 2012-09-04 5:29 ` Maciej Żenczykowski 2012-09-04 13:58 ` Pablo Neira Ayuso 0 siblings, 2 replies; 15+ messages in thread From: Jan Engelhardt @ 2012-09-04 3:57 UTC (permalink / raw) To: Maciej Żenczykowski Cc: Pablo Neira Ayuso, Cong Wang, Cong Wang, netfilter-devel, Patrick McHardy, David S. Miller, netfilter On Tuesday 2012-09-04 02:14, Maciej Żenczykowski wrote: >+<----->if (cs->target->alias == NULL)^M >+<-----><------>strcpy(cs->target->t->u.user.name, cs->jumpto);^M >+<----->else^M >+<-----><------>strcpy(cs->target->t->u.user.name, cs->target->alias);^M > >I'd have probably written if (cs->target->alias) copy(alias) else copy(jumpto) > >doesn't this all really belong in the CT files now? >ie. libxt_CT.c not libxt_NOTRACK.c I think so too. Furthermore, I have refined Pablo's patch. 0. vcurrent was not updated, now done. 1. Loading libxt_NOTRACK.so would still ask the kernel for NOTRACK.0 (function "compatible_revision"), now addressed. 2. NOTRACK.0 can now directly map to CT.1, instead of going through CT.0. 3. Do away with libxt_NOTRACK.c, and resolve the dlopen call by providing a symlink. Not solved: 4. Since NOTRACK now always maps to CT, "-j NOTRACK" has become unusable on sufficiently old kernels. Should we even bother? [ Agglomeration of two patches in git://git.inai.de/iptables master ] diff --git a/configure.ac b/configure.ac index 861f5b3..a45d9ab 100644 --- a/configure.ac +++ b/configure.ac @@ -2,8 +2,8 @@ AC_INIT([iptables], [1.4.15]) # See libtool.info "Libtool's versioning system" -libxtables_vcurrent=8 -libxtables_vage=1 +libxtables_vcurrent=9 +libxtables_vage=0 AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_HEADERS([config.h]) diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in index 218dc3a..92ac63d 100644 --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in 
@@ -39,6 +39,7 @@ endif # Wildcard module list # pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c))) +pfx_build_mod += NOTRACK @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c))) @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c))) pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod}) @@ -100,6 +101,8 @@ lib%.oo: ${srcdir}/lib%.c xt_RATEEST_LIBADD = -lm xt_statistic_LIBADD = -lm +libxt_NOTRACK.so: libxt_CT.so + ln -s $< $@ # # Static bits diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c index 27a20e2..8012a59 100644 --- a/extensions/libxt_CT.c +++ b/extensions/libxt_CT.c @@ -248,6 +248,13 @@ static void ct_save_v1(const void *ip, const struct xt_entry_target *target) printf(" --zone %u", info->zone); } +static void notrack_tg_init(struct xt_entry_target *target) +{ + struct xt_ct_target_info_v1 *info = (void *)target->data; + + info->flags |= XT_CT_NOTRACK; +} + static struct xtables_target ct_target_reg[] = { { .family = NFPROTO_UNSPEC, @@ -274,6 +281,19 @@ static struct xtables_target ct_target_reg[] = { .x6_parse = ct_parse_v1, .x6_options = ct_opts_v1, }, + { + .family = NFPROTO_UNSPEC, + .name = "NOTRACK", + .revision = 0, + .real_name = "CT", + .real_rev = 1, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)), + .userspacesize = offsetof(struct xt_ct_target_info_v1, ct), + .print = ct_print_v1, + .save = ct_save_v1, + .init = notrack_tg_init, + }, }; void _init(void) diff --git a/extensions/libxt_NOTRACK.c b/extensions/libxt_NOTRACK.c deleted file mode 100644 index ca58700..0000000 --- a/extensions/libxt_NOTRACK.c +++ /dev/null 
@@ -1,15 +0,0 @@ -/* Shared library add-on to iptables to add NOTRACK target support. */ -#include <xtables.h> - -static struct xtables_target notrack_target = { - .family = NFPROTO_UNSPEC, - .name = "NOTRACK", - .version = XTABLES_VERSION, - .size = XT_ALIGN(0), - .userspacesize = XT_ALIGN(0), -}; - -void _init(void) -{ - xtables_register_target(¬rack_target); -} diff --git a/include/xtables.h.in b/include/xtables.h.in index db69c03..7993414 100644 --- a/include/xtables.h.in +++ b/include/xtables.h.in @@ -280,11 +280,13 @@ struct xtables_target struct xtables_target *next; - const char *name; + /* Real target behind this, if any. */ + const char *real_name; + /* Revision of target (0 by default). */ - u_int8_t revision; + u_int8_t revision, real_rev; u_int16_t family; diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index b191d5d..f0ebe15 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -1286,8 +1286,17 @@ static void command_jump(struct iptables_command_state *cs) cs->target->t = xtables_calloc(1, size); cs->target->t->u.target_size = size; - strcpy(cs->target->t->u.user.name, cs->jumpto); - cs->target->t->u.user.revision = cs->target->revision; + if (cs->target->real_name == NULL) { + strcpy(cs->target->t->u.user.name, cs->jumpto); + cs->target->t->u.user.revision = cs->target->revision; + } else { + strcpy(cs->target->t->u.user.name, cs->target->real_name); + cs->target->t->u.user.revision = cs->target->real_rev; + fprintf(stderr, "WARNING: The %s target is obsolete. " + "Use %s instead.\n", + cs->jumpto, cs->target->real_name); + } + xs_init_target(cs->target); if (cs->target->x6_options != NULL) opts = xtables_options_xfrm(ip6tables_globals.orig_opts, opts, diff --git a/iptables/iptables.c b/iptables/iptables.c index 03ac63b..5d8698d 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c 
@@ -1295,8 +1295,18 @@ static void command_jump(struct iptables_command_state *cs) cs->target->t = xtables_calloc(1, size); cs->target->t->u.target_size = size; - strcpy(cs->target->t->u.user.name, cs->jumpto); - cs->target->t->u.user.revision = cs->target->revision; + if (cs->target->real_name == NULL) { + strcpy(cs->target->t->u.user.name, cs->jumpto); + cs->target->t->u.user.revision = cs->target->revision; + } else { + /* Alias support for userspace side */ + strcpy(cs->target->t->u.user.name, cs->target->real_name); + cs->target->t->u.user.revision = cs->target->real_rev; + fprintf(stderr, "WARNING: The %s target is obsolete. " + "Use %s instead.\n", + cs->jumpto, cs->target->real_name); + } + xs_init_target(cs->target); if (cs->target->x6_options != NULL) diff --git a/libxtables/xtables.c b/libxtables/xtables.c index d818579..4758ddc 100644 --- a/libxtables/xtables.c +++ b/libxtables/xtables.c @@ -944,6 +944,10 @@ void xtables_register_target(struct xtables_target *me) xt_params->program_name, me->name); exit(1); } + if (me->real_name == NULL) { + me->real_name = me->name; + me->real_rev = me->revision; + } if (me->x6_options != NULL) xtables_option_metavalidate(me->name, me->x6_options); 
@@ -976,16 +980,16 @@ static void xtables_fully_register_pending_target(struct xtables_target *me) } /* Now we have two (or more) options, check compatibility. */ - if (compatible_target_revision(old->name, old->revision) - && old->revision > me->revision) + if (compatible_target_revision(old->real_name, old->real_rev) + && old->real_rev > me->real_rev) return; /* See if new target can be used. */ - if (!compatible_target_revision(me->name, me->revision)) + if (!compatible_target_revision(me->real_name, me->real_rev)) return; /* Prefer !AF_UNSPEC over AF_UNSPEC for same revision. */ - if (old->revision == me->revision && me->family == AF_UNSPEC) + if (old->real_rev == me->real_rev && me->family == AF_UNSPEC) return; /* Delete old one. */ -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 15+ messages in thread
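Review bot: In the libxtables/xtables.c hunk, xtables_register_target() now sets me->real_name = me->name whenever real_name is NULL, so by the time command_jump() runs in iptables.c and ip6tables.c the `cs->target->real_name == NULL` branch can no longer be taken for a registered target; as far as these hunks show, the "WARNING: The %s target is obsolete" message would then be printed for every -j, with the same name in both positions. Either warn only when real_name differs from the name the user typed, or leave real_name NULL for non-aliases and fall back to name inside the revision checks. In extensions/GNUmakefile.in the `ln -s $< $@` rule fails if the link is already present; `ln -fs` makes it safe to re-run.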
* Re: [Patch net-next] netfilter: remove xt_NOTRACK
From: Maciej Żenczykowski @ 2012-09-04 5:29 UTC
To: Jan Engelhardt
Cc: Pablo Neira Ayuso, Cong Wang, Cong Wang, netfilter-devel, Patrick McHardy, David S. Miller, netfilter

> I think so too.
> Furthermore, I have refined Pablo's patch.
>
> 0. vcurrent was not updated, now done.
> 1. Loading libxt_NOTRACK.so would still ask the kernel for NOTRACK.0
> (function "compatible_revision"), now addressed.
> 2. NOTRACK.0 can now directly map to CT.1, instead of going through CT.0.
> 3. Do away with libxt_NOTRACK.c, and resolve the dlopen call by
> providing a symlink.

Nice.

> Not solved:
> 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
> has become unusable on sufficiently old kernels.
> Should we even bother?

Yes, we must, otherwise distros can't upgrade to latest iptables
without either patching or upgrading kernel.
It's really nice that the two aren't that tightly coupled.

Unless by old kernels you mean pre-RHEL5 kernels.
* Re: [Patch net-next] netfilter: remove xt_NOTRACK
From: Pablo Neira Ayuso @ 2012-09-04 8:58 UTC
To: Maciej Żenczykowski
Cc: Jan Engelhardt, Cong Wang, Cong Wang, netfilter-devel, Patrick McHardy, David S. Miller, netfilter

On Mon, Sep 03, 2012 at 10:29:40PM -0700, Maciej Żenczykowski wrote:
[...]
> > Not solved:
> > 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
> > has become unusable on sufficiently old kernels.
> > Should we even bother?
>
> Yes, we must, otherwise distros can't upgrade to latest iptables
> without either patching or upgrading kernel.

Why not? They will upgrade and they will start using the CT target
sooner than any other, which seems good to me.
* Re: [Patch net-next] netfilter: remove xt_NOTRACK
From: Jan Engelhardt @ 2012-09-04 15:15 UTC
To: Pablo Neira Ayuso
Cc: Maciej Żenczykowski, Cong Wang, Cong Wang, netfilter-devel, Patrick McHardy, David S. Miller, netfilter

On Tuesday 2012-09-04 10:58, Pablo Neira Ayuso wrote:

>On Mon, Sep 03, 2012 at 10:29:40PM -0700, Maciej Żenczykowski wrote:
>[...]
>> > Not solved:
>> > 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
>> > has become unusable on sufficiently old kernels.
>> > Should we even bother?
>>
>> Yes, we must, otherwise distros can't upgrade to latest iptables
>> without either patching or upgrading kernel.
>
>Why not? They will upgrade and they will start using the CT target
>sooner than any other, which seems good to me.
>
>We also need to add support for real_rev 0 of the CT target. Just to
>make sure that we don't break with old kernels.

Right; but is that not what might be described as "hypocritic"?
Even after adding support for CT.0, people still need >= 2.6.34.
Where is the non-breakage for them?

(I can't say I feel /too/ bad for the RHEL folks stuck with their
ancient 2.6.32 :-P )
(And don't tell me about backports, because in general, they don't
do that for NF.)
* Re: [Patch net-next] netfilter: remove xt_NOTRACK
From: Pablo Neira Ayuso @ 2012-09-04 15:58 UTC
To: Jan Engelhardt
Cc: Maciej Żenczykowski, Cong Wang, Cong Wang, netfilter-devel, Patrick McHardy, David S. Miller, netfilter

On Tue, Sep 04, 2012 at 05:15:17PM +0200, Jan Engelhardt wrote:
> On Tuesday 2012-09-04 10:58, Pablo Neira Ayuso wrote:
>
> >On Mon, Sep 03, 2012 at 10:29:40PM -0700, Maciej Żenczykowski wrote:
> >[...]
> >> > Not solved:
> >> > 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
> >> > has become unusable on sufficiently old kernels.
> >> > Should we even bother?
> >>
> >> Yes, we must, otherwise distros can't upgrade to latest iptables
> >> without either patching or upgrading kernel.
> >
> >Why not? They will upgrade and they will start using the CT target
> >sooner than any other, which seems good to me.
> >
> >We also need to add support for real_rev 0 of the CT target. Just to
> >make sure that we don't break with old kernels.
>
> Right; but is that not what might be described as "hypocritic"?
> Even after adding support for CT.0, people still need >= 2.6.34.
> Where is the non-breakage for them?

Well yes, we have to break at some point, but better if we break for
kernels before 2.6.34 than before 3.4 (CT.1 was added there) ;-).

So what we're doing is just trying to do our best to avoid the sure
breakage that will happen in upcoming 3.7 where NOTRACK will be gone.
There's only one single -stable branch that would break using recent
iptables + old kernel.

> (I can't say I feel /too/ bad for the RHEL folks stuck with their
> ancient 2.6.32 :-P )
> (And don't tell me about backports, because in general, they don't
> do that for NF.)

I'm mostly thinking of embedded people, that usually stick to really
old kernels.
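An added example, not code from this thread or from the iptables project: an offline check for the breakage discussed above, which rewrites `-j NOTRACK` to `-j CT --notrack` in a saved ruleset before it is loaded on a kernel without xt_NOTRACK. The names `tokenize`, `find_jump`, `migrate` and `SAMPLE_DUMP` are hypothetical, the dump is a constructed sample, and the double-quote handling is a simplified assumption about the iptables-save format.

```python
"""Rewrite '-j NOTRACK' rules of an iptables-save dump to '-j CT --notrack'."""

# Constructed sample of iptables-save output (not taken from the thread).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
-A PREROUTING -i lo -m comment --comment "was -j NOTRACK before" -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p icmp -j NOTRACK
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""


def tokenize(line):
    """Split a rule into (text, start, end) tokens, honouring double quotes.

    Offsets are kept so that a single token can be replaced in place and the
    rest of the line (spacing, quoting) stays byte-for-byte identical.
    """
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
            continue
        start, buf, quoted = i, [], False
        while i < n and (quoted or not line[i].isspace()):
            ch = line[i]
            if ch == "\\" and quoted and i + 1 < n:
                buf.append(line[i + 1])   # escaped character inside quotes
                i += 2
                continue
            if ch == '"':
                quoted = not quoted
            else:
                buf.append(ch)
            i += 1
        tokens.append(("".join(buf), start, i))
    return tokens


def find_jump(tokens):
    """Return the token naming the jump target, or None if the rule has none."""
    skip = False
    for idx, (text, _, _) in enumerate(tokens[:-1]):
        if skip:                  # argument of --comment is free text
            skip = False
        elif text == "--comment":
            skip = True
        elif text in ("-j", "--jump"):
            return tokens[idx + 1]
    return None


def migrate(dump):
    """Return (new_dump, findings); findings are (lineno, table, action)."""
    out, findings, table = [], [], None
    for lineno, line in enumerate(dump.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("*"):
            table = stripped[1:]              # "*raw", "*filter", ...
        elif stripped == "COMMIT":
            table = None
        elif stripped.startswith("-"):
            jump = find_jump(tokenize(line))
            if jump is not None and jump[0] == "NOTRACK":
                _, start, end = jump
                if table == "raw":
                    line = line[:start] + "CT --notrack" + line[end:]
                    findings.append((lineno, table, "rewritten"))
                else:
                    # The removed module registered NOTRACK for "raw" only,
                    # so this rule needs a human, not a mechanical rewrite.
                    findings.append((lineno, table, "wrong-table"))
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    new_dump, report = migrate(SAMPLE_DUMP)
    for lineno, table, action in report:
        print(f"line {lineno} (table {table}): {action}")
    print(new_dump, end="")
```

The rewritten dump still needs a kernel that provides the CT target, which is the constraint Jan and Pablo discuss above.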
* Re: [Patch net-next] netfilter: remove xt_NOTRACK 2012-09-04 3:57 ` Jan Engelhardt 2012-09-04 5:29 ` Maciej Żenczykowski @ 2012-09-04 13:58 ` Pablo Neira Ayuso 1 sibling, 0 replies; 15+ messages in thread From: Pablo Neira Ayuso @ 2012-09-04 13:58 UTC (permalink / raw) To: Jan Engelhardt Cc: Maciej Żenczykowski, Cong Wang, Cong Wang, netfilter-devel, Patrick McHardy, David S. Miller, netfilter On Tue, Sep 04, 2012 at 05:57:28AM +0200, Jan Engelhardt wrote: > > On Tuesday 2012-09-04 02:14, Maciej Żenczykowski wrote: > > >+<----->if (cs->target->alias == NULL)^M > >+<-----><------>strcpy(cs->target->t->u.user.name, cs->jumpto);^M > >+<----->else^M > >+<-----><------>strcpy(cs->target->t->u.user.name, cs->target->alias);^M > > > >I'd have probably written if (cs->target->alias) copy(alias) else copy(jumpto) > > > >doesn't this all really belong in the CT files now? > >ie. libxt_CT.c not libxt_NOTRACK.c > > I think so too. > Furthermore, I have refined Pablo's patch. > > 0. vcurrent was not updated, now done. > 1. Loading libxt_NOTRACK.so would still ask the kernel for NOTRACK.0 > (function "compatible_revision"), now addressed. > 2. NOTRACK.0 can now directly map to CT.1, instead of going through CT.0. > 3. Do away with libxt_NOTRACK.c, and resolve the dlopen call by > providing a symlink. > > Not solved: > 4. Since NOTRACK now always maps to CT, "-j NOTRACK" > has become unusable on sufficiently old kernels. > Should we even bother? > > [ Agglomeration of two patches in git://git.inai.de/iptables master ] > diff --git a/configure.ac b/configure.ac > index 861f5b3..a45d9ab 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -2,8 +2,8 @@ > AC_INIT([iptables], [1.4.15]) > > # See libtool.info "Libtool's versioning system" > -libxtables_vcurrent=8 > -libxtables_vage=1 > +libxtables_vcurrent=9 > +libxtables_vage=0 > > AC_CONFIG_AUX_DIR([build-aux]) > AC_CONFIG_HEADERS([config.h]) 
> diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in > index 218dc3a..92ac63d 100644 > --- a/extensions/GNUmakefile.in > +++ b/extensions/GNUmakefile.in > @@ -39,6 +39,7 @@ endif > # Wildcard module list > # > pfx_build_mod := $(patsubst ${srcdir}/libxt_%.c,%,$(sort $(wildcard ${srcdir}/libxt_*.c))) > +pfx_build_mod += NOTRACK > @ENABLE_IPV4_TRUE@ pf4_build_mod := $(patsubst ${srcdir}/libipt_%.c,%,$(sort $(wildcard ${srcdir}/libipt_*.c))) > @ENABLE_IPV6_TRUE@ pf6_build_mod := $(patsubst ${srcdir}/libip6t_%.c,%,$(sort $(wildcard ${srcdir}/libip6t_*.c))) > pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod}) > @@ -100,6 +101,8 @@ lib%.oo: ${srcdir}/lib%.c > xt_RATEEST_LIBADD = -lm > xt_statistic_LIBADD = -lm > > +libxt_NOTRACK.so: libxt_CT.so > + ln -s $< $@ > > # > # Static bits > diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c > index 27a20e2..8012a59 100644 > --- a/extensions/libxt_CT.c > +++ b/extensions/libxt_CT.c > @@ -248,6 +248,13 @@ static void ct_save_v1(const void *ip, const struct xt_entry_target *target) > printf(" --zone %u", info->zone); > } > > +static void notrack_tg_init(struct xt_entry_target *target) > +{ > + struct xt_ct_target_info_v1 *info = (void *)target->data; > + > + info->flags |= XT_CT_NOTRACK; > +} > + > static struct xtables_target ct_target_reg[] = { > { > .family = NFPROTO_UNSPEC, 
> @@ -274,6 +281,19 @@ static struct xtables_target ct_target_reg[] = { > .x6_parse = ct_parse_v1, > .x6_options = ct_opts_v1, > }, > + { > + .family = NFPROTO_UNSPEC, > + .name = "NOTRACK", > + .revision = 0, > + .real_name = "CT", > + .real_rev = 1, > + .version = XTABLES_VERSION, > + .size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)), > + .userspacesize = offsetof(struct xt_ct_target_info_v1, ct), > + .print = ct_print_v1, > + .save = ct_save_v1, > + .init = notrack_tg_init, > + },

We also need to add support for real_rev 0 of the CT target. Just to make sure that we don't break with old kernels.

I've pulled this and pushed out to the notrack-removal branch of iptables. The idea would be to fix this issue above and to merge that couple of patches once 3.7-rc1 is released.
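Review bot: in the configure.ac hunk, setting libxtables_vage back to 0 while raising libxtables_vcurrent to 9 declares an incompatible ABI break, and on Linux it moves the libtool soname major (current minus age) from 7 to 9, so every out-of-tree extension linked against libxtables has to be rebuilt. The changelog should name the interface change that rules out the backward-compatible pair 9/2, presumably the real_name and real_rev members used in the libxt_CT.c hunk, so packagers know the bump is intended.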
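Review bot: in the first extensions/GNUmakefile.in hunk, "pfx_build_mod += NOTRACK" adds the only name in that list with no libxt_%.c source behind it, since the line above derives every other entry from the libxt_*.c wildcard. Any rule that consumes pfx_build_mod to compile objects rather than to produce .so files will look for a libxt_NOTRACK.c that item 3 of the cover text removes. Please confirm that a static (non-dlopen) build still works, or add NOTRACK only where the shared objects are listed.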
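Review bot: in the second extensions/GNUmakefile.in hunk, the recipe "ln -s $< $@" fails with "File exists" whenever make runs it over an existing libxt_NOTRACK.so, for example a stale regular file left by a tree that still built libxt_NOTRACK.c. Use "ln -fs $< $@", and check that the install and clean rules treat the result as a symlink rather than installing a second copy of libxt_CT.so or leaving it behind.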
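Review bot: in the ct_target_reg[] hunk of extensions/libxt_CT.c, the new NOTRACK entry sets .print = ct_print_v1 and .save = ct_save_v1 but registers no .x6_parse or .x6_options, unlike the CT entry directly above it. ct_save_v1 writes CT option syntax (the context of the preceding hunk shows it emitting " --zone %u"), so a rule saved under the NOTRACK name could carry options this entry cannot parse back. Please show that iptables-save output for a "-j NOTRACK" rule round-trips through iptables-restore, or give the alias its own print and save callbacks.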