aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJo-Philipp Wich <jow@openwrt.org>2010-02-19 01:36:47 +0000
committerJo-Philipp Wich <jow@openwrt.org>2010-02-19 01:36:47 +0000
commit15c4e22d31c1d46a5fd19823499b812c2629dbaa (patch)
treea39b6d9d1264d3d6dece98fb7076015c4af6753a
parent31cfd93be4261e7bc0d3577e4c85d39d73ccf881 (diff)
downloadupstream-15c4e22d31c1d46a5fd19823499b812c2629dbaa.tar.gz
upstream-15c4e22d31c1d46a5fd19823499b812c2629dbaa.tar.bz2
upstream-15c4e22d31c1d46a5fd19823499b812c2629dbaa.zip
netfilter: add support for raw table and NOTRACK target (#5504)
SVN-Revision: 19721
-rw-r--r--include/netfilter.mk1
-rw-r--r--target/linux/generic-2.4/config-default3
-rw-r--r--target/linux/generic-2.4/patches/628-netfilter_raw.patch707
3 files changed, 711 insertions, 0 deletions
diff --git a/include/netfilter.mk b/include/netfilter.mk
index 9eeee4f6e1..c8347936d4 100644
--- a/include/netfilter.mk
+++ b/include/netfilter.mk
@@ -91,6 +91,7 @@ $(eval $(if $(NF_KMOD),$(call nf_add,IPT_CONNTRACK,CONFIG_NF_CONNTRACK_IPV4, $(P
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_IP_NF_MATCH_STATE, $(P_V4)ipt_state))
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_MATCH_STATE, $(P_XT)xt_state))
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_IP_NF_RAW, $(P_V4)iptable_raw))
+$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_IP_NF_TARGET_NOTRACK, $(P_V4)ipt_NOTRACK))
$(eval $(call nf_add,IPT_CONNTRACK,CONFIG_NETFILTER_XT_TARGET_NOTRACK, $(P_XT)xt_NOTRACK))
diff --git a/target/linux/generic-2.4/config-default b/target/linux/generic-2.4/config-default
index 869e4f4cc4..5dce4279cd 100644
--- a/target/linux/generic-2.4/config-default
+++ b/target/linux/generic-2.4/config-default
@@ -203,6 +203,7 @@ CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_RANDOM=m
# CONFIG_IP6_NF_MATCH_RT is not set
# CONFIG_IP6_NF_QUEUE is not set
+CONFIG_IP6_NF_RAW=m
CONFIG_IP6_NF_TARGET_IMQ=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_MARK=m
@@ -277,6 +278,7 @@ CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_QUEUE=m
+CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_RTSP=m
CONFIG_IP_NF_SET_HASHSIZE=1024
CONFIG_IP_NF_SET_IPHASH=m
@@ -297,6 +299,7 @@ CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_TARGET_NETMAP=m
+CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_SET=m
diff --git a/target/linux/generic-2.4/patches/628-netfilter_raw.patch b/target/linux/generic-2.4/patches/628-netfilter_raw.patch
new file mode 100644
index 0000000000..419fb01e58
--- /dev/null
+++ b/target/linux/generic-2.4/patches/628-netfilter_raw.patch
@@ -0,0 +1,707 @@
+--- a/Documentation/Configure.help
++++ b/Documentation/Configure.help
+@@ -3057,6 +3057,34 @@
+ If you want to compile it as a module, say M here and read
+ <file:Documentation/modules.txt>. If unsure, say `N'.
+
++raw table support (required for NOTRACK/TRACE)
++CONFIG_IP_NF_RAW
++ This option adds a `raw' table to iptables. This table is the very
++ first in the netfilter framework and hooks in at the PREROUTING
++ and OUTPUT chains.
++
++ If you want to compile it as a module, say M here and read
++ <file:Documentation/modules.txt>. If unsure, say `N'.
++
++NOTRACK target support
++CONFIG_IP_NF_TARGET_NOTRACK
++ The NOTRACK target allows a select rule to specify
++ which packets *not* to enter the conntrack/NAT
++ subsystem with all the consequences (no ICMP error tracking,
++ no protocol helpers for the selected packets).
++
++ If you want to compile it as a module, say M here and read
++ <file:Documentation/modules.txt>. If unsure, say `N'.
++
++raw table support (required for TRACE)
++CONFIG_IP6_NF_RAW
++ This option adds a `raw' table to ip6tables. This table is the very
++ first in the netfilter framework and hooks in at the PREROUTING
++ and OUTPUT chains.
++
++ If you want to compile it as a module, say M here and read
++ <file:Documentation/modules.txt>. If unsure, say `N'.
++
+ REJECT target support
+ CONFIG_IP_NF_TARGET_REJECT
+ The REJECT target allows a filtering rule to specify that an ICMP
+--- a/include/linux/netfilter_ipv4/ip_conntrack.h
++++ b/include/linux/netfilter_ipv4/ip_conntrack.h
+@@ -286,6 +286,9 @@
+ /* Call me when a conntrack is destroyed. */
+ extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
+
++/* Fake conntrack entry for untracked connections */
++extern struct ip_conntrack ip_conntrack_untracked;
++
+ /* Returns new sk_buff, or NULL */
+ struct sk_buff *
+ ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user);
+--- a/include/linux/netfilter_ipv4/ipt_conntrack.h
++++ b/include/linux/netfilter_ipv4/ipt_conntrack.h
+@@ -10,6 +10,7 @@
+
+ #define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
+ #define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
++#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+
+ /* flags, invflags: */
+ #define IPT_CONNTRACK_STATE 0x01
+--- a/include/linux/netfilter_ipv4/ipt_state.h
++++ b/include/linux/netfilter_ipv4/ipt_state.h
+@@ -4,6 +4,8 @@
+ #define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
+ #define IPT_STATE_INVALID (1 << 0)
+
++#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
++
+ struct ipt_state_info
+ {
+ unsigned int statemask;
+--- a/include/linux/netfilter_ipv4.h
++++ b/include/linux/netfilter_ipv4.h
+@@ -51,6 +51,8 @@
+
+ enum nf_ip_hook_priorities {
+ NF_IP_PRI_FIRST = INT_MIN,
++ NF_IP_PRI_CONNTRACK_DEFRAG = -400,
++ NF_IP_PRI_RAW = -300,
+ NF_IP_PRI_CONNTRACK = -200,
+ NF_IP_PRI_MANGLE = -150,
+ NF_IP_PRI_NAT_DST = -100,
+--- a/net/ipv4/netfilter/Config.in
++++ b/net/ipv4/netfilter/Config.in
+@@ -153,6 +153,15 @@
+ dep_tristate ' TTL target support' CONFIG_IP_NF_TARGET_TTL $CONFIG_IP_NF_IPTABLES
+ dep_tristate ' ULOG target support' CONFIG_IP_NF_TARGET_ULOG $CONFIG_IP_NF_IPTABLES
+ dep_tristate ' TCPMSS target support' CONFIG_IP_NF_TARGET_TCPMSS $CONFIG_IP_NF_IPTABLES
++ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
++ tristate ' raw table support (required for NOTRACK/TRACE)' CONFIG_IP_NF_RAW $CONFIG_IP_NF_IPTABLES
++ fi
++ if [ "$CONFIG_IP_NF_RAW" != "n" ]; then
++ if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
++ dep_tristate ' NOTRACK target support' CONFIG_IP_NF_TARGET_NOTRACK $CONFIG_IP_NF_RAW
++ fi
++ # Marker for TRACE target
++ fi
+ fi
+
+ tristate 'ARP tables support' CONFIG_IP_NF_ARPTABLES
+--- a/net/ipv4/netfilter/ip_conntrack_core.c
++++ b/net/ipv4/netfilter/ip_conntrack_core.c
+@@ -64,6 +64,7 @@
+ static atomic_t ip_conntrack_count = ATOMIC_INIT(0);
+ struct list_head *ip_conntrack_hash;
+ static kmem_cache_t *ip_conntrack_cachep;
++struct ip_conntrack ip_conntrack_untracked;
+ static LIST_HEAD(unconfirmed);
+
+ extern struct ip_conntrack_protocol ip_conntrack_generic_protocol;
+@@ -834,6 +835,15 @@
+ int set_reply;
+ int ret;
+
++ /* Never happen */
++ if ((*pskb)->nh.iph->frag_off & htons(IP_OFFSET)) {
++ if (net_ratelimit()) {
++ printk(KERN_ERR "ip_conntrack_in: Frag of proto %u (hook=%u)\n",
++ (*pskb)->nh.iph->protocol, hooknum);
++ }
++ return NF_DROP;
++ }
++
+ /* FIXME: Do this right please. --RR */
+ (*pskb)->nfcache |= NFC_UNKNOWN;
+
+@@ -1489,6 +1499,18 @@
+
+ /* For use by ipt_REJECT */
+ ip_ct_attach = ip_conntrack_attach;
++
++ /* Set up fake conntrack:
++ - to never be deleted, not in any hashes */
++ atomic_set(&ip_conntrack_untracked.ct_general.use, 1);
++ /* - and look it like as a confirmed connection */
++ set_bit(IPS_CONFIRMED_BIT, &ip_conntrack_untracked.status);
++ /* - and prepare the ctinfo field for REJECT/NAT. */
++ ip_conntrack_untracked.infos[IP_CT_NEW].master =
++ ip_conntrack_untracked.infos[IP_CT_RELATED].master =
++ ip_conntrack_untracked.infos[IP_CT_RELATED + IP_CT_IS_REPLY].master =
++ &ip_conntrack_untracked.ct_general;
++
+ return ret;
+
+ err_free_hash:
+--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
++++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
+@@ -218,6 +218,29 @@
+ return ip_conntrack_confirm(*pskb);
+ }
+
++static unsigned int ip_conntrack_defrag(unsigned int hooknum,
++ struct sk_buff **pskb,
++ const struct net_device *in,
++ const struct net_device *out,
++ int (*okfn)(struct sk_buff *))
++{
++ /* Previously seen (loopback)? Ignore. Do this before
++ fragment check. */
++ if ((*pskb)->nfct)
++ return NF_ACCEPT;
++
++ /* Gather fragments. */
++ if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
++ *pskb = ip_ct_gather_frags(*pskb,
++ hooknum == NF_IP_PRE_ROUTING ?
++ IP_DEFRAG_CONNTRACK_IN :
++ IP_DEFRAG_CONNTRACK_OUT);
++ if (!*pskb)
++ return NF_STOLEN;
++ }
++ return NF_ACCEPT;
++}
++
+ static unsigned int ip_refrag(unsigned int hooknum,
+ struct sk_buff **pskb,
+ const struct net_device *in,
+@@ -259,9 +282,15 @@
+
+ /* Connection tracking may drop packets, but never alters them, so
+ make it the first hook. */
++static struct nf_hook_ops ip_conntrack_defrag_ops
++= { { NULL, NULL }, ip_conntrack_defrag, PF_INET, NF_IP_PRE_ROUTING,
++ NF_IP_PRI_CONNTRACK_DEFRAG };
+ static struct nf_hook_ops ip_conntrack_in_ops
+ = { { NULL, NULL }, ip_conntrack_in, PF_INET, NF_IP_PRE_ROUTING,
+ NF_IP_PRI_CONNTRACK };
++static struct nf_hook_ops ip_conntrack_defrag_local_out_ops
++= { { NULL, NULL }, ip_conntrack_defrag, PF_INET, NF_IP_LOCAL_OUT,
++ NF_IP_PRI_CONNTRACK_DEFRAG };
+ static struct nf_hook_ops ip_conntrack_local_out_ops
+ = { { NULL, NULL }, ip_conntrack_local, PF_INET, NF_IP_LOCAL_OUT,
+ NF_IP_PRI_CONNTRACK };
+@@ -382,10 +411,20 @@
+ if (!proc) goto cleanup_init;
+ proc->owner = THIS_MODULE;
+
++ ret = nf_register_hook(&ip_conntrack_defrag_ops);
++ if (ret < 0) {
++ printk("ip_conntrack: can't register pre-routing defrag hook.\n");
++ goto cleanup_proc;
++ }
++ ret = nf_register_hook(&ip_conntrack_defrag_local_out_ops);
++ if (ret < 0) {
++ printk("ip_conntrack: can't register local_out defrag hook.\n");
++ goto cleanup_defragops;
++ }
+ ret = nf_register_hook(&ip_conntrack_in_ops);
+ if (ret < 0) {
+ printk("ip_conntrack: can't register pre-routing hook.\n");
+- goto cleanup_proc;
++ goto cleanup_defraglocalops;
+ }
+ ret = nf_register_hook(&ip_conntrack_local_out_ops);
+ if (ret < 0) {
+@@ -423,6 +462,10 @@
+ nf_unregister_hook(&ip_conntrack_local_out_ops);
+ cleanup_inops:
+ nf_unregister_hook(&ip_conntrack_in_ops);
++ cleanup_defraglocalops:
++ nf_unregister_hook(&ip_conntrack_defrag_local_out_ops);
++ cleanup_defragops:
++ nf_unregister_hook(&ip_conntrack_defrag_ops);
+ cleanup_proc:
+ proc_net_remove("ip_conntrack");
+ cleanup_init:
+@@ -512,5 +555,6 @@
+ EXPORT_SYMBOL(ip_conntrack_expect_list);
+ EXPORT_SYMBOL(ip_conntrack_lock);
+ EXPORT_SYMBOL(ip_conntrack_hash);
++EXPORT_SYMBOL(ip_conntrack_untracked);
+ EXPORT_SYMBOL_GPL(ip_conntrack_find_get);
+ EXPORT_SYMBOL_GPL(ip_conntrack_put);
+--- a/net/ipv4/netfilter/ip_nat_core.c
++++ b/net/ipv4/netfilter/ip_nat_core.c
+@@ -1023,6 +1023,10 @@
+ /* FIXME: Man, this is a hack. <SIGH> */
+ IP_NF_ASSERT(ip_conntrack_destroyed == NULL);
+ ip_conntrack_destroyed = &ip_nat_cleanup_conntrack;
++
++ /* Initialize fake conntrack so that NAT will skip it */
++ ip_conntrack_untracked.nat.info.initialized |=
++ (1 << IP_NAT_MANIP_SRC) | (1 << IP_NAT_MANIP_DST);
+
+ return 0;
+ }
+--- /dev/null
++++ b/net/ipv4/netfilter/iptable_raw.c
+@@ -0,0 +1,149 @@
++/*
++ * 'raw' table, which is the very first hooked in at PRE_ROUTING and LOCAL_OUT .
++ *
++ * Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
++ */
++#include <linux/module.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++
++#define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))
++
++/* Standard entry. */
++struct ipt_standard
++{
++ struct ipt_entry entry;
++ struct ipt_standard_target target;
++};
++
++struct ipt_error_target
++{
++ struct ipt_entry_target target;
++ char errorname[IPT_FUNCTION_MAXNAMELEN];
++};
++
++struct ipt_error
++{
++ struct ipt_entry entry;
++ struct ipt_error_target target;
++};
++
++static struct
++{
++ struct ipt_replace repl;
++ struct ipt_standard entries[2];
++ struct ipt_error term;
++} initial_table __initdata
++= { { "raw", RAW_VALID_HOOKS, 3,
++ sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error),
++ { [NF_IP_PRE_ROUTING] 0,
++ [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) },
++ { [NF_IP_PRE_ROUTING] 0,
++ [NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) },
++ 0, NULL, { } },
++ {
++ /* PRE_ROUTING */
++ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
++ 0,
++ sizeof(struct ipt_entry),
++ sizeof(struct ipt_standard),
++ 0, { 0, 0 }, { } },
++ { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
++ -NF_ACCEPT - 1 } },
++ /* LOCAL_OUT */
++ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
++ 0,
++ sizeof(struct ipt_entry),
++ sizeof(struct ipt_standard),
++ 0, { 0, 0 }, { } },
++ { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
++ -NF_ACCEPT - 1 } }
++ },
++ /* ERROR */
++ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
++ 0,
++ sizeof(struct ipt_entry),
++ sizeof(struct ipt_error),
++ 0, { 0, 0 }, { } },
++ { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
++ { } },
++ "ERROR"
++ }
++ }
++};
++
++static struct ipt_table packet_raw = {
++ .name = "raw",
++ .table = &initial_table.repl,
++ .valid_hooks = RAW_VALID_HOOKS,
++ .lock = RW_LOCK_UNLOCKED,
++ .me = THIS_MODULE
++};
++
++/* The work comes in here from netfilter.c. */
++static unsigned int
++ipt_hook(unsigned int hook,
++ struct sk_buff **pskb,
++ const struct net_device *in,
++ const struct net_device *out,
++ int (*okfn)(struct sk_buff *))
++{
++ return ipt_do_table(pskb, hook, in, out, &packet_raw, NULL);
++}
++
++/* 'raw' is the very first table. */
++static struct nf_hook_ops ipt_ops[] = {
++ {
++ .hook = ipt_hook,
++ .pf = PF_INET,
++ .hooknum = NF_IP_PRE_ROUTING,
++ .priority = NF_IP_PRI_RAW
++ },
++ {
++ .hook = ipt_hook,
++ .pf = PF_INET,
++ .hooknum = NF_IP_LOCAL_OUT,
++ .priority = NF_IP_PRI_RAW
++ },
++};
++
++static int __init init(void)
++{
++ int ret;
++
++ /* Register table */
++ ret = ipt_register_table(&packet_raw);
++ if (ret < 0)
++ return ret;
++
++ /* Register hooks */
++ ret = nf_register_hook(&ipt_ops[0]);
++ if (ret < 0)
++ goto cleanup_table;
++
++ ret = nf_register_hook(&ipt_ops[1]);
++ if (ret < 0)
++ goto cleanup_hook0;
++
++ return ret;
++
++ cleanup_hook0:
++ nf_unregister_hook(&ipt_ops[0]);
++ cleanup_table:
++ ipt_unregister_table(&packet_raw);
++
++ return ret;
++}
++
++static void __exit fini(void)
++{
++ unsigned int i;
++
++ for (i = 0; i < sizeof(ipt_ops)/sizeof(struct nf_hook_ops); i++)
++ nf_unregister_hook(&ipt_ops[i]);
++
++ ipt_unregister_table(&packet_raw);
++}
++
++module_init(init);
++module_exit(fini);
++MODULE_LICENSE("GPL");
+--- a/net/ipv4/netfilter/ipt_conntrack.c
++++ b/net/ipv4/netfilter/ipt_conntrack.c
+@@ -27,11 +27,13 @@
+
+ #define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
+
+- if (ct)
+- statebit = IPT_CONNTRACK_STATE_BIT(ctinfo);
+- else
+- statebit = IPT_CONNTRACK_STATE_INVALID;
+-
++ if (skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW])
++ statebit = IPT_CONNTRACK_STATE_UNTRACKED;
++ else if (ct)
++ statebit = IPT_CONNTRACK_STATE_BIT(ctinfo);
++ else
++ statebit = IPT_CONNTRACK_STATE_INVALID;
++
+ if(sinfo->flags & IPT_CONNTRACK_STATE) {
+ if (ct) {
+ if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip !=
+--- /dev/null
++++ b/net/ipv4/netfilter/ipt_NOTRACK.c
+@@ -0,0 +1,75 @@
++/* This is a module which is used for setting up fake conntracks
++ * on packets so that they are not seen by the conntrack/NAT code.
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ip_conntrack.h>
++
++static unsigned int
++target(struct sk_buff **pskb,
++ unsigned int hooknum,
++ const struct net_device *in,
++ const struct net_device *out,
++ const void *targinfo,
++ void *userinfo)
++{
++ /* Previously seen (loopback)? Ignore. */
++ if ((*pskb)->nfct != NULL)
++ return IPT_CONTINUE;
++
++ /* Attach fake conntrack entry.
++ If there is a real ct entry correspondig to this packet,
++ it'll hang aroun till timing out. We don't deal with it
++ for performance reasons. JK */
++ (*pskb)->nfct = &ip_conntrack_untracked.infos[IP_CT_NEW];
++ nf_conntrack_get((*pskb)->nfct);
++
++ return IPT_CONTINUE;
++}
++
++static int
++checkentry(const char *tablename,
++ const struct ipt_entry *e,
++ void *targinfo,
++ unsigned int targinfosize,
++ unsigned int hook_mask)
++{
++ if (targinfosize != 0) {
++ printk(KERN_WARNING "NOTRACK: targinfosize %u != 0\n",
++ targinfosize);
++ return 0;
++ }
++
++ if (strcmp(tablename, "raw") != 0) {
++ printk(KERN_WARNING "NOTRACK: can only be called from \"raw\" table, not \"%s\"\n", tablename);
++ return 0;
++ }
++
++ return 1;
++}
++
++static struct ipt_target ipt_notrack_reg = {
++ .name = "NOTRACK",
++ .target = target,
++ .checkentry = checkentry,
++ .me = THIS_MODULE
++};
++
++static int __init init(void)
++{
++ if (ipt_register_target(&ipt_notrack_reg))
++ return -EINVAL;
++
++ return 0;
++}
++
++static void __exit fini(void)
++{
++ ipt_unregister_target(&ipt_notrack_reg);
++}
++
++module_init(init);
++module_exit(fini);
++MODULE_LICENSE("GPL");
+--- a/net/ipv4/netfilter/ipt_state.c
++++ b/net/ipv4/netfilter/ipt_state.c
+@@ -21,7 +21,9 @@
+ enum ip_conntrack_info ctinfo;
+ unsigned int statebit;
+
+- if (!ip_conntrack_get((struct sk_buff *)skb, &ctinfo))
++ if (skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW])
++ statebit = IPT_STATE_UNTRACKED;
++ else if (!ip_conntrack_get((struct sk_buff *)skb, &ctinfo))
+ statebit = IPT_STATE_INVALID;
+ else
+ statebit = IPT_STATE_BIT(ctinfo);
+--- a/net/ipv4/netfilter/Makefile
++++ b/net/ipv4/netfilter/Makefile
+@@ -77,6 +77,7 @@
+ obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
+ obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
+ obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
++obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
+
+ # matches
+ obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
+@@ -131,6 +132,7 @@
+ obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
+ obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
+ obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
++obj-$(CONFIG_IP_NF_TARGET_NOTRACK) += ipt_NOTRACK.o
+
+ # generic ARP tables
+ obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
+--- a/net/ipv6/netfilter/Config.in
++++ b/net/ipv6/netfilter/Config.in
+@@ -79,6 +79,10 @@
+ dep_tristate ' IMQ target support' CONFIG_IP6_NF_TARGET_IMQ $CONFIG_IP6_NF_MANGLE
+ fi
+ #dep_tristate ' LOG target support' CONFIG_IP6_NF_TARGET_LOG $CONFIG_IP6_NF_IPTABLES
++ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
++ tristate ' raw table support (required for TRACE)' CONFIG_IP6_NF_RAW $CONFIG_IP6_NF_IPTABLES
++ fi
++ # Marker for TRACE target
+ fi
+
+ endmenu
+--- /dev/null
++++ b/net/ipv6/netfilter/ip6table_raw.c
+@@ -0,0 +1,154 @@
++/*
++ * IPv6 raw table, a port of the IPv4 raw table to IPv6
++ *
++ * Copyright (C) 2003 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
++ */
++#include <linux/module.h>
++#include <linux/netfilter_ipv6/ip6_tables.h>
++
++#define RAW_VALID_HOOKS ((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_OUT))
++
++#if 0
++#define DEBUGP(x, args...) printk(KERN_DEBUG x, ## args)
++#else
++#define DEBUGP(x, args...)
++#endif
++
++/* Standard entry. */
++struct ip6t_standard
++{
++ struct ip6t_entry entry;
++ struct ip6t_standard_target target;
++};
++
++struct ip6t_error_target
++{
++ struct ip6t_entry_target target;
++ char errorname[IP6T_FUNCTION_MAXNAMELEN];
++};
++
++struct ip6t_error
++{
++ struct ip6t_entry entry;
++ struct ip6t_error_target target;
++};
++
++static struct
++{
++ struct ip6t_replace repl;
++ struct ip6t_standard entries[2];
++ struct ip6t_error term;
++} initial_table __initdata
++= { { "raw", RAW_VALID_HOOKS, 3,
++ sizeof(struct ip6t_standard) * 2 + sizeof(struct ip6t_error),
++ { [NF_IP6_PRE_ROUTING] 0,
++ [NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) },
++ { [NF_IP6_PRE_ROUTING] 0,
++ [NF_IP6_LOCAL_OUT] sizeof(struct ip6t_standard) },
++ 0, NULL, { } },
++ {
++ /* PRE_ROUTING */
++ { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
++ 0,
++ sizeof(struct ip6t_entry),
++ sizeof(struct ip6t_standard),
++ 0, { 0, 0 }, { } },
++ { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
++ -NF_ACCEPT - 1 } },
++ /* LOCAL_OUT */
++ { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
++ 0,
++ sizeof(struct ip6t_entry),
++ sizeof(struct ip6t_standard),
++ 0, { 0, 0 }, { } },
++ { { { { IP6T_ALIGN(sizeof(struct ip6t_standard_target)), "" } }, { } },
++ -NF_ACCEPT - 1 } },
++ },
++ /* ERROR */
++ { { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, "", "", { 0 }, { 0 }, 0, 0, 0 },
++ 0,
++ sizeof(struct ip6t_entry),
++ sizeof(struct ip6t_error),
++ 0, { 0, 0 }, { } },
++ { { { { IP6T_ALIGN(sizeof(struct ip6t_error_target)), IP6T_ERROR_TARGET } },
++ { } },
++ "ERROR"
++ }
++ }
++};
++
++static struct ip6t_table packet_raw = {
++ .name = "raw",
++ .table = &initial_table.repl,
++ .valid_hooks = RAW_VALID_HOOKS,
++ .lock = RW_LOCK_UNLOCKED,
++ .me = THIS_MODULE
++};
++
++/* The work comes in here from netfilter.c. */
++static unsigned int
++ip6t_hook(unsigned int hook,
++ struct sk_buff **pskb,
++ const struct net_device *in,
++ const struct net_device *out,
++ int (*okfn)(struct sk_buff *))
++{
++ return ip6t_do_table(pskb, hook, in, out, &packet_raw, NULL);
++}
++
++static struct nf_hook_ops ip6t_ops[] = {
++ {
++ .hook = ip6t_hook,
++ .pf = PF_INET6,
++ .hooknum = NF_IP6_PRE_ROUTING,
++ .priority = NF_IP6_PRI_FIRST
++ },
++ {
++ .hook = ip6t_hook,
++ .pf = PF_INET6,
++ .hooknum = NF_IP6_LOCAL_OUT,
++ .priority = NF_IP6_PRI_FIRST
++ },
++};
++
++static int __init init(void)
++{
++ int ret;
++
++ /* Register table */
++ ret = ip6t_register_table(&packet_raw);
++ if (ret < 0)
++ return ret;
++
++ /* Register hooks */
++ ret = nf_register_hook(&ip6t_ops[0]);
++ if (ret < 0)
++ goto cleanup_table;
++
++ ret = nf_register_hook(&ip6t_ops[1]);
++ if (ret < 0)
++ goto cleanup_hook0;
++
++ return ret;
++
++ cleanup_hook0:
++ nf_unregister_hook(&ip6t_ops[0]);
++ cleanup_table:
++ ip6t_unregister_table(&packet_raw);
++
++ return ret;
++}
++
++static void __exit fini(void)
++{
++ unsigned int i;
++
++ for (i = 0; i < sizeof(ip6t_ops)/sizeof(struct nf_hook_ops); i++)
++ nf_unregister_hook(&ip6t_ops[i]);
++
++ ip6t_unregister_table(&packet_raw);
++}
++
++module_init(init);
++module_exit(fini);
++MODULE_LICENSE("GPL");
+--- a/net/ipv6/netfilter/Makefile
++++ b/net/ipv6/netfilter/Makefile
+@@ -32,6 +32,7 @@
+ obj-$(CONFIG_IP6_NF_TARGET_IMQ) += ip6t_IMQ.o
+ obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
+ obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
++obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
+ obj-$(CONFIG_IP6_NF_MATCH_RANDOM) += ip6t_random.o
+ obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
+ obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o