[linux.git] / net / netfilter / xt_conntrack.c

/* Kernel module to match connection tracking information.
 * Superset of Rusty's minimalistic state match.
 *
 * (C) 2001  Marc Boucher ([email protected]).
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/module.h>
#include <linux/skbuff.h>

#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
#else
#include <net/netfilter/nf_conntrack.h>
#endif

#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_conntrack.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <[email protected]>");
MODULE_DESCRIPTION("iptables connection tracking match module");
MODULE_ALIAS("ipt_conntrack");

#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)

static int
match(const struct sk_buff *skb,
      const struct net_device *in,
      const struct net_device *out,
      const struct xt_match *match,
      const void *matchinfo,
      int offset,
      unsigned int protoff,
      int *hotdrop)
{
	const struct xt_conntrack_info *sinfo = matchinfo;
	struct ip_conntrack *ct;
	enum ip_conntrack_info ctinfo;
	unsigned int statebit;

	ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);

#define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))

	if (ct == &ip_conntrack_untracked)
		statebit = XT_CONNTRACK_STATE_UNTRACKED;
	else if (ct)
 		statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
 	else
 		statebit = XT_CONNTRACK_STATE_INVALID;
 
	if(sinfo->flags & XT_CONNTRACK_STATE) {
		if (ct) {
			if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip !=
			    ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip)
				statebit |= XT_CONNTRACK_STATE_SNAT;

			if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip !=
			    ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip)
				statebit |= XT_CONNTRACK_STATE_DNAT;
		}

		if (FWINV((statebit & sinfo->statemask) == 0, XT_CONNTRACK_STATE))
			return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_PROTO) {
		if (!ct || FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum != sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, XT_CONNTRACK_PROTO))
                	return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_ORIGSRC) {
		if (!ct || FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip&sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip, XT_CONNTRACK_ORIGSRC))
			return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_ORIGDST) {
		if (!ct || FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip&sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip, XT_CONNTRACK_ORIGDST))
			return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_REPLSRC) {
		if (!ct || FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip&sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->tuple[IP_CT_DIR_REPLY].src.ip, XT_CONNTRACK_REPLSRC))
			return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_REPLDST) {
		if (!ct || FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip&sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->tuple[IP_CT_DIR_REPLY].dst.ip, XT_CONNTRACK_REPLDST))
			return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_STATUS) {
		if (!ct || FWINV((ct->status & sinfo->statusmask) == 0, XT_CONNTRACK_STATUS))
			return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
		unsigned long expires;

		if(!ct)
			return 0;

		expires = timer_pending(&ct->timeout) ? (ct->timeout.expires - jiffies)/HZ : 0;

		if (FWINV(!(expires >= sinfo->expires_min && expires <= sinfo->expires_max), XT_CONNTRACK_EXPIRES))
			return 0;
	}

	return 1;
}

#else /* CONFIG_IP_NF_CONNTRACK */
static int
match(const struct sk_buff *skb,
      const struct net_device *in,
      const struct net_device *out,
      const struct xt_match *match,
      const void *matchinfo,
      int offset,
      unsigned int protoff,
      int *hotdrop)
{
	const struct xt_conntrack_info *sinfo = matchinfo;
	struct nf_conn *ct;
	enum ip_conntrack_info ctinfo;
	unsigned int statebit;

	ct = nf_ct_get((struct sk_buff *)skb, &ctinfo);

#define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))

	if (ct == &nf_conntrack_untracked)
		statebit = XT_CONNTRACK_STATE_UNTRACKED;
	else if (ct)
 		statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
 	else
 		statebit = XT_CONNTRACK_STATE_INVALID;
 
	if(sinfo->flags & XT_CONNTRACK_STATE) {
		if (ct) {
			if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip !=
			    ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip)
				statebit |= XT_CONNTRACK_STATE_SNAT;

			if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip !=
			    ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip)
				statebit |= XT_CONNTRACK_STATE_DNAT;
		}

		if (FWINV((statebit & sinfo->statemask) == 0, XT_CONNTRACK_STATE))
			return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_PROTO) {
		if (!ct || FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum != sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, XT_CONNTRACK_PROTO))
                	return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_ORIGSRC) {
		if (!ct || FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip&sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip, XT_CONNTRACK_ORIGSRC))
			return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_ORIGDST) {
		if (!ct || FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip&sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip, XT_CONNTRACK_ORIGDST))
			return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_REPLSRC) {
		if (!ct || FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip&sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->tuple[IP_CT_DIR_REPLY].src.ip, XT_CONNTRACK_REPLSRC))
			return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_REPLDST) {
		if (!ct || FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip&sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->tuple[IP_CT_DIR_REPLY].dst.ip, XT_CONNTRACK_REPLDST))
			return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_STATUS) {
		if (!ct || FWINV((ct->status & sinfo->statusmask) == 0, XT_CONNTRACK_STATUS))
			return 0;
	}

	if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
		unsigned long expires;

		if(!ct)
			return 0;

		expires = timer_pending(&ct->timeout) ? (ct->timeout.expires - jiffies)/HZ : 0;

		if (FWINV(!(expires >= sinfo->expires_min && expires <= sinfo->expires_max), XT_CONNTRACK_EXPIRES))
			return 0;
	}

	return 1;
}

#endif /* CONFIG_NF_IP_CONNTRACK */

static int
checkentry(const char *tablename,
	   const void *ip,
	   const struct xt_match *match,
	   void *matchinfo,
	   unsigned int matchsize,
	   unsigned int hook_mask)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
		printk(KERN_WARNING "can't load nf_conntrack support for "
				    "proto=%d\n", match->family);
		return 0;
	}
#endif
	return 1;
}

static void
destroy(const struct xt_match *match, void *matchinfo, unsigned int matchsize)
{
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
	nf_ct_l3proto_module_put(match->family);
#endif
}

static struct xt_match conntrack_match = {
	.name		= "conntrack",
	.match		= match,
	.checkentry	= checkentry,
	.destroy	= destroy,
	.matchsize	= sizeof(struct xt_conntrack_info),
	.family		= AF_INET,
	.me		= THIS_MODULE,
};

static int __init init(void)
{
	int ret;
	need_conntrack();
	ret = xt_register_match(&conntrack_match);

	return ret;
}

static void __exit fini(void)
{
	xt_unregister_match(&conntrack_match);
}

module_init(init);
module_exit(fini);
Commit	Line	Data
1da177e4 LT	1	/* Kernel module to match connection tracking information.
	2	* Superset of Rusty's minimalistic state match.
	3	*
	4	* (C) 2001 Marc Boucher ([email protected]).
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License version 2 as
	8	* published by the Free Software Foundation.
	9	*/
	10
	11	#include <linux/module.h>
	12	#include <linux/skbuff.h>
9fb9cbb1 YK	13
9fb9cbb1 YK	14	#if defined(CONFIG_IP_NF_CONNTRACK) \|\| defined(CONFIG_IP_NF_CONNTRACK_MODULE)
1da177e4	15	#include <linux/netfilter_ipv4/ip_conntrack.h>
9fb9cbb1 YK	16	#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
	17	#else
	18	#include <net/netfilter/nf_conntrack.h>
	19	#endif
	20
2e4e6a17 HW	21	#include <linux/netfilter/x_tables.h>
2e4e6a17 HW	22	#include <linux/netfilter/xt_conntrack.h>
1da177e4 LT	23
	24	MODULE_LICENSE("GPL");
	25	MODULE_AUTHOR("Marc Boucher <[email protected]>");
	26	MODULE_DESCRIPTION("iptables connection tracking match module");
2e4e6a17	27	MODULE_ALIAS("ipt_conntrack");
1da177e4	28
9fb9cbb1 YK	29	#if defined(CONFIG_IP_NF_CONNTRACK) \|\| defined(CONFIG_IP_NF_CONNTRACK_MODULE)
9fb9cbb1 YK	30
1da177e4 LT	31	static int
	32	match(const struct sk_buff *skb,
	33	const struct net_device *in,
	34	const struct net_device *out,
c4986734	35	const struct xt_match *match,
1da177e4 LT	36	const void *matchinfo,
1da177e4 LT	37	int offset,
2e4e6a17	38	unsigned int protoff,
1da177e4 LT	39	int *hotdrop)
1da177e4 LT	40	{
2e4e6a17	41	const struct xt_conntrack_info *sinfo = matchinfo;
1da177e4 LT	42	struct ip_conntrack *ct;
	43	enum ip_conntrack_info ctinfo;
	44	unsigned int statebit;
	45
	46	ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
	47
	48	#define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
	49
	50	if (ct == &ip_conntrack_untracked)
2e4e6a17	51	statebit = XT_CONNTRACK_STATE_UNTRACKED;
1da177e4	52	else if (ct)
2e4e6a17	53	statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
1da177e4	54	else
2e4e6a17	55	statebit = XT_CONNTRACK_STATE_INVALID;
1da177e4	56
2e4e6a17	57	if(sinfo->flags & XT_CONNTRACK_STATE) {
1da177e4 LT	58	if (ct) {
	59	if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip !=
	60	ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip)
2e4e6a17	61	statebit \|= XT_CONNTRACK_STATE_SNAT;
1da177e4 LT	62
	63	if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip !=
	64	ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip)
2e4e6a17	65	statebit \|= XT_CONNTRACK_STATE_DNAT;
1da177e4 LT	66	}
1da177e4 LT	67
2e4e6a17	68	if (FWINV((statebit & sinfo->statemask) == 0, XT_CONNTRACK_STATE))
1da177e4 LT	69	return 0;
	70	}
	71
2e4e6a17 HW	72	if(sinfo->flags & XT_CONNTRACK_PROTO) {
2e4e6a17 HW	73	if (!ct \|\| FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum != sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, XT_CONNTRACK_PROTO))
1da177e4 LT	74	return 0;
	75	}
	76
2e4e6a17 HW	77	if(sinfo->flags & XT_CONNTRACK_ORIGSRC) {
2e4e6a17 HW	78	if (!ct \|\| FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip&sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip, XT_CONNTRACK_ORIGSRC))
1da177e4 LT	79	return 0;
	80	}
	81
2e4e6a17 HW	82	if(sinfo->flags & XT_CONNTRACK_ORIGDST) {
2e4e6a17 HW	83	if (!ct \|\| FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip&sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip, XT_CONNTRACK_ORIGDST))
1da177e4 LT	84	return 0;
	85	}
	86
2e4e6a17 HW	87	if(sinfo->flags & XT_CONNTRACK_REPLSRC) {
2e4e6a17 HW	88	if (!ct \|\| FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip&sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->tuple[IP_CT_DIR_REPLY].src.ip, XT_CONNTRACK_REPLSRC))
1da177e4 LT	89	return 0;
	90	}
	91
2e4e6a17 HW	92	if(sinfo->flags & XT_CONNTRACK_REPLDST) {
2e4e6a17 HW	93	if (!ct \|\| FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip&sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->tuple[IP_CT_DIR_REPLY].dst.ip, XT_CONNTRACK_REPLDST))
1da177e4 LT	94	return 0;
	95	}
	96
2e4e6a17 HW	97	if(sinfo->flags & XT_CONNTRACK_STATUS) {
2e4e6a17 HW	98	if (!ct \|\| FWINV((ct->status & sinfo->statusmask) == 0, XT_CONNTRACK_STATUS))
1da177e4 LT	99	return 0;
	100	}
	101
2e4e6a17	102	if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
1da177e4 LT	103	unsigned long expires;
	104
	105	if(!ct)
	106	return 0;
	107
	108	expires = timer_pending(&ct->timeout) ? (ct->timeout.expires - jiffies)/HZ : 0;
	109
2e4e6a17	110	if (FWINV(!(expires >= sinfo->expires_min && expires <= sinfo->expires_max), XT_CONNTRACK_EXPIRES))
1da177e4 LT	111	return 0;
	112	}
	113
	114	return 1;
	115	}
	116
9fb9cbb1 YK	117	#else /* CONFIG_IP_NF_CONNTRACK */
	118	static int
	119	match(const struct sk_buff *skb,
	120	const struct net_device *in,
	121	const struct net_device *out,
c4986734	122	const struct xt_match *match,
9fb9cbb1 YK	123	const void *matchinfo,
9fb9cbb1 YK	124	int offset,
2e4e6a17	125	unsigned int protoff,
9fb9cbb1 YK	126	int *hotdrop)
9fb9cbb1 YK	127	{
2e4e6a17	128	const struct xt_conntrack_info *sinfo = matchinfo;
9fb9cbb1 YK	129	struct nf_conn *ct;
	130	enum ip_conntrack_info ctinfo;
	131	unsigned int statebit;
	132
	133	ct = nf_ct_get((struct sk_buff *)skb, &ctinfo);
	134
	135	#define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
	136
	137	if (ct == &nf_conntrack_untracked)
2e4e6a17	138	statebit = XT_CONNTRACK_STATE_UNTRACKED;
9fb9cbb1	139	else if (ct)
2e4e6a17	140	statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
9fb9cbb1	141	else
2e4e6a17	142	statebit = XT_CONNTRACK_STATE_INVALID;
9fb9cbb1	143
2e4e6a17	144	if(sinfo->flags & XT_CONNTRACK_STATE) {
9fb9cbb1 YK	145	if (ct) {
	146	if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip !=
	147	ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip)
2e4e6a17	148	statebit \|= XT_CONNTRACK_STATE_SNAT;
9fb9cbb1 YK	149
	150	if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip !=
	151	ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip)
2e4e6a17	152	statebit \|= XT_CONNTRACK_STATE_DNAT;
9fb9cbb1 YK	153	}
9fb9cbb1 YK	154
2e4e6a17	155	if (FWINV((statebit & sinfo->statemask) == 0, XT_CONNTRACK_STATE))
9fb9cbb1 YK	156	return 0;
	157	}
	158
2e4e6a17 HW	159	if(sinfo->flags & XT_CONNTRACK_PROTO) {
2e4e6a17 HW	160	if (!ct \|\| FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum != sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, XT_CONNTRACK_PROTO))
9fb9cbb1 YK	161	return 0;
	162	}
	163
2e4e6a17 HW	164	if(sinfo->flags & XT_CONNTRACK_ORIGSRC) {
2e4e6a17 HW	165	if (!ct \|\| FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip&sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip, XT_CONNTRACK_ORIGSRC))
9fb9cbb1 YK	166	return 0;
	167	}
	168
2e4e6a17 HW	169	if(sinfo->flags & XT_CONNTRACK_ORIGDST) {
2e4e6a17 HW	170	if (!ct \|\| FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip&sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip, XT_CONNTRACK_ORIGDST))
9fb9cbb1 YK	171	return 0;
	172	}
	173
2e4e6a17 HW	174	if(sinfo->flags & XT_CONNTRACK_REPLSRC) {
2e4e6a17 HW	175	if (!ct \|\| FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip&sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->tuple[IP_CT_DIR_REPLY].src.ip, XT_CONNTRACK_REPLSRC))
9fb9cbb1 YK	176	return 0;
	177	}
	178
2e4e6a17 HW	179	if(sinfo->flags & XT_CONNTRACK_REPLDST) {
2e4e6a17 HW	180	if (!ct \|\| FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip&sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->tuple[IP_CT_DIR_REPLY].dst.ip, XT_CONNTRACK_REPLDST))
9fb9cbb1 YK	181	return 0;
	182	}
	183
2e4e6a17 HW	184	if(sinfo->flags & XT_CONNTRACK_STATUS) {
2e4e6a17 HW	185	if (!ct \|\| FWINV((ct->status & sinfo->statusmask) == 0, XT_CONNTRACK_STATUS))
9fb9cbb1 YK	186	return 0;
	187	}
	188
2e4e6a17	189	if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
9fb9cbb1 YK	190	unsigned long expires;
	191
	192	if(!ct)
	193	return 0;
	194
	195	expires = timer_pending(&ct->timeout) ? (ct->timeout.expires - jiffies)/HZ : 0;
	196
2e4e6a17	197	if (FWINV(!(expires >= sinfo->expires_min && expires <= sinfo->expires_max), XT_CONNTRACK_EXPIRES))
9fb9cbb1 YK	198	return 0;
	199	}
	200
	201	return 1;
	202	}
	203
	204	#endif /* CONFIG_NF_IP_CONNTRACK */
	205
b9f78f9f PNA	206	static int
	207	checkentry(const char *tablename,
	208	const void *ip,
	209	const struct xt_match *match,
	210	void *matchinfo,
	211	unsigned int matchsize,
	212	unsigned int hook_mask)
	213	{
	214	#if defined(CONFIG_NF_CONNTRACK) \|\| defined(CONFIG_NF_CONNTRACK_MODULE)
	215	if (nf_ct_l3proto_try_module_get(match->family) < 0) {
	216	printk(KERN_WARNING "can't load nf_conntrack support for "
	217	"proto=%d\n", match->family);
	218	return 0;
	219	}
	220	#endif
	221	return 1;
	222	}
	223
	224	static void
	225	destroy(const struct xt_match match, void matchinfo, unsigned int matchsize)
	226	{
	227	#if defined(CONFIG_NF_CONNTRACK) \|\| defined(CONFIG_NF_CONNTRACK_MODULE)
	228	nf_ct_l3proto_module_put(match->family);
	229	#endif
	230	}
	231
2e4e6a17	232	static struct xt_match conntrack_match = {
1da177e4	233	.name = "conntrack",
5d04bff0	234	.match = match,
b9f78f9f PNA	235	.checkentry = checkentry,
b9f78f9f PNA	236	.destroy = destroy,
5d04bff0	237	.matchsize = sizeof(struct xt_conntrack_info),
a45049c5	238	.family = AF_INET,
1da177e4 LT	239	.me = THIS_MODULE,
	240	};
	241
	242	static int __init init(void)
	243	{
2e4e6a17 HW	244	int ret;
2e4e6a17 HW	245	need_conntrack();
a45049c5	246	ret = xt_register_match(&conntrack_match);
2e4e6a17 HW	247
2e4e6a17 HW	248	return ret;
1da177e4 LT	249	}
	250
	251	static void __exit fini(void)
	252	{
a45049c5	253	xt_unregister_match(&conntrack_match);
1da177e4 LT	254	}
	255
	256	module_init(init);
	257	module_exit(fini);