| 1 | --- a/Documentation/Configure.help |
| 2 | +++ b/Documentation/Configure.help |
| 3 | @@ -2888,6 +2888,13 @@ CONFIG_IP_NF_MATCH_LIMIT |
| 4 | If you want to compile it as a module, say M here and read |
| 5 | <file:Documentation/modules.txt>. If unsure, say `N'. |
| 6 | |
| 7 | +quota match support |
| 8 | +CONFIG_IP_NF_MATCH_QUOTA |
| 9 | + This match implements network quotas. |
| 10 | + |
| 11 | + If you want to compile it as a module, say M here and read |
| 12 | + Documentation/modules.txt. If unsure, say `N'. |
| 13 | + |
| 14 | skb->pkt_type packet match support |
| 15 | CONFIG_IP_NF_MATCH_PKTTYPE |
| 16 | This patch allows you to match packet in accrodance |
| 17 | --- /dev/null |
| 18 | +++ b/include/linux/netfilter_ipv4/ipt_quota.h |
| 19 | @@ -0,0 +1,12 @@ |
| 20 | +#ifndef _IPT_QUOTA_H |
| 21 | +#define _IPT_QUOTA_H |
| 22 | + |
| 23 | +/* print debug info in both kernel/netfilter module & iptable library */ |
| 24 | +//#define DEBUG_IPT_QUOTA |
| 25 | + |
| 26 | +struct ipt_quota_info { |
| 27 | + u_int64_t quota; |
| 28 | + struct ipt_quota_info *master; |
| 29 | +}; |
| 30 | + |
| 31 | +#endif /*_IPT_QUOTA_H*/ |
| 32 | --- a/net/ipv4/netfilter/Config.in |
| 33 | +++ b/net/ipv4/netfilter/Config.in |
| 34 | @@ -22,6 +22,7 @@ tristate 'IP tables support (required fo |
| 35 | if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then |
| 36 | # The simple matches. |
| 37 | dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES |
| 38 | + dep_tristate ' quota match support' CONFIG_IP_NF_MATCH_QUOTA $CONFIG_IP_NF_IPTABLES |
| 39 | dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES |
| 40 | dep_tristate ' Packet type match support' CONFIG_IP_NF_MATCH_PKTTYPE $CONFIG_IP_NF_IPTABLES |
| 41 | dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES |
| 42 | --- a/net/ipv4/netfilter/Makefile |
| 43 | +++ b/net/ipv4/netfilter/Makefile |
| 44 | @@ -65,6 +65,7 @@ obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o |
| 45 | # matches |
| 46 | obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o |
| 47 | obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o |
| 48 | +obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o |
| 49 | obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o |
| 50 | obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o |
| 51 | obj-$(CONFIG_IP_NF_MATCH_IPP2P) += ipt_ipp2p.o |
| 52 | --- /dev/null |
| 53 | +++ b/net/ipv4/netfilter/ipt_quota.c |
| 54 | @@ -0,0 +1,88 @@ |
| 55 | +/* |
| 56 | + * netfilter module to enforce network quotas |
| 57 | + * |
| 58 | + * Sam Johnston <samj@samj.net> |
| 59 | + * |
| 60 | + * 30/01/05: Fixed on SMP --Pablo Neira <pablo@eurodev.net> |
| 61 | + */ |
| 62 | +#include <linux/module.h> |
| 63 | +#include <linux/skbuff.h> |
| 64 | +#include <linux/spinlock.h> |
| 65 | +#include <linux/interrupt.h> |
| 66 | + |
| 67 | +#include <linux/netfilter_ipv4/ip_tables.h> |
| 68 | +#include <linux/netfilter_ipv4/ipt_quota.h> |
| 69 | + |
| 70 | +MODULE_LICENSE("GPL"); |
| 71 | + |
| 72 | +static spinlock_t quota_lock = SPIN_LOCK_UNLOCKED; |
| 73 | + |
| 74 | +static int |
| 75 | +match(const struct sk_buff *skb, |
| 76 | + const struct net_device *in, |
| 77 | + const struct net_device *out, |
| 78 | + const void *matchinfo, |
| 79 | + int offset, const void *hdr, u_int16_t datalen, int *hotdrop) |
| 80 | +{ |
| 81 | + struct ipt_quota_info *q = |
| 82 | + ((struct ipt_quota_info *) matchinfo)->master; |
| 83 | + |
| 84 | + spin_lock_bh("a_lock); |
| 85 | + |
| 86 | + if (q->quota >= datalen) { |
| 87 | + /* we can afford this one */ |
| 88 | + q->quota -= datalen; |
| 89 | + spin_unlock_bh("a_lock); |
| 90 | + |
| 91 | +#ifdef DEBUG_IPT_QUOTA |
| 92 | + printk("IPT Quota OK: %llu datlen %d \n", q->quota, datalen); |
| 93 | +#endif |
| 94 | + return 1; |
| 95 | + } |
| 96 | + |
| 97 | + /* so we do not allow even small packets from now on */ |
| 98 | + q->quota = 0; |
| 99 | + |
| 100 | +#ifdef DEBUG_IPT_QUOTA |
| 101 | + printk("IPT Quota Failed: %llu datlen %d \n", q->quota, datalen); |
| 102 | +#endif |
| 103 | + |
| 104 | + spin_unlock_bh("a_lock); |
| 105 | + return 0; |
| 106 | +} |
| 107 | + |
| 108 | +static int |
| 109 | +checkentry(const char *tablename, |
| 110 | + const struct ipt_ip *ip, |
| 111 | + void *matchinfo, unsigned int matchsize, unsigned int hook_mask) |
| 112 | +{ |
| 113 | + /* TODO: spinlocks? sanity checks? */ |
| 114 | + struct ipt_quota_info *q = (struct ipt_quota_info *) matchinfo; |
| 115 | + |
| 116 | + if (matchsize != IPT_ALIGN(sizeof (struct ipt_quota_info))) |
| 117 | + return 0; |
| 118 | + |
| 119 | + /* For SMP, we only want to use one set of counters. */ |
| 120 | + q->master = q; |
| 121 | + |
| 122 | + return 1; |
| 123 | +} |
| 124 | + |
| 125 | +static struct ipt_match quota_match |
| 126 | + = { {NULL, NULL}, "quota", &match, &checkentry, NULL, THIS_MODULE }; |
| 127 | + |
| 128 | +static int __init |
| 129 | +init(void) |
| 130 | +{ |
| 131 | + return ipt_register_match("a_match); |
| 132 | +} |
| 133 | + |
| 134 | +static void __exit |
| 135 | +fini(void) |
| 136 | +{ |
| 137 | + ipt_unregister_match("a_match); |
| 138 | +} |
| 139 | + |
| 140 | +module_init(init); |
| 141 | +module_exit(fini); |
| 142 | + |
| 143 | |
