1 /* Kernel module to match connection tracking byte counter.
2 * GPL (C) 2002 Martin Devera (devik@cdi.cz).
4 #include <linux/module.h>
5 #include <linux/bitops.h>
6 #include <linux/skbuff.h>
7 #include <linux/math64.h>
8 #include <linux/netfilter/x_tables.h>
9 #include <linux/netfilter/xt_connbytes.h>
10 #include <net/netfilter/nf_conntrack.h>
11 #include <net/netfilter/nf_conntrack_acct.h>
13 MODULE_LICENSE("GPL");
14 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
15 MODULE_DESCRIPTION("Xtables: Number of packets/bytes per connection matching");
16 MODULE_ALIAS("ipt_connbytes");
17 MODULE_ALIAS("ip6t_connbytes");
20 connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par)
22 const struct xt_connbytes_info *sinfo = par->matchinfo;
23 const struct nf_conn *ct;
24 enum ip_conntrack_info ctinfo;
25 u_int64_t what = 0; /* initialize to make gcc happy */
28 const struct nf_conn_counter *counters;
30 ct = nf_ct_get(skb, &ctinfo);
34 counters = nf_conn_acct_find(ct);
38 switch (sinfo->what) {
39 case XT_CONNBYTES_PKTS:
40 switch (sinfo->direction) {
41 case XT_CONNBYTES_DIR_ORIGINAL:
42 what = counters[IP_CT_DIR_ORIGINAL].packets;
44 case XT_CONNBYTES_DIR_REPLY:
45 what = counters[IP_CT_DIR_REPLY].packets;
47 case XT_CONNBYTES_DIR_BOTH:
48 what = counters[IP_CT_DIR_ORIGINAL].packets;
49 what += counters[IP_CT_DIR_REPLY].packets;
53 case XT_CONNBYTES_BYTES:
54 switch (sinfo->direction) {
55 case XT_CONNBYTES_DIR_ORIGINAL:
56 what = counters[IP_CT_DIR_ORIGINAL].bytes;
58 case XT_CONNBYTES_DIR_REPLY:
59 what = counters[IP_CT_DIR_REPLY].bytes;
61 case XT_CONNBYTES_DIR_BOTH:
62 what = counters[IP_CT_DIR_ORIGINAL].bytes;
63 what += counters[IP_CT_DIR_REPLY].bytes;
67 case XT_CONNBYTES_AVGPKT:
68 switch (sinfo->direction) {
69 case XT_CONNBYTES_DIR_ORIGINAL:
70 bytes = counters[IP_CT_DIR_ORIGINAL].bytes;
71 pkts = counters[IP_CT_DIR_ORIGINAL].packets;
73 case XT_CONNBYTES_DIR_REPLY:
74 bytes = counters[IP_CT_DIR_REPLY].bytes;
75 pkts = counters[IP_CT_DIR_REPLY].packets;
77 case XT_CONNBYTES_DIR_BOTH:
78 bytes = counters[IP_CT_DIR_ORIGINAL].bytes +
79 counters[IP_CT_DIR_REPLY].bytes;
80 pkts = counters[IP_CT_DIR_ORIGINAL].packets +
81 counters[IP_CT_DIR_REPLY].packets;
85 what = div64_u64(bytes, pkts);
90 return what <= sinfo->count.to && what >= sinfo->count.from;
92 return what >= sinfo->count.from;
96 connbytes_mt_check(const char *tablename, const void *ip,
97 const struct xt_match *match, void *matchinfo,
98 unsigned int hook_mask)
100 const struct xt_connbytes_info *sinfo = matchinfo;
102 if (sinfo->what != XT_CONNBYTES_PKTS &&
103 sinfo->what != XT_CONNBYTES_BYTES &&
104 sinfo->what != XT_CONNBYTES_AVGPKT)
107 if (sinfo->direction != XT_CONNBYTES_DIR_ORIGINAL &&
108 sinfo->direction != XT_CONNBYTES_DIR_REPLY &&
109 sinfo->direction != XT_CONNBYTES_DIR_BOTH)
112 if (nf_ct_l3proto_try_module_get(match->family) < 0) {
113 printk(KERN_WARNING "can't load conntrack support for "
114 "proto=%u\n", match->family);
122 connbytes_mt_destroy(const struct xt_match *match, void *matchinfo)
124 nf_ct_l3proto_module_put(match->family);
127 static struct xt_match connbytes_mt_reg[] __read_mostly = {
130 .family = NFPROTO_IPV4,
131 .checkentry = connbytes_mt_check,
132 .match = connbytes_mt,
133 .destroy = connbytes_mt_destroy,
134 .matchsize = sizeof(struct xt_connbytes_info),
139 .family = NFPROTO_IPV6,
140 .checkentry = connbytes_mt_check,
141 .match = connbytes_mt,
142 .destroy = connbytes_mt_destroy,
143 .matchsize = sizeof(struct xt_connbytes_info),
148 static int __init connbytes_mt_init(void)
150 return xt_register_matches(connbytes_mt_reg,
151 ARRAY_SIZE(connbytes_mt_reg));
154 static void __exit connbytes_mt_exit(void)
156 xt_unregister_matches(connbytes_mt_reg, ARRAY_SIZE(connbytes_mt_reg));
159 module_init(connbytes_mt_init);
160 module_exit(connbytes_mt_exit);
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob