1 /* Kernel module to match connection tracking byte counter.
2 * GPL (C) 2002 Martin Devera (devik@cdi.cz).
4 * 2004-07-20 Harald Welte <laforge@netfilter.org>
5 * - reimplemented to use per-connection accounting counters
6 * - add functionality to match number of packets
7 * - add functionality to match average packet size
8 * - add support to match directions seperately
9 * 2005-10-16 Harald Welte <laforge@netfilter.org>
13 #include <linux/module.h>
14 #include <linux/skbuff.h>
15 #include <net/netfilter/nf_conntrack_compat.h>
16 #include <linux/netfilter/x_tables.h>
17 #include <linux/netfilter/xt_connbytes.h>
19 #include <asm/div64.h>
20 #include <asm/bitops.h>
22 MODULE_LICENSE("GPL");
23 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
24 MODULE_DESCRIPTION("iptables match for matching number of pkts/bytes per connection");
25 MODULE_ALIAS("ipt_connbytes");
27 /* 64bit divisor, dividend and result. dynamic precision */
28 static u_int64_t div64_64(u_int64_t dividend, u_int64_t divisor)
30 u_int32_t d = divisor;
32 if (divisor > 0xffffffffULL) {
33 unsigned int shift = fls(divisor >> 32);
44 match(const struct sk_buff *skb,
45 const struct net_device *in,
46 const struct net_device *out,
47 const struct xt_match *match,
48 const void *matchinfo,
53 const struct xt_connbytes_info *sinfo = matchinfo;
54 u_int64_t what = 0; /* initialize to make gcc happy */
55 const struct ip_conntrack_counter *counters;
57 if (!(counters = nf_ct_get_counters(skb)))
58 return 0; /* no match */
60 switch (sinfo->what) {
61 case XT_CONNBYTES_PKTS:
62 switch (sinfo->direction) {
63 case XT_CONNBYTES_DIR_ORIGINAL:
64 what = counters[IP_CT_DIR_ORIGINAL].packets;
66 case XT_CONNBYTES_DIR_REPLY:
67 what = counters[IP_CT_DIR_REPLY].packets;
69 case XT_CONNBYTES_DIR_BOTH:
70 what = counters[IP_CT_DIR_ORIGINAL].packets;
71 what += counters[IP_CT_DIR_REPLY].packets;
75 case XT_CONNBYTES_BYTES:
76 switch (sinfo->direction) {
77 case XT_CONNBYTES_DIR_ORIGINAL:
78 what = counters[IP_CT_DIR_ORIGINAL].bytes;
80 case XT_CONNBYTES_DIR_REPLY:
81 what = counters[IP_CT_DIR_REPLY].bytes;
83 case XT_CONNBYTES_DIR_BOTH:
84 what = counters[IP_CT_DIR_ORIGINAL].bytes;
85 what += counters[IP_CT_DIR_REPLY].bytes;
89 case XT_CONNBYTES_AVGPKT:
90 switch (sinfo->direction) {
91 case XT_CONNBYTES_DIR_ORIGINAL:
92 what = div64_64(counters[IP_CT_DIR_ORIGINAL].bytes,
93 counters[IP_CT_DIR_ORIGINAL].packets);
95 case XT_CONNBYTES_DIR_REPLY:
96 what = div64_64(counters[IP_CT_DIR_REPLY].bytes,
97 counters[IP_CT_DIR_REPLY].packets);
99 case XT_CONNBYTES_DIR_BOTH:
103 bytes = counters[IP_CT_DIR_ORIGINAL].bytes +
104 counters[IP_CT_DIR_REPLY].bytes;
105 pkts = counters[IP_CT_DIR_ORIGINAL].packets+
106 counters[IP_CT_DIR_REPLY].packets;
108 /* FIXME_THEORETICAL: what to do if sum
111 what = div64_64(bytes, pkts);
119 return (what <= sinfo->count.to && what >= sinfo->count.from);
121 return (what >= sinfo->count.from);
124 static int check(const char *tablename,
126 const struct xt_match *match,
128 unsigned int hook_mask)
130 const struct xt_connbytes_info *sinfo = matchinfo;
132 if (sinfo->what != XT_CONNBYTES_PKTS &&
133 sinfo->what != XT_CONNBYTES_BYTES &&
134 sinfo->what != XT_CONNBYTES_AVGPKT)
137 if (sinfo->direction != XT_CONNBYTES_DIR_ORIGINAL &&
138 sinfo->direction != XT_CONNBYTES_DIR_REPLY &&
139 sinfo->direction != XT_CONNBYTES_DIR_BOTH)
145 static struct xt_match xt_connbytes_match[] = {
151 .matchsize = sizeof(struct xt_connbytes_info),
159 .matchsize = sizeof(struct xt_connbytes_info),
164 static int __init xt_connbytes_init(void)
166 return xt_register_matches(xt_connbytes_match,
167 ARRAY_SIZE(xt_connbytes_match));
170 static void __exit xt_connbytes_fini(void)
172 xt_unregister_matches(xt_connbytes_match,
173 ARRAY_SIZE(xt_connbytes_match));
176 module_init(xt_connbytes_init);
177 module_exit(xt_connbytes_fini);