1 /* Kernel module to match connection tracking byte counter.
2 * GPL (C) 2002 Martin Devera (devik@cdi.cz).
4 * 2004-07-20 Harald Welte <laforge@netfilter.org>
5 * - reimplemented to use per-connection accounting counters
6 * - add functionality to match number of packets
7 * - add functionality to match average packet size
8 * - add support to match directions seperately
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
13 #include <linux/netfilter_ipv4/ip_conntrack.h>
14 #include <linux/netfilter_ipv4/ip_tables.h>
15 #include <linux/netfilter_ipv4/ipt_connbytes.h>
17 #include <asm/div64.h>
18 #include <asm/bitops.h>
20 MODULE_LICENSE("GPL");
21 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
22 MODULE_DESCRIPTION("iptables match for matching number of pkts/bytes per connection");
24 /* 64bit divisor, dividend and result. dynamic precision */
25 static u_int64_t div64_64(u_int64_t dividend, u_int64_t divisor)
27 u_int32_t d = divisor;
29 if (divisor > 0xffffffffULL) {
30 unsigned int shift = fls(divisor >> 32);
41 match(const struct sk_buff *skb,
42 const struct net_device *in,
43 const struct net_device *out,
44 const void *matchinfo,
48 const struct ipt_connbytes_info *sinfo = matchinfo;
49 enum ip_conntrack_info ctinfo;
50 struct ip_conntrack *ct;
51 u_int64_t what = 0; /* initialize to make gcc happy */
53 if (!(ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)))
54 return 0; /* no match */
56 switch (sinfo->what) {
57 case IPT_CONNBYTES_PKTS:
58 switch (sinfo->direction) {
59 case IPT_CONNBYTES_DIR_ORIGINAL:
60 what = ct->counters[IP_CT_DIR_ORIGINAL].packets;
62 case IPT_CONNBYTES_DIR_REPLY:
63 what = ct->counters[IP_CT_DIR_REPLY].packets;
65 case IPT_CONNBYTES_DIR_BOTH:
66 what = ct->counters[IP_CT_DIR_ORIGINAL].packets;
67 what += ct->counters[IP_CT_DIR_REPLY].packets;
71 case IPT_CONNBYTES_BYTES:
72 switch (sinfo->direction) {
73 case IPT_CONNBYTES_DIR_ORIGINAL:
74 what = ct->counters[IP_CT_DIR_ORIGINAL].bytes;
76 case IPT_CONNBYTES_DIR_REPLY:
77 what = ct->counters[IP_CT_DIR_REPLY].bytes;
79 case IPT_CONNBYTES_DIR_BOTH:
80 what = ct->counters[IP_CT_DIR_ORIGINAL].bytes;
81 what += ct->counters[IP_CT_DIR_REPLY].bytes;
85 case IPT_CONNBYTES_AVGPKT:
86 switch (sinfo->direction) {
87 case IPT_CONNBYTES_DIR_ORIGINAL:
88 what = div64_64(ct->counters[IP_CT_DIR_ORIGINAL].bytes,
89 ct->counters[IP_CT_DIR_ORIGINAL].packets);
91 case IPT_CONNBYTES_DIR_REPLY:
92 what = div64_64(ct->counters[IP_CT_DIR_REPLY].bytes,
93 ct->counters[IP_CT_DIR_REPLY].packets);
95 case IPT_CONNBYTES_DIR_BOTH:
99 bytes = ct->counters[IP_CT_DIR_ORIGINAL].bytes +
100 ct->counters[IP_CT_DIR_REPLY].bytes;
101 pkts = ct->counters[IP_CT_DIR_ORIGINAL].packets+
102 ct->counters[IP_CT_DIR_REPLY].packets;
104 /* FIXME_THEORETICAL: what to do if sum
107 what = div64_64(bytes, pkts);
115 return (what <= sinfo->count.to && what >= sinfo->count.from);
117 return (what >= sinfo->count.from);
120 static int check(const char *tablename,
121 const struct ipt_ip *ip,
123 unsigned int matchsize,
124 unsigned int hook_mask)
126 const struct ipt_connbytes_info *sinfo = matchinfo;
128 if (matchsize != IPT_ALIGN(sizeof(struct ipt_connbytes_info)))
131 if (sinfo->what != IPT_CONNBYTES_PKTS &&
132 sinfo->what != IPT_CONNBYTES_BYTES &&
133 sinfo->what != IPT_CONNBYTES_AVGPKT)
136 if (sinfo->direction != IPT_CONNBYTES_DIR_ORIGINAL &&
137 sinfo->direction != IPT_CONNBYTES_DIR_REPLY &&
138 sinfo->direction != IPT_CONNBYTES_DIR_BOTH)
144 static struct ipt_match state_match = {
147 .checkentry = &check,
151 static int __init init(void)
153 return ipt_register_match(&state_match);
156 static void __exit fini(void)
158 ipt_unregister_match(&state_match);
projects / linux-2.6 / blob