tags 310581 + patch thanks hi,
Attached is an updated diff which should apply cleanly against kernel-source-2.4.27. I didn't test whether it compiles, nor its functionality. bye, - michael
diff -ruN kernel-source-2.4.27/Documentation/Configure.help kernel-source-2.4.27-quota/Documentation/Configure.help --- kernel-source-2.4.27/Documentation/Configure.help 2005-05-27 10:59:09.000000000 +0200 +++ kernel-source-2.4.27-quota/Documentation/Configure.help 2005-05-27 10:59:46.000000000 +0200 @@ -2885,6 +2885,13 @@ If you want to compile it as a module, say M here and read <file:Documentation/modules.txt>. If unsure, say `N'. +quota match support +CONFIG_IP_NF_MATCH_QUOTA + This match implements network quotas. + + If you want to compile it as a module, say M here and read + Documentation/modules.txt. If unsure, say `N'. + skb->pkt_type packet match support CONFIG_IP_NF_MATCH_PKTTYPE This patch allows you to match packet in accrodance diff -ruN kernel-source-2.4.27/include/linux/netfilter_ipv4/ipt_quota.h kernel-source-2.4.27-quota/include/linux/netfilter_ipv4/ipt_quota.h --- kernel-source-2.4.27/include/linux/netfilter_ipv4/ipt_quota.h 1970-01-01 01:00:00.000000000 +0100 +++ kernel-source-2.4.27-quota/include/linux/netfilter_ipv4/ipt_quota.h 2005-05-27 10:59:46.000000000 +0200 @@ -0,0 +1,11 @@ +#ifndef _IPT_QUOTA_H +#define _IPT_QUOTA_H + +/* print debug info in both kernel/netfilter module & iptable library */ +//#define DEBUG_IPT_QUOTA + +struct ipt_quota_info { + u_int64_t quota; +}; + +#endif /*_IPT_QUOTA_H*/ diff -ruN kernel-source-2.4.27/net/ipv4/netfilter/Config.in kernel-source-2.4.27-quota/net/ipv4/netfilter/Config.in --- kernel-source-2.4.27/net/ipv4/netfilter/Config.in 2005-05-27 10:59:09.000000000 +0200 +++ kernel-source-2.4.27-quota/net/ipv4/netfilter/Config.in 2005-05-27 10:59:46.000000000 +0200 
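Review bot: The `quota` field of `struct ipt_quota_info` in ipt_quota.h carries no comment, although the header's own comment says it is shared with the iptables library and the value is not a static setting: `match()` in ipt_quota.c subtracts `datalen` from it for every matching packet and sets it to 0 once the budget is exceeded. I would document that on the field, e.g. `u_int64_t quota; /* remaining quota; kernel subtracts datalen per matching packet, 0 = exhausted */`. As shown, the header also uses `u_int64_t` without including anything that declares it, so it relies on the include order of whoever pulls it in.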
@@ -19,6 +19,7 @@ if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then # The simple matches. dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES + dep_tristate ' quota match support' CONFIG_IP_NF_MATCH_QUOTA $CONFIG_IP_NF_IPTABLES dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC $CONFIG_IP_NF_IPTABLES dep_tristate ' Packet type match support' CONFIG_IP_NF_MATCH_PKTTYPE $CONFIG_IP_NF_IPTABLES dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK $CONFIG_IP_NF_IPTABLES diff -ruN kernel-source-2.4.27/net/ipv4/netfilter/Makefile kernel-source-2.4.27-quota/net/ipv4/netfilter/Makefile --- kernel-source-2.4.27/net/ipv4/netfilter/Makefile 2005-05-27 10:59:09.000000000 +0200 +++ kernel-source-2.4.27-quota/net/ipv4/netfilter/Makefile 2005-05-27 10:59:46.000000000 +0200 @@ -65,6 +65,7 @@ # matches obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o +obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o diff -ruN kernel-source-2.4.27/net/ipv4/netfilter/ipt_quota.c kernel-source-2.4.27-quota/net/ipv4/netfilter/ipt_quota.c --- kernel-source-2.4.27/net/ipv4/netfilter/ipt_quota.c 1970-01-01 01:00:00.000000000 +0100 +++ kernel-source-2.4.27-quota/net/ipv4/netfilter/ipt_quota.c 2005-05-27 10:59:46.000000000 +0200 
@@ -0,0 +1,81 @@
+/*
+ * netfilter module to enforce network quotas
+ *
+ * Sam Johnston <[EMAIL PROTECTED]>
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/spinlock.h>
+#include <linux/interrupt.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_quota.h>
+
+MODULE_LICENSE("GPL");
+
+static spinlock_t quota_lock = SPIN_LOCK_UNLOCKED;
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *matchinfo,
+ int offset, const void *hdr, u_int16_t datalen, int *hotdrop)
+{
+
+ struct ipt_quota_info *q = (struct ipt_quota_info *) matchinfo;
+
+ spin_lock_bh("a_lock);
+
+ if (q->quota >= datalen) {
+ /* we can afford this one */
+ q->quota -= datalen;
+ spin_unlock_bh("a_lock);
+
+#ifdef DEBUG_IPT_QUOTA
+ printk("IPT Quota OK: %llu datlen %d \n", q->quota, datalen);
+#endif
+ return 1;
+ }
+
+ /* so we do not allow even small packets from now on */
+ q->quota = 0;
+
+#ifdef DEBUG_IPT_QUOTA
+ printk("IPT Quota Failed: %llu datlen %d \n", q->quota, datalen);
+#endif
+
+ spin_unlock_bh("a_lock);
+ return 0;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ipt_ip *ip,
+ void *matchinfo, unsigned int matchsize, unsigned int hook_mask)
+{
+ /* TODO: spinlocks? sanity checks? */
+ if (matchsize != IPT_ALIGN(sizeof (struct ipt_quota_info)))
+ return 0;
+
+ return 1;
+}
+
+static struct ipt_match quota_match
+ = { {NULL, NULL}, "quota", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init
+init(void)
+{
+ return ipt_register_match("a_match);
+}
+
+static void __exit
+fini(void)
+{
+ ipt_unregister_match("a_match);
+}
+
+module_init(init);
+module_exit(fini);
+
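Review bot: The remaining quota is kept in the rule's own `matchinfo`, which `match()` receives as `const void *` and then writes through after casting the const away; nothing in the file says that this is intended or what it implies. If this kernel keeps one copy of the ruleset per CPU (I believe 2.4 ip_tables does, but that is not visible here), each copy would count down on its own and an SMP host could pass several times the configured amount, so the rule should not be treated as a hard cap until that is confirmed. I would add a comment above the cast such as `/* per-rule counter lives in matchinfo and is updated in place; on SMP each per-CPU rule copy may count separately - confirm */`. Separately, the spellings `spin_lock_bh("a_lock)` and `ipt_register_match("a_match)` look like extraction damage to `&quota_lock` and `&quota_match`, so the patch text as shown here will not build and should be taken from the original attachment.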