1 /***************************************************************************
2 * This is a module which is used for counting packets. *
3 * See http://www.intra2net.com/opensource/ipt_account *
4 * for further information *
6 * Copyright (C) 2004 by Intra2net AG *
7 * opensource@intra2net.com *
9 * This program is free software; you can redistribute it and/or modify *
10 * it under the terms of the GNU General Public License *
11 * version 2 as published by the Free Software Foundation; *
13 ***************************************************************************/
15 #include <linux/module.h>
16 #include <linux/skbuff.h>
18 #include <linux/spinlock.h>
22 #include <linux/netfilter_ipv4/ip_tables.h>
25 #include <net/route.h>
26 #include <linux/netfilter_ipv4/ipt_ACCOUNT.h>
31 #define DEBUGP(format, args...)
34 struct ipt_account_table *ipt_account_tables = NULL;
35 struct ipt_account_handle *ipt_account_handles = NULL;
36 void *ipt_account_tmpbuf = NULL;
38 // Spinlock used for manipulating the current accounting tables/data
39 static spinlock_t ipt_account_lock = SPIN_LOCK_UNLOCKED;
40 // Spinlock used for manipulating userspace handles/snapshot data
41 static spinlock_t ipt_account_userspace_lock = SPIN_LOCK_UNLOCKED;
44 /* Recursive free of all data structures */
45 void ipt_account_data_free(void *data, unsigned char depth)
51 // Free for 8 bit network
54 free_page((unsigned long)data);
59 // Free for 16 bit network
62 struct ipt_account_mask_16 *mask_16 = (struct ipt_account_mask_16 *)data;
64 for (b=0; b <= 255; b++)
66 if (mask_16->mask_24[b] != 0)
68 free_page((unsigned long)mask_16->mask_24[b]);
69 mask_16->mask_24[b] = NULL;
72 free_page((unsigned long)data);
77 // Free for 24 bit network
81 for (a=0; a <= 255; a++)
83 if (((struct ipt_account_mask_8 *)data)->mask_16[a])
85 struct ipt_account_mask_16 *mask_16 = (struct ipt_account_mask_16*)((struct ipt_account_mask_8 *)data)->mask_16[a];
86 for (b=0; b <= 255; b++)
88 if (mask_16->mask_24[b]) {
89 free_page((unsigned long)mask_16->mask_24[b]);
90 mask_16->mask_24[b] = NULL;
93 free_page((unsigned long)mask_16);
97 free_page((unsigned long)data);
102 printk("ACCOUNT: ipt_account_data_free called with unknown depth: %d\n", depth);
106 /* Look for existing table / insert new one. Return internal ID or -1 on error */
107 int ipt_account_table_insert(char *name, unsigned int ip, unsigned int netmask)
111 DEBUGP("ACCOUNT: ipt_account_table_insert: %s, %u.%u.%u.%u/%u.%u.%u.%u\n", name, NIPQUAD(ip), NIPQUAD(netmask));
113 // Look for existing table
114 for (i = 0; i < ACCOUNT_MAX_TABLES; i++)
116 if (strncmp(ipt_account_tables[i].name, name, ACCOUNT_TABLE_NAME_LEN) == 0)
118 DEBUGP("ACCOUNT: Found existing slot: %d - %u.%u.%u.%u/%u.%u.%u.%u\n", i,
119 NIPQUAD(ipt_account_tables[i].ip), NIPQUAD(ipt_account_tables[i].netmask));
121 if (ipt_account_tables[i].ip != ip || ipt_account_tables[i].netmask != netmask)
123 printk("ACCOUNT: Table %s found, but IP/netmask mismatch. IP/netmask found: %u.%u.%u.%u/%u.%u.%u.%u\n",
124 name, NIPQUAD(ipt_account_tables[i].ip), NIPQUAD(ipt_account_tables[i].netmask));
128 ipt_account_tables[i].refcount++;
129 DEBUGP("ACCOUNT: Refcount: %d\n", ipt_account_tables[i].refcount);
135 for (i = 0; i < ACCOUNT_MAX_TABLES; i++)
138 if (ipt_account_tables[i].name[0] == 0)
140 DEBUGP("ACCOUNT: Found free slot: %d\n", i);
142 strncpy (ipt_account_tables[i].name, name, ACCOUNT_TABLE_NAME_LEN-1);
144 ipt_account_tables[i].ip = ip;
145 ipt_account_tables[i].netmask = netmask;
148 unsigned int j, calc_mask, netsize=0;
149 calc_mask = htonl(netmask);
150 for (j = 31; j > 0; j--)
152 if (calc_mask&(1<<j))
158 // Calculate depth from netsize
160 ipt_account_tables[i].depth = 0;
161 else if (netsize >= 16)
162 ipt_account_tables[i].depth = 1;
163 else if(netsize >= 8)
164 ipt_account_tables[i].depth = 2;
166 printk("ACCOUNT: calculated netsize: %u -> ipt_account_table depth %u\n", netsize, ipt_account_tables[i].depth);
168 ipt_account_tables[i].refcount++;
169 if ((ipt_account_tables[i].data = (void *)get_zeroed_page(GFP_KERNEL)) == NULL)
171 printk("ACCOUNT: out of memory for data of table: %s\n", name);
172 memset(&ipt_account_tables[i], 0, sizeof(struct ipt_account_table));
180 // No free slot found
181 printk("ACCOUNT: No free table slot found (max: %d). Please increase ACCOUNT_MAX_TABLES.\n", ACCOUNT_MAX_TABLES);
185 static int ipt_account_checkentry(const char *tablename,
186 const struct ipt_entry *e,
188 unsigned int targinfosize,
189 unsigned int hook_mask)
191 struct ipt_account_info *info = targinfo;
193 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_account_info))) {
194 DEBUGP("ACCOUNT: targinfosize %u != %u\n",
195 targinfosize, IPT_ALIGN(sizeof(struct ipt_account_info)));
199 spin_lock_bh(&ipt_account_lock);
200 int table_nr = ipt_account_table_insert(info->table_name, info->net_ip, info->net_mask);
203 printk("ACCOUNT: Table insert problem. Aborting\n");
204 spin_unlock_bh(&ipt_account_lock);
207 // Table nr caching so we don't have to do an extra string compare for every packet
208 info->table_nr = table_nr;
210 spin_unlock_bh(&ipt_account_lock);
215 void ipt_account_deleteentry(void *targinfo, unsigned int targinfosize)
218 struct ipt_account_info *info = targinfo;
220 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_account_info))) {
221 DEBUGP("ACCOUNT: targinfosize %u != %u\n",
222 targinfosize, IPT_ALIGN(sizeof(struct ipt_account_info)));
225 spin_lock_bh(&ipt_account_lock);
227 DEBUGP("ACCOUNT: ipt_account_deleteentry called for table: %s (#%d)\n", info->table_name, info->table_nr);
229 info->table_nr = -1; // Set back to original state
232 for (i = 0; i < ACCOUNT_MAX_TABLES; i++)
234 if (strncmp(ipt_account_tables[i].name, info->table_name, ACCOUNT_TABLE_NAME_LEN) == 0)
236 DEBUGP("ACCOUNT: Found table at slot: %d\n", i);
238 ipt_account_tables[i].refcount--;
239 DEBUGP("ACCOUNT: Refcount left: %d\n", ipt_account_tables[i].refcount);
241 // Table not needed anymore?
242 if (ipt_account_tables[i].refcount == 0)
244 DEBUGP("ACCOUNT: Destroying table at slot: %d\n", i);
245 ipt_account_data_free(ipt_account_tables[i].data, ipt_account_tables[i].depth);
246 memset(&ipt_account_tables[i], 0, sizeof(struct ipt_account_table));
249 spin_unlock_bh(&ipt_account_lock);
255 printk("ACCOUNT: Table %s not found for destroy\n", info->table_name);
256 spin_unlock_bh(&ipt_account_lock);
259 void ipt_account_depth0_insert(struct ipt_account_mask_24 *mask_24, unsigned int net_ip, unsigned int netmask,
260 unsigned int src_ip, unsigned int dst_ip, unsigned int size, unsigned int *itemcount)
262 unsigned char is_src = 0, is_dst = 0;
264 DEBUGP("ACCOUNT: ipt_account_depth0_insert: %u.%u.%u.%u/%u.%u.%u.%u for net %u.%u.%u.%u/%u.%u.%u.%u, size: %u\n",
265 NIPQUAD(src_ip), NIPQUAD(dst_ip), NIPQUAD(net_ip), NIPQUAD(netmask), size);
267 // Check if src/dst is inside our network.
268 // Special: net_ip = 0.0.0.0/0 gets stored as src in slot 0
271 if ((net_ip&netmask) == (src_ip&netmask))
273 if ((net_ip&netmask) == (dst_ip&netmask) && netmask)
276 if (!is_src && !is_dst)
278 DEBUGP("ACCOUNT: Skipping packet %u.%u.%u.%u/%u.%u.%u.%u for net %u.%u.%u.%u/%u.%u.%u.%u\n",
279 NIPQUAD(src_ip), NIPQUAD(dst_ip), NIPQUAD(net_ip), NIPQUAD(netmask));
283 // Check if this entry is new
284 char is_src_new_ip = 0, is_dst_new_ip = 0;
286 // Calculate array positions
287 unsigned char src_slot = (unsigned char)((src_ip&0xFF000000) >> 24);
288 unsigned char dst_slot = (unsigned char)((dst_ip&0xFF000000) >> 24);
290 // Increase size counters
293 // Calculate network slot
294 DEBUGP("ACCOUNT: Calculated SRC 8 bit network slot: %d\n", src_slot);
295 if (!mask_24->ip[src_slot].src_packets && !mask_24->ip[src_slot].dst_packets)
298 mask_24->ip[src_slot].src_packets++;
299 mask_24->ip[src_slot].src_bytes+=size;
303 DEBUGP("ACCOUNT: Calculated DST 8 bit network slot: %d\n", dst_slot);
304 if (!mask_24->ip[dst_slot].src_packets && !mask_24->ip[dst_slot].dst_packets)
307 mask_24->ip[dst_slot].dst_packets++;
308 mask_24->ip[dst_slot].dst_bytes+=size;
311 // Increase itemcounter
312 DEBUGP("ACCOUNT: Itemcounter before: %d\n", *itemcount);
313 if (src_slot == dst_slot)
315 if (is_src_new_ip || is_dst_new_ip) {
316 DEBUGP("ACCOUNT: src_slot == dst_slot: %d, %d\n", is_src_new_ip, is_dst_new_ip);
321 DEBUGP("ACCOUNT: New src_ip: %u.%u.%u.%u\n", NIPQUAD(src_ip));
325 DEBUGP("ACCOUNT: New dst_ip: %u.%u.%u.%u\n", NIPQUAD(dst_ip));
329 DEBUGP("ACCOUNT: Itemcounter after: %d\n", *itemcount);
332 void ipt_account_depth1_insert(struct ipt_account_mask_16 *mask_16, unsigned int net_ip, unsigned int netmask,
333 unsigned int src_ip, unsigned int dst_ip, unsigned int size, unsigned int *itemcount)
335 // Do we need to process src IP?
336 if ((net_ip&netmask) == (src_ip&netmask))
338 unsigned char slot = (unsigned char)((src_ip&0x00FF0000) >> 16);
339 DEBUGP("ACCOUNT: Calculated SRC 16 bit network slot: %d\n", slot);
341 // Do we need to create a new mask_24 bucket?
342 if (!mask_16->mask_24[slot] && (mask_16->mask_24[slot] = (void *)get_zeroed_page(GFP_KERNEL)) == NULL)
344 printk("ACCOUNT: Can't process packet because out of memory!\n");
348 ipt_account_depth0_insert((struct ipt_account_mask_24 *)mask_16->mask_24[slot], net_ip, netmask,
349 src_ip, 0, size, itemcount);
352 // Do we need to process dst IP?
353 if ((net_ip&netmask) == (dst_ip&netmask))
355 unsigned char slot = (unsigned char)((dst_ip&0x00FF0000) >> 16);
356 DEBUGP("ACCOUNT: Calculated DST 16 bit network slot: %d\n", slot);
358 // Do we need to create a new mask_24 bucket?
359 if (!mask_16->mask_24[slot] && (mask_16->mask_24[slot] = (void *)get_zeroed_page(GFP_KERNEL)) == NULL)
361 printk("ACCOUT: Can't process packet because out of memory!\n");
365 ipt_account_depth0_insert((struct ipt_account_mask_24 *)mask_16->mask_24[slot], net_ip, netmask,
366 0, dst_ip, size, itemcount);
370 void ipt_account_depth2_insert(struct ipt_account_mask_8 *mask_8, unsigned int net_ip, unsigned int netmask,
371 unsigned int src_ip, unsigned int dst_ip, unsigned int size, unsigned int *itemcount)
373 // Do we need to process src IP?
374 if ((net_ip&netmask) == (src_ip&netmask))
376 unsigned char slot = (unsigned char)((src_ip&0x0000FF00) >> 8);
377 DEBUGP("ACCOUNT: Calculated SRC 24 bit network slot: %d\n", slot);
379 // Do we need to create a new mask_24 bucket?
380 if (!mask_8->mask_16[slot] && (mask_8->mask_16[slot] = (void *)get_zeroed_page(GFP_KERNEL)) == NULL)
382 printk("ACCOUNT: Can't process packet because out of memory!\n");
386 ipt_account_depth1_insert((struct ipt_account_mask_16 *)mask_8->mask_16[slot], net_ip, netmask,
387 src_ip, 0, size, itemcount);
390 // Do we need to process dst IP?
391 if ((net_ip&netmask) == (dst_ip&netmask))
393 unsigned char slot = (unsigned char)((dst_ip&0x0000FF00) >> 8);
394 DEBUGP("ACCOUNT: Calculated DST 24 bit network slot: %d\n", slot);
396 // Do we need to create a new mask_24 bucket?
397 if (!mask_8->mask_16[slot] && (mask_8->mask_16[slot] = (void *)get_zeroed_page(GFP_KERNEL)) == NULL)
399 printk("ACCOUNT: Can't process packet because out of memory!\n");
403 ipt_account_depth1_insert((struct ipt_account_mask_16 *)mask_8->mask_16[slot], net_ip, netmask,
404 0, dst_ip, size, itemcount);
408 static unsigned int ipt_account_target(struct sk_buff **pskb,
409 unsigned int hooknum,
410 const struct net_device *in,
411 const struct net_device *out,
412 const void *targinfo,
415 const struct ipt_account_info *info = (const struct ipt_account_info *)targinfo;
416 unsigned int src_ip = (*pskb)->nh.iph->saddr;
417 unsigned int dst_ip = (*pskb)->nh.iph->daddr;
418 unsigned int size = ntohs((*pskb)->nh.iph->tot_len);
420 spin_lock_bh(&ipt_account_lock);
422 if (ipt_account_tables[info->table_nr].name[0] == 0)
424 printk("ACCOUNT: ipt_account_target: Invalid table id %u. IPs %u.%u.%u.%u/%u.%u.%u.%u\n",
425 info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
426 spin_unlock_bh(&ipt_account_lock);
430 // 8 bit network or "any" network
431 if (ipt_account_tables[info->table_nr].depth == 0)
433 // Count packet and check if the IP is new
434 ipt_account_depth0_insert((struct ipt_account_mask_24 *)ipt_account_tables[info->table_nr].data,
435 ipt_account_tables[info->table_nr].ip, ipt_account_tables[info->table_nr].netmask,
436 src_ip, dst_ip, size, &ipt_account_tables[info->table_nr].itemcount);
437 spin_unlock_bh(&ipt_account_lock);
442 if (ipt_account_tables[info->table_nr].depth == 1)
444 ipt_account_depth1_insert((struct ipt_account_mask_16 *)ipt_account_tables[info->table_nr].data,
445 ipt_account_tables[info->table_nr].ip, ipt_account_tables[info->table_nr].netmask,
446 src_ip, dst_ip, size, &ipt_account_tables[info->table_nr].itemcount);
447 spin_unlock_bh(&ipt_account_lock);
452 if (ipt_account_tables[info->table_nr].depth == 2)
454 ipt_account_depth2_insert((struct ipt_account_mask_8 *)ipt_account_tables[info->table_nr].data,
455 ipt_account_tables[info->table_nr].ip, ipt_account_tables[info->table_nr].netmask,
456 src_ip, dst_ip, size, &ipt_account_tables[info->table_nr].itemcount);
457 spin_unlock_bh(&ipt_account_lock);
461 printk("ACCOUNT: ipt_account_target: Unable to process packet. Table id %u. IPs %u.%u.%u.%u/%u.%u.%u.%u\n",
462 info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
464 spin_unlock_bh(&ipt_account_lock);
469 Functions dealing with "handles":
470 Handles are snapshots of a accounting state.
472 read snapshots are only for debugging the code
473 and are very expensive concerning speed/memory
474 compared to read_and_flush.
476 The functions aren't protected by spinlocks themselves
477 as this is done in the ioctl part of the code.
481 Find a free handle slot. Normally only one should be used,
482 but there could be two or more applications accessing the data
485 int ipt_account_handle_find_slot(void)
489 for (i = 0; i < ACCOUNT_MAX_HANDLES; i++)
492 if (ipt_account_handles[i].data == NULL)
494 // Don't "mark" data as used as we are protected by a spinlock by the calling function.
495 // handle_find_slot() is only a function to prevent code duplication.
500 // No free slot found
501 printk("ACCOUNT: No free handle slot found (max: %u). Please increase ACCOUNT_MAX_HANDLES.\n", ACCOUNT_MAX_HANDLES);
505 int ipt_account_handle_free(unsigned int handle)
507 if (handle >= ACCOUNT_MAX_HANDLES)
509 printk("ACCOUNT: Invalid handle for ipt_account_handle_free() specified: %u\n", handle);
513 ipt_account_data_free(ipt_account_handles[handle].data, ipt_account_handles[handle].depth);
514 memset (&ipt_account_handles[handle], 0, sizeof (struct ipt_account_handle));
518 /* Prepare data for read without flush. Use only for debugging!
519 Real applications should use read&flush as it's way more efficent */
520 int ipt_account_handle_prepare_read(char *tablename, unsigned int *count)
522 int handle, i, table_nr=-1;
524 for (i = 0; i < ACCOUNT_MAX_TABLES; i++)
525 if (strncmp(ipt_account_tables[i].name, tablename, ACCOUNT_TABLE_NAME_LEN) == 0)
533 printk("ACCOUNT: ipt_account_handle_prepare_read(): Table %s not found\n", tablename);
537 // Can't find a free handle slot?
538 if ((handle = ipt_account_handle_find_slot()) == -1)
541 // Fill up handle structure
542 ipt_account_handles[handle].ip = ipt_account_tables[table_nr].ip;
543 ipt_account_handles[handle].depth = ipt_account_tables[table_nr].depth;
544 ipt_account_handles[handle].itemcount = ipt_account_tables[table_nr].itemcount;
546 // allocate "root" table
547 if ((ipt_account_handles[handle].data = (void*)get_zeroed_page(GFP_KERNEL)) == NULL)
549 printk("ACCOUNT: out of memory for root table in ipt_account_handle_prepare_read()\n");
550 memset (&ipt_account_handles[handle], 0, sizeof(struct ipt_account_handle));
554 // Recursive copy of complete data structure
555 unsigned int depth = ipt_account_handles[handle].depth;
558 memcpy(ipt_account_handles[handle].data, ipt_account_tables[table_nr].data, sizeof(struct ipt_account_mask_24));
559 } else if (depth == 1) {
560 struct ipt_account_mask_16 *src_16 = (struct ipt_account_mask_16 *)ipt_account_tables[table_nr].data;
561 struct ipt_account_mask_16 *network_16 = (struct ipt_account_mask_16 *)ipt_account_handles[handle].data;
564 for (b = 0; b <= 255; b++)
566 if (src_16->mask_24[b])
568 if ((network_16->mask_24[b] = (void*)get_zeroed_page(GFP_KERNEL)) == NULL)
570 printk("ACCOUNT: out of memory during copy of 16 bit network in ipt_account_handle_prepare_read()\n");
571 ipt_account_data_free(ipt_account_handles[handle].data, depth);
572 memset (&ipt_account_handles[handle], 0, sizeof(struct ipt_account_handle));
576 memcpy(network_16->mask_24[b], src_16->mask_24[b], sizeof(struct ipt_account_mask_24));
579 } else if(depth == 2) {
580 struct ipt_account_mask_8 *src_8 = (struct ipt_account_mask_8 *)ipt_account_tables[table_nr].data;
581 struct ipt_account_mask_8 *network_8 = (struct ipt_account_mask_8 *)ipt_account_handles[handle].data;
584 for (a = 0; a <= 255; a++)
586 if (src_8->mask_16[a])
588 if ((network_8->mask_16[a] = (void*)get_zeroed_page(GFP_KERNEL)) == NULL)
590 printk("ACCOUNT: out of memory during copy of 24 bit network in ipt_account_handle_prepare_read()\n");
591 ipt_account_data_free(ipt_account_handles[handle].data, depth);
592 memset (&ipt_account_handles[handle], 0, sizeof(struct ipt_account_handle));
596 memcpy(network_8->mask_16[a], src_8->mask_16[a], sizeof(struct ipt_account_mask_16));
598 struct ipt_account_mask_16 *src_16 = src_8->mask_16[a];
599 struct ipt_account_mask_16 *network_16 = network_8->mask_16[a];
602 for (b = 0; b <= 255; b++)
604 if (src_16->mask_24[b])
606 if ((network_16->mask_24[b] = (void*)get_zeroed_page(GFP_KERNEL)) == NULL)
608 printk("ACCOUNT: out of memory during copy of 16 bit network in ipt_account_handle_prepare_read()\n");
609 ipt_account_data_free(ipt_account_handles[handle].data, depth);
610 memset (&ipt_account_handles[handle], 0, sizeof(struct ipt_account_handle));
614 memcpy(network_16->mask_24[b], src_16->mask_24[b], sizeof(struct ipt_account_mask_24));
621 *count = ipt_account_tables[table_nr].itemcount;
625 /* Prepare data for read and flush it */
626 int ipt_account_handle_prepare_read_flush(char *tablename, unsigned int *count)
628 int handle, i, table_nr=-1;
630 for (i = 0; i < ACCOUNT_MAX_TABLES; i++)
631 if (strncmp(ipt_account_tables[i].name, tablename, ACCOUNT_TABLE_NAME_LEN) == 0)
639 printk("ACCOUNT: ipt_account_handle_prepare_read_flush(): Table %s not found\n", tablename);
643 // Can't find a free handle slot?
644 if ((handle = ipt_account_handle_find_slot()) == -1)
647 // Fill up handle structure
648 ipt_account_handles[handle].ip = ipt_account_tables[table_nr].ip;
649 ipt_account_handles[handle].depth = ipt_account_tables[table_nr].depth;
650 ipt_account_handles[handle].itemcount = ipt_account_tables[table_nr].itemcount;
651 ipt_account_handles[handle].data = ipt_account_tables[table_nr].data;
652 *count = ipt_account_tables[table_nr].itemcount;
654 // "Flush" table data
655 ipt_account_tables[table_nr].data = (void*)get_zeroed_page(GFP_KERNEL);
656 ipt_account_tables[table_nr].itemcount = 0;
661 /* Copy the actual that into a prepared buffer.
662 We only copy entries != 0 to increase performance.
663 The memory gets freed again in ipt_account_handle_free().
665 int ipt_account_handle_get_data(unsigned int handle, void *buffer)
667 struct ipt_account_handle_ip handle_ip;
668 unsigned int handle_ip_size = sizeof (struct ipt_account_handle_ip);
669 unsigned int i, tmpbuf_pos=0;
671 if (handle >= ACCOUNT_MAX_HANDLES)
673 printk("ACCOUNT: invalid handle for ipt_account_handle_get_data() specified: %u\n", handle);
677 if (ipt_account_handles[handle].data == NULL)
679 printk("ACCOUNT: handle %u is BROKEN: Contains no data\n", handle);
683 unsigned int net_ip = ipt_account_handles[handle].ip;
684 unsigned int depth = ipt_account_handles[handle].depth;
689 struct ipt_account_mask_24 *network = (struct ipt_account_mask_24*)ipt_account_handles[handle].data;
690 for (i = 0; i <= 255; i++)
692 if (network->ip[i].src_packets || network->ip[i].dst_packets)
694 handle_ip.ip = net_ip | (i<<24);
695 handle_ip.src_packets = network->ip[i].src_packets;
696 handle_ip.src_bytes = network->ip[i].src_bytes;
697 handle_ip.dst_packets = network->ip[i].dst_packets;
698 handle_ip.dst_bytes = network->ip[i].dst_bytes;
700 // Temporary buffer full? Flush to userspace
701 if (tmpbuf_pos+handle_ip_size >= PAGE_SIZE)
703 copy_to_user(buffer, ipt_account_tmpbuf, tmpbuf_pos);
706 memcpy(ipt_account_tmpbuf+tmpbuf_pos, &handle_ip, handle_ip_size);
707 tmpbuf_pos += handle_ip_size;
711 // Flush remaining data to userspace
713 copy_to_user(buffer, ipt_account_tmpbuf, tmpbuf_pos);
721 struct ipt_account_mask_16 *network_16 = (struct ipt_account_mask_16*)ipt_account_handles[handle].data;
723 for (b = 0; b <= 255; b++)
725 if (network_16->mask_24[b])
727 struct ipt_account_mask_24 *network = (struct ipt_account_mask_24*)network_16->mask_24[b];
728 for (i = 0; i <= 255; i++)
730 if (network->ip[i].src_packets || network->ip[i].dst_packets)
732 handle_ip.ip = net_ip | (b << 16) | (i<<24);
733 handle_ip.src_packets = network->ip[i].src_packets;
734 handle_ip.src_bytes = network->ip[i].src_bytes;
735 handle_ip.dst_packets = network->ip[i].dst_packets;
736 handle_ip.dst_bytes = network->ip[i].dst_bytes;
738 // Temporary buffer full? Flush to userspace
739 if (tmpbuf_pos+handle_ip_size >= PAGE_SIZE)
741 copy_to_user(buffer, ipt_account_tmpbuf, tmpbuf_pos);
744 memcpy(ipt_account_tmpbuf+tmpbuf_pos, &handle_ip, handle_ip_size);
745 tmpbuf_pos += handle_ip_size;
751 // Flush remaining data to userspace
753 copy_to_user(buffer, ipt_account_tmpbuf, tmpbuf_pos);
761 struct ipt_account_mask_8 *network_8 = (struct ipt_account_mask_8*)ipt_account_handles[handle].data;
763 for (a = 0; a <= 255; a++)
765 if (network_8->mask_16[a])
767 struct ipt_account_mask_16 *network_16 = (struct ipt_account_mask_16*)network_8->mask_16[a];
768 for (b = 0; b <= 255; b++)
770 if (network_16->mask_24[b])
772 struct ipt_account_mask_24 *network = (struct ipt_account_mask_24*)network_16->mask_24[b];
773 for (i = 0; i <= 255; i++)
775 if (network->ip[i].src_packets || network->ip[i].dst_packets)
777 handle_ip.ip = net_ip | (a << 8) | (b << 16) | (i<<24);
778 handle_ip.src_packets = network->ip[i].src_packets;
779 handle_ip.src_bytes = network->ip[i].src_bytes;
780 handle_ip.dst_packets = network->ip[i].dst_packets;
781 handle_ip.dst_bytes = network->ip[i].dst_bytes;
783 // Temporary buffer full? Flush to userspace
784 if (tmpbuf_pos+handle_ip_size >= PAGE_SIZE)
786 copy_to_user(buffer, ipt_account_tmpbuf, tmpbuf_pos);
789 memcpy(ipt_account_tmpbuf+tmpbuf_pos, &handle_ip, handle_ip_size);
790 tmpbuf_pos += handle_ip_size;
798 // Flush remaining data to userspace
800 copy_to_user(buffer, ipt_account_tmpbuf, tmpbuf_pos);
808 static int ipt_account_set_ctl(struct sock *sk, int cmd, void *user, unsigned int len)
810 struct ipt_account_handle_sockopt handle;
813 if (!capable(CAP_NET_ADMIN))
818 case IPT_SO_SET_ACCOUNT_HANDLE_FREE:
819 if (len != sizeof(struct ipt_account_handle_sockopt))
821 printk("ACCOUNT: ipt_account_set_ctl: wrong data size (%u != %u) for IPT_SO_SET_HANDLE_FREE\n", len, sizeof(struct ipt_account_handle_sockopt));
825 if (copy_from_user (&handle, user, len))
827 printk("ACCOUNT: ipt_account_set_ctl: copy_from_user failed for IPT_SO_SET_HANDLE_FREE\n");
831 spin_lock_bh(&ipt_account_userspace_lock);
832 ret = ipt_account_handle_free(handle.handle_nr);
833 spin_unlock_bh(&ipt_account_userspace_lock);
835 case IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL:
838 spin_lock_bh(&ipt_account_userspace_lock);
839 for (i = 0; i < ACCOUNT_MAX_HANDLES; i++)
840 ipt_account_handle_free(i);
841 spin_unlock_bh(&ipt_account_userspace_lock);
846 printk("ACCOUNT: ipt_account_set_ctl: unknown request %i\n", cmd);
852 static int ipt_account_get_ctl(struct sock *sk, int cmd, void *user, int *len)
854 struct ipt_account_handle_sockopt handle;
857 if (!capable(CAP_NET_ADMIN))
862 case IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH:
863 case IPT_SO_GET_ACCOUNT_PREPARE_READ:
864 if (*len < sizeof(struct ipt_account_handle_sockopt))
866 printk("ACCOUNT: ipt_account_get_ctl: wrong data size (%u != %u) for IPT_SO_GET_ACCOUNT_PREPARE_READ/READ_FLUSH\n",
867 *len, sizeof(struct ipt_account_handle_sockopt));
871 if (copy_from_user (&handle, user, sizeof(struct ipt_account_handle_sockopt)))
873 printk("ACCOUNT: ipt_account_get_ctl: copy_from_user failed for IPT_SO_GET_ACCOUNT_PREPARE_READ/READ_FLUSH\n");
877 spin_lock_bh(&ipt_account_lock);
878 spin_lock_bh(&ipt_account_userspace_lock);
879 if (cmd == IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH)
880 handle.handle_nr = ipt_account_handle_prepare_read_flush(handle.name, &handle.itemcount);
882 handle.handle_nr = ipt_account_handle_prepare_read(handle.name, &handle.itemcount);
883 spin_unlock_bh(&ipt_account_userspace_lock);
884 spin_unlock_bh(&ipt_account_lock);
886 if (handle.handle_nr == -1)
888 printk("ACCOUNT: ipt_account_get_ctl: ipt_account_handle_prepare_read failed\n");
892 if (copy_to_user(user, &handle, sizeof(struct ipt_account_handle_sockopt)))
894 printk("ACCOUNT: ipt_account_set_ctl: copy_to_user failed for IPT_SO_GET_ACCOUNT_PREPARE_READ/READ_FLUSH\n");
899 case IPT_SO_GET_ACCOUNT_GET_DATA:
900 if (*len < sizeof(struct ipt_account_handle_sockopt))
902 printk("ACCOUNT: ipt_account_get_ctl: wrong data size (%u != %u) for IPT_SO_GET_ACCOUNT_PREPARE_READ/READ_FLUSH\n",
903 *len, sizeof(struct ipt_account_handle_sockopt));
907 if (copy_from_user (&handle, user, sizeof(struct ipt_account_handle_sockopt)))
909 printk("ACCOUNT: ipt_account_get_ctl: copy_from_user failed for IPT_SO_GET_ACCOUNT_PREPARE_READ/READ_FLUSH\n");
913 if (handle.handle_nr >= ACCOUNT_MAX_HANDLES)
915 printk("ACCOUNT: Invalid handle for IPT_SO_GET_ACCOUNT_GET_DATA: %u\n", handle.handle_nr);
919 if (*len < ipt_account_handles[handle.handle_nr].itemcount*sizeof(struct ipt_account_handle_ip))
921 printk("ACCOUNT: ipt_account_get_ctl: not enough space (%u < %u) to store data from IPT_SO_GET_ACCOUNT_GET_DATA\n",
922 *len, ipt_account_handles[handle.handle_nr].itemcount*sizeof(struct ipt_account_handle_ip));
927 spin_lock_bh(&ipt_account_userspace_lock);
928 ret = ipt_account_handle_get_data(handle.handle_nr, user);
929 spin_unlock_bh(&ipt_account_userspace_lock);
932 printk("ACCOUNT: ipt_account_get_ctl: ipt_account_handle_get_data failed for handle %u\n", handle.handle_nr);
938 case IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE:
940 if (*len < sizeof(struct ipt_account_handle_sockopt))
942 printk("ACCOUNT: ipt_account_get_ctl: wrong data size (%u != %u) for IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE\n",
943 *len, sizeof(struct ipt_account_handle_sockopt));
947 // Find out how many handles are in use
949 handle.itemcount = 0;
950 spin_lock_bh(&ipt_account_userspace_lock);
951 for (i = 0; i < ACCOUNT_MAX_HANDLES; i++)
952 if (ipt_account_handles[i].data)
954 spin_unlock_bh(&ipt_account_userspace_lock);
956 if (copy_to_user(user, &handle, sizeof(struct ipt_account_handle_sockopt)))
958 printk("ACCOUNT: ipt_account_set_ctl: copy_to_user failed for IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE\n");
964 case IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES:
966 spin_lock_bh(&ipt_account_lock);
968 // Determine size of table names
969 unsigned int size = 0, i;
970 for (i = 0; i < ACCOUNT_MAX_TABLES; i++)
972 if (ipt_account_tables[i].name[0] != 0)
973 size += strlen (ipt_account_tables[i].name) + 1;
975 size += 1; // Terminating NULL character
979 spin_unlock_bh(&ipt_account_lock);
980 printk("ACCOUNT: ipt_account_get_ctl: not enough space (%u < %u) to store table names\n", *len, size);
984 // Copy table names to userspace
986 for (i = 0; i < ACCOUNT_MAX_TABLES; i++)
988 if (ipt_account_tables[i].name[0] != 0)
990 int len = strlen (ipt_account_tables[i].name) + 1;
991 copy_to_user(tnames, ipt_account_tables[i].name, len); // copy string + terminating zero
995 // Append terminating zero
997 copy_to_user(tnames, &i, 1);
998 spin_unlock_bh(&ipt_account_lock);
1003 printk("ACCOUNT: ipt_account_get_ctl: unknown request %i\n", cmd);
1009 static struct ipt_target ipt_account_reg
1010 = { { NULL, NULL }, "ACCOUNT", ipt_account_target, ipt_account_checkentry, ipt_account_deleteentry,
1013 static struct nf_sockopt_ops ipt_account_sockopts
1014 = { { NULL, NULL }, PF_INET, IPT_SO_SET_ACCOUNT_HANDLE_FREE, IPT_SO_SET_ACCOUNT_MAX+1, ipt_account_set_ctl,
1015 IPT_SO_GET_ACCOUNT_PREPARE_READ, IPT_SO_GET_ACCOUNT_MAX+1, ipt_account_get_ctl, 0, NULL };
1017 static int __init init(void)
1019 if (PAGE_SIZE < 4096)
1021 printk("ACCOUNT: Sorry we need at least a PAGE_SIZE of 4096. Found: %lu\n", PAGE_SIZE);
1025 if ((ipt_account_tables = kmalloc(ACCOUNT_MAX_TABLES*sizeof(struct ipt_account_table), GFP_KERNEL)) == NULL)
1027 printk("ACCOUNT: Out of memory allocating account_tables structure");
1030 memset(ipt_account_tables, 0, ACCOUNT_MAX_TABLES*sizeof(struct ipt_account_table));
1032 if ((ipt_account_handles = kmalloc(ACCOUNT_MAX_HANDLES*sizeof(struct ipt_account_handle), GFP_KERNEL)) == NULL)
1034 printk("ACCOUNT: Out of memory allocating account_handles structure");
1035 kfree (ipt_account_tables);
1036 ipt_account_tables = NULL;
1039 memset(ipt_account_handles, 0, ACCOUNT_MAX_HANDLES*sizeof(struct ipt_account_handle));
1041 // Allocate one page as temporary storage
1042 if ((ipt_account_tmpbuf = (void*)__get_free_page(GFP_KERNEL)) == NULL)
1044 printk("ACCOUNT: Out of memory for temporary buffer page\n");
1045 kfree(ipt_account_tables);
1046 kfree(ipt_account_handles);
1047 ipt_account_tables = NULL;
1048 ipt_account_handles = NULL;
1052 /* Register setsockopt */
1053 if (nf_register_sockopt(&ipt_account_sockopts) < 0)
1055 printk("ACCOUNT: Can't register sockopts. Aborting\n");
1057 kfree(ipt_account_tables);
1058 kfree(ipt_account_handles);
1059 free_page((unsigned long)ipt_account_tmpbuf);
1060 ipt_account_tables = NULL;
1061 ipt_account_handles = NULL;
1062 ipt_account_tmpbuf = NULL;
1067 if (ipt_register_target(&ipt_account_reg))
1073 static void __exit fini(void)
1075 ipt_unregister_target(&ipt_account_reg);
1077 nf_unregister_sockopt(&ipt_account_sockopts);
1079 kfree(ipt_account_tables);
1080 kfree(ipt_account_handles);
1081 free_page((unsigned long)ipt_account_tmpbuf);
1083 ipt_account_tables = NULL;
1084 ipt_account_handles = NULL;
1085 ipt_account_tmpbuf = NULL;
1090 MODULE_LICENSE("GPL");
git://developer.intra2net.com / ipt_ACCOUNT / blob