1 /***************************************************************************
2 * This is a module which is used for counting packets. *
3 * See http://www.intra2net.com/opensource/ipt_account *
4 * for further information *
6 * Copyright (C) 2004 by Intra2net AG *
7 * opensource@intra2net.com *
9 * This program is free software; you can redistribute it and/or modify *
10 * it under the terms of the GNU General Public License *
11 * version 2 as published by the Free Software Foundation; *
13 ***************************************************************************/
15 #include <linux/module.h>
16 #include <linux/skbuff.h>
18 #include <linux/spinlock.h>
22 #include <linux/netfilter_ipv4/ip_tables.h>
25 #include <net/route.h>
26 #include <linux/netfilter_ipv4/ipt_ACCOUNT.h>
31 #define DEBUGP(format, args...)
34 #if (PAGE_SIZE < 4096)
35 #error "ipt_ACCOUNT needs at least a PAGE_SIZE of 4096"
38 struct ipt_account_table *ipt_account_tables = NULL;
39 struct ipt_account_handle *ipt_account_handles = NULL;
40 void *ipt_account_tmpbuf = NULL;
42 /* Spinlock used for manipulating the current accounting tables/data */
43 static spinlock_t ipt_account_lock = SPIN_LOCK_UNLOCKED;
44 /* Spinlock used for manipulating userspace handles/snapshot data */
45 static spinlock_t ipt_account_userspace_lock = SPIN_LOCK_UNLOCKED;
48 /* Recursive free of all data structures */
49 void ipt_account_data_free(void *data, unsigned char depth)
55 /* Free for 8 bit network */
57 free_page((unsigned long)data);
62 /* Free for 16 bit network */
64 struct ipt_account_mask_16 *mask_16 = (struct ipt_account_mask_16 *)data;
66 for (b=0; b <= 255; b++) {
67 if (mask_16->mask_24[b] != 0) {
68 free_page((unsigned long)mask_16->mask_24[b]);
69 mask_16->mask_24[b] = NULL;
72 free_page((unsigned long)data);
77 /* Free for 24 bit network */
80 for (a=0; a <= 255; a++) {
81 if (((struct ipt_account_mask_8 *)data)->mask_16[a]) {
82 struct ipt_account_mask_16 *mask_16 = (struct ipt_account_mask_16*)
83 ((struct ipt_account_mask_8 *)data)->mask_16[a];
85 for (b=0; b <= 255; b++) {
86 if (mask_16->mask_24[b]) {
87 free_page((unsigned long)mask_16->mask_24[b]);
88 mask_16->mask_24[b] = NULL;
91 free_page((unsigned long)mask_16);
95 free_page((unsigned long)data);
100 printk("ACCOUNT: ipt_account_data_free called with unknown depth: %d\n",
105 /* Look for existing table / insert new one.
106 Return internal ID or -1 on error */
107 int ipt_account_table_insert(char *name, unsigned int ip, unsigned int netmask)
111 DEBUGP("ACCOUNT: ipt_account_table_insert: %s, %u.%u.%u.%u/%u.%u.%u.%u\n",
112 name, NIPQUAD(ip), NIPQUAD(netmask));
114 /* Look for existing table */
115 for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
116 if (strncmp(ipt_account_tables[i].name, name,
117 ACCOUNT_TABLE_NAME_LEN) == 0) {
118 DEBUGP("ACCOUNT: Found existing slot: %d - "
119 "%u.%u.%u.%u/%u.%u.%u.%u\n", i,
120 NIPQUAD(ipt_account_tables[i].ip),
121 NIPQUAD(ipt_account_tables[i].netmask));
123 if (ipt_account_tables[i].ip != ip
124 || ipt_account_tables[i].netmask != netmask) {
125 printk("ACCOUNT: Table %s found, but IP/netmask mismatch. "
126 "IP/netmask found: %u.%u.%u.%u/%u.%u.%u.%u\n",
127 name, NIPQUAD(ipt_account_tables[i].ip),
128 NIPQUAD(ipt_account_tables[i].netmask));
132 ipt_account_tables[i].refcount++;
133 DEBUGP("ACCOUNT: Refcount: %d\n", ipt_account_tables[i].refcount);
138 /* Insert new table */
139 for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
140 /* Found free slot */
141 if (ipt_account_tables[i].name[0] == 0) {
142 DEBUGP("ACCOUNT: Found free slot: %d\n", i);
144 strncpy (ipt_account_tables[i].name, name, ACCOUNT_TABLE_NAME_LEN-1);
146 ipt_account_tables[i].ip = ip;
147 ipt_account_tables[i].netmask = netmask;
149 /* Calculate netsize */
150 unsigned int j, calc_mask, netsize=0;
151 calc_mask = htonl(netmask);
152 for (j = 31; j > 0; j--) {
153 if (calc_mask&(1<<j))
159 /* Calculate depth from netsize */
161 ipt_account_tables[i].depth = 0;
162 else if (netsize >= 16)
163 ipt_account_tables[i].depth = 1;
164 else if(netsize >= 8)
165 ipt_account_tables[i].depth = 2;
167 DEBUGP("ACCOUNT: calculated netsize: %u -> "
168 "ipt_account_table depth %u\n", netsize,
169 ipt_account_tables[i].depth);
171 ipt_account_tables[i].refcount++;
172 if ((ipt_account_tables[i].data
173 = (void *)get_zeroed_page(GFP_ATOMIC)) == NULL) {
174 printk("ACCOUNT: out of memory for data of table: %s\n", name);
175 memset(&ipt_account_tables[i], 0,
176 sizeof(struct ipt_account_table));
184 /* No free slot found */
185 printk("ACCOUNT: No free table slot found (max: %d). "
186 "Please increase ACCOUNT_MAX_TABLES.\n", ACCOUNT_MAX_TABLES);
190 static int ipt_account_checkentry(const char *tablename,
191 const struct ipt_entry *e,
193 unsigned int targinfosize,
194 unsigned int hook_mask)
196 struct ipt_account_info *info = targinfo;
198 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_account_info))) {
199 DEBUGP("ACCOUNT: targinfosize %u != %u\n",
200 targinfosize, IPT_ALIGN(sizeof(struct ipt_account_info)));
204 spin_lock_bh(&ipt_account_lock);
205 int table_nr = ipt_account_table_insert(info->table_name, info->net_ip,
207 if (table_nr == -1) {
208 printk("ACCOUNT: Table insert problem. Aborting\n");
209 spin_unlock_bh(&ipt_account_lock);
212 /* Table nr caching so we don't have to do an extra string compare
214 info->table_nr = table_nr;
216 spin_unlock_bh(&ipt_account_lock);
221 void ipt_account_deleteentry(void *targinfo, unsigned int targinfosize)
224 struct ipt_account_info *info = targinfo;
226 if (targinfosize != IPT_ALIGN(sizeof(struct ipt_account_info))) {
227 DEBUGP("ACCOUNT: targinfosize %u != %u\n",
228 targinfosize, IPT_ALIGN(sizeof(struct ipt_account_info)));
231 spin_lock_bh(&ipt_account_lock);
233 DEBUGP("ACCOUNT: ipt_account_deleteentry called for table: %s (#%d)\n",
234 info->table_name, info->table_nr);
236 info->table_nr = -1; /* Set back to original state */
239 for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
240 if (strncmp(ipt_account_tables[i].name, info->table_name,
241 ACCOUNT_TABLE_NAME_LEN) == 0) {
242 DEBUGP("ACCOUNT: Found table at slot: %d\n", i);
244 ipt_account_tables[i].refcount--;
245 DEBUGP("ACCOUNT: Refcount left: %d\n",
246 ipt_account_tables[i].refcount);
248 /* Table not needed anymore? */
249 if (ipt_account_tables[i].refcount == 0) {
250 DEBUGP("ACCOUNT: Destroying table at slot: %d\n", i);
251 ipt_account_data_free(ipt_account_tables[i].data,
252 ipt_account_tables[i].depth);
253 memset(&ipt_account_tables[i], 0,
254 sizeof(struct ipt_account_table));
257 spin_unlock_bh(&ipt_account_lock);
262 /* Table not found */
263 printk("ACCOUNT: Table %s not found for destroy\n", info->table_name);
264 spin_unlock_bh(&ipt_account_lock);
267 void ipt_account_depth0_insert(struct ipt_account_mask_24 *mask_24,
268 unsigned int net_ip, unsigned int netmask,
269 unsigned int src_ip, unsigned int dst_ip,
270 unsigned int size, unsigned int *itemcount)
272 unsigned char is_src = 0, is_dst = 0;
274 DEBUGP("ACCOUNT: ipt_account_depth0_insert: %u.%u.%u.%u/%u.%u.%u.%u "
275 "for net %u.%u.%u.%u/%u.%u.%u.%u, size: %u\n", NIPQUAD(src_ip),
276 NIPQUAD(dst_ip), NIPQUAD(net_ip), NIPQUAD(netmask), size);
278 /* Check if src/dst is inside our network. */
279 /* Special: net_ip = 0.0.0.0/0 gets stored as src in slot 0 */
282 if ((net_ip&netmask) == (src_ip&netmask))
284 if ((net_ip&netmask) == (dst_ip&netmask) && netmask)
287 if (!is_src && !is_dst) {
288 DEBUGP("ACCOUNT: Skipping packet %u.%u.%u.%u/%u.%u.%u.%u "
289 "for net %u.%u.%u.%u/%u.%u.%u.%u\n", NIPQUAD(src_ip),
290 NIPQUAD(dst_ip), NIPQUAD(net_ip), NIPQUAD(netmask));
294 /* Check if this entry is new */
295 char is_src_new_ip = 0, is_dst_new_ip = 0;
297 /* Calculate array positions */
298 unsigned char src_slot = (unsigned char)((src_ip&0xFF000000) >> 24);
299 unsigned char dst_slot = (unsigned char)((dst_ip&0xFF000000) >> 24);
301 /* Increase size counters */
303 /* Calculate network slot */
304 DEBUGP("ACCOUNT: Calculated SRC 8 bit network slot: %d\n", src_slot);
305 if (!mask_24->ip[src_slot].src_packets
306 && !mask_24->ip[src_slot].dst_packets)
309 mask_24->ip[src_slot].src_packets++;
310 mask_24->ip[src_slot].src_bytes+=size;
313 DEBUGP("ACCOUNT: Calculated DST 8 bit network slot: %d\n", dst_slot);
314 if (!mask_24->ip[dst_slot].src_packets
315 && !mask_24->ip[dst_slot].dst_packets)
318 mask_24->ip[dst_slot].dst_packets++;
319 mask_24->ip[dst_slot].dst_bytes+=size;
322 /* Increase itemcounter */
323 DEBUGP("ACCOUNT: Itemcounter before: %d\n", *itemcount);
324 if (src_slot == dst_slot) {
325 if (is_src_new_ip || is_dst_new_ip) {
326 DEBUGP("ACCOUNT: src_slot == dst_slot: %d, %d\n",
327 is_src_new_ip, is_dst_new_ip);
332 DEBUGP("ACCOUNT: New src_ip: %u.%u.%u.%u\n", NIPQUAD(src_ip));
336 DEBUGP("ACCOUNT: New dst_ip: %u.%u.%u.%u\n", NIPQUAD(dst_ip));
340 DEBUGP("ACCOUNT: Itemcounter after: %d\n", *itemcount);
343 void ipt_account_depth1_insert(struct ipt_account_mask_16 *mask_16,
344 unsigned int net_ip, unsigned int netmask,
345 unsigned int src_ip, unsigned int dst_ip,
346 unsigned int size, unsigned int *itemcount)
348 /* Do we need to process src IP? */
349 if ((net_ip&netmask) == (src_ip&netmask)) {
350 unsigned char slot = (unsigned char)((src_ip&0x00FF0000) >> 16);
351 DEBUGP("ACCOUNT: Calculated SRC 16 bit network slot: %d\n", slot);
353 /* Do we need to create a new mask_24 bucket? */
354 if (!mask_16->mask_24[slot] && (mask_16->mask_24[slot] =
355 (void *)get_zeroed_page(GFP_ATOMIC)) == NULL) {
356 printk("ACCOUNT: Can't process packet because out of memory!\n");
360 ipt_account_depth0_insert((struct ipt_account_mask_24 *)mask_16->mask_24[slot],
361 net_ip, netmask, src_ip, 0, size, itemcount);
364 /* Do we need to process dst IP? */
365 if ((net_ip&netmask) == (dst_ip&netmask)) {
366 unsigned char slot = (unsigned char)((dst_ip&0x00FF0000) >> 16);
367 DEBUGP("ACCOUNT: Calculated DST 16 bit network slot: %d\n", slot);
369 /* Do we need to create a new mask_24 bucket? */
370 if (!mask_16->mask_24[slot] && (mask_16->mask_24[slot]
371 = (void *)get_zeroed_page(GFP_ATOMIC)) == NULL) {
372 printk("ACCOUT: Can't process packet because out of memory!\n");
376 ipt_account_depth0_insert((struct ipt_account_mask_24 *)mask_16->mask_24[slot],
377 net_ip, netmask, 0, dst_ip, size, itemcount);
381 void ipt_account_depth2_insert(struct ipt_account_mask_8 *mask_8,
382 unsigned int net_ip, unsigned int netmask,
383 unsigned int src_ip, unsigned int dst_ip,
384 unsigned int size, unsigned int *itemcount)
386 /* Do we need to process src IP? */
387 if ((net_ip&netmask) == (src_ip&netmask)) {
388 unsigned char slot = (unsigned char)((src_ip&0x0000FF00) >> 8);
389 DEBUGP("ACCOUNT: Calculated SRC 24 bit network slot: %d\n", slot);
391 /* Do we need to create a new mask_24 bucket? */
392 if (!mask_8->mask_16[slot] && (mask_8->mask_16[slot]
393 = (void *)get_zeroed_page(GFP_ATOMIC)) == NULL) {
394 printk("ACCOUNT: Can't process packet because out of memory!\n");
398 ipt_account_depth1_insert((struct ipt_account_mask_16 *)mask_8->mask_16[slot],
399 net_ip, netmask, src_ip, 0, size, itemcount);
402 /* Do we need to process dst IP? */
403 if ((net_ip&netmask) == (dst_ip&netmask)) {
404 unsigned char slot = (unsigned char)((dst_ip&0x0000FF00) >> 8);
405 DEBUGP("ACCOUNT: Calculated DST 24 bit network slot: %d\n", slot);
407 /* Do we need to create a new mask_24 bucket? */
408 if (!mask_8->mask_16[slot] && (mask_8->mask_16[slot]
409 = (void *)get_zeroed_page(GFP_ATOMIC)) == NULL) {
410 printk("ACCOUNT: Can't process packet because out of memory!\n");
414 ipt_account_depth1_insert((struct ipt_account_mask_16 *)mask_8->mask_16[slot],
415 net_ip, netmask, 0, dst_ip, size, itemcount);
419 static unsigned int ipt_account_target(struct sk_buff **pskb,
420 unsigned int hooknum,
421 const struct net_device *in,
422 const struct net_device *out,
423 const void *targinfo,
426 const struct ipt_account_info *info =
427 (const struct ipt_account_info *)targinfo;
428 unsigned int src_ip = (*pskb)->nh.iph->saddr;
429 unsigned int dst_ip = (*pskb)->nh.iph->daddr;
430 unsigned int size = ntohs((*pskb)->nh.iph->tot_len);
432 spin_lock_bh(&ipt_account_lock);
434 if (ipt_account_tables[info->table_nr].name[0] == 0) {
435 printk("ACCOUNT: ipt_account_target: Invalid table id %u. "
436 "IPs %u.%u.%u.%u/%u.%u.%u.%u\n", info->table_nr,
437 NIPQUAD(src_ip), NIPQUAD(dst_ip));
438 spin_unlock_bh(&ipt_account_lock);
442 /* 8 bit network or "any" network */
443 if (ipt_account_tables[info->table_nr].depth == 0) {
444 /* Count packet and check if the IP is new */
445 ipt_account_depth0_insert(
446 (struct ipt_account_mask_24 *)ipt_account_tables[info->table_nr].data,
447 ipt_account_tables[info->table_nr].ip,
448 ipt_account_tables[info->table_nr].netmask,
449 src_ip, dst_ip, size, &ipt_account_tables[info->table_nr].itemcount);
450 spin_unlock_bh(&ipt_account_lock);
455 if (ipt_account_tables[info->table_nr].depth == 1) {
456 ipt_account_depth1_insert(
457 (struct ipt_account_mask_16 *)ipt_account_tables[info->table_nr].data,
458 ipt_account_tables[info->table_nr].ip,
459 ipt_account_tables[info->table_nr].netmask,
460 src_ip, dst_ip, size, &ipt_account_tables[info->table_nr].itemcount);
461 spin_unlock_bh(&ipt_account_lock);
466 if (ipt_account_tables[info->table_nr].depth == 2) {
467 ipt_account_depth2_insert(
468 (struct ipt_account_mask_8 *)ipt_account_tables[info->table_nr].data,
469 ipt_account_tables[info->table_nr].ip,
470 ipt_account_tables[info->table_nr].netmask,
471 src_ip, dst_ip, size, &ipt_account_tables[info->table_nr].itemcount);
472 spin_unlock_bh(&ipt_account_lock);
476 printk("ACCOUNT: ipt_account_target: Unable to process packet. "
477 "Table id %u. IPs %u.%u.%u.%u/%u.%u.%u.%u\n",
478 info->table_nr, NIPQUAD(src_ip), NIPQUAD(dst_ip));
480 spin_unlock_bh(&ipt_account_lock);
485 Functions dealing with "handles":
486 Handles are snapshots of a accounting state.
488 read snapshots are only for debugging the code
489 and are very expensive concerning speed/memory
490 compared to read_and_flush.
492 The functions aren't protected by spinlocks themselves
493 as this is done in the ioctl part of the code.
497 Find a free handle slot. Normally only one should be used,
498 but there could be two or more applications accessing the data
501 int ipt_account_handle_find_slot(void)
504 /* Insert new table */
505 for (i = 0; i < ACCOUNT_MAX_HANDLES; i++) {
506 /* Found free slot */
507 if (ipt_account_handles[i].data == NULL) {
508 /* Don't "mark" data as used as we are protected by a spinlock
509 by the calling function. handle_find_slot() is only a function
510 to prevent code duplication. */
515 /* No free slot found */
516 printk("ACCOUNT: No free handle slot found (max: %u). "
517 "Please increase ACCOUNT_MAX_HANDLES.\n", ACCOUNT_MAX_HANDLES);
521 int ipt_account_handle_free(unsigned int handle)
523 if (handle >= ACCOUNT_MAX_HANDLES) {
524 printk("ACCOUNT: Invalid handle for ipt_account_handle_free() specified:"
529 ipt_account_data_free(ipt_account_handles[handle].data,
530 ipt_account_handles[handle].depth);
531 memset (&ipt_account_handles[handle], 0, sizeof (struct ipt_account_handle));
535 /* Prepare data for read without flush. Use only for debugging!
536 Real applications should use read&flush as it's way more efficent */
537 int ipt_account_handle_prepare_read(char *tablename, unsigned int *count)
539 int handle, i, table_nr=-1;
541 for (i = 0; i < ACCOUNT_MAX_TABLES; i++)
542 if (strncmp(ipt_account_tables[i].name, tablename,
543 ACCOUNT_TABLE_NAME_LEN) == 0) {
548 if (table_nr == -1) {
549 printk("ACCOUNT: ipt_account_handle_prepare_read(): "
550 "Table %s not found\n", tablename);
554 /* Can't find a free handle slot? */
555 if ((handle = ipt_account_handle_find_slot()) == -1)
558 /* Fill up handle structure */
559 ipt_account_handles[handle].ip = ipt_account_tables[table_nr].ip;
560 ipt_account_handles[handle].depth = ipt_account_tables[table_nr].depth;
561 ipt_account_handles[handle].itemcount = ipt_account_tables[table_nr].itemcount;
563 /* allocate "root" table */
564 if ((ipt_account_handles[handle].data =
565 (void*)get_zeroed_page(GFP_ATOMIC)) == NULL) {
566 printk("ACCOUNT: out of memory for root table "
567 "in ipt_account_handle_prepare_read()\n");
568 memset (&ipt_account_handles[handle], 0,
569 sizeof(struct ipt_account_handle));
573 /* Recursive copy of complete data structure */
574 unsigned int depth = ipt_account_handles[handle].depth;
576 memcpy(ipt_account_handles[handle].data,
577 ipt_account_tables[table_nr].data,
578 sizeof(struct ipt_account_mask_24));
579 } else if (depth == 1) {
580 struct ipt_account_mask_16 *src_16 =
581 (struct ipt_account_mask_16 *)ipt_account_tables[table_nr].data;
582 struct ipt_account_mask_16 *network_16 =
583 (struct ipt_account_mask_16 *)ipt_account_handles[handle].data;
586 for (b = 0; b <= 255; b++) {
587 if (src_16->mask_24[b]) {
588 if ((network_16->mask_24[b] =
589 (void*)get_zeroed_page(GFP_ATOMIC)) == NULL) {
590 printk("ACCOUNT: out of memory during copy of 16 bit "
591 "network in ipt_account_handle_prepare_read()\n");
592 ipt_account_data_free(ipt_account_handles[handle].data, depth);
593 memset (&ipt_account_handles[handle], 0,
594 sizeof(struct ipt_account_handle));
598 memcpy(network_16->mask_24[b], src_16->mask_24[b],
599 sizeof(struct ipt_account_mask_24));
602 } else if(depth == 2) {
603 struct ipt_account_mask_8 *src_8 =
604 (struct ipt_account_mask_8 *)ipt_account_tables[table_nr].data;
605 struct ipt_account_mask_8 *network_8 =
606 (struct ipt_account_mask_8 *)ipt_account_handles[handle].data;
609 for (a = 0; a <= 255; a++) {
610 if (src_8->mask_16[a]) {
611 if ((network_8->mask_16[a] =
612 (void*)get_zeroed_page(GFP_ATOMIC)) == NULL) {
613 printk("ACCOUNT: out of memory during copy of 24 bit network"
614 " in ipt_account_handle_prepare_read()\n");
615 ipt_account_data_free(ipt_account_handles[handle].data, depth);
616 memset (&ipt_account_handles[handle], 0,
617 sizeof(struct ipt_account_handle));
621 memcpy(network_8->mask_16[a], src_8->mask_16[a],
622 sizeof(struct ipt_account_mask_16));
624 struct ipt_account_mask_16 *src_16 = src_8->mask_16[a];
625 struct ipt_account_mask_16 *network_16 = network_8->mask_16[a];
628 for (b = 0; b <= 255; b++) {
629 if (src_16->mask_24[b]) {
630 if ((network_16->mask_24[b] =
631 (void*)get_zeroed_page(GFP_ATOMIC)) == NULL) {
632 printk("ACCOUNT: out of memory during copy of 16 bit"
633 " network in ipt_account_handle_prepare_read()\n");
634 ipt_account_data_free(ipt_account_handles[handle].data,
636 memset (&ipt_account_handles[handle], 0,
637 sizeof(struct ipt_account_handle));
641 memcpy(network_16->mask_24[b], src_16->mask_24[b],
642 sizeof(struct ipt_account_mask_24));
649 *count = ipt_account_tables[table_nr].itemcount;
653 /* Prepare data for read and flush it */
654 int ipt_account_handle_prepare_read_flush(char *tablename, unsigned int *count)
656 int handle, i, table_nr=-1;
658 for (i = 0; i < ACCOUNT_MAX_TABLES; i++)
659 if (strncmp(ipt_account_tables[i].name, tablename,
660 ACCOUNT_TABLE_NAME_LEN) == 0) {
665 if (table_nr == -1) {
666 printk("ACCOUNT: ipt_account_handle_prepare_read_flush(): "
667 "Table %s not found\n", tablename);
671 /* Can't find a free handle slot? */
672 if ((handle = ipt_account_handle_find_slot()) == -1)
675 /* Try to allocate memory */
676 void *new_data_page = (void*)get_zeroed_page(GFP_ATOMIC);
679 printk("ACCOUNT: ipt_account_handle_prepare_read_flush(): "
684 /* Fill up handle structure */
685 ipt_account_handles[handle].ip = ipt_account_tables[table_nr].ip;
686 ipt_account_handles[handle].depth = ipt_account_tables[table_nr].depth;
687 ipt_account_handles[handle].itemcount = ipt_account_tables[table_nr].itemcount;
688 ipt_account_handles[handle].data = ipt_account_tables[table_nr].data;
689 *count = ipt_account_tables[table_nr].itemcount;
691 /* "Flush" table data */
692 ipt_account_tables[table_nr].data = new_data_page;
693 ipt_account_tables[table_nr].itemcount = 0;
698 /* Copy 8 bit network data into a prepared buffer.
699 We only copy entries != 0 to increase performance.
701 void ipt_account_handle_copy_data(void *to_user, int *pos,
702 struct ipt_account_mask_24 *data,
703 unsigned int net_ip, unsigned int net_OR_mask)
705 struct ipt_account_handle_ip handle_ip;
706 unsigned int handle_ip_size = sizeof (struct ipt_account_handle_ip);
710 for (i = 0; i <= 255; i++) {
711 if (data->ip[i].src_packets || data->ip[i].dst_packets) {
712 handle_ip.ip = net_ip | net_OR_mask | (i<<24);
714 handle_ip.src_packets = data->ip[i].src_packets;
715 handle_ip.src_bytes = data->ip[i].src_bytes;
716 handle_ip.dst_packets = data->ip[i].dst_packets;
717 handle_ip.dst_bytes = data->ip[i].dst_bytes;
719 /* Temporary buffer full? Flush to userspace */
720 if (*pos+handle_ip_size >= PAGE_SIZE) {
721 copy_to_user(to_user, ipt_account_tmpbuf, *pos);
724 memcpy(ipt_account_tmpbuf+*pos, &handle_ip, handle_ip_size);
725 *pos += handle_ip_size;
730 /* Copy the data from our internal structure
731 We only copy entries != 0 to increase performance.
732 Overwrites ipt_account_tmpbuf.
734 int ipt_account_handle_get_data(unsigned int handle, void *to_user)
736 unsigned int tmpbuf_pos=0;
738 if (handle >= ACCOUNT_MAX_HANDLES) {
739 printk("ACCOUNT: invalid handle for ipt_account_handle_get_data() "
740 "specified: %u\n", handle);
744 if (ipt_account_handles[handle].data == NULL) {
745 printk("ACCOUNT: handle %u is BROKEN: Contains no data\n", handle);
749 unsigned int net_ip = ipt_account_handles[handle].ip;
750 unsigned int depth = ipt_account_handles[handle].depth;
754 struct ipt_account_mask_24 *network =
755 (struct ipt_account_mask_24*)ipt_account_handles[handle].data;
756 ipt_account_handle_copy_data(to_user, &tmpbuf_pos, network, net_ip, 0);
758 /* Flush remaining data to userspace */
760 copy_to_user(to_user, ipt_account_tmpbuf, tmpbuf_pos);
767 struct ipt_account_mask_16 *network_16 =
768 (struct ipt_account_mask_16*)ipt_account_handles[handle].data;
770 for (b = 0; b <= 255; b++) {
771 if (network_16->mask_24[b]) {
772 struct ipt_account_mask_24 *network =
773 (struct ipt_account_mask_24*)network_16->mask_24[b];
774 ipt_account_handle_copy_data(to_user, &tmpbuf_pos, network,
779 /* Flush remaining data to userspace */
781 copy_to_user(to_user, ipt_account_tmpbuf, tmpbuf_pos);
788 struct ipt_account_mask_8 *network_8 =
789 (struct ipt_account_mask_8*)ipt_account_handles[handle].data;
791 for (a = 0; a <= 255; a++) {
792 if (network_8->mask_16[a]) {
793 struct ipt_account_mask_16 *network_16 =
794 (struct ipt_account_mask_16*)network_8->mask_16[a];
795 for (b = 0; b <= 255; b++) {
796 if (network_16->mask_24[b]) {
797 struct ipt_account_mask_24 *network =
798 (struct ipt_account_mask_24*)network_16->mask_24[b];
799 ipt_account_handle_copy_data(to_user, &tmpbuf_pos, network,
800 net_ip, (a << 8) | (b << 16));
806 /* Flush remaining data to userspace */
808 copy_to_user(to_user, ipt_account_tmpbuf, tmpbuf_pos);
816 static int ipt_account_set_ctl(struct sock *sk, int cmd,
817 void *user, unsigned int len)
819 struct ipt_account_handle_sockopt handle;
822 if (!capable(CAP_NET_ADMIN))
826 case IPT_SO_SET_ACCOUNT_HANDLE_FREE:
827 if (len != sizeof(struct ipt_account_handle_sockopt)) {
828 printk("ACCOUNT: ipt_account_set_ctl: wrong data size (%u != %u) "
829 "for IPT_SO_SET_HANDLE_FREE\n",
830 len, sizeof(struct ipt_account_handle_sockopt));
834 if (copy_from_user (&handle, user, len)) {
835 printk("ACCOUNT: ipt_account_set_ctl: copy_from_user failed for "
836 "IPT_SO_SET_HANDLE_FREE\n");
840 spin_lock_bh(&ipt_account_userspace_lock);
841 ret = ipt_account_handle_free(handle.handle_nr);
842 spin_unlock_bh(&ipt_account_userspace_lock);
844 case IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL: {
846 spin_lock_bh(&ipt_account_userspace_lock);
847 for (i = 0; i < ACCOUNT_MAX_HANDLES; i++)
848 ipt_account_handle_free(i);
849 spin_unlock_bh(&ipt_account_userspace_lock);
854 printk("ACCOUNT: ipt_account_set_ctl: unknown request %i\n", cmd);
860 static int ipt_account_get_ctl(struct sock *sk, int cmd, void *user, int *len)
862 struct ipt_account_handle_sockopt handle;
865 if (!capable(CAP_NET_ADMIN))
869 case IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH:
870 case IPT_SO_GET_ACCOUNT_PREPARE_READ:
871 if (*len < sizeof(struct ipt_account_handle_sockopt)) {
872 printk("ACCOUNT: ipt_account_get_ctl: wrong data size (%u != %u) "
873 "for IPT_SO_GET_ACCOUNT_PREPARE_READ/READ_FLUSH\n",
874 *len, sizeof(struct ipt_account_handle_sockopt));
878 if (copy_from_user (&handle, user,
879 sizeof(struct ipt_account_handle_sockopt))) {
884 spin_lock_bh(&ipt_account_lock);
885 spin_lock_bh(&ipt_account_userspace_lock);
886 if (cmd == IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH)
887 handle.handle_nr = ipt_account_handle_prepare_read_flush(
888 handle.name, &handle.itemcount);
890 handle.handle_nr = ipt_account_handle_prepare_read(
891 handle.name, &handle.itemcount);
892 spin_unlock_bh(&ipt_account_userspace_lock);
893 spin_unlock_bh(&ipt_account_lock);
895 if (handle.handle_nr == -1) {
900 if (copy_to_user(user, &handle,
901 sizeof(struct ipt_account_handle_sockopt))) {
907 case IPT_SO_GET_ACCOUNT_GET_DATA:
908 if (*len < sizeof(struct ipt_account_handle_sockopt)) {
909 printk("ACCOUNT: ipt_account_get_ctl: wrong data size (%u != %u)"
910 " for IPT_SO_GET_ACCOUNT_PREPARE_READ/READ_FLUSH\n",
911 *len, sizeof(struct ipt_account_handle_sockopt));
915 if (copy_from_user (&handle, user,
916 sizeof(struct ipt_account_handle_sockopt))) {
921 if (handle.handle_nr >= ACCOUNT_MAX_HANDLES) {
926 if (*len < ipt_account_handles[handle.handle_nr].itemcount
927 * sizeof(struct ipt_account_handle_ip)) {
928 printk("ACCOUNT: ipt_account_get_ctl: not enough space (%u < %u)"
929 " to store data from IPT_SO_GET_ACCOUNT_GET_DATA\n",
930 *len, ipt_account_handles[handle.handle_nr].itemcount
931 * sizeof(struct ipt_account_handle_ip));
936 spin_lock_bh(&ipt_account_userspace_lock);
937 ret = ipt_account_handle_get_data(handle.handle_nr, user);
938 spin_unlock_bh(&ipt_account_userspace_lock);
940 printk("ACCOUNT: ipt_account_get_ctl: ipt_account_handle_get_data"
941 " failed for handle %u\n", handle.handle_nr);
947 case IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE: {
948 if (*len < sizeof(struct ipt_account_handle_sockopt)) {
949 printk("ACCOUNT: ipt_account_get_ctl: wrong data size (%u != %u)"
950 " for IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE\n",
951 *len, sizeof(struct ipt_account_handle_sockopt));
955 /* Find out how many handles are in use */
957 handle.itemcount = 0;
958 spin_lock_bh(&ipt_account_userspace_lock);
959 for (i = 0; i < ACCOUNT_MAX_HANDLES; i++)
960 if (ipt_account_handles[i].data)
962 spin_unlock_bh(&ipt_account_userspace_lock);
964 if (copy_to_user(user, &handle,
965 sizeof(struct ipt_account_handle_sockopt))) {
972 case IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES: {
973 spin_lock_bh(&ipt_account_lock);
975 /* Determine size of table names */
976 unsigned int size = 0, i;
977 for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
978 if (ipt_account_tables[i].name[0] != 0)
979 size += strlen (ipt_account_tables[i].name) + 1;
981 size += 1; /* Terminating NULL character */
984 spin_unlock_bh(&ipt_account_lock);
985 printk("ACCOUNT: ipt_account_get_ctl: not enough space (%u < %u)"
986 " to store table names\n", *len, size);
990 /* Copy table names to userspace */
992 for (i = 0; i < ACCOUNT_MAX_TABLES; i++) {
993 if (ipt_account_tables[i].name[0] != 0) {
994 int len = strlen (ipt_account_tables[i].name) + 1;
995 /* copy string + terminating zero */
996 copy_to_user(tnames, ipt_account_tables[i].name, len);
1000 /* Append terminating zero */
1002 copy_to_user(tnames, &i, 1);
1003 spin_unlock_bh(&ipt_account_lock);
1008 printk("ACCOUNT: ipt_account_get_ctl: unknown request %i\n", cmd);
1014 static struct ipt_target ipt_account_reg = {
1020 ipt_account_checkentry,
1021 ipt_account_deleteentry,
1025 static struct nf_sockopt_ops ipt_account_sockopts = {
1030 IPT_SO_SET_ACCOUNT_HANDLE_FREE,
1031 IPT_SO_SET_ACCOUNT_MAX+1,
1032 ipt_account_set_ctl,
1033 IPT_SO_GET_ACCOUNT_PREPARE_READ,
1034 IPT_SO_GET_ACCOUNT_MAX+1,
1035 ipt_account_get_ctl,
1040 static int __init init(void)
1042 if ((ipt_account_tables =
1043 kmalloc(ACCOUNT_MAX_TABLES *
1044 sizeof(struct ipt_account_table), GFP_KERNEL)) == NULL) {
1045 printk("ACCOUNT: Out of memory allocating account_tables structure");
1048 memset(ipt_account_tables, 0,
1049 ACCOUNT_MAX_TABLES * sizeof(struct ipt_account_table));
1051 if ((ipt_account_handles =
1052 kmalloc(ACCOUNT_MAX_HANDLES *
1053 sizeof(struct ipt_account_handle), GFP_KERNEL)) == NULL) {
1054 printk("ACCOUNT: Out of memory allocating account_handles structure");
1055 kfree (ipt_account_tables);
1056 ipt_account_tables = NULL;
1059 memset(ipt_account_handles, 0,
1060 ACCOUNT_MAX_HANDLES * sizeof(struct ipt_account_handle));
1062 /* Allocate one page as temporary storage */
1063 if ((ipt_account_tmpbuf = (void*)__get_free_page(GFP_KERNEL)) == NULL) {
1064 printk("ACCOUNT: Out of memory for temporary buffer page\n");
1065 kfree(ipt_account_tables);
1066 kfree(ipt_account_handles);
1067 ipt_account_tables = NULL;
1068 ipt_account_handles = NULL;
1072 /* Register setsockopt */
1073 if (nf_register_sockopt(&ipt_account_sockopts) < 0) {
1074 printk("ACCOUNT: Can't register sockopts. Aborting\n");
1076 kfree(ipt_account_tables);
1077 kfree(ipt_account_handles);
1078 free_page((unsigned long)ipt_account_tmpbuf);
1079 ipt_account_tables = NULL;
1080 ipt_account_handles = NULL;
1081 ipt_account_tmpbuf = NULL;
1086 if (ipt_register_target(&ipt_account_reg))
1092 static void __exit fini(void)
1094 ipt_unregister_target(&ipt_account_reg);
1096 nf_unregister_sockopt(&ipt_account_sockopts);
1098 kfree(ipt_account_tables);
1099 kfree(ipt_account_handles);
1100 free_page((unsigned long)ipt_account_tmpbuf);
1102 ipt_account_tables = NULL;
1103 ipt_account_handles = NULL;
1104 ipt_account_tmpbuf = NULL;
1109 MODULE_LICENSE("GPL");
git://developer.intra2net.com / ipt_ACCOUNT / blob