anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-09-07 13:15:12 +02:00
Code Issues Releases Wiki Activity

geoip: use tabs not spaces and indent

Browse Source
This commit is contained in:
Jan Engelhardt
2008-03-17 13:35:17 +01:00
parent 9f45aa737a
commit 205a006ac9
3 changed files with 382 additions and 387 deletions
Download Patch File Download Diff File Expand all files Collapse all files

445
extensions/libxt_geoip.c
View File

@@ -1,5 +1,5 @@
/* Shared library add-on to iptables to add geoip match support. /* Shared library add-on to iptables to add geoip match support.
*
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or * the Free Software Foundation; either version 2 of the License, or
@@ -29,288 +29,293 @@
static void geoip_help(void) static void geoip_help(void)
{ {
printf ( printf (
"GeoIP v%s options:\n" "GeoIP v%s options:\n"
" [!] --src-cc, --source-country country[,country,country,...]\n" " [!] --src-cc, --source-country country[,country,country,...]\n"
" Match packet coming from (one of)\n" " Match packet coming from (one of)\n"
" the specified country(ies)\n" " the specified country(ies)\n"
"\n" "\n"
" [!] --dst-cc, --destination-country country[,country,country,...]\n" " [!] --dst-cc, --destination-country country[,country,country,...]\n"
" Match packet going to (one of)\n" " Match packet going to (one of)\n"
" the specified country(ies)\n" " the specified country(ies)\n"
"\n" "\n"
" NOTE: The country is inputed by its ISO3166 code.\n" " NOTE: The country is inputed by its ISO3166 code.\n"
"\n" "\n"
"\n", XTABLES_VERSION "\n", XTABLES_VERSION
); );
} }
static struct option geoip_opts[] = { static struct option geoip_opts[] = {
{ "dst-cc", 1, 0, '2' }, /* Alias for --destination-country */ { "dst-cc", 1, 0, '2' }, /* Alias for --destination-country */
{ "destination-country", 1, 0, '2' }, { "destination-country", 1, 0, '2' },
{ "src-cc", 1, 0, '1' }, /* Alias for --source-country */ { "src-cc", 1, 0, '1' }, /* Alias for --source-country */
{ "source-country", 1, 0, '1' }, { "source-country", 1, 0, '1' },
{ 0 }, { 0 },
}; };
struct geoip_index { struct geoip_index {
u_int16_t cc; u_int16_t cc;
u_int32_t offset; u_int32_t offset;
} __attribute__ ((packed)); } __attribute__ ((packed));
struct geoip_subnet * struct geoip_subnet *
get_country_subnets(u_int16_t cc, u_int32_t *count) get_country_subnets(u_int16_t cc, u_int32_t *count)
{ {
FILE *ixfd, *dbfd; FILE *ixfd, *dbfd;
struct geoip_subnet *subnets; struct geoip_subnet *subnets;
struct geoip_index *index; struct geoip_index *index;
struct stat buf; struct stat buf;
size_t idxsz;
u_int16_t i;
u_int16_t db_cc = 0;
u_int16_t db_nsubnets = 0;
if ((ixfd = fopen("/var/geoip/geoipdb.idx", "r")) == NULL) { size_t idxsz;
perror("/var/geoip/geoipdb.idx"); u_int16_t i;
exit_error(OTHER_PROBLEM,
"geoip: cannot open geoip's database index file");
}
stat("/var/geoip/geoipdb.idx", &buf);
idxsz = buf.st_size/sizeof(struct geoip_index);
index = malloc(buf.st_size);
fread(index, buf.st_size, 1, ixfd); u_int16_t db_cc = 0;
u_int16_t db_nsubnets = 0;
for (i = 0; i < idxsz; i++) if ((ixfd = fopen("/var/geoip/geoipdb.idx", "r")) == NULL) {
if (cc == index[i].cc) perror("/var/geoip/geoipdb.idx");
break; exit_error(OTHER_PROBLEM,
"geoip: cannot open geoip's database index file");
if (cc != index[i].cc) }
exit_error(OTHER_PROBLEM,
"geoip match: sorry, '%c%c' isn't in the database\n", COUNTRY(cc));
fclose(ixfd); stat("/var/geoip/geoipdb.idx", &buf);
idxsz = buf.st_size/sizeof(struct geoip_index);
index = malloc(buf.st_size);
if ((dbfd = fopen("/var/geoip/geoipdb.bin", "r")) == NULL) { fread(index, buf.st_size, 1, ixfd);
perror("/var/geoip/geoipdb.bin");
exit_error(OTHER_PROBLEM,
"geoip: cannot open geoip's database file");
}
fseek(dbfd, index[i].offset, SEEK_SET); for (i = 0; i < idxsz; i++)
fread(&db_cc, sizeof(u_int16_t), 1, dbfd); if (cc == index[i].cc)
break;
if (db_cc != cc) if (cc != index[i].cc)
exit_error(OTHER_PROBLEM, exit_error(OTHER_PROBLEM,
"geoip: this shouldn't happened, the database might be corrupted, or there's a bug.\n" "geoip match: sorry, '%c%c' isn't in the database\n", COUNTRY(cc));
"you should contact maintainers");
fread(&db_nsubnets, sizeof(u_int16_t), 1, dbfd);
subnets = malloc(db_nsubnets * sizeof(struct geoip_subnet)); fclose(ixfd);
if (!subnets) if ((dbfd = fopen("/var/geoip/geoipdb.bin", "r")) == NULL) {
exit_error(OTHER_PROBLEM, perror("/var/geoip/geoipdb.bin");
"geoip: insufficient memory available"); exit_error(OTHER_PROBLEM,
"geoip: cannot open geoip's database file");
fread(subnets, db_nsubnets * sizeof(struct geoip_subnet), 1, dbfd); }
fclose(dbfd); fseek(dbfd, index[i].offset, SEEK_SET);
free(index); fread(&db_cc, sizeof(u_int16_t), 1, dbfd);
*count = db_nsubnets;
return subnets; if (db_cc != cc)
exit_error(OTHER_PROBLEM,
"geoip: this shouldn't happened, the database might be corrupted, or there's a bug.\n"
"you should contact maintainers");
fread(&db_nsubnets, sizeof(u_int16_t), 1, dbfd);
subnets = malloc(db_nsubnets * sizeof(struct geoip_subnet));
if (!subnets)
exit_error(OTHER_PROBLEM,
"geoip: insufficient memory available");
fread(subnets, db_nsubnets * sizeof(struct geoip_subnet), 1, dbfd);
fclose(dbfd);
free(index);
*count = db_nsubnets;
return subnets;
} }
static struct geoip_info * static struct geoip_info *
load_geoip_cc(u_int16_t cc) load_geoip_cc(u_int16_t cc)
{ {
static struct geoip_info *ginfo; static struct geoip_info *ginfo;
ginfo = malloc(sizeof(struct geoip_info)); ginfo = malloc(sizeof(struct geoip_info));
if (!ginfo) if (!ginfo)
return NULL; return NULL;
ginfo->subnets = get_country_subnets(cc, &ginfo->count); ginfo->subnets = get_country_subnets(cc, &ginfo->count);
ginfo->cc = cc; ginfo->cc = cc;
return ginfo; return ginfo;
} }
static u_int16_t static u_int16_t
check_geoip_cc(char *cc, u_int16_t cc_used[], u_int8_t count) check_geoip_cc(char *cc, u_int16_t cc_used[], u_int8_t count)
{ {
u_int8_t i; u_int8_t i;
u_int16_t cc_int16; u_int16_t cc_int16;
if (strlen(cc) != 2) /* Country must be 2 chars long according if (strlen(cc) != 2) /* Country must be 2 chars long according
to the ISO3166 standard */ to the ISO3166 standard */
exit_error(PARAMETER_PROBLEM, exit_error(PARAMETER_PROBLEM,
"geoip: invalid country code '%s'", cc); "geoip: invalid country code '%s'", cc);
// Verification will fail if chars aren't uppercased. // Verification will fail if chars aren't uppercased.
// Make sure they are.. // Make sure they are..
for (i = 0; i < 2; i++) for (i = 0; i < 2; i++)
if (isalnum(cc[i]) != 0) if (isalnum(cc[i]) != 0)
cc[i] = toupper(cc[i]); cc[i] = toupper(cc[i]);
else else
exit_error(PARAMETER_PROBLEM, exit_error(PARAMETER_PROBLEM,
"geoip: invalid country code '%s'", cc); "geoip: invalid country code '%s'", cc);
/* Convert chars into a single 16 bit integer. /* Convert chars into a single 16 bit integer.
* FIXME: This assumes that a country code is * FIXME: This assumes that a country code is
* exactly 2 chars long. If this is * exactly 2 chars long. If this is
* going to change someday, this whole * going to change someday, this whole
* match will need to be rewritten, anyway. * match will need to be rewritten, anyway.
* - SJ */ * - SJ */
cc_int16 = (cc[0]<<8) + cc[1]; cc_int16 = (cc[0]<<8) + cc[1];
// Check for presence of value in cc_used // Check for presence of value in cc_used
for (i = 0; i < count; i++) for (i = 0; i < count; i++)
if (cc_int16 == cc_used[i]) if (cc_int16 == cc_used[i])
return 0; // Present, skip it! return 0; // Present, skip it!
return cc_int16; return cc_int16;
} }
/* Based on libipt_multiport.c parsing code. */ /* Based on libipt_multiport.c parsing code. */
static u_int8_t static u_int8_t
parse_geoip_cc(const char *ccstr, u_int16_t *cc, struct geoip_info **mem) parse_geoip_cc(const char *ccstr, u_int16_t *cc, struct geoip_info **mem)
{ {
char *buffer, *cp, *next; char *buffer, *cp, *next;
u_int8_t i, count = 0; u_int8_t i, count = 0;
u_int16_t cctmp; u_int16_t cctmp;
buffer = strdup(ccstr); buffer = strdup(ccstr);
if (!buffer) exit_error(OTHER_PROBLEM, if (!buffer)
"geoip: insufficient memory available"); exit_error(OTHER_PROBLEM,
"geoip: insufficient memory available");
for (cp = buffer, i = 0; cp && i < XT_GEOIP_MAX; cp = next, i++) for (cp = buffer, i = 0; cp && i < XT_GEOIP_MAX; cp = next, i++)
{ {
next = strchr(cp, ','); next = strchr(cp, ',');
if (next) *next++ = '\0'; if (next) *next++ = '\0';
if ((cctmp = check_geoip_cc(cp, cc, count)) != 0) {
if ((mem[count++] = load_geoip_cc(cctmp)) == NULL)
exit_error(OTHER_PROBLEM,
"geoip: insufficient memory available");
cc[count-1] = cctmp;
}
}
if (cp) exit_error(PARAMETER_PROBLEM,
"geoip: too many countries specified");
free(buffer);
if (count == 0) exit_error(PARAMETER_PROBLEM, if ((cctmp = check_geoip_cc(cp, cc, count)) != 0) {
"geoip: don't know what happened"); if ((mem[count++] = load_geoip_cc(cctmp)) == NULL)
exit_error(OTHER_PROBLEM,
return count; "geoip: insufficient memory available");
cc[count-1] = cctmp;
}
}
if (cp)
exit_error(PARAMETER_PROBLEM,
"geoip: too many countries specified");
free(buffer);
if (count == 0)
exit_error(PARAMETER_PROBLEM,
"geoip: don't know what happened");
return count;
} }
static int static int geoip_parse(int c, char **argv, int invert, unsigned int *flags,
geoip_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_match **match)
const void *entry, struct xt_entry_match **match)
{ {
struct xt_geoip_match_info *info = (void *)(*match)->data; struct xt_geoip_match_info *info = (void *)(*match)->data;
switch(c) { switch(c) {
case '1': case '1':
// Ensure that XT_GEOIP_SRC *OR* XT_GEOIP_DST haven't been used yet. // Ensure that XT_GEOIP_SRC *OR* XT_GEOIP_DST haven't been used yet.
if (*flags & (XT_GEOIP_SRC | XT_GEOIP_DST)) if (*flags & (XT_GEOIP_SRC | XT_GEOIP_DST))
exit_error(PARAMETER_PROBLEM, exit_error(PARAMETER_PROBLEM,
"geoip: only use --source-country *OR* --destination-country once!"); "geoip: only use --source-country *OR* --destination-country once!");
*flags |= XT_GEOIP_SRC; *flags |= XT_GEOIP_SRC;
break; break;
case '2': case '2':
// Ensure that XT_GEOIP_SRC *OR* XT_GEOIP_DST haven't been used yet. // Ensure that XT_GEOIP_SRC *OR* XT_GEOIP_DST haven't been used yet.
if (*flags & (XT_GEOIP_SRC | XT_GEOIP_DST)) if (*flags & (XT_GEOIP_SRC | XT_GEOIP_DST))
exit_error(PARAMETER_PROBLEM, exit_error(PARAMETER_PROBLEM,
"geoip: only use --source-country *OR* --destination-country once!"); "geoip: only use --source-country *OR* --destination-country once!");
*flags |= XT_GEOIP_DST; *flags |= XT_GEOIP_DST;
break; break;
default: default:
return 0; return 0;
} }
if (invert) if (invert)
*flags |= XT_GEOIP_INV; *flags |= XT_GEOIP_INV;
info->count = parse_geoip_cc(argv[optind-1], info->cc, info->mem); info->count = parse_geoip_cc(argv[optind-1], info->cc, info->mem);
info->flags = *flags; info->flags = *flags;
return 1; return 1;
} }
static void static void
geoip_final_check(unsigned int flags) geoip_final_check(unsigned int flags)
{ {
if (!flags) if (!flags)
exit_error(PARAMETER_PROBLEM, exit_error(PARAMETER_PROBLEM,
"geoip: missing arguments"); "geoip: missing arguments");
} }
static void static void
geoip_print(const void *ip, const struct xt_entry_match *match, int numeric) geoip_print(const void *ip, const struct xt_entry_match *match, int numeric)
{ {
const struct xt_geoip_match_info *info = (void*)match->data; const struct xt_geoip_match_info *info = (void*)match->data;
u_int8_t i; u_int8_t i;
if (info->flags & XT_GEOIP_SRC) if (info->flags & XT_GEOIP_SRC)
printf("Source "); printf("Source ");
else printf("Destination "); else
printf("Destination ");
if (info->count > 1)
printf("countries: "); if (info->count > 1)
else printf("country: "); printf("countries: ");
else
if (info->flags & XT_GEOIP_INV) printf("country: ");
printf("! ");
if (info->flags & XT_GEOIP_INV)
for (i = 0; i < info->count; i++) printf("! ");
printf("%s%c%c", i ? "," : "", COUNTRY(info->cc[i]));
printf(" "); for (i = 0; i < info->count; i++)
printf("%s%c%c", i ? "," : "", COUNTRY(info->cc[i]));
printf(" ");
} }
static void static void
geoip_save(const void *ip, const struct xt_entry_match *match) geoip_save(const void *ip, const struct xt_entry_match *match)
{ {
const struct xt_geoip_match_info *info = (void *)match->data; const struct xt_geoip_match_info *info = (void *)match->data;
u_int8_t i; u_int8_t i;
if (info->flags & XT_GEOIP_INV) if (info->flags & XT_GEOIP_INV)
printf("! "); printf("! ");
if (info->flags & XT_GEOIP_SRC) if (info->flags & XT_GEOIP_SRC)
printf("--source-country "); printf("--source-country ");
else printf("--destination-country "); else
printf("--destination-country ");
for (i = 0; i < info->count; i++)
printf("%s%c%c", i ? "," : "", COUNTRY(info->cc[i])); for (i = 0; i < info->count; i++)
printf(" "); printf("%s%c%c", i ? "," : "", COUNTRY(info->cc[i]));
printf(" ");
} }
static struct xtables_match geoip_match = { static struct xtables_match geoip_match = {
.family = AF_INET, .family = AF_INET,
.name = "geoip", .name = "geoip",
.version = XTABLES_VERSION, .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_geoip_match_info)), .size = XT_ALIGN(sizeof(struct xt_geoip_match_info)),
.userspacesize = XT_ALIGN(offsetof(struct xt_geoip_match_info, mem)), .userspacesize = XT_ALIGN(offsetof(struct xt_geoip_match_info, mem)),
.help = geoip_help, .help = geoip_help,
.parse = geoip_parse, .parse = geoip_parse,
.final_check = geoip_final_check, .final_check = geoip_final_check,
.print = geoip_print, .print = geoip_print,
.save = geoip_save, .save = geoip_save,
.extra_opts = geoip_opts .extra_opts = geoip_opts,
}; };
void _init(void) static void _init(void)
{ {
xtables_register_match(&geoip_match); xtables_register_match(&geoip_match);
} }

289
extensions/xt_geoip.c
View File

@@ -1,5 +1,5 @@
/* iptables kernel module for the geoip match /* iptables kernel module for the geoip match
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or * the Free Software Foundation; either version 2 of the License, or
@@ -32,194 +32,185 @@ static spinlock_t geoip_lock = SPIN_LOCK_UNLOCKED;
static struct geoip_info *add_node(struct geoip_info *memcpy) static struct geoip_info *add_node(struct geoip_info *memcpy)
{ {
struct geoip_info *p = kmalloc(sizeof(struct geoip_info), GFP_KERNEL); struct geoip_info *p = kmalloc(sizeof(struct geoip_info), GFP_KERNEL);
struct geoip_subnet *s; struct geoip_subnet *s;
if ((p == NULL) || (copy_from_user(p, memcpy, sizeof(struct geoip_info)) != 0))
return NULL;
s = kmalloc(p->count * sizeof(struct geoip_subnet), GFP_KERNEL); if ((p == NULL) || (copy_from_user(p, memcpy, sizeof(struct geoip_info)) != 0))
if ((s == NULL) || (copy_from_user(s, p->subnets, p->count * sizeof(struct geoip_subnet)) != 0)) return NULL;
return NULL;
spin_lock_bh(&geoip_lock);
p->subnets = s; s = kmalloc(p->count * sizeof(struct geoip_subnet), GFP_KERNEL);
p->ref = 1; if ((s == NULL) || (copy_from_user(s, p->subnets, p->count * sizeof(struct geoip_subnet)) != 0))
p->next = head; return NULL;
p->prev = NULL;
if (p->next) p->next->prev = p;
head = p;
spin_unlock_bh(&geoip_lock); spin_lock_bh(&geoip_lock);
return p;
p->subnets = s;
p->ref = 1;
p->next = head;
p->prev = NULL;
if (p->next)
p->next->prev = p;
head = p;
spin_unlock_bh(&geoip_lock);
return p;
} }
static void remove_node(struct geoip_info *p) static void remove_node(struct geoip_info *p)
{ {
spin_lock_bh(&geoip_lock); spin_lock_bh(&geoip_lock);
if (p->next) { /* Am I following a node ? */
p->next->prev = p->prev;
if (p->prev) p->prev->next = p->next; /* Is there a node behind me ? */
else head = p->next; /* No? Then I was the head */
}
else
if (p->prev) /* Is there a node behind me ? */
p->prev->next = NULL;
else
head = NULL; /* No, we're alone */
/* So now am unlinked or the only one alive, right ? if (p->next) { /* Am I following a node ? */
* What are you waiting ? Free up some memory! p->next->prev = p->prev;
*/ if (p->prev) p->prev->next = p->next; /* Is there a node behind me ? */
else head = p->next; /* No? Then I was the head */
}
kfree(p->subnets); else
kfree(p); if (p->prev) /* Is there a node behind me ? */
p->prev->next = NULL;
spin_unlock_bh(&geoip_lock); else
return; head = NULL; /* No, we're alone */
/* So now am unlinked or the only one alive, right ?
* What are you waiting ? Free up some memory!
*/
kfree(p->subnets);
kfree(p);
spin_unlock_bh(&geoip_lock);
return;
} }
static struct geoip_info *find_node(u_int16_t cc) static struct geoip_info *find_node(u_int16_t cc)
{ {
struct geoip_info *p = head; struct geoip_info *p = head;
spin_lock_bh(&geoip_lock); spin_lock_bh(&geoip_lock);
while (p) { while (p) {
if (p->cc == cc) { if (p->cc == cc) {
spin_unlock_bh(&geoip_lock); spin_unlock_bh(&geoip_lock);
return p; return p;
} }
p = p->next; p = p->next;
} }
spin_unlock_bh(&geoip_lock); spin_unlock_bh(&geoip_lock);
return NULL; return NULL;
} }
static bool xt_geoip_mt(const struct sk_buff *skb, static bool xt_geoip_mt(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *in, const struct net_device *out, const struct xt_match *match,
const struct net_device *out, const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
const struct xt_match *match,
const void *matchinfo,
int offset,
unsigned int protoff,
bool *hotdrop)
{ {
const struct xt_geoip_match_info *info = matchinfo; const struct xt_geoip_match_info *info = matchinfo;
const struct geoip_info *node; /* This keeps the code sexy */ const struct geoip_info *node; /* This keeps the code sexy */
const struct iphdr *iph = ip_hdr(skb); const struct iphdr *iph = ip_hdr(skb);
u_int32_t ip, i, j; u_int32_t ip, i, j;
if (info->flags & XT_GEOIP_SRC) if (info->flags & XT_GEOIP_SRC)
ip = ntohl(iph->saddr); ip = ntohl(iph->saddr);
else else
ip = ntohl(iph->daddr); ip = ntohl(iph->daddr);
spin_lock_bh(&geoip_lock); spin_lock_bh(&geoip_lock);
for (i = 0; i < info->count; i++) { for (i = 0; i < info->count; i++) {
if ((node = info->mem[i]) == NULL) { if ((node = info->mem[i]) == NULL) {
printk(KERN_ERR "xt_geoip: what the hell ?? '%c%c' isn't loaded into memory... skip it!\n", printk(KERN_ERR "xt_geoip: what the hell ?? '%c%c' isn't loaded into memory... skip it!\n",
COUNTRY(info->cc[i])); COUNTRY(info->cc[i]));
continue;
}
for (j = 0; j < node->count; j++) continue;
if ((ip > node->subnets[j].begin) && (ip < node->subnets[j].end)) { }
spin_unlock_bh(&geoip_lock);
return (info->flags & XT_GEOIP_INV) ? 0 : 1; for (j = 0; j < node->count; j++)
} if ((ip > node->subnets[j].begin) && (ip < node->subnets[j].end)) {
} spin_unlock_bh(&geoip_lock);
return (info->flags & XT_GEOIP_INV) ? 0 : 1;
spin_unlock_bh(&geoip_lock); }
return (info->flags & XT_GEOIP_INV) ? 1 : 0; }
spin_unlock_bh(&geoip_lock);
return (info->flags & XT_GEOIP_INV) ? 1 : 0;
} }
static bool xt_geoip_mt_checkentry(const char *tablename, static bool xt_geoip_mt_checkentry(const char *table, const void *entry,
const void *ip, const struct xt_match *match, void *matchinfo, unsigned int hook_mask)
const struct xt_match *match,
void *matchinfo,
unsigned int hook_mas)
{ {
struct xt_geoip_match_info *info = matchinfo;
struct xt_geoip_match_info *info = matchinfo; struct geoip_info *node;
struct geoip_info *node; u_int8_t i;
u_int8_t i;
for (i = 0; i < info->count; i++) { for (i = 0; i < info->count; i++) {
if ((node = find_node(info->cc[i])) != NULL)
atomic_inc((atomic_t *)&node->ref); //increase the reference
else
if ((node = add_node(info->mem[i])) == NULL) {
printk(KERN_ERR
"xt_geoip: unable to load '%c%c' into memory\n",
COUNTRY(info->cc[i]));
return 0;
}
/* Overwrite the now-useless pointer info->mem[i] with if ((node = find_node(info->cc[i])) != NULL)
* a pointer to the node's kernelspace structure. atomic_inc((atomic_t *)&node->ref); //increase the reference
* This avoids searching for a node in the match() and else
* destroy() functions. if ((node = add_node(info->mem[i])) == NULL) {
*/ printk(KERN_ERR
info->mem[i] = node; "xt_geoip: unable to load '%c%c' into memory\n",
} COUNTRY(info->cc[i]));
return 0;
}
return 1; /* Overwrite the now-useless pointer info->mem[i] with
* a pointer to the node's kernelspace structure.
* This avoids searching for a node in the match() and
* destroy() functions.
*/
info->mem[i] = node;
}
return 1;
} }
static void xt_geoip_mt_destroy(const struct xt_match *matcn, static void xt_geoip_mt_destroy(const struct xt_match *match, void *matchinfo)
void *matchinfo)
{ {
struct xt_geoip_match_info *info = matchinfo; struct xt_geoip_match_info *info = matchinfo;
struct geoip_info *node; /* this keeps the code sexy */ struct geoip_info *node; /* this keeps the code sexy */
u_int8_t i; u_int8_t i;
/* This entry has been removed from the table so
* decrease the refcount of all countries it is
* using.
*/
for (i = 0; i < info->count; i++)
if ((node = info->mem[i]) != NULL) {
atomic_dec((atomic_t *)&node->ref);
/* Free up some memory if that node isn't used /* This entry has been removed from the table so
* anymore. */ * decrease the refcount of all countries it is
if (node->ref < 1) * using.
remove_node(node); */
}
else for (i = 0; i < info->count; i++)
/* Something strange happened. There's no memory allocated for this if ((node = info->mem[i]) != NULL) {
* country. Please send this bug to the mailing list. */ atomic_dec((atomic_t *)&node->ref);
printk(KERN_ERR
"xt_geoip: What happened peejix ? What happened acidfu ?\n" /* Free up some memory if that node isn't used
"xt_geoip: please report this bug to the maintainers\n"); * anymore. */
return; if (node->ref < 1)
remove_node(node);
}
else
/* Something strange happened. There's no memory allocated for this
* country. Please send this bug to the mailing list. */
printk(KERN_ERR
"xt_geoip: What happened peejix ? What happened acidfu ?\n"
"xt_geoip: please report this bug to the maintainers\n");
return;
} }
static struct xt_match xt_geoip_match __read_mostly = { static struct xt_match xt_geoip_match __read_mostly = {
.family = AF_INET, .family = AF_INET,
.name = "geoip", .name = "geoip",
.match = &xt_geoip_mt, .match = xt_geoip_mt,
.checkentry = &xt_geoip_mt_checkentry, .checkentry = xt_geoip_mt_checkentry,
.destroy = &xt_geoip_mt_destroy, .destroy = xt_geoip_mt_destroy,
.matchsize = sizeof(struct xt_geoip_match_info), .matchsize = sizeof(struct xt_geoip_match_info),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
static int __init xt_geoip_mt_init(void) static int __init xt_geoip_mt_init(void)
{ {
return xt_register_match(&xt_geoip_match); return xt_register_match(&xt_geoip_match);
} }
static void __exit xt_geoip_mt_fini(void) static void __exit xt_geoip_mt_fini(void)
{ {
xt_unregister_match(&xt_geoip_match); xt_unregister_match(&xt_geoip_match);
} }
module_init(xt_geoip_mt_init); module_init(xt_geoip_mt_init);

35
extensions/xt_geoip.h
View File

@@ -1,5 +1,5 @@
/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c /* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or * the Free Software Foundation; either version 2 of the License, or
@@ -10,8 +10,8 @@
* Samuel Jean * Samuel Jean
* Nicolas Bouliane * Nicolas Bouliane
*/ */
#ifndef _XT_GEOIP_H #ifndef _LINUX_NETFILTER_XT_GEOIP_H
#define _XT_GEOIP_H #define _LINUX_NETFILTER_XT_GEOIP_H 1
#define XT_GEOIP_SRC 0x01 /* Perform check on Source IP */ #define XT_GEOIP_SRC 0x01 /* Perform check on Source IP */
#define XT_GEOIP_DST 0x02 /* Perform check on Destination IP */ #define XT_GEOIP_DST 0x02 /* Perform check on Destination IP */
@@ -20,29 +20,28 @@
#define XT_GEOIP_MAX 15 /* Maximum of countries */ #define XT_GEOIP_MAX 15 /* Maximum of countries */
struct geoip_subnet { struct geoip_subnet {
u_int32_t begin; u_int32_t begin;
u_int32_t end; u_int32_t end;
}; };
struct geoip_info { struct geoip_info {
struct geoip_subnet *subnets; struct geoip_subnet *subnets;
u_int32_t count; u_int32_t count;
u_int32_t ref; u_int32_t ref;
u_int16_t cc; u_int16_t cc;
struct geoip_info *next; struct geoip_info *next;
struct geoip_info *prev; struct geoip_info *prev;
}; };
struct xt_geoip_match_info { struct xt_geoip_match_info {
u_int8_t flags; u_int8_t flags;
u_int8_t count; u_int8_t count;
u_int16_t cc[XT_GEOIP_MAX]; u_int16_t cc[XT_GEOIP_MAX];
/* Used internally by the kernel */ /* Used internally by the kernel */
struct geoip_info *mem[XT_GEOIP_MAX]; struct geoip_info *mem[XT_GEOIP_MAX];
}; };
#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF) #define COUNTRY(cc) (cc >> 8), (cc & 0x00FF)
#endif #endif /* _LINUX_NETFILTER_XT_GEOIP_H */