Merge branch 'ACCOUNT'

extensions/Kbuild

@@ -5,6 +5,7 @@ include ${XA_TOPSRCDIR}/mconfig
 
 obj-m                    += compat_xtables.o
 
+obj-${build_ACCOUNT}     += xt_ACCOUNT.o
 obj-${build_CHAOS}       += xt_CHAOS.o
 obj-${build_DELUDE}      += xt_DELUDE.o
 obj-${build_DHCPMAC}     += xt_DHCPMAC.o

extensions/Mbuild

@@ -1,3 +1,4 @@
+obj-${build_ACCOUNT}     += libxt_ACCOUNT.so
 obj-${build_CHAOS}       += libxt_CHAOS.so
 obj-${build_DELUDE}      += libxt_DELUDE.so
 obj-${build_DHCPMAC}     += libxt_DHCPMAC.so libxt_dhcpmac.so

extensions/libxt_ACCOUNT.c

@@ -0,0 +1,168 @@
+/* Shared library add-on to iptables to add ACCOUNT(ing) support.
+   Author: Intra2net AG <opensource@intra2net.com>
+*/
+
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <getopt.h>
+#include <stddef.h>
+#include <xtables.h>
+#include "xt_ACCOUNT.h"
+
+static struct option account_tg_opts[] = {
+	{ .name = "addr",        .has_arg = 1, .flag = 0, .val = 'a' },
+	{ .name = "tname",       .has_arg = 1, .flag = 0, .val = 't' },
+	{ .name = 0 }
+};
+
+/* Function which prints out usage message. */
+static void account_tg_help(void)
+{
+	printf(
+"ACCOUNT target options:\n"
+" --%s ip/netmask\t\tBase network IP and netmask used for this table\n"
+" --%s name\t\t\tTable name for the userspace library\n",
+account_tg_opts[0].name, account_tg_opts[1].name);
+}
+
+/* Initialize the target. */
+static void
+account_tg_init(struct xt_entry_target *t)
+{
+	struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)t->data;
+
+	accountinfo->table_nr = -1;
+}
+
+#define IPT_ACCOUNT_OPT_ADDR 0x01
+#define IPT_ACCOUNT_OPT_TABLE 0x02
+
+/* Function which parses command options; returns true if it
+   ate an option */
+
+static int account_tg_parse(int c, char **argv, int invert, unsigned int *flags,
+		const void *entry, struct xt_entry_target **target)
+{
+	struct ipt_acc_info *accountinfo = (struct ipt_acc_info *)(*target)->data;
+	struct in_addr *addrs = NULL, mask;
+	unsigned int naddrs = 0;
+
+	switch (c) {
+	case 'a':
+		if (*flags & IPT_ACCOUNT_OPT_ADDR)
+			xtables_error(PARAMETER_PROBLEM, "Can't specify --%s twice",
+				account_tg_opts[0].name);
+
+		if (xtables_check_inverse(optarg, &invert, NULL, 0))
+			xtables_error(PARAMETER_PROBLEM, "Unexpected `!' after --%s",
+				account_tg_opts[0].name);
+
+		xtables_ipparse_any(optarg, &addrs, &mask, &naddrs);
+		if (naddrs > 1)
+			xtables_error(PARAMETER_PROBLEM, "multiple IP addresses not allowed");
+
+		accountinfo->net_ip = addrs[0].s_addr;
+		accountinfo->net_mask = mask.s_addr;
+
+		*flags |= IPT_ACCOUNT_OPT_ADDR;
+		break;
+
+	case 't':
+		if (*flags & IPT_ACCOUNT_OPT_TABLE)
+			xtables_error(PARAMETER_PROBLEM,
+				"Can't specify --%s twice",
+				account_tg_opts[1].name);
+
+		if (xtables_check_inverse(optarg, &invert, NULL, 0))
+			xtables_error(PARAMETER_PROBLEM,
+				"Unexpected `!' after --%s",
+				account_tg_opts[1].name);
+
+		if (strlen(optarg) > ACCOUNT_TABLE_NAME_LEN - 1)
+			xtables_error(PARAMETER_PROBLEM,
+				"Maximum table name length %u for --%s",
+				ACCOUNT_TABLE_NAME_LEN - 1,
+				account_tg_opts[1].name);
+
+		strcpy(accountinfo->table_name, optarg);
+		*flags |= IPT_ACCOUNT_OPT_TABLE;
+		break;
+
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+static void account_tg_check(unsigned int flags)
+{
+	if (!(flags & IPT_ACCOUNT_OPT_ADDR) || !(flags & IPT_ACCOUNT_OPT_TABLE))
+		xtables_error(PARAMETER_PROBLEM, "ACCOUNT: needs --%s and --%s",
+			account_tg_opts[0].name, account_tg_opts[1].name);
+}
+
+static void account_tg_print_it(const void *ip,
+		const struct xt_entry_target *target, char do_prefix)
+{
+	const struct ipt_acc_info *accountinfo
+		= (const struct ipt_acc_info *)target->data;
+	struct in_addr a;
+
+	if (!do_prefix)
+		printf("ACCOUNT ");
+
+	// Network information
+	if (do_prefix)
+		printf("--");
+	printf("%s ", account_tg_opts[0].name);
+
+	a.s_addr = accountinfo->net_ip;
+	printf("%s", xtables_ipaddr_to_numeric(&a));
+	a.s_addr = accountinfo->net_mask;
+	printf("%s", xtables_ipmask_to_numeric(&a));
+
+	printf(" ");
+	if (do_prefix)
+		printf("--");
+
+	printf("%s %s", account_tg_opts[1].name, accountinfo->table_name);
+}
+
+
+static void
+account_tg_print(const void *ip,
+	const struct xt_entry_target *target,
+	int numeric)
+{
+	account_tg_print_it(ip, target, 0);
+}
+
+/* Saves the union ipt_targinfo in parsable form to stdout. */
+static void
+account_tg_save(const void *ip, const struct xt_entry_target *target)
+{
+	account_tg_print_it(ip, target, 1);
+}
+
+static struct xtables_target account_tg_reg = {
+	.name          = "ACCOUNT",
+	.family        = AF_INET,
+	.version       = XTABLES_VERSION,
+	.size          = XT_ALIGN(sizeof(struct ipt_acc_info)),
+	.userspacesize = offsetof(struct ipt_acc_info, table_nr),
+	.help          = account_tg_help,
+	.init          = account_tg_init,
+	.parse         = account_tg_parse,
+	.final_check   = account_tg_check,
+	.print         = account_tg_print,
+	.save          = account_tg_save,
+	.extra_opts    = account_tg_opts,
+};
+
+static __attribute__((constructor)) void account_tg_ldr(void)
+{
+	xtables_register_target(&account_tg_reg);
+}

extensions/libxt_ACCOUNT.man

@@ -0,0 +1,72 @@
+The ACCOUNT target is a high performance accounting system for large
+local networks. It allows per-IP accounting in whole prefixes of IPv4
+addresses with size of up to /8 without the need to add individual
+accouting rule for each IP address.
+.PP
+The ACCOUNT is designed to be queried for data every second or at
+least every ten seconds. It is written as kernel module to handle high
+bandwidths without packet loss.
+.PP
+The largest possible subnet size is 24 bit, meaning for example 10.0.0.0/8
+network. ACCOUNT uses fixed internal data structures
+which speeds up the processing of each packet. Furthermore,
+accounting data for one complete 192.168.1.X/24 network takes 4 KB of
+memory. Memory for 16 or 24 bit networks is only allocated when
+needed.
+.PP
+To optimize the kernel<->userspace data transfer a bit more, the
+kernel module only transfers information about IPs, where the src/dst
+packet counter is not 0. This saves precious kernel time.
+.PP
+There is no /proc interface as it would be too slow for continuous access.
+The read-and-flush query operation is the fastest, as no internal data
+snapshot needs to be created&copied for all data. Use the "read"
+operation without flush only for debugging purposes!
+.PP
+Usage:
+.PP
+ACCOUNT takes two mandatory parameters:
+.TP
+\fB\-\-addr\fR \fInetwork\fP\fB/\fP\fInetmask\fR
+where \fInetwork\fP\fB/\fP\fInetmask\fP is the subnet to account for, in CIDR syntax
+.TP
+\fB\-\-tname\fP \fINAME\fP
+where \fINAME\fP is the name of the table where the accounting information
+should be stored
+.PP
+The subnet 0.0.0.0/0 is a special case: all data are then stored in the src_bytes
+and src_packets structure of slot "0". This is useful if you want
+to account the overall traffic to/from your internet provider.
+.PP
+The data can be queried using the userspace libxt_ACCOUNT_cl library,
+and by the reference implementation to show usage of this library,
+the \fBiptaccount\fP(8) tool, which features following options:
+.PP
+[\fB\-u\fP] show kernel handle usage
+.PP
+[\fB\-h\fP] free all kernel handles (experts only!)
+.PP
+[\fB\-a\fP] list all table names
+.PP
+[\fB\-l\fP \fIname\fP] show data in table \fIname\fP
+.PP
+[\fB\-f\fP] flush data after showing
+.PP
+[\fB\-c\fP] loop every second (abort with CTRL+C)
+.PP
+Here is an example of use:
+.PP
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing
+iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales
+.PP
+This creates two tables called "all_outgoing" and "sales" which can be
+queried using the userspace library/iptaccount tool.
+.PP
+Note that this target is non-terminating \(em the packet destined to it
+will continue traversing the chain in which it has been used.
+.PP
+Also note that once a table has been defined for specific CIDR address/netmask
+block, it can be referenced multiple times using \-j ACCOUNT, provided
+that both the original table name and address/netmask block are specified.
+.PP
+For more information go to http://www.intra2net.com/en/developer/ipt_ACCOUNT/

extensions/xt_ACCOUNT.h

@@ -0,0 +1,118 @@
+/***************************************************************************
+ *   Copyright (C) 2004-2006 by Intra2net AG                               *
+ *   opensource@intra2net.com                                              *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License                  *
+ *   version 2 as published by the Free Software Foundation;               *
+ *                                                                         *
+ ***************************************************************************/
+
+#ifndef _IPT_ACCOUNT_H
+#define _IPT_ACCOUNT_H
+
+/*
+ * Socket option interface shared between kernel (xt_ACCOUNT) and userspace
+ * library (libxt_ACCOUNT_cl). Hopefully we are unique at least within our
+ * kernel & xtables-addons space.
+ */
+#define SO_ACCOUNT_BASE_CTL 90
+
+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (SO_ACCOUNT_BASE_CTL + 1)
+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (SO_ACCOUNT_BASE_CTL + 2)
+#define IPT_SO_SET_ACCOUNT_MAX		 IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL
+
+#define IPT_SO_GET_ACCOUNT_PREPARE_READ (SO_ACCOUNT_BASE_CTL + 4)
+#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (SO_ACCOUNT_BASE_CTL + 5)
+#define IPT_SO_GET_ACCOUNT_GET_DATA (SO_ACCOUNT_BASE_CTL + 6)
+#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (SO_ACCOUNT_BASE_CTL + 7)
+#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (SO_ACCOUNT_BASE_CTL + 8)
+#define IPT_SO_GET_ACCOUNT_MAX	  IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES
+
+#define ACCOUNT_MAX_TABLES 128
+#define ACCOUNT_TABLE_NAME_LEN 32
+#define ACCOUNT_MAX_HANDLES 10
+
+/* Structure for the userspace part of ipt_ACCOUNT */
+struct ipt_acc_info {
+	uint32_t net_ip;
+	uint32_t net_mask;
+	char table_name[ACCOUNT_TABLE_NAME_LEN];
+	int32_t table_nr;
+};
+
+/* Internal table structure, generated by check_entry() */
+struct ipt_acc_table {
+	char name[ACCOUNT_TABLE_NAME_LEN];	 /* name of the table */
+	uint32_t ip;						  /* base IP of network */
+	uint32_t netmask;					 /* netmask of the network */
+	unsigned char depth;				   /* size of network:
+												 0: 8 bit, 1: 16bit, 2: 24 bit */
+	uint32_t refcount;					/* refcount of this table.
+												 if zero, destroy it */
+	uint32_t itemcount;				   /* number of IPs in this table */
+	void *data;							/* pointer to the actual data,
+												 depending on netmask */
+};
+
+/* Internal handle structure */
+struct ipt_acc_handle {
+	uint32_t ip;						  /* base IP of network. Used for
+												 caculating the final IP during
+												 get_data() */
+	unsigned char depth;				   /* size of network. See above for
+												 details */
+	uint32_t itemcount;				   /* number of IPs in this table */
+	void *data;							/* pointer to the actual data,
+												 depending on size */
+};
+
+/* Handle structure for communication with the userspace library */
+struct ipt_acc_handle_sockopt {
+	uint32_t handle_nr;				   /* Used for HANDLE_FREE */
+	char name[ACCOUNT_TABLE_NAME_LEN];	 /* Used for HANDLE_PREPARE_READ/
+												 HANDLE_READ_FLUSH */
+	uint32_t itemcount;				   /* Used for HANDLE_PREPARE_READ/
+												 HANDLE_READ_FLUSH */
+};
+
+/* Used for every IP entry
+   Size is 16 bytes so that 256 (class C network) * 16
+   fits in one kernel (zero) page */
+struct ipt_acc_ip {
+	uint32_t src_packets;
+	uint32_t src_bytes;
+	uint32_t dst_packets;
+	uint32_t dst_bytes;
+};
+
+/*
+	Used for every IP when returning data
+*/
+struct ipt_acc_handle_ip {
+	uint32_t ip;
+	uint32_t src_packets;
+	uint32_t src_bytes;
+	uint32_t dst_packets;
+	uint32_t dst_bytes;
+};
+
+/*
+	The IPs are organized as an array so that direct slot
+	calculations are possible.
+	Only 8 bit networks are preallocated, 16/24 bit networks
+	allocate their slots when needed -> very efficent.
+*/
+struct ipt_acc_mask_24 {
+	struct ipt_acc_ip ip[256];
+};
+
+struct ipt_acc_mask_16 {
+	struct ipt_acc_mask_24 *mask_24[256];
+};
+
+struct ipt_acc_mask_8 {
+	struct ipt_acc_mask_16 *mask_16[256];
+};
+
+#endif /* _IPT_ACCOUNT_H */

mconfig

@@ -1,5 +1,6 @@
 # -*- Makefile -*-
 #
+build_ACCOUNT=m
 build_CHAOS=m
 build_DELUDE=m
 build_DHCPMAC=m