Merge branch 'quota2'

extensions/Kbuild

@@ -16,6 +16,7 @@ obj-${build_condition} += xt_condition.o
 obj-${build_geoip}    += xt_geoip.o
 obj-${build_ipp2p}    += xt_ipp2p.o
 obj-${build_portscan} += xt_portscan.o
+obj-${build_quota2}    += xt_quota2.o
 
 -include ${M}/*.Kbuild
 -include ${M}/Kbuild.*

extensions/Mbuild

@@ -9,3 +9,4 @@ obj-${build_condition} += libxt_condition.so
 obj-${build_geoip}    += libxt_geoip.so
 obj-${build_ipp2p}    += libxt_ipp2p.so
 obj-${build_portscan} += libxt_portscan.so
+obj-${build_quota2}    += libxt_quota2.so

extensions/compat_xtables.h

@@ -44,8 +44,10 @@
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23)
 #	define init_net               xtnu_ip_route_output_key /* yes */
 #	define init_net__loopback_dev (&loopback_dev)
+#	define init_net__proc_net     proc_net
 #else
 #	define init_net__loopback_dev init_net.loopback_dev
+#	define init_net__proc_net     init_net.proc_net
 #endif
 
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22)

extensions/libxt_quota2.c

@@ -0,0 +1,135 @@
+/*
+ * Shared library add-on to iptables to add quota support
+ *
+ * Sam Johnston <samj@samj.net>
+ * Copyright © Jan Engelhardt <jengelh@medozas.de>, 2008
+ */
+#include <getopt.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <xtables.h>
+#include "xt_quota2.h"
+
+enum {
+	FL_QUOTA  = 1 << 0,
+	FL_NAME   = 1 << 1,
+	FL_GROW   = 1 << 2,
+	FL_PACKET = 1 << 3,
+};
+
+static const struct option quota_mt2_opts[] = {
+	{.name = "grow",    .has_arg = false, .val = 'g'},
+	{.name = "name",    .has_arg = true,  .val = 'n'},
+	{.name = "quota",   .has_arg = true,  .val = 'q'},
+	{.name = "packets", .has_arg = false, .val = 'p'},
+	{NULL},
+};
+
+static void quota_mt2_help(void)
+{
+	printf(
+	"quota match options:\n"
+	"    --grow           provide an increasing counter\n"
+	"    --name name      name for the file in sysfs\n"
+	"[!] --quota quota    initial quota (bytes or packets)\n"
+	"    --packets        count packets instead of bytes\n"
+	);
+}
+
+static int
+quota_mt2_parse(int c, char **argv, int invert, unsigned int *flags,
+	        const void *entry, struct xt_entry_match **match)
+{
+	struct xt_quota_mtinfo2 *info = (void *)(*match)->data;
+	char *end;
+
+	switch (c) {
+	case 'g':
+		param_act(P_ONLY_ONCE, "quota", "--grow", *flags & FL_GROW);
+		param_act(P_NO_INVERT, "quota", "--grow", invert);
+		info->flags |= XT_QUOTA_GROW;
+		*flags |= FL_GROW;
+		return true;
+	case 'n':
+		/* zero termination done on behalf of the kernel module */
+		param_act(P_ONLY_ONCE, "quota", "--name", *flags & FL_NAME);
+		param_act(P_NO_INVERT, "quota", "--name", invert);
+		strncpy(info->name, optarg, sizeof(info->name));
+		*flags |= FL_NAME;
+		return true;
+	case 'p':
+		param_act(P_ONLY_ONCE, "quota", "--packets", *flags & FL_PACKET);
+		param_act(P_NO_INVERT, "quota", "--packets", invert);
+		info->flags |= XT_QUOTA_PACKET;
+		*flags |= FL_PACKET;
+		return true;
+	case 'q':
+		param_act(P_ONLY_ONCE, "quota", "--quota", *flags & FL_QUOTA);
+		if (invert)
+			info->flags |= XT_QUOTA_INVERT;
+		info->quota = strtoull(optarg, &end, 0);
+		if (*end != '\0')
+			exit_error(PARAMETER_PROBLEM, "quota match: "
+			           "invalid value for --quota");
+		*flags |= FL_QUOTA;
+		return true;
+	}
+	return false;
+}
+
+static void
+quota_mt2_save(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_quota_mtinfo2 *q = (void *)match->data;
+
+	if (q->flags & XT_QUOTA_INVERT)
+		printf("! ");
+	if (q->flags & XT_QUOTA_GROW)
+		printf("--grow ");
+	if (q->flags & XT_QUOTA_PACKET)
+		printf("--packets ");
+	if (*q->name != '\0')
+		printf("--name %s ", q->name);
+	printf("--quota %llu ", (unsigned long long)q->quota);
+}
+
+static void quota_mt2_print(const void *ip, const struct xt_entry_match *match,
+                            int numeric)
+{
+	const struct xt_quota_mtinfo2 *q = (const void *)match->data;
+
+	if (q->flags & XT_QUOTA_INVERT)
+		printf("! ");
+	if (q->flags & XT_QUOTA_GROW)
+		printf("counter");
+	else
+		printf("quota");
+	if (*q->name != '\0')
+		printf(" %s:", q->name);
+	printf(" %llu ", (unsigned long long)q->quota);
+	if (q->flags & XT_QUOTA_PACKET)
+		printf("packets ");
+	else
+		printf("bytes ");
+}
+
+static struct xtables_match quota_mt2_reg = {
+	.family        = AF_UNSPEC,
+	.revision      = 2,
+	.name          = "quota2",
+	.version       = XTABLES_VERSION,
+	.size          = XT_ALIGN(sizeof (struct xt_quota_mtinfo2)),
+	.userspacesize = offsetof(struct xt_quota_mtinfo2, quota),
+	.help          = quota_mt2_help,
+	.parse         = quota_mt2_parse,
+	.print         = quota_mt2_print,
+	.save          = quota_mt2_save,
+	.extra_opts    = quota_mt2_opts,
+};
+
+static void _init(void)
+{
+	xtables_register_match(&quota_mt2_reg);
+}

extensions/libxt_quota2.man

@@ -0,0 +1,31 @@
+The "quota2" implements a named counter which can be increased or decreased
+on a per-match basis. Available modes are packet counting or byte counting.
+The value of the counter can be read and reset through procfs, thereby making
+this match a minimalist accounting tool.
+.PP
+When counting down from the initial quota, the counter will stop at 0 and
+the match will return false, just like the original "quota" match. In growing
+(upcounting) mode, it will always return true.
+.TP
+\fB--grow\fP
+Count upwards instead of downwards.
+.TP
+\fB--name\fP \fIname\fP
+Assign the counter a specific name. This option must be present, as an empty
+name is not allowed. Names starting with a dot or names containing a slash are
+prohibited.
+.TP
+[\fB!\fP] \fB--quota\fP \fIiq\fP
+Specify the initial quota for this counter. If the counter already exists,
+it is not reset. An "!" may be used to invert the result of the match. The
+negation has no effect when \fB--grow\fP is used.
+.TP
+\fB--packets\fP
+Count packets instead of bytes that passed the quota2 match.
+.PP
+Because counters in quota2 can be shared, you can combine them for various
+purposes, for example, a bytebucket filter that only lets as much traffic go
+out as has come in:
+.PP
+-A INPUT -p tcp --dport 6881 -m quota --name bt --grow
+-A OUTPUT -p tcp --sport 6881 -m quota --name bt

extensions/xt_quota2.c

@@ -0,0 +1,244 @@
+/*
+ * xt_quota2 - enhanced xt_quota that can count upwards and in packets
+ * as a minimal accounting match.
+ * by Jan Engelhardt <jengelh@medozas.de>, 2008
+ *
+ * Originally based on xt_quota.c:
+ * 	netfilter module to enforce network quotas
+ * 	Sam Johnston <samj@samj.net>
+ */
+#include <linux/list.h>
+#include <linux/proc_fs.h>
+#include <linux/skbuff.h>
+#include <linux/spinlock.h>
+#include <asm/atomic.h>
+
+#include <linux/netfilter/x_tables.h>
+#include "xt_quota2.h"
+#include "compat_xtables.h"
+
+struct quota_counter {
+	u_int64_t quota;
+	spinlock_t lock;
+	struct list_head list;
+	atomic_t ref;
+	char name[XT_QUOTA_COUNTER_NAME_LENGTH];
+	struct proc_dir_entry *procfs_entry;
+};
+
+static LIST_HEAD(counter_list);
+static DEFINE_SPINLOCK(counter_list_lock);
+
+static struct proc_dir_entry *proc_xt_quota;
+static unsigned int quota_list_perms = S_IRUGO | S_IWUSR;
+static unsigned int quota_list_uid   = 0;
+static unsigned int quota_list_gid   = 0;
+module_param_named(perms, quota_list_perms, uint, S_IRUGO | S_IWUSR);
+module_param_named(uid, quota_list_uid, uint, S_IRUGO | S_IWUSR);
+module_param_named(gid, quota_list_gid, uint, S_IRUGO | S_IWUSR);
+
+static int quota_proc_read(char *page, char **start, off_t offset,
+                           int count, int *eof, void *data)
+{
+	struct quota_counter *e = data;
+	int ret;
+
+	spin_lock_bh(&e->lock);
+	ret = snprintf(page, PAGE_SIZE, "%llu\n", e->quota);
+	spin_unlock_bh(&e->lock);
+	return ret;
+}
+
+static int quota_proc_write(struct file *file, const char __user *input,
+                            unsigned long size, void *data)
+{
+	struct quota_counter *e = data;
+	char buf[sizeof("18446744073709551616")];
+
+	if (size > sizeof(buf))
+		size = sizeof(buf);
+	if (copy_from_user(buf, input, size) != 0)
+		return -EFAULT;
+	buf[sizeof(buf)-1] = '\0';
+
+	spin_lock_bh(&e->lock);
+	e->quota = simple_strtoul(buf, NULL, 0);
+	spin_unlock_bh(&e->lock);
+	return size;
+}
+
+/**
+ * q2_get_counter - get ref to counter or create new
+ * @name:	name of counter
+ */
+static struct quota_counter *q2_get_counter(const struct xt_quota_mtinfo2 *q)
+{
+	struct proc_dir_entry *p;
+	struct quota_counter *e;
+
+	spin_lock_bh(&counter_list_lock);
+	list_for_each_entry(e, &counter_list, list) {
+		if (strcmp(e->name, q->name) == 0) {
+			atomic_inc(&e->ref);
+			spin_unlock_bh(&counter_list_lock);
+			return e;
+		}
+	}
+
+	e = kmalloc(sizeof(struct quota_counter), GFP_KERNEL);
+	if (e == NULL)
+		goto out;
+
+	e->quota = q->quota;
+	spin_lock_init(&e->lock);
+	INIT_LIST_HEAD(&e->list);
+	atomic_set(&e->ref, 1);
+	strncpy(e->name, q->name, sizeof(e->name));
+
+	p = e->procfs_entry = create_proc_entry(e->name, quota_list_perms,
+	                      proc_xt_quota);
+	if (p == NULL || IS_ERR(p))
+		goto out;
+		
+	p->owner        = THIS_MODULE;
+	p->data         = e;
+	p->read_proc    = quota_proc_read;
+	p->write_proc   = quota_proc_write;
+	p->uid          = quota_list_uid;
+	p->gid          = quota_list_gid;
+	list_add_tail(&e->list, &counter_list);
+	spin_unlock_bh(&counter_list_lock);
+	return e;
+
+ out:
+	spin_unlock_bh(&counter_list_lock);
+	kfree(e);
+	return NULL;
+}
+
+static bool
+quota_mt2_check(const char *tablename, const void *entry,
+                const struct xt_match *match, void *matchinfo,
+                unsigned int hook_mask)
+{
+	struct xt_quota_mtinfo2 *q = matchinfo;
+
+	if (q->flags & ~XT_QUOTA_MASK)
+		return false;
+
+	q->name[sizeof(q->name)-1] = '\0';
+	if (*q->name == '\0' || *q->name == '.' ||
+	    strchr(q->name, '/') != NULL) {
+		printk(KERN_ERR "xt_quota.2: illegal name\n");
+		return false;
+	}
+
+	q->master = q2_get_counter(q);
+	if (q->master == NULL) {
+		printk(KERN_ERR "xt_quota.2: memory alloc failure\n");
+		return false;
+	}
+
+	return true;
+}
+
+static void quota_mt2_destroy(const struct xt_match *match, void *matchinfo)
+{
+	struct xt_quota_mtinfo2 *q = matchinfo;
+	struct quota_counter *e = q->master;
+
+	spin_lock_bh(&counter_list_lock);
+	if (!atomic_dec_and_test(&e->ref)) {
+		spin_unlock_bh(&counter_list_lock);
+		return;
+	}
+
+	list_del(&e->list);
+	spin_unlock_bh(&counter_list_lock);
+	remove_proc_entry(e->name, proc_xt_quota);
+	kfree(e);
+}
+
+static bool
+quota_mt2(const struct sk_buff *skb, const struct net_device *in,
+          const struct net_device *out, const struct xt_match *match,
+          const void *matchinfo, int offset, unsigned int protoff,
+          bool *hotdrop)
+{
+	struct xt_quota_mtinfo2 *q = (void *)matchinfo;
+	struct quota_counter *e = q->master;
+	bool ret = q->flags & XT_QUOTA_INVERT;
+
+	if (q->flags & XT_QUOTA_GROW) {
+		spin_lock_bh(&e->lock);
+		e->quota += (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
+		q->quota = e->quota;
+		spin_unlock_bh(&e->lock);
+		ret = true;
+	} else {
+		spin_lock_bh(&e->lock);
+		if (e->quota >= skb->len) {
+			e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len;
+			ret = !ret;
+		} else {
+			/* we do not allow even small packets from now on */
+			e->quota = 0;
+		}
+		q->quota = e->quota;
+		spin_unlock_bh(&e->lock);
+	}
+
+	return ret;
+}
+
+static struct xt_match quota_mt2_reg[] __read_mostly = {
+	{
+		.name       = "quota2",
+		.revision   = 2,
+		.family     = AF_INET,
+		.checkentry = quota_mt2_check,
+		.match      = quota_mt2,
+		.destroy    = quota_mt2_destroy,  
+		.matchsize  = sizeof(struct xt_quota_mtinfo2),
+		.me         = THIS_MODULE,
+	},
+	{
+		.name       = "quota2",
+		.revision   = 2,
+		.family     = AF_INET6,
+		.checkentry = quota_mt2_check,
+		.match      = quota_mt2,
+		.destroy    = quota_mt2_destroy,  
+		.matchsize  = sizeof(struct xt_quota_mtinfo2),
+		.me         = THIS_MODULE,
+	},
+};
+
+static int __init quota_mt2_init(void)
+{
+	int ret;
+
+	proc_xt_quota = proc_mkdir("xt_quota", init_net__proc_net);
+	if (proc_xt_quota == NULL)
+		return -EACCES;
+
+	ret = xt_register_matches(quota_mt2_reg, ARRAY_SIZE(quota_mt2_reg));
+	if (ret < 0)
+		remove_proc_entry("xt_quota", init_net__proc_net);
+	return ret;
+}
+
+static void __exit quota_mt2_exit(void)
+{
+	xt_unregister_matches(quota_mt2_reg, ARRAY_SIZE(quota_mt2_reg));
+	remove_proc_entry("xt_quota", init_net__proc_net);
+}
+
+module_init(quota_mt2_init);
+module_exit(quota_mt2_exit);
+MODULE_DESCRIPTION("Xtables: countdown quota match; up counter");
+MODULE_AUTHOR("Sam Johnston <samj@samj.net>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_quota2");
+MODULE_ALIAS("ip6t_quota2");

extensions/xt_quota2.h

@@ -0,0 +1,26 @@
+#ifndef _XT_QUOTA_H
+#define _XT_QUOTA_H
+
+enum xt_quota_flags {
+	XT_QUOTA_INVERT = 1 << 0,
+	XT_QUOTA_GROW   = 1 << 1,
+	XT_QUOTA_PACKET = 1 << 2,
+	XT_QUOTA_MASK   = 0x7,
+
+	XT_QUOTA_COUNTER_NAME_LENGTH = 31,
+};
+
+struct quota_counter;
+
+struct xt_quota_mtinfo2 {
+	char name[XT_QUOTA_COUNTER_NAME_LENGTH];
+	u_int8_t flags;
+
+	/* Comparison-invariant */
+	aligned_u64 quota;
+
+	/* Used internally by the kernel */
+	struct quota_counter *master __attribute__((aligned(8)));
+};
+
+#endif /* _XT_QUOTA_H */

mconfig

@@ -11,3 +11,4 @@ build_condition=m
 build_geoip=m
 build_ipp2p=m
 build_portscan=m
+build_quota2=m