diff --git a/extensions/Kbuild b/extensions/Kbuild index 3dc08f9..540699b 100644 --- a/extensions/Kbuild +++ b/extensions/Kbuild @@ -16,6 +16,7 @@ obj-${build_condition} += xt_condition.o obj-${build_geoip} += xt_geoip.o obj-${build_ipp2p} += xt_ipp2p.o obj-${build_portscan} += xt_portscan.o +obj-${build_quota2} += xt_quota2.o -include ${M}/*.Kbuild -include ${M}/Kbuild.* diff --git a/extensions/Mbuild b/extensions/Mbuild index 0ab79bc..dbc25b0 100644 --- a/extensions/Mbuild +++ b/extensions/Mbuild @@ -9,3 +9,4 @@ obj-${build_condition} += libxt_condition.so obj-${build_geoip} += libxt_geoip.so obj-${build_ipp2p} += libxt_ipp2p.so obj-${build_portscan} += libxt_portscan.so +obj-${build_quota2} += libxt_quota2.so diff --git a/extensions/compat_xtables.h b/extensions/compat_xtables.h index 42357bb..52b723b 100644 --- a/extensions/compat_xtables.h +++ b/extensions/compat_xtables.h @@ -44,8 +44,10 @@ #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 23) # define init_net xtnu_ip_route_output_key /* yes */ # define init_net__loopback_dev (&loopback_dev) +# define init_net__proc_net proc_net #else # define init_net__loopback_dev init_net.loopback_dev +# define init_net__proc_net init_net.proc_net #endif #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 22) diff --git a/extensions/libxt_quota2.c b/extensions/libxt_quota2.c new file mode 100644 index 0000000..858c60d --- /dev/null +++ b/extensions/libxt_quota2.c @@ -0,0 +1,135 @@ +/* + * Shared library add-on to iptables to add quota support + * + * Sam Johnston + * Copyright © Jan Engelhardt , 2008 + */ +#include +#include +#include +#include +#include +#include +#include "xt_quota2.h" + +enum { + FL_QUOTA = 1 << 0, + FL_NAME = 1 << 1, + FL_GROW = 1 << 2, + FL_PACKET = 1 << 3, +}; + +static const struct option quota_mt2_opts[] = { + {.name = "grow", .has_arg = false, .val = 'g'}, + {.name = "name", .has_arg = true, .val = 'n'}, + {.name = "quota", .has_arg = true, .val = 'q'}, + {.name = "packets", .has_arg = false, .val = 'p'}, + {NULL}, +}; + +static void quota_mt2_help(void) +{ + printf( + "quota match options:\n" + " --grow provide an increasing counter\n" + " --name name name for the file in sysfs\n" + "[!] --quota quota initial quota (bytes or packets)\n" + " --packets count packets instead of bytes\n" + ); +} + +static int +quota_mt2_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_quota_mtinfo2 *info = (void *)(*match)->data; + char *end; + + switch (c) { + case 'g': + param_act(P_ONLY_ONCE, "quota", "--grow", *flags & FL_GROW); + param_act(P_NO_INVERT, "quota", "--grow", invert); + info->flags |= XT_QUOTA_GROW; + *flags |= FL_GROW; + return true; + case 'n': + /* zero termination done on behalf of the kernel module */ + param_act(P_ONLY_ONCE, "quota", "--name", *flags & FL_NAME); + param_act(P_NO_INVERT, "quota", "--name", invert); + strncpy(info->name, optarg, sizeof(info->name)); + *flags |= FL_NAME; + return true; + case 'p': + param_act(P_ONLY_ONCE, "quota", "--packets", *flags & FL_PACKET); + param_act(P_NO_INVERT, "quota", "--packets", invert); + info->flags |= XT_QUOTA_PACKET; + *flags |= FL_PACKET; + return true; + case 'q': + param_act(P_ONLY_ONCE, "quota", "--quota", *flags & FL_QUOTA); + if (invert) + info->flags |= XT_QUOTA_INVERT; + info->quota = strtoull(optarg, &end, 0); + if (*end != '\0') + exit_error(PARAMETER_PROBLEM, "quota match: " + "invalid value for --quota"); + *flags |= FL_QUOTA; + return true; + } + return false; +} + +static void +quota_mt2_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_quota_mtinfo2 *q = (void *)match->data; + + if (q->flags & XT_QUOTA_INVERT) + printf("! "); + if (q->flags & XT_QUOTA_GROW) + printf("--grow "); + if (q->flags & XT_QUOTA_PACKET) + printf("--packets "); + if (*q->name != '\0') + printf("--name %s ", q->name); + printf("--quota %llu ", (unsigned long long)q->quota); +} + +static void quota_mt2_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + const struct xt_quota_mtinfo2 *q = (const void *)match->data; + + if (q->flags & XT_QUOTA_INVERT) + printf("! "); + if (q->flags & XT_QUOTA_GROW) + printf("counter"); + else + printf("quota"); + if (*q->name != '\0') + printf(" %s:", q->name); + printf(" %llu ", (unsigned long long)q->quota); + if (q->flags & XT_QUOTA_PACKET) + printf("packets "); + else + printf("bytes "); +} + +static struct xtables_match quota_mt2_reg = { + .family = AF_UNSPEC, + .revision = 2, + .name = "quota2", + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof (struct xt_quota_mtinfo2)), + .userspacesize = offsetof(struct xt_quota_mtinfo2, quota), + .help = quota_mt2_help, + .parse = quota_mt2_parse, + .print = quota_mt2_print, + .save = quota_mt2_save, + .extra_opts = quota_mt2_opts, +}; + +static void _init(void) +{ + xtables_register_match("a_mt2_reg); +} diff --git a/extensions/libxt_quota2.man b/extensions/libxt_quota2.man new file mode 100644 index 0000000..e18c681 --- /dev/null +++ b/extensions/libxt_quota2.man @@ -0,0 +1,31 @@ +The "quota2" implements a named counter which can be increased or decreased +on a per-match basis. Available modes are packet counting or byte counting. +The value of the counter can be read and reset through procfs, thereby making +this match a minimalist accounting tool. +.PP +When counting down from the initial quota, the counter will stop at 0 and +the match will return false, just like the original "quota" match. In growing +(upcounting) mode, it will always return true. +.TP +\fB--grow\fP +Count upwards instead of downwards. +.TP +\fB--name\fP \fIname\fP +Assign the counter a specific name. This option must be present, as an empty +name is not allowed. Names starting with a dot or names containing a slash are +prohibited. +.TP +[\fB!\fP] \fB--quota\fP \fIiq\fP +Specify the initial quota for this counter. If the counter already exists, +it is not reset. An "!" may be used to invert the result of the match. The +negation has no effect when \fB--grow\fP is used. +.TP +\fB--packets\fP +Count packets instead of bytes that passed the quota2 match. +.PP +Because counters in quota2 can be shared, you can combine them for various +purposes, for example, a bytebucket filter that only lets as much traffic go +out as has come in: +.PP +-A INPUT -p tcp --dport 6881 -m quota --name bt --grow +-A OUTPUT -p tcp --sport 6881 -m quota --name bt diff --git a/extensions/xt_quota2.c b/extensions/xt_quota2.c new file mode 100644 index 0000000..78dc677 --- /dev/null +++ b/extensions/xt_quota2.c @@ -0,0 +1,244 @@ +/* + * xt_quota2 - enhanced xt_quota that can count upwards and in packets + * as a minimal accounting match. + * by Jan Engelhardt , 2008 + * + * Originally based on xt_quota.c: + * netfilter module to enforce network quotas + * Sam Johnston + */ +#include +#include +#include +#include +#include + +#include +#include "xt_quota2.h" +#include "compat_xtables.h" + +struct quota_counter { + u_int64_t quota; + spinlock_t lock; + struct list_head list; + atomic_t ref; + char name[XT_QUOTA_COUNTER_NAME_LENGTH]; + struct proc_dir_entry *procfs_entry; +}; + +static LIST_HEAD(counter_list); +static DEFINE_SPINLOCK(counter_list_lock); + +static struct proc_dir_entry *proc_xt_quota; +static unsigned int quota_list_perms = S_IRUGO | S_IWUSR; +static unsigned int quota_list_uid = 0; +static unsigned int quota_list_gid = 0; +module_param_named(perms, quota_list_perms, uint, S_IRUGO | S_IWUSR); +module_param_named(uid, quota_list_uid, uint, S_IRUGO | S_IWUSR); +module_param_named(gid, quota_list_gid, uint, S_IRUGO | S_IWUSR); + +static int quota_proc_read(char *page, char **start, off_t offset, + int count, int *eof, void *data) +{ + struct quota_counter *e = data; + int ret; + + spin_lock_bh(&e->lock); + ret = snprintf(page, PAGE_SIZE, "%llu\n", e->quota); + spin_unlock_bh(&e->lock); + return ret; +} + +static int quota_proc_write(struct file *file, const char __user *input, + unsigned long size, void *data) +{ + struct quota_counter *e = data; + char buf[sizeof("18446744073709551616")]; + + if (size > sizeof(buf)) + size = sizeof(buf); + if (copy_from_user(buf, input, size) != 0) + return -EFAULT; + buf[sizeof(buf)-1] = '\0'; + + spin_lock_bh(&e->lock); + e->quota = simple_strtoul(buf, NULL, 0); + spin_unlock_bh(&e->lock); + return size; +} + +/** + * q2_get_counter - get ref to counter or create new + * @name: name of counter + */ +static struct quota_counter *q2_get_counter(const struct xt_quota_mtinfo2 *q) +{ + struct proc_dir_entry *p; + struct quota_counter *e; + + spin_lock_bh(&counter_list_lock); + list_for_each_entry(e, &counter_list, list) { + if (strcmp(e->name, q->name) == 0) { + atomic_inc(&e->ref); + spin_unlock_bh(&counter_list_lock); + return e; + } + } + + e = kmalloc(sizeof(struct quota_counter), GFP_KERNEL); + if (e == NULL) + goto out; + + e->quota = q->quota; + spin_lock_init(&e->lock); + INIT_LIST_HEAD(&e->list); + atomic_set(&e->ref, 1); + strncpy(e->name, q->name, sizeof(e->name)); + + p = e->procfs_entry = create_proc_entry(e->name, quota_list_perms, + proc_xt_quota); + if (p == NULL || IS_ERR(p)) + goto out; + + p->owner = THIS_MODULE; + p->data = e; + p->read_proc = quota_proc_read; + p->write_proc = quota_proc_write; + p->uid = quota_list_uid; + p->gid = quota_list_gid; + list_add_tail(&e->list, &counter_list); + spin_unlock_bh(&counter_list_lock); + return e; + + out: + spin_unlock_bh(&counter_list_lock); + kfree(e); + return NULL; +} + +static bool +quota_mt2_check(const char *tablename, const void *entry, + const struct xt_match *match, void *matchinfo, + unsigned int hook_mask) +{ + struct xt_quota_mtinfo2 *q = matchinfo; + + if (q->flags & ~XT_QUOTA_MASK) + return false; + + q->name[sizeof(q->name)-1] = '\0'; + if (*q->name == '\0' || *q->name == '.' || + strchr(q->name, '/') != NULL) { + printk(KERN_ERR "xt_quota.2: illegal name\n"); + return false; + } + + q->master = q2_get_counter(q); + if (q->master == NULL) { + printk(KERN_ERR "xt_quota.2: memory alloc failure\n"); + return false; + } + + return true; +} + +static void quota_mt2_destroy(const struct xt_match *match, void *matchinfo) +{ + struct xt_quota_mtinfo2 *q = matchinfo; + struct quota_counter *e = q->master; + + spin_lock_bh(&counter_list_lock); + if (!atomic_dec_and_test(&e->ref)) { + spin_unlock_bh(&counter_list_lock); + return; + } + + list_del(&e->list); + spin_unlock_bh(&counter_list_lock); + remove_proc_entry(e->name, proc_xt_quota); + kfree(e); +} + +static bool +quota_mt2(const struct sk_buff *skb, const struct net_device *in, + const struct net_device *out, const struct xt_match *match, + const void *matchinfo, int offset, unsigned int protoff, + bool *hotdrop) +{ + struct xt_quota_mtinfo2 *q = (void *)matchinfo; + struct quota_counter *e = q->master; + bool ret = q->flags & XT_QUOTA_INVERT; + + if (q->flags & XT_QUOTA_GROW) { + spin_lock_bh(&e->lock); + e->quota += (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len; + q->quota = e->quota; + spin_unlock_bh(&e->lock); + ret = true; + } else { + spin_lock_bh(&e->lock); + if (e->quota >= skb->len) { + e->quota -= (q->flags & XT_QUOTA_PACKET) ? 1 : skb->len; + ret = !ret; + } else { + /* we do not allow even small packets from now on */ + e->quota = 0; + } + q->quota = e->quota; + spin_unlock_bh(&e->lock); + } + + return ret; +} + +static struct xt_match quota_mt2_reg[] __read_mostly = { + { + .name = "quota2", + .revision = 2, + .family = AF_INET, + .checkentry = quota_mt2_check, + .match = quota_mt2, + .destroy = quota_mt2_destroy, + .matchsize = sizeof(struct xt_quota_mtinfo2), + .me = THIS_MODULE, + }, + { + .name = "quota2", + .revision = 2, + .family = AF_INET6, + .checkentry = quota_mt2_check, + .match = quota_mt2, + .destroy = quota_mt2_destroy, + .matchsize = sizeof(struct xt_quota_mtinfo2), + .me = THIS_MODULE, + }, +}; + +static int __init quota_mt2_init(void) +{ + int ret; + + proc_xt_quota = proc_mkdir("xt_quota", init_net__proc_net); + if (proc_xt_quota == NULL) + return -EACCES; + + ret = xt_register_matches(quota_mt2_reg, ARRAY_SIZE(quota_mt2_reg)); + if (ret < 0) + remove_proc_entry("xt_quota", init_net__proc_net); + return ret; +} + +static void __exit quota_mt2_exit(void) +{ + xt_unregister_matches(quota_mt2_reg, ARRAY_SIZE(quota_mt2_reg)); + remove_proc_entry("xt_quota", init_net__proc_net); +} + +module_init(quota_mt2_init); +module_exit(quota_mt2_exit); +MODULE_DESCRIPTION("Xtables: countdown quota match; up counter"); +MODULE_AUTHOR("Sam Johnston "); +MODULE_AUTHOR("Jan Engelhardt "); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_quota2"); +MODULE_ALIAS("ip6t_quota2"); diff --git a/extensions/xt_quota2.h b/extensions/xt_quota2.h new file mode 100644 index 0000000..cb13c79 --- /dev/null +++ b/extensions/xt_quota2.h @@ -0,0 +1,26 @@ +#ifndef _XT_QUOTA_H +#define _XT_QUOTA_H + +enum xt_quota_flags { + XT_QUOTA_INVERT = 1 << 0, + XT_QUOTA_GROW = 1 << 1, + XT_QUOTA_PACKET = 1 << 2, + XT_QUOTA_MASK = 0x7, + + XT_QUOTA_COUNTER_NAME_LENGTH = 31, +}; + +struct quota_counter; + +struct xt_quota_mtinfo2 { + char name[XT_QUOTA_COUNTER_NAME_LENGTH]; + u_int8_t flags; + + /* Comparison-invariant */ + aligned_u64 quota; + + /* Used internally by the kernel */ + struct quota_counter *master __attribute__((aligned(8))); +}; + +#endif /* _XT_QUOTA_H */ diff --git a/mconfig b/mconfig index 7b50b1a..a68d4c4 100644 --- a/mconfig +++ b/mconfig @@ -11,3 +11,4 @@ build_condition=m build_geoip=m build_ipp2p=m build_portscan=m +build_quota2=m