netfilter-2.6/patch-o-matic-ng/trunk: include/linux/netfilter_ipv4/ip_tables.h include/linux/netfilt...

pluto cvs at pld-linux.org
Thu Jul 28 10:29:36 CEST 2005


Author: pluto
Date: Thu Jul 28 10:29:31 2005
New Revision: 6246

Added:
   netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_fuzzy.h
   netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_geoip.h
   netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv6/ip6t_fuzzy.h
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_fuzzy.c
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_geoip.c
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/ip6t_fuzzy.c
Modified:
   netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_tables.h
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_tables.c
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Kconfig
   netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Makefile
   netfilter-2.6/patch-o-matic-ng/trunk/status
Log:
- fuzzy, geoip, goto.


Modified: netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_tables.h
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_tables.h	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ip_tables.h	Thu Jul 28 10:29:31 2005
@@ -109,7 +109,8 @@
 
 /* Values for "flag" field in struct ipt_ip (general ip structure). */
 #define IPT_F_FRAG		0x01	/* Set if rule is a fragment rule */
-#define IPT_F_MASK		0x01	/* All possible flag bits mask. */
+#define IPT_F_GOTO		0x02	/* Set if jump is a goto */
+#define IPT_F_MASK		0x03	/* All possible flag bits mask. */
 
 /* Values for "inv" field in struct ipt_ip. */
 #define IPT_INV_VIA_IN		0x01	/* Invert the sense of IN IFACE. */

Added: netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_fuzzy.h
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_fuzzy.h	Thu Jul 28 10:29:31 2005
@@ -0,0 +1,21 @@
+#ifndef _IPT_FUZZY_H
+#define _IPT_FUZZY_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ipt_fuzzy_info {
+	u_int32_t minimum_rate;
+	u_int32_t maximum_rate;
+	u_int32_t packets_total;
+	u_int32_t bytes_total;
+	u_int32_t previous_time;
+	u_int32_t present_time;
+	u_int32_t mean_rate;
+	u_int8_t acceptance_rate;
+};
+
+#endif /*_IPT_FUZZY_H*/
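Review bot: `struct ipt_fuzzy_info` mixes two user-configured limits with six fields that the kernel match rewrites on every packet (`packets_total`, `bytes_total`, `previous_time`, `present_time`, `mean_rate`, `acceptance_rate`), and the header gives no hint which is which even though the whole struct is copied in from userspace. Add `/* Configured from userspace; compared against a packets-per-second mean in ipt_fuzzy.c */` above `minimum_rate` and `/* Kernel-maintained sampling state; values supplied by userspace carry no meaning */` above `packets_total`, and a one-line comment on `MINFUZZYRATE`/`MAXFUZZYRATE` saying they bound the accepted limits. The same layout and the same missing comments are in ip6t_fuzzy.h in this commit.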

Added: netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_geoip.h
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv4/ipt_geoip.h	Thu Jul 28 10:29:31 2005
@@ -0,0 +1,50 @@
+/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c
+ * 
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * Copyright (c) 2004 Cookinglinux
+ */
+#ifndef _IPT_GEOIP_H
+#define _IPT_GEOIP_H
+
+#define IPT_GEOIP_SRC         0x01     /* Perform check on Source IP */
+#define IPT_GEOIP_DST         0x02     /* Perform check on Destination IP */
+#define IPT_GEOIP_INV         0x04     /* Negate the condition */
+
+#define IPT_GEOIP_MAX         15       /* Maximum of countries */
+
+struct geoip_subnet {
+   u_int32_t begin;
+   u_int32_t end;
+};
+
+struct geoip_info {
+   struct geoip_subnet *subnets;
+   u_int32_t count;
+   u_int32_t ref;
+   u_int16_t cc;
+   struct geoip_info *next;
+   struct geoip_info *prev;
+};
+
+struct ipt_geoip_info {
+   u_int8_t flags;
+   u_int8_t count;
+   u_int16_t cc[IPT_GEOIP_MAX];
+
+   /* Used internally by the kernel */
+   struct geoip_info *mem[IPT_GEOIP_MAX];
+   u_int8_t *refcount;
+
+   /* not implemented yet:
+   void *fini;
+   */
+};
+
+#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF)
+
+#endif
+
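Review bot: `#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF)` does not parenthesise its argument, so any non-trivial expression passed as `cc` is shifted and masked with the wrong precedence; write `#define COUNTRY(cc) ((cc) >> 8), ((cc) & 0x00FF)` and add `/* expands to two printf arguments: the two ASCII letters of the country code */`, since a comma expansion is only usable inside an argument list. Separately, `struct ipt_geoip_info` is copied from userspace as a whole, yet `mem[]` and `refcount` are later dereferenced as kernel pointers; the `/* Used internally by the kernel */` comment should state what ipt_geoip.c actually expects, namely that `mem[i]` holds a userspace pointer to the country data on entry and is replaced by a kernel pointer in checkentry, and that `refcount` is NULL for a rule that checkentry has not seen yet. Without that, a reader cannot tell which of these values is trusted input and which is not.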

Added: netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv6/ip6t_fuzzy.h
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/include/linux/netfilter_ipv6/ip6t_fuzzy.h	Thu Jul 28 10:29:31 2005
@@ -0,0 +1,21 @@
+#ifndef _IP6T_FUZZY_H
+#define _IP6T_FUZZY_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ip6t_fuzzy_info {
+	u_int32_t minimum_rate;
+	u_int32_t maximum_rate;
+	u_int32_t packets_total;
+	u_int32_t bytes_total;
+	u_int32_t previous_time;
+	u_int32_t present_time;
+	u_int32_t mean_rate;
+	u_int8_t acceptance_rate;
+};
+
+#endif /*_IP6T_FUZZY_H*/

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Kconfig	Thu Jul 28 10:29:31 2005
@@ -818,5 +818,31 @@
 	  If you want to compile it as a module, say M here and read
 	  Documentation/modules.txt.  If unsure, say `N'.
 
+config IP_NF_MATCH_FUZZY
+	tristate  'fuzzy match support'
+	depends on IP_NF_IPTABLES
+	help
+	  This option adds a `fuzzy' match, which allows you to match
+	  packets according to a fuzzy logic based law.
+	
+	  If you want to compile it as a module, say M here and read
+	  Documentation/modules.txt.  If unsure, say `N'.
+
+config IP_NF_MATCH_GEOIP
+   tristate  'geoip match support'
+   depends on IP_NF_IPTABLES
+   help
+          This option allows you to match a packet by its source or
+          destination country.  Basically, you need a country's
+          database containing all subnets and associated countries.
+
+          For the complete procedure and understanding, read :
+          http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO.html
+
+
+          If you want to compile it as a module, say M here and read
+          <file:Documentation/modules.txt>.  If unsure, say `N'.
+
+
 endmenu
 

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/Makefile	Thu Jul 28 10:29:31 2005
@@ -51,6 +51,8 @@
 # matches
 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
+obj-$(CONFIG_IP_NF_MATCH_GEOIP) += ipt_geoip.o
+
 obj-$(CONFIG_IP_NF_MATCH_HASHLIMIT) += ipt_hashlimit.o
 obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
@@ -61,6 +63,8 @@
 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
 obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
 
+obj-$(CONFIG_IP_NF_MATCH_FUZZY) += ipt_fuzzy.o
+
 obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
 
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_tables.c
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_tables.c	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ip_tables.c	Thu Jul 28 10:29:31 2005
@@ -343,7 +343,7 @@
 					continue;
 				}
 				if (table_base + v
-				    != (void *)e + e->next_offset) {
+				    != (void *)e + e->next_offset && !(e->ip.flags & IPT_F_GOTO)) {
 					/* Save old back ptr in next entry */
 					struct ipt_entry *next
 						= (void *)e + e->next_offset;
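Review bot: The new `&& !(e->ip.flags & IPT_F_GOTO)` term carries no comment, and the reason a goto must not save a back pointer (the target chain does not return to this rule, so the caller's back pointer stays current) is not obvious from the surrounding code; suggest `/* goto: the target never returns here, keep the caller's back ptr */` on the line above the condition. The enclosing function (presumably mark_source_chains, judging by the back-pointer bookkeeping) starts and ends outside the hunk, so I cannot see whether the chain-loop detection elsewhere in it needs the same distinction.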

Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_fuzzy.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_fuzzy.c	Thu Jul 28 10:29:31 2005
@@ -0,0 +1,185 @@
+/*
+ *  This module implements a simple TSK FLC 
+ * (Takagi-Sugeno-Kang Fuzzy Logic Controller) that aims
+ * to limit , in an adaptive and flexible way , the packet rate crossing 
+ * a given stream . It serves as an initial and very simple (but effective)
+ * example of how Fuzzy Logic techniques can be applied to defeat DoS attacks.
+ *  As a matter of fact , Fuzzy Logic can help us to insert any "behavior"  
+ * into our code in a precise , adaptive and efficient manner. 
+ *  The goal is very similar to that of "limit" match , but using techniques of
+ * Fuzzy Control , that allow us to shape the transfer functions precisely ,
+ * avoiding over and undershoots - and stuff like that .
+ *
+ *
+ * 2002-08-10  Hime Aguiar e Oliveira Jr. <hime at engineer.com> : Initial version.
+ * 2002-08-17  : Changed to eliminate floating point operations .
+ * 2002-08-23  : Coding style changes .
+*/
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/random.h>
+#include <net/tcp.h>
+#include <linux/spinlock.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_fuzzy.h>
+
+/*
+ Packet Acceptance Rate - LOW and Packet Acceptance Rate - HIGH
+ Expressed in percentage
+*/
+
+#define PAR_LOW		1/100
+#define PAR_HIGH	1
+
+static spinlock_t fuzzy_lock = SPIN_LOCK_UNLOCKED ;
+
+MODULE_AUTHOR("Hime Aguiar e Oliveira Junior <hime at engineer.com>");
+MODULE_DESCRIPTION("IP tables Fuzzy Logic Controller match module");
+MODULE_LICENSE("GPL");
+
+static  u_int8_t mf_high(u_int32_t tx,u_int32_t mini,u_int32_t maxi)
+{
+	if (tx >= maxi)
+		return 100;
+
+	if (tx <= mini)
+		return 0;
+
+	return ( (100*(tx-mini)) / (maxi-mini) );
+}
+
+static u_int8_t mf_low(u_int32_t tx,u_int32_t mini,u_int32_t maxi)
+{
+	if (tx <= mini)
+		return 100;
+
+	if (tx >= maxi)
+		return 0;
+
+	return ( (100*( maxi - tx ))  / ( maxi - mini ) );
+}
+
+static int
+ipt_fuzzy_match(const struct sk_buff *pskb,
+	       const struct net_device *in,
+	       const struct net_device *out,
+	       const void *matchinfo,
+	       int offset,
+	       int *hotdrop)
+{
+	/* From userspace */
+	
+	struct ipt_fuzzy_info *info = (struct ipt_fuzzy_info *) matchinfo;
+
+	u_int8_t random_number;
+	unsigned long amount;
+	u_int8_t howhigh, howlow;
+	
+
+	spin_lock_bh(&fuzzy_lock); /* Rise the lock */
+
+	info->bytes_total += pskb->len;
+	info->packets_total++;
+
+	info->present_time = jiffies;
+	
+	if (info->present_time >= info->previous_time)
+		amount = info->present_time - info->previous_time;
+	else { 
+	       	/* There was a transition : I choose to re-sample 
+		   and keep the old acceptance rate...
+	        */
+
+		amount = 0;
+		info->previous_time = info->present_time;
+		info->bytes_total = info->packets_total = 0;
+	};
+	
+	if (amount > HZ/10) /* More than 100 ms elapsed ... */
+	{
+
+		info->mean_rate = (u_int32_t) ((HZ*info->packets_total)  \
+		  		        / amount );
+
+		info->previous_time = info->present_time;
+		info->bytes_total = info->packets_total = 0;
+
+		howhigh = mf_high(info->mean_rate,info->minimum_rate,info->maximum_rate);
+		howlow  = mf_low(info->mean_rate,info->minimum_rate,info->maximum_rate);
+
+		info->acceptance_rate = (u_int8_t) \
+		           (howhigh*PAR_LOW + PAR_HIGH*howlow);
+
+    		/* In fact , the above defuzzification would require a denominator
+		   proportional to (howhigh+howlow) but , in this particular case ,
+		   that expression is constant .
+		   An imediate consequence is that it isn't necessary to call 
+		   both mf_high and mf_low - but to keep things understandable ,
+		   I did so .  */ 
+
+	}
+	
+	spin_unlock_bh(&fuzzy_lock); /* Release the lock */
+
+
+	if ( info->acceptance_rate < 100 )
+	{		 
+		get_random_bytes((void *)(&random_number), 1);
+
+		/*  If within the acceptance , it can pass => don't match */
+		if (random_number <= (255 * info->acceptance_rate) / 100)
+			return 0;
+		else
+			return 1; /* It can't pass ( It matches ) */
+	} ;
+
+	return 0; /* acceptance_rate == 100 % => Everything passes ... */
+	
+}
+
+static int
+ipt_fuzzy_checkentry(const char *tablename,
+		   const struct ipt_ip *e,
+		   void *matchinfo,
+		   unsigned int matchsize,
+		   unsigned int hook_mask)
+{
+	
+	const struct ipt_fuzzy_info *info = matchinfo;
+
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_fuzzy_info))) {
+		printk("ipt_fuzzy: matchsize %u != %zu\n", matchsize,
+		       IPT_ALIGN(sizeof(struct ipt_fuzzy_info)));
+		return 0;
+	}
+
+	if ((info->minimum_rate < MINFUZZYRATE ) || (info->maximum_rate > MAXFUZZYRATE)
+	    || (info->minimum_rate >= info->maximum_rate )) {
+		printk("ipt_fuzzy: BAD limits , please verify !!!\n");
+		return 0;
+	}
+
+	return 1;
+}
+
+static struct ipt_match ipt_fuzzy_reg = { 
+	.name = "fuzzy",
+	.match = ipt_fuzzy_match,
+	.checkentry = ipt_fuzzy_checkentry,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return ipt_register_match(&ipt_fuzzy_reg);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&ipt_fuzzy_reg);
+}
+
+module_init(init);
+module_exit(fini);
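Review bot: `ipt_fuzzy_checkentry` validates only `minimum_rate`/`maximum_rate` and leaves the sampling state (`previous_time`, `packets_total`, `bytes_total`, `mean_rate`, `acceptance_rate`) as whatever the userspace copy of the rule contained, yet `ipt_fuzzy_match` reads `acceptance_rate` at `if ( info->acceptance_rate < 100 )` and `previous_time` before it has ever written them, so the first decisions of a fresh rule are driven by whatever iptables happened to pass rather than by the kernel. Initialise that state in checkentry as sketched below (the `const` on `info` has to go; the parameter is already `void *`). `#define PAR_LOW 1/100` is unparenthesised and only yields the intended `howhigh/100` because `howhigh*PAR_LOW` associates as `(howhigh*1)/100`; with the operands reversed it would be zero, so define the weights as a numerator/denominator pair or write the division out at the use site. The `printk` calls in checkentry also lack a `KERN_*` level. ip6t_fuzzy.c in this commit has the same checkentry and `PAR_LOW` issues.
```c
	struct ipt_fuzzy_info *info = matchinfo;

	/* … unchanged: matchsize and min/max rate checks … */

	/* Sampling state belongs to the kernel; do not inherit whatever the
	 * userspace copy of the rule carried in these fields. */
	info->packets_total = info->bytes_total = 0;
	info->mean_rate = 0;
	info->previous_time = info->present_time = jiffies;
	info->acceptance_rate = 100;

	return 1;
```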

Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_geoip.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv4/netfilter/ipt_geoip.c	Thu Jul 28 10:29:31 2005
@@ -0,0 +1,275 @@
+/* netfilter's kernel module for the geoip match
+ * 
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * Copyright (c) 2004 Cookinglinux
+ */
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <asm/uaccess.h>
+#include <asm/atomic.h>
+
+#include <linux/netfilter_ipv4/ipt_geoip.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Samuel Jean, Nicolas Bouliane");
+MODULE_DESCRIPTION("iptables/netfilter's geoip match");
+
+struct geoip_info *head = NULL;
+static spinlock_t geoip_lock = SPIN_LOCK_UNLOCKED;
+
+static struct geoip_info *add_node(struct geoip_info *memcpy)
+{
+   struct geoip_info *p =
+      (struct geoip_info *)kmalloc(sizeof(struct geoip_info), GFP_KERNEL);
+
+   struct geoip_subnet *s;
+   
+   if ((p == NULL) || (copy_from_user(p, memcpy, sizeof(struct geoip_info)) != 0))
+      return NULL;
+
+   s = (struct geoip_subnet *)kmalloc(p->count * sizeof(struct geoip_subnet), GFP_KERNEL);
+   if ((s == NULL) || (copy_from_user(s, p->subnets, p->count * sizeof(struct geoip_subnet)) != 0))
+      return NULL;
+  
+   spin_lock_bh(&geoip_lock);
+
+   p->subnets = s;
+   p->ref = 1;
+   p->next = head;
+   p->prev = NULL;
+   if (p->next) p->next->prev = p;
+   head = p;
+
+   spin_unlock_bh(&geoip_lock);
+   return p;
+}
+
+static void remove_node(struct geoip_info *p)
+ {
+   spin_lock_bh(&geoip_lock);
+   
+   if (p->next) { /* Am I following a node ? */
+      p->next->prev = p->prev;
+      if (p->prev) p->prev->next = p->next; /* Is there a node behind me ? */
+      else head = p->next; /* No? Then I was the head */
+   }
+   
+   else 
+      if (p->prev) /* Is there a node behind me ? */
+         p->prev->next = NULL;
+      else
+         head = NULL; /* No, we're alone */
+
+   /* So now am unlinked or the only one alive, right ?
+    * What are you waiting ? Free up some memory!
+    */
+
+   kfree(p->subnets);
+   kfree(p);
+   
+   spin_unlock_bh(&geoip_lock);   
+   return;
+}
+
+static struct geoip_info *find_node(u_int16_t cc)
+{
+   struct geoip_info *p = head;
+   spin_lock_bh(&geoip_lock);
+   
+   while (p) {
+      if (p->cc == cc) {
+         spin_unlock_bh(&geoip_lock);         
+         return p;
+      }
+      p = p->next;
+   }
+   spin_unlock_bh(&geoip_lock);
+   return NULL;
+}
+
+static int match(const struct sk_buff *skb,
+                 const struct net_device *in,
+                 const struct net_device *out,
+                 const void *matchinfo,
+                 int offset,
+                 int *hotdrop)
+{
+   const struct ipt_geoip_info *info = matchinfo;
+   const struct geoip_info *node; /* This keeps the code sexy */
+   const struct iphdr *iph = skb->nh.iph;
+   u_int32_t ip, j;
+   u_int8_t i;
+
+   if (info->flags & IPT_GEOIP_SRC)
+      ip = ntohl(iph->saddr);
+   else
+      ip = ntohl(iph->daddr);
+
+   spin_lock_bh(&geoip_lock);
+   for (i = 0; i < info->count; i++) {
+      if ((node = info->mem[i]) == NULL) {
+         printk(KERN_ERR "ipt_geoip: what the hell ?? '%c%c' isn't loaded into memory... skip it!\n",
+               COUNTRY(info->cc[i]));
+         
+         continue;
+      }
+
+      for (j = 0; j < node->count; j++)
+         if ((ip > node->subnets[j].begin) && (ip < node->subnets[j].end)) {
+            spin_unlock_bh(&geoip_lock);
+            return (info->flags & IPT_GEOIP_INV) ? 0 : 1;
+         }
+   }
+   
+   spin_unlock_bh(&geoip_lock);
+   return (info->flags & IPT_GEOIP_INV) ? 1 : 0;
+}
+
+static int geoip_checkentry(const char *tablename,
+                             const struct ipt_ip *ip,
+                             void *matchinfo,
+                             unsigned int matchsize,
+                             unsigned int hook_mask)
+{
+   struct ipt_geoip_info *info = matchinfo;
+   struct geoip_info *node;
+   u_int8_t i;
+
+   /* FIXME:   Call a function to free userspace allocated memory.
+    *          As Martin J. said; this match might eat lot of memory
+    *          if commited with iptables-restore --noflush
+   void (*gfree)(struct geoip_info *oldmem);
+   gfree = info->fini;
+   */
+
+   if (matchsize != IPT_ALIGN(sizeof(struct ipt_geoip_info))) {
+      printk(KERN_ERR "ipt_geoip: matchsize differ, you may have forgotten to recompile me\n");
+      return 0;
+   }
+
+   /* If info->refcount isn't NULL, then
+    * it means that checkentry() already
+    * initialized this entry. Increase a
+    * refcount to prevent destroy() of
+    * this entry. */
+   if (info->refcount != NULL) {
+      atomic_inc((atomic_t *)info->refcount);
+      return 1;
+   }
+   
+   
+   for (i = 0; i < info->count; i++) {
+     
+      if ((node = find_node(info->cc[i])) != NULL)
+            atomic_inc((atomic_t *)&node->ref);   //increase the reference
+      else
+         if ((node = add_node(info->mem[i])) == NULL) {
+            printk(KERN_ERR
+                  "ipt_geoip: unable to load '%c%c' into memory\n",
+                  COUNTRY(info->cc[i]));
+            return 0;
+         }
+
+      /* Free userspace allocated memory for that country.
+       * FIXME:   It's a bit odd to call this function everytime
+       *          we process a country.  Would be nice to call
+       *          it once after all countries've been processed.
+       *          - SJ
+       * *not implemented for now*
+      gfree(info->mem[i]);
+      */
+
+      /* Overwrite the now-useless pointer info->mem[i] with
+       * a pointer to the node's kernelspace structure.
+       * This avoids searching for a node in the match() and
+       * destroy() functions.
+       */
+      info->mem[i] = node;
+   }
+
+   /* We allocate some memory and give info->refcount a pointer
+    * to this memory.  This prevents checkentry() from increasing a refcount
+    * different from the one used by destroy().
+    * For explanation, see http://www.mail-archive.com/netfilter-devel@lists.samba.org/msg00625.html
+    */
+   info->refcount = kmalloc(sizeof(u_int8_t), GFP_KERNEL);
+   if (info->refcount == NULL) {
+      printk(KERN_ERR "ipt_geoip: failed to allocate `refcount' memory\n");
+      return 0;
+   }
+   *(info->refcount) = 1;
+   
+   return 1;
+}
+
+static void geoip_destroy(void *matchinfo, unsigned int matchsize)
+{
+   u_int8_t i;
+   struct geoip_info *node; /* this keeps the code sexy */
+ 
+   struct ipt_geoip_info *info = matchinfo;
+   /* Decrease the previously increased refcount in checkentry()
+    * If it's equal to 1, we know this entry is just moving
+    * but not removed. We simply return to avoid useless destroy()
+    * processing.
+    */
+   atomic_dec((atomic_t *)info->refcount);
+   if (*info->refcount)
+      return;
+
+   /* Don't leak my memory, you idiot.
+    * Bug found with nfsim.. the netfilter's best
+    * friend. --peejix */
+   kfree(info->refcount);
+ 
+   /* This entry has been removed from the table so
+    * decrease the refcount of all countries it is
+    * using.
+    */
+  
+   for (i = 0; i < info->count; i++)
+      if ((node = info->mem[i]) != NULL) {
+         atomic_dec((atomic_t *)&node->ref);
+
+         /* Free up some memory if that node isn't used
+          * anymore. */
+         if (node->ref < 1)
+            remove_node(node);
+      }
+      else
+         /* Something strange happened. There's no memory allocated for this
+          * country.  Please send this bug to the mailing list. */
+         printk(KERN_ERR
+               "ipt_geoip: What happened peejix ? What happened acidmen ?\n"
+               "ipt_geoip: please report this bug to the maintainers\n");
+   return;
+}
+
+static struct ipt_match geoip_match = {
+   .name    = "geoip",
+   .match      = &match,
+   .checkentry = &geoip_checkentry,
+   .destroy    = &geoip_destroy,
+   .me      = THIS_MODULE
+};
+
+static int __init init(void)
+{
+   return ipt_register_match(&geoip_match);
+}
+
+static void __exit fini(void)
+{
+  ipt_unregister_match(&geoip_match);
+  return;
+}
+
+module_init(init);
+module_exit(fini);
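Review bot: `info->refcount` is allocated with `kmalloc(sizeof(u_int8_t), GFP_KERNEL)` but is only ever touched through `atomic_inc((atomic_t *)info->refcount)` / `atomic_dec((atomic_t *)info->refcount)`, i.e. a 4-byte atomic read-modify-write against a 1-byte `u_int8_t *` object; make the field `atomic_t *refcount` in ipt_geoip.h, allocate `sizeof(atomic_t)`, and use `atomic_dec_and_test()` in geoip_destroy instead of `atomic_dec` followed by a plain read. The same pattern on `node->ref` (`atomic_dec((atomic_t *)&node->ref)` then `if (node->ref < 1)`) is not atomic as a whole and runs outside `geoip_lock`, so unless the caller serialises destroy() two rules releasing the same country can both observe `ref < 1` and both call `remove_node`. `add_node` returns NULL after a failed `copy_from_user` or subnet allocation without freeing `p` (and `s` on the copy failure), and when `add_node(info->mem[i])` fails part-way through the loop in `geoip_checkentry` the countries already added or referenced for this rule are never released. Both `mem[]` and `refcount` arrive in the userspace copy of the rule and are dereferenced as kernel pointers (the `info->refcount != NULL` shortcut, `info->mem[i]` in destroy); the design depends on iptables round-tripping kernel state unchanged, which should be stated in a comment at the shortcut because nothing here validates it. Finally, `struct geoip_info *head` should be `static`, `find_node` reads `head` before taking `geoip_lock`, and the range test `(ip > node->subnets[j].begin) && (ip < node->subnets[j].end)` excludes both ends of every subnet, which looks unintended.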

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Kconfig
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Kconfig	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Kconfig	Thu Jul 28 10:29:31 2005
@@ -252,5 +252,15 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP6_NF_MATCH_FUZZY
+	tristate  'Fuzzy match support'
+	depends on IP6_NF_FILTER
+	help
+	  This option adds a `fuzzy' match, which allows you to match
+	  packets according to a fuzzy logic based law.
+	
+	  If you want to compile it as a module, say M here and read
+	  Documentation/modules.txt.  If unsure, say `N'.
+
 endmenu
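Review bot: `IP6_NF_MATCH_FUZZY` depends on `IP6_NF_FILTER`, i.e. on the filter table, whereas the IPv4 entry added in the same commit depends on `IP_NF_IPTABLES`; a match module only needs the ip6_tables core, so `depends on IP6_NF_IPTABLES` is presumably the intended line and avoids hiding the option when only another table is enabled. The prompt is also capitalised differently from the IPv4 one (`'Fuzzy match support'` vs `'fuzzy match support'`).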
 

Modified: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Makefile
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Makefile	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/Makefile	Thu Jul 28 10:29:31 2005
@@ -8,6 +8,7 @@
 obj-$(CONFIG_IP6_NF_MATCH_MARK) += ip6t_mark.o
 obj-$(CONFIG_IP6_NF_MATCH_LENGTH) += ip6t_length.o
 obj-$(CONFIG_IP6_NF_MATCH_MAC) += ip6t_mac.o
+obj-$(CONFIG_IP6_NF_MATCH_FUZZY) += ip6t_fuzzy.o
 obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
 obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o ip6t_dst.o
 obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o

Added: netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/ip6t_fuzzy.c
==============================================================================
--- (empty file)
+++ netfilter-2.6/patch-o-matic-ng/trunk/net/ipv6/netfilter/ip6t_fuzzy.c	Thu Jul 28 10:29:31 2005
@@ -0,0 +1,188 @@
+/*
+ * This module implements a simple TSK FLC
+ * (Takagi-Sugeno-Kang Fuzzy Logic Controller) that aims
+ * to limit , in an adaptive and flexible way , the packet rate crossing
+ * a given stream . It serves as an initial and very simple (but effective)
+ * example of how Fuzzy Logic techniques can be applied to defeat DoS attacks.
+ *  As a matter of fact , Fuzzy Logic can help us to insert any "behavior"
+ * into our code in a precise , adaptive and efficient manner.
+ *  The goal is very similar to that of "limit" match , but using techniques of
+ * Fuzzy Control , that allow us to shape the transfer functions precisely ,
+ * avoiding over and undershoots - and stuff like that .
+ *
+ *
+ * 2002-08-10  Hime Aguiar e Oliveira Jr. <hime at engineer.com> : Initial version.
+ * 2002-08-17  : Changed to eliminate floating point operations .
+ * 2002-08-23  : Coding style changes .
+ * 2003-04-08  Maciej Soltysiak <solt at dns.toxicilms.tv> : IPv6 Port
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ipv6.h>
+#include <linux/random.h>
+#include <net/tcp.h>
+#include <linux/spinlock.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_fuzzy.h>
+
+/*
+ Packet Acceptance Rate - LOW and Packet Acceptance Rate - HIGH
+ Expressed in percentage
+*/
+
+#define PAR_LOW		1/100
+#define PAR_HIGH	1
+
+static spinlock_t fuzzy_lock = SPIN_LOCK_UNLOCKED;
+
+MODULE_AUTHOR("Hime Aguiar e Oliveira Junior <hime at engineer.com>");
+MODULE_DESCRIPTION("IP tables Fuzzy Logic Controller match module");
+MODULE_LICENSE("GPL");
+
+static  u_int8_t mf_high(u_int32_t tx,u_int32_t mini,u_int32_t maxi)
+{
+	if (tx >= maxi) return 100;
+
+	if (tx <= mini) return 0;
+
+	return ((100 * (tx-mini)) / (maxi-mini));
+}
+
+static u_int8_t mf_low(u_int32_t tx,u_int32_t mini,u_int32_t maxi)
+{
+	if (tx <= mini) return 100;
+
+	if (tx >= maxi) return 0;
+
+	return ((100 * (maxi - tx)) / (maxi - mini));
+
+}
+
+static int
+ip6t_fuzzy_match(const struct sk_buff *pskb,
+	       const struct net_device *in,
+	       const struct net_device *out,
+	       const void *matchinfo,
+	       int offset,
+	       unsigned int protoff,
+	       int *hotdrop)
+{
+	/* From userspace */
+
+	struct ip6t_fuzzy_info *info = (struct ip6t_fuzzy_info *) matchinfo;
+
+	u_int8_t random_number;
+	unsigned long amount;
+	u_int8_t howhigh, howlow;
+
+
+	spin_lock_bh(&fuzzy_lock); /* Rise the lock */
+
+	info->bytes_total += pskb->len;
+	info->packets_total++;
+
+	info->present_time = jiffies;
+
+	if (info->present_time >= info->previous_time)
+		amount = info->present_time - info->previous_time;
+	else {
+	       	/* There was a transition : I choose to re-sample
+		   and keep the old acceptance rate...
+	        */
+
+		amount = 0;
+		info->previous_time = info->present_time;
+		info->bytes_total = info->packets_total = 0;
+	     };
+
+	if ( amount > HZ/10) {/* More than 100 ms elapsed ... */
+
+		info->mean_rate = (u_int32_t) ((HZ * info->packets_total) \
+		  		        / amount);
+
+		info->previous_time = info->present_time;
+		info->bytes_total = info->packets_total = 0;
+
+		howhigh = mf_high(info->mean_rate,info->minimum_rate,info->maximum_rate);
+		howlow  = mf_low(info->mean_rate,info->minimum_rate,info->maximum_rate);
+
+		info->acceptance_rate = (u_int8_t) \
+				(howhigh * PAR_LOW + PAR_HIGH * howlow);
+
+	/* In fact, the above defuzzification would require a denominator
+	 * proportional to (howhigh+howlow) but, in this particular case,
+	 * that expression is constant.
+	 * An imediate consequence is that it is not necessary to call
+	 * both mf_high and mf_low - but to keep things understandable,
+	 * I did so.
+	 */
+
+	}
+
+	spin_unlock_bh(&fuzzy_lock); /* Release the lock */
+
+
+	if (info->acceptance_rate < 100)
+	{
+		get_random_bytes((void *)(&random_number), 1);
+
+		/*  If within the acceptance , it can pass => don't match */
+		if (random_number <= (255 * info->acceptance_rate) / 100)
+			return 0;
+		else
+			return 1; /* It can't pass (It matches) */
+	};
+
+	return 0; /* acceptance_rate == 100 % => Everything passes ... */
+
+}
+
+static int
+ip6t_fuzzy_checkentry(const char *tablename,
+		   const struct ip6t_ip6 *ip,
+		   void *matchinfo,
+		   unsigned int matchsize,
+		   unsigned int hook_mask)
+{
+
+	const struct ip6t_fuzzy_info *info = matchinfo;
+
+	if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_fuzzy_info))) {
+		printk("ip6t_fuzzy: matchsize %u != %zu\n", matchsize,
+		       IP6T_ALIGN(sizeof(struct ip6t_fuzzy_info)));
+		return 0;
+	}
+
+	if ((info->minimum_rate < MINFUZZYRATE) || (info->maximum_rate > MAXFUZZYRATE)
+	 || (info->minimum_rate >= info->maximum_rate)) {
+		printk("ip6t_fuzzy: BAD limits , please verify !!!\n");
+		return 0;
+	}
+
+	return 1;
+}
+
+static struct ip6t_match ip6t_fuzzy_reg = {
+	{NULL, NULL},
+	"fuzzy",
+	ip6t_fuzzy_match,
+	ip6t_fuzzy_checkentry,
+	NULL,
+	THIS_MODULE };
+
+static int __init init(void)
+{
+	if (ip6t_register_match(&ip6t_fuzzy_reg))
+		return -EINVAL;
+
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	ip6t_unregister_match(&ip6t_fuzzy_reg);
+}
+
+module_init(init);
+module_exit(fini);
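Review bot: `ip6t_fuzzy_reg` is filled with a positional initializer `{ {NULL, NULL}, "fuzzy", ip6t_fuzzy_match, ip6t_fuzzy_checkentry, NULL, THIS_MODULE }`, which silently binds to whatever field order `struct ip6t_match` has in the target kernel, while the IPv4 module in the same commit uses designated initializers; write `.name = "fuzzy", .match = ip6t_fuzzy_match, .checkentry = ip6t_fuzzy_checkentry, .me = THIS_MODULE` here as well. `init()` maps every `ip6t_register_match` failure to `-EINVAL`; returning the registration result directly, as ipt_fuzzy.c does, preserves the real error code. The `printk` calls in `ip6t_fuzzy_checkentry` lack a `KERN_*` level.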

Modified: netfilter-2.6/patch-o-matic-ng/trunk/status
==============================================================================
--- netfilter-2.6/patch-o-matic-ng/trunk/status	(original)
+++ netfilter-2.6/patch-o-matic-ng/trunk/status	Thu Jul 28 10:29:31 2005
@@ -8,9 +8,9 @@
 connlimit				added
 conntrack-event-api	2005/07/27	updated
 ctnetlink				added		(v0.60)
-fuzzy					added
-geoip					added
-goto					added
+fuzzy			2005/07/27	added
+geoip			2005/07/27	added
+goto			2005/07/27	added
 h323-conntrack-nat	2005/07/27	updated
 hashlimit				updated
 HOPLIMIT				added


