SOURCES (LINUX_2_6): linux-2.6-nf-nth.patch (NEW) - [base] nth match.
pluto
pluto at pld-linux.org
Thu Sep 15 10:14:14 CEST 2005
Author: pluto Date: Thu Sep 15 08:14:14 2005 GMT
Module: SOURCES Tag: LINUX_2_6
---- Log message:
- [base] nth match.
---- Files affected:
SOURCES:
linux-2.6-nf-nth.patch (NONE -> 1.1.2.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/linux-2.6-nf-nth.patch
diff -u /dev/null SOURCES/linux-2.6-nf-nth.patch:1.1.2.1
--- /dev/null Thu Sep 15 10:14:14 2005
+++ SOURCES/linux-2.6-nf-nth.patch Thu Sep 15 10:14:09 2005
@@ -0,0 +1,479 @@
+ include/linux/netfilter_ipv4/ipt_nth.h | 19 +++
+ include/linux/netfilter_ipv6/ip6t_nth.h | 19 +++
+ net/ipv4/netfilter/Kconfig | 24 ++++
+ net/ipv4/netfilter/Makefile | 2
+ net/ipv4/netfilter/ipt_nth.c | 166 ++++++++++++++++++++++++++++++
+ net/ipv6/netfilter/Kconfig | 24 ++++
+ net/ipv6/netfilter/Makefile | 2
+ net/ipv6/netfilter/ip6t_nth.c | 173 ++++++++++++++++++++++++++++++++
+ 8 files changed, 429 insertions(+)
+
+diff -uNr linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ipt_nth.h linux-2.6.13.1/include/linux/netfilter_ipv4/ipt_nth.h
+--- linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ipt_nth.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/include/linux/netfilter_ipv4/ipt_nth.h 2005-09-15 10:12:52.293374250 +0200
+@@ -0,0 +1,19 @@
++#ifndef _IPT_NTH_H
++#define _IPT_NTH_H
++
++#include <linux/param.h>
++#include <linux/types.h>
++
++#ifndef IPT_NTH_NUM_COUNTERS
++#define IPT_NTH_NUM_COUNTERS 16
++#endif
++
++struct ipt_nth_info {
++ u_int8_t every;
++ u_int8_t not;
++ u_int8_t startat;
++ u_int8_t counter;
++ u_int8_t packet;
++};
++
++#endif /*_IPT_NTH_H*/
+diff -uNr linux-2.6.13.1/include.orig/linux/netfilter_ipv6/ip6t_nth.h linux-2.6.13.1/include/linux/netfilter_ipv6/ip6t_nth.h
+--- linux-2.6.13.1/include.orig/linux/netfilter_ipv6/ip6t_nth.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/include/linux/netfilter_ipv6/ip6t_nth.h 2005-09-15 10:12:52.293374250 +0200
+@@ -0,0 +1,19 @@
++#ifndef _IP6T_NTH_H
++#define _IP6T_NTH_H
++
++#include <linux/param.h>
++#include <linux/types.h>
++
++#ifndef IP6T_NTH_NUM_COUNTERS
++#define IP6T_NTH_NUM_COUNTERS 16
++#endif
++
++struct ip6t_nth_info {
++ u_int8_t every;
++ u_int8_t not;
++ u_int8_t startat;
++ u_int8_t counter;
++ u_int8_t packet;
++};
++
++#endif /*_IP6T_NTH_H*/
+diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/ipt_nth.c linux-2.6.13.1/net/ipv4/netfilter/ipt_nth.c
+--- linux-2.6.13.1/net.orig/ipv4/netfilter/ipt_nth.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/net/ipv4/netfilter/ipt_nth.c 2005-09-15 10:12:52.293374250 +0200
+@@ -0,0 +1,166 @@
++/*
++ This is a module which is used for match support for every Nth packet
++ This file is distributed under the terms of the GNU General Public
++ License (GPL). Copies of the GPL can be obtained from:
++ ftp://prep.ai.mit.edu/pub/gnu/GPL
++
++ 2001-07-18 Fabrice MARIE <fabrice at netfilter.org> : initial implementation.
++ 2001-09-20 Richard Wagner (rwagner at cloudnet.com)
++ * added support for multiple counters
++ * added support for matching on individual packets
++ in the counter cycle
++ 2004-02-19 Harald Welte <laforge at netfilter.org>
++ * port to 2.6.x
++
++*/
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ip.h>
++#include <net/tcp.h>
++#include <linux/spinlock.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_nth.h>
++
++MODULE_LICENSE("GPL");
++MODULE_AUTHOR("Fabrice Marie <fabrice at netfilter.org>");
++
++/*
++ * State information.
++ */
++struct state {
++ spinlock_t lock;
++ u_int16_t number;
++};
++
++static struct state states[IPT_NTH_NUM_COUNTERS];
++
++static int
++ipt_nth_match(const struct sk_buff *pskb,
++ const struct net_device *in,
++ const struct net_device *out,
++ const void *matchinfo,
++ int offset,
++ int *hotdrop)
++{
++ /* Parameters from userspace */
++ const struct ipt_nth_info *info = matchinfo;
++ unsigned counter = info->counter;
++ if((counter < 0) || (counter >= IPT_NTH_NUM_COUNTERS))
++ {
++ printk(KERN_WARNING "nth: invalid counter %u. counter between 0 and %u\n", counter, IPT_NTH_NUM_COUNTERS-1);
++ return 0;
++ };
++
++ spin_lock(&states[counter].lock);
++
++ /* Are we matching every nth packet?*/
++ if (info->packet == 0xFF)
++ {
++ /* We're matching every nth packet and only every nth packet*/
++ /* Do we match or invert match? */
++ if (info->not == 0)
++ {
++ if (states[counter].number == 0)
++ {
++ ++states[counter].number;
++ goto match;
++ }
++ if (states[counter].number >= info->every)
++ states[counter].number = 0; /* reset the counter */
++ else
++ ++states[counter].number;
++ goto dontmatch;
++ }
++ else
++ {
++ if (states[counter].number == 0)
++ {
++ ++states[counter].number;
++ goto dontmatch;
++ }
++ if (states[counter].number >= info->every)
++ states[counter].number = 0;
++ else
++ ++states[counter].number;
++ goto match;
++ }
++ }
++ else
++ {
++ /* We're using the --packet, so there must be a rule for every value */
++ if (states[counter].number == info->packet)
++ {
++ /* only increment the counter when a match happens */
++ if (states[counter].number >= info->every)
++ states[counter].number = 0; /* reset the counter */
++ else
++ ++states[counter].number;
++ goto match;
++ }
++ else
++ goto dontmatch;
++ }
++
++ dontmatch:
++ /* don't match */
++ spin_unlock(&states[counter].lock);
++ return 0;
++
++ match:
++ spin_unlock(&states[counter].lock);
++ return 1;
++}
++
++static int
++ipt_nth_checkentry(const char *tablename,
++ const struct ipt_ip *e,
++ void *matchinfo,
++ unsigned int matchsize,
++ unsigned int hook_mask)
++{
++ /* Parameters from userspace */
++ const struct ipt_nth_info *info = matchinfo;
++ unsigned counter = info->counter;
++ if((counter < 0) || (counter >= IPT_NTH_NUM_COUNTERS))
++ {
++ printk(KERN_WARNING "nth: invalid counter %u. counter between 0 and %u\n", counter, IPT_NTH_NUM_COUNTERS-1);
++ return 0;
++ };
++
++ if (matchsize != IPT_ALIGN(sizeof(struct ipt_nth_info))) {
++ printk("nth: matchsize %u != %zu\n", matchsize,
++ IPT_ALIGN(sizeof(struct ipt_nth_info)));
++ return 0;
++ }
++
++ states[counter].number = info->startat;
++
++ return 1;
++}
++
++static struct ipt_match ipt_nth_reg = {
++ .name = "nth",
++ .match = ipt_nth_match,
++ .checkentry = ipt_nth_checkentry,
++ .me = THIS_MODULE
++};
++
++static int __init init(void)
++{
++ unsigned counter;
++
++ memset(&states, 0, sizeof(states));
++ for (counter = 0; counter < IPT_NTH_NUM_COUNTERS; counter++)
++ spin_lock_init(&(states[counter].lock));
++
++ return ipt_register_match(&ipt_nth_reg);
++}
++
++static void __exit fini(void)
++{
++ ipt_unregister_match(&ipt_nth_reg);
++}
++
++module_init(init);
++module_exit(fini);
+diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/Kconfig linux-2.6.13.1/net/ipv4/netfilter/Kconfig
+--- linux-2.6.13.1/net.orig/ipv4/netfilter/Kconfig 2005-09-10 04:42:58.000000000 +0200
++++ linux-2.6.13.1/net/ipv4/netfilter/Kconfig 2005-09-15 10:12:52.301374750 +0200
+@@ -692,5 +692,29 @@
+ Allows altering the ARP packet payload: source and destination
+ hardware and network addresses.
+
++config IP_NF_MATCH_NTH
++ tristate 'Nth match support'
++ depends on IP_NF_IPTABLES
++ help
++ This option adds a `Nth' match, which allow you to make
++ rules that match every Nth packet. By default there are
++ 16 different counters.
++
++ [options]
++ --every Nth Match every Nth packet
++ [--counter] num Use counter 0-15 (default:0)
++ [--start] num Initialize the counter at the number 'num'
++ instead of 0. Must be between 0 and Nth-1
++ [--packet] num Match on 'num' packet. Must be between 0
++ and Nth-1.
++
++ If --packet is used for a counter than
++ there must be Nth number of --packet
++ rules, covering all values between 0 and
++ Nth-1 inclusively.
++
++ If you want to compile it as a module, say M here and read
++ Documentation/modules.txt. If unsure, say `N'.
++
+ endmenu
+
+diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/Makefile linux-2.6.13.1/net/ipv4/netfilter/Makefile
+--- linux-2.6.13.1/net.orig/ipv4/netfilter/Makefile 2005-09-10 04:42:58.000000000 +0200
++++ linux-2.6.13.1/net/ipv4/netfilter/Makefile 2005-09-15 10:12:52.305375000 +0200
+@@ -0,0 +0,1 @@
++obj-$(CONFIG_IP_NF_MATCH_NTH) += ipt_nth.o
+diff -uNr linux-2.6.13.1/net.orig/ipv6/netfilter/ip6t_nth.c linux-2.6.13.1/net/ipv6/netfilter/ip6t_nth.c
+--- linux-2.6.13.1/net.orig/ipv6/netfilter/ip6t_nth.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/net/ipv6/netfilter/ip6t_nth.c 2005-09-15 10:12:52.297374500 +0200
+@@ -0,0 +1,173 @@
++/*
++ This is a module which is used for match support for every Nth packet
++ This file is distributed under the terms of the GNU General Public
++ License (GPL). Copies of the GPL can be obtained from:
++ ftp://prep.ai.mit.edu/pub/gnu/GPL
++
++ 2001-07-18 Fabrice MARIE <fabrice at netfilter.org> : initial implementation.
++ 2001-09-20 Richard Wagner (rwagner at cloudnet.com)
++ * added support for multiple counters
++ * added support for matching on individual packets
++ in the counter cycle
++ 2003-04-30 Maciej Soltysiak <solt at dns.toxicfilms.tv> : IPv6 Port
++ 2005-06-27 Harald Welte <laforg at netfilter.org>: API update
++
++*/
++
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/ip.h>
++#include <net/tcp.h>
++#include <linux/spinlock.h>
++#include <linux/netfilter_ipv6/ip6_tables.h>
++#include <linux/netfilter_ipv6/ip6t_nth.h>
++
++MODULE_LICENSE("GPL");
++
++/*
++ * State information.
++ */
++struct state {
++ spinlock_t lock;
++ u_int16_t number;
++};
++
++static struct state states[IP6T_NTH_NUM_COUNTERS];
++
++static int
++ip6t_nth_match(const struct sk_buff *pskb,
++ const struct net_device *in,
++ const struct net_device *out,
++ const void *matchinfo,
++ int offset,
++ unsigned int protoff,
++ int *hotdrop)
++{
++ /* Parameters from userspace */
++ const struct ip6t_nth_info *info = matchinfo;
++ unsigned counter = info->counter;
++ if((counter < 0) || (counter >= IP6T_NTH_NUM_COUNTERS))
++ {
++ printk(KERN_WARNING "nth: invalid counter %u. counter between 0 and %u\n", counter, IP6T_NTH_NUM_COUNTERS-1);
++ return 0;
++ };
++
++ spin_lock(&states[counter].lock);
++
++ /* Are we matching every nth packet?*/
++ if (info->packet == 0xFF)
++ {
++ /* We're matching every nth packet and only every nth packet*/
++ /* Do we match or invert match? */
++ if (info->not == 0)
++ {
++ if (states[counter].number == 0)
++ {
++ ++states[counter].number;
++ goto match;
++ }
++ if (states[counter].number >= info->every)
++ states[counter].number = 0; /* reset the counter */
++ else
++ ++states[counter].number;
++ goto dontmatch;
++ }
++ else
++ {
++ if (states[counter].number == 0)
++ {
++ ++states[counter].number;
++ goto dontmatch;
++ }
++ if (states[counter].number >= info->every)
++ states[counter].number = 0;
++ else
++ ++states[counter].number;
++ goto match;
++ }
++ }
++ else
++ {
++ /* We're using the --packet, so there must be a rule for every value */
++ if (states[counter].number == info->packet)
++ {
++ /* only increment the counter when a match happens */
++ if (states[counter].number >= info->every)
++ states[counter].number = 0; /* reset the counter */
++ else
++ ++states[counter].number;
++ goto match;
++ }
++ else
++ goto dontmatch;
++ }
++
++ dontmatch:
++ /* don't match */
++ spin_unlock(&states[counter].lock);
++ return 0;
++
++ match:
++ spin_unlock(&states[counter].lock);
++ return 1;
++}
++
++static int
++ip6t_nth_checkentry(const char *tablename,
++ const struct ip6t_ip6 *e,
++ void *matchinfo,
++ unsigned int matchsize,
++ unsigned int hook_mask)
++{
++ /* Parameters from userspace */
++ const struct ip6t_nth_info *info = matchinfo;
++ unsigned counter = info->counter;
++ if((counter < 0) || (counter >= IP6T_NTH_NUM_COUNTERS))
++ {
++ printk(KERN_WARNING "nth: invalid counter %u. counter between 0 and %u\n", counter, IP6T_NTH_NUM_COUNTERS-1);
++ return 0;
++ };
++
++ if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_nth_info))) {
++ printk("nth: matchsize %u != %zu\n", matchsize,
++ IP6T_ALIGN(sizeof(struct ip6t_nth_info)));
++ return 0;
++ }
++
++ states[counter].number = info->startat;
++
++ return 1;
++}
++
++static struct ip6t_match ip6t_nth_reg = {
++ {NULL, NULL},
++ "nth",
++ ip6t_nth_match,
++ ip6t_nth_checkentry,
++ NULL,
++ THIS_MODULE };
++
++static int __init init(void)
++{
++ unsigned counter;
++ memset(&states, 0, sizeof(states));
++ if (ip6t_register_match(&ip6t_nth_reg))
++ return -EINVAL;
++
++ for(counter = 0; counter < IP6T_NTH_NUM_COUNTERS; counter++)
++ {
++ spin_lock_init(&(states[counter].lock));
++ };
++
++ printk("ip6t_nth match loaded\n");
++ return 0;
++}
++
++static void __exit fini(void)
++{
++ ip6t_unregister_match(&ip6t_nth_reg);
++ printk("ip6t_nth match unloaded\n");
++}
++
++module_init(init);
++module_exit(fini);
+diff -uNr linux-2.6.13.1/net.orig/ipv6/netfilter/Kconfig linux-2.6.13.1/net/ipv6/netfilter/Kconfig
+--- linux-2.6.13.1/net.orig/ipv6/netfilter/Kconfig 2005-09-10 04:42:58.000000000 +0200
++++ linux-2.6.13.1/net/ipv6/netfilter/Kconfig 2005-09-15 10:12:52.309375250 +0200
+@@ -238,5 +238,29 @@
+ If you want to compile it as a module, say M here and read
+ <file:Documentation/modules.txt>. If unsure, say `N'.
+
++config IP6_NF_MATCH_NTH
++ tristate 'Nth match support'
++ depends on IP6_NF_IPTABLES
++ help
++ This option adds a `Nth' match, which allow you to make
++ rules that match every Nth packet. By default there are
++ 16 different counters.
++
++ [options]
++ --every Nth Match every Nth packet
++ [--counter] num Use counter 0-15 (default:0)
++ [--start] num Initialize the counter at the number 'num'
++ instead of 0. Must be between 0 and Nth-1
++ [--packet] num Match on 'num' packet. Must be between 0
++ and Nth-1.
++
++ If --packet is used for a counter than
++ there must be Nth number of --packet
++ rules, covering all values between 0 and
++ Nth-1 inclusively.
++
++ If you want to compile it as a module, say M here and read
++ Documentation/modules.txt. If unsure, say `N'.
++
+ endmenu
+
+diff -uNr linux-2.6.13.1/net.orig/ipv6/netfilter/Makefile linux-2.6.13.1/net/ipv6/netfilter/Makefile
+--- linux-2.6.13.1/net.orig/ipv6/netfilter/Makefile 2005-09-10 04:42:58.000000000 +0200
++++ linux-2.6.13.1/net/ipv6/netfilter/Makefile 2005-09-15 10:12:52.309375250 +0200
+@@ -0,0 +0,1 @@
++obj-$(CONFIG_IP6_NF_MATCH_NTH) += ip6t_nth.o
================================================================
More information about the pld-cvs-commit
mailing list