SOURCES (LINUX_2_6): linux-2.6-nf-quota.patch (NEW) - [base] quota...

pluto pluto at pld-linux.org
Thu Sep 15 10:27:13 CEST 2005


Author: pluto                        Date: Thu Sep 15 08:27:13 2005 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- [base] quota match.

---- Files affected:
SOURCES:
   linux-2.6-nf-quota.patch (NONE -> 1.1.2.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-nf-quota.patch
diff -u /dev/null SOURCES/linux-2.6-nf-quota.patch:1.1.2.1
--- /dev/null	Thu Sep 15 10:27:13 2005
+++ SOURCES/linux-2.6-nf-quota.patch	Thu Sep 15 10:27:08 2005
@@ -0,0 +1,146 @@
+ include/linux/netfilter_ipv4/ipt_quota.h |   12 +++
+ net/ipv4/netfilter/Kconfig               |   10 +++
+ net/ipv4/netfilter/Makefile              |    1 
+ net/ipv4/netfilter/ipt_quota.c           |   96 +++++++++++++++++++++++++++++++
+ 4 files changed, 119 insertions(+)
+
+diff -uNr linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ipt_quota.h linux-2.6.13.1/include/linux/netfilter_ipv4/ipt_quota.h
+--- linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ipt_quota.h	1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/include/linux/netfilter_ipv4/ipt_quota.h	2005-09-15 10:25:42.481508000 +0200
+@@ -0,0 +1,12 @@
++#ifndef _IPT_QUOTA_H
++#define _IPT_QUOTA_H
++
++/* print debug info in both kernel/netfilter module & iptable library */
++//#define DEBUG_IPT_QUOTA
++
++struct ipt_quota_info {
++        u_int64_t quota;
++	struct ipt_quota_info *master;
++};
++
++#endif /*_IPT_QUOTA_H*/
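Review bot: `struct ipt_quota_info` carries a kernel pointer (`master`) in a header whose own comment says it is shared with the iptables library, so the match-data layout depends on pointer width and `checkentry()` in ipt_quota.c writes a kernel address into it. If the rule blob is copied back to userspace when the ruleset is listed (not visible in this patch, so worth confirming), that address is disclosed to whoever can read the table. A 32-bit iptables binary on a 64-bit kernel may also fail the `matchsize` comparison. At minimum the field should be documented, e.g. `/* kernel-internal: set by checkentry(), ignored on input */`, and the struct given a fixed layout by aligning the 64-bit counter. Keeping the kernel-only state out of the user-visible part would be better.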
+diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/ipt_quota.c linux-2.6.13.1/net/ipv4/netfilter/ipt_quota.c
+--- linux-2.6.13.1/net.orig/ipv4/netfilter/ipt_quota.c	1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/net/ipv4/netfilter/ipt_quota.c	2005-09-15 10:25:42.485508250 +0200
+@@ -0,0 +1,96 @@
++/* 
++ * netfilter module to enforce network quotas
++ *
++ * Sam Johnston <samj at samj.net>
++ *
++ * 30/01/05: Fixed on SMP --Pablo Neira <pablo at eurodev.net>
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/spinlock.h>
++#include <linux/interrupt.h>
++
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_quota.h>
++
++MODULE_LICENSE("GPL");
++MODULE_AUTHOR("Sam Johnston <samj at samj.net>");
++
++static spinlock_t quota_lock = SPIN_LOCK_UNLOCKED;
++
++static int
++match(const struct sk_buff *skb,
++      const struct net_device *in,
++      const struct net_device *out,
++      const void *matchinfo,
++      int offset, int *hotdrop)
++{
++        struct ipt_quota_info *q = 
++		((struct ipt_quota_info *) matchinfo)->master;
++
++	if (skb->len < sizeof(struct iphdr))
++		return NF_ACCEPT;
++	
++        spin_lock_bh(&quota_lock);
++
++        if (q->quota >= skb->len) {
++                /* we can afford this one */
++                q->quota -= skb->len;
++                spin_unlock_bh(&quota_lock);
++
++#ifdef DEBUG_IPT_QUOTA
++                printk("IPT Quota OK: %llu datlen %d \n", q->quota, skb->len);
++#endif
++                return 1;
++        }
++
++        /* so we do not allow even small packets from now on */
++        q->quota = 0;
++
++#ifdef DEBUG_IPT_QUOTA
++        printk("IPT Quota Failed: %llu datlen %d \n", q->quota, skb->len);
++#endif
++
++        spin_unlock_bh(&quota_lock);
++        return 0;
++}
++
++static int
++checkentry(const char *tablename,
++           const struct ipt_ip *ip,
++           void *matchinfo, unsigned int matchsize, unsigned int hook_mask)
++{
++        /* TODO: spinlocks? sanity checks? */
++	struct ipt_quota_info *q = (struct ipt_quota_info *) matchinfo;
++
++        if (matchsize != IPT_ALIGN(sizeof (struct ipt_quota_info)))
++                return 0;
++	
++	/* For SMP, we only want to use one set of counters. */
++	q->master = q;
++
++        return 1;
++}
++
++static struct ipt_match quota_match = {
++	.name = "quota",
++	.match = match,
++	.checkentry = checkentry,
++	.me = THIS_MODULE
++};
++
++static int __init
++init(void)
++{
++        return ipt_register_match(&quota_match);
++}
++
++static void __exit
++fini(void)
++{
++        ipt_unregister_match(&quota_match);
++}
++
++module_init(init);
++module_exit(fini);
++
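Review bot: The short-packet guard at the top of `match()` returns `NF_ACCEPT`, which is a hook verdict rather than a match result. Its value is 1, so a packet with `skb->len < sizeof(struct iphdr)` is reported as matching without taking `quota_lock` or debiting `q->quota`, and it keeps matching after the quota has reached zero. A match callback should return 0 or 1, and for a quota rule the fail-closed choice is `return 0;` here (or drop the guard so the length is accounted like any other packet). Separately, the `DEBUG_IPT_QUOTA` printk on the success path reads `q->quota` after `spin_unlock_bh()`, and both printks pass the unsigned `skb->len` to `%d`; moving the first printk above the unlock and using `%u` would keep the debug output consistent. The `TODO: spinlocks? sanity checks?` in `checkentry()` is still open and should be resolved or replaced with a comment saying which checks are deliberately omitted.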
+diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/Kconfig linux-2.6.13.1/net/ipv4/netfilter/Kconfig
+--- linux-2.6.13.1/net.orig/ipv4/netfilter/Kconfig	2005-09-15 10:21:06.000000000 +0200
++++ linux-2.6.13.1/net/ipv4/netfilter/Kconfig	2005-09-15 10:25:42.489508500 +0200
+@@ -748,5 +748,15 @@
+ 	  If you want to compile it as a module, say M here and read
+ 	  Documentation/modules.txt.  If unsure, say `N'.
+ 
++config IP_NF_MATCH_QUOTA
++	tristate  'quota match support'
++	depends on IP_NF_IPTABLES
++	help
++	  This match implements network quotas.
++	
++	  If you want to compile it as a module, say M here and read
++	  Documentation/modules.txt.  If unsure, say `N'.
++	
++
+ endmenu
+ 
+diff -uNr linux-2.6.13.1/net.orig/ipv4/netfilter/Makefile linux-2.6.13.1/net/ipv4/netfilter/Makefile
+--- linux-2.6.13.1/net.orig/ipv4/netfilter/Makefile	2005-09-15 10:21:06.000000000 +0200
++++ linux-2.6.13.1/net/ipv4/netfilter/Makefile	2005-09-15 10:25:42.493508750 +0200
+@@ -0,0 +0,1 @@
++obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o
================================================================


