Add ipt_connbytes, closes #660

SVN-Revision: 4596

diff --git a/openwrt/target/linux/Config.in b/openwrt/target/linux/Config.in
index 3fda2c03ff5101ac26c7b04183e284ccacf22f34..78c40f8ec427d33742ab7b9a1e2ba8110f325f85 100644 (file)
--- a/openwrt/target/linux/Config.in
+++ b/openwrt/target/linux/Config.in
@@ -72,6 +72,7 @@ config BR2_PACKAGE_KMOD_IPT_CONNTRACK
            * ipt_conntrack
            * ipt_helper
            * ipt_connmark/CONNMARK
+           * ipt_connbytes
 
 config BR2_PACKAGE_KMOD_IPT_FILTER
        tristate "Netfilter modules for packet content inspection"

diff --git a/openwrt/target/linux/linux-2.4/config/brcm b/openwrt/target/linux/linux-2.4/config/brcm
index 20a95fcb03ebd0f799827e26c7e7bb54d455519b..ad0491ea8daf6909e9de366c558b89efe48b89ca 100644 (file)
--- a/openwrt/target/linux/linux-2.4/config/brcm
+++ b/openwrt/target/linux/linux-2.4/config/brcm
@@ -381,6 +381,7 @@ CONFIG_IP_NF_MATCH_HELPER=m
 CONFIG_IP_NF_MATCH_STATE=y
 CONFIG_IP_NF_MATCH_CONNTRACK=m
 CONFIG_IP_NF_MATCH_CONNMARK=m
+CONFIG_IP_NF_MATCH_CONNBYTES=m
 CONFIG_IP_NF_MATCH_UNCLEAN=m
 CONFIG_IP_NF_MATCH_OWNER=m
 CONFIG_IP_NF_MATCH_LAYER7=m

diff --git a/openwrt/target/linux/linux-2.4/patches/generic/118-netfilter_connbytes.patch b/openwrt/target/linux/linux-2.4/patches/generic/118-netfilter_connbytes.patch
new file mode 100644 (file)
index 0000000..9375b59
--- /dev/null
+++ b/openwrt/target/linux/linux-2.4/patches/generic/118-netfilter_connbytes.patch
@@ -0,0 +1,148 @@
+diff -urN linux-2.4.30/net/ipv4/netfilter/Config.in linux-2.4.30.new/net/ipv4/netfilter/Config.in
+--- linux-2.4.30/net/ipv4/netfilter/Config.in  2006-08-18 15:42:55.000000000 +0200
++++ linux-2.4.30.new/net/ipv4/netfilter/Config.in      2006-08-18 15:44:51.000000000 +0200
+@@ -48,6 +48,7 @@
+       if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
+         dep_tristate '  Connection mark match support' CONFIG_IP_NF_MATCH_CONNMARK $CONFIG_IP_NF_IPTABLES
+       fi
++    dep_tristate '  Connection byte counter support' CONFIG_IP_NF_MATCH_CONNBYTES $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
+   fi
+   if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
+     dep_tristate '  Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
+diff -urN linux-2.4.30/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.30.new/net/ipv4/netfilter/ip_conntrack_core.c
+--- linux-2.4.30/net/ipv4/netfilter/ip_conntrack_core.c        2006-08-18 15:42:55.000000000 +0200
++++ linux-2.4.30.new/net/ipv4/netfilter/ip_conntrack_core.c    2006-08-18 15:55:59.000000000 +0200
+@@ -821,7 +821,15 @@
+               }
+               *set_reply = 0;
+       }
++
+       skb->nfct = &h->ctrack->infos[*ctinfo];
++
++      /* devik: increment bytes in connection here */
++      if (h->ctrack->bytes + skb->len >= 0xffff0000)
++              h->ctrack->bytes = 0xffff0000;
++      else
++              h->ctrack->bytes += skb->len;
++
+       return h->ctrack;
+ }
+ 
+diff -urN linux-2.4.30/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.4.30.new/net/ipv4/netfilter/ip_conntrack_standalone.c
+--- linux-2.4.30/net/ipv4/netfilter/ip_conntrack_standalone.c  2006-08-18 15:42:55.000000000 +0200
++++ linux-2.4.30.new/net/ipv4/netfilter/ip_conntrack_standalone.c      2006-08-18 15:49:58.000000000 +0200
+@@ -116,7 +116,9 @@
+               len += sprintf(buffer + len, "l7proto=%s ",
+                               conntrack->layer7.app_proto); 
+       #endif
+-
++      #if defined(CONFIG_IP_NF_MATCH_CONNBYTES)
++      len += sprintf(buffer + len, "bytes=%lu ",conntrack->bytes); /* devik */
++      #endif
+       len += sprintf(buffer + len, "\n");
+ 
+       return len;
+diff -urN linux-2.4.30/net/ipv4/netfilter/ipt_connbytes.c linux-2.4.30.new/net/ipv4/netfilter/ipt_connbytes.c
+--- linux-2.4.30/net/ipv4/netfilter/ipt_connbytes.c    1970-01-01 01:00:00.000000000 +0100
++++ linux-2.4.30.new/net/ipv4/netfilter/ipt_connbytes.c        2006-08-18 16:23:40.000000000 +0200
+@@ -0,0 +1,61 @@
++/* Kernel module to match connection tracking byte counter.
++ * GPL (C) 2002 Martin Devera (devik@cdi.cz).
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter_ipv4/ip_conntrack.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_connbytes.h>
++
++static int
++match(const struct sk_buff *skb,
++      const struct net_device *in,
++      const struct net_device *out,
++      const void *matchinfo,
++      int offset,
++      const void *hdr,
++      u_int16_t datalen,
++      int *hotdrop)
++{
++      const struct ipt_connbytes_info *sinfo = matchinfo;
++      enum ip_conntrack_info ctinfo;
++      struct ip_conntrack *ct;
++
++      if (!(ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)))
++              return 0; /* no match */
++      
++      if (sinfo->from > sinfo->to)
++              return (ct->bytes < sinfo->to || ct->bytes > sinfo->from);
++      else
++              return (ct->bytes >= sinfo->from && ct->bytes <= sinfo->to);
++}
++
++static int check(const char *tablename,
++               const struct ipt_ip *ip,
++               void *matchinfo,
++               unsigned int matchsize,
++               unsigned int hook_mask)
++{
++      if (matchsize != IPT_ALIGN(sizeof(struct ipt_connbytes_info)))
++              return 0;
++
++      return 1;
++}
++
++static struct ipt_match state_match
++= { { NULL, NULL }, "connbytes", &match, &check, NULL, THIS_MODULE };
++
++static int __init init(void)
++{
++      /* NULL if ip_conntrack not a module */
++      return ipt_register_match(&state_match);
++}
++
++static void __exit fini(void)
++{
++      ipt_unregister_match(&state_match);
++}
++
++module_init(init);
++module_exit(fini);
++MODULE_LICENSE("GPL");
+diff -urN linux-2.4.30/net/ipv4/netfilter/Makefile linux-2.4.30.new/net/ipv4/netfilter/Makefile
+--- linux-2.4.30/net/ipv4/netfilter/Makefile   2006-08-18 15:42:55.000000000 +0200
++++ linux-2.4.30.new/net/ipv4/netfilter/Makefile       2006-08-18 15:45:26.000000000 +0200
+@@ -109,6 +109,7 @@
+ obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
+ obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
+ obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
++obj-$(CONFIG_IP_NF_MATCH_CONNBYTES) += ipt_connbytes.o
+ 
+ obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
+ 
+diff -urN linux-2.4.30/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.30.new/include/linux/netfilter_ipv4/ip_conntrack.h
+--- linux-2.4.30/include/linux/netfilter_ipv4/ip_conntrack.h   2006-08-18 15:42:55.000000000 +0200
++++ linux-2.4.30.new/include/linux/netfilter_ipv4/ip_conntrack.h       2006-08-18 15:52:29.000000000 +0200
+@@ -205,7 +205,9 @@
+       struct nf_ct_info infos[IP_CT_NUMBER];
+ 
+       /* Storage reserved for other modules: */
+-
++      /* devik: store num of bytes transfered; counter uses saturated incr. */
++      unsigned long bytes;
++      
+       union ip_conntrack_proto proto;
+ 
+       union ip_conntrack_help help;
+diff -urN linux-2.4.30/include/linux/netfilter_ipv4/ipt_connbytes.h linux-2.4.30.new/include/linux/netfilter_ipv4/ipt_connbytes.h
+--- linux-2.4.30/include/linux/netfilter_ipv4/ipt_connbytes.h  1970-01-01 01:00:00.000000000 +0100
++++ linux-2.4.30.new/include/linux/netfilter_ipv4/ipt_connbytes.h      2006-08-18 15:56:43.000000000 +0200
+@@ -0,0 +1,10 @@
++#ifndef _IPT_CONNBYTES_H
++#define _IPT_CONNBYTES_H
++
++struct ipt_connbytes_info
++{
++       /* if from<=to then it matches the range; if from>to then
++          inverse range is matched */
++       unsigned long from,to;
++};
++#endif

diff --git a/openwrt/target/linux/netfilter.mk b/openwrt/target/linux/netfilter.mk
index c2d318d0709e2d3144d105ea6d949d74bb0d69ce..b1ed2378bb25f71242d404ef76b367ea28acd4f1 100644 (file)
--- a/openwrt/target/linux/netfilter.mk
+++ b/openwrt/target/linux/netfilter.mk
@@ -6,6 +6,7 @@ IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper
 IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark
 IPT_CONNTRACK-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK
 IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state
+IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_CONNBYTES) += ipt_connbytes
 
 IPT_EXTRA-m :=
 IPT_EXTRA-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit