From 453bff4f6322368588b5c65f133a5723a1a84319 Mon Sep 17 00:00:00 2001
From: Florian Fainelli <florian@openwrt.org>
Date: Fri, 18 Aug 2006 15:01:51 +0000
Subject: [PATCH] Add ipt_connbytes, closes #660

SVN-Revision: 4596
---
 openwrt/target/linux/Config.in                |   1 +
 openwrt/target/linux/linux-2.4/config/brcm    |   1 +
 .../generic/118-netfilter_connbytes.patch     | 148 ++++++++++++++++++
 openwrt/target/linux/netfilter.mk             |   1 +
 4 files changed, 151 insertions(+)
 create mode 100644 openwrt/target/linux/linux-2.4/patches/generic/118-netfilter_connbytes.patch

diff --git a/openwrt/target/linux/Config.in b/openwrt/target/linux/Config.in
index 3fda2c03ff..78c40f8ec4 100644
--- a/openwrt/target/linux/Config.in
+++ b/openwrt/target/linux/Config.in
@@ -72,6 +72,7 @@ config BR2_PACKAGE_KMOD_IPT_CONNTRACK
 	    * ipt_conntrack
 	    * ipt_helper
 	    * ipt_connmark/CONNMARK
+	    * ipt_connbytes
 
 config BR2_PACKAGE_KMOD_IPT_FILTER
 	tristate "Netfilter modules for packet content inspection"
diff --git a/openwrt/target/linux/linux-2.4/config/brcm b/openwrt/target/linux/linux-2.4/config/brcm
index 20a95fcb03..ad0491ea8d 100644
--- a/openwrt/target/linux/linux-2.4/config/brcm
+++ b/openwrt/target/linux/linux-2.4/config/brcm
@@ -381,6 +381,7 @@ CONFIG_IP_NF_MATCH_HELPER=m
 CONFIG_IP_NF_MATCH_STATE=y
 CONFIG_IP_NF_MATCH_CONNTRACK=m
 CONFIG_IP_NF_MATCH_CONNMARK=m
+CONFIG_IP_NF_MATCH_CONNBYTES=m
 CONFIG_IP_NF_MATCH_UNCLEAN=m
 CONFIG_IP_NF_MATCH_OWNER=m
 CONFIG_IP_NF_MATCH_LAYER7=m
diff --git a/openwrt/target/linux/linux-2.4/patches/generic/118-netfilter_connbytes.patch b/openwrt/target/linux/linux-2.4/patches/generic/118-netfilter_connbytes.patch
new file mode 100644
index 0000000000..9375b5960e
--- /dev/null
+++ b/openwrt/target/linux/linux-2.4/patches/generic/118-netfilter_connbytes.patch
@@ -0,0 +1,148 @@
+diff -urN linux-2.4.30/net/ipv4/netfilter/Config.in linux-2.4.30.new/net/ipv4/netfilter/Config.in
+--- linux-2.4.30/net/ipv4/netfilter/Config.in	2006-08-18 15:42:55.000000000 +0200
++++ linux-2.4.30.new/net/ipv4/netfilter/Config.in	2006-08-18 15:44:51.000000000 +0200
+@@ -48,6 +48,7 @@
+ 	if [ "$CONFIG_IP_NF_CONNTRACK_MARK" != "n" ]; then
+ 	  dep_tristate '  Connection mark match support' CONFIG_IP_NF_MATCH_CONNMARK $CONFIG_IP_NF_IPTABLES
+ 	fi
++    dep_tristate '  Connection byte counter support' CONFIG_IP_NF_MATCH_CONNBYTES $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES
+   fi
+   if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
+     dep_tristate '  Unclean match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_UNCLEAN $CONFIG_IP_NF_IPTABLES
+diff -urN linux-2.4.30/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.30.new/net/ipv4/netfilter/ip_conntrack_core.c
+--- linux-2.4.30/net/ipv4/netfilter/ip_conntrack_core.c	2006-08-18 15:42:55.000000000 +0200
++++ linux-2.4.30.new/net/ipv4/netfilter/ip_conntrack_core.c	2006-08-18 15:55:59.000000000 +0200
+@@ -821,7 +821,15 @@
+ 		}
+ 		*set_reply = 0;
+ 	}
++
+ 	skb->nfct = &h->ctrack->infos[*ctinfo];
++
++	/* devik: increment bytes in connection here */
++	if (h->ctrack->bytes + skb->len >= 0xffff0000)
++		h->ctrack->bytes = 0xffff0000;
++	else
++		h->ctrack->bytes += skb->len;
++
+ 	return h->ctrack;
+ }
+ 
+diff -urN linux-2.4.30/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.4.30.new/net/ipv4/netfilter/ip_conntrack_standalone.c
+--- linux-2.4.30/net/ipv4/netfilter/ip_conntrack_standalone.c	2006-08-18 15:42:55.000000000 +0200
++++ linux-2.4.30.new/net/ipv4/netfilter/ip_conntrack_standalone.c	2006-08-18 15:49:58.000000000 +0200
+@@ -116,7 +116,9 @@
+ 		len += sprintf(buffer + len, "l7proto=%s ",
+ 				conntrack->layer7.app_proto); 
+ 	#endif
+-
++	#if defined(CONFIG_IP_NF_MATCH_CONNBYTES)
++	len += sprintf(buffer + len, "bytes=%lu ",conntrack->bytes); /* devik */
++	#endif
+ 	len += sprintf(buffer + len, "\n");
+ 
+ 	return len;
+diff -urN linux-2.4.30/net/ipv4/netfilter/ipt_connbytes.c linux-2.4.30.new/net/ipv4/netfilter/ipt_connbytes.c
+--- linux-2.4.30/net/ipv4/netfilter/ipt_connbytes.c	1970-01-01 01:00:00.000000000 +0100
++++ linux-2.4.30.new/net/ipv4/netfilter/ipt_connbytes.c	2006-08-18 16:23:40.000000000 +0200
+@@ -0,0 +1,61 @@
++/* Kernel module to match connection tracking byte counter.
++ * GPL (C) 2002 Martin Devera (devik@cdi.cz).
++ */
++#include <linux/module.h>
++#include <linux/skbuff.h>
++#include <linux/netfilter_ipv4/ip_conntrack.h>
++#include <linux/netfilter_ipv4/ip_tables.h>
++#include <linux/netfilter_ipv4/ipt_connbytes.h>
++
++static int
++match(const struct sk_buff *skb,
++      const struct net_device *in,
++      const struct net_device *out,
++      const void *matchinfo,
++      int offset,
++      const void *hdr,
++      u_int16_t datalen,
++      int *hotdrop)
++{
++	const struct ipt_connbytes_info *sinfo = matchinfo;
++	enum ip_conntrack_info ctinfo;
++	struct ip_conntrack *ct;
++
++	if (!(ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo)))
++		return 0; /* no match */
++	
++	if (sinfo->from > sinfo->to)
++		return (ct->bytes < sinfo->to || ct->bytes > sinfo->from);
++	else
++		return (ct->bytes >= sinfo->from && ct->bytes <= sinfo->to);
++}
++
++static int check(const char *tablename,
++		 const struct ipt_ip *ip,
++		 void *matchinfo,
++		 unsigned int matchsize,
++		 unsigned int hook_mask)
++{
++	if (matchsize != IPT_ALIGN(sizeof(struct ipt_connbytes_info)))
++		return 0;
++
++	return 1;
++}
++
++static struct ipt_match state_match
++= { { NULL, NULL }, "connbytes", &match, &check, NULL, THIS_MODULE };
++
++static int __init init(void)
++{
++	/* NULL if ip_conntrack not a module */
++	return ipt_register_match(&state_match);
++}
++
++static void __exit fini(void)
++{
++	ipt_unregister_match(&state_match);
++}
++
++module_init(init);
++module_exit(fini);
++MODULE_LICENSE("GPL");
+diff -urN linux-2.4.30/net/ipv4/netfilter/Makefile linux-2.4.30.new/net/ipv4/netfilter/Makefile
+--- linux-2.4.30/net/ipv4/netfilter/Makefile	2006-08-18 15:42:55.000000000 +0200
++++ linux-2.4.30.new/net/ipv4/netfilter/Makefile	2006-08-18 15:45:26.000000000 +0200
+@@ -109,6 +109,7 @@
+ obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
+ obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
+ obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
++obj-$(CONFIG_IP_NF_MATCH_CONNBYTES) += ipt_connbytes.o
+ 
+ obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
+ 
+diff -urN linux-2.4.30/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.30.new/include/linux/netfilter_ipv4/ip_conntrack.h
+--- linux-2.4.30/include/linux/netfilter_ipv4/ip_conntrack.h	2006-08-18 15:42:55.000000000 +0200
++++ linux-2.4.30.new/include/linux/netfilter_ipv4/ip_conntrack.h	2006-08-18 15:52:29.000000000 +0200
+@@ -205,7 +205,9 @@
+ 	struct nf_ct_info infos[IP_CT_NUMBER];
+ 
+ 	/* Storage reserved for other modules: */
+-
++	/* devik: store num of bytes transfered; counter uses saturated incr. */
++	unsigned long bytes;
++	
+ 	union ip_conntrack_proto proto;
+ 
+ 	union ip_conntrack_help help;
+diff -urN linux-2.4.30/include/linux/netfilter_ipv4/ipt_connbytes.h linux-2.4.30.new/include/linux/netfilter_ipv4/ipt_connbytes.h
+--- linux-2.4.30/include/linux/netfilter_ipv4/ipt_connbytes.h	1970-01-01 01:00:00.000000000 +0100
++++ linux-2.4.30.new/include/linux/netfilter_ipv4/ipt_connbytes.h	2006-08-18 15:56:43.000000000 +0200
+@@ -0,0 +1,10 @@
++#ifndef _IPT_CONNBYTES_H
++#define _IPT_CONNBYTES_H
++
++struct ipt_connbytes_info
++{
++       /* if from<=to then it matches the range; if from>to then
++          inverse range is matched */
++       unsigned long from,to;
++};
++#endif
diff --git a/openwrt/target/linux/netfilter.mk b/openwrt/target/linux/netfilter.mk
index c2d318d070..b1ed2378bb 100644
--- a/openwrt/target/linux/netfilter.mk
+++ b/openwrt/target/linux/netfilter.mk
@@ -6,6 +6,7 @@ IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper
 IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark
 IPT_CONNTRACK-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK
 IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state
+IPT_CONNTRACK-$(CONFIG_IP_NF_MATCH_CONNBYTES) += ipt_connbytes
 
 IPT_EXTRA-m :=
 IPT_EXTRA-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit
-- 
2.30.2