tags 310581 + patch
thanks
hi,
attached is an updated diff which should apply cleanly against
kernel-source-2.4.27. I didn't test-compile it or test its functionality.
bye,
- michael
diff -ruN kernel-source-2.4.27/Documentation/Configure.help
kernel-source-2.4.27-quota/Documentation/Configure.help
--- kernel-source-2.4.27/Documentation/Configure.help 2005-05-27
10:59:09.000000000 +0200
+++ kernel-source-2.4.27-quota/Documentation/Configure.help 2005-05-27
10:59:46.000000000 +0200
@@ -2885,6 +2885,13 @@
If you want to compile it as a module, say M here and read
<file:Documentation/modules.txt>. If unsure, say `N'.
+quota match support
+CONFIG_IP_NF_MATCH_QUOTA
+ This match implements network quotas.
+
+ If you want to compile it as a module, say M here and read
+ Documentation/modules.txt. If unsure, say `N'.
+
skb->pkt_type packet match support
CONFIG_IP_NF_MATCH_PKTTYPE
This patch allows you to match packet in accrodance
diff -ruN kernel-source-2.4.27/include/linux/netfilter_ipv4/ipt_quota.h
kernel-source-2.4.27-quota/include/linux/netfilter_ipv4/ipt_quota.h
--- kernel-source-2.4.27/include/linux/netfilter_ipv4/ipt_quota.h
1970-01-01 01:00:00.000000000 +0100
+++ kernel-source-2.4.27-quota/include/linux/netfilter_ipv4/ipt_quota.h
2005-05-27 10:59:46.000000000 +0200
@@ -0,0 +1,11 @@
+#ifndef _IPT_QUOTA_H
+#define _IPT_QUOTA_H
+
+/* print debug info in both kernel/netfilter module & iptable library */
+//#define DEBUG_IPT_QUOTA
+
+struct ipt_quota_info {
+ u_int64_t quota;
+};
+
+#endif /*_IPT_QUOTA_H*/
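Review bot: `quota` has no comment saying what it counts or that the kernel rewrites it. `match()` in ipt_quota.c subtracts `datalen` from it on every accepted packet and zeroes it once the allowance is exceeded, so the field holds the remaining allowance rather than the configured limit. I would document that on the field, e.g. `u_int64_t quota; /* remaining allowance; decremented by the kernel match, 0 once exhausted */`. The disabled `//#define DEBUG_IPT_QUOTA` uses a C++-style comment in a header that its own comment says is shared with the iptables library; `/* #define DEBUG_IPT_QUOTA */` is safer for strict C89 builds.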
diff -ruN kernel-source-2.4.27/net/ipv4/netfilter/Config.in
kernel-source-2.4.27-quota/net/ipv4/netfilter/Config.in
--- kernel-source-2.4.27/net/ipv4/netfilter/Config.in 2005-05-27
10:59:09.000000000 +0200
+++ kernel-source-2.4.27-quota/net/ipv4/netfilter/Config.in 2005-05-27
10:59:46.000000000 +0200
@@ -19,6 +19,7 @@
if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
# The simple matches.
dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT
$CONFIG_IP_NF_IPTABLES
+ dep_tristate ' quota match support' CONFIG_IP_NF_MATCH_QUOTA
$CONFIG_IP_NF_IPTABLES
dep_tristate ' MAC address match support' CONFIG_IP_NF_MATCH_MAC
$CONFIG_IP_NF_IPTABLES
dep_tristate ' Packet type match support' CONFIG_IP_NF_MATCH_PKTTYPE
$CONFIG_IP_NF_IPTABLES
dep_tristate ' netfilter MARK match support' CONFIG_IP_NF_MATCH_MARK
$CONFIG_IP_NF_IPTABLES
diff -ruN kernel-source-2.4.27/net/ipv4/netfilter/Makefile
kernel-source-2.4.27-quota/net/ipv4/netfilter/Makefile
--- kernel-source-2.4.27/net/ipv4/netfilter/Makefile 2005-05-27
10:59:09.000000000 +0200
+++ kernel-source-2.4.27-quota/net/ipv4/netfilter/Makefile 2005-05-27
10:59:46.000000000 +0200
@@ -65,6 +65,7 @@
# matches
obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
+obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o
obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
diff -ruN kernel-source-2.4.27/net/ipv4/netfilter/ipt_quota.c
kernel-source-2.4.27-quota/net/ipv4/netfilter/ipt_quota.c
--- kernel-source-2.4.27/net/ipv4/netfilter/ipt_quota.c 1970-01-01
01:00:00.000000000 +0100
+++ kernel-source-2.4.27-quota/net/ipv4/netfilter/ipt_quota.c 2005-05-27
10:59:46.000000000 +0200
@@ -0,0 +1,81 @@
+/*
+ * netfilter module to enforce network quotas
+ *
+ * Sam Johnston <[EMAIL PROTECTED]>
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/spinlock.h>
+#include <linux/interrupt.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_quota.h>
+
+MODULE_LICENSE("GPL");
+
+static spinlock_t quota_lock = SPIN_LOCK_UNLOCKED;
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const void *matchinfo,
+ int offset, const void *hdr, u_int16_t datalen, int *hotdrop)
+{
+
+ struct ipt_quota_info *q = (struct ipt_quota_info *) matchinfo;
+
+ spin_lock_bh("a_lock);
+
+ if (q->quota >= datalen) {
+ /* we can afford this one */
+ q->quota -= datalen;
+ spin_unlock_bh("a_lock);
+
+#ifdef DEBUG_IPT_QUOTA
+ printk("IPT Quota OK: %llu datlen %d \n", q->quota, datalen);
+#endif
+ return 1;
+ }
+
+ /* so we do not allow even small packets from now on */
+ q->quota = 0;
+
+#ifdef DEBUG_IPT_QUOTA
+ printk("IPT Quota Failed: %llu datlen %d \n", q->quota, datalen);
+#endif
+
+ spin_unlock_bh("a_lock);
+ return 0;
+}
+
+static int
+checkentry(const char *tablename,
+ const struct ipt_ip *ip,
+ void *matchinfo, unsigned int matchsize, unsigned int hook_mask)
+{
+ /* TODO: spinlocks? sanity checks? */
+ if (matchsize != IPT_ALIGN(sizeof (struct ipt_quota_info)))
+ return 0;
+
+ return 1;
+}
+
+static struct ipt_match quota_match
+ = { {NULL, NULL}, "quota", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init
+init(void)
+{
+ return ipt_register_match("a_match);
+}
+
+static void __exit
+fini(void)
+{
+ ipt_unregister_match("a_match);
+}
+
+module_init(init);
+module_exit(fini);
+
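Review bot: The remaining quota is kept inside the rule's matchinfo and `match()` decrements it through a cast that drops `const`, so enforcement is only exact if every CPU sees the same copy of the rule. If this tree's ip_tables keeps a per-CPU copy of the rule blob on SMP (presumably the reason ipt_limit carries a `master` pointer; to be confirmed against ip_tables.c), each CPU counts down its own copy and the rule passes up to the quota times the number of CPUs. I would add `struct ipt_quota_info *master;` to the struct, set `q->master = q;` in `checkentry()` (which currently only checks `matchsize`, per its own TODO), and begin `match()` with `q = ((struct ipt_quota_info *) matchinfo)->master;`; the userspace library would need the same struct layout. Separately, the debug `printk` on the accept path reads `q->quota` after `spin_unlock_bh()`, so it should move above the unlock, as on the failure path.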