search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux-2.6.12-rc2
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / net / ipv4 / netfilter / ipt_recent.c
blob25ab9fabdcba3d66cb4bbf015514b6d671e6ed8f
1 /* Kernel module to check if the source address has been seen recently. */
2 /* Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org */
3 /* Author: Stephen Frost <sfrost@snowman.net> */
4 /* Project Page: http://snowman.net/projects/ipt_recent/ */
5 /* This software is distributed under the terms of the GPL, Version 2 */
6 /* This copyright does not cover user programs that use kernel services
7 * by normal system calls. */
8
9 #include <linux/module.h>
10 #include <linux/skbuff.h>
11 #include <linux/proc_fs.h>
12 #include <linux/spinlock.h>
13 #include <linux/interrupt.h>
14 #include <asm/uaccess.h>
15 #include <linux/ctype.h>
16 #include <linux/ip.h>
17 #include <linux/vmalloc.h>
18 #include <linux/moduleparam.h>
19
20 #include <linux/netfilter_ipv4/ip_tables.h>
21 #include <linux/netfilter_ipv4/ipt_recent.h>
22
23 #undef DEBUG
24 #define HASH_LOG 9
25
26 /* Defaults, these can be overridden on the module command-line. */
27 static int ip_list_tot = 100;
28 static int ip_pkt_list_tot = 20;
29 static int ip_list_hash_size = 0;
30 static int ip_list_perms = 0644;
31 #ifdef DEBUG
32 static int debug = 1;
33 #endif
34
35 static char version[] =
36 KERN_INFO RECENT_NAME " " RECENT_VER ": Stephen Frost <sfrost@snowman.net>. http://snowman.net/projects/ipt_recent/\n";
37
38 MODULE_AUTHOR("Stephen Frost <sfrost@snowman.net>");
39 MODULE_DESCRIPTION("IP tables recently seen matching module " RECENT_VER);
40 MODULE_LICENSE("GPL");
41 module_param(ip_list_tot, int, 0400);
42 module_param(ip_pkt_list_tot, int, 0400);
43 module_param(ip_list_hash_size, int, 0400);
44 module_param(ip_list_perms, int, 0400);
45 #ifdef DEBUG
46 module_param(debug, int, 0600);
47 MODULE_PARM_DESC(debug,"debugging level, defaults to 1");
48 #endif
49 MODULE_PARM_DESC(ip_list_tot,"number of IPs to remember per list");
50 MODULE_PARM_DESC(ip_pkt_list_tot,"number of packets per IP to remember");
51 MODULE_PARM_DESC(ip_list_hash_size,"size of hash table used to look up IPs");
52 MODULE_PARM_DESC(ip_list_perms,"permissions on /proc/net/ipt_recent/* files");
53
54 /* Structure of our list of recently seen addresses. */
55 struct recent_ip_list {
56 u_int32_t addr;
57 u_int8_t ttl;
58 unsigned long last_seen;
59 unsigned long *last_pkts;
60 u_int32_t oldest_pkt;
61 u_int32_t hash_entry;
62 u_int32_t time_pos;
63 };
64
65 struct time_info_list {
66 u_int32_t position;
67 u_int32_t time;
68 };
69
70 /* Structure of our linked list of tables of recent lists. */
71 struct recent_ip_tables {
72 char name[IPT_RECENT_NAME_LEN];
73 int count;
74 int time_pos;
75 struct recent_ip_list *table;
76 struct recent_ip_tables *next;
77 spinlock_t list_lock;
78 int *hash_table;
79 struct time_info_list *time_info;
80 #ifdef CONFIG_PROC_FS
81 struct proc_dir_entry *status_proc;
82 #endif /* CONFIG_PROC_FS */
83 };
84
85 /* Our current list of addresses we have recently seen.
86 * Only added to on a --set, and only updated on --set || --update
87 */
88 static struct recent_ip_tables *r_tables = NULL;
89
90 /* We protect r_list with this spinlock so two processors are not modifying
91 * the list at the same time.
92 */
93 static DEFINE_SPINLOCK(recent_lock);
94
95 #ifdef CONFIG_PROC_FS
96 /* Our /proc/net/ipt_recent entry */
97 static struct proc_dir_entry *proc_net_ipt_recent = NULL;
98 #endif
99
100 /* Function declaration for later. */
101 static int
102 match(const struct sk_buff *skb,
103 const struct net_device *in,
104 const struct net_device *out,
105 const void *matchinfo,
106 int offset,
107 int *hotdrop);
108
109 /* Function to hash a given address into the hash table of table_size size */
110 static int hash_func(unsigned int addr, int table_size)
111 {
112 int result = 0;
113 unsigned int value = addr;
114 do { result ^= value; } while((value >>= HASH_LOG));
115
116 #ifdef DEBUG
117 if(debug) printk(KERN_INFO RECENT_NAME ": %d = hash_func(%u,%d)\n",
118 result & (table_size - 1),
119 addr,
120 table_size);
121 #endif
122
123 return(result & (table_size - 1));
124 }
125
126 #ifdef CONFIG_PROC_FS
127 /* This is the function which produces the output for our /proc output
128 * interface which lists each IP address, the last seen time and the
129 * other recent times the address was seen.
130 */
131
132 static int ip_recent_get_info(char *buffer, char **start, off_t offset, int length, int *eof, void *data)
133 {
134 int len = 0, count, last_len = 0, pkt_count;
135 off_t pos = 0;
136 off_t begin = 0;
137 struct recent_ip_tables *curr_table;
138
139 curr_table = (struct recent_ip_tables*) data;
140
141 spin_lock_bh(&curr_table->list_lock);
142 for(count = 0; count < ip_list_tot; count++) {
143 if(!curr_table->table[count].addr) continue;
144 last_len = len;
145 len += sprintf(buffer+len,"src=%u.%u.%u.%u ",NIPQUAD(curr_table->table[count].addr));
146 len += sprintf(buffer+len,"ttl: %u ",curr_table->table[count].ttl);
147 len += sprintf(buffer+len,"last_seen: %lu ",curr_table->table[count].last_seen);
148 len += sprintf(buffer+len,"oldest_pkt: %u ",curr_table->table[count].oldest_pkt);
149 len += sprintf(buffer+len,"last_pkts: %lu",curr_table->table[count].last_pkts[0]);
150 for(pkt_count = 1; pkt_count < ip_pkt_list_tot; pkt_count++) {
151 if(!curr_table->table[count].last_pkts[pkt_count]) break;
152 len += sprintf(buffer+len,", %lu",curr_table->table[count].last_pkts[pkt_count]);
153 }
154 len += sprintf(buffer+len,"\n");
155 pos = begin + len;
156 if(pos < offset) { len = 0; begin = pos; }
157 if(pos > offset + length) { len = last_len; break; }
158 }
159
160 *start = buffer + (offset - begin);
161 len -= (offset - begin);
162 if(len > length) len = length;
163
164 spin_unlock_bh(&curr_table->list_lock);
165 return len;
166 }
167
168 /* ip_recent_ctrl provides an interface for users to modify the table
169 * directly. This allows adding entries, removing entries, and
170 * flushing the entire table.
171 * This is done by opening up the appropriate table for writing and
172 * sending one of:
173 * xx.xx.xx.xx -- Add entry to table with current time
174 * +xx.xx.xx.xx -- Add entry to table with current time
175 * -xx.xx.xx.xx -- Remove entry from table
176 * clear -- Flush table, remove all entries
177 */
178
179 static int ip_recent_ctrl(struct file *file, const char __user *input, unsigned long size, void *data)
180 {
181 static const u_int32_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff };
182 u_int32_t val;
183 int base, used = 0;
184 char c, *cp;
185 union iaddr {
186 uint8_t bytes[4];
187 uint32_t word;
188 } res;
189 uint8_t *pp = res.bytes;
190 int digit;
191
192 char buffer[20];
193 int len, check_set = 0, count;
194 u_int32_t addr = 0;
195 struct sk_buff *skb;
196 struct ipt_recent_info *info;
197 struct recent_ip_tables *curr_table;
198
199 curr_table = (struct recent_ip_tables*) data;
200
201 if(size > 20) len = 20; else len = size;
202
203 if(copy_from_user(buffer,input,len)) return -EFAULT;
204
205 if(len < 20) buffer[len] = '\0';
206
207 #ifdef DEBUG
208 if(debug) printk(KERN_INFO RECENT_NAME ": ip_recent_ctrl len: %d, input: `%.20s'\n",len,buffer);
209 #endif
210
211 cp = buffer;
212 while(isspace(*cp)) { cp++; used++; if(used >= len-5) return used; }
213
214 /* Check if we are asked to flush the entire table */
215 if(!memcmp(cp,"clear",5)) {
216 used += 5;
217 spin_lock_bh(&curr_table->list_lock);
218 curr_table->time_pos = 0;
219 for(count = 0; count < ip_list_hash_size; count++) {
220 curr_table->hash_table[count] = -1;
221 }
222 for(count = 0; count < ip_list_tot; count++) {
223 curr_table->table[count].last_seen = 0;
224 curr_table->table[count].addr = 0;
225 curr_table->table[count].ttl = 0;
226 memset(curr_table->table[count].last_pkts,0,ip_pkt_list_tot*sizeof(u_int32_t));
227 curr_table->table[count].oldest_pkt = 0;
228 curr_table->table[count].time_pos = 0;
229 curr_table->time_info[count].position = count;
230 curr_table->time_info[count].time = 0;
231 }
232 spin_unlock_bh(&curr_table->list_lock);
233 return used;
234 }
235
236 check_set = IPT_RECENT_SET;
237 switch(*cp) {
238 case '+': check_set = IPT_RECENT_SET; cp++; used++; break;
239 case '-': check_set = IPT_RECENT_REMOVE; cp++; used++; break;
240 default: if(!isdigit(*cp)) return (used+1); break;
241 }
242
243 #ifdef DEBUG
244 if(debug) printk(KERN_INFO RECENT_NAME ": ip_recent_ctrl cp: `%c', check_set: %d\n",*cp,check_set);
245 #endif
246 /* Get addr (effectively inet_aton()) */
247 /* Shamelessly stolen from libc, a function in the kernel for doing
248 * this would, of course, be greatly preferred, but our options appear
249 * to be rather limited, so we will just do it ourselves here.
250 */
251 res.word = 0;
252
253 c = *cp;
254 for(;;) {
255 if(!isdigit(c)) return used;
256 val = 0; base = 10; digit = 0;
257 if(c == '0') {
258 c = *++cp;
259 if(c == 'x' || c == 'X') base = 16, c = *++cp;
260 else { base = 8; digit = 1; }
261 }
262 for(;;) {
263 if(isascii(c) && isdigit(c)) {
264 if(base == 8 && (c == '8' || c == '0')) return used;
265 val = (val * base) + (c - '0');
266 c = *++cp;
267 digit = 1;
268 } else if(base == 16 && isascii(c) && isxdigit(c)) {
269 val = (val << 4) | (c + 10 - (islower(c) ? 'a' : 'A'));
270 c = *++cp;
271 digit = 1;
272 } else break;
273 }
274 if(c == '.') {
275 if(pp > res.bytes + 2 || val > 0xff) return used;
276 *pp++ = val;
277 c = *++cp;
278 } else break;
279 }
280 used = cp - buffer;
281 if(c != '\0' && (!isascii(c) || !isspace(c))) return used;
282 if(c == '\n') used++;
283 if(!digit) return used;
284
285 if(val > max[pp - res.bytes]) return used;
286 addr = res.word | htonl(val);
287
288 if(!addr && check_set == IPT_RECENT_SET) return used;
289
290 #ifdef DEBUG
291 if(debug) printk(KERN_INFO RECENT_NAME ": ip_recent_ctrl c: %c, addr: %u used: %d\n",c,addr,used);
292 #endif
293
294 /* Set up and just call match */
295 info = kmalloc(sizeof(struct ipt_recent_info),GFP_KERNEL);
296 if(!info) { return -ENOMEM; }
297 info->seconds = 0;
298 info->hit_count = 0;
299 info->check_set = check_set;
300 info->invert = 0;
301 info->side = IPT_RECENT_SOURCE;
302 strncpy(info->name,curr_table->name,IPT_RECENT_NAME_LEN);
303 info->name[IPT_RECENT_NAME_LEN-1] = '\0';
304
305 skb = kmalloc(sizeof(struct sk_buff),GFP_KERNEL);
306 if (!skb) {
307 used = -ENOMEM;
308 goto out_free_info;
309 }
310 skb->nh.iph = kmalloc(sizeof(struct iphdr),GFP_KERNEL);
311 if (!skb->nh.iph) {
312 used = -ENOMEM;
313 goto out_free_skb;
314 }
315
316 skb->nh.iph->saddr = addr;
317 skb->nh.iph->daddr = 0;
318 /* Clear ttl since we have no way of knowing it */
319 skb->nh.iph->ttl = 0;
320 match(skb,NULL,NULL,info,0,NULL);
321
322 kfree(skb->nh.iph);
323 out_free_skb:
324 kfree(skb);
325 out_free_info:
326 kfree(info);
327
328 #ifdef DEBUG
329 if(debug) printk(KERN_INFO RECENT_NAME ": Leaving ip_recent_ctrl addr: %u used: %d\n",addr,used);
330 #endif
331 return used;
332 }
333
334 #endif /* CONFIG_PROC_FS */
335
336 /* 'match' is our primary function, called by the kernel whenever a rule is
337 * hit with our module as an option to it.
338 * What this function does depends on what was specifically asked of it by
339 * the user:
340 * --set -- Add or update last seen time of the source address of the packet
341 * -- matchinfo->check_set == IPT_RECENT_SET
342 * --rcheck -- Just check if the source address is in the list
343 * -- matchinfo->check_set == IPT_RECENT_CHECK
344 * --update -- If the source address is in the list, update last_seen
345 * -- matchinfo->check_set == IPT_RECENT_UPDATE
346 * --remove -- If the source address is in the list, remove it
347 * -- matchinfo->check_set == IPT_RECENT_REMOVE
348 * --seconds -- Option to --rcheck/--update, only match if last_seen within seconds
349 * -- matchinfo->seconds
350 * --hitcount -- Option to --rcheck/--update, only match if seen hitcount times
351 * -- matchinfo->hit_count
352 * --seconds and --hitcount can be combined
353 */
354 static int
355 match(const struct sk_buff *skb,
356 const struct net_device *in,
357 const struct net_device *out,
358 const void *matchinfo,
359 int offset,
360 int *hotdrop)
361 {
362 int pkt_count, hits_found, ans;
363 unsigned long now;
364 const struct ipt_recent_info *info = matchinfo;
365 u_int32_t addr = 0, time_temp;
366 u_int8_t ttl = skb->nh.iph->ttl;
367 int *hash_table;
368 int orig_hash_result, hash_result, temp, location = 0, time_loc, end_collision_chain = -1;
369 struct time_info_list *time_info;
370 struct recent_ip_tables *curr_table;
371 struct recent_ip_tables *last_table;
372 struct recent_ip_list *r_list;
373
374 #ifdef DEBUG
375 if(debug) printk(KERN_INFO RECENT_NAME ": match() called\n");
376 #endif
377
378 /* Default is false ^ info->invert */
379 ans = info->invert;
380
381 #ifdef DEBUG
382 if(debug) printk(KERN_INFO RECENT_NAME ": match(): name = '%s'\n",info->name);
383 #endif
384
385 /* if out != NULL then routing has been done and TTL changed.
386 * We change it back here internally for match what came in before routing. */
387 if(out) ttl++;
388
389 /* Find the right table */
390 spin_lock_bh(&recent_lock);
391 curr_table = r_tables;
392 while( (last_table = curr_table) && strncmp(info->name,curr_table->name,IPT_RECENT_NAME_LEN) && (curr_table = curr_table->next) );
393
394 #ifdef DEBUG
395 if(debug) printk(KERN_INFO RECENT_NAME ": match(): table found('%s')\n",info->name);
396 #endif
397
398 spin_unlock_bh(&recent_lock);
399
400 /* Table with this name not found, match impossible */
401 if(!curr_table) { return ans; }
402
403 /* Make sure no one is changing the list while we work with it */
404 spin_lock_bh(&curr_table->list_lock);
405
406 r_list = curr_table->table;
407 if(info->side == IPT_RECENT_DEST) addr = skb->nh.iph->daddr; else addr = skb->nh.iph->saddr;
408
409 if(!addr) {
410 #ifdef DEBUG
411 if(debug) printk(KERN_INFO RECENT_NAME ": match() address (%u) invalid, leaving.\n",addr);
412 #endif
413 spin_unlock_bh(&curr_table->list_lock);
414 return ans;
415 }
416
417 #ifdef DEBUG
418 if(debug) printk(KERN_INFO RECENT_NAME ": match(): checking table, addr: %u, ttl: %u, orig_ttl: %u\n",addr,ttl,skb->nh.iph->ttl);
419 #endif
420
421 /* Get jiffies now in case they changed while we were waiting for a lock */
422 now = jiffies;
423 hash_table = curr_table->hash_table;
424 time_info = curr_table->time_info;
425
426 orig_hash_result = hash_result = hash_func(addr,ip_list_hash_size);
427 /* Hash entry at this result used */
428 /* Check for TTL match if requested. If TTL is zero then a match would never
429 * happen, so match regardless of existing TTL in that case. Zero means the
430 * entry was added via the /proc interface anyway, so we will just use the
431 * first TTL we get for that IP address. */
432 if(info->check_set & IPT_RECENT_TTL) {
433 while(hash_table[hash_result] != -1 && !(r_list[hash_table[hash_result]].addr == addr &&
434 (!r_list[hash_table[hash_result]].ttl || r_list[hash_table[hash_result]].ttl == ttl))) {
435 /* Collision in hash table */
436 hash_result = (hash_result + 1) % ip_list_hash_size;
437 }
438 } else {
439 while(hash_table[hash_result] != -1 && r_list[hash_table[hash_result]].addr != addr) {
440 /* Collision in hash table */
441 hash_result = (hash_result + 1) % ip_list_hash_size;
442 }
443 }
444
445 if(hash_table[hash_result] == -1 && !(info->check_set & IPT_RECENT_SET)) {
446 /* IP not in list and not asked to SET */
447 spin_unlock_bh(&curr_table->list_lock);
448 return ans;
449 }
450
451 /* Check if we need to handle the collision, do not need to on REMOVE */
452 if(orig_hash_result != hash_result && !(info->check_set & IPT_RECENT_REMOVE)) {
453 #ifdef DEBUG
454 if(debug) printk(KERN_INFO RECENT_NAME ": match(): Collision in hash table. (or: %d,hr: %d,oa: %u,ha: %u)\n",
455 orig_hash_result,
456 hash_result,
457 r_list[hash_table[orig_hash_result]].addr,
458 addr);
459 #endif
460
461 /* We had a collision.
462 * orig_hash_result is where we started, hash_result is where we ended up.
463 * So, swap them because we are likely to see the same guy again sooner */
464 #ifdef DEBUG
465 if(debug) {
466 printk(KERN_INFO RECENT_NAME ": match(): Collision; hash_table[orig_hash_result] = %d\n",hash_table[orig_hash_result]);
467 printk(KERN_INFO RECENT_NAME ": match(): Collision; r_list[hash_table[orig_hash_result]].hash_entry = %d\n",
468 r_list[hash_table[orig_hash_result]].hash_entry);
469 }
470 #endif
471
472 r_list[hash_table[orig_hash_result]].hash_entry = hash_result;
473
474
475 temp = hash_table[orig_hash_result];
476 #ifdef DEBUG
477 if(debug) printk(KERN_INFO RECENT_NAME ": match(): Collision; hash_table[hash_result] = %d\n",hash_table[hash_result]);
478 #endif
479 hash_table[orig_hash_result] = hash_table[hash_result];
480 hash_table[hash_result] = temp;
481 temp = hash_result;
482 hash_result = orig_hash_result;
483 orig_hash_result = temp;
484 time_info[r_list[hash_table[orig_hash_result]].time_pos].position = hash_table[orig_hash_result];
485 if(hash_table[hash_result] != -1) {
486 r_list[hash_table[hash_result]].hash_entry = hash_result;
487 time_info[r_list[hash_table[hash_result]].time_pos].position = hash_table[hash_result];
488 }
489
490 #ifdef DEBUG
491 if(debug) printk(KERN_INFO RECENT_NAME ": match(): Collision handled.\n");
492 #endif
493 }
494
495 if(hash_table[hash_result] == -1) {
496 #ifdef DEBUG
497 if(debug) printk(KERN_INFO RECENT_NAME ": match(): New table entry. (hr: %d,ha: %u)\n",
498 hash_result, addr);
499 #endif
500
501 /* New item found and IPT_RECENT_SET, so we need to add it */
502 location = time_info[curr_table->time_pos].position;
503 hash_table[r_list[location].hash_entry] = -1;
504 hash_table[hash_result] = location;
505 memset(r_list[location].last_pkts,0,ip_pkt_list_tot*sizeof(u_int32_t));
506 r_list[location].time_pos = curr_table->time_pos;
507 r_list[location].addr = addr;
508 r_list[location].ttl = ttl;
509 r_list[location].last_seen = now;
510 r_list[location].oldest_pkt = 1;
511 r_list[location].last_pkts[0] = now;
512 r_list[location].hash_entry = hash_result;
513 time_info[curr_table->time_pos].time = r_list[location].last_seen;
514 curr_table->time_pos = (curr_table->time_pos + 1) % ip_list_tot;
515
516 ans = !info->invert;
517 } else {
518 #ifdef DEBUG
519 if(debug) printk(KERN_INFO RECENT_NAME ": match(): Existing table entry. (hr: %d,ha: %u)\n",
520 hash_result,
521 addr);
522 #endif
523
524 /* Existing item found */
525 location = hash_table[hash_result];
526 /* We have a match on address, now to make sure it meets all requirements for a
527 * full match. */
528 if(info->check_set & IPT_RECENT_CHECK || info->check_set & IPT_RECENT_UPDATE) {
529 if(!info->seconds && !info->hit_count) ans = !info->invert; else ans = info->invert;
530 if(info->seconds && !info->hit_count) {
531 if(time_before_eq(now,r_list[location].last_seen+info->seconds*HZ)) ans = !info->invert; else ans = info->invert;
532 }
533 if(info->seconds && info->hit_count) {
534 for(pkt_count = 0, hits_found = 0; pkt_count < ip_pkt_list_tot; pkt_count++) {
535 if(time_before_eq(now,r_list[location].last_pkts[pkt_count]+info->seconds*HZ)) hits_found++;
536 }
537 if(hits_found >= info->hit_count) ans = !info->invert; else ans = info->invert;
538 }
539 if(info->hit_count && !info->seconds) {
540 for(pkt_count = 0, hits_found = 0; pkt_count < ip_pkt_list_tot; pkt_count++) {
541 if(r_list[location].last_pkts[pkt_count] == 0) break;
542 hits_found++;
543 }
544 if(hits_found >= info->hit_count) ans = !info->invert; else ans = info->invert;
545 }
546 }
547 #ifdef DEBUG
548 if(debug) {
549 if(ans)
550 printk(KERN_INFO RECENT_NAME ": match(): match addr: %u\n",addr);
551 else
552 printk(KERN_INFO RECENT_NAME ": match(): no match addr: %u\n",addr);
553 }
554 #endif
555
556 /* If and only if we have been asked to SET, or to UPDATE (on match) do we add the
557 * current timestamp to the last_seen. */
558 if((info->check_set & IPT_RECENT_SET && (ans = !info->invert)) || (info->check_set & IPT_RECENT_UPDATE && ans)) {
559 #ifdef DEBUG
560 if(debug) printk(KERN_INFO RECENT_NAME ": match(): SET or UPDATE; updating time info.\n");
561 #endif
562 /* Have to update our time info */
563 time_loc = r_list[location].time_pos;
564 time_info[time_loc].time = now;
565 time_info[time_loc].position = location;
566 while((time_info[(time_loc+1) % ip_list_tot].time < time_info[time_loc].time) && ((time_loc+1) % ip_list_tot) != curr_table->time_pos) {
567 time_temp = time_info[time_loc].time;
568 time_info[time_loc].time = time_info[(time_loc+1)%ip_list_tot].time;
569 time_info[(time_loc+1)%ip_list_tot].time = time_temp;
570 time_temp = time_info[time_loc].position;
571 time_info[time_loc].position = time_info[(time_loc+1)%ip_list_tot].position;
572 time_info[(time_loc+1)%ip_list_tot].position = time_temp;
573 r_list[time_info[time_loc].position].time_pos = time_loc;
574 r_list[time_info[(time_loc+1)%ip_list_tot].position].time_pos = (time_loc+1)%ip_list_tot;
575 time_loc = (time_loc+1) % ip_list_tot;
576 }
577 r_list[location].time_pos = time_loc;
578 r_list[location].ttl = ttl;
579 r_list[location].last_pkts[r_list[location].oldest_pkt] = now;
580 r_list[location].oldest_pkt = ++r_list[location].oldest_pkt % ip_pkt_list_tot;
581 r_list[location].last_seen = now;
582 }
583 /* If we have been asked to remove the entry from the list, just set it to 0 */
584 if(info->check_set & IPT_RECENT_REMOVE) {
585 #ifdef DEBUG
586 if(debug) printk(KERN_INFO RECENT_NAME ": match(): REMOVE; clearing entry (or: %d, hr: %d).\n",orig_hash_result,hash_result);
587 #endif
588 /* Check if this is part of a collision chain */
589 while(hash_table[(orig_hash_result+1) % ip_list_hash_size] != -1) {
590 orig_hash_result++;
591 if(hash_func(r_list[hash_table[orig_hash_result]].addr,ip_list_hash_size) == hash_result) {
592 /* Found collision chain, how deep does this rabbit hole go? */
593 #ifdef DEBUG
594 if(debug) printk(KERN_INFO RECENT_NAME ": match(): REMOVE; found collision chain.\n");
595 #endif
596 end_collision_chain = orig_hash_result;
597 }
598 }
599 if(end_collision_chain != -1) {
600 #ifdef DEBUG
601 if(debug) printk(KERN_INFO RECENT_NAME ": match(): REMOVE; part of collision chain, moving to end.\n");
602 #endif
603 /* Part of a collision chain, swap it with the end of the chain
604 * before removing. */
605 r_list[hash_table[end_collision_chain]].hash_entry = hash_result;
606 temp = hash_table[end_collision_chain];
607 hash_table[end_collision_chain] = hash_table[hash_result];
608 hash_table[hash_result] = temp;
609 time_info[r_list[hash_table[hash_result]].time_pos].position = hash_table[hash_result];
610 hash_result = end_collision_chain;
611 r_list[hash_table[hash_result]].hash_entry = hash_result;
612 time_info[r_list[hash_table[hash_result]].time_pos].position = hash_table[hash_result];
613 }
614 location = hash_table[hash_result];
615 hash_table[r_list[location].hash_entry] = -1;
616 time_loc = r_list[location].time_pos;
617 time_info[time_loc].time = 0;
618 time_info[time_loc].position = location;
619 while((time_info[(time_loc+1) % ip_list_tot].time < time_info[time_loc].time) && ((time_loc+1) % ip_list_tot) != curr_table->time_pos) {
620 time_temp = time_info[time_loc].time;
621 time_info[time_loc].time = time_info[(time_loc+1)%ip_list_tot].time;
622 time_info[(time_loc+1)%ip_list_tot].time = time_temp;
623 time_temp = time_info[time_loc].position;
624 time_info[time_loc].position = time_info[(time_loc+1)%ip_list_tot].position;
625 time_info[(time_loc+1)%ip_list_tot].position = time_temp;
626 r_list[time_info[time_loc].position].time_pos = time_loc;
627 r_list[time_info[(time_loc+1)%ip_list_tot].position].time_pos = (time_loc+1)%ip_list_tot;
628 time_loc = (time_loc+1) % ip_list_tot;
629 }
630 r_list[location].time_pos = time_loc;
631 r_list[location].last_seen = 0;
632 r_list[location].addr = 0;
633 r_list[location].ttl = 0;
634 memset(r_list[location].last_pkts,0,ip_pkt_list_tot*sizeof(u_int32_t));
635 r_list[location].oldest_pkt = 0;
636 ans = !info->invert;
637 }
638 spin_unlock_bh(&curr_table->list_lock);
639 return ans;
640 }
641
642 spin_unlock_bh(&curr_table->list_lock);
643 #ifdef DEBUG
644 if(debug) printk(KERN_INFO RECENT_NAME ": match() left.\n");
645 #endif
646 return ans;
647 }
648
649 /* This function is to verify that the rule given during the userspace iptables
650 * command is correct.
651 * If the command is valid then we check if the table name referred to by the
652 * rule exists, if not it is created.
653 */
654 static int
655 checkentry(const char *tablename,
656 const struct ipt_ip *ip,
657 void *matchinfo,
658 unsigned int matchsize,
659 unsigned int hook_mask)
660 {
661 int flag = 0, c;
662 unsigned long *hold;
663 const struct ipt_recent_info *info = matchinfo;
664 struct recent_ip_tables *curr_table, *find_table, *last_table;
665
666 #ifdef DEBUG
667 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry() entered.\n");
668 #endif
669
670 if (matchsize != IPT_ALIGN(sizeof(struct ipt_recent_info))) return 0;
671
672 /* seconds and hit_count only valid for CHECK/UPDATE */
673 if(info->check_set & IPT_RECENT_SET) { flag++; if(info->seconds || info->hit_count) return 0; }
674 if(info->check_set & IPT_RECENT_REMOVE) { flag++; if(info->seconds || info->hit_count) return 0; }
675 if(info->check_set & IPT_RECENT_CHECK) flag++;
676 if(info->check_set & IPT_RECENT_UPDATE) flag++;
677
678 /* One and only one of these should ever be set */
679 if(flag != 1) return 0;
680
681 /* Name must be set to something */
682 if(!info->name || !info->name[0]) return 0;
683
684 /* Things look good, create a list for this if it does not exist */
685 /* Lock the linked list while we play with it */
686 spin_lock_bh(&recent_lock);
687
688 /* Look for an entry with this name already created */
689 /* Finds the end of the list and the entry before the end if current name does not exist */
690 find_table = r_tables;
691 while( (last_table = find_table) && strncmp(info->name,find_table->name,IPT_RECENT_NAME_LEN) && (find_table = find_table->next) );
692
693 /* If a table already exists just increment the count on that table and return */
694 if(find_table) {
695 #ifdef DEBUG
696 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry: table found (%s), incrementing count.\n",info->name);
697 #endif
698 find_table->count++;
699 spin_unlock_bh(&recent_lock);
700 return 1;
701 }
702
703 spin_unlock_bh(&recent_lock);
704
705 /* Table with this name not found */
706 /* Allocate memory for new linked list item */
707
708 #ifdef DEBUG
709 if(debug) {
710 printk(KERN_INFO RECENT_NAME ": checkentry: no table found (%s)\n",info->name);
711 printk(KERN_INFO RECENT_NAME ": checkentry: Allocationg %d for link-list entry.\n",sizeof(struct recent_ip_tables));
712 }
713 #endif
714
715 curr_table = vmalloc(sizeof(struct recent_ip_tables));
716 if(curr_table == NULL) return 0;
717
718 spin_lock_init(&curr_table->list_lock);
719 curr_table->next = NULL;
720 curr_table->count = 1;
721 curr_table->time_pos = 0;
722 strncpy(curr_table->name,info->name,IPT_RECENT_NAME_LEN);
723 curr_table->name[IPT_RECENT_NAME_LEN-1] = '\0';
724
725 /* Allocate memory for this table and the list of packets in each entry. */
726 #ifdef DEBUG
727 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry: Allocating %d for table (%s).\n",
728 sizeof(struct recent_ip_list)*ip_list_tot,
729 info->name);
730 #endif
731
732 curr_table->table = vmalloc(sizeof(struct recent_ip_list)*ip_list_tot);
733 if(curr_table->table == NULL) { vfree(curr_table); return 0; }
734 memset(curr_table->table,0,sizeof(struct recent_ip_list)*ip_list_tot);
735 #ifdef DEBUG
736 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry: Allocating %d for pkt_list.\n",
737 sizeof(u_int32_t)*ip_pkt_list_tot*ip_list_tot);
738 #endif
739
740 hold = vmalloc(sizeof(u_int32_t)*ip_pkt_list_tot*ip_list_tot);
741 #ifdef DEBUG
742 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry: After pkt_list allocation.\n");
743 #endif
744 if(hold == NULL) {
745 printk(KERN_INFO RECENT_NAME ": checkentry: unable to allocate for pkt_list.\n");
746 vfree(curr_table->table);
747 vfree(curr_table);
748 return 0;
749 }
750 for(c = 0; c < ip_list_tot; c++) {
751 curr_table->table[c].last_pkts = hold + c*ip_pkt_list_tot;
752 }
753
754 /* Allocate memory for the hash table */
755 #ifdef DEBUG
756 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry: Allocating %d for hash_table.\n",
757 sizeof(int)*ip_list_hash_size);
758 #endif
759
760 curr_table->hash_table = vmalloc(sizeof(int)*ip_list_hash_size);
761 if(!curr_table->hash_table) {
762 printk(KERN_INFO RECENT_NAME ": checkentry: unable to allocate for hash_table.\n");
763 vfree(hold);
764 vfree(curr_table->table);
765 vfree(curr_table);
766 return 0;
767 }
768
769 for(c = 0; c < ip_list_hash_size; c++) {
770 curr_table->hash_table[c] = -1;
771 }
772
773 /* Allocate memory for the time info */
774 #ifdef DEBUG
775 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry: Allocating %d for time_info.\n",
776 sizeof(struct time_info_list)*ip_list_tot);
777 #endif
778
779 curr_table->time_info = vmalloc(sizeof(struct time_info_list)*ip_list_tot);
780 if(!curr_table->time_info) {
781 printk(KERN_INFO RECENT_NAME ": checkentry: unable to allocate for time_info.\n");
782 vfree(curr_table->hash_table);
783 vfree(hold);
784 vfree(curr_table->table);
785 vfree(curr_table);
786 return 0;
787 }
788 for(c = 0; c < ip_list_tot; c++) {
789 curr_table->time_info[c].position = c;
790 curr_table->time_info[c].time = 0;
791 }
792
793 /* Put the new table in place */
794 spin_lock_bh(&recent_lock);
795 find_table = r_tables;
796 while( (last_table = find_table) && strncmp(info->name,find_table->name,IPT_RECENT_NAME_LEN) && (find_table = find_table->next) );
797
798 /* If a table already exists just increment the count on that table and return */
799 if(find_table) {
800 find_table->count++;
801 spin_unlock_bh(&recent_lock);
802 #ifdef DEBUG
803 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry: table found (%s), created by other process.\n",info->name);
804 #endif
805 vfree(curr_table->time_info);
806 vfree(curr_table->hash_table);
807 vfree(hold);
808 vfree(curr_table->table);
809 vfree(curr_table);
810 return 1;
811 }
812 if(!last_table) r_tables = curr_table; else last_table->next = curr_table;
813
814 spin_unlock_bh(&recent_lock);
815
816 #ifdef CONFIG_PROC_FS
817 /* Create our proc 'status' entry. */
818 curr_table->status_proc = create_proc_entry(curr_table->name, ip_list_perms, proc_net_ipt_recent);
819 if (!curr_table->status_proc) {
820 printk(KERN_INFO RECENT_NAME ": checkentry: unable to allocate for /proc entry.\n");
821 /* Destroy the created table */
822 spin_lock_bh(&recent_lock);
823 last_table = NULL;
824 curr_table = r_tables;
825 if(!curr_table) {
826 #ifdef DEBUG
827 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry() create_proc failed, no tables.\n");
828 #endif
829 spin_unlock_bh(&recent_lock);
830 return 0;
831 }
832 while( strncmp(info->name,curr_table->name,IPT_RECENT_NAME_LEN) && (last_table = curr_table) && (curr_table = curr_table->next) );
833 if(!curr_table) {
834 #ifdef DEBUG
835 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry() create_proc failed, table already destroyed.\n");
836 #endif
837 spin_unlock_bh(&recent_lock);
838 return 0;
839 }
840 if(last_table) last_table->next = curr_table->next; else r_tables = curr_table->next;
841 spin_unlock_bh(&recent_lock);
842 vfree(curr_table->time_info);
843 vfree(curr_table->hash_table);
844 vfree(hold);
845 vfree(curr_table->table);
846 vfree(curr_table);
847 return 0;
848 }
849
850 curr_table->status_proc->owner = THIS_MODULE;
851 curr_table->status_proc->data = curr_table;
852 wmb();
853 curr_table->status_proc->read_proc = ip_recent_get_info;
854 curr_table->status_proc->write_proc = ip_recent_ctrl;
855 #endif /* CONFIG_PROC_FS */
856
857 #ifdef DEBUG
858 if(debug) printk(KERN_INFO RECENT_NAME ": checkentry() left.\n");
859 #endif
860
861 return 1;
862 }
863
864 /* This function is called in the event that a rule matching this module is
865 * removed.
866 * When this happens we need to check if there are no other rules matching
867 * the table given. If that is the case then we remove the table and clean
868 * up its memory.
869 */
870 static void
871 destroy(void *matchinfo, unsigned int matchsize)
872 {
873 const struct ipt_recent_info *info = matchinfo;
874 struct recent_ip_tables *curr_table, *last_table;
875
876 #ifdef DEBUG
877 if(debug) printk(KERN_INFO RECENT_NAME ": destroy() entered.\n");
878 #endif
879
880 if(matchsize != IPT_ALIGN(sizeof(struct ipt_recent_info))) return;
881
882 /* Lock the linked list while we play with it */
883 spin_lock_bh(&recent_lock);
884
885 /* Look for an entry with this name already created */
886 /* Finds the end of the list and the entry before the end if current name does not exist */
887 last_table = NULL;
888 curr_table = r_tables;
889 if(!curr_table) {
890 #ifdef DEBUG
891 if(debug) printk(KERN_INFO RECENT_NAME ": destroy() No tables found, leaving.\n");
892 #endif
893 spin_unlock_bh(&recent_lock);
894 return;
895 }
896 while( strncmp(info->name,curr_table->name,IPT_RECENT_NAME_LEN) && (last_table = curr_table) && (curr_table = curr_table->next) );
897
898 /* If a table does not exist then do nothing and return */
899 if(!curr_table) {
900 #ifdef DEBUG
901 if(debug) printk(KERN_INFO RECENT_NAME ": destroy() table not found, leaving.\n");
902 #endif
903 spin_unlock_bh(&recent_lock);
904 return;
905 }
906
907 curr_table->count--;
908
909 /* If count is still non-zero then there are still rules referenceing it so we do nothing */
910 if(curr_table->count) {
911 #ifdef DEBUG
912 if(debug) printk(KERN_INFO RECENT_NAME ": destroy() table found, non-zero count, leaving.\n");
913 #endif
914 spin_unlock_bh(&recent_lock);
915 return;
916 }
917
918 #ifdef DEBUG
919 if(debug) printk(KERN_INFO RECENT_NAME ": destroy() table found, zero count, removing.\n");
920 #endif
921
922 /* Count must be zero so we remove this table from the list */
923 if(last_table) last_table->next = curr_table->next; else r_tables = curr_table->next;
924
925 spin_unlock_bh(&recent_lock);
926
927 /* lock to make sure any late-runners still using this after we removed it from
928 * the list finish up then remove everything */
929 spin_lock_bh(&curr_table->list_lock);
930 spin_unlock_bh(&curr_table->list_lock);
931
932 #ifdef CONFIG_PROC_FS
933 if(curr_table->status_proc) remove_proc_entry(curr_table->name,proc_net_ipt_recent);
934 #endif /* CONFIG_PROC_FS */
935 vfree(curr_table->table[0].last_pkts);
936 vfree(curr_table->table);
937 vfree(curr_table->hash_table);
938 vfree(curr_table->time_info);
939 vfree(curr_table);
940
941 #ifdef DEBUG
942 if(debug) printk(KERN_INFO RECENT_NAME ": destroy() left.\n");
943 #endif
944
945 return;
946 }
947
948 /* This is the structure we pass to ipt_register to register our
949 * module with iptables.
950 */
951 static struct ipt_match recent_match = {
952 .name = "recent",
953 .match = &match,
954 .checkentry = &checkentry,
955 .destroy = &destroy,
956 .me = THIS_MODULE
957 };
958
959 /* Kernel module initialization. */
960 static int __init init(void)
961 {
962 int err, count;
963
964 printk(version);
965 #ifdef CONFIG_PROC_FS
966 proc_net_ipt_recent = proc_mkdir("ipt_recent",proc_net);
967 if(!proc_net_ipt_recent) return -ENOMEM;
968 #endif
969
970 if(ip_list_hash_size && ip_list_hash_size <= ip_list_tot) {
971 printk(KERN_WARNING RECENT_NAME ": ip_list_hash_size too small, resetting to default.\n");
972 ip_list_hash_size = 0;
973 }
974
975 if(!ip_list_hash_size) {
976 ip_list_hash_size = ip_list_tot*3;
977 count = 2*2;
978 while(ip_list_hash_size > count) count = count*2;
979 ip_list_hash_size = count;
980 }
981
982 #ifdef DEBUG
983 if(debug) printk(KERN_INFO RECENT_NAME ": ip_list_hash_size: %d\n",ip_list_hash_size);
984 #endif
985
986 err = ipt_register_match(&recent_match);
987 if (err)
988 remove_proc_entry("ipt_recent", proc_net);
989 return err;
990 }
991
992 /* Kernel module destruction. */
993 static void __exit fini(void)
994 {
995 ipt_unregister_match(&recent_match);
996
997 remove_proc_entry("ipt_recent",proc_net);
998 }
999
1000 /* Register our module with the kernel. */
1001 module_init(init);
1002 module_exit(fini);
Linux 2.6 ibm-acpi/thinkpad-acpi driver git tree