release/src/router/iptables/extensions/libip6t_connlimit.c

   1 /* Shared library add-on to iptables to add connection limit support. */
   2 #include <stdio.h>
   3 #include <netdb.h>
   4 #include <string.h>
   5 #include <stdlib.h>
   6 #include <stddef.h>
   7 #include <getopt.h>
   8 #include <ip6tables.h>
   9 #include <linux/netfilter/xt_connlimit.h>
  10
  11 /* Function which prints out usage message. */
  12 static void connlimit_help(void)
  13 {
  14         printf(
  15 "connlimit v%s options:\n"
  16 "[!] --connlimit-above n        match if the number of existing "
  17 "                               connections is (not) above n\n"
  18 "    --connlimit-mask n         group hosts using mask\n"
  19 "\n", IPTABLES_VERSION);
  20 }
  21
  22 static const struct option connlimit_opts[] = {
  23         {"connlimit-above", 1, 0, '1'},
  24         {"connlimit-mask",  1, 0, '2'},
  25         {0},
  26 };
  27
  28 static void connlimit_init(struct ip6t_entry_match *match, unsigned int *nfc)
  29 {
  30         struct xt_connlimit_info *info = (void *)match->data;
  31         info->v6_mask[0] =
  32         info->v6_mask[1] =
  33         info->v6_mask[2] =
  34         info->v6_mask[3] = 0xFFFFFFFF;
  35 }
  36
  37 static void prefix_to_netmask(u_int32_t *mask, unsigned int prefix_len)
  38 {
  39         if (prefix_len == 0) {
  40                 mask[0] = mask[1] = mask[2] = mask[3] = 0;
  41         } else if (prefix_len <= 32) {
  42                 mask[0] <<= 32 - prefix_len;
  43                 mask[1] = mask[2] = mask[3] = 0;
  44         } else if (prefix_len <= 64) {
  45                 mask[1] <<= 32 - (prefix_len - 32);
  46                 mask[2] = mask[3] = 0;
  47         } else if (prefix_len <= 96) {
  48                 mask[2] <<= 32 - (prefix_len - 64);
  49                 mask[3] = 0;
  50         } else if (prefix_len <= 128) {
  51                 mask[3] <<= 32 - (prefix_len - 96);
  52         }
  53         mask[0] = htonl(mask[0]);
  54         mask[1] = htonl(mask[1]);
  55         mask[2] = htonl(mask[2]);
  56         mask[3] = htonl(mask[3]);
  57 }
  58
  59 static int connlimit_parse(int c, char **argv, int invert, unsigned int *flags,
  60                            const struct ip6t_entry *entry,
  61                            unsigned int *nfcache,
  62                            struct ip6t_entry_match **match)
  63 {
  64         struct xt_connlimit_info *info = (void *)(*match)->data;
  65         char *err;
  66         int i;
  67
  68         if (*flags & c)
  69                 exit_error(PARAMETER_PROBLEM,
  70                            "--connlimit-above and/or --connlimit-mask may "
  71                            "only be given once");
  72
  73         switch (c) {
  74         case 1:
  75                 check_inverse(optarg, &invert, &optind, 0);
  76                 info->limit   = strtoul(argv[optind-1], NULL, 0);
  77                 info->inverse = invert;
  78                 break;
  79         case 2:
  80                 i = strtoul(argv[optind-1], &err, 0);
  81                 if (i > 128 || *err != '\0')
  82                         exit_error(PARAMETER_PROBLEM,
  83                                 "--connlimit-mask must be between 0 and 128");
  84                 prefix_to_netmask(info->v6_mask, i);
  85                 break;
  86         default:
  87                 return 0;
  88         }
  89
  90         *flags |= c;
  91         return 1;
  92 }
  93
  94 /* Final check */
  95 static void connlimit_check(unsigned int flags)
  96 {
  97         if (!(flags & 1))
  98                 exit_error(PARAMETER_PROBLEM,
  99                            "You must specify \"--connlimit-above\"");
 100 }
 101
 102 static unsigned int count_bits(const u_int32_t *mask)
 103 {
 104         unsigned int bits = 0, i;
 105         u_int32_t tmp[4];
 106
 107         for (i = 0; i < 4; ++i)
 108                 for (tmp[i] = ~ntohl(mask[i]); tmp[i] != 0; tmp[i] >>= 1)
 109                         ++bits;
 110         return 128 - bits;
 111 }
 112
 113 /* Prints out the matchinfo. */
 114 static void connlimit_print(const struct ip6t_ip6 *ip,
 115                             const struct ip6t_entry_match *match, int numeric)
 116 {
 117         const struct xt_connlimit_info *info = (const void *)match->data;
 118
 119         printf("#conn/%u %s %u ", count_bits(info->v6_mask),
 120                info->inverse ? "<=" : ">", info->limit);
 121 }
 122
 123 /* Saves the matchinfo in parsable form to stdout. */
 124 static void connlimit_save(const struct ip6t_ip6 *ip,
 125                            const struct ip6t_entry_match *match)
 126 {
 127         const struct xt_connlimit_info *info = (const void *)match->data;
 128
 129         printf("%s--connlimit-above %u --connlimit-mask %u ",
 130                info->inverse ? "! " : "", info->limit,
 131                count_bits(info->v6_mask));
 132 }
 133
 134 static struct ip6tables_match connlimit_reg = {
 135         .name          = "connlimit",
 136         .version       = IPTABLES_VERSION,
 137         .size          = IP6T_ALIGN(sizeof(struct xt_connlimit_info)),
 138         .userspacesize = offsetof(struct xt_connlimit_info, data),
 139         .help          = connlimit_help,
 140         .init          = connlimit_init,
 141         .parse         = connlimit_parse,
 142         .final_check   = connlimit_check,
 143         .print         = connlimit_print,
 144         .save          = connlimit_save,
 145         .extra_opts    = connlimit_opts,
 146 };
 147
 148 void _init(void)
 149 {
 150         register_match6(&connlimit_reg);
 151 }