1 /* Shared library add-on to iptables to add connection rate tracking
4 * Copyright (c) 2004 Nuutti Kotivuori <naked@iki.fi>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
16 #include <linux/netfilter/nf_conntrack_common.h>
17 #include <linux/netfilter_ipv4/ipt_connrate.h>
19 /* Usage text for the connrate match. The strings below describe a single
 * option, --connrate [!] [from]:[to], a range in bytes per second in which
 * `inf' stands for the maximum expressible value; IPTABLES_VERSION fills
 * the %s. The enclosing function header and the call that consumes these
 * strings are not part of this listing. */
24 "connrate v%s options:\n"
25 " --connrate [!] [from]:[to]\n"
26 " Match connection transfer rate in bytes\n"
27 " per second. `inf' can be used for maximum\n"
28 " expressible value.\n"
29 "\n", IPTABLES_VERSION
);
/* Long-option table for this match. Entries follow the getopt_long
 * `struct option' layout: name, has_arg, flag, val. Any further entries,
 * including the terminator, are not shown in this listing. */
32 static struct option opts
[] = {
/* "--connrate" requires an argument (has_arg = 1) and is reported as '1'. */
33 { "connrate", 1, 0, '1' },
/* Converts the text of one end of a --connrate range to a number.
 * `def' is supplied by the caller (parse_range passes 0 for the lower end
 * and 0xFFFFFFFF for the upper end). How `def' is used is not visible in
 * this listing -- presumably it is returned for an empty string, TODO
 * confirm. The return type and the local declarations are not shown. */
38 parse_value(const char *arg
, u_int32_t def
)
/* The literal "inf" is recognised before any numeric conversion. */
47 if(strcmp(arg
, "inf") == 0)
/* NOTE(review): base 0 makes strtoul() accept decimal, 0x-prefixed hex and
 * 0-prefixed octal, and strtoul() also accepts a leading sign. It returns
 * unsigned long; where that type is wider than 32 bits, a value above
 * 0xFFFFFFFF is silently truncated if `value' is 32 bits wide, and no
 * errno/ERANGE check is visible here. A range check before narrowing would
 * make an oversized rate fail instead of wrapping -- confirm against the
 * full file. */
49 value
= strtoul(arg
, &end
, 0);
/* Rejects the argument. The condition guarding this call is not shown in
 * this listing; presumably it tests `end' for trailing characters. */
51 exit_error(PARAMETER_PROBLEM
,
52 "Bad value in range `%s'", arg
);
/* Splits a "[from]:[to]" argument at the first ':' and stores both ends in
 * `si'. The declaration and initialisation of `buffer' are not shown in
 * this listing; presumably it is a writable copy of `arg'.
 * NOTE(review): confirm that the copy is checked for failure before it is
 * handed to strchr() and that it is released before returning. */
57 parse_range(const char *arg
, struct ipt_connrate_info
*si
)
/* An argument without ':' is rejected outright. */
63 if ((colon
= strchr(buffer
, ':')) == NULL
)
64 exit_error(PARAMETER_PROBLEM
, "Bad range `%s'", arg
);
/* The lower end is parsed from the start of `buffer', the upper end from
 * the character after the colon; 0 and 0xFFFFFFFF are passed as the `def'
 * argument. Parsing the lower end this way relies on the ':' having been
 * overwritten with a terminator, which is not shown here -- TODO confirm. */
66 si
->from
= parse_value(buffer
, 0);
67 si
->to
= parse_value(colon
+1, 0xFFFFFFFF);
/* Only from > to is rejected, so equal ends are accepted even though the
 * message says "less than". */
68 if (si
->from
> si
->to
)
69 exit_error(PARAMETER_PROBLEM
, "%u should be less than %u", si
->from
,si
->to
);
/* Bit set in *flags by parse() once --connrate has been handled;
 * final_check() refuses a rule in which it is missing. */
73 #define CONNRATE_OPT 0x01
75 /* Function which parses command options; returns true if it [rest of the comment is cut off in this listing] */
/* Option parser for the connrate match. NOTE(review): the return type, the
 * dispatch on `c' and the return statements are not part of this listing;
 * only the handling of --connrate is visible. */
78 parse(int c
, char **argv
, int invert
, unsigned int *flags
,
79 const struct ipt_entry
*entry
,
80 unsigned int *nfcache
,
81 struct ipt_entry_match
**match
)
/* The match payload is viewed as ipt_connrate_info. The descriptor at the
 * end of the file sizes it as IPT_ALIGN(sizeof(struct ipt_connrate_info)). */
83 struct ipt_connrate_info
*sinfo
= (struct ipt_connrate_info
*)(*match
)->data
;
/* A second --connrate on the same rule is an error. */
88 if (*flags
& CONNRATE_OPT
)
89 exit_error(PARAMETER_PROBLEM
,
90 "Only one `--connrate' allowed");
/* check_inverse() receives pointers to `invert' and `optind', so it can
 * update both; the range text is then read from argv[optind-1], not optarg.
 * NOTE(review): this indexing relies on check_inverse() leaving optind on a
 * valid argument -- confirm against its definition. */
91 check_inverse(optarg
, &invert
, &optind
, 0);
92 parse_range(argv
[optind
-1], sinfo
);
/* NOTE(review): only this one assignment of what looks like a from/to swap
 * is shown (presumably applied when `invert' is set -- TODO confirm).
 * print_range() distinguishes the from > to case, so if inversion is encoded
 * by swapping, an inverted range with equal ends cannot be told apart from
 * the plain one. */
95 sinfo
->from
= sinfo
->to
;
/* Record that --connrate was given. */
98 *flags
|= CONNRATE_OPT
;
/* Rejects a rule that uses this match without --connrate: the
 * CONNRATE_OPT bit must be present in `flags'. */
108 static void final_check(unsigned int flags
)
110 if (!(flags
& CONNRATE_OPT
))
111 exit_error(PARAMETER_PROBLEM
,
112 "connrate match: You must specify `--connrate'");
/* Prints one end of a range. 0xFFFFFFFF is special-cased; both branch
 * bodies are missing from this listing (presumably "inf" versus the plain
 * number, mirroring parse_value -- TODO confirm). */
116 print_value(u_int32_t value
)
118 if(value
== 0xFFFFFFFF)
/* Prints a stored range. When from > to the ends are printed in the order
 * to, from; otherwise from, to. The text printed around the values (the
 * separator and any marker for the from > to case) is not shown in this
 * listing. */
125 print_range(struct ipt_connrate_info
*sinfo
)
/* from > to is never produced by parse_range() itself, which rejects it, so
 * this branch presumably handles the inverted form -- TODO confirm. */
127 if (sinfo
->from
> sinfo
->to
) {
129 print_value(sinfo
->to
);
131 print_value(sinfo
->from
);
/* Ordinary case: ends are printed as stored. */
133 print_value(sinfo
->from
);
135 print_value(sinfo
->to
);
139 /* Prints out the matchinfo. Only part of the parameter list and the
 * first declaration are present in this listing; the statements that
 * produce the output are not shown. */
141 print(const struct ipt_ip
*ip
,
142 const struct ipt_entry_match
*match
,
/* The cast drops the const qualifier of `match'. */
145 struct ipt_connrate_info
*sinfo
= (struct ipt_connrate_info
*)match
->data
;
152 /* Saves the matchinfo in parsable form to stdout. The visible output is
 * the "--connrate " prefix; whatever prints the range after it is not part
 * of this listing. */
153 static void save(const struct ipt_ip
*ip
, const struct ipt_entry_match
*match
)
/* The cast drops the const qualifier of `match'. */
155 struct ipt_connrate_info
*sinfo
= (struct ipt_connrate_info
*)match
->data
;
157 printf("--connrate ");
/* Descriptor through which this match is registered with iptables. Only
 * some of its initialisers are present in this listing. */
162 static struct iptables_match state
= {
165 .version
= IPTABLES_VERSION
,
/* Both size fields are the aligned size of struct ipt_connrate_info, the
 * same type parse(), print() and save() cast the match data to. */
166 .size
= IPT_ALIGN(sizeof(struct ipt_connrate_info
)),
167 .userspacesize
= IPT_ALIGN(sizeof(struct ipt_connrate_info
)),
170 .final_check
= &final_check
,
/* Registers the descriptor. The enclosing function is not shown in this
 * listing. */
178 register_match(&state
);