232 lines
5.4 KiB
C
232 lines
5.4 KiB
C
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <xtables.h>
|
|
#include <linux/netfilter/xt_connbytes.h>
|
|
|
|
enum {
|
|
O_CONNBYTES = 0,
|
|
O_CONNBYTES_DIR,
|
|
O_CONNBYTES_MODE,
|
|
};
|
|
|
|
static void connbytes_help(void)
|
|
{
|
|
printf(
|
|
"connbytes match options:\n"
|
|
" [!] --connbytes from:[to]\n"
|
|
" --connbytes-dir [original, reply, both]\n"
|
|
" --connbytes-mode [packets, bytes, avgpkt]\n");
|
|
}
|
|
|
|
static const struct xt_option_entry connbytes_opts[] = {
|
|
{.name = "connbytes", .id = O_CONNBYTES, .type = XTTYPE_UINT64RC,
|
|
.flags = XTOPT_MAND | XTOPT_INVERT},
|
|
{.name = "connbytes-dir", .id = O_CONNBYTES_DIR, .type = XTTYPE_STRING,
|
|
.flags = XTOPT_MAND},
|
|
{.name = "connbytes-mode", .id = O_CONNBYTES_MODE,
|
|
.type = XTTYPE_STRING, .flags = XTOPT_MAND},
|
|
XTOPT_TABLEEND,
|
|
};
|
|
|
|
static void connbytes_parse(struct xt_option_call *cb)
|
|
{
|
|
struct xt_connbytes_info *sinfo = cb->data;
|
|
unsigned long long i;
|
|
|
|
xtables_option_parse(cb);
|
|
switch (cb->entry->id) {
|
|
case O_CONNBYTES:
|
|
sinfo->count.from = cb->val.u64_range[0];
|
|
sinfo->count.to = UINT64_MAX;
|
|
if (cb->nvals == 2)
|
|
sinfo->count.to = cb->val.u64_range[1];
|
|
|
|
if (sinfo->count.to < sinfo->count.from)
|
|
xtables_error(PARAMETER_PROBLEM, "%llu should be less than %llu",
|
|
(unsigned long long)sinfo->count.from,
|
|
(unsigned long long)sinfo->count.to);
|
|
if (cb->invert) {
|
|
i = sinfo->count.from;
|
|
sinfo->count.from = sinfo->count.to;
|
|
sinfo->count.to = i;
|
|
}
|
|
break;
|
|
case O_CONNBYTES_DIR:
|
|
if (strcmp(cb->arg, "original") == 0)
|
|
sinfo->direction = XT_CONNBYTES_DIR_ORIGINAL;
|
|
else if (strcmp(cb->arg, "reply") == 0)
|
|
sinfo->direction = XT_CONNBYTES_DIR_REPLY;
|
|
else if (strcmp(cb->arg, "both") == 0)
|
|
sinfo->direction = XT_CONNBYTES_DIR_BOTH;
|
|
else
|
|
xtables_error(PARAMETER_PROBLEM,
|
|
"Unknown --connbytes-dir `%s'", cb->arg);
|
|
break;
|
|
case O_CONNBYTES_MODE:
|
|
if (strcmp(cb->arg, "packets") == 0)
|
|
sinfo->what = XT_CONNBYTES_PKTS;
|
|
else if (strcmp(cb->arg, "bytes") == 0)
|
|
sinfo->what = XT_CONNBYTES_BYTES;
|
|
else if (strcmp(cb->arg, "avgpkt") == 0)
|
|
sinfo->what = XT_CONNBYTES_AVGPKT;
|
|
else
|
|
xtables_error(PARAMETER_PROBLEM,
|
|
"Unknown --connbytes-mode `%s'", cb->arg);
|
|
break;
|
|
}
|
|
}
|
|
|
|
static void print_mode(const struct xt_connbytes_info *sinfo)
|
|
{
|
|
switch (sinfo->what) {
|
|
case XT_CONNBYTES_PKTS:
|
|
fputs(" packets", stdout);
|
|
break;
|
|
case XT_CONNBYTES_BYTES:
|
|
fputs(" bytes", stdout);
|
|
break;
|
|
case XT_CONNBYTES_AVGPKT:
|
|
fputs(" avgpkt", stdout);
|
|
break;
|
|
default:
|
|
fputs(" unknown", stdout);
|
|
break;
|
|
}
|
|
}
|
|
|
|
static void print_direction(const struct xt_connbytes_info *sinfo)
|
|
{
|
|
switch (sinfo->direction) {
|
|
case XT_CONNBYTES_DIR_ORIGINAL:
|
|
fputs(" original", stdout);
|
|
break;
|
|
case XT_CONNBYTES_DIR_REPLY:
|
|
fputs(" reply", stdout);
|
|
break;
|
|
case XT_CONNBYTES_DIR_BOTH:
|
|
fputs(" both", stdout);
|
|
break;
|
|
default:
|
|
fputs(" unknown", stdout);
|
|
break;
|
|
}
|
|
}
|
|
|
|
static void print_from_to(const struct xt_connbytes_info *sinfo, const char *prefix)
|
|
{
|
|
unsigned long long from, to;
|
|
|
|
if (sinfo->count.from > sinfo->count.to) {
|
|
fputs(" !", stdout);
|
|
from = sinfo->count.to;
|
|
to = sinfo->count.from;
|
|
} else {
|
|
to = sinfo->count.to;
|
|
from = sinfo->count.from;
|
|
}
|
|
printf(" %sconnbytes %llu", prefix, from);
|
|
if (to && to < UINT64_MAX)
|
|
printf(":%llu", to);
|
|
}
|
|
|
|
static void
|
|
connbytes_print(const void *ip, const struct xt_entry_match *match, int numeric)
|
|
{
|
|
const struct xt_connbytes_info *sinfo = (const void *)match->data;
|
|
|
|
print_from_to(sinfo, "");
|
|
|
|
fputs(" connbytes mode", stdout);
|
|
print_mode(sinfo);
|
|
|
|
fputs(" connbytes direction", stdout);
|
|
print_direction(sinfo);
|
|
}
|
|
|
|
static void connbytes_save(const void *ip, const struct xt_entry_match *match)
|
|
{
|
|
const struct xt_connbytes_info *sinfo = (const void *)match->data;
|
|
|
|
print_from_to(sinfo, "--");
|
|
|
|
fputs(" --connbytes-mode", stdout);
|
|
print_mode(sinfo);
|
|
|
|
fputs(" --connbytes-dir", stdout);
|
|
print_direction(sinfo);
|
|
}
|
|
|
|
|
|
static int connbytes_xlate(struct xt_xlate *xl,
|
|
const struct xt_xlate_mt_params *params)
|
|
{
|
|
const struct xt_connbytes_info *info = (void *)params->match->data;
|
|
unsigned long long from, to;
|
|
bool invert = false;
|
|
|
|
xt_xlate_add(xl, "ct ");
|
|
|
|
switch (info->direction) {
|
|
case XT_CONNBYTES_DIR_ORIGINAL:
|
|
xt_xlate_add(xl, "original ");
|
|
break;
|
|
case XT_CONNBYTES_DIR_REPLY:
|
|
xt_xlate_add(xl, "reply ");
|
|
break;
|
|
case XT_CONNBYTES_DIR_BOTH:
|
|
break;
|
|
default:
|
|
return 0;
|
|
}
|
|
|
|
switch (info->what) {
|
|
case XT_CONNBYTES_PKTS:
|
|
xt_xlate_add(xl, "packets ");
|
|
break;
|
|
case XT_CONNBYTES_BYTES:
|
|
xt_xlate_add(xl, "bytes ");
|
|
break;
|
|
case XT_CONNBYTES_AVGPKT:
|
|
xt_xlate_add(xl, "avgpkt ");
|
|
break;
|
|
default:
|
|
return 0;
|
|
}
|
|
|
|
if (info->count.from > info->count.to) {
|
|
invert = true;
|
|
from = info->count.to;
|
|
to = info->count.from;
|
|
} else {
|
|
to = info->count.to;
|
|
from = info->count.from;
|
|
}
|
|
|
|
if (from == to)
|
|
xt_xlate_add(xl, "%llu", from);
|
|
else if (to == UINT64_MAX)
|
|
xt_xlate_add(xl, "%s %llu", invert ? "lt" : "ge", from);
|
|
else
|
|
xt_xlate_add(xl, "%s%llu-%llu", invert ? "!= " : "", from, to);
|
|
return 1;
|
|
}
|
|
|
|
static struct xtables_match connbytes_match = {
|
|
.family = NFPROTO_UNSPEC,
|
|
.name = "connbytes",
|
|
.version = XTABLES_VERSION,
|
|
.size = XT_ALIGN(sizeof(struct xt_connbytes_info)),
|
|
.userspacesize = XT_ALIGN(sizeof(struct xt_connbytes_info)),
|
|
.help = connbytes_help,
|
|
.print = connbytes_print,
|
|
.save = connbytes_save,
|
|
.x6_parse = connbytes_parse,
|
|
.x6_options = connbytes_opts,
|
|
.xlate = connbytes_xlate,
|
|
};
|
|
|
|
void _init(void)
|
|
{
|
|
xtables_register_match(&connbytes_match);
|
|
}
|