1 diff -ruN linux-2.4.30-old/Documentation/Configure.help linux-2.4.30-new/Documentation/Configure.help
2 --- linux-2.4.30-old/Documentation/Configure.help 2005-11-13 22:30:42.000000000 +0100
3 +++ linux-2.4.30-new/Documentation/Configure.help 2005-11-13 22:31:17.000000000 +0100
5 If you want to compile it as a module, say M here and read
6 <file:Documentation/modules.txt>. If unsure, say `N'.
9 +CONFIG_IP_NF_MATCH_QUOTA
10 + This match implements network quotas.
12 + If you want to compile it as a module, say M here and read
13 + Documentation/modules.txt. If unsure, say `N'.
15 skb->pkt_type packet match support
16 CONFIG_IP_NF_MATCH_PKTTYPE
17 This patch allows you to match packet in accrodance
18 diff -ruN linux-2.4.30-old/include/linux/netfilter_ipv4/ipt_quota.h linux-2.4.30-new/include/linux/netfilter_ipv4/ipt_quota.h
19 --- linux-2.4.30-old/include/linux/netfilter_ipv4/ipt_quota.h 1970-01-01 01:00:00.000000000 +0100
20 +++ linux-2.4.30-new/include/linux/netfilter_ipv4/ipt_quota.h 2005-11-13 22:31:17.000000000 +0100
25 +/* print debug info in both kernel/netfilter module & iptable library */
26 +//#define DEBUG_IPT_QUOTA
28 +struct ipt_quota_info {
30 + struct ipt_quota_info *master;
33 +#endif /*_IPT_QUOTA_H*/
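Review bot: `struct ipt_quota_info *master;` places a kernel pointer in a match-info structure that, going by the comment above `DEBUG_IPT_QUOTA`, is also compiled into the iptables userspace library. The structure's size and layout then depend on pointer width, so a 32-bit iptables binary on a 64-bit kernel would presumably fail the `matchsize != IPT_ALIGN(sizeof (struct ipt_quota_info))` test in `checkentry`. The stored kernel address is also likely to be copied back to userspace whenever the ruleset is read. I would at least document the field as kernel-private, e.g. `/* kernel-internal: written by checkentry, ignored on input, never interpreted by userspace */`. Some lines of this header are missing from the listing, so this is based on the visible members only.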
34 diff -ruN linux-2.4.30-old/net/ipv4/netfilter/Config.in linux-2.4.30-new/net/ipv4/netfilter/Config.in
35 --- linux-2.4.30-old/net/ipv4/netfilter/Config.in 2005-11-13 22:30:42.000000000 +0100
36 +++ linux-2.4.30-new/net/ipv4/netfilter/Config.in 2005-11-13 22:31:17.000000000 +0100
38 if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
40 dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES
41 + dep_tristate ' quota match support' CONFIG_IP_NF_MATCH_QUOTA $CONFIG_IP_NF_IPTABLES
43 dep_tristate ' IP set support' CONFIG_IP_NF_SET $CONFIG_IP_NF_IPTABLES
44 if [ "$CONFIG_IP_NF_SET" != "n" ]; then
45 diff -ruN linux-2.4.30-old/net/ipv4/netfilter/Makefile linux-2.4.30-new/net/ipv4/netfilter/Makefile
46 --- linux-2.4.30-old/net/ipv4/netfilter/Makefile 2005-11-13 22:30:42.000000000 +0100
47 +++ linux-2.4.30-new/net/ipv4/netfilter/Makefile 2005-11-13 22:31:17.000000000 +0100
50 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
51 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
52 +obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o
53 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
54 obj-$(CONFIG_IP_NF_MATCH_SET) += ipt_set.o
55 obj-$(CONFIG_IP_NF_TARGET_SET) += ipt_SET.o
56 diff -ruN linux-2.4.30-old/net/ipv4/netfilter/ipt_quota.c linux-2.4.30-new/net/ipv4/netfilter/ipt_quota.c
57 --- linux-2.4.30-old/net/ipv4/netfilter/ipt_quota.c 1970-01-01 01:00:00.000000000 +0100
58 +++ linux-2.4.30-new/net/ipv4/netfilter/ipt_quota.c 2005-11-13 22:31:17.000000000 +0100
61 + * netfilter module to enforce network quotas
63 + * Sam Johnston <samj@samj.net>
65 + * 30/01/05: Fixed on SMP --Pablo Neira <pablo@eurodev.net>
67 +#include <linux/module.h>
68 +#include <linux/skbuff.h>
69 +#include <linux/spinlock.h>
70 +#include <linux/interrupt.h>
72 +#include <linux/netfilter_ipv4/ip_tables.h>
73 +#include <linux/netfilter_ipv4/ipt_quota.h>
75 +MODULE_LICENSE("GPL");
77 +static spinlock_t quota_lock = SPIN_LOCK_UNLOCKED;
80 +match(const struct sk_buff *skb,
81 + const struct net_device *in,
82 + const struct net_device *out,
83 + const void *matchinfo,
84 + int offset, const void *hdr, u_int16_t datalen, int *hotdrop)
86 + struct ipt_quota_info *q =
87 + ((struct ipt_quota_info *) matchinfo)->master;
89 + spin_lock_bh("a_lock);
91 + if (q->quota >= datalen) {
92 + /* we can afford this one */
93 + q->quota -= datalen;
94 + spin_unlock_bh("a_lock);
96 +#ifdef DEBUG_IPT_QUOTA
97 + printk("IPT Quota OK: %llu datlen %d \n", q->quota, datalen);
102 + /* so we do not allow even small packets from now on */
105 +#ifdef DEBUG_IPT_QUOTA
106 + printk("IPT Quota Failed: %llu datlen %d \n", q->quota, datalen);
109 + spin_unlock_bh("a_lock);
114 +checkentry(const char *tablename,
115 + const struct ipt_ip *ip,
116 + void *matchinfo, unsigned int matchsize, unsigned int hook_mask)
118 + /* TODO: spinlocks? sanity checks? */
119 + struct ipt_quota_info *q = (struct ipt_quota_info *) matchinfo;
121 + if (matchsize != IPT_ALIGN(sizeof (struct ipt_quota_info)))
124 + /* For SMP, we only want to use one set of counters. */
130 +static struct ipt_match quota_match
131 + = { {NULL, NULL}, "quota", &match, &checkentry, NULL, THIS_MODULE };
136 + return ipt_register_match("a_match);
142 + ipt_unregister_match("a_match);
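Review bot: `match()` follows `((struct ipt_quota_info *) matchinfo)->master` on every packet, so the only guard on that pointer is `checkentry()`, which still carries `/* TODO: spinlocks? sanity checks? */`. The line that sets `master` is not visible in this listing; unless it is an unconditional `q->master = q;` placed after the `matchsize` check, a value supplied from userspace would be dereferenced in the packet path. I would replace the TODO with a comment that states the invariant, e.g. `/* master is always overwritten here; the value passed in from userspace is never trusted */`. Separately, under `DEBUG_IPT_QUOTA` the "Quota OK" `printk` reads `q->quota` after `spin_unlock_bh()`, so it can log a value another CPU has already changed. Copying the remaining quota into a local while the lock is held would avoid that.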