1 Index: linux-2.4.35.4/Documentation/Configure.help
2 ===================================================================
3 --- linux-2.4.35.4.orig/Documentation/Configure.help 2007-12-15 05:20:09.280369103 +0100
4 +++ linux-2.4.35.4/Documentation/Configure.help 2007-12-15 05:20:09.632389161 +0100
6 If you want to compile it as a module, say M here and read
7 <file:Documentation/modules.txt>. If unsure, say `N'.
10 +CONFIG_IP_NF_MATCH_QUOTA
11 + This match implements network quotas.
13 + If you want to compile it as a module, say M here and read
14 + Documentation/modules.txt. If unsure, say `N'.
16 skb->pkt_type packet match support
17 CONFIG_IP_NF_MATCH_PKTTYPE
18 This patch allows you to match packet in accrodance
19 Index: linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_quota.h
20 ===================================================================
21 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
22 +++ linux-2.4.35.4/include/linux/netfilter_ipv4/ipt_quota.h 2007-12-15 05:20:09.636389390 +0100
27 +/* print debug info in both kernel/netfilter module & iptable library */
28 +//#define DEBUG_IPT_QUOTA
30 +struct ipt_quota_info {
32 + struct ipt_quota_info *master;
35 +#endif /*_IPT_QUOTA_H*/
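Review bot: `struct ipt_quota_info` places a kernel pointer, `struct ipt_quota_info *master`, inside the matchinfo blob that is shared with the iptables userspace library, and match() in net/ipv4/netfilter/ipt_quota.c dereferences it for every packet. The field has to be treated as kernel-owned: checkentry must overwrite it unconditionally before the rule goes live, and a value supplied by userspace must never be trusted. That assignment is not visible in this view; only the "For SMP" comment is. A pointer member also makes the structure size differ between a 32-bit userland and a 64-bit kernel, and presumably hands a kernel address back when the ruleset is read out. At minimum document it on the field, e.g. `/* kernel-internal: set by checkentry, never trusted from or interpreted by userspace */`.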
36 Index: linux-2.4.35.4/net/ipv4/netfilter/Config.in
37 ===================================================================
38 --- linux-2.4.35.4.orig/net/ipv4/netfilter/Config.in 2007-12-15 05:20:09.300370243 +0100
39 +++ linux-2.4.35.4/net/ipv4/netfilter/Config.in 2007-12-15 05:20:09.644389846 +0100
41 if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
43 dep_tristate ' limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES
44 + dep_tristate ' quota match support' CONFIG_IP_NF_MATCH_QUOTA $CONFIG_IP_NF_IPTABLES
46 dep_tristate ' IP set support' CONFIG_IP_NF_SET $CONFIG_IP_NF_IPTABLES
47 if [ "$CONFIG_IP_NF_SET" != "n" ]; then
48 Index: linux-2.4.35.4/net/ipv4/netfilter/Makefile
49 ===================================================================
50 --- linux-2.4.35.4.orig/net/ipv4/netfilter/Makefile 2007-12-15 05:20:09.300370243 +0100
51 +++ linux-2.4.35.4/net/ipv4/netfilter/Makefile 2007-12-15 05:20:09.644389846 +0100
54 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
55 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
56 +obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o
57 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
58 obj-$(CONFIG_IP_NF_MATCH_SET) += ipt_set.o
59 obj-$(CONFIG_IP_NF_TARGET_SET) += ipt_SET.o
60 Index: linux-2.4.35.4/net/ipv4/netfilter/ipt_quota.c
61 ===================================================================
62 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
63 +++ linux-2.4.35.4/net/ipv4/netfilter/ipt_quota.c 2007-12-15 05:20:09.644389846 +0100
66 + * netfilter module to enforce network quotas
68 + * Sam Johnston <samj@samj.net>
70 + * 30/01/05: Fixed on SMP --Pablo Neira <pablo@eurodev.net>
72 +#include <linux/module.h>
73 +#include <linux/skbuff.h>
74 +#include <linux/spinlock.h>
75 +#include <linux/interrupt.h>
77 +#include <linux/netfilter_ipv4/ip_tables.h>
78 +#include <linux/netfilter_ipv4/ipt_quota.h>
80 +MODULE_LICENSE("GPL");
82 +static spinlock_t quota_lock = SPIN_LOCK_UNLOCKED;
85 +match(const struct sk_buff *skb,
86 + const struct net_device *in,
87 + const struct net_device *out,
88 + const void *matchinfo,
89 + int offset, const void *hdr, u_int16_t datalen, int *hotdrop)
91 + struct ipt_quota_info *q =
92 + ((struct ipt_quota_info *) matchinfo)->master;
94 + spin_lock_bh("a_lock);
96 + if (q->quota >= datalen) {
97 + /* we can afford this one */
98 + q->quota -= datalen;
99 + spin_unlock_bh("a_lock);
101 +#ifdef DEBUG_IPT_QUOTA
102 + printk("IPT Quota OK: %llu datlen %d \n", q->quota, datalen);
107 + /* so we do not allow even small packets from now on */
110 +#ifdef DEBUG_IPT_QUOTA
111 + printk("IPT Quota Failed: %llu datlen %d \n", q->quota, datalen);
114 + spin_unlock_bh("a_lock);
119 +checkentry(const char *tablename,
120 + const struct ipt_ip *ip,
121 + void *matchinfo, unsigned int matchsize, unsigned int hook_mask)
123 + /* TODO: spinlocks? sanity checks? */
124 + struct ipt_quota_info *q = (struct ipt_quota_info *) matchinfo;
126 + if (matchsize != IPT_ALIGN(sizeof (struct ipt_quota_info)))
129 + /* For SMP, we only want to use one set of counters. */
135 +static struct ipt_match quota_match
136 + = { {NULL, NULL}, "quota", &match, &checkentry, NULL, THIS_MODULE };
141 + return ipt_register_match("a_match);
147 + ipt_unregister_match("a_match);
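Review bot: In match() the success-branch debug `printk` sits after `spin_unlock_bh(&quota_lock)` and reads `q->quota` without the lock, so on SMP it can log a value another CPU has already changed; the failure branch prints before unlocking. Move the `#ifdef DEBUG_IPT_QUOTA` block above the unlock, or copy the remaining quota into a local while the lock is held. If `quota` is a `u_int64_t` (its declaration is not visible here), `%llu` needs an explicit cast, `(unsigned long long) q->quota`, on architectures where that type is `unsigned long`. checkentry still carries `/* TODO: spinlocks? sanity checks? */` and the only validation visible is the `matchsize` comparison, so the TODO should be resolved or replaced by a comment stating what is actually guaranteed. Both function bodies are only partly visible in this view.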