iptables-1.3.2-20050720

[iptables.git] / extensions / libipt_connlimit.c

/* Shared library add-on to iptables to add connection limit support. */
#include <stdio.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <stddef.h>
#include <getopt.h>
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ipt_connlimit.h>

/* Function which prints out usage message. */
static void
help(void)
{
        printf(
"connlimit v%s options:\n"
"[!] --connlimit-above n                match if the number of existing tcp connections is (not) above n\n"
" --connlimit-mask n            group hosts using mask\n"
"\n", IPTABLES_VERSION);
}

static struct option opts[] = {
        { "connlimit-above", 1, 0, '1' },
        { "connlimit-mask",  1, 0, '2' },
        {0}
};

/* Function which parses command options; returns true if it
   ate an option */
static int
parse(int c, char **argv, int invert, unsigned int *flags,
      const struct ipt_entry *entry,
      unsigned int *nfcache,
      struct ipt_entry_match **match)
{
        struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)(*match)->data;
        int i;

        if (0 == (*flags & 2)) {
                /* set default mask unless we've already seen a mask option */
                info->mask = htonl(0xFFFFFFFF);
        }

        switch (c) {
        case '1':
                check_inverse(optarg, &invert, &optind, 0);
                info->limit = atoi(argv[optind-1]);
                info->inverse = invert;
                *flags |= 1;
                break;

        case '2':
                i = atoi(argv[optind-1]);
                if ((i < 0) || (i > 32))
                        exit_error(PARAMETER_PROBLEM,
                                "--connlimit-mask must be between 0 and 32");

                if (i == 0)
                        info->mask = 0;
                else
                        info->mask = htonl(0xFFFFFFFF << (32 - i));
                *flags |= 2;
                break;

        default:
                return 0;
        }

        return 1;
}

/* Final check */
static void final_check(unsigned int flags)
{
        if (!flags & 1)
                exit_error(PARAMETER_PROBLEM, "You must specify `--connlimit-above'");
}

static int
count_bits(u_int32_t mask)
{
        int i, bits;

        for (bits = 0, i = 31; i >= 0; i--) {
                if (mask & htonl((u_int32_t)1 << i)) {
                        bits++;
                        continue;
                }
                break;
        }
        return bits;
}

/* Prints out the matchinfo. */
static void
print(const struct ipt_ip *ip,
      const struct ipt_entry_match *match,
      int numeric)
{
        struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;

        printf("#conn/%d %s %d ", count_bits(info->mask),
               info->inverse ? "<" : ">", info->limit);
}

/* Saves the matchinfo in parsable form to stdout. */
static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
{
        struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;

        printf("%s--connlimit-above %d ",info->inverse ? "! " : "",info->limit);
        printf("--connlimit-mask %d ",count_bits(info->mask));
}

static struct iptables_match connlimit = {
        .name           = "connlimit",
        .version        = IPTABLES_VERSION,
        .size           = IPT_ALIGN(sizeof(struct ipt_connlimit_info)),
        .userspacesize  = offsetof(struct ipt_connlimit_info,data),
        .help           = help,
        .parse          = parse,
        .final_check    = final_check,
        .print          = print,
        .save           = save,
        .extra_opts     = opts
};

void _init(void)
{
        register_match(&connlimit);
}