--- /dev/null
+/* Shared library add-on to iptables to add byte tracking support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <xtables.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/xt_connbytes.h>
+
+/* Function which prints out usage message. */
+static void connbytes_help(void)
+{
+ printf(
+"connbytes match options:\n"
+" [!] --connbytes from:[to]\n"
+" --connbytes-dir [original, reply, both]\n"
+" --connbytes-mode [packets, bytes, avgpkt]\n");
+}
+
+static const struct option connbytes_opts[] = {
+ { "connbytes", 1, NULL, '1' },
+ { "connbytes-dir", 1, NULL, '2' },
+ { "connbytes-mode", 1, NULL, '3' },
+ { .name = NULL }
+};
+
+static void
+parse_range(const char *arg, struct xt_connbytes_info *si)
+{
+ char *colon,*p;
+
+ si->count.from = strtoul(arg,&colon,10);
+ if (*colon != ':')
+ exit_error(PARAMETER_PROBLEM, "Bad range `%s'", arg);
+ si->count.to = strtoul(colon+1,&p,10);
+ if (p == colon+1) {
+ /* second number omited */
+ si->count.to = 0xffffffff;
+ }
+ if (si->count.from > si->count.to)
+ exit_error(PARAMETER_PROBLEM, "%llu should be less than %llu",
+ (unsigned long long)si->count.from,
+ (unsigned long long)si->count.to);
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+connbytes_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_connbytes_info *sinfo = (struct xt_connbytes_info *)(*match)->data;
+ unsigned long i;
+
+ switch (c) {
+ case '1':
+ if (check_inverse(optarg, &invert, &optind, 0))
+ optind++;
+
+ parse_range(argv[optind-1], sinfo);
+ if (invert) {
+ i = sinfo->count.from;
+ sinfo->count.from = sinfo->count.to;
+ sinfo->count.to = i;
+ }
+ *flags |= 1;
+ break;
+ case '2':
+ if (!strcmp(optarg, "original"))
+ sinfo->direction = XT_CONNBYTES_DIR_ORIGINAL;
+ else if (!strcmp(optarg, "reply"))
+ sinfo->direction = XT_CONNBYTES_DIR_REPLY;
+ else if (!strcmp(optarg, "both"))
+ sinfo->direction = XT_CONNBYTES_DIR_BOTH;
+ else
+ exit_error(PARAMETER_PROBLEM,
+ "Unknown --connbytes-dir `%s'", optarg);
+
+ *flags |= 2;
+ break;
+ case '3':
+ if (!strcmp(optarg, "packets"))
+ sinfo->what = XT_CONNBYTES_PKTS;
+ else if (!strcmp(optarg, "bytes"))
+ sinfo->what = XT_CONNBYTES_BYTES;
+ else if (!strcmp(optarg, "avgpkt"))
+ sinfo->what = XT_CONNBYTES_AVGPKT;
+ else
+ exit_error(PARAMETER_PROBLEM,
+ "Unknown --connbytes-mode `%s'", optarg);
+ *flags |= 4;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void connbytes_check(unsigned int flags)
+{
+ if (flags != 7)
+ exit_error(PARAMETER_PROBLEM, "You must specify `--connbytes'"
+ "`--connbytes-dir' and `--connbytes-mode'");
+}
+
+static void print_mode(struct xt_connbytes_info *sinfo)
+{
+ switch (sinfo->what) {
+ case XT_CONNBYTES_PKTS:
+ fputs("packets ", stdout);
+ break;
+ case XT_CONNBYTES_BYTES:
+ fputs("bytes ", stdout);
+ break;
+ case XT_CONNBYTES_AVGPKT:
+ fputs("avgpkt ", stdout);
+ break;
+ default:
+ fputs("unknown ", stdout);
+ break;
+ }
+}
+
+static void print_direction(struct xt_connbytes_info *sinfo)
+{
+ switch (sinfo->direction) {
+ case XT_CONNBYTES_DIR_ORIGINAL:
+ fputs("original ", stdout);
+ break;
+ case XT_CONNBYTES_DIR_REPLY:
+ fputs("reply ", stdout);
+ break;
+ case XT_CONNBYTES_DIR_BOTH:
+ fputs("both ", stdout);
+ break;
+ default:
+ fputs("unknown ", stdout);
+ break;
+ }
+}
+
+/* Prints out the matchinfo. */
+static void
+connbytes_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ struct xt_connbytes_info *sinfo = (struct xt_connbytes_info *)match->data;
+
+ if (sinfo->count.from > sinfo->count.to)
+ printf("connbytes ! %llu:%llu ",
+ (unsigned long long)sinfo->count.to,
+ (unsigned long long)sinfo->count.from);
+ else
+ printf("connbytes %llu:%llu ",
+ (unsigned long long)sinfo->count.from,
+ (unsigned long long)sinfo->count.to);
+
+ fputs("connbytes mode ", stdout);
+ print_mode(sinfo);
+
+ fputs("connbytes direction ", stdout);
+ print_direction(sinfo);
+}
+
+/* Saves the matchinfo in parsable form to stdout. */
+static void connbytes_save(const void *ip, const struct xt_entry_match *match)
+{
+ struct xt_connbytes_info *sinfo = (struct xt_connbytes_info *)match->data;
+
+ if (sinfo->count.from > sinfo->count.to)
+ printf("! --connbytes %llu:%llu ",
+ (unsigned long long)sinfo->count.to,
+ (unsigned long long)sinfo->count.from);
+ else
+ printf("--connbytes %llu:%llu ",
+ (unsigned long long)sinfo->count.from,
+ (unsigned long long)sinfo->count.to);
+
+ fputs("--connbytes-mode ", stdout);
+ print_mode(sinfo);
+
+ fputs("--connbytes-dir ", stdout);
+ print_direction(sinfo);
+}
+
+static struct xtables_match connbytes_match = {
+ .family = AF_INET,
+ .name = "connbytes",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_connbytes_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connbytes_info)),
+ .help = connbytes_help,
+ .parse = connbytes_parse,
+ .final_check = connbytes_check,
+ .print = connbytes_print,
+ .save = connbytes_save,
+ .extra_opts = connbytes_opts,
+};
+
+static struct xtables_match connbytes_match6 = {
+ .family = AF_INET6,
+ .name = "connbytes",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_connbytes_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connbytes_info)),
+ .help = connbytes_help,
+ .parse = connbytes_parse,
+ .final_check = connbytes_check,
+ .print = connbytes_print,
+ .save = connbytes_save,
+ .extra_opts = connbytes_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&connbytes_match);
+ xtables_register_match(&connbytes_match6);
+}