[NETFILTER]: x_tables: add quota match

#ifndef _XT_QUOTA_H

#define _XT_QUOTA_H

enum xt_quota_flags {

	XT_QUOTA_INVERT		= 0x1,

};

#define XT_QUOTA_MASK		0x1

struct xt_quota_info {

	u_int32_t		flags;

	u_int32_t		pad;

	aligned_u64		quota;

	struct xt_quota_info	*master;

};

#endif /* _XT_QUOTA_H */

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA

	tristate '"quota" match support'

	depends on NETFILTER_XTABLES

	help

	  This option adds a `quota' match, which allows to match on a

	  byte counter.

	  If you want to compile it as a module, say M here and read

	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_REALM

	tristate  '"realm" match support'

	depends on NETFILTER_XTABLES

obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o

obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o

obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o

obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o

obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o

obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o

obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o

/*

 * netfilter module to enforce network quotas

 *

 * Sam Johnston <samj@samj.net>

 */

#include <linux/skbuff.h>

#include <linux/spinlock.h>

#include <linux/netfilter/x_tables.h>

#include <linux/netfilter/xt_quota.h>

MODULE_LICENSE("GPL");

MODULE_AUTHOR("Sam Johnston <samj@samj.net>");

static DEFINE_SPINLOCK(quota_lock);

static int

match(const struct sk_buff *skb,

      const struct net_device *in, const struct net_device *out,

      const struct xt_match *match, const void *matchinfo,

      int offset, unsigned int protoff, int *hotdrop)

{

	struct xt_quota_info *q = ((struct xt_quota_info *)matchinfo)->master;

	int ret = q->flags & XT_QUOTA_INVERT ? 1 : 0;

	spin_lock_bh(&quota_lock);

	if (q->quota >= skb->len) {

		q->quota -= skb->len;

		ret ^= 1;

	} else {

	        /* we do not allow even small packets from now on */

	        q->quota = 0;

	}

	spin_unlock_bh(&quota_lock);

	return ret;

}

static int

checkentry(const char *tablename, const void *entry,

	   const struct xt_match *match, void *matchinfo,

	   unsigned int matchsize, unsigned int hook_mask)

{

	struct xt_quota_info *q = (struct xt_quota_info *)matchinfo;

	if (q->flags & ~XT_QUOTA_MASK)

		return 0;

	/* For SMP, we only want to use one set of counters. */

	q->master = q;

	return 1;

}

static struct xt_match quota_match = {

	.name		= "quota",

	.family		= AF_INET,

	.match		= match,

	.matchsize	= sizeof(struct xt_quota_info),

	.checkentry	= checkentry,

	.me		= THIS_MODULE

};

static struct xt_match quota_match6 = {

	.name		= "quota",

	.family		= AF_INET6,

	.match		= match,

	.matchsize	= sizeof(struct xt_quota_info),

	.checkentry	= checkentry,

	.me		= THIS_MODULE

};

static int __init xt_quota_init(void)

{

	int ret;

	ret = xt_register_match(&quota_match);

	if (ret)

		goto err1;

	ret = xt_register_match(&quota_match6);

	if (ret)

		goto err2;

	return ret;

err2:

	xt_unregister_match(&quota_match);

err1:

	return ret;

}

static void __exit xt_quota_fini(void)

{

	xt_unregister_match(&quota_match6);

	xt_unregister_match(&quota_match);

}

module_init(xt_quota_init);

module_exit(xt_quota_fini);