netfilter: xtables: add nfacct match to support extended accounting

This patch adds the match that allows to perform extended accounting. It requires the new nfnetlink_acct infrastructure. # iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic # iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2011-12-23 08:28:59 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2011-12-24 20:43:17 -0500
commit: ceb98d03eac5704820f2ac1f370c9ff385e3a9f5 (patch)
tree: ae01b67bc105d3d8039b9dd53b893215407866c2
parent: 9413902796f56f6209e19dd54e840ed46950612c (diff)
5 files changed, 101 insertions, 0 deletions
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 6785246e6e62..e630a2ed4f18 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -23,6 +23,7 @@ header-y += xt_DSCP.h
 header-y += xt_IDLETIMER.h
 header-y += xt_LED.h
 header-y += xt_MARK.h
+header-y += xt_nfacct.h
 header-y += xt_NFLOG.h
 header-y += xt_NFQUEUE.h
 header-y += xt_RATEEST.h
diff --git a/include/linux/netfilter/xt_nfacct.h b/include/linux/netfilter/xt_nfacct.h
new file mode 100644
index 000000000000..3e19c8a86576
--- /dev/null
+++ b/include/linux/netfilter/xt_nfacct.h
@@ -0,0 +1,13 @@
+#ifndef _XT_NFACCT_MATCH_H
+#define _XT_NFACCT_MATCH_H
+#include <linux/netfilter/nfnetlink_acct.h>
+struct nf_acct;
+struct xt_nfacct_match_info {
+        char            name[NFACCT_NAME_MAX];
+        struct nf_acct  *nfacct;
+};
+#endif /* _XT_NFACCT_MATCH_H */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 77326acd1f57..bac93ba60778 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -887,6 +887,16 @@ config NETFILTER_XT_MATCH_MULTIPORT
          To compile it as a module, choose M here.  If unsure, say N.
+config NETFILTER_XT_MATCH_NFACCT
+        tristate '"nfacct" match support'
+        default m if NETFILTER_ADVANCED=n
+        select NETFILTER_NETLINK_ACCT
+        help
+          This option allows you to use the extended accounting through
+          nfnetlink_acct.
+          To compile it as a module, choose M here.  If unsure, say N.
 config NETFILTER_XT_MATCH_OSF
        tristate '"osf" Passive OS fingerprint match'
        depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 4da1c879644f..b2eee4df8168 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -91,6 +91,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_NFACCT) += xt_nfacct.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
new file mode 100644
index 000000000000..b3be0ef21f19
--- /dev/null
+++ b/net/netfilter/xt_nfacct.c
@@ -0,0 +1,76 @@
+/*
+ * (C) 2011 Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2011 Intra2net AG <http://www.intra2net.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 (or any
+ * later at your option) as published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/nfnetlink_acct.h>
+#include <linux/netfilter/xt_nfacct.h>
+MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+MODULE_DESCRIPTION("Xtables: match for the extended accounting infrastructure");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_nfacct");
+MODULE_ALIAS("ip6t_nfacct");
+static bool nfacct_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+        const struct xt_nfacct_match_info *info = par->targinfo;
+        nfnl_acct_update(skb, info->nfacct);
+        return true;
+}
+static int
+nfacct_mt_checkentry(const struct xt_mtchk_param *par)
+{
+        struct xt_nfacct_match_info *info = par->matchinfo;
+        struct nf_acct *nfacct;
+        nfacct = nfnl_acct_find_get(info->name);
+        if (nfacct == NULL) {
+                pr_info("xt_nfacct: accounting object with name `%s' "
+                        "does not exists\n", info->name);
+                return -ENOENT;
+        }
+        info->nfacct = nfacct;
+        return 0;
+}
+static void
+nfacct_mt_destroy(const struct xt_mtdtor_param *par)
+{
+        const struct xt_nfacct_match_info *info = par->matchinfo;
+        nfnl_acct_put(info->nfacct);
+}
+static struct xt_match nfacct_mt_reg __read_mostly = {
+        .name       = "nfacct",
+        .family     = NFPROTO_UNSPEC,
+        .checkentry = nfacct_mt_checkentry,
+        .match      = nfacct_mt,
+        .destroy    = nfacct_mt_destroy,
+        .matchsize  = sizeof(struct xt_nfacct_match_info),
+        .me         = THIS_MODULE,
+};
+static int __init nfacct_mt_init(void)
+{
+        return xt_register_match(&nfacct_mt_reg);
+}
+static void __exit nfacct_mt_exit(void)
+{
+        xt_unregister_match(&nfacct_mt_reg);
+}
+module_init(nfacct_mt_init);
+module_exit(nfacct_mt_exit);
author	Pablo Neira Ayuso <pablo@netfilter.org>	2011-12-23 08:28:59 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2011-12-24 20:43:17 -0500
commit	ceb98d03eac5704820f2ac1f370c9ff385e3a9f5 (patch)
tree	ae01b67bc105d3d8039b9dd53b893215407866c2
parent	9413902796f56f6209e19dd54e840ed46950612c (diff)

diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild index 6785246e6e62..e630a2ed4f18 100644 --- a/include/linux/netfilter/Kbuild +++ b/include/linux/netfilter/Kbuild
@@ -23,6 +23,7 @@ header-y += xt_DSCP.h
23	header-y += xt_IDLETIMER.h	23	header-y += xt_IDLETIMER.h
24	header-y += xt_LED.h	24	header-y += xt_LED.h
25	header-y += xt_MARK.h	25	header-y += xt_MARK.h
		26	header-y += xt_nfacct.h
26	header-y += xt_NFLOG.h	27	header-y += xt_NFLOG.h
27	header-y += xt_NFQUEUE.h	28	header-y += xt_NFQUEUE.h
28	header-y += xt_RATEEST.h	29	header-y += xt_RATEEST.h


diff --git a/include/linux/netfilter/xt_nfacct.h b/include/linux/netfilter/xt_nfacct.h new file mode 100644 index 000000000000..3e19c8a86576 --- /dev/null +++ b/include/linux/netfilter/xt_nfacct.h
@@ -0,0 +1,13 @@
		1	#ifndef _XT_NFACCT_MATCH_H
		2	#define _XT_NFACCT_MATCH_H
		3
		4	#include <linux/netfilter/nfnetlink_acct.h>
		5
		6	struct nf_acct;
		7
		8	struct xt_nfacct_match_info {
		9	char name[NFACCT_NAME_MAX];
		10	struct nf_acct *nfacct;
		11	};
		12
		13	#endif /* _XT_NFACCT_MATCH_H */


diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 77326acd1f57..bac93ba60778 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -887,6 +887,16 @@ config NETFILTER_XT_MATCH_MULTIPORT
887		887
888	To compile it as a module, choose M here. If unsure, say N.	888	To compile it as a module, choose M here. If unsure, say N.
889		889
		890	config NETFILTER_XT_MATCH_NFACCT
		891	tristate '"nfacct" match support'
		892	default m if NETFILTER_ADVANCED=n
		893	select NETFILTER_NETLINK_ACCT
		894	help
		895	This option allows you to use the extended accounting through
		896	nfnetlink_acct.
		897
		898	To compile it as a module, choose M here. If unsure, say N.
		899
890	config NETFILTER_XT_MATCH_OSF	900	config NETFILTER_XT_MATCH_OSF
891	tristate '"osf" Passive OS fingerprint match'	901	tristate '"osf" Passive OS fingerprint match'
892	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK	902	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 4da1c879644f..b2eee4df8168 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -91,6 +91,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
91	obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o	91	obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
92	obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o	92	obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
93	obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o	93	obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
		94	obj-$(CONFIG_NETFILTER_XT_MATCH_NFACCT) += xt_nfacct.o
94	obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o	95	obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o
95	obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o	96	obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
96	obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o	97	obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o


diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c new file mode 100644 index 000000000000..b3be0ef21f19 --- /dev/null +++ b/net/netfilter/xt_nfacct.c
@@ -0,0 +1,76 @@
		1	/*
		2	* (C) 2011 Pablo Neira Ayuso <pablo@netfilter.org>
		3	* (C) 2011 Intra2net AG <http://www.intra2net.com>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License version 2 (or any
		7	* later at your option) as published by the Free Software Foundation.
		8	*/
		9	#include <linux/module.h>
		10	#include <linux/skbuff.h>
		11
		12	#include <linux/netfilter/x_tables.h>
		13	#include <linux/netfilter/nfnetlink_acct.h>
		14	#include <linux/netfilter/xt_nfacct.h>
		15
		16	MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
		17	MODULE_DESCRIPTION("Xtables: match for the extended accounting infrastructure");
		18	MODULE_LICENSE("GPL");
		19	MODULE_ALIAS("ipt_nfacct");
		20	MODULE_ALIAS("ip6t_nfacct");
		21
		22	static bool nfacct_mt(const struct sk_buff skb, struct xt_action_param par)
		23	{
		24	const struct xt_nfacct_match_info *info = par->targinfo;
		25
		26	nfnl_acct_update(skb, info->nfacct);
		27
		28	return true;
		29	}
		30
		31	static int
		32	nfacct_mt_checkentry(const struct xt_mtchk_param *par)
		33	{
		34	struct xt_nfacct_match_info *info = par->matchinfo;
		35	struct nf_acct *nfacct;
		36
		37	nfacct = nfnl_acct_find_get(info->name);
		38	if (nfacct == NULL) {
		39	pr_info("xt_nfacct: accounting object with name `%s' "
		40	"does not exists\n", info->name);
		41	return -ENOENT;
		42	}
		43	info->nfacct = nfacct;
		44	return 0;
		45	}
		46
		47	static void
		48	nfacct_mt_destroy(const struct xt_mtdtor_param *par)
		49	{
		50	const struct xt_nfacct_match_info *info = par->matchinfo;
		51
		52	nfnl_acct_put(info->nfacct);
		53	}
		54
		55	static struct xt_match nfacct_mt_reg __read_mostly = {
		56	.name = "nfacct",
		57	.family = NFPROTO_UNSPEC,
		58	.checkentry = nfacct_mt_checkentry,
		59	.match = nfacct_mt,
		60	.destroy = nfacct_mt_destroy,
		61	.matchsize = sizeof(struct xt_nfacct_match_info),
		62	.me = THIS_MODULE,
		63	};
		64
		65	static int __init nfacct_mt_init(void)
		66	{
		67	return xt_register_match(&nfacct_mt_reg);
		68	}
		69
		70	static void __exit nfacct_mt_exit(void)
		71	{
		72	xt_unregister_match(&nfacct_mt_reg);
		73	}
		74
		75	module_init(nfacct_mt_init);
		76	module_exit(nfacct_mt_exit);