conntrack flush module


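--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -99,6 +99,12 @@
 To compile it as a module, choose M here. If unsure, say Y.
+config IP_NF_CT_FLUSH
+ tristate "Conntrack userspace flush"
+ depends on IP_NF_CONNTRACK
+ help
+ To compile it as a module, choose M here. If unsure, say N.
+
 config IP_NF_QUEUE
 tristate "Userspace queueing via NETLINK"
 help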
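--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -88,3 +88,5 @@
 obj-$(CONFIG_IP_NF_ARPFILTER) += arptable_filter.o
 obj-$(CONFIG_IP_NF_QUEUE) += ip_queue.o
+
+obj-$(CONFIG_IP_NF_CT_FLUSH) += ct_flush.o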
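--- a/net/ipv4/netfilter/ct_flush.c
+++ b/net/ipv4/netfilter/ct_flush.c
@@ -0,0 +1,118 @@
+#include <linux/config.h>
+#include <linux/types.h>
+#include <linux/ip.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/module.h>
+#include <net/checksum.h>
+#include <net/ip.h>
+#include <linux/fs.h>
+#include <linux/miscdevice.h>
+
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_core.h>
+
+#include "ct_flush.h"
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Olaf Rempel <razzor@kopf-tisch.de>");
+MODULE_DESCRIPTION("connection tracking flush module");
+
+//#define DEBUG
+
+static int ct_flush_match_real(struct ip_conntrack_tuple *tp, struct search_pattern *pat) {
+ /* compare proto only if one is given */
+ if (pat->proto != 0 && tp->dst.protonum != pat->proto)
+ return 0;
+
+ /* compare src-ip */
+ if ((tp->src.ip ^ pat->src.ip) & pat->src.mask)
+ return 0;
+
+ /* compare dst-ip */
+ if ((tp->dst.ip ^ pat->dst.ip) & pat->dst.mask)
+ return 0;
+
+ /* check ports only if tcp/udp */
+ if (pat->proto != IPPROTO_TCP && pat->proto != IPPROTO_UDP)
+ return 1;
+
+ /* compare src-portrange */
+ if (tp->src.u.all < pat->src.portlo || tp->src.u.all > pat->src.porthi)
+ return 0;
+
+ /* compare dst-portrange */
+ if (tp->dst.u.all < pat->dst.portlo || tp->dst.u.all > pat->dst.porthi)
+ return 0;
+
+ return 1;
+}
+
+static int ct_flush_match(struct ip_conntrack *ct, void *data) {
+ if (ct_flush_match_real(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, data) ||
+ ct_flush_match_real(&ct->tuplehash[IP_CT_DIR_REPLY].tuple, data)) {
+ ((struct search_pattern *)data)->count++;
+ return 1;
+ }
+ return 0;
+}
+
+static int ct_flush_open(struct inode *inode, struct file *file) {
+ return 0;
+}
+
+static int ct_flush_close(struct inode *inode, struct file *file) {
+ return 0;
+}
+
+static int ct_flush_ioctl(struct inode *inode, struct file *file, unsigned int cmd, unsigned long arg) {
+ struct search_pattern pat;
+ int ret = 0;
+
+ switch (cmd) {
+ case IOCTL_CT_FLUSH:
+ if (copy_from_user(&pat, (struct search_pattern *)arg, sizeof(pat)))
+ return -EFAULT;
+
+ ip_ct_iterate_cleanup(ct_flush_match, &pat);
+#ifdef DEBUG
+ printk(KERN_DEBUG "ct_flush: proto: %u src: %u.%u.%u.%u/%u.%u.%u.%u %u:%u dst: %u.%u.%u.%u/%u.%u.%u.%u %u:%u found: %u\n",
+ pat.proto,
+ NIPQUAD(pat.src.ip), NIPQUAD(pat.src.mask), ntohs(pat.src.portlo), ntohs(pat.src.porthi),
+ NIPQUAD(pat.dst.ip), NIPQUAD(pat.dst.mask), ntohs(pat.dst.portlo), ntohs(pat.dst.porthi),
+ pat.count);
+#endif
+ if (copy_to_user((void *)arg, &pat, sizeof(pat)))
+ return -EFAULT;
+ break;
+ }
+ return ret;
+}
+
+static struct file_operations ct_flush_fops =
+{
+ .owner = THIS_MODULE,
+ .llseek = no_llseek,
+ .ioctl = ct_flush_ioctl,
+ .open = ct_flush_open,
+ .release = ct_flush_close,
+};
+
+static struct miscdevice ct_flush_miscdev =
+{
+ .minor = CT_FLUSH_MINOR,
+ .name = "ct_flush",
+ .fops = &ct_flush_fops,
+};
+
+static int __init init(void) {
+ misc_register(&ct_flush_miscdev);
+ return 0;
+}
+
+static void __exit fini(void) {
+ misc_deregister(&ct_flush_miscdev);
+}
+
+module_init(init);
+module_exit(fini);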
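Review bot: ct_flush_ioctl destroys conntrack entries on behalf of any process that can open the misc device, with no capability check, so the only gate on a network-wide teardown is the mode of the device node; add `if (!capable(CAP_NET_ADMIN)) return -EPERM;` before the switch (CAP_NET_ADMIN comes from linux/capability.h). The switch has no default, so an unknown command falls through to `return ret` and reports success; `default: return -ENOTTY;` is the expected contract. init() also discards the return value of misc_register, so a registration failure (for example minor 243 already taken) leaves the module loaded with no device node; `return misc_register(&ct_flush_miscdev);` propagates it. The port-range checks in ct_flush_match_real compare tp->src.u.all and tp->dst.u.all against portlo/porthi with plain `<`/`>`, which only gives correct range semantics if both sides are in host order; the ntohs() calls in the DEBUG printk suggest the pattern ports arrive in network order, in which case any range wider than a single port matches the wrong set — worth confirming and converting both sides with ntohs() before comparing.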
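--- a/net/ipv4/netfilter/ct_flush.h
+++ b/net/ipv4/netfilter/ct_flush.h
@@ -0,0 +1,18 @@
+#ifndef _IP_CT_FLUSH_H
+#define _IP_CT_FLUSH_H
+
+struct search_pattern {
+ struct {
+ u_int32_t ip;
+ u_int32_t mask;
+ u_int16_t portlo;
+ u_int16_t porthi;
+ } src, dst;
+ u_int8_t proto;
+ u_int32_t count;
+};
+
+#define CT_FLUSH_MINOR 243
+#define IOCTL_CT_FLUSH _IOWR('W', 0, struct search_pattern)
+
+#endif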
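Review bot: struct search_pattern is a kernel/userspace ABI shared through IOCTL_CT_FLUSH, but the header does not say what byte order ip, mask, portlo and porthi are expected in, which field is an input and which is an output, or that proto 0 disables the protocol match — all of which the caller has to get right for the match to mean anything. The kernel side compares the fields straight against the conntrack tuple, so a comment above the struct along the lines of `/* ip/mask and port bounds are compared directly against the conntrack tuple (network byte order is what the tuple holds — confirm); proto 0 matches any protocol; count is an output: number of entries matched and destroyed */` would pin the contract down where userspace authors will read it. A one-line note on IOCTL_CT_FLUSH that the operation requires network-admin privilege would belong here too once the ioctl enforces it.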