[deliverable/linux.git] / net / ipv4 / netfilter / ipt_recent.c

/*
 * Copyright (c) 2006 Patrick McHardy <kaber@trash.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * This is a replacement of the old ipt_recent module, which carried the
 * following copyright notice:
 *
 * Author: Stephen Frost <sfrost@snowman.net>
 * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
 */
#include <linux/init.h>
#include <linux/moduleparam.h>
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
#include <linux/string.h>
#include <linux/ctype.h>
#include <linux/list.h>
#include <linux/random.h>
#include <linux/jhash.h>
#include <linux/bitops.h>
#include <linux/skbuff.h>
#include <linux/inet.h>

#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_recent.h>

MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("IP tables recently seen matching module");
MODULE_LICENSE("GPL");

static unsigned int ip_list_tot = 100;
static unsigned int ip_pkt_list_tot = 20;
static unsigned int ip_list_hash_size = 0;
static unsigned int ip_list_perms = 0644;
module_param(ip_list_tot, uint, 0400);
module_param(ip_pkt_list_tot, uint, 0400);
module_param(ip_list_hash_size, uint, 0400);
module_param(ip_list_perms, uint, 0400);
MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP to remember (max. 255)");
MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/ipt_recent/* files");


struct recent_entry {
	struct list_head	list;
	struct list_head	lru_list;
	u_int32_t		addr;
	u_int8_t		ttl;
	u_int8_t		index;
	u_int16_t		nstamps;
	unsigned long		stamps[0];
};

struct recent_table {
	struct list_head	list;
	char			name[IPT_RECENT_NAME_LEN];
#ifdef CONFIG_PROC_FS
	struct proc_dir_entry	*proc;
#endif
	unsigned int		refcnt;
	unsigned int		entries;
	struct list_head	lru_list;
	struct list_head	iphash[0];
};

static LIST_HEAD(tables);
static DEFINE_SPINLOCK(recent_lock);

#ifdef CONFIG_PROC_FS
static struct proc_dir_entry	*proc_dir;
static struct file_operations	recent_fops;
#endif

static u_int32_t hash_rnd;
static int hash_rnd_initted;

static unsigned int recent_entry_hash(u_int32_t addr)
{
	if (!hash_rnd_initted) {
		get_random_bytes(&hash_rnd, 4);
		hash_rnd_initted = 1;
	}
	return jhash_1word(addr, hash_rnd) & (ip_list_hash_size - 1);
}

static struct recent_entry *
recent_entry_lookup(const struct recent_table *table, u_int32_t addr, u_int8_t ttl)
{
	struct recent_entry *e;
	unsigned int h;

	h = recent_entry_hash(addr);
	list_for_each_entry(e, &table->iphash[h], list)
		if (e->addr == addr && (ttl == e->ttl || !ttl || !e->ttl))
			return e;
	return NULL;
}

static void recent_entry_remove(struct recent_table *t, struct recent_entry *e)
{
	list_del(&e->list);
	list_del(&e->lru_list);
	kfree(e);
	t->entries--;
}

static struct recent_entry *
recent_entry_init(struct recent_table *t, u_int32_t addr, u_int8_t ttl)
{
	struct recent_entry *e;

	if (t->entries >= ip_list_tot) {
		e = list_entry(t->lru_list.next, struct recent_entry, lru_list);
		recent_entry_remove(t, e);
	}
	e = kmalloc(sizeof(*e) + sizeof(e->stamps[0]) * ip_pkt_list_tot,
		    GFP_ATOMIC);
	if (e == NULL)
		return NULL;
	e->addr      = addr;
	e->ttl       = ttl;
	e->stamps[0] = jiffies;
	e->nstamps   = 1;
	e->index     = 1;
	list_add_tail(&e->list, &t->iphash[recent_entry_hash(addr)]);
	list_add_tail(&e->lru_list, &t->lru_list);
	t->entries++;
	return e;
}

static void recent_entry_update(struct recent_table *t, struct recent_entry *e)
{
	e->stamps[e->index++] = jiffies;
	if (e->index > e->nstamps)
		e->nstamps = e->index;
	e->index %= ip_pkt_list_tot;
	list_move_tail(&e->lru_list, &t->lru_list);
}

static struct recent_table *recent_table_lookup(const char *name)
{
	struct recent_table *t;

	list_for_each_entry(t, &tables, list)
		if (!strcmp(t->name, name))
			return t;
	return NULL;
}

static void recent_table_flush(struct recent_table *t)
{
	struct recent_entry *e, *next;
	unsigned int i;

	for (i = 0; i < ip_list_hash_size; i++) {
		list_for_each_entry_safe(e, next, &t->iphash[i], list)
			recent_entry_remove(t, e);
	}
}

static int
ipt_recent_match(const struct sk_buff *skb,
		 const struct net_device *in, const struct net_device *out,
		 const struct xt_match *match, const void *matchinfo,
		 int offset, unsigned int protoff, int *hotdrop)
{
	const struct ipt_recent_info *info = matchinfo;
	struct recent_table *t;
	struct recent_entry *e;
	u_int32_t addr;
	u_int8_t ttl;
	int ret = info->invert;

	if (info->side == IPT_RECENT_DEST)
		addr = skb->nh.iph->daddr;
	else
		addr = skb->nh.iph->saddr;

	ttl = skb->nh.iph->ttl;
	/* use TTL as seen before forwarding */
	if (out && !skb->sk)
		ttl++;

	spin_lock_bh(&recent_lock);
	t = recent_table_lookup(info->name);
	e = recent_entry_lookup(t, addr,
				info->check_set & IPT_RECENT_TTL ? ttl : 0);
	if (e == NULL) {
		if (!(info->check_set & IPT_RECENT_SET))
			goto out;
		e = recent_entry_init(t, addr, ttl);
		if (e == NULL)
			*hotdrop = 1;
		ret ^= 1;
		goto out;
	}

	if (info->check_set & IPT_RECENT_SET)
		ret ^= 1;
	else if (info->check_set & IPT_RECENT_REMOVE) {
		recent_entry_remove(t, e);
		ret ^= 1;
	} else if (info->check_set & (IPT_RECENT_CHECK | IPT_RECENT_UPDATE)) {
		unsigned long t = jiffies - info->seconds * HZ;
		unsigned int i, hits = 0;

		for (i = 0; i < e->nstamps; i++) {
			if (info->seconds && time_after(t, e->stamps[i]))
				continue;
			if (++hits >= info->hit_count) {
				ret ^= 1;
				break;
			}
		}
	}

	if (info->check_set & IPT_RECENT_SET ||
	    (info->check_set & IPT_RECENT_UPDATE && ret)) {
		recent_entry_update(t, e);
		e->ttl = ttl;
	}
out:
	spin_unlock_bh(&recent_lock);
	return ret;
}

static int
ipt_recent_checkentry(const char *tablename, const void *ip,
		      const struct xt_match *match, void *matchinfo,
		      unsigned int matchsize, unsigned int hook_mask)
{
	const struct ipt_recent_info *info = matchinfo;
	struct recent_table *t;
	unsigned i;
	int ret = 0;

	if (hweight8(info->check_set &
		     (IPT_RECENT_SET | IPT_RECENT_REMOVE |
		      IPT_RECENT_CHECK | IPT_RECENT_UPDATE)) != 1)
		return 0;
	if ((info->check_set & (IPT_RECENT_SET | IPT_RECENT_REMOVE)) &&
	    (info->seconds || info->hit_count))
		return 0;
	if (info->name[0] == '\0' ||
	    strnlen(info->name, IPT_RECENT_NAME_LEN) == IPT_RECENT_NAME_LEN)
		return 0;

	spin_lock_bh(&recent_lock);
	t = recent_table_lookup(info->name);
	if (t != NULL) {
		t->refcnt++;
		ret = 1;
		goto out;
	}

	t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size,
		    GFP_ATOMIC);
	if (t == NULL)
		goto out;
	strcpy(t->name, info->name);
	INIT_LIST_HEAD(&t->lru_list);
	for (i = 0; i < ip_list_hash_size; i++)
		INIT_LIST_HEAD(&t->iphash[i]);
#ifdef CONFIG_PROC_FS
	t->proc = create_proc_entry(t->name, ip_list_perms, proc_dir);
	if (t->proc == NULL) {
		kfree(t);
		goto out;
	}
	t->proc->proc_fops = &recent_fops;
	t->proc->data      = t;
#endif
	list_add_tail(&t->list, &tables);
	ret = 1;
out:
	spin_unlock_bh(&recent_lock);
	return ret;
}

static void
ipt_recent_destroy(const struct xt_match *match, void *matchinfo,
		   unsigned int matchsize)
{
	const struct ipt_recent_info *info = matchinfo;
	struct recent_table *t;

	spin_lock_bh(&recent_lock);
	t = recent_table_lookup(info->name);
	if (--t->refcnt == 0) {
		list_del(&t->list);
		recent_table_flush(t);
#ifdef CONFIG_PROC_FS
		remove_proc_entry(t->name, proc_dir);
#endif
		kfree(t);
	}
	spin_unlock_bh(&recent_lock);
}

#ifdef CONFIG_PROC_FS
struct recent_iter_state {
	struct recent_table	*table;
	unsigned int		bucket;
};

static void *recent_seq_start(struct seq_file *seq, loff_t *pos)
{
	struct recent_iter_state *st = seq->private;
	struct recent_table *t = st->table;
	struct recent_entry *e;
	loff_t p = *pos;

	spin_lock_bh(&recent_lock);

	for (st->bucket = 0; st->bucket < ip_list_hash_size; st->bucket++) {
		list_for_each_entry(e, &t->iphash[st->bucket], list) {
			if (p-- == 0)
				return e;
		}
	}
	return NULL;
}

static void *recent_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
	struct recent_iter_state *st = seq->private;
	struct recent_table *t = st->table;
	struct recent_entry *e = v;
	struct list_head *head = e->list.next;

	while (head == &t->iphash[st->bucket]) {
		if (++st->bucket >= ip_list_hash_size)
			return NULL;
		head = t->iphash[st->bucket].next;
	}
	(*pos)++;
	return list_entry(head, struct recent_entry, list);
}

static void recent_seq_stop(struct seq_file *s, void *v)
{
	spin_unlock_bh(&recent_lock);
}

static int recent_seq_show(struct seq_file *seq, void *v)
{
	struct recent_entry *e = v;
	unsigned int i;

	i = (e->index - 1) % ip_pkt_list_tot;
	seq_printf(seq, "src=%u.%u.%u.%u ttl: %u last_seen: %lu oldest_pkt: %u",
		   NIPQUAD(e->addr), e->ttl, e->stamps[i], e->index);
	for (i = 0; i < e->nstamps; i++)
		seq_printf(seq, "%s %lu", i ? "," : "", e->stamps[i]);
	seq_printf(seq, "\n");
	return 0;
}

static struct seq_operations recent_seq_ops = {
	.start		= recent_seq_start,
	.next		= recent_seq_next,
	.stop		= recent_seq_stop,
	.show		= recent_seq_show,
};

static int recent_seq_open(struct inode *inode, struct file *file)
{
	struct proc_dir_entry *pde = PDE(inode);
	struct seq_file *seq;
	struct recent_iter_state *st;
	int ret;

	st = kzalloc(sizeof(*st), GFP_KERNEL);
	if (st == NULL)
		return -ENOMEM;
	ret = seq_open(file, &recent_seq_ops);
	if (ret)
		kfree(st);
	st->table    = pde->data;
	seq          = file->private_data;
	seq->private = st;
	return ret;
}

static ssize_t recent_proc_write(struct file *file, const char __user *input,
				 size_t size, loff_t *loff)
{
	struct proc_dir_entry *pde = PDE(file->f_dentry->d_inode);
	struct recent_table *t = pde->data;
	struct recent_entry *e;
	char buf[sizeof("+255.255.255.255")], *c = buf;
	u_int32_t addr;
	int add;

	if (size > sizeof(buf))
		size = sizeof(buf);
	if (copy_from_user(buf, input, size))
		return -EFAULT;
	while (isspace(*c))
		c++;

	if (size - (c - buf) < 5)
		return c - buf;
	if (!strncmp(c, "clear", 5)) {
		c += 5;
		spin_lock_bh(&recent_lock);
		recent_table_flush(t);
		spin_unlock_bh(&recent_lock);
		return c - buf;
	}

	switch (*c) {
	case '-':
		add = 0;
		c++;
		break;
	case '+':
		c++;
	default:
		add = 1;
		break;
	}
	addr = in_aton(c);

	spin_lock_bh(&recent_lock);
	e = recent_entry_lookup(t, addr, 0);
	if (e == NULL) {
		if (add)
			recent_entry_init(t, addr, 0);
	} else {
		if (add)
			recent_entry_update(t, e);
		else
			recent_entry_remove(t, e);
	}
	spin_unlock_bh(&recent_lock);
	return size;
}

static struct file_operations recent_fops = {
	.open		= recent_seq_open,
	.read		= seq_read,
	.write		= recent_proc_write,
	.release	= seq_release_private,
	.owner		= THIS_MODULE,
};
#endif /* CONFIG_PROC_FS */

static struct ipt_match recent_match = {
	.name		= "recent",
	.match		= ipt_recent_match,
	.matchsize	= sizeof(struct ipt_recent_info),
	.checkentry	= ipt_recent_checkentry,
	.destroy	= ipt_recent_destroy,
	.me		= THIS_MODULE,
};

static int __init ipt_recent_init(void)
{
	int err;

	if (!ip_list_tot || !ip_pkt_list_tot || ip_pkt_list_tot > 255)
		return -EINVAL;
	ip_list_hash_size = 1 << fls(ip_list_tot);

	err = ipt_register_match(&recent_match);
#ifdef CONFIG_PROC_FS
	if (err)
		return err;
	proc_dir = proc_mkdir("ipt_recent", proc_net);
	if (proc_dir == NULL) {
		ipt_unregister_match(&recent_match);
		err = -ENOMEM;
	}
#endif
	return err;
}

static void __exit ipt_recent_exit(void)
{
	BUG_ON(!list_empty(&tables));
	ipt_unregister_match(&recent_match);
#ifdef CONFIG_PROC_FS
	remove_proc_entry("ipt_recent", proc_net);
#endif
}

module_init(ipt_recent_init);
module_exit(ipt_recent_exit);
Commit	Line	Data
404bdbfd PM	1	/*
	2	* Copyright (c) 2006 Patrick McHardy <kaber@trash.net>
	3	*
	4	* This program is free software; you can redistribute it and/or modify
	5	* it under the terms of the GNU General Public License version 2 as
	6	* published by the Free Software Foundation.
	7	*
	8	* This is a replacement of the old ipt_recent module, which carried the
	9	* following copyright notice:
	10	*
	11	* Author: Stephen Frost <sfrost@snowman.net>
	12	* Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
	13	*/
	14	#include <linux/init.h>
	15	#include <linux/moduleparam.h>
1da177e4	16	#include <linux/proc_fs.h>
404bdbfd PM	17	#include <linux/seq_file.h>
404bdbfd PM	18	#include <linux/string.h>
1da177e4	19	#include <linux/ctype.h>
404bdbfd PM	20	#include <linux/list.h>
	21	#include <linux/random.h>
	22	#include <linux/jhash.h>
	23	#include <linux/bitops.h>
	24	#include <linux/skbuff.h>
	25	#include <linux/inet.h>
1da177e4 LT	26
	27	#include <linux/netfilter_ipv4/ip_tables.h>
	28	#include <linux/netfilter_ipv4/ipt_recent.h>
	29
404bdbfd PM	30	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
	31	MODULE_DESCRIPTION("IP tables recently seen matching module");
	32	MODULE_LICENSE("GPL");
1da177e4	33
e7be6994 PM	34	static unsigned int ip_list_tot = 100;
	35	static unsigned int ip_pkt_list_tot = 20;
	36	static unsigned int ip_list_hash_size = 0;
	37	static unsigned int ip_list_perms = 0644;
e7be6994 PM	38	module_param(ip_list_tot, uint, 0400);
	39	module_param(ip_pkt_list_tot, uint, 0400);
	40	module_param(ip_list_hash_size, uint, 0400);
	41	module_param(ip_list_perms, uint, 0400);
404bdbfd PM	42	MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
	43	MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP to remember (max. 255)");
	44	MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
	45	MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/ipt_recent/* files");
	46
	47
	48	struct recent_entry {
	49	struct list_head list;
	50	struct list_head lru_list;
	51	u_int32_t addr;
	52	u_int8_t ttl;
	53	u_int8_t index;
	54	u_int16_t nstamps;
	55	unsigned long stamps[0];
1da177e4 LT	56	};
1da177e4 LT	57
404bdbfd PM	58	struct recent_table {
	59	struct list_head list;
	60	char name[IPT_RECENT_NAME_LEN];
1da177e4	61	#ifdef CONFIG_PROC_FS
404bdbfd PM	62	struct proc_dir_entry *proc;
	63	#endif
	64	unsigned int refcnt;
	65	unsigned int entries;
	66	struct list_head lru_list;
	67	struct list_head iphash[0];
1da177e4 LT	68	};
1da177e4 LT	69
404bdbfd	70	static LIST_HEAD(tables);
1da177e4 LT	71	static DEFINE_SPINLOCK(recent_lock);
	72
	73	#ifdef CONFIG_PROC_FS
404bdbfd PM	74	static struct proc_dir_entry *proc_dir;
404bdbfd PM	75	static struct file_operations recent_fops;
1da177e4 LT	76	#endif
1da177e4 LT	77
404bdbfd PM	78	static u_int32_t hash_rnd;
404bdbfd PM	79	static int hash_rnd_initted;
1da177e4	80
404bdbfd	81	static unsigned int recent_entry_hash(u_int32_t addr)
1da177e4	82	{
404bdbfd PM	83	if (!hash_rnd_initted) {
	84	get_random_bytes(&hash_rnd, 4);
	85	hash_rnd_initted = 1;
1da177e4	86	}
404bdbfd	87	return jhash_1word(addr, hash_rnd) & (ip_list_hash_size - 1);
1da177e4 LT	88	}
1da177e4 LT	89
404bdbfd PM	90	static struct recent_entry *
404bdbfd PM	91	recent_entry_lookup(const struct recent_table *table, u_int32_t addr, u_int8_t ttl)
1da177e4	92	{
404bdbfd PM	93	struct recent_entry *e;
	94	unsigned int h;
	95
	96	h = recent_entry_hash(addr);
	97	list_for_each_entry(e, &table->iphash[h], list)
	98	if (e->addr == addr && (ttl == e->ttl \|\| !ttl \|\| !e->ttl))
	99	return e;
	100	return NULL;
	101	}
1da177e4	102
404bdbfd PM	103	static void recent_entry_remove(struct recent_table t, struct recent_entry e)
	104	{
	105	list_del(&e->list);
	106	list_del(&e->lru_list);
	107	kfree(e);
	108	t->entries--;
	109	}
1da177e4	110
404bdbfd PM	111	static struct recent_entry *
	112	recent_entry_init(struct recent_table *t, u_int32_t addr, u_int8_t ttl)
	113	{
	114	struct recent_entry *e;
1da177e4	115
404bdbfd PM	116	if (t->entries >= ip_list_tot) {
	117	e = list_entry(t->lru_list.next, struct recent_entry, lru_list);
	118	recent_entry_remove(t, e);
1da177e4	119	}
404bdbfd PM	120	e = kmalloc(sizeof(e) + sizeof(e->stamps[0]) ip_pkt_list_tot,
	121	GFP_ATOMIC);
	122	if (e == NULL)
	123	return NULL;
	124	e->addr = addr;
	125	e->ttl = ttl;
	126	e->stamps[0] = jiffies;
	127	e->nstamps = 1;
	128	e->index = 1;
	129	list_add_tail(&e->list, &t->iphash[recent_entry_hash(addr)]);
	130	list_add_tail(&e->lru_list, &t->lru_list);
	131	t->entries++;
	132	return e;
	133	}
1da177e4	134
404bdbfd PM	135	static void recent_entry_update(struct recent_table t, struct recent_entry e)
	136	{
	137	e->stamps[e->index++] = jiffies;
	138	if (e->index > e->nstamps)
	139	e->nstamps = e->index;
	140	e->index %= ip_pkt_list_tot;
	141	list_move_tail(&e->lru_list, &t->lru_list);
	142	}
1da177e4	143
404bdbfd PM	144	static struct recent_table recent_table_lookup(const char name)
	145	{
	146	struct recent_table *t;
1da177e4	147
404bdbfd PM	148	list_for_each_entry(t, &tables, list)
	149	if (!strcmp(t->name, name))
	150	return t;
	151	return NULL;
	152	}
1da177e4	153
404bdbfd PM	154	static void recent_table_flush(struct recent_table *t)
	155	{
	156	struct recent_entry e, next;
	157	unsigned int i;
1da177e4	158
404bdbfd PM	159	for (i = 0; i < ip_list_hash_size; i++) {
	160	list_for_each_entry_safe(e, next, &t->iphash[i], list)
	161	recent_entry_remove(t, e);
1da177e4	162	}
1da177e4 LT	163	}
1da177e4 LT	164
1da177e4	165	static int
404bdbfd PM	166	ipt_recent_match(const struct sk_buff *skb,
	167	const struct net_device in, const struct net_device out,
	168	const struct xt_match match, const void matchinfo,
	169	int offset, unsigned int protoff, int *hotdrop)
1da177e4	170	{
1da177e4	171	const struct ipt_recent_info *info = matchinfo;
404bdbfd PM	172	struct recent_table *t;
	173	struct recent_entry *e;
	174	u_int32_t addr;
	175	u_int8_t ttl;
	176	int ret = info->invert;
1da177e4	177
404bdbfd PM	178	if (info->side == IPT_RECENT_DEST)
	179	addr = skb->nh.iph->daddr;
	180	else
	181	addr = skb->nh.iph->saddr;
1da177e4	182
404bdbfd PM	183	ttl = skb->nh.iph->ttl;
	184	/* use TTL as seen before forwarding */
	185	if (out && !skb->sk)
	186	ttl++;
1da177e4	187
1da177e4	188	spin_lock_bh(&recent_lock);
404bdbfd PM	189	t = recent_table_lookup(info->name);
	190	e = recent_entry_lookup(t, addr,
	191	info->check_set & IPT_RECENT_TTL ? ttl : 0);
	192	if (e == NULL) {
	193	if (!(info->check_set & IPT_RECENT_SET))
	194	goto out;
	195	e = recent_entry_init(t, addr, ttl);
	196	if (e == NULL)
	197	*hotdrop = 1;
	198	ret ^= 1;
	199	goto out;
1da177e4 LT	200	}
1da177e4 LT	201
404bdbfd PM	202	if (info->check_set & IPT_RECENT_SET)
	203	ret ^= 1;
	204	else if (info->check_set & IPT_RECENT_REMOVE) {
	205	recent_entry_remove(t, e);
	206	ret ^= 1;
	207	} else if (info->check_set & (IPT_RECENT_CHECK \| IPT_RECENT_UPDATE)) {
	208	unsigned long t = jiffies - info->seconds * HZ;
	209	unsigned int i, hits = 0;
	210
	211	for (i = 0; i < e->nstamps; i++) {
	212	if (info->seconds && time_after(t, e->stamps[i]))
	213	continue;
	214	if (++hits >= info->hit_count) {
	215	ret ^= 1;
	216	break;
1da177e4	217	}
1da177e4	218	}
1da177e4 LT	219	}
1da177e4 LT	220
404bdbfd PM	221	if (info->check_set & IPT_RECENT_SET \|\|
	222	(info->check_set & IPT_RECENT_UPDATE && ret)) {
	223	recent_entry_update(t, e);
	224	e->ttl = ttl;
	225	}
	226	out:
	227	spin_unlock_bh(&recent_lock);
	228	return ret;
1da177e4 LT	229	}
1da177e4 LT	230
1da177e4	231	static int
404bdbfd PM	232	ipt_recent_checkentry(const char tablename, const void ip,
	233	const struct xt_match match, void matchinfo,
	234	unsigned int matchsize, unsigned int hook_mask)
1da177e4	235	{
1da177e4	236	const struct ipt_recent_info *info = matchinfo;
404bdbfd PM	237	struct recent_table *t;
	238	unsigned i;
	239	int ret = 0;
1da177e4	240
404bdbfd PM	241	if (hweight8(info->check_set &
	242	(IPT_RECENT_SET \| IPT_RECENT_REMOVE \|
	243	IPT_RECENT_CHECK \| IPT_RECENT_UPDATE)) != 1)
	244	return 0;
	245	if ((info->check_set & (IPT_RECENT_SET \| IPT_RECENT_REMOVE)) &&
	246	(info->seconds \|\| info->hit_count))
	247	return 0;
	248	if (info->name[0] == '\0' \|\|
	249	strnlen(info->name, IPT_RECENT_NAME_LEN) == IPT_RECENT_NAME_LEN)
	250	return 0;
1da177e4	251
1da177e4	252	spin_lock_bh(&recent_lock);
404bdbfd PM	253	t = recent_table_lookup(info->name);
	254	if (t != NULL) {
	255	t->refcnt++;
	256	ret = 1;
	257	goto out;
1da177e4 LT	258	}
1da177e4 LT	259
404bdbfd PM	260	t = kzalloc(sizeof(t) + sizeof(t->iphash[0]) ip_list_hash_size,
	261	GFP_ATOMIC);
	262	if (t == NULL)
	263	goto out;
	264	strcpy(t->name, info->name);
	265	INIT_LIST_HEAD(&t->lru_list);
	266	for (i = 0; i < ip_list_hash_size; i++)
	267	INIT_LIST_HEAD(&t->iphash[i]);
	268	#ifdef CONFIG_PROC_FS
	269	t->proc = create_proc_entry(t->name, ip_list_perms, proc_dir);
	270	if (t->proc == NULL) {
	271	kfree(t);
	272	goto out;
1da177e4	273	}
404bdbfd PM	274	t->proc->proc_fops = &recent_fops;
404bdbfd PM	275	t->proc->data = t;
1da177e4	276	#endif
404bdbfd PM	277	list_add_tail(&t->list, &tables);
	278	ret = 1;
	279	out:
	280	spin_unlock_bh(&recent_lock);
	281	return ret;
	282	}
1da177e4	283
404bdbfd PM	284	static void
	285	ipt_recent_destroy(const struct xt_match match, void matchinfo,
	286	unsigned int matchsize)
	287	{
	288	const struct ipt_recent_info *info = matchinfo;
	289	struct recent_table *t;
1da177e4	290
404bdbfd PM	291	spin_lock_bh(&recent_lock);
	292	t = recent_table_lookup(info->name);
	293	if (--t->refcnt == 0) {
	294	list_del(&t->list);
	295	recent_table_flush(t);
	296	#ifdef CONFIG_PROC_FS
	297	remove_proc_entry(t->name, proc_dir);
1da177e4	298	#endif
404bdbfd	299	kfree(t);
1da177e4	300	}
404bdbfd PM	301	spin_unlock_bh(&recent_lock);
404bdbfd PM	302	}
1da177e4	303
404bdbfd PM	304	#ifdef CONFIG_PROC_FS
	305	struct recent_iter_state {
	306	struct recent_table *table;
	307	unsigned int bucket;
	308	};
1da177e4	309
404bdbfd PM	310	static void recent_seq_start(struct seq_file seq, loff_t *pos)
	311	{
	312	struct recent_iter_state *st = seq->private;
	313	struct recent_table *t = st->table;
	314	struct recent_entry *e;
	315	loff_t p = *pos;
1da177e4	316
1da177e4	317	spin_lock_bh(&recent_lock);
1da177e4	318
404bdbfd PM	319	for (st->bucket = 0; st->bucket < ip_list_hash_size; st->bucket++) {
	320	list_for_each_entry(e, &t->iphash[st->bucket], list) {
	321	if (p-- == 0)
	322	return e;
1da177e4	323	}
1da177e4	324	}
404bdbfd PM	325	return NULL;
404bdbfd PM	326	}
1da177e4	327
404bdbfd PM	328	static void recent_seq_next(struct seq_file seq, void v, loff_t pos)
	329	{
	330	struct recent_iter_state *st = seq->private;
	331	struct recent_table *t = st->table;
	332	struct recent_entry *e = v;
	333	struct list_head *head = e->list.next;
	334
	335	while (head == &t->iphash[st->bucket]) {
	336	if (++st->bucket >= ip_list_hash_size)
	337	return NULL;
	338	head = t->iphash[st->bucket].next;
	339	}
	340	(*pos)++;
	341	return list_entry(head, struct recent_entry, list);
1da177e4 LT	342	}
1da177e4 LT	343
404bdbfd	344	static void recent_seq_stop(struct seq_file s, void v)
1da177e4	345	{
404bdbfd PM	346	spin_unlock_bh(&recent_lock);
404bdbfd PM	347	}
1da177e4	348
404bdbfd PM	349	static int recent_seq_show(struct seq_file seq, void v)
	350	{
	351	struct recent_entry *e = v;
	352	unsigned int i;
	353
	354	i = (e->index - 1) % ip_pkt_list_tot;
	355	seq_printf(seq, "src=%u.%u.%u.%u ttl: %u last_seen: %lu oldest_pkt: %u",
	356	NIPQUAD(e->addr), e->ttl, e->stamps[i], e->index);
	357	for (i = 0; i < e->nstamps; i++)
	358	seq_printf(seq, "%s %lu", i ? "," : "", e->stamps[i]);
	359	seq_printf(seq, "\n");
	360	return 0;
	361	}
1da177e4	362
404bdbfd PM	363	static struct seq_operations recent_seq_ops = {
	364	.start = recent_seq_start,
	365	.next = recent_seq_next,
	366	.stop = recent_seq_stop,
	367	.show = recent_seq_show,
	368	};
1da177e4	369
404bdbfd PM	370	static int recent_seq_open(struct inode inode, struct file file)
	371	{
	372	struct proc_dir_entry *pde = PDE(inode);
	373	struct seq_file *seq;
	374	struct recent_iter_state *st;
	375	int ret;
	376
	377	st = kzalloc(sizeof(*st), GFP_KERNEL);
	378	if (st == NULL)
	379	return -ENOMEM;
	380	ret = seq_open(file, &recent_seq_ops);
	381	if (ret)
	382	kfree(st);
	383	st->table = pde->data;
	384	seq = file->private_data;
	385	seq->private = st;
	386	return ret;
	387	}
1da177e4	388
404bdbfd PM	389	static ssize_t recent_proc_write(struct file file, const char __user input,
	390	size_t size, loff_t *loff)
	391	{
	392	struct proc_dir_entry *pde = PDE(file->f_dentry->d_inode);
	393	struct recent_table *t = pde->data;
	394	struct recent_entry *e;
	395	char buf[sizeof("+255.255.255.255")], *c = buf;
	396	u_int32_t addr;
	397	int add;
	398
	399	if (size > sizeof(buf))
	400	size = sizeof(buf);
	401	if (copy_from_user(buf, input, size))
	402	return -EFAULT;
	403	while (isspace(*c))
	404	c++;
	405
	406	if (size - (c - buf) < 5)
	407	return c - buf;
	408	if (!strncmp(c, "clear", 5)) {
	409	c += 5;
	410	spin_lock_bh(&recent_lock);
	411	recent_table_flush(t);
1da177e4	412	spin_unlock_bh(&recent_lock);
404bdbfd	413	return c - buf;
1da177e4	414	}
1da177e4	415
404bdbfd PM	416	switch (*c) {
	417	case '-':
	418	add = 0;
	419	c++;
	420	break;
	421	case '+':
	422	c++;
	423	default:
	424	add = 1;
	425	break;
1da177e4	426	}
404bdbfd	427	addr = in_aton(c);
1da177e4	428
404bdbfd PM	429	spin_lock_bh(&recent_lock);
	430	e = recent_entry_lookup(t, addr, 0);
	431	if (e == NULL) {
	432	if (add)
	433	recent_entry_init(t, addr, 0);
	434	} else {
	435	if (add)
	436	recent_entry_update(t, e);
	437	else
	438	recent_entry_remove(t, e);
1da177e4	439	}
1da177e4	440	spin_unlock_bh(&recent_lock);
404bdbfd PM	441	return size;
404bdbfd PM	442	}
1da177e4	443
404bdbfd PM	444	static struct file_operations recent_fops = {
	445	.open = recent_seq_open,
	446	.read = seq_read,
	447	.write = recent_proc_write,
	448	.release = seq_release_private,
	449	.owner = THIS_MODULE,
	450	};
1da177e4	451	#endif /* CONFIG_PROC_FS */
1da177e4	452
1d5cd909 PM	453	static struct ipt_match recent_match = {
1d5cd909 PM	454	.name = "recent",
404bdbfd	455	.match = ipt_recent_match,
1d5cd909	456	.matchsize = sizeof(struct ipt_recent_info),
404bdbfd PM	457	.checkentry = ipt_recent_checkentry,
	458	.destroy = ipt_recent_destroy,
	459	.me = THIS_MODULE,
1da177e4 LT	460	};
1da177e4 LT	461
65b4b4e8	462	static int __init ipt_recent_init(void)
1da177e4	463	{
404bdbfd	464	int err;
1da177e4	465
404bdbfd PM	466	if (!ip_list_tot \|\| !ip_pkt_list_tot \|\| ip_pkt_list_tot > 255)
	467	return -EINVAL;
	468	ip_list_hash_size = 1 << fls(ip_list_tot);
1da177e4 LT	469
1da177e4 LT	470	err = ipt_register_match(&recent_match);
404bdbfd	471	#ifdef CONFIG_PROC_FS
1da177e4	472	if (err)
404bdbfd PM	473	return err;
	474	proc_dir = proc_mkdir("ipt_recent", proc_net);
	475	if (proc_dir == NULL) {
	476	ipt_unregister_match(&recent_match);
	477	err = -ENOMEM;
	478	}
	479	#endif
1da177e4 LT	480	return err;
	481	}
	482
404bdbfd	483	static void __exit ipt_recent_exit(void)
1da177e4	484	{
404bdbfd	485	BUG_ON(!list_empty(&tables));
1da177e4	486	ipt_unregister_match(&recent_match);
404bdbfd PM	487	#ifdef CONFIG_PROC_FS
	488	remove_proc_entry("ipt_recent", proc_net);
	489	#endif
1da177e4 LT	490	}
1da177e4 LT	491
65b4b4e8	492	module_init(ipt_recent_init);
404bdbfd	493	module_exit(ipt_recent_exit);