1 diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_geoip.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_geoip.h
2 --- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_geoip.h 1970-01-01 01:00:00.000000000 +0100
3 +++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_geoip.h 2007-05-30 12:08:43.000000000 +0200
5 +/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c
7 + * This program is free software; you can redistribute it and/or modify
8 + * it under the terms of the GNU General Public License as published by
9 + * the Free Software Foundation; either version 2 of the License, or
10 + * (at your option) any later version.
12 + * Copyright (c) 2004, 2005, 2006 Samuel Jean & Nicolas Bouliane
17 +#define IPT_GEOIP_SRC 0x01 /* Perform check on Source IP */
18 +#define IPT_GEOIP_DST 0x02 /* Perform check on Destination IP */
19 +#define IPT_GEOIP_INV 0x04 /* Negate the condition */
21 +#define IPT_GEOIP_MAX 15 /* Maximum of countries */
23 +struct geoip_subnet {
29 + struct geoip_subnet *subnets;
33 + struct geoip_info *next;
34 + struct geoip_info *prev;
37 +struct ipt_geoip_info {
40 + u_int16_t cc[IPT_GEOIP_MAX];
42 + /* Used internally by the kernel */
43 + struct geoip_info *mem[IPT_GEOIP_MAX];
46 + /* not implemented yet:
51 +#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF)
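Review bot: `COUNTRY(cc)` at line 51 parenthesizes neither its argument nor its expansion and yields two comma-separated expressions, so any argument that is not a plain identifier (`COUNTRY(a ^ b)`) misparses and the macro only works inside an argument list; write `#define COUNTRY(cc) ((cc) >> 8), ((cc) & 0x00FF) /* expands to two printk arguments */`. The `mem[]` and `refcount` members marked "Used internally by the kernel" sit in the same struct ipt_geoip_info that userspace fills in (and, judging by the refcount comments in ipt_geoip.c, may hand back on a table move), so nothing in the layout lets the kernel tell its own stored pointers from user-supplied ones; a comment on those two fields stating that their incoming values must be treated as untrusted input by checkentry would make that contract explicit. The struct bodies are partly elided on this page, so the type of `count` and the full member lists are not visible.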
55 diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig
56 --- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 12:07:14.000000000 +0200
57 +++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 12:08:43.000000000 +0200
58 @@ -921,5 +921,21 @@ config IP_NF_MATCH_CONNLIMIT
59 If you want to compile it as a module, say M here and read
60 Documentation/modules.txt. If unsure, say `N'.
62 +config IP_NF_MATCH_GEOIP
63 + tristate 'geoip match support'
64 + depends on IP_NF_IPTABLES
66 + This option allows you to match a packet by its source or
67 + destination country. Basically, you need a country's
68 + database containing all subnets and associated countries.
70 + For the complete procedure and understanding, read :
71 + http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO.html
73 + If you want to compile it as a module, say M here and read
74 + <file:Documentation/modules.txt>. The module will be
75 + called `ipt_geoip'. If unsure, say `N'.
80 diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile
81 --- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 12:07:14.000000000 +0200
82 +++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 12:08:43.000000000 +0200
83 @@ -95,6 +95,7 @@ obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += i
84 obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
86 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
87 +obj-$(CONFIG_IP_NF_MATCH_GEOIP) += ipt_geoip.o
88 obj-$(CONFIG_IP_NF_MATCH_U32) += ipt_u32.o
89 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
90 obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
91 diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_geoip.c linux-2.6.21.b/net/ipv4/netfilter/ipt_geoip.c
92 --- linux-2.6.21.a/net/ipv4/netfilter/ipt_geoip.c 1970-01-01 01:00:00.000000000 +0100
93 +++ linux-2.6.21.b/net/ipv4/netfilter/ipt_geoip.c 2007-05-30 12:08:43.000000000 +0200
95 +/* iptables kernel module for the geoip match
97 + * This program is free software; you can redistribute it and/or modify
98 + * it under the terms of the GNU General Public License as published by
99 + * the Free Software Foundation; either version 2 of the License, or
100 + * (at your option) any later version.
102 + * Copyright (c) 2004, 2005, 2006 Samuel Jean & Nicolas Bouliane
104 +#include <linux/module.h>
105 +#include <linux/kernel.h>
106 +#include <linux/version.h>
107 +#include <linux/skbuff.h>
108 +#include <linux/netdevice.h>
109 +#include <asm/uaccess.h>
110 +#include <asm/atomic.h>
111 +#include <linux/netfilter/x_tables.h>
112 +#include <linux/netfilter_ipv4/ipt_geoip.h>
113 +#include <linux/netfilter_ipv4/ip_tables.h>
115 +MODULE_LICENSE("GPL");
116 +MODULE_AUTHOR("Samuel Jean, Nicolas Bouliane");
117 +MODULE_DESCRIPTION("iptables module for geoip match");
119 +struct geoip_info *head = NULL;
120 +static spinlock_t geoip_lock = SPIN_LOCK_UNLOCKED;
122 +static struct geoip_info *add_node(struct geoip_info *memcpy)
124 + struct geoip_info *p =
125 + (struct geoip_info *)kmalloc(sizeof(struct geoip_info), GFP_KERNEL);
127 + struct geoip_subnet *s;
129 + if ((p == NULL) || (copy_from_user(p, memcpy, sizeof(struct geoip_info)) != 0))
132 + s = (struct geoip_subnet *)kmalloc(p->count * sizeof(struct geoip_subnet), GFP_KERNEL);
133 + if ((s == NULL) || (copy_from_user(s, p->subnets, p->count * sizeof(struct geoip_subnet)) != 0))
136 + spin_lock_bh(&geoip_lock);
142 + if (p->next) p->next->prev = p;
145 + spin_unlock_bh(&geoip_lock);
149 +static void remove_node(struct geoip_info *p)
151 + spin_lock_bh(&geoip_lock);
153 + if (p->next) { /* Am I following a node ? */
154 + p->next->prev = p->prev;
155 + if (p->prev) p->prev->next = p->next; /* Is there a node behind me ? */
156 + else head = p->next; /* No? Then I was the head */
160 + if (p->prev) /* Is there a node behind me ? */
161 + p->prev->next = NULL;
163 + head = NULL; /* No, we're alone */
165 + /* So now am unlinked or the only one alive, right ?
166 + * What are you waiting ? Free up some memory!
172 + spin_unlock_bh(&geoip_lock);
176 +static struct geoip_info *find_node(u_int16_t cc)
178 + struct geoip_info *p = head;
179 + spin_lock_bh(&geoip_lock);
183 + spin_unlock_bh(&geoip_lock);
188 + spin_unlock_bh(&geoip_lock);
192 +static int match(const struct sk_buff *skb,
193 + const struct net_device *in,
194 + const struct net_device *out,
195 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
196 + const struct xt_match *match,
198 + const void *matchinfo,
200 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
201 + unsigned int protoff,
205 + const struct ipt_geoip_info *info = matchinfo;
206 + const struct geoip_info *node; /* This keeps the code sexy */
207 + const struct iphdr *iph = ip_hdr(skb);
211 + if (info->flags & IPT_GEOIP_SRC)
212 + ip = ntohl(iph->saddr);
214 + ip = ntohl(iph->daddr);
216 + spin_lock_bh(&geoip_lock);
217 + for (i = 0; i < info->count; i++) {
218 + if ((node = info->mem[i]) == NULL) {
219 + printk(KERN_ERR "ipt_geoip: what the hell ?? '%c%c' isn't loaded into memory... skip it!\n",
220 + COUNTRY(info->cc[i]));
225 + for (j = 0; j < node->count; j++)
226 + if ((ip > node->subnets[j].begin) && (ip < node->subnets[j].end)) {
227 + spin_unlock_bh(&geoip_lock);
228 + return (info->flags & IPT_GEOIP_INV) ? 0 : 1;
232 + spin_unlock_bh(&geoip_lock);
233 + return (info->flags & IPT_GEOIP_INV) ? 1 : 0;
236 +static int geoip_checkentry(const char *tablename,
237 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
240 + const struct ipt_ip *ip,
242 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
243 + const struct xt_match *match,
246 +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
247 + unsigned int matchsize,
249 + unsigned int hook_mask)
251 + struct ipt_geoip_info *info = matchinfo;
252 + struct geoip_info *node;
255 + /* FIXME: Call a function to free userspace allocated memory.
256 + * As Martin J. said; this match might eat lot of memory
257 + * if commited with iptables-restore --noflush
258 + void (*gfree)(struct geoip_info *oldmem);
259 + gfree = info->fini;
262 +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
263 + if (matchsize != IPT_ALIGN(sizeof(struct ipt_geoip_info))) {
264 + printk(KERN_ERR "ipt_geoip: matchsize differ, you may have forgotten to recompile me\n");
269 + /* If info->refcount isn't NULL, then
270 + * it means that checkentry() already
271 + * initialized this entry. Increase a
272 + * refcount to prevent destroy() of
274 + if (info->refcount != NULL) {
275 + atomic_inc((atomic_t *)info->refcount);
280 + for (i = 0; i < info->count; i++) {
282 + if ((node = find_node(info->cc[i])) != NULL)
283 + atomic_inc((atomic_t *)&node->ref); //increase the reference
285 + if ((node = add_node(info->mem[i])) == NULL) {
287 + "ipt_geoip: unable to load '%c%c' into memory\n",
288 + COUNTRY(info->cc[i]));
292 + /* Free userspace allocated memory for that country.
293 + * FIXME: It's a bit odd to call this function everytime
294 + * we process a country. Would be nice to call
295 + * it once after all countries've been processed.
297 + * *not implemented for now*
298 + gfree(info->mem[i]);
301 + /* Overwrite the now-useless pointer info->mem[i] with
302 + * a pointer to the node's kernelspace structure.
303 + * This avoids searching for a node in the match() and
304 + * destroy() functions.
306 + info->mem[i] = node;
309 + /* We allocate some memory and give info->refcount a pointer
310 + * to this memory. This prevents checkentry() from increasing a refcount
311 + * different from the one used by destroy().
312 + * For explanation, see http://www.mail-archive.com/netfilter-devel@lists.samba.org/msg00625.html
314 + info->refcount = kmalloc(sizeof(u_int8_t), GFP_KERNEL);
315 + if (info->refcount == NULL) {
316 + printk(KERN_ERR "ipt_geoip: failed to allocate `refcount' memory\n");
319 + *(info->refcount) = 1;
324 +static void geoip_destroy(
325 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
326 + const struct xt_match *match, void *matchinfo)
328 + void *matchinfo, unsigned int matchsize)
332 + struct geoip_info *node; /* this keeps the code sexy */
334 + struct ipt_geoip_info *info = matchinfo;
335 + /* Decrease the previously increased refcount in checkentry()
336 + * If it's equal to 1, we know this entry is just moving
337 + * but not removed. We simply return to avoid useless destroy()
340 + atomic_dec((atomic_t *)info->refcount);
341 + if (*info->refcount)
344 + /* Don't leak my memory, you idiot.
345 + * Bug found with nfsim.. the netfilter's best
346 + * friend. --peejix */
347 + kfree(info->refcount);
349 + /* This entry has been removed from the table so
350 + * decrease the refcount of all countries it is
354 + for (i = 0; i < info->count; i++)
355 + if ((node = info->mem[i]) != NULL) {
356 + atomic_dec((atomic_t *)&node->ref);
358 + /* Free up some memory if that node isn't used
364 + /* Something strange happened. There's no memory allocated for this
365 + * country. Please send this bug to the mailing list. */
367 + "ipt_geoip: What happened peejix ? What happened acidmen ?\n"
368 + "ipt_geoip: please report this bug to the maintainers\n");
372 +static struct xt_match geoip_match = {
376 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
377 + .matchsize = sizeof (struct ipt_geoip_info),
379 + .checkentry = &geoip_checkentry,
380 + .destroy = &geoip_destroy,
384 +static int __init init(void)
386 + return xt_register_match(&geoip_match);
389 +static void __exit fini(void)
391 + xt_unregister_match(&geoip_match);
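Review bot: geoip_checkentry trusts every field of the user-supplied matchinfo: `info->count` drives the loops over `cc[]` and `mem[]` (both sized IPT_GEOIP_MAX) at lines 280-306 with no upper bound, so a count above 15 reads past both arrays and the store `info->mem[i] = node` at line 306 writes past them; and a non-NULL incoming `info->refcount` is atomic_inc'd at line 275 and later atomic_dec'd, tested and kfree'd by geoip_destroy, which then also walks the still-user-supplied `info->mem[i]` pointers as kernel nodes — an arbitrary kernel increment/free for whoever can load rules. Add `if (info->count == 0 || info->count > IPT_GEOIP_MAX) return 0;` at the top of checkentry, and stop treating pointers embedded in matchinfo as trusted: keep the live refcount/node objects in a kernel-side registry and accept `info->refcount`/`info->mem[i]` only when they are found there, since the blob iptables hands back for a table move is, as far as I can tell, indistinguishable from a forged one. add_node has the same shape of problem at lines 132-133, where `p->count * sizeof(struct geoip_subnet)` is unbounded, so if count is a 32-bit field it can wrap to a small allocation that match() then over-reads through `node->subnets[j]`; bound it before the kmalloc, e.g. `if (p->count == 0 || p->count > INT_MAX / sizeof(struct geoip_subnet))` and bail out through the existing failure path. Two smaller points: `info->refcount` is kmalloc'd as a single u_int8_t yet manipulated as an atomic_t (lines 275, 314-319, 340-341), so allocate `sizeof(atomic_t)` and use atomic_set/atomic_dec_and_test; and the strict `>`/`<` range test at line 226 never matches the first or last address of a subnet, which for inclusive database ranges lets a host sitting exactly at a range boundary bypass the match — use `>=`/`<=`. The tail of this hunk (fini's closing brace and the module_init/module_exit lines) is not visible on this page.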