diff -NurpP --minimal linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_geoip.h linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_geoip.h --- linux-2.6.21.a/include/linux/netfilter_ipv4/ipt_geoip.h 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.21.b/include/linux/netfilter_ipv4/ipt_geoip.h 2007-05-30 12:08:43.000000000 +0200 @@ -0,0 +1,50 @@ +/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * Copyright (c) 2004, 2005, 2006 Samuel Jean & Nicolas Bouliane + */ +#ifndef _IPT_GEOIP_H +#define _IPT_GEOIP_H + +#define IPT_GEOIP_SRC 0x01 /* Perform check on Source IP */ +#define IPT_GEOIP_DST 0x02 /* Perform check on Destination IP */ +#define IPT_GEOIP_INV 0x04 /* Negate the condition */ + +#define IPT_GEOIP_MAX 15 /* Maximum of countries */ + +struct geoip_subnet { + u_int32_t begin; + u_int32_t end; +}; + +struct geoip_info { + struct geoip_subnet *subnets; + u_int32_t count; + u_int32_t ref; + u_int16_t cc; + struct geoip_info *next; + struct geoip_info *prev; +}; + +struct ipt_geoip_info { + u_int8_t flags; + u_int8_t count; + u_int16_t cc[IPT_GEOIP_MAX]; + + /* Used internally by the kernel */ + struct geoip_info *mem[IPT_GEOIP_MAX]; + u_int8_t *refcount; + + /* not implemented yet: + void *fini; + */ +}; + +#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF) + +#endif + diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Kconfig linux-2.6.21.b/net/ipv4/netfilter/Kconfig --- linux-2.6.21.a/net/ipv4/netfilter/Kconfig 2007-05-30 12:07:14.000000000 +0200 +++ linux-2.6.21.b/net/ipv4/netfilter/Kconfig 2007-05-30 12:08:43.000000000 +0200 @@ -921,5 +921,21 @@ config IP_NF_MATCH_CONNLIMIT If you want to compile it as a module, say M here and read Documentation/modules.txt. If unsure, say `N'. +config IP_NF_MATCH_GEOIP + tristate 'geoip match support' + depends on IP_NF_IPTABLES + help + This option allows you to match a packet by its source or + destination country. Basically, you need a country's + database containing all subnets and associated countries. + + For the complete procedure and understanding, read : + http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO.html + + If you want to compile it as a module, say M here and read + . The module will be + called `ipt_geoip'. If unsure, say `N'. + + endmenu diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/Makefile linux-2.6.21.b/net/ipv4/netfilter/Makefile --- linux-2.6.21.a/net/ipv4/netfilter/Makefile 2007-05-30 12:07:14.000000000 +0200 +++ linux-2.6.21.b/net/ipv4/netfilter/Makefile 2007-05-30 12:08:43.000000000 +0200 @@ -95,6 +95,7 @@ obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += i obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o +obj-$(CONFIG_IP_NF_MATCH_GEOIP) += ipt_geoip.o obj-$(CONFIG_IP_NF_MATCH_U32) += ipt_u32.o obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o diff -NurpP --minimal linux-2.6.21.a/net/ipv4/netfilter/ipt_geoip.c linux-2.6.21.b/net/ipv4/netfilter/ipt_geoip.c --- linux-2.6.21.a/net/ipv4/netfilter/ipt_geoip.c 1970-01-01 01:00:00.000000000 +0100 +++ linux-2.6.21.b/net/ipv4/netfilter/ipt_geoip.c 2007-05-30 12:08:43.000000000 +0200 @@ -0,0 +1,302 @@ +/* iptables kernel module for the geoip match + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * Copyright (c) 2004, 2005, 2006 Samuel Jean & Nicolas Bouliane + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Samuel Jean, Nicolas Bouliane"); +MODULE_DESCRIPTION("iptables module for geoip match"); + +struct geoip_info *head = NULL; +static spinlock_t geoip_lock = SPIN_LOCK_UNLOCKED; + +static struct geoip_info *add_node(struct geoip_info *memcpy) +{ + struct geoip_info *p = + (struct geoip_info *)kmalloc(sizeof(struct geoip_info), GFP_KERNEL); + + struct geoip_subnet *s; + + if ((p == NULL) || (copy_from_user(p, memcpy, sizeof(struct geoip_info)) != 0)) + return NULL; + + s = (struct geoip_subnet *)kmalloc(p->count * sizeof(struct geoip_subnet), GFP_KERNEL); + if ((s == NULL) || (copy_from_user(s, p->subnets, p->count * sizeof(struct geoip_subnet)) != 0)) + return NULL; + + spin_lock_bh(&geoip_lock); + + p->subnets = s; + p->ref = 1; + p->next = head; + p->prev = NULL; + if (p->next) p->next->prev = p; + head = p; + + spin_unlock_bh(&geoip_lock); + return p; +} + +static void remove_node(struct geoip_info *p) + { + spin_lock_bh(&geoip_lock); + + if (p->next) { /* Am I following a node ? */ + p->next->prev = p->prev; + if (p->prev) p->prev->next = p->next; /* Is there a node behind me ? */ + else head = p->next; /* No? Then I was the head */ + } + + else + if (p->prev) /* Is there a node behind me ? */ + p->prev->next = NULL; + else + head = NULL; /* No, we're alone */ + + /* So now am unlinked or the only one alive, right ? + * What are you waiting ? Free up some memory! + */ + + kfree(p->subnets); + kfree(p); + + spin_unlock_bh(&geoip_lock); + return; +} + +static struct geoip_info *find_node(u_int16_t cc) +{ + struct geoip_info *p = head; + spin_lock_bh(&geoip_lock); + + while (p) { + if (p->cc == cc) { + spin_unlock_bh(&geoip_lock); + return p; + } + p = p->next; + } + spin_unlock_bh(&geoip_lock); + return NULL; +} + +static int match(const struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) + const struct xt_match *match, +#endif + const void *matchinfo, + int offset, +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16) + unsigned int protoff, +#endif + int *hotdrop) +{ + const struct ipt_geoip_info *info = matchinfo; + const struct geoip_info *node; /* This keeps the code sexy */ + const struct iphdr *iph = ip_hdr(skb); + u_int32_t ip, j; + u_int8_t i; + + if (info->flags & IPT_GEOIP_SRC) + ip = ntohl(iph->saddr); + else + ip = ntohl(iph->daddr); + + spin_lock_bh(&geoip_lock); + for (i = 0; i < info->count; i++) { + if ((node = info->mem[i]) == NULL) { + printk(KERN_ERR "ipt_geoip: what the hell ?? '%c%c' isn't loaded into memory... skip it!\n", + COUNTRY(info->cc[i])); + + continue; + } + + for (j = 0; j < node->count; j++) + if ((ip > node->subnets[j].begin) && (ip < node->subnets[j].end)) { + spin_unlock_bh(&geoip_lock); + return (info->flags & IPT_GEOIP_INV) ? 0 : 1; + } + } + + spin_unlock_bh(&geoip_lock); + return (info->flags & IPT_GEOIP_INV) ? 1 : 0; +} + +static int geoip_checkentry(const char *tablename, +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16) + const void *ip, +#else + const struct ipt_ip *ip, +#endif +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) + const struct xt_match *match, +#endif + void *matchinfo, +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) + unsigned int matchsize, +#endif + unsigned int hook_mask) +{ + struct ipt_geoip_info *info = matchinfo; + struct geoip_info *node; + u_int8_t i; + + /* FIXME: Call a function to free userspace allocated memory. + * As Martin J. said; this match might eat lot of memory + * if commited with iptables-restore --noflush + void (*gfree)(struct geoip_info *oldmem); + gfree = info->fini; + */ + +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) + if (matchsize != IPT_ALIGN(sizeof(struct ipt_geoip_info))) { + printk(KERN_ERR "ipt_geoip: matchsize differ, you may have forgotten to recompile me\n"); + return 0; + } +#endif + + /* If info->refcount isn't NULL, then + * it means that checkentry() already + * initialized this entry. Increase a + * refcount to prevent destroy() of + * this entry. */ + if (info->refcount != NULL) { + atomic_inc((atomic_t *)info->refcount); + return 1; + } + + + for (i = 0; i < info->count; i++) { + + if ((node = find_node(info->cc[i])) != NULL) + atomic_inc((atomic_t *)&node->ref); //increase the reference + else + if ((node = add_node(info->mem[i])) == NULL) { + printk(KERN_ERR + "ipt_geoip: unable to load '%c%c' into memory\n", + COUNTRY(info->cc[i])); + return 0; + } + + /* Free userspace allocated memory for that country. + * FIXME: It's a bit odd to call this function everytime + * we process a country. Would be nice to call + * it once after all countries've been processed. + * - SJ + * *not implemented for now* + gfree(info->mem[i]); + */ + + /* Overwrite the now-useless pointer info->mem[i] with + * a pointer to the node's kernelspace structure. + * This avoids searching for a node in the match() and + * destroy() functions. + */ + info->mem[i] = node; + } + + /* We allocate some memory and give info->refcount a pointer + * to this memory. This prevents checkentry() from increasing a refcount + * different from the one used by destroy(). + * For explanation, see http://www.mail-archive.com/netfilter-devel@lists.samba.org/msg00625.html + */ + info->refcount = kmalloc(sizeof(u_int8_t), GFP_KERNEL); + if (info->refcount == NULL) { + printk(KERN_ERR "ipt_geoip: failed to allocate `refcount' memory\n"); + return 0; + } + *(info->refcount) = 1; + + return 1; +} + +static void geoip_destroy( +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) + const struct xt_match *match, void *matchinfo) +#else + void *matchinfo, unsigned int matchsize) +#endif +{ + u_int8_t i; + struct geoip_info *node; /* this keeps the code sexy */ + + struct ipt_geoip_info *info = matchinfo; + /* Decrease the previously increased refcount in checkentry() + * If it's equal to 1, we know this entry is just moving + * but not removed. We simply return to avoid useless destroy() + * processing. + */ + atomic_dec((atomic_t *)info->refcount); + if (*info->refcount) + return; + + /* Don't leak my memory, you idiot. + * Bug found with nfsim.. the netfilter's best + * friend. --peejix */ + kfree(info->refcount); + + /* This entry has been removed from the table so + * decrease the refcount of all countries it is + * using. + */ + + for (i = 0; i < info->count; i++) + if ((node = info->mem[i]) != NULL) { + atomic_dec((atomic_t *)&node->ref); + + /* Free up some memory if that node isn't used + * anymore. */ + if (node->ref < 1) + remove_node(node); + } + else + /* Something strange happened. There's no memory allocated for this + * country. Please send this bug to the mailing list. */ + printk(KERN_ERR + "ipt_geoip: What happened peejix ? What happened acidmen ?\n" + "ipt_geoip: please report this bug to the maintainers\n"); + return; +} + +static struct xt_match geoip_match = { + .name = "geoip", + .family = AF_INET, + .match = &match, +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) + .matchsize = sizeof (struct ipt_geoip_info), +#endif + .checkentry = &geoip_checkentry, + .destroy = &geoip_destroy, + .me = THIS_MODULE +}; + +static int __init init(void) +{ + return xt_register_match(&geoip_match); +} + +static void __exit fini(void) +{ + xt_unregister_match(&geoip_match); + return; +} + +module_init(init); +module_exit(fini);