📄 140-netfilter_time.patch
Index: linux-2.6.21.7/include/linux/netfilter_ipv4/ipt_time.h
===================================================================
--- /dev/null
+++ linux-2.6.21.7/include/linux/netfilter_ipv4/ipt_time.h
@@ -0,0 +1,18 @@
+#ifndef __ipt_time_h_included__
+#define __ipt_time_h_included__
+
+
+struct ipt_time_info {
+ u_int8_t days_match; /* 1 bit per day. -SMTWTFS */
+ u_int16_t time_start; /* 0 < time_start < 23*60+59 = 1439 */
+ u_int16_t time_stop; /* 0:0 < time_stat < 23:59 */
+
+ /* FIXME: Keep this one for userspace iptables binary compability: */
+ u_int8_t kerneltime; /* ignore skb time (and use kerneltime) or not. */
+
+ time_t date_start;
+ time_t date_stop;
+};
+
+
+#endif /* __ipt_time_h_included__ */
Index: linux-2.6.21.7/net/ipv4/netfilter/ipt_time.c
===================================================================
--- /dev/null
+++ linux-2.6.21.7/net/ipv4/netfilter/ipt_time.c
@@ -0,0 +1,178 @@
+/*
+ This is a module which is used for time matching
+ It is using some modified code from dietlibc (localtime() function)
+ that you can find at http://www.fefe.de/dietlibc/
+ This file is distributed under the terms of the GNU General Public
+ License (GPL). Copies of the GPL can be obtained from: ftp://prep.ai.mit.edu/pub/gnu/GPL
+ 2001-05-04 Fabrice MARIE <fabrice@netfilter.org> : initial development.
+ 2001-21-05 Fabrice MARIE <fabrice@netfilter.org> : bug fix in the match code,
+ thanks to "Zeng Yu" <zengy@capitel.com.cn> for bug report.
+ 2001-26-09 Fabrice MARIE <fabrice@netfilter.org> : force the match to be in LOCAL_IN or PRE_ROUTING only.
+ 2001-30-11 Fabrice : added the possibility to use the match in FORWARD/OUTPUT with a little hack,
+ added Nguyen Dang Phuoc Dong <dongnd@tlnet.com.vn> patch to support timezones.
+ 2004-05-02 Fabrice : added support for date matching, from an idea of Fabien COELHO.
+*/
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_time.h>
+#include <linux/time.h>
+
+MODULE_AUTHOR("Fabrice MARIE <fabrice@netfilter.org>");
+MODULE_DESCRIPTION("Match arrival timestamp/date");
+MODULE_LICENSE("GPL");
+
+struct tm
+{
+ int tm_sec; /* Seconds. [0-60] (1 leap second) */
+ int tm_min; /* Minutes. [0-59] */
+ int tm_hour; /* Hours. [0-23] */
+ int tm_mday; /* Day. [1-31] */
+ int tm_mon; /* Month. [0-11] */
+ int tm_year; /* Year - 1900. */
+ int tm_wday; /* Day of week. [0-6] */
+ int tm_yday; /* Days in year.[0-365] */
+ int tm_isdst; /* DST. [-1/0/1]*/
+
+ long int tm_gmtoff; /* we don't care, we count from GMT */
+ const char *tm_zone; /* we don't care, we count from GMT */
+};
+
+void
+localtime(const u32 time, struct tm *r);
+
+static int
+match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const struct xt_match *match,
+ const void *matchinfo,
+ int offset,
+ unsigned int protoff,
+ int *hotdrop)
+{
+ const struct ipt_time_info *info = matchinfo; /* match info for rule */
+ struct tm currenttime; /* time human readable */
+ u_int8_t days_of_week[7] = {64, 32, 16, 8, 4, 2, 1};
+ u_int16_t packet_time;
+
+ /* We might not have a timestamp, get one */
+ if (skb->tstamp.off_sec == 0)
+ __net_timestamp((struct sk_buff *)skb);
+
+ /* First we make sure we are in the date start-stop boundaries */
+ if ((skb->tstamp.off_sec < info->date_start) || (skb->tstamp.off_sec > info->date_stop))
+ return 0; /* We are outside the date boundaries */
+
+ /* Transform the timestamp of the packet, in a human readable form */
+ localtime(skb->tstamp.off_sec, ¤ttime);
+
+ /* check if we match this timestamp, we start by the days... */
+ if ((days_of_week[currenttime.tm_wday] & info->days_match) != days_of_week[currenttime.tm_wday])
+ return 0; /* the day doesn't match */
+
+ /* ... check the time now */
+ packet_time = (currenttime.tm_hour * 60) + currenttime.tm_min;
+ if ((packet_time < info->time_start) || (packet_time > info->time_stop))
+ return 0;
+
+ /* here we match ! */
+ return 1;
+}
+
+static int
+checkentry(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ unsigned int hook_mask)
+{
+ struct ipt_time_info *info = matchinfo; /* match info for rule */
+
+ /* First, check that we are in the correct hooks */
+ if (hook_mask
+ & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) | (1 << NF_IP_LOCAL_OUT)))
+ {
+ printk("ipt_time: error, only valid for PRE_ROUTING, LOCAL_IN, FORWARD and OUTPUT)\n");
+ return 0;
+ }
+
+ /* Now check the coherence of the data ... */
+ if ((info->time_start > 1439) || /* 23*60+59 = 1439*/
+ (info->time_stop > 1439))
+ {
+ printk(KERN_WARNING "ipt_time: invalid argument\n");
+ return 0;
+ }
+
+ return 1;
+}
+
+static struct ipt_match time_match = {
+ .name = "time",
+ .match = &match,
+ .matchsize = sizeof(struct ipt_time_info),
+ .checkentry = &checkentry,
+ .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+ printk("ipt_time loading\n");
+ return xt_register_match(&time_match);
+}
+
+static void __exit fini(void)
+{
+ xt_unregister_match(&time_match);
+ printk("ipt_time unloaded\n");
+}
+
+module_init(init);
+module_exit(fini);
+
+
+/* The part below is borowed and modified from dietlibc */
+
+/* seconds per day */
+#define SPD 24*60*60
+
+void
+localtime(const u32 time, struct tm *r) {
+ u32 i, timep;
+ extern struct timezone sys_tz;
+ const unsigned int __spm[12] =
+ { 0,
+ (31),
+ (31+28),
+ (31+28+31),
+ (31+28+31+30),
+ (31+28+31+30+31),
+ (31+28+31+30+31+30),
+ (31+28+31+30+31+30+31),
+ (31+28+31+30+31+30+31+31),
+ (31+28+31+30+31+30+31+31+30),
+ (31+28+31+30+31+30+31+31+30+31),
+ (31+28+31+30+31+30+31+31+30+31+30),
+ };
+ register u32 work;
+
+ timep = time - (sys_tz.tz_minuteswest * 60);
+ work=timep%(SPD);
+ r->tm_sec=work%60; work/=60;
+ r->tm_min=work%60; r->tm_hour=work/60;
+ work=timep/(SPD);
+ r->tm_wday=(4+work)%7;
+ for (i=1970; ; ++i) {
+ register time_t k= (!(i%4) && ((i%100) || !(i%400)))?366:365;
+ if (work>k)
+ work-=k;
+ else
+ break;
+ }
+ r->tm_year=i-1900;
+ for (i=11; i && __spm[i]>work; --i) ;
+ r->tm_mon=i;
+ r->tm_mday=work-__spm[i]+1;
+}
Index: linux-2.6.21.7/net/ipv4/netfilter/Kconfig
===================================================================
--- linux-2.6.21.7.orig/net/ipv4/netfilter/Kconfig
+++ linux-2.6.21.7/net/ipv4/netfilter/Kconfig
@@ -260,6 +260,22 @@ config IP_NF_MATCH_TOS To compile it as a module, choose M here. If unsure, say N. 
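Review bot: checkentry() in ipt_time.c bounds time_start and time_stop to 1439 but never compares them, so a window that wraps midnight (start greater than stop) is accepted and match() then returns 0 for every packet; if such a rule carries a DROP or REJECT target, the restriction is silently never enforced. Rejecting it at rule load would make the failure visible, e.g. `if (info->time_start > info->time_stop) return 0;` next to the existing 1439 check, unless the userspace side is known to normalise the range. In localtime() the year loop tests `if (work>k)`, which turns the first day of each year into day 32 of the previous December; `if (work>=k)` fixes it, although match() currently reads only tm_wday, tm_hour and tm_min. localtime() is also defined without `static`, so the module exports a very generic symbol name. The window is evaluated against the system clock and `sys_tz`, so a comment saying that the rule is only as trustworthy as the host's time source would help operators.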
++config IP_NF_MATCH_TIME+ tristate 'TIME match support'+ depends on IP_NF_IPTABLES+ help+ This option adds a `time' match, which allows you+ to match based on the packet arrival time/date+ (arrival time/date at the machine which netfilter is running on) or+ departure time/date (for locally generated packets).++ If you say Y here, try iptables -m time --help for more information.+ If you want to compile it as a module, say M here and read++ Documentation/modules.txt. If unsure, say `N'.++ config IP_NF_MATCH_RECENT tristate "recent match support" depends on IP_NF_IPTABLESIndex: linux-2.6.21.7/net/ipv4/netfilter/Makefile===================================================================--- linux-2.6.21.7.orig/net/ipv4/netfilter/Makefile+++ linux-2.6.21.7/net/ipv4/netfilter/Makefile@@ -86,6 +86,7 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o+obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o