iptables匹配quota

2023-12-19 09:18

文章标签 匹配 iptables quota

本文主要是介绍iptables匹配quota，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

quota匹配帮助信息如下。

# iptables -m quota -h
quota match options:
[!] --quota quota               quota (bytes)

如下，当主机192.168.1.111发送的报文总量超过1024000字节之后，阻断其报文。

# iptables -t filter -I INPUT -p tcp -s 192.168.1.105 -m quota --quota 1024000 -j ACCEPT
# iptables -t filter -A INPUT -p tcp -s 192.168.1.105 -j DROP
#
# iptables -L -v -n  
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         0     0 ACCEPT     tcp  --  *      *       192.168.1.105        0.0.0.0/0            quota: 1024000 bytes0     0 DROP       tcp  --  *      *       192.168.1.105        0.0.0.0/0

在主机192.168.1.105上使用ssh访问192.168.1.111，如下，在报文量达到1024k之后，将匹配下一条DROP策略，连接断开。

# iptables -L -v -n
Chain INPUT (policy ACCEPT 717 packets, 115K bytes)pkts bytes target     prot opt in     out     source               destination         
19491 1024K ACCEPT     tcp  --  *      *       192.168.1.105        0.0.0.0/0            quota: 1024000 bytes105  5772 DROP       tcp  --  *      *       192.168.1.105        0.0.0.0/0

quota匹配

函数xt_register_matche注册匹配结构quota_mt_reg。

static struct xt_match quota_mt_reg __read_mostly = {.name       = "quota",.revision   = 0,.family     = NFPROTO_UNSPEC,.match      = quota_mt,.checkentry = quota_mt_check,.destroy    = quota_mt_destroy,.matchsize  = sizeof(struct xt_quota_info),.usersize   = offsetof(struct xt_quota_info, master),.me         = THIS_MODULE,
};
static int __init quota_mt_init(void)
{return xt_register_match(&quota_mt_reg);

在配置检查函数中，分配xt_quota_priv结构，初始化其中的自旋锁和保存quota值。

static int quota_mt_check(const struct xt_mtchk_param *par)
{struct xt_quota_info *q = par->matchinfo;if (q->flags & ~XT_QUOTA_MASK)return -EINVAL;q->master = kmalloc(sizeof(*q->master), GFP_KERNEL);if (q->master == NULL)return -ENOMEM;spin_lock_init(&q->master->lock);q->master->quota = q->quota;

匹配函数quota_mt如下，如果quota值大于报文长度，将quota减去报文长度；否则，当小于报文长度时，quota设置为零。

static bool
quota_mt(const struct sk_buff *skb, struct xt_action_param *par)
{struct xt_quota_info *q = (void *)par->matchinfo;struct xt_quota_priv *priv = q->master;bool ret = q->flags & XT_QUOTA_INVERT;spin_lock_bh(&priv->lock);if (priv->quota >= skb->len) {priv->quota -= skb->len;ret = !ret;} else {/* we do not allow even small packets from now on */priv->quota = 0;}spin_unlock_bh(&priv->lock);return ret;

内核版本 5.10

这篇关于iptables匹配quota的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！