Add rateest match extension
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
new file mode 100644
index 0000000..cf78703
--- /dev/null
+++ b/extensions/libxt_rateest.c
@@ -0,0 +1,461 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <getopt.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_rateest.h>
+
+/* Ugly hack to pass info to final_check function. We should fix the API */
+static struct xt_rateest_match_info *rateest_info;
+
+static void rateest_help(void)
+{
+ printf(
+"rateest match v%s options:\n"
+" --rateest1 name Rate estimator name\n"
+" --rateest2 name Rate estimator name\n"
+" --rateest-delta Compare difference(s) to given rate(s)\n"
+" --rateest-bps1 [bps] Compare bps\n"
+" --rateest-pps1 [pps] Compare pps\n"
+" --rateest-bps2 [bps] Compare bps\n"
+" --rateest-pps2 [pps] Compare pps\n"
+" [!] --rateest-lt Match if rate is less than given rate/estimator\n"
+" [!] --rateest-gt Match if rate is greater than given rate/estimator\n"
+" [!] --rateest-eq Match if rate is equal to given rate/estimator\n"
+"\n",
+ IPTABLES_VERSION);
+}
+
+enum rateest_options {
+ OPT_RATEEST1,
+ OPT_RATEEST2,
+ OPT_RATEEST_BPS1,
+ OPT_RATEEST_PPS1,
+ OPT_RATEEST_BPS2,
+ OPT_RATEEST_PPS2,
+ OPT_RATEEST_DELTA,
+ OPT_RATEEST_LT,
+ OPT_RATEEST_GT,
+ OPT_RATEEST_EQ,
+};
+
+static const struct option rateest_opts[] = {
+ { "rateest1", 1, NULL, OPT_RATEEST1 },
+ { "rateest", 1, NULL, OPT_RATEEST1 }, /* alias for absolute mode */
+ { "rateest2", 1, NULL, OPT_RATEEST2 },
+ { "rateest-bps1", 0, NULL, OPT_RATEEST_BPS1 },
+ { "rateest-pps1", 0, NULL, OPT_RATEEST_PPS1 },
+ { "rateest-bps2", 0, NULL, OPT_RATEEST_BPS2 },
+ { "rateest-pps2", 0, NULL, OPT_RATEEST_PPS2 },
+ { "rateest-bps", 0, NULL, OPT_RATEEST_BPS2 }, /* alias for absolute mode */
+ { "rateest-pps", 0, NULL, OPT_RATEEST_PPS2 }, /* alias for absolute mode */
+ { "rateest-delta", 0, NULL, OPT_RATEEST_DELTA },
+ { "rateest-lt", 0, NULL, OPT_RATEEST_LT },
+ { "rateest-gt", 0, NULL, OPT_RATEEST_GT },
+ { "rateest-eq", 0, NULL, OPT_RATEEST_EQ },
+ { },
+};
+
+/* Copied from iproute. See http://physics.nist.gov/cuu/Units/binary.html */
+static const struct rate_suffix {
+ const char *name;
+ double scale;
+} suffixes[] = {
+ { "bit", 1. },
+ { "Kibit", 1024. },
+ { "kbit", 1000. },
+ { "mibit", 1024.*1024. },
+ { "mbit", 1000000. },
+ { "gibit", 1024.*1024.*1024. },
+ { "gbit", 1000000000. },
+ { "tibit", 1024.*1024.*1024.*1024. },
+ { "tbit", 1000000000000. },
+ { "Bps", 8. },
+ { "KiBps", 8.*1024. },
+ { "KBps", 8000. },
+ { "MiBps", 8.*1024*1024. },
+ { "MBps", 8000000. },
+ { "GiBps", 8.*1024.*1024.*1024. },
+ { "GBps", 8000000000. },
+ { "TiBps", 8.*1024.*1024.*1024.*1024. },
+ { "TBps", 8000000000000. },
+ { }
+};
+
+static int
+rateest_get_rate(u_int32_t *rate, const char *str)
+{
+ char *p;
+ double bps = strtod(str, &p);
+ const struct rate_suffix *s;
+
+ if (p == str)
+ return -1;
+
+ if (*p == '\0') {
+ *rate = bps / 8.; /* assume bytes/sec */
+ return 0;
+ }
+
+ for (s = suffixes; s->name; ++s) {
+ if (strcasecmp(s->name, p) == 0) {
+ *rate = (bps * s->scale) / 8.;
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
+static int
+rateest_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_rateest_match_info *info = (void *)(*match)->data;
+
+ rateest_info = info;
+
+ switch (c) {
+ case OPT_RATEEST1:
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: rateest can't be inverted");
+
+ if (*flags & (1 << c))
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest1 twice");
+ *flags |= 1 << c;
+
+ strncpy(info->name1, optarg, sizeof(info->name1) - 1);
+ break;
+
+ case OPT_RATEEST2:
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: rateest can't be inverted");
+
+ if (*flags & (1 << c))
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest2 twice");
+ *flags |= 1 << c;
+
+ strncpy(info->name2, optarg, sizeof(info->name2) - 1);
+ info->flags |= XT_RATEEST_MATCH_REL;
+ break;
+
+ case OPT_RATEEST_BPS1:
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: rateest-bps can't be inverted");
+
+ if (*flags & (1 << c))
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest-bps1 twice");
+ *flags |= 1 << c;
+
+ info->flags |= XT_RATEEST_MATCH_BPS;
+
+ /* The rate is optional and only required in absolute mode */
+ if (!argv[optind] || *argv[optind] == '-' || *argv[optind] == '!')
+ break;
+
+ if (rateest_get_rate(&info->bps1, argv[optind]) < 0)
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: could not parse rate `%s'",
+ argv[optind]);
+ optind++;
+ break;
+
+ case OPT_RATEEST_PPS1:
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: rateest-pps can't be inverted");
+
+ if (*flags & (1 << c))
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest-pps1 twice");
+ *flags |= 1 << c;
+
+ info->flags |= XT_RATEEST_MATCH_PPS;
+
+ /* The rate is optional and only required in absolute mode */
+ if (!argv[optind] || *argv[optind] == '-' || *argv[optind] == '!')
+ break;
+
+ if (string_to_number(argv[optind], 0, 0, &info->pps1) < 0)
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: could not parse pps `%s'",
+ argv[optind]);
+ optind++;
+ break;
+
+ case OPT_RATEEST_BPS2:
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: rateest-bps can't be inverted");
+
+ if (*flags & (1 << c))
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest-bps2 twice");
+ *flags |= 1 << c;
+
+ info->flags |= XT_RATEEST_MATCH_BPS;
+
+ /* The rate is optional and only required in absolute mode */
+ if (!argv[optind] || *argv[optind] == '-' || *argv[optind] == '!')
+ break;
+
+ if (rateest_get_rate(&info->bps2, argv[optind]) < 0)
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: could not parse rate `%s'",
+ argv[optind]);
+ optind++;
+ break;
+
+ case OPT_RATEEST_PPS2:
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: rateest-pps can't be inverted");
+
+ if (*flags & (1 << c))
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest-pps2 twice");
+ *flags |= 1 << c;
+
+ info->flags |= XT_RATEEST_MATCH_PPS;
+
+ /* The rate is optional and only required in absolute mode */
+ if (!argv[optind] || *argv[optind] == '-' || *argv[optind] == '!')
+ break;
+
+ if (string_to_number(argv[optind], 0, 0, &info->pps2) < 0)
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: could not parse pps `%s'",
+ argv[optind]);
+ optind++;
+ break;
+
+ case OPT_RATEEST_DELTA:
+ check_inverse(optarg, &invert, &optind, 0);
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: rateest-delta can't be inverted");
+
+ if (*flags & (1 << c))
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: can't specify --rateest-delta twice");
+ *flags |= 1 << c;
+
+ info->flags |= XT_RATEEST_MATCH_DELTA;
+ break;
+
+ case OPT_RATEEST_EQ:
+ check_inverse(argv[optind-1], &invert, &optind, 0);
+
+ if (*flags & (1 << c))
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: can't specify lt/gt/eq twice");
+ *flags |= 1 << c;
+
+ info->mode = XT_RATEEST_MATCH_EQ;
+ if (invert)
+ info->flags |= XT_RATEEST_MATCH_INVERT;
+ break;
+
+ case OPT_RATEEST_LT:
+ check_inverse(argv[optind-1], &invert, &optind, 0);
+
+ if (*flags & (1 << c))
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: can't specify lt/gt/eq twice");
+ *flags |= 1 << c;
+
+ info->mode = XT_RATEEST_MATCH_LT;
+ if (invert)
+ info->flags |= XT_RATEEST_MATCH_INVERT;
+ break;
+
+ case OPT_RATEEST_GT:
+ check_inverse(argv[optind-1], &invert, &optind, 0);
+
+ if (*flags & (1 << c))
+ exit_error(PARAMETER_PROBLEM,
+ "rateest: can't specify lt/gt/eq twice");
+ *flags |= 1 << c;
+
+ info->mode = XT_RATEEST_MATCH_GT;
+ if (invert)
+ info->flags |= XT_RATEEST_MATCH_INVERT;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+rateest_final_check(unsigned int flags)
+{
+ struct xt_rateest_match_info *info = rateest_info;
+
+ if (!(info->flags & XT_RATEEST_MATCH_REL))
+ info->flags |= XT_RATEEST_MATCH_ABS;
+}
+
+static void
+rateest_print_rate(u_int32_t rate, int numeric)
+{
+ double tmp = (double)rate*8;
+
+ if (numeric)
+ printf("%u ", rate);
+ else if (tmp >= 1000.0*1000000.0)
+ printf("%.0fMbit ", tmp/1000000.0);
+ else if (tmp >= 1000.0 * 1000.0)
+ printf("%.0fKbit ", tmp/1000.0);
+ else
+ printf("%.0fbit ", tmp);
+}
+
+static void
+rateest_print_mode(struct xt_rateest_match_info *info, const char *prefix)
+{
+ if (info->flags & XT_RATEEST_MATCH_INVERT)
+ printf("! ");
+
+ switch (info->mode) {
+ case XT_RATEEST_MATCH_EQ:
+ printf("%seq ", prefix);
+ break;
+ case XT_RATEEST_MATCH_LT:
+ printf("%slt ", prefix);
+ break;
+ case XT_RATEEST_MATCH_GT:
+ printf("%sgt ", prefix);
+ break;
+ default:
+ exit(1);
+ }
+}
+
+static void
+rateest_print(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+ struct xt_rateest_match_info *info = (void *)match->data;
+
+ printf("rateest match ");
+
+ printf("%s ", info->name1);
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ printf("delta ");
+
+ if (info->flags & XT_RATEEST_MATCH_BPS) {
+ printf("bps ");
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ rateest_print_rate(info->bps1, numeric);
+ if (info->flags & XT_RATEEST_MATCH_ABS) {
+ rateest_print_mode(info, "");
+ rateest_print_rate(info->bps2, numeric);
+ }
+ }
+ if (info->flags & XT_RATEEST_MATCH_PPS) {
+ printf("pps ");
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ printf("%u ", info->pps1);
+ if (info->flags & XT_RATEEST_MATCH_ABS) {
+ rateest_print_mode(info, "");
+ printf("%u ", info->pps2);
+ }
+ }
+
+ if (info->flags & XT_RATEEST_MATCH_REL) {
+ rateest_print_mode(info, "");
+
+ printf("%s ", info->name2);
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ printf("delta ");
+
+ if (info->flags & XT_RATEEST_MATCH_BPS) {
+ printf("bps ");
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ rateest_print_rate(info->bps2, numeric);
+ }
+ if (info->flags & XT_RATEEST_MATCH_PPS) {
+ printf("pps ");
+ if (info->flags & XT_RATEEST_MATCH_DELTA)
+ printf("%u ", info->pps2);
+ }
+ }
+}
+
+static void
+rateest_save(const void *ip, const struct xt_entry_match *match)
+{
+ struct xt_rateest_match_info *info = (void *)match->data;
+
+ if (info->flags & XT_RATEEST_MATCH_REL) {
+ printf("--rateest1 %s ", info->name1);
+ if (info->flags & XT_RATEEST_MATCH_BPS)
+ printf("--rateest-bps ");
+ if (info->flags & XT_RATEEST_MATCH_PPS)
+ printf("--rateest-pps ");
+ rateest_print_mode(info, "--rateest-");
+ printf("--rateest2 %s ", info->name2);
+ } else {
+ printf("--rateest %s ", info->name1);
+ if (info->flags & XT_RATEEST_MATCH_BPS) {
+ printf("--rateest-bps ");
+ rateest_print_mode(info, "--rateest-");
+ rateest_print_rate(info->bps2, 0);
+ }
+ if (info->flags & XT_RATEEST_MATCH_PPS) {
+ printf("--rateest-pps ");
+ rateest_print_mode(info, "--rateest-");
+ printf("%u ", info->pps2);
+ }
+ }
+}
+
+static struct xtables_match rateest_match4 = {
+ .family = AF_INET,
+ .name = "rateest",
+ .version = IPTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_rateest_match_info)),
+ .userspacesize = XT_ALIGN(offsetof(struct xt_rateest_match_info, est1)),
+ .help = rateest_help,
+ .parse = rateest_parse,
+ .final_check = rateest_final_check,
+ .print = rateest_print,
+ .save = rateest_save,
+ .extra_opts = rateest_opts,
+};
+
+static struct xtables_match rateest_match6 = {
+ .family = AF_INET6,
+ .name = "rateest",
+ .version = IPTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_rateest_match_info)),
+ .userspacesize = XT_ALIGN(offsetof(struct xt_rateest_match_info, est1)),
+ .help = rateest_help,
+ .parse = rateest_parse,
+ .final_check = rateest_final_check,
+ .print = rateest_print,
+ .save = rateest_save,
+ .extra_opts = rateest_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&rateest_match4);
+ xtables_register_match(&rateest_match6);
+}