the right directory. (If not, you need to install something.)
For RPM building, it should be ``/usr/src/linux-obj/...``
- or whatever location the distro makes use of.
+ or whatever location the distribution makes use of.
``--with-xtlibdir=``
Specifies the path to where the newly built extensions should
Xtables/iptables is required. However, do see the INSTALL file for
the minimum requirements of Xtables-addons.
+See also https://inai.de/projects/xtables-addons/
+
Included in this package
========================
List all (accounting) table names.
.PP
\fB\-c\fP
-Loop every second (abort with CTRL+C).
+Loop every second (abort with Ctrl+C).
.PP
\fB\-f\fP
Flush data after display.
static void show_usage(void)
{
- printf("Unknown command line option. Try: [-u] [-h] [-a] [-f] [-c] [-s] [-l name]\n");
+ printf("Unknown command-line option. Try: [-u] [-h] [-a] [-f] [-c] [-s] [-l name]\n");
printf("[-u] show kernel handle usage\n");
printf("[-h] free all kernel handles (experts only!)\n\n");
printf("[-a] list all table names\n");
printf("[-l name] show data in table <name>\n");
printf("[-f] flush data after showing\n");
- printf("[-c] loop every second (abort with CTRL+C)\n");
+ printf("[-c] loop every second (abort with Ctrl+C)\n");
printf("[-s] CSV output (for spreadsheet import)\n");
printf("\n");
}
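Review bot: The rewritten first printf still sends the "Unknown command-line option" diagnostic to stdout together with the usage text, although that line is an error and the tool has a -s CSV mode meant for piping into other programs; an error on stdout ends up inside captured output. Suggest `fprintf(stderr, "Unknown command-line option. Try: [-u] [-h] [-a] [-f] [-c] [-s] [-l name]\n");` and, if the rest of the usage is also only printed on a bad option, moving those lines to stderr as well. This assumes show_usage is reached only after a bad option, as the message text implies; the hunk shows no caller.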
network. ACCOUNT uses fixed internal data structures
which speeds up the processing of each packet. Furthermore,
accounting data for one complete 192.168.1.X/24 network takes 4 KB of
-memory. Memory for 16 or 24 bit networks is only allocated when
+memory. Memory for 16-bit or 24-bit networks is only allocated when
needed.
.PP
To optimize the kernel<->userspace data transfer a bit more, the
/**
* Internal handle structure
- * @ip: base IP address of the network. Used for caculating the final
+ * @ip: base IP address of the network. Used for calculating the final
* address during get_data().
* @depth: size of the network; see above
* @itemcount: number of addresses in this table
/* Used for every IP entry
Size is 32 bytes so that 256 (class C network) * 16
- fits in a double kernel (zero) page (two consecutive kernel pages)*/
+ fits in a double kernel (zero) page (two consecutive kernel pages) */
struct ipt_acc_ip {
uint64_t src_packets;
uint64_t src_bytes;
/*
* The IP addresses are organized as an array so that direct slot
* calculations are possible.
- * Only 8-bit networks are preallocated, 16/24-bit networks
- * allocate their slots when needed -> very efficent.
+ * Only 8-bit networks are preallocated, 16-bit and 24-bit networks
+ * allocate their slots when needed -> very efficient.
*/
struct ipt_acc_mask_24 {
struct ipt_acc_ip ip[256];
if (!data)
return;
- /* Free for 8 bit network */
+ /* Free for 8-bit network */
if (depth == 0) {
free_pages((unsigned long)data, 2);
return;
}
- /* Free for 16 bit network */
+ /* Free for 16-bit network */
if (depth == 1) {
struct ipt_acc_mask_16 *mask_16 = data;
unsigned int b;
return;
}
- /* Free for 24 bit network */
+ /* Free for 24-bit network */
if (depth == 2) {
unsigned int a, b;
for (a = 0; a <= 255; a++) {
/* Increase size counters */
if (is_src) {
/* Calculate network slot */
- pr_debug("ACCOUNT: Calculated SRC 8 bit network slot: %d\n", src_slot);
+ pr_debug("ACCOUNT: Calculated SRC 8-bit network slot: %d\n", src_slot);
if (!mask_24->ip[src_slot].src_packets
&& !mask_24->ip[src_slot].dst_packets)
is_src_new_ip = true;
mask_24->ip[src_slot].src_bytes += size;
}
if (is_dst) {
- pr_debug("ACCOUNT: Calculated DST 8 bit network slot: %d\n", dst_slot);
+ pr_debug("ACCOUNT: Calculated DST 8-bit network slot: %d\n", dst_slot);
if (!mask_24->ip[dst_slot].src_packets
&& !mask_24->ip[dst_slot].dst_packets)
is_dst_new_ip = true;
/* Do we need to process src IP? */
if ((net_ip & netmask) == (src_ip & netmask)) {
uint8_t slot = (ntohl(src_ip) & 0xFF00) >> 8;
- pr_debug("ACCOUNT: Calculated SRC 16 bit network slot: %d\n", slot);
+ pr_debug("ACCOUNT: Calculated SRC 16-bit network slot: %d\n", slot);
/* Do we need to create a new mask_24 bucket? */
if (!mask_16->mask_24[slot] && (mask_16->mask_24[slot] =
/* Do we need to process dst IP? */
if ((net_ip & netmask) == (dst_ip & netmask)) {
uint8_t slot = (ntohl(dst_ip) & 0xFF00) >> 8;
- pr_debug("ACCOUNT: Calculated DST 16 bit network slot: %d\n", slot);
+ pr_debug("ACCOUNT: Calculated DST 16-bit network slot: %d\n", slot);
/* Do we need to create a new mask_24 bucket? */
if (!mask_16->mask_24[slot] && (mask_16->mask_24[slot]
/* Do we need to process src IP? */
if ((net_ip & netmask) == (src_ip & netmask)) {
uint8_t slot = (ntohl(src_ip) & 0xFF0000) >> 16;
- pr_debug("ACCOUNT: Calculated SRC 24 bit network slot: %d\n", slot);
+ pr_debug("ACCOUNT: Calculated SRC 24-bit network slot: %d\n", slot);
/* Do we need to create a new mask_24 bucket? */
if (!mask_8->mask_16[slot] && (mask_8->mask_16[slot]
/* Do we need to process dst IP? */
if ((net_ip & netmask) == (dst_ip & netmask)) {
uint8_t slot = (ntohl(dst_ip) & 0xFF0000) >> 16;
- pr_debug("ACCOUNT: Calculated DST 24 bit network slot: %d\n", slot);
+ pr_debug("ACCOUNT: Calculated DST 24-bit network slot: %d\n", slot);
/* Do we need to create a new mask_24 bucket? */
if (!mask_8->mask_16[slot] && (mask_8->mask_16[slot]
return XT_CONTINUE;
}
- /* 8 bit network or "any" network */
+ /* 8-bit network or "any" network */
if (ipt_acc_tables[info->table_nr].depth == 0) {
/* Count packet and check if the IP is new */
ipt_acc_depth0_insert(
return XT_CONTINUE;
}
- /* 16 bit network */
+ /* 16-bit network */
if (ipt_acc_tables[info->table_nr].depth == 1) {
ipt_acc_depth1_insert(
ipt_acc_tables[info->table_nr].data,
return XT_CONTINUE;
}
- /* 24 bit network */
+ /* 24-bit network */
if (ipt_acc_tables[info->table_nr].depth == 2) {
ipt_acc_depth2_insert(
ipt_acc_tables[info->table_nr].data,
continue;
if ((network_16->mask_24[b] =
ipt_acc_zalloc_page()) == NULL) {
- printk("ACCOUNT: out of memory during copy of 16 bit "
+ printk("ACCOUNT: out of memory during copy of 16-bit "
"network in ipt_acc_handle_prepare_read()\n");
ipt_acc_data_free(dest->data, depth);
return -1;
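Review bot: The reworded out-of-memory message is still emitted with a bare printk and no log level, so it is logged at the default level rather than as an error, while the debug output elsewhere in these hunks already uses the pr_* helpers (pr_debug). The same applies to the two sibling hunks ending at L167 and L175. Suggest `pr_err("ACCOUNT: out of memory during copy of 16-bit "` on the first line of each call with the continuation lines unchanged, assuming the three hunks belong to the same source file as the pr_debug calls.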
continue;
if ((network_8->mask_16[a] =
ipt_acc_zalloc_page()) == NULL) {
- printk("ACCOUNT: out of memory during copy of 24 bit network"
+ printk("ACCOUNT: out of memory during copy of 24-bit network"
" in ipt_acc_handle_prepare_read()\n");
ipt_acc_data_free(dest->data, depth);
return -1;
continue;
if ((network_16->mask_24[b] =
ipt_acc_zalloc_page()) == NULL) {
- printk("ACCOUNT: out of memory during copy of 16 bit"
+ printk("ACCOUNT: out of memory during copy of 16-bit"
" network in ipt_acc_handle_prepare_read()\n");
ipt_acc_data_free(dest->data, depth);
return -1;
return 0;
}
-/* Copy 8 bit network data into a prepared buffer.
+/* Copy 8-bit network data into a prepared buffer.
We only copy entries != 0 to increase performance.
*/
static int ipt_acc_handle_copy_data(struct ipt_acc_net *ian,
net_ip = ntohl(ian->ipt_acc_handles[handle].ip);
depth = ian->ipt_acc_handles[handle].depth;
- /* 8 bit network */
+ /* 8-bit network */
if (depth == 0) {
struct ipt_acc_mask_24 *network =
ian->ipt_acc_handles[handle].data;
return 0;
}
- /* 16 bit network */
+ /* 16-bit network */
if (depth == 1) {
struct ipt_acc_mask_16 *network_16 =
ian->ipt_acc_handles[handle].data;
return 0;
}
- /* 24 bit network */
+ /* 24-bit network */
if (depth == 2) {
struct ipt_acc_mask_8 *network_8 =
ian->ipt_acc_handles[handle].data;
.PP
\fB* Logging\fR
.PP
-The module logs binding add/timeout events to klog. This behaviour can be
+The module logs binding add/timeout events to klog. This behavior can be
disabled using the \fBdisable_log\fR module parameter.
.PP
\fB* Examples\fR
authentication extension header will be seen as a non-extension header.
.PP
For IPv4 packets, the \fBProtocol\fP field is modified and the checksum is
-re-calculated.
+recalculated.
.PP
For IPv6 packets, the scenario can be more complex due to the introduction of
the extension headers mechanism. By default, the PROTO target will scan the IPv6
.PP
The SYSRQ target allows one to remotely trigger sysrq on the local machine over
the network. This can be useful when vital parts of the machine hang, for
-example an oops in a filesystem causing locks to be not released and processes
+example an oops in a file system causing locks to be not released and processes
to get stuck as a result \(em if still possible, use /proc/sysrq-trigger. Even
when processes are stuck, interrupts are likely to be still processed, and as
such, sysrq can be triggered through incoming network packets.
.fi
.PP
See the Linux docs for possible sysrq keys. Important ones are: re(b)oot,
-power(o)ff, (s)ync filesystems, (u)mount and remount readonly. More than one
+power(o)ff, (s)ync file systems, (u)mount and remount readonly. More than one
sysrq key can be used at once, but bear in mind that, for example, a sync may
not complete before a subsequent reboot or poweroff.
.PP
"[!] --dst-asn, --destination-number number[,number...]\n"
" Match packet going to (one of) the specified ASN(s)\n"
"\n"
- "NOTE: The number is inputed by its ISO3166 code.\n"
+ "NOTE: The number is inputed by its ISO 3166 code.\n"
"\n"
);
}
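Review bot: The rewritten NOTE line in the asn help text refers to an "ISO 3166 code", but ISO 3166 is the country-code standard and the option this hunk documents (`--dst-asn, --destination-number number[,number...]`) takes plain autonomous-system numbers; the sentence looks copied from the geoip help and does not apply here. Suggest `"NOTE: The number is the AS number (ASN) of the autonomous system.\n"`. Independently, "inputed" survives in this hunk and in the geoip hunks ending at L256 and L277; "entered" would read naturally in all three, e.g. `"NOTE: The country is entered as its ISO 3166 code.\n"`.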
.TP
.PP
The extra files you will need are the binary database files. They are generated
-from a ASN-subnet database with the asn_build_db.pl tool that is shipped
+from an ASN-subnet database with the asn_build_db.pl tool that is shipped
with the source package, and which should be available in compiled packages in
/usr/lib(exec)/xtables-addons/. The first command retrieves CSV files from
MaxMind, while the other two build packed bisectable range files:
"[!] --dst-cc, --destination-country country[,country...]\n"
" Match packet going to (one of) the specified country(ies)\n"
"\n"
- "NOTE: The country is inputed by its ISO3166 code.\n"
+ "NOTE: The country is inputed by its ISO 3166 code.\n"
"\n"
);
}
u_int16_t cc_int16;
if (strlen(cc) != 2) /* Country must be 2 chars long according
- to the ISO3166 standard */
+ to the ISO 3166 standard */
xtables_error(PARAMETER_PROBLEM,
"geoip: invalid country code '%s'", cc);
xtables_error(PARAMETER_PROBLEM,
"geoip: invalid country code '%s'", cc);
- /* Convert chars into a single 16 bit integer.
+ /* Convert chars into a single 16-bit integer.
* FIXME: This assumes that a country code is
* exactly 2 chars long. If this is
* going to change someday, this whole
Match packet going to (one of) the specified country(ies)
.TP
NOTE:
-The country is inputed by its ISO-3166 code.
+The country is inputed by its ISO 3166 code.
.PP
The extra files you will need is the binary database files. They are generated
from a country-subnet database with the geoip_build_db.pl tool that is shipped
The rule will allow tcp port 22 for the attempting IP address after the successful reception of TCP SYN packets
to ports 4002, 4001 and 4004, in this order (a.k.a. port-knocking).
Port numbers in the connect sequence must follow the exact specification, no
-other ports may be "knocked" inbetween. The rule is named '\fBSSH\fP' \(em a file of
+other ports may be "knocked" in between. The rule is named '\fBSSH\fP' \(em a file of
the same name for tracking port knocking states will be created in
\fB/proc/net/xt_pknock\fP .
Successive port knocks must occur with delay of at most 10 seconds. Port 22 (from the example) will
* @len: length
* @initval
* @max
- * @return: a 32 bits index
+ * @return: a 32-bit index
*/
static inline uint32_t
pknock_hash(const void *key, uint32_t len, uint32_t initval, uint32_t max)
}
/**
- * Garbage collector. It removes the old entries after tis timers have expired.
+ * Garbage collector. It removes the old entries after its timers have expired.
*
* @r: rule
*/
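Review bot: The corrected comment now says "its timers" for the plural "old entries", so the pronoun still does not agree with its noun. Suggest ` * Garbage collector. It removes the old entries after their timers have expired.`.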
amount = info->present_time - info->previous_time;
} else {
/*
- * There was a transition: I choose to re-sample
+ * There was a transition: I choose to resample
* and keep the old acceptance rate...
*/
amount = 0;
* denominator proportional to (howhigh+howlow) but, in this
* particular case, that expression is constant.
*
- * An imediate consequence is that it is not necessary to call
+ * An immediate consequence is that it is not necessary to call
* both mf_high and mf_low - but to keep things understandable,
* I did so.
*/
}
}
- /* Overwrite the now-useless pointer info->mem[i] with
+ /* Overwrite the, now useless, pointer info->mem[i] with
* a pointer to the node's kernelspace structure.
* This avoids searching for a node in the match() and
* destroy() functions.
switch (t[0]) {
case 0xe3:
- /* edonkey */
+ /* eDonkey */
switch (t[1]) {
/* client -> server status request */
case 0x96:
/* packetlen must be bigger than 32 */
/* first 4 bytes are zero */
if (packet_len > 32 && get_u32(haystack, 0) == 0x00000000) {
- /* first rule: 00 00 00 00 01 00 00 xx xx xx xx 00 00 00 00*/
+ /* first rule: 00 00 00 00 01 00 00 xx xx xx xx 00 00 00 00 */
if (get_u32(haystack, 4) == 0x00000000 &&
get_u32(haystack, 8) == 0x00010000 &&
get_u32(haystack, 16) == 0x00000000)
return IPP2P_BIT * 100 + 71;
- /* 00 01 00 00 0d 00 00 xx xx xx xx 00 00 00 00*/
+ /* 00 01 00 00 0d 00 00 xx xx xx xx 00 00 00 00 */
if (get_u32(haystack, 4) == 0x00000001 &&
get_u32(haystack, 8) == 0x000d0000 &&
get_u32(haystack, 16) == 0x00000000)
return IPP2P_ARES * 100 + 1;
if (plen == 60)
- /* possible download command*/
+ /* possible download command */
if (payload[59] == 0x0a && payload[58] == 0x0a)
if (memcmp(t, "PUSH SHA1:", 10) == 0)
/* found download command */
}
/* match 14 00 00 00 01 yy 00 00 00 STRING(YY) 01 00 00 00 00 46|50 00 00 00 00 */
- /* without size at the beginning !!! */
+ /* without size at the beginning! */
if (get_u32(payload, 0) == 0x14 && get_u8(payload, 4) == 0x01) {
uint32_t y = get_u32(payload, 5);
return 0;
}
-/* check for gnutella get command */
+/* check for Gnutella get command */
static unsigned int
search_gnu(const unsigned char *payload, const unsigned int plen)
{
return 0;
}
-/* check for gnutella get commands and other typical data */
+/* check for Gnutella get commands and other typical data */
static unsigned int
search_all_gnu(const unsigned char *payload, const unsigned int plen)
{
return 0;
}
-/* fast check for edonkey file segment transfer command */
+/* fast check for eDonkey file segment transfer command */
static unsigned int
search_edk(const unsigned char *payload, const unsigned int plen)
{
}
}
-/* intensive but slower search for some edonkey packets including size-check */
+/* intensive but slower search for some eDonkey packets including size check */
static unsigned int
search_all_edk(const unsigned char *payload, const unsigned int plen)
{
const uint16_t end = plen - 13;
/*
- * is seems to be a irc private massage, chedck for
+ * is seems to be an IRC private massage, check for
* xdcc command
*/
while (x < end) {
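Review bot: The rewritten comment fixes "a"/"chedck" but leaves two other errors on the same line: "is seems" should be "it seems" and "massage" should be "message". Suggest ` * it seems to be an IRC private message, check for` with the following ` * xdcc command` line unchanged.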
struct host *h, *last = NULL;
/*
- * We are going to re-use the oldest list entry, so remove it from the
+ * We are going to reuse the oldest list entry, so remove it from the
* hash table first, if it is really already in use.
*/
h = *head;
/* We know this address, but the entry is outdated. Mark it unused, and
* remove from the hash table. We'll allocate a new entry instead since
- * this one might get re-used too soon. */
+ * this one might get reused too soon. */
curr4 = host_to_host4(curr);
curr4->saddr = 0;
ht_unlink(head, last);
Specifies IPv6 data only.
.TP
\fIcc\fP [ \fIcc\fP ... ]
-The ISO-3166 country code names of the desired countries' databases.
+The ISO 3166 country code names of the desired countries' databases.
.SH Application
.PP
Shell command to dump the list of Swiss IPv6 address ranges:
__be16 port;
} sctp;
struct {
- __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
+ __be16 key; /* GRE key is 32-bit, PPtP only uses 16-bit */
} gre;
};