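/*
 * Build-mode macros for a loadable kernel module.
 *
 * The original guard tested `_KERNEL_` but defined `_KENNEL_`; neither is
 * the `__KERNEL__` macro that kernel headers test, so the guard had no
 * effect on the includes that follow. Both macros stay guarded so a
 * definition supplied on the compiler command line is not redefined.
 */
#ifndef __KERNEL__
#define __KERNEL__
#endif
#ifndef MODULE
#define MODULE
#endif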
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/config.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/netfilter_ipv4.h>
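/*
 * Fixed-size table of 5000 per-address records (timestamp, counter, IPv4
 * address, port). No code visible in this file reads or writes it;
 * presumably it is reserved for the SYN-flood module mentioned in
 * my_firewall -- confirm.
 *
 * The address and port fields use __u32/__u16, the same types my_firewall
 * uses for the values it takes from the packet headers; the original
 * `u_int32`/`u_int16` spellings are not kernel type names.
 *
 * NOTE(review): any future writer must bound its index to the 5000 slots
 * and decide what happens when the table is full, since the number of
 * distinct source addresses is controlled by the remote side.
 */
struct
{
	struct timeval time;	/* timestamp of the record */
	__u8 nNUM;		/* 8-bit counter; meaning not shown here */
	__u32 ipaddr;		/* IPv4 address */
	__u16 port;		/* port number */
} IP_FILTER_TAB[5000];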
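/*
 * Fixed-size table of 100 (timestamp, IPv4 address) records. No code
 * visible in this file uses it; its purpose is not shown here.
 *
 * The address field uses __u32, matching the type my_firewall uses for
 * addresses; the original `u_int32` spelling is not a kernel type name.
 */
struct
{
	struct timeval time;	/* timestamp of the record */
	__u32 ipaddr;		/* IPv4 address */
} IP_OUT_TAB[100];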
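/*
 * Netfilter IPv4 hook: drops TCP SYN segments whose source and destination
 * address and port are identical (the LAND pattern) and accepts everything
 * else.
 *
 * Changes from the original:
 *  - every path now returns a verdict; the original fell off the end of a
 *    non-void function, so the value handed back to netfilter was undefined;
 *  - a matching packet is dropped, not only logged, in line with the
 *    original comment's stated aim of preventing the attack;
 *  - the header lengths are checked before the TCP header is read;
 *  - the log line ends in a real newline ("\n", not "/n") and is rate
 *    limited, because the sender controls how often it is triggered.
 *
 * @hooknum, @in, @out, @okfn: supplied by netfilter, unused here.
 * @skb: pointer to the packet buffer under inspection.
 *
 * Returns NF_DROP for a LAND-pattern SYN, NF_ACCEPT otherwise.
 */
static unsigned int my_firewall(unsigned int hooknum, struct sk_buff **skb,
				const struct net_device *in,
				const struct net_device *out,
				int (*okfn)(struct sk_buff *))
{
	struct iphdr *iph;
	struct tcphdr *tcph;
	unsigned int ip_hdr_len;

	if (skb == NULL || *skb == NULL)
		return NF_ACCEPT;

	/* Fetch the IP header. */
	iph = (*skb)->nh.iph;
	if (iph == NULL)
		return NF_ACCEPT;

	/* Only TCP (IP protocol number 6) is inspected. */
	if (iph->protocol != 6)
		return NF_ACCEPT;

	/*
	 * ihl comes from the packet. Refuse to locate a TCP header from an
	 * impossible IP header length or past the end of the packet; such a
	 * packet is left to the stack's own validation.
	 * NOTE(review): assumes skb->len is counted from the IP header at this
	 * hook and that the headers sit in the linear data area -- confirm.
	 */
	ip_hdr_len = iph->ihl * 4;
	if (iph->ihl < 5 || (*skb)->len < ip_hdr_len + sizeof(struct tcphdr))
		return NF_ACCEPT;

	tcph = (struct tcphdr *)((__u32 *)iph + iph->ihl);

	/*
	 * Guard against the LAND attack. Both sides of each comparison are in
	 * network byte order, so no conversion is needed.
	 */
	if (tcph->syn && tcph->source == tcph->dest &&
	    iph->saddr == iph->daddr) {
		if (net_ratelimit())
			printk(KERN_WARNING "maybe land attack\n");
		return NF_DROP;
	}

	/* SYN-flood defence module: not implemented yet. */
	return NF_ACCEPT;
}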
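/*
 * Hook registration record for my_firewall.
 *
 * The original positional list supplied two hook numbers (NF_IP_LOCAL_IN,
 * then NF_IP_LOCAL_OUT) followed by the priority. struct nf_hook_ops has a
 * single hooknum, so the second hook number was not taken as a hook point
 * and shifted the priority out of its slot. Designated initializers bind
 * each value to the field it is meant for.
 *
 * NOTE(review): this record attaches the filter to NF_IP_LOCAL_IN only.
 * Covering NF_IP_LOCAL_OUT as well needs a second nf_hook_ops that is
 * registered and unregistered alongside this one.
 */
static struct nf_hook_ops iplimitfilter = {
	.list     = { NULL, NULL },
	.hook     = my_firewall,
	.pf       = PF_INET,
	.hooknum  = NF_IP_LOCAL_IN,
	/* One step ahead of the standard filter priority. */
	.priority = NF_IP_PRI_FILTER - 1,
};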
/*
 * Module entry point: registers the iplimitfilter hook with netfilter.
 *
 * Returns whatever nf_register_hook() returns.
 */
int init_module(void)
{
	int status = nf_register_hook(&iplimitfilter);

	return status;
}
/*
 * Module exit point: removes the iplimitfilter hook from netfilter.
 */
void cleanup_module(void)
{
	nf_unregister_hook(&iplimitfilter);
	return;
}
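/*
 * NOTE(review): everything from this line to the end of the file repeats
 * the listing above it; keep only one copy when building, otherwise every
 * definition is duplicated.
 *
 * Build-mode macros for a loadable kernel module. This copy had lost the
 * opening `#ifndef`, which left a dangling `#endif`, and it defined
 * `_KENNEL_`, not the `__KERNEL__` macro that kernel headers test.
 */
#ifndef __KERNEL__
#define __KERNEL__
#endif
#ifndef MODULE
#define MODULE
#endif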
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/config.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/netfilter_ipv4.h>
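/*
 * Fixed-size table of 5000 per-address records (timestamp, counter, IPv4
 * address, port). No code visible in this file reads or writes it;
 * presumably it is reserved for the SYN-flood module mentioned in
 * my_firewall -- confirm.
 *
 * The address and port fields use __u32/__u16, the same types my_firewall
 * uses for the values it takes from the packet headers; the original
 * `u_int32`/`u_int16` spellings are not kernel type names.
 *
 * NOTE(review): any future writer must bound its index to the 5000 slots
 * and decide what happens when the table is full, since the number of
 * distinct source addresses is controlled by the remote side.
 */
struct
{
	struct timeval time;	/* timestamp of the record */
	__u8 nNUM;		/* 8-bit counter; meaning not shown here */
	__u32 ipaddr;		/* IPv4 address */
	__u16 port;		/* port number */
} IP_FILTER_TAB[5000];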
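/*
 * Fixed-size table of 100 (timestamp, IPv4 address) records. No code
 * visible in this file uses it; its purpose is not shown here.
 *
 * The address field uses __u32, matching the type my_firewall uses for
 * addresses; the original `u_int32` spelling is not a kernel type name.
 */
struct
{
	struct timeval time;	/* timestamp of the record */
	__u32 ipaddr;		/* IPv4 address */
} IP_OUT_TAB[100];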
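/*
 * Netfilter IPv4 hook: drops TCP SYN segments whose source and destination
 * address and port are identical (the LAND pattern) and accepts everything
 * else.
 *
 * Changes from the original:
 *  - every path now returns a verdict; the original fell off the end of a
 *    non-void function, so the value handed back to netfilter was undefined;
 *  - a matching packet is dropped, not only logged, in line with the
 *    original comment's stated aim of preventing the attack;
 *  - the header lengths are checked before the TCP header is read;
 *  - the log line ends in a real newline ("\n", not "/n") and is rate
 *    limited, because the sender controls how often it is triggered.
 *
 * @hooknum, @in, @out, @okfn: supplied by netfilter, unused here.
 * @skb: pointer to the packet buffer under inspection.
 *
 * Returns NF_DROP for a LAND-pattern SYN, NF_ACCEPT otherwise.
 */
static unsigned int my_firewall(unsigned int hooknum, struct sk_buff **skb,
				const struct net_device *in,
				const struct net_device *out,
				int (*okfn)(struct sk_buff *))
{
	struct iphdr *iph;
	struct tcphdr *tcph;
	unsigned int ip_hdr_len;

	if (skb == NULL || *skb == NULL)
		return NF_ACCEPT;

	/* Fetch the IP header. */
	iph = (*skb)->nh.iph;
	if (iph == NULL)
		return NF_ACCEPT;

	/* Only TCP (IP protocol number 6) is inspected. */
	if (iph->protocol != 6)
		return NF_ACCEPT;

	/*
	 * ihl comes from the packet. Refuse to locate a TCP header from an
	 * impossible IP header length or past the end of the packet; such a
	 * packet is left to the stack's own validation.
	 * NOTE(review): assumes skb->len is counted from the IP header at this
	 * hook and that the headers sit in the linear data area -- confirm.
	 */
	ip_hdr_len = iph->ihl * 4;
	if (iph->ihl < 5 || (*skb)->len < ip_hdr_len + sizeof(struct tcphdr))
		return NF_ACCEPT;

	tcph = (struct tcphdr *)((__u32 *)iph + iph->ihl);

	/*
	 * Guard against the LAND attack. Both sides of each comparison are in
	 * network byte order, so no conversion is needed.
	 */
	if (tcph->syn && tcph->source == tcph->dest &&
	    iph->saddr == iph->daddr) {
		if (net_ratelimit())
			printk(KERN_WARNING "maybe land attack\n");
		return NF_DROP;
	}

	/* SYN-flood defence module: not implemented yet. */
	return NF_ACCEPT;
}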
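/*
 * Hook registration record for my_firewall.
 *
 * The original positional list supplied two hook numbers (NF_IP_LOCAL_IN,
 * then NF_IP_LOCAL_OUT) followed by the priority. struct nf_hook_ops has a
 * single hooknum, so the second hook number was not taken as a hook point
 * and shifted the priority out of its slot. Designated initializers bind
 * each value to the field it is meant for.
 *
 * NOTE(review): this record attaches the filter to NF_IP_LOCAL_IN only.
 * Covering NF_IP_LOCAL_OUT as well needs a second nf_hook_ops that is
 * registered and unregistered alongside this one.
 */
static struct nf_hook_ops iplimitfilter = {
	.list     = { NULL, NULL },
	.hook     = my_firewall,
	.pf       = PF_INET,
	.hooknum  = NF_IP_LOCAL_IN,
	/* One step ahead of the standard filter priority. */
	.priority = NF_IP_PRI_FILTER - 1,
};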
/*
 * Module entry point: registers the iplimitfilter hook with netfilter.
 *
 * Returns whatever nf_register_hook() returns.
 */
int init_module(void)
{
	int status = nf_register_hook(&iplimitfilter);

	return status;
}
/*
 * Module exit point: removes the iplimitfilter hook from netfilter.
 */
void cleanup_module(void)
{
	nf_unregister_hook(&iplimitfilter);
	return;
}