From 59feee37095dc76a68ccd6aab19586d81067f8ba Mon Sep 17 00:00:00 2001
From: "destan19@126.com"
Date: Fri, 11 Oct 2019 16:02:32 +0800
Subject: [PATCH] =?UTF-8?q?=E6=AF=8F=E6=9D=A1=E6=B5=81=E5=8F=AA=E5=88=86?=
 =?UTF-8?q?=E6=9E=90=E9=83=A8=E5=88=86=E6=95=B0=E6=8D=AE,=E6=8F=90?=
 =?UTF-8?q?=E9=AB=98=E5=90=9E=E5=90=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 oaf/src/app_filter.c | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/oaf/src/app_filter.c b/oaf/src/app_filter.c
index b4587c8..9d7a5e4 100755
--- a/oaf/src/app_filter.c
+++ b/oaf/src/app_filter.c
@@ -11,6 +11,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -36,7 +37,8 @@ DEFINE_RWLOCK(af_feature_lock);
 #define feature_list_read_unlock() read_unlock_bh(&af_feature_lock);
 #define feature_list_write_lock() write_lock_bh(&af_feature_lock);
 #define feature_list_write_unlock() write_unlock_bh(&af_feature_lock);
-
+// 注意有重传报文
+#define MAX_PARSE_PKT_NUM 16
 #define MIN_HTTP_DATA_LEN 16
 #define MAX_APP_NAME_LEN 64
 #define MAX_FEATURE_NUM_PER_APP 16
@@ -771,6 +773,7 @@ int app_filter_match(flow_info_t *flow)
 	return AF_FALSE;
 }
+#define APP_FILTER_DROP_BITS 0xf0000000
 /* 在netfilter框架注册的钩子 */
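Review bot: The comment above `MAX_PARSE_PKT_NUM` (`// 注意有重传报文`, roughly "note that retransmitted packets exist") does not tell a reader what the constant bounds or why 16 was chosen; the hook compares it against the sum of the conntrack packet counters in both directions, so the comment should say so. Suggested replacement: `/* Per-connection inspection budget: packets are counted in both directions, retransmits included; once exceeded the flow is accepted without further DPI. */`. Because this number decides when inspection stops, it is a security parameter rather than a tuning knob, so consider exposing it as a module parameter instead of a bare define.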
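Review bot: `APP_FILTER_DROP_BITS 0xf0000000` reserves the top nibble of ct->mark, a field that is shared with userspace CONNMARK/fwmark rules, and the hook hunk below treats that nibble being set as a standing drop verdict without ever clearing it. Any firewall rule that sets those bits on a connection will therefore make this module drop it, and a rule that rewrites the mark will un-drop a flow the filter already blocked. Document the reservation next to the define, e.g. `/* Top nibble of ct->mark is this module's per-flow drop verdict; CONNMARK/fwmark masks in the firewall config must not overlap it. */`, and ideally make the mask configurable so deployments can move it out of the way.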
@@ -792,18 +795,43 @@ static u_int32_t app_filter_hook(unsigned int hook,
 #else
 	struct nf_conn *ct = (struct nf_conn *)skb->nfct;
 #endif
+	unsigned long long total_packets = 0;
+
 	if (ct == NULL)
 	{
 		//AF_ERROR("ct is null\n");
 		return NF_ACCEPT;
 	}
+
+#if defined(CONFIG_NF_CONNTRACK_MARK)
+	if (ct->mark != 0)
+		if (APP_FILTER_DROP_BITS == (ct->mark & APP_FILTER_DROP_BITS)){
+			return NF_DROP;
+		}
+#endif
+
+	struct nf_conn_counter *acct;
+	acct = nf_conn_acct_find(ct);
+	if (!acct)
+		return NF_ACCEPT;
+
+	total_packets = (unsigned long long)atomic64_read(&acct[IP_CT_DIR_ORIGINAL].packets) +
+			(unsigned long long)atomic64_read(&acct[IP_CT_DIR_REPLY].packets);
+	if (total_packets > MAX_PARSE_PKT_NUM){
+		return NF_ACCEPT;
+	}
 	flow_info_t flow;
 	memset((char *)&flow, 0x0, sizeof(flow_info_t));
 	parse_flow_base(skb, &flow);
 	parse_http_proto(&flow);
 	parse_https_proto(&flow);
 	//dump_flow_info(&flow);
-	if (app_filter_match(&flow))
+	if (app_filter_match(&flow)){
+
+#if defined(CONFIG_NF_CONNTRACK_MARK)
+		ct->mark |= APP_FILTER_DROP_BITS;
+#endif
 		return NF_DROP;
+	}
 	return NF_ACCEPT;
 }
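Review bot: `if (!acct) return NF_ACCEPT;` makes the filter fail open: when no accounting extension is attached to the conntrack entry (nf_conntrack_acct is a runtime sysctl and, as far as I recall, defaults to off on mainline unless the module parameter enables it), every packet is accepted before parse_http_proto/app_filter_match ever run, so the whole module silently becomes a no-op. The budget check should fall through to inspection when the counters are missing, as sketched below. Separately, the MAX_PARSE_PKT_NUM cut-off counts both directions and retransmits, so a client that front-loads sixteen small or empty segments before its TLS ClientHello or HTTP request slides past the filter unchecked; if that is an accepted trade-off it should be stated at the define, otherwise charge the budget only for packets that carry payload. I also believe nf_conn_acct_find() returns a `struct nf_conn_acct *` with a `counter[]` member on newer kernels, so the `struct nf_conn_counter *` indexing may not build on every version the `#else` above already accommodates — worth confirming. app_filter_hook begins before this hunk.
```c
	acct = nf_conn_acct_find(ct);
	/* No accounting extension (nf_conntrack_acct off): keep inspecting rather than fail open. */
	if (acct) {
		total_packets = (unsigned long long)atomic64_read(&acct[IP_CT_DIR_ORIGINAL].packets) +
				(unsigned long long)atomic64_read(&acct[IP_CT_DIR_REPLY].packets);
		if (total_packets > MAX_PARSE_PKT_NUM)
			return NF_ACCEPT;
	}
	/* … unchanged: flow parsing, app_filter_match and the mark/drop verdict … */
```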