1 // SPDX-License-Identifier: GPL-2.0-only
3 * xt_hashlimit - Netfilter module to limit the number of packets per time
4 * separately for each hashbucket (sourceip/sourceport/dstip/dstport)
6 * (C) 2003-2004 by Harald Welte <laforge@netfilter.org>
7 * (C) 2006-2012 Patrick McHardy <kaber@trash.net>
8 * Copyright © CC Computer Consultants GmbH, 2007 - 2008
10 * Development of this code was funded by Astaro AG, http://www.astaro.com/
12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13 #include <linux/module.h>
14 #include <linux/spinlock.h>
15 #include <linux/random.h>
16 #include <linux/jhash.h>
17 #include <linux/slab.h>
18 #include <linux/vmalloc.h>
19 #include <linux/proc_fs.h>
20 #include <linux/seq_file.h>
21 #include <linux/list.h>
22 #include <linux/skbuff.h>
26 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
27 #include <linux/ipv6.h>
31 #include <net/net_namespace.h>
32 #include <net/netns/generic.h>
34 #include <linux/netfilter/x_tables.h>
35 #include <linux/netfilter_ipv4/ip_tables.h>
36 #include <linux/netfilter_ipv6/ip6_tables.h>
37 #include <linux/mutex.h>
38 #include <linux/kernel.h>
39 #include <uapi/linux/netfilter/xt_hashlimit.h>
41 #define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \
42 XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \
43 XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES |\
44 XT_HASHLIMIT_RATE_MATCH)
46 MODULE_LICENSE("GPL");
47 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
48 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
49 MODULE_DESCRIPTION("Xtables: per hash-bucket rate-limit match");
50 MODULE_ALIAS("ipt_hashlimit");
51 MODULE_ALIAS("ip6t_hashlimit");
53 struct hashlimit_net {
54 struct hlist_head htables;
55 struct proc_dir_entry *ipt_hashlimit;
56 struct proc_dir_entry *ip6t_hashlimit;
59 static unsigned int hashlimit_net_id;
60 static inline struct hashlimit_net *hashlimit_pernet(struct net *net)
62 return net_generic(net, hashlimit_net_id);
65 /* need to declare this at the top */
66 static const struct seq_operations dl_seq_ops_v2;
67 static const struct seq_operations dl_seq_ops_v1;
68 static const struct seq_operations dl_seq_ops;
77 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
89 /* static / read-only parts in the beginning */
90 struct hlist_node node;
91 struct dsthash_dst dst;
93 /* modified structure members in the end */
95 unsigned long expires; /* precalculated expiry time */
97 unsigned long prev; /* last modification */
101 u_int64_t credit_cap;
105 u_int32_t interval, prev_window;
106 u_int64_t current_rate;
115 struct xt_hashlimit_htable {
116 struct hlist_node node; /* global list of all htables */
119 bool rnd_initialized;
121 struct hashlimit_cfg3 cfg; /* config */
123 /* used internally */
124 spinlock_t lock; /* lock for list_head */
125 u_int32_t rnd; /* random seed for hash */
126 unsigned int count; /* number entries in table */
127 struct delayed_work gc_work;
130 struct proc_dir_entry *pde;
134 struct hlist_head hash[0]; /* hashtable itself */
138 cfg_copy(struct hashlimit_cfg3 *to, const void *from, int revision)
141 struct hashlimit_cfg1 *cfg = (struct hashlimit_cfg1 *)from;
143 to->mode = cfg->mode;
145 to->burst = cfg->burst;
146 to->size = cfg->size;
148 to->gc_interval = cfg->gc_interval;
149 to->expire = cfg->expire;
150 to->srcmask = cfg->srcmask;
151 to->dstmask = cfg->dstmask;
152 } else if (revision == 2) {
153 struct hashlimit_cfg2 *cfg = (struct hashlimit_cfg2 *)from;
155 to->mode = cfg->mode;
157 to->burst = cfg->burst;
158 to->size = cfg->size;
160 to->gc_interval = cfg->gc_interval;
161 to->expire = cfg->expire;
162 to->srcmask = cfg->srcmask;
163 to->dstmask = cfg->dstmask;
164 } else if (revision == 3) {
165 memcpy(to, from, sizeof(struct hashlimit_cfg3));
173 static DEFINE_MUTEX(hashlimit_mutex); /* protects htables list */
174 static struct kmem_cache *hashlimit_cachep __read_mostly;
176 static inline bool dst_cmp(const struct dsthash_ent *ent,
177 const struct dsthash_dst *b)
179 return !memcmp(&ent->dst, b, sizeof(ent->dst));
183 hash_dst(const struct xt_hashlimit_htable *ht, const struct dsthash_dst *dst)
185 u_int32_t hash = jhash2((const u32 *)dst,
186 sizeof(*dst)/sizeof(u32),
189 * Instead of returning hash % ht->cfg.size (implying a divide)
190 * we return the high 32 bits of the (hash * ht->cfg.size) that will
191 * give results between [0 and cfg.size-1] and same hash distribution,
192 * but using a multiply, less expensive than a divide
194 return reciprocal_scale(hash, ht->cfg.size);
197 static struct dsthash_ent *
198 dsthash_find(const struct xt_hashlimit_htable *ht,
199 const struct dsthash_dst *dst)
201 struct dsthash_ent *ent;
202 u_int32_t hash = hash_dst(ht, dst);
204 if (!hlist_empty(&ht->hash[hash])) {
205 hlist_for_each_entry_rcu(ent, &ht->hash[hash], node)
206 if (dst_cmp(ent, dst)) {
207 spin_lock(&ent->lock);
214 /* allocate dsthash_ent, initialize dst, put in htable and lock it */
215 static struct dsthash_ent *
216 dsthash_alloc_init(struct xt_hashlimit_htable *ht,
217 const struct dsthash_dst *dst, bool *race)
219 struct dsthash_ent *ent;
221 spin_lock(&ht->lock);
223 /* Two or more packets may race to create the same entry in the
224 * hashtable, double check if this packet lost race.
226 ent = dsthash_find(ht, dst);
228 spin_unlock(&ht->lock);
233 /* initialize hash with random val at the time we allocate
234 * the first hashtable entry */
235 if (unlikely(!ht->rnd_initialized)) {
236 get_random_bytes(&ht->rnd, sizeof(ht->rnd));
237 ht->rnd_initialized = true;
240 if (ht->cfg.max && ht->count >= ht->cfg.max) {
241 /* FIXME: do something. question is what.. */
242 net_err_ratelimited("max count of %u reached\n", ht->cfg.max);
245 ent = kmem_cache_alloc(hashlimit_cachep, GFP_ATOMIC);
247 memcpy(&ent->dst, dst, sizeof(ent->dst));
248 spin_lock_init(&ent->lock);
250 spin_lock(&ent->lock);
251 hlist_add_head_rcu(&ent->node, &ht->hash[hash_dst(ht, dst)]);
254 spin_unlock(&ht->lock);
258 static void dsthash_free_rcu(struct rcu_head *head)
260 struct dsthash_ent *ent = container_of(head, struct dsthash_ent, rcu);
262 kmem_cache_free(hashlimit_cachep, ent);
266 dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent)
268 hlist_del_rcu(&ent->node);
269 call_rcu(&ent->rcu, dsthash_free_rcu);
272 static void htable_gc(struct work_struct *work);
274 static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg,
275 const char *name, u_int8_t family,
276 struct xt_hashlimit_htable **out_hinfo,
279 struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
280 struct xt_hashlimit_htable *hinfo;
281 const struct seq_operations *ops;
282 unsigned int size, i;
283 unsigned long nr_pages = totalram_pages();
289 size = (nr_pages << PAGE_SHIFT) / 16384 /
290 sizeof(struct hlist_head);
291 if (nr_pages > 1024 * 1024 * 1024 / PAGE_SIZE)
296 /* FIXME: don't use vmalloc() here or anywhere else -HW */
297 hinfo = vmalloc(struct_size(hinfo, hash, size));
302 /* copy match config into hashtable config */
303 ret = cfg_copy(&hinfo->cfg, (void *)cfg, 3);
309 hinfo->cfg.size = size;
310 if (hinfo->cfg.max == 0)
311 hinfo->cfg.max = 8 * hinfo->cfg.size;
312 else if (hinfo->cfg.max < hinfo->cfg.size)
313 hinfo->cfg.max = hinfo->cfg.size;
315 for (i = 0; i < hinfo->cfg.size; i++)
316 INIT_HLIST_HEAD(&hinfo->hash[i]);
320 hinfo->family = family;
321 hinfo->rnd_initialized = false;
322 hinfo->name = kstrdup(name, GFP_KERNEL);
327 spin_lock_init(&hinfo->lock);
331 ops = &dl_seq_ops_v1;
334 ops = &dl_seq_ops_v2;
340 hinfo->pde = proc_create_seq_data(name, 0,
341 (family == NFPROTO_IPV4) ?
342 hashlimit_net->ipt_hashlimit : hashlimit_net->ip6t_hashlimit,
344 if (hinfo->pde == NULL) {
351 INIT_DEFERRABLE_WORK(&hinfo->gc_work, htable_gc);
352 queue_delayed_work(system_power_efficient_wq, &hinfo->gc_work,
353 msecs_to_jiffies(hinfo->cfg.gc_interval));
355 hlist_add_head(&hinfo->node, &hashlimit_net->htables);
360 static bool select_all(const struct xt_hashlimit_htable *ht,
361 const struct dsthash_ent *he)
366 static bool select_gc(const struct xt_hashlimit_htable *ht,
367 const struct dsthash_ent *he)
369 return time_after_eq(jiffies, he->expires);
372 static void htable_selective_cleanup(struct xt_hashlimit_htable *ht,
373 bool (*select)(const struct xt_hashlimit_htable *ht,
374 const struct dsthash_ent *he))
378 for (i = 0; i < ht->cfg.size; i++) {
379 struct dsthash_ent *dh;
380 struct hlist_node *n;
382 spin_lock_bh(&ht->lock);
383 hlist_for_each_entry_safe(dh, n, &ht->hash[i], node) {
384 if ((*select)(ht, dh))
385 dsthash_free(ht, dh);
387 spin_unlock_bh(&ht->lock);
392 static void htable_gc(struct work_struct *work)
394 struct xt_hashlimit_htable *ht;
396 ht = container_of(work, struct xt_hashlimit_htable, gc_work.work);
398 htable_selective_cleanup(ht, select_gc);
400 queue_delayed_work(system_power_efficient_wq,
401 &ht->gc_work, msecs_to_jiffies(ht->cfg.gc_interval));
404 static void htable_remove_proc_entry(struct xt_hashlimit_htable *hinfo)
406 struct hashlimit_net *hashlimit_net = hashlimit_pernet(hinfo->net);
407 struct proc_dir_entry *parent;
409 if (hinfo->family == NFPROTO_IPV4)
410 parent = hashlimit_net->ipt_hashlimit;
412 parent = hashlimit_net->ip6t_hashlimit;
415 remove_proc_entry(hinfo->name, parent);
418 static void htable_destroy(struct xt_hashlimit_htable *hinfo)
420 cancel_delayed_work_sync(&hinfo->gc_work);
421 htable_remove_proc_entry(hinfo);
422 htable_selective_cleanup(hinfo, select_all);
427 static struct xt_hashlimit_htable *htable_find_get(struct net *net,
431 struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
432 struct xt_hashlimit_htable *hinfo;
434 hlist_for_each_entry(hinfo, &hashlimit_net->htables, node) {
435 if (!strcmp(name, hinfo->name) &&
436 hinfo->family == family) {
444 static void htable_put(struct xt_hashlimit_htable *hinfo)
446 mutex_lock(&hashlimit_mutex);
447 if (--hinfo->use == 0) {
448 hlist_del(&hinfo->node);
449 htable_destroy(hinfo);
451 mutex_unlock(&hashlimit_mutex);
454 /* The algorithm used is the Simple Token Bucket Filter (TBF)
455 * see net/sched/sch_tbf.c in the linux source tree
458 /* Rusty: This is my (non-mathematically-inclined) understanding of
459 this algorithm. The `average rate' in jiffies becomes your initial
460 amount of credit `credit' and the most credit you can ever have
461 `credit_cap'. The `peak rate' becomes the cost of passing the
464 `prev' tracks the last packet hit: you gain one credit per jiffy.
465 If you get credit balance more than this, the extra credit is
466 discarded. Every time the match passes, you lose `cost' credits;
467 if you don't have that many, the test fails.
469 See Alexey's formal explanation in net/sched/sch_tbf.c.
471 To get the maximum range, we multiply by this factor (ie. you get N
472 credits per jiffy). We want to allow a rate as low as 1 per day
473 (slowest userspace tool allows), which means
474 CREDITS_PER_JIFFY*HZ*60*60*24 < 2^32 ie.
476 #define MAX_CPJ_v1 (0xFFFFFFFF / (HZ*60*60*24))
477 #define MAX_CPJ (0xFFFFFFFFFFFFFFFFULL / (HZ*60*60*24))
479 /* Repeated shift and or gives us all 1s, final shift and add 1 gives
480 * us the power of 2 below the theoretical max, so GCC simply does a
482 #define _POW2_BELOW2(x) ((x)|((x)>>1))
483 #define _POW2_BELOW4(x) (_POW2_BELOW2(x)|_POW2_BELOW2((x)>>2))
484 #define _POW2_BELOW8(x) (_POW2_BELOW4(x)|_POW2_BELOW4((x)>>4))
485 #define _POW2_BELOW16(x) (_POW2_BELOW8(x)|_POW2_BELOW8((x)>>8))
486 #define _POW2_BELOW32(x) (_POW2_BELOW16(x)|_POW2_BELOW16((x)>>16))
487 #define _POW2_BELOW64(x) (_POW2_BELOW32(x)|_POW2_BELOW32((x)>>32))
488 #define POW2_BELOW32(x) ((_POW2_BELOW32(x)>>1) + 1)
489 #define POW2_BELOW64(x) ((_POW2_BELOW64(x)>>1) + 1)
491 #define CREDITS_PER_JIFFY POW2_BELOW64(MAX_CPJ)
492 #define CREDITS_PER_JIFFY_v1 POW2_BELOW32(MAX_CPJ_v1)
494 /* in byte mode, the lowest possible rate is one packet/second.
495 * credit_cap is used as a counter that tells us how many times we can
496 * refill the "credits available" counter when it becomes empty.
498 #define MAX_CPJ_BYTES (0xFFFFFFFF / HZ)
499 #define CREDITS_PER_JIFFY_BYTES POW2_BELOW32(MAX_CPJ_BYTES)
501 static u32 xt_hashlimit_len_to_chunks(u32 len)
503 return (len >> XT_HASHLIMIT_BYTE_SHIFT) + 1;
506 /* Precision saver. */
507 static u64 user2credits(u64 user, int revision)
509 u64 scale = (revision == 1) ?
510 XT_HASHLIMIT_SCALE : XT_HASHLIMIT_SCALE_v2;
511 u64 cpj = (revision == 1) ?
512 CREDITS_PER_JIFFY_v1 : CREDITS_PER_JIFFY;
514 /* Avoid overflow: divide the constant operands first */
515 if (scale >= HZ * cpj)
516 return div64_u64(user, div64_u64(scale, HZ * cpj));
518 return user * div64_u64(HZ * cpj, scale);
521 static u32 user2credits_byte(u32 user)
524 us *= HZ * CREDITS_PER_JIFFY_BYTES;
525 return (u32) (us >> 32);
528 static u64 user2rate(u64 user)
531 return div64_u64(XT_HASHLIMIT_SCALE_v2, user);
533 pr_info_ratelimited("invalid rate from userspace: %llu\n",
539 static u64 user2rate_bytes(u32 user)
543 r = user ? U32_MAX / user : U32_MAX;
544 return (r - 1) << XT_HASHLIMIT_BYTE_SHIFT;
547 static void rateinfo_recalc(struct dsthash_ent *dh, unsigned long now,
548 u32 mode, int revision)
550 unsigned long delta = now - dh->rateinfo.prev;
556 if (revision >= 3 && mode & XT_HASHLIMIT_RATE_MATCH) {
557 u64 interval = dh->rateinfo.interval * HZ;
559 if (delta < interval)
562 dh->rateinfo.prev = now;
563 dh->rateinfo.prev_window =
564 ((dh->rateinfo.current_rate * interval) >
565 (delta * dh->rateinfo.rate));
566 dh->rateinfo.current_rate = 0;
571 dh->rateinfo.prev = now;
573 if (mode & XT_HASHLIMIT_BYTES) {
574 u64 tmp = dh->rateinfo.credit;
575 dh->rateinfo.credit += CREDITS_PER_JIFFY_BYTES * delta;
576 cap = CREDITS_PER_JIFFY_BYTES * HZ;
577 if (tmp >= dh->rateinfo.credit) {/* overflow */
578 dh->rateinfo.credit = cap;
582 cpj = (revision == 1) ?
583 CREDITS_PER_JIFFY_v1 : CREDITS_PER_JIFFY;
584 dh->rateinfo.credit += delta * cpj;
585 cap = dh->rateinfo.credit_cap;
587 if (dh->rateinfo.credit > cap)
588 dh->rateinfo.credit = cap;
591 static void rateinfo_init(struct dsthash_ent *dh,
592 struct xt_hashlimit_htable *hinfo, int revision)
594 dh->rateinfo.prev = jiffies;
595 if (revision >= 3 && hinfo->cfg.mode & XT_HASHLIMIT_RATE_MATCH) {
596 dh->rateinfo.prev_window = 0;
597 dh->rateinfo.current_rate = 0;
598 if (hinfo->cfg.mode & XT_HASHLIMIT_BYTES) {
600 user2rate_bytes((u32)hinfo->cfg.avg);
601 if (hinfo->cfg.burst)
603 hinfo->cfg.burst * dh->rateinfo.rate;
605 dh->rateinfo.burst = dh->rateinfo.rate;
607 dh->rateinfo.rate = user2rate(hinfo->cfg.avg);
609 hinfo->cfg.burst + dh->rateinfo.rate;
611 dh->rateinfo.interval = hinfo->cfg.interval;
612 } else if (hinfo->cfg.mode & XT_HASHLIMIT_BYTES) {
613 dh->rateinfo.credit = CREDITS_PER_JIFFY_BYTES * HZ;
614 dh->rateinfo.cost = user2credits_byte(hinfo->cfg.avg);
615 dh->rateinfo.credit_cap = hinfo->cfg.burst;
617 dh->rateinfo.credit = user2credits(hinfo->cfg.avg *
618 hinfo->cfg.burst, revision);
619 dh->rateinfo.cost = user2credits(hinfo->cfg.avg, revision);
620 dh->rateinfo.credit_cap = dh->rateinfo.credit;
624 static inline __be32 maskl(__be32 a, unsigned int l)
626 return l ? htonl(ntohl(a) & ~0 << (32 - l)) : 0;
629 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
630 static void hashlimit_ipv6_mask(__be32 *i, unsigned int p)
634 i[0] = maskl(i[0], p);
635 i[1] = i[2] = i[3] = 0;
638 i[1] = maskl(i[1], p - 32);
642 i[2] = maskl(i[2], p - 64);
646 i[3] = maskl(i[3], p - 96);
655 hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
656 struct dsthash_dst *dst,
657 const struct sk_buff *skb, unsigned int protoff)
659 __be16 _ports[2], *ports;
663 memset(dst, 0, sizeof(*dst));
665 switch (hinfo->family) {
667 if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP)
668 dst->ip.dst = maskl(ip_hdr(skb)->daddr,
670 if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SIP)
671 dst->ip.src = maskl(ip_hdr(skb)->saddr,
674 if (!(hinfo->cfg.mode &
675 (XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_SPT)))
677 nexthdr = ip_hdr(skb)->protocol;
679 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
684 if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP) {
685 memcpy(&dst->ip6.dst, &ipv6_hdr(skb)->daddr,
686 sizeof(dst->ip6.dst));
687 hashlimit_ipv6_mask(dst->ip6.dst, hinfo->cfg.dstmask);
689 if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SIP) {
690 memcpy(&dst->ip6.src, &ipv6_hdr(skb)->saddr,
691 sizeof(dst->ip6.src));
692 hashlimit_ipv6_mask(dst->ip6.src, hinfo->cfg.srcmask);
695 if (!(hinfo->cfg.mode &
696 (XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_SPT)))
698 nexthdr = ipv6_hdr(skb)->nexthdr;
699 protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, &frag_off);
700 if ((int)protoff < 0)
710 poff = proto_ports_offset(nexthdr);
712 ports = skb_header_pointer(skb, protoff + poff, sizeof(_ports),
715 _ports[0] = _ports[1] = 0;
720 if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SPT)
721 dst->src_port = ports[0];
722 if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DPT)
723 dst->dst_port = ports[1];
727 static u32 hashlimit_byte_cost(unsigned int len, struct dsthash_ent *dh)
729 u64 tmp = xt_hashlimit_len_to_chunks(len);
730 tmp = tmp * dh->rateinfo.cost;
732 if (unlikely(tmp > CREDITS_PER_JIFFY_BYTES * HZ))
733 tmp = CREDITS_PER_JIFFY_BYTES * HZ;
735 if (dh->rateinfo.credit < tmp && dh->rateinfo.credit_cap) {
736 dh->rateinfo.credit_cap--;
737 dh->rateinfo.credit = CREDITS_PER_JIFFY_BYTES * HZ;
743 hashlimit_mt_common(const struct sk_buff *skb, struct xt_action_param *par,
744 struct xt_hashlimit_htable *hinfo,
745 const struct hashlimit_cfg3 *cfg, int revision)
747 unsigned long now = jiffies;
748 struct dsthash_ent *dh;
749 struct dsthash_dst dst;
753 if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
757 dh = dsthash_find(hinfo, &dst);
759 dh = dsthash_alloc_init(hinfo, &dst, &race);
764 /* Already got an entry, update expiration timeout */
765 dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
766 rateinfo_recalc(dh, now, hinfo->cfg.mode, revision);
768 dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
769 rateinfo_init(dh, hinfo, revision);
772 /* update expiration timeout */
773 dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
774 rateinfo_recalc(dh, now, hinfo->cfg.mode, revision);
777 if (cfg->mode & XT_HASHLIMIT_RATE_MATCH) {
778 cost = (cfg->mode & XT_HASHLIMIT_BYTES) ? skb->len : 1;
779 dh->rateinfo.current_rate += cost;
781 if (!dh->rateinfo.prev_window &&
782 (dh->rateinfo.current_rate <= dh->rateinfo.burst)) {
783 spin_unlock(&dh->lock);
785 return !(cfg->mode & XT_HASHLIMIT_INVERT);
791 if (cfg->mode & XT_HASHLIMIT_BYTES)
792 cost = hashlimit_byte_cost(skb->len, dh);
794 cost = dh->rateinfo.cost;
796 if (dh->rateinfo.credit >= cost) {
797 /* below the limit */
798 dh->rateinfo.credit -= cost;
799 spin_unlock(&dh->lock);
801 return !(cfg->mode & XT_HASHLIMIT_INVERT);
805 spin_unlock(&dh->lock);
807 /* default match is underlimit - so over the limit, we need to invert */
808 return cfg->mode & XT_HASHLIMIT_INVERT;
816 hashlimit_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
818 const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
819 struct xt_hashlimit_htable *hinfo = info->hinfo;
820 struct hashlimit_cfg3 cfg = {};
823 ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
827 return hashlimit_mt_common(skb, par, hinfo, &cfg, 1);
831 hashlimit_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
833 const struct xt_hashlimit_mtinfo2 *info = par->matchinfo;
834 struct xt_hashlimit_htable *hinfo = info->hinfo;
835 struct hashlimit_cfg3 cfg = {};
838 ret = cfg_copy(&cfg, (void *)&info->cfg, 2);
842 return hashlimit_mt_common(skb, par, hinfo, &cfg, 2);
846 hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
848 const struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
849 struct xt_hashlimit_htable *hinfo = info->hinfo;
851 return hashlimit_mt_common(skb, par, hinfo, &info->cfg, 3);
854 static int hashlimit_mt_check_common(const struct xt_mtchk_param *par,
855 struct xt_hashlimit_htable **hinfo,
856 struct hashlimit_cfg3 *cfg,
857 const char *name, int revision)
859 struct net *net = par->net;
862 if (cfg->gc_interval == 0 || cfg->expire == 0)
864 if (par->family == NFPROTO_IPV4) {
865 if (cfg->srcmask > 32 || cfg->dstmask > 32)
868 if (cfg->srcmask > 128 || cfg->dstmask > 128)
872 if (cfg->mode & ~XT_HASHLIMIT_ALL) {
873 pr_info_ratelimited("Unknown mode mask %X, kernel too old?\n",
878 /* Check for overflow. */
879 if (revision >= 3 && cfg->mode & XT_HASHLIMIT_RATE_MATCH) {
880 if (cfg->avg == 0 || cfg->avg > U32_MAX) {
881 pr_info_ratelimited("invalid rate\n");
885 if (cfg->interval == 0) {
886 pr_info_ratelimited("invalid interval\n");
889 } else if (cfg->mode & XT_HASHLIMIT_BYTES) {
890 if (user2credits_byte(cfg->avg) == 0) {
891 pr_info_ratelimited("overflow, rate too high: %llu\n",
895 } else if (cfg->burst == 0 ||
896 user2credits(cfg->avg * cfg->burst, revision) <
897 user2credits(cfg->avg, revision)) {
898 pr_info_ratelimited("overflow, try lower: %llu/%llu\n",
899 cfg->avg, cfg->burst);
903 mutex_lock(&hashlimit_mutex);
904 *hinfo = htable_find_get(net, name, par->family);
905 if (*hinfo == NULL) {
906 ret = htable_create(net, cfg, name, par->family,
909 mutex_unlock(&hashlimit_mutex);
913 mutex_unlock(&hashlimit_mutex);
918 static int hashlimit_mt_check_v1(const struct xt_mtchk_param *par)
920 struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
921 struct hashlimit_cfg3 cfg = {};
924 ret = xt_check_proc_name(info->name, sizeof(info->name));
928 ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
932 return hashlimit_mt_check_common(par, &info->hinfo,
933 &cfg, info->name, 1);
936 static int hashlimit_mt_check_v2(const struct xt_mtchk_param *par)
938 struct xt_hashlimit_mtinfo2 *info = par->matchinfo;
939 struct hashlimit_cfg3 cfg = {};
942 ret = xt_check_proc_name(info->name, sizeof(info->name));
946 ret = cfg_copy(&cfg, (void *)&info->cfg, 2);
950 return hashlimit_mt_check_common(par, &info->hinfo,
951 &cfg, info->name, 2);
954 static int hashlimit_mt_check(const struct xt_mtchk_param *par)
956 struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
959 ret = xt_check_proc_name(info->name, sizeof(info->name));
963 return hashlimit_mt_check_common(par, &info->hinfo, &info->cfg,
967 static void hashlimit_mt_destroy_v2(const struct xt_mtdtor_param *par)
969 const struct xt_hashlimit_mtinfo2 *info = par->matchinfo;
971 htable_put(info->hinfo);
974 static void hashlimit_mt_destroy_v1(const struct xt_mtdtor_param *par)
976 const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
978 htable_put(info->hinfo);
981 static void hashlimit_mt_destroy(const struct xt_mtdtor_param *par)
983 const struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
985 htable_put(info->hinfo);
988 static struct xt_match hashlimit_mt_reg[] __read_mostly = {
992 .family = NFPROTO_IPV4,
993 .match = hashlimit_mt_v1,
994 .matchsize = sizeof(struct xt_hashlimit_mtinfo1),
995 .usersize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
996 .checkentry = hashlimit_mt_check_v1,
997 .destroy = hashlimit_mt_destroy_v1,
1001 .name = "hashlimit",
1003 .family = NFPROTO_IPV4,
1004 .match = hashlimit_mt_v2,
1005 .matchsize = sizeof(struct xt_hashlimit_mtinfo2),
1006 .usersize = offsetof(struct xt_hashlimit_mtinfo2, hinfo),
1007 .checkentry = hashlimit_mt_check_v2,
1008 .destroy = hashlimit_mt_destroy_v2,
1012 .name = "hashlimit",
1014 .family = NFPROTO_IPV4,
1015 .match = hashlimit_mt,
1016 .matchsize = sizeof(struct xt_hashlimit_mtinfo3),
1017 .usersize = offsetof(struct xt_hashlimit_mtinfo3, hinfo),
1018 .checkentry = hashlimit_mt_check,
1019 .destroy = hashlimit_mt_destroy,
1022 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
1024 .name = "hashlimit",
1026 .family = NFPROTO_IPV6,
1027 .match = hashlimit_mt_v1,
1028 .matchsize = sizeof(struct xt_hashlimit_mtinfo1),
1029 .usersize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
1030 .checkentry = hashlimit_mt_check_v1,
1031 .destroy = hashlimit_mt_destroy_v1,
1035 .name = "hashlimit",
1037 .family = NFPROTO_IPV6,
1038 .match = hashlimit_mt_v2,
1039 .matchsize = sizeof(struct xt_hashlimit_mtinfo2),
1040 .usersize = offsetof(struct xt_hashlimit_mtinfo2, hinfo),
1041 .checkentry = hashlimit_mt_check_v2,
1042 .destroy = hashlimit_mt_destroy_v2,
1046 .name = "hashlimit",
1048 .family = NFPROTO_IPV6,
1049 .match = hashlimit_mt,
1050 .matchsize = sizeof(struct xt_hashlimit_mtinfo3),
1051 .usersize = offsetof(struct xt_hashlimit_mtinfo3, hinfo),
1052 .checkentry = hashlimit_mt_check,
1053 .destroy = hashlimit_mt_destroy,
1060 static void *dl_seq_start(struct seq_file *s, loff_t *pos)
1061 __acquires(htable->lock)
1063 struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
1064 unsigned int *bucket;
1066 spin_lock_bh(&htable->lock);
1067 if (*pos >= htable->cfg.size)
1070 bucket = kmalloc(sizeof(unsigned int), GFP_ATOMIC);
1072 return ERR_PTR(-ENOMEM);
1078 static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos)
1080 struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
1081 unsigned int *bucket = v;
1084 if (*pos >= htable->cfg.size) {
1091 static void dl_seq_stop(struct seq_file *s, void *v)
1092 __releases(htable->lock)
1094 struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
1095 unsigned int *bucket = v;
1097 if (!IS_ERR(bucket))
1099 spin_unlock_bh(&htable->lock);
1102 static void dl_seq_print(struct dsthash_ent *ent, u_int8_t family,
1107 seq_printf(s, "%ld %pI4:%u->%pI4:%u %llu %llu %llu\n",
1108 (long)(ent->expires - jiffies)/HZ,
1110 ntohs(ent->dst.src_port),
1112 ntohs(ent->dst.dst_port),
1113 ent->rateinfo.credit, ent->rateinfo.credit_cap,
1114 ent->rateinfo.cost);
1116 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
1118 seq_printf(s, "%ld %pI6:%u->%pI6:%u %llu %llu %llu\n",
1119 (long)(ent->expires - jiffies)/HZ,
1121 ntohs(ent->dst.src_port),
1123 ntohs(ent->dst.dst_port),
1124 ent->rateinfo.credit, ent->rateinfo.credit_cap,
1125 ent->rateinfo.cost);
1133 static int dl_seq_real_show_v2(struct dsthash_ent *ent, u_int8_t family,
1136 struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
1138 spin_lock(&ent->lock);
1139 /* recalculate to show accurate numbers */
1140 rateinfo_recalc(ent, jiffies, ht->cfg.mode, 2);
1142 dl_seq_print(ent, family, s);
1144 spin_unlock(&ent->lock);
1145 return seq_has_overflowed(s);
1148 static int dl_seq_real_show_v1(struct dsthash_ent *ent, u_int8_t family,
1151 struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
1153 spin_lock(&ent->lock);
1154 /* recalculate to show accurate numbers */
1155 rateinfo_recalc(ent, jiffies, ht->cfg.mode, 1);
1157 dl_seq_print(ent, family, s);
1159 spin_unlock(&ent->lock);
1160 return seq_has_overflowed(s);
1163 static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
1166 struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
1168 spin_lock(&ent->lock);
1169 /* recalculate to show accurate numbers */
1170 rateinfo_recalc(ent, jiffies, ht->cfg.mode, 3);
1172 dl_seq_print(ent, family, s);
1174 spin_unlock(&ent->lock);
1175 return seq_has_overflowed(s);
1178 static int dl_seq_show_v2(struct seq_file *s, void *v)
1180 struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
1181 unsigned int *bucket = (unsigned int *)v;
1182 struct dsthash_ent *ent;
1184 if (!hlist_empty(&htable->hash[*bucket])) {
1185 hlist_for_each_entry(ent, &htable->hash[*bucket], node)
1186 if (dl_seq_real_show_v2(ent, htable->family, s))
1192 static int dl_seq_show_v1(struct seq_file *s, void *v)
1194 struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
1195 unsigned int *bucket = v;
1196 struct dsthash_ent *ent;
1198 if (!hlist_empty(&htable->hash[*bucket])) {
1199 hlist_for_each_entry(ent, &htable->hash[*bucket], node)
1200 if (dl_seq_real_show_v1(ent, htable->family, s))
1206 static int dl_seq_show(struct seq_file *s, void *v)
1208 struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
1209 unsigned int *bucket = v;
1210 struct dsthash_ent *ent;
1212 if (!hlist_empty(&htable->hash[*bucket])) {
1213 hlist_for_each_entry(ent, &htable->hash[*bucket], node)
1214 if (dl_seq_real_show(ent, htable->family, s))
1220 static const struct seq_operations dl_seq_ops_v1 = {
1221 .start = dl_seq_start,
1222 .next = dl_seq_next,
1223 .stop = dl_seq_stop,
1224 .show = dl_seq_show_v1
1227 static const struct seq_operations dl_seq_ops_v2 = {
1228 .start = dl_seq_start,
1229 .next = dl_seq_next,
1230 .stop = dl_seq_stop,
1231 .show = dl_seq_show_v2
1234 static const struct seq_operations dl_seq_ops = {
1235 .start = dl_seq_start,
1236 .next = dl_seq_next,
1237 .stop = dl_seq_stop,
1241 static int __net_init hashlimit_proc_net_init(struct net *net)
1243 struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
1245 hashlimit_net->ipt_hashlimit = proc_mkdir("ipt_hashlimit", net->proc_net);
1246 if (!hashlimit_net->ipt_hashlimit)
1248 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
1249 hashlimit_net->ip6t_hashlimit = proc_mkdir("ip6t_hashlimit", net->proc_net);
1250 if (!hashlimit_net->ip6t_hashlimit) {
1251 remove_proc_entry("ipt_hashlimit", net->proc_net);
1258 static void __net_exit hashlimit_proc_net_exit(struct net *net)
1260 struct xt_hashlimit_htable *hinfo;
1261 struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
1263 /* hashlimit_net_exit() is called before hashlimit_mt_destroy().
1264 * Make sure that the parent ipt_hashlimit and ip6t_hashlimit proc
1265 * entries is empty before trying to remove it.
1267 mutex_lock(&hashlimit_mutex);
1268 hlist_for_each_entry(hinfo, &hashlimit_net->htables, node)
1269 htable_remove_proc_entry(hinfo);
1270 hashlimit_net->ipt_hashlimit = NULL;
1271 hashlimit_net->ip6t_hashlimit = NULL;
1272 mutex_unlock(&hashlimit_mutex);
1274 remove_proc_entry("ipt_hashlimit", net->proc_net);
1275 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
1276 remove_proc_entry("ip6t_hashlimit", net->proc_net);
1280 static int __net_init hashlimit_net_init(struct net *net)
1282 struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
1284 INIT_HLIST_HEAD(&hashlimit_net->htables);
1285 return hashlimit_proc_net_init(net);
1288 static void __net_exit hashlimit_net_exit(struct net *net)
1290 hashlimit_proc_net_exit(net);
1293 static struct pernet_operations hashlimit_net_ops = {
1294 .init = hashlimit_net_init,
1295 .exit = hashlimit_net_exit,
1296 .id = &hashlimit_net_id,
1297 .size = sizeof(struct hashlimit_net),
1300 static int __init hashlimit_mt_init(void)
1304 err = register_pernet_subsys(&hashlimit_net_ops);
1307 err = xt_register_matches(hashlimit_mt_reg,
1308 ARRAY_SIZE(hashlimit_mt_reg));
1313 hashlimit_cachep = kmem_cache_create("xt_hashlimit",
1314 sizeof(struct dsthash_ent), 0, 0,
1316 if (!hashlimit_cachep) {
1317 pr_warn("unable to create slab cache\n");
1323 xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg));
1325 unregister_pernet_subsys(&hashlimit_net_ops);
1330 static void __exit hashlimit_mt_exit(void)
1332 xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg));
1333 unregister_pernet_subsys(&hashlimit_net_ops);
1336 kmem_cache_destroy(hashlimit_cachep);
1339 module_init(hashlimit_mt_init);
1340 module_exit(hashlimit_mt_exit);