net/netfilter/nft_connlimit.c

   1 /* SPDX-License-Identifier: GPL-2.0 */
   2 #include <linux/kernel.h>
   3 #include <linux/init.h>
   4 #include <linux/module.h>
   5 #include <linux/spinlock.h>
   6 #include <linux/netlink.h>
   7 #include <linux/netfilter.h>
   8 #include <linux/netfilter/nf_tables.h>
   9 #include <net/netfilter/nf_tables.h>
  10 #include <net/netfilter/nf_conntrack.h>
  11 #include <net/netfilter/nf_conntrack_count.h>
  12 #include <net/netfilter/nf_conntrack_core.h>
  13 #include <net/netfilter/nf_conntrack_tuple.h>
  14 #include <net/netfilter/nf_conntrack_zones.h>
  15
  16 struct nft_connlimit {
  17         struct nf_conncount_list        *list;
  18         u32                             limit;
  19         bool                            invert;
  20 };
  21
  22 static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
  23                                          struct nft_regs *regs,
  24                                          const struct nft_pktinfo *pkt,
  25                                          const struct nft_set_ext *ext)
  26 {
  27         const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
  28         const struct nf_conntrack_tuple *tuple_ptr;
  29         struct nf_conntrack_tuple tuple;
  30         enum ip_conntrack_info ctinfo;
  31         const struct nf_conn *ct;
  32         unsigned int count;
  33
  34         tuple_ptr = &tuple;
  35
  36         ct = nf_ct_get(pkt->skb, &ctinfo);
  37         if (ct != NULL) {
  38                 tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
  39                 zone = nf_ct_zone(ct);
  40         } else if (!nf_ct_get_tuplepr(pkt->skb, skb_network_offset(pkt->skb),
  41                                       nft_pf(pkt), nft_net(pkt), &tuple)) {
  42                 regs->verdict.code = NF_DROP;
  43                 return;
  44         }
  45
  46         if (nf_conncount_add(nft_net(pkt), priv->list, tuple_ptr, zone)) {
  47                 regs->verdict.code = NF_DROP;
  48                 return;
  49         }
  50
  51         count = priv->list->count;
  52
  53         if ((count > priv->limit) ^ priv->invert) {
  54                 regs->verdict.code = NFT_BREAK;
  55                 return;
  56         }
  57 }
  58
  59 static int nft_connlimit_do_init(const struct nft_ctx *ctx,
  60                                  const struct nlattr * const tb[],
  61                                  struct nft_connlimit *priv)
  62 {
  63         bool invert = false;
  64         u32 flags, limit;
  65         int err;
  66
  67         if (!tb[NFTA_CONNLIMIT_COUNT])
  68                 return -EINVAL;
  69
  70         limit = ntohl(nla_get_be32(tb[NFTA_CONNLIMIT_COUNT]));
  71
  72         if (tb[NFTA_CONNLIMIT_FLAGS]) {
  73                 flags = ntohl(nla_get_be32(tb[NFTA_CONNLIMIT_FLAGS]));
  74                 if (flags & ~NFT_CONNLIMIT_F_INV)
  75                         return -EOPNOTSUPP;
  76                 if (flags & NFT_CONNLIMIT_F_INV)
  77                         invert = true;
  78         }
  79
  80         priv->list = kmalloc(sizeof(*priv->list), GFP_KERNEL_ACCOUNT);
  81         if (!priv->list)
  82                 return -ENOMEM;
  83
  84         nf_conncount_list_init(priv->list);
  85         priv->limit     = limit;
  86         priv->invert    = invert;
  87
  88         err = nf_ct_netns_get(ctx->net, ctx->family);
  89         if (err < 0)
  90                 goto err_netns;
  91
  92         return 0;
  93 err_netns:
  94         kfree(priv->list);
  95
  96         return err;
  97 }
  98
  99 static void nft_connlimit_do_destroy(const struct nft_ctx *ctx,
 100                                      struct nft_connlimit *priv)
 101 {
 102         nf_ct_netns_put(ctx->net, ctx->family);
 103         nf_conncount_cache_free(priv->list);
 104         kfree(priv->list);
 105 }
 106
 107 static int nft_connlimit_do_dump(struct sk_buff *skb,
 108                                  struct nft_connlimit *priv)
 109 {
 110         if (nla_put_be32(skb, NFTA_CONNLIMIT_COUNT, htonl(priv->limit)))
 111                 goto nla_put_failure;
 112         if (priv->invert &&
 113             nla_put_be32(skb, NFTA_CONNLIMIT_FLAGS, htonl(NFT_CONNLIMIT_F_INV)))
 114                 goto nla_put_failure;
 115
 116         return 0;
 117
 118 nla_put_failure:
 119         return -1;
 120 }
 121
 122 static inline void nft_connlimit_obj_eval(struct nft_object *obj,
 123                                         struct nft_regs *regs,
 124                                         const struct nft_pktinfo *pkt)
 125 {
 126         struct nft_connlimit *priv = nft_obj_data(obj);
 127
 128         nft_connlimit_do_eval(priv, regs, pkt, NULL);
 129 }
 130
 131 static int nft_connlimit_obj_init(const struct nft_ctx *ctx,
 132                                 const struct nlattr * const tb[],
 133                                 struct nft_object *obj)
 134 {
 135         struct nft_connlimit *priv = nft_obj_data(obj);
 136
 137         return nft_connlimit_do_init(ctx, tb, priv);
 138 }
 139
 140 static void nft_connlimit_obj_destroy(const struct nft_ctx *ctx,
 141                                       struct nft_object *obj)
 142 {
 143         struct nft_connlimit *priv = nft_obj_data(obj);
 144
 145         nft_connlimit_do_destroy(ctx, priv);
 146 }
 147
 148 static int nft_connlimit_obj_dump(struct sk_buff *skb,
 149                                   struct nft_object *obj, bool reset)
 150 {
 151         struct nft_connlimit *priv = nft_obj_data(obj);
 152
 153         return nft_connlimit_do_dump(skb, priv);
 154 }
 155
 156 static const struct nla_policy nft_connlimit_policy[NFTA_CONNLIMIT_MAX + 1] = {
 157         [NFTA_CONNLIMIT_COUNT]  = { .type = NLA_U32 },
 158         [NFTA_CONNLIMIT_FLAGS]  = { .type = NLA_U32 },
 159 };
 160
 161 static struct nft_object_type nft_connlimit_obj_type;
 162 static const struct nft_object_ops nft_connlimit_obj_ops = {
 163         .type           = &nft_connlimit_obj_type,
 164         .size           = sizeof(struct nft_connlimit),
 165         .eval           = nft_connlimit_obj_eval,
 166         .init           = nft_connlimit_obj_init,
 167         .destroy        = nft_connlimit_obj_destroy,
 168         .dump           = nft_connlimit_obj_dump,
 169 };
 170
 171 static struct nft_object_type nft_connlimit_obj_type __read_mostly = {
 172         .type           = NFT_OBJECT_CONNLIMIT,
 173         .ops            = &nft_connlimit_obj_ops,
 174         .maxattr        = NFTA_CONNLIMIT_MAX,
 175         .policy         = nft_connlimit_policy,
 176         .owner          = THIS_MODULE,
 177 };
 178
 179 static void nft_connlimit_eval(const struct nft_expr *expr,
 180                                struct nft_regs *regs,
 181                                const struct nft_pktinfo *pkt)
 182 {
 183         struct nft_connlimit *priv = nft_expr_priv(expr);
 184
 185         nft_connlimit_do_eval(priv, regs, pkt, NULL);
 186 }
 187
 188 static int nft_connlimit_dump(struct sk_buff *skb,
 189                               const struct nft_expr *expr, bool reset)
 190 {
 191         struct nft_connlimit *priv = nft_expr_priv(expr);
 192
 193         return nft_connlimit_do_dump(skb, priv);
 194 }
 195
 196 static int nft_connlimit_init(const struct nft_ctx *ctx,
 197                               const struct nft_expr *expr,
 198                               const struct nlattr * const tb[])
 199 {
 200         struct nft_connlimit *priv = nft_expr_priv(expr);
 201
 202         return nft_connlimit_do_init(ctx, tb, priv);
 203 }
 204
 205 static void nft_connlimit_destroy(const struct nft_ctx *ctx,
 206                                 const struct nft_expr *expr)
 207 {
 208         struct nft_connlimit *priv = nft_expr_priv(expr);
 209
 210         nft_connlimit_do_destroy(ctx, priv);
 211 }
 212
 213 static int nft_connlimit_clone(struct nft_expr *dst, const struct nft_expr *src, gfp_t gfp)
 214 {
 215         struct nft_connlimit *priv_dst = nft_expr_priv(dst);
 216         struct nft_connlimit *priv_src = nft_expr_priv(src);
 217
 218         priv_dst->list = kmalloc(sizeof(*priv_dst->list), gfp);
 219         if (!priv_dst->list)
 220                 return -ENOMEM;
 221
 222         nf_conncount_list_init(priv_dst->list);
 223         priv_dst->limit  = priv_src->limit;
 224         priv_dst->invert = priv_src->invert;
 225
 226         return 0;
 227 }
 228
 229 static void nft_connlimit_destroy_clone(const struct nft_ctx *ctx,
 230                                         const struct nft_expr *expr)
 231 {
 232         struct nft_connlimit *priv = nft_expr_priv(expr);
 233
 234         nf_conncount_cache_free(priv->list);
 235         kfree(priv->list);
 236 }
 237
 238 static bool nft_connlimit_gc(struct net *net, const struct nft_expr *expr)
 239 {
 240         struct nft_connlimit *priv = nft_expr_priv(expr);
 241         bool ret;
 242
 243         local_bh_disable();
 244         ret = nf_conncount_gc_list(net, priv->list);
 245         local_bh_enable();
 246
 247         return ret;
 248 }
 249
 250 static struct nft_expr_type nft_connlimit_type;
 251 static const struct nft_expr_ops nft_connlimit_ops = {
 252         .type           = &nft_connlimit_type,
 253         .size           = NFT_EXPR_SIZE(sizeof(struct nft_connlimit)),
 254         .eval           = nft_connlimit_eval,
 255         .init           = nft_connlimit_init,
 256         .destroy        = nft_connlimit_destroy,
 257         .clone          = nft_connlimit_clone,
 258         .destroy_clone  = nft_connlimit_destroy_clone,
 259         .dump           = nft_connlimit_dump,
 260         .gc             = nft_connlimit_gc,
 261         .reduce         = NFT_REDUCE_READONLY,
 262 };
 263
 264 static struct nft_expr_type nft_connlimit_type __read_mostly = {
 265         .name           = "connlimit",
 266         .ops            = &nft_connlimit_ops,
 267         .policy         = nft_connlimit_policy,
 268         .maxattr        = NFTA_CONNLIMIT_MAX,
 269         .flags          = NFT_EXPR_STATEFUL | NFT_EXPR_GC,
 270         .owner          = THIS_MODULE,
 271 };
 272
 273 static int __init nft_connlimit_module_init(void)
 274 {
 275         int err;
 276
 277         err = nft_register_obj(&nft_connlimit_obj_type);
 278         if (err < 0)
 279                 return err;
 280
 281         err = nft_register_expr(&nft_connlimit_type);
 282         if (err < 0)
 283                 goto err1;
 284
 285         return 0;
 286 err1:
 287         nft_unregister_obj(&nft_connlimit_obj_type);
 288         return err;
 289 }
 290
 291 static void __exit nft_connlimit_module_exit(void)
 292 {
 293         nft_unregister_expr(&nft_connlimit_type);
 294         nft_unregister_obj(&nft_connlimit_obj_type);
 295 }
 296
 297 module_init(nft_connlimit_module_init);
 298 module_exit(nft_connlimit_module_exit);
 299
 300 MODULE_LICENSE("GPL");
 301 MODULE_AUTHOR("Pablo Neira Ayuso");
 302 MODULE_ALIAS_NFT_EXPR("connlimit");
 303 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CONNLIMIT);
 304 MODULE_DESCRIPTION("nftables connlimit rule support");