1 /* Kernel module to control the rate
3 * 2 September 1999: Changed from the target RATE to the match
4 * `limit', removed logging. Did I mention that
5 * Alexey is a fucking genius?
6 * Rusty Russell (rusty@rustcorp.com.au). */
8 /* (C) 1999 Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
9 * (C) 1999 Hervé Eychenne <eychenne@info.enserb.u-bordeaux.fr>
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2 as
13 * published by the Free Software Foundation.
16 #include <linux/module.h>
17 #include <linux/skbuff.h>
18 #include <linux/spinlock.h>
19 #include <linux/interrupt.h>
21 #include <linux/netfilter_ipv6/ip6_tables.h>
22 #include <linux/netfilter_ipv6/ip6t_limit.h>
24 MODULE_LICENSE("GPL");
25 MODULE_AUTHOR("Herve Eychenne <rv@wallfire.org>");
26 MODULE_DESCRIPTION("rate limiting within ip6tables");
28 /* The algorithm used is the Simple Token Bucket Filter (TBF)
29 * see net/sched/sch_tbf.c in the linux source tree
32 static DEFINE_SPINLOCK(limit_lock
);
34 /* Rusty: This is my (non-mathematically-inclined) understanding of
35 this algorithm. The `average rate' in jiffies becomes your initial
36 amount of credit `credit' and the most credit you can ever have
37 `credit_cap'. The `peak rate' becomes the cost of passing the
40 `prev' tracks the last packet hit: you gain one credit per jiffy.
41 If you get credit balance more than this, the extra credit is
42 discarded. Every time the match passes, you lose `cost' credits;
43 if you don't have that many, the test fails.
45 See Alexey's formal explanation in net/sched/sch_tbf.c.
47 To avoid underflow, we multiply by 128 (ie. you get 128 credits per
48 jiffy). Hence a cost of 2^32-1, means one pass per 32768 seconds
49 at 1024HZ (or one every 9 hours). A cost of 1 means 12800 passes
50 per second at 100HZ. */
52 #define CREDITS_PER_JIFFY 128
55 ip6t_limit_match(const struct sk_buff
*skb
,
56 const struct net_device
*in
,
57 const struct net_device
*out
,
58 const void *matchinfo
,
63 struct ip6t_rateinfo
*r
= ((struct ip6t_rateinfo
*)matchinfo
)->master
;
64 unsigned long now
= jiffies
;
66 spin_lock_bh(&limit_lock
);
67 r
->credit
+= (now
- xchg(&r
->prev
, now
)) * CREDITS_PER_JIFFY
;
68 if (r
->credit
> r
->credit_cap
)
69 r
->credit
= r
->credit_cap
;
71 if (r
->credit
>= r
->cost
) {
72 /* We're not limited. */
74 spin_unlock_bh(&limit_lock
);
78 spin_unlock_bh(&limit_lock
);
82 /* Precision saver. */
84 user2credits(u_int32_t user
)
86 /* If multiplying would overflow... */
87 if (user
> 0xFFFFFFFF / (HZ
*CREDITS_PER_JIFFY
))
89 return (user
/ IP6T_LIMIT_SCALE
) * HZ
* CREDITS_PER_JIFFY
;
91 return (user
* HZ
* CREDITS_PER_JIFFY
) / IP6T_LIMIT_SCALE
;
95 ip6t_limit_checkentry(const char *tablename
,
96 const struct ip6t_ip6
*ip
,
98 unsigned int matchsize
,
99 unsigned int hook_mask
)
101 struct ip6t_rateinfo
*r
= matchinfo
;
103 if (matchsize
!= IP6T_ALIGN(sizeof(struct ip6t_rateinfo
)))
106 /* Check for overflow. */
108 || user2credits(r
->avg
* r
->burst
) < user2credits(r
->avg
)) {
109 printk("Call rusty: overflow in ip6t_limit: %u/%u\n",
114 /* User avg in seconds * IP6T_LIMIT_SCALE: convert to jiffies *
117 r
->credit
= user2credits(r
->avg
* r
->burst
); /* Credits full. */
118 r
->credit_cap
= user2credits(r
->avg
* r
->burst
); /* Credits full. */
119 r
->cost
= user2credits(r
->avg
);
121 /* For SMP, we only want to use one set of counters. */
127 static struct ip6t_match ip6t_limit_reg
= {
129 .match
= ip6t_limit_match
,
130 .checkentry
= ip6t_limit_checkentry
,
134 static int __init
init(void)
136 if (ip6t_register_match(&ip6t_limit_reg
))
141 static void __exit
fini(void)
143 ip6t_unregister_match(&ip6t_limit_reg
);