Merge tag 'io_uring-5.11-2021-01-16' of git://git.kernel.dk/linux-block
[linux/fpc-iii.git] / net / netfilter / nft_connlimit.c
blob7d0761fad37ef560af1b299007497ce1049a6a3c
1 /* SPDX-License-Identifier: GPL-2.0 */
2 #include <linux/kernel.h>
3 #include <linux/init.h>
4 #include <linux/module.h>
5 #include <linux/spinlock.h>
6 #include <linux/netlink.h>
7 #include <linux/netfilter.h>
8 #include <linux/netfilter/nf_tables.h>
9 #include <net/netfilter/nf_tables.h>
10 #include <net/netfilter/nf_conntrack.h>
11 #include <net/netfilter/nf_conntrack_count.h>
12 #include <net/netfilter/nf_conntrack_core.h>
13 #include <net/netfilter/nf_conntrack_tuple.h>
14 #include <net/netfilter/nf_conntrack_zones.h>
16 struct nft_connlimit {
17 struct nf_conncount_list list;
18 u32 limit;
19 bool invert;
22 static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
23 struct nft_regs *regs,
24 const struct nft_pktinfo *pkt,
25 const struct nft_set_ext *ext)
27 const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
28 const struct nf_conntrack_tuple *tuple_ptr;
29 struct nf_conntrack_tuple tuple;
30 enum ip_conntrack_info ctinfo;
31 const struct nf_conn *ct;
32 unsigned int count;
34 tuple_ptr = &tuple;
36 ct = nf_ct_get(pkt->skb, &ctinfo);
37 if (ct != NULL) {
38 tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
39 zone = nf_ct_zone(ct);
40 } else if (!nf_ct_get_tuplepr(pkt->skb, skb_network_offset(pkt->skb),
41 nft_pf(pkt), nft_net(pkt), &tuple)) {
42 regs->verdict.code = NF_DROP;
43 return;
46 if (nf_conncount_add(nft_net(pkt), &priv->list, tuple_ptr, zone)) {
47 regs->verdict.code = NF_DROP;
48 return;
51 count = priv->list.count;
53 if ((count > priv->limit) ^ priv->invert) {
54 regs->verdict.code = NFT_BREAK;
55 return;
59 static int nft_connlimit_do_init(const struct nft_ctx *ctx,
60 const struct nlattr * const tb[],
61 struct nft_connlimit *priv)
63 bool invert = false;
64 u32 flags, limit;
66 if (!tb[NFTA_CONNLIMIT_COUNT])
67 return -EINVAL;
69 limit = ntohl(nla_get_be32(tb[NFTA_CONNLIMIT_COUNT]));
71 if (tb[NFTA_CONNLIMIT_FLAGS]) {
72 flags = ntohl(nla_get_be32(tb[NFTA_CONNLIMIT_FLAGS]));
73 if (flags & ~NFT_CONNLIMIT_F_INV)
74 return -EOPNOTSUPP;
75 if (flags & NFT_CONNLIMIT_F_INV)
76 invert = true;
79 nf_conncount_list_init(&priv->list);
80 priv->limit = limit;
81 priv->invert = invert;
83 return nf_ct_netns_get(ctx->net, ctx->family);
86 static void nft_connlimit_do_destroy(const struct nft_ctx *ctx,
87 struct nft_connlimit *priv)
89 nf_ct_netns_put(ctx->net, ctx->family);
90 nf_conncount_cache_free(&priv->list);
93 static int nft_connlimit_do_dump(struct sk_buff *skb,
94 struct nft_connlimit *priv)
96 if (nla_put_be32(skb, NFTA_CONNLIMIT_COUNT, htonl(priv->limit)))
97 goto nla_put_failure;
98 if (priv->invert &&
99 nla_put_be32(skb, NFTA_CONNLIMIT_FLAGS, htonl(NFT_CONNLIMIT_F_INV)))
100 goto nla_put_failure;
102 return 0;
104 nla_put_failure:
105 return -1;
108 static inline void nft_connlimit_obj_eval(struct nft_object *obj,
109 struct nft_regs *regs,
110 const struct nft_pktinfo *pkt)
112 struct nft_connlimit *priv = nft_obj_data(obj);
114 nft_connlimit_do_eval(priv, regs, pkt, NULL);
117 static int nft_connlimit_obj_init(const struct nft_ctx *ctx,
118 const struct nlattr * const tb[],
119 struct nft_object *obj)
121 struct nft_connlimit *priv = nft_obj_data(obj);
123 return nft_connlimit_do_init(ctx, tb, priv);
126 static void nft_connlimit_obj_destroy(const struct nft_ctx *ctx,
127 struct nft_object *obj)
129 struct nft_connlimit *priv = nft_obj_data(obj);
131 nft_connlimit_do_destroy(ctx, priv);
134 static int nft_connlimit_obj_dump(struct sk_buff *skb,
135 struct nft_object *obj, bool reset)
137 struct nft_connlimit *priv = nft_obj_data(obj);
139 return nft_connlimit_do_dump(skb, priv);
142 static const struct nla_policy nft_connlimit_policy[NFTA_CONNLIMIT_MAX + 1] = {
143 [NFTA_CONNLIMIT_COUNT] = { .type = NLA_U32 },
144 [NFTA_CONNLIMIT_FLAGS] = { .type = NLA_U32 },
147 static struct nft_object_type nft_connlimit_obj_type;
148 static const struct nft_object_ops nft_connlimit_obj_ops = {
149 .type = &nft_connlimit_obj_type,
150 .size = sizeof(struct nft_connlimit),
151 .eval = nft_connlimit_obj_eval,
152 .init = nft_connlimit_obj_init,
153 .destroy = nft_connlimit_obj_destroy,
154 .dump = nft_connlimit_obj_dump,
157 static struct nft_object_type nft_connlimit_obj_type __read_mostly = {
158 .type = NFT_OBJECT_CONNLIMIT,
159 .ops = &nft_connlimit_obj_ops,
160 .maxattr = NFTA_CONNLIMIT_MAX,
161 .policy = nft_connlimit_policy,
162 .owner = THIS_MODULE,
165 static void nft_connlimit_eval(const struct nft_expr *expr,
166 struct nft_regs *regs,
167 const struct nft_pktinfo *pkt)
169 struct nft_connlimit *priv = nft_expr_priv(expr);
171 nft_connlimit_do_eval(priv, regs, pkt, NULL);
174 static int nft_connlimit_dump(struct sk_buff *skb, const struct nft_expr *expr)
176 struct nft_connlimit *priv = nft_expr_priv(expr);
178 return nft_connlimit_do_dump(skb, priv);
181 static int nft_connlimit_init(const struct nft_ctx *ctx,
182 const struct nft_expr *expr,
183 const struct nlattr * const tb[])
185 struct nft_connlimit *priv = nft_expr_priv(expr);
187 return nft_connlimit_do_init(ctx, tb, priv);
190 static void nft_connlimit_destroy(const struct nft_ctx *ctx,
191 const struct nft_expr *expr)
193 struct nft_connlimit *priv = nft_expr_priv(expr);
195 nft_connlimit_do_destroy(ctx, priv);
198 static int nft_connlimit_clone(struct nft_expr *dst, const struct nft_expr *src)
200 struct nft_connlimit *priv_dst = nft_expr_priv(dst);
201 struct nft_connlimit *priv_src = nft_expr_priv(src);
203 nf_conncount_list_init(&priv_dst->list);
204 priv_dst->limit = priv_src->limit;
205 priv_dst->invert = priv_src->invert;
207 return 0;
210 static void nft_connlimit_destroy_clone(const struct nft_ctx *ctx,
211 const struct nft_expr *expr)
213 struct nft_connlimit *priv = nft_expr_priv(expr);
215 nf_conncount_cache_free(&priv->list);
218 static bool nft_connlimit_gc(struct net *net, const struct nft_expr *expr)
220 struct nft_connlimit *priv = nft_expr_priv(expr);
221 bool ret;
223 local_bh_disable();
224 ret = nf_conncount_gc_list(net, &priv->list);
225 local_bh_enable();
227 return ret;
230 static struct nft_expr_type nft_connlimit_type;
231 static const struct nft_expr_ops nft_connlimit_ops = {
232 .type = &nft_connlimit_type,
233 .size = NFT_EXPR_SIZE(sizeof(struct nft_connlimit)),
234 .eval = nft_connlimit_eval,
235 .init = nft_connlimit_init,
236 .destroy = nft_connlimit_destroy,
237 .clone = nft_connlimit_clone,
238 .destroy_clone = nft_connlimit_destroy_clone,
239 .dump = nft_connlimit_dump,
240 .gc = nft_connlimit_gc,
243 static struct nft_expr_type nft_connlimit_type __read_mostly = {
244 .name = "connlimit",
245 .ops = &nft_connlimit_ops,
246 .policy = nft_connlimit_policy,
247 .maxattr = NFTA_CONNLIMIT_MAX,
248 .flags = NFT_EXPR_STATEFUL | NFT_EXPR_GC,
249 .owner = THIS_MODULE,
252 static int __init nft_connlimit_module_init(void)
254 int err;
256 err = nft_register_obj(&nft_connlimit_obj_type);
257 if (err < 0)
258 return err;
260 err = nft_register_expr(&nft_connlimit_type);
261 if (err < 0)
262 goto err1;
264 return 0;
265 err1:
266 nft_unregister_obj(&nft_connlimit_obj_type);
267 return err;
270 static void __exit nft_connlimit_module_exit(void)
272 nft_unregister_expr(&nft_connlimit_type);
273 nft_unregister_obj(&nft_connlimit_obj_type);
276 module_init(nft_connlimit_module_init);
277 module_exit(nft_connlimit_module_exit);
279 MODULE_LICENSE("GPL");
280 MODULE_AUTHOR("Pablo Neira Ayuso");
281 MODULE_ALIAS_NFT_EXPR("connlimit");
282 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CONNLIMIT);
283 MODULE_DESCRIPTION("nftables connlimit rule support");