2 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/kernel.h>
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/spinlock.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_tables.h>
20 static DEFINE_SPINLOCK(limit_lock
);
29 static void nft_limit_eval(const struct nft_expr
*expr
,
30 struct nft_regs
*regs
,
31 const struct nft_pktinfo
*pkt
)
33 struct nft_limit
*priv
= nft_expr_priv(expr
);
35 spin_lock_bh(&limit_lock
);
36 if (time_after_eq(jiffies
, priv
->stamp
)) {
37 priv
->tokens
= priv
->rate
;
38 priv
->stamp
= jiffies
+ priv
->unit
* HZ
;
41 if (priv
->tokens
>= 1) {
43 spin_unlock_bh(&limit_lock
);
46 spin_unlock_bh(&limit_lock
);
48 regs
->verdict
.code
= NFT_BREAK
;
51 static const struct nla_policy nft_limit_policy
[NFTA_LIMIT_MAX
+ 1] = {
52 [NFTA_LIMIT_RATE
] = { .type
= NLA_U64
},
53 [NFTA_LIMIT_UNIT
] = { .type
= NLA_U64
},
56 static int nft_limit_init(const struct nft_ctx
*ctx
,
57 const struct nft_expr
*expr
,
58 const struct nlattr
* const tb
[])
60 struct nft_limit
*priv
= nft_expr_priv(expr
);
62 if (tb
[NFTA_LIMIT_RATE
] == NULL
||
63 tb
[NFTA_LIMIT_UNIT
] == NULL
)
66 priv
->rate
= be64_to_cpu(nla_get_be64(tb
[NFTA_LIMIT_RATE
]));
67 priv
->unit
= be64_to_cpu(nla_get_be64(tb
[NFTA_LIMIT_UNIT
]));
68 priv
->stamp
= jiffies
+ priv
->unit
* HZ
;
69 priv
->tokens
= priv
->rate
;
73 static int nft_limit_dump(struct sk_buff
*skb
, const struct nft_expr
*expr
)
75 const struct nft_limit
*priv
= nft_expr_priv(expr
);
77 if (nla_put_be64(skb
, NFTA_LIMIT_RATE
, cpu_to_be64(priv
->rate
)))
79 if (nla_put_be64(skb
, NFTA_LIMIT_UNIT
, cpu_to_be64(priv
->unit
)))
87 static struct nft_expr_type nft_limit_type
;
88 static const struct nft_expr_ops nft_limit_ops
= {
89 .type
= &nft_limit_type
,
90 .size
= NFT_EXPR_SIZE(sizeof(struct nft_limit
)),
91 .eval
= nft_limit_eval
,
92 .init
= nft_limit_init
,
93 .dump
= nft_limit_dump
,
96 static struct nft_expr_type nft_limit_type __read_mostly
= {
98 .ops
= &nft_limit_ops
,
99 .policy
= nft_limit_policy
,
100 .maxattr
= NFTA_LIMIT_MAX
,
101 .flags
= NFT_EXPR_STATEFUL
,
102 .owner
= THIS_MODULE
,
105 static int __init
nft_limit_module_init(void)
107 return nft_register_expr(&nft_limit_type
);
110 static void __exit
nft_limit_module_exit(void)
112 nft_unregister_expr(&nft_limit_type
);
115 module_init(nft_limit_module_init
);
116 module_exit(nft_limit_module_exit
);
118 MODULE_LICENSE("GPL");
119 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
120 MODULE_ALIAS_NFT_EXPR("limit");