1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/kernel.h>
9 #include <linux/init.h>
10 #include <linux/module.h>
11 #include <linux/spinlock.h>
12 #include <linux/netlink.h>
13 #include <linux/netfilter.h>
14 #include <linux/netfilter/nf_tables.h>
15 #include <net/netfilter/nf_tables.h>
16
17 struct nft_limit {
18 spinlock_t lock;
19 u64 last;
20 u64 tokens;
21 };
22
23 struct nft_limit_priv {
24 struct nft_limit *limit;
25 u64 tokens_max;
26 u64 rate;
27 u64 nsecs;
28 u32 burst;
29 bool invert;
30 };
31
nft_limit_eval(struct nft_limit_priv * priv,u64 cost)32 static inline bool nft_limit_eval(struct nft_limit_priv *priv, u64 cost)
33 {
34 u64 now, tokens;
35 s64 delta;
36
37 spin_lock_bh(&priv->limit->lock);
38 now = ktime_get_ns();
39 tokens = priv->limit->tokens + now - priv->limit->last;
40 if (tokens > priv->tokens_max)
41 tokens = priv->tokens_max;
42
43 priv->limit->last = now;
44 delta = tokens - cost;
45 if (delta >= 0) {
46 priv->limit->tokens = delta;
47 spin_unlock_bh(&priv->limit->lock);
48 return priv->invert;
49 }
50 priv->limit->tokens = tokens;
51 spin_unlock_bh(&priv->limit->lock);
52 return !priv->invert;
53 }
54
55 /* Use same default as in iptables. */
56 #define NFT_LIMIT_PKT_BURST_DEFAULT 5
57
nft_limit_init(struct nft_limit_priv * priv,const struct nlattr * const tb[],bool pkts)58 static int nft_limit_init(struct nft_limit_priv *priv,
59 const struct nlattr * const tb[], bool pkts)
60 {
61 u64 unit, tokens, rate_with_burst;
62 bool invert = false;
63
64 if (tb[NFTA_LIMIT_RATE] == NULL ||
65 tb[NFTA_LIMIT_UNIT] == NULL)
66 return -EINVAL;
67
68 priv->rate = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_RATE]));
69 if (priv->rate == 0)
70 return -EINVAL;
71
72 unit = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_UNIT]));
73 if (check_mul_overflow(unit, NSEC_PER_SEC, &priv->nsecs))
74 return -EOVERFLOW;
75
76 if (tb[NFTA_LIMIT_BURST])
77 priv->burst = ntohl(nla_get_be32(tb[NFTA_LIMIT_BURST]));
78
79 if (pkts && priv->burst == 0)
80 priv->burst = NFT_LIMIT_PKT_BURST_DEFAULT;
81
82 if (check_add_overflow(priv->rate, priv->burst, &rate_with_burst))
83 return -EOVERFLOW;
84
85 if (pkts) {
86 u64 tmp = div64_u64(priv->nsecs, priv->rate);
87
88 if (check_mul_overflow(tmp, priv->burst, &tokens))
89 return -EOVERFLOW;
90 } else {
91 u64 tmp;
92
93 /* The token bucket size limits the number of tokens can be
94 * accumulated. tokens_max specifies the bucket size.
95 * tokens_max = unit * (rate + burst) / rate.
96 */
97 if (check_mul_overflow(priv->nsecs, rate_with_burst, &tmp))
98 return -EOVERFLOW;
99
100 tokens = div64_u64(tmp, priv->rate);
101 }
102
103 if (tb[NFTA_LIMIT_FLAGS]) {
104 u32 flags = ntohl(nla_get_be32(tb[NFTA_LIMIT_FLAGS]));
105
106 if (flags & ~NFT_LIMIT_F_INV)
107 return -EOPNOTSUPP;
108
109 if (flags & NFT_LIMIT_F_INV)
110 invert = true;
111 }
112
113 priv->limit = kmalloc(sizeof(*priv->limit), GFP_KERNEL_ACCOUNT);
114 if (!priv->limit)
115 return -ENOMEM;
116
117 priv->limit->tokens = tokens;
118 priv->tokens_max = priv->limit->tokens;
119 priv->invert = invert;
120 priv->limit->last = ktime_get_ns();
121 spin_lock_init(&priv->limit->lock);
122
123 return 0;
124 }
125
nft_limit_dump(struct sk_buff * skb,const struct nft_limit_priv * priv,enum nft_limit_type type)126 static int nft_limit_dump(struct sk_buff *skb, const struct nft_limit_priv *priv,
127 enum nft_limit_type type)
128 {
129 u32 flags = priv->invert ? NFT_LIMIT_F_INV : 0;
130 u64 secs = div_u64(priv->nsecs, NSEC_PER_SEC);
131
132 if (nla_put_be64(skb, NFTA_LIMIT_RATE, cpu_to_be64(priv->rate),
133 NFTA_LIMIT_PAD) ||
134 nla_put_be64(skb, NFTA_LIMIT_UNIT, cpu_to_be64(secs),
135 NFTA_LIMIT_PAD) ||
136 nla_put_be32(skb, NFTA_LIMIT_BURST, htonl(priv->burst)) ||
137 nla_put_be32(skb, NFTA_LIMIT_TYPE, htonl(type)) ||
138 nla_put_be32(skb, NFTA_LIMIT_FLAGS, htonl(flags)))
139 goto nla_put_failure;
140 return 0;
141
142 nla_put_failure:
143 return -1;
144 }
145
nft_limit_destroy(const struct nft_ctx * ctx,const struct nft_limit_priv * priv)146 static void nft_limit_destroy(const struct nft_ctx *ctx,
147 const struct nft_limit_priv *priv)
148 {
149 kfree(priv->limit);
150 }
151
nft_limit_clone(struct nft_limit_priv * priv_dst,const struct nft_limit_priv * priv_src)152 static int nft_limit_clone(struct nft_limit_priv *priv_dst,
153 const struct nft_limit_priv *priv_src)
154 {
155 priv_dst->tokens_max = priv_src->tokens_max;
156 priv_dst->rate = priv_src->rate;
157 priv_dst->nsecs = priv_src->nsecs;
158 priv_dst->burst = priv_src->burst;
159 priv_dst->invert = priv_src->invert;
160
161 priv_dst->limit = kmalloc(sizeof(*priv_dst->limit), GFP_ATOMIC);
162 if (!priv_dst->limit)
163 return -ENOMEM;
164
165 spin_lock_init(&priv_dst->limit->lock);
166 priv_dst->limit->tokens = priv_src->tokens_max;
167 priv_dst->limit->last = ktime_get_ns();
168
169 return 0;
170 }
171
172 struct nft_limit_priv_pkts {
173 struct nft_limit_priv limit;
174 u64 cost;
175 };
176
nft_limit_pkts_eval(const struct nft_expr * expr,struct nft_regs * regs,const struct nft_pktinfo * pkt)177 static void nft_limit_pkts_eval(const struct nft_expr *expr,
178 struct nft_regs *regs,
179 const struct nft_pktinfo *pkt)
180 {
181 struct nft_limit_priv_pkts *priv = nft_expr_priv(expr);
182
183 if (nft_limit_eval(&priv->limit, priv->cost))
184 regs->verdict.code = NFT_BREAK;
185 }
186
187 static const struct nla_policy nft_limit_policy[NFTA_LIMIT_MAX + 1] = {
188 [NFTA_LIMIT_RATE] = { .type = NLA_U64 },
189 [NFTA_LIMIT_UNIT] = { .type = NLA_U64 },
190 [NFTA_LIMIT_BURST] = { .type = NLA_U32 },
191 [NFTA_LIMIT_TYPE] = { .type = NLA_U32 },
192 [NFTA_LIMIT_FLAGS] = { .type = NLA_U32 },
193 };
194
nft_limit_pkts_init(const struct nft_ctx * ctx,const struct nft_expr * expr,const struct nlattr * const tb[])195 static int nft_limit_pkts_init(const struct nft_ctx *ctx,
196 const struct nft_expr *expr,
197 const struct nlattr * const tb[])
198 {
199 struct nft_limit_priv_pkts *priv = nft_expr_priv(expr);
200 int err;
201
202 err = nft_limit_init(&priv->limit, tb, true);
203 if (err < 0)
204 return err;
205
206 priv->cost = div64_u64(priv->limit.nsecs, priv->limit.rate);
207 return 0;
208 }
209
nft_limit_pkts_dump(struct sk_buff * skb,const struct nft_expr * expr)210 static int nft_limit_pkts_dump(struct sk_buff *skb, const struct nft_expr *expr)
211 {
212 const struct nft_limit_priv_pkts *priv = nft_expr_priv(expr);
213
214 return nft_limit_dump(skb, &priv->limit, NFT_LIMIT_PKTS);
215 }
216
nft_limit_pkts_destroy(const struct nft_ctx * ctx,const struct nft_expr * expr)217 static void nft_limit_pkts_destroy(const struct nft_ctx *ctx,
218 const struct nft_expr *expr)
219 {
220 const struct nft_limit_priv_pkts *priv = nft_expr_priv(expr);
221
222 nft_limit_destroy(ctx, &priv->limit);
223 }
224
nft_limit_pkts_clone(struct nft_expr * dst,const struct nft_expr * src)225 static int nft_limit_pkts_clone(struct nft_expr *dst, const struct nft_expr *src)
226 {
227 struct nft_limit_priv_pkts *priv_dst = nft_expr_priv(dst);
228 struct nft_limit_priv_pkts *priv_src = nft_expr_priv(src);
229
230 priv_dst->cost = priv_src->cost;
231
232 return nft_limit_clone(&priv_dst->limit, &priv_src->limit);
233 }
234
235 static struct nft_expr_type nft_limit_type;
236 static const struct nft_expr_ops nft_limit_pkts_ops = {
237 .type = &nft_limit_type,
238 .size = NFT_EXPR_SIZE(sizeof(struct nft_limit_priv_pkts)),
239 .eval = nft_limit_pkts_eval,
240 .init = nft_limit_pkts_init,
241 .destroy = nft_limit_pkts_destroy,
242 .clone = nft_limit_pkts_clone,
243 .dump = nft_limit_pkts_dump,
244 };
245
nft_limit_bytes_eval(const struct nft_expr * expr,struct nft_regs * regs,const struct nft_pktinfo * pkt)246 static void nft_limit_bytes_eval(const struct nft_expr *expr,
247 struct nft_regs *regs,
248 const struct nft_pktinfo *pkt)
249 {
250 struct nft_limit_priv *priv = nft_expr_priv(expr);
251 u64 cost = div64_u64(priv->nsecs * pkt->skb->len, priv->rate);
252
253 if (nft_limit_eval(priv, cost))
254 regs->verdict.code = NFT_BREAK;
255 }
256
nft_limit_bytes_init(const struct nft_ctx * ctx,const struct nft_expr * expr,const struct nlattr * const tb[])257 static int nft_limit_bytes_init(const struct nft_ctx *ctx,
258 const struct nft_expr *expr,
259 const struct nlattr * const tb[])
260 {
261 struct nft_limit_priv *priv = nft_expr_priv(expr);
262
263 return nft_limit_init(priv, tb, false);
264 }
265
nft_limit_bytes_dump(struct sk_buff * skb,const struct nft_expr * expr)266 static int nft_limit_bytes_dump(struct sk_buff *skb,
267 const struct nft_expr *expr)
268 {
269 const struct nft_limit_priv *priv = nft_expr_priv(expr);
270
271 return nft_limit_dump(skb, priv, NFT_LIMIT_PKT_BYTES);
272 }
273
nft_limit_bytes_destroy(const struct nft_ctx * ctx,const struct nft_expr * expr)274 static void nft_limit_bytes_destroy(const struct nft_ctx *ctx,
275 const struct nft_expr *expr)
276 {
277 const struct nft_limit_priv *priv = nft_expr_priv(expr);
278
279 nft_limit_destroy(ctx, priv);
280 }
281
nft_limit_bytes_clone(struct nft_expr * dst,const struct nft_expr * src)282 static int nft_limit_bytes_clone(struct nft_expr *dst, const struct nft_expr *src)
283 {
284 struct nft_limit_priv *priv_dst = nft_expr_priv(dst);
285 struct nft_limit_priv *priv_src = nft_expr_priv(src);
286
287 return nft_limit_clone(priv_dst, priv_src);
288 }
289
290 static const struct nft_expr_ops nft_limit_bytes_ops = {
291 .type = &nft_limit_type,
292 .size = NFT_EXPR_SIZE(sizeof(struct nft_limit_priv)),
293 .eval = nft_limit_bytes_eval,
294 .init = nft_limit_bytes_init,
295 .dump = nft_limit_bytes_dump,
296 .clone = nft_limit_bytes_clone,
297 .destroy = nft_limit_bytes_destroy,
298 };
299
300 static const struct nft_expr_ops *
nft_limit_select_ops(const struct nft_ctx * ctx,const struct nlattr * const tb[])301 nft_limit_select_ops(const struct nft_ctx *ctx,
302 const struct nlattr * const tb[])
303 {
304 if (tb[NFTA_LIMIT_TYPE] == NULL)
305 return &nft_limit_pkts_ops;
306
307 switch (ntohl(nla_get_be32(tb[NFTA_LIMIT_TYPE]))) {
308 case NFT_LIMIT_PKTS:
309 return &nft_limit_pkts_ops;
310 case NFT_LIMIT_PKT_BYTES:
311 return &nft_limit_bytes_ops;
312 }
313 return ERR_PTR(-EOPNOTSUPP);
314 }
315
316 static struct nft_expr_type nft_limit_type __read_mostly = {
317 .name = "limit",
318 .select_ops = nft_limit_select_ops,
319 .policy = nft_limit_policy,
320 .maxattr = NFTA_LIMIT_MAX,
321 .flags = NFT_EXPR_STATEFUL,
322 .owner = THIS_MODULE,
323 };
324
nft_limit_obj_pkts_eval(struct nft_object * obj,struct nft_regs * regs,const struct nft_pktinfo * pkt)325 static void nft_limit_obj_pkts_eval(struct nft_object *obj,
326 struct nft_regs *regs,
327 const struct nft_pktinfo *pkt)
328 {
329 struct nft_limit_priv_pkts *priv = nft_obj_data(obj);
330
331 if (nft_limit_eval(&priv->limit, priv->cost))
332 regs->verdict.code = NFT_BREAK;
333 }
334
nft_limit_obj_pkts_init(const struct nft_ctx * ctx,const struct nlattr * const tb[],struct nft_object * obj)335 static int nft_limit_obj_pkts_init(const struct nft_ctx *ctx,
336 const struct nlattr * const tb[],
337 struct nft_object *obj)
338 {
339 struct nft_limit_priv_pkts *priv = nft_obj_data(obj);
340 int err;
341
342 err = nft_limit_init(&priv->limit, tb, true);
343 if (err < 0)
344 return err;
345
346 priv->cost = div64_u64(priv->limit.nsecs, priv->limit.rate);
347 return 0;
348 }
349
nft_limit_obj_pkts_dump(struct sk_buff * skb,struct nft_object * obj,bool reset)350 static int nft_limit_obj_pkts_dump(struct sk_buff *skb,
351 struct nft_object *obj,
352 bool reset)
353 {
354 const struct nft_limit_priv_pkts *priv = nft_obj_data(obj);
355
356 return nft_limit_dump(skb, &priv->limit, NFT_LIMIT_PKTS);
357 }
358
nft_limit_obj_pkts_destroy(const struct nft_ctx * ctx,struct nft_object * obj)359 static void nft_limit_obj_pkts_destroy(const struct nft_ctx *ctx,
360 struct nft_object *obj)
361 {
362 struct nft_limit_priv_pkts *priv = nft_obj_data(obj);
363
364 nft_limit_destroy(ctx, &priv->limit);
365 }
366
367 static struct nft_object_type nft_limit_obj_type;
368 static const struct nft_object_ops nft_limit_obj_pkts_ops = {
369 .type = &nft_limit_obj_type,
370 .size = NFT_EXPR_SIZE(sizeof(struct nft_limit_priv_pkts)),
371 .init = nft_limit_obj_pkts_init,
372 .destroy = nft_limit_obj_pkts_destroy,
373 .eval = nft_limit_obj_pkts_eval,
374 .dump = nft_limit_obj_pkts_dump,
375 };
376
nft_limit_obj_bytes_eval(struct nft_object * obj,struct nft_regs * regs,const struct nft_pktinfo * pkt)377 static void nft_limit_obj_bytes_eval(struct nft_object *obj,
378 struct nft_regs *regs,
379 const struct nft_pktinfo *pkt)
380 {
381 struct nft_limit_priv *priv = nft_obj_data(obj);
382 u64 cost = div64_u64(priv->nsecs * pkt->skb->len, priv->rate);
383
384 if (nft_limit_eval(priv, cost))
385 regs->verdict.code = NFT_BREAK;
386 }
387
nft_limit_obj_bytes_init(const struct nft_ctx * ctx,const struct nlattr * const tb[],struct nft_object * obj)388 static int nft_limit_obj_bytes_init(const struct nft_ctx *ctx,
389 const struct nlattr * const tb[],
390 struct nft_object *obj)
391 {
392 struct nft_limit_priv *priv = nft_obj_data(obj);
393
394 return nft_limit_init(priv, tb, false);
395 }
396
nft_limit_obj_bytes_dump(struct sk_buff * skb,struct nft_object * obj,bool reset)397 static int nft_limit_obj_bytes_dump(struct sk_buff *skb,
398 struct nft_object *obj,
399 bool reset)
400 {
401 const struct nft_limit_priv *priv = nft_obj_data(obj);
402
403 return nft_limit_dump(skb, priv, NFT_LIMIT_PKT_BYTES);
404 }
405
nft_limit_obj_bytes_destroy(const struct nft_ctx * ctx,struct nft_object * obj)406 static void nft_limit_obj_bytes_destroy(const struct nft_ctx *ctx,
407 struct nft_object *obj)
408 {
409 struct nft_limit_priv *priv = nft_obj_data(obj);
410
411 nft_limit_destroy(ctx, priv);
412 }
413
414 static struct nft_object_type nft_limit_obj_type;
415 static const struct nft_object_ops nft_limit_obj_bytes_ops = {
416 .type = &nft_limit_obj_type,
417 .size = sizeof(struct nft_limit_priv),
418 .init = nft_limit_obj_bytes_init,
419 .destroy = nft_limit_obj_bytes_destroy,
420 .eval = nft_limit_obj_bytes_eval,
421 .dump = nft_limit_obj_bytes_dump,
422 };
423
424 static const struct nft_object_ops *
nft_limit_obj_select_ops(const struct nft_ctx * ctx,const struct nlattr * const tb[])425 nft_limit_obj_select_ops(const struct nft_ctx *ctx,
426 const struct nlattr * const tb[])
427 {
428 if (!tb[NFTA_LIMIT_TYPE])
429 return &nft_limit_obj_pkts_ops;
430
431 switch (ntohl(nla_get_be32(tb[NFTA_LIMIT_TYPE]))) {
432 case NFT_LIMIT_PKTS:
433 return &nft_limit_obj_pkts_ops;
434 case NFT_LIMIT_PKT_BYTES:
435 return &nft_limit_obj_bytes_ops;
436 }
437 return ERR_PTR(-EOPNOTSUPP);
438 }
439
440 static struct nft_object_type nft_limit_obj_type __read_mostly = {
441 .select_ops = nft_limit_obj_select_ops,
442 .type = NFT_OBJECT_LIMIT,
443 .maxattr = NFTA_LIMIT_MAX,
444 .policy = nft_limit_policy,
445 .owner = THIS_MODULE,
446 };
447
nft_limit_module_init(void)448 static int __init nft_limit_module_init(void)
449 {
450 int err;
451
452 err = nft_register_obj(&nft_limit_obj_type);
453 if (err < 0)
454 return err;
455
456 err = nft_register_expr(&nft_limit_type);
457 if (err < 0)
458 goto err1;
459
460 return 0;
461 err1:
462 nft_unregister_obj(&nft_limit_obj_type);
463 return err;
464 }
465
nft_limit_module_exit(void)466 static void __exit nft_limit_module_exit(void)
467 {
468 nft_unregister_expr(&nft_limit_type);
469 nft_unregister_obj(&nft_limit_obj_type);
470 }
471
472 module_init(nft_limit_module_init);
473 module_exit(nft_limit_module_exit);
474
475 MODULE_LICENSE("GPL");
476 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
477 MODULE_ALIAS_NFT_EXPR("limit");
478 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_LIMIT);
479 MODULE_DESCRIPTION("nftables limit expression support");
480