2008-01-31 05:48:13 -07:00
|
|
|
/*
|
|
|
|
|
* xt_hashlimit - Netfilter module to limit the number of packets per time
|
tree-wide: Assorted spelling fixes
In particular, several occurances of funny versions of 'success',
'unknown', 'therefore', 'acknowledge', 'argument', 'achieve', 'address',
'beginning', 'desirable', 'separate' and 'necessary' are fixed.
Signed-off-by: Daniel Mack <daniel@caiaq.de>
Cc: Joe Perches <joe@perches.com>
Cc: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2010-02-02 17:01:28 -07:00
|
|
|
* separately for each hashbucket (sourceip/sourceport/dstip/dstport)
|
2005-04-16 16:20:36 -06:00
|
|
|
*
|
2008-01-31 05:48:13 -07:00
|
|
|
* (C) 2003-2004 by Harald Welte <laforge@netfilter.org>
|
2013-04-06 07:24:29 -06:00
|
|
|
* (C) 2006-2012 Patrick McHardy <kaber@trash.net>
|
2008-01-31 05:48:13 -07:00
|
|
|
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
|
2005-04-16 16:20:36 -06:00
|
|
|
*
|
|
|
|
|
* Development of this code was funded by Astaro AG, http://www.astaro.com/
|
|
|
|
|
*/
|
2010-03-17 09:04:40 -06:00
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
2005-04-16 16:20:36 -06:00
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include <linux/spinlock.h>
|
|
|
|
|
#include <linux/random.h>
|
|
|
|
|
#include <linux/jhash.h>
|
|
|
|
|
#include <linux/slab.h>
|
|
|
|
|
#include <linux/vmalloc.h>
|
|
|
|
|
#include <linux/proc_fs.h>
|
|
|
|
|
#include <linux/seq_file.h>
|
|
|
|
|
#include <linux/list.h>
|
2006-11-28 18:35:36 -07:00
|
|
|
#include <linux/skbuff.h>
|
2006-12-03 21:15:30 -07:00
|
|
|
#include <linux/mm.h>
|
2006-11-28 18:35:36 -07:00
|
|
|
#include <linux/in.h>
|
|
|
|
|
#include <linux/ip.h>
|
2011-12-11 19:58:24 -07:00
|
|
|
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
|
2006-11-28 18:35:36 -07:00
|
|
|
#include <linux/ipv6.h>
|
2007-12-05 00:51:48 -07:00
|
|
|
#include <net/ipv6.h>
|
2007-12-17 23:45:28 -07:00
|
|
|
#endif
|
|
|
|
|
|
2007-09-12 04:01:34 -06:00
|
|
|
#include <net/net_namespace.h>
|
2010-01-18 00:33:28 -07:00
|
|
|
#include <net/netns/generic.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
#include <linux/netfilter/x_tables.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
#include <linux/netfilter_ipv4/ip_tables.h>
|
2006-11-28 18:35:36 -07:00
|
|
|
#include <linux/netfilter_ipv6/ip6_tables.h>
|
|
|
|
|
#include <linux/netfilter/xt_hashlimit.h>
|
2006-03-26 02:37:14 -07:00
|
|
|
#include <linux/mutex.h>
|
2017-09-07 23:38:58 -06:00
|
|
|
#include <linux/kernel.h>
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
|
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
|
2010-02-28 15:19:52 -07:00
|
|
|
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
|
2008-01-15 00:42:28 -07:00
|
|
|
MODULE_DESCRIPTION("Xtables: per hash-bucket rate-limit match");
|
2006-11-28 18:35:36 -07:00
|
|
|
MODULE_ALIAS("ipt_hashlimit");
|
|
|
|
|
MODULE_ALIAS("ip6t_hashlimit");
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2010-01-18 00:33:28 -07:00
|
|
|
struct hashlimit_net {
|
|
|
|
|
struct hlist_head htables;
|
|
|
|
|
struct proc_dir_entry *ipt_hashlimit;
|
|
|
|
|
struct proc_dir_entry *ip6t_hashlimit;
|
|
|
|
|
};
|
|
|
|
|
|
netns: make struct pernet_operations::id unsigned int
Make struct pernet_operations::id unsigned.
There are 2 reasons to do so:
1)
This field is really an index into an zero based array and
thus is unsigned entity. Using negative value is out-of-bound
access by definition.
2)
On x86_64 unsigned 32-bit data which are mixed with pointers
via array indexing or offsets added or subtracted to pointers
are preffered to signed 32-bit data.
"int" being used as an array index needs to be sign-extended
to 64-bit before being used.
void f(long *p, int i)
{
g(p[i]);
}
roughly translates to
movsx rsi, esi
mov rdi, [rsi+...]
call g
MOVSX is 3 byte instruction which isn't necessary if the variable is
unsigned because x86_64 is zero extending by default.
Now, there is net_generic() function which, you guessed it right, uses
"int" as an array index:
static inline void *net_generic(const struct net *net, int id)
{
...
ptr = ng->ptr[id - 1];
...
}
And this function is used a lot, so those sign extensions add up.
Patch snipes ~1730 bytes on allyesconfig kernel (without all junk
messing with code generation):
add/remove: 0/0 grow/shrink: 70/598 up/down: 396/-2126 (-1730)
Unfortunately some functions actually grow bigger.
This is a semmingly random artefact of code generation with register
allocator being used differently. gcc decides that some variable
needs to live in new r8+ registers and every access now requires REX
prefix. Or it is shifted into r12, so [r12+0] addressing mode has to be
used which is longer than [r8]
However, overall balance is in negative direction:
add/remove: 0/0 grow/shrink: 70/598 up/down: 396/-2126 (-1730)
function old new delta
nfsd4_lock 3886 3959 +73
tipc_link_build_proto_msg 1096 1140 +44
mac80211_hwsim_new_radio 2776 2808 +32
tipc_mon_rcv 1032 1058 +26
svcauth_gss_legacy_init 1413 1429 +16
tipc_bcbase_select_primary 379 392 +13
nfsd4_exchange_id 1247 1260 +13
nfsd4_setclientid_confirm 782 793 +11
...
put_client_renew_locked 494 480 -14
ip_set_sockfn_get 730 716 -14
geneve_sock_add 829 813 -16
nfsd4_sequence_done 721 703 -18
nlmclnt_lookup_host 708 686 -22
nfsd4_lockt 1085 1063 -22
nfs_get_client 1077 1050 -27
tcf_bpf_init 1106 1076 -30
nfsd4_encode_fattr 5997 5930 -67
Total: Before=154856051, After=154854321, chg -0.00%
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-11-16 18:58:21 -07:00
|
|
|
static unsigned int hashlimit_net_id;
|
2010-01-18 00:33:28 -07:00
|
|
|
static inline struct hashlimit_net *hashlimit_pernet(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
return net_generic(net, hashlimit_net_id);
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/* need to declare this at the top */
|
2017-08-18 12:58:59 -06:00
|
|
|
static const struct file_operations dl_file_ops_v2;
|
2016-09-22 10:42:46 -06:00
|
|
|
static const struct file_operations dl_file_ops_v1;
|
2016-09-22 10:43:44 -06:00
|
|
|
static const struct file_operations dl_file_ops;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
/* hash table crap */
|
|
|
|
|
struct dsthash_dst {
|
2006-11-28 18:35:36 -07:00
|
|
|
union {
|
|
|
|
|
struct {
|
|
|
|
|
__be32 src;
|
|
|
|
|
__be32 dst;
|
|
|
|
|
} ip;
|
2011-12-11 19:58:24 -07:00
|
|
|
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
|
2006-11-28 18:35:36 -07:00
|
|
|
struct {
|
|
|
|
|
__be32 src[4];
|
|
|
|
|
__be32 dst[4];
|
|
|
|
|
} ip6;
|
2007-12-17 23:45:28 -07:00
|
|
|
#endif
|
2008-01-31 05:48:13 -07:00
|
|
|
};
|
2006-09-28 15:22:24 -06:00
|
|
|
__be16 src_port;
|
|
|
|
|
__be16 dst_port;
|
2005-04-16 16:20:36 -06:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct dsthash_ent {
|
|
|
|
|
/* static / read-only parts in the beginning */
|
|
|
|
|
struct hlist_node node;
|
|
|
|
|
struct dsthash_dst dst;
|
|
|
|
|
|
|
|
|
|
/* modified structure members in the end */
|
2010-04-01 06:35:56 -06:00
|
|
|
spinlock_t lock;
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned long expires; /* precalculated expiry time */
|
|
|
|
|
struct {
|
|
|
|
|
unsigned long prev; /* last modification */
|
2017-08-18 12:58:59 -06:00
|
|
|
union {
|
|
|
|
|
struct {
|
|
|
|
|
u_int64_t credit;
|
|
|
|
|
u_int64_t credit_cap;
|
|
|
|
|
u_int64_t cost;
|
|
|
|
|
};
|
|
|
|
|
struct {
|
|
|
|
|
u_int32_t interval, prev_window;
|
|
|
|
|
u_int64_t current_rate;
|
|
|
|
|
u_int64_t rate;
|
|
|
|
|
int64_t burst;
|
|
|
|
|
};
|
|
|
|
|
};
|
2005-04-16 16:20:36 -06:00
|
|
|
} rateinfo;
|
2010-04-01 06:35:56 -06:00
|
|
|
struct rcu_head rcu;
|
2005-04-16 16:20:36 -06:00
|
|
|
};
|
|
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
struct xt_hashlimit_htable {
|
2005-04-16 16:20:36 -06:00
|
|
|
struct hlist_node node; /* global list of all htables */
|
2010-02-03 05:24:54 -07:00
|
|
|
int use;
|
2008-10-08 03:35:00 -06:00
|
|
|
u_int8_t family;
|
2010-01-04 08:26:03 -07:00
|
|
|
bool rnd_initialized;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
struct hashlimit_cfg3 cfg; /* config */
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
/* used internally */
|
|
|
|
|
spinlock_t lock; /* lock for list_head */
|
|
|
|
|
u_int32_t rnd; /* random seed for hash */
|
2006-11-28 18:35:36 -07:00
|
|
|
unsigned int count; /* number entries in table */
|
2014-07-23 22:36:50 -06:00
|
|
|
struct delayed_work gc_work;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
/* seq_file stuff */
|
|
|
|
|
struct proc_dir_entry *pde;
|
2013-04-19 04:43:33 -06:00
|
|
|
const char *name;
|
2010-01-18 00:33:28 -07:00
|
|
|
struct net *net;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
struct hlist_head hash[0]; /* hashtable itself */
|
|
|
|
|
};
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
static int
|
2017-08-18 12:58:59 -06:00
|
|
|
cfg_copy(struct hashlimit_cfg3 *to, const void *from, int revision)
|
2016-09-22 10:43:44 -06:00
|
|
|
{
|
|
|
|
|
if (revision == 1) {
|
2017-08-18 12:58:59 -06:00
|
|
|
struct hashlimit_cfg1 *cfg = (struct hashlimit_cfg1 *)from;
|
2016-09-22 10:43:44 -06:00
|
|
|
|
|
|
|
|
to->mode = cfg->mode;
|
|
|
|
|
to->avg = cfg->avg;
|
|
|
|
|
to->burst = cfg->burst;
|
|
|
|
|
to->size = cfg->size;
|
|
|
|
|
to->max = cfg->max;
|
|
|
|
|
to->gc_interval = cfg->gc_interval;
|
|
|
|
|
to->expire = cfg->expire;
|
|
|
|
|
to->srcmask = cfg->srcmask;
|
|
|
|
|
to->dstmask = cfg->dstmask;
|
|
|
|
|
} else if (revision == 2) {
|
2017-08-18 12:58:59 -06:00
|
|
|
struct hashlimit_cfg2 *cfg = (struct hashlimit_cfg2 *)from;
|
|
|
|
|
|
|
|
|
|
to->mode = cfg->mode;
|
|
|
|
|
to->avg = cfg->avg;
|
|
|
|
|
to->burst = cfg->burst;
|
|
|
|
|
to->size = cfg->size;
|
|
|
|
|
to->max = cfg->max;
|
|
|
|
|
to->gc_interval = cfg->gc_interval;
|
|
|
|
|
to->expire = cfg->expire;
|
|
|
|
|
to->srcmask = cfg->srcmask;
|
|
|
|
|
to->dstmask = cfg->dstmask;
|
|
|
|
|
} else if (revision == 3) {
|
|
|
|
|
memcpy(to, from, sizeof(struct hashlimit_cfg3));
|
2016-09-22 10:43:44 -06:00
|
|
|
} else {
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-02-03 05:24:54 -07:00
|
|
|
static DEFINE_MUTEX(hashlimit_mutex); /* protects htables list */
|
2006-12-06 21:33:20 -07:00
|
|
|
static struct kmem_cache *hashlimit_cachep __read_mostly;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2007-07-07 23:15:35 -06:00
|
|
|
static inline bool dst_cmp(const struct dsthash_ent *ent,
|
2007-07-07 23:16:55 -06:00
|
|
|
const struct dsthash_dst *b)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2006-11-28 18:35:36 -07:00
|
|
|
return !memcmp(&ent->dst, b, sizeof(ent->dst));
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
static u_int32_t
|
|
|
|
|
hash_dst(const struct xt_hashlimit_htable *ht, const struct dsthash_dst *dst)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2007-12-17 23:45:13 -07:00
|
|
|
u_int32_t hash = jhash2((const u32 *)dst,
|
|
|
|
|
sizeof(*dst)/sizeof(u32),
|
|
|
|
|
ht->rnd);
|
|
|
|
|
/*
|
|
|
|
|
* Instead of returning hash % ht->cfg.size (implying a divide)
|
|
|
|
|
* we return the high 32 bits of the (hash * ht->cfg.size) that will
|
|
|
|
|
* give results between [0 and cfg.size-1] and same hash distribution,
|
|
|
|
|
* but using a multiply, less expensive than a divide
|
|
|
|
|
*/
|
2014-08-23 12:58:54 -06:00
|
|
|
return reciprocal_scale(hash, ht->cfg.size);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
static struct dsthash_ent *
|
2007-07-07 23:16:55 -06:00
|
|
|
dsthash_find(const struct xt_hashlimit_htable *ht,
|
|
|
|
|
const struct dsthash_dst *dst)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
struct dsthash_ent *ent;
|
|
|
|
|
u_int32_t hash = hash_dst(ht, dst);
|
|
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
if (!hlist_empty(&ht->hash[hash])) {
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-27 18:06:00 -07:00
|
|
|
hlist_for_each_entry_rcu(ent, &ht->hash[hash], node)
|
2010-04-01 06:35:56 -06:00
|
|
|
if (dst_cmp(ent, dst)) {
|
|
|
|
|
spin_lock(&ent->lock);
|
2005-04-16 16:20:36 -06:00
|
|
|
return ent;
|
2010-04-01 06:35:56 -06:00
|
|
|
}
|
2006-11-28 18:35:36 -07:00
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* allocate dsthash_ent, initialize dst, put in htable and lock it */
|
|
|
|
|
static struct dsthash_ent *
|
2007-07-07 23:16:55 -06:00
|
|
|
dsthash_alloc_init(struct xt_hashlimit_htable *ht,
|
2012-12-24 05:09:25 -07:00
|
|
|
const struct dsthash_dst *dst, bool *race)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
struct dsthash_ent *ent;
|
|
|
|
|
|
2010-04-01 06:35:56 -06:00
|
|
|
spin_lock(&ht->lock);
|
2012-12-24 05:09:25 -07:00
|
|
|
|
|
|
|
|
/* Two or more packets may race to create the same entry in the
|
|
|
|
|
* hashtable, double check if this packet lost race.
|
|
|
|
|
*/
|
|
|
|
|
ent = dsthash_find(ht, dst);
|
|
|
|
|
if (ent != NULL) {
|
|
|
|
|
spin_unlock(&ht->lock);
|
|
|
|
|
*race = true;
|
|
|
|
|
return ent;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/* initialize hash with random val at the time we allocate
|
|
|
|
|
* the first hashtable entry */
|
2010-04-01 06:35:56 -06:00
|
|
|
if (unlikely(!ht->rnd_initialized)) {
|
2009-02-20 02:48:06 -07:00
|
|
|
get_random_bytes(&ht->rnd, sizeof(ht->rnd));
|
2010-01-04 08:26:03 -07:00
|
|
|
ht->rnd_initialized = true;
|
2006-06-09 13:18:47 -06:00
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
if (ht->cfg.max && ht->count >= ht->cfg.max) {
|
2005-04-16 16:20:36 -06:00
|
|
|
/* FIXME: do something. question is what.. */
|
2012-05-13 15:56:26 -06:00
|
|
|
net_err_ratelimited("max count of %u reached\n", ht->cfg.max);
|
2010-04-01 06:35:56 -06:00
|
|
|
ent = NULL;
|
|
|
|
|
} else
|
|
|
|
|
ent = kmem_cache_alloc(hashlimit_cachep, GFP_ATOMIC);
|
2011-08-29 15:17:25 -06:00
|
|
|
if (ent) {
|
2010-04-01 06:35:56 -06:00
|
|
|
memcpy(&ent->dst, dst, sizeof(ent->dst));
|
|
|
|
|
spin_lock_init(&ent->lock);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2010-04-01 06:35:56 -06:00
|
|
|
spin_lock(&ent->lock);
|
|
|
|
|
hlist_add_head_rcu(&ent->node, &ht->hash[hash_dst(ht, dst)]);
|
|
|
|
|
ht->count++;
|
|
|
|
|
}
|
|
|
|
|
spin_unlock(&ht->lock);
|
2005-04-16 16:20:36 -06:00
|
|
|
return ent;
|
|
|
|
|
}
|
|
|
|
|
|
2010-04-01 06:35:56 -06:00
|
|
|
static void dsthash_free_rcu(struct rcu_head *head)
|
|
|
|
|
{
|
|
|
|
|
struct dsthash_ent *ent = container_of(head, struct dsthash_ent, rcu);
|
|
|
|
|
|
|
|
|
|
kmem_cache_free(hashlimit_cachep, ent);
|
|
|
|
|
}
|
|
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
static inline void
|
|
|
|
|
dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2010-04-01 06:35:56 -06:00
|
|
|
hlist_del_rcu(&ent->node);
|
|
|
|
|
call_rcu_bh(&ent->rcu, dsthash_free_rcu);
|
2006-11-28 18:35:36 -07:00
|
|
|
ht->count--;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
2014-07-23 22:36:50 -06:00
|
|
|
static void htable_gc(struct work_struct *work);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg,
|
2016-09-22 10:43:44 -06:00
|
|
|
const char *name, u_int8_t family,
|
|
|
|
|
struct xt_hashlimit_htable **out_hinfo,
|
|
|
|
|
int revision)
|
2008-01-31 05:48:13 -07:00
|
|
|
{
|
2010-01-18 00:33:28 -07:00
|
|
|
struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
|
2008-01-31 05:48:13 -07:00
|
|
|
struct xt_hashlimit_htable *hinfo;
|
2017-08-18 12:58:59 -06:00
|
|
|
const struct file_operations *fops;
|
2016-09-22 10:43:44 -06:00
|
|
|
unsigned int size, i;
|
|
|
|
|
int ret;
|
2008-01-31 05:48:13 -07:00
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
if (cfg->size) {
|
|
|
|
|
size = cfg->size;
|
2008-01-31 05:48:13 -07:00
|
|
|
} else {
|
2009-09-21 18:03:05 -06:00
|
|
|
size = (totalram_pages << PAGE_SHIFT) / 16384 /
|
2017-09-07 21:00:16 -06:00
|
|
|
sizeof(struct hlist_head);
|
2009-09-21 18:03:05 -06:00
|
|
|
if (totalram_pages > 1024 * 1024 * 1024 / PAGE_SIZE)
|
2008-01-31 05:48:13 -07:00
|
|
|
size = 8192;
|
|
|
|
|
if (size < 16)
|
|
|
|
|
size = 16;
|
|
|
|
|
}
|
|
|
|
|
/* FIXME: don't use vmalloc() here or anywhere else -HW */
|
|
|
|
|
hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
|
2017-09-07 21:00:16 -06:00
|
|
|
sizeof(struct hlist_head) * size);
|
2010-03-17 17:27:03 -06:00
|
|
|
if (hinfo == NULL)
|
2010-03-19 10:32:59 -06:00
|
|
|
return -ENOMEM;
|
2016-09-22 10:43:44 -06:00
|
|
|
*out_hinfo = hinfo;
|
2008-01-31 05:48:13 -07:00
|
|
|
|
|
|
|
|
/* copy match config into hashtable config */
|
2017-08-18 12:58:59 -06:00
|
|
|
ret = cfg_copy(&hinfo->cfg, (void *)cfg, 3);
|
2016-09-22 10:43:44 -06:00
|
|
|
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
2008-01-31 05:48:13 -07:00
|
|
|
hinfo->cfg.size = size;
|
|
|
|
|
if (hinfo->cfg.max == 0)
|
|
|
|
|
hinfo->cfg.max = 8 * hinfo->cfg.size;
|
|
|
|
|
else if (hinfo->cfg.max < hinfo->cfg.size)
|
|
|
|
|
hinfo->cfg.max = hinfo->cfg.size;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < hinfo->cfg.size; i++)
|
|
|
|
|
INIT_HLIST_HEAD(&hinfo->hash[i]);
|
|
|
|
|
|
2010-02-03 05:24:54 -07:00
|
|
|
hinfo->use = 1;
|
2008-01-31 05:48:13 -07:00
|
|
|
hinfo->count = 0;
|
|
|
|
|
hinfo->family = family;
|
2010-01-04 08:26:03 -07:00
|
|
|
hinfo->rnd_initialized = false;
|
2016-09-22 10:43:44 -06:00
|
|
|
hinfo->name = kstrdup(name, GFP_KERNEL);
|
2013-04-19 04:43:33 -06:00
|
|
|
if (!hinfo->name) {
|
|
|
|
|
vfree(hinfo);
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
}
|
2008-01-31 05:48:13 -07:00
|
|
|
spin_lock_init(&hinfo->lock);
|
|
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
switch (revision) {
|
|
|
|
|
case 1:
|
|
|
|
|
fops = &dl_file_ops_v1;
|
|
|
|
|
break;
|
|
|
|
|
case 2:
|
|
|
|
|
fops = &dl_file_ops_v2;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
fops = &dl_file_ops;
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
hinfo->pde = proc_create_data(name, 0,
|
2008-10-08 03:35:01 -06:00
|
|
|
(family == NFPROTO_IPV4) ?
|
2010-01-18 00:33:28 -07:00
|
|
|
hashlimit_net->ipt_hashlimit : hashlimit_net->ip6t_hashlimit,
|
2017-08-18 12:58:59 -06:00
|
|
|
fops, hinfo);
|
2008-01-31 05:48:13 -07:00
|
|
|
if (hinfo->pde == NULL) {
|
2013-04-19 04:43:33 -06:00
|
|
|
kfree(hinfo->name);
|
2008-01-31 05:48:13 -07:00
|
|
|
vfree(hinfo);
|
2010-03-19 10:32:59 -06:00
|
|
|
return -ENOMEM;
|
2008-01-31 05:48:13 -07:00
|
|
|
}
|
2010-01-18 00:33:28 -07:00
|
|
|
hinfo->net = net;
|
2008-01-31 05:48:13 -07:00
|
|
|
|
2014-07-23 22:36:50 -06:00
|
|
|
INIT_DEFERRABLE_WORK(&hinfo->gc_work, htable_gc);
|
|
|
|
|
queue_delayed_work(system_power_efficient_wq, &hinfo->gc_work,
|
|
|
|
|
msecs_to_jiffies(hinfo->cfg.gc_interval));
|
2008-01-31 05:48:13 -07:00
|
|
|
|
2010-01-18 00:33:28 -07:00
|
|
|
hlist_add_head(&hinfo->node, &hashlimit_net->htables);
|
2008-01-31 05:48:13 -07:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2007-07-07 23:16:55 -06:00
|
|
|
static bool select_all(const struct xt_hashlimit_htable *ht,
|
|
|
|
|
const struct dsthash_ent *he)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2007-07-07 23:16:55 -06:00
|
|
|
static bool select_gc(const struct xt_hashlimit_htable *ht,
|
|
|
|
|
const struct dsthash_ent *he)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2007-12-12 12:11:28 -07:00
|
|
|
return time_after_eq(jiffies, he->expires);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
static void htable_selective_cleanup(struct xt_hashlimit_htable *ht,
|
2007-07-07 23:16:55 -06:00
|
|
|
bool (*select)(const struct xt_hashlimit_htable *ht,
|
|
|
|
|
const struct dsthash_ent *he))
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2006-11-28 18:35:36 -07:00
|
|
|
unsigned int i;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
for (i = 0; i < ht->cfg.size; i++) {
|
|
|
|
|
struct dsthash_ent *dh;
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-27 18:06:00 -07:00
|
|
|
struct hlist_node *n;
|
2014-07-23 22:36:50 -06:00
|
|
|
|
|
|
|
|
spin_lock_bh(&ht->lock);
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-27 18:06:00 -07:00
|
|
|
hlist_for_each_entry_safe(dh, n, &ht->hash[i], node) {
|
2005-04-16 16:20:36 -06:00
|
|
|
if ((*select)(ht, dh))
|
2006-11-28 18:35:36 -07:00
|
|
|
dsthash_free(ht, dh);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
2014-07-23 22:36:50 -06:00
|
|
|
spin_unlock_bh(&ht->lock);
|
|
|
|
|
cond_resched();
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-07-23 22:36:50 -06:00
|
|
|
static void htable_gc(struct work_struct *work)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2014-07-23 22:36:50 -06:00
|
|
|
struct xt_hashlimit_htable *ht;
|
|
|
|
|
|
|
|
|
|
ht = container_of(work, struct xt_hashlimit_htable, gc_work.work);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
htable_selective_cleanup(ht, select_gc);
|
|
|
|
|
|
2014-07-23 22:36:50 -06:00
|
|
|
queue_delayed_work(system_power_efficient_wq,
|
|
|
|
|
&ht->gc_work, msecs_to_jiffies(ht->cfg.gc_interval));
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2013-12-06 01:57:19 -07:00
|
|
|
static void htable_remove_proc_entry(struct xt_hashlimit_htable *hinfo)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2010-01-18 00:33:28 -07:00
|
|
|
struct hashlimit_net *hashlimit_net = hashlimit_pernet(hinfo->net);
|
|
|
|
|
struct proc_dir_entry *parent;
|
|
|
|
|
|
|
|
|
|
if (hinfo->family == NFPROTO_IPV4)
|
|
|
|
|
parent = hashlimit_net->ipt_hashlimit;
|
|
|
|
|
else
|
|
|
|
|
parent = hashlimit_net->ip6t_hashlimit;
|
2012-12-24 06:42:17 -07:00
|
|
|
|
2013-12-06 01:57:19 -07:00
|
|
|
if (parent != NULL)
|
2013-04-19 04:43:33 -06:00
|
|
|
remove_proc_entry(hinfo->name, parent);
|
2013-12-06 01:57:19 -07:00
|
|
|
}
|
2012-12-24 06:42:17 -07:00
|
|
|
|
2013-12-06 01:57:19 -07:00
|
|
|
static void htable_destroy(struct xt_hashlimit_htable *hinfo)
|
|
|
|
|
{
|
2014-07-23 22:36:50 -06:00
|
|
|
cancel_delayed_work_sync(&hinfo->gc_work);
|
2013-12-06 01:57:19 -07:00
|
|
|
htable_remove_proc_entry(hinfo);
|
2005-04-16 16:20:36 -06:00
|
|
|
htable_selective_cleanup(hinfo, select_all);
|
2013-04-19 04:43:33 -06:00
|
|
|
kfree(hinfo->name);
|
2005-04-16 16:20:36 -06:00
|
|
|
vfree(hinfo);
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-18 00:33:28 -07:00
|
|
|
static struct xt_hashlimit_htable *htable_find_get(struct net *net,
|
|
|
|
|
const char *name,
|
2008-10-08 03:35:00 -06:00
|
|
|
u_int8_t family)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2010-01-18 00:33:28 -07:00
|
|
|
struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
|
2006-11-28 18:35:36 -07:00
|
|
|
struct xt_hashlimit_htable *hinfo;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-27 18:06:00 -07:00
|
|
|
hlist_for_each_entry(hinfo, &hashlimit_net->htables, node) {
|
2013-04-19 04:43:33 -06:00
|
|
|
if (!strcmp(name, hinfo->name) &&
|
2006-11-28 18:35:36 -07:00
|
|
|
hinfo->family == family) {
|
2010-02-03 05:24:54 -07:00
|
|
|
hinfo->use++;
|
2005-04-16 16:20:36 -06:00
|
|
|
return hinfo;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
static void htable_put(struct xt_hashlimit_htable *hinfo)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2010-02-03 05:24:54 -07:00
|
|
|
mutex_lock(&hashlimit_mutex);
|
|
|
|
|
if (--hinfo->use == 0) {
|
2005-04-16 16:20:36 -06:00
|
|
|
hlist_del(&hinfo->node);
|
|
|
|
|
htable_destroy(hinfo);
|
|
|
|
|
}
|
2010-02-03 05:24:54 -07:00
|
|
|
mutex_unlock(&hashlimit_mutex);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* The algorithm used is the Simple Token Bucket Filter (TBF)
|
|
|
|
|
* see net/sched/sch_tbf.c in the linux source tree
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* Rusty: This is my (non-mathematically-inclined) understanding of
|
|
|
|
|
this algorithm. The `average rate' in jiffies becomes your initial
|
|
|
|
|
amount of credit `credit' and the most credit you can ever have
|
|
|
|
|
`credit_cap'. The `peak rate' becomes the cost of passing the
|
|
|
|
|
test, `cost'.
|
|
|
|
|
|
|
|
|
|
`prev' tracks the last packet hit: you gain one credit per jiffy.
|
|
|
|
|
If you get credit balance more than this, the extra credit is
|
|
|
|
|
discarded. Every time the match passes, you lose `cost' credits;
|
|
|
|
|
if you don't have that many, the test fails.
|
|
|
|
|
|
|
|
|
|
See Alexey's formal explanation in net/sched/sch_tbf.c.
|
|
|
|
|
|
|
|
|
|
To get the maximum range, we multiply by this factor (ie. you get N
|
|
|
|
|
credits per jiffy). We want to allow a rate as low as 1 per day
|
|
|
|
|
(slowest userspace tool allows), which means
|
|
|
|
|
CREDITS_PER_JIFFY*HZ*60*60*24 < 2^32 ie.
|
|
|
|
|
*/
|
2016-09-22 10:42:46 -06:00
|
|
|
#define MAX_CPJ_v1 (0xFFFFFFFF / (HZ*60*60*24))
|
2016-10-06 07:40:14 -06:00
|
|
|
#define MAX_CPJ (0xFFFFFFFFFFFFFFFFULL / (HZ*60*60*24))
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
/* Repeated shift and or gives us all 1s, final shift and add 1 gives
|
|
|
|
|
* us the power of 2 below the theoretical max, so GCC simply does a
|
|
|
|
|
* shift. */
|
|
|
|
|
#define _POW2_BELOW2(x) ((x)|((x)>>1))
|
|
|
|
|
#define _POW2_BELOW4(x) (_POW2_BELOW2(x)|_POW2_BELOW2((x)>>2))
|
|
|
|
|
#define _POW2_BELOW8(x) (_POW2_BELOW4(x)|_POW2_BELOW4((x)>>4))
|
|
|
|
|
#define _POW2_BELOW16(x) (_POW2_BELOW8(x)|_POW2_BELOW8((x)>>8))
|
|
|
|
|
#define _POW2_BELOW32(x) (_POW2_BELOW16(x)|_POW2_BELOW16((x)>>16))
|
2016-09-22 10:43:44 -06:00
|
|
|
#define _POW2_BELOW64(x) (_POW2_BELOW32(x)|_POW2_BELOW32((x)>>32))
|
2005-04-16 16:20:36 -06:00
|
|
|
#define POW2_BELOW32(x) ((_POW2_BELOW32(x)>>1) + 1)
|
2016-09-22 10:43:44 -06:00
|
|
|
#define POW2_BELOW64(x) ((_POW2_BELOW64(x)>>1) + 1)
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
#define CREDITS_PER_JIFFY POW2_BELOW64(MAX_CPJ)
|
2016-09-22 10:42:46 -06:00
|
|
|
#define CREDITS_PER_JIFFY_v1 POW2_BELOW32(MAX_CPJ_v1)
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2012-05-07 04:51:45 -06:00
|
|
|
/* in byte mode, the lowest possible rate is one packet/second.
|
|
|
|
|
* credit_cap is used as a counter that tells us how many times we can
|
|
|
|
|
* refill the "credits available" counter when it becomes empty.
|
|
|
|
|
*/
|
|
|
|
|
#define MAX_CPJ_BYTES (0xFFFFFFFF / HZ)
|
|
|
|
|
#define CREDITS_PER_JIFFY_BYTES POW2_BELOW32(MAX_CPJ_BYTES)
|
|
|
|
|
|
|
|
|
|
static u32 xt_hashlimit_len_to_chunks(u32 len)
|
|
|
|
|
{
|
|
|
|
|
return (len >> XT_HASHLIMIT_BYTE_SHIFT) + 1;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
/* Precision saver. */
|
2016-09-22 10:43:44 -06:00
|
|
|
static u64 user2credits(u64 user, int revision)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2017-02-06 15:50:33 -07:00
|
|
|
u64 scale = (revision == 1) ?
|
|
|
|
|
XT_HASHLIMIT_SCALE : XT_HASHLIMIT_SCALE_v2;
|
|
|
|
|
u64 cpj = (revision == 1) ?
|
|
|
|
|
CREDITS_PER_JIFFY_v1 : CREDITS_PER_JIFFY;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2017-02-06 15:50:33 -07:00
|
|
|
/* Avoid overflow: divide the constant operands first */
|
|
|
|
|
if (scale >= HZ * cpj)
|
|
|
|
|
return div64_u64(user, div64_u64(scale, HZ * cpj));
|
|
|
|
|
|
|
|
|
|
return user * div64_u64(HZ * cpj, scale);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2012-05-07 04:51:45 -06:00
|
|
|
static u32 user2credits_byte(u32 user)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2012-05-07 04:51:45 -06:00
|
|
|
u64 us = user;
|
|
|
|
|
us *= HZ * CREDITS_PER_JIFFY_BYTES;
|
|
|
|
|
return (u32) (us >> 32);
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
static u64 user2rate(u64 user)
|
|
|
|
|
{
|
|
|
|
|
if (user != 0) {
|
|
|
|
|
return div64_u64(XT_HASHLIMIT_SCALE_v2, user);
|
|
|
|
|
} else {
|
|
|
|
|
pr_warn("invalid rate from userspace: %llu\n", user);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-07 23:38:58 -06:00
|
|
|
static u64 user2rate_bytes(u32 user)
|
2017-08-18 12:58:59 -06:00
|
|
|
{
|
|
|
|
|
u64 r;
|
|
|
|
|
|
2017-09-07 23:38:58 -06:00
|
|
|
r = user ? U32_MAX / user : U32_MAX;
|
|
|
|
|
r = (r - 1) << XT_HASHLIMIT_BYTE_SHIFT;
|
2017-08-18 12:58:59 -06:00
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
static void rateinfo_recalc(struct dsthash_ent *dh, unsigned long now,
|
|
|
|
|
u32 mode, int revision)
|
2012-05-07 04:51:45 -06:00
|
|
|
{
|
|
|
|
|
unsigned long delta = now - dh->rateinfo.prev;
|
2016-09-22 10:43:44 -06:00
|
|
|
u64 cap, cpj;
|
2012-05-07 04:51:45 -06:00
|
|
|
|
|
|
|
|
if (delta == 0)
|
|
|
|
|
return;
|
|
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
if (revision >= 3 && mode & XT_HASHLIMIT_RATE_MATCH) {
|
|
|
|
|
u64 interval = dh->rateinfo.interval * HZ;
|
|
|
|
|
|
|
|
|
|
if (delta < interval)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
dh->rateinfo.prev = now;
|
|
|
|
|
dh->rateinfo.prev_window =
|
|
|
|
|
((dh->rateinfo.current_rate * interval) >
|
|
|
|
|
(delta * dh->rateinfo.rate));
|
|
|
|
|
dh->rateinfo.current_rate = 0;
|
|
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
dh->rateinfo.prev = now;
|
2012-05-07 04:51:45 -06:00
|
|
|
|
|
|
|
|
if (mode & XT_HASHLIMIT_BYTES) {
|
2016-09-22 10:43:44 -06:00
|
|
|
u64 tmp = dh->rateinfo.credit;
|
2012-05-07 04:51:45 -06:00
|
|
|
dh->rateinfo.credit += CREDITS_PER_JIFFY_BYTES * delta;
|
|
|
|
|
cap = CREDITS_PER_JIFFY_BYTES * HZ;
|
|
|
|
|
if (tmp >= dh->rateinfo.credit) {/* overflow */
|
|
|
|
|
dh->rateinfo.credit = cap;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2016-09-22 10:43:44 -06:00
|
|
|
cpj = (revision == 1) ?
|
|
|
|
|
CREDITS_PER_JIFFY_v1 : CREDITS_PER_JIFFY;
|
|
|
|
|
dh->rateinfo.credit += delta * cpj;
|
2012-05-07 04:51:45 -06:00
|
|
|
cap = dh->rateinfo.credit_cap;
|
|
|
|
|
}
|
|
|
|
|
if (dh->rateinfo.credit > cap)
|
|
|
|
|
dh->rateinfo.credit = cap;
|
2006-11-28 18:35:36 -07:00
|
|
|
}
|
|
|
|
|
|
2012-05-07 04:51:44 -06:00
|
|
|
static void rateinfo_init(struct dsthash_ent *dh,
|
2016-09-22 10:43:44 -06:00
|
|
|
struct xt_hashlimit_htable *hinfo, int revision)
|
2012-05-07 04:51:44 -06:00
|
|
|
{
|
|
|
|
|
dh->rateinfo.prev = jiffies;
|
2017-08-18 12:58:59 -06:00
|
|
|
if (revision >= 3 && hinfo->cfg.mode & XT_HASHLIMIT_RATE_MATCH) {
|
|
|
|
|
dh->rateinfo.prev_window = 0;
|
|
|
|
|
dh->rateinfo.current_rate = 0;
|
|
|
|
|
if (hinfo->cfg.mode & XT_HASHLIMIT_BYTES) {
|
2017-09-07 23:38:58 -06:00
|
|
|
dh->rateinfo.rate =
|
|
|
|
|
user2rate_bytes((u32)hinfo->cfg.avg);
|
2017-08-18 12:58:59 -06:00
|
|
|
if (hinfo->cfg.burst)
|
|
|
|
|
dh->rateinfo.burst =
|
|
|
|
|
hinfo->cfg.burst * dh->rateinfo.rate;
|
|
|
|
|
else
|
|
|
|
|
dh->rateinfo.burst = dh->rateinfo.rate;
|
|
|
|
|
} else {
|
|
|
|
|
dh->rateinfo.rate = user2rate(hinfo->cfg.avg);
|
|
|
|
|
dh->rateinfo.burst =
|
|
|
|
|
hinfo->cfg.burst + dh->rateinfo.rate;
|
|
|
|
|
}
|
|
|
|
|
dh->rateinfo.interval = hinfo->cfg.interval;
|
|
|
|
|
} else if (hinfo->cfg.mode & XT_HASHLIMIT_BYTES) {
|
2012-05-07 04:51:45 -06:00
|
|
|
dh->rateinfo.credit = CREDITS_PER_JIFFY_BYTES * HZ;
|
|
|
|
|
dh->rateinfo.cost = user2credits_byte(hinfo->cfg.avg);
|
|
|
|
|
dh->rateinfo.credit_cap = hinfo->cfg.burst;
|
|
|
|
|
} else {
|
|
|
|
|
dh->rateinfo.credit = user2credits(hinfo->cfg.avg *
|
2016-09-22 10:43:44 -06:00
|
|
|
hinfo->cfg.burst, revision);
|
|
|
|
|
dh->rateinfo.cost = user2credits(hinfo->cfg.avg, revision);
|
2012-05-07 04:51:45 -06:00
|
|
|
dh->rateinfo.credit_cap = dh->rateinfo.credit;
|
|
|
|
|
}
|
2012-05-07 04:51:44 -06:00
|
|
|
}
|
|
|
|
|
|
2008-01-31 05:48:13 -07:00
|
|
|
static inline __be32 maskl(__be32 a, unsigned int l)
|
|
|
|
|
{
|
2008-04-09 16:14:18 -06:00
|
|
|
return l ? htonl(ntohl(a) & ~0 << (32 - l)) : 0;
|
2008-01-31 05:48:13 -07:00
|
|
|
}
|
|
|
|
|
|
2011-12-11 19:58:24 -07:00
|
|
|
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
|
2008-01-31 05:48:13 -07:00
|
|
|
static void hashlimit_ipv6_mask(__be32 *i, unsigned int p)
|
|
|
|
|
{
|
|
|
|
|
switch (p) {
|
2008-04-09 16:14:18 -06:00
|
|
|
case 0 ... 31:
|
2008-01-31 05:48:13 -07:00
|
|
|
i[0] = maskl(i[0], p);
|
|
|
|
|
i[1] = i[2] = i[3] = 0;
|
|
|
|
|
break;
|
2008-04-09 16:14:18 -06:00
|
|
|
case 32 ... 63:
|
2008-01-31 05:48:13 -07:00
|
|
|
i[1] = maskl(i[1], p - 32);
|
|
|
|
|
i[2] = i[3] = 0;
|
|
|
|
|
break;
|
2008-04-09 16:14:18 -06:00
|
|
|
case 64 ... 95:
|
2008-01-31 05:48:13 -07:00
|
|
|
i[2] = maskl(i[2], p - 64);
|
|
|
|
|
i[3] = 0;
|
2010-03-25 10:25:11 -06:00
|
|
|
break;
|
2008-04-09 16:14:18 -06:00
|
|
|
case 96 ... 127:
|
2008-01-31 05:48:13 -07:00
|
|
|
i[3] = maskl(i[3], p - 96);
|
|
|
|
|
break;
|
|
|
|
|
case 128:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
2008-01-31 19:42:26 -07:00
|
|
|
#endif
|
2008-01-31 05:48:13 -07:00
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
static int
|
2007-07-07 23:16:55 -06:00
|
|
|
hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
|
|
|
|
|
struct dsthash_dst *dst,
|
2006-11-28 18:35:36 -07:00
|
|
|
const struct sk_buff *skb, unsigned int protoff)
|
|
|
|
|
{
|
|
|
|
|
__be16 _ports[2], *ports;
|
2007-12-05 00:51:48 -07:00
|
|
|
u8 nexthdr;
|
2010-08-17 13:06:39 -06:00
|
|
|
int poff;
|
2006-11-28 18:35:36 -07:00
|
|
|
|
|
|
|
|
memset(dst, 0, sizeof(*dst));
|
|
|
|
|
|
|
|
|
|
switch (hinfo->family) {
|
2008-10-08 03:35:01 -06:00
|
|
|
case NFPROTO_IPV4:
|
2006-11-28 18:35:36 -07:00
|
|
|
if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP)
|
2008-01-31 05:48:13 -07:00
|
|
|
dst->ip.dst = maskl(ip_hdr(skb)->daddr,
|
|
|
|
|
hinfo->cfg.dstmask);
|
2006-11-28 18:35:36 -07:00
|
|
|
if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SIP)
|
2008-01-31 05:48:13 -07:00
|
|
|
dst->ip.src = maskl(ip_hdr(skb)->saddr,
|
|
|
|
|
hinfo->cfg.srcmask);
|
2006-11-28 18:35:36 -07:00
|
|
|
|
|
|
|
|
if (!(hinfo->cfg.mode &
|
|
|
|
|
(XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_SPT)))
|
|
|
|
|
return 0;
|
2007-04-20 23:47:35 -06:00
|
|
|
nexthdr = ip_hdr(skb)->protocol;
|
2006-11-28 18:35:36 -07:00
|
|
|
break;
|
2011-12-11 19:58:24 -07:00
|
|
|
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
|
2008-10-08 03:35:01 -06:00
|
|
|
case NFPROTO_IPV6:
|
2012-01-10 17:52:17 -07:00
|
|
|
{
|
|
|
|
|
__be16 frag_off;
|
|
|
|
|
|
2008-01-31 05:48:13 -07:00
|
|
|
if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP) {
|
|
|
|
|
memcpy(&dst->ip6.dst, &ipv6_hdr(skb)->daddr,
|
|
|
|
|
sizeof(dst->ip6.dst));
|
|
|
|
|
hashlimit_ipv6_mask(dst->ip6.dst, hinfo->cfg.dstmask);
|
|
|
|
|
}
|
|
|
|
|
if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SIP) {
|
|
|
|
|
memcpy(&dst->ip6.src, &ipv6_hdr(skb)->saddr,
|
|
|
|
|
sizeof(dst->ip6.src));
|
|
|
|
|
hashlimit_ipv6_mask(dst->ip6.src, hinfo->cfg.srcmask);
|
|
|
|
|
}
|
2006-11-28 18:35:36 -07:00
|
|
|
|
|
|
|
|
if (!(hinfo->cfg.mode &
|
|
|
|
|
(XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_SPT)))
|
|
|
|
|
return 0;
|
2007-12-05 00:51:48 -07:00
|
|
|
nexthdr = ipv6_hdr(skb)->nexthdr;
|
2011-11-30 18:05:51 -07:00
|
|
|
protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, &frag_off);
|
2007-12-05 00:51:48 -07:00
|
|
|
if ((int)protoff < 0)
|
2006-11-28 18:35:36 -07:00
|
|
|
return -1;
|
|
|
|
|
break;
|
2012-01-10 17:52:17 -07:00
|
|
|
}
|
2006-11-28 18:35:36 -07:00
|
|
|
#endif
|
|
|
|
|
default:
|
|
|
|
|
BUG();
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-08-17 13:06:39 -06:00
|
|
|
poff = proto_ports_offset(nexthdr);
|
|
|
|
|
if (poff >= 0) {
|
|
|
|
|
ports = skb_header_pointer(skb, protoff + poff, sizeof(_ports),
|
2006-11-28 18:35:36 -07:00
|
|
|
&_ports);
|
2010-08-17 13:06:39 -06:00
|
|
|
} else {
|
2006-11-28 18:35:36 -07:00
|
|
|
_ports[0] = _ports[1] = 0;
|
|
|
|
|
ports = _ports;
|
|
|
|
|
}
|
|
|
|
|
if (!ports)
|
|
|
|
|
return -1;
|
|
|
|
|
if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SPT)
|
|
|
|
|
dst->src_port = ports[0];
|
|
|
|
|
if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DPT)
|
|
|
|
|
dst->dst_port = ports[1];
|
|
|
|
|
return 0;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2012-05-07 04:51:45 -06:00
|
|
|
static u32 hashlimit_byte_cost(unsigned int len, struct dsthash_ent *dh)
|
|
|
|
|
{
|
|
|
|
|
u64 tmp = xt_hashlimit_len_to_chunks(len);
|
|
|
|
|
tmp = tmp * dh->rateinfo.cost;
|
|
|
|
|
|
|
|
|
|
if (unlikely(tmp > CREDITS_PER_JIFFY_BYTES * HZ))
|
|
|
|
|
tmp = CREDITS_PER_JIFFY_BYTES * HZ;
|
|
|
|
|
|
|
|
|
|
if (dh->rateinfo.credit < tmp && dh->rateinfo.credit_cap) {
|
|
|
|
|
dh->rateinfo.credit_cap--;
|
|
|
|
|
dh->rateinfo.credit = CREDITS_PER_JIFFY_BYTES * HZ;
|
|
|
|
|
}
|
|
|
|
|
return (u32) tmp;
|
|
|
|
|
}
|
|
|
|
|
|
2007-07-07 23:16:00 -06:00
|
|
|
static bool
|
2016-09-22 10:43:44 -06:00
|
|
|
hashlimit_mt_common(const struct sk_buff *skb, struct xt_action_param *par,
|
|
|
|
|
struct xt_hashlimit_htable *hinfo,
|
2017-08-18 12:58:59 -06:00
|
|
|
const struct hashlimit_cfg3 *cfg, int revision)
|
2008-01-31 05:48:13 -07:00
|
|
|
{
|
|
|
|
|
unsigned long now = jiffies;
|
|
|
|
|
struct dsthash_ent *dh;
|
|
|
|
|
struct dsthash_dst dst;
|
2012-12-24 05:09:25 -07:00
|
|
|
bool race = false;
|
2016-09-22 10:43:44 -06:00
|
|
|
u64 cost;
|
2008-01-31 05:48:13 -07:00
|
|
|
|
2008-10-08 03:35:18 -06:00
|
|
|
if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
|
2008-01-31 05:48:13 -07:00
|
|
|
goto hotdrop;
|
|
|
|
|
|
netfilter: Remove duplicated rcu_read_lock.
This patch removes duplicate rcu_read_lock().
1. IPVS part:
According to Julian Anastasov's mention, contexts of ipvs are described
at: http://marc.info/?l=netfilter-devel&m=149562884514072&w=2, in summary:
- packet RX/TX: does not need locks because packets come from hooks.
- sync msg RX: backup server uses RCU locks while registering new
connections.
- ip_vs_ctl.c: configuration get/set, RCU locks needed.
- xt_ipvs.c: It is a netfilter match, running from hook context.
As result, rcu_read_lock and rcu_read_unlock can be removed from:
- ip_vs_core.c: all
- ip_vs_ctl.c:
- only from ip_vs_has_real_service
- ip_vs_ftp.c: all
- ip_vs_proto_sctp.c: all
- ip_vs_proto_tcp.c: all
- ip_vs_proto_udp.c: all
- ip_vs_xmit.c: all (contains only packet processing)
2. Netfilter part:
There are three types of functions that are guaranteed the rcu_read_lock().
First, as result, functions are only called by nf_hook():
- nf_conntrack_broadcast_help(), pptp_expectfn(), set_expected_rtp_rtcp().
- tcpmss_reverse_mtu(), tproxy_laddr4(), tproxy_laddr6().
- match_lookup_rt6(), check_hlist(), hashlimit_mt_common().
- xt_osf_match_packet().
Second, functions that caller already held the rcu_read_lock().
- destroy_conntrack(), ctnetlink_conntrack_event().
- ctnl_timeout_find_get(), nfqnl_nf_hook_drop().
Third, functions that are mixed with type1 and type2.
These functions are called by nf_hook() also these are called by
ordinary functions that already held the rcu_read_lock():
- __ctnetlink_glue_build(), ctnetlink_expect_event().
- ctnetlink_proto_size().
Applied files are below:
- nf_conntrack_broadcast.c, nf_conntrack_core.c, nf_conntrack_netlink.c.
- nf_conntrack_pptp.c, nf_conntrack_sip.c, nfnetlink_cttimeout.c.
- nfnetlink_queue.c, xt_TCPMSS.c, xt_TPROXY.c, xt_addrtype.c.
- xt_connlimit.c, xt_hashlimit.c, xt_osf.c
Detailed calltrace can be found at:
http://marc.info/?l=netfilter-devel&m=149667610710350&w=2
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-07-18 23:27:33 -06:00
|
|
|
local_bh_disable();
|
2008-01-31 05:48:13 -07:00
|
|
|
dh = dsthash_find(hinfo, &dst);
|
|
|
|
|
if (dh == NULL) {
|
2012-12-24 05:09:25 -07:00
|
|
|
dh = dsthash_alloc_init(hinfo, &dst, &race);
|
2008-01-31 05:48:13 -07:00
|
|
|
if (dh == NULL) {
|
netfilter: Remove duplicated rcu_read_lock.
This patch removes duplicate rcu_read_lock().
1. IPVS part:
According to Julian Anastasov's mention, contexts of ipvs are described
at: http://marc.info/?l=netfilter-devel&m=149562884514072&w=2, in summary:
- packet RX/TX: does not need locks because packets come from hooks.
- sync msg RX: backup server uses RCU locks while registering new
connections.
- ip_vs_ctl.c: configuration get/set, RCU locks needed.
- xt_ipvs.c: It is a netfilter match, running from hook context.
As result, rcu_read_lock and rcu_read_unlock can be removed from:
- ip_vs_core.c: all
- ip_vs_ctl.c:
- only from ip_vs_has_real_service
- ip_vs_ftp.c: all
- ip_vs_proto_sctp.c: all
- ip_vs_proto_tcp.c: all
- ip_vs_proto_udp.c: all
- ip_vs_xmit.c: all (contains only packet processing)
2. Netfilter part:
There are three types of functions that are guaranteed the rcu_read_lock().
First, as result, functions are only called by nf_hook():
- nf_conntrack_broadcast_help(), pptp_expectfn(), set_expected_rtp_rtcp().
- tcpmss_reverse_mtu(), tproxy_laddr4(), tproxy_laddr6().
- match_lookup_rt6(), check_hlist(), hashlimit_mt_common().
- xt_osf_match_packet().
Second, functions that caller already held the rcu_read_lock().
- destroy_conntrack(), ctnetlink_conntrack_event().
- ctnl_timeout_find_get(), nfqnl_nf_hook_drop().
Third, functions that are mixed with type1 and type2.
These functions are called by nf_hook() also these are called by
ordinary functions that already held the rcu_read_lock():
- __ctnetlink_glue_build(), ctnetlink_expect_event().
- ctnetlink_proto_size().
Applied files are below:
- nf_conntrack_broadcast.c, nf_conntrack_core.c, nf_conntrack_netlink.c.
- nf_conntrack_pptp.c, nf_conntrack_sip.c, nfnetlink_cttimeout.c.
- nfnetlink_queue.c, xt_TCPMSS.c, xt_TPROXY.c, xt_addrtype.c.
- xt_connlimit.c, xt_hashlimit.c, xt_osf.c
Detailed calltrace can be found at:
http://marc.info/?l=netfilter-devel&m=149667610710350&w=2
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-07-18 23:27:33 -06:00
|
|
|
local_bh_enable();
|
2008-01-31 05:48:13 -07:00
|
|
|
goto hotdrop;
|
2012-12-24 05:09:25 -07:00
|
|
|
} else if (race) {
|
|
|
|
|
/* Already got an entry, update expiration timeout */
|
|
|
|
|
dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
|
2016-09-22 10:43:44 -06:00
|
|
|
rateinfo_recalc(dh, now, hinfo->cfg.mode, revision);
|
2012-12-24 05:09:25 -07:00
|
|
|
} else {
|
|
|
|
|
dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
|
2016-09-22 10:43:44 -06:00
|
|
|
rateinfo_init(dh, hinfo, revision);
|
2008-01-31 05:48:13 -07:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
/* update expiration timeout */
|
|
|
|
|
dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
|
2016-09-22 10:43:44 -06:00
|
|
|
rateinfo_recalc(dh, now, hinfo->cfg.mode, revision);
|
2008-01-31 05:48:13 -07:00
|
|
|
}
|
|
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
if (cfg->mode & XT_HASHLIMIT_RATE_MATCH) {
|
|
|
|
|
cost = (cfg->mode & XT_HASHLIMIT_BYTES) ? skb->len : 1;
|
|
|
|
|
dh->rateinfo.current_rate += cost;
|
|
|
|
|
|
|
|
|
|
if (!dh->rateinfo.prev_window &&
|
|
|
|
|
(dh->rateinfo.current_rate <= dh->rateinfo.burst)) {
|
|
|
|
|
spin_unlock(&dh->lock);
|
2018-02-12 09:11:48 -07:00
|
|
|
local_bh_enable();
|
2017-08-18 12:58:59 -06:00
|
|
|
return !(cfg->mode & XT_HASHLIMIT_INVERT);
|
|
|
|
|
} else {
|
|
|
|
|
goto overlimit;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
if (cfg->mode & XT_HASHLIMIT_BYTES)
|
2012-05-07 04:51:45 -06:00
|
|
|
cost = hashlimit_byte_cost(skb->len, dh);
|
|
|
|
|
else
|
|
|
|
|
cost = dh->rateinfo.cost;
|
|
|
|
|
|
|
|
|
|
if (dh->rateinfo.credit >= cost) {
|
2008-01-31 05:48:13 -07:00
|
|
|
/* below the limit */
|
2012-05-07 04:51:45 -06:00
|
|
|
dh->rateinfo.credit -= cost;
|
2010-04-01 06:35:56 -06:00
|
|
|
spin_unlock(&dh->lock);
|
netfilter: Remove duplicated rcu_read_lock.
This patch removes duplicate rcu_read_lock().
1. IPVS part:
According to Julian Anastasov's mention, contexts of ipvs are described
at: http://marc.info/?l=netfilter-devel&m=149562884514072&w=2, in summary:
- packet RX/TX: does not need locks because packets come from hooks.
- sync msg RX: backup server uses RCU locks while registering new
connections.
- ip_vs_ctl.c: configuration get/set, RCU locks needed.
- xt_ipvs.c: It is a netfilter match, running from hook context.
As result, rcu_read_lock and rcu_read_unlock can be removed from:
- ip_vs_core.c: all
- ip_vs_ctl.c:
- only from ip_vs_has_real_service
- ip_vs_ftp.c: all
- ip_vs_proto_sctp.c: all
- ip_vs_proto_tcp.c: all
- ip_vs_proto_udp.c: all
- ip_vs_xmit.c: all (contains only packet processing)
2. Netfilter part:
There are three types of functions that are guaranteed the rcu_read_lock().
First, as result, functions are only called by nf_hook():
- nf_conntrack_broadcast_help(), pptp_expectfn(), set_expected_rtp_rtcp().
- tcpmss_reverse_mtu(), tproxy_laddr4(), tproxy_laddr6().
- match_lookup_rt6(), check_hlist(), hashlimit_mt_common().
- xt_osf_match_packet().
Second, functions that caller already held the rcu_read_lock().
- destroy_conntrack(), ctnetlink_conntrack_event().
- ctnl_timeout_find_get(), nfqnl_nf_hook_drop().
Third, functions that are mixed with type1 and type2.
These functions are called by nf_hook() also these are called by
ordinary functions that already held the rcu_read_lock():
- __ctnetlink_glue_build(), ctnetlink_expect_event().
- ctnetlink_proto_size().
Applied files are below:
- nf_conntrack_broadcast.c, nf_conntrack_core.c, nf_conntrack_netlink.c.
- nf_conntrack_pptp.c, nf_conntrack_sip.c, nfnetlink_cttimeout.c.
- nfnetlink_queue.c, xt_TCPMSS.c, xt_TPROXY.c, xt_addrtype.c.
- xt_connlimit.c, xt_hashlimit.c, xt_osf.c
Detailed calltrace can be found at:
http://marc.info/?l=netfilter-devel&m=149667610710350&w=2
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-07-18 23:27:33 -06:00
|
|
|
local_bh_enable();
|
2016-09-22 10:43:44 -06:00
|
|
|
return !(cfg->mode & XT_HASHLIMIT_INVERT);
|
2008-01-31 05:48:13 -07:00
|
|
|
}
|
|
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
overlimit:
|
2010-04-01 06:35:56 -06:00
|
|
|
spin_unlock(&dh->lock);
|
netfilter: Remove duplicated rcu_read_lock.
This patch removes duplicate rcu_read_lock().
1. IPVS part:
According to Julian Anastasov's mention, contexts of ipvs are described
at: http://marc.info/?l=netfilter-devel&m=149562884514072&w=2, in summary:
- packet RX/TX: does not need locks because packets come from hooks.
- sync msg RX: backup server uses RCU locks while registering new
connections.
- ip_vs_ctl.c: configuration get/set, RCU locks needed.
- xt_ipvs.c: It is a netfilter match, running from hook context.
As result, rcu_read_lock and rcu_read_unlock can be removed from:
- ip_vs_core.c: all
- ip_vs_ctl.c:
- only from ip_vs_has_real_service
- ip_vs_ftp.c: all
- ip_vs_proto_sctp.c: all
- ip_vs_proto_tcp.c: all
- ip_vs_proto_udp.c: all
- ip_vs_xmit.c: all (contains only packet processing)
2. Netfilter part:
There are three types of functions that are guaranteed the rcu_read_lock().
First, as result, functions are only called by nf_hook():
- nf_conntrack_broadcast_help(), pptp_expectfn(), set_expected_rtp_rtcp().
- tcpmss_reverse_mtu(), tproxy_laddr4(), tproxy_laddr6().
- match_lookup_rt6(), check_hlist(), hashlimit_mt_common().
- xt_osf_match_packet().
Second, functions that caller already held the rcu_read_lock().
- destroy_conntrack(), ctnetlink_conntrack_event().
- ctnl_timeout_find_get(), nfqnl_nf_hook_drop().
Third, functions that are mixed with type1 and type2.
These functions are called by nf_hook() also these are called by
ordinary functions that already held the rcu_read_lock():
- __ctnetlink_glue_build(), ctnetlink_expect_event().
- ctnetlink_proto_size().
Applied files are below:
- nf_conntrack_broadcast.c, nf_conntrack_core.c, nf_conntrack_netlink.c.
- nf_conntrack_pptp.c, nf_conntrack_sip.c, nfnetlink_cttimeout.c.
- nfnetlink_queue.c, xt_TCPMSS.c, xt_TPROXY.c, xt_addrtype.c.
- xt_connlimit.c, xt_hashlimit.c, xt_osf.c
Detailed calltrace can be found at:
http://marc.info/?l=netfilter-devel&m=149667610710350&w=2
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-07-18 23:27:33 -06:00
|
|
|
local_bh_enable();
|
2008-01-31 05:48:13 -07:00
|
|
|
/* default match is underlimit - so over the limit, we need to invert */
|
2016-09-22 10:43:44 -06:00
|
|
|
return cfg->mode & XT_HASHLIMIT_INVERT;
|
2008-01-31 05:48:13 -07:00
|
|
|
|
|
|
|
|
hotdrop:
|
2009-07-07 12:54:30 -06:00
|
|
|
par->hotdrop = true;
|
2008-01-31 05:48:13 -07:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
static bool
|
|
|
|
|
hashlimit_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
|
|
|
|
|
{
|
|
|
|
|
const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
|
|
|
|
|
struct xt_hashlimit_htable *hinfo = info->hinfo;
|
2017-08-18 12:58:59 -06:00
|
|
|
struct hashlimit_cfg3 cfg = {};
|
2016-09-22 10:43:44 -06:00
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
|
|
|
|
|
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
return hashlimit_mt_common(skb, par, hinfo, &cfg, 1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool
|
2017-08-18 12:58:59 -06:00
|
|
|
hashlimit_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
|
2016-09-22 10:43:44 -06:00
|
|
|
{
|
|
|
|
|
const struct xt_hashlimit_mtinfo2 *info = par->matchinfo;
|
|
|
|
|
struct xt_hashlimit_htable *hinfo = info->hinfo;
|
2017-08-18 12:58:59 -06:00
|
|
|
struct hashlimit_cfg3 cfg = {};
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
ret = cfg_copy(&cfg, (void *)&info->cfg, 2);
|
|
|
|
|
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
return hashlimit_mt_common(skb, par, hinfo, &cfg, 2);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool
|
|
|
|
|
hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
|
|
|
|
{
|
|
|
|
|
const struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
|
|
|
|
|
struct xt_hashlimit_htable *hinfo = info->hinfo;
|
2016-09-22 10:43:44 -06:00
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
return hashlimit_mt_common(skb, par, hinfo, &info->cfg, 3);
|
2016-09-22 10:43:44 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int hashlimit_mt_check_common(const struct xt_mtchk_param *par,
|
|
|
|
|
struct xt_hashlimit_htable **hinfo,
|
2017-08-18 12:58:59 -06:00
|
|
|
struct hashlimit_cfg3 *cfg,
|
2016-09-22 10:43:44 -06:00
|
|
|
const char *name, int revision)
|
2008-01-31 05:48:13 -07:00
|
|
|
{
|
2010-01-18 00:33:28 -07:00
|
|
|
struct net *net = par->net;
|
2010-03-19 10:32:59 -06:00
|
|
|
int ret;
|
2008-01-31 05:48:13 -07:00
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
if (cfg->gc_interval == 0 || cfg->expire == 0)
|
2010-03-23 09:35:56 -06:00
|
|
|
return -EINVAL;
|
2010-03-17 17:44:52 -06:00
|
|
|
if (par->family == NFPROTO_IPV4) {
|
2016-09-22 10:43:44 -06:00
|
|
|
if (cfg->srcmask > 32 || cfg->dstmask > 32)
|
2010-03-23 09:35:56 -06:00
|
|
|
return -EINVAL;
|
2008-01-31 05:48:13 -07:00
|
|
|
} else {
|
2016-09-22 10:43:44 -06:00
|
|
|
if (cfg->srcmask > 128 || cfg->dstmask > 128)
|
2010-03-23 09:35:56 -06:00
|
|
|
return -EINVAL;
|
2008-01-31 05:48:13 -07:00
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
if (cfg->mode & ~XT_HASHLIMIT_ALL) {
|
2012-05-07 04:51:45 -06:00
|
|
|
pr_info("Unknown mode mask %X, kernel too old?\n",
|
2016-09-22 10:43:44 -06:00
|
|
|
cfg->mode);
|
2012-05-07 04:51:45 -06:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Check for overflow. */
|
2017-08-18 12:58:59 -06:00
|
|
|
if (revision >= 3 && cfg->mode & XT_HASHLIMIT_RATE_MATCH) {
|
2017-09-07 23:38:58 -06:00
|
|
|
if (cfg->avg == 0 || cfg->avg > U32_MAX) {
|
2017-08-18 12:58:59 -06:00
|
|
|
pr_info("hashlimit invalid rate\n");
|
|
|
|
|
return -ERANGE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (cfg->interval == 0) {
|
|
|
|
|
pr_info("hashlimit invalid interval\n");
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
} else if (cfg->mode & XT_HASHLIMIT_BYTES) {
|
2016-09-22 10:43:44 -06:00
|
|
|
if (user2credits_byte(cfg->avg) == 0) {
|
|
|
|
|
pr_info("overflow, rate too high: %llu\n", cfg->avg);
|
2012-05-07 04:51:45 -06:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
2016-09-22 10:43:44 -06:00
|
|
|
} else if (cfg->burst == 0 ||
|
|
|
|
|
user2credits(cfg->avg * cfg->burst, revision) <
|
|
|
|
|
user2credits(cfg->avg, revision)) {
|
|
|
|
|
pr_info("overflow, try lower: %llu/%llu\n",
|
|
|
|
|
cfg->avg, cfg->burst);
|
2012-05-07 04:51:45 -06:00
|
|
|
return -ERANGE;
|
|
|
|
|
}
|
|
|
|
|
|
2010-02-03 05:24:54 -07:00
|
|
|
mutex_lock(&hashlimit_mutex);
|
2016-09-22 10:43:44 -06:00
|
|
|
*hinfo = htable_find_get(net, name, par->family);
|
|
|
|
|
if (*hinfo == NULL) {
|
|
|
|
|
ret = htable_create(net, cfg, name, par->family,
|
|
|
|
|
hinfo, revision);
|
2010-03-19 10:32:59 -06:00
|
|
|
if (ret < 0) {
|
|
|
|
|
mutex_unlock(&hashlimit_mutex);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2008-01-31 05:48:13 -07:00
|
|
|
}
|
2010-02-03 05:24:54 -07:00
|
|
|
mutex_unlock(&hashlimit_mutex);
|
2016-09-22 10:43:44 -06:00
|
|
|
|
2010-03-23 09:35:56 -06:00
|
|
|
return 0;
|
2008-01-31 05:48:13 -07:00
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
static int hashlimit_mt_check_v1(const struct xt_mtchk_param *par)
|
|
|
|
|
{
|
|
|
|
|
struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
|
2017-08-18 12:58:59 -06:00
|
|
|
struct hashlimit_cfg3 cfg = {};
|
2016-09-22 10:43:44 -06:00
|
|
|
int ret;
|
|
|
|
|
|
2018-03-09 17:15:45 -07:00
|
|
|
ret = xt_check_proc_name(info->name, sizeof(info->name));
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
2016-09-22 10:43:44 -06:00
|
|
|
|
|
|
|
|
ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
|
|
|
|
|
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
return hashlimit_mt_check_common(par, &info->hinfo,
|
|
|
|
|
&cfg, info->name, 1);
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
static int hashlimit_mt_check_v2(const struct xt_mtchk_param *par)
|
2016-09-22 10:43:44 -06:00
|
|
|
{
|
|
|
|
|
struct xt_hashlimit_mtinfo2 *info = par->matchinfo;
|
2017-08-18 12:58:59 -06:00
|
|
|
struct hashlimit_cfg3 cfg = {};
|
|
|
|
|
int ret;
|
|
|
|
|
|
2018-03-09 17:15:45 -07:00
|
|
|
ret = xt_check_proc_name(info->name, sizeof(info->name));
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
2017-08-18 12:58:59 -06:00
|
|
|
|
|
|
|
|
ret = cfg_copy(&cfg, (void *)&info->cfg, 2);
|
|
|
|
|
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
return hashlimit_mt_check_common(par, &info->hinfo,
|
|
|
|
|
&cfg, info->name, 2);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int hashlimit_mt_check(const struct xt_mtchk_param *par)
|
|
|
|
|
{
|
|
|
|
|
struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
|
2018-03-09 17:15:45 -07:00
|
|
|
int ret;
|
2016-09-22 10:43:44 -06:00
|
|
|
|
2018-03-09 17:15:45 -07:00
|
|
|
ret = xt_check_proc_name(info->name, sizeof(info->name));
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
2016-09-22 10:43:44 -06:00
|
|
|
|
|
|
|
|
return hashlimit_mt_check_common(par, &info->hinfo, &info->cfg,
|
2017-08-18 12:58:59 -06:00
|
|
|
info->name, 3);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void hashlimit_mt_destroy_v2(const struct xt_mtdtor_param *par)
|
|
|
|
|
{
|
|
|
|
|
const struct xt_hashlimit_mtinfo2 *info = par->matchinfo;
|
|
|
|
|
|
|
|
|
|
htable_put(info->hinfo);
|
2016-09-22 10:43:44 -06:00
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:42:46 -06:00
|
|
|
static void hashlimit_mt_destroy_v1(const struct xt_mtdtor_param *par)
|
2008-01-31 05:48:13 -07:00
|
|
|
{
|
2008-10-08 03:35:19 -06:00
|
|
|
const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
|
2008-01-31 05:48:13 -07:00
|
|
|
|
|
|
|
|
htable_put(info->hinfo);
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
static void hashlimit_mt_destroy(const struct xt_mtdtor_param *par)
|
|
|
|
|
{
|
2017-08-18 12:58:59 -06:00
|
|
|
const struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
|
2016-09-22 10:43:44 -06:00
|
|
|
|
|
|
|
|
htable_put(info->hinfo);
|
|
|
|
|
}
|
|
|
|
|
|
2007-12-05 00:24:03 -07:00
|
|
|
static struct xt_match hashlimit_mt_reg[] __read_mostly = {
|
2008-01-31 05:48:13 -07:00
|
|
|
{
|
|
|
|
|
.name = "hashlimit",
|
|
|
|
|
.revision = 1,
|
2008-10-08 03:35:01 -06:00
|
|
|
.family = NFPROTO_IPV4,
|
2016-09-22 10:42:46 -06:00
|
|
|
.match = hashlimit_mt_v1,
|
2008-01-31 05:48:13 -07:00
|
|
|
.matchsize = sizeof(struct xt_hashlimit_mtinfo1),
|
2017-01-02 15:19:46 -07:00
|
|
|
.usersize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
|
2016-09-22 10:42:46 -06:00
|
|
|
.checkentry = hashlimit_mt_check_v1,
|
|
|
|
|
.destroy = hashlimit_mt_destroy_v1,
|
2008-01-31 05:48:13 -07:00
|
|
|
.me = THIS_MODULE,
|
|
|
|
|
},
|
2016-09-22 10:43:44 -06:00
|
|
|
{
|
|
|
|
|
.name = "hashlimit",
|
|
|
|
|
.revision = 2,
|
|
|
|
|
.family = NFPROTO_IPV4,
|
2017-08-18 12:58:59 -06:00
|
|
|
.match = hashlimit_mt_v2,
|
2016-09-22 10:43:44 -06:00
|
|
|
.matchsize = sizeof(struct xt_hashlimit_mtinfo2),
|
2017-01-02 15:19:46 -07:00
|
|
|
.usersize = offsetof(struct xt_hashlimit_mtinfo2, hinfo),
|
2017-08-18 12:58:59 -06:00
|
|
|
.checkentry = hashlimit_mt_check_v2,
|
|
|
|
|
.destroy = hashlimit_mt_destroy_v2,
|
|
|
|
|
.me = THIS_MODULE,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.name = "hashlimit",
|
|
|
|
|
.revision = 3,
|
|
|
|
|
.family = NFPROTO_IPV4,
|
|
|
|
|
.match = hashlimit_mt,
|
|
|
|
|
.matchsize = sizeof(struct xt_hashlimit_mtinfo3),
|
|
|
|
|
.usersize = offsetof(struct xt_hashlimit_mtinfo3, hinfo),
|
2016-09-22 10:43:44 -06:00
|
|
|
.checkentry = hashlimit_mt_check,
|
|
|
|
|
.destroy = hashlimit_mt_destroy,
|
|
|
|
|
.me = THIS_MODULE,
|
|
|
|
|
},
|
2011-12-11 19:58:24 -07:00
|
|
|
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
|
2008-01-31 05:48:13 -07:00
|
|
|
{
|
|
|
|
|
.name = "hashlimit",
|
|
|
|
|
.revision = 1,
|
2008-10-08 03:35:01 -06:00
|
|
|
.family = NFPROTO_IPV6,
|
2016-09-22 10:42:46 -06:00
|
|
|
.match = hashlimit_mt_v1,
|
2008-01-31 05:48:13 -07:00
|
|
|
.matchsize = sizeof(struct xt_hashlimit_mtinfo1),
|
2017-01-02 15:19:46 -07:00
|
|
|
.usersize = offsetof(struct xt_hashlimit_mtinfo1, hinfo),
|
2016-09-22 10:42:46 -06:00
|
|
|
.checkentry = hashlimit_mt_check_v1,
|
|
|
|
|
.destroy = hashlimit_mt_destroy_v1,
|
2008-01-31 05:48:13 -07:00
|
|
|
.me = THIS_MODULE,
|
|
|
|
|
},
|
2016-09-22 10:43:44 -06:00
|
|
|
{
|
|
|
|
|
.name = "hashlimit",
|
|
|
|
|
.revision = 2,
|
|
|
|
|
.family = NFPROTO_IPV6,
|
2017-08-18 12:58:59 -06:00
|
|
|
.match = hashlimit_mt_v2,
|
2016-09-22 10:43:44 -06:00
|
|
|
.matchsize = sizeof(struct xt_hashlimit_mtinfo2),
|
2017-01-02 15:19:46 -07:00
|
|
|
.usersize = offsetof(struct xt_hashlimit_mtinfo2, hinfo),
|
2017-08-18 12:58:59 -06:00
|
|
|
.checkentry = hashlimit_mt_check_v2,
|
|
|
|
|
.destroy = hashlimit_mt_destroy_v2,
|
|
|
|
|
.me = THIS_MODULE,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.name = "hashlimit",
|
|
|
|
|
.revision = 3,
|
|
|
|
|
.family = NFPROTO_IPV6,
|
|
|
|
|
.match = hashlimit_mt,
|
|
|
|
|
.matchsize = sizeof(struct xt_hashlimit_mtinfo3),
|
|
|
|
|
.usersize = offsetof(struct xt_hashlimit_mtinfo3, hinfo),
|
2016-09-22 10:43:44 -06:00
|
|
|
.checkentry = hashlimit_mt_check,
|
|
|
|
|
.destroy = hashlimit_mt_destroy,
|
|
|
|
|
.me = THIS_MODULE,
|
|
|
|
|
},
|
2007-12-17 23:45:28 -07:00
|
|
|
#endif
|
2005-04-16 16:20:36 -06:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* PROC stuff */
|
|
|
|
|
static void *dl_seq_start(struct seq_file *s, loff_t *pos)
|
2008-01-31 05:08:39 -07:00
|
|
|
__acquires(htable->lock)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2010-01-18 00:14:50 -07:00
|
|
|
struct xt_hashlimit_htable *htable = s->private;
|
2005-04-16 16:20:36 -06:00
|
|
|
unsigned int *bucket;
|
|
|
|
|
|
|
|
|
|
spin_lock_bh(&htable->lock);
|
|
|
|
|
if (*pos >= htable->cfg.size)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
bucket = kmalloc(sizeof(unsigned int), GFP_ATOMIC);
|
|
|
|
|
if (!bucket)
|
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
|
|
|
|
|
|
*bucket = *pos;
|
|
|
|
|
return bucket;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos)
|
|
|
|
|
{
|
2010-01-18 00:14:50 -07:00
|
|
|
struct xt_hashlimit_htable *htable = s->private;
|
2017-03-28 13:05:16 -06:00
|
|
|
unsigned int *bucket = v;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
*pos = ++(*bucket);
|
|
|
|
|
if (*pos >= htable->cfg.size) {
|
|
|
|
|
kfree(v);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
return bucket;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void dl_seq_stop(struct seq_file *s, void *v)
|
2008-01-31 05:08:39 -07:00
|
|
|
__releases(htable->lock)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2010-01-18 00:14:50 -07:00
|
|
|
struct xt_hashlimit_htable *htable = s->private;
|
2017-03-28 13:05:16 -06:00
|
|
|
unsigned int *bucket = v;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2010-03-25 04:00:22 -06:00
|
|
|
if (!IS_ERR(bucket))
|
|
|
|
|
kfree(bucket);
|
2005-04-16 16:20:36 -06:00
|
|
|
spin_unlock_bh(&htable->lock);
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
static void dl_seq_print(struct dsthash_ent *ent, u_int8_t family,
|
|
|
|
|
struct seq_file *s)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2006-11-28 18:35:36 -07:00
|
|
|
switch (family) {
|
2008-10-08 03:35:01 -06:00
|
|
|
case NFPROTO_IPV4:
|
2016-09-22 10:43:44 -06:00
|
|
|
seq_printf(s, "%ld %pI4:%u->%pI4:%u %llu %llu %llu\n",
|
2014-10-27 15:43:45 -06:00
|
|
|
(long)(ent->expires - jiffies)/HZ,
|
|
|
|
|
&ent->dst.ip.src,
|
|
|
|
|
ntohs(ent->dst.src_port),
|
|
|
|
|
&ent->dst.ip.dst,
|
|
|
|
|
ntohs(ent->dst.dst_port),
|
|
|
|
|
ent->rateinfo.credit, ent->rateinfo.credit_cap,
|
|
|
|
|
ent->rateinfo.cost);
|
2010-04-01 06:35:56 -06:00
|
|
|
break;
|
2011-12-11 19:58:24 -07:00
|
|
|
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
|
2008-10-08 03:35:01 -06:00
|
|
|
case NFPROTO_IPV6:
|
2016-09-22 10:43:44 -06:00
|
|
|
seq_printf(s, "%ld %pI6:%u->%pI6:%u %llu %llu %llu\n",
|
2014-10-27 15:43:45 -06:00
|
|
|
(long)(ent->expires - jiffies)/HZ,
|
|
|
|
|
&ent->dst.ip6.src,
|
|
|
|
|
ntohs(ent->dst.src_port),
|
|
|
|
|
&ent->dst.ip6.dst,
|
|
|
|
|
ntohs(ent->dst.dst_port),
|
|
|
|
|
ent->rateinfo.credit, ent->rateinfo.credit_cap,
|
|
|
|
|
ent->rateinfo.cost);
|
2010-04-01 06:35:56 -06:00
|
|
|
break;
|
2007-12-17 23:45:28 -07:00
|
|
|
#endif
|
2006-11-28 18:35:36 -07:00
|
|
|
default:
|
|
|
|
|
BUG();
|
|
|
|
|
}
|
2016-09-22 10:43:44 -06:00
|
|
|
}
|
|
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
static int dl_seq_real_show_v2(struct dsthash_ent *ent, u_int8_t family,
|
|
|
|
|
struct seq_file *s)
|
|
|
|
|
{
|
|
|
|
|
const struct xt_hashlimit_htable *ht = s->private;
|
|
|
|
|
|
|
|
|
|
spin_lock(&ent->lock);
|
|
|
|
|
/* recalculate to show accurate numbers */
|
|
|
|
|
rateinfo_recalc(ent, jiffies, ht->cfg.mode, 2);
|
|
|
|
|
|
|
|
|
|
dl_seq_print(ent, family, s);
|
|
|
|
|
|
|
|
|
|
spin_unlock(&ent->lock);
|
|
|
|
|
return seq_has_overflowed(s);
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
static int dl_seq_real_show_v1(struct dsthash_ent *ent, u_int8_t family,
|
|
|
|
|
struct seq_file *s)
|
|
|
|
|
{
|
|
|
|
|
const struct xt_hashlimit_htable *ht = s->private;
|
|
|
|
|
|
|
|
|
|
spin_lock(&ent->lock);
|
|
|
|
|
/* recalculate to show accurate numbers */
|
|
|
|
|
rateinfo_recalc(ent, jiffies, ht->cfg.mode, 1);
|
|
|
|
|
|
|
|
|
|
dl_seq_print(ent, family, s);
|
|
|
|
|
|
|
|
|
|
spin_unlock(&ent->lock);
|
|
|
|
|
return seq_has_overflowed(s);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
|
|
|
|
|
struct seq_file *s)
|
|
|
|
|
{
|
|
|
|
|
const struct xt_hashlimit_htable *ht = s->private;
|
|
|
|
|
|
|
|
|
|
spin_lock(&ent->lock);
|
|
|
|
|
/* recalculate to show accurate numbers */
|
2017-08-18 12:58:59 -06:00
|
|
|
rateinfo_recalc(ent, jiffies, ht->cfg.mode, 3);
|
2016-09-22 10:43:44 -06:00
|
|
|
|
|
|
|
|
dl_seq_print(ent, family, s);
|
|
|
|
|
|
2010-04-01 06:35:56 -06:00
|
|
|
spin_unlock(&ent->lock);
|
2014-10-27 15:43:45 -06:00
|
|
|
return seq_has_overflowed(s);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
static int dl_seq_show_v2(struct seq_file *s, void *v)
|
|
|
|
|
{
|
|
|
|
|
struct xt_hashlimit_htable *htable = s->private;
|
|
|
|
|
unsigned int *bucket = (unsigned int *)v;
|
|
|
|
|
struct dsthash_ent *ent;
|
|
|
|
|
|
|
|
|
|
if (!hlist_empty(&htable->hash[*bucket])) {
|
|
|
|
|
hlist_for_each_entry(ent, &htable->hash[*bucket], node)
|
|
|
|
|
if (dl_seq_real_show_v2(ent, htable->family, s))
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:42:46 -06:00
|
|
|
static int dl_seq_show_v1(struct seq_file *s, void *v)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2010-01-18 00:14:50 -07:00
|
|
|
struct xt_hashlimit_htable *htable = s->private;
|
2017-03-28 13:05:16 -06:00
|
|
|
unsigned int *bucket = v;
|
2005-04-16 16:20:36 -06:00
|
|
|
struct dsthash_ent *ent;
|
|
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
if (!hlist_empty(&htable->hash[*bucket])) {
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-27 18:06:00 -07:00
|
|
|
hlist_for_each_entry(ent, &htable->hash[*bucket], node)
|
2016-09-22 10:42:46 -06:00
|
|
|
if (dl_seq_real_show_v1(ent, htable->family, s))
|
2009-05-27 07:45:34 -06:00
|
|
|
return -1;
|
2006-11-28 18:35:36 -07:00
|
|
|
}
|
2005-04-16 16:20:36 -06:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
static int dl_seq_show(struct seq_file *s, void *v)
|
|
|
|
|
{
|
|
|
|
|
struct xt_hashlimit_htable *htable = s->private;
|
2017-03-28 13:05:16 -06:00
|
|
|
unsigned int *bucket = v;
|
2016-09-22 10:43:44 -06:00
|
|
|
struct dsthash_ent *ent;
|
|
|
|
|
|
|
|
|
|
if (!hlist_empty(&htable->hash[*bucket])) {
|
|
|
|
|
hlist_for_each_entry(ent, &htable->hash[*bucket], node)
|
|
|
|
|
if (dl_seq_real_show(ent, htable->family, s))
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:42:46 -06:00
|
|
|
static const struct seq_operations dl_seq_ops_v1 = {
|
2005-04-16 16:20:36 -06:00
|
|
|
.start = dl_seq_start,
|
|
|
|
|
.next = dl_seq_next,
|
|
|
|
|
.stop = dl_seq_stop,
|
2016-09-22 10:42:46 -06:00
|
|
|
.show = dl_seq_show_v1
|
2005-04-16 16:20:36 -06:00
|
|
|
};
|
|
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
static const struct seq_operations dl_seq_ops_v2 = {
|
|
|
|
|
.start = dl_seq_start,
|
|
|
|
|
.next = dl_seq_next,
|
|
|
|
|
.stop = dl_seq_stop,
|
|
|
|
|
.show = dl_seq_show_v2
|
|
|
|
|
};
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
static const struct seq_operations dl_seq_ops = {
|
|
|
|
|
.start = dl_seq_start,
|
|
|
|
|
.next = dl_seq_next,
|
|
|
|
|
.stop = dl_seq_stop,
|
|
|
|
|
.show = dl_seq_show
|
|
|
|
|
};
|
|
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
static int dl_proc_open_v2(struct inode *inode, struct file *file)
|
|
|
|
|
{
|
|
|
|
|
int ret = seq_open(file, &dl_seq_ops_v2);
|
|
|
|
|
|
|
|
|
|
if (!ret) {
|
|
|
|
|
struct seq_file *sf = file->private_data;
|
|
|
|
|
|
|
|
|
|
sf->private = PDE_DATA(inode);
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:42:46 -06:00
|
|
|
static int dl_proc_open_v1(struct inode *inode, struct file *file)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2016-09-22 10:42:46 -06:00
|
|
|
int ret = seq_open(file, &dl_seq_ops_v1);
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
if (!ret) {
|
|
|
|
|
struct seq_file *sf = file->private_data;
|
2013-03-31 16:16:14 -06:00
|
|
|
sf->private = PDE_DATA(inode);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
static int dl_proc_open(struct inode *inode, struct file *file)
|
|
|
|
|
{
|
|
|
|
|
int ret = seq_open(file, &dl_seq_ops);
|
|
|
|
|
|
|
|
|
|
if (!ret) {
|
|
|
|
|
struct seq_file *sf = file->private_data;
|
|
|
|
|
|
|
|
|
|
sf->private = PDE_DATA(inode);
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-18 12:58:59 -06:00
|
|
|
static const struct file_operations dl_file_ops_v2 = {
|
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
|
.open = dl_proc_open_v2,
|
|
|
|
|
.read = seq_read,
|
|
|
|
|
.llseek = seq_lseek,
|
|
|
|
|
.release = seq_release
|
|
|
|
|
};
|
|
|
|
|
|
2016-09-22 10:42:46 -06:00
|
|
|
static const struct file_operations dl_file_ops_v1 = {
|
2005-04-16 16:20:36 -06:00
|
|
|
.owner = THIS_MODULE,
|
2016-09-22 10:42:46 -06:00
|
|
|
.open = dl_proc_open_v1,
|
2005-04-16 16:20:36 -06:00
|
|
|
.read = seq_read,
|
|
|
|
|
.llseek = seq_lseek,
|
|
|
|
|
.release = seq_release
|
|
|
|
|
};
|
|
|
|
|
|
2016-09-22 10:43:44 -06:00
|
|
|
static const struct file_operations dl_file_ops = {
|
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
|
.open = dl_proc_open,
|
|
|
|
|
.read = seq_read,
|
|
|
|
|
.llseek = seq_lseek,
|
|
|
|
|
.release = seq_release
|
|
|
|
|
};
|
|
|
|
|
|
2010-01-18 00:33:28 -07:00
|
|
|
static int __net_init hashlimit_proc_net_init(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
|
|
|
|
|
|
|
|
|
|
hashlimit_net->ipt_hashlimit = proc_mkdir("ipt_hashlimit", net->proc_net);
|
|
|
|
|
if (!hashlimit_net->ipt_hashlimit)
|
|
|
|
|
return -ENOMEM;
|
2011-12-11 19:58:24 -07:00
|
|
|
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
|
2010-01-18 00:33:28 -07:00
|
|
|
hashlimit_net->ip6t_hashlimit = proc_mkdir("ip6t_hashlimit", net->proc_net);
|
|
|
|
|
if (!hashlimit_net->ip6t_hashlimit) {
|
2013-02-17 18:34:56 -07:00
|
|
|
remove_proc_entry("ipt_hashlimit", net->proc_net);
|
2010-01-18 00:33:28 -07:00
|
|
|
return -ENOMEM;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __net_exit hashlimit_proc_net_exit(struct net *net)
|
|
|
|
|
{
|
2012-12-24 06:42:17 -07:00
|
|
|
struct xt_hashlimit_htable *hinfo;
|
|
|
|
|
struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
|
|
|
|
|
|
2013-12-06 01:57:19 -07:00
|
|
|
/* hashlimit_net_exit() is called before hashlimit_mt_destroy().
|
|
|
|
|
* Make sure that the parent ipt_hashlimit and ip6t_hashlimit proc
|
|
|
|
|
* entries is empty before trying to remove it.
|
2012-12-24 06:42:17 -07:00
|
|
|
*/
|
|
|
|
|
mutex_lock(&hashlimit_mutex);
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-27 18:06:00 -07:00
|
|
|
hlist_for_each_entry(hinfo, &hashlimit_net->htables, node)
|
2013-12-06 01:57:19 -07:00
|
|
|
htable_remove_proc_entry(hinfo);
|
2012-12-24 06:42:17 -07:00
|
|
|
hashlimit_net->ipt_hashlimit = NULL;
|
|
|
|
|
hashlimit_net->ip6t_hashlimit = NULL;
|
|
|
|
|
mutex_unlock(&hashlimit_mutex);
|
|
|
|
|
|
2013-02-17 18:34:56 -07:00
|
|
|
remove_proc_entry("ipt_hashlimit", net->proc_net);
|
2011-12-11 19:58:24 -07:00
|
|
|
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
|
2013-02-17 18:34:56 -07:00
|
|
|
remove_proc_entry("ip6t_hashlimit", net->proc_net);
|
2010-01-18 00:33:28 -07:00
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int __net_init hashlimit_net_init(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
|
|
|
|
|
|
|
|
|
|
INIT_HLIST_HEAD(&hashlimit_net->htables);
|
|
|
|
|
return hashlimit_proc_net_init(net);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __net_exit hashlimit_net_exit(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
hashlimit_proc_net_exit(net);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct pernet_operations hashlimit_net_ops = {
|
|
|
|
|
.init = hashlimit_net_init,
|
|
|
|
|
.exit = hashlimit_net_exit,
|
|
|
|
|
.id = &hashlimit_net_id,
|
|
|
|
|
.size = sizeof(struct hashlimit_net),
|
|
|
|
|
};
|
|
|
|
|
|
2007-12-05 00:24:03 -07:00
|
|
|
static int __init hashlimit_mt_init(void)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2006-11-28 18:35:36 -07:00
|
|
|
int err;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2010-01-18 00:33:28 -07:00
|
|
|
err = register_pernet_subsys(&hashlimit_net_ops);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
2007-12-05 00:24:03 -07:00
|
|
|
err = xt_register_matches(hashlimit_mt_reg,
|
|
|
|
|
ARRAY_SIZE(hashlimit_mt_reg));
|
2006-11-28 18:35:36 -07:00
|
|
|
if (err < 0)
|
|
|
|
|
goto err1;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
err = -ENOMEM;
|
|
|
|
|
hashlimit_cachep = kmem_cache_create("xt_hashlimit",
|
|
|
|
|
sizeof(struct dsthash_ent), 0, 0,
|
2007-07-19 19:11:58 -06:00
|
|
|
NULL);
|
2005-04-16 16:20:36 -06:00
|
|
|
if (!hashlimit_cachep) {
|
2014-09-09 22:17:32 -06:00
|
|
|
pr_warn("unable to create slab cache\n");
|
2006-11-28 18:35:36 -07:00
|
|
|
goto err2;
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
2010-01-18 00:33:28 -07:00
|
|
|
return 0;
|
|
|
|
|
|
2006-11-28 18:35:36 -07:00
|
|
|
err2:
|
2007-12-05 00:24:03 -07:00
|
|
|
xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg));
|
2006-11-28 18:35:36 -07:00
|
|
|
err1:
|
2010-01-18 00:33:28 -07:00
|
|
|
unregister_pernet_subsys(&hashlimit_net_ops);
|
2006-11-28 18:35:36 -07:00
|
|
|
return err;
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2007-12-05 00:24:03 -07:00
|
|
|
static void __exit hashlimit_mt_exit(void)
|
2005-04-16 16:20:36 -06:00
|
|
|
{
|
2007-12-05 00:24:03 -07:00
|
|
|
xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg));
|
2010-01-18 00:33:28 -07:00
|
|
|
unregister_pernet_subsys(&hashlimit_net_ops);
|
2010-04-01 06:35:56 -06:00
|
|
|
|
|
|
|
|
rcu_barrier_bh();
|
|
|
|
|
kmem_cache_destroy(hashlimit_cachep);
|
2005-04-16 16:20:36 -06:00
|
|
|
}
|
|
|
|
|
|
2007-12-05 00:24:03 -07:00
|
|
|
module_init(hashlimit_mt_init);
|
|
|
|
|
module_exit(hashlimit_mt_exit);
|