2007-07-15 03:47:26 +00:00
|
|
|
/*
|
|
|
|
|
* netfilter module to limit the number of parallel tcp
|
|
|
|
|
* connections per IP address.
|
|
|
|
|
* (c) 2000 Gerd Knorr <kraxel@bytesex.org>
|
|
|
|
|
* Nov 2002: Martin Bene <martin.bene@icomedias.com>:
|
|
|
|
|
* only ignore TIME_WAIT or gone connections
|
2007-11-06 04:35:56 +00:00
|
|
|
* (C) CC Computer Consultants GmbH, 2007
|
2007-07-15 03:47:26 +00:00
|
|
|
*
|
|
|
|
|
* based on ...
|
|
|
|
|
*
|
|
|
|
|
* Kernel module to match connection tracking information.
|
|
|
|
|
* GPL (C) 1999 Rusty Russell (rusty@rustcorp.com.au).
|
|
|
|
|
*/
|
2010-03-17 15:04:40 +00:00
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
2007-07-15 03:47:26 +00:00
|
|
|
#include <linux/in.h>
|
|
|
|
|
#include <linux/in6.h>
|
|
|
|
|
#include <linux/ip.h>
|
|
|
|
|
#include <linux/ipv6.h>
|
|
|
|
|
#include <linux/jhash.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 08:04:11 +00:00
|
|
|
#include <linux/slab.h>
|
2007-07-15 03:47:26 +00:00
|
|
|
#include <linux/list.h>
|
2014-03-12 22:49:51 +00:00
|
|
|
#include <linux/rbtree.h>
|
2007-07-15 03:47:26 +00:00
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include <linux/random.h>
|
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
|
#include <linux/spinlock.h>
|
|
|
|
|
#include <linux/netfilter/nf_conntrack_tcp.h>
|
|
|
|
|
#include <linux/netfilter/x_tables.h>
|
|
|
|
|
#include <linux/netfilter/xt_connlimit.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack_core.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack_tuple.h>
|
2010-02-15 17:13:33 +00:00
|
|
|
#include <net/netfilter/nf_conntrack_zones.h>
|
2007-07-15 03:47:26 +00:00
|
|
|
|
2014-03-20 10:53:39 +00:00
|
|
|
#define CONNLIMIT_SLOTS 256U
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_LOCKDEP
|
|
|
|
|
#define CONNLIMIT_LOCK_SLOTS 8U
|
|
|
|
|
#else
|
|
|
|
|
#define CONNLIMIT_LOCK_SLOTS 256U
|
|
|
|
|
#endif
|
|
|
|
|
|
2014-03-12 22:49:51 +00:00
|
|
|
#define CONNLIMIT_GC_MAX_NODES 8
|
2014-03-12 22:49:49 +00:00
|
|
|
|
2007-07-15 03:47:26 +00:00
|
|
|
/* we will save the tuples of all connections we care about */
|
|
|
|
|
struct xt_connlimit_conn {
|
2011-03-15 12:25:42 +00:00
|
|
|
struct hlist_node node;
|
2011-03-15 12:23:28 +00:00
|
|
|
struct nf_conntrack_tuple tuple;
|
2007-07-15 03:47:26 +00:00
|
|
|
};
|
|
|
|
|
|
2014-03-12 22:49:51 +00:00
|
|
|
struct xt_connlimit_rb {
|
|
|
|
|
struct rb_node node;
|
|
|
|
|
struct hlist_head hhead; /* connections/hosts in same subnet */
|
|
|
|
|
union nf_inet_addr addr; /* search key */
|
|
|
|
|
};
|
|
|
|
|
|
2014-03-20 10:53:39 +00:00
|
|
|
static spinlock_t xt_connlimit_locks[CONNLIMIT_LOCK_SLOTS] __cacheline_aligned_in_smp;
|
|
|
|
|
|
2007-07-15 03:47:26 +00:00
|
|
|
struct xt_connlimit_data {
|
2017-08-02 09:14:43 +00:00
|
|
|
struct rb_root climit_root[CONNLIMIT_SLOTS];
|
2007-07-15 03:47:26 +00:00
|
|
|
};
|
|
|
|
|
|
2010-01-04 15:28:38 +00:00
|
|
|
static u_int32_t connlimit_rnd __read_mostly;
|
2014-03-12 22:49:51 +00:00
|
|
|
static struct kmem_cache *connlimit_rb_cachep __read_mostly;
|
2014-03-07 13:37:12 +00:00
|
|
|
static struct kmem_cache *connlimit_conn_cachep __read_mostly;
|
2007-07-15 03:47:26 +00:00
|
|
|
|
2007-07-26 16:33:19 +00:00
|
|
|
static inline unsigned int connlimit_iphash(__be32 addr)
|
2007-07-15 03:47:26 +00:00
|
|
|
{
|
2014-03-12 22:49:49 +00:00
|
|
|
return jhash_1word((__force __u32)addr,
|
|
|
|
|
connlimit_rnd) % CONNLIMIT_SLOTS;
|
2007-07-15 03:47:26 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline unsigned int
|
2007-12-18 06:43:50 +00:00
|
|
|
connlimit_iphash6(const union nf_inet_addr *addr,
|
|
|
|
|
const union nf_inet_addr *mask)
|
2007-07-15 03:47:26 +00:00
|
|
|
{
|
2007-12-18 06:43:50 +00:00
|
|
|
union nf_inet_addr res;
|
2007-07-15 03:47:26 +00:00
|
|
|
unsigned int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < ARRAY_SIZE(addr->ip6); ++i)
|
|
|
|
|
res.ip6[i] = addr->ip6[i] & mask->ip6[i];
|
|
|
|
|
|
2014-03-12 22:49:49 +00:00
|
|
|
return jhash2((u32 *)res.ip6, ARRAY_SIZE(res.ip6),
|
|
|
|
|
connlimit_rnd) % CONNLIMIT_SLOTS;
|
2007-07-15 03:47:26 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline bool already_closed(const struct nf_conn *conn)
|
|
|
|
|
{
|
2008-04-14 09:15:52 +00:00
|
|
|
if (nf_ct_protonum(conn) == IPPROTO_TCP)
|
2008-06-04 16:57:51 +00:00
|
|
|
return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT ||
|
|
|
|
|
conn->proto.tcp.state == TCP_CONNTRACK_CLOSE;
|
2007-07-15 03:47:26 +00:00
|
|
|
else
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2014-03-12 22:49:50 +00:00
|
|
|
static int
|
2007-12-18 06:43:50 +00:00
|
|
|
same_source_net(const union nf_inet_addr *addr,
|
|
|
|
|
const union nf_inet_addr *mask,
|
2008-10-08 09:35:00 +00:00
|
|
|
const union nf_inet_addr *u3, u_int8_t family)
|
2007-07-15 03:47:26 +00:00
|
|
|
{
|
2008-10-08 09:35:01 +00:00
|
|
|
if (family == NFPROTO_IPV4) {
|
2014-03-12 22:49:50 +00:00
|
|
|
return ntohl(addr->ip & mask->ip) -
|
|
|
|
|
ntohl(u3->ip & mask->ip);
|
2007-07-15 03:47:26 +00:00
|
|
|
} else {
|
2007-12-18 06:43:50 +00:00
|
|
|
union nf_inet_addr lh, rh;
|
2007-07-15 03:47:26 +00:00
|
|
|
unsigned int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < ARRAY_SIZE(addr->ip6); ++i) {
|
|
|
|
|
lh.ip6[i] = addr->ip6[i] & mask->ip6[i];
|
|
|
|
|
rh.ip6[i] = u3->ip6[i] & mask->ip6[i];
|
|
|
|
|
}
|
|
|
|
|
|
2014-03-12 22:49:50 +00:00
|
|
|
return memcmp(&lh.ip6, &rh.ip6, sizeof(lh.ip6));
|
2007-07-15 03:47:26 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-03-12 22:49:51 +00:00
|
|
|
static bool add_hlist(struct hlist_head *head,
|
|
|
|
|
const struct nf_conntrack_tuple *tuple,
|
|
|
|
|
const union nf_inet_addr *addr)
|
|
|
|
|
{
|
|
|
|
|
struct xt_connlimit_conn *conn;
|
|
|
|
|
|
|
|
|
|
conn = kmem_cache_alloc(connlimit_conn_cachep, GFP_ATOMIC);
|
|
|
|
|
if (conn == NULL)
|
|
|
|
|
return false;
|
|
|
|
|
conn->tuple = *tuple;
|
|
|
|
|
hlist_add_head(&conn->node, head);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static unsigned int check_hlist(struct net *net,
|
|
|
|
|
struct hlist_head *head,
|
|
|
|
|
const struct nf_conntrack_tuple *tuple,
|
2015-08-08 19:40:01 +00:00
|
|
|
const struct nf_conntrack_zone *zone,
|
2014-03-12 22:49:51 +00:00
|
|
|
bool *addit)
|
2007-07-15 03:47:26 +00:00
|
|
|
{
|
2008-04-14 07:56:05 +00:00
|
|
|
const struct nf_conntrack_tuple_hash *found;
|
2007-07-15 03:47:26 +00:00
|
|
|
struct xt_connlimit_conn *conn;
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
struct hlist_node *n;
|
2009-03-25 20:05:46 +00:00
|
|
|
struct nf_conn *found_ct;
|
2014-03-12 22:49:51 +00:00
|
|
|
unsigned int length = 0;
|
2007-07-15 03:47:26 +00:00
|
|
|
|
2014-03-12 22:49:51 +00:00
|
|
|
*addit = true;
|
2007-07-15 03:47:26 +00:00
|
|
|
|
|
|
|
|
/* check the saved connections */
|
2014-03-07 13:37:09 +00:00
|
|
|
hlist_for_each_entry_safe(conn, n, head, node) {
|
2014-11-14 12:21:48 +00:00
|
|
|
found = nf_conntrack_find_get(net, zone, &conn->tuple);
|
2014-03-07 13:37:10 +00:00
|
|
|
if (found == NULL) {
|
|
|
|
|
hlist_del(&conn->node);
|
2014-03-07 13:37:12 +00:00
|
|
|
kmem_cache_free(connlimit_conn_cachep, conn);
|
2014-03-07 13:37:10 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
2007-07-15 03:47:26 +00:00
|
|
|
|
2014-03-07 13:37:10 +00:00
|
|
|
found_ct = nf_ct_tuplehash_to_ctrack(found);
|
2007-07-15 03:47:26 +00:00
|
|
|
|
2014-03-07 13:37:10 +00:00
|
|
|
if (nf_ct_tuple_equal(&conn->tuple, tuple)) {
|
2007-07-15 03:47:26 +00:00
|
|
|
/*
|
|
|
|
|
* Just to be sure we have it only once in the list.
|
|
|
|
|
* We should not see tuples twice unless someone hooks
|
|
|
|
|
* this into a table without "-p tcp --syn".
|
|
|
|
|
*/
|
2014-03-07 13:37:11 +00:00
|
|
|
*addit = false;
|
2014-03-07 13:37:10 +00:00
|
|
|
} else if (already_closed(found_ct)) {
|
2007-07-15 03:47:26 +00:00
|
|
|
/*
|
|
|
|
|
* we do not care about connections which are
|
|
|
|
|
* closed already -> ditch it
|
|
|
|
|
*/
|
2009-03-25 20:05:46 +00:00
|
|
|
nf_ct_put(found_ct);
|
2011-03-15 12:25:42 +00:00
|
|
|
hlist_del(&conn->node);
|
2014-03-07 13:37:12 +00:00
|
|
|
kmem_cache_free(connlimit_conn_cachep, conn);
|
2007-07-15 03:47:26 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2009-03-25 20:05:46 +00:00
|
|
|
nf_ct_put(found_ct);
|
2014-03-12 22:49:51 +00:00
|
|
|
length++;
|
2007-07-15 03:47:26 +00:00
|
|
|
}
|
|
|
|
|
|
2014-03-12 22:49:51 +00:00
|
|
|
return length;
|
2007-07-15 03:47:26 +00:00
|
|
|
}
|
|
|
|
|
|
2014-03-12 22:49:51 +00:00
|
|
|
static void tree_nodes_free(struct rb_root *root,
|
|
|
|
|
struct xt_connlimit_rb *gc_nodes[],
|
|
|
|
|
unsigned int gc_count)
|
|
|
|
|
{
|
|
|
|
|
struct xt_connlimit_rb *rbconn;
|
|
|
|
|
|
|
|
|
|
while (gc_count) {
|
|
|
|
|
rbconn = gc_nodes[--gc_count];
|
|
|
|
|
rb_erase(&rbconn->node, root);
|
|
|
|
|
kmem_cache_free(connlimit_rb_cachep, rbconn);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static unsigned int
|
|
|
|
|
count_tree(struct net *net, struct rb_root *root,
|
|
|
|
|
const struct nf_conntrack_tuple *tuple,
|
|
|
|
|
const union nf_inet_addr *addr, const union nf_inet_addr *mask,
|
2015-08-08 19:40:01 +00:00
|
|
|
u8 family, const struct nf_conntrack_zone *zone)
|
2014-03-07 13:37:11 +00:00
|
|
|
{
|
2014-03-12 22:49:51 +00:00
|
|
|
struct xt_connlimit_rb *gc_nodes[CONNLIMIT_GC_MAX_NODES];
|
|
|
|
|
struct rb_node **rbnode, *parent;
|
|
|
|
|
struct xt_connlimit_rb *rbconn;
|
2014-03-07 13:37:12 +00:00
|
|
|
struct xt_connlimit_conn *conn;
|
2014-03-12 22:49:51 +00:00
|
|
|
unsigned int gc_count;
|
|
|
|
|
bool no_gc = false;
|
|
|
|
|
|
|
|
|
|
restart:
|
|
|
|
|
gc_count = 0;
|
|
|
|
|
parent = NULL;
|
|
|
|
|
rbnode = &(root->rb_node);
|
|
|
|
|
while (*rbnode) {
|
|
|
|
|
int diff;
|
|
|
|
|
bool addit;
|
|
|
|
|
|
2016-12-20 14:02:13 +00:00
|
|
|
rbconn = rb_entry(*rbnode, struct xt_connlimit_rb, node);
|
2014-03-12 22:49:51 +00:00
|
|
|
|
|
|
|
|
parent = *rbnode;
|
|
|
|
|
diff = same_source_net(addr, mask, &rbconn->addr, family);
|
|
|
|
|
if (diff < 0) {
|
|
|
|
|
rbnode = &((*rbnode)->rb_left);
|
|
|
|
|
} else if (diff > 0) {
|
|
|
|
|
rbnode = &((*rbnode)->rb_right);
|
|
|
|
|
} else {
|
|
|
|
|
/* same source network -> be counted! */
|
|
|
|
|
unsigned int count;
|
2014-11-14 12:21:48 +00:00
|
|
|
count = check_hlist(net, &rbconn->hhead, tuple, zone, &addit);
|
2014-03-12 22:49:51 +00:00
|
|
|
|
|
|
|
|
tree_nodes_free(root, gc_nodes, gc_count);
|
|
|
|
|
if (!addit)
|
|
|
|
|
return count;
|
|
|
|
|
|
|
|
|
|
if (!add_hlist(&rbconn->hhead, tuple, addr))
|
|
|
|
|
return 0; /* hotdrop */
|
|
|
|
|
|
|
|
|
|
return count + 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (no_gc || gc_count >= ARRAY_SIZE(gc_nodes))
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
/* only used for GC on hhead, retval and 'addit' ignored */
|
2014-11-14 12:21:48 +00:00
|
|
|
check_hlist(net, &rbconn->hhead, tuple, zone, &addit);
|
2014-03-12 22:49:51 +00:00
|
|
|
if (hlist_empty(&rbconn->hhead))
|
|
|
|
|
gc_nodes[gc_count++] = rbconn;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (gc_count) {
|
|
|
|
|
no_gc = true;
|
|
|
|
|
tree_nodes_free(root, gc_nodes, gc_count);
|
|
|
|
|
/* tree_node_free before new allocation permits
|
|
|
|
|
* allocator to re-use newly free'd object.
|
|
|
|
|
*
|
|
|
|
|
* This is a rare event; in most cases we will find
|
|
|
|
|
* existing node to re-use. (or gc_count is 0).
|
|
|
|
|
*/
|
|
|
|
|
goto restart;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* no match, need to insert new node */
|
|
|
|
|
rbconn = kmem_cache_alloc(connlimit_rb_cachep, GFP_ATOMIC);
|
|
|
|
|
if (rbconn == NULL)
|
|
|
|
|
return 0;
|
2014-03-07 13:37:12 +00:00
|
|
|
|
|
|
|
|
conn = kmem_cache_alloc(connlimit_conn_cachep, GFP_ATOMIC);
|
2014-03-12 22:49:51 +00:00
|
|
|
if (conn == NULL) {
|
|
|
|
|
kmem_cache_free(connlimit_rb_cachep, rbconn);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2014-03-07 13:37:11 +00:00
|
|
|
conn->tuple = *tuple;
|
2014-03-12 22:49:51 +00:00
|
|
|
rbconn->addr = *addr;
|
|
|
|
|
|
|
|
|
|
INIT_HLIST_HEAD(&rbconn->hhead);
|
|
|
|
|
hlist_add_head(&conn->node, &rbconn->hhead);
|
|
|
|
|
|
|
|
|
|
rb_link_node(&rbconn->node, parent, rbnode);
|
|
|
|
|
rb_insert_color(&rbconn->node, root);
|
|
|
|
|
return 1;
|
2014-03-07 13:37:11 +00:00
|
|
|
}
|
|
|
|
|
|
2014-03-07 13:37:09 +00:00
|
|
|
static int count_them(struct net *net,
|
|
|
|
|
struct xt_connlimit_data *data,
|
|
|
|
|
const struct nf_conntrack_tuple *tuple,
|
|
|
|
|
const union nf_inet_addr *addr,
|
|
|
|
|
const union nf_inet_addr *mask,
|
2015-08-08 19:40:01 +00:00
|
|
|
u_int8_t family,
|
|
|
|
|
const struct nf_conntrack_zone *zone)
|
2014-03-07 13:37:09 +00:00
|
|
|
{
|
2014-03-12 22:49:51 +00:00
|
|
|
struct rb_root *root;
|
2014-03-07 13:37:09 +00:00
|
|
|
int count;
|
|
|
|
|
u32 hash;
|
|
|
|
|
|
2017-08-02 09:14:43 +00:00
|
|
|
if (family == NFPROTO_IPV6)
|
2014-03-07 13:37:09 +00:00
|
|
|
hash = connlimit_iphash6(addr, mask);
|
2017-08-02 09:14:43 +00:00
|
|
|
else
|
2014-03-07 13:37:09 +00:00
|
|
|
hash = connlimit_iphash(addr->ip & mask->ip);
|
2017-08-02 09:14:43 +00:00
|
|
|
root = &data->climit_root[hash];
|
2014-03-07 13:37:09 +00:00
|
|
|
|
2014-03-20 10:53:39 +00:00
|
|
|
spin_lock_bh(&xt_connlimit_locks[hash % CONNLIMIT_LOCK_SLOTS]);
|
2014-03-12 22:49:51 +00:00
|
|
|
|
2014-11-14 12:21:48 +00:00
|
|
|
count = count_tree(net, root, tuple, addr, mask, family, zone);
|
2014-03-12 22:49:51 +00:00
|
|
|
|
2014-03-20 10:53:39 +00:00
|
|
|
spin_unlock_bh(&xt_connlimit_locks[hash % CONNLIMIT_LOCK_SLOTS]);
|
2014-03-07 13:37:09 +00:00
|
|
|
|
|
|
|
|
return count;
|
|
|
|
|
}
|
|
|
|
|
|
2007-12-05 07:24:03 +00:00
|
|
|
static bool
|
2009-07-07 18:42:08 +00:00
|
|
|
connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
2007-07-15 03:47:26 +00:00
|
|
|
{
|
2016-11-03 09:56:21 +00:00
|
|
|
struct net *net = xt_net(par);
|
2008-10-08 09:35:18 +00:00
|
|
|
const struct xt_connlimit_info *info = par->matchinfo;
|
2007-12-18 06:44:47 +00:00
|
|
|
union nf_inet_addr addr;
|
2007-07-15 03:47:26 +00:00
|
|
|
struct nf_conntrack_tuple tuple;
|
|
|
|
|
const struct nf_conntrack_tuple *tuple_ptr = &tuple;
|
2015-08-08 19:40:01 +00:00
|
|
|
const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
|
2007-07-15 03:47:26 +00:00
|
|
|
enum ip_conntrack_info ctinfo;
|
|
|
|
|
const struct nf_conn *ct;
|
2014-03-12 22:49:51 +00:00
|
|
|
unsigned int connections;
|
2007-07-15 03:47:26 +00:00
|
|
|
|
|
|
|
|
ct = nf_ct_get(skb, &ctinfo);
|
2014-11-14 12:21:48 +00:00
|
|
|
if (ct != NULL) {
|
2011-03-15 12:23:28 +00:00
|
|
|
tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
|
2014-11-14 12:21:48 +00:00
|
|
|
zone = nf_ct_zone(ct);
|
|
|
|
|
} else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
|
2016-11-03 09:56:21 +00:00
|
|
|
xt_family(par), net, &tuple)) {
|
2007-07-15 03:47:26 +00:00
|
|
|
goto hotdrop;
|
2014-11-14 12:21:48 +00:00
|
|
|
}
|
2007-07-15 03:47:26 +00:00
|
|
|
|
2016-11-03 09:56:21 +00:00
|
|
|
if (xt_family(par) == NFPROTO_IPV6) {
|
2007-07-15 03:47:26 +00:00
|
|
|
const struct ipv6hdr *iph = ipv6_hdr(skb);
|
2011-01-18 16:32:40 +00:00
|
|
|
memcpy(&addr.ip6, (info->flags & XT_CONNLIMIT_DADDR) ?
|
|
|
|
|
&iph->daddr : &iph->saddr, sizeof(addr.ip6));
|
2007-07-15 03:47:26 +00:00
|
|
|
} else {
|
|
|
|
|
const struct iphdr *iph = ip_hdr(skb);
|
2011-01-18 16:32:40 +00:00
|
|
|
addr.ip = (info->flags & XT_CONNLIMIT_DADDR) ?
|
|
|
|
|
iph->daddr : iph->saddr;
|
2007-07-15 03:47:26 +00:00
|
|
|
}
|
|
|
|
|
|
2010-01-18 07:07:50 +00:00
|
|
|
connections = count_them(net, info->data, tuple_ptr, &addr,
|
2016-11-03 09:56:21 +00:00
|
|
|
&info->mask, xt_family(par), zone);
|
2014-03-12 22:49:51 +00:00
|
|
|
if (connections == 0)
|
2007-07-15 03:47:26 +00:00
|
|
|
/* kmalloc failed, drop it entirely */
|
2011-01-18 00:36:57 +00:00
|
|
|
goto hotdrop;
|
2007-07-15 03:47:26 +00:00
|
|
|
|
2011-01-18 16:32:40 +00:00
|
|
|
return (connections > info->limit) ^
|
|
|
|
|
!!(info->flags & XT_CONNLIMIT_INVERT);
|
2007-07-15 03:47:26 +00:00
|
|
|
|
|
|
|
|
hotdrop:
|
2009-07-07 18:54:30 +00:00
|
|
|
par->hotdrop = true;
|
2007-07-15 03:47:26 +00:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2010-03-19 16:16:42 +00:00
|
|
|
static int connlimit_mt_check(const struct xt_mtchk_param *par)
|
2007-07-15 03:47:26 +00:00
|
|
|
{
|
2008-10-08 09:35:18 +00:00
|
|
|
struct xt_connlimit_info *info = par->matchinfo;
|
2007-07-15 03:47:26 +00:00
|
|
|
unsigned int i;
|
2010-03-19 16:32:59 +00:00
|
|
|
int ret;
|
2007-07-15 03:47:26 +00:00
|
|
|
|
2016-09-18 02:52:25 +00:00
|
|
|
net_get_random_once(&connlimit_rnd, sizeof(connlimit_rnd));
|
2011-03-15 12:26:32 +00:00
|
|
|
|
2016-11-15 20:36:40 +00:00
|
|
|
ret = nf_ct_netns_get(par->net, par->family);
|
2010-03-19 16:32:59 +00:00
|
|
|
if (ret < 0) {
|
2010-03-17 15:04:40 +00:00
|
|
|
pr_info("cannot load conntrack support for "
|
|
|
|
|
"address family %u\n", par->family);
|
2010-03-19 16:32:59 +00:00
|
|
|
return ret;
|
2007-07-15 03:47:26 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* init private data */
|
|
|
|
|
info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL);
|
|
|
|
|
if (info->data == NULL) {
|
2016-11-15 20:36:40 +00:00
|
|
|
nf_ct_netns_put(par->net, par->family);
|
2010-03-19 16:32:59 +00:00
|
|
|
return -ENOMEM;
|
2007-07-15 03:47:26 +00:00
|
|
|
}
|
|
|
|
|
|
2017-08-02 09:14:43 +00:00
|
|
|
for (i = 0; i < ARRAY_SIZE(info->data->climit_root); ++i)
|
|
|
|
|
info->data->climit_root[i] = RB_ROOT;
|
2007-07-15 03:47:26 +00:00
|
|
|
|
2010-03-23 15:35:56 +00:00
|
|
|
return 0;
|
2007-07-15 03:47:26 +00:00
|
|
|
}
|
|
|
|
|
|
2014-03-12 22:49:51 +00:00
|
|
|
static void destroy_tree(struct rb_root *r)
|
2007-07-15 03:47:26 +00:00
|
|
|
{
|
|
|
|
|
struct xt_connlimit_conn *conn;
|
2014-03-12 22:49:51 +00:00
|
|
|
struct xt_connlimit_rb *rbconn;
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
struct hlist_node *n;
|
2014-03-12 22:49:51 +00:00
|
|
|
struct rb_node *node;
|
2007-07-15 03:47:26 +00:00
|
|
|
|
2014-03-12 22:49:51 +00:00
|
|
|
while ((node = rb_first(r)) != NULL) {
|
2016-12-20 14:02:13 +00:00
|
|
|
rbconn = rb_entry(node, struct xt_connlimit_rb, node);
|
2007-07-15 03:47:26 +00:00
|
|
|
|
2014-03-12 22:49:51 +00:00
|
|
|
rb_erase(node, r);
|
|
|
|
|
|
|
|
|
|
hlist_for_each_entry_safe(conn, n, &rbconn->hhead, node)
|
2014-03-07 13:37:12 +00:00
|
|
|
kmem_cache_free(connlimit_conn_cachep, conn);
|
2014-03-12 22:49:51 +00:00
|
|
|
|
|
|
|
|
kmem_cache_free(connlimit_rb_cachep, rbconn);
|
2007-07-15 03:47:26 +00:00
|
|
|
}
|
2014-03-12 22:49:51 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
|
|
|
|
|
{
|
|
|
|
|
const struct xt_connlimit_info *info = par->matchinfo;
|
|
|
|
|
unsigned int i;
|
|
|
|
|
|
2016-11-15 20:36:40 +00:00
|
|
|
nf_ct_netns_put(par->net, par->family);
|
2014-03-12 22:49:51 +00:00
|
|
|
|
2017-08-02 09:14:43 +00:00
|
|
|
for (i = 0; i < ARRAY_SIZE(info->data->climit_root); ++i)
|
|
|
|
|
destroy_tree(&info->data->climit_root[i]);
|
2007-07-15 03:47:26 +00:00
|
|
|
|
|
|
|
|
kfree(info->data);
|
|
|
|
|
}
|
|
|
|
|
|
2012-05-19 04:39:01 +00:00
|
|
|
static struct xt_match connlimit_mt_reg __read_mostly = {
|
|
|
|
|
.name = "connlimit",
|
|
|
|
|
.revision = 1,
|
|
|
|
|
.family = NFPROTO_UNSPEC,
|
|
|
|
|
.checkentry = connlimit_mt_check,
|
|
|
|
|
.match = connlimit_mt,
|
|
|
|
|
.matchsize = sizeof(struct xt_connlimit_info),
|
2017-01-02 22:19:46 +00:00
|
|
|
.usersize = offsetof(struct xt_connlimit_info, data),
|
2012-05-19 04:39:01 +00:00
|
|
|
.destroy = connlimit_mt_destroy,
|
|
|
|
|
.me = THIS_MODULE,
|
2007-07-15 03:47:26 +00:00
|
|
|
};
|
|
|
|
|
|
2007-12-05 07:24:03 +00:00
|
|
|
static int __init connlimit_mt_init(void)
|
2007-07-15 03:47:26 +00:00
|
|
|
{
|
2014-03-20 10:53:39 +00:00
|
|
|
int ret, i;
|
2014-03-12 22:49:49 +00:00
|
|
|
|
|
|
|
|
BUILD_BUG_ON(CONNLIMIT_LOCK_SLOTS > CONNLIMIT_SLOTS);
|
|
|
|
|
BUILD_BUG_ON((CONNLIMIT_SLOTS % CONNLIMIT_LOCK_SLOTS) != 0);
|
|
|
|
|
|
2014-03-20 10:53:39 +00:00
|
|
|
for (i = 0; i < CONNLIMIT_LOCK_SLOTS; ++i)
|
|
|
|
|
spin_lock_init(&xt_connlimit_locks[i]);
|
|
|
|
|
|
2014-03-07 13:37:12 +00:00
|
|
|
connlimit_conn_cachep = kmem_cache_create("xt_connlimit_conn",
|
|
|
|
|
sizeof(struct xt_connlimit_conn),
|
|
|
|
|
0, 0, NULL);
|
|
|
|
|
if (!connlimit_conn_cachep)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
2014-03-12 22:49:51 +00:00
|
|
|
connlimit_rb_cachep = kmem_cache_create("xt_connlimit_rb",
|
|
|
|
|
sizeof(struct xt_connlimit_rb),
|
|
|
|
|
0, 0, NULL);
|
|
|
|
|
if (!connlimit_rb_cachep) {
|
|
|
|
|
kmem_cache_destroy(connlimit_conn_cachep);
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
}
|
2014-03-07 13:37:12 +00:00
|
|
|
ret = xt_register_match(&connlimit_mt_reg);
|
2014-03-12 22:49:51 +00:00
|
|
|
if (ret != 0) {
|
2014-03-07 13:37:12 +00:00
|
|
|
kmem_cache_destroy(connlimit_conn_cachep);
|
2014-03-12 22:49:51 +00:00
|
|
|
kmem_cache_destroy(connlimit_rb_cachep);
|
|
|
|
|
}
|
2014-03-07 13:37:12 +00:00
|
|
|
return ret;
|
2007-07-15 03:47:26 +00:00
|
|
|
}
|
|
|
|
|
|
2007-12-05 07:24:03 +00:00
|
|
|
static void __exit connlimit_mt_exit(void)
|
2007-07-15 03:47:26 +00:00
|
|
|
{
|
2012-05-19 04:39:01 +00:00
|
|
|
xt_unregister_match(&connlimit_mt_reg);
|
2014-03-07 13:37:12 +00:00
|
|
|
kmem_cache_destroy(connlimit_conn_cachep);
|
2014-03-12 22:49:51 +00:00
|
|
|
kmem_cache_destroy(connlimit_rb_cachep);
|
2007-07-15 03:47:26 +00:00
|
|
|
}
|
|
|
|
|
|
2007-12-05 07:24:03 +00:00
|
|
|
module_init(connlimit_mt_init);
|
|
|
|
|
module_exit(connlimit_mt_exit);
|
2008-10-08 09:35:20 +00:00
|
|
|
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
|
2008-01-15 07:42:28 +00:00
|
|
|
MODULE_DESCRIPTION("Xtables: Number of connections matching");
|
2007-07-15 03:47:26 +00:00
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
|
MODULE_ALIAS("ipt_connlimit");
|
|
|
|
|
MODULE_ALIAS("ip6t_connlimit");
|