]>
Commit | Line | Data |
---|---|---|
d2912cb1 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
3d2f30a1 PNA |
2 | /* |
3 | * Copyright (c) 2016 Pablo Neira Ayuso <pablo@netfilter.org> | |
3d2f30a1 PNA |
4 | */ |
5 | ||
6 | #include <linux/kernel.h> | |
7 | #include <linux/init.h> | |
8 | #include <linux/module.h> | |
9 | #include <linux/atomic.h> | |
10 | #include <linux/netlink.h> | |
11 | #include <linux/netfilter.h> | |
12 | #include <linux/netfilter/nf_tables.h> | |
13 | #include <net/netfilter/nf_tables.h> | |
14 | ||
15 | struct nft_quota { | |
85936e56 | 16 | atomic64_t quota; |
18965317 | 17 | unsigned long flags; |
ed0a0c60 | 18 | atomic64_t *consumed; |
3d2f30a1 PNA |
19 | }; |
20 | ||
22609b43 | 21 | static inline bool nft_overquota(struct nft_quota *priv, |
795595f6 | 22 | const struct sk_buff *skb) |
3d2f30a1 | 23 | { |
ed0a0c60 | 24 | return atomic64_add_return(skb->len, priv->consumed) >= |
85936e56 | 25 | atomic64_read(&priv->quota); |
3d2f30a1 PNA |
26 | } |
27 | ||
18965317 PNA |
28 | static inline bool nft_quota_invert(struct nft_quota *priv) |
29 | { | |
30 | return priv->flags & NFT_QUOTA_F_INV; | |
31 | } | |
32 | ||
173705d9 PNA |
33 | static inline void nft_quota_do_eval(struct nft_quota *priv, |
34 | struct nft_regs *regs, | |
35 | const struct nft_pktinfo *pkt) | |
3d2f30a1 | 36 | { |
18965317 | 37 | if (nft_overquota(priv, pkt->skb) ^ nft_quota_invert(priv)) |
3d2f30a1 PNA |
38 | regs->verdict.code = NFT_BREAK; |
39 | } | |
40 | ||
41 | static const struct nla_policy nft_quota_policy[NFTA_QUOTA_MAX + 1] = { | |
42 | [NFTA_QUOTA_BYTES] = { .type = NLA_U64 }, | |
43 | [NFTA_QUOTA_FLAGS] = { .type = NLA_U32 }, | |
73c25fb1 | 44 | [NFTA_QUOTA_CONSUMED] = { .type = NLA_U64 }, |
3d2f30a1 PNA |
45 | }; |
46 | ||
18965317 PNA |
47 | #define NFT_QUOTA_DEPLETED_BIT 1 /* From NFT_QUOTA_F_DEPLETED. */ |
48 | ||
173705d9 PNA |
49 | static void nft_quota_obj_eval(struct nft_object *obj, |
50 | struct nft_regs *regs, | |
51 | const struct nft_pktinfo *pkt) | |
52 | { | |
53 | struct nft_quota *priv = nft_obj_data(obj); | |
18965317 | 54 | bool overquota; |
173705d9 | 55 | |
18965317 PNA |
56 | overquota = nft_overquota(priv, pkt->skb); |
57 | if (overquota ^ nft_quota_invert(priv)) | |
58 | regs->verdict.code = NFT_BREAK; | |
59 | ||
60 | if (overquota && | |
61 | !test_and_set_bit(NFT_QUOTA_DEPLETED_BIT, &priv->flags)) | |
d152159b | 62 | nft_obj_notify(nft_net(pkt), obj->key.table, obj, 0, 0, |
6fb721cf | 63 | NFT_MSG_NEWOBJ, 0, nft_pf(pkt), 0, GFP_ATOMIC); |
173705d9 PNA |
64 | } |
65 | ||
66 | static int nft_quota_do_init(const struct nlattr * const tb[], | |
67 | struct nft_quota *priv) | |
3d2f30a1 | 68 | { |
18965317 | 69 | unsigned long flags = 0; |
73c25fb1 | 70 | u64 quota, consumed = 0; |
3d2f30a1 PNA |
71 | |
72 | if (!tb[NFTA_QUOTA_BYTES]) | |
73 | return -EINVAL; | |
74 | ||
75 | quota = be64_to_cpu(nla_get_be64(tb[NFTA_QUOTA_BYTES])); | |
76 | if (quota > S64_MAX) | |
77 | return -EOVERFLOW; | |
78 | ||
73c25fb1 PNA |
79 | if (tb[NFTA_QUOTA_CONSUMED]) { |
80 | consumed = be64_to_cpu(nla_get_be64(tb[NFTA_QUOTA_CONSUMED])); | |
81 | if (consumed > quota) | |
82 | return -EINVAL; | |
83 | } | |
84 | ||
3d2f30a1 PNA |
85 | if (tb[NFTA_QUOTA_FLAGS]) { |
86 | flags = ntohl(nla_get_be32(tb[NFTA_QUOTA_FLAGS])); | |
87 | if (flags & ~NFT_QUOTA_F_INV) | |
88 | return -EINVAL; | |
18965317 PNA |
89 | if (flags & NFT_QUOTA_F_DEPLETED) |
90 | return -EOPNOTSUPP; | |
3d2f30a1 PNA |
91 | } |
92 | ||
42193ffd | 93 | priv->consumed = kmalloc(sizeof(*priv->consumed), GFP_KERNEL_ACCOUNT); |
ed0a0c60 PNA |
94 | if (!priv->consumed) |
95 | return -ENOMEM; | |
96 | ||
85936e56 | 97 | atomic64_set(&priv->quota, quota); |
18965317 | 98 | priv->flags = flags; |
ed0a0c60 | 99 | atomic64_set(priv->consumed, consumed); |
3d2f30a1 PNA |
100 | |
101 | return 0; | |
102 | } | |
103 | ||
ed0a0c60 PNA |
104 | static void nft_quota_do_destroy(const struct nft_ctx *ctx, |
105 | struct nft_quota *priv) | |
106 | { | |
107 | kfree(priv->consumed); | |
108 | } | |
109 | ||
84fba055 FW |
110 | static int nft_quota_obj_init(const struct nft_ctx *ctx, |
111 | const struct nlattr * const tb[], | |
173705d9 PNA |
112 | struct nft_object *obj) |
113 | { | |
114 | struct nft_quota *priv = nft_obj_data(obj); | |
115 | ||
116 | return nft_quota_do_init(tb, priv); | |
117 | } | |
118 | ||
85936e56 FFM |
119 | static void nft_quota_obj_update(struct nft_object *obj, |
120 | struct nft_object *newobj) | |
121 | { | |
122 | struct nft_quota *newpriv = nft_obj_data(newobj); | |
123 | struct nft_quota *priv = nft_obj_data(obj); | |
124 | u64 newquota; | |
125 | ||
126 | newquota = atomic64_read(&newpriv->quota); | |
127 | atomic64_set(&priv->quota, newquota); | |
128 | priv->flags = newpriv->flags; | |
129 | } | |
130 | ||
43da04a5 PNA |
131 | static int nft_quota_do_dump(struct sk_buff *skb, struct nft_quota *priv, |
132 | bool reset) | |
3d2f30a1 | 133 | { |
85936e56 | 134 | u64 consumed, consumed_cap, quota; |
18965317 | 135 | u32 flags = priv->flags; |
43da04a5 | 136 | |
795595f6 PNA |
137 | /* Since we inconditionally increment consumed quota for each packet |
138 | * that we see, don't go over the quota boundary in what we send to | |
139 | * userspace. | |
140 | */ | |
ed0a0c60 | 141 | consumed = atomic64_read(priv->consumed); |
85936e56 FFM |
142 | quota = atomic64_read(&priv->quota); |
143 | if (consumed >= quota) { | |
144 | consumed_cap = quota; | |
8010d7fe PNA |
145 | flags |= NFT_QUOTA_F_DEPLETED; |
146 | } else { | |
147 | consumed_cap = consumed; | |
148 | } | |
3d2f30a1 | 149 | |
85936e56 | 150 | if (nla_put_be64(skb, NFTA_QUOTA_BYTES, cpu_to_be64(quota), |
3d2f30a1 | 151 | NFTA_QUOTA_PAD) || |
8010d7fe | 152 | nla_put_be64(skb, NFTA_QUOTA_CONSUMED, cpu_to_be64(consumed_cap), |
795595f6 | 153 | NFTA_QUOTA_PAD) || |
3d2f30a1 PNA |
154 | nla_put_be32(skb, NFTA_QUOTA_FLAGS, htonl(flags))) |
155 | goto nla_put_failure; | |
8010d7fe PNA |
156 | |
157 | if (reset) { | |
ed0a0c60 | 158 | atomic64_sub(consumed, priv->consumed); |
8010d7fe PNA |
159 | clear_bit(NFT_QUOTA_DEPLETED_BIT, &priv->flags); |
160 | } | |
3d2f30a1 PNA |
161 | return 0; |
162 | ||
163 | nla_put_failure: | |
164 | return -1; | |
165 | } | |
166 | ||
43da04a5 PNA |
167 | static int nft_quota_obj_dump(struct sk_buff *skb, struct nft_object *obj, |
168 | bool reset) | |
173705d9 PNA |
169 | { |
170 | struct nft_quota *priv = nft_obj_data(obj); | |
171 | ||
43da04a5 | 172 | return nft_quota_do_dump(skb, priv, reset); |
173705d9 PNA |
173 | } |
174 | ||
ed0a0c60 PNA |
175 | static void nft_quota_obj_destroy(const struct nft_ctx *ctx, |
176 | struct nft_object *obj) | |
177 | { | |
178 | struct nft_quota *priv = nft_obj_data(obj); | |
179 | ||
180 | return nft_quota_do_destroy(ctx, priv); | |
181 | } | |
182 | ||
dfc46034 PBG |
183 | static struct nft_object_type nft_quota_obj_type; |
184 | static const struct nft_object_ops nft_quota_obj_ops = { | |
185 | .type = &nft_quota_obj_type, | |
173705d9 | 186 | .size = sizeof(struct nft_quota), |
173705d9 | 187 | .init = nft_quota_obj_init, |
ed0a0c60 | 188 | .destroy = nft_quota_obj_destroy, |
173705d9 PNA |
189 | .eval = nft_quota_obj_eval, |
190 | .dump = nft_quota_obj_dump, | |
85936e56 | 191 | .update = nft_quota_obj_update, |
dfc46034 PBG |
192 | }; |
193 | ||
194 | static struct nft_object_type nft_quota_obj_type __read_mostly = { | |
195 | .type = NFT_OBJECT_QUOTA, | |
196 | .ops = &nft_quota_obj_ops, | |
197 | .maxattr = NFTA_QUOTA_MAX, | |
198 | .policy = nft_quota_policy, | |
173705d9 PNA |
199 | .owner = THIS_MODULE, |
200 | }; | |
201 | ||
202 | static void nft_quota_eval(const struct nft_expr *expr, | |
203 | struct nft_regs *regs, | |
204 | const struct nft_pktinfo *pkt) | |
205 | { | |
206 | struct nft_quota *priv = nft_expr_priv(expr); | |
207 | ||
208 | nft_quota_do_eval(priv, regs, pkt); | |
209 | } | |
210 | ||
211 | static int nft_quota_init(const struct nft_ctx *ctx, | |
212 | const struct nft_expr *expr, | |
213 | const struct nlattr * const tb[]) | |
214 | { | |
215 | struct nft_quota *priv = nft_expr_priv(expr); | |
216 | ||
217 | return nft_quota_do_init(tb, priv); | |
218 | } | |
219 | ||
7d34aa3e PS |
220 | static int nft_quota_dump(struct sk_buff *skb, |
221 | const struct nft_expr *expr, bool reset) | |
173705d9 | 222 | { |
43da04a5 | 223 | struct nft_quota *priv = nft_expr_priv(expr); |
173705d9 | 224 | |
8daa8fde | 225 | return nft_quota_do_dump(skb, priv, reset); |
173705d9 PNA |
226 | } |
227 | ||
ed0a0c60 PNA |
228 | static void nft_quota_destroy(const struct nft_ctx *ctx, |
229 | const struct nft_expr *expr) | |
230 | { | |
231 | struct nft_quota *priv = nft_expr_priv(expr); | |
232 | ||
233 | return nft_quota_do_destroy(ctx, priv); | |
234 | } | |
235 | ||
fa23e0d4 | 236 | static int nft_quota_clone(struct nft_expr *dst, const struct nft_expr *src, gfp_t gfp) |
ed0a0c60 PNA |
237 | { |
238 | struct nft_quota *priv_dst = nft_expr_priv(dst); | |
aabef97a PNA |
239 | struct nft_quota *priv_src = nft_expr_priv(src); |
240 | ||
241 | priv_dst->quota = priv_src->quota; | |
242 | priv_dst->flags = priv_src->flags; | |
ed0a0c60 | 243 | |
fa23e0d4 | 244 | priv_dst->consumed = kmalloc(sizeof(*priv_dst->consumed), gfp); |
51edb2ff | 245 | if (!priv_dst->consumed) |
ed0a0c60 PNA |
246 | return -ENOMEM; |
247 | ||
aabef97a | 248 | *priv_dst->consumed = *priv_src->consumed; |
ed0a0c60 PNA |
249 | |
250 | return 0; | |
251 | } | |
252 | ||
3d2f30a1 PNA |
253 | static struct nft_expr_type nft_quota_type; |
254 | static const struct nft_expr_ops nft_quota_ops = { | |
255 | .type = &nft_quota_type, | |
256 | .size = NFT_EXPR_SIZE(sizeof(struct nft_quota)), | |
257 | .eval = nft_quota_eval, | |
258 | .init = nft_quota_init, | |
ed0a0c60 PNA |
259 | .destroy = nft_quota_destroy, |
260 | .clone = nft_quota_clone, | |
3d2f30a1 | 261 | .dump = nft_quota_dump, |
b2d30654 | 262 | .reduce = NFT_REDUCE_READONLY, |
3d2f30a1 PNA |
263 | }; |
264 | ||
265 | static struct nft_expr_type nft_quota_type __read_mostly = { | |
266 | .name = "quota", | |
267 | .ops = &nft_quota_ops, | |
268 | .policy = nft_quota_policy, | |
269 | .maxattr = NFTA_QUOTA_MAX, | |
270 | .flags = NFT_EXPR_STATEFUL, | |
271 | .owner = THIS_MODULE, | |
272 | }; | |
273 | ||
274 | static int __init nft_quota_module_init(void) | |
275 | { | |
173705d9 PNA |
276 | int err; |
277 | ||
dfc46034 | 278 | err = nft_register_obj(&nft_quota_obj_type); |
173705d9 PNA |
279 | if (err < 0) |
280 | return err; | |
281 | ||
282 | err = nft_register_expr(&nft_quota_type); | |
283 | if (err < 0) | |
284 | goto err1; | |
285 | ||
286 | return 0; | |
287 | err1: | |
dfc46034 | 288 | nft_unregister_obj(&nft_quota_obj_type); |
173705d9 | 289 | return err; |
3d2f30a1 PNA |
290 | } |
291 | ||
292 | static void __exit nft_quota_module_exit(void) | |
293 | { | |
173705d9 | 294 | nft_unregister_expr(&nft_quota_type); |
dfc46034 | 295 | nft_unregister_obj(&nft_quota_obj_type); |
3d2f30a1 PNA |
296 | } |
297 | ||
298 | module_init(nft_quota_module_init); | |
299 | module_exit(nft_quota_module_exit); | |
300 | ||
301 | MODULE_LICENSE("GPL"); | |
302 | MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); | |
303 | MODULE_ALIAS_NFT_EXPR("quota"); | |
173705d9 | 304 | MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_QUOTA); |
4cacc395 | 305 | MODULE_DESCRIPTION("Netfilter nftables quota module"); |