hashlimit_mt_save(&info->cfg, info->name, 128, 2);
}
+static const struct rates rates_v1_xlate[] = {
+ { "day", XT_HASHLIMIT_SCALE * 24 * 60 * 60 },
+ { "hour", XT_HASHLIMIT_SCALE * 60 * 60 },
+ { "minute", XT_HASHLIMIT_SCALE * 60 },
+ { "second", XT_HASHLIMIT_SCALE } };
+
+static const struct rates rates_xlate[] = {
+ { "day", XT_HASHLIMIT_SCALE_v2 * 24 * 60 * 60 },
+ { "hour", XT_HASHLIMIT_SCALE_v2 * 60 * 60 },
+ { "minute", XT_HASHLIMIT_SCALE_v2 * 60 },
+ { "second", XT_HASHLIMIT_SCALE_v2 } };
+
+static void print_packets_rate_xlate(struct xt_xlate *xl, uint64_t avg,
+ uint64_t burst, int revision)
+{
+ unsigned int i;
+ const struct rates *_rates = (revision == 1) ?
+ rates_v1_xlate : rates_xlate;
+
+ for (i = 1; i < ARRAY_SIZE(rates); ++i)
+ if (avg > _rates[i].mult ||
+ _rates[i].mult / avg < _rates[i].mult % avg)
+ break;
+
+ xt_xlate_add(xl, " %llu/%s burst %lu packets",
+ _rates[i-1].mult / avg, _rates[i-1].name, burst);
+}
+
+static void print_bytes_rate_xlate(struct xt_xlate *xl,
+ const struct hashlimit_cfg2 *cfg)
+{
+ unsigned int i;
+ unsigned long long r;
+
+ r = cost_to_bytes(cfg->avg);
+
+ for (i = 0; i < ARRAY_SIZE(units) -1; ++i)
+ if (r >= units[i].thresh &&
+ bytes_to_cost(r & ~(units[i].thresh - 1)) == cfg->avg)
+ break;
+
+ xt_xlate_add(xl, " %llu %sbytes/second", r / units[i].thresh,
+ units[i].name);
+
+ r *= cfg->burst;
+ for (i = 0; i < ARRAY_SIZE(units) -1; ++i)
+ if (r >= units[i].thresh)
+ break;
+
+ if (cfg->burst > 0)
+ xt_xlate_add(xl, " burst %llu %sbytes", r / units[i].thresh,
+ units[i].name);
+}
+
+static void hashlimit_print_subnet_xlate(struct xt_xlate *xl,
+ uint32_t nsub, int family)
+{
+ char sep = (family == NFPROTO_IPV4) ? '.' : ':';
+ char *fmt = (family == NFPROTO_IPV4) ? "%u" : "%04x";
+ unsigned int nblocks = (family == NFPROTO_IPV4) ? 4 : 8;
+ unsigned int nbits = (family == NFPROTO_IPV4) ? 8 : 16;
+ unsigned int acm, i;
+
+ xt_xlate_add(xl, " and ");
+ while (nblocks--) {
+ acm = 0;
+
+ for (i = 0; i < nbits; i++) {
+ acm <<= 1;
+
+ if (nsub > 0) {
+ acm++;
+ nsub--;
+ }
+ }
+
+ xt_xlate_add(xl, fmt, acm);
+ if (nblocks > 0)
+ xt_xlate_add(xl, "%c", sep);
+ }
+}
+
+static const char *const hashlimit_modes4_xlate[] = {
+ [XT_HASHLIMIT_HASH_DIP] = "ip daddr",
+ [XT_HASHLIMIT_HASH_DPT] = "tcp dport",
+ [XT_HASHLIMIT_HASH_SIP] = "ip saddr",
+ [XT_HASHLIMIT_HASH_SPT] = "tcp sport",
+};
+
+static const char *const hashlimit_modes6_xlate[] = {
+ [XT_HASHLIMIT_HASH_DIP] = "ip6 daddr",
+ [XT_HASHLIMIT_HASH_DPT] = "tcp dport",
+ [XT_HASHLIMIT_HASH_SIP] = "ip6 saddr",
+ [XT_HASHLIMIT_HASH_SPT] = "tcp sport",
+};
+
+static int hashlimit_mode_xlate(struct xt_xlate *xl,
+ uint32_t mode, int family,
+ unsigned int nsrc, unsigned int ndst)
+{
+ const char * const *_modes = (family == NFPROTO_IPV4) ?
+ hashlimit_modes4_xlate : hashlimit_modes6_xlate;
+ bool prevopt = false;
+ unsigned int mask;
+
+ mode &= ~XT_HASHLIMIT_INVERT & ~XT_HASHLIMIT_BYTES;
+
+ for (mask = 1; mode > 0; mask <<= 1) {
+ if (!(mode & mask))
+ continue;
+
+ if (!prevopt) {
+ xt_xlate_add(xl, " ");
+ prevopt = true;
+ }
+ else {
+ xt_xlate_add(xl, " . ");
+ }
+
+ xt_xlate_add(xl, "%s", _modes[mask]);
+
+ if (mask == XT_HASHLIMIT_HASH_DIP &&
+ ((family == NFPROTO_IPV4 && ndst != 32) ||
+ (family == NFPROTO_IPV6 && ndst != 128)))
+ hashlimit_print_subnet_xlate(xl, ndst, family);
+ else if (mask == XT_HASHLIMIT_HASH_SIP &&
+ ((family == NFPROTO_IPV4 && nsrc != 32) ||
+ (family == NFPROTO_IPV6 && nsrc != 128)))
+ hashlimit_print_subnet_xlate(xl, nsrc, family);
+
+ mode &= ~mask;
+ }
+
+ return prevopt;
+}
+
+static int hashlimit_mt_xlate(struct xt_xlate *xl, const char *name,
+ const struct hashlimit_cfg2 *cfg,
+ int revision, int family)
+{
+ int ret = 1;
+
+ xt_xlate_add(xl, "flow table %s {", name);
+ ret = hashlimit_mode_xlate(xl, cfg->mode, family,
+ cfg->srcmask, cfg->dstmask);
+ xt_xlate_add(xl, " timeout %us limit rate", cfg->expire / 1000);
+
+ if (cfg->mode & XT_HASHLIMIT_INVERT)
+ xt_xlate_add(xl, " over");
+
+ if (cfg->mode & XT_HASHLIMIT_BYTES)
+ print_bytes_rate_xlate(xl, cfg);
+ else
+ print_packets_rate_xlate(xl, cfg->avg, cfg->burst, revision);
+
+ xt_xlate_add(xl, "}");
+
+ return ret;
+}
+
+static int hashlimit_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
+{
+ const struct xt_hashlimit_info *info = (const void *)params->match->data;
+ int ret = 1;
+
+ xt_xlate_add(xl, "flow table %s {", info->name);
+ ret = hashlimit_mode_xlate(xl, info->cfg.mode, NFPROTO_IPV4, 32, 32);
+ xt_xlate_add(xl, " timeout %us limit rate", info->cfg.expire / 1000);
+ print_packets_rate_xlate(xl, info->cfg.avg, info->cfg.burst, 1);
+ xt_xlate_add(xl, "}");
+
+ return ret;
+}
+
+static int hashlimit_mt4_xlate_v1(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
+{
+ const struct xt_hashlimit_mtinfo1 *info =
+ (const void *)params->match->data;
+ struct hashlimit_cfg2 cfg;
+
+ if (cfg_copy(&cfg, (const void *)&info->cfg, 1))
+ xtables_error(OTHER_PROBLEM, "unknown revision");
+
+ return hashlimit_mt_xlate(xl, info->name, &cfg, 1, NFPROTO_IPV4);
+}
+
+static int hashlimit_mt6_xlate_v1(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
+{
+ const struct xt_hashlimit_mtinfo1 *info =
+ (const void *)params->match->data;
+ struct hashlimit_cfg2 cfg;
+
+ if (cfg_copy(&cfg, (const void *)&info->cfg, 1))
+ xtables_error(OTHER_PROBLEM, "unknown revision");
+
+ return hashlimit_mt_xlate(xl, info->name, &cfg, 1, NFPROTO_IPV6);
+}
+
+static int hashlimit_mt4_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
+{
+ const struct xt_hashlimit_mtinfo2 *info =
+ (const void *)params->match->data;
+
+ return hashlimit_mt_xlate(xl, info->name, &info->cfg, 2, NFPROTO_IPV4);
+}
+
+static int hashlimit_mt6_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
+{
+ const struct xt_hashlimit_mtinfo2 *info =
+ (const void *)params->match->data;
+
+ return hashlimit_mt_xlate(xl, info->name, &info->cfg, 2, NFPROTO_IPV6);
+}
+
static struct xtables_match hashlimit_mt_reg[] = {
{
.family = NFPROTO_UNSPEC,
.save = hashlimit_save,
.x6_options = hashlimit_opts,
.udata_size = sizeof(struct hashlimit_mt_udata),
+ .xlate = hashlimit_xlate,
},
{
.version = XTABLES_VERSION,
.save = hashlimit_mt4_save_v1,
.x6_options = hashlimit_mt_opts_v1,
.udata_size = sizeof(struct hashlimit_mt_udata),
+ .xlate = hashlimit_mt4_xlate_v1,
},
{
.version = XTABLES_VERSION,
.save = hashlimit_mt6_save_v1,
.x6_options = hashlimit_mt_opts_v1,
.udata_size = sizeof(struct hashlimit_mt_udata),
+ .xlate = hashlimit_mt6_xlate_v1,
},
{
.version = XTABLES_VERSION,
.save = hashlimit_mt4_save,
.x6_options = hashlimit_mt_opts,
.udata_size = sizeof(struct hashlimit_mt_udata),
+ .xlate = hashlimit_mt4_xlate,
},
{
.version = XTABLES_VERSION,
.save = hashlimit_mt6_save,
.x6_options = hashlimit_mt_opts,
.udata_size = sizeof(struct hashlimit_mt_udata),
+ .xlate = hashlimit_mt6_xlate,
},
};
projects / thirdparty / iptables.git / commitdiff
