From patchwork Wed Jan 2 20:42:01 2019
X-Patchwork-Submitter: Mauricio Faria de Oliveira
X-Patchwork-Id: 1020068
X-Patchwork-Delegate: davem@davemloft.net
From: Mauricio Faria de Oliveira
To: stable@vger.kernel.org, netdev@vger.kernel.org, Florian Westphal
Cc: Alakesh Haloi, nivedita.singhvi@canonical.com, Pablo Neira Ayuso, Jozsef Kadlecsik, "David S. Miller", Yi-Hung Wei
Subject: [PATCH v2 4.14 2/5] netfilter: nf_conncount: expose connection list interface
Date: Wed, 2 Jan 2019 18:42:01 -0200
Message-Id: <20190102204204.12389-3-mfo@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20190102204204.12389-1-mfo@canonical.com>
References: <20190102204204.12389-1-mfo@canonical.com>
X-Mailing-List: netdev@vger.kernel.org

From: Pablo Neira Ayuso

commit 5e5cbc7b23eaf13e18652c03efbad5be6995de6a upstream.

This patch provides an interface to maintain the list of connections and
the lookup function to obtain the number of connections in the list.
Signed-off-by: Pablo Neira Ayuso
[mfo: backport: refresh context lines and use older symbol/file names:
 - nf_conntrack_count.h: new file, add include guards.
 - nf_conncount.c -> xt_connlimit.c.
 - nf_conncount_rb -> xt_connlimit_rb
 - nf_conncount_tuple -> xt_connlimit_conn
 - conncount_rb_cachep -> connlimit_rb_cachep
 - conncount_conn_cachep -> connlimit_conn_cachep]
Signed-off-by: Mauricio Faria de Oliveira
---
 include/net/netfilter/nf_conntrack_count.h | 14 ++++++++++++
 net/netfilter/xt_connlimit.c               | 36 +++++++++++++++++++-----------
 2 files changed, 37 insertions(+), 13 deletions(-)
 create mode 100644 include/net/netfilter/nf_conntrack_count.h

diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h new file mode 100644 index 0000000..54e43b8 --- /dev/null +++ b/include/net/netfilter/nf_conntrack_count.h @@ -0,0 +1,14 @@ +#ifndef _NF_CONNTRACK_COUNT_H +#define _NF_CONNTRACK_COUNT_H + +unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, + const struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_zone *zone, + bool *addit); + +bool nf_conncount_add(struct hlist_head *head, + const struct nf_conntrack_tuple *tuple); + +void nf_conncount_cache_free(struct hlist_head *hhead); + +#endif diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index 79d4151..7af5875 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c @@ -114,7 +114,7 @@ same_source_net(const union nf_inet_addr *addr, } } -static bool add_hlist(struct hlist_head *head, +bool nf_conncount_add(struct hlist_head *head, const struct nf_conntrack_tuple *tuple) { struct xt_connlimit_conn *conn; 
@@ -126,12 +126,12 @@ static bool add_hlist(struct hlist_head *head, hlist_add_head(&conn->node, head); return true; } +EXPORT_SYMBOL_GPL(nf_conncount_add); -static unsigned int check_hlist(struct net *net, - struct hlist_head *head, - const struct nf_conntrack_tuple *tuple, - const struct nf_conntrack_zone *zone, - bool *addit) +unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, + const struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_zone *zone, + bool *addit) { const struct nf_conntrack_tuple_hash *found; struct xt_connlimit_conn *conn; @@ -176,6 +176,7 @@ static unsigned int check_hlist(struct net *net, return length; } +EXPORT_SYMBOL_GPL(nf_conncount_lookup); static void tree_nodes_free(struct rb_root *root, struct xt_connlimit_rb *gc_nodes[], @@ -222,13 +223,15 @@ count_tree(struct net *net, struct rb_root *root, } else { /* same source network -> be counted! */ unsigned int count; - count = check_hlist(net, &rbconn->hhead, tuple, zone, &addit); + + count = nf_conncount_lookup(net, &rbconn->hhead, tuple, + zone, &addit); tree_nodes_free(root, gc_nodes, gc_count); if (!addit) return count; - if (!add_hlist(&rbconn->hhead, tuple)) + if (!nf_conncount_add(&rbconn->hhead, tuple)) return 0; /* hotdrop */ return count + 1; @@ -238,7 +241,7 @@ count_tree(struct net *net, struct rb_root *root, continue; /* only used for GC on hhead, retval and 'addit' ignored */ - check_hlist(net, &rbconn->hhead, tuple, zone, &addit); + nf_conncount_lookup(net, &rbconn->hhead, tuple, zone, &addit); if (hlist_empty(&rbconn->hhead)) gc_nodes[gc_count++] = rbconn; } 
@@ -378,11 +381,19 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par) return 0; } -static void destroy_tree(struct rb_root *r) +void nf_conncount_cache_free(struct hlist_head *hhead) { struct xt_connlimit_conn *conn; - struct xt_connlimit_rb *rbconn; struct hlist_node *n; + + hlist_for_each_entry_safe(conn, n, hhead, node) + kmem_cache_free(connlimit_conn_cachep, conn); +} +EXPORT_SYMBOL_GPL(nf_conncount_cache_free); + +static void destroy_tree(struct rb_root *r) +{ + struct xt_connlimit_rb *rbconn; struct rb_node *node; while ((node = rb_first(r)) != NULL) { @@ -390,8 +401,7 @@ static void destroy_tree(struct rb_root *r) rb_erase(node, r); - hlist_for_each_entry_safe(conn, n, &rbconn->hhead, node) - kmem_cache_free(connlimit_conn_cachep, conn); + nf_conncount_cache_free(&rbconn->hhead); kmem_cache_free(connlimit_rb_cachep, rbconn); }
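Review bot: the new header include/net/netfilter/nf_conntrack_count.h (hunk @@ -0,0 +1,14 @@) uses struct net, struct hlist_head, struct nf_conntrack_tuple, struct nf_conntrack_zone and bool without including or forward-declaring any of them, so it only compiles cleanly when the includer has already pulled in the conntrack headers; included first, it produces "declared inside parameter list" warnings with the struct types scoped to the prototype. Suggest adding `#include <linux/types.h>` (for bool and struct hlist_head) plus forward declarations such as `struct net;`, `struct nf_conntrack_tuple;` and `struct nf_conntrack_zone;` right after the include guard. A one-line comment per prototype stating what `*addit` reports and that `head` is the caller's per-source list would also help, since this header is now the only documentation an out-of-file user sees.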
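Review bot: in hunks @@ -114,7 and @@ -126,12 the newly exported nf_conncount_add() and nf_conncount_lookup() live in net/netfilter/xt_connlimit.c in this 4.14 backport (per the mfo note, upstream has them in a separate nf_conncount.c), so any later consumer of these symbols takes a hard module dependency on xt_connlimit rather than on a dedicated nf_conncount module. Worth confirming that whichever patch in this series uses them expresses that in Kconfig (depends on/select NETFILTER_XT_MATCH_CONNLIMIT), otherwise a consumer built without connlimit fails to link or load. The EXPORT_SYMBOL_GPL() placements directly after each function body are fine.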
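Review bot: in hunk @@ -238,7 the GC-only call `nf_conncount_lookup(net, &rbconn->hhead, tuple, zone, &addit);` depends on the lookup unlinking and freeing dead entries as a side effect while the return value and `addit` are discarded, as the preserved comment says. Now that the function is exported that side effect is part of its contract: callers must expect entries on `head` to disappear during a lookup and must not hold pointers into the list across the call. Suggest saying so in the header comment for nf_conncount_lookup(); the code itself mirrors upstream and needs no change for the backport.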
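Review bot: in hunk @@ -378,11 nf_conncount_cache_free() frees every entry on `hhead` but leaves the list head pointing at freed memory (no INIT_HLIST_HEAD(hhead) after the hlist_for_each_entry_safe loop). That is harmless in destroy_tree(), where hunk @@ -390,8 frees `rbconn` immediately afterwards, but as an exported helper it is a use-after-free trap for any caller that keeps the head and later passes it to nf_conncount_lookup() or nf_conncount_add(). Suggest either re-initialising the head at the end of the function or documenting that the head must be discarded after the call.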