From patchwork Thu Jan 10 03:36:00 2019
X-Patchwork-Submitter: Mauricio Faria de Oliveira
X-Patchwork-Id: 1022709
From: Mauricio Faria de Oliveira
To: kernel-team@lists.ubuntu.com
Subject: [SRU B][PATCH 2/5] netfilter: nf_conncount: expose connection list interface
Date: Thu, 10 Jan 2019 01:36:00 -0200
Message-Id: <20190110033603.31647-3-mfo@canonical.com>
In-Reply-To: <20190110033603.31647-1-mfo@canonical.com>
References: <20190110033603.31647-1-mfo@canonical.com>

From: Pablo Neira Ayuso

BugLink: https://bugs.launchpad.net/bugs/1811094

This patch provides an interface to maintain the list of connections
and the lookup function to obtain the number of connections in the
list.
Signed-off-by: Pablo Neira Ayuso (backported from commit 5e5cbc7b23eaf13e18652c03efbad5be6995de6a) [mfo: backport: refresh context lines and use older symbol/file names: - nf_conntrack_count.h: new file, add include guards. - nf_conncount.c -> xt_connlimit.c. - nf_conncount_rb -> xt_connlimit_rb - nf_conncount_tuple -> xt_connlimit_conn - conncount_rb_cachep -> connlimit_rb_cachep - conncount_conn_cachep -> connlimit_conn_cachep] Signed-off-by: Mauricio Faria de Oliveira --- include/net/netfilter/nf_conntrack_count.h | 14 +++++++++ net/netfilter/xt_connlimit.c | 36 ++++++++++++++-------- 2 files changed, 37 insertions(+), 13 deletions(-) create mode 100644 include/net/netfilter/nf_conntrack_count.h diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h new file mode 100644 index 000000000000..54e43b8a8da1 --- /dev/null +++ b/include/net/netfilter/nf_conntrack_count.h @@ -0,0 +1,14 @@ +#ifndef _NF_CONNTRACK_COUNT_H +#define _NF_CONNTRACK_COUNT_H + +unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, + const struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_zone *zone, + bool *addit); + +bool nf_conncount_add(struct hlist_head *head, + const struct nf_conntrack_tuple *tuple); + +void nf_conncount_cache_free(struct hlist_head *hhead); + +#endif diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index 580239db4af2..7f543db6c562 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c @@ -96,7 +96,7 @@ same_source(const union nf_inet_addr *addr, return memcmp(addr->ip6, u3->ip6, sizeof(addr->ip6)); } -static bool add_hlist(struct hlist_head *head, +bool nf_conncount_add(struct hlist_head *head, const struct nf_conntrack_tuple *tuple) { struct xt_connlimit_conn *conn; 
@@ -108,12 +108,12 @@ static bool add_hlist(struct hlist_head *head, hlist_add_head(&conn->node, head); return true; } +EXPORT_SYMBOL_GPL(nf_conncount_add); -static unsigned int check_hlist(struct net *net, - struct hlist_head *head, - const struct nf_conntrack_tuple *tuple, - const struct nf_conntrack_zone *zone, - bool *addit) +unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, + const struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_zone *zone, + bool *addit) { const struct nf_conntrack_tuple_hash *found; struct xt_connlimit_conn *conn; @@ -158,6 +158,7 @@ static unsigned int check_hlist(struct net *net, return length; } +EXPORT_SYMBOL_GPL(nf_conncount_lookup); static void tree_nodes_free(struct rb_root *root, struct xt_connlimit_rb *gc_nodes[], @@ -204,13 +205,15 @@ count_tree(struct net *net, struct rb_root *root, } else { /* same source network -> be counted! */ unsigned int count; - count = check_hlist(net, &rbconn->hhead, tuple, zone, &addit); + + count = nf_conncount_lookup(net, &rbconn->hhead, tuple, + zone, &addit); tree_nodes_free(root, gc_nodes, gc_count); if (!addit) return count; - if (!add_hlist(&rbconn->hhead, tuple)) + if (!nf_conncount_add(&rbconn->hhead, tuple)) return 0; /* hotdrop */ return count + 1; @@ -220,7 +223,7 @@ count_tree(struct net *net, struct rb_root *root, continue; /* only used for GC on hhead, retval and 'addit' ignored */ - check_hlist(net, &rbconn->hhead, tuple, zone, &addit); + nf_conncount_lookup(net, &rbconn->hhead, tuple, zone, &addit); if (hlist_empty(&rbconn->hhead)) gc_nodes[gc_count++] = rbconn; } 
@@ -366,11 +369,19 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par) return 0; } -static void destroy_tree(struct rb_root *r) +void nf_conncount_cache_free(struct hlist_head *hhead) { struct xt_connlimit_conn *conn; - struct xt_connlimit_rb *rbconn; struct hlist_node *n; + + hlist_for_each_entry_safe(conn, n, hhead, node) + kmem_cache_free(connlimit_conn_cachep, conn); +} +EXPORT_SYMBOL_GPL(nf_conncount_cache_free); + +static void destroy_tree(struct rb_root *r) +{ + struct xt_connlimit_rb *rbconn; struct rb_node *node; while ((node = rb_first(r)) != NULL) { @@ -378,8 +389,7 @@ static void destroy_tree(struct rb_root *r) rb_erase(node, r); - hlist_for_each_entry_safe(conn, n, &rbconn->hhead, node) - kmem_cache_free(connlimit_conn_cachep, conn); + nf_conncount_cache_free(&rbconn->hhead); kmem_cache_free(connlimit_rb_cachep, rbconn); }
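Review bot: the new include/net/netfilter/nf_conntrack_count.h is not self-contained and is never included by the file that defines the functions it declares. The prototypes use struct net, struct hlist_head, struct nf_conntrack_tuple, struct nf_conntrack_zone and bool, but the header has no #include and no forward declarations, so it only compiles if the includer already pulled those in; add `#include <linux/types.h>` and `struct net; struct nf_conntrack_tuple; struct nf_conntrack_zone;` before the prototypes. Also, the diffstat lists only two files and none of the xt_connlimit.c hunks adds `#include <net/netfilter/nf_conntrack_count.h>`, so the three now non-static definitions in xt_connlimit.c are never checked against their declarations (sparse will flag them as "not declared, should it be static?"); add the include to xt_connlimit.c in this patch rather than in a later one.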
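Review bot: in the @@ -108 hunk nf_conncount_lookup() becomes an EXPORT_SYMBOL_GPL interface with no comment describing its contract, which is more than a lookup. The later hunk's own comment, "only used for GC on hhead, retval and 'addit' ignored", shows that the function also removes dead entries from the list as a side effect, and count_tree() relies on calling nf_conncount_lookup() and then nf_conncount_add() back to back on the same list with the `addit` result still valid in between. An external module reading only the header cannot know that the list is mutated by a "lookup", that *addit means "tuple not present, caller must add it", or that the two calls must not be interleaved with other users of the same list. Add a kernel-doc block above the definition stating the return value (number of live entries), the meaning of *addit, that stale entries are freed, and what serialization the caller must provide for `head`.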
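Review bot: nf_conncount_cache_free() in the @@ -366 hunk frees every entry hanging off hhead but leaves the hlist_head itself pointing at the first freed node. That is harmless for its only caller here, since destroy_tree() passes &rbconn->hhead and then immediately does kmem_cache_free(connlimit_rb_cachep, rbconn), but the function is exported, and any other caller that keeps the head around (for example to reuse the list after emptying it) would next walk or hlist_add_head() into freed memory. Either add `INIT_HLIST_HEAD(hhead);` after the hlist_for_each_entry_safe() loop, or state in a comment that the head must be discarded after the call.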