From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next 6/6] netfilter: nft_limit: add per-byte limiting
Date: Wed, 5 Aug 2015 12:43:54 +0200	[thread overview]
Message-ID: <20150805104353.GA23224@acer.localdomain> (raw)
In-Reply-To: <1438771124-3650-6-git-send-email-pablo@netfilter.org>

On 05.08, Pablo Neira Ayuso wrote:
> This patch adds a new NFTA_LIMIT_TYPE netlink attribute to indicate the type of
> limiting.
> 
> Unlike per-packet limiting, the token cost is calculated in the packet path,
> since it depends on the packet length.
> 
> The burst attribute indicates the number of bytes in which the rate can be
> exceeded.

Thanks Pablo, I appreciate this rework. Just a suggestion: I'd propose using
NFT_LIMIT_PKT_LENGTH instead of NFT_LIMIT_BYTES, since we may want to add other
limit types, such as connection rates, in the future.

> 
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  include/uapi/linux/netfilter/nf_tables.h |    7 ++++
>  net/netfilter/nft_limit.c                |   63 ++++++++++++++++++++++++++++--
>  2 files changed, 66 insertions(+), 4 deletions(-)
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index ef037dc..655fd04 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -783,18 +783,25 @@ enum nft_ct_attributes {
>  };
>  #define NFTA_CT_MAX		(__NFTA_CT_MAX - 1)
>  
> +enum nft_limit_type {
> +	NFT_LIMIT_PKTS,
> +	NFT_LIMIT_BYTES
> +};
> +
>  /**
>   * enum nft_limit_attributes - nf_tables limit expression netlink attributes
>   *
>   * @NFTA_LIMIT_RATE: refill rate (NLA_U64)
>   * @NFTA_LIMIT_UNIT: refill unit (NLA_U64)
>   * @NFTA_LIMIT_BURST: burst (NLA_U32)
> + * @NFTA_LIMIT_TYPE: type of limit (NLA_U32: enum nft_limit_type)
>   */
>  enum nft_limit_attributes {
>  	NFTA_LIMIT_UNSPEC,
>  	NFTA_LIMIT_RATE,
>  	NFTA_LIMIT_UNIT,
>  	NFTA_LIMIT_BURST,
> +	NFTA_LIMIT_TYPE,
>  	__NFTA_LIMIT_MAX
>  };
>  #define NFTA_LIMIT_MAX		(__NFTA_LIMIT_MAX - 1)
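Review bot: The new UAPI `enum nft_limit_type` is added without kernel-doc, while `enum nft_limit_attributes` directly below it documents every member; a userspace author reading only this header cannot tell how the two types differ. Add a block above it along the lines of `/** enum nft_limit_type - nf_tables limit expression type`, `@NFT_LIMIT_PKTS: token cost per packet`, `@NFT_LIMIT_BYTES: token cost per byte of packet length */`. Since this is UAPI, the comment is the only contract userspace gets once the values are frozen.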
> diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c
> index b418698..0322dd0 100644
> --- a/net/netfilter/nft_limit.c
> +++ b/net/netfilter/nft_limit.c
> @@ -83,14 +83,16 @@ static int nft_limit_init(struct nft_limit *limit,
>  	return 0;
>  }
>  
> -static int nft_limit_dump(struct sk_buff *skb, const struct nft_limit *limit)
> +static int nft_limit_dump(struct sk_buff *skb, const struct nft_limit *limit,
> +			  enum nft_limit_type type)
>  {
>  	u64 secs = div_u64(limit->nsecs, NSEC_PER_SEC);
>  	u64 rate = limit->rate - limit->burst;
>  
>  	if (nla_put_be64(skb, NFTA_LIMIT_RATE, cpu_to_be64(rate)) ||
>  	    nla_put_be64(skb, NFTA_LIMIT_UNIT, cpu_to_be64(secs)) ||
> -	    nla_put_be32(skb, NFTA_LIMIT_BURST, htonl(limit->burst)))
> +	    nla_put_be32(skb, NFTA_LIMIT_BURST, htonl(limit->burst)) ||
> +	    nla_put_be32(skb, NFTA_LIMIT_TYPE, htonl(type)))
>  		goto nla_put_failure;
>  	return 0;
>  
> @@ -117,6 +119,7 @@ static const struct nla_policy nft_limit_policy[NFTA_LIMIT_MAX + 1] = {
>  	[NFTA_LIMIT_RATE]	= { .type = NLA_U64 },
>  	[NFTA_LIMIT_UNIT]	= { .type = NLA_U64 },
>  	[NFTA_LIMIT_BURST]	= { .type = NLA_U32 },
> +	[NFTA_LIMIT_TYPE]	= { .type = NLA_U32 },
>  };
>  
>  static int nft_limit_pkts_init(const struct nft_ctx *ctx,
> @@ -138,7 +141,7 @@ static int nft_limit_pkts_dump(struct sk_buff *skb, const struct nft_expr *expr)
>  {
>  	const struct nft_limit_pkts *priv = nft_expr_priv(expr);
>  
> -	return nft_limit_dump(skb, &priv->limit);
> +	return nft_limit_dump(skb, &priv->limit, NFT_LIMIT_PKTS);
>  }
>  
>  static struct nft_expr_type nft_limit_type;
> @@ -150,9 +153,61 @@ static const struct nft_expr_ops nft_limit_pkts_ops = {
>  	.dump		= nft_limit_pkts_dump,
>  };
>  
> +static void nft_limit_bytes_eval(const struct nft_expr *expr,
> +				 struct nft_regs *regs,
> +				 const struct nft_pktinfo *pkt)
> +{
> +	struct nft_limit *priv = nft_expr_priv(expr);
> +	u64 cost = div_u64(priv->nsecs * pkt->skb->len, priv->rate);
> +
> +	if (nft_limit_eval(priv, cost))
> +		regs->verdict.code = NFT_BREAK;
> +}
> +
> +static int nft_limit_bytes_init(const struct nft_ctx *ctx,
> +				const struct nft_expr *expr,
> +				const struct nlattr * const tb[])
> +{
> +	struct nft_limit *priv = nft_expr_priv(expr);
> +
> +	return nft_limit_init(priv, tb);
> +}
> +
> +static int nft_limit_bytes_dump(struct sk_buff *skb,
> +				const struct nft_expr *expr)
> +{
> +	const struct nft_limit *priv = nft_expr_priv(expr);
> +
> +	return nft_limit_dump(skb, priv, NFT_LIMIT_BYTES);
> +}
> +
> +static const struct nft_expr_ops nft_limit_bytes_ops = {
> +	.type		= &nft_limit_type,
> +	.size		= NFT_EXPR_SIZE(sizeof(struct nft_limit)),
> +	.eval		= nft_limit_bytes_eval,
> +	.init		= nft_limit_bytes_init,
> +	.dump		= nft_limit_bytes_dump,
> +};
> +
> +static const struct nft_expr_ops *
> +nft_limit_select_ops(const struct nft_ctx *ctx,
> +		     const struct nlattr * const tb[])
> +{
> +	if (tb[NFTA_LIMIT_TYPE] == NULL)
> +		return &nft_limit_pkts_ops;
> +
> +	switch (ntohl(nla_get_be32(tb[NFTA_LIMIT_TYPE]))) {
> +	case NFT_LIMIT_PKTS:
> +		return &nft_limit_pkts_ops;
> +	case NFT_LIMIT_BYTES:
> +		return &nft_limit_bytes_ops;
> +	}
> +	return ERR_PTR(-EOPNOTSUPP);
> +}
> +
>  static struct nft_expr_type nft_limit_type __read_mostly = {
>  	.name		= "limit",
> -	.ops		= &nft_limit_pkts_ops,
> +	.select_ops	= nft_limit_select_ops,
>  	.policy		= nft_limit_policy,
>  	.maxattr	= NFTA_LIMIT_MAX,
>  	.flags		= NFT_EXPR_STATEFUL,
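Review bot: `nft_limit_bytes_eval` divides with `div_u64()`, whose divisor parameter is `u32`, but `priv->rate` is a 64-bit value (the dump hunk earlier in this patch copies it into a `u64` and emits it as be64), so a userspace-supplied rate whose low 32 bits are zero, e.g. 1ULL << 32, is truncated to a zero divisor and the packet path takes a divide trap; rates above 2^32 silently yield a wrong cost. Use `u64 cost = div64_u64(priv->nsecs * pkt->skb->len, priv->rate);` instead, and if `nft_limit_init` (outside this hunk) does not already reject `rate == 0`, that check belongs there as well. The product `priv->nsecs * pkt->skb->len` can also wrap for a very large unit, which would silently undercharge the packet; unless init already bounds `nsecs`, cap it there so the multiplication cannot overflow for the maximum `skb->len`.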
> -- 
> 1.7.10.4
> 
