From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next 6/6] netfilter: nft_limit: add per-byte limiting
Date: Wed, 5 Aug 2015 12:43:54 +0200 [thread overview]
Message-ID: <20150805104353.GA23224@acer.localdomain> (raw)
In-Reply-To: <1438771124-3650-6-git-send-email-pablo@netfilter.org>
On 05.08, Pablo Neira Ayuso wrote:
> This patch adds a new NFTA_LIMIT_TYPE netlink attribute to indicate the type of
> limiting.
>
> Contrary to per-packet limiting, the cost is calculated from the packet path
> since this depends on the packet length.
>
> The burst attribute indicates the number of bytes in which the rate can be
> exceeded.
Thanks Pablo, I appreciate this rework. Just a suggestion: I'd propose using
NFT_LIMIT_PKT_LENGTH instead of LIMIT_BYTES, since I expect we might want to
add other limit types, like connection rates etc., in the future.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> include/uapi/linux/netfilter/nf_tables.h | 7 ++++
> net/netfilter/nft_limit.c | 63 ++++++++++++++++++++++++++++--
> 2 files changed, 66 insertions(+), 4 deletions(-)
>
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index ef037dc..655fd04 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -783,18 +783,25 @@ enum nft_ct_attributes {
> };
> #define NFTA_CT_MAX (__NFTA_CT_MAX - 1)
>
> +enum nft_limit_type {
> + NFT_LIMIT_PKTS,
> + NFT_LIMIT_BYTES
> +};
> +
> /**
> * enum nft_limit_attributes - nf_tables limit expression netlink attributes
> *
> * @NFTA_LIMIT_RATE: refill rate (NLA_U64)
> * @NFTA_LIMIT_UNIT: refill unit (NLA_U64)
> * @NFTA_LIMIT_BURST: burst (NLA_U32)
> + * @NFTA_LIMIT_TYPE: type of limit (NLA_U32: enum nft_limit_type)
> */
> enum nft_limit_attributes {
> NFTA_LIMIT_UNSPEC,
> NFTA_LIMIT_RATE,
> NFTA_LIMIT_UNIT,
> NFTA_LIMIT_BURST,
> + NFTA_LIMIT_TYPE,
> __NFTA_LIMIT_MAX
> };
> #define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1)
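Review bot: The new enum nft_limit_type lacks the kernel-doc block that enum nft_limit_attributes directly below it carries, and since this is a uapi header each value becomes part of the ABI; a comment of the form `enum nft_limit_type - nf_tables limit expression types` followed by `@NFT_LIMIT_PKTS:` and `@NFT_LIMIT_BYTES:` lines saying what is counted (packets versus packet length) would match the file's convention. It is also worth stating there that the value travels in NFTA_LIMIT_TYPE and that an absent attribute is treated as NFT_LIMIT_PKTS, because that default is only visible in nft_limit_select_ops in nft_limit.c.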
> diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c
> index b418698..0322dd0 100644
> --- a/net/netfilter/nft_limit.c
> +++ b/net/netfilter/nft_limit.c
> @@ -83,14 +83,16 @@ static int nft_limit_init(struct nft_limit *limit,
> return 0;
> }
>
> -static int nft_limit_dump(struct sk_buff *skb, const struct nft_limit *limit)
> +static int nft_limit_dump(struct sk_buff *skb, const struct nft_limit *limit,
> + enum nft_limit_type type)
> {
> u64 secs = div_u64(limit->nsecs, NSEC_PER_SEC);
> u64 rate = limit->rate - limit->burst;
>
> if (nla_put_be64(skb, NFTA_LIMIT_RATE, cpu_to_be64(rate)) ||
> nla_put_be64(skb, NFTA_LIMIT_UNIT, cpu_to_be64(secs)) ||
> - nla_put_be32(skb, NFTA_LIMIT_BURST, htonl(limit->burst)))
> + nla_put_be32(skb, NFTA_LIMIT_BURST, htonl(limit->burst)) ||
> + nla_put_be32(skb, NFTA_LIMIT_TYPE, htonl(type)))
> goto nla_put_failure;
> return 0;
>
> @@ -117,6 +119,7 @@ static const struct nla_policy nft_limit_policy[NFTA_LIMIT_MAX + 1] = {
> [NFTA_LIMIT_RATE] = { .type = NLA_U64 },
> [NFTA_LIMIT_UNIT] = { .type = NLA_U64 },
> [NFTA_LIMIT_BURST] = { .type = NLA_U32 },
> + [NFTA_LIMIT_TYPE] = { .type = NLA_U32 },
> };
>
> static int nft_limit_pkts_init(const struct nft_ctx *ctx,
> @@ -138,7 +141,7 @@ static int nft_limit_pkts_dump(struct sk_buff *skb, const struct nft_expr *expr)
> {
> const struct nft_limit_pkts *priv = nft_expr_priv(expr);
>
> - return nft_limit_dump(skb, &priv->limit);
> + return nft_limit_dump(skb, &priv->limit, NFT_LIMIT_PKTS);
> }
>
> static struct nft_expr_type nft_limit_type;
> @@ -150,9 +153,61 @@ static const struct nft_expr_ops nft_limit_pkts_ops = {
> .dump = nft_limit_pkts_dump,
> };
>
> +static void nft_limit_bytes_eval(const struct nft_expr *expr,
> + struct nft_regs *regs,
> + const struct nft_pktinfo *pkt)
> +{
> + struct nft_limit *priv = nft_expr_priv(expr);
> + u64 cost = div_u64(priv->nsecs * pkt->skb->len, priv->rate);
> +
> + if (nft_limit_eval(priv, cost))
> + regs->verdict.code = NFT_BREAK;
> +}
> +
> +static int nft_limit_bytes_init(const struct nft_ctx *ctx,
> + const struct nft_expr *expr,
> + const struct nlattr * const tb[])
> +{
> + struct nft_limit *priv = nft_expr_priv(expr);
> +
> + return nft_limit_init(priv, tb);
> +}
> +
> +static int nft_limit_bytes_dump(struct sk_buff *skb,
> + const struct nft_expr *expr)
> +{
> + const struct nft_limit *priv = nft_expr_priv(expr);
> +
> + return nft_limit_dump(skb, priv, NFT_LIMIT_BYTES);
> +}
> +
> +static const struct nft_expr_ops nft_limit_bytes_ops = {
> + .type = &nft_limit_type,
> + .size = NFT_EXPR_SIZE(sizeof(struct nft_limit)),
> + .eval = nft_limit_bytes_eval,
> + .init = nft_limit_bytes_init,
> + .dump = nft_limit_bytes_dump,
> +};
> +
> +static const struct nft_expr_ops *
> +nft_limit_select_ops(const struct nft_ctx *ctx,
> + const struct nlattr * const tb[])
> +{
> + if (tb[NFTA_LIMIT_TYPE] == NULL)
> + return &nft_limit_pkts_ops;
> +
> + switch (ntohl(nla_get_be32(tb[NFTA_LIMIT_TYPE]))) {
> + case NFT_LIMIT_PKTS:
> + return &nft_limit_pkts_ops;
> + case NFT_LIMIT_BYTES:
> + return &nft_limit_bytes_ops;
> + }
> + return ERR_PTR(-EOPNOTSUPP);
> +}
> +
> static struct nft_expr_type nft_limit_type __read_mostly = {
> .name = "limit",
> - .ops = &nft_limit_pkts_ops,
> + .select_ops = nft_limit_select_ops,
> .policy = nft_limit_policy,
> .maxattr = NFTA_LIMIT_MAX,
> .flags = NFT_EXPR_STATEFUL,
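Review bot: In nft_limit_bytes_eval the per-packet cost is computed with div_u64(), whose divisor parameter is 32 bits wide, so if priv->rate is the u64 that the NLA_U64 NFTA_LIMIT_RATE attribute implies, a rate above U32_MAX is silently truncated before the division (and a rate that is a multiple of 2^32 truncates to zero); the 64-bit divide `u64 cost = div64_u64(priv->nsecs * pkt->skb->len, priv->rate);` avoids that. The product priv->nsecs * pkt->skb->len can also wrap for a large userspace-configured unit, which would make the cost far too small and quietly defeat the limit; nft_limit_init, which sits outside this hunk, looks like the place to bound unit and rate for the byte type, presumably by rejecting a unit whose nsecs cannot be multiplied by the largest packet length without overflow. I'd also add a `default:` arm to the switch in nft_limit_select_ops so the -EOPNOTSUPP return reads as the deliberate rejection of an unknown type rather than a fall-out of the switch.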
> --
> 1.7.10.4
>