cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

nft_connlimit.c (7667B)

      1/* SPDX-License-Identifier: GPL-2.0 */
      2#include <linux/kernel.h>
      3#include <linux/init.h>
      4#include <linux/module.h>
      5#include <linux/spinlock.h>
      6#include <linux/netlink.h>
      7#include <linux/netfilter.h>
      8#include <linux/netfilter/nf_tables.h>
      9#include <net/netfilter/nf_tables.h>
     10#include <net/netfilter/nf_conntrack.h>
     11#include <net/netfilter/nf_conntrack_count.h>
     12#include <net/netfilter/nf_conntrack_core.h>
     13#include <net/netfilter/nf_conntrack_tuple.h>
     14#include <net/netfilter/nf_conntrack_zones.h>
     15
     16struct nft_connlimit {
     17	struct nf_conncount_list	*list;
     18	u32				limit;
     19	bool				invert;
     20};
     21
     22static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
     23					 struct nft_regs *regs,
     24					 const struct nft_pktinfo *pkt,
     25					 const struct nft_set_ext *ext)
     26{
     27	const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
     28	const struct nf_conntrack_tuple *tuple_ptr;
     29	struct nf_conntrack_tuple tuple;
     30	enum ip_conntrack_info ctinfo;
     31	const struct nf_conn *ct;
     32	unsigned int count;
     33
     34	tuple_ptr = &tuple;
     35
     36	ct = nf_ct_get(pkt->skb, &ctinfo);
     37	if (ct != NULL) {
     38		tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
     39		zone = nf_ct_zone(ct);
     40	} else if (!nf_ct_get_tuplepr(pkt->skb, skb_network_offset(pkt->skb),
     41				      nft_pf(pkt), nft_net(pkt), &tuple)) {
     42		regs->verdict.code = NF_DROP;
     43		return;
     44	}
     45
     46	if (nf_conncount_add(nft_net(pkt), priv->list, tuple_ptr, zone)) {
     47		regs->verdict.code = NF_DROP;
     48		return;
     49	}
     50
     51	count = priv->list->count;
     52
     53	if ((count > priv->limit) ^ priv->invert) {
     54		regs->verdict.code = NFT_BREAK;
     55		return;
     56	}
     57}
     58
     59static int nft_connlimit_do_init(const struct nft_ctx *ctx,
     60				 const struct nlattr * const tb[],
     61				 struct nft_connlimit *priv)
     62{
     63	bool invert = false;
     64	u32 flags, limit;
     65	int err;
     66
     67	if (!tb[NFTA_CONNLIMIT_COUNT])
     68		return -EINVAL;
     69
     70	limit = ntohl(nla_get_be32(tb[NFTA_CONNLIMIT_COUNT]));
     71
     72	if (tb[NFTA_CONNLIMIT_FLAGS]) {
     73		flags = ntohl(nla_get_be32(tb[NFTA_CONNLIMIT_FLAGS]));
     74		if (flags & ~NFT_CONNLIMIT_F_INV)
     75			return -EOPNOTSUPP;
     76		if (flags & NFT_CONNLIMIT_F_INV)
     77			invert = true;
     78	}
     79
     80	priv->list = kmalloc(sizeof(*priv->list), GFP_KERNEL_ACCOUNT);
     81	if (!priv->list)
     82		return -ENOMEM;
     83
     84	nf_conncount_list_init(priv->list);
     85	priv->limit	= limit;
     86	priv->invert	= invert;
     87
     88	err = nf_ct_netns_get(ctx->net, ctx->family);
     89	if (err < 0)
     90		goto err_netns;
     91
     92	return 0;
     93err_netns:
     94	kfree(priv->list);
     95
     96	return err;
     97}
     98
     99static void nft_connlimit_do_destroy(const struct nft_ctx *ctx,
    100				     struct nft_connlimit *priv)
    101{
    102	nf_ct_netns_put(ctx->net, ctx->family);
    103	nf_conncount_cache_free(priv->list);
    104	kfree(priv->list);
    105}
    106
    107static int nft_connlimit_do_dump(struct sk_buff *skb,
    108				 struct nft_connlimit *priv)
    109{
    110	if (nla_put_be32(skb, NFTA_CONNLIMIT_COUNT, htonl(priv->limit)))
    111		goto nla_put_failure;
    112	if (priv->invert &&
    113	    nla_put_be32(skb, NFTA_CONNLIMIT_FLAGS, htonl(NFT_CONNLIMIT_F_INV)))
    114		goto nla_put_failure;
    115
    116	return 0;
    117
    118nla_put_failure:
    119	return -1;
    120}
    121
    122static inline void nft_connlimit_obj_eval(struct nft_object *obj,
    123					struct nft_regs *regs,
    124					const struct nft_pktinfo *pkt)
    125{
    126	struct nft_connlimit *priv = nft_obj_data(obj);
    127
    128	nft_connlimit_do_eval(priv, regs, pkt, NULL);
    129}
    130
    131static int nft_connlimit_obj_init(const struct nft_ctx *ctx,
    132				const struct nlattr * const tb[],
    133				struct nft_object *obj)
    134{
    135	struct nft_connlimit *priv = nft_obj_data(obj);
    136
    137	return nft_connlimit_do_init(ctx, tb, priv);
    138}
    139
    140static void nft_connlimit_obj_destroy(const struct nft_ctx *ctx,
    141				      struct nft_object *obj)
    142{
    143	struct nft_connlimit *priv = nft_obj_data(obj);
    144
    145	nft_connlimit_do_destroy(ctx, priv);
    146}
    147
    148static int nft_connlimit_obj_dump(struct sk_buff *skb,
    149				  struct nft_object *obj, bool reset)
    150{
    151	struct nft_connlimit *priv = nft_obj_data(obj);
    152
    153	return nft_connlimit_do_dump(skb, priv);
    154}
    155
    156static const struct nla_policy nft_connlimit_policy[NFTA_CONNLIMIT_MAX + 1] = {
    157	[NFTA_CONNLIMIT_COUNT]	= { .type = NLA_U32 },
    158	[NFTA_CONNLIMIT_FLAGS]	= { .type = NLA_U32 },
    159};
    160
    161static struct nft_object_type nft_connlimit_obj_type;
    162static const struct nft_object_ops nft_connlimit_obj_ops = {
    163	.type		= &nft_connlimit_obj_type,
    164	.size		= sizeof(struct nft_connlimit),
    165	.eval		= nft_connlimit_obj_eval,
    166	.init		= nft_connlimit_obj_init,
    167	.destroy	= nft_connlimit_obj_destroy,
    168	.dump		= nft_connlimit_obj_dump,
    169};
    170
    171static struct nft_object_type nft_connlimit_obj_type __read_mostly = {
    172	.type		= NFT_OBJECT_CONNLIMIT,
    173	.ops		= &nft_connlimit_obj_ops,
    174	.maxattr	= NFTA_CONNLIMIT_MAX,
    175	.policy		= nft_connlimit_policy,
    176	.owner		= THIS_MODULE,
    177};
    178
    179static void nft_connlimit_eval(const struct nft_expr *expr,
    180			       struct nft_regs *regs,
    181			       const struct nft_pktinfo *pkt)
    182{
    183	struct nft_connlimit *priv = nft_expr_priv(expr);
    184
    185	nft_connlimit_do_eval(priv, regs, pkt, NULL);
    186}
    187
    188static int nft_connlimit_dump(struct sk_buff *skb, const struct nft_expr *expr)
    189{
    190	struct nft_connlimit *priv = nft_expr_priv(expr);
    191
    192	return nft_connlimit_do_dump(skb, priv);
    193}
    194
    195static int nft_connlimit_init(const struct nft_ctx *ctx,
    196			      const struct nft_expr *expr,
    197			      const struct nlattr * const tb[])
    198{
    199	struct nft_connlimit *priv = nft_expr_priv(expr);
    200
    201	return nft_connlimit_do_init(ctx, tb, priv);
    202}
    203
    204static void nft_connlimit_destroy(const struct nft_ctx *ctx,
    205				const struct nft_expr *expr)
    206{
    207	struct nft_connlimit *priv = nft_expr_priv(expr);
    208
    209	nft_connlimit_do_destroy(ctx, priv);
    210}
    211
    212static int nft_connlimit_clone(struct nft_expr *dst, const struct nft_expr *src)
    213{
    214	struct nft_connlimit *priv_dst = nft_expr_priv(dst);
    215	struct nft_connlimit *priv_src = nft_expr_priv(src);
    216
    217	priv_dst->list = kmalloc(sizeof(*priv_dst->list), GFP_ATOMIC);
    218	if (!priv_dst->list)
    219		return -ENOMEM;
    220
    221	nf_conncount_list_init(priv_dst->list);
    222	priv_dst->limit	 = priv_src->limit;
    223	priv_dst->invert = priv_src->invert;
    224
    225	return 0;
    226}
    227
    228static void nft_connlimit_destroy_clone(const struct nft_ctx *ctx,
    229					const struct nft_expr *expr)
    230{
    231	struct nft_connlimit *priv = nft_expr_priv(expr);
    232
    233	nf_conncount_cache_free(priv->list);
    234	kfree(priv->list);
    235}
    236
    237static bool nft_connlimit_gc(struct net *net, const struct nft_expr *expr)
    238{
    239	struct nft_connlimit *priv = nft_expr_priv(expr);
    240	bool ret;
    241
    242	local_bh_disable();
    243	ret = nf_conncount_gc_list(net, priv->list);
    244	local_bh_enable();
    245
    246	return ret;
    247}
    248
    249static struct nft_expr_type nft_connlimit_type;
    250static const struct nft_expr_ops nft_connlimit_ops = {
    251	.type		= &nft_connlimit_type,
    252	.size		= NFT_EXPR_SIZE(sizeof(struct nft_connlimit)),
    253	.eval		= nft_connlimit_eval,
    254	.init		= nft_connlimit_init,
    255	.destroy	= nft_connlimit_destroy,
    256	.clone		= nft_connlimit_clone,
    257	.destroy_clone	= nft_connlimit_destroy_clone,
    258	.dump		= nft_connlimit_dump,
    259	.gc		= nft_connlimit_gc,
    260	.reduce		= NFT_REDUCE_READONLY,
    261};
    262
    263static struct nft_expr_type nft_connlimit_type __read_mostly = {
    264	.name		= "connlimit",
    265	.ops		= &nft_connlimit_ops,
    266	.policy		= nft_connlimit_policy,
    267	.maxattr	= NFTA_CONNLIMIT_MAX,
    268	.flags		= NFT_EXPR_STATEFUL | NFT_EXPR_GC,
    269	.owner		= THIS_MODULE,
    270};
    271
    272static int __init nft_connlimit_module_init(void)
    273{
    274	int err;
    275
    276	err = nft_register_obj(&nft_connlimit_obj_type);
    277	if (err < 0)
    278		return err;
    279
    280	err = nft_register_expr(&nft_connlimit_type);
    281	if (err < 0)
    282		goto err1;
    283
    284	return 0;
    285err1:
    286	nft_unregister_obj(&nft_connlimit_obj_type);
    287	return err;
    288}
    289
    290static void __exit nft_connlimit_module_exit(void)
    291{
    292	nft_unregister_expr(&nft_connlimit_type);
    293	nft_unregister_obj(&nft_connlimit_obj_type);
    294}
    295
    296module_init(nft_connlimit_module_init);
    297module_exit(nft_connlimit_module_exit);
    298
    299MODULE_LICENSE("GPL");
    300MODULE_AUTHOR("Pablo Neira Ayuso");
    301MODULE_ALIAS_NFT_EXPR("connlimit");
    302MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CONNLIMIT);
    303MODULE_DESCRIPTION("nftables connlimit rule support");