net/netfilter/xt_connlimit.c at master · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / net / netfilter / xt_connlimit.c
at master 4.3 kB view raw
  1/*
  2 * netfilter module to limit the number of parallel tcp
  3 * connections per IP address.
  4 *   (c) 2000 Gerd Knorr <kraxel@bytesex.org>
  5 *   Nov 2002: Martin Bene <martin.bene@icomedias.com>:
  6 *		only ignore TIME_WAIT or gone connections
  7 *   (C) CC Computer Consultants GmbH, 2007
  8 *
  9 * based on ...
 10 *
 11 * Kernel module to match connection tracking information.
 12 * GPL (C) 1999  Rusty Russell (rusty@rustcorp.com.au).
 13 */
 14#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 15
 16#include <linux/ip.h>
 17#include <linux/ipv6.h>
 18#include <linux/module.h>
 19#include <linux/skbuff.h>
 20#include <linux/netfilter/x_tables.h>
 21#include <linux/netfilter/xt_connlimit.h>
 22
 23#include <net/netfilter/nf_conntrack.h>
 24#include <net/netfilter/nf_conntrack_core.h>
 25#include <net/netfilter/nf_conntrack_tuple.h>
 26#include <net/netfilter/nf_conntrack_zones.h>
 27#include <net/netfilter/nf_conntrack_count.h>
 28
 29static bool
 30connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
 31{
 32	struct net *net = xt_net(par);
 33	const struct xt_connlimit_info *info = par->matchinfo;
 34	const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
 35	enum ip_conntrack_info ctinfo;
 36	const struct nf_conn *ct;
 37	unsigned int connections;
 38	u32 key[5];
 39
 40	ct = nf_ct_get(skb, &ctinfo);
 41	if (ct)
 42		zone = nf_ct_zone(ct);
 43
 44	if (xt_family(par) == NFPROTO_IPV6) {
 45		const struct ipv6hdr *iph = ipv6_hdr(skb);
 46		union nf_inet_addr addr;
 47		unsigned int i;
 48
 49		memcpy(&addr.ip6, (info->flags & XT_CONNLIMIT_DADDR) ?
 50		       &iph->daddr : &iph->saddr, sizeof(addr.ip6));
 51
 52		for (i = 0; i < ARRAY_SIZE(addr.ip6); ++i)
 53			addr.ip6[i] &= info->mask.ip6[i];
 54		memcpy(key, &addr, sizeof(addr.ip6));
 55		key[4] = zone->id;
 56	} else {
 57		const struct iphdr *iph = ip_hdr(skb);
 58
 59		key[0] = (info->flags & XT_CONNLIMIT_DADDR) ?
 60			 (__force __u32)iph->daddr : (__force __u32)iph->saddr;
 61		key[0] &= (__force __u32)info->mask.ip;
 62		key[1] = zone->id;
 63	}
 64
 65	connections = nf_conncount_count_skb(net, skb, xt_family(par), info->data, key);
 66	if (connections == 0)
 67		/* kmalloc failed or tuple couldn't be found, drop it entirely */
 68		goto hotdrop;
 69
 70	return (connections > info->limit) ^ !!(info->flags & XT_CONNLIMIT_INVERT);
 71
 72 hotdrop:
 73	par->hotdrop = true;
 74	return false;
 75}
 76
 77static int connlimit_mt_check(const struct xt_mtchk_param *par)
 78{
 79	struct xt_connlimit_info *info = par->matchinfo;
 80	unsigned int keylen;
 81	int ret;
 82
 83	keylen = sizeof(u32);
 84	if (par->family == NFPROTO_IPV6)
 85		keylen += sizeof(struct in6_addr);
 86	else
 87		keylen += sizeof(struct in_addr);
 88
 89	ret = nf_ct_netns_get(par->net, par->family);
 90	if (ret < 0) {
 91		pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
 92				    par->family);
 93		return ret;
 94	}
 95
 96	/* init private data */
 97	info->data = nf_conncount_init(par->net, keylen);
 98	if (IS_ERR(info->data))
 99		nf_ct_netns_put(par->net, par->family);
100
101	return PTR_ERR_OR_ZERO(info->data);
102}
103
104static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
105{
106	const struct xt_connlimit_info *info = par->matchinfo;
107
108	nf_conncount_destroy(par->net, info->data);
109	nf_ct_netns_put(par->net, par->family);
110}
111
112static struct xt_match connlimit_mt_reg[] __read_mostly = {
113	{
114		.name       = "connlimit",
115		.revision   = 1,
116		.family     = NFPROTO_IPV4,
117		.checkentry = connlimit_mt_check,
118		.match      = connlimit_mt,
119		.matchsize  = sizeof(struct xt_connlimit_info),
120		.usersize   = offsetof(struct xt_connlimit_info, data),
121		.destroy    = connlimit_mt_destroy,
122		.me         = THIS_MODULE,
123	},
124#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
125	{
126		.name       = "connlimit",
127		.revision   = 1,
128		.family     = NFPROTO_IPV6,
129		.checkentry = connlimit_mt_check,
130		.match      = connlimit_mt,
131		.matchsize  = sizeof(struct xt_connlimit_info),
132		.usersize   = offsetof(struct xt_connlimit_info, data),
133		.destroy    = connlimit_mt_destroy,
134		.me         = THIS_MODULE,
135	},
136#endif
137};
138
139static int __init connlimit_mt_init(void)
140{
141	return xt_register_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg));
142}
143
144static void __exit connlimit_mt_exit(void)
145{
146	xt_unregister_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg));
147}
148
149module_init(connlimit_mt_init);
150module_exit(connlimit_mt_exit);
151MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
152MODULE_DESCRIPTION("Xtables: Number of connections matching");
153MODULE_LICENSE("GPL");
154MODULE_ALIAS("ipt_connlimit");
155MODULE_ALIAS("ip6t_connlimit");