1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * (C) 2007 Patrick McHardy <kaber@trash.net>
4 */
5#include <linux/module.h>
6#include <linux/skbuff.h>
7#include <linux/gen_stats.h>
8
9#include <linux/netfilter/x_tables.h>
10#include <linux/netfilter/xt_rateest.h>
11#include <net/netfilter/xt_rateest.h>
12
13
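/*
 * xt_rateest_mt - evaluate the "rateest" match for one packet.
 * @skb: packet being matched; not used, the decision depends only on the
 *       estimators' current rates.
 * @par: match parameters; par->matchinfo is the rule's
 *       struct xt_rateest_match_info, with est1 (and est2 for relative
 *       rules) already resolved by xt_rateest_mt_checkentry().
 *
 * Side 1 is always taken from est1.  Side 2 is either the constants in the
 * rule (XT_RATEEST_MATCH_ABS) or a second estimator.  With
 * XT_RATEEST_MATCH_DELTA each estimator side becomes "configured rate minus
 * measured rate", clamped at zero.
 *
 * Returns true when every selected comparison (bytes and/or packets) holds,
 * with the result flipped when XT_RATEEST_MATCH_INVERT is set.
 */
static bool
xt_rateest_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
	const struct xt_rateest_match_info *info = par->matchinfo;
	struct gnet_stats_rate_est64 sample = {0};
	/*
	 * The sample carries 64-bit rates.  Keeping the working values 64-bit
	 * avoids a silent wrap to 32 bits, which would let a very high rate
	 * compare as a low one and flip the rule's verdict.
	 */
	u_int64_t bps1, bps2, pps1, pps2;
	bool ret = true;

	gen_estimator_read(&info->est1->rate_est, &sample);

	if (info->flags & XT_RATEEST_MATCH_DELTA) {
		/* Clamp at zero instead of letting the unsigned subtraction wrap. */
		bps1 = info->bps1 >= sample.bps ? info->bps1 - sample.bps : 0;
		pps1 = info->pps1 >= sample.pps ? info->pps1 - sample.pps : 0;
	} else {
		bps1 = sample.bps;
		pps1 = sample.pps;
	}

	if (info->flags & XT_RATEEST_MATCH_ABS) {
		bps2 = info->bps2;
		pps2 = info->pps2;
	} else {
		/*
		 * The return value of gen_estimator_read() is not checked, so
		 * start from a cleared sample: a read that leaves it untouched
		 * must not hand est1's figures to the est2 side.
		 * NOTE(review): confirm gen_estimator_read() can return without
		 * writing the sample.
		 */
		sample = (struct gnet_stats_rate_est64){0};
		gen_estimator_read(&info->est2->rate_est, &sample);

		if (info->flags & XT_RATEEST_MATCH_DELTA) {
			bps2 = info->bps2 >= sample.bps ? info->bps2 - sample.bps : 0;
			pps2 = info->pps2 >= sample.pps ? info->pps2 - sample.pps : 0;
		} else {
			bps2 = sample.bps;
			pps2 = sample.pps;
		}
	}

	/*
	 * No default case: xt_rateest_mt_checkentry() only accepts the three
	 * modes below, and also requires at least one of BPS/PPS, so ret is
	 * always narrowed by at least one comparison for an accepted rule.
	 */
	switch (info->mode) {
	case XT_RATEEST_MATCH_LT:
		if (info->flags & XT_RATEEST_MATCH_BPS)
			ret &= bps1 < bps2;
		if (info->flags & XT_RATEEST_MATCH_PPS)
			ret &= pps1 < pps2;
		break;
	case XT_RATEEST_MATCH_GT:
		if (info->flags & XT_RATEEST_MATCH_BPS)
			ret &= bps1 > bps2;
		if (info->flags & XT_RATEEST_MATCH_PPS)
			ret &= pps1 > pps2;
		break;
	case XT_RATEEST_MATCH_EQ:
		if (info->flags & XT_RATEEST_MATCH_BPS)
			ret &= bps1 == bps2;
		if (info->flags & XT_RATEEST_MATCH_PPS)
			ret &= pps1 == pps2;
		break;
	}

	ret ^= info->flags & XT_RATEEST_MATCH_INVERT ? true : false;
	return ret;
}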
71
/*
 * xt_rateest_mt_checkentry - validate a "rateest" rule and bind its estimators.
 * @par: check parameters; par->matchinfo is the rule's
 *       struct xt_rateest_match_info as supplied with the rule, par->net the
 *       namespace the estimator names are looked up in.
 *
 * Everything read from the match info here (flags, mode, name1, name2) is
 * rule-supplied input and is validated before any estimator is looked up.
 *
 * Returns 0 on success with info->est1/est2 set, -EINVAL for an inconsistent
 * flag/mode combination, -ENOENT when a named estimator cannot be found.
 */
static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
{
	struct xt_rateest_match_info *info = par->matchinfo;
	struct xt_rateest *first;
	struct xt_rateest *second = NULL;

	/* Exactly one of "absolute" and "relative" must be selected. */
	if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
				     XT_RATEEST_MATCH_REL)) != 1)
		return -EINVAL;

	/* A rule that compares neither bytes nor packets is meaningless. */
	if (!(info->flags & (XT_RATEEST_MATCH_BPS | XT_RATEEST_MATCH_PPS)))
		return -EINVAL;

	/* Reject unknown modes here; the match function has no default case. */
	if (info->mode != XT_RATEEST_MATCH_EQ &&
	    info->mode != XT_RATEEST_MATCH_LT &&
	    info->mode != XT_RATEEST_MATCH_GT)
		return -EINVAL;

	first = xt_rateest_lookup(par->net, info->name1);
	if (!first)
		return -ENOENT;

	if (info->flags & XT_RATEEST_MATCH_REL) {
		second = xt_rateest_lookup(par->net, info->name2);
		if (!second) {
			/* Give back the first estimator before failing. */
			xt_rateest_put(par->net, first);
			return -ENOENT;
		}
	}

	/* est2 stays NULL for absolute rules; the destroy hook relies on that. */
	info->est1 = first;
	info->est2 = second;
	return 0;
}
115
/*
 * xt_rateest_mt_destroy - release the estimators bound by checkentry.
 * @par: destructor parameters; par->matchinfo is the rule's match info.
 *
 * est1 is always put; est2 only when it is non-NULL.
 */
static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par)
{
	struct xt_rateest_match_info *mi = par->matchinfo;
	struct xt_rateest *second = mi->est2;

	xt_rateest_put(par->net, mi->est1);

	if (second != NULL)
		xt_rateest_put(par->net, second);
}
124
/* Registration record for the "rateest" match, revision 0, any protocol family. */
static struct xt_match xt_rateest_mt_reg __read_mostly = {
	/* identity */
	.name = "rateest",
	.revision = 0,
	.family = NFPROTO_UNSPEC,
	.me = THIS_MODULE,

	/* callbacks */
	.checkentry = xt_rateest_mt_checkentry,
	.match = xt_rateest_mt,
	.destroy = xt_rateest_mt_destroy,

	/*
	 * The user-visible part of the match info ends where est1 begins:
	 * est1 and est2 are kernel pointers written by checkentry and are kept
	 * out of the size reported as belonging to userspace.
	 */
	.matchsize = sizeof(struct xt_rateest_match_info),
	.usersize = offsetof(struct xt_rateest_match_info, est1),
};
136
/* Module entry point: register the match; returns xt_register_match()'s result. */
static int __init xt_rateest_mt_init(void)
{
	int err = xt_register_match(&xt_rateest_mt_reg);

	return err;
}
141
/* Module exit point: unregister the match registered by xt_rateest_mt_init(). */
static void __exit xt_rateest_mt_fini(void)
{
	struct xt_match *reg = &xt_rateest_mt_reg;

	xt_unregister_match(reg);
}
146
/* Load/unload hooks. */
module_init(xt_rateest_mt_init);
module_exit(xt_rateest_mt_fini);

/* Module metadata; the match is also reachable under the ipt_/ip6t_ aliases. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("xtables rate estimator match");
MODULE_ALIAS("ipt_rateest");
MODULE_ALIAS("ip6t_rateest");
154