2 * count the number of connections matching an arbitrary key.
4 * (C) 2017 Red Hat GmbH
5 * Author: Florian Westphal <fw@strlen.de>
7 * split from xt_connlimit.c:
8 * (c) 2000 Gerd Knorr <kraxel@bytesex.org>
9 * Nov 2002: Martin Bene <martin.bene@icomedias.com>:
10 * only ignore TIME_WAIT or gone connections
11 * (C) CC Computer Consultants GmbH, 2007
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 #include <linux/in6.h>
17 #include <linux/ipv6.h>
18 #include <linux/jhash.h>
19 #include <linux/slab.h>
20 #include <linux/list.h>
21 #include <linux/rbtree.h>
22 #include <linux/module.h>
23 #include <linux/random.h>
24 #include <linux/skbuff.h>
25 #include <linux/spinlock.h>
26 #include <linux/netfilter/nf_conntrack_tcp.h>
27 #include <linux/netfilter/x_tables.h>
28 #include <net/netfilter/nf_conntrack.h>
29 #include <net/netfilter/nf_conntrack_count.h>
30 #include <net/netfilter/nf_conntrack_core.h>
31 #include <net/netfilter/nf_conntrack_tuple.h>
32 #include <net/netfilter/nf_conntrack_zones.h>
34 #define CONNCOUNT_SLOTS 256U
36 #define CONNCOUNT_GC_MAX_NODES 8
39 /* we will save the tuples of all connections we care about */
40 struct nf_conncount_tuple {
41 struct list_head node;
42 struct nf_conntrack_tuple tuple;
43 struct nf_conntrack_zone zone;
48 struct nf_conncount_rb {
50 struct nf_conncount_list list;
52 struct rcu_head rcu_head;
55 static spinlock_t nf_conncount_locks[CONNCOUNT_SLOTS] __cacheline_aligned_in_smp;
57 struct nf_conncount_data {
59 struct rb_root root[CONNCOUNT_SLOTS];
61 struct work_struct gc_work;
62 unsigned long pending_trees[BITS_TO_LONGS(CONNCOUNT_SLOTS)];
66 static u_int32_t conncount_rnd __read_mostly;
67 static struct kmem_cache *conncount_rb_cachep __read_mostly;
68 static struct kmem_cache *conncount_conn_cachep __read_mostly;
70 static inline bool already_closed(const struct nf_conn *conn)
72 if (nf_ct_protonum(conn) == IPPROTO_TCP)
73 return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT ||
74 conn->proto.tcp.state == TCP_CONNTRACK_CLOSE;
79 static int key_diff(const u32 *a, const u32 *b, unsigned int klen)
81 return memcmp(a, b, klen * sizeof(u32));
84 static bool conn_free(struct nf_conncount_list *list,
85 struct nf_conncount_tuple *conn)
87 bool free_entry = false;
89 lockdep_assert_held(&list->list_lock);
92 list_del(&conn->node);
93 if (list->count == 0) {
98 kmem_cache_free(conncount_conn_cachep, conn);
102 static const struct nf_conntrack_tuple_hash *
103 find_or_evict(struct net *net, struct nf_conncount_list *list,
104 struct nf_conncount_tuple *conn, bool *free_entry)
106 const struct nf_conntrack_tuple_hash *found;
108 int cpu = raw_smp_processor_id();
111 found = nf_conntrack_find_get(net, &conn->zone, &conn->tuple);
117 /* conn might have been added just before by another cpu and
118 * might still be unconfirmed. In this case, nf_conntrack_find()
119 * returns no result. Thus only evict if this cpu added the
120 * stale entry or if the entry is older than two jiffies.
123 if (conn->cpu == cpu || age >= 2) {
124 *free_entry = conn_free(list, conn);
125 return ERR_PTR(-ENOENT);
128 return ERR_PTR(-EAGAIN);
131 static int __nf_conncount_add(struct net *net,
132 struct nf_conncount_list *list,
133 const struct nf_conntrack_tuple *tuple,
134 const struct nf_conntrack_zone *zone)
136 const struct nf_conntrack_tuple_hash *found;
137 struct nf_conncount_tuple *conn, *conn_n;
138 struct nf_conn *found_ct;
139 unsigned int collect = 0;
140 bool free_entry = false;
142 /* check the saved connections */
143 list_for_each_entry_safe(conn, conn_n, &list->head, node) {
144 if (collect > CONNCOUNT_GC_MAX_NODES)
147 found = find_or_evict(net, list, conn, &free_entry);
149 /* Not found, but might be about to be confirmed */
150 if (PTR_ERR(found) == -EAGAIN) {
151 if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
152 nf_ct_zone_id(&conn->zone, conn->zone.dir) ==
153 nf_ct_zone_id(zone, zone->dir))
154 return 0; /* already exists */
161 found_ct = nf_ct_tuplehash_to_ctrack(found);
163 if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
164 nf_ct_zone_equal(found_ct, zone, zone->dir)) {
166 * We should not see tuples twice unless someone hooks
167 * this into a table without "-p tcp --syn".
169 * Attempt to avoid a re-add in this case.
173 } else if (already_closed(found_ct)) {
175 * we do not care about connections which are
176 * closed already -> ditch it
179 conn_free(list, conn);
187 if (WARN_ON_ONCE(list->count > INT_MAX))
190 conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
194 conn->tuple = *tuple;
196 conn->cpu = raw_smp_processor_id();
197 conn->jiffies32 = (u32)jiffies;
198 list_add_tail(&conn->node, &list->head);
203 int nf_conncount_add(struct net *net,
204 struct nf_conncount_list *list,
205 const struct nf_conntrack_tuple *tuple,
206 const struct nf_conntrack_zone *zone)
210 /* check the saved connections */
211 spin_lock_bh(&list->list_lock);
212 ret = __nf_conncount_add(net, list, tuple, zone);
213 spin_unlock_bh(&list->list_lock);
217 EXPORT_SYMBOL_GPL(nf_conncount_add);
219 void nf_conncount_list_init(struct nf_conncount_list *list)
221 spin_lock_init(&list->list_lock);
222 INIT_LIST_HEAD(&list->head);
226 EXPORT_SYMBOL_GPL(nf_conncount_list_init);
228 /* Return true if the list is empty. Must be called with BH disabled. */
229 bool nf_conncount_gc_list(struct net *net,
230 struct nf_conncount_list *list)
232 const struct nf_conntrack_tuple_hash *found;
233 struct nf_conncount_tuple *conn, *conn_n;
234 struct nf_conn *found_ct;
235 unsigned int collected = 0;
236 bool free_entry = false;
239 /* don't bother if other cpu is already doing GC */
240 if (!spin_trylock(&list->list_lock))
243 list_for_each_entry_safe(conn, conn_n, &list->head, node) {
244 found = find_or_evict(net, list, conn, &free_entry);
246 if (PTR_ERR(found) == -ENOENT) {
248 spin_unlock(&list->list_lock);
256 found_ct = nf_ct_tuplehash_to_ctrack(found);
257 if (already_closed(found_ct)) {
259 * we do not care about connections which are
260 * closed already -> ditch it
263 if (conn_free(list, conn)) {
264 spin_unlock(&list->list_lock);
272 if (collected > CONNCOUNT_GC_MAX_NODES)
280 spin_unlock(&list->list_lock);
284 EXPORT_SYMBOL_GPL(nf_conncount_gc_list);
286 static void __tree_nodes_free(struct rcu_head *h)
288 struct nf_conncount_rb *rbconn;
290 rbconn = container_of(h, struct nf_conncount_rb, rcu_head);
291 kmem_cache_free(conncount_rb_cachep, rbconn);
294 static void tree_nodes_free(struct rb_root *root,
295 struct nf_conncount_rb *gc_nodes[],
296 unsigned int gc_count)
298 struct nf_conncount_rb *rbconn;
301 rbconn = gc_nodes[--gc_count];
302 spin_lock(&rbconn->list.list_lock);
303 rb_erase(&rbconn->node, root);
304 call_rcu(&rbconn->rcu_head, __tree_nodes_free);
305 spin_unlock(&rbconn->list.list_lock);
309 static void schedule_gc_worker(struct nf_conncount_data *data, int tree)
311 set_bit(tree, data->pending_trees);
312 schedule_work(&data->gc_work);
316 insert_tree(struct net *net,
317 struct nf_conncount_data *data,
318 struct rb_root *root,
322 const struct nf_conntrack_tuple *tuple,
323 const struct nf_conntrack_zone *zone)
325 struct nf_conncount_rb *gc_nodes[CONNCOUNT_GC_MAX_NODES];
326 struct rb_node **rbnode, *parent;
327 struct nf_conncount_rb *rbconn;
328 struct nf_conncount_tuple *conn;
329 unsigned int count = 0, gc_count = 0;
332 spin_lock_bh(&nf_conncount_locks[hash]);
335 rbnode = &(root->rb_node);
338 rbconn = rb_entry(*rbnode, struct nf_conncount_rb, node);
341 diff = key_diff(key, rbconn->key, keylen);
343 rbnode = &((*rbnode)->rb_left);
344 } else if (diff > 0) {
345 rbnode = &((*rbnode)->rb_right);
349 ret = nf_conncount_add(net, &rbconn->list, tuple, zone);
351 count = 0; /* hotdrop */
353 count = rbconn->list.count;
354 tree_nodes_free(root, gc_nodes, gc_count);
358 if (gc_count >= ARRAY_SIZE(gc_nodes))
361 if (do_gc && nf_conncount_gc_list(net, &rbconn->list))
362 gc_nodes[gc_count++] = rbconn;
366 tree_nodes_free(root, gc_nodes, gc_count);
367 schedule_gc_worker(data, hash);
373 /* expected case: match, insert new node */
374 rbconn = kmem_cache_alloc(conncount_rb_cachep, GFP_ATOMIC);
378 conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
380 kmem_cache_free(conncount_rb_cachep, rbconn);
384 conn->tuple = *tuple;
386 memcpy(rbconn->key, key, sizeof(u32) * keylen);
388 nf_conncount_list_init(&rbconn->list);
389 list_add(&conn->node, &rbconn->list.head);
391 rbconn->list.count = count;
393 rb_link_node_rcu(&rbconn->node, parent, rbnode);
394 rb_insert_color(&rbconn->node, root);
396 spin_unlock_bh(&nf_conncount_locks[hash]);
401 count_tree(struct net *net,
402 struct nf_conncount_data *data,
404 const struct nf_conntrack_tuple *tuple,
405 const struct nf_conntrack_zone *zone)
407 struct rb_root *root;
408 struct rb_node *parent;
409 struct nf_conncount_rb *rbconn;
411 u8 keylen = data->keylen;
413 hash = jhash2(key, data->keylen, conncount_rnd) % CONNCOUNT_SLOTS;
414 root = &data->root[hash];
416 parent = rcu_dereference_raw(root->rb_node);
420 rbconn = rb_entry(parent, struct nf_conncount_rb, node);
422 diff = key_diff(key, rbconn->key, keylen);
424 parent = rcu_dereference_raw(parent->rb_left);
425 } else if (diff > 0) {
426 parent = rcu_dereference_raw(parent->rb_right);
431 nf_conncount_gc_list(net, &rbconn->list);
432 return rbconn->list.count;
435 spin_lock_bh(&rbconn->list.list_lock);
436 /* Node might be about to be free'd.
437 * We need to defer to insert_tree() in this case.
439 if (rbconn->list.count == 0) {
440 spin_unlock_bh(&rbconn->list.list_lock);
444 /* same source network -> be counted! */
445 ret = __nf_conncount_add(net, &rbconn->list, tuple, zone);
446 spin_unlock_bh(&rbconn->list.list_lock);
448 return 0; /* hotdrop */
450 return rbconn->list.count;
457 return insert_tree(net, data, root, hash, key, keylen, tuple, zone);
460 static void tree_gc_worker(struct work_struct *work)
462 struct nf_conncount_data *data = container_of(work, struct nf_conncount_data, gc_work);
463 struct nf_conncount_rb *gc_nodes[CONNCOUNT_GC_MAX_NODES], *rbconn;
464 struct rb_root *root;
465 struct rb_node *node;
466 unsigned int tree, next_tree, gc_count = 0;
468 tree = data->gc_tree % CONNCOUNT_SLOTS;
469 root = &data->root[tree];
473 for (node = rb_first(root); node != NULL; node = rb_next(node)) {
474 rbconn = rb_entry(node, struct nf_conncount_rb, node);
475 if (nf_conncount_gc_list(data->net, &rbconn->list))
483 spin_lock_bh(&nf_conncount_locks[tree]);
484 if (gc_count < ARRAY_SIZE(gc_nodes))
485 goto next; /* do not bother */
488 node = rb_first(root);
489 while (node != NULL) {
490 rbconn = rb_entry(node, struct nf_conncount_rb, node);
491 node = rb_next(node);
493 if (rbconn->list.count > 0)
496 gc_nodes[gc_count++] = rbconn;
497 if (gc_count >= ARRAY_SIZE(gc_nodes)) {
498 tree_nodes_free(root, gc_nodes, gc_count);
503 tree_nodes_free(root, gc_nodes, gc_count);
505 clear_bit(tree, data->pending_trees);
507 next_tree = (tree + 1) % CONNCOUNT_SLOTS;
508 next_tree = find_next_bit(data->pending_trees, next_tree, CONNCOUNT_SLOTS);
510 if (next_tree < CONNCOUNT_SLOTS) {
511 data->gc_tree = next_tree;
515 spin_unlock_bh(&nf_conncount_locks[tree]);
518 /* Count and return number of conntrack entries in 'net' with particular 'key'.
519 * If 'tuple' is not null, insert it into the accounting data structure.
520 * Call with RCU read lock.
522 unsigned int nf_conncount_count(struct net *net,
523 struct nf_conncount_data *data,
525 const struct nf_conntrack_tuple *tuple,
526 const struct nf_conntrack_zone *zone)
528 return count_tree(net, data, key, tuple, zone);
530 EXPORT_SYMBOL_GPL(nf_conncount_count);
532 struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family,
535 struct nf_conncount_data *data;
538 if (keylen % sizeof(u32) ||
539 keylen / sizeof(u32) > MAX_KEYLEN ||
541 return ERR_PTR(-EINVAL);
543 net_get_random_once(&conncount_rnd, sizeof(conncount_rnd));
545 data = kmalloc(sizeof(*data), GFP_KERNEL);
547 return ERR_PTR(-ENOMEM);
549 ret = nf_ct_netns_get(net, family);
555 for (i = 0; i < ARRAY_SIZE(data->root); ++i)
556 data->root[i] = RB_ROOT;
558 data->keylen = keylen / sizeof(u32);
560 INIT_WORK(&data->gc_work, tree_gc_worker);
564 EXPORT_SYMBOL_GPL(nf_conncount_init);
566 void nf_conncount_cache_free(struct nf_conncount_list *list)
568 struct nf_conncount_tuple *conn, *conn_n;
570 list_for_each_entry_safe(conn, conn_n, &list->head, node)
571 kmem_cache_free(conncount_conn_cachep, conn);
573 EXPORT_SYMBOL_GPL(nf_conncount_cache_free);
575 static void destroy_tree(struct rb_root *r)
577 struct nf_conncount_rb *rbconn;
578 struct rb_node *node;
580 while ((node = rb_first(r)) != NULL) {
581 rbconn = rb_entry(node, struct nf_conncount_rb, node);
585 nf_conncount_cache_free(&rbconn->list);
587 kmem_cache_free(conncount_rb_cachep, rbconn);
591 void nf_conncount_destroy(struct net *net, unsigned int family,
592 struct nf_conncount_data *data)
596 cancel_work_sync(&data->gc_work);
597 nf_ct_netns_put(net, family);
599 for (i = 0; i < ARRAY_SIZE(data->root); ++i)
600 destroy_tree(&data->root[i]);
604 EXPORT_SYMBOL_GPL(nf_conncount_destroy);
606 static int __init nf_conncount_modinit(void)
610 for (i = 0; i < CONNCOUNT_SLOTS; ++i)
611 spin_lock_init(&nf_conncount_locks[i]);
613 conncount_conn_cachep = kmem_cache_create("nf_conncount_tuple",
614 sizeof(struct nf_conncount_tuple),
616 if (!conncount_conn_cachep)
619 conncount_rb_cachep = kmem_cache_create("nf_conncount_rb",
620 sizeof(struct nf_conncount_rb),
622 if (!conncount_rb_cachep) {
623 kmem_cache_destroy(conncount_conn_cachep);
630 static void __exit nf_conncount_modexit(void)
632 kmem_cache_destroy(conncount_conn_cachep);
633 kmem_cache_destroy(conncount_rb_cachep);
636 module_init(nf_conncount_modinit);
637 module_exit(nf_conncount_modexit);
638 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
639 MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
640 MODULE_DESCRIPTION("netfilter: count number of connections matching a key");
641 MODULE_LICENSE("GPL");
projects / linux / blob