Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 1 | /* ip6tables match extension for limiting packets per destination |
| 2 | * |
| 3 | * (C) 2003-2004 by Harald Welte <laforge@netfilter.org> |
| 4 | * |
| 5 | * Development of this code was funded by Astaro AG, http://www.astaro.com/ |
| 6 | * |
| 7 | * Based on ipt_limit.c by |
Jan Engelhardt | 81bd588 | 2008-09-04 17:49:18 +0200 | [diff] [blame] | 8 | * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr> |
| 9 | * Hervé Eychenne <rv@wallfire.org> |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 10 | * |
| 11 | * Error corections by nmalykh@bilim.com (22.01.2005) |
| 12 | */ |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 13 | #include <stdbool.h> |
Jan Engelhardt | ef18e81 | 2008-08-04 12:47:48 +0200 | [diff] [blame] | 14 | #include <stdint.h> |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 15 | #include <stdio.h> |
| 16 | #include <string.h> |
| 17 | #include <stdlib.h> |
| 18 | #include <getopt.h> |
Yasuyuki KOZAKAI | d62a9db | 2007-08-04 08:08:20 +0000 | [diff] [blame] | 19 | #include <xtables.h> |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 20 | #include <stddef.h> |
Yasuyuki KOZAKAI | d62a9db | 2007-08-04 08:08:20 +0000 | [diff] [blame] | 21 | #include <linux/netfilter/x_tables.h> |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 22 | #include <linux/netfilter/xt_hashlimit.h> |
| 23 | |
| 24 | #define XT_HASHLIMIT_BURST 5 |
| 25 | |
| 26 | /* miliseconds */ |
| 27 | #define XT_HASHLIMIT_GCINTERVAL 1000 |
| 28 | #define XT_HASHLIMIT_EXPIRE 10000 |
| 29 | |
Jan Engelhardt | 181dead | 2007-10-04 16:27:07 +0000 | [diff] [blame] | 30 | static void hashlimit_help(void) |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 31 | { |
| 32 | printf( |
Jan Engelhardt | 8b7c64d | 2008-04-15 11:48:25 +0200 | [diff] [blame] | 33 | "hashlimit match options:\n" |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 34 | "--hashlimit <avg> max average match rate\n" |
| 35 | " [Packets per second unless followed by \n" |
| 36 | " /sec /minute /hour /day postfixes]\n" |
| 37 | "--hashlimit-mode <mode> mode is a comma-separated list of\n" |
| 38 | " dstip,srcip,dstport,srcport\n" |
| 39 | "--hashlimit-name <name> name for /proc/net/ipt_hashlimit/\n" |
| 40 | "[--hashlimit-burst <num>] number to match in a burst, default %u\n" |
| 41 | "[--hashlimit-htable-size <num>] number of hashtable buckets\n" |
| 42 | "[--hashlimit-htable-max <num>] number of hashtable entries\n" |
| 43 | "[--hashlimit-htable-gcinterval] interval between garbage collection runs\n" |
Jan Engelhardt | 8b7c64d | 2008-04-15 11:48:25 +0200 | [diff] [blame] | 44 | "[--hashlimit-htable-expire] after which time are idle entries expired?\n", |
| 45 | XT_HASHLIMIT_BURST); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 46 | } |
| 47 | |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 48 | static void hashlimit_mt_help(void) |
| 49 | { |
| 50 | printf( |
| 51 | "hashlimit match options:\n" |
| 52 | " --hashlimit-upto <avg> max average match rate\n" |
| 53 | " [Packets per second unless followed by \n" |
| 54 | " /sec /minute /hour /day postfixes]\n" |
| 55 | " --hashlimit-above <avg> min average match rate\n" |
| 56 | " --hashlimit-mode <mode> mode is a comma-separated list of\n" |
| 57 | " dstip,srcip,dstport,srcport (or none)\n" |
| 58 | " --hashlimit-srcmask <length> source address grouping prefix length\n" |
| 59 | " --hashlimit-dstmask <length> destination address grouping prefix length\n" |
| 60 | " --hashlimit-name <name> name for /proc/net/ipt_hashlimit\n" |
| 61 | " --hashlimit-burst <num> number to match in a burst, default %u\n" |
| 62 | " --hashlimit-htable-size <num> number of hashtable buckets\n" |
| 63 | " --hashlimit-htable-max <num> number of hashtable entries\n" |
| 64 | " --hashlimit-htable-gcinterval interval between garbage collection runs\n" |
| 65 | " --hashlimit-htable-expire after which time are idle entries expired?\n" |
| 66 | "\n", XT_HASHLIMIT_BURST); |
| 67 | } |
| 68 | |
Jan Engelhardt | 181dead | 2007-10-04 16:27:07 +0000 | [diff] [blame] | 69 | static const struct option hashlimit_opts[] = { |
Jan Engelhardt | 32b8e61 | 2010-07-23 21:16:14 +0200 | [diff] [blame] | 70 | {.name = "hashlimit", .has_arg = true, .val = '%'}, |
| 71 | {.name = "hashlimit-burst", .has_arg = true, .val = '$'}, |
| 72 | {.name = "hashlimit-htable-size", .has_arg = true, .val = '&'}, |
| 73 | {.name = "hashlimit-htable-max", .has_arg = true, .val = '*'}, |
| 74 | {.name = "hashlimit-htable-gcinterval", .has_arg = true, .val = '('}, |
| 75 | {.name = "hashlimit-htable-expire", .has_arg = true, .val = ')'}, |
| 76 | {.name = "hashlimit-mode", .has_arg = true, .val = '_'}, |
| 77 | {.name = "hashlimit-name", .has_arg = true, .val = '"'}, |
| 78 | XT_GETOPT_TABLEEND, |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 79 | }; |
| 80 | |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 81 | static const struct option hashlimit_mt_opts[] = { |
| 82 | {.name = "hashlimit-upto", .has_arg = true, .val = '%'}, |
| 83 | {.name = "hashlimit-above", .has_arg = true, .val = '^'}, |
| 84 | {.name = "hashlimit", .has_arg = true, .val = '%'}, |
| 85 | {.name = "hashlimit-srcmask", .has_arg = true, .val = '<'}, |
| 86 | {.name = "hashlimit-dstmask", .has_arg = true, .val = '>'}, |
| 87 | {.name = "hashlimit-burst", .has_arg = true, .val = '$'}, |
| 88 | {.name = "hashlimit-htable-size", .has_arg = true, .val = '&'}, |
| 89 | {.name = "hashlimit-htable-max", .has_arg = true, .val = '*'}, |
| 90 | {.name = "hashlimit-htable-gcinterval", .has_arg = true, .val = '('}, |
| 91 | {.name = "hashlimit-htable-expire", .has_arg = true, .val = ')'}, |
| 92 | {.name = "hashlimit-mode", .has_arg = true, .val = '_'}, |
| 93 | {.name = "hashlimit-name", .has_arg = true, .val = '"'}, |
Jan Engelhardt | 32b8e61 | 2010-07-23 21:16:14 +0200 | [diff] [blame] | 94 | XT_GETOPT_TABLEEND, |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 95 | }; |
| 96 | |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 97 | static |
Jan Engelhardt | 7ac4052 | 2011-01-07 12:34:04 +0100 | [diff] [blame] | 98 | int parse_rate(const char *rate, uint32_t *val) |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 99 | { |
| 100 | const char *delim; |
Jan Engelhardt | 7ac4052 | 2011-01-07 12:34:04 +0100 | [diff] [blame] | 101 | uint32_t r; |
| 102 | uint32_t mult = 1; /* Seconds by default. */ |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 103 | |
| 104 | delim = strchr(rate, '/'); |
| 105 | if (delim) { |
| 106 | if (strlen(delim+1) == 0) |
| 107 | return 0; |
| 108 | |
| 109 | if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0) |
| 110 | mult = 1; |
| 111 | else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0) |
| 112 | mult = 60; |
| 113 | else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0) |
| 114 | mult = 60*60; |
| 115 | else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0) |
| 116 | mult = 24*60*60; |
| 117 | else |
| 118 | return 0; |
| 119 | } |
| 120 | r = atoi(rate); |
| 121 | if (!r) |
| 122 | return 0; |
| 123 | |
| 124 | /* This would get mapped to infinite (1/day is minimum they |
| 125 | can specify, so we're ok at that end). */ |
| 126 | if (r / mult > XT_HASHLIMIT_SCALE) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 127 | xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 128 | |
| 129 | *val = XT_HASHLIMIT_SCALE * mult / r; |
| 130 | return 1; |
| 131 | } |
| 132 | |
Jan Engelhardt | 181dead | 2007-10-04 16:27:07 +0000 | [diff] [blame] | 133 | static void hashlimit_init(struct xt_entry_match *m) |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 134 | { |
| 135 | struct xt_hashlimit_info *r = (struct xt_hashlimit_info *)m->data; |
| 136 | |
| 137 | r->cfg.burst = XT_HASHLIMIT_BURST; |
| 138 | r->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL; |
| 139 | r->cfg.expire = XT_HASHLIMIT_EXPIRE; |
| 140 | |
| 141 | } |
| 142 | |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 143 | static void hashlimit_mt4_init(struct xt_entry_match *match) |
| 144 | { |
| 145 | struct xt_hashlimit_mtinfo1 *info = (void *)match->data; |
| 146 | |
| 147 | info->cfg.mode = 0; |
| 148 | info->cfg.burst = XT_HASHLIMIT_BURST; |
| 149 | info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL; |
| 150 | info->cfg.expire = XT_HASHLIMIT_EXPIRE; |
| 151 | info->cfg.srcmask = 32; |
| 152 | info->cfg.dstmask = 32; |
| 153 | } |
| 154 | |
| 155 | static void hashlimit_mt6_init(struct xt_entry_match *match) |
| 156 | { |
| 157 | struct xt_hashlimit_mtinfo1 *info = (void *)match->data; |
| 158 | |
| 159 | info->cfg.mode = 0; |
| 160 | info->cfg.burst = XT_HASHLIMIT_BURST; |
| 161 | info->cfg.gc_interval = XT_HASHLIMIT_GCINTERVAL; |
| 162 | info->cfg.expire = XT_HASHLIMIT_EXPIRE; |
| 163 | info->cfg.srcmask = 128; |
| 164 | info->cfg.dstmask = 128; |
| 165 | } |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 166 | |
| 167 | /* Parse a 'mode' parameter into the required bitmask */ |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 168 | static int parse_mode(uint32_t *mode, char *option_arg) |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 169 | { |
| 170 | char *tok; |
Jan Engelhardt | dbb7754 | 2008-02-11 00:33:30 +0100 | [diff] [blame] | 171 | char *arg = strdup(option_arg); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 172 | |
| 173 | if (!arg) |
| 174 | return -1; |
| 175 | |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 176 | for (tok = strtok(arg, ",|"); |
| 177 | tok; |
| 178 | tok = strtok(NULL, ",|")) { |
| 179 | if (!strcmp(tok, "dstip")) |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 180 | *mode |= XT_HASHLIMIT_HASH_DIP; |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 181 | else if (!strcmp(tok, "srcip")) |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 182 | *mode |= XT_HASHLIMIT_HASH_SIP; |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 183 | else if (!strcmp(tok, "srcport")) |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 184 | *mode |= XT_HASHLIMIT_HASH_SPT; |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 185 | else if (!strcmp(tok, "dstport")) |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 186 | *mode |= XT_HASHLIMIT_HASH_DPT; |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 187 | else { |
| 188 | free(arg); |
| 189 | return -1; |
| 190 | } |
| 191 | } |
| 192 | free(arg); |
| 193 | return 0; |
| 194 | } |
| 195 | |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 196 | enum { |
| 197 | PARAM_LIMIT = 1 << 0, |
| 198 | PARAM_BURST = 1 << 1, |
| 199 | PARAM_MODE = 1 << 2, |
| 200 | PARAM_NAME = 1 << 3, |
| 201 | PARAM_SIZE = 1 << 4, |
| 202 | PARAM_MAX = 1 << 5, |
| 203 | PARAM_GCINTERVAL = 1 << 6, |
| 204 | PARAM_EXPIRE = 1 << 7, |
| 205 | PARAM_SRCMASK = 1 << 8, |
| 206 | PARAM_DSTMASK = 1 << 9, |
| 207 | }; |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 208 | |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 209 | static int |
Jan Engelhardt | 181dead | 2007-10-04 16:27:07 +0000 | [diff] [blame] | 210 | hashlimit_parse(int c, char **argv, int invert, unsigned int *flags, |
| 211 | const void *entry, struct xt_entry_match **match) |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 212 | { |
| 213 | struct xt_hashlimit_info *r = |
| 214 | (struct xt_hashlimit_info *)(*match)->data; |
| 215 | unsigned int num; |
| 216 | |
| 217 | switch(c) { |
| 218 | case '%': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 219 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit", |
Jan Engelhardt | da75a5a | 2008-01-20 13:39:11 +0000 | [diff] [blame] | 220 | *flags & PARAM_LIMIT); |
Jan Engelhardt | bbe8386 | 2009-10-24 00:45:33 +0200 | [diff] [blame] | 221 | if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 222 | if (!parse_rate(optarg, &r->cfg.avg)) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 223 | xtables_error(PARAMETER_PROBLEM, |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 224 | "bad rate `%s'", optarg); |
| 225 | *flags |= PARAM_LIMIT; |
| 226 | break; |
| 227 | |
| 228 | case '$': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 229 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-burst", |
Jan Engelhardt | da75a5a | 2008-01-20 13:39:11 +0000 | [diff] [blame] | 230 | *flags & PARAM_BURST); |
Jan Engelhardt | bbe8386 | 2009-10-24 00:45:33 +0200 | [diff] [blame] | 231 | if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 232 | if (!xtables_strtoui(optarg, NULL, &num, 0, 10000)) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 233 | xtables_error(PARAMETER_PROBLEM, |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 234 | "bad --hashlimit-burst `%s'", optarg); |
| 235 | r->cfg.burst = num; |
| 236 | *flags |= PARAM_BURST; |
| 237 | break; |
| 238 | case '&': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 239 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-htable-size", |
Jan Engelhardt | da75a5a | 2008-01-20 13:39:11 +0000 | [diff] [blame] | 240 | *flags & PARAM_SIZE); |
Jan Engelhardt | bbe8386 | 2009-10-24 00:45:33 +0200 | [diff] [blame] | 241 | if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 242 | if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 243 | xtables_error(PARAMETER_PROBLEM, |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 244 | "bad --hashlimit-htable-size: `%s'", optarg); |
| 245 | r->cfg.size = num; |
| 246 | *flags |= PARAM_SIZE; |
| 247 | break; |
| 248 | case '*': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 249 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-htable-max", |
Jan Engelhardt | da75a5a | 2008-01-20 13:39:11 +0000 | [diff] [blame] | 250 | *flags & PARAM_MAX); |
Jan Engelhardt | bbe8386 | 2009-10-24 00:45:33 +0200 | [diff] [blame] | 251 | if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 252 | if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 253 | xtables_error(PARAMETER_PROBLEM, |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 254 | "bad --hashlimit-htable-max: `%s'", optarg); |
| 255 | r->cfg.max = num; |
| 256 | *flags |= PARAM_MAX; |
| 257 | break; |
| 258 | case '(': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 259 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", |
Jan Engelhardt | da75a5a | 2008-01-20 13:39:11 +0000 | [diff] [blame] | 260 | "--hashlimit-htable-gcinterval", |
| 261 | *flags & PARAM_GCINTERVAL); |
Jan Engelhardt | bbe8386 | 2009-10-24 00:45:33 +0200 | [diff] [blame] | 262 | if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 263 | if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 264 | xtables_error(PARAMETER_PROBLEM, |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 265 | "bad --hashlimit-htable-gcinterval: `%s'", |
| 266 | optarg); |
| 267 | /* FIXME: not HZ dependent!! */ |
| 268 | r->cfg.gc_interval = num; |
| 269 | *flags |= PARAM_GCINTERVAL; |
| 270 | break; |
| 271 | case ')': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 272 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", |
Jan Engelhardt | da75a5a | 2008-01-20 13:39:11 +0000 | [diff] [blame] | 273 | "--hashlimit-htable-expire", *flags & PARAM_EXPIRE); |
Jan Engelhardt | bbe8386 | 2009-10-24 00:45:33 +0200 | [diff] [blame] | 274 | if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 275 | if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 276 | xtables_error(PARAMETER_PROBLEM, |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 277 | "bad --hashlimit-htable-expire: `%s'", optarg); |
| 278 | /* FIXME: not HZ dependent */ |
| 279 | r->cfg.expire = num; |
| 280 | *flags |= PARAM_EXPIRE; |
| 281 | break; |
| 282 | case '_': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 283 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-mode", |
Jan Engelhardt | da75a5a | 2008-01-20 13:39:11 +0000 | [diff] [blame] | 284 | *flags & PARAM_MODE); |
Jan Engelhardt | bbe8386 | 2009-10-24 00:45:33 +0200 | [diff] [blame] | 285 | if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 286 | if (parse_mode(&r->cfg.mode, optarg) < 0) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 287 | xtables_error(PARAMETER_PROBLEM, |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 288 | "bad --hashlimit-mode: `%s'\n", optarg); |
| 289 | *flags |= PARAM_MODE; |
| 290 | break; |
| 291 | case '"': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 292 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-name", |
Jan Engelhardt | da75a5a | 2008-01-20 13:39:11 +0000 | [diff] [blame] | 293 | *flags & PARAM_NAME); |
Jan Engelhardt | bbe8386 | 2009-10-24 00:45:33 +0200 | [diff] [blame] | 294 | if (xtables_check_inverse(optarg, &invert, &optind, 0, argv)) break; |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 295 | if (strlen(optarg) == 0) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 296 | xtables_error(PARAMETER_PROBLEM, "Zero-length name?"); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 297 | strncpy(r->name, optarg, sizeof(r->name)); |
| 298 | *flags |= PARAM_NAME; |
| 299 | break; |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 300 | } |
| 301 | |
| 302 | if (invert) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 303 | xtables_error(PARAMETER_PROBLEM, |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 304 | "hashlimit does not support invert"); |
| 305 | |
| 306 | return 1; |
| 307 | } |
| 308 | |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 309 | static int |
| 310 | hashlimit_mt_parse(struct xt_hashlimit_mtinfo1 *info, unsigned int *flags, |
| 311 | int c, int invert, unsigned int maxmask) |
| 312 | { |
| 313 | unsigned int num; |
| 314 | |
| 315 | switch(c) { |
| 316 | case '%': /* --hashlimit / --hashlimit-below */ |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 317 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-upto", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 318 | *flags & PARAM_LIMIT); |
| 319 | if (invert) |
| 320 | info->cfg.mode |= XT_HASHLIMIT_INVERT; |
| 321 | if (!parse_rate(optarg, &info->cfg.avg)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 322 | xtables_param_act(XTF_BAD_VALUE, "hashlimit", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 323 | "--hashlimit-upto", optarg); |
| 324 | *flags |= PARAM_LIMIT; |
| 325 | return true; |
| 326 | |
| 327 | case '^': /* --hashlimit-above == !--hashlimit-below */ |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 328 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-above", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 329 | *flags & PARAM_LIMIT); |
| 330 | if (!invert) |
| 331 | info->cfg.mode |= XT_HASHLIMIT_INVERT; |
| 332 | if (!parse_rate(optarg, &info->cfg.avg)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 333 | xtables_param_act(XTF_BAD_VALUE, "hashlimit", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 334 | "--hashlimit-above", optarg); |
| 335 | *flags |= PARAM_LIMIT; |
| 336 | return true; |
| 337 | |
| 338 | case '$': /* --hashlimit-burst */ |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 339 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-burst", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 340 | *flags & PARAM_BURST); |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 341 | if (!xtables_strtoui(optarg, NULL, &num, 0, 10000)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 342 | xtables_param_act(XTF_BAD_VALUE, "hashlimit", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 343 | "--hashlimit-burst", optarg); |
| 344 | info->cfg.burst = num; |
| 345 | *flags |= PARAM_BURST; |
| 346 | return true; |
| 347 | |
| 348 | case '&': /* --hashlimit-htable-size */ |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 349 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-htable-size", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 350 | *flags & PARAM_SIZE); |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 351 | if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 352 | xtables_param_act(XTF_BAD_VALUE, "hashlimit", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 353 | "--hashlimit-htable-size", optarg); |
| 354 | info->cfg.size = num; |
| 355 | *flags |= PARAM_SIZE; |
| 356 | return true; |
| 357 | |
| 358 | case '*': /* --hashlimit-htable-max */ |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 359 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-htable-max", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 360 | *flags & PARAM_MAX); |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 361 | if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 362 | xtables_param_act(XTF_BAD_VALUE, "hashlimit", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 363 | "--hashlimit-htable-max", optarg); |
| 364 | info->cfg.max = num; |
| 365 | *flags |= PARAM_MAX; |
| 366 | return true; |
| 367 | |
| 368 | case '(': /* --hashlimit-htable-gcinterval */ |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 369 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 370 | "--hashlimit-htable-gcinterval", |
| 371 | *flags & PARAM_GCINTERVAL); |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 372 | if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 373 | xtables_param_act(XTF_BAD_VALUE, "hashlimit", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 374 | "--hashlimit-htable-gcinterval", optarg); |
| 375 | /* FIXME: not HZ dependent!! */ |
| 376 | info->cfg.gc_interval = num; |
| 377 | *flags |= PARAM_GCINTERVAL; |
| 378 | return true; |
| 379 | |
| 380 | case ')': /* --hashlimit-htable-expire */ |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 381 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 382 | "--hashlimit-htable-expire", *flags & PARAM_EXPIRE); |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 383 | if (!xtables_strtoui(optarg, NULL, &num, 0, UINT32_MAX)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 384 | xtables_param_act(XTF_BAD_VALUE, "hashlimit", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 385 | "--hashlimit-htable-expire", optarg); |
| 386 | /* FIXME: not HZ dependent */ |
| 387 | info->cfg.expire = num; |
| 388 | *flags |= PARAM_EXPIRE; |
| 389 | return true; |
| 390 | |
| 391 | case '_': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 392 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-mode", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 393 | *flags & PARAM_MODE); |
| 394 | if (parse_mode(&info->cfg.mode, optarg) < 0) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 395 | xtables_param_act(XTF_BAD_VALUE, "hashlimit", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 396 | "--hashlimit-mode", optarg); |
| 397 | *flags |= PARAM_MODE; |
| 398 | return true; |
| 399 | |
| 400 | case '"': /* --hashlimit-name */ |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 401 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-name", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 402 | *flags & PARAM_NAME); |
| 403 | if (strlen(optarg) == 0) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 404 | xtables_error(PARAMETER_PROBLEM, "Zero-length name?"); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 405 | strncpy(info->name, optarg, sizeof(info->name)); |
| 406 | info->name[sizeof(info->name)-1] = '\0'; |
| 407 | *flags |= PARAM_NAME; |
| 408 | return true; |
| 409 | |
| 410 | case '<': /* --hashlimit-srcmask */ |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 411 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-srcmask", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 412 | *flags & PARAM_SRCMASK); |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 413 | if (!xtables_strtoui(optarg, NULL, &num, 0, maxmask)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 414 | xtables_param_act(XTF_BAD_VALUE, "hashlimit", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 415 | "--hashlimit-srcmask", optarg); |
| 416 | info->cfg.srcmask = num; |
| 417 | *flags |= PARAM_SRCMASK; |
| 418 | return true; |
| 419 | |
| 420 | case '>': /* --hashlimit-dstmask */ |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 421 | xtables_param_act(XTF_ONLY_ONCE, "hashlimit", "--hashlimit-dstmask", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 422 | *flags & PARAM_DSTMASK); |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 423 | if (!xtables_strtoui(optarg, NULL, &num, 0, maxmask)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 424 | xtables_param_act(XTF_BAD_VALUE, "hashlimit", |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 425 | "--hashlimit-dstmask", optarg); |
| 426 | info->cfg.dstmask = num; |
| 427 | *flags |= PARAM_DSTMASK; |
| 428 | return true; |
| 429 | } |
| 430 | return false; |
| 431 | } |
| 432 | |
| 433 | static int |
| 434 | hashlimit_mt4_parse(int c, char **argv, int invert, unsigned int *flags, |
| 435 | const void *entry, struct xt_entry_match **match) |
| 436 | { |
| 437 | return hashlimit_mt_parse((void *)(*match)->data, |
| 438 | flags, c, invert, 32); |
| 439 | } |
| 440 | |
| 441 | static int |
| 442 | hashlimit_mt6_parse(int c, char **argv, int invert, unsigned int *flags, |
| 443 | const void *entry, struct xt_entry_match **match) |
| 444 | { |
| 445 | return hashlimit_mt_parse((void *)(*match)->data, |
| 446 | flags, c, invert, 128); |
| 447 | } |
| 448 | |
Jan Engelhardt | 181dead | 2007-10-04 16:27:07 +0000 | [diff] [blame] | 449 | static void hashlimit_check(unsigned int flags) |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 450 | { |
| 451 | if (!(flags & PARAM_LIMIT)) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 452 | xtables_error(PARAMETER_PROBLEM, |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 453 | "You have to specify --hashlimit"); |
| 454 | if (!(flags & PARAM_MODE)) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 455 | xtables_error(PARAMETER_PROBLEM, |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 456 | "You have to specify --hashlimit-mode"); |
| 457 | if (!(flags & PARAM_NAME)) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 458 | xtables_error(PARAMETER_PROBLEM, |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 459 | "You have to specify --hashlimit-name"); |
| 460 | } |
| 461 | |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 462 | static void hashlimit_mt_check(unsigned int flags) |
| 463 | { |
| 464 | if (!(flags & PARAM_LIMIT)) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 465 | xtables_error(PARAMETER_PROBLEM, "You have to specify " |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 466 | "--hashlimit-upto or --hashlimit-above"); |
| 467 | if (!(flags & PARAM_NAME)) |
Jan Engelhardt | 1829ed4 | 2009-02-21 03:29:44 +0100 | [diff] [blame] | 468 | xtables_error(PARAMETER_PROBLEM, |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 469 | "You have to specify --hashlimit-name"); |
| 470 | } |
| 471 | |
Jan Engelhardt | 0e2abed | 2007-10-04 16:25:58 +0000 | [diff] [blame] | 472 | static const struct rates |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 473 | { |
| 474 | const char *name; |
Jan Engelhardt | 7ac4052 | 2011-01-07 12:34:04 +0100 | [diff] [blame] | 475 | uint32_t mult; |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 476 | } rates[] = { { "day", XT_HASHLIMIT_SCALE*24*60*60 }, |
| 477 | { "hour", XT_HASHLIMIT_SCALE*60*60 }, |
| 478 | { "min", XT_HASHLIMIT_SCALE*60 }, |
| 479 | { "sec", XT_HASHLIMIT_SCALE } }; |
| 480 | |
Jan Engelhardt | 7ac4052 | 2011-01-07 12:34:04 +0100 | [diff] [blame] | 481 | static void print_rate(uint32_t period) |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 482 | { |
| 483 | unsigned int i; |
| 484 | |
Jan Engelhardt | 2c69b55 | 2009-04-30 19:32:02 +0200 | [diff] [blame] | 485 | for (i = 1; i < ARRAY_SIZE(rates); ++i) |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 486 | if (period > rates[i].mult |
| 487 | || rates[i].mult/period < rates[i].mult%period) |
| 488 | break; |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 489 | |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 490 | printf(" %u/%s", rates[i-1].mult / period, rates[i-1].name); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 491 | } |
| 492 | |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 493 | static void print_mode(unsigned int mode, char separator) |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 494 | { |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 495 | bool prevmode = false; |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 496 | |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 497 | putchar(' '); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 498 | if (mode & XT_HASHLIMIT_HASH_SIP) { |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 499 | fputs("srcip", stdout); |
| 500 | prevmode = 1; |
| 501 | } |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 502 | if (mode & XT_HASHLIMIT_HASH_SPT) { |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 503 | if (prevmode) |
| 504 | putchar(separator); |
| 505 | fputs("srcport", stdout); |
| 506 | prevmode = 1; |
| 507 | } |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 508 | if (mode & XT_HASHLIMIT_HASH_DIP) { |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 509 | if (prevmode) |
| 510 | putchar(separator); |
| 511 | fputs("dstip", stdout); |
| 512 | prevmode = 1; |
| 513 | } |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 514 | if (mode & XT_HASHLIMIT_HASH_DPT) { |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 515 | if (prevmode) |
| 516 | putchar(separator); |
| 517 | fputs("dstport", stdout); |
| 518 | } |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 519 | } |
| 520 | |
Jan Engelhardt | 181dead | 2007-10-04 16:27:07 +0000 | [diff] [blame] | 521 | static void hashlimit_print(const void *ip, |
| 522 | const struct xt_entry_match *match, int numeric) |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 523 | { |
Jan Engelhardt | 69f564e | 2009-05-26 13:14:06 +0200 | [diff] [blame] | 524 | const struct xt_hashlimit_info *r = (const void *)match->data; |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 525 | fputs(" limit: avg", stdout); print_rate(r->cfg.avg); |
| 526 | printf(" burst %u", r->cfg.burst); |
| 527 | fputs(" mode", stdout); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 528 | print_mode(r->cfg.mode, '-'); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 529 | if (r->cfg.size) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 530 | printf(" htable-size %u", r->cfg.size); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 531 | if (r->cfg.max) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 532 | printf(" htable-max %u", r->cfg.max); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 533 | if (r->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 534 | printf(" htable-gcinterval %u", r->cfg.gc_interval); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 535 | if (r->cfg.expire != XT_HASHLIMIT_EXPIRE) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 536 | printf(" htable-expire %u", r->cfg.expire); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 537 | } |
| 538 | |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 539 | static void |
| 540 | hashlimit_mt_print(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask) |
| 541 | { |
| 542 | if (info->cfg.mode & XT_HASHLIMIT_INVERT) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 543 | fputs(" limit: above", stdout); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 544 | else |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 545 | fputs(" limit: up to", stdout); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 546 | print_rate(info->cfg.avg); |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 547 | printf(" burst %u", info->cfg.burst); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 548 | if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | |
| 549 | XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) { |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 550 | fputs(" mode", stdout); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 551 | print_mode(info->cfg.mode, '-'); |
| 552 | } |
| 553 | if (info->cfg.size != 0) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 554 | printf(" htable-size %u", info->cfg.size); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 555 | if (info->cfg.max != 0) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 556 | printf(" htable-max %u", info->cfg.max); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 557 | if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 558 | printf(" htable-gcinterval %u", info->cfg.gc_interval); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 559 | if (info->cfg.expire != XT_HASHLIMIT_EXPIRE) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 560 | printf(" htable-expire %u", info->cfg.expire); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 561 | |
| 562 | if (info->cfg.srcmask != dmask) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 563 | printf(" srcmask %u", info->cfg.srcmask); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 564 | if (info->cfg.dstmask != dmask) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 565 | printf(" dstmask %u", info->cfg.dstmask); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 566 | } |
| 567 | |
| 568 | static void |
| 569 | hashlimit_mt4_print(const void *ip, const struct xt_entry_match *match, |
| 570 | int numeric) |
| 571 | { |
| 572 | const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data; |
| 573 | |
| 574 | hashlimit_mt_print(info, 32); |
| 575 | } |
| 576 | |
| 577 | static void |
| 578 | hashlimit_mt6_print(const void *ip, const struct xt_entry_match *match, |
| 579 | int numeric) |
| 580 | { |
| 581 | const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data; |
| 582 | |
| 583 | hashlimit_mt_print(info, 128); |
| 584 | } |
| 585 | |
Jan Engelhardt | 181dead | 2007-10-04 16:27:07 +0000 | [diff] [blame] | 586 | static void hashlimit_save(const void *ip, const struct xt_entry_match *match) |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 587 | { |
Jan Engelhardt | 69f564e | 2009-05-26 13:14:06 +0200 | [diff] [blame] | 588 | const struct xt_hashlimit_info *r = (const void *)match->data; |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 589 | |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 590 | fputs(" --hashlimit", stdout); print_rate(r->cfg.avg); |
| 591 | printf(" --hashlimit-burst %u", r->cfg.burst); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 592 | |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 593 | fputs(" --hashlimit-mode", stdout); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 594 | print_mode(r->cfg.mode, ','); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 595 | |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 596 | printf(" --hashlimit-name %s", r->name); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 597 | |
| 598 | if (r->cfg.size) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 599 | printf(" --hashlimit-htable-size %u", r->cfg.size); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 600 | if (r->cfg.max) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 601 | printf(" --hashlimit-htable-max %u", r->cfg.max); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 602 | if (r->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 603 | printf(" --hashlimit-htable-gcinterval %u", r->cfg.gc_interval); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 604 | if (r->cfg.expire != XT_HASHLIMIT_EXPIRE) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 605 | printf(" --hashlimit-htable-expire %u", r->cfg.expire); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 606 | } |
| 607 | |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 608 | static void |
| 609 | hashlimit_mt_save(const struct xt_hashlimit_mtinfo1 *info, unsigned int dmask) |
| 610 | { |
| 611 | if (info->cfg.mode & XT_HASHLIMIT_INVERT) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 612 | fputs(" --hashlimit-above", stdout); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 613 | else |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 614 | fputs(" --hashlimit-upto", stdout); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 615 | print_rate(info->cfg.avg); |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 616 | printf(" --hashlimit-burst %u", info->cfg.burst); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 617 | |
| 618 | if (info->cfg.mode & (XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | |
| 619 | XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT)) { |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 620 | fputs(" --hashlimit-mode", stdout); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 621 | print_mode(info->cfg.mode, ','); |
| 622 | } |
| 623 | |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 624 | printf(" --hashlimit-name %s", info->name); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 625 | |
| 626 | if (info->cfg.size != 0) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 627 | printf(" --hashlimit-htable-size %u", info->cfg.size); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 628 | if (info->cfg.max != 0) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 629 | printf(" --hashlimit-htable-max %u", info->cfg.max); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 630 | if (info->cfg.gc_interval != XT_HASHLIMIT_GCINTERVAL) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 631 | printf(" --hashlimit-htable-gcinterval %u", info->cfg.gc_interval); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 632 | if (info->cfg.expire != XT_HASHLIMIT_EXPIRE) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 633 | printf(" --hashlimit-htable-expire %u", info->cfg.expire); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 634 | |
| 635 | if (info->cfg.srcmask != dmask) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 636 | printf(" --hashlimit-srcmask %u", info->cfg.srcmask); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 637 | if (info->cfg.dstmask != dmask) |
Jan Engelhardt | 7386635 | 2010-12-18 02:04:59 +0100 | [diff] [blame] | 638 | printf(" --hashlimit-dstmask %u", info->cfg.dstmask); |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 639 | } |
| 640 | |
| 641 | static void |
| 642 | hashlimit_mt4_save(const void *ip, const struct xt_entry_match *match) |
| 643 | { |
| 644 | const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data; |
| 645 | |
| 646 | hashlimit_mt_save(info, 32); |
| 647 | } |
| 648 | |
| 649 | static void |
| 650 | hashlimit_mt6_save(const void *ip, const struct xt_entry_match *match) |
| 651 | { |
| 652 | const struct xt_hashlimit_mtinfo1 *info = (const void *)match->data; |
| 653 | |
| 654 | hashlimit_mt_save(info, 128); |
| 655 | } |
| 656 | |
Jan Engelhardt | f2a7752 | 2009-06-25 20:12:12 +0200 | [diff] [blame] | 657 | static struct xtables_match hashlimit_mt_reg[] = { |
| 658 | { |
| 659 | .family = NFPROTO_UNSPEC, |
| 660 | .name = "hashlimit", |
| 661 | .version = XTABLES_VERSION, |
| 662 | .revision = 0, |
| 663 | .size = XT_ALIGN(sizeof(struct xt_hashlimit_info)), |
| 664 | .userspacesize = offsetof(struct xt_hashlimit_info, hinfo), |
| 665 | .help = hashlimit_help, |
| 666 | .init = hashlimit_init, |
| 667 | .parse = hashlimit_parse, |
| 668 | .final_check = hashlimit_check, |
| 669 | .print = hashlimit_print, |
| 670 | .save = hashlimit_save, |
| 671 | .extra_opts = hashlimit_opts, |
| 672 | }, |
| 673 | { |
| 674 | .version = XTABLES_VERSION, |
| 675 | .name = "hashlimit", |
| 676 | .revision = 1, |
| 677 | .family = NFPROTO_IPV4, |
| 678 | .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)), |
| 679 | .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo), |
| 680 | .help = hashlimit_mt_help, |
| 681 | .init = hashlimit_mt4_init, |
| 682 | .parse = hashlimit_mt4_parse, |
| 683 | .final_check = hashlimit_mt_check, |
| 684 | .print = hashlimit_mt4_print, |
| 685 | .save = hashlimit_mt4_save, |
| 686 | .extra_opts = hashlimit_mt_opts, |
| 687 | }, |
| 688 | { |
| 689 | .version = XTABLES_VERSION, |
| 690 | .name = "hashlimit", |
| 691 | .revision = 1, |
| 692 | .family = NFPROTO_IPV6, |
| 693 | .size = XT_ALIGN(sizeof(struct xt_hashlimit_mtinfo1)), |
| 694 | .userspacesize = offsetof(struct xt_hashlimit_mtinfo1, hinfo), |
| 695 | .help = hashlimit_mt_help, |
| 696 | .init = hashlimit_mt6_init, |
| 697 | .parse = hashlimit_mt6_parse, |
| 698 | .final_check = hashlimit_mt_check, |
| 699 | .print = hashlimit_mt6_print, |
| 700 | .save = hashlimit_mt6_save, |
| 701 | .extra_opts = hashlimit_mt_opts, |
| 702 | }, |
Jan Engelhardt | 9a8c77f | 2008-02-11 00:55:33 +0100 | [diff] [blame] | 703 | }; |
| 704 | |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 705 | void _init(void) |
| 706 | { |
Jan Engelhardt | f2a7752 | 2009-06-25 20:12:12 +0200 | [diff] [blame] | 707 | xtables_register_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg)); |
Patrick McHardy | 00524b2 | 2006-11-13 20:31:42 +0000 | [diff] [blame] | 708 | } |