From d86d732e19d4bdda19e977d9db9b0f51d1884b8a Mon Sep 17 00:00:00 2001 From: "/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org" Date: Wed, 20 Oct 2004 13:28:17 +0000 Subject: hashlimit port of userspace plugin --- extensions/libipt_hashlimit.c | 365 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 365 insertions(+) create mode 100644 extensions/libipt_hashlimit.c (limited to 'extensions') diff --git a/extensions/libipt_hashlimit.c b/extensions/libipt_hashlimit.c new file mode 100644 index 0000000..2dd5d41 --- /dev/null +++ b/extensions/libipt_hashlimit.c @@ -0,0 +1,365 @@ +/* iptables match extension for limiting packets per destination + * + * (C) 2003-2004 by Harald Welte + * + * Development of this code was funded by Astaro AG, http://www.astaro.com/ + * + * Based on ipt_limit.c by + * Jérôme de Vivie + * Hervé Eychenne + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#define IPT_HASHLIMIT_BURST 5 + +/* miliseconds */ +#define IPT_HASHLIMIT_GCINTERVAL 1000 +#define IPT_HASHLIMIT_EXPIRE 10000 + +/* Function which prints out usage message. */ +static void +help(void) +{ + printf( +"hashlimit v%s options:\n" +"--hashlimit max average match rate\n" +" [Packets per second unless followed by \n" +" /sec /minute /hour /day postfixes]\n" +"--hashlimit-mode mode is a comma-separated list of\n" +" dstip,srcip,dstport,srcport\n" +"--hashlimit-name name for /proc/net/ipt_hashlimit/\n" +"[--hashlimit-burst ] number to match in a burst, default %u\n" +"[--hashlimit-htable-size ] number of hashtable buckets\n" +"[--hashlimit-htable-max ] number of hashtable entries\n" +"[--hashlimit-htable-gcinterval] interval between garbage collection runs\n" +"[--hashlimit-htable-expire] after which time are idle entries expired?\n" +"\n", IPTABLES_VERSION, IPT_HASHLIMIT_BURST); +} + +static struct option opts[] = { + { "hashlimit", 1, 0, '%' }, + { "hashlimit-burst", 1, 0, '$' }, + { "hashlimit-htable-size", 1, 0, '&' }, + { "hashlimit-htable-max", 1, 0, '*' }, + { "hashlimit-htable-gcinterval", 1, 0, '(' }, + { "hashlimit-htable-expire", 1, 0, ')' }, + { "hashlimit-mode", 1, 0, '_' }, + { "hashlimit-name", 1, 0, '"' }, + { 0 } +}; + +static +int parse_rate(const char *rate, u_int32_t *val) +{ + const char *delim; + u_int32_t r; + u_int32_t mult = 1; /* Seconds by default. */ + + delim = strchr(rate, '/'); + if (delim) { + if (strlen(delim+1) == 0) + return 0; + + if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0) + mult = 1; + else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0) + mult = 60; + else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0) + mult = 60*60; + else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0) + mult = 24*60*60; + else + return 0; + } + r = atoi(rate); + if (!r) + return 0; + + /* This would get mapped to infinite (1/day is minimum they + can specify, so we're ok at that end). */ + if (r / mult > IPT_HASHLIMIT_SCALE) + exit_error(PARAMETER_PROBLEM, "Rate too fast `%s'\n", rate); + + *val = IPT_HASHLIMIT_SCALE * mult / r; + return 1; +} + +/* Initialize the match. */ +static void +init(struct ipt_entry_match *m, unsigned int *nfcache) +{ + struct ipt_hashlimit_info *r = (struct ipt_hashlimit_info *)m->data; + + r->cfg.burst = IPT_HASHLIMIT_BURST; + r->cfg.gc_interval = IPT_HASHLIMIT_GCINTERVAL; + r->cfg.expire = IPT_HASHLIMIT_EXPIRE; + + /* Can't cache this */ + *nfcache |= NFC_UNKNOWN; +} + + +/* Parse a 'mode' parameter into the required bitmask */ +static int parse_mode(struct ipt_hashlimit_info *r, char *optarg) +{ + char *tok; + char *arg = strdup(optarg); + + if (!arg) + return -1; + + for (tok = strtok(arg, ",|"); + tok; + tok = strtok(NULL, ",|")) { + if (!strcmp(tok, "dstip")) + r->cfg.mode |= IPT_HASHLIMIT_HASH_DIP; + else if (!strcmp(optarg, "srcip")) + r->cfg.mode |= IPT_HASHLIMIT_HASH_SIP; + else if (!strcmp(optarg, "srcport")) + r->cfg.mode |= IPT_HASHLIMIT_HASH_SPT; + else if (!strcmp(optarg, "dstport")) + r->cfg.mode |= IPT_HASHLIMIT_HASH_DPT; + else + return -1; + } + return 1; +} + +#define PARAM_LIMIT 0x00000001 +#define PARAM_BURST 0x00000002 +#define PARAM_MODE 0x00000004 +#define PARAM_NAME 0x00000008 +#define PARAM_SIZE 0x00000010 +#define PARAM_MAX 0x00000020 +#define PARAM_GCINTERVAL 0x00000040 +#define PARAM_EXPIRE 0x00000080 + +/* Function which parses command options; returns true if it + ate an option */ +static int +parse(int c, char **argv, int invert, unsigned int *flags, + const struct ipt_entry *entry, + unsigned int *nfcache, + struct ipt_entry_match **match) +{ + struct ipt_hashlimit_info *r = + (struct ipt_hashlimit_info *)(*match)->data; + unsigned int num; + + switch(c) { + case '%': + if (check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (!parse_rate(optarg, &r->cfg.avg)) + exit_error(PARAMETER_PROBLEM, + "bad rate `%s'", optarg); + *flags |= PARAM_LIMIT; + break; + + case '$': + if (check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (string_to_number(optarg, 0, 10000, &num) == -1) + exit_error(PARAMETER_PROBLEM, + "bad --hashlimit-burst `%s'", optarg); + r->cfg.burst = num; + *flags |= PARAM_BURST; + break; + case '&': + if (check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (string_to_number(optarg, 0, 0xffffffff, &num) == -1) + exit_error(PARAMETER_PROBLEM, + "bad --hashlimit-htable-size: `%s'", optarg); + r->cfg.size = num; + *flags |= PARAM_SIZE; + break; + case '*': + if (check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (string_to_number(optarg, 0, 0xffffffff, &num) == -1) + exit_error(PARAMETER_PROBLEM, + "bad --hashlimit-htable-max: `%s'", optarg); + r->cfg.max = num; + *flags |= PARAM_MAX; + break; + case '(': + if (check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (string_to_number(optarg, 0, 0xffffffff, &num) == -1) + exit_error(PARAMETER_PROBLEM, + "bad --hashlimit-htable-gcinterval: `%s'", + optarg); + /* FIXME: not HZ dependent!! */ + r->cfg.gc_interval = num; + *flags |= PARAM_GCINTERVAL; + break; + case ')': + if (check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (string_to_number(optarg, 0, 0xffffffff, &num) == -1) + exit_error(PARAMETER_PROBLEM, + "bad --hashlimit-htable-expire: `%s'", optarg); + /* FIXME: not HZ dependent */ + r->cfg.expire = num; + *flags |= PARAM_EXPIRE; + break; + case '_': + if (check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (parse_mode(r, optarg) < 0) + exit_error(PARAMETER_PROBLEM, + "bad --hashlimit-mode: `%s'\n", optarg); + *flags |= PARAM_MODE; + break; + case '"': + if (check_inverse(argv[optind-1], &invert, &optind, 0)) break; + if (strlen(optarg) == 0) + exit_error(PARAMETER_PROBLEM, "Zero-length name?"); + strncpy(r->name, optarg, sizeof(r->name)); + *flags |= PARAM_NAME; + break; + default: + return 0; + } + + if (invert) + exit_error(PARAMETER_PROBLEM, + "hashlimit does not support invert"); + + return 1; +} + +/* Final check; nothing. */ +static void final_check(unsigned int flags) +{ + if (!(flags & PARAM_LIMIT)) + exit_error(PARAMETER_PROBLEM, + "You have to specify --hashlimit"); + if (!(flags & PARAM_MODE)) + exit_error(PARAMETER_PROBLEM, + "You have to specify --hashlimit-mode"); + if (!(flags & PARAM_NAME)) + exit_error(PARAMETER_PROBLEM, + "You have to specify --hashlimit-name"); +} + +static struct rates +{ + const char *name; + u_int32_t mult; +} rates[] = { { "day", IPT_HASHLIMIT_SCALE*24*60*60 }, + { "hour", IPT_HASHLIMIT_SCALE*60*60 }, + { "min", IPT_HASHLIMIT_SCALE*60 }, + { "sec", IPT_HASHLIMIT_SCALE } }; + +static void print_rate(u_int32_t period) +{ + unsigned int i; + + for (i = 1; i < sizeof(rates)/sizeof(struct rates); i++) { + if (period > rates[i].mult + || rates[i].mult/period < rates[i].mult%period) + break; + } + + printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name); +} + +static void print_mode(const struct ipt_hashlimit_info *r, char separator) +{ + int prevmode = 0; + + if (r->cfg.mode & IPT_HASHLIMIT_HASH_SIP) { + if (prevmode) + putchar(separator); + puts("srcip"); + prevmode = 1; + } + if (r->cfg.mode & IPT_HASHLIMIT_HASH_SPT) { + if (prevmode) + putchar(separator); + puts("srcport"); + prevmode = 1; + } + if (r->cfg.mode & IPT_HASHLIMIT_HASH_DIP) { + if (prevmode) + putchar(separator); + puts("dstip"); + prevmode = 1; + } + if (r->cfg.mode & IPT_HASHLIMIT_HASH_SPT) { + if (prevmode) + putchar(seprator); + puts("dstport"); + } + putchar(' '); +} + +/* Prints out the matchinfo. */ +static void +print(const struct ipt_ip *ip, + const struct ipt_entry_match *match, + int numeric) +{ + struct ipt_hashlimit_info *r = + (struct ipt_hashlimit_info *)match->data; + puts("limit: avg "); print_rate(r->cfg.avg); + printf("burst %u ", r->cfg.burst); + puts("mode "); + print_mode(r, '-'); + if (r->cfg.size) + printf("htable-size %u ", r->cfg.size); + if (r->cfg.max) + printf("htable-max %u ", r->cfg.max); + if (r->cfg.gc_interval != IPT_HASHLIMIT_GCINTERVAL) + printf("htable-gcinterval %u ", r->cfg.gc_interval); + if (r->cfg.expire != IPT_HASHLIMIT_EXPIRE) + printf("htable-expire %u ", r->cfg.expire); +} + +/* FIXME: Make minimalist: only print rate if not default --RR */ +static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match) +{ + struct ipt_hashlimit_info *r = + (struct ipt_hashlimit_info *)match->data; + + puts("--hashlimit "); print_rate(r->cfg.avg); + if (r->cfg.burst != IPT_HASHLIMIT_BURST) + printf("--hashlimit-burst %u ", r->cfg.burst); + + puts("--mode "); + print_mode(r, ','); + + if (r->cfg.size) + printf("--hashlimit-htable-size %u ", r->cfg.size); + if (r->cfg.max) + printf("--hashlimit-htable-max %u ", r->cfg.max); + if (r->cfg.gc_interval != IPT_HASHLIMIT_GCINTERVAL) + printf("--hashlimit-htable-gcinterval %u", r->cfg.gc_interval); + if (r->cfg.expire != IPT_HASHLIMIT_EXPIRE) + printf("--hashlimit-htable-expire %u ", r->cfg.expire); +} + +static +struct iptables_match hashlimit += { NULL, + "hashlimit", + IPTABLES_VERSION, + IPT_ALIGN(sizeof(struct ipt_hashlimit_info)), + IPT_ALIGN(sizeof(struct ipt_hashlimit_info)), + //offsetof(struct ipt_hashlimit_info, prev), + &help, + &init, + &parse, + &final_check, + &print, + &save, + opts +}; + +void _init(void) +{ + register_match(&hashlimit); +} -- cgit v1.2.3