// SPDX-License-Identifier: GPL-2.0-only
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
/*
 * State of one "last" expression. It lives in its own heap allocation,
 * which nft_last_priv points to.
 */
struct nft_last {
	/* Timestamp in jiffies; nft_last_eval() stores the current jiffies here. */
	unsigned long jiffies;
	/* Non-zero once the expression has been evaluated or userspace restored it. */
	unsigned int set;
};
/*
 * Expression private area: only a pointer to the state, which is allocated
 * in nft_last_init()/nft_last_clone() and freed in nft_last_destroy().
 */
struct nft_last_priv {
	struct nft_last *last;
};
/*
 * Netlink attribute policy for the expression, wired up through
 * nft_last_type.policy. Both attributes are supplied by userspace;
 * the policy only constrains their wire type.
 */
static const struct nla_policy nft_last_policy[NFTA_LAST_MAX + 1] = {
	/* 32-bit "has been used" flag; read with nla_get_be32() in init. */
	[NFTA_LAST_SET] = { .type = NLA_U32 },
	/* 64-bit elapsed time in milliseconds; converted to jiffies in init. */
	[NFTA_LAST_MSECS] = { .type = NLA_U64 },
};
/*
 * nft_last_init - allocate the expression state and optionally restore it
 * from the netlink attributes in @tb.
 *
 * NFTA_LAST_SET, when present, seeds the "set" flag. NFTA_LAST_MSECS is only
 * honoured when that flag ends up non-zero; it is converted to jiffies and
 * subtracted from the current jiffies to rebuild the timestamp.
 *
 * Returns 0 on success, -ENOMEM if the allocation fails, or the negative
 * error returned by nf_msecs_to_jiffies64().
 */
static int nft_last_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
			 const struct nlattr * const tb[])
{
	struct nft_last_priv *priv = nft_expr_priv(expr);
	struct nft_last *state;
	u64 elapsed;
	int ret;

	/*
	 * NOTE(review): the _ACCOUNT variant presumably charges this
	 * allocation to the caller's memory cgroup - confirm.
	 */
	state = kzalloc(sizeof(*state), GFP_KERNEL_ACCOUNT);
	if (state == NULL)
		return -ENOMEM;

	if (tb[NFTA_LAST_SET] != NULL)
		state->set = ntohl(nla_get_be32(tb[NFTA_LAST_SET]));

	if (state->set != 0 && tb[NFTA_LAST_MSECS] != NULL) {
		ret = nf_msecs_to_jiffies64(tb[NFTA_LAST_MSECS], &elapsed);
		if (ret < 0) {
			/* Nothing has been published yet, so free and bail out. */
			kfree(state);
			return ret;
		}
		/* The u64 result is narrowed to unsigned long before the subtraction. */
		state->jiffies = jiffies - (unsigned long)elapsed;
	}

	priv->last = state;
	return 0;
}
/*
 * nft_last_eval - record that the expression was evaluated.
 *
 * Stores the current jiffies in the state and raises the "set" flag.
 * @regs and @pkt are not used.
 */
static void nft_last_eval(const struct nft_expr *expr,
			  struct nft_regs *regs, const struct nft_pktinfo *pkt)
{
	struct nft_last_priv *priv = nft_expr_priv(expr);
	struct nft_last *last = priv->last;

	/*
	 * Each field is written only when its value would change.
	 * NOTE(review): presumably this avoids dirtying a shared cache line
	 * on every packet; READ_ONCE/WRITE_ONCE suggest lockless concurrent
	 * access - confirm against callers.
	 */
	if (READ_ONCE(last->jiffies) != jiffies)
		WRITE_ONCE(last->jiffies, jiffies);
	if (READ_ONCE(last->set) == 0)
		WRITE_ONCE(last->set, 1);
}
/*
 * nft_last_dump - emit NFTA_LAST_SET and NFTA_LAST_MSECS into @skb.
 *
 * The elapsed time is reported in milliseconds, or as 0 when the expression
 * has no valid timestamp. Returns 0 on success and -1 if either attribute
 * could not be added to the message.
 */
static int nft_last_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
	struct nft_last_priv *priv = nft_expr_priv(expr);
	struct nft_last *state = priv->last;
	unsigned long stamp = READ_ONCE(state->jiffies);
	u32 seen = READ_ONCE(state->set);
	__be64 msecs = 0;

	/*
	 * A stored timestamp that compares as later than the current jiffies
	 * cannot be turned into a meaningful elapsed time, so the flag is
	 * cleared and the expression is reported as unused.
	 */
	if (time_before(jiffies, stamp)) {
		WRITE_ONCE(state->set, 0);
		seen = 0;
	}

	if (seen)
		msecs = nf_jiffies64_to_msecs(jiffies - stamp);

	if (nla_put_be32(skb, NFTA_LAST_SET, htonl(seen)) ||
	    nla_put_be64(skb, NFTA_LAST_MSECS, msecs, NFTA_LAST_PAD))
		return -1;

	return 0;
}
/*
 * nft_last_destroy - release the state allocated by nft_last_init() or
 * nft_last_clone(). @ctx is not used.
 */
static void nft_last_destroy(const struct nft_ctx *ctx,
			     const struct nft_expr *expr)
{
	struct nft_last_priv *owner = nft_expr_priv(expr);
	struct nft_last *state = owner->last;

	kfree(state);
}
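/*
 * nft_last_clone - give @dst its own state, initialised from @src.
 *
 * The copy gets a separate allocation so that destroying either expression
 * does not free memory the other still uses. The source's "set" flag and
 * timestamp are carried over; without that the clone would start out zeroed
 * and be dumped as never used, discarding any state the source had been
 * given at init time or had accumulated since.
 *
 * Returns 0 on success or -ENOMEM if the allocation fails.
 */
static int nft_last_clone(struct nft_expr *dst, const struct nft_expr *src)
{
	struct nft_last_priv *priv_dst = nft_expr_priv(dst);
	const struct nft_last_priv *priv_src = nft_expr_priv(src);

	/* NOTE(review): GFP_ATOMIC implies callers may not sleep here - confirm. */
	priv_dst->last = kzalloc(sizeof(*priv_dst->last), GFP_ATOMIC);
	if (!priv_dst->last)
		return -ENOMEM;

	/*
	 * nft_last_eval() updates these fields with WRITE_ONCE(), so read
	 * them the same way the dump path does.
	 */
	priv_dst->last->set = READ_ONCE(priv_src->last->set);
	priv_dst->last->jiffies = READ_ONCE(priv_src->last->jiffies);

	return 0;
}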
/* Operations table binding the callbacks above to the "last" expression. */
static const struct nft_expr_ops nft_last_ops = {
	.type = &nft_last_type,
	/* The private area holds only the pointer in struct nft_last_priv. */
	.size = NFT_EXPR_SIZE(sizeof(struct nft_last_priv)),
	.eval = nft_last_eval,
	.init = nft_last_init,
	.destroy = nft_last_destroy,
	.clone = nft_last_clone,
	.dump = nft_last_dump,
	.reduce = NFT_REDUCE_READONLY,
};
/*
 * Expression type descriptor for "last". It is not static, so it is visible
 * outside this file.
 */
struct nft_expr_type nft_last_type __read_mostly = {
	.name = "last",
	.ops = &nft_last_ops,
	/* Attribute policy and highest attribute number for this expression. */
	.policy = nft_last_policy,
	.maxattr = NFTA_LAST_MAX,
	/* The expression is flagged as stateful (see struct nft_last). */
	.flags = NFT_EXPR_STATEFUL,
	.owner = THIS_MODULE,
};