2 * (C) 2011 Pablo Neira Ayuso <pablo@netfilter.org>
3 * (C) 2011 Intra2net AG <http://www.intra2net.com>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation (or any later at your option).
9 #include <linux/init.h>
10 #include <linux/module.h>
11 #include <linux/kernel.h>
12 #include <linux/skbuff.h>
13 #include <linux/atomic.h>
14 #include <linux/refcount.h>
15 #include <linux/netlink.h>
16 #include <linux/rculist.h>
17 #include <linux/slab.h>
18 #include <linux/types.h>
19 #include <linux/errno.h>
20 #include <net/netlink.h>
23 #include <linux/netfilter.h>
24 #include <linux/netfilter/nfnetlink.h>
25 #include <linux/netfilter/nfnetlink_acct.h>
27 MODULE_LICENSE("GPL");
28 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
29 MODULE_DESCRIPTION("nfacct: Extended Netfilter accounting infrastructure");
35 struct list_head head;
37 char name[NFACCT_NAME_MAX];
38 struct rcu_head rcu_head;
42 struct nfacct_filter {
47 #define NFACCT_F_QUOTA (NFACCT_F_QUOTA_PKTS | NFACCT_F_QUOTA_BYTES)
48 #define NFACCT_OVERQUOTA_BIT 2 /* NFACCT_F_OVERQUOTA */
50 static int nfnl_acct_new(struct net *net, struct sock *nfnl,
51 struct sk_buff *skb, const struct nlmsghdr *nlh,
52 const struct nlattr * const tb[])
54 struct nf_acct *nfacct, *matching = NULL;
56 unsigned int size = 0;
62 acct_name = nla_data(tb[NFACCT_NAME]);
63 if (strlen(acct_name) == 0)
66 list_for_each_entry(nfacct, &net->nfnl_acct_list, head) {
67 if (strncmp(nfacct->name, acct_name, NFACCT_NAME_MAX) != 0)
70 if (nlh->nlmsg_flags & NLM_F_EXCL)
78 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
79 /* reset counters if you request a replacement. */
80 atomic64_set(&matching->pkts, 0);
81 atomic64_set(&matching->bytes, 0);
82 smp_mb__before_atomic();
83 /* reset overquota flag if quota is enabled. */
84 if ((matching->flags & NFACCT_F_QUOTA))
85 clear_bit(NFACCT_OVERQUOTA_BIT,
92 if (tb[NFACCT_FLAGS]) {
93 flags = ntohl(nla_get_be32(tb[NFACCT_FLAGS]));
94 if (flags & ~NFACCT_F_QUOTA)
96 if ((flags & NFACCT_F_QUOTA) == NFACCT_F_QUOTA)
98 if (flags & NFACCT_F_OVERQUOTA)
100 if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA])
106 nfacct = kzalloc(sizeof(struct nf_acct) + size, GFP_KERNEL);
110 if (flags & NFACCT_F_QUOTA) {
111 u64 *quota = (u64 *)nfacct->data;
113 *quota = be64_to_cpu(nla_get_be64(tb[NFACCT_QUOTA]));
114 nfacct->flags = flags;
117 strncpy(nfacct->name, nla_data(tb[NFACCT_NAME]), NFACCT_NAME_MAX);
119 if (tb[NFACCT_BYTES]) {
120 atomic64_set(&nfacct->bytes,
121 be64_to_cpu(nla_get_be64(tb[NFACCT_BYTES])));
123 if (tb[NFACCT_PKTS]) {
124 atomic64_set(&nfacct->pkts,
125 be64_to_cpu(nla_get_be64(tb[NFACCT_PKTS])));
127 refcount_set(&nfacct->refcnt, 1);
128 list_add_tail_rcu(&nfacct->head, &net->nfnl_acct_list);
133 nfnl_acct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
134 int event, struct nf_acct *acct)
136 struct nlmsghdr *nlh;
137 struct nfgenmsg *nfmsg;
138 unsigned int flags = portid ? NLM_F_MULTI : 0;
142 event = nfnl_msg_type(NFNL_SUBSYS_ACCT, event);
143 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
147 nfmsg = nlmsg_data(nlh);
148 nfmsg->nfgen_family = AF_UNSPEC;
149 nfmsg->version = NFNETLINK_V0;
152 if (nla_put_string(skb, NFACCT_NAME, acct->name))
153 goto nla_put_failure;
155 old_flags = acct->flags;
156 if (type == NFNL_MSG_ACCT_GET_CTRZERO) {
157 pkts = atomic64_xchg(&acct->pkts, 0);
158 bytes = atomic64_xchg(&acct->bytes, 0);
159 smp_mb__before_atomic();
160 if (acct->flags & NFACCT_F_QUOTA)
161 clear_bit(NFACCT_OVERQUOTA_BIT, &acct->flags);
163 pkts = atomic64_read(&acct->pkts);
164 bytes = atomic64_read(&acct->bytes);
166 if (nla_put_be64(skb, NFACCT_PKTS, cpu_to_be64(pkts),
168 nla_put_be64(skb, NFACCT_BYTES, cpu_to_be64(bytes),
170 nla_put_be32(skb, NFACCT_USE, htonl(refcount_read(&acct->refcnt))))
171 goto nla_put_failure;
172 if (acct->flags & NFACCT_F_QUOTA) {
173 u64 *quota = (u64 *)acct->data;
175 if (nla_put_be32(skb, NFACCT_FLAGS, htonl(old_flags)) ||
176 nla_put_be64(skb, NFACCT_QUOTA, cpu_to_be64(*quota),
178 goto nla_put_failure;
185 nlmsg_cancel(skb, nlh);
190 nfnl_acct_dump(struct sk_buff *skb, struct netlink_callback *cb)
192 struct net *net = sock_net(skb->sk);
193 struct nf_acct *cur, *last;
194 const struct nfacct_filter *filter = cb->data;
199 last = (struct nf_acct *)cb->args[1];
204 list_for_each_entry_rcu(cur, &net->nfnl_acct_list, head) {
212 if (filter && (cur->flags & filter->mask) != filter->value)
215 if (nfnl_acct_fill_info(skb, NETLINK_CB(cb->skb).portid,
217 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
218 NFNL_MSG_ACCT_NEW, cur) < 0) {
219 cb->args[1] = (unsigned long)cur;
229 static int nfnl_acct_done(struct netlink_callback *cb)
235 static const struct nla_policy filter_policy[NFACCT_FILTER_MAX + 1] = {
236 [NFACCT_FILTER_MASK] = { .type = NLA_U32 },
237 [NFACCT_FILTER_VALUE] = { .type = NLA_U32 },
240 static struct nfacct_filter *
241 nfacct_filter_alloc(const struct nlattr * const attr)
243 struct nfacct_filter *filter;
244 struct nlattr *tb[NFACCT_FILTER_MAX + 1];
247 err = nla_parse_nested(tb, NFACCT_FILTER_MAX, attr, filter_policy,
252 if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE])
253 return ERR_PTR(-EINVAL);
255 filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL);
257 return ERR_PTR(-ENOMEM);
259 filter->mask = ntohl(nla_get_be32(tb[NFACCT_FILTER_MASK]));
260 filter->value = ntohl(nla_get_be32(tb[NFACCT_FILTER_VALUE]));
265 static int nfnl_acct_get(struct net *net, struct sock *nfnl,
266 struct sk_buff *skb, const struct nlmsghdr *nlh,
267 const struct nlattr * const tb[])
273 if (nlh->nlmsg_flags & NLM_F_DUMP) {
274 struct netlink_dump_control c = {
275 .dump = nfnl_acct_dump,
276 .done = nfnl_acct_done,
279 if (tb[NFACCT_FILTER]) {
280 struct nfacct_filter *filter;
282 filter = nfacct_filter_alloc(tb[NFACCT_FILTER]);
284 return PTR_ERR(filter);
288 return netlink_dump_start(nfnl, skb, nlh, &c);
291 if (!tb[NFACCT_NAME])
293 acct_name = nla_data(tb[NFACCT_NAME]);
295 list_for_each_entry(cur, &net->nfnl_acct_list, head) {
296 struct sk_buff *skb2;
298 if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX)!= 0)
301 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
307 ret = nfnl_acct_fill_info(skb2, NETLINK_CB(skb).portid,
309 NFNL_MSG_TYPE(nlh->nlmsg_type),
310 NFNL_MSG_ACCT_NEW, cur);
315 ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
320 /* this avoids a loop in nfnetlink. */
321 return ret == -EAGAIN ? -ENOBUFS : ret;
326 /* try to delete object, fail if it is still in use. */
327 static int nfnl_acct_try_del(struct nf_acct *cur)
331 /* We want to avoid races with nfnl_acct_put. So only when the current
332 * refcnt is 1, we decrease it to 0.
334 if (refcount_dec_if_one(&cur->refcnt)) {
335 /* We are protected by nfnl mutex. */
336 list_del_rcu(&cur->head);
337 kfree_rcu(cur, rcu_head);
344 static int nfnl_acct_del(struct net *net, struct sock *nfnl,
345 struct sk_buff *skb, const struct nlmsghdr *nlh,
346 const struct nlattr * const tb[])
348 struct nf_acct *cur, *tmp;
352 if (!tb[NFACCT_NAME]) {
353 list_for_each_entry_safe(cur, tmp, &net->nfnl_acct_list, head)
354 nfnl_acct_try_del(cur);
358 acct_name = nla_data(tb[NFACCT_NAME]);
360 list_for_each_entry(cur, &net->nfnl_acct_list, head) {
361 if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX) != 0)
364 ret = nfnl_acct_try_del(cur);
373 static const struct nla_policy nfnl_acct_policy[NFACCT_MAX+1] = {
374 [NFACCT_NAME] = { .type = NLA_NUL_STRING, .len = NFACCT_NAME_MAX-1 },
375 [NFACCT_BYTES] = { .type = NLA_U64 },
376 [NFACCT_PKTS] = { .type = NLA_U64 },
377 [NFACCT_FLAGS] = { .type = NLA_U32 },
378 [NFACCT_QUOTA] = { .type = NLA_U64 },
379 [NFACCT_FILTER] = {.type = NLA_NESTED },
382 static const struct nfnl_callback nfnl_acct_cb[NFNL_MSG_ACCT_MAX] = {
383 [NFNL_MSG_ACCT_NEW] = { .call = nfnl_acct_new,
384 .attr_count = NFACCT_MAX,
385 .policy = nfnl_acct_policy },
386 [NFNL_MSG_ACCT_GET] = { .call = nfnl_acct_get,
387 .attr_count = NFACCT_MAX,
388 .policy = nfnl_acct_policy },
389 [NFNL_MSG_ACCT_GET_CTRZERO] = { .call = nfnl_acct_get,
390 .attr_count = NFACCT_MAX,
391 .policy = nfnl_acct_policy },
392 [NFNL_MSG_ACCT_DEL] = { .call = nfnl_acct_del,
393 .attr_count = NFACCT_MAX,
394 .policy = nfnl_acct_policy },
397 static const struct nfnetlink_subsystem nfnl_acct_subsys = {
399 .subsys_id = NFNL_SUBSYS_ACCT,
400 .cb_count = NFNL_MSG_ACCT_MAX,
404 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ACCT);
406 struct nf_acct *nfnl_acct_find_get(struct net *net, const char *acct_name)
408 struct nf_acct *cur, *acct = NULL;
411 list_for_each_entry_rcu(cur, &net->nfnl_acct_list, head) {
412 if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX)!= 0)
415 if (!try_module_get(THIS_MODULE))
418 if (!refcount_inc_not_zero(&cur->refcnt)) {
419 module_put(THIS_MODULE);
430 EXPORT_SYMBOL_GPL(nfnl_acct_find_get);
432 void nfnl_acct_put(struct nf_acct *acct)
434 if (refcount_dec_and_test(&acct->refcnt))
435 kfree_rcu(acct, rcu_head);
437 module_put(THIS_MODULE);
439 EXPORT_SYMBOL_GPL(nfnl_acct_put);
441 void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct)
443 atomic64_inc(&nfacct->pkts);
444 atomic64_add(skb->len, &nfacct->bytes);
446 EXPORT_SYMBOL_GPL(nfnl_acct_update);
448 static void nfnl_overquota_report(struct net *net, struct nf_acct *nfacct)
453 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
457 ret = nfnl_acct_fill_info(skb, 0, 0, NFNL_MSG_ACCT_OVERQUOTA, 0,
463 netlink_broadcast(net->nfnl, skb, 0, NFNLGRP_ACCT_QUOTA,
467 int nfnl_acct_overquota(struct net *net, const struct sk_buff *skb,
468 struct nf_acct *nfacct)
472 int ret = NFACCT_UNDERQUOTA;
474 /* no place here if we don't have a quota */
475 if (!(nfacct->flags & NFACCT_F_QUOTA))
476 return NFACCT_NO_QUOTA;
478 quota = (u64 *)nfacct->data;
479 now = (nfacct->flags & NFACCT_F_QUOTA_PKTS) ?
480 atomic64_read(&nfacct->pkts) : atomic64_read(&nfacct->bytes);
485 !test_and_set_bit(NFACCT_OVERQUOTA_BIT, &nfacct->flags)) {
486 nfnl_overquota_report(net, nfacct);
491 EXPORT_SYMBOL_GPL(nfnl_acct_overquota);
493 static int __net_init nfnl_acct_net_init(struct net *net)
495 INIT_LIST_HEAD(&net->nfnl_acct_list);
500 static void __net_exit nfnl_acct_net_exit(struct net *net)
502 struct nf_acct *cur, *tmp;
504 list_for_each_entry_safe(cur, tmp, &net->nfnl_acct_list, head) {
505 list_del_rcu(&cur->head);
507 if (refcount_dec_and_test(&cur->refcnt))
508 kfree_rcu(cur, rcu_head);
512 static struct pernet_operations nfnl_acct_ops = {
513 .init = nfnl_acct_net_init,
514 .exit = nfnl_acct_net_exit,
517 static int __init nfnl_acct_init(void)
521 ret = register_pernet_subsys(&nfnl_acct_ops);
523 pr_err("nfnl_acct_init: failed to register pernet ops\n");
527 pr_info("nfnl_acct: registering with nfnetlink.\n");
528 ret = nfnetlink_subsys_register(&nfnl_acct_subsys);
530 pr_err("nfnl_acct_init: cannot register with nfnetlink.\n");
536 unregister_pernet_subsys(&nfnl_acct_ops);
541 static void __exit nfnl_acct_exit(void)
543 pr_info("nfnl_acct: unregistering from nfnetlink.\n");
544 nfnetlink_subsys_unregister(&nfnl_acct_subsys);
545 unregister_pernet_subsys(&nfnl_acct_ops);
548 module_init(nfnl_acct_init);
549 module_exit(nfnl_acct_exit);
projects / karo-tx-linux.git / blob