summaryrefslogtreecommitdiff
path: root/net/netfilter
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2015-07-31 14:10:22 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2015-08-07 11:49:49 +0200
commitdba27ec1bc382014aa2ba46e96f421b5f6536dae (patch)
tree315ad68755c1dc85658effc89e56bc7235b1234e /net/netfilter
parent09e4e42a00b99e94cfce27e63b06daca0c26e841 (diff)
netfilter: nft_limit: convert to token-based limiting at nanosecond granularity
Rework the limit expression to use a token-based limiting approach that refills the bucket gradually. The tokens are calculated at nanosecond granularity instead jiffies to improve precision. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/nft_limit.c42
1 files changed, 26 insertions, 16 deletions
diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c
index d0788e172b4c..c79703e5baad 100644
--- a/net/netfilter/nft_limit.c
+++ b/net/netfilter/nft_limit.c
@@ -20,10 +20,11 @@
static DEFINE_SPINLOCK(limit_lock);
struct nft_limit {
+ u64 last;
u64 tokens;
+ u64 tokens_max;
u64 rate;
- u64 unit;
- unsigned long stamp;
+ u64 nsecs;
};
static void nft_limit_pkts_eval(const struct nft_expr *expr,
@@ -31,18 +32,23 @@ static void nft_limit_pkts_eval(const struct nft_expr *expr,
const struct nft_pktinfo *pkt)
{
struct nft_limit *priv = nft_expr_priv(expr);
+ u64 now, tokens, cost = div_u64(priv->nsecs, priv->rate);
+ s64 delta;
spin_lock_bh(&limit_lock);
- if (time_after_eq(jiffies, priv->stamp)) {
- priv->tokens = priv->rate;
- priv->stamp = jiffies + priv->unit * HZ;
- }
-
- if (priv->tokens >= 1) {
- priv->tokens--;
+ now = ktime_get_ns();
+ tokens = priv->tokens + now - priv->last;
+ if (tokens > priv->tokens_max)
+ tokens = priv->tokens_max;
+
+ priv->last = now;
+ delta = tokens - cost;
+ if (delta >= 0) {
+ priv->tokens = delta;
spin_unlock_bh(&limit_lock);
return;
}
+ priv->tokens = tokens;
spin_unlock_bh(&limit_lock);
regs->verdict.code = NFT_BREAK;
@@ -58,25 +64,29 @@ static int nft_limit_init(const struct nft_ctx *ctx,
const struct nlattr * const tb[])
{
struct nft_limit *priv = nft_expr_priv(expr);
+ u64 unit;
if (tb[NFTA_LIMIT_RATE] == NULL ||
tb[NFTA_LIMIT_UNIT] == NULL)
return -EINVAL;
- priv->rate = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_RATE]));
- priv->unit = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_UNIT]));
- priv->stamp = jiffies + priv->unit * HZ;
- priv->tokens = priv->rate;
+ priv->rate = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_RATE]));
+ unit = be64_to_cpu(nla_get_be64(tb[NFTA_LIMIT_UNIT]));
+ priv->nsecs = unit * NSEC_PER_SEC;
+ if (priv->rate == 0 || priv->nsecs < unit)
+ return -EOVERFLOW;
+ priv->tokens = priv->tokens_max = priv->nsecs;
+ priv->last = ktime_get_ns();
return 0;
}
static int nft_limit_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
const struct nft_limit *priv = nft_expr_priv(expr);
+ u64 secs = div_u64(priv->nsecs, NSEC_PER_SEC);
- if (nla_put_be64(skb, NFTA_LIMIT_RATE, cpu_to_be64(priv->rate)))
- goto nla_put_failure;
- if (nla_put_be64(skb, NFTA_LIMIT_UNIT, cpu_to_be64(priv->unit)))
+ if (nla_put_be64(skb, NFTA_LIMIT_RATE, cpu_to_be64(priv->rate)) ||
+ nla_put_be64(skb, NFTA_LIMIT_UNIT, cpu_to_be64(secs)))
goto nla_put_failure;
return 0;