whiterose

linux unikernel
Log | Files | Refs | README | LICENSE | git clone https://git.ne02ptzero.me/git/whiterose

xt_hashlimit.c (34706B)


      1 /*
      2  *	xt_hashlimit - Netfilter module to limit the number of packets per time
      3  *	separately for each hashbucket (sourceip/sourceport/dstip/dstport)
      4  *
      5  *	(C) 2003-2004 by Harald Welte <laforge@netfilter.org>
      6  *	(C) 2006-2012 Patrick McHardy <kaber@trash.net>
      7  *	Copyright © CC Computer Consultants GmbH, 2007 - 2008
      8  *
      9  * Development of this code was funded by Astaro AG, http://www.astaro.com/
     10  */
     11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
     12 #include <linux/module.h>
     13 #include <linux/spinlock.h>
     14 #include <linux/random.h>
     15 #include <linux/jhash.h>
     16 #include <linux/slab.h>
     17 #include <linux/vmalloc.h>
     18 #include <linux/proc_fs.h>
     19 #include <linux/seq_file.h>
     20 #include <linux/list.h>
     21 #include <linux/skbuff.h>
     22 #include <linux/mm.h>
     23 #include <linux/in.h>
     24 #include <linux/ip.h>
     25 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
     26 #include <linux/ipv6.h>
     27 #include <net/ipv6.h>
     28 #endif
     29 
     30 #include <net/net_namespace.h>
     31 #include <net/netns/generic.h>
     32 
     33 #include <linux/netfilter/x_tables.h>
     34 #include <linux/netfilter_ipv4/ip_tables.h>
     35 #include <linux/netfilter_ipv6/ip6_tables.h>
     36 #include <linux/netfilter/xt_hashlimit.h>
     37 #include <linux/mutex.h>
     38 #include <linux/kernel.h>
     39 
     40 MODULE_LICENSE("GPL");
     41 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
     42 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
     43 MODULE_DESCRIPTION("Xtables: per hash-bucket rate-limit match");
     44 MODULE_ALIAS("ipt_hashlimit");
     45 MODULE_ALIAS("ip6t_hashlimit");
     46 
     47 struct hashlimit_net {
     48 	struct hlist_head	htables;
     49 	struct proc_dir_entry	*ipt_hashlimit;
     50 	struct proc_dir_entry	*ip6t_hashlimit;
     51 };
     52 
     53 static unsigned int hashlimit_net_id;
     54 static inline struct hashlimit_net *hashlimit_pernet(struct net *net)
     55 {
     56 	return net_generic(net, hashlimit_net_id);
     57 }
     58 
     59 /* need to declare this at the top */
     60 static const struct seq_operations dl_seq_ops_v2;
     61 static const struct seq_operations dl_seq_ops_v1;
     62 static const struct seq_operations dl_seq_ops;
     63 
     64 /* hash table crap */
     65 struct dsthash_dst {
     66 	union {
     67 		struct {
     68 			__be32 src;
     69 			__be32 dst;
     70 		} ip;
     71 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
     72 		struct {
     73 			__be32 src[4];
     74 			__be32 dst[4];
     75 		} ip6;
     76 #endif
     77 	};
     78 	__be16 src_port;
     79 	__be16 dst_port;
     80 };
     81 
     82 struct dsthash_ent {
     83 	/* static / read-only parts in the beginning */
     84 	struct hlist_node node;
     85 	struct dsthash_dst dst;
     86 
     87 	/* modified structure members in the end */
     88 	spinlock_t lock;
     89 	unsigned long expires;		/* precalculated expiry time */
     90 	struct {
     91 		unsigned long prev;	/* last modification */
     92 		union {
     93 			struct {
     94 				u_int64_t credit;
     95 				u_int64_t credit_cap;
     96 				u_int64_t cost;
     97 			};
     98 			struct {
     99 				u_int32_t interval, prev_window;
    100 				u_int64_t current_rate;
    101 				u_int64_t rate;
    102 				int64_t burst;
    103 			};
    104 		};
    105 	} rateinfo;
    106 	struct rcu_head rcu;
    107 };
    108 
    109 struct xt_hashlimit_htable {
    110 	struct hlist_node node;		/* global list of all htables */
    111 	int use;
    112 	u_int8_t family;
    113 	bool rnd_initialized;
    114 
    115 	struct hashlimit_cfg3 cfg;	/* config */
    116 
    117 	/* used internally */
    118 	spinlock_t lock;		/* lock for list_head */
    119 	u_int32_t rnd;			/* random seed for hash */
    120 	unsigned int count;		/* number entries in table */
    121 	struct delayed_work gc_work;
    122 
    123 	/* seq_file stuff */
    124 	struct proc_dir_entry *pde;
    125 	const char *name;
    126 	struct net *net;
    127 
    128 	struct hlist_head hash[0];	/* hashtable itself */
    129 };
    130 
    131 static int
    132 cfg_copy(struct hashlimit_cfg3 *to, const void *from, int revision)
    133 {
    134 	if (revision == 1) {
    135 		struct hashlimit_cfg1 *cfg = (struct hashlimit_cfg1 *)from;
    136 
    137 		to->mode = cfg->mode;
    138 		to->avg = cfg->avg;
    139 		to->burst = cfg->burst;
    140 		to->size = cfg->size;
    141 		to->max = cfg->max;
    142 		to->gc_interval = cfg->gc_interval;
    143 		to->expire = cfg->expire;
    144 		to->srcmask = cfg->srcmask;
    145 		to->dstmask = cfg->dstmask;
    146 	} else if (revision == 2) {
    147 		struct hashlimit_cfg2 *cfg = (struct hashlimit_cfg2 *)from;
    148 
    149 		to->mode = cfg->mode;
    150 		to->avg = cfg->avg;
    151 		to->burst = cfg->burst;
    152 		to->size = cfg->size;
    153 		to->max = cfg->max;
    154 		to->gc_interval = cfg->gc_interval;
    155 		to->expire = cfg->expire;
    156 		to->srcmask = cfg->srcmask;
    157 		to->dstmask = cfg->dstmask;
    158 	} else if (revision == 3) {
    159 		memcpy(to, from, sizeof(struct hashlimit_cfg3));
    160 	} else {
    161 		return -EINVAL;
    162 	}
    163 
    164 	return 0;
    165 }
    166 
    167 static DEFINE_MUTEX(hashlimit_mutex);	/* protects htables list */
    168 static struct kmem_cache *hashlimit_cachep __read_mostly;
    169 
    170 static inline bool dst_cmp(const struct dsthash_ent *ent,
    171 			   const struct dsthash_dst *b)
    172 {
    173 	return !memcmp(&ent->dst, b, sizeof(ent->dst));
    174 }
    175 
    176 static u_int32_t
    177 hash_dst(const struct xt_hashlimit_htable *ht, const struct dsthash_dst *dst)
    178 {
    179 	u_int32_t hash = jhash2((const u32 *)dst,
    180 				sizeof(*dst)/sizeof(u32),
    181 				ht->rnd);
    182 	/*
    183 	 * Instead of returning hash % ht->cfg.size (implying a divide)
    184 	 * we return the high 32 bits of the (hash * ht->cfg.size) that will
    185 	 * give results between [0 and cfg.size-1] and same hash distribution,
    186 	 * but using a multiply, less expensive than a divide
    187 	 */
    188 	return reciprocal_scale(hash, ht->cfg.size);
    189 }
    190 
    191 static struct dsthash_ent *
    192 dsthash_find(const struct xt_hashlimit_htable *ht,
    193 	     const struct dsthash_dst *dst)
    194 {
    195 	struct dsthash_ent *ent;
    196 	u_int32_t hash = hash_dst(ht, dst);
    197 
    198 	if (!hlist_empty(&ht->hash[hash])) {
    199 		hlist_for_each_entry_rcu(ent, &ht->hash[hash], node)
    200 			if (dst_cmp(ent, dst)) {
    201 				spin_lock(&ent->lock);
    202 				return ent;
    203 			}
    204 	}
    205 	return NULL;
    206 }
    207 
    208 /* allocate dsthash_ent, initialize dst, put in htable and lock it */
    209 static struct dsthash_ent *
    210 dsthash_alloc_init(struct xt_hashlimit_htable *ht,
    211 		   const struct dsthash_dst *dst, bool *race)
    212 {
    213 	struct dsthash_ent *ent;
    214 
    215 	spin_lock(&ht->lock);
    216 
    217 	/* Two or more packets may race to create the same entry in the
    218 	 * hashtable, double check if this packet lost race.
    219 	 */
    220 	ent = dsthash_find(ht, dst);
    221 	if (ent != NULL) {
    222 		spin_unlock(&ht->lock);
    223 		*race = true;
    224 		return ent;
    225 	}
    226 
    227 	/* initialize hash with random val at the time we allocate
    228 	 * the first hashtable entry */
    229 	if (unlikely(!ht->rnd_initialized)) {
    230 		get_random_bytes(&ht->rnd, sizeof(ht->rnd));
    231 		ht->rnd_initialized = true;
    232 	}
    233 
    234 	if (ht->cfg.max && ht->count >= ht->cfg.max) {
    235 		/* FIXME: do something. question is what.. */
    236 		net_err_ratelimited("max count of %u reached\n", ht->cfg.max);
    237 		ent = NULL;
    238 	} else
    239 		ent = kmem_cache_alloc(hashlimit_cachep, GFP_ATOMIC);
    240 	if (ent) {
    241 		memcpy(&ent->dst, dst, sizeof(ent->dst));
    242 		spin_lock_init(&ent->lock);
    243 
    244 		spin_lock(&ent->lock);
    245 		hlist_add_head_rcu(&ent->node, &ht->hash[hash_dst(ht, dst)]);
    246 		ht->count++;
    247 	}
    248 	spin_unlock(&ht->lock);
    249 	return ent;
    250 }
    251 
    252 static void dsthash_free_rcu(struct rcu_head *head)
    253 {
    254 	struct dsthash_ent *ent = container_of(head, struct dsthash_ent, rcu);
    255 
    256 	kmem_cache_free(hashlimit_cachep, ent);
    257 }
    258 
    259 static inline void
    260 dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent)
    261 {
    262 	hlist_del_rcu(&ent->node);
    263 	call_rcu(&ent->rcu, dsthash_free_rcu);
    264 	ht->count--;
    265 }
    266 static void htable_gc(struct work_struct *work);
    267 
    268 static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg,
    269 			 const char *name, u_int8_t family,
    270 			 struct xt_hashlimit_htable **out_hinfo,
    271 			 int revision)
    272 {
    273 	struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
    274 	struct xt_hashlimit_htable *hinfo;
    275 	const struct seq_operations *ops;
    276 	unsigned int size, i;
    277 	unsigned long nr_pages = totalram_pages();
    278 	int ret;
    279 
    280 	if (cfg->size) {
    281 		size = cfg->size;
    282 	} else {
    283 		size = (nr_pages << PAGE_SHIFT) / 16384 /
    284 		       sizeof(struct hlist_head);
    285 		if (nr_pages > 1024 * 1024 * 1024 / PAGE_SIZE)
    286 			size = 8192;
    287 		if (size < 16)
    288 			size = 16;
    289 	}
    290 	/* FIXME: don't use vmalloc() here or anywhere else -HW */
    291 	hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
    292 	                sizeof(struct hlist_head) * size);
    293 	if (hinfo == NULL)
    294 		return -ENOMEM;
    295 	*out_hinfo = hinfo;
    296 
    297 	/* copy match config into hashtable config */
    298 	ret = cfg_copy(&hinfo->cfg, (void *)cfg, 3);
    299 	if (ret) {
    300 		vfree(hinfo);
    301 		return ret;
    302 	}
    303 
    304 	hinfo->cfg.size = size;
    305 	if (hinfo->cfg.max == 0)
    306 		hinfo->cfg.max = 8 * hinfo->cfg.size;
    307 	else if (hinfo->cfg.max < hinfo->cfg.size)
    308 		hinfo->cfg.max = hinfo->cfg.size;
    309 
    310 	for (i = 0; i < hinfo->cfg.size; i++)
    311 		INIT_HLIST_HEAD(&hinfo->hash[i]);
    312 
    313 	hinfo->use = 1;
    314 	hinfo->count = 0;
    315 	hinfo->family = family;
    316 	hinfo->rnd_initialized = false;
    317 	hinfo->name = kstrdup(name, GFP_KERNEL);
    318 	if (!hinfo->name) {
    319 		vfree(hinfo);
    320 		return -ENOMEM;
    321 	}
    322 	spin_lock_init(&hinfo->lock);
    323 
    324 	switch (revision) {
    325 	case 1:
    326 		ops = &dl_seq_ops_v1;
    327 		break;
    328 	case 2:
    329 		ops = &dl_seq_ops_v2;
    330 		break;
    331 	default:
    332 		ops = &dl_seq_ops;
    333 	}
    334 
    335 	hinfo->pde = proc_create_seq_data(name, 0,
    336 		(family == NFPROTO_IPV4) ?
    337 		hashlimit_net->ipt_hashlimit : hashlimit_net->ip6t_hashlimit,
    338 		ops, hinfo);
    339 	if (hinfo->pde == NULL) {
    340 		kfree(hinfo->name);
    341 		vfree(hinfo);
    342 		return -ENOMEM;
    343 	}
    344 	hinfo->net = net;
    345 
    346 	INIT_DEFERRABLE_WORK(&hinfo->gc_work, htable_gc);
    347 	queue_delayed_work(system_power_efficient_wq, &hinfo->gc_work,
    348 			   msecs_to_jiffies(hinfo->cfg.gc_interval));
    349 
    350 	hlist_add_head(&hinfo->node, &hashlimit_net->htables);
    351 
    352 	return 0;
    353 }
    354 
    355 static bool select_all(const struct xt_hashlimit_htable *ht,
    356 		       const struct dsthash_ent *he)
    357 {
    358 	return true;
    359 }
    360 
    361 static bool select_gc(const struct xt_hashlimit_htable *ht,
    362 		      const struct dsthash_ent *he)
    363 {
    364 	return time_after_eq(jiffies, he->expires);
    365 }
    366 
    367 static void htable_selective_cleanup(struct xt_hashlimit_htable *ht,
    368 			bool (*select)(const struct xt_hashlimit_htable *ht,
    369 				      const struct dsthash_ent *he))
    370 {
    371 	unsigned int i;
    372 
    373 	for (i = 0; i < ht->cfg.size; i++) {
    374 		struct dsthash_ent *dh;
    375 		struct hlist_node *n;
    376 
    377 		spin_lock_bh(&ht->lock);
    378 		hlist_for_each_entry_safe(dh, n, &ht->hash[i], node) {
    379 			if ((*select)(ht, dh))
    380 				dsthash_free(ht, dh);
    381 		}
    382 		spin_unlock_bh(&ht->lock);
    383 		cond_resched();
    384 	}
    385 }
    386 
    387 static void htable_gc(struct work_struct *work)
    388 {
    389 	struct xt_hashlimit_htable *ht;
    390 
    391 	ht = container_of(work, struct xt_hashlimit_htable, gc_work.work);
    392 
    393 	htable_selective_cleanup(ht, select_gc);
    394 
    395 	queue_delayed_work(system_power_efficient_wq,
    396 			   &ht->gc_work, msecs_to_jiffies(ht->cfg.gc_interval));
    397 }
    398 
    399 static void htable_remove_proc_entry(struct xt_hashlimit_htable *hinfo)
    400 {
    401 	struct hashlimit_net *hashlimit_net = hashlimit_pernet(hinfo->net);
    402 	struct proc_dir_entry *parent;
    403 
    404 	if (hinfo->family == NFPROTO_IPV4)
    405 		parent = hashlimit_net->ipt_hashlimit;
    406 	else
    407 		parent = hashlimit_net->ip6t_hashlimit;
    408 
    409 	if (parent != NULL)
    410 		remove_proc_entry(hinfo->name, parent);
    411 }
    412 
    413 static void htable_destroy(struct xt_hashlimit_htable *hinfo)
    414 {
    415 	cancel_delayed_work_sync(&hinfo->gc_work);
    416 	htable_remove_proc_entry(hinfo);
    417 	htable_selective_cleanup(hinfo, select_all);
    418 	kfree(hinfo->name);
    419 	vfree(hinfo);
    420 }
    421 
    422 static struct xt_hashlimit_htable *htable_find_get(struct net *net,
    423 						   const char *name,
    424 						   u_int8_t family)
    425 {
    426 	struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
    427 	struct xt_hashlimit_htable *hinfo;
    428 
    429 	hlist_for_each_entry(hinfo, &hashlimit_net->htables, node) {
    430 		if (!strcmp(name, hinfo->name) &&
    431 		    hinfo->family == family) {
    432 			hinfo->use++;
    433 			return hinfo;
    434 		}
    435 	}
    436 	return NULL;
    437 }
    438 
    439 static void htable_put(struct xt_hashlimit_htable *hinfo)
    440 {
    441 	mutex_lock(&hashlimit_mutex);
    442 	if (--hinfo->use == 0) {
    443 		hlist_del(&hinfo->node);
    444 		htable_destroy(hinfo);
    445 	}
    446 	mutex_unlock(&hashlimit_mutex);
    447 }
    448 
    449 /* The algorithm used is the Simple Token Bucket Filter (TBF)
    450  * see net/sched/sch_tbf.c in the linux source tree
    451  */
    452 
    453 /* Rusty: This is my (non-mathematically-inclined) understanding of
    454    this algorithm.  The `average rate' in jiffies becomes your initial
    455    amount of credit `credit' and the most credit you can ever have
    456    `credit_cap'.  The `peak rate' becomes the cost of passing the
    457    test, `cost'.
    458 
    459    `prev' tracks the last packet hit: you gain one credit per jiffy.
    460    If you get credit balance more than this, the extra credit is
    461    discarded.  Every time the match passes, you lose `cost' credits;
    462    if you don't have that many, the test fails.
    463 
    464    See Alexey's formal explanation in net/sched/sch_tbf.c.
    465 
    466    To get the maximum range, we multiply by this factor (ie. you get N
    467    credits per jiffy).  We want to allow a rate as low as 1 per day
    468    (slowest userspace tool allows), which means
    469    CREDITS_PER_JIFFY*HZ*60*60*24 < 2^32 ie.
    470 */
    471 #define MAX_CPJ_v1 (0xFFFFFFFF / (HZ*60*60*24))
    472 #define MAX_CPJ (0xFFFFFFFFFFFFFFFFULL / (HZ*60*60*24))
    473 
    474 /* Repeated shift and or gives us all 1s, final shift and add 1 gives
    475  * us the power of 2 below the theoretical max, so GCC simply does a
    476  * shift. */
    477 #define _POW2_BELOW2(x) ((x)|((x)>>1))
    478 #define _POW2_BELOW4(x) (_POW2_BELOW2(x)|_POW2_BELOW2((x)>>2))
    479 #define _POW2_BELOW8(x) (_POW2_BELOW4(x)|_POW2_BELOW4((x)>>4))
    480 #define _POW2_BELOW16(x) (_POW2_BELOW8(x)|_POW2_BELOW8((x)>>8))
    481 #define _POW2_BELOW32(x) (_POW2_BELOW16(x)|_POW2_BELOW16((x)>>16))
    482 #define _POW2_BELOW64(x) (_POW2_BELOW32(x)|_POW2_BELOW32((x)>>32))
    483 #define POW2_BELOW32(x) ((_POW2_BELOW32(x)>>1) + 1)
    484 #define POW2_BELOW64(x) ((_POW2_BELOW64(x)>>1) + 1)
    485 
    486 #define CREDITS_PER_JIFFY POW2_BELOW64(MAX_CPJ)
    487 #define CREDITS_PER_JIFFY_v1 POW2_BELOW32(MAX_CPJ_v1)
    488 
    489 /* in byte mode, the lowest possible rate is one packet/second.
    490  * credit_cap is used as a counter that tells us how many times we can
    491  * refill the "credits available" counter when it becomes empty.
    492  */
    493 #define MAX_CPJ_BYTES (0xFFFFFFFF / HZ)
    494 #define CREDITS_PER_JIFFY_BYTES POW2_BELOW32(MAX_CPJ_BYTES)
    495 
    496 static u32 xt_hashlimit_len_to_chunks(u32 len)
    497 {
    498 	return (len >> XT_HASHLIMIT_BYTE_SHIFT) + 1;
    499 }
    500 
    501 /* Precision saver. */
    502 static u64 user2credits(u64 user, int revision)
    503 {
    504 	u64 scale = (revision == 1) ?
    505 		XT_HASHLIMIT_SCALE : XT_HASHLIMIT_SCALE_v2;
    506 	u64 cpj = (revision == 1) ?
    507 		CREDITS_PER_JIFFY_v1 : CREDITS_PER_JIFFY;
    508 
    509 	/* Avoid overflow: divide the constant operands first */
    510 	if (scale >= HZ * cpj)
    511 		return div64_u64(user, div64_u64(scale, HZ * cpj));
    512 
    513 	return user * div64_u64(HZ * cpj, scale);
    514 }
    515 
    516 static u32 user2credits_byte(u32 user)
    517 {
    518 	u64 us = user;
    519 	us *= HZ * CREDITS_PER_JIFFY_BYTES;
    520 	return (u32) (us >> 32);
    521 }
    522 
    523 static u64 user2rate(u64 user)
    524 {
    525 	if (user != 0) {
    526 		return div64_u64(XT_HASHLIMIT_SCALE_v2, user);
    527 	} else {
    528 		pr_info_ratelimited("invalid rate from userspace: %llu\n",
    529 				    user);
    530 		return 0;
    531 	}
    532 }
    533 
    534 static u64 user2rate_bytes(u32 user)
    535 {
    536 	u64 r;
    537 
    538 	r = user ? U32_MAX / user : U32_MAX;
    539 	return (r - 1) << XT_HASHLIMIT_BYTE_SHIFT;
    540 }
    541 
    542 static void rateinfo_recalc(struct dsthash_ent *dh, unsigned long now,
    543 			    u32 mode, int revision)
    544 {
    545 	unsigned long delta = now - dh->rateinfo.prev;
    546 	u64 cap, cpj;
    547 
    548 	if (delta == 0)
    549 		return;
    550 
    551 	if (revision >= 3 && mode & XT_HASHLIMIT_RATE_MATCH) {
    552 		u64 interval = dh->rateinfo.interval * HZ;
    553 
    554 		if (delta < interval)
    555 			return;
    556 
    557 		dh->rateinfo.prev = now;
    558 		dh->rateinfo.prev_window =
    559 			((dh->rateinfo.current_rate * interval) >
    560 			 (delta * dh->rateinfo.rate));
    561 		dh->rateinfo.current_rate = 0;
    562 
    563 		return;
    564 	}
    565 
    566 	dh->rateinfo.prev = now;
    567 
    568 	if (mode & XT_HASHLIMIT_BYTES) {
    569 		u64 tmp = dh->rateinfo.credit;
    570 		dh->rateinfo.credit += CREDITS_PER_JIFFY_BYTES * delta;
    571 		cap = CREDITS_PER_JIFFY_BYTES * HZ;
    572 		if (tmp >= dh->rateinfo.credit) {/* overflow */
    573 			dh->rateinfo.credit = cap;
    574 			return;
    575 		}
    576 	} else {
    577 		cpj = (revision == 1) ?
    578 			CREDITS_PER_JIFFY_v1 : CREDITS_PER_JIFFY;
    579 		dh->rateinfo.credit += delta * cpj;
    580 		cap = dh->rateinfo.credit_cap;
    581 	}
    582 	if (dh->rateinfo.credit > cap)
    583 		dh->rateinfo.credit = cap;
    584 }
    585 
    586 static void rateinfo_init(struct dsthash_ent *dh,
    587 			  struct xt_hashlimit_htable *hinfo, int revision)
    588 {
    589 	dh->rateinfo.prev = jiffies;
    590 	if (revision >= 3 && hinfo->cfg.mode & XT_HASHLIMIT_RATE_MATCH) {
    591 		dh->rateinfo.prev_window = 0;
    592 		dh->rateinfo.current_rate = 0;
    593 		if (hinfo->cfg.mode & XT_HASHLIMIT_BYTES) {
    594 			dh->rateinfo.rate =
    595 				user2rate_bytes((u32)hinfo->cfg.avg);
    596 			if (hinfo->cfg.burst)
    597 				dh->rateinfo.burst =
    598 					hinfo->cfg.burst * dh->rateinfo.rate;
    599 			else
    600 				dh->rateinfo.burst = dh->rateinfo.rate;
    601 		} else {
    602 			dh->rateinfo.rate = user2rate(hinfo->cfg.avg);
    603 			dh->rateinfo.burst =
    604 				hinfo->cfg.burst + dh->rateinfo.rate;
    605 		}
    606 		dh->rateinfo.interval = hinfo->cfg.interval;
    607 	} else if (hinfo->cfg.mode & XT_HASHLIMIT_BYTES) {
    608 		dh->rateinfo.credit = CREDITS_PER_JIFFY_BYTES * HZ;
    609 		dh->rateinfo.cost = user2credits_byte(hinfo->cfg.avg);
    610 		dh->rateinfo.credit_cap = hinfo->cfg.burst;
    611 	} else {
    612 		dh->rateinfo.credit = user2credits(hinfo->cfg.avg *
    613 						   hinfo->cfg.burst, revision);
    614 		dh->rateinfo.cost = user2credits(hinfo->cfg.avg, revision);
    615 		dh->rateinfo.credit_cap = dh->rateinfo.credit;
    616 	}
    617 }
    618 
    619 static inline __be32 maskl(__be32 a, unsigned int l)
    620 {
    621 	return l ? htonl(ntohl(a) & ~0 << (32 - l)) : 0;
    622 }
    623 
    624 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
    625 static void hashlimit_ipv6_mask(__be32 *i, unsigned int p)
    626 {
    627 	switch (p) {
    628 	case 0 ... 31:
    629 		i[0] = maskl(i[0], p);
    630 		i[1] = i[2] = i[3] = 0;
    631 		break;
    632 	case 32 ... 63:
    633 		i[1] = maskl(i[1], p - 32);
    634 		i[2] = i[3] = 0;
    635 		break;
    636 	case 64 ... 95:
    637 		i[2] = maskl(i[2], p - 64);
    638 		i[3] = 0;
    639 		break;
    640 	case 96 ... 127:
    641 		i[3] = maskl(i[3], p - 96);
    642 		break;
    643 	case 128:
    644 		break;
    645 	}
    646 }
    647 #endif
    648 
    649 static int
    650 hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
    651 		   struct dsthash_dst *dst,
    652 		   const struct sk_buff *skb, unsigned int protoff)
    653 {
    654 	__be16 _ports[2], *ports;
    655 	u8 nexthdr;
    656 	int poff;
    657 
    658 	memset(dst, 0, sizeof(*dst));
    659 
    660 	switch (hinfo->family) {
    661 	case NFPROTO_IPV4:
    662 		if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP)
    663 			dst->ip.dst = maskl(ip_hdr(skb)->daddr,
    664 			              hinfo->cfg.dstmask);
    665 		if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SIP)
    666 			dst->ip.src = maskl(ip_hdr(skb)->saddr,
    667 			              hinfo->cfg.srcmask);
    668 
    669 		if (!(hinfo->cfg.mode &
    670 		      (XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_SPT)))
    671 			return 0;
    672 		nexthdr = ip_hdr(skb)->protocol;
    673 		break;
    674 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
    675 	case NFPROTO_IPV6:
    676 	{
    677 		__be16 frag_off;
    678 
    679 		if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DIP) {
    680 			memcpy(&dst->ip6.dst, &ipv6_hdr(skb)->daddr,
    681 			       sizeof(dst->ip6.dst));
    682 			hashlimit_ipv6_mask(dst->ip6.dst, hinfo->cfg.dstmask);
    683 		}
    684 		if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SIP) {
    685 			memcpy(&dst->ip6.src, &ipv6_hdr(skb)->saddr,
    686 			       sizeof(dst->ip6.src));
    687 			hashlimit_ipv6_mask(dst->ip6.src, hinfo->cfg.srcmask);
    688 		}
    689 
    690 		if (!(hinfo->cfg.mode &
    691 		      (XT_HASHLIMIT_HASH_DPT | XT_HASHLIMIT_HASH_SPT)))
    692 			return 0;
    693 		nexthdr = ipv6_hdr(skb)->nexthdr;
    694 		protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr, &frag_off);
    695 		if ((int)protoff < 0)
    696 			return -1;
    697 		break;
    698 	}
    699 #endif
    700 	default:
    701 		BUG();
    702 		return 0;
    703 	}
    704 
    705 	poff = proto_ports_offset(nexthdr);
    706 	if (poff >= 0) {
    707 		ports = skb_header_pointer(skb, protoff + poff, sizeof(_ports),
    708 					   &_ports);
    709 	} else {
    710 		_ports[0] = _ports[1] = 0;
    711 		ports = _ports;
    712 	}
    713 	if (!ports)
    714 		return -1;
    715 	if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_SPT)
    716 		dst->src_port = ports[0];
    717 	if (hinfo->cfg.mode & XT_HASHLIMIT_HASH_DPT)
    718 		dst->dst_port = ports[1];
    719 	return 0;
    720 }
    721 
    722 static u32 hashlimit_byte_cost(unsigned int len, struct dsthash_ent *dh)
    723 {
    724 	u64 tmp = xt_hashlimit_len_to_chunks(len);
    725 	tmp = tmp * dh->rateinfo.cost;
    726 
    727 	if (unlikely(tmp > CREDITS_PER_JIFFY_BYTES * HZ))
    728 		tmp = CREDITS_PER_JIFFY_BYTES * HZ;
    729 
    730 	if (dh->rateinfo.credit < tmp && dh->rateinfo.credit_cap) {
    731 		dh->rateinfo.credit_cap--;
    732 		dh->rateinfo.credit = CREDITS_PER_JIFFY_BYTES * HZ;
    733 	}
    734 	return (u32) tmp;
    735 }
    736 
    737 static bool
    738 hashlimit_mt_common(const struct sk_buff *skb, struct xt_action_param *par,
    739 		    struct xt_hashlimit_htable *hinfo,
    740 		    const struct hashlimit_cfg3 *cfg, int revision)
    741 {
    742 	unsigned long now = jiffies;
    743 	struct dsthash_ent *dh;
    744 	struct dsthash_dst dst;
    745 	bool race = false;
    746 	u64 cost;
    747 
    748 	if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
    749 		goto hotdrop;
    750 
    751 	local_bh_disable();
    752 	dh = dsthash_find(hinfo, &dst);
    753 	if (dh == NULL) {
    754 		dh = dsthash_alloc_init(hinfo, &dst, &race);
    755 		if (dh == NULL) {
    756 			local_bh_enable();
    757 			goto hotdrop;
    758 		} else if (race) {
    759 			/* Already got an entry, update expiration timeout */
    760 			dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
    761 			rateinfo_recalc(dh, now, hinfo->cfg.mode, revision);
    762 		} else {
    763 			dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
    764 			rateinfo_init(dh, hinfo, revision);
    765 		}
    766 	} else {
    767 		/* update expiration timeout */
    768 		dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
    769 		rateinfo_recalc(dh, now, hinfo->cfg.mode, revision);
    770 	}
    771 
    772 	if (cfg->mode & XT_HASHLIMIT_RATE_MATCH) {
    773 		cost = (cfg->mode & XT_HASHLIMIT_BYTES) ? skb->len : 1;
    774 		dh->rateinfo.current_rate += cost;
    775 
    776 		if (!dh->rateinfo.prev_window &&
    777 		    (dh->rateinfo.current_rate <= dh->rateinfo.burst)) {
    778 			spin_unlock(&dh->lock);
    779 			local_bh_enable();
    780 			return !(cfg->mode & XT_HASHLIMIT_INVERT);
    781 		} else {
    782 			goto overlimit;
    783 		}
    784 	}
    785 
    786 	if (cfg->mode & XT_HASHLIMIT_BYTES)
    787 		cost = hashlimit_byte_cost(skb->len, dh);
    788 	else
    789 		cost = dh->rateinfo.cost;
    790 
    791 	if (dh->rateinfo.credit >= cost) {
    792 		/* below the limit */
    793 		dh->rateinfo.credit -= cost;
    794 		spin_unlock(&dh->lock);
    795 		local_bh_enable();
    796 		return !(cfg->mode & XT_HASHLIMIT_INVERT);
    797 	}
    798 
    799 overlimit:
    800 	spin_unlock(&dh->lock);
    801 	local_bh_enable();
    802 	/* default match is underlimit - so over the limit, we need to invert */
    803 	return cfg->mode & XT_HASHLIMIT_INVERT;
    804 
    805  hotdrop:
    806 	par->hotdrop = true;
    807 	return false;
    808 }
    809 
    810 static bool
    811 hashlimit_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
    812 {
    813 	const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
    814 	struct xt_hashlimit_htable *hinfo = info->hinfo;
    815 	struct hashlimit_cfg3 cfg = {};
    816 	int ret;
    817 
    818 	ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
    819 	if (ret)
    820 		return ret;
    821 
    822 	return hashlimit_mt_common(skb, par, hinfo, &cfg, 1);
    823 }
    824 
    825 static bool
    826 hashlimit_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
    827 {
    828 	const struct xt_hashlimit_mtinfo2 *info = par->matchinfo;
    829 	struct xt_hashlimit_htable *hinfo = info->hinfo;
    830 	struct hashlimit_cfg3 cfg = {};
    831 	int ret;
    832 
    833 	ret = cfg_copy(&cfg, (void *)&info->cfg, 2);
    834 	if (ret)
    835 		return ret;
    836 
    837 	return hashlimit_mt_common(skb, par, hinfo, &cfg, 2);
    838 }
    839 
    840 static bool
    841 hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
    842 {
    843 	const struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
    844 	struct xt_hashlimit_htable *hinfo = info->hinfo;
    845 
    846 	return hashlimit_mt_common(skb, par, hinfo, &info->cfg, 3);
    847 }
    848 
    849 static int hashlimit_mt_check_common(const struct xt_mtchk_param *par,
    850 				     struct xt_hashlimit_htable **hinfo,
    851 				     struct hashlimit_cfg3 *cfg,
    852 				     const char *name, int revision)
    853 {
    854 	struct net *net = par->net;
    855 	int ret;
    856 
    857 	if (cfg->gc_interval == 0 || cfg->expire == 0)
    858 		return -EINVAL;
    859 	if (par->family == NFPROTO_IPV4) {
    860 		if (cfg->srcmask > 32 || cfg->dstmask > 32)
    861 			return -EINVAL;
    862 	} else {
    863 		if (cfg->srcmask > 128 || cfg->dstmask > 128)
    864 			return -EINVAL;
    865 	}
    866 
    867 	if (cfg->mode & ~XT_HASHLIMIT_ALL) {
    868 		pr_info_ratelimited("Unknown mode mask %X, kernel too old?\n",
    869 				    cfg->mode);
    870 		return -EINVAL;
    871 	}
    872 
    873 	/* Check for overflow. */
    874 	if (revision >= 3 && cfg->mode & XT_HASHLIMIT_RATE_MATCH) {
    875 		if (cfg->avg == 0 || cfg->avg > U32_MAX) {
    876 			pr_info_ratelimited("invalid rate\n");
    877 			return -ERANGE;
    878 		}
    879 
    880 		if (cfg->interval == 0) {
    881 			pr_info_ratelimited("invalid interval\n");
    882 			return -EINVAL;
    883 		}
    884 	} else if (cfg->mode & XT_HASHLIMIT_BYTES) {
    885 		if (user2credits_byte(cfg->avg) == 0) {
    886 			pr_info_ratelimited("overflow, rate too high: %llu\n",
    887 					    cfg->avg);
    888 			return -EINVAL;
    889 		}
    890 	} else if (cfg->burst == 0 ||
    891 		   user2credits(cfg->avg * cfg->burst, revision) <
    892 		   user2credits(cfg->avg, revision)) {
    893 		pr_info_ratelimited("overflow, try lower: %llu/%llu\n",
    894 				    cfg->avg, cfg->burst);
    895 		return -ERANGE;
    896 	}
    897 
    898 	mutex_lock(&hashlimit_mutex);
    899 	*hinfo = htable_find_get(net, name, par->family);
    900 	if (*hinfo == NULL) {
    901 		ret = htable_create(net, cfg, name, par->family,
    902 				    hinfo, revision);
    903 		if (ret < 0) {
    904 			mutex_unlock(&hashlimit_mutex);
    905 			return ret;
    906 		}
    907 	}
    908 	mutex_unlock(&hashlimit_mutex);
    909 
    910 	return 0;
    911 }
    912 
    913 static int hashlimit_mt_check_v1(const struct xt_mtchk_param *par)
    914 {
    915 	struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
    916 	struct hashlimit_cfg3 cfg = {};
    917 	int ret;
    918 
    919 	ret = xt_check_proc_name(info->name, sizeof(info->name));
    920 	if (ret)
    921 		return ret;
    922 
    923 	ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
    924 	if (ret)
    925 		return ret;
    926 
    927 	return hashlimit_mt_check_common(par, &info->hinfo,
    928 					 &cfg, info->name, 1);
    929 }
    930 
    931 static int hashlimit_mt_check_v2(const struct xt_mtchk_param *par)
    932 {
    933 	struct xt_hashlimit_mtinfo2 *info = par->matchinfo;
    934 	struct hashlimit_cfg3 cfg = {};
    935 	int ret;
    936 
    937 	ret = xt_check_proc_name(info->name, sizeof(info->name));
    938 	if (ret)
    939 		return ret;
    940 
    941 	ret = cfg_copy(&cfg, (void *)&info->cfg, 2);
    942 	if (ret)
    943 		return ret;
    944 
    945 	return hashlimit_mt_check_common(par, &info->hinfo,
    946 					 &cfg, info->name, 2);
    947 }
    948 
    949 static int hashlimit_mt_check(const struct xt_mtchk_param *par)
    950 {
    951 	struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
    952 	int ret;
    953 
    954 	ret = xt_check_proc_name(info->name, sizeof(info->name));
    955 	if (ret)
    956 		return ret;
    957 
    958 	return hashlimit_mt_check_common(par, &info->hinfo, &info->cfg,
    959 					 info->name, 3);
    960 }
    961 
    962 static void hashlimit_mt_destroy_v2(const struct xt_mtdtor_param *par)
    963 {
    964 	const struct xt_hashlimit_mtinfo2 *info = par->matchinfo;
    965 
    966 	htable_put(info->hinfo);
    967 }
    968 
    969 static void hashlimit_mt_destroy_v1(const struct xt_mtdtor_param *par)
    970 {
    971 	const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
    972 
    973 	htable_put(info->hinfo);
    974 }
    975 
    976 static void hashlimit_mt_destroy(const struct xt_mtdtor_param *par)
    977 {
    978 	const struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
    979 
    980 	htable_put(info->hinfo);
    981 }
    982 
    983 static struct xt_match hashlimit_mt_reg[] __read_mostly = {
    984 	{
    985 		.name           = "hashlimit",
    986 		.revision       = 1,
    987 		.family         = NFPROTO_IPV4,
    988 		.match          = hashlimit_mt_v1,
    989 		.matchsize      = sizeof(struct xt_hashlimit_mtinfo1),
    990 		.usersize	= offsetof(struct xt_hashlimit_mtinfo1, hinfo),
    991 		.checkentry     = hashlimit_mt_check_v1,
    992 		.destroy        = hashlimit_mt_destroy_v1,
    993 		.me             = THIS_MODULE,
    994 	},
    995 	{
    996 		.name           = "hashlimit",
    997 		.revision       = 2,
    998 		.family         = NFPROTO_IPV4,
    999 		.match          = hashlimit_mt_v2,
   1000 		.matchsize      = sizeof(struct xt_hashlimit_mtinfo2),
   1001 		.usersize	= offsetof(struct xt_hashlimit_mtinfo2, hinfo),
   1002 		.checkentry     = hashlimit_mt_check_v2,
   1003 		.destroy        = hashlimit_mt_destroy_v2,
   1004 		.me             = THIS_MODULE,
   1005 	},
   1006 	{
   1007 		.name           = "hashlimit",
   1008 		.revision       = 3,
   1009 		.family         = NFPROTO_IPV4,
   1010 		.match          = hashlimit_mt,
   1011 		.matchsize      = sizeof(struct xt_hashlimit_mtinfo3),
   1012 		.usersize	= offsetof(struct xt_hashlimit_mtinfo3, hinfo),
   1013 		.checkentry     = hashlimit_mt_check,
   1014 		.destroy        = hashlimit_mt_destroy,
   1015 		.me             = THIS_MODULE,
   1016 	},
   1017 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
   1018 	{
   1019 		.name           = "hashlimit",
   1020 		.revision       = 1,
   1021 		.family         = NFPROTO_IPV6,
   1022 		.match          = hashlimit_mt_v1,
   1023 		.matchsize      = sizeof(struct xt_hashlimit_mtinfo1),
   1024 		.usersize	= offsetof(struct xt_hashlimit_mtinfo1, hinfo),
   1025 		.checkentry     = hashlimit_mt_check_v1,
   1026 		.destroy        = hashlimit_mt_destroy_v1,
   1027 		.me             = THIS_MODULE,
   1028 	},
   1029 	{
   1030 		.name           = "hashlimit",
   1031 		.revision       = 2,
   1032 		.family         = NFPROTO_IPV6,
   1033 		.match          = hashlimit_mt_v2,
   1034 		.matchsize      = sizeof(struct xt_hashlimit_mtinfo2),
   1035 		.usersize	= offsetof(struct xt_hashlimit_mtinfo2, hinfo),
   1036 		.checkentry     = hashlimit_mt_check_v2,
   1037 		.destroy        = hashlimit_mt_destroy_v2,
   1038 		.me             = THIS_MODULE,
   1039 	},
   1040 	{
   1041 		.name           = "hashlimit",
   1042 		.revision       = 3,
   1043 		.family         = NFPROTO_IPV6,
   1044 		.match          = hashlimit_mt,
   1045 		.matchsize      = sizeof(struct xt_hashlimit_mtinfo3),
   1046 		.usersize	= offsetof(struct xt_hashlimit_mtinfo3, hinfo),
   1047 		.checkentry     = hashlimit_mt_check,
   1048 		.destroy        = hashlimit_mt_destroy,
   1049 		.me             = THIS_MODULE,
   1050 	},
   1051 #endif
   1052 };
   1053 
   1054 /* PROC stuff */
   1055 static void *dl_seq_start(struct seq_file *s, loff_t *pos)
   1056 	__acquires(htable->lock)
   1057 {
   1058 	struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
   1059 	unsigned int *bucket;
   1060 
   1061 	spin_lock_bh(&htable->lock);
   1062 	if (*pos >= htable->cfg.size)
   1063 		return NULL;
   1064 
   1065 	bucket = kmalloc(sizeof(unsigned int), GFP_ATOMIC);
   1066 	if (!bucket)
   1067 		return ERR_PTR(-ENOMEM);
   1068 
   1069 	*bucket = *pos;
   1070 	return bucket;
   1071 }
   1072 
   1073 static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos)
   1074 {
   1075 	struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
   1076 	unsigned int *bucket = v;
   1077 
   1078 	*pos = ++(*bucket);
   1079 	if (*pos >= htable->cfg.size) {
   1080 		kfree(v);
   1081 		return NULL;
   1082 	}
   1083 	return bucket;
   1084 }
   1085 
   1086 static void dl_seq_stop(struct seq_file *s, void *v)
   1087 	__releases(htable->lock)
   1088 {
   1089 	struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
   1090 	unsigned int *bucket = v;
   1091 
   1092 	if (!IS_ERR(bucket))
   1093 		kfree(bucket);
   1094 	spin_unlock_bh(&htable->lock);
   1095 }
   1096 
   1097 static void dl_seq_print(struct dsthash_ent *ent, u_int8_t family,
   1098 			 struct seq_file *s)
   1099 {
   1100 	switch (family) {
   1101 	case NFPROTO_IPV4:
   1102 		seq_printf(s, "%ld %pI4:%u->%pI4:%u %llu %llu %llu\n",
   1103 			   (long)(ent->expires - jiffies)/HZ,
   1104 			   &ent->dst.ip.src,
   1105 			   ntohs(ent->dst.src_port),
   1106 			   &ent->dst.ip.dst,
   1107 			   ntohs(ent->dst.dst_port),
   1108 			   ent->rateinfo.credit, ent->rateinfo.credit_cap,
   1109 			   ent->rateinfo.cost);
   1110 		break;
   1111 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
   1112 	case NFPROTO_IPV6:
   1113 		seq_printf(s, "%ld %pI6:%u->%pI6:%u %llu %llu %llu\n",
   1114 			   (long)(ent->expires - jiffies)/HZ,
   1115 			   &ent->dst.ip6.src,
   1116 			   ntohs(ent->dst.src_port),
   1117 			   &ent->dst.ip6.dst,
   1118 			   ntohs(ent->dst.dst_port),
   1119 			   ent->rateinfo.credit, ent->rateinfo.credit_cap,
   1120 			   ent->rateinfo.cost);
   1121 		break;
   1122 #endif
   1123 	default:
   1124 		BUG();
   1125 	}
   1126 }
   1127 
   1128 static int dl_seq_real_show_v2(struct dsthash_ent *ent, u_int8_t family,
   1129 			       struct seq_file *s)
   1130 {
   1131 	struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
   1132 
   1133 	spin_lock(&ent->lock);
   1134 	/* recalculate to show accurate numbers */
   1135 	rateinfo_recalc(ent, jiffies, ht->cfg.mode, 2);
   1136 
   1137 	dl_seq_print(ent, family, s);
   1138 
   1139 	spin_unlock(&ent->lock);
   1140 	return seq_has_overflowed(s);
   1141 }
   1142 
   1143 static int dl_seq_real_show_v1(struct dsthash_ent *ent, u_int8_t family,
   1144 			       struct seq_file *s)
   1145 {
   1146 	struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
   1147 
   1148 	spin_lock(&ent->lock);
   1149 	/* recalculate to show accurate numbers */
   1150 	rateinfo_recalc(ent, jiffies, ht->cfg.mode, 1);
   1151 
   1152 	dl_seq_print(ent, family, s);
   1153 
   1154 	spin_unlock(&ent->lock);
   1155 	return seq_has_overflowed(s);
   1156 }
   1157 
   1158 static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
   1159 			    struct seq_file *s)
   1160 {
   1161 	struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
   1162 
   1163 	spin_lock(&ent->lock);
   1164 	/* recalculate to show accurate numbers */
   1165 	rateinfo_recalc(ent, jiffies, ht->cfg.mode, 3);
   1166 
   1167 	dl_seq_print(ent, family, s);
   1168 
   1169 	spin_unlock(&ent->lock);
   1170 	return seq_has_overflowed(s);
   1171 }
   1172 
   1173 static int dl_seq_show_v2(struct seq_file *s, void *v)
   1174 {
   1175 	struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
   1176 	unsigned int *bucket = (unsigned int *)v;
   1177 	struct dsthash_ent *ent;
   1178 
   1179 	if (!hlist_empty(&htable->hash[*bucket])) {
   1180 		hlist_for_each_entry(ent, &htable->hash[*bucket], node)
   1181 			if (dl_seq_real_show_v2(ent, htable->family, s))
   1182 				return -1;
   1183 	}
   1184 	return 0;
   1185 }
   1186 
   1187 static int dl_seq_show_v1(struct seq_file *s, void *v)
   1188 {
   1189 	struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
   1190 	unsigned int *bucket = v;
   1191 	struct dsthash_ent *ent;
   1192 
   1193 	if (!hlist_empty(&htable->hash[*bucket])) {
   1194 		hlist_for_each_entry(ent, &htable->hash[*bucket], node)
   1195 			if (dl_seq_real_show_v1(ent, htable->family, s))
   1196 				return -1;
   1197 	}
   1198 	return 0;
   1199 }
   1200 
   1201 static int dl_seq_show(struct seq_file *s, void *v)
   1202 {
   1203 	struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
   1204 	unsigned int *bucket = v;
   1205 	struct dsthash_ent *ent;
   1206 
   1207 	if (!hlist_empty(&htable->hash[*bucket])) {
   1208 		hlist_for_each_entry(ent, &htable->hash[*bucket], node)
   1209 			if (dl_seq_real_show(ent, htable->family, s))
   1210 				return -1;
   1211 	}
   1212 	return 0;
   1213 }
   1214 
   1215 static const struct seq_operations dl_seq_ops_v1 = {
   1216 	.start = dl_seq_start,
   1217 	.next  = dl_seq_next,
   1218 	.stop  = dl_seq_stop,
   1219 	.show  = dl_seq_show_v1
   1220 };
   1221 
   1222 static const struct seq_operations dl_seq_ops_v2 = {
   1223 	.start = dl_seq_start,
   1224 	.next  = dl_seq_next,
   1225 	.stop  = dl_seq_stop,
   1226 	.show  = dl_seq_show_v2
   1227 };
   1228 
   1229 static const struct seq_operations dl_seq_ops = {
   1230 	.start = dl_seq_start,
   1231 	.next  = dl_seq_next,
   1232 	.stop  = dl_seq_stop,
   1233 	.show  = dl_seq_show
   1234 };
   1235 
   1236 static int __net_init hashlimit_proc_net_init(struct net *net)
   1237 {
   1238 	struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
   1239 
   1240 	hashlimit_net->ipt_hashlimit = proc_mkdir("ipt_hashlimit", net->proc_net);
   1241 	if (!hashlimit_net->ipt_hashlimit)
   1242 		return -ENOMEM;
   1243 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
   1244 	hashlimit_net->ip6t_hashlimit = proc_mkdir("ip6t_hashlimit", net->proc_net);
   1245 	if (!hashlimit_net->ip6t_hashlimit) {
   1246 		remove_proc_entry("ipt_hashlimit", net->proc_net);
   1247 		return -ENOMEM;
   1248 	}
   1249 #endif
   1250 	return 0;
   1251 }
   1252 
   1253 static void __net_exit hashlimit_proc_net_exit(struct net *net)
   1254 {
   1255 	struct xt_hashlimit_htable *hinfo;
   1256 	struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
   1257 
   1258 	/* hashlimit_net_exit() is called before hashlimit_mt_destroy().
   1259 	 * Make sure that the parent ipt_hashlimit and ip6t_hashlimit proc
   1260 	 * entries is empty before trying to remove it.
   1261 	 */
   1262 	mutex_lock(&hashlimit_mutex);
   1263 	hlist_for_each_entry(hinfo, &hashlimit_net->htables, node)
   1264 		htable_remove_proc_entry(hinfo);
   1265 	hashlimit_net->ipt_hashlimit = NULL;
   1266 	hashlimit_net->ip6t_hashlimit = NULL;
   1267 	mutex_unlock(&hashlimit_mutex);
   1268 
   1269 	remove_proc_entry("ipt_hashlimit", net->proc_net);
   1270 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
   1271 	remove_proc_entry("ip6t_hashlimit", net->proc_net);
   1272 #endif
   1273 }
   1274 
   1275 static int __net_init hashlimit_net_init(struct net *net)
   1276 {
   1277 	struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
   1278 
   1279 	INIT_HLIST_HEAD(&hashlimit_net->htables);
   1280 	return hashlimit_proc_net_init(net);
   1281 }
   1282 
   1283 static void __net_exit hashlimit_net_exit(struct net *net)
   1284 {
   1285 	hashlimit_proc_net_exit(net);
   1286 }
   1287 
   1288 static struct pernet_operations hashlimit_net_ops = {
   1289 	.init	= hashlimit_net_init,
   1290 	.exit	= hashlimit_net_exit,
   1291 	.id	= &hashlimit_net_id,
   1292 	.size	= sizeof(struct hashlimit_net),
   1293 };
   1294 
   1295 static int __init hashlimit_mt_init(void)
   1296 {
   1297 	int err;
   1298 
   1299 	err = register_pernet_subsys(&hashlimit_net_ops);
   1300 	if (err < 0)
   1301 		return err;
   1302 	err = xt_register_matches(hashlimit_mt_reg,
   1303 	      ARRAY_SIZE(hashlimit_mt_reg));
   1304 	if (err < 0)
   1305 		goto err1;
   1306 
   1307 	err = -ENOMEM;
   1308 	hashlimit_cachep = kmem_cache_create("xt_hashlimit",
   1309 					    sizeof(struct dsthash_ent), 0, 0,
   1310 					    NULL);
   1311 	if (!hashlimit_cachep) {
   1312 		pr_warn("unable to create slab cache\n");
   1313 		goto err2;
   1314 	}
   1315 	return 0;
   1316 
   1317 err2:
   1318 	xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg));
   1319 err1:
   1320 	unregister_pernet_subsys(&hashlimit_net_ops);
   1321 	return err;
   1322 
   1323 }
   1324 
   1325 static void __exit hashlimit_mt_exit(void)
   1326 {
   1327 	xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg));
   1328 	unregister_pernet_subsys(&hashlimit_net_ops);
   1329 
   1330 	rcu_barrier();
   1331 	kmem_cache_destroy(hashlimit_cachep);
   1332 }
   1333 
   1334 module_init(hashlimit_mt_init);
   1335 module_exit(hashlimit_mt_exit);