libnftnl  1.0.2
limit.c
1 /*
2  * (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License as published
6  * by the Free Software Foundation; either version 2 of the License, or
7  * (at your option) any later version.
8  *
9  * This code has been sponsored by Sophos Astaro <http://www.sophos.com>
10  */
11 
12 #include <stdio.h>
13 #include <stdint.h>
14 #include <inttypes.h>
15 #include <string.h>
16 #include <arpa/inet.h>
17 #include <errno.h>
18 #include <linux/netfilter/nf_tables.h>
19 
20 #include "internal.h"
21 #include <libmnl/libmnl.h>
22 #include <libnftnl/expr.h>
23 #include <libnftnl/rule.h>
24 #include "expr_ops.h"
25 
27  uint64_t rate;
28  uint64_t unit;
29 };
30 
31 static int
32 nft_rule_expr_limit_set(struct nft_rule_expr *e, uint16_t type,
33  const void *data, uint32_t data_len)
34 {
35  struct nft_expr_limit *limit = nft_expr_data(e);
36 
37  switch(type) {
38  case NFT_EXPR_LIMIT_RATE:
39  limit->rate = *((uint64_t *)data);
40  break;
41  case NFT_EXPR_LIMIT_UNIT:
42  limit->unit = *((uint64_t *)data);
43  break;
44  default:
45  return -1;
46  }
47  return 0;
48 }
49 
50 static const void *
51 nft_rule_expr_limit_get(const struct nft_rule_expr *e, uint16_t type,
52  uint32_t *data_len)
53 {
54  struct nft_expr_limit *limit = nft_expr_data(e);
55 
56  switch(type) {
57  case NFT_EXPR_LIMIT_RATE:
58  *data_len = sizeof(uint64_t);
59  return &limit->rate;
60  case NFT_EXPR_LIMIT_UNIT:
61  *data_len = sizeof(uint64_t);
62  return &limit->unit;
63  }
64  return NULL;
65 }
66 
67 static int nft_rule_expr_limit_cb(const struct nlattr *attr, void *data)
68 {
69  const struct nlattr **tb = data;
70  int type = mnl_attr_get_type(attr);
71 
72  if (mnl_attr_type_valid(attr, NFTA_LIMIT_MAX) < 0)
73  return MNL_CB_OK;
74 
75  switch(type) {
76  case NFTA_LIMIT_RATE:
77  case NFTA_LIMIT_UNIT:
78  if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0) {
79  perror("mnl_attr_validate");
80  return MNL_CB_ERROR;
81  }
82  break;
83  }
84 
85  tb[type] = attr;
86  return MNL_CB_OK;
87 }
88 
89 static void
90 nft_rule_expr_limit_build(struct nlmsghdr *nlh, struct nft_rule_expr *e)
91 {
92  struct nft_expr_limit *limit = nft_expr_data(e);
93 
94  if (e->flags & (1 << NFT_EXPR_LIMIT_RATE))
95  mnl_attr_put_u64(nlh, NFTA_LIMIT_RATE, htobe64(limit->rate));
96  if (e->flags & (1 << NFT_EXPR_LIMIT_UNIT))
97  mnl_attr_put_u64(nlh, NFTA_LIMIT_UNIT, htobe64(limit->unit));
98 }
99 
100 static int
101 nft_rule_expr_limit_parse(struct nft_rule_expr *e, struct nlattr *attr)
102 {
103  struct nft_expr_limit *limit = nft_expr_data(e);
104  struct nlattr *tb[NFTA_LIMIT_MAX+1] = {};
105 
106  if (mnl_attr_parse_nested(attr, nft_rule_expr_limit_cb, tb) < 0)
107  return -1;
108 
109  if (tb[NFTA_LIMIT_RATE]) {
110  limit->rate = be64toh(mnl_attr_get_u64(tb[NFTA_LIMIT_RATE]));
111  e->flags |= (1 << NFT_EXPR_LIMIT_RATE);
112  }
113  if (tb[NFTA_LIMIT_UNIT]) {
114  limit->unit = be64toh(mnl_attr_get_u64(tb[NFTA_LIMIT_UNIT]));
115  e->flags |= (1 << NFT_EXPR_LIMIT_UNIT);
116  }
117 
118  return 0;
119 }
120 
121 static int nft_rule_expr_limit_json_parse(struct nft_rule_expr *e, json_t *root,
122  struct nft_parse_err *err)
123 {
124 #ifdef JSON_PARSING
125  uint64_t uval64;
126 
127  if (nft_jansson_parse_val(root, "rate", NFT_TYPE_U64, &uval64, err) == 0)
128  nft_rule_expr_set_u64(e, NFT_EXPR_LIMIT_RATE, uval64);
129 
130  if (nft_jansson_parse_val(root, "unit", NFT_TYPE_U64, &uval64, err) == 0)
131  nft_rule_expr_set_u64(e, NFT_EXPR_LIMIT_UNIT, uval64);
132 
133  return 0;
134 #else
135  errno = EOPNOTSUPP;
136  return -1;
137 #endif
138 }
139 
140 static int nft_rule_expr_limit_xml_parse(struct nft_rule_expr *e,
141  mxml_node_t *tree,
142  struct nft_parse_err *err)
143 {
144 #ifdef XML_PARSING
145  uint64_t rate, unit;
146 
147  if (nft_mxml_num_parse(tree, "rate", MXML_DESCEND_FIRST, BASE_DEC,
148  &rate, NFT_TYPE_U64, NFT_XML_MAND, err) == 0)
149  nft_rule_expr_set_u64(e, NFT_EXPR_LIMIT_RATE, rate);
150 
151  if (nft_mxml_num_parse(tree, "unit", MXML_DESCEND_FIRST, BASE_DEC,
152  &unit, NFT_TYPE_U64, NFT_XML_MAND, err) == 0)
153  nft_rule_expr_set_u64(e, NFT_EXPR_LIMIT_UNIT, unit);
154 
155  return 0;
156 #else
157  errno = EOPNOTSUPP;
158  return -1;
159 #endif
160 }
161 
162 static const char *get_unit(uint64_t u)
163 {
164  switch (u) {
165  case 1: return "second";
166  case 60: return "minute";
167  case 60 * 60: return "hour";
168  case 60 * 60 * 24: return "day";
169  case 60 * 60 * 24 * 7: return "week";
170  }
171  return "error";
172 }
173 
174 static int nft_rule_expr_limit_snprintf_xml(char *buf, size_t len,
175  struct nft_rule_expr *e)
176 {
177  struct nft_expr_limit *limit = nft_expr_data(e);
178  int ret, size = len, offset = 0;
179 
180  if (e->flags & (1 << NFT_EXPR_LIMIT_RATE)) {
181  ret = snprintf(buf + offset, len, "<rate>%"PRIu64"</rate>",
182  limit->rate);
183  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
184  }
185  if (e->flags & (1 << NFT_EXPR_LIMIT_UNIT)) {
186  ret = snprintf(buf + offset, len, "<unit>%"PRIu64"</unit>",
187  limit->unit);
188  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
189  }
190 
191  return offset;
192 }
193 
194 static int nft_rule_expr_limit_snprintf_json(char *buf, size_t len,
195  struct nft_rule_expr *e)
196 {
197  struct nft_expr_limit *limit = nft_expr_data(e);
198  int ret, size = len, offset = 0;
199 
200  if (e->flags & (1 << NFT_EXPR_LIMIT_RATE)) {
201  ret = snprintf(buf + offset, len, "\"rate\":%"PRIu64",",
202  limit->rate);
203  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
204  }
205  if (e->flags & (1 << NFT_EXPR_LIMIT_UNIT)) {
206  ret = snprintf(buf + offset, len, "\"unit\":%"PRIu64",",
207  limit->unit);
208  SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
209  }
210 
211  /* Remove the last comma characther */
212  if (offset > 0)
213  offset--;
214 
215  return offset;
216 }
217 
218 static int nft_rule_expr_limit_snprintf_default(char *buf, size_t len,
219  struct nft_rule_expr *e)
220 {
221  struct nft_expr_limit *limit = nft_expr_data(e);
222 
223  return snprintf(buf, len, "rate %"PRIu64"/%s ",
224  limit->rate, get_unit(limit->unit));
225 }
226 
227 static int
228 nft_rule_expr_limit_snprintf(char *buf, size_t len, uint32_t type,
229  uint32_t flags, struct nft_rule_expr *e)
230 {
231 
232  switch(type) {
233  case NFT_OUTPUT_DEFAULT:
234  return nft_rule_expr_limit_snprintf_default(buf, len, e);
235  case NFT_OUTPUT_XML:
236  return nft_rule_expr_limit_snprintf_xml(buf, len, e);
237  case NFT_OUTPUT_JSON:
238  return nft_rule_expr_limit_snprintf_json(buf, len, e);
239  default:
240  break;
241  }
242  return -1;
243 }
244 
245 struct expr_ops expr_ops_limit = {
246  .name = "limit",
247  .alloc_len = sizeof(struct nft_expr_limit),
248  .max_attr = NFTA_LIMIT_MAX,
249  .set = nft_rule_expr_limit_set,
250  .get = nft_rule_expr_limit_get,
251  .parse = nft_rule_expr_limit_parse,
252  .build = nft_rule_expr_limit_build,
253  .snprintf = nft_rule_expr_limit_snprintf,
254  .xml_parse = nft_rule_expr_limit_xml_parse,
255  .json_parse = nft_rule_expr_limit_json_parse,
256 };
257 
258 static void __init expr_limit_init(void)
259 {
260  nft_expr_ops_register(&expr_ops_limit);
261 }