From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.14 49/61] netfilter: nft_limit: fix packet ratelimiting
Date: Fri, 6 Jul 2018 07:47:13 +0200
Message-Id: <20180706054714.220952655@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180706054712.332416244@linuxfoundation.org>
References: <20180706054712.332416244@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Pablo Neira Ayuso

[ Upstream commit 3e0f64b7dd3149f75e8652ff1df56cffeedc8fc1 ]

Credit calculations for packet ratelimiting are not correct: with an applied ratelimit of 25/second and burst 8, a total of 33 packets should have been accepted. This is true in iptables (33) but not in nftables (~65).

For packet ratelimiting, use:

	div_u64(limit->nsecs, limit->rate) * limit->burst;

to calculate credit, just like iptables' xt_limit does.

Moreover, use the default burst from iptables; users are expecting similar behaviour.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman

--- net/netfilter/nft_limit.c | 38 ++++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 14 deletions(-) --- a/net/netfilter/nft_limit.c +++ b/net/netfilter/nft_limit.c @@ -51,10 +51,13 @@ static inline bool nft_limit_eval(struct return !limit->invert; } +/* Use same default as in iptables. */ +#define NFT_LIMIT_PKT_BURST_DEFAULT 5 + static int nft_limit_init(struct nft_limit *limit, - const struct nlattr * const tb[]) + const struct nlattr * const tb[], bool pkts) { - u64 unit; + u64 unit, tokens; if (tb[NFTA_LIMIT_RATE] == NULL || tb[NFTA_LIMIT_UNIT] == NULL)
@@ -68,18 +71,25 @@ static int nft_limit_init(struct nft_lim if (tb[NFTA_LIMIT_BURST]) limit->burst = ntohl(nla_get_be32(tb[NFTA_LIMIT_BURST])); - else - limit->burst = 0; + + if (pkts && limit->burst == 0) + limit->burst = NFT_LIMIT_PKT_BURST_DEFAULT; if (limit->rate + limit->burst < limit->rate) return -EOVERFLOW; - /* The token bucket size limits the number of tokens can be - * accumulated. tokens_max specifies the bucket size. - * tokens_max = unit * (rate + burst) / rate. - */ - limit->tokens = div_u64(limit->nsecs * (limit->rate + limit->burst), - limit->rate); + if (pkts) { + tokens = div_u64(limit->nsecs, limit->rate) * limit->burst; + } else { + /* The token bucket size limits the number of tokens can be + * accumulated. tokens_max specifies the bucket size. + * tokens_max = unit * (rate + burst) / rate. + */ + tokens = div_u64(limit->nsecs * (limit->rate + limit->burst), + limit->rate); + } + + limit->tokens = tokens; limit->tokens_max = limit->tokens; if (tb[NFTA_LIMIT_FLAGS]) { @@ -144,7 +154,7 @@ static int nft_limit_pkts_init(const str struct nft_limit_pkts *priv = nft_expr_priv(expr); int err; - err = nft_limit_init(&priv->limit, tb); + err = nft_limit_init(&priv->limit, tb, true); if (err < 0) return err; @@ -185,7 +195,7 @@ static int nft_limit_bytes_init(const st { struct nft_limit *priv = nft_expr_priv(expr); - return nft_limit_init(priv, tb); + return nft_limit_init(priv, tb, false); } static int nft_limit_bytes_dump(struct sk_buff *skb, @@ -246,7 +256,7 @@ static int nft_limit_obj_pkts_init(const struct nft_limit_pkts *priv = nft_obj_data(obj); int err; - err = nft_limit_init(&priv->limit, tb); + err = nft_limit_init(&priv->limit, tb, true); if (err < 0) return err; @@ -289,7 +299,7 @@ static int nft_limit_obj_bytes_init(cons { struct nft_limit *priv = nft_obj_data(obj); - return nft_limit_init(priv, tb); + return nft_limit_init(priv, tb, false); } static int nft_limit_obj_bytes_dump(struct sk_buff *skb,
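Review bot: in the first hunk (@@ -51,10 +51,13 @@) the new `bool pkts` parameter makes nft_limit_init() compute the bucket size two different ways, but nothing at the function says what the flag means; a short comment above `static int nft_limit_init(struct nft_limit *limit,` along the lines of "pkts: packet limit (xt_limit semantics) rather than byte limit" would spare readers a trip to the four call sites.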
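Review bot: in the second hunk (@@ -68,18 +71,25 @@) the default burst is keyed on the value, not on the attribute being absent: `if (pkts && limit->burst == 0)` runs after `limit->burst = ntohl(nla_get_be32(tb[NFTA_LIMIT_BURST]));`, so a packet limit configured with an explicit burst of 0 silently becomes burst 5; if that is intended, a comment should say so, otherwise the default belongs in the `else` branch this hunk removes. Two follow-ups on the same hunk: dropping `else limit->burst = 0;` means the bytes path now leaves `limit->burst` at whatever the private area held before init, which is only safe if that memory is guaranteed zeroed; and the retained `if (limit->rate + limit->burst < limit->rate) return -EOVERFLOW;` check guards the old sum but not the new product `div_u64(limit->nsecs, limit->rate) * limit->burst`, which can wrap in u64 for a long unit combined with a large burst, so an overflow check on that product is worth adding before it becomes tokens_max.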
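Review bot: in the call-site hunks (@@ -144,7 +154,7 @@, @@ -185,7 +195,7 @@, @@ -246,7 +256,7 @@ and @@ -289,7 +299,7 @@) the bare `true` / `false` literals in `nft_limit_init(&priv->limit, tb, true)` and `nft_limit_init(priv, tb, false)` do not tell a reader which mode is being selected; named values (an enum or two `#define`s for the packet and byte cases) would make the four callers self-describing.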
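The credit formulas the commit message compares, worked through as an added example that is not part of the patch or of the kernel source. It is a small user-space C model of the token-bucket arithmetic nft_limit_eval() uses (add elapsed nanoseconds as credit, cap at tokens_max, accept when one packet's cost fits), driven by a caller-supplied clock instead of ktime_get_ns(), with no locking and no invert flag; the struct and function names are the model's own. Feeding 1001 packets one millisecond apart (a constructed flood covering exactly one second) through a 25/second, burst 8 limiter gives 33 accepted packets with the new `nsecs / rate * burst` bucket size and 58 with the old `nsecs * (rate + burst) / rate` one; the commit's ~65 figure comes from a live measurement rather than this idealized schedule.

```c
/* Added illustration (not kernel code): a user-space model of the
 * nft_limit token bucket, comparing the old and new bucket-size
 * formulas from the commit message. Time is supplied by the caller in
 * nanoseconds; there is no locking and no invert flag. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000ULL
#define PKT_BURST_DEFAULT 5   /* the iptables default the patch adopts */

struct limit_model {
    uint64_t tokens;      /* current credit, in ns */
    uint64_t tokens_max;  /* bucket size, in ns */
    uint64_t last;        /* time of the previous evaluation, ns */
    uint64_t cost;        /* credit one packet consumes: nsecs / rate */
};

/* Old nft_limit formula: tokens_max = nsecs * (rate + burst) / rate.
 * For 25/s burst 8 this is 33 packets' worth of instant credit. */
uint64_t tokens_old(uint64_t nsecs, uint64_t rate, uint64_t burst)
{
    return nsecs * (rate + burst) / rate;
}

/* New formula (xt_limit's): tokens_max = (nsecs / rate) * burst,
 * i.e. exactly `burst` packets of instant credit. */
uint64_t tokens_new(uint64_t nsecs, uint64_t rate, uint64_t burst)
{
    return (nsecs / rate) * burst;
}

/* Packet-limit bucket size with the patch's default: a burst of 0
 * (attribute absent or explicitly 0) becomes PKT_BURST_DEFAULT. */
uint64_t pkt_bucket_size(uint64_t nsecs, uint64_t rate, uint64_t burst)
{
    if (burst == 0)
        burst = PKT_BURST_DEFAULT;
    return tokens_new(nsecs, rate, burst);
}

void limit_init(struct limit_model *m, uint64_t nsecs, uint64_t rate,
                uint64_t bucket_size)
{
    m->tokens = bucket_size;      /* the bucket starts full */
    m->tokens_max = bucket_size;
    m->last = 0;
    m->cost = nsecs / rate;       /* as nft_limit_pkts_init() derives cost */
}

/* Same arithmetic as nft_limit_eval(): add elapsed time as credit, cap
 * at the bucket size, accept if one packet's cost fits. */
bool limit_eval(struct limit_model *m, uint64_t now)
{
    uint64_t tokens = m->tokens + (now - m->last);

    if (tokens > m->tokens_max)
        tokens = m->tokens_max;
    m->last = now;
    if (tokens >= m->cost) {
        m->tokens = tokens - m->cost;
        return true;
    }
    m->tokens = tokens;
    return false;
}

/* Count the packets accepted out of `npkts` arrivals spaced `gap_ns`
 * apart, starting at t = 0, for a limiter of `rate` per second with
 * the given bucket size. */
unsigned count_accepted(uint64_t bucket_size, uint64_t rate,
                        unsigned npkts, uint64_t gap_ns)
{
    struct limit_model m;
    unsigned accepted = 0;

    limit_init(&m, NSEC_PER_SEC, rate, bucket_size);
    for (unsigned i = 0; i < npkts; i++)
        if (limit_eval(&m, (uint64_t)i * gap_ns))
            accepted++;
    return accepted;
}

int main(void)
{
    const uint64_t rate = 25, burst = 8;
    /* Constructed schedule: 1001 packets, 1 ms apart, covering one second. */
    unsigned old_ok = count_accepted(tokens_old(NSEC_PER_SEC, rate, burst),
                                     rate, 1001, 1000000ULL);
    unsigned new_ok = count_accepted(tokens_new(NSEC_PER_SEC, rate, burst),
                                     rate, 1001, 1000000ULL);

    printf("old formula: %u accepted\n", old_ok);   /* 58 */
    printf("new formula: %u accepted\n", new_ok);   /* 33 */
    return 0;
}
```

The model makes the shape of the bug visible: the old bucket size folds the steady-state rate into the burst allowance (33 packets of instant credit for "burst 8"), while the new one reserves exactly `burst` packets of instant credit and lets the refill supply the remaining 25 per second, which is what the 33-packet figure in the commit message and the iptables behaviour both correspond to.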