* [PATCH 2.4] ipt_limit sync with 2.6.x
@ 2004-02-04  9:06 Harald Welte
  2004-02-05  7:27 ` David S. Miller
  2004-02-08 18:42 ` David S. Miller
  0 siblings, 2 replies; 3+ messages in thread
From: Harald Welte @ 2004-02-04  9:06 UTC (permalink / raw)
  To: David Miller; +Cc: Netfilter Development Mailinglist


[-- Attachment #1.1: Type: text/plain, Size: 701 bytes --]

Hi Dave!

could you please apply the patch from rusty's mail in the attachment?

It went in 2.6.x, but not 2.4.x.

It is not strictly needed on 2.4.x (at least not x86), but it's always
better to keep the code in sync.

The patch applies cleanly to 2.4.24 ipt_limit.c, I tested it a couple of
minutes ago.

Thanks.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #1.2: Type: message/rfc822, Size: 4929 bytes --]

From: Rusty Russell <rusty@rustcorp.com.au>
To: torvalds@transmeta.com
Cc: davem@redhat.com, coreteam@netfilter.org
Subject: [netfilter-core] [PATCH] ipt_limit fix for HZ=1000
Date: Thu, 09 Oct 2003 18:47:32 +1000
Message-ID: <20031009085114.E97F62C143@lists.samba.org>

The range that the iptables limit extension can specify depends on HZ.
This means that rules which worked on i386 2.4 (100 HZ) won't work on
2.6.

The solution is to adjust the precision based on the HZ value (keeping
the range of possible values the same).  For extra geek cred, this is
done by calculating a power-of-two constant below the maximum
multiplication factor, which gcc then turns into a simple shift.

---
Linus, please apply.

Name: ip_limit HZ Fix
Author: Rusty Russell
Status: Booted on 2.6.0-test4-bk6

D: The CREDITS_PER_JIFFY value should be set to the largest power of 2
D: which still allows a limit of 1 packet per day, without overflowing
D: 32-bits.  A value of 128 is NOT sufficient for that criterion with
D: HZ=1000.
D:
D:  https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=127

diff -urpN --exclude TAGS -X /home/rusty/devel/kernel/kernel-patches/current-dontdiff --minimal linux-2.6.0-test4-bk6/net/ipv4/netfilter/ipt_limit.c working-2.6.0-test4-bk6-tmp/net/ipv4/netfilter/ipt_limit.c
--- linux-2.6.0-test4-bk6/net/ipv4/netfilter/ipt_limit.c	2003-09-05 09:16:39.000000000 +1000
+++ working-2.6.0-test4-bk6-tmp/net/ipv4/netfilter/ipt_limit.c	2003-09-05 16:30:42.000000000 +1000
@@ -38,12 +38,23 @@ static spinlock_t limit_lock = SPIN_LOCK
 
    See Alexey's formal explanation in net/sched/sch_tbf.c.
 
-   To avoid underflow, we multiply by 128 (ie. you get 128 credits per
-   jiffy).  Hence a cost of 2^32-1, means one pass per 32768 seconds
-   at 1024HZ (or one every 9 hours).  A cost of 1 means 12800 passes
-   per second at 100HZ.  */
+   To get the maxmum range, we multiply by this factor (ie. you get N
+   credits per jiffy).  We want to allow a rate as low as 1 per day
+   (slowest userspace tool allows), which means
+   CREDITS_PER_JIFFY*HZ*60*60*24 < 2^32. ie. */
+#define MAX_CPJ (0xFFFFFFFF / (HZ*60*60*24))
 
-#define CREDITS_PER_JIFFY 128
+/* Repeated shift and or gives us all 1s, final shift and add 1 gives
+ * us the power of 2 below the theoretical max, so GCC simply does a
+ * shift. */
+#define _POW2_BELOW2(x) ((x)|((x)>>1))
+#define _POW2_BELOW4(x) (_POW2_BELOW2(x)|_POW2_BELOW2((x)>>2))
+#define _POW2_BELOW8(x) (_POW2_BELOW4(x)|_POW2_BELOW4((x)>>4))
+#define _POW2_BELOW16(x) (_POW2_BELOW8(x)|_POW2_BELOW8((x)>>8))
+#define _POW2_BELOW32(x) (_POW2_BELOW16(x)|_POW2_BELOW16((x)>>16))
+#define POW2_BELOW32(x) ((_POW2_BELOW32(x)>>1) + 1)
+
+#define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
 
 static int
 ipt_limit_match(const struct sk_buff *skb,
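Review bot: POW2_BELOW32(0) evaluates to (0>>1) + 1 = 1, so if MAX_CPJ ever truncates to 0 (HZ*60*60*24 larger than 0xFFFFFFFF) CREDITS_PER_JIFFY quietly becomes 1 and the bound stated in the comment above MAX_CPJ no longer holds; a compile-time check on MAX_CPJ next to its define would make that case fail loudly instead. Two documentation points in the same hunk: the new comment has a typo ("maxmum"), and "the power of 2 below" is really "at or below", since an exact power of two is returned unchanged. The old comment's worked numbers were dropped without replacement; stating the resulting values (256 at HZ=100, 32 at HZ=1000) and that the _POW2_BELOW* macros expand their argument many times and are meant for constants only would help the next reader.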
@@ -99,7 +110,7 @@ ipt_limit_checkentry(const char *tablena
 	/* Check for overflow. */
 	if (r->burst == 0
 	    || user2credits(r->avg * r->burst) < user2credits(r->avg)) {
-		printk("Call rusty: overflow in ipt_limit: %u/%u\n",
+		printk("Overflow in ipt_limit, try lower: %u/%u\n",
 		       r->avg, r->burst);
 		return 0;
 	}
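Review bot: the new message "Overflow in ipt_limit, try lower" is also printed when the first half of the condition, r->burst == 0, is what failed, and in that case lowering the values is not the fix; a separate message for the zero-burst case would avoid sending the administrator in the wrong direction. The printk also carries no KERN_ log level, which would be worth adding while the line is being touched.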


 
--
  Anyone who quotes me in their sig is an idiot. -- Rusty Russell.
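
The constant derivation described in the commit message, as an added example that is not part of the original mail or the kernel source. The macro chain is rewritten as a run-time function so that HZ can be varied; the names `pow2_below32`, `max_cpj`, `credits_per_jiffy` and `one_per_day_fits` are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY (60u * 60u * 24u)

/* Largest power of two <= x (returns 1 for x == 0, like the macro chain). */
static uint32_t pow2_below32(uint32_t x)
{
    x |= x >> 1;   /* smear the top set bit downwards ... */
    x |= x >> 2;
    x |= x >> 4;
    x |= x >> 8;
    x |= x >> 16;  /* ... until every lower bit is 1 */
    return (x >> 1) + 1;
}

/* MAX_CPJ from the patch, with HZ as a run-time parameter (assumption). */
static uint32_t max_cpj(uint32_t hz)
{
    return 0xFFFFFFFFu / (hz * SECS_PER_DAY);
}

static uint32_t credits_per_jiffy(uint32_t hz)
{
    return pow2_below32(max_cpj(hz));
}

/* Bound from the patch comment: cpj*HZ*60*60*24 < 2^32, in 64-bit math. */
static int one_per_day_fits(uint32_t cpj, uint32_t hz)
{
    return (uint64_t)cpj * hz * SECS_PER_DAY < ((uint64_t)1 << 32);
}

int main(void)
{
    /* HZ values chosen for illustration. */
    static const uint32_t hz_values[] = { 100, 250, 1000, 1024 };
    for (size_t i = 0; i < sizeof hz_values / sizeof hz_values[0]; i++) {
        uint32_t hz = hz_values[i];
        printf("HZ=%-4u old 128 fits: %d  new CPJ=%-3u fits: %d\n",
               (unsigned)hz, one_per_day_fits(128, hz),
               (unsigned)credits_per_jiffy(hz),
               one_per_day_fits(credits_per_jiffy(hz), hz));
    }
    return 0;
}
```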



* Re: [PATCH 2.4] ipt_limit sync with 2.6.x
  2004-02-04  9:06 [PATCH 2.4] ipt_limit sync with 2.6.x Harald Welte
@ 2004-02-05  7:27 ` David S. Miller
  2004-02-08 18:42 ` David S. Miller
  1 sibling, 0 replies; 3+ messages in thread
From: David S. Miller @ 2004-02-05  7:27 UTC (permalink / raw)
  To: Harald Welte; +Cc: netfilter-devel

On Wed, 4 Feb 2004 10:06:52 +0100
Harald Welte <laforge@netfilter.org> wrote:

> could you please apply the patch from rusty's mail in the attachment?
> 
> It went in 2.6.x, but not 2.4.x.
> 
> It is not strictly needed on 2.4.x (at least not x86), but it's always
> better to keep the code in sync.
> 
> The patch applies cleanly to 2.4.24 ipt_limit.c, I tested it a couple of
> minutes ago.

Applied, thanks Harald.


* Re: [PATCH 2.4] ipt_limit sync with 2.6.x
  2004-02-04  9:06 [PATCH 2.4] ipt_limit sync with 2.6.x Harald Welte
  2004-02-05  7:27 ` David S. Miller
@ 2004-02-08 18:42 ` David S. Miller
  1 sibling, 0 replies; 3+ messages in thread
From: David S. Miller @ 2004-02-08 18:42 UTC (permalink / raw)
  To: Harald Welte; +Cc: netfilter-devel

On Wed, 4 Feb 2004 10:06:52 +0100
Harald Welte <laforge@netfilter.org> wrote:

> could you please apply the patch from rusty's mail in the attachment?
> 
> It went in 2.6.x, but not 2.4.x.

Harald, this change is in Marcelo's 2.4.x BK tree already.
Maybe this mail of yours just got resent by accident.
