Negating limit

Negating limit

[Sven Anders]

[-- Attachment #1: Type: text/plain, Size: 1527 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello!

Here is a patch to allow a negated "limit", so we can match above and below the
limit.

It adds a new "flags" variable after the burst. I'm not sure, if I can add it
after the "*master" variable, so I added it here.
Does this preserve compatibility, because anything after is only used by the kernel?


struct xt_rateinfo {
        u_int32_t avg;    /* Average secs between packets * scale */
        u_int32_t burst;  /* Period multiplier for upper limit. */
        u_int8_t flags;   /* Match if, below or above limit? */

        /* Used internally by the kernel */
        unsigned long prev;
        u_int32_t credit;
        u_int32_t credit_cap, cost;

        /* Ugly, ugly fucker. */
        struct xt_rateinfo *master;
};

The patch is against 2.6.16.19.

Any comments? (I will post the patch for the iptables program, if I'm sure about
the position of the 'flags' variable...).


Regards
 Sven Anders

- --
 Sven Anders <anders@anduras.de>                 () Ascii Ribbon Campaign
                                                 /\ Support plain text e-mail
 ANDURAS service solutions AG
 Innstraße 71 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEhIvg5lKZ7Feg4EcRAvC9AJ4oZbEYNYPzvwO49W6q/Zsuc8kuXQCfYVLH
npQt1K4pX0O6LAG786GZixE=
=sehO
-----END PGP SIGNATURE-----

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: limit.patch --]
[-- Type: text/x-diff; name="limit.patch", Size: 3016 bytes --]

--- /usr/src/linux-2.6.16.19-vanilla/include/linux/netfilter/xt_limit.h	2006-05-31 02:31:44.000000000 +0200
+++ /usr/src/linux-2.6.16.19-patched/include/linux/netfilter/xt_limit.h	2006-06-05 21:34:06.942212274 +0200
@@ -4,11 +4,16 @@
 /* timings are in milliseconds. */
 #define XT_LIMIT_SCALE 10000
 
+/* invert match? */
+#define XT_LIMIT_MATCH_BELOW  0x00
+#define XT_LIMIT_MATCH_ABOVE  0x01
+
 /* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
    seconds, or one every 59 hours. */
 struct xt_rateinfo {
 	u_int32_t avg;    /* Average secs between packets * scale */
 	u_int32_t burst;  /* Period multiplier for upper limit. */
+	u_int8_t flags;   /* Match if, below or above limit? */
 
 	/* Used internally by the kernel */
 	unsigned long prev;
--- /usr/src/linux-2.6.16.19-vanilla/net/netfilter/xt_limit.c	2006-05-31 02:31:44.000000000 +0200
+++ /usr/src/linux-2.6.16.19-patched/net/netfilter/xt_limit.c	2006-06-05 21:34:42.631296000 +0200
@@ -3,7 +3,9 @@
  * 2 September 1999: Changed from the target RATE to the match
  *                   `limit', removed logging.  Did I mention that
  *                   Alexey is a fucking genius?
- *                   Rusty Russell (rusty@rustcorp.com.au).  */
+ *                   Rusty Russell (rusty@rustcorp.com.au).
+ * 8 September 2004: Added inversion, Sven Anders <anders@anduras.de>
+ */
 
 /* (C) 1999 Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
  * (C) 1999 Hervé Eychenne <eychenne@info.enserb.u-bordeaux.fr>
@@ -74,6 +76,7 @@
 		int *hotdrop)
 {
 	struct xt_rateinfo *r = ((struct xt_rateinfo *)matchinfo)->master;
+	struct xt_rateinfo *info = (struct xt_rateinfo *)matchinfo;
 	unsigned long now = jiffies;
 
 	spin_lock_bh(&limit_lock);
@@ -85,11 +88,11 @@
 		/* We're not limited. */
 		r->credit -= r->cost;
 		spin_unlock_bh(&limit_lock);
-		return 1;
+		return !(info->flags & XT_LIMIT_MATCH_ABOVE);
 	}
 
        	spin_unlock_bh(&limit_lock);
-	return 0;
+	return (info->flags & XT_LIMIT_MATCH_ABOVE);
 }
 
 /* Precision saver. */
--- /usr/src/linux-2.6.16.19-vanilla/include/linux/netfilter_ipv4/ipt_limit.h	2006-05-31 02:31:44.000000000 +0200
+++ /usr/src/linux-2.6.16.19-patched/include/linux/netfilter_ipv4/ipt_limit.h	2006-06-05 21:37:04.895726230 +0200
@@ -3,6 +3,8 @@
 
 #include <linux/netfilter/xt_limit.h>
 #define IPT_LIMIT_SCALE XT_LIMIT_SCALE
+#define IPT_LIMIT_MATCH_BELOW XT_LIMIT_MATCH_BELOW
+#define IPT_LIMIT_MATCH_ABOVE XT_LIMIT_MATCH_ABOVE
 #define ipt_rateinfo xt_rateinfo
 
 #endif /*_IPT_RATE_H*/
--- /usr/src/linux-2.6.16.19-vanilla/include/linux/netfilter_ipv6/ip6t_limit.h	2006-05-31 02:31:44.000000000 +0200
+++ /usr/src/linux-2.6.16.19-patched/include/linux/netfilter_ipv6/ip6t_limit.h	2006-06-05 21:38:36.307011415 +0200
@@ -3,6 +3,8 @@
 
 #include <linux/netfilter/xt_limit.h>
 #define IP6T_LIMIT_SCALE XT_LIMIT_SCALE
+#define IP6T_LIMIT_MATCH_BELOW XT_LIMIT_MATCH_BELOW
+#define IP6T_LIMIT_MATCH_ABOVE XT_LIMIT_MATCH_ABOVE
 #define ip6t_rateinfo xt_rateinfo
 
 #endif /*_IP6T_RATE_H*/

Re: Negating limit

[Sven Anders]

[-- Attachment #1: Type: text/plain, Size: 893 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

I found an old thread (Dec 2005) about the limit inversion problem.
Is the only problem that hinders the inclusion into the kernel the iptables
compatibility?
If so, what possibilities do exist to solve this problem?
(See my previous posting too please...)

Regards
 Sven Anders

- --
 Sven Anders <anders@anduras.de>                 () Ascii Ribbon Campaign
                                                 /\ Support plain text e-mail
 ANDURAS service solutions AG
 Innstraße 71 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEhpwm5lKZ7Feg4EcRAhc9AKCB5vB86BNc5NZWbHtQmXkEHWxEOgCeOJyH
msyyo54VZwihURPEz78vdaE=
=AtyV
-----END PGP SIGNATURE-----

Re: Negating limit

[Patrick McHardy]

Sven Anders wrote:
> Here is a patch to allow a negated "limit", so we can match above and below the
> limit.
> 
> It adds a new "flags" variable after the burst. I'm not sure, if I can add it
> after the "*master" variable, so I added it here.
> Does this preserve compatibility, because anything after is only used by the kernel?

No, unfortunately there is no way to add a new variable to that struct
without breaking compatibility. You could add a new revision, but I
would like to think about Massimiliano Hofer's patch before that,
if we do something like that we can get rid of the "master" pointer
with the new revision.

Re: Negating limit

[Sven Anders]

[-- Attachment #1: Type: text/plain, Size: 1780 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Patrick wrote:

>> Here is a patch to allow a negated "limit", so we can match above and below the
>> limit.
>>
>> It adds a new "flags" variable after the burst. I'm not sure, if I can add it
>> after the "*master" variable, so I added it here.
>> Does this preserve compatibility, because anything after is only used by the kernel?
> 
> No, unfortunately there is no way to add a new variable to that struct
> without breaking compatibility. You could add a new revision, but I
> would like to think about Massimiliano Hofer's patch before that,
> if we do something like that we can get rid of the "master" pointer
> with the new revision.

What do you mean with "new revision"? A new match named "limit2"?

Which of Massimiliano's patches do you mean? The "support for entry data" patch?

To understand correctly:

 Is it not possible under any circumstances to add new variables to a match info
 struct or is the problem the "master" variable?

 If so what is the "master" variable for?

 As far as I understand the size of the "match info struct" passed from the
 userspace must exactly match the size of the kernels "match info struct".
 Right?

Regards
 Sven Anders

- --
 Sven Anders <anders@anduras.de>                 () Ascii Ribbon Campaign
                                                 /\ Support plain text e-mail
 ANDURAS service solutions AG
 Innstraße 71 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEh+oQ5lKZ7Feg4EcRAvHeAJ9JD1tBGvLhZwETVaEpgj/KPZe3KACfcUhG
2/TN39WZ3JjJjwye4xW84i8=
=GIIo
-----END PGP SIGNATURE-----