
Commit 2b03bf7

Laura Garcia Liebanaummakynes
authored andcommitted
netfilter: nft_numgen: add number generation offset
Add support of an offset value for incremental counter and random. With this option the sysadmin is able to start the counter at a certain value and then apply the generated number. Example: meta mark set numgen inc mod 2 offset 100 This will generate marks with the series 100, 101, 100, 101, ... Suggested-by: Pablo Neira Ayuso <[email protected]> Signed-off-by: Laura Garcia Liebana <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent 14e2dee commit 2b03bf7


2 files changed

+28
-6
lines changed


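--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1136,12 +1136,14 @@ enum nft_trace_types {
 * @NFTA_NG_DREG: destination register (NLA_U32)
 * @NFTA_NG_MODULUS: maximum counter value (NLA_U32)
 * @NFTA_NG_TYPE: operation type (NLA_U32)
+* @NFTA_NG_OFFSET: offset to be added to the counter (NLA_U32)
 */
 enum nft_ng_attributes {
 NFTA_NG_UNSPEC,
 NFTA_NG_DREG,
 NFTA_NG_MODULUS,
 NFTA_NG_TYPE,
+NFTA_NG_OFFSET,
 __NFTA_NG_MAX
 };
 #define NFTA_NG_MAX (__NFTA_NG_MAX - 1)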

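--- a/net/netfilter/nft_numgen.c
+++ b/net/netfilter/nft_numgen.c
@@ -23,6 +23,7 @@ struct nft_ng_inc {
 enum nft_registers dreg:8;
 u32 modulus;
 atomic_t counter;
+u32 offset;
 };
 
 static void nft_ng_inc_eval(const struct nft_expr *expr,
@@ -37,13 +38,14 @@ static void nft_ng_inc_eval(const struct nft_expr *expr,
 nval = (oval + 1 < priv->modulus) ? oval + 1 : 0;
 } while (atomic_cmpxchg(&priv->counter, oval, nval) != oval);
 
-regs->data[priv->dreg] = nval;
+regs->data[priv->dreg] = nval + priv->offset;
 }
 
 static const struct nla_policy nft_ng_policy[NFTA_NG_MAX + 1] = {
 [NFTA_NG_DREG] = { .type = NLA_U32 },
 [NFTA_NG_MODULUS] = { .type = NLA_U32 },
 [NFTA_NG_TYPE] = { .type = NLA_U32 },
+[NFTA_NG_OFFSET] = { .type = NLA_U32 },
 };
 
 static int nft_ng_inc_init(const struct nft_ctx *ctx,
@@ -52,10 +54,16 @@ static int nft_ng_inc_init(const struct nft_ctx *ctx,
 {
 struct nft_ng_inc *priv = nft_expr_priv(expr);
 
+if (tb[NFTA_NG_OFFSET])
+priv->offset = ntohl(nla_get_be32(tb[NFTA_NG_OFFSET]));
+
 priv->modulus = ntohl(nla_get_be32(tb[NFTA_NG_MODULUS]));
 if (priv->modulus == 0)
 return -ERANGE;
 
+if (priv->offset + priv->modulus - 1 < priv->offset)
+return -EOVERFLOW;
+
 priv->dreg = nft_parse_register(tb[NFTA_NG_DREG]);
 atomic_set(&priv->counter, 0);
 
@@ -64,14 +72,16 @@ static int nft_ng_inc_init(const struct nft_ctx *ctx,
 }
 
 static int nft_ng_dump(struct sk_buff *skb, enum nft_registers dreg,
-u32 modulus, enum nft_ng_types type)
+u32 modulus, enum nft_ng_types type, u32 offset)
 {
 if (nft_dump_register(skb, NFTA_NG_DREG, dreg))
 goto nla_put_failure;
 if (nla_put_be32(skb, NFTA_NG_MODULUS, htonl(modulus)))
 goto nla_put_failure;
 if (nla_put_be32(skb, NFTA_NG_TYPE, htonl(type)))
 goto nla_put_failure;
+if (nla_put_be32(skb, NFTA_NG_OFFSET, htonl(offset)))
+goto nla_put_failure;
 
 return 0;
 
@@ -83,12 +93,14 @@ static int nft_ng_inc_dump(struct sk_buff *skb, const struct nft_expr *expr)
 {
 const struct nft_ng_inc *priv = nft_expr_priv(expr);
 
-return nft_ng_dump(skb, priv->dreg, priv->modulus, NFT_NG_INCREMENTAL);
+return nft_ng_dump(skb, priv->dreg, priv->modulus, NFT_NG_INCREMENTAL,
+priv->offset);
 }
 
 struct nft_ng_random {
 enum nft_registers dreg:8;
 u32 modulus;
+u32 offset;
 };
 
 static void nft_ng_random_eval(const struct nft_expr *expr,
@@ -97,9 +109,10 @@ static void nft_ng_random_eval(const struct nft_expr *expr,
 {
 struct nft_ng_random *priv = nft_expr_priv(expr);
 struct rnd_state *state = this_cpu_ptr(&nft_numgen_prandom_state);
+u32 val;
 
-regs->data[priv->dreg] = reciprocal_scale(prandom_u32_state(state),
-priv->modulus);
+val = reciprocal_scale(prandom_u32_state(state), priv->modulus);
+regs->data[priv->dreg] = val + priv->offset;
 }
 
 static int nft_ng_random_init(const struct nft_ctx *ctx,
@@ -108,10 +121,16 @@ static int nft_ng_random_init(const struct nft_ctx *ctx,
 {
 struct nft_ng_random *priv = nft_expr_priv(expr);
 
+if (tb[NFTA_NG_OFFSET])
+priv->offset = ntohl(nla_get_be32(tb[NFTA_NG_OFFSET]));
+
 priv->modulus = ntohl(nla_get_be32(tb[NFTA_NG_MODULUS]));
 if (priv->modulus == 0)
 return -ERANGE;
 
+if (priv->offset + priv->modulus - 1 < priv->offset)
+return -EOVERFLOW;
+
 prandom_init_once(&nft_numgen_prandom_state);
 
 priv->dreg = nft_parse_register(tb[NFTA_NG_DREG]);
@@ -124,7 +143,8 @@ static int nft_ng_random_dump(struct sk_buff *skb, const struct nft_expr *expr)
 {
 const struct nft_ng_random *priv = nft_expr_priv(expr);
 
-return nft_ng_dump(skb, priv->dreg, priv->modulus, NFT_NG_RANDOM);
+return nft_ng_dump(skb, priv->dreg, priv->modulus, NFT_NG_RANDOM,
+priv->offset);
 }
 
 static struct nft_expr_type nft_ng_type;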
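Review bot: priv->offset is written only when NFTA_NG_OFFSET is present, in nft_ng_inc_init (new lines 57-58) and again in nft_ng_random_init (new lines 124-125), yet the wrap check, both eval paths and nft_ng_dump read it unconditionally. That is safe only if the expression's private area is handed over zeroed, which these hunks do not show; if it were not, the dump would copy stale kernel memory to userspace in NFTA_NG_OFFSET. I would make the default explicit in both functions with `priv->offset = tb[NFTA_NG_OFFSET] ? ntohl(nla_get_be32(tb[NFTA_NG_OFFSET])) : 0;`. The `-EOVERFLOW` test also deserves a one-line comment such as `/* u32 wraparound: reject offset + modulus - 1 > U32_MAX */`, since its correctness depends on the preceding modulus == 0 rejection. Both init functions start and end outside their hunks, so whether NFTA_NG_MODULUS and NFTA_NG_DREG are checked for presence before being dereferenced could not be confirmed from this page.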
