2 * Kernel iptables module to track stats for packets based on user tags.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
10 #ifndef __XT_QTAGUID_INTERNAL_H__
11 #define __XT_QTAGUID_INTERNAL_H__
13 #include <linux/types.h>
14 #include <linux/rbtree.h>
15 #include <linux/spinlock_types.h>
16 #include <linux/workqueue.h>
/*
 * Bit flags for qtaguid_debug_mask. MSK_DEBUG() below emits its pr_debug()
 * only when the corresponding bit is set at runtime, so each flag gates one
 * category of debug output.
 */
/* Used by IF_DEBUG(); presumably iface handling -- confirm against the .c */
#define IDEBUG_MASK (1<<0)
/* Iptable Matching. Per packet. */
#define MDEBUG_MASK (1<<1)
/* Red-black tree handling. Per packet. */
#define RDEBUG_MASK (1<<2)
/* procfs ctrl/stats handling */
#define CDEBUG_MASK (1<<3)
/* dev and resource tracking */
#define DDEBUG_MASK (1<<4)

/* Presumably the initial value of qtaguid_debug_mask (set in the .c file). */
/* E.g (IDEBUG_MASK | CDEBUG_MASK | DDEBUG_MASK) */
#define DEFAULT_DEBUG_MASK 0
33 * (Un)Define these *DEBUG to compile out/in the pr_debug calls.
34 * All undef: text size ~ 0x3030; all def: ~ 0x4404.
42 #define MSK_DEBUG(mask, ...) do { \
43 if (unlikely(qtaguid_debug_mask & (mask))) \
44 pr_debug(__VA_ARGS__); \
47 #define IF_DEBUG(...) MSK_DEBUG(IDEBUG_MASK, __VA_ARGS__)
49 #define IF_DEBUG(...) no_printk(__VA_ARGS__)
52 #define MT_DEBUG(...) MSK_DEBUG(MDEBUG_MASK, __VA_ARGS__)
54 #define MT_DEBUG(...) no_printk(__VA_ARGS__)
57 #define RB_DEBUG(...) MSK_DEBUG(RDEBUG_MASK, __VA_ARGS__)
59 #define RB_DEBUG(...) no_printk(__VA_ARGS__)
62 #define CT_DEBUG(...) MSK_DEBUG(CDEBUG_MASK, __VA_ARGS__)
64 #define CT_DEBUG(...) no_printk(__VA_ARGS__)
67 #define DR_DEBUG(...) MSK_DEBUG(DDEBUG_MASK, __VA_ARGS__)
69 #define DR_DEBUG(...) no_printk(__VA_ARGS__)
72 extern uint qtaguid_debug_mask;
74 /*---------------------------------------------------------------------------*/
78 * They represent what the data usage counters will be tracked against.
79 * By default a tag is just based on the UID.
80 * The UID is used as the base for policing, and cannot be ignored.
81 * So a tag will always at least represent a UID (uid_tag).
83 * A tag can be augmented with an "accounting tag" which is associated
85 * User space can set the acct_tag portion of the tag which is then used
86 * with sockets: all data belonging to that socket will be counted against the
87 * tag. The policing is then based on the tag's uid_tag portion,
88 * and stats are collected for the acct_tag portion separately.
91 * a: {acct_tag=1, uid_tag=10003}
92 * b: {acct_tag=2, uid_tag=10003}
93 * c: {acct_tag=3, uid_tag=10003}
94 * d: {acct_tag=0, uid_tag=10003}
95 * a, b, and c represent tags associated with specific sockets.
96 * d is for the totals for that uid, including all untagged traffic.
97 * Typically d is used with policing/quota rules.
99 * We want tag_t big enough to distinguish uid_t and acct_tag.
100 * It might become a struct if needed.
101 * Nothing should be using it as an int.
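typedef uint64_t tag_t; /* Only used via accessors */

/* Low 32 bits: uid_tag. High 32 bits: acct_tag. */
#define TAG_UID_MASK 0xFFFFFFFFULL
#define TAG_ACCT_MASK (~0xFFFFFFFFULL)

/*
 * Three-way compare of two tags as plain unsigned 64-bit values, which
 * orders by acct_tag (high bits) first and uid_tag (low bits) second.
 * Returns -1, 0 or 1 for t1 <, ==, > t2 respectively.
 */
static inline int tag_compare(tag_t t1, tag_t t2)
{
	if (t1 < t2)
		return -1;
	return t1 == t2 ? 0 : 1;
}

/*
 * Build a full tag from an accounting tag and a uid.
 * Only the acct_tag portion (TAG_ACCT_MASK) of acct_tag is used: masking
 * guarantees that an acct_tag with stray low bits cannot overwrite the
 * uid_tag portion, which is the base for policing. For a well-formed
 * acct_tag (valid_atag() true) the result is the same as a plain OR.
 */
static inline tag_t combine_atag_with_uid(tag_t acct_tag, uid_t uid)
{
	return (acct_tag & TAG_ACCT_MASK) | uid;
}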
117 static inline tag_t make_tag_from_uid(uid_t uid)
/* Extract the uid_tag portion (low 32 bits) of a tag as a uid_t. */
static inline uid_t get_uid_from_tag(tag_t tag)
{
	return (uid_t)(tag & TAG_UID_MASK);
}
/*
 * Same bits as get_uid_from_tag(), but kept in tag_t form: the tag with
 * its acct_tag portion cleared.
 */
static inline tag_t get_utag_from_tag(tag_t tag)
{
	tag_t utag = tag;

	utag &= TAG_UID_MASK;
	return utag;
}
/* The acct_tag portion (high 32 bits) of a tag, with the uid_tag cleared. */
static inline tag_t get_atag_from_tag(tag_t tag)
{
	tag_t atag = tag;

	atag &= TAG_ACCT_MASK;
	return atag;
}
/*
 * True when tag carries nothing in its uid_tag portion, i.e. it is a bare
 * acct_tag that can be combined with a uid without touching the uid bits.
 */
static inline bool valid_atag(tag_t tag)
{
	return (tag & TAG_UID_MASK) == 0;
}
/* Place a 32-bit user value into the acct_tag (high 32 bit) position. */
static inline tag_t make_atag_from_value(uint32_t value)
{
	tag_t atag = value;

	return atag << 32;
}
142 /*---------------------------------------------------------------------------*/
145 * Maximum number of socket tags that a UID is allowed to have active.
146 * Multiple processes belonging to the same UID contribute towards this limit.
147 * Special UIDs that can impersonate a UID also contribute (e.g. download
150 #define DEFAULT_MAX_SOCK_TAGS 1024
153 * For now we only track 2 sets of counters.
154 * The default set is 0.
155 * Userspace can activate another set for a given uid being tracked.
157 #define IFS_MAX_COUNTER_SETS 2
165 /* For now, TCP, UDP, the rest */
173 struct byte_packet_counters {
178 struct data_counters {
179 struct byte_packet_counters bpc[IFS_MAX_COUNTER_SETS][IFS_MAX_DIRECTIONS][IFS_MAX_PROTOS];
182 /* Generic X based nodes used as a base for rb_tree ops */
190 struct data_counters counters;
192 * If this tag is acct_tag based, we need to count against the
193 * matching parent uid_tag.
195 struct data_counters *parent_counters;
199 struct list_head list; /* in iface_stat_list */
202 /* net_dev is only valid for active iface_stat */
203 struct net_device *net_dev;
205 struct byte_packet_counters totals[IFS_MAX_DIRECTIONS];
207 * We keep the last_known, because some devices reset their counters
208 * just before NETDEV_UP, while some will reset just before
209 * NETDEV_REGISTER (which is more normal).
210 * So now, if the device didn't do a NETDEV_UNREGISTER and we see
211 * its current dev stats smaller than what was previously known, we
212 * assume an UNREGISTER and just use the last_known.
214 struct byte_packet_counters last_known[IFS_MAX_DIRECTIONS];
215 /* last_known is usable when last_known_valid is true */
216 bool last_known_valid;
218 struct proc_dir_entry *proc_ptr;
220 struct rb_root tag_stat_tree;
221 spinlock_t tag_stat_list_lock;
224 /* This is needed to create proc_dir_entries from atomic context. */
225 struct iface_stat_work {
226 struct work_struct iface_work;
227 struct iface_stat *iface_entry;
231 * Track tag that this socket is transferring data for, and not necessarily
232 * the uid that owns the socket.
233 * This is the tag against which tag_stat.counters will be billed.
234 * These structs need to be looked up by sock and pid.
237 struct rb_node sock_node;
238 struct sock *sk; /* Only used as a number, never dereferenced */
239 /* The socket is needed for sockfd_put() */
240 struct socket *socket;
241 /* Used to associate with a given pid */
242 struct list_head list; /* in proc_qtu_data.sock_tag_list */
248 struct qtaguid_event_counts {
249 /* Various successful events */
250 atomic64_t sockets_tagged;
251 atomic64_t sockets_untagged;
252 atomic64_t counter_set_changes;
253 atomic64_t delete_cmds;
254 atomic64_t iface_events; /* Number of NETDEV_* events handled */
256 atomic64_t match_calls; /* Number of times iptables called mt */
258 * match_found_sk_*: numbers related to the netfilter matching
259 * function finding a sock for the sk_buff.
260 * Total skbs processed is sum(match_found*).
262 atomic64_t match_found_sk; /* An sk was already in the sk_buff. */
263 /* The connection tracker had or didn't have the sk. */
264 atomic64_t match_found_sk_in_ct;
265 atomic64_t match_found_no_sk_in_ct;
267 * No sk could be found. No apparent owner. Could happen with
268 * unsolicited traffic.
270 atomic64_t match_no_sk;
272 * The file ptr in the sk_socket wasn't there.
273 * This might happen for traffic while the socket is being closed.
275 atomic64_t match_no_sk_file;
278 /* Track the set active_set for the given tag. */
279 struct tag_counter_set {
284 /*----------------------------------------------*/
286 * The qtu uid data is used to track resources that are created directly or
287 * indirectly by processes (uid tracked).
288 * It is shared by the processes with the same uid.
290 * Some of the resources will be counted to prevent further rogue allocations,
290 * some will need freeing once the owner process (uid) exits.
292 struct uid_tag_data {
297 * For the uid, how many accounting tags have been set.
300 /* Track the number of proc_qtu_data that reference it */
302 struct rb_root tag_ref_tree;
303 /* No tag_node_tree_lock; use uid_tag_data_tree_lock */
310 * This tracks the number of active sockets that have a tag on them
311 * which matches this tag_ref.tn.tag.
312 * A tag ref can live on after the sockets are untagged.
313 * A tag ref can only be removed during a tag delete command.
318 struct proc_qtu_data {
322 struct uid_tag_data *parent_tag_data;
324 /* Tracks the sock_tags that need freeing upon this proc's death */
325 struct list_head sock_tag_list;
326 /* No spinlock_t sock_tag_list_lock; use the global one. */
329 /*----------------------------------------------*/
330 #endif /* ifndef __XT_QTAGUID_INTERNAL_H__ */