+4

include/linux/netfilter/Kbuild

reviewed

··· 1 1 + header-y += ipset/ 2 2 + 1 3 header-y += nf_conntrack_common.h 2 4 header-y += nf_conntrack_ftp.h 3 5 header-y += nf_conntrack_sctp.h ··· 37 35 header-y += xt_conntrack.h 38 36 header-y += xt_cpu.h 39 37 header-y += xt_dccp.h 38 38 + header-y += xt_devgroup.h 40 39 header-y += xt_dscp.h 41 40 header-y += xt_esp.h 42 41 header-y += xt_hashlimit.h ··· 58 55 header-y += xt_rateest.h 59 56 header-y += xt_realm.h 60 57 header-y += xt_recent.h 58 58 + header-y += xt_set.h 61 59 header-y += xt_sctp.h 62 60 header-y += xt_socket.h 63 61 header-y += xt_state.h

+4

include/linux/netfilter/ipset/Kbuild

reviewed

··· 1 1 + header-y += ip_set.h 2 2 + header-y += ip_set_bitmap.h 3 3 + header-y += ip_set_hash.h 4 4 + header-y += ip_set_list.h

+452

include/linux/netfilter/ipset/ip_set.h

reviewed

··· 1 1 + #ifndef _IP_SET_H 2 2 + #define _IP_SET_H 3 3 + 4 4 + /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> 5 5 + * Patrick Schaaf <bof@bof.de> 6 6 + * Martin Josefsson <gandalf@wlug.westbo.se> 7 7 + * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 8 8 + * 9 9 + * This program is free software; you can redistribute it and/or modify 10 10 + * it under the terms of the GNU General Public License version 2 as 11 11 + * published by the Free Software Foundation. 12 12 + */ 13 13 + 14 14 + /* The protocol version */ 15 15 + #define IPSET_PROTOCOL 6 16 16 + 17 17 + /* The max length of strings including NUL: set and type identifiers */ 18 18 + #define IPSET_MAXNAMELEN 32 19 19 + 20 20 + /* Message types and commands */ 21 21 + enum ipset_cmd { 22 22 + IPSET_CMD_NONE, 23 23 + IPSET_CMD_PROTOCOL, /* 1: Return protocol version */ 24 24 + IPSET_CMD_CREATE, /* 2: Create a new (empty) set */ 25 25 + IPSET_CMD_DESTROY, /* 3: Destroy a (empty) set */ 26 26 + IPSET_CMD_FLUSH, /* 4: Remove all elements from a set */ 27 27 + IPSET_CMD_RENAME, /* 5: Rename a set */ 28 28 + IPSET_CMD_SWAP, /* 6: Swap two sets */ 29 29 + IPSET_CMD_LIST, /* 7: List sets */ 30 30 + IPSET_CMD_SAVE, /* 8: Save sets */ 31 31 + IPSET_CMD_ADD, /* 9: Add an element to a set */ 32 32 + IPSET_CMD_DEL, /* 10: Delete an element from a set */ 33 33 + IPSET_CMD_TEST, /* 11: Test an element in a set */ 34 34 + IPSET_CMD_HEADER, /* 12: Get set header data only */ 35 35 + IPSET_CMD_TYPE, /* 13: Get set type */ 36 36 + IPSET_MSG_MAX, /* Netlink message commands */ 37 37 + 38 38 + /* Commands in userspace: */ 39 39 + IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */ 40 40 + IPSET_CMD_HELP, /* 15: Get help */ 41 41 + IPSET_CMD_VERSION, /* 16: Get program version */ 42 42 + IPSET_CMD_QUIT, /* 17: Quit from interactive mode */ 43 43 + 44 44 + IPSET_CMD_MAX, 45 45 + 46 46 + IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */ 47 47 + }; 48 48 + 49 49 + /* Attributes at command level */ 50 50 + enum { 51 51 + IPSET_ATTR_UNSPEC, 52 52 + IPSET_ATTR_PROTOCOL, /* 1: Protocol version */ 53 53 + IPSET_ATTR_SETNAME, /* 2: Name of the set */ 54 54 + IPSET_ATTR_TYPENAME, /* 3: Typename */ 55 55 + IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */ 56 56 + IPSET_ATTR_REVISION, /* 4: Settype revision */ 57 57 + IPSET_ATTR_FAMILY, /* 5: Settype family */ 58 58 + IPSET_ATTR_FLAGS, /* 6: Flags at command level */ 59 59 + IPSET_ATTR_DATA, /* 7: Nested attributes */ 60 60 + IPSET_ATTR_ADT, /* 8: Multiple data containers */ 61 61 + IPSET_ATTR_LINENO, /* 9: Restore lineno */ 62 62 + IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */ 63 63 + IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */ 64 64 + __IPSET_ATTR_CMD_MAX, 65 65 + }; 66 66 + #define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1) 67 67 + 68 68 + /* CADT specific attributes */ 69 69 + enum { 70 70 + IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1, 71 71 + IPSET_ATTR_IP_FROM = IPSET_ATTR_IP, 72 72 + IPSET_ATTR_IP_TO, /* 2 */ 73 73 + IPSET_ATTR_CIDR, /* 3 */ 74 74 + IPSET_ATTR_PORT, /* 4 */ 75 75 + IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT, 76 76 + IPSET_ATTR_PORT_TO, /* 5 */ 77 77 + IPSET_ATTR_TIMEOUT, /* 6 */ 78 78 + IPSET_ATTR_PROTO, /* 7 */ 79 79 + IPSET_ATTR_CADT_FLAGS, /* 8 */ 80 80 + IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ 81 81 + /* Reserve empty slots */ 82 82 + IPSET_ATTR_CADT_MAX = 16, 83 83 + /* Create-only specific attributes */ 84 84 + IPSET_ATTR_GC, 85 85 + IPSET_ATTR_HASHSIZE, 86 86 + IPSET_ATTR_MAXELEM, 87 87 + IPSET_ATTR_NETMASK, 88 88 + IPSET_ATTR_PROBES, 89 89 + IPSET_ATTR_RESIZE, 90 90 + IPSET_ATTR_SIZE, 91 91 + /* Kernel-only */ 92 92 + IPSET_ATTR_ELEMENTS, 93 93 + IPSET_ATTR_REFERENCES, 94 94 + IPSET_ATTR_MEMSIZE, 95 95 + 96 96 + __IPSET_ATTR_CREATE_MAX, 97 97 + }; 98 98 + #define IPSET_ATTR_CREATE_MAX (__IPSET_ATTR_CREATE_MAX - 1) 99 99 + 100 100 + /* ADT specific attributes */ 101 101 + enum { 102 102 + IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1, 103 103 + IPSET_ATTR_NAME, 104 104 + IPSET_ATTR_NAMEREF, 105 105 + IPSET_ATTR_IP2, 106 106 + IPSET_ATTR_CIDR2, 107 107 + __IPSET_ATTR_ADT_MAX, 108 108 + }; 109 109 + #define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1) 110 110 + 111 111 + /* IP specific attributes */ 112 112 + enum { 113 113 + IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1, 114 114 + IPSET_ATTR_IPADDR_IPV6, 115 115 + __IPSET_ATTR_IPADDR_MAX, 116 116 + }; 117 117 + #define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1) 118 118 + 119 119 + /* Error codes */ 120 120 + enum ipset_errno { 121 121 + IPSET_ERR_PRIVATE = 4096, 122 122 + IPSET_ERR_PROTOCOL, 123 123 + IPSET_ERR_FIND_TYPE, 124 124 + IPSET_ERR_MAX_SETS, 125 125 + IPSET_ERR_BUSY, 126 126 + IPSET_ERR_EXIST_SETNAME2, 127 127 + IPSET_ERR_TYPE_MISMATCH, 128 128 + IPSET_ERR_EXIST, 129 129 + IPSET_ERR_INVALID_CIDR, 130 130 + IPSET_ERR_INVALID_NETMASK, 131 131 + IPSET_ERR_INVALID_FAMILY, 132 132 + IPSET_ERR_TIMEOUT, 133 133 + IPSET_ERR_REFERENCED, 134 134 + IPSET_ERR_IPADDR_IPV4, 135 135 + IPSET_ERR_IPADDR_IPV6, 136 136 + 137 137 + /* Type specific error codes */ 138 138 + IPSET_ERR_TYPE_SPECIFIC = 4352, 139 139 + }; 140 140 + 141 141 + /* Flags at command level */ 142 142 + enum ipset_cmd_flags { 143 143 + IPSET_FLAG_BIT_EXIST = 0, 144 144 + IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST), 145 145 + }; 146 146 + 147 147 + /* Flags at CADT attribute level */ 148 148 + enum ipset_cadt_flags { 149 149 + IPSET_FLAG_BIT_BEFORE = 0, 150 150 + IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE), 151 151 + }; 152 152 + 153 153 + /* Commands with settype-specific attributes */ 154 154 + enum ipset_adt { 155 155 + IPSET_ADD, 156 156 + IPSET_DEL, 157 157 + IPSET_TEST, 158 158 + IPSET_ADT_MAX, 159 159 + IPSET_CREATE = IPSET_ADT_MAX, 160 160 + IPSET_CADT_MAX, 161 161 + }; 162 162 + 163 163 + #ifdef __KERNEL__ 164 164 + #include <linux/ip.h> 165 165 + #include <linux/ipv6.h> 166 166 + #include <linux/netlink.h> 167 167 + #include <linux/netfilter.h> 168 168 + #include <linux/vmalloc.h> 169 169 + #include <net/netlink.h> 170 170 + 171 171 + /* Sets are identified by an index in kernel space. Tweak with ip_set_id_t 172 172 + * and IPSET_INVALID_ID if you want to increase the max number of sets. 173 173 + */ 174 174 + typedef u16 ip_set_id_t; 175 175 + 176 176 + #define IPSET_INVALID_ID 65535 177 177 + 178 178 + enum ip_set_dim { 179 179 + IPSET_DIM_ZERO = 0, 180 180 + IPSET_DIM_ONE, 181 181 + IPSET_DIM_TWO, 182 182 + IPSET_DIM_THREE, 183 183 + /* Max dimension in elements. 184 184 + * If changed, new revision of iptables match/target is required. 185 185 + */ 186 186 + IPSET_DIM_MAX = 6, 187 187 + }; 188 188 + 189 189 + /* Option flags for kernel operations */ 190 190 + enum ip_set_kopt { 191 191 + IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO), 192 192 + IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE), 193 193 + IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO), 194 194 + IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE), 195 195 + }; 196 196 + 197 197 + /* Set features */ 198 198 + enum ip_set_feature { 199 199 + IPSET_TYPE_IP_FLAG = 0, 200 200 + IPSET_TYPE_IP = (1 << IPSET_TYPE_IP_FLAG), 201 201 + IPSET_TYPE_PORT_FLAG = 1, 202 202 + IPSET_TYPE_PORT = (1 << IPSET_TYPE_PORT_FLAG), 203 203 + IPSET_TYPE_MAC_FLAG = 2, 204 204 + IPSET_TYPE_MAC = (1 << IPSET_TYPE_MAC_FLAG), 205 205 + IPSET_TYPE_IP2_FLAG = 3, 206 206 + IPSET_TYPE_IP2 = (1 << IPSET_TYPE_IP2_FLAG), 207 207 + IPSET_TYPE_NAME_FLAG = 4, 208 208 + IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG), 209 209 + /* Strictly speaking not a feature, but a flag for dumping: 210 210 + * this settype must be dumped last */ 211 211 + IPSET_DUMP_LAST_FLAG = 7, 212 212 + IPSET_DUMP_LAST = (1 << IPSET_DUMP_LAST_FLAG), 213 213 + }; 214 214 + 215 215 + struct ip_set; 216 216 + 217 217 + typedef int (*ipset_adtfn)(struct ip_set *set, void *value, u32 timeout); 218 218 + 219 219 + /* Set type, variant-specific part */ 220 220 + struct ip_set_type_variant { 221 221 + /* Kernelspace: test/add/del entries 222 222 + * returns negative error code, 223 223 + * zero for no match/success to add/delete 224 224 + * positive for matching element */ 225 225 + int (*kadt)(struct ip_set *set, const struct sk_buff * skb, 226 226 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags); 227 227 + 228 228 + /* Userspace: test/add/del entries 229 229 + * returns negative error code, 230 230 + * zero for no match/success to add/delete 231 231 + * positive for matching element */ 232 232 + int (*uadt)(struct ip_set *set, struct nlattr *tb[], 233 233 + enum ipset_adt adt, u32 *lineno, u32 flags); 234 234 + 235 235 + /* Low level add/del/test functions */ 236 236 + ipset_adtfn adt[IPSET_ADT_MAX]; 237 237 + 238 238 + /* When adding entries and set is full, try to resize the set */ 239 239 + int (*resize)(struct ip_set *set, bool retried); 240 240 + /* Destroy the set */ 241 241 + void (*destroy)(struct ip_set *set); 242 242 + /* Flush the elements */ 243 243 + void (*flush)(struct ip_set *set); 244 244 + /* Expire entries before listing */ 245 245 + void (*expire)(struct ip_set *set); 246 246 + /* List set header data */ 247 247 + int (*head)(struct ip_set *set, struct sk_buff *skb); 248 248 + /* List elements */ 249 249 + int (*list)(const struct ip_set *set, struct sk_buff *skb, 250 250 + struct netlink_callback *cb); 251 251 + 252 252 + /* Return true if "b" set is the same as "a" 253 253 + * according to the create set parameters */ 254 254 + bool (*same_set)(const struct ip_set *a, const struct ip_set *b); 255 255 + }; 256 256 + 257 257 + /* The core set type structure */ 258 258 + struct ip_set_type { 259 259 + struct list_head list; 260 260 + 261 261 + /* Typename */ 262 262 + char name[IPSET_MAXNAMELEN]; 263 263 + /* Protocol version */ 264 264 + u8 protocol; 265 265 + /* Set features to control swapping */ 266 266 + u8 features; 267 267 + /* Set type dimension */ 268 268 + u8 dimension; 269 269 + /* Supported family: may be AF_UNSPEC for both AF_INET/AF_INET6 */ 270 270 + u8 family; 271 271 + /* Type revision */ 272 272 + u8 revision; 273 273 + 274 274 + /* Create set */ 275 275 + int (*create)(struct ip_set *set, struct nlattr *tb[], u32 flags); 276 276 + 277 277 + /* Attribute policies */ 278 278 + const struct nla_policy create_policy[IPSET_ATTR_CREATE_MAX + 1]; 279 279 + const struct nla_policy adt_policy[IPSET_ATTR_ADT_MAX + 1]; 280 280 + 281 281 + /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 282 282 + struct module *me; 283 283 + }; 284 284 + 285 285 + /* register and unregister set type */ 286 286 + extern int ip_set_type_register(struct ip_set_type *set_type); 287 287 + extern void ip_set_type_unregister(struct ip_set_type *set_type); 288 288 + 289 289 + /* A generic IP set */ 290 290 + struct ip_set { 291 291 + /* The name of the set */ 292 292 + char name[IPSET_MAXNAMELEN]; 293 293 + /* Lock protecting the set data */ 294 294 + rwlock_t lock; 295 295 + /* References to the set */ 296 296 + atomic_t ref; 297 297 + /* The core set type */ 298 298 + struct ip_set_type *type; 299 299 + /* The type variant doing the real job */ 300 300 + const struct ip_set_type_variant *variant; 301 301 + /* The actual INET family of the set */ 302 302 + u8 family; 303 303 + /* The type specific data */ 304 304 + void *data; 305 305 + }; 306 306 + 307 307 + /* register and unregister set references */ 308 308 + extern ip_set_id_t ip_set_get_byname(const char *name, struct ip_set **set); 309 309 + extern void ip_set_put_byindex(ip_set_id_t index); 310 310 + extern const char * ip_set_name_byindex(ip_set_id_t index); 311 311 + extern ip_set_id_t ip_set_nfnl_get(const char *name); 312 312 + extern ip_set_id_t ip_set_nfnl_get_byindex(ip_set_id_t index); 313 313 + extern void ip_set_nfnl_put(ip_set_id_t index); 314 314 + 315 315 + /* API for iptables set match, and SET target */ 316 316 + extern int ip_set_add(ip_set_id_t id, const struct sk_buff *skb, 317 317 + u8 family, u8 dim, u8 flags); 318 318 + extern int ip_set_del(ip_set_id_t id, const struct sk_buff *skb, 319 319 + u8 family, u8 dim, u8 flags); 320 320 + extern int ip_set_test(ip_set_id_t id, const struct sk_buff *skb, 321 321 + u8 family, u8 dim, u8 flags); 322 322 + 323 323 + /* Utility functions */ 324 324 + extern void * ip_set_alloc(size_t size); 325 325 + extern void ip_set_free(void *members); 326 326 + extern int ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr); 327 327 + extern int ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr); 328 328 + 329 329 + static inline int 330 330 + ip_set_get_hostipaddr4(struct nlattr *nla, u32 *ipaddr) 331 331 + { 332 332 + __be32 ip; 333 333 + int ret = ip_set_get_ipaddr4(nla, &ip); 334 334 + 335 335 + if (ret) 336 336 + return ret; 337 337 + *ipaddr = ntohl(ip); 338 338 + return 0; 339 339 + } 340 340 + 341 341 + /* Ignore IPSET_ERR_EXIST errors if asked to do so? */ 342 342 + static inline bool 343 343 + ip_set_eexist(int ret, u32 flags) 344 344 + { 345 345 + return ret == -IPSET_ERR_EXIST && (flags & IPSET_FLAG_EXIST); 346 346 + } 347 347 + 348 348 + /* Check the NLA_F_NET_BYTEORDER flag */ 349 349 + static inline bool 350 350 + ip_set_attr_netorder(struct nlattr *tb[], int type) 351 351 + { 352 352 + return tb[type] && (tb[type]->nla_type & NLA_F_NET_BYTEORDER); 353 353 + } 354 354 + 355 355 + static inline bool 356 356 + ip_set_optattr_netorder(struct nlattr *tb[], int type) 357 357 + { 358 358 + return !tb[type] || (tb[type]->nla_type & NLA_F_NET_BYTEORDER); 359 359 + } 360 360 + 361 361 + /* Useful converters */ 362 362 + static inline u32 363 363 + ip_set_get_h32(const struct nlattr *attr) 364 364 + { 365 365 + return ntohl(nla_get_be32(attr)); 366 366 + } 367 367 + 368 368 + static inline u16 369 369 + ip_set_get_h16(const struct nlattr *attr) 370 370 + { 371 371 + return ntohs(nla_get_be16(attr)); 372 372 + } 373 373 + 374 374 + #define ipset_nest_start(skb, attr) nla_nest_start(skb, attr | NLA_F_NESTED) 375 375 + #define ipset_nest_end(skb, start) nla_nest_end(skb, start) 376 376 + 377 377 + #define NLA_PUT_IPADDR4(skb, type, ipaddr) \ 378 378 + do { \ 379 379 + struct nlattr *__nested = ipset_nest_start(skb, type); \ 380 380 + \ 381 381 + if (!__nested) \ 382 382 + goto nla_put_failure; \ 383 383 + NLA_PUT_NET32(skb, IPSET_ATTR_IPADDR_IPV4, ipaddr); \ 384 384 + ipset_nest_end(skb, __nested); \ 385 385 + } while (0) 386 386 + 387 387 + #define NLA_PUT_IPADDR6(skb, type, ipaddrptr) \ 388 388 + do { \ 389 389 + struct nlattr *__nested = ipset_nest_start(skb, type); \ 390 390 + \ 391 391 + if (!__nested) \ 392 392 + goto nla_put_failure; \ 393 393 + NLA_PUT(skb, IPSET_ATTR_IPADDR_IPV6, \ 394 394 + sizeof(struct in6_addr), ipaddrptr); \ 395 395 + ipset_nest_end(skb, __nested); \ 396 396 + } while (0) 397 397 + 398 398 + /* Get address from skbuff */ 399 399 + static inline __be32 400 400 + ip4addr(const struct sk_buff *skb, bool src) 401 401 + { 402 402 + return src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr; 403 403 + } 404 404 + 405 405 + static inline void 406 406 + ip4addrptr(const struct sk_buff *skb, bool src, __be32 *addr) 407 407 + { 408 408 + *addr = src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr; 409 409 + } 410 410 + 411 411 + static inline void 412 412 + ip6addrptr(const struct sk_buff *skb, bool src, struct in6_addr *addr) 413 413 + { 414 414 + memcpy(addr, src ? &ipv6_hdr(skb)->saddr : &ipv6_hdr(skb)->daddr, 415 415 + sizeof(*addr)); 416 416 + } 417 417 + 418 418 + /* Calculate the bytes required to store the inclusive range of a-b */ 419 419 + static inline int 420 420 + bitmap_bytes(u32 a, u32 b) 421 421 + { 422 422 + return 4 * ((((b - a + 8) / 8) + 3) / 4); 423 423 + } 424 424 + 425 425 + /* Interface to iptables/ip6tables */ 426 426 + 427 427 + #define SO_IP_SET 83 428 428 + 429 429 + union ip_set_name_index { 430 430 + char name[IPSET_MAXNAMELEN]; 431 431 + ip_set_id_t index; 432 432 + }; 433 433 + 434 434 + #define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ 435 435 + struct ip_set_req_get_set { 436 436 + unsigned op; 437 437 + unsigned version; 438 438 + union ip_set_name_index set; 439 439 + }; 440 440 + 441 441 + #define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ 442 442 + /* Uses ip_set_req_get_set */ 443 443 + 444 444 + #define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ 445 445 + struct ip_set_req_version { 446 446 + unsigned op; 447 447 + unsigned version; 448 448 + }; 449 449 + 450 450 + #endif /* __KERNEL__ */ 451 451 + 452 452 + #endif /*_IP_SET_H */

+1074

include/linux/netfilter/ipset/ip_set_ahash.h

reviewed

··· 1 1 + #ifndef _IP_SET_AHASH_H 2 2 + #define _IP_SET_AHASH_H 3 3 + 4 4 + #include <linux/rcupdate.h> 5 5 + #include <linux/jhash.h> 6 6 + #include <linux/netfilter/ipset/ip_set_timeout.h> 7 7 + 8 8 + /* Hashing which uses arrays to resolve clashing. The hash table is resized 9 9 + * (doubled) when searching becomes too long. 10 10 + * Internally jhash is used with the assumption that the size of the 11 11 + * stored data is a multiple of sizeof(u32). If storage supports timeout, 12 12 + * the timeout field must be the last one in the data structure - that field 13 13 + * is ignored when computing the hash key. 14 14 + * 15 15 + * Readers and resizing 16 16 + * 17 17 + * Resizing can be triggered by userspace command only, and those 18 18 + * are serialized by the nfnl mutex. During resizing the set is 19 19 + * read-locked, so the only possible concurrent operations are 20 20 + * the kernel side readers. Those must be protected by proper RCU locking. 21 21 + */ 22 22 + 23 23 + /* Number of elements to store in an initial array block */ 24 24 + #define AHASH_INIT_SIZE 4 25 25 + /* Max number of elements to store in an array block */ 26 26 + #define AHASH_MAX_SIZE (3*4) 27 27 + 28 28 + /* A hash bucket */ 29 29 + struct hbucket { 30 30 + void *value; /* the array of the values */ 31 31 + u8 size; /* size of the array */ 32 32 + u8 pos; /* position of the first free entry */ 33 33 + }; 34 34 + 35 35 + /* The hash table: the table size stored here in order to make resizing easy */ 36 36 + struct htable { 37 37 + u8 htable_bits; /* size of hash table == 2^htable_bits */ 38 38 + struct hbucket bucket[0]; /* hashtable buckets */ 39 39 + }; 40 40 + 41 41 + #define hbucket(h, i) &((h)->bucket[i]) 42 42 + 43 43 + /* Book-keeping of the prefixes added to the set */ 44 44 + struct ip_set_hash_nets { 45 45 + u8 cidr; /* the different cidr values in the set */ 46 46 + u32 nets; /* number of elements per cidr */ 47 47 + }; 48 48 + 49 49 + /* The generic ip_set hash structure */ 50 50 + struct ip_set_hash { 51 51 + struct htable *table; /* the hash table */ 52 52 + u32 maxelem; /* max elements in the hash */ 53 53 + u32 elements; /* current element (vs timeout) */ 54 54 + u32 initval; /* random jhash init value */ 55 55 + u32 timeout; /* timeout value, if enabled */ 56 56 + struct timer_list gc; /* garbage collection when timeout enabled */ 57 57 + #ifdef IP_SET_HASH_WITH_NETMASK 58 58 + u8 netmask; /* netmask value for subnets to store */ 59 59 + #endif 60 60 + #ifdef IP_SET_HASH_WITH_NETS 61 61 + struct ip_set_hash_nets nets[0]; /* book-keeping of prefixes */ 62 62 + #endif 63 63 + }; 64 64 + 65 65 + /* Compute htable_bits from the user input parameter hashsize */ 66 66 + static u8 67 67 + htable_bits(u32 hashsize) 68 68 + { 69 69 + /* Assume that hashsize == 2^htable_bits */ 70 70 + u8 bits = fls(hashsize - 1); 71 71 + if (jhash_size(bits) != hashsize) 72 72 + /* Round up to the first 2^n value */ 73 73 + bits = fls(hashsize); 74 74 + 75 75 + return bits; 76 76 + } 77 77 + 78 78 + #ifdef IP_SET_HASH_WITH_NETS 79 79 + 80 80 + #define SET_HOST_MASK(family) (family == AF_INET ? 32 : 128) 81 81 + 82 82 + /* Network cidr size book keeping when the hash stores different 83 83 + * sized networks */ 84 84 + static void 85 85 + add_cidr(struct ip_set_hash *h, u8 cidr, u8 host_mask) 86 86 + { 87 87 + u8 i; 88 88 + 89 89 + ++h->nets[cidr-1].nets; 90 90 + 91 91 + pr_debug("add_cidr added %u: %u\n", cidr, h->nets[cidr-1].nets); 92 92 + 93 93 + if (h->nets[cidr-1].nets > 1) 94 94 + return; 95 95 + 96 96 + /* New cidr size */ 97 97 + for (i = 0; i < host_mask && h->nets[i].cidr; i++) { 98 98 + /* Add in increasing prefix order, so larger cidr first */ 99 99 + if (h->nets[i].cidr < cidr) 100 100 + swap(h->nets[i].cidr, cidr); 101 101 + } 102 102 + if (i < host_mask) 103 103 + h->nets[i].cidr = cidr; 104 104 + } 105 105 + 106 106 + static void 107 107 + del_cidr(struct ip_set_hash *h, u8 cidr, u8 host_mask) 108 108 + { 109 109 + u8 i; 110 110 + 111 111 + --h->nets[cidr-1].nets; 112 112 + 113 113 + pr_debug("del_cidr deleted %u: %u\n", cidr, h->nets[cidr-1].nets); 114 114 + 115 115 + if (h->nets[cidr-1].nets != 0) 116 116 + return; 117 117 + 118 118 + /* All entries with this cidr size deleted, so cleanup h->cidr[] */ 119 119 + for (i = 0; i < host_mask - 1 && h->nets[i].cidr; i++) { 120 120 + if (h->nets[i].cidr == cidr) 121 121 + h->nets[i].cidr = cidr = h->nets[i+1].cidr; 122 122 + } 123 123 + h->nets[i - 1].cidr = 0; 124 124 + } 125 125 + #endif 126 126 + 127 127 + /* Destroy the hashtable part of the set */ 128 128 + static void 129 129 + ahash_destroy(struct htable *t) 130 130 + { 131 131 + struct hbucket *n; 132 132 + u32 i; 133 133 + 134 134 + for (i = 0; i < jhash_size(t->htable_bits); i++) { 135 135 + n = hbucket(t, i); 136 136 + if (n->size) 137 137 + /* FIXME: use slab cache */ 138 138 + kfree(n->value); 139 139 + } 140 140 + 141 141 + ip_set_free(t); 142 142 + } 143 143 + 144 144 + /* Calculate the actual memory size of the set data */ 145 145 + static size_t 146 146 + ahash_memsize(const struct ip_set_hash *h, size_t dsize, u8 host_mask) 147 147 + { 148 148 + u32 i; 149 149 + struct htable *t = h->table; 150 150 + size_t memsize = sizeof(*h) 151 151 + + sizeof(*t) 152 152 + #ifdef IP_SET_HASH_WITH_NETS 153 153 + + sizeof(struct ip_set_hash_nets) * host_mask 154 154 + #endif 155 155 + + jhash_size(t->htable_bits) * sizeof(struct hbucket); 156 156 + 157 157 + for (i = 0; i < jhash_size(t->htable_bits); i++) 158 158 + memsize += t->bucket[i].size * dsize; 159 159 + 160 160 + return memsize; 161 161 + } 162 162 + 163 163 + /* Flush a hash type of set: destroy all elements */ 164 164 + static void 165 165 + ip_set_hash_flush(struct ip_set *set) 166 166 + { 167 167 + struct ip_set_hash *h = set->data; 168 168 + struct htable *t = h->table; 169 169 + struct hbucket *n; 170 170 + u32 i; 171 171 + 172 172 + for (i = 0; i < jhash_size(t->htable_bits); i++) { 173 173 + n = hbucket(t, i); 174 174 + if (n->size) { 175 175 + n->size = n->pos = 0; 176 176 + /* FIXME: use slab cache */ 177 177 + kfree(n->value); 178 178 + } 179 179 + } 180 180 + #ifdef IP_SET_HASH_WITH_NETS 181 181 + memset(h->nets, 0, sizeof(struct ip_set_hash_nets) 182 182 + * SET_HOST_MASK(set->family)); 183 183 + #endif 184 184 + h->elements = 0; 185 185 + } 186 186 + 187 187 + /* Destroy a hash type of set */ 188 188 + static void 189 189 + ip_set_hash_destroy(struct ip_set *set) 190 190 + { 191 191 + struct ip_set_hash *h = set->data; 192 192 + 193 193 + if (with_timeout(h->timeout)) 194 194 + del_timer_sync(&h->gc); 195 195 + 196 196 + ahash_destroy(h->table); 197 197 + kfree(h); 198 198 + 199 199 + set->data = NULL; 200 200 + } 201 201 + 202 202 + #define HKEY(data, initval, htable_bits) \ 203 203 + (jhash2((u32 *)(data), sizeof(struct type_pf_elem)/sizeof(u32), initval) \ 204 204 + & jhash_mask(htable_bits)) 205 205 + 206 206 + #endif /* _IP_SET_AHASH_H */ 207 207 + 208 208 + #define CONCAT(a, b, c) a##b##c 209 209 + #define TOKEN(a, b, c) CONCAT(a, b, c) 210 210 + 211 211 + /* Type/family dependent function prototypes */ 212 212 + 213 213 + #define type_pf_data_equal TOKEN(TYPE, PF, _data_equal) 214 214 + #define type_pf_data_isnull TOKEN(TYPE, PF, _data_isnull) 215 215 + #define type_pf_data_copy TOKEN(TYPE, PF, _data_copy) 216 216 + #define type_pf_data_zero_out TOKEN(TYPE, PF, _data_zero_out) 217 217 + #define type_pf_data_netmask TOKEN(TYPE, PF, _data_netmask) 218 218 + #define type_pf_data_list TOKEN(TYPE, PF, _data_list) 219 219 + #define type_pf_data_tlist TOKEN(TYPE, PF, _data_tlist) 220 220 + 221 221 + #define type_pf_elem TOKEN(TYPE, PF, _elem) 222 222 + #define type_pf_telem TOKEN(TYPE, PF, _telem) 223 223 + #define type_pf_data_timeout TOKEN(TYPE, PF, _data_timeout) 224 224 + #define type_pf_data_expired TOKEN(TYPE, PF, _data_expired) 225 225 + #define type_pf_data_timeout_set TOKEN(TYPE, PF, _data_timeout_set) 226 226 + 227 227 + #define type_pf_elem_add TOKEN(TYPE, PF, _elem_add) 228 228 + #define type_pf_add TOKEN(TYPE, PF, _add) 229 229 + #define type_pf_del TOKEN(TYPE, PF, _del) 230 230 + #define type_pf_test_cidrs TOKEN(TYPE, PF, _test_cidrs) 231 231 + #define type_pf_test TOKEN(TYPE, PF, _test) 232 232 + 233 233 + #define type_pf_elem_tadd TOKEN(TYPE, PF, _elem_tadd) 234 234 + #define type_pf_del_telem TOKEN(TYPE, PF, _ahash_del_telem) 235 235 + #define type_pf_expire TOKEN(TYPE, PF, _expire) 236 236 + #define type_pf_tadd TOKEN(TYPE, PF, _tadd) 237 237 + #define type_pf_tdel TOKEN(TYPE, PF, _tdel) 238 238 + #define type_pf_ttest_cidrs TOKEN(TYPE, PF, _ahash_ttest_cidrs) 239 239 + #define type_pf_ttest TOKEN(TYPE, PF, _ahash_ttest) 240 240 + 241 241 + #define type_pf_resize TOKEN(TYPE, PF, _resize) 242 242 + #define type_pf_tresize TOKEN(TYPE, PF, _tresize) 243 243 + #define type_pf_flush ip_set_hash_flush 244 244 + #define type_pf_destroy ip_set_hash_destroy 245 245 + #define type_pf_head TOKEN(TYPE, PF, _head) 246 246 + #define type_pf_list TOKEN(TYPE, PF, _list) 247 247 + #define type_pf_tlist TOKEN(TYPE, PF, _tlist) 248 248 + #define type_pf_same_set TOKEN(TYPE, PF, _same_set) 249 249 + #define type_pf_kadt TOKEN(TYPE, PF, _kadt) 250 250 + #define type_pf_uadt TOKEN(TYPE, PF, _uadt) 251 251 + #define type_pf_gc TOKEN(TYPE, PF, _gc) 252 252 + #define type_pf_gc_init TOKEN(TYPE, PF, _gc_init) 253 253 + #define type_pf_variant TOKEN(TYPE, PF, _variant) 254 254 + #define type_pf_tvariant TOKEN(TYPE, PF, _tvariant) 255 255 + 256 256 + /* Flavour without timeout */ 257 257 + 258 258 + /* Get the ith element from the array block n */ 259 259 + #define ahash_data(n, i) \ 260 260 + ((struct type_pf_elem *)((n)->value) + (i)) 261 261 + 262 262 + /* Add an element to the hash table when resizing the set: 263 263 + * we spare the maintenance of the internal counters. */ 264 264 + static int 265 265 + type_pf_elem_add(struct hbucket *n, const struct type_pf_elem *value) 266 266 + { 267 267 + if (n->pos >= n->size) { 268 268 + void *tmp; 269 269 + 270 270 + if (n->size >= AHASH_MAX_SIZE) 271 271 + /* Trigger rehashing */ 272 272 + return -EAGAIN; 273 273 + 274 274 + tmp = kzalloc((n->size + AHASH_INIT_SIZE) 275 275 + * sizeof(struct type_pf_elem), 276 276 + GFP_ATOMIC); 277 277 + if (!tmp) 278 278 + return -ENOMEM; 279 279 + if (n->size) { 280 280 + memcpy(tmp, n->value, 281 281 + sizeof(struct type_pf_elem) * n->size); 282 282 + kfree(n->value); 283 283 + } 284 284 + n->value = tmp; 285 285 + n->size += AHASH_INIT_SIZE; 286 286 + } 287 287 + type_pf_data_copy(ahash_data(n, n->pos++), value); 288 288 + return 0; 289 289 + } 290 290 + 291 291 + /* Resize a hash: create a new hash table with doubling the hashsize 292 292 + * and inserting the elements to it. Repeat until we succeed or 293 293 + * fail due to memory pressures. */ 294 294 + static int 295 295 + type_pf_resize(struct ip_set *set, bool retried) 296 296 + { 297 297 + struct ip_set_hash *h = set->data; 298 298 + struct htable *t, *orig = h->table; 299 299 + u8 htable_bits = orig->htable_bits; 300 300 + const struct type_pf_elem *data; 301 301 + struct hbucket *n, *m; 302 302 + u32 i, j; 303 303 + int ret; 304 304 + 305 305 + retry: 306 306 + ret = 0; 307 307 + htable_bits++; 308 308 + pr_debug("attempt to resize set %s from %u to %u, t %p\n", 309 309 + set->name, orig->htable_bits, htable_bits, orig); 310 310 + if (!htable_bits) 311 311 + /* In case we have plenty of memory :-) */ 312 312 + return -IPSET_ERR_HASH_FULL; 313 313 + t = ip_set_alloc(sizeof(*t) 314 314 + + jhash_size(htable_bits) * sizeof(struct hbucket)); 315 315 + if (!t) 316 316 + return -ENOMEM; 317 317 + t->htable_bits = htable_bits; 318 318 + 319 319 + read_lock_bh(&set->lock); 320 320 + for (i = 0; i < jhash_size(orig->htable_bits); i++) { 321 321 + n = hbucket(orig, i); 322 322 + for (j = 0; j < n->pos; j++) { 323 323 + data = ahash_data(n, j); 324 324 + m = hbucket(t, HKEY(data, h->initval, htable_bits)); 325 325 + ret = type_pf_elem_add(m, data); 326 326 + if (ret < 0) { 327 327 + read_unlock_bh(&set->lock); 328 328 + ahash_destroy(t); 329 329 + if (ret == -EAGAIN) 330 330 + goto retry; 331 331 + return ret; 332 332 + } 333 333 + } 334 334 + } 335 335 + 336 336 + rcu_assign_pointer(h->table, t); 337 337 + read_unlock_bh(&set->lock); 338 338 + 339 339 + /* Give time to other readers of the set */ 340 340 + synchronize_rcu_bh(); 341 341 + 342 342 + pr_debug("set %s resized from %u (%p) to %u (%p)\n", set->name, 343 343 + orig->htable_bits, orig, t->htable_bits, t); 344 344 + ahash_destroy(orig); 345 345 + 346 346 + return 0; 347 347 + } 348 348 + 349 349 + /* Add an element to a hash and update the internal counters when succeeded, 350 350 + * otherwise report the proper error code. */ 351 351 + static int 352 352 + type_pf_add(struct ip_set *set, void *value, u32 timeout) 353 353 + { 354 354 + struct ip_set_hash *h = set->data; 355 355 + struct htable *t; 356 356 + const struct type_pf_elem *d = value; 357 357 + struct hbucket *n; 358 358 + int i, ret = 0; 359 359 + u32 key; 360 360 + 361 361 + if (h->elements >= h->maxelem) 362 362 + return -IPSET_ERR_HASH_FULL; 363 363 + 364 364 + rcu_read_lock_bh(); 365 365 + t = rcu_dereference_bh(h->table); 366 366 + key = HKEY(value, h->initval, t->htable_bits); 367 367 + n = hbucket(t, key); 368 368 + for (i = 0; i < n->pos; i++) 369 369 + if (type_pf_data_equal(ahash_data(n, i), d)) { 370 370 + ret = -IPSET_ERR_EXIST; 371 371 + goto out; 372 372 + } 373 373 + 374 374 + ret = type_pf_elem_add(n, value); 375 375 + if (ret != 0) 376 376 + goto out; 377 377 + 378 378 + #ifdef IP_SET_HASH_WITH_NETS 379 379 + add_cidr(h, d->cidr, HOST_MASK); 380 380 + #endif 381 381 + h->elements++; 382 382 + out: 383 383 + rcu_read_unlock_bh(); 384 384 + return ret; 385 385 + } 386 386 + 387 387 + /* Delete an element from the hash: swap it with the last element 388 388 + * and free up space if possible. 389 389 + */ 390 390 + static int 391 391 + type_pf_del(struct ip_set *set, void *value, u32 timeout) 392 392 + { 393 393 + struct ip_set_hash *h = set->data; 394 394 + struct htable *t = h->table; 395 395 + const struct type_pf_elem *d = value; 396 396 + struct hbucket *n; 397 397 + int i; 398 398 + struct type_pf_elem *data; 399 399 + u32 key; 400 400 + 401 401 + key = HKEY(value, h->initval, t->htable_bits); 402 402 + n = hbucket(t, key); 403 403 + for (i = 0; i < n->pos; i++) { 404 404 + data = ahash_data(n, i); 405 405 + if (!type_pf_data_equal(data, d)) 406 406 + continue; 407 407 + if (i != n->pos - 1) 408 408 + /* Not last one */ 409 409 + type_pf_data_copy(data, ahash_data(n, n->pos - 1)); 410 410 + 411 411 + n->pos--; 412 412 + h->elements--; 413 413 + #ifdef IP_SET_HASH_WITH_NETS 414 414 + del_cidr(h, d->cidr, HOST_MASK); 415 415 + #endif 416 416 + if (n->pos + AHASH_INIT_SIZE < n->size) { 417 417 + void *tmp = kzalloc((n->size - AHASH_INIT_SIZE) 418 418 + * sizeof(struct type_pf_elem), 419 419 + GFP_ATOMIC); 420 420 + if (!tmp) 421 421 + return 0; 422 422 + n->size -= AHASH_INIT_SIZE; 423 423 + memcpy(tmp, n->value, 424 424 + n->size * sizeof(struct type_pf_elem)); 425 425 + kfree(n->value); 426 426 + n->value = tmp; 427 427 + } 428 428 + return 0; 429 429 + } 430 430 + 431 431 + return -IPSET_ERR_EXIST; 432 432 + } 433 433 + 434 434 + #ifdef IP_SET_HASH_WITH_NETS 435 435 + 436 436 + /* Special test function which takes into account the different network 437 437 + * sizes added to the set */ 438 438 + static int 439 439 + type_pf_test_cidrs(struct ip_set *set, struct type_pf_elem *d, u32 timeout) 440 440 + { 441 441 + struct ip_set_hash *h = set->data; 442 442 + struct htable *t = h->table; 443 443 + struct hbucket *n; 444 444 + const struct type_pf_elem *data; 445 445 + int i, j = 0; 446 446 + u32 key; 447 447 + u8 host_mask = SET_HOST_MASK(set->family); 448 448 + 449 449 + pr_debug("test by nets\n"); 450 450 + for (; j < host_mask && h->nets[j].cidr; j++) { 451 451 + type_pf_data_netmask(d, h->nets[j].cidr); 452 452 + key = HKEY(d, h->initval, t->htable_bits); 453 453 + n = hbucket(t, key); 454 454 + for (i = 0; i < n->pos; i++) { 455 455 + data = ahash_data(n, i); 456 456 + if (type_pf_data_equal(data, d)) 457 457 + return 1; 458 458 + } 459 459 + } 460 460 + return 0; 461 461 + } 462 462 + #endif 463 463 + 464 464 + /* Test whether the element is added to the set */ 465 465 + static int 466 466 + type_pf_test(struct ip_set *set, void *value, u32 timeout) 467 467 + { 468 468 + struct ip_set_hash *h = set->data; 469 469 + struct htable *t = h->table; 470 470 + struct type_pf_elem *d = value; 471 471 + struct hbucket *n; 472 472 + const struct type_pf_elem *data; 473 473 + int i; 474 474 + u32 key; 475 475 + 476 476 + #ifdef IP_SET_HASH_WITH_NETS 477 477 + /* If we test an IP address and not a network address, 478 478 + * try all possible network sizes */ 479 479 + if (d->cidr == SET_HOST_MASK(set->family)) 480 480 + return type_pf_test_cidrs(set, d, timeout); 481 481 + #endif 482 482 + 483 483 + key = HKEY(d, h->initval, t->htable_bits); 484 484 + n = hbucket(t, key); 485 485 + for (i = 0; i < n->pos; i++) { 486 486 + data = ahash_data(n, i); 487 487 + if (type_pf_data_equal(data, d)) 488 488 + return 1; 489 489 + } 490 490 + return 0; 491 491 + } 492 492 + 493 493 + /* Reply a HEADER request: fill out the header part of the set */ 494 494 + static int 495 495 + type_pf_head(struct ip_set *set, struct sk_buff *skb) 496 496 + { 497 497 + const struct ip_set_hash *h = set->data; 498 498 + struct nlattr *nested; 499 499 + size_t memsize; 500 500 + 501 501 + read_lock_bh(&set->lock); 502 502 + memsize = ahash_memsize(h, with_timeout(h->timeout) 503 503 + ? sizeof(struct type_pf_telem) 504 504 + : sizeof(struct type_pf_elem), 505 505 + set->family == AF_INET ? 32 : 128); 506 506 + read_unlock_bh(&set->lock); 507 507 + 508 508 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 509 509 + if (!nested) 510 510 + goto nla_put_failure; 511 511 + NLA_PUT_NET32(skb, IPSET_ATTR_HASHSIZE, 512 512 + htonl(jhash_size(h->table->htable_bits))); 513 513 + NLA_PUT_NET32(skb, IPSET_ATTR_MAXELEM, htonl(h->maxelem)); 514 514 + #ifdef IP_SET_HASH_WITH_NETMASK 515 515 + if (h->netmask != HOST_MASK) 516 516 + NLA_PUT_U8(skb, IPSET_ATTR_NETMASK, h->netmask); 517 517 + #endif 518 518 + NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, 519 519 + htonl(atomic_read(&set->ref) - 1)); 520 520 + NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize)); 521 521 + if (with_timeout(h->timeout)) 522 522 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(h->timeout)); 523 523 + ipset_nest_end(skb, nested); 524 524 + 525 525 + return 0; 526 526 + nla_put_failure: 527 527 + return -EMSGSIZE; 528 528 + } 529 529 + 530 530 + /* Reply a LIST/SAVE request: dump the elements of the specified set */ 531 531 + static int 532 532 + type_pf_list(const struct ip_set *set, 533 533 + struct sk_buff *skb, struct netlink_callback *cb) 534 534 + { 535 535 + const struct ip_set_hash *h = set->data; 536 536 + const struct htable *t = h->table; 537 537 + struct nlattr *atd, *nested; 538 538 + const struct hbucket *n; 539 539 + const struct type_pf_elem *data; 540 540 + u32 first = cb->args[2]; 541 541 + /* We assume that one hash bucket fills into one page */ 542 542 + void *incomplete; 543 543 + int i; 544 544 + 545 545 + atd = ipset_nest_start(skb, IPSET_ATTR_ADT); 546 546 + if (!atd) 547 547 + return -EMSGSIZE; 548 548 + pr_debug("list hash set %s\n", set->name); 549 549 + for (; cb->args[2] < jhash_size(t->htable_bits); cb->args[2]++) { 550 550 + incomplete = skb_tail_pointer(skb); 551 551 + n = hbucket(t, cb->args[2]); 552 552 + pr_debug("cb->args[2]: %lu, t %p n %p\n", cb->args[2], t, n); 553 553 + for (i = 0; i < n->pos; i++) { 554 554 + data = ahash_data(n, i); 555 555 + pr_debug("list hash %lu hbucket %p i %u, data %p\n", 556 556 + cb->args[2], n, i, data); 557 557 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 558 558 + if (!nested) { 559 559 + if (cb->args[2] == first) { 560 560 + nla_nest_cancel(skb, atd); 561 561 + return -EMSGSIZE; 562 562 + } else 563 563 + goto nla_put_failure; 564 564 + } 565 565 + if (type_pf_data_list(skb, data)) 566 566 + goto nla_put_failure; 567 567 + ipset_nest_end(skb, nested); 568 568 + } 569 569 + } 570 570 + ipset_nest_end(skb, atd); 571 571 + /* Set listing finished */ 572 572 + cb->args[2] = 0; 573 573 + 574 574 + return 0; 575 575 + 576 576 + nla_put_failure: 577 577 + nlmsg_trim(skb, incomplete); 578 578 + ipset_nest_end(skb, atd); 579 579 + if (unlikely(first == cb->args[2])) { 580 580 + pr_warning("Can't list set %s: one bucket does not fit into " 581 581 + "a message. Please report it!\n", set->name); 582 582 + cb->args[2] = 0; 583 583 + return -EMSGSIZE; 584 584 + } 585 585 + return 0; 586 586 + } 587 587 + 588 588 + static int 589 589 + type_pf_kadt(struct ip_set *set, const struct sk_buff * skb, 590 590 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags); 591 591 + static int 592 592 + type_pf_uadt(struct ip_set *set, struct nlattr *tb[], 593 593 + enum ipset_adt adt, u32 *lineno, u32 flags); 594 594 + 595 595 + static const struct ip_set_type_variant type_pf_variant = { 596 596 + .kadt = type_pf_kadt, 597 597 + .uadt = type_pf_uadt, 598 598 + .adt = { 599 599 + [IPSET_ADD] = type_pf_add, 600 600 + [IPSET_DEL] = type_pf_del, 601 601 + [IPSET_TEST] = type_pf_test, 602 602 + }, 603 603 + .destroy = type_pf_destroy, 604 604 + .flush = type_pf_flush, 605 605 + .head = type_pf_head, 606 606 + .list = type_pf_list, 607 607 + .resize = type_pf_resize, 608 608 + .same_set = type_pf_same_set, 609 609 + }; 610 610 + 611 611 + /* Flavour with timeout support */ 612 612 + 613 613 + #define ahash_tdata(n, i) \ 614 614 + (struct type_pf_elem *)((struct type_pf_telem *)((n)->value) + (i)) 615 615 + 616 616 + static inline u32 617 617 + type_pf_data_timeout(const struct type_pf_elem *data) 618 618 + { 619 619 + const struct type_pf_telem *tdata = 620 620 + (const struct type_pf_telem *) data; 621 621 + 622 622 + return tdata->timeout; 623 623 + } 624 624 + 625 625 + static inline bool 626 626 + type_pf_data_expired(const struct type_pf_elem *data) 627 627 + { 628 628 + const struct type_pf_telem *tdata = 629 629 + (const struct type_pf_telem *) data; 630 630 + 631 631 + return ip_set_timeout_expired(tdata->timeout); 632 632 + } 633 633 + 634 634 + static inline void 635 635 + type_pf_data_timeout_set(struct type_pf_elem *data, u32 timeout) 636 636 + { 637 637 + struct type_pf_telem *tdata = (struct type_pf_telem *) data; 638 638 + 639 639 + tdata->timeout = ip_set_timeout_set(timeout); 640 640 + } 641 641 + 642 642 + static int 643 643 + type_pf_elem_tadd(struct hbucket *n, const struct type_pf_elem *value, 644 644 + u32 timeout) 645 645 + { 646 646 + struct type_pf_elem *data; 647 647 + 648 648 + if (n->pos >= n->size) { 649 649 + void *tmp; 650 650 + 651 651 + if (n->size >= AHASH_MAX_SIZE) 652 652 + /* Trigger rehashing */ 653 653 + return -EAGAIN; 654 654 + 655 655 + tmp = kzalloc((n->size + AHASH_INIT_SIZE) 656 656 + * sizeof(struct type_pf_telem), 657 657 + GFP_ATOMIC); 658 658 + if (!tmp) 659 659 + return -ENOMEM; 660 660 + if (n->size) { 661 661 + memcpy(tmp, n->value, 662 662 + sizeof(struct type_pf_telem) * n->size); 663 663 + kfree(n->value); 664 664 + } 665 665 + n->value = tmp; 666 666 + n->size += AHASH_INIT_SIZE; 667 667 + } 668 668 + data = ahash_tdata(n, n->pos++); 669 669 + type_pf_data_copy(data, value); 670 670 + type_pf_data_timeout_set(data, timeout); 671 671 + return 0; 672 672 + } 673 673 + 674 674 + /* Delete expired elements from the hashtable */ 675 675 + static void 676 676 + type_pf_expire(struct ip_set_hash *h) 677 677 + { 678 678 + struct htable *t = h->table; 679 679 + struct hbucket *n; 680 680 + struct type_pf_elem *data; 681 681 + u32 i; 682 682 + int j; 683 683 + 684 684 + for (i = 0; i < jhash_size(t->htable_bits); i++) { 685 685 + n = hbucket(t, i); 686 686 + for (j = 0; j < n->pos; j++) { 687 687 + data = ahash_tdata(n, j); 688 688 + if (type_pf_data_expired(data)) { 689 689 + pr_debug("expired %u/%u\n", i, j); 690 690 + #ifdef IP_SET_HASH_WITH_NETS 691 691 + del_cidr(h, data->cidr, HOST_MASK); 692 692 + #endif 693 693 + if (j != n->pos - 1) 694 694 + /* Not last one */ 695 695 + type_pf_data_copy(data, 696 696 + ahash_tdata(n, n->pos - 1)); 697 697 + n->pos--; 698 698 + h->elements--; 699 699 + } 700 700 + } 701 701 + if (n->pos + AHASH_INIT_SIZE < n->size) { 702 702 + void *tmp = kzalloc((n->size - AHASH_INIT_SIZE) 703 703 + * sizeof(struct type_pf_telem), 704 704 + GFP_ATOMIC); 705 705 + if (!tmp) 706 706 + /* Still try to delete expired elements */ 707 707 + continue; 708 708 + n->size -= AHASH_INIT_SIZE; 709 709 + memcpy(tmp, n->value, 710 710 + n->size * sizeof(struct type_pf_telem)); 711 711 + kfree(n->value); 712 712 + n->value = tmp; 713 713 + } 714 714 + } 715 715 + } 716 716 + 717 717 + static int 718 718 + type_pf_tresize(struct ip_set *set, bool retried) 719 719 + { 720 720 + struct ip_set_hash *h = set->data; 721 721 + struct htable *t, *orig = h->table; 722 722 + u8 htable_bits = orig->htable_bits; 723 723 + const struct type_pf_elem *data; 724 724 + struct hbucket *n, *m; 725 725 + u32 i, j; 726 726 + int ret; 727 727 + 728 728 + /* Try to cleanup once */ 729 729 + if (!retried) { 730 730 + i = h->elements; 731 731 + write_lock_bh(&set->lock); 732 732 + type_pf_expire(set->data); 733 733 + write_unlock_bh(&set->lock); 734 734 + if (h->elements < i) 735 735 + return 0; 736 736 + } 737 737 + 738 738 + retry: 739 739 + ret = 0; 740 740 + htable_bits++; 741 741 + if (!htable_bits) 742 742 + /* In case we have plenty of memory :-) */ 743 743 + return -IPSET_ERR_HASH_FULL; 744 744 + t = ip_set_alloc(sizeof(*t) 745 745 + + jhash_size(htable_bits) * sizeof(struct hbucket)); 746 746 + if (!t) 747 747 + return -ENOMEM; 748 748 + t->htable_bits = htable_bits; 749 749 + 750 750 + read_lock_bh(&set->lock); 751 751 + for (i = 0; i < jhash_size(orig->htable_bits); i++) { 752 752 + n = hbucket(orig, i); 753 753 + for (j = 0; j < n->pos; j++) { 754 754 + data = ahash_tdata(n, j); 755 755 + m = hbucket(t, HKEY(data, h->initval, htable_bits)); 756 756 + ret = type_pf_elem_tadd(m, data, 757 757 + type_pf_data_timeout(data)); 758 758 + if (ret < 0) { 759 759 + read_unlock_bh(&set->lock); 760 760 + ahash_destroy(t); 761 761 + if (ret == -EAGAIN) 762 762 + goto retry; 763 763 + return ret; 764 764 + } 765 765 + } 766 766 + } 767 767 + 768 768 + rcu_assign_pointer(h->table, t); 769 769 + read_unlock_bh(&set->lock); 770 770 + 771 771 + /* Give time to other readers of the set */ 772 772 + synchronize_rcu_bh(); 773 773 + 774 774 + ahash_destroy(orig); 775 775 + 776 776 + return 0; 777 777 + } 778 778 + 779 779 + static int 780 780 + type_pf_tadd(struct ip_set *set, void *value, u32 timeout) 781 781 + { 782 782 + struct ip_set_hash *h = set->data; 783 783 + struct htable *t = h->table; 784 784 + const struct type_pf_elem *d = value; 785 785 + struct hbucket *n; 786 786 + struct type_pf_elem *data; 787 787 + int ret = 0, i, j = AHASH_MAX_SIZE + 1; 788 788 + u32 key; 789 789 + 790 790 + if (h->elements >= h->maxelem) 791 791 + /* FIXME: when set is full, we slow down here */ 792 792 + type_pf_expire(h); 793 793 + if (h->elements >= h->maxelem) 794 794 + return -IPSET_ERR_HASH_FULL; 795 795 + 796 796 + rcu_read_lock_bh(); 797 797 + t = rcu_dereference_bh(h->table); 798 798 + key = HKEY(d, h->initval, t->htable_bits); 799 799 + n = hbucket(t, key); 800 800 + for (i = 0; i < n->pos; i++) { 801 801 + data = ahash_tdata(n, i); 802 802 + if (type_pf_data_equal(data, d)) { 803 803 + if (type_pf_data_expired(data)) 804 804 + j = i; 805 805 + else { 806 806 + ret = -IPSET_ERR_EXIST; 807 807 + goto out; 808 808 + } 809 809 + } else if (j == AHASH_MAX_SIZE + 1 && 810 810 + type_pf_data_expired(data)) 811 811 + j = i; 812 812 + } 813 813 + if (j != AHASH_MAX_SIZE + 1) { 814 814 + data = ahash_tdata(n, j); 815 815 + #ifdef IP_SET_HASH_WITH_NETS 816 816 + del_cidr(h, data->cidr, HOST_MASK); 817 817 + add_cidr(h, d->cidr, HOST_MASK); 818 818 + #endif 819 819 + type_pf_data_copy(data, d); 820 820 + type_pf_data_timeout_set(data, timeout); 821 821 + goto out; 822 822 + } 823 823 + ret = type_pf_elem_tadd(n, d, timeout); 824 824 + if (ret != 0) 825 825 + goto out; 826 826 + 827 827 + #ifdef IP_SET_HASH_WITH_NETS 828 828 + add_cidr(h, d->cidr, HOST_MASK); 829 829 + #endif 830 830 + h->elements++; 831 831 + out: 832 832 + rcu_read_unlock_bh(); 833 833 + return ret; 834 834 + } 835 835 + 836 836 + static int 837 837 + type_pf_tdel(struct ip_set *set, void *value, u32 timeout) 838 838 + { 839 839 + struct ip_set_hash *h = set->data; 840 840 + struct htable *t = h->table; 841 841 + const struct type_pf_elem *d = value; 842 842 + struct hbucket *n; 843 843 + int i, ret = 0; 844 844 + struct type_pf_elem *data; 845 845 + u32 key; 846 846 + 847 847 + key = HKEY(value, h->initval, t->htable_bits); 848 848 + n = hbucket(t, key); 849 849 + for (i = 0; i < n->pos; i++) { 850 850 + data = ahash_tdata(n, i); 851 851 + if (!type_pf_data_equal(data, d)) 852 852 + continue; 853 853 + if (type_pf_data_expired(data)) 854 854 + ret = -IPSET_ERR_EXIST; 855 855 + if (i != n->pos - 1) 856 856 + /* Not last one */ 857 857 + type_pf_data_copy(data, ahash_tdata(n, n->pos - 1)); 858 858 + 859 859 + n->pos--; 860 860 + h->elements--; 861 861 + #ifdef IP_SET_HASH_WITH_NETS 862 862 + del_cidr(h, d->cidr, HOST_MASK); 863 863 + #endif 864 864 + if (n->pos + AHASH_INIT_SIZE < n->size) { 865 865 + void *tmp = kzalloc((n->size - AHASH_INIT_SIZE) 866 866 + * sizeof(struct type_pf_telem), 867 867 + GFP_ATOMIC); 868 868 + if (!tmp) 869 869 + return 0; 870 870 + n->size -= AHASH_INIT_SIZE; 871 871 + memcpy(tmp, n->value, 872 872 + n->size * sizeof(struct type_pf_telem)); 873 873 + kfree(n->value); 874 874 + n->value = tmp; 875 875 + } 876 876 + return 0; 877 877 + } 878 878 + 879 879 + return -IPSET_ERR_EXIST; 880 880 + } 881 881 + 882 882 + #ifdef IP_SET_HASH_WITH_NETS 883 883 + static int 884 884 + type_pf_ttest_cidrs(struct ip_set *set, struct type_pf_elem *d, u32 timeout) 885 885 + { 886 886 + struct ip_set_hash *h = set->data; 887 887 + struct htable *t = h->table; 888 888 + struct type_pf_elem *data; 889 889 + struct hbucket *n; 890 890 + int i, j = 0; 891 891 + u32 key; 892 892 + u8 host_mask = SET_HOST_MASK(set->family); 893 893 + 894 894 + for (; j < host_mask && h->nets[j].cidr; j++) { 895 895 + type_pf_data_netmask(d, h->nets[j].cidr); 896 896 + key = HKEY(d, h->initval, t->htable_bits); 897 897 + n = hbucket(t, key); 898 898 + for (i = 0; i < n->pos; i++) { 899 899 + data = ahash_tdata(n, i); 900 900 + if (type_pf_data_equal(data, d)) 901 901 + return !type_pf_data_expired(data); 902 902 + } 903 903 + } 904 904 + return 0; 905 905 + } 906 906 + #endif 907 907 + 908 908 + static int 909 909 + type_pf_ttest(struct ip_set *set, void *value, u32 timeout) 910 910 + { 911 911 + struct ip_set_hash *h = set->data; 912 912 + struct htable *t = h->table; 913 913 + struct type_pf_elem *data, *d = value; 914 914 + struct hbucket *n; 915 915 + int i; 916 916 + u32 key; 917 917 + 918 918 + #ifdef IP_SET_HASH_WITH_NETS 919 919 + if (d->cidr == SET_HOST_MASK(set->family)) 920 920 + return type_pf_ttest_cidrs(set, d, timeout); 921 921 + #endif 922 922 + key = HKEY(d, h->initval, t->htable_bits); 923 923 + n = hbucket(t, key); 924 924 + for (i = 0; i < n->pos; i++) { 925 925 + data = ahash_tdata(n, i); 926 926 + if (type_pf_data_equal(data, d)) 927 927 + return !type_pf_data_expired(data); 928 928 + } 929 929 + return 0; 930 930 + } 931 931 + 932 932 + static int 933 933 + type_pf_tlist(const struct ip_set *set, 934 934 + struct sk_buff *skb, struct netlink_callback *cb) 935 935 + { 936 936 + const struct ip_set_hash *h = set->data; 937 937 + const struct htable *t = h->table; 938 938 + struct nlattr *atd, *nested; 939 939 + const struct hbucket *n; 940 940 + const struct type_pf_elem *data; 941 941 + u32 first = cb->args[2]; 942 942 + /* We assume that one hash bucket fills into one page */ 943 943 + void *incomplete; 944 944 + int i; 945 945 + 946 946 + atd = ipset_nest_start(skb, IPSET_ATTR_ADT); 947 947 + if (!atd) 948 948 + return -EMSGSIZE; 949 949 + for (; cb->args[2] < jhash_size(t->htable_bits); cb->args[2]++) { 950 950 + incomplete = skb_tail_pointer(skb); 951 951 + n = hbucket(t, cb->args[2]); 952 952 + for (i = 0; i < n->pos; i++) { 953 953 + data = ahash_tdata(n, i); 954 954 + pr_debug("list %p %u\n", n, i); 955 955 + if (type_pf_data_expired(data)) 956 956 + continue; 957 957 + pr_debug("do list %p %u\n", n, i); 958 958 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 959 959 + if (!nested) { 960 960 + if (cb->args[2] == first) { 961 961 + nla_nest_cancel(skb, atd); 962 962 + return -EMSGSIZE; 963 963 + } else 964 964 + goto nla_put_failure; 965 965 + } 966 966 + if (type_pf_data_tlist(skb, data)) 967 967 + goto nla_put_failure; 968 968 + ipset_nest_end(skb, nested); 969 969 + } 970 970 + } 971 971 + ipset_nest_end(skb, atd); 972 972 + /* Set listing finished */ 973 973 + cb->args[2] = 0; 974 974 + 975 975 + return 0; 976 976 + 977 977 + nla_put_failure: 978 978 + nlmsg_trim(skb, incomplete); 979 979 + ipset_nest_end(skb, atd); 980 980 + if (unlikely(first == cb->args[2])) { 981 981 + pr_warning("Can't list set %s: one bucket does not fit into " 982 982 + "a message. Please report it!\n", set->name); 983 983 + cb->args[2] = 0; 984 984 + return -EMSGSIZE; 985 985 + } 986 986 + return 0; 987 987 + } 988 988 + 989 989 + static const struct ip_set_type_variant type_pf_tvariant = { 990 990 + .kadt = type_pf_kadt, 991 991 + .uadt = type_pf_uadt, 992 992 + .adt = { 993 993 + [IPSET_ADD] = type_pf_tadd, 994 994 + [IPSET_DEL] = type_pf_tdel, 995 995 + [IPSET_TEST] = type_pf_ttest, 996 996 + }, 997 997 + .destroy = type_pf_destroy, 998 998 + .flush = type_pf_flush, 999 999 + .head = type_pf_head, 1000 1000 + .list = type_pf_tlist, 1001 1001 + .resize = type_pf_tresize, 1002 1002 + .same_set = type_pf_same_set, 1003 1003 + }; 1004 1004 + 1005 1005 + static void 1006 1006 + type_pf_gc(unsigned long ul_set) 1007 1007 + { 1008 1008 + struct ip_set *set = (struct ip_set *) ul_set; 1009 1009 + struct ip_set_hash *h = set->data; 1010 1010 + 1011 1011 + pr_debug("called\n"); 1012 1012 + write_lock_bh(&set->lock); 1013 1013 + type_pf_expire(h); 1014 1014 + write_unlock_bh(&set->lock); 1015 1015 + 1016 1016 + h->gc.expires = jiffies + IPSET_GC_PERIOD(h->timeout) * HZ; 1017 1017 + add_timer(&h->gc); 1018 1018 + } 1019 1019 + 1020 1020 + static void 1021 1021 + type_pf_gc_init(struct ip_set *set) 1022 1022 + { 1023 1023 + struct ip_set_hash *h = set->data; 1024 1024 + 1025 1025 + init_timer(&h->gc); 1026 1026 + h->gc.data = (unsigned long) set; 1027 1027 + h->gc.function = type_pf_gc; 1028 1028 + h->gc.expires = jiffies + IPSET_GC_PERIOD(h->timeout) * HZ; 1029 1029 + add_timer(&h->gc); 1030 1030 + pr_debug("gc initialized, run in every %u\n", 1031 1031 + IPSET_GC_PERIOD(h->timeout)); 1032 1032 + } 1033 1033 + 1034 1034 + #undef type_pf_data_equal 1035 1035 + #undef type_pf_data_isnull 1036 1036 + #undef type_pf_data_copy 1037 1037 + #undef type_pf_data_zero_out 1038 1038 + #undef type_pf_data_list 1039 1039 + #undef type_pf_data_tlist 1040 1040 + 1041 1041 + #undef type_pf_elem 1042 1042 + #undef type_pf_telem 1043 1043 + #undef type_pf_data_timeout 1044 1044 + #undef type_pf_data_expired 1045 1045 + #undef type_pf_data_netmask 1046 1046 + #undef type_pf_data_timeout_set 1047 1047 + 1048 1048 + #undef type_pf_elem_add 1049 1049 + #undef type_pf_add 1050 1050 + #undef type_pf_del 1051 1051 + #undef type_pf_test_cidrs 1052 1052 + #undef type_pf_test 1053 1053 + 1054 1054 + #undef type_pf_elem_tadd 1055 1055 + #undef type_pf_expire 1056 1056 + #undef type_pf_tadd 1057 1057 + #undef type_pf_tdel 1058 1058 + #undef type_pf_ttest_cidrs 1059 1059 + #undef type_pf_ttest 1060 1060 + 1061 1061 + #undef type_pf_resize 1062 1062 + #undef type_pf_tresize 1063 1063 + #undef type_pf_flush 1064 1064 + #undef type_pf_destroy 1065 1065 + #undef type_pf_head 1066 1066 + #undef type_pf_list 1067 1067 + #undef type_pf_tlist 1068 1068 + #undef type_pf_same_set 1069 1069 + #undef type_pf_kadt 1070 1070 + #undef type_pf_uadt 1071 1071 + #undef type_pf_gc 1072 1072 + #undef type_pf_gc_init 1073 1073 + #undef type_pf_variant 1074 1074 + #undef type_pf_tvariant

+31

include/linux/netfilter/ipset/ip_set_bitmap.h

reviewed

··· 1 1 + #ifndef __IP_SET_BITMAP_H 2 2 + #define __IP_SET_BITMAP_H 3 3 + 4 4 + /* Bitmap type specific error codes */ 5 5 + enum { 6 6 + /* The element is out of the range of the set */ 7 7 + IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC, 8 8 + /* The range exceeds the size limit of the set type */ 9 9 + IPSET_ERR_BITMAP_RANGE_SIZE, 10 10 + }; 11 11 + 12 12 + #ifdef __KERNEL__ 13 13 + #define IPSET_BITMAP_MAX_RANGE 0x0000FFFF 14 14 + 15 15 + /* Common functions */ 16 16 + 17 17 + static inline u32 18 18 + range_to_mask(u32 from, u32 to, u8 *bits) 19 19 + { 20 20 + u32 mask = 0xFFFFFFFE; 21 21 + 22 22 + *bits = 32; 23 23 + while (--(*bits) > 0 && mask && (to & mask) != from) 24 24 + mask <<= 1; 25 25 + 26 26 + return mask; 27 27 + } 28 28 + 29 29 + #endif /* __KERNEL__ */ 30 30 + 31 31 + #endif /* __IP_SET_BITMAP_H */

+21

include/linux/netfilter/ipset/ip_set_getport.h

reviewed

··· 1 1 + #ifndef _IP_SET_GETPORT_H 2 2 + #define _IP_SET_GETPORT_H 3 3 + 4 4 + extern bool ip_set_get_ip4_port(const struct sk_buff *skb, bool src, 5 5 + __be16 *port, u8 *proto); 6 6 + 7 7 + #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) 8 8 + extern bool ip_set_get_ip6_port(const struct sk_buff *skb, bool src, 9 9 + __be16 *port, u8 *proto); 10 10 + #else 11 11 + static inline bool ip_set_get_ip6_port(const struct sk_buff *skb, bool src, 12 12 + __be16 *port, u8 *proto) 13 13 + { 14 14 + return false; 15 15 + } 16 16 + #endif 17 17 + 18 18 + extern bool ip_set_get_ip_port(const struct sk_buff *skb, u8 pf, bool src, 19 19 + __be16 *port); 20 20 + 21 21 + #endif /*_IP_SET_GETPORT_H*/

+26

include/linux/netfilter/ipset/ip_set_hash.h

reviewed

··· 1 1 + #ifndef __IP_SET_HASH_H 2 2 + #define __IP_SET_HASH_H 3 3 + 4 4 + /* Hash type specific error codes */ 5 5 + enum { 6 6 + /* Hash is full */ 7 7 + IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC, 8 8 + /* Null-valued element */ 9 9 + IPSET_ERR_HASH_ELEM, 10 10 + /* Invalid protocol */ 11 11 + IPSET_ERR_INVALID_PROTO, 12 12 + /* Protocol missing but must be specified */ 13 13 + IPSET_ERR_MISSING_PROTO, 14 14 + }; 15 15 + 16 16 + #ifdef __KERNEL__ 17 17 + 18 18 + #define IPSET_DEFAULT_HASHSIZE 1024 19 19 + #define IPSET_MIMINAL_HASHSIZE 64 20 20 + #define IPSET_DEFAULT_MAXELEM 65536 21 21 + #define IPSET_DEFAULT_PROBES 4 22 22 + #define IPSET_DEFAULT_RESIZE 100 23 23 + 24 24 + #endif /* __KERNEL__ */ 25 25 + 26 26 + #endif /* __IP_SET_HASH_H */

+27

include/linux/netfilter/ipset/ip_set_list.h

reviewed

··· 1 1 + #ifndef __IP_SET_LIST_H 2 2 + #define __IP_SET_LIST_H 3 3 + 4 4 + /* List type specific error codes */ 5 5 + enum { 6 6 + /* Set name to be added/deleted/tested does not exist. */ 7 7 + IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC, 8 8 + /* list:set type is not permitted to add */ 9 9 + IPSET_ERR_LOOP, 10 10 + /* Missing reference set */ 11 11 + IPSET_ERR_BEFORE, 12 12 + /* Reference set does not exist */ 13 13 + IPSET_ERR_NAMEREF, 14 14 + /* Set is full */ 15 15 + IPSET_ERR_LIST_FULL, 16 16 + /* Reference set is not added to the set */ 17 17 + IPSET_ERR_REF_EXIST, 18 18 + }; 19 19 + 20 20 + #ifdef __KERNEL__ 21 21 + 22 22 + #define IP_SET_LIST_DEFAULT_SIZE 8 23 23 + #define IP_SET_LIST_MIN_SIZE 4 24 24 + 25 25 + #endif /* __KERNEL__ */ 26 26 + 27 27 + #endif /* __IP_SET_LIST_H */

+127

include/linux/netfilter/ipset/ip_set_timeout.h

reviewed

··· 1 1 + #ifndef _IP_SET_TIMEOUT_H 2 2 + #define _IP_SET_TIMEOUT_H 3 3 + 4 4 + /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 5 5 + * 6 6 + * This program is free software; you can redistribute it and/or modify 7 7 + * it under the terms of the GNU General Public License version 2 as 8 8 + * published by the Free Software Foundation. 9 9 + */ 10 10 + 11 11 + #ifdef __KERNEL__ 12 12 + 13 13 + /* How often should the gc be run by default */ 14 14 + #define IPSET_GC_TIME (3 * 60) 15 15 + 16 16 + /* Timeout period depending on the timeout value of the given set */ 17 17 + #define IPSET_GC_PERIOD(timeout) \ 18 18 + ((timeout/3) ? min_t(u32, (timeout)/3, IPSET_GC_TIME) : 1) 19 19 + 20 20 + /* Set is defined without timeout support: timeout value may be 0 */ 21 21 + #define IPSET_NO_TIMEOUT UINT_MAX 22 22 + 23 23 + #define with_timeout(timeout) ((timeout) != IPSET_NO_TIMEOUT) 24 24 + 25 25 + static inline unsigned int 26 26 + ip_set_timeout_uget(struct nlattr *tb) 27 27 + { 28 28 + unsigned int timeout = ip_set_get_h32(tb); 29 29 + 30 30 + /* Userspace supplied TIMEOUT parameter: adjust crazy size */ 31 31 + return timeout == IPSET_NO_TIMEOUT ? IPSET_NO_TIMEOUT - 1 : timeout; 32 32 + } 33 33 + 34 34 + #ifdef IP_SET_BITMAP_TIMEOUT 35 35 + 36 36 + /* Bitmap specific timeout constants and macros for the entries */ 37 37 + 38 38 + /* Bitmap entry is unset */ 39 39 + #define IPSET_ELEM_UNSET 0 40 40 + /* Bitmap entry is set with no timeout value */ 41 41 + #define IPSET_ELEM_PERMANENT (UINT_MAX/2) 42 42 + 43 43 + static inline bool 44 44 + ip_set_timeout_test(unsigned long timeout) 45 45 + { 46 46 + return timeout != IPSET_ELEM_UNSET && 47 47 + (timeout == IPSET_ELEM_PERMANENT || 48 48 + time_after(timeout, jiffies)); 49 49 + } 50 50 + 51 51 + static inline bool 52 52 + ip_set_timeout_expired(unsigned long timeout) 53 53 + { 54 54 + return timeout != IPSET_ELEM_UNSET && 55 55 + timeout != IPSET_ELEM_PERMANENT && 56 56 + time_before(timeout, jiffies); 57 57 + } 58 58 + 59 59 + static inline unsigned long 60 60 + ip_set_timeout_set(u32 timeout) 61 61 + { 62 62 + unsigned long t; 63 63 + 64 64 + if (!timeout) 65 65 + return IPSET_ELEM_PERMANENT; 66 66 + 67 67 + t = timeout * HZ + jiffies; 68 68 + if (t == IPSET_ELEM_UNSET || t == IPSET_ELEM_PERMANENT) 69 69 + /* Bingo! */ 70 70 + t++; 71 71 + 72 72 + return t; 73 73 + } 74 74 + 75 75 + static inline u32 76 76 + ip_set_timeout_get(unsigned long timeout) 77 77 + { 78 78 + return timeout == IPSET_ELEM_PERMANENT ? 0 : (timeout - jiffies)/HZ; 79 79 + } 80 80 + 81 81 + #else 82 82 + 83 83 + /* Hash specific timeout constants and macros for the entries */ 84 84 + 85 85 + /* Hash entry is set with no timeout value */ 86 86 + #define IPSET_ELEM_PERMANENT 0 87 87 + 88 88 + static inline bool 89 89 + ip_set_timeout_test(unsigned long timeout) 90 90 + { 91 91 + return timeout == IPSET_ELEM_PERMANENT || 92 92 + time_after(timeout, jiffies); 93 93 + } 94 94 + 95 95 + static inline bool 96 96 + ip_set_timeout_expired(unsigned long timeout) 97 97 + { 98 98 + return timeout != IPSET_ELEM_PERMANENT && 99 99 + time_before(timeout, jiffies); 100 100 + } 101 101 + 102 102 + static inline unsigned long 103 103 + ip_set_timeout_set(u32 timeout) 104 104 + { 105 105 + unsigned long t; 106 106 + 107 107 + if (!timeout) 108 108 + return IPSET_ELEM_PERMANENT; 109 109 + 110 110 + t = timeout * HZ + jiffies; 111 111 + if (t == IPSET_ELEM_PERMANENT) 112 112 + /* Bingo! :-) */ 113 113 + t++; 114 114 + 115 115 + return t; 116 116 + } 117 117 + 118 118 + static inline u32 119 119 + ip_set_timeout_get(unsigned long timeout) 120 120 + { 121 121 + return timeout == IPSET_ELEM_PERMANENT ? 0 : (timeout - jiffies)/HZ; 122 122 + } 123 123 + #endif /* ! IP_SET_BITMAP_TIMEOUT */ 124 124 + 125 125 + #endif /* __KERNEL__ */ 126 126 + 127 127 + #endif /* _IP_SET_TIMEOUT_H */

+35

include/linux/netfilter/ipset/pfxlen.h

reviewed

··· 1 1 + #ifndef _PFXLEN_H 2 2 + #define _PFXLEN_H 3 3 + 4 4 + #include <asm/byteorder.h> 5 5 + #include <linux/netfilter.h> 6 6 + 7 7 + /* Prefixlen maps, by Jan Engelhardt */ 8 8 + extern const union nf_inet_addr ip_set_netmask_map[]; 9 9 + extern const union nf_inet_addr ip_set_hostmask_map[]; 10 10 + 11 11 + static inline __be32 12 12 + ip_set_netmask(u8 pfxlen) 13 13 + { 14 14 + return ip_set_netmask_map[pfxlen].ip; 15 15 + } 16 16 + 17 17 + static inline const __be32 * 18 18 + ip_set_netmask6(u8 pfxlen) 19 19 + { 20 20 + return &ip_set_netmask_map[pfxlen].ip6[0]; 21 21 + } 22 22 + 23 23 + static inline u32 24 24 + ip_set_hostmask(u8 pfxlen) 25 25 + { 26 26 + return (__force u32) ip_set_hostmask_map[pfxlen].ip; 27 27 + } 28 28 + 29 29 + static inline const __be32 * 30 30 + ip_set_hostmask6(u8 pfxlen) 31 31 + { 32 32 + return &ip_set_hostmask_map[pfxlen].ip6[0]; 33 33 + } 34 34 + 35 35 + #endif /*_PFXLEN_H */

+2 -1

include/linux/netfilter/nfnetlink.h

reviewed

··· 47 47 #define NFNL_SUBSYS_QUEUE 3 48 48 #define NFNL_SUBSYS_ULOG 4 49 49 #define NFNL_SUBSYS_OSF 5 50 50 - #define NFNL_SUBSYS_COUNT 6 50 50 + #define NFNL_SUBSYS_IPSET 6 51 51 + #define NFNL_SUBSYS_COUNT 7 51 52 52 53 #ifdef __KERNEL__ 53 54

+21

include/linux/netfilter/xt_devgroup.h

reviewed

··· 1 1 + #ifndef _XT_DEVGROUP_H 2 2 + #define _XT_DEVGROUP_H 3 3 + 4 4 + #include <linux/types.h> 5 5 + 6 6 + enum xt_devgroup_flags { 7 7 + XT_DEVGROUP_MATCH_SRC = 0x1, 8 8 + XT_DEVGROUP_INVERT_SRC = 0x2, 9 9 + XT_DEVGROUP_MATCH_DST = 0x4, 10 10 + XT_DEVGROUP_INVERT_DST = 0x8, 11 11 + }; 12 12 + 13 13 + struct xt_devgroup_info { 14 14 + __u32 flags; 15 15 + __u32 src_group; 16 16 + __u32 src_mask; 17 17 + __u32 dst_group; 18 18 + __u32 dst_mask; 19 19 + }; 20 20 + 21 21 + #endif /* _XT_DEVGROUP_H */

+56

include/linux/netfilter/xt_set.h

reviewed

··· 1 1 + #ifndef _XT_SET_H 2 2 + #define _XT_SET_H 3 3 + 4 4 + #include <linux/types.h> 5 5 + #include <linux/netfilter/ipset/ip_set.h> 6 6 + 7 7 + /* Revision 0 interface: backward compatible with netfilter/iptables */ 8 8 + 9 9 + /* 10 10 + * Option flags for kernel operations (xt_set_info_v0) 11 11 + */ 12 12 + #define IPSET_SRC 0x01 /* Source match/add */ 13 13 + #define IPSET_DST 0x02 /* Destination match/add */ 14 14 + #define IPSET_MATCH_INV 0x04 /* Inverse matching */ 15 15 + 16 16 + struct xt_set_info_v0 { 17 17 + ip_set_id_t index; 18 18 + union { 19 19 + __u32 flags[IPSET_DIM_MAX + 1]; 20 20 + struct { 21 21 + __u32 __flags[IPSET_DIM_MAX]; 22 22 + __u8 dim; 23 23 + __u8 flags; 24 24 + } compat; 25 25 + } u; 26 26 + }; 27 27 + 28 28 + /* match and target infos */ 29 29 + struct xt_set_info_match_v0 { 30 30 + struct xt_set_info_v0 match_set; 31 31 + }; 32 32 + 33 33 + struct xt_set_info_target_v0 { 34 34 + struct xt_set_info_v0 add_set; 35 35 + struct xt_set_info_v0 del_set; 36 36 + }; 37 37 + 38 38 + /* Revision 1: current interface to netfilter/iptables */ 39 39 + 40 40 + struct xt_set_info { 41 41 + ip_set_id_t index; 42 42 + __u8 dim; 43 43 + __u8 flags; 44 44 + }; 45 45 + 46 46 + /* match and target infos */ 47 47 + struct xt_set_info_match { 48 48 + struct xt_set_info match_set; 49 49 + }; 50 50 + 51 51 + struct xt_set_info_target { 52 52 + struct xt_set_info add_set; 53 53 + struct xt_set_info del_set; 54 54 + }; 55 55 + 56 56 + #endif /*_XT_SET_H*/

-2

include/net/ip_vs.h

reviewed

··· 1109 1109 * we are loaded. Just set ip_vs_drop_rate to 'n' and 1110 1110 * we start to drop 1/rate of the packets 1111 1111 */ 1112 1112 - extern int ip_vs_drop_rate; 1113 1113 - extern int ip_vs_drop_counter; 1114 1112 1115 1113 static inline int ip_vs_todrop(struct netns_ipvs *ipvs) 1116 1114 {

+9

include/net/netlink.h

reviewed

··· 856 856 #define NLA_PUT_BE16(skb, attrtype, value) \ 857 857 NLA_PUT_TYPE(skb, __be16, attrtype, value) 858 858 859 859 + #define NLA_PUT_NET16(skb, attrtype, value) \ 860 860 + NLA_PUT_BE16(skb, attrtype | NLA_F_NET_BYTEORDER, value) 861 861 + 859 862 #define NLA_PUT_U32(skb, attrtype, value) \ 860 863 NLA_PUT_TYPE(skb, u32, attrtype, value) 861 864 862 865 #define NLA_PUT_BE32(skb, attrtype, value) \ 863 866 NLA_PUT_TYPE(skb, __be32, attrtype, value) 864 867 868 868 + #define NLA_PUT_NET32(skb, attrtype, value) \ 869 869 + NLA_PUT_BE32(skb, attrtype | NLA_F_NET_BYTEORDER, value) 870 870 + 865 871 #define NLA_PUT_U64(skb, attrtype, value) \ 866 872 NLA_PUT_TYPE(skb, u64, attrtype, value) 867 873 868 874 #define NLA_PUT_BE64(skb, attrtype, value) \ 869 875 NLA_PUT_TYPE(skb, __be64, attrtype, value) 876 876 + 877 877 + #define NLA_PUT_NET64(skb, attrtype, value) \ 878 878 + NLA_PUT_BE64(skb, attrtype | NLA_F_NET_BYTEORDER, value) 870 879 871 880 #define NLA_PUT_STRING(skb, attrtype, value) \ 872 881 NLA_PUT(skb, attrtype, strlen(value) + 1, value)

+23

net/netfilter/Kconfig

reviewed

··· 352 352 ctmark), similarly to the packet mark (nfmark). Using this 353 353 target and match, you can set and match on this mark. 354 354 355 355 + config NETFILTER_XT_SET 356 356 + tristate 'set target and match support' 357 357 + depends on IP_SET 358 358 + depends on NETFILTER_ADVANCED 359 359 + help 360 360 + This option adds the "SET" target and "set" match. 361 361 + 362 362 + Using this target and match, you can add/delete and match 363 363 + elements in the sets created by ipset(8). 364 364 + 365 365 + To compile it as a module, choose M here. If unsure, say N. 366 366 + 355 367 # alphabetically ordered list of targets 356 368 357 369 comment "Xtables targets" ··· 738 726 If you want to compile it as a module, say M here and read 739 727 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 740 728 729 729 + config NETFILTER_XT_MATCH_DEVGROUP 730 730 + tristate '"devgroup" match support' 731 731 + depends on NETFILTER_ADVANCED 732 732 + help 733 733 + This options adds a `devgroup' match, which allows to match on the 734 734 + device group a network device is assigned to. 735 735 + 736 736 + To compile it as a module, choose M here. If unsure, say N. 737 737 + 741 738 config NETFILTER_XT_MATCH_DSCP 742 739 tristate '"dscp" and "tos" match support' 743 740 depends on NETFILTER_ADVANCED ··· 1072 1051 endif # NETFILTER_XTABLES 1073 1052 1074 1053 endmenu 1054 1054 + 1055 1055 + source "net/netfilter/ipset/Kconfig" 1075 1056 1076 1057 source "net/netfilter/ipvs/Kconfig"

+5

net/netfilter/Makefile

reviewed

··· 46 46 # combos 47 47 obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o 48 48 obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o 49 49 + obj-$(CONFIG_NETFILTER_XT_SET) += xt_set.o 49 50 50 51 # targets 51 52 obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) += xt_AUDIT.o ··· 77 76 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o 78 77 obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o 79 78 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o 79 79 + obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o 80 80 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o 81 81 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o 82 82 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o ··· 106 104 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o 107 105 obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o 108 106 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o 107 107 + 108 108 + # ipset 109 109 + obj-$(CONFIG_IP_SET) += ipset/ 109 110 110 111 # IPVS 111 112 obj-$(CONFIG_IP_VS) += ipvs/

+121

net/netfilter/ipset/Kconfig

reviewed

··· 1 1 + menuconfig IP_SET 2 2 + tristate "IP set support" 3 3 + depends on INET && NETFILTER 4 4 + help 5 5 + This option adds IP set support to the kernel. 6 6 + In order to define and use the sets, you need the userspace utility 7 7 + ipset(8). You can use the sets in netfilter via the "set" match 8 8 + and "SET" target. 9 9 + 10 10 + To compile it as a module, choose M here. If unsure, say N. 11 11 + 12 12 + if IP_SET 13 13 + 14 14 + config IP_SET_MAX 15 15 + int "Maximum number of IP sets" 16 16 + default 256 17 17 + range 2 65534 18 18 + depends on IP_SET 19 19 + help 20 20 + You can define here default value of the maximum number 21 21 + of IP sets for the kernel. 22 22 + 23 23 + The value can be overriden by the 'max_sets' module 24 24 + parameter of the 'ip_set' module. 25 25 + 26 26 + config IP_SET_BITMAP_IP 27 27 + tristate "bitmap:ip set support" 28 28 + depends on IP_SET 29 29 + help 30 30 + This option adds the bitmap:ip set type support, by which one 31 31 + can store IPv4 addresses (or network addresse) from a range. 32 32 + 33 33 + To compile it as a module, choose M here. If unsure, say N. 34 34 + 35 35 + config IP_SET_BITMAP_IPMAC 36 36 + tristate "bitmap:ip,mac set support" 37 37 + depends on IP_SET 38 38 + help 39 39 + This option adds the bitmap:ip,mac set type support, by which one 40 40 + can store IPv4 address and (source) MAC address pairs from a range. 41 41 + 42 42 + To compile it as a module, choose M here. If unsure, say N. 43 43 + 44 44 + config IP_SET_BITMAP_PORT 45 45 + tristate "bitmap:port set support" 46 46 + depends on IP_SET 47 47 + help 48 48 + This option adds the bitmap:port set type support, by which one 49 49 + can store TCP/UDP port numbers from a range. 50 50 + 51 51 + To compile it as a module, choose M here. If unsure, say N. 52 52 + 53 53 + config IP_SET_HASH_IP 54 54 + tristate "hash:ip set support" 55 55 + depends on IP_SET 56 56 + help 57 57 + This option adds the hash:ip set type support, by which one 58 58 + can store arbitrary IPv4 or IPv6 addresses (or network addresses) 59 59 + in a set. 60 60 + 61 61 + To compile it as a module, choose M here. If unsure, say N. 62 62 + 63 63 + config IP_SET_HASH_IPPORT 64 64 + tristate "hash:ip,port set support" 65 65 + depends on IP_SET 66 66 + help 67 67 + This option adds the hash:ip,port set type support, by which one 68 68 + can store IPv4/IPv6 address and protocol/port pairs. 69 69 + 70 70 + To compile it as a module, choose M here. If unsure, say N. 71 71 + 72 72 + config IP_SET_HASH_IPPORTIP 73 73 + tristate "hash:ip,port,ip set support" 74 74 + depends on IP_SET 75 75 + help 76 76 + This option adds the hash:ip,port,ip set type support, by which 77 77 + one can store IPv4/IPv6 address, protocol/port, and IPv4/IPv6 78 78 + address triples in a set. 79 79 + 80 80 + To compile it as a module, choose M here. If unsure, say N. 81 81 + 82 82 + config IP_SET_HASH_IPPORTNET 83 83 + tristate "hash:ip,port,net set support" 84 84 + depends on IP_SET 85 85 + help 86 86 + This option adds the hash:ip,port,net set type support, by which 87 87 + one can store IPv4/IPv6 address, protocol/port, and IPv4/IPv6 88 88 + network address/prefix triples in a set. 89 89 + 90 90 + To compile it as a module, choose M here. If unsure, say N. 91 91 + 92 92 + config IP_SET_HASH_NET 93 93 + tristate "hash:net set support" 94 94 + depends on IP_SET 95 95 + help 96 96 + This option adds the hash:net set type support, by which 97 97 + one can store IPv4/IPv6 network address/prefix elements in a set. 98 98 + 99 99 + To compile it as a module, choose M here. If unsure, say N. 100 100 + 101 101 + config IP_SET_HASH_NETPORT 102 102 + tristate "hash:net,port set support" 103 103 + depends on IP_SET 104 104 + help 105 105 + This option adds the hash:net,port set type support, by which 106 106 + one can store IPv4/IPv6 network address/prefix and 107 107 + protocol/port pairs as elements in a set. 108 108 + 109 109 + To compile it as a module, choose M here. If unsure, say N. 110 110 + 111 111 + config IP_SET_LIST_SET 112 112 + tristate "list:set set support" 113 113 + depends on IP_SET 114 114 + help 115 115 + This option adds the list:set set type support. In this 116 116 + kind of set one can store the name of other sets and it forms 117 117 + an ordered union of the member sets. 118 118 + 119 119 + To compile it as a module, choose M here. If unsure, say N. 120 120 + 121 121 + endif # IP_SET

+24

net/netfilter/ipset/Makefile

reviewed

··· 1 1 + # 2 2 + # Makefile for the ipset modules 3 3 + # 4 4 + 5 5 + ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o 6 6 + 7 7 + # ipset core 8 8 + obj-$(CONFIG_IP_SET) += ip_set.o 9 9 + 10 10 + # bitmap types 11 11 + obj-$(CONFIG_IP_SET_BITMAP_IP) += ip_set_bitmap_ip.o 12 12 + obj-$(CONFIG_IP_SET_BITMAP_IPMAC) += ip_set_bitmap_ipmac.o 13 13 + obj-$(CONFIG_IP_SET_BITMAP_PORT) += ip_set_bitmap_port.o 14 14 + 15 15 + # hash types 16 16 + obj-$(CONFIG_IP_SET_HASH_IP) += ip_set_hash_ip.o 17 17 + obj-$(CONFIG_IP_SET_HASH_IPPORT) += ip_set_hash_ipport.o 18 18 + obj-$(CONFIG_IP_SET_HASH_IPPORTIP) += ip_set_hash_ipportip.o 19 19 + obj-$(CONFIG_IP_SET_HASH_IPPORTNET) += ip_set_hash_ipportnet.o 20 20 + obj-$(CONFIG_IP_SET_HASH_NET) += ip_set_hash_net.o 21 21 + obj-$(CONFIG_IP_SET_HASH_NETPORT) += ip_set_hash_netport.o 22 22 + 23 23 + # list types 24 24 + obj-$(CONFIG_IP_SET_LIST_SET) += ip_set_list_set.o

+587

net/netfilter/ipset/ip_set_bitmap_ip.c

reviewed

··· 1 1 + /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> 2 2 + * Patrick Schaaf <bof@bof.de> 3 3 + * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 4 4 + * 5 5 + * This program is free software; you can redistribute it and/or modify 6 6 + * it under the terms of the GNU General Public License version 2 as 7 7 + * published by the Free Software Foundation. 8 8 + */ 9 9 + 10 10 + /* Kernel module implementing an IP set type: the bitmap:ip type */ 11 11 + 12 12 + #include <linux/module.h> 13 13 + #include <linux/ip.h> 14 14 + #include <linux/skbuff.h> 15 15 + #include <linux/errno.h> 16 16 + #include <linux/bitops.h> 17 17 + #include <linux/spinlock.h> 18 18 + #include <linux/netlink.h> 19 19 + #include <linux/jiffies.h> 20 20 + #include <linux/timer.h> 21 21 + #include <net/netlink.h> 22 22 + #include <net/tcp.h> 23 23 + 24 24 + #include <linux/netfilter/ipset/pfxlen.h> 25 25 + #include <linux/netfilter/ipset/ip_set.h> 26 26 + #include <linux/netfilter/ipset/ip_set_bitmap.h> 27 27 + #define IP_SET_BITMAP_TIMEOUT 28 28 + #include <linux/netfilter/ipset/ip_set_timeout.h> 29 29 + 30 30 + MODULE_LICENSE("GPL"); 31 31 + MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 32 32 + MODULE_DESCRIPTION("bitmap:ip type of IP sets"); 33 33 + MODULE_ALIAS("ip_set_bitmap:ip"); 34 34 + 35 35 + /* Type structure */ 36 36 + struct bitmap_ip { 37 37 + void *members; /* the set members */ 38 38 + u32 first_ip; /* host byte order, included in range */ 39 39 + u32 last_ip; /* host byte order, included in range */ 40 40 + u32 elements; /* number of max elements in the set */ 41 41 + u32 hosts; /* number of hosts in a subnet */ 42 42 + size_t memsize; /* members size */ 43 43 + u8 netmask; /* subnet netmask */ 44 44 + u32 timeout; /* timeout parameter */ 45 45 + struct timer_list gc; /* garbage collection */ 46 46 + }; 47 47 + 48 48 + /* Base variant */ 49 49 + 50 50 + static inline u32 51 51 + ip_to_id(const struct bitmap_ip *m, u32 ip) 52 52 + { 53 53 + return ((ip & ip_set_hostmask(m->netmask)) - m->first_ip)/m->hosts; 54 54 + } 55 55 + 56 56 + static int 57 57 + bitmap_ip_test(struct ip_set *set, void *value, u32 timeout) 58 58 + { 59 59 + const struct bitmap_ip *map = set->data; 60 60 + u16 id = *(u16 *)value; 61 61 + 62 62 + return !!test_bit(id, map->members); 63 63 + } 64 64 + 65 65 + static int 66 66 + bitmap_ip_add(struct ip_set *set, void *value, u32 timeout) 67 67 + { 68 68 + struct bitmap_ip *map = set->data; 69 69 + u16 id = *(u16 *)value; 70 70 + 71 71 + if (test_and_set_bit(id, map->members)) 72 72 + return -IPSET_ERR_EXIST; 73 73 + 74 74 + return 0; 75 75 + } 76 76 + 77 77 + static int 78 78 + bitmap_ip_del(struct ip_set *set, void *value, u32 timeout) 79 79 + { 80 80 + struct bitmap_ip *map = set->data; 81 81 + u16 id = *(u16 *)value; 82 82 + 83 83 + if (!test_and_clear_bit(id, map->members)) 84 84 + return -IPSET_ERR_EXIST; 85 85 + 86 86 + return 0; 87 87 + } 88 88 + 89 89 + static int 90 90 + bitmap_ip_list(const struct ip_set *set, 91 91 + struct sk_buff *skb, struct netlink_callback *cb) 92 92 + { 93 93 + const struct bitmap_ip *map = set->data; 94 94 + struct nlattr *atd, *nested; 95 95 + u32 id, first = cb->args[2]; 96 96 + 97 97 + atd = ipset_nest_start(skb, IPSET_ATTR_ADT); 98 98 + if (!atd) 99 99 + return -EMSGSIZE; 100 100 + for (; cb->args[2] < map->elements; cb->args[2]++) { 101 101 + id = cb->args[2]; 102 102 + if (!test_bit(id, map->members)) 103 103 + continue; 104 104 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 105 105 + if (!nested) { 106 106 + if (id == first) { 107 107 + nla_nest_cancel(skb, atd); 108 108 + return -EMSGSIZE; 109 109 + } else 110 110 + goto nla_put_failure; 111 111 + } 112 112 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, 113 113 + htonl(map->first_ip + id * map->hosts)); 114 114 + ipset_nest_end(skb, nested); 115 115 + } 116 116 + ipset_nest_end(skb, atd); 117 117 + /* Set listing finished */ 118 118 + cb->args[2] = 0; 119 119 + return 0; 120 120 + 121 121 + nla_put_failure: 122 122 + nla_nest_cancel(skb, nested); 123 123 + ipset_nest_end(skb, atd); 124 124 + if (unlikely(id == first)) { 125 125 + cb->args[2] = 0; 126 126 + return -EMSGSIZE; 127 127 + } 128 128 + return 0; 129 129 + } 130 130 + 131 131 + /* Timeout variant */ 132 132 + 133 133 + static int 134 134 + bitmap_ip_ttest(struct ip_set *set, void *value, u32 timeout) 135 135 + { 136 136 + const struct bitmap_ip *map = set->data; 137 137 + const unsigned long *members = map->members; 138 138 + u16 id = *(u16 *)value; 139 139 + 140 140 + return ip_set_timeout_test(members[id]); 141 141 + } 142 142 + 143 143 + static int 144 144 + bitmap_ip_tadd(struct ip_set *set, void *value, u32 timeout) 145 145 + { 146 146 + struct bitmap_ip *map = set->data; 147 147 + unsigned long *members = map->members; 148 148 + u16 id = *(u16 *)value; 149 149 + 150 150 + if (ip_set_timeout_test(members[id])) 151 151 + return -IPSET_ERR_EXIST; 152 152 + 153 153 + members[id] = ip_set_timeout_set(timeout); 154 154 + 155 155 + return 0; 156 156 + } 157 157 + 158 158 + static int 159 159 + bitmap_ip_tdel(struct ip_set *set, void *value, u32 timeout) 160 160 + { 161 161 + struct bitmap_ip *map = set->data; 162 162 + unsigned long *members = map->members; 163 163 + u16 id = *(u16 *)value; 164 164 + int ret = -IPSET_ERR_EXIST; 165 165 + 166 166 + if (ip_set_timeout_test(members[id])) 167 167 + ret = 0; 168 168 + 169 169 + members[id] = IPSET_ELEM_UNSET; 170 170 + return ret; 171 171 + } 172 172 + 173 173 + static int 174 174 + bitmap_ip_tlist(const struct ip_set *set, 175 175 + struct sk_buff *skb, struct netlink_callback *cb) 176 176 + { 177 177 + const struct bitmap_ip *map = set->data; 178 178 + struct nlattr *adt, *nested; 179 179 + u32 id, first = cb->args[2]; 180 180 + const unsigned long *members = map->members; 181 181 + 182 182 + adt = ipset_nest_start(skb, IPSET_ATTR_ADT); 183 183 + if (!adt) 184 184 + return -EMSGSIZE; 185 185 + for (; cb->args[2] < map->elements; cb->args[2]++) { 186 186 + id = cb->args[2]; 187 187 + if (!ip_set_timeout_test(members[id])) 188 188 + continue; 189 189 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 190 190 + if (!nested) { 191 191 + if (id == first) { 192 192 + nla_nest_cancel(skb, adt); 193 193 + return -EMSGSIZE; 194 194 + } else 195 195 + goto nla_put_failure; 196 196 + } 197 197 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, 198 198 + htonl(map->first_ip + id * map->hosts)); 199 199 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 200 200 + htonl(ip_set_timeout_get(members[id]))); 201 201 + ipset_nest_end(skb, nested); 202 202 + } 203 203 + ipset_nest_end(skb, adt); 204 204 + 205 205 + /* Set listing finished */ 206 206 + cb->args[2] = 0; 207 207 + 208 208 + return 0; 209 209 + 210 210 + nla_put_failure: 211 211 + nla_nest_cancel(skb, nested); 212 212 + ipset_nest_end(skb, adt); 213 213 + if (unlikely(id == first)) { 214 214 + cb->args[2] = 0; 215 215 + return -EMSGSIZE; 216 216 + } 217 217 + return 0; 218 218 + } 219 219 + 220 220 + static int 221 221 + bitmap_ip_kadt(struct ip_set *set, const struct sk_buff *skb, 222 222 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 223 223 + { 224 224 + struct bitmap_ip *map = set->data; 225 225 + ipset_adtfn adtfn = set->variant->adt[adt]; 226 226 + u32 ip; 227 227 + 228 228 + ip = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC)); 229 229 + if (ip < map->first_ip || ip > map->last_ip) 230 230 + return -IPSET_ERR_BITMAP_RANGE; 231 231 + 232 232 + ip = ip_to_id(map, ip); 233 233 + 234 234 + return adtfn(set, &ip, map->timeout); 235 235 + } 236 236 + 237 237 + static int 238 238 + bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[], 239 239 + enum ipset_adt adt, u32 *lineno, u32 flags) 240 240 + { 241 241 + struct bitmap_ip *map = set->data; 242 242 + ipset_adtfn adtfn = set->variant->adt[adt]; 243 243 + u32 timeout = map->timeout; 244 244 + u32 ip, ip_to, id; 245 245 + int ret = 0; 246 246 + 247 247 + if (unlikely(!tb[IPSET_ATTR_IP] || 248 248 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 249 249 + return -IPSET_ERR_PROTOCOL; 250 250 + 251 251 + if (tb[IPSET_ATTR_LINENO]) 252 252 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 253 253 + 254 254 + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); 255 255 + if (ret) 256 256 + return ret; 257 257 + 258 258 + if (ip < map->first_ip || ip > map->last_ip) 259 259 + return -IPSET_ERR_BITMAP_RANGE; 260 260 + 261 261 + if (tb[IPSET_ATTR_TIMEOUT]) { 262 262 + if (!with_timeout(map->timeout)) 263 263 + return -IPSET_ERR_TIMEOUT; 264 264 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 265 265 + } 266 266 + 267 267 + if (adt == IPSET_TEST) { 268 268 + id = ip_to_id(map, ip); 269 269 + return adtfn(set, &id, timeout); 270 270 + } 271 271 + 272 272 + if (tb[IPSET_ATTR_IP_TO]) { 273 273 + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); 274 274 + if (ret) 275 275 + return ret; 276 276 + if (ip > ip_to) { 277 277 + swap(ip, ip_to); 278 278 + if (ip < map->first_ip) 279 279 + return -IPSET_ERR_BITMAP_RANGE; 280 280 + } 281 281 + } else if (tb[IPSET_ATTR_CIDR]) { 282 282 + u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); 283 283 + 284 284 + if (cidr > 32) 285 285 + return -IPSET_ERR_INVALID_CIDR; 286 286 + ip &= ip_set_hostmask(cidr); 287 287 + ip_to = ip | ~ip_set_hostmask(cidr); 288 288 + } else 289 289 + ip_to = ip; 290 290 + 291 291 + if (ip_to > map->last_ip) 292 292 + return -IPSET_ERR_BITMAP_RANGE; 293 293 + 294 294 + for (; !before(ip_to, ip); ip += map->hosts) { 295 295 + id = ip_to_id(map, ip); 296 296 + ret = adtfn(set, &id, timeout);; 297 297 + 298 298 + if (ret && !ip_set_eexist(ret, flags)) 299 299 + return ret; 300 300 + else 301 301 + ret = 0; 302 302 + } 303 303 + return ret; 304 304 + } 305 305 + 306 306 + static void 307 307 + bitmap_ip_destroy(struct ip_set *set) 308 308 + { 309 309 + struct bitmap_ip *map = set->data; 310 310 + 311 311 + if (with_timeout(map->timeout)) 312 312 + del_timer_sync(&map->gc); 313 313 + 314 314 + ip_set_free(map->members); 315 315 + kfree(map); 316 316 + 317 317 + set->data = NULL; 318 318 + } 319 319 + 320 320 + static void 321 321 + bitmap_ip_flush(struct ip_set *set) 322 322 + { 323 323 + struct bitmap_ip *map = set->data; 324 324 + 325 325 + memset(map->members, 0, map->memsize); 326 326 + } 327 327 + 328 328 + static int 329 329 + bitmap_ip_head(struct ip_set *set, struct sk_buff *skb) 330 330 + { 331 331 + const struct bitmap_ip *map = set->data; 332 332 + struct nlattr *nested; 333 333 + 334 334 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 335 335 + if (!nested) 336 336 + goto nla_put_failure; 337 337 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip)); 338 338 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip)); 339 339 + if (map->netmask != 32) 340 340 + NLA_PUT_U8(skb, IPSET_ATTR_NETMASK, map->netmask); 341 341 + NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, 342 342 + htonl(atomic_read(&set->ref) - 1)); 343 343 + NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE, 344 344 + htonl(sizeof(*map) + map->memsize)); 345 345 + if (with_timeout(map->timeout)) 346 346 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout)); 347 347 + ipset_nest_end(skb, nested); 348 348 + 349 349 + return 0; 350 350 + nla_put_failure: 351 351 + return -EMSGSIZE; 352 352 + } 353 353 + 354 354 + static bool 355 355 + bitmap_ip_same_set(const struct ip_set *a, const struct ip_set *b) 356 356 + { 357 357 + const struct bitmap_ip *x = a->data; 358 358 + const struct bitmap_ip *y = b->data; 359 359 + 360 360 + return x->first_ip == y->first_ip && 361 361 + x->last_ip == y->last_ip && 362 362 + x->netmask == y->netmask && 363 363 + x->timeout == y->timeout; 364 364 + } 365 365 + 366 366 + static const struct ip_set_type_variant bitmap_ip = { 367 367 + .kadt = bitmap_ip_kadt, 368 368 + .uadt = bitmap_ip_uadt, 369 369 + .adt = { 370 370 + [IPSET_ADD] = bitmap_ip_add, 371 371 + [IPSET_DEL] = bitmap_ip_del, 372 372 + [IPSET_TEST] = bitmap_ip_test, 373 373 + }, 374 374 + .destroy = bitmap_ip_destroy, 375 375 + .flush = bitmap_ip_flush, 376 376 + .head = bitmap_ip_head, 377 377 + .list = bitmap_ip_list, 378 378 + .same_set = bitmap_ip_same_set, 379 379 + }; 380 380 + 381 381 + static const struct ip_set_type_variant bitmap_tip = { 382 382 + .kadt = bitmap_ip_kadt, 383 383 + .uadt = bitmap_ip_uadt, 384 384 + .adt = { 385 385 + [IPSET_ADD] = bitmap_ip_tadd, 386 386 + [IPSET_DEL] = bitmap_ip_tdel, 387 387 + [IPSET_TEST] = bitmap_ip_ttest, 388 388 + }, 389 389 + .destroy = bitmap_ip_destroy, 390 390 + .flush = bitmap_ip_flush, 391 391 + .head = bitmap_ip_head, 392 392 + .list = bitmap_ip_tlist, 393 393 + .same_set = bitmap_ip_same_set, 394 394 + }; 395 395 + 396 396 + static void 397 397 + bitmap_ip_gc(unsigned long ul_set) 398 398 + { 399 399 + struct ip_set *set = (struct ip_set *) ul_set; 400 400 + struct bitmap_ip *map = set->data; 401 401 + unsigned long *table = map->members; 402 402 + u32 id; 403 403 + 404 404 + /* We run parallel with other readers (test element) 405 405 + * but adding/deleting new entries is locked out */ 406 406 + read_lock_bh(&set->lock); 407 407 + for (id = 0; id < map->elements; id++) 408 408 + if (ip_set_timeout_expired(table[id])) 409 409 + table[id] = IPSET_ELEM_UNSET; 410 410 + read_unlock_bh(&set->lock); 411 411 + 412 412 + map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ; 413 413 + add_timer(&map->gc); 414 414 + } 415 415 + 416 416 + static void 417 417 + bitmap_ip_gc_init(struct ip_set *set) 418 418 + { 419 419 + struct bitmap_ip *map = set->data; 420 420 + 421 421 + init_timer(&map->gc); 422 422 + map->gc.data = (unsigned long) set; 423 423 + map->gc.function = bitmap_ip_gc; 424 424 + map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ; 425 425 + add_timer(&map->gc); 426 426 + } 427 427 + 428 428 + /* Create bitmap:ip type of sets */ 429 429 + 430 430 + static bool 431 431 + init_map_ip(struct ip_set *set, struct bitmap_ip *map, 432 432 + u32 first_ip, u32 last_ip, 433 433 + u32 elements, u32 hosts, u8 netmask) 434 434 + { 435 435 + map->members = ip_set_alloc(map->memsize); 436 436 + if (!map->members) 437 437 + return false; 438 438 + map->first_ip = first_ip; 439 439 + map->last_ip = last_ip; 440 440 + map->elements = elements; 441 441 + map->hosts = hosts; 442 442 + map->netmask = netmask; 443 443 + map->timeout = IPSET_NO_TIMEOUT; 444 444 + 445 445 + set->data = map; 446 446 + set->family = AF_INET; 447 447 + 448 448 + return true; 449 449 + } 450 450 + 451 451 + static int 452 452 + bitmap_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags) 453 453 + { 454 454 + struct bitmap_ip *map; 455 455 + u32 first_ip, last_ip, hosts, elements; 456 456 + u8 netmask = 32; 457 457 + int ret; 458 458 + 459 459 + if (unlikely(!tb[IPSET_ATTR_IP] || 460 460 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 461 461 + return -IPSET_ERR_PROTOCOL; 462 462 + 463 463 + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &first_ip); 464 464 + if (ret) 465 465 + return ret; 466 466 + 467 467 + if (tb[IPSET_ATTR_IP_TO]) { 468 468 + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &last_ip); 469 469 + if (ret) 470 470 + return ret; 471 471 + if (first_ip > last_ip) { 472 472 + u32 tmp = first_ip; 473 473 + 474 474 + first_ip = last_ip; 475 475 + last_ip = tmp; 476 476 + } 477 477 + } else if (tb[IPSET_ATTR_CIDR]) { 478 478 + u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); 479 479 + 480 480 + if (cidr >= 32) 481 481 + return -IPSET_ERR_INVALID_CIDR; 482 482 + last_ip = first_ip | ~ip_set_hostmask(cidr); 483 483 + } else 484 484 + return -IPSET_ERR_PROTOCOL; 485 485 + 486 486 + if (tb[IPSET_ATTR_NETMASK]) { 487 487 + netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]); 488 488 + 489 489 + if (netmask > 32) 490 490 + return -IPSET_ERR_INVALID_NETMASK; 491 491 + 492 492 + first_ip &= ip_set_hostmask(netmask); 493 493 + last_ip |= ~ip_set_hostmask(netmask); 494 494 + } 495 495 + 496 496 + if (netmask == 32) { 497 497 + hosts = 1; 498 498 + elements = last_ip - first_ip + 1; 499 499 + } else { 500 500 + u8 mask_bits; 501 501 + u32 mask; 502 502 + 503 503 + mask = range_to_mask(first_ip, last_ip, &mask_bits); 504 504 + 505 505 + if ((!mask && (first_ip || last_ip != 0xFFFFFFFF)) || 506 506 + netmask <= mask_bits) 507 507 + return -IPSET_ERR_BITMAP_RANGE; 508 508 + 509 509 + pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask); 510 510 + hosts = 2 << (32 - netmask - 1); 511 511 + elements = 2 << (netmask - mask_bits - 1); 512 512 + } 513 513 + if (elements > IPSET_BITMAP_MAX_RANGE + 1) 514 514 + return -IPSET_ERR_BITMAP_RANGE_SIZE; 515 515 + 516 516 + pr_debug("hosts %u, elements %u\n", hosts, elements); 517 517 + 518 518 + map = kzalloc(sizeof(*map), GFP_KERNEL); 519 519 + if (!map) 520 520 + return -ENOMEM; 521 521 + 522 522 + if (tb[IPSET_ATTR_TIMEOUT]) { 523 523 + map->memsize = elements * sizeof(unsigned long); 524 524 + 525 525 + if (!init_map_ip(set, map, first_ip, last_ip, 526 526 + elements, hosts, netmask)) { 527 527 + kfree(map); 528 528 + return -ENOMEM; 529 529 + } 530 530 + 531 531 + map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 532 532 + set->variant = &bitmap_tip; 533 533 + 534 534 + bitmap_ip_gc_init(set); 535 535 + } else { 536 536 + map->memsize = bitmap_bytes(0, elements - 1); 537 537 + 538 538 + if (!init_map_ip(set, map, first_ip, last_ip, 539 539 + elements, hosts, netmask)) { 540 540 + kfree(map); 541 541 + return -ENOMEM; 542 542 + } 543 543 + 544 544 + set->variant = &bitmap_ip; 545 545 + } 546 546 + return 0; 547 547 + } 548 548 + 549 549 + static struct ip_set_type bitmap_ip_type __read_mostly = { 550 550 + .name = "bitmap:ip", 551 551 + .protocol = IPSET_PROTOCOL, 552 552 + .features = IPSET_TYPE_IP, 553 553 + .dimension = IPSET_DIM_ONE, 554 554 + .family = AF_INET, 555 555 + .revision = 0, 556 556 + .create = bitmap_ip_create, 557 557 + .create_policy = { 558 558 + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, 559 559 + [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, 560 560 + [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, 561 561 + [IPSET_ATTR_NETMASK] = { .type = NLA_U8 }, 562 562 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 563 563 + }, 564 564 + .adt_policy = { 565 565 + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, 566 566 + [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, 567 567 + [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, 568 568 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 569 569 + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, 570 570 + }, 571 571 + .me = THIS_MODULE, 572 572 + }; 573 573 + 574 574 + static int __init 575 575 + bitmap_ip_init(void) 576 576 + { 577 577 + return ip_set_type_register(&bitmap_ip_type); 578 578 + } 579 579 + 580 580 + static void __exit 581 581 + bitmap_ip_fini(void) 582 582 + { 583 583 + ip_set_type_unregister(&bitmap_ip_type); 584 584 + } 585 585 + 586 586 + module_init(bitmap_ip_init); 587 587 + module_exit(bitmap_ip_fini);

+652

net/netfilter/ipset/ip_set_bitmap_ipmac.c

reviewed

··· 1 1 + /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> 2 2 + * Patrick Schaaf <bof@bof.de> 3 3 + * Martin Josefsson <gandalf@wlug.westbo.se> 4 4 + * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 5 5 + * 6 6 + * This program is free software; you can redistribute it and/or modify 7 7 + * it under the terms of the GNU General Public License version 2 as 8 8 + * published by the Free Software Foundation. 9 9 + */ 10 10 + 11 11 + /* Kernel module implementing an IP set type: the bitmap:ip,mac type */ 12 12 + 13 13 + #include <linux/module.h> 14 14 + #include <linux/ip.h> 15 15 + #include <linux/etherdevice.h> 16 16 + #include <linux/skbuff.h> 17 17 + #include <linux/errno.h> 18 18 + #include <linux/if_ether.h> 19 19 + #include <linux/netlink.h> 20 20 + #include <linux/jiffies.h> 21 21 + #include <linux/timer.h> 22 22 + #include <net/netlink.h> 23 23 + 24 24 + #include <linux/netfilter/ipset/pfxlen.h> 25 25 + #include <linux/netfilter/ipset/ip_set.h> 26 26 + #include <linux/netfilter/ipset/ip_set_timeout.h> 27 27 + #include <linux/netfilter/ipset/ip_set_bitmap.h> 28 28 + 29 29 + MODULE_LICENSE("GPL"); 30 30 + MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 31 31 + MODULE_DESCRIPTION("bitmap:ip,mac type of IP sets"); 32 32 + MODULE_ALIAS("ip_set_bitmap:ip,mac"); 33 33 + 34 34 + enum { 35 35 + MAC_EMPTY, /* element is not set */ 36 36 + MAC_FILLED, /* element is set with MAC */ 37 37 + MAC_UNSET, /* element is set, without MAC */ 38 38 + }; 39 39 + 40 40 + /* Type structure */ 41 41 + struct bitmap_ipmac { 42 42 + void *members; /* the set members */ 43 43 + u32 first_ip; /* host byte order, included in range */ 44 44 + u32 last_ip; /* host byte order, included in range */ 45 45 + u32 timeout; /* timeout value */ 46 46 + struct timer_list gc; /* garbage collector */ 47 47 + size_t dsize; /* size of element */ 48 48 + }; 49 49 + 50 50 + /* ADT structure for generic function args */ 51 51 + struct ipmac { 52 52 + u32 id; /* id in array */ 53 53 + unsigned char *ether; /* ethernet address */ 54 54 + }; 55 55 + 56 56 + /* Member element without and with timeout */ 57 57 + 58 58 + struct ipmac_elem { 59 59 + unsigned char ether[ETH_ALEN]; 60 60 + unsigned char match; 61 61 + } __attribute__ ((aligned)); 62 62 + 63 63 + struct ipmac_telem { 64 64 + unsigned char ether[ETH_ALEN]; 65 65 + unsigned char match; 66 66 + unsigned long timeout; 67 67 + } __attribute__ ((aligned)); 68 68 + 69 69 + static inline void * 70 70 + bitmap_ipmac_elem(const struct bitmap_ipmac *map, u32 id) 71 71 + { 72 72 + return (void *)((char *)map->members + id * map->dsize); 73 73 + } 74 74 + 75 75 + static inline bool 76 76 + bitmap_timeout(const struct bitmap_ipmac *map, u32 id) 77 77 + { 78 78 + const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id); 79 79 + 80 80 + return ip_set_timeout_test(elem->timeout); 81 81 + } 82 82 + 83 83 + static inline bool 84 84 + bitmap_expired(const struct bitmap_ipmac *map, u32 id) 85 85 + { 86 86 + const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id); 87 87 + 88 88 + return ip_set_timeout_expired(elem->timeout); 89 89 + } 90 90 + 91 91 + static inline int 92 92 + bitmap_ipmac_exist(const struct ipmac_telem *elem) 93 93 + { 94 94 + return elem->match == MAC_UNSET || 95 95 + (elem->match == MAC_FILLED && 96 96 + !ip_set_timeout_expired(elem->timeout)); 97 97 + } 98 98 + 99 99 + /* Base variant */ 100 100 + 101 101 + static int 102 102 + bitmap_ipmac_test(struct ip_set *set, void *value, u32 timeout) 103 103 + { 104 104 + const struct bitmap_ipmac *map = set->data; 105 105 + const struct ipmac *data = value; 106 106 + const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id); 107 107 + 108 108 + switch (elem->match) { 109 109 + case MAC_UNSET: 110 110 + /* Trigger kernel to fill out the ethernet address */ 111 111 + return -EAGAIN; 112 112 + case MAC_FILLED: 113 113 + return data->ether == NULL || 114 114 + compare_ether_addr(data->ether, elem->ether) == 0; 115 115 + } 116 116 + return 0; 117 117 + } 118 118 + 119 119 + static int 120 120 + bitmap_ipmac_add(struct ip_set *set, void *value, u32 timeout) 121 121 + { 122 122 + struct bitmap_ipmac *map = set->data; 123 123 + const struct ipmac *data = value; 124 124 + struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id); 125 125 + 126 126 + switch (elem->match) { 127 127 + case MAC_UNSET: 128 128 + if (!data->ether) 129 129 + /* Already added without ethernet address */ 130 130 + return -IPSET_ERR_EXIST; 131 131 + /* Fill the MAC address */ 132 132 + memcpy(elem->ether, data->ether, ETH_ALEN); 133 133 + elem->match = MAC_FILLED; 134 134 + break; 135 135 + case MAC_FILLED: 136 136 + return -IPSET_ERR_EXIST; 137 137 + case MAC_EMPTY: 138 138 + if (data->ether) { 139 139 + memcpy(elem->ether, data->ether, ETH_ALEN); 140 140 + elem->match = MAC_FILLED; 141 141 + } else 142 142 + elem->match = MAC_UNSET; 143 143 + } 144 144 + 145 145 + return 0; 146 146 + } 147 147 + 148 148 + static int 149 149 + bitmap_ipmac_del(struct ip_set *set, void *value, u32 timeout) 150 150 + { 151 151 + struct bitmap_ipmac *map = set->data; 152 152 + const struct ipmac *data = value; 153 153 + struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id); 154 154 + 155 155 + if (elem->match == MAC_EMPTY) 156 156 + return -IPSET_ERR_EXIST; 157 157 + 158 158 + elem->match = MAC_EMPTY; 159 159 + 160 160 + return 0; 161 161 + } 162 162 + 163 163 + static int 164 164 + bitmap_ipmac_list(const struct ip_set *set, 165 165 + struct sk_buff *skb, struct netlink_callback *cb) 166 166 + { 167 167 + const struct bitmap_ipmac *map = set->data; 168 168 + const struct ipmac_elem *elem; 169 169 + struct nlattr *atd, *nested; 170 170 + u32 id, first = cb->args[2]; 171 171 + u32 last = map->last_ip - map->first_ip; 172 172 + 173 173 + atd = ipset_nest_start(skb, IPSET_ATTR_ADT); 174 174 + if (!atd) 175 175 + return -EMSGSIZE; 176 176 + for (; cb->args[2] <= last; cb->args[2]++) { 177 177 + id = cb->args[2]; 178 178 + elem = bitmap_ipmac_elem(map, id); 179 179 + if (elem->match == MAC_EMPTY) 180 180 + continue; 181 181 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 182 182 + if (!nested) { 183 183 + if (id == first) { 184 184 + nla_nest_cancel(skb, atd); 185 185 + return -EMSGSIZE; 186 186 + } else 187 187 + goto nla_put_failure; 188 188 + } 189 189 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, 190 190 + htonl(map->first_ip + id)); 191 191 + if (elem->match == MAC_FILLED) 192 192 + NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN, 193 193 + elem->ether); 194 194 + ipset_nest_end(skb, nested); 195 195 + } 196 196 + ipset_nest_end(skb, atd); 197 197 + /* Set listing finished */ 198 198 + cb->args[2] = 0; 199 199 + 200 200 + return 0; 201 201 + 202 202 + nla_put_failure: 203 203 + nla_nest_cancel(skb, nested); 204 204 + ipset_nest_end(skb, atd); 205 205 + if (unlikely(id == first)) { 206 206 + cb->args[2] = 0; 207 207 + return -EMSGSIZE; 208 208 + } 209 209 + return 0; 210 210 + } 211 211 + 212 212 + /* Timeout variant */ 213 213 + 214 214 + static int 215 215 + bitmap_ipmac_ttest(struct ip_set *set, void *value, u32 timeout) 216 216 + { 217 217 + const struct bitmap_ipmac *map = set->data; 218 218 + const struct ipmac *data = value; 219 219 + const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id); 220 220 + 221 221 + switch (elem->match) { 222 222 + case MAC_UNSET: 223 223 + /* Trigger kernel to fill out the ethernet address */ 224 224 + return -EAGAIN; 225 225 + case MAC_FILLED: 226 226 + return (data->ether == NULL || 227 227 + compare_ether_addr(data->ether, elem->ether) == 0) && 228 228 + !bitmap_expired(map, data->id); 229 229 + } 230 230 + return 0; 231 231 + } 232 232 + 233 233 + static int 234 234 + bitmap_ipmac_tadd(struct ip_set *set, void *value, u32 timeout) 235 235 + { 236 236 + struct bitmap_ipmac *map = set->data; 237 237 + const struct ipmac *data = value; 238 238 + struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id); 239 239 + 240 240 + switch (elem->match) { 241 241 + case MAC_UNSET: 242 242 + if (!data->ether) 243 243 + /* Already added without ethernet address */ 244 244 + return -IPSET_ERR_EXIST; 245 245 + /* Fill the MAC address and activate the timer */ 246 246 + memcpy(elem->ether, data->ether, ETH_ALEN); 247 247 + elem->match = MAC_FILLED; 248 248 + if (timeout == map->timeout) 249 249 + /* Timeout was not specified, get stored one */ 250 250 + timeout = elem->timeout; 251 251 + elem->timeout = ip_set_timeout_set(timeout); 252 252 + break; 253 253 + case MAC_FILLED: 254 254 + if (!bitmap_expired(map, data->id)) 255 255 + return -IPSET_ERR_EXIST; 256 256 + /* Fall through */ 257 257 + case MAC_EMPTY: 258 258 + if (data->ether) { 259 259 + memcpy(elem->ether, data->ether, ETH_ALEN); 260 260 + elem->match = MAC_FILLED; 261 261 + } else 262 262 + elem->match = MAC_UNSET; 263 263 + /* If MAC is unset yet, we store plain timeout value 264 264 + * because the timer is not activated yet 265 265 + * and we can reuse it later when MAC is filled out, 266 266 + * possibly by the kernel */ 267 267 + elem->timeout = data->ether ? ip_set_timeout_set(timeout) 268 268 + : timeout; 269 269 + break; 270 270 + } 271 271 + 272 272 + return 0; 273 273 + } 274 274 + 275 275 + static int 276 276 + bitmap_ipmac_tdel(struct ip_set *set, void *value, u32 timeout) 277 277 + { 278 278 + struct bitmap_ipmac *map = set->data; 279 279 + const struct ipmac *data = value; 280 280 + struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id); 281 281 + 282 282 + if (elem->match == MAC_EMPTY || bitmap_expired(map, data->id)) 283 283 + return -IPSET_ERR_EXIST; 284 284 + 285 285 + elem->match = MAC_EMPTY; 286 286 + 287 287 + return 0; 288 288 + } 289 289 + 290 290 + static int 291 291 + bitmap_ipmac_tlist(const struct ip_set *set, 292 292 + struct sk_buff *skb, struct netlink_callback *cb) 293 293 + { 294 294 + const struct bitmap_ipmac *map = set->data; 295 295 + const struct ipmac_telem *elem; 296 296 + struct nlattr *atd, *nested; 297 297 + u32 id, first = cb->args[2]; 298 298 + u32 timeout, last = map->last_ip - map->first_ip; 299 299 + 300 300 + atd = ipset_nest_start(skb, IPSET_ATTR_ADT); 301 301 + if (!atd) 302 302 + return -EMSGSIZE; 303 303 + for (; cb->args[2] <= last; cb->args[2]++) { 304 304 + id = cb->args[2]; 305 305 + elem = bitmap_ipmac_elem(map, id); 306 306 + if (!bitmap_ipmac_exist(elem)) 307 307 + continue; 308 308 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 309 309 + if (!nested) { 310 310 + if (id == first) { 311 311 + nla_nest_cancel(skb, atd); 312 312 + return -EMSGSIZE; 313 313 + } else 314 314 + goto nla_put_failure; 315 315 + } 316 316 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, 317 317 + htonl(map->first_ip + id)); 318 318 + if (elem->match == MAC_FILLED) 319 319 + NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN, 320 320 + elem->ether); 321 321 + timeout = elem->match == MAC_UNSET ? elem->timeout 322 322 + : ip_set_timeout_get(elem->timeout); 323 323 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(timeout)); 324 324 + ipset_nest_end(skb, nested); 325 325 + } 326 326 + ipset_nest_end(skb, atd); 327 327 + /* Set listing finished */ 328 328 + cb->args[2] = 0; 329 329 + 330 330 + return 0; 331 331 + 332 332 + nla_put_failure: 333 333 + nla_nest_cancel(skb, nested); 334 334 + ipset_nest_end(skb, atd); 335 335 + return -EMSGSIZE; 336 336 + } 337 337 + 338 338 + static int 339 339 + bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb, 340 340 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 341 341 + { 342 342 + struct bitmap_ipmac *map = set->data; 343 343 + ipset_adtfn adtfn = set->variant->adt[adt]; 344 344 + struct ipmac data; 345 345 + 346 346 + data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC)); 347 347 + if (data.id < map->first_ip || data.id > map->last_ip) 348 348 + return -IPSET_ERR_BITMAP_RANGE; 349 349 + 350 350 + /* Backward compatibility: we don't check the second flag */ 351 351 + if (skb_mac_header(skb) < skb->head || 352 352 + (skb_mac_header(skb) + ETH_HLEN) > skb->data) 353 353 + return -EINVAL; 354 354 + 355 355 + data.id -= map->first_ip; 356 356 + data.ether = eth_hdr(skb)->h_source; 357 357 + 358 358 + return adtfn(set, &data, map->timeout); 359 359 + } 360 360 + 361 361 + static int 362 362 + bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[], 363 363 + enum ipset_adt adt, u32 *lineno, u32 flags) 364 364 + { 365 365 + const struct bitmap_ipmac *map = set->data; 366 366 + ipset_adtfn adtfn = set->variant->adt[adt]; 367 367 + struct ipmac data; 368 368 + u32 timeout = map->timeout; 369 369 + int ret = 0; 370 370 + 371 371 + if (unlikely(!tb[IPSET_ATTR_IP] || 372 372 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 373 373 + return -IPSET_ERR_PROTOCOL; 374 374 + 375 375 + if (tb[IPSET_ATTR_LINENO]) 376 376 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 377 377 + 378 378 + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &data.id); 379 379 + if (ret) 380 380 + return ret; 381 381 + 382 382 + if (data.id < map->first_ip || data.id > map->last_ip) 383 383 + return -IPSET_ERR_BITMAP_RANGE; 384 384 + 385 385 + if (tb[IPSET_ATTR_ETHER]) 386 386 + data.ether = nla_data(tb[IPSET_ATTR_ETHER]); 387 387 + else 388 388 + data.ether = NULL; 389 389 + 390 390 + if (tb[IPSET_ATTR_TIMEOUT]) { 391 391 + if (!with_timeout(map->timeout)) 392 392 + return -IPSET_ERR_TIMEOUT; 393 393 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 394 394 + } 395 395 + 396 396 + data.id -= map->first_ip; 397 397 + 398 398 + ret = adtfn(set, &data, timeout); 399 399 + 400 400 + return ip_set_eexist(ret, flags) ? 0 : ret; 401 401 + } 402 402 + 403 403 + static void 404 404 + bitmap_ipmac_destroy(struct ip_set *set) 405 405 + { 406 406 + struct bitmap_ipmac *map = set->data; 407 407 + 408 408 + if (with_timeout(map->timeout)) 409 409 + del_timer_sync(&map->gc); 410 410 + 411 411 + ip_set_free(map->members); 412 412 + kfree(map); 413 413 + 414 414 + set->data = NULL; 415 415 + } 416 416 + 417 417 + static void 418 418 + bitmap_ipmac_flush(struct ip_set *set) 419 419 + { 420 420 + struct bitmap_ipmac *map = set->data; 421 421 + 422 422 + memset(map->members, 0, 423 423 + (map->last_ip - map->first_ip + 1) * map->dsize); 424 424 + } 425 425 + 426 426 + static int 427 427 + bitmap_ipmac_head(struct ip_set *set, struct sk_buff *skb) 428 428 + { 429 429 + const struct bitmap_ipmac *map = set->data; 430 430 + struct nlattr *nested; 431 431 + 432 432 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 433 433 + if (!nested) 434 434 + goto nla_put_failure; 435 435 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip)); 436 436 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip)); 437 437 + NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, 438 438 + htonl(atomic_read(&set->ref) - 1)); 439 439 + NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE, 440 440 + htonl(sizeof(*map) 441 441 + + (map->last_ip - map->first_ip + 1) * map->dsize)); 442 442 + if (with_timeout(map->timeout)) 443 443 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout)); 444 444 + ipset_nest_end(skb, nested); 445 445 + 446 446 + return 0; 447 447 + nla_put_failure: 448 448 + return -EMSGSIZE; 449 449 + } 450 450 + 451 451 + static bool 452 452 + bitmap_ipmac_same_set(const struct ip_set *a, const struct ip_set *b) 453 453 + { 454 454 + const struct bitmap_ipmac *x = a->data; 455 455 + const struct bitmap_ipmac *y = b->data; 456 456 + 457 457 + return x->first_ip == y->first_ip && 458 458 + x->last_ip == y->last_ip && 459 459 + x->timeout == y->timeout; 460 460 + } 461 461 + 462 462 + static const struct ip_set_type_variant bitmap_ipmac = { 463 463 + .kadt = bitmap_ipmac_kadt, 464 464 + .uadt = bitmap_ipmac_uadt, 465 465 + .adt = { 466 466 + [IPSET_ADD] = bitmap_ipmac_add, 467 467 + [IPSET_DEL] = bitmap_ipmac_del, 468 468 + [IPSET_TEST] = bitmap_ipmac_test, 469 469 + }, 470 470 + .destroy = bitmap_ipmac_destroy, 471 471 + .flush = bitmap_ipmac_flush, 472 472 + .head = bitmap_ipmac_head, 473 473 + .list = bitmap_ipmac_list, 474 474 + .same_set = bitmap_ipmac_same_set, 475 475 + }; 476 476 + 477 477 + static const struct ip_set_type_variant bitmap_tipmac = { 478 478 + .kadt = bitmap_ipmac_kadt, 479 479 + .uadt = bitmap_ipmac_uadt, 480 480 + .adt = { 481 481 + [IPSET_ADD] = bitmap_ipmac_tadd, 482 482 + [IPSET_DEL] = bitmap_ipmac_tdel, 483 483 + [IPSET_TEST] = bitmap_ipmac_ttest, 484 484 + }, 485 485 + .destroy = bitmap_ipmac_destroy, 486 486 + .flush = bitmap_ipmac_flush, 487 487 + .head = bitmap_ipmac_head, 488 488 + .list = bitmap_ipmac_tlist, 489 489 + .same_set = bitmap_ipmac_same_set, 490 490 + }; 491 491 + 492 492 + static void 493 493 + bitmap_ipmac_gc(unsigned long ul_set) 494 494 + { 495 495 + struct ip_set *set = (struct ip_set *) ul_set; 496 496 + struct bitmap_ipmac *map = set->data; 497 497 + struct ipmac_telem *elem; 498 498 + u32 id, last = map->last_ip - map->first_ip; 499 499 + 500 500 + /* We run parallel with other readers (test element) 501 501 + * but adding/deleting new entries is locked out */ 502 502 + read_lock_bh(&set->lock); 503 503 + for (id = 0; id <= last; id++) { 504 504 + elem = bitmap_ipmac_elem(map, id); 505 505 + if (elem->match == MAC_FILLED && 506 506 + ip_set_timeout_expired(elem->timeout)) 507 507 + elem->match = MAC_EMPTY; 508 508 + } 509 509 + read_unlock_bh(&set->lock); 510 510 + 511 511 + map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ; 512 512 + add_timer(&map->gc); 513 513 + } 514 514 + 515 515 + static void 516 516 + bitmap_ipmac_gc_init(struct ip_set *set) 517 517 + { 518 518 + struct bitmap_ipmac *map = set->data; 519 519 + 520 520 + init_timer(&map->gc); 521 521 + map->gc.data = (unsigned long) set; 522 522 + map->gc.function = bitmap_ipmac_gc; 523 523 + map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ; 524 524 + add_timer(&map->gc); 525 525 + } 526 526 + 527 527 + /* Create bitmap:ip,mac type of sets */ 528 528 + 529 529 + static bool 530 530 + init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map, 531 531 + u32 first_ip, u32 last_ip) 532 532 + { 533 533 + map->members = ip_set_alloc((last_ip - first_ip + 1) * map->dsize); 534 534 + if (!map->members) 535 535 + return false; 536 536 + map->first_ip = first_ip; 537 537 + map->last_ip = last_ip; 538 538 + map->timeout = IPSET_NO_TIMEOUT; 539 539 + 540 540 + set->data = map; 541 541 + set->family = AF_INET; 542 542 + 543 543 + return true; 544 544 + } 545 545 + 546 546 + static int 547 547 + bitmap_ipmac_create(struct ip_set *set, struct nlattr *tb[], 548 548 + u32 flags) 549 549 + { 550 550 + u32 first_ip, last_ip, elements; 551 551 + struct bitmap_ipmac *map; 552 552 + int ret; 553 553 + 554 554 + if (unlikely(!tb[IPSET_ATTR_IP] || 555 555 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 556 556 + return -IPSET_ERR_PROTOCOL; 557 557 + 558 558 + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &first_ip); 559 559 + if (ret) 560 560 + return ret; 561 561 + 562 562 + if (tb[IPSET_ATTR_IP_TO]) { 563 563 + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &last_ip); 564 564 + if (ret) 565 565 + return ret; 566 566 + if (first_ip > last_ip) { 567 567 + u32 tmp = first_ip; 568 568 + 569 569 + first_ip = last_ip; 570 570 + last_ip = tmp; 571 571 + } 572 572 + } else if (tb[IPSET_ATTR_CIDR]) { 573 573 + u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); 574 574 + 575 575 + if (cidr >= 32) 576 576 + return -IPSET_ERR_INVALID_CIDR; 577 577 + last_ip = first_ip | ~ip_set_hostmask(cidr); 578 578 + } else 579 579 + return -IPSET_ERR_PROTOCOL; 580 580 + 581 581 + elements = last_ip - first_ip + 1; 582 582 + 583 583 + if (elements > IPSET_BITMAP_MAX_RANGE + 1) 584 584 + return -IPSET_ERR_BITMAP_RANGE_SIZE; 585 585 + 586 586 + map = kzalloc(sizeof(*map), GFP_KERNEL); 587 587 + if (!map) 588 588 + return -ENOMEM; 589 589 + 590 590 + if (tb[IPSET_ATTR_TIMEOUT]) { 591 591 + map->dsize = sizeof(struct ipmac_telem); 592 592 + 593 593 + if (!init_map_ipmac(set, map, first_ip, last_ip)) { 594 594 + kfree(map); 595 595 + return -ENOMEM; 596 596 + } 597 597 + 598 598 + map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 599 599 + 600 600 + set->variant = &bitmap_tipmac; 601 601 + 602 602 + bitmap_ipmac_gc_init(set); 603 603 + } else { 604 604 + map->dsize = sizeof(struct ipmac_elem); 605 605 + 606 606 + if (!init_map_ipmac(set, map, first_ip, last_ip)) { 607 607 + kfree(map); 608 608 + return -ENOMEM; 609 609 + } 610 610 + set->variant = &bitmap_ipmac; 611 611 + 612 612 + } 613 613 + return 0; 614 614 + } 615 615 + 616 616 + static struct ip_set_type bitmap_ipmac_type = { 617 617 + .name = "bitmap:ip,mac", 618 618 + .protocol = IPSET_PROTOCOL, 619 619 + .features = IPSET_TYPE_IP | IPSET_TYPE_MAC, 620 620 + .dimension = IPSET_DIM_TWO, 621 621 + .family = AF_INET, 622 622 + .revision = 0, 623 623 + .create = bitmap_ipmac_create, 624 624 + .create_policy = { 625 625 + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, 626 626 + [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, 627 627 + [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, 628 628 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 629 629 + }, 630 630 + .adt_policy = { 631 631 + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, 632 632 + [IPSET_ATTR_ETHER] = { .type = NLA_BINARY, .len = ETH_ALEN }, 633 633 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 634 634 + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, 635 635 + }, 636 636 + .me = THIS_MODULE, 637 637 + }; 638 638 + 639 639 + static int __init 640 640 + bitmap_ipmac_init(void) 641 641 + { 642 642 + return ip_set_type_register(&bitmap_ipmac_type); 643 643 + } 644 644 + 645 645 + static void __exit 646 646 + bitmap_ipmac_fini(void) 647 647 + { 648 648 + ip_set_type_unregister(&bitmap_ipmac_type); 649 649 + } 650 650 + 651 651 + module_init(bitmap_ipmac_init); 652 652 + module_exit(bitmap_ipmac_fini);

+515

net/netfilter/ipset/ip_set_bitmap_port.c

reviewed

··· 1 1 + /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2 2 + * 3 3 + * This program is free software; you can redistribute it and/or modify 4 4 + * it under the terms of the GNU General Public License version 2 as 5 5 + * published by the Free Software Foundation. 6 6 + */ 7 7 + 8 8 + /* Kernel module implementing an IP set type: the bitmap:port type */ 9 9 + 10 10 + #include <linux/module.h> 11 11 + #include <linux/ip.h> 12 12 + #include <linux/skbuff.h> 13 13 + #include <linux/errno.h> 14 14 + #include <linux/netlink.h> 15 15 + #include <linux/jiffies.h> 16 16 + #include <linux/timer.h> 17 17 + #include <net/netlink.h> 18 18 + 19 19 + #include <linux/netfilter/ipset/ip_set.h> 20 20 + #include <linux/netfilter/ipset/ip_set_bitmap.h> 21 21 + #include <linux/netfilter/ipset/ip_set_getport.h> 22 22 + #define IP_SET_BITMAP_TIMEOUT 23 23 + #include <linux/netfilter/ipset/ip_set_timeout.h> 24 24 + 25 25 + MODULE_LICENSE("GPL"); 26 26 + MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 27 27 + MODULE_DESCRIPTION("bitmap:port type of IP sets"); 28 28 + MODULE_ALIAS("ip_set_bitmap:port"); 29 29 + 30 30 + /* Type structure */ 31 31 + struct bitmap_port { 32 32 + void *members; /* the set members */ 33 33 + u16 first_port; /* host byte order, included in range */ 34 34 + u16 last_port; /* host byte order, included in range */ 35 35 + size_t memsize; /* members size */ 36 36 + u32 timeout; /* timeout parameter */ 37 37 + struct timer_list gc; /* garbage collection */ 38 38 + }; 39 39 + 40 40 + /* Base variant */ 41 41 + 42 42 + static int 43 43 + bitmap_port_test(struct ip_set *set, void *value, u32 timeout) 44 44 + { 45 45 + const struct bitmap_port *map = set->data; 46 46 + u16 id = *(u16 *)value; 47 47 + 48 48 + return !!test_bit(id, map->members); 49 49 + } 50 50 + 51 51 + static int 52 52 + bitmap_port_add(struct ip_set *set, void *value, u32 timeout) 53 53 + { 54 54 + struct bitmap_port *map = set->data; 55 55 + u16 id = *(u16 *)value; 56 56 + 57 57 + if (test_and_set_bit(id, map->members)) 58 58 + return -IPSET_ERR_EXIST; 59 59 + 60 60 + return 0; 61 61 + } 62 62 + 63 63 + static int 64 64 + bitmap_port_del(struct ip_set *set, void *value, u32 timeout) 65 65 + { 66 66 + struct bitmap_port *map = set->data; 67 67 + u16 id = *(u16 *)value; 68 68 + 69 69 + if (!test_and_clear_bit(id, map->members)) 70 70 + return -IPSET_ERR_EXIST; 71 71 + 72 72 + return 0; 73 73 + } 74 74 + 75 75 + static int 76 76 + bitmap_port_list(const struct ip_set *set, 77 77 + struct sk_buff *skb, struct netlink_callback *cb) 78 78 + { 79 79 + const struct bitmap_port *map = set->data; 80 80 + struct nlattr *atd, *nested; 81 81 + u16 id, first = cb->args[2]; 82 82 + u16 last = map->last_port - map->first_port; 83 83 + 84 84 + atd = ipset_nest_start(skb, IPSET_ATTR_ADT); 85 85 + if (!atd) 86 86 + return -EMSGSIZE; 87 87 + for (; cb->args[2] <= last; cb->args[2]++) { 88 88 + id = cb->args[2]; 89 89 + if (!test_bit(id, map->members)) 90 90 + continue; 91 91 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 92 92 + if (!nested) { 93 93 + if (id == first) { 94 94 + nla_nest_cancel(skb, atd); 95 95 + return -EMSGSIZE; 96 96 + } else 97 97 + goto nla_put_failure; 98 98 + } 99 99 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, 100 100 + htons(map->first_port + id)); 101 101 + ipset_nest_end(skb, nested); 102 102 + } 103 103 + ipset_nest_end(skb, atd); 104 104 + /* Set listing finished */ 105 105 + cb->args[2] = 0; 106 106 + 107 107 + return 0; 108 108 + 109 109 + nla_put_failure: 110 110 + nla_nest_cancel(skb, nested); 111 111 + ipset_nest_end(skb, atd); 112 112 + if (unlikely(id == first)) { 113 113 + cb->args[2] = 0; 114 114 + return -EMSGSIZE; 115 115 + } 116 116 + return 0; 117 117 + } 118 118 + 119 119 + /* Timeout variant */ 120 120 + 121 121 + static int 122 122 + bitmap_port_ttest(struct ip_set *set, void *value, u32 timeout) 123 123 + { 124 124 + const struct bitmap_port *map = set->data; 125 125 + const unsigned long *members = map->members; 126 126 + u16 id = *(u16 *)value; 127 127 + 128 128 + return ip_set_timeout_test(members[id]); 129 129 + } 130 130 + 131 131 + static int 132 132 + bitmap_port_tadd(struct ip_set *set, void *value, u32 timeout) 133 133 + { 134 134 + struct bitmap_port *map = set->data; 135 135 + unsigned long *members = map->members; 136 136 + u16 id = *(u16 *)value; 137 137 + 138 138 + if (ip_set_timeout_test(members[id])) 139 139 + return -IPSET_ERR_EXIST; 140 140 + 141 141 + members[id] = ip_set_timeout_set(timeout); 142 142 + 143 143 + return 0; 144 144 + } 145 145 + 146 146 + static int 147 147 + bitmap_port_tdel(struct ip_set *set, void *value, u32 timeout) 148 148 + { 149 149 + struct bitmap_port *map = set->data; 150 150 + unsigned long *members = map->members; 151 151 + u16 id = *(u16 *)value; 152 152 + int ret = -IPSET_ERR_EXIST; 153 153 + 154 154 + if (ip_set_timeout_test(members[id])) 155 155 + ret = 0; 156 156 + 157 157 + members[id] = IPSET_ELEM_UNSET; 158 158 + return ret; 159 159 + } 160 160 + 161 161 + static int 162 162 + bitmap_port_tlist(const struct ip_set *set, 163 163 + struct sk_buff *skb, struct netlink_callback *cb) 164 164 + { 165 165 + const struct bitmap_port *map = set->data; 166 166 + struct nlattr *adt, *nested; 167 167 + u16 id, first = cb->args[2]; 168 168 + u16 last = map->last_port - map->first_port; 169 169 + const unsigned long *members = map->members; 170 170 + 171 171 + adt = ipset_nest_start(skb, IPSET_ATTR_ADT); 172 172 + if (!adt) 173 173 + return -EMSGSIZE; 174 174 + for (; cb->args[2] <= last; cb->args[2]++) { 175 175 + id = cb->args[2]; 176 176 + if (!ip_set_timeout_test(members[id])) 177 177 + continue; 178 178 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 179 179 + if (!nested) { 180 180 + if (id == first) { 181 181 + nla_nest_cancel(skb, adt); 182 182 + return -EMSGSIZE; 183 183 + } else 184 184 + goto nla_put_failure; 185 185 + } 186 186 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, 187 187 + htons(map->first_port + id)); 188 188 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 189 189 + htonl(ip_set_timeout_get(members[id]))); 190 190 + ipset_nest_end(skb, nested); 191 191 + } 192 192 + ipset_nest_end(skb, adt); 193 193 + 194 194 + /* Set listing finished */ 195 195 + cb->args[2] = 0; 196 196 + 197 197 + return 0; 198 198 + 199 199 + nla_put_failure: 200 200 + nla_nest_cancel(skb, nested); 201 201 + ipset_nest_end(skb, adt); 202 202 + if (unlikely(id == first)) { 203 203 + cb->args[2] = 0; 204 204 + return -EMSGSIZE; 205 205 + } 206 206 + return 0; 207 207 + } 208 208 + 209 209 + static int 210 210 + bitmap_port_kadt(struct ip_set *set, const struct sk_buff *skb, 211 211 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 212 212 + { 213 213 + struct bitmap_port *map = set->data; 214 214 + ipset_adtfn adtfn = set->variant->adt[adt]; 215 215 + __be16 __port; 216 216 + u16 port = 0; 217 217 + 218 218 + if (!ip_set_get_ip_port(skb, pf, flags & IPSET_DIM_ONE_SRC, &__port)) 219 219 + return -EINVAL; 220 220 + 221 221 + port = ntohs(__port); 222 222 + 223 223 + if (port < map->first_port || port > map->last_port) 224 224 + return -IPSET_ERR_BITMAP_RANGE; 225 225 + 226 226 + port -= map->first_port; 227 227 + 228 228 + return adtfn(set, &port, map->timeout); 229 229 + } 230 230 + 231 231 + static int 232 232 + bitmap_port_uadt(struct ip_set *set, struct nlattr *tb[], 233 233 + enum ipset_adt adt, u32 *lineno, u32 flags) 234 234 + { 235 235 + struct bitmap_port *map = set->data; 236 236 + ipset_adtfn adtfn = set->variant->adt[adt]; 237 237 + u32 timeout = map->timeout; 238 238 + u32 port; /* wraparound */ 239 239 + u16 id, port_to; 240 240 + int ret = 0; 241 241 + 242 242 + if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || 243 243 + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || 244 244 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 245 245 + return -IPSET_ERR_PROTOCOL; 246 246 + 247 247 + if (tb[IPSET_ATTR_LINENO]) 248 248 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 249 249 + 250 250 + port = ip_set_get_h16(tb[IPSET_ATTR_PORT]); 251 251 + if (port < map->first_port || port > map->last_port) 252 252 + return -IPSET_ERR_BITMAP_RANGE; 253 253 + 254 254 + if (tb[IPSET_ATTR_TIMEOUT]) { 255 255 + if (!with_timeout(map->timeout)) 256 256 + return -IPSET_ERR_TIMEOUT; 257 257 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 258 258 + } 259 259 + 260 260 + if (adt == IPSET_TEST) { 261 261 + id = port - map->first_port; 262 262 + return adtfn(set, &id, timeout); 263 263 + } 264 264 + 265 265 + if (tb[IPSET_ATTR_PORT_TO]) { 266 266 + port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); 267 267 + if (port > port_to) { 268 268 + swap(port, port_to); 269 269 + if (port < map->first_port) 270 270 + return -IPSET_ERR_BITMAP_RANGE; 271 271 + } 272 272 + } else 273 273 + port_to = port; 274 274 + 275 275 + if (port_to > map->last_port) 276 276 + return -IPSET_ERR_BITMAP_RANGE; 277 277 + 278 278 + for (; port <= port_to; port++) { 279 279 + id = port - map->first_port; 280 280 + ret = adtfn(set, &id, timeout); 281 281 + 282 282 + if (ret && !ip_set_eexist(ret, flags)) 283 283 + return ret; 284 284 + else 285 285 + ret = 0; 286 286 + } 287 287 + return ret; 288 288 + } 289 289 + 290 290 + static void 291 291 + bitmap_port_destroy(struct ip_set *set) 292 292 + { 293 293 + struct bitmap_port *map = set->data; 294 294 + 295 295 + if (with_timeout(map->timeout)) 296 296 + del_timer_sync(&map->gc); 297 297 + 298 298 + ip_set_free(map->members); 299 299 + kfree(map); 300 300 + 301 301 + set->data = NULL; 302 302 + } 303 303 + 304 304 + static void 305 305 + bitmap_port_flush(struct ip_set *set) 306 306 + { 307 307 + struct bitmap_port *map = set->data; 308 308 + 309 309 + memset(map->members, 0, map->memsize); 310 310 + } 311 311 + 312 312 + static int 313 313 + bitmap_port_head(struct ip_set *set, struct sk_buff *skb) 314 314 + { 315 315 + const struct bitmap_port *map = set->data; 316 316 + struct nlattr *nested; 317 317 + 318 318 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 319 319 + if (!nested) 320 320 + goto nla_put_failure; 321 321 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, htons(map->first_port)); 322 322 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT_TO, htons(map->last_port)); 323 323 + NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, 324 324 + htonl(atomic_read(&set->ref) - 1)); 325 325 + NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE, 326 326 + htonl(sizeof(*map) + map->memsize)); 327 327 + if (with_timeout(map->timeout)) 328 328 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout)); 329 329 + ipset_nest_end(skb, nested); 330 330 + 331 331 + return 0; 332 332 + nla_put_failure: 333 333 + return -EMSGSIZE; 334 334 + } 335 335 + 336 336 + static bool 337 337 + bitmap_port_same_set(const struct ip_set *a, const struct ip_set *b) 338 338 + { 339 339 + const struct bitmap_port *x = a->data; 340 340 + const struct bitmap_port *y = b->data; 341 341 + 342 342 + return x->first_port == y->first_port && 343 343 + x->last_port == y->last_port && 344 344 + x->timeout == y->timeout; 345 345 + } 346 346 + 347 347 + static const struct ip_set_type_variant bitmap_port = { 348 348 + .kadt = bitmap_port_kadt, 349 349 + .uadt = bitmap_port_uadt, 350 350 + .adt = { 351 351 + [IPSET_ADD] = bitmap_port_add, 352 352 + [IPSET_DEL] = bitmap_port_del, 353 353 + [IPSET_TEST] = bitmap_port_test, 354 354 + }, 355 355 + .destroy = bitmap_port_destroy, 356 356 + .flush = bitmap_port_flush, 357 357 + .head = bitmap_port_head, 358 358 + .list = bitmap_port_list, 359 359 + .same_set = bitmap_port_same_set, 360 360 + }; 361 361 + 362 362 + static const struct ip_set_type_variant bitmap_tport = { 363 363 + .kadt = bitmap_port_kadt, 364 364 + .uadt = bitmap_port_uadt, 365 365 + .adt = { 366 366 + [IPSET_ADD] = bitmap_port_tadd, 367 367 + [IPSET_DEL] = bitmap_port_tdel, 368 368 + [IPSET_TEST] = bitmap_port_ttest, 369 369 + }, 370 370 + .destroy = bitmap_port_destroy, 371 371 + .flush = bitmap_port_flush, 372 372 + .head = bitmap_port_head, 373 373 + .list = bitmap_port_tlist, 374 374 + .same_set = bitmap_port_same_set, 375 375 + }; 376 376 + 377 377 + static void 378 378 + bitmap_port_gc(unsigned long ul_set) 379 379 + { 380 380 + struct ip_set *set = (struct ip_set *) ul_set; 381 381 + struct bitmap_port *map = set->data; 382 382 + unsigned long *table = map->members; 383 383 + u32 id; /* wraparound */ 384 384 + u16 last = map->last_port - map->first_port; 385 385 + 386 386 + /* We run parallel with other readers (test element) 387 387 + * but adding/deleting new entries is locked out */ 388 388 + read_lock_bh(&set->lock); 389 389 + for (id = 0; id <= last; id++) 390 390 + if (ip_set_timeout_expired(table[id])) 391 391 + table[id] = IPSET_ELEM_UNSET; 392 392 + read_unlock_bh(&set->lock); 393 393 + 394 394 + map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ; 395 395 + add_timer(&map->gc); 396 396 + } 397 397 + 398 398 + static void 399 399 + bitmap_port_gc_init(struct ip_set *set) 400 400 + { 401 401 + struct bitmap_port *map = set->data; 402 402 + 403 403 + init_timer(&map->gc); 404 404 + map->gc.data = (unsigned long) set; 405 405 + map->gc.function = bitmap_port_gc; 406 406 + map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ; 407 407 + add_timer(&map->gc); 408 408 + } 409 409 + 410 410 + /* Create bitmap:ip type of sets */ 411 411 + 412 412 + static bool 413 413 + init_map_port(struct ip_set *set, struct bitmap_port *map, 414 414 + u16 first_port, u16 last_port) 415 415 + { 416 416 + map->members = ip_set_alloc(map->memsize); 417 417 + if (!map->members) 418 418 + return false; 419 419 + map->first_port = first_port; 420 420 + map->last_port = last_port; 421 421 + map->timeout = IPSET_NO_TIMEOUT; 422 422 + 423 423 + set->data = map; 424 424 + set->family = AF_UNSPEC; 425 425 + 426 426 + return true; 427 427 + } 428 428 + 429 429 + static int 430 430 + bitmap_port_create(struct ip_set *set, struct nlattr *tb[], 431 431 + u32 flags) 432 432 + { 433 433 + struct bitmap_port *map; 434 434 + u16 first_port, last_port; 435 435 + 436 436 + if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || 437 437 + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT_TO) || 438 438 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 439 439 + return -IPSET_ERR_PROTOCOL; 440 440 + 441 441 + first_port = ip_set_get_h16(tb[IPSET_ATTR_PORT]); 442 442 + last_port = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); 443 443 + if (first_port > last_port) { 444 444 + u16 tmp = first_port; 445 445 + 446 446 + first_port = last_port; 447 447 + last_port = tmp; 448 448 + } 449 449 + 450 450 + map = kzalloc(sizeof(*map), GFP_KERNEL); 451 451 + if (!map) 452 452 + return -ENOMEM; 453 453 + 454 454 + if (tb[IPSET_ATTR_TIMEOUT]) { 455 455 + map->memsize = (last_port - first_port + 1) 456 456 + * sizeof(unsigned long); 457 457 + 458 458 + if (!init_map_port(set, map, first_port, last_port)) { 459 459 + kfree(map); 460 460 + return -ENOMEM; 461 461 + } 462 462 + 463 463 + map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 464 464 + set->variant = &bitmap_tport; 465 465 + 466 466 + bitmap_port_gc_init(set); 467 467 + } else { 468 468 + map->memsize = bitmap_bytes(0, last_port - first_port); 469 469 + pr_debug("memsize: %zu\n", map->memsize); 470 470 + if (!init_map_port(set, map, first_port, last_port)) { 471 471 + kfree(map); 472 472 + return -ENOMEM; 473 473 + } 474 474 + 475 475 + set->variant = &bitmap_port; 476 476 + } 477 477 + return 0; 478 478 + } 479 479 + 480 480 + static struct ip_set_type bitmap_port_type = { 481 481 + .name = "bitmap:port", 482 482 + .protocol = IPSET_PROTOCOL, 483 483 + .features = IPSET_TYPE_PORT, 484 484 + .dimension = IPSET_DIM_ONE, 485 485 + .family = AF_UNSPEC, 486 486 + .revision = 0, 487 487 + .create = bitmap_port_create, 488 488 + .create_policy = { 489 489 + [IPSET_ATTR_PORT] = { .type = NLA_U16 }, 490 490 + [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 }, 491 491 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 492 492 + }, 493 493 + .adt_policy = { 494 494 + [IPSET_ATTR_PORT] = { .type = NLA_U16 }, 495 495 + [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 }, 496 496 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 497 497 + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, 498 498 + }, 499 499 + .me = THIS_MODULE, 500 500 + }; 501 501 + 502 502 + static int __init 503 503 + bitmap_port_init(void) 504 504 + { 505 505 + return ip_set_type_register(&bitmap_port_type); 506 506 + } 507 507 + 508 508 + static void __exit 509 509 + bitmap_port_fini(void) 510 510 + { 511 511 + ip_set_type_unregister(&bitmap_port_type); 512 512 + } 513 513 + 514 514 + module_init(bitmap_port_init); 515 515 + module_exit(bitmap_port_fini);

+1671

net/netfilter/ipset/ip_set_core.c

reviewed

··· 1 1 + /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> 2 2 + * Patrick Schaaf <bof@bof.de> 3 3 + * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 4 4 + * 5 5 + * This program is free software; you can redistribute it and/or modify 6 6 + * it under the terms of the GNU General Public License version 2 as 7 7 + * published by the Free Software Foundation. 8 8 + */ 9 9 + 10 10 + /* Kernel module for IP set management */ 11 11 + 12 12 + #include <linux/init.h> 13 13 + #include <linux/module.h> 14 14 + #include <linux/moduleparam.h> 15 15 + #include <linux/ip.h> 16 16 + #include <linux/skbuff.h> 17 17 + #include <linux/spinlock.h> 18 18 + #include <linux/netlink.h> 19 19 + #include <linux/rculist.h> 20 20 + #include <linux/version.h> 21 21 + #include <net/netlink.h> 22 22 + 23 23 + #include <linux/netfilter.h> 24 24 + #include <linux/netfilter/nfnetlink.h> 25 25 + #include <linux/netfilter/ipset/ip_set.h> 26 26 + 27 27 + static LIST_HEAD(ip_set_type_list); /* all registered set types */ 28 28 + static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */ 29 29 + 30 30 + static struct ip_set **ip_set_list; /* all individual sets */ 31 31 + static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */ 32 32 + 33 33 + #define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0) 34 34 + 35 35 + static unsigned int max_sets; 36 36 + 37 37 + module_param(max_sets, int, 0600); 38 38 + MODULE_PARM_DESC(max_sets, "maximal number of sets"); 39 39 + MODULE_LICENSE("GPL"); 40 40 + MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 41 41 + MODULE_DESCRIPTION("core IP set support"); 42 42 + MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET); 43 43 + 44 44 + /* 45 45 + * The set types are implemented in modules and registered set types 46 46 + * can be found in ip_set_type_list. Adding/deleting types is 47 47 + * serialized by ip_set_type_mutex. 48 48 + */ 49 49 + 50 50 + static inline void 51 51 + ip_set_type_lock(void) 52 52 + { 53 53 + mutex_lock(&ip_set_type_mutex); 54 54 + } 55 55 + 56 56 + static inline void 57 57 + ip_set_type_unlock(void) 58 58 + { 59 59 + mutex_unlock(&ip_set_type_mutex); 60 60 + } 61 61 + 62 62 + /* Register and deregister settype */ 63 63 + 64 64 + static struct ip_set_type * 65 65 + find_set_type(const char *name, u8 family, u8 revision) 66 66 + { 67 67 + struct ip_set_type *type; 68 68 + 69 69 + list_for_each_entry_rcu(type, &ip_set_type_list, list) 70 70 + if (STREQ(type->name, name) && 71 71 + (type->family == family || type->family == AF_UNSPEC) && 72 72 + type->revision == revision) 73 73 + return type; 74 74 + return NULL; 75 75 + } 76 76 + 77 77 + /* Unlock, try to load a set type module and lock again */ 78 78 + static int 79 79 + try_to_load_type(const char *name) 80 80 + { 81 81 + nfnl_unlock(); 82 82 + pr_debug("try to load ip_set_%s\n", name); 83 83 + if (request_module("ip_set_%s", name) < 0) { 84 84 + pr_warning("Can't find ip_set type %s\n", name); 85 85 + nfnl_lock(); 86 86 + return -IPSET_ERR_FIND_TYPE; 87 87 + } 88 88 + nfnl_lock(); 89 89 + return -EAGAIN; 90 90 + } 91 91 + 92 92 + /* Find a set type and reference it */ 93 93 + static int 94 94 + find_set_type_get(const char *name, u8 family, u8 revision, 95 95 + struct ip_set_type **found) 96 96 + { 97 97 + rcu_read_lock(); 98 98 + *found = find_set_type(name, family, revision); 99 99 + if (*found) { 100 100 + int err = !try_module_get((*found)->me); 101 101 + rcu_read_unlock(); 102 102 + return err ? -EFAULT : 0; 103 103 + } 104 104 + rcu_read_unlock(); 105 105 + 106 106 + return try_to_load_type(name); 107 107 + } 108 108 + 109 109 + /* Find a given set type by name and family. 110 110 + * If we succeeded, the supported minimal and maximum revisions are 111 111 + * filled out. 112 112 + */ 113 113 + static int 114 114 + find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max) 115 115 + { 116 116 + struct ip_set_type *type; 117 117 + bool found = false; 118 118 + 119 119 + *min = *max = 0; 120 120 + rcu_read_lock(); 121 121 + list_for_each_entry_rcu(type, &ip_set_type_list, list) 122 122 + if (STREQ(type->name, name) && 123 123 + (type->family == family || type->family == AF_UNSPEC)) { 124 124 + found = true; 125 125 + if (type->revision < *min) 126 126 + *min = type->revision; 127 127 + else if (type->revision > *max) 128 128 + *max = type->revision; 129 129 + } 130 130 + rcu_read_unlock(); 131 131 + if (found) 132 132 + return 0; 133 133 + 134 134 + return try_to_load_type(name); 135 135 + } 136 136 + 137 137 + #define family_name(f) ((f) == AF_INET ? "inet" : \ 138 138 + (f) == AF_INET6 ? "inet6" : "any") 139 139 + 140 140 + /* Register a set type structure. The type is identified by 141 141 + * the unique triple of name, family and revision. 142 142 + */ 143 143 + int 144 144 + ip_set_type_register(struct ip_set_type *type) 145 145 + { 146 146 + int ret = 0; 147 147 + 148 148 + if (type->protocol != IPSET_PROTOCOL) { 149 149 + pr_warning("ip_set type %s, family %s, revision %u uses " 150 150 + "wrong protocol version %u (want %u)\n", 151 151 + type->name, family_name(type->family), 152 152 + type->revision, type->protocol, IPSET_PROTOCOL); 153 153 + return -EINVAL; 154 154 + } 155 155 + 156 156 + ip_set_type_lock(); 157 157 + if (find_set_type(type->name, type->family, type->revision)) { 158 158 + /* Duplicate! */ 159 159 + pr_warning("ip_set type %s, family %s, revision %u " 160 160 + "already registered!\n", type->name, 161 161 + family_name(type->family), type->revision); 162 162 + ret = -EINVAL; 163 163 + goto unlock; 164 164 + } 165 165 + list_add_rcu(&type->list, &ip_set_type_list); 166 166 + pr_debug("type %s, family %s, revision %u registered.\n", 167 167 + type->name, family_name(type->family), type->revision); 168 168 + unlock: 169 169 + ip_set_type_unlock(); 170 170 + return ret; 171 171 + } 172 172 + EXPORT_SYMBOL_GPL(ip_set_type_register); 173 173 + 174 174 + /* Unregister a set type. There's a small race with ip_set_create */ 175 175 + void 176 176 + ip_set_type_unregister(struct ip_set_type *type) 177 177 + { 178 178 + ip_set_type_lock(); 179 179 + if (!find_set_type(type->name, type->family, type->revision)) { 180 180 + pr_warning("ip_set type %s, family %s, revision %u " 181 181 + "not registered\n", type->name, 182 182 + family_name(type->family), type->revision); 183 183 + goto unlock; 184 184 + } 185 185 + list_del_rcu(&type->list); 186 186 + pr_debug("type %s, family %s, revision %u unregistered.\n", 187 187 + type->name, family_name(type->family), type->revision); 188 188 + unlock: 189 189 + ip_set_type_unlock(); 190 190 + 191 191 + synchronize_rcu(); 192 192 + } 193 193 + EXPORT_SYMBOL_GPL(ip_set_type_unregister); 194 194 + 195 195 + /* Utility functions */ 196 196 + void * 197 197 + ip_set_alloc(size_t size) 198 198 + { 199 199 + void *members = NULL; 200 200 + 201 201 + if (size < KMALLOC_MAX_SIZE) 202 202 + members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN); 203 203 + 204 204 + if (members) { 205 205 + pr_debug("%p: allocated with kmalloc\n", members); 206 206 + return members; 207 207 + } 208 208 + 209 209 + members = vzalloc(size); 210 210 + if (!members) 211 211 + return NULL; 212 212 + pr_debug("%p: allocated with vmalloc\n", members); 213 213 + 214 214 + return members; 215 215 + } 216 216 + EXPORT_SYMBOL_GPL(ip_set_alloc); 217 217 + 218 218 + void 219 219 + ip_set_free(void *members) 220 220 + { 221 221 + pr_debug("%p: free with %s\n", members, 222 222 + is_vmalloc_addr(members) ? "vfree" : "kfree"); 223 223 + if (is_vmalloc_addr(members)) 224 224 + vfree(members); 225 225 + else 226 226 + kfree(members); 227 227 + } 228 228 + EXPORT_SYMBOL_GPL(ip_set_free); 229 229 + 230 230 + static inline bool 231 231 + flag_nested(const struct nlattr *nla) 232 232 + { 233 233 + return nla->nla_type & NLA_F_NESTED; 234 234 + } 235 235 + 236 236 + static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = { 237 237 + [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 }, 238 238 + [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY, 239 239 + .len = sizeof(struct in6_addr) }, 240 240 + }; 241 241 + 242 242 + int 243 243 + ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr) 244 244 + { 245 245 + struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1]; 246 246 + 247 247 + if (unlikely(!flag_nested(nla))) 248 248 + return -IPSET_ERR_PROTOCOL; 249 249 + if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy)) 250 250 + return -IPSET_ERR_PROTOCOL; 251 251 + if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4))) 252 252 + return -IPSET_ERR_PROTOCOL; 253 253 + 254 254 + *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]); 255 255 + return 0; 256 256 + } 257 257 + EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4); 258 258 + 259 259 + int 260 260 + ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr) 261 261 + { 262 262 + struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1]; 263 263 + 264 264 + if (unlikely(!flag_nested(nla))) 265 265 + return -IPSET_ERR_PROTOCOL; 266 266 + 267 267 + if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy)) 268 268 + return -IPSET_ERR_PROTOCOL; 269 269 + if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6))) 270 270 + return -IPSET_ERR_PROTOCOL; 271 271 + 272 272 + memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]), 273 273 + sizeof(struct in6_addr)); 274 274 + return 0; 275 275 + } 276 276 + EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6); 277 277 + 278 278 + /* 279 279 + * Creating/destroying/renaming/swapping affect the existence and 280 280 + * the properties of a set. All of these can be executed from userspace 281 281 + * only and serialized by the nfnl mutex indirectly from nfnetlink. 282 282 + * 283 283 + * Sets are identified by their index in ip_set_list and the index 284 284 + * is used by the external references (set/SET netfilter modules). 285 285 + * 286 286 + * The set behind an index may change by swapping only, from userspace. 287 287 + */ 288 288 + 289 289 + static inline void 290 290 + __ip_set_get(ip_set_id_t index) 291 291 + { 292 292 + atomic_inc(&ip_set_list[index]->ref); 293 293 + } 294 294 + 295 295 + static inline void 296 296 + __ip_set_put(ip_set_id_t index) 297 297 + { 298 298 + atomic_dec(&ip_set_list[index]->ref); 299 299 + } 300 300 + 301 301 + /* 302 302 + * Add, del and test set entries from kernel. 303 303 + * 304 304 + * The set behind the index must exist and must be referenced 305 305 + * so it can't be destroyed (or changed) under our foot. 306 306 + */ 307 307 + 308 308 + int 309 309 + ip_set_test(ip_set_id_t index, const struct sk_buff *skb, 310 310 + u8 family, u8 dim, u8 flags) 311 311 + { 312 312 + struct ip_set *set = ip_set_list[index]; 313 313 + int ret = 0; 314 314 + 315 315 + BUG_ON(set == NULL || atomic_read(&set->ref) == 0); 316 316 + pr_debug("set %s, index %u\n", set->name, index); 317 317 + 318 318 + if (dim < set->type->dimension || 319 319 + !(family == set->family || set->family == AF_UNSPEC)) 320 320 + return 0; 321 321 + 322 322 + read_lock_bh(&set->lock); 323 323 + ret = set->variant->kadt(set, skb, IPSET_TEST, family, dim, flags); 324 324 + read_unlock_bh(&set->lock); 325 325 + 326 326 + if (ret == -EAGAIN) { 327 327 + /* Type requests element to be completed */ 328 328 + pr_debug("element must be competed, ADD is triggered\n"); 329 329 + write_lock_bh(&set->lock); 330 330 + set->variant->kadt(set, skb, IPSET_ADD, family, dim, flags); 331 331 + write_unlock_bh(&set->lock); 332 332 + ret = 1; 333 333 + } 334 334 + 335 335 + /* Convert error codes to nomatch */ 336 336 + return (ret < 0 ? 0 : ret); 337 337 + } 338 338 + EXPORT_SYMBOL_GPL(ip_set_test); 339 339 + 340 340 + int 341 341 + ip_set_add(ip_set_id_t index, const struct sk_buff *skb, 342 342 + u8 family, u8 dim, u8 flags) 343 343 + { 344 344 + struct ip_set *set = ip_set_list[index]; 345 345 + int ret; 346 346 + 347 347 + BUG_ON(set == NULL || atomic_read(&set->ref) == 0); 348 348 + pr_debug("set %s, index %u\n", set->name, index); 349 349 + 350 350 + if (dim < set->type->dimension || 351 351 + !(family == set->family || set->family == AF_UNSPEC)) 352 352 + return 0; 353 353 + 354 354 + write_lock_bh(&set->lock); 355 355 + ret = set->variant->kadt(set, skb, IPSET_ADD, family, dim, flags); 356 356 + write_unlock_bh(&set->lock); 357 357 + 358 358 + return ret; 359 359 + } 360 360 + EXPORT_SYMBOL_GPL(ip_set_add); 361 361 + 362 362 + int 363 363 + ip_set_del(ip_set_id_t index, const struct sk_buff *skb, 364 364 + u8 family, u8 dim, u8 flags) 365 365 + { 366 366 + struct ip_set *set = ip_set_list[index]; 367 367 + int ret = 0; 368 368 + 369 369 + BUG_ON(set == NULL || atomic_read(&set->ref) == 0); 370 370 + pr_debug("set %s, index %u\n", set->name, index); 371 371 + 372 372 + if (dim < set->type->dimension || 373 373 + !(family == set->family || set->family == AF_UNSPEC)) 374 374 + return 0; 375 375 + 376 376 + write_lock_bh(&set->lock); 377 377 + ret = set->variant->kadt(set, skb, IPSET_DEL, family, dim, flags); 378 378 + write_unlock_bh(&set->lock); 379 379 + 380 380 + return ret; 381 381 + } 382 382 + EXPORT_SYMBOL_GPL(ip_set_del); 383 383 + 384 384 + /* 385 385 + * Find set by name, reference it once. The reference makes sure the 386 386 + * thing pointed to, does not go away under our feet. 387 387 + * 388 388 + * The nfnl mutex must already be activated. 389 389 + */ 390 390 + ip_set_id_t 391 391 + ip_set_get_byname(const char *name, struct ip_set **set) 392 392 + { 393 393 + ip_set_id_t i, index = IPSET_INVALID_ID; 394 394 + struct ip_set *s; 395 395 + 396 396 + for (i = 0; i < ip_set_max; i++) { 397 397 + s = ip_set_list[i]; 398 398 + if (s != NULL && STREQ(s->name, name)) { 399 399 + __ip_set_get(i); 400 400 + index = i; 401 401 + *set = s; 402 402 + } 403 403 + } 404 404 + 405 405 + return index; 406 406 + } 407 407 + EXPORT_SYMBOL_GPL(ip_set_get_byname); 408 408 + 409 409 + /* 410 410 + * If the given set pointer points to a valid set, decrement 411 411 + * reference count by 1. The caller shall not assume the index 412 412 + * to be valid, after calling this function. 413 413 + * 414 414 + * The nfnl mutex must already be activated. 415 415 + */ 416 416 + void 417 417 + ip_set_put_byindex(ip_set_id_t index) 418 418 + { 419 419 + if (ip_set_list[index] != NULL) { 420 420 + BUG_ON(atomic_read(&ip_set_list[index]->ref) == 0); 421 421 + __ip_set_put(index); 422 422 + } 423 423 + } 424 424 + EXPORT_SYMBOL_GPL(ip_set_put_byindex); 425 425 + 426 426 + /* 427 427 + * Get the name of a set behind a set index. 428 428 + * We assume the set is referenced, so it does exist and 429 429 + * can't be destroyed. The set cannot be renamed due to 430 430 + * the referencing either. 431 431 + * 432 432 + * The nfnl mutex must already be activated. 433 433 + */ 434 434 + const char * 435 435 + ip_set_name_byindex(ip_set_id_t index) 436 436 + { 437 437 + const struct ip_set *set = ip_set_list[index]; 438 438 + 439 439 + BUG_ON(set == NULL); 440 440 + BUG_ON(atomic_read(&set->ref) == 0); 441 441 + 442 442 + /* Referenced, so it's safe */ 443 443 + return set->name; 444 444 + } 445 445 + EXPORT_SYMBOL_GPL(ip_set_name_byindex); 446 446 + 447 447 + /* 448 448 + * Routines to call by external subsystems, which do not 449 449 + * call nfnl_lock for us. 450 450 + */ 451 451 + 452 452 + /* 453 453 + * Find set by name, reference it once. The reference makes sure the 454 454 + * thing pointed to, does not go away under our feet. 455 455 + * 456 456 + * The nfnl mutex is used in the function. 457 457 + */ 458 458 + ip_set_id_t 459 459 + ip_set_nfnl_get(const char *name) 460 460 + { 461 461 + struct ip_set *s; 462 462 + ip_set_id_t index; 463 463 + 464 464 + nfnl_lock(); 465 465 + index = ip_set_get_byname(name, &s); 466 466 + nfnl_unlock(); 467 467 + 468 468 + return index; 469 469 + } 470 470 + EXPORT_SYMBOL_GPL(ip_set_nfnl_get); 471 471 + 472 472 + /* 473 473 + * Find set by index, reference it once. The reference makes sure the 474 474 + * thing pointed to, does not go away under our feet. 475 475 + * 476 476 + * The nfnl mutex is used in the function. 477 477 + */ 478 478 + ip_set_id_t 479 479 + ip_set_nfnl_get_byindex(ip_set_id_t index) 480 480 + { 481 481 + if (index > ip_set_max) 482 482 + return IPSET_INVALID_ID; 483 483 + 484 484 + nfnl_lock(); 485 485 + if (ip_set_list[index]) 486 486 + __ip_set_get(index); 487 487 + else 488 488 + index = IPSET_INVALID_ID; 489 489 + nfnl_unlock(); 490 490 + 491 491 + return index; 492 492 + } 493 493 + EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex); 494 494 + 495 495 + /* 496 496 + * If the given set pointer points to a valid set, decrement 497 497 + * reference count by 1. The caller shall not assume the index 498 498 + * to be valid, after calling this function. 499 499 + * 500 500 + * The nfnl mutex is used in the function. 501 501 + */ 502 502 + void 503 503 + ip_set_nfnl_put(ip_set_id_t index) 504 504 + { 505 505 + nfnl_lock(); 506 506 + if (ip_set_list[index] != NULL) { 507 507 + BUG_ON(atomic_read(&ip_set_list[index]->ref) == 0); 508 508 + __ip_set_put(index); 509 509 + } 510 510 + nfnl_unlock(); 511 511 + } 512 512 + EXPORT_SYMBOL_GPL(ip_set_nfnl_put); 513 513 + 514 514 + /* 515 515 + * Communication protocol with userspace over netlink. 516 516 + * 517 517 + * We already locked by nfnl_lock. 518 518 + */ 519 519 + 520 520 + static inline bool 521 521 + protocol_failed(const struct nlattr * const tb[]) 522 522 + { 523 523 + return !tb[IPSET_ATTR_PROTOCOL] || 524 524 + nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL; 525 525 + } 526 526 + 527 527 + static inline u32 528 528 + flag_exist(const struct nlmsghdr *nlh) 529 529 + { 530 530 + return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST; 531 531 + } 532 532 + 533 533 + static struct nlmsghdr * 534 534 + start_msg(struct sk_buff *skb, u32 pid, u32 seq, unsigned int flags, 535 535 + enum ipset_cmd cmd) 536 536 + { 537 537 + struct nlmsghdr *nlh; 538 538 + struct nfgenmsg *nfmsg; 539 539 + 540 540 + nlh = nlmsg_put(skb, pid, seq, cmd | (NFNL_SUBSYS_IPSET << 8), 541 541 + sizeof(*nfmsg), flags); 542 542 + if (nlh == NULL) 543 543 + return NULL; 544 544 + 545 545 + nfmsg = nlmsg_data(nlh); 546 546 + nfmsg->nfgen_family = AF_INET; 547 547 + nfmsg->version = NFNETLINK_V0; 548 548 + nfmsg->res_id = 0; 549 549 + 550 550 + return nlh; 551 551 + } 552 552 + 553 553 + /* Create a set */ 554 554 + 555 555 + static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = { 556 556 + [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, 557 557 + [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, 558 558 + .len = IPSET_MAXNAMELEN - 1 }, 559 559 + [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING, 560 560 + .len = IPSET_MAXNAMELEN - 1}, 561 561 + [IPSET_ATTR_REVISION] = { .type = NLA_U8 }, 562 562 + [IPSET_ATTR_FAMILY] = { .type = NLA_U8 }, 563 563 + [IPSET_ATTR_DATA] = { .type = NLA_NESTED }, 564 564 + }; 565 565 + 566 566 + static ip_set_id_t 567 567 + find_set_id(const char *name) 568 568 + { 569 569 + ip_set_id_t i, index = IPSET_INVALID_ID; 570 570 + const struct ip_set *set; 571 571 + 572 572 + for (i = 0; index == IPSET_INVALID_ID && i < ip_set_max; i++) { 573 573 + set = ip_set_list[i]; 574 574 + if (set != NULL && STREQ(set->name, name)) 575 575 + index = i; 576 576 + } 577 577 + return index; 578 578 + } 579 579 + 580 580 + static inline struct ip_set * 581 581 + find_set(const char *name) 582 582 + { 583 583 + ip_set_id_t index = find_set_id(name); 584 584 + 585 585 + return index == IPSET_INVALID_ID ? NULL : ip_set_list[index]; 586 586 + } 587 587 + 588 588 + static int 589 589 + find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set) 590 590 + { 591 591 + ip_set_id_t i; 592 592 + 593 593 + *index = IPSET_INVALID_ID; 594 594 + for (i = 0; i < ip_set_max; i++) { 595 595 + if (ip_set_list[i] == NULL) { 596 596 + if (*index == IPSET_INVALID_ID) 597 597 + *index = i; 598 598 + } else if (STREQ(name, ip_set_list[i]->name)) { 599 599 + /* Name clash */ 600 600 + *set = ip_set_list[i]; 601 601 + return -EEXIST; 602 602 + } 603 603 + } 604 604 + if (*index == IPSET_INVALID_ID) 605 605 + /* No free slot remained */ 606 606 + return -IPSET_ERR_MAX_SETS; 607 607 + return 0; 608 608 + } 609 609 + 610 610 + static int 611 611 + ip_set_create(struct sock *ctnl, struct sk_buff *skb, 612 612 + const struct nlmsghdr *nlh, 613 613 + const struct nlattr * const attr[]) 614 614 + { 615 615 + struct ip_set *set, *clash; 616 616 + ip_set_id_t index = IPSET_INVALID_ID; 617 617 + struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {}; 618 618 + const char *name, *typename; 619 619 + u8 family, revision; 620 620 + u32 flags = flag_exist(nlh); 621 621 + int ret = 0; 622 622 + 623 623 + if (unlikely(protocol_failed(attr) || 624 624 + attr[IPSET_ATTR_SETNAME] == NULL || 625 625 + attr[IPSET_ATTR_TYPENAME] == NULL || 626 626 + attr[IPSET_ATTR_REVISION] == NULL || 627 627 + attr[IPSET_ATTR_FAMILY] == NULL || 628 628 + (attr[IPSET_ATTR_DATA] != NULL && 629 629 + !flag_nested(attr[IPSET_ATTR_DATA])))) 630 630 + return -IPSET_ERR_PROTOCOL; 631 631 + 632 632 + name = nla_data(attr[IPSET_ATTR_SETNAME]); 633 633 + typename = nla_data(attr[IPSET_ATTR_TYPENAME]); 634 634 + family = nla_get_u8(attr[IPSET_ATTR_FAMILY]); 635 635 + revision = nla_get_u8(attr[IPSET_ATTR_REVISION]); 636 636 + pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n", 637 637 + name, typename, family_name(family), revision); 638 638 + 639 639 + /* 640 640 + * First, and without any locks, allocate and initialize 641 641 + * a normal base set structure. 642 642 + */ 643 643 + set = kzalloc(sizeof(struct ip_set), GFP_KERNEL); 644 644 + if (!set) 645 645 + return -ENOMEM; 646 646 + rwlock_init(&set->lock); 647 647 + strlcpy(set->name, name, IPSET_MAXNAMELEN); 648 648 + atomic_set(&set->ref, 0); 649 649 + set->family = family; 650 650 + 651 651 + /* 652 652 + * Next, check that we know the type, and take 653 653 + * a reference on the type, to make sure it stays available 654 654 + * while constructing our new set. 655 655 + * 656 656 + * After referencing the type, we try to create the type 657 657 + * specific part of the set without holding any locks. 658 658 + */ 659 659 + ret = find_set_type_get(typename, family, revision, &(set->type)); 660 660 + if (ret) 661 661 + goto out; 662 662 + 663 663 + /* 664 664 + * Without holding any locks, create private part. 665 665 + */ 666 666 + if (attr[IPSET_ATTR_DATA] && 667 667 + nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA], 668 668 + set->type->create_policy)) { 669 669 + ret = -IPSET_ERR_PROTOCOL; 670 670 + goto put_out; 671 671 + } 672 672 + 673 673 + ret = set->type->create(set, tb, flags); 674 674 + if (ret != 0) 675 675 + goto put_out; 676 676 + 677 677 + /* BTW, ret==0 here. */ 678 678 + 679 679 + /* 680 680 + * Here, we have a valid, constructed set and we are protected 681 681 + * by nfnl_lock. Find the first free index in ip_set_list and 682 682 + * check clashing. 683 683 + */ 684 684 + if ((ret = find_free_id(set->name, &index, &clash)) != 0) { 685 685 + /* If this is the same set and requested, ignore error */ 686 686 + if (ret == -EEXIST && 687 687 + (flags & IPSET_FLAG_EXIST) && 688 688 + STREQ(set->type->name, clash->type->name) && 689 689 + set->type->family == clash->type->family && 690 690 + set->type->revision == clash->type->revision && 691 691 + set->variant->same_set(set, clash)) 692 692 + ret = 0; 693 693 + goto cleanup; 694 694 + } 695 695 + 696 696 + /* 697 697 + * Finally! Add our shiny new set to the list, and be done. 698 698 + */ 699 699 + pr_debug("create: '%s' created with index %u!\n", set->name, index); 700 700 + ip_set_list[index] = set; 701 701 + 702 702 + return ret; 703 703 + 704 704 + cleanup: 705 705 + set->variant->destroy(set); 706 706 + put_out: 707 707 + module_put(set->type->me); 708 708 + out: 709 709 + kfree(set); 710 710 + return ret; 711 711 + } 712 712 + 713 713 + /* Destroy sets */ 714 714 + 715 715 + static const struct nla_policy 716 716 + ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = { 717 717 + [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, 718 718 + [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, 719 719 + .len = IPSET_MAXNAMELEN - 1 }, 720 720 + }; 721 721 + 722 722 + static void 723 723 + ip_set_destroy_set(ip_set_id_t index) 724 724 + { 725 725 + struct ip_set *set = ip_set_list[index]; 726 726 + 727 727 + pr_debug("set: %s\n", set->name); 728 728 + ip_set_list[index] = NULL; 729 729 + 730 730 + /* Must call it without holding any lock */ 731 731 + set->variant->destroy(set); 732 732 + module_put(set->type->me); 733 733 + kfree(set); 734 734 + } 735 735 + 736 736 + static int 737 737 + ip_set_destroy(struct sock *ctnl, struct sk_buff *skb, 738 738 + const struct nlmsghdr *nlh, 739 739 + const struct nlattr * const attr[]) 740 740 + { 741 741 + ip_set_id_t i; 742 742 + 743 743 + if (unlikely(protocol_failed(attr))) 744 744 + return -IPSET_ERR_PROTOCOL; 745 745 + 746 746 + /* References are protected by the nfnl mutex */ 747 747 + if (!attr[IPSET_ATTR_SETNAME]) { 748 748 + for (i = 0; i < ip_set_max; i++) { 749 749 + if (ip_set_list[i] != NULL && 750 750 + (atomic_read(&ip_set_list[i]->ref))) 751 751 + return -IPSET_ERR_BUSY; 752 752 + } 753 753 + for (i = 0; i < ip_set_max; i++) { 754 754 + if (ip_set_list[i] != NULL) 755 755 + ip_set_destroy_set(i); 756 756 + } 757 757 + } else { 758 758 + i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME])); 759 759 + if (i == IPSET_INVALID_ID) 760 760 + return -ENOENT; 761 761 + else if (atomic_read(&ip_set_list[i]->ref)) 762 762 + return -IPSET_ERR_BUSY; 763 763 + 764 764 + ip_set_destroy_set(i); 765 765 + } 766 766 + return 0; 767 767 + } 768 768 + 769 769 + /* Flush sets */ 770 770 + 771 771 + static void 772 772 + ip_set_flush_set(struct ip_set *set) 773 773 + { 774 774 + pr_debug("set: %s\n", set->name); 775 775 + 776 776 + write_lock_bh(&set->lock); 777 777 + set->variant->flush(set); 778 778 + write_unlock_bh(&set->lock); 779 779 + } 780 780 + 781 781 + static int 782 782 + ip_set_flush(struct sock *ctnl, struct sk_buff *skb, 783 783 + const struct nlmsghdr *nlh, 784 784 + const struct nlattr * const attr[]) 785 785 + { 786 786 + ip_set_id_t i; 787 787 + 788 788 + if (unlikely(protocol_failed(attr))) 789 789 + return -EPROTO; 790 790 + 791 791 + if (!attr[IPSET_ATTR_SETNAME]) { 792 792 + for (i = 0; i < ip_set_max; i++) 793 793 + if (ip_set_list[i] != NULL) 794 794 + ip_set_flush_set(ip_set_list[i]); 795 795 + } else { 796 796 + i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME])); 797 797 + if (i == IPSET_INVALID_ID) 798 798 + return -ENOENT; 799 799 + 800 800 + ip_set_flush_set(ip_set_list[i]); 801 801 + } 802 802 + 803 803 + return 0; 804 804 + } 805 805 + 806 806 + /* Rename a set */ 807 807 + 808 808 + static const struct nla_policy 809 809 + ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = { 810 810 + [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, 811 811 + [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, 812 812 + .len = IPSET_MAXNAMELEN - 1 }, 813 813 + [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING, 814 814 + .len = IPSET_MAXNAMELEN - 1 }, 815 815 + }; 816 816 + 817 817 + static int 818 818 + ip_set_rename(struct sock *ctnl, struct sk_buff *skb, 819 819 + const struct nlmsghdr *nlh, 820 820 + const struct nlattr * const attr[]) 821 821 + { 822 822 + struct ip_set *set; 823 823 + const char *name2; 824 824 + ip_set_id_t i; 825 825 + 826 826 + if (unlikely(protocol_failed(attr) || 827 827 + attr[IPSET_ATTR_SETNAME] == NULL || 828 828 + attr[IPSET_ATTR_SETNAME2] == NULL)) 829 829 + return -IPSET_ERR_PROTOCOL; 830 830 + 831 831 + set = find_set(nla_data(attr[IPSET_ATTR_SETNAME])); 832 832 + if (set == NULL) 833 833 + return -ENOENT; 834 834 + if (atomic_read(&set->ref) != 0) 835 835 + return -IPSET_ERR_REFERENCED; 836 836 + 837 837 + name2 = nla_data(attr[IPSET_ATTR_SETNAME2]); 838 838 + for (i = 0; i < ip_set_max; i++) { 839 839 + if (ip_set_list[i] != NULL && 840 840 + STREQ(ip_set_list[i]->name, name2)) 841 841 + return -IPSET_ERR_EXIST_SETNAME2; 842 842 + } 843 843 + strncpy(set->name, name2, IPSET_MAXNAMELEN); 844 844 + 845 845 + return 0; 846 846 + } 847 847 + 848 848 + /* Swap two sets so that name/index points to the other. 849 849 + * References and set names are also swapped. 850 850 + * 851 851 + * We are protected by the nfnl mutex and references are 852 852 + * manipulated only by holding the mutex. The kernel interfaces 853 853 + * do not hold the mutex but the pointer settings are atomic 854 854 + * so the ip_set_list always contains valid pointers to the sets. 855 855 + */ 856 856 + 857 857 + static int 858 858 + ip_set_swap(struct sock *ctnl, struct sk_buff *skb, 859 859 + const struct nlmsghdr *nlh, 860 860 + const struct nlattr * const attr[]) 861 861 + { 862 862 + struct ip_set *from, *to; 863 863 + ip_set_id_t from_id, to_id; 864 864 + char from_name[IPSET_MAXNAMELEN]; 865 865 + u32 from_ref; 866 866 + 867 867 + if (unlikely(protocol_failed(attr) || 868 868 + attr[IPSET_ATTR_SETNAME] == NULL || 869 869 + attr[IPSET_ATTR_SETNAME2] == NULL)) 870 870 + return -IPSET_ERR_PROTOCOL; 871 871 + 872 872 + from_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME])); 873 873 + if (from_id == IPSET_INVALID_ID) 874 874 + return -ENOENT; 875 875 + 876 876 + to_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME2])); 877 877 + if (to_id == IPSET_INVALID_ID) 878 878 + return -IPSET_ERR_EXIST_SETNAME2; 879 879 + 880 880 + from = ip_set_list[from_id]; 881 881 + to = ip_set_list[to_id]; 882 882 + 883 883 + /* Features must not change. 884 884 + * Not an artifical restriction anymore, as we must prevent 885 885 + * possible loops created by swapping in setlist type of sets. */ 886 886 + if (!(from->type->features == to->type->features && 887 887 + from->type->family == to->type->family)) 888 888 + return -IPSET_ERR_TYPE_MISMATCH; 889 889 + 890 890 + /* No magic here: ref munging protected by the nfnl_lock */ 891 891 + strncpy(from_name, from->name, IPSET_MAXNAMELEN); 892 892 + from_ref = atomic_read(&from->ref); 893 893 + 894 894 + strncpy(from->name, to->name, IPSET_MAXNAMELEN); 895 895 + atomic_set(&from->ref, atomic_read(&to->ref)); 896 896 + strncpy(to->name, from_name, IPSET_MAXNAMELEN); 897 897 + atomic_set(&to->ref, from_ref); 898 898 + 899 899 + ip_set_list[from_id] = to; 900 900 + ip_set_list[to_id] = from; 901 901 + 902 902 + return 0; 903 903 + } 904 904 + 905 905 + /* List/save set data */ 906 906 + 907 907 + #define DUMP_INIT 0L 908 908 + #define DUMP_ALL 1L 909 909 + #define DUMP_ONE 2L 910 910 + #define DUMP_LAST 3L 911 911 + 912 912 + static int 913 913 + ip_set_dump_done(struct netlink_callback *cb) 914 914 + { 915 915 + if (cb->args[2]) { 916 916 + pr_debug("release set %s\n", ip_set_list[cb->args[1]]->name); 917 917 + __ip_set_put((ip_set_id_t) cb->args[1]); 918 918 + } 919 919 + return 0; 920 920 + } 921 921 + 922 922 + static inline void 923 923 + dump_attrs(struct nlmsghdr *nlh) 924 924 + { 925 925 + const struct nlattr *attr; 926 926 + int rem; 927 927 + 928 928 + pr_debug("dump nlmsg\n"); 929 929 + nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) { 930 930 + pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len); 931 931 + } 932 932 + } 933 933 + 934 934 + static int 935 935 + dump_init(struct netlink_callback *cb) 936 936 + { 937 937 + struct nlmsghdr *nlh = nlmsg_hdr(cb->skb); 938 938 + int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg)); 939 939 + struct nlattr *cda[IPSET_ATTR_CMD_MAX+1]; 940 940 + struct nlattr *attr = (void *)nlh + min_len; 941 941 + ip_set_id_t index; 942 942 + 943 943 + /* Second pass, so parser can't fail */ 944 944 + nla_parse(cda, IPSET_ATTR_CMD_MAX, 945 945 + attr, nlh->nlmsg_len - min_len, ip_set_setname_policy); 946 946 + 947 947 + /* cb->args[0] : dump single set/all sets 948 948 + * [1] : set index 949 949 + * [..]: type specific 950 950 + */ 951 951 + 952 952 + if (!cda[IPSET_ATTR_SETNAME]) { 953 953 + cb->args[0] = DUMP_ALL; 954 954 + return 0; 955 955 + } 956 956 + 957 957 + index = find_set_id(nla_data(cda[IPSET_ATTR_SETNAME])); 958 958 + if (index == IPSET_INVALID_ID) 959 959 + return -ENOENT; 960 960 + 961 961 + cb->args[0] = DUMP_ONE; 962 962 + cb->args[1] = index; 963 963 + return 0; 964 964 + } 965 965 + 966 966 + static int 967 967 + ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb) 968 968 + { 969 969 + ip_set_id_t index = IPSET_INVALID_ID, max; 970 970 + struct ip_set *set = NULL; 971 971 + struct nlmsghdr *nlh = NULL; 972 972 + unsigned int flags = NETLINK_CB(cb->skb).pid ? NLM_F_MULTI : 0; 973 973 + int ret = 0; 974 974 + 975 975 + if (cb->args[0] == DUMP_INIT) { 976 976 + ret = dump_init(cb); 977 977 + if (ret < 0) { 978 978 + nlh = nlmsg_hdr(cb->skb); 979 979 + /* We have to create and send the error message 980 980 + * manually :-( */ 981 981 + if (nlh->nlmsg_flags & NLM_F_ACK) 982 982 + netlink_ack(cb->skb, nlh, ret); 983 983 + return ret; 984 984 + } 985 985 + } 986 986 + 987 987 + if (cb->args[1] >= ip_set_max) 988 988 + goto out; 989 989 + 990 990 + pr_debug("args[0]: %ld args[1]: %ld\n", cb->args[0], cb->args[1]); 991 991 + max = cb->args[0] == DUMP_ONE ? cb->args[1] + 1 : ip_set_max; 992 992 + for (; cb->args[1] < max; cb->args[1]++) { 993 993 + index = (ip_set_id_t) cb->args[1]; 994 994 + set = ip_set_list[index]; 995 995 + if (set == NULL) { 996 996 + if (cb->args[0] == DUMP_ONE) { 997 997 + ret = -ENOENT; 998 998 + goto out; 999 999 + } 1000 1000 + continue; 1001 1001 + } 1002 1002 + /* When dumping all sets, we must dump "sorted" 1003 1003 + * so that lists (unions of sets) are dumped last. 1004 1004 + */ 1005 1005 + if (cb->args[0] != DUMP_ONE && 1006 1006 + !((cb->args[0] == DUMP_ALL) ^ 1007 1007 + (set->type->features & IPSET_DUMP_LAST))) 1008 1008 + continue; 1009 1009 + pr_debug("List set: %s\n", set->name); 1010 1010 + if (!cb->args[2]) { 1011 1011 + /* Start listing: make sure set won't be destroyed */ 1012 1012 + pr_debug("reference set\n"); 1013 1013 + __ip_set_get(index); 1014 1014 + } 1015 1015 + nlh = start_msg(skb, NETLINK_CB(cb->skb).pid, 1016 1016 + cb->nlh->nlmsg_seq, flags, 1017 1017 + IPSET_CMD_LIST); 1018 1018 + if (!nlh) { 1019 1019 + ret = -EMSGSIZE; 1020 1020 + goto release_refcount; 1021 1021 + } 1022 1022 + NLA_PUT_U8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL); 1023 1023 + NLA_PUT_STRING(skb, IPSET_ATTR_SETNAME, set->name); 1024 1024 + switch (cb->args[2]) { 1025 1025 + case 0: 1026 1026 + /* Core header data */ 1027 1027 + NLA_PUT_STRING(skb, IPSET_ATTR_TYPENAME, 1028 1028 + set->type->name); 1029 1029 + NLA_PUT_U8(skb, IPSET_ATTR_FAMILY, 1030 1030 + set->family); 1031 1031 + NLA_PUT_U8(skb, IPSET_ATTR_REVISION, 1032 1032 + set->type->revision); 1033 1033 + ret = set->variant->head(set, skb); 1034 1034 + if (ret < 0) 1035 1035 + goto release_refcount; 1036 1036 + /* Fall through and add elements */ 1037 1037 + default: 1038 1038 + read_lock_bh(&set->lock); 1039 1039 + ret = set->variant->list(set, skb, cb); 1040 1040 + read_unlock_bh(&set->lock); 1041 1041 + if (!cb->args[2]) { 1042 1042 + /* Set is done, proceed with next one */ 1043 1043 + if (cb->args[0] == DUMP_ONE) 1044 1044 + cb->args[1] = IPSET_INVALID_ID; 1045 1045 + else 1046 1046 + cb->args[1]++; 1047 1047 + } 1048 1048 + goto release_refcount; 1049 1049 + } 1050 1050 + } 1051 1051 + goto out; 1052 1052 + 1053 1053 + nla_put_failure: 1054 1054 + ret = -EFAULT; 1055 1055 + release_refcount: 1056 1056 + /* If there was an error or set is done, release set */ 1057 1057 + if (ret || !cb->args[2]) { 1058 1058 + pr_debug("release set %s\n", ip_set_list[index]->name); 1059 1059 + __ip_set_put(index); 1060 1060 + } 1061 1061 + 1062 1062 + /* If we dump all sets, continue with dumping last ones */ 1063 1063 + if (cb->args[0] == DUMP_ALL && cb->args[1] >= max && !cb->args[2]) 1064 1064 + cb->args[0] = DUMP_LAST; 1065 1065 + 1066 1066 + out: 1067 1067 + if (nlh) { 1068 1068 + nlmsg_end(skb, nlh); 1069 1069 + pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len); 1070 1070 + dump_attrs(nlh); 1071 1071 + } 1072 1072 + 1073 1073 + return ret < 0 ? ret : skb->len; 1074 1074 + } 1075 1075 + 1076 1076 + static int 1077 1077 + ip_set_dump(struct sock *ctnl, struct sk_buff *skb, 1078 1078 + const struct nlmsghdr *nlh, 1079 1079 + const struct nlattr * const attr[]) 1080 1080 + { 1081 1081 + if (unlikely(protocol_failed(attr))) 1082 1082 + return -IPSET_ERR_PROTOCOL; 1083 1083 + 1084 1084 + return netlink_dump_start(ctnl, skb, nlh, 1085 1085 + ip_set_dump_start, 1086 1086 + ip_set_dump_done); 1087 1087 + } 1088 1088 + 1089 1089 + /* Add, del and test */ 1090 1090 + 1091 1091 + static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = { 1092 1092 + [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, 1093 1093 + [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, 1094 1094 + .len = IPSET_MAXNAMELEN - 1 }, 1095 1095 + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, 1096 1096 + [IPSET_ATTR_DATA] = { .type = NLA_NESTED }, 1097 1097 + [IPSET_ATTR_ADT] = { .type = NLA_NESTED }, 1098 1098 + }; 1099 1099 + 1100 1100 + static int 1101 1101 + call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set, 1102 1102 + struct nlattr *tb[], enum ipset_adt adt, 1103 1103 + u32 flags, bool use_lineno) 1104 1104 + { 1105 1105 + int ret, retried = 0; 1106 1106 + u32 lineno = 0; 1107 1107 + bool eexist = flags & IPSET_FLAG_EXIST; 1108 1108 + 1109 1109 + do { 1110 1110 + write_lock_bh(&set->lock); 1111 1111 + ret = set->variant->uadt(set, tb, adt, &lineno, flags); 1112 1112 + write_unlock_bh(&set->lock); 1113 1113 + } while (ret == -EAGAIN && 1114 1114 + set->variant->resize && 1115 1115 + (ret = set->variant->resize(set, retried++)) == 0); 1116 1116 + 1117 1117 + if (!ret || (ret == -IPSET_ERR_EXIST && eexist)) 1118 1118 + return 0; 1119 1119 + if (lineno && use_lineno) { 1120 1120 + /* Error in restore/batch mode: send back lineno */ 1121 1121 + struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb); 1122 1122 + struct sk_buff *skb2; 1123 1123 + struct nlmsgerr *errmsg; 1124 1124 + size_t payload = sizeof(*errmsg) + nlmsg_len(nlh); 1125 1125 + int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg)); 1126 1126 + struct nlattr *cda[IPSET_ATTR_CMD_MAX+1]; 1127 1127 + struct nlattr *cmdattr; 1128 1128 + u32 *errline; 1129 1129 + 1130 1130 + skb2 = nlmsg_new(payload, GFP_KERNEL); 1131 1131 + if (skb2 == NULL) 1132 1132 + return -ENOMEM; 1133 1133 + rep = __nlmsg_put(skb2, NETLINK_CB(skb).pid, 1134 1134 + nlh->nlmsg_seq, NLMSG_ERROR, payload, 0); 1135 1135 + errmsg = nlmsg_data(rep); 1136 1136 + errmsg->error = ret; 1137 1137 + memcpy(&errmsg->msg, nlh, nlh->nlmsg_len); 1138 1138 + cmdattr = (void *)&errmsg->msg + min_len; 1139 1139 + 1140 1140 + nla_parse(cda, IPSET_ATTR_CMD_MAX, 1141 1141 + cmdattr, nlh->nlmsg_len - min_len, 1142 1142 + ip_set_adt_policy); 1143 1143 + 1144 1144 + errline = nla_data(cda[IPSET_ATTR_LINENO]); 1145 1145 + 1146 1146 + *errline = lineno; 1147 1147 + 1148 1148 + netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); 1149 1149 + /* Signal netlink not to send its ACK/errmsg. */ 1150 1150 + return -EINTR; 1151 1151 + } 1152 1152 + 1153 1153 + return ret; 1154 1154 + } 1155 1155 + 1156 1156 + static int 1157 1157 + ip_set_uadd(struct sock *ctnl, struct sk_buff *skb, 1158 1158 + const struct nlmsghdr *nlh, 1159 1159 + const struct nlattr * const attr[]) 1160 1160 + { 1161 1161 + struct ip_set *set; 1162 1162 + struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; 1163 1163 + const struct nlattr *nla; 1164 1164 + u32 flags = flag_exist(nlh); 1165 1165 + bool use_lineno; 1166 1166 + int ret = 0; 1167 1167 + 1168 1168 + if (unlikely(protocol_failed(attr) || 1169 1169 + attr[IPSET_ATTR_SETNAME] == NULL || 1170 1170 + !((attr[IPSET_ATTR_DATA] != NULL) ^ 1171 1171 + (attr[IPSET_ATTR_ADT] != NULL)) || 1172 1172 + (attr[IPSET_ATTR_DATA] != NULL && 1173 1173 + !flag_nested(attr[IPSET_ATTR_DATA])) || 1174 1174 + (attr[IPSET_ATTR_ADT] != NULL && 1175 1175 + (!flag_nested(attr[IPSET_ATTR_ADT]) || 1176 1176 + attr[IPSET_ATTR_LINENO] == NULL)))) 1177 1177 + return -IPSET_ERR_PROTOCOL; 1178 1178 + 1179 1179 + set = find_set(nla_data(attr[IPSET_ATTR_SETNAME])); 1180 1180 + if (set == NULL) 1181 1181 + return -ENOENT; 1182 1182 + 1183 1183 + use_lineno = !!attr[IPSET_ATTR_LINENO]; 1184 1184 + if (attr[IPSET_ATTR_DATA]) { 1185 1185 + if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, 1186 1186 + attr[IPSET_ATTR_DATA], 1187 1187 + set->type->adt_policy)) 1188 1188 + return -IPSET_ERR_PROTOCOL; 1189 1189 + ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, flags, 1190 1190 + use_lineno); 1191 1191 + } else { 1192 1192 + int nla_rem; 1193 1193 + 1194 1194 + nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) { 1195 1195 + memset(tb, 0, sizeof(tb)); 1196 1196 + if (nla_type(nla) != IPSET_ATTR_DATA || 1197 1197 + !flag_nested(nla) || 1198 1198 + nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla, 1199 1199 + set->type->adt_policy)) 1200 1200 + return -IPSET_ERR_PROTOCOL; 1201 1201 + ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, 1202 1202 + flags, use_lineno); 1203 1203 + if (ret < 0) 1204 1204 + return ret; 1205 1205 + } 1206 1206 + } 1207 1207 + return ret; 1208 1208 + } 1209 1209 + 1210 1210 + static int 1211 1211 + ip_set_udel(struct sock *ctnl, struct sk_buff *skb, 1212 1212 + const struct nlmsghdr *nlh, 1213 1213 + const struct nlattr * const attr[]) 1214 1214 + { 1215 1215 + struct ip_set *set; 1216 1216 + struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; 1217 1217 + const struct nlattr *nla; 1218 1218 + u32 flags = flag_exist(nlh); 1219 1219 + bool use_lineno; 1220 1220 + int ret = 0; 1221 1221 + 1222 1222 + if (unlikely(protocol_failed(attr) || 1223 1223 + attr[IPSET_ATTR_SETNAME] == NULL || 1224 1224 + !((attr[IPSET_ATTR_DATA] != NULL) ^ 1225 1225 + (attr[IPSET_ATTR_ADT] != NULL)) || 1226 1226 + (attr[IPSET_ATTR_DATA] != NULL && 1227 1227 + !flag_nested(attr[IPSET_ATTR_DATA])) || 1228 1228 + (attr[IPSET_ATTR_ADT] != NULL && 1229 1229 + (!flag_nested(attr[IPSET_ATTR_ADT]) || 1230 1230 + attr[IPSET_ATTR_LINENO] == NULL)))) 1231 1231 + return -IPSET_ERR_PROTOCOL; 1232 1232 + 1233 1233 + set = find_set(nla_data(attr[IPSET_ATTR_SETNAME])); 1234 1234 + if (set == NULL) 1235 1235 + return -ENOENT; 1236 1236 + 1237 1237 + use_lineno = !!attr[IPSET_ATTR_LINENO]; 1238 1238 + if (attr[IPSET_ATTR_DATA]) { 1239 1239 + if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, 1240 1240 + attr[IPSET_ATTR_DATA], 1241 1241 + set->type->adt_policy)) 1242 1242 + return -IPSET_ERR_PROTOCOL; 1243 1243 + ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, flags, 1244 1244 + use_lineno); 1245 1245 + } else { 1246 1246 + int nla_rem; 1247 1247 + 1248 1248 + nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) { 1249 1249 + memset(tb, 0, sizeof(*tb)); 1250 1250 + if (nla_type(nla) != IPSET_ATTR_DATA || 1251 1251 + !flag_nested(nla) || 1252 1252 + nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla, 1253 1253 + set->type->adt_policy)) 1254 1254 + return -IPSET_ERR_PROTOCOL; 1255 1255 + ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, 1256 1256 + flags, use_lineno); 1257 1257 + if (ret < 0) 1258 1258 + return ret; 1259 1259 + } 1260 1260 + } 1261 1261 + return ret; 1262 1262 + } 1263 1263 + 1264 1264 + static int 1265 1265 + ip_set_utest(struct sock *ctnl, struct sk_buff *skb, 1266 1266 + const struct nlmsghdr *nlh, 1267 1267 + const struct nlattr * const attr[]) 1268 1268 + { 1269 1269 + struct ip_set *set; 1270 1270 + struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; 1271 1271 + int ret = 0; 1272 1272 + 1273 1273 + if (unlikely(protocol_failed(attr) || 1274 1274 + attr[IPSET_ATTR_SETNAME] == NULL || 1275 1275 + attr[IPSET_ATTR_DATA] == NULL || 1276 1276 + !flag_nested(attr[IPSET_ATTR_DATA]))) 1277 1277 + return -IPSET_ERR_PROTOCOL; 1278 1278 + 1279 1279 + set = find_set(nla_data(attr[IPSET_ATTR_SETNAME])); 1280 1280 + if (set == NULL) 1281 1281 + return -ENOENT; 1282 1282 + 1283 1283 + if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], 1284 1284 + set->type->adt_policy)) 1285 1285 + return -IPSET_ERR_PROTOCOL; 1286 1286 + 1287 1287 + read_lock_bh(&set->lock); 1288 1288 + ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0); 1289 1289 + read_unlock_bh(&set->lock); 1290 1290 + /* Userspace can't trigger element to be re-added */ 1291 1291 + if (ret == -EAGAIN) 1292 1292 + ret = 1; 1293 1293 + 1294 1294 + return ret < 0 ? ret : ret > 0 ? 0 : -IPSET_ERR_EXIST; 1295 1295 + } 1296 1296 + 1297 1297 + /* Get headed data of a set */ 1298 1298 + 1299 1299 + static int 1300 1300 + ip_set_header(struct sock *ctnl, struct sk_buff *skb, 1301 1301 + const struct nlmsghdr *nlh, 1302 1302 + const struct nlattr * const attr[]) 1303 1303 + { 1304 1304 + const struct ip_set *set; 1305 1305 + struct sk_buff *skb2; 1306 1306 + struct nlmsghdr *nlh2; 1307 1307 + ip_set_id_t index; 1308 1308 + int ret = 0; 1309 1309 + 1310 1310 + if (unlikely(protocol_failed(attr) || 1311 1311 + attr[IPSET_ATTR_SETNAME] == NULL)) 1312 1312 + return -IPSET_ERR_PROTOCOL; 1313 1313 + 1314 1314 + index = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME])); 1315 1315 + if (index == IPSET_INVALID_ID) 1316 1316 + return -ENOENT; 1317 1317 + set = ip_set_list[index]; 1318 1318 + 1319 1319 + skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1320 1320 + if (skb2 == NULL) 1321 1321 + return -ENOMEM; 1322 1322 + 1323 1323 + nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0, 1324 1324 + IPSET_CMD_HEADER); 1325 1325 + if (!nlh2) 1326 1326 + goto nlmsg_failure; 1327 1327 + NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL); 1328 1328 + NLA_PUT_STRING(skb2, IPSET_ATTR_SETNAME, set->name); 1329 1329 + NLA_PUT_STRING(skb2, IPSET_ATTR_TYPENAME, set->type->name); 1330 1330 + NLA_PUT_U8(skb2, IPSET_ATTR_FAMILY, set->family); 1331 1331 + NLA_PUT_U8(skb2, IPSET_ATTR_REVISION, set->type->revision); 1332 1332 + nlmsg_end(skb2, nlh2); 1333 1333 + 1334 1334 + ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); 1335 1335 + if (ret < 0) 1336 1336 + return ret; 1337 1337 + 1338 1338 + return 0; 1339 1339 + 1340 1340 + nla_put_failure: 1341 1341 + nlmsg_cancel(skb2, nlh2); 1342 1342 + nlmsg_failure: 1343 1343 + kfree_skb(skb2); 1344 1344 + return -EMSGSIZE; 1345 1345 + } 1346 1346 + 1347 1347 + /* Get type data */ 1348 1348 + 1349 1349 + static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = { 1350 1350 + [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, 1351 1351 + [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING, 1352 1352 + .len = IPSET_MAXNAMELEN - 1 }, 1353 1353 + [IPSET_ATTR_FAMILY] = { .type = NLA_U8 }, 1354 1354 + }; 1355 1355 + 1356 1356 + static int 1357 1357 + ip_set_type(struct sock *ctnl, struct sk_buff *skb, 1358 1358 + const struct nlmsghdr *nlh, 1359 1359 + const struct nlattr * const attr[]) 1360 1360 + { 1361 1361 + struct sk_buff *skb2; 1362 1362 + struct nlmsghdr *nlh2; 1363 1363 + u8 family, min, max; 1364 1364 + const char *typename; 1365 1365 + int ret = 0; 1366 1366 + 1367 1367 + if (unlikely(protocol_failed(attr) || 1368 1368 + attr[IPSET_ATTR_TYPENAME] == NULL || 1369 1369 + attr[IPSET_ATTR_FAMILY] == NULL)) 1370 1370 + return -IPSET_ERR_PROTOCOL; 1371 1371 + 1372 1372 + family = nla_get_u8(attr[IPSET_ATTR_FAMILY]); 1373 1373 + typename = nla_data(attr[IPSET_ATTR_TYPENAME]); 1374 1374 + ret = find_set_type_minmax(typename, family, &min, &max); 1375 1375 + if (ret) 1376 1376 + return ret; 1377 1377 + 1378 1378 + skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1379 1379 + if (skb2 == NULL) 1380 1380 + return -ENOMEM; 1381 1381 + 1382 1382 + nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0, 1383 1383 + IPSET_CMD_TYPE); 1384 1384 + if (!nlh2) 1385 1385 + goto nlmsg_failure; 1386 1386 + NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL); 1387 1387 + NLA_PUT_STRING(skb2, IPSET_ATTR_TYPENAME, typename); 1388 1388 + NLA_PUT_U8(skb2, IPSET_ATTR_FAMILY, family); 1389 1389 + NLA_PUT_U8(skb2, IPSET_ATTR_REVISION, max); 1390 1390 + NLA_PUT_U8(skb2, IPSET_ATTR_REVISION_MIN, min); 1391 1391 + nlmsg_end(skb2, nlh2); 1392 1392 + 1393 1393 + pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len); 1394 1394 + ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); 1395 1395 + if (ret < 0) 1396 1396 + return ret; 1397 1397 + 1398 1398 + return 0; 1399 1399 + 1400 1400 + nla_put_failure: 1401 1401 + nlmsg_cancel(skb2, nlh2); 1402 1402 + nlmsg_failure: 1403 1403 + kfree_skb(skb2); 1404 1404 + return -EMSGSIZE; 1405 1405 + } 1406 1406 + 1407 1407 + /* Get protocol version */ 1408 1408 + 1409 1409 + static const struct nla_policy 1410 1410 + ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = { 1411 1411 + [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, 1412 1412 + }; 1413 1413 + 1414 1414 + static int 1415 1415 + ip_set_protocol(struct sock *ctnl, struct sk_buff *skb, 1416 1416 + const struct nlmsghdr *nlh, 1417 1417 + const struct nlattr * const attr[]) 1418 1418 + { 1419 1419 + struct sk_buff *skb2; 1420 1420 + struct nlmsghdr *nlh2; 1421 1421 + int ret = 0; 1422 1422 + 1423 1423 + if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL)) 1424 1424 + return -IPSET_ERR_PROTOCOL; 1425 1425 + 1426 1426 + skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1427 1427 + if (skb2 == NULL) 1428 1428 + return -ENOMEM; 1429 1429 + 1430 1430 + nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0, 1431 1431 + IPSET_CMD_PROTOCOL); 1432 1432 + if (!nlh2) 1433 1433 + goto nlmsg_failure; 1434 1434 + NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL); 1435 1435 + nlmsg_end(skb2, nlh2); 1436 1436 + 1437 1437 + ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); 1438 1438 + if (ret < 0) 1439 1439 + return ret; 1440 1440 + 1441 1441 + return 0; 1442 1442 + 1443 1443 + nla_put_failure: 1444 1444 + nlmsg_cancel(skb2, nlh2); 1445 1445 + nlmsg_failure: 1446 1446 + kfree_skb(skb2); 1447 1447 + return -EMSGSIZE; 1448 1448 + } 1449 1449 + 1450 1450 + static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = { 1451 1451 + [IPSET_CMD_CREATE] = { 1452 1452 + .call = ip_set_create, 1453 1453 + .attr_count = IPSET_ATTR_CMD_MAX, 1454 1454 + .policy = ip_set_create_policy, 1455 1455 + }, 1456 1456 + [IPSET_CMD_DESTROY] = { 1457 1457 + .call = ip_set_destroy, 1458 1458 + .attr_count = IPSET_ATTR_CMD_MAX, 1459 1459 + .policy = ip_set_setname_policy, 1460 1460 + }, 1461 1461 + [IPSET_CMD_FLUSH] = { 1462 1462 + .call = ip_set_flush, 1463 1463 + .attr_count = IPSET_ATTR_CMD_MAX, 1464 1464 + .policy = ip_set_setname_policy, 1465 1465 + }, 1466 1466 + [IPSET_CMD_RENAME] = { 1467 1467 + .call = ip_set_rename, 1468 1468 + .attr_count = IPSET_ATTR_CMD_MAX, 1469 1469 + .policy = ip_set_setname2_policy, 1470 1470 + }, 1471 1471 + [IPSET_CMD_SWAP] = { 1472 1472 + .call = ip_set_swap, 1473 1473 + .attr_count = IPSET_ATTR_CMD_MAX, 1474 1474 + .policy = ip_set_setname2_policy, 1475 1475 + }, 1476 1476 + [IPSET_CMD_LIST] = { 1477 1477 + .call = ip_set_dump, 1478 1478 + .attr_count = IPSET_ATTR_CMD_MAX, 1479 1479 + .policy = ip_set_setname_policy, 1480 1480 + }, 1481 1481 + [IPSET_CMD_SAVE] = { 1482 1482 + .call = ip_set_dump, 1483 1483 + .attr_count = IPSET_ATTR_CMD_MAX, 1484 1484 + .policy = ip_set_setname_policy, 1485 1485 + }, 1486 1486 + [IPSET_CMD_ADD] = { 1487 1487 + .call = ip_set_uadd, 1488 1488 + .attr_count = IPSET_ATTR_CMD_MAX, 1489 1489 + .policy = ip_set_adt_policy, 1490 1490 + }, 1491 1491 + [IPSET_CMD_DEL] = { 1492 1492 + .call = ip_set_udel, 1493 1493 + .attr_count = IPSET_ATTR_CMD_MAX, 1494 1494 + .policy = ip_set_adt_policy, 1495 1495 + }, 1496 1496 + [IPSET_CMD_TEST] = { 1497 1497 + .call = ip_set_utest, 1498 1498 + .attr_count = IPSET_ATTR_CMD_MAX, 1499 1499 + .policy = ip_set_adt_policy, 1500 1500 + }, 1501 1501 + [IPSET_CMD_HEADER] = { 1502 1502 + .call = ip_set_header, 1503 1503 + .attr_count = IPSET_ATTR_CMD_MAX, 1504 1504 + .policy = ip_set_setname_policy, 1505 1505 + }, 1506 1506 + [IPSET_CMD_TYPE] = { 1507 1507 + .call = ip_set_type, 1508 1508 + .attr_count = IPSET_ATTR_CMD_MAX, 1509 1509 + .policy = ip_set_type_policy, 1510 1510 + }, 1511 1511 + [IPSET_CMD_PROTOCOL] = { 1512 1512 + .call = ip_set_protocol, 1513 1513 + .attr_count = IPSET_ATTR_CMD_MAX, 1514 1514 + .policy = ip_set_protocol_policy, 1515 1515 + }, 1516 1516 + }; 1517 1517 + 1518 1518 + static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = { 1519 1519 + .name = "ip_set", 1520 1520 + .subsys_id = NFNL_SUBSYS_IPSET, 1521 1521 + .cb_count = IPSET_MSG_MAX, 1522 1522 + .cb = ip_set_netlink_subsys_cb, 1523 1523 + }; 1524 1524 + 1525 1525 + /* Interface to iptables/ip6tables */ 1526 1526 + 1527 1527 + static int 1528 1528 + ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len) 1529 1529 + { 1530 1530 + unsigned *op; 1531 1531 + void *data; 1532 1532 + int copylen = *len, ret = 0; 1533 1533 + 1534 1534 + if (!capable(CAP_NET_ADMIN)) 1535 1535 + return -EPERM; 1536 1536 + if (optval != SO_IP_SET) 1537 1537 + return -EBADF; 1538 1538 + if (*len < sizeof(unsigned)) 1539 1539 + return -EINVAL; 1540 1540 + 1541 1541 + data = vmalloc(*len); 1542 1542 + if (!data) 1543 1543 + return -ENOMEM; 1544 1544 + if (copy_from_user(data, user, *len) != 0) { 1545 1545 + ret = -EFAULT; 1546 1546 + goto done; 1547 1547 + } 1548 1548 + op = (unsigned *) data; 1549 1549 + 1550 1550 + if (*op < IP_SET_OP_VERSION) { 1551 1551 + /* Check the version at the beginning of operations */ 1552 1552 + struct ip_set_req_version *req_version = data; 1553 1553 + if (req_version->version != IPSET_PROTOCOL) { 1554 1554 + ret = -EPROTO; 1555 1555 + goto done; 1556 1556 + } 1557 1557 + } 1558 1558 + 1559 1559 + switch (*op) { 1560 1560 + case IP_SET_OP_VERSION: { 1561 1561 + struct ip_set_req_version *req_version = data; 1562 1562 + 1563 1563 + if (*len != sizeof(struct ip_set_req_version)) { 1564 1564 + ret = -EINVAL; 1565 1565 + goto done; 1566 1566 + } 1567 1567 + 1568 1568 + req_version->version = IPSET_PROTOCOL; 1569 1569 + ret = copy_to_user(user, req_version, 1570 1570 + sizeof(struct ip_set_req_version)); 1571 1571 + goto done; 1572 1572 + } 1573 1573 + case IP_SET_OP_GET_BYNAME: { 1574 1574 + struct ip_set_req_get_set *req_get = data; 1575 1575 + 1576 1576 + if (*len != sizeof(struct ip_set_req_get_set)) { 1577 1577 + ret = -EINVAL; 1578 1578 + goto done; 1579 1579 + } 1580 1580 + req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0'; 1581 1581 + nfnl_lock(); 1582 1582 + req_get->set.index = find_set_id(req_get->set.name); 1583 1583 + nfnl_unlock(); 1584 1584 + goto copy; 1585 1585 + } 1586 1586 + case IP_SET_OP_GET_BYINDEX: { 1587 1587 + struct ip_set_req_get_set *req_get = data; 1588 1588 + 1589 1589 + if (*len != sizeof(struct ip_set_req_get_set) || 1590 1590 + req_get->set.index >= ip_set_max) { 1591 1591 + ret = -EINVAL; 1592 1592 + goto done; 1593 1593 + } 1594 1594 + nfnl_lock(); 1595 1595 + strncpy(req_get->set.name, 1596 1596 + ip_set_list[req_get->set.index] 1597 1597 + ? ip_set_list[req_get->set.index]->name : "", 1598 1598 + IPSET_MAXNAMELEN); 1599 1599 + nfnl_unlock(); 1600 1600 + goto copy; 1601 1601 + } 1602 1602 + default: 1603 1603 + ret = -EBADMSG; 1604 1604 + goto done; 1605 1605 + } /* end of switch(op) */ 1606 1606 + 1607 1607 + copy: 1608 1608 + ret = copy_to_user(user, data, copylen); 1609 1609 + 1610 1610 + done: 1611 1611 + vfree(data); 1612 1612 + if (ret > 0) 1613 1613 + ret = 0; 1614 1614 + return ret; 1615 1615 + } 1616 1616 + 1617 1617 + static struct nf_sockopt_ops so_set __read_mostly = { 1618 1618 + .pf = PF_INET, 1619 1619 + .get_optmin = SO_IP_SET, 1620 1620 + .get_optmax = SO_IP_SET + 1, 1621 1621 + .get = &ip_set_sockfn_get, 1622 1622 + .owner = THIS_MODULE, 1623 1623 + }; 1624 1624 + 1625 1625 + static int __init 1626 1626 + ip_set_init(void) 1627 1627 + { 1628 1628 + int ret; 1629 1629 + 1630 1630 + if (max_sets) 1631 1631 + ip_set_max = max_sets; 1632 1632 + if (ip_set_max >= IPSET_INVALID_ID) 1633 1633 + ip_set_max = IPSET_INVALID_ID - 1; 1634 1634 + 1635 1635 + ip_set_list = kzalloc(sizeof(struct ip_set *) * ip_set_max, 1636 1636 + GFP_KERNEL); 1637 1637 + if (!ip_set_list) { 1638 1638 + pr_err("ip_set: Unable to create ip_set_list\n"); 1639 1639 + return -ENOMEM; 1640 1640 + } 1641 1641 + 1642 1642 + ret = nfnetlink_subsys_register(&ip_set_netlink_subsys); 1643 1643 + if (ret != 0) { 1644 1644 + pr_err("ip_set: cannot register with nfnetlink.\n"); 1645 1645 + kfree(ip_set_list); 1646 1646 + return ret; 1647 1647 + } 1648 1648 + ret = nf_register_sockopt(&so_set); 1649 1649 + if (ret != 0) { 1650 1650 + pr_err("SO_SET registry failed: %d\n", ret); 1651 1651 + nfnetlink_subsys_unregister(&ip_set_netlink_subsys); 1652 1652 + kfree(ip_set_list); 1653 1653 + return ret; 1654 1654 + } 1655 1655 + 1656 1656 + pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL); 1657 1657 + return 0; 1658 1658 + } 1659 1659 + 1660 1660 + static void __exit 1661 1661 + ip_set_fini(void) 1662 1662 + { 1663 1663 + /* There can't be any existing set */ 1664 1664 + nf_unregister_sockopt(&so_set); 1665 1665 + nfnetlink_subsys_unregister(&ip_set_netlink_subsys); 1666 1666 + kfree(ip_set_list); 1667 1667 + pr_debug("these are the famous last words\n"); 1668 1668 + } 1669 1669 + 1670 1670 + module_init(ip_set_init); 1671 1671 + module_exit(ip_set_fini);

+141

net/netfilter/ipset/ip_set_getport.c

reviewed

··· 1 1 + /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2 2 + * 3 3 + * This program is free software; you can redistribute it and/or modify 4 4 + * it under the terms of the GNU General Public License version 2 as 5 5 + * published by the Free Software Foundation. 6 6 + */ 7 7 + 8 8 + /* Get Layer-4 data from the packets */ 9 9 + 10 10 + #include <linux/ip.h> 11 11 + #include <linux/skbuff.h> 12 12 + #include <linux/icmp.h> 13 13 + #include <linux/icmpv6.h> 14 14 + #include <linux/netfilter_ipv6/ip6_tables.h> 15 15 + #include <net/ip.h> 16 16 + #include <net/ipv6.h> 17 17 + 18 18 + #include <linux/netfilter/ipset/ip_set_getport.h> 19 19 + 20 20 + /* We must handle non-linear skbs */ 21 21 + static bool 22 22 + get_port(const struct sk_buff *skb, int protocol, unsigned int protooff, 23 23 + bool src, __be16 *port, u8 *proto) 24 24 + { 25 25 + switch (protocol) { 26 26 + case IPPROTO_TCP: { 27 27 + struct tcphdr _tcph; 28 28 + const struct tcphdr *th; 29 29 + 30 30 + th = skb_header_pointer(skb, protooff, sizeof(_tcph), &_tcph); 31 31 + if (th == NULL) 32 32 + /* No choice either */ 33 33 + return false; 34 34 + 35 35 + *port = src ? th->source : th->dest; 36 36 + break; 37 37 + } 38 38 + case IPPROTO_UDP: { 39 39 + struct udphdr _udph; 40 40 + const struct udphdr *uh; 41 41 + 42 42 + uh = skb_header_pointer(skb, protooff, sizeof(_udph), &_udph); 43 43 + if (uh == NULL) 44 44 + /* No choice either */ 45 45 + return false; 46 46 + 47 47 + *port = src ? uh->source : uh->dest; 48 48 + break; 49 49 + } 50 50 + case IPPROTO_ICMP: { 51 51 + struct icmphdr _ich; 52 52 + const struct icmphdr *ic; 53 53 + 54 54 + ic = skb_header_pointer(skb, protooff, sizeof(_ich), &_ich); 55 55 + if (ic == NULL) 56 56 + return false; 57 57 + 58 58 + *port = (__force __be16)htons((ic->type << 8) | ic->code); 59 59 + break; 60 60 + } 61 61 + case IPPROTO_ICMPV6: { 62 62 + struct icmp6hdr _ich; 63 63 + const struct icmp6hdr *ic; 64 64 + 65 65 + ic = skb_header_pointer(skb, protooff, sizeof(_ich), &_ich); 66 66 + if (ic == NULL) 67 67 + return false; 68 68 + 69 69 + *port = (__force __be16) 70 70 + htons((ic->icmp6_type << 8) | ic->icmp6_code); 71 71 + break; 72 72 + } 73 73 + default: 74 74 + break; 75 75 + } 76 76 + *proto = protocol; 77 77 + 78 78 + return true; 79 79 + } 80 80 + 81 81 + bool 82 82 + ip_set_get_ip4_port(const struct sk_buff *skb, bool src, 83 83 + __be16 *port, u8 *proto) 84 84 + { 85 85 + const struct iphdr *iph = ip_hdr(skb); 86 86 + unsigned int protooff = ip_hdrlen(skb); 87 87 + int protocol = iph->protocol; 88 88 + 89 89 + /* See comments at tcp_match in ip_tables.c */ 90 90 + if (protocol <= 0 || (ntohs(iph->frag_off) & IP_OFFSET)) 91 91 + return false; 92 92 + 93 93 + return get_port(skb, protocol, protooff, src, port, proto); 94 94 + } 95 95 + EXPORT_SYMBOL_GPL(ip_set_get_ip4_port); 96 96 + 97 97 + #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) 98 98 + bool 99 99 + ip_set_get_ip6_port(const struct sk_buff *skb, bool src, 100 100 + __be16 *port, u8 *proto) 101 101 + { 102 102 + int protoff; 103 103 + u8 nexthdr; 104 104 + 105 105 + nexthdr = ipv6_hdr(skb)->nexthdr; 106 106 + protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr); 107 107 + if (protoff < 0) 108 108 + return false; 109 109 + 110 110 + return get_port(skb, nexthdr, protoff, src, port, proto); 111 111 + } 112 112 + EXPORT_SYMBOL_GPL(ip_set_get_ip6_port); 113 113 + #endif 114 114 + 115 115 + bool 116 116 + ip_set_get_ip_port(const struct sk_buff *skb, u8 pf, bool src, __be16 *port) 117 117 + { 118 118 + bool ret; 119 119 + u8 proto; 120 120 + 121 121 + switch (pf) { 122 122 + case AF_INET: 123 123 + ret = ip_set_get_ip4_port(skb, src, port, &proto); 124 124 + break; 125 125 + case AF_INET6: 126 126 + ret = ip_set_get_ip6_port(skb, src, port, &proto); 127 127 + break; 128 128 + default: 129 129 + return false; 130 130 + } 131 131 + if (!ret) 132 132 + return ret; 133 133 + switch (proto) { 134 134 + case IPPROTO_TCP: 135 135 + case IPPROTO_UDP: 136 136 + return true; 137 137 + default: 138 138 + return false; 139 139 + } 140 140 + } 141 141 + EXPORT_SYMBOL_GPL(ip_set_get_ip_port);

+464

net/netfilter/ipset/ip_set_hash_ip.c

reviewed

··· 1 1 + /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2 2 + * 3 3 + * This program is free software; you can redistribute it and/or modify 4 4 + * it under the terms of the GNU General Public License version 2 as 5 5 + * published by the Free Software Foundation. 6 6 + */ 7 7 + 8 8 + /* Kernel module implementing an IP set type: the hash:ip type */ 9 9 + 10 10 + #include <linux/jhash.h> 11 11 + #include <linux/module.h> 12 12 + #include <linux/ip.h> 13 13 + #include <linux/skbuff.h> 14 14 + #include <linux/errno.h> 15 15 + #include <linux/random.h> 16 16 + #include <net/ip.h> 17 17 + #include <net/ipv6.h> 18 18 + #include <net/netlink.h> 19 19 + #include <net/tcp.h> 20 20 + 21 21 + #include <linux/netfilter.h> 22 22 + #include <linux/netfilter/ipset/pfxlen.h> 23 23 + #include <linux/netfilter/ipset/ip_set.h> 24 24 + #include <linux/netfilter/ipset/ip_set_timeout.h> 25 25 + #include <linux/netfilter/ipset/ip_set_hash.h> 26 26 + 27 27 + MODULE_LICENSE("GPL"); 28 28 + MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 29 29 + MODULE_DESCRIPTION("hash:ip type of IP sets"); 30 30 + MODULE_ALIAS("ip_set_hash:ip"); 31 31 + 32 32 + /* Type specific function prefix */ 33 33 + #define TYPE hash_ip 34 34 + 35 35 + static bool 36 36 + hash_ip_same_set(const struct ip_set *a, const struct ip_set *b); 37 37 + 38 38 + #define hash_ip4_same_set hash_ip_same_set 39 39 + #define hash_ip6_same_set hash_ip_same_set 40 40 + 41 41 + /* The type variant functions: IPv4 */ 42 42 + 43 43 + /* Member elements without timeout */ 44 44 + struct hash_ip4_elem { 45 45 + __be32 ip; 46 46 + }; 47 47 + 48 48 + /* Member elements with timeout support */ 49 49 + struct hash_ip4_telem { 50 50 + __be32 ip; 51 51 + unsigned long timeout; 52 52 + }; 53 53 + 54 54 + static inline bool 55 55 + hash_ip4_data_equal(const struct hash_ip4_elem *ip1, 56 56 + const struct hash_ip4_elem *ip2) 57 57 + { 58 58 + return ip1->ip == ip2->ip; 59 59 + } 60 60 + 61 61 + static inline bool 62 62 + hash_ip4_data_isnull(const struct hash_ip4_elem *elem) 63 63 + { 64 64 + return elem->ip == 0; 65 65 + } 66 66 + 67 67 + static inline void 68 68 + hash_ip4_data_copy(struct hash_ip4_elem *dst, const struct hash_ip4_elem *src) 69 69 + { 70 70 + dst->ip = src->ip; 71 71 + } 72 72 + 73 73 + /* Zero valued IP addresses cannot be stored */ 74 74 + static inline void 75 75 + hash_ip4_data_zero_out(struct hash_ip4_elem *elem) 76 76 + { 77 77 + elem->ip = 0; 78 78 + } 79 79 + 80 80 + static inline bool 81 81 + hash_ip4_data_list(struct sk_buff *skb, const struct hash_ip4_elem *data) 82 82 + { 83 83 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip); 84 84 + return 0; 85 85 + 86 86 + nla_put_failure: 87 87 + return 1; 88 88 + } 89 89 + 90 90 + static bool 91 91 + hash_ip4_data_tlist(struct sk_buff *skb, const struct hash_ip4_elem *data) 92 92 + { 93 93 + const struct hash_ip4_telem *tdata = 94 94 + (const struct hash_ip4_telem *)data; 95 95 + 96 96 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip); 97 97 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 98 98 + htonl(ip_set_timeout_get(tdata->timeout))); 99 99 + 100 100 + return 0; 101 101 + 102 102 + nla_put_failure: 103 103 + return 1; 104 104 + } 105 105 + 106 106 + #define IP_SET_HASH_WITH_NETMASK 107 107 + #define PF 4 108 108 + #define HOST_MASK 32 109 109 + #include <linux/netfilter/ipset/ip_set_ahash.h> 110 110 + 111 111 + static int 112 112 + hash_ip4_kadt(struct ip_set *set, const struct sk_buff *skb, 113 113 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 114 114 + { 115 115 + const struct ip_set_hash *h = set->data; 116 116 + ipset_adtfn adtfn = set->variant->adt[adt]; 117 117 + __be32 ip; 118 118 + 119 119 + ip4addrptr(skb, flags & IPSET_DIM_ONE_SRC, &ip); 120 120 + ip &= ip_set_netmask(h->netmask); 121 121 + if (ip == 0) 122 122 + return -EINVAL; 123 123 + 124 124 + return adtfn(set, &ip, h->timeout); 125 125 + } 126 126 + 127 127 + static int 128 128 + hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[], 129 129 + enum ipset_adt adt, u32 *lineno, u32 flags) 130 130 + { 131 131 + const struct ip_set_hash *h = set->data; 132 132 + ipset_adtfn adtfn = set->variant->adt[adt]; 133 133 + u32 ip, ip_to, hosts, timeout = h->timeout; 134 134 + __be32 nip; 135 135 + int ret = 0; 136 136 + 137 137 + if (unlikely(!tb[IPSET_ATTR_IP] || 138 138 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 139 139 + return -IPSET_ERR_PROTOCOL; 140 140 + 141 141 + if (tb[IPSET_ATTR_LINENO]) 142 142 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 143 143 + 144 144 + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); 145 145 + if (ret) 146 146 + return ret; 147 147 + 148 148 + ip &= ip_set_hostmask(h->netmask); 149 149 + 150 150 + if (tb[IPSET_ATTR_TIMEOUT]) { 151 151 + if (!with_timeout(h->timeout)) 152 152 + return -IPSET_ERR_TIMEOUT; 153 153 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 154 154 + } 155 155 + 156 156 + if (adt == IPSET_TEST) { 157 157 + nip = htonl(ip); 158 158 + if (nip == 0) 159 159 + return -IPSET_ERR_HASH_ELEM; 160 160 + return adtfn(set, &nip, timeout); 161 161 + } 162 162 + 163 163 + if (tb[IPSET_ATTR_IP_TO]) { 164 164 + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); 165 165 + if (ret) 166 166 + return ret; 167 167 + if (ip > ip_to) 168 168 + swap(ip, ip_to); 169 169 + } else if (tb[IPSET_ATTR_CIDR]) { 170 170 + u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); 171 171 + 172 172 + if (cidr > 32) 173 173 + return -IPSET_ERR_INVALID_CIDR; 174 174 + ip &= ip_set_hostmask(cidr); 175 175 + ip_to = ip | ~ip_set_hostmask(cidr); 176 176 + } else 177 177 + ip_to = ip; 178 178 + 179 179 + hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1); 180 180 + 181 181 + for (; !before(ip_to, ip); ip += hosts) { 182 182 + nip = htonl(ip); 183 183 + if (nip == 0) 184 184 + return -IPSET_ERR_HASH_ELEM; 185 185 + ret = adtfn(set, &nip, timeout); 186 186 + 187 187 + if (ret && !ip_set_eexist(ret, flags)) 188 188 + return ret; 189 189 + else 190 190 + ret = 0; 191 191 + } 192 192 + return ret; 193 193 + } 194 194 + 195 195 + static bool 196 196 + hash_ip_same_set(const struct ip_set *a, const struct ip_set *b) 197 197 + { 198 198 + const struct ip_set_hash *x = a->data; 199 199 + const struct ip_set_hash *y = b->data; 200 200 + 201 201 + /* Resizing changes htable_bits, so we ignore it */ 202 202 + return x->maxelem == y->maxelem && 203 203 + x->timeout == y->timeout && 204 204 + x->netmask == y->netmask; 205 205 + } 206 206 + 207 207 + /* The type variant functions: IPv6 */ 208 208 + 209 209 + struct hash_ip6_elem { 210 210 + union nf_inet_addr ip; 211 211 + }; 212 212 + 213 213 + struct hash_ip6_telem { 214 214 + union nf_inet_addr ip; 215 215 + unsigned long timeout; 216 216 + }; 217 217 + 218 218 + static inline bool 219 219 + hash_ip6_data_equal(const struct hash_ip6_elem *ip1, 220 220 + const struct hash_ip6_elem *ip2) 221 221 + { 222 222 + return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0; 223 223 + } 224 224 + 225 225 + static inline bool 226 226 + hash_ip6_data_isnull(const struct hash_ip6_elem *elem) 227 227 + { 228 228 + return ipv6_addr_any(&elem->ip.in6); 229 229 + } 230 230 + 231 231 + static inline void 232 232 + hash_ip6_data_copy(struct hash_ip6_elem *dst, const struct hash_ip6_elem *src) 233 233 + { 234 234 + ipv6_addr_copy(&dst->ip.in6, &src->ip.in6); 235 235 + } 236 236 + 237 237 + static inline void 238 238 + hash_ip6_data_zero_out(struct hash_ip6_elem *elem) 239 239 + { 240 240 + ipv6_addr_set(&elem->ip.in6, 0, 0, 0, 0); 241 241 + } 242 242 + 243 243 + static inline void 244 244 + ip6_netmask(union nf_inet_addr *ip, u8 prefix) 245 245 + { 246 246 + ip->ip6[0] &= ip_set_netmask6(prefix)[0]; 247 247 + ip->ip6[1] &= ip_set_netmask6(prefix)[1]; 248 248 + ip->ip6[2] &= ip_set_netmask6(prefix)[2]; 249 249 + ip->ip6[3] &= ip_set_netmask6(prefix)[3]; 250 250 + } 251 251 + 252 252 + static bool 253 253 + hash_ip6_data_list(struct sk_buff *skb, const struct hash_ip6_elem *data) 254 254 + { 255 255 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip); 256 256 + return 0; 257 257 + 258 258 + nla_put_failure: 259 259 + return 1; 260 260 + } 261 261 + 262 262 + static bool 263 263 + hash_ip6_data_tlist(struct sk_buff *skb, const struct hash_ip6_elem *data) 264 264 + { 265 265 + const struct hash_ip6_telem *e = 266 266 + (const struct hash_ip6_telem *)data; 267 267 + 268 268 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip); 269 269 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 270 270 + htonl(ip_set_timeout_get(e->timeout))); 271 271 + return 0; 272 272 + 273 273 + nla_put_failure: 274 274 + return 1; 275 275 + } 276 276 + 277 277 + #undef PF 278 278 + #undef HOST_MASK 279 279 + 280 280 + #define PF 6 281 281 + #define HOST_MASK 128 282 282 + #include <linux/netfilter/ipset/ip_set_ahash.h> 283 283 + 284 284 + static int 285 285 + hash_ip6_kadt(struct ip_set *set, const struct sk_buff *skb, 286 286 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 287 287 + { 288 288 + const struct ip_set_hash *h = set->data; 289 289 + ipset_adtfn adtfn = set->variant->adt[adt]; 290 290 + union nf_inet_addr ip; 291 291 + 292 292 + ip6addrptr(skb, flags & IPSET_DIM_ONE_SRC, &ip.in6); 293 293 + ip6_netmask(&ip, h->netmask); 294 294 + if (ipv6_addr_any(&ip.in6)) 295 295 + return -EINVAL; 296 296 + 297 297 + return adtfn(set, &ip, h->timeout); 298 298 + } 299 299 + 300 300 + static const struct nla_policy hash_ip6_adt_policy[IPSET_ATTR_ADT_MAX + 1] = { 301 301 + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, 302 302 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 303 303 + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, 304 304 + }; 305 305 + 306 306 + static int 307 307 + hash_ip6_uadt(struct ip_set *set, struct nlattr *tb[], 308 308 + enum ipset_adt adt, u32 *lineno, u32 flags) 309 309 + { 310 310 + const struct ip_set_hash *h = set->data; 311 311 + ipset_adtfn adtfn = set->variant->adt[adt]; 312 312 + union nf_inet_addr ip; 313 313 + u32 timeout = h->timeout; 314 314 + int ret; 315 315 + 316 316 + if (unlikely(!tb[IPSET_ATTR_IP] || 317 317 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || 318 318 + tb[IPSET_ATTR_IP_TO] || 319 319 + tb[IPSET_ATTR_CIDR])) 320 320 + return -IPSET_ERR_PROTOCOL; 321 321 + 322 322 + if (tb[IPSET_ATTR_LINENO]) 323 323 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 324 324 + 325 325 + ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &ip); 326 326 + if (ret) 327 327 + return ret; 328 328 + 329 329 + ip6_netmask(&ip, h->netmask); 330 330 + if (ipv6_addr_any(&ip.in6)) 331 331 + return -IPSET_ERR_HASH_ELEM; 332 332 + 333 333 + if (tb[IPSET_ATTR_TIMEOUT]) { 334 334 + if (!with_timeout(h->timeout)) 335 335 + return -IPSET_ERR_TIMEOUT; 336 336 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 337 337 + } 338 338 + 339 339 + ret = adtfn(set, &ip, timeout); 340 340 + 341 341 + return ip_set_eexist(ret, flags) ? 0 : ret; 342 342 + } 343 343 + 344 344 + /* Create hash:ip type of sets */ 345 345 + 346 346 + static int 347 347 + hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags) 348 348 + { 349 349 + u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 350 350 + u8 netmask, hbits; 351 351 + struct ip_set_hash *h; 352 352 + 353 353 + if (!(set->family == AF_INET || set->family == AF_INET6)) 354 354 + return -IPSET_ERR_INVALID_FAMILY; 355 355 + netmask = set->family == AF_INET ? 32 : 128; 356 356 + pr_debug("Create set %s with family %s\n", 357 357 + set->name, set->family == AF_INET ? "inet" : "inet6"); 358 358 + 359 359 + if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) || 360 360 + !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) || 361 361 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 362 362 + return -IPSET_ERR_PROTOCOL; 363 363 + 364 364 + if (tb[IPSET_ATTR_HASHSIZE]) { 365 365 + hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]); 366 366 + if (hashsize < IPSET_MIMINAL_HASHSIZE) 367 367 + hashsize = IPSET_MIMINAL_HASHSIZE; 368 368 + } 369 369 + 370 370 + if (tb[IPSET_ATTR_MAXELEM]) 371 371 + maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]); 372 372 + 373 373 + if (tb[IPSET_ATTR_NETMASK]) { 374 374 + netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]); 375 375 + 376 376 + if ((set->family == AF_INET && netmask > 32) || 377 377 + (set->family == AF_INET6 && netmask > 128) || 378 378 + netmask == 0) 379 379 + return -IPSET_ERR_INVALID_NETMASK; 380 380 + } 381 381 + 382 382 + h = kzalloc(sizeof(*h), GFP_KERNEL); 383 383 + if (!h) 384 384 + return -ENOMEM; 385 385 + 386 386 + h->maxelem = maxelem; 387 387 + h->netmask = netmask; 388 388 + get_random_bytes(&h->initval, sizeof(h->initval)); 389 389 + h->timeout = IPSET_NO_TIMEOUT; 390 390 + 391 391 + hbits = htable_bits(hashsize); 392 392 + h->table = ip_set_alloc( 393 393 + sizeof(struct htable) 394 394 + + jhash_size(hbits) * sizeof(struct hbucket)); 395 395 + if (!h->table) { 396 396 + kfree(h); 397 397 + return -ENOMEM; 398 398 + } 399 399 + h->table->htable_bits = hbits; 400 400 + 401 401 + set->data = h; 402 402 + 403 403 + if (tb[IPSET_ATTR_TIMEOUT]) { 404 404 + h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 405 405 + 406 406 + set->variant = set->family == AF_INET 407 407 + ? &hash_ip4_tvariant : &hash_ip6_tvariant; 408 408 + 409 409 + if (set->family == AF_INET) 410 410 + hash_ip4_gc_init(set); 411 411 + else 412 412 + hash_ip6_gc_init(set); 413 413 + } else { 414 414 + set->variant = set->family == AF_INET 415 415 + ? &hash_ip4_variant : &hash_ip6_variant; 416 416 + } 417 417 + 418 418 + pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n", 419 419 + set->name, jhash_size(h->table->htable_bits), 420 420 + h->table->htable_bits, h->maxelem, set->data, h->table); 421 421 + 422 422 + return 0; 423 423 + } 424 424 + 425 425 + static struct ip_set_type hash_ip_type __read_mostly = { 426 426 + .name = "hash:ip", 427 427 + .protocol = IPSET_PROTOCOL, 428 428 + .features = IPSET_TYPE_IP, 429 429 + .dimension = IPSET_DIM_ONE, 430 430 + .family = AF_UNSPEC, 431 431 + .revision = 0, 432 432 + .create = hash_ip_create, 433 433 + .create_policy = { 434 434 + [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 }, 435 435 + [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 }, 436 436 + [IPSET_ATTR_PROBES] = { .type = NLA_U8 }, 437 437 + [IPSET_ATTR_RESIZE] = { .type = NLA_U8 }, 438 438 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 439 439 + [IPSET_ATTR_NETMASK] = { .type = NLA_U8 }, 440 440 + }, 441 441 + .adt_policy = { 442 442 + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, 443 443 + [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, 444 444 + [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, 445 445 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 446 446 + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, 447 447 + }, 448 448 + .me = THIS_MODULE, 449 449 + }; 450 450 + 451 451 + static int __init 452 452 + hash_ip_init(void) 453 453 + { 454 454 + return ip_set_type_register(&hash_ip_type); 455 455 + } 456 456 + 457 457 + static void __exit 458 458 + hash_ip_fini(void) 459 459 + { 460 460 + ip_set_type_unregister(&hash_ip_type); 461 461 + } 462 462 + 463 463 + module_init(hash_ip_init); 464 464 + module_exit(hash_ip_fini);

+544

net/netfilter/ipset/ip_set_hash_ipport.c

reviewed

··· 1 1 + /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2 2 + * 3 3 + * This program is free software; you can redistribute it and/or modify 4 4 + * it under the terms of the GNU General Public License version 2 as 5 5 + * published by the Free Software Foundation. 6 6 + */ 7 7 + 8 8 + /* Kernel module implementing an IP set type: the hash:ip,port type */ 9 9 + 10 10 + #include <linux/jhash.h> 11 11 + #include <linux/module.h> 12 12 + #include <linux/ip.h> 13 13 + #include <linux/skbuff.h> 14 14 + #include <linux/errno.h> 15 15 + #include <linux/random.h> 16 16 + #include <net/ip.h> 17 17 + #include <net/ipv6.h> 18 18 + #include <net/netlink.h> 19 19 + #include <net/tcp.h> 20 20 + 21 21 + #include <linux/netfilter.h> 22 22 + #include <linux/netfilter/ipset/pfxlen.h> 23 23 + #include <linux/netfilter/ipset/ip_set.h> 24 24 + #include <linux/netfilter/ipset/ip_set_timeout.h> 25 25 + #include <linux/netfilter/ipset/ip_set_getport.h> 26 26 + #include <linux/netfilter/ipset/ip_set_hash.h> 27 27 + 28 28 + MODULE_LICENSE("GPL"); 29 29 + MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 30 30 + MODULE_DESCRIPTION("hash:ip,port type of IP sets"); 31 31 + MODULE_ALIAS("ip_set_hash:ip,port"); 32 32 + 33 33 + /* Type specific function prefix */ 34 34 + #define TYPE hash_ipport 35 35 + 36 36 + static bool 37 37 + hash_ipport_same_set(const struct ip_set *a, const struct ip_set *b); 38 38 + 39 39 + #define hash_ipport4_same_set hash_ipport_same_set 40 40 + #define hash_ipport6_same_set hash_ipport_same_set 41 41 + 42 42 + /* The type variant functions: IPv4 */ 43 43 + 44 44 + /* Member elements without timeout */ 45 45 + struct hash_ipport4_elem { 46 46 + __be32 ip; 47 47 + __be16 port; 48 48 + u8 proto; 49 49 + u8 padding; 50 50 + }; 51 51 + 52 52 + /* Member elements with timeout support */ 53 53 + struct hash_ipport4_telem { 54 54 + __be32 ip; 55 55 + __be16 port; 56 56 + u8 proto; 57 57 + u8 padding; 58 58 + unsigned long timeout; 59 59 + }; 60 60 + 61 61 + static inline bool 62 62 + hash_ipport4_data_equal(const struct hash_ipport4_elem *ip1, 63 63 + const struct hash_ipport4_elem *ip2) 64 64 + { 65 65 + return ip1->ip == ip2->ip && 66 66 + ip1->port == ip2->port && 67 67 + ip1->proto == ip2->proto; 68 68 + } 69 69 + 70 70 + static inline bool 71 71 + hash_ipport4_data_isnull(const struct hash_ipport4_elem *elem) 72 72 + { 73 73 + return elem->proto == 0; 74 74 + } 75 75 + 76 76 + static inline void 77 77 + hash_ipport4_data_copy(struct hash_ipport4_elem *dst, 78 78 + const struct hash_ipport4_elem *src) 79 79 + { 80 80 + dst->ip = src->ip; 81 81 + dst->port = src->port; 82 82 + dst->proto = src->proto; 83 83 + } 84 84 + 85 85 + static inline void 86 86 + hash_ipport4_data_zero_out(struct hash_ipport4_elem *elem) 87 87 + { 88 88 + elem->proto = 0; 89 89 + } 90 90 + 91 91 + static bool 92 92 + hash_ipport4_data_list(struct sk_buff *skb, 93 93 + const struct hash_ipport4_elem *data) 94 94 + { 95 95 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip); 96 96 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port); 97 97 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 98 98 + return 0; 99 99 + 100 100 + nla_put_failure: 101 101 + return 1; 102 102 + } 103 103 + 104 104 + static bool 105 105 + hash_ipport4_data_tlist(struct sk_buff *skb, 106 106 + const struct hash_ipport4_elem *data) 107 107 + { 108 108 + const struct hash_ipport4_telem *tdata = 109 109 + (const struct hash_ipport4_telem *)data; 110 110 + 111 111 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip); 112 112 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port); 113 113 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 114 114 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 115 115 + htonl(ip_set_timeout_get(tdata->timeout))); 116 116 + 117 117 + return 0; 118 118 + 119 119 + nla_put_failure: 120 120 + return 1; 121 121 + } 122 122 + 123 123 + #define PF 4 124 124 + #define HOST_MASK 32 125 125 + #include <linux/netfilter/ipset/ip_set_ahash.h> 126 126 + 127 127 + static int 128 128 + hash_ipport4_kadt(struct ip_set *set, const struct sk_buff *skb, 129 129 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 130 130 + { 131 131 + const struct ip_set_hash *h = set->data; 132 132 + ipset_adtfn adtfn = set->variant->adt[adt]; 133 133 + struct hash_ipport4_elem data = { }; 134 134 + 135 135 + if (!ip_set_get_ip4_port(skb, flags & IPSET_DIM_TWO_SRC, 136 136 + &data.port, &data.proto)) 137 137 + return -EINVAL; 138 138 + 139 139 + ip4addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip); 140 140 + 141 141 + return adtfn(set, &data, h->timeout); 142 142 + } 143 143 + 144 144 + static int 145 145 + hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[], 146 146 + enum ipset_adt adt, u32 *lineno, u32 flags) 147 147 + { 148 148 + const struct ip_set_hash *h = set->data; 149 149 + ipset_adtfn adtfn = set->variant->adt[adt]; 150 150 + struct hash_ipport4_elem data = { }; 151 151 + u32 ip, ip_to, p, port, port_to; 152 152 + u32 timeout = h->timeout; 153 153 + int ret; 154 154 + 155 155 + if (unlikely(!tb[IPSET_ATTR_IP] || 156 156 + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || 157 157 + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || 158 158 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 159 159 + return -IPSET_ERR_PROTOCOL; 160 160 + 161 161 + if (tb[IPSET_ATTR_LINENO]) 162 162 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 163 163 + 164 164 + ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip); 165 165 + if (ret) 166 166 + return ret; 167 167 + 168 168 + if (tb[IPSET_ATTR_PORT]) 169 169 + data.port = nla_get_be16(tb[IPSET_ATTR_PORT]); 170 170 + else 171 171 + return -IPSET_ERR_PROTOCOL; 172 172 + 173 173 + if (tb[IPSET_ATTR_PROTO]) { 174 174 + data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); 175 175 + 176 176 + if (data.proto == 0) 177 177 + return -IPSET_ERR_INVALID_PROTO; 178 178 + } else 179 179 + return -IPSET_ERR_MISSING_PROTO; 180 180 + 181 181 + switch (data.proto) { 182 182 + case IPPROTO_UDP: 183 183 + case IPPROTO_TCP: 184 184 + case IPPROTO_ICMP: 185 185 + break; 186 186 + default: 187 187 + data.port = 0; 188 188 + break; 189 189 + } 190 190 + 191 191 + if (tb[IPSET_ATTR_TIMEOUT]) { 192 192 + if (!with_timeout(h->timeout)) 193 193 + return -IPSET_ERR_TIMEOUT; 194 194 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 195 195 + } 196 196 + 197 197 + if (adt == IPSET_TEST || 198 198 + !(data.proto == IPPROTO_TCP || data.proto == IPPROTO_UDP) || 199 199 + !(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_CIDR] || 200 200 + tb[IPSET_ATTR_PORT_TO])) { 201 201 + ret = adtfn(set, &data, timeout); 202 202 + return ip_set_eexist(ret, flags) ? 0 : ret; 203 203 + } 204 204 + 205 205 + ip = ntohl(data.ip); 206 206 + if (tb[IPSET_ATTR_IP_TO]) { 207 207 + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); 208 208 + if (ret) 209 209 + return ret; 210 210 + if (ip > ip_to) 211 211 + swap(ip, ip_to); 212 212 + } else if (tb[IPSET_ATTR_CIDR]) { 213 213 + u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); 214 214 + 215 215 + if (cidr > 32) 216 216 + return -IPSET_ERR_INVALID_CIDR; 217 217 + ip &= ip_set_hostmask(cidr); 218 218 + ip_to = ip | ~ip_set_hostmask(cidr); 219 219 + } else 220 220 + ip_to = ip; 221 221 + 222 222 + port = ntohs(data.port); 223 223 + if (tb[IPSET_ATTR_PORT_TO]) { 224 224 + port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); 225 225 + if (port > port_to) 226 226 + swap(port, port_to); 227 227 + } else 228 228 + port_to = port; 229 229 + 230 230 + for (; !before(ip_to, ip); ip++) 231 231 + for (p = port; p <= port_to; p++) { 232 232 + data.ip = htonl(ip); 233 233 + data.port = htons(p); 234 234 + ret = adtfn(set, &data, timeout); 235 235 + 236 236 + if (ret && !ip_set_eexist(ret, flags)) 237 237 + return ret; 238 238 + else 239 239 + ret = 0; 240 240 + } 241 241 + return ret; 242 242 + } 243 243 + 244 244 + static bool 245 245 + hash_ipport_same_set(const struct ip_set *a, const struct ip_set *b) 246 246 + { 247 247 + const struct ip_set_hash *x = a->data; 248 248 + const struct ip_set_hash *y = b->data; 249 249 + 250 250 + /* Resizing changes htable_bits, so we ignore it */ 251 251 + return x->maxelem == y->maxelem && 252 252 + x->timeout == y->timeout; 253 253 + } 254 254 + 255 255 + /* The type variant functions: IPv6 */ 256 256 + 257 257 + struct hash_ipport6_elem { 258 258 + union nf_inet_addr ip; 259 259 + __be16 port; 260 260 + u8 proto; 261 261 + u8 padding; 262 262 + }; 263 263 + 264 264 + struct hash_ipport6_telem { 265 265 + union nf_inet_addr ip; 266 266 + __be16 port; 267 267 + u8 proto; 268 268 + u8 padding; 269 269 + unsigned long timeout; 270 270 + }; 271 271 + 272 272 + static inline bool 273 273 + hash_ipport6_data_equal(const struct hash_ipport6_elem *ip1, 274 274 + const struct hash_ipport6_elem *ip2) 275 275 + { 276 276 + return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 && 277 277 + ip1->port == ip2->port && 278 278 + ip1->proto == ip2->proto; 279 279 + } 280 280 + 281 281 + static inline bool 282 282 + hash_ipport6_data_isnull(const struct hash_ipport6_elem *elem) 283 283 + { 284 284 + return elem->proto == 0; 285 285 + } 286 286 + 287 287 + static inline void 288 288 + hash_ipport6_data_copy(struct hash_ipport6_elem *dst, 289 289 + const struct hash_ipport6_elem *src) 290 290 + { 291 291 + memcpy(dst, src, sizeof(*dst)); 292 292 + } 293 293 + 294 294 + static inline void 295 295 + hash_ipport6_data_zero_out(struct hash_ipport6_elem *elem) 296 296 + { 297 297 + elem->proto = 0; 298 298 + } 299 299 + 300 300 + static bool 301 301 + hash_ipport6_data_list(struct sk_buff *skb, 302 302 + const struct hash_ipport6_elem *data) 303 303 + { 304 304 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip); 305 305 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port); 306 306 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 307 307 + return 0; 308 308 + 309 309 + nla_put_failure: 310 310 + return 1; 311 311 + } 312 312 + 313 313 + static bool 314 314 + hash_ipport6_data_tlist(struct sk_buff *skb, 315 315 + const struct hash_ipport6_elem *data) 316 316 + { 317 317 + const struct hash_ipport6_telem *e = 318 318 + (const struct hash_ipport6_telem *)data; 319 319 + 320 320 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip); 321 321 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port); 322 322 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 323 323 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 324 324 + htonl(ip_set_timeout_get(e->timeout))); 325 325 + return 0; 326 326 + 327 327 + nla_put_failure: 328 328 + return 1; 329 329 + } 330 330 + 331 331 + #undef PF 332 332 + #undef HOST_MASK 333 333 + 334 334 + #define PF 6 335 335 + #define HOST_MASK 128 336 336 + #include <linux/netfilter/ipset/ip_set_ahash.h> 337 337 + 338 338 + static int 339 339 + hash_ipport6_kadt(struct ip_set *set, const struct sk_buff *skb, 340 340 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 341 341 + { 342 342 + const struct ip_set_hash *h = set->data; 343 343 + ipset_adtfn adtfn = set->variant->adt[adt]; 344 344 + struct hash_ipport6_elem data = { }; 345 345 + 346 346 + if (!ip_set_get_ip6_port(skb, flags & IPSET_DIM_TWO_SRC, 347 347 + &data.port, &data.proto)) 348 348 + return -EINVAL; 349 349 + 350 350 + ip6addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip.in6); 351 351 + 352 352 + return adtfn(set, &data, h->timeout); 353 353 + } 354 354 + 355 355 + static int 356 356 + hash_ipport6_uadt(struct ip_set *set, struct nlattr *tb[], 357 357 + enum ipset_adt adt, u32 *lineno, u32 flags) 358 358 + { 359 359 + const struct ip_set_hash *h = set->data; 360 360 + ipset_adtfn adtfn = set->variant->adt[adt]; 361 361 + struct hash_ipport6_elem data = { }; 362 362 + u32 port, port_to; 363 363 + u32 timeout = h->timeout; 364 364 + int ret; 365 365 + 366 366 + if (unlikely(!tb[IPSET_ATTR_IP] || 367 367 + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || 368 368 + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || 369 369 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || 370 370 + tb[IPSET_ATTR_IP_TO] || 371 371 + tb[IPSET_ATTR_CIDR])) 372 372 + return -IPSET_ERR_PROTOCOL; 373 373 + 374 374 + if (tb[IPSET_ATTR_LINENO]) 375 375 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 376 376 + 377 377 + ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip); 378 378 + if (ret) 379 379 + return ret; 380 380 + 381 381 + if (tb[IPSET_ATTR_PORT]) 382 382 + data.port = nla_get_be16(tb[IPSET_ATTR_PORT]); 383 383 + else 384 384 + return -IPSET_ERR_PROTOCOL; 385 385 + 386 386 + if (tb[IPSET_ATTR_PROTO]) { 387 387 + data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); 388 388 + 389 389 + if (data.proto == 0) 390 390 + return -IPSET_ERR_INVALID_PROTO; 391 391 + } else 392 392 + return -IPSET_ERR_MISSING_PROTO; 393 393 + 394 394 + switch (data.proto) { 395 395 + case IPPROTO_UDP: 396 396 + case IPPROTO_TCP: 397 397 + case IPPROTO_ICMPV6: 398 398 + break; 399 399 + default: 400 400 + data.port = 0; 401 401 + break; 402 402 + } 403 403 + 404 404 + if (tb[IPSET_ATTR_TIMEOUT]) { 405 405 + if (!with_timeout(h->timeout)) 406 406 + return -IPSET_ERR_TIMEOUT; 407 407 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 408 408 + } 409 409 + 410 410 + if (adt == IPSET_TEST || 411 411 + !(data.proto == IPPROTO_TCP || data.proto == IPPROTO_UDP) || 412 412 + !tb[IPSET_ATTR_PORT_TO]) { 413 413 + ret = adtfn(set, &data, timeout); 414 414 + return ip_set_eexist(ret, flags) ? 0 : ret; 415 415 + } 416 416 + 417 417 + port = ntohs(data.port); 418 418 + port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); 419 419 + if (port > port_to) 420 420 + swap(port, port_to); 421 421 + 422 422 + for (; port <= port_to; port++) { 423 423 + data.port = htons(port); 424 424 + ret = adtfn(set, &data, timeout); 425 425 + 426 426 + if (ret && !ip_set_eexist(ret, flags)) 427 427 + return ret; 428 428 + else 429 429 + ret = 0; 430 430 + } 431 431 + return ret; 432 432 + } 433 433 + 434 434 + /* Create hash:ip type of sets */ 435 435 + 436 436 + static int 437 437 + hash_ipport_create(struct ip_set *set, struct nlattr *tb[], u32 flags) 438 438 + { 439 439 + struct ip_set_hash *h; 440 440 + u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 441 441 + u8 hbits; 442 442 + 443 443 + if (!(set->family == AF_INET || set->family == AF_INET6)) 444 444 + return -IPSET_ERR_INVALID_FAMILY; 445 445 + 446 446 + if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) || 447 447 + !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) || 448 448 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 449 449 + return -IPSET_ERR_PROTOCOL; 450 450 + 451 451 + if (tb[IPSET_ATTR_HASHSIZE]) { 452 452 + hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]); 453 453 + if (hashsize < IPSET_MIMINAL_HASHSIZE) 454 454 + hashsize = IPSET_MIMINAL_HASHSIZE; 455 455 + } 456 456 + 457 457 + if (tb[IPSET_ATTR_MAXELEM]) 458 458 + maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]); 459 459 + 460 460 + h = kzalloc(sizeof(*h), GFP_KERNEL); 461 461 + if (!h) 462 462 + return -ENOMEM; 463 463 + 464 464 + h->maxelem = maxelem; 465 465 + get_random_bytes(&h->initval, sizeof(h->initval)); 466 466 + h->timeout = IPSET_NO_TIMEOUT; 467 467 + 468 468 + hbits = htable_bits(hashsize); 469 469 + h->table = ip_set_alloc( 470 470 + sizeof(struct htable) 471 471 + + jhash_size(hbits) * sizeof(struct hbucket)); 472 472 + if (!h->table) { 473 473 + kfree(h); 474 474 + return -ENOMEM; 475 475 + } 476 476 + h->table->htable_bits = hbits; 477 477 + 478 478 + set->data = h; 479 479 + 480 480 + if (tb[IPSET_ATTR_TIMEOUT]) { 481 481 + h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 482 482 + 483 483 + set->variant = set->family == AF_INET 484 484 + ? &hash_ipport4_tvariant : &hash_ipport6_tvariant; 485 485 + 486 486 + if (set->family == AF_INET) 487 487 + hash_ipport4_gc_init(set); 488 488 + else 489 489 + hash_ipport6_gc_init(set); 490 490 + } else { 491 491 + set->variant = set->family == AF_INET 492 492 + ? &hash_ipport4_variant : &hash_ipport6_variant; 493 493 + } 494 494 + 495 495 + pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n", 496 496 + set->name, jhash_size(h->table->htable_bits), 497 497 + h->table->htable_bits, h->maxelem, set->data, h->table); 498 498 + 499 499 + return 0; 500 500 + } 501 501 + 502 502 + static struct ip_set_type hash_ipport_type __read_mostly = { 503 503 + .name = "hash:ip,port", 504 504 + .protocol = IPSET_PROTOCOL, 505 505 + .features = IPSET_TYPE_IP | IPSET_TYPE_PORT, 506 506 + .dimension = IPSET_DIM_TWO, 507 507 + .family = AF_UNSPEC, 508 508 + .revision = 0, 509 509 + .create = hash_ipport_create, 510 510 + .create_policy = { 511 511 + [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 }, 512 512 + [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 }, 513 513 + [IPSET_ATTR_PROBES] = { .type = NLA_U8 }, 514 514 + [IPSET_ATTR_RESIZE] = { .type = NLA_U8 }, 515 515 + [IPSET_ATTR_PROTO] = { .type = NLA_U8 }, 516 516 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 517 517 + }, 518 518 + .adt_policy = { 519 519 + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, 520 520 + [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, 521 521 + [IPSET_ATTR_PORT] = { .type = NLA_U16 }, 522 522 + [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 }, 523 523 + [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, 524 524 + [IPSET_ATTR_PROTO] = { .type = NLA_U8 }, 525 525 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 526 526 + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, 527 527 + }, 528 528 + .me = THIS_MODULE, 529 529 + }; 530 530 + 531 531 + static int __init 532 532 + hash_ipport_init(void) 533 533 + { 534 534 + return ip_set_type_register(&hash_ipport_type); 535 535 + } 536 536 + 537 537 + static void __exit 538 538 + hash_ipport_fini(void) 539 539 + { 540 540 + ip_set_type_unregister(&hash_ipport_type); 541 541 + } 542 542 + 543 543 + module_init(hash_ipport_init); 544 544 + module_exit(hash_ipport_fini);

+562

net/netfilter/ipset/ip_set_hash_ipportip.c

reviewed

··· 1 1 + /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2 2 + * 3 3 + * This program is free software; you can redistribute it and/or modify 4 4 + * it under the terms of the GNU General Public License version 2 as 5 5 + * published by the Free Software Foundation. 6 6 + */ 7 7 + 8 8 + /* Kernel module implementing an IP set type: the hash:ip,port,ip type */ 9 9 + 10 10 + #include <linux/jhash.h> 11 11 + #include <linux/module.h> 12 12 + #include <linux/ip.h> 13 13 + #include <linux/skbuff.h> 14 14 + #include <linux/errno.h> 15 15 + #include <linux/random.h> 16 16 + #include <net/ip.h> 17 17 + #include <net/ipv6.h> 18 18 + #include <net/netlink.h> 19 19 + #include <net/tcp.h> 20 20 + 21 21 + #include <linux/netfilter.h> 22 22 + #include <linux/netfilter/ipset/pfxlen.h> 23 23 + #include <linux/netfilter/ipset/ip_set.h> 24 24 + #include <linux/netfilter/ipset/ip_set_timeout.h> 25 25 + #include <linux/netfilter/ipset/ip_set_getport.h> 26 26 + #include <linux/netfilter/ipset/ip_set_hash.h> 27 27 + 28 28 + MODULE_LICENSE("GPL"); 29 29 + MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 30 30 + MODULE_DESCRIPTION("hash:ip,port,ip type of IP sets"); 31 31 + MODULE_ALIAS("ip_set_hash:ip,port,ip"); 32 32 + 33 33 + /* Type specific function prefix */ 34 34 + #define TYPE hash_ipportip 35 35 + 36 36 + static bool 37 37 + hash_ipportip_same_set(const struct ip_set *a, const struct ip_set *b); 38 38 + 39 39 + #define hash_ipportip4_same_set hash_ipportip_same_set 40 40 + #define hash_ipportip6_same_set hash_ipportip_same_set 41 41 + 42 42 + /* The type variant functions: IPv4 */ 43 43 + 44 44 + /* Member elements without timeout */ 45 45 + struct hash_ipportip4_elem { 46 46 + __be32 ip; 47 47 + __be32 ip2; 48 48 + __be16 port; 49 49 + u8 proto; 50 50 + u8 padding; 51 51 + }; 52 52 + 53 53 + /* Member elements with timeout support */ 54 54 + struct hash_ipportip4_telem { 55 55 + __be32 ip; 56 56 + __be32 ip2; 57 57 + __be16 port; 58 58 + u8 proto; 59 59 + u8 padding; 60 60 + unsigned long timeout; 61 61 + }; 62 62 + 63 63 + static inline bool 64 64 + hash_ipportip4_data_equal(const struct hash_ipportip4_elem *ip1, 65 65 + const struct hash_ipportip4_elem *ip2) 66 66 + { 67 67 + return ip1->ip == ip2->ip && 68 68 + ip1->ip2 == ip2->ip2 && 69 69 + ip1->port == ip2->port && 70 70 + ip1->proto == ip2->proto; 71 71 + } 72 72 + 73 73 + static inline bool 74 74 + hash_ipportip4_data_isnull(const struct hash_ipportip4_elem *elem) 75 75 + { 76 76 + return elem->proto == 0; 77 77 + } 78 78 + 79 79 + static inline void 80 80 + hash_ipportip4_data_copy(struct hash_ipportip4_elem *dst, 81 81 + const struct hash_ipportip4_elem *src) 82 82 + { 83 83 + memcpy(dst, src, sizeof(*dst)); 84 84 + } 85 85 + 86 86 + static inline void 87 87 + hash_ipportip4_data_zero_out(struct hash_ipportip4_elem *elem) 88 88 + { 89 89 + elem->proto = 0; 90 90 + } 91 91 + 92 92 + static bool 93 93 + hash_ipportip4_data_list(struct sk_buff *skb, 94 94 + const struct hash_ipportip4_elem *data) 95 95 + { 96 96 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip); 97 97 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, data->ip2); 98 98 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port); 99 99 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 100 100 + return 0; 101 101 + 102 102 + nla_put_failure: 103 103 + return 1; 104 104 + } 105 105 + 106 106 + static bool 107 107 + hash_ipportip4_data_tlist(struct sk_buff *skb, 108 108 + const struct hash_ipportip4_elem *data) 109 109 + { 110 110 + const struct hash_ipportip4_telem *tdata = 111 111 + (const struct hash_ipportip4_telem *)data; 112 112 + 113 113 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip); 114 114 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, tdata->ip2); 115 115 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port); 116 116 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 117 117 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 118 118 + htonl(ip_set_timeout_get(tdata->timeout))); 119 119 + 120 120 + return 0; 121 121 + 122 122 + nla_put_failure: 123 123 + return 1; 124 124 + } 125 125 + 126 126 + #define PF 4 127 127 + #define HOST_MASK 32 128 128 + #include <linux/netfilter/ipset/ip_set_ahash.h> 129 129 + 130 130 + static int 131 131 + hash_ipportip4_kadt(struct ip_set *set, const struct sk_buff *skb, 132 132 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 133 133 + { 134 134 + const struct ip_set_hash *h = set->data; 135 135 + ipset_adtfn adtfn = set->variant->adt[adt]; 136 136 + struct hash_ipportip4_elem data = { }; 137 137 + 138 138 + if (!ip_set_get_ip4_port(skb, flags & IPSET_DIM_TWO_SRC, 139 139 + &data.port, &data.proto)) 140 140 + return -EINVAL; 141 141 + 142 142 + ip4addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip); 143 143 + ip4addrptr(skb, flags & IPSET_DIM_THREE_SRC, &data.ip2); 144 144 + 145 145 + return adtfn(set, &data, h->timeout); 146 146 + } 147 147 + 148 148 + static int 149 149 + hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[], 150 150 + enum ipset_adt adt, u32 *lineno, u32 flags) 151 151 + { 152 152 + const struct ip_set_hash *h = set->data; 153 153 + ipset_adtfn adtfn = set->variant->adt[adt]; 154 154 + struct hash_ipportip4_elem data = { }; 155 155 + u32 ip, ip_to, p, port, port_to; 156 156 + u32 timeout = h->timeout; 157 157 + int ret; 158 158 + 159 159 + if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || 160 160 + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || 161 161 + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || 162 162 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 163 163 + return -IPSET_ERR_PROTOCOL; 164 164 + 165 165 + if (tb[IPSET_ATTR_LINENO]) 166 166 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 167 167 + 168 168 + ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip); 169 169 + if (ret) 170 170 + return ret; 171 171 + 172 172 + ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP2], &data.ip2); 173 173 + if (ret) 174 174 + return ret; 175 175 + 176 176 + if (tb[IPSET_ATTR_PORT]) 177 177 + data.port = nla_get_be16(tb[IPSET_ATTR_PORT]); 178 178 + else 179 179 + return -IPSET_ERR_PROTOCOL; 180 180 + 181 181 + if (tb[IPSET_ATTR_PROTO]) { 182 182 + data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); 183 183 + 184 184 + if (data.proto == 0) 185 185 + return -IPSET_ERR_INVALID_PROTO; 186 186 + } else 187 187 + return -IPSET_ERR_MISSING_PROTO; 188 188 + 189 189 + switch (data.proto) { 190 190 + case IPPROTO_UDP: 191 191 + case IPPROTO_TCP: 192 192 + case IPPROTO_ICMP: 193 193 + break; 194 194 + default: 195 195 + data.port = 0; 196 196 + break; 197 197 + } 198 198 + 199 199 + if (tb[IPSET_ATTR_TIMEOUT]) { 200 200 + if (!with_timeout(h->timeout)) 201 201 + return -IPSET_ERR_TIMEOUT; 202 202 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 203 203 + } 204 204 + 205 205 + if (adt == IPSET_TEST || 206 206 + !(data.proto == IPPROTO_TCP || data.proto == IPPROTO_UDP) || 207 207 + !(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_CIDR] || 208 208 + tb[IPSET_ATTR_PORT_TO])) { 209 209 + ret = adtfn(set, &data, timeout); 210 210 + return ip_set_eexist(ret, flags) ? 0 : ret; 211 211 + } 212 212 + 213 213 + ip = ntohl(data.ip); 214 214 + if (tb[IPSET_ATTR_IP_TO]) { 215 215 + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); 216 216 + if (ret) 217 217 + return ret; 218 218 + if (ip > ip_to) 219 219 + swap(ip, ip_to); 220 220 + } else if (tb[IPSET_ATTR_CIDR]) { 221 221 + u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); 222 222 + 223 223 + if (cidr > 32) 224 224 + return -IPSET_ERR_INVALID_CIDR; 225 225 + ip &= ip_set_hostmask(cidr); 226 226 + ip_to = ip | ~ip_set_hostmask(cidr); 227 227 + } else 228 228 + ip_to = ip; 229 229 + 230 230 + port = ntohs(data.port); 231 231 + if (tb[IPSET_ATTR_PORT_TO]) { 232 232 + port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); 233 233 + if (port > port_to) 234 234 + swap(port, port_to); 235 235 + } else 236 236 + port_to = port; 237 237 + 238 238 + for (; !before(ip_to, ip); ip++) 239 239 + for (p = port; p <= port_to; p++) { 240 240 + data.ip = htonl(ip); 241 241 + data.port = htons(p); 242 242 + ret = adtfn(set, &data, timeout); 243 243 + 244 244 + if (ret && !ip_set_eexist(ret, flags)) 245 245 + return ret; 246 246 + else 247 247 + ret = 0; 248 248 + } 249 249 + return ret; 250 250 + } 251 251 + 252 252 + static bool 253 253 + hash_ipportip_same_set(const struct ip_set *a, const struct ip_set *b) 254 254 + { 255 255 + const struct ip_set_hash *x = a->data; 256 256 + const struct ip_set_hash *y = b->data; 257 257 + 258 258 + /* Resizing changes htable_bits, so we ignore it */ 259 259 + return x->maxelem == y->maxelem && 260 260 + x->timeout == y->timeout; 261 261 + } 262 262 + 263 263 + /* The type variant functions: IPv6 */ 264 264 + 265 265 + struct hash_ipportip6_elem { 266 266 + union nf_inet_addr ip; 267 267 + union nf_inet_addr ip2; 268 268 + __be16 port; 269 269 + u8 proto; 270 270 + u8 padding; 271 271 + }; 272 272 + 273 273 + struct hash_ipportip6_telem { 274 274 + union nf_inet_addr ip; 275 275 + union nf_inet_addr ip2; 276 276 + __be16 port; 277 277 + u8 proto; 278 278 + u8 padding; 279 279 + unsigned long timeout; 280 280 + }; 281 281 + 282 282 + static inline bool 283 283 + hash_ipportip6_data_equal(const struct hash_ipportip6_elem *ip1, 284 284 + const struct hash_ipportip6_elem *ip2) 285 285 + { 286 286 + return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 && 287 287 + ipv6_addr_cmp(&ip1->ip2.in6, &ip2->ip2.in6) == 0 && 288 288 + ip1->port == ip2->port && 289 289 + ip1->proto == ip2->proto; 290 290 + } 291 291 + 292 292 + static inline bool 293 293 + hash_ipportip6_data_isnull(const struct hash_ipportip6_elem *elem) 294 294 + { 295 295 + return elem->proto == 0; 296 296 + } 297 297 + 298 298 + static inline void 299 299 + hash_ipportip6_data_copy(struct hash_ipportip6_elem *dst, 300 300 + const struct hash_ipportip6_elem *src) 301 301 + { 302 302 + memcpy(dst, src, sizeof(*dst)); 303 303 + } 304 304 + 305 305 + static inline void 306 306 + hash_ipportip6_data_zero_out(struct hash_ipportip6_elem *elem) 307 307 + { 308 308 + elem->proto = 0; 309 309 + } 310 310 + 311 311 + static bool 312 312 + hash_ipportip6_data_list(struct sk_buff *skb, 313 313 + const struct hash_ipportip6_elem *data) 314 314 + { 315 315 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip); 316 316 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2); 317 317 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port); 318 318 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 319 319 + return 0; 320 320 + 321 321 + nla_put_failure: 322 322 + return 1; 323 323 + } 324 324 + 325 325 + static bool 326 326 + hash_ipportip6_data_tlist(struct sk_buff *skb, 327 327 + const struct hash_ipportip6_elem *data) 328 328 + { 329 329 + const struct hash_ipportip6_telem *e = 330 330 + (const struct hash_ipportip6_telem *)data; 331 331 + 332 332 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip); 333 333 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2); 334 334 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port); 335 335 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 336 336 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 337 337 + htonl(ip_set_timeout_get(e->timeout))); 338 338 + return 0; 339 339 + 340 340 + nla_put_failure: 341 341 + return 1; 342 342 + } 343 343 + 344 344 + #undef PF 345 345 + #undef HOST_MASK 346 346 + 347 347 + #define PF 6 348 348 + #define HOST_MASK 128 349 349 + #include <linux/netfilter/ipset/ip_set_ahash.h> 350 350 + 351 351 + static int 352 352 + hash_ipportip6_kadt(struct ip_set *set, const struct sk_buff *skb, 353 353 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 354 354 + { 355 355 + const struct ip_set_hash *h = set->data; 356 356 + ipset_adtfn adtfn = set->variant->adt[adt]; 357 357 + struct hash_ipportip6_elem data = { }; 358 358 + 359 359 + if (!ip_set_get_ip6_port(skb, flags & IPSET_DIM_TWO_SRC, 360 360 + &data.port, &data.proto)) 361 361 + return -EINVAL; 362 362 + 363 363 + ip6addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip.in6); 364 364 + ip6addrptr(skb, flags & IPSET_DIM_THREE_SRC, &data.ip2.in6); 365 365 + 366 366 + return adtfn(set, &data, h->timeout); 367 367 + } 368 368 + 369 369 + static int 370 370 + hash_ipportip6_uadt(struct ip_set *set, struct nlattr *tb[], 371 371 + enum ipset_adt adt, u32 *lineno, u32 flags) 372 372 + { 373 373 + const struct ip_set_hash *h = set->data; 374 374 + ipset_adtfn adtfn = set->variant->adt[adt]; 375 375 + struct hash_ipportip6_elem data = { }; 376 376 + u32 port, port_to; 377 377 + u32 timeout = h->timeout; 378 378 + int ret; 379 379 + 380 380 + if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || 381 381 + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || 382 382 + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || 383 383 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || 384 384 + tb[IPSET_ATTR_IP_TO] || 385 385 + tb[IPSET_ATTR_CIDR])) 386 386 + return -IPSET_ERR_PROTOCOL; 387 387 + 388 388 + if (tb[IPSET_ATTR_LINENO]) 389 389 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 390 390 + 391 391 + ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip); 392 392 + if (ret) 393 393 + return ret; 394 394 + 395 395 + ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &data.ip2); 396 396 + if (ret) 397 397 + return ret; 398 398 + 399 399 + if (tb[IPSET_ATTR_PORT]) 400 400 + data.port = nla_get_be16(tb[IPSET_ATTR_PORT]); 401 401 + else 402 402 + return -IPSET_ERR_PROTOCOL; 403 403 + 404 404 + if (tb[IPSET_ATTR_PROTO]) { 405 405 + data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); 406 406 + 407 407 + if (data.proto == 0) 408 408 + return -IPSET_ERR_INVALID_PROTO; 409 409 + } else 410 410 + return -IPSET_ERR_MISSING_PROTO; 411 411 + 412 412 + switch (data.proto) { 413 413 + case IPPROTO_UDP: 414 414 + case IPPROTO_TCP: 415 415 + case IPPROTO_ICMPV6: 416 416 + break; 417 417 + default: 418 418 + data.port = 0; 419 419 + break; 420 420 + } 421 421 + 422 422 + if (tb[IPSET_ATTR_TIMEOUT]) { 423 423 + if (!with_timeout(h->timeout)) 424 424 + return -IPSET_ERR_TIMEOUT; 425 425 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 426 426 + } 427 427 + 428 428 + if (adt == IPSET_TEST || 429 429 + !(data.proto == IPPROTO_TCP || data.proto == IPPROTO_UDP) || 430 430 + !tb[IPSET_ATTR_PORT_TO]) { 431 431 + ret = adtfn(set, &data, timeout); 432 432 + return ip_set_eexist(ret, flags) ? 0 : ret; 433 433 + } 434 434 + 435 435 + port = ntohs(data.port); 436 436 + port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); 437 437 + if (port > port_to) 438 438 + swap(port, port_to); 439 439 + 440 440 + for (; port <= port_to; port++) { 441 441 + data.port = htons(port); 442 442 + ret = adtfn(set, &data, timeout); 443 443 + 444 444 + if (ret && !ip_set_eexist(ret, flags)) 445 445 + return ret; 446 446 + else 447 447 + ret = 0; 448 448 + } 449 449 + return ret; 450 450 + } 451 451 + 452 452 + /* Create hash:ip type of sets */ 453 453 + 454 454 + static int 455 455 + hash_ipportip_create(struct ip_set *set, struct nlattr *tb[], u32 flags) 456 456 + { 457 457 + struct ip_set_hash *h; 458 458 + u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 459 459 + u8 hbits; 460 460 + 461 461 + if (!(set->family == AF_INET || set->family == AF_INET6)) 462 462 + return -IPSET_ERR_INVALID_FAMILY; 463 463 + 464 464 + if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) || 465 465 + !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) || 466 466 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 467 467 + return -IPSET_ERR_PROTOCOL; 468 468 + 469 469 + if (tb[IPSET_ATTR_HASHSIZE]) { 470 470 + hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]); 471 471 + if (hashsize < IPSET_MIMINAL_HASHSIZE) 472 472 + hashsize = IPSET_MIMINAL_HASHSIZE; 473 473 + } 474 474 + 475 475 + if (tb[IPSET_ATTR_MAXELEM]) 476 476 + maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]); 477 477 + 478 478 + h = kzalloc(sizeof(*h), GFP_KERNEL); 479 479 + if (!h) 480 480 + return -ENOMEM; 481 481 + 482 482 + h->maxelem = maxelem; 483 483 + get_random_bytes(&h->initval, sizeof(h->initval)); 484 484 + h->timeout = IPSET_NO_TIMEOUT; 485 485 + 486 486 + hbits = htable_bits(hashsize); 487 487 + h->table = ip_set_alloc( 488 488 + sizeof(struct htable) 489 489 + + jhash_size(hbits) * sizeof(struct hbucket)); 490 490 + if (!h->table) { 491 491 + kfree(h); 492 492 + return -ENOMEM; 493 493 + } 494 494 + h->table->htable_bits = hbits; 495 495 + 496 496 + set->data = h; 497 497 + 498 498 + if (tb[IPSET_ATTR_TIMEOUT]) { 499 499 + h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 500 500 + 501 501 + set->variant = set->family == AF_INET 502 502 + ? &hash_ipportip4_tvariant : &hash_ipportip6_tvariant; 503 503 + 504 504 + if (set->family == AF_INET) 505 505 + hash_ipportip4_gc_init(set); 506 506 + else 507 507 + hash_ipportip6_gc_init(set); 508 508 + } else { 509 509 + set->variant = set->family == AF_INET 510 510 + ? &hash_ipportip4_variant : &hash_ipportip6_variant; 511 511 + } 512 512 + 513 513 + pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n", 514 514 + set->name, jhash_size(h->table->htable_bits), 515 515 + h->table->htable_bits, h->maxelem, set->data, h->table); 516 516 + 517 517 + return 0; 518 518 + } 519 519 + 520 520 + static struct ip_set_type hash_ipportip_type __read_mostly = { 521 521 + .name = "hash:ip,port,ip", 522 522 + .protocol = IPSET_PROTOCOL, 523 523 + .features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2, 524 524 + .dimension = IPSET_DIM_THREE, 525 525 + .family = AF_UNSPEC, 526 526 + .revision = 0, 527 527 + .create = hash_ipportip_create, 528 528 + .create_policy = { 529 529 + [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 }, 530 530 + [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 }, 531 531 + [IPSET_ATTR_PROBES] = { .type = NLA_U8 }, 532 532 + [IPSET_ATTR_RESIZE] = { .type = NLA_U8 }, 533 533 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 534 534 + }, 535 535 + .adt_policy = { 536 536 + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, 537 537 + [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, 538 538 + [IPSET_ATTR_IP2] = { .type = NLA_NESTED }, 539 539 + [IPSET_ATTR_PORT] = { .type = NLA_U16 }, 540 540 + [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 }, 541 541 + [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, 542 542 + [IPSET_ATTR_PROTO] = { .type = NLA_U8 }, 543 543 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 544 544 + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, 545 545 + }, 546 546 + .me = THIS_MODULE, 547 547 + }; 548 548 + 549 549 + static int __init 550 550 + hash_ipportip_init(void) 551 551 + { 552 552 + return ip_set_type_register(&hash_ipportip_type); 553 553 + } 554 554 + 555 555 + static void __exit 556 556 + hash_ipportip_fini(void) 557 557 + { 558 558 + ip_set_type_unregister(&hash_ipportip_type); 559 559 + } 560 560 + 561 561 + module_init(hash_ipportip_init); 562 562 + module_exit(hash_ipportip_fini);

+628

net/netfilter/ipset/ip_set_hash_ipportnet.c

reviewed

··· 1 1 + /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2 2 + * 3 3 + * This program is free software; you can redistribute it and/or modify 4 4 + * it under the terms of the GNU General Public License version 2 as 5 5 + * published by the Free Software Foundation. 6 6 + */ 7 7 + 8 8 + /* Kernel module implementing an IP set type: the hash:ip,port,net type */ 9 9 + 10 10 + #include <linux/jhash.h> 11 11 + #include <linux/module.h> 12 12 + #include <linux/ip.h> 13 13 + #include <linux/skbuff.h> 14 14 + #include <linux/errno.h> 15 15 + #include <linux/random.h> 16 16 + #include <net/ip.h> 17 17 + #include <net/ipv6.h> 18 18 + #include <net/netlink.h> 19 19 + #include <net/tcp.h> 20 20 + 21 21 + #include <linux/netfilter.h> 22 22 + #include <linux/netfilter/ipset/pfxlen.h> 23 23 + #include <linux/netfilter/ipset/ip_set.h> 24 24 + #include <linux/netfilter/ipset/ip_set_timeout.h> 25 25 + #include <linux/netfilter/ipset/ip_set_getport.h> 26 26 + #include <linux/netfilter/ipset/ip_set_hash.h> 27 27 + 28 28 + MODULE_LICENSE("GPL"); 29 29 + MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 30 30 + MODULE_DESCRIPTION("hash:ip,port,net type of IP sets"); 31 31 + MODULE_ALIAS("ip_set_hash:ip,port,net"); 32 32 + 33 33 + /* Type specific function prefix */ 34 34 + #define TYPE hash_ipportnet 35 35 + 36 36 + static bool 37 37 + hash_ipportnet_same_set(const struct ip_set *a, const struct ip_set *b); 38 38 + 39 39 + #define hash_ipportnet4_same_set hash_ipportnet_same_set 40 40 + #define hash_ipportnet6_same_set hash_ipportnet_same_set 41 41 + 42 42 + /* The type variant functions: IPv4 */ 43 43 + 44 44 + /* Member elements without timeout */ 45 45 + struct hash_ipportnet4_elem { 46 46 + __be32 ip; 47 47 + __be32 ip2; 48 48 + __be16 port; 49 49 + u8 cidr; 50 50 + u8 proto; 51 51 + }; 52 52 + 53 53 + /* Member elements with timeout support */ 54 54 + struct hash_ipportnet4_telem { 55 55 + __be32 ip; 56 56 + __be32 ip2; 57 57 + __be16 port; 58 58 + u8 cidr; 59 59 + u8 proto; 60 60 + unsigned long timeout; 61 61 + }; 62 62 + 63 63 + static inline bool 64 64 + hash_ipportnet4_data_equal(const struct hash_ipportnet4_elem *ip1, 65 65 + const struct hash_ipportnet4_elem *ip2) 66 66 + { 67 67 + return ip1->ip == ip2->ip && 68 68 + ip1->ip2 == ip2->ip2 && 69 69 + ip1->cidr == ip2->cidr && 70 70 + ip1->port == ip2->port && 71 71 + ip1->proto == ip2->proto; 72 72 + } 73 73 + 74 74 + static inline bool 75 75 + hash_ipportnet4_data_isnull(const struct hash_ipportnet4_elem *elem) 76 76 + { 77 77 + return elem->proto == 0; 78 78 + } 79 79 + 80 80 + static inline void 81 81 + hash_ipportnet4_data_copy(struct hash_ipportnet4_elem *dst, 82 82 + const struct hash_ipportnet4_elem *src) 83 83 + { 84 84 + memcpy(dst, src, sizeof(*dst)); 85 85 + } 86 86 + 87 87 + static inline void 88 88 + hash_ipportnet4_data_netmask(struct hash_ipportnet4_elem *elem, u8 cidr) 89 89 + { 90 90 + elem->ip2 &= ip_set_netmask(cidr); 91 91 + elem->cidr = cidr; 92 92 + } 93 93 + 94 94 + static inline void 95 95 + hash_ipportnet4_data_zero_out(struct hash_ipportnet4_elem *elem) 96 96 + { 97 97 + elem->proto = 0; 98 98 + } 99 99 + 100 100 + static bool 101 101 + hash_ipportnet4_data_list(struct sk_buff *skb, 102 102 + const struct hash_ipportnet4_elem *data) 103 103 + { 104 104 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip); 105 105 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, data->ip2); 106 106 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port); 107 107 + NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr); 108 108 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 109 109 + return 0; 110 110 + 111 111 + nla_put_failure: 112 112 + return 1; 113 113 + } 114 114 + 115 115 + static bool 116 116 + hash_ipportnet4_data_tlist(struct sk_buff *skb, 117 117 + const struct hash_ipportnet4_elem *data) 118 118 + { 119 119 + const struct hash_ipportnet4_telem *tdata = 120 120 + (const struct hash_ipportnet4_telem *)data; 121 121 + 122 122 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip); 123 123 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, tdata->ip2); 124 124 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port); 125 125 + NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr); 126 126 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 127 127 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 128 128 + htonl(ip_set_timeout_get(tdata->timeout))); 129 129 + 130 130 + return 0; 131 131 + 132 132 + nla_put_failure: 133 133 + return 1; 134 134 + } 135 135 + 136 136 + #define IP_SET_HASH_WITH_PROTO 137 137 + #define IP_SET_HASH_WITH_NETS 138 138 + 139 139 + #define PF 4 140 140 + #define HOST_MASK 32 141 141 + #include <linux/netfilter/ipset/ip_set_ahash.h> 142 142 + 143 143 + static int 144 144 + hash_ipportnet4_kadt(struct ip_set *set, const struct sk_buff *skb, 145 145 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 146 146 + { 147 147 + const struct ip_set_hash *h = set->data; 148 148 + ipset_adtfn adtfn = set->variant->adt[adt]; 149 149 + struct hash_ipportnet4_elem data = 150 150 + { .cidr = h->nets[0].cidr || HOST_MASK }; 151 151 + 152 152 + if (data.cidr == 0) 153 153 + return -EINVAL; 154 154 + if (adt == IPSET_TEST) 155 155 + data.cidr = HOST_MASK; 156 156 + 157 157 + if (!ip_set_get_ip4_port(skb, flags & IPSET_DIM_TWO_SRC, 158 158 + &data.port, &data.proto)) 159 159 + return -EINVAL; 160 160 + 161 161 + ip4addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip); 162 162 + ip4addrptr(skb, flags & IPSET_DIM_THREE_SRC, &data.ip2); 163 163 + data.ip2 &= ip_set_netmask(data.cidr); 164 164 + 165 165 + return adtfn(set, &data, h->timeout); 166 166 + } 167 167 + 168 168 + static int 169 169 + hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[], 170 170 + enum ipset_adt adt, u32 *lineno, u32 flags) 171 171 + { 172 172 + const struct ip_set_hash *h = set->data; 173 173 + ipset_adtfn adtfn = set->variant->adt[adt]; 174 174 + struct hash_ipportnet4_elem data = { .cidr = HOST_MASK }; 175 175 + u32 ip, ip_to, p, port, port_to; 176 176 + u32 timeout = h->timeout; 177 177 + int ret; 178 178 + 179 179 + if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || 180 180 + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || 181 181 + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || 182 182 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 183 183 + return -IPSET_ERR_PROTOCOL; 184 184 + 185 185 + if (tb[IPSET_ATTR_LINENO]) 186 186 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 187 187 + 188 188 + ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip); 189 189 + if (ret) 190 190 + return ret; 191 191 + 192 192 + ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP2], &data.ip2); 193 193 + if (ret) 194 194 + return ret; 195 195 + 196 196 + if (tb[IPSET_ATTR_CIDR2]) 197 197 + data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]); 198 198 + 199 199 + if (!data.cidr) 200 200 + return -IPSET_ERR_INVALID_CIDR; 201 201 + 202 202 + data.ip2 &= ip_set_netmask(data.cidr); 203 203 + 204 204 + if (tb[IPSET_ATTR_PORT]) 205 205 + data.port = nla_get_be16(tb[IPSET_ATTR_PORT]); 206 206 + else 207 207 + return -IPSET_ERR_PROTOCOL; 208 208 + 209 209 + if (tb[IPSET_ATTR_PROTO]) { 210 210 + data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); 211 211 + 212 212 + if (data.proto == 0) 213 213 + return -IPSET_ERR_INVALID_PROTO; 214 214 + } else 215 215 + return -IPSET_ERR_MISSING_PROTO; 216 216 + 217 217 + switch (data.proto) { 218 218 + case IPPROTO_UDP: 219 219 + case IPPROTO_TCP: 220 220 + case IPPROTO_ICMP: 221 221 + break; 222 222 + default: 223 223 + data.port = 0; 224 224 + break; 225 225 + } 226 226 + 227 227 + if (tb[IPSET_ATTR_TIMEOUT]) { 228 228 + if (!with_timeout(h->timeout)) 229 229 + return -IPSET_ERR_TIMEOUT; 230 230 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 231 231 + } 232 232 + 233 233 + if (adt == IPSET_TEST || 234 234 + !(data.proto == IPPROTO_TCP || data.proto == IPPROTO_UDP) || 235 235 + !(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_CIDR] || 236 236 + tb[IPSET_ATTR_PORT_TO])) { 237 237 + ret = adtfn(set, &data, timeout); 238 238 + return ip_set_eexist(ret, flags) ? 0 : ret; 239 239 + } 240 240 + 241 241 + ip = ntohl(data.ip); 242 242 + if (tb[IPSET_ATTR_IP_TO]) { 243 243 + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); 244 244 + if (ret) 245 245 + return ret; 246 246 + if (ip > ip_to) 247 247 + swap(ip, ip_to); 248 248 + } else if (tb[IPSET_ATTR_CIDR]) { 249 249 + u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); 250 250 + 251 251 + if (cidr > 32) 252 252 + return -IPSET_ERR_INVALID_CIDR; 253 253 + ip &= ip_set_hostmask(cidr); 254 254 + ip_to = ip | ~ip_set_hostmask(cidr); 255 255 + } else 256 256 + ip_to = ip; 257 257 + 258 258 + port = ntohs(data.port); 259 259 + if (tb[IPSET_ATTR_PORT_TO]) { 260 260 + port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); 261 261 + if (port > port_to) 262 262 + swap(port, port_to); 263 263 + } else 264 264 + port_to = port; 265 265 + 266 266 + for (; !before(ip_to, ip); ip++) 267 267 + for (p = port; p <= port_to; p++) { 268 268 + data.ip = htonl(ip); 269 269 + data.port = htons(p); 270 270 + ret = adtfn(set, &data, timeout); 271 271 + 272 272 + if (ret && !ip_set_eexist(ret, flags)) 273 273 + return ret; 274 274 + else 275 275 + ret = 0; 276 276 + } 277 277 + return ret; 278 278 + } 279 279 + 280 280 + static bool 281 281 + hash_ipportnet_same_set(const struct ip_set *a, const struct ip_set *b) 282 282 + { 283 283 + const struct ip_set_hash *x = a->data; 284 284 + const struct ip_set_hash *y = b->data; 285 285 + 286 286 + /* Resizing changes htable_bits, so we ignore it */ 287 287 + return x->maxelem == y->maxelem && 288 288 + x->timeout == y->timeout; 289 289 + } 290 290 + 291 291 + /* The type variant functions: IPv6 */ 292 292 + 293 293 + struct hash_ipportnet6_elem { 294 294 + union nf_inet_addr ip; 295 295 + union nf_inet_addr ip2; 296 296 + __be16 port; 297 297 + u8 cidr; 298 298 + u8 proto; 299 299 + }; 300 300 + 301 301 + struct hash_ipportnet6_telem { 302 302 + union nf_inet_addr ip; 303 303 + union nf_inet_addr ip2; 304 304 + __be16 port; 305 305 + u8 cidr; 306 306 + u8 proto; 307 307 + unsigned long timeout; 308 308 + }; 309 309 + 310 310 + static inline bool 311 311 + hash_ipportnet6_data_equal(const struct hash_ipportnet6_elem *ip1, 312 312 + const struct hash_ipportnet6_elem *ip2) 313 313 + { 314 314 + return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 && 315 315 + ipv6_addr_cmp(&ip1->ip2.in6, &ip2->ip2.in6) == 0 && 316 316 + ip1->cidr == ip2->cidr && 317 317 + ip1->port == ip2->port && 318 318 + ip1->proto == ip2->proto; 319 319 + } 320 320 + 321 321 + static inline bool 322 322 + hash_ipportnet6_data_isnull(const struct hash_ipportnet6_elem *elem) 323 323 + { 324 324 + return elem->proto == 0; 325 325 + } 326 326 + 327 327 + static inline void 328 328 + hash_ipportnet6_data_copy(struct hash_ipportnet6_elem *dst, 329 329 + const struct hash_ipportnet6_elem *src) 330 330 + { 331 331 + memcpy(dst, src, sizeof(*dst)); 332 332 + } 333 333 + 334 334 + static inline void 335 335 + hash_ipportnet6_data_zero_out(struct hash_ipportnet6_elem *elem) 336 336 + { 337 337 + elem->proto = 0; 338 338 + } 339 339 + 340 340 + static inline void 341 341 + ip6_netmask(union nf_inet_addr *ip, u8 prefix) 342 342 + { 343 343 + ip->ip6[0] &= ip_set_netmask6(prefix)[0]; 344 344 + ip->ip6[1] &= ip_set_netmask6(prefix)[1]; 345 345 + ip->ip6[2] &= ip_set_netmask6(prefix)[2]; 346 346 + ip->ip6[3] &= ip_set_netmask6(prefix)[3]; 347 347 + } 348 348 + 349 349 + static inline void 350 350 + hash_ipportnet6_data_netmask(struct hash_ipportnet6_elem *elem, u8 cidr) 351 351 + { 352 352 + ip6_netmask(&elem->ip2, cidr); 353 353 + elem->cidr = cidr; 354 354 + } 355 355 + 356 356 + static bool 357 357 + hash_ipportnet6_data_list(struct sk_buff *skb, 358 358 + const struct hash_ipportnet6_elem *data) 359 359 + { 360 360 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip); 361 361 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2); 362 362 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port); 363 363 + NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr); 364 364 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 365 365 + return 0; 366 366 + 367 367 + nla_put_failure: 368 368 + return 1; 369 369 + } 370 370 + 371 371 + static bool 372 372 + hash_ipportnet6_data_tlist(struct sk_buff *skb, 373 373 + const struct hash_ipportnet6_elem *data) 374 374 + { 375 375 + const struct hash_ipportnet6_telem *e = 376 376 + (const struct hash_ipportnet6_telem *)data; 377 377 + 378 378 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip); 379 379 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2); 380 380 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port); 381 381 + NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr); 382 382 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 383 383 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 384 384 + htonl(ip_set_timeout_get(e->timeout))); 385 385 + return 0; 386 386 + 387 387 + nla_put_failure: 388 388 + return 1; 389 389 + } 390 390 + 391 391 + #undef PF 392 392 + #undef HOST_MASK 393 393 + 394 394 + #define PF 6 395 395 + #define HOST_MASK 128 396 396 + #include <linux/netfilter/ipset/ip_set_ahash.h> 397 397 + 398 398 + static int 399 399 + hash_ipportnet6_kadt(struct ip_set *set, const struct sk_buff *skb, 400 400 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 401 401 + { 402 402 + const struct ip_set_hash *h = set->data; 403 403 + ipset_adtfn adtfn = set->variant->adt[adt]; 404 404 + struct hash_ipportnet6_elem data = 405 405 + { .cidr = h->nets[0].cidr || HOST_MASK }; 406 406 + 407 407 + if (data.cidr == 0) 408 408 + return -EINVAL; 409 409 + if (adt == IPSET_TEST) 410 410 + data.cidr = HOST_MASK; 411 411 + 412 412 + if (!ip_set_get_ip6_port(skb, flags & IPSET_DIM_TWO_SRC, 413 413 + &data.port, &data.proto)) 414 414 + return -EINVAL; 415 415 + 416 416 + ip6addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip.in6); 417 417 + ip6addrptr(skb, flags & IPSET_DIM_THREE_SRC, &data.ip2.in6); 418 418 + ip6_netmask(&data.ip2, data.cidr); 419 419 + 420 420 + return adtfn(set, &data, h->timeout); 421 421 + } 422 422 + 423 423 + static int 424 424 + hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[], 425 425 + enum ipset_adt adt, u32 *lineno, u32 flags) 426 426 + { 427 427 + const struct ip_set_hash *h = set->data; 428 428 + ipset_adtfn adtfn = set->variant->adt[adt]; 429 429 + struct hash_ipportnet6_elem data = { .cidr = HOST_MASK }; 430 430 + u32 port, port_to; 431 431 + u32 timeout = h->timeout; 432 432 + int ret; 433 433 + 434 434 + if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || 435 435 + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || 436 436 + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || 437 437 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || 438 438 + tb[IPSET_ATTR_IP_TO] || 439 439 + tb[IPSET_ATTR_CIDR])) 440 440 + return -IPSET_ERR_PROTOCOL; 441 441 + 442 442 + if (tb[IPSET_ATTR_LINENO]) 443 443 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 444 444 + 445 445 + ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip); 446 446 + if (ret) 447 447 + return ret; 448 448 + 449 449 + ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &data.ip2); 450 450 + if (ret) 451 451 + return ret; 452 452 + 453 453 + if (tb[IPSET_ATTR_CIDR2]) 454 454 + data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]); 455 455 + 456 456 + if (!data.cidr) 457 457 + return -IPSET_ERR_INVALID_CIDR; 458 458 + 459 459 + ip6_netmask(&data.ip2, data.cidr); 460 460 + 461 461 + if (tb[IPSET_ATTR_PORT]) 462 462 + data.port = nla_get_be16(tb[IPSET_ATTR_PORT]); 463 463 + else 464 464 + return -IPSET_ERR_PROTOCOL; 465 465 + 466 466 + if (tb[IPSET_ATTR_PROTO]) { 467 467 + data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); 468 468 + 469 469 + if (data.proto == 0) 470 470 + return -IPSET_ERR_INVALID_PROTO; 471 471 + } else 472 472 + return -IPSET_ERR_MISSING_PROTO; 473 473 + 474 474 + switch (data.proto) { 475 475 + case IPPROTO_UDP: 476 476 + case IPPROTO_TCP: 477 477 + case IPPROTO_ICMPV6: 478 478 + break; 479 479 + default: 480 480 + data.port = 0; 481 481 + break; 482 482 + } 483 483 + 484 484 + if (tb[IPSET_ATTR_TIMEOUT]) { 485 485 + if (!with_timeout(h->timeout)) 486 486 + return -IPSET_ERR_TIMEOUT; 487 487 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 488 488 + } 489 489 + 490 490 + if (adt == IPSET_TEST || 491 491 + !(data.proto == IPPROTO_TCP || data.proto == IPPROTO_UDP) || 492 492 + !tb[IPSET_ATTR_PORT_TO]) { 493 493 + ret = adtfn(set, &data, timeout); 494 494 + return ip_set_eexist(ret, flags) ? 0 : ret; 495 495 + } 496 496 + 497 497 + port = ntohs(data.port); 498 498 + port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); 499 499 + if (port > port_to) 500 500 + swap(port, port_to); 501 501 + 502 502 + for (; port <= port_to; port++) { 503 503 + data.port = htons(port); 504 504 + ret = adtfn(set, &data, timeout); 505 505 + 506 506 + if (ret && !ip_set_eexist(ret, flags)) 507 507 + return ret; 508 508 + else 509 509 + ret = 0; 510 510 + } 511 511 + return ret; 512 512 + } 513 513 + 514 514 + /* Create hash:ip type of sets */ 515 515 + 516 516 + static int 517 517 + hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags) 518 518 + { 519 519 + struct ip_set_hash *h; 520 520 + u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 521 521 + u8 hbits; 522 522 + 523 523 + if (!(set->family == AF_INET || set->family == AF_INET6)) 524 524 + return -IPSET_ERR_INVALID_FAMILY; 525 525 + 526 526 + if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) || 527 527 + !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) || 528 528 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 529 529 + return -IPSET_ERR_PROTOCOL; 530 530 + 531 531 + if (tb[IPSET_ATTR_HASHSIZE]) { 532 532 + hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]); 533 533 + if (hashsize < IPSET_MIMINAL_HASHSIZE) 534 534 + hashsize = IPSET_MIMINAL_HASHSIZE; 535 535 + } 536 536 + 537 537 + if (tb[IPSET_ATTR_MAXELEM]) 538 538 + maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]); 539 539 + 540 540 + h = kzalloc(sizeof(*h) 541 541 + + sizeof(struct ip_set_hash_nets) 542 542 + * (set->family == AF_INET ? 32 : 128), GFP_KERNEL); 543 543 + if (!h) 544 544 + return -ENOMEM; 545 545 + 546 546 + h->maxelem = maxelem; 547 547 + get_random_bytes(&h->initval, sizeof(h->initval)); 548 548 + h->timeout = IPSET_NO_TIMEOUT; 549 549 + 550 550 + hbits = htable_bits(hashsize); 551 551 + h->table = ip_set_alloc( 552 552 + sizeof(struct htable) 553 553 + + jhash_size(hbits) * sizeof(struct hbucket)); 554 554 + if (!h->table) { 555 555 + kfree(h); 556 556 + return -ENOMEM; 557 557 + } 558 558 + h->table->htable_bits = hbits; 559 559 + 560 560 + set->data = h; 561 561 + 562 562 + if (tb[IPSET_ATTR_TIMEOUT]) { 563 563 + h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 564 564 + 565 565 + set->variant = set->family == AF_INET 566 566 + ? &hash_ipportnet4_tvariant 567 567 + : &hash_ipportnet6_tvariant; 568 568 + 569 569 + if (set->family == AF_INET) 570 570 + hash_ipportnet4_gc_init(set); 571 571 + else 572 572 + hash_ipportnet6_gc_init(set); 573 573 + } else { 574 574 + set->variant = set->family == AF_INET 575 575 + ? &hash_ipportnet4_variant : &hash_ipportnet6_variant; 576 576 + } 577 577 + 578 578 + pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n", 579 579 + set->name, jhash_size(h->table->htable_bits), 580 580 + h->table->htable_bits, h->maxelem, set->data, h->table); 581 581 + 582 582 + return 0; 583 583 + } 584 584 + 585 585 + static struct ip_set_type hash_ipportnet_type __read_mostly = { 586 586 + .name = "hash:ip,port,net", 587 587 + .protocol = IPSET_PROTOCOL, 588 588 + .features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2, 589 589 + .dimension = IPSET_DIM_THREE, 590 590 + .family = AF_UNSPEC, 591 591 + .revision = 0, 592 592 + .create = hash_ipportnet_create, 593 593 + .create_policy = { 594 594 + [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 }, 595 595 + [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 }, 596 596 + [IPSET_ATTR_PROBES] = { .type = NLA_U8 }, 597 597 + [IPSET_ATTR_RESIZE] = { .type = NLA_U8 }, 598 598 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 599 599 + }, 600 600 + .adt_policy = { 601 601 + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, 602 602 + [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, 603 603 + [IPSET_ATTR_IP2] = { .type = NLA_NESTED }, 604 604 + [IPSET_ATTR_PORT] = { .type = NLA_U16 }, 605 605 + [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 }, 606 606 + [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, 607 607 + [IPSET_ATTR_CIDR2] = { .type = NLA_U8 }, 608 608 + [IPSET_ATTR_PROTO] = { .type = NLA_U8 }, 609 609 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 610 610 + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, 611 611 + }, 612 612 + .me = THIS_MODULE, 613 613 + }; 614 614 + 615 615 + static int __init 616 616 + hash_ipportnet_init(void) 617 617 + { 618 618 + return ip_set_type_register(&hash_ipportnet_type); 619 619 + } 620 620 + 621 621 + static void __exit 622 622 + hash_ipportnet_fini(void) 623 623 + { 624 624 + ip_set_type_unregister(&hash_ipportnet_type); 625 625 + } 626 626 + 627 627 + module_init(hash_ipportnet_init); 628 628 + module_exit(hash_ipportnet_fini);

+458

net/netfilter/ipset/ip_set_hash_net.c

reviewed

··· 1 1 + /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2 2 + * 3 3 + * This program is free software; you can redistribute it and/or modify 4 4 + * it under the terms of the GNU General Public License version 2 as 5 5 + * published by the Free Software Foundation. 6 6 + */ 7 7 + 8 8 + /* Kernel module implementing an IP set type: the hash:net type */ 9 9 + 10 10 + #include <linux/jhash.h> 11 11 + #include <linux/module.h> 12 12 + #include <linux/ip.h> 13 13 + #include <linux/skbuff.h> 14 14 + #include <linux/errno.h> 15 15 + #include <linux/random.h> 16 16 + #include <net/ip.h> 17 17 + #include <net/ipv6.h> 18 18 + #include <net/netlink.h> 19 19 + 20 20 + #include <linux/netfilter.h> 21 21 + #include <linux/netfilter/ipset/pfxlen.h> 22 22 + #include <linux/netfilter/ipset/ip_set.h> 23 23 + #include <linux/netfilter/ipset/ip_set_timeout.h> 24 24 + #include <linux/netfilter/ipset/ip_set_hash.h> 25 25 + 26 26 + MODULE_LICENSE("GPL"); 27 27 + MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 28 28 + MODULE_DESCRIPTION("hash:net type of IP sets"); 29 29 + MODULE_ALIAS("ip_set_hash:net"); 30 30 + 31 31 + /* Type specific function prefix */ 32 32 + #define TYPE hash_net 33 33 + 34 34 + static bool 35 35 + hash_net_same_set(const struct ip_set *a, const struct ip_set *b); 36 36 + 37 37 + #define hash_net4_same_set hash_net_same_set 38 38 + #define hash_net6_same_set hash_net_same_set 39 39 + 40 40 + /* The type variant functions: IPv4 */ 41 41 + 42 42 + /* Member elements without timeout */ 43 43 + struct hash_net4_elem { 44 44 + __be32 ip; 45 45 + u16 padding0; 46 46 + u8 padding1; 47 47 + u8 cidr; 48 48 + }; 49 49 + 50 50 + /* Member elements with timeout support */ 51 51 + struct hash_net4_telem { 52 52 + __be32 ip; 53 53 + u16 padding0; 54 54 + u8 padding1; 55 55 + u8 cidr; 56 56 + unsigned long timeout; 57 57 + }; 58 58 + 59 59 + static inline bool 60 60 + hash_net4_data_equal(const struct hash_net4_elem *ip1, 61 61 + const struct hash_net4_elem *ip2) 62 62 + { 63 63 + return ip1->ip == ip2->ip && ip1->cidr == ip2->cidr; 64 64 + } 65 65 + 66 66 + static inline bool 67 67 + hash_net4_data_isnull(const struct hash_net4_elem *elem) 68 68 + { 69 69 + return elem->cidr == 0; 70 70 + } 71 71 + 72 72 + static inline void 73 73 + hash_net4_data_copy(struct hash_net4_elem *dst, 74 74 + const struct hash_net4_elem *src) 75 75 + { 76 76 + dst->ip = src->ip; 77 77 + dst->cidr = src->cidr; 78 78 + } 79 79 + 80 80 + static inline void 81 81 + hash_net4_data_netmask(struct hash_net4_elem *elem, u8 cidr) 82 82 + { 83 83 + elem->ip &= ip_set_netmask(cidr); 84 84 + elem->cidr = cidr; 85 85 + } 86 86 + 87 87 + /* Zero CIDR values cannot be stored */ 88 88 + static inline void 89 89 + hash_net4_data_zero_out(struct hash_net4_elem *elem) 90 90 + { 91 91 + elem->cidr = 0; 92 92 + } 93 93 + 94 94 + static bool 95 95 + hash_net4_data_list(struct sk_buff *skb, const struct hash_net4_elem *data) 96 96 + { 97 97 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip); 98 98 + NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr); 99 99 + return 0; 100 100 + 101 101 + nla_put_failure: 102 102 + return 1; 103 103 + } 104 104 + 105 105 + static bool 106 106 + hash_net4_data_tlist(struct sk_buff *skb, const struct hash_net4_elem *data) 107 107 + { 108 108 + const struct hash_net4_telem *tdata = 109 109 + (const struct hash_net4_telem *)data; 110 110 + 111 111 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip); 112 112 + NLA_PUT_U8(skb, IPSET_ATTR_CIDR, tdata->cidr); 113 113 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 114 114 + htonl(ip_set_timeout_get(tdata->timeout))); 115 115 + 116 116 + return 0; 117 117 + 118 118 + nla_put_failure: 119 119 + return 1; 120 120 + } 121 121 + 122 122 + #define IP_SET_HASH_WITH_NETS 123 123 + 124 124 + #define PF 4 125 125 + #define HOST_MASK 32 126 126 + #include <linux/netfilter/ipset/ip_set_ahash.h> 127 127 + 128 128 + static int 129 129 + hash_net4_kadt(struct ip_set *set, const struct sk_buff *skb, 130 130 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 131 131 + { 132 132 + const struct ip_set_hash *h = set->data; 133 133 + ipset_adtfn adtfn = set->variant->adt[adt]; 134 134 + struct hash_net4_elem data = { .cidr = h->nets[0].cidr || HOST_MASK }; 135 135 + 136 136 + if (data.cidr == 0) 137 137 + return -EINVAL; 138 138 + if (adt == IPSET_TEST) 139 139 + data.cidr = HOST_MASK; 140 140 + 141 141 + ip4addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip); 142 142 + data.ip &= ip_set_netmask(data.cidr); 143 143 + 144 144 + return adtfn(set, &data, h->timeout); 145 145 + } 146 146 + 147 147 + static int 148 148 + hash_net4_uadt(struct ip_set *set, struct nlattr *tb[], 149 149 + enum ipset_adt adt, u32 *lineno, u32 flags) 150 150 + { 151 151 + const struct ip_set_hash *h = set->data; 152 152 + ipset_adtfn adtfn = set->variant->adt[adt]; 153 153 + struct hash_net4_elem data = { .cidr = HOST_MASK }; 154 154 + u32 timeout = h->timeout; 155 155 + int ret; 156 156 + 157 157 + if (unlikely(!tb[IPSET_ATTR_IP] || 158 158 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 159 159 + return -IPSET_ERR_PROTOCOL; 160 160 + 161 161 + if (tb[IPSET_ATTR_LINENO]) 162 162 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 163 163 + 164 164 + ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip); 165 165 + if (ret) 166 166 + return ret; 167 167 + 168 168 + if (tb[IPSET_ATTR_CIDR]) 169 169 + data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); 170 170 + 171 171 + if (!data.cidr) 172 172 + return -IPSET_ERR_INVALID_CIDR; 173 173 + 174 174 + data.ip &= ip_set_netmask(data.cidr); 175 175 + 176 176 + if (tb[IPSET_ATTR_TIMEOUT]) { 177 177 + if (!with_timeout(h->timeout)) 178 178 + return -IPSET_ERR_TIMEOUT; 179 179 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 180 180 + } 181 181 + 182 182 + ret = adtfn(set, &data, timeout); 183 183 + 184 184 + return ip_set_eexist(ret, flags) ? 0 : ret; 185 185 + } 186 186 + 187 187 + static bool 188 188 + hash_net_same_set(const struct ip_set *a, const struct ip_set *b) 189 189 + { 190 190 + const struct ip_set_hash *x = a->data; 191 191 + const struct ip_set_hash *y = b->data; 192 192 + 193 193 + /* Resizing changes htable_bits, so we ignore it */ 194 194 + return x->maxelem == y->maxelem && 195 195 + x->timeout == y->timeout; 196 196 + } 197 197 + 198 198 + /* The type variant functions: IPv6 */ 199 199 + 200 200 + struct hash_net6_elem { 201 201 + union nf_inet_addr ip; 202 202 + u16 padding0; 203 203 + u8 padding1; 204 204 + u8 cidr; 205 205 + }; 206 206 + 207 207 + struct hash_net6_telem { 208 208 + union nf_inet_addr ip; 209 209 + u16 padding0; 210 210 + u8 padding1; 211 211 + u8 cidr; 212 212 + unsigned long timeout; 213 213 + }; 214 214 + 215 215 + static inline bool 216 216 + hash_net6_data_equal(const struct hash_net6_elem *ip1, 217 217 + const struct hash_net6_elem *ip2) 218 218 + { 219 219 + return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 && 220 220 + ip1->cidr == ip2->cidr; 221 221 + } 222 222 + 223 223 + static inline bool 224 224 + hash_net6_data_isnull(const struct hash_net6_elem *elem) 225 225 + { 226 226 + return elem->cidr == 0; 227 227 + } 228 228 + 229 229 + static inline void 230 230 + hash_net6_data_copy(struct hash_net6_elem *dst, 231 231 + const struct hash_net6_elem *src) 232 232 + { 233 233 + ipv6_addr_copy(&dst->ip.in6, &src->ip.in6); 234 234 + dst->cidr = src->cidr; 235 235 + } 236 236 + 237 237 + static inline void 238 238 + hash_net6_data_zero_out(struct hash_net6_elem *elem) 239 239 + { 240 240 + elem->cidr = 0; 241 241 + } 242 242 + 243 243 + static inline void 244 244 + ip6_netmask(union nf_inet_addr *ip, u8 prefix) 245 245 + { 246 246 + ip->ip6[0] &= ip_set_netmask6(prefix)[0]; 247 247 + ip->ip6[1] &= ip_set_netmask6(prefix)[1]; 248 248 + ip->ip6[2] &= ip_set_netmask6(prefix)[2]; 249 249 + ip->ip6[3] &= ip_set_netmask6(prefix)[3]; 250 250 + } 251 251 + 252 252 + static inline void 253 253 + hash_net6_data_netmask(struct hash_net6_elem *elem, u8 cidr) 254 254 + { 255 255 + ip6_netmask(&elem->ip, cidr); 256 256 + elem->cidr = cidr; 257 257 + } 258 258 + 259 259 + static bool 260 260 + hash_net6_data_list(struct sk_buff *skb, const struct hash_net6_elem *data) 261 261 + { 262 262 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip); 263 263 + NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr); 264 264 + return 0; 265 265 + 266 266 + nla_put_failure: 267 267 + return 1; 268 268 + } 269 269 + 270 270 + static bool 271 271 + hash_net6_data_tlist(struct sk_buff *skb, const struct hash_net6_elem *data) 272 272 + { 273 273 + const struct hash_net6_telem *e = 274 274 + (const struct hash_net6_telem *)data; 275 275 + 276 276 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip); 277 277 + NLA_PUT_U8(skb, IPSET_ATTR_CIDR, e->cidr); 278 278 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 279 279 + htonl(ip_set_timeout_get(e->timeout))); 280 280 + return 0; 281 281 + 282 282 + nla_put_failure: 283 283 + return 1; 284 284 + } 285 285 + 286 286 + #undef PF 287 287 + #undef HOST_MASK 288 288 + 289 289 + #define PF 6 290 290 + #define HOST_MASK 128 291 291 + #include <linux/netfilter/ipset/ip_set_ahash.h> 292 292 + 293 293 + static int 294 294 + hash_net6_kadt(struct ip_set *set, const struct sk_buff *skb, 295 295 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 296 296 + { 297 297 + const struct ip_set_hash *h = set->data; 298 298 + ipset_adtfn adtfn = set->variant->adt[adt]; 299 299 + struct hash_net6_elem data = { .cidr = h->nets[0].cidr || HOST_MASK }; 300 300 + 301 301 + if (data.cidr == 0) 302 302 + return -EINVAL; 303 303 + if (adt == IPSET_TEST) 304 304 + data.cidr = HOST_MASK; 305 305 + 306 306 + ip6addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip.in6); 307 307 + ip6_netmask(&data.ip, data.cidr); 308 308 + 309 309 + return adtfn(set, &data, h->timeout); 310 310 + } 311 311 + 312 312 + static int 313 313 + hash_net6_uadt(struct ip_set *set, struct nlattr *tb[], 314 314 + enum ipset_adt adt, u32 *lineno, u32 flags) 315 315 + { 316 316 + const struct ip_set_hash *h = set->data; 317 317 + ipset_adtfn adtfn = set->variant->adt[adt]; 318 318 + struct hash_net6_elem data = { .cidr = HOST_MASK }; 319 319 + u32 timeout = h->timeout; 320 320 + int ret; 321 321 + 322 322 + if (unlikely(!tb[IPSET_ATTR_IP] || 323 323 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 324 324 + return -IPSET_ERR_PROTOCOL; 325 325 + 326 326 + if (tb[IPSET_ATTR_LINENO]) 327 327 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 328 328 + 329 329 + ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip); 330 330 + if (ret) 331 331 + return ret; 332 332 + 333 333 + if (tb[IPSET_ATTR_CIDR]) 334 334 + data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); 335 335 + 336 336 + if (!data.cidr) 337 337 + return -IPSET_ERR_INVALID_CIDR; 338 338 + 339 339 + ip6_netmask(&data.ip, data.cidr); 340 340 + 341 341 + if (tb[IPSET_ATTR_TIMEOUT]) { 342 342 + if (!with_timeout(h->timeout)) 343 343 + return -IPSET_ERR_TIMEOUT; 344 344 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 345 345 + } 346 346 + 347 347 + ret = adtfn(set, &data, timeout); 348 348 + 349 349 + return ip_set_eexist(ret, flags) ? 0 : ret; 350 350 + } 351 351 + 352 352 + /* Create hash:ip type of sets */ 353 353 + 354 354 + static int 355 355 + hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags) 356 356 + { 357 357 + u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 358 358 + struct ip_set_hash *h; 359 359 + u8 hbits; 360 360 + 361 361 + if (!(set->family == AF_INET || set->family == AF_INET6)) 362 362 + return -IPSET_ERR_INVALID_FAMILY; 363 363 + 364 364 + if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) || 365 365 + !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) || 366 366 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 367 367 + return -IPSET_ERR_PROTOCOL; 368 368 + 369 369 + if (tb[IPSET_ATTR_HASHSIZE]) { 370 370 + hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]); 371 371 + if (hashsize < IPSET_MIMINAL_HASHSIZE) 372 372 + hashsize = IPSET_MIMINAL_HASHSIZE; 373 373 + } 374 374 + 375 375 + if (tb[IPSET_ATTR_MAXELEM]) 376 376 + maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]); 377 377 + 378 378 + h = kzalloc(sizeof(*h) 379 379 + + sizeof(struct ip_set_hash_nets) 380 380 + * (set->family == AF_INET ? 32 : 128), GFP_KERNEL); 381 381 + if (!h) 382 382 + return -ENOMEM; 383 383 + 384 384 + h->maxelem = maxelem; 385 385 + get_random_bytes(&h->initval, sizeof(h->initval)); 386 386 + h->timeout = IPSET_NO_TIMEOUT; 387 387 + 388 388 + hbits = htable_bits(hashsize); 389 389 + h->table = ip_set_alloc( 390 390 + sizeof(struct htable) 391 391 + + jhash_size(hbits) * sizeof(struct hbucket)); 392 392 + if (!h->table) { 393 393 + kfree(h); 394 394 + return -ENOMEM; 395 395 + } 396 396 + h->table->htable_bits = hbits; 397 397 + 398 398 + set->data = h; 399 399 + 400 400 + if (tb[IPSET_ATTR_TIMEOUT]) { 401 401 + h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 402 402 + 403 403 + set->variant = set->family == AF_INET 404 404 + ? &hash_net4_tvariant : &hash_net6_tvariant; 405 405 + 406 406 + if (set->family == AF_INET) 407 407 + hash_net4_gc_init(set); 408 408 + else 409 409 + hash_net6_gc_init(set); 410 410 + } else { 411 411 + set->variant = set->family == AF_INET 412 412 + ? &hash_net4_variant : &hash_net6_variant; 413 413 + } 414 414 + 415 415 + pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n", 416 416 + set->name, jhash_size(h->table->htable_bits), 417 417 + h->table->htable_bits, h->maxelem, set->data, h->table); 418 418 + 419 419 + return 0; 420 420 + } 421 421 + 422 422 + static struct ip_set_type hash_net_type __read_mostly = { 423 423 + .name = "hash:net", 424 424 + .protocol = IPSET_PROTOCOL, 425 425 + .features = IPSET_TYPE_IP, 426 426 + .dimension = IPSET_DIM_ONE, 427 427 + .family = AF_UNSPEC, 428 428 + .revision = 0, 429 429 + .create = hash_net_create, 430 430 + .create_policy = { 431 431 + [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 }, 432 432 + [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 }, 433 433 + [IPSET_ATTR_PROBES] = { .type = NLA_U8 }, 434 434 + [IPSET_ATTR_RESIZE] = { .type = NLA_U8 }, 435 435 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 436 436 + }, 437 437 + .adt_policy = { 438 438 + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, 439 439 + [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, 440 440 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 441 441 + }, 442 442 + .me = THIS_MODULE, 443 443 + }; 444 444 + 445 445 + static int __init 446 446 + hash_net_init(void) 447 447 + { 448 448 + return ip_set_type_register(&hash_net_type); 449 449 + } 450 450 + 451 451 + static void __exit 452 452 + hash_net_fini(void) 453 453 + { 454 454 + ip_set_type_unregister(&hash_net_type); 455 455 + } 456 456 + 457 457 + module_init(hash_net_init); 458 458 + module_exit(hash_net_fini);

+578

net/netfilter/ipset/ip_set_hash_netport.c

reviewed

··· 1 1 + /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2 2 + * 3 3 + * This program is free software; you can redistribute it and/or modify 4 4 + * it under the terms of the GNU General Public License version 2 as 5 5 + * published by the Free Software Foundation. 6 6 + */ 7 7 + 8 8 + /* Kernel module implementing an IP set type: the hash:net,port type */ 9 9 + 10 10 + #include <linux/jhash.h> 11 11 + #include <linux/module.h> 12 12 + #include <linux/ip.h> 13 13 + #include <linux/skbuff.h> 14 14 + #include <linux/errno.h> 15 15 + #include <linux/random.h> 16 16 + #include <net/ip.h> 17 17 + #include <net/ipv6.h> 18 18 + #include <net/netlink.h> 19 19 + 20 20 + #include <linux/netfilter.h> 21 21 + #include <linux/netfilter/ipset/pfxlen.h> 22 22 + #include <linux/netfilter/ipset/ip_set.h> 23 23 + #include <linux/netfilter/ipset/ip_set_timeout.h> 24 24 + #include <linux/netfilter/ipset/ip_set_getport.h> 25 25 + #include <linux/netfilter/ipset/ip_set_hash.h> 26 26 + 27 27 + MODULE_LICENSE("GPL"); 28 28 + MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 29 29 + MODULE_DESCRIPTION("hash:net,port type of IP sets"); 30 30 + MODULE_ALIAS("ip_set_hash:net,port"); 31 31 + 32 32 + /* Type specific function prefix */ 33 33 + #define TYPE hash_netport 34 34 + 35 35 + static bool 36 36 + hash_netport_same_set(const struct ip_set *a, const struct ip_set *b); 37 37 + 38 38 + #define hash_netport4_same_set hash_netport_same_set 39 39 + #define hash_netport6_same_set hash_netport_same_set 40 40 + 41 41 + /* The type variant functions: IPv4 */ 42 42 + 43 43 + /* Member elements without timeout */ 44 44 + struct hash_netport4_elem { 45 45 + __be32 ip; 46 46 + __be16 port; 47 47 + u8 proto; 48 48 + u8 cidr; 49 49 + }; 50 50 + 51 51 + /* Member elements with timeout support */ 52 52 + struct hash_netport4_telem { 53 53 + __be32 ip; 54 54 + __be16 port; 55 55 + u8 proto; 56 56 + u8 cidr; 57 57 + unsigned long timeout; 58 58 + }; 59 59 + 60 60 + static inline bool 61 61 + hash_netport4_data_equal(const struct hash_netport4_elem *ip1, 62 62 + const struct hash_netport4_elem *ip2) 63 63 + { 64 64 + return ip1->ip == ip2->ip && 65 65 + ip1->port == ip2->port && 66 66 + ip1->proto == ip2->proto && 67 67 + ip1->cidr == ip2->cidr; 68 68 + } 69 69 + 70 70 + static inline bool 71 71 + hash_netport4_data_isnull(const struct hash_netport4_elem *elem) 72 72 + { 73 73 + return elem->proto == 0; 74 74 + } 75 75 + 76 76 + static inline void 77 77 + hash_netport4_data_copy(struct hash_netport4_elem *dst, 78 78 + const struct hash_netport4_elem *src) 79 79 + { 80 80 + dst->ip = src->ip; 81 81 + dst->port = src->port; 82 82 + dst->proto = src->proto; 83 83 + dst->cidr = src->cidr; 84 84 + } 85 85 + 86 86 + static inline void 87 87 + hash_netport4_data_netmask(struct hash_netport4_elem *elem, u8 cidr) 88 88 + { 89 89 + elem->ip &= ip_set_netmask(cidr); 90 90 + elem->cidr = cidr; 91 91 + } 92 92 + 93 93 + static inline void 94 94 + hash_netport4_data_zero_out(struct hash_netport4_elem *elem) 95 95 + { 96 96 + elem->proto = 0; 97 97 + } 98 98 + 99 99 + static bool 100 100 + hash_netport4_data_list(struct sk_buff *skb, 101 101 + const struct hash_netport4_elem *data) 102 102 + { 103 103 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip); 104 104 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port); 105 105 + NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr); 106 106 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 107 107 + return 0; 108 108 + 109 109 + nla_put_failure: 110 110 + return 1; 111 111 + } 112 112 + 113 113 + static bool 114 114 + hash_netport4_data_tlist(struct sk_buff *skb, 115 115 + const struct hash_netport4_elem *data) 116 116 + { 117 117 + const struct hash_netport4_telem *tdata = 118 118 + (const struct hash_netport4_telem *)data; 119 119 + 120 120 + NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip); 121 121 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port); 122 122 + NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr); 123 123 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 124 124 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 125 125 + htonl(ip_set_timeout_get(tdata->timeout))); 126 126 + 127 127 + return 0; 128 128 + 129 129 + nla_put_failure: 130 130 + return 1; 131 131 + } 132 132 + 133 133 + #define IP_SET_HASH_WITH_PROTO 134 134 + #define IP_SET_HASH_WITH_NETS 135 135 + 136 136 + #define PF 4 137 137 + #define HOST_MASK 32 138 138 + #include <linux/netfilter/ipset/ip_set_ahash.h> 139 139 + 140 140 + static int 141 141 + hash_netport4_kadt(struct ip_set *set, const struct sk_buff *skb, 142 142 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 143 143 + { 144 144 + const struct ip_set_hash *h = set->data; 145 145 + ipset_adtfn adtfn = set->variant->adt[adt]; 146 146 + struct hash_netport4_elem data = { 147 147 + .cidr = h->nets[0].cidr || HOST_MASK }; 148 148 + 149 149 + if (data.cidr == 0) 150 150 + return -EINVAL; 151 151 + if (adt == IPSET_TEST) 152 152 + data.cidr = HOST_MASK; 153 153 + 154 154 + if (!ip_set_get_ip4_port(skb, flags & IPSET_DIM_TWO_SRC, 155 155 + &data.port, &data.proto)) 156 156 + return -EINVAL; 157 157 + 158 158 + ip4addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip); 159 159 + data.ip &= ip_set_netmask(data.cidr); 160 160 + 161 161 + return adtfn(set, &data, h->timeout); 162 162 + } 163 163 + 164 164 + static int 165 165 + hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[], 166 166 + enum ipset_adt adt, u32 *lineno, u32 flags) 167 167 + { 168 168 + const struct ip_set_hash *h = set->data; 169 169 + ipset_adtfn adtfn = set->variant->adt[adt]; 170 170 + struct hash_netport4_elem data = { .cidr = HOST_MASK }; 171 171 + u32 port, port_to; 172 172 + u32 timeout = h->timeout; 173 173 + int ret; 174 174 + 175 175 + if (unlikely(!tb[IPSET_ATTR_IP] || 176 176 + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || 177 177 + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || 178 178 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 179 179 + return -IPSET_ERR_PROTOCOL; 180 180 + 181 181 + if (tb[IPSET_ATTR_LINENO]) 182 182 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 183 183 + 184 184 + ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip); 185 185 + if (ret) 186 186 + return ret; 187 187 + 188 188 + if (tb[IPSET_ATTR_CIDR]) 189 189 + data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); 190 190 + if (!data.cidr) 191 191 + return -IPSET_ERR_INVALID_CIDR; 192 192 + data.ip &= ip_set_netmask(data.cidr); 193 193 + 194 194 + if (tb[IPSET_ATTR_PORT]) 195 195 + data.port = nla_get_be16(tb[IPSET_ATTR_PORT]); 196 196 + else 197 197 + return -IPSET_ERR_PROTOCOL; 198 198 + 199 199 + if (tb[IPSET_ATTR_PROTO]) { 200 200 + data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); 201 201 + 202 202 + if (data.proto == 0) 203 203 + return -IPSET_ERR_INVALID_PROTO; 204 204 + } else 205 205 + return -IPSET_ERR_MISSING_PROTO; 206 206 + 207 207 + switch (data.proto) { 208 208 + case IPPROTO_UDP: 209 209 + case IPPROTO_TCP: 210 210 + case IPPROTO_ICMP: 211 211 + break; 212 212 + default: 213 213 + data.port = 0; 214 214 + break; 215 215 + } 216 216 + 217 217 + if (tb[IPSET_ATTR_TIMEOUT]) { 218 218 + if (!with_timeout(h->timeout)) 219 219 + return -IPSET_ERR_TIMEOUT; 220 220 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 221 221 + } 222 222 + 223 223 + if (adt == IPSET_TEST || 224 224 + !(data.proto == IPPROTO_TCP || data.proto == IPPROTO_UDP) || 225 225 + !tb[IPSET_ATTR_PORT_TO]) { 226 226 + ret = adtfn(set, &data, timeout); 227 227 + return ip_set_eexist(ret, flags) ? 0 : ret; 228 228 + } 229 229 + 230 230 + port = ntohs(data.port); 231 231 + port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); 232 232 + if (port > port_to) 233 233 + swap(port, port_to); 234 234 + 235 235 + for (; port <= port_to; port++) { 236 236 + data.port = htons(port); 237 237 + ret = adtfn(set, &data, timeout); 238 238 + 239 239 + if (ret && !ip_set_eexist(ret, flags)) 240 240 + return ret; 241 241 + else 242 242 + ret = 0; 243 243 + } 244 244 + return ret; 245 245 + } 246 246 + 247 247 + static bool 248 248 + hash_netport_same_set(const struct ip_set *a, const struct ip_set *b) 249 249 + { 250 250 + const struct ip_set_hash *x = a->data; 251 251 + const struct ip_set_hash *y = b->data; 252 252 + 253 253 + /* Resizing changes htable_bits, so we ignore it */ 254 254 + return x->maxelem == y->maxelem && 255 255 + x->timeout == y->timeout; 256 256 + } 257 257 + 258 258 + /* The type variant functions: IPv6 */ 259 259 + 260 260 + struct hash_netport6_elem { 261 261 + union nf_inet_addr ip; 262 262 + __be16 port; 263 263 + u8 proto; 264 264 + u8 cidr; 265 265 + }; 266 266 + 267 267 + struct hash_netport6_telem { 268 268 + union nf_inet_addr ip; 269 269 + __be16 port; 270 270 + u8 proto; 271 271 + u8 cidr; 272 272 + unsigned long timeout; 273 273 + }; 274 274 + 275 275 + static inline bool 276 276 + hash_netport6_data_equal(const struct hash_netport6_elem *ip1, 277 277 + const struct hash_netport6_elem *ip2) 278 278 + { 279 279 + return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 && 280 280 + ip1->port == ip2->port && 281 281 + ip1->proto == ip2->proto && 282 282 + ip1->cidr == ip2->cidr; 283 283 + } 284 284 + 285 285 + static inline bool 286 286 + hash_netport6_data_isnull(const struct hash_netport6_elem *elem) 287 287 + { 288 288 + return elem->proto == 0; 289 289 + } 290 290 + 291 291 + static inline void 292 292 + hash_netport6_data_copy(struct hash_netport6_elem *dst, 293 293 + const struct hash_netport6_elem *src) 294 294 + { 295 295 + memcpy(dst, src, sizeof(*dst)); 296 296 + } 297 297 + 298 298 + static inline void 299 299 + hash_netport6_data_zero_out(struct hash_netport6_elem *elem) 300 300 + { 301 301 + elem->proto = 0; 302 302 + } 303 303 + 304 304 + static inline void 305 305 + ip6_netmask(union nf_inet_addr *ip, u8 prefix) 306 306 + { 307 307 + ip->ip6[0] &= ip_set_netmask6(prefix)[0]; 308 308 + ip->ip6[1] &= ip_set_netmask6(prefix)[1]; 309 309 + ip->ip6[2] &= ip_set_netmask6(prefix)[2]; 310 310 + ip->ip6[3] &= ip_set_netmask6(prefix)[3]; 311 311 + } 312 312 + 313 313 + static inline void 314 314 + hash_netport6_data_netmask(struct hash_netport6_elem *elem, u8 cidr) 315 315 + { 316 316 + ip6_netmask(&elem->ip, cidr); 317 317 + elem->cidr = cidr; 318 318 + } 319 319 + 320 320 + static bool 321 321 + hash_netport6_data_list(struct sk_buff *skb, 322 322 + const struct hash_netport6_elem *data) 323 323 + { 324 324 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip); 325 325 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port); 326 326 + NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr); 327 327 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 328 328 + return 0; 329 329 + 330 330 + nla_put_failure: 331 331 + return 1; 332 332 + } 333 333 + 334 334 + static bool 335 335 + hash_netport6_data_tlist(struct sk_buff *skb, 336 336 + const struct hash_netport6_elem *data) 337 337 + { 338 338 + const struct hash_netport6_telem *e = 339 339 + (const struct hash_netport6_telem *)data; 340 340 + 341 341 + NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip); 342 342 + NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port); 343 343 + NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr); 344 344 + NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto); 345 345 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 346 346 + htonl(ip_set_timeout_get(e->timeout))); 347 347 + return 0; 348 348 + 349 349 + nla_put_failure: 350 350 + return 1; 351 351 + } 352 352 + 353 353 + #undef PF 354 354 + #undef HOST_MASK 355 355 + 356 356 + #define PF 6 357 357 + #define HOST_MASK 128 358 358 + #include <linux/netfilter/ipset/ip_set_ahash.h> 359 359 + 360 360 + static int 361 361 + hash_netport6_kadt(struct ip_set *set, const struct sk_buff *skb, 362 362 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 363 363 + { 364 364 + const struct ip_set_hash *h = set->data; 365 365 + ipset_adtfn adtfn = set->variant->adt[adt]; 366 366 + struct hash_netport6_elem data = { 367 367 + .cidr = h->nets[0].cidr || HOST_MASK }; 368 368 + 369 369 + if (data.cidr == 0) 370 370 + return -EINVAL; 371 371 + if (adt == IPSET_TEST) 372 372 + data.cidr = HOST_MASK; 373 373 + 374 374 + if (!ip_set_get_ip6_port(skb, flags & IPSET_DIM_TWO_SRC, 375 375 + &data.port, &data.proto)) 376 376 + return -EINVAL; 377 377 + 378 378 + ip6addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip.in6); 379 379 + ip6_netmask(&data.ip, data.cidr); 380 380 + 381 381 + return adtfn(set, &data, h->timeout); 382 382 + } 383 383 + 384 384 + static int 385 385 + hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[], 386 386 + enum ipset_adt adt, u32 *lineno, u32 flags) 387 387 + { 388 388 + const struct ip_set_hash *h = set->data; 389 389 + ipset_adtfn adtfn = set->variant->adt[adt]; 390 390 + struct hash_netport6_elem data = { .cidr = HOST_MASK }; 391 391 + u32 port, port_to; 392 392 + u32 timeout = h->timeout; 393 393 + int ret; 394 394 + 395 395 + if (unlikely(!tb[IPSET_ATTR_IP] || 396 396 + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || 397 397 + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || 398 398 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 399 399 + return -IPSET_ERR_PROTOCOL; 400 400 + 401 401 + if (tb[IPSET_ATTR_LINENO]) 402 402 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 403 403 + 404 404 + ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip); 405 405 + if (ret) 406 406 + return ret; 407 407 + 408 408 + if (tb[IPSET_ATTR_CIDR]) 409 409 + data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); 410 410 + if (!data.cidr) 411 411 + return -IPSET_ERR_INVALID_CIDR; 412 412 + ip6_netmask(&data.ip, data.cidr); 413 413 + 414 414 + if (tb[IPSET_ATTR_PORT]) 415 415 + data.port = nla_get_be16(tb[IPSET_ATTR_PORT]); 416 416 + else 417 417 + return -IPSET_ERR_PROTOCOL; 418 418 + 419 419 + if (tb[IPSET_ATTR_PROTO]) { 420 420 + data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); 421 421 + 422 422 + if (data.proto == 0) 423 423 + return -IPSET_ERR_INVALID_PROTO; 424 424 + } else 425 425 + return -IPSET_ERR_MISSING_PROTO; 426 426 + 427 427 + switch (data.proto) { 428 428 + case IPPROTO_UDP: 429 429 + case IPPROTO_TCP: 430 430 + case IPPROTO_ICMPV6: 431 431 + break; 432 432 + default: 433 433 + data.port = 0; 434 434 + break; 435 435 + } 436 436 + 437 437 + if (tb[IPSET_ATTR_TIMEOUT]) { 438 438 + if (!with_timeout(h->timeout)) 439 439 + return -IPSET_ERR_TIMEOUT; 440 440 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 441 441 + } 442 442 + 443 443 + if (adt == IPSET_TEST || 444 444 + !(data.proto == IPPROTO_TCP || data.proto == IPPROTO_UDP) || 445 445 + !tb[IPSET_ATTR_PORT_TO]) { 446 446 + ret = adtfn(set, &data, timeout); 447 447 + return ip_set_eexist(ret, flags) ? 0 : ret; 448 448 + } 449 449 + 450 450 + port = ntohs(data.port); 451 451 + port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); 452 452 + if (port > port_to) 453 453 + swap(port, port_to); 454 454 + 455 455 + for (; port <= port_to; port++) { 456 456 + data.port = htons(port); 457 457 + ret = adtfn(set, &data, timeout); 458 458 + 459 459 + if (ret && !ip_set_eexist(ret, flags)) 460 460 + return ret; 461 461 + else 462 462 + ret = 0; 463 463 + } 464 464 + return ret; 465 465 + } 466 466 + 467 467 + /* Create hash:ip type of sets */ 468 468 + 469 469 + static int 470 470 + hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags) 471 471 + { 472 472 + struct ip_set_hash *h; 473 473 + u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; 474 474 + u8 hbits; 475 475 + 476 476 + if (!(set->family == AF_INET || set->family == AF_INET6)) 477 477 + return -IPSET_ERR_INVALID_FAMILY; 478 478 + 479 479 + if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) || 480 480 + !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) || 481 481 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 482 482 + return -IPSET_ERR_PROTOCOL; 483 483 + 484 484 + if (tb[IPSET_ATTR_HASHSIZE]) { 485 485 + hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]); 486 486 + if (hashsize < IPSET_MIMINAL_HASHSIZE) 487 487 + hashsize = IPSET_MIMINAL_HASHSIZE; 488 488 + } 489 489 + 490 490 + if (tb[IPSET_ATTR_MAXELEM]) 491 491 + maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]); 492 492 + 493 493 + h = kzalloc(sizeof(*h) 494 494 + + sizeof(struct ip_set_hash_nets) 495 495 + * (set->family == AF_INET ? 32 : 128), GFP_KERNEL); 496 496 + if (!h) 497 497 + return -ENOMEM; 498 498 + 499 499 + h->maxelem = maxelem; 500 500 + get_random_bytes(&h->initval, sizeof(h->initval)); 501 501 + h->timeout = IPSET_NO_TIMEOUT; 502 502 + 503 503 + hbits = htable_bits(hashsize); 504 504 + h->table = ip_set_alloc( 505 505 + sizeof(struct htable) 506 506 + + jhash_size(hbits) * sizeof(struct hbucket)); 507 507 + if (!h->table) { 508 508 + kfree(h); 509 509 + return -ENOMEM; 510 510 + } 511 511 + h->table->htable_bits = hbits; 512 512 + 513 513 + set->data = h; 514 514 + 515 515 + if (tb[IPSET_ATTR_TIMEOUT]) { 516 516 + h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 517 517 + 518 518 + set->variant = set->family == AF_INET 519 519 + ? &hash_netport4_tvariant : &hash_netport6_tvariant; 520 520 + 521 521 + if (set->family == AF_INET) 522 522 + hash_netport4_gc_init(set); 523 523 + else 524 524 + hash_netport6_gc_init(set); 525 525 + } else { 526 526 + set->variant = set->family == AF_INET 527 527 + ? &hash_netport4_variant : &hash_netport6_variant; 528 528 + } 529 529 + 530 530 + pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n", 531 531 + set->name, jhash_size(h->table->htable_bits), 532 532 + h->table->htable_bits, h->maxelem, set->data, h->table); 533 533 + 534 534 + return 0; 535 535 + } 536 536 + 537 537 + static struct ip_set_type hash_netport_type __read_mostly = { 538 538 + .name = "hash:net,port", 539 539 + .protocol = IPSET_PROTOCOL, 540 540 + .features = IPSET_TYPE_IP | IPSET_TYPE_PORT, 541 541 + .dimension = IPSET_DIM_TWO, 542 542 + .family = AF_UNSPEC, 543 543 + .revision = 0, 544 544 + .create = hash_netport_create, 545 545 + .create_policy = { 546 546 + [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 }, 547 547 + [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 }, 548 548 + [IPSET_ATTR_PROBES] = { .type = NLA_U8 }, 549 549 + [IPSET_ATTR_RESIZE] = { .type = NLA_U8 }, 550 550 + [IPSET_ATTR_PROTO] = { .type = NLA_U8 }, 551 551 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 552 552 + }, 553 553 + .adt_policy = { 554 554 + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, 555 555 + [IPSET_ATTR_PORT] = { .type = NLA_U16 }, 556 556 + [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 }, 557 557 + [IPSET_ATTR_PROTO] = { .type = NLA_U8 }, 558 558 + [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, 559 559 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 560 560 + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, 561 561 + }, 562 562 + .me = THIS_MODULE, 563 563 + }; 564 564 + 565 565 + static int __init 566 566 + hash_netport_init(void) 567 567 + { 568 568 + return ip_set_type_register(&hash_netport_type); 569 569 + } 570 570 + 571 571 + static void __exit 572 572 + hash_netport_fini(void) 573 573 + { 574 574 + ip_set_type_unregister(&hash_netport_type); 575 575 + } 576 576 + 577 577 + module_init(hash_netport_init); 578 578 + module_exit(hash_netport_fini);

+584

net/netfilter/ipset/ip_set_list_set.c

reviewed

··· 1 1 + /* Copyright (C) 2008-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2 2 + * 3 3 + * This program is free software; you can redistribute it and/or modify 4 4 + * it under the terms of the GNU General Public License version 2 as 5 5 + * published by the Free Software Foundation. 6 6 + */ 7 7 + 8 8 + /* Kernel module implementing an IP set type: the list:set type */ 9 9 + 10 10 + #include <linux/module.h> 11 11 + #include <linux/ip.h> 12 12 + #include <linux/skbuff.h> 13 13 + #include <linux/errno.h> 14 14 + 15 15 + #include <linux/netfilter/ipset/ip_set.h> 16 16 + #include <linux/netfilter/ipset/ip_set_timeout.h> 17 17 + #include <linux/netfilter/ipset/ip_set_list.h> 18 18 + 19 19 + MODULE_LICENSE("GPL"); 20 20 + MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 21 21 + MODULE_DESCRIPTION("list:set type of IP sets"); 22 22 + MODULE_ALIAS("ip_set_list:set"); 23 23 + 24 24 + /* Member elements without and with timeout */ 25 25 + struct set_elem { 26 26 + ip_set_id_t id; 27 27 + }; 28 28 + 29 29 + struct set_telem { 30 30 + ip_set_id_t id; 31 31 + unsigned long timeout; 32 32 + }; 33 33 + 34 34 + /* Type structure */ 35 35 + struct list_set { 36 36 + size_t dsize; /* element size */ 37 37 + u32 size; /* size of set list array */ 38 38 + u32 timeout; /* timeout value */ 39 39 + struct timer_list gc; /* garbage collection */ 40 40 + struct set_elem members[0]; /* the set members */ 41 41 + }; 42 42 + 43 43 + static inline struct set_elem * 44 44 + list_set_elem(const struct list_set *map, u32 id) 45 45 + { 46 46 + return (struct set_elem *)((char *)map->members + id * map->dsize); 47 47 + } 48 48 + 49 49 + static inline bool 50 50 + list_set_timeout(const struct list_set *map, u32 id) 51 51 + { 52 52 + const struct set_telem *elem = 53 53 + (const struct set_telem *) list_set_elem(map, id); 54 54 + 55 55 + return ip_set_timeout_test(elem->timeout); 56 56 + } 57 57 + 58 58 + static inline bool 59 59 + list_set_expired(const struct list_set *map, u32 id) 60 60 + { 61 61 + const struct set_telem *elem = 62 62 + (const struct set_telem *) list_set_elem(map, id); 63 63 + 64 64 + return ip_set_timeout_expired(elem->timeout); 65 65 + } 66 66 + 67 67 + static inline int 68 68 + list_set_exist(const struct set_telem *elem) 69 69 + { 70 70 + return elem->id != IPSET_INVALID_ID && 71 71 + !ip_set_timeout_expired(elem->timeout); 72 72 + } 73 73 + 74 74 + /* Set list without and with timeout */ 75 75 + 76 76 + static int 77 77 + list_set_kadt(struct ip_set *set, const struct sk_buff *skb, 78 78 + enum ipset_adt adt, u8 pf, u8 dim, u8 flags) 79 79 + { 80 80 + struct list_set *map = set->data; 81 81 + struct set_elem *elem; 82 82 + u32 i; 83 83 + int ret; 84 84 + 85 85 + for (i = 0; i < map->size; i++) { 86 86 + elem = list_set_elem(map, i); 87 87 + if (elem->id == IPSET_INVALID_ID) 88 88 + return 0; 89 89 + if (with_timeout(map->timeout) && list_set_expired(map, i)) 90 90 + continue; 91 91 + switch (adt) { 92 92 + case IPSET_TEST: 93 93 + ret = ip_set_test(elem->id, skb, pf, dim, flags); 94 94 + if (ret > 0) 95 95 + return ret; 96 96 + break; 97 97 + case IPSET_ADD: 98 98 + ret = ip_set_add(elem->id, skb, pf, dim, flags); 99 99 + if (ret == 0) 100 100 + return ret; 101 101 + break; 102 102 + case IPSET_DEL: 103 103 + ret = ip_set_del(elem->id, skb, pf, dim, flags); 104 104 + if (ret == 0) 105 105 + return ret; 106 106 + break; 107 107 + default: 108 108 + break; 109 109 + } 110 110 + } 111 111 + return -EINVAL; 112 112 + } 113 113 + 114 114 + static bool 115 115 + next_id_eq(const struct list_set *map, u32 i, ip_set_id_t id) 116 116 + { 117 117 + const struct set_elem *elem; 118 118 + 119 119 + if (i + 1 < map->size) { 120 120 + elem = list_set_elem(map, i + 1); 121 121 + return !!(elem->id == id && 122 122 + !(with_timeout(map->timeout) && 123 123 + list_set_expired(map, i + 1))); 124 124 + } 125 125 + 126 126 + return 0; 127 127 + } 128 128 + 129 129 + static void 130 130 + list_elem_add(struct list_set *map, u32 i, ip_set_id_t id) 131 131 + { 132 132 + struct set_elem *e; 133 133 + 134 134 + for (; i < map->size; i++) { 135 135 + e = list_set_elem(map, i); 136 136 + swap(e->id, id); 137 137 + if (e->id == IPSET_INVALID_ID) 138 138 + break; 139 139 + } 140 140 + } 141 141 + 142 142 + static void 143 143 + list_elem_tadd(struct list_set *map, u32 i, ip_set_id_t id, 144 144 + unsigned long timeout) 145 145 + { 146 146 + struct set_telem *e; 147 147 + 148 148 + for (; i < map->size; i++) { 149 149 + e = (struct set_telem *)list_set_elem(map, i); 150 150 + swap(e->id, id); 151 151 + if (e->id == IPSET_INVALID_ID) 152 152 + break; 153 153 + swap(e->timeout, timeout); 154 154 + } 155 155 + } 156 156 + 157 157 + static int 158 158 + list_set_add(struct list_set *map, u32 i, ip_set_id_t id, 159 159 + unsigned long timeout) 160 160 + { 161 161 + const struct set_elem *e = list_set_elem(map, i); 162 162 + 163 163 + if (i == map->size - 1 && e->id != IPSET_INVALID_ID) 164 164 + /* Last element replaced: e.g. add new,before,last */ 165 165 + ip_set_put_byindex(e->id); 166 166 + if (with_timeout(map->timeout)) 167 167 + list_elem_tadd(map, i, id, timeout); 168 168 + else 169 169 + list_elem_add(map, i, id); 170 170 + 171 171 + return 0; 172 172 + } 173 173 + 174 174 + static int 175 175 + list_set_del(struct list_set *map, ip_set_id_t id, u32 i) 176 176 + { 177 177 + struct set_elem *a = list_set_elem(map, i), *b; 178 178 + 179 179 + ip_set_put_byindex(id); 180 180 + 181 181 + for (; i < map->size - 1; i++) { 182 182 + b = list_set_elem(map, i + 1); 183 183 + a->id = b->id; 184 184 + if (with_timeout(map->timeout)) 185 185 + ((struct set_telem *)a)->timeout = 186 186 + ((struct set_telem *)b)->timeout; 187 187 + a = b; 188 188 + if (a->id == IPSET_INVALID_ID) 189 189 + break; 190 190 + } 191 191 + /* Last element */ 192 192 + a->id = IPSET_INVALID_ID; 193 193 + return 0; 194 194 + } 195 195 + 196 196 + static int 197 197 + list_set_uadt(struct ip_set *set, struct nlattr *tb[], 198 198 + enum ipset_adt adt, u32 *lineno, u32 flags) 199 199 + { 200 200 + struct list_set *map = set->data; 201 201 + bool with_timeout = with_timeout(map->timeout); 202 202 + int before = 0; 203 203 + u32 timeout = map->timeout; 204 204 + ip_set_id_t id, refid = IPSET_INVALID_ID; 205 205 + const struct set_elem *elem; 206 206 + struct ip_set *s; 207 207 + u32 i; 208 208 + int ret = 0; 209 209 + 210 210 + if (unlikely(!tb[IPSET_ATTR_NAME] || 211 211 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || 212 212 + !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS))) 213 213 + return -IPSET_ERR_PROTOCOL; 214 214 + 215 215 + if (tb[IPSET_ATTR_LINENO]) 216 216 + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); 217 217 + 218 218 + id = ip_set_get_byname(nla_data(tb[IPSET_ATTR_NAME]), &s); 219 219 + if (id == IPSET_INVALID_ID) 220 220 + return -IPSET_ERR_NAME; 221 221 + /* "Loop detection" */ 222 222 + if (s->type->features & IPSET_TYPE_NAME) { 223 223 + ret = -IPSET_ERR_LOOP; 224 224 + goto finish; 225 225 + } 226 226 + 227 227 + if (tb[IPSET_ATTR_CADT_FLAGS]) { 228 228 + u32 f = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); 229 229 + before = f & IPSET_FLAG_BEFORE; 230 230 + } 231 231 + 232 232 + if (before && !tb[IPSET_ATTR_NAMEREF]) { 233 233 + ret = -IPSET_ERR_BEFORE; 234 234 + goto finish; 235 235 + } 236 236 + 237 237 + if (tb[IPSET_ATTR_NAMEREF]) { 238 238 + refid = ip_set_get_byname(nla_data(tb[IPSET_ATTR_NAMEREF]), 239 239 + &s); 240 240 + if (refid == IPSET_INVALID_ID) { 241 241 + ret = -IPSET_ERR_NAMEREF; 242 242 + goto finish; 243 243 + } 244 244 + if (!before) 245 245 + before = -1; 246 246 + } 247 247 + if (tb[IPSET_ATTR_TIMEOUT]) { 248 248 + if (!with_timeout) { 249 249 + ret = -IPSET_ERR_TIMEOUT; 250 250 + goto finish; 251 251 + } 252 252 + timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); 253 253 + } 254 254 + 255 255 + switch (adt) { 256 256 + case IPSET_TEST: 257 257 + for (i = 0; i < map->size && !ret; i++) { 258 258 + elem = list_set_elem(map, i); 259 259 + if (elem->id == IPSET_INVALID_ID || 260 260 + (before != 0 && i + 1 >= map->size)) 261 261 + break; 262 262 + else if (with_timeout && list_set_expired(map, i)) 263 263 + continue; 264 264 + else if (before > 0 && elem->id == id) 265 265 + ret = next_id_eq(map, i, refid); 266 266 + else if (before < 0 && elem->id == refid) 267 267 + ret = next_id_eq(map, i, id); 268 268 + else if (before == 0 && elem->id == id) 269 269 + ret = 1; 270 270 + } 271 271 + break; 272 272 + case IPSET_ADD: 273 273 + for (i = 0; i < map->size && !ret; i++) { 274 274 + elem = list_set_elem(map, i); 275 275 + if (elem->id == id && 276 276 + !(with_timeout && list_set_expired(map, i))) 277 277 + ret = -IPSET_ERR_EXIST; 278 278 + } 279 279 + if (ret == -IPSET_ERR_EXIST) 280 280 + break; 281 281 + ret = -IPSET_ERR_LIST_FULL; 282 282 + for (i = 0; i < map->size && ret == -IPSET_ERR_LIST_FULL; i++) { 283 283 + elem = list_set_elem(map, i); 284 284 + if (elem->id == IPSET_INVALID_ID) 285 285 + ret = before != 0 ? -IPSET_ERR_REF_EXIST 286 286 + : list_set_add(map, i, id, timeout); 287 287 + else if (elem->id != refid) 288 288 + continue; 289 289 + else if (with_timeout && list_set_expired(map, i)) 290 290 + ret = -IPSET_ERR_REF_EXIST; 291 291 + else if (before) 292 292 + ret = list_set_add(map, i, id, timeout); 293 293 + else if (i + 1 < map->size) 294 294 + ret = list_set_add(map, i + 1, id, timeout); 295 295 + } 296 296 + break; 297 297 + case IPSET_DEL: 298 298 + ret = -IPSET_ERR_EXIST; 299 299 + for (i = 0; i < map->size && ret == -IPSET_ERR_EXIST; i++) { 300 300 + elem = list_set_elem(map, i); 301 301 + if (elem->id == IPSET_INVALID_ID) { 302 302 + ret = before != 0 ? -IPSET_ERR_REF_EXIST 303 303 + : -IPSET_ERR_EXIST; 304 304 + break; 305 305 + } else if (with_timeout && list_set_expired(map, i)) 306 306 + continue; 307 307 + else if (elem->id == id && 308 308 + (before == 0 || 309 309 + (before > 0 && 310 310 + next_id_eq(map, i, refid)))) 311 311 + ret = list_set_del(map, id, i); 312 312 + else if (before < 0 && 313 313 + elem->id == refid && 314 314 + next_id_eq(map, i, id)) 315 315 + ret = list_set_del(map, id, i + 1); 316 316 + } 317 317 + break; 318 318 + default: 319 319 + break; 320 320 + } 321 321 + 322 322 + finish: 323 323 + if (refid != IPSET_INVALID_ID) 324 324 + ip_set_put_byindex(refid); 325 325 + if (adt != IPSET_ADD || ret) 326 326 + ip_set_put_byindex(id); 327 327 + 328 328 + return ip_set_eexist(ret, flags) ? 0 : ret; 329 329 + } 330 330 + 331 331 + static void 332 332 + list_set_flush(struct ip_set *set) 333 333 + { 334 334 + struct list_set *map = set->data; 335 335 + struct set_elem *elem; 336 336 + u32 i; 337 337 + 338 338 + for (i = 0; i < map->size; i++) { 339 339 + elem = list_set_elem(map, i); 340 340 + if (elem->id != IPSET_INVALID_ID) { 341 341 + ip_set_put_byindex(elem->id); 342 342 + elem->id = IPSET_INVALID_ID; 343 343 + } 344 344 + } 345 345 + } 346 346 + 347 347 + static void 348 348 + list_set_destroy(struct ip_set *set) 349 349 + { 350 350 + struct list_set *map = set->data; 351 351 + 352 352 + if (with_timeout(map->timeout)) 353 353 + del_timer_sync(&map->gc); 354 354 + list_set_flush(set); 355 355 + kfree(map); 356 356 + 357 357 + set->data = NULL; 358 358 + } 359 359 + 360 360 + static int 361 361 + list_set_head(struct ip_set *set, struct sk_buff *skb) 362 362 + { 363 363 + const struct list_set *map = set->data; 364 364 + struct nlattr *nested; 365 365 + 366 366 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 367 367 + if (!nested) 368 368 + goto nla_put_failure; 369 369 + NLA_PUT_NET32(skb, IPSET_ATTR_SIZE, htonl(map->size)); 370 370 + if (with_timeout(map->timeout)) 371 371 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout)); 372 372 + NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, 373 373 + htonl(atomic_read(&set->ref) - 1)); 374 374 + NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE, 375 375 + htonl(sizeof(*map) + map->size * map->dsize)); 376 376 + ipset_nest_end(skb, nested); 377 377 + 378 378 + return 0; 379 379 + nla_put_failure: 380 380 + return -EMSGSIZE; 381 381 + } 382 382 + 383 383 + static int 384 384 + list_set_list(const struct ip_set *set, 385 385 + struct sk_buff *skb, struct netlink_callback *cb) 386 386 + { 387 387 + const struct list_set *map = set->data; 388 388 + struct nlattr *atd, *nested; 389 389 + u32 i, first = cb->args[2]; 390 390 + const struct set_elem *e; 391 391 + 392 392 + atd = ipset_nest_start(skb, IPSET_ATTR_ADT); 393 393 + if (!atd) 394 394 + return -EMSGSIZE; 395 395 + for (; cb->args[2] < map->size; cb->args[2]++) { 396 396 + i = cb->args[2]; 397 397 + e = list_set_elem(map, i); 398 398 + if (e->id == IPSET_INVALID_ID) 399 399 + goto finish; 400 400 + if (with_timeout(map->timeout) && list_set_expired(map, i)) 401 401 + continue; 402 402 + nested = ipset_nest_start(skb, IPSET_ATTR_DATA); 403 403 + if (!nested) { 404 404 + if (i == first) { 405 405 + nla_nest_cancel(skb, atd); 406 406 + return -EMSGSIZE; 407 407 + } else 408 408 + goto nla_put_failure; 409 409 + } 410 410 + NLA_PUT_STRING(skb, IPSET_ATTR_NAME, 411 411 + ip_set_name_byindex(e->id)); 412 412 + if (with_timeout(map->timeout)) { 413 413 + const struct set_telem *te = 414 414 + (const struct set_telem *) e; 415 415 + NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, 416 416 + htonl(ip_set_timeout_get(te->timeout))); 417 417 + } 418 418 + ipset_nest_end(skb, nested); 419 419 + } 420 420 + finish: 421 421 + ipset_nest_end(skb, atd); 422 422 + /* Set listing finished */ 423 423 + cb->args[2] = 0; 424 424 + return 0; 425 425 + 426 426 + nla_put_failure: 427 427 + nla_nest_cancel(skb, nested); 428 428 + ipset_nest_end(skb, atd); 429 429 + if (unlikely(i == first)) { 430 430 + cb->args[2] = 0; 431 431 + return -EMSGSIZE; 432 432 + } 433 433 + return 0; 434 434 + } 435 435 + 436 436 + static bool 437 437 + list_set_same_set(const struct ip_set *a, const struct ip_set *b) 438 438 + { 439 439 + const struct list_set *x = a->data; 440 440 + const struct list_set *y = b->data; 441 441 + 442 442 + return x->size == y->size && 443 443 + x->timeout == y->timeout; 444 444 + } 445 445 + 446 446 + static const struct ip_set_type_variant list_set = { 447 447 + .kadt = list_set_kadt, 448 448 + .uadt = list_set_uadt, 449 449 + .destroy = list_set_destroy, 450 450 + .flush = list_set_flush, 451 451 + .head = list_set_head, 452 452 + .list = list_set_list, 453 453 + .same_set = list_set_same_set, 454 454 + }; 455 455 + 456 456 + static void 457 457 + list_set_gc(unsigned long ul_set) 458 458 + { 459 459 + struct ip_set *set = (struct ip_set *) ul_set; 460 460 + struct list_set *map = set->data; 461 461 + struct set_telem *e; 462 462 + u32 i; 463 463 + 464 464 + /* We run parallel with other readers (test element) 465 465 + * but adding/deleting new entries is locked out */ 466 466 + read_lock_bh(&set->lock); 467 467 + for (i = map->size - 1; i >= 0; i--) { 468 468 + e = (struct set_telem *) list_set_elem(map, i); 469 469 + if (e->id != IPSET_INVALID_ID && 470 470 + list_set_expired(map, i)) 471 471 + list_set_del(map, e->id, i); 472 472 + } 473 473 + read_unlock_bh(&set->lock); 474 474 + 475 475 + map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ; 476 476 + add_timer(&map->gc); 477 477 + } 478 478 + 479 479 + static void 480 480 + list_set_gc_init(struct ip_set *set) 481 481 + { 482 482 + struct list_set *map = set->data; 483 483 + 484 484 + init_timer(&map->gc); 485 485 + map->gc.data = (unsigned long) set; 486 486 + map->gc.function = list_set_gc; 487 487 + map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ; 488 488 + add_timer(&map->gc); 489 489 + } 490 490 + 491 491 + /* Create list:set type of sets */ 492 492 + 493 493 + static bool 494 494 + init_list_set(struct ip_set *set, u32 size, size_t dsize, 495 495 + unsigned long timeout) 496 496 + { 497 497 + struct list_set *map; 498 498 + struct set_elem *e; 499 499 + u32 i; 500 500 + 501 501 + map = kzalloc(sizeof(*map) + size * dsize, GFP_KERNEL); 502 502 + if (!map) 503 503 + return false; 504 504 + 505 505 + map->size = size; 506 506 + map->dsize = dsize; 507 507 + map->timeout = timeout; 508 508 + set->data = map; 509 509 + 510 510 + for (i = 0; i < size; i++) { 511 511 + e = list_set_elem(map, i); 512 512 + e->id = IPSET_INVALID_ID; 513 513 + } 514 514 + 515 515 + return true; 516 516 + } 517 517 + 518 518 + static int 519 519 + list_set_create(struct ip_set *set, struct nlattr *tb[], u32 flags) 520 520 + { 521 521 + u32 size = IP_SET_LIST_DEFAULT_SIZE; 522 522 + 523 523 + if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_SIZE) || 524 524 + !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) 525 525 + return -IPSET_ERR_PROTOCOL; 526 526 + 527 527 + if (tb[IPSET_ATTR_SIZE]) 528 528 + size = ip_set_get_h32(tb[IPSET_ATTR_SIZE]); 529 529 + if (size < IP_SET_LIST_MIN_SIZE) 530 530 + size = IP_SET_LIST_MIN_SIZE; 531 531 + 532 532 + if (tb[IPSET_ATTR_TIMEOUT]) { 533 533 + if (!init_list_set(set, size, sizeof(struct set_telem), 534 534 + ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]))) 535 535 + return -ENOMEM; 536 536 + 537 537 + list_set_gc_init(set); 538 538 + } else { 539 539 + if (!init_list_set(set, size, sizeof(struct set_elem), 540 540 + IPSET_NO_TIMEOUT)) 541 541 + return -ENOMEM; 542 542 + } 543 543 + set->variant = &list_set; 544 544 + return 0; 545 545 + } 546 546 + 547 547 + static struct ip_set_type list_set_type __read_mostly = { 548 548 + .name = "list:set", 549 549 + .protocol = IPSET_PROTOCOL, 550 550 + .features = IPSET_TYPE_NAME | IPSET_DUMP_LAST, 551 551 + .dimension = IPSET_DIM_ONE, 552 552 + .family = AF_UNSPEC, 553 553 + .revision = 0, 554 554 + .create = list_set_create, 555 555 + .create_policy = { 556 556 + [IPSET_ATTR_SIZE] = { .type = NLA_U32 }, 557 557 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 558 558 + }, 559 559 + .adt_policy = { 560 560 + [IPSET_ATTR_NAME] = { .type = NLA_STRING, 561 561 + .len = IPSET_MAXNAMELEN }, 562 562 + [IPSET_ATTR_NAMEREF] = { .type = NLA_STRING, 563 563 + .len = IPSET_MAXNAMELEN }, 564 564 + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, 565 565 + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, 566 566 + [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, 567 567 + }, 568 568 + .me = THIS_MODULE, 569 569 + }; 570 570 + 571 571 + static int __init 572 572 + list_set_init(void) 573 573 + { 574 574 + return ip_set_type_register(&list_set_type); 575 575 + } 576 576 + 577 577 + static void __exit 578 578 + list_set_fini(void) 579 579 + { 580 580 + ip_set_type_unregister(&list_set_type); 581 581 + } 582 582 + 583 583 + module_init(list_set_init); 584 584 + module_exit(list_set_fini);

+291

net/netfilter/ipset/pfxlen.c

reviewed

··· 1 1 + #include <linux/netfilter/ipset/pfxlen.h> 2 2 + 3 3 + /* 4 4 + * Prefixlen maps for fast conversions, by Jan Engelhardt. 5 5 + */ 6 6 + 7 7 + #define E(a, b, c, d) \ 8 8 + {.ip6 = { \ 9 9 + __constant_htonl(a), __constant_htonl(b), \ 10 10 + __constant_htonl(c), __constant_htonl(d), \ 11 11 + } } 12 12 + 13 13 + /* 14 14 + * This table works for both IPv4 and IPv6; 15 15 + * just use prefixlen_netmask_map[prefixlength].ip. 16 16 + */ 17 17 + const union nf_inet_addr ip_set_netmask_map[] = { 18 18 + E(0x00000000, 0x00000000, 0x00000000, 0x00000000), 19 19 + E(0x80000000, 0x00000000, 0x00000000, 0x00000000), 20 20 + E(0xC0000000, 0x00000000, 0x00000000, 0x00000000), 21 21 + E(0xE0000000, 0x00000000, 0x00000000, 0x00000000), 22 22 + E(0xF0000000, 0x00000000, 0x00000000, 0x00000000), 23 23 + E(0xF8000000, 0x00000000, 0x00000000, 0x00000000), 24 24 + E(0xFC000000, 0x00000000, 0x00000000, 0x00000000), 25 25 + E(0xFE000000, 0x00000000, 0x00000000, 0x00000000), 26 26 + E(0xFF000000, 0x00000000, 0x00000000, 0x00000000), 27 27 + E(0xFF800000, 0x00000000, 0x00000000, 0x00000000), 28 28 + E(0xFFC00000, 0x00000000, 0x00000000, 0x00000000), 29 29 + E(0xFFE00000, 0x00000000, 0x00000000, 0x00000000), 30 30 + E(0xFFF00000, 0x00000000, 0x00000000, 0x00000000), 31 31 + E(0xFFF80000, 0x00000000, 0x00000000, 0x00000000), 32 32 + E(0xFFFC0000, 0x00000000, 0x00000000, 0x00000000), 33 33 + E(0xFFFE0000, 0x00000000, 0x00000000, 0x00000000), 34 34 + E(0xFFFF0000, 0x00000000, 0x00000000, 0x00000000), 35 35 + E(0xFFFF8000, 0x00000000, 0x00000000, 0x00000000), 36 36 + E(0xFFFFC000, 0x00000000, 0x00000000, 0x00000000), 37 37 + E(0xFFFFE000, 0x00000000, 0x00000000, 0x00000000), 38 38 + E(0xFFFFF000, 0x00000000, 0x00000000, 0x00000000), 39 39 + E(0xFFFFF800, 0x00000000, 0x00000000, 0x00000000), 40 40 + E(0xFFFFFC00, 0x00000000, 0x00000000, 0x00000000), 41 41 + E(0xFFFFFE00, 0x00000000, 0x00000000, 0x00000000), 42 42 + E(0xFFFFFF00, 0x00000000, 0x00000000, 0x00000000), 43 43 + E(0xFFFFFF80, 0x00000000, 0x00000000, 0x00000000), 44 44 + E(0xFFFFFFC0, 0x00000000, 0x00000000, 0x00000000), 45 45 + E(0xFFFFFFE0, 0x00000000, 0x00000000, 0x00000000), 46 46 + E(0xFFFFFFF0, 0x00000000, 0x00000000, 0x00000000), 47 47 + E(0xFFFFFFF8, 0x00000000, 0x00000000, 0x00000000), 48 48 + E(0xFFFFFFFC, 0x00000000, 0x00000000, 0x00000000), 49 49 + E(0xFFFFFFFE, 0x00000000, 0x00000000, 0x00000000), 50 50 + E(0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000), 51 51 + E(0xFFFFFFFF, 0x80000000, 0x00000000, 0x00000000), 52 52 + E(0xFFFFFFFF, 0xC0000000, 0x00000000, 0x00000000), 53 53 + E(0xFFFFFFFF, 0xE0000000, 0x00000000, 0x00000000), 54 54 + E(0xFFFFFFFF, 0xF0000000, 0x00000000, 0x00000000), 55 55 + E(0xFFFFFFFF, 0xF8000000, 0x00000000, 0x00000000), 56 56 + E(0xFFFFFFFF, 0xFC000000, 0x00000000, 0x00000000), 57 57 + E(0xFFFFFFFF, 0xFE000000, 0x00000000, 0x00000000), 58 58 + E(0xFFFFFFFF, 0xFF000000, 0x00000000, 0x00000000), 59 59 + E(0xFFFFFFFF, 0xFF800000, 0x00000000, 0x00000000), 60 60 + E(0xFFFFFFFF, 0xFFC00000, 0x00000000, 0x00000000), 61 61 + E(0xFFFFFFFF, 0xFFE00000, 0x00000000, 0x00000000), 62 62 + E(0xFFFFFFFF, 0xFFF00000, 0x00000000, 0x00000000), 63 63 + E(0xFFFFFFFF, 0xFFF80000, 0x00000000, 0x00000000), 64 64 + E(0xFFFFFFFF, 0xFFFC0000, 0x00000000, 0x00000000), 65 65 + E(0xFFFFFFFF, 0xFFFE0000, 0x00000000, 0x00000000), 66 66 + E(0xFFFFFFFF, 0xFFFF0000, 0x00000000, 0x00000000), 67 67 + E(0xFFFFFFFF, 0xFFFF8000, 0x00000000, 0x00000000), 68 68 + E(0xFFFFFFFF, 0xFFFFC000, 0x00000000, 0x00000000), 69 69 + E(0xFFFFFFFF, 0xFFFFE000, 0x00000000, 0x00000000), 70 70 + E(0xFFFFFFFF, 0xFFFFF000, 0x00000000, 0x00000000), 71 71 + E(0xFFFFFFFF, 0xFFFFF800, 0x00000000, 0x00000000), 72 72 + E(0xFFFFFFFF, 0xFFFFFC00, 0x00000000, 0x00000000), 73 73 + E(0xFFFFFFFF, 0xFFFFFE00, 0x00000000, 0x00000000), 74 74 + E(0xFFFFFFFF, 0xFFFFFF00, 0x00000000, 0x00000000), 75 75 + E(0xFFFFFFFF, 0xFFFFFF80, 0x00000000, 0x00000000), 76 76 + E(0xFFFFFFFF, 0xFFFFFFC0, 0x00000000, 0x00000000), 77 77 + E(0xFFFFFFFF, 0xFFFFFFE0, 0x00000000, 0x00000000), 78 78 + E(0xFFFFFFFF, 0xFFFFFFF0, 0x00000000, 0x00000000), 79 79 + E(0xFFFFFFFF, 0xFFFFFFF8, 0x00000000, 0x00000000), 80 80 + E(0xFFFFFFFF, 0xFFFFFFFC, 0x00000000, 0x00000000), 81 81 + E(0xFFFFFFFF, 0xFFFFFFFE, 0x00000000, 0x00000000), 82 82 + E(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000), 83 83 + E(0xFFFFFFFF, 0xFFFFFFFF, 0x80000000, 0x00000000), 84 84 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000, 0x00000000), 85 85 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000, 0x00000000), 86 86 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000, 0x00000000), 87 87 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000, 0x00000000), 88 88 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000, 0x00000000), 89 89 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000, 0x00000000), 90 90 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000, 0x00000000), 91 91 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000, 0x00000000), 92 92 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000, 0x00000000), 93 93 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000, 0x00000000), 94 94 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000, 0x00000000), 95 95 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000, 0x00000000), 96 96 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000, 0x00000000), 97 97 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000, 0x00000000), 98 98 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000, 0x00000000), 99 99 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000, 0x00000000), 100 100 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000, 0x00000000), 101 101 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000, 0x00000000), 102 102 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000, 0x00000000), 103 103 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800, 0x00000000), 104 104 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00, 0x00000000), 105 105 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00, 0x00000000), 106 106 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00, 0x00000000), 107 107 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80, 0x00000000), 108 108 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0, 0x00000000), 109 109 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0, 0x00000000), 110 110 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0, 0x00000000), 111 111 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8, 0x00000000), 112 112 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC, 0x00000000), 113 113 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000000), 114 114 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000), 115 115 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x80000000), 116 116 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000), 117 117 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000), 118 118 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000), 119 119 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000), 120 120 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000), 121 121 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000), 122 122 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000), 123 123 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000), 124 124 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000), 125 125 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000), 126 126 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000), 127 127 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000), 128 128 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000), 129 129 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000), 130 130 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000), 131 131 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000), 132 132 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000), 133 133 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000), 134 134 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000), 135 135 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800), 136 136 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00), 137 137 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00), 138 138 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00), 139 139 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80), 140 140 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0), 141 141 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0), 142 142 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0), 143 143 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8), 144 144 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC), 145 145 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE), 146 146 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF), 147 147 + }; 148 148 + EXPORT_SYMBOL_GPL(ip_set_netmask_map); 149 149 + 150 150 + #undef E 151 151 + #define E(a, b, c, d) \ 152 152 + {.ip6 = { (__force __be32) a, (__force __be32) b, \ 153 153 + (__force __be32) c, (__force __be32) d, \ 154 154 + } } 155 155 + 156 156 + /* 157 157 + * This table works for both IPv4 and IPv6; 158 158 + * just use prefixlen_hostmask_map[prefixlength].ip. 159 159 + */ 160 160 + const union nf_inet_addr ip_set_hostmask_map[] = { 161 161 + E(0x00000000, 0x00000000, 0x00000000, 0x00000000), 162 162 + E(0x80000000, 0x00000000, 0x00000000, 0x00000000), 163 163 + E(0xC0000000, 0x00000000, 0x00000000, 0x00000000), 164 164 + E(0xE0000000, 0x00000000, 0x00000000, 0x00000000), 165 165 + E(0xF0000000, 0x00000000, 0x00000000, 0x00000000), 166 166 + E(0xF8000000, 0x00000000, 0x00000000, 0x00000000), 167 167 + E(0xFC000000, 0x00000000, 0x00000000, 0x00000000), 168 168 + E(0xFE000000, 0x00000000, 0x00000000, 0x00000000), 169 169 + E(0xFF000000, 0x00000000, 0x00000000, 0x00000000), 170 170 + E(0xFF800000, 0x00000000, 0x00000000, 0x00000000), 171 171 + E(0xFFC00000, 0x00000000, 0x00000000, 0x00000000), 172 172 + E(0xFFE00000, 0x00000000, 0x00000000, 0x00000000), 173 173 + E(0xFFF00000, 0x00000000, 0x00000000, 0x00000000), 174 174 + E(0xFFF80000, 0x00000000, 0x00000000, 0x00000000), 175 175 + E(0xFFFC0000, 0x00000000, 0x00000000, 0x00000000), 176 176 + E(0xFFFE0000, 0x00000000, 0x00000000, 0x00000000), 177 177 + E(0xFFFF0000, 0x00000000, 0x00000000, 0x00000000), 178 178 + E(0xFFFF8000, 0x00000000, 0x00000000, 0x00000000), 179 179 + E(0xFFFFC000, 0x00000000, 0x00000000, 0x00000000), 180 180 + E(0xFFFFE000, 0x00000000, 0x00000000, 0x00000000), 181 181 + E(0xFFFFF000, 0x00000000, 0x00000000, 0x00000000), 182 182 + E(0xFFFFF800, 0x00000000, 0x00000000, 0x00000000), 183 183 + E(0xFFFFFC00, 0x00000000, 0x00000000, 0x00000000), 184 184 + E(0xFFFFFE00, 0x00000000, 0x00000000, 0x00000000), 185 185 + E(0xFFFFFF00, 0x00000000, 0x00000000, 0x00000000), 186 186 + E(0xFFFFFF80, 0x00000000, 0x00000000, 0x00000000), 187 187 + E(0xFFFFFFC0, 0x00000000, 0x00000000, 0x00000000), 188 188 + E(0xFFFFFFE0, 0x00000000, 0x00000000, 0x00000000), 189 189 + E(0xFFFFFFF0, 0x00000000, 0x00000000, 0x00000000), 190 190 + E(0xFFFFFFF8, 0x00000000, 0x00000000, 0x00000000), 191 191 + E(0xFFFFFFFC, 0x00000000, 0x00000000, 0x00000000), 192 192 + E(0xFFFFFFFE, 0x00000000, 0x00000000, 0x00000000), 193 193 + E(0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000), 194 194 + E(0xFFFFFFFF, 0x80000000, 0x00000000, 0x00000000), 195 195 + E(0xFFFFFFFF, 0xC0000000, 0x00000000, 0x00000000), 196 196 + E(0xFFFFFFFF, 0xE0000000, 0x00000000, 0x00000000), 197 197 + E(0xFFFFFFFF, 0xF0000000, 0x00000000, 0x00000000), 198 198 + E(0xFFFFFFFF, 0xF8000000, 0x00000000, 0x00000000), 199 199 + E(0xFFFFFFFF, 0xFC000000, 0x00000000, 0x00000000), 200 200 + E(0xFFFFFFFF, 0xFE000000, 0x00000000, 0x00000000), 201 201 + E(0xFFFFFFFF, 0xFF000000, 0x00000000, 0x00000000), 202 202 + E(0xFFFFFFFF, 0xFF800000, 0x00000000, 0x00000000), 203 203 + E(0xFFFFFFFF, 0xFFC00000, 0x00000000, 0x00000000), 204 204 + E(0xFFFFFFFF, 0xFFE00000, 0x00000000, 0x00000000), 205 205 + E(0xFFFFFFFF, 0xFFF00000, 0x00000000, 0x00000000), 206 206 + E(0xFFFFFFFF, 0xFFF80000, 0x00000000, 0x00000000), 207 207 + E(0xFFFFFFFF, 0xFFFC0000, 0x00000000, 0x00000000), 208 208 + E(0xFFFFFFFF, 0xFFFE0000, 0x00000000, 0x00000000), 209 209 + E(0xFFFFFFFF, 0xFFFF0000, 0x00000000, 0x00000000), 210 210 + E(0xFFFFFFFF, 0xFFFF8000, 0x00000000, 0x00000000), 211 211 + E(0xFFFFFFFF, 0xFFFFC000, 0x00000000, 0x00000000), 212 212 + E(0xFFFFFFFF, 0xFFFFE000, 0x00000000, 0x00000000), 213 213 + E(0xFFFFFFFF, 0xFFFFF000, 0x00000000, 0x00000000), 214 214 + E(0xFFFFFFFF, 0xFFFFF800, 0x00000000, 0x00000000), 215 215 + E(0xFFFFFFFF, 0xFFFFFC00, 0x00000000, 0x00000000), 216 216 + E(0xFFFFFFFF, 0xFFFFFE00, 0x00000000, 0x00000000), 217 217 + E(0xFFFFFFFF, 0xFFFFFF00, 0x00000000, 0x00000000), 218 218 + E(0xFFFFFFFF, 0xFFFFFF80, 0x00000000, 0x00000000), 219 219 + E(0xFFFFFFFF, 0xFFFFFFC0, 0x00000000, 0x00000000), 220 220 + E(0xFFFFFFFF, 0xFFFFFFE0, 0x00000000, 0x00000000), 221 221 + E(0xFFFFFFFF, 0xFFFFFFF0, 0x00000000, 0x00000000), 222 222 + E(0xFFFFFFFF, 0xFFFFFFF8, 0x00000000, 0x00000000), 223 223 + E(0xFFFFFFFF, 0xFFFFFFFC, 0x00000000, 0x00000000), 224 224 + E(0xFFFFFFFF, 0xFFFFFFFE, 0x00000000, 0x00000000), 225 225 + E(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000), 226 226 + E(0xFFFFFFFF, 0xFFFFFFFF, 0x80000000, 0x00000000), 227 227 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000, 0x00000000), 228 228 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000, 0x00000000), 229 229 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000, 0x00000000), 230 230 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000, 0x00000000), 231 231 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000, 0x00000000), 232 232 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000, 0x00000000), 233 233 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000, 0x00000000), 234 234 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000, 0x00000000), 235 235 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000, 0x00000000), 236 236 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000, 0x00000000), 237 237 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000, 0x00000000), 238 238 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000, 0x00000000), 239 239 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000, 0x00000000), 240 240 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000, 0x00000000), 241 241 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000, 0x00000000), 242 242 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000, 0x00000000), 243 243 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000, 0x00000000), 244 244 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000, 0x00000000), 245 245 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000, 0x00000000), 246 246 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800, 0x00000000), 247 247 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00, 0x00000000), 248 248 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00, 0x00000000), 249 249 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00, 0x00000000), 250 250 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80, 0x00000000), 251 251 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0, 0x00000000), 252 252 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0, 0x00000000), 253 253 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0, 0x00000000), 254 254 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8, 0x00000000), 255 255 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC, 0x00000000), 256 256 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000000), 257 257 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000), 258 258 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x80000000), 259 259 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000), 260 260 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000), 261 261 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000), 262 262 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000), 263 263 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000), 264 264 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000), 265 265 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000), 266 266 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000), 267 267 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000), 268 268 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000), 269 269 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000), 270 270 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000), 271 271 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000), 272 272 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000), 273 273 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000), 274 274 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000), 275 275 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000), 276 276 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000), 277 277 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000), 278 278 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800), 279 279 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00), 280 280 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00), 281 281 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00), 282 282 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80), 283 283 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0), 284 284 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0), 285 285 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0), 286 286 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8), 287 287 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC), 288 288 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE), 289 289 + E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF), 290 290 + }; 291 291 + EXPORT_SYMBOL_GPL(ip_set_hostmask_map);

+1 -1

net/netfilter/ipvs/ip_vs_core.c

reviewed

··· 1887 1887 ipvs->gen = atomic_read(&ipvs_netns_cnt); 1888 1888 atomic_inc(&ipvs_netns_cnt); 1889 1889 net->ipvs = ipvs; 1890 1890 - printk(KERN_INFO "IPVS: Creating netns size=%lu id=%d\n", 1890 1890 + printk(KERN_INFO "IPVS: Creating netns size=%zu id=%d\n", 1891 1891 sizeof(struct netns_ipvs), ipvs->gen); 1892 1892 return 0; 1893 1893 }

+9 -8

net/netfilter/ipvs/ip_vs_ctl.c

reviewed

··· 3515 3515 } 3516 3516 spin_lock_init(&ipvs->tot_stats->lock); 3517 3517 3518 3518 - for (idx = 0; idx < IP_VS_RTAB_SIZE; idx++) 3519 3519 - INIT_LIST_HEAD(&ipvs->rs_table[idx]); 3520 3520 - 3521 3518 proc_net_fops_create(net, "ip_vs", 0, &ip_vs_info_fops); 3522 3519 proc_net_fops_create(net, "ip_vs_stats", 0, &ip_vs_stats_fops); 3523 3520 proc_net_fops_create(net, "ip_vs_stats_percpu", 0, ··· 3552 3555 tbl[idx++].data = &ipvs->sysctl_nat_icmp_send; 3553 3556 3554 3557 3558 3558 + #ifdef CONFIG_SYSCTL 3555 3559 ipvs->sysctl_hdr = register_net_sysctl_table(net, net_vs_ctl_path, 3556 3560 tbl); 3557 3557 - if (ipvs->sysctl_hdr == NULL) 3558 3558 - goto err_reg; 3561 3561 + if (ipvs->sysctl_hdr == NULL) { 3562 3562 + if (!net_eq(net, &init_net)) 3563 3563 + kfree(tbl); 3564 3564 + goto err_dup; 3565 3565 + } 3566 3566 + #endif 3559 3567 ip_vs_new_estimator(net, ipvs->tot_stats); 3560 3568 ipvs->sysctl_tbl = tbl; 3561 3569 /* Schedule defense work */ ··· 3568 3566 schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD); 3569 3567 return 0; 3570 3568 3571 3571 - err_reg: 3572 3572 - if (!net_eq(net, &init_net)) 3573 3573 - kfree(tbl); 3574 3569 err_dup: 3575 3570 free_percpu(ipvs->cpustats); 3576 3571 err_alloc: ··· 3583 3584 ip_vs_kill_estimator(net, ipvs->tot_stats); 3584 3585 cancel_delayed_work_sync(&ipvs->defense_work); 3585 3586 cancel_work_sync(&ipvs->defense_work.work); 3587 3587 + #ifdef CONFIG_SYSCTL 3586 3588 unregister_net_sysctl_table(ipvs->sysctl_hdr); 3589 3589 + #endif 3587 3590 proc_net_remove(net, "ip_vs_stats_percpu"); 3588 3591 proc_net_remove(net, "ip_vs_stats"); 3589 3592 proc_net_remove(net, "ip_vs");

+10 -10

net/netfilter/ipvs/ip_vs_lblc.c

reviewed

··· 554 554 sizeof(vs_vars_table), 555 555 GFP_KERNEL); 556 556 if (ipvs->lblc_ctl_table == NULL) 557 557 - goto err_dup; 557 557 + return -ENOMEM; 558 558 } else 559 559 ipvs->lblc_ctl_table = vs_vars_table; 560 560 ipvs->sysctl_lblc_expiration = 24*60*60*HZ; 561 561 ipvs->lblc_ctl_table[0].data = &ipvs->sysctl_lblc_expiration; 562 562 563 563 + #ifdef CONFIG_SYSCTL 563 564 ipvs->lblc_ctl_header = 564 565 register_net_sysctl_table(net, net_vs_ctl_path, 565 566 ipvs->lblc_ctl_table); 566 566 - if (!ipvs->lblc_ctl_header) 567 567 - goto err_reg; 567 567 + if (!ipvs->lblc_ctl_header) { 568 568 + if (!net_eq(net, &init_net)) 569 569 + kfree(ipvs->lblc_ctl_table); 570 570 + return -ENOMEM; 571 571 + } 572 572 + #endif 568 573 569 574 return 0; 570 570 - 571 571 - err_reg: 572 572 - if (!net_eq(net, &init_net)) 573 573 - kfree(ipvs->lblc_ctl_table); 574 574 - 575 575 - err_dup: 576 576 - return -ENOMEM; 577 575 } 578 576 579 577 static void __net_exit __ip_vs_lblc_exit(struct net *net) 580 578 { 581 579 struct netns_ipvs *ipvs = net_ipvs(net); 582 580 581 581 + #ifdef CONFIG_SYSCTL 583 582 unregister_net_sysctl_table(ipvs->lblc_ctl_header); 583 583 + #endif 584 584 585 585 if (!net_eq(net, &init_net)) 586 586 kfree(ipvs->lblc_ctl_table);

+10 -10

net/netfilter/ipvs/ip_vs_lblcr.c

reviewed

··· 754 754 sizeof(vs_vars_table), 755 755 GFP_KERNEL); 756 756 if (ipvs->lblcr_ctl_table == NULL) 757 757 - goto err_dup; 757 757 + return -ENOMEM; 758 758 } else 759 759 ipvs->lblcr_ctl_table = vs_vars_table; 760 760 ipvs->sysctl_lblcr_expiration = 24*60*60*HZ; 761 761 ipvs->lblcr_ctl_table[0].data = &ipvs->sysctl_lblcr_expiration; 762 762 763 763 + #ifdef CONFIG_SYSCTL 763 764 ipvs->lblcr_ctl_header = 764 765 register_net_sysctl_table(net, net_vs_ctl_path, 765 766 ipvs->lblcr_ctl_table); 766 766 - if (!ipvs->lblcr_ctl_header) 767 767 - goto err_reg; 767 767 + if (!ipvs->lblcr_ctl_header) { 768 768 + if (!net_eq(net, &init_net)) 769 769 + kfree(ipvs->lblcr_ctl_table); 770 770 + return -ENOMEM; 771 771 + } 772 772 + #endif 768 773 769 774 return 0; 770 770 - 771 771 - err_reg: 772 772 - if (!net_eq(net, &init_net)) 773 773 - kfree(ipvs->lblcr_ctl_table); 774 774 - 775 775 - err_dup: 776 776 - return -ENOMEM; 777 775 } 778 776 779 777 static void __net_exit __ip_vs_lblcr_exit(struct net *net) 780 778 { 781 779 struct netns_ipvs *ipvs = net_ipvs(net); 782 780 781 781 + #ifdef CONFIG_SYSCTL 783 782 unregister_net_sysctl_table(ipvs->lblcr_ctl_header); 783 783 + #endif 784 784 785 785 if (!net_eq(net, &init_net)) 786 786 kfree(ipvs->lblcr_ctl_table);

+1 -1

net/netfilter/ipvs/ip_vs_sync.c

reviewed

··· 1686 1686 return register_pernet_subsys(&ipvs_sync_ops); 1687 1687 } 1688 1688 1689 1689 - void __exit ip_vs_sync_cleanup(void) 1689 1689 + void ip_vs_sync_cleanup(void) 1690 1690 { 1691 1691 unregister_pernet_subsys(&ipvs_sync_ops); 1692 1692 }

+1 -1

net/netfilter/nf_conntrack_netlink.c

reviewed

··· 803 803 static int 804 804 ctnetlink_parse_tuple(const struct nlattr * const cda[], 805 805 struct nf_conntrack_tuple *tuple, 806 806 - enum ctattr_tuple type, u_int8_t l3num) 806 806 + enum ctattr_type type, u_int8_t l3num) 807 807 { 808 808 struct nlattr *tb[CTA_TUPLE_MAX+1]; 809 809 int err;

+82

net/netfilter/xt_devgroup.c

reviewed

··· 1 1 + /* 2 2 + * Copyright (c) 2011 Patrick McHardy <kaber@trash.net> 3 3 + * 4 4 + * This program is free software; you can redistribute it and/or modify 5 5 + * it under the terms of the GNU General Public License version 2 as 6 6 + * published by the Free Software Foundation. 7 7 + */ 8 8 + 9 9 + #include <linux/module.h> 10 10 + #include <linux/skbuff.h> 11 11 + #include <linux/netdevice.h> 12 12 + 13 13 + #include <linux/netfilter/xt_devgroup.h> 14 14 + #include <linux/netfilter/x_tables.h> 15 15 + 16 16 + MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 17 17 + MODULE_LICENSE("GPL"); 18 18 + MODULE_DESCRIPTION("Xtables: Device group match"); 19 19 + MODULE_ALIAS("ipt_devgroup"); 20 20 + MODULE_ALIAS("ip6t_devgroup"); 21 21 + 22 22 + static bool devgroup_mt(const struct sk_buff *skb, struct xt_action_param *par) 23 23 + { 24 24 + const struct xt_devgroup_info *info = par->matchinfo; 25 25 + 26 26 + if (info->flags & XT_DEVGROUP_MATCH_SRC && 27 27 + (((info->src_group ^ par->in->group) & info->src_mask ? 1 : 0) ^ 28 28 + ((info->flags & XT_DEVGROUP_INVERT_SRC) ? 1 : 0))) 29 29 + return false; 30 30 + 31 31 + if (info->flags & XT_DEVGROUP_MATCH_DST && 32 32 + (((info->dst_group ^ par->out->group) & info->dst_mask ? 1 : 0) ^ 33 33 + ((info->flags & XT_DEVGROUP_INVERT_DST) ? 1 : 0))) 34 34 + return false; 35 35 + 36 36 + return true; 37 37 + } 38 38 + 39 39 + static int devgroup_mt_checkentry(const struct xt_mtchk_param *par) 40 40 + { 41 41 + const struct xt_devgroup_info *info = par->matchinfo; 42 42 + 43 43 + if (info->flags & ~(XT_DEVGROUP_MATCH_SRC | XT_DEVGROUP_INVERT_SRC | 44 44 + XT_DEVGROUP_MATCH_DST | XT_DEVGROUP_INVERT_DST)) 45 45 + return -EINVAL; 46 46 + 47 47 + if (info->flags & XT_DEVGROUP_MATCH_SRC && 48 48 + par->hook_mask & ~((1 << NF_INET_PRE_ROUTING) | 49 49 + (1 << NF_INET_LOCAL_IN) | 50 50 + (1 << NF_INET_FORWARD))) 51 51 + return -EINVAL; 52 52 + 53 53 + if (info->flags & XT_DEVGROUP_MATCH_DST && 54 54 + par->hook_mask & ~((1 << NF_INET_FORWARD) | 55 55 + (1 << NF_INET_LOCAL_OUT) | 56 56 + (1 << NF_INET_POST_ROUTING))) 57 57 + return -EINVAL; 58 58 + 59 59 + return 0; 60 60 + } 61 61 + 62 62 + static struct xt_match devgroup_mt_reg __read_mostly = { 63 63 + .name = "devgroup", 64 64 + .match = devgroup_mt, 65 65 + .checkentry = devgroup_mt_checkentry, 66 66 + .matchsize = sizeof(struct xt_devgroup_info), 67 67 + .family = NFPROTO_UNSPEC, 68 68 + .me = THIS_MODULE 69 69 + }; 70 70 + 71 71 + static int __init devgroup_mt_init(void) 72 72 + { 73 73 + return xt_register_match(&devgroup_mt_reg); 74 74 + } 75 75 + 76 76 + static void __exit devgroup_mt_exit(void) 77 77 + { 78 78 + xt_unregister_match(&devgroup_mt_reg); 79 79 + } 80 80 + 81 81 + module_init(devgroup_mt_init); 82 82 + module_exit(devgroup_mt_exit);

+359

net/netfilter/xt_set.c

reviewed

··· 1 1 + /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> 2 2 + * Patrick Schaaf <bof@bof.de> 3 3 + * Martin Josefsson <gandalf@wlug.westbo.se> 4 4 + * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 5 5 + * 6 6 + * This program is free software; you can redistribute it and/or modify 7 7 + * it under the terms of the GNU General Public License version 2 as 8 8 + * published by the Free Software Foundation. 9 9 + */ 10 10 + 11 11 + /* Kernel module which implements the set match and SET target 12 12 + * for netfilter/iptables. */ 13 13 + 14 14 + #include <linux/module.h> 15 15 + #include <linux/skbuff.h> 16 16 + #include <linux/version.h> 17 17 + 18 18 + #include <linux/netfilter/x_tables.h> 19 19 + #include <linux/netfilter/xt_set.h> 20 20 + 21 21 + MODULE_LICENSE("GPL"); 22 22 + MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 23 23 + MODULE_DESCRIPTION("Xtables: IP set match and target module"); 24 24 + MODULE_ALIAS("xt_SET"); 25 25 + MODULE_ALIAS("ipt_set"); 26 26 + MODULE_ALIAS("ip6t_set"); 27 27 + MODULE_ALIAS("ipt_SET"); 28 28 + MODULE_ALIAS("ip6t_SET"); 29 29 + 30 30 + static inline int 31 31 + match_set(ip_set_id_t index, const struct sk_buff *skb, 32 32 + u8 pf, u8 dim, u8 flags, int inv) 33 33 + { 34 34 + if (ip_set_test(index, skb, pf, dim, flags)) 35 35 + inv = !inv; 36 36 + return inv; 37 37 + } 38 38 + 39 39 + /* Revision 0 interface: backward compatible with netfilter/iptables */ 40 40 + 41 41 + static bool 42 42 + set_match_v0(const struct sk_buff *skb, struct xt_action_param *par) 43 43 + { 44 44 + const struct xt_set_info_match_v0 *info = par->matchinfo; 45 45 + 46 46 + return match_set(info->match_set.index, skb, par->family, 47 47 + info->match_set.u.compat.dim, 48 48 + info->match_set.u.compat.flags, 49 49 + info->match_set.u.compat.flags & IPSET_INV_MATCH); 50 50 + } 51 51 + 52 52 + static void 53 53 + compat_flags(struct xt_set_info_v0 *info) 54 54 + { 55 55 + u_int8_t i; 56 56 + 57 57 + /* Fill out compatibility data according to enum ip_set_kopt */ 58 58 + info->u.compat.dim = IPSET_DIM_ZERO; 59 59 + if (info->u.flags[0] & IPSET_MATCH_INV) 60 60 + info->u.compat.flags |= IPSET_INV_MATCH; 61 61 + for (i = 0; i < IPSET_DIM_MAX-1 && info->u.flags[i]; i++) { 62 62 + info->u.compat.dim++; 63 63 + if (info->u.flags[i] & IPSET_SRC) 64 64 + info->u.compat.flags |= (1<<info->u.compat.dim); 65 65 + } 66 66 + } 67 67 + 68 68 + static int 69 69 + set_match_v0_checkentry(const struct xt_mtchk_param *par) 70 70 + { 71 71 + struct xt_set_info_match_v0 *info = par->matchinfo; 72 72 + ip_set_id_t index; 73 73 + 74 74 + index = ip_set_nfnl_get_byindex(info->match_set.index); 75 75 + 76 76 + if (index == IPSET_INVALID_ID) { 77 77 + pr_warning("Cannot find set indentified by id %u to match\n", 78 78 + info->match_set.index); 79 79 + return -ENOENT; 80 80 + } 81 81 + if (info->match_set.u.flags[IPSET_DIM_MAX-1] != 0) { 82 82 + pr_warning("Protocol error: set match dimension " 83 83 + "is over the limit!\n"); 84 84 + return -ERANGE; 85 85 + } 86 86 + 87 87 + /* Fill out compatibility data */ 88 88 + compat_flags(&info->match_set); 89 89 + 90 90 + return 0; 91 91 + } 92 92 + 93 93 + static void 94 94 + set_match_v0_destroy(const struct xt_mtdtor_param *par) 95 95 + { 96 96 + struct xt_set_info_match_v0 *info = par->matchinfo; 97 97 + 98 98 + ip_set_nfnl_put(info->match_set.index); 99 99 + } 100 100 + 101 101 + static unsigned int 102 102 + set_target_v0(struct sk_buff *skb, const struct xt_action_param *par) 103 103 + { 104 104 + const struct xt_set_info_target_v0 *info = par->targinfo; 105 105 + 106 106 + if (info->add_set.index != IPSET_INVALID_ID) 107 107 + ip_set_add(info->add_set.index, skb, par->family, 108 108 + info->add_set.u.compat.dim, 109 109 + info->add_set.u.compat.flags); 110 110 + if (info->del_set.index != IPSET_INVALID_ID) 111 111 + ip_set_del(info->del_set.index, skb, par->family, 112 112 + info->del_set.u.compat.dim, 113 113 + info->del_set.u.compat.flags); 114 114 + 115 115 + return XT_CONTINUE; 116 116 + } 117 117 + 118 118 + static int 119 119 + set_target_v0_checkentry(const struct xt_tgchk_param *par) 120 120 + { 121 121 + struct xt_set_info_target_v0 *info = par->targinfo; 122 122 + ip_set_id_t index; 123 123 + 124 124 + if (info->add_set.index != IPSET_INVALID_ID) { 125 125 + index = ip_set_nfnl_get_byindex(info->add_set.index); 126 126 + if (index == IPSET_INVALID_ID) { 127 127 + pr_warning("Cannot find add_set index %u as target\n", 128 128 + info->add_set.index); 129 129 + return -ENOENT; 130 130 + } 131 131 + } 132 132 + 133 133 + if (info->del_set.index != IPSET_INVALID_ID) { 134 134 + index = ip_set_nfnl_get_byindex(info->del_set.index); 135 135 + if (index == IPSET_INVALID_ID) { 136 136 + pr_warning("Cannot find del_set index %u as target\n", 137 137 + info->del_set.index); 138 138 + return -ENOENT; 139 139 + } 140 140 + } 141 141 + if (info->add_set.u.flags[IPSET_DIM_MAX-1] != 0 || 142 142 + info->del_set.u.flags[IPSET_DIM_MAX-1] != 0) { 143 143 + pr_warning("Protocol error: SET target dimension " 144 144 + "is over the limit!\n"); 145 145 + return -ERANGE; 146 146 + } 147 147 + 148 148 + /* Fill out compatibility data */ 149 149 + compat_flags(&info->add_set); 150 150 + compat_flags(&info->del_set); 151 151 + 152 152 + return 0; 153 153 + } 154 154 + 155 155 + static void 156 156 + set_target_v0_destroy(const struct xt_tgdtor_param *par) 157 157 + { 158 158 + const struct xt_set_info_target_v0 *info = par->targinfo; 159 159 + 160 160 + if (info->add_set.index != IPSET_INVALID_ID) 161 161 + ip_set_nfnl_put(info->add_set.index); 162 162 + if (info->del_set.index != IPSET_INVALID_ID) 163 163 + ip_set_nfnl_put(info->del_set.index); 164 164 + } 165 165 + 166 166 + /* Revision 1: current interface to netfilter/iptables */ 167 167 + 168 168 + static bool 169 169 + set_match(const struct sk_buff *skb, struct xt_action_param *par) 170 170 + { 171 171 + const struct xt_set_info_match *info = par->matchinfo; 172 172 + 173 173 + return match_set(info->match_set.index, skb, par->family, 174 174 + info->match_set.dim, 175 175 + info->match_set.flags, 176 176 + info->match_set.flags & IPSET_INV_MATCH); 177 177 + } 178 178 + 179 179 + static int 180 180 + set_match_checkentry(const struct xt_mtchk_param *par) 181 181 + { 182 182 + struct xt_set_info_match *info = par->matchinfo; 183 183 + ip_set_id_t index; 184 184 + 185 185 + index = ip_set_nfnl_get_byindex(info->match_set.index); 186 186 + 187 187 + if (index == IPSET_INVALID_ID) { 188 188 + pr_warning("Cannot find set indentified by id %u to match\n", 189 189 + info->match_set.index); 190 190 + return -ENOENT; 191 191 + } 192 192 + if (info->match_set.dim > IPSET_DIM_MAX) { 193 193 + pr_warning("Protocol error: set match dimension " 194 194 + "is over the limit!\n"); 195 195 + return -ERANGE; 196 196 + } 197 197 + 198 198 + return 0; 199 199 + } 200 200 + 201 201 + static void 202 202 + set_match_destroy(const struct xt_mtdtor_param *par) 203 203 + { 204 204 + struct xt_set_info_match *info = par->matchinfo; 205 205 + 206 206 + ip_set_nfnl_put(info->match_set.index); 207 207 + } 208 208 + 209 209 + static unsigned int 210 210 + set_target(struct sk_buff *skb, const struct xt_action_param *par) 211 211 + { 212 212 + const struct xt_set_info_target *info = par->targinfo; 213 213 + 214 214 + if (info->add_set.index != IPSET_INVALID_ID) 215 215 + ip_set_add(info->add_set.index, 216 216 + skb, par->family, 217 217 + info->add_set.dim, 218 218 + info->add_set.flags); 219 219 + if (info->del_set.index != IPSET_INVALID_ID) 220 220 + ip_set_del(info->del_set.index, 221 221 + skb, par->family, 222 222 + info->add_set.dim, 223 223 + info->del_set.flags); 224 224 + 225 225 + return XT_CONTINUE; 226 226 + } 227 227 + 228 228 + static int 229 229 + set_target_checkentry(const struct xt_tgchk_param *par) 230 230 + { 231 231 + const struct xt_set_info_target *info = par->targinfo; 232 232 + ip_set_id_t index; 233 233 + 234 234 + if (info->add_set.index != IPSET_INVALID_ID) { 235 235 + index = ip_set_nfnl_get_byindex(info->add_set.index); 236 236 + if (index == IPSET_INVALID_ID) { 237 237 + pr_warning("Cannot find add_set index %u as target\n", 238 238 + info->add_set.index); 239 239 + return -ENOENT; 240 240 + } 241 241 + } 242 242 + 243 243 + if (info->del_set.index != IPSET_INVALID_ID) { 244 244 + index = ip_set_nfnl_get_byindex(info->del_set.index); 245 245 + if (index == IPSET_INVALID_ID) { 246 246 + pr_warning("Cannot find del_set index %u as target\n", 247 247 + info->del_set.index); 248 248 + return -ENOENT; 249 249 + } 250 250 + } 251 251 + if (info->add_set.dim > IPSET_DIM_MAX || 252 252 + info->del_set.flags > IPSET_DIM_MAX) { 253 253 + pr_warning("Protocol error: SET target dimension " 254 254 + "is over the limit!\n"); 255 255 + return -ERANGE; 256 256 + } 257 257 + 258 258 + return 0; 259 259 + } 260 260 + 261 261 + static void 262 262 + set_target_destroy(const struct xt_tgdtor_param *par) 263 263 + { 264 264 + const struct xt_set_info_target *info = par->targinfo; 265 265 + 266 266 + if (info->add_set.index != IPSET_INVALID_ID) 267 267 + ip_set_nfnl_put(info->add_set.index); 268 268 + if (info->del_set.index != IPSET_INVALID_ID) 269 269 + ip_set_nfnl_put(info->del_set.index); 270 270 + } 271 271 + 272 272 + static struct xt_match set_matches[] __read_mostly = { 273 273 + { 274 274 + .name = "set", 275 275 + .family = NFPROTO_IPV4, 276 276 + .revision = 0, 277 277 + .match = set_match_v0, 278 278 + .matchsize = sizeof(struct xt_set_info_match_v0), 279 279 + .checkentry = set_match_v0_checkentry, 280 280 + .destroy = set_match_v0_destroy, 281 281 + .me = THIS_MODULE 282 282 + }, 283 283 + { 284 284 + .name = "set", 285 285 + .family = NFPROTO_IPV4, 286 286 + .revision = 1, 287 287 + .match = set_match, 288 288 + .matchsize = sizeof(struct xt_set_info_match), 289 289 + .checkentry = set_match_checkentry, 290 290 + .destroy = set_match_destroy, 291 291 + .me = THIS_MODULE 292 292 + }, 293 293 + { 294 294 + .name = "set", 295 295 + .family = NFPROTO_IPV6, 296 296 + .revision = 1, 297 297 + .match = set_match, 298 298 + .matchsize = sizeof(struct xt_set_info_match), 299 299 + .checkentry = set_match_checkentry, 300 300 + .destroy = set_match_destroy, 301 301 + .me = THIS_MODULE 302 302 + }, 303 303 + }; 304 304 + 305 305 + static struct xt_target set_targets[] __read_mostly = { 306 306 + { 307 307 + .name = "SET", 308 308 + .revision = 0, 309 309 + .family = NFPROTO_IPV4, 310 310 + .target = set_target_v0, 311 311 + .targetsize = sizeof(struct xt_set_info_target_v0), 312 312 + .checkentry = set_target_v0_checkentry, 313 313 + .destroy = set_target_v0_destroy, 314 314 + .me = THIS_MODULE 315 315 + }, 316 316 + { 317 317 + .name = "SET", 318 318 + .revision = 1, 319 319 + .family = NFPROTO_IPV4, 320 320 + .target = set_target, 321 321 + .targetsize = sizeof(struct xt_set_info_target), 322 322 + .checkentry = set_target_checkentry, 323 323 + .destroy = set_target_destroy, 324 324 + .me = THIS_MODULE 325 325 + }, 326 326 + { 327 327 + .name = "SET", 328 328 + .revision = 1, 329 329 + .family = NFPROTO_IPV6, 330 330 + .target = set_target, 331 331 + .targetsize = sizeof(struct xt_set_info_target), 332 332 + .checkentry = set_target_checkentry, 333 333 + .destroy = set_target_destroy, 334 334 + .me = THIS_MODULE 335 335 + }, 336 336 + }; 337 337 + 338 338 + static int __init xt_set_init(void) 339 339 + { 340 340 + int ret = xt_register_matches(set_matches, ARRAY_SIZE(set_matches)); 341 341 + 342 342 + if (!ret) { 343 343 + ret = xt_register_targets(set_targets, 344 344 + ARRAY_SIZE(set_targets)); 345 345 + if (ret) 346 346 + xt_unregister_matches(set_matches, 347 347 + ARRAY_SIZE(set_matches)); 348 348 + } 349 349 + return ret; 350 350 + } 351 351 + 352 352 + static void __exit xt_set_fini(void) 353 353 + { 354 354 + xt_unregister_matches(set_matches, ARRAY_SIZE(set_matches)); 355 355 + xt_unregister_targets(set_targets, ARRAY_SIZE(set_targets)); 356 356 + } 357 357 + 358 358 + module_init(xt_set_init); 359 359 + module_exit(xt_set_fini);