netfilter: ipset: bitmap:ip set type support

The module implements the bitmap:ip set type in two flavours, without and with timeout support. In this kind of set one can store IPv4 addresses (or network addresses) from a given range. In order not to waste memory, the timeout version does not rely on the kernel timer for every element to be timed out but on garbage collection. All set types use this mechanism. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2011-02-01 09:33:17 -0500
committer: Patrick McHardy <kaber@trash.net> 2011-02-01 09:33:17 -0500
commit: 72205fc68bd13109576aa6c4c12c740962d28a6c (patch)
tree: c034f0c9c216f489cfce377215b7420cb66d4b2f
parent: a7b4f989a629493bb4ec4a354def784d440b32c4 (diff)
5 files changed, 758 insertions, 0 deletions
diff --git a/include/linux/netfilter/ipset/ip_set_bitmap.h b/include/linux/netfilter/ipset/ip_set_bitmap.h
new file mode 100644
index 000000000000..61a9e8746c83
--- /dev/null
+++ b/include/linux/netfilter/ipset/ip_set_bitmap.h
@@ -0,0 +1,31 @@
+#ifndef __IP_SET_BITMAP_H
+#define __IP_SET_BITMAP_H
+/* Bitmap type specific error codes */
+enum {
+        /* The element is out of the range of the set */
+        IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC,
+        /* The range exceeds the size limit of the set type */
+        IPSET_ERR_BITMAP_RANGE_SIZE,
+};
+#ifdef __KERNEL__
+#define IPSET_BITMAP_MAX_RANGE  0x0000FFFF
+/* Common functions */
+static inline u32
+range_to_mask(u32 from, u32 to, u8 *bits)
+{
+        u32 mask = 0xFFFFFFFE;
+        *bits = 32;
+        while (--(*bits) > 0 && mask && (to & mask) != from)
+                mask <<= 1;
+        return mask;
+}
+#endif /* __KERNEL__ */
+#endif /* __IP_SET_BITMAP_H */
diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h b/include/linux/netfilter/ipset/ip_set_timeout.h
new file mode 100644
index 000000000000..9f30c5f2ec1c
--- /dev/null
+++ b/include/linux/netfilter/ipset/ip_set_timeout.h
@@ -0,0 +1,127 @@
+#ifndef _IP_SET_TIMEOUT_H
+#define _IP_SET_TIMEOUT_H
+/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifdef __KERNEL__
+/* How often should the gc be run by default */
+#define IPSET_GC_TIME                   (3 * 60)
+/* Timeout period depending on the timeout value of the given set */
+#define IPSET_GC_PERIOD(timeout) \
+        ((timeout/3) ? min_t(u32, (timeout)/3, IPSET_GC_TIME) : 1)
+/* Set is defined without timeout support: timeout value may be 0 */
+#define IPSET_NO_TIMEOUT        UINT_MAX
+#define with_timeout(timeout)   ((timeout) != IPSET_NO_TIMEOUT)
+static inline unsigned int
+ip_set_timeout_uget(struct nlattr *tb)
+{
+        unsigned int timeout = ip_set_get_h32(tb);
+        /* Userspace supplied TIMEOUT parameter: adjust crazy size */
+        return timeout == IPSET_NO_TIMEOUT ? IPSET_NO_TIMEOUT - 1 : timeout;
+}
+#ifdef IP_SET_BITMAP_TIMEOUT
+/* Bitmap specific timeout constants and macros for the entries */
+/* Bitmap entry is unset */
+#define IPSET_ELEM_UNSET        0
+/* Bitmap entry is set with no timeout value */
+#define IPSET_ELEM_PERMANENT    (UINT_MAX/2)
+static inline bool
+ip_set_timeout_test(unsigned long timeout)
+{
+        return timeout != IPSET_ELEM_UNSET &&
+               (timeout == IPSET_ELEM_PERMANENT ||
+                time_after(timeout, jiffies));
+}
+static inline bool
+ip_set_timeout_expired(unsigned long timeout)
+{
+        return timeout != IPSET_ELEM_UNSET &&
+               timeout != IPSET_ELEM_PERMANENT &&
+               time_before(timeout, jiffies);
+}
+static inline unsigned long
+ip_set_timeout_set(u32 timeout)
+{
+        unsigned long t;
+        if (!timeout)
+                return IPSET_ELEM_PERMANENT;
+        t = timeout * HZ + jiffies;
+        if (t == IPSET_ELEM_UNSET || t == IPSET_ELEM_PERMANENT)
+                /* Bingo! */
+                t++;
+        return t;
+}
+static inline u32
+ip_set_timeout_get(unsigned long timeout)
+{
+        return timeout == IPSET_ELEM_PERMANENT ? 0 : (timeout - jiffies)/HZ;
+}
+#else
+/* Hash specific timeout constants and macros for the entries */
+/* Hash entry is set with no timeout value */
+#define IPSET_ELEM_PERMANENT    0
+static inline bool
+ip_set_timeout_test(unsigned long timeout)
+{
+        return timeout == IPSET_ELEM_PERMANENT ||
+               time_after(timeout, jiffies);
+}
+static inline bool
+ip_set_timeout_expired(unsigned long timeout)
+{
+        return timeout != IPSET_ELEM_PERMANENT &&
+               time_before(timeout, jiffies);
+}
+static inline unsigned long
+ip_set_timeout_set(u32 timeout)
+{
+        unsigned long t;
+        if (!timeout)
+                return IPSET_ELEM_PERMANENT;
+        t = timeout * HZ + jiffies;
+        if (t == IPSET_ELEM_PERMANENT)
+                /* Bingo! :-) */
+                t++;
+        return t;
+}
+static inline u32
+ip_set_timeout_get(unsigned long timeout)
+{
+        return timeout == IPSET_ELEM_PERMANENT ? 0 : (timeout - jiffies)/HZ;
+}
+#endif /* ! IP_SET_BITMAP_TIMEOUT */
+#endif  /* __KERNEL__ */
+#endif /* _IP_SET_TIMEOUT_H */
diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig
index 5ade156dd470..b63a8eea183c 100644
--- a/net/netfilter/ipset/Kconfig
+++ b/net/netfilter/ipset/Kconfig
@@ -23,4 +23,13 @@ config IP_SET_MAX
          The value can be overriden by the 'max_sets' module
          parameter of the 'ip_set' module.
+config IP_SET_BITMAP_IP
+        tristate "bitmap:ip set support"
+        depends on IP_SET
+        help
+          This option adds the bitmap:ip set type support, by which one
+          can store IPv4 addresses (or network addresse) from a range.
+          To compile it as a module, choose M here.  If unsure, say N.
 endif # IP_SET
diff --git a/net/netfilter/ipset/Makefile b/net/netfilter/ipset/Makefile
index 910cd425c067..ea1c85e28af1 100644
--- a/net/netfilter/ipset/Makefile
+++ b/net/netfilter/ipset/Makefile
@@ -6,3 +6,6 @@ ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o
 # ipset core
 obj-$(CONFIG_IP_SET) += ip_set.o
+# bitmap types
+obj-$(CONFIG_IP_SET_BITMAP_IP) += ip_set_bitmap_ip.o
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
new file mode 100644
index 000000000000..047440085509
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -0,0 +1,588 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module implementing an IP set type: the bitmap:ip type */
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/errno.h>
+#include <linux/uaccess.h>
+#include <linux/bitops.h>
+#include <linux/spinlock.h>
+#include <linux/netlink.h>
+#include <linux/jiffies.h>
+#include <linux/timer.h>
+#include <net/netlink.h>
+#include <net/tcp.h>
+#include <linux/netfilter/ipset/pfxlen.h>
+#include <linux/netfilter/ipset/ip_set.h>
+#include <linux/netfilter/ipset/ip_set_bitmap.h>
+#define IP_SET_BITMAP_TIMEOUT
+#include <linux/netfilter/ipset/ip_set_timeout.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("bitmap:ip type of IP sets");
+MODULE_ALIAS("ip_set_bitmap:ip");
+/* Type structure */
+struct bitmap_ip {
+        void *members;          /* the set members */
+        u32 first_ip;           /* host byte order, included in range */
+        u32 last_ip;            /* host byte order, included in range */
+        u32 elements;           /* number of max elements in the set */
+        u32 hosts;              /* number of hosts in a subnet */
+        size_t memsize;         /* members size */
+        u8 netmask;             /* subnet netmask */
+        u32 timeout;            /* timeout parameter */
+        struct timer_list gc;   /* garbage collection */
+};
+/* Base variant */
+static inline u32
+ip_to_id(const struct bitmap_ip *m, u32 ip)
+{
+        return ((ip & ip_set_hostmask(m->netmask)) - m->first_ip)/m->hosts;
+}
+static int
+bitmap_ip_test(struct ip_set *set, void *value, u32 timeout)
+{
+        const struct bitmap_ip *map = set->data;
+        u16 id = *(u16 *)value;
+        return !!test_bit(id, map->members);
+}
+static int
+bitmap_ip_add(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_ip *map = set->data;
+        u16 id = *(u16 *)value;
+        if (test_and_set_bit(id, map->members))
+                return -IPSET_ERR_EXIST;
+        return 0;
+}
+static int
+bitmap_ip_del(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_ip *map = set->data;
+        u16 id = *(u16 *)value;
+        if (!test_and_clear_bit(id, map->members))
+                return -IPSET_ERR_EXIST;
+        return 0;
+}
+static int
+bitmap_ip_list(const struct ip_set *set,
+               struct sk_buff *skb, struct netlink_callback *cb)
+{
+        const struct bitmap_ip *map = set->data;
+        struct nlattr *atd, *nested;
+        u32 id, first = cb->args[2];
+        atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
+        if (!atd)
+                return -EMSGSIZE;
+        for (; cb->args[2] < map->elements; cb->args[2]++) {
+                id = cb->args[2];
+                if (!test_bit(id, map->members))
+                        continue;
+                nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+                if (!nested) {
+                        if (id == first) {
+                                nla_nest_cancel(skb, atd);
+                                return -EMSGSIZE;
+                        } else
+                                goto nla_put_failure;
+                }
+                NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
+                                htonl(map->first_ip + id * map->hosts));
+                ipset_nest_end(skb, nested);
+        }
+        ipset_nest_end(skb, atd);
+        /* Set listing finished */
+        cb->args[2] = 0;
+        return 0;
+nla_put_failure:
+        nla_nest_cancel(skb, nested);
+        ipset_nest_end(skb, atd);
+        if (unlikely(id == first)) {
+                cb->args[2] = 0;
+                return -EMSGSIZE;
+        }
+        return 0;
+}
+/* Timeout variant */
+static int
+bitmap_ip_ttest(struct ip_set *set, void *value, u32 timeout)
+{
+        const struct bitmap_ip *map = set->data;
+        const unsigned long *members = map->members;
+        u16 id = *(u16 *)value;
+        return ip_set_timeout_test(members[id]);
+}
+static int
+bitmap_ip_tadd(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_ip *map = set->data;
+        unsigned long *members = map->members;
+        u16 id = *(u16 *)value;
+        if (ip_set_timeout_test(members[id]))
+                return -IPSET_ERR_EXIST;
+        members[id] = ip_set_timeout_set(timeout);
+        return 0;
+}
+static int
+bitmap_ip_tdel(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_ip *map = set->data;
+        unsigned long *members = map->members;
+        u16 id = *(u16 *)value;
+        int ret = -IPSET_ERR_EXIST;
+        if (ip_set_timeout_test(members[id]))
+                ret = 0;
+        members[id] = IPSET_ELEM_UNSET;
+        return ret;
+}
+static int
+bitmap_ip_tlist(const struct ip_set *set,
+                struct sk_buff *skb, struct netlink_callback *cb)
+{
+        const struct bitmap_ip *map = set->data;
+        struct nlattr *adt, *nested;
+        u32 id, first = cb->args[2];
+        const unsigned long *members = map->members;
+        adt = ipset_nest_start(skb, IPSET_ATTR_ADT);
+        if (!adt)
+                return -EMSGSIZE;
+        for (; cb->args[2] < map->elements; cb->args[2]++) {
+                id = cb->args[2];
+                if (!ip_set_timeout_test(members[id]))
+                        continue;
+                nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+                if (!nested) {
+                        if (id == first) {
+                                nla_nest_cancel(skb, adt);
+                                return -EMSGSIZE;
+                        } else
+                                goto nla_put_failure;
+                }
+                NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
+                                htonl(map->first_ip + id * map->hosts));
+                NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                              htonl(ip_set_timeout_get(members[id])));
+                ipset_nest_end(skb, nested);
+        }
+        ipset_nest_end(skb, adt);
+        /* Set listing finished */
+        cb->args[2] = 0;
+        return 0;
+nla_put_failure:
+        nla_nest_cancel(skb, nested);
+        ipset_nest_end(skb, adt);
+        if (unlikely(id == first)) {
+                cb->args[2] = 0;
+                return -EMSGSIZE;
+        }
+        return 0;
+}
+static int
+bitmap_ip_kadt(struct ip_set *set, const struct sk_buff *skb,
+               enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        struct bitmap_ip *map = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        u32 ip;
+        ip = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
+        if (ip < map->first_ip || ip > map->last_ip)
+                return -IPSET_ERR_BITMAP_RANGE;
+        ip = ip_to_id(map, ip);
+        return adtfn(set, &ip, map->timeout);
+}
+static int
+bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
+               enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        struct bitmap_ip *map = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        u32 timeout = map->timeout;
+        u32 ip, ip_to, id;
+        int ret = 0;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
+        if (ret)
+                return ret;
+        if (ip < map->first_ip || ip > map->last_ip)
+                return -IPSET_ERR_BITMAP_RANGE;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(map->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        if (adt == IPSET_TEST) {
+                id = ip_to_id(map, ip);
+                return adtfn(set, &id, timeout);
+        }
+        if (tb[IPSET_ATTR_IP_TO]) {
+                ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
+                if (ret)
+                        return ret;
+                if (ip > ip_to) {
+                        swap(ip, ip_to);
+                        if (ip < map->first_ip)
+                                return -IPSET_ERR_BITMAP_RANGE;
+                }
+        } else if (tb[IPSET_ATTR_CIDR]) {
+                u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+                if (cidr > 32)
+                        return -IPSET_ERR_INVALID_CIDR;
+                ip &= ip_set_hostmask(cidr);
+                ip_to = ip | ~ip_set_hostmask(cidr);
+        } else
+                ip_to = ip;
+        if (ip_to > map->last_ip)
+                return -IPSET_ERR_BITMAP_RANGE;
+        for (; !before(ip_to, ip); ip += map->hosts) {
+                id = ip_to_id(map, ip);
+                ret = adtfn(set, &id, timeout);;
+                if (ret && !ip_set_eexist(ret, flags))
+                        return ret;
+                else
+                        ret = 0;
+        }
+        return ret;
+}
+static void
+bitmap_ip_destroy(struct ip_set *set)
+{
+        struct bitmap_ip *map = set->data;
+        if (with_timeout(map->timeout))
+                del_timer_sync(&map->gc);
+        ip_set_free(map->members);
+        kfree(map);
+        set->data = NULL;
+}
+static void
+bitmap_ip_flush(struct ip_set *set)
+{
+        struct bitmap_ip *map = set->data;
+        memset(map->members, 0, map->memsize);
+}
+static int
+bitmap_ip_head(struct ip_set *set, struct sk_buff *skb)
+{
+        const struct bitmap_ip *map = set->data;
+        struct nlattr *nested;
+        nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+        if (!nested)
+                goto nla_put_failure;
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip));
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip));
+        if (map->netmask != 32)
+                NLA_PUT_U8(skb, IPSET_ATTR_NETMASK, map->netmask);
+        NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES,
+                      htonl(atomic_read(&set->ref) - 1));
+        NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
+                      htonl(sizeof(*map) + map->memsize));
+        if (with_timeout(map->timeout))
+                NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
+        ipset_nest_end(skb, nested);
+        return 0;
+nla_put_failure:
+        return -EMSGSIZE;
+}
+static bool
+bitmap_ip_same_set(const struct ip_set *a, const struct ip_set *b)
+{
+        const struct bitmap_ip *x = a->data;
+        const struct bitmap_ip *y = b->data;
+        return x->first_ip == y->first_ip &&
+               x->last_ip == y->last_ip &&
+               x->netmask == y->netmask &&
+               x->timeout == y->timeout;
+}
+static const struct ip_set_type_variant bitmap_ip = {
+        .kadt   = bitmap_ip_kadt,
+        .uadt   = bitmap_ip_uadt,
+        .adt    = {
+                [IPSET_ADD] = bitmap_ip_add,
+                [IPSET_DEL] = bitmap_ip_del,
+                [IPSET_TEST] = bitmap_ip_test,
+        },
+        .destroy = bitmap_ip_destroy,
+        .flush  = bitmap_ip_flush,
+        .head   = bitmap_ip_head,
+        .list   = bitmap_ip_list,
+        .same_set = bitmap_ip_same_set,
+};
+static const struct ip_set_type_variant bitmap_tip = {
+        .kadt   = bitmap_ip_kadt,
+        .uadt   = bitmap_ip_uadt,
+        .adt    = {
+                [IPSET_ADD] = bitmap_ip_tadd,
+                [IPSET_DEL] = bitmap_ip_tdel,
+                [IPSET_TEST] = bitmap_ip_ttest,
+        },
+        .destroy = bitmap_ip_destroy,
+        .flush  = bitmap_ip_flush,
+        .head   = bitmap_ip_head,
+        .list   = bitmap_ip_tlist,
+        .same_set = bitmap_ip_same_set,
+};
+static void
+bitmap_ip_gc(unsigned long ul_set)
+{
+        struct ip_set *set = (struct ip_set *) ul_set;
+        struct bitmap_ip *map = set->data;
+        unsigned long *table = map->members;
+        u32 id;
+        /* We run parallel with other readers (test element)
+         * but adding/deleting new entries is locked out */
+        read_lock_bh(&set->lock);
+        for (id = 0; id < map->elements; id++)
+                if (ip_set_timeout_expired(table[id]))
+                        table[id] = IPSET_ELEM_UNSET;
+        read_unlock_bh(&set->lock);
+        map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
+        add_timer(&map->gc);
+}
+static void
+bitmap_ip_gc_init(struct ip_set *set)
+{
+        struct bitmap_ip *map = set->data;
+        init_timer(&map->gc);
+        map->gc.data = (unsigned long) set;
+        map->gc.function = bitmap_ip_gc;
+        map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
+        add_timer(&map->gc);
+}
+/* Create bitmap:ip type of sets */
+static bool
+init_map_ip(struct ip_set *set, struct bitmap_ip *map,
+            u32 first_ip, u32 last_ip,
+            u32 elements, u32 hosts, u8 netmask)
+{
+        map->members = ip_set_alloc(map->memsize);
+        if (!map->members)
+                return false;
+        map->first_ip = first_ip;
+        map->last_ip = last_ip;
+        map->elements = elements;
+        map->hosts = hosts;
+        map->netmask = netmask;
+        map->timeout = IPSET_NO_TIMEOUT;
+        set->data = map;
+        set->family = AF_INET;
+        return true;
+}
+static int
+bitmap_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
+{
+        struct bitmap_ip *map;
+        u32 first_ip, last_ip, hosts, elements;
+        u8 netmask = 32;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &first_ip);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_IP_TO]) {
+                ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &last_ip);
+                if (ret)
+                        return ret;
+                if (first_ip > last_ip) {
+                        u32 tmp = first_ip;
+                        first_ip = last_ip;
+                        last_ip = tmp;
+                }
+        } else if (tb[IPSET_ATTR_CIDR]) {
+                u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+                if (cidr >= 32)
+                        return -IPSET_ERR_INVALID_CIDR;
+                last_ip = first_ip | ~ip_set_hostmask(cidr);
+        } else
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_NETMASK]) {
+                netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
+                if (netmask > 32)
+                        return -IPSET_ERR_INVALID_NETMASK;
+                first_ip &= ip_set_hostmask(netmask);
+                last_ip |= ~ip_set_hostmask(netmask);
+        }
+        if (netmask == 32) {
+                hosts = 1;
+                elements = last_ip - first_ip + 1;
+        } else {
+                u8 mask_bits;
+                u32 mask;
+                mask = range_to_mask(first_ip, last_ip, &mask_bits);
+                if ((!mask && (first_ip || last_ip != 0xFFFFFFFF)) ||
+                    netmask <= mask_bits)
+                        return -IPSET_ERR_BITMAP_RANGE;
+                pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask);
+                hosts = 2 << (32 - netmask - 1);
+                elements = 2 << (netmask - mask_bits - 1);
+        }
+        if (elements > IPSET_BITMAP_MAX_RANGE + 1)
+                return -IPSET_ERR_BITMAP_RANGE_SIZE;
+        pr_debug("hosts %u, elements %u\n", hosts, elements);
+        map = kzalloc(sizeof(*map), GFP_KERNEL);
+        if (!map)
+                return -ENOMEM;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                map->memsize = elements * sizeof(unsigned long);
+                if (!init_map_ip(set, map, first_ip, last_ip,
+                                 elements, hosts, netmask)) {
+                        kfree(map);
+                        return -ENOMEM;
+                }
+                map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+                set->variant = &bitmap_tip;
+                bitmap_ip_gc_init(set);
+        } else {
+                map->memsize = bitmap_bytes(0, elements - 1);
+                if (!init_map_ip(set, map, first_ip, last_ip,
+                                 elements, hosts, netmask)) {
+                        kfree(map);
+                        return -ENOMEM;
+                }
+                set->variant = &bitmap_ip;
+        }
+        return 0;
+}
+static struct ip_set_type bitmap_ip_type __read_mostly = {
+        .name           = "bitmap:ip",
+        .protocol       = IPSET_PROTOCOL,
+        .features       = IPSET_TYPE_IP,
+        .dimension      = IPSET_DIM_ONE,
+        .family         = AF_INET,
+        .revision       = 0,
+        .create         = bitmap_ip_create,
+        .create_policy  = {
+                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+                [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
+                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
+                [IPSET_ATTR_NETMASK]    = { .type = NLA_U8  },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+        },
+        .adt_policy     = {
+                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+                [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
+                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+                [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
+        },
+        .me             = THIS_MODULE,
+};
+static int __init
+bitmap_ip_init(void)
+{
+        return ip_set_type_register(&bitmap_ip_type);
+}
+static void __exit
+bitmap_ip_fini(void)
+{
+        ip_set_type_unregister(&bitmap_ip_type);
+}
+module_init(bitmap_ip_init);
+module_exit(bitmap_ip_fini);
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2011-02-01 09:33:17 -0500
committer	Patrick McHardy <kaber@trash.net>	2011-02-01 09:33:17 -0500
commit	72205fc68bd13109576aa6c4c12c740962d28a6c (patch)
tree	c034f0c9c216f489cfce377215b7420cb66d4b2f
parent	a7b4f989a629493bb4ec4a354def784d440b32c4 (diff)

diff --git a/include/linux/netfilter/ipset/ip_set_bitmap.h b/include/linux/netfilter/ipset/ip_set_bitmap.h new file mode 100644 index 000000000000..61a9e8746c83 --- /dev/null +++ b/include/linux/netfilter/ipset/ip_set_bitmap.h
@@ -0,0 +1,31 @@
		1	#ifndef __IP_SET_BITMAP_H
		2	#define __IP_SET_BITMAP_H
		3
		4	/* Bitmap type specific error codes */
		5	enum {
		6	/* The element is out of the range of the set */
		7	IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC,
		8	/* The range exceeds the size limit of the set type */
		9	IPSET_ERR_BITMAP_RANGE_SIZE,
		10	};
		11
		12	#ifdef __KERNEL__
		13	#define IPSET_BITMAP_MAX_RANGE 0x0000FFFF
		14
		15	/* Common functions */
		16
		17	static inline u32
		18	range_to_mask(u32 from, u32 to, u8 *bits)
		19	{
		20	u32 mask = 0xFFFFFFFE;
		21
		22	*bits = 32;
		23	while (--(*bits) > 0 && mask && (to & mask) != from)
		24	mask <<= 1;
		25
		26	return mask;
		27	}
		28
		29	#endif /* __KERNEL__ */
		30
		31	#endif /* __IP_SET_BITMAP_H */


diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h b/include/linux/netfilter/ipset/ip_set_timeout.h new file mode 100644 index 000000000000..9f30c5f2ec1c --- /dev/null +++ b/include/linux/netfilter/ipset/ip_set_timeout.h
@@ -0,0 +1,127 @@
		1	#ifndef _IP_SET_TIMEOUT_H
		2	#define _IP_SET_TIMEOUT_H
		3
		4	/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License version 2 as
		8	* published by the Free Software Foundation.
		9	*/
		10
		11	#ifdef __KERNEL__
		12
		13	/* How often should the gc be run by default */
		14	#define IPSET_GC_TIME (3 * 60)
		15
		16	/* Timeout period depending on the timeout value of the given set */
		17	#define IPSET_GC_PERIOD(timeout) \
		18	((timeout/3) ? min_t(u32, (timeout)/3, IPSET_GC_TIME) : 1)
		19
		20	/* Set is defined without timeout support: timeout value may be 0 */
		21	#define IPSET_NO_TIMEOUT UINT_MAX
		22
		23	#define with_timeout(timeout) ((timeout) != IPSET_NO_TIMEOUT)
		24
		25	static inline unsigned int
		26	ip_set_timeout_uget(struct nlattr *tb)
		27	{
		28	unsigned int timeout = ip_set_get_h32(tb);
		29
		30	/* Userspace supplied TIMEOUT parameter: adjust crazy size */
		31	return timeout == IPSET_NO_TIMEOUT ? IPSET_NO_TIMEOUT - 1 : timeout;
		32	}
		33
		34	#ifdef IP_SET_BITMAP_TIMEOUT
		35
		36	/* Bitmap specific timeout constants and macros for the entries */
		37
		38	/* Bitmap entry is unset */
		39	#define IPSET_ELEM_UNSET 0
		40	/* Bitmap entry is set with no timeout value */
		41	#define IPSET_ELEM_PERMANENT (UINT_MAX/2)
		42
		43	static inline bool
		44	ip_set_timeout_test(unsigned long timeout)
		45	{
		46	return timeout != IPSET_ELEM_UNSET &&
		47	(timeout == IPSET_ELEM_PERMANENT \|\|
		48	time_after(timeout, jiffies));
		49	}
		50
		51	static inline bool
		52	ip_set_timeout_expired(unsigned long timeout)
		53	{
		54	return timeout != IPSET_ELEM_UNSET &&
		55	timeout != IPSET_ELEM_PERMANENT &&
		56	time_before(timeout, jiffies);
		57	}
		58
		59	static inline unsigned long
		60	ip_set_timeout_set(u32 timeout)
		61	{
		62	unsigned long t;
		63
		64	if (!timeout)
		65	return IPSET_ELEM_PERMANENT;
		66
		67	t = timeout * HZ + jiffies;
		68	if (t == IPSET_ELEM_UNSET \|\| t == IPSET_ELEM_PERMANENT)
		69	/* Bingo! */
		70	t++;
		71
		72	return t;
		73	}
		74
		75	static inline u32
		76	ip_set_timeout_get(unsigned long timeout)
		77	{
		78	return timeout == IPSET_ELEM_PERMANENT ? 0 : (timeout - jiffies)/HZ;
		79	}
		80
		81	#else
		82
		83	/* Hash specific timeout constants and macros for the entries */
		84
		85	/* Hash entry is set with no timeout value */
		86	#define IPSET_ELEM_PERMANENT 0
		87
		88	static inline bool
		89	ip_set_timeout_test(unsigned long timeout)
		90	{
		91	return timeout == IPSET_ELEM_PERMANENT \|\|
		92	time_after(timeout, jiffies);
		93	}
		94
		95	static inline bool
		96	ip_set_timeout_expired(unsigned long timeout)
		97	{
		98	return timeout != IPSET_ELEM_PERMANENT &&
		99	time_before(timeout, jiffies);
		100	}
		101
		102	static inline unsigned long
		103	ip_set_timeout_set(u32 timeout)
		104	{
		105	unsigned long t;
		106
		107	if (!timeout)
		108	return IPSET_ELEM_PERMANENT;
		109
		110	t = timeout * HZ + jiffies;
		111	if (t == IPSET_ELEM_PERMANENT)
		112	/* Bingo! :-) */
		113	t++;
		114
		115	return t;
		116	}
		117
		118	static inline u32
		119	ip_set_timeout_get(unsigned long timeout)
		120	{
		121	return timeout == IPSET_ELEM_PERMANENT ? 0 : (timeout - jiffies)/HZ;
		122	}
		123	#endif /* ! IP_SET_BITMAP_TIMEOUT */
		124
		125	#endif /* __KERNEL__ */
		126
		127	#endif /* _IP_SET_TIMEOUT_H */


diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig index 5ade156dd470..b63a8eea183c 100644 --- a/net/netfilter/ipset/Kconfig +++ b/net/netfilter/ipset/Kconfig
@@ -23,4 +23,13 @@ config IP_SET_MAX
23	The value can be overriden by the 'max_sets' module	23	The value can be overriden by the 'max_sets' module
24	parameter of the 'ip_set' module.	24	parameter of the 'ip_set' module.
25		25
		26	config IP_SET_BITMAP_IP
		27	tristate "bitmap:ip set support"
		28	depends on IP_SET
		29	help
		30	This option adds the bitmap:ip set type support, by which one
		31	can store IPv4 addresses (or network addresse) from a range.
		32
		33	To compile it as a module, choose M here. If unsure, say N.
		34
26	endif # IP_SET	35	endif # IP_SET


diff --git a/net/netfilter/ipset/Makefile b/net/netfilter/ipset/Makefile index 910cd425c067..ea1c85e28af1 100644 --- a/net/netfilter/ipset/Makefile +++ b/net/netfilter/ipset/Makefile
@@ -6,3 +6,6 @@ ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o
6		6
7	# ipset core	7	# ipset core
8	obj-$(CONFIG_IP_SET) += ip_set.o	8	obj-$(CONFIG_IP_SET) += ip_set.o
		9
		10	# bitmap types
		11	obj-$(CONFIG_IP_SET_BITMAP_IP) += ip_set_bitmap_ip.o


diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c new file mode 100644 index 000000000000..047440085509 --- /dev/null +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -0,0 +1,588 @@
		1	/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
		2	* Patrick Schaaf <bof@bof.de>
		3	* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License version 2 as
		7	* published by the Free Software Foundation.
		8	*/
		9
		10	/* Kernel module implementing an IP set type: the bitmap:ip type */
		11
		12	#include <linux/module.h>
		13	#include <linux/ip.h>
		14	#include <linux/skbuff.h>
		15	#include <linux/errno.h>
		16	#include <linux/uaccess.h>
		17	#include <linux/bitops.h>
		18	#include <linux/spinlock.h>
		19	#include <linux/netlink.h>
		20	#include <linux/jiffies.h>
		21	#include <linux/timer.h>
		22	#include <net/netlink.h>
		23	#include <net/tcp.h>
		24
		25	#include <linux/netfilter/ipset/pfxlen.h>
		26	#include <linux/netfilter/ipset/ip_set.h>
		27	#include <linux/netfilter/ipset/ip_set_bitmap.h>
		28	#define IP_SET_BITMAP_TIMEOUT
		29	#include <linux/netfilter/ipset/ip_set_timeout.h>
		30
		31	MODULE_LICENSE("GPL");
		32	MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
		33	MODULE_DESCRIPTION("bitmap:ip type of IP sets");
		34	MODULE_ALIAS("ip_set_bitmap:ip");
		35
		36	/* Type structure */
		37	struct bitmap_ip {
		38	void members; / the set members */
		39	u32 first_ip; /* host byte order, included in range */
		40	u32 last_ip; /* host byte order, included in range */
		41	u32 elements; /* number of max elements in the set */
		42	u32 hosts; /* number of hosts in a subnet */
		43	size_t memsize; /* members size */
		44	u8 netmask; /* subnet netmask */
		45	u32 timeout; /* timeout parameter */
		46	struct timer_list gc; /* garbage collection */
		47	};
		48
		49	/* Base variant */
		50
		51	static inline u32
		52	ip_to_id(const struct bitmap_ip *m, u32 ip)
		53	{
		54	return ((ip & ip_set_hostmask(m->netmask)) - m->first_ip)/m->hosts;
		55	}
		56
		57	static int
		58	bitmap_ip_test(struct ip_set set, void value, u32 timeout)
		59	{
		60	const struct bitmap_ip *map = set->data;
		61	u16 id = (u16 )value;
		62
		63	return !!test_bit(id, map->members);
		64	}
		65
		66	static int
		67	bitmap_ip_add(struct ip_set set, void value, u32 timeout)
		68	{
		69	struct bitmap_ip *map = set->data;
		70	u16 id = (u16 )value;
		71
		72	if (test_and_set_bit(id, map->members))
		73	return -IPSET_ERR_EXIST;
		74
		75	return 0;
		76	}
		77
		78	static int
		79	bitmap_ip_del(struct ip_set set, void value, u32 timeout)
		80	{
		81	struct bitmap_ip *map = set->data;
		82	u16 id = (u16 )value;
		83
		84	if (!test_and_clear_bit(id, map->members))
		85	return -IPSET_ERR_EXIST;
		86
		87	return 0;
		88	}
		89
		90	static int
		91	bitmap_ip_list(const struct ip_set *set,
		92	struct sk_buff skb, struct netlink_callback cb)
		93	{
		94	const struct bitmap_ip *map = set->data;
		95	struct nlattr atd, nested;
		96	u32 id, first = cb->args[2];
		97
		98	atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
		99	if (!atd)
		100	return -EMSGSIZE;
		101	for (; cb->args[2] < map->elements; cb->args[2]++) {
		102	id = cb->args[2];
		103	if (!test_bit(id, map->members))
		104	continue;
		105	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
		106	if (!nested) {
		107	if (id == first) {
		108	nla_nest_cancel(skb, atd);
		109	return -EMSGSIZE;
		110	} else
		111	goto nla_put_failure;
		112	}
		113	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
		114	htonl(map->first_ip + id * map->hosts));
		115	ipset_nest_end(skb, nested);
		116	}
		117	ipset_nest_end(skb, atd);
		118	/* Set listing finished */
		119	cb->args[2] = 0;
		120	return 0;
		121
		122	nla_put_failure:
		123	nla_nest_cancel(skb, nested);
		124	ipset_nest_end(skb, atd);
		125	if (unlikely(id == first)) {
		126	cb->args[2] = 0;
		127	return -EMSGSIZE;
		128	}
		129	return 0;
		130	}
		131
		132	/* Timeout variant */
		133
		134	static int
		135	bitmap_ip_ttest(struct ip_set set, void value, u32 timeout)
		136	{
		137	const struct bitmap_ip *map = set->data;
		138	const unsigned long *members = map->members;
		139	u16 id = (u16 )value;
		140
		141	return ip_set_timeout_test(members[id]);
		142	}
		143
		144	static int
		145	bitmap_ip_tadd(struct ip_set set, void value, u32 timeout)
		146	{
		147	struct bitmap_ip *map = set->data;
		148	unsigned long *members = map->members;
		149	u16 id = (u16 )value;
		150
		151	if (ip_set_timeout_test(members[id]))
		152	return -IPSET_ERR_EXIST;
		153
		154	members[id] = ip_set_timeout_set(timeout);
		155
		156	return 0;
		157	}
		158
		159	static int
		160	bitmap_ip_tdel(struct ip_set set, void value, u32 timeout)
		161	{
		162	struct bitmap_ip *map = set->data;
		163	unsigned long *members = map->members;
		164	u16 id = (u16 )value;
		165	int ret = -IPSET_ERR_EXIST;
		166
		167	if (ip_set_timeout_test(members[id]))
		168	ret = 0;
		169
		170	members[id] = IPSET_ELEM_UNSET;
		171	return ret;
		172	}
		173
		174	static int
		175	bitmap_ip_tlist(const struct ip_set *set,
		176	struct sk_buff skb, struct netlink_callback cb)
		177	{
		178	const struct bitmap_ip *map = set->data;
		179	struct nlattr adt, nested;
		180	u32 id, first = cb->args[2];
		181	const unsigned long *members = map->members;
		182
		183	adt = ipset_nest_start(skb, IPSET_ATTR_ADT);
		184	if (!adt)
		185	return -EMSGSIZE;
		186	for (; cb->args[2] < map->elements; cb->args[2]++) {
		187	id = cb->args[2];
		188	if (!ip_set_timeout_test(members[id]))
		189	continue;
		190	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
		191	if (!nested) {
		192	if (id == first) {
		193	nla_nest_cancel(skb, adt);
		194	return -EMSGSIZE;
		195	} else
		196	goto nla_put_failure;
		197	}
		198	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
		199	htonl(map->first_ip + id * map->hosts));
		200	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
		201	htonl(ip_set_timeout_get(members[id])));
		202	ipset_nest_end(skb, nested);
		203	}
		204	ipset_nest_end(skb, adt);
		205
		206	/* Set listing finished */
		207	cb->args[2] = 0;
		208
		209	return 0;
		210
		211	nla_put_failure:
		212	nla_nest_cancel(skb, nested);
		213	ipset_nest_end(skb, adt);
		214	if (unlikely(id == first)) {
		215	cb->args[2] = 0;
		216	return -EMSGSIZE;
		217	}
		218	return 0;
		219	}
		220
		221	static int
		222	bitmap_ip_kadt(struct ip_set set, const struct sk_buff skb,
		223	enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
		224	{
		225	struct bitmap_ip *map = set->data;
		226	ipset_adtfn adtfn = set->variant->adt[adt];
		227	u32 ip;
		228
		229	ip = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
		230	if (ip < map->first_ip \|\| ip > map->last_ip)
		231	return -IPSET_ERR_BITMAP_RANGE;
		232
		233	ip = ip_to_id(map, ip);
		234
		235	return adtfn(set, &ip, map->timeout);
		236	}
		237
		238	static int
		239	bitmap_ip_uadt(struct ip_set set, struct nlattr tb[],
		240	enum ipset_adt adt, u32 *lineno, u32 flags)
		241	{
		242	struct bitmap_ip *map = set->data;
		243	ipset_adtfn adtfn = set->variant->adt[adt];
		244	u32 timeout = map->timeout;
		245	u32 ip, ip_to, id;
		246	int ret = 0;
		247
		248	if (unlikely(!tb[IPSET_ATTR_IP] \|\|
		249	!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
		250	return -IPSET_ERR_PROTOCOL;
		251
		252	if (tb[IPSET_ATTR_LINENO])
		253	*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
		254
		255	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
		256	if (ret)
		257	return ret;
		258
		259	if (ip < map->first_ip \|\| ip > map->last_ip)
		260	return -IPSET_ERR_BITMAP_RANGE;
		261
		262	if (tb[IPSET_ATTR_TIMEOUT]) {
		263	if (!with_timeout(map->timeout))
		264	return -IPSET_ERR_TIMEOUT;
		265	timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
		266	}
		267
		268	if (adt == IPSET_TEST) {
		269	id = ip_to_id(map, ip);
		270	return adtfn(set, &id, timeout);
		271	}
		272
		273	if (tb[IPSET_ATTR_IP_TO]) {
		274	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
		275	if (ret)
		276	return ret;
		277	if (ip > ip_to) {
		278	swap(ip, ip_to);
		279	if (ip < map->first_ip)
		280	return -IPSET_ERR_BITMAP_RANGE;
		281	}
		282	} else if (tb[IPSET_ATTR_CIDR]) {
		283	u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
		284
		285	if (cidr > 32)
		286	return -IPSET_ERR_INVALID_CIDR;
		287	ip &= ip_set_hostmask(cidr);
		288	ip_to = ip \| ~ip_set_hostmask(cidr);
		289	} else
		290	ip_to = ip;
		291
		292	if (ip_to > map->last_ip)
		293	return -IPSET_ERR_BITMAP_RANGE;
		294
		295	for (; !before(ip_to, ip); ip += map->hosts) {
		296	id = ip_to_id(map, ip);
		297	ret = adtfn(set, &id, timeout);;
		298
		299	if (ret && !ip_set_eexist(ret, flags))
		300	return ret;
		301	else
		302	ret = 0;
		303	}
		304	return ret;
		305	}
		306
		307	static void
		308	bitmap_ip_destroy(struct ip_set *set)
		309	{
		310	struct bitmap_ip *map = set->data;
		311
		312	if (with_timeout(map->timeout))
		313	del_timer_sync(&map->gc);
		314
		315	ip_set_free(map->members);
		316	kfree(map);
		317
		318	set->data = NULL;
		319	}
		320
		321	static void
		322	bitmap_ip_flush(struct ip_set *set)
		323	{
		324	struct bitmap_ip *map = set->data;
		325
		326	memset(map->members, 0, map->memsize);
		327	}
		328
		329	static int
		330	bitmap_ip_head(struct ip_set set, struct sk_buff skb)
		331	{
		332	const struct bitmap_ip *map = set->data;
		333	struct nlattr *nested;
		334
		335	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
		336	if (!nested)
		337	goto nla_put_failure;
		338	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip));
		339	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip));
		340	if (map->netmask != 32)
		341	NLA_PUT_U8(skb, IPSET_ATTR_NETMASK, map->netmask);
		342	NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES,
		343	htonl(atomic_read(&set->ref) - 1));
		344	NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
		345	htonl(sizeof(*map) + map->memsize));
		346	if (with_timeout(map->timeout))
		347	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
		348	ipset_nest_end(skb, nested);
		349
		350	return 0;
		351	nla_put_failure:
		352	return -EMSGSIZE;
		353	}
		354
		355	static bool
		356	bitmap_ip_same_set(const struct ip_set a, const struct ip_set b)
		357	{
		358	const struct bitmap_ip *x = a->data;
		359	const struct bitmap_ip *y = b->data;
		360
		361	return x->first_ip == y->first_ip &&
		362	x->last_ip == y->last_ip &&
		363	x->netmask == y->netmask &&
		364	x->timeout == y->timeout;
		365	}
		366
		367	static const struct ip_set_type_variant bitmap_ip = {
		368	.kadt = bitmap_ip_kadt,
		369	.uadt = bitmap_ip_uadt,
		370	.adt = {
		371	[IPSET_ADD] = bitmap_ip_add,
		372	[IPSET_DEL] = bitmap_ip_del,
		373	[IPSET_TEST] = bitmap_ip_test,
		374	},
		375	.destroy = bitmap_ip_destroy,
		376	.flush = bitmap_ip_flush,
		377	.head = bitmap_ip_head,
		378	.list = bitmap_ip_list,
		379	.same_set = bitmap_ip_same_set,
		380	};
		381
		382	static const struct ip_set_type_variant bitmap_tip = {
		383	.kadt = bitmap_ip_kadt,
		384	.uadt = bitmap_ip_uadt,
		385	.adt = {
		386	[IPSET_ADD] = bitmap_ip_tadd,
		387	[IPSET_DEL] = bitmap_ip_tdel,
		388	[IPSET_TEST] = bitmap_ip_ttest,
		389	},
		390	.destroy = bitmap_ip_destroy,
		391	.flush = bitmap_ip_flush,
		392	.head = bitmap_ip_head,
		393	.list = bitmap_ip_tlist,
		394	.same_set = bitmap_ip_same_set,
		395	};
		396
		397	static void
		398	bitmap_ip_gc(unsigned long ul_set)
		399	{
		400	struct ip_set set = (struct ip_set ) ul_set;
		401	struct bitmap_ip *map = set->data;
		402	unsigned long *table = map->members;
		403	u32 id;
		404
		405	/* We run parallel with other readers (test element)
		406	* but adding/deleting new entries is locked out */
		407	read_lock_bh(&set->lock);
		408	for (id = 0; id < map->elements; id++)
		409	if (ip_set_timeout_expired(table[id]))
		410	table[id] = IPSET_ELEM_UNSET;
		411	read_unlock_bh(&set->lock);
		412
		413	map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
		414	add_timer(&map->gc);
		415	}
		416
		417	static void
		418	bitmap_ip_gc_init(struct ip_set *set)
		419	{
		420	struct bitmap_ip *map = set->data;
		421
		422	init_timer(&map->gc);
		423	map->gc.data = (unsigned long) set;
		424	map->gc.function = bitmap_ip_gc;
		425	map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
		426	add_timer(&map->gc);
		427	}
		428
		429	/* Create bitmap:ip type of sets */
		430
		431	static bool
		432	init_map_ip(struct ip_set set, struct bitmap_ip map,
		433	u32 first_ip, u32 last_ip,
		434	u32 elements, u32 hosts, u8 netmask)
		435	{
		436	map->members = ip_set_alloc(map->memsize);
		437	if (!map->members)
		438	return false;
		439	map->first_ip = first_ip;
		440	map->last_ip = last_ip;
		441	map->elements = elements;
		442	map->hosts = hosts;
		443	map->netmask = netmask;
		444	map->timeout = IPSET_NO_TIMEOUT;
		445
		446	set->data = map;
		447	set->family = AF_INET;
		448
		449	return true;
		450	}
		451
		452	static int
		453	bitmap_ip_create(struct ip_set set, struct nlattr tb[], u32 flags)
		454	{
		455	struct bitmap_ip *map;
		456	u32 first_ip, last_ip, hosts, elements;
		457	u8 netmask = 32;
		458	int ret;
		459
		460	if (unlikely(!tb[IPSET_ATTR_IP] \|\|
		461	!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
		462	return -IPSET_ERR_PROTOCOL;
		463
		464	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &first_ip);
		465	if (ret)
		466	return ret;
		467
		468	if (tb[IPSET_ATTR_IP_TO]) {
		469	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &last_ip);
		470	if (ret)
		471	return ret;
		472	if (first_ip > last_ip) {
		473	u32 tmp = first_ip;
		474
		475	first_ip = last_ip;
		476	last_ip = tmp;
		477	}
		478	} else if (tb[IPSET_ATTR_CIDR]) {
		479	u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
		480
		481	if (cidr >= 32)
		482	return -IPSET_ERR_INVALID_CIDR;
		483	last_ip = first_ip \| ~ip_set_hostmask(cidr);
		484	} else
		485	return -IPSET_ERR_PROTOCOL;
		486
		487	if (tb[IPSET_ATTR_NETMASK]) {
		488	netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
		489
		490	if (netmask > 32)
		491	return -IPSET_ERR_INVALID_NETMASK;
		492
		493	first_ip &= ip_set_hostmask(netmask);
		494	last_ip \|= ~ip_set_hostmask(netmask);
		495	}
		496
		497	if (netmask == 32) {
		498	hosts = 1;
		499	elements = last_ip - first_ip + 1;
		500	} else {
		501	u8 mask_bits;
		502	u32 mask;
		503
		504	mask = range_to_mask(first_ip, last_ip, &mask_bits);
		505
		506	if ((!mask && (first_ip \|\| last_ip != 0xFFFFFFFF)) \|\|
		507	netmask <= mask_bits)
		508	return -IPSET_ERR_BITMAP_RANGE;
		509
		510	pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask);
		511	hosts = 2 << (32 - netmask - 1);
		512	elements = 2 << (netmask - mask_bits - 1);
		513	}
		514	if (elements > IPSET_BITMAP_MAX_RANGE + 1)
		515	return -IPSET_ERR_BITMAP_RANGE_SIZE;
		516
		517	pr_debug("hosts %u, elements %u\n", hosts, elements);
		518
		519	map = kzalloc(sizeof(*map), GFP_KERNEL);
		520	if (!map)
		521	return -ENOMEM;
		522
		523	if (tb[IPSET_ATTR_TIMEOUT]) {
		524	map->memsize = elements * sizeof(unsigned long);
		525
		526	if (!init_map_ip(set, map, first_ip, last_ip,
		527	elements, hosts, netmask)) {
		528	kfree(map);
		529	return -ENOMEM;
		530	}
		531
		532	map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
		533	set->variant = &bitmap_tip;
		534
		535	bitmap_ip_gc_init(set);
		536	} else {
		537	map->memsize = bitmap_bytes(0, elements - 1);
		538
		539	if (!init_map_ip(set, map, first_ip, last_ip,
		540	elements, hosts, netmask)) {
		541	kfree(map);
		542	return -ENOMEM;
		543	}
		544
		545	set->variant = &bitmap_ip;
		546	}
		547	return 0;
		548	}
		549
		550	static struct ip_set_type bitmap_ip_type __read_mostly = {
		551	.name = "bitmap:ip",
		552	.protocol = IPSET_PROTOCOL,
		553	.features = IPSET_TYPE_IP,
		554	.dimension = IPSET_DIM_ONE,
		555	.family = AF_INET,
		556	.revision = 0,
		557	.create = bitmap_ip_create,
		558	.create_policy = {
		559	[IPSET_ATTR_IP] = { .type = NLA_NESTED },
		560	[IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
		561	[IPSET_ATTR_CIDR] = { .type = NLA_U8 },
		562	[IPSET_ATTR_NETMASK] = { .type = NLA_U8 },
		563	[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
		564	},
		565	.adt_policy = {
		566	[IPSET_ATTR_IP] = { .type = NLA_NESTED },
		567	[IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
		568	[IPSET_ATTR_CIDR] = { .type = NLA_U8 },
		569	[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
		570	[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
		571	},
		572	.me = THIS_MODULE,
		573	};
		574
		575	static int __init
		576	bitmap_ip_init(void)
		577	{
		578	return ip_set_type_register(&bitmap_ip_type);
		579	}
		580
		581	static void __exit
		582	bitmap_ip_fini(void)
		583	{
		584	ip_set_type_unregister(&bitmap_ip_type);
		585	}
		586
		587	module_init(bitmap_ip_init);
		588	module_exit(bitmap_ip_fini);