diff options
| author | Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> | 2013-09-22 14:56:32 -0400 |
|---|---|---|
| committer | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2013-09-30 15:33:28 -0400 |
| commit | b90cb8ba19dac9b98add5e64adb583fccbf63f94 (patch) | |
| tree | a3311d8c4899c681273a8746aaf72431464a70b7 | |
| parent | 68b63f08d22f23161c43cd2417104aa213ff877f (diff) | |
netfilter: ipset: Support comments in bitmap-type ipsets.
This provides kernel support for creating bitmap ipsets with comment
support.
As is the case for hashes, this incurs a penalty when flushing or
destroying the entire ipset as the entries must first be walked in order
to free the comment strings. This penalty is of course far less than the
cost of listing an ipset to userspace. Any set created without support
for comments will be flushed/destroyed as before.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
| -rw-r--r-- | net/netfilter/ipset/ip_set_bitmap_gen.h | 14 | ||||
| -rw-r--r-- | net/netfilter/ipset/ip_set_bitmap_ip.c | 4 | ||||
| -rw-r--r-- | net/netfilter/ipset/ip_set_bitmap_ipmac.c | 4 | ||||
| -rw-r--r-- | net/netfilter/ipset/ip_set_bitmap_port.c | 4 |
4 files changed, 17 insertions, 9 deletions
diff --git a/net/netfilter/ipset/ip_set_bitmap_gen.h b/net/netfilter/ipset/ip_set_bitmap_gen.h index 4515fe8b83dd..6167fc9d0efe 100644 --- a/net/netfilter/ipset/ip_set_bitmap_gen.h +++ b/net/netfilter/ipset/ip_set_bitmap_gen.h | |||
| @@ -101,12 +101,9 @@ mtype_head(struct ip_set *set, struct sk_buff *skb) | |||
| 101 | nla_put_net32(skb, IPSET_ATTR_MEMSIZE, | 101 | nla_put_net32(skb, IPSET_ATTR_MEMSIZE, |
| 102 | htonl(sizeof(*map) + | 102 | htonl(sizeof(*map) + |
| 103 | map->memsize + | 103 | map->memsize + |
| 104 | set->dsize * map->elements)) || | 104 | set->dsize * map->elements))) |
| 105 | (SET_WITH_TIMEOUT(set) && | 105 | goto nla_put_failure; |
| 106 | nla_put_net32(skb, IPSET_ATTR_TIMEOUT, htonl(set->timeout))) || | 106 | if (unlikely(ip_set_put_flags(skb, set))) |
| 107 | (SET_WITH_COUNTER(set) && | ||
| 108 | nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, | ||
| 109 | htonl(IPSET_FLAG_WITH_COUNTERS)))) | ||
| 110 | goto nla_put_failure; | 107 | goto nla_put_failure; |
| 111 | ipset_nest_end(skb, nested); | 108 | ipset_nest_end(skb, nested); |
| 112 | 109 | ||
| @@ -162,6 +159,8 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext, | |||
| 162 | 159 | ||
| 163 | if (SET_WITH_COUNTER(set)) | 160 | if (SET_WITH_COUNTER(set)) |
| 164 | ip_set_init_counter(ext_counter(x, set), ext); | 161 | ip_set_init_counter(ext_counter(x, set), ext); |
| 162 | if (SET_WITH_COMMENT(set)) | ||
| 163 | ip_set_init_comment(ext_comment(x, set), ext); | ||
| 165 | return 0; | 164 | return 0; |
| 166 | } | 165 | } |
| 167 | 166 | ||
| @@ -233,6 +232,9 @@ mtype_list(const struct ip_set *set, | |||
| 233 | if (SET_WITH_COUNTER(set) && | 232 | if (SET_WITH_COUNTER(set) && |
| 234 | ip_set_put_counter(skb, ext_counter(x, set))) | 233 | ip_set_put_counter(skb, ext_counter(x, set))) |
| 235 | goto nla_put_failure; | 234 | goto nla_put_failure; |
| 235 | if (SET_WITH_COMMENT(set) && | ||
| 236 | ip_set_put_comment(skb, ext_comment(x, set))) | ||
| 237 | goto nla_put_failure; | ||
| 236 | ipset_nest_end(skb, nested); | 238 | ipset_nest_end(skb, nested); |
| 237 | } | 239 | } |
| 238 | ipset_nest_end(skb, adt); | 240 | ipset_nest_end(skb, adt); |
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c index 94d985457c51..faac124e2645 100644 --- a/net/netfilter/ipset/ip_set_bitmap_ip.c +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c | |||
| @@ -26,7 +26,8 @@ | |||
| 26 | #include <linux/netfilter/ipset/ip_set_bitmap.h> | 26 | #include <linux/netfilter/ipset/ip_set_bitmap.h> |
| 27 | 27 | ||
| 28 | #define IPSET_TYPE_REV_MIN 0 | 28 | #define IPSET_TYPE_REV_MIN 0 |
| 29 | #define IPSET_TYPE_REV_MAX 1 /* Counter support added */ | 29 | /* 1 Counter support added */ |
| 30 | #define IPSET_TYPE_REV_MAX 2 /* Comment support added */ | ||
| 30 | 31 | ||
| 31 | MODULE_LICENSE("GPL"); | 32 | MODULE_LICENSE("GPL"); |
| 32 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | 33 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); |
| @@ -354,6 +355,7 @@ static struct ip_set_type bitmap_ip_type __read_mostly = { | |||
| 354 | [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, | 355 | [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, |
| 355 | [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, | 356 | [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, |
| 356 | [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, | 357 | [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, |
| 358 | [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING }, | ||
| 357 | }, | 359 | }, |
| 358 | .me = THIS_MODULE, | 360 | .me = THIS_MODULE, |
| 359 | }; | 361 | }; |
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c index 654a97bedfe9..fb4d163dea82 100644 --- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c +++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c | |||
| @@ -26,7 +26,8 @@ | |||
| 26 | #include <linux/netfilter/ipset/ip_set_bitmap.h> | 26 | #include <linux/netfilter/ipset/ip_set_bitmap.h> |
| 27 | 27 | ||
| 28 | #define IPSET_TYPE_REV_MIN 0 | 28 | #define IPSET_TYPE_REV_MIN 0 |
| 29 | #define IPSET_TYPE_REV_MAX 1 /* Counter support added */ | 29 | /* 1 Counter support added */ |
| 30 | #define IPSET_TYPE_REV_MAX 2 /* Comment support added */ | ||
| 30 | 31 | ||
| 31 | MODULE_LICENSE("GPL"); | 32 | MODULE_LICENSE("GPL"); |
| 32 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | 33 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); |
| @@ -403,6 +404,7 @@ static struct ip_set_type bitmap_ipmac_type = { | |||
| 403 | [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, | 404 | [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, |
| 404 | [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, | 405 | [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, |
| 405 | [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, | 406 | [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, |
| 407 | [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING }, | ||
| 406 | }, | 408 | }, |
| 407 | .me = THIS_MODULE, | 409 | .me = THIS_MODULE, |
| 408 | }; | 410 | }; |
diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c index 1ef2f3186b80..407a63caee6b 100644 --- a/net/netfilter/ipset/ip_set_bitmap_port.c +++ b/net/netfilter/ipset/ip_set_bitmap_port.c | |||
| @@ -21,7 +21,8 @@ | |||
| 21 | #include <linux/netfilter/ipset/ip_set_getport.h> | 21 | #include <linux/netfilter/ipset/ip_set_getport.h> |
| 22 | 22 | ||
| 23 | #define IPSET_TYPE_REV_MIN 0 | 23 | #define IPSET_TYPE_REV_MIN 0 |
| 24 | #define IPSET_TYPE_REV_MAX 1 /* Counter support added */ | 24 | /* 1 Counter support added */ |
| 25 | #define IPSET_TYPE_REV_MAX 2 /* Comment support added */ | ||
| 25 | 26 | ||
| 26 | MODULE_LICENSE("GPL"); | 27 | MODULE_LICENSE("GPL"); |
| 27 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | 28 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); |
| @@ -288,6 +289,7 @@ static struct ip_set_type bitmap_port_type = { | |||
| 288 | [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, | 289 | [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, |
| 289 | [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, | 290 | [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, |
| 290 | [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, | 291 | [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, |
| 292 | [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING }, | ||
| 291 | }, | 293 | }, |
| 292 | .me = THIS_MODULE, | 294 | .me = THIS_MODULE, |
| 293 | }; | 295 | }; |