diff options
| author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2011-06-16 13:00:48 -0400 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2011-06-16 13:00:48 -0400 |
| commit | e385357a2f214e4d4e79c6118f1bede2572e0701 (patch) | |
| tree | 22ec359f9c9dc8b2ba290383a80663a5ea9f705a /net/netfilter | |
| parent | 9b03a5ef49c01515387133ac5bd47073fae56318 (diff) | |
netfilter: ipset: hash:net,iface type introduced
The hash:net,iface type makes possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:
# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/ipset/Kconfig | 10 | ||||
| -rw-r--r-- | net/netfilter/ipset/Makefile | 1 | ||||
| -rw-r--r-- | net/netfilter/ipset/ip_set_hash_netiface.c | 762 |
3 files changed, 773 insertions, 0 deletions
diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig index 2c5b348eb3a8..ba36c283d837 100644 --- a/net/netfilter/ipset/Kconfig +++ b/net/netfilter/ipset/Kconfig | |||
| @@ -109,6 +109,16 @@ config IP_SET_HASH_NETPORT | |||
| 109 | 109 | ||
| 110 | To compile it as a module, choose M here. If unsure, say N. | 110 | To compile it as a module, choose M here. If unsure, say N. |
| 111 | 111 | ||
| 112 | config IP_SET_HASH_NETIFACE | ||
| 113 | tristate "hash:net,iface set support" | ||
| 114 | depends on IP_SET | ||
| 115 | help | ||
| 116 | This option adds the hash:net,iface set type support, by which | ||
| 117 | one can store IPv4/IPv6 network address/prefix and | ||
| 118 | interface name pairs as elements in a set. | ||
| 119 | |||
| 120 | To compile it as a module, choose M here. If unsure, say N. | ||
| 121 | |||
| 112 | config IP_SET_LIST_SET | 122 | config IP_SET_LIST_SET |
| 113 | tristate "list:set set support" | 123 | tristate "list:set set support" |
| 114 | depends on IP_SET | 124 | depends on IP_SET |
diff --git a/net/netfilter/ipset/Makefile b/net/netfilter/ipset/Makefile index 5adbdab67bd2..6e965ecd5444 100644 --- a/net/netfilter/ipset/Makefile +++ b/net/netfilter/ipset/Makefile | |||
| @@ -19,6 +19,7 @@ obj-$(CONFIG_IP_SET_HASH_IPPORTIP) += ip_set_hash_ipportip.o | |||
| 19 | obj-$(CONFIG_IP_SET_HASH_IPPORTNET) += ip_set_hash_ipportnet.o | 19 | obj-$(CONFIG_IP_SET_HASH_IPPORTNET) += ip_set_hash_ipportnet.o |
| 20 | obj-$(CONFIG_IP_SET_HASH_NET) += ip_set_hash_net.o | 20 | obj-$(CONFIG_IP_SET_HASH_NET) += ip_set_hash_net.o |
| 21 | obj-$(CONFIG_IP_SET_HASH_NETPORT) += ip_set_hash_netport.o | 21 | obj-$(CONFIG_IP_SET_HASH_NETPORT) += ip_set_hash_netport.o |
| 22 | obj-$(CONFIG_IP_SET_HASH_NETIFACE) += ip_set_hash_netiface.o | ||
| 22 | 23 | ||
| 23 | # list types | 24 | # list types |
| 24 | obj-$(CONFIG_IP_SET_LIST_SET) += ip_set_list_set.o | 25 | obj-$(CONFIG_IP_SET_LIST_SET) += ip_set_list_set.o |
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c new file mode 100644 index 000000000000..51e5df12bd00 --- /dev/null +++ b/net/netfilter/ipset/ip_set_hash_netiface.c | |||
| @@ -0,0 +1,762 @@ | |||
| 1 | /* Copyright (C) 2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | ||
| 2 | * | ||
| 3 | * This program is free software; you can redistribute it and/or modify | ||
| 4 | * it under the terms of the GNU General Public License version 2 as | ||
| 5 | * published by the Free Software Foundation. | ||
| 6 | */ | ||
| 7 | |||
| 8 | /* Kernel module implementing an IP set type: the hash:net,iface type */ | ||
| 9 | |||
| 10 | #include <linux/jhash.h> | ||
| 11 | #include <linux/module.h> | ||
| 12 | #include <linux/ip.h> | ||
| 13 | #include <linux/skbuff.h> | ||
| 14 | #include <linux/errno.h> | ||
| 15 | #include <linux/random.h> | ||
| 16 | #include <linux/rbtree.h> | ||
| 17 | #include <net/ip.h> | ||
| 18 | #include <net/ipv6.h> | ||
| 19 | #include <net/netlink.h> | ||
| 20 | |||
| 21 | #include <linux/netfilter.h> | ||
| 22 | #include <linux/netfilter/ipset/pfxlen.h> | ||
| 23 | #include <linux/netfilter/ipset/ip_set.h> | ||
| 24 | #include <linux/netfilter/ipset/ip_set_timeout.h> | ||
| 25 | #include <linux/netfilter/ipset/ip_set_hash.h> | ||
| 26 | |||
| 27 | MODULE_LICENSE("GPL"); | ||
| 28 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | ||
| 29 | MODULE_DESCRIPTION("hash:net,iface type of IP sets"); | ||
| 30 | MODULE_ALIAS("ip_set_hash:net,iface"); | ||
| 31 | |||
| 32 | /* Interface name rbtree */ | ||
| 33 | |||
| 34 | struct iface_node { | ||
| 35 | struct rb_node node; | ||
| 36 | char iface[IFNAMSIZ]; | ||
| 37 | }; | ||
| 38 | |||
| 39 | #define iface_data(n) (rb_entry(n, struct iface_node, node)->iface) | ||
| 40 | |||
| 41 | static inline long | ||
| 42 | ifname_compare(const char *_a, const char *_b) | ||
| 43 | { | ||
| 44 | const long *a = (const long *)_a; | ||
| 45 | const long *b = (const long *)_b; | ||
| 46 | |||
| 47 | BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long)); | ||
| 48 | if (a[0] != b[0]) | ||
| 49 | return a[0] - b[0]; | ||
| 50 | if (IFNAMSIZ > sizeof(long)) { | ||
| 51 | if (a[1] != b[1]) | ||
| 52 | return a[1] - b[1]; | ||
| 53 | } | ||
| 54 | if (IFNAMSIZ > 2 * sizeof(long)) { | ||
| 55 | if (a[2] != b[2]) | ||
| 56 | return a[2] - b[2]; | ||
| 57 | } | ||
| 58 | if (IFNAMSIZ > 3 * sizeof(long)) { | ||
| 59 | if (a[3] != b[3]) | ||
| 60 | return a[3] - b[3]; | ||
| 61 | } | ||
| 62 | return 0; | ||
| 63 | } | ||
| 64 | |||
| 65 | static void | ||
| 66 | rbtree_destroy(struct rb_root *root) | ||
| 67 | { | ||
| 68 | struct rb_node *p, *n = root->rb_node; | ||
| 69 | struct iface_node *node; | ||
| 70 | |||
| 71 | /* Non-recursive destroy, like in ext3 */ | ||
| 72 | while (n) { | ||
| 73 | if (n->rb_left) { | ||
| 74 | n = n->rb_left; | ||
| 75 | continue; | ||
| 76 | } | ||
| 77 | if (n->rb_right) { | ||
| 78 | n = n->rb_right; | ||
| 79 | continue; | ||
| 80 | } | ||
| 81 | p = rb_parent(n); | ||
| 82 | node = rb_entry(n, struct iface_node, node); | ||
| 83 | if (!p) | ||
| 84 | *root = RB_ROOT; | ||
| 85 | else if (p->rb_left == n) | ||
| 86 | p->rb_left = NULL; | ||
| 87 | else if (p->rb_right == n) | ||
| 88 | p->rb_right = NULL; | ||
| 89 | |||
| 90 | kfree(node); | ||
| 91 | n = p; | ||
| 92 | } | ||
| 93 | } | ||
| 94 | |||
| 95 | static int | ||
| 96 | iface_test(struct rb_root *root, const char **iface) | ||
| 97 | { | ||
| 98 | struct rb_node *n = root->rb_node; | ||
| 99 | |||
| 100 | while (n) { | ||
| 101 | const char *d = iface_data(n); | ||
| 102 | int res = ifname_compare(*iface, d); | ||
| 103 | |||
| 104 | if (res < 0) | ||
| 105 | n = n->rb_left; | ||
| 106 | else if (res > 0) | ||
| 107 | n = n->rb_right; | ||
| 108 | else { | ||
| 109 | *iface = d; | ||
| 110 | return 1; | ||
| 111 | } | ||
| 112 | } | ||
| 113 | return 0; | ||
| 114 | } | ||
| 115 | |||
| 116 | static int | ||
| 117 | iface_add(struct rb_root *root, const char **iface) | ||
| 118 | { | ||
| 119 | struct rb_node **n = &(root->rb_node), *p = NULL; | ||
| 120 | struct iface_node *d; | ||
| 121 | |||
| 122 | while (*n) { | ||
| 123 | char *ifname = iface_data(*n); | ||
| 124 | int res = ifname_compare(*iface, ifname); | ||
| 125 | |||
| 126 | p = *n; | ||
| 127 | if (res < 0) | ||
| 128 | n = &((*n)->rb_left); | ||
| 129 | else if (res > 0) | ||
| 130 | n = &((*n)->rb_right); | ||
| 131 | else { | ||
| 132 | *iface = ifname; | ||
| 133 | return 0; | ||
| 134 | } | ||
| 135 | } | ||
| 136 | |||
| 137 | d = kzalloc(sizeof(*d), GFP_ATOMIC); | ||
| 138 | if (!d) | ||
| 139 | return -ENOMEM; | ||
| 140 | strcpy(d->iface, *iface); | ||
| 141 | |||
| 142 | rb_link_node(&d->node, p, n); | ||
| 143 | rb_insert_color(&d->node, root); | ||
| 144 | |||
| 145 | *iface = d->iface; | ||
| 146 | return 0; | ||
| 147 | } | ||
| 148 | |||
| 149 | /* Type specific function prefix */ | ||
| 150 | #define TYPE hash_netiface | ||
| 151 | |||
| 152 | static bool | ||
| 153 | hash_netiface_same_set(const struct ip_set *a, const struct ip_set *b); | ||
| 154 | |||
| 155 | #define hash_netiface4_same_set hash_netiface_same_set | ||
| 156 | #define hash_netiface6_same_set hash_netiface_same_set | ||
| 157 | |||
| 158 | #define STREQ(a, b) (strcmp(a, b) == 0) | ||
| 159 | |||
| 160 | /* The type variant functions: IPv4 */ | ||
| 161 | |||
| 162 | /* Member elements without timeout */ | ||
| 163 | struct hash_netiface4_elem { | ||
| 164 | __be32 ip; | ||
| 165 | const char *iface; | ||
| 166 | u8 physdev; | ||
| 167 | u8 cidr; | ||
| 168 | u16 padding; | ||
| 169 | }; | ||
| 170 | |||
| 171 | /* Member elements with timeout support */ | ||
| 172 | struct hash_netiface4_telem { | ||
| 173 | __be32 ip; | ||
| 174 | const char *iface; | ||
| 175 | u8 physdev; | ||
| 176 | u8 cidr; | ||
| 177 | u16 padding; | ||
| 178 | unsigned long timeout; | ||
| 179 | }; | ||
| 180 | |||
| 181 | static inline bool | ||
| 182 | hash_netiface4_data_equal(const struct hash_netiface4_elem *ip1, | ||
| 183 | const struct hash_netiface4_elem *ip2) | ||
| 184 | { | ||
| 185 | return ip1->ip == ip2->ip && | ||
| 186 | ip1->cidr == ip2->cidr && | ||
| 187 | ip1->physdev == ip2->physdev && | ||
| 188 | ip1->iface == ip2->iface; | ||
| 189 | } | ||
| 190 | |||
| 191 | static inline bool | ||
| 192 | hash_netiface4_data_isnull(const struct hash_netiface4_elem *elem) | ||
| 193 | { | ||
| 194 | return elem->cidr == 0; | ||
| 195 | } | ||
| 196 | |||
| 197 | static inline void | ||
| 198 | hash_netiface4_data_copy(struct hash_netiface4_elem *dst, | ||
| 199 | const struct hash_netiface4_elem *src) { | ||
| 200 | dst->ip = src->ip; | ||
| 201 | dst->cidr = src->cidr; | ||
| 202 | dst->physdev = src->physdev; | ||
| 203 | dst->iface = src->iface; | ||
| 204 | } | ||
| 205 | |||
| 206 | static inline void | ||
| 207 | hash_netiface4_data_netmask(struct hash_netiface4_elem *elem, u8 cidr) | ||
| 208 | { | ||
| 209 | elem->ip &= ip_set_netmask(cidr); | ||
| 210 | elem->cidr = cidr; | ||
| 211 | } | ||
| 212 | |||
| 213 | static inline void | ||
| 214 | hash_netiface4_data_zero_out(struct hash_netiface4_elem *elem) | ||
| 215 | { | ||
| 216 | elem->cidr = 0; | ||
| 217 | } | ||
| 218 | |||
| 219 | static bool | ||
| 220 | hash_netiface4_data_list(struct sk_buff *skb, | ||
| 221 | const struct hash_netiface4_elem *data) | ||
| 222 | { | ||
| 223 | u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0; | ||
| 224 | |||
| 225 | NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip); | ||
| 226 | NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr); | ||
| 227 | NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface); | ||
| 228 | if (flags) | ||
| 229 | NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, flags); | ||
| 230 | return 0; | ||
| 231 | |||
| 232 | nla_put_failure: | ||
| 233 | return 1; | ||
| 234 | } | ||
| 235 | |||
| 236 | static bool | ||
| 237 | hash_netiface4_data_tlist(struct sk_buff *skb, | ||
| 238 | const struct hash_netiface4_elem *data) | ||
| 239 | { | ||
| 240 | const struct hash_netiface4_telem *tdata = | ||
| 241 | (const struct hash_netiface4_telem *)data; | ||
| 242 | u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0; | ||
| 243 | |||
| 244 | NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip); | ||
| 245 | NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr); | ||
| 246 | NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface); | ||
| 247 | if (flags) | ||
| 248 | NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, flags); | ||
| 249 | NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, | ||
| 250 | htonl(ip_set_timeout_get(tdata->timeout))); | ||
| 251 | |||
| 252 | return 0; | ||
| 253 | |||
| 254 | nla_put_failure: | ||
| 255 | return 1; | ||
| 256 | } | ||
| 257 | |||
| 258 | #define IP_SET_HASH_WITH_NETS | ||
| 259 | #define IP_SET_HASH_WITH_RBTREE | ||
| 260 | |||
| 261 | #define PF 4 | ||
| 262 | #define HOST_MASK 32 | ||
| 263 | #include <linux/netfilter/ipset/ip_set_ahash.h> | ||
| 264 | |||
| 265 | static inline void | ||
| 266 | hash_netiface4_data_next(struct ip_set_hash *h, | ||
| 267 | const struct hash_netiface4_elem *d) | ||
| 268 | { | ||
| 269 | h->next.ip = ntohl(d->ip); | ||
| 270 | } | ||
| 271 | |||
| 272 | static int | ||
| 273 | hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb, | ||
| 274 | const struct xt_action_param *par, | ||
| 275 | enum ipset_adt adt, const struct ip_set_adt_opt *opt) | ||
| 276 | { | ||
| 277 | struct ip_set_hash *h = set->data; | ||
| 278 | ipset_adtfn adtfn = set->variant->adt[adt]; | ||
| 279 | struct hash_netiface4_elem data = { | ||
| 280 | .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK | ||
| 281 | }; | ||
| 282 | int ret; | ||
| 283 | |||
| 284 | if (data.cidr == 0) | ||
| 285 | return -EINVAL; | ||
| 286 | if (adt == IPSET_TEST) | ||
| 287 | data.cidr = HOST_MASK; | ||
| 288 | |||
| 289 | ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip); | ||
| 290 | data.ip &= ip_set_netmask(data.cidr); | ||
| 291 | |||
| 292 | #define IFACE(dir) (par->dir ? par->dir->name : NULL) | ||
| 293 | #define PHYSDEV(dir) (nf_bridge->dir ? nf_bridge->dir->name : NULL) | ||
| 294 | #define SRCDIR (opt->flags & IPSET_DIM_TWO_SRC) | ||
| 295 | |||
| 296 | if (opt->cmdflags & IPSET_FLAG_PHYSDEV) { | ||
| 297 | #ifdef CONFIG_BRIDGE_NETFILTER | ||
| 298 | const struct nf_bridge_info *nf_bridge = skb->nf_bridge; | ||
| 299 | |||
| 300 | if (!nf_bridge) | ||
| 301 | return -EINVAL; | ||
| 302 | data.iface = SRCDIR ? PHYSDEV(physindev): PHYSDEV(physoutdev); | ||
| 303 | data.physdev = 1; | ||
| 304 | #else | ||
| 305 | data.iface = NULL; | ||
| 306 | #endif | ||
| 307 | } else | ||
| 308 | data.iface = SRCDIR ? IFACE(in) : IFACE(out); | ||
| 309 | |||
| 310 | if (!data.iface) | ||
| 311 | return -EINVAL; | ||
| 312 | ret = iface_test(&h->rbtree, &data.iface); | ||
| 313 | if (adt == IPSET_ADD) { | ||
| 314 | if (!ret) { | ||
| 315 | ret = iface_add(&h->rbtree, &data.iface); | ||
| 316 | if (ret) | ||
| 317 | return ret; | ||
| 318 | } | ||
| 319 | } else if (!ret) | ||
| 320 | return ret; | ||
| 321 | |||
| 322 | return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags); | ||
| 323 | } | ||
| 324 | |||
| 325 | static int | ||
| 326 | hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[], | ||
| 327 | enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) | ||
| 328 | { | ||
| 329 | struct ip_set_hash *h = set->data; | ||
| 330 | ipset_adtfn adtfn = set->variant->adt[adt]; | ||
| 331 | struct hash_netiface4_elem data = { .cidr = HOST_MASK }; | ||
| 332 | u32 ip = 0, ip_to, last; | ||
| 333 | u32 timeout = h->timeout; | ||
| 334 | char iface[IFNAMSIZ] = {}; | ||
| 335 | int ret; | ||
| 336 | |||
| 337 | if (unlikely(!tb[IPSET_ATTR_IP] || | ||
| 338 | !tb[IPSET_ATTR_IFACE] || | ||
| 339 | !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || | ||
| 340 | !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS))) | ||
| 341 | return -IPSET_ERR_PROTOCOL; | ||
| 342 | |||
| 343 | if (tb[IPSET_ATTR_LINENO]) | ||
| 344 | *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); | ||
| 345 | |||
| 346 | ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); | ||
| 347 | if (ret) | ||
| 348 | return ret; | ||
| 349 | |||
| 350 | if (tb[IPSET_ATTR_CIDR]) { | ||
| 351 | data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); | ||
| 352 | if (!data.cidr) | ||
| 353 | return -IPSET_ERR_INVALID_CIDR; | ||
| 354 | } | ||
| 355 | |||
| 356 | if (tb[IPSET_ATTR_TIMEOUT]) { | ||
| 357 | if (!with_timeout(h->timeout)) | ||
| 358 | return -IPSET_ERR_TIMEOUT; | ||
| 359 | timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); | ||
| 360 | } | ||
| 361 | |||
| 362 | strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE])); | ||
| 363 | data.iface = iface; | ||
| 364 | ret = iface_test(&h->rbtree, &data.iface); | ||
| 365 | if (adt == IPSET_ADD) { | ||
| 366 | if (!ret) { | ||
| 367 | ret = iface_add(&h->rbtree, &data.iface); | ||
| 368 | if (ret) | ||
| 369 | return ret; | ||
| 370 | } | ||
| 371 | } else if (!ret) | ||
| 372 | return ret; | ||
| 373 | |||
| 374 | if (tb[IPSET_ATTR_CADT_FLAGS]) { | ||
| 375 | u32 flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); | ||
| 376 | if (flags & IPSET_FLAG_PHYSDEV) | ||
| 377 | data.physdev = 1; | ||
| 378 | } | ||
| 379 | |||
| 380 | if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) { | ||
| 381 | data.ip = htonl(ip & ip_set_hostmask(data.cidr)); | ||
| 382 | ret = adtfn(set, &data, timeout, flags); | ||
| 383 | return ip_set_eexist(ret, flags) ? 0 : ret; | ||
| 384 | } | ||
| 385 | |||
| 386 | if (tb[IPSET_ATTR_IP_TO]) { | ||
| 387 | ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); | ||
| 388 | if (ret) | ||
| 389 | return ret; | ||
| 390 | if (ip_to < ip) | ||
| 391 | swap(ip, ip_to); | ||
| 392 | if (ip + UINT_MAX == ip_to) | ||
| 393 | return -IPSET_ERR_HASH_RANGE; | ||
| 394 | } else { | ||
| 395 | ip_set_mask_from_to(ip, ip_to, data.cidr); | ||
| 396 | } | ||
| 397 | |||
| 398 | if (retried) | ||
| 399 | ip = h->next.ip; | ||
| 400 | while (!after(ip, ip_to)) { | ||
| 401 | data.ip = htonl(ip); | ||
| 402 | last = ip_set_range_to_cidr(ip, ip_to, &data.cidr); | ||
| 403 | ret = adtfn(set, &data, timeout, flags); | ||
| 404 | |||
| 405 | if (ret && !ip_set_eexist(ret, flags)) | ||
| 406 | return ret; | ||
| 407 | else | ||
| 408 | ret = 0; | ||
| 409 | ip = last + 1; | ||
| 410 | } | ||
| 411 | return ret; | ||
| 412 | } | ||
| 413 | |||
| 414 | static bool | ||
| 415 | hash_netiface_same_set(const struct ip_set *a, const struct ip_set *b) | ||
| 416 | { | ||
| 417 | const struct ip_set_hash *x = a->data; | ||
| 418 | const struct ip_set_hash *y = b->data; | ||
| 419 | |||
| 420 | /* Resizing changes htable_bits, so we ignore it */ | ||
| 421 | return x->maxelem == y->maxelem && | ||
| 422 | x->timeout == y->timeout; | ||
| 423 | } | ||
| 424 | |||
| 425 | /* The type variant functions: IPv6 */ | ||
| 426 | |||
| 427 | struct hash_netiface6_elem { | ||
| 428 | union nf_inet_addr ip; | ||
| 429 | const char *iface; | ||
| 430 | u8 physdev; | ||
| 431 | u8 cidr; | ||
| 432 | u16 padding; | ||
| 433 | }; | ||
| 434 | |||
| 435 | struct hash_netiface6_telem { | ||
| 436 | union nf_inet_addr ip; | ||
| 437 | const char *iface; | ||
| 438 | u8 physdev; | ||
| 439 | u8 cidr; | ||
| 440 | u16 padding; | ||
| 441 | unsigned long timeout; | ||
| 442 | }; | ||
| 443 | |||
| 444 | static inline bool | ||
| 445 | hash_netiface6_data_equal(const struct hash_netiface6_elem *ip1, | ||
| 446 | const struct hash_netiface6_elem *ip2) | ||
| 447 | { | ||
| 448 | return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 && | ||
| 449 | ip1->cidr == ip2->cidr && | ||
| 450 | ip1->physdev == ip2->physdev && | ||
| 451 | ip1->iface == ip2->iface; | ||
| 452 | } | ||
| 453 | |||
| 454 | static inline bool | ||
| 455 | hash_netiface6_data_isnull(const struct hash_netiface6_elem *elem) | ||
| 456 | { | ||
| 457 | return elem->cidr == 0; | ||
| 458 | } | ||
| 459 | |||
| 460 | static inline void | ||
| 461 | hash_netiface6_data_copy(struct hash_netiface6_elem *dst, | ||
| 462 | const struct hash_netiface6_elem *src) | ||
| 463 | { | ||
| 464 | memcpy(dst, src, sizeof(*dst)); | ||
| 465 | } | ||
| 466 | |||
| 467 | static inline void | ||
| 468 | hash_netiface6_data_zero_out(struct hash_netiface6_elem *elem) | ||
| 469 | { | ||
| 470 | } | ||
| 471 | |||
| 472 | static inline void | ||
| 473 | ip6_netmask(union nf_inet_addr *ip, u8 prefix) | ||
| 474 | { | ||
| 475 | ip->ip6[0] &= ip_set_netmask6(prefix)[0]; | ||
| 476 | ip->ip6[1] &= ip_set_netmask6(prefix)[1]; | ||
| 477 | ip->ip6[2] &= ip_set_netmask6(prefix)[2]; | ||
| 478 | ip->ip6[3] &= ip_set_netmask6(prefix)[3]; | ||
| 479 | } | ||
| 480 | |||
| 481 | static inline void | ||
| 482 | hash_netiface6_data_netmask(struct hash_netiface6_elem *elem, u8 cidr) | ||
| 483 | { | ||
| 484 | ip6_netmask(&elem->ip, cidr); | ||
| 485 | elem->cidr = cidr; | ||
| 486 | } | ||
| 487 | |||
| 488 | static bool | ||
| 489 | hash_netiface6_data_list(struct sk_buff *skb, | ||
| 490 | const struct hash_netiface6_elem *data) | ||
| 491 | { | ||
| 492 | u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0; | ||
| 493 | |||
| 494 | NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip); | ||
| 495 | NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr); | ||
| 496 | NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface); | ||
| 497 | if (flags) | ||
| 498 | NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, flags); | ||
| 499 | return 0; | ||
| 500 | |||
| 501 | nla_put_failure: | ||
| 502 | return 1; | ||
| 503 | } | ||
| 504 | |||
| 505 | static bool | ||
| 506 | hash_netiface6_data_tlist(struct sk_buff *skb, | ||
| 507 | const struct hash_netiface6_elem *data) | ||
| 508 | { | ||
| 509 | const struct hash_netiface6_telem *e = | ||
| 510 | (const struct hash_netiface6_telem *)data; | ||
| 511 | u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0; | ||
| 512 | |||
| 513 | NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip); | ||
| 514 | NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr); | ||
| 515 | NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface); | ||
| 516 | if (flags) | ||
| 517 | NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, flags); | ||
| 518 | NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, | ||
| 519 | htonl(ip_set_timeout_get(e->timeout))); | ||
| 520 | return 0; | ||
| 521 | |||
| 522 | nla_put_failure: | ||
| 523 | return 1; | ||
| 524 | } | ||
| 525 | |||
| 526 | #undef PF | ||
| 527 | #undef HOST_MASK | ||
| 528 | |||
| 529 | #define PF 6 | ||
| 530 | #define HOST_MASK 128 | ||
| 531 | #include <linux/netfilter/ipset/ip_set_ahash.h> | ||
| 532 | |||
| 533 | static inline void | ||
| 534 | hash_netiface6_data_next(struct ip_set_hash *h, | ||
| 535 | const struct hash_netiface6_elem *d) | ||
| 536 | { | ||
| 537 | } | ||
| 538 | |||
| 539 | static int | ||
| 540 | hash_netiface6_kadt(struct ip_set *set, const struct sk_buff *skb, | ||
| 541 | const struct xt_action_param *par, | ||
| 542 | enum ipset_adt adt, const struct ip_set_adt_opt *opt) | ||
| 543 | { | ||
| 544 | struct ip_set_hash *h = set->data; | ||
| 545 | ipset_adtfn adtfn = set->variant->adt[adt]; | ||
| 546 | struct hash_netiface6_elem data = { | ||
| 547 | .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK | ||
| 548 | }; | ||
| 549 | int ret; | ||
| 550 | |||
| 551 | if (data.cidr == 0) | ||
| 552 | return -EINVAL; | ||
| 553 | if (adt == IPSET_TEST) | ||
| 554 | data.cidr = HOST_MASK; | ||
| 555 | |||
| 556 | ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6); | ||
| 557 | ip6_netmask(&data.ip, data.cidr); | ||
| 558 | |||
| 559 | if (opt->cmdflags & IPSET_FLAG_PHYSDEV) { | ||
| 560 | #ifdef CONFIG_BRIDGE_NETFILTER | ||
| 561 | const struct nf_bridge_info *nf_bridge = skb->nf_bridge; | ||
| 562 | |||
| 563 | if (!nf_bridge) | ||
| 564 | return -EINVAL; | ||
| 565 | data.iface = SRCDIR ? PHYSDEV(physindev): PHYSDEV(physoutdev); | ||
| 566 | data.physdev = 1; | ||
| 567 | #else | ||
| 568 | data.iface = NULL; | ||
| 569 | #endif | ||
| 570 | } else | ||
| 571 | data.iface = SRCDIR ? IFACE(in) : IFACE(out); | ||
| 572 | |||
| 573 | if (!data.iface) | ||
| 574 | return -EINVAL; | ||
| 575 | ret = iface_test(&h->rbtree, &data.iface); | ||
| 576 | if (adt == IPSET_ADD) { | ||
| 577 | if (!ret) { | ||
| 578 | ret = iface_add(&h->rbtree, &data.iface); | ||
| 579 | if (ret) | ||
| 580 | return ret; | ||
| 581 | } | ||
| 582 | } else if (!ret) | ||
| 583 | return ret; | ||
| 584 | |||
| 585 | return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags); | ||
| 586 | } | ||
| 587 | |||
| 588 | static int | ||
| 589 | hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[], | ||
| 590 | enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) | ||
| 591 | { | ||
| 592 | struct ip_set_hash *h = set->data; | ||
| 593 | ipset_adtfn adtfn = set->variant->adt[adt]; | ||
| 594 | struct hash_netiface6_elem data = { .cidr = HOST_MASK }; | ||
| 595 | u32 timeout = h->timeout; | ||
| 596 | char iface[IFNAMSIZ] = {}; | ||
| 597 | int ret; | ||
| 598 | |||
| 599 | if (unlikely(!tb[IPSET_ATTR_IP] || | ||
| 600 | !tb[IPSET_ATTR_IFACE] || | ||
| 601 | !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || | ||
| 602 | !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS))) | ||
| 603 | return -IPSET_ERR_PROTOCOL; | ||
| 604 | if (unlikely(tb[IPSET_ATTR_IP_TO])) | ||
| 605 | return -IPSET_ERR_HASH_RANGE_UNSUPPORTED; | ||
| 606 | |||
| 607 | if (tb[IPSET_ATTR_LINENO]) | ||
| 608 | *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); | ||
| 609 | |||
| 610 | ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip); | ||
| 611 | if (ret) | ||
| 612 | return ret; | ||
| 613 | |||
| 614 | if (tb[IPSET_ATTR_CIDR]) | ||
| 615 | data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); | ||
| 616 | if (!data.cidr) | ||
| 617 | return -IPSET_ERR_INVALID_CIDR; | ||
| 618 | ip6_netmask(&data.ip, data.cidr); | ||
| 619 | |||
| 620 | if (tb[IPSET_ATTR_TIMEOUT]) { | ||
| 621 | if (!with_timeout(h->timeout)) | ||
| 622 | return -IPSET_ERR_TIMEOUT; | ||
| 623 | timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); | ||
| 624 | } | ||
| 625 | |||
| 626 | strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE])); | ||
| 627 | data.iface = iface; | ||
| 628 | ret = iface_test(&h->rbtree, &data.iface); | ||
| 629 | if (adt == IPSET_ADD) { | ||
| 630 | if (!ret) { | ||
| 631 | ret = iface_add(&h->rbtree, &data.iface); | ||
| 632 | if (ret) | ||
| 633 | return ret; | ||
| 634 | } | ||
| 635 | } else if (!ret) | ||
| 636 | return ret; | ||
| 637 | |||
| 638 | if (tb[IPSET_ATTR_CADT_FLAGS]) { | ||
| 639 | u32 flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); | ||
| 640 | if (flags & IPSET_FLAG_PHYSDEV) | ||
| 641 | data.physdev = 1; | ||
| 642 | } | ||
| 643 | |||
| 644 | ret = adtfn(set, &data, timeout, flags); | ||
| 645 | |||
| 646 | return ip_set_eexist(ret, flags) ? 0 : ret; | ||
| 647 | } | ||
| 648 | |||
| 649 | /* Create hash:ip type of sets */ | ||
| 650 | |||
| 651 | static int | ||
| 652 | hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags) | ||
| 653 | { | ||
| 654 | struct ip_set_hash *h; | ||
| 655 | u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM; | ||
| 656 | u8 hbits; | ||
| 657 | |||
| 658 | if (!(set->family == AF_INET || set->family == AF_INET6)) | ||
| 659 | return -IPSET_ERR_INVALID_FAMILY; | ||
| 660 | |||
| 661 | if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) || | ||
| 662 | !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) || | ||
| 663 | !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT))) | ||
| 664 | return -IPSET_ERR_PROTOCOL; | ||
| 665 | |||
| 666 | if (tb[IPSET_ATTR_HASHSIZE]) { | ||
| 667 | hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]); | ||
| 668 | if (hashsize < IPSET_MIMINAL_HASHSIZE) | ||
| 669 | hashsize = IPSET_MIMINAL_HASHSIZE; | ||
| 670 | } | ||
| 671 | |||
| 672 | if (tb[IPSET_ATTR_MAXELEM]) | ||
| 673 | maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]); | ||
| 674 | |||
| 675 | h = kzalloc(sizeof(*h) | ||
| 676 | + sizeof(struct ip_set_hash_nets) | ||
| 677 | * (set->family == AF_INET ? 32 : 128), GFP_KERNEL); | ||
| 678 | if (!h) | ||
| 679 | return -ENOMEM; | ||
| 680 | |||
| 681 | h->maxelem = maxelem; | ||
| 682 | get_random_bytes(&h->initval, sizeof(h->initval)); | ||
| 683 | h->timeout = IPSET_NO_TIMEOUT; | ||
| 684 | |||
| 685 | hbits = htable_bits(hashsize); | ||
| 686 | h->table = ip_set_alloc( | ||
| 687 | sizeof(struct htable) | ||
| 688 | + jhash_size(hbits) * sizeof(struct hbucket)); | ||
| 689 | if (!h->table) { | ||
| 690 | kfree(h); | ||
| 691 | return -ENOMEM; | ||
| 692 | } | ||
| 693 | h->table->htable_bits = hbits; | ||
| 694 | h->rbtree = RB_ROOT; | ||
| 695 | |||
| 696 | set->data = h; | ||
| 697 | |||
| 698 | if (tb[IPSET_ATTR_TIMEOUT]) { | ||
| 699 | h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); | ||
| 700 | |||
| 701 | set->variant = set->family == AF_INET | ||
| 702 | ? &hash_netiface4_tvariant : &hash_netiface6_tvariant; | ||
| 703 | |||
| 704 | if (set->family == AF_INET) | ||
| 705 | hash_netiface4_gc_init(set); | ||
| 706 | else | ||
| 707 | hash_netiface6_gc_init(set); | ||
| 708 | } else { | ||
| 709 | set->variant = set->family == AF_INET | ||
| 710 | ? &hash_netiface4_variant : &hash_netiface6_variant; | ||
| 711 | } | ||
| 712 | |||
| 713 | pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n", | ||
| 714 | set->name, jhash_size(h->table->htable_bits), | ||
| 715 | h->table->htable_bits, h->maxelem, set->data, h->table); | ||
| 716 | |||
| 717 | return 0; | ||
| 718 | } | ||
| 719 | |||
| 720 | static struct ip_set_type hash_netiface_type __read_mostly = { | ||
| 721 | .name = "hash:net,iface", | ||
| 722 | .protocol = IPSET_PROTOCOL, | ||
| 723 | .features = IPSET_TYPE_IP | IPSET_TYPE_IFACE, | ||
| 724 | .dimension = IPSET_DIM_TWO, | ||
| 725 | .family = AF_UNSPEC, | ||
| 726 | .revision_min = 0, | ||
| 727 | .create = hash_netiface_create, | ||
| 728 | .create_policy = { | ||
| 729 | [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 }, | ||
| 730 | [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 }, | ||
| 731 | [IPSET_ATTR_PROBES] = { .type = NLA_U8 }, | ||
| 732 | [IPSET_ATTR_RESIZE] = { .type = NLA_U8 }, | ||
| 733 | [IPSET_ATTR_PROTO] = { .type = NLA_U8 }, | ||
| 734 | [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, | ||
| 735 | }, | ||
| 736 | .adt_policy = { | ||
| 737 | [IPSET_ATTR_IP] = { .type = NLA_NESTED }, | ||
| 738 | [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, | ||
| 739 | [IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING, | ||
| 740 | .len = IPSET_MAXNAMELEN - 1 }, | ||
| 741 | [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, | ||
| 742 | [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, | ||
| 743 | [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, | ||
| 744 | [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, | ||
| 745 | }, | ||
| 746 | .me = THIS_MODULE, | ||
| 747 | }; | ||
| 748 | |||
| 749 | static int __init | ||
| 750 | hash_netiface_init(void) | ||
| 751 | { | ||
| 752 | return ip_set_type_register(&hash_netiface_type); | ||
| 753 | } | ||
| 754 | |||
| 755 | static void __exit | ||
| 756 | hash_netiface_fini(void) | ||
| 757 | { | ||
| 758 | ip_set_type_unregister(&hash_netiface_type); | ||
| 759 | } | ||
| 760 | |||
| 761 | module_init(hash_netiface_init); | ||
| 762 | module_exit(hash_netiface_fini); | ||