diff options
author | Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> | 2013-09-20 04:13:53 -0400 |
---|---|---|
committer | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2013-09-30 15:33:28 -0400 |
commit | ea53ac5b630e813aec20c7cdcfe511daca70dee4 (patch) | |
tree | c9263e919fb0352932b25f1b7ad56794476cc8c4 /net/netfilter | |
parent | d9628bbeca888fd1f9a9c57864dd90b7d25954e0 (diff) |
netfilter: ipset: Add hash:net,net module to kernel.
This adds a new set that provides the ability to configure pairs of
subnets. A small amount of additional handling code has been added to
the generic hash header file - this code is conditionally activated by a
preprocessor definition.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/ipset/Kconfig | 9 | ||||
-rw-r--r-- | net/netfilter/ipset/Makefile | 1 | ||||
-rw-r--r-- | net/netfilter/ipset/ip_set_hash_gen.h | 58 | ||||
-rw-r--r-- | net/netfilter/ipset/ip_set_hash_netnet.c | 482 |
4 files changed, 541 insertions, 9 deletions
diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig index fd2c14b6c51b..9119f658a69b 100644 --- a/net/netfilter/ipset/Kconfig +++ b/net/netfilter/ipset/Kconfig | |||
@@ -99,6 +99,15 @@ config IP_SET_HASH_NET | |||
99 | 99 | ||
100 | To compile it as a module, choose M here. If unsure, say N. | 100 | To compile it as a module, choose M here. If unsure, say N. |
101 | 101 | ||
102 | config IP_SET_HASH_NETNET | ||
103 | tristate "hash:net,net set support" | ||
104 | depends on IP_SET | ||
105 | help | ||
106 | This option adds the hash:net,net set type support, by which | ||
107 | one can store IPv4/IPv6 network address/prefix pairs in a set. | ||
108 | |||
109 | To compile it as a module, choose M here. If unsure, say N. | ||
110 | |||
102 | config IP_SET_HASH_NETPORT | 111 | config IP_SET_HASH_NETPORT |
103 | tristate "hash:net,port set support" | 112 | tristate "hash:net,port set support" |
104 | depends on IP_SET | 113 | depends on IP_SET |
diff --git a/net/netfilter/ipset/Makefile b/net/netfilter/ipset/Makefile index 6e965ecd5444..43eef7a19e3c 100644 --- a/net/netfilter/ipset/Makefile +++ b/net/netfilter/ipset/Makefile | |||
@@ -20,6 +20,7 @@ obj-$(CONFIG_IP_SET_HASH_IPPORTNET) += ip_set_hash_ipportnet.o | |||
20 | obj-$(CONFIG_IP_SET_HASH_NET) += ip_set_hash_net.o | 20 | obj-$(CONFIG_IP_SET_HASH_NET) += ip_set_hash_net.o |
21 | obj-$(CONFIG_IP_SET_HASH_NETPORT) += ip_set_hash_netport.o | 21 | obj-$(CONFIG_IP_SET_HASH_NETPORT) += ip_set_hash_netport.o |
22 | obj-$(CONFIG_IP_SET_HASH_NETIFACE) += ip_set_hash_netiface.o | 22 | obj-$(CONFIG_IP_SET_HASH_NETIFACE) += ip_set_hash_netiface.o |
23 | obj-$(CONFIG_IP_SET_HASH_NETNET) += ip_set_hash_netnet.o | ||
23 | 24 | ||
24 | # list types | 25 | # list types |
25 | obj-$(CONFIG_IP_SET_LIST_SET) += ip_set_list_set.o | 26 | obj-$(CONFIG_IP_SET_LIST_SET) += ip_set_list_set.o |
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h index 3c26e5b946f5..6bd2eef4f5d0 100644 --- a/net/netfilter/ipset/ip_set_hash_gen.h +++ b/net/netfilter/ipset/ip_set_hash_gen.h | |||
@@ -142,11 +142,16 @@ hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize) | |||
142 | } | 142 | } |
143 | 143 | ||
144 | #ifdef IP_SET_HASH_WITH_NETS | 144 | #ifdef IP_SET_HASH_WITH_NETS |
145 | #if IPSET_NET_COUNT > 1 | ||
146 | #define __CIDR(cidr, i) (cidr[i]) | ||
147 | #else | ||
148 | #define __CIDR(cidr, i) (cidr) | ||
149 | #endif | ||
145 | #ifdef IP_SET_HASH_WITH_NETS_PACKED | 150 | #ifdef IP_SET_HASH_WITH_NETS_PACKED |
146 | /* When cidr is packed with nomatch, cidr - 1 is stored in the entry */ | 151 | /* When cidr is packed with nomatch, cidr - 1 is stored in the entry */ |
147 | #define CIDR(cidr) (cidr + 1) | 152 | #define CIDR(cidr, i) (__CIDR(cidr, i) + 1) |
148 | #else | 153 | #else |
149 | #define CIDR(cidr) (cidr) | 154 | #define CIDR(cidr, i) (__CIDR(cidr, i)) |
150 | #endif | 155 | #endif |
151 | 156 | ||
152 | #define SET_HOST_MASK(family) (family == AF_INET ? 32 : 128) | 157 | #define SET_HOST_MASK(family) (family == AF_INET ? 32 : 128) |
@@ -210,6 +215,7 @@ hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize) | |||
210 | #define mtype_do_data_match(d) 1 | 215 | #define mtype_do_data_match(d) 1 |
211 | #endif | 216 | #endif |
212 | #define mtype_data_set_flags IPSET_TOKEN(MTYPE, _data_set_flags) | 217 | #define mtype_data_set_flags IPSET_TOKEN(MTYPE, _data_set_flags) |
218 | #define mtype_data_reset_elem IPSET_TOKEN(MTYPE, _data_reset_elem) | ||
213 | #define mtype_data_reset_flags IPSET_TOKEN(MTYPE, _data_reset_flags) | 219 | #define mtype_data_reset_flags IPSET_TOKEN(MTYPE, _data_reset_flags) |
214 | #define mtype_data_netmask IPSET_TOKEN(MTYPE, _data_netmask) | 220 | #define mtype_data_netmask IPSET_TOKEN(MTYPE, _data_netmask) |
215 | #define mtype_data_list IPSET_TOKEN(MTYPE, _data_list) | 221 | #define mtype_data_list IPSET_TOKEN(MTYPE, _data_list) |
@@ -461,6 +467,9 @@ mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize) | |||
461 | struct mtype_elem *data; | 467 | struct mtype_elem *data; |
462 | u32 i; | 468 | u32 i; |
463 | int j; | 469 | int j; |
470 | #ifdef IP_SET_HASH_WITH_NETS | ||
471 | u8 k; | ||
472 | #endif | ||
464 | 473 | ||
465 | rcu_read_lock_bh(); | 474 | rcu_read_lock_bh(); |
466 | t = rcu_dereference_bh(h->table); | 475 | t = rcu_dereference_bh(h->table); |
@@ -471,8 +480,9 @@ mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize) | |||
471 | if (ip_set_timeout_expired(ext_timeout(data, set))) { | 480 | if (ip_set_timeout_expired(ext_timeout(data, set))) { |
472 | pr_debug("expired %u/%u\n", i, j); | 481 | pr_debug("expired %u/%u\n", i, j); |
473 | #ifdef IP_SET_HASH_WITH_NETS | 482 | #ifdef IP_SET_HASH_WITH_NETS |
474 | mtype_del_cidr(h, CIDR(data->cidr), | 483 | for (k = 0; k < IPSET_NET_COUNT; k++) |
475 | nets_length, 0); | 484 | mtype_del_cidr(h, CIDR(data->cidr, k), |
485 | nets_length, k); | ||
476 | #endif | 486 | #endif |
477 | ip_set_ext_destroy(set, data); | 487 | ip_set_ext_destroy(set, data); |
478 | if (j != n->pos - 1) | 488 | if (j != n->pos - 1) |
@@ -658,8 +668,12 @@ reuse_slot: | |||
658 | /* Fill out reused slot */ | 668 | /* Fill out reused slot */ |
659 | data = ahash_data(n, j, set->dsize); | 669 | data = ahash_data(n, j, set->dsize); |
660 | #ifdef IP_SET_HASH_WITH_NETS | 670 | #ifdef IP_SET_HASH_WITH_NETS |
661 | mtype_del_cidr(h, CIDR(data->cidr), NLEN(set->family), 0); | 671 | for (i = 0; i < IPSET_NET_COUNT; i++) { |
662 | mtype_add_cidr(h, CIDR(d->cidr), NLEN(set->family), 0); | 672 | mtype_del_cidr(h, CIDR(data->cidr, i), |
673 | NLEN(set->family), i); | ||
674 | mtype_add_cidr(h, CIDR(d->cidr, i), | ||
675 | NLEN(set->family), i); | ||
676 | } | ||
663 | #endif | 677 | #endif |
664 | ip_set_ext_destroy(set, data); | 678 | ip_set_ext_destroy(set, data); |
665 | } else { | 679 | } else { |
@@ -673,7 +687,9 @@ reuse_slot: | |||
673 | } | 687 | } |
674 | data = ahash_data(n, n->pos++, set->dsize); | 688 | data = ahash_data(n, n->pos++, set->dsize); |
675 | #ifdef IP_SET_HASH_WITH_NETS | 689 | #ifdef IP_SET_HASH_WITH_NETS |
676 | mtype_add_cidr(h, CIDR(d->cidr), NLEN(set->family), 0); | 690 | for (i = 0; i < IPSET_NET_COUNT; i++) |
691 | mtype_add_cidr(h, CIDR(d->cidr, i), NLEN(set->family), | ||
692 | i); | ||
677 | #endif | 693 | #endif |
678 | h->elements++; | 694 | h->elements++; |
679 | } | 695 | } |
@@ -704,6 +720,9 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext, | |||
704 | struct mtype_elem *data; | 720 | struct mtype_elem *data; |
705 | struct hbucket *n; | 721 | struct hbucket *n; |
706 | int i, ret = -IPSET_ERR_EXIST; | 722 | int i, ret = -IPSET_ERR_EXIST; |
723 | #ifdef IP_SET_HASH_WITH_NETS | ||
724 | u8 j; | ||
725 | #endif | ||
707 | u32 key, multi = 0; | 726 | u32 key, multi = 0; |
708 | 727 | ||
709 | rcu_read_lock_bh(); | 728 | rcu_read_lock_bh(); |
@@ -725,7 +744,9 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext, | |||
725 | n->pos--; | 744 | n->pos--; |
726 | h->elements--; | 745 | h->elements--; |
727 | #ifdef IP_SET_HASH_WITH_NETS | 746 | #ifdef IP_SET_HASH_WITH_NETS |
728 | mtype_del_cidr(h, CIDR(d->cidr), NLEN(set->family), 0); | 747 | for (j = 0; j < IPSET_NET_COUNT; j++) |
748 | mtype_del_cidr(h, CIDR(d->cidr, j), NLEN(set->family), | ||
749 | j); | ||
729 | #endif | 750 | #endif |
730 | ip_set_ext_destroy(set, data); | 751 | ip_set_ext_destroy(set, data); |
731 | if (n->pos + AHASH_INIT_SIZE < n->size) { | 752 | if (n->pos + AHASH_INIT_SIZE < n->size) { |
@@ -772,13 +793,26 @@ mtype_test_cidrs(struct ip_set *set, struct mtype_elem *d, | |||
772 | struct htable *t = rcu_dereference_bh(h->table); | 793 | struct htable *t = rcu_dereference_bh(h->table); |
773 | struct hbucket *n; | 794 | struct hbucket *n; |
774 | struct mtype_elem *data; | 795 | struct mtype_elem *data; |
796 | #if IPSET_NET_COUNT == 2 | ||
797 | struct mtype_elem orig = *d; | ||
798 | int i, j = 0, k; | ||
799 | #else | ||
775 | int i, j = 0; | 800 | int i, j = 0; |
801 | #endif | ||
776 | u32 key, multi = 0; | 802 | u32 key, multi = 0; |
777 | u8 nets_length = NLEN(set->family); | 803 | u8 nets_length = NLEN(set->family); |
778 | 804 | ||
779 | pr_debug("test by nets\n"); | 805 | pr_debug("test by nets\n"); |
780 | for (; j < nets_length && h->nets[j].nets[0] && !multi; j++) { | 806 | for (; j < nets_length && h->nets[j].nets[0] && !multi; j++) { |
807 | #if IPSET_NET_COUNT == 2 | ||
808 | mtype_data_reset_elem(d, &orig); | ||
809 | mtype_data_netmask(d, h->nets[j].cidr[0], false); | ||
810 | for (k = 0; k < nets_length && h->nets[k].nets[1] && !multi; | ||
811 | k++) { | ||
812 | mtype_data_netmask(d, h->nets[k].cidr[1], true); | ||
813 | #else | ||
781 | mtype_data_netmask(d, h->nets[j].cidr[0]); | 814 | mtype_data_netmask(d, h->nets[j].cidr[0]); |
815 | #endif | ||
782 | key = HKEY(d, h->initval, t->htable_bits); | 816 | key = HKEY(d, h->initval, t->htable_bits); |
783 | n = hbucket(t, key); | 817 | n = hbucket(t, key); |
784 | for (i = 0; i < n->pos; i++) { | 818 | for (i = 0; i < n->pos; i++) { |
@@ -798,6 +832,9 @@ mtype_test_cidrs(struct ip_set *set, struct mtype_elem *d, | |||
798 | return mtype_data_match(data, ext, | 832 | return mtype_data_match(data, ext, |
799 | mext, set, flags); | 833 | mext, set, flags); |
800 | } | 834 | } |
835 | #if IPSET_NET_COUNT == 2 | ||
836 | } | ||
837 | #endif | ||
801 | } | 838 | } |
802 | return 0; | 839 | return 0; |
803 | } | 840 | } |
@@ -821,7 +858,10 @@ mtype_test(struct ip_set *set, void *value, const struct ip_set_ext *ext, | |||
821 | #ifdef IP_SET_HASH_WITH_NETS | 858 | #ifdef IP_SET_HASH_WITH_NETS |
822 | /* If we test an IP address and not a network address, | 859 | /* If we test an IP address and not a network address, |
823 | * try all possible network sizes */ | 860 | * try all possible network sizes */ |
824 | if (CIDR(d->cidr) == SET_HOST_MASK(set->family)) { | 861 | for (i = 0; i < IPSET_NET_COUNT; i++) |
862 | if (CIDR(d->cidr, i) != SET_HOST_MASK(set->family)) | ||
863 | break; | ||
864 | if (i == IPSET_NET_COUNT) { | ||
825 | ret = mtype_test_cidrs(set, d, ext, mext, flags); | 865 | ret = mtype_test_cidrs(set, d, ext, mext, flags); |
826 | goto out; | 866 | goto out; |
827 | } | 867 | } |
diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c new file mode 100644 index 000000000000..771ce2b565a6 --- /dev/null +++ b/net/netfilter/ipset/ip_set_hash_netnet.c | |||
@@ -0,0 +1,482 @@ | |||
1 | /* Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | ||
2 | * Copyright (C) 2013 Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> | ||
3 | * | ||
4 | * This program is free software; you can redistribute it and/or modify | ||
5 | * it under the terms of the GNU General Public License version 2 as | ||
6 | * published by the Free Software Foundation. | ||
7 | */ | ||
8 | |||
9 | /* Kernel module implementing an IP set type: the hash:net type */ | ||
10 | |||
11 | #include <linux/jhash.h> | ||
12 | #include <linux/module.h> | ||
13 | #include <linux/ip.h> | ||
14 | #include <linux/skbuff.h> | ||
15 | #include <linux/errno.h> | ||
16 | #include <linux/random.h> | ||
17 | #include <net/ip.h> | ||
18 | #include <net/ipv6.h> | ||
19 | #include <net/netlink.h> | ||
20 | |||
21 | #include <linux/netfilter.h> | ||
22 | #include <linux/netfilter/ipset/pfxlen.h> | ||
23 | #include <linux/netfilter/ipset/ip_set.h> | ||
24 | #include <linux/netfilter/ipset/ip_set_hash.h> | ||
25 | |||
26 | #define IPSET_TYPE_REV_MIN 0 | ||
27 | #define IPSET_TYPE_REV_MAX 0 | ||
28 | |||
29 | MODULE_LICENSE("GPL"); | ||
30 | MODULE_AUTHOR("Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>"); | ||
31 | IP_SET_MODULE_DESC("hash:net,net", IPSET_TYPE_REV_MIN, IPSET_TYPE_REV_MAX); | ||
32 | MODULE_ALIAS("ip_set_hash:net,net"); | ||
33 | |||
34 | /* Type specific function prefix */ | ||
35 | #define HTYPE hash_netnet | ||
36 | #define IP_SET_HASH_WITH_NETS | ||
37 | #define IPSET_NET_COUNT 2 | ||
38 | |||
39 | /* IPv4 variants */ | ||
40 | |||
41 | /* Member elements */ | ||
42 | struct hash_netnet4_elem { | ||
43 | union { | ||
44 | __be32 ip[2]; | ||
45 | __be64 ipcmp; | ||
46 | }; | ||
47 | u8 nomatch; | ||
48 | union { | ||
49 | u8 cidr[2]; | ||
50 | u16 ccmp; | ||
51 | }; | ||
52 | }; | ||
53 | |||
54 | /* Common functions */ | ||
55 | |||
56 | static inline bool | ||
57 | hash_netnet4_data_equal(const struct hash_netnet4_elem *ip1, | ||
58 | const struct hash_netnet4_elem *ip2, | ||
59 | u32 *multi) | ||
60 | { | ||
61 | return ip1->ipcmp == ip2->ipcmp && | ||
62 | ip2->ccmp == ip2->ccmp; | ||
63 | } | ||
64 | |||
65 | static inline int | ||
66 | hash_netnet4_do_data_match(const struct hash_netnet4_elem *elem) | ||
67 | { | ||
68 | return elem->nomatch ? -ENOTEMPTY : 1; | ||
69 | } | ||
70 | |||
71 | static inline void | ||
72 | hash_netnet4_data_set_flags(struct hash_netnet4_elem *elem, u32 flags) | ||
73 | { | ||
74 | elem->nomatch = (flags >> 16) & IPSET_FLAG_NOMATCH; | ||
75 | } | ||
76 | |||
77 | static inline void | ||
78 | hash_netnet4_data_reset_flags(struct hash_netnet4_elem *elem, u8 *flags) | ||
79 | { | ||
80 | swap(*flags, elem->nomatch); | ||
81 | } | ||
82 | |||
83 | static inline void | ||
84 | hash_netnet4_data_reset_elem(struct hash_netnet4_elem *elem, | ||
85 | struct hash_netnet4_elem *orig) | ||
86 | { | ||
87 | elem->ip[1] = orig->ip[1]; | ||
88 | } | ||
89 | |||
90 | static inline void | ||
91 | hash_netnet4_data_netmask(struct hash_netnet4_elem *elem, u8 cidr, bool inner) | ||
92 | { | ||
93 | if (inner) { | ||
94 | elem->ip[1] &= ip_set_netmask(cidr); | ||
95 | elem->cidr[1] = cidr; | ||
96 | } else { | ||
97 | elem->ip[0] &= ip_set_netmask(cidr); | ||
98 | elem->cidr[0] = cidr; | ||
99 | } | ||
100 | } | ||
101 | |||
102 | static bool | ||
103 | hash_netnet4_data_list(struct sk_buff *skb, | ||
104 | const struct hash_netnet4_elem *data) | ||
105 | { | ||
106 | u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0; | ||
107 | |||
108 | if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip[0]) || | ||
109 | nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip[1]) || | ||
110 | nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0]) || | ||
111 | nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr[1]) || | ||
112 | (flags && | ||
113 | nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags)))) | ||
114 | goto nla_put_failure; | ||
115 | return 0; | ||
116 | |||
117 | nla_put_failure: | ||
118 | return 1; | ||
119 | } | ||
120 | |||
121 | static inline void | ||
122 | hash_netnet4_data_next(struct hash_netnet4_elem *next, | ||
123 | const struct hash_netnet4_elem *d) | ||
124 | { | ||
125 | next->ipcmp = d->ipcmp; | ||
126 | } | ||
127 | |||
128 | #define MTYPE hash_netnet4 | ||
129 | #define PF 4 | ||
130 | #define HOST_MASK 32 | ||
131 | #include "ip_set_hash_gen.h" | ||
132 | |||
133 | static int | ||
134 | hash_netnet4_kadt(struct ip_set *set, const struct sk_buff *skb, | ||
135 | const struct xt_action_param *par, | ||
136 | enum ipset_adt adt, struct ip_set_adt_opt *opt) | ||
137 | { | ||
138 | const struct hash_netnet *h = set->data; | ||
139 | ipset_adtfn adtfn = set->variant->adt[adt]; | ||
140 | struct hash_netnet4_elem e = { | ||
141 | .cidr[0] = h->nets[0].cidr[0] ? h->nets[0].cidr[0] : HOST_MASK, | ||
142 | .cidr[1] = h->nets[0].cidr[1] ? h->nets[0].cidr[1] : HOST_MASK, | ||
143 | }; | ||
144 | struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); | ||
145 | |||
146 | if (adt == IPSET_TEST) | ||
147 | e.ccmp = (HOST_MASK << (sizeof(e.cidr[0]) * 8)) | HOST_MASK; | ||
148 | |||
149 | ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0]); | ||
150 | ip4addrptr(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.ip[1]); | ||
151 | e.ip[0] &= ip_set_netmask(e.cidr[0]); | ||
152 | e.ip[1] &= ip_set_netmask(e.cidr[1]); | ||
153 | |||
154 | return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); | ||
155 | } | ||
156 | |||
157 | static int | ||
158 | hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[], | ||
159 | enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) | ||
160 | { | ||
161 | const struct hash_netnet *h = set->data; | ||
162 | ipset_adtfn adtfn = set->variant->adt[adt]; | ||
163 | struct hash_netnet4_elem e = { .cidr[0] = HOST_MASK, | ||
164 | .cidr[1] = HOST_MASK }; | ||
165 | struct ip_set_ext ext = IP_SET_INIT_UEXT(set); | ||
166 | u32 ip = 0, ip_to = 0, last; | ||
167 | u32 ip2 = 0, ip2_from = 0, ip2_to = 0, last2; | ||
168 | u8 cidr, cidr2; | ||
169 | int ret; | ||
170 | |||
171 | if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || | ||
172 | !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || | ||
173 | !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) || | ||
174 | !ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) || | ||
175 | !ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES))) | ||
176 | return -IPSET_ERR_PROTOCOL; | ||
177 | |||
178 | if (tb[IPSET_ATTR_LINENO]) | ||
179 | *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); | ||
180 | |||
181 | ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) || | ||
182 | ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2], &ip2_from) || | ||
183 | ip_set_get_extensions(set, tb, &ext); | ||
184 | if (ret) | ||
185 | return ret; | ||
186 | |||
187 | if (tb[IPSET_ATTR_CIDR]) { | ||
188 | cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); | ||
189 | if (!cidr || cidr > HOST_MASK) | ||
190 | return -IPSET_ERR_INVALID_CIDR; | ||
191 | e.cidr[0] = cidr; | ||
192 | } | ||
193 | |||
194 | if (tb[IPSET_ATTR_CIDR2]) { | ||
195 | cidr2 = nla_get_u8(tb[IPSET_ATTR_CIDR2]); | ||
196 | if (!cidr2 || cidr2 > HOST_MASK) | ||
197 | return -IPSET_ERR_INVALID_CIDR; | ||
198 | e.cidr[1] = cidr2; | ||
199 | } | ||
200 | |||
201 | if (tb[IPSET_ATTR_CADT_FLAGS]) { | ||
202 | u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); | ||
203 | if (cadt_flags & IPSET_FLAG_NOMATCH) | ||
204 | flags |= (IPSET_FLAG_NOMATCH << 16); | ||
205 | } | ||
206 | |||
207 | if (adt == IPSET_TEST || !(tb[IPSET_ATTR_IP_TO] && | ||
208 | tb[IPSET_ATTR_IP2_TO])) { | ||
209 | e.ip[0] = htonl(ip & ip_set_hostmask(e.cidr[0])); | ||
210 | e.ip[1] = htonl(ip2_from & ip_set_hostmask(e.cidr[1])); | ||
211 | ret = adtfn(set, &e, &ext, &ext, flags); | ||
212 | return ip_set_enomatch(ret, flags, adt, set) ? -ret : | ||
213 | ip_set_eexist(ret, flags) ? 0 : ret; | ||
214 | } | ||
215 | |||
216 | ip_to = ip; | ||
217 | if (tb[IPSET_ATTR_IP_TO]) { | ||
218 | ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); | ||
219 | if (ret) | ||
220 | return ret; | ||
221 | if (ip_to < ip) | ||
222 | swap(ip, ip_to); | ||
223 | if (ip + UINT_MAX == ip_to) | ||
224 | return -IPSET_ERR_HASH_RANGE; | ||
225 | } | ||
226 | |||
227 | ip2_to = ip2_from; | ||
228 | if (tb[IPSET_ATTR_IP2_TO]) { | ||
229 | ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2_TO], &ip2_to); | ||
230 | if (ret) | ||
231 | return ret; | ||
232 | if (ip2_to < ip2_from) | ||
233 | swap(ip2_from, ip2_to); | ||
234 | if (ip2_from + UINT_MAX == ip2_to) | ||
235 | return -IPSET_ERR_HASH_RANGE; | ||
236 | |||
237 | } | ||
238 | |||
239 | if (retried) | ||
240 | ip = ntohl(h->next.ip[0]); | ||
241 | |||
242 | while (!after(ip, ip_to)) { | ||
243 | e.ip[0] = htonl(ip); | ||
244 | last = ip_set_range_to_cidr(ip, ip_to, &cidr); | ||
245 | e.cidr[0] = cidr; | ||
246 | ip2 = (retried && | ||
247 | ip == ntohl(h->next.ip[0])) ? ntohl(h->next.ip[1]) | ||
248 | : ip2_from; | ||
249 | while (!after(ip2, ip2_to)) { | ||
250 | e.ip[1] = htonl(ip2); | ||
251 | last2 = ip_set_range_to_cidr(ip2, ip2_to, &cidr2); | ||
252 | e.cidr[1] = cidr2; | ||
253 | ret = adtfn(set, &e, &ext, &ext, flags); | ||
254 | if (ret && !ip_set_eexist(ret, flags)) | ||
255 | return ret; | ||
256 | else | ||
257 | ret = 0; | ||
258 | ip2 = last2 + 1; | ||
259 | } | ||
260 | ip = last + 1; | ||
261 | } | ||
262 | return ret; | ||
263 | } | ||
264 | |||
265 | /* IPv6 variants */ | ||
266 | |||
267 | struct hash_netnet6_elem { | ||
268 | union nf_inet_addr ip[2]; | ||
269 | u8 nomatch; | ||
270 | union { | ||
271 | u8 cidr[2]; | ||
272 | u16 ccmp; | ||
273 | }; | ||
274 | }; | ||
275 | |||
276 | /* Common functions */ | ||
277 | |||
278 | static inline bool | ||
279 | hash_netnet6_data_equal(const struct hash_netnet6_elem *ip1, | ||
280 | const struct hash_netnet6_elem *ip2, | ||
281 | u32 *multi) | ||
282 | { | ||
283 | return ipv6_addr_equal(&ip1->ip[0].in6, &ip2->ip[0].in6) && | ||
284 | ipv6_addr_equal(&ip1->ip[1].in6, &ip2->ip[1].in6) && | ||
285 | ip1->ccmp == ip2->ccmp; | ||
286 | } | ||
287 | |||
288 | static inline int | ||
289 | hash_netnet6_do_data_match(const struct hash_netnet6_elem *elem) | ||
290 | { | ||
291 | return elem->nomatch ? -ENOTEMPTY : 1; | ||
292 | } | ||
293 | |||
294 | static inline void | ||
295 | hash_netnet6_data_set_flags(struct hash_netnet6_elem *elem, u32 flags) | ||
296 | { | ||
297 | elem->nomatch = (flags >> 16) & IPSET_FLAG_NOMATCH; | ||
298 | } | ||
299 | |||
300 | static inline void | ||
301 | hash_netnet6_data_reset_flags(struct hash_netnet6_elem *elem, u8 *flags) | ||
302 | { | ||
303 | swap(*flags, elem->nomatch); | ||
304 | } | ||
305 | |||
306 | static inline void | ||
307 | hash_netnet6_data_reset_elem(struct hash_netnet6_elem *elem, | ||
308 | struct hash_netnet6_elem *orig) | ||
309 | { | ||
310 | elem->ip[1] = orig->ip[1]; | ||
311 | } | ||
312 | |||
313 | static inline void | ||
314 | hash_netnet6_data_netmask(struct hash_netnet6_elem *elem, u8 cidr, bool inner) | ||
315 | { | ||
316 | if (inner) { | ||
317 | ip6_netmask(&elem->ip[1], cidr); | ||
318 | elem->cidr[1] = cidr; | ||
319 | } else { | ||
320 | ip6_netmask(&elem->ip[0], cidr); | ||
321 | elem->cidr[0] = cidr; | ||
322 | } | ||
323 | } | ||
324 | |||
325 | static bool | ||
326 | hash_netnet6_data_list(struct sk_buff *skb, | ||
327 | const struct hash_netnet6_elem *data) | ||
328 | { | ||
329 | u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0; | ||
330 | |||
331 | if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip[0].in6) || | ||
332 | nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip[1].in6) || | ||
333 | nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0]) || | ||
334 | nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr[1]) || | ||
335 | (flags && | ||
336 | nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags)))) | ||
337 | goto nla_put_failure; | ||
338 | return 0; | ||
339 | |||
340 | nla_put_failure: | ||
341 | return 1; | ||
342 | } | ||
343 | |||
344 | static inline void | ||
345 | hash_netnet6_data_next(struct hash_netnet4_elem *next, | ||
346 | const struct hash_netnet6_elem *d) | ||
347 | { | ||
348 | } | ||
349 | |||
350 | #undef MTYPE | ||
351 | #undef PF | ||
352 | #undef HOST_MASK | ||
353 | |||
354 | #define MTYPE hash_netnet6 | ||
355 | #define PF 6 | ||
356 | #define HOST_MASK 128 | ||
357 | #define IP_SET_EMIT_CREATE | ||
358 | #include "ip_set_hash_gen.h" | ||
359 | |||
360 | static int | ||
361 | hash_netnet6_kadt(struct ip_set *set, const struct sk_buff *skb, | ||
362 | const struct xt_action_param *par, | ||
363 | enum ipset_adt adt, struct ip_set_adt_opt *opt) | ||
364 | { | ||
365 | const struct hash_netnet *h = set->data; | ||
366 | ipset_adtfn adtfn = set->variant->adt[adt]; | ||
367 | struct hash_netnet6_elem e = { | ||
368 | .cidr[0] = h->nets[0].cidr[0] ? h->nets[0].cidr[0] : HOST_MASK, | ||
369 | .cidr[1] = h->nets[0].cidr[1] ? h->nets[0].cidr[1] : HOST_MASK | ||
370 | }; | ||
371 | struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); | ||
372 | |||
373 | if (adt == IPSET_TEST) | ||
374 | e.ccmp = (HOST_MASK << (sizeof(u8)*8)) | HOST_MASK; | ||
375 | |||
376 | ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0].in6); | ||
377 | ip6addrptr(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.ip[1].in6); | ||
378 | ip6_netmask(&e.ip[0], e.cidr[0]); | ||
379 | ip6_netmask(&e.ip[1], e.cidr[1]); | ||
380 | |||
381 | return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); | ||
382 | } | ||
383 | |||
384 | static int | ||
385 | hash_netnet6_uadt(struct ip_set *set, struct nlattr *tb[], | ||
386 | enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) | ||
387 | { | ||
388 | ipset_adtfn adtfn = set->variant->adt[adt]; | ||
389 | struct hash_netnet6_elem e = { .cidr[0] = HOST_MASK, | ||
390 | .cidr[1] = HOST_MASK }; | ||
391 | struct ip_set_ext ext = IP_SET_INIT_UEXT(set); | ||
392 | int ret; | ||
393 | |||
394 | if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || | ||
395 | !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || | ||
396 | !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) || | ||
397 | !ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) || | ||
398 | !ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES))) | ||
399 | return -IPSET_ERR_PROTOCOL; | ||
400 | if (unlikely(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_IP2_TO])) | ||
401 | return -IPSET_ERR_HASH_RANGE_UNSUPPORTED; | ||
402 | |||
403 | if (tb[IPSET_ATTR_LINENO]) | ||
404 | *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); | ||
405 | |||
406 | ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]) || | ||
407 | ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &e.ip[1]) || | ||
408 | ip_set_get_extensions(set, tb, &ext); | ||
409 | if (ret) | ||
410 | return ret; | ||
411 | |||
412 | if (tb[IPSET_ATTR_CIDR]) | ||
413 | e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]); | ||
414 | |||
415 | if (tb[IPSET_ATTR_CIDR2]) | ||
416 | e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]); | ||
417 | |||
418 | if (!e.cidr[0] || e.cidr[0] > HOST_MASK || !e.cidr[1] || | ||
419 | e.cidr[1] > HOST_MASK) | ||
420 | return -IPSET_ERR_INVALID_CIDR; | ||
421 | |||
422 | ip6_netmask(&e.ip[0], e.cidr[0]); | ||
423 | ip6_netmask(&e.ip[1], e.cidr[1]); | ||
424 | |||
425 | if (tb[IPSET_ATTR_CADT_FLAGS]) { | ||
426 | u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); | ||
427 | if (cadt_flags & IPSET_FLAG_NOMATCH) | ||
428 | flags |= (IPSET_FLAG_NOMATCH << 16); | ||
429 | } | ||
430 | |||
431 | ret = adtfn(set, &e, &ext, &ext, flags); | ||
432 | |||
433 | return ip_set_enomatch(ret, flags, adt, set) ? -ret : | ||
434 | ip_set_eexist(ret, flags) ? 0 : ret; | ||
435 | } | ||
436 | |||
437 | static struct ip_set_type hash_netnet_type __read_mostly = { | ||
438 | .name = "hash:net,net", | ||
439 | .protocol = IPSET_PROTOCOL, | ||
440 | .features = IPSET_TYPE_IP | IPSET_TYPE_IP2 | IPSET_TYPE_NOMATCH, | ||
441 | .dimension = IPSET_DIM_TWO, | ||
442 | .family = NFPROTO_UNSPEC, | ||
443 | .revision_min = IPSET_TYPE_REV_MIN, | ||
444 | .revision_max = IPSET_TYPE_REV_MAX, | ||
445 | .create = hash_netnet_create, | ||
446 | .create_policy = { | ||
447 | [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 }, | ||
448 | [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 }, | ||
449 | [IPSET_ATTR_PROBES] = { .type = NLA_U8 }, | ||
450 | [IPSET_ATTR_RESIZE] = { .type = NLA_U8 }, | ||
451 | [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, | ||
452 | [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, | ||
453 | }, | ||
454 | .adt_policy = { | ||
455 | [IPSET_ATTR_IP] = { .type = NLA_NESTED }, | ||
456 | [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, | ||
457 | [IPSET_ATTR_IP2] = { .type = NLA_NESTED }, | ||
458 | [IPSET_ATTR_IP2_TO] = { .type = NLA_NESTED }, | ||
459 | [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, | ||
460 | [IPSET_ATTR_CIDR2] = { .type = NLA_U8 }, | ||
461 | [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, | ||
462 | [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, | ||
463 | [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, | ||
464 | [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, | ||
465 | }, | ||
466 | .me = THIS_MODULE, | ||
467 | }; | ||
468 | |||
469 | static int __init | ||
470 | hash_netnet_init(void) | ||
471 | { | ||
472 | return ip_set_type_register(&hash_netnet_type); | ||
473 | } | ||
474 | |||
475 | static void __exit | ||
476 | hash_netnet_fini(void) | ||
477 | { | ||
478 | ip_set_type_unregister(&hash_netnet_type); | ||
479 | } | ||
480 | |||
481 | module_init(hash_netnet_init); | ||
482 | module_exit(hash_netnet_fini); | ||