aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--net/netfilter/ipset/Kconfig9
-rw-r--r--net/netfilter/ipset/Makefile1
-rw-r--r--net/netfilter/ipset/ip_set_hash_gen.h58
-rw-r--r--net/netfilter/ipset/ip_set_hash_netnet.c482
4 files changed, 541 insertions, 9 deletions
diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig
index fd2c14b6c51b..9119f658a69b 100644
--- a/net/netfilter/ipset/Kconfig
+++ b/net/netfilter/ipset/Kconfig
@@ -99,6 +99,15 @@ config IP_SET_HASH_NET
99 99
100 To compile it as a module, choose M here. If unsure, say N. 100 To compile it as a module, choose M here. If unsure, say N.
101 101
102config IP_SET_HASH_NETNET
103 tristate "hash:net,net set support"
104 depends on IP_SET
105 help
106 This option adds the hash:net,net set type support, by which
107 one can store IPv4/IPv6 network address/prefix pairs in a set.
108
109 To compile it as a module, choose M here. If unsure, say N.
110
102config IP_SET_HASH_NETPORT 111config IP_SET_HASH_NETPORT
103 tristate "hash:net,port set support" 112 tristate "hash:net,port set support"
104 depends on IP_SET 113 depends on IP_SET
diff --git a/net/netfilter/ipset/Makefile b/net/netfilter/ipset/Makefile
index 6e965ecd5444..43eef7a19e3c 100644
--- a/net/netfilter/ipset/Makefile
+++ b/net/netfilter/ipset/Makefile
@@ -20,6 +20,7 @@ obj-$(CONFIG_IP_SET_HASH_IPPORTNET) += ip_set_hash_ipportnet.o
20obj-$(CONFIG_IP_SET_HASH_NET) += ip_set_hash_net.o 20obj-$(CONFIG_IP_SET_HASH_NET) += ip_set_hash_net.o
21obj-$(CONFIG_IP_SET_HASH_NETPORT) += ip_set_hash_netport.o 21obj-$(CONFIG_IP_SET_HASH_NETPORT) += ip_set_hash_netport.o
22obj-$(CONFIG_IP_SET_HASH_NETIFACE) += ip_set_hash_netiface.o 22obj-$(CONFIG_IP_SET_HASH_NETIFACE) += ip_set_hash_netiface.o
23obj-$(CONFIG_IP_SET_HASH_NETNET) += ip_set_hash_netnet.o
23 24
24# list types 25# list types
25obj-$(CONFIG_IP_SET_LIST_SET) += ip_set_list_set.o 26obj-$(CONFIG_IP_SET_LIST_SET) += ip_set_list_set.o
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 3c26e5b946f5..6bd2eef4f5d0 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -142,11 +142,16 @@ hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize)
142} 142}
143 143
144#ifdef IP_SET_HASH_WITH_NETS 144#ifdef IP_SET_HASH_WITH_NETS
145#if IPSET_NET_COUNT > 1
146#define __CIDR(cidr, i) (cidr[i])
147#else
148#define __CIDR(cidr, i) (cidr)
149#endif
145#ifdef IP_SET_HASH_WITH_NETS_PACKED 150#ifdef IP_SET_HASH_WITH_NETS_PACKED
146/* When cidr is packed with nomatch, cidr - 1 is stored in the entry */ 151/* When cidr is packed with nomatch, cidr - 1 is stored in the entry */
147#define CIDR(cidr) (cidr + 1) 152#define CIDR(cidr, i) (__CIDR(cidr, i) + 1)
148#else 153#else
149#define CIDR(cidr) (cidr) 154#define CIDR(cidr, i) (__CIDR(cidr, i))
150#endif 155#endif
151 156
152#define SET_HOST_MASK(family) (family == AF_INET ? 32 : 128) 157#define SET_HOST_MASK(family) (family == AF_INET ? 32 : 128)
@@ -210,6 +215,7 @@ hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize)
210#define mtype_do_data_match(d) 1 215#define mtype_do_data_match(d) 1
211#endif 216#endif
212#define mtype_data_set_flags IPSET_TOKEN(MTYPE, _data_set_flags) 217#define mtype_data_set_flags IPSET_TOKEN(MTYPE, _data_set_flags)
218#define mtype_data_reset_elem IPSET_TOKEN(MTYPE, _data_reset_elem)
213#define mtype_data_reset_flags IPSET_TOKEN(MTYPE, _data_reset_flags) 219#define mtype_data_reset_flags IPSET_TOKEN(MTYPE, _data_reset_flags)
214#define mtype_data_netmask IPSET_TOKEN(MTYPE, _data_netmask) 220#define mtype_data_netmask IPSET_TOKEN(MTYPE, _data_netmask)
215#define mtype_data_list IPSET_TOKEN(MTYPE, _data_list) 221#define mtype_data_list IPSET_TOKEN(MTYPE, _data_list)
@@ -461,6 +467,9 @@ mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize)
461 struct mtype_elem *data; 467 struct mtype_elem *data;
462 u32 i; 468 u32 i;
463 int j; 469 int j;
470#ifdef IP_SET_HASH_WITH_NETS
471 u8 k;
472#endif
464 473
465 rcu_read_lock_bh(); 474 rcu_read_lock_bh();
466 t = rcu_dereference_bh(h->table); 475 t = rcu_dereference_bh(h->table);
@@ -471,8 +480,9 @@ mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize)
471 if (ip_set_timeout_expired(ext_timeout(data, set))) { 480 if (ip_set_timeout_expired(ext_timeout(data, set))) {
472 pr_debug("expired %u/%u\n", i, j); 481 pr_debug("expired %u/%u\n", i, j);
473#ifdef IP_SET_HASH_WITH_NETS 482#ifdef IP_SET_HASH_WITH_NETS
474 mtype_del_cidr(h, CIDR(data->cidr), 483 for (k = 0; k < IPSET_NET_COUNT; k++)
475 nets_length, 0); 484 mtype_del_cidr(h, CIDR(data->cidr, k),
485 nets_length, k);
476#endif 486#endif
477 ip_set_ext_destroy(set, data); 487 ip_set_ext_destroy(set, data);
478 if (j != n->pos - 1) 488 if (j != n->pos - 1)
@@ -658,8 +668,12 @@ reuse_slot:
658 /* Fill out reused slot */ 668 /* Fill out reused slot */
659 data = ahash_data(n, j, set->dsize); 669 data = ahash_data(n, j, set->dsize);
660#ifdef IP_SET_HASH_WITH_NETS 670#ifdef IP_SET_HASH_WITH_NETS
661 mtype_del_cidr(h, CIDR(data->cidr), NLEN(set->family), 0); 671 for (i = 0; i < IPSET_NET_COUNT; i++) {
662 mtype_add_cidr(h, CIDR(d->cidr), NLEN(set->family), 0); 672 mtype_del_cidr(h, CIDR(data->cidr, i),
673 NLEN(set->family), i);
674 mtype_add_cidr(h, CIDR(d->cidr, i),
675 NLEN(set->family), i);
676 }
663#endif 677#endif
664 ip_set_ext_destroy(set, data); 678 ip_set_ext_destroy(set, data);
665 } else { 679 } else {
@@ -673,7 +687,9 @@ reuse_slot:
673 } 687 }
674 data = ahash_data(n, n->pos++, set->dsize); 688 data = ahash_data(n, n->pos++, set->dsize);
675#ifdef IP_SET_HASH_WITH_NETS 689#ifdef IP_SET_HASH_WITH_NETS
676 mtype_add_cidr(h, CIDR(d->cidr), NLEN(set->family), 0); 690 for (i = 0; i < IPSET_NET_COUNT; i++)
691 mtype_add_cidr(h, CIDR(d->cidr, i), NLEN(set->family),
692 i);
677#endif 693#endif
678 h->elements++; 694 h->elements++;
679 } 695 }
@@ -704,6 +720,9 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
704 struct mtype_elem *data; 720 struct mtype_elem *data;
705 struct hbucket *n; 721 struct hbucket *n;
706 int i, ret = -IPSET_ERR_EXIST; 722 int i, ret = -IPSET_ERR_EXIST;
723#ifdef IP_SET_HASH_WITH_NETS
724 u8 j;
725#endif
707 u32 key, multi = 0; 726 u32 key, multi = 0;
708 727
709 rcu_read_lock_bh(); 728 rcu_read_lock_bh();
@@ -725,7 +744,9 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
725 n->pos--; 744 n->pos--;
726 h->elements--; 745 h->elements--;
727#ifdef IP_SET_HASH_WITH_NETS 746#ifdef IP_SET_HASH_WITH_NETS
728 mtype_del_cidr(h, CIDR(d->cidr), NLEN(set->family), 0); 747 for (j = 0; j < IPSET_NET_COUNT; j++)
748 mtype_del_cidr(h, CIDR(d->cidr, j), NLEN(set->family),
749 j);
729#endif 750#endif
730 ip_set_ext_destroy(set, data); 751 ip_set_ext_destroy(set, data);
731 if (n->pos + AHASH_INIT_SIZE < n->size) { 752 if (n->pos + AHASH_INIT_SIZE < n->size) {
@@ -772,13 +793,26 @@ mtype_test_cidrs(struct ip_set *set, struct mtype_elem *d,
772 struct htable *t = rcu_dereference_bh(h->table); 793 struct htable *t = rcu_dereference_bh(h->table);
773 struct hbucket *n; 794 struct hbucket *n;
774 struct mtype_elem *data; 795 struct mtype_elem *data;
796#if IPSET_NET_COUNT == 2
797 struct mtype_elem orig = *d;
798 int i, j = 0, k;
799#else
775 int i, j = 0; 800 int i, j = 0;
801#endif
776 u32 key, multi = 0; 802 u32 key, multi = 0;
777 u8 nets_length = NLEN(set->family); 803 u8 nets_length = NLEN(set->family);
778 804
779 pr_debug("test by nets\n"); 805 pr_debug("test by nets\n");
780 for (; j < nets_length && h->nets[j].nets[0] && !multi; j++) { 806 for (; j < nets_length && h->nets[j].nets[0] && !multi; j++) {
807#if IPSET_NET_COUNT == 2
808 mtype_data_reset_elem(d, &orig);
809 mtype_data_netmask(d, h->nets[j].cidr[0], false);
810 for (k = 0; k < nets_length && h->nets[k].nets[1] && !multi;
811 k++) {
812 mtype_data_netmask(d, h->nets[k].cidr[1], true);
813#else
781 mtype_data_netmask(d, h->nets[j].cidr[0]); 814 mtype_data_netmask(d, h->nets[j].cidr[0]);
815#endif
782 key = HKEY(d, h->initval, t->htable_bits); 816 key = HKEY(d, h->initval, t->htable_bits);
783 n = hbucket(t, key); 817 n = hbucket(t, key);
784 for (i = 0; i < n->pos; i++) { 818 for (i = 0; i < n->pos; i++) {
@@ -798,6 +832,9 @@ mtype_test_cidrs(struct ip_set *set, struct mtype_elem *d,
798 return mtype_data_match(data, ext, 832 return mtype_data_match(data, ext,
799 mext, set, flags); 833 mext, set, flags);
800 } 834 }
835#if IPSET_NET_COUNT == 2
836 }
837#endif
801 } 838 }
802 return 0; 839 return 0;
803} 840}
@@ -821,7 +858,10 @@ mtype_test(struct ip_set *set, void *value, const struct ip_set_ext *ext,
821#ifdef IP_SET_HASH_WITH_NETS 858#ifdef IP_SET_HASH_WITH_NETS
822 /* If we test an IP address and not a network address, 859 /* If we test an IP address and not a network address,
823 * try all possible network sizes */ 860 * try all possible network sizes */
824 if (CIDR(d->cidr) == SET_HOST_MASK(set->family)) { 861 for (i = 0; i < IPSET_NET_COUNT; i++)
862 if (CIDR(d->cidr, i) != SET_HOST_MASK(set->family))
863 break;
864 if (i == IPSET_NET_COUNT) {
825 ret = mtype_test_cidrs(set, d, ext, mext, flags); 865 ret = mtype_test_cidrs(set, d, ext, mext, flags);
826 goto out; 866 goto out;
827 } 867 }
diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c
new file mode 100644
index 000000000000..771ce2b565a6
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_hash_netnet.c
@@ -0,0 +1,482 @@
1/* Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2 * Copyright (C) 2013 Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 */
8
9/* Kernel module implementing an IP set type: the hash:net type */
10
11#include <linux/jhash.h>
12#include <linux/module.h>
13#include <linux/ip.h>
14#include <linux/skbuff.h>
15#include <linux/errno.h>
16#include <linux/random.h>
17#include <net/ip.h>
18#include <net/ipv6.h>
19#include <net/netlink.h>
20
21#include <linux/netfilter.h>
22#include <linux/netfilter/ipset/pfxlen.h>
23#include <linux/netfilter/ipset/ip_set.h>
24#include <linux/netfilter/ipset/ip_set_hash.h>
25
26#define IPSET_TYPE_REV_MIN 0
27#define IPSET_TYPE_REV_MAX 0
28
29MODULE_LICENSE("GPL");
30MODULE_AUTHOR("Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>");
31IP_SET_MODULE_DESC("hash:net,net", IPSET_TYPE_REV_MIN, IPSET_TYPE_REV_MAX);
32MODULE_ALIAS("ip_set_hash:net,net");
33
34/* Type specific function prefix */
35#define HTYPE hash_netnet
36#define IP_SET_HASH_WITH_NETS
37#define IPSET_NET_COUNT 2
38
39/* IPv4 variants */
40
41/* Member elements */
42struct hash_netnet4_elem {
43 union {
44 __be32 ip[2];
45 __be64 ipcmp;
46 };
47 u8 nomatch;
48 union {
49 u8 cidr[2];
50 u16 ccmp;
51 };
52};
53
54/* Common functions */
55
56static inline bool
57hash_netnet4_data_equal(const struct hash_netnet4_elem *ip1,
58 const struct hash_netnet4_elem *ip2,
59 u32 *multi)
60{
61 return ip1->ipcmp == ip2->ipcmp &&
62 ip2->ccmp == ip2->ccmp;
63}
64
65static inline int
66hash_netnet4_do_data_match(const struct hash_netnet4_elem *elem)
67{
68 return elem->nomatch ? -ENOTEMPTY : 1;
69}
70
71static inline void
72hash_netnet4_data_set_flags(struct hash_netnet4_elem *elem, u32 flags)
73{
74 elem->nomatch = (flags >> 16) & IPSET_FLAG_NOMATCH;
75}
76
77static inline void
78hash_netnet4_data_reset_flags(struct hash_netnet4_elem *elem, u8 *flags)
79{
80 swap(*flags, elem->nomatch);
81}
82
83static inline void
84hash_netnet4_data_reset_elem(struct hash_netnet4_elem *elem,
85 struct hash_netnet4_elem *orig)
86{
87 elem->ip[1] = orig->ip[1];
88}
89
90static inline void
91hash_netnet4_data_netmask(struct hash_netnet4_elem *elem, u8 cidr, bool inner)
92{
93 if (inner) {
94 elem->ip[1] &= ip_set_netmask(cidr);
95 elem->cidr[1] = cidr;
96 } else {
97 elem->ip[0] &= ip_set_netmask(cidr);
98 elem->cidr[0] = cidr;
99 }
100}
101
102static bool
103hash_netnet4_data_list(struct sk_buff *skb,
104 const struct hash_netnet4_elem *data)
105{
106 u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
107
108 if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip[0]) ||
109 nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip[1]) ||
110 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0]) ||
111 nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr[1]) ||
112 (flags &&
113 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
114 goto nla_put_failure;
115 return 0;
116
117nla_put_failure:
118 return 1;
119}
120
121static inline void
122hash_netnet4_data_next(struct hash_netnet4_elem *next,
123 const struct hash_netnet4_elem *d)
124{
125 next->ipcmp = d->ipcmp;
126}
127
128#define MTYPE hash_netnet4
129#define PF 4
130#define HOST_MASK 32
131#include "ip_set_hash_gen.h"
132
133static int
134hash_netnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
135 const struct xt_action_param *par,
136 enum ipset_adt adt, struct ip_set_adt_opt *opt)
137{
138 const struct hash_netnet *h = set->data;
139 ipset_adtfn adtfn = set->variant->adt[adt];
140 struct hash_netnet4_elem e = {
141 .cidr[0] = h->nets[0].cidr[0] ? h->nets[0].cidr[0] : HOST_MASK,
142 .cidr[1] = h->nets[0].cidr[1] ? h->nets[0].cidr[1] : HOST_MASK,
143 };
144 struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
145
146 if (adt == IPSET_TEST)
147 e.ccmp = (HOST_MASK << (sizeof(e.cidr[0]) * 8)) | HOST_MASK;
148
149 ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0]);
150 ip4addrptr(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.ip[1]);
151 e.ip[0] &= ip_set_netmask(e.cidr[0]);
152 e.ip[1] &= ip_set_netmask(e.cidr[1]);
153
154 return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
155}
156
157static int
158hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
159 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
160{
161 const struct hash_netnet *h = set->data;
162 ipset_adtfn adtfn = set->variant->adt[adt];
163 struct hash_netnet4_elem e = { .cidr[0] = HOST_MASK,
164 .cidr[1] = HOST_MASK };
165 struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
166 u32 ip = 0, ip_to = 0, last;
167 u32 ip2 = 0, ip2_from = 0, ip2_to = 0, last2;
168 u8 cidr, cidr2;
169 int ret;
170
171 if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
172 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
173 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
174 !ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
175 !ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES)))
176 return -IPSET_ERR_PROTOCOL;
177
178 if (tb[IPSET_ATTR_LINENO])
179 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
180
181 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) ||
182 ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2], &ip2_from) ||
183 ip_set_get_extensions(set, tb, &ext);
184 if (ret)
185 return ret;
186
187 if (tb[IPSET_ATTR_CIDR]) {
188 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
189 if (!cidr || cidr > HOST_MASK)
190 return -IPSET_ERR_INVALID_CIDR;
191 e.cidr[0] = cidr;
192 }
193
194 if (tb[IPSET_ATTR_CIDR2]) {
195 cidr2 = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
196 if (!cidr2 || cidr2 > HOST_MASK)
197 return -IPSET_ERR_INVALID_CIDR;
198 e.cidr[1] = cidr2;
199 }
200
201 if (tb[IPSET_ATTR_CADT_FLAGS]) {
202 u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
203 if (cadt_flags & IPSET_FLAG_NOMATCH)
204 flags |= (IPSET_FLAG_NOMATCH << 16);
205 }
206
207 if (adt == IPSET_TEST || !(tb[IPSET_ATTR_IP_TO] &&
208 tb[IPSET_ATTR_IP2_TO])) {
209 e.ip[0] = htonl(ip & ip_set_hostmask(e.cidr[0]));
210 e.ip[1] = htonl(ip2_from & ip_set_hostmask(e.cidr[1]));
211 ret = adtfn(set, &e, &ext, &ext, flags);
212 return ip_set_enomatch(ret, flags, adt, set) ? -ret :
213 ip_set_eexist(ret, flags) ? 0 : ret;
214 }
215
216 ip_to = ip;
217 if (tb[IPSET_ATTR_IP_TO]) {
218 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
219 if (ret)
220 return ret;
221 if (ip_to < ip)
222 swap(ip, ip_to);
223 if (ip + UINT_MAX == ip_to)
224 return -IPSET_ERR_HASH_RANGE;
225 }
226
227 ip2_to = ip2_from;
228 if (tb[IPSET_ATTR_IP2_TO]) {
229 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2_TO], &ip2_to);
230 if (ret)
231 return ret;
232 if (ip2_to < ip2_from)
233 swap(ip2_from, ip2_to);
234 if (ip2_from + UINT_MAX == ip2_to)
235 return -IPSET_ERR_HASH_RANGE;
236
237 }
238
239 if (retried)
240 ip = ntohl(h->next.ip[0]);
241
242 while (!after(ip, ip_to)) {
243 e.ip[0] = htonl(ip);
244 last = ip_set_range_to_cidr(ip, ip_to, &cidr);
245 e.cidr[0] = cidr;
246 ip2 = (retried &&
247 ip == ntohl(h->next.ip[0])) ? ntohl(h->next.ip[1])
248 : ip2_from;
249 while (!after(ip2, ip2_to)) {
250 e.ip[1] = htonl(ip2);
251 last2 = ip_set_range_to_cidr(ip2, ip2_to, &cidr2);
252 e.cidr[1] = cidr2;
253 ret = adtfn(set, &e, &ext, &ext, flags);
254 if (ret && !ip_set_eexist(ret, flags))
255 return ret;
256 else
257 ret = 0;
258 ip2 = last2 + 1;
259 }
260 ip = last + 1;
261 }
262 return ret;
263}
264
265/* IPv6 variants */
266
267struct hash_netnet6_elem {
268 union nf_inet_addr ip[2];
269 u8 nomatch;
270 union {
271 u8 cidr[2];
272 u16 ccmp;
273 };
274};
275
276/* Common functions */
277
278static inline bool
279hash_netnet6_data_equal(const struct hash_netnet6_elem *ip1,
280 const struct hash_netnet6_elem *ip2,
281 u32 *multi)
282{
283 return ipv6_addr_equal(&ip1->ip[0].in6, &ip2->ip[0].in6) &&
284 ipv6_addr_equal(&ip1->ip[1].in6, &ip2->ip[1].in6) &&
285 ip1->ccmp == ip2->ccmp;
286}
287
288static inline int
289hash_netnet6_do_data_match(const struct hash_netnet6_elem *elem)
290{
291 return elem->nomatch ? -ENOTEMPTY : 1;
292}
293
294static inline void
295hash_netnet6_data_set_flags(struct hash_netnet6_elem *elem, u32 flags)
296{
297 elem->nomatch = (flags >> 16) & IPSET_FLAG_NOMATCH;
298}
299
300static inline void
301hash_netnet6_data_reset_flags(struct hash_netnet6_elem *elem, u8 *flags)
302{
303 swap(*flags, elem->nomatch);
304}
305
306static inline void
307hash_netnet6_data_reset_elem(struct hash_netnet6_elem *elem,
308 struct hash_netnet6_elem *orig)
309{
310 elem->ip[1] = orig->ip[1];
311}
312
313static inline void
314hash_netnet6_data_netmask(struct hash_netnet6_elem *elem, u8 cidr, bool inner)
315{
316 if (inner) {
317 ip6_netmask(&elem->ip[1], cidr);
318 elem->cidr[1] = cidr;
319 } else {
320 ip6_netmask(&elem->ip[0], cidr);
321 elem->cidr[0] = cidr;
322 }
323}
324
325static bool
326hash_netnet6_data_list(struct sk_buff *skb,
327 const struct hash_netnet6_elem *data)
328{
329 u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
330
331 if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip[0].in6) ||
332 nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip[1].in6) ||
333 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0]) ||
334 nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr[1]) ||
335 (flags &&
336 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
337 goto nla_put_failure;
338 return 0;
339
340nla_put_failure:
341 return 1;
342}
343
344static inline void
345hash_netnet6_data_next(struct hash_netnet4_elem *next,
346 const struct hash_netnet6_elem *d)
347{
348}
349
350#undef MTYPE
351#undef PF
352#undef HOST_MASK
353
354#define MTYPE hash_netnet6
355#define PF 6
356#define HOST_MASK 128
357#define IP_SET_EMIT_CREATE
358#include "ip_set_hash_gen.h"
359
360static int
361hash_netnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
362 const struct xt_action_param *par,
363 enum ipset_adt adt, struct ip_set_adt_opt *opt)
364{
365 const struct hash_netnet *h = set->data;
366 ipset_adtfn adtfn = set->variant->adt[adt];
367 struct hash_netnet6_elem e = {
368 .cidr[0] = h->nets[0].cidr[0] ? h->nets[0].cidr[0] : HOST_MASK,
369 .cidr[1] = h->nets[0].cidr[1] ? h->nets[0].cidr[1] : HOST_MASK
370 };
371 struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
372
373 if (adt == IPSET_TEST)
374 e.ccmp = (HOST_MASK << (sizeof(u8)*8)) | HOST_MASK;
375
376 ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0].in6);
377 ip6addrptr(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.ip[1].in6);
378 ip6_netmask(&e.ip[0], e.cidr[0]);
379 ip6_netmask(&e.ip[1], e.cidr[1]);
380
381 return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
382}
383
384static int
385hash_netnet6_uadt(struct ip_set *set, struct nlattr *tb[],
386 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
387{
388 ipset_adtfn adtfn = set->variant->adt[adt];
389 struct hash_netnet6_elem e = { .cidr[0] = HOST_MASK,
390 .cidr[1] = HOST_MASK };
391 struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
392 int ret;
393
394 if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
395 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
396 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
397 !ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
398 !ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES)))
399 return -IPSET_ERR_PROTOCOL;
400 if (unlikely(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_IP2_TO]))
401 return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
402
403 if (tb[IPSET_ATTR_LINENO])
404 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
405
406 ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]) ||
407 ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &e.ip[1]) ||
408 ip_set_get_extensions(set, tb, &ext);
409 if (ret)
410 return ret;
411
412 if (tb[IPSET_ATTR_CIDR])
413 e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
414
415 if (tb[IPSET_ATTR_CIDR2])
416 e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
417
418 if (!e.cidr[0] || e.cidr[0] > HOST_MASK || !e.cidr[1] ||
419 e.cidr[1] > HOST_MASK)
420 return -IPSET_ERR_INVALID_CIDR;
421
422 ip6_netmask(&e.ip[0], e.cidr[0]);
423 ip6_netmask(&e.ip[1], e.cidr[1]);
424
425 if (tb[IPSET_ATTR_CADT_FLAGS]) {
426 u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
427 if (cadt_flags & IPSET_FLAG_NOMATCH)
428 flags |= (IPSET_FLAG_NOMATCH << 16);
429 }
430
431 ret = adtfn(set, &e, &ext, &ext, flags);
432
433 return ip_set_enomatch(ret, flags, adt, set) ? -ret :
434 ip_set_eexist(ret, flags) ? 0 : ret;
435}
436
437static struct ip_set_type hash_netnet_type __read_mostly = {
438 .name = "hash:net,net",
439 .protocol = IPSET_PROTOCOL,
440 .features = IPSET_TYPE_IP | IPSET_TYPE_IP2 | IPSET_TYPE_NOMATCH,
441 .dimension = IPSET_DIM_TWO,
442 .family = NFPROTO_UNSPEC,
443 .revision_min = IPSET_TYPE_REV_MIN,
444 .revision_max = IPSET_TYPE_REV_MAX,
445 .create = hash_netnet_create,
446 .create_policy = {
447 [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
448 [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
449 [IPSET_ATTR_PROBES] = { .type = NLA_U8 },
450 [IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
451 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
452 [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
453 },
454 .adt_policy = {
455 [IPSET_ATTR_IP] = { .type = NLA_NESTED },
456 [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
457 [IPSET_ATTR_IP2] = { .type = NLA_NESTED },
458 [IPSET_ATTR_IP2_TO] = { .type = NLA_NESTED },
459 [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
460 [IPSET_ATTR_CIDR2] = { .type = NLA_U8 },
461 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
462 [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
463 [IPSET_ATTR_BYTES] = { .type = NLA_U64 },
464 [IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
465 },
466 .me = THIS_MODULE,
467};
468
469static int __init
470hash_netnet_init(void)
471{
472 return ip_set_type_register(&hash_netnet_type);
473}
474
475static void __exit
476hash_netnet_fini(void)
477{
478 ip_set_type_unregister(&hash_netnet_type);
479}
480
481module_init(hash_netnet_init);
482module_exit(hash_netnet_fini);
generated by cgit v1.2.2 (git 2.25.0) at 2026-04-17 19:42:30 -0400