Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ip_set_hash_ip.c
Go to the documentation of this file.
1 /* Copyright (C) 2003-2011 Jozsef Kadlecsik <[email protected]>
2  *
3  * This program is free software; you can redistribute it and/or modify
4  * it under the terms of the GNU General Public License version 2 as
5  * published by the Free Software Foundation.
6  */
7 
8 /* Kernel module implementing an IP set type: the hash:ip type */
9 
10 #include <linux/jhash.h>
11 #include <linux/module.h>
12 #include <linux/ip.h>
13 #include <linux/skbuff.h>
14 #include <linux/errno.h>
15 #include <linux/random.h>
16 #include <net/ip.h>
17 #include <net/ipv6.h>
18 #include <net/netlink.h>
19 #include <net/tcp.h>
20 
21 #include <linux/netfilter.h>
22 #include <linux/netfilter/ipset/pfxlen.h>
23 #include <linux/netfilter/ipset/ip_set.h>
24 #include <linux/netfilter/ipset/ip_set_timeout.h>
25 #include <linux/netfilter/ipset/ip_set_hash.h>
26 
27 #define REVISION_MIN 0
28 #define REVISION_MAX 0
29 
30 MODULE_LICENSE("GPL");
31 MODULE_AUTHOR("Jozsef Kadlecsik <[email protected]>");
32 IP_SET_MODULE_DESC("hash:ip", REVISION_MIN, REVISION_MAX);
33 MODULE_ALIAS("ip_set_hash:ip");
34 
35 /* Type specific function prefix */
36 #define TYPE hash_ip
37 
38 static bool
39 hash_ip_same_set(const struct ip_set *a, const struct ip_set *b);
40 
41 #define hash_ip4_same_set hash_ip_same_set
42 #define hash_ip6_same_set hash_ip_same_set
43 
44 /* The type variant functions: IPv4 */
45 
46 /* Member elements without timeout */
47 struct hash_ip4_elem {
48  __be32 ip;
49 };
50 
51 /* Member elements with timeout support */
52 struct hash_ip4_telem {
53  __be32 ip;
54  unsigned long timeout;
55 };
56 
57 static inline bool
58 hash_ip4_data_equal(const struct hash_ip4_elem *ip1,
59  const struct hash_ip4_elem *ip2,
60  u32 *multi)
61 {
62  return ip1->ip == ip2->ip;
63 }
64 
65 static inline bool
66 hash_ip4_data_isnull(const struct hash_ip4_elem *elem)
67 {
68  return elem->ip == 0;
69 }
70 
71 static inline void
72 hash_ip4_data_copy(struct hash_ip4_elem *dst, const struct hash_ip4_elem *src)
73 {
74  dst->ip = src->ip;
75 }
76 
77 /* Zero valued IP addresses cannot be stored */
78 static inline void
79 hash_ip4_data_zero_out(struct hash_ip4_elem *elem)
80 {
81  elem->ip = 0;
82 }
83 
84 static inline bool
85 hash_ip4_data_list(struct sk_buff *skb, const struct hash_ip4_elem *data)
86 {
87  if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip))
88  goto nla_put_failure;
89  return 0;
90 
91 nla_put_failure:
92  return 1;
93 }
94 
95 static bool
96 hash_ip4_data_tlist(struct sk_buff *skb, const struct hash_ip4_elem *data)
97 {
98  const struct hash_ip4_telem *tdata =
99  (const struct hash_ip4_telem *)data;
100 
101  if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) ||
102  nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
103  htonl(ip_set_timeout_get(tdata->timeout))))
104  goto nla_put_failure;
105 
106  return 0;
107 
108 nla_put_failure:
109  return 1;
110 }
111 
112 #define IP_SET_HASH_WITH_NETMASK
113 #define PF 4
114 #define HOST_MASK 32
115 #include <linux/netfilter/ipset/ip_set_ahash.h>
116 
117 static inline void
118 hash_ip4_data_next(struct ip_set_hash *h, const struct hash_ip4_elem *d)
119 {
120  h->next.ip = d->ip;
121 }
122 
123 static int
124 hash_ip4_kadt(struct ip_set *set, const struct sk_buff *skb,
125  const struct xt_action_param *par,
126  enum ipset_adt adt, const struct ip_set_adt_opt *opt)
127 {
128  const struct ip_set_hash *h = set->data;
129  ipset_adtfn adtfn = set->variant->adt[adt];
130  __be32 ip;
131 
132  ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &ip);
133  ip &= ip_set_netmask(h->netmask);
134  if (ip == 0)
135  return -EINVAL;
136 
137  return adtfn(set, &ip, opt_timeout(opt, h), opt->cmdflags);
138 }
139 
140 static int
141 hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
142  enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
143 {
144  const struct ip_set_hash *h = set->data;
145  ipset_adtfn adtfn = set->variant->adt[adt];
146  u32 ip, ip_to, hosts, timeout = h->timeout;
147  __be32 nip;
148  int ret = 0;
149 
150  if (unlikely(!tb[IPSET_ATTR_IP] ||
151  !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
152  return -IPSET_ERR_PROTOCOL;
153 
154  if (tb[IPSET_ATTR_LINENO])
155  *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
156 
157  ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
158  if (ret)
159  return ret;
160 
161  ip &= ip_set_hostmask(h->netmask);
162 
163  if (tb[IPSET_ATTR_TIMEOUT]) {
164  if (!with_timeout(h->timeout))
165  return -IPSET_ERR_TIMEOUT;
166  timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
167  }
168 
169  if (adt == IPSET_TEST) {
170  nip = htonl(ip);
171  if (nip == 0)
172  return -IPSET_ERR_HASH_ELEM;
173  return adtfn(set, &nip, timeout, flags);
174  }
175 
176  ip_to = ip;
177  if (tb[IPSET_ATTR_IP_TO]) {
178  ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
179  if (ret)
180  return ret;
181  if (ip > ip_to)
182  swap(ip, ip_to);
183  } else if (tb[IPSET_ATTR_CIDR]) {
184  u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
185 
186  if (!cidr || cidr > 32)
187  return -IPSET_ERR_INVALID_CIDR;
188  ip_set_mask_from_to(ip, ip_to, cidr);
189  }
190 
191  hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);
192 
193  if (retried)
194  ip = ntohl(h->next.ip);
195  for (; !before(ip_to, ip); ip += hosts) {
196  nip = htonl(ip);
197  if (nip == 0)
198  return -IPSET_ERR_HASH_ELEM;
199  ret = adtfn(set, &nip, timeout, flags);
200 
201  if (ret && !ip_set_eexist(ret, flags))
202  return ret;
203  else
204  ret = 0;
205  }
206  return ret;
207 }
208 
209 static bool
210 hash_ip_same_set(const struct ip_set *a, const struct ip_set *b)
211 {
212  const struct ip_set_hash *x = a->data;
213  const struct ip_set_hash *y = b->data;
214 
215  /* Resizing changes htable_bits, so we ignore it */
216  return x->maxelem == y->maxelem &&
217  x->timeout == y->timeout &&
218  x->netmask == y->netmask;
219 }
220 
221 /* The type variant functions: IPv6 */
222 
223 struct hash_ip6_elem {
224  union nf_inet_addr ip;
225 };
226 
227 struct hash_ip6_telem {
228  union nf_inet_addr ip;
229  unsigned long timeout;
230 };
231 
232 static inline bool
233 hash_ip6_data_equal(const struct hash_ip6_elem *ip1,
234  const struct hash_ip6_elem *ip2,
235  u32 *multi)
236 {
237  return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0;
238 }
239 
240 static inline bool
241 hash_ip6_data_isnull(const struct hash_ip6_elem *elem)
242 {
243  return ipv6_addr_any(&elem->ip.in6);
244 }
245 
246 static inline void
247 hash_ip6_data_copy(struct hash_ip6_elem *dst, const struct hash_ip6_elem *src)
248 {
249  dst->ip.in6 = src->ip.in6;
250 }
251 
252 static inline void
253 hash_ip6_data_zero_out(struct hash_ip6_elem *elem)
254 {
255  ipv6_addr_set(&elem->ip.in6, 0, 0, 0, 0);
256 }
257 
258 static inline void
259 ip6_netmask(union nf_inet_addr *ip, u8 prefix)
260 {
261  ip->ip6[0] &= ip_set_netmask6(prefix)[0];
262  ip->ip6[1] &= ip_set_netmask6(prefix)[1];
263  ip->ip6[2] &= ip_set_netmask6(prefix)[2];
264  ip->ip6[3] &= ip_set_netmask6(prefix)[3];
265 }
266 
267 static bool
268 hash_ip6_data_list(struct sk_buff *skb, const struct hash_ip6_elem *data)
269 {
270  if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6))
271  goto nla_put_failure;
272  return 0;
273 
274 nla_put_failure:
275  return 1;
276 }
277 
278 static bool
279 hash_ip6_data_tlist(struct sk_buff *skb, const struct hash_ip6_elem *data)
280 {
281  const struct hash_ip6_telem *e =
282  (const struct hash_ip6_telem *)data;
283 
284  if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
285  nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
286  htonl(ip_set_timeout_get(e->timeout))))
287  goto nla_put_failure;
288  return 0;
289 
290 nla_put_failure:
291  return 1;
292 }
293 
294 #undef PF
295 #undef HOST_MASK
296 
297 #define PF 6
298 #define HOST_MASK 128
299 #include <linux/netfilter/ipset/ip_set_ahash.h>
300 
301 static inline void
302 hash_ip6_data_next(struct ip_set_hash *h, const struct hash_ip6_elem *d)
303 {
304 }
305 
306 static int
307 hash_ip6_kadt(struct ip_set *set, const struct sk_buff *skb,
308  const struct xt_action_param *par,
309  enum ipset_adt adt, const struct ip_set_adt_opt *opt)
310 {
311  const struct ip_set_hash *h = set->data;
312  ipset_adtfn adtfn = set->variant->adt[adt];
313  union nf_inet_addr ip;
314 
315  ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &ip.in6);
316  ip6_netmask(&ip, h->netmask);
317  if (ipv6_addr_any(&ip.in6))
318  return -EINVAL;
319 
320  return adtfn(set, &ip, opt_timeout(opt, h), opt->cmdflags);
321 }
322 
323 static const struct nla_policy hash_ip6_adt_policy[IPSET_ATTR_ADT_MAX + 1] = {
324  [IPSET_ATTR_IP] = { .type = NLA_NESTED },
325  [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
326  [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
327 };
328 
329 static int
330 hash_ip6_uadt(struct ip_set *set, struct nlattr *tb[],
331  enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
332 {
333  const struct ip_set_hash *h = set->data;
334  ipset_adtfn adtfn = set->variant->adt[adt];
335  union nf_inet_addr ip;
336  u32 timeout = h->timeout;
337  int ret;
338 
339  if (unlikely(!tb[IPSET_ATTR_IP] ||
340  !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
341  tb[IPSET_ATTR_IP_TO] ||
342  tb[IPSET_ATTR_CIDR]))
343  return -IPSET_ERR_PROTOCOL;
344 
345  if (tb[IPSET_ATTR_LINENO])
346  *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
347 
348  ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &ip);
349  if (ret)
350  return ret;
351 
352  ip6_netmask(&ip, h->netmask);
353  if (ipv6_addr_any(&ip.in6))
354  return -IPSET_ERR_HASH_ELEM;
355 
356  if (tb[IPSET_ATTR_TIMEOUT]) {
357  if (!with_timeout(h->timeout))
358  return -IPSET_ERR_TIMEOUT;
359  timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
360  }
361 
362  ret = adtfn(set, &ip, timeout, flags);
363 
364  return ip_set_eexist(ret, flags) ? 0 : ret;
365 }
366 
367 /* Create hash:ip type of sets */
368 
369 static int
370 hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
371 {
372  u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
373  u8 netmask, hbits;
374  size_t hsize;
375  struct ip_set_hash *h;
376 
377  if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
378  return -IPSET_ERR_INVALID_FAMILY;
379  netmask = set->family == NFPROTO_IPV4 ? 32 : 128;
380  pr_debug("Create set %s with family %s\n",
381  set->name, set->family == NFPROTO_IPV4 ? "inet" : "inet6");
382 
383  if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
384  !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
385  !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
386  return -IPSET_ERR_PROTOCOL;
387 
388  if (tb[IPSET_ATTR_HASHSIZE]) {
389  hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
390  if (hashsize < IPSET_MIMINAL_HASHSIZE)
391  hashsize = IPSET_MIMINAL_HASHSIZE;
392  }
393 
394  if (tb[IPSET_ATTR_MAXELEM])
395  maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
396 
397  if (tb[IPSET_ATTR_NETMASK]) {
398  netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
399 
400  if ((set->family == NFPROTO_IPV4 && netmask > 32) ||
401  (set->family == NFPROTO_IPV6 && netmask > 128) ||
402  netmask == 0)
403  return -IPSET_ERR_INVALID_NETMASK;
404  }
405 
406  h = kzalloc(sizeof(*h), GFP_KERNEL);
407  if (!h)
408  return -ENOMEM;
409 
410  h->maxelem = maxelem;
411  h->netmask = netmask;
412  get_random_bytes(&h->initval, sizeof(h->initval));
413  h->timeout = IPSET_NO_TIMEOUT;
414 
415  hbits = htable_bits(hashsize);
416  hsize = htable_size(hbits);
417  if (hsize == 0) {
418  kfree(h);
419  return -ENOMEM;
420  }
421  h->table = ip_set_alloc(hsize);
422  if (!h->table) {
423  kfree(h);
424  return -ENOMEM;
425  }
426  h->table->htable_bits = hbits;
427 
428  set->data = h;
429 
430  if (tb[IPSET_ATTR_TIMEOUT]) {
431  h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
432 
433  set->variant = set->family == NFPROTO_IPV4
434  ? &hash_ip4_tvariant : &hash_ip6_tvariant;
435 
436  if (set->family == NFPROTO_IPV4)
437  hash_ip4_gc_init(set);
438  else
439  hash_ip6_gc_init(set);
440  } else {
441  set->variant = set->family == NFPROTO_IPV4
442  ? &hash_ip4_variant : &hash_ip6_variant;
443  }
444 
445  pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
446  set->name, jhash_size(h->table->htable_bits),
447  h->table->htable_bits, h->maxelem, set->data, h->table);
448 
449  return 0;
450 }
451 
452 static struct ip_set_type hash_ip_type __read_mostly = {
453  .name = "hash:ip",
454  .protocol = IPSET_PROTOCOL,
455  .features = IPSET_TYPE_IP,
456  .dimension = IPSET_DIM_ONE,
457  .family = NFPROTO_UNSPEC,
458  .revision_min = REVISION_MIN,
459  .revision_max = REVISION_MAX,
460  .create = hash_ip_create,
461  .create_policy = {
462  [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
463  [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
464  [IPSET_ATTR_PROBES] = { .type = NLA_U8 },
465  [IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
466  [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
467  [IPSET_ATTR_NETMASK] = { .type = NLA_U8 },
468  },
469  .adt_policy = {
470  [IPSET_ATTR_IP] = { .type = NLA_NESTED },
471  [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
472  [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
473  [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
474  [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
475  },
476  .me = THIS_MODULE,
477 };
478 
479 static int __init
480 hash_ip_init(void)
481 {
482  return ip_set_type_register(&hash_ip_type);
483 }
484 
485 static void __exit
486 hash_ip_fini(void)
487 {
488  ip_set_type_unregister(&hash_ip_type);
489 }
490 
491 module_init(hash_ip_init);
492 module_exit(hash_ip_fini);
Generated on Thu Jan 10 2013 15:00:09 for Linux Kernel by   doxygen 1.8.2