Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ip_set_hash_ipportip.c
Go to the documentation of this file.
1 /* Copyright (C) 2003-2011 Jozsef Kadlecsik <[email protected]>
2  *
3  * This program is free software; you can redistribute it and/or modify
4  * it under the terms of the GNU General Public License version 2 as
5  * published by the Free Software Foundation.
6  */
7 
8 /* Kernel module implementing an IP set type: the hash:ip,port,ip type */
9 
10 #include <linux/jhash.h>
11 #include <linux/module.h>
12 #include <linux/ip.h>
13 #include <linux/skbuff.h>
14 #include <linux/errno.h>
15 #include <linux/random.h>
16 #include <net/ip.h>
17 #include <net/ipv6.h>
18 #include <net/netlink.h>
19 #include <net/tcp.h>
20 
21 #include <linux/netfilter.h>
22 #include <linux/netfilter/ipset/pfxlen.h>
23 #include <linux/netfilter/ipset/ip_set.h>
24 #include <linux/netfilter/ipset/ip_set_timeout.h>
25 #include <linux/netfilter/ipset/ip_set_getport.h>
26 #include <linux/netfilter/ipset/ip_set_hash.h>
27 
28 #define REVISION_MIN 0
29 #define REVISION_MAX 1 /* SCTP and UDPLITE support added */
30 
31 MODULE_LICENSE("GPL");
32 MODULE_AUTHOR("Jozsef Kadlecsik <[email protected]>");
33 IP_SET_MODULE_DESC("hash:ip,port,ip", REVISION_MIN, REVISION_MAX);
34 MODULE_ALIAS("ip_set_hash:ip,port,ip");
35 
36 /* Type specific function prefix */
37 #define TYPE hash_ipportip
38 
39 static bool
40 hash_ipportip_same_set(const struct ip_set *a, const struct ip_set *b);
41 
42 #define hash_ipportip4_same_set hash_ipportip_same_set
43 #define hash_ipportip6_same_set hash_ipportip_same_set
44 
45 /* The type variant functions: IPv4 */
46 
47 /* Member elements without timeout */
48 struct hash_ipportip4_elem {
49  __be32 ip;
50  __be32 ip2;
51  __be16 port;
52  u8 proto;
53  u8 padding;
54 };
55 
56 /* Member elements with timeout support */
57 struct hash_ipportip4_telem {
58  __be32 ip;
59  __be32 ip2;
60  __be16 port;
61  u8 proto;
62  u8 padding;
63  unsigned long timeout;
64 };
65 
66 static inline bool
67 hash_ipportip4_data_equal(const struct hash_ipportip4_elem *ip1,
68  const struct hash_ipportip4_elem *ip2,
69  u32 *multi)
70 {
71  return ip1->ip == ip2->ip &&
72  ip1->ip2 == ip2->ip2 &&
73  ip1->port == ip2->port &&
74  ip1->proto == ip2->proto;
75 }
76 
77 static inline bool
78 hash_ipportip4_data_isnull(const struct hash_ipportip4_elem *elem)
79 {
80  return elem->proto == 0;
81 }
82 
83 static inline void
84 hash_ipportip4_data_copy(struct hash_ipportip4_elem *dst,
85  const struct hash_ipportip4_elem *src)
86 {
87  memcpy(dst, src, sizeof(*dst));
88 }
89 
90 static inline void
91 hash_ipportip4_data_zero_out(struct hash_ipportip4_elem *elem)
92 {
93  elem->proto = 0;
94 }
95 
96 static bool
97 hash_ipportip4_data_list(struct sk_buff *skb,
98  const struct hash_ipportip4_elem *data)
99 {
100  if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
101  nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip2) ||
102  nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
103  nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto))
104  goto nla_put_failure;
105  return 0;
106 
107 nla_put_failure:
108  return 1;
109 }
110 
111 static bool
112 hash_ipportip4_data_tlist(struct sk_buff *skb,
113  const struct hash_ipportip4_elem *data)
114 {
115  const struct hash_ipportip4_telem *tdata =
116  (const struct hash_ipportip4_telem *)data;
117 
118  if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) ||
119  nla_put_ipaddr4(skb, IPSET_ATTR_IP2, tdata->ip2) ||
120  nla_put_net16(skb, IPSET_ATTR_PORT, tdata->port) ||
121  nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
122  nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
123  htonl(ip_set_timeout_get(tdata->timeout))))
124  goto nla_put_failure;
125  return 0;
126 
127 nla_put_failure:
128  return 1;
129 }
130 
131 #define PF 4
132 #define HOST_MASK 32
133 #include <linux/netfilter/ipset/ip_set_ahash.h>
134 
135 static inline void
136 hash_ipportip4_data_next(struct ip_set_hash *h,
137  const struct hash_ipportip4_elem *d)
138 {
139  h->next.ip = d->ip;
140  h->next.port = d->port;
141 }
142 
143 static int
144 hash_ipportip4_kadt(struct ip_set *set, const struct sk_buff *skb,
145  const struct xt_action_param *par,
146  enum ipset_adt adt, const struct ip_set_adt_opt *opt)
147 {
148  const struct ip_set_hash *h = set->data;
149  ipset_adtfn adtfn = set->variant->adt[adt];
150  struct hash_ipportip4_elem data = { };
151 
152  if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
153  &data.port, &data.proto))
154  return -EINVAL;
155 
156  ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
157  ip4addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &data.ip2);
158 
159  return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
160 }
161 
162 static int
163 hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
164  enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
165 {
166  const struct ip_set_hash *h = set->data;
167  ipset_adtfn adtfn = set->variant->adt[adt];
168  struct hash_ipportip4_elem data = { };
169  u32 ip, ip_to, p = 0, port, port_to;
170  u32 timeout = h->timeout;
171  bool with_ports = false;
172  int ret;
173 
174  if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
175  !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
176  !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
177  !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
178  return -IPSET_ERR_PROTOCOL;
179 
180  if (tb[IPSET_ATTR_LINENO])
181  *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
182 
183  ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip);
184  if (ret)
185  return ret;
186 
187  ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP2], &data.ip2);
188  if (ret)
189  return ret;
190 
191  if (tb[IPSET_ATTR_PORT])
192  data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
193  else
194  return -IPSET_ERR_PROTOCOL;
195 
196  if (tb[IPSET_ATTR_PROTO]) {
197  data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
198  with_ports = ip_set_proto_with_ports(data.proto);
199 
200  if (data.proto == 0)
201  return -IPSET_ERR_INVALID_PROTO;
202  } else
203  return -IPSET_ERR_MISSING_PROTO;
204 
205  if (!(with_ports || data.proto == IPPROTO_ICMP))
206  data.port = 0;
207 
208  if (tb[IPSET_ATTR_TIMEOUT]) {
209  if (!with_timeout(h->timeout))
210  return -IPSET_ERR_TIMEOUT;
211  timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
212  }
213 
214  if (adt == IPSET_TEST ||
215  !(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_CIDR] ||
216  tb[IPSET_ATTR_PORT_TO])) {
217  ret = adtfn(set, &data, timeout, flags);
218  return ip_set_eexist(ret, flags) ? 0 : ret;
219  }
220 
221  ip_to = ip = ntohl(data.ip);
222  if (tb[IPSET_ATTR_IP_TO]) {
223  ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
224  if (ret)
225  return ret;
226  if (ip > ip_to)
227  swap(ip, ip_to);
228  } else if (tb[IPSET_ATTR_CIDR]) {
229  u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
230 
231  if (!cidr || cidr > 32)
232  return -IPSET_ERR_INVALID_CIDR;
233  ip_set_mask_from_to(ip, ip_to, cidr);
234  }
235 
236  port_to = port = ntohs(data.port);
237  if (with_ports && tb[IPSET_ATTR_PORT_TO]) {
238  port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
239  if (port > port_to)
240  swap(port, port_to);
241  }
242 
243  if (retried)
244  ip = ntohl(h->next.ip);
245  for (; !before(ip_to, ip); ip++) {
246  p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
247  : port;
248  for (; p <= port_to; p++) {
249  data.ip = htonl(ip);
250  data.port = htons(p);
251  ret = adtfn(set, &data, timeout, flags);
252 
253  if (ret && !ip_set_eexist(ret, flags))
254  return ret;
255  else
256  ret = 0;
257  }
258  }
259  return ret;
260 }
261 
262 static bool
263 hash_ipportip_same_set(const struct ip_set *a, const struct ip_set *b)
264 {
265  const struct ip_set_hash *x = a->data;
266  const struct ip_set_hash *y = b->data;
267 
268  /* Resizing changes htable_bits, so we ignore it */
269  return x->maxelem == y->maxelem &&
270  x->timeout == y->timeout;
271 }
272 
273 /* The type variant functions: IPv6 */
274 
275 struct hash_ipportip6_elem {
276  union nf_inet_addr ip;
277  union nf_inet_addr ip2;
278  __be16 port;
279  u8 proto;
280  u8 padding;
281 };
282 
283 struct hash_ipportip6_telem {
284  union nf_inet_addr ip;
285  union nf_inet_addr ip2;
286  __be16 port;
287  u8 proto;
288  u8 padding;
289  unsigned long timeout;
290 };
291 
292 static inline bool
293 hash_ipportip6_data_equal(const struct hash_ipportip6_elem *ip1,
294  const struct hash_ipportip6_elem *ip2,
295  u32 *multi)
296 {
297  return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
298  ipv6_addr_cmp(&ip1->ip2.in6, &ip2->ip2.in6) == 0 &&
299  ip1->port == ip2->port &&
300  ip1->proto == ip2->proto;
301 }
302 
303 static inline bool
304 hash_ipportip6_data_isnull(const struct hash_ipportip6_elem *elem)
305 {
306  return elem->proto == 0;
307 }
308 
309 static inline void
310 hash_ipportip6_data_copy(struct hash_ipportip6_elem *dst,
311  const struct hash_ipportip6_elem *src)
312 {
313  memcpy(dst, src, sizeof(*dst));
314 }
315 
316 static inline void
317 hash_ipportip6_data_zero_out(struct hash_ipportip6_elem *elem)
318 {
319  elem->proto = 0;
320 }
321 
322 static bool
323 hash_ipportip6_data_list(struct sk_buff *skb,
324  const struct hash_ipportip6_elem *data)
325 {
326  if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
327  nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip2.in6) ||
328  nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
329  nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto))
330  goto nla_put_failure;
331  return 0;
332 
333 nla_put_failure:
334  return 1;
335 }
336 
337 static bool
338 hash_ipportip6_data_tlist(struct sk_buff *skb,
339  const struct hash_ipportip6_elem *data)
340 {
341  const struct hash_ipportip6_telem *e =
342  (const struct hash_ipportip6_telem *)data;
343 
344  if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
345  nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip2.in6) ||
346  nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
347  nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
348  nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
349  htonl(ip_set_timeout_get(e->timeout))))
350  goto nla_put_failure;
351  return 0;
352 
353 nla_put_failure:
354  return 1;
355 }
356 
357 #undef PF
358 #undef HOST_MASK
359 
360 #define PF 6
361 #define HOST_MASK 128
362 #include <linux/netfilter/ipset/ip_set_ahash.h>
363 
364 static inline void
365 hash_ipportip6_data_next(struct ip_set_hash *h,
366  const struct hash_ipportip6_elem *d)
367 {
368  h->next.port = d->port;
369 }
370 
371 static int
372 hash_ipportip6_kadt(struct ip_set *set, const struct sk_buff *skb,
373  const struct xt_action_param *par,
374  enum ipset_adt adt, const struct ip_set_adt_opt *opt)
375 {
376  const struct ip_set_hash *h = set->data;
377  ipset_adtfn adtfn = set->variant->adt[adt];
378  struct hash_ipportip6_elem data = { };
379 
380  if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
381  &data.port, &data.proto))
382  return -EINVAL;
383 
384  ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
385  ip6addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &data.ip2.in6);
386 
387  return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
388 }
389 
390 static int
391 hash_ipportip6_uadt(struct ip_set *set, struct nlattr *tb[],
392  enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
393 {
394  const struct ip_set_hash *h = set->data;
395  ipset_adtfn adtfn = set->variant->adt[adt];
396  struct hash_ipportip6_elem data = { };
397  u32 port, port_to;
398  u32 timeout = h->timeout;
399  bool with_ports = false;
400  int ret;
401 
402  if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
403  !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
404  !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
405  !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
406  tb[IPSET_ATTR_IP_TO] ||
407  tb[IPSET_ATTR_CIDR]))
408  return -IPSET_ERR_PROTOCOL;
409 
410  if (tb[IPSET_ATTR_LINENO])
411  *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
412 
413  ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
414  if (ret)
415  return ret;
416 
417  ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &data.ip2);
418  if (ret)
419  return ret;
420 
421  if (tb[IPSET_ATTR_PORT])
422  data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
423  else
424  return -IPSET_ERR_PROTOCOL;
425 
426  if (tb[IPSET_ATTR_PROTO]) {
427  data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
428  with_ports = ip_set_proto_with_ports(data.proto);
429 
430  if (data.proto == 0)
431  return -IPSET_ERR_INVALID_PROTO;
432  } else
433  return -IPSET_ERR_MISSING_PROTO;
434 
435  if (!(with_ports || data.proto == IPPROTO_ICMPV6))
436  data.port = 0;
437 
438  if (tb[IPSET_ATTR_TIMEOUT]) {
439  if (!with_timeout(h->timeout))
440  return -IPSET_ERR_TIMEOUT;
441  timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
442  }
443 
444  if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
445  ret = adtfn(set, &data, timeout, flags);
446  return ip_set_eexist(ret, flags) ? 0 : ret;
447  }
448 
449  port = ntohs(data.port);
450  port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
451  if (port > port_to)
452  swap(port, port_to);
453 
454  if (retried)
455  port = ntohs(h->next.port);
456  for (; port <= port_to; port++) {
457  data.port = htons(port);
458  ret = adtfn(set, &data, timeout, flags);
459 
460  if (ret && !ip_set_eexist(ret, flags))
461  return ret;
462  else
463  ret = 0;
464  }
465  return ret;
466 }
467 
468 /* Create hash:ip type of sets */
469 
470 static int
471 hash_ipportip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
472 {
473  struct ip_set_hash *h;
474  u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
475  u8 hbits;
476  size_t hsize;
477 
478  if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
479  return -IPSET_ERR_INVALID_FAMILY;
480 
481  if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
482  !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
483  !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
484  return -IPSET_ERR_PROTOCOL;
485 
486  if (tb[IPSET_ATTR_HASHSIZE]) {
487  hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
488  if (hashsize < IPSET_MIMINAL_HASHSIZE)
489  hashsize = IPSET_MIMINAL_HASHSIZE;
490  }
491 
492  if (tb[IPSET_ATTR_MAXELEM])
493  maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
494 
495  h = kzalloc(sizeof(*h), GFP_KERNEL);
496  if (!h)
497  return -ENOMEM;
498 
499  h->maxelem = maxelem;
500  get_random_bytes(&h->initval, sizeof(h->initval));
501  h->timeout = IPSET_NO_TIMEOUT;
502 
503  hbits = htable_bits(hashsize);
504  hsize = htable_size(hbits);
505  if (hsize == 0) {
506  kfree(h);
507  return -ENOMEM;
508  }
509  h->table = ip_set_alloc(hsize);
510  if (!h->table) {
511  kfree(h);
512  return -ENOMEM;
513  }
514  h->table->htable_bits = hbits;
515 
516  set->data = h;
517 
518  if (tb[IPSET_ATTR_TIMEOUT]) {
519  h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
520 
521  set->variant = set->family == NFPROTO_IPV4
522  ? &hash_ipportip4_tvariant : &hash_ipportip6_tvariant;
523 
524  if (set->family == NFPROTO_IPV4)
525  hash_ipportip4_gc_init(set);
526  else
527  hash_ipportip6_gc_init(set);
528  } else {
529  set->variant = set->family == NFPROTO_IPV4
530  ? &hash_ipportip4_variant : &hash_ipportip6_variant;
531  }
532 
533  pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
534  set->name, jhash_size(h->table->htable_bits),
535  h->table->htable_bits, h->maxelem, set->data, h->table);
536 
537  return 0;
538 }
539 
540 static struct ip_set_type hash_ipportip_type __read_mostly = {
541  .name = "hash:ip,port,ip",
542  .protocol = IPSET_PROTOCOL,
543  .features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2,
544  .dimension = IPSET_DIM_THREE,
545  .family = NFPROTO_UNSPEC,
546  .revision_min = REVISION_MIN,
547  .revision_max = REVISION_MAX,
548  .create = hash_ipportip_create,
549  .create_policy = {
550  [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
551  [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
552  [IPSET_ATTR_PROBES] = { .type = NLA_U8 },
553  [IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
554  [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
555  },
556  .adt_policy = {
557  [IPSET_ATTR_IP] = { .type = NLA_NESTED },
558  [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
559  [IPSET_ATTR_IP2] = { .type = NLA_NESTED },
560  [IPSET_ATTR_PORT] = { .type = NLA_U16 },
561  [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 },
562  [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
563  [IPSET_ATTR_PROTO] = { .type = NLA_U8 },
564  [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
565  [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
566  },
567  .me = THIS_MODULE,
568 };
569 
570 static int __init
571 hash_ipportip_init(void)
572 {
573  return ip_set_type_register(&hash_ipportip_type);
574 }
575 
576 static void __exit
577 hash_ipportip_fini(void)
578 {
579  ip_set_type_unregister(&hash_ipportip_type);
580 }
581 
582 module_init(hash_ipportip_init);
583 module_exit(hash_ipportip_fini);
Generated on Thu Jan 10 2013 15:00:09 for Linux Kernel by   doxygen 1.8.2