Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ip_set_hash_net.c
Go to the documentation of this file.
1 /* Copyright (C) 2003-2011 Jozsef Kadlecsik <[email protected]>
2  *
3  * This program is free software; you can redistribute it and/or modify
4  * it under the terms of the GNU General Public License version 2 as
5  * published by the Free Software Foundation.
6  */
7 
8 /* Kernel module implementing an IP set type: the hash:net type */
9 
10 #include <linux/jhash.h>
11 #include <linux/module.h>
12 #include <linux/ip.h>
13 #include <linux/skbuff.h>
14 #include <linux/errno.h>
15 #include <linux/random.h>
16 #include <net/ip.h>
17 #include <net/ipv6.h>
18 #include <net/netlink.h>
19 
20 #include <linux/netfilter.h>
21 #include <linux/netfilter/ipset/pfxlen.h>
22 #include <linux/netfilter/ipset/ip_set.h>
23 #include <linux/netfilter/ipset/ip_set_timeout.h>
24 #include <linux/netfilter/ipset/ip_set_hash.h>
25 
26 #define REVISION_MIN 0
27 /* 1 Range as input support for IPv4 added */
28 #define REVISION_MAX 2 /* nomatch flag support added */
29 
30 MODULE_LICENSE("GPL");
31 MODULE_AUTHOR("Jozsef Kadlecsik <[email protected]>");
32 IP_SET_MODULE_DESC("hash:net", REVISION_MIN, REVISION_MAX);
33 MODULE_ALIAS("ip_set_hash:net");
34 
35 /* Type specific function prefix */
36 #define TYPE hash_net
37 
38 static bool
39 hash_net_same_set(const struct ip_set *a, const struct ip_set *b);
40 
41 #define hash_net4_same_set hash_net_same_set
42 #define hash_net6_same_set hash_net_same_set
43 
44 /* The type variant functions: IPv4 */
45 
46 /* Member elements without timeout */
47 struct hash_net4_elem {
48  __be32 ip;
49  u16 padding0;
50  u8 nomatch;
51  u8 cidr;
52 };
53 
54 /* Member elements with timeout support */
55 struct hash_net4_telem {
56  __be32 ip;
57  u16 padding0;
58  u8 nomatch;
59  u8 cidr;
60  unsigned long timeout;
61 };
62 
63 static inline bool
64 hash_net4_data_equal(const struct hash_net4_elem *ip1,
65  const struct hash_net4_elem *ip2,
66  u32 *multi)
67 {
68  return ip1->ip == ip2->ip &&
69  ip1->cidr == ip2->cidr;
70 }
71 
72 static inline bool
73 hash_net4_data_isnull(const struct hash_net4_elem *elem)
74 {
75  return elem->cidr == 0;
76 }
77 
78 static inline void
79 hash_net4_data_copy(struct hash_net4_elem *dst,
80  const struct hash_net4_elem *src)
81 {
82  dst->ip = src->ip;
83  dst->cidr = src->cidr;
84  dst->nomatch = src->nomatch;
85 }
86 
87 static inline void
88 hash_net4_data_flags(struct hash_net4_elem *dst, u32 flags)
89 {
90  dst->nomatch = flags & IPSET_FLAG_NOMATCH;
91 }
92 
93 static inline int
94 hash_net4_data_match(const struct hash_net4_elem *elem)
95 {
96  return elem->nomatch ? -ENOTEMPTY : 1;
97 }
98 
99 static inline void
100 hash_net4_data_netmask(struct hash_net4_elem *elem, u8 cidr)
101 {
102  elem->ip &= ip_set_netmask(cidr);
103  elem->cidr = cidr;
104 }
105 
106 /* Zero CIDR values cannot be stored */
107 static inline void
108 hash_net4_data_zero_out(struct hash_net4_elem *elem)
109 {
110  elem->cidr = 0;
111 }
112 
113 static bool
114 hash_net4_data_list(struct sk_buff *skb, const struct hash_net4_elem *data)
115 {
116  u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
117 
118  if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
119  nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
120  (flags &&
121  nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
122  goto nla_put_failure;
123  return 0;
124 
125 nla_put_failure:
126  return 1;
127 }
128 
129 static bool
130 hash_net4_data_tlist(struct sk_buff *skb, const struct hash_net4_elem *data)
131 {
132  const struct hash_net4_telem *tdata =
133  (const struct hash_net4_telem *)data;
134  u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
135 
136  if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) ||
137  nla_put_u8(skb, IPSET_ATTR_CIDR, tdata->cidr) ||
138  nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
139  htonl(ip_set_timeout_get(tdata->timeout))) ||
140  (flags &&
141  nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
142  goto nla_put_failure;
143  return 0;
144 
145 nla_put_failure:
146  return 1;
147 }
148 
149 #define IP_SET_HASH_WITH_NETS
150 
151 #define PF 4
152 #define HOST_MASK 32
153 #include <linux/netfilter/ipset/ip_set_ahash.h>
154 
155 static inline void
156 hash_net4_data_next(struct ip_set_hash *h,
157  const struct hash_net4_elem *d)
158 {
159  h->next.ip = d->ip;
160 }
161 
162 static int
163 hash_net4_kadt(struct ip_set *set, const struct sk_buff *skb,
164  const struct xt_action_param *par,
165  enum ipset_adt adt, const struct ip_set_adt_opt *opt)
166 {
167  const struct ip_set_hash *h = set->data;
168  ipset_adtfn adtfn = set->variant->adt[adt];
169  struct hash_net4_elem data = {
170  .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
171  };
172 
173  if (data.cidr == 0)
174  return -EINVAL;
175  if (adt == IPSET_TEST)
176  data.cidr = HOST_MASK;
177 
178  ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
179  data.ip &= ip_set_netmask(data.cidr);
180 
181  return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
182 }
183 
184 static int
185 hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
186  enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
187 {
188  const struct ip_set_hash *h = set->data;
189  ipset_adtfn adtfn = set->variant->adt[adt];
190  struct hash_net4_elem data = { .cidr = HOST_MASK };
191  u32 timeout = h->timeout;
192  u32 ip = 0, ip_to, last;
193  int ret;
194 
195  if (unlikely(!tb[IPSET_ATTR_IP] ||
196  !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
197  !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
198  return -IPSET_ERR_PROTOCOL;
199 
200  if (tb[IPSET_ATTR_LINENO])
201  *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
202 
203  ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
204  if (ret)
205  return ret;
206 
207  if (tb[IPSET_ATTR_CIDR]) {
208  data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
209  if (!data.cidr || data.cidr > HOST_MASK)
210  return -IPSET_ERR_INVALID_CIDR;
211  }
212 
213  if (tb[IPSET_ATTR_TIMEOUT]) {
214  if (!with_timeout(h->timeout))
215  return -IPSET_ERR_TIMEOUT;
216  timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
217  }
218 
219  if (tb[IPSET_ATTR_CADT_FLAGS] && adt == IPSET_ADD) {
220  u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
221  if (cadt_flags & IPSET_FLAG_NOMATCH)
222  flags |= (cadt_flags << 16);
223  }
224 
225  if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
226  data.ip = htonl(ip & ip_set_hostmask(data.cidr));
227  ret = adtfn(set, &data, timeout, flags);
228  return ip_set_eexist(ret, flags) ? 0 : ret;
229  }
230 
231  ip_to = ip;
232  if (tb[IPSET_ATTR_IP_TO]) {
233  ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
234  if (ret)
235  return ret;
236  if (ip_to < ip)
237  swap(ip, ip_to);
238  if (ip + UINT_MAX == ip_to)
239  return -IPSET_ERR_HASH_RANGE;
240  }
241  if (retried)
242  ip = ntohl(h->next.ip);
243  while (!after(ip, ip_to)) {
244  data.ip = htonl(ip);
245  last = ip_set_range_to_cidr(ip, ip_to, &data.cidr);
246  ret = adtfn(set, &data, timeout, flags);
247  if (ret && !ip_set_eexist(ret, flags))
248  return ret;
249  else
250  ret = 0;
251  ip = last + 1;
252  }
253  return ret;
254 }
255 
256 static bool
257 hash_net_same_set(const struct ip_set *a, const struct ip_set *b)
258 {
259  const struct ip_set_hash *x = a->data;
260  const struct ip_set_hash *y = b->data;
261 
262  /* Resizing changes htable_bits, so we ignore it */
263  return x->maxelem == y->maxelem &&
264  x->timeout == y->timeout;
265 }
266 
267 /* The type variant functions: IPv6 */
268 
269 struct hash_net6_elem {
270  union nf_inet_addr ip;
271  u16 padding0;
272  u8 nomatch;
273  u8 cidr;
274 };
275 
276 struct hash_net6_telem {
277  union nf_inet_addr ip;
278  u16 padding0;
279  u8 nomatch;
280  u8 cidr;
281  unsigned long timeout;
282 };
283 
284 static inline bool
285 hash_net6_data_equal(const struct hash_net6_elem *ip1,
286  const struct hash_net6_elem *ip2,
287  u32 *multi)
288 {
289  return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
290  ip1->cidr == ip2->cidr;
291 }
292 
293 static inline bool
294 hash_net6_data_isnull(const struct hash_net6_elem *elem)
295 {
296  return elem->cidr == 0;
297 }
298 
299 static inline void
300 hash_net6_data_copy(struct hash_net6_elem *dst,
301  const struct hash_net6_elem *src)
302 {
303  dst->ip.in6 = src->ip.in6;
304  dst->cidr = src->cidr;
305  dst->nomatch = src->nomatch;
306 }
307 
308 static inline void
309 hash_net6_data_flags(struct hash_net6_elem *dst, u32 flags)
310 {
311  dst->nomatch = flags & IPSET_FLAG_NOMATCH;
312 }
313 
314 static inline int
315 hash_net6_data_match(const struct hash_net6_elem *elem)
316 {
317  return elem->nomatch ? -ENOTEMPTY : 1;
318 }
319 
320 static inline void
321 hash_net6_data_zero_out(struct hash_net6_elem *elem)
322 {
323  elem->cidr = 0;
324 }
325 
326 static inline void
327 ip6_netmask(union nf_inet_addr *ip, u8 prefix)
328 {
329  ip->ip6[0] &= ip_set_netmask6(prefix)[0];
330  ip->ip6[1] &= ip_set_netmask6(prefix)[1];
331  ip->ip6[2] &= ip_set_netmask6(prefix)[2];
332  ip->ip6[3] &= ip_set_netmask6(prefix)[3];
333 }
334 
335 static inline void
336 hash_net6_data_netmask(struct hash_net6_elem *elem, u8 cidr)
337 {
338  ip6_netmask(&elem->ip, cidr);
339  elem->cidr = cidr;
340 }
341 
342 static bool
343 hash_net6_data_list(struct sk_buff *skb, const struct hash_net6_elem *data)
344 {
345  u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
346 
347  if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
348  nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
349  (flags &&
350  nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
351  goto nla_put_failure;
352  return 0;
353 
354 nla_put_failure:
355  return 1;
356 }
357 
358 static bool
359 hash_net6_data_tlist(struct sk_buff *skb, const struct hash_net6_elem *data)
360 {
361  const struct hash_net6_telem *e =
362  (const struct hash_net6_telem *)data;
363  u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
364 
365  if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
366  nla_put_u8(skb, IPSET_ATTR_CIDR, e->cidr) ||
367  nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
368  htonl(ip_set_timeout_get(e->timeout))) ||
369  (flags &&
370  nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
371  goto nla_put_failure;
372  return 0;
373 
374 nla_put_failure:
375  return 1;
376 }
377 
378 #undef PF
379 #undef HOST_MASK
380 
381 #define PF 6
382 #define HOST_MASK 128
383 #include <linux/netfilter/ipset/ip_set_ahash.h>
384 
385 static inline void
386 hash_net6_data_next(struct ip_set_hash *h,
387  const struct hash_net6_elem *d)
388 {
389 }
390 
391 static int
392 hash_net6_kadt(struct ip_set *set, const struct sk_buff *skb,
393  const struct xt_action_param *par,
394  enum ipset_adt adt, const struct ip_set_adt_opt *opt)
395 {
396  const struct ip_set_hash *h = set->data;
397  ipset_adtfn adtfn = set->variant->adt[adt];
398  struct hash_net6_elem data = {
399  .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
400  };
401 
402  if (data.cidr == 0)
403  return -EINVAL;
404  if (adt == IPSET_TEST)
405  data.cidr = HOST_MASK;
406 
407  ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
408  ip6_netmask(&data.ip, data.cidr);
409 
410  return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
411 }
412 
413 static int
414 hash_net6_uadt(struct ip_set *set, struct nlattr *tb[],
415  enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
416 {
417  const struct ip_set_hash *h = set->data;
418  ipset_adtfn adtfn = set->variant->adt[adt];
419  struct hash_net6_elem data = { .cidr = HOST_MASK };
420  u32 timeout = h->timeout;
421  int ret;
422 
423  if (unlikely(!tb[IPSET_ATTR_IP] ||
424  !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
425  !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
426  return -IPSET_ERR_PROTOCOL;
427  if (unlikely(tb[IPSET_ATTR_IP_TO]))
428  return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
429 
430  if (tb[IPSET_ATTR_LINENO])
431  *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
432 
433  ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
434  if (ret)
435  return ret;
436 
437  if (tb[IPSET_ATTR_CIDR])
438  data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
439 
440  if (!data.cidr || data.cidr > HOST_MASK)
441  return -IPSET_ERR_INVALID_CIDR;
442 
443  ip6_netmask(&data.ip, data.cidr);
444 
445  if (tb[IPSET_ATTR_TIMEOUT]) {
446  if (!with_timeout(h->timeout))
447  return -IPSET_ERR_TIMEOUT;
448  timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
449  }
450 
451  if (tb[IPSET_ATTR_CADT_FLAGS] && adt == IPSET_ADD) {
452  u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
453  if (cadt_flags & IPSET_FLAG_NOMATCH)
454  flags |= (cadt_flags << 16);
455  }
456 
457  ret = adtfn(set, &data, timeout, flags);
458 
459  return ip_set_eexist(ret, flags) ? 0 : ret;
460 }
461 
462 /* Create hash:ip type of sets */
463 
464 static int
465 hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
466 {
467  u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
468  struct ip_set_hash *h;
469  u8 hbits;
470  size_t hsize;
471 
472  if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
473  return -IPSET_ERR_INVALID_FAMILY;
474 
475  if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
476  !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
477  !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
478  return -IPSET_ERR_PROTOCOL;
479 
480  if (tb[IPSET_ATTR_HASHSIZE]) {
481  hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
482  if (hashsize < IPSET_MIMINAL_HASHSIZE)
483  hashsize = IPSET_MIMINAL_HASHSIZE;
484  }
485 
486  if (tb[IPSET_ATTR_MAXELEM])
487  maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
488 
489  h = kzalloc(sizeof(*h)
490  + sizeof(struct ip_set_hash_nets)
491  * (set->family == NFPROTO_IPV4 ? 32 : 128), GFP_KERNEL);
492  if (!h)
493  return -ENOMEM;
494 
495  h->maxelem = maxelem;
496  get_random_bytes(&h->initval, sizeof(h->initval));
497  h->timeout = IPSET_NO_TIMEOUT;
498 
499  hbits = htable_bits(hashsize);
500  hsize = htable_size(hbits);
501  if (hsize == 0) {
502  kfree(h);
503  return -ENOMEM;
504  }
505  h->table = ip_set_alloc(hsize);
506  if (!h->table) {
507  kfree(h);
508  return -ENOMEM;
509  }
510  h->table->htable_bits = hbits;
511 
512  set->data = h;
513 
514  if (tb[IPSET_ATTR_TIMEOUT]) {
515  h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
516 
517  set->variant = set->family == NFPROTO_IPV4
518  ? &hash_net4_tvariant : &hash_net6_tvariant;
519 
520  if (set->family == NFPROTO_IPV4)
521  hash_net4_gc_init(set);
522  else
523  hash_net6_gc_init(set);
524  } else {
525  set->variant = set->family == NFPROTO_IPV4
526  ? &hash_net4_variant : &hash_net6_variant;
527  }
528 
529  pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
530  set->name, jhash_size(h->table->htable_bits),
531  h->table->htable_bits, h->maxelem, set->data, h->table);
532 
533  return 0;
534 }
535 
536 static struct ip_set_type hash_net_type __read_mostly = {
537  .name = "hash:net",
538  .protocol = IPSET_PROTOCOL,
539  .features = IPSET_TYPE_IP | IPSET_TYPE_NOMATCH,
540  .dimension = IPSET_DIM_ONE,
541  .family = NFPROTO_UNSPEC,
542  .revision_min = REVISION_MIN,
543  .revision_max = REVISION_MAX,
544  .create = hash_net_create,
545  .create_policy = {
546  [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
547  [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
548  [IPSET_ATTR_PROBES] = { .type = NLA_U8 },
549  [IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
550  [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
551  },
552  .adt_policy = {
553  [IPSET_ATTR_IP] = { .type = NLA_NESTED },
554  [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
555  [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
556  [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
557  [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
558  },
559  .me = THIS_MODULE,
560 };
561 
562 static int __init
563 hash_net_init(void)
564 {
565  return ip_set_type_register(&hash_net_type);
566 }
567 
568 static void __exit
569 hash_net_fini(void)
570 {
571  ip_set_type_unregister(&hash_net_type);
572 }
573 
574 module_init(hash_net_init);
575 module_exit(hash_net_fini);
Generated on Thu Jan 10 2013 15:00:09 for Linux Kernel by   doxygen 1.8.2