1 /* Copyright (C) 2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License version 2 as
5 * published by the Free Software Foundation.
8 /* Kernel module implementing an IP set type: the hash:net,iface type */
10 #include <linux/jhash.h>
11 #include <linux/module.h>
13 #include <linux/skbuff.h>
14 #include <linux/errno.h>
15 #include <linux/random.h>
16 #include <linux/rbtree.h>
19 #include <net/netlink.h>
21 #include <linux/netfilter.h>
22 #include <linux/netfilter/ipset/pfxlen.h>
23 #include <linux/netfilter/ipset/ip_set.h>
24 #include <linux/netfilter/ipset/ip_set_timeout.h>
25 #include <linux/netfilter/ipset/ip_set_hash.h>
27 MODULE_LICENSE("GPL");
28 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
29 MODULE_DESCRIPTION("hash:net,iface type of IP sets");
30 MODULE_ALIAS("ip_set_hash:net,iface");
32 /* Interface name rbtree */
39 #define iface_data(n) (rb_entry(n, struct iface_node, node)->iface)
42 ifname_compare(const char *_a, const char *_b)
44 const long *a = (const long *)_a;
45 const long *b = (const long *)_b;
47 BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
50 if (IFNAMSIZ > sizeof(long)) {
54 if (IFNAMSIZ > 2 * sizeof(long)) {
58 if (IFNAMSIZ > 3 * sizeof(long)) {
66 rbtree_destroy(struct rb_root *root)
68 struct rb_node *p, *n = root->rb_node;
69 struct iface_node *node;
71 /* Non-recursive destroy, like in ext3 */
82 node = rb_entry(n, struct iface_node, node);
85 else if (p->rb_left == n)
87 else if (p->rb_right == n)
96 iface_test(struct rb_root *root, const char **iface)
98 struct rb_node *n = root->rb_node;
101 const char *d = iface_data(n);
102 long res = ifname_compare(*iface, d);
117 iface_add(struct rb_root *root, const char **iface)
119 struct rb_node **n = &(root->rb_node), *p = NULL;
120 struct iface_node *d;
123 char *ifname = iface_data(*n);
124 long res = ifname_compare(*iface, ifname);
128 n = &((*n)->rb_left);
130 n = &((*n)->rb_right);
137 d = kzalloc(sizeof(*d), GFP_ATOMIC);
140 strcpy(d->iface, *iface);
142 rb_link_node(&d->node, p, n);
143 rb_insert_color(&d->node, root);
149 /* Type specific function prefix */
150 #define TYPE hash_netiface
153 hash_netiface_same_set(const struct ip_set *a, const struct ip_set *b);
155 #define hash_netiface4_same_set hash_netiface_same_set
156 #define hash_netiface6_same_set hash_netiface_same_set
158 #define STREQ(a, b) (strcmp(a, b) == 0)
160 /* The type variant functions: IPv4 */
162 struct hash_netiface4_elem_hashed {
170 #define HKEY_DATALEN sizeof(struct hash_netiface4_elem_hashed)
172 /* Member elements without timeout */
173 struct hash_netiface4_elem {
182 /* Member elements with timeout support */
183 struct hash_netiface4_telem {
190 unsigned long timeout;
194 hash_netiface4_data_equal(const struct hash_netiface4_elem *ip1,
195 const struct hash_netiface4_elem *ip2,
198 return ip1->ip == ip2->ip &&
199 ip1->cidr == ip2->cidr &&
201 ip1->physdev == ip2->physdev &&
202 ip1->iface == ip2->iface;
206 hash_netiface4_data_isnull(const struct hash_netiface4_elem *elem)
208 return elem->cidr == 0;
212 hash_netiface4_data_copy(struct hash_netiface4_elem *dst,
213 const struct hash_netiface4_elem *src)
216 dst->cidr = src->cidr;
217 dst->physdev = src->physdev;
218 dst->iface = src->iface;
219 dst->nomatch = src->nomatch;
223 hash_netiface4_data_flags(struct hash_netiface4_elem *dst, u32 flags)
225 dst->nomatch = flags & IPSET_FLAG_NOMATCH;
229 hash_netiface4_data_match(const struct hash_netiface4_elem *elem)
231 return !elem->nomatch;
235 hash_netiface4_data_netmask(struct hash_netiface4_elem *elem, u8 cidr)
237 elem->ip &= ip_set_netmask(cidr);
242 hash_netiface4_data_zero_out(struct hash_netiface4_elem *elem)
248 hash_netiface4_data_list(struct sk_buff *skb,
249 const struct hash_netiface4_elem *data)
251 u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
254 flags |= IPSET_FLAG_NOMATCH;
255 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
256 NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
257 NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
259 NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
267 hash_netiface4_data_tlist(struct sk_buff *skb,
268 const struct hash_netiface4_elem *data)
270 const struct hash_netiface4_telem *tdata =
271 (const struct hash_netiface4_telem *)data;
272 u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
275 flags |= IPSET_FLAG_NOMATCH;
276 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
277 NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
278 NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
280 NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
281 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
282 htonl(ip_set_timeout_get(tdata->timeout)));
290 #define IP_SET_HASH_WITH_NETS
291 #define IP_SET_HASH_WITH_RBTREE
292 #define IP_SET_HASH_WITH_MULTI
296 #include <linux/netfilter/ipset/ip_set_ahash.h>
299 hash_netiface4_data_next(struct ip_set_hash *h,
300 const struct hash_netiface4_elem *d)
302 h->next.ip = ntohl(d->ip);
306 hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb,
307 const struct xt_action_param *par,
308 enum ipset_adt adt, const struct ip_set_adt_opt *opt)
310 struct ip_set_hash *h = set->data;
311 ipset_adtfn adtfn = set->variant->adt[adt];
312 struct hash_netiface4_elem data = {
313 .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
319 if (adt == IPSET_TEST)
320 data.cidr = HOST_MASK;
322 ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
323 data.ip &= ip_set_netmask(data.cidr);
325 #define IFACE(dir) (par->dir ? par->dir->name : NULL)
326 #define PHYSDEV(dir) (nf_bridge->dir ? nf_bridge->dir->name : NULL)
327 #define SRCDIR (opt->flags & IPSET_DIM_TWO_SRC)
329 if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
330 #ifdef CONFIG_BRIDGE_NETFILTER
331 const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
335 data.iface = SRCDIR ? PHYSDEV(physindev) : PHYSDEV(physoutdev);
341 data.iface = SRCDIR ? IFACE(in) : IFACE(out);
345 ret = iface_test(&h->rbtree, &data.iface);
346 if (adt == IPSET_ADD) {
348 ret = iface_add(&h->rbtree, &data.iface);
355 return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
359 hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
360 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
362 struct ip_set_hash *h = set->data;
363 ipset_adtfn adtfn = set->variant->adt[adt];
364 struct hash_netiface4_elem data = { .cidr = HOST_MASK };
365 u32 ip = 0, ip_to, last;
366 u32 timeout = h->timeout;
367 char iface[IFNAMSIZ] = {};
370 if (unlikely(!tb[IPSET_ATTR_IP] ||
371 !tb[IPSET_ATTR_IFACE] ||
372 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
373 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
374 return -IPSET_ERR_PROTOCOL;
376 if (tb[IPSET_ATTR_LINENO])
377 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
379 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
383 if (tb[IPSET_ATTR_CIDR]) {
384 data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
385 if (!data.cidr || data.cidr > HOST_MASK)
386 return -IPSET_ERR_INVALID_CIDR;
389 if (tb[IPSET_ATTR_TIMEOUT]) {
390 if (!with_timeout(h->timeout))
391 return -IPSET_ERR_TIMEOUT;
392 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
395 strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE]));
397 ret = iface_test(&h->rbtree, &data.iface);
398 if (adt == IPSET_ADD) {
400 ret = iface_add(&h->rbtree, &data.iface);
407 if (tb[IPSET_ATTR_CADT_FLAGS]) {
408 u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
409 if (cadt_flags & IPSET_FLAG_PHYSDEV)
411 if (adt == IPSET_ADD && (cadt_flags & IPSET_FLAG_NOMATCH))
412 flags |= (cadt_flags << 16);
415 if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
416 data.ip = htonl(ip & ip_set_hostmask(data.cidr));
417 ret = adtfn(set, &data, timeout, flags);
418 return ip_set_eexist(ret, flags) ? 0 : ret;
421 if (tb[IPSET_ATTR_IP_TO]) {
422 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
427 if (ip + UINT_MAX == ip_to)
428 return -IPSET_ERR_HASH_RANGE;
430 ip_set_mask_from_to(ip, ip_to, data.cidr);
435 while (!after(ip, ip_to)) {
437 last = ip_set_range_to_cidr(ip, ip_to, &data.cidr);
438 ret = adtfn(set, &data, timeout, flags);
440 if (ret && !ip_set_eexist(ret, flags))
450 hash_netiface_same_set(const struct ip_set *a, const struct ip_set *b)
452 const struct ip_set_hash *x = a->data;
453 const struct ip_set_hash *y = b->data;
455 /* Resizing changes htable_bits, so we ignore it */
456 return x->maxelem == y->maxelem &&
457 x->timeout == y->timeout;
460 /* The type variant functions: IPv6 */
462 struct hash_netiface6_elem_hashed {
463 union nf_inet_addr ip;
470 #define HKEY_DATALEN sizeof(struct hash_netiface6_elem_hashed)
472 struct hash_netiface6_elem {
473 union nf_inet_addr ip;
481 struct hash_netiface6_telem {
482 union nf_inet_addr ip;
488 unsigned long timeout;
492 hash_netiface6_data_equal(const struct hash_netiface6_elem *ip1,
493 const struct hash_netiface6_elem *ip2,
496 return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
497 ip1->cidr == ip2->cidr &&
499 ip1->physdev == ip2->physdev &&
500 ip1->iface == ip2->iface;
504 hash_netiface6_data_isnull(const struct hash_netiface6_elem *elem)
506 return elem->cidr == 0;
510 hash_netiface6_data_copy(struct hash_netiface6_elem *dst,
511 const struct hash_netiface6_elem *src)
513 memcpy(dst, src, sizeof(*dst));
517 hash_netiface6_data_flags(struct hash_netiface6_elem *dst, u32 flags)
519 dst->nomatch = flags & IPSET_FLAG_NOMATCH;
523 hash_netiface6_data_match(const struct hash_netiface6_elem *elem)
525 return !elem->nomatch;
529 hash_netiface6_data_zero_out(struct hash_netiface6_elem *elem)
535 ip6_netmask(union nf_inet_addr *ip, u8 prefix)
537 ip->ip6[0] &= ip_set_netmask6(prefix)[0];
538 ip->ip6[1] &= ip_set_netmask6(prefix)[1];
539 ip->ip6[2] &= ip_set_netmask6(prefix)[2];
540 ip->ip6[3] &= ip_set_netmask6(prefix)[3];
544 hash_netiface6_data_netmask(struct hash_netiface6_elem *elem, u8 cidr)
546 ip6_netmask(&elem->ip, cidr);
551 hash_netiface6_data_list(struct sk_buff *skb,
552 const struct hash_netiface6_elem *data)
554 u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
557 flags |= IPSET_FLAG_NOMATCH;
558 NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
559 NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
560 NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
562 NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
570 hash_netiface6_data_tlist(struct sk_buff *skb,
571 const struct hash_netiface6_elem *data)
573 const struct hash_netiface6_telem *e =
574 (const struct hash_netiface6_telem *)data;
575 u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
578 flags |= IPSET_FLAG_NOMATCH;
579 NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
580 NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
581 NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
583 NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
584 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
585 htonl(ip_set_timeout_get(e->timeout)));
596 #define HOST_MASK 128
597 #include <linux/netfilter/ipset/ip_set_ahash.h>
600 hash_netiface6_data_next(struct ip_set_hash *h,
601 const struct hash_netiface6_elem *d)
606 hash_netiface6_kadt(struct ip_set *set, const struct sk_buff *skb,
607 const struct xt_action_param *par,
608 enum ipset_adt adt, const struct ip_set_adt_opt *opt)
610 struct ip_set_hash *h = set->data;
611 ipset_adtfn adtfn = set->variant->adt[adt];
612 struct hash_netiface6_elem data = {
613 .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
619 if (adt == IPSET_TEST)
620 data.cidr = HOST_MASK;
622 ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
623 ip6_netmask(&data.ip, data.cidr);
625 if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
626 #ifdef CONFIG_BRIDGE_NETFILTER
627 const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
631 data.iface = SRCDIR ? PHYSDEV(physindev) : PHYSDEV(physoutdev);
637 data.iface = SRCDIR ? IFACE(in) : IFACE(out);
641 ret = iface_test(&h->rbtree, &data.iface);
642 if (adt == IPSET_ADD) {
644 ret = iface_add(&h->rbtree, &data.iface);
651 return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
655 hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
656 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
658 struct ip_set_hash *h = set->data;
659 ipset_adtfn adtfn = set->variant->adt[adt];
660 struct hash_netiface6_elem data = { .cidr = HOST_MASK };
661 u32 timeout = h->timeout;
662 char iface[IFNAMSIZ] = {};
665 if (unlikely(!tb[IPSET_ATTR_IP] ||
666 !tb[IPSET_ATTR_IFACE] ||
667 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
668 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
669 return -IPSET_ERR_PROTOCOL;
670 if (unlikely(tb[IPSET_ATTR_IP_TO]))
671 return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
673 if (tb[IPSET_ATTR_LINENO])
674 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
676 ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
680 if (tb[IPSET_ATTR_CIDR])
681 data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
682 if (!data.cidr || data.cidr > HOST_MASK)
683 return -IPSET_ERR_INVALID_CIDR;
684 ip6_netmask(&data.ip, data.cidr);
686 if (tb[IPSET_ATTR_TIMEOUT]) {
687 if (!with_timeout(h->timeout))
688 return -IPSET_ERR_TIMEOUT;
689 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
692 strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE]));
694 ret = iface_test(&h->rbtree, &data.iface);
695 if (adt == IPSET_ADD) {
697 ret = iface_add(&h->rbtree, &data.iface);
704 if (tb[IPSET_ATTR_CADT_FLAGS]) {
705 u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
706 if (cadt_flags & IPSET_FLAG_PHYSDEV)
708 if (adt == IPSET_ADD && (cadt_flags & IPSET_FLAG_NOMATCH))
709 flags |= (cadt_flags << 16);
712 ret = adtfn(set, &data, timeout, flags);
714 return ip_set_eexist(ret, flags) ? 0 : ret;
717 /* Create hash:ip type of sets */
720 hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
722 struct ip_set_hash *h;
723 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
727 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
728 return -IPSET_ERR_INVALID_FAMILY;
730 if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
731 !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
732 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
733 return -IPSET_ERR_PROTOCOL;
735 if (tb[IPSET_ATTR_HASHSIZE]) {
736 hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
737 if (hashsize < IPSET_MIMINAL_HASHSIZE)
738 hashsize = IPSET_MIMINAL_HASHSIZE;
741 if (tb[IPSET_ATTR_MAXELEM])
742 maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
744 h = kzalloc(sizeof(*h)
745 + sizeof(struct ip_set_hash_nets)
746 * (set->family == NFPROTO_IPV4 ? 32 : 128), GFP_KERNEL);
750 h->maxelem = maxelem;
751 get_random_bytes(&h->initval, sizeof(h->initval));
752 h->timeout = IPSET_NO_TIMEOUT;
753 h->ahash_max = AHASH_MAX_SIZE;
755 hbits = htable_bits(hashsize);
756 hsize = htable_size(hbits);
761 h->table = ip_set_alloc(hsize);
766 h->table->htable_bits = hbits;
771 if (tb[IPSET_ATTR_TIMEOUT]) {
772 h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
774 set->variant = set->family == NFPROTO_IPV4
775 ? &hash_netiface4_tvariant : &hash_netiface6_tvariant;
777 if (set->family == NFPROTO_IPV4)
778 hash_netiface4_gc_init(set);
780 hash_netiface6_gc_init(set);
782 set->variant = set->family == NFPROTO_IPV4
783 ? &hash_netiface4_variant : &hash_netiface6_variant;
786 pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
787 set->name, jhash_size(h->table->htable_bits),
788 h->table->htable_bits, h->maxelem, set->data, h->table);
793 static struct ip_set_type hash_netiface_type __read_mostly = {
794 .name = "hash:net,iface",
795 .protocol = IPSET_PROTOCOL,
796 .features = IPSET_TYPE_IP | IPSET_TYPE_IFACE,
797 .dimension = IPSET_DIM_TWO,
798 .family = NFPROTO_UNSPEC,
800 .revision_max = 1, /* nomatch flag support added */
801 .create = hash_netiface_create,
803 [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
804 [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
805 [IPSET_ATTR_PROBES] = { .type = NLA_U8 },
806 [IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
807 [IPSET_ATTR_PROTO] = { .type = NLA_U8 },
808 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
811 [IPSET_ATTR_IP] = { .type = NLA_NESTED },
812 [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
813 [IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING,
814 .len = IPSET_MAXNAMELEN - 1 },
815 [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
816 [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
817 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
818 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
824 hash_netiface_init(void)
826 return ip_set_type_register(&hash_netiface_type);
830 hash_netiface_fini(void)
832 ip_set_type_unregister(&hash_netiface_type);
835 module_init(hash_netiface_init);
836 module_exit(hash_netiface_fini);
projects / linux-flexiantxendom0-3.2.10.git / blob