1 /* Copyright (C) 2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License version 2 as
5 * published by the Free Software Foundation.
8 /* Kernel module implementing an IP set type: the hash:net,iface type */
10 #include <linux/jhash.h>
11 #include <linux/module.h>
13 #include <linux/skbuff.h>
14 #include <linux/errno.h>
15 #include <linux/random.h>
16 #include <linux/rbtree.h>
19 #include <net/netlink.h>
21 #include <linux/netfilter.h>
22 #include <linux/netfilter/ipset/pfxlen.h>
23 #include <linux/netfilter/ipset/ip_set.h>
24 #include <linux/netfilter/ipset/ip_set_timeout.h>
25 #include <linux/netfilter/ipset/ip_set_hash.h>
27 #define REVISION_MIN 0
28 /* 1 nomatch flag support added */
29 #define REVISION_MAX 2 /* /0 support added */
31 MODULE_LICENSE("GPL");
32 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
33 IP_SET_MODULE_DESC("hash:net,iface", REVISION_MIN, REVISION_MAX);
34 MODULE_ALIAS("ip_set_hash:net,iface");
36 /* Interface name rbtree */
43 #define iface_data(n) (rb_entry(n, struct iface_node, node)->iface)
46 rbtree_destroy(struct rb_root *root)
48 struct rb_node *p, *n = root->rb_node;
49 struct iface_node *node;
51 /* Non-recursive destroy, like in ext3 */
62 node = rb_entry(n, struct iface_node, node);
65 else if (p->rb_left == n)
67 else if (p->rb_right == n)
76 iface_test(struct rb_root *root, const char **iface)
78 struct rb_node *n = root->rb_node;
81 const char *d = iface_data(n);
82 int res = strcmp(*iface, d);
97 iface_add(struct rb_root *root, const char **iface)
99 struct rb_node **n = &(root->rb_node), *p = NULL;
100 struct iface_node *d;
103 char *ifname = iface_data(*n);
104 int res = strcmp(*iface, ifname);
108 n = &((*n)->rb_left);
110 n = &((*n)->rb_right);
117 d = kzalloc(sizeof(*d), GFP_ATOMIC);
120 strcpy(d->iface, *iface);
122 rb_link_node(&d->node, p, n);
123 rb_insert_color(&d->node, root);
129 /* Type specific function prefix */
130 #define TYPE hash_netiface
133 hash_netiface_same_set(const struct ip_set *a, const struct ip_set *b);
135 #define hash_netiface4_same_set hash_netiface_same_set
136 #define hash_netiface6_same_set hash_netiface_same_set
138 #define STREQ(a, b) (strcmp(a, b) == 0)
140 /* The type variant functions: IPv4 */
142 struct hash_netiface4_elem_hashed {
150 #define HKEY_DATALEN sizeof(struct hash_netiface4_elem_hashed)
152 /* Member elements without timeout */
153 struct hash_netiface4_elem {
162 /* Member elements with timeout support */
163 struct hash_netiface4_telem {
170 unsigned long timeout;
174 hash_netiface4_data_equal(const struct hash_netiface4_elem *ip1,
175 const struct hash_netiface4_elem *ip2,
178 return ip1->ip == ip2->ip &&
179 ip1->cidr == ip2->cidr &&
181 ip1->physdev == ip2->physdev &&
182 ip1->iface == ip2->iface;
186 hash_netiface4_data_isnull(const struct hash_netiface4_elem *elem)
188 return elem->elem == 0;
192 hash_netiface4_data_copy(struct hash_netiface4_elem *dst,
193 const struct hash_netiface4_elem *src)
195 memcpy(dst, src, sizeof(*dst));
199 hash_netiface4_data_flags(struct hash_netiface4_elem *dst, u32 flags)
201 dst->nomatch = flags & IPSET_FLAG_NOMATCH;
205 hash_netiface4_data_match(const struct hash_netiface4_elem *elem)
207 return elem->nomatch ? -ENOTEMPTY : 1;
211 hash_netiface4_data_netmask(struct hash_netiface4_elem *elem, u8 cidr)
213 elem->ip &= ip_set_netmask(cidr);
218 hash_netiface4_data_zero_out(struct hash_netiface4_elem *elem)
224 hash_netiface4_data_list(struct sk_buff *skb,
225 const struct hash_netiface4_elem *data)
227 u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
230 flags |= IPSET_FLAG_NOMATCH;
231 if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
232 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
233 nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
235 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
236 goto nla_put_failure;
244 hash_netiface4_data_tlist(struct sk_buff *skb,
245 const struct hash_netiface4_elem *data)
247 const struct hash_netiface4_telem *tdata =
248 (const struct hash_netiface4_telem *)data;
249 u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
252 flags |= IPSET_FLAG_NOMATCH;
253 if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
254 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
255 nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
257 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))) ||
258 nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
259 htonl(ip_set_timeout_get(tdata->timeout))))
260 goto nla_put_failure;
268 #define IP_SET_HASH_WITH_NETS
269 #define IP_SET_HASH_WITH_RBTREE
270 #define IP_SET_HASH_WITH_MULTI
274 #include <linux/netfilter/ipset/ip_set_ahash.h>
277 hash_netiface4_data_next(struct ip_set_hash *h,
278 const struct hash_netiface4_elem *d)
284 hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb,
285 const struct xt_action_param *par,
286 enum ipset_adt adt, const struct ip_set_adt_opt *opt)
288 struct ip_set_hash *h = set->data;
289 ipset_adtfn adtfn = set->variant->adt[adt];
290 struct hash_netiface4_elem data = {
291 .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK,
298 if (adt == IPSET_TEST)
299 data.cidr = HOST_MASK;
301 ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
302 data.ip &= ip_set_netmask(data.cidr);
304 #define IFACE(dir) (par->dir ? par->dir->name : NULL)
305 #define PHYSDEV(dir) (nf_bridge->dir ? nf_bridge->dir->name : NULL)
306 #define SRCDIR (opt->flags & IPSET_DIM_TWO_SRC)
308 if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
309 #ifdef CONFIG_BRIDGE_NETFILTER
310 const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
314 data.iface = SRCDIR ? PHYSDEV(physindev) : PHYSDEV(physoutdev);
320 data.iface = SRCDIR ? IFACE(in) : IFACE(out);
324 ret = iface_test(&h->rbtree, &data.iface);
325 if (adt == IPSET_ADD) {
327 ret = iface_add(&h->rbtree, &data.iface);
334 return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
338 hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
339 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
341 struct ip_set_hash *h = set->data;
342 ipset_adtfn adtfn = set->variant->adt[adt];
343 struct hash_netiface4_elem data = { .cidr = HOST_MASK, .elem = 1 };
344 u32 ip = 0, ip_to, last;
345 u32 timeout = h->timeout;
346 char iface[IFNAMSIZ];
349 if (unlikely(!tb[IPSET_ATTR_IP] ||
350 !tb[IPSET_ATTR_IFACE] ||
351 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
352 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
353 return -IPSET_ERR_PROTOCOL;
355 if (tb[IPSET_ATTR_LINENO])
356 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
358 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
362 if (tb[IPSET_ATTR_CIDR]) {
363 data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
364 if (data.cidr > HOST_MASK)
365 return -IPSET_ERR_INVALID_CIDR;
368 if (tb[IPSET_ATTR_TIMEOUT]) {
369 if (!with_timeout(h->timeout))
370 return -IPSET_ERR_TIMEOUT;
371 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
374 strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE]));
376 ret = iface_test(&h->rbtree, &data.iface);
377 if (adt == IPSET_ADD) {
379 ret = iface_add(&h->rbtree, &data.iface);
386 if (tb[IPSET_ATTR_CADT_FLAGS]) {
387 u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
388 if (cadt_flags & IPSET_FLAG_PHYSDEV)
390 if (adt == IPSET_ADD && (cadt_flags & IPSET_FLAG_NOMATCH))
391 flags |= (cadt_flags << 16);
393 if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
394 data.ip = htonl(ip & ip_set_hostmask(data.cidr));
395 ret = adtfn(set, &data, timeout, flags);
396 return ip_set_eexist(ret, flags) ? 0 : ret;
399 if (tb[IPSET_ATTR_IP_TO]) {
400 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
405 if (ip + UINT_MAX == ip_to)
406 return -IPSET_ERR_HASH_RANGE;
408 ip_set_mask_from_to(ip, ip_to, data.cidr);
412 ip = ntohl(h->next.ip);
413 while (!after(ip, ip_to)) {
415 last = ip_set_range_to_cidr(ip, ip_to, &data.cidr);
416 ret = adtfn(set, &data, timeout, flags);
418 if (ret && !ip_set_eexist(ret, flags))
428 hash_netiface_same_set(const struct ip_set *a, const struct ip_set *b)
430 const struct ip_set_hash *x = a->data;
431 const struct ip_set_hash *y = b->data;
433 /* Resizing changes htable_bits, so we ignore it */
434 return x->maxelem == y->maxelem &&
435 x->timeout == y->timeout;
438 /* The type variant functions: IPv6 */
440 struct hash_netiface6_elem_hashed {
441 union nf_inet_addr ip;
448 #define HKEY_DATALEN sizeof(struct hash_netiface6_elem_hashed)
450 struct hash_netiface6_elem {
451 union nf_inet_addr ip;
459 struct hash_netiface6_telem {
460 union nf_inet_addr ip;
466 unsigned long timeout;
470 hash_netiface6_data_equal(const struct hash_netiface6_elem *ip1,
471 const struct hash_netiface6_elem *ip2,
474 return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6) &&
475 ip1->cidr == ip2->cidr &&
477 ip1->physdev == ip2->physdev &&
478 ip1->iface == ip2->iface;
482 hash_netiface6_data_isnull(const struct hash_netiface6_elem *elem)
484 return elem->elem == 0;
488 hash_netiface6_data_copy(struct hash_netiface6_elem *dst,
489 const struct hash_netiface6_elem *src)
491 memcpy(dst, src, sizeof(*dst));
495 hash_netiface6_data_flags(struct hash_netiface6_elem *dst, u32 flags)
497 dst->nomatch = flags & IPSET_FLAG_NOMATCH;
501 hash_netiface6_data_match(const struct hash_netiface6_elem *elem)
503 return elem->nomatch ? -ENOTEMPTY : 1;
507 hash_netiface6_data_zero_out(struct hash_netiface6_elem *elem)
513 ip6_netmask(union nf_inet_addr *ip, u8 prefix)
515 ip->ip6[0] &= ip_set_netmask6(prefix)[0];
516 ip->ip6[1] &= ip_set_netmask6(prefix)[1];
517 ip->ip6[2] &= ip_set_netmask6(prefix)[2];
518 ip->ip6[3] &= ip_set_netmask6(prefix)[3];
522 hash_netiface6_data_netmask(struct hash_netiface6_elem *elem, u8 cidr)
524 ip6_netmask(&elem->ip, cidr);
529 hash_netiface6_data_list(struct sk_buff *skb,
530 const struct hash_netiface6_elem *data)
532 u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
535 flags |= IPSET_FLAG_NOMATCH;
536 if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
537 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
538 nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
540 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
541 goto nla_put_failure;
549 hash_netiface6_data_tlist(struct sk_buff *skb,
550 const struct hash_netiface6_elem *data)
552 const struct hash_netiface6_telem *e =
553 (const struct hash_netiface6_telem *)data;
554 u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
557 flags |= IPSET_FLAG_NOMATCH;
558 if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
559 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
560 nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
562 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))) ||
563 nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
564 htonl(ip_set_timeout_get(e->timeout))))
565 goto nla_put_failure;
576 #define HOST_MASK 128
577 #include <linux/netfilter/ipset/ip_set_ahash.h>
580 hash_netiface6_data_next(struct ip_set_hash *h,
581 const struct hash_netiface6_elem *d)
586 hash_netiface6_kadt(struct ip_set *set, const struct sk_buff *skb,
587 const struct xt_action_param *par,
588 enum ipset_adt adt, const struct ip_set_adt_opt *opt)
590 struct ip_set_hash *h = set->data;
591 ipset_adtfn adtfn = set->variant->adt[adt];
592 struct hash_netiface6_elem data = {
593 .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK,
600 if (adt == IPSET_TEST)
601 data.cidr = HOST_MASK;
603 ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
604 ip6_netmask(&data.ip, data.cidr);
606 if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
607 #ifdef CONFIG_BRIDGE_NETFILTER
608 const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
612 data.iface = SRCDIR ? PHYSDEV(physindev) : PHYSDEV(physoutdev);
618 data.iface = SRCDIR ? IFACE(in) : IFACE(out);
622 ret = iface_test(&h->rbtree, &data.iface);
623 if (adt == IPSET_ADD) {
625 ret = iface_add(&h->rbtree, &data.iface);
632 return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
636 hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
637 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
639 struct ip_set_hash *h = set->data;
640 ipset_adtfn adtfn = set->variant->adt[adt];
641 struct hash_netiface6_elem data = { .cidr = HOST_MASK, .elem = 1 };
642 u32 timeout = h->timeout;
643 char iface[IFNAMSIZ];
646 if (unlikely(!tb[IPSET_ATTR_IP] ||
647 !tb[IPSET_ATTR_IFACE] ||
648 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
649 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
650 return -IPSET_ERR_PROTOCOL;
651 if (unlikely(tb[IPSET_ATTR_IP_TO]))
652 return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
654 if (tb[IPSET_ATTR_LINENO])
655 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
657 ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
661 if (tb[IPSET_ATTR_CIDR])
662 data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
663 if (data.cidr > HOST_MASK)
664 return -IPSET_ERR_INVALID_CIDR;
665 ip6_netmask(&data.ip, data.cidr);
667 if (tb[IPSET_ATTR_TIMEOUT]) {
668 if (!with_timeout(h->timeout))
669 return -IPSET_ERR_TIMEOUT;
670 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
673 strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE]));
675 ret = iface_test(&h->rbtree, &data.iface);
676 if (adt == IPSET_ADD) {
678 ret = iface_add(&h->rbtree, &data.iface);
685 if (tb[IPSET_ATTR_CADT_FLAGS]) {
686 u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
687 if (cadt_flags & IPSET_FLAG_PHYSDEV)
689 if (adt == IPSET_ADD && (cadt_flags & IPSET_FLAG_NOMATCH))
690 flags |= (cadt_flags << 16);
693 ret = adtfn(set, &data, timeout, flags);
695 return ip_set_eexist(ret, flags) ? 0 : ret;
698 /* Create hash:ip type of sets */
701 hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
703 struct ip_set_hash *h;
704 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
708 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
709 return -IPSET_ERR_INVALID_FAMILY;
711 if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
712 !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
713 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
714 return -IPSET_ERR_PROTOCOL;
716 if (tb[IPSET_ATTR_HASHSIZE]) {
717 hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
718 if (hashsize < IPSET_MIMINAL_HASHSIZE)
719 hashsize = IPSET_MIMINAL_HASHSIZE;
722 if (tb[IPSET_ATTR_MAXELEM])
723 maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
725 h = kzalloc(sizeof(*h)
726 + sizeof(struct ip_set_hash_nets)
727 * (set->family == NFPROTO_IPV4 ? 32 : 128), GFP_KERNEL);
731 h->maxelem = maxelem;
732 get_random_bytes(&h->initval, sizeof(h->initval));
733 h->timeout = IPSET_NO_TIMEOUT;
734 h->ahash_max = AHASH_MAX_SIZE;
736 hbits = htable_bits(hashsize);
737 hsize = htable_size(hbits);
742 h->table = ip_set_alloc(hsize);
747 h->table->htable_bits = hbits;
752 if (tb[IPSET_ATTR_TIMEOUT]) {
753 h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
755 set->variant = set->family == NFPROTO_IPV4
756 ? &hash_netiface4_tvariant : &hash_netiface6_tvariant;
758 if (set->family == NFPROTO_IPV4)
759 hash_netiface4_gc_init(set);
761 hash_netiface6_gc_init(set);
763 set->variant = set->family == NFPROTO_IPV4
764 ? &hash_netiface4_variant : &hash_netiface6_variant;
767 pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
768 set->name, jhash_size(h->table->htable_bits),
769 h->table->htable_bits, h->maxelem, set->data, h->table);
774 static struct ip_set_type hash_netiface_type __read_mostly = {
775 .name = "hash:net,iface",
776 .protocol = IPSET_PROTOCOL,
777 .features = IPSET_TYPE_IP | IPSET_TYPE_IFACE |
779 .dimension = IPSET_DIM_TWO,
780 .family = NFPROTO_UNSPEC,
781 .revision_min = REVISION_MIN,
782 .revision_max = REVISION_MAX,
783 .create = hash_netiface_create,
785 [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
786 [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
787 [IPSET_ATTR_PROBES] = { .type = NLA_U8 },
788 [IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
789 [IPSET_ATTR_PROTO] = { .type = NLA_U8 },
790 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
793 [IPSET_ATTR_IP] = { .type = NLA_NESTED },
794 [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
795 [IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING,
796 .len = IFNAMSIZ - 1 },
797 [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
798 [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
799 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
800 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
806 hash_netiface_init(void)
808 return ip_set_type_register(&hash_netiface_type);
812 hash_netiface_fini(void)
814 ip_set_type_unregister(&hash_netiface_type);
817 module_init(hash_netiface_init);
818 module_exit(hash_netiface_fini);
projects / karo-tx-linux.git / blob