1 /* Copyright (C) 2011-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License version 2 as
5 * published by the Free Software Foundation.
8 /* Kernel module implementing an IP set type: the hash:net,iface type */
10 #include <linux/jhash.h>
11 #include <linux/module.h>
13 #include <linux/skbuff.h>
14 #include <linux/errno.h>
15 #include <linux/random.h>
16 #include <linux/rbtree.h>
19 #include <net/netlink.h>
21 #include <linux/netfilter.h>
22 #include <linux/netfilter/ipset/pfxlen.h>
23 #include <linux/netfilter/ipset/ip_set.h>
24 #include <linux/netfilter/ipset/ip_set_hash.h>
26 #define REVISION_MIN 0
27 /* 1 nomatch flag support added */
28 /* 2 /0 support added */
29 #define REVISION_MAX 3 /* Counters support added */
31 MODULE_LICENSE("GPL");
32 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
33 IP_SET_MODULE_DESC("hash:net,iface", REVISION_MIN, REVISION_MAX);
34 MODULE_ALIAS("ip_set_hash:net,iface");
36 /* Interface name rbtree */
43 #define iface_data(n) (rb_entry(n, struct iface_node, node)->iface)
46 rbtree_destroy(struct rb_root *root)
48 struct rb_node *p, *n = root->rb_node;
49 struct iface_node *node;
51 /* Non-recursive destroy, like in ext3 */
62 node = rb_entry(n, struct iface_node, node);
65 else if (p->rb_left == n)
67 else if (p->rb_right == n)
76 iface_test(struct rb_root *root, const char **iface)
78 struct rb_node *n = root->rb_node;
81 const char *d = iface_data(n);
82 int res = strcmp(*iface, d);
97 iface_add(struct rb_root *root, const char **iface)
99 struct rb_node **n = &(root->rb_node), *p = NULL;
100 struct iface_node *d;
103 char *ifname = iface_data(*n);
104 int res = strcmp(*iface, ifname);
108 n = &((*n)->rb_left);
110 n = &((*n)->rb_right);
117 d = kzalloc(sizeof(*d), GFP_ATOMIC);
120 strcpy(d->iface, *iface);
122 rb_link_node(&d->node, p, n);
123 rb_insert_color(&d->node, root);
129 /* Type specific function prefix */
130 #define HTYPE hash_netiface
131 #define IP_SET_HASH_WITH_NETS
132 #define IP_SET_HASH_WITH_RBTREE
133 #define IP_SET_HASH_WITH_MULTI
135 #define STREQ(a, b) (strcmp(a, b) == 0)
139 struct hash_netiface4_elem_hashed {
147 /* Member elements without timeout */
148 struct hash_netiface4_elem {
157 struct hash_netiface4t_elem {
164 unsigned long timeout;
167 struct hash_netiface4c_elem {
174 struct ip_set_counter counter;
177 struct hash_netiface4ct_elem {
184 struct ip_set_counter counter;
185 unsigned long timeout;
188 /* Common functions */
191 hash_netiface4_data_equal(const struct hash_netiface4_elem *ip1,
192 const struct hash_netiface4_elem *ip2,
195 return ip1->ip == ip2->ip &&
196 ip1->cidr == ip2->cidr &&
198 ip1->physdev == ip2->physdev &&
199 ip1->iface == ip2->iface;
203 hash_netiface4_do_data_match(const struct hash_netiface4_elem *elem)
205 return elem->nomatch ? -ENOTEMPTY : 1;
209 hash_netiface4_data_set_flags(struct hash_netiface4_elem *elem, u32 flags)
211 elem->nomatch = (flags >> 16) & IPSET_FLAG_NOMATCH;
215 hash_netiface4_data_reset_flags(struct hash_netiface4_elem *elem, u8 *flags)
217 swap(*flags, elem->nomatch);
221 hash_netiface4_data_netmask(struct hash_netiface4_elem *elem, u8 cidr)
223 elem->ip &= ip_set_netmask(cidr);
228 hash_netiface4_data_list(struct sk_buff *skb,
229 const struct hash_netiface4_elem *data)
231 u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
234 flags |= IPSET_FLAG_NOMATCH;
235 if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
236 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
237 nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
239 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
240 goto nla_put_failure;
248 hash_netiface4_data_next(struct hash_netiface4_elem *next,
249 const struct hash_netiface4_elem *d)
254 #define MTYPE hash_netiface4
257 #define HKEY_DATALEN sizeof(struct hash_netiface4_elem_hashed)
258 #include "ip_set_hash_gen.h"
261 hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb,
262 const struct xt_action_param *par,
263 enum ipset_adt adt, struct ip_set_adt_opt *opt)
265 struct hash_netiface *h = set->data;
266 ipset_adtfn adtfn = set->variant->adt[adt];
267 struct hash_netiface4_elem e = {
268 .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK,
271 struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, h);
276 if (adt == IPSET_TEST)
279 ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip);
280 e.ip &= ip_set_netmask(e.cidr);
282 #define IFACE(dir) (par->dir ? par->dir->name : NULL)
283 #define PHYSDEV(dir) (nf_bridge->dir ? nf_bridge->dir->name : NULL)
284 #define SRCDIR (opt->flags & IPSET_DIM_TWO_SRC)
286 if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
287 #ifdef CONFIG_BRIDGE_NETFILTER
288 const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
292 e.iface = SRCDIR ? PHYSDEV(physindev) : PHYSDEV(physoutdev);
298 e.iface = SRCDIR ? IFACE(in) : IFACE(out);
302 ret = iface_test(&h->rbtree, &e.iface);
303 if (adt == IPSET_ADD) {
305 ret = iface_add(&h->rbtree, &e.iface);
312 return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
316 hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
317 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
319 struct hash_netiface *h = set->data;
320 ipset_adtfn adtfn = set->variant->adt[adt];
321 struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 };
322 struct ip_set_ext ext = IP_SET_INIT_UEXT(h);
323 u32 ip = 0, ip_to, last;
324 char iface[IFNAMSIZ];
327 if (unlikely(!tb[IPSET_ATTR_IP] ||
328 !tb[IPSET_ATTR_IFACE] ||
329 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
330 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
331 !ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
332 !ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES)))
333 return -IPSET_ERR_PROTOCOL;
335 if (tb[IPSET_ATTR_LINENO])
336 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
338 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) ||
339 ip_set_get_extensions(set, tb, &ext);
343 if (tb[IPSET_ATTR_CIDR]) {
344 e.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
345 if (e.cidr > HOST_MASK)
346 return -IPSET_ERR_INVALID_CIDR;
349 strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE]));
351 ret = iface_test(&h->rbtree, &e.iface);
352 if (adt == IPSET_ADD) {
354 ret = iface_add(&h->rbtree, &e.iface);
361 if (tb[IPSET_ATTR_CADT_FLAGS]) {
362 u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
363 if (cadt_flags & IPSET_FLAG_PHYSDEV)
365 if (cadt_flags & IPSET_FLAG_NOMATCH)
366 flags |= (IPSET_FLAG_NOMATCH << 16);
368 if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
369 e.ip = htonl(ip & ip_set_hostmask(e.cidr));
370 ret = adtfn(set, &e, &ext, &ext, flags);
371 return ip_set_enomatch(ret, flags, adt, set) ? -ret :
372 ip_set_eexist(ret, flags) ? 0 : ret;
375 if (tb[IPSET_ATTR_IP_TO]) {
376 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
381 if (ip + UINT_MAX == ip_to)
382 return -IPSET_ERR_HASH_RANGE;
384 ip_set_mask_from_to(ip, ip_to, e.cidr);
387 ip = ntohl(h->next.ip);
388 while (!after(ip, ip_to)) {
390 last = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
391 ret = adtfn(set, &e, &ext, &ext, flags);
393 if (ret && !ip_set_eexist(ret, flags))
404 struct hash_netiface6_elem_hashed {
405 union nf_inet_addr ip;
412 struct hash_netiface6_elem {
413 union nf_inet_addr ip;
421 struct hash_netiface6t_elem {
422 union nf_inet_addr ip;
428 unsigned long timeout;
431 struct hash_netiface6c_elem {
432 union nf_inet_addr ip;
438 struct ip_set_counter counter;
441 struct hash_netiface6ct_elem {
442 union nf_inet_addr ip;
448 struct ip_set_counter counter;
449 unsigned long timeout;
452 /* Common functions */
455 hash_netiface6_data_equal(const struct hash_netiface6_elem *ip1,
456 const struct hash_netiface6_elem *ip2,
459 return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6) &&
460 ip1->cidr == ip2->cidr &&
462 ip1->physdev == ip2->physdev &&
463 ip1->iface == ip2->iface;
467 hash_netiface6_do_data_match(const struct hash_netiface6_elem *elem)
469 return elem->nomatch ? -ENOTEMPTY : 1;
473 hash_netiface6_data_set_flags(struct hash_netiface6_elem *elem, u32 flags)
475 elem->nomatch = (flags >> 16) & IPSET_FLAG_NOMATCH;
479 hash_netiface6_data_reset_flags(struct hash_netiface6_elem *elem, u8 *flags)
481 swap(*flags, elem->nomatch);
485 hash_netiface6_data_netmask(struct hash_netiface6_elem *elem, u8 cidr)
487 ip6_netmask(&elem->ip, cidr);
492 hash_netiface6_data_list(struct sk_buff *skb,
493 const struct hash_netiface6_elem *data)
495 u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
498 flags |= IPSET_FLAG_NOMATCH;
499 if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
500 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
501 nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
503 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
504 goto nla_put_failure;
512 hash_netiface6_data_next(struct hash_netiface4_elem *next,
513 const struct hash_netiface6_elem *d)
522 #define MTYPE hash_netiface6
524 #define HOST_MASK 128
525 #define HKEY_DATALEN sizeof(struct hash_netiface6_elem_hashed)
526 #define IP_SET_EMIT_CREATE
527 #include "ip_set_hash_gen.h"
530 hash_netiface6_kadt(struct ip_set *set, const struct sk_buff *skb,
531 const struct xt_action_param *par,
532 enum ipset_adt adt, struct ip_set_adt_opt *opt)
534 struct hash_netiface *h = set->data;
535 ipset_adtfn adtfn = set->variant->adt[adt];
536 struct hash_netiface6_elem e = {
537 .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK,
540 struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, h);
545 if (adt == IPSET_TEST)
548 ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6);
549 ip6_netmask(&e.ip, e.cidr);
551 if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
552 #ifdef CONFIG_BRIDGE_NETFILTER
553 const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
557 e.iface = SRCDIR ? PHYSDEV(physindev) : PHYSDEV(physoutdev);
563 e.iface = SRCDIR ? IFACE(in) : IFACE(out);
567 ret = iface_test(&h->rbtree, &e.iface);
568 if (adt == IPSET_ADD) {
570 ret = iface_add(&h->rbtree, &e.iface);
577 return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
581 hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
582 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
584 struct hash_netiface *h = set->data;
585 ipset_adtfn adtfn = set->variant->adt[adt];
586 struct hash_netiface6_elem e = { .cidr = HOST_MASK, .elem = 1 };
587 struct ip_set_ext ext = IP_SET_INIT_UEXT(h);
588 char iface[IFNAMSIZ];
591 if (unlikely(!tb[IPSET_ATTR_IP] ||
592 !tb[IPSET_ATTR_IFACE] ||
593 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
594 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
595 !ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
596 !ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES)))
597 return -IPSET_ERR_PROTOCOL;
598 if (unlikely(tb[IPSET_ATTR_IP_TO]))
599 return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
601 if (tb[IPSET_ATTR_LINENO])
602 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
604 ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
605 ip_set_get_extensions(set, tb, &ext);
609 if (tb[IPSET_ATTR_CIDR])
610 e.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
611 if (e.cidr > HOST_MASK)
612 return -IPSET_ERR_INVALID_CIDR;
613 ip6_netmask(&e.ip, e.cidr);
615 strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE]));
617 ret = iface_test(&h->rbtree, &e.iface);
618 if (adt == IPSET_ADD) {
620 ret = iface_add(&h->rbtree, &e.iface);
627 if (tb[IPSET_ATTR_CADT_FLAGS]) {
628 u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
629 if (cadt_flags & IPSET_FLAG_PHYSDEV)
631 if (cadt_flags & IPSET_FLAG_NOMATCH)
632 flags |= (IPSET_FLAG_NOMATCH << 16);
635 ret = adtfn(set, &e, &ext, &ext, flags);
637 return ip_set_enomatch(ret, flags, adt, set) ? -ret :
638 ip_set_eexist(ret, flags) ? 0 : ret;
641 static struct ip_set_type hash_netiface_type __read_mostly = {
642 .name = "hash:net,iface",
643 .protocol = IPSET_PROTOCOL,
644 .features = IPSET_TYPE_IP | IPSET_TYPE_IFACE |
646 .dimension = IPSET_DIM_TWO,
647 .family = NFPROTO_UNSPEC,
648 .revision_min = REVISION_MIN,
649 .revision_max = REVISION_MAX,
650 .create = hash_netiface_create,
652 [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
653 [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
654 [IPSET_ATTR_PROBES] = { .type = NLA_U8 },
655 [IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
656 [IPSET_ATTR_PROTO] = { .type = NLA_U8 },
657 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
658 [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
661 [IPSET_ATTR_IP] = { .type = NLA_NESTED },
662 [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
663 [IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING,
664 .len = IFNAMSIZ - 1 },
665 [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
666 [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
667 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
668 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
669 [IPSET_ATTR_BYTES] = { .type = NLA_U64 },
670 [IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
676 hash_netiface_init(void)
678 return ip_set_type_register(&hash_netiface_type);
682 hash_netiface_fini(void)
684 ip_set_type_unregister(&hash_netiface_type);
687 module_init(hash_netiface_init);
688 module_exit(hash_netiface_fini);
projects / karo-tx-linux.git / blob