]>
Commit | Line | Data |
---|---|---|
7d2f026e | 1 | diff -uNrp --exclude=.svn a/include/linux/netfilter_ipv4/ip_set.h linux-2.6/include/linux/netfilter_ipv4/ip_set.h |
2 | --- a/include/linux/netfilter_ipv4/ip_set.h 1970-01-01 01:00:00.000000000 +0100 | |
3 | +++ linux-2.6/include/linux/netfilter_ipv4/ip_set.h 2008-07-08 16:52:53.465235839 +0200 | |
1aedc22c | 4 | @@ -0,0 +1,498 @@ |
5 | +#ifndef _IP_SET_H | |
6 | +#define _IP_SET_H | |
7 | + | |
8 | +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> | |
9 | + * Patrick Schaaf <bof@bof.de> | |
10 | + * Martin Josefsson <gandalf@wlug.westbo.se> | |
11 | + * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | |
12 | + * | |
13 | + * This program is free software; you can redistribute it and/or modify | |
14 | + * it under the terms of the GNU General Public License version 2 as | |
15 | + * published by the Free Software Foundation. | |
16 | + */ | |
17 | + | |
18 | +#if 0 | |
19 | +#define IP_SET_DEBUG | |
20 | +#endif | |
21 | + | |
22 | +/* | |
23 | + * A sockopt of such quality has hardly ever been seen before on the open | |
24 | + * market! This little beauty, hardly ever used: above 64, so it's | |
25 | + * traditionally used for firewalling, not touched (even once!) by the | |
26 | + * 2.0, 2.2 and 2.4 kernels! | |
27 | + * | |
28 | + * Comes with its own certificate of authenticity, valid anywhere in the | |
29 | + * Free world! | |
30 | + * | |
31 | + * Rusty, 19.4.2000 | |
32 | + */ | |
33 | +#define SO_IP_SET 83 | |
34 | + | |
35 | +/* | |
36 | + * Heavily modify by Joakim Axelsson 08.03.2002 | |
37 | + * - Made it more modulebased | |
38 | + * | |
39 | + * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004 | |
40 | + * - bindings added | |
41 | + * - in order to "deal with" backward compatibility, renamed to ipset | |
42 | + */ | |
43 | + | |
44 | +/* | |
45 | + * Used so that the kernel module and ipset-binary can match their versions | |
46 | + */ | |
47 | +#define IP_SET_PROTOCOL_VERSION 2 | |
48 | + | |
49 | +#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */ | |
50 | + | |
51 | +/* Lets work with our own typedef for representing an IP address. | |
52 | + * We hope to make the code more portable, possibly to IPv6... | |
53 | + * | |
54 | + * The representation works in HOST byte order, because most set types | |
55 | + * will perform arithmetic operations and compare operations. | |
56 | + * | |
57 | + * For now the type is an uint32_t. | |
58 | + * | |
59 | + * Make sure to ONLY use the functions when translating and parsing | |
60 | + * in order to keep the host byte order and make it more portable: | |
61 | + * parse_ip() | |
62 | + * parse_mask() | |
63 | + * parse_ipandmask() | |
64 | + * ip_tostring() | |
65 | + * (Joakim: where are they???) | |
66 | + */ | |
67 | + | |
68 | +typedef uint32_t ip_set_ip_t; | |
69 | + | |
70 | +/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t | |
71 | + * and IP_SET_INVALID_ID if you want to increase the max number of sets. | |
72 | + */ | |
73 | +typedef uint16_t ip_set_id_t; | |
74 | + | |
75 | +#define IP_SET_INVALID_ID 65535 | |
76 | + | |
77 | +/* How deep we follow bindings */ | |
78 | +#define IP_SET_MAX_BINDINGS 6 | |
79 | + | |
80 | +/* | |
81 | + * Option flags for kernel operations (ipt_set_info) | |
82 | + */ | |
83 | +#define IPSET_SRC 0x01 /* Source match/add */ | |
84 | +#define IPSET_DST 0x02 /* Destination match/add */ | |
85 | +#define IPSET_MATCH_INV 0x04 /* Inverse matching */ | |
86 | + | |
87 | +/* | |
88 | + * Set features | |
89 | + */ | |
90 | +#define IPSET_TYPE_IP 0x01 /* IP address type of set */ | |
91 | +#define IPSET_TYPE_PORT 0x02 /* Port type of set */ | |
92 | +#define IPSET_DATA_SINGLE 0x04 /* Single data storage */ | |
93 | +#define IPSET_DATA_DOUBLE 0x08 /* Double data storage */ | |
94 | + | |
95 | +/* Reserved keywords */ | |
96 | +#define IPSET_TOKEN_DEFAULT ":default:" | |
97 | +#define IPSET_TOKEN_ALL ":all:" | |
98 | + | |
99 | +/* SO_IP_SET operation constants, and their request struct types. | |
100 | + * | |
101 | + * Operation ids: | |
102 | + * 0-99: commands with version checking | |
103 | + * 100-199: add/del/test/bind/unbind | |
104 | + * 200-299: list, save, restore | |
105 | + */ | |
106 | + | |
107 | +/* Single shot operations: | |
108 | + * version, create, destroy, flush, rename and swap | |
109 | + * | |
110 | + * Sets are identified by name. | |
111 | + */ | |
112 | + | |
113 | +#define IP_SET_REQ_STD \ | |
114 | + unsigned op; \ | |
115 | + unsigned version; \ | |
116 | + char name[IP_SET_MAXNAMELEN] | |
117 | + | |
118 | +#define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */ | |
119 | +struct ip_set_req_create { | |
120 | + IP_SET_REQ_STD; | |
121 | + char typename[IP_SET_MAXNAMELEN]; | |
122 | +}; | |
123 | + | |
124 | +#define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */ | |
125 | +struct ip_set_req_std { | |
126 | + IP_SET_REQ_STD; | |
127 | +}; | |
128 | + | |
129 | +#define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */ | |
130 | +/* Uses ip_set_req_std */ | |
131 | + | |
132 | +#define IP_SET_OP_RENAME 0x00000004 /* Rename a set */ | |
133 | +/* Uses ip_set_req_create */ | |
134 | + | |
135 | +#define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */ | |
136 | +/* Uses ip_set_req_create */ | |
137 | + | |
138 | +union ip_set_name_index { | |
139 | + char name[IP_SET_MAXNAMELEN]; | |
140 | + ip_set_id_t index; | |
141 | +}; | |
142 | + | |
143 | +#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ | |
144 | +struct ip_set_req_get_set { | |
145 | + unsigned op; | |
146 | + unsigned version; | |
147 | + union ip_set_name_index set; | |
148 | +}; | |
149 | + | |
150 | +#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ | |
151 | +/* Uses ip_set_req_get_set */ | |
152 | + | |
153 | +#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ | |
154 | +struct ip_set_req_version { | |
155 | + unsigned op; | |
156 | + unsigned version; | |
157 | +}; | |
158 | + | |
159 | +/* Double shots operations: | |
160 | + * add, del, test, bind and unbind. | |
161 | + * | |
162 | + * First we query the kernel to get the index and type of the target set, | |
163 | + * then issue the command. Validity of IP is checked in kernel in order | |
164 | + * to minimalize sockopt operations. | |
165 | + */ | |
166 | + | |
167 | +/* Get minimal set data for add/del/test/bind/unbind IP */ | |
168 | +#define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */ | |
169 | +struct ip_set_req_adt_get { | |
170 | + unsigned op; | |
171 | + unsigned version; | |
172 | + union ip_set_name_index set; | |
173 | + char typename[IP_SET_MAXNAMELEN]; | |
174 | +}; | |
175 | + | |
176 | +#define IP_SET_REQ_BYINDEX \ | |
177 | + unsigned op; \ | |
178 | + ip_set_id_t index; | |
179 | + | |
180 | +struct ip_set_req_adt { | |
181 | + IP_SET_REQ_BYINDEX; | |
182 | +}; | |
183 | + | |
184 | +#define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */ | |
185 | +/* Uses ip_set_req_adt, with type specific addage */ | |
186 | + | |
187 | +#define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */ | |
188 | +/* Uses ip_set_req_adt, with type specific addage */ | |
189 | + | |
190 | +#define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */ | |
191 | +/* Uses ip_set_req_adt, with type specific addage */ | |
192 | + | |
193 | +#define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */ | |
194 | +/* Uses ip_set_req_bind, with type specific addage */ | |
195 | +struct ip_set_req_bind { | |
196 | + IP_SET_REQ_BYINDEX; | |
197 | + char binding[IP_SET_MAXNAMELEN]; | |
198 | +}; | |
199 | + | |
200 | +#define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */ | |
201 | +/* Uses ip_set_req_bind, with type speficic addage | |
202 | + * index = 0 means unbinding for all sets */ | |
203 | + | |
204 | +#define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */ | |
205 | +/* Uses ip_set_req_bind, with type specific addage */ | |
206 | + | |
207 | +/* Multiple shots operations: list, save, restore. | |
208 | + * | |
209 | + * - check kernel version and query the max number of sets | |
210 | + * - get the basic information on all sets | |
211 | + * and size required for the next step | |
212 | + * - get actual set data: header, data, bindings | |
213 | + */ | |
214 | + | |
215 | +/* Get max_sets and the index of a queried set | |
216 | + */ | |
217 | +#define IP_SET_OP_MAX_SETS 0x00000020 | |
218 | +struct ip_set_req_max_sets { | |
219 | + unsigned op; | |
220 | + unsigned version; | |
221 | + ip_set_id_t max_sets; /* max_sets */ | |
222 | + ip_set_id_t sets; /* real number of sets */ | |
223 | + union ip_set_name_index set; /* index of set if name used */ | |
224 | +}; | |
225 | + | |
226 | +/* Get the id and name of the sets plus size for next step */ | |
227 | +#define IP_SET_OP_LIST_SIZE 0x00000201 | |
228 | +#define IP_SET_OP_SAVE_SIZE 0x00000202 | |
229 | +struct ip_set_req_setnames { | |
230 | + unsigned op; | |
231 | + ip_set_id_t index; /* set to list/save */ | |
232 | + size_t size; /* size to get setdata/bindings */ | |
233 | + /* followed by sets number of struct ip_set_name_list */ | |
234 | +}; | |
235 | + | |
236 | +struct ip_set_name_list { | |
237 | + char name[IP_SET_MAXNAMELEN]; | |
238 | + char typename[IP_SET_MAXNAMELEN]; | |
239 | + ip_set_id_t index; | |
240 | + ip_set_id_t id; | |
241 | +}; | |
242 | + | |
243 | +/* The actual list operation */ | |
244 | +#define IP_SET_OP_LIST 0x00000203 | |
245 | +struct ip_set_req_list { | |
246 | + IP_SET_REQ_BYINDEX; | |
247 | + /* sets number of struct ip_set_list in reply */ | |
248 | +}; | |
249 | + | |
250 | +struct ip_set_list { | |
251 | + ip_set_id_t index; | |
252 | + ip_set_id_t binding; | |
253 | + u_int32_t ref; | |
254 | + size_t header_size; /* Set header data of header_size */ | |
255 | + size_t members_size; /* Set members data of members_size */ | |
256 | + size_t bindings_size; /* Set bindings data of bindings_size */ | |
257 | +}; | |
258 | + | |
259 | +struct ip_set_hash_list { | |
260 | + ip_set_ip_t ip; | |
261 | + ip_set_id_t binding; | |
262 | +}; | |
263 | + | |
264 | +/* The save operation */ | |
265 | +#define IP_SET_OP_SAVE 0x00000204 | |
266 | +/* Uses ip_set_req_list, in the reply replaced by | |
267 | + * sets number of struct ip_set_save plus a marker | |
268 | + * ip_set_save followed by ip_set_hash_save structures. | |
269 | + */ | |
270 | +struct ip_set_save { | |
271 | + ip_set_id_t index; | |
272 | + ip_set_id_t binding; | |
273 | + size_t header_size; /* Set header data of header_size */ | |
274 | + size_t members_size; /* Set members data of members_size */ | |
275 | +}; | |
276 | + | |
277 | +/* At restoring, ip == 0 means default binding for the given set: */ | |
278 | +struct ip_set_hash_save { | |
279 | + ip_set_ip_t ip; | |
280 | + ip_set_id_t id; | |
281 | + ip_set_id_t binding; | |
282 | +}; | |
283 | + | |
284 | +/* The restore operation */ | |
285 | +#define IP_SET_OP_RESTORE 0x00000205 | |
286 | +/* Uses ip_set_req_setnames followed by ip_set_restore structures | |
287 | + * plus a marker ip_set_restore, followed by ip_set_hash_save | |
288 | + * structures. | |
289 | + */ | |
290 | +struct ip_set_restore { | |
291 | + char name[IP_SET_MAXNAMELEN]; | |
292 | + char typename[IP_SET_MAXNAMELEN]; | |
293 | + ip_set_id_t index; | |
294 | + size_t header_size; /* Create data of header_size */ | |
295 | + size_t members_size; /* Set members data of members_size */ | |
296 | +}; | |
297 | + | |
298 | +static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b) | |
299 | +{ | |
300 | + return 4 * ((((b - a + 8) / 8) + 3) / 4); | |
301 | +} | |
302 | + | |
303 | +#ifdef __KERNEL__ | |
304 | + | |
305 | +#define ip_set_printk(format, args...) \ | |
306 | + do { \ | |
307 | + printk("%s: %s: ", __FILE__, __FUNCTION__); \ | |
308 | + printk(format "\n" , ## args); \ | |
309 | + } while (0) | |
310 | + | |
311 | +#if defined(IP_SET_DEBUG) | |
312 | +#define DP(format, args...) \ | |
313 | + do { \ | |
314 | + printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\ | |
315 | + printk(format "\n" , ## args); \ | |
316 | + } while (0) | |
317 | +#define IP_SET_ASSERT(x) \ | |
318 | + do { \ | |
319 | + if (!(x)) \ | |
320 | + printk("IP_SET_ASSERT: %s:%i(%s)\n", \ | |
321 | + __FILE__, __LINE__, __FUNCTION__); \ | |
322 | + } while (0) | |
323 | +#else | |
324 | +#define DP(format, args...) | |
325 | +#define IP_SET_ASSERT(x) | |
326 | +#endif | |
327 | + | |
328 | +struct ip_set; | |
329 | + | |
330 | +/* | |
331 | + * The ip_set_type definition - one per set type, e.g. "ipmap". | |
332 | + * | |
333 | + * Each individual set has a pointer, set->type, going to one | |
334 | + * of these structures. Function pointers inside the structure implement | |
335 | + * the real behaviour of the sets. | |
336 | + * | |
337 | + * If not mentioned differently, the implementation behind the function | |
338 | + * pointers of a set_type, is expected to return 0 if ok, and a negative | |
339 | + * errno (e.g. -EINVAL) on error. | |
340 | + */ | |
341 | +struct ip_set_type { | |
342 | + struct list_head list; /* next in list of set types */ | |
343 | + | |
344 | + /* test for IP in set (kernel: iptables -m set src|dst) | |
345 | + * return 0 if not in set, 1 if in set. | |
346 | + */ | |
347 | + int (*testip_kernel) (struct ip_set *set, | |
348 | + const struct sk_buff * skb, | |
349 | + ip_set_ip_t *ip, | |
350 | + const u_int32_t *flags, | |
351 | + unsigned char index); | |
352 | + | |
353 | + /* test for IP in set (userspace: ipset -T set IP) | |
354 | + * return 0 if not in set, 1 if in set. | |
355 | + */ | |
356 | + int (*testip) (struct ip_set *set, | |
357 | + const void *data, size_t size, | |
358 | + ip_set_ip_t *ip); | |
359 | + | |
360 | + /* | |
361 | + * Size of the data structure passed by when | |
362 | + * adding/deletin/testing an entry. | |
363 | + */ | |
364 | + size_t reqsize; | |
365 | + | |
366 | + /* Add IP into set (userspace: ipset -A set IP) | |
367 | + * Return -EEXIST if the address is already in the set, | |
368 | + * and -ERANGE if the address lies outside the set bounds. | |
369 | + * If the address was not already in the set, 0 is returned. | |
370 | + */ | |
371 | + int (*addip) (struct ip_set *set, | |
372 | + const void *data, size_t size, | |
373 | + ip_set_ip_t *ip); | |
374 | + | |
375 | + /* Add IP into set (kernel: iptables ... -j SET set src|dst) | |
376 | + * Return -EEXIST if the address is already in the set, | |
377 | + * and -ERANGE if the address lies outside the set bounds. | |
378 | + * If the address was not already in the set, 0 is returned. | |
379 | + */ | |
380 | + int (*addip_kernel) (struct ip_set *set, | |
381 | + const struct sk_buff * skb, | |
382 | + ip_set_ip_t *ip, | |
383 | + const u_int32_t *flags, | |
384 | + unsigned char index); | |
385 | + | |
386 | + /* remove IP from set (userspace: ipset -D set --entry x) | |
387 | + * Return -EEXIST if the address is NOT in the set, | |
388 | + * and -ERANGE if the address lies outside the set bounds. | |
389 | + * If the address really was in the set, 0 is returned. | |
390 | + */ | |
391 | + int (*delip) (struct ip_set *set, | |
392 | + const void *data, size_t size, | |
393 | + ip_set_ip_t *ip); | |
394 | + | |
395 | + /* remove IP from set (kernel: iptables ... -j SET --entry x) | |
396 | + * Return -EEXIST if the address is NOT in the set, | |
397 | + * and -ERANGE if the address lies outside the set bounds. | |
398 | + * If the address really was in the set, 0 is returned. | |
399 | + */ | |
400 | + int (*delip_kernel) (struct ip_set *set, | |
401 | + const struct sk_buff * skb, | |
402 | + ip_set_ip_t *ip, | |
403 | + const u_int32_t *flags, | |
404 | + unsigned char index); | |
405 | + | |
406 | + /* new set creation - allocated type specific items | |
407 | + */ | |
408 | + int (*create) (struct ip_set *set, | |
409 | + const void *data, size_t size); | |
410 | + | |
411 | + /* retry the operation after successfully tweaking the set | |
412 | + */ | |
413 | + int (*retry) (struct ip_set *set); | |
414 | + | |
415 | + /* set destruction - free type specific items | |
416 | + * There is no return value. | |
417 | + * Can be called only when child sets are destroyed. | |
418 | + */ | |
419 | + void (*destroy) (struct ip_set *set); | |
420 | + | |
421 | + /* set flushing - reset all bits in the set, or something similar. | |
422 | + * There is no return value. | |
423 | + */ | |
424 | + void (*flush) (struct ip_set *set); | |
425 | + | |
426 | + /* Listing: size needed for header | |
427 | + */ | |
428 | + size_t header_size; | |
429 | + | |
430 | + /* Listing: Get the header | |
431 | + * | |
432 | + * Fill in the information in "data". | |
433 | + * This function is always run after list_header_size() under a | |
434 | + * writelock on the set. Therefor is the length of "data" always | |
435 | + * correct. | |
436 | + */ | |
437 | + void (*list_header) (const struct ip_set *set, | |
438 | + void *data); | |
439 | + | |
440 | + /* Listing: Get the size for the set members | |
441 | + */ | |
442 | + int (*list_members_size) (const struct ip_set *set); | |
443 | + | |
444 | + /* Listing: Get the set members | |
445 | + * | |
446 | + * Fill in the information in "data". | |
447 | + * This function is always run after list_member_size() under a | |
448 | + * writelock on the set. Therefor is the length of "data" always | |
449 | + * correct. | |
450 | + */ | |
451 | + void (*list_members) (const struct ip_set *set, | |
452 | + void *data); | |
453 | + | |
454 | + char typename[IP_SET_MAXNAMELEN]; | |
455 | + unsigned char features; | |
456 | + int protocol_version; | |
457 | + | |
458 | + /* Set this to THIS_MODULE if you are a module, otherwise NULL */ | |
459 | + struct module *me; | |
460 | +}; | |
461 | + | |
462 | +extern int ip_set_register_set_type(struct ip_set_type *set_type); | |
463 | +extern void ip_set_unregister_set_type(struct ip_set_type *set_type); | |
464 | + | |
465 | +/* A generic ipset */ | |
466 | +struct ip_set { | |
467 | + char name[IP_SET_MAXNAMELEN]; /* the name of the set */ | |
468 | + rwlock_t lock; /* lock for concurrency control */ | |
469 | + ip_set_id_t id; /* set id for swapping */ | |
470 | + ip_set_id_t binding; /* default binding for the set */ | |
471 | + atomic_t ref; /* in kernel and in hash references */ | |
472 | + struct ip_set_type *type; /* the set types */ | |
473 | + void *data; /* pooltype specific data */ | |
474 | +}; | |
475 | + | |
476 | +/* Structure to bind set elements to sets */ | |
477 | +struct ip_set_hash { | |
478 | + struct list_head list; /* list of clashing entries in hash */ | |
479 | + ip_set_ip_t ip; /* ip from set */ | |
480 | + ip_set_id_t id; /* set id */ | |
481 | + ip_set_id_t binding; /* set we bind the element to */ | |
482 | +}; | |
483 | + | |
484 | +/* register and unregister set references */ | |
485 | +extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]); | |
486 | +extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id); | |
487 | +extern void ip_set_put(ip_set_id_t id); | |
488 | + | |
489 | +/* API for iptables set match, and SET target */ | |
490 | +extern void ip_set_addip_kernel(ip_set_id_t id, | |
491 | + const struct sk_buff *skb, | |
492 | + const u_int32_t *flags); | |
493 | +extern void ip_set_delip_kernel(ip_set_id_t id, | |
494 | + const struct sk_buff *skb, | |
495 | + const u_int32_t *flags); | |
496 | +extern int ip_set_testip_kernel(ip_set_id_t id, | |
497 | + const struct sk_buff *skb, | |
498 | + const u_int32_t *flags); | |
499 | + | |
500 | +#endif /* __KERNEL__ */ | |
501 | + | |
502 | +#endif /*_IP_SET_H*/ | |
7d2f026e | 503 | diff -uNrp --exclude=.svn a/include/linux/netfilter_ipv4/ip_set_iphash.h linux-2.6/include/linux/netfilter_ipv4/ip_set_iphash.h |
504 | --- a/include/linux/netfilter_ipv4/ip_set_iphash.h 1970-01-01 01:00:00.000000000 +0100 | |
505 | +++ linux-2.6/include/linux/netfilter_ipv4/ip_set_iphash.h 2008-07-08 16:52:53.465235839 +0200 | |
1aedc22c | 506 | @@ -0,0 +1,30 @@ |
507 | +#ifndef __IP_SET_IPHASH_H | |
508 | +#define __IP_SET_IPHASH_H | |
509 | + | |
510 | +#include <linux/netfilter_ipv4/ip_set.h> | |
511 | + | |
512 | +#define SETTYPE_NAME "iphash" | |
513 | +#define MAX_RANGE 0x0000FFFF | |
514 | + | |
515 | +struct ip_set_iphash { | |
516 | + ip_set_ip_t *members; /* the iphash proper */ | |
517 | + uint32_t elements; /* number of elements */ | |
518 | + uint32_t hashsize; /* hash size */ | |
519 | + uint16_t probes; /* max number of probes */ | |
520 | + uint16_t resize; /* resize factor in percent */ | |
521 | + ip_set_ip_t netmask; /* netmask */ | |
522 | + void *initval[0]; /* initvals for jhash_1word */ | |
523 | +}; | |
524 | + | |
525 | +struct ip_set_req_iphash_create { | |
526 | + uint32_t hashsize; | |
527 | + uint16_t probes; | |
528 | + uint16_t resize; | |
529 | + ip_set_ip_t netmask; | |
530 | +}; | |
531 | + | |
532 | +struct ip_set_req_iphash { | |
533 | + ip_set_ip_t ip; | |
534 | +}; | |
535 | + | |
536 | +#endif /* __IP_SET_IPHASH_H */ | |
7d2f026e | 537 | diff -uNrp --exclude=.svn a/include/linux/netfilter_ipv4/ip_set_ipmap.h linux-2.6/include/linux/netfilter_ipv4/ip_set_ipmap.h |
538 | --- a/include/linux/netfilter_ipv4/ip_set_ipmap.h 1970-01-01 01:00:00.000000000 +0100 | |
539 | +++ linux-2.6/include/linux/netfilter_ipv4/ip_set_ipmap.h 2008-07-08 16:52:53.465235839 +0200 | |
1aedc22c | 540 | @@ -0,0 +1,56 @@ |
541 | +#ifndef __IP_SET_IPMAP_H | |
542 | +#define __IP_SET_IPMAP_H | |
543 | + | |
544 | +#include <linux/netfilter_ipv4/ip_set.h> | |
545 | + | |
546 | +#define SETTYPE_NAME "ipmap" | |
547 | +#define MAX_RANGE 0x0000FFFF | |
548 | + | |
549 | +struct ip_set_ipmap { | |
550 | + void *members; /* the ipmap proper */ | |
551 | + ip_set_ip_t first_ip; /* host byte order, included in range */ | |
552 | + ip_set_ip_t last_ip; /* host byte order, included in range */ | |
553 | + ip_set_ip_t netmask; /* subnet netmask */ | |
554 | + ip_set_ip_t sizeid; /* size of set in IPs */ | |
555 | + ip_set_ip_t hosts; /* number of hosts in a subnet */ | |
556 | +}; | |
557 | + | |
558 | +struct ip_set_req_ipmap_create { | |
559 | + ip_set_ip_t from; | |
560 | + ip_set_ip_t to; | |
561 | + ip_set_ip_t netmask; | |
562 | +}; | |
563 | + | |
564 | +struct ip_set_req_ipmap { | |
565 | + ip_set_ip_t ip; | |
566 | +}; | |
567 | + | |
568 | +unsigned int | |
569 | +mask_to_bits(ip_set_ip_t mask) | |
570 | +{ | |
571 | + unsigned int bits = 32; | |
572 | + ip_set_ip_t maskaddr; | |
573 | + | |
574 | + if (mask == 0xFFFFFFFF) | |
575 | + return bits; | |
576 | + | |
577 | + maskaddr = 0xFFFFFFFE; | |
578 | + while (--bits >= 0 && maskaddr != mask) | |
579 | + maskaddr <<= 1; | |
580 | + | |
581 | + return bits; | |
582 | +} | |
583 | + | |
584 | +ip_set_ip_t | |
585 | +range_to_mask(ip_set_ip_t from, ip_set_ip_t to, unsigned int *bits) | |
586 | +{ | |
587 | + ip_set_ip_t mask = 0xFFFFFFFE; | |
588 | + | |
589 | + *bits = 32; | |
590 | + while (--(*bits) >= 0 && mask && (to & mask) != from) | |
591 | + mask <<= 1; | |
592 | + | |
593 | + return mask; | |
594 | +} | |
595 | + | |
596 | +#endif /* __IP_SET_IPMAP_H */ | |
7d2f026e | 597 | diff -uNrp --exclude=.svn a/include/linux/netfilter_ipv4/ip_set_ipporthash.h linux-2.6/include/linux/netfilter_ipv4/ip_set_ipporthash.h |
598 | --- a/include/linux/netfilter_ipv4/ip_set_ipporthash.h 1970-01-01 01:00:00.000000000 +0100 | |
599 | +++ linux-2.6/include/linux/netfilter_ipv4/ip_set_ipporthash.h 2008-07-08 16:52:53.465235839 +0200 | |
1aedc22c | 600 | @@ -0,0 +1,34 @@ |
601 | +#ifndef __IP_SET_IPPORTHASH_H | |
602 | +#define __IP_SET_IPPORTHASH_H | |
603 | + | |
604 | +#include <linux/netfilter_ipv4/ip_set.h> | |
605 | + | |
606 | +#define SETTYPE_NAME "ipporthash" | |
607 | +#define MAX_RANGE 0x0000FFFF | |
608 | +#define INVALID_PORT (MAX_RANGE + 1) | |
609 | + | |
610 | +struct ip_set_ipporthash { | |
611 | + ip_set_ip_t *members; /* the ipporthash proper */ | |
612 | + uint32_t elements; /* number of elements */ | |
613 | + uint32_t hashsize; /* hash size */ | |
614 | + uint16_t probes; /* max number of probes */ | |
615 | + uint16_t resize; /* resize factor in percent */ | |
616 | + ip_set_ip_t first_ip; /* host byte order, included in range */ | |
617 | + ip_set_ip_t last_ip; /* host byte order, included in range */ | |
618 | + void *initval[0]; /* initvals for jhash_1word */ | |
619 | +}; | |
620 | + | |
621 | +struct ip_set_req_ipporthash_create { | |
622 | + uint32_t hashsize; | |
623 | + uint16_t probes; | |
624 | + uint16_t resize; | |
625 | + ip_set_ip_t from; | |
626 | + ip_set_ip_t to; | |
627 | +}; | |
628 | + | |
629 | +struct ip_set_req_ipporthash { | |
630 | + ip_set_ip_t ip; | |
631 | + ip_set_ip_t port; | |
632 | +}; | |
633 | + | |
634 | +#endif /* __IP_SET_IPPORTHASH_H */ | |
7d2f026e | 635 | diff -uNrp --exclude=.svn a/include/linux/netfilter_ipv4/ip_set_iptree.h linux-2.6/include/linux/netfilter_ipv4/ip_set_iptree.h |
636 | --- a/include/linux/netfilter_ipv4/ip_set_iptree.h 1970-01-01 01:00:00.000000000 +0100 | |
637 | +++ linux-2.6/include/linux/netfilter_ipv4/ip_set_iptree.h 2008-07-08 16:52:53.465235839 +0200 | |
1aedc22c | 638 | @@ -0,0 +1,40 @@ |
639 | +#ifndef __IP_SET_IPTREE_H | |
640 | +#define __IP_SET_IPTREE_H | |
641 | + | |
642 | +#include <linux/netfilter_ipv4/ip_set.h> | |
643 | + | |
644 | +#define SETTYPE_NAME "iptree" | |
645 | +#define MAX_RANGE 0x0000FFFF | |
646 | + | |
647 | +struct ip_set_iptreed { | |
648 | + unsigned long expires[256]; /* x.x.x.ADDR */ | |
649 | +}; | |
650 | + | |
651 | +struct ip_set_iptreec { | |
652 | + struct ip_set_iptreed *tree[256]; /* x.x.ADDR.* */ | |
653 | +}; | |
654 | + | |
655 | +struct ip_set_iptreeb { | |
656 | + struct ip_set_iptreec *tree[256]; /* x.ADDR.*.* */ | |
657 | +}; | |
658 | + | |
659 | +struct ip_set_iptree { | |
660 | + unsigned int timeout; | |
661 | + unsigned int gc_interval; | |
662 | +#ifdef __KERNEL__ | |
663 | + uint32_t elements; /* number of elements */ | |
664 | + struct timer_list gc; | |
665 | + struct ip_set_iptreeb *tree[256]; /* ADDR.*.*.* */ | |
666 | +#endif | |
667 | +}; | |
668 | + | |
669 | +struct ip_set_req_iptree_create { | |
670 | + unsigned int timeout; | |
671 | +}; | |
672 | + | |
673 | +struct ip_set_req_iptree { | |
674 | + ip_set_ip_t ip; | |
675 | + unsigned int timeout; | |
676 | +}; | |
677 | + | |
678 | +#endif /* __IP_SET_IPTREE_H */ | |
7d2f026e | 679 | diff -uNrp --exclude=.svn a/include/linux/netfilter_ipv4/ip_set_iptreemap.h linux-2.6/include/linux/netfilter_ipv4/ip_set_iptreemap.h |
680 | --- a/include/linux/netfilter_ipv4/ip_set_iptreemap.h 1970-01-01 01:00:00.000000000 +0100 | |
681 | +++ linux-2.6/include/linux/netfilter_ipv4/ip_set_iptreemap.h 2008-07-08 16:52:53.465235839 +0200 | |
f45e9687 | 682 | @@ -0,0 +1,40 @@ |
683 | +#ifndef __IP_SET_IPTREEMAP_H | |
684 | +#define __IP_SET_IPTREEMAP_H | |
685 | + | |
686 | +#include <linux/netfilter_ipv4/ip_set.h> | |
687 | + | |
688 | +#define SETTYPE_NAME "iptreemap" | |
689 | + | |
690 | +#ifdef __KERNEL__ | |
691 | +struct ip_set_iptreemap_d { | |
692 | + unsigned char bitmap[32]; /* x.x.x.y */ | |
693 | +}; | |
694 | + | |
695 | +struct ip_set_iptreemap_c { | |
696 | + struct ip_set_iptreemap_d *tree[256]; /* x.x.y.x */ | |
697 | +}; | |
698 | + | |
699 | +struct ip_set_iptreemap_b { | |
700 | + struct ip_set_iptreemap_c *tree[256]; /* x.y.x.x */ | |
701 | + unsigned char dirty[32]; | |
702 | +}; | |
703 | +#endif | |
704 | + | |
705 | +struct ip_set_iptreemap { | |
706 | + unsigned int gc_interval; | |
707 | +#ifdef __KERNEL__ | |
708 | + struct timer_list gc; | |
709 | + struct ip_set_iptreemap_b *tree[256]; /* y.x.x.x */ | |
710 | +#endif | |
711 | +}; | |
712 | + | |
713 | +struct ip_set_req_iptreemap_create { | |
714 | + unsigned int gc_interval; | |
715 | +}; | |
716 | + | |
717 | +struct ip_set_req_iptreemap { | |
718 | + ip_set_ip_t start; | |
719 | + ip_set_ip_t end; | |
720 | +}; | |
721 | + | |
722 | +#endif /* __IP_SET_IPTREEMAP_H */ | |
7d2f026e | 723 | diff -uNrp --exclude=.svn a/include/linux/netfilter_ipv4/ip_set_jhash.h linux-2.6/include/linux/netfilter_ipv4/ip_set_jhash.h |
724 | --- a/include/linux/netfilter_ipv4/ip_set_jhash.h 1970-01-01 01:00:00.000000000 +0100 | |
725 | +++ linux-2.6/include/linux/netfilter_ipv4/ip_set_jhash.h 2008-07-08 16:52:53.465235839 +0200 | |
1aedc22c | 726 | @@ -0,0 +1,148 @@ |
727 | +#ifndef _LINUX_IPSET_JHASH_H | |
728 | +#define _LINUX_IPSET_JHASH_H | |
729 | + | |
730 | +/* This is a copy of linux/jhash.h but the types u32/u8 are changed | |
731 | + * to __u32/__u8 so that the header file can be included into | |
732 | + * userspace code as well. Jozsef Kadlecsik (kadlec@blackhole.kfki.hu) | |
733 | + */ | |
734 | + | |
735 | +/* jhash.h: Jenkins hash support. | |
736 | + * | |
737 | + * Copyright (C) 1996 Bob Jenkins (bob_jenkins@burtleburtle.net) | |
738 | + * | |
739 | + * http://burtleburtle.net/bob/hash/ | |
740 | + * | |
741 | + * These are the credits from Bob's sources: | |
742 | + * | |
743 | + * lookup2.c, by Bob Jenkins, December 1996, Public Domain. | |
744 | + * hash(), hash2(), hash3, and mix() are externally useful functions. | |
745 | + * Routines to test the hash are included if SELF_TEST is defined. | |
746 | + * You can use this free for any purpose. It has no warranty. | |
747 | + * | |
748 | + * Copyright (C) 2003 David S. Miller (davem@redhat.com) | |
749 | + * | |
750 | + * I've modified Bob's hash to be useful in the Linux kernel, and | |
751 | + * any bugs present are surely my fault. -DaveM | |
752 | + */ | |
753 | + | |
754 | +/* NOTE: Arguments are modified. */ | |
755 | +#define __jhash_mix(a, b, c) \ | |
756 | +{ \ | |
757 | + a -= b; a -= c; a ^= (c>>13); \ | |
758 | + b -= c; b -= a; b ^= (a<<8); \ | |
759 | + c -= a; c -= b; c ^= (b>>13); \ | |
760 | + a -= b; a -= c; a ^= (c>>12); \ | |
761 | + b -= c; b -= a; b ^= (a<<16); \ | |
762 | + c -= a; c -= b; c ^= (b>>5); \ | |
763 | + a -= b; a -= c; a ^= (c>>3); \ | |
764 | + b -= c; b -= a; b ^= (a<<10); \ | |
765 | + c -= a; c -= b; c ^= (b>>15); \ | |
766 | +} | |
767 | + | |
768 | +/* The golden ration: an arbitrary value */ | |
769 | +#define JHASH_GOLDEN_RATIO 0x9e3779b9 | |
770 | + | |
771 | +/* The most generic version, hashes an arbitrary sequence | |
772 | + * of bytes. No alignment or length assumptions are made about | |
773 | + * the input key. | |
774 | + */ | |
775 | +static inline __u32 jhash(void *key, __u32 length, __u32 initval) | |
776 | +{ | |
777 | + __u32 a, b, c, len; | |
778 | + __u8 *k = key; | |
779 | + | |
780 | + len = length; | |
781 | + a = b = JHASH_GOLDEN_RATIO; | |
782 | + c = initval; | |
783 | + | |
784 | + while (len >= 12) { | |
785 | + a += (k[0] +((__u32)k[1]<<8) +((__u32)k[2]<<16) +((__u32)k[3]<<24)); | |
786 | + b += (k[4] +((__u32)k[5]<<8) +((__u32)k[6]<<16) +((__u32)k[7]<<24)); | |
787 | + c += (k[8] +((__u32)k[9]<<8) +((__u32)k[10]<<16)+((__u32)k[11]<<24)); | |
788 | + | |
789 | + __jhash_mix(a,b,c); | |
790 | + | |
791 | + k += 12; | |
792 | + len -= 12; | |
793 | + } | |
794 | + | |
795 | + c += length; | |
796 | + switch (len) { | |
797 | + case 11: c += ((__u32)k[10]<<24); | |
798 | + case 10: c += ((__u32)k[9]<<16); | |
799 | + case 9 : c += ((__u32)k[8]<<8); | |
800 | + case 8 : b += ((__u32)k[7]<<24); | |
801 | + case 7 : b += ((__u32)k[6]<<16); | |
802 | + case 6 : b += ((__u32)k[5]<<8); | |
803 | + case 5 : b += k[4]; | |
804 | + case 4 : a += ((__u32)k[3]<<24); | |
805 | + case 3 : a += ((__u32)k[2]<<16); | |
806 | + case 2 : a += ((__u32)k[1]<<8); | |
807 | + case 1 : a += k[0]; | |
808 | + }; | |
809 | + | |
810 | + __jhash_mix(a,b,c); | |
811 | + | |
812 | + return c; | |
813 | +} | |
814 | + | |
815 | +/* A special optimized version that handles 1 or more of __u32s. | |
816 | + * The length parameter here is the number of __u32s in the key. | |
817 | + */ | |
818 | +static inline __u32 jhash2(__u32 *k, __u32 length, __u32 initval) | |
819 | +{ | |
820 | + __u32 a, b, c, len; | |
821 | + | |
822 | + a = b = JHASH_GOLDEN_RATIO; | |
823 | + c = initval; | |
824 | + len = length; | |
825 | + | |
826 | + while (len >= 3) { | |
827 | + a += k[0]; | |
828 | + b += k[1]; | |
829 | + c += k[2]; | |
830 | + __jhash_mix(a, b, c); | |
831 | + k += 3; len -= 3; | |
832 | + } | |
833 | + | |
834 | + c += length * 4; | |
835 | + | |
836 | + switch (len) { | |
837 | + case 2 : b += k[1]; | |
838 | + case 1 : a += k[0]; | |
839 | + }; | |
840 | + | |
841 | + __jhash_mix(a,b,c); | |
842 | + | |
843 | + return c; | |
844 | +} | |
845 | + | |
846 | + | |
847 | +/* A special ultra-optimized versions that knows they are hashing exactly | |
848 | + * 3, 2 or 1 word(s). | |
849 | + * | |
850 | + * NOTE: In partilar the "c += length; __jhash_mix(a,b,c);" normally | |
851 | + * done at the end is not done here. | |
852 | + */ | |
853 | +static inline __u32 jhash_3words(__u32 a, __u32 b, __u32 c, __u32 initval) | |
854 | +{ | |
855 | + a += JHASH_GOLDEN_RATIO; | |
856 | + b += JHASH_GOLDEN_RATIO; | |
857 | + c += initval; | |
858 | + | |
859 | + __jhash_mix(a, b, c); | |
860 | + | |
861 | + return c; | |
862 | +} | |
863 | + | |
864 | +static inline __u32 jhash_2words(__u32 a, __u32 b, __u32 initval) | |
865 | +{ | |
866 | + return jhash_3words(a, b, 0, initval); | |
867 | +} | |
868 | + | |
869 | +static inline __u32 jhash_1word(__u32 a, __u32 initval) | |
870 | +{ | |
871 | + return jhash_3words(a, 0, 0, initval); | |
872 | +} | |
873 | + | |
874 | +#endif /* _LINUX_IPSET_JHASH_H */ | |
7d2f026e | 875 | diff -uNrp --exclude=.svn a/include/linux/netfilter_ipv4/ip_set_macipmap.h linux-2.6/include/linux/netfilter_ipv4/ip_set_macipmap.h |
876 | --- a/include/linux/netfilter_ipv4/ip_set_macipmap.h 1970-01-01 01:00:00.000000000 +0100 | |
877 | +++ linux-2.6/include/linux/netfilter_ipv4/ip_set_macipmap.h 2008-07-08 16:52:53.465235839 +0200 | |
1aedc22c | 878 | @@ -0,0 +1,38 @@ |
879 | +#ifndef __IP_SET_MACIPMAP_H | |
880 | +#define __IP_SET_MACIPMAP_H | |
881 | + | |
882 | +#include <linux/netfilter_ipv4/ip_set.h> | |
883 | + | |
884 | +#define SETTYPE_NAME "macipmap" | |
885 | +#define MAX_RANGE 0x0000FFFF | |
886 | + | |
887 | +/* general flags */ | |
888 | +#define IPSET_MACIP_MATCHUNSET 1 | |
889 | + | |
890 | +/* per ip flags */ | |
891 | +#define IPSET_MACIP_ISSET 1 | |
892 | + | |
893 | +struct ip_set_macipmap { | |
894 | + void *members; /* the macipmap proper */ | |
895 | + ip_set_ip_t first_ip; /* host byte order, included in range */ | |
896 | + ip_set_ip_t last_ip; /* host byte order, included in range */ | |
897 | + u_int32_t flags; | |
898 | +}; | |
899 | + | |
900 | +struct ip_set_req_macipmap_create { | |
901 | + ip_set_ip_t from; | |
902 | + ip_set_ip_t to; | |
903 | + u_int32_t flags; | |
904 | +}; | |
905 | + | |
906 | +struct ip_set_req_macipmap { | |
907 | + ip_set_ip_t ip; | |
908 | + unsigned char ethernet[ETH_ALEN]; | |
909 | +}; | |
910 | + | |
911 | +struct ip_set_macip { | |
912 | + unsigned short flags; | |
913 | + unsigned char ethernet[ETH_ALEN]; | |
914 | +}; | |
915 | + | |
916 | +#endif /* __IP_SET_MACIPMAP_H */ | |
7d2f026e | 917 | diff -uNrp --exclude=.svn a/include/linux/netfilter_ipv4/ip_set_malloc.h linux-2.6/include/linux/netfilter_ipv4/ip_set_malloc.h |
918 | --- a/include/linux/netfilter_ipv4/ip_set_malloc.h 1970-01-01 01:00:00.000000000 +0100 | |
919 | +++ linux-2.6/include/linux/netfilter_ipv4/ip_set_malloc.h 2008-07-08 16:52:53.465235839 +0200 | |
920 | @@ -0,0 +1,143 @@ | |
1aedc22c | 921 | +#ifndef _IP_SET_MALLOC_H |
922 | +#define _IP_SET_MALLOC_H | |
923 | + | |
924 | +#ifdef __KERNEL__ | |
925 | + | |
7d2f026e | 926 | +static size_t max_malloc_size = 0, max_page_size = 0; |
1aedc22c | 927 | + |
7d2f026e | 928 | +static inline bool init_max_page_size(void) |
1aedc22c | 929 | +{ |
7d2f026e | 930 | + size_t page_size = 0; |
931 | + | |
932 | +#define CACHE(x) if (max_page_size == 0 || x < max_page_size) \ | |
933 | + page_size = x; | |
1aedc22c | 934 | +#include <linux/kmalloc_sizes.h> |
935 | +#undef CACHE | |
7d2f026e | 936 | + if (page_size) { |
937 | + if (max_malloc_size == 0) | |
938 | + max_malloc_size = page_size; | |
1aedc22c | 939 | + |
7d2f026e | 940 | + max_page_size = page_size; |
1aedc22c | 941 | + |
7d2f026e | 942 | + return 1; |
943 | + } | |
944 | + return 0; | |
1aedc22c | 945 | +} |
946 | + | |
947 | +struct harray { | |
948 | + size_t max_elements; | |
949 | + void *arrays[0]; | |
950 | +}; | |
951 | + | |
952 | +static inline void * | |
7d2f026e | 953 | +__harray_malloc(size_t hashsize, size_t typesize, int flags) |
1aedc22c | 954 | +{ |
955 | + struct harray *harray; | |
956 | + size_t max_elements, size, i, j; | |
957 | + | |
7d2f026e | 958 | + BUG_ON(max_page_size == 0); |
1aedc22c | 959 | + |
7d2f026e | 960 | + if (typesize > max_page_size) |
1aedc22c | 961 | + return NULL; |
962 | + | |
7d2f026e | 963 | + max_elements = max_page_size/typesize; |
1aedc22c | 964 | + size = hashsize/max_elements; |
965 | + if (hashsize % max_elements) | |
966 | + size++; | |
967 | + | |
968 | + /* Last pointer signals end of arrays */ | |
969 | + harray = kmalloc(sizeof(struct harray) + (size + 1) * sizeof(void *), | |
970 | + flags); | |
971 | + | |
972 | + if (!harray) | |
973 | + return NULL; | |
974 | + | |
975 | + for (i = 0; i < size - 1; i++) { | |
976 | + harray->arrays[i] = kmalloc(max_elements * typesize, flags); | |
977 | + if (!harray->arrays[i]) | |
978 | + goto undo; | |
979 | + memset(harray->arrays[i], 0, max_elements * typesize); | |
980 | + } | |
981 | + harray->arrays[i] = kmalloc((hashsize - i * max_elements) * typesize, | |
982 | + flags); | |
983 | + if (!harray->arrays[i]) | |
984 | + goto undo; | |
985 | + memset(harray->arrays[i], 0, (hashsize - i * max_elements) * typesize); | |
986 | + | |
987 | + harray->max_elements = max_elements; | |
988 | + harray->arrays[size] = NULL; | |
989 | + | |
990 | + return (void *)harray; | |
991 | + | |
992 | + undo: | |
993 | + for (j = 0; j < i; j++) { | |
994 | + kfree(harray->arrays[j]); | |
995 | + } | |
996 | + kfree(harray); | |
997 | + return NULL; | |
998 | +} | |
999 | + | |
7d2f026e | 1000 | +static inline void * |
1001 | +harray_malloc(size_t hashsize, size_t typesize, int flags) | |
1002 | +{ | |
1003 | + void *harray; | |
1004 | + | |
1005 | + do { | |
1006 | + harray = __harray_malloc(hashsize, typesize, flags|__GFP_NOWARN); | |
1007 | + } while (harray == NULL && init_max_page_size()); | |
1008 | + | |
1009 | + return harray; | |
1010 | +} | |
1011 | + | |
1aedc22c | 1012 | +static inline void harray_free(void *h) |
1013 | +{ | |
1014 | + struct harray *harray = (struct harray *) h; | |
1015 | + size_t i; | |
1016 | + | |
1017 | + for (i = 0; harray->arrays[i] != NULL; i++) | |
1018 | + kfree(harray->arrays[i]); | |
1019 | + kfree(harray); | |
1020 | +} | |
1021 | + | |
1022 | +static inline void harray_flush(void *h, size_t hashsize, size_t typesize) | |
1023 | +{ | |
1024 | + struct harray *harray = (struct harray *) h; | |
1025 | + size_t i; | |
1026 | + | |
1027 | + for (i = 0; harray->arrays[i+1] != NULL; i++) | |
1028 | + memset(harray->arrays[i], 0, harray->max_elements * typesize); | |
1029 | + memset(harray->arrays[i], 0, | |
1030 | + (hashsize - i * harray->max_elements) * typesize); | |
1031 | +} | |
1032 | + | |
1033 | +#define HARRAY_ELEM(h, type, which) \ | |
1034 | +({ \ | |
1035 | + struct harray *__h = (struct harray *)(h); \ | |
1036 | + ((type)((__h)->arrays[(which)/(__h)->max_elements]) \ | |
1037 | + + (which)%(__h)->max_elements); \ | |
1038 | +}) | |
1039 | + | |
7d2f026e | 1040 | +/* General memory allocation and deallocation */ |
1041 | +static inline void * ip_set_malloc(size_t bytes) | |
1042 | +{ | |
1043 | + BUG_ON(max_malloc_size == 0); | |
1044 | + | |
1045 | + if (bytes > max_malloc_size) | |
1046 | + return vmalloc(bytes); | |
1047 | + else | |
1048 | + return kmalloc(bytes, GFP_KERNEL | __GFP_NOWARN); | |
1049 | +} | |
1050 | + | |
1051 | +static inline void ip_set_free(void * data, size_t bytes) | |
1052 | +{ | |
1053 | + BUG_ON(max_malloc_size == 0); | |
1054 | + | |
1055 | + if (bytes > max_malloc_size) | |
1056 | + vfree(data); | |
1057 | + else | |
1058 | + kfree(data); | |
1059 | +} | |
1060 | + | |
1aedc22c | 1061 | +#endif /* __KERNEL__ */ |
1062 | + | |
1063 | +#endif /*_IP_SET_MALLOC_H*/ | |
7d2f026e | 1064 | diff -uNrp --exclude=.svn a/include/linux/netfilter_ipv4/ip_set_nethash.h linux-2.6/include/linux/netfilter_ipv4/ip_set_nethash.h |
1065 | --- a/include/linux/netfilter_ipv4/ip_set_nethash.h 1970-01-01 01:00:00.000000000 +0100 | |
1066 | +++ linux-2.6/include/linux/netfilter_ipv4/ip_set_nethash.h 2008-07-08 16:52:53.465235839 +0200 | |
1aedc22c | 1067 | @@ -0,0 +1,55 @@ |
1068 | +#ifndef __IP_SET_NETHASH_H | |
1069 | +#define __IP_SET_NETHASH_H | |
1070 | + | |
1071 | +#include <linux/netfilter_ipv4/ip_set.h> | |
1072 | + | |
1073 | +#define SETTYPE_NAME "nethash" | |
1074 | +#define MAX_RANGE 0x0000FFFF | |
1075 | + | |
1076 | +struct ip_set_nethash { | |
1077 | + ip_set_ip_t *members; /* the nethash proper */ | |
1078 | + uint32_t elements; /* number of elements */ | |
1079 | + uint32_t hashsize; /* hash size */ | |
1080 | + uint16_t probes; /* max number of probes */ | |
1081 | + uint16_t resize; /* resize factor in percent */ | |
1082 | + unsigned char cidr[30]; /* CIDR sizes */ | |
1083 | + void *initval[0]; /* initvals for jhash_1word */ | |
1084 | +}; | |
1085 | + | |
1086 | +struct ip_set_req_nethash_create { | |
1087 | + uint32_t hashsize; | |
1088 | + uint16_t probes; | |
1089 | + uint16_t resize; | |
1090 | +}; | |
1091 | + | |
1092 | +struct ip_set_req_nethash { | |
1093 | + ip_set_ip_t ip; | |
1094 | + unsigned char cidr; | |
1095 | +}; | |
1096 | + | |
1097 | +static unsigned char shifts[] = {255, 253, 249, 241, 225, 193, 129, 1}; | |
1098 | + | |
1099 | +static inline ip_set_ip_t | |
1100 | +pack(ip_set_ip_t ip, unsigned char cidr) | |
1101 | +{ | |
1102 | + ip_set_ip_t addr, *paddr = &addr; | |
1103 | + unsigned char n, t, *a; | |
1104 | + | |
1105 | + addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr)))); | |
1106 | +#ifdef __KERNEL__ | |
1107 | + DP("ip:%u.%u.%u.%u/%u", NIPQUAD(addr), cidr); | |
1108 | +#endif | |
1109 | + n = cidr / 8; | |
1110 | + t = cidr % 8; | |
1111 | + a = &((unsigned char *)paddr)[n]; | |
1112 | + *a = *a /(1 << (8 - t)) + shifts[t]; | |
1113 | +#ifdef __KERNEL__ | |
1114 | + DP("n: %u, t: %u, a: %u", n, t, *a); | |
1115 | + DP("ip:%u.%u.%u.%u/%u, %u.%u.%u.%u", | |
1116 | + HIPQUAD(ip), cidr, NIPQUAD(addr)); | |
1117 | +#endif | |
1118 | + | |
1119 | + return ntohl(addr); | |
1120 | +} | |
1121 | + | |
1122 | +#endif /* __IP_SET_NETHASH_H */ | |
7d2f026e | 1123 | diff -uNrp --exclude=.svn a/include/linux/netfilter_ipv4/ip_set_portmap.h linux-2.6/include/linux/netfilter_ipv4/ip_set_portmap.h |
1124 | --- a/include/linux/netfilter_ipv4/ip_set_portmap.h 1970-01-01 01:00:00.000000000 +0100 | |
1125 | +++ linux-2.6/include/linux/netfilter_ipv4/ip_set_portmap.h 2008-07-08 16:52:53.465235839 +0200 | |
1aedc22c | 1126 | @@ -0,0 +1,25 @@ |
1127 | +#ifndef __IP_SET_PORTMAP_H | |
1128 | +#define __IP_SET_PORTMAP_H | |
1129 | + | |
1130 | +#include <linux/netfilter_ipv4/ip_set.h> | |
1131 | + | |
1132 | +#define SETTYPE_NAME "portmap" | |
1133 | +#define MAX_RANGE 0x0000FFFF | |
1134 | +#define INVALID_PORT (MAX_RANGE + 1) | |
1135 | + | |
1136 | +struct ip_set_portmap { | |
1137 | + void *members; /* the portmap proper */ | |
1138 | + ip_set_ip_t first_port; /* host byte order, included in range */ | |
1139 | + ip_set_ip_t last_port; /* host byte order, included in range */ | |
1140 | +}; | |
1141 | + | |
1142 | +struct ip_set_req_portmap_create { | |
1143 | + ip_set_ip_t from; | |
1144 | + ip_set_ip_t to; | |
1145 | +}; | |
1146 | + | |
1147 | +struct ip_set_req_portmap { | |
1148 | + ip_set_ip_t port; | |
1149 | +}; | |
1150 | + | |
1151 | +#endif /* __IP_SET_PORTMAP_H */ | |
7d2f026e | 1152 | diff -uNrp --exclude=.svn a/include/linux/netfilter_ipv4/ipt_set.h linux-2.6/include/linux/netfilter_ipv4/ipt_set.h |
1153 | --- a/include/linux/netfilter_ipv4/ipt_set.h 1970-01-01 01:00:00.000000000 +0100 | |
1154 | +++ linux-2.6/include/linux/netfilter_ipv4/ipt_set.h 2008-07-08 16:52:53.465235839 +0200 | |
1aedc22c | 1155 | @@ -0,0 +1,21 @@ |
1156 | +#ifndef _IPT_SET_H | |
1157 | +#define _IPT_SET_H | |
1158 | + | |
1159 | +#include <linux/netfilter_ipv4/ip_set.h> | |
1160 | + | |
1161 | +struct ipt_set_info { | |
1162 | + ip_set_id_t index; | |
1163 | + u_int32_t flags[IP_SET_MAX_BINDINGS + 1]; | |
1164 | +}; | |
1165 | + | |
1166 | +/* match info */ | |
1167 | +struct ipt_set_info_match { | |
1168 | + struct ipt_set_info match_set; | |
1169 | +}; | |
1170 | + | |
1171 | +struct ipt_set_info_target { | |
1172 | + struct ipt_set_info add_set; | |
1173 | + struct ipt_set_info del_set; | |
1174 | +}; | |
1175 | + | |
1176 | +#endif /*_IPT_SET_H*/ | |
7d2f026e | 1177 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/ip_set.c linux-2.6/net/ipv4/netfilter/ip_set.c |
1178 | --- a/net/ipv4/netfilter/ip_set.c 1970-01-01 01:00:00.000000000 +0100 | |
1179 | +++ linux-2.6/net/ipv4/netfilter/ip_set.c 2008-07-08 16:52:53.965201208 +0200 | |
1180 | @@ -0,0 +1,1981 @@ | |
1aedc22c | 1181 | +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> |
1182 | + * Patrick Schaaf <bof@bof.de> | |
1183 | + * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | |
1184 | + * | |
1185 | + * This program is free software; you can redistribute it and/or modify | |
1186 | + * it under the terms of the GNU General Public License version 2 as | |
7d2f026e | 1187 | + * published by the Free Software Foundation. |
1aedc22c | 1188 | + */ |
1189 | + | |
1190 | +/* Kernel module for IP set management */ | |
1191 | + | |
1192 | +#include <linux/version.h> | |
1193 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) | |
1194 | +#include <linux/config.h> | |
1195 | +#endif | |
1196 | +#include <linux/module.h> | |
1197 | +#include <linux/moduleparam.h> | |
1198 | +#include <linux/kmod.h> | |
1199 | +#include <linux/ip.h> | |
1200 | +#include <linux/skbuff.h> | |
1201 | +#include <linux/random.h> | |
f45e9687 | 1202 | +#include <linux/jhash.h> |
1aedc22c | 1203 | +#include <linux/netfilter_ipv4/ip_tables.h> |
1204 | +#include <linux/errno.h> | |
1205 | +#include <asm/uaccess.h> | |
1206 | +#include <asm/bitops.h> | |
1207 | +#include <asm/semaphore.h> | |
1208 | +#include <linux/spinlock.h> | |
1209 | +#include <linux/vmalloc.h> | |
1210 | + | |
1211 | +#define ASSERT_READ_LOCK(x) | |
1212 | +#define ASSERT_WRITE_LOCK(x) | |
1213 | +#include <linux/netfilter_ipv4/ip_set.h> | |
1214 | + | |
1215 | +static struct list_head set_type_list; /* all registered sets */ | |
1216 | +static struct ip_set **ip_set_list; /* all individual sets */ | |
1217 | +static DEFINE_RWLOCK(ip_set_lock); /* protects the lists and the hash */ | |
1218 | +static DECLARE_MUTEX(ip_set_app_mutex); /* serializes user access */ | |
1219 | +static ip_set_id_t ip_set_max = CONFIG_IP_NF_SET_MAX; | |
1220 | +static ip_set_id_t ip_set_bindings_hash_size = CONFIG_IP_NF_SET_HASHSIZE; | |
1221 | +static struct list_head *ip_set_hash; /* hash of bindings */ | |
1222 | +static unsigned int ip_set_hash_random; /* random seed */ | |
1223 | + | |
7d2f026e | 1224 | +#define SETNAME_EQ(a,b) (strncmp(a,b,IP_SET_MAXNAMELEN) == 0) |
1225 | + | |
1aedc22c | 1226 | +/* |
1227 | + * Sets are identified either by the index in ip_set_list or by id. | |
7d2f026e | 1228 | + * The id never changes and is used to find a key in the hash. |
1229 | + * The index may change by swapping and used at all other places | |
1aedc22c | 1230 | + * (set/SET netfilter modules, binding value, etc.) |
1231 | + * | |
1232 | + * Userspace requests are serialized by ip_set_mutex and sets can | |
7d2f026e | 1233 | + * be deleted only from userspace. Therefore ip_set_list locking |
1aedc22c | 1234 | + * must obey the following rules: |
1235 | + * | |
1236 | + * - kernel requests: read and write locking mandatory | |
1237 | + * - user requests: read locking optional, write locking mandatory | |
1238 | + */ | |
1239 | + | |
1240 | +static inline void | |
1241 | +__ip_set_get(ip_set_id_t index) | |
1242 | +{ | |
1243 | + atomic_inc(&ip_set_list[index]->ref); | |
1244 | +} | |
1245 | + | |
1246 | +static inline void | |
1247 | +__ip_set_put(ip_set_id_t index) | |
1248 | +{ | |
1249 | + atomic_dec(&ip_set_list[index]->ref); | |
1250 | +} | |
1251 | + | |
1252 | +/* | |
1253 | + * Binding routines | |
1254 | + */ | |
1255 | + | |
1256 | +static inline struct ip_set_hash * | |
1257 | +__ip_set_find(u_int32_t key, ip_set_id_t id, ip_set_ip_t ip) | |
1258 | +{ | |
1259 | + struct ip_set_hash *set_hash; | |
1260 | + | |
1261 | + list_for_each_entry(set_hash, &ip_set_hash[key], list) | |
1262 | + if (set_hash->id == id && set_hash->ip == ip) | |
1263 | + return set_hash; | |
1264 | + | |
1265 | + return NULL; | |
1266 | +} | |
1267 | + | |
1268 | +static ip_set_id_t | |
1269 | +ip_set_find_in_hash(ip_set_id_t id, ip_set_ip_t ip) | |
1270 | +{ | |
7d2f026e | 1271 | + u_int32_t key = jhash_2words(id, ip, ip_set_hash_random) |
1aedc22c | 1272 | + % ip_set_bindings_hash_size; |
1273 | + struct ip_set_hash *set_hash; | |
1274 | + | |
1275 | + ASSERT_READ_LOCK(&ip_set_lock); | |
1276 | + IP_SET_ASSERT(ip_set_list[id]); | |
1277 | + DP("set: %s, ip: %u.%u.%u.%u", ip_set_list[id]->name, HIPQUAD(ip)); | |
1278 | + | |
1279 | + set_hash = __ip_set_find(key, id, ip); | |
1280 | + | |
7d2f026e | 1281 | + DP("set: %s, ip: %u.%u.%u.%u, binding: %s", ip_set_list[id]->name, |
1aedc22c | 1282 | + HIPQUAD(ip), |
1283 | + set_hash != NULL ? ip_set_list[set_hash->binding]->name : ""); | |
1284 | + | |
1285 | + return (set_hash != NULL ? set_hash->binding : IP_SET_INVALID_ID); | |
1286 | +} | |
1287 | + | |
7d2f026e | 1288 | +static inline void |
1aedc22c | 1289 | +__set_hash_del(struct ip_set_hash *set_hash) |
1290 | +{ | |
1291 | + ASSERT_WRITE_LOCK(&ip_set_lock); | |
1292 | + IP_SET_ASSERT(ip_set_list[set_hash->binding]); | |
1293 | + | |
1294 | + __ip_set_put(set_hash->binding); | |
1295 | + list_del(&set_hash->list); | |
1296 | + kfree(set_hash); | |
1297 | +} | |
1298 | + | |
1299 | +static int | |
1300 | +ip_set_hash_del(ip_set_id_t id, ip_set_ip_t ip) | |
1301 | +{ | |
1302 | + u_int32_t key = jhash_2words(id, ip, ip_set_hash_random) | |
1303 | + % ip_set_bindings_hash_size; | |
1304 | + struct ip_set_hash *set_hash; | |
1305 | + | |
1306 | + IP_SET_ASSERT(ip_set_list[id]); | |
1307 | + DP("set: %s, ip: %u.%u.%u.%u", ip_set_list[id]->name, HIPQUAD(ip)); | |
1308 | + write_lock_bh(&ip_set_lock); | |
1309 | + set_hash = __ip_set_find(key, id, ip); | |
1310 | + DP("set: %s, ip: %u.%u.%u.%u, binding: %s", ip_set_list[id]->name, | |
1311 | + HIPQUAD(ip), | |
1312 | + set_hash != NULL ? ip_set_list[set_hash->binding]->name : ""); | |
1313 | + | |
1314 | + if (set_hash != NULL) | |
1315 | + __set_hash_del(set_hash); | |
1316 | + write_unlock_bh(&ip_set_lock); | |
1317 | + return 0; | |
1318 | +} | |
1319 | + | |
7d2f026e | 1320 | +static int |
1aedc22c | 1321 | +ip_set_hash_add(ip_set_id_t id, ip_set_ip_t ip, ip_set_id_t binding) |
1322 | +{ | |
1323 | + u_int32_t key = jhash_2words(id, ip, ip_set_hash_random) | |
1324 | + % ip_set_bindings_hash_size; | |
1325 | + struct ip_set_hash *set_hash; | |
1326 | + int ret = 0; | |
1327 | + | |
1328 | + IP_SET_ASSERT(ip_set_list[id]); | |
1329 | + IP_SET_ASSERT(ip_set_list[binding]); | |
7d2f026e | 1330 | + DP("set: %s, ip: %u.%u.%u.%u, binding: %s", ip_set_list[id]->name, |
1aedc22c | 1331 | + HIPQUAD(ip), ip_set_list[binding]->name); |
1332 | + write_lock_bh(&ip_set_lock); | |
1333 | + set_hash = __ip_set_find(key, id, ip); | |
1334 | + if (!set_hash) { | |
9f54053a | 1335 | + set_hash = kmalloc(sizeof(struct ip_set_hash), GFP_ATOMIC); |
1aedc22c | 1336 | + if (!set_hash) { |
1337 | + ret = -ENOMEM; | |
1338 | + goto unlock; | |
1339 | + } | |
1340 | + INIT_LIST_HEAD(&set_hash->list); | |
1341 | + set_hash->id = id; | |
1342 | + set_hash->ip = ip; | |
9f54053a | 1343 | + list_add(&set_hash->list, &ip_set_hash[key]); |
1aedc22c | 1344 | + } else { |
1345 | + IP_SET_ASSERT(ip_set_list[set_hash->binding]); | |
1346 | + DP("overwrite binding: %s", | |
1347 | + ip_set_list[set_hash->binding]->name); | |
1348 | + __ip_set_put(set_hash->binding); | |
1349 | + } | |
1350 | + set_hash->binding = binding; | |
1351 | + __ip_set_get(set_hash->binding); | |
9f54053a JR |
1352 | + DP("stored: key %u, id %u (%s), ip %u.%u.%u.%u, binding %u (%s)", |
1353 | + key, id, ip_set_list[id]->name, | |
1354 | + HIPQUAD(ip), binding, ip_set_list[binding]->name); | |
1aedc22c | 1355 | + unlock: |
1356 | + write_unlock_bh(&ip_set_lock); | |
1357 | + return ret; | |
1358 | +} | |
1359 | + | |
1360 | +#define FOREACH_HASH_DO(fn, args...) \ | |
1361 | +({ \ | |
1362 | + ip_set_id_t __key; \ | |
1363 | + struct ip_set_hash *__set_hash; \ | |
1364 | + \ | |
1365 | + for (__key = 0; __key < ip_set_bindings_hash_size; __key++) { \ | |
1366 | + list_for_each_entry(__set_hash, &ip_set_hash[__key], list) \ | |
1367 | + fn(__set_hash , ## args); \ | |
1368 | + } \ | |
1369 | +}) | |
1370 | + | |
1371 | +#define FOREACH_HASH_RW_DO(fn, args...) \ | |
1372 | +({ \ | |
1373 | + ip_set_id_t __key; \ | |
1374 | + struct ip_set_hash *__set_hash, *__n; \ | |
1375 | + \ | |
1376 | + ASSERT_WRITE_LOCK(&ip_set_lock); \ | |
1377 | + for (__key = 0; __key < ip_set_bindings_hash_size; __key++) { \ | |
1378 | + list_for_each_entry_safe(__set_hash, __n, &ip_set_hash[__key], list)\ | |
1379 | + fn(__set_hash , ## args); \ | |
1380 | + } \ | |
1381 | +}) | |
1382 | + | |
1383 | +/* Add, del and test set entries from kernel */ | |
1384 | + | |
1385 | +#define follow_bindings(index, set, ip) \ | |
1386 | +((index = ip_set_find_in_hash((set)->id, ip)) != IP_SET_INVALID_ID \ | |
1387 | + || (index = (set)->binding) != IP_SET_INVALID_ID) | |
1388 | + | |
1389 | +int | |
1390 | +ip_set_testip_kernel(ip_set_id_t index, | |
1391 | + const struct sk_buff *skb, | |
1392 | + const u_int32_t *flags) | |
1393 | +{ | |
1394 | + struct ip_set *set; | |
1395 | + ip_set_ip_t ip; | |
1396 | + int res; | |
1397 | + unsigned char i = 0; | |
1398 | + | |
1399 | + IP_SET_ASSERT(flags[i]); | |
1400 | + read_lock_bh(&ip_set_lock); | |
1401 | + do { | |
1402 | + set = ip_set_list[index]; | |
1403 | + IP_SET_ASSERT(set); | |
1404 | + DP("set %s, index %u", set->name, index); | |
1405 | + read_lock_bh(&set->lock); | |
1406 | + res = set->type->testip_kernel(set, skb, &ip, flags, i++); | |
1407 | + read_unlock_bh(&set->lock); | |
1408 | + i += !!(set->type->features & IPSET_DATA_DOUBLE); | |
7d2f026e | 1409 | + } while (res > 0 |
1410 | + && flags[i] | |
1aedc22c | 1411 | + && follow_bindings(index, set, ip)); |
1412 | + read_unlock_bh(&ip_set_lock); | |
1413 | + | |
1414 | + return res; | |
1415 | +} | |
1416 | + | |
1417 | +void | |
1418 | +ip_set_addip_kernel(ip_set_id_t index, | |
1419 | + const struct sk_buff *skb, | |
1420 | + const u_int32_t *flags) | |
1421 | +{ | |
1422 | + struct ip_set *set; | |
1423 | + ip_set_ip_t ip; | |
1424 | + int res; | |
1425 | + unsigned char i = 0; | |
1426 | + | |
1427 | + IP_SET_ASSERT(flags[i]); | |
1428 | + retry: | |
1429 | + read_lock_bh(&ip_set_lock); | |
1430 | + do { | |
1431 | + set = ip_set_list[index]; | |
1432 | + IP_SET_ASSERT(set); | |
1433 | + DP("set %s, index %u", set->name, index); | |
1434 | + write_lock_bh(&set->lock); | |
1435 | + res = set->type->addip_kernel(set, skb, &ip, flags, i++); | |
1436 | + write_unlock_bh(&set->lock); | |
1437 | + i += !!(set->type->features & IPSET_DATA_DOUBLE); | |
1438 | + } while ((res == 0 || res == -EEXIST) | |
7d2f026e | 1439 | + && flags[i] |
1aedc22c | 1440 | + && follow_bindings(index, set, ip)); |
1441 | + read_unlock_bh(&ip_set_lock); | |
1442 | + | |
1443 | + if (res == -EAGAIN | |
1444 | + && set->type->retry | |
1445 | + && (res = set->type->retry(set)) == 0) | |
1446 | + goto retry; | |
1447 | +} | |
1448 | + | |
1449 | +void | |
1450 | +ip_set_delip_kernel(ip_set_id_t index, | |
1451 | + const struct sk_buff *skb, | |
1452 | + const u_int32_t *flags) | |
1453 | +{ | |
1454 | + struct ip_set *set; | |
1455 | + ip_set_ip_t ip; | |
1456 | + int res; | |
1457 | + unsigned char i = 0; | |
1458 | + | |
1459 | + IP_SET_ASSERT(flags[i]); | |
1460 | + read_lock_bh(&ip_set_lock); | |
1461 | + do { | |
1462 | + set = ip_set_list[index]; | |
1463 | + IP_SET_ASSERT(set); | |
1464 | + DP("set %s, index %u", set->name, index); | |
1465 | + write_lock_bh(&set->lock); | |
1466 | + res = set->type->delip_kernel(set, skb, &ip, flags, i++); | |
1467 | + write_unlock_bh(&set->lock); | |
1468 | + i += !!(set->type->features & IPSET_DATA_DOUBLE); | |
1469 | + } while ((res == 0 || res == -EEXIST) | |
7d2f026e | 1470 | + && flags[i] |
1aedc22c | 1471 | + && follow_bindings(index, set, ip)); |
1472 | + read_unlock_bh(&ip_set_lock); | |
1473 | +} | |
1474 | + | |
1475 | +/* Register and deregister settype */ | |
1476 | + | |
1477 | +static inline struct ip_set_type * | |
1478 | +find_set_type(const char *name) | |
1479 | +{ | |
1480 | + struct ip_set_type *set_type; | |
1481 | + | |
1482 | + list_for_each_entry(set_type, &set_type_list, list) | |
1483 | + if (!strncmp(set_type->typename, name, IP_SET_MAXNAMELEN - 1)) | |
1484 | + return set_type; | |
1485 | + return NULL; | |
1486 | +} | |
1487 | + | |
7d2f026e | 1488 | +int |
1aedc22c | 1489 | +ip_set_register_set_type(struct ip_set_type *set_type) |
1490 | +{ | |
1491 | + int ret = 0; | |
1492 | + | |
1493 | + if (set_type->protocol_version != IP_SET_PROTOCOL_VERSION) { | |
1494 | + ip_set_printk("'%s' uses wrong protocol version %u (want %u)", | |
1495 | + set_type->typename, | |
1496 | + set_type->protocol_version, | |
1497 | + IP_SET_PROTOCOL_VERSION); | |
1498 | + return -EINVAL; | |
1499 | + } | |
1500 | + | |
1501 | + write_lock_bh(&ip_set_lock); | |
1502 | + if (find_set_type(set_type->typename)) { | |
1503 | + /* Duplicate! */ | |
7d2f026e | 1504 | + ip_set_printk("'%s' already registered!", |
1aedc22c | 1505 | + set_type->typename); |
1506 | + ret = -EINVAL; | |
1507 | + goto unlock; | |
1508 | + } | |
1509 | + if (!try_module_get(THIS_MODULE)) { | |
1510 | + ret = -EFAULT; | |
1511 | + goto unlock; | |
1512 | + } | |
1513 | + list_add(&set_type->list, &set_type_list); | |
1514 | + DP("'%s' registered.", set_type->typename); | |
1515 | + unlock: | |
1516 | + write_unlock_bh(&ip_set_lock); | |
1517 | + return ret; | |
1518 | +} | |
1519 | + | |
1520 | +void | |
1521 | +ip_set_unregister_set_type(struct ip_set_type *set_type) | |
1522 | +{ | |
1523 | + write_lock_bh(&ip_set_lock); | |
1524 | + if (!find_set_type(set_type->typename)) { | |
1525 | + ip_set_printk("'%s' not registered?", | |
1526 | + set_type->typename); | |
1527 | + goto unlock; | |
1528 | + } | |
1529 | + list_del(&set_type->list); | |
1530 | + module_put(THIS_MODULE); | |
1531 | + DP("'%s' unregistered.", set_type->typename); | |
1532 | + unlock: | |
1533 | + write_unlock_bh(&ip_set_lock); | |
1534 | + | |
1535 | +} | |
1536 | + | |
1537 | +/* | |
1538 | + * Userspace routines | |
1539 | + */ | |
1540 | + | |
1541 | +/* | |
1542 | + * Find set by name, reference it once. The reference makes sure the | |
1543 | + * thing pointed to, does not go away under our feet. Drop the reference | |
1544 | + * later, using ip_set_put(). | |
1545 | + */ | |
1546 | +ip_set_id_t | |
1547 | +ip_set_get_byname(const char *name) | |
1548 | +{ | |
1549 | + ip_set_id_t i, index = IP_SET_INVALID_ID; | |
1550 | + | |
1551 | + down(&ip_set_app_mutex); | |
1552 | + for (i = 0; i < ip_set_max; i++) { | |
1553 | + if (ip_set_list[i] != NULL | |
7d2f026e | 1554 | + && SETNAME_EQ(ip_set_list[i]->name, name)) { |
1aedc22c | 1555 | + __ip_set_get(i); |
1556 | + index = i; | |
1557 | + break; | |
1558 | + } | |
1559 | + } | |
1560 | + up(&ip_set_app_mutex); | |
1561 | + return index; | |
1562 | +} | |
1563 | + | |
1564 | +/* | |
1565 | + * Find set by index, reference it once. The reference makes sure the | |
1566 | + * thing pointed to, does not go away under our feet. Drop the reference | |
1567 | + * later, using ip_set_put(). | |
1568 | + */ | |
1569 | +ip_set_id_t | |
1570 | +ip_set_get_byindex(ip_set_id_t index) | |
1571 | +{ | |
1572 | + down(&ip_set_app_mutex); | |
1573 | + | |
1574 | + if (index >= ip_set_max) | |
1575 | + return IP_SET_INVALID_ID; | |
1576 | + | |
1577 | + if (ip_set_list[index]) | |
1578 | + __ip_set_get(index); | |
1579 | + else | |
1580 | + index = IP_SET_INVALID_ID; | |
1581 | + | |
1582 | + up(&ip_set_app_mutex); | |
1583 | + return index; | |
1584 | +} | |
1585 | + | |
1586 | +/* | |
1587 | + * If the given set pointer points to a valid set, decrement | |
1588 | + * reference count by 1. The caller shall not assume the index | |
1589 | + * to be valid, after calling this function. | |
1590 | + */ | |
1591 | +void ip_set_put(ip_set_id_t index) | |
1592 | +{ | |
1593 | + down(&ip_set_app_mutex); | |
1594 | + if (ip_set_list[index]) | |
1595 | + __ip_set_put(index); | |
1596 | + up(&ip_set_app_mutex); | |
1597 | +} | |
1598 | + | |
1599 | +/* Find a set by name or index */ | |
1600 | +static ip_set_id_t | |
1601 | +ip_set_find_byname(const char *name) | |
1602 | +{ | |
1603 | + ip_set_id_t i, index = IP_SET_INVALID_ID; | |
1604 | + | |
1605 | + for (i = 0; i < ip_set_max; i++) { | |
1606 | + if (ip_set_list[i] != NULL | |
7d2f026e | 1607 | + && SETNAME_EQ(ip_set_list[i]->name, name)) { |
1aedc22c | 1608 | + index = i; |
1609 | + break; | |
1610 | + } | |
1611 | + } | |
1612 | + return index; | |
1613 | +} | |
1614 | + | |
1615 | +static ip_set_id_t | |
1616 | +ip_set_find_byindex(ip_set_id_t index) | |
1617 | +{ | |
1618 | + if (index >= ip_set_max || ip_set_list[index] == NULL) | |
1619 | + index = IP_SET_INVALID_ID; | |
1620 | + | |
1621 | + return index; | |
1622 | +} | |
1623 | + | |
1624 | +/* | |
1625 | + * Add, del, test, bind and unbind | |
1626 | + */ | |
1627 | + | |
1628 | +static inline int | |
1629 | +__ip_set_testip(struct ip_set *set, | |
1630 | + const void *data, | |
1631 | + size_t size, | |
1632 | + ip_set_ip_t *ip) | |
1633 | +{ | |
1634 | + int res; | |
1635 | + | |
1636 | + read_lock_bh(&set->lock); | |
1637 | + res = set->type->testip(set, data, size, ip); | |
1638 | + read_unlock_bh(&set->lock); | |
1639 | + | |
1640 | + return res; | |
1641 | +} | |
1642 | + | |
1643 | +static int | |
1644 | +__ip_set_addip(ip_set_id_t index, | |
1645 | + const void *data, | |
1646 | + size_t size) | |
1647 | +{ | |
1648 | + struct ip_set *set = ip_set_list[index]; | |
1649 | + ip_set_ip_t ip; | |
1650 | + int res; | |
1651 | + | |
1652 | + IP_SET_ASSERT(set); | |
1653 | + do { | |
1654 | + write_lock_bh(&set->lock); | |
1655 | + res = set->type->addip(set, data, size, &ip); | |
1656 | + write_unlock_bh(&set->lock); | |
1657 | + } while (res == -EAGAIN | |
1658 | + && set->type->retry | |
1659 | + && (res = set->type->retry(set)) == 0); | |
1660 | + | |
1661 | + return res; | |
1662 | +} | |
1663 | + | |
1664 | +static int | |
1665 | +ip_set_addip(ip_set_id_t index, | |
1666 | + const void *data, | |
1667 | + size_t size) | |
1668 | +{ | |
1669 | + | |
1670 | + return __ip_set_addip(index, | |
1671 | + data + sizeof(struct ip_set_req_adt), | |
1672 | + size - sizeof(struct ip_set_req_adt)); | |
1673 | +} | |
1674 | + | |
1675 | +static int | |
1676 | +ip_set_delip(ip_set_id_t index, | |
1677 | + const void *data, | |
1678 | + size_t size) | |
1679 | +{ | |
1680 | + struct ip_set *set = ip_set_list[index]; | |
1681 | + ip_set_ip_t ip; | |
1682 | + int res; | |
1683 | + | |
1684 | + IP_SET_ASSERT(set); | |
1685 | + write_lock_bh(&set->lock); | |
1686 | + res = set->type->delip(set, | |
1687 | + data + sizeof(struct ip_set_req_adt), | |
1688 | + size - sizeof(struct ip_set_req_adt), | |
1689 | + &ip); | |
1690 | + write_unlock_bh(&set->lock); | |
1691 | + | |
1692 | + return res; | |
1693 | +} | |
1694 | + | |
1695 | +static int | |
1696 | +ip_set_testip(ip_set_id_t index, | |
1697 | + const void *data, | |
1698 | + size_t size) | |
1699 | +{ | |
1700 | + struct ip_set *set = ip_set_list[index]; | |
1701 | + ip_set_ip_t ip; | |
1702 | + int res; | |
1703 | + | |
1704 | + IP_SET_ASSERT(set); | |
1705 | + res = __ip_set_testip(set, | |
1706 | + data + sizeof(struct ip_set_req_adt), | |
1707 | + size - sizeof(struct ip_set_req_adt), | |
1708 | + &ip); | |
1709 | + | |
1710 | + return (res > 0 ? -EEXIST : res); | |
1711 | +} | |
1712 | + | |
1713 | +static int | |
1714 | +ip_set_bindip(ip_set_id_t index, | |
1715 | + const void *data, | |
1716 | + size_t size) | |
1717 | +{ | |
1718 | + struct ip_set *set = ip_set_list[index]; | |
7d2f026e | 1719 | + const struct ip_set_req_bind *req_bind; |
1aedc22c | 1720 | + ip_set_id_t binding; |
1721 | + ip_set_ip_t ip; | |
1722 | + int res; | |
1723 | + | |
1724 | + IP_SET_ASSERT(set); | |
1725 | + if (size < sizeof(struct ip_set_req_bind)) | |
1726 | + return -EINVAL; | |
1727 | + | |
7d2f026e | 1728 | + req_bind = data; |
1aedc22c | 1729 | + |
7d2f026e | 1730 | + if (SETNAME_EQ(req_bind->binding, IPSET_TOKEN_DEFAULT)) { |
1aedc22c | 1731 | + /* Default binding of a set */ |
7d2f026e | 1732 | + const char *binding_name; |
1aedc22c | 1733 | + |
1734 | + if (size != sizeof(struct ip_set_req_bind) + IP_SET_MAXNAMELEN) | |
1735 | + return -EINVAL; | |
1736 | + | |
7d2f026e | 1737 | + binding_name = data + sizeof(struct ip_set_req_bind); |
1aedc22c | 1738 | + |
1739 | + binding = ip_set_find_byname(binding_name); | |
1740 | + if (binding == IP_SET_INVALID_ID) | |
1741 | + return -ENOENT; | |
1742 | + | |
1743 | + write_lock_bh(&ip_set_lock); | |
1744 | + /* Sets as binding values are referenced */ | |
1745 | + if (set->binding != IP_SET_INVALID_ID) | |
1746 | + __ip_set_put(set->binding); | |
1747 | + set->binding = binding; | |
1748 | + __ip_set_get(set->binding); | |
1749 | + write_unlock_bh(&ip_set_lock); | |
1750 | + | |
1751 | + return 0; | |
1752 | + } | |
1753 | + binding = ip_set_find_byname(req_bind->binding); | |
1754 | + if (binding == IP_SET_INVALID_ID) | |
1755 | + return -ENOENT; | |
1756 | + | |
1757 | + res = __ip_set_testip(set, | |
1758 | + data + sizeof(struct ip_set_req_bind), | |
1759 | + size - sizeof(struct ip_set_req_bind), | |
1760 | + &ip); | |
1761 | + DP("set %s, ip: %u.%u.%u.%u, binding %s", | |
1762 | + set->name, HIPQUAD(ip), ip_set_list[binding]->name); | |
1763 | + | |
1764 | + if (res >= 0) | |
1765 | + res = ip_set_hash_add(set->id, ip, binding); | |
1766 | + | |
1767 | + return res; | |
1768 | +} | |
1769 | + | |
1770 | +#define FOREACH_SET_DO(fn, args...) \ | |
1771 | +({ \ | |
1772 | + ip_set_id_t __i; \ | |
1773 | + struct ip_set *__set; \ | |
1774 | + \ | |
1775 | + for (__i = 0; __i < ip_set_max; __i++) { \ | |
1776 | + __set = ip_set_list[__i]; \ | |
1777 | + if (__set != NULL) \ | |
1778 | + fn(__set , ##args); \ | |
1779 | + } \ | |
1780 | +}) | |
1781 | + | |
1782 | +static inline void | |
1783 | +__set_hash_del_byid(struct ip_set_hash *set_hash, ip_set_id_t id) | |
1784 | +{ | |
1785 | + if (set_hash->id == id) | |
1786 | + __set_hash_del(set_hash); | |
1787 | +} | |
1788 | + | |
1789 | +static inline void | |
1790 | +__unbind_default(struct ip_set *set) | |
1791 | +{ | |
1792 | + if (set->binding != IP_SET_INVALID_ID) { | |
1793 | + /* Sets as binding values are referenced */ | |
1794 | + __ip_set_put(set->binding); | |
1795 | + set->binding = IP_SET_INVALID_ID; | |
1796 | + } | |
1797 | +} | |
1798 | + | |
1799 | +static int | |
1800 | +ip_set_unbindip(ip_set_id_t index, | |
1801 | + const void *data, | |
1802 | + size_t size) | |
1803 | +{ | |
1804 | + struct ip_set *set; | |
7d2f026e | 1805 | + const struct ip_set_req_bind *req_bind; |
1aedc22c | 1806 | + ip_set_ip_t ip; |
1807 | + int res; | |
1808 | + | |
1809 | + DP(""); | |
1810 | + if (size < sizeof(struct ip_set_req_bind)) | |
1811 | + return -EINVAL; | |
1812 | + | |
7d2f026e | 1813 | + req_bind = data; |
1aedc22c | 1814 | + |
1815 | + DP("%u %s", index, req_bind->binding); | |
1816 | + if (index == IP_SET_INVALID_ID) { | |
1817 | + /* unbind :all: */ | |
7d2f026e | 1818 | + if (SETNAME_EQ(req_bind->binding, IPSET_TOKEN_DEFAULT)) { |
1aedc22c | 1819 | + /* Default binding of sets */ |
1820 | + write_lock_bh(&ip_set_lock); | |
1821 | + FOREACH_SET_DO(__unbind_default); | |
1822 | + write_unlock_bh(&ip_set_lock); | |
1823 | + return 0; | |
7d2f026e | 1824 | + } else if (SETNAME_EQ(req_bind->binding, IPSET_TOKEN_ALL)) { |
1aedc22c | 1825 | + /* Flush all bindings of all sets*/ |
1826 | + write_lock_bh(&ip_set_lock); | |
1827 | + FOREACH_HASH_RW_DO(__set_hash_del); | |
1828 | + write_unlock_bh(&ip_set_lock); | |
1829 | + return 0; | |
1830 | + } | |
1831 | + DP("unreachable reached!"); | |
1832 | + return -EINVAL; | |
1833 | + } | |
1834 | + | |
1835 | + set = ip_set_list[index]; | |
1836 | + IP_SET_ASSERT(set); | |
7d2f026e | 1837 | + if (SETNAME_EQ(req_bind->binding, IPSET_TOKEN_DEFAULT)) { |
1aedc22c | 1838 | + /* Default binding of set */ |
1839 | + ip_set_id_t binding = ip_set_find_byindex(set->binding); | |
1840 | + | |
1841 | + if (binding == IP_SET_INVALID_ID) | |
1842 | + return -ENOENT; | |
1843 | + | |
1844 | + write_lock_bh(&ip_set_lock); | |
1845 | + /* Sets in hash values are referenced */ | |
1846 | + __ip_set_put(set->binding); | |
1847 | + set->binding = IP_SET_INVALID_ID; | |
1848 | + write_unlock_bh(&ip_set_lock); | |
1849 | + | |
1850 | + return 0; | |
7d2f026e | 1851 | + } else if (SETNAME_EQ(req_bind->binding, IPSET_TOKEN_ALL)) { |
1aedc22c | 1852 | + /* Flush all bindings */ |
1853 | + | |
1854 | + write_lock_bh(&ip_set_lock); | |
1855 | + FOREACH_HASH_RW_DO(__set_hash_del_byid, set->id); | |
1856 | + write_unlock_bh(&ip_set_lock); | |
1857 | + return 0; | |
1858 | + } | |
1859 | + | |
1860 | + res = __ip_set_testip(set, | |
1861 | + data + sizeof(struct ip_set_req_bind), | |
1862 | + size - sizeof(struct ip_set_req_bind), | |
1863 | + &ip); | |
1864 | + | |
1865 | + DP("set %s, ip: %u.%u.%u.%u", set->name, HIPQUAD(ip)); | |
1866 | + if (res >= 0) | |
1867 | + res = ip_set_hash_del(set->id, ip); | |
1868 | + | |
1869 | + return res; | |
1870 | +} | |
1871 | + | |
1872 | +static int | |
1873 | +ip_set_testbind(ip_set_id_t index, | |
1874 | + const void *data, | |
1875 | + size_t size) | |
1876 | +{ | |
1877 | + struct ip_set *set = ip_set_list[index]; | |
7d2f026e | 1878 | + const struct ip_set_req_bind *req_bind; |
1aedc22c | 1879 | + ip_set_id_t binding; |
1880 | + ip_set_ip_t ip; | |
1881 | + int res; | |
1882 | + | |
1883 | + IP_SET_ASSERT(set); | |
1884 | + if (size < sizeof(struct ip_set_req_bind)) | |
1885 | + return -EINVAL; | |
1886 | + | |
7d2f026e | 1887 | + req_bind = data; |
1aedc22c | 1888 | + |
7d2f026e | 1889 | + if (SETNAME_EQ(req_bind->binding, IPSET_TOKEN_DEFAULT)) { |
1aedc22c | 1890 | + /* Default binding of set */ |
7d2f026e | 1891 | + const char *binding_name; |
1aedc22c | 1892 | + |
1893 | + if (size != sizeof(struct ip_set_req_bind) + IP_SET_MAXNAMELEN) | |
1894 | + return -EINVAL; | |
1895 | + | |
7d2f026e | 1896 | + binding_name = data + sizeof(struct ip_set_req_bind); |
1aedc22c | 1897 | + |
1898 | + binding = ip_set_find_byname(binding_name); | |
1899 | + if (binding == IP_SET_INVALID_ID) | |
1900 | + return -ENOENT; | |
1901 | + | |
1902 | + res = (set->binding == binding) ? -EEXIST : 0; | |
1903 | + | |
1904 | + return res; | |
1905 | + } | |
1906 | + binding = ip_set_find_byname(req_bind->binding); | |
1907 | + if (binding == IP_SET_INVALID_ID) | |
1908 | + return -ENOENT; | |
1909 | + | |
1910 | + | |
1911 | + res = __ip_set_testip(set, | |
1912 | + data + sizeof(struct ip_set_req_bind), | |
1913 | + size - sizeof(struct ip_set_req_bind), | |
1914 | + &ip); | |
1915 | + DP("set %s, ip: %u.%u.%u.%u, binding %s", | |
1916 | + set->name, HIPQUAD(ip), ip_set_list[binding]->name); | |
7d2f026e | 1917 | + |
1aedc22c | 1918 | + if (res >= 0) |
1919 | + res = (ip_set_find_in_hash(set->id, ip) == binding) | |
1920 | + ? -EEXIST : 0; | |
1921 | + | |
1922 | + return res; | |
1923 | +} | |
1924 | + | |
1925 | +static struct ip_set_type * | |
1926 | +find_set_type_rlock(const char *typename) | |
1927 | +{ | |
1928 | + struct ip_set_type *type; | |
1929 | + | |
1930 | + read_lock_bh(&ip_set_lock); | |
1931 | + type = find_set_type(typename); | |
1932 | + if (type == NULL) | |
1933 | + read_unlock_bh(&ip_set_lock); | |
1934 | + | |
1935 | + return type; | |
1936 | +} | |
1937 | + | |
1938 | +static int | |
1939 | +find_free_id(const char *name, | |
1940 | + ip_set_id_t *index, | |
1941 | + ip_set_id_t *id) | |
1942 | +{ | |
1943 | + ip_set_id_t i; | |
1944 | + | |
1945 | + *id = IP_SET_INVALID_ID; | |
1946 | + for (i = 0; i < ip_set_max; i++) { | |
1947 | + if (ip_set_list[i] == NULL) { | |
1948 | + if (*id == IP_SET_INVALID_ID) | |
1949 | + *id = *index = i; | |
7d2f026e | 1950 | + } else if (SETNAME_EQ(name, ip_set_list[i]->name)) |
1aedc22c | 1951 | + /* Name clash */ |
1952 | + return -EEXIST; | |
1953 | + } | |
1954 | + if (*id == IP_SET_INVALID_ID) | |
1955 | + /* No free slot remained */ | |
1956 | + return -ERANGE; | |
1957 | + /* Check that index is usable as id (swapping) */ | |
1958 | + check: | |
1959 | + for (i = 0; i < ip_set_max; i++) { | |
1960 | + if (ip_set_list[i] != NULL | |
1961 | + && ip_set_list[i]->id == *id) { | |
1962 | + *id = i; | |
1963 | + goto check; | |
1964 | + } | |
1965 | + } | |
1966 | + return 0; | |
1967 | +} | |
1968 | + | |
1969 | +/* | |
1970 | + * Create a set | |
1971 | + */ | |
1972 | +static int | |
1973 | +ip_set_create(const char *name, | |
1974 | + const char *typename, | |
1975 | + ip_set_id_t restore, | |
1976 | + const void *data, | |
1977 | + size_t size) | |
1978 | +{ | |
1979 | + struct ip_set *set; | |
1980 | + ip_set_id_t index = 0, id; | |
1981 | + int res = 0; | |
1982 | + | |
1983 | + DP("setname: %s, typename: %s, id: %u", name, typename, restore); | |
1984 | + /* | |
1985 | + * First, and without any locks, allocate and initialize | |
1986 | + * a normal base set structure. | |
1987 | + */ | |
1988 | + set = kmalloc(sizeof(struct ip_set), GFP_KERNEL); | |
1989 | + if (!set) | |
1990 | + return -ENOMEM; | |
1991 | + set->lock = RW_LOCK_UNLOCKED; | |
1992 | + strncpy(set->name, name, IP_SET_MAXNAMELEN); | |
1993 | + set->binding = IP_SET_INVALID_ID; | |
1994 | + atomic_set(&set->ref, 0); | |
1995 | + | |
1996 | + /* | |
1997 | + * Next, take the &ip_set_lock, check that we know the type, | |
1998 | + * and take a reference on the type, to make sure it | |
1999 | + * stays available while constructing our new set. | |
2000 | + * | |
2001 | + * After referencing the type, we drop the &ip_set_lock, | |
2002 | + * and let the new set construction run without locks. | |
2003 | + */ | |
2004 | + set->type = find_set_type_rlock(typename); | |
2005 | + if (set->type == NULL) { | |
2006 | + /* Try loading the module */ | |
2007 | + char modulename[IP_SET_MAXNAMELEN + strlen("ip_set_") + 1]; | |
2008 | + strcpy(modulename, "ip_set_"); | |
2009 | + strcat(modulename, typename); | |
2010 | + DP("try to load %s", modulename); | |
2011 | + request_module(modulename); | |
2012 | + set->type = find_set_type_rlock(typename); | |
2013 | + } | |
2014 | + if (set->type == NULL) { | |
2015 | + ip_set_printk("no set type '%s', set '%s' not created", | |
2016 | + typename, name); | |
2017 | + res = -ENOENT; | |
2018 | + goto out; | |
2019 | + } | |
2020 | + if (!try_module_get(set->type->me)) { | |
2021 | + read_unlock_bh(&ip_set_lock); | |
2022 | + res = -EFAULT; | |
2023 | + goto out; | |
2024 | + } | |
2025 | + read_unlock_bh(&ip_set_lock); | |
2026 | + | |
2027 | + /* | |
2028 | + * Without holding any locks, create private part. | |
2029 | + */ | |
2030 | + res = set->type->create(set, data, size); | |
2031 | + if (res != 0) | |
2032 | + goto put_out; | |
2033 | + | |
2034 | + /* BTW, res==0 here. */ | |
2035 | + | |
2036 | + /* | |
2037 | + * Here, we have a valid, constructed set. &ip_set_lock again, | |
7d2f026e | 2038 | + * find free id/index and check that it is not already in |
1aedc22c | 2039 | + * ip_set_list. |
2040 | + */ | |
2041 | + write_lock_bh(&ip_set_lock); | |
2042 | + if ((res = find_free_id(set->name, &index, &id)) != 0) { | |
2043 | + DP("no free id!"); | |
2044 | + goto cleanup; | |
2045 | + } | |
2046 | + | |
2047 | + /* Make sure restore gets the same index */ | |
2048 | + if (restore != IP_SET_INVALID_ID && index != restore) { | |
2049 | + DP("Can't restore, sets are screwed up"); | |
2050 | + res = -ERANGE; | |
2051 | + goto cleanup; | |
2052 | + } | |
7d2f026e | 2053 | + |
1aedc22c | 2054 | + /* |
2055 | + * Finally! Add our shiny new set to the list, and be done. | |
2056 | + */ | |
2057 | + DP("create: '%s' created with index %u, id %u!", set->name, index, id); | |
2058 | + set->id = id; | |
2059 | + ip_set_list[index] = set; | |
2060 | + write_unlock_bh(&ip_set_lock); | |
2061 | + return res; | |
2062 | + | |
2063 | + cleanup: | |
2064 | + write_unlock_bh(&ip_set_lock); | |
2065 | + set->type->destroy(set); | |
2066 | + put_out: | |
2067 | + module_put(set->type->me); | |
2068 | + out: | |
2069 | + kfree(set); | |
2070 | + return res; | |
2071 | +} | |
2072 | + | |
2073 | +/* | |
2074 | + * Destroy a given existing set | |
2075 | + */ | |
2076 | +static void | |
2077 | +ip_set_destroy_set(ip_set_id_t index) | |
2078 | +{ | |
2079 | + struct ip_set *set = ip_set_list[index]; | |
2080 | + | |
2081 | + IP_SET_ASSERT(set); | |
2082 | + DP("set: %s", set->name); | |
2083 | + write_lock_bh(&ip_set_lock); | |
2084 | + FOREACH_HASH_RW_DO(__set_hash_del_byid, set->id); | |
2085 | + if (set->binding != IP_SET_INVALID_ID) | |
2086 | + __ip_set_put(set->binding); | |
2087 | + ip_set_list[index] = NULL; | |
2088 | + write_unlock_bh(&ip_set_lock); | |
2089 | + | |
2090 | + /* Must call it without holding any lock */ | |
2091 | + set->type->destroy(set); | |
2092 | + module_put(set->type->me); | |
2093 | + kfree(set); | |
2094 | +} | |
2095 | + | |
2096 | +/* | |
2097 | + * Destroy a set - or all sets | |
2098 | + * Sets must not be referenced/used. | |
2099 | + */ | |
2100 | +static int | |
2101 | +ip_set_destroy(ip_set_id_t index) | |
2102 | +{ | |
2103 | + ip_set_id_t i; | |
2104 | + | |
2105 | + /* ref modification always protected by the mutex */ | |
2106 | + if (index != IP_SET_INVALID_ID) { | |
2107 | + if (atomic_read(&ip_set_list[index]->ref)) | |
2108 | + return -EBUSY; | |
2109 | + ip_set_destroy_set(index); | |
2110 | + } else { | |
2111 | + for (i = 0; i < ip_set_max; i++) { | |
7d2f026e | 2112 | + if (ip_set_list[i] != NULL |
1aedc22c | 2113 | + && (atomic_read(&ip_set_list[i]->ref))) |
2114 | + return -EBUSY; | |
2115 | + } | |
2116 | + | |
2117 | + for (i = 0; i < ip_set_max; i++) { | |
2118 | + if (ip_set_list[i] != NULL) | |
2119 | + ip_set_destroy_set(i); | |
2120 | + } | |
2121 | + } | |
2122 | + return 0; | |
2123 | +} | |
2124 | + | |
2125 | +static void | |
2126 | +ip_set_flush_set(struct ip_set *set) | |
2127 | +{ | |
2128 | + DP("set: %s %u", set->name, set->id); | |
2129 | + | |
2130 | + write_lock_bh(&set->lock); | |
2131 | + set->type->flush(set); | |
2132 | + write_unlock_bh(&set->lock); | |
2133 | +} | |
2134 | + | |
7d2f026e | 2135 | +/* |
1aedc22c | 2136 | + * Flush data in a set - or in all sets |
2137 | + */ | |
2138 | +static int | |
2139 | +ip_set_flush(ip_set_id_t index) | |
2140 | +{ | |
2141 | + if (index != IP_SET_INVALID_ID) { | |
2142 | + IP_SET_ASSERT(ip_set_list[index]); | |
2143 | + ip_set_flush_set(ip_set_list[index]); | |
2144 | + } else | |
2145 | + FOREACH_SET_DO(ip_set_flush_set); | |
2146 | + | |
2147 | + return 0; | |
2148 | +} | |
2149 | + | |
2150 | +/* Rename a set */ | |
2151 | +static int | |
2152 | +ip_set_rename(ip_set_id_t index, const char *name) | |
2153 | +{ | |
2154 | + struct ip_set *set = ip_set_list[index]; | |
2155 | + ip_set_id_t i; | |
2156 | + int res = 0; | |
2157 | + | |
2158 | + DP("set: %s to %s", set->name, name); | |
2159 | + write_lock_bh(&ip_set_lock); | |
2160 | + for (i = 0; i < ip_set_max; i++) { | |
2161 | + if (ip_set_list[i] != NULL | |
7d2f026e | 2162 | + && SETNAME_EQ(ip_set_list[i]->name, name)) { |
1aedc22c | 2163 | + res = -EEXIST; |
2164 | + goto unlock; | |
2165 | + } | |
2166 | + } | |
2167 | + strncpy(set->name, name, IP_SET_MAXNAMELEN); | |
2168 | + unlock: | |
2169 | + write_unlock_bh(&ip_set_lock); | |
2170 | + return res; | |
2171 | +} | |
2172 | + | |
2173 | +/* | |
2174 | + * Swap two sets so that name/index points to the other. | |
2175 | + * References are also swapped. | |
2176 | + */ | |
2177 | +static int | |
2178 | +ip_set_swap(ip_set_id_t from_index, ip_set_id_t to_index) | |
2179 | +{ | |
2180 | + struct ip_set *from = ip_set_list[from_index]; | |
2181 | + struct ip_set *to = ip_set_list[to_index]; | |
2182 | + char from_name[IP_SET_MAXNAMELEN]; | |
2183 | + u_int32_t from_ref; | |
2184 | + | |
2185 | + DP("set: %s to %s", from->name, to->name); | |
2186 | + /* Features must not change. Artifical restriction. */ | |
2187 | + if (from->type->features != to->type->features) | |
2188 | + return -ENOEXEC; | |
2189 | + | |
2190 | + /* No magic here: ref munging protected by the mutex */ | |
2191 | + write_lock_bh(&ip_set_lock); | |
2192 | + strncpy(from_name, from->name, IP_SET_MAXNAMELEN); | |
2193 | + from_ref = atomic_read(&from->ref); | |
2194 | + | |
2195 | + strncpy(from->name, to->name, IP_SET_MAXNAMELEN); | |
2196 | + atomic_set(&from->ref, atomic_read(&to->ref)); | |
2197 | + strncpy(to->name, from_name, IP_SET_MAXNAMELEN); | |
2198 | + atomic_set(&to->ref, from_ref); | |
2199 | + | |
2200 | + ip_set_list[from_index] = to; | |
2201 | + ip_set_list[to_index] = from; | |
2202 | + | |
2203 | + write_unlock_bh(&ip_set_lock); | |
2204 | + return 0; | |
2205 | +} | |
2206 | + | |
2207 | +/* | |
2208 | + * List set data | |
2209 | + */ | |
2210 | + | |
2211 | +static inline void | |
2212 | +__set_hash_bindings_size_list(struct ip_set_hash *set_hash, | |
2213 | + ip_set_id_t id, size_t *size) | |
2214 | +{ | |
2215 | + if (set_hash->id == id) | |
2216 | + *size += sizeof(struct ip_set_hash_list); | |
2217 | +} | |
2218 | + | |
2219 | +static inline void | |
2220 | +__set_hash_bindings_size_save(struct ip_set_hash *set_hash, | |
2221 | + ip_set_id_t id, size_t *size) | |
2222 | +{ | |
2223 | + if (set_hash->id == id) | |
2224 | + *size += sizeof(struct ip_set_hash_save); | |
2225 | +} | |
2226 | + | |
2227 | +static inline void | |
2228 | +__set_hash_bindings(struct ip_set_hash *set_hash, | |
2229 | + ip_set_id_t id, void *data, int *used) | |
2230 | +{ | |
2231 | + if (set_hash->id == id) { | |
7d2f026e | 2232 | + struct ip_set_hash_list *hash_list = data + *used; |
1aedc22c | 2233 | + |
2234 | + hash_list->ip = set_hash->ip; | |
2235 | + hash_list->binding = set_hash->binding; | |
2236 | + *used += sizeof(struct ip_set_hash_list); | |
2237 | + } | |
2238 | +} | |
2239 | + | |
2240 | +static int ip_set_list_set(ip_set_id_t index, | |
2241 | + void *data, | |
2242 | + int *used, | |
2243 | + int len) | |
2244 | +{ | |
2245 | + struct ip_set *set = ip_set_list[index]; | |
2246 | + struct ip_set_list *set_list; | |
2247 | + | |
2248 | + /* Pointer to our header */ | |
7d2f026e | 2249 | + set_list = data + *used; |
1aedc22c | 2250 | + |
2251 | + DP("set: %s, used: %d %p %p", set->name, *used, data, data + *used); | |
2252 | + | |
2253 | + /* Get and ensure header size */ | |
2254 | + if (*used + sizeof(struct ip_set_list) > len) | |
2255 | + goto not_enough_mem; | |
2256 | + *used += sizeof(struct ip_set_list); | |
2257 | + | |
2258 | + read_lock_bh(&set->lock); | |
2259 | + /* Get and ensure set specific header size */ | |
2260 | + set_list->header_size = set->type->header_size; | |
2261 | + if (*used + set_list->header_size > len) | |
2262 | + goto unlock_set; | |
2263 | + | |
2264 | + /* Fill in the header */ | |
2265 | + set_list->index = index; | |
2266 | + set_list->binding = set->binding; | |
2267 | + set_list->ref = atomic_read(&set->ref); | |
2268 | + | |
2269 | + /* Fill in set spefific header data */ | |
2270 | + set->type->list_header(set, data + *used); | |
2271 | + *used += set_list->header_size; | |
2272 | + | |
2273 | + /* Get and ensure set specific members size */ | |
2274 | + set_list->members_size = set->type->list_members_size(set); | |
2275 | + if (*used + set_list->members_size > len) | |
2276 | + goto unlock_set; | |
2277 | + | |
2278 | + /* Fill in set spefific members data */ | |
2279 | + set->type->list_members(set, data + *used); | |
2280 | + *used += set_list->members_size; | |
2281 | + read_unlock_bh(&set->lock); | |
2282 | + | |
2283 | + /* Bindings */ | |
2284 | + | |
2285 | + /* Get and ensure set specific bindings size */ | |
2286 | + set_list->bindings_size = 0; | |
2287 | + FOREACH_HASH_DO(__set_hash_bindings_size_list, | |
2288 | + set->id, &set_list->bindings_size); | |
2289 | + if (*used + set_list->bindings_size > len) | |
2290 | + goto not_enough_mem; | |
2291 | + | |
2292 | + /* Fill in set spefific bindings data */ | |
2293 | + FOREACH_HASH_DO(__set_hash_bindings, set->id, data, used); | |
2294 | + | |
2295 | + return 0; | |
2296 | + | |
2297 | + unlock_set: | |
2298 | + read_unlock_bh(&set->lock); | |
2299 | + not_enough_mem: | |
2300 | + DP("not enough mem, try again"); | |
2301 | + return -EAGAIN; | |
2302 | +} | |
2303 | + | |
2304 | +/* | |
2305 | + * Save sets | |
2306 | + */ | |
2307 | +static int ip_set_save_set(ip_set_id_t index, | |
2308 | + void *data, | |
2309 | + int *used, | |
2310 | + int len) | |
2311 | +{ | |
2312 | + struct ip_set *set; | |
2313 | + struct ip_set_save *set_save; | |
2314 | + | |
2315 | + /* Pointer to our header */ | |
7d2f026e | 2316 | + set_save = data + *used; |
1aedc22c | 2317 | + |
2318 | + /* Get and ensure header size */ | |
2319 | + if (*used + sizeof(struct ip_set_save) > len) | |
2320 | + goto not_enough_mem; | |
2321 | + *used += sizeof(struct ip_set_save); | |
2322 | + | |
2323 | + set = ip_set_list[index]; | |
7d2f026e | 2324 | + DP("set: %s, used: %u(%u) %p %p", set->name, *used, len, |
1aedc22c | 2325 | + data, data + *used); |
2326 | + | |
2327 | + read_lock_bh(&set->lock); | |
2328 | + /* Get and ensure set specific header size */ | |
2329 | + set_save->header_size = set->type->header_size; | |
2330 | + if (*used + set_save->header_size > len) | |
2331 | + goto unlock_set; | |
2332 | + | |
2333 | + /* Fill in the header */ | |
2334 | + set_save->index = index; | |
2335 | + set_save->binding = set->binding; | |
2336 | + | |
2337 | + /* Fill in set spefific header data */ | |
2338 | + set->type->list_header(set, data + *used); | |
2339 | + *used += set_save->header_size; | |
2340 | + | |
2341 | + DP("set header filled: %s, used: %u(%u) %p %p", set->name, *used, | |
2342 | + set_save->header_size, data, data + *used); | |
2343 | + /* Get and ensure set specific members size */ | |
2344 | + set_save->members_size = set->type->list_members_size(set); | |
2345 | + if (*used + set_save->members_size > len) | |
2346 | + goto unlock_set; | |
2347 | + | |
2348 | + /* Fill in set spefific members data */ | |
2349 | + set->type->list_members(set, data + *used); | |
2350 | + *used += set_save->members_size; | |
2351 | + read_unlock_bh(&set->lock); | |
2352 | + DP("set members filled: %s, used: %u(%u) %p %p", set->name, *used, | |
2353 | + set_save->members_size, data, data + *used); | |
2354 | + return 0; | |
2355 | + | |
2356 | + unlock_set: | |
2357 | + read_unlock_bh(&set->lock); | |
2358 | + not_enough_mem: | |
2359 | + DP("not enough mem, try again"); | |
2360 | + return -EAGAIN; | |
2361 | +} | |
2362 | + | |
2363 | +static inline void | |
2364 | +__set_hash_save_bindings(struct ip_set_hash *set_hash, | |
2365 | + ip_set_id_t id, | |
2366 | + void *data, | |
2367 | + int *used, | |
2368 | + int len, | |
2369 | + int *res) | |
2370 | +{ | |
2371 | + if (*res == 0 | |
2372 | + && (id == IP_SET_INVALID_ID || set_hash->id == id)) { | |
7d2f026e | 2373 | + struct ip_set_hash_save *hash_save = data + *used; |
1aedc22c | 2374 | + /* Ensure bindings size */ |
2375 | + if (*used + sizeof(struct ip_set_hash_save) > len) { | |
2376 | + *res = -ENOMEM; | |
2377 | + return; | |
2378 | + } | |
2379 | + hash_save->id = set_hash->id; | |
2380 | + hash_save->ip = set_hash->ip; | |
2381 | + hash_save->binding = set_hash->binding; | |
2382 | + *used += sizeof(struct ip_set_hash_save); | |
2383 | + } | |
2384 | +} | |
2385 | + | |
2386 | +static int ip_set_save_bindings(ip_set_id_t index, | |
2387 | + void *data, | |
2388 | + int *used, | |
2389 | + int len) | |
2390 | +{ | |
2391 | + int res = 0; | |
2392 | + struct ip_set_save *set_save; | |
2393 | + | |
2394 | + DP("used %u, len %u", *used, len); | |
2395 | + /* Get and ensure header size */ | |
2396 | + if (*used + sizeof(struct ip_set_save) > len) | |
2397 | + return -ENOMEM; | |
2398 | + | |
2399 | + /* Marker */ | |
7d2f026e | 2400 | + set_save = data + *used; |
1aedc22c | 2401 | + set_save->index = IP_SET_INVALID_ID; |
2402 | + set_save->header_size = 0; | |
2403 | + set_save->members_size = 0; | |
2404 | + *used += sizeof(struct ip_set_save); | |
2405 | + | |
2406 | + DP("marker added used %u, len %u", *used, len); | |
2407 | + /* Fill in bindings data */ | |
2408 | + if (index != IP_SET_INVALID_ID) | |
2409 | + /* Sets are identified by id in hash */ | |
2410 | + index = ip_set_list[index]->id; | |
2411 | + FOREACH_HASH_DO(__set_hash_save_bindings, index, data, used, len, &res); | |
2412 | + | |
2413 | + return res; | |
2414 | +} | |
2415 | + | |
2416 | +/* | |
2417 | + * Restore sets | |
2418 | + */ | |
2419 | +static int ip_set_restore(void *data, | |
2420 | + int len) | |
2421 | +{ | |
2422 | + int res = 0; | |
2423 | + int line = 0, used = 0, members_size; | |
2424 | + struct ip_set *set; | |
2425 | + struct ip_set_hash_save *hash_save; | |
2426 | + struct ip_set_restore *set_restore; | |
2427 | + ip_set_id_t index; | |
2428 | + | |
2429 | + /* Loop to restore sets */ | |
2430 | + while (1) { | |
2431 | + line++; | |
2432 | + | |
2433 | + DP("%u %u %u", used, sizeof(struct ip_set_restore), len); | |
2434 | + /* Get and ensure header size */ | |
2435 | + if (used + sizeof(struct ip_set_restore) > len) | |
2436 | + return line; | |
7d2f026e | 2437 | + set_restore = data + used; |
1aedc22c | 2438 | + used += sizeof(struct ip_set_restore); |
2439 | + | |
2440 | + /* Ensure data size */ | |
7d2f026e | 2441 | + if (used |
2442 | + + set_restore->header_size | |
1aedc22c | 2443 | + + set_restore->members_size > len) |
2444 | + return line; | |
2445 | + | |
2446 | + /* Check marker */ | |
2447 | + if (set_restore->index == IP_SET_INVALID_ID) { | |
2448 | + line--; | |
2449 | + goto bindings; | |
2450 | + } | |
2451 | + | |
2452 | + /* Try to create the set */ | |
2453 | + DP("restore %s %s", set_restore->name, set_restore->typename); | |
2454 | + res = ip_set_create(set_restore->name, | |
2455 | + set_restore->typename, | |
2456 | + set_restore->index, | |
2457 | + data + used, | |
2458 | + set_restore->header_size); | |
2459 | + | |
2460 | + if (res != 0) | |
2461 | + return line; | |
2462 | + used += set_restore->header_size; | |
2463 | + | |
2464 | + index = ip_set_find_byindex(set_restore->index); | |
2465 | + DP("index %u, restore_index %u", index, set_restore->index); | |
2466 | + if (index != set_restore->index) | |
2467 | + return line; | |
2468 | + /* Try to restore members data */ | |
2469 | + set = ip_set_list[index]; | |
2470 | + members_size = 0; | |
2471 | + DP("members_size %u reqsize %u", | |
2472 | + set_restore->members_size, set->type->reqsize); | |
2473 | + while (members_size + set->type->reqsize <= | |
2474 | + set_restore->members_size) { | |
2475 | + line++; | |
2476 | + DP("members: %u, line %u", members_size, line); | |
2477 | + res = __ip_set_addip(index, | |
2478 | + data + used + members_size, | |
2479 | + set->type->reqsize); | |
7d2f026e | 2480 | + if (!(res == 0 || res == -EEXIST)) |
1aedc22c | 2481 | + return line; |
2482 | + members_size += set->type->reqsize; | |
2483 | + } | |
2484 | + | |
2485 | + DP("members_size %u %u", | |
2486 | + set_restore->members_size, members_size); | |
2487 | + if (members_size != set_restore->members_size) | |
2488 | + return line++; | |
2489 | + used += set_restore->members_size; | |
2490 | + } | |
2491 | + | |
2492 | + bindings: | |
2493 | + /* Loop to restore bindings */ | |
2494 | + while (used < len) { | |
2495 | + line++; | |
2496 | + | |
2497 | + DP("restore binding, line %u", line); | |
2498 | + /* Get and ensure size */ | |
2499 | + if (used + sizeof(struct ip_set_hash_save) > len) | |
2500 | + return line; | |
7d2f026e | 2501 | + hash_save = data + used; |
1aedc22c | 2502 | + used += sizeof(struct ip_set_hash_save); |
2503 | + | |
2504 | + /* hash_save->id is used to store the index */ | |
2505 | + index = ip_set_find_byindex(hash_save->id); | |
2506 | + DP("restore binding index %u, id %u, %u -> %u", | |
2507 | + index, hash_save->id, hash_save->ip, hash_save->binding); | |
2508 | + if (index != hash_save->id) | |
2509 | + return line; | |
9f54053a JR |
2510 | + if (ip_set_find_byindex(hash_save->binding) == IP_SET_INVALID_ID) { |
2511 | + DP("corrupt binding set index %u", hash_save->binding); | |
2512 | + return line; | |
2513 | + } | |
1aedc22c | 2514 | + set = ip_set_list[hash_save->id]; |
2515 | + /* Null valued IP means default binding */ | |
2516 | + if (hash_save->ip) | |
7d2f026e | 2517 | + res = ip_set_hash_add(set->id, |
1aedc22c | 2518 | + hash_save->ip, |
2519 | + hash_save->binding); | |
2520 | + else { | |
2521 | + IP_SET_ASSERT(set->binding == IP_SET_INVALID_ID); | |
2522 | + write_lock_bh(&ip_set_lock); | |
2523 | + set->binding = hash_save->binding; | |
2524 | + __ip_set_get(set->binding); | |
2525 | + write_unlock_bh(&ip_set_lock); | |
2526 | + DP("default binding: %u", set->binding); | |
2527 | + } | |
2528 | + if (res != 0) | |
2529 | + return line; | |
2530 | + } | |
2531 | + if (used != len) | |
2532 | + return line; | |
2533 | + | |
2534 | + return 0; | |
2535 | +} | |
2536 | + | |
2537 | +static int | |
2538 | +ip_set_sockfn_set(struct sock *sk, int optval, void *user, unsigned int len) | |
2539 | +{ | |
2540 | + void *data; | |
2541 | + int res = 0; /* Assume OK */ | |
2542 | + unsigned *op; | |
2543 | + struct ip_set_req_adt *req_adt; | |
2544 | + ip_set_id_t index = IP_SET_INVALID_ID; | |
2545 | + int (*adtfn)(ip_set_id_t index, | |
2546 | + const void *data, size_t size); | |
2547 | + struct fn_table { | |
2548 | + int (*fn)(ip_set_id_t index, | |
2549 | + const void *data, size_t size); | |
2550 | + } adtfn_table[] = | |
2551 | + { { ip_set_addip }, { ip_set_delip }, { ip_set_testip}, | |
2552 | + { ip_set_bindip}, { ip_set_unbindip }, { ip_set_testbind }, | |
2553 | + }; | |
2554 | + | |
2555 | + DP("optval=%d, user=%p, len=%d", optval, user, len); | |
2556 | + if (!capable(CAP_NET_ADMIN)) | |
2557 | + return -EPERM; | |
2558 | + if (optval != SO_IP_SET) | |
2559 | + return -EBADF; | |
2560 | + if (len <= sizeof(unsigned)) { | |
2561 | + ip_set_printk("short userdata (want >%zu, got %u)", | |
2562 | + sizeof(unsigned), len); | |
2563 | + return -EINVAL; | |
2564 | + } | |
2565 | + data = vmalloc(len); | |
2566 | + if (!data) { | |
2567 | + DP("out of mem for %u bytes", len); | |
2568 | + return -ENOMEM; | |
2569 | + } | |
2570 | + if (copy_from_user(data, user, len) != 0) { | |
2571 | + res = -EFAULT; | |
2572 | + goto done; | |
2573 | + } | |
2574 | + if (down_interruptible(&ip_set_app_mutex)) { | |
2575 | + res = -EINTR; | |
2576 | + goto done; | |
2577 | + } | |
2578 | + | |
2579 | + op = (unsigned *)data; | |
2580 | + DP("op=%x", *op); | |
2581 | + | |
2582 | + if (*op < IP_SET_OP_VERSION) { | |
2583 | + /* Check the version at the beginning of operations */ | |
7d2f026e | 2584 | + struct ip_set_req_version *req_version = data; |
1aedc22c | 2585 | + if (req_version->version != IP_SET_PROTOCOL_VERSION) { |
2586 | + res = -EPROTO; | |
2587 | + goto done; | |
2588 | + } | |
2589 | + } | |
2590 | + | |
2591 | + switch (*op) { | |
2592 | + case IP_SET_OP_CREATE:{ | |
7d2f026e | 2593 | + struct ip_set_req_create *req_create = data; |
1aedc22c | 2594 | + |
2595 | + if (len < sizeof(struct ip_set_req_create)) { | |
2596 | + ip_set_printk("short CREATE data (want >=%zu, got %u)", | |
2597 | + sizeof(struct ip_set_req_create), len); | |
2598 | + res = -EINVAL; | |
2599 | + goto done; | |
2600 | + } | |
2601 | + req_create->name[IP_SET_MAXNAMELEN - 1] = '\0'; | |
2602 | + req_create->typename[IP_SET_MAXNAMELEN - 1] = '\0'; | |
2603 | + res = ip_set_create(req_create->name, | |
2604 | + req_create->typename, | |
2605 | + IP_SET_INVALID_ID, | |
2606 | + data + sizeof(struct ip_set_req_create), | |
2607 | + len - sizeof(struct ip_set_req_create)); | |
2608 | + goto done; | |
2609 | + } | |
2610 | + case IP_SET_OP_DESTROY:{ | |
7d2f026e | 2611 | + struct ip_set_req_std *req_destroy = data; |
1aedc22c | 2612 | + |
2613 | + if (len != sizeof(struct ip_set_req_std)) { | |
2614 | + ip_set_printk("invalid DESTROY data (want %zu, got %u)", | |
2615 | + sizeof(struct ip_set_req_std), len); | |
2616 | + res = -EINVAL; | |
2617 | + goto done; | |
2618 | + } | |
7d2f026e | 2619 | + if (SETNAME_EQ(req_destroy->name, IPSET_TOKEN_ALL)) { |
1aedc22c | 2620 | + /* Destroy all sets */ |
2621 | + index = IP_SET_INVALID_ID; | |
2622 | + } else { | |
2623 | + req_destroy->name[IP_SET_MAXNAMELEN - 1] = '\0'; | |
2624 | + index = ip_set_find_byname(req_destroy->name); | |
2625 | + | |
2626 | + if (index == IP_SET_INVALID_ID) { | |
2627 | + res = -ENOENT; | |
2628 | + goto done; | |
2629 | + } | |
2630 | + } | |
2631 | + | |
2632 | + res = ip_set_destroy(index); | |
2633 | + goto done; | |
2634 | + } | |
2635 | + case IP_SET_OP_FLUSH:{ | |
7d2f026e | 2636 | + struct ip_set_req_std *req_flush = data; |
1aedc22c | 2637 | + |
2638 | + if (len != sizeof(struct ip_set_req_std)) { | |
2639 | + ip_set_printk("invalid FLUSH data (want %zu, got %u)", | |
2640 | + sizeof(struct ip_set_req_std), len); | |
2641 | + res = -EINVAL; | |
2642 | + goto done; | |
2643 | + } | |
7d2f026e | 2644 | + if (SETNAME_EQ(req_flush->name, IPSET_TOKEN_ALL)) { |
1aedc22c | 2645 | + /* Flush all sets */ |
2646 | + index = IP_SET_INVALID_ID; | |
2647 | + } else { | |
2648 | + req_flush->name[IP_SET_MAXNAMELEN - 1] = '\0'; | |
2649 | + index = ip_set_find_byname(req_flush->name); | |
2650 | + | |
2651 | + if (index == IP_SET_INVALID_ID) { | |
2652 | + res = -ENOENT; | |
2653 | + goto done; | |
2654 | + } | |
2655 | + } | |
2656 | + res = ip_set_flush(index); | |
2657 | + goto done; | |
2658 | + } | |
2659 | + case IP_SET_OP_RENAME:{ | |
7d2f026e | 2660 | + struct ip_set_req_create *req_rename = data; |
1aedc22c | 2661 | + |
2662 | + if (len != sizeof(struct ip_set_req_create)) { | |
2663 | + ip_set_printk("invalid RENAME data (want %zu, got %u)", | |
2664 | + sizeof(struct ip_set_req_create), len); | |
2665 | + res = -EINVAL; | |
2666 | + goto done; | |
2667 | + } | |
2668 | + | |
2669 | + req_rename->name[IP_SET_MAXNAMELEN - 1] = '\0'; | |
2670 | + req_rename->typename[IP_SET_MAXNAMELEN - 1] = '\0'; | |
2671 | + | |
2672 | + index = ip_set_find_byname(req_rename->name); | |
2673 | + if (index == IP_SET_INVALID_ID) { | |
2674 | + res = -ENOENT; | |
2675 | + goto done; | |
2676 | + } | |
2677 | + res = ip_set_rename(index, req_rename->typename); | |
2678 | + goto done; | |
2679 | + } | |
2680 | + case IP_SET_OP_SWAP:{ | |
7d2f026e | 2681 | + struct ip_set_req_create *req_swap = data; |
1aedc22c | 2682 | + ip_set_id_t to_index; |
2683 | + | |
2684 | + if (len != sizeof(struct ip_set_req_create)) { | |
2685 | + ip_set_printk("invalid SWAP data (want %zu, got %u)", | |
2686 | + sizeof(struct ip_set_req_create), len); | |
2687 | + res = -EINVAL; | |
2688 | + goto done; | |
2689 | + } | |
2690 | + | |
2691 | + req_swap->name[IP_SET_MAXNAMELEN - 1] = '\0'; | |
2692 | + req_swap->typename[IP_SET_MAXNAMELEN - 1] = '\0'; | |
2693 | + | |
2694 | + index = ip_set_find_byname(req_swap->name); | |
2695 | + if (index == IP_SET_INVALID_ID) { | |
2696 | + res = -ENOENT; | |
2697 | + goto done; | |
2698 | + } | |
2699 | + to_index = ip_set_find_byname(req_swap->typename); | |
2700 | + if (to_index == IP_SET_INVALID_ID) { | |
2701 | + res = -ENOENT; | |
2702 | + goto done; | |
2703 | + } | |
2704 | + res = ip_set_swap(index, to_index); | |
2705 | + goto done; | |
2706 | + } | |
7d2f026e | 2707 | + default: |
1aedc22c | 2708 | + break; /* Set identified by id */ |
2709 | + } | |
2710 | + | |
2711 | + /* There we may have add/del/test/bind/unbind/test_bind operations */ | |
2712 | + if (*op < IP_SET_OP_ADD_IP || *op > IP_SET_OP_TEST_BIND_SET) { | |
2713 | + res = -EBADMSG; | |
2714 | + goto done; | |
2715 | + } | |
2716 | + adtfn = adtfn_table[*op - IP_SET_OP_ADD_IP].fn; | |
2717 | + | |
2718 | + if (len < sizeof(struct ip_set_req_adt)) { | |
2719 | + ip_set_printk("short data in adt request (want >=%zu, got %u)", | |
2720 | + sizeof(struct ip_set_req_adt), len); | |
2721 | + res = -EINVAL; | |
2722 | + goto done; | |
2723 | + } | |
7d2f026e | 2724 | + req_adt = data; |
1aedc22c | 2725 | + |
2726 | + /* -U :all: :all:|:default: uses IP_SET_INVALID_ID */ | |
7d2f026e | 2727 | + if (!(*op == IP_SET_OP_UNBIND_SET |
1aedc22c | 2728 | + && req_adt->index == IP_SET_INVALID_ID)) { |
2729 | + index = ip_set_find_byindex(req_adt->index); | |
2730 | + if (index == IP_SET_INVALID_ID) { | |
2731 | + res = -ENOENT; | |
2732 | + goto done; | |
2733 | + } | |
2734 | + } | |
2735 | + res = adtfn(index, data, len); | |
2736 | + | |
2737 | + done: | |
2738 | + up(&ip_set_app_mutex); | |
2739 | + vfree(data); | |
2740 | + if (res > 0) | |
2741 | + res = 0; | |
2742 | + DP("final result %d", res); | |
2743 | + return res; | |
2744 | +} | |
2745 | + | |
7d2f026e | 2746 | +static int |
1aedc22c | 2747 | +ip_set_sockfn_get(struct sock *sk, int optval, void *user, int *len) |
2748 | +{ | |
2749 | + int res = 0; | |
2750 | + unsigned *op; | |
2751 | + ip_set_id_t index = IP_SET_INVALID_ID; | |
2752 | + void *data; | |
2753 | + int copylen = *len; | |
2754 | + | |
2755 | + DP("optval=%d, user=%p, len=%d", optval, user, *len); | |
2756 | + if (!capable(CAP_NET_ADMIN)) | |
2757 | + return -EPERM; | |
2758 | + if (optval != SO_IP_SET) | |
2759 | + return -EBADF; | |
2760 | + if (*len < sizeof(unsigned)) { | |
2761 | + ip_set_printk("short userdata (want >=%zu, got %d)", | |
2762 | + sizeof(unsigned), *len); | |
2763 | + return -EINVAL; | |
2764 | + } | |
2765 | + data = vmalloc(*len); | |
2766 | + if (!data) { | |
2767 | + DP("out of mem for %d bytes", *len); | |
2768 | + return -ENOMEM; | |
2769 | + } | |
2770 | + if (copy_from_user(data, user, *len) != 0) { | |
2771 | + res = -EFAULT; | |
2772 | + goto done; | |
2773 | + } | |
2774 | + if (down_interruptible(&ip_set_app_mutex)) { | |
2775 | + res = -EINTR; | |
2776 | + goto done; | |
2777 | + } | |
2778 | + | |
2779 | + op = (unsigned *) data; | |
2780 | + DP("op=%x", *op); | |
2781 | + | |
2782 | + if (*op < IP_SET_OP_VERSION) { | |
2783 | + /* Check the version at the beginning of operations */ | |
7d2f026e | 2784 | + struct ip_set_req_version *req_version = data; |
1aedc22c | 2785 | + if (req_version->version != IP_SET_PROTOCOL_VERSION) { |
2786 | + res = -EPROTO; | |
2787 | + goto done; | |
2788 | + } | |
2789 | + } | |
2790 | + | |
2791 | + switch (*op) { | |
2792 | + case IP_SET_OP_VERSION: { | |
7d2f026e | 2793 | + struct ip_set_req_version *req_version = data; |
1aedc22c | 2794 | + |
2795 | + if (*len != sizeof(struct ip_set_req_version)) { | |
2796 | + ip_set_printk("invalid VERSION (want %zu, got %d)", | |
2797 | + sizeof(struct ip_set_req_version), | |
2798 | + *len); | |
2799 | + res = -EINVAL; | |
2800 | + goto done; | |
2801 | + } | |
2802 | + | |
2803 | + req_version->version = IP_SET_PROTOCOL_VERSION; | |
2804 | + res = copy_to_user(user, req_version, | |
2805 | + sizeof(struct ip_set_req_version)); | |
2806 | + goto done; | |
2807 | + } | |
2808 | + case IP_SET_OP_GET_BYNAME: { | |
7d2f026e | 2809 | + struct ip_set_req_get_set *req_get = data; |
1aedc22c | 2810 | + |
2811 | + if (*len != sizeof(struct ip_set_req_get_set)) { | |
2812 | + ip_set_printk("invalid GET_BYNAME (want %zu, got %d)", | |
2813 | + sizeof(struct ip_set_req_get_set), *len); | |
2814 | + res = -EINVAL; | |
2815 | + goto done; | |
2816 | + } | |
2817 | + req_get->set.name[IP_SET_MAXNAMELEN - 1] = '\0'; | |
2818 | + index = ip_set_find_byname(req_get->set.name); | |
2819 | + req_get->set.index = index; | |
2820 | + goto copy; | |
2821 | + } | |
2822 | + case IP_SET_OP_GET_BYINDEX: { | |
7d2f026e | 2823 | + struct ip_set_req_get_set *req_get = data; |
1aedc22c | 2824 | + |
2825 | + if (*len != sizeof(struct ip_set_req_get_set)) { | |
2826 | + ip_set_printk("invalid GET_BYINDEX (want %zu, got %d)", | |
2827 | + sizeof(struct ip_set_req_get_set), *len); | |
2828 | + res = -EINVAL; | |
2829 | + goto done; | |
2830 | + } | |
2831 | + req_get->set.name[IP_SET_MAXNAMELEN - 1] = '\0'; | |
2832 | + index = ip_set_find_byindex(req_get->set.index); | |
2833 | + strncpy(req_get->set.name, | |
2834 | + index == IP_SET_INVALID_ID ? "" | |
2835 | + : ip_set_list[index]->name, IP_SET_MAXNAMELEN); | |
2836 | + goto copy; | |
2837 | + } | |
2838 | + case IP_SET_OP_ADT_GET: { | |
7d2f026e | 2839 | + struct ip_set_req_adt_get *req_get = data; |
1aedc22c | 2840 | + |
2841 | + if (*len != sizeof(struct ip_set_req_adt_get)) { | |
2842 | + ip_set_printk("invalid ADT_GET (want %zu, got %d)", | |
2843 | + sizeof(struct ip_set_req_adt_get), *len); | |
2844 | + res = -EINVAL; | |
2845 | + goto done; | |
2846 | + } | |
2847 | + req_get->set.name[IP_SET_MAXNAMELEN - 1] = '\0'; | |
2848 | + index = ip_set_find_byname(req_get->set.name); | |
2849 | + if (index != IP_SET_INVALID_ID) { | |
2850 | + req_get->set.index = index; | |
2851 | + strncpy(req_get->typename, | |
2852 | + ip_set_list[index]->type->typename, | |
2853 | + IP_SET_MAXNAMELEN - 1); | |
2854 | + } else { | |
2855 | + res = -ENOENT; | |
2856 | + goto done; | |
2857 | + } | |
2858 | + goto copy; | |
2859 | + } | |
2860 | + case IP_SET_OP_MAX_SETS: { | |
7d2f026e | 2861 | + struct ip_set_req_max_sets *req_max_sets = data; |
1aedc22c | 2862 | + ip_set_id_t i; |
2863 | + | |
2864 | + if (*len != sizeof(struct ip_set_req_max_sets)) { | |
2865 | + ip_set_printk("invalid MAX_SETS (want %zu, got %d)", | |
2866 | + sizeof(struct ip_set_req_max_sets), *len); | |
2867 | + res = -EINVAL; | |
2868 | + goto done; | |
2869 | + } | |
2870 | + | |
7d2f026e | 2871 | + if (SETNAME_EQ(req_max_sets->set.name, IPSET_TOKEN_ALL)) { |
1aedc22c | 2872 | + req_max_sets->set.index = IP_SET_INVALID_ID; |
2873 | + } else { | |
2874 | + req_max_sets->set.name[IP_SET_MAXNAMELEN - 1] = '\0'; | |
7d2f026e | 2875 | + req_max_sets->set.index = |
1aedc22c | 2876 | + ip_set_find_byname(req_max_sets->set.name); |
2877 | + if (req_max_sets->set.index == IP_SET_INVALID_ID) { | |
2878 | + res = -ENOENT; | |
2879 | + goto done; | |
2880 | + } | |
2881 | + } | |
2882 | + req_max_sets->max_sets = ip_set_max; | |
2883 | + req_max_sets->sets = 0; | |
2884 | + for (i = 0; i < ip_set_max; i++) { | |
2885 | + if (ip_set_list[i] != NULL) | |
2886 | + req_max_sets->sets++; | |
2887 | + } | |
2888 | + goto copy; | |
2889 | + } | |
7d2f026e | 2890 | + case IP_SET_OP_LIST_SIZE: |
1aedc22c | 2891 | + case IP_SET_OP_SAVE_SIZE: { |
7d2f026e | 2892 | + struct ip_set_req_setnames *req_setnames = data; |
1aedc22c | 2893 | + struct ip_set_name_list *name_list; |
2894 | + struct ip_set *set; | |
2895 | + ip_set_id_t i; | |
2896 | + int used; | |
2897 | + | |
2898 | + if (*len < sizeof(struct ip_set_req_setnames)) { | |
2899 | + ip_set_printk("short LIST_SIZE (want >=%zu, got %d)", | |
2900 | + sizeof(struct ip_set_req_setnames), *len); | |
2901 | + res = -EINVAL; | |
2902 | + goto done; | |
2903 | + } | |
2904 | + | |
2905 | + req_setnames->size = 0; | |
2906 | + used = sizeof(struct ip_set_req_setnames); | |
2907 | + for (i = 0; i < ip_set_max; i++) { | |
2908 | + if (ip_set_list[i] == NULL) | |
2909 | + continue; | |
7d2f026e | 2910 | + name_list = data + used; |
1aedc22c | 2911 | + used += sizeof(struct ip_set_name_list); |
2912 | + if (used > copylen) { | |
2913 | + res = -EAGAIN; | |
2914 | + goto done; | |
2915 | + } | |
2916 | + set = ip_set_list[i]; | |
2917 | + /* Fill in index, name, etc. */ | |
2918 | + name_list->index = i; | |
2919 | + name_list->id = set->id; | |
2920 | + strncpy(name_list->name, | |
2921 | + set->name, | |
2922 | + IP_SET_MAXNAMELEN - 1); | |
2923 | + strncpy(name_list->typename, | |
2924 | + set->type->typename, | |
2925 | + IP_SET_MAXNAMELEN - 1); | |
2926 | + DP("filled %s of type %s, index %u\n", | |
2927 | + name_list->name, name_list->typename, | |
2928 | + name_list->index); | |
2929 | + if (!(req_setnames->index == IP_SET_INVALID_ID | |
2930 | + || req_setnames->index == i)) | |
2931 | + continue; | |
2932 | + /* Update size */ | |
2933 | + switch (*op) { | |
2934 | + case IP_SET_OP_LIST_SIZE: { | |
2935 | + req_setnames->size += sizeof(struct ip_set_list) | |
2936 | + + set->type->header_size | |
2937 | + + set->type->list_members_size(set); | |
2938 | + /* Sets are identified by id in the hash */ | |
7d2f026e | 2939 | + FOREACH_HASH_DO(__set_hash_bindings_size_list, |
1aedc22c | 2940 | + set->id, &req_setnames->size); |
2941 | + break; | |
2942 | + } | |
2943 | + case IP_SET_OP_SAVE_SIZE: { | |
2944 | + req_setnames->size += sizeof(struct ip_set_save) | |
2945 | + + set->type->header_size | |
2946 | + + set->type->list_members_size(set); | |
2947 | + FOREACH_HASH_DO(__set_hash_bindings_size_save, | |
2948 | + set->id, &req_setnames->size); | |
2949 | + break; | |
2950 | + } | |
2951 | + default: | |
2952 | + break; | |
2953 | + } | |
2954 | + } | |
2955 | + if (copylen != used) { | |
2956 | + res = -EAGAIN; | |
2957 | + goto done; | |
2958 | + } | |
2959 | + goto copy; | |
2960 | + } | |
2961 | + case IP_SET_OP_LIST: { | |
7d2f026e | 2962 | + struct ip_set_req_list *req_list = data; |
1aedc22c | 2963 | + ip_set_id_t i; |
2964 | + int used; | |
2965 | + | |
2966 | + if (*len < sizeof(struct ip_set_req_list)) { | |
2967 | + ip_set_printk("short LIST (want >=%zu, got %d)", | |
2968 | + sizeof(struct ip_set_req_list), *len); | |
2969 | + res = -EINVAL; | |
2970 | + goto done; | |
2971 | + } | |
2972 | + index = req_list->index; | |
2973 | + if (index != IP_SET_INVALID_ID | |
2974 | + && ip_set_find_byindex(index) != index) { | |
2975 | + res = -ENOENT; | |
2976 | + goto done; | |
2977 | + } | |
2978 | + used = 0; | |
2979 | + if (index == IP_SET_INVALID_ID) { | |
2980 | + /* List all sets */ | |
2981 | + for (i = 0; i < ip_set_max && res == 0; i++) { | |
2982 | + if (ip_set_list[i] != NULL) | |
2983 | + res = ip_set_list_set(i, data, &used, *len); | |
2984 | + } | |
2985 | + } else { | |
2986 | + /* List an individual set */ | |
2987 | + res = ip_set_list_set(index, data, &used, *len); | |
2988 | + } | |
2989 | + if (res != 0) | |
2990 | + goto done; | |
2991 | + else if (copylen != used) { | |
2992 | + res = -EAGAIN; | |
2993 | + goto done; | |
2994 | + } | |
2995 | + goto copy; | |
2996 | + } | |
2997 | + case IP_SET_OP_SAVE: { | |
7d2f026e | 2998 | + struct ip_set_req_list *req_save = data; |
1aedc22c | 2999 | + ip_set_id_t i; |
3000 | + int used; | |
3001 | + | |
3002 | + if (*len < sizeof(struct ip_set_req_list)) { | |
3003 | + ip_set_printk("short SAVE (want >=%zu, got %d)", | |
3004 | + sizeof(struct ip_set_req_list), *len); | |
3005 | + res = -EINVAL; | |
3006 | + goto done; | |
3007 | + } | |
3008 | + index = req_save->index; | |
3009 | + if (index != IP_SET_INVALID_ID | |
3010 | + && ip_set_find_byindex(index) != index) { | |
3011 | + res = -ENOENT; | |
3012 | + goto done; | |
3013 | + } | |
3014 | + used = 0; | |
3015 | + if (index == IP_SET_INVALID_ID) { | |
3016 | + /* Save all sets */ | |
3017 | + for (i = 0; i < ip_set_max && res == 0; i++) { | |
3018 | + if (ip_set_list[i] != NULL) | |
3019 | + res = ip_set_save_set(i, data, &used, *len); | |
3020 | + } | |
3021 | + } else { | |
3022 | + /* Save an individual set */ | |
3023 | + res = ip_set_save_set(index, data, &used, *len); | |
3024 | + } | |
3025 | + if (res == 0) | |
3026 | + res = ip_set_save_bindings(index, data, &used, *len); | |
3027 | + | |
3028 | + if (res != 0) | |
3029 | + goto done; | |
3030 | + else if (copylen != used) { | |
3031 | + res = -EAGAIN; | |
3032 | + goto done; | |
3033 | + } | |
3034 | + goto copy; | |
3035 | + } | |
3036 | + case IP_SET_OP_RESTORE: { | |
7d2f026e | 3037 | + struct ip_set_req_setnames *req_restore = data; |
1aedc22c | 3038 | + int line; |
3039 | + | |
3040 | + if (*len < sizeof(struct ip_set_req_setnames) | |
3041 | + || *len != req_restore->size) { | |
3042 | + ip_set_printk("invalid RESTORE (want =%zu, got %d)", | |
3043 | + req_restore->size, *len); | |
3044 | + res = -EINVAL; | |
3045 | + goto done; | |
3046 | + } | |
3047 | + line = ip_set_restore(data + sizeof(struct ip_set_req_setnames), | |
3048 | + req_restore->size - sizeof(struct ip_set_req_setnames)); | |
3049 | + DP("ip_set_restore: %u", line); | |
3050 | + if (line != 0) { | |
3051 | + res = -EAGAIN; | |
3052 | + req_restore->size = line; | |
3053 | + copylen = sizeof(struct ip_set_req_setnames); | |
3054 | + goto copy; | |
3055 | + } | |
3056 | + goto done; | |
3057 | + } | |
3058 | + default: | |
3059 | + res = -EBADMSG; | |
3060 | + goto done; | |
3061 | + } /* end of switch(op) */ | |
3062 | + | |
3063 | + copy: | |
3064 | + DP("set %s, copylen %u", index != IP_SET_INVALID_ID | |
3065 | + && ip_set_list[index] | |
3066 | + ? ip_set_list[index]->name | |
3067 | + : ":all:", copylen); | |
3068 | + res = copy_to_user(user, data, copylen); | |
3069 | + | |
3070 | + done: | |
3071 | + up(&ip_set_app_mutex); | |
3072 | + vfree(data); | |
3073 | + if (res > 0) | |
3074 | + res = 0; | |
3075 | + DP("final result %d", res); | |
3076 | + return res; | |
3077 | +} | |
3078 | + | |
3079 | +static struct nf_sockopt_ops so_set = { | |
3080 | + .pf = PF_INET, | |
3081 | + .set_optmin = SO_IP_SET, | |
3082 | + .set_optmax = SO_IP_SET + 1, | |
3083 | + .set = &ip_set_sockfn_set, | |
3084 | + .get_optmin = SO_IP_SET, | |
3085 | + .get_optmax = SO_IP_SET + 1, | |
7d2f026e | 3086 | + .get = &ip_set_sockfn_get, |
3087 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23) | |
3088 | + .use = 0, | |
3089 | +#else | |
3090 | + .owner = THIS_MODULE, | |
3091 | +#endif | |
1aedc22c | 3092 | +}; |
3093 | + | |
3094 | +static int max_sets, hash_size; | |
3095 | +module_param(max_sets, int, 0600); | |
3096 | +MODULE_PARM_DESC(max_sets, "maximal number of sets"); | |
3097 | +module_param(hash_size, int, 0600); | |
3098 | +MODULE_PARM_DESC(hash_size, "hash size for bindings"); | |
3099 | +MODULE_LICENSE("GPL"); | |
3100 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
3101 | +MODULE_DESCRIPTION("module implementing core IP set support"); | |
3102 | + | |
f45e9687 | 3103 | +static int __init ip_set_init(void) |
1aedc22c | 3104 | +{ |
3105 | + int res; | |
3106 | + ip_set_id_t i; | |
3107 | + | |
3108 | + get_random_bytes(&ip_set_hash_random, 4); | |
3109 | + if (max_sets) | |
3110 | + ip_set_max = max_sets; | |
3111 | + ip_set_list = vmalloc(sizeof(struct ip_set *) * ip_set_max); | |
3112 | + if (!ip_set_list) { | |
3113 | + printk(KERN_ERR "Unable to create ip_set_list\n"); | |
3114 | + return -ENOMEM; | |
3115 | + } | |
3116 | + memset(ip_set_list, 0, sizeof(struct ip_set *) * ip_set_max); | |
3117 | + if (hash_size) | |
3118 | + ip_set_bindings_hash_size = hash_size; | |
3119 | + ip_set_hash = vmalloc(sizeof(struct list_head) * ip_set_bindings_hash_size); | |
3120 | + if (!ip_set_hash) { | |
3121 | + printk(KERN_ERR "Unable to create ip_set_hash\n"); | |
3122 | + vfree(ip_set_list); | |
3123 | + return -ENOMEM; | |
3124 | + } | |
3125 | + for (i = 0; i < ip_set_bindings_hash_size; i++) | |
3126 | + INIT_LIST_HEAD(&ip_set_hash[i]); | |
3127 | + | |
3128 | + INIT_LIST_HEAD(&set_type_list); | |
3129 | + | |
3130 | + res = nf_register_sockopt(&so_set); | |
3131 | + if (res != 0) { | |
3132 | + ip_set_printk("SO_SET registry failed: %d", res); | |
3133 | + vfree(ip_set_list); | |
3134 | + vfree(ip_set_hash); | |
3135 | + return res; | |
3136 | + } | |
3137 | + return 0; | |
3138 | +} | |
3139 | + | |
f45e9687 | 3140 | +static void __exit ip_set_fini(void) |
1aedc22c | 3141 | +{ |
3142 | + /* There can't be any existing set or binding */ | |
3143 | + nf_unregister_sockopt(&so_set); | |
3144 | + vfree(ip_set_list); | |
3145 | + vfree(ip_set_hash); | |
3146 | + DP("these are the famous last words"); | |
3147 | +} | |
3148 | + | |
3149 | +EXPORT_SYMBOL(ip_set_register_set_type); | |
3150 | +EXPORT_SYMBOL(ip_set_unregister_set_type); | |
3151 | + | |
3152 | +EXPORT_SYMBOL(ip_set_get_byname); | |
3153 | +EXPORT_SYMBOL(ip_set_get_byindex); | |
3154 | +EXPORT_SYMBOL(ip_set_put); | |
3155 | + | |
3156 | +EXPORT_SYMBOL(ip_set_addip_kernel); | |
3157 | +EXPORT_SYMBOL(ip_set_delip_kernel); | |
3158 | +EXPORT_SYMBOL(ip_set_testip_kernel); | |
3159 | + | |
f45e9687 | 3160 | +module_init(ip_set_init); |
3161 | +module_exit(ip_set_fini); | |
7d2f026e | 3162 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/ip_set_iphash.c linux-2.6/net/ipv4/netfilter/ip_set_iphash.c |
3163 | --- a/net/ipv4/netfilter/ip_set_iphash.c 1970-01-01 01:00:00.000000000 +0100 | |
3164 | +++ linux-2.6/net/ipv4/netfilter/ip_set_iphash.c 2008-07-08 16:52:53.965201208 +0200 | |
3165 | @@ -0,0 +1,425 @@ | |
1aedc22c | 3166 | +/* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
3167 | + * | |
3168 | + * This program is free software; you can redistribute it and/or modify | |
3169 | + * it under the terms of the GNU General Public License version 2 as | |
7d2f026e | 3170 | + * published by the Free Software Foundation. |
1aedc22c | 3171 | + */ |
3172 | + | |
3173 | +/* Kernel module implementing an ip hash set */ | |
3174 | + | |
3175 | +#include <linux/module.h> | |
3176 | +#include <linux/ip.h> | |
3177 | +#include <linux/skbuff.h> | |
f45e9687 | 3178 | +#include <linux/version.h> |
3179 | +#include <linux/jhash.h> | |
1aedc22c | 3180 | +#include <linux/netfilter_ipv4/ip_tables.h> |
3181 | +#include <linux/netfilter_ipv4/ip_set.h> | |
3182 | +#include <linux/errno.h> | |
3183 | +#include <asm/uaccess.h> | |
3184 | +#include <asm/bitops.h> | |
3185 | +#include <linux/spinlock.h> | |
3186 | +#include <linux/vmalloc.h> | |
3187 | +#include <linux/random.h> | |
3188 | + | |
3189 | +#include <net/ip.h> | |
3190 | + | |
3191 | +#include <linux/netfilter_ipv4/ip_set_malloc.h> | |
3192 | +#include <linux/netfilter_ipv4/ip_set_iphash.h> | |
1aedc22c | 3193 | + |
3194 | +static int limit = MAX_RANGE; | |
3195 | + | |
3196 | +static inline __u32 | |
3197 | +jhash_ip(const struct ip_set_iphash *map, uint16_t i, ip_set_ip_t ip) | |
3198 | +{ | |
3199 | + return jhash_1word(ip, *(((uint32_t *) map->initval) + i)); | |
3200 | +} | |
3201 | + | |
3202 | +static inline __u32 | |
3203 | +hash_id(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) | |
3204 | +{ | |
7d2f026e | 3205 | + struct ip_set_iphash *map = set->data; |
1aedc22c | 3206 | + __u32 id; |
3207 | + u_int16_t i; | |
3208 | + ip_set_ip_t *elem; | |
3209 | + | |
3210 | + *hash_ip = ip & map->netmask; | |
3211 | + DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u, %u.%u.%u.%u", | |
3212 | + set->name, HIPQUAD(ip), HIPQUAD(*hash_ip), HIPQUAD(map->netmask)); | |
3213 | + | |
3214 | + for (i = 0; i < map->probes; i++) { | |
3215 | + id = jhash_ip(map, i, *hash_ip) % map->hashsize; | |
3216 | + DP("hash key: %u", id); | |
3217 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id); | |
3218 | + if (*elem == *hash_ip) | |
3219 | + return id; | |
3220 | + /* No shortcut at testing - there can be deleted | |
3221 | + * entries. */ | |
3222 | + } | |
3223 | + return UINT_MAX; | |
3224 | +} | |
3225 | + | |
3226 | +static inline int | |
3227 | +__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) | |
3228 | +{ | |
3229 | + return (ip && hash_id(set, ip, hash_ip) != UINT_MAX); | |
3230 | +} | |
3231 | + | |
3232 | +static int | |
3233 | +testip(struct ip_set *set, const void *data, size_t size, | |
3234 | + ip_set_ip_t *hash_ip) | |
3235 | +{ | |
7d2f026e | 3236 | + const struct ip_set_req_iphash *req = data; |
1aedc22c | 3237 | + |
3238 | + if (size != sizeof(struct ip_set_req_iphash)) { | |
3239 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
3240 | + sizeof(struct ip_set_req_iphash), | |
3241 | + size); | |
3242 | + return -EINVAL; | |
3243 | + } | |
3244 | + return __testip(set, req->ip, hash_ip); | |
3245 | +} | |
3246 | + | |
3247 | +static int | |
7d2f026e | 3248 | +testip_kernel(struct ip_set *set, |
1aedc22c | 3249 | + const struct sk_buff *skb, |
3250 | + ip_set_ip_t *hash_ip, | |
3251 | + const u_int32_t *flags, | |
3252 | + unsigned char index) | |
3253 | +{ | |
3254 | + return __testip(set, | |
7d2f026e | 3255 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 3256 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 3257 | + ? ip_hdr(skb)->saddr |
5ce52adc | 3258 | + : ip_hdr(skb)->daddr), |
f45e9687 | 3259 | +#else |
7d2f026e | 3260 | + ? skb->nh.iph->saddr |
f45e9687 | 3261 | + : skb->nh.iph->daddr), |
3262 | +#endif | |
1aedc22c | 3263 | + hash_ip); |
3264 | +} | |
3265 | + | |
3266 | +static inline int | |
3267 | +__addip(struct ip_set_iphash *map, ip_set_ip_t ip, ip_set_ip_t *hash_ip) | |
3268 | +{ | |
3269 | + __u32 probe; | |
3270 | + u_int16_t i; | |
3271 | + ip_set_ip_t *elem; | |
3272 | + | |
f45e9687 | 3273 | + if (!ip || map->elements >= limit) |
1aedc22c | 3274 | + return -ERANGE; |
3275 | + | |
3276 | + *hash_ip = ip & map->netmask; | |
3277 | + | |
3278 | + for (i = 0; i < map->probes; i++) { | |
3279 | + probe = jhash_ip(map, i, *hash_ip) % map->hashsize; | |
3280 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe); | |
3281 | + if (*elem == *hash_ip) | |
3282 | + return -EEXIST; | |
3283 | + if (!*elem) { | |
3284 | + *elem = *hash_ip; | |
3285 | + map->elements++; | |
3286 | + return 0; | |
3287 | + } | |
3288 | + } | |
3289 | + /* Trigger rehashing */ | |
3290 | + return -EAGAIN; | |
3291 | +} | |
3292 | + | |
3293 | +static int | |
3294 | +addip(struct ip_set *set, const void *data, size_t size, | |
3295 | + ip_set_ip_t *hash_ip) | |
3296 | +{ | |
7d2f026e | 3297 | + const struct ip_set_req_iphash *req = data; |
1aedc22c | 3298 | + |
3299 | + if (size != sizeof(struct ip_set_req_iphash)) { | |
3300 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
3301 | + sizeof(struct ip_set_req_iphash), | |
3302 | + size); | |
3303 | + return -EINVAL; | |
3304 | + } | |
7d2f026e | 3305 | + return __addip(set->data, req->ip, hash_ip); |
1aedc22c | 3306 | +} |
3307 | + | |
3308 | +static int | |
7d2f026e | 3309 | +addip_kernel(struct ip_set *set, |
1aedc22c | 3310 | + const struct sk_buff *skb, |
3311 | + ip_set_ip_t *hash_ip, | |
3312 | + const u_int32_t *flags, | |
3313 | + unsigned char index) | |
3314 | +{ | |
3315 | + return __addip((struct ip_set_iphash *) set->data, | |
7d2f026e | 3316 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 3317 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 3318 | + ? ip_hdr(skb)->saddr |
5ce52adc | 3319 | + : ip_hdr(skb)->daddr), |
f45e9687 | 3320 | +#else |
7d2f026e | 3321 | + ? skb->nh.iph->saddr |
f45e9687 | 3322 | + : skb->nh.iph->daddr), |
3323 | +#endif | |
1aedc22c | 3324 | + hash_ip); |
3325 | +} | |
3326 | + | |
3327 | +static int retry(struct ip_set *set) | |
3328 | +{ | |
7d2f026e | 3329 | + struct ip_set_iphash *map = set->data; |
1aedc22c | 3330 | + ip_set_ip_t hash_ip, *elem; |
3331 | + void *members; | |
3332 | + u_int32_t i, hashsize = map->hashsize; | |
3333 | + int res; | |
3334 | + struct ip_set_iphash *tmp; | |
3335 | + | |
3336 | + if (map->resize == 0) | |
3337 | + return -ERANGE; | |
3338 | + | |
3339 | + again: | |
3340 | + res = 0; | |
3341 | + | |
3342 | + /* Calculate new hash size */ | |
3343 | + hashsize += (hashsize * map->resize)/100; | |
3344 | + if (hashsize == map->hashsize) | |
3345 | + hashsize++; | |
3346 | + | |
3347 | + ip_set_printk("rehashing of set %s triggered: " | |
3348 | + "hashsize grows from %u to %u", | |
3349 | + set->name, map->hashsize, hashsize); | |
3350 | + | |
7d2f026e | 3351 | + tmp = kmalloc(sizeof(struct ip_set_iphash) |
1aedc22c | 3352 | + + map->probes * sizeof(uint32_t), GFP_ATOMIC); |
3353 | + if (!tmp) { | |
3354 | + DP("out of memory for %d bytes", | |
3355 | + sizeof(struct ip_set_iphash) | |
3356 | + + map->probes * sizeof(uint32_t)); | |
3357 | + return -ENOMEM; | |
3358 | + } | |
3359 | + tmp->members = harray_malloc(hashsize, sizeof(ip_set_ip_t), GFP_ATOMIC); | |
3360 | + if (!tmp->members) { | |
3361 | + DP("out of memory for %d bytes", hashsize * sizeof(ip_set_ip_t)); | |
3362 | + kfree(tmp); | |
3363 | + return -ENOMEM; | |
3364 | + } | |
3365 | + tmp->hashsize = hashsize; | |
3366 | + tmp->elements = 0; | |
3367 | + tmp->probes = map->probes; | |
3368 | + tmp->resize = map->resize; | |
3369 | + tmp->netmask = map->netmask; | |
3370 | + memcpy(tmp->initval, map->initval, map->probes * sizeof(uint32_t)); | |
3371 | + | |
3372 | + write_lock_bh(&set->lock); | |
7d2f026e | 3373 | + map = set->data; /* Play safe */ |
1aedc22c | 3374 | + for (i = 0; i < map->hashsize && res == 0; i++) { |
3375 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, i); | |
3376 | + if (*elem) | |
3377 | + res = __addip(tmp, *elem, &hash_ip); | |
3378 | + } | |
3379 | + if (res) { | |
3380 | + /* Failure, try again */ | |
3381 | + write_unlock_bh(&set->lock); | |
3382 | + harray_free(tmp->members); | |
3383 | + kfree(tmp); | |
3384 | + goto again; | |
3385 | + } | |
3386 | + | |
3387 | + /* Success at resizing! */ | |
3388 | + members = map->members; | |
3389 | + | |
3390 | + map->hashsize = tmp->hashsize; | |
3391 | + map->members = tmp->members; | |
3392 | + write_unlock_bh(&set->lock); | |
3393 | + | |
3394 | + harray_free(members); | |
3395 | + kfree(tmp); | |
3396 | + | |
3397 | + return 0; | |
3398 | +} | |
3399 | + | |
3400 | +static inline int | |
3401 | +__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) | |
3402 | +{ | |
7d2f026e | 3403 | + struct ip_set_iphash *map = set->data; |
1aedc22c | 3404 | + ip_set_ip_t id, *elem; |
3405 | + | |
3406 | + if (!ip) | |
3407 | + return -ERANGE; | |
3408 | + | |
3409 | + id = hash_id(set, ip, hash_ip); | |
3410 | + if (id == UINT_MAX) | |
3411 | + return -EEXIST; | |
3412 | + | |
3413 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id); | |
3414 | + *elem = 0; | |
3415 | + map->elements--; | |
3416 | + | |
3417 | + return 0; | |
3418 | +} | |
3419 | + | |
3420 | +static int | |
3421 | +delip(struct ip_set *set, const void *data, size_t size, | |
3422 | + ip_set_ip_t *hash_ip) | |
3423 | +{ | |
7d2f026e | 3424 | + const struct ip_set_req_iphash *req = data; |
1aedc22c | 3425 | + |
3426 | + if (size != sizeof(struct ip_set_req_iphash)) { | |
3427 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
3428 | + sizeof(struct ip_set_req_iphash), | |
3429 | + size); | |
3430 | + return -EINVAL; | |
3431 | + } | |
3432 | + return __delip(set, req->ip, hash_ip); | |
3433 | +} | |
3434 | + | |
3435 | +static int | |
7d2f026e | 3436 | +delip_kernel(struct ip_set *set, |
1aedc22c | 3437 | + const struct sk_buff *skb, |
3438 | + ip_set_ip_t *hash_ip, | |
3439 | + const u_int32_t *flags, | |
3440 | + unsigned char index) | |
3441 | +{ | |
3442 | + return __delip(set, | |
7d2f026e | 3443 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 3444 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 3445 | + ? ip_hdr(skb)->saddr |
5ce52adc | 3446 | + : ip_hdr(skb)->daddr), |
f45e9687 | 3447 | +#else |
7d2f026e | 3448 | + ? skb->nh.iph->saddr |
f45e9687 | 3449 | + : skb->nh.iph->daddr), |
3450 | +#endif | |
1aedc22c | 3451 | + hash_ip); |
3452 | +} | |
3453 | + | |
3454 | +static int create(struct ip_set *set, const void *data, size_t size) | |
3455 | +{ | |
7d2f026e | 3456 | + const struct ip_set_req_iphash_create *req = data; |
1aedc22c | 3457 | + struct ip_set_iphash *map; |
3458 | + uint16_t i; | |
3459 | + | |
3460 | + if (size != sizeof(struct ip_set_req_iphash_create)) { | |
3461 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
3462 | + sizeof(struct ip_set_req_iphash_create), | |
3463 | + size); | |
3464 | + return -EINVAL; | |
3465 | + } | |
3466 | + | |
3467 | + if (req->hashsize < 1) { | |
3468 | + ip_set_printk("hashsize too small"); | |
3469 | + return -ENOEXEC; | |
3470 | + } | |
3471 | + | |
3472 | + if (req->probes < 1) { | |
3473 | + ip_set_printk("probes too small"); | |
3474 | + return -ENOEXEC; | |
3475 | + } | |
3476 | + | |
7d2f026e | 3477 | + map = kmalloc(sizeof(struct ip_set_iphash) |
1aedc22c | 3478 | + + req->probes * sizeof(uint32_t), GFP_KERNEL); |
3479 | + if (!map) { | |
3480 | + DP("out of memory for %d bytes", | |
3481 | + sizeof(struct ip_set_iphash) | |
3482 | + + req->probes * sizeof(uint32_t)); | |
3483 | + return -ENOMEM; | |
3484 | + } | |
3485 | + for (i = 0; i < req->probes; i++) | |
3486 | + get_random_bytes(((uint32_t *) map->initval)+i, 4); | |
3487 | + map->elements = 0; | |
3488 | + map->hashsize = req->hashsize; | |
3489 | + map->probes = req->probes; | |
3490 | + map->resize = req->resize; | |
3491 | + map->netmask = req->netmask; | |
3492 | + map->members = harray_malloc(map->hashsize, sizeof(ip_set_ip_t), GFP_KERNEL); | |
3493 | + if (!map->members) { | |
3494 | + DP("out of memory for %d bytes", map->hashsize * sizeof(ip_set_ip_t)); | |
3495 | + kfree(map); | |
3496 | + return -ENOMEM; | |
3497 | + } | |
3498 | + | |
3499 | + set->data = map; | |
3500 | + return 0; | |
3501 | +} | |
3502 | + | |
3503 | +static void destroy(struct ip_set *set) | |
3504 | +{ | |
7d2f026e | 3505 | + struct ip_set_iphash *map = set->data; |
1aedc22c | 3506 | + |
3507 | + harray_free(map->members); | |
3508 | + kfree(map); | |
3509 | + | |
3510 | + set->data = NULL; | |
3511 | +} | |
3512 | + | |
3513 | +static void flush(struct ip_set *set) | |
3514 | +{ | |
7d2f026e | 3515 | + struct ip_set_iphash *map = set->data; |
1aedc22c | 3516 | + harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t)); |
3517 | + map->elements = 0; | |
3518 | +} | |
3519 | + | |
3520 | +static void list_header(const struct ip_set *set, void *data) | |
3521 | +{ | |
7d2f026e | 3522 | + struct ip_set_iphash *map = set->data; |
3523 | + struct ip_set_req_iphash_create *header = data; | |
1aedc22c | 3524 | + |
3525 | + header->hashsize = map->hashsize; | |
3526 | + header->probes = map->probes; | |
3527 | + header->resize = map->resize; | |
3528 | + header->netmask = map->netmask; | |
3529 | +} | |
3530 | + | |
3531 | +static int list_members_size(const struct ip_set *set) | |
3532 | +{ | |
7d2f026e | 3533 | + const struct ip_set_iphash *map = set->data; |
1aedc22c | 3534 | + |
3535 | + return (map->hashsize * sizeof(ip_set_ip_t)); | |
3536 | +} | |
3537 | + | |
3538 | +static void list_members(const struct ip_set *set, void *data) | |
3539 | +{ | |
7d2f026e | 3540 | + const struct ip_set_iphash *map = set->data; |
1aedc22c | 3541 | + ip_set_ip_t i, *elem; |
3542 | + | |
3543 | + for (i = 0; i < map->hashsize; i++) { | |
3544 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, i); | |
3545 | + ((ip_set_ip_t *)data)[i] = *elem; | |
3546 | + } | |
3547 | +} | |
3548 | + | |
3549 | +static struct ip_set_type ip_set_iphash = { | |
3550 | + .typename = SETTYPE_NAME, | |
3551 | + .features = IPSET_TYPE_IP | IPSET_DATA_SINGLE, | |
3552 | + .protocol_version = IP_SET_PROTOCOL_VERSION, | |
3553 | + .create = &create, | |
3554 | + .destroy = &destroy, | |
3555 | + .flush = &flush, | |
3556 | + .reqsize = sizeof(struct ip_set_req_iphash), | |
3557 | + .addip = &addip, | |
3558 | + .addip_kernel = &addip_kernel, | |
3559 | + .retry = &retry, | |
3560 | + .delip = &delip, | |
3561 | + .delip_kernel = &delip_kernel, | |
3562 | + .testip = &testip, | |
3563 | + .testip_kernel = &testip_kernel, | |
3564 | + .header_size = sizeof(struct ip_set_req_iphash_create), | |
3565 | + .list_header = &list_header, | |
3566 | + .list_members_size = &list_members_size, | |
3567 | + .list_members = &list_members, | |
3568 | + .me = THIS_MODULE, | |
3569 | +}; | |
3570 | + | |
3571 | +MODULE_LICENSE("GPL"); | |
3572 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
3573 | +MODULE_DESCRIPTION("iphash type of IP sets"); | |
3574 | +module_param(limit, int, 0600); | |
3575 | +MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets"); | |
3576 | + | |
f45e9687 | 3577 | +static int __init ip_set_iphash_init(void) |
1aedc22c | 3578 | +{ |
7d2f026e | 3579 | + init_max_page_size(); |
1aedc22c | 3580 | + return ip_set_register_set_type(&ip_set_iphash); |
3581 | +} | |
3582 | + | |
f45e9687 | 3583 | +static void __exit ip_set_iphash_fini(void) |
1aedc22c | 3584 | +{ |
3585 | + /* FIXME: possible race with ip_set_create() */ | |
3586 | + ip_set_unregister_set_type(&ip_set_iphash); | |
3587 | +} | |
3588 | + | |
f45e9687 | 3589 | +module_init(ip_set_iphash_init); |
3590 | +module_exit(ip_set_iphash_fini); | |
7d2f026e | 3591 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/ip_set_ipmap.c linux-2.6/net/ipv4/netfilter/ip_set_ipmap.c |
3592 | --- a/net/ipv4/netfilter/ip_set_ipmap.c 1970-01-01 01:00:00.000000000 +0100 | |
3593 | +++ linux-2.6/net/ipv4/netfilter/ip_set_ipmap.c 2008-07-08 16:52:53.965201208 +0200 | |
3594 | @@ -0,0 +1,331 @@ | |
1aedc22c | 3595 | +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> |
3596 | + * Patrick Schaaf <bof@bof.de> | |
3597 | + * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | |
3598 | + * | |
3599 | + * This program is free software; you can redistribute it and/or modify | |
3600 | + * it under the terms of the GNU General Public License version 2 as | |
7d2f026e | 3601 | + * published by the Free Software Foundation. |
1aedc22c | 3602 | + */ |
3603 | + | |
3604 | +/* Kernel module implementing an IP set type: the single bitmap type */ | |
3605 | + | |
3606 | +#include <linux/module.h> | |
3607 | +#include <linux/ip.h> | |
3608 | +#include <linux/skbuff.h> | |
f45e9687 | 3609 | +#include <linux/version.h> |
1aedc22c | 3610 | +#include <linux/netfilter_ipv4/ip_tables.h> |
3611 | +#include <linux/netfilter_ipv4/ip_set.h> | |
3612 | +#include <linux/errno.h> | |
3613 | +#include <asm/uaccess.h> | |
3614 | +#include <asm/bitops.h> | |
3615 | +#include <linux/spinlock.h> | |
3616 | + | |
3617 | +#include <linux/netfilter_ipv4/ip_set_ipmap.h> | |
3618 | + | |
3619 | +static inline ip_set_ip_t | |
3620 | +ip_to_id(const struct ip_set_ipmap *map, ip_set_ip_t ip) | |
3621 | +{ | |
3622 | + return (ip - map->first_ip)/map->hosts; | |
3623 | +} | |
3624 | + | |
3625 | +static inline int | |
3626 | +__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) | |
3627 | +{ | |
7d2f026e | 3628 | + struct ip_set_ipmap *map = set->data; |
1aedc22c | 3629 | + |
3630 | + if (ip < map->first_ip || ip > map->last_ip) | |
3631 | + return -ERANGE; | |
3632 | + | |
3633 | + *hash_ip = ip & map->netmask; | |
3634 | + DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u", | |
3635 | + set->name, HIPQUAD(ip), HIPQUAD(*hash_ip)); | |
3636 | + return !!test_bit(ip_to_id(map, *hash_ip), map->members); | |
3637 | +} | |
3638 | + | |
3639 | +static int | |
3640 | +testip(struct ip_set *set, const void *data, size_t size, | |
3641 | + ip_set_ip_t *hash_ip) | |
3642 | +{ | |
7d2f026e | 3643 | + const struct ip_set_req_ipmap *req = data; |
1aedc22c | 3644 | + |
3645 | + if (size != sizeof(struct ip_set_req_ipmap)) { | |
3646 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
3647 | + sizeof(struct ip_set_req_ipmap), | |
3648 | + size); | |
3649 | + return -EINVAL; | |
3650 | + } | |
3651 | + return __testip(set, req->ip, hash_ip); | |
3652 | +} | |
3653 | + | |
3654 | +static int | |
7d2f026e | 3655 | +testip_kernel(struct ip_set *set, |
1aedc22c | 3656 | + const struct sk_buff *skb, |
3657 | + ip_set_ip_t *hash_ip, | |
3658 | + const u_int32_t *flags, | |
3659 | + unsigned char index) | |
3660 | +{ | |
f45e9687 | 3661 | + int res = __testip(set, |
3662 | + ntohl(flags[index] & IPSET_SRC | |
3663 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) | |
7d2f026e | 3664 | + ? ip_hdr(skb)->saddr |
5ce52adc | 3665 | + : ip_hdr(skb)->daddr), |
f45e9687 | 3666 | +#else |
7d2f026e | 3667 | + ? skb->nh.iph->saddr |
f45e9687 | 3668 | + : skb->nh.iph->daddr), |
3669 | +#endif | |
1aedc22c | 3670 | + hash_ip); |
3671 | + return (res < 0 ? 0 : res); | |
3672 | +} | |
3673 | + | |
3674 | +static inline int | |
3675 | +__addip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) | |
3676 | +{ | |
7d2f026e | 3677 | + struct ip_set_ipmap *map = set->data; |
1aedc22c | 3678 | + |
3679 | + if (ip < map->first_ip || ip > map->last_ip) | |
3680 | + return -ERANGE; | |
3681 | + | |
3682 | + *hash_ip = ip & map->netmask; | |
3683 | + DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip)); | |
3684 | + if (test_and_set_bit(ip_to_id(map, *hash_ip), map->members)) | |
3685 | + return -EEXIST; | |
3686 | + | |
3687 | + return 0; | |
3688 | +} | |
3689 | + | |
3690 | +static int | |
3691 | +addip(struct ip_set *set, const void *data, size_t size, | |
3692 | + ip_set_ip_t *hash_ip) | |
3693 | +{ | |
7d2f026e | 3694 | + const struct ip_set_req_ipmap *req = data; |
1aedc22c | 3695 | + |
3696 | + if (size != sizeof(struct ip_set_req_ipmap)) { | |
3697 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
3698 | + sizeof(struct ip_set_req_ipmap), | |
3699 | + size); | |
3700 | + return -EINVAL; | |
3701 | + } | |
3702 | + DP("%u.%u.%u.%u", HIPQUAD(req->ip)); | |
3703 | + return __addip(set, req->ip, hash_ip); | |
3704 | +} | |
3705 | + | |
3706 | +static int | |
7d2f026e | 3707 | +addip_kernel(struct ip_set *set, |
1aedc22c | 3708 | + const struct sk_buff *skb, |
3709 | + ip_set_ip_t *hash_ip, | |
3710 | + const u_int32_t *flags, | |
3711 | + unsigned char index) | |
3712 | +{ | |
3713 | + return __addip(set, | |
7d2f026e | 3714 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 3715 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 3716 | + ? ip_hdr(skb)->saddr |
5ce52adc | 3717 | + : ip_hdr(skb)->daddr), |
f45e9687 | 3718 | +#else |
7d2f026e | 3719 | + ? skb->nh.iph->saddr |
f45e9687 | 3720 | + : skb->nh.iph->daddr), |
3721 | +#endif | |
1aedc22c | 3722 | + hash_ip); |
3723 | +} | |
3724 | + | |
7d2f026e | 3725 | +static inline int |
1aedc22c | 3726 | +__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) |
3727 | +{ | |
7d2f026e | 3728 | + struct ip_set_ipmap *map = set->data; |
1aedc22c | 3729 | + |
3730 | + if (ip < map->first_ip || ip > map->last_ip) | |
3731 | + return -ERANGE; | |
3732 | + | |
3733 | + *hash_ip = ip & map->netmask; | |
3734 | + DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip)); | |
3735 | + if (!test_and_clear_bit(ip_to_id(map, *hash_ip), map->members)) | |
3736 | + return -EEXIST; | |
3737 | + | |
3738 | + return 0; | |
3739 | +} | |
3740 | + | |
3741 | +static int | |
3742 | +delip(struct ip_set *set, const void *data, size_t size, | |
3743 | + ip_set_ip_t *hash_ip) | |
3744 | +{ | |
7d2f026e | 3745 | + const struct ip_set_req_ipmap *req = data; |
1aedc22c | 3746 | + |
3747 | + if (size != sizeof(struct ip_set_req_ipmap)) { | |
3748 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
3749 | + sizeof(struct ip_set_req_ipmap), | |
3750 | + size); | |
3751 | + return -EINVAL; | |
3752 | + } | |
3753 | + return __delip(set, req->ip, hash_ip); | |
3754 | +} | |
3755 | + | |
3756 | +static int | |
3757 | +delip_kernel(struct ip_set *set, | |
3758 | + const struct sk_buff *skb, | |
3759 | + ip_set_ip_t *hash_ip, | |
3760 | + const u_int32_t *flags, | |
3761 | + unsigned char index) | |
3762 | +{ | |
3763 | + return __delip(set, | |
7d2f026e | 3764 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 3765 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 3766 | + ? ip_hdr(skb)->saddr |
5ce52adc | 3767 | + : ip_hdr(skb)->daddr), |
f45e9687 | 3768 | +#else |
7d2f026e | 3769 | + ? skb->nh.iph->saddr |
f45e9687 | 3770 | + : skb->nh.iph->daddr), |
3771 | +#endif | |
1aedc22c | 3772 | + hash_ip); |
3773 | +} | |
3774 | + | |
3775 | +static int create(struct ip_set *set, const void *data, size_t size) | |
3776 | +{ | |
3777 | + int newbytes; | |
7d2f026e | 3778 | + const struct ip_set_req_ipmap_create *req = data; |
1aedc22c | 3779 | + struct ip_set_ipmap *map; |
3780 | + | |
3781 | + if (size != sizeof(struct ip_set_req_ipmap_create)) { | |
3782 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
3783 | + sizeof(struct ip_set_req_ipmap_create), | |
3784 | + size); | |
3785 | + return -EINVAL; | |
3786 | + } | |
3787 | + | |
3788 | + DP("from %u.%u.%u.%u to %u.%u.%u.%u", | |
3789 | + HIPQUAD(req->from), HIPQUAD(req->to)); | |
3790 | + | |
3791 | + if (req->from > req->to) { | |
3792 | + DP("bad ip range"); | |
3793 | + return -ENOEXEC; | |
3794 | + } | |
3795 | + | |
3796 | + map = kmalloc(sizeof(struct ip_set_ipmap), GFP_KERNEL); | |
3797 | + if (!map) { | |
3798 | + DP("out of memory for %d bytes", | |
3799 | + sizeof(struct ip_set_ipmap)); | |
3800 | + return -ENOMEM; | |
3801 | + } | |
3802 | + map->first_ip = req->from; | |
3803 | + map->last_ip = req->to; | |
3804 | + map->netmask = req->netmask; | |
3805 | + | |
3806 | + if (req->netmask == 0xFFFFFFFF) { | |
3807 | + map->hosts = 1; | |
3808 | + map->sizeid = map->last_ip - map->first_ip + 1; | |
3809 | + } else { | |
3810 | + unsigned int mask_bits, netmask_bits; | |
3811 | + ip_set_ip_t mask; | |
3812 | + | |
3813 | + map->first_ip &= map->netmask; /* Should we better bark? */ | |
3814 | + | |
3815 | + mask = range_to_mask(map->first_ip, map->last_ip, &mask_bits); | |
3816 | + netmask_bits = mask_to_bits(map->netmask); | |
3817 | + | |
3818 | + if ((!mask && (map->first_ip || map->last_ip != 0xFFFFFFFF)) | |
3819 | + || netmask_bits <= mask_bits) | |
3820 | + return -ENOEXEC; | |
3821 | + | |
3822 | + DP("mask_bits %u, netmask_bits %u", | |
3823 | + mask_bits, netmask_bits); | |
3824 | + map->hosts = 2 << (32 - netmask_bits - 1); | |
3825 | + map->sizeid = 2 << (netmask_bits - mask_bits - 1); | |
3826 | + } | |
3827 | + if (map->sizeid > MAX_RANGE + 1) { | |
3828 | + ip_set_printk("range too big (max %d addresses)", | |
3829 | + MAX_RANGE+1); | |
3830 | + kfree(map); | |
3831 | + return -ENOEXEC; | |
3832 | + } | |
3833 | + DP("hosts %u, sizeid %u", map->hosts, map->sizeid); | |
3834 | + newbytes = bitmap_bytes(0, map->sizeid - 1); | |
3835 | + map->members = kmalloc(newbytes, GFP_KERNEL); | |
3836 | + if (!map->members) { | |
3837 | + DP("out of memory for %d bytes", newbytes); | |
3838 | + kfree(map); | |
3839 | + return -ENOMEM; | |
3840 | + } | |
3841 | + memset(map->members, 0, newbytes); | |
3842 | + | |
3843 | + set->data = map; | |
3844 | + return 0; | |
3845 | +} | |
3846 | + | |
3847 | +static void destroy(struct ip_set *set) | |
3848 | +{ | |
7d2f026e | 3849 | + struct ip_set_ipmap *map = set->data; |
1aedc22c | 3850 | + |
3851 | + kfree(map->members); | |
3852 | + kfree(map); | |
3853 | + | |
3854 | + set->data = NULL; | |
3855 | +} | |
3856 | + | |
3857 | +static void flush(struct ip_set *set) | |
3858 | +{ | |
7d2f026e | 3859 | + struct ip_set_ipmap *map = set->data; |
1aedc22c | 3860 | + memset(map->members, 0, bitmap_bytes(0, map->sizeid - 1)); |
3861 | +} | |
3862 | + | |
3863 | +static void list_header(const struct ip_set *set, void *data) | |
3864 | +{ | |
7d2f026e | 3865 | + const struct ip_set_ipmap *map = set->data; |
3866 | + struct ip_set_req_ipmap_create *header = data; | |
1aedc22c | 3867 | + |
3868 | + header->from = map->first_ip; | |
3869 | + header->to = map->last_ip; | |
3870 | + header->netmask = map->netmask; | |
3871 | +} | |
3872 | + | |
3873 | +static int list_members_size(const struct ip_set *set) | |
3874 | +{ | |
7d2f026e | 3875 | + const struct ip_set_ipmap *map = set->data; |
1aedc22c | 3876 | + |
3877 | + return bitmap_bytes(0, map->sizeid - 1); | |
3878 | +} | |
3879 | + | |
3880 | +static void list_members(const struct ip_set *set, void *data) | |
3881 | +{ | |
7d2f026e | 3882 | + const struct ip_set_ipmap *map = set->data; |
1aedc22c | 3883 | + int bytes = bitmap_bytes(0, map->sizeid - 1); |
3884 | + | |
3885 | + memcpy(data, map->members, bytes); | |
3886 | +} | |
3887 | + | |
3888 | +static struct ip_set_type ip_set_ipmap = { | |
3889 | + .typename = SETTYPE_NAME, | |
3890 | + .features = IPSET_TYPE_IP | IPSET_DATA_SINGLE, | |
3891 | + .protocol_version = IP_SET_PROTOCOL_VERSION, | |
3892 | + .create = &create, | |
3893 | + .destroy = &destroy, | |
3894 | + .flush = &flush, | |
3895 | + .reqsize = sizeof(struct ip_set_req_ipmap), | |
3896 | + .addip = &addip, | |
3897 | + .addip_kernel = &addip_kernel, | |
3898 | + .delip = &delip, | |
3899 | + .delip_kernel = &delip_kernel, | |
3900 | + .testip = &testip, | |
3901 | + .testip_kernel = &testip_kernel, | |
3902 | + .header_size = sizeof(struct ip_set_req_ipmap_create), | |
3903 | + .list_header = &list_header, | |
3904 | + .list_members_size = &list_members_size, | |
3905 | + .list_members = &list_members, | |
3906 | + .me = THIS_MODULE, | |
3907 | +}; | |
3908 | + | |
3909 | +MODULE_LICENSE("GPL"); | |
3910 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
3911 | +MODULE_DESCRIPTION("ipmap type of IP sets"); | |
3912 | + | |
f45e9687 | 3913 | +static int __init ip_set_ipmap_init(void) |
1aedc22c | 3914 | +{ |
3915 | + return ip_set_register_set_type(&ip_set_ipmap); | |
3916 | +} | |
3917 | + | |
f45e9687 | 3918 | +static void __exit ip_set_ipmap_fini(void) |
1aedc22c | 3919 | +{ |
3920 | + /* FIXME: possible race with ip_set_create() */ | |
3921 | + ip_set_unregister_set_type(&ip_set_ipmap); | |
3922 | +} | |
3923 | + | |
f45e9687 | 3924 | +module_init(ip_set_ipmap_init); |
3925 | +module_exit(ip_set_ipmap_fini); | |
7d2f026e | 3926 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/ip_set_ipporthash.c linux-2.6/net/ipv4/netfilter/ip_set_ipporthash.c |
3927 | --- a/net/ipv4/netfilter/ip_set_ipporthash.c 1970-01-01 01:00:00.000000000 +0100 | |
3928 | +++ linux-2.6/net/ipv4/netfilter/ip_set_ipporthash.c 2008-07-08 16:52:53.965201208 +0200 | |
3929 | @@ -0,0 +1,575 @@ | |
1aedc22c | 3930 | +/* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
3931 | + * | |
3932 | + * This program is free software; you can redistribute it and/or modify | |
3933 | + * it under the terms of the GNU General Public License version 2 as | |
7d2f026e | 3934 | + * published by the Free Software Foundation. |
1aedc22c | 3935 | + */ |
3936 | + | |
3937 | +/* Kernel module implementing an ip+port hash set */ | |
3938 | + | |
3939 | +#include <linux/module.h> | |
3940 | +#include <linux/ip.h> | |
3941 | +#include <linux/tcp.h> | |
3942 | +#include <linux/udp.h> | |
3943 | +#include <linux/skbuff.h> | |
f45e9687 | 3944 | +#include <linux/version.h> |
3945 | +#include <linux/jhash.h> | |
1aedc22c | 3946 | +#include <linux/netfilter_ipv4/ip_tables.h> |
3947 | +#include <linux/netfilter_ipv4/ip_set.h> | |
3948 | +#include <linux/errno.h> | |
3949 | +#include <asm/uaccess.h> | |
3950 | +#include <asm/bitops.h> | |
3951 | +#include <linux/spinlock.h> | |
3952 | +#include <linux/vmalloc.h> | |
3953 | +#include <linux/random.h> | |
3954 | + | |
3955 | +#include <net/ip.h> | |
3956 | + | |
3957 | +#include <linux/netfilter_ipv4/ip_set_malloc.h> | |
3958 | +#include <linux/netfilter_ipv4/ip_set_ipporthash.h> | |
1aedc22c | 3959 | + |
3960 | +static int limit = MAX_RANGE; | |
3961 | + | |
3962 | +/* We must handle non-linear skbs */ | |
3963 | +static inline ip_set_ip_t | |
3964 | +get_port(const struct sk_buff *skb, u_int32_t flags) | |
3965 | +{ | |
f45e9687 | 3966 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
5ce52adc | 3967 | + struct iphdr *iph = ip_hdr(skb); |
f45e9687 | 3968 | +#else |
3969 | + struct iphdr *iph = skb->nh.iph; | |
3970 | +#endif | |
1aedc22c | 3971 | + u_int16_t offset = ntohs(iph->frag_off) & IP_OFFSET; |
3972 | + | |
3973 | + switch (iph->protocol) { | |
3974 | + case IPPROTO_TCP: { | |
3975 | + struct tcphdr tcph; | |
3976 | + | |
3977 | + /* See comments at tcp_match in ip_tables.c */ | |
3978 | + if (offset) | |
3979 | + return INVALID_PORT; | |
3980 | + | |
f45e9687 | 3981 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
5ce52adc | 3982 | + if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &tcph, sizeof(tcph)) < 0) |
f45e9687 | 3983 | +#else |
3984 | + if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &tcph, sizeof(tcph)) < 0) | |
3985 | +#endif | |
1aedc22c | 3986 | + /* No choice either */ |
3987 | + return INVALID_PORT; | |
3988 | + | |
3989 | + return ntohs(flags & IPSET_SRC ? | |
3990 | + tcph.source : tcph.dest); | |
3991 | + } | |
3992 | + case IPPROTO_UDP: { | |
3993 | + struct udphdr udph; | |
3994 | + | |
3995 | + if (offset) | |
3996 | + return INVALID_PORT; | |
3997 | + | |
f45e9687 | 3998 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
5ce52adc | 3999 | + if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &udph, sizeof(udph)) < 0) |
f45e9687 | 4000 | +#else |
4001 | + if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &udph, sizeof(udph)) < 0) | |
4002 | +#endif | |
1aedc22c | 4003 | + /* No choice either */ |
4004 | + return INVALID_PORT; | |
4005 | + | |
4006 | + return ntohs(flags & IPSET_SRC ? | |
4007 | + udph.source : udph.dest); | |
4008 | + } | |
4009 | + default: | |
4010 | + return INVALID_PORT; | |
4011 | + } | |
4012 | +} | |
4013 | + | |
4014 | +static inline __u32 | |
4015 | +jhash_ip(const struct ip_set_ipporthash *map, uint16_t i, ip_set_ip_t ip) | |
4016 | +{ | |
4017 | + return jhash_1word(ip, *(((uint32_t *) map->initval) + i)); | |
4018 | +} | |
4019 | + | |
4020 | +#define HASH_IP(map, ip, port) (port + ((ip - ((map)->first_ip)) << 16)) | |
4021 | + | |
4022 | +static inline __u32 | |
4023 | +hash_id(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port, | |
4024 | + ip_set_ip_t *hash_ip) | |
4025 | +{ | |
7d2f026e | 4026 | + struct ip_set_ipporthash *map = set->data; |
1aedc22c | 4027 | + __u32 id; |
4028 | + u_int16_t i; | |
4029 | + ip_set_ip_t *elem; | |
4030 | + | |
4031 | + *hash_ip = HASH_IP(map, ip, port); | |
4032 | + DP("set: %s, ipport:%u.%u.%u.%u:%u, %u.%u.%u.%u", | |
4033 | + set->name, HIPQUAD(ip), port, HIPQUAD(*hash_ip)); | |
4034 | + | |
4035 | + for (i = 0; i < map->probes; i++) { | |
4036 | + id = jhash_ip(map, i, *hash_ip) % map->hashsize; | |
4037 | + DP("hash key: %u", id); | |
4038 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id); | |
4039 | + if (*elem == *hash_ip) | |
4040 | + return id; | |
4041 | + /* No shortcut at testing - there can be deleted | |
4042 | + * entries. */ | |
4043 | + } | |
4044 | + return UINT_MAX; | |
4045 | +} | |
4046 | + | |
4047 | +static inline int | |
4048 | +__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port, | |
4049 | + ip_set_ip_t *hash_ip) | |
4050 | +{ | |
7d2f026e | 4051 | + struct ip_set_ipporthash *map = set->data; |
1aedc22c | 4052 | + |
4053 | + if (ip < map->first_ip || ip > map->last_ip) | |
4054 | + return -ERANGE; | |
4055 | + | |
4056 | + return (hash_id(set, ip, port, hash_ip) != UINT_MAX); | |
4057 | +} | |
4058 | + | |
4059 | +static int | |
4060 | +testip(struct ip_set *set, const void *data, size_t size, | |
4061 | + ip_set_ip_t *hash_ip) | |
4062 | +{ | |
7d2f026e | 4063 | + const struct ip_set_req_ipporthash *req = data; |
1aedc22c | 4064 | + |
4065 | + if (size != sizeof(struct ip_set_req_ipporthash)) { | |
4066 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
4067 | + sizeof(struct ip_set_req_ipporthash), | |
4068 | + size); | |
4069 | + return -EINVAL; | |
4070 | + } | |
4071 | + return __testip(set, req->ip, req->port, hash_ip); | |
4072 | +} | |
4073 | + | |
4074 | +static int | |
7d2f026e | 4075 | +testip_kernel(struct ip_set *set, |
1aedc22c | 4076 | + const struct sk_buff *skb, |
4077 | + ip_set_ip_t *hash_ip, | |
4078 | + const u_int32_t *flags, | |
4079 | + unsigned char index) | |
4080 | +{ | |
4081 | + ip_set_ip_t port; | |
f45e9687 | 4082 | + int res; |
1aedc22c | 4083 | + |
4084 | + if (flags[index+1] == 0) | |
f45e9687 | 4085 | + return 0; |
1aedc22c | 4086 | + |
4087 | + port = get_port(skb, flags[index+1]); | |
4088 | + | |
4089 | + DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u", | |
4090 | + flags[index] & IPSET_SRC ? "SRC" : "DST", | |
f45e9687 | 4091 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
5ce52adc JR |
4092 | + NIPQUAD(ip_hdr(skb)->saddr), |
4093 | + NIPQUAD(ip_hdr(skb)->daddr)); | |
f45e9687 | 4094 | +#else |
4095 | + NIPQUAD(skb->nh.iph->saddr), | |
4096 | + NIPQUAD(skb->nh.iph->daddr)); | |
4097 | +#endif | |
1aedc22c | 4098 | + DP("flag %s port %u", |
7d2f026e | 4099 | + flags[index+1] & IPSET_SRC ? "SRC" : "DST", |
1aedc22c | 4100 | + port); |
4101 | + if (port == INVALID_PORT) | |
4102 | + return 0; | |
4103 | + | |
f45e9687 | 4104 | + res = __testip(set, |
7d2f026e | 4105 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 4106 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 4107 | + ? ip_hdr(skb)->saddr |
5ce52adc | 4108 | + : ip_hdr(skb)->daddr), |
f45e9687 | 4109 | +#else |
7d2f026e | 4110 | + ? skb->nh.iph->saddr |
f45e9687 | 4111 | + : skb->nh.iph->daddr), |
4112 | +#endif | |
1aedc22c | 4113 | + port, |
4114 | + hash_ip); | |
f45e9687 | 4115 | + return (res < 0 ? 0 : res); |
4116 | + | |
1aedc22c | 4117 | +} |
4118 | + | |
4119 | +static inline int | |
4120 | +__add_haship(struct ip_set_ipporthash *map, ip_set_ip_t hash_ip) | |
4121 | +{ | |
4122 | + __u32 probe; | |
4123 | + u_int16_t i; | |
4124 | + ip_set_ip_t *elem; | |
4125 | + | |
4126 | + for (i = 0; i < map->probes; i++) { | |
4127 | + probe = jhash_ip(map, i, hash_ip) % map->hashsize; | |
4128 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe); | |
4129 | + if (*elem == hash_ip) | |
4130 | + return -EEXIST; | |
4131 | + if (!*elem) { | |
4132 | + *elem = hash_ip; | |
4133 | + map->elements++; | |
4134 | + return 0; | |
4135 | + } | |
4136 | + } | |
4137 | + /* Trigger rehashing */ | |
4138 | + return -EAGAIN; | |
4139 | +} | |
4140 | + | |
4141 | +static inline int | |
4142 | +__addip(struct ip_set_ipporthash *map, ip_set_ip_t ip, ip_set_ip_t port, | |
4143 | + ip_set_ip_t *hash_ip) | |
4144 | +{ | |
4145 | + if (map->elements > limit) | |
4146 | + return -ERANGE; | |
4147 | + if (ip < map->first_ip || ip > map->last_ip) | |
4148 | + return -ERANGE; | |
4149 | + | |
4150 | + *hash_ip = HASH_IP(map, ip, port); | |
4151 | + | |
4152 | + return __add_haship(map, *hash_ip); | |
4153 | +} | |
4154 | + | |
4155 | +static int | |
4156 | +addip(struct ip_set *set, const void *data, size_t size, | |
4157 | + ip_set_ip_t *hash_ip) | |
4158 | +{ | |
7d2f026e | 4159 | + const struct ip_set_req_ipporthash *req = data; |
1aedc22c | 4160 | + |
4161 | + if (size != sizeof(struct ip_set_req_ipporthash)) { | |
4162 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
4163 | + sizeof(struct ip_set_req_ipporthash), | |
4164 | + size); | |
4165 | + return -EINVAL; | |
4166 | + } | |
7d2f026e | 4167 | + return __addip(set->data, req->ip, req->port, hash_ip); |
1aedc22c | 4168 | +} |
4169 | + | |
4170 | +static int | |
7d2f026e | 4171 | +addip_kernel(struct ip_set *set, |
1aedc22c | 4172 | + const struct sk_buff *skb, |
4173 | + ip_set_ip_t *hash_ip, | |
4174 | + const u_int32_t *flags, | |
4175 | + unsigned char index) | |
4176 | +{ | |
4177 | + ip_set_ip_t port; | |
4178 | + | |
4179 | + if (flags[index+1] == 0) | |
4180 | + return -EINVAL; | |
4181 | + | |
4182 | + port = get_port(skb, flags[index+1]); | |
4183 | + | |
4184 | + DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u", | |
4185 | + flags[index] & IPSET_SRC ? "SRC" : "DST", | |
f45e9687 | 4186 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
5ce52adc JR |
4187 | + NIPQUAD(ip_hdr(skb)->saddr), |
4188 | + NIPQUAD(ip_hdr(skb)->daddr)); | |
f45e9687 | 4189 | +#else |
4190 | + NIPQUAD(skb->nh.iph->saddr), | |
4191 | + NIPQUAD(skb->nh.iph->daddr)); | |
4192 | +#endif | |
7d2f026e | 4193 | + DP("flag %s port %u", |
4194 | + flags[index+1] & IPSET_SRC ? "SRC" : "DST", | |
1aedc22c | 4195 | + port); |
4196 | + if (port == INVALID_PORT) | |
4197 | + return -EINVAL; | |
4198 | + | |
7d2f026e | 4199 | + return __addip(set->data, |
4200 | + ntohl(flags[index] & IPSET_SRC | |
f45e9687 | 4201 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 4202 | + ? ip_hdr(skb)->saddr |
5ce52adc | 4203 | + : ip_hdr(skb)->daddr), |
f45e9687 | 4204 | +#else |
7d2f026e | 4205 | + ? skb->nh.iph->saddr |
f45e9687 | 4206 | + : skb->nh.iph->daddr), |
4207 | +#endif | |
1aedc22c | 4208 | + port, |
4209 | + hash_ip); | |
4210 | +} | |
4211 | + | |
4212 | +static int retry(struct ip_set *set) | |
4213 | +{ | |
7d2f026e | 4214 | + struct ip_set_ipporthash *map = set->data; |
1aedc22c | 4215 | + ip_set_ip_t *elem; |
4216 | + void *members; | |
4217 | + u_int32_t i, hashsize = map->hashsize; | |
4218 | + int res; | |
4219 | + struct ip_set_ipporthash *tmp; | |
4220 | + | |
4221 | + if (map->resize == 0) | |
4222 | + return -ERANGE; | |
4223 | + | |
4224 | + again: | |
4225 | + res = 0; | |
4226 | + | |
4227 | + /* Calculate new hash size */ | |
4228 | + hashsize += (hashsize * map->resize)/100; | |
4229 | + if (hashsize == map->hashsize) | |
4230 | + hashsize++; | |
4231 | + | |
4232 | + ip_set_printk("rehashing of set %s triggered: " | |
4233 | + "hashsize grows from %u to %u", | |
4234 | + set->name, map->hashsize, hashsize); | |
4235 | + | |
7d2f026e | 4236 | + tmp = kmalloc(sizeof(struct ip_set_ipporthash) |
1aedc22c | 4237 | + + map->probes * sizeof(uint32_t), GFP_ATOMIC); |
4238 | + if (!tmp) { | |
4239 | + DP("out of memory for %d bytes", | |
4240 | + sizeof(struct ip_set_ipporthash) | |
4241 | + + map->probes * sizeof(uint32_t)); | |
4242 | + return -ENOMEM; | |
4243 | + } | |
4244 | + tmp->members = harray_malloc(hashsize, sizeof(ip_set_ip_t), GFP_ATOMIC); | |
4245 | + if (!tmp->members) { | |
4246 | + DP("out of memory for %d bytes", hashsize * sizeof(ip_set_ip_t)); | |
4247 | + kfree(tmp); | |
4248 | + return -ENOMEM; | |
4249 | + } | |
4250 | + tmp->hashsize = hashsize; | |
4251 | + tmp->elements = 0; | |
4252 | + tmp->probes = map->probes; | |
4253 | + tmp->resize = map->resize; | |
4254 | + tmp->first_ip = map->first_ip; | |
4255 | + tmp->last_ip = map->last_ip; | |
4256 | + memcpy(tmp->initval, map->initval, map->probes * sizeof(uint32_t)); | |
4257 | + | |
4258 | + write_lock_bh(&set->lock); | |
7d2f026e | 4259 | + map = set->data; /* Play safe */ |
1aedc22c | 4260 | + for (i = 0; i < map->hashsize && res == 0; i++) { |
4261 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, i); | |
4262 | + if (*elem) | |
4263 | + res = __add_haship(tmp, *elem); | |
4264 | + } | |
4265 | + if (res) { | |
4266 | + /* Failure, try again */ | |
4267 | + write_unlock_bh(&set->lock); | |
4268 | + harray_free(tmp->members); | |
4269 | + kfree(tmp); | |
4270 | + goto again; | |
4271 | + } | |
4272 | + | |
4273 | + /* Success at resizing! */ | |
4274 | + members = map->members; | |
4275 | + | |
4276 | + map->hashsize = tmp->hashsize; | |
4277 | + map->members = tmp->members; | |
4278 | + write_unlock_bh(&set->lock); | |
4279 | + | |
4280 | + harray_free(members); | |
4281 | + kfree(tmp); | |
4282 | + | |
4283 | + return 0; | |
4284 | +} | |
4285 | + | |
4286 | +static inline int | |
4287 | +__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t port, | |
4288 | + ip_set_ip_t *hash_ip) | |
4289 | +{ | |
7d2f026e | 4290 | + struct ip_set_ipporthash *map = set->data; |
1aedc22c | 4291 | + ip_set_ip_t id; |
4292 | + ip_set_ip_t *elem; | |
4293 | + | |
4294 | + if (ip < map->first_ip || ip > map->last_ip) | |
4295 | + return -ERANGE; | |
4296 | + | |
4297 | + id = hash_id(set, ip, port, hash_ip); | |
4298 | + | |
4299 | + if (id == UINT_MAX) | |
4300 | + return -EEXIST; | |
4301 | + | |
4302 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id); | |
4303 | + *elem = 0; | |
4304 | + map->elements--; | |
4305 | + | |
4306 | + return 0; | |
4307 | +} | |
4308 | + | |
4309 | +static int | |
4310 | +delip(struct ip_set *set, const void *data, size_t size, | |
4311 | + ip_set_ip_t *hash_ip) | |
4312 | +{ | |
7d2f026e | 4313 | + const struct ip_set_req_ipporthash *req = data; |
1aedc22c | 4314 | + |
4315 | + if (size != sizeof(struct ip_set_req_ipporthash)) { | |
4316 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
4317 | + sizeof(struct ip_set_req_ipporthash), | |
4318 | + size); | |
4319 | + return -EINVAL; | |
4320 | + } | |
4321 | + return __delip(set, req->ip, req->port, hash_ip); | |
4322 | +} | |
4323 | + | |
4324 | +static int | |
7d2f026e | 4325 | +delip_kernel(struct ip_set *set, |
1aedc22c | 4326 | + const struct sk_buff *skb, |
4327 | + ip_set_ip_t *hash_ip, | |
4328 | + const u_int32_t *flags, | |
4329 | + unsigned char index) | |
4330 | +{ | |
4331 | + ip_set_ip_t port; | |
4332 | + | |
4333 | + if (flags[index+1] == 0) | |
4334 | + return -EINVAL; | |
4335 | + | |
4336 | + port = get_port(skb, flags[index+1]); | |
4337 | + | |
4338 | + DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u", | |
4339 | + flags[index] & IPSET_SRC ? "SRC" : "DST", | |
f45e9687 | 4340 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
5ce52adc JR |
4341 | + NIPQUAD(ip_hdr(skb)->saddr), |
4342 | + NIPQUAD(ip_hdr(skb)->daddr)); | |
f45e9687 | 4343 | +#else |
4344 | + NIPQUAD(skb->nh.iph->saddr), | |
4345 | + NIPQUAD(skb->nh.iph->daddr)); | |
4346 | +#endif | |
1aedc22c | 4347 | + DP("flag %s port %u", |
7d2f026e | 4348 | + flags[index+1] & IPSET_SRC ? "SRC" : "DST", |
1aedc22c | 4349 | + port); |
4350 | + if (port == INVALID_PORT) | |
4351 | + return -EINVAL; | |
4352 | + | |
4353 | + return __delip(set, | |
7d2f026e | 4354 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 4355 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 4356 | + ? ip_hdr(skb)->saddr |
5ce52adc | 4357 | + : ip_hdr(skb)->daddr), |
f45e9687 | 4358 | +#else |
7d2f026e | 4359 | + ? skb->nh.iph->saddr |
f45e9687 | 4360 | + : skb->nh.iph->daddr), |
4361 | +#endif | |
1aedc22c | 4362 | + port, |
4363 | + hash_ip); | |
4364 | +} | |
4365 | + | |
4366 | +static int create(struct ip_set *set, const void *data, size_t size) | |
4367 | +{ | |
7d2f026e | 4368 | + const struct ip_set_req_ipporthash_create *req = data; |
1aedc22c | 4369 | + struct ip_set_ipporthash *map; |
4370 | + uint16_t i; | |
4371 | + | |
4372 | + if (size != sizeof(struct ip_set_req_ipporthash_create)) { | |
4373 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
4374 | + sizeof(struct ip_set_req_ipporthash_create), | |
4375 | + size); | |
4376 | + return -EINVAL; | |
4377 | + } | |
4378 | + | |
4379 | + if (req->hashsize < 1) { | |
4380 | + ip_set_printk("hashsize too small"); | |
4381 | + return -ENOEXEC; | |
4382 | + } | |
4383 | + | |
4384 | + if (req->probes < 1) { | |
4385 | + ip_set_printk("probes too small"); | |
4386 | + return -ENOEXEC; | |
4387 | + } | |
4388 | + | |
7d2f026e | 4389 | + map = kmalloc(sizeof(struct ip_set_ipporthash) |
1aedc22c | 4390 | + + req->probes * sizeof(uint32_t), GFP_KERNEL); |
4391 | + if (!map) { | |
4392 | + DP("out of memory for %d bytes", | |
4393 | + sizeof(struct ip_set_ipporthash) | |
4394 | + + req->probes * sizeof(uint32_t)); | |
4395 | + return -ENOMEM; | |
4396 | + } | |
4397 | + for (i = 0; i < req->probes; i++) | |
4398 | + get_random_bytes(((uint32_t *) map->initval)+i, 4); | |
4399 | + map->elements = 0; | |
4400 | + map->hashsize = req->hashsize; | |
4401 | + map->probes = req->probes; | |
4402 | + map->resize = req->resize; | |
4403 | + map->first_ip = req->from; | |
4404 | + map->last_ip = req->to; | |
4405 | + map->members = harray_malloc(map->hashsize, sizeof(ip_set_ip_t), GFP_KERNEL); | |
4406 | + if (!map->members) { | |
4407 | + DP("out of memory for %d bytes", map->hashsize * sizeof(ip_set_ip_t)); | |
4408 | + kfree(map); | |
4409 | + return -ENOMEM; | |
4410 | + } | |
4411 | + | |
4412 | + set->data = map; | |
4413 | + return 0; | |
4414 | +} | |
4415 | + | |
4416 | +static void destroy(struct ip_set *set) | |
4417 | +{ | |
7d2f026e | 4418 | + struct ip_set_ipporthash *map = set->data; |
1aedc22c | 4419 | + |
4420 | + harray_free(map->members); | |
4421 | + kfree(map); | |
4422 | + | |
4423 | + set->data = NULL; | |
4424 | +} | |
4425 | + | |
4426 | +static void flush(struct ip_set *set) | |
4427 | +{ | |
7d2f026e | 4428 | + struct ip_set_ipporthash *map = set->data; |
1aedc22c | 4429 | + harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t)); |
4430 | + map->elements = 0; | |
4431 | +} | |
4432 | + | |
4433 | +static void list_header(const struct ip_set *set, void *data) | |
4434 | +{ | |
7d2f026e | 4435 | + const struct ip_set_ipporthash *map = set->data; |
4436 | + struct ip_set_req_ipporthash_create *header = data; | |
1aedc22c | 4437 | + |
4438 | + header->hashsize = map->hashsize; | |
4439 | + header->probes = map->probes; | |
4440 | + header->resize = map->resize; | |
4441 | + header->from = map->first_ip; | |
4442 | + header->to = map->last_ip; | |
4443 | +} | |
4444 | + | |
4445 | +static int list_members_size(const struct ip_set *set) | |
4446 | +{ | |
7d2f026e | 4447 | + const struct ip_set_ipporthash *map = set->data; |
1aedc22c | 4448 | + |
4449 | + return (map->hashsize * sizeof(ip_set_ip_t)); | |
4450 | +} | |
4451 | + | |
4452 | +static void list_members(const struct ip_set *set, void *data) | |
4453 | +{ | |
7d2f026e | 4454 | + const struct ip_set_ipporthash *map = set->data; |
1aedc22c | 4455 | + ip_set_ip_t i, *elem; |
4456 | + | |
4457 | + for (i = 0; i < map->hashsize; i++) { | |
4458 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, i); | |
4459 | + ((ip_set_ip_t *)data)[i] = *elem; | |
4460 | + } | |
4461 | +} | |
4462 | + | |
4463 | +static struct ip_set_type ip_set_ipporthash = { | |
4464 | + .typename = SETTYPE_NAME, | |
4465 | + .features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_DATA_DOUBLE, | |
4466 | + .protocol_version = IP_SET_PROTOCOL_VERSION, | |
4467 | + .create = &create, | |
4468 | + .destroy = &destroy, | |
4469 | + .flush = &flush, | |
4470 | + .reqsize = sizeof(struct ip_set_req_ipporthash), | |
4471 | + .addip = &addip, | |
4472 | + .addip_kernel = &addip_kernel, | |
4473 | + .retry = &retry, | |
4474 | + .delip = &delip, | |
4475 | + .delip_kernel = &delip_kernel, | |
4476 | + .testip = &testip, | |
4477 | + .testip_kernel = &testip_kernel, | |
4478 | + .header_size = sizeof(struct ip_set_req_ipporthash_create), | |
4479 | + .list_header = &list_header, | |
4480 | + .list_members_size = &list_members_size, | |
4481 | + .list_members = &list_members, | |
4482 | + .me = THIS_MODULE, | |
4483 | +}; | |
4484 | + | |
4485 | +MODULE_LICENSE("GPL"); | |
4486 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
4487 | +MODULE_DESCRIPTION("ipporthash type of IP sets"); | |
4488 | +module_param(limit, int, 0600); | |
4489 | +MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets"); | |
4490 | + | |
f45e9687 | 4491 | +static int __init ip_set_ipporthash_init(void) |
1aedc22c | 4492 | +{ |
7d2f026e | 4493 | + init_max_page_size(); |
1aedc22c | 4494 | + return ip_set_register_set_type(&ip_set_ipporthash); |
4495 | +} | |
4496 | + | |
f45e9687 | 4497 | +static void __exit ip_set_ipporthash_fini(void) |
1aedc22c | 4498 | +{ |
4499 | + /* FIXME: possible race with ip_set_create() */ | |
4500 | + ip_set_unregister_set_type(&ip_set_ipporthash); | |
4501 | +} | |
4502 | + | |
f45e9687 | 4503 | +module_init(ip_set_ipporthash_init); |
4504 | +module_exit(ip_set_ipporthash_fini); | |
7d2f026e | 4505 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/ip_set_iptree.c linux-2.6/net/ipv4/netfilter/ip_set_iptree.c |
4506 | --- a/net/ipv4/netfilter/ip_set_iptree.c 1970-01-01 01:00:00.000000000 +0100 | |
4507 | +++ linux-2.6/net/ipv4/netfilter/ip_set_iptree.c 2008-07-08 16:52:53.965201208 +0200 | |
4508 | @@ -0,0 +1,607 @@ | |
1aedc22c | 4509 | +/* Copyright (C) 2005 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
4510 | + * | |
4511 | + * This program is free software; you can redistribute it and/or modify | |
4512 | + * it under the terms of the GNU General Public License version 2 as | |
7d2f026e | 4513 | + * published by the Free Software Foundation. |
1aedc22c | 4514 | + */ |
4515 | + | |
4516 | +/* Kernel module implementing an IP set type: the iptree type */ | |
4517 | + | |
9f54053a | 4518 | +#include <linux/version.h> |
1aedc22c | 4519 | +#include <linux/module.h> |
4520 | +#include <linux/ip.h> | |
4521 | +#include <linux/skbuff.h> | |
4522 | +#include <linux/slab.h> | |
4523 | +#include <linux/delay.h> | |
4524 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
4525 | +#include <linux/netfilter_ipv4/ip_set.h> | |
4526 | +#include <linux/errno.h> | |
4527 | +#include <asm/uaccess.h> | |
4528 | +#include <asm/bitops.h> | |
4529 | +#include <linux/spinlock.h> | |
4530 | + | |
4531 | +/* Backward compatibility */ | |
4532 | +#ifndef __nocast | |
4533 | +#define __nocast | |
4534 | +#endif | |
4535 | + | |
4536 | +#include <linux/netfilter_ipv4/ip_set_iptree.h> | |
4537 | + | |
4538 | +static int limit = MAX_RANGE; | |
4539 | + | |
4540 | +/* Garbage collection interval in seconds: */ | |
4541 | +#define IPTREE_GC_TIME 5*60 | |
7d2f026e | 4542 | +/* Sleep so many milliseconds before trying again |
4543 | + * to delete the gc timer at destroying/flushing a set */ | |
1aedc22c | 4544 | +#define IPTREE_DESTROY_SLEEP 100 |
4545 | + | |
9f54053a | 4546 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) |
ca74d27b | 4547 | +static struct kmem_cache *branch_cachep; |
4548 | +static struct kmem_cache *leaf_cachep; | |
9f54053a JR |
4549 | +#else |
4550 | +static kmem_cache_t *branch_cachep; | |
4551 | +static kmem_cache_t *leaf_cachep; | |
4552 | +#endif | |
1aedc22c | 4553 | + |
f45e9687 | 4554 | +#if defined(__LITTLE_ENDIAN) |
1aedc22c | 4555 | +#define ABCD(a,b,c,d,addrp) do { \ |
4556 | + a = ((unsigned char *)addrp)[3]; \ | |
4557 | + b = ((unsigned char *)addrp)[2]; \ | |
4558 | + c = ((unsigned char *)addrp)[1]; \ | |
4559 | + d = ((unsigned char *)addrp)[0]; \ | |
4560 | +} while (0) | |
f45e9687 | 4561 | +#elif defined(__BIG_ENDIAN) |
4562 | +#define ABCD(a,b,c,d,addrp) do { \ | |
4563 | + a = ((unsigned char *)addrp)[0]; \ | |
4564 | + b = ((unsigned char *)addrp)[1]; \ | |
4565 | + c = ((unsigned char *)addrp)[2]; \ | |
4566 | + d = ((unsigned char *)addrp)[3]; \ | |
4567 | +} while (0) | |
4568 | +#else | |
4569 | +#error "Please fix asm/byteorder.h" | |
4570 | +#endif /* __LITTLE_ENDIAN */ | |
1aedc22c | 4571 | + |
4572 | +#define TESTIP_WALK(map, elem, branch) do { \ | |
4573 | + if ((map)->tree[elem]) { \ | |
4574 | + branch = (map)->tree[elem]; \ | |
4575 | + } else \ | |
4576 | + return 0; \ | |
4577 | +} while (0) | |
4578 | + | |
4579 | +static inline int | |
4580 | +__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) | |
4581 | +{ | |
7d2f026e | 4582 | + struct ip_set_iptree *map = set->data; |
1aedc22c | 4583 | + struct ip_set_iptreeb *btree; |
4584 | + struct ip_set_iptreec *ctree; | |
4585 | + struct ip_set_iptreed *dtree; | |
4586 | + unsigned char a,b,c,d; | |
4587 | + | |
4588 | + if (!ip) | |
4589 | + return -ERANGE; | |
4590 | + | |
4591 | + *hash_ip = ip; | |
4592 | + ABCD(a, b, c, d, hash_ip); | |
4593 | + DP("%u %u %u %u timeout %u", a, b, c, d, map->timeout); | |
4594 | + TESTIP_WALK(map, a, btree); | |
4595 | + TESTIP_WALK(btree, b, ctree); | |
4596 | + TESTIP_WALK(ctree, c, dtree); | |
4597 | + DP("%lu %lu", dtree->expires[d], jiffies); | |
f45e9687 | 4598 | + return dtree->expires[d] |
4599 | + && (!map->timeout | |
4600 | + || time_after(dtree->expires[d], jiffies)); | |
1aedc22c | 4601 | +} |
4602 | + | |
4603 | +static int | |
4604 | +testip(struct ip_set *set, const void *data, size_t size, | |
4605 | + ip_set_ip_t *hash_ip) | |
4606 | +{ | |
7d2f026e | 4607 | + const struct ip_set_req_iptree *req = data; |
1aedc22c | 4608 | + |
4609 | + if (size != sizeof(struct ip_set_req_iptree)) { | |
4610 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
4611 | + sizeof(struct ip_set_req_iptree), | |
4612 | + size); | |
4613 | + return -EINVAL; | |
4614 | + } | |
4615 | + return __testip(set, req->ip, hash_ip); | |
4616 | +} | |
4617 | + | |
4618 | +static int | |
7d2f026e | 4619 | +testip_kernel(struct ip_set *set, |
1aedc22c | 4620 | + const struct sk_buff *skb, |
4621 | + ip_set_ip_t *hash_ip, | |
4622 | + const u_int32_t *flags, | |
4623 | + unsigned char index) | |
4624 | +{ | |
4625 | + int res; | |
4626 | + | |
4627 | + DP("flag: %s src: %u.%u.%u.%u dst: %u.%u.%u.%u", | |
4628 | + flags[index] & IPSET_SRC ? "SRC" : "DST", | |
f45e9687 | 4629 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
5ce52adc JR |
4630 | + NIPQUAD(ip_hdr(skb)->saddr), |
4631 | + NIPQUAD(ip_hdr(skb)->daddr)); | |
f45e9687 | 4632 | +#else |
4633 | + NIPQUAD(skb->nh.iph->saddr), | |
4634 | + NIPQUAD(skb->nh.iph->daddr)); | |
4635 | +#endif | |
1aedc22c | 4636 | + |
4637 | + res = __testip(set, | |
7d2f026e | 4638 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 4639 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 4640 | + ? ip_hdr(skb)->saddr |
5ce52adc | 4641 | + : ip_hdr(skb)->daddr), |
f45e9687 | 4642 | +#else |
7d2f026e | 4643 | + ? skb->nh.iph->saddr |
f45e9687 | 4644 | + : skb->nh.iph->daddr), |
4645 | +#endif | |
1aedc22c | 4646 | + hash_ip); |
4647 | + return (res < 0 ? 0 : res); | |
4648 | +} | |
4649 | + | |
f45e9687 | 4650 | +#define ADDIP_WALK(map, elem, branch, type, cachep) do { \ |
1aedc22c | 4651 | + if ((map)->tree[elem]) { \ |
4652 | + DP("found %u", elem); \ | |
4653 | + branch = (map)->tree[elem]; \ | |
4654 | + } else { \ | |
4655 | + branch = (type *) \ | |
f45e9687 | 4656 | + kmem_cache_alloc(cachep, GFP_ATOMIC); \ |
1aedc22c | 4657 | + if (branch == NULL) \ |
4658 | + return -ENOMEM; \ | |
4659 | + memset(branch, 0, sizeof(*branch)); \ | |
4660 | + (map)->tree[elem] = branch; \ | |
4661 | + DP("alloc %u", elem); \ | |
4662 | + } \ | |
4663 | +} while (0) | |
4664 | + | |
4665 | +static inline int | |
4666 | +__addip(struct ip_set *set, ip_set_ip_t ip, unsigned int timeout, | |
f45e9687 | 4667 | + ip_set_ip_t *hash_ip) |
1aedc22c | 4668 | +{ |
7d2f026e | 4669 | + struct ip_set_iptree *map = set->data; |
1aedc22c | 4670 | + struct ip_set_iptreeb *btree; |
4671 | + struct ip_set_iptreec *ctree; | |
4672 | + struct ip_set_iptreed *dtree; | |
4673 | + unsigned char a,b,c,d; | |
4674 | + int ret = 0; | |
4675 | + | |
f45e9687 | 4676 | + if (!ip || map->elements >= limit) |
1aedc22c | 4677 | + /* We could call the garbage collector |
4678 | + * but it's probably overkill */ | |
4679 | + return -ERANGE; | |
4680 | + | |
4681 | + *hash_ip = ip; | |
4682 | + ABCD(a, b, c, d, hash_ip); | |
4683 | + DP("%u %u %u %u timeout %u", a, b, c, d, timeout); | |
f45e9687 | 4684 | + ADDIP_WALK(map, a, btree, struct ip_set_iptreeb, branch_cachep); |
4685 | + ADDIP_WALK(btree, b, ctree, struct ip_set_iptreec, branch_cachep); | |
4686 | + ADDIP_WALK(ctree, c, dtree, struct ip_set_iptreed, leaf_cachep); | |
1aedc22c | 4687 | + if (dtree->expires[d] |
4688 | + && (!map->timeout || time_after(dtree->expires[d], jiffies))) | |
4689 | + ret = -EEXIST; | |
4690 | + dtree->expires[d] = map->timeout ? (timeout * HZ + jiffies) : 1; | |
f45e9687 | 4691 | + /* Lottery: I won! */ |
1aedc22c | 4692 | + if (dtree->expires[d] == 0) |
4693 | + dtree->expires[d] = 1; | |
4694 | + DP("%u %lu", d, dtree->expires[d]); | |
4695 | + if (ret == 0) | |
4696 | + map->elements++; | |
4697 | + return ret; | |
4698 | +} | |
4699 | + | |
4700 | +static int | |
4701 | +addip(struct ip_set *set, const void *data, size_t size, | |
4702 | + ip_set_ip_t *hash_ip) | |
4703 | +{ | |
7d2f026e | 4704 | + struct ip_set_iptree *map = set->data; |
4705 | + const struct ip_set_req_iptree *req = data; | |
1aedc22c | 4706 | + |
4707 | + if (size != sizeof(struct ip_set_req_iptree)) { | |
4708 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
4709 | + sizeof(struct ip_set_req_iptree), | |
4710 | + size); | |
4711 | + return -EINVAL; | |
4712 | + } | |
4713 | + DP("%u.%u.%u.%u %u", HIPQUAD(req->ip), req->timeout); | |
4714 | + return __addip(set, req->ip, | |
4715 | + req->timeout ? req->timeout : map->timeout, | |
f45e9687 | 4716 | + hash_ip); |
1aedc22c | 4717 | +} |
4718 | + | |
4719 | +static int | |
7d2f026e | 4720 | +addip_kernel(struct ip_set *set, |
1aedc22c | 4721 | + const struct sk_buff *skb, |
4722 | + ip_set_ip_t *hash_ip, | |
4723 | + const u_int32_t *flags, | |
4724 | + unsigned char index) | |
4725 | +{ | |
7d2f026e | 4726 | + struct ip_set_iptree *map = set->data; |
1aedc22c | 4727 | + |
4728 | + return __addip(set, | |
7d2f026e | 4729 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 4730 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 4731 | + ? ip_hdr(skb)->saddr |
5ce52adc | 4732 | + : ip_hdr(skb)->daddr), |
f45e9687 | 4733 | +#else |
7d2f026e | 4734 | + ? skb->nh.iph->saddr |
f45e9687 | 4735 | + : skb->nh.iph->daddr), |
4736 | +#endif | |
1aedc22c | 4737 | + map->timeout, |
f45e9687 | 4738 | + hash_ip); |
1aedc22c | 4739 | +} |
4740 | + | |
4741 | +#define DELIP_WALK(map, elem, branch) do { \ | |
4742 | + if ((map)->tree[elem]) { \ | |
4743 | + branch = (map)->tree[elem]; \ | |
4744 | + } else \ | |
4745 | + return -EEXIST; \ | |
4746 | +} while (0) | |
4747 | + | |
7d2f026e | 4748 | +static inline int |
1aedc22c | 4749 | +__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) |
4750 | +{ | |
7d2f026e | 4751 | + struct ip_set_iptree *map = set->data; |
1aedc22c | 4752 | + struct ip_set_iptreeb *btree; |
4753 | + struct ip_set_iptreec *ctree; | |
4754 | + struct ip_set_iptreed *dtree; | |
4755 | + unsigned char a,b,c,d; | |
4756 | + | |
4757 | + if (!ip) | |
4758 | + return -ERANGE; | |
4759 | + | |
4760 | + *hash_ip = ip; | |
4761 | + ABCD(a, b, c, d, hash_ip); | |
4762 | + DELIP_WALK(map, a, btree); | |
4763 | + DELIP_WALK(btree, b, ctree); | |
4764 | + DELIP_WALK(ctree, c, dtree); | |
4765 | + | |
4766 | + if (dtree->expires[d]) { | |
4767 | + dtree->expires[d] = 0; | |
4768 | + map->elements--; | |
4769 | + return 0; | |
4770 | + } | |
4771 | + return -EEXIST; | |
4772 | +} | |
4773 | + | |
4774 | +static int | |
4775 | +delip(struct ip_set *set, const void *data, size_t size, | |
4776 | + ip_set_ip_t *hash_ip) | |
4777 | +{ | |
7d2f026e | 4778 | + const struct ip_set_req_iptree *req = data; |
1aedc22c | 4779 | + |
4780 | + if (size != sizeof(struct ip_set_req_iptree)) { | |
4781 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
4782 | + sizeof(struct ip_set_req_iptree), | |
4783 | + size); | |
4784 | + return -EINVAL; | |
4785 | + } | |
4786 | + return __delip(set, req->ip, hash_ip); | |
4787 | +} | |
4788 | + | |
4789 | +static int | |
7d2f026e | 4790 | +delip_kernel(struct ip_set *set, |
1aedc22c | 4791 | + const struct sk_buff *skb, |
4792 | + ip_set_ip_t *hash_ip, | |
4793 | + const u_int32_t *flags, | |
4794 | + unsigned char index) | |
4795 | +{ | |
4796 | + return __delip(set, | |
7d2f026e | 4797 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 4798 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 4799 | + ? ip_hdr(skb)->saddr |
5ce52adc | 4800 | + : ip_hdr(skb)->daddr), |
f45e9687 | 4801 | +#else |
7d2f026e | 4802 | + ? skb->nh.iph->saddr |
f45e9687 | 4803 | + : skb->nh.iph->daddr), |
4804 | +#endif | |
1aedc22c | 4805 | + hash_ip); |
4806 | +} | |
4807 | + | |
4808 | +#define LOOP_WALK_BEGIN(map, i, branch) \ | |
4809 | + for (i = 0; i < 256; i++) { \ | |
4810 | + if (!(map)->tree[i]) \ | |
4811 | + continue; \ | |
4812 | + branch = (map)->tree[i] | |
4813 | + | |
4814 | +#define LOOP_WALK_END } | |
4815 | + | |
4816 | +static void ip_tree_gc(unsigned long ul_set) | |
4817 | +{ | |
7d2f026e | 4818 | + struct ip_set *set = (struct ip_set *) ul_set; |
4819 | + struct ip_set_iptree *map = set->data; | |
1aedc22c | 4820 | + struct ip_set_iptreeb *btree; |
4821 | + struct ip_set_iptreec *ctree; | |
4822 | + struct ip_set_iptreed *dtree; | |
4823 | + unsigned int a,b,c,d; | |
4824 | + unsigned char i,j,k; | |
4825 | + | |
4826 | + i = j = k = 0; | |
4827 | + DP("gc: %s", set->name); | |
4828 | + write_lock_bh(&set->lock); | |
4829 | + LOOP_WALK_BEGIN(map, a, btree); | |
4830 | + LOOP_WALK_BEGIN(btree, b, ctree); | |
4831 | + LOOP_WALK_BEGIN(ctree, c, dtree); | |
4832 | + for (d = 0; d < 256; d++) { | |
4833 | + if (dtree->expires[d]) { | |
4834 | + DP("gc: %u %u %u %u: expires %lu jiffies %lu", | |
4835 | + a, b, c, d, | |
4836 | + dtree->expires[d], jiffies); | |
4837 | + if (map->timeout | |
4838 | + && time_before(dtree->expires[d], jiffies)) { | |
4839 | + dtree->expires[d] = 0; | |
4840 | + map->elements--; | |
4841 | + } else | |
4842 | + k = 1; | |
4843 | + } | |
4844 | + } | |
4845 | + if (k == 0) { | |
4846 | + DP("gc: %s: leaf %u %u %u empty", | |
4847 | + set->name, a, b, c); | |
4848 | + kmem_cache_free(leaf_cachep, dtree); | |
4849 | + ctree->tree[c] = NULL; | |
4850 | + } else { | |
4851 | + DP("gc: %s: leaf %u %u %u not empty", | |
4852 | + set->name, a, b, c); | |
4853 | + j = 1; | |
4854 | + k = 0; | |
4855 | + } | |
4856 | + LOOP_WALK_END; | |
4857 | + if (j == 0) { | |
4858 | + DP("gc: %s: branch %u %u empty", | |
4859 | + set->name, a, b); | |
4860 | + kmem_cache_free(branch_cachep, ctree); | |
4861 | + btree->tree[b] = NULL; | |
4862 | + } else { | |
4863 | + DP("gc: %s: branch %u %u not empty", | |
4864 | + set->name, a, b); | |
4865 | + i = 1; | |
4866 | + j = k = 0; | |
4867 | + } | |
4868 | + LOOP_WALK_END; | |
4869 | + if (i == 0) { | |
4870 | + DP("gc: %s: branch %u empty", | |
4871 | + set->name, a); | |
4872 | + kmem_cache_free(branch_cachep, btree); | |
4873 | + map->tree[a] = NULL; | |
4874 | + } else { | |
4875 | + DP("gc: %s: branch %u not empty", | |
4876 | + set->name, a); | |
4877 | + i = j = k = 0; | |
4878 | + } | |
4879 | + LOOP_WALK_END; | |
4880 | + write_unlock_bh(&set->lock); | |
4881 | + | |
4882 | + map->gc.expires = jiffies + map->gc_interval * HZ; | |
4883 | + add_timer(&map->gc); | |
4884 | +} | |
4885 | + | |
4886 | +static inline void init_gc_timer(struct ip_set *set) | |
4887 | +{ | |
7d2f026e | 4888 | + struct ip_set_iptree *map = set->data; |
1aedc22c | 4889 | + |
4890 | + /* Even if there is no timeout for the entries, | |
4891 | + * we still have to call gc because delete | |
4892 | + * do not clean up empty branches */ | |
4893 | + map->gc_interval = IPTREE_GC_TIME; | |
4894 | + init_timer(&map->gc); | |
4895 | + map->gc.data = (unsigned long) set; | |
4896 | + map->gc.function = ip_tree_gc; | |
4897 | + map->gc.expires = jiffies + map->gc_interval * HZ; | |
4898 | + add_timer(&map->gc); | |
4899 | +} | |
4900 | + | |
4901 | +static int create(struct ip_set *set, const void *data, size_t size) | |
4902 | +{ | |
7d2f026e | 4903 | + const struct ip_set_req_iptree_create *req = data; |
1aedc22c | 4904 | + struct ip_set_iptree *map; |
4905 | + | |
4906 | + if (size != sizeof(struct ip_set_req_iptree_create)) { | |
4907 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
4908 | + sizeof(struct ip_set_req_iptree_create), | |
4909 | + size); | |
4910 | + return -EINVAL; | |
4911 | + } | |
4912 | + | |
4913 | + map = kmalloc(sizeof(struct ip_set_iptree), GFP_KERNEL); | |
4914 | + if (!map) { | |
4915 | + DP("out of memory for %d bytes", | |
4916 | + sizeof(struct ip_set_iptree)); | |
4917 | + return -ENOMEM; | |
4918 | + } | |
4919 | + memset(map, 0, sizeof(*map)); | |
4920 | + map->timeout = req->timeout; | |
4921 | + map->elements = 0; | |
4922 | + set->data = map; | |
4923 | + | |
4924 | + init_gc_timer(set); | |
4925 | + | |
4926 | + return 0; | |
4927 | +} | |
4928 | + | |
4929 | +static void __flush(struct ip_set_iptree *map) | |
4930 | +{ | |
4931 | + struct ip_set_iptreeb *btree; | |
4932 | + struct ip_set_iptreec *ctree; | |
4933 | + struct ip_set_iptreed *dtree; | |
4934 | + unsigned int a,b,c; | |
4935 | + | |
4936 | + LOOP_WALK_BEGIN(map, a, btree); | |
4937 | + LOOP_WALK_BEGIN(btree, b, ctree); | |
4938 | + LOOP_WALK_BEGIN(ctree, c, dtree); | |
4939 | + kmem_cache_free(leaf_cachep, dtree); | |
4940 | + LOOP_WALK_END; | |
4941 | + kmem_cache_free(branch_cachep, ctree); | |
4942 | + LOOP_WALK_END; | |
4943 | + kmem_cache_free(branch_cachep, btree); | |
4944 | + LOOP_WALK_END; | |
4945 | + map->elements = 0; | |
4946 | +} | |
4947 | + | |
4948 | +static void destroy(struct ip_set *set) | |
4949 | +{ | |
7d2f026e | 4950 | + struct ip_set_iptree *map = set->data; |
1aedc22c | 4951 | + |
4952 | + /* gc might be running */ | |
4953 | + while (!del_timer(&map->gc)) | |
4954 | + msleep(IPTREE_DESTROY_SLEEP); | |
4955 | + __flush(map); | |
4956 | + kfree(map); | |
4957 | + set->data = NULL; | |
4958 | +} | |
4959 | + | |
4960 | +static void flush(struct ip_set *set) | |
4961 | +{ | |
7d2f026e | 4962 | + struct ip_set_iptree *map = set->data; |
1aedc22c | 4963 | + unsigned int timeout = map->timeout; |
4964 | + | |
4965 | + /* gc might be running */ | |
4966 | + while (!del_timer(&map->gc)) | |
4967 | + msleep(IPTREE_DESTROY_SLEEP); | |
4968 | + __flush(map); | |
4969 | + memset(map, 0, sizeof(*map)); | |
4970 | + map->timeout = timeout; | |
4971 | + | |
4972 | + init_gc_timer(set); | |
4973 | +} | |
4974 | + | |
4975 | +static void list_header(const struct ip_set *set, void *data) | |
4976 | +{ | |
7d2f026e | 4977 | + const struct ip_set_iptree *map = set->data; |
4978 | + struct ip_set_req_iptree_create *header = data; | |
1aedc22c | 4979 | + |
4980 | + header->timeout = map->timeout; | |
4981 | +} | |
4982 | + | |
4983 | +static int list_members_size(const struct ip_set *set) | |
4984 | +{ | |
7d2f026e | 4985 | + const struct ip_set_iptree *map = set->data; |
1aedc22c | 4986 | + struct ip_set_iptreeb *btree; |
4987 | + struct ip_set_iptreec *ctree; | |
4988 | + struct ip_set_iptreed *dtree; | |
4989 | + unsigned int a,b,c,d; | |
4990 | + unsigned int count = 0; | |
4991 | + | |
4992 | + LOOP_WALK_BEGIN(map, a, btree); | |
4993 | + LOOP_WALK_BEGIN(btree, b, ctree); | |
4994 | + LOOP_WALK_BEGIN(ctree, c, dtree); | |
4995 | + for (d = 0; d < 256; d++) { | |
4996 | + if (dtree->expires[d] | |
4997 | + && (!map->timeout || time_after(dtree->expires[d], jiffies))) | |
4998 | + count++; | |
4999 | + } | |
5000 | + LOOP_WALK_END; | |
5001 | + LOOP_WALK_END; | |
5002 | + LOOP_WALK_END; | |
5003 | + | |
5004 | + DP("members %u", count); | |
5005 | + return (count * sizeof(struct ip_set_req_iptree)); | |
5006 | +} | |
5007 | + | |
5008 | +static void list_members(const struct ip_set *set, void *data) | |
5009 | +{ | |
7d2f026e | 5010 | + const struct ip_set_iptree *map = set->data; |
1aedc22c | 5011 | + struct ip_set_iptreeb *btree; |
5012 | + struct ip_set_iptreec *ctree; | |
5013 | + struct ip_set_iptreed *dtree; | |
5014 | + unsigned int a,b,c,d; | |
5015 | + size_t offset = 0; | |
5016 | + struct ip_set_req_iptree *entry; | |
5017 | + | |
5018 | + LOOP_WALK_BEGIN(map, a, btree); | |
5019 | + LOOP_WALK_BEGIN(btree, b, ctree); | |
5020 | + LOOP_WALK_BEGIN(ctree, c, dtree); | |
5021 | + for (d = 0; d < 256; d++) { | |
5022 | + if (dtree->expires[d] | |
5023 | + && (!map->timeout || time_after(dtree->expires[d], jiffies))) { | |
7d2f026e | 5024 | + entry = data + offset; |
1aedc22c | 5025 | + entry->ip = ((a << 24) | (b << 16) | (c << 8) | d); |
7d2f026e | 5026 | + entry->timeout = !map->timeout ? 0 |
1aedc22c | 5027 | + : (dtree->expires[d] - jiffies)/HZ; |
5028 | + offset += sizeof(struct ip_set_req_iptree); | |
5029 | + } | |
5030 | + } | |
5031 | + LOOP_WALK_END; | |
5032 | + LOOP_WALK_END; | |
5033 | + LOOP_WALK_END; | |
5034 | +} | |
5035 | + | |
5036 | +static struct ip_set_type ip_set_iptree = { | |
5037 | + .typename = SETTYPE_NAME, | |
5038 | + .features = IPSET_TYPE_IP | IPSET_DATA_SINGLE, | |
5039 | + .protocol_version = IP_SET_PROTOCOL_VERSION, | |
5040 | + .create = &create, | |
5041 | + .destroy = &destroy, | |
5042 | + .flush = &flush, | |
5043 | + .reqsize = sizeof(struct ip_set_req_iptree), | |
5044 | + .addip = &addip, | |
5045 | + .addip_kernel = &addip_kernel, | |
5046 | + .delip = &delip, | |
5047 | + .delip_kernel = &delip_kernel, | |
5048 | + .testip = &testip, | |
5049 | + .testip_kernel = &testip_kernel, | |
5050 | + .header_size = sizeof(struct ip_set_req_iptree_create), | |
5051 | + .list_header = &list_header, | |
5052 | + .list_members_size = &list_members_size, | |
5053 | + .list_members = &list_members, | |
5054 | + .me = THIS_MODULE, | |
5055 | +}; | |
5056 | + | |
5057 | +MODULE_LICENSE("GPL"); | |
5058 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
5059 | +MODULE_DESCRIPTION("iptree type of IP sets"); | |
5060 | +module_param(limit, int, 0600); | |
5061 | +MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets"); | |
5062 | + | |
f45e9687 | 5063 | +static int __init ip_set_iptree_init(void) |
1aedc22c | 5064 | +{ |
5065 | + int ret; | |
5066 | + | |
f45e9687 | 5067 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) |
5068 | + branch_cachep = kmem_cache_create("ip_set_iptreeb", | |
5069 | + sizeof(struct ip_set_iptreeb), | |
5070 | + 0, 0, NULL); | |
5071 | +#else | |
1aedc22c | 5072 | + branch_cachep = kmem_cache_create("ip_set_iptreeb", |
5073 | + sizeof(struct ip_set_iptreeb), | |
5074 | + 0, 0, NULL, NULL); | |
f45e9687 | 5075 | +#endif |
1aedc22c | 5076 | + if (!branch_cachep) { |
5077 | + printk(KERN_ERR "Unable to create ip_set_iptreeb slab cache\n"); | |
5078 | + ret = -ENOMEM; | |
5079 | + goto out; | |
5080 | + } | |
f45e9687 | 5081 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) |
5082 | + leaf_cachep = kmem_cache_create("ip_set_iptreed", | |
5083 | + sizeof(struct ip_set_iptreed), | |
5084 | + 0, 0, NULL); | |
5085 | +#else | |
1aedc22c | 5086 | + leaf_cachep = kmem_cache_create("ip_set_iptreed", |
5087 | + sizeof(struct ip_set_iptreed), | |
5088 | + 0, 0, NULL, NULL); | |
f45e9687 | 5089 | +#endif |
1aedc22c | 5090 | + if (!leaf_cachep) { |
5091 | + printk(KERN_ERR "Unable to create ip_set_iptreed slab cache\n"); | |
5092 | + ret = -ENOMEM; | |
5093 | + goto free_branch; | |
5094 | + } | |
5095 | + ret = ip_set_register_set_type(&ip_set_iptree); | |
5096 | + if (ret == 0) | |
5097 | + goto out; | |
5098 | + | |
5099 | + kmem_cache_destroy(leaf_cachep); | |
5100 | + free_branch: | |
5101 | + kmem_cache_destroy(branch_cachep); | |
5102 | + out: | |
5103 | + return ret; | |
5104 | +} | |
5105 | + | |
f45e9687 | 5106 | +static void __exit ip_set_iptree_fini(void) |
1aedc22c | 5107 | +{ |
5108 | + /* FIXME: possible race with ip_set_create() */ | |
5109 | + ip_set_unregister_set_type(&ip_set_iptree); | |
5110 | + kmem_cache_destroy(leaf_cachep); | |
5111 | + kmem_cache_destroy(branch_cachep); | |
5112 | +} | |
5113 | + | |
f45e9687 | 5114 | +module_init(ip_set_iptree_init); |
5115 | +module_exit(ip_set_iptree_fini); | |
7d2f026e | 5116 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/ip_set_iptreemap.c linux-2.6/net/ipv4/netfilter/ip_set_iptreemap.c |
5117 | --- a/net/ipv4/netfilter/ip_set_iptreemap.c 1970-01-01 01:00:00.000000000 +0100 | |
5118 | +++ linux-2.6/net/ipv4/netfilter/ip_set_iptreemap.c 2008-07-08 16:52:53.965201208 +0200 | |
5119 | @@ -0,0 +1,827 @@ | |
f45e9687 | 5120 | +/* Copyright (C) 2007 Sven Wegener <sven.wegener@stealer.net> |
5121 | + * | |
5122 | + * This program is free software; you can redistribute it and/or modify it | |
5123 | + * under the terms of the GNU General Public License version 2 as published by | |
5124 | + * the Free Software Foundation. | |
5125 | + */ | |
5126 | + | |
5127 | +/* This modules implements the iptreemap ipset type. It uses bitmaps to | |
7d2f026e | 5128 | + * represent every single IPv4 address as a bit. The bitmaps are managed in a |
5129 | + * tree structure, where the first three octets of an address are used as an | |
5130 | + * index to find the bitmap and the last octet is used as the bit number. | |
f45e9687 | 5131 | + */ |
5132 | + | |
5133 | +#include <linux/version.h> | |
7d2f026e | 5134 | +#include <linux/kernel.h> |
f45e9687 | 5135 | +#include <linux/module.h> |
5136 | +#include <linux/ip.h> | |
5137 | +#include <linux/skbuff.h> | |
5138 | +#include <linux/slab.h> | |
5139 | +#include <linux/delay.h> | |
5140 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
5141 | +#include <linux/netfilter_ipv4/ip_set.h> | |
5142 | +#include <linux/errno.h> | |
5143 | +#include <asm/uaccess.h> | |
5144 | +#include <asm/bitops.h> | |
5145 | +#include <linux/spinlock.h> | |
5146 | + | |
5147 | +#include <linux/netfilter_ipv4/ip_set_iptreemap.h> | |
5148 | + | |
5149 | +#define IPTREEMAP_DEFAULT_GC_TIME (5 * 60) | |
5150 | +#define IPTREEMAP_DESTROY_SLEEP (100) | |
5151 | + | |
5152 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) | |
5153 | +static struct kmem_cache *cachep_b; | |
5154 | +static struct kmem_cache *cachep_c; | |
5155 | +static struct kmem_cache *cachep_d; | |
5156 | +#else | |
5157 | +static kmem_cache_t *cachep_b; | |
5158 | +static kmem_cache_t *cachep_c; | |
5159 | +static kmem_cache_t *cachep_d; | |
5160 | +#endif | |
5161 | + | |
5162 | +static struct ip_set_iptreemap_d *fullbitmap_d; | |
5163 | +static struct ip_set_iptreemap_c *fullbitmap_c; | |
5164 | +static struct ip_set_iptreemap_b *fullbitmap_b; | |
5165 | + | |
5166 | +#if defined(__LITTLE_ENDIAN) | |
5167 | +#define ABCD(a, b, c, d, addr) \ | |
5168 | + do { \ | |
5169 | + a = ((unsigned char *)addr)[3]; \ | |
5170 | + b = ((unsigned char *)addr)[2]; \ | |
5171 | + c = ((unsigned char *)addr)[1]; \ | |
5172 | + d = ((unsigned char *)addr)[0]; \ | |
5173 | + } while (0) | |
5174 | +#elif defined(__BIG_ENDIAN) | |
5175 | +#define ABCD(a,b,c,d,addrp) do { \ | |
5176 | + a = ((unsigned char *)addrp)[0]; \ | |
5177 | + b = ((unsigned char *)addrp)[1]; \ | |
5178 | + c = ((unsigned char *)addrp)[2]; \ | |
5179 | + d = ((unsigned char *)addrp)[3]; \ | |
5180 | +} while (0) | |
5181 | +#else | |
5182 | +#error "Please fix asm/byteorder.h" | |
5183 | +#endif /* __LITTLE_ENDIAN */ | |
5184 | + | |
5185 | +#define TESTIP_WALK(map, elem, branch, full) \ | |
5186 | + do { \ | |
5187 | + branch = (map)->tree[elem]; \ | |
5188 | + if (!branch) \ | |
5189 | + return 0; \ | |
5190 | + else if (branch == full) \ | |
5191 | + return 1; \ | |
5192 | + } while (0) | |
5193 | + | |
5194 | +#define ADDIP_WALK(map, elem, branch, type, cachep, full) \ | |
5195 | + do { \ | |
5196 | + branch = (map)->tree[elem]; \ | |
5197 | + if (!branch) { \ | |
5198 | + branch = (type *) kmem_cache_alloc(cachep, GFP_ATOMIC); \ | |
5199 | + if (!branch) \ | |
5200 | + return -ENOMEM; \ | |
5201 | + memset(branch, 0, sizeof(*branch)); \ | |
5202 | + (map)->tree[elem] = branch; \ | |
5203 | + } else if (branch == full) { \ | |
5204 | + return -EEXIST; \ | |
5205 | + } \ | |
5206 | + } while (0) | |
5207 | + | |
5208 | +#define ADDIP_RANGE_LOOP(map, a, a1, a2, hint, branch, full, cachep, free) \ | |
5209 | + for (a = a1; a <= a2; a++) { \ | |
5210 | + branch = (map)->tree[a]; \ | |
5211 | + if (branch != full) { \ | |
5212 | + if ((a > a1 && a < a2) || (hint)) { \ | |
5213 | + if (branch) \ | |
5214 | + free(branch); \ | |
5215 | + (map)->tree[a] = full; \ | |
5216 | + continue; \ | |
5217 | + } else if (!branch) { \ | |
5218 | + branch = kmem_cache_alloc(cachep, GFP_ATOMIC); \ | |
5219 | + if (!branch) \ | |
5220 | + return -ENOMEM; \ | |
5221 | + memset(branch, 0, sizeof(*branch)); \ | |
5222 | + (map)->tree[a] = branch; \ | |
5223 | + } | |
5224 | + | |
5225 | +#define ADDIP_RANGE_LOOP_END() \ | |
5226 | + } \ | |
5227 | + } | |
5228 | + | |
5229 | +#define DELIP_WALK(map, elem, branch, cachep, full, flags) \ | |
5230 | + do { \ | |
5231 | + branch = (map)->tree[elem]; \ | |
5232 | + if (!branch) { \ | |
5233 | + return -EEXIST; \ | |
5234 | + } else if (branch == full) { \ | |
5235 | + branch = kmem_cache_alloc(cachep, flags); \ | |
5236 | + if (!branch) \ | |
5237 | + return -ENOMEM; \ | |
5238 | + memcpy(branch, full, sizeof(*full)); \ | |
5239 | + (map)->tree[elem] = branch; \ | |
5240 | + } \ | |
5241 | + } while (0) | |
5242 | + | |
5243 | +#define DELIP_RANGE_LOOP(map, a, a1, a2, hint, branch, full, cachep, free, flags) \ | |
5244 | + for (a = a1; a <= a2; a++) { \ | |
5245 | + branch = (map)->tree[a]; \ | |
5246 | + if (branch) { \ | |
5247 | + if ((a > a1 && a < a2) || (hint)) { \ | |
5248 | + if (branch != full) \ | |
5249 | + free(branch); \ | |
5250 | + (map)->tree[a] = NULL; \ | |
5251 | + continue; \ | |
5252 | + } else if (branch == full) { \ | |
5253 | + branch = kmem_cache_alloc(cachep, flags); \ | |
5254 | + if (!branch) \ | |
5255 | + return -ENOMEM; \ | |
5256 | + memcpy(branch, full, sizeof(*branch)); \ | |
5257 | + (map)->tree[a] = branch; \ | |
5258 | + } | |
5259 | + | |
5260 | +#define DELIP_RANGE_LOOP_END() \ | |
5261 | + } \ | |
5262 | + } | |
5263 | + | |
5264 | +#define LOOP_WALK_BEGIN(map, i, branch) \ | |
5265 | + for (i = 0; i < 256; i++) { \ | |
5266 | + branch = (map)->tree[i]; \ | |
5267 | + if (likely(!branch)) \ | |
5268 | + continue; | |
5269 | + | |
5270 | +#define LOOP_WALK_END() \ | |
5271 | + } | |
5272 | + | |
5273 | +#define LOOP_WALK_BEGIN_GC(map, i, branch, full, cachep, count) \ | |
5274 | + count = -256; \ | |
5275 | + for (i = 0; i < 256; i++) { \ | |
5276 | + branch = (map)->tree[i]; \ | |
5277 | + if (likely(!branch)) \ | |
5278 | + continue; \ | |
5279 | + count++; \ | |
5280 | + if (branch == full) { \ | |
5281 | + count++; \ | |
5282 | + continue; \ | |
5283 | + } | |
5284 | + | |
5285 | +#define LOOP_WALK_END_GC(map, i, branch, full, cachep, count) \ | |
5286 | + if (-256 == count) { \ | |
5287 | + kmem_cache_free(cachep, branch); \ | |
5288 | + (map)->tree[i] = NULL; \ | |
5289 | + } else if (256 == count) { \ | |
5290 | + kmem_cache_free(cachep, branch); \ | |
5291 | + (map)->tree[i] = full; \ | |
5292 | + } \ | |
5293 | + } | |
5294 | + | |
5295 | +#define LOOP_WALK_BEGIN_COUNT(map, i, branch, inrange, count) \ | |
5296 | + for (i = 0; i < 256; i++) { \ | |
5297 | + if (!(map)->tree[i]) { \ | |
5298 | + if (inrange) { \ | |
5299 | + count++; \ | |
5300 | + inrange = 0; \ | |
5301 | + } \ | |
5302 | + continue; \ | |
5303 | + } \ | |
5304 | + branch = (map)->tree[i]; | |
5305 | + | |
5306 | +#define LOOP_WALK_END_COUNT() \ | |
5307 | + } | |
5308 | + | |
f45e9687 | 5309 | +#define GETVALUE1(a, a1, b1, r) \ |
5310 | + (a == a1 ? b1 : r) | |
5311 | + | |
5312 | +#define GETVALUE2(a, b, a1, b1, c1, r) \ | |
5313 | + (a == a1 && b == b1 ? c1 : r) | |
5314 | + | |
5315 | +#define GETVALUE3(a, b, c, a1, b1, c1, d1, r) \ | |
5316 | + (a == a1 && b == b1 && c == c1 ? d1 : r) | |
5317 | + | |
5318 | +#define CHECK1(a, a1, a2, b1, b2, c1, c2, d1, d2) \ | |
5319 | + ( \ | |
5320 | + GETVALUE1(a, a1, b1, 0) == 0 \ | |
5321 | + && GETVALUE1(a, a2, b2, 255) == 255 \ | |
5322 | + && c1 == 0 \ | |
5323 | + && c2 == 255 \ | |
5324 | + && d1 == 0 \ | |
5325 | + && d2 == 255 \ | |
5326 | + ) | |
5327 | + | |
5328 | +#define CHECK2(a, b, a1, a2, b1, b2, c1, c2, d1, d2) \ | |
5329 | + ( \ | |
5330 | + GETVALUE2(a, b, a1, b1, c1, 0) == 0 \ | |
5331 | + && GETVALUE2(a, b, a2, b2, c2, 255) == 255 \ | |
5332 | + && d1 == 0 \ | |
5333 | + && d2 == 255 \ | |
5334 | + ) | |
5335 | + | |
5336 | +#define CHECK3(a, b, c, a1, a2, b1, b2, c1, c2, d1, d2) \ | |
5337 | + ( \ | |
5338 | + GETVALUE3(a, b, c, a1, b1, c1, d1, 0) == 0 \ | |
5339 | + && GETVALUE3(a, b, c, a2, b2, c2, d2, 255) == 255 \ | |
5340 | + ) | |
5341 | + | |
5342 | + | |
5343 | +static inline void | |
5344 | +free_d(struct ip_set_iptreemap_d *map) | |
5345 | +{ | |
5346 | + kmem_cache_free(cachep_d, map); | |
5347 | +} | |
5348 | + | |
5349 | +static inline void | |
5350 | +free_c(struct ip_set_iptreemap_c *map) | |
5351 | +{ | |
5352 | + struct ip_set_iptreemap_d *dtree; | |
5353 | + unsigned int i; | |
5354 | + | |
5355 | + LOOP_WALK_BEGIN(map, i, dtree) { | |
5356 | + if (dtree != fullbitmap_d) | |
5357 | + free_d(dtree); | |
5358 | + } LOOP_WALK_END(); | |
5359 | + | |
5360 | + kmem_cache_free(cachep_c, map); | |
5361 | +} | |
5362 | + | |
5363 | +static inline void | |
5364 | +free_b(struct ip_set_iptreemap_b *map) | |
5365 | +{ | |
5366 | + struct ip_set_iptreemap_c *ctree; | |
5367 | + unsigned int i; | |
5368 | + | |
5369 | + LOOP_WALK_BEGIN(map, i, ctree) { | |
5370 | + if (ctree != fullbitmap_c) | |
5371 | + free_c(ctree); | |
5372 | + } LOOP_WALK_END(); | |
5373 | + | |
5374 | + kmem_cache_free(cachep_b, map); | |
5375 | +} | |
5376 | + | |
5377 | +static inline int | |
5378 | +__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) | |
5379 | +{ | |
7d2f026e | 5380 | + struct ip_set_iptreemap *map = set->data; |
f45e9687 | 5381 | + struct ip_set_iptreemap_b *btree; |
5382 | + struct ip_set_iptreemap_c *ctree; | |
5383 | + struct ip_set_iptreemap_d *dtree; | |
5384 | + unsigned char a, b, c, d; | |
5385 | + | |
5386 | + *hash_ip = ip; | |
5387 | + | |
5388 | + ABCD(a, b, c, d, hash_ip); | |
5389 | + | |
5390 | + TESTIP_WALK(map, a, btree, fullbitmap_b); | |
5391 | + TESTIP_WALK(btree, b, ctree, fullbitmap_c); | |
5392 | + TESTIP_WALK(ctree, c, dtree, fullbitmap_d); | |
5393 | + | |
5394 | + return !!test_bit(d, (void *) dtree->bitmap); | |
5395 | +} | |
5396 | + | |
5397 | +static int | |
5398 | +testip(struct ip_set *set, const void *data, size_t size, ip_set_ip_t *hash_ip) | |
5399 | +{ | |
7d2f026e | 5400 | + const struct ip_set_req_iptreemap *req = data; |
f45e9687 | 5401 | + |
5402 | + if (size != sizeof(struct ip_set_req_iptreemap)) { | |
5403 | + ip_set_printk("data length wrong (want %zu, have %zu)", sizeof(struct ip_set_req_iptreemap), size); | |
5404 | + return -EINVAL; | |
5405 | + } | |
5406 | + | |
5407 | + return __testip(set, req->start, hash_ip); | |
5408 | +} | |
5409 | + | |
5410 | +static int | |
5411 | +testip_kernel(struct ip_set *set, const struct sk_buff *skb, ip_set_ip_t *hash_ip, const u_int32_t *flags, unsigned char index) | |
5412 | +{ | |
5413 | + int res; | |
5414 | + | |
7d2f026e | 5415 | + res = __testip(set, |
5416 | + ntohl(flags[index] & IPSET_SRC | |
f45e9687 | 5417 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 5418 | + ? ip_hdr(skb)->saddr |
f45e9687 | 5419 | + : ip_hdr(skb)->daddr), |
5420 | +#else | |
7d2f026e | 5421 | + ? skb->nh.iph->saddr |
f45e9687 | 5422 | + : skb->nh.iph->daddr), |
5423 | +#endif | |
5424 | + hash_ip); | |
5425 | + | |
5426 | + return (res < 0 ? 0 : res); | |
5427 | +} | |
5428 | + | |
5429 | +static inline int | |
5430 | +__addip_single(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) | |
5431 | +{ | |
5432 | + struct ip_set_iptreemap *map = (struct ip_set_iptreemap *) set->data; | |
5433 | + struct ip_set_iptreemap_b *btree; | |
5434 | + struct ip_set_iptreemap_c *ctree; | |
5435 | + struct ip_set_iptreemap_d *dtree; | |
5436 | + unsigned char a, b, c, d; | |
5437 | + | |
5438 | + *hash_ip = ip; | |
5439 | + | |
5440 | + ABCD(a, b, c, d, hash_ip); | |
5441 | + | |
5442 | + ADDIP_WALK(map, a, btree, struct ip_set_iptreemap_b, cachep_b, fullbitmap_b); | |
5443 | + ADDIP_WALK(btree, b, ctree, struct ip_set_iptreemap_c, cachep_c, fullbitmap_c); | |
5444 | + ADDIP_WALK(ctree, c, dtree, struct ip_set_iptreemap_d, cachep_d, fullbitmap_d); | |
5445 | + | |
7d2f026e | 5446 | + if (__test_and_set_bit(d, (void *) dtree->bitmap)) |
f45e9687 | 5447 | + return -EEXIST; |
5448 | + | |
7d2f026e | 5449 | + __set_bit(b, (void *) btree->dirty); |
f45e9687 | 5450 | + |
5451 | + return 0; | |
5452 | +} | |
5453 | + | |
5454 | +static inline int | |
5455 | +__addip_range(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end, ip_set_ip_t *hash_ip) | |
5456 | +{ | |
7d2f026e | 5457 | + struct ip_set_iptreemap *map = set->data; |
f45e9687 | 5458 | + struct ip_set_iptreemap_b *btree; |
5459 | + struct ip_set_iptreemap_c *ctree; | |
5460 | + struct ip_set_iptreemap_d *dtree; | |
5461 | + unsigned int a, b, c, d; | |
5462 | + unsigned char a1, b1, c1, d1; | |
5463 | + unsigned char a2, b2, c2, d2; | |
5464 | + | |
5465 | + if (start == end) | |
5466 | + return __addip_single(set, start, hash_ip); | |
5467 | + | |
5468 | + *hash_ip = start; | |
5469 | + | |
5470 | + ABCD(a1, b1, c1, d1, &start); | |
5471 | + ABCD(a2, b2, c2, d2, &end); | |
5472 | + | |
5473 | + /* This is sooo ugly... */ | |
5474 | + ADDIP_RANGE_LOOP(map, a, a1, a2, CHECK1(a, a1, a2, b1, b2, c1, c2, d1, d2), btree, fullbitmap_b, cachep_b, free_b) { | |
5475 | + ADDIP_RANGE_LOOP(btree, b, GETVALUE1(a, a1, b1, 0), GETVALUE1(a, a2, b2, 255), CHECK2(a, b, a1, a2, b1, b2, c1, c2, d1, d2), ctree, fullbitmap_c, cachep_c, free_c) { | |
5476 | + ADDIP_RANGE_LOOP(ctree, c, GETVALUE2(a, b, a1, b1, c1, 0), GETVALUE2(a, b, a2, b2, c2, 255), CHECK3(a, b, c, a1, a2, b1, b2, c1, c2, d1, d2), dtree, fullbitmap_d, cachep_d, free_d) { | |
5477 | + for (d = GETVALUE3(a, b, c, a1, b1, c1, d1, 0); d <= GETVALUE3(a, b, c, a2, b2, c2, d2, 255); d++) | |
7d2f026e | 5478 | + __set_bit(d, (void *) dtree->bitmap); |
5479 | + __set_bit(b, (void *) btree->dirty); | |
f45e9687 | 5480 | + } ADDIP_RANGE_LOOP_END(); |
5481 | + } ADDIP_RANGE_LOOP_END(); | |
5482 | + } ADDIP_RANGE_LOOP_END(); | |
5483 | + | |
5484 | + return 0; | |
5485 | +} | |
5486 | + | |
5487 | +static int | |
5488 | +addip(struct ip_set *set, const void *data, size_t size, ip_set_ip_t *hash_ip) | |
5489 | +{ | |
7d2f026e | 5490 | + const struct ip_set_req_iptreemap *req = data; |
f45e9687 | 5491 | + |
5492 | + if (size != sizeof(struct ip_set_req_iptreemap)) { | |
5493 | + ip_set_printk("data length wrong (want %zu, have %zu)", sizeof(struct ip_set_req_iptreemap), size); | |
5494 | + return -EINVAL; | |
5495 | + } | |
5496 | + | |
7d2f026e | 5497 | + return __addip_range(set, min(req->start, req->end), max(req->start, req->end), hash_ip); |
f45e9687 | 5498 | +} |
5499 | + | |
5500 | +static int | |
5501 | +addip_kernel(struct ip_set *set, const struct sk_buff *skb, ip_set_ip_t *hash_ip, const u_int32_t *flags, unsigned char index) | |
5502 | +{ | |
5503 | + | |
5504 | + return __addip_single(set, | |
7d2f026e | 5505 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 5506 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 5507 | + ? ip_hdr(skb)->saddr |
f45e9687 | 5508 | + : ip_hdr(skb)->daddr), |
5509 | +#else | |
7d2f026e | 5510 | + ? skb->nh.iph->saddr |
f45e9687 | 5511 | + : skb->nh.iph->daddr), |
5512 | +#endif | |
5513 | + hash_ip); | |
5514 | +} | |
5515 | + | |
5516 | +static inline int | |
5517 | +__delip_single(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip, unsigned int __nocast flags) | |
5518 | +{ | |
7d2f026e | 5519 | + struct ip_set_iptreemap *map = set->data; |
f45e9687 | 5520 | + struct ip_set_iptreemap_b *btree; |
5521 | + struct ip_set_iptreemap_c *ctree; | |
5522 | + struct ip_set_iptreemap_d *dtree; | |
5523 | + unsigned char a,b,c,d; | |
5524 | + | |
5525 | + *hash_ip = ip; | |
5526 | + | |
5527 | + ABCD(a, b, c, d, hash_ip); | |
5528 | + | |
5529 | + DELIP_WALK(map, a, btree, cachep_b, fullbitmap_b, flags); | |
5530 | + DELIP_WALK(btree, b, ctree, cachep_c, fullbitmap_c, flags); | |
5531 | + DELIP_WALK(ctree, c, dtree, cachep_d, fullbitmap_d, flags); | |
5532 | + | |
7d2f026e | 5533 | + if (!__test_and_clear_bit(d, (void *) dtree->bitmap)) |
f45e9687 | 5534 | + return -EEXIST; |
5535 | + | |
7d2f026e | 5536 | + __set_bit(b, (void *) btree->dirty); |
f45e9687 | 5537 | + |
5538 | + return 0; | |
5539 | +} | |
5540 | + | |
5541 | +static inline int | |
5542 | +__delip_range(struct ip_set *set, ip_set_ip_t start, ip_set_ip_t end, ip_set_ip_t *hash_ip, unsigned int __nocast flags) | |
5543 | +{ | |
7d2f026e | 5544 | + struct ip_set_iptreemap *map = set->data; |
f45e9687 | 5545 | + struct ip_set_iptreemap_b *btree; |
5546 | + struct ip_set_iptreemap_c *ctree; | |
5547 | + struct ip_set_iptreemap_d *dtree; | |
5548 | + unsigned int a, b, c, d; | |
5549 | + unsigned char a1, b1, c1, d1; | |
5550 | + unsigned char a2, b2, c2, d2; | |
5551 | + | |
5552 | + if (start == end) | |
5553 | + return __delip_single(set, start, hash_ip, flags); | |
5554 | + | |
5555 | + *hash_ip = start; | |
5556 | + | |
5557 | + ABCD(a1, b1, c1, d1, &start); | |
5558 | + ABCD(a2, b2, c2, d2, &end); | |
5559 | + | |
5560 | + /* This is sooo ugly... */ | |
5561 | + DELIP_RANGE_LOOP(map, a, a1, a2, CHECK1(a, a1, a2, b1, b2, c1, c2, d1, d2), btree, fullbitmap_b, cachep_b, free_b, flags) { | |
5562 | + DELIP_RANGE_LOOP(btree, b, GETVALUE1(a, a1, b1, 0), GETVALUE1(a, a2, b2, 255), CHECK2(a, b, a1, a2, b1, b2, c1, c2, d1, d2), ctree, fullbitmap_c, cachep_c, free_c, flags) { | |
5563 | + DELIP_RANGE_LOOP(ctree, c, GETVALUE2(a, b, a1, b1, c1, 0), GETVALUE2(a, b, a2, b2, c2, 255), CHECK3(a, b, c, a1, a2, b1, b2, c1, c2, d1, d2), dtree, fullbitmap_d, cachep_d, free_d, flags) { | |
5564 | + for (d = GETVALUE3(a, b, c, a1, b1, c1, d1, 0); d <= GETVALUE3(a, b, c, a2, b2, c2, d2, 255); d++) | |
7d2f026e | 5565 | + __clear_bit(d, (void *) dtree->bitmap); |
5566 | + __set_bit(b, (void *) btree->dirty); | |
f45e9687 | 5567 | + } DELIP_RANGE_LOOP_END(); |
5568 | + } DELIP_RANGE_LOOP_END(); | |
5569 | + } DELIP_RANGE_LOOP_END(); | |
5570 | + | |
5571 | + return 0; | |
5572 | +} | |
5573 | + | |
5574 | +static int | |
5575 | +delip(struct ip_set *set, const void *data, size_t size, ip_set_ip_t *hash_ip) | |
5576 | +{ | |
7d2f026e | 5577 | + const struct ip_set_req_iptreemap *req = data; |
f45e9687 | 5578 | + |
5579 | + if (size != sizeof(struct ip_set_req_iptreemap)) { | |
5580 | + ip_set_printk("data length wrong (want %zu, have %zu)", sizeof(struct ip_set_req_iptreemap), size); | |
5581 | + return -EINVAL; | |
5582 | + } | |
5583 | + | |
7d2f026e | 5584 | + return __delip_range(set, min(req->start, req->end), max(req->start, req->end), hash_ip, GFP_KERNEL); |
f45e9687 | 5585 | +} |
5586 | + | |
5587 | +static int | |
5588 | +delip_kernel(struct ip_set *set, const struct sk_buff *skb, ip_set_ip_t *hash_ip, const u_int32_t *flags, unsigned char index) | |
5589 | +{ | |
7d2f026e | 5590 | + return __delip_single(set, |
5591 | + ntohl(flags[index] & IPSET_SRC | |
f45e9687 | 5592 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 5593 | + ? ip_hdr(skb)->saddr |
f45e9687 | 5594 | + : ip_hdr(skb)->daddr), |
5595 | +#else | |
7d2f026e | 5596 | + ? skb->nh.iph->saddr |
f45e9687 | 5597 | + : skb->nh.iph->daddr), |
5598 | +#endif | |
5599 | + hash_ip, | |
5600 | + GFP_ATOMIC); | |
5601 | +} | |
5602 | + | |
5603 | +/* Check the status of the bitmap | |
5604 | + * -1 == all bits cleared | |
5605 | + * 1 == all bits set | |
5606 | + * 0 == anything else | |
5607 | + */ | |
5608 | +static inline int | |
5609 | +bitmap_status(struct ip_set_iptreemap_d *dtree) | |
5610 | +{ | |
5611 | + unsigned char first = dtree->bitmap[0]; | |
5612 | + int a; | |
5613 | + | |
5614 | + for (a = 1; a < 32; a++) | |
5615 | + if (dtree->bitmap[a] != first) | |
5616 | + return 0; | |
5617 | + | |
5618 | + return (first == 0 ? -1 : (first == 255 ? 1 : 0)); | |
5619 | +} | |
5620 | + | |
5621 | +static void | |
5622 | +gc(unsigned long addr) | |
5623 | +{ | |
5624 | + struct ip_set *set = (struct ip_set *) addr; | |
7d2f026e | 5625 | + struct ip_set_iptreemap *map = set->data; |
f45e9687 | 5626 | + struct ip_set_iptreemap_b *btree; |
5627 | + struct ip_set_iptreemap_c *ctree; | |
5628 | + struct ip_set_iptreemap_d *dtree; | |
5629 | + unsigned int a, b, c; | |
5630 | + int i, j, k; | |
5631 | + | |
5632 | + write_lock_bh(&set->lock); | |
5633 | + | |
5634 | + LOOP_WALK_BEGIN_GC(map, a, btree, fullbitmap_b, cachep_b, i) { | |
5635 | + LOOP_WALK_BEGIN_GC(btree, b, ctree, fullbitmap_c, cachep_c, j) { | |
7d2f026e | 5636 | + if (!__test_and_clear_bit(b, (void *) btree->dirty)) |
f45e9687 | 5637 | + continue; |
5638 | + LOOP_WALK_BEGIN_GC(ctree, c, dtree, fullbitmap_d, cachep_d, k) { | |
5639 | + switch (bitmap_status(dtree)) { | |
5640 | + case -1: | |
5641 | + kmem_cache_free(cachep_d, dtree); | |
5642 | + ctree->tree[c] = NULL; | |
5643 | + k--; | |
5644 | + break; | |
5645 | + case 1: | |
5646 | + kmem_cache_free(cachep_d, dtree); | |
5647 | + ctree->tree[c] = fullbitmap_d; | |
5648 | + k++; | |
5649 | + break; | |
5650 | + } | |
5651 | + } LOOP_WALK_END(); | |
5652 | + } LOOP_WALK_END_GC(btree, b, ctree, fullbitmap_c, cachep_c, k); | |
5653 | + } LOOP_WALK_END_GC(map, a, btree, fullbitmap_b, cachep_b, j); | |
5654 | + | |
5655 | + write_unlock_bh(&set->lock); | |
5656 | + | |
5657 | + map->gc.expires = jiffies + map->gc_interval * HZ; | |
5658 | + add_timer(&map->gc); | |
5659 | +} | |
5660 | + | |
5661 | +static inline void | |
5662 | +init_gc_timer(struct ip_set *set) | |
5663 | +{ | |
7d2f026e | 5664 | + struct ip_set_iptreemap *map = set->data; |
f45e9687 | 5665 | + |
5666 | + init_timer(&map->gc); | |
5667 | + map->gc.data = (unsigned long) set; | |
5668 | + map->gc.function = gc; | |
5669 | + map->gc.expires = jiffies + map->gc_interval * HZ; | |
5670 | + add_timer(&map->gc); | |
5671 | +} | |
5672 | + | |
5673 | +static int create(struct ip_set *set, const void *data, size_t size) | |
5674 | +{ | |
7d2f026e | 5675 | + const struct ip_set_req_iptreemap_create *req = data; |
f45e9687 | 5676 | + struct ip_set_iptreemap *map; |
5677 | + | |
5678 | + if (size != sizeof(struct ip_set_req_iptreemap_create)) { | |
5679 | + ip_set_printk("data length wrong (want %zu, have %zu)", sizeof(struct ip_set_req_iptreemap_create), size); | |
5680 | + return -EINVAL; | |
5681 | + } | |
5682 | + | |
5683 | + map = kzalloc(sizeof(*map), GFP_KERNEL); | |
5684 | + if (!map) | |
5685 | + return -ENOMEM; | |
5686 | + | |
5687 | + map->gc_interval = req->gc_interval ? req->gc_interval : IPTREEMAP_DEFAULT_GC_TIME; | |
5688 | + set->data = map; | |
5689 | + | |
5690 | + init_gc_timer(set); | |
5691 | + | |
5692 | + return 0; | |
5693 | +} | |
5694 | + | |
5695 | +static inline void __flush(struct ip_set_iptreemap *map) | |
5696 | +{ | |
5697 | + struct ip_set_iptreemap_b *btree; | |
5698 | + unsigned int a; | |
5699 | + | |
5700 | + LOOP_WALK_BEGIN(map, a, btree); | |
5701 | + if (btree != fullbitmap_b) | |
5702 | + free_b(btree); | |
5703 | + LOOP_WALK_END(); | |
5704 | +} | |
5705 | + | |
5706 | +static void destroy(struct ip_set *set) | |
5707 | +{ | |
7d2f026e | 5708 | + struct ip_set_iptreemap *map = set->data; |
f45e9687 | 5709 | + |
5710 | + while (!del_timer(&map->gc)) | |
5711 | + msleep(IPTREEMAP_DESTROY_SLEEP); | |
5712 | + | |
5713 | + __flush(map); | |
5714 | + kfree(map); | |
5715 | + | |
5716 | + set->data = NULL; | |
5717 | +} | |
5718 | + | |
5719 | +static void flush(struct ip_set *set) | |
5720 | +{ | |
7d2f026e | 5721 | + struct ip_set_iptreemap *map = set->data; |
f45e9687 | 5722 | + |
5723 | + while (!del_timer(&map->gc)) | |
5724 | + msleep(IPTREEMAP_DESTROY_SLEEP); | |
5725 | + | |
5726 | + __flush(map); | |
5727 | + | |
5728 | + memset(map, 0, sizeof(*map)); | |
5729 | + | |
5730 | + init_gc_timer(set); | |
5731 | +} | |
5732 | + | |
5733 | +static void list_header(const struct ip_set *set, void *data) | |
5734 | +{ | |
7d2f026e | 5735 | + struct ip_set_iptreemap *map = set->data; |
5736 | + struct ip_set_req_iptreemap_create *header = data; | |
f45e9687 | 5737 | + |
5738 | + header->gc_interval = map->gc_interval; | |
5739 | +} | |
5740 | + | |
5741 | +static int list_members_size(const struct ip_set *set) | |
5742 | +{ | |
7d2f026e | 5743 | + struct ip_set_iptreemap *map = set->data; |
f45e9687 | 5744 | + struct ip_set_iptreemap_b *btree; |
5745 | + struct ip_set_iptreemap_c *ctree; | |
5746 | + struct ip_set_iptreemap_d *dtree; | |
5747 | + unsigned int a, b, c, d, inrange = 0, count = 0; | |
5748 | + | |
5749 | + LOOP_WALK_BEGIN_COUNT(map, a, btree, inrange, count) { | |
5750 | + LOOP_WALK_BEGIN_COUNT(btree, b, ctree, inrange, count) { | |
5751 | + LOOP_WALK_BEGIN_COUNT(ctree, c, dtree, inrange, count) { | |
5752 | + for (d = 0; d < 256; d++) { | |
5753 | + if (test_bit(d, (void *) dtree->bitmap)) { | |
5754 | + inrange = 1; | |
5755 | + } else if (inrange) { | |
5756 | + count++; | |
5757 | + inrange = 0; | |
5758 | + } | |
5759 | + } | |
5760 | + } LOOP_WALK_END_COUNT(); | |
5761 | + } LOOP_WALK_END_COUNT(); | |
5762 | + } LOOP_WALK_END_COUNT(); | |
5763 | + | |
5764 | + if (inrange) | |
5765 | + count++; | |
5766 | + | |
5767 | + return (count * sizeof(struct ip_set_req_iptreemap)); | |
5768 | +} | |
5769 | + | |
5770 | +static inline size_t add_member(void *data, size_t offset, ip_set_ip_t start, ip_set_ip_t end) | |
5771 | +{ | |
7d2f026e | 5772 | + struct ip_set_req_iptreemap *entry = data + offset; |
f45e9687 | 5773 | + |
5774 | + entry->start = start; | |
5775 | + entry->end = end; | |
5776 | + | |
5777 | + return sizeof(*entry); | |
5778 | +} | |
5779 | + | |
5780 | +static void list_members(const struct ip_set *set, void *data) | |
5781 | +{ | |
7d2f026e | 5782 | + struct ip_set_iptreemap *map = set->data; |
f45e9687 | 5783 | + struct ip_set_iptreemap_b *btree; |
5784 | + struct ip_set_iptreemap_c *ctree; | |
5785 | + struct ip_set_iptreemap_d *dtree; | |
5786 | + unsigned int a, b, c, d, inrange = 0; | |
5787 | + size_t offset = 0; | |
5788 | + ip_set_ip_t start = 0, end = 0, ip; | |
5789 | + | |
5790 | + LOOP_WALK_BEGIN(map, a, btree) { | |
5791 | + LOOP_WALK_BEGIN(btree, b, ctree) { | |
5792 | + LOOP_WALK_BEGIN(ctree, c, dtree) { | |
5793 | + for (d = 0; d < 256; d++) { | |
5794 | + if (test_bit(d, (void *) dtree->bitmap)) { | |
5795 | + ip = ((a << 24) | (b << 16) | (c << 8) | d); | |
5796 | + if (!inrange) { | |
5797 | + inrange = 1; | |
5798 | + start = ip; | |
5799 | + } else if (end < ip - 1) { | |
5800 | + offset += add_member(data, offset, start, end); | |
5801 | + start = ip; | |
5802 | + } | |
5803 | + end = ip; | |
5804 | + } else if (inrange) { | |
5805 | + offset += add_member(data, offset, start, end); | |
5806 | + inrange = 0; | |
5807 | + } | |
5808 | + } | |
5809 | + } LOOP_WALK_END(); | |
5810 | + } LOOP_WALK_END(); | |
5811 | + } LOOP_WALK_END(); | |
5812 | + | |
5813 | + if (inrange) | |
5814 | + add_member(data, offset, start, end); | |
5815 | +} | |
5816 | + | |
5817 | +static struct ip_set_type ip_set_iptreemap = { | |
5818 | + .typename = SETTYPE_NAME, | |
5819 | + .features = IPSET_TYPE_IP | IPSET_DATA_SINGLE, | |
5820 | + .protocol_version = IP_SET_PROTOCOL_VERSION, | |
5821 | + .create = create, | |
5822 | + .destroy = destroy, | |
5823 | + .flush = flush, | |
5824 | + .reqsize = sizeof(struct ip_set_req_iptreemap), | |
5825 | + .addip = addip, | |
5826 | + .addip_kernel = addip_kernel, | |
5827 | + .delip = delip, | |
5828 | + .delip_kernel = delip_kernel, | |
5829 | + .testip = testip, | |
5830 | + .testip_kernel = testip_kernel, | |
5831 | + .header_size = sizeof(struct ip_set_req_iptreemap_create), | |
5832 | + .list_header = list_header, | |
5833 | + .list_members_size = list_members_size, | |
5834 | + .list_members = list_members, | |
5835 | + .me = THIS_MODULE, | |
5836 | +}; | |
5837 | + | |
5838 | +MODULE_LICENSE("GPL"); | |
5839 | +MODULE_AUTHOR("Sven Wegener <sven.wegener@stealer.net>"); | |
5840 | +MODULE_DESCRIPTION("iptreemap type of IP sets"); | |
5841 | + | |
5842 | +static int __init ip_set_iptreemap_init(void) | |
5843 | +{ | |
5844 | + int ret = -ENOMEM; | |
5845 | + int a; | |
5846 | + | |
5847 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) | |
7d2f026e | 5848 | + cachep_b = kmem_cache_create("ip_set_iptreemap_b", |
5849 | + sizeof(struct ip_set_iptreemap_b), | |
f45e9687 | 5850 | + 0, 0, NULL); |
5851 | +#else | |
7d2f026e | 5852 | + cachep_b = kmem_cache_create("ip_set_iptreemap_b", |
5853 | + sizeof(struct ip_set_iptreemap_b), | |
f45e9687 | 5854 | + 0, 0, NULL, NULL); |
5855 | +#endif | |
5856 | + if (!cachep_b) { | |
5857 | + ip_set_printk("Unable to create ip_set_iptreemap_b slab cache"); | |
5858 | + goto out; | |
5859 | + } | |
5860 | + | |
5861 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) | |
7d2f026e | 5862 | + cachep_c = kmem_cache_create("ip_set_iptreemap_c", |
f45e9687 | 5863 | + sizeof(struct ip_set_iptreemap_c), |
5864 | + 0, 0, NULL); | |
5865 | +#else | |
7d2f026e | 5866 | + cachep_c = kmem_cache_create("ip_set_iptreemap_c", |
f45e9687 | 5867 | + sizeof(struct ip_set_iptreemap_c), |
5868 | + 0, 0, NULL, NULL); | |
5869 | +#endif | |
5870 | + if (!cachep_c) { | |
5871 | + ip_set_printk("Unable to create ip_set_iptreemap_c slab cache"); | |
5872 | + goto outb; | |
5873 | + } | |
5874 | + | |
5875 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) | |
5876 | + cachep_d = kmem_cache_create("ip_set_iptreemap_d", | |
5877 | + sizeof(struct ip_set_iptreemap_d), | |
5878 | + 0, 0, NULL); | |
5879 | +#else | |
5880 | + cachep_d = kmem_cache_create("ip_set_iptreemap_d", | |
5881 | + sizeof(struct ip_set_iptreemap_d), | |
5882 | + 0, 0, NULL, NULL); | |
5883 | +#endif | |
5884 | + if (!cachep_d) { | |
5885 | + ip_set_printk("Unable to create ip_set_iptreemap_d slab cache"); | |
5886 | + goto outc; | |
5887 | + } | |
5888 | + | |
5889 | + fullbitmap_d = kmem_cache_alloc(cachep_d, GFP_KERNEL); | |
5890 | + if (!fullbitmap_d) | |
5891 | + goto outd; | |
5892 | + | |
5893 | + fullbitmap_c = kmem_cache_alloc(cachep_c, GFP_KERNEL); | |
5894 | + if (!fullbitmap_c) | |
5895 | + goto outbitmapd; | |
5896 | + | |
5897 | + fullbitmap_b = kmem_cache_alloc(cachep_b, GFP_KERNEL); | |
5898 | + if (!fullbitmap_b) | |
5899 | + goto outbitmapc; | |
5900 | + | |
5901 | + ret = ip_set_register_set_type(&ip_set_iptreemap); | |
5902 | + if (0 > ret) | |
5903 | + goto outbitmapb; | |
5904 | + | |
5905 | + /* Now init our global bitmaps */ | |
5906 | + memset(fullbitmap_d->bitmap, 0xff, sizeof(fullbitmap_d->bitmap)); | |
5907 | + | |
5908 | + for (a = 0; a < 256; a++) | |
5909 | + fullbitmap_c->tree[a] = fullbitmap_d; | |
5910 | + | |
5911 | + for (a = 0; a < 256; a++) | |
5912 | + fullbitmap_b->tree[a] = fullbitmap_c; | |
5913 | + memset(fullbitmap_b->dirty, 0, sizeof(fullbitmap_b->dirty)); | |
5914 | + | |
5915 | + return 0; | |
5916 | + | |
5917 | +outbitmapb: | |
5918 | + kmem_cache_free(cachep_b, fullbitmap_b); | |
5919 | +outbitmapc: | |
5920 | + kmem_cache_free(cachep_c, fullbitmap_c); | |
5921 | +outbitmapd: | |
5922 | + kmem_cache_free(cachep_d, fullbitmap_d); | |
5923 | +outd: | |
5924 | + kmem_cache_destroy(cachep_d); | |
5925 | +outc: | |
5926 | + kmem_cache_destroy(cachep_c); | |
5927 | +outb: | |
5928 | + kmem_cache_destroy(cachep_b); | |
5929 | +out: | |
5930 | + | |
5931 | + return ret; | |
5932 | +} | |
5933 | + | |
5934 | +static void __exit ip_set_iptreemap_fini(void) | |
5935 | +{ | |
5936 | + ip_set_unregister_set_type(&ip_set_iptreemap); | |
5937 | + kmem_cache_free(cachep_d, fullbitmap_d); | |
5938 | + kmem_cache_free(cachep_c, fullbitmap_c); | |
5939 | + kmem_cache_free(cachep_b, fullbitmap_b); | |
5940 | + kmem_cache_destroy(cachep_d); | |
5941 | + kmem_cache_destroy(cachep_c); | |
5942 | + kmem_cache_destroy(cachep_b); | |
5943 | +} | |
5944 | + | |
5945 | +module_init(ip_set_iptreemap_init); | |
5946 | +module_exit(ip_set_iptreemap_fini); | |
7d2f026e | 5947 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/ip_set_macipmap.c linux-2.6/net/ipv4/netfilter/ip_set_macipmap.c |
5948 | --- a/net/ipv4/netfilter/ip_set_macipmap.c 1970-01-01 01:00:00.000000000 +0100 | |
5949 | +++ linux-2.6/net/ipv4/netfilter/ip_set_macipmap.c 2008-07-08 16:52:53.965201208 +0200 | |
5950 | @@ -0,0 +1,360 @@ | |
1aedc22c | 5951 | +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> |
5952 | + * Patrick Schaaf <bof@bof.de> | |
5953 | + * Martin Josefsson <gandalf@wlug.westbo.se> | |
5954 | + * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | |
5955 | + * | |
5956 | + * This program is free software; you can redistribute it and/or modify | |
5957 | + * it under the terms of the GNU General Public License version 2 as | |
7d2f026e | 5958 | + * published by the Free Software Foundation. |
1aedc22c | 5959 | + */ |
5960 | + | |
5961 | +/* Kernel module implementing an IP set type: the macipmap type */ | |
5962 | + | |
5963 | +#include <linux/module.h> | |
5964 | +#include <linux/ip.h> | |
5965 | +#include <linux/skbuff.h> | |
f45e9687 | 5966 | +#include <linux/version.h> |
1aedc22c | 5967 | +#include <linux/netfilter_ipv4/ip_tables.h> |
5968 | +#include <linux/netfilter_ipv4/ip_set.h> | |
5969 | +#include <linux/errno.h> | |
5970 | +#include <asm/uaccess.h> | |
5971 | +#include <asm/bitops.h> | |
5972 | +#include <linux/spinlock.h> | |
5973 | +#include <linux/if_ether.h> | |
5974 | +#include <linux/vmalloc.h> | |
5975 | + | |
5976 | +#include <linux/netfilter_ipv4/ip_set_malloc.h> | |
5977 | +#include <linux/netfilter_ipv4/ip_set_macipmap.h> | |
5978 | + | |
5979 | +static int | |
5980 | +testip(struct ip_set *set, const void *data, size_t size, ip_set_ip_t *hash_ip) | |
5981 | +{ | |
7d2f026e | 5982 | + struct ip_set_macipmap *map = set->data; |
5983 | + struct ip_set_macip *table = map->members; | |
5984 | + const struct ip_set_req_macipmap *req = data; | |
1aedc22c | 5985 | + |
5986 | + if (size != sizeof(struct ip_set_req_macipmap)) { | |
5987 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
5988 | + sizeof(struct ip_set_req_macipmap), | |
5989 | + size); | |
5990 | + return -EINVAL; | |
5991 | + } | |
5992 | + | |
5993 | + if (req->ip < map->first_ip || req->ip > map->last_ip) | |
5994 | + return -ERANGE; | |
5995 | + | |
5996 | + *hash_ip = req->ip; | |
5997 | + DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u", | |
5998 | + set->name, HIPQUAD(req->ip), HIPQUAD(*hash_ip)); | |
5999 | + if (test_bit(IPSET_MACIP_ISSET, | |
6000 | + (void *) &table[req->ip - map->first_ip].flags)) { | |
6001 | + return (memcmp(req->ethernet, | |
6002 | + &table[req->ip - map->first_ip].ethernet, | |
6003 | + ETH_ALEN) == 0); | |
6004 | + } else { | |
6005 | + return (map->flags & IPSET_MACIP_MATCHUNSET ? 1 : 0); | |
6006 | + } | |
6007 | +} | |
6008 | + | |
6009 | +static int | |
7d2f026e | 6010 | +testip_kernel(struct ip_set *set, |
1aedc22c | 6011 | + const struct sk_buff *skb, |
6012 | + ip_set_ip_t *hash_ip, | |
6013 | + const u_int32_t *flags, | |
6014 | + unsigned char index) | |
6015 | +{ | |
7d2f026e | 6016 | + struct ip_set_macipmap *map = set->data; |
6017 | + struct ip_set_macip *table = map->members; | |
1aedc22c | 6018 | + ip_set_ip_t ip; |
6019 | + | |
6020 | + ip = ntohl(flags[index] & IPSET_SRC | |
f45e9687 | 6021 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 6022 | + ? ip_hdr(skb)->saddr |
5ce52adc | 6023 | + : ip_hdr(skb)->daddr); |
f45e9687 | 6024 | +#else |
6025 | + ? skb->nh.iph->saddr | |
6026 | + : skb->nh.iph->daddr); | |
6027 | +#endif | |
1aedc22c | 6028 | + |
6029 | + if (ip < map->first_ip || ip > map->last_ip) | |
6030 | + return 0; | |
6031 | + | |
6032 | + *hash_ip = ip; | |
6033 | + DP("set: %s, ip:%u.%u.%u.%u, %u.%u.%u.%u", | |
6034 | + set->name, HIPQUAD(ip), HIPQUAD(*hash_ip)); | |
6035 | + if (test_bit(IPSET_MACIP_ISSET, | |
6036 | + (void *) &table[ip - map->first_ip].flags)) { | |
6037 | + /* Is mac pointer valid? | |
6038 | + * If so, compare... */ | |
f45e9687 | 6039 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
6040 | + return (skb_mac_header(skb) >= skb->head | |
6041 | + && (skb_mac_header(skb) + ETH_HLEN) <= skb->data | |
6042 | +#else | |
6043 | + return (skb->mac.raw >= skb->head | |
6044 | + && (skb->mac.raw + ETH_HLEN) <= skb->data | |
6045 | +#endif | |
1aedc22c | 6046 | + && (memcmp(eth_hdr(skb)->h_source, |
6047 | + &table[ip - map->first_ip].ethernet, | |
6048 | + ETH_ALEN) == 0)); | |
6049 | + } else { | |
6050 | + return (map->flags & IPSET_MACIP_MATCHUNSET ? 1 : 0); | |
6051 | + } | |
6052 | +} | |
6053 | + | |
6054 | +/* returns 0 on success */ | |
6055 | +static inline int | |
7d2f026e | 6056 | +__addip(struct ip_set *set, |
6057 | + ip_set_ip_t ip, const unsigned char *ethernet, ip_set_ip_t *hash_ip) | |
1aedc22c | 6058 | +{ |
7d2f026e | 6059 | + struct ip_set_macipmap *map = set->data; |
6060 | + struct ip_set_macip *table = map->members; | |
1aedc22c | 6061 | + |
6062 | + if (ip < map->first_ip || ip > map->last_ip) | |
6063 | + return -ERANGE; | |
7d2f026e | 6064 | + if (test_and_set_bit(IPSET_MACIP_ISSET, |
1aedc22c | 6065 | + (void *) &table[ip - map->first_ip].flags)) |
6066 | + return -EEXIST; | |
6067 | + | |
6068 | + *hash_ip = ip; | |
6069 | + DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip)); | |
6070 | + memcpy(&table[ip - map->first_ip].ethernet, ethernet, ETH_ALEN); | |
6071 | + return 0; | |
6072 | +} | |
6073 | + | |
6074 | +static int | |
6075 | +addip(struct ip_set *set, const void *data, size_t size, | |
6076 | + ip_set_ip_t *hash_ip) | |
6077 | +{ | |
7d2f026e | 6078 | + const struct ip_set_req_macipmap *req = data; |
1aedc22c | 6079 | + |
6080 | + if (size != sizeof(struct ip_set_req_macipmap)) { | |
6081 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
6082 | + sizeof(struct ip_set_req_macipmap), | |
6083 | + size); | |
6084 | + return -EINVAL; | |
6085 | + } | |
6086 | + return __addip(set, req->ip, req->ethernet, hash_ip); | |
6087 | +} | |
6088 | + | |
6089 | +static int | |
7d2f026e | 6090 | +addip_kernel(struct ip_set *set, |
1aedc22c | 6091 | + const struct sk_buff *skb, |
6092 | + ip_set_ip_t *hash_ip, | |
6093 | + const u_int32_t *flags, | |
6094 | + unsigned char index) | |
6095 | +{ | |
6096 | + ip_set_ip_t ip; | |
6097 | + | |
6098 | + ip = ntohl(flags[index] & IPSET_SRC | |
f45e9687 | 6099 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 6100 | + ? ip_hdr(skb)->saddr |
5ce52adc | 6101 | + : ip_hdr(skb)->daddr); |
f45e9687 | 6102 | +#else |
6103 | + ? skb->nh.iph->saddr | |
6104 | + : skb->nh.iph->daddr); | |
6105 | +#endif | |
1aedc22c | 6106 | + |
f45e9687 | 6107 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
6108 | + if (!(skb_mac_header(skb) >= skb->head | |
6109 | + && (skb_mac_header(skb) + ETH_HLEN) <= skb->data)) | |
6110 | +#else | |
6111 | + if (!(skb->mac.raw >= skb->head | |
6112 | + && (skb->mac.raw + ETH_HLEN) <= skb->data)) | |
6113 | +#endif | |
1aedc22c | 6114 | + return -EINVAL; |
6115 | + | |
6116 | + return __addip(set, ip, eth_hdr(skb)->h_source, hash_ip); | |
6117 | +} | |
6118 | + | |
6119 | +static inline int | |
6120 | +__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) | |
6121 | +{ | |
7d2f026e | 6122 | + struct ip_set_macipmap *map = set->data; |
6123 | + struct ip_set_macip *table = map->members; | |
1aedc22c | 6124 | + |
6125 | + if (ip < map->first_ip || ip > map->last_ip) | |
6126 | + return -ERANGE; | |
7d2f026e | 6127 | + if (!test_and_clear_bit(IPSET_MACIP_ISSET, |
1aedc22c | 6128 | + (void *)&table[ip - map->first_ip].flags)) |
6129 | + return -EEXIST; | |
6130 | + | |
6131 | + *hash_ip = ip; | |
6132 | + DP("%u.%u.%u.%u, %u.%u.%u.%u", HIPQUAD(ip), HIPQUAD(*hash_ip)); | |
6133 | + return 0; | |
6134 | +} | |
6135 | + | |
6136 | +static int | |
6137 | +delip(struct ip_set *set, const void *data, size_t size, | |
6138 | + ip_set_ip_t *hash_ip) | |
6139 | +{ | |
7d2f026e | 6140 | + const struct ip_set_req_macipmap *req = data; |
1aedc22c | 6141 | + |
6142 | + if (size != sizeof(struct ip_set_req_macipmap)) { | |
6143 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
6144 | + sizeof(struct ip_set_req_macipmap), | |
6145 | + size); | |
6146 | + return -EINVAL; | |
6147 | + } | |
6148 | + return __delip(set, req->ip, hash_ip); | |
6149 | +} | |
6150 | + | |
6151 | +static int | |
6152 | +delip_kernel(struct ip_set *set, | |
6153 | + const struct sk_buff *skb, | |
6154 | + ip_set_ip_t *hash_ip, | |
6155 | + const u_int32_t *flags, | |
6156 | + unsigned char index) | |
6157 | +{ | |
6158 | + return __delip(set, | |
7d2f026e | 6159 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 6160 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 6161 | + ? ip_hdr(skb)->saddr |
5ce52adc | 6162 | + : ip_hdr(skb)->daddr), |
f45e9687 | 6163 | +#else |
7d2f026e | 6164 | + ? skb->nh.iph->saddr |
f45e9687 | 6165 | + : skb->nh.iph->daddr), |
6166 | +#endif | |
1aedc22c | 6167 | + hash_ip); |
6168 | +} | |
6169 | + | |
7d2f026e | 6170 | +static inline size_t members_size(ip_set_ip_t from, ip_set_ip_t to) |
1aedc22c | 6171 | +{ |
6172 | + return (size_t)((to - from + 1) * sizeof(struct ip_set_macip)); | |
6173 | +} | |
6174 | + | |
6175 | +static int create(struct ip_set *set, const void *data, size_t size) | |
6176 | +{ | |
7d2f026e | 6177 | + size_t newbytes; |
6178 | + const struct ip_set_req_macipmap_create *req = data; | |
1aedc22c | 6179 | + struct ip_set_macipmap *map; |
6180 | + | |
6181 | + if (size != sizeof(struct ip_set_req_macipmap_create)) { | |
6182 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
6183 | + sizeof(struct ip_set_req_macipmap_create), | |
6184 | + size); | |
6185 | + return -EINVAL; | |
6186 | + } | |
6187 | + | |
6188 | + DP("from %u.%u.%u.%u to %u.%u.%u.%u", | |
6189 | + HIPQUAD(req->from), HIPQUAD(req->to)); | |
6190 | + | |
6191 | + if (req->from > req->to) { | |
6192 | + DP("bad ip range"); | |
6193 | + return -ENOEXEC; | |
6194 | + } | |
6195 | + | |
6196 | + if (req->to - req->from > MAX_RANGE) { | |
6197 | + ip_set_printk("range too big (max %d addresses)", | |
6198 | + MAX_RANGE+1); | |
6199 | + return -ENOEXEC; | |
6200 | + } | |
6201 | + | |
6202 | + map = kmalloc(sizeof(struct ip_set_macipmap), GFP_KERNEL); | |
6203 | + if (!map) { | |
6204 | + DP("out of memory for %d bytes", | |
6205 | + sizeof(struct ip_set_macipmap)); | |
6206 | + return -ENOMEM; | |
6207 | + } | |
6208 | + map->flags = req->flags; | |
6209 | + map->first_ip = req->from; | |
6210 | + map->last_ip = req->to; | |
6211 | + newbytes = members_size(map->first_ip, map->last_ip); | |
6212 | + map->members = ip_set_malloc(newbytes); | |
6213 | + DP("members: %u %p", newbytes, map->members); | |
6214 | + if (!map->members) { | |
6215 | + DP("out of memory for %d bytes", newbytes); | |
6216 | + kfree(map); | |
6217 | + return -ENOMEM; | |
6218 | + } | |
6219 | + memset(map->members, 0, newbytes); | |
6220 | + | |
6221 | + set->data = map; | |
6222 | + return 0; | |
6223 | +} | |
6224 | + | |
6225 | +static void destroy(struct ip_set *set) | |
6226 | +{ | |
7d2f026e | 6227 | + struct ip_set_macipmap *map = set->data; |
1aedc22c | 6228 | + |
6229 | + ip_set_free(map->members, members_size(map->first_ip, map->last_ip)); | |
6230 | + kfree(map); | |
6231 | + | |
6232 | + set->data = NULL; | |
6233 | +} | |
6234 | + | |
6235 | +static void flush(struct ip_set *set) | |
6236 | +{ | |
7d2f026e | 6237 | + struct ip_set_macipmap *map = set->data; |
1aedc22c | 6238 | + memset(map->members, 0, members_size(map->first_ip, map->last_ip)); |
6239 | +} | |
6240 | + | |
6241 | +static void list_header(const struct ip_set *set, void *data) | |
6242 | +{ | |
7d2f026e | 6243 | + const struct ip_set_macipmap *map = set->data; |
6244 | + struct ip_set_req_macipmap_create *header = data; | |
1aedc22c | 6245 | + |
6246 | + DP("list_header %x %x %u", map->first_ip, map->last_ip, | |
6247 | + map->flags); | |
6248 | + | |
6249 | + header->from = map->first_ip; | |
6250 | + header->to = map->last_ip; | |
6251 | + header->flags = map->flags; | |
6252 | +} | |
6253 | + | |
6254 | +static int list_members_size(const struct ip_set *set) | |
6255 | +{ | |
7d2f026e | 6256 | + const struct ip_set_macipmap *map = set->data; |
1aedc22c | 6257 | + |
6258 | + DP("%u", members_size(map->first_ip, map->last_ip)); | |
6259 | + return members_size(map->first_ip, map->last_ip); | |
6260 | +} | |
6261 | + | |
6262 | +static void list_members(const struct ip_set *set, void *data) | |
6263 | +{ | |
7d2f026e | 6264 | + const struct ip_set_macipmap *map = set->data; |
1aedc22c | 6265 | + |
6266 | + int bytes = members_size(map->first_ip, map->last_ip); | |
6267 | + | |
6268 | + DP("members: %u %p", bytes, map->members); | |
6269 | + memcpy(data, map->members, bytes); | |
6270 | +} | |
6271 | + | |
6272 | +static struct ip_set_type ip_set_macipmap = { | |
6273 | + .typename = SETTYPE_NAME, | |
6274 | + .features = IPSET_TYPE_IP | IPSET_DATA_SINGLE, | |
6275 | + .protocol_version = IP_SET_PROTOCOL_VERSION, | |
6276 | + .create = &create, | |
6277 | + .destroy = &destroy, | |
6278 | + .flush = &flush, | |
6279 | + .reqsize = sizeof(struct ip_set_req_macipmap), | |
6280 | + .addip = &addip, | |
6281 | + .addip_kernel = &addip_kernel, | |
6282 | + .delip = &delip, | |
6283 | + .delip_kernel = &delip_kernel, | |
6284 | + .testip = &testip, | |
6285 | + .testip_kernel = &testip_kernel, | |
6286 | + .header_size = sizeof(struct ip_set_req_macipmap_create), | |
6287 | + .list_header = &list_header, | |
6288 | + .list_members_size = &list_members_size, | |
6289 | + .list_members = &list_members, | |
6290 | + .me = THIS_MODULE, | |
6291 | +}; | |
6292 | + | |
6293 | +MODULE_LICENSE("GPL"); | |
6294 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
6295 | +MODULE_DESCRIPTION("macipmap type of IP sets"); | |
6296 | + | |
f45e9687 | 6297 | +static int __init ip_set_macipmap_init(void) |
1aedc22c | 6298 | +{ |
7d2f026e | 6299 | + init_max_page_size(); |
1aedc22c | 6300 | + return ip_set_register_set_type(&ip_set_macipmap); |
6301 | +} | |
6302 | + | |
f45e9687 | 6303 | +static void __exit ip_set_macipmap_fini(void) |
1aedc22c | 6304 | +{ |
6305 | + /* FIXME: possible race with ip_set_create() */ | |
6306 | + ip_set_unregister_set_type(&ip_set_macipmap); | |
6307 | +} | |
6308 | + | |
f45e9687 | 6309 | +module_init(ip_set_macipmap_init); |
6310 | +module_exit(ip_set_macipmap_fini); | |
7d2f026e | 6311 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/ip_set_nethash.c linux-2.6/net/ipv4/netfilter/ip_set_nethash.c |
6312 | --- a/net/ipv4/netfilter/ip_set_nethash.c 1970-01-01 01:00:00.000000000 +0100 | |
6313 | +++ linux-2.6/net/ipv4/netfilter/ip_set_nethash.c 2008-07-08 16:52:53.965201208 +0200 | |
6314 | @@ -0,0 +1,490 @@ | |
1aedc22c | 6315 | +/* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
6316 | + * | |
6317 | + * This program is free software; you can redistribute it and/or modify | |
6318 | + * it under the terms of the GNU General Public License version 2 as | |
7d2f026e | 6319 | + * published by the Free Software Foundation. |
1aedc22c | 6320 | + */ |
6321 | + | |
6322 | +/* Kernel module implementing a cidr nethash set */ | |
6323 | + | |
6324 | +#include <linux/module.h> | |
6325 | +#include <linux/ip.h> | |
6326 | +#include <linux/skbuff.h> | |
f45e9687 | 6327 | +#include <linux/version.h> |
6328 | +#include <linux/jhash.h> | |
1aedc22c | 6329 | +#include <linux/netfilter_ipv4/ip_tables.h> |
6330 | +#include <linux/netfilter_ipv4/ip_set.h> | |
6331 | +#include <linux/errno.h> | |
6332 | +#include <asm/uaccess.h> | |
6333 | +#include <asm/bitops.h> | |
6334 | +#include <linux/spinlock.h> | |
6335 | +#include <linux/vmalloc.h> | |
6336 | +#include <linux/random.h> | |
6337 | + | |
6338 | +#include <net/ip.h> | |
6339 | + | |
6340 | +#include <linux/netfilter_ipv4/ip_set_malloc.h> | |
6341 | +#include <linux/netfilter_ipv4/ip_set_nethash.h> | |
1aedc22c | 6342 | + |
6343 | +static int limit = MAX_RANGE; | |
6344 | + | |
6345 | +static inline __u32 | |
6346 | +jhash_ip(const struct ip_set_nethash *map, uint16_t i, ip_set_ip_t ip) | |
6347 | +{ | |
6348 | + return jhash_1word(ip, *(((uint32_t *) map->initval) + i)); | |
6349 | +} | |
6350 | + | |
6351 | +static inline __u32 | |
6352 | +hash_id_cidr(struct ip_set_nethash *map, | |
6353 | + ip_set_ip_t ip, | |
6354 | + unsigned char cidr, | |
6355 | + ip_set_ip_t *hash_ip) | |
6356 | +{ | |
6357 | + __u32 id; | |
6358 | + u_int16_t i; | |
6359 | + ip_set_ip_t *elem; | |
6360 | + | |
6361 | + *hash_ip = pack(ip, cidr); | |
6362 | + | |
6363 | + for (i = 0; i < map->probes; i++) { | |
6364 | + id = jhash_ip(map, i, *hash_ip) % map->hashsize; | |
6365 | + DP("hash key: %u", id); | |
6366 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id); | |
6367 | + if (*elem == *hash_ip) | |
6368 | + return id; | |
6369 | + } | |
6370 | + return UINT_MAX; | |
6371 | +} | |
6372 | + | |
6373 | +static inline __u32 | |
6374 | +hash_id(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) | |
6375 | +{ | |
7d2f026e | 6376 | + struct ip_set_nethash *map = set->data; |
1aedc22c | 6377 | + __u32 id = UINT_MAX; |
6378 | + int i; | |
6379 | + | |
6380 | + for (i = 0; i < 30 && map->cidr[i]; i++) { | |
6381 | + id = hash_id_cidr(map, ip, map->cidr[i], hash_ip); | |
6382 | + if (id != UINT_MAX) | |
6383 | + break; | |
6384 | + } | |
6385 | + return id; | |
6386 | +} | |
6387 | + | |
6388 | +static inline int | |
6389 | +__testip_cidr(struct ip_set *set, ip_set_ip_t ip, unsigned char cidr, | |
6390 | + ip_set_ip_t *hash_ip) | |
6391 | +{ | |
7d2f026e | 6392 | + struct ip_set_nethash *map = set->data; |
1aedc22c | 6393 | + |
6394 | + return (ip && hash_id_cidr(map, ip, cidr, hash_ip) != UINT_MAX); | |
6395 | +} | |
6396 | + | |
6397 | +static inline int | |
6398 | +__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip) | |
6399 | +{ | |
6400 | + return (ip && hash_id(set, ip, hash_ip) != UINT_MAX); | |
6401 | +} | |
6402 | + | |
6403 | +static int | |
6404 | +testip(struct ip_set *set, const void *data, size_t size, | |
6405 | + ip_set_ip_t *hash_ip) | |
6406 | +{ | |
7d2f026e | 6407 | + const struct ip_set_req_nethash *req = data; |
1aedc22c | 6408 | + |
6409 | + if (size != sizeof(struct ip_set_req_nethash)) { | |
6410 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
6411 | + sizeof(struct ip_set_req_nethash), | |
6412 | + size); | |
6413 | + return -EINVAL; | |
6414 | + } | |
6415 | + return (req->cidr == 32 ? __testip(set, req->ip, hash_ip) | |
6416 | + : __testip_cidr(set, req->ip, req->cidr, hash_ip)); | |
6417 | +} | |
6418 | + | |
6419 | +static int | |
7d2f026e | 6420 | +testip_kernel(struct ip_set *set, |
1aedc22c | 6421 | + const struct sk_buff *skb, |
6422 | + ip_set_ip_t *hash_ip, | |
6423 | + const u_int32_t *flags, | |
6424 | + unsigned char index) | |
6425 | +{ | |
6426 | + return __testip(set, | |
7d2f026e | 6427 | + ntohl(flags[index] & IPSET_SRC |
f45e9687 | 6428 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 6429 | + ? ip_hdr(skb)->saddr |
5ce52adc | 6430 | + : ip_hdr(skb)->daddr), |
f45e9687 | 6431 | +#else |
7d2f026e | 6432 | + ? skb->nh.iph->saddr |
f45e9687 | 6433 | + : skb->nh.iph->daddr), |
6434 | +#endif | |
1aedc22c | 6435 | + hash_ip); |
6436 | +} | |
6437 | + | |
6438 | +static inline int | |
6439 | +__addip_base(struct ip_set_nethash *map, ip_set_ip_t ip) | |
6440 | +{ | |
6441 | + __u32 probe; | |
6442 | + u_int16_t i; | |
6443 | + ip_set_ip_t *elem; | |
6444 | + | |
6445 | + for (i = 0; i < map->probes; i++) { | |
6446 | + probe = jhash_ip(map, i, ip) % map->hashsize; | |
6447 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, probe); | |
6448 | + if (*elem == ip) | |
6449 | + return -EEXIST; | |
6450 | + if (!*elem) { | |
6451 | + *elem = ip; | |
6452 | + map->elements++; | |
6453 | + return 0; | |
6454 | + } | |
6455 | + } | |
6456 | + /* Trigger rehashing */ | |
6457 | + return -EAGAIN; | |
6458 | +} | |
6459 | + | |
6460 | +static inline int | |
6461 | +__addip(struct ip_set_nethash *map, ip_set_ip_t ip, unsigned char cidr, | |
6462 | + ip_set_ip_t *hash_ip) | |
6463 | +{ | |
f45e9687 | 6464 | + if (!ip || map->elements >= limit) |
1aedc22c | 6465 | + return -ERANGE; |
6466 | + | |
6467 | + *hash_ip = pack(ip, cidr); | |
6468 | + DP("%u.%u.%u.%u/%u, %u.%u.%u.%u", HIPQUAD(ip), cidr, HIPQUAD(*hash_ip)); | |
6469 | + | |
6470 | + return __addip_base(map, *hash_ip); | |
6471 | +} | |
6472 | + | |
6473 | +static void | |
6474 | +update_cidr_sizes(struct ip_set_nethash *map, unsigned char cidr) | |
6475 | +{ | |
6476 | + unsigned char next; | |
6477 | + int i; | |
6478 | + | |
6479 | + for (i = 0; i < 30 && map->cidr[i]; i++) { | |
6480 | + if (map->cidr[i] == cidr) { | |
6481 | + return; | |
6482 | + } else if (map->cidr[i] < cidr) { | |
6483 | + next = map->cidr[i]; | |
6484 | + map->cidr[i] = cidr; | |
6485 | + cidr = next; | |
6486 | + } | |
6487 | + } | |
6488 | + if (i < 30) | |
6489 | + map->cidr[i] = cidr; | |
6490 | +} | |
6491 | + | |
6492 | +static int | |
6493 | +addip(struct ip_set *set, const void *data, size_t size, | |
6494 | + ip_set_ip_t *hash_ip) | |
6495 | +{ | |
7d2f026e | 6496 | + const struct ip_set_req_nethash *req = data; |
1aedc22c | 6497 | + int ret; |
6498 | + | |
6499 | + if (size != sizeof(struct ip_set_req_nethash)) { | |
6500 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
6501 | + sizeof(struct ip_set_req_nethash), | |
6502 | + size); | |
6503 | + return -EINVAL; | |
6504 | + } | |
7d2f026e | 6505 | + ret = __addip(set->data, req->ip, req->cidr, hash_ip); |
1aedc22c | 6506 | + |
6507 | + if (ret == 0) | |
7d2f026e | 6508 | + update_cidr_sizes(set->data, req->cidr); |
1aedc22c | 6509 | + |
6510 | + return ret; | |
6511 | +} | |
6512 | + | |
6513 | +static int | |
7d2f026e | 6514 | +addip_kernel(struct ip_set *set, |
1aedc22c | 6515 | + const struct sk_buff *skb, |
6516 | + ip_set_ip_t *hash_ip, | |
6517 | + const u_int32_t *flags, | |
6518 | + unsigned char index) | |
6519 | +{ | |
7d2f026e | 6520 | + struct ip_set_nethash *map = set->data; |
1aedc22c | 6521 | + int ret = -ERANGE; |
7d2f026e | 6522 | + ip_set_ip_t ip = ntohl(flags[index] & IPSET_SRC |
f45e9687 | 6523 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 6524 | + ? ip_hdr(skb)->saddr |
5ce52adc | 6525 | + : ip_hdr(skb)->daddr); |
f45e9687 | 6526 | +#else |
6527 | + ? skb->nh.iph->saddr | |
6528 | + : skb->nh.iph->daddr); | |
6529 | +#endif | |
1aedc22c | 6530 | + |
6531 | + if (map->cidr[0]) | |
6532 | + ret = __addip(map, ip, map->cidr[0], hash_ip); | |
6533 | + | |
6534 | + return ret; | |
6535 | +} | |
6536 | + | |
6537 | +static int retry(struct ip_set *set) | |
6538 | +{ | |
7d2f026e | 6539 | + struct ip_set_nethash *map = set->data; |
1aedc22c | 6540 | + ip_set_ip_t *elem; |
6541 | + void *members; | |
6542 | + u_int32_t i, hashsize = map->hashsize; | |
6543 | + int res; | |
6544 | + struct ip_set_nethash *tmp; | |
6545 | + | |
6546 | + if (map->resize == 0) | |
6547 | + return -ERANGE; | |
6548 | + | |
6549 | + again: | |
6550 | + res = 0; | |
6551 | + | |
6552 | + /* Calculate new parameters */ | |
6553 | + hashsize += (hashsize * map->resize)/100; | |
6554 | + if (hashsize == map->hashsize) | |
6555 | + hashsize++; | |
6556 | + | |
6557 | + ip_set_printk("rehashing of set %s triggered: " | |
6558 | + "hashsize grows from %u to %u", | |
6559 | + set->name, map->hashsize, hashsize); | |
6560 | + | |
7d2f026e | 6561 | + tmp = kmalloc(sizeof(struct ip_set_nethash) |
1aedc22c | 6562 | + + map->probes * sizeof(uint32_t), GFP_ATOMIC); |
6563 | + if (!tmp) { | |
6564 | + DP("out of memory for %d bytes", | |
6565 | + sizeof(struct ip_set_nethash) | |
6566 | + + map->probes * sizeof(uint32_t)); | |
6567 | + return -ENOMEM; | |
6568 | + } | |
6569 | + tmp->members = harray_malloc(hashsize, sizeof(ip_set_ip_t), GFP_ATOMIC); | |
6570 | + if (!tmp->members) { | |
6571 | + DP("out of memory for %d bytes", hashsize * sizeof(ip_set_ip_t)); | |
6572 | + kfree(tmp); | |
6573 | + return -ENOMEM; | |
6574 | + } | |
6575 | + tmp->hashsize = hashsize; | |
6576 | + tmp->elements = 0; | |
6577 | + tmp->probes = map->probes; | |
6578 | + tmp->resize = map->resize; | |
6579 | + memcpy(tmp->initval, map->initval, map->probes * sizeof(uint32_t)); | |
6580 | + memcpy(tmp->cidr, map->cidr, 30 * sizeof(unsigned char)); | |
6581 | + | |
6582 | + write_lock_bh(&set->lock); | |
7d2f026e | 6583 | + map = set->data; /* Play safe */ |
1aedc22c | 6584 | + for (i = 0; i < map->hashsize && res == 0; i++) { |
6585 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, i); | |
6586 | + if (*elem) | |
6587 | + res = __addip_base(tmp, *elem); | |
6588 | + } | |
6589 | + if (res) { | |
6590 | + /* Failure, try again */ | |
6591 | + write_unlock_bh(&set->lock); | |
6592 | + harray_free(tmp->members); | |
6593 | + kfree(tmp); | |
6594 | + goto again; | |
6595 | + } | |
6596 | + | |
6597 | + /* Success at resizing! */ | |
6598 | + members = map->members; | |
6599 | + | |
6600 | + map->hashsize = tmp->hashsize; | |
6601 | + map->members = tmp->members; | |
6602 | + write_unlock_bh(&set->lock); | |
6603 | + | |
6604 | + harray_free(members); | |
6605 | + kfree(tmp); | |
6606 | + | |
6607 | + return 0; | |
6608 | +} | |
6609 | + | |
6610 | +static inline int | |
6611 | +__delip(struct ip_set_nethash *map, ip_set_ip_t ip, unsigned char cidr, | |
6612 | + ip_set_ip_t *hash_ip) | |
6613 | +{ | |
6614 | + ip_set_ip_t id, *elem; | |
6615 | + | |
6616 | + if (!ip) | |
6617 | + return -ERANGE; | |
6618 | + | |
6619 | + id = hash_id_cidr(map, ip, cidr, hash_ip); | |
6620 | + if (id == UINT_MAX) | |
6621 | + return -EEXIST; | |
6622 | + | |
6623 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id); | |
6624 | + *elem = 0; | |
6625 | + map->elements--; | |
6626 | + return 0; | |
6627 | +} | |
6628 | + | |
6629 | +static int | |
6630 | +delip(struct ip_set *set, const void *data, size_t size, | |
6631 | + ip_set_ip_t *hash_ip) | |
6632 | +{ | |
7d2f026e | 6633 | + const struct ip_set_req_nethash *req = data; |
1aedc22c | 6634 | + |
6635 | + if (size != sizeof(struct ip_set_req_nethash)) { | |
6636 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
6637 | + sizeof(struct ip_set_req_nethash), | |
6638 | + size); | |
6639 | + return -EINVAL; | |
6640 | + } | |
6641 | + /* TODO: no garbage collection in map->cidr */ | |
7d2f026e | 6642 | + return __delip(set->data, req->ip, req->cidr, hash_ip); |
1aedc22c | 6643 | +} |
6644 | + | |
6645 | +static int | |
7d2f026e | 6646 | +delip_kernel(struct ip_set *set, |
1aedc22c | 6647 | + const struct sk_buff *skb, |
6648 | + ip_set_ip_t *hash_ip, | |
6649 | + const u_int32_t *flags, | |
6650 | + unsigned char index) | |
6651 | +{ | |
7d2f026e | 6652 | + struct ip_set_nethash *map = set->data; |
1aedc22c | 6653 | + int ret = -ERANGE; |
7d2f026e | 6654 | + ip_set_ip_t ip = ntohl(flags[index] & IPSET_SRC |
f45e9687 | 6655 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
7d2f026e | 6656 | + ? ip_hdr(skb)->saddr |
5ce52adc | 6657 | + : ip_hdr(skb)->daddr); |
f45e9687 | 6658 | +#else |
6659 | + ? skb->nh.iph->saddr | |
6660 | + : skb->nh.iph->daddr); | |
6661 | +#endif | |
1aedc22c | 6662 | + |
6663 | + if (map->cidr[0]) | |
6664 | + ret = __delip(map, ip, map->cidr[0], hash_ip); | |
6665 | + | |
6666 | + return ret; | |
6667 | +} | |
6668 | + | |
6669 | +static int create(struct ip_set *set, const void *data, size_t size) | |
6670 | +{ | |
7d2f026e | 6671 | + const struct ip_set_req_nethash_create *req = data; |
1aedc22c | 6672 | + struct ip_set_nethash *map; |
6673 | + uint16_t i; | |
6674 | + | |
6675 | + if (size != sizeof(struct ip_set_req_nethash_create)) { | |
6676 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
6677 | + sizeof(struct ip_set_req_nethash_create), | |
6678 | + size); | |
6679 | + return -EINVAL; | |
6680 | + } | |
6681 | + | |
6682 | + if (req->hashsize < 1) { | |
6683 | + ip_set_printk("hashsize too small"); | |
6684 | + return -ENOEXEC; | |
6685 | + } | |
6686 | + if (req->probes < 1) { | |
6687 | + ip_set_printk("probes too small"); | |
6688 | + return -ENOEXEC; | |
6689 | + } | |
6690 | + | |
6691 | + map = kmalloc(sizeof(struct ip_set_nethash) | |
6692 | + + req->probes * sizeof(uint32_t), GFP_KERNEL); | |
6693 | + if (!map) { | |
6694 | + DP("out of memory for %d bytes", | |
6695 | + sizeof(struct ip_set_nethash) | |
6696 | + + req->probes * sizeof(uint32_t)); | |
6697 | + return -ENOMEM; | |
6698 | + } | |
6699 | + for (i = 0; i < req->probes; i++) | |
6700 | + get_random_bytes(((uint32_t *) map->initval)+i, 4); | |
6701 | + map->elements = 0; | |
6702 | + map->hashsize = req->hashsize; | |
6703 | + map->probes = req->probes; | |
6704 | + map->resize = req->resize; | |
6705 | + memset(map->cidr, 0, 30 * sizeof(unsigned char)); | |
6706 | + map->members = harray_malloc(map->hashsize, sizeof(ip_set_ip_t), GFP_KERNEL); | |
6707 | + if (!map->members) { | |
6708 | + DP("out of memory for %d bytes", map->hashsize * sizeof(ip_set_ip_t)); | |
6709 | + kfree(map); | |
6710 | + return -ENOMEM; | |
6711 | + } | |
6712 | + | |
6713 | + set->data = map; | |
6714 | + return 0; | |
6715 | +} | |
6716 | + | |
6717 | +static void destroy(struct ip_set *set) | |
6718 | +{ | |
7d2f026e | 6719 | + struct ip_set_nethash *map = set->data; |
1aedc22c | 6720 | + |
6721 | + harray_free(map->members); | |
6722 | + kfree(map); | |
6723 | + | |
6724 | + set->data = NULL; | |
6725 | +} | |
6726 | + | |
6727 | +static void flush(struct ip_set *set) | |
6728 | +{ | |
7d2f026e | 6729 | + struct ip_set_nethash *map = set->data; |
1aedc22c | 6730 | + harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t)); |
6731 | + memset(map->cidr, 0, 30 * sizeof(unsigned char)); | |
6732 | + map->elements = 0; | |
6733 | +} | |
6734 | + | |
6735 | +static void list_header(const struct ip_set *set, void *data) | |
6736 | +{ | |
7d2f026e | 6737 | + const struct ip_set_nethash *map = set->data; |
6738 | + struct ip_set_req_nethash_create *header = data; | |
1aedc22c | 6739 | + |
6740 | + header->hashsize = map->hashsize; | |
6741 | + header->probes = map->probes; | |
6742 | + header->resize = map->resize; | |
6743 | +} | |
6744 | + | |
6745 | +static int list_members_size(const struct ip_set *set) | |
6746 | +{ | |
7d2f026e | 6747 | + struct ip_set_nethash *map = set->data; |
1aedc22c | 6748 | + |
6749 | + return (map->hashsize * sizeof(ip_set_ip_t)); | |
6750 | +} | |
6751 | + | |
6752 | +static void list_members(const struct ip_set *set, void *data) | |
6753 | +{ | |
7d2f026e | 6754 | + const struct ip_set_nethash *map = set->data; |
1aedc22c | 6755 | + ip_set_ip_t i, *elem; |
6756 | + | |
6757 | + for (i = 0; i < map->hashsize; i++) { | |
6758 | + elem = HARRAY_ELEM(map->members, ip_set_ip_t *, i); | |
6759 | + ((ip_set_ip_t *)data)[i] = *elem; | |
6760 | + } | |
6761 | +} | |
6762 | + | |
6763 | +static struct ip_set_type ip_set_nethash = { | |
6764 | + .typename = SETTYPE_NAME, | |
6765 | + .features = IPSET_TYPE_IP | IPSET_DATA_SINGLE, | |
6766 | + .protocol_version = IP_SET_PROTOCOL_VERSION, | |
6767 | + .create = &create, | |
6768 | + .destroy = &destroy, | |
6769 | + .flush = &flush, | |
6770 | + .reqsize = sizeof(struct ip_set_req_nethash), | |
6771 | + .addip = &addip, | |
6772 | + .addip_kernel = &addip_kernel, | |
6773 | + .retry = &retry, | |
6774 | + .delip = &delip, | |
6775 | + .delip_kernel = &delip_kernel, | |
6776 | + .testip = &testip, | |
6777 | + .testip_kernel = &testip_kernel, | |
6778 | + .header_size = sizeof(struct ip_set_req_nethash_create), | |
6779 | + .list_header = &list_header, | |
6780 | + .list_members_size = &list_members_size, | |
6781 | + .list_members = &list_members, | |
6782 | + .me = THIS_MODULE, | |
6783 | +}; | |
6784 | + | |
6785 | +MODULE_LICENSE("GPL"); | |
6786 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
6787 | +MODULE_DESCRIPTION("nethash type of IP sets"); | |
6788 | +module_param(limit, int, 0600); | |
6789 | +MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets"); | |
6790 | + | |
f45e9687 | 6791 | +static int __init ip_set_nethash_init(void) |
1aedc22c | 6792 | +{ |
7d2f026e | 6793 | + init_max_page_size(); |
1aedc22c | 6794 | + return ip_set_register_set_type(&ip_set_nethash); |
6795 | +} | |
6796 | + | |
f45e9687 | 6797 | +static void __exit ip_set_nethash_fini(void) |
1aedc22c | 6798 | +{ |
6799 | + /* FIXME: possible race with ip_set_create() */ | |
6800 | + ip_set_unregister_set_type(&ip_set_nethash); | |
6801 | +} | |
6802 | + | |
f45e9687 | 6803 | +module_init(ip_set_nethash_init); |
6804 | +module_exit(ip_set_nethash_fini); | |
7d2f026e | 6805 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/ip_set_portmap.c linux-2.6/net/ipv4/netfilter/ip_set_portmap.c |
6806 | --- a/net/ipv4/netfilter/ip_set_portmap.c 1970-01-01 01:00:00.000000000 +0100 | |
6807 | +++ linux-2.6/net/ipv4/netfilter/ip_set_portmap.c 2008-07-08 16:52:53.965201208 +0200 | |
6808 | @@ -0,0 +1,341 @@ | |
1aedc22c | 6809 | +/* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
6810 | + * | |
6811 | + * This program is free software; you can redistribute it and/or modify | |
6812 | + * it under the terms of the GNU General Public License version 2 as | |
7d2f026e | 6813 | + * published by the Free Software Foundation. |
1aedc22c | 6814 | + */ |
6815 | + | |
6816 | +/* Kernel module implementing a port set type as a bitmap */ | |
6817 | + | |
6818 | +#include <linux/module.h> | |
6819 | +#include <linux/ip.h> | |
6820 | +#include <linux/tcp.h> | |
6821 | +#include <linux/udp.h> | |
6822 | +#include <linux/skbuff.h> | |
f45e9687 | 6823 | +#include <linux/version.h> |
1aedc22c | 6824 | +#include <linux/netfilter_ipv4/ip_tables.h> |
6825 | +#include <linux/netfilter_ipv4/ip_set.h> | |
6826 | +#include <linux/errno.h> | |
6827 | +#include <asm/uaccess.h> | |
6828 | +#include <asm/bitops.h> | |
6829 | +#include <linux/spinlock.h> | |
6830 | + | |
6831 | +#include <net/ip.h> | |
6832 | + | |
6833 | +#include <linux/netfilter_ipv4/ip_set_portmap.h> | |
6834 | + | |
6835 | +/* We must handle non-linear skbs */ | |
6836 | +static inline ip_set_ip_t | |
6837 | +get_port(const struct sk_buff *skb, u_int32_t flags) | |
6838 | +{ | |
f45e9687 | 6839 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
5ce52adc | 6840 | + struct iphdr *iph = ip_hdr(skb); |
f45e9687 | 6841 | +#else |
6842 | + struct iphdr *iph = skb->nh.iph; | |
6843 | +#endif | |
1aedc22c | 6844 | + u_int16_t offset = ntohs(iph->frag_off) & IP_OFFSET; |
1aedc22c | 6845 | + switch (iph->protocol) { |
6846 | + case IPPROTO_TCP: { | |
6847 | + struct tcphdr tcph; | |
6848 | + | |
6849 | + /* See comments at tcp_match in ip_tables.c */ | |
6850 | + if (offset) | |
6851 | + return INVALID_PORT; | |
6852 | + | |
f45e9687 | 6853 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
5ce52adc | 6854 | + if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &tcph, sizeof(tcph)) < 0) |
f45e9687 | 6855 | +#else |
6856 | + if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &tcph, sizeof(tcph)) < 0) | |
6857 | +#endif | |
1aedc22c | 6858 | + /* No choice either */ |
6859 | + return INVALID_PORT; | |
6860 | + | |
6861 | + return ntohs(flags & IPSET_SRC ? | |
6862 | + tcph.source : tcph.dest); | |
6863 | + } | |
6864 | + case IPPROTO_UDP: { | |
6865 | + struct udphdr udph; | |
6866 | + | |
6867 | + if (offset) | |
6868 | + return INVALID_PORT; | |
6869 | + | |
f45e9687 | 6870 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22) |
5ce52adc | 6871 | + if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &udph, sizeof(udph)) < 0) |
f45e9687 | 6872 | +#else |
6873 | + if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &udph, sizeof(udph)) < 0) | |
6874 | +#endif | |
1aedc22c | 6875 | + /* No choice either */ |
6876 | + return INVALID_PORT; | |
6877 | + | |
6878 | + return ntohs(flags & IPSET_SRC ? | |
6879 | + udph.source : udph.dest); | |
6880 | + } | |
6881 | + default: | |
6882 | + return INVALID_PORT; | |
6883 | + } | |
6884 | +} | |
6885 | + | |
6886 | +static inline int | |
6887 | +__testport(struct ip_set *set, ip_set_ip_t port, ip_set_ip_t *hash_port) | |
6888 | +{ | |
7d2f026e | 6889 | + struct ip_set_portmap *map = set->data; |
1aedc22c | 6890 | + |
6891 | + if (port < map->first_port || port > map->last_port) | |
6892 | + return -ERANGE; | |
6893 | + | |
6894 | + *hash_port = port; | |
6895 | + DP("set: %s, port:%u, %u", set->name, port, *hash_port); | |
6896 | + return !!test_bit(port - map->first_port, map->members); | |
6897 | +} | |
6898 | + | |
6899 | +static int | |
6900 | +testport(struct ip_set *set, const void *data, size_t size, | |
6901 | + ip_set_ip_t *hash_port) | |
6902 | +{ | |
7d2f026e | 6903 | + const struct ip_set_req_portmap *req = data; |
1aedc22c | 6904 | + |
6905 | + if (size != sizeof(struct ip_set_req_portmap)) { | |
6906 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
6907 | + sizeof(struct ip_set_req_portmap), | |
6908 | + size); | |
6909 | + return -EINVAL; | |
6910 | + } | |
6911 | + return __testport(set, req->port, hash_port); | |
6912 | +} | |
6913 | + | |
6914 | +static int | |
7d2f026e | 6915 | +testport_kernel(struct ip_set *set, |
1aedc22c | 6916 | + const struct sk_buff *skb, |
6917 | + ip_set_ip_t *hash_port, | |
6918 | + const u_int32_t *flags, | |
6919 | + unsigned char index) | |
6920 | +{ | |
6921 | + int res; | |
6922 | + ip_set_ip_t port = get_port(skb, flags[index]); | |
6923 | + | |
6924 | + DP("flag %s port %u", flags[index] & IPSET_SRC ? "SRC" : "DST", port); | |
6925 | + if (port == INVALID_PORT) | |
6926 | + return 0; | |
6927 | + | |
6928 | + res = __testport(set, port, hash_port); | |
6929 | + | |
6930 | + return (res < 0 ? 0 : res); | |
6931 | +} | |
6932 | + | |
6933 | +static inline int | |
6934 | +__addport(struct ip_set *set, ip_set_ip_t port, ip_set_ip_t *hash_port) | |
6935 | +{ | |
7d2f026e | 6936 | + struct ip_set_portmap *map = set->data; |
1aedc22c | 6937 | + |
6938 | + if (port < map->first_port || port > map->last_port) | |
6939 | + return -ERANGE; | |
6940 | + if (test_and_set_bit(port - map->first_port, map->members)) | |
6941 | + return -EEXIST; | |
6942 | + | |
6943 | + *hash_port = port; | |
6944 | + DP("port %u", port); | |
6945 | + return 0; | |
6946 | +} | |
6947 | + | |
6948 | +static int | |
6949 | +addport(struct ip_set *set, const void *data, size_t size, | |
6950 | + ip_set_ip_t *hash_port) | |
6951 | +{ | |
7d2f026e | 6952 | + const struct ip_set_req_portmap *req = data; |
1aedc22c | 6953 | + |
6954 | + if (size != sizeof(struct ip_set_req_portmap)) { | |
6955 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
6956 | + sizeof(struct ip_set_req_portmap), | |
6957 | + size); | |
6958 | + return -EINVAL; | |
6959 | + } | |
6960 | + return __addport(set, req->port, hash_port); | |
6961 | +} | |
6962 | + | |
6963 | +static int | |
7d2f026e | 6964 | +addport_kernel(struct ip_set *set, |
1aedc22c | 6965 | + const struct sk_buff *skb, |
6966 | + ip_set_ip_t *hash_port, | |
6967 | + const u_int32_t *flags, | |
6968 | + unsigned char index) | |
6969 | +{ | |
6970 | + ip_set_ip_t port = get_port(skb, flags[index]); | |
6971 | + | |
6972 | + if (port == INVALID_PORT) | |
6973 | + return -EINVAL; | |
6974 | + | |
6975 | + return __addport(set, port, hash_port); | |
6976 | +} | |
6977 | + | |
6978 | +static inline int | |
6979 | +__delport(struct ip_set *set, ip_set_ip_t port, ip_set_ip_t *hash_port) | |
6980 | +{ | |
7d2f026e | 6981 | + struct ip_set_portmap *map = set->data; |
1aedc22c | 6982 | + |
6983 | + if (port < map->first_port || port > map->last_port) | |
6984 | + return -ERANGE; | |
6985 | + if (!test_and_clear_bit(port - map->first_port, map->members)) | |
6986 | + return -EEXIST; | |
6987 | + | |
6988 | + *hash_port = port; | |
6989 | + DP("port %u", port); | |
6990 | + return 0; | |
6991 | +} | |
6992 | + | |
6993 | +static int | |
6994 | +delport(struct ip_set *set, const void *data, size_t size, | |
6995 | + ip_set_ip_t *hash_port) | |
6996 | +{ | |
7d2f026e | 6997 | + const struct ip_set_req_portmap *req = data; |
1aedc22c | 6998 | + |
6999 | + if (size != sizeof(struct ip_set_req_portmap)) { | |
7000 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
7001 | + sizeof(struct ip_set_req_portmap), | |
7002 | + size); | |
7003 | + return -EINVAL; | |
7004 | + } | |
7005 | + return __delport(set, req->port, hash_port); | |
7006 | +} | |
7007 | + | |
7008 | +static int | |
7d2f026e | 7009 | +delport_kernel(struct ip_set *set, |
1aedc22c | 7010 | + const struct sk_buff *skb, |
7011 | + ip_set_ip_t *hash_port, | |
7012 | + const u_int32_t *flags, | |
7013 | + unsigned char index) | |
7014 | +{ | |
7015 | + ip_set_ip_t port = get_port(skb, flags[index]); | |
7016 | + | |
7017 | + if (port == INVALID_PORT) | |
7018 | + return -EINVAL; | |
7019 | + | |
7020 | + return __delport(set, port, hash_port); | |
7021 | +} | |
7022 | + | |
7023 | +static int create(struct ip_set *set, const void *data, size_t size) | |
7024 | +{ | |
7025 | + int newbytes; | |
7d2f026e | 7026 | + const struct ip_set_req_portmap_create *req = data; |
1aedc22c | 7027 | + struct ip_set_portmap *map; |
7028 | + | |
7029 | + if (size != sizeof(struct ip_set_req_portmap_create)) { | |
7030 | + ip_set_printk("data length wrong (want %zu, have %zu)", | |
7031 | + sizeof(struct ip_set_req_portmap_create), | |
7032 | + size); | |
7033 | + return -EINVAL; | |
7034 | + } | |
7035 | + | |
7036 | + DP("from %u to %u", req->from, req->to); | |
7037 | + | |
7038 | + if (req->from > req->to) { | |
7039 | + DP("bad port range"); | |
7040 | + return -ENOEXEC; | |
7041 | + } | |
7042 | + | |
7043 | + if (req->to - req->from > MAX_RANGE) { | |
7044 | + ip_set_printk("range too big (max %d ports)", | |
7045 | + MAX_RANGE+1); | |
7046 | + return -ENOEXEC; | |
7047 | + } | |
7048 | + | |
7049 | + map = kmalloc(sizeof(struct ip_set_portmap), GFP_KERNEL); | |
7050 | + if (!map) { | |
7051 | + DP("out of memory for %d bytes", | |
7052 | + sizeof(struct ip_set_portmap)); | |
7053 | + return -ENOMEM; | |
7054 | + } | |
7055 | + map->first_port = req->from; | |
7056 | + map->last_port = req->to; | |
7057 | + newbytes = bitmap_bytes(req->from, req->to); | |
7058 | + map->members = kmalloc(newbytes, GFP_KERNEL); | |
7059 | + if (!map->members) { | |
7060 | + DP("out of memory for %d bytes", newbytes); | |
7061 | + kfree(map); | |
7062 | + return -ENOMEM; | |
7063 | + } | |
7064 | + memset(map->members, 0, newbytes); | |
7065 | + | |
7066 | + set->data = map; | |
7067 | + return 0; | |
7068 | +} | |
7069 | + | |
7070 | +static void destroy(struct ip_set *set) | |
7071 | +{ | |
7d2f026e | 7072 | + struct ip_set_portmap *map = set->data; |
1aedc22c | 7073 | + |
7074 | + kfree(map->members); | |
7075 | + kfree(map); | |
7076 | + | |
7077 | + set->data = NULL; | |
7078 | +} | |
7079 | + | |
7080 | +static void flush(struct ip_set *set) | |
7081 | +{ | |
7d2f026e | 7082 | + struct ip_set_portmap *map = set->data; |
1aedc22c | 7083 | + memset(map->members, 0, bitmap_bytes(map->first_port, map->last_port)); |
7084 | +} | |
7085 | + | |
7086 | +static void list_header(const struct ip_set *set, void *data) | |
7087 | +{ | |
7d2f026e | 7088 | + const struct ip_set_portmap *map = set->data; |
7089 | + struct ip_set_req_portmap_create *header = data; | |
1aedc22c | 7090 | + |
7091 | + DP("list_header %u %u", map->first_port, map->last_port); | |
7092 | + | |
7093 | + header->from = map->first_port; | |
7094 | + header->to = map->last_port; | |
7095 | +} | |
7096 | + | |
7097 | +static int list_members_size(const struct ip_set *set) | |
7098 | +{ | |
7d2f026e | 7099 | + const struct ip_set_portmap *map = set->data; |
1aedc22c | 7100 | + |
7101 | + return bitmap_bytes(map->first_port, map->last_port); | |
7102 | +} | |
7103 | + | |
7104 | +static void list_members(const struct ip_set *set, void *data) | |
7105 | +{ | |
7d2f026e | 7106 | + const struct ip_set_portmap *map = set->data; |
1aedc22c | 7107 | + int bytes = bitmap_bytes(map->first_port, map->last_port); |
7108 | + | |
7109 | + memcpy(data, map->members, bytes); | |
7110 | +} | |
7111 | + | |
7112 | +static struct ip_set_type ip_set_portmap = { | |
7113 | + .typename = SETTYPE_NAME, | |
7114 | + .features = IPSET_TYPE_PORT | IPSET_DATA_SINGLE, | |
7115 | + .protocol_version = IP_SET_PROTOCOL_VERSION, | |
7116 | + .create = &create, | |
7117 | + .destroy = &destroy, | |
7118 | + .flush = &flush, | |
7119 | + .reqsize = sizeof(struct ip_set_req_portmap), | |
7120 | + .addip = &addport, | |
7121 | + .addip_kernel = &addport_kernel, | |
7122 | + .delip = &delport, | |
7123 | + .delip_kernel = &delport_kernel, | |
7124 | + .testip = &testport, | |
7125 | + .testip_kernel = &testport_kernel, | |
7126 | + .header_size = sizeof(struct ip_set_req_portmap_create), | |
7127 | + .list_header = &list_header, | |
7128 | + .list_members_size = &list_members_size, | |
7129 | + .list_members = &list_members, | |
7130 | + .me = THIS_MODULE, | |
7131 | +}; | |
7132 | + | |
7133 | +MODULE_LICENSE("GPL"); | |
7134 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
7135 | +MODULE_DESCRIPTION("portmap type of IP sets"); | |
7136 | + | |
f45e9687 | 7137 | +static int __init ip_set_portmap_init(void) |
1aedc22c | 7138 | +{ |
7139 | + return ip_set_register_set_type(&ip_set_portmap); | |
7140 | +} | |
7141 | + | |
f45e9687 | 7142 | +static void __exit ip_set_portmap_fini(void) |
1aedc22c | 7143 | +{ |
7144 | + /* FIXME: possible race with ip_set_create() */ | |
7145 | + ip_set_unregister_set_type(&ip_set_portmap); | |
7146 | +} | |
7147 | + | |
f45e9687 | 7148 | +module_init(ip_set_portmap_init); |
7149 | +module_exit(ip_set_portmap_fini); | |
7d2f026e | 7150 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/ipt_set.c linux-2.6/net/ipv4/netfilter/ipt_set.c |
7151 | --- a/net/ipv4/netfilter/ipt_set.c 1970-01-01 01:00:00.000000000 +0100 | |
7152 | +++ linux-2.6/net/ipv4/netfilter/ipt_set.c 2008-07-08 16:52:53.965201208 +0200 | |
7153 | @@ -0,0 +1,159 @@ | |
1aedc22c | 7154 | +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> |
7155 | + * Patrick Schaaf <bof@bof.de> | |
7156 | + * Martin Josefsson <gandalf@wlug.westbo.se> | |
7157 | + * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | |
7158 | + * | |
7159 | + * This program is free software; you can redistribute it and/or modify | |
7160 | + * it under the terms of the GNU General Public License version 2 as | |
7d2f026e | 7161 | + * published by the Free Software Foundation. |
1aedc22c | 7162 | + */ |
7163 | + | |
9f54053a | 7164 | +/* Kernel module to match an IP set. */ |
1aedc22c | 7165 | + |
1aedc22c | 7166 | +#include <linux/module.h> |
9f54053a JR |
7167 | +#include <linux/ip.h> |
7168 | +#include <linux/skbuff.h> | |
1aedc22c | 7169 | +#include <linux/version.h> |
9f54053a JR |
7170 | + |
7171 | +#include <linux/netfilter_ipv4/ip_tables.h> | |
7172 | +#include <linux/netfilter_ipv4/ip_set.h> | |
1aedc22c | 7173 | +#include <linux/netfilter_ipv4/ipt_set.h> |
7174 | + | |
9f54053a JR |
7175 | +static inline int |
7176 | +match_set(const struct ipt_set_info *info, | |
7177 | + const struct sk_buff *skb, | |
7178 | + int inv) | |
7179 | +{ | |
7180 | + if (ip_set_testip_kernel(info->index, skb, info->flags)) | |
7181 | + inv = !inv; | |
7182 | + return inv; | |
7183 | +} | |
7184 | + | |
f45e9687 | 7185 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) |
7186 | +static bool | |
7187 | +#else | |
9f54053a | 7188 | +static int |
f45e9687 | 7189 | +#endif |
9f54053a JR |
7190 | +match(const struct sk_buff *skb, |
7191 | + const struct net_device *in, | |
7192 | + const struct net_device *out, | |
1aedc22c | 7193 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) |
9f54053a | 7194 | + const struct xt_match *match, |
1aedc22c | 7195 | +#endif |
9f54053a | 7196 | + const void *matchinfo, |
f45e9687 | 7197 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) |
7198 | + int offset, unsigned int protoff, bool *hotdrop) | |
7199 | +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16) | |
9f54053a | 7200 | + int offset, unsigned int protoff, int *hotdrop) |
1aedc22c | 7201 | +#else |
9f54053a | 7202 | + int offset, int *hotdrop) |
1aedc22c | 7203 | +#endif |
7204 | +{ | |
9f54053a JR |
7205 | + const struct ipt_set_info_match *info = matchinfo; |
7206 | + | |
7207 | + return match_set(&info->match_set, | |
7208 | + skb, | |
7209 | + info->match_set.flags[0] & IPSET_MATCH_INV); | |
1aedc22c | 7210 | +} |
7211 | + | |
f45e9687 | 7212 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) |
7d2f026e | 7213 | +static bool |
f45e9687 | 7214 | +#else |
1aedc22c | 7215 | +static int |
f45e9687 | 7216 | +#endif |
1aedc22c | 7217 | +checkentry(const char *tablename, |
7218 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16) | |
9f54053a | 7219 | + const void *inf, |
1aedc22c | 7220 | +#else |
9f54053a | 7221 | + const struct ipt_ip *ip, |
1aedc22c | 7222 | +#endif |
7223 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) | |
9f54053a | 7224 | + const struct xt_match *match, |
1aedc22c | 7225 | +#endif |
9f54053a | 7226 | + void *matchinfo, |
1aedc22c | 7227 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) |
9f54053a | 7228 | + unsigned int matchsize, |
1aedc22c | 7229 | +#endif |
7230 | + unsigned int hook_mask) | |
7231 | +{ | |
7d2f026e | 7232 | + struct ipt_set_info_match *info = matchinfo; |
1aedc22c | 7233 | + ip_set_id_t index; |
7234 | + | |
7235 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) | |
9f54053a JR |
7236 | + if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) { |
7237 | + ip_set_printk("invalid matchsize %d", matchsize); | |
1aedc22c | 7238 | + return 0; |
7239 | + } | |
7240 | +#endif | |
7241 | + | |
9f54053a JR |
7242 | + index = ip_set_get_byindex(info->match_set.index); |
7243 | + | |
7244 | + if (index == IP_SET_INVALID_ID) { | |
7245 | + ip_set_printk("Cannot find set indentified by id %u to match", | |
7246 | + info->match_set.index); | |
7247 | + return 0; /* error */ | |
1aedc22c | 7248 | + } |
9f54053a | 7249 | + if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) { |
1aedc22c | 7250 | + ip_set_printk("That's nasty!"); |
7251 | + return 0; /* error */ | |
7252 | + } | |
7253 | + | |
7254 | + return 1; | |
7255 | +} | |
7256 | + | |
7257 | +static void destroy( | |
7258 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) | |
9f54053a | 7259 | + const struct xt_match *match, |
1aedc22c | 7260 | +#endif |
7261 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) | |
9f54053a | 7262 | + void *matchinfo, unsigned int matchsize) |
1aedc22c | 7263 | +#else |
9f54053a | 7264 | + void *matchinfo) |
1aedc22c | 7265 | +#endif |
7266 | +{ | |
9f54053a | 7267 | + struct ipt_set_info_match *info = matchinfo; |
1aedc22c | 7268 | + |
7269 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) | |
9f54053a JR |
7270 | + if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) { |
7271 | + ip_set_printk("invalid matchsize %d", matchsize); | |
1aedc22c | 7272 | + return; |
7273 | + } | |
7274 | +#endif | |
9f54053a | 7275 | + ip_set_put(info->match_set.index); |
1aedc22c | 7276 | +} |
7277 | + | |
9f54053a JR |
7278 | +static struct ipt_match set_match = { |
7279 | + .name = "set", | |
7280 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) | |
7281 | + .family = AF_INET, | |
7282 | +#endif | |
7283 | + .match = &match, | |
1aedc22c | 7284 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) |
9f54053a | 7285 | + .matchsize = sizeof(struct ipt_set_info_match), |
1aedc22c | 7286 | +#endif |
9f54053a JR |
7287 | + .checkentry = &checkentry, |
7288 | + .destroy = &destroy, | |
7289 | + .me = THIS_MODULE | |
1aedc22c | 7290 | +}; |
7291 | + | |
7292 | +MODULE_LICENSE("GPL"); | |
7293 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
9f54053a | 7294 | +MODULE_DESCRIPTION("iptables IP set match module"); |
1aedc22c | 7295 | + |
9f54053a JR |
7296 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) |
7297 | +#define ipt_register_match xt_register_match | |
7298 | +#define ipt_unregister_match xt_unregister_match | |
7299 | +#endif | |
7300 | + | |
7301 | +static int __init ipt_ipset_init(void) | |
1aedc22c | 7302 | +{ |
9f54053a | 7303 | + return ipt_register_match(&set_match); |
1aedc22c | 7304 | +} |
7305 | + | |
9f54053a | 7306 | +static void __exit ipt_ipset_fini(void) |
1aedc22c | 7307 | +{ |
9f54053a | 7308 | + ipt_unregister_match(&set_match); |
1aedc22c | 7309 | +} |
7310 | + | |
9f54053a JR |
7311 | +module_init(ipt_ipset_init); |
7312 | +module_exit(ipt_ipset_fini); | |
7d2f026e | 7313 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/ipt_SET.c linux-2.6/net/ipv4/netfilter/ipt_SET.c |
7314 | --- a/net/ipv4/netfilter/ipt_SET.c 1970-01-01 01:00:00.000000000 +0100 | |
7315 | +++ linux-2.6/net/ipv4/netfilter/ipt_SET.c 2008-07-08 16:52:53.965201208 +0200 | |
7316 | @@ -0,0 +1,179 @@ | |
1aedc22c | 7317 | +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> |
7318 | + * Patrick Schaaf <bof@bof.de> | |
7319 | + * Martin Josefsson <gandalf@wlug.westbo.se> | |
7320 | + * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | |
7321 | + * | |
7322 | + * This program is free software; you can redistribute it and/or modify | |
7323 | + * it under the terms of the GNU General Public License version 2 as | |
7d2f026e | 7324 | + * published by the Free Software Foundation. |
1aedc22c | 7325 | + */ |
7326 | + | |
9f54053a | 7327 | +/* ipt_SET.c - netfilter target to manipulate IP sets */ |
1aedc22c | 7328 | + |
9f54053a | 7329 | +#include <linux/types.h> |
1aedc22c | 7330 | +#include <linux/ip.h> |
9f54053a JR |
7331 | +#include <linux/timer.h> |
7332 | +#include <linux/module.h> | |
7333 | +#include <linux/netfilter.h> | |
7334 | +#include <linux/netdevice.h> | |
7335 | +#include <linux/if.h> | |
7336 | +#include <linux/inetdevice.h> | |
1aedc22c | 7337 | +#include <linux/version.h> |
9f54053a JR |
7338 | +#include <net/protocol.h> |
7339 | +#include <net/checksum.h> | |
7340 | +#include <linux/netfilter_ipv4.h> | |
f45e9687 | 7341 | +#include <linux/netfilter_ipv4/ip_tables.h> |
1aedc22c | 7342 | +#include <linux/netfilter_ipv4/ipt_set.h> |
7343 | + | |
9f54053a | 7344 | +static unsigned int |
7d2f026e | 7345 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24) |
7346 | +target(struct sk_buff *skb, | |
7347 | +#else | |
9f54053a | 7348 | +target(struct sk_buff **pskb, |
7d2f026e | 7349 | +#endif |
9f54053a JR |
7350 | + const struct net_device *in, |
7351 | + const struct net_device *out, | |
7352 | + unsigned int hooknum, | |
1aedc22c | 7353 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) |
9f54053a | 7354 | + const struct xt_target *target, |
1aedc22c | 7355 | +#endif |
9f54053a JR |
7356 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) |
7357 | + const void *targinfo, | |
7358 | + void *userinfo) | |
1aedc22c | 7359 | +#else |
9f54053a | 7360 | + const void *targinfo) |
1aedc22c | 7361 | +#endif |
7362 | +{ | |
9f54053a | 7363 | + const struct ipt_set_info_target *info = targinfo; |
7d2f026e | 7364 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24) |
7365 | + struct sk_buff *skb = *pskb; | |
7366 | +#endif | |
7367 | + | |
9f54053a JR |
7368 | + |
7369 | + if (info->add_set.index != IP_SET_INVALID_ID) | |
7370 | + ip_set_addip_kernel(info->add_set.index, | |
7d2f026e | 7371 | + skb, |
9f54053a JR |
7372 | + info->add_set.flags); |
7373 | + if (info->del_set.index != IP_SET_INVALID_ID) | |
7374 | + ip_set_delip_kernel(info->del_set.index, | |
7d2f026e | 7375 | + skb, |
9f54053a JR |
7376 | + info->del_set.flags); |
7377 | + | |
7378 | + return IPT_CONTINUE; | |
1aedc22c | 7379 | +} |
7380 | + | |
f45e9687 | 7381 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) |
7382 | +static bool | |
7383 | +#else | |
1aedc22c | 7384 | +static int |
f45e9687 | 7385 | +#endif |
1aedc22c | 7386 | +checkentry(const char *tablename, |
7387 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16) | |
9f54053a | 7388 | + const void *e, |
1aedc22c | 7389 | +#else |
9f54053a | 7390 | + const struct ipt_entry *e, |
1aedc22c | 7391 | +#endif |
7392 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) | |
9f54053a | 7393 | + const struct xt_target *target, |
1aedc22c | 7394 | +#endif |
9f54053a | 7395 | + void *targinfo, |
1aedc22c | 7396 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) |
7d2f026e | 7397 | + unsigned int targinfosize, |
1aedc22c | 7398 | +#endif |
7399 | + unsigned int hook_mask) | |
7400 | +{ | |
7d2f026e | 7401 | + struct ipt_set_info_target *info = targinfo; |
1aedc22c | 7402 | + ip_set_id_t index; |
7403 | + | |
7404 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) | |
9f54053a JR |
7405 | + if (targinfosize != IPT_ALIGN(sizeof(*info))) { |
7406 | + DP("bad target info size %u", targinfosize); | |
1aedc22c | 7407 | + return 0; |
7408 | + } | |
7409 | +#endif | |
7410 | + | |
9f54053a JR |
7411 | + if (info->add_set.index != IP_SET_INVALID_ID) { |
7412 | + index = ip_set_get_byindex(info->add_set.index); | |
7413 | + if (index == IP_SET_INVALID_ID) { | |
7414 | + ip_set_printk("cannot find add_set index %u as target", | |
7415 | + info->add_set.index); | |
7416 | + return 0; /* error */ | |
7417 | + } | |
1aedc22c | 7418 | + } |
9f54053a JR |
7419 | + |
7420 | + if (info->del_set.index != IP_SET_INVALID_ID) { | |
7421 | + index = ip_set_get_byindex(info->del_set.index); | |
7422 | + if (index == IP_SET_INVALID_ID) { | |
7423 | + ip_set_printk("cannot find del_set index %u as target", | |
7424 | + info->del_set.index); | |
7425 | + return 0; /* error */ | |
7426 | + } | |
7427 | + } | |
7428 | + if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0 | |
7429 | + || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) { | |
1aedc22c | 7430 | + ip_set_printk("That's nasty!"); |
7431 | + return 0; /* error */ | |
7432 | + } | |
7433 | + | |
7434 | + return 1; | |
7435 | +} | |
7436 | + | |
7437 | +static void destroy( | |
7438 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) | |
9f54053a | 7439 | + const struct xt_target *target, |
1aedc22c | 7440 | +#endif |
7441 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) | |
9f54053a | 7442 | + void *targetinfo, unsigned int targetsize) |
1aedc22c | 7443 | +#else |
9f54053a | 7444 | + void *targetinfo) |
1aedc22c | 7445 | +#endif |
7446 | +{ | |
9f54053a | 7447 | + struct ipt_set_info_target *info = targetinfo; |
1aedc22c | 7448 | + |
7449 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) | |
9f54053a JR |
7450 | + if (targetsize != IPT_ALIGN(sizeof(struct ipt_set_info_target))) { |
7451 | + ip_set_printk("invalid targetsize %d", targetsize); | |
1aedc22c | 7452 | + return; |
7453 | + } | |
7454 | +#endif | |
9f54053a JR |
7455 | + if (info->add_set.index != IP_SET_INVALID_ID) |
7456 | + ip_set_put(info->add_set.index); | |
7457 | + if (info->del_set.index != IP_SET_INVALID_ID) | |
7458 | + ip_set_put(info->del_set.index); | |
1aedc22c | 7459 | +} |
7460 | + | |
9f54053a JR |
7461 | +static struct ipt_target SET_target = { |
7462 | + .name = "SET", | |
7463 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) | |
7464 | + .family = AF_INET, | |
7465 | +#endif | |
7466 | + .target = target, | |
1aedc22c | 7467 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) |
9f54053a | 7468 | + .targetsize = sizeof(struct ipt_set_info_target), |
1aedc22c | 7469 | +#endif |
9f54053a JR |
7470 | + .checkentry = checkentry, |
7471 | + .destroy = destroy, | |
7472 | + .me = THIS_MODULE | |
1aedc22c | 7473 | +}; |
7474 | + | |
7475 | +MODULE_LICENSE("GPL"); | |
7476 | +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
9f54053a | 7477 | +MODULE_DESCRIPTION("iptables IP set target module"); |
1aedc22c | 7478 | + |
9f54053a JR |
7479 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,21) |
7480 | +#define ipt_register_target xt_register_target | |
7481 | +#define ipt_unregister_target xt_unregister_target | |
7482 | +#endif | |
7483 | + | |
7484 | +static int __init ipt_SET_init(void) | |
1aedc22c | 7485 | +{ |
9f54053a | 7486 | + return ipt_register_target(&SET_target); |
1aedc22c | 7487 | +} |
7488 | + | |
9f54053a | 7489 | +static void __exit ipt_SET_fini(void) |
1aedc22c | 7490 | +{ |
9f54053a | 7491 | + ipt_unregister_target(&SET_target); |
1aedc22c | 7492 | +} |
7493 | + | |
9f54053a JR |
7494 | +module_init(ipt_SET_init); |
7495 | +module_exit(ipt_SET_fini); | |
7d2f026e | 7496 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/Kconfig.ladd linux-2.6/net/ipv4/netfilter/Kconfig.ladd |
7497 | --- a/net/ipv4/netfilter/Kconfig.ladd 1970-01-01 01:00:00.000000000 +0100 | |
7498 | +++ linux-2.6/net/ipv4/netfilter/Kconfig.ladd 2008-07-08 16:52:53.965201208 +0200 | |
f45e9687 | 7499 | @@ -0,0 +1,116 @@ |
9f54053a JR |
7500 | +config IP_NF_SET |
7501 | + tristate "IP set support" | |
7502 | + depends on INET && NETFILTER | |
7503 | + help | |
7504 | + This option adds IP set support to the kernel. | |
7505 | + In order to define and use sets, you need the userspace utility | |
7506 | + ipset(8). | |
7507 | + | |
7508 | + To compile it as a module, choose M here. If unsure, say N. | |
7509 | + | |
7510 | +config IP_NF_SET_MAX | |
7511 | + int "Maximum number of IP sets" | |
7512 | + default 256 | |
7513 | + range 2 65534 | |
7514 | + depends on IP_NF_SET | |
7515 | + help | |
7516 | + You can define here default value of the maximum number | |
7517 | + of IP sets for the kernel. | |
7518 | + | |
7519 | + The value can be overriden by the 'max_sets' module | |
7520 | + parameter of the 'ip_set' module. | |
7521 | + | |
7522 | +config IP_NF_SET_HASHSIZE | |
7523 | + int "Hash size for bindings of IP sets" | |
7524 | + default 1024 | |
7525 | + depends on IP_NF_SET | |
7526 | + help | |
7527 | + You can define here default value of the hash size for | |
7528 | + bindings of IP sets. | |
7529 | + | |
7530 | + The value can be overriden by the 'hash_size' module | |
7531 | + parameter of the 'ip_set' module. | |
7532 | + | |
7533 | +config IP_NF_SET_IPMAP | |
7534 | + tristate "ipmap set support" | |
7535 | + depends on IP_NF_SET | |
7536 | + help | |
7537 | + This option adds the ipmap set type support. | |
7538 | + | |
7539 | + To compile it as a module, choose M here. If unsure, say N. | |
7540 | + | |
7541 | +config IP_NF_SET_MACIPMAP | |
7542 | + tristate "macipmap set support" | |
7543 | + depends on IP_NF_SET | |
7544 | + help | |
7545 | + This option adds the macipmap set type support. | |
7546 | + | |
7547 | + To compile it as a module, choose M here. If unsure, say N. | |
7548 | + | |
7549 | +config IP_NF_SET_PORTMAP | |
7550 | + tristate "portmap set support" | |
7551 | + depends on IP_NF_SET | |
7552 | + help | |
7553 | + This option adds the portmap set type support. | |
7554 | + | |
7555 | + To compile it as a module, choose M here. If unsure, say N. | |
7556 | + | |
7557 | +config IP_NF_SET_IPHASH | |
7558 | + tristate "iphash set support" | |
7559 | + depends on IP_NF_SET | |
7560 | + help | |
7561 | + This option adds the iphash set type support. | |
7562 | + | |
7563 | + To compile it as a module, choose M here. If unsure, say N. | |
7564 | + | |
7565 | +config IP_NF_SET_NETHASH | |
7566 | + tristate "nethash set support" | |
7567 | + depends on IP_NF_SET | |
7568 | + help | |
7569 | + This option adds the nethash set type support. | |
7570 | + | |
7571 | + To compile it as a module, choose M here. If unsure, say N. | |
7572 | + | |
7573 | +config IP_NF_SET_IPPORTHASH | |
7574 | + tristate "ipporthash set support" | |
7575 | + depends on IP_NF_SET | |
7576 | + help | |
7577 | + This option adds the ipporthash set type support. | |
7578 | + | |
7579 | + To compile it as a module, choose M here. If unsure, say N. | |
7580 | + | |
7581 | +config IP_NF_SET_IPTREE | |
7582 | + tristate "iptree set support" | |
7583 | + depends on IP_NF_SET | |
7584 | + help | |
7585 | + This option adds the iptree set type support. | |
7586 | + | |
7587 | + To compile it as a module, choose M here. If unsure, say N. | |
7588 | + | |
f45e9687 | 7589 | +config IP_NF_SET_IPTREEMAP |
7590 | + tristate "iptreemap set support" | |
7591 | + depends on IP_NF_SET | |
7592 | + help | |
7593 | + This option adds the iptreemap set type support. | |
7594 | + | |
7595 | + To compile it as a module, choose M here. If unsure, say N. | |
7596 | + | |
9f54053a JR |
7597 | +config IP_NF_MATCH_SET |
7598 | + tristate "set match support" | |
7599 | + depends on IP_NF_SET | |
7600 | + help | |
7601 | + Set matching matches against given IP sets. | |
7602 | + You need the ipset utility to create and set up the sets. | |
7603 | + | |
7604 | + To compile it as a module, choose M here. If unsure, say N. | |
7605 | + | |
7606 | +config IP_NF_TARGET_SET | |
7607 | + tristate "SET target support" | |
7608 | + depends on IP_NF_SET | |
7609 | + help | |
7610 | + The SET target makes possible to add/delete entries | |
7611 | + in IP sets. | |
7612 | + You need the ipset utility to create and set up the sets. | |
7613 | + | |
7614 | + To compile it as a module, choose M here. If unsure, say N. | |
7615 | + | |
7d2f026e | 7616 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/Makefile.ladd linux-2.6/net/ipv4/netfilter/Makefile.ladd |
7617 | --- a/net/ipv4/netfilter/Makefile.ladd 1970-01-01 01:00:00.000000000 +0100 | |
7618 | +++ linux-2.6/net/ipv4/netfilter/Makefile.ladd 2008-07-08 16:52:53.965201208 +0200 | |
f45e9687 | 7619 | @@ -0,0 +1,2 @@ |
7620 | +obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o | |
9f54053a | 7621 | +obj-$(CONFIG_IP_NF_MATCH_SET) += ipt_set.o |
7d2f026e | 7622 | diff -uNrp --exclude=.svn a/net/ipv4/netfilter/Makefile.ladd_2 linux-2.6/net/ipv4/netfilter/Makefile.ladd_2 |
7623 | --- a/net/ipv4/netfilter/Makefile.ladd_2 1970-01-01 01:00:00.000000000 +0100 | |
7624 | +++ linux-2.6/net/ipv4/netfilter/Makefile.ladd_2 2008-07-08 16:52:53.965201208 +0200 | |
f45e9687 | 7625 | @@ -0,0 +1,13 @@ |
7626 | +obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o | |
9f54053a JR |
7627 | +obj-$(CONFIG_IP_NF_TARGET_SET) += ipt_SET.o |
7628 | + | |
7629 | +# sets | |
7630 | +obj-$(CONFIG_IP_NF_SET) += ip_set.o | |
7631 | +obj-$(CONFIG_IP_NF_SET_IPMAP) += ip_set_ipmap.o | |
7632 | +obj-$(CONFIG_IP_NF_SET_PORTMAP) += ip_set_portmap.o | |
7633 | +obj-$(CONFIG_IP_NF_SET_MACIPMAP) += ip_set_macipmap.o | |
7634 | +obj-$(CONFIG_IP_NF_SET_IPHASH) += ip_set_iphash.o | |
7635 | +obj-$(CONFIG_IP_NF_SET_NETHASH) += ip_set_nethash.o | |
7636 | +obj-$(CONFIG_IP_NF_SET_IPPORTHASH) += ip_set_ipporthash.o | |
7637 | +obj-$(CONFIG_IP_NF_SET_IPTREE) += ip_set_iptree.o | |
f45e9687 | 7638 | +obj-$(CONFIG_IP_NF_SET_IPTREEMAP) += ip_set_iptreemap.o |