1 /* Copyright (C) 2011-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License version 2 as
5 * published by the Free Software Foundation.
8 /* Kernel module implementing an IP set type: the hash:net,iface type */
10 #include <linux/jhash.h>
11 #include <linux/module.h>
13 #include <linux/skbuff.h>
14 #include <linux/errno.h>
15 #include <linux/random.h>
16 #include <linux/rbtree.h>
19 #include <net/netlink.h>
21 #include <linux/netfilter.h>
22 #include <linux/netfilter/ipset/pfxlen.h>
23 #include <linux/netfilter/ipset/ip_set.h>
24 #include <linux/netfilter/ipset/ip_set_hash.h>
26 #define IPSET_TYPE_REV_MIN 0
27 /* 1 nomatch flag support added */
28 /* 2 /0 support added */
29 /* 3 Counters support added */
30 /* 4 Comments support added */
31 /* 5 Forceadd support added */
32 #define IPSET_TYPE_REV_MAX 6 /* skbinfo support added */
34 MODULE_LICENSE("GPL");
35 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
36 IP_SET_MODULE_DESC("hash:net,iface", IPSET_TYPE_REV_MIN, IPSET_TYPE_REV_MAX);
37 MODULE_ALIAS("ip_set_hash:net,iface");
39 /* Interface name rbtree */
46 #define iface_data(n) (rb_entry(n, struct iface_node, node)->iface)
49 rbtree_destroy(struct rb_root *root)
51 struct iface_node *node, *next;
53 rbtree_postorder_for_each_entry_safe(node, next, root, node)
60 iface_test(struct rb_root *root, const char **iface)
62 struct rb_node *n = root->rb_node;
65 const char *d = iface_data(n);
66 int res = strcmp(*iface, d);
81 iface_add(struct rb_root *root, const char **iface)
83 struct rb_node **n = &(root->rb_node), *p = NULL;
87 char *ifname = iface_data(*n);
88 int res = strcmp(*iface, ifname);
94 n = &((*n)->rb_right);
101 d = kzalloc(sizeof(*d), GFP_ATOMIC);
104 strcpy(d->iface, *iface);
106 rb_link_node(&d->node, p, n);
107 rb_insert_color(&d->node, root);
113 /* Type specific function prefix */
114 #define HTYPE hash_netiface
115 #define IP_SET_HASH_WITH_NETS
116 #define IP_SET_HASH_WITH_RBTREE
117 #define IP_SET_HASH_WITH_MULTI
118 #define IP_SET_HASH_WITH_NET0
120 #define STREQ(a, b) (strcmp(a, b) == 0)
124 struct hash_netiface4_elem_hashed {
132 /* Member elements */
133 struct hash_netiface4_elem {
142 /* Common functions */
145 hash_netiface4_data_equal(const struct hash_netiface4_elem *ip1,
146 const struct hash_netiface4_elem *ip2,
149 return ip1->ip == ip2->ip &&
150 ip1->cidr == ip2->cidr &&
152 ip1->physdev == ip2->physdev &&
153 ip1->iface == ip2->iface;
157 hash_netiface4_do_data_match(const struct hash_netiface4_elem *elem)
159 return elem->nomatch ? -ENOTEMPTY : 1;
163 hash_netiface4_data_set_flags(struct hash_netiface4_elem *elem, u32 flags)
165 elem->nomatch = (flags >> 16) & IPSET_FLAG_NOMATCH;
169 hash_netiface4_data_reset_flags(struct hash_netiface4_elem *elem, u8 *flags)
171 swap(*flags, elem->nomatch);
175 hash_netiface4_data_netmask(struct hash_netiface4_elem *elem, u8 cidr)
177 elem->ip &= ip_set_netmask(cidr);
182 hash_netiface4_data_list(struct sk_buff *skb,
183 const struct hash_netiface4_elem *data)
185 u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
188 flags |= IPSET_FLAG_NOMATCH;
189 if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
190 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
191 nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
193 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
194 goto nla_put_failure;
202 hash_netiface4_data_next(struct hash_netiface4_elem *next,
203 const struct hash_netiface4_elem *d)
208 #define MTYPE hash_netiface4
211 #define HKEY_DATALEN sizeof(struct hash_netiface4_elem_hashed)
212 #include "ip_set_hash_gen.h"
215 hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb,
216 const struct xt_action_param *par,
217 enum ipset_adt adt, struct ip_set_adt_opt *opt)
219 struct hash_netiface *h = set->data;
220 ipset_adtfn adtfn = set->variant->adt[adt];
221 struct hash_netiface4_elem e = {
222 .cidr = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK),
225 struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
230 if (adt == IPSET_TEST)
233 ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip);
234 e.ip &= ip_set_netmask(e.cidr);
236 #define IFACE(dir) (par->dir ? par->dir->name : NULL)
237 #define PHYSDEV(dir) (nf_bridge->dir ? nf_bridge->dir->name : NULL)
238 #define SRCDIR (opt->flags & IPSET_DIM_TWO_SRC)
240 if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
241 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
242 const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
246 e.iface = SRCDIR ? PHYSDEV(physindev) : PHYSDEV(physoutdev);
252 e.iface = SRCDIR ? IFACE(in) : IFACE(out);
256 ret = iface_test(&h->rbtree, &e.iface);
257 if (adt == IPSET_ADD) {
259 ret = iface_add(&h->rbtree, &e.iface);
266 return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
270 hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
271 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
273 struct hash_netiface *h = set->data;
274 ipset_adtfn adtfn = set->variant->adt[adt];
275 struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 };
276 struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
277 u32 ip = 0, ip_to = 0, last;
278 char iface[IFNAMSIZ];
281 if (unlikely(!tb[IPSET_ATTR_IP] ||
282 !tb[IPSET_ATTR_IFACE] ||
283 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
284 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
285 !ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
286 !ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
287 !ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
288 !ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
289 !ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
290 return -IPSET_ERR_PROTOCOL;
292 if (tb[IPSET_ATTR_LINENO])
293 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
295 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) ||
296 ip_set_get_extensions(set, tb, &ext);
300 if (tb[IPSET_ATTR_CIDR]) {
301 e.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
302 if (e.cidr > HOST_MASK)
303 return -IPSET_ERR_INVALID_CIDR;
306 strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE]));
308 ret = iface_test(&h->rbtree, &e.iface);
309 if (adt == IPSET_ADD) {
311 ret = iface_add(&h->rbtree, &e.iface);
318 if (tb[IPSET_ATTR_CADT_FLAGS]) {
319 u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
320 if (cadt_flags & IPSET_FLAG_PHYSDEV)
322 if (cadt_flags & IPSET_FLAG_NOMATCH)
323 flags |= (IPSET_FLAG_NOMATCH << 16);
325 if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
326 e.ip = htonl(ip & ip_set_hostmask(e.cidr));
327 ret = adtfn(set, &e, &ext, &ext, flags);
328 return ip_set_enomatch(ret, flags, adt, set) ? -ret :
329 ip_set_eexist(ret, flags) ? 0 : ret;
332 if (tb[IPSET_ATTR_IP_TO]) {
333 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
338 if (ip + UINT_MAX == ip_to)
339 return -IPSET_ERR_HASH_RANGE;
341 ip_set_mask_from_to(ip, ip_to, e.cidr);
344 ip = ntohl(h->next.ip);
345 while (!after(ip, ip_to)) {
347 last = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
348 ret = adtfn(set, &e, &ext, &ext, flags);
350 if (ret && !ip_set_eexist(ret, flags))
361 struct hash_netiface6_elem_hashed {
362 union nf_inet_addr ip;
369 struct hash_netiface6_elem {
370 union nf_inet_addr ip;
378 /* Common functions */
381 hash_netiface6_data_equal(const struct hash_netiface6_elem *ip1,
382 const struct hash_netiface6_elem *ip2,
385 return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6) &&
386 ip1->cidr == ip2->cidr &&
388 ip1->physdev == ip2->physdev &&
389 ip1->iface == ip2->iface;
393 hash_netiface6_do_data_match(const struct hash_netiface6_elem *elem)
395 return elem->nomatch ? -ENOTEMPTY : 1;
399 hash_netiface6_data_set_flags(struct hash_netiface6_elem *elem, u32 flags)
401 elem->nomatch = (flags >> 16) & IPSET_FLAG_NOMATCH;
405 hash_netiface6_data_reset_flags(struct hash_netiface6_elem *elem, u8 *flags)
407 swap(*flags, elem->nomatch);
411 hash_netiface6_data_netmask(struct hash_netiface6_elem *elem, u8 cidr)
413 ip6_netmask(&elem->ip, cidr);
418 hash_netiface6_data_list(struct sk_buff *skb,
419 const struct hash_netiface6_elem *data)
421 u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
424 flags |= IPSET_FLAG_NOMATCH;
425 if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
426 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
427 nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
429 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
430 goto nla_put_failure;
438 hash_netiface6_data_next(struct hash_netiface4_elem *next,
439 const struct hash_netiface6_elem *d)
448 #define MTYPE hash_netiface6
450 #define HOST_MASK 128
451 #define HKEY_DATALEN sizeof(struct hash_netiface6_elem_hashed)
452 #define IP_SET_EMIT_CREATE
453 #include "ip_set_hash_gen.h"
456 hash_netiface6_kadt(struct ip_set *set, const struct sk_buff *skb,
457 const struct xt_action_param *par,
458 enum ipset_adt adt, struct ip_set_adt_opt *opt)
460 struct hash_netiface *h = set->data;
461 ipset_adtfn adtfn = set->variant->adt[adt];
462 struct hash_netiface6_elem e = {
463 .cidr = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK),
466 struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
471 if (adt == IPSET_TEST)
474 ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6);
475 ip6_netmask(&e.ip, e.cidr);
477 if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
478 #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
479 const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
483 e.iface = SRCDIR ? PHYSDEV(physindev) : PHYSDEV(physoutdev);
489 e.iface = SRCDIR ? IFACE(in) : IFACE(out);
493 ret = iface_test(&h->rbtree, &e.iface);
494 if (adt == IPSET_ADD) {
496 ret = iface_add(&h->rbtree, &e.iface);
503 return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
507 hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
508 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
510 struct hash_netiface *h = set->data;
511 ipset_adtfn adtfn = set->variant->adt[adt];
512 struct hash_netiface6_elem e = { .cidr = HOST_MASK, .elem = 1 };
513 struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
514 char iface[IFNAMSIZ];
517 if (unlikely(!tb[IPSET_ATTR_IP] ||
518 !tb[IPSET_ATTR_IFACE] ||
519 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
520 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
521 !ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
522 !ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
523 !ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
524 !ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
525 !ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
526 return -IPSET_ERR_PROTOCOL;
527 if (unlikely(tb[IPSET_ATTR_IP_TO]))
528 return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
530 if (tb[IPSET_ATTR_LINENO])
531 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
533 ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
534 ip_set_get_extensions(set, tb, &ext);
538 if (tb[IPSET_ATTR_CIDR])
539 e.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
540 if (e.cidr > HOST_MASK)
541 return -IPSET_ERR_INVALID_CIDR;
542 ip6_netmask(&e.ip, e.cidr);
544 strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE]));
546 ret = iface_test(&h->rbtree, &e.iface);
547 if (adt == IPSET_ADD) {
549 ret = iface_add(&h->rbtree, &e.iface);
556 if (tb[IPSET_ATTR_CADT_FLAGS]) {
557 u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
558 if (cadt_flags & IPSET_FLAG_PHYSDEV)
560 if (cadt_flags & IPSET_FLAG_NOMATCH)
561 flags |= (IPSET_FLAG_NOMATCH << 16);
564 ret = adtfn(set, &e, &ext, &ext, flags);
566 return ip_set_enomatch(ret, flags, adt, set) ? -ret :
567 ip_set_eexist(ret, flags) ? 0 : ret;
570 static struct ip_set_type hash_netiface_type __read_mostly = {
571 .name = "hash:net,iface",
572 .protocol = IPSET_PROTOCOL,
573 .features = IPSET_TYPE_IP | IPSET_TYPE_IFACE |
575 .dimension = IPSET_DIM_TWO,
576 .family = NFPROTO_UNSPEC,
577 .revision_min = IPSET_TYPE_REV_MIN,
578 .revision_max = IPSET_TYPE_REV_MAX,
579 .create = hash_netiface_create,
581 [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
582 [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
583 [IPSET_ATTR_PROBES] = { .type = NLA_U8 },
584 [IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
585 [IPSET_ATTR_PROTO] = { .type = NLA_U8 },
586 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
587 [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
590 [IPSET_ATTR_IP] = { .type = NLA_NESTED },
591 [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
592 [IPSET_ATTR_IFACE] = { .type = NLA_NUL_STRING,
593 .len = IFNAMSIZ - 1 },
594 [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
595 [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
596 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
597 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
598 [IPSET_ATTR_BYTES] = { .type = NLA_U64 },
599 [IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
600 [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
601 [IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
602 [IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
603 [IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
609 hash_netiface_init(void)
611 return ip_set_type_register(&hash_netiface_type);
615 hash_netiface_fini(void)
617 ip_set_type_unregister(&hash_netiface_type);
620 module_init(hash_netiface_init);
621 module_exit(hash_netiface_fini);
projects / cascardo / linux.git / blob