fe03d474 | 1 | /* Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org> |
2 | * |
3 | * This program is free software; you can redistribute it and/or modify | |
4 | * it under the terms of the GNU General Public License version 2 as | |
5 | * published by the Free Software Foundation. | |
6 | */ | |
7 | ||
8 | /* Kernel module implementing an IP set type: the hash:ip type */ | |
9 | ||
10 | #include <linux/jhash.h> | |
11 | #include <linux/module.h> | |
12 | #include <linux/ip.h> | |
13 | #include <linux/skbuff.h> | |
14 | #include <linux/errno.h> | |
15 | #include <linux/random.h> |
16 | #include <net/ip.h> | |
17 | #include <net/ipv6.h> | |
18 | #include <net/netlink.h> | |
19 | #include <net/tcp.h> | |
20 | ||
21 | #include <linux/netfilter.h> | |
22 | #include <linux/netfilter/ipset/pfxlen.h> | |
23 | #include <linux/netfilter/ipset/ip_set.h> | |
24 | #include <linux/netfilter/ipset/ip_set_hash.h> |
25 | ||
35b8dcf8 | 26 | #define IPSET_TYPE_REV_MIN 0 |
fda75c6d | 27 | /* 1 Counters support */ |
07cf8f5a | 28 | /* 2 Comments support */ |
29 | /* 3 Forceadd support */ |
30 | #define IPSET_TYPE_REV_MAX 4 /* skbinfo support */ | |
10111a6e | 31 | |
6c027889 | 32 | MODULE_LICENSE("GPL"); |
fe03d474 | 33 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@netfilter.org>"); |
35b8dcf8 | 34 | IP_SET_MODULE_DESC("hash:ip", IPSET_TYPE_REV_MIN, IPSET_TYPE_REV_MAX); |
35 | MODULE_ALIAS("ip_set_hash:ip"); |
36 | ||
37 | /* Type specific function prefix */ | |
38 | #define HTYPE hash_ip |
39 | #define IP_SET_HASH_WITH_NETMASK | |
6c027889 | 40 | |
03c8b234 | 41 | /* IPv4 variant */ |
6c027889 | 42 | |
5d50e1d8 | 43 | /* Member elements */ |
struct hash_ip4_elem {
	/* The address in network byte order, already reduced to the set's
	 * netmask by the add paths.  Zero valued IP addresses cannot be
	 * stored: both hash_ip4_kadt() and hash_ip4_uadt() reject them. */
	__be32 ip;
};
48 | ||
5d50e1d8 | 49 | /* Common functions */ |
50 | |
static inline bool
hash_ip4_data_equal(const struct hash_ip4_elem *e1,
		    const struct hash_ip4_elem *e2,
		    u32 *multi)
{
	/* Two IPv4 elements are the same member when their stored
	 * (network-order, netmask-applied) addresses match.  @multi belongs
	 * to the generic hash interface and is not used by this type. */
	const __be32 a = e1->ip;
	const __be32 b = e2->ip;

	return a == b;
}
58 | ||
static bool
hash_ip4_data_list(struct sk_buff *skb, const struct hash_ip4_elem *e)
{
	/* Emit the element as an IPSET_ATTR_IP attribute into the dump
	 * message.  Returns true when nla_put_ipaddr4() reports failure
	 * (the attribute did not fit), false when it was written. */
	return nla_put_ipaddr4(skb, IPSET_ATTR_IP, e->ip) != 0;
}
69 | ||
static inline void
hash_ip4_data_next(struct hash_ip4_elem *next, const struct hash_ip4_elem *e)
{
	/* Record the element last handled so that hash_ip4_uadt() can resume
	 * a range add/del from it (h->next.ip) when the request is retried. */
	next->ip = e->ip;
}
75 | ||
5d50e1d8 | 76 | #define MTYPE hash_ip4 |
6c027889 | 77 | #define HOST_MASK 32 |
5d50e1d8 | 78 | #include "ip_set_hash_gen.h" |
3d14b171 | 79 | |
static int
hash_ip4_kadt(struct ip_set *set, const struct sk_buff *skb,
	      const struct xt_action_param *par,
	      enum ipset_adt adt, struct ip_set_adt_opt *opt)
{
	const struct hash_ip4 *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct hash_ip4_elem e = { 0 };
	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);

	/* Kernel-side add/del/test driven by a packet: take the source or
	 * destination address (as the match's dimension flag asks), reduce
	 * it to the set's netmask and hand it to the generic handler. */
	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip);
	e.ip &= ip_set_netmask(h->netmask);

	/* 0.0.0.0, or anything the netmask reduces to it, is not a storable
	 * element (see struct hash_ip4_elem). */
	if (!e.ip)
		return -EINVAL;

	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
}
99 | ||
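static int
hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
	      enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
	const struct hash_ip4 *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct hash_ip4_elem e = { 0 };
	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
	u32 hostmask = ip_set_hostmask(h->netmask);
	u32 ip = 0, ip_to = 0, hosts;
	int ret = 0;

	/* Userspace add/del/test from netlink attributes.  A single address
	 * (IPSET_ATTR_IP) is mandatory; add/del may also give either an end
	 * address (IPSET_ATTR_IP_TO) or a prefix (IPSET_ATTR_CIDR), in which
	 * case every netmask-sized block in the range is handled.
	 *
	 * Returns 0 on success, a negative errno or -IPSET_ERR_* otherwise;
	 * *lineno is set from IPSET_ATTR_LINENO for userspace error reports. */
	if (tb[IPSET_ATTR_LINENO])
		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

	if (unlikely(!tb[IPSET_ATTR_IP]))
		return -IPSET_ERR_PROTOCOL;

	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
	if (ret)
		return ret;

	ret = ip_set_get_extensions(set, tb, &ext);
	if (ret)
		return ret;

	/* Elements are stored at the granularity of the set's netmask */
	ip &= hostmask;
	e.ip = htonl(ip);
	if (e.ip == 0)
		return -IPSET_ERR_HASH_ELEM;

	if (adt == IPSET_TEST)
		return adtfn(set, &e, &ext, &ext, flags);

	ip_to = ip;
	if (tb[IPSET_ATTR_IP_TO]) {
		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
		if (ret)
			return ret;
		/* Align the far end as well, so that whichever end becomes
		 * the start after swap() is itself a valid (masked) element.
		 * For an aligned start the loop bound is unchanged by this. */
		ip_to &= hostmask;
		if (ip > ip_to)
			swap(ip, ip_to);
	} else if (tb[IPSET_ATTR_CIDR]) {
		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);

		if (!cidr || cidr > HOST_MASK)
			return -IPSET_ERR_INVALID_CIDR;
		ip_set_mask_from_to(ip, ip_to, cidr);
	}

	/* The swapped-in end, or the masked-down CIDR base, may be the
	 * unstorable 0.0.0.0: reject it as the single-address path does. */
	if (ip == 0)
		return -IPSET_ERR_HASH_ELEM;

	/* Step between consecutive elements: 2^(32 - netmask) addresses.
	 * This relies on netmask being within 1..32 (expected to be enforced
	 * by hash_ip_create() in ip_set_hash_gen.h -- confirm there); a 0
	 * netmask would be a 32-bit shift.
	 * NOTE(review): nothing bounds how many elements one request may
	 * walk (e.g. 0.0.0.1-255.255.255.255 with a /32 netmask); a range
	 * limit may be worth adding. */
	hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);

	/* On a retry (table resized underneath us) resume from the element
	 * recorded by hash_ip4_data_next(). */
	if (retried)
		ip = ntohl(h->next.ip);
	for (; ip <= ip_to;) {
		/* Build the element from the loop counter on every round.
		 * Previously e.ip was prepared once before the loop from the
		 * original first address, so after swap() the first insertion
		 * used the old (larger) address and the new start of the range
		 * was never added. */
		e.ip = htonl(ip);
		ret = adtfn(set, &e, &ext, &ext, flags);
		if (ret && !ip_set_eexist(ret, flags))
			return ret;

		ip += hosts;
		/* Wrapped past 255.255.255.255: the range is complete */
		if (ip == 0)
			return 0;

		ret = 0;
	}
	return ret;
}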
168 | ||
03c8b234 | 169 | /* IPv6 variant */ |
6c027889 | 170 | |
5d50e1d8 | 171 | /* Member elements */ |
struct hash_ip6_elem {
	/* The address (in6 member used), reduced to the set's netmask by the
	 * add paths; the all-zero address is rejected before storing. */
	union nf_inet_addr ip;
};
175 | ||
176 | /* Common functions */ |
177 | ||
static inline bool
hash_ip6_data_equal(const struct hash_ip6_elem *ip1,
		    const struct hash_ip6_elem *ip2,
		    u32 *multi)
{
	/* Two IPv6 elements are the same member when their stored addresses
	 * are equal.  @multi belongs to the generic hash interface and is
	 * not used by this type. */
	const struct in6_addr *a = &ip1->ip.in6;
	const struct in6_addr *b = &ip2->ip.in6;

	return ipv6_addr_equal(a, b);
}
185 | ||
static inline void
hash_ip6_netmask(union nf_inet_addr *ip, u8 prefix)
{
	/* Apply a /@prefix mask to @ip in place (ip6_netmask() from pfxlen.h) */
	ip6_netmask(ip, prefix);
}
191 | ||
static bool
hash_ip6_data_list(struct sk_buff *skb, const struct hash_ip6_elem *e)
{
	/* Emit the element as an IPSET_ATTR_IP attribute into the dump
	 * message.  Returns true when nla_put_ipaddr6() reports failure
	 * (the attribute did not fit), false when it was written. */
	return nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) != 0;
}
202 | ||
static inline void
hash_ip6_data_next(struct hash_ip6_elem *next, const struct hash_ip6_elem *e)
{
	/* Intentionally empty: the IPv6 variant never walks a range
	 * (hash_ip6_uadt() rejects IPSET_ATTR_IP_TO), so there is no
	 * resume point to record. */
}
207 | ||
5d50e1d8 | 208 | #undef MTYPE |
209 | #undef HOST_MASK |
210 | ||
5d50e1d8 | 211 | #define MTYPE hash_ip6 |
6c027889 | 212 | #define HOST_MASK 128 |
6c027889 | 213 | |
214 | #define IP_SET_EMIT_CREATE |
215 | #include "ip_set_hash_gen.h" | |
3d14b171 | 216 | |
static int
hash_ip6_kadt(struct ip_set *set, const struct sk_buff *skb,
	      const struct xt_action_param *par,
	      enum ipset_adt adt, struct ip_set_adt_opt *opt)
{
	const struct hash_ip6 *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct hash_ip6_elem e = { { .all = { 0 } } };
	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
	union nf_inet_addr *addr = &e.ip;

	/* Kernel-side add/del/test driven by a packet: take the source or
	 * destination address (as the match's dimension flag asks), reduce
	 * it to the set's netmask and hand it to the generic handler. */
	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &addr->in6);
	ip6_netmask(addr, h->netmask);

	/* The all-zero address is not a storable element */
	if (ipv6_addr_any(&addr->in6))
		return -EINVAL;

	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
}
234 | ||
static int
hash_ip6_uadt(struct ip_set *set, struct nlattr *tb[],
	      enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
	const struct hash_ip6 *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct hash_ip6_elem e = { { .all = { 0 } } };
	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
	int ret;

	/* Userspace add/del/test from netlink attributes.  Only a single
	 * address is accepted for IPv6: ranges are refused and a CIDR, if
	 * present, must be the host prefix.  Returns 0 on success (an
	 * "already exists" result counts as success when the flags say so),
	 * a negative errno or -IPSET_ERR_* otherwise. */
	if (tb[IPSET_ATTR_LINENO])
		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

	if (unlikely(!tb[IPSET_ATTR_IP]))
		return -IPSET_ERR_PROTOCOL;
	if (unlikely(tb[IPSET_ATTR_IP_TO]))
		return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
	if (unlikely(tb[IPSET_ATTR_CIDR]) &&
	    nla_get_u8(tb[IPSET_ATTR_CIDR]) != HOST_MASK)
		return -IPSET_ERR_INVALID_CIDR;

	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
	if (ret)
		return ret;
	ret = ip_set_get_extensions(set, tb, &ext);
	if (ret)
		return ret;

	/* Reduce to the set's netmask; the all-zero address is not storable */
	ip6_netmask(&e.ip, h->netmask);
	if (ipv6_addr_any(&e.ip.in6))
		return -IPSET_ERR_HASH_ELEM;

	ret = adtfn(set, &e, &ext, &ext, flags);
	if (ip_set_eexist(ret, flags))
		return 0;
	return ret;
}
275 | ||
/* Type registration for hash:ip.  One registration serves both address
 * families (.family = NFPROTO_UNSPEC); the netlink policies below are the
 * attribute type/length bounds the ipset core applies before the create
 * and add/del/test handlers above see the attributes. */
static struct ip_set_type hash_ip_type __read_mostly = {
	.name		= "hash:ip",
	.protocol	= IPSET_PROTOCOL,
	.features	= IPSET_TYPE_IP,
	.dimension	= IPSET_DIM_ONE,
	.family		= NFPROTO_UNSPEC,
	.revision_min	= IPSET_TYPE_REV_MIN,
	.revision_max	= IPSET_TYPE_REV_MAX,
	/* Generated by ip_set_hash_gen.h (IP_SET_EMIT_CREATE above) */
	.create		= hash_ip_create,
	/* Attributes accepted by IPSET_CMD_CREATE.  Only the netlink type of
	 * IPSET_ATTR_NETMASK is checked here; its value range (the kernel
	 * paths shift by it) is expected to be validated in hash_ip_create()
	 * -- confirm in ip_set_hash_gen.h. */
	.create_policy	= {
		[IPSET_ATTR_HASHSIZE]	= { .type = NLA_U32 },
		[IPSET_ATTR_MAXELEM]	= { .type = NLA_U32 },
		[IPSET_ATTR_PROBES]	= { .type = NLA_U8 },
		[IPSET_ATTR_RESIZE]	= { .type = NLA_U8 },
		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
		[IPSET_ATTR_NETMASK]	= { .type = NLA_U8 },
		[IPSET_ATTR_CADT_FLAGS]	= { .type = NLA_U32 },
	},
	/* Attributes accepted by add/del/test.  IP and IP_TO are nested
	 * attributes decoded by ip_set_get_hostipaddr4()/ip_set_get_ipaddr6();
	 * the comment is a NUL-terminated string bounded to
	 * IPSET_MAX_COMMENT_SIZE by the policy itself. */
	.adt_policy	= {
		[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
		[IPSET_ATTR_IP_TO]	= { .type = NLA_NESTED },
		[IPSET_ATTR_CIDR]	= { .type = NLA_U8 },
		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
					    .len  = IPSET_MAX_COMMENT_SIZE },
		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
	},
	.me		= THIS_MODULE,
};
310 | ||
static int __init
hash_ip_init(void)
{
	/* Register the type with the ipset core; failure unloads the module */
	return ip_set_type_register(&hash_ip_type);
}
316 | ||
static void __exit
hash_ip_fini(void)
{
	/* Wait for any RCU callbacks still queued on behalf of sets of this
	 * type to finish before the type is unregistered and the module
	 * text can go away. */
	rcu_barrier();
	ip_set_type_unregister(&hash_ip_type);
}
323 | ||
324 | module_init(hash_ip_init); | |
325 | module_exit(hash_ip_fini); |