1 /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License version 2 as
5 * published by the Free Software Foundation.
8 /* Kernel module implementing an IP set type: the hash:net,port type */
10 #include <linux/jhash.h>
11 #include <linux/module.h>
13 #include <linux/skbuff.h>
14 #include <linux/errno.h>
15 #include <linux/random.h>
18 #include <net/netlink.h>
20 #include <linux/netfilter.h>
21 #include <linux/netfilter/ipset/pfxlen.h>
22 #include <linux/netfilter/ipset/ip_set.h>
23 #include <linux/netfilter/ipset/ip_set_timeout.h>
24 #include <linux/netfilter/ipset/ip_set_getport.h>
25 #include <linux/netfilter/ipset/ip_set_hash.h>
27 #define REVISION_MIN 0
28 /* 1 SCTP and UDPLITE support added */
29 /* 2 Range as input support for IPv4 added */
30 #define REVISION_MAX 3 /* nomatch flag support added */
32 MODULE_LICENSE("GPL");
33 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
34 IP_SET_MODULE_DESC("hash:net,port", REVISION_MIN, REVISION_MAX);
35 MODULE_ALIAS("ip_set_hash:net,port");
37 /* Type specific function prefix */
38 #define TYPE hash_netport
41 hash_netport_same_set(const struct ip_set *a, const struct ip_set *b);
43 #define hash_netport4_same_set hash_netport_same_set
44 #define hash_netport6_same_set hash_netport_same_set
46 /* The type variant functions: IPv4 */
48 /* We squeeze the "nomatch" flag into cidr: we don't support cidr == 0
49 * However this way we have to store internally cidr - 1,
50 * dancing back and forth.
52 #define IP_SET_HASH_WITH_NETS_PACKED
54 /* Member elements without timeout */
55 struct hash_netport4_elem {
63 /* Member elements with timeout support */
64 struct hash_netport4_telem {
70 unsigned long timeout;
74 hash_netport4_data_equal(const struct hash_netport4_elem *ip1,
75 const struct hash_netport4_elem *ip2,
78 return ip1->ip == ip2->ip &&
79 ip1->port == ip2->port &&
80 ip1->proto == ip2->proto &&
81 ip1->cidr == ip2->cidr;
85 hash_netport4_data_isnull(const struct hash_netport4_elem *elem)
87 return elem->proto == 0;
91 hash_netport4_data_copy(struct hash_netport4_elem *dst,
92 const struct hash_netport4_elem *src)
95 dst->port = src->port;
96 dst->proto = src->proto;
97 dst->cidr = src->cidr;
98 dst->nomatch = src->nomatch;
102 hash_netport4_data_flags(struct hash_netport4_elem *dst, u32 flags)
104 dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
108 hash_netport4_data_reset_flags(struct hash_netport4_elem *dst, u32 *flags)
111 *flags = IPSET_FLAG_NOMATCH;
117 hash_netport4_data_match(const struct hash_netport4_elem *elem)
119 return elem->nomatch ? -ENOTEMPTY : 1;
123 hash_netport4_data_netmask(struct hash_netport4_elem *elem, u8 cidr)
125 elem->ip &= ip_set_netmask(cidr);
126 elem->cidr = cidr - 1;
130 hash_netport4_data_zero_out(struct hash_netport4_elem *elem)
136 hash_netport4_data_list(struct sk_buff *skb,
137 const struct hash_netport4_elem *data)
139 u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
141 if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
142 nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
143 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr + 1) ||
144 nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
146 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
147 goto nla_put_failure;
155 hash_netport4_data_tlist(struct sk_buff *skb,
156 const struct hash_netport4_elem *data)
158 const struct hash_netport4_telem *tdata =
159 (const struct hash_netport4_telem *)data;
160 u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
162 if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) ||
163 nla_put_net16(skb, IPSET_ATTR_PORT, tdata->port) ||
164 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr + 1) ||
165 nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
166 nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
167 htonl(ip_set_timeout_get(tdata->timeout))) ||
169 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
170 goto nla_put_failure;
177 #define IP_SET_HASH_WITH_PROTO
178 #define IP_SET_HASH_WITH_NETS
182 #include <linux/netfilter/ipset/ip_set_ahash.h>
185 hash_netport4_data_next(struct ip_set_hash *h,
186 const struct hash_netport4_elem *d)
189 h->next.port = d->port;
193 hash_netport4_kadt(struct ip_set *set, const struct sk_buff *skb,
194 const struct xt_action_param *par,
195 enum ipset_adt adt, const struct ip_set_adt_opt *opt)
197 const struct ip_set_hash *h = set->data;
198 ipset_adtfn adtfn = set->variant->adt[adt];
199 struct hash_netport4_elem data = {
200 .cidr = h->nets[0].cidr ? h->nets[0].cidr - 1 : HOST_MASK - 1
203 if (adt == IPSET_TEST)
204 data.cidr = HOST_MASK - 1;
206 if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
207 &data.port, &data.proto))
210 ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
211 data.ip &= ip_set_netmask(data.cidr + 1);
213 return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
217 hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
218 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
220 const struct ip_set_hash *h = set->data;
221 ipset_adtfn adtfn = set->variant->adt[adt];
222 struct hash_netport4_elem data = { .cidr = HOST_MASK - 1 };
223 u32 port, port_to, p = 0, ip = 0, ip_to, last;
224 u32 timeout = h->timeout;
225 bool with_ports = false;
229 if (unlikely(!tb[IPSET_ATTR_IP] ||
230 !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
231 !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
232 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
233 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
234 return -IPSET_ERR_PROTOCOL;
236 if (tb[IPSET_ATTR_LINENO])
237 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
239 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
243 if (tb[IPSET_ATTR_CIDR]) {
244 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
245 if (!cidr || cidr > HOST_MASK)
246 return -IPSET_ERR_INVALID_CIDR;
247 data.cidr = cidr - 1;
250 if (tb[IPSET_ATTR_PORT])
251 data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
253 return -IPSET_ERR_PROTOCOL;
255 if (tb[IPSET_ATTR_PROTO]) {
256 data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
257 with_ports = ip_set_proto_with_ports(data.proto);
260 return -IPSET_ERR_INVALID_PROTO;
262 return -IPSET_ERR_MISSING_PROTO;
264 if (!(with_ports || data.proto == IPPROTO_ICMP))
267 if (tb[IPSET_ATTR_TIMEOUT]) {
268 if (!with_timeout(h->timeout))
269 return -IPSET_ERR_TIMEOUT;
270 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
273 with_ports = with_ports && tb[IPSET_ATTR_PORT_TO];
275 if (tb[IPSET_ATTR_CADT_FLAGS] && adt == IPSET_ADD) {
276 u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
277 if (cadt_flags & IPSET_FLAG_NOMATCH)
278 flags |= (cadt_flags << 16);
281 if (adt == IPSET_TEST || !(with_ports || tb[IPSET_ATTR_IP_TO])) {
282 data.ip = htonl(ip & ip_set_hostmask(data.cidr + 1));
283 ret = adtfn(set, &data, timeout, flags);
284 return ip_set_eexist(ret, flags) ? 0 : ret;
287 port = port_to = ntohs(data.port);
288 if (tb[IPSET_ATTR_PORT_TO]) {
289 port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
293 if (tb[IPSET_ATTR_IP_TO]) {
294 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
299 if (ip + UINT_MAX == ip_to)
300 return -IPSET_ERR_HASH_RANGE;
302 ip_set_mask_from_to(ip, ip_to, data.cidr + 1);
306 ip = ntohl(h->next.ip);
307 while (!after(ip, ip_to)) {
309 last = ip_set_range_to_cidr(ip, ip_to, &cidr);
310 data.cidr = cidr - 1;
311 p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
313 for (; p <= port_to; p++) {
314 data.port = htons(p);
315 ret = adtfn(set, &data, timeout, flags);
317 if (ret && !ip_set_eexist(ret, flags))
328 hash_netport_same_set(const struct ip_set *a, const struct ip_set *b)
330 const struct ip_set_hash *x = a->data;
331 const struct ip_set_hash *y = b->data;
333 /* Resizing changes htable_bits, so we ignore it */
334 return x->maxelem == y->maxelem &&
335 x->timeout == y->timeout;
338 /* The type variant functions: IPv6 */
340 struct hash_netport6_elem {
341 union nf_inet_addr ip;
348 struct hash_netport6_telem {
349 union nf_inet_addr ip;
354 unsigned long timeout;
358 hash_netport6_data_equal(const struct hash_netport6_elem *ip1,
359 const struct hash_netport6_elem *ip2,
362 return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6) &&
363 ip1->port == ip2->port &&
364 ip1->proto == ip2->proto &&
365 ip1->cidr == ip2->cidr;
369 hash_netport6_data_isnull(const struct hash_netport6_elem *elem)
371 return elem->proto == 0;
375 hash_netport6_data_copy(struct hash_netport6_elem *dst,
376 const struct hash_netport6_elem *src)
378 memcpy(dst, src, sizeof(*dst));
382 hash_netport6_data_flags(struct hash_netport6_elem *dst, u32 flags)
384 dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
388 hash_netport6_data_reset_flags(struct hash_netport6_elem *dst, u32 *flags)
391 *flags = IPSET_FLAG_NOMATCH;
397 hash_netport6_data_match(const struct hash_netport6_elem *elem)
399 return elem->nomatch ? -ENOTEMPTY : 1;
403 hash_netport6_data_zero_out(struct hash_netport6_elem *elem)
409 ip6_netmask(union nf_inet_addr *ip, u8 prefix)
411 ip->ip6[0] &= ip_set_netmask6(prefix)[0];
412 ip->ip6[1] &= ip_set_netmask6(prefix)[1];
413 ip->ip6[2] &= ip_set_netmask6(prefix)[2];
414 ip->ip6[3] &= ip_set_netmask6(prefix)[3];
418 hash_netport6_data_netmask(struct hash_netport6_elem *elem, u8 cidr)
420 ip6_netmask(&elem->ip, cidr);
421 elem->cidr = cidr - 1;
425 hash_netport6_data_list(struct sk_buff *skb,
426 const struct hash_netport6_elem *data)
428 u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
430 if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
431 nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
432 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr + 1) ||
433 nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
435 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
436 goto nla_put_failure;
444 hash_netport6_data_tlist(struct sk_buff *skb,
445 const struct hash_netport6_elem *data)
447 const struct hash_netport6_telem *e =
448 (const struct hash_netport6_telem *)data;
449 u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
451 if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
452 nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
453 nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr + 1) ||
454 nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
455 nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
456 htonl(ip_set_timeout_get(e->timeout))) ||
458 nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
459 goto nla_put_failure;
470 #define HOST_MASK 128
471 #include <linux/netfilter/ipset/ip_set_ahash.h>
474 hash_netport6_data_next(struct ip_set_hash *h,
475 const struct hash_netport6_elem *d)
477 h->next.port = d->port;
481 hash_netport6_kadt(struct ip_set *set, const struct sk_buff *skb,
482 const struct xt_action_param *par,
483 enum ipset_adt adt, const struct ip_set_adt_opt *opt)
485 const struct ip_set_hash *h = set->data;
486 ipset_adtfn adtfn = set->variant->adt[adt];
487 struct hash_netport6_elem data = {
488 .cidr = h->nets[0].cidr ? h->nets[0].cidr - 1 : HOST_MASK - 1,
491 if (adt == IPSET_TEST)
492 data.cidr = HOST_MASK - 1;
494 if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
495 &data.port, &data.proto))
498 ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
499 ip6_netmask(&data.ip, data.cidr + 1);
501 return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
505 hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
506 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
508 const struct ip_set_hash *h = set->data;
509 ipset_adtfn adtfn = set->variant->adt[adt];
510 struct hash_netport6_elem data = { .cidr = HOST_MASK - 1 };
512 u32 timeout = h->timeout;
513 bool with_ports = false;
517 if (unlikely(!tb[IPSET_ATTR_IP] ||
518 !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
519 !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
520 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
521 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
522 return -IPSET_ERR_PROTOCOL;
523 if (unlikely(tb[IPSET_ATTR_IP_TO]))
524 return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
526 if (tb[IPSET_ATTR_LINENO])
527 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
529 ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
533 if (tb[IPSET_ATTR_CIDR]) {
534 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
535 if (!cidr || cidr > HOST_MASK)
536 return -IPSET_ERR_INVALID_CIDR;
537 data.cidr = cidr - 1;
539 ip6_netmask(&data.ip, data.cidr + 1);
541 if (tb[IPSET_ATTR_PORT])
542 data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
544 return -IPSET_ERR_PROTOCOL;
546 if (tb[IPSET_ATTR_PROTO]) {
547 data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
548 with_ports = ip_set_proto_with_ports(data.proto);
551 return -IPSET_ERR_INVALID_PROTO;
553 return -IPSET_ERR_MISSING_PROTO;
555 if (!(with_ports || data.proto == IPPROTO_ICMPV6))
558 if (tb[IPSET_ATTR_TIMEOUT]) {
559 if (!with_timeout(h->timeout))
560 return -IPSET_ERR_TIMEOUT;
561 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
564 if (tb[IPSET_ATTR_CADT_FLAGS] && adt == IPSET_ADD) {
565 u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
566 if (cadt_flags & IPSET_FLAG_NOMATCH)
567 flags |= (cadt_flags << 16);
570 if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
571 ret = adtfn(set, &data, timeout, flags);
572 return ip_set_eexist(ret, flags) ? 0 : ret;
575 port = ntohs(data.port);
576 port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
581 port = ntohs(h->next.port);
582 for (; port <= port_to; port++) {
583 data.port = htons(port);
584 ret = adtfn(set, &data, timeout, flags);
586 if (ret && !ip_set_eexist(ret, flags))
594 /* Create hash:ip type of sets */
597 hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
599 struct ip_set_hash *h;
600 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
604 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
605 return -IPSET_ERR_INVALID_FAMILY;
607 if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
608 !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
609 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
610 return -IPSET_ERR_PROTOCOL;
612 if (tb[IPSET_ATTR_HASHSIZE]) {
613 hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
614 if (hashsize < IPSET_MIMINAL_HASHSIZE)
615 hashsize = IPSET_MIMINAL_HASHSIZE;
618 if (tb[IPSET_ATTR_MAXELEM])
619 maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
621 h = kzalloc(sizeof(*h)
622 + sizeof(struct ip_set_hash_nets)
623 * (set->family == NFPROTO_IPV4 ? 32 : 128), GFP_KERNEL);
627 h->maxelem = maxelem;
628 get_random_bytes(&h->initval, sizeof(h->initval));
629 h->timeout = IPSET_NO_TIMEOUT;
631 hbits = htable_bits(hashsize);
632 hsize = htable_size(hbits);
637 h->table = ip_set_alloc(hsize);
642 h->table->htable_bits = hbits;
646 if (tb[IPSET_ATTR_TIMEOUT]) {
647 h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
649 set->variant = set->family == NFPROTO_IPV4
650 ? &hash_netport4_tvariant : &hash_netport6_tvariant;
652 if (set->family == NFPROTO_IPV4)
653 hash_netport4_gc_init(set);
655 hash_netport6_gc_init(set);
657 set->variant = set->family == NFPROTO_IPV4
658 ? &hash_netport4_variant : &hash_netport6_variant;
661 pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
662 set->name, jhash_size(h->table->htable_bits),
663 h->table->htable_bits, h->maxelem, set->data, h->table);
668 static struct ip_set_type hash_netport_type __read_mostly = {
669 .name = "hash:net,port",
670 .protocol = IPSET_PROTOCOL,
671 .features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_NOMATCH,
672 .dimension = IPSET_DIM_TWO,
673 .family = NFPROTO_UNSPEC,
674 .revision_min = REVISION_MIN,
675 .revision_max = REVISION_MAX,
676 .create = hash_netport_create,
678 [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
679 [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
680 [IPSET_ATTR_PROBES] = { .type = NLA_U8 },
681 [IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
682 [IPSET_ATTR_PROTO] = { .type = NLA_U8 },
683 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
686 [IPSET_ATTR_IP] = { .type = NLA_NESTED },
687 [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
688 [IPSET_ATTR_PORT] = { .type = NLA_U16 },
689 [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 },
690 [IPSET_ATTR_PROTO] = { .type = NLA_U8 },
691 [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
692 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
693 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
694 [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
700 hash_netport_init(void)
702 return ip_set_type_register(&hash_netport_type);
706 hash_netport_fini(void)
708 ip_set_type_unregister(&hash_netport_type);
711 module_init(hash_netport_init);
712 module_exit(hash_netport_fini);