]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blame - net/netfilter/ipset/ip_set_hash_gen.h
projects / mirror_ubuntu-zesty-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: ipset: Use netlink callback dump args only
[mirror_ubuntu-zesty-kernel.git] / net / netfilter / ipset / ip_set_hash_gen.h
CommitLineData
1feab10d
JK		 1/* Copyright (C) 2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License version 2 as
5 * published by the Free Software Foundation.
6 */
7
8#ifndef _IP_SET_HASH_GEN_H
9#define _IP_SET_HASH_GEN_H
10
11#include <linux/rcupdate.h>
12#include <linux/jhash.h>
13#include <linux/netfilter/ipset/ip_set_timeout.h>
14#ifndef rcu_dereference_bh
15#define rcu_dereference_bh(p) rcu_dereference(p)
16#endif
17
a0f28dc7
JK		 18#define rcu_dereference_bh_nfnl(p) rcu_dereference_bh_check(p, 1)
19
1feab10d
JK		 20/* Hashing which uses arrays to resolve clashing. The hash table is resized
21 * (doubled) when searching becomes too long.
22 * Internally jhash is used with the assumption that the size of the
23 * stored data is a multiple of sizeof(u32). If storage supports timeout,
24 * the timeout field must be the last one in the data structure - that field
25 * is ignored when computing the hash key.
26 *
27 * Readers and resizing
28 *
29 * Resizing can be triggered by userspace command only, and those
30 * are serialized by the nfnl mutex. During resizing the set is
31 * read-locked, so the only possible concurrent operations are
32 * the kernel side readers. Those must be protected by proper RCU locking.
33 */
34
35/* Number of elements to store in an initial array block */
36#define AHASH_INIT_SIZE 4
37/* Max number of elements to store in an array block */
38#define AHASH_MAX_SIZE (3*AHASH_INIT_SIZE)
39
40/* Max number of elements can be tuned */
41#ifdef IP_SET_HASH_WITH_MULTI
42#define AHASH_MAX(h) ((h)->ahash_max)
43
44static inline u8
45tune_ahash_max(u8 curr, u32 multi)
46{
47 u32 n;
48
49 if (multi < curr)
50 return curr;
51
52 n = curr + AHASH_INIT_SIZE;
53 /* Currently, at listing one hash bucket must fit into a message.
54 * Therefore we have a hard limit here.
55 */
56 return n > curr && n <= 64 ? n : curr;
57}
58#define TUNE_AHASH_MAX(h, multi) \
59 ((h)->ahash_max = tune_ahash_max((h)->ahash_max, multi))
60#else
61#define AHASH_MAX(h) AHASH_MAX_SIZE
62#define TUNE_AHASH_MAX(h, multi)
63#endif
64
65/* A hash bucket */
66struct hbucket {
67 void *value; /* the array of the values */
68 u8 size; /* size of the array */
69 u8 pos; /* position of the first free entry */
70};
71
72/* The hash table: the table size stored here in order to make resizing easy */
73struct htable {
74 u8 htable_bits; /* size of hash table == 2^htable_bits */
75 struct hbucket bucket[0]; /* hashtable buckets */
76};
77
78#define hbucket(h, i) (&((h)->bucket[i]))
79
a04d8b6b
JK		 80#ifndef IPSET_NET_COUNT
81#define IPSET_NET_COUNT 1
82#endif
83
1feab10d
JK		 84/* Book-keeping of the prefixes added to the set */
85struct net_prefixes {
a04d8b6b
JK		 86 u32 nets[IPSET_NET_COUNT]; /* number of elements per cidr */
87 u8 cidr[IPSET_NET_COUNT]; /* the different cidr values in the set */
1feab10d
JK		 88};
89
90/* Compute the hash table size */
91static size_t
92htable_size(u8 hbits)
93{
94 size_t hsize;
95
96 /* We must fit both into u32 in jhash and size_t */
97 if (hbits > 31)
98 return 0;
99 hsize = jhash_size(hbits);
100 if ((((size_t)-1) - sizeof(struct htable))/sizeof(struct hbucket)
101 < hsize)
102 return 0;
103
104 return hsize * sizeof(struct hbucket) + sizeof(struct htable);
105}
106
107/* Compute htable_bits from the user input parameter hashsize */
108static u8
109htable_bits(u32 hashsize)
110{
111 /* Assume that hashsize == 2^htable_bits */
112 u8 bits = fls(hashsize - 1);
113 if (jhash_size(bits) != hashsize)
114 /* Round up to the first 2^n value */
115 bits = fls(hashsize);
116
117 return bits;
118}
119
1feab10d
JK		 120static int
121hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize)
122{
123 if (n->pos >= n->size) {
124 void *tmp;
125
126 if (n->size >= ahash_max)
127 /* Trigger rehashing */
128 return -EAGAIN;
129
130 tmp = kzalloc((n->size + AHASH_INIT_SIZE) * dsize,
131 GFP_ATOMIC);
132 if (!tmp)
133 return -ENOMEM;
134 if (n->size) {
135 memcpy(tmp, n->value, n->size * dsize);
136 kfree(n->value);
137 }
138 n->value = tmp;
139 n->size += AHASH_INIT_SIZE;
140 }
141 return 0;
142}
143
144#ifdef IP_SET_HASH_WITH_NETS
ea53ac5b
OS		 145#if IPSET_NET_COUNT > 1
146#define __CIDR(cidr, i) (cidr[i])
147#else
148#define __CIDR(cidr, i) (cidr)
149#endif
1feab10d
JK		 150#ifdef IP_SET_HASH_WITH_NETS_PACKED
151/* When cidr is packed with nomatch, cidr - 1 is stored in the entry */
ea53ac5b 152#define CIDR(cidr, i) (__CIDR(cidr, i) + 1)
1feab10d 153#else
ea53ac5b 154#define CIDR(cidr, i) (__CIDR(cidr, i))
1feab10d
JK		 155#endif
156
157#define SET_HOST_MASK(family) (family == AF_INET ? 32 : 128)
158
159#ifdef IP_SET_HASH_WITH_MULTI
a04d8b6b 160#define NLEN(family) (SET_HOST_MASK(family) + 1)
1feab10d 161#else
a04d8b6b 162#define NLEN(family) SET_HOST_MASK(family)
1feab10d
JK		 163#endif
164
165#else
a04d8b6b 166#define NLEN(family) 0
1feab10d
JK		 167#endif /* IP_SET_HASH_WITH_NETS */
168
1feab10d
JK		 169#endif /* _IP_SET_HASH_GEN_H */
170
171/* Family dependent templates */
172
173#undef ahash_data
174#undef mtype_data_equal
175#undef mtype_do_data_match
176#undef mtype_data_set_flags
177#undef mtype_data_reset_flags
178#undef mtype_data_netmask
179#undef mtype_data_list
180#undef mtype_data_next
181#undef mtype_elem
182
40cd63bf
JK		 183#undef mtype_ahash_destroy
184#undef mtype_ext_cleanup
1feab10d
JK		 185#undef mtype_add_cidr
186#undef mtype_del_cidr
187#undef mtype_ahash_memsize
188#undef mtype_flush
189#undef mtype_destroy
190#undef mtype_gc_init
191#undef mtype_same_set
192#undef mtype_kadt
193#undef mtype_uadt
194#undef mtype
195
196#undef mtype_add
197#undef mtype_del
198#undef mtype_test_cidrs
199#undef mtype_test
200#undef mtype_expire
201#undef mtype_resize
202#undef mtype_head
203#undef mtype_list
204#undef mtype_gc
205#undef mtype_gc_init
206#undef mtype_variant
207#undef mtype_data_match
208
209#undef HKEY
210
35b8dcf8 211#define mtype_data_equal IPSET_TOKEN(MTYPE, _data_equal)
1feab10d 212#ifdef IP_SET_HASH_WITH_NETS
35b8dcf8 213#define mtype_do_data_match IPSET_TOKEN(MTYPE, _do_data_match)
1feab10d
JK		 214#else
215#define mtype_do_data_match(d) 1
216#endif
35b8dcf8 217#define mtype_data_set_flags IPSET_TOKEN(MTYPE, _data_set_flags)
ea53ac5b 218#define mtype_data_reset_elem IPSET_TOKEN(MTYPE, _data_reset_elem)
35b8dcf8
JK		 219#define mtype_data_reset_flags IPSET_TOKEN(MTYPE, _data_reset_flags)
220#define mtype_data_netmask IPSET_TOKEN(MTYPE, _data_netmask)
221#define mtype_data_list IPSET_TOKEN(MTYPE, _data_list)
222#define mtype_data_next IPSET_TOKEN(MTYPE, _data_next)
223#define mtype_elem IPSET_TOKEN(MTYPE, _elem)
40cd63bf
JK		 224#define mtype_ahash_destroy IPSET_TOKEN(MTYPE, _ahash_destroy)
225#define mtype_ext_cleanup IPSET_TOKEN(MTYPE, _ext_cleanup)
35b8dcf8
JK		 226#define mtype_add_cidr IPSET_TOKEN(MTYPE, _add_cidr)
227#define mtype_del_cidr IPSET_TOKEN(MTYPE, _del_cidr)
228#define mtype_ahash_memsize IPSET_TOKEN(MTYPE, _ahash_memsize)
229#define mtype_flush IPSET_TOKEN(MTYPE, _flush)
230#define mtype_destroy IPSET_TOKEN(MTYPE, _destroy)
231#define mtype_gc_init IPSET_TOKEN(MTYPE, _gc_init)
232#define mtype_same_set IPSET_TOKEN(MTYPE, _same_set)
233#define mtype_kadt IPSET_TOKEN(MTYPE, _kadt)
234#define mtype_uadt IPSET_TOKEN(MTYPE, _uadt)
1feab10d
JK		 235#define mtype MTYPE
236
35b8dcf8
JK		 237#define mtype_elem IPSET_TOKEN(MTYPE, _elem)
238#define mtype_add IPSET_TOKEN(MTYPE, _add)
239#define mtype_del IPSET_TOKEN(MTYPE, _del)
240#define mtype_test_cidrs IPSET_TOKEN(MTYPE, _test_cidrs)
241#define mtype_test IPSET_TOKEN(MTYPE, _test)
242#define mtype_expire IPSET_TOKEN(MTYPE, _expire)
243#define mtype_resize IPSET_TOKEN(MTYPE, _resize)
244#define mtype_head IPSET_TOKEN(MTYPE, _head)
245#define mtype_list IPSET_TOKEN(MTYPE, _list)
246#define mtype_gc IPSET_TOKEN(MTYPE, _gc)
247#define mtype_variant IPSET_TOKEN(MTYPE, _variant)
248#define mtype_data_match IPSET_TOKEN(MTYPE, _data_match)
1feab10d
JK		 249
250#ifndef HKEY_DATALEN
251#define HKEY_DATALEN sizeof(struct mtype_elem)
252#endif
253
254#define HKEY(data, initval, htable_bits) \
255(jhash2((u32 *)(data), HKEY_DATALEN/sizeof(u32), initval) \
256 & jhash_mask(htable_bits))
257
258#ifndef htype
259#define htype HTYPE
260
261/* The generic hash structure */
262struct htype {
a0f28dc7 263 struct htable __rcu *table; /* the hash table */
1feab10d
JK		 264 u32 maxelem; /* max elements in the hash */
265 u32 elements; /* current element (vs timeout) */
266 u32 initval; /* random jhash init value */
1feab10d
JK		 267 struct timer_list gc; /* garbage collection when timeout enabled */
268 struct mtype_elem next; /* temporary storage for uadd */
269#ifdef IP_SET_HASH_WITH_MULTI
270 u8 ahash_max; /* max elements in an array block */
271#endif
272#ifdef IP_SET_HASH_WITH_NETMASK
273 u8 netmask; /* netmask value for subnets to store */
274#endif
275#ifdef IP_SET_HASH_WITH_RBTREE
276 struct rb_root rbtree;
277#endif
278#ifdef IP_SET_HASH_WITH_NETS
279 struct net_prefixes nets[0]; /* book-keeping of prefixes */
280#endif
281};
282#endif
283
284#ifdef IP_SET_HASH_WITH_NETS
285/* Network cidr size book keeping when the hash stores different
286 * sized networks */
287static void
a04d8b6b 288mtype_add_cidr(struct htype *h, u8 cidr, u8 nets_length, u8 n)
1feab10d
JK		 289{
290 int i, j;
291
292 /* Add in increasing prefix order, so larger cidr first */
a04d8b6b 293 for (i = 0, j = -1; i < nets_length && h->nets[i].nets[n]; i++) {
1feab10d
JK		 294 if (j != -1)
295 continue;
a04d8b6b 296 else if (h->nets[i].cidr[n] < cidr)
1feab10d 297 j = i;
a04d8b6b
JK		 298 else if (h->nets[i].cidr[n] == cidr) {
299 h->nets[i].nets[n]++;
1feab10d
JK		 300 return;
301 }
302 }
303 if (j != -1) {
304 for (; i > j; i--) {
a04d8b6b
JK		 305 h->nets[i].cidr[n] = h->nets[i - 1].cidr[n];
306 h->nets[i].nets[n] = h->nets[i - 1].nets[n];
1feab10d
JK		 307 }
308 }
a04d8b6b
JK		 309 h->nets[i].cidr[n] = cidr;
310 h->nets[i].nets[n] = 1;
1feab10d
JK		 311}
312
313static void
a04d8b6b 314mtype_del_cidr(struct htype *h, u8 cidr, u8 nets_length, u8 n)
1feab10d 315{
2cf55125
OS		 316 u8 i, j, net_end = nets_length - 1;
317
318 for (i = 0; i < nets_length; i++) {
a04d8b6b 319 if (h->nets[i].cidr[n] != cidr)
2cf55125 320 continue;
a04d8b6b
JK		 321 if (h->nets[i].nets[n] > 1 || i == net_end ||
322 h->nets[i + 1].nets[n] == 0) {
323 h->nets[i].nets[n]--;
2cf55125
OS		 324 return;
325 }
a04d8b6b
JK		 326 for (j = i; j < net_end && h->nets[j].nets[n]; j++) {
327 h->nets[j].cidr[n] = h->nets[j + 1].cidr[n];
328 h->nets[j].nets[n] = h->nets[j + 1].nets[n];
2cf55125 329 }
a04d8b6b 330 h->nets[j].nets[n] = 0;
2cf55125 331 return;
1feab10d
JK		 332 }
333}
334#endif
335
336/* Calculate the actual memory size of the set data */
337static size_t
a0f28dc7 338mtype_ahash_memsize(const struct htype *h, const struct htable *t,
ca134ce8 339 u8 nets_length, size_t dsize)
1feab10d
JK		 340{
341 u32 i;
1feab10d
JK		 342 size_t memsize = sizeof(*h)
343 + sizeof(*t)
344#ifdef IP_SET_HASH_WITH_NETS
345 + sizeof(struct net_prefixes) * nets_length
346#endif
347 + jhash_size(t->htable_bits) * sizeof(struct hbucket);
348
349 for (i = 0; i < jhash_size(t->htable_bits); i++)
ca134ce8 350 memsize += t->bucket[i].size * dsize;
1feab10d
JK		 351
352 return memsize;
353}
354
40cd63bf
JK		 355/* Get the ith element from the array block n */
356#define ahash_data(n, i, dsize) \
357 ((struct mtype_elem *)((n)->value + ((i) * (dsize))))
358
359static void
360mtype_ext_cleanup(struct ip_set *set, struct hbucket *n)
361{
362 int i;
363
364 for (i = 0; i < n->pos; i++)
365 ip_set_ext_destroy(set, ahash_data(n, i, set->dsize));
366}
367
1feab10d
JK		 368/* Flush a hash type of set: destroy all elements */
369static void
370mtype_flush(struct ip_set *set)
371{
372 struct htype *h = set->data;
a0f28dc7 373 struct htable *t;
1feab10d
JK		 374 struct hbucket *n;
375 u32 i;
376
a0f28dc7 377 t = rcu_dereference_bh_nfnl(h->table);
1feab10d
JK		 378 for (i = 0; i < jhash_size(t->htable_bits); i++) {
379 n = hbucket(t, i);
380 if (n->size) {
40cd63bf
JK		 381 if (set->extensions & IPSET_EXT_DESTROY)
382 mtype_ext_cleanup(set, n);
1feab10d
JK		 383 n->size = n->pos = 0;
384 /* FIXME: use slab cache */
385 kfree(n->value);
386 }
387 }
388#ifdef IP_SET_HASH_WITH_NETS
a04d8b6b 389 memset(h->nets, 0, sizeof(struct net_prefixes) * NLEN(set->family));
1feab10d
JK		 390#endif
391 h->elements = 0;
392}
393
40cd63bf
JK		 394/* Destroy the hashtable part of the set */
395static void
80571a9e 396mtype_ahash_destroy(struct ip_set *set, struct htable *t, bool ext_destroy)
40cd63bf
JK		 397{
398 struct hbucket *n;
399 u32 i;
400
401 for (i = 0; i < jhash_size(t->htable_bits); i++) {
402 n = hbucket(t, i);
403 if (n->size) {
80571a9e 404 if (set->extensions & IPSET_EXT_DESTROY && ext_destroy)
40cd63bf
JK		 405 mtype_ext_cleanup(set, n);
406 /* FIXME: use slab cache */
407 kfree(n->value);
408 }
409 }
410
411 ip_set_free(t);
412}
413
1feab10d
JK		 414/* Destroy a hash type of set */
415static void
416mtype_destroy(struct ip_set *set)
417{
418 struct htype *h = set->data;
419
420 if (set->extensions & IPSET_EXT_TIMEOUT)
421 del_timer_sync(&h->gc);
422
80571a9e 423 mtype_ahash_destroy(set, rcu_dereference_bh_nfnl(h->table), true);
1feab10d
JK		 424#ifdef IP_SET_HASH_WITH_RBTREE
425 rbtree_destroy(&h->rbtree);
426#endif
427 kfree(h);
428
429 set->data = NULL;
430}
431
432static void
433mtype_gc_init(struct ip_set *set, void (*gc)(unsigned long ul_set))
434{
435 struct htype *h = set->data;
436
437 init_timer(&h->gc);
438 h->gc.data = (unsigned long) set;
439 h->gc.function = gc;
ca134ce8 440 h->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ;
1feab10d
JK		 441 add_timer(&h->gc);
442 pr_debug("gc initialized, run in every %u\n",
ca134ce8 443 IPSET_GC_PERIOD(set->timeout));
1feab10d
JK		 444}
445
446static bool
447mtype_same_set(const struct ip_set *a, const struct ip_set *b)
448{
449 const struct htype *x = a->data;
450 const struct htype *y = b->data;
451
452 /* Resizing changes htable_bits, so we ignore it */
453 return x->maxelem == y->maxelem &&
ca134ce8 454 a->timeout == b->timeout &&
1feab10d
JK		 455#ifdef IP_SET_HASH_WITH_NETMASK
456 x->netmask == y->netmask &&
457#endif
458 a->extensions == b->extensions;
459}
460
1feab10d
JK		 461/* Delete expired elements from the hashtable */
462static void
ca134ce8 463mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize)
1feab10d 464{
a0f28dc7 465 struct htable *t;
1feab10d
JK		 466 struct hbucket *n;
467 struct mtype_elem *data;
468 u32 i;
469 int j;
ea53ac5b
OS		 470#ifdef IP_SET_HASH_WITH_NETS
471 u8 k;
472#endif
1feab10d 473
a0f28dc7
JK		 474 rcu_read_lock_bh();
475 t = rcu_dereference_bh(h->table);
1feab10d
JK		 476 for (i = 0; i < jhash_size(t->htable_bits); i++) {
477 n = hbucket(t, i);
478 for (j = 0; j < n->pos; j++) {
479 data = ahash_data(n, j, dsize);
ca134ce8 480 if (ip_set_timeout_expired(ext_timeout(data, set))) {
1feab10d
JK		 481 pr_debug("expired %u/%u\n", i, j);
482#ifdef IP_SET_HASH_WITH_NETS
ea53ac5b
OS		 483 for (k = 0; k < IPSET_NET_COUNT; k++)
484 mtype_del_cidr(h, CIDR(data->cidr, k),
485 nets_length, k);
1feab10d 486#endif
40cd63bf 487 ip_set_ext_destroy(set, data);
1feab10d
JK		 488 if (j != n->pos - 1)
489 /* Not last one */
490 memcpy(data,
491 ahash_data(n, n->pos - 1, dsize),
492 dsize);
493 n->pos--;
494 h->elements--;
495 }
496 }
497 if (n->pos + AHASH_INIT_SIZE < n->size) {
498 void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
499 * dsize,
500 GFP_ATOMIC);
501 if (!tmp)
502 /* Still try to delete expired elements */
503 continue;
504 n->size -= AHASH_INIT_SIZE;
505 memcpy(tmp, n->value, n->size * dsize);
506 kfree(n->value);
507 n->value = tmp;
508 }
509 }
a0f28dc7 510 rcu_read_unlock_bh();
1feab10d
JK		 511}
512
513static void
514mtype_gc(unsigned long ul_set)
515{
516 struct ip_set *set = (struct ip_set *) ul_set;
517 struct htype *h = set->data;
518
519 pr_debug("called\n");
520 write_lock_bh(&set->lock);
ca134ce8 521 mtype_expire(set, h, NLEN(set->family), set->dsize);
1feab10d
JK		 522 write_unlock_bh(&set->lock);
523
ca134ce8 524 h->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ;
1feab10d
JK		 525 add_timer(&h->gc);
526}
527
528/* Resize a hash: create a new hash table with doubling the hashsize
529 * and inserting the elements to it. Repeat until we succeed or
530 * fail due to memory pressures. */
531static int
532mtype_resize(struct ip_set *set, bool retried)
533{
534 struct htype *h = set->data;
a0f28dc7 535 struct htable *t, *orig = rcu_dereference_bh_nfnl(h->table);
1feab10d
JK		 536 u8 htable_bits = orig->htable_bits;
537#ifdef IP_SET_HASH_WITH_NETS
538 u8 flags;
539#endif
540 struct mtype_elem *data;
541 struct mtype_elem *d;
542 struct hbucket *n, *m;
543 u32 i, j;
544 int ret;
545
546 /* Try to cleanup once */
547 if (SET_WITH_TIMEOUT(set) && !retried) {
548 i = h->elements;
549 write_lock_bh(&set->lock);
ca134ce8 550 mtype_expire(set, set->data, NLEN(set->family), set->dsize);
1feab10d
JK		 551 write_unlock_bh(&set->lock);
552 if (h->elements < i)
553 return 0;
554 }
555
556retry:
557 ret = 0;
558 htable_bits++;
559 pr_debug("attempt to resize set %s from %u to %u, t %p\n",
560 set->name, orig->htable_bits, htable_bits, orig);
561 if (!htable_bits) {
562 /* In case we have plenty of memory :-) */
563 pr_warning("Cannot increase the hashsize of set %s further\n",
564 set->name);
565 return -IPSET_ERR_HASH_FULL;
566 }
567 t = ip_set_alloc(sizeof(*t)
568 + jhash_size(htable_bits) * sizeof(struct hbucket));
569 if (!t)
570 return -ENOMEM;
571 t->htable_bits = htable_bits;
572
573 read_lock_bh(&set->lock);
574 for (i = 0; i < jhash_size(orig->htable_bits); i++) {
575 n = hbucket(orig, i);
576 for (j = 0; j < n->pos; j++) {
ca134ce8 577 data = ahash_data(n, j, set->dsize);
1feab10d
JK		 578#ifdef IP_SET_HASH_WITH_NETS
579 flags = 0;
580 mtype_data_reset_flags(data, &flags);
581#endif
582 m = hbucket(t, HKEY(data, h->initval, htable_bits));
ca134ce8 583 ret = hbucket_elem_add(m, AHASH_MAX(h), set->dsize);
1feab10d
JK		 584 if (ret < 0) {
585#ifdef IP_SET_HASH_WITH_NETS
586 mtype_data_reset_flags(data, &flags);
587#endif
588 read_unlock_bh(&set->lock);
80571a9e 589 mtype_ahash_destroy(set, t, false);
1feab10d
JK		 590 if (ret == -EAGAIN)
591 goto retry;
592 return ret;
593 }
ca134ce8
JK		 594 d = ahash_data(m, m->pos++, set->dsize);
595 memcpy(d, data, set->dsize);
1feab10d
JK		 596#ifdef IP_SET_HASH_WITH_NETS
597 mtype_data_reset_flags(d, &flags);
598#endif
599 }
600 }
601
602 rcu_assign_pointer(h->table, t);
603 read_unlock_bh(&set->lock);
604
605 /* Give time to other readers of the set */
606 synchronize_rcu_bh();
607
608 pr_debug("set %s resized from %u (%p) to %u (%p)\n", set->name,
609 orig->htable_bits, orig, t->htable_bits, t);
80571a9e 610 mtype_ahash_destroy(set, orig, false);
1feab10d
JK		 611
612 return 0;
613}
614
615/* Add an element to a hash and update the internal counters when succeeded,
616 * otherwise report the proper error code. */
617static int
618mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
619 struct ip_set_ext *mext, u32 flags)
620{
621 struct htype *h = set->data;
622 struct htable *t;
623 const struct mtype_elem *d = value;
624 struct mtype_elem *data;
625 struct hbucket *n;
626 int i, ret = 0;
627 int j = AHASH_MAX(h) + 1;
628 bool flag_exist = flags & IPSET_FLAG_EXIST;
629 u32 key, multi = 0;
630
631 if (SET_WITH_TIMEOUT(set) && h->elements >= h->maxelem)
632 /* FIXME: when set is full, we slow down here */
ca134ce8 633 mtype_expire(set, h, NLEN(set->family), set->dsize);
1feab10d
JK		 634
635 if (h->elements >= h->maxelem) {
636 if (net_ratelimit())
637 pr_warning("Set %s is full, maxelem %u reached\n",
638 set->name, h->maxelem);
639 return -IPSET_ERR_HASH_FULL;
640 }
641
642 rcu_read_lock_bh();
643 t = rcu_dereference_bh(h->table);
644 key = HKEY(value, h->initval, t->htable_bits);
645 n = hbucket(t, key);
646 for (i = 0; i < n->pos; i++) {
ca134ce8 647 data = ahash_data(n, i, set->dsize);
1feab10d
JK		 648 if (mtype_data_equal(data, d, &multi)) {
649 if (flag_exist ||
650 (SET_WITH_TIMEOUT(set) &&
ca134ce8 651 ip_set_timeout_expired(ext_timeout(data, set)))) {
1feab10d
JK		 652 /* Just the extensions could be overwritten */
653 j = i;
654 goto reuse_slot;
655 } else {
656 ret = -IPSET_ERR_EXIST;
657 goto out;
658 }
659 }
660 /* Reuse first timed out entry */
661 if (SET_WITH_TIMEOUT(set) &&
ca134ce8 662 ip_set_timeout_expired(ext_timeout(data, set)) &&
1feab10d
JK		 663 j != AHASH_MAX(h) + 1)
664 j = i;
665 }
666reuse_slot:
667 if (j != AHASH_MAX(h) + 1) {
668 /* Fill out reused slot */
ca134ce8 669 data = ahash_data(n, j, set->dsize);
1feab10d 670#ifdef IP_SET_HASH_WITH_NETS
ea53ac5b
OS		 671 for (i = 0; i < IPSET_NET_COUNT; i++) {
672 mtype_del_cidr(h, CIDR(data->cidr, i),
673 NLEN(set->family), i);
674 mtype_add_cidr(h, CIDR(d->cidr, i),
675 NLEN(set->family), i);
676 }
1feab10d 677#endif
40cd63bf 678 ip_set_ext_destroy(set, data);
1feab10d
JK		 679 } else {
680 /* Use/create a new slot */
681 TUNE_AHASH_MAX(h, multi);
ca134ce8 682 ret = hbucket_elem_add(n, AHASH_MAX(h), set->dsize);
1feab10d
JK		 683 if (ret != 0) {
684 if (ret == -EAGAIN)
685 mtype_data_next(&h->next, d);
686 goto out;
687 }
ca134ce8 688 data = ahash_data(n, n->pos++, set->dsize);
1feab10d 689#ifdef IP_SET_HASH_WITH_NETS
ea53ac5b
OS		 690 for (i = 0; i < IPSET_NET_COUNT; i++)
691 mtype_add_cidr(h, CIDR(d->cidr, i), NLEN(set->family),
692 i);
1feab10d
JK		 693#endif
694 h->elements++;
695 }
696 memcpy(data, d, sizeof(struct mtype_elem));
697#ifdef IP_SET_HASH_WITH_NETS
698 mtype_data_set_flags(data, flags);
699#endif
700 if (SET_WITH_TIMEOUT(set))
ca134ce8 701 ip_set_timeout_set(ext_timeout(data, set), ext->timeout);
00d71b27 702 if (SET_WITH_COUNTER(set))
ca134ce8 703 ip_set_init_counter(ext_counter(data, set), ext);
fda75c6d
OS		 704 if (SET_WITH_COMMENT(set))
705 ip_set_init_comment(ext_comment(data, set), ext);
1feab10d
JK		 706
707out:
708 rcu_read_unlock_bh();
709 return ret;
710}
711
712/* Delete an element from the hash: swap it with the last element
713 * and free up space if possible.
714 */
715static int
716mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
717 struct ip_set_ext *mext, u32 flags)
718{
719 struct htype *h = set->data;
a0f28dc7 720 struct htable *t;
1feab10d
JK		 721 const struct mtype_elem *d = value;
722 struct mtype_elem *data;
723 struct hbucket *n;
a0f28dc7 724 int i, ret = -IPSET_ERR_EXIST;
ea53ac5b
OS		 725#ifdef IP_SET_HASH_WITH_NETS
726 u8 j;
727#endif
1feab10d
JK		 728 u32 key, multi = 0;
729
a0f28dc7
JK		 730 rcu_read_lock_bh();
731 t = rcu_dereference_bh(h->table);
1feab10d
JK		 732 key = HKEY(value, h->initval, t->htable_bits);
733 n = hbucket(t, key);
734 for (i = 0; i < n->pos; i++) {
ca134ce8 735 data = ahash_data(n, i, set->dsize);
1feab10d
JK		 736 if (!mtype_data_equal(data, d, &multi))
737 continue;
738 if (SET_WITH_TIMEOUT(set) &&
ca134ce8 739 ip_set_timeout_expired(ext_timeout(data, set)))
a0f28dc7 740 goto out;
1feab10d
JK		 741 if (i != n->pos - 1)
742 /* Not last one */
ca134ce8
JK		 743 memcpy(data, ahash_data(n, n->pos - 1, set->dsize),
744 set->dsize);
1feab10d
JK		 745
746 n->pos--;
747 h->elements--;
748#ifdef IP_SET_HASH_WITH_NETS
ea53ac5b
OS		 749 for (j = 0; j < IPSET_NET_COUNT; j++)
750 mtype_del_cidr(h, CIDR(d->cidr, j), NLEN(set->family),
751 j);
1feab10d 752#endif
40cd63bf 753 ip_set_ext_destroy(set, data);
1feab10d
JK		 754 if (n->pos + AHASH_INIT_SIZE < n->size) {
755 void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
ca134ce8 756 * set->dsize,
1feab10d 757 GFP_ATOMIC);
a0f28dc7
JK		 758 if (!tmp) {
759 ret = 0;
760 goto out;
761 }
1feab10d 762 n->size -= AHASH_INIT_SIZE;
ca134ce8 763 memcpy(tmp, n->value, n->size * set->dsize);
1feab10d
JK		 764 kfree(n->value);
765 n->value = tmp;
766 }
a0f28dc7
JK		 767 ret = 0;
768 goto out;
1feab10d
JK		 769 }
770
a0f28dc7
JK		 771out:
772 rcu_read_unlock_bh();
773 return ret;
1feab10d
JK		 774}
775
776static inline int
777mtype_data_match(struct mtype_elem *data, const struct ip_set_ext *ext,
778 struct ip_set_ext *mext, struct ip_set *set, u32 flags)
779{
00d71b27 780 if (SET_WITH_COUNTER(set))
ca134ce8 781 ip_set_update_counter(ext_counter(data, set),
00d71b27 782 ext, mext, flags);
1feab10d
JK		 783 return mtype_do_data_match(data);
784}
785
786#ifdef IP_SET_HASH_WITH_NETS
787/* Special test function which takes into account the different network
788 * sizes added to the set */
789static int
790mtype_test_cidrs(struct ip_set *set, struct mtype_elem *d,
791 const struct ip_set_ext *ext,
792 struct ip_set_ext *mext, u32 flags)
793{
794 struct htype *h = set->data;
a0f28dc7 795 struct htable *t = rcu_dereference_bh(h->table);
1feab10d
JK		 796 struct hbucket *n;
797 struct mtype_elem *data;
ea53ac5b
OS		 798#if IPSET_NET_COUNT == 2
799 struct mtype_elem orig = *d;
800 int i, j = 0, k;
801#else
1feab10d 802 int i, j = 0;
ea53ac5b 803#endif
1feab10d 804 u32 key, multi = 0;
a04d8b6b 805 u8 nets_length = NLEN(set->family);
1feab10d
JK		 806
807 pr_debug("test by nets\n");
a04d8b6b 808 for (; j < nets_length && h->nets[j].nets[0] && !multi; j++) {
ea53ac5b
OS		 809#if IPSET_NET_COUNT == 2
810 mtype_data_reset_elem(d, &orig);
811 mtype_data_netmask(d, h->nets[j].cidr[0], false);
812 for (k = 0; k < nets_length && h->nets[k].nets[1] && !multi;
813 k++) {
814 mtype_data_netmask(d, h->nets[k].cidr[1], true);
815#else
a04d8b6b 816 mtype_data_netmask(d, h->nets[j].cidr[0]);
ea53ac5b 817#endif
1feab10d
JK		 818 key = HKEY(d, h->initval, t->htable_bits);
819 n = hbucket(t, key);
820 for (i = 0; i < n->pos; i++) {
ca134ce8 821 data = ahash_data(n, i, set->dsize);
1feab10d
JK		 822 if (!mtype_data_equal(data, d, &multi))
823 continue;
824 if (SET_WITH_TIMEOUT(set)) {
825 if (!ip_set_timeout_expired(
ca134ce8 826 ext_timeout(data, set)))
1feab10d
JK		 827 return mtype_data_match(data, ext,
828 mext, set,
829 flags);
830#ifdef IP_SET_HASH_WITH_MULTI
831 multi = 0;
832#endif
833 } else
834 return mtype_data_match(data, ext,
835 mext, set, flags);
836 }
ea53ac5b
OS		 837#if IPSET_NET_COUNT == 2
838 }
839#endif
1feab10d
JK		 840 }
841 return 0;
842}
843#endif
844
845/* Test whether the element is added to the set */
846static int
847mtype_test(struct ip_set *set, void *value, const struct ip_set_ext *ext,
848 struct ip_set_ext *mext, u32 flags)
849{
850 struct htype *h = set->data;
a0f28dc7 851 struct htable *t;
1feab10d
JK		 852 struct mtype_elem *d = value;
853 struct hbucket *n;
854 struct mtype_elem *data;
a0f28dc7 855 int i, ret = 0;
1feab10d
JK		 856 u32 key, multi = 0;
857
a0f28dc7
JK		 858 rcu_read_lock_bh();
859 t = rcu_dereference_bh(h->table);
1feab10d
JK		 860#ifdef IP_SET_HASH_WITH_NETS
861 /* If we test an IP address and not a network address,
862 * try all possible network sizes */
ea53ac5b
OS		 863 for (i = 0; i < IPSET_NET_COUNT; i++)
864 if (CIDR(d->cidr, i) != SET_HOST_MASK(set->family))
865 break;
866 if (i == IPSET_NET_COUNT) {
a0f28dc7
JK		 867 ret = mtype_test_cidrs(set, d, ext, mext, flags);
868 goto out;
869 }
1feab10d
JK		 870#endif
871
872 key = HKEY(d, h->initval, t->htable_bits);
873 n = hbucket(t, key);
874 for (i = 0; i < n->pos; i++) {
ca134ce8 875 data = ahash_data(n, i, set->dsize);
1feab10d
JK		 876 if (mtype_data_equal(data, d, &multi) &&
877 !(SET_WITH_TIMEOUT(set) &&
ca134ce8 878 ip_set_timeout_expired(ext_timeout(data, set)))) {
a0f28dc7
JK		 879 ret = mtype_data_match(data, ext, mext, set, flags);
880 goto out;
881 }
1feab10d 882 }
a0f28dc7
JK		 883out:
884 rcu_read_unlock_bh();
885 return ret;
1feab10d
JK		 886}
887
888/* Reply a HEADER request: fill out the header part of the set */
889static int
890mtype_head(struct ip_set *set, struct sk_buff *skb)
891{
892 const struct htype *h = set->data;
a0f28dc7 893 const struct htable *t;
1feab10d
JK		 894 struct nlattr *nested;
895 size_t memsize;
896
a0f28dc7 897 t = rcu_dereference_bh_nfnl(h->table);
ca134ce8 898 memsize = mtype_ahash_memsize(h, t, NLEN(set->family), set->dsize);
1feab10d
JK		 899
900 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
901 if (!nested)
902 goto nla_put_failure;
903 if (nla_put_net32(skb, IPSET_ATTR_HASHSIZE,
a0f28dc7 904 htonl(jhash_size(t->htable_bits))) ||
1feab10d
JK		 905 nla_put_net32(skb, IPSET_ATTR_MAXELEM, htonl(h->maxelem)))
906 goto nla_put_failure;
907#ifdef IP_SET_HASH_WITH_NETMASK
908 if (h->netmask != HOST_MASK &&
909 nla_put_u8(skb, IPSET_ATTR_NETMASK, h->netmask))
910 goto nla_put_failure;
911#endif
912 if (nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
fda75c6d
OS		 913 nla_put_net32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize)))
914 goto nla_put_failure;
915 if (unlikely(ip_set_put_flags(skb, set)))
1feab10d
JK		 916 goto nla_put_failure;
917 ipset_nest_end(skb, nested);
918
919 return 0;
920nla_put_failure:
921 return -EMSGSIZE;
922}
923
924/* Reply a LIST/SAVE request: dump the elements of the specified set */
925static int
926mtype_list(const struct ip_set *set,
927 struct sk_buff *skb, struct netlink_callback *cb)
928{
929 const struct htype *h = set->data;
a0f28dc7 930 const struct htable *t = rcu_dereference_bh_nfnl(h->table);
1feab10d
JK		 931 struct nlattr *atd, *nested;
932 const struct hbucket *n;
933 const struct mtype_elem *e;
93302880 934 u32 first = cb->args[IPSET_CB_ARG0];
1feab10d
JK		 935 /* We assume that one hash bucket fills into one page */
936 void *incomplete;
937 int i;
938
939 atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
940 if (!atd)
941 return -EMSGSIZE;
942 pr_debug("list hash set %s\n", set->name);
93302880
JK		 943 for (; cb->args[IPSET_CB_ARG0] < jhash_size(t->htable_bits);
944 cb->args[IPSET_CB_ARG0]++) {
1feab10d 945 incomplete = skb_tail_pointer(skb);
93302880
JK		 946 n = hbucket(t, cb->args[IPSET_CB_ARG0]);
947 pr_debug("cb->arg bucket: %lu, t %p n %p\n",
948 cb->args[IPSET_CB_ARG0], t, n);
1feab10d 949 for (i = 0; i < n->pos; i++) {
ca134ce8 950 e = ahash_data(n, i, set->dsize);
1feab10d 951 if (SET_WITH_TIMEOUT(set) &&
ca134ce8 952 ip_set_timeout_expired(ext_timeout(e, set)))
1feab10d
JK		 953 continue;
954 pr_debug("list hash %lu hbucket %p i %u, data %p\n",
93302880 955 cb->args[IPSET_CB_ARG0], n, i, e);
1feab10d
JK		 956 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
957 if (!nested) {
93302880 958 if (cb->args[IPSET_CB_ARG0] == first) {
1feab10d
JK		 959 nla_nest_cancel(skb, atd);
960 return -EMSGSIZE;
961 } else
962 goto nla_put_failure;
963 }
964 if (mtype_data_list(skb, e))
965 goto nla_put_failure;
3fd986b3 966 if (ip_set_put_extensions(skb, set, e, true))
fda75c6d 967 goto nla_put_failure;
1feab10d
JK		 968 ipset_nest_end(skb, nested);
969 }
970 }
971 ipset_nest_end(skb, atd);
972 /* Set listing finished */
93302880 973 cb->args[IPSET_CB_ARG0] = 0;
1feab10d
JK		 974
975 return 0;
976
977nla_put_failure:
978 nlmsg_trim(skb, incomplete);
93302880 979 if (unlikely(first == cb->args[IPSET_CB_ARG0])) {
1feab10d
JK		 980 pr_warning("Can't list set %s: one bucket does not fit into "
981 "a message. Please report it!\n", set->name);
93302880 982 cb->args[IPSET_CB_ARG0] = 0;
1feab10d
JK		 983 return -EMSGSIZE;
984 }
122ebbf2 985 ipset_nest_end(skb, atd);
1feab10d
JK		 986 return 0;
987}
988
989static int
35b8dcf8
JK		 990IPSET_TOKEN(MTYPE, _kadt)(struct ip_set *set, const struct sk_buff *skb,
991 const struct xt_action_param *par,
992 enum ipset_adt adt, struct ip_set_adt_opt *opt);
1feab10d
JK		 993
994static int
35b8dcf8
JK		 995IPSET_TOKEN(MTYPE, _uadt)(struct ip_set *set, struct nlattr *tb[],
996 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried);
1feab10d
JK		 997
998static const struct ip_set_type_variant mtype_variant = {
999 .kadt = mtype_kadt,
1000 .uadt = mtype_uadt,
1001 .adt = {
1002 [IPSET_ADD] = mtype_add,
1003 [IPSET_DEL] = mtype_del,
1004 [IPSET_TEST] = mtype_test,
1005 },
1006 .destroy = mtype_destroy,
1007 .flush = mtype_flush,
1008 .head = mtype_head,
1009 .list = mtype_list,
1010 .resize = mtype_resize,
1011 .same_set = mtype_same_set,
1012};
1013
1014#ifdef IP_SET_EMIT_CREATE
1015static int
1785e8f4
VL		 1016IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
1017 struct nlattr *tb[], u32 flags)
1feab10d
JK		 1018{
1019 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
1020 u8 hbits;
1021#ifdef IP_SET_HASH_WITH_NETMASK
1022 u8 netmask;
1023#endif
1024 size_t hsize;
1025 struct HTYPE *h;
a0f28dc7 1026 struct htable *t;
1feab10d
JK		 1027
1028 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
1029 return -IPSET_ERR_INVALID_FAMILY;
1030#ifdef IP_SET_HASH_WITH_NETMASK
1031 netmask = set->family == NFPROTO_IPV4 ? 32 : 128;
1032 pr_debug("Create set %s with family %s\n",
1033 set->name, set->family == NFPROTO_IPV4 ? "inet" : "inet6");
1034#endif
1035
1036 if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
1037 !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
1038 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
1039 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
1040 return -IPSET_ERR_PROTOCOL;
1041
1042 if (tb[IPSET_ATTR_HASHSIZE]) {
1043 hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
1044 if (hashsize < IPSET_MIMINAL_HASHSIZE)
1045 hashsize = IPSET_MIMINAL_HASHSIZE;
1046 }
1047
1048 if (tb[IPSET_ATTR_MAXELEM])
1049 maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
1050
1051#ifdef IP_SET_HASH_WITH_NETMASK
1052 if (tb[IPSET_ATTR_NETMASK]) {
1053 netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
1054
1055 if ((set->family == NFPROTO_IPV4 && netmask > 32) ||
1056 (set->family == NFPROTO_IPV6 && netmask > 128) ||
1057 netmask == 0)
1058 return -IPSET_ERR_INVALID_NETMASK;
1059 }
1060#endif
1061
1062 hsize = sizeof(*h);
1063#ifdef IP_SET_HASH_WITH_NETS
1064 hsize += sizeof(struct net_prefixes) *
1065 (set->family == NFPROTO_IPV4 ? 32 : 128);
1066#endif
1067 h = kzalloc(hsize, GFP_KERNEL);
1068 if (!h)
1069 return -ENOMEM;
1070
1071 h->maxelem = maxelem;
1072#ifdef IP_SET_HASH_WITH_NETMASK
1073 h->netmask = netmask;
1074#endif
1075 get_random_bytes(&h->initval, sizeof(h->initval));
ca134ce8 1076 set->timeout = IPSET_NO_TIMEOUT;
1feab10d
JK		 1077
1078 hbits = htable_bits(hashsize);
1079 hsize = htable_size(hbits);
1080 if (hsize == 0) {
1081 kfree(h);
1082 return -ENOMEM;
1083 }
a0f28dc7
JK		 1084 t = ip_set_alloc(hsize);
1085 if (!t) {
1feab10d
JK		 1086 kfree(h);
1087 return -ENOMEM;
1088 }
a0f28dc7
JK		 1089 t->htable_bits = hbits;
1090 rcu_assign_pointer(h->table, t);
1feab10d
JK		 1091
1092 set->data = h;
40cd63bf 1093 if (set->family == NFPROTO_IPV4) {
35b8dcf8 1094 set->variant = &IPSET_TOKEN(HTYPE, 4_variant);
03c8b234
JK		 1095 set->dsize = ip_set_elem_len(set, tb,
1096 sizeof(struct IPSET_TOKEN(HTYPE, 4_elem)));
1097 } else {
35b8dcf8 1098 set->variant = &IPSET_TOKEN(HTYPE, 6_variant);
03c8b234
JK		 1099 set->dsize = ip_set_elem_len(set, tb,
1100 sizeof(struct IPSET_TOKEN(HTYPE, 6_elem)));
1101 }
1102 if (tb[IPSET_ATTR_TIMEOUT]) {
ca134ce8 1103 set->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
03c8b234 1104 if (set->family == NFPROTO_IPV4)
35b8dcf8
JK		 1105 IPSET_TOKEN(HTYPE, 4_gc_init)(set,
1106 IPSET_TOKEN(HTYPE, 4_gc));
03c8b234 1107 else
35b8dcf8
JK		 1108 IPSET_TOKEN(HTYPE, 6_gc_init)(set,
1109 IPSET_TOKEN(HTYPE, 6_gc));
1feab10d
JK		 1110 }
1111
1112 pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
a0f28dc7
JK		 1113 set->name, jhash_size(t->htable_bits),
1114 t->htable_bits, h->maxelem, set->data, t);
1feab10d
JK		 1115
1116 return 0;
1117}
1118#endif /* IP_SET_EMIT_CREATE */
ubuntu-zesty-kernel mirror