]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - net/netfilter/ipset/ip_set_hash_ipportnet.c
projects / mirror_ubuntu-hirsute-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: ipset: fix return code for destroy when sets are in use
[mirror_ubuntu-hirsute-kernel.git] / net / netfilter / ipset / ip_set_hash_ipportnet.c
CommitLineData
41d22f7b
JK		 1/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License version 2 as
5 * published by the Free Software Foundation.
6 */
7
8/* Kernel module implementing an IP set type: the hash:ip,port,net type */
9
10#include <linux/jhash.h>
11#include <linux/module.h>
12#include <linux/ip.h>
13#include <linux/skbuff.h>
14#include <linux/errno.h>
41d22f7b
JK		 15#include <linux/random.h>
16#include <net/ip.h>
17#include <net/ipv6.h>
18#include <net/netlink.h>
19#include <net/tcp.h>
20
21#include <linux/netfilter.h>
22#include <linux/netfilter/ipset/pfxlen.h>
23#include <linux/netfilter/ipset/ip_set.h>
24#include <linux/netfilter/ipset/ip_set_timeout.h>
25#include <linux/netfilter/ipset/ip_set_getport.h>
26#include <linux/netfilter/ipset/ip_set_hash.h>
27
28MODULE_LICENSE("GPL");
29MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
30MODULE_DESCRIPTION("hash:ip,port,net type of IP sets");
31MODULE_ALIAS("ip_set_hash:ip,port,net");
32
33/* Type specific function prefix */
34#define TYPE hash_ipportnet
35
36static bool
37hash_ipportnet_same_set(const struct ip_set *a, const struct ip_set *b);
38
39#define hash_ipportnet4_same_set hash_ipportnet_same_set
40#define hash_ipportnet6_same_set hash_ipportnet_same_set
41
42/* The type variant functions: IPv4 */
43
44/* Member elements without timeout */
45struct hash_ipportnet4_elem {
46 __be32 ip;
47 __be32 ip2;
48 __be16 port;
49 u8 cidr;
50 u8 proto;
51};
52
53/* Member elements with timeout support */
54struct hash_ipportnet4_telem {
55 __be32 ip;
56 __be32 ip2;
57 __be16 port;
58 u8 cidr;
59 u8 proto;
60 unsigned long timeout;
61};
62
63static inline bool
64hash_ipportnet4_data_equal(const struct hash_ipportnet4_elem *ip1,
65 const struct hash_ipportnet4_elem *ip2)
66{
67 return ip1->ip == ip2->ip &&
68 ip1->ip2 == ip2->ip2 &&
69 ip1->cidr == ip2->cidr &&
70 ip1->port == ip2->port &&
71 ip1->proto == ip2->proto;
72}
73
74static inline bool
75hash_ipportnet4_data_isnull(const struct hash_ipportnet4_elem *elem)
76{
77 return elem->proto == 0;
78}
79
80static inline void
81hash_ipportnet4_data_copy(struct hash_ipportnet4_elem *dst,
82 const struct hash_ipportnet4_elem *src)
83{
84 memcpy(dst, src, sizeof(*dst));
85}
86
87static inline void
88hash_ipportnet4_data_netmask(struct hash_ipportnet4_elem *elem, u8 cidr)
89{
90 elem->ip2 &= ip_set_netmask(cidr);
91 elem->cidr = cidr;
92}
93
94static inline void
95hash_ipportnet4_data_zero_out(struct hash_ipportnet4_elem *elem)
96{
97 elem->proto = 0;
98}
99
100static bool
101hash_ipportnet4_data_list(struct sk_buff *skb,
102 const struct hash_ipportnet4_elem *data)
103{
104 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
105 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, data->ip2);
106 NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
107 NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr);
108 NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
109 return 0;
110
111nla_put_failure:
112 return 1;
113}
114
115static bool
116hash_ipportnet4_data_tlist(struct sk_buff *skb,
117 const struct hash_ipportnet4_elem *data)
118{
119 const struct hash_ipportnet4_telem *tdata =
120 (const struct hash_ipportnet4_telem *)data;
121
122 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
123 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, tdata->ip2);
124 NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
125 NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr);
126 NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
127 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
128 htonl(ip_set_timeout_get(tdata->timeout)));
129
130 return 0;
131
132nla_put_failure:
133 return 1;
134}
135
136#define IP_SET_HASH_WITH_PROTO
137#define IP_SET_HASH_WITH_NETS
138
139#define PF 4
140#define HOST_MASK 32
141#include <linux/netfilter/ipset/ip_set_ahash.h>
142
3d14b171
JK		 143static inline void
144hash_ipportnet4_data_next(struct ip_set_hash *h,
145 const struct hash_ipportnet4_elem *d)
146{
147 h->next.ip = ntohl(d->ip);
148 h->next.port = ntohs(d->port);
d0d9e0a5 149 h->next.ip2 = ntohl(d->ip2);
3d14b171
JK		 150}
151
41d22f7b
JK		 152static int
153hash_ipportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
b66554cf 154 const struct xt_action_param *par,
ac8cc925 155 enum ipset_adt adt, const struct ip_set_adt_opt *opt)
41d22f7b
JK		 156{
157 const struct ip_set_hash *h = set->data;
158 ipset_adtfn adtfn = set->variant->adt[adt];
159 struct hash_ipportnet4_elem data =
160 { .cidr = h->nets[0].cidr || HOST_MASK };
161
162 if (data.cidr == 0)
163 return -EINVAL;
164 if (adt == IPSET_TEST)
165 data.cidr = HOST_MASK;
166
ac8cc925 167 if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
41d22f7b
JK		 168 &data.port, &data.proto))
169 return -EINVAL;
170
ac8cc925
JK		 171 ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
172 ip4addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &data.ip2);
41d22f7b
JK		 173 data.ip2 &= ip_set_netmask(data.cidr);
174
ac8cc925 175 return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
41d22f7b
JK		 176}
177
178static int
179hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
3d14b171 180 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
41d22f7b
JK		 181{
182 const struct ip_set_hash *h = set->data;
183 ipset_adtfn adtfn = set->variant->adt[adt];
184 struct hash_ipportnet4_elem data = { .cidr = HOST_MASK };
3d14b171 185 u32 ip, ip_to, p = 0, port, port_to;
d0d9e0a5 186 u32 ip2_from = 0, ip2_to, ip2_last, ip2;
41d22f7b 187 u32 timeout = h->timeout;
5e0c1eb7 188 bool with_ports = false;
41d22f7b
JK		 189 int ret;
190
191 if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
192 !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
193 !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
194 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
195 return -IPSET_ERR_PROTOCOL;
196
197 if (tb[IPSET_ATTR_LINENO])
198 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
199
d0d9e0a5 200 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
41d22f7b
JK		 201 if (ret)
202 return ret;
203
d0d9e0a5 204 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2], &ip2_from);
41d22f7b
JK		 205 if (ret)
206 return ret;
207
d0d9e0a5 208 if (tb[IPSET_ATTR_CIDR2]) {
41d22f7b 209 data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
d0d9e0a5
JK		 210 if (!data.cidr)
211 return -IPSET_ERR_INVALID_CIDR;
212 }
41d22f7b
JK		 213
214 if (tb[IPSET_ATTR_PORT])
215 data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
216 else
217 return -IPSET_ERR_PROTOCOL;
218
219 if (tb[IPSET_ATTR_PROTO]) {
220 data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
5e0c1eb7 221 with_ports = ip_set_proto_with_ports(data.proto);
41d22f7b
JK		 222
223 if (data.proto == 0)
224 return -IPSET_ERR_INVALID_PROTO;
225 } else
226 return -IPSET_ERR_MISSING_PROTO;
227
5e0c1eb7 228 if (!(with_ports || data.proto == IPPROTO_ICMP))
41d22f7b 229 data.port = 0;
41d22f7b
JK		 230
231 if (tb[IPSET_ATTR_TIMEOUT]) {
232 if (!with_timeout(h->timeout))
233 return -IPSET_ERR_TIMEOUT;
234 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
235 }
236
d0d9e0a5 237 with_ports = with_ports && tb[IPSET_ATTR_PORT_TO];
41d22f7b 238 if (adt == IPSET_TEST ||
d0d9e0a5
JK		 239 !(tb[IPSET_ATTR_CIDR] || tb[IPSET_ATTR_IP_TO] || with_ports ||
240 tb[IPSET_ATTR_IP2_TO])) {
241 data.ip = htonl(ip);
242 data.ip2 = htonl(ip2_from & ip_set_hostmask(data.cidr));
5416219e 243 ret = adtfn(set, &data, timeout, flags);
41d22f7b
JK		 244 return ip_set_eexist(ret, flags) ? 0 : ret;
245 }
246
41d22f7b
JK		 247 if (tb[IPSET_ATTR_IP_TO]) {
248 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
249 if (ret)
250 return ret;
251 if (ip > ip_to)
252 swap(ip, ip_to);
253 } else if (tb[IPSET_ATTR_CIDR]) {
254 u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
255
256 if (cidr > 32)
257 return -IPSET_ERR_INVALID_CIDR;
e6146e86 258 ip_set_mask_from_to(ip, ip_to, cidr);
d0d9e0a5 259 }
41d22f7b 260
5e0c1eb7 261 port_to = port = ntohs(data.port);
d0d9e0a5 262 if (tb[IPSET_ATTR_PORT_TO]) {
41d22f7b
JK		 263 port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
264 if (port > port_to)
265 swap(port, port_to);
5e0c1eb7 266 }
d0d9e0a5
JK		 267 if (tb[IPSET_ATTR_IP2_TO]) {
268 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2_TO], &ip2_to);
269 if (ret)
270 return ret;
271 if (ip2_from > ip2_to)
272 swap(ip2_from, ip2_to);
273 if (ip2_from + UINT_MAX == ip2_to)
274 return -IPSET_ERR_HASH_RANGE;
275 } else {
e6146e86 276 ip_set_mask_from_to(ip2_from, ip2_to, data.cidr);
d0d9e0a5 277 }
41d22f7b 278
3d14b171
JK		 279 if (retried)
280 ip = h->next.ip;
281 for (; !before(ip_to, ip); ip++) {
d0d9e0a5 282 data.ip = htonl(ip);
3d14b171
JK		 283 p = retried && ip == h->next.ip ? h->next.port : port;
284 for (; p <= port_to; p++) {
41d22f7b 285 data.port = htons(p);
d0d9e0a5
JK		 286 ip2 = retried && ip == h->next.ip && p == h->next.port
287 ? h->next.ip2 : ip2_from;
288 while (!after(ip2, ip2_to)) {
289 data.ip2 = htonl(ip2);
290 ip2_last = ip_set_range_to_cidr(ip2, ip2_to,
291 &data.cidr);
292 ret = adtfn(set, &data, timeout, flags);
293
294 if (ret && !ip_set_eexist(ret, flags))
295 return ret;
296 else
297 ret = 0;
298 ip2 = ip2_last + 1;
299 }
41d22f7b 300 }
3d14b171 301 }
41d22f7b
JK		 302 return ret;
303}
304
305static bool
306hash_ipportnet_same_set(const struct ip_set *a, const struct ip_set *b)
307{
308 const struct ip_set_hash *x = a->data;
309 const struct ip_set_hash *y = b->data;
310
311 /* Resizing changes htable_bits, so we ignore it */
312 return x->maxelem == y->maxelem &&
313 x->timeout == y->timeout;
314}
315
316/* The type variant functions: IPv6 */
317
318struct hash_ipportnet6_elem {
319 union nf_inet_addr ip;
320 union nf_inet_addr ip2;
321 __be16 port;
322 u8 cidr;
323 u8 proto;
324};
325
326struct hash_ipportnet6_telem {
327 union nf_inet_addr ip;
328 union nf_inet_addr ip2;
329 __be16 port;
330 u8 cidr;
331 u8 proto;
332 unsigned long timeout;
333};
334
335static inline bool
336hash_ipportnet6_data_equal(const struct hash_ipportnet6_elem *ip1,
337 const struct hash_ipportnet6_elem *ip2)
338{
339 return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
340 ipv6_addr_cmp(&ip1->ip2.in6, &ip2->ip2.in6) == 0 &&
341 ip1->cidr == ip2->cidr &&
342 ip1->port == ip2->port &&
343 ip1->proto == ip2->proto;
344}
345
346static inline bool
347hash_ipportnet6_data_isnull(const struct hash_ipportnet6_elem *elem)
348{
349 return elem->proto == 0;
350}
351
352static inline void
353hash_ipportnet6_data_copy(struct hash_ipportnet6_elem *dst,
354 const struct hash_ipportnet6_elem *src)
355{
356 memcpy(dst, src, sizeof(*dst));
357}
358
359static inline void
360hash_ipportnet6_data_zero_out(struct hash_ipportnet6_elem *elem)
361{
362 elem->proto = 0;
363}
364
365static inline void
366ip6_netmask(union nf_inet_addr *ip, u8 prefix)
367{
368 ip->ip6[0] &= ip_set_netmask6(prefix)[0];
369 ip->ip6[1] &= ip_set_netmask6(prefix)[1];
370 ip->ip6[2] &= ip_set_netmask6(prefix)[2];
371 ip->ip6[3] &= ip_set_netmask6(prefix)[3];
372}
373
374static inline void
375hash_ipportnet6_data_netmask(struct hash_ipportnet6_elem *elem, u8 cidr)
376{
377 ip6_netmask(&elem->ip2, cidr);
378 elem->cidr = cidr;
379}
380
381static bool
382hash_ipportnet6_data_list(struct sk_buff *skb,
383 const struct hash_ipportnet6_elem *data)
384{
385 NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
386 NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
387 NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
388 NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr);
389 NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
390 return 0;
391
392nla_put_failure:
393 return 1;
394}
395
396static bool
397hash_ipportnet6_data_tlist(struct sk_buff *skb,
398 const struct hash_ipportnet6_elem *data)
399{
400 const struct hash_ipportnet6_telem *e =
401 (const struct hash_ipportnet6_telem *)data;
402
403 NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
404 NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
405 NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
406 NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr);
407 NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
408 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
409 htonl(ip_set_timeout_get(e->timeout)));
410 return 0;
411
412nla_put_failure:
413 return 1;
414}
415
416#undef PF
417#undef HOST_MASK
418
419#define PF 6
420#define HOST_MASK 128
421#include <linux/netfilter/ipset/ip_set_ahash.h>
422
3d14b171
JK		 423static inline void
424hash_ipportnet6_data_next(struct ip_set_hash *h,
425 const struct hash_ipportnet6_elem *d)
426{
427 h->next.port = ntohs(d->port);
428}
429
41d22f7b
JK		 430static int
431hash_ipportnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
b66554cf 432 const struct xt_action_param *par,
ac8cc925 433 enum ipset_adt adt, const struct ip_set_adt_opt *opt)
41d22f7b
JK		 434{
435 const struct ip_set_hash *h = set->data;
436 ipset_adtfn adtfn = set->variant->adt[adt];
437 struct hash_ipportnet6_elem data =
438 { .cidr = h->nets[0].cidr || HOST_MASK };
439
440 if (data.cidr == 0)
441 return -EINVAL;
442 if (adt == IPSET_TEST)
443 data.cidr = HOST_MASK;
444
ac8cc925 445 if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
41d22f7b
JK		 446 &data.port, &data.proto))
447 return -EINVAL;
448
ac8cc925
JK		 449 ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
450 ip6addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &data.ip2.in6);
41d22f7b
JK		 451 ip6_netmask(&data.ip2, data.cidr);
452
ac8cc925 453 return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
41d22f7b
JK		 454}
455
456static int
457hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
3d14b171 458 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
41d22f7b
JK		 459{
460 const struct ip_set_hash *h = set->data;
461 ipset_adtfn adtfn = set->variant->adt[adt];
462 struct hash_ipportnet6_elem data = { .cidr = HOST_MASK };
463 u32 port, port_to;
464 u32 timeout = h->timeout;
5e0c1eb7 465 bool with_ports = false;
41d22f7b
JK		 466 int ret;
467
468 if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
469 !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
470 !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
471 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
472 tb[IPSET_ATTR_IP_TO] ||
473 tb[IPSET_ATTR_CIDR]))
474 return -IPSET_ERR_PROTOCOL;
d0d9e0a5
JK		 475 if (unlikely(tb[IPSET_ATTR_IP_TO]))
476 return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
41d22f7b
JK		 477
478 if (tb[IPSET_ATTR_LINENO])
479 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
480
481 ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
482 if (ret)
483 return ret;
484
485 ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &data.ip2);
486 if (ret)
487 return ret;
488
489 if (tb[IPSET_ATTR_CIDR2])
490 data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
491
492 if (!data.cidr)
493 return -IPSET_ERR_INVALID_CIDR;
494
495 ip6_netmask(&data.ip2, data.cidr);
496
497 if (tb[IPSET_ATTR_PORT])
498 data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
499 else
500 return -IPSET_ERR_PROTOCOL;
501
502 if (tb[IPSET_ATTR_PROTO]) {
503 data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
5e0c1eb7 504 with_ports = ip_set_proto_with_ports(data.proto);
41d22f7b
JK		 505
506 if (data.proto == 0)
507 return -IPSET_ERR_INVALID_PROTO;
508 } else
509 return -IPSET_ERR_MISSING_PROTO;
510
5e0c1eb7 511 if (!(with_ports || data.proto == IPPROTO_ICMPV6))
41d22f7b 512 data.port = 0;
41d22f7b
JK		 513
514 if (tb[IPSET_ATTR_TIMEOUT]) {
515 if (!with_timeout(h->timeout))
516 return -IPSET_ERR_TIMEOUT;
517 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
518 }
519
5e0c1eb7 520 if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
5416219e 521 ret = adtfn(set, &data, timeout, flags);
41d22f7b
JK		 522 return ip_set_eexist(ret, flags) ? 0 : ret;
523 }
524
525 port = ntohs(data.port);
526 port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
527 if (port > port_to)
528 swap(port, port_to);
529
3d14b171
JK		 530 if (retried)
531 port = h->next.port;
41d22f7b
JK		 532 for (; port <= port_to; port++) {
533 data.port = htons(port);
5416219e 534 ret = adtfn(set, &data, timeout, flags);
41d22f7b
JK		 535
536 if (ret && !ip_set_eexist(ret, flags))
537 return ret;
538 else
539 ret = 0;
540 }
541 return ret;
542}
543
544/* Create hash:ip type of sets */
545
546static int
547hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
548{
549 struct ip_set_hash *h;
550 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
551 u8 hbits;
552
553 if (!(set->family == AF_INET || set->family == AF_INET6))
554 return -IPSET_ERR_INVALID_FAMILY;
555
556 if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
557 !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
558 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
559 return -IPSET_ERR_PROTOCOL;
560
561 if (tb[IPSET_ATTR_HASHSIZE]) {
562 hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
563 if (hashsize < IPSET_MIMINAL_HASHSIZE)
564 hashsize = IPSET_MIMINAL_HASHSIZE;
565 }
566
567 if (tb[IPSET_ATTR_MAXELEM])
568 maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
569
570 h = kzalloc(sizeof(*h)
571 + sizeof(struct ip_set_hash_nets)
572 * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
573 if (!h)
574 return -ENOMEM;
575
576 h->maxelem = maxelem;
577 get_random_bytes(&h->initval, sizeof(h->initval));
578 h->timeout = IPSET_NO_TIMEOUT;
579
580 hbits = htable_bits(hashsize);
581 h->table = ip_set_alloc(
582 sizeof(struct htable)
583 + jhash_size(hbits) * sizeof(struct hbucket));
584 if (!h->table) {
585 kfree(h);
586 return -ENOMEM;
587 }
588 h->table->htable_bits = hbits;
589
590 set->data = h;
591
592 if (tb[IPSET_ATTR_TIMEOUT]) {
593 h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
594
595 set->variant = set->family == AF_INET
596 ? &hash_ipportnet4_tvariant
597 : &hash_ipportnet6_tvariant;
598
599 if (set->family == AF_INET)
600 hash_ipportnet4_gc_init(set);
601 else
602 hash_ipportnet6_gc_init(set);
603 } else {
604 set->variant = set->family == AF_INET
605 ? &hash_ipportnet4_variant : &hash_ipportnet6_variant;
606 }
607
608 pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
609 set->name, jhash_size(h->table->htable_bits),
610 h->table->htable_bits, h->maxelem, set->data, h->table);
611
612 return 0;
613}
614
615static struct ip_set_type hash_ipportnet_type __read_mostly = {
616 .name = "hash:ip,port,net",
617 .protocol = IPSET_PROTOCOL,
618 .features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2,
619 .dimension = IPSET_DIM_THREE,
620 .family = AF_UNSPEC,
f1e00b39 621 .revision_min = 0,
d0d9e0a5
JK		 622 /* 1 SCTP and UDPLITE support added */
623 .revision_max = 2, /* Range as input support for IPv4 added */
41d22f7b
JK		 624 .create = hash_ipportnet_create,
625 .create_policy = {
626 [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
627 [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
628 [IPSET_ATTR_PROBES] = { .type = NLA_U8 },
629 [IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
630 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
631 },
632 .adt_policy = {
633 [IPSET_ATTR_IP] = { .type = NLA_NESTED },
634 [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
635 [IPSET_ATTR_IP2] = { .type = NLA_NESTED },
d0d9e0a5 636 [IPSET_ATTR_IP2_TO] = { .type = NLA_NESTED },
41d22f7b
JK		 637 [IPSET_ATTR_PORT] = { .type = NLA_U16 },
638 [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 },
639 [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
640 [IPSET_ATTR_CIDR2] = { .type = NLA_U8 },
641 [IPSET_ATTR_PROTO] = { .type = NLA_U8 },
642 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
643 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
644 },
645 .me = THIS_MODULE,
646};
647
648static int __init
649hash_ipportnet_init(void)
650{
651 return ip_set_type_register(&hash_ipportnet_type);
652}
653
654static void __exit
655hash_ipportnet_fini(void)
656{
657 ip_set_type_unregister(&hash_ipportnet_type);
658}
659
660module_init(hash_ipportnet_init);
661module_exit(hash_ipportnet_fini);
Ubuntu Hirsute Linux kernel mirror