]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - net/netfilter/ipset/ip_set_hash_gen.h
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
[mirror_ubuntu-bionic-kernel.git] / net / netfilter / ipset / ip_set_hash_gen.h
1 /* Copyright (C) 2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License version 2 as
5 * published by the Free Software Foundation.
6 */
7
8 #ifndef _IP_SET_HASH_GEN_H
9 #define _IP_SET_HASH_GEN_H
10
11 #include <linux/rcupdate.h>
12 #include <linux/jhash.h>
13 #include <linux/netfilter/ipset/ip_set_timeout.h>
14 #ifndef rcu_dereference_bh
15 #define rcu_dereference_bh(p) rcu_dereference(p)
16 #endif
17
18 #define rcu_dereference_bh_nfnl(p) rcu_dereference_bh_check(p, 1)
19
20 /* Hashing which uses arrays to resolve clashing. The hash table is resized
21 * (doubled) when searching becomes too long.
22 * Internally jhash is used with the assumption that the size of the
23 * stored data is a multiple of sizeof(u32). If storage supports timeout,
24 * the timeout field must be the last one in the data structure - that field
25 * is ignored when computing the hash key.
26 *
27 * Readers and resizing
28 *
29 * Resizing can be triggered by userspace command only, and those
30 * are serialized by the nfnl mutex. During resizing the set is
31 * read-locked, so the only possible concurrent operations are
32 * the kernel side readers. Those must be protected by proper RCU locking.
33 */
34
35 /* Number of elements to store in an initial array block */
36 #define AHASH_INIT_SIZE 4
37 /* Max number of elements to store in an array block */
38 #define AHASH_MAX_SIZE (3*AHASH_INIT_SIZE)
39
40 /* Max number of elements can be tuned */
41 #ifdef IP_SET_HASH_WITH_MULTI
42 #define AHASH_MAX(h) ((h)->ahash_max)
43
44 static inline u8
45 tune_ahash_max(u8 curr, u32 multi)
46 {
47 u32 n;
48
49 if (multi < curr)
50 return curr;
51
52 n = curr + AHASH_INIT_SIZE;
53 /* Currently, at listing one hash bucket must fit into a message.
54 * Therefore we have a hard limit here.
55 */
56 return n > curr && n <= 64 ? n : curr;
57 }
58 #define TUNE_AHASH_MAX(h, multi) \
59 ((h)->ahash_max = tune_ahash_max((h)->ahash_max, multi))
60 #else
61 #define AHASH_MAX(h) AHASH_MAX_SIZE
62 #define TUNE_AHASH_MAX(h, multi)
63 #endif
64
65 /* A hash bucket */
66 struct hbucket {
67 void *value; /* the array of the values */
68 u8 size; /* size of the array */
69 u8 pos; /* position of the first free entry */
70 };
71
72 /* The hash table: the table size stored here in order to make resizing easy */
73 struct htable {
74 u8 htable_bits; /* size of hash table == 2^htable_bits */
75 struct hbucket bucket[0]; /* hashtable buckets */
76 };
77
78 #define hbucket(h, i) (&((h)->bucket[i]))
79
80 #ifndef IPSET_NET_COUNT
81 #define IPSET_NET_COUNT 1
82 #endif
83
84 /* Book-keeping of the prefixes added to the set */
85 struct net_prefixes {
86 u32 nets[IPSET_NET_COUNT]; /* number of elements per cidr */
87 u8 cidr[IPSET_NET_COUNT]; /* the different cidr values in the set */
88 };
89
90 /* Compute the hash table size */
91 static size_t
92 htable_size(u8 hbits)
93 {
94 size_t hsize;
95
96 /* We must fit both into u32 in jhash and size_t */
97 if (hbits > 31)
98 return 0;
99 hsize = jhash_size(hbits);
100 if ((((size_t)-1) - sizeof(struct htable))/sizeof(struct hbucket)
101 < hsize)
102 return 0;
103
104 return hsize * sizeof(struct hbucket) + sizeof(struct htable);
105 }
106
107 /* Compute htable_bits from the user input parameter hashsize */
108 static u8
109 htable_bits(u32 hashsize)
110 {
111 /* Assume that hashsize == 2^htable_bits */
112 u8 bits = fls(hashsize - 1);
113 if (jhash_size(bits) != hashsize)
114 /* Round up to the first 2^n value */
115 bits = fls(hashsize);
116
117 return bits;
118 }
119
120 static int
121 hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize)
122 {
123 if (n->pos >= n->size) {
124 void *tmp;
125
126 if (n->size >= ahash_max)
127 /* Trigger rehashing */
128 return -EAGAIN;
129
130 tmp = kzalloc((n->size + AHASH_INIT_SIZE) * dsize,
131 GFP_ATOMIC);
132 if (!tmp)
133 return -ENOMEM;
134 if (n->size) {
135 memcpy(tmp, n->value, n->size * dsize);
136 kfree(n->value);
137 }
138 n->value = tmp;
139 n->size += AHASH_INIT_SIZE;
140 }
141 return 0;
142 }
143
144 #ifdef IP_SET_HASH_WITH_NETS
145 #if IPSET_NET_COUNT > 1
146 #define __CIDR(cidr, i) (cidr[i])
147 #else
148 #define __CIDR(cidr, i) (cidr)
149 #endif
150 #ifdef IP_SET_HASH_WITH_NETS_PACKED
151 /* When cidr is packed with nomatch, cidr - 1 is stored in the entry */
152 #define CIDR(cidr, i) (__CIDR(cidr, i) + 1)
153 #else
154 #define CIDR(cidr, i) (__CIDR(cidr, i))
155 #endif
156
157 #define SET_HOST_MASK(family) (family == AF_INET ? 32 : 128)
158
159 #ifdef IP_SET_HASH_WITH_MULTI
160 #define NLEN(family) (SET_HOST_MASK(family) + 1)
161 #else
162 #define NLEN(family) SET_HOST_MASK(family)
163 #endif
164
165 #else
166 #define NLEN(family) 0
167 #endif /* IP_SET_HASH_WITH_NETS */
168
169 #endif /* _IP_SET_HASH_GEN_H */
170
171 /* Family dependent templates */
172
173 #undef ahash_data
174 #undef mtype_data_equal
175 #undef mtype_do_data_match
176 #undef mtype_data_set_flags
177 #undef mtype_data_reset_flags
178 #undef mtype_data_netmask
179 #undef mtype_data_list
180 #undef mtype_data_next
181 #undef mtype_elem
182
183 #undef mtype_ahash_destroy
184 #undef mtype_ext_cleanup
185 #undef mtype_add_cidr
186 #undef mtype_del_cidr
187 #undef mtype_ahash_memsize
188 #undef mtype_flush
189 #undef mtype_destroy
190 #undef mtype_gc_init
191 #undef mtype_same_set
192 #undef mtype_kadt
193 #undef mtype_uadt
194 #undef mtype
195
196 #undef mtype_add
197 #undef mtype_del
198 #undef mtype_test_cidrs
199 #undef mtype_test
200 #undef mtype_expire
201 #undef mtype_resize
202 #undef mtype_head
203 #undef mtype_list
204 #undef mtype_gc
205 #undef mtype_gc_init
206 #undef mtype_variant
207 #undef mtype_data_match
208
209 #undef HKEY
210
211 #define mtype_data_equal IPSET_TOKEN(MTYPE, _data_equal)
212 #ifdef IP_SET_HASH_WITH_NETS
213 #define mtype_do_data_match IPSET_TOKEN(MTYPE, _do_data_match)
214 #else
215 #define mtype_do_data_match(d) 1
216 #endif
217 #define mtype_data_set_flags IPSET_TOKEN(MTYPE, _data_set_flags)
218 #define mtype_data_reset_elem IPSET_TOKEN(MTYPE, _data_reset_elem)
219 #define mtype_data_reset_flags IPSET_TOKEN(MTYPE, _data_reset_flags)
220 #define mtype_data_netmask IPSET_TOKEN(MTYPE, _data_netmask)
221 #define mtype_data_list IPSET_TOKEN(MTYPE, _data_list)
222 #define mtype_data_next IPSET_TOKEN(MTYPE, _data_next)
223 #define mtype_elem IPSET_TOKEN(MTYPE, _elem)
224 #define mtype_ahash_destroy IPSET_TOKEN(MTYPE, _ahash_destroy)
225 #define mtype_ext_cleanup IPSET_TOKEN(MTYPE, _ext_cleanup)
226 #define mtype_add_cidr IPSET_TOKEN(MTYPE, _add_cidr)
227 #define mtype_del_cidr IPSET_TOKEN(MTYPE, _del_cidr)
228 #define mtype_ahash_memsize IPSET_TOKEN(MTYPE, _ahash_memsize)
229 #define mtype_flush IPSET_TOKEN(MTYPE, _flush)
230 #define mtype_destroy IPSET_TOKEN(MTYPE, _destroy)
231 #define mtype_gc_init IPSET_TOKEN(MTYPE, _gc_init)
232 #define mtype_same_set IPSET_TOKEN(MTYPE, _same_set)
233 #define mtype_kadt IPSET_TOKEN(MTYPE, _kadt)
234 #define mtype_uadt IPSET_TOKEN(MTYPE, _uadt)
235 #define mtype MTYPE
236
237 #define mtype_add IPSET_TOKEN(MTYPE, _add)
238 #define mtype_del IPSET_TOKEN(MTYPE, _del)
239 #define mtype_test_cidrs IPSET_TOKEN(MTYPE, _test_cidrs)
240 #define mtype_test IPSET_TOKEN(MTYPE, _test)
241 #define mtype_expire IPSET_TOKEN(MTYPE, _expire)
242 #define mtype_resize IPSET_TOKEN(MTYPE, _resize)
243 #define mtype_head IPSET_TOKEN(MTYPE, _head)
244 #define mtype_list IPSET_TOKEN(MTYPE, _list)
245 #define mtype_gc IPSET_TOKEN(MTYPE, _gc)
246 #define mtype_variant IPSET_TOKEN(MTYPE, _variant)
247 #define mtype_data_match IPSET_TOKEN(MTYPE, _data_match)
248
249 #ifndef HKEY_DATALEN
250 #define HKEY_DATALEN sizeof(struct mtype_elem)
251 #endif
252
253 #define HKEY(data, initval, htable_bits) \
254 (jhash2((u32 *)(data), HKEY_DATALEN/sizeof(u32), initval) \
255 & jhash_mask(htable_bits))
256
257 #ifndef htype
258 #define htype HTYPE
259
260 /* The generic hash structure */
261 struct htype {
262 struct htable __rcu *table; /* the hash table */
263 u32 maxelem; /* max elements in the hash */
264 u32 elements; /* current element (vs timeout) */
265 u32 initval; /* random jhash init value */
266 #ifdef IP_SET_HASH_WITH_MARKMASK
267 u32 markmask; /* markmask value for mark mask to store */
268 #endif
269 struct timer_list gc; /* garbage collection when timeout enabled */
270 struct mtype_elem next; /* temporary storage for uadd */
271 #ifdef IP_SET_HASH_WITH_MULTI
272 u8 ahash_max; /* max elements in an array block */
273 #endif
274 #ifdef IP_SET_HASH_WITH_NETMASK
275 u8 netmask; /* netmask value for subnets to store */
276 #endif
277 #ifdef IP_SET_HASH_WITH_RBTREE
278 struct rb_root rbtree;
279 #endif
280 #ifdef IP_SET_HASH_WITH_NETS
281 struct net_prefixes nets[0]; /* book-keeping of prefixes */
282 #endif
283 };
284 #endif
285
286 #ifdef IP_SET_HASH_WITH_NETS
287 /* Network cidr size book keeping when the hash stores different
288 * sized networks */
289 static void
290 mtype_add_cidr(struct htype *h, u8 cidr, u8 nets_length, u8 n)
291 {
292 int i, j;
293
294 /* Add in increasing prefix order, so larger cidr first */
295 for (i = 0, j = -1; i < nets_length && h->nets[i].nets[n]; i++) {
296 if (j != -1)
297 continue;
298 else if (h->nets[i].cidr[n] < cidr)
299 j = i;
300 else if (h->nets[i].cidr[n] == cidr) {
301 h->nets[i].nets[n]++;
302 return;
303 }
304 }
305 if (j != -1) {
306 for (; i > j; i--) {
307 h->nets[i].cidr[n] = h->nets[i - 1].cidr[n];
308 h->nets[i].nets[n] = h->nets[i - 1].nets[n];
309 }
310 }
311 h->nets[i].cidr[n] = cidr;
312 h->nets[i].nets[n] = 1;
313 }
314
315 static void
316 mtype_del_cidr(struct htype *h, u8 cidr, u8 nets_length, u8 n)
317 {
318 u8 i, j, net_end = nets_length - 1;
319
320 for (i = 0; i < nets_length; i++) {
321 if (h->nets[i].cidr[n] != cidr)
322 continue;
323 if (h->nets[i].nets[n] > 1 || i == net_end ||
324 h->nets[i + 1].nets[n] == 0) {
325 h->nets[i].nets[n]--;
326 return;
327 }
328 for (j = i; j < net_end && h->nets[j].nets[n]; j++) {
329 h->nets[j].cidr[n] = h->nets[j + 1].cidr[n];
330 h->nets[j].nets[n] = h->nets[j + 1].nets[n];
331 }
332 h->nets[j].nets[n] = 0;
333 return;
334 }
335 }
336 #endif
337
338 /* Calculate the actual memory size of the set data */
339 static size_t
340 mtype_ahash_memsize(const struct htype *h, const struct htable *t,
341 u8 nets_length, size_t dsize)
342 {
343 u32 i;
344 size_t memsize = sizeof(*h)
345 + sizeof(*t)
346 #ifdef IP_SET_HASH_WITH_NETS
347 + sizeof(struct net_prefixes) * nets_length
348 #endif
349 + jhash_size(t->htable_bits) * sizeof(struct hbucket);
350
351 for (i = 0; i < jhash_size(t->htable_bits); i++)
352 memsize += t->bucket[i].size * dsize;
353
354 return memsize;
355 }
356
357 /* Get the ith element from the array block n */
358 #define ahash_data(n, i, dsize) \
359 ((struct mtype_elem *)((n)->value + ((i) * (dsize))))
360
361 static void
362 mtype_ext_cleanup(struct ip_set *set, struct hbucket *n)
363 {
364 int i;
365
366 for (i = 0; i < n->pos; i++)
367 ip_set_ext_destroy(set, ahash_data(n, i, set->dsize));
368 }
369
370 /* Flush a hash type of set: destroy all elements */
371 static void
372 mtype_flush(struct ip_set *set)
373 {
374 struct htype *h = set->data;
375 struct htable *t;
376 struct hbucket *n;
377 u32 i;
378
379 t = rcu_dereference_bh_nfnl(h->table);
380 for (i = 0; i < jhash_size(t->htable_bits); i++) {
381 n = hbucket(t, i);
382 if (n->size) {
383 if (set->extensions & IPSET_EXT_DESTROY)
384 mtype_ext_cleanup(set, n);
385 n->size = n->pos = 0;
386 /* FIXME: use slab cache */
387 kfree(n->value);
388 }
389 }
390 #ifdef IP_SET_HASH_WITH_NETS
391 memset(h->nets, 0, sizeof(struct net_prefixes) * NLEN(set->family));
392 #endif
393 h->elements = 0;
394 }
395
396 /* Destroy the hashtable part of the set */
397 static void
398 mtype_ahash_destroy(struct ip_set *set, struct htable *t, bool ext_destroy)
399 {
400 struct hbucket *n;
401 u32 i;
402
403 for (i = 0; i < jhash_size(t->htable_bits); i++) {
404 n = hbucket(t, i);
405 if (n->size) {
406 if (set->extensions & IPSET_EXT_DESTROY && ext_destroy)
407 mtype_ext_cleanup(set, n);
408 /* FIXME: use slab cache */
409 kfree(n->value);
410 }
411 }
412
413 ip_set_free(t);
414 }
415
416 /* Destroy a hash type of set */
417 static void
418 mtype_destroy(struct ip_set *set)
419 {
420 struct htype *h = set->data;
421
422 if (set->extensions & IPSET_EXT_TIMEOUT)
423 del_timer_sync(&h->gc);
424
425 mtype_ahash_destroy(set, rcu_dereference_bh_nfnl(h->table), true);
426 #ifdef IP_SET_HASH_WITH_RBTREE
427 rbtree_destroy(&h->rbtree);
428 #endif
429 kfree(h);
430
431 set->data = NULL;
432 }
433
434 static void
435 mtype_gc_init(struct ip_set *set, void (*gc)(unsigned long ul_set))
436 {
437 struct htype *h = set->data;
438
439 init_timer(&h->gc);
440 h->gc.data = (unsigned long) set;
441 h->gc.function = gc;
442 h->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ;
443 add_timer(&h->gc);
444 pr_debug("gc initialized, run in every %u\n",
445 IPSET_GC_PERIOD(set->timeout));
446 }
447
448 static bool
449 mtype_same_set(const struct ip_set *a, const struct ip_set *b)
450 {
451 const struct htype *x = a->data;
452 const struct htype *y = b->data;
453
454 /* Resizing changes htable_bits, so we ignore it */
455 return x->maxelem == y->maxelem &&
456 a->timeout == b->timeout &&
457 #ifdef IP_SET_HASH_WITH_NETMASK
458 x->netmask == y->netmask &&
459 #endif
460 #ifdef IP_SET_HASH_WITH_MARKMASK
461 x->markmask == y->markmask &&
462 #endif
463 a->extensions == b->extensions;
464 }
465
466 /* Delete expired elements from the hashtable */
467 static void
468 mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize)
469 {
470 struct htable *t;
471 struct hbucket *n;
472 struct mtype_elem *data;
473 u32 i;
474 int j;
475 #ifdef IP_SET_HASH_WITH_NETS
476 u8 k;
477 #endif
478
479 rcu_read_lock_bh();
480 t = rcu_dereference_bh(h->table);
481 for (i = 0; i < jhash_size(t->htable_bits); i++) {
482 n = hbucket(t, i);
483 for (j = 0; j < n->pos; j++) {
484 data = ahash_data(n, j, dsize);
485 if (ip_set_timeout_expired(ext_timeout(data, set))) {
486 pr_debug("expired %u/%u\n", i, j);
487 #ifdef IP_SET_HASH_WITH_NETS
488 for (k = 0; k < IPSET_NET_COUNT; k++)
489 mtype_del_cidr(h, CIDR(data->cidr, k),
490 nets_length, k);
491 #endif
492 ip_set_ext_destroy(set, data);
493 if (j != n->pos - 1)
494 /* Not last one */
495 memcpy(data,
496 ahash_data(n, n->pos - 1, dsize),
497 dsize);
498 n->pos--;
499 h->elements--;
500 }
501 }
502 if (n->pos + AHASH_INIT_SIZE < n->size) {
503 void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
504 * dsize,
505 GFP_ATOMIC);
506 if (!tmp)
507 /* Still try to delete expired elements */
508 continue;
509 n->size -= AHASH_INIT_SIZE;
510 memcpy(tmp, n->value, n->size * dsize);
511 kfree(n->value);
512 n->value = tmp;
513 }
514 }
515 rcu_read_unlock_bh();
516 }
517
518 static void
519 mtype_gc(unsigned long ul_set)
520 {
521 struct ip_set *set = (struct ip_set *) ul_set;
522 struct htype *h = set->data;
523
524 pr_debug("called\n");
525 write_lock_bh(&set->lock);
526 mtype_expire(set, h, NLEN(set->family), set->dsize);
527 write_unlock_bh(&set->lock);
528
529 h->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ;
530 add_timer(&h->gc);
531 }
532
533 /* Resize a hash: create a new hash table with doubling the hashsize
534 * and inserting the elements to it. Repeat until we succeed or
535 * fail due to memory pressures. */
536 static int
537 mtype_resize(struct ip_set *set, bool retried)
538 {
539 struct htype *h = set->data;
540 struct htable *t, *orig = rcu_dereference_bh_nfnl(h->table);
541 u8 htable_bits = orig->htable_bits;
542 #ifdef IP_SET_HASH_WITH_NETS
543 u8 flags;
544 #endif
545 struct mtype_elem *data;
546 struct mtype_elem *d;
547 struct hbucket *n, *m;
548 u32 i, j;
549 int ret;
550
551 /* Try to cleanup once */
552 if (SET_WITH_TIMEOUT(set) && !retried) {
553 i = h->elements;
554 write_lock_bh(&set->lock);
555 mtype_expire(set, set->data, NLEN(set->family), set->dsize);
556 write_unlock_bh(&set->lock);
557 if (h->elements < i)
558 return 0;
559 }
560
561 retry:
562 ret = 0;
563 htable_bits++;
564 pr_debug("attempt to resize set %s from %u to %u, t %p\n",
565 set->name, orig->htable_bits, htable_bits, orig);
566 if (!htable_bits) {
567 /* In case we have plenty of memory :-) */
568 pr_warning("Cannot increase the hashsize of set %s further\n",
569 set->name);
570 return -IPSET_ERR_HASH_FULL;
571 }
572 t = ip_set_alloc(sizeof(*t)
573 + jhash_size(htable_bits) * sizeof(struct hbucket));
574 if (!t)
575 return -ENOMEM;
576 t->htable_bits = htable_bits;
577
578 read_lock_bh(&set->lock);
579 for (i = 0; i < jhash_size(orig->htable_bits); i++) {
580 n = hbucket(orig, i);
581 for (j = 0; j < n->pos; j++) {
582 data = ahash_data(n, j, set->dsize);
583 #ifdef IP_SET_HASH_WITH_NETS
584 flags = 0;
585 mtype_data_reset_flags(data, &flags);
586 #endif
587 m = hbucket(t, HKEY(data, h->initval, htable_bits));
588 ret = hbucket_elem_add(m, AHASH_MAX(h), set->dsize);
589 if (ret < 0) {
590 #ifdef IP_SET_HASH_WITH_NETS
591 mtype_data_reset_flags(data, &flags);
592 #endif
593 read_unlock_bh(&set->lock);
594 mtype_ahash_destroy(set, t, false);
595 if (ret == -EAGAIN)
596 goto retry;
597 return ret;
598 }
599 d = ahash_data(m, m->pos++, set->dsize);
600 memcpy(d, data, set->dsize);
601 #ifdef IP_SET_HASH_WITH_NETS
602 mtype_data_reset_flags(d, &flags);
603 #endif
604 }
605 }
606
607 rcu_assign_pointer(h->table, t);
608 read_unlock_bh(&set->lock);
609
610 /* Give time to other readers of the set */
611 synchronize_rcu_bh();
612
613 pr_debug("set %s resized from %u (%p) to %u (%p)\n", set->name,
614 orig->htable_bits, orig, t->htable_bits, t);
615 mtype_ahash_destroy(set, orig, false);
616
617 return 0;
618 }
619
620 /* Add an element to a hash and update the internal counters when succeeded,
621 * otherwise report the proper error code. */
622 static int
623 mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
624 struct ip_set_ext *mext, u32 flags)
625 {
626 struct htype *h = set->data;
627 struct htable *t;
628 const struct mtype_elem *d = value;
629 struct mtype_elem *data;
630 struct hbucket *n;
631 int i, ret = 0;
632 int j = AHASH_MAX(h) + 1;
633 bool flag_exist = flags & IPSET_FLAG_EXIST;
634 u32 key, multi = 0;
635
636 if (h->elements >= h->maxelem && SET_WITH_FORCEADD(set)) {
637 rcu_read_lock_bh();
638 t = rcu_dereference_bh(h->table);
639 key = HKEY(value, h->initval, t->htable_bits);
640 n = hbucket(t,key);
641 if (n->pos) {
642 /* Choosing the first entry in the array to replace */
643 j = 0;
644 goto reuse_slot;
645 }
646 rcu_read_unlock_bh();
647 }
648 if (SET_WITH_TIMEOUT(set) && h->elements >= h->maxelem)
649 /* FIXME: when set is full, we slow down here */
650 mtype_expire(set, h, NLEN(set->family), set->dsize);
651
652 if (h->elements >= h->maxelem) {
653 if (net_ratelimit())
654 pr_warning("Set %s is full, maxelem %u reached\n",
655 set->name, h->maxelem);
656 return -IPSET_ERR_HASH_FULL;
657 }
658
659 rcu_read_lock_bh();
660 t = rcu_dereference_bh(h->table);
661 key = HKEY(value, h->initval, t->htable_bits);
662 n = hbucket(t, key);
663 for (i = 0; i < n->pos; i++) {
664 data = ahash_data(n, i, set->dsize);
665 if (mtype_data_equal(data, d, &multi)) {
666 if (flag_exist ||
667 (SET_WITH_TIMEOUT(set) &&
668 ip_set_timeout_expired(ext_timeout(data, set)))) {
669 /* Just the extensions could be overwritten */
670 j = i;
671 goto reuse_slot;
672 } else {
673 ret = -IPSET_ERR_EXIST;
674 goto out;
675 }
676 }
677 /* Reuse first timed out entry */
678 if (SET_WITH_TIMEOUT(set) &&
679 ip_set_timeout_expired(ext_timeout(data, set)) &&
680 j != AHASH_MAX(h) + 1)
681 j = i;
682 }
683 reuse_slot:
684 if (j != AHASH_MAX(h) + 1) {
685 /* Fill out reused slot */
686 data = ahash_data(n, j, set->dsize);
687 #ifdef IP_SET_HASH_WITH_NETS
688 for (i = 0; i < IPSET_NET_COUNT; i++) {
689 mtype_del_cidr(h, CIDR(data->cidr, i),
690 NLEN(set->family), i);
691 mtype_add_cidr(h, CIDR(d->cidr, i),
692 NLEN(set->family), i);
693 }
694 #endif
695 ip_set_ext_destroy(set, data);
696 } else {
697 /* Use/create a new slot */
698 TUNE_AHASH_MAX(h, multi);
699 ret = hbucket_elem_add(n, AHASH_MAX(h), set->dsize);
700 if (ret != 0) {
701 if (ret == -EAGAIN)
702 mtype_data_next(&h->next, d);
703 goto out;
704 }
705 data = ahash_data(n, n->pos++, set->dsize);
706 #ifdef IP_SET_HASH_WITH_NETS
707 for (i = 0; i < IPSET_NET_COUNT; i++)
708 mtype_add_cidr(h, CIDR(d->cidr, i), NLEN(set->family),
709 i);
710 #endif
711 h->elements++;
712 }
713 memcpy(data, d, sizeof(struct mtype_elem));
714 #ifdef IP_SET_HASH_WITH_NETS
715 mtype_data_set_flags(data, flags);
716 #endif
717 if (SET_WITH_TIMEOUT(set))
718 ip_set_timeout_set(ext_timeout(data, set), ext->timeout);
719 if (SET_WITH_COUNTER(set))
720 ip_set_init_counter(ext_counter(data, set), ext);
721 if (SET_WITH_COMMENT(set))
722 ip_set_init_comment(ext_comment(data, set), ext);
723
724 out:
725 rcu_read_unlock_bh();
726 return ret;
727 }
728
729 /* Delete an element from the hash: swap it with the last element
730 * and free up space if possible.
731 */
732 static int
733 mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
734 struct ip_set_ext *mext, u32 flags)
735 {
736 struct htype *h = set->data;
737 struct htable *t;
738 const struct mtype_elem *d = value;
739 struct mtype_elem *data;
740 struct hbucket *n;
741 int i, ret = -IPSET_ERR_EXIST;
742 #ifdef IP_SET_HASH_WITH_NETS
743 u8 j;
744 #endif
745 u32 key, multi = 0;
746
747 rcu_read_lock_bh();
748 t = rcu_dereference_bh(h->table);
749 key = HKEY(value, h->initval, t->htable_bits);
750 n = hbucket(t, key);
751 for (i = 0; i < n->pos; i++) {
752 data = ahash_data(n, i, set->dsize);
753 if (!mtype_data_equal(data, d, &multi))
754 continue;
755 if (SET_WITH_TIMEOUT(set) &&
756 ip_set_timeout_expired(ext_timeout(data, set)))
757 goto out;
758 if (i != n->pos - 1)
759 /* Not last one */
760 memcpy(data, ahash_data(n, n->pos - 1, set->dsize),
761 set->dsize);
762
763 n->pos--;
764 h->elements--;
765 #ifdef IP_SET_HASH_WITH_NETS
766 for (j = 0; j < IPSET_NET_COUNT; j++)
767 mtype_del_cidr(h, CIDR(d->cidr, j), NLEN(set->family),
768 j);
769 #endif
770 ip_set_ext_destroy(set, data);
771 if (n->pos + AHASH_INIT_SIZE < n->size) {
772 void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
773 * set->dsize,
774 GFP_ATOMIC);
775 if (!tmp) {
776 ret = 0;
777 goto out;
778 }
779 n->size -= AHASH_INIT_SIZE;
780 memcpy(tmp, n->value, n->size * set->dsize);
781 kfree(n->value);
782 n->value = tmp;
783 }
784 ret = 0;
785 goto out;
786 }
787
788 out:
789 rcu_read_unlock_bh();
790 return ret;
791 }
792
793 static inline int
794 mtype_data_match(struct mtype_elem *data, const struct ip_set_ext *ext,
795 struct ip_set_ext *mext, struct ip_set *set, u32 flags)
796 {
797 if (SET_WITH_COUNTER(set))
798 ip_set_update_counter(ext_counter(data, set),
799 ext, mext, flags);
800 return mtype_do_data_match(data);
801 }
802
803 #ifdef IP_SET_HASH_WITH_NETS
804 /* Special test function which takes into account the different network
805 * sizes added to the set */
806 static int
807 mtype_test_cidrs(struct ip_set *set, struct mtype_elem *d,
808 const struct ip_set_ext *ext,
809 struct ip_set_ext *mext, u32 flags)
810 {
811 struct htype *h = set->data;
812 struct htable *t = rcu_dereference_bh(h->table);
813 struct hbucket *n;
814 struct mtype_elem *data;
815 #if IPSET_NET_COUNT == 2
816 struct mtype_elem orig = *d;
817 int i, j = 0, k;
818 #else
819 int i, j = 0;
820 #endif
821 u32 key, multi = 0;
822 u8 nets_length = NLEN(set->family);
823
824 pr_debug("test by nets\n");
825 for (; j < nets_length && h->nets[j].nets[0] && !multi; j++) {
826 #if IPSET_NET_COUNT == 2
827 mtype_data_reset_elem(d, &orig);
828 mtype_data_netmask(d, h->nets[j].cidr[0], false);
829 for (k = 0; k < nets_length && h->nets[k].nets[1] && !multi;
830 k++) {
831 mtype_data_netmask(d, h->nets[k].cidr[1], true);
832 #else
833 mtype_data_netmask(d, h->nets[j].cidr[0]);
834 #endif
835 key = HKEY(d, h->initval, t->htable_bits);
836 n = hbucket(t, key);
837 for (i = 0; i < n->pos; i++) {
838 data = ahash_data(n, i, set->dsize);
839 if (!mtype_data_equal(data, d, &multi))
840 continue;
841 if (SET_WITH_TIMEOUT(set)) {
842 if (!ip_set_timeout_expired(
843 ext_timeout(data, set)))
844 return mtype_data_match(data, ext,
845 mext, set,
846 flags);
847 #ifdef IP_SET_HASH_WITH_MULTI
848 multi = 0;
849 #endif
850 } else
851 return mtype_data_match(data, ext,
852 mext, set, flags);
853 }
854 #if IPSET_NET_COUNT == 2
855 }
856 #endif
857 }
858 return 0;
859 }
860 #endif
861
862 /* Test whether the element is added to the set */
863 static int
864 mtype_test(struct ip_set *set, void *value, const struct ip_set_ext *ext,
865 struct ip_set_ext *mext, u32 flags)
866 {
867 struct htype *h = set->data;
868 struct htable *t;
869 struct mtype_elem *d = value;
870 struct hbucket *n;
871 struct mtype_elem *data;
872 int i, ret = 0;
873 u32 key, multi = 0;
874
875 rcu_read_lock_bh();
876 t = rcu_dereference_bh(h->table);
877 #ifdef IP_SET_HASH_WITH_NETS
878 /* If we test an IP address and not a network address,
879 * try all possible network sizes */
880 for (i = 0; i < IPSET_NET_COUNT; i++)
881 if (CIDR(d->cidr, i) != SET_HOST_MASK(set->family))
882 break;
883 if (i == IPSET_NET_COUNT) {
884 ret = mtype_test_cidrs(set, d, ext, mext, flags);
885 goto out;
886 }
887 #endif
888
889 key = HKEY(d, h->initval, t->htable_bits);
890 n = hbucket(t, key);
891 for (i = 0; i < n->pos; i++) {
892 data = ahash_data(n, i, set->dsize);
893 if (mtype_data_equal(data, d, &multi) &&
894 !(SET_WITH_TIMEOUT(set) &&
895 ip_set_timeout_expired(ext_timeout(data, set)))) {
896 ret = mtype_data_match(data, ext, mext, set, flags);
897 goto out;
898 }
899 }
900 out:
901 rcu_read_unlock_bh();
902 return ret;
903 }
904
905 /* Reply a HEADER request: fill out the header part of the set */
906 static int
907 mtype_head(struct ip_set *set, struct sk_buff *skb)
908 {
909 const struct htype *h = set->data;
910 const struct htable *t;
911 struct nlattr *nested;
912 size_t memsize;
913
914 t = rcu_dereference_bh_nfnl(h->table);
915 memsize = mtype_ahash_memsize(h, t, NLEN(set->family), set->dsize);
916
917 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
918 if (!nested)
919 goto nla_put_failure;
920 if (nla_put_net32(skb, IPSET_ATTR_HASHSIZE,
921 htonl(jhash_size(t->htable_bits))) ||
922 nla_put_net32(skb, IPSET_ATTR_MAXELEM, htonl(h->maxelem)))
923 goto nla_put_failure;
924 #ifdef IP_SET_HASH_WITH_NETMASK
925 if (h->netmask != HOST_MASK &&
926 nla_put_u8(skb, IPSET_ATTR_NETMASK, h->netmask))
927 goto nla_put_failure;
928 #endif
929 #ifdef IP_SET_HASH_WITH_MARKMASK
930 if (nla_put_u32(skb, IPSET_ATTR_MARKMASK, h->markmask))
931 goto nla_put_failure;
932 #endif
933 if (nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
934 nla_put_net32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize)))
935 goto nla_put_failure;
936 if (unlikely(ip_set_put_flags(skb, set)))
937 goto nla_put_failure;
938 ipset_nest_end(skb, nested);
939
940 return 0;
941 nla_put_failure:
942 return -EMSGSIZE;
943 }
944
945 /* Reply a LIST/SAVE request: dump the elements of the specified set */
946 static int
947 mtype_list(const struct ip_set *set,
948 struct sk_buff *skb, struct netlink_callback *cb)
949 {
950 const struct htype *h = set->data;
951 const struct htable *t = rcu_dereference_bh_nfnl(h->table);
952 struct nlattr *atd, *nested;
953 const struct hbucket *n;
954 const struct mtype_elem *e;
955 u32 first = cb->args[IPSET_CB_ARG0];
956 /* We assume that one hash bucket fills into one page */
957 void *incomplete;
958 int i;
959
960 atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
961 if (!atd)
962 return -EMSGSIZE;
963 pr_debug("list hash set %s\n", set->name);
964 for (; cb->args[IPSET_CB_ARG0] < jhash_size(t->htable_bits);
965 cb->args[IPSET_CB_ARG0]++) {
966 incomplete = skb_tail_pointer(skb);
967 n = hbucket(t, cb->args[IPSET_CB_ARG0]);
968 pr_debug("cb->arg bucket: %lu, t %p n %p\n",
969 cb->args[IPSET_CB_ARG0], t, n);
970 for (i = 0; i < n->pos; i++) {
971 e = ahash_data(n, i, set->dsize);
972 if (SET_WITH_TIMEOUT(set) &&
973 ip_set_timeout_expired(ext_timeout(e, set)))
974 continue;
975 pr_debug("list hash %lu hbucket %p i %u, data %p\n",
976 cb->args[IPSET_CB_ARG0], n, i, e);
977 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
978 if (!nested) {
979 if (cb->args[IPSET_CB_ARG0] == first) {
980 nla_nest_cancel(skb, atd);
981 return -EMSGSIZE;
982 } else
983 goto nla_put_failure;
984 }
985 if (mtype_data_list(skb, e))
986 goto nla_put_failure;
987 if (ip_set_put_extensions(skb, set, e, true))
988 goto nla_put_failure;
989 ipset_nest_end(skb, nested);
990 }
991 }
992 ipset_nest_end(skb, atd);
993 /* Set listing finished */
994 cb->args[IPSET_CB_ARG0] = 0;
995
996 return 0;
997
998 nla_put_failure:
999 nlmsg_trim(skb, incomplete);
1000 if (unlikely(first == cb->args[IPSET_CB_ARG0])) {
1001 pr_warning("Can't list set %s: one bucket does not fit into "
1002 "a message. Please report it!\n", set->name);
1003 cb->args[IPSET_CB_ARG0] = 0;
1004 return -EMSGSIZE;
1005 }
1006 ipset_nest_end(skb, atd);
1007 return 0;
1008 }
1009
1010 static int
1011 IPSET_TOKEN(MTYPE, _kadt)(struct ip_set *set, const struct sk_buff *skb,
1012 const struct xt_action_param *par,
1013 enum ipset_adt adt, struct ip_set_adt_opt *opt);
1014
1015 static int
1016 IPSET_TOKEN(MTYPE, _uadt)(struct ip_set *set, struct nlattr *tb[],
1017 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried);
1018
1019 static const struct ip_set_type_variant mtype_variant = {
1020 .kadt = mtype_kadt,
1021 .uadt = mtype_uadt,
1022 .adt = {
1023 [IPSET_ADD] = mtype_add,
1024 [IPSET_DEL] = mtype_del,
1025 [IPSET_TEST] = mtype_test,
1026 },
1027 .destroy = mtype_destroy,
1028 .flush = mtype_flush,
1029 .head = mtype_head,
1030 .list = mtype_list,
1031 .resize = mtype_resize,
1032 .same_set = mtype_same_set,
1033 };
1034
1035 #ifdef IP_SET_EMIT_CREATE
1036 static int
1037 IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
1038 struct nlattr *tb[], u32 flags)
1039 {
1040 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
1041 #ifdef IP_SET_HASH_WITH_MARKMASK
1042 u32 markmask;
1043 #endif
1044 u8 hbits;
1045 #ifdef IP_SET_HASH_WITH_NETMASK
1046 u8 netmask;
1047 #endif
1048 size_t hsize;
1049 struct HTYPE *h;
1050 struct htable *t;
1051
1052 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
1053 return -IPSET_ERR_INVALID_FAMILY;
1054
1055 #ifdef IP_SET_HASH_WITH_MARKMASK
1056 markmask = 0xffffffff;
1057 #endif
1058 #ifdef IP_SET_HASH_WITH_NETMASK
1059 netmask = set->family == NFPROTO_IPV4 ? 32 : 128;
1060 pr_debug("Create set %s with family %s\n",
1061 set->name, set->family == NFPROTO_IPV4 ? "inet" : "inet6");
1062 #endif
1063
1064 if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
1065 !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
1066 #ifdef IP_SET_HASH_WITH_MARKMASK
1067 !ip_set_optattr_netorder(tb, IPSET_ATTR_MARKMASK) ||
1068 #endif
1069 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
1070 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
1071 return -IPSET_ERR_PROTOCOL;
1072
1073 if (tb[IPSET_ATTR_HASHSIZE]) {
1074 hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
1075 if (hashsize < IPSET_MIMINAL_HASHSIZE)
1076 hashsize = IPSET_MIMINAL_HASHSIZE;
1077 }
1078
1079 if (tb[IPSET_ATTR_MAXELEM])
1080 maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
1081
1082 #ifdef IP_SET_HASH_WITH_NETMASK
1083 if (tb[IPSET_ATTR_NETMASK]) {
1084 netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
1085
1086 if ((set->family == NFPROTO_IPV4 && netmask > 32) ||
1087 (set->family == NFPROTO_IPV6 && netmask > 128) ||
1088 netmask == 0)
1089 return -IPSET_ERR_INVALID_NETMASK;
1090 }
1091 #endif
1092 #ifdef IP_SET_HASH_WITH_MARKMASK
1093 if (tb[IPSET_ATTR_MARKMASK]) {
1094 markmask = ntohl(nla_get_u32(tb[IPSET_ATTR_MARKMASK]));
1095
1096 if ((markmask > 4294967295u) || markmask == 0)
1097 return -IPSET_ERR_INVALID_MARKMASK;
1098 }
1099 #endif
1100
1101 hsize = sizeof(*h);
1102 #ifdef IP_SET_HASH_WITH_NETS
1103 hsize += sizeof(struct net_prefixes) *
1104 (set->family == NFPROTO_IPV4 ? 32 : 128);
1105 #endif
1106 h = kzalloc(hsize, GFP_KERNEL);
1107 if (!h)
1108 return -ENOMEM;
1109
1110 h->maxelem = maxelem;
1111 #ifdef IP_SET_HASH_WITH_NETMASK
1112 h->netmask = netmask;
1113 #endif
1114 #ifdef IP_SET_HASH_WITH_MARKMASK
1115 h->markmask = markmask;
1116 #endif
1117 get_random_bytes(&h->initval, sizeof(h->initval));
1118 set->timeout = IPSET_NO_TIMEOUT;
1119
1120 hbits = htable_bits(hashsize);
1121 hsize = htable_size(hbits);
1122 if (hsize == 0) {
1123 kfree(h);
1124 return -ENOMEM;
1125 }
1126 t = ip_set_alloc(hsize);
1127 if (!t) {
1128 kfree(h);
1129 return -ENOMEM;
1130 }
1131 t->htable_bits = hbits;
1132 rcu_assign_pointer(h->table, t);
1133
1134 set->data = h;
1135 if (set->family == NFPROTO_IPV4) {
1136 set->variant = &IPSET_TOKEN(HTYPE, 4_variant);
1137 set->dsize = ip_set_elem_len(set, tb,
1138 sizeof(struct IPSET_TOKEN(HTYPE, 4_elem)));
1139 } else {
1140 set->variant = &IPSET_TOKEN(HTYPE, 6_variant);
1141 set->dsize = ip_set_elem_len(set, tb,
1142 sizeof(struct IPSET_TOKEN(HTYPE, 6_elem)));
1143 }
1144 if (tb[IPSET_ATTR_TIMEOUT]) {
1145 set->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
1146 if (set->family == NFPROTO_IPV4)
1147 IPSET_TOKEN(HTYPE, 4_gc_init)(set,
1148 IPSET_TOKEN(HTYPE, 4_gc));
1149 else
1150 IPSET_TOKEN(HTYPE, 6_gc_init)(set,
1151 IPSET_TOKEN(HTYPE, 6_gc));
1152 }
1153
1154 pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
1155 set->name, jhash_size(t->htable_bits),
1156 t->htable_bits, h->maxelem, set->data, t);
1157
1158 return 0;
1159 }
1160 #endif /* IP_SET_EMIT_CREATE */
ubuntu-bionic-kernel mirror