[deliverable/linux.git] / net / netfilter / ipset / ip_set_hash_ip.c

/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

/* Kernel module implementing an IP set type: the hash:ip type */

#include <linux/jhash.h>
#include <linux/module.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
#include <linux/errno.h>
#include <linux/random.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/netlink.h>
#include <net/tcp.h>

#include <linux/netfilter.h>
#include <linux/netfilter/ipset/pfxlen.h>
#include <linux/netfilter/ipset/ip_set.h>
#include <linux/netfilter/ipset/ip_set_timeout.h>
#include <linux/netfilter/ipset/ip_set_hash.h>

#define REVISION_MIN	0
#define REVISION_MAX	0

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
IP_SET_MODULE_DESC("hash:ip", REVISION_MIN, REVISION_MAX);
MODULE_ALIAS("ip_set_hash:ip");

/* Type specific function prefix */
#define TYPE		hash_ip

static bool
hash_ip_same_set(const struct ip_set *a, const struct ip_set *b);

#define hash_ip4_same_set	hash_ip_same_set
#define hash_ip6_same_set	hash_ip_same_set

/* The type variant functions: IPv4 */

/* Member elements without timeout */
struct hash_ip4_elem {
	__be32 ip;
};

/* Member elements with timeout support */
struct hash_ip4_telem {
	__be32 ip;
	unsigned long timeout;
};

static inline bool
hash_ip4_data_equal(const struct hash_ip4_elem *ip1,
		    const struct hash_ip4_elem *ip2,
		    u32 *multi)
{
	return ip1->ip == ip2->ip;
}

static inline bool
hash_ip4_data_isnull(const struct hash_ip4_elem *elem)
{
	return elem->ip == 0;
}

static inline void
hash_ip4_data_copy(struct hash_ip4_elem *dst, const struct hash_ip4_elem *src)
{
	dst->ip = src->ip;
}

/* Zero valued IP addresses cannot be stored */
static inline void
hash_ip4_data_zero_out(struct hash_ip4_elem *elem)
{
	elem->ip = 0;
}

static inline bool
hash_ip4_data_list(struct sk_buff *skb, const struct hash_ip4_elem *data)
{
	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return 1;
}

static bool
hash_ip4_data_tlist(struct sk_buff *skb, const struct hash_ip4_elem *data)
{
	const struct hash_ip4_telem *tdata =
		(const struct hash_ip4_telem *)data;

	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) ||
	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
			  htonl(ip_set_timeout_get(tdata->timeout))))
		goto nla_put_failure;

	return 0;

nla_put_failure:
	return 1;
}

#define IP_SET_HASH_WITH_NETMASK
#define PF		4
#define HOST_MASK	32
#include <linux/netfilter/ipset/ip_set_ahash.h>

static inline void
hash_ip4_data_next(struct ip_set_hash *h, const struct hash_ip4_elem *d)
{
	h->next.ip = d->ip;
}

static int
hash_ip4_kadt(struct ip_set *set, const struct sk_buff *skb,
	      const struct xt_action_param *par,
	      enum ipset_adt adt, const struct ip_set_adt_opt *opt)
{
	const struct ip_set_hash *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	__be32 ip;

	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &ip);
	ip &= ip_set_netmask(h->netmask);
	if (ip == 0)
		return -EINVAL;

	return adtfn(set, &ip, opt_timeout(opt, h), opt->cmdflags);
}

static int
hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
	      enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
	const struct ip_set_hash *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	u32 ip, ip_to, hosts, timeout = h->timeout;
	__be32 nip;
	int ret = 0;

	if (unlikely(!tb[IPSET_ATTR_IP] ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
		return -IPSET_ERR_PROTOCOL;

	if (tb[IPSET_ATTR_LINENO])
		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
	if (ret)
		return ret;

	ip &= ip_set_hostmask(h->netmask);

	if (tb[IPSET_ATTR_TIMEOUT]) {
		if (!with_timeout(h->timeout))
			return -IPSET_ERR_TIMEOUT;
		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
	}

	if (adt == IPSET_TEST) {
		nip = htonl(ip);
		if (nip == 0)
			return -IPSET_ERR_HASH_ELEM;
		return adtfn(set, &nip, timeout, flags);
	}

	ip_to = ip;
	if (tb[IPSET_ATTR_IP_TO]) {
		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
		if (ret)
			return ret;
		if (ip > ip_to)
			swap(ip, ip_to);
	} else if (tb[IPSET_ATTR_CIDR]) {
		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);

		if (!cidr || cidr > 32)
			return -IPSET_ERR_INVALID_CIDR;
		ip_set_mask_from_to(ip, ip_to, cidr);
	}

	hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);

	if (retried)
		ip = ntohl(h->next.ip);
	for (; !before(ip_to, ip); ip += hosts) {
		nip = htonl(ip);
		if (nip == 0)
			return -IPSET_ERR_HASH_ELEM;
		ret = adtfn(set, &nip, timeout, flags);

		if (ret && !ip_set_eexist(ret, flags))
			return ret;
		else
			ret = 0;
	}
	return ret;
}

static bool
hash_ip_same_set(const struct ip_set *a, const struct ip_set *b)
{
	const struct ip_set_hash *x = a->data;
	const struct ip_set_hash *y = b->data;

	/* Resizing changes htable_bits, so we ignore it */
	return x->maxelem == y->maxelem &&
	       x->timeout == y->timeout &&
	       x->netmask == y->netmask;
}

/* The type variant functions: IPv6 */

struct hash_ip6_elem {
	union nf_inet_addr ip;
};

struct hash_ip6_telem {
	union nf_inet_addr ip;
	unsigned long timeout;
};

static inline bool
hash_ip6_data_equal(const struct hash_ip6_elem *ip1,
		    const struct hash_ip6_elem *ip2,
		    u32 *multi)
{
	return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0;
}

static inline bool
hash_ip6_data_isnull(const struct hash_ip6_elem *elem)
{
	return ipv6_addr_any(&elem->ip.in6);
}

static inline void
hash_ip6_data_copy(struct hash_ip6_elem *dst, const struct hash_ip6_elem *src)
{
	dst->ip.in6 = src->ip.in6;
}

static inline void
hash_ip6_data_zero_out(struct hash_ip6_elem *elem)
{
	ipv6_addr_set(&elem->ip.in6, 0, 0, 0, 0);
}

static inline void
ip6_netmask(union nf_inet_addr *ip, u8 prefix)
{
	ip->ip6[0] &= ip_set_netmask6(prefix)[0];
	ip->ip6[1] &= ip_set_netmask6(prefix)[1];
	ip->ip6[2] &= ip_set_netmask6(prefix)[2];
	ip->ip6[3] &= ip_set_netmask6(prefix)[3];
}

static bool
hash_ip6_data_list(struct sk_buff *skb, const struct hash_ip6_elem *data)
{
	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return 1;
}

static bool
hash_ip6_data_tlist(struct sk_buff *skb, const struct hash_ip6_elem *data)
{
	const struct hash_ip6_telem *e =
		(const struct hash_ip6_telem *)data;

	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
			  htonl(ip_set_timeout_get(e->timeout))))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return 1;
}

#undef PF
#undef HOST_MASK

#define PF		6
#define HOST_MASK	128
#include <linux/netfilter/ipset/ip_set_ahash.h>

static inline void
hash_ip6_data_next(struct ip_set_hash *h, const struct hash_ip6_elem *d)
{
}

static int
hash_ip6_kadt(struct ip_set *set, const struct sk_buff *skb,
	      const struct xt_action_param *par,
	      enum ipset_adt adt, const struct ip_set_adt_opt *opt)
{
	const struct ip_set_hash *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	union nf_inet_addr ip;

	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &ip.in6);
	ip6_netmask(&ip, h->netmask);
	if (ipv6_addr_any(&ip.in6))
		return -EINVAL;

	return adtfn(set, &ip, opt_timeout(opt, h), opt->cmdflags);
}

static const struct nla_policy hash_ip6_adt_policy[IPSET_ATTR_ADT_MAX + 1] = {
	[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
	[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
	[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
};

static int
hash_ip6_uadt(struct ip_set *set, struct nlattr *tb[],
	      enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
	const struct ip_set_hash *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	union nf_inet_addr ip;
	u32 timeout = h->timeout;
	int ret;

	if (unlikely(!tb[IPSET_ATTR_IP] ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
		     tb[IPSET_ATTR_IP_TO] ||
		     tb[IPSET_ATTR_CIDR]))
		return -IPSET_ERR_PROTOCOL;

	if (tb[IPSET_ATTR_LINENO])
		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &ip);
	if (ret)
		return ret;

	ip6_netmask(&ip, h->netmask);
	if (ipv6_addr_any(&ip.in6))
		return -IPSET_ERR_HASH_ELEM;

	if (tb[IPSET_ATTR_TIMEOUT]) {
		if (!with_timeout(h->timeout))
			return -IPSET_ERR_TIMEOUT;
		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
	}

	ret = adtfn(set, &ip, timeout, flags);

	return ip_set_eexist(ret, flags) ? 0 : ret;
}

/* Create hash:ip type of sets */

static int
hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
{
	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
	u8 netmask, hbits;
	size_t hsize;
	struct ip_set_hash *h;

	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
		return -IPSET_ERR_INVALID_FAMILY;
	netmask = set->family == NFPROTO_IPV4 ? 32 : 128;
	pr_debug("Create set %s with family %s\n",
		 set->name, set->family == NFPROTO_IPV4 ? "inet" : "inet6");

	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
		return -IPSET_ERR_PROTOCOL;

	if (tb[IPSET_ATTR_HASHSIZE]) {
		hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
		if (hashsize < IPSET_MIMINAL_HASHSIZE)
			hashsize = IPSET_MIMINAL_HASHSIZE;
	}

	if (tb[IPSET_ATTR_MAXELEM])
		maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);

	if (tb[IPSET_ATTR_NETMASK]) {
		netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);

		if ((set->family == NFPROTO_IPV4 && netmask > 32) ||
		    (set->family == NFPROTO_IPV6 && netmask > 128) ||
		    netmask == 0)
			return -IPSET_ERR_INVALID_NETMASK;
	}

	h = kzalloc(sizeof(*h), GFP_KERNEL);
	if (!h)
		return -ENOMEM;

	h->maxelem = maxelem;
	h->netmask = netmask;
	get_random_bytes(&h->initval, sizeof(h->initval));
	h->timeout = IPSET_NO_TIMEOUT;

	hbits = htable_bits(hashsize);
	hsize = htable_size(hbits);
	if (hsize == 0) {
		kfree(h);
		return -ENOMEM;
	}
	h->table = ip_set_alloc(hsize);
	if (!h->table) {
		kfree(h);
		return -ENOMEM;
	}
	h->table->htable_bits = hbits;

	set->data = h;

	if (tb[IPSET_ATTR_TIMEOUT]) {
		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);

		set->variant = set->family == NFPROTO_IPV4
			? &hash_ip4_tvariant : &hash_ip6_tvariant;

		if (set->family == NFPROTO_IPV4)
			hash_ip4_gc_init(set);
		else
			hash_ip6_gc_init(set);
	} else {
		set->variant = set->family == NFPROTO_IPV4
			? &hash_ip4_variant : &hash_ip6_variant;
	}

	pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
		 set->name, jhash_size(h->table->htable_bits),
		 h->table->htable_bits, h->maxelem, set->data, h->table);

	return 0;
}

static struct ip_set_type hash_ip_type __read_mostly = {
	.name		= "hash:ip",
	.protocol	= IPSET_PROTOCOL,
	.features	= IPSET_TYPE_IP,
	.dimension	= IPSET_DIM_ONE,
	.family		= NFPROTO_UNSPEC,
	.revision_min	= REVISION_MIN,
	.revision_max	= REVISION_MAX,
	.create		= hash_ip_create,
	.create_policy	= {
		[IPSET_ATTR_HASHSIZE]	= { .type = NLA_U32 },
		[IPSET_ATTR_MAXELEM]	= { .type = NLA_U32 },
		[IPSET_ATTR_PROBES]	= { .type = NLA_U8 },
		[IPSET_ATTR_RESIZE]	= { .type = NLA_U8  },
		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
		[IPSET_ATTR_NETMASK]	= { .type = NLA_U8  },
	},
	.adt_policy	= {
		[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
		[IPSET_ATTR_IP_TO]	= { .type = NLA_NESTED },
		[IPSET_ATTR_CIDR]	= { .type = NLA_U8 },
		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
	},
	.me		= THIS_MODULE,
};

static int __init
hash_ip_init(void)
{
	return ip_set_type_register(&hash_ip_type);
}

static void __exit
hash_ip_fini(void)
{
	ip_set_type_unregister(&hash_ip_type);
}

module_init(hash_ip_init);
module_exit(hash_ip_fini);
Commit	Line	Data
6c027889 JK	1	/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	2	*
	3	* This program is free software; you can redistribute it and/or modify
	4	* it under the terms of the GNU General Public License version 2 as
	5	* published by the Free Software Foundation.
	6	*/
	7
	8	/* Kernel module implementing an IP set type: the hash:ip type */
	9
	10	#include <linux/jhash.h>
	11	#include <linux/module.h>
	12	#include <linux/ip.h>
	13	#include <linux/skbuff.h>
	14	#include <linux/errno.h>
6c027889 JK	15	#include <linux/random.h>
	16	#include <net/ip.h>
	17	#include <net/ipv6.h>
	18	#include <net/netlink.h>
	19	#include <net/tcp.h>
	20
	21	#include <linux/netfilter.h>
	22	#include <linux/netfilter/ipset/pfxlen.h>
	23	#include <linux/netfilter/ipset/ip_set.h>
	24	#include <linux/netfilter/ipset/ip_set_timeout.h>
	25	#include <linux/netfilter/ipset/ip_set_hash.h>
	26
10111a6e JK	27	#define REVISION_MIN 0
	28	#define REVISION_MAX 0
	29
6c027889 JK	30	MODULE_LICENSE("GPL");
6c027889 JK	31	MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
10111a6e	32	IP_SET_MODULE_DESC("hash:ip", REVISION_MIN, REVISION_MAX);
6c027889 JK	33	MODULE_ALIAS("ip_set_hash:ip");
	34
	35	/* Type specific function prefix */
	36	#define TYPE hash_ip
	37
	38	static bool
	39	hash_ip_same_set(const struct ip_set a, const struct ip_set b);
	40
	41	#define hash_ip4_same_set hash_ip_same_set
	42	#define hash_ip6_same_set hash_ip_same_set
	43
	44	/* The type variant functions: IPv4 */
	45
	46	/* Member elements without timeout */
	47	struct hash_ip4_elem {
	48	__be32 ip;
	49	};
	50
	51	/* Member elements with timeout support */
	52	struct hash_ip4_telem {
	53	__be32 ip;
	54	unsigned long timeout;
	55	};
	56
	57	static inline bool
	58	hash_ip4_data_equal(const struct hash_ip4_elem *ip1,
89dc79b7 JK	59	const struct hash_ip4_elem *ip2,
89dc79b7 JK	60	u32 *multi)
6c027889 JK	61	{
	62	return ip1->ip == ip2->ip;
	63	}
	64
	65	static inline bool
	66	hash_ip4_data_isnull(const struct hash_ip4_elem *elem)
	67	{
	68	return elem->ip == 0;
	69	}
	70
	71	static inline void
	72	hash_ip4_data_copy(struct hash_ip4_elem dst, const struct hash_ip4_elem src)
	73	{
	74	dst->ip = src->ip;
	75	}
	76
	77	/* Zero valued IP addresses cannot be stored */
	78	static inline void
	79	hash_ip4_data_zero_out(struct hash_ip4_elem *elem)
	80	{
	81	elem->ip = 0;
	82	}
	83
	84	static inline bool
	85	hash_ip4_data_list(struct sk_buff skb, const struct hash_ip4_elem data)
	86	{
7cf7899d DM	87	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip))
7cf7899d DM	88	goto nla_put_failure;
6c027889 JK	89	return 0;
	90
	91	nla_put_failure:
	92	return 1;
	93	}
	94
	95	static bool
	96	hash_ip4_data_tlist(struct sk_buff skb, const struct hash_ip4_elem data)
	97	{
	98	const struct hash_ip4_telem *tdata =
	99	(const struct hash_ip4_telem *)data;
	100
7cf7899d DM	101	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) \|\|
	102	nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
	103	htonl(ip_set_timeout_get(tdata->timeout))))
	104	goto nla_put_failure;
6c027889 JK	105
	106	return 0;
	107
	108	nla_put_failure:
	109	return 1;
	110	}
	111
	112	#define IP_SET_HASH_WITH_NETMASK
	113	#define PF 4
	114	#define HOST_MASK 32
	115	#include <linux/netfilter/ipset/ip_set_ahash.h>
	116
3d14b171 JK	117	static inline void
	118	hash_ip4_data_next(struct ip_set_hash h, const struct hash_ip4_elem d)
	119	{
6e27c9b4	120	h->next.ip = d->ip;
3d14b171 JK	121	}
3d14b171 JK	122
6c027889 JK	123	static int
6c027889 JK	124	hash_ip4_kadt(struct ip_set set, const struct sk_buff skb,
b66554cf	125	const struct xt_action_param *par,
ac8cc925	126	enum ipset_adt adt, const struct ip_set_adt_opt *opt)
6c027889 JK	127	{
	128	const struct ip_set_hash *h = set->data;
	129	ipset_adtfn adtfn = set->variant->adt[adt];
	130	__be32 ip;
	131
ac8cc925	132	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &ip);
6c027889 JK	133	ip &= ip_set_netmask(h->netmask);
	134	if (ip == 0)
	135	return -EINVAL;
	136
ac8cc925	137	return adtfn(set, &ip, opt_timeout(opt, h), opt->cmdflags);
6c027889 JK	138	}
	139
	140	static int
	141	hash_ip4_uadt(struct ip_set set, struct nlattr tb[],
3d14b171	142	enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
6c027889 JK	143	{
	144	const struct ip_set_hash *h = set->data;
	145	ipset_adtfn adtfn = set->variant->adt[adt];
	146	u32 ip, ip_to, hosts, timeout = h->timeout;
	147	__be32 nip;
	148	int ret = 0;
	149
	150	if (unlikely(!tb[IPSET_ATTR_IP] \|\|
	151	!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
	152	return -IPSET_ERR_PROTOCOL;
	153
	154	if (tb[IPSET_ATTR_LINENO])
	155	*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
	156
	157	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
	158	if (ret)
	159	return ret;
	160
	161	ip &= ip_set_hostmask(h->netmask);
	162
	163	if (tb[IPSET_ATTR_TIMEOUT]) {
	164	if (!with_timeout(h->timeout))
	165	return -IPSET_ERR_TIMEOUT;
	166	timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
	167	}
	168
	169	if (adt == IPSET_TEST) {
	170	nip = htonl(ip);
	171	if (nip == 0)
	172	return -IPSET_ERR_HASH_ELEM;
5416219e	173	return adtfn(set, &nip, timeout, flags);
6c027889 JK	174	}
6c027889 JK	175
4fe198e6	176	ip_to = ip;
6c027889 JK	177	if (tb[IPSET_ATTR_IP_TO]) {
	178	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
	179	if (ret)
	180	return ret;
	181	if (ip > ip_to)
	182	swap(ip, ip_to);
	183	} else if (tb[IPSET_ATTR_CIDR]) {
	184	u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
	185
b9fed748	186	if (!cidr \|\| cidr > 32)
6c027889	187	return -IPSET_ERR_INVALID_CIDR;
e6146e86	188	ip_set_mask_from_to(ip, ip_to, cidr);
4fe198e6	189	}
6c027889 JK	190
	191	hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);
	192
3d14b171	193	if (retried)
6e27c9b4	194	ip = ntohl(h->next.ip);
6c027889 JK	195	for (; !before(ip_to, ip); ip += hosts) {
	196	nip = htonl(ip);
	197	if (nip == 0)
	198	return -IPSET_ERR_HASH_ELEM;
5416219e	199	ret = adtfn(set, &nip, timeout, flags);
6c027889 JK	200
	201	if (ret && !ip_set_eexist(ret, flags))
	202	return ret;
	203	else
	204	ret = 0;
	205	}
	206	return ret;
	207	}
	208
	209	static bool
	210	hash_ip_same_set(const struct ip_set a, const struct ip_set b)
	211	{
	212	const struct ip_set_hash *x = a->data;
	213	const struct ip_set_hash *y = b->data;
	214
	215	/* Resizing changes htable_bits, so we ignore it */
	216	return x->maxelem == y->maxelem &&
	217	x->timeout == y->timeout &&
	218	x->netmask == y->netmask;
	219	}
	220
	221	/* The type variant functions: IPv6 */
	222
	223	struct hash_ip6_elem {
	224	union nf_inet_addr ip;
	225	};
	226
	227	struct hash_ip6_telem {
	228	union nf_inet_addr ip;
	229	unsigned long timeout;
	230	};
	231
	232	static inline bool
	233	hash_ip6_data_equal(const struct hash_ip6_elem *ip1,
89dc79b7 JK	234	const struct hash_ip6_elem *ip2,
89dc79b7 JK	235	u32 *multi)
6c027889 JK	236	{
	237	return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0;
	238	}
	239
	240	static inline bool
	241	hash_ip6_data_isnull(const struct hash_ip6_elem *elem)
	242	{
	243	return ipv6_addr_any(&elem->ip.in6);
	244	}
	245
	246	static inline void
	247	hash_ip6_data_copy(struct hash_ip6_elem dst, const struct hash_ip6_elem src)
	248	{
4e3fd7a0	249	dst->ip.in6 = src->ip.in6;
6c027889 JK	250	}
	251
	252	static inline void
	253	hash_ip6_data_zero_out(struct hash_ip6_elem *elem)
	254	{
	255	ipv6_addr_set(&elem->ip.in6, 0, 0, 0, 0);
	256	}
	257
	258	static inline void
	259	ip6_netmask(union nf_inet_addr *ip, u8 prefix)
	260	{
	261	ip->ip6[0] &= ip_set_netmask6(prefix)[0];
	262	ip->ip6[1] &= ip_set_netmask6(prefix)[1];
	263	ip->ip6[2] &= ip_set_netmask6(prefix)[2];
	264	ip->ip6[3] &= ip_set_netmask6(prefix)[3];
	265	}
	266
	267	static bool
	268	hash_ip6_data_list(struct sk_buff skb, const struct hash_ip6_elem data)
	269	{
7cf7899d DM	270	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6))
7cf7899d DM	271	goto nla_put_failure;
6c027889 JK	272	return 0;
	273
	274	nla_put_failure:
	275	return 1;
	276	}
	277
	278	static bool
	279	hash_ip6_data_tlist(struct sk_buff skb, const struct hash_ip6_elem data)
	280	{
	281	const struct hash_ip6_telem *e =
	282	(const struct hash_ip6_telem *)data;
	283
7cf7899d DM	284	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) \|\|
	285	nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
	286	htonl(ip_set_timeout_get(e->timeout))))
	287	goto nla_put_failure;
6c027889 JK	288	return 0;
	289
	290	nla_put_failure:
	291	return 1;
	292	}
	293
	294	#undef PF
	295	#undef HOST_MASK
	296
	297	#define PF 6
	298	#define HOST_MASK 128
	299	#include <linux/netfilter/ipset/ip_set_ahash.h>
	300
3d14b171 JK	301	static inline void
	302	hash_ip6_data_next(struct ip_set_hash h, const struct hash_ip6_elem d)
	303	{
	304	}
	305
6c027889 JK	306	static int
6c027889 JK	307	hash_ip6_kadt(struct ip_set set, const struct sk_buff skb,
b66554cf	308	const struct xt_action_param *par,
ac8cc925	309	enum ipset_adt adt, const struct ip_set_adt_opt *opt)
6c027889 JK	310	{
	311	const struct ip_set_hash *h = set->data;
	312	ipset_adtfn adtfn = set->variant->adt[adt];
	313	union nf_inet_addr ip;
	314
ac8cc925	315	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &ip.in6);
6c027889 JK	316	ip6_netmask(&ip, h->netmask);
	317	if (ipv6_addr_any(&ip.in6))
	318	return -EINVAL;
	319
ac8cc925	320	return adtfn(set, &ip, opt_timeout(opt, h), opt->cmdflags);
6c027889 JK	321	}
	322
	323	static const struct nla_policy hash_ip6_adt_policy[IPSET_ATTR_ADT_MAX + 1] = {
	324	[IPSET_ATTR_IP] = { .type = NLA_NESTED },
	325	[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
	326	[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
	327	};
	328
	329	static int
	330	hash_ip6_uadt(struct ip_set set, struct nlattr tb[],
3d14b171	331	enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
6c027889 JK	332	{
	333	const struct ip_set_hash *h = set->data;
	334	ipset_adtfn adtfn = set->variant->adt[adt];
	335	union nf_inet_addr ip;
	336	u32 timeout = h->timeout;
	337	int ret;
	338
	339	if (unlikely(!tb[IPSET_ATTR_IP] \|\|
	340	!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) \|\|
	341	tb[IPSET_ATTR_IP_TO] \|\|
	342	tb[IPSET_ATTR_CIDR]))
	343	return -IPSET_ERR_PROTOCOL;
	344
	345	if (tb[IPSET_ATTR_LINENO])
	346	*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
	347
	348	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &ip);
	349	if (ret)
	350	return ret;
	351
	352	ip6_netmask(&ip, h->netmask);
	353	if (ipv6_addr_any(&ip.in6))
	354	return -IPSET_ERR_HASH_ELEM;
	355
	356	if (tb[IPSET_ATTR_TIMEOUT]) {
	357	if (!with_timeout(h->timeout))
	358	return -IPSET_ERR_TIMEOUT;
	359	timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
	360	}
	361
5416219e	362	ret = adtfn(set, &ip, timeout, flags);
6c027889 JK	363
	364	return ip_set_eexist(ret, flags) ? 0 : ret;
	365	}
	366
	367	/* Create hash:ip type of sets */
	368
	369	static int
	370	hash_ip_create(struct ip_set set, struct nlattr tb[], u32 flags)
	371	{
	372	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
	373	u8 netmask, hbits;
26a5d3cc	374	size_t hsize;
6c027889 JK	375	struct ip_set_hash *h;
6c027889 JK	376
c15f1c83	377	if (!(set->family == NFPROTO_IPV4 \|\| set->family == NFPROTO_IPV6))
6c027889	378	return -IPSET_ERR_INVALID_FAMILY;
c15f1c83	379	netmask = set->family == NFPROTO_IPV4 ? 32 : 128;
6c027889	380	pr_debug("Create set %s with family %s\n",
c15f1c83	381	set->name, set->family == NFPROTO_IPV4 ? "inet" : "inet6");
6c027889 JK	382
	383	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) \|\|
	384	!ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) \|\|
	385	!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
	386	return -IPSET_ERR_PROTOCOL;
	387
	388	if (tb[IPSET_ATTR_HASHSIZE]) {
	389	hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
	390	if (hashsize < IPSET_MIMINAL_HASHSIZE)
	391	hashsize = IPSET_MIMINAL_HASHSIZE;
	392	}
	393
	394	if (tb[IPSET_ATTR_MAXELEM])
	395	maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
	396
	397	if (tb[IPSET_ATTR_NETMASK]) {
	398	netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
	399
c15f1c83 JE	400	if ((set->family == NFPROTO_IPV4 && netmask > 32) \|\|
c15f1c83 JE	401	(set->family == NFPROTO_IPV6 && netmask > 128) \|\|
6c027889 JK	402	netmask == 0)
	403	return -IPSET_ERR_INVALID_NETMASK;
	404	}
	405
	406	h = kzalloc(sizeof(*h), GFP_KERNEL);
	407	if (!h)
	408	return -ENOMEM;
	409
	410	h->maxelem = maxelem;
	411	h->netmask = netmask;
	412	get_random_bytes(&h->initval, sizeof(h->initval));
	413	h->timeout = IPSET_NO_TIMEOUT;
	414
	415	hbits = htable_bits(hashsize);
26a5d3cc JK	416	hsize = htable_size(hbits);
	417	if (hsize == 0) {
	418	kfree(h);
	419	return -ENOMEM;
	420	}
	421	h->table = ip_set_alloc(hsize);
6c027889 JK	422	if (!h->table) {
	423	kfree(h);
	424	return -ENOMEM;
	425	}
	426	h->table->htable_bits = hbits;
	427
	428	set->data = h;
	429
	430	if (tb[IPSET_ATTR_TIMEOUT]) {
	431	h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
	432
c15f1c83	433	set->variant = set->family == NFPROTO_IPV4
6c027889 JK	434	? &hash_ip4_tvariant : &hash_ip6_tvariant;
6c027889 JK	435
c15f1c83	436	if (set->family == NFPROTO_IPV4)
6c027889 JK	437	hash_ip4_gc_init(set);
	438	else
	439	hash_ip6_gc_init(set);
	440	} else {
c15f1c83	441	set->variant = set->family == NFPROTO_IPV4
6c027889 JK	442	? &hash_ip4_variant : &hash_ip6_variant;
	443	}
	444
	445	pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
	446	set->name, jhash_size(h->table->htable_bits),
	447	h->table->htable_bits, h->maxelem, set->data, h->table);
	448
	449	return 0;
	450	}
	451
	452	static struct ip_set_type hash_ip_type __read_mostly = {
	453	.name = "hash:ip",
	454	.protocol = IPSET_PROTOCOL,
	455	.features = IPSET_TYPE_IP,
	456	.dimension = IPSET_DIM_ONE,
c15f1c83	457	.family = NFPROTO_UNSPEC,
10111a6e JK	458	.revision_min = REVISION_MIN,
10111a6e JK	459	.revision_max = REVISION_MAX,
6c027889 JK	460	.create = hash_ip_create,
	461	.create_policy = {
	462	[IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
	463	[IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
	464	[IPSET_ATTR_PROBES] = { .type = NLA_U8 },
	465	[IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
	466	[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
	467	[IPSET_ATTR_NETMASK] = { .type = NLA_U8 },
	468	},
	469	.adt_policy = {
	470	[IPSET_ATTR_IP] = { .type = NLA_NESTED },
	471	[IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
	472	[IPSET_ATTR_CIDR] = { .type = NLA_U8 },
	473	[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
	474	[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
	475	},
	476	.me = THIS_MODULE,
	477	};
	478
	479	static int __init
	480	hash_ip_init(void)
	481	{
	482	return ip_set_type_register(&hash_ip_type);
	483	}
	484
	485	static void __exit
	486	hash_ip_fini(void)
	487	{
	488	ip_set_type_unregister(&hash_ip_type);
	489	}
	490
	491	module_init(hash_ip_init);
	492	module_exit(hash_ip_fini);