projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
netfilter: ipset: timeout can be modified for already added elements
[deliverable/linux.git] / net / netfilter / ipset / ip_set_bitmap_port.c
1 /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License version 2 as
5 * published by the Free Software Foundation.
6 */
7
8 /* Kernel module implementing an IP set type: the bitmap:port type */
9
10 #include <linux/module.h>
11 #include <linux/ip.h>
12 #include <linux/skbuff.h>
13 #include <linux/errno.h>
14 #include <linux/netlink.h>
15 #include <linux/jiffies.h>
16 #include <linux/timer.h>
17 #include <net/netlink.h>
18
19 #include <linux/netfilter/ipset/ip_set.h>
20 #include <linux/netfilter/ipset/ip_set_bitmap.h>
21 #include <linux/netfilter/ipset/ip_set_getport.h>
22 #define IP_SET_BITMAP_TIMEOUT
23 #include <linux/netfilter/ipset/ip_set_timeout.h>
24
25 MODULE_LICENSE("GPL");
26 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
27 MODULE_DESCRIPTION("bitmap:port type of IP sets");
28 MODULE_ALIAS("ip_set_bitmap:port");
29
30 /* Type structure */
31 struct bitmap_port {
32 void *members; /* the set members */
33 u16 first_port; /* host byte order, included in range */
34 u16 last_port; /* host byte order, included in range */
35 size_t memsize; /* members size */
36 u32 timeout; /* timeout parameter */
37 struct timer_list gc; /* garbage collection */
38 };
39
40 /* Base variant */
41
42 static int
43 bitmap_port_test(struct ip_set *set, void *value, u32 timeout, u32 flags)
44 {
45 const struct bitmap_port *map = set->data;
46 u16 id = *(u16 *)value;
47
48 return !!test_bit(id, map->members);
49 }
50
51 static int
52 bitmap_port_add(struct ip_set *set, void *value, u32 timeout, u32 flags)
53 {
54 struct bitmap_port *map = set->data;
55 u16 id = *(u16 *)value;
56
57 if (test_and_set_bit(id, map->members))
58 return -IPSET_ERR_EXIST;
59
60 return 0;
61 }
62
63 static int
64 bitmap_port_del(struct ip_set *set, void *value, u32 timeout, u32 flags)
65 {
66 struct bitmap_port *map = set->data;
67 u16 id = *(u16 *)value;
68
69 if (!test_and_clear_bit(id, map->members))
70 return -IPSET_ERR_EXIST;
71
72 return 0;
73 }
74
75 static int
76 bitmap_port_list(const struct ip_set *set,
77 struct sk_buff *skb, struct netlink_callback *cb)
78 {
79 const struct bitmap_port *map = set->data;
80 struct nlattr *atd, *nested;
81 u16 id, first = cb->args[2];
82 u16 last = map->last_port - map->first_port;
83
84 atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
85 if (!atd)
86 return -EMSGSIZE;
87 for (; cb->args[2] <= last; cb->args[2]++) {
88 id = cb->args[2];
89 if (!test_bit(id, map->members))
90 continue;
91 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
92 if (!nested) {
93 if (id == first) {
94 nla_nest_cancel(skb, atd);
95 return -EMSGSIZE;
96 } else
97 goto nla_put_failure;
98 }
99 NLA_PUT_NET16(skb, IPSET_ATTR_PORT,
100 htons(map->first_port + id));
101 ipset_nest_end(skb, nested);
102 }
103 ipset_nest_end(skb, atd);
104 /* Set listing finished */
105 cb->args[2] = 0;
106
107 return 0;
108
109 nla_put_failure:
110 nla_nest_cancel(skb, nested);
111 ipset_nest_end(skb, atd);
112 if (unlikely(id == first)) {
113 cb->args[2] = 0;
114 return -EMSGSIZE;
115 }
116 return 0;
117 }
118
119 /* Timeout variant */
120
121 static int
122 bitmap_port_ttest(struct ip_set *set, void *value, u32 timeout, u32 flags)
123 {
124 const struct bitmap_port *map = set->data;
125 const unsigned long *members = map->members;
126 u16 id = *(u16 *)value;
127
128 return ip_set_timeout_test(members[id]);
129 }
130
131 static int
132 bitmap_port_tadd(struct ip_set *set, void *value, u32 timeout, u32 flags)
133 {
134 struct bitmap_port *map = set->data;
135 unsigned long *members = map->members;
136 u16 id = *(u16 *)value;
137
138 if (ip_set_timeout_test(members[id]) && !(flags & IPSET_FLAG_EXIST))
139 return -IPSET_ERR_EXIST;
140
141 members[id] = ip_set_timeout_set(timeout);
142
143 return 0;
144 }
145
146 static int
147 bitmap_port_tdel(struct ip_set *set, void *value, u32 timeout, u32 flags)
148 {
149 struct bitmap_port *map = set->data;
150 unsigned long *members = map->members;
151 u16 id = *(u16 *)value;
152 int ret = -IPSET_ERR_EXIST;
153
154 if (ip_set_timeout_test(members[id]))
155 ret = 0;
156
157 members[id] = IPSET_ELEM_UNSET;
158 return ret;
159 }
160
161 static int
162 bitmap_port_tlist(const struct ip_set *set,
163 struct sk_buff *skb, struct netlink_callback *cb)
164 {
165 const struct bitmap_port *map = set->data;
166 struct nlattr *adt, *nested;
167 u16 id, first = cb->args[2];
168 u16 last = map->last_port - map->first_port;
169 const unsigned long *members = map->members;
170
171 adt = ipset_nest_start(skb, IPSET_ATTR_ADT);
172 if (!adt)
173 return -EMSGSIZE;
174 for (; cb->args[2] <= last; cb->args[2]++) {
175 id = cb->args[2];
176 if (!ip_set_timeout_test(members[id]))
177 continue;
178 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
179 if (!nested) {
180 if (id == first) {
181 nla_nest_cancel(skb, adt);
182 return -EMSGSIZE;
183 } else
184 goto nla_put_failure;
185 }
186 NLA_PUT_NET16(skb, IPSET_ATTR_PORT,
187 htons(map->first_port + id));
188 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
189 htonl(ip_set_timeout_get(members[id])));
190 ipset_nest_end(skb, nested);
191 }
192 ipset_nest_end(skb, adt);
193
194 /* Set listing finished */
195 cb->args[2] = 0;
196
197 return 0;
198
199 nla_put_failure:
200 nla_nest_cancel(skb, nested);
201 ipset_nest_end(skb, adt);
202 if (unlikely(id == first)) {
203 cb->args[2] = 0;
204 return -EMSGSIZE;
205 }
206 return 0;
207 }
208
209 static int
210 bitmap_port_kadt(struct ip_set *set, const struct sk_buff *skb,
211 enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
212 {
213 struct bitmap_port *map = set->data;
214 ipset_adtfn adtfn = set->variant->adt[adt];
215 __be16 __port;
216 u16 port = 0;
217
218 if (!ip_set_get_ip_port(skb, pf, flags & IPSET_DIM_ONE_SRC, &__port))
219 return -EINVAL;
220
221 port = ntohs(__port);
222
223 if (port < map->first_port || port > map->last_port)
224 return -IPSET_ERR_BITMAP_RANGE;
225
226 port -= map->first_port;
227
228 return adtfn(set, &port, map->timeout, flags);
229 }
230
231 static int
232 bitmap_port_uadt(struct ip_set *set, struct nlattr *tb[],
233 enum ipset_adt adt, u32 *lineno, u32 flags)
234 {
235 struct bitmap_port *map = set->data;
236 ipset_adtfn adtfn = set->variant->adt[adt];
237 u32 timeout = map->timeout;
238 u32 port; /* wraparound */
239 u16 id, port_to;
240 int ret = 0;
241
242 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
243 !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
244 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
245 return -IPSET_ERR_PROTOCOL;
246
247 if (tb[IPSET_ATTR_LINENO])
248 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
249
250 port = ip_set_get_h16(tb[IPSET_ATTR_PORT]);
251 if (port < map->first_port || port > map->last_port)
252 return -IPSET_ERR_BITMAP_RANGE;
253
254 if (tb[IPSET_ATTR_TIMEOUT]) {
255 if (!with_timeout(map->timeout))
256 return -IPSET_ERR_TIMEOUT;
257 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
258 }
259
260 if (adt == IPSET_TEST) {
261 id = port - map->first_port;
262 return adtfn(set, &id, timeout, flags);
263 }
264
265 if (tb[IPSET_ATTR_PORT_TO]) {
266 port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
267 if (port > port_to) {
268 swap(port, port_to);
269 if (port < map->first_port)
270 return -IPSET_ERR_BITMAP_RANGE;
271 }
272 } else
273 port_to = port;
274
275 if (port_to > map->last_port)
276 return -IPSET_ERR_BITMAP_RANGE;
277
278 for (; port <= port_to; port++) {
279 id = port - map->first_port;
280 ret = adtfn(set, &id, timeout, flags);
281
282 if (ret && !ip_set_eexist(ret, flags))
283 return ret;
284 else
285 ret = 0;
286 }
287 return ret;
288 }
289
290 static void
291 bitmap_port_destroy(struct ip_set *set)
292 {
293 struct bitmap_port *map = set->data;
294
295 if (with_timeout(map->timeout))
296 del_timer_sync(&map->gc);
297
298 ip_set_free(map->members);
299 kfree(map);
300
301 set->data = NULL;
302 }
303
304 static void
305 bitmap_port_flush(struct ip_set *set)
306 {
307 struct bitmap_port *map = set->data;
308
309 memset(map->members, 0, map->memsize);
310 }
311
312 static int
313 bitmap_port_head(struct ip_set *set, struct sk_buff *skb)
314 {
315 const struct bitmap_port *map = set->data;
316 struct nlattr *nested;
317
318 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
319 if (!nested)
320 goto nla_put_failure;
321 NLA_PUT_NET16(skb, IPSET_ATTR_PORT, htons(map->first_port));
322 NLA_PUT_NET16(skb, IPSET_ATTR_PORT_TO, htons(map->last_port));
323 NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
324 NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
325 htonl(sizeof(*map) + map->memsize));
326 if (with_timeout(map->timeout))
327 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
328 ipset_nest_end(skb, nested);
329
330 return 0;
331 nla_put_failure:
332 return -EMSGSIZE;
333 }
334
335 static bool
336 bitmap_port_same_set(const struct ip_set *a, const struct ip_set *b)
337 {
338 const struct bitmap_port *x = a->data;
339 const struct bitmap_port *y = b->data;
340
341 return x->first_port == y->first_port &&
342 x->last_port == y->last_port &&
343 x->timeout == y->timeout;
344 }
345
346 static const struct ip_set_type_variant bitmap_port = {
347 .kadt = bitmap_port_kadt,
348 .uadt = bitmap_port_uadt,
349 .adt = {
350 [IPSET_ADD] = bitmap_port_add,
351 [IPSET_DEL] = bitmap_port_del,
352 [IPSET_TEST] = bitmap_port_test,
353 },
354 .destroy = bitmap_port_destroy,
355 .flush = bitmap_port_flush,
356 .head = bitmap_port_head,
357 .list = bitmap_port_list,
358 .same_set = bitmap_port_same_set,
359 };
360
361 static const struct ip_set_type_variant bitmap_tport = {
362 .kadt = bitmap_port_kadt,
363 .uadt = bitmap_port_uadt,
364 .adt = {
365 [IPSET_ADD] = bitmap_port_tadd,
366 [IPSET_DEL] = bitmap_port_tdel,
367 [IPSET_TEST] = bitmap_port_ttest,
368 },
369 .destroy = bitmap_port_destroy,
370 .flush = bitmap_port_flush,
371 .head = bitmap_port_head,
372 .list = bitmap_port_tlist,
373 .same_set = bitmap_port_same_set,
374 };
375
376 static void
377 bitmap_port_gc(unsigned long ul_set)
378 {
379 struct ip_set *set = (struct ip_set *) ul_set;
380 struct bitmap_port *map = set->data;
381 unsigned long *table = map->members;
382 u32 id; /* wraparound */
383 u16 last = map->last_port - map->first_port;
384
385 /* We run parallel with other readers (test element)
386 * but adding/deleting new entries is locked out */
387 read_lock_bh(&set->lock);
388 for (id = 0; id <= last; id++)
389 if (ip_set_timeout_expired(table[id]))
390 table[id] = IPSET_ELEM_UNSET;
391 read_unlock_bh(&set->lock);
392
393 map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
394 add_timer(&map->gc);
395 }
396
397 static void
398 bitmap_port_gc_init(struct ip_set *set)
399 {
400 struct bitmap_port *map = set->data;
401
402 init_timer(&map->gc);
403 map->gc.data = (unsigned long) set;
404 map->gc.function = bitmap_port_gc;
405 map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
406 add_timer(&map->gc);
407 }
408
409 /* Create bitmap:ip type of sets */
410
411 static bool
412 init_map_port(struct ip_set *set, struct bitmap_port *map,
413 u16 first_port, u16 last_port)
414 {
415 map->members = ip_set_alloc(map->memsize);
416 if (!map->members)
417 return false;
418 map->first_port = first_port;
419 map->last_port = last_port;
420 map->timeout = IPSET_NO_TIMEOUT;
421
422 set->data = map;
423 set->family = AF_UNSPEC;
424
425 return true;
426 }
427
428 static int
429 bitmap_port_create(struct ip_set *set, struct nlattr *tb[],
430 u32 flags)
431 {
432 struct bitmap_port *map;
433 u16 first_port, last_port;
434
435 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
436 !ip_set_attr_netorder(tb, IPSET_ATTR_PORT_TO) ||
437 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
438 return -IPSET_ERR_PROTOCOL;
439
440 first_port = ip_set_get_h16(tb[IPSET_ATTR_PORT]);
441 last_port = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
442 if (first_port > last_port) {
443 u16 tmp = first_port;
444
445 first_port = last_port;
446 last_port = tmp;
447 }
448
449 map = kzalloc(sizeof(*map), GFP_KERNEL);
450 if (!map)
451 return -ENOMEM;
452
453 if (tb[IPSET_ATTR_TIMEOUT]) {
454 map->memsize = (last_port - first_port + 1)
455 * sizeof(unsigned long);
456
457 if (!init_map_port(set, map, first_port, last_port)) {
458 kfree(map);
459 return -ENOMEM;
460 }
461
462 map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
463 set->variant = &bitmap_tport;
464
465 bitmap_port_gc_init(set);
466 } else {
467 map->memsize = bitmap_bytes(0, last_port - first_port);
468 pr_debug("memsize: %zu\n", map->memsize);
469 if (!init_map_port(set, map, first_port, last_port)) {
470 kfree(map);
471 return -ENOMEM;
472 }
473
474 set->variant = &bitmap_port;
475 }
476 return 0;
477 }
478
479 static struct ip_set_type bitmap_port_type = {
480 .name = "bitmap:port",
481 .protocol = IPSET_PROTOCOL,
482 .features = IPSET_TYPE_PORT,
483 .dimension = IPSET_DIM_ONE,
484 .family = AF_UNSPEC,
485 .revision = 0,
486 .create = bitmap_port_create,
487 .create_policy = {
488 [IPSET_ATTR_PORT] = { .type = NLA_U16 },
489 [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 },
490 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
491 },
492 .adt_policy = {
493 [IPSET_ATTR_PORT] = { .type = NLA_U16 },
494 [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 },
495 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
496 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
497 },
498 .me = THIS_MODULE,
499 };
500
501 static int __init
502 bitmap_port_init(void)
503 {
504 return ip_set_type_register(&bitmap_port_type);
505 }
506
507 static void __exit
508 bitmap_port_fini(void)
509 {
510 ip_set_type_unregister(&bitmap_port_type);
511 }
512
513 module_init(bitmap_port_init);
514 module_exit(bitmap_port_fini);
Linux kernel - Deliverables
This page took 0.048768 seconds and 5 git commands to generate.