hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of git://blackhole.kfki.hu/nf-next 

Jozsef Kadlecsik says:

====================
ipset patches for nf-next

Please consider to apply the next bunch of patches for ipset. First
comes the small changes, then the bugfixes and at the end the RCU
related patches.

* Use MSEC_PER_SEC consistently instead of the number.
* Use SET_WITH_*() helpers to test set extensions from Sergey Popovich.
* Check extensions attributes before getting extensions from Sergey Popovich.
* Permit CIDR equal to the host address CIDR in IPv6 from Sergey Popovich.
* Make sure we always return line number on batch in the case of error
  from Sergey Popovich.
* Check CIDR value only when attribute is given from Sergey Popovich.
* Fix cidr handling for hash:*net* types, reported by Jonathan Johnson.
* Fix parallel resizing and listing of the same set so that the original
  set is kept for the whole dumping.
* Make sure listing doesn't grab a set which is just being destroyed.
* Remove rbtree from ip_set_hash_netiface.c in order to introduce RCU.
* Replace rwlock_t with spinlock_t in "struct ip_set", change the locking
  in the core and simplifications in the timeout routines.
* Introduce RCU locking in bitmap:* types with a slight modification in the
  logic on how an element is added.
* Introduce RCU locking in hash:* types. This is the most complex part of
  the changes.
* Introduce RCU locking in list type where standard rculist is used.
* Fix coding styles reported by checkpatch.pl.
====================

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Pablo Neira Ayuso 2015-06-15 18:31:22 +02:00
parent f09becc79f ca0f6a5cd9
commit 53b8762727
25 changed files with 1336 additions and 1329 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
include/linux/netfilter/ipset/ip_set.h
View File

@ -108,8 +108,13 @@ struct ip_set_counter {
atomic64_t packets; atomic64_t packets;
}; };
struct ip_set_comment_rcu {
struct rcu_head rcu;
char str[0];
};
struct ip_set_comment { struct ip_set_comment {
char *str; struct ip_set_comment_rcu __rcu *c;
}; };
struct ip_set_skbinfo { struct ip_set_skbinfo {
@ -176,6 +181,9 @@ struct ip_set_type_variant {
/* List elements */ /* List elements */
int (*list)(const struct ip_set *set, struct sk_buff *skb, int (*list)(const struct ip_set *set, struct sk_buff *skb,
struct netlink_callback *cb); struct netlink_callback *cb);
/* Keep listing private when resizing runs parallel */
void (*uref)(struct ip_set *set, struct netlink_callback *cb,
bool start);
/* Return true if "b" set is the same as "a" /* Return true if "b" set is the same as "a"
* according to the create set parameters */ * according to the create set parameters */
@ -223,7 +231,7 @@ struct ip_set {
/* The name of the set */ /* The name of the set */
char name[IPSET_MAXNAMELEN]; char name[IPSET_MAXNAMELEN];
/* Lock protecting the set data */ /* Lock protecting the set data */
rwlock_t lock; spinlock_t lock;
/* References to the set */ /* References to the set */
u32 ref; u32 ref;
/* The core set type */ /* The core set type */
@ -341,12 +349,11 @@ ip_set_put_skbinfo(struct sk_buff *skb, struct ip_set_skbinfo *skbinfo)
cpu_to_be64((u64)skbinfo->skbmark << 32 | cpu_to_be64((u64)skbinfo->skbmark << 32 |
skbinfo->skbmarkmask))) || skbinfo->skbmarkmask))) ||
(skbinfo->skbprio && (skbinfo->skbprio &&
nla_put_net32(skb, IPSET_ATTR_SKBPRIO, nla_put_net32(skb, IPSET_ATTR_SKBPRIO,
cpu_to_be32(skbinfo->skbprio))) || cpu_to_be32(skbinfo->skbprio))) ||
(skbinfo->skbqueue && (skbinfo->skbqueue &&
nla_put_net16(skb, IPSET_ATTR_SKBQUEUE, nla_put_net16(skb, IPSET_ATTR_SKBQUEUE,
cpu_to_be16(skbinfo->skbqueue))); cpu_to_be16(skbinfo->skbqueue)));
} }
static inline void static inline void
@ -380,12 +387,12 @@ ip_set_init_counter(struct ip_set_counter *counter,
/* Netlink CB args */ /* Netlink CB args */
enum { enum {
IPSET_CB_NET = 0, IPSET_CB_NET = 0, /* net namespace */
IPSET_CB_DUMP, IPSET_CB_DUMP, /* dump single set/all sets */
IPSET_CB_INDEX, IPSET_CB_INDEX, /* set index */
IPSET_CB_ARG0, IPSET_CB_PRIVATE, /* set private data */
IPSET_CB_ARG0, /* type specific */
IPSET_CB_ARG1, IPSET_CB_ARG1,
IPSET_CB_ARG2,
}; };
/* register and unregister set references */ /* register and unregister set references */
@ -545,8 +552,6 @@ ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set,
{ .bytes = ULLONG_MAX, .packets = ULLONG_MAX, \ { .bytes = ULLONG_MAX, .packets = ULLONG_MAX, \
.timeout = (set)->timeout } .timeout = (set)->timeout }
#define IP_SET_INIT_CIDR(a, b) ((a) ? (a) : (b))
#define IPSET_CONCAT(a, b) a##b #define IPSET_CONCAT(a, b) a##b
#define IPSET_TOKEN(a, b) IPSET_CONCAT(a, b) #define IPSET_TOKEN(a, b) IPSET_CONCAT(a, b)

38
include/linux/netfilter/ipset/ip_set_comment.h
View File

@ -16,41 +16,57 @@ ip_set_comment_uget(struct nlattr *tb)
return nla_data(tb); return nla_data(tb);
} }
/* Called from uadd only, protected by the set spinlock.
* The kadt functions don't use the comment extensions in any way.
*/
static inline void static inline void
ip_set_init_comment(struct ip_set_comment *comment, ip_set_init_comment(struct ip_set_comment *comment,
const struct ip_set_ext *ext) const struct ip_set_ext *ext)
{ {
struct ip_set_comment_rcu *c = rcu_dereference_protected(comment->c, 1);
size_t len = ext->comment ? strlen(ext->comment) : 0; size_t len = ext->comment ? strlen(ext->comment) : 0;
if (unlikely(comment->str)) { if (unlikely(c)) {
kfree(comment->str); kfree_rcu(c, rcu);
comment->str = NULL; rcu_assign_pointer(comment->c, NULL);
} }
if (!len) if (!len)
return; return;
if (unlikely(len > IPSET_MAX_COMMENT_SIZE)) if (unlikely(len > IPSET_MAX_COMMENT_SIZE))
len = IPSET_MAX_COMMENT_SIZE; len = IPSET_MAX_COMMENT_SIZE;
comment->str = kzalloc(len + 1, GFP_ATOMIC); c = kzalloc(sizeof(*c) + len + 1, GFP_ATOMIC);
if (unlikely(!comment->str)) if (unlikely(!c))
return; return;
strlcpy(comment->str, ext->comment, len + 1); strlcpy(c->str, ext->comment, len + 1);
rcu_assign_pointer(comment->c, c);
} }
/* Used only when dumping a set, protected by rcu_read_lock_bh() */
static inline int static inline int
ip_set_put_comment(struct sk_buff *skb, struct ip_set_comment *comment) ip_set_put_comment(struct sk_buff *skb, struct ip_set_comment *comment)
{ {
if (!comment->str) struct ip_set_comment_rcu *c = rcu_dereference_bh(comment->c);
if (!c)
return 0; return 0;
return nla_put_string(skb, IPSET_ATTR_COMMENT, comment->str); return nla_put_string(skb, IPSET_ATTR_COMMENT, c->str);
} }
/* Called from uadd/udel, flush or the garbage collectors protected
* by the set spinlock.
* Called when the set is destroyed and when there can't be any user
* of the set data anymore.
*/
static inline void static inline void
ip_set_comment_free(struct ip_set_comment *comment) ip_set_comment_free(struct ip_set_comment *comment)
{ {
if (unlikely(!comment->str)) struct ip_set_comment_rcu *c;
c = rcu_dereference_protected(comment->c, 1);
if (unlikely(!c))
return; return;
kfree(comment->str); kfree_rcu(c, rcu);
comment->str = NULL; rcu_assign_pointer(comment->c, NULL);
} }
#endif #endif

27
include/linux/netfilter/ipset/ip_set_timeout.h
View File

@ -40,38 +40,33 @@ ip_set_timeout_uget(struct nlattr *tb)
} }
static inline bool static inline bool
ip_set_timeout_test(unsigned long timeout) ip_set_timeout_expired(unsigned long *t)
{ {
return timeout == IPSET_ELEM_PERMANENT || return *t != IPSET_ELEM_PERMANENT && time_is_before_jiffies(*t);
time_is_after_jiffies(timeout);
}
static inline bool
ip_set_timeout_expired(unsigned long *timeout)
{
return *timeout != IPSET_ELEM_PERMANENT &&
time_is_before_jiffies(*timeout);
} }
static inline void static inline void
ip_set_timeout_set(unsigned long *timeout, u32 t) ip_set_timeout_set(unsigned long *timeout, u32 value)
{ {
if (!t) { unsigned long t;
if (!value) {
*timeout = IPSET_ELEM_PERMANENT; *timeout = IPSET_ELEM_PERMANENT;
return; return;
} }
*timeout = msecs_to_jiffies(t * 1000) + jiffies; t = msecs_to_jiffies(value * MSEC_PER_SEC) + jiffies;
if (*timeout == IPSET_ELEM_PERMANENT) if (t == IPSET_ELEM_PERMANENT)
/* Bingo! :-) */ /* Bingo! :-) */
(*timeout)--; t--;
*timeout = t;
} }
static inline u32 static inline u32
ip_set_timeout_get(unsigned long *timeout) ip_set_timeout_get(unsigned long *timeout)
{ {
return *timeout == IPSET_ELEM_PERMANENT ? 0 : return *timeout == IPSET_ELEM_PERMANENT ? 0 :
jiffies_to_msecs(*timeout - jiffies)/1000; jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
} }
#endif /* __KERNEL__ */ #endif /* __KERNEL__ */

6
include/uapi/linux/netfilter/ipset/ip_set.h
View File

@ -15,12 +15,12 @@
/* The protocol version */ /* The protocol version */
#define IPSET_PROTOCOL 6 #define IPSET_PROTOCOL 6
/* The maximum permissible comment length we will accept over netlink */
#define IPSET_MAX_COMMENT_SIZE 255
/* The max length of strings including NUL: set and type identifiers */ /* The max length of strings including NUL: set and type identifiers */
#define IPSET_MAXNAMELEN 32 #define IPSET_MAXNAMELEN 32
/* The maximum permissible comment length we will accept over netlink */
#define IPSET_MAX_COMMENT_SIZE 255
/* Message types and commands */ /* Message types and commands */
enum ipset_cmd { enum ipset_cmd {
IPSET_CMD_NONE, IPSET_CMD_NONE,

44
net/netfilter/ipset/ip_set_bitmap_gen.h
View File

@ -41,7 +41,7 @@ mtype_gc_init(struct ip_set *set, void (*gc)(unsigned long ul_set))
struct mtype *map = set->data; struct mtype *map = set->data;
init_timer(&map->gc); init_timer(&map->gc);
map->gc.data = (unsigned long) set; map->gc.data = (unsigned long)set;
map->gc.function = gc; map->gc.function = gc;
map->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ; map->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ;
add_timer(&map->gc); add_timer(&map->gc);
@ -144,10 +144,12 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
if (ret == IPSET_ADD_FAILED) { if (ret == IPSET_ADD_FAILED) {
if (SET_WITH_TIMEOUT(set) && if (SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(x, set))) ip_set_timeout_expired(ext_timeout(x, set))) {
ret = 0; ret = 0;
else if (!(flags & IPSET_FLAG_EXIST)) } else if (!(flags & IPSET_FLAG_EXIST)) {
set_bit(e->id, map->members);
return -IPSET_ERR_EXIST; return -IPSET_ERR_EXIST;
}
/* Element is re-added, cleanup extensions */ /* Element is re-added, cleanup extensions */
ip_set_ext_destroy(set, x); ip_set_ext_destroy(set, x);
} }
@ -165,6 +167,10 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
ip_set_init_comment(ext_comment(x, set), ext); ip_set_init_comment(ext_comment(x, set), ext);
if (SET_WITH_SKBINFO(set)) if (SET_WITH_SKBINFO(set))
ip_set_init_skbinfo(ext_skbinfo(x, set), ext); ip_set_init_skbinfo(ext_skbinfo(x, set), ext);
/* Activate element */
set_bit(e->id, map->members);
return 0; return 0;
} }
@ -203,10 +209,13 @@ mtype_list(const struct ip_set *set,
struct nlattr *adt, *nested; struct nlattr *adt, *nested;
void *x; void *x;
u32 id, first = cb->args[IPSET_CB_ARG0]; u32 id, first = cb->args[IPSET_CB_ARG0];
int ret = 0;
adt = ipset_nest_start(skb, IPSET_ATTR_ADT); adt = ipset_nest_start(skb, IPSET_ATTR_ADT);
if (!adt) if (!adt)
return -EMSGSIZE; return -EMSGSIZE;
/* Extensions may be replaced */
rcu_read_lock();
for (; cb->args[IPSET_CB_ARG0] < map->elements; for (; cb->args[IPSET_CB_ARG0] < map->elements;
cb->args[IPSET_CB_ARG0]++) { cb->args[IPSET_CB_ARG0]++) {
id = cb->args[IPSET_CB_ARG0]; id = cb->args[IPSET_CB_ARG0];
@ -214,7 +223,7 @@ mtype_list(const struct ip_set *set,
if (!test_bit(id, map->members) || if (!test_bit(id, map->members) ||
(SET_WITH_TIMEOUT(set) && (SET_WITH_TIMEOUT(set) &&
#ifdef IP_SET_BITMAP_STORED_TIMEOUT #ifdef IP_SET_BITMAP_STORED_TIMEOUT
mtype_is_filled((const struct mtype_elem *) x) && mtype_is_filled((const struct mtype_elem *)x) &&
#endif #endif
ip_set_timeout_expired(ext_timeout(x, set)))) ip_set_timeout_expired(ext_timeout(x, set))))
continue; continue;
@ -222,14 +231,16 @@ mtype_list(const struct ip_set *set,
if (!nested) { if (!nested) {
if (id == first) { if (id == first) {
nla_nest_cancel(skb, adt); nla_nest_cancel(skb, adt);
return -EMSGSIZE; ret = -EMSGSIZE;
} else goto out;
goto nla_put_failure; }
goto nla_put_failure;
} }
if (mtype_do_list(skb, map, id, set->dsize)) if (mtype_do_list(skb, map, id, set->dsize))
goto nla_put_failure; goto nla_put_failure;
if (ip_set_put_extensions(skb, set, x, if (ip_set_put_extensions(skb, set, x,
mtype_is_filled((const struct mtype_elem *) x))) mtype_is_filled((const struct mtype_elem *)x)))
goto nla_put_failure; goto nla_put_failure;
ipset_nest_end(skb, nested); ipset_nest_end(skb, nested);
} }
@ -238,29 +249,32 @@ mtype_list(const struct ip_set *set,
/* Set listing finished */ /* Set listing finished */
cb->args[IPSET_CB_ARG0] = 0; cb->args[IPSET_CB_ARG0] = 0;
return 0; goto out;
nla_put_failure: nla_put_failure:
nla_nest_cancel(skb, nested); nla_nest_cancel(skb, nested);
if (unlikely(id == first)) { if (unlikely(id == first)) {
cb->args[IPSET_CB_ARG0] = 0; cb->args[IPSET_CB_ARG0] = 0;
return -EMSGSIZE; ret = -EMSGSIZE;
} }
ipset_nest_end(skb, adt); ipset_nest_end(skb, adt);
return 0; out:
rcu_read_unlock();
return ret;
} }
static void static void
mtype_gc(unsigned long ul_set) mtype_gc(unsigned long ul_set)
{ {
struct ip_set *set = (struct ip_set *) ul_set; struct ip_set *set = (struct ip_set *)ul_set;
struct mtype *map = set->data; struct mtype *map = set->data;
void *x; void *x;
u32 id; u32 id;
/* We run parallel with other readers (test element) /* We run parallel with other readers (test element)
* but adding/deleting new entries is locked out */ * but adding/deleting new entries is locked out
read_lock_bh(&set->lock); */
spin_lock_bh(&set->lock);
for (id = 0; id < map->elements; id++) for (id = 0; id < map->elements; id++)
if (mtype_gc_test(id, map, set->dsize)) { if (mtype_gc_test(id, map, set->dsize)) {
x = get_ext(set, map, id); x = get_ext(set, map, id);
@ -269,7 +283,7 @@ mtype_gc(unsigned long ul_set)
ip_set_ext_destroy(set, x); ip_set_ext_destroy(set, x);
} }
} }
read_unlock_bh(&set->lock); spin_unlock_bh(&set->lock);
map->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ; map->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ;
add_timer(&map->gc); add_timer(&map->gc);

27
net/netfilter/ipset/ip_set_bitmap_ip.c
View File

@ -59,7 +59,7 @@ struct bitmap_ip_adt_elem {
static inline u32 static inline u32
ip_to_id(const struct bitmap_ip *m, u32 ip) ip_to_id(const struct bitmap_ip *m, u32 ip)
{ {
return ((ip & ip_set_hostmask(m->netmask)) - m->first_ip)/m->hosts; return ((ip & ip_set_hostmask(m->netmask)) - m->first_ip) / m->hosts;
} }
/* Common functions */ /* Common functions */
@ -81,7 +81,7 @@ static inline int
bitmap_ip_do_add(const struct bitmap_ip_adt_elem *e, struct bitmap_ip *map, bitmap_ip_do_add(const struct bitmap_ip_adt_elem *e, struct bitmap_ip *map,
u32 flags, size_t dsize) u32 flags, size_t dsize)
{ {
return !!test_and_set_bit(e->id, map->members); return !!test_bit(e->id, map->members);
} }
static inline int static inline int
@ -138,18 +138,12 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
struct ip_set_ext ext = IP_SET_INIT_UEXT(set); struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
int ret = 0; int ret = 0;
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP]))
return -IPSET_ERR_PROTOCOL;
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
if (ret) if (ret)
return ret; return ret;
@ -181,8 +175,9 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
if (!cidr || cidr > HOST_MASK) if (!cidr || cidr > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR; return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(ip, ip_to, cidr); ip_set_mask_from_to(ip, ip_to, cidr);
} else } else {
ip_to = ip; ip_to = ip;
}
if (ip_to > map->last_ip) if (ip_to > map->last_ip)
return -IPSET_ERR_BITMAP_RANGE; return -IPSET_ERR_BITMAP_RANGE;
@ -193,8 +188,8 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
} }
return ret; return ret;
} }
@ -284,8 +279,9 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
if (cidr >= HOST_MASK) if (cidr >= HOST_MASK)
return -IPSET_ERR_INVALID_CIDR; return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(first_ip, last_ip, cidr); ip_set_mask_from_to(first_ip, last_ip, cidr);
} else } else {
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
}
if (tb[IPSET_ATTR_NETMASK]) { if (tb[IPSET_ATTR_NETMASK]) {
netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]); netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
@ -382,6 +378,7 @@ bitmap_ip_init(void)
static void __exit static void __exit
bitmap_ip_fini(void) bitmap_ip_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&bitmap_ip_type); ip_set_type_unregister(&bitmap_ip_type);
} }

46
net/netfilter/ipset/ip_set_bitmap_ipmac.c
View File

@ -90,7 +90,7 @@ bitmap_ipmac_do_test(const struct bitmap_ipmac_adt_elem *e,
return 0; return 0;
elem = get_elem(map->extensions, e->id, dsize); elem = get_elem(map->extensions, e->id, dsize);
if (elem->filled == MAC_FILLED) if (elem->filled == MAC_FILLED)
return e->ether == NULL || return !e->ether ||
ether_addr_equal(e->ether, elem->ether); ether_addr_equal(e->ether, elem->ether);
/* Trigger kernel to fill out the ethernet address */ /* Trigger kernel to fill out the ethernet address */
return -EAGAIN; return -EAGAIN;
@ -131,7 +131,8 @@ bitmap_ipmac_add_timeout(unsigned long *timeout,
/* If MAC is unset yet, we store plain timeout value /* If MAC is unset yet, we store plain timeout value
* because the timer is not activated yet * because the timer is not activated yet
* and we can reuse it later when MAC is filled out, * and we can reuse it later when MAC is filled out,
* possibly by the kernel */ * possibly by the kernel
*/
if (e->ether) if (e->ether)
ip_set_timeout_set(timeout, t); ip_set_timeout_set(timeout, t);
else else
@ -147,28 +148,35 @@ bitmap_ipmac_do_add(const struct bitmap_ipmac_adt_elem *e,
struct bitmap_ipmac_elem *elem; struct bitmap_ipmac_elem *elem;
elem = get_elem(map->extensions, e->id, dsize); elem = get_elem(map->extensions, e->id, dsize);
if (test_and_set_bit(e->id, map->members)) { if (test_bit(e->id, map->members)) {
if (elem->filled == MAC_FILLED) { if (elem->filled == MAC_FILLED) {
if (e->ether && (flags & IPSET_FLAG_EXIST)) if (e->ether &&
memcpy(elem->ether, e->ether, ETH_ALEN); (flags & IPSET_FLAG_EXIST) &&
!ether_addr_equal(e->ether, elem->ether)) {
/* memcpy isn't atomic */
clear_bit(e->id, map->members);
smp_mb__after_atomic();
ether_addr_copy(elem->ether, e->ether);
}
return IPSET_ADD_FAILED; return IPSET_ADD_FAILED;
} else if (!e->ether) } else if (!e->ether)
/* Already added without ethernet address */ /* Already added without ethernet address */
return IPSET_ADD_FAILED; return IPSET_ADD_FAILED;
/* Fill the MAC address and trigger the timer activation */ /* Fill the MAC address and trigger the timer activation */
memcpy(elem->ether, e->ether, ETH_ALEN); clear_bit(e->id, map->members);
smp_mb__after_atomic();
ether_addr_copy(elem->ether, e->ether);
elem->filled = MAC_FILLED; elem->filled = MAC_FILLED;
return IPSET_ADD_START_STORED_TIMEOUT; return IPSET_ADD_START_STORED_TIMEOUT;
} else if (e->ether) { } else if (e->ether) {
/* We can store MAC too */ /* We can store MAC too */
memcpy(elem->ether, e->ether, ETH_ALEN); ether_addr_copy(elem->ether, e->ether);
elem->filled = MAC_FILLED; elem->filled = MAC_FILLED;
return 0; return 0;
} else {
elem->filled = MAC_UNSET;
/* MAC is not stored yet, don't start timer */
return IPSET_ADD_STORE_PLAIN_TIMEOUT;
} }
elem->filled = MAC_UNSET;
/* MAC is not stored yet, don't start timer */
return IPSET_ADD_STORE_PLAIN_TIMEOUT;
} }
static inline int static inline int
@ -239,18 +247,12 @@ bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
u32 ip = 0; u32 ip = 0;
int ret = 0; int ret = 0;
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP]))
return -IPSET_ERR_PROTOCOL;
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
if (ret) if (ret)
return ret; return ret;
@ -350,8 +352,9 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
if (cidr >= HOST_MASK) if (cidr >= HOST_MASK)
return -IPSET_ERR_INVALID_CIDR; return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(first_ip, last_ip, cidr); ip_set_mask_from_to(first_ip, last_ip, cidr);
} else } else {
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
}
elements = (u64)last_ip - first_ip + 1; elements = (u64)last_ip - first_ip + 1;
@ -419,6 +422,7 @@ bitmap_ipmac_init(void)
static void __exit static void __exit
bitmap_ipmac_fini(void) bitmap_ipmac_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&bitmap_ipmac_type); ip_set_type_unregister(&bitmap_ipmac_type);
} }

24
net/netfilter/ipset/ip_set_bitmap_port.c
View File

@ -73,7 +73,7 @@ static inline int
bitmap_port_do_add(const struct bitmap_port_adt_elem *e, bitmap_port_do_add(const struct bitmap_port_adt_elem *e,
struct bitmap_port *map, u32 flags, size_t dsize) struct bitmap_port *map, u32 flags, size_t dsize)
{ {
return !!test_and_set_bit(e->id, map->members); return !!test_bit(e->id, map->members);
} }
static inline int static inline int
@ -136,19 +136,13 @@ bitmap_port_uadt(struct ip_set *set, struct nlattr *tb[],
u16 port_to; u16 port_to;
int ret = 0; int ret = 0;
if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO)))
return -IPSET_ERR_PROTOCOL;
port = ip_set_get_h16(tb[IPSET_ATTR_PORT]); port = ip_set_get_h16(tb[IPSET_ATTR_PORT]);
if (port < map->first_port || port > map->last_port) if (port < map->first_port || port > map->last_port)
return -IPSET_ERR_BITMAP_RANGE; return -IPSET_ERR_BITMAP_RANGE;
@ -168,8 +162,9 @@ bitmap_port_uadt(struct ip_set *set, struct nlattr *tb[],
if (port < map->first_port) if (port < map->first_port)
return -IPSET_ERR_BITMAP_RANGE; return -IPSET_ERR_BITMAP_RANGE;
} }
} else } else {
port_to = port; port_to = port;
}
if (port_to > map->last_port) if (port_to > map->last_port)
return -IPSET_ERR_BITMAP_RANGE; return -IPSET_ERR_BITMAP_RANGE;
@ -180,8 +175,8 @@ bitmap_port_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
} }
return ret; return ret;
} }
@ -312,6 +307,7 @@ bitmap_port_init(void)
static void __exit static void __exit
bitmap_port_fini(void) bitmap_port_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&bitmap_port_type); ip_set_type_unregister(&bitmap_port_type);
} }

344
net/netfilter/ipset/ip_set_core.c
View File

@ -32,8 +32,10 @@ static DEFINE_RWLOCK(ip_set_ref_lock); /* protects the set refs */
struct ip_set_net { struct ip_set_net {
struct ip_set * __rcu *ip_set_list; /* all individual sets */ struct ip_set * __rcu *ip_set_list; /* all individual sets */
ip_set_id_t ip_set_max; /* max number of sets */ ip_set_id_t ip_set_max; /* max number of sets */
int is_deleted; /* deleted by ip_set_net_exit */ bool is_deleted; /* deleted by ip_set_net_exit */
bool is_destroyed; /* all sets are destroyed */
}; };
static int ip_set_net_id __read_mostly; static int ip_set_net_id __read_mostly;
static inline struct ip_set_net *ip_set_pernet(struct net *net) static inline struct ip_set_net *ip_set_pernet(struct net *net)
@ -59,8 +61,7 @@ MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
#define ip_set(inst, id) \ #define ip_set(inst, id) \
ip_set_dereference((inst)->ip_set_list)[id] ip_set_dereference((inst)->ip_set_list)[id]
/* /* The set types are implemented in modules and registered set types
* The set types are implemented in modules and registered set types
* can be found in ip_set_type_list. Adding/deleting types is * can be found in ip_set_type_list. Adding/deleting types is
* serialized by ip_set_type_mutex. * serialized by ip_set_type_mutex.
*/ */
@ -130,7 +131,8 @@ __find_set_type_get(const char *name, u8 family, u8 revision,
goto unlock; goto unlock;
} }
/* Make sure the type is already loaded /* Make sure the type is already loaded
* but we don't support the revision */ * but we don't support the revision
*/
list_for_each_entry_rcu(type, &ip_set_type_list, list) list_for_each_entry_rcu(type, &ip_set_type_list, list)
if (STRNCMP(type->name, name)) { if (STRNCMP(type->name, name)) {
err = -IPSET_ERR_FIND_TYPE; err = -IPSET_ERR_FIND_TYPE;
@ -208,15 +210,15 @@ ip_set_type_register(struct ip_set_type *type)
pr_warn("ip_set type %s, family %s with revision min %u already registered!\n", pr_warn("ip_set type %s, family %s with revision min %u already registered!\n",
type->name, family_name(type->family), type->name, family_name(type->family),
type->revision_min); type->revision_min);
ret = -EINVAL; ip_set_type_unlock();
goto unlock; return -EINVAL;
} }
list_add_rcu(&type->list, &ip_set_type_list); list_add_rcu(&type->list, &ip_set_type_list);
pr_debug("type %s, family %s, revision %u:%u registered.\n", pr_debug("type %s, family %s, revision %u:%u registered.\n",
type->name, family_name(type->family), type->name, family_name(type->family),
type->revision_min, type->revision_max); type->revision_min, type->revision_max);
unlock:
ip_set_type_unlock(); ip_set_type_unlock();
return ret; return ret;
} }
EXPORT_SYMBOL_GPL(ip_set_type_register); EXPORT_SYMBOL_GPL(ip_set_type_register);
@ -230,12 +232,12 @@ ip_set_type_unregister(struct ip_set_type *type)
pr_warn("ip_set type %s, family %s with revision min %u not registered\n", pr_warn("ip_set type %s, family %s with revision min %u not registered\n",
type->name, family_name(type->family), type->name, family_name(type->family),
type->revision_min); type->revision_min);
goto unlock; ip_set_type_unlock();
return;
} }
list_del_rcu(&type->list); list_del_rcu(&type->list);
pr_debug("type %s, family %s with revision min %u unregistered.\n", pr_debug("type %s, family %s with revision min %u unregistered.\n",
type->name, family_name(type->family), type->revision_min); type->name, family_name(type->family), type->revision_min);
unlock:
ip_set_type_unlock(); ip_set_type_unlock();
synchronize_rcu(); synchronize_rcu();
@ -289,7 +291,7 @@ static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
int int
ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr) ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr)
{ {
struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1]; struct nlattr *tb[IPSET_ATTR_IPADDR_MAX + 1];
if (unlikely(!flag_nested(nla))) if (unlikely(!flag_nested(nla)))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
@ -306,7 +308,7 @@ EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4);
int int
ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr) ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
{ {
struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1]; struct nlattr *tb[IPSET_ATTR_IPADDR_MAX + 1];
if (unlikely(!flag_nested(nla))) if (unlikely(!flag_nested(nla)))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
@ -317,7 +319,7 @@ ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]), memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]),
sizeof(struct in6_addr)); sizeof(struct in6_addr));
return 0; return 0;
} }
EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6); EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
@ -389,13 +391,22 @@ ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],
struct ip_set_ext *ext) struct ip_set_ext *ext)
{ {
u64 fullmark; u64 fullmark;
if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_TIMEOUT]) { if (tb[IPSET_ATTR_TIMEOUT]) {
if (!(set->extensions & IPSET_EXT_TIMEOUT)) if (!SET_WITH_TIMEOUT(set))
return -IPSET_ERR_TIMEOUT; return -IPSET_ERR_TIMEOUT;
ext->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]); ext->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
} }
if (tb[IPSET_ATTR_BYTES] || tb[IPSET_ATTR_PACKETS]) { if (tb[IPSET_ATTR_BYTES] || tb[IPSET_ATTR_PACKETS]) {
if (!(set->extensions & IPSET_EXT_COUNTER)) if (!SET_WITH_COUNTER(set))
return -IPSET_ERR_COUNTER; return -IPSET_ERR_COUNTER;
if (tb[IPSET_ATTR_BYTES]) if (tb[IPSET_ATTR_BYTES])
ext->bytes = be64_to_cpu(nla_get_be64( ext->bytes = be64_to_cpu(nla_get_be64(
@ -405,25 +416,25 @@ ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],
tb[IPSET_ATTR_PACKETS])); tb[IPSET_ATTR_PACKETS]));
} }
if (tb[IPSET_ATTR_COMMENT]) { if (tb[IPSET_ATTR_COMMENT]) {
if (!(set->extensions & IPSET_EXT_COMMENT)) if (!SET_WITH_COMMENT(set))
return -IPSET_ERR_COMMENT; return -IPSET_ERR_COMMENT;
ext->comment = ip_set_comment_uget(tb[IPSET_ATTR_COMMENT]); ext->comment = ip_set_comment_uget(tb[IPSET_ATTR_COMMENT]);
} }
if (tb[IPSET_ATTR_SKBMARK]) { if (tb[IPSET_ATTR_SKBMARK]) {
if (!(set->extensions & IPSET_EXT_SKBINFO)) if (!SET_WITH_SKBINFO(set))
return -IPSET_ERR_SKBINFO; return -IPSET_ERR_SKBINFO;
fullmark = be64_to_cpu(nla_get_be64(tb[IPSET_ATTR_SKBMARK])); fullmark = be64_to_cpu(nla_get_be64(tb[IPSET_ATTR_SKBMARK]));
ext->skbmark = fullmark >> 32; ext->skbmark = fullmark >> 32;
ext->skbmarkmask = fullmark & 0xffffffff; ext->skbmarkmask = fullmark & 0xffffffff;
} }
if (tb[IPSET_ATTR_SKBPRIO]) { if (tb[IPSET_ATTR_SKBPRIO]) {
if (!(set->extensions & IPSET_EXT_SKBINFO)) if (!SET_WITH_SKBINFO(set))
return -IPSET_ERR_SKBINFO; return -IPSET_ERR_SKBINFO;
ext->skbprio = be32_to_cpu(nla_get_be32( ext->skbprio = be32_to_cpu(nla_get_be32(
tb[IPSET_ATTR_SKBPRIO])); tb[IPSET_ATTR_SKBPRIO]));
} }
if (tb[IPSET_ATTR_SKBQUEUE]) { if (tb[IPSET_ATTR_SKBQUEUE]) {
if (!(set->extensions & IPSET_EXT_SKBINFO)) if (!SET_WITH_SKBINFO(set))
return -IPSET_ERR_SKBINFO; return -IPSET_ERR_SKBINFO;
ext->skbqueue = be16_to_cpu(nla_get_be16( ext->skbqueue = be16_to_cpu(nla_get_be16(
tb[IPSET_ATTR_SKBQUEUE])); tb[IPSET_ATTR_SKBQUEUE]));
@ -457,8 +468,7 @@ ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set,
} }
EXPORT_SYMBOL_GPL(ip_set_put_extensions); EXPORT_SYMBOL_GPL(ip_set_put_extensions);
/* /* Creating/destroying/renaming/swapping affect the existence and
* Creating/destroying/renaming/swapping affect the existence and
* the properties of a set. All of these can be executed from userspace * the properties of a set. All of these can be executed from userspace
* only and serialized by the nfnl mutex indirectly from nfnetlink. * only and serialized by the nfnl mutex indirectly from nfnetlink.
* *
@ -485,8 +495,7 @@ __ip_set_put(struct ip_set *set)
write_unlock_bh(&ip_set_ref_lock); write_unlock_bh(&ip_set_ref_lock);
} }
/* /* Add, del and test set entries from kernel.
* Add, del and test set entries from kernel.
* *
* The set behind the index must exist and must be referenced * The set behind the index must exist and must be referenced
* so it can't be destroyed (or changed) under our foot. * so it can't be destroyed (or changed) under our foot.
@ -514,23 +523,23 @@ ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
dev_net(par->in ? par->in : par->out), index); dev_net(par->in ? par->in : par->out), index);
int ret = 0; int ret = 0;
BUG_ON(set == NULL); BUG_ON(!set);
pr_debug("set %s, index %u\n", set->name, index); pr_debug("set %s, index %u\n", set->name, index);
if (opt->dim < set->type->dimension || if (opt->dim < set->type->dimension ||
!(opt->family == set->family || set->family == NFPROTO_UNSPEC)) !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
return 0; return 0;
read_lock_bh(&set->lock); rcu_read_lock_bh();
ret = set->variant->kadt(set, skb, par, IPSET_TEST, opt); ret = set->variant->kadt(set, skb, par, IPSET_TEST, opt);
read_unlock_bh(&set->lock); rcu_read_unlock_bh();
if (ret == -EAGAIN) { if (ret == -EAGAIN) {
/* Type requests element to be completed */ /* Type requests element to be completed */
pr_debug("element must be completed, ADD is triggered\n"); pr_debug("element must be completed, ADD is triggered\n");
write_lock_bh(&set->lock); spin_lock_bh(&set->lock);
set->variant->kadt(set, skb, par, IPSET_ADD, opt); set->variant->kadt(set, skb, par, IPSET_ADD, opt);
write_unlock_bh(&set->lock); spin_unlock_bh(&set->lock);
ret = 1; ret = 1;
} else { } else {
/* --return-nomatch: invert matched element */ /* --return-nomatch: invert matched element */
@ -553,16 +562,16 @@ ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
dev_net(par->in ? par->in : par->out), index); dev_net(par->in ? par->in : par->out), index);
int ret; int ret;
BUG_ON(set == NULL); BUG_ON(!set);
pr_debug("set %s, index %u\n", set->name, index); pr_debug("set %s, index %u\n", set->name, index);
if (opt->dim < set->type->dimension || if (opt->dim < set->type->dimension ||
!(opt->family == set->family || set->family == NFPROTO_UNSPEC)) !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
return -IPSET_ERR_TYPE_MISMATCH; return -IPSET_ERR_TYPE_MISMATCH;
write_lock_bh(&set->lock); spin_lock_bh(&set->lock);
ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt); ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt);
write_unlock_bh(&set->lock); spin_unlock_bh(&set->lock);
return ret; return ret;
} }
@ -576,23 +585,22 @@ ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
dev_net(par->in ? par->in : par->out), index); dev_net(par->in ? par->in : par->out), index);
int ret = 0; int ret = 0;
BUG_ON(set == NULL); BUG_ON(!set);
pr_debug("set %s, index %u\n", set->name, index); pr_debug("set %s, index %u\n", set->name, index);
if (opt->dim < set->type->dimension || if (opt->dim < set->type->dimension ||
!(opt->family == set->family || set->family == NFPROTO_UNSPEC)) !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
return -IPSET_ERR_TYPE_MISMATCH; return -IPSET_ERR_TYPE_MISMATCH;
write_lock_bh(&set->lock); spin_lock_bh(&set->lock);
ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt); ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt);
write_unlock_bh(&set->lock); spin_unlock_bh(&set->lock);
return ret; return ret;
} }
EXPORT_SYMBOL_GPL(ip_set_del); EXPORT_SYMBOL_GPL(ip_set_del);
/* /* Find set by name, reference it once. The reference makes sure the
* Find set by name, reference it once. The reference makes sure the
* thing pointed to, does not go away under our feet. * thing pointed to, does not go away under our feet.
* *
*/ */
@ -606,7 +614,7 @@ ip_set_get_byname(struct net *net, const char *name, struct ip_set **set)
rcu_read_lock(); rcu_read_lock();
for (i = 0; i < inst->ip_set_max; i++) { for (i = 0; i < inst->ip_set_max; i++) {
s = rcu_dereference(inst->ip_set_list)[i]; s = rcu_dereference(inst->ip_set_list)[i];
if (s != NULL && STRNCMP(s->name, name)) { if (s && STRNCMP(s->name, name)) {
__ip_set_get(s); __ip_set_get(s);
index = i; index = i;
*set = s; *set = s;
@ -619,8 +627,7 @@ ip_set_get_byname(struct net *net, const char *name, struct ip_set **set)
} }
EXPORT_SYMBOL_GPL(ip_set_get_byname); EXPORT_SYMBOL_GPL(ip_set_get_byname);
/* /* If the given set pointer points to a valid set, decrement
* If the given set pointer points to a valid set, decrement
* reference count by 1. The caller shall not assume the index * reference count by 1. The caller shall not assume the index
* to be valid, after calling this function. * to be valid, after calling this function.
* *
@ -633,7 +640,7 @@ __ip_set_put_byindex(struct ip_set_net *inst, ip_set_id_t index)
rcu_read_lock(); rcu_read_lock();
set = rcu_dereference(inst->ip_set_list)[index]; set = rcu_dereference(inst->ip_set_list)[index];
if (set != NULL) if (set)
__ip_set_put(set); __ip_set_put(set);
rcu_read_unlock(); rcu_read_unlock();
} }
@ -647,8 +654,7 @@ ip_set_put_byindex(struct net *net, ip_set_id_t index)
} }
EXPORT_SYMBOL_GPL(ip_set_put_byindex); EXPORT_SYMBOL_GPL(ip_set_put_byindex);
/* /* Get the name of a set behind a set index.
* Get the name of a set behind a set index.
* We assume the set is referenced, so it does exist and * We assume the set is referenced, so it does exist and
* can't be destroyed. The set cannot be renamed due to * can't be destroyed. The set cannot be renamed due to
* the referencing either. * the referencing either.
@ -659,7 +665,7 @@ ip_set_name_byindex(struct net *net, ip_set_id_t index)
{ {
const struct ip_set *set = ip_set_rcu_get(net, index); const struct ip_set *set = ip_set_rcu_get(net, index);
BUG_ON(set == NULL); BUG_ON(!set);
BUG_ON(set->ref == 0); BUG_ON(set->ref == 0);
/* Referenced, so it's safe */ /* Referenced, so it's safe */
@ -667,13 +673,11 @@ ip_set_name_byindex(struct net *net, ip_set_id_t index)
} }
EXPORT_SYMBOL_GPL(ip_set_name_byindex); EXPORT_SYMBOL_GPL(ip_set_name_byindex);
/* /* Routines to call by external subsystems, which do not
* Routines to call by external subsystems, which do not
* call nfnl_lock for us. * call nfnl_lock for us.
*/ */
/* /* Find set by index, reference it once. The reference makes sure the
* Find set by index, reference it once. The reference makes sure the
* thing pointed to, does not go away under our feet. * thing pointed to, does not go away under our feet.
* *
* The nfnl mutex is used in the function. * The nfnl mutex is used in the function.
@ -699,8 +703,7 @@ ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index)
} }
EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex); EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex);
/* /* If the given set pointer points to a valid set, decrement
* If the given set pointer points to a valid set, decrement
* reference count by 1. The caller shall not assume the index * reference count by 1. The caller shall not assume the index
* to be valid, after calling this function. * to be valid, after calling this function.
* *
@ -715,15 +718,14 @@ ip_set_nfnl_put(struct net *net, ip_set_id_t index)
nfnl_lock(NFNL_SUBSYS_IPSET); nfnl_lock(NFNL_SUBSYS_IPSET);
if (!inst->is_deleted) { /* already deleted from ip_set_net_exit() */ if (!inst->is_deleted) { /* already deleted from ip_set_net_exit() */
set = ip_set(inst, index); set = ip_set(inst, index);
if (set != NULL) if (set)
__ip_set_put(set); __ip_set_put(set);
} }
nfnl_unlock(NFNL_SUBSYS_IPSET); nfnl_unlock(NFNL_SUBSYS_IPSET);
} }
EXPORT_SYMBOL_GPL(ip_set_nfnl_put); EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
/* /* Communication protocol with userspace over netlink.
* Communication protocol with userspace over netlink.
* *
* The commands are serialized by the nfnl mutex. * The commands are serialized by the nfnl mutex.
*/ */
@ -750,7 +752,7 @@ start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags,
nlh = nlmsg_put(skb, portid, seq, cmd | (NFNL_SUBSYS_IPSET << 8), nlh = nlmsg_put(skb, portid, seq, cmd | (NFNL_SUBSYS_IPSET << 8),
sizeof(*nfmsg), flags); sizeof(*nfmsg), flags);
if (nlh == NULL) if (!nlh)
return NULL; return NULL;
nfmsg = nlmsg_data(nlh); nfmsg = nlmsg_data(nlh);
@ -783,7 +785,7 @@ find_set_and_id(struct ip_set_net *inst, const char *name, ip_set_id_t *id)
*id = IPSET_INVALID_ID; *id = IPSET_INVALID_ID;
for (i = 0; i < inst->ip_set_max; i++) { for (i = 0; i < inst->ip_set_max; i++) {
set = ip_set(inst, i); set = ip_set(inst, i);
if (set != NULL && STRNCMP(set->name, name)) { if (set && STRNCMP(set->name, name)) {
*id = i; *id = i;
break; break;
} }
@ -809,7 +811,7 @@ find_free_id(struct ip_set_net *inst, const char *name, ip_set_id_t *index,
*index = IPSET_INVALID_ID; *index = IPSET_INVALID_ID;
for (i = 0; i < inst->ip_set_max; i++) { for (i = 0; i < inst->ip_set_max; i++) {
s = ip_set(inst, i); s = ip_set(inst, i);
if (s == NULL) { if (!s) {
if (*index == IPSET_INVALID_ID) if (*index == IPSET_INVALID_ID)
*index = i; *index = i;
} else if (STRNCMP(name, s->name)) { } else if (STRNCMP(name, s->name)) {
@ -841,18 +843,18 @@ ip_set_create(struct sock *ctnl, struct sk_buff *skb,
struct ip_set_net *inst = ip_set_pernet(net); struct ip_set_net *inst = ip_set_pernet(net);
struct ip_set *set, *clash = NULL; struct ip_set *set, *clash = NULL;
ip_set_id_t index = IPSET_INVALID_ID; ip_set_id_t index = IPSET_INVALID_ID;
struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {}; struct nlattr *tb[IPSET_ATTR_CREATE_MAX + 1] = {};
const char *name, *typename; const char *name, *typename;
u8 family, revision; u8 family, revision;
u32 flags = flag_exist(nlh); u32 flags = flag_exist(nlh);
int ret = 0; int ret = 0;
if (unlikely(protocol_failed(attr) || if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL || !attr[IPSET_ATTR_SETNAME] ||
attr[IPSET_ATTR_TYPENAME] == NULL || !attr[IPSET_ATTR_TYPENAME] ||
attr[IPSET_ATTR_REVISION] == NULL || !attr[IPSET_ATTR_REVISION] ||
attr[IPSET_ATTR_FAMILY] == NULL || !attr[IPSET_ATTR_FAMILY] ||
(attr[IPSET_ATTR_DATA] != NULL && (attr[IPSET_ATTR_DATA] &&
!flag_nested(attr[IPSET_ATTR_DATA])))) !flag_nested(attr[IPSET_ATTR_DATA]))))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
@ -863,33 +865,29 @@ ip_set_create(struct sock *ctnl, struct sk_buff *skb,
pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n", pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
name, typename, family_name(family), revision); name, typename, family_name(family), revision);
/* /* First, and without any locks, allocate and initialize
* First, and without any locks, allocate and initialize
* a normal base set structure. * a normal base set structure.
*/ */
set = kzalloc(sizeof(struct ip_set), GFP_KERNEL); set = kzalloc(sizeof(*set), GFP_KERNEL);
if (!set) if (!set)
return -ENOMEM; return -ENOMEM;
rwlock_init(&set->lock); spin_lock_init(&set->lock);
strlcpy(set->name, name, IPSET_MAXNAMELEN); strlcpy(set->name, name, IPSET_MAXNAMELEN);
set->family = family; set->family = family;
set->revision = revision; set->revision = revision;
/* /* Next, check that we know the type, and take
* Next, check that we know the type, and take
* a reference on the type, to make sure it stays available * a reference on the type, to make sure it stays available
* while constructing our new set. * while constructing our new set.
* *
* After referencing the type, we try to create the type * After referencing the type, we try to create the type
* specific part of the set without holding any locks. * specific part of the set without holding any locks.
*/ */
ret = find_set_type_get(typename, family, revision, &(set->type)); ret = find_set_type_get(typename, family, revision, &set->type);
if (ret) if (ret)
goto out; goto out;
/* /* Without holding any locks, create private part. */
* Without holding any locks, create private part.
*/
if (attr[IPSET_ATTR_DATA] && if (attr[IPSET_ATTR_DATA] &&
nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA], nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA],
set->type->create_policy)) { set->type->create_policy)) {
@ -903,8 +901,7 @@ ip_set_create(struct sock *ctnl, struct sk_buff *skb,
/* BTW, ret==0 here. */ /* BTW, ret==0 here. */
/* /* Here, we have a valid, constructed set and we are protected
* Here, we have a valid, constructed set and we are protected
* by the nfnl mutex. Find the first free index in ip_set_list * by the nfnl mutex. Find the first free index in ip_set_list
* and check clashing. * and check clashing.
*/ */
@ -927,7 +924,7 @@ ip_set_create(struct sock *ctnl, struct sk_buff *skb,
/* Wraparound */ /* Wraparound */
goto cleanup; goto cleanup;
list = kzalloc(sizeof(struct ip_set *) * i, GFP_KERNEL); list = kcalloc(i, sizeof(struct ip_set *), GFP_KERNEL);
if (!list) if (!list)
goto cleanup; goto cleanup;
/* nfnl mutex is held, both lists are valid */ /* nfnl mutex is held, both lists are valid */
@ -941,12 +938,11 @@ ip_set_create(struct sock *ctnl, struct sk_buff *skb,
inst->ip_set_max = i; inst->ip_set_max = i;
kfree(tmp); kfree(tmp);
ret = 0; ret = 0;
} else if (ret) } else if (ret) {
goto cleanup; goto cleanup;
}
/* /* Finally! Add our shiny new set to the list, and be done. */
* Finally! Add our shiny new set to the list, and be done.
*/
pr_debug("create: '%s' created with index %u!\n", set->name, index); pr_debug("create: '%s' created with index %u!\n", set->name, index);
ip_set(inst, index) = set; ip_set(inst, index) = set;
@ -971,12 +967,9 @@ ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
}; };
static void static void
ip_set_destroy_set(struct ip_set_net *inst, ip_set_id_t index) ip_set_destroy_set(struct ip_set *set)
{ {
struct ip_set *set = ip_set(inst, index);
pr_debug("set: %s\n", set->name); pr_debug("set: %s\n", set->name);
ip_set(inst, index) = NULL;
/* Must call it without holding any lock */ /* Must call it without holding any lock */
set->variant->destroy(set); set->variant->destroy(set);
@ -1011,30 +1004,36 @@ ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
if (!attr[IPSET_ATTR_SETNAME]) { if (!attr[IPSET_ATTR_SETNAME]) {
for (i = 0; i < inst->ip_set_max; i++) { for (i = 0; i < inst->ip_set_max; i++) {
s = ip_set(inst, i); s = ip_set(inst, i);
if (s != NULL && s->ref) { if (s && s->ref) {
ret = -IPSET_ERR_BUSY; ret = -IPSET_ERR_BUSY;
goto out; goto out;
} }
} }
inst->is_destroyed = true;
read_unlock_bh(&ip_set_ref_lock); read_unlock_bh(&ip_set_ref_lock);
for (i = 0; i < inst->ip_set_max; i++) { for (i = 0; i < inst->ip_set_max; i++) {
s = ip_set(inst, i); s = ip_set(inst, i);
if (s != NULL) if (s) {
ip_set_destroy_set(inst, i); ip_set(inst, i) = NULL;
ip_set_destroy_set(s);
}
} }
/* Modified by ip_set_destroy() only, which is serialized */
inst->is_destroyed = false;
} else { } else {
s = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]), s = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]),
&i); &i);
if (s == NULL) { if (!s) {
ret = -ENOENT; ret = -ENOENT;
goto out; goto out;
} else if (s->ref) { } else if (s->ref) {
ret = -IPSET_ERR_BUSY; ret = -IPSET_ERR_BUSY;
goto out; goto out;
} }
ip_set(inst, i) = NULL;
read_unlock_bh(&ip_set_ref_lock); read_unlock_bh(&ip_set_ref_lock);
ip_set_destroy_set(inst, i); ip_set_destroy_set(s);
} }
return 0; return 0;
out: out:
@ -1049,9 +1048,9 @@ ip_set_flush_set(struct ip_set *set)
{ {
pr_debug("set: %s\n", set->name); pr_debug("set: %s\n", set->name);
write_lock_bh(&set->lock); spin_lock_bh(&set->lock);
set->variant->flush(set); set->variant->flush(set);
write_unlock_bh(&set->lock); spin_unlock_bh(&set->lock);
} }
static int static int
@ -1069,12 +1068,12 @@ ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
if (!attr[IPSET_ATTR_SETNAME]) { if (!attr[IPSET_ATTR_SETNAME]) {
for (i = 0; i < inst->ip_set_max; i++) { for (i = 0; i < inst->ip_set_max; i++) {
s = ip_set(inst, i); s = ip_set(inst, i);
if (s != NULL) if (s)
ip_set_flush_set(s); ip_set_flush_set(s);
} }
} else { } else {
s = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME])); s = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
if (s == NULL) if (!s)
return -ENOENT; return -ENOENT;
ip_set_flush_set(s); ip_set_flush_set(s);
@ -1106,12 +1105,12 @@ ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
int ret = 0; int ret = 0;
if (unlikely(protocol_failed(attr) || if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL || !attr[IPSET_ATTR_SETNAME] ||
attr[IPSET_ATTR_SETNAME2] == NULL)) !attr[IPSET_ATTR_SETNAME2]))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME])); set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
if (set == NULL) if (!set)
return -ENOENT; return -ENOENT;
read_lock_bh(&ip_set_ref_lock); read_lock_bh(&ip_set_ref_lock);
@ -1123,7 +1122,7 @@ ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
name2 = nla_data(attr[IPSET_ATTR_SETNAME2]); name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
for (i = 0; i < inst->ip_set_max; i++) { for (i = 0; i < inst->ip_set_max; i++) {
s = ip_set(inst, i); s = ip_set(inst, i);
if (s != NULL && STRNCMP(s->name, name2)) { if (s && STRNCMP(s->name, name2)) {
ret = -IPSET_ERR_EXIST_SETNAME2; ret = -IPSET_ERR_EXIST_SETNAME2;
goto out; goto out;
} }
@ -1155,23 +1154,24 @@ ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
char from_name[IPSET_MAXNAMELEN]; char from_name[IPSET_MAXNAMELEN];
if (unlikely(protocol_failed(attr) || if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL || !attr[IPSET_ATTR_SETNAME] ||
attr[IPSET_ATTR_SETNAME2] == NULL)) !attr[IPSET_ATTR_SETNAME2]))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
from = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]), from = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]),
&from_id); &from_id);
if (from == NULL) if (!from)
return -ENOENT; return -ENOENT;
to = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME2]), to = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME2]),
&to_id); &to_id);
if (to == NULL) if (!to)
return -IPSET_ERR_EXIST_SETNAME2; return -IPSET_ERR_EXIST_SETNAME2;
/* Features must not change. /* Features must not change.
* Not an artificial restriction anymore, as we must prevent * Not an artifical restriction anymore, as we must prevent
* possible loops created by swapping in setlist type of sets. */ * possible loops created by swapping in setlist type of sets.
*/
if (!(from->type->features == to->type->features && if (!(from->type->features == to->type->features &&
from->family == to->family)) from->family == to->family))
return -IPSET_ERR_TYPE_MISMATCH; return -IPSET_ERR_TYPE_MISMATCH;
@ -1202,12 +1202,16 @@ ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
static int static int
ip_set_dump_done(struct netlink_callback *cb) ip_set_dump_done(struct netlink_callback *cb)
{ {
struct ip_set_net *inst = (struct ip_set_net *)cb->args[IPSET_CB_NET];
if (cb->args[IPSET_CB_ARG0]) { if (cb->args[IPSET_CB_ARG0]) {
pr_debug("release set %s\n", struct ip_set_net *inst =
ip_set(inst, cb->args[IPSET_CB_INDEX])->name); (struct ip_set_net *)cb->args[IPSET_CB_NET];
__ip_set_put_byindex(inst, ip_set_id_t index = (ip_set_id_t)cb->args[IPSET_CB_INDEX];
(ip_set_id_t) cb->args[IPSET_CB_INDEX]); struct ip_set *set = ip_set(inst, index);
if (set->variant->uref)
set->variant->uref(set, cb, false);
pr_debug("release set %s\n", set->name);
__ip_set_put_byindex(inst, index);
} }
return 0; return 0;
} }
@ -1229,7 +1233,7 @@ dump_init(struct netlink_callback *cb, struct ip_set_net *inst)
{ {
struct nlmsghdr *nlh = nlmsg_hdr(cb->skb); struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
int min_len = nlmsg_total_size(sizeof(struct nfgenmsg)); int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
struct nlattr *cda[IPSET_ATTR_CMD_MAX+1]; struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
struct nlattr *attr = (void *)nlh + min_len; struct nlattr *attr = (void *)nlh + min_len;
u32 dump_type; u32 dump_type;
ip_set_id_t index; ip_set_id_t index;
@ -1238,27 +1242,23 @@ dump_init(struct netlink_callback *cb, struct ip_set_net *inst)
nla_parse(cda, IPSET_ATTR_CMD_MAX, nla_parse(cda, IPSET_ATTR_CMD_MAX,
attr, nlh->nlmsg_len - min_len, ip_set_setname_policy); attr, nlh->nlmsg_len - min_len, ip_set_setname_policy);
/* cb->args[IPSET_CB_NET]: net namespace
* [IPSET_CB_DUMP]: dump single set/all sets
* [IPSET_CB_INDEX]: set index
* [IPSET_CB_ARG0]: type specific
*/
if (cda[IPSET_ATTR_SETNAME]) { if (cda[IPSET_ATTR_SETNAME]) {
struct ip_set *set; struct ip_set *set;
set = find_set_and_id(inst, nla_data(cda[IPSET_ATTR_SETNAME]), set = find_set_and_id(inst, nla_data(cda[IPSET_ATTR_SETNAME]),
&index); &index);
if (set == NULL) if (!set)
return -ENOENT; return -ENOENT;
dump_type = DUMP_ONE; dump_type = DUMP_ONE;
cb->args[IPSET_CB_INDEX] = index; cb->args[IPSET_CB_INDEX] = index;
} else } else {
dump_type = DUMP_ALL; dump_type = DUMP_ALL;
}
if (cda[IPSET_ATTR_FLAGS]) { if (cda[IPSET_ATTR_FLAGS]) {
u32 f = ip_set_get_h32(cda[IPSET_ATTR_FLAGS]); u32 f = ip_set_get_h32(cda[IPSET_ATTR_FLAGS]);
dump_type |= (f << 16); dump_type |= (f << 16);
} }
cb->args[IPSET_CB_NET] = (unsigned long)inst; cb->args[IPSET_CB_NET] = (unsigned long)inst;
@ -1276,6 +1276,7 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
unsigned int flags = NETLINK_CB(cb->skb).portid ? NLM_F_MULTI : 0; unsigned int flags = NETLINK_CB(cb->skb).portid ? NLM_F_MULTI : 0;
struct ip_set_net *inst = ip_set_pernet(sock_net(skb->sk)); struct ip_set_net *inst = ip_set_pernet(sock_net(skb->sk));
u32 dump_type, dump_flags; u32 dump_type, dump_flags;
bool is_destroyed;
int ret = 0; int ret = 0;
if (!cb->args[IPSET_CB_DUMP]) { if (!cb->args[IPSET_CB_DUMP]) {
@ -1283,7 +1284,8 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
if (ret < 0) { if (ret < 0) {
nlh = nlmsg_hdr(cb->skb); nlh = nlmsg_hdr(cb->skb);
/* We have to create and send the error message /* We have to create and send the error message
* manually :-( */ * manually :-(
*/
if (nlh->nlmsg_flags & NLM_F_ACK) if (nlh->nlmsg_flags & NLM_F_ACK)
netlink_ack(cb->skb, nlh, ret); netlink_ack(cb->skb, nlh, ret);
return ret; return ret;
@ -1301,13 +1303,21 @@ dump_last:
pr_debug("dump type, flag: %u %u index: %ld\n", pr_debug("dump type, flag: %u %u index: %ld\n",
dump_type, dump_flags, cb->args[IPSET_CB_INDEX]); dump_type, dump_flags, cb->args[IPSET_CB_INDEX]);
for (; cb->args[IPSET_CB_INDEX] < max; cb->args[IPSET_CB_INDEX]++) { for (; cb->args[IPSET_CB_INDEX] < max; cb->args[IPSET_CB_INDEX]++) {
index = (ip_set_id_t) cb->args[IPSET_CB_INDEX]; index = (ip_set_id_t)cb->args[IPSET_CB_INDEX];
write_lock_bh(&ip_set_ref_lock);
set = ip_set(inst, index); set = ip_set(inst, index);
if (set == NULL) { is_destroyed = inst->is_destroyed;
if (!set || is_destroyed) {
write_unlock_bh(&ip_set_ref_lock);
if (dump_type == DUMP_ONE) { if (dump_type == DUMP_ONE) {
ret = -ENOENT; ret = -ENOENT;
goto out; goto out;
} }
if (is_destroyed) {
/* All sets are just being destroyed */
ret = 0;
goto out;
}
continue; continue;
} }
/* When dumping all sets, we must dump "sorted" /* When dumping all sets, we must dump "sorted"
@ -1315,14 +1325,17 @@ dump_last:
*/ */
if (dump_type != DUMP_ONE && if (dump_type != DUMP_ONE &&
((dump_type == DUMP_ALL) == ((dump_type == DUMP_ALL) ==
!!(set->type->features & IPSET_DUMP_LAST))) !!(set->type->features & IPSET_DUMP_LAST))) {
write_unlock_bh(&ip_set_ref_lock);
continue; continue;
}
pr_debug("List set: %s\n", set->name); pr_debug("List set: %s\n", set->name);
if (!cb->args[IPSET_CB_ARG0]) { if (!cb->args[IPSET_CB_ARG0]) {
/* Start listing: make sure set won't be destroyed */ /* Start listing: make sure set won't be destroyed */
pr_debug("reference set\n"); pr_debug("reference set\n");
__ip_set_get(set); set->ref++;
} }
write_unlock_bh(&ip_set_ref_lock);
nlh = start_msg(skb, NETLINK_CB(cb->skb).portid, nlh = start_msg(skb, NETLINK_CB(cb->skb).portid,
cb->nlh->nlmsg_seq, flags, cb->nlh->nlmsg_seq, flags,
IPSET_CMD_LIST); IPSET_CMD_LIST);
@ -1350,11 +1363,13 @@ dump_last:
goto release_refcount; goto release_refcount;
if (dump_flags & IPSET_FLAG_LIST_HEADER) if (dump_flags & IPSET_FLAG_LIST_HEADER)
goto next_set; goto next_set;
if (set->variant->uref)
set->variant->uref(set, cb, true);
/* Fall through and add elements */ /* Fall through and add elements */
default: default:
read_lock_bh(&set->lock); rcu_read_lock_bh();
ret = set->variant->list(set, skb, cb); ret = set->variant->list(set, skb, cb);
read_unlock_bh(&set->lock); rcu_read_unlock_bh();
if (!cb->args[IPSET_CB_ARG0]) if (!cb->args[IPSET_CB_ARG0])
/* Set is done, proceed with next one */ /* Set is done, proceed with next one */
goto next_set; goto next_set;
@ -1366,6 +1381,8 @@ dump_last:
dump_type = DUMP_LAST; dump_type = DUMP_LAST;
cb->args[IPSET_CB_DUMP] = dump_type | (dump_flags << 16); cb->args[IPSET_CB_DUMP] = dump_type | (dump_flags << 16);
cb->args[IPSET_CB_INDEX] = 0; cb->args[IPSET_CB_INDEX] = 0;
if (set && set->variant->uref)
set->variant->uref(set, cb, false);
goto dump_last; goto dump_last;
} }
goto out; goto out;
@ -1380,7 +1397,10 @@ next_set:
release_refcount: release_refcount:
/* If there was an error or set is done, release set */ /* If there was an error or set is done, release set */
if (ret || !cb->args[IPSET_CB_ARG0]) { if (ret || !cb->args[IPSET_CB_ARG0]) {
pr_debug("release set %s\n", ip_set(inst, index)->name); set = ip_set(inst, index);
if (set->variant->uref)
set->variant->uref(set, cb, false);
pr_debug("release set %s\n", set->name);
__ip_set_put_byindex(inst, index); __ip_set_put_byindex(inst, index);
cb->args[IPSET_CB_ARG0] = 0; cb->args[IPSET_CB_ARG0] = 0;
} }
@ -1432,9 +1452,9 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
bool eexist = flags & IPSET_FLAG_EXIST, retried = false; bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
do { do {
write_lock_bh(&set->lock); spin_lock_bh(&set->lock);
ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried); ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
write_unlock_bh(&set->lock); spin_unlock_bh(&set->lock);
retried = true; retried = true;
} while (ret == -EAGAIN && } while (ret == -EAGAIN &&
set->variant->resize && set->variant->resize &&
@ -1450,12 +1470,12 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
size_t payload = min(SIZE_MAX, size_t payload = min(SIZE_MAX,
sizeof(*errmsg) + nlmsg_len(nlh)); sizeof(*errmsg) + nlmsg_len(nlh));
int min_len = nlmsg_total_size(sizeof(struct nfgenmsg)); int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
struct nlattr *cda[IPSET_ATTR_CMD_MAX+1]; struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
struct nlattr *cmdattr; struct nlattr *cmdattr;
u32 *errline; u32 *errline;
skb2 = nlmsg_new(payload, GFP_KERNEL); skb2 = nlmsg_new(payload, GFP_KERNEL);
if (skb2 == NULL) if (!skb2)
return -ENOMEM; return -ENOMEM;
rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid, rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid,
nlh->nlmsg_seq, NLMSG_ERROR, payload, 0); nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
@ -1472,7 +1492,8 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
*errline = lineno; *errline = lineno;
netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid,
MSG_DONTWAIT);
/* Signal netlink not to send its ACK/errmsg. */ /* Signal netlink not to send its ACK/errmsg. */
return -EINTR; return -EINTR;
} }
@ -1487,25 +1508,25 @@ ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
{ {
struct ip_set_net *inst = ip_set_pernet(sock_net(ctnl)); struct ip_set_net *inst = ip_set_pernet(sock_net(ctnl));
struct ip_set *set; struct ip_set *set;
struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {};
const struct nlattr *nla; const struct nlattr *nla;
u32 flags = flag_exist(nlh); u32 flags = flag_exist(nlh);
bool use_lineno; bool use_lineno;
int ret = 0; int ret = 0;
if (unlikely(protocol_failed(attr) || if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL || !attr[IPSET_ATTR_SETNAME] ||
!((attr[IPSET_ATTR_DATA] != NULL) ^ !((attr[IPSET_ATTR_DATA] != NULL) ^
(attr[IPSET_ATTR_ADT] != NULL)) || (attr[IPSET_ATTR_ADT] != NULL)) ||
(attr[IPSET_ATTR_DATA] != NULL && (attr[IPSET_ATTR_DATA] &&
!flag_nested(attr[IPSET_ATTR_DATA])) || !flag_nested(attr[IPSET_ATTR_DATA])) ||
(attr[IPSET_ATTR_ADT] != NULL && (attr[IPSET_ATTR_ADT] &&
(!flag_nested(attr[IPSET_ATTR_ADT]) || (!flag_nested(attr[IPSET_ATTR_ADT]) ||
attr[IPSET_ATTR_LINENO] == NULL)))) !attr[IPSET_ATTR_LINENO]))))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME])); set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
if (set == NULL) if (!set)
return -ENOENT; return -ENOENT;
use_lineno = !!attr[IPSET_ATTR_LINENO]; use_lineno = !!attr[IPSET_ATTR_LINENO];
@ -1542,25 +1563,25 @@ ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
{ {
struct ip_set_net *inst = ip_set_pernet(sock_net(ctnl)); struct ip_set_net *inst = ip_set_pernet(sock_net(ctnl));
struct ip_set *set; struct ip_set *set;
struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {};
const struct nlattr *nla; const struct nlattr *nla;
u32 flags = flag_exist(nlh); u32 flags = flag_exist(nlh);
bool use_lineno; bool use_lineno;
int ret = 0; int ret = 0;
if (unlikely(protocol_failed(attr) || if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL || !attr[IPSET_ATTR_SETNAME] ||
!((attr[IPSET_ATTR_DATA] != NULL) ^ !((attr[IPSET_ATTR_DATA] != NULL) ^
(attr[IPSET_ATTR_ADT] != NULL)) || (attr[IPSET_ATTR_ADT] != NULL)) ||
(attr[IPSET_ATTR_DATA] != NULL && (attr[IPSET_ATTR_DATA] &&
!flag_nested(attr[IPSET_ATTR_DATA])) || !flag_nested(attr[IPSET_ATTR_DATA])) ||
(attr[IPSET_ATTR_ADT] != NULL && (attr[IPSET_ATTR_ADT] &&
(!flag_nested(attr[IPSET_ATTR_ADT]) || (!flag_nested(attr[IPSET_ATTR_ADT]) ||
attr[IPSET_ATTR_LINENO] == NULL)))) !attr[IPSET_ATTR_LINENO]))))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME])); set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
if (set == NULL) if (!set)
return -ENOENT; return -ENOENT;
use_lineno = !!attr[IPSET_ATTR_LINENO]; use_lineno = !!attr[IPSET_ATTR_LINENO];
@ -1597,26 +1618,26 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
{ {
struct ip_set_net *inst = ip_set_pernet(sock_net(ctnl)); struct ip_set_net *inst = ip_set_pernet(sock_net(ctnl));
struct ip_set *set; struct ip_set *set;
struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {};
int ret = 0; int ret = 0;
if (unlikely(protocol_failed(attr) || if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL || !attr[IPSET_ATTR_SETNAME] ||
attr[IPSET_ATTR_DATA] == NULL || !attr[IPSET_ATTR_DATA] ||
!flag_nested(attr[IPSET_ATTR_DATA]))) !flag_nested(attr[IPSET_ATTR_DATA])))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME])); set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
if (set == NULL) if (!set)
return -ENOENT; return -ENOENT;
if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA],
set->type->adt_policy)) set->type->adt_policy))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
read_lock_bh(&set->lock); rcu_read_lock_bh();
ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0); ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
read_unlock_bh(&set->lock); rcu_read_unlock_bh();
/* Userspace can't trigger element to be re-added */ /* Userspace can't trigger element to be re-added */
if (ret == -EAGAIN) if (ret == -EAGAIN)
ret = 1; ret = 1;
@ -1638,15 +1659,15 @@ ip_set_header(struct sock *ctnl, struct sk_buff *skb,
int ret = 0; int ret = 0;
if (unlikely(protocol_failed(attr) || if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_SETNAME] == NULL)) !attr[IPSET_ATTR_SETNAME]))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME])); set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
if (set == NULL) if (!set)
return -ENOENT; return -ENOENT;
skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (skb2 == NULL) if (!skb2)
return -ENOMEM; return -ENOMEM;
nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0, nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
@ -1695,8 +1716,8 @@ ip_set_type(struct sock *ctnl, struct sk_buff *skb,
int ret = 0; int ret = 0;
if (unlikely(protocol_failed(attr) || if (unlikely(protocol_failed(attr) ||
attr[IPSET_ATTR_TYPENAME] == NULL || !attr[IPSET_ATTR_TYPENAME] ||
attr[IPSET_ATTR_FAMILY] == NULL)) !attr[IPSET_ATTR_FAMILY]))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
family = nla_get_u8(attr[IPSET_ATTR_FAMILY]); family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
@ -1706,7 +1727,7 @@ ip_set_type(struct sock *ctnl, struct sk_buff *skb,
return ret; return ret;
skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (skb2 == NULL) if (!skb2)
return -ENOMEM; return -ENOMEM;
nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0, nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
@ -1751,11 +1772,11 @@ ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh2; struct nlmsghdr *nlh2;
int ret = 0; int ret = 0;
if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL)) if (unlikely(!attr[IPSET_ATTR_PROTOCOL]))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (skb2 == NULL) if (!skb2)
return -ENOMEM; return -ENOMEM;
nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0, nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
@ -1883,7 +1904,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
ret = -EFAULT; ret = -EFAULT;
goto done; goto done;
} }
op = (unsigned int *) data; op = (unsigned int *)data;
if (*op < IP_SET_OP_VERSION) { if (*op < IP_SET_OP_VERSION) {
/* Check the version at the beginning of operations */ /* Check the version at the beginning of operations */
@ -1995,10 +2016,11 @@ ip_set_net_init(struct net *net)
if (inst->ip_set_max >= IPSET_INVALID_ID) if (inst->ip_set_max >= IPSET_INVALID_ID)
inst->ip_set_max = IPSET_INVALID_ID - 1; inst->ip_set_max = IPSET_INVALID_ID - 1;
list = kzalloc(sizeof(struct ip_set *) * inst->ip_set_max, GFP_KERNEL); list = kcalloc(inst->ip_set_max, sizeof(struct ip_set *), GFP_KERNEL);
if (!list) if (!list)
return -ENOMEM; return -ENOMEM;
inst->is_deleted = 0; inst->is_deleted = false;
inst->is_destroyed = false;
rcu_assign_pointer(inst->ip_set_list, list); rcu_assign_pointer(inst->ip_set_list, list);
return 0; return 0;
} }
@ -2011,12 +2033,14 @@ ip_set_net_exit(struct net *net)
struct ip_set *set = NULL; struct ip_set *set = NULL;
ip_set_id_t i; ip_set_id_t i;
inst->is_deleted = 1; /* flag for ip_set_nfnl_put */ inst->is_deleted = true; /* flag for ip_set_nfnl_put */
for (i = 0; i < inst->ip_set_max; i++) { for (i = 0; i < inst->ip_set_max; i++) {
set = ip_set(inst, i); set = ip_set(inst, i);
if (set != NULL) if (set) {
ip_set_destroy_set(inst, i); ip_set(inst, i) = NULL;
ip_set_destroy_set(set);
}
} }
kfree(rcu_dereference_protected(inst->ip_set_list, 1)); kfree(rcu_dereference_protected(inst->ip_set_list, 1));
} }
@ -2028,11 +2052,11 @@ static struct pernet_operations ip_set_net_ops = {
.size = sizeof(struct ip_set_net) .size = sizeof(struct ip_set_net)
}; };
static int __init static int __init
ip_set_init(void) ip_set_init(void)
{ {
int ret = nfnetlink_subsys_register(&ip_set_netlink_subsys); int ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
if (ret != 0) { if (ret != 0) {
pr_err("ip_set: cannot register with nfnetlink.\n"); pr_err("ip_set: cannot register with nfnetlink.\n");
return ret; return ret;

13
net/netfilter/ipset/ip_set_getport.c
View File

@ -30,7 +30,7 @@ get_port(const struct sk_buff *skb, int protocol, unsigned int protooff,
const struct tcphdr *th; const struct tcphdr *th;
th = skb_header_pointer(skb, protooff, sizeof(_tcph), &_tcph); th = skb_header_pointer(skb, protooff, sizeof(_tcph), &_tcph);
if (th == NULL) if (!th)
/* No choice either */ /* No choice either */
return false; return false;
@ -42,7 +42,7 @@ get_port(const struct sk_buff *skb, int protocol, unsigned int protooff,
const sctp_sctphdr_t *sh; const sctp_sctphdr_t *sh;
sh = skb_header_pointer(skb, protooff, sizeof(_sh), &_sh); sh = skb_header_pointer(skb, protooff, sizeof(_sh), &_sh);
if (sh == NULL) if (!sh)
/* No choice either */ /* No choice either */
return false; return false;
@ -55,7 +55,7 @@ get_port(const struct sk_buff *skb, int protocol, unsigned int protooff,
const struct udphdr *uh; const struct udphdr *uh;
uh = skb_header_pointer(skb, protooff, sizeof(_udph), &_udph); uh = skb_header_pointer(skb, protooff, sizeof(_udph), &_udph);
if (uh == NULL) if (!uh)
/* No choice either */ /* No choice either */
return false; return false;
@ -67,7 +67,7 @@ get_port(const struct sk_buff *skb, int protocol, unsigned int protooff,
const struct icmphdr *ic; const struct icmphdr *ic;
ic = skb_header_pointer(skb, protooff, sizeof(_ich), &_ich); ic = skb_header_pointer(skb, protooff, sizeof(_ich), &_ich);
if (ic == NULL) if (!ic)
return false; return false;
*port = (__force __be16)htons((ic->type << 8) | ic->code); *port = (__force __be16)htons((ic->type << 8) | ic->code);
@ -78,7 +78,7 @@ get_port(const struct sk_buff *skb, int protocol, unsigned int protooff,
const struct icmp6hdr *ic; const struct icmp6hdr *ic;
ic = skb_header_pointer(skb, protooff, sizeof(_ich), &_ich); ic = skb_header_pointer(skb, protooff, sizeof(_ich), &_ich);
if (ic == NULL) if (!ic)
return false; return false;
*port = (__force __be16) *port = (__force __be16)
@ -116,7 +116,8 @@ ip_set_get_ip4_port(const struct sk_buff *skb, bool src,
return false; return false;
default: default:
/* Other protocols doesn't have ports, /* Other protocols doesn't have ports,
so we can match fragments */ * so we can match fragments.
*/
*proto = protocol; *proto = protocol;
return true; return true;
} }

724
net/netfilter/ipset/ip_set_hash_gen.h
View File

File diff suppressed because it is too large Load Diff

39
net/netfilter/ipset/ip_set_hash_ip.c
View File

@ -108,18 +108,12 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
u32 ip = 0, ip_to = 0, hosts; u32 ip = 0, ip_to = 0, hosts;
int ret = 0; int ret = 0;
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP]))
return -IPSET_ERR_PROTOCOL;
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
if (ret) if (ret)
return ret; return ret;
@ -164,8 +158,8 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
} }
return ret; return ret;
} }
@ -246,20 +240,20 @@ hash_ip6_uadt(struct ip_set *set, struct nlattr *tb[],
struct ip_set_ext ext = IP_SET_INIT_UEXT(set); struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
int ret; int ret;
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE) ||
tb[IPSET_ATTR_IP_TO] ||
tb[IPSET_ATTR_CIDR]))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP]))
return -IPSET_ERR_PROTOCOL;
if (unlikely(tb[IPSET_ATTR_IP_TO]))
return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
if (unlikely(tb[IPSET_ATTR_CIDR])) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
if (cidr != HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip); ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
if (ret) if (ret)
return ret; return ret;
@ -321,6 +315,7 @@ hash_ip_init(void)
static void __exit static void __exit
hash_ip_fini(void) hash_ip_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&hash_ip_type); ip_set_type_unregister(&hash_ip_type);
} }

48
net/netfilter/ipset/ip_set_hash_ipmark.c
View File

@ -108,19 +108,13 @@ hash_ipmark4_uadt(struct ip_set *set, struct nlattr *tb[],
u32 ip, ip_to = 0; u32 ip, ip_to = 0;
int ret; int ret;
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_MARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_MARK)))
return -IPSET_ERR_PROTOCOL;
ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip); ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip);
if (ret) if (ret)
return ret; return ret;
@ -161,8 +155,8 @@ hash_ipmark4_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
} }
return ret; return ret;
} }
@ -212,7 +206,6 @@ hash_ipmark6_data_next(struct hash_ipmark4_elem *next,
#define IP_SET_EMIT_CREATE #define IP_SET_EMIT_CREATE
#include "ip_set_hash_gen.h" #include "ip_set_hash_gen.h"
static int static int
hash_ipmark6_kadt(struct ip_set *set, const struct sk_buff *skb, hash_ipmark6_kadt(struct ip_set *set, const struct sk_buff *skb,
const struct xt_action_param *par, const struct xt_action_param *par,
@ -240,21 +233,21 @@ hash_ipmark6_uadt(struct ip_set *set, struct nlattr *tb[],
struct ip_set_ext ext = IP_SET_INIT_UEXT(set); struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
int ret; int ret;
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_MARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE) ||
tb[IPSET_ATTR_IP_TO] ||
tb[IPSET_ATTR_CIDR]))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_MARK)))
return -IPSET_ERR_PROTOCOL;
if (unlikely(tb[IPSET_ATTR_IP_TO]))
return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
if (unlikely(tb[IPSET_ATTR_CIDR])) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
if (cidr != HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip); ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
if (ret) if (ret)
return ret; return ret;
@ -274,10 +267,8 @@ hash_ipmark6_uadt(struct ip_set *set, struct nlattr *tb[],
ret = adtfn(set, &e, &ext, &ext, flags); ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0;
return ret; return 0;
} }
static struct ip_set_type hash_ipmark_type __read_mostly = { static struct ip_set_type hash_ipmark_type __read_mostly = {
@ -325,6 +316,7 @@ hash_ipmark_init(void)
static void __exit static void __exit
hash_ipmark_fini(void) hash_ipmark_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&hash_ipmark_type); ip_set_type_unregister(&hash_ipmark_type);
} }

57
net/netfilter/ipset/ip_set_hash_ipport.c
View File

@ -116,20 +116,14 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
bool with_ports = false; bool with_ports = false;
int ret; int ret;
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO)))
return -IPSET_ERR_PROTOCOL;
ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip); ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip);
if (ret) if (ret)
return ret; return ret;
@ -146,8 +140,9 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
if (e.proto == 0) if (e.proto == 0)
return -IPSET_ERR_INVALID_PROTO; return -IPSET_ERR_INVALID_PROTO;
} else } else {
return -IPSET_ERR_MISSING_PROTO; return -IPSET_ERR_MISSING_PROTO;
}
if (!(with_ports || e.proto == IPPROTO_ICMP)) if (!(with_ports || e.proto == IPPROTO_ICMP))
e.port = 0; e.port = 0;
@ -193,8 +188,8 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
} }
} }
return ret; return ret;
@ -279,22 +274,22 @@ hash_ipport6_uadt(struct ip_set *set, struct nlattr *tb[],
bool with_ports = false; bool with_ports = false;
int ret; int ret;
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE) ||
tb[IPSET_ATTR_IP_TO] ||
tb[IPSET_ATTR_CIDR]))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO)))
return -IPSET_ERR_PROTOCOL;
if (unlikely(tb[IPSET_ATTR_IP_TO]))
return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
if (unlikely(tb[IPSET_ATTR_CIDR])) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
if (cidr != HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip); ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
if (ret) if (ret)
return ret; return ret;
@ -311,8 +306,9 @@ hash_ipport6_uadt(struct ip_set *set, struct nlattr *tb[],
if (e.proto == 0) if (e.proto == 0)
return -IPSET_ERR_INVALID_PROTO; return -IPSET_ERR_INVALID_PROTO;
} else } else {
return -IPSET_ERR_MISSING_PROTO; return -IPSET_ERR_MISSING_PROTO;
}
if (!(with_ports || e.proto == IPPROTO_ICMPV6)) if (!(with_ports || e.proto == IPPROTO_ICMPV6))
e.port = 0; e.port = 0;
@ -335,8 +331,8 @@ hash_ipport6_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
} }
return ret; return ret;
} }
@ -388,6 +384,7 @@ hash_ipport_init(void)
static void __exit static void __exit
hash_ipport_fini(void) hash_ipport_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&hash_ipport_type); ip_set_type_unregister(&hash_ipport_type);
} }

59
net/netfilter/ipset/ip_set_hash_ipportip.c
View File

@ -63,7 +63,7 @@ hash_ipportip4_data_equal(const struct hash_ipportip4_elem *ip1,
static bool static bool
hash_ipportip4_data_list(struct sk_buff *skb, hash_ipportip4_data_list(struct sk_buff *skb,
const struct hash_ipportip4_elem *data) const struct hash_ipportip4_elem *data)
{ {
if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) || if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip2) || nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip2) ||
@ -119,20 +119,14 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
bool with_ports = false; bool with_ports = false;
int ret; int ret;
if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO)))
return -IPSET_ERR_PROTOCOL;
ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip); ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip);
if (ret) if (ret)
return ret; return ret;
@ -153,8 +147,9 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
if (e.proto == 0) if (e.proto == 0)
return -IPSET_ERR_INVALID_PROTO; return -IPSET_ERR_INVALID_PROTO;
} else } else {
return -IPSET_ERR_MISSING_PROTO; return -IPSET_ERR_MISSING_PROTO;
}
if (!(with_ports || e.proto == IPPROTO_ICMP)) if (!(with_ports || e.proto == IPPROTO_ICMP))
e.port = 0; e.port = 0;
@ -200,8 +195,8 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
} }
} }
return ret; return ret;
@ -290,22 +285,22 @@ hash_ipportip6_uadt(struct ip_set *set, struct nlattr *tb[],
bool with_ports = false; bool with_ports = false;
int ret; int ret;
if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE) ||
tb[IPSET_ATTR_IP_TO] ||
tb[IPSET_ATTR_CIDR]))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO)))
return -IPSET_ERR_PROTOCOL;
if (unlikely(tb[IPSET_ATTR_IP_TO]))
return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
if (unlikely(tb[IPSET_ATTR_CIDR])) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
if (cidr != HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip); ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
if (ret) if (ret)
return ret; return ret;
@ -326,8 +321,9 @@ hash_ipportip6_uadt(struct ip_set *set, struct nlattr *tb[],
if (e.proto == 0) if (e.proto == 0)
return -IPSET_ERR_INVALID_PROTO; return -IPSET_ERR_INVALID_PROTO;
} else } else {
return -IPSET_ERR_MISSING_PROTO; return -IPSET_ERR_MISSING_PROTO;
}
if (!(with_ports || e.proto == IPPROTO_ICMPV6)) if (!(with_ports || e.proto == IPPROTO_ICMPV6))
e.port = 0; e.port = 0;
@ -350,8 +346,8 @@ hash_ipportip6_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
} }
return ret; return ret;
} }
@ -403,6 +399,7 @@ hash_ipportip_init(void)
static void __exit static void __exit
hash_ipportip_fini(void) hash_ipportip_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&hash_ipportip_type); ip_set_type_unregister(&hash_ipportip_type);
} }

58
net/netfilter/ipset/ip_set_hash_ipportnet.c
View File

@ -141,7 +141,7 @@ hash_ipportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
const struct hash_ipportnet *h = set->data; const struct hash_ipportnet *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportnet4_elem e = { struct hash_ipportnet4_elem e = {
.cidr = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK) - 1, .cidr = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK),
}; };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
@ -173,21 +173,15 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
u8 cidr; u8 cidr;
int ret; int ret;
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
if (ret) if (ret)
return ret; return ret;
@ -215,14 +209,16 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
if (e.proto == 0) if (e.proto == 0)
return -IPSET_ERR_INVALID_PROTO; return -IPSET_ERR_INVALID_PROTO;
} else } else {
return -IPSET_ERR_MISSING_PROTO; return -IPSET_ERR_MISSING_PROTO;
}
if (!(with_ports || e.proto == IPPROTO_ICMP)) if (!(with_ports || e.proto == IPPROTO_ICMP))
e.port = 0; e.port = 0;
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_NOMATCH) if (cadt_flags & IPSET_FLAG_NOMATCH)
flags |= (IPSET_FLAG_NOMATCH << 16); flags |= (IPSET_FLAG_NOMATCH << 16);
} }
@ -269,8 +265,9 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
swap(ip2_from, ip2_to); swap(ip2_from, ip2_to);
if (ip2_from + UINT_MAX == ip2_to) if (ip2_from + UINT_MAX == ip2_to)
return -IPSET_ERR_HASH_RANGE; return -IPSET_ERR_HASH_RANGE;
} else } else {
ip_set_mask_from_to(ip2_from, ip2_to, e.cidr + 1); ip_set_mask_from_to(ip2_from, ip2_to, e.cidr + 1);
}
if (retried) if (retried)
ip = ntohl(h->next.ip); ip = ntohl(h->next.ip);
@ -293,8 +290,8 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
ip2 = ip2_last + 1; ip2 = ip2_last + 1;
} }
} }
@ -395,7 +392,7 @@ hash_ipportnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
const struct hash_ipportnet *h = set->data; const struct hash_ipportnet *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportnet6_elem e = { struct hash_ipportnet6_elem e = {
.cidr = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK) - 1, .cidr = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK),
}; };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
@ -426,24 +423,22 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
u8 cidr; u8 cidr;
int ret; int ret;
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE) ||
tb[IPSET_ATTR_IP_TO] ||
tb[IPSET_ATTR_CIDR]))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
if (unlikely(tb[IPSET_ATTR_IP_TO])) if (unlikely(tb[IPSET_ATTR_IP_TO]))
return -IPSET_ERR_HASH_RANGE_UNSUPPORTED; return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
if (unlikely(tb[IPSET_ATTR_CIDR])) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
if (tb[IPSET_ATTR_LINENO]) if (cidr != HOST_MASK)
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); return -IPSET_ERR_INVALID_CIDR;
}
ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip); ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
if (ret) if (ret)
@ -474,14 +469,16 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
if (e.proto == 0) if (e.proto == 0)
return -IPSET_ERR_INVALID_PROTO; return -IPSET_ERR_INVALID_PROTO;
} else } else {
return -IPSET_ERR_MISSING_PROTO; return -IPSET_ERR_MISSING_PROTO;
}
if (!(with_ports || e.proto == IPPROTO_ICMPV6)) if (!(with_ports || e.proto == IPPROTO_ICMPV6))
e.port = 0; e.port = 0;
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_NOMATCH) if (cadt_flags & IPSET_FLAG_NOMATCH)
flags |= (IPSET_FLAG_NOMATCH << 16); flags |= (IPSET_FLAG_NOMATCH << 16);
} }
@ -505,8 +502,8 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
} }
return ret; return ret;
} }
@ -562,6 +559,7 @@ hash_ipportnet_init(void)
static void __exit static void __exit
hash_ipportnet_fini(void) hash_ipportnet_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&hash_ipportnet_type); ip_set_type_unregister(&hash_ipportnet_type);
} }

19
net/netfilter/ipset/ip_set_hash_mac.c
View File

@ -89,10 +89,10 @@ hash_mac4_kadt(struct ip_set *set, const struct sk_buff *skb,
return 0; return 0;
if (skb_mac_header(skb) < skb->head || if (skb_mac_header(skb) < skb->head ||
(skb_mac_header(skb) + ETH_HLEN) > skb->data) (skb_mac_header(skb) + ETH_HLEN) > skb->data)
return -EINVAL; return -EINVAL;
memcpy(e.ether, eth_hdr(skb)->h_source, ETH_ALEN); ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
if (memcmp(e.ether, invalid_ether, ETH_ALEN) == 0) if (memcmp(e.ether, invalid_ether, ETH_ALEN) == 0)
return -EINVAL; return -EINVAL;
return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
@ -107,22 +107,16 @@ hash_mac4_uadt(struct ip_set *set, struct nlattr *tb[],
struct ip_set_ext ext = IP_SET_INIT_UEXT(set); struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
int ret; int ret;
if (unlikely(!tb[IPSET_ATTR_ETHER] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_ETHER]))
return -IPSET_ERR_PROTOCOL;
ret = ip_set_get_extensions(set, tb, &ext); ret = ip_set_get_extensions(set, tb, &ext);
if (ret) if (ret)
return ret; return ret;
memcpy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]), ETH_ALEN); ether_addr_copy(e.ether, nla_data(tb[IPSET_ATTR_ETHER]));
if (memcmp(e.ether, invalid_ether, ETH_ALEN) == 0) if (memcmp(e.ether, invalid_ether, ETH_ALEN) == 0)
return -IPSET_ERR_HASH_ELEM; return -IPSET_ERR_HASH_ELEM;
@ -171,6 +165,7 @@ hash_mac_init(void)
static void __exit static void __exit
hash_mac_fini(void) hash_mac_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&hash_mac_type); ip_set_type_unregister(&hash_mac_type);
} }

49
net/netfilter/ipset/ip_set_hash_net.c
View File

@ -120,7 +120,7 @@ hash_net4_kadt(struct ip_set *set, const struct sk_buff *skb,
const struct hash_net *h = set->data; const struct hash_net *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_net4_elem e = { struct hash_net4_elem e = {
.cidr = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK), .cidr = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK),
}; };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
@ -146,19 +146,13 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
u32 ip = 0, ip_to = 0, last; u32 ip = 0, ip_to = 0, last;
int ret; int ret;
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
return -IPSET_ERR_PROTOCOL;
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
if (ret) if (ret)
return ret; return ret;
@ -175,6 +169,7 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_NOMATCH) if (cadt_flags & IPSET_FLAG_NOMATCH)
flags |= (IPSET_FLAG_NOMATCH << 16); flags |= (IPSET_FLAG_NOMATCH << 16);
} }
@ -182,7 +177,7 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) { if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
e.ip = htonl(ip & ip_set_hostmask(e.cidr)); e.ip = htonl(ip & ip_set_hostmask(e.cidr));
ret = adtfn(set, &e, &ext, &ext, flags); ret = adtfn(set, &e, &ext, &ext, flags);
return ip_set_enomatch(ret, flags, adt, set) ? -ret: return ip_set_enomatch(ret, flags, adt, set) ? -ret :
ip_set_eexist(ret, flags) ? 0 : ret; ip_set_eexist(ret, flags) ? 0 : ret;
} }
@ -204,8 +199,8 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
ret = adtfn(set, &e, &ext, &ext, flags); ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
ip = last + 1; ip = last + 1;
} }
return ret; return ret;
@ -294,7 +289,7 @@ hash_net6_kadt(struct ip_set *set, const struct sk_buff *skb,
const struct hash_net *h = set->data; const struct hash_net *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_net6_elem e = { struct hash_net6_elem e = {
.cidr = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK), .cidr = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK),
}; };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
@ -318,21 +313,15 @@ hash_net6_uadt(struct ip_set *set, struct nlattr *tb[],
struct ip_set_ext ext = IP_SET_INIT_UEXT(set); struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
int ret; int ret;
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] || if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
if (unlikely(tb[IPSET_ATTR_IP_TO])) if (unlikely(tb[IPSET_ATTR_IP_TO]))
return -IPSET_ERR_HASH_RANGE_UNSUPPORTED; return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip); ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
if (ret) if (ret)
return ret; return ret;
@ -341,16 +330,17 @@ hash_net6_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret) if (ret)
return ret; return ret;
if (tb[IPSET_ATTR_CIDR]) if (tb[IPSET_ATTR_CIDR]) {
e.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); e.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
if (!e.cidr || e.cidr > HOST_MASK)
if (!e.cidr || e.cidr > HOST_MASK) return -IPSET_ERR_INVALID_CIDR;
return -IPSET_ERR_INVALID_CIDR; }
ip6_netmask(&e.ip, e.cidr); ip6_netmask(&e.ip, e.cidr);
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_NOMATCH) if (cadt_flags & IPSET_FLAG_NOMATCH)
flags |= (IPSET_FLAG_NOMATCH << 16); flags |= (IPSET_FLAG_NOMATCH << 16);
} }
@ -404,6 +394,7 @@ hash_net_init(void)
static void __exit static void __exit
hash_net_fini(void) hash_net_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&hash_net_type); ip_set_type_unregister(&hash_net_type);
} }

233
net/netfilter/ipset/ip_set_hash_netiface.c
View File

@ -13,7 +13,6 @@
#include <linux/skbuff.h> #include <linux/skbuff.h>
#include <linux/errno.h> #include <linux/errno.h>
#include <linux/random.h> #include <linux/random.h>
#include <linux/rbtree.h>
#include <net/ip.h> #include <net/ip.h>
#include <net/ipv6.h> #include <net/ipv6.h>
#include <net/netlink.h> #include <net/netlink.h>
@ -37,88 +36,13 @@ MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
IP_SET_MODULE_DESC("hash:net,iface", IPSET_TYPE_REV_MIN, IPSET_TYPE_REV_MAX); IP_SET_MODULE_DESC("hash:net,iface", IPSET_TYPE_REV_MIN, IPSET_TYPE_REV_MAX);
MODULE_ALIAS("ip_set_hash:net,iface"); MODULE_ALIAS("ip_set_hash:net,iface");
/* Interface name rbtree */
struct iface_node {
struct rb_node node;
char iface[IFNAMSIZ];
};
#define iface_data(n) (rb_entry(n, struct iface_node, node)->iface)
static void
rbtree_destroy(struct rb_root *root)
{
struct iface_node *node, *next;
rbtree_postorder_for_each_entry_safe(node, next, root, node)
kfree(node);
*root = RB_ROOT;
}
static int
iface_test(struct rb_root *root, const char **iface)
{
struct rb_node *n = root->rb_node;
while (n) {
const char *d = iface_data(n);
int res = strcmp(*iface, d);
if (res < 0)
n = n->rb_left;
else if (res > 0)
n = n->rb_right;
else {
*iface = d;
return 1;
}
}
return 0;
}
static int
iface_add(struct rb_root *root, const char **iface)
{
struct rb_node **n = &(root->rb_node), *p = NULL;
struct iface_node *d;
while (*n) {
char *ifname = iface_data(*n);
int res = strcmp(*iface, ifname);
p = *n;
if (res < 0)
n = &((*n)->rb_left);
else if (res > 0)
n = &((*n)->rb_right);
else {
*iface = ifname;
return 0;
}
}
d = kzalloc(sizeof(*d), GFP_ATOMIC);
if (!d)
return -ENOMEM;
strcpy(d->iface, *iface);
rb_link_node(&d->node, p, n);
rb_insert_color(&d->node, root);
*iface = d->iface;
return 0;
}
/* Type specific function prefix */ /* Type specific function prefix */
#define HTYPE hash_netiface #define HTYPE hash_netiface
#define IP_SET_HASH_WITH_NETS #define IP_SET_HASH_WITH_NETS
#define IP_SET_HASH_WITH_RBTREE
#define IP_SET_HASH_WITH_MULTI #define IP_SET_HASH_WITH_MULTI
#define IP_SET_HASH_WITH_NET0 #define IP_SET_HASH_WITH_NET0
#define STREQ(a, b) (strcmp(a, b) == 0) #define STRLCPY(a, b) strlcpy(a, b, IFNAMSIZ)
/* IPv4 variant */ /* IPv4 variant */
@ -137,7 +61,7 @@ struct hash_netiface4_elem {
u8 cidr; u8 cidr;
u8 nomatch; u8 nomatch;
u8 elem; u8 elem;
const char *iface; char iface[IFNAMSIZ];
}; };
/* Common functions */ /* Common functions */
@ -151,7 +75,7 @@ hash_netiface4_data_equal(const struct hash_netiface4_elem *ip1,
ip1->cidr == ip2->cidr && ip1->cidr == ip2->cidr &&
(++*multi) && (++*multi) &&
ip1->physdev == ip2->physdev && ip1->physdev == ip2->physdev &&
ip1->iface == ip2->iface; strcmp(ip1->iface, ip2->iface) == 0;
} }
static inline int static inline int
@ -219,7 +143,7 @@ static const char *get_physindev_name(const struct sk_buff *skb)
return dev ? dev->name : NULL; return dev ? dev->name : NULL;
} }
static const char *get_phyoutdev_name(const struct sk_buff *skb) static const char *get_physoutdev_name(const struct sk_buff *skb)
{ {
struct net_device *dev = nf_bridge_get_physoutdev(skb); struct net_device *dev = nf_bridge_get_physoutdev(skb);
@ -235,11 +159,10 @@ hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb,
struct hash_netiface *h = set->data; struct hash_netiface *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netiface4_elem e = { struct hash_netiface4_elem e = {
.cidr = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK), .cidr = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK),
.elem = 1, .elem = 1,
}; };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
int ret;
if (e.cidr == 0) if (e.cidr == 0)
return -EINVAL; return -EINVAL;
@ -249,35 +172,25 @@ hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb,
ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip); ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip);
e.ip &= ip_set_netmask(e.cidr); e.ip &= ip_set_netmask(e.cidr);
#define IFACE(dir) (par->dir ? par->dir->name : NULL) #define IFACE(dir) (par->dir ? par->dir->name : "")
#define SRCDIR (opt->flags & IPSET_DIM_TWO_SRC) #define SRCDIR (opt->flags & IPSET_DIM_TWO_SRC)
if (opt->cmdflags & IPSET_FLAG_PHYSDEV) { if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
e.iface = SRCDIR ? get_physindev_name(skb) : const char *eiface = SRCDIR ? get_physindev_name(skb) :
get_phyoutdev_name(skb); get_physoutdev_name(skb);
if (!e.iface) if (!eiface)
return -EINVAL; return -EINVAL;
STRLCPY(e.iface, eiface);
e.physdev = 1; e.physdev = 1;
#else
e.iface = NULL;
#endif #endif
} else } else {
e.iface = SRCDIR ? IFACE(in) : IFACE(out); STRLCPY(e.iface, SRCDIR ? IFACE(in) : IFACE(out));
}
if (!e.iface) if (strlen(e.iface) == 0)
return -EINVAL; return -EINVAL;
ret = iface_test(&h->rbtree, &e.iface);
if (adt == IPSET_ADD) {
if (!ret) {
ret = iface_add(&h->rbtree, &e.iface);
if (ret)
return ret;
}
} else if (!ret)
return ret;
return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
} }
@ -290,23 +203,16 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 }; struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set); struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
u32 ip = 0, ip_to = 0, last; u32 ip = 0, ip_to = 0, last;
char iface[IFNAMSIZ];
int ret; int ret;
if (unlikely(!tb[IPSET_ATTR_IP] ||
!tb[IPSET_ATTR_IFACE] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] ||
!tb[IPSET_ATTR_IFACE] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
return -IPSET_ERR_PROTOCOL;
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
if (ret) if (ret)
return ret; return ret;
@ -320,21 +226,11 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
if (e.cidr > HOST_MASK) if (e.cidr > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR; return -IPSET_ERR_INVALID_CIDR;
} }
nla_strlcpy(e.iface, tb[IPSET_ATTR_IFACE], IFNAMSIZ);
strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE]));
e.iface = iface;
ret = iface_test(&h->rbtree, &e.iface);
if (adt == IPSET_ADD) {
if (!ret) {
ret = iface_add(&h->rbtree, &e.iface);
if (ret)
return ret;
}
} else if (!ret)
return ret;
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_PHYSDEV) if (cadt_flags & IPSET_FLAG_PHYSDEV)
e.physdev = 1; e.physdev = 1;
if (cadt_flags & IPSET_FLAG_NOMATCH) if (cadt_flags & IPSET_FLAG_NOMATCH)
@ -355,8 +251,9 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
swap(ip, ip_to); swap(ip, ip_to);
if (ip + UINT_MAX == ip_to) if (ip + UINT_MAX == ip_to)
return -IPSET_ERR_HASH_RANGE; return -IPSET_ERR_HASH_RANGE;
} else } else {
ip_set_mask_from_to(ip, ip_to, e.cidr); ip_set_mask_from_to(ip, ip_to, e.cidr);
}
if (retried) if (retried)
ip = ntohl(h->next.ip); ip = ntohl(h->next.ip);
@ -367,8 +264,8 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
ip = last + 1; ip = last + 1;
} }
return ret; return ret;
@ -390,7 +287,7 @@ struct hash_netiface6_elem {
u8 cidr; u8 cidr;
u8 nomatch; u8 nomatch;
u8 elem; u8 elem;
const char *iface; char iface[IFNAMSIZ];
}; };
/* Common functions */ /* Common functions */
@ -404,7 +301,7 @@ hash_netiface6_data_equal(const struct hash_netiface6_elem *ip1,
ip1->cidr == ip2->cidr && ip1->cidr == ip2->cidr &&
(++*multi) && (++*multi) &&
ip1->physdev == ip2->physdev && ip1->physdev == ip2->physdev &&
ip1->iface == ip2->iface; strcmp(ip1->iface, ip2->iface) == 0;
} }
static inline int static inline int
@ -475,11 +372,10 @@ hash_netiface6_kadt(struct ip_set *set, const struct sk_buff *skb,
struct hash_netiface *h = set->data; struct hash_netiface *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netiface6_elem e = { struct hash_netiface6_elem e = {
.cidr = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK), .cidr = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK),
.elem = 1, .elem = 1,
}; };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
int ret;
if (e.cidr == 0) if (e.cidr == 0)
return -EINVAL; return -EINVAL;
@ -491,60 +387,43 @@ hash_netiface6_kadt(struct ip_set *set, const struct sk_buff *skb,
if (opt->cmdflags & IPSET_FLAG_PHYSDEV) { if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
e.iface = SRCDIR ? get_physindev_name(skb) : const char *eiface = SRCDIR ? get_physindev_name(skb) :
get_phyoutdev_name(skb); get_physoutdev_name(skb);
if (!e.iface)
if (!eiface)
return -EINVAL; return -EINVAL;
STRLCPY(e.iface, eiface);
e.physdev = 1; e.physdev = 1;
#else
e.iface = NULL;
#endif #endif
} else } else {
e.iface = SRCDIR ? IFACE(in) : IFACE(out); STRLCPY(e.iface, SRCDIR ? IFACE(in) : IFACE(out));
}
if (!e.iface) if (strlen(e.iface) == 0)
return -EINVAL; return -EINVAL;
ret = iface_test(&h->rbtree, &e.iface);
if (adt == IPSET_ADD) {
if (!ret) {
ret = iface_add(&h->rbtree, &e.iface);
if (ret)
return ret;
}
} else if (!ret)
return ret;
return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
} }
static int static int
hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[], hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{ {
struct hash_netiface *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netiface6_elem e = { .cidr = HOST_MASK, .elem = 1 }; struct hash_netiface6_elem e = { .cidr = HOST_MASK, .elem = 1 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set); struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
char iface[IFNAMSIZ];
int ret; int ret;
if (unlikely(!tb[IPSET_ATTR_IP] ||
!tb[IPSET_ATTR_IFACE] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (unlikely(tb[IPSET_ATTR_IP_TO]))
return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] ||
!tb[IPSET_ATTR_IFACE] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
return -IPSET_ERR_PROTOCOL;
if (unlikely(tb[IPSET_ATTR_IP_TO]))
return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip); ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
if (ret) if (ret)
return ret; return ret;
@ -553,26 +432,19 @@ hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret) if (ret)
return ret; return ret;
if (tb[IPSET_ATTR_CIDR]) if (tb[IPSET_ATTR_CIDR]) {
e.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); e.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
if (e.cidr > HOST_MASK) if (e.cidr > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR; return -IPSET_ERR_INVALID_CIDR;
}
ip6_netmask(&e.ip, e.cidr); ip6_netmask(&e.ip, e.cidr);
strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE])); nla_strlcpy(e.iface, tb[IPSET_ATTR_IFACE], IFNAMSIZ);
e.iface = iface;
ret = iface_test(&h->rbtree, &e.iface);
if (adt == IPSET_ADD) {
if (!ret) {
ret = iface_add(&h->rbtree, &e.iface);
if (ret)
return ret;
}
} else if (!ret)
return ret;
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_PHYSDEV) if (cadt_flags & IPSET_FLAG_PHYSDEV)
e.physdev = 1; e.physdev = 1;
if (cadt_flags & IPSET_FLAG_NOMATCH) if (cadt_flags & IPSET_FLAG_NOMATCH)
@ -633,6 +505,7 @@ hash_netiface_init(void)
static void __exit static void __exit
hash_netiface_fini(void) hash_netiface_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&hash_netiface_type); ip_set_type_unregister(&hash_netiface_type);
} }

120
net/netfilter/ipset/ip_set_hash_netnet.c
View File

@ -57,8 +57,8 @@ struct hash_netnet4_elem {
static inline bool static inline bool
hash_netnet4_data_equal(const struct hash_netnet4_elem *ip1, hash_netnet4_data_equal(const struct hash_netnet4_elem *ip1,
const struct hash_netnet4_elem *ip2, const struct hash_netnet4_elem *ip2,
u32 *multi) u32 *multi)
{ {
return ip1->ipcmp == ip2->ipcmp && return ip1->ipcmp == ip2->ipcmp &&
ip1->ccmp == ip2->ccmp; ip1->ccmp == ip2->ccmp;
@ -84,7 +84,7 @@ hash_netnet4_data_reset_flags(struct hash_netnet4_elem *elem, u8 *flags)
static inline void static inline void
hash_netnet4_data_reset_elem(struct hash_netnet4_elem *elem, hash_netnet4_data_reset_elem(struct hash_netnet4_elem *elem,
struct hash_netnet4_elem *orig) struct hash_netnet4_elem *orig)
{ {
elem->ip[1] = orig->ip[1]; elem->ip[1] = orig->ip[1];
} }
@ -103,7 +103,7 @@ hash_netnet4_data_netmask(struct hash_netnet4_elem *elem, u8 cidr, bool inner)
static bool static bool
hash_netnet4_data_list(struct sk_buff *skb, hash_netnet4_data_list(struct sk_buff *skb,
const struct hash_netnet4_elem *data) const struct hash_netnet4_elem *data)
{ {
u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0; u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
@ -122,7 +122,7 @@ nla_put_failure:
static inline void static inline void
hash_netnet4_data_next(struct hash_netnet4_elem *next, hash_netnet4_data_next(struct hash_netnet4_elem *next,
const struct hash_netnet4_elem *d) const struct hash_netnet4_elem *d)
{ {
next->ipcmp = d->ipcmp; next->ipcmp = d->ipcmp;
} }
@ -133,16 +133,16 @@ hash_netnet4_data_next(struct hash_netnet4_elem *next,
static int static int
hash_netnet4_kadt(struct ip_set *set, const struct sk_buff *skb, hash_netnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
const struct xt_action_param *par, const struct xt_action_param *par,
enum ipset_adt adt, struct ip_set_adt_opt *opt) enum ipset_adt adt, struct ip_set_adt_opt *opt)
{ {
const struct hash_netnet *h = set->data; const struct hash_netnet *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netnet4_elem e = { }; struct hash_netnet4_elem e = { };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
e.cidr[0] = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK); e.cidr[0] = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK);
e.cidr[1] = IP_SET_INIT_CIDR(h->nets[0].cidr[1], HOST_MASK); e.cidr[1] = INIT_CIDR(h->nets[0].cidr[1], HOST_MASK);
if (adt == IPSET_TEST) if (adt == IPSET_TEST)
e.ccmp = (HOST_MASK << (sizeof(e.cidr[0]) * 8)) | HOST_MASK; e.ccmp = (HOST_MASK << (sizeof(e.cidr[0]) * 8)) | HOST_MASK;
@ -156,31 +156,23 @@ hash_netnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
static int static int
hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[], hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{ {
const struct hash_netnet *h = set->data; const struct hash_netnet *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netnet4_elem e = { }; struct hash_netnet4_elem e = { .cidr = { HOST_MASK, HOST_MASK, }, };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set); struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
u32 ip = 0, ip_to = 0, last; u32 ip = 0, ip_to = 0, last;
u32 ip2 = 0, ip2_from = 0, ip2_to = 0, last2; u32 ip2 = 0, ip2_from = 0, ip2_to = 0, last2;
u8 cidr, cidr2;
int ret; int ret;
e.cidr[0] = e.cidr[1] = HOST_MASK;
if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
return -IPSET_ERR_PROTOCOL;
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
if (ret) if (ret)
return ret; return ret;
@ -194,21 +186,20 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
return ret; return ret;
if (tb[IPSET_ATTR_CIDR]) { if (tb[IPSET_ATTR_CIDR]) {
cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
if (!cidr || cidr > HOST_MASK) if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR; return -IPSET_ERR_INVALID_CIDR;
e.cidr[0] = cidr;
} }
if (tb[IPSET_ATTR_CIDR2]) { if (tb[IPSET_ATTR_CIDR2]) {
cidr2 = nla_get_u8(tb[IPSET_ATTR_CIDR2]); e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
if (!cidr2 || cidr2 > HOST_MASK) if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR; return -IPSET_ERR_INVALID_CIDR;
e.cidr[1] = cidr2;
} }
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_NOMATCH) if (cadt_flags & IPSET_FLAG_NOMATCH)
flags |= (IPSET_FLAG_NOMATCH << 16); flags |= (IPSET_FLAG_NOMATCH << 16);
} }
@ -231,8 +222,9 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
swap(ip, ip_to); swap(ip, ip_to);
if (unlikely(ip + UINT_MAX == ip_to)) if (unlikely(ip + UINT_MAX == ip_to))
return -IPSET_ERR_HASH_RANGE; return -IPSET_ERR_HASH_RANGE;
} else } else {
ip_set_mask_from_to(ip, ip_to, e.cidr[0]); ip_set_mask_from_to(ip, ip_to, e.cidr[0]);
}
ip2_to = ip2_from; ip2_to = ip2_from;
if (tb[IPSET_ATTR_IP2_TO]) { if (tb[IPSET_ATTR_IP2_TO]) {
@ -243,28 +235,27 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
swap(ip2_from, ip2_to); swap(ip2_from, ip2_to);
if (unlikely(ip2_from + UINT_MAX == ip2_to)) if (unlikely(ip2_from + UINT_MAX == ip2_to))
return -IPSET_ERR_HASH_RANGE; return -IPSET_ERR_HASH_RANGE;
} else } else {
ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[1]); ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[1]);
}
if (retried) if (retried)
ip = ntohl(h->next.ip[0]); ip = ntohl(h->next.ip[0]);
while (!after(ip, ip_to)) { while (!after(ip, ip_to)) {
e.ip[0] = htonl(ip); e.ip[0] = htonl(ip);
last = ip_set_range_to_cidr(ip, ip_to, &cidr); last = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
e.cidr[0] = cidr;
ip2 = (retried && ip2 = (retried &&
ip == ntohl(h->next.ip[0])) ? ntohl(h->next.ip[1]) ip == ntohl(h->next.ip[0])) ? ntohl(h->next.ip[1])
: ip2_from; : ip2_from;
while (!after(ip2, ip2_to)) { while (!after(ip2, ip2_to)) {
e.ip[1] = htonl(ip2); e.ip[1] = htonl(ip2);
last2 = ip_set_range_to_cidr(ip2, ip2_to, &cidr2); last2 = ip_set_range_to_cidr(ip2, ip2_to, &e.cidr[1]);
e.cidr[1] = cidr2;
ret = adtfn(set, &e, &ext, &ext, flags); ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
ip2 = last2 + 1; ip2 = last2 + 1;
} }
ip = last + 1; ip = last + 1;
@ -288,8 +279,8 @@ struct hash_netnet6_elem {
static inline bool static inline bool
hash_netnet6_data_equal(const struct hash_netnet6_elem *ip1, hash_netnet6_data_equal(const struct hash_netnet6_elem *ip1,
const struct hash_netnet6_elem *ip2, const struct hash_netnet6_elem *ip2,
u32 *multi) u32 *multi)
{ {
return ipv6_addr_equal(&ip1->ip[0].in6, &ip2->ip[0].in6) && return ipv6_addr_equal(&ip1->ip[0].in6, &ip2->ip[0].in6) &&
ipv6_addr_equal(&ip1->ip[1].in6, &ip2->ip[1].in6) && ipv6_addr_equal(&ip1->ip[1].in6, &ip2->ip[1].in6) &&
@ -316,7 +307,7 @@ hash_netnet6_data_reset_flags(struct hash_netnet6_elem *elem, u8 *flags)
static inline void static inline void
hash_netnet6_data_reset_elem(struct hash_netnet6_elem *elem, hash_netnet6_data_reset_elem(struct hash_netnet6_elem *elem,
struct hash_netnet6_elem *orig) struct hash_netnet6_elem *orig)
{ {
elem->ip[1] = orig->ip[1]; elem->ip[1] = orig->ip[1];
} }
@ -335,7 +326,7 @@ hash_netnet6_data_netmask(struct hash_netnet6_elem *elem, u8 cidr, bool inner)
static bool static bool
hash_netnet6_data_list(struct sk_buff *skb, hash_netnet6_data_list(struct sk_buff *skb,
const struct hash_netnet6_elem *data) const struct hash_netnet6_elem *data)
{ {
u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0; u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
@ -354,7 +345,7 @@ nla_put_failure:
static inline void static inline void
hash_netnet6_data_next(struct hash_netnet4_elem *next, hash_netnet6_data_next(struct hash_netnet4_elem *next,
const struct hash_netnet6_elem *d) const struct hash_netnet6_elem *d)
{ {
} }
@ -368,18 +359,18 @@ hash_netnet6_data_next(struct hash_netnet4_elem *next,
static int static int
hash_netnet6_kadt(struct ip_set *set, const struct sk_buff *skb, hash_netnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
const struct xt_action_param *par, const struct xt_action_param *par,
enum ipset_adt adt, struct ip_set_adt_opt *opt) enum ipset_adt adt, struct ip_set_adt_opt *opt)
{ {
const struct hash_netnet *h = set->data; const struct hash_netnet *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netnet6_elem e = { }; struct hash_netnet6_elem e = { };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
e.cidr[0] = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK); e.cidr[0] = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK);
e.cidr[1] = IP_SET_INIT_CIDR(h->nets[0].cidr[1], HOST_MASK); e.cidr[1] = INIT_CIDR(h->nets[0].cidr[1], HOST_MASK);
if (adt == IPSET_TEST) if (adt == IPSET_TEST)
e.ccmp = (HOST_MASK << (sizeof(u8)*8)) | HOST_MASK; e.ccmp = (HOST_MASK << (sizeof(u8) * 8)) | HOST_MASK;
ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0].in6); ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0].in6);
ip6addrptr(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.ip[1].in6); ip6addrptr(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.ip[1].in6);
@ -391,29 +382,22 @@ hash_netnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
static int static int
hash_netnet6_uadt(struct ip_set *set, struct nlattr *tb[], hash_netnet6_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{ {
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netnet6_elem e = { }; struct hash_netnet6_elem e = { .cidr = { HOST_MASK, HOST_MASK, }, };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set); struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
int ret; int ret;
e.cidr[0] = e.cidr[1] = HOST_MASK; if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
if (unlikely(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_IP2_TO])) if (unlikely(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_IP2_TO]))
return -IPSET_ERR_HASH_RANGE_UNSUPPORTED; return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]); ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]);
if (ret) if (ret)
return ret; return ret;
@ -426,21 +410,24 @@ hash_netnet6_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret) if (ret)
return ret; return ret;
if (tb[IPSET_ATTR_CIDR]) if (tb[IPSET_ATTR_CIDR]) {
e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]); e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
if (tb[IPSET_ATTR_CIDR2]) if (tb[IPSET_ATTR_CIDR2]) {
e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]); e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
if (!e.cidr[0] || e.cidr[0] > HOST_MASK || !e.cidr[1] || return -IPSET_ERR_INVALID_CIDR;
e.cidr[1] > HOST_MASK) }
return -IPSET_ERR_INVALID_CIDR;
ip6_netmask(&e.ip[0], e.cidr[0]); ip6_netmask(&e.ip[0], e.cidr[0]);
ip6_netmask(&e.ip[1], e.cidr[1]); ip6_netmask(&e.ip[1], e.cidr[1]);
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_NOMATCH) if (cadt_flags & IPSET_FLAG_NOMATCH)
flags |= (IPSET_FLAG_NOMATCH << 16); flags |= (IPSET_FLAG_NOMATCH << 16);
} }
@ -497,6 +484,7 @@ hash_netnet_init(void)
static void __exit static void __exit
hash_netnet_fini(void) hash_netnet_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&hash_netnet_type); ip_set_type_unregister(&hash_netnet_type);
} }

52
net/netfilter/ipset/ip_set_hash_netport.c
View File

@ -136,7 +136,7 @@ hash_netport4_kadt(struct ip_set *set, const struct sk_buff *skb,
const struct hash_netport *h = set->data; const struct hash_netport *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netport4_elem e = { struct hash_netport4_elem e = {
.cidr = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK) - 1, .cidr = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK),
}; };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
@ -166,21 +166,15 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
u8 cidr; u8 cidr;
int ret; int ret;
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] || if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
if (ret) if (ret)
return ret; return ret;
@ -204,8 +198,9 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
if (e.proto == 0) if (e.proto == 0)
return -IPSET_ERR_INVALID_PROTO; return -IPSET_ERR_INVALID_PROTO;
} else } else {
return -IPSET_ERR_MISSING_PROTO; return -IPSET_ERR_MISSING_PROTO;
}
if (!(with_ports || e.proto == IPPROTO_ICMP)) if (!(with_ports || e.proto == IPPROTO_ICMP))
e.port = 0; e.port = 0;
@ -214,6 +209,7 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_NOMATCH) if (cadt_flags & IPSET_FLAG_NOMATCH)
flags |= (IPSET_FLAG_NOMATCH << 16); flags |= (IPSET_FLAG_NOMATCH << 16);
} }
@ -239,8 +235,9 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
swap(ip, ip_to); swap(ip, ip_to);
if (ip + UINT_MAX == ip_to) if (ip + UINT_MAX == ip_to)
return -IPSET_ERR_HASH_RANGE; return -IPSET_ERR_HASH_RANGE;
} else } else {
ip_set_mask_from_to(ip, ip_to, e.cidr + 1); ip_set_mask_from_to(ip, ip_to, e.cidr + 1);
}
if (retried) if (retried)
ip = ntohl(h->next.ip); ip = ntohl(h->next.ip);
@ -256,8 +253,8 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
} }
ip = last + 1; ip = last + 1;
} }
@ -354,7 +351,7 @@ hash_netport6_kadt(struct ip_set *set, const struct sk_buff *skb,
const struct hash_netport *h = set->data; const struct hash_netport *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netport6_elem e = { struct hash_netport6_elem e = {
.cidr = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK) - 1, .cidr = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK),
}; };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
@ -384,23 +381,17 @@ hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
u8 cidr; u8 cidr;
int ret; int ret;
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] || if (unlikely(!tb[IPSET_ATTR_IP] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
if (unlikely(tb[IPSET_ATTR_IP_TO])) if (unlikely(tb[IPSET_ATTR_IP_TO]))
return -IPSET_ERR_HASH_RANGE_UNSUPPORTED; return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip); ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
if (ret) if (ret)
return ret; return ret;
@ -425,14 +416,16 @@ hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
if (e.proto == 0) if (e.proto == 0)
return -IPSET_ERR_INVALID_PROTO; return -IPSET_ERR_INVALID_PROTO;
} else } else {
return -IPSET_ERR_MISSING_PROTO; return -IPSET_ERR_MISSING_PROTO;
}
if (!(with_ports || e.proto == IPPROTO_ICMPV6)) if (!(with_ports || e.proto == IPPROTO_ICMPV6))
e.port = 0; e.port = 0;
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_NOMATCH) if (cadt_flags & IPSET_FLAG_NOMATCH)
flags |= (IPSET_FLAG_NOMATCH << 16); flags |= (IPSET_FLAG_NOMATCH << 16);
} }
@ -456,8 +449,8 @@ hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
} }
return ret; return ret;
} }
@ -510,6 +503,7 @@ hash_netport_init(void)
static void __exit static void __exit
hash_netport_fini(void) hash_netport_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&hash_netport_type); ip_set_type_unregister(&hash_netport_type);
} }

132
net/netfilter/ipset/ip_set_hash_netportnet.c
View File

@ -62,8 +62,8 @@ struct hash_netportnet4_elem {
static inline bool static inline bool
hash_netportnet4_data_equal(const struct hash_netportnet4_elem *ip1, hash_netportnet4_data_equal(const struct hash_netportnet4_elem *ip1,
const struct hash_netportnet4_elem *ip2, const struct hash_netportnet4_elem *ip2,
u32 *multi) u32 *multi)
{ {
return ip1->ipcmp == ip2->ipcmp && return ip1->ipcmp == ip2->ipcmp &&
ip1->ccmp == ip2->ccmp && ip1->ccmp == ip2->ccmp &&
@ -91,7 +91,7 @@ hash_netportnet4_data_reset_flags(struct hash_netportnet4_elem *elem, u8 *flags)
static inline void static inline void
hash_netportnet4_data_reset_elem(struct hash_netportnet4_elem *elem, hash_netportnet4_data_reset_elem(struct hash_netportnet4_elem *elem,
struct hash_netportnet4_elem *orig) struct hash_netportnet4_elem *orig)
{ {
elem->ip[1] = orig->ip[1]; elem->ip[1] = orig->ip[1];
} }
@ -111,7 +111,7 @@ hash_netportnet4_data_netmask(struct hash_netportnet4_elem *elem,
static bool static bool
hash_netportnet4_data_list(struct sk_buff *skb, hash_netportnet4_data_list(struct sk_buff *skb,
const struct hash_netportnet4_elem *data) const struct hash_netportnet4_elem *data)
{ {
u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0; u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
@ -132,7 +132,7 @@ nla_put_failure:
static inline void static inline void
hash_netportnet4_data_next(struct hash_netportnet4_elem *next, hash_netportnet4_data_next(struct hash_netportnet4_elem *next,
const struct hash_netportnet4_elem *d) const struct hash_netportnet4_elem *d)
{ {
next->ipcmp = d->ipcmp; next->ipcmp = d->ipcmp;
next->port = d->port; next->port = d->port;
@ -144,16 +144,16 @@ hash_netportnet4_data_next(struct hash_netportnet4_elem *next,
static int static int
hash_netportnet4_kadt(struct ip_set *set, const struct sk_buff *skb, hash_netportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
const struct xt_action_param *par, const struct xt_action_param *par,
enum ipset_adt adt, struct ip_set_adt_opt *opt) enum ipset_adt adt, struct ip_set_adt_opt *opt)
{ {
const struct hash_netportnet *h = set->data; const struct hash_netportnet *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netportnet4_elem e = { }; struct hash_netportnet4_elem e = { };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
e.cidr[0] = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK); e.cidr[0] = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK);
e.cidr[1] = IP_SET_INIT_CIDR(h->nets[0].cidr[1], HOST_MASK); e.cidr[1] = INIT_CIDR(h->nets[0].cidr[1], HOST_MASK);
if (adt == IPSET_TEST) if (adt == IPSET_TEST)
e.ccmp = (HOST_MASK << (sizeof(e.cidr[0]) * 8)) | HOST_MASK; e.ccmp = (HOST_MASK << (sizeof(e.cidr[0]) * 8)) | HOST_MASK;
@ -171,34 +171,26 @@ hash_netportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
static int static int
hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[], hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{ {
const struct hash_netportnet *h = set->data; const struct hash_netportnet *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netportnet4_elem e = { }; struct hash_netportnet4_elem e = { .cidr = { HOST_MASK, HOST_MASK, }, };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set); struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
u32 ip = 0, ip_to = 0, ip_last, p = 0, port, port_to; u32 ip = 0, ip_to = 0, ip_last, p = 0, port, port_to;
u32 ip2_from = 0, ip2_to = 0, ip2_last, ip2; u32 ip2_from = 0, ip2_to = 0, ip2_last, ip2;
bool with_ports = false; bool with_ports = false;
u8 cidr, cidr2;
int ret; int ret;
e.cidr[0] = e.cidr[1] = HOST_MASK;
if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
return -IPSET_ERR_PROTOCOL;
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
if (ret) if (ret)
return ret; return ret;
@ -212,17 +204,15 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
return ret; return ret;
if (tb[IPSET_ATTR_CIDR]) { if (tb[IPSET_ATTR_CIDR]) {
cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
if (!cidr || cidr > HOST_MASK) if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR; return -IPSET_ERR_INVALID_CIDR;
e.cidr[0] = cidr;
} }
if (tb[IPSET_ATTR_CIDR2]) { if (tb[IPSET_ATTR_CIDR2]) {
cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]); e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
if (!cidr || cidr > HOST_MASK) if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR; return -IPSET_ERR_INVALID_CIDR;
e.cidr[1] = cidr;
} }
e.port = nla_get_be16(tb[IPSET_ATTR_PORT]); e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
@ -233,14 +223,16 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
if (e.proto == 0) if (e.proto == 0)
return -IPSET_ERR_INVALID_PROTO; return -IPSET_ERR_INVALID_PROTO;
} else } else {
return -IPSET_ERR_MISSING_PROTO; return -IPSET_ERR_MISSING_PROTO;
}
if (!(with_ports || e.proto == IPPROTO_ICMP)) if (!(with_ports || e.proto == IPPROTO_ICMP))
e.port = 0; e.port = 0;
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_NOMATCH) if (cadt_flags & IPSET_FLAG_NOMATCH)
flags |= (IPSET_FLAG_NOMATCH << 16); flags |= (IPSET_FLAG_NOMATCH << 16);
} }
@ -264,8 +256,9 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
swap(ip, ip_to); swap(ip, ip_to);
if (unlikely(ip + UINT_MAX == ip_to)) if (unlikely(ip + UINT_MAX == ip_to))
return -IPSET_ERR_HASH_RANGE; return -IPSET_ERR_HASH_RANGE;
} else } else {
ip_set_mask_from_to(ip, ip_to, e.cidr[0]); ip_set_mask_from_to(ip, ip_to, e.cidr[0]);
}
port_to = port = ntohs(e.port); port_to = port = ntohs(e.port);
if (tb[IPSET_ATTR_PORT_TO]) { if (tb[IPSET_ATTR_PORT_TO]) {
@ -283,16 +276,16 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
swap(ip2_from, ip2_to); swap(ip2_from, ip2_to);
if (unlikely(ip2_from + UINT_MAX == ip2_to)) if (unlikely(ip2_from + UINT_MAX == ip2_to))
return -IPSET_ERR_HASH_RANGE; return -IPSET_ERR_HASH_RANGE;
} else } else {
ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[1]); ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[1]);
}
if (retried) if (retried)
ip = ntohl(h->next.ip[0]); ip = ntohl(h->next.ip[0]);
while (!after(ip, ip_to)) { while (!after(ip, ip_to)) {
e.ip[0] = htonl(ip); e.ip[0] = htonl(ip);
ip_last = ip_set_range_to_cidr(ip, ip_to, &cidr); ip_last = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
e.cidr[0] = cidr;
p = retried && ip == ntohl(h->next.ip[0]) ? ntohs(h->next.port) p = retried && ip == ntohl(h->next.ip[0]) ? ntohs(h->next.port)
: port; : port;
for (; p <= port_to; p++) { for (; p <= port_to; p++) {
@ -303,13 +296,12 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
while (!after(ip2, ip2_to)) { while (!after(ip2, ip2_to)) {
e.ip[1] = htonl(ip2); e.ip[1] = htonl(ip2);
ip2_last = ip_set_range_to_cidr(ip2, ip2_to, ip2_last = ip_set_range_to_cidr(ip2, ip2_to,
&cidr2); &e.cidr[1]);
e.cidr[1] = cidr2;
ret = adtfn(set, &e, &ext, &ext, flags); ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
ip2 = ip2_last + 1; ip2 = ip2_last + 1;
} }
} }
@ -336,8 +328,8 @@ struct hash_netportnet6_elem {
static inline bool static inline bool
hash_netportnet6_data_equal(const struct hash_netportnet6_elem *ip1, hash_netportnet6_data_equal(const struct hash_netportnet6_elem *ip1,
const struct hash_netportnet6_elem *ip2, const struct hash_netportnet6_elem *ip2,
u32 *multi) u32 *multi)
{ {
return ipv6_addr_equal(&ip1->ip[0].in6, &ip2->ip[0].in6) && return ipv6_addr_equal(&ip1->ip[0].in6, &ip2->ip[0].in6) &&
ipv6_addr_equal(&ip1->ip[1].in6, &ip2->ip[1].in6) && ipv6_addr_equal(&ip1->ip[1].in6, &ip2->ip[1].in6) &&
@ -366,7 +358,7 @@ hash_netportnet6_data_reset_flags(struct hash_netportnet6_elem *elem, u8 *flags)
static inline void static inline void
hash_netportnet6_data_reset_elem(struct hash_netportnet6_elem *elem, hash_netportnet6_data_reset_elem(struct hash_netportnet6_elem *elem,
struct hash_netportnet6_elem *orig) struct hash_netportnet6_elem *orig)
{ {
elem->ip[1] = orig->ip[1]; elem->ip[1] = orig->ip[1];
} }
@ -386,7 +378,7 @@ hash_netportnet6_data_netmask(struct hash_netportnet6_elem *elem,
static bool static bool
hash_netportnet6_data_list(struct sk_buff *skb, hash_netportnet6_data_list(struct sk_buff *skb,
const struct hash_netportnet6_elem *data) const struct hash_netportnet6_elem *data)
{ {
u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0; u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
@ -407,7 +399,7 @@ nla_put_failure:
static inline void static inline void
hash_netportnet6_data_next(struct hash_netportnet4_elem *next, hash_netportnet6_data_next(struct hash_netportnet4_elem *next,
const struct hash_netportnet6_elem *d) const struct hash_netportnet6_elem *d)
{ {
next->port = d->port; next->port = d->port;
} }
@ -422,16 +414,16 @@ hash_netportnet6_data_next(struct hash_netportnet4_elem *next,
static int static int
hash_netportnet6_kadt(struct ip_set *set, const struct sk_buff *skb, hash_netportnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
const struct xt_action_param *par, const struct xt_action_param *par,
enum ipset_adt adt, struct ip_set_adt_opt *opt) enum ipset_adt adt, struct ip_set_adt_opt *opt)
{ {
const struct hash_netportnet *h = set->data; const struct hash_netportnet *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netportnet6_elem e = { }; struct hash_netportnet6_elem e = { };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
e.cidr[0] = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK); e.cidr[0] = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK);
e.cidr[1] = IP_SET_INIT_CIDR(h->nets[0].cidr[1], HOST_MASK); e.cidr[1] = INIT_CIDR(h->nets[0].cidr[1], HOST_MASK);
if (adt == IPSET_TEST) if (adt == IPSET_TEST)
e.ccmp = (HOST_MASK << (sizeof(u8) * 8)) | HOST_MASK; e.ccmp = (HOST_MASK << (sizeof(u8) * 8)) | HOST_MASK;
@ -449,34 +441,27 @@ hash_netportnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
static int static int
hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[], hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{ {
const struct hash_netportnet *h = set->data; const struct hash_netportnet *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt]; ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netportnet6_elem e = { }; struct hash_netportnet6_elem e = { .cidr = { HOST_MASK, HOST_MASK, }, };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set); struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
u32 port, port_to; u32 port, port_to;
bool with_ports = false; bool with_ports = false;
int ret; int ret;
e.cidr[0] = e.cidr[1] = HOST_MASK; if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) || !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL; return -IPSET_ERR_PROTOCOL;
if (unlikely(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_IP2_TO])) if (unlikely(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_IP2_TO]))
return -IPSET_ERR_HASH_RANGE_UNSUPPORTED; return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]); ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]);
if (ret) if (ret)
return ret; return ret;
@ -489,15 +474,17 @@ hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret) if (ret)
return ret; return ret;
if (tb[IPSET_ATTR_CIDR]) if (tb[IPSET_ATTR_CIDR]) {
e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]); e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
if (tb[IPSET_ATTR_CIDR2]) if (tb[IPSET_ATTR_CIDR2]) {
e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]); e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
if (unlikely(!e.cidr[0] || e.cidr[0] > HOST_MASK || !e.cidr[1] || return -IPSET_ERR_INVALID_CIDR;
e.cidr[1] > HOST_MASK)) }
return -IPSET_ERR_INVALID_CIDR;
ip6_netmask(&e.ip[0], e.cidr[0]); ip6_netmask(&e.ip[0], e.cidr[0]);
ip6_netmask(&e.ip[1], e.cidr[1]); ip6_netmask(&e.ip[1], e.cidr[1]);
@ -510,14 +497,16 @@ hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
if (e.proto == 0) if (e.proto == 0)
return -IPSET_ERR_INVALID_PROTO; return -IPSET_ERR_INVALID_PROTO;
} else } else {
return -IPSET_ERR_MISSING_PROTO; return -IPSET_ERR_MISSING_PROTO;
}
if (!(with_ports || e.proto == IPPROTO_ICMPV6)) if (!(with_ports || e.proto == IPPROTO_ICMPV6))
e.port = 0; e.port = 0;
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
if (cadt_flags & IPSET_FLAG_NOMATCH) if (cadt_flags & IPSET_FLAG_NOMATCH)
flags |= (IPSET_FLAG_NOMATCH << 16); flags |= (IPSET_FLAG_NOMATCH << 16);
} }
@ -541,8 +530,8 @@ hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret && !ip_set_eexist(ret, flags)) if (ret && !ip_set_eexist(ret, flags))
return ret; return ret;
else
ret = 0; ret = 0;
} }
return ret; return ret;
} }
@ -598,6 +587,7 @@ hash_netportnet_init(void)
static void __exit static void __exit
hash_netportnet_fini(void) hash_netportnet_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&hash_netportnet_type); ip_set_type_unregister(&hash_netportnet_type);
} }

417
net/netfilter/ipset/ip_set_list_set.c
View File

@ -9,6 +9,7 @@
#include <linux/module.h> #include <linux/module.h>
#include <linux/ip.h> #include <linux/ip.h>
#include <linux/rculist.h>
#include <linux/skbuff.h> #include <linux/skbuff.h>
#include <linux/errno.h> #include <linux/errno.h>
@ -27,6 +28,8 @@ MODULE_ALIAS("ip_set_list:set");
/* Member elements */ /* Member elements */
struct set_elem { struct set_elem {
struct rcu_head rcu;
struct list_head list;
ip_set_id_t id; ip_set_id_t id;
}; };
@ -41,12 +44,9 @@ struct list_set {
u32 size; /* size of set list array */ u32 size; /* size of set list array */
struct timer_list gc; /* garbage collection */ struct timer_list gc; /* garbage collection */
struct net *net; /* namespace */ struct net *net; /* namespace */
struct set_elem members[0]; /* the set members */ struct list_head members; /* the set members */
}; };
#define list_set_elem(set, map, id) \
(struct set_elem *)((void *)(map)->members + (id) * (set)->dsize)
static int static int
list_set_ktest(struct ip_set *set, const struct sk_buff *skb, list_set_ktest(struct ip_set *set, const struct sk_buff *skb,
const struct xt_action_param *par, const struct xt_action_param *par,
@ -54,17 +54,14 @@ list_set_ktest(struct ip_set *set, const struct sk_buff *skb,
{ {
struct list_set *map = set->data; struct list_set *map = set->data;
struct set_elem *e; struct set_elem *e;
u32 i, cmdflags = opt->cmdflags; u32 cmdflags = opt->cmdflags;
int ret; int ret;
/* Don't lookup sub-counters at all */ /* Don't lookup sub-counters at all */
opt->cmdflags &= ~IPSET_FLAG_MATCH_COUNTERS; opt->cmdflags &= ~IPSET_FLAG_MATCH_COUNTERS;
if (opt->cmdflags & IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE) if (opt->cmdflags & IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE)
opt->cmdflags &= ~IPSET_FLAG_SKIP_COUNTER_UPDATE; opt->cmdflags &= ~IPSET_FLAG_SKIP_COUNTER_UPDATE;
for (i = 0; i < map->size; i++) { list_for_each_entry_rcu(e, &map->members, list) {
e = list_set_elem(set, map, i);
if (e->id == IPSET_INVALID_ID)
return 0;
if (SET_WITH_TIMEOUT(set) && if (SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(e, set))) ip_set_timeout_expired(ext_timeout(e, set)))
continue; continue;
@ -91,13 +88,9 @@ list_set_kadd(struct ip_set *set, const struct sk_buff *skb,
{ {
struct list_set *map = set->data; struct list_set *map = set->data;
struct set_elem *e; struct set_elem *e;
u32 i;
int ret; int ret;
for (i = 0; i < map->size; i++) { list_for_each_entry(e, &map->members, list) {
e = list_set_elem(set, map, i);
if (e->id == IPSET_INVALID_ID)
return 0;
if (SET_WITH_TIMEOUT(set) && if (SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(e, set))) ip_set_timeout_expired(ext_timeout(e, set)))
continue; continue;
@ -115,13 +108,9 @@ list_set_kdel(struct ip_set *set, const struct sk_buff *skb,
{ {
struct list_set *map = set->data; struct list_set *map = set->data;
struct set_elem *e; struct set_elem *e;
u32 i;
int ret; int ret;
for (i = 0; i < map->size; i++) { list_for_each_entry(e, &map->members, list) {
e = list_set_elem(set, map, i);
if (e->id == IPSET_INVALID_ID)
return 0;
if (SET_WITH_TIMEOUT(set) && if (SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(e, set))) ip_set_timeout_expired(ext_timeout(e, set)))
continue; continue;
@ -138,110 +127,65 @@ list_set_kadt(struct ip_set *set, const struct sk_buff *skb,
enum ipset_adt adt, struct ip_set_adt_opt *opt) enum ipset_adt adt, struct ip_set_adt_opt *opt)
{ {
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
int ret = -EINVAL;
rcu_read_lock();
switch (adt) { switch (adt) {
case IPSET_TEST: case IPSET_TEST:
return list_set_ktest(set, skb, par, opt, &ext); ret = list_set_ktest(set, skb, par, opt, &ext);
break;
case IPSET_ADD: case IPSET_ADD:
return list_set_kadd(set, skb, par, opt, &ext); ret = list_set_kadd(set, skb, par, opt, &ext);
break;
case IPSET_DEL: case IPSET_DEL:
return list_set_kdel(set, skb, par, opt, &ext); ret = list_set_kdel(set, skb, par, opt, &ext);
break;
default: default:
break; break;
} }
return -EINVAL; rcu_read_unlock();
return ret;
} }
static bool /* Userspace interfaces: we are protected by the nfnl mutex */
id_eq(const struct ip_set *set, u32 i, ip_set_id_t id)
{
const struct list_set *map = set->data;
const struct set_elem *e;
if (i >= map->size) static void
return 0; __list_set_del(struct ip_set *set, struct set_elem *e)
e = list_set_elem(set, map, i);
return !!(e->id == id &&
!(SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(e, set))));
}
static int
list_set_add(struct ip_set *set, u32 i, struct set_adt_elem *d,
const struct ip_set_ext *ext)
{ {
struct list_set *map = set->data; struct list_set *map = set->data;
struct set_elem *e = list_set_elem(set, map, i);
if (e->id != IPSET_INVALID_ID) {
if (i == map->size - 1) {
/* Last element replaced: e.g. add new,before,last */
ip_set_put_byindex(map->net, e->id);
ip_set_ext_destroy(set, e);
} else {
struct set_elem *x = list_set_elem(set, map,
map->size - 1);
/* Last element pushed off */
if (x->id != IPSET_INVALID_ID) {
ip_set_put_byindex(map->net, x->id);
ip_set_ext_destroy(set, x);
}
memmove(list_set_elem(set, map, i + 1), e,
set->dsize * (map->size - (i + 1)));
/* Extensions must be initialized to zero */
memset(e, 0, set->dsize);
}
}
e->id = d->id;
if (SET_WITH_TIMEOUT(set))
ip_set_timeout_set(ext_timeout(e, set), ext->timeout);
if (SET_WITH_COUNTER(set))
ip_set_init_counter(ext_counter(e, set), ext);
if (SET_WITH_COMMENT(set))
ip_set_init_comment(ext_comment(e, set), ext);
if (SET_WITH_SKBINFO(set))
ip_set_init_skbinfo(ext_skbinfo(e, set), ext);
return 0;
}
static int
list_set_del(struct ip_set *set, u32 i)
{
struct list_set *map = set->data;
struct set_elem *e = list_set_elem(set, map, i);
ip_set_put_byindex(map->net, e->id); ip_set_put_byindex(map->net, e->id);
/* We may call it, because we don't have a to be destroyed
* extension which is used by the kernel.
*/
ip_set_ext_destroy(set, e); ip_set_ext_destroy(set, e);
kfree_rcu(e, rcu);
}
if (i < map->size - 1) static inline void
memmove(e, list_set_elem(set, map, i + 1), list_set_del(struct ip_set *set, struct set_elem *e)
set->dsize * (map->size - (i + 1))); {
list_del_rcu(&e->list);
__list_set_del(set, e);
}
/* Last element */ static inline void
e = list_set_elem(set, map, map->size - 1); list_set_replace(struct ip_set *set, struct set_elem *e, struct set_elem *old)
e->id = IPSET_INVALID_ID; {
return 0; list_replace_rcu(&old->list, &e->list);
__list_set_del(set, old);
} }
static void static void
set_cleanup_entries(struct ip_set *set) set_cleanup_entries(struct ip_set *set)
{ {
struct list_set *map = set->data; struct list_set *map = set->data;
struct set_elem *e; struct set_elem *e, *n;
u32 i = 0;
while (i < map->size) { list_for_each_entry_safe(e, n, &map->members, list)
e = list_set_elem(set, map, i); if (ip_set_timeout_expired(ext_timeout(e, set)))
if (e->id != IPSET_INVALID_ID && list_set_del(set, e);
ip_set_timeout_expired(ext_timeout(e, set)))
list_set_del(set, i);
/* Check element moved to position i in next loop */
else
i++;
}
} }
static int static int
@ -250,31 +194,46 @@ list_set_utest(struct ip_set *set, void *value, const struct ip_set_ext *ext,
{ {
struct list_set *map = set->data; struct list_set *map = set->data;
struct set_adt_elem *d = value; struct set_adt_elem *d = value;
struct set_elem *e; struct set_elem *e, *next, *prev = NULL;
u32 i;
int ret; int ret;
for (i = 0; i < map->size; i++) { list_for_each_entry(e, &map->members, list) {
e = list_set_elem(set, map, i); if (SET_WITH_TIMEOUT(set) &&
if (e->id == IPSET_INVALID_ID) ip_set_timeout_expired(ext_timeout(e, set)))
return 0;
else if (SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(e, set)))
continue; continue;
else if (e->id != d->id) else if (e->id != d->id) {
prev = e;
continue; continue;
}
if (d->before == 0) if (d->before == 0) {
return 1; ret = 1;
else if (d->before > 0) } else if (d->before > 0) {
ret = id_eq(set, i + 1, d->refid); next = list_next_entry(e, list);
else ret = !list_is_last(&e->list, &map->members) &&
ret = i > 0 && id_eq(set, i - 1, d->refid); next->id == d->refid;
} else {
ret = prev && prev->id == d->refid;
}
return ret; return ret;
} }
return 0; return 0;
} }
static void
list_set_init_extensions(struct ip_set *set, const struct ip_set_ext *ext,
struct set_elem *e)
{
if (SET_WITH_COUNTER(set))
ip_set_init_counter(ext_counter(e, set), ext);
if (SET_WITH_COMMENT(set))
ip_set_init_comment(ext_comment(e, set), ext);
if (SET_WITH_SKBINFO(set))
ip_set_init_skbinfo(ext_skbinfo(e, set), ext);
/* Update timeout last */
if (SET_WITH_TIMEOUT(set))
ip_set_timeout_set(ext_timeout(e, set), ext->timeout);
}
static int static int
list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext, list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext,
@ -282,60 +241,78 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext,
{ {
struct list_set *map = set->data; struct list_set *map = set->data;
struct set_adt_elem *d = value; struct set_adt_elem *d = value;
struct set_elem *e; struct set_elem *e, *n, *prev, *next;
bool flag_exist = flags & IPSET_FLAG_EXIST; bool flag_exist = flags & IPSET_FLAG_EXIST;
u32 i, ret = 0;
if (SET_WITH_TIMEOUT(set)) if (SET_WITH_TIMEOUT(set))
set_cleanup_entries(set); set_cleanup_entries(set);
/* Check already added element */ /* Find where to add the new entry */
for (i = 0; i < map->size; i++) { n = prev = next = NULL;
e = list_set_elem(set, map, i); list_for_each_entry(e, &map->members, list) {
if (e->id == IPSET_INVALID_ID) if (SET_WITH_TIMEOUT(set) &&
goto insert; ip_set_timeout_expired(ext_timeout(e, set)))
else if (e->id != d->id)
continue; continue;
else if (d->id == e->id)
if ((d->before > 1 && !id_eq(set, i + 1, d->refid)) || n = e;
(d->before < 0 && else if (d->before == 0 || e->id != d->refid)
(i == 0 || !id_eq(set, i - 1, d->refid)))) continue;
/* Before/after doesn't match */ else if (d->before > 0)
next = e;
else
prev = e;
}
/* Re-add already existing element */
if (n) {
if ((d->before > 0 && !next) ||
(d->before < 0 && !prev))
return -IPSET_ERR_REF_EXIST; return -IPSET_ERR_REF_EXIST;
if (!flag_exist) if (!flag_exist)
/* Can't re-add */
return -IPSET_ERR_EXIST; return -IPSET_ERR_EXIST;
/* Update extensions */ /* Update extensions */
ip_set_ext_destroy(set, e); ip_set_ext_destroy(set, n);
list_set_init_extensions(set, ext, n);
if (SET_WITH_TIMEOUT(set))
ip_set_timeout_set(ext_timeout(e, set), ext->timeout);
if (SET_WITH_COUNTER(set))
ip_set_init_counter(ext_counter(e, set), ext);
if (SET_WITH_COMMENT(set))
ip_set_init_comment(ext_comment(e, set), ext);
if (SET_WITH_SKBINFO(set))
ip_set_init_skbinfo(ext_skbinfo(e, set), ext);
/* Set is already added to the list */ /* Set is already added to the list */
ip_set_put_byindex(map->net, d->id); ip_set_put_byindex(map->net, d->id);
return 0; return 0;
} }
insert: /* Add new entry */
ret = -IPSET_ERR_LIST_FULL; if (d->before == 0) {
for (i = 0; i < map->size && ret == -IPSET_ERR_LIST_FULL; i++) { /* Append */
e = list_set_elem(set, map, i); n = list_empty(&map->members) ? NULL :
if (e->id == IPSET_INVALID_ID) list_last_entry(&map->members, struct set_elem, list);
ret = d->before != 0 ? -IPSET_ERR_REF_EXIST } else if (d->before > 0) {
: list_set_add(set, i, d, ext); /* Insert after next element */
else if (e->id != d->refid) if (!list_is_last(&next->list, &map->members))
continue; n = list_next_entry(next, list);
else if (d->before > 0) } else {
ret = list_set_add(set, i, d, ext); /* Insert before prev element */
else if (i + 1 < map->size) if (prev->list.prev != &map->members)
ret = list_set_add(set, i + 1, d, ext); n = list_prev_entry(prev, list);
} }
/* Can we replace a timed out entry? */
if (n &&
!(SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(n, set))))
n = NULL;
return ret; e = kzalloc(set->dsize, GFP_KERNEL);
if (!e)
return -ENOMEM;
e->id = d->id;
INIT_LIST_HEAD(&e->list);
list_set_init_extensions(set, ext, e);
if (n)
list_set_replace(set, e, n);
else if (next)
list_add_tail_rcu(&e->list, &next->list);
else if (prev)
list_add_rcu(&e->list, &prev->list);
else
list_add_tail_rcu(&e->list, &map->members);
return 0;
} }
static int static int
@ -344,32 +321,30 @@ list_set_udel(struct ip_set *set, void *value, const struct ip_set_ext *ext,
{ {
struct list_set *map = set->data; struct list_set *map = set->data;
struct set_adt_elem *d = value; struct set_adt_elem *d = value;
struct set_elem *e; struct set_elem *e, *next, *prev = NULL;
u32 i;
for (i = 0; i < map->size; i++) { list_for_each_entry(e, &map->members, list) {
e = list_set_elem(set, map, i); if (SET_WITH_TIMEOUT(set) &&
if (e->id == IPSET_INVALID_ID) ip_set_timeout_expired(ext_timeout(e, set)))
return d->before != 0 ? -IPSET_ERR_REF_EXIST
: -IPSET_ERR_EXIST;
else if (SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(e, set)))
continue; continue;
else if (e->id != d->id) else if (e->id != d->id) {
prev = e;
continue; continue;
}
if (d->before == 0) if (d->before > 0) {
return list_set_del(set, i); next = list_next_entry(e, list);
else if (d->before > 0) { if (list_is_last(&e->list, &map->members) ||
if (!id_eq(set, i + 1, d->refid)) next->id != d->refid)
return -IPSET_ERR_REF_EXIST; return -IPSET_ERR_REF_EXIST;
return list_set_del(set, i); } else if (d->before < 0) {
} else if (i == 0 || !id_eq(set, i - 1, d->refid)) if (!prev || prev->id != d->refid)
return -IPSET_ERR_REF_EXIST; return -IPSET_ERR_REF_EXIST;
else }
return list_set_del(set, i); list_set_del(set, e);
return 0;
} }
return -IPSET_ERR_EXIST; return d->before != 0 ? -IPSET_ERR_REF_EXIST : -IPSET_ERR_EXIST;
} }
static int static int
@ -383,19 +358,13 @@ list_set_uadt(struct ip_set *set, struct nlattr *tb[],
struct ip_set *s; struct ip_set *s;
int ret = 0; int ret = 0;
if (unlikely(!tb[IPSET_ATTR_NAME] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
return -IPSET_ERR_PROTOCOL;
if (tb[IPSET_ATTR_LINENO]) if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
if (unlikely(!tb[IPSET_ATTR_NAME] ||
!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
return -IPSET_ERR_PROTOCOL;
ret = ip_set_get_extensions(set, tb, &ext); ret = ip_set_get_extensions(set, tb, &ext);
if (ret) if (ret)
return ret; return ret;
@ -410,6 +379,7 @@ list_set_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_CADT_FLAGS]) { if (tb[IPSET_ATTR_CADT_FLAGS]) {
u32 f = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); u32 f = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
e.before = f & IPSET_FLAG_BEFORE; e.before = f & IPSET_FLAG_BEFORE;
} }
@ -447,27 +417,26 @@ static void
list_set_flush(struct ip_set *set) list_set_flush(struct ip_set *set)
{ {
struct list_set *map = set->data; struct list_set *map = set->data;
struct set_elem *e; struct set_elem *e, *n;
u32 i;
for (i = 0; i < map->size; i++) { list_for_each_entry_safe(e, n, &map->members, list)
e = list_set_elem(set, map, i); list_set_del(set, e);
if (e->id != IPSET_INVALID_ID) {
ip_set_put_byindex(map->net, e->id);
ip_set_ext_destroy(set, e);
e->id = IPSET_INVALID_ID;
}
}
} }
static void static void
list_set_destroy(struct ip_set *set) list_set_destroy(struct ip_set *set)
{ {
struct list_set *map = set->data; struct list_set *map = set->data;
struct set_elem *e, *n;
if (SET_WITH_TIMEOUT(set)) if (SET_WITH_TIMEOUT(set))
del_timer_sync(&map->gc); del_timer_sync(&map->gc);
list_set_flush(set); list_for_each_entry_safe(e, n, &map->members, list) {
list_del(&e->list);
ip_set_put_byindex(map->net, e->id);
ip_set_ext_destroy(set, e);
kfree(e);
}
kfree(map); kfree(map);
set->data = NULL; set->data = NULL;
@ -478,6 +447,11 @@ list_set_head(struct ip_set *set, struct sk_buff *skb)
{ {
const struct list_set *map = set->data; const struct list_set *map = set->data;
struct nlattr *nested; struct nlattr *nested;
struct set_elem *e;
u32 n = 0;
list_for_each_entry(e, &map->members, list)
n++;
nested = ipset_nest_start(skb, IPSET_ATTR_DATA); nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
if (!nested) if (!nested)
@ -485,7 +459,7 @@ list_set_head(struct ip_set *set, struct sk_buff *skb)
if (nla_put_net32(skb, IPSET_ATTR_SIZE, htonl(map->size)) || if (nla_put_net32(skb, IPSET_ATTR_SIZE, htonl(map->size)) ||
nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) || nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
nla_put_net32(skb, IPSET_ATTR_MEMSIZE, nla_put_net32(skb, IPSET_ATTR_MEMSIZE,
htonl(sizeof(*map) + map->size * set->dsize))) htonl(sizeof(*map) + n * set->dsize)))
goto nla_put_failure; goto nla_put_failure;
if (unlikely(ip_set_put_flags(skb, set))) if (unlikely(ip_set_put_flags(skb, set)))
goto nla_put_failure; goto nla_put_failure;
@ -502,18 +476,22 @@ list_set_list(const struct ip_set *set,
{ {
const struct list_set *map = set->data; const struct list_set *map = set->data;
struct nlattr *atd, *nested; struct nlattr *atd, *nested;
u32 i, first = cb->args[IPSET_CB_ARG0]; u32 i = 0, first = cb->args[IPSET_CB_ARG0];
const struct set_elem *e; struct set_elem *e;
int ret = 0;
atd = ipset_nest_start(skb, IPSET_ATTR_ADT); atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
if (!atd) if (!atd)
return -EMSGSIZE; return -EMSGSIZE;
for (; cb->args[IPSET_CB_ARG0] < map->size; list_for_each_entry(e, &map->members, list) {
cb->args[IPSET_CB_ARG0]++) { if (i == first)
i = cb->args[IPSET_CB_ARG0]; break;
e = list_set_elem(set, map, i); i++;
if (e->id == IPSET_INVALID_ID) }
goto finish;
rcu_read_lock();
list_for_each_entry_from(e, &map->members, list) {
i++;
if (SET_WITH_TIMEOUT(set) && if (SET_WITH_TIMEOUT(set) &&
ip_set_timeout_expired(ext_timeout(e, set))) ip_set_timeout_expired(ext_timeout(e, set)))
continue; continue;
@ -521,9 +499,10 @@ list_set_list(const struct ip_set *set,
if (!nested) { if (!nested) {
if (i == first) { if (i == first) {
nla_nest_cancel(skb, atd); nla_nest_cancel(skb, atd);
return -EMSGSIZE; ret = -EMSGSIZE;
} else goto out;
goto nla_put_failure; }
goto nla_put_failure;
} }
if (nla_put_string(skb, IPSET_ATTR_NAME, if (nla_put_string(skb, IPSET_ATTR_NAME,
ip_set_name_byindex(map->net, e->id))) ip_set_name_byindex(map->net, e->id)))
@ -532,20 +511,23 @@ list_set_list(const struct ip_set *set,
goto nla_put_failure; goto nla_put_failure;
ipset_nest_end(skb, nested); ipset_nest_end(skb, nested);
} }
finish:
ipset_nest_end(skb, atd); ipset_nest_end(skb, atd);
/* Set listing finished */ /* Set listing finished */
cb->args[IPSET_CB_ARG0] = 0; cb->args[IPSET_CB_ARG0] = 0;
return 0; goto out;
nla_put_failure: nla_put_failure:
nla_nest_cancel(skb, nested); nla_nest_cancel(skb, nested);
if (unlikely(i == first)) { if (unlikely(i == first)) {
cb->args[IPSET_CB_ARG0] = 0; cb->args[IPSET_CB_ARG0] = 0;
return -EMSGSIZE; ret = -EMSGSIZE;
} }
cb->args[IPSET_CB_ARG0] = i - 1;
ipset_nest_end(skb, atd); ipset_nest_end(skb, atd);
return 0; out:
rcu_read_unlock();
return ret;
} }
static bool static bool
@ -577,12 +559,12 @@ static const struct ip_set_type_variant set_variant = {
static void static void
list_set_gc(unsigned long ul_set) list_set_gc(unsigned long ul_set)
{ {
struct ip_set *set = (struct ip_set *) ul_set; struct ip_set *set = (struct ip_set *)ul_set;
struct list_set *map = set->data; struct list_set *map = set->data;
write_lock_bh(&set->lock); spin_lock_bh(&set->lock);
set_cleanup_entries(set); set_cleanup_entries(set);
write_unlock_bh(&set->lock); spin_unlock_bh(&set->lock);
map->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ; map->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ;
add_timer(&map->gc); add_timer(&map->gc);
@ -594,7 +576,7 @@ list_set_gc_init(struct ip_set *set, void (*gc)(unsigned long ul_set))
struct list_set *map = set->data; struct list_set *map = set->data;
init_timer(&map->gc); init_timer(&map->gc);
map->gc.data = (unsigned long) set; map->gc.data = (unsigned long)set;
map->gc.function = gc; map->gc.function = gc;
map->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ; map->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ;
add_timer(&map->gc); add_timer(&map->gc);
@ -606,24 +588,16 @@ static bool
init_list_set(struct net *net, struct ip_set *set, u32 size) init_list_set(struct net *net, struct ip_set *set, u32 size)
{ {
struct list_set *map; struct list_set *map;
struct set_elem *e;
u32 i;
map = kzalloc(sizeof(*map) + map = kzalloc(sizeof(*map), GFP_KERNEL);
min_t(u32, size, IP_SET_LIST_MAX_SIZE) * set->dsize,
GFP_KERNEL);
if (!map) if (!map)
return false; return false;
map->size = size; map->size = size;
map->net = net; map->net = net;
INIT_LIST_HEAD(&map->members);
set->data = map; set->data = map;
for (i = 0; i < size; i++) {
e = list_set_elem(set, map, i);
e->id = IPSET_INVALID_ID;
}
return true; return true;
} }
@ -696,6 +670,7 @@ list_set_init(void)
static void __exit static void __exit
list_set_fini(void) list_set_fini(void)
{ {
rcu_barrier();
ip_set_type_unregister(&list_set_type); ip_set_type_unregister(&list_set_type);
} }

16
net/netfilter/ipset/pfxlen.c
View File

@ -1,9 +1,7 @@
#include <linux/export.h> #include <linux/export.h>
#include <linux/netfilter/ipset/pfxlen.h> #include <linux/netfilter/ipset/pfxlen.h>
/* /* Prefixlen maps for fast conversions, by Jan Engelhardt. */
* Prefixlen maps for fast conversions, by Jan Engelhardt.
*/
#define E(a, b, c, d) \ #define E(a, b, c, d) \
{.ip6 = { \ {.ip6 = { \
@ -11,8 +9,7 @@
htonl(c), htonl(d), \ htonl(c), htonl(d), \
} } } }
/* /* This table works for both IPv4 and IPv6;
* This table works for both IPv4 and IPv6;
* just use prefixlen_netmask_map[prefixlength].ip. * just use prefixlen_netmask_map[prefixlength].ip.
*/ */
const union nf_inet_addr ip_set_netmask_map[] = { const union nf_inet_addr ip_set_netmask_map[] = {
@ -149,13 +146,12 @@ const union nf_inet_addr ip_set_netmask_map[] = {
EXPORT_SYMBOL_GPL(ip_set_netmask_map); EXPORT_SYMBOL_GPL(ip_set_netmask_map);
#undef E #undef E
#define E(a, b, c, d) \ #define E(a, b, c, d) \
{.ip6 = { (__force __be32) a, (__force __be32) b, \ {.ip6 = { (__force __be32)a, (__force __be32)b, \
(__force __be32) c, (__force __be32) d, \ (__force __be32)c, (__force __be32)d, \
} } } }
/* /* This table works for both IPv4 and IPv6;
* This table works for both IPv4 and IPv6;
* just use prefixlen_hostmask_map[prefixlength].ip. * just use prefixlen_hostmask_map[prefixlength].ip.
*/ */
const union nf_inet_addr ip_set_hostmask_map[] = { const union nf_inet_addr ip_set_hostmask_map[] = {

44
net/netfilter/xt_set.c
View File

@ -9,7 +9,8 @@
*/ */
/* Kernel module which implements the set match and SET target /* Kernel module which implements the set match and SET target
* for netfilter/iptables. */ * for netfilter/iptables.
*/
#include <linux/module.h> #include <linux/module.h>
#include <linux/skbuff.h> #include <linux/skbuff.h>
@ -53,6 +54,7 @@ static bool
set_match_v0(const struct sk_buff *skb, struct xt_action_param *par) set_match_v0(const struct sk_buff *skb, struct xt_action_param *par)
{ {
const struct xt_set_info_match_v0 *info = par->matchinfo; const struct xt_set_info_match_v0 *info = par->matchinfo;
ADT_OPT(opt, par->family, info->match_set.u.compat.dim, ADT_OPT(opt, par->family, info->match_set.u.compat.dim,
info->match_set.u.compat.flags, 0, UINT_MAX); info->match_set.u.compat.flags, 0, UINT_MAX);
@ -69,10 +71,10 @@ compat_flags(struct xt_set_info_v0 *info)
info->u.compat.dim = IPSET_DIM_ZERO; info->u.compat.dim = IPSET_DIM_ZERO;
if (info->u.flags[0] & IPSET_MATCH_INV) if (info->u.flags[0] & IPSET_MATCH_INV)
info->u.compat.flags |= IPSET_INV_MATCH; info->u.compat.flags |= IPSET_INV_MATCH;
for (i = 0; i < IPSET_DIM_MAX-1 && info->u.flags[i]; i++) { for (i = 0; i < IPSET_DIM_MAX - 1 && info->u.flags[i]; i++) {
info->u.compat.dim++; info->u.compat.dim++;
if (info->u.flags[i] & IPSET_SRC) if (info->u.flags[i] & IPSET_SRC)
info->u.compat.flags |= (1<<info->u.compat.dim); info->u.compat.flags |= (1 << info->u.compat.dim);
} }
} }
@ -89,7 +91,7 @@ set_match_v0_checkentry(const struct xt_mtchk_param *par)
info->match_set.index); info->match_set.index);
return -ENOENT; return -ENOENT;
} }
if (info->match_set.u.flags[IPSET_DIM_MAX-1] != 0) { if (info->match_set.u.flags[IPSET_DIM_MAX - 1] != 0) {
pr_warn("Protocol error: set match dimension is over the limit!\n"); pr_warn("Protocol error: set match dimension is over the limit!\n");
ip_set_nfnl_put(par->net, info->match_set.index); ip_set_nfnl_put(par->net, info->match_set.index);
return -ERANGE; return -ERANGE;
@ -115,6 +117,7 @@ static bool
set_match_v1(const struct sk_buff *skb, struct xt_action_param *par) set_match_v1(const struct sk_buff *skb, struct xt_action_param *par)
{ {
const struct xt_set_info_match_v1 *info = par->matchinfo; const struct xt_set_info_match_v1 *info = par->matchinfo;
ADT_OPT(opt, par->family, info->match_set.dim, ADT_OPT(opt, par->family, info->match_set.dim,
info->match_set.flags, 0, UINT_MAX); info->match_set.flags, 0, UINT_MAX);
@ -179,9 +182,10 @@ static bool
set_match_v3(const struct sk_buff *skb, struct xt_action_param *par) set_match_v3(const struct sk_buff *skb, struct xt_action_param *par)
{ {
const struct xt_set_info_match_v3 *info = par->matchinfo; const struct xt_set_info_match_v3 *info = par->matchinfo;
int ret;
ADT_OPT(opt, par->family, info->match_set.dim, ADT_OPT(opt, par->family, info->match_set.dim,
info->match_set.flags, info->flags, UINT_MAX); info->match_set.flags, info->flags, UINT_MAX);
int ret;
if (info->packets.op != IPSET_COUNTER_NONE || if (info->packets.op != IPSET_COUNTER_NONE ||
info->bytes.op != IPSET_COUNTER_NONE) info->bytes.op != IPSET_COUNTER_NONE)
@ -225,9 +229,10 @@ static bool
set_match_v4(const struct sk_buff *skb, struct xt_action_param *par) set_match_v4(const struct sk_buff *skb, struct xt_action_param *par)
{ {
const struct xt_set_info_match_v4 *info = par->matchinfo; const struct xt_set_info_match_v4 *info = par->matchinfo;
int ret;
ADT_OPT(opt, par->family, info->match_set.dim, ADT_OPT(opt, par->family, info->match_set.dim,
info->match_set.flags, info->flags, UINT_MAX); info->match_set.flags, info->flags, UINT_MAX);
int ret;
if (info->packets.op != IPSET_COUNTER_NONE || if (info->packets.op != IPSET_COUNTER_NONE ||
info->bytes.op != IPSET_COUNTER_NONE) info->bytes.op != IPSET_COUNTER_NONE)
@ -253,6 +258,7 @@ static unsigned int
set_target_v0(struct sk_buff *skb, const struct xt_action_param *par) set_target_v0(struct sk_buff *skb, const struct xt_action_param *par)
{ {
const struct xt_set_info_target_v0 *info = par->targinfo; const struct xt_set_info_target_v0 *info = par->targinfo;
ADT_OPT(add_opt, par->family, info->add_set.u.compat.dim, ADT_OPT(add_opt, par->family, info->add_set.u.compat.dim,
info->add_set.u.compat.flags, 0, UINT_MAX); info->add_set.u.compat.flags, 0, UINT_MAX);
ADT_OPT(del_opt, par->family, info->del_set.u.compat.dim, ADT_OPT(del_opt, par->family, info->del_set.u.compat.dim,
@ -291,8 +297,8 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
return -ENOENT; return -ENOENT;
} }
} }
if (info->add_set.u.flags[IPSET_DIM_MAX-1] != 0 || if (info->add_set.u.flags[IPSET_DIM_MAX - 1] != 0 ||
info->del_set.u.flags[IPSET_DIM_MAX-1] != 0) { info->del_set.u.flags[IPSET_DIM_MAX - 1] != 0) {
pr_warn("Protocol error: SET target dimension is over the limit!\n"); pr_warn("Protocol error: SET target dimension is over the limit!\n");
if (info->add_set.index != IPSET_INVALID_ID) if (info->add_set.index != IPSET_INVALID_ID)
ip_set_nfnl_put(par->net, info->add_set.index); ip_set_nfnl_put(par->net, info->add_set.index);
@ -325,6 +331,7 @@ static unsigned int
set_target_v1(struct sk_buff *skb, const struct xt_action_param *par) set_target_v1(struct sk_buff *skb, const struct xt_action_param *par)
{ {
const struct xt_set_info_target_v1 *info = par->targinfo; const struct xt_set_info_target_v1 *info = par->targinfo;
ADT_OPT(add_opt, par->family, info->add_set.dim, ADT_OPT(add_opt, par->family, info->add_set.dim,
info->add_set.flags, 0, UINT_MAX); info->add_set.flags, 0, UINT_MAX);
ADT_OPT(del_opt, par->family, info->del_set.dim, ADT_OPT(del_opt, par->family, info->del_set.dim,
@ -393,6 +400,7 @@ static unsigned int
set_target_v2(struct sk_buff *skb, const struct xt_action_param *par) set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
{ {
const struct xt_set_info_target_v2 *info = par->targinfo; const struct xt_set_info_target_v2 *info = par->targinfo;
ADT_OPT(add_opt, par->family, info->add_set.dim, ADT_OPT(add_opt, par->family, info->add_set.dim,
info->add_set.flags, info->flags, info->timeout); info->add_set.flags, info->flags, info->timeout);
ADT_OPT(del_opt, par->family, info->del_set.dim, ADT_OPT(del_opt, par->family, info->del_set.dim,
@ -400,8 +408,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
/* Normalize to fit into jiffies */ /* Normalize to fit into jiffies */
if (add_opt.ext.timeout != IPSET_NO_TIMEOUT && if (add_opt.ext.timeout != IPSET_NO_TIMEOUT &&
add_opt.ext.timeout > UINT_MAX/MSEC_PER_SEC) add_opt.ext.timeout > UINT_MAX / MSEC_PER_SEC)
add_opt.ext.timeout = UINT_MAX/MSEC_PER_SEC; add_opt.ext.timeout = UINT_MAX / MSEC_PER_SEC;
if (info->add_set.index != IPSET_INVALID_ID) if (info->add_set.index != IPSET_INVALID_ID)
ip_set_add(info->add_set.index, skb, par, &add_opt); ip_set_add(info->add_set.index, skb, par, &add_opt);
if (info->del_set.index != IPSET_INVALID_ID) if (info->del_set.index != IPSET_INVALID_ID)
@ -419,6 +427,8 @@ static unsigned int
set_target_v3(struct sk_buff *skb, const struct xt_action_param *par) set_target_v3(struct sk_buff *skb, const struct xt_action_param *par)
{ {
const struct xt_set_info_target_v3 *info = par->targinfo; const struct xt_set_info_target_v3 *info = par->targinfo;
int ret;
ADT_OPT(add_opt, par->family, info->add_set.dim, ADT_OPT(add_opt, par->family, info->add_set.dim,
info->add_set.flags, info->flags, info->timeout); info->add_set.flags, info->flags, info->timeout);
ADT_OPT(del_opt, par->family, info->del_set.dim, ADT_OPT(del_opt, par->family, info->del_set.dim,
@ -426,12 +436,10 @@ set_target_v3(struct sk_buff *skb, const struct xt_action_param *par)
ADT_OPT(map_opt, par->family, info->map_set.dim, ADT_OPT(map_opt, par->family, info->map_set.dim,
info->map_set.flags, 0, UINT_MAX); info->map_set.flags, 0, UINT_MAX);
int ret;
/* Normalize to fit into jiffies */ /* Normalize to fit into jiffies */
if (add_opt.ext.timeout != IPSET_NO_TIMEOUT && if (add_opt.ext.timeout != IPSET_NO_TIMEOUT &&
add_opt.ext.timeout > UINT_MAX/MSEC_PER_SEC) add_opt.ext.timeout > UINT_MAX / MSEC_PER_SEC)
add_opt.ext.timeout = UINT_MAX/MSEC_PER_SEC; add_opt.ext.timeout = UINT_MAX / MSEC_PER_SEC;
if (info->add_set.index != IPSET_INVALID_ID) if (info->add_set.index != IPSET_INVALID_ID)
ip_set_add(info->add_set.index, skb, par, &add_opt); ip_set_add(info->add_set.index, skb, par, &add_opt);
if (info->del_set.index != IPSET_INVALID_ID) if (info->del_set.index != IPSET_INVALID_ID)
@ -457,7 +465,6 @@ set_target_v3(struct sk_buff *skb, const struct xt_action_param *par)
return XT_CONTINUE; return XT_CONTINUE;
} }
static int static int
set_target_v3_checkentry(const struct xt_tgchk_param *par) set_target_v3_checkentry(const struct xt_tgchk_param *par)
{ {
@ -497,8 +504,7 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
!(par->hook_mask & (1 << NF_INET_FORWARD | !(par->hook_mask & (1 << NF_INET_FORWARD |
1 << NF_INET_LOCAL_OUT | 1 << NF_INET_LOCAL_OUT |
1 << NF_INET_POST_ROUTING))) { 1 << NF_INET_POST_ROUTING))) {
pr_warn("mapping of prio or/and queue is allowed only" pr_warn("mapping of prio or/and queue is allowed only from OUTPUT/FORWARD/POSTROUTING chains\n");
"from OUTPUT/FORWARD/POSTROUTING chains\n");
return -EINVAL; return -EINVAL;
} }
index = ip_set_nfnl_get_byindex(par->net, index = ip_set_nfnl_get_byindex(par->net,
@ -519,8 +525,7 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
if (info->add_set.dim > IPSET_DIM_MAX || if (info->add_set.dim > IPSET_DIM_MAX ||
info->del_set.dim > IPSET_DIM_MAX || info->del_set.dim > IPSET_DIM_MAX ||
info->map_set.dim > IPSET_DIM_MAX) { info->map_set.dim > IPSET_DIM_MAX) {
pr_warn("Protocol error: SET target dimension " pr_warn("Protocol error: SET target dimension is over the limit!\n");
"is over the limit!\n");
if (info->add_set.index != IPSET_INVALID_ID) if (info->add_set.index != IPSET_INVALID_ID)
ip_set_nfnl_put(par->net, info->add_set.index); ip_set_nfnl_put(par->net, info->add_set.index);
if (info->del_set.index != IPSET_INVALID_ID) if (info->del_set.index != IPSET_INVALID_ID)
@ -546,7 +551,6 @@ set_target_v3_destroy(const struct xt_tgdtor_param *par)
ip_set_nfnl_put(par->net, info->map_set.index); ip_set_nfnl_put(par->net, info->map_set.index);
} }
static struct xt_match set_matches[] __read_mostly = { static struct xt_match set_matches[] __read_mostly = {
{ {
.name = "set", .name = "set",