projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: ipset: Fix parallel resizing and listing of the same set
[deliverable/linux.git] / net / netfilter / ipset / ip_set_hash_gen.h
CommitLineData
1feab10d
JK		 1/* Copyright (C) 2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License version 2 as
5 * published by the Free Software Foundation.
6 */
7
8#ifndef _IP_SET_HASH_GEN_H
9#define _IP_SET_HASH_GEN_H
10
11#include <linux/rcupdate.h>
12#include <linux/jhash.h>
13#include <linux/netfilter/ipset/ip_set_timeout.h>
14#ifndef rcu_dereference_bh
15#define rcu_dereference_bh(p) rcu_dereference(p)
16#endif
17
a0f28dc7
JK		 18#define rcu_dereference_bh_nfnl(p) rcu_dereference_bh_check(p, 1)
19
1feab10d
JK		 20/* Hashing which uses arrays to resolve clashing. The hash table is resized
21 * (doubled) when searching becomes too long.
22 * Internally jhash is used with the assumption that the size of the
23 * stored data is a multiple of sizeof(u32). If storage supports timeout,
24 * the timeout field must be the last one in the data structure - that field
25 * is ignored when computing the hash key.
26 *
27 * Readers and resizing
28 *
29 * Resizing can be triggered by userspace command only, and those
30 * are serialized by the nfnl mutex. During resizing the set is
31 * read-locked, so the only possible concurrent operations are
32 * the kernel side readers. Those must be protected by proper RCU locking.
33 */
34
35/* Number of elements to store in an initial array block */
36#define AHASH_INIT_SIZE 4
37/* Max number of elements to store in an array block */
38#define AHASH_MAX_SIZE (3*AHASH_INIT_SIZE)
39
40/* Max number of elements can be tuned */
41#ifdef IP_SET_HASH_WITH_MULTI
42#define AHASH_MAX(h) ((h)->ahash_max)
43
44static inline u8
45tune_ahash_max(u8 curr, u32 multi)
46{
47 u32 n;
48
49 if (multi < curr)
50 return curr;
51
52 n = curr + AHASH_INIT_SIZE;
53 /* Currently, at listing one hash bucket must fit into a message.
54 * Therefore we have a hard limit here.
55 */
56 return n > curr && n <= 64 ? n : curr;
57}
58#define TUNE_AHASH_MAX(h, multi) \
59 ((h)->ahash_max = tune_ahash_max((h)->ahash_max, multi))
60#else
61#define AHASH_MAX(h) AHASH_MAX_SIZE
62#define TUNE_AHASH_MAX(h, multi)
63#endif
64
65/* A hash bucket */
66struct hbucket {
67 void *value; /* the array of the values */
68 u8 size; /* size of the array */
69 u8 pos; /* position of the first free entry */
70};
71
72/* The hash table: the table size stored here in order to make resizing easy */
73struct htable {
c4c99783
JK		 74 atomic_t ref; /* References for resizing */
75 atomic_t uref; /* References for dumping */
1feab10d
JK		 76 u8 htable_bits; /* size of hash table == 2^htable_bits */
77 struct hbucket bucket[0]; /* hashtable buckets */
78};
79
80#define hbucket(h, i) (&((h)->bucket[i]))
81
a04d8b6b
JK		 82#ifndef IPSET_NET_COUNT
83#define IPSET_NET_COUNT 1
84#endif
85
1feab10d
JK		 86/* Book-keeping of the prefixes added to the set */
87struct net_prefixes {
a04d8b6b
JK		 88 u32 nets[IPSET_NET_COUNT]; /* number of elements per cidr */
89 u8 cidr[IPSET_NET_COUNT]; /* the different cidr values in the set */
1feab10d
JK		 90};
91
92/* Compute the hash table size */
93static size_t
94htable_size(u8 hbits)
95{
96 size_t hsize;
97
98 /* We must fit both into u32 in jhash and size_t */
99 if (hbits > 31)
100 return 0;
101 hsize = jhash_size(hbits);
102 if ((((size_t)-1) - sizeof(struct htable))/sizeof(struct hbucket)
103 < hsize)
104 return 0;
105
106 return hsize * sizeof(struct hbucket) + sizeof(struct htable);
107}
108
109/* Compute htable_bits from the user input parameter hashsize */
110static u8
111htable_bits(u32 hashsize)
112{
113 /* Assume that hashsize == 2^htable_bits */
114 u8 bits = fls(hashsize - 1);
115 if (jhash_size(bits) != hashsize)
116 /* Round up to the first 2^n value */
117 bits = fls(hashsize);
118
119 return bits;
120}
121
1feab10d
JK		 122static int
123hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize)
124{
125 if (n->pos >= n->size) {
126 void *tmp;
127
128 if (n->size >= ahash_max)
129 /* Trigger rehashing */
130 return -EAGAIN;
131
132 tmp = kzalloc((n->size + AHASH_INIT_SIZE) * dsize,
133 GFP_ATOMIC);
134 if (!tmp)
135 return -ENOMEM;
136 if (n->size) {
137 memcpy(tmp, n->value, n->size * dsize);
138 kfree(n->value);
139 }
140 n->value = tmp;
141 n->size += AHASH_INIT_SIZE;
142 }
143 return 0;
144}
145
146#ifdef IP_SET_HASH_WITH_NETS
ea53ac5b
OS		 147#if IPSET_NET_COUNT > 1
148#define __CIDR(cidr, i) (cidr[i])
149#else
150#define __CIDR(cidr, i) (cidr)
151#endif
25a76f34
JK		 152
153/* cidr + 1 is stored in net_prefixes to support /0 */
f690cbae
JK		 154#define NCIDR_PUT(cidr) ((cidr) + 1)
155#define NCIDR_GET(cidr) ((cidr) - 1)
25a76f34 156
1feab10d 157#ifdef IP_SET_HASH_WITH_NETS_PACKED
25a76f34 158/* When cidr is packed with nomatch, cidr - 1 is stored in the data entry */
f690cbae
JK		 159#define DCIDR_PUT(cidr) ((cidr) - 1)
160#define DCIDR_GET(cidr, i) (__CIDR(cidr, i) + 1)
1feab10d 161#else
f690cbae
JK		 162#define DCIDR_PUT(cidr) (cidr)
163#define DCIDR_GET(cidr, i) __CIDR(cidr, i)
1feab10d
JK		 164#endif
165
f690cbae
JK		 166#define INIT_CIDR(cidr, host_mask) \
167 DCIDR_PUT(((cidr) ? NCIDR_GET(cidr) : host_mask))
168
1feab10d
JK		 169#define SET_HOST_MASK(family) (family == AF_INET ? 32 : 128)
170
59de79cf 171#ifdef IP_SET_HASH_WITH_NET0
a04d8b6b 172#define NLEN(family) (SET_HOST_MASK(family) + 1)
1feab10d 173#else
a04d8b6b 174#define NLEN(family) SET_HOST_MASK(family)
1feab10d
JK		 175#endif
176
177#else
a04d8b6b 178#define NLEN(family) 0
1feab10d
JK		 179#endif /* IP_SET_HASH_WITH_NETS */
180
1feab10d
JK		 181#endif /* _IP_SET_HASH_GEN_H */
182
183/* Family dependent templates */
184
185#undef ahash_data
186#undef mtype_data_equal
187#undef mtype_do_data_match
188#undef mtype_data_set_flags
43ef29c9 189#undef mtype_data_reset_elem
1feab10d
JK		 190#undef mtype_data_reset_flags
191#undef mtype_data_netmask
192#undef mtype_data_list
193#undef mtype_data_next
194#undef mtype_elem
195
40cd63bf
JK		 196#undef mtype_ahash_destroy
197#undef mtype_ext_cleanup
1feab10d
JK		 198#undef mtype_add_cidr
199#undef mtype_del_cidr
200#undef mtype_ahash_memsize
201#undef mtype_flush
202#undef mtype_destroy
1feab10d
JK		 203#undef mtype_same_set
204#undef mtype_kadt
205#undef mtype_uadt
206#undef mtype
207
208#undef mtype_add
209#undef mtype_del
210#undef mtype_test_cidrs
211#undef mtype_test
c4c99783 212#undef mtype_uref
1feab10d
JK		 213#undef mtype_expire
214#undef mtype_resize
215#undef mtype_head
216#undef mtype_list
217#undef mtype_gc
218#undef mtype_gc_init
219#undef mtype_variant
220#undef mtype_data_match
221
222#undef HKEY
223
35b8dcf8 224#define mtype_data_equal IPSET_TOKEN(MTYPE, _data_equal)
1feab10d 225#ifdef IP_SET_HASH_WITH_NETS
35b8dcf8 226#define mtype_do_data_match IPSET_TOKEN(MTYPE, _do_data_match)
1feab10d
JK		 227#else
228#define mtype_do_data_match(d) 1
229#endif
35b8dcf8 230#define mtype_data_set_flags IPSET_TOKEN(MTYPE, _data_set_flags)
ea53ac5b 231#define mtype_data_reset_elem IPSET_TOKEN(MTYPE, _data_reset_elem)
35b8dcf8
JK		 232#define mtype_data_reset_flags IPSET_TOKEN(MTYPE, _data_reset_flags)
233#define mtype_data_netmask IPSET_TOKEN(MTYPE, _data_netmask)
234#define mtype_data_list IPSET_TOKEN(MTYPE, _data_list)
235#define mtype_data_next IPSET_TOKEN(MTYPE, _data_next)
236#define mtype_elem IPSET_TOKEN(MTYPE, _elem)
43ef29c9 237
40cd63bf
JK		 238#define mtype_ahash_destroy IPSET_TOKEN(MTYPE, _ahash_destroy)
239#define mtype_ext_cleanup IPSET_TOKEN(MTYPE, _ext_cleanup)
35b8dcf8
JK		 240#define mtype_add_cidr IPSET_TOKEN(MTYPE, _add_cidr)
241#define mtype_del_cidr IPSET_TOKEN(MTYPE, _del_cidr)
242#define mtype_ahash_memsize IPSET_TOKEN(MTYPE, _ahash_memsize)
243#define mtype_flush IPSET_TOKEN(MTYPE, _flush)
244#define mtype_destroy IPSET_TOKEN(MTYPE, _destroy)
35b8dcf8
JK		 245#define mtype_same_set IPSET_TOKEN(MTYPE, _same_set)
246#define mtype_kadt IPSET_TOKEN(MTYPE, _kadt)
247#define mtype_uadt IPSET_TOKEN(MTYPE, _uadt)
1feab10d
JK		 248#define mtype MTYPE
249
35b8dcf8
JK		 250#define mtype_add IPSET_TOKEN(MTYPE, _add)
251#define mtype_del IPSET_TOKEN(MTYPE, _del)
252#define mtype_test_cidrs IPSET_TOKEN(MTYPE, _test_cidrs)
253#define mtype_test IPSET_TOKEN(MTYPE, _test)
c4c99783 254#define mtype_uref IPSET_TOKEN(MTYPE, _uref)
35b8dcf8
JK		 255#define mtype_expire IPSET_TOKEN(MTYPE, _expire)
256#define mtype_resize IPSET_TOKEN(MTYPE, _resize)
257#define mtype_head IPSET_TOKEN(MTYPE, _head)
258#define mtype_list IPSET_TOKEN(MTYPE, _list)
259#define mtype_gc IPSET_TOKEN(MTYPE, _gc)
43ef29c9 260#define mtype_gc_init IPSET_TOKEN(MTYPE, _gc_init)
35b8dcf8
JK		 261#define mtype_variant IPSET_TOKEN(MTYPE, _variant)
262#define mtype_data_match IPSET_TOKEN(MTYPE, _data_match)
1feab10d 263
1823fb79
SP		 264#ifndef MTYPE
265#error "MTYPE is not defined!"
266#endif
267
268#ifndef HOST_MASK
269#error "HOST_MASK is not defined!"
270#endif
271
1feab10d
JK		 272#ifndef HKEY_DATALEN
273#define HKEY_DATALEN sizeof(struct mtype_elem)
274#endif
275
276#define HKEY(data, initval, htable_bits) \
277(jhash2((u32 *)(data), HKEY_DATALEN/sizeof(u32), initval) \
278 & jhash_mask(htable_bits))
279
280#ifndef htype
1823fb79
SP		 281#ifndef HTYPE
282#error "HTYPE is not defined!"
283#endif /* HTYPE */
1feab10d
JK		 284#define htype HTYPE
285
286/* The generic hash structure */
287struct htype {
a0f28dc7 288 struct htable __rcu *table; /* the hash table */
1feab10d
JK		 289 u32 maxelem; /* max elements in the hash */
290 u32 elements; /* current element (vs timeout) */
291 u32 initval; /* random jhash init value */
4d0e5c07
VD		 292#ifdef IP_SET_HASH_WITH_MARKMASK
293 u32 markmask; /* markmask value for mark mask to store */
294#endif
1feab10d
JK		 295 struct timer_list gc; /* garbage collection when timeout enabled */
296 struct mtype_elem next; /* temporary storage for uadd */
297#ifdef IP_SET_HASH_WITH_MULTI
298 u8 ahash_max; /* max elements in an array block */
299#endif
300#ifdef IP_SET_HASH_WITH_NETMASK
301 u8 netmask; /* netmask value for subnets to store */
302#endif
303#ifdef IP_SET_HASH_WITH_RBTREE
304 struct rb_root rbtree;
305#endif
306#ifdef IP_SET_HASH_WITH_NETS
307 struct net_prefixes nets[0]; /* book-keeping of prefixes */
308#endif
309};
1823fb79 310#endif /* htype */
1feab10d
JK		 311
312#ifdef IP_SET_HASH_WITH_NETS
313/* Network cidr size book keeping when the hash stores different
f690cbae
JK		 314 * sized networks. cidr == real cidr + 1 to support /0.
315 */
1feab10d 316static void
a04d8b6b 317mtype_add_cidr(struct htype *h, u8 cidr, u8 nets_length, u8 n)
1feab10d
JK		 318{
319 int i, j;
320
321 /* Add in increasing prefix order, so larger cidr first */
25a76f34 322 for (i = 0, j = -1; i < nets_length && h->nets[i].cidr[n]; i++) {
1feab10d
JK		 323 if (j != -1)
324 continue;
a04d8b6b 325 else if (h->nets[i].cidr[n] < cidr)
1feab10d 326 j = i;
a04d8b6b 327 else if (h->nets[i].cidr[n] == cidr) {
25a76f34 328 h->nets[cidr - 1].nets[n]++;
1feab10d
JK		 329 return;
330 }
331 }
332 if (j != -1) {
25a76f34 333 for (; i > j; i--)
a04d8b6b 334 h->nets[i].cidr[n] = h->nets[i - 1].cidr[n];
1feab10d 335 }
a04d8b6b 336 h->nets[i].cidr[n] = cidr;
25a76f34 337 h->nets[cidr - 1].nets[n] = 1;
1feab10d
JK		 338}
339
340static void
a04d8b6b 341mtype_del_cidr(struct htype *h, u8 cidr, u8 nets_length, u8 n)
1feab10d 342{
2cf55125
OS		 343 u8 i, j, net_end = nets_length - 1;
344
345 for (i = 0; i < nets_length; i++) {
a04d8b6b 346 if (h->nets[i].cidr[n] != cidr)
2cf55125 347 continue;
25a76f34
JK		 348 h->nets[cidr -1].nets[n]--;
349 if (h->nets[cidr -1].nets[n] > 0)
2cf55125 350 return;
25a76f34 351 for (j = i; j < net_end && h->nets[j].cidr[n]; j++)
a04d8b6b 352 h->nets[j].cidr[n] = h->nets[j + 1].cidr[n];
25a76f34 353 h->nets[j].cidr[n] = 0;
2cf55125 354 return;
1feab10d
JK		 355 }
356}
357#endif
358
359/* Calculate the actual memory size of the set data */
360static size_t
a0f28dc7 361mtype_ahash_memsize(const struct htype *h, const struct htable *t,
ca134ce8 362 u8 nets_length, size_t dsize)
1feab10d
JK		 363{
364 u32 i;
1feab10d
JK		 365 size_t memsize = sizeof(*h)
366 + sizeof(*t)
367#ifdef IP_SET_HASH_WITH_NETS
368 + sizeof(struct net_prefixes) * nets_length
369#endif
370 + jhash_size(t->htable_bits) * sizeof(struct hbucket);
371
372 for (i = 0; i < jhash_size(t->htable_bits); i++)
ca134ce8 373 memsize += t->bucket[i].size * dsize;
1feab10d
JK		 374
375 return memsize;
376}
377
40cd63bf
JK		 378/* Get the ith element from the array block n */
379#define ahash_data(n, i, dsize) \
380 ((struct mtype_elem *)((n)->value + ((i) * (dsize))))
381
382static void
383mtype_ext_cleanup(struct ip_set *set, struct hbucket *n)
384{
385 int i;
386
387 for (i = 0; i < n->pos; i++)
388 ip_set_ext_destroy(set, ahash_data(n, i, set->dsize));
389}
390
1feab10d
JK		 391/* Flush a hash type of set: destroy all elements */
392static void
393mtype_flush(struct ip_set *set)
394{
395 struct htype *h = set->data;
a0f28dc7 396 struct htable *t;
1feab10d
JK		 397 struct hbucket *n;
398 u32 i;
399
a0f28dc7 400 t = rcu_dereference_bh_nfnl(h->table);
1feab10d
JK		 401 for (i = 0; i < jhash_size(t->htable_bits); i++) {
402 n = hbucket(t, i);
403 if (n->size) {
40cd63bf
JK		 404 if (set->extensions & IPSET_EXT_DESTROY)
405 mtype_ext_cleanup(set, n);
1feab10d
JK		 406 n->size = n->pos = 0;
407 /* FIXME: use slab cache */
408 kfree(n->value);
409 }
410 }
411#ifdef IP_SET_HASH_WITH_NETS
a04d8b6b 412 memset(h->nets, 0, sizeof(struct net_prefixes) * NLEN(set->family));
1feab10d
JK		 413#endif
414 h->elements = 0;
415}
416
40cd63bf
JK		 417/* Destroy the hashtable part of the set */
418static void
80571a9e 419mtype_ahash_destroy(struct ip_set *set, struct htable *t, bool ext_destroy)
40cd63bf
JK		 420{
421 struct hbucket *n;
422 u32 i;
423
424 for (i = 0; i < jhash_size(t->htable_bits); i++) {
425 n = hbucket(t, i);
426 if (n->size) {
80571a9e 427 if (set->extensions & IPSET_EXT_DESTROY && ext_destroy)
40cd63bf
JK		 428 mtype_ext_cleanup(set, n);
429 /* FIXME: use slab cache */
430 kfree(n->value);
431 }
432 }
433
434 ip_set_free(t);
435}
436
1feab10d
JK		 437/* Destroy a hash type of set */
438static void
439mtype_destroy(struct ip_set *set)
440{
441 struct htype *h = set->data;
442
edda0791 443 if (SET_WITH_TIMEOUT(set))
1feab10d
JK		 444 del_timer_sync(&h->gc);
445
80571a9e 446 mtype_ahash_destroy(set, rcu_dereference_bh_nfnl(h->table), true);
1feab10d
JK		 447#ifdef IP_SET_HASH_WITH_RBTREE
448 rbtree_destroy(&h->rbtree);
449#endif
450 kfree(h);
451
452 set->data = NULL;
453}
454
455static void
456mtype_gc_init(struct ip_set *set, void (*gc)(unsigned long ul_set))
457{
458 struct htype *h = set->data;
459
460 init_timer(&h->gc);
461 h->gc.data = (unsigned long) set;
462 h->gc.function = gc;
ca134ce8 463 h->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ;
1feab10d
JK		 464 add_timer(&h->gc);
465 pr_debug("gc initialized, run in every %u\n",
ca134ce8 466 IPSET_GC_PERIOD(set->timeout));
1feab10d
JK		 467}
468
469static bool
470mtype_same_set(const struct ip_set *a, const struct ip_set *b)
471{
472 const struct htype *x = a->data;
473 const struct htype *y = b->data;
474
475 /* Resizing changes htable_bits, so we ignore it */
476 return x->maxelem == y->maxelem &&
ca134ce8 477 a->timeout == b->timeout &&
1feab10d
JK		 478#ifdef IP_SET_HASH_WITH_NETMASK
479 x->netmask == y->netmask &&
4d0e5c07
VD		 480#endif
481#ifdef IP_SET_HASH_WITH_MARKMASK
482 x->markmask == y->markmask &&
1feab10d
JK		 483#endif
484 a->extensions == b->extensions;
485}
486
1feab10d
JK		 487/* Delete expired elements from the hashtable */
488static void
ca134ce8 489mtype_expire(struct ip_set *set, struct htype *h, u8 nets_length, size_t dsize)
1feab10d 490{
a0f28dc7 491 struct htable *t;
1feab10d
JK		 492 struct hbucket *n;
493 struct mtype_elem *data;
494 u32 i;
495 int j;
ea53ac5b
OS		 496#ifdef IP_SET_HASH_WITH_NETS
497 u8 k;
498#endif
1feab10d 499
a0f28dc7
JK		 500 rcu_read_lock_bh();
501 t = rcu_dereference_bh(h->table);
1feab10d
JK		 502 for (i = 0; i < jhash_size(t->htable_bits); i++) {
503 n = hbucket(t, i);
504 for (j = 0; j < n->pos; j++) {
505 data = ahash_data(n, j, dsize);
ca134ce8 506 if (ip_set_timeout_expired(ext_timeout(data, set))) {
1feab10d
JK		 507 pr_debug("expired %u/%u\n", i, j);
508#ifdef IP_SET_HASH_WITH_NETS
ea53ac5b 509 for (k = 0; k < IPSET_NET_COUNT; k++)
f690cbae
JK		 510 mtype_del_cidr(h,
511 NCIDR_PUT(DCIDR_GET(data->cidr,
512 k)),
513 nets_length, k);
1feab10d 514#endif
40cd63bf 515 ip_set_ext_destroy(set, data);
1feab10d
JK		 516 if (j != n->pos - 1)
517 /* Not last one */
518 memcpy(data,
519 ahash_data(n, n->pos - 1, dsize),
520 dsize);
521 n->pos--;
522 h->elements--;
523 }
524 }
525 if (n->pos + AHASH_INIT_SIZE < n->size) {
526 void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
527 * dsize,
528 GFP_ATOMIC);
529 if (!tmp)
530 /* Still try to delete expired elements */
531 continue;
532 n->size -= AHASH_INIT_SIZE;
533 memcpy(tmp, n->value, n->size * dsize);
534 kfree(n->value);
535 n->value = tmp;
536 }
537 }
a0f28dc7 538 rcu_read_unlock_bh();
1feab10d
JK		 539}
540
541static void
542mtype_gc(unsigned long ul_set)
543{
544 struct ip_set *set = (struct ip_set *) ul_set;
545 struct htype *h = set->data;
546
547 pr_debug("called\n");
548 write_lock_bh(&set->lock);
ca134ce8 549 mtype_expire(set, h, NLEN(set->family), set->dsize);
1feab10d
JK		 550 write_unlock_bh(&set->lock);
551
ca134ce8 552 h->gc.expires = jiffies + IPSET_GC_PERIOD(set->timeout) * HZ;
1feab10d
JK		 553 add_timer(&h->gc);
554}
555
556/* Resize a hash: create a new hash table with doubling the hashsize
557 * and inserting the elements to it. Repeat until we succeed or
558 * fail due to memory pressures. */
559static int
560mtype_resize(struct ip_set *set, bool retried)
561{
562 struct htype *h = set->data;
a0f28dc7 563 struct htable *t, *orig = rcu_dereference_bh_nfnl(h->table);
1feab10d
JK		 564 u8 htable_bits = orig->htable_bits;
565#ifdef IP_SET_HASH_WITH_NETS
566 u8 flags;
567#endif
568 struct mtype_elem *data;
569 struct mtype_elem *d;
570 struct hbucket *n, *m;
571 u32 i, j;
572 int ret;
573
574 /* Try to cleanup once */
575 if (SET_WITH_TIMEOUT(set) && !retried) {
576 i = h->elements;
577 write_lock_bh(&set->lock);
ca134ce8 578 mtype_expire(set, set->data, NLEN(set->family), set->dsize);
1feab10d
JK		 579 write_unlock_bh(&set->lock);
580 if (h->elements < i)
581 return 0;
582 }
583
584retry:
585 ret = 0;
586 htable_bits++;
587 pr_debug("attempt to resize set %s from %u to %u, t %p\n",
588 set->name, orig->htable_bits, htable_bits, orig);
589 if (!htable_bits) {
590 /* In case we have plenty of memory :-) */
b167a37c
JP		 591 pr_warn("Cannot increase the hashsize of set %s further\n",
592 set->name);
1feab10d
JK		 593 return -IPSET_ERR_HASH_FULL;
594 }
595 t = ip_set_alloc(sizeof(*t)
596 + jhash_size(htable_bits) * sizeof(struct hbucket));
597 if (!t)
598 return -ENOMEM;
599 t->htable_bits = htable_bits;
600
601 read_lock_bh(&set->lock);
c4c99783
JK		 602 /* There can't be another parallel resizing, but dumping is possible */
603 atomic_set(&orig->ref, 1);
604 atomic_inc(&orig->uref);
1feab10d
JK		 605 for (i = 0; i < jhash_size(orig->htable_bits); i++) {
606 n = hbucket(orig, i);
607 for (j = 0; j < n->pos; j++) {
ca134ce8 608 data = ahash_data(n, j, set->dsize);
1feab10d
JK		 609#ifdef IP_SET_HASH_WITH_NETS
610 flags = 0;
611 mtype_data_reset_flags(data, &flags);
612#endif
613 m = hbucket(t, HKEY(data, h->initval, htable_bits));
ca134ce8 614 ret = hbucket_elem_add(m, AHASH_MAX(h), set->dsize);
1feab10d
JK		 615 if (ret < 0) {
616#ifdef IP_SET_HASH_WITH_NETS
617 mtype_data_reset_flags(data, &flags);
618#endif
c4c99783
JK		 619 atomic_set(&orig->ref, 0);
620 atomic_dec(&orig->uref);
1feab10d 621 read_unlock_bh(&set->lock);
80571a9e 622 mtype_ahash_destroy(set, t, false);
1feab10d
JK		 623 if (ret == -EAGAIN)
624 goto retry;
625 return ret;
626 }
ca134ce8
JK		 627 d = ahash_data(m, m->pos++, set->dsize);
628 memcpy(d, data, set->dsize);
1feab10d
JK		 629#ifdef IP_SET_HASH_WITH_NETS
630 mtype_data_reset_flags(d, &flags);
631#endif
632 }
633 }
634
635 rcu_assign_pointer(h->table, t);
636 read_unlock_bh(&set->lock);
637
638 /* Give time to other readers of the set */
639 synchronize_rcu_bh();
640
641 pr_debug("set %s resized from %u (%p) to %u (%p)\n", set->name,
642 orig->htable_bits, orig, t->htable_bits, t);
c4c99783
JK		 643 /* If there's nobody else dumping the table, destroy it */
644 if (atomic_dec_and_test(&orig->uref)) {
645 pr_debug("Table destroy by resize %p\n", orig);
646 mtype_ahash_destroy(set, orig, false);
647 }
1feab10d
JK		 648
649 return 0;
650}
651
652/* Add an element to a hash and update the internal counters when succeeded,
653 * otherwise report the proper error code. */
654static int
655mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
656 struct ip_set_ext *mext, u32 flags)
657{
658 struct htype *h = set->data;
659 struct htable *t;
660 const struct mtype_elem *d = value;
661 struct mtype_elem *data;
662 struct hbucket *n;
663 int i, ret = 0;
664 int j = AHASH_MAX(h) + 1;
665 bool flag_exist = flags & IPSET_FLAG_EXIST;
666 u32 key, multi = 0;
667
1feab10d
JK		 668 rcu_read_lock_bh();
669 t = rcu_dereference_bh(h->table);
670 key = HKEY(value, h->initval, t->htable_bits);
671 n = hbucket(t, key);
672 for (i = 0; i < n->pos; i++) {
ca134ce8 673 data = ahash_data(n, i, set->dsize);
1feab10d
JK		 674 if (mtype_data_equal(data, d, &multi)) {
675 if (flag_exist ||
676 (SET_WITH_TIMEOUT(set) &&
ca134ce8 677 ip_set_timeout_expired(ext_timeout(data, set)))) {
1feab10d
JK		 678 /* Just the extensions could be overwritten */
679 j = i;
680 goto reuse_slot;
681 } else {
682 ret = -IPSET_ERR_EXIST;
683 goto out;
684 }
685 }
686 /* Reuse first timed out entry */
687 if (SET_WITH_TIMEOUT(set) &&
ca134ce8 688 ip_set_timeout_expired(ext_timeout(data, set)) &&
1feab10d
JK		 689 j != AHASH_MAX(h) + 1)
690 j = i;
691 }
86ac79c7
JK		 692 if (h->elements >= h->maxelem && SET_WITH_FORCEADD(set) && n->pos) {
693 /* Choosing the first entry in the array to replace */
694 j = 0;
695 goto reuse_slot;
696 }
697 if (SET_WITH_TIMEOUT(set) && h->elements >= h->maxelem)
698 /* FIXME: when set is full, we slow down here */
699 mtype_expire(set, h, NLEN(set->family), set->dsize);
700
701 if (h->elements >= h->maxelem) {
702 if (net_ratelimit())
703 pr_warn("Set %s is full, maxelem %u reached\n",
704 set->name, h->maxelem);
705 ret = -IPSET_ERR_HASH_FULL;
706 goto out;
707 }
708
1feab10d
JK		 709reuse_slot:
710 if (j != AHASH_MAX(h) + 1) {
711 /* Fill out reused slot */
ca134ce8 712 data = ahash_data(n, j, set->dsize);
1feab10d 713#ifdef IP_SET_HASH_WITH_NETS
ea53ac5b 714 for (i = 0; i < IPSET_NET_COUNT; i++) {
f690cbae 715 mtype_del_cidr(h, NCIDR_PUT(DCIDR_GET(data->cidr, i)),
ea53ac5b 716 NLEN(set->family), i);
f690cbae 717 mtype_add_cidr(h, NCIDR_PUT(DCIDR_GET(d->cidr, i)),
ea53ac5b
OS		 718 NLEN(set->family), i);
719 }
1feab10d 720#endif
40cd63bf 721 ip_set_ext_destroy(set, data);
1feab10d
JK		 722 } else {
723 /* Use/create a new slot */
724 TUNE_AHASH_MAX(h, multi);
ca134ce8 725 ret = hbucket_elem_add(n, AHASH_MAX(h), set->dsize);
1feab10d
JK		 726 if (ret != 0) {
727 if (ret == -EAGAIN)
728 mtype_data_next(&h->next, d);
729 goto out;
730 }
ca134ce8 731 data = ahash_data(n, n->pos++, set->dsize);
1feab10d 732#ifdef IP_SET_HASH_WITH_NETS
ea53ac5b 733 for (i = 0; i < IPSET_NET_COUNT; i++)
f690cbae
JK		 734 mtype_add_cidr(h, NCIDR_PUT(DCIDR_GET(d->cidr, i)),
735 NLEN(set->family), i);
1feab10d
JK		 736#endif
737 h->elements++;
738 }
739 memcpy(data, d, sizeof(struct mtype_elem));
740#ifdef IP_SET_HASH_WITH_NETS
741 mtype_data_set_flags(data, flags);
742#endif
743 if (SET_WITH_TIMEOUT(set))
ca134ce8 744 ip_set_timeout_set(ext_timeout(data, set), ext->timeout);
00d71b27 745 if (SET_WITH_COUNTER(set))
ca134ce8 746 ip_set_init_counter(ext_counter(data, set), ext);
fda75c6d
OS		 747 if (SET_WITH_COMMENT(set))
748 ip_set_init_comment(ext_comment(data, set), ext);
af331419
AD		 749 if (SET_WITH_SKBINFO(set))
750 ip_set_init_skbinfo(ext_skbinfo(data, set), ext);
1feab10d
JK		 751
752out:
753 rcu_read_unlock_bh();
754 return ret;
755}
756
757/* Delete an element from the hash: swap it with the last element
758 * and free up space if possible.
759 */
760static int
761mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
762 struct ip_set_ext *mext, u32 flags)
763{
764 struct htype *h = set->data;
a0f28dc7 765 struct htable *t;
1feab10d
JK		 766 const struct mtype_elem *d = value;
767 struct mtype_elem *data;
768 struct hbucket *n;
a0f28dc7 769 int i, ret = -IPSET_ERR_EXIST;
ea53ac5b
OS		 770#ifdef IP_SET_HASH_WITH_NETS
771 u8 j;
772#endif
1feab10d
JK		 773 u32 key, multi = 0;
774
a0f28dc7
JK		 775 rcu_read_lock_bh();
776 t = rcu_dereference_bh(h->table);
1feab10d
JK		 777 key = HKEY(value, h->initval, t->htable_bits);
778 n = hbucket(t, key);
779 for (i = 0; i < n->pos; i++) {
ca134ce8 780 data = ahash_data(n, i, set->dsize);
1feab10d
JK		 781 if (!mtype_data_equal(data, d, &multi))
782 continue;
783 if (SET_WITH_TIMEOUT(set) &&
ca134ce8 784 ip_set_timeout_expired(ext_timeout(data, set)))
a0f28dc7 785 goto out;
1feab10d
JK		 786 if (i != n->pos - 1)
787 /* Not last one */
ca134ce8
JK		 788 memcpy(data, ahash_data(n, n->pos - 1, set->dsize),
789 set->dsize);
1feab10d
JK		 790
791 n->pos--;
792 h->elements--;
793#ifdef IP_SET_HASH_WITH_NETS
ea53ac5b 794 for (j = 0; j < IPSET_NET_COUNT; j++)
f690cbae
JK		 795 mtype_del_cidr(h, NCIDR_PUT(DCIDR_GET(d->cidr, j)),
796 NLEN(set->family), j);
1feab10d 797#endif
40cd63bf 798 ip_set_ext_destroy(set, data);
1feab10d
JK		 799 if (n->pos + AHASH_INIT_SIZE < n->size) {
800 void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
ca134ce8 801 * set->dsize,
1feab10d 802 GFP_ATOMIC);
a0f28dc7
JK		 803 if (!tmp) {
804 ret = 0;
805 goto out;
806 }
1feab10d 807 n->size -= AHASH_INIT_SIZE;
ca134ce8 808 memcpy(tmp, n->value, n->size * set->dsize);
1feab10d
JK		 809 kfree(n->value);
810 n->value = tmp;
811 }
a0f28dc7
JK		 812 ret = 0;
813 goto out;
1feab10d
JK		 814 }
815
a0f28dc7
JK		 816out:
817 rcu_read_unlock_bh();
818 return ret;
1feab10d
JK		 819}
820
821static inline int
822mtype_data_match(struct mtype_elem *data, const struct ip_set_ext *ext,
823 struct ip_set_ext *mext, struct ip_set *set, u32 flags)
824{
00d71b27 825 if (SET_WITH_COUNTER(set))
ca134ce8 826 ip_set_update_counter(ext_counter(data, set),
00d71b27 827 ext, mext, flags);
af331419
AD		 828 if (SET_WITH_SKBINFO(set))
829 ip_set_get_skbinfo(ext_skbinfo(data, set),
830 ext, mext, flags);
1feab10d
JK		 831 return mtype_do_data_match(data);
832}
833
834#ifdef IP_SET_HASH_WITH_NETS
835/* Special test function which takes into account the different network
836 * sizes added to the set */
837static int
838mtype_test_cidrs(struct ip_set *set, struct mtype_elem *d,
839 const struct ip_set_ext *ext,
840 struct ip_set_ext *mext, u32 flags)
841{
842 struct htype *h = set->data;
a0f28dc7 843 struct htable *t = rcu_dereference_bh(h->table);
1feab10d
JK		 844 struct hbucket *n;
845 struct mtype_elem *data;
ea53ac5b
OS		 846#if IPSET_NET_COUNT == 2
847 struct mtype_elem orig = *d;
848 int i, j = 0, k;
849#else
1feab10d 850 int i, j = 0;
ea53ac5b 851#endif
1feab10d 852 u32 key, multi = 0;
a04d8b6b 853 u8 nets_length = NLEN(set->family);
1feab10d
JK		 854
855 pr_debug("test by nets\n");
25a76f34 856 for (; j < nets_length && h->nets[j].cidr[0] && !multi; j++) {
ea53ac5b
OS		 857#if IPSET_NET_COUNT == 2
858 mtype_data_reset_elem(d, &orig);
f690cbae 859 mtype_data_netmask(d, NCIDR_GET(h->nets[j].cidr[0]), false);
25a76f34 860 for (k = 0; k < nets_length && h->nets[k].cidr[1] && !multi;
ea53ac5b 861 k++) {
f690cbae
JK		 862 mtype_data_netmask(d, NCIDR_GET(h->nets[k].cidr[1]),
863 true);
ea53ac5b 864#else
f690cbae 865 mtype_data_netmask(d, NCIDR_GET(h->nets[j].cidr[0]));
ea53ac5b 866#endif
1feab10d
JK		 867 key = HKEY(d, h->initval, t->htable_bits);
868 n = hbucket(t, key);
869 for (i = 0; i < n->pos; i++) {
ca134ce8 870 data = ahash_data(n, i, set->dsize);
1feab10d
JK		 871 if (!mtype_data_equal(data, d, &multi))
872 continue;
873 if (SET_WITH_TIMEOUT(set)) {
874 if (!ip_set_timeout_expired(
ca134ce8 875 ext_timeout(data, set)))
1feab10d
JK		 876 return mtype_data_match(data, ext,
877 mext, set,
878 flags);
879#ifdef IP_SET_HASH_WITH_MULTI
880 multi = 0;
881#endif
882 } else
883 return mtype_data_match(data, ext,
884 mext, set, flags);
885 }
ea53ac5b
OS		 886#if IPSET_NET_COUNT == 2
887 }
888#endif
1feab10d
JK		 889 }
890 return 0;
891}
892#endif
893
894/* Test whether the element is added to the set */
895static int
896mtype_test(struct ip_set *set, void *value, const struct ip_set_ext *ext,
897 struct ip_set_ext *mext, u32 flags)
898{
899 struct htype *h = set->data;
a0f28dc7 900 struct htable *t;
1feab10d
JK		 901 struct mtype_elem *d = value;
902 struct hbucket *n;
903 struct mtype_elem *data;
a0f28dc7 904 int i, ret = 0;
1feab10d
JK		 905 u32 key, multi = 0;
906
a0f28dc7
JK		 907 rcu_read_lock_bh();
908 t = rcu_dereference_bh(h->table);
1feab10d
JK		 909#ifdef IP_SET_HASH_WITH_NETS
910 /* If we test an IP address and not a network address,
911 * try all possible network sizes */
ea53ac5b 912 for (i = 0; i < IPSET_NET_COUNT; i++)
f690cbae 913 if (DCIDR_GET(d->cidr, i) != SET_HOST_MASK(set->family))
ea53ac5b
OS		 914 break;
915 if (i == IPSET_NET_COUNT) {
a0f28dc7
JK		 916 ret = mtype_test_cidrs(set, d, ext, mext, flags);
917 goto out;
918 }
1feab10d
JK		 919#endif
920
921 key = HKEY(d, h->initval, t->htable_bits);
922 n = hbucket(t, key);
923 for (i = 0; i < n->pos; i++) {
ca134ce8 924 data = ahash_data(n, i, set->dsize);
1feab10d
JK		 925 if (mtype_data_equal(data, d, &multi) &&
926 !(SET_WITH_TIMEOUT(set) &&
ca134ce8 927 ip_set_timeout_expired(ext_timeout(data, set)))) {
a0f28dc7
JK		 928 ret = mtype_data_match(data, ext, mext, set, flags);
929 goto out;
930 }
1feab10d 931 }
a0f28dc7
JK		 932out:
933 rcu_read_unlock_bh();
934 return ret;
1feab10d
JK		 935}
936
937/* Reply a HEADER request: fill out the header part of the set */
938static int
939mtype_head(struct ip_set *set, struct sk_buff *skb)
940{
941 const struct htype *h = set->data;
a0f28dc7 942 const struct htable *t;
1feab10d
JK		 943 struct nlattr *nested;
944 size_t memsize;
945
a0f28dc7 946 t = rcu_dereference_bh_nfnl(h->table);
ca134ce8 947 memsize = mtype_ahash_memsize(h, t, NLEN(set->family), set->dsize);
1feab10d
JK		 948
949 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
950 if (!nested)
951 goto nla_put_failure;
952 if (nla_put_net32(skb, IPSET_ATTR_HASHSIZE,
a0f28dc7 953 htonl(jhash_size(t->htable_bits))) ||
1feab10d
JK		 954 nla_put_net32(skb, IPSET_ATTR_MAXELEM, htonl(h->maxelem)))
955 goto nla_put_failure;
956#ifdef IP_SET_HASH_WITH_NETMASK
957 if (h->netmask != HOST_MASK &&
958 nla_put_u8(skb, IPSET_ATTR_NETMASK, h->netmask))
959 goto nla_put_failure;
4d0e5c07
VD		 960#endif
961#ifdef IP_SET_HASH_WITH_MARKMASK
962 if (nla_put_u32(skb, IPSET_ATTR_MARKMASK, h->markmask))
963 goto nla_put_failure;
1feab10d
JK		 964#endif
965 if (nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
fda75c6d
OS		 966 nla_put_net32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize)))
967 goto nla_put_failure;
968 if (unlikely(ip_set_put_flags(skb, set)))
1feab10d
JK		 969 goto nla_put_failure;
970 ipset_nest_end(skb, nested);
971
972 return 0;
973nla_put_failure:
974 return -EMSGSIZE;
975}
976
c4c99783
JK		 977/* Make possible to run dumping parallel with resizing */
978static void
979mtype_uref(struct ip_set *set, struct netlink_callback *cb, bool start)
980{
981 struct htype *h = set->data;
982 struct htable *t;
983
984 if (start) {
985 rcu_read_lock_bh();
986 t = rcu_dereference_bh_nfnl(h->table);
987 atomic_inc(&t->uref);
988 cb->args[IPSET_CB_PRIVATE] = (unsigned long)t;
989 rcu_read_unlock_bh();
990 } else if (cb->args[IPSET_CB_PRIVATE]) {
991 t = (struct htable *)cb->args[IPSET_CB_PRIVATE];
992 if (atomic_dec_and_test(&t->uref) && atomic_read(&t->ref)) {
993 /* Resizing didn't destroy the hash table */
994 pr_debug("Table destroy by dump: %p\n", t);
995 mtype_ahash_destroy(set, t, false);
996 }
997 cb->args[IPSET_CB_PRIVATE] = 0;
998 }
999}
1000
1feab10d
JK		 1001/* Reply a LIST/SAVE request: dump the elements of the specified set */
1002static int
1003mtype_list(const struct ip_set *set,
1004 struct sk_buff *skb, struct netlink_callback *cb)
1005{
c4c99783 1006 const struct htable *t;
1feab10d
JK		 1007 struct nlattr *atd, *nested;
1008 const struct hbucket *n;
1009 const struct mtype_elem *e;
93302880 1010 u32 first = cb->args[IPSET_CB_ARG0];
1feab10d
JK		 1011 /* We assume that one hash bucket fills into one page */
1012 void *incomplete;
1013 int i;
1014
1015 atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
1016 if (!atd)
1017 return -EMSGSIZE;
1018 pr_debug("list hash set %s\n", set->name);
c4c99783 1019 t = (const struct htable *)cb->args[IPSET_CB_PRIVATE];
93302880
JK		 1020 for (; cb->args[IPSET_CB_ARG0] < jhash_size(t->htable_bits);
1021 cb->args[IPSET_CB_ARG0]++) {
1feab10d 1022 incomplete = skb_tail_pointer(skb);
93302880
JK		 1023 n = hbucket(t, cb->args[IPSET_CB_ARG0]);
1024 pr_debug("cb->arg bucket: %lu, t %p n %p\n",
1025 cb->args[IPSET_CB_ARG0], t, n);
1feab10d 1026 for (i = 0; i < n->pos; i++) {
ca134ce8 1027 e = ahash_data(n, i, set->dsize);
1feab10d 1028 if (SET_WITH_TIMEOUT(set) &&
ca134ce8 1029 ip_set_timeout_expired(ext_timeout(e, set)))
1feab10d
JK		 1030 continue;
1031 pr_debug("list hash %lu hbucket %p i %u, data %p\n",
93302880 1032 cb->args[IPSET_CB_ARG0], n, i, e);
1feab10d
JK		 1033 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
1034 if (!nested) {
93302880 1035 if (cb->args[IPSET_CB_ARG0] == first) {
1feab10d
JK		 1036 nla_nest_cancel(skb, atd);
1037 return -EMSGSIZE;
1038 } else
1039 goto nla_put_failure;
1040 }
1041 if (mtype_data_list(skb, e))
1042 goto nla_put_failure;
3fd986b3 1043 if (ip_set_put_extensions(skb, set, e, true))
fda75c6d 1044 goto nla_put_failure;
1feab10d
JK		 1045 ipset_nest_end(skb, nested);
1046 }
1047 }
1048 ipset_nest_end(skb, atd);
1049 /* Set listing finished */
93302880 1050 cb->args[IPSET_CB_ARG0] = 0;
1feab10d
JK		 1051
1052 return 0;
1053
1054nla_put_failure:
1055 nlmsg_trim(skb, incomplete);
93302880 1056 if (unlikely(first == cb->args[IPSET_CB_ARG0])) {
b167a37c
JP		 1057 pr_warn("Can't list set %s: one bucket does not fit into a message. Please report it!\n",
1058 set->name);
93302880 1059 cb->args[IPSET_CB_ARG0] = 0;
1feab10d
JK		 1060 return -EMSGSIZE;
1061 }
122ebbf2 1062 ipset_nest_end(skb, atd);
1feab10d
JK		 1063 return 0;
1064}
1065
1066static int
35b8dcf8
JK		 1067IPSET_TOKEN(MTYPE, _kadt)(struct ip_set *set, const struct sk_buff *skb,
1068 const struct xt_action_param *par,
1069 enum ipset_adt adt, struct ip_set_adt_opt *opt);
1feab10d
JK		 1070
1071static int
35b8dcf8
JK		 1072IPSET_TOKEN(MTYPE, _uadt)(struct ip_set *set, struct nlattr *tb[],
1073 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried);
1feab10d
JK		 1074
1075static const struct ip_set_type_variant mtype_variant = {
1076 .kadt = mtype_kadt,
1077 .uadt = mtype_uadt,
1078 .adt = {
1079 [IPSET_ADD] = mtype_add,
1080 [IPSET_DEL] = mtype_del,
1081 [IPSET_TEST] = mtype_test,
1082 },
1083 .destroy = mtype_destroy,
1084 .flush = mtype_flush,
1085 .head = mtype_head,
1086 .list = mtype_list,
c4c99783 1087 .uref = mtype_uref,
1feab10d
JK		 1088 .resize = mtype_resize,
1089 .same_set = mtype_same_set,
1090};
1091
1092#ifdef IP_SET_EMIT_CREATE
1093static int
1785e8f4
VL		 1094IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
1095 struct nlattr *tb[], u32 flags)
1feab10d
JK		 1096{
1097 u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
4d0e5c07
VD		 1098#ifdef IP_SET_HASH_WITH_MARKMASK
1099 u32 markmask;
1100#endif
1feab10d
JK		 1101 u8 hbits;
1102#ifdef IP_SET_HASH_WITH_NETMASK
1103 u8 netmask;
1104#endif
1105 size_t hsize;
43ef29c9 1106 struct htype *h;
a0f28dc7 1107 struct htable *t;
1feab10d 1108
07034aea 1109#ifndef IP_SET_PROTO_UNDEF
1feab10d
JK		 1110 if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
1111 return -IPSET_ERR_INVALID_FAMILY;
07034aea 1112#endif
4d0e5c07
VD		 1113
1114#ifdef IP_SET_HASH_WITH_MARKMASK
1115 markmask = 0xffffffff;
1116#endif
1feab10d
JK		 1117#ifdef IP_SET_HASH_WITH_NETMASK
1118 netmask = set->family == NFPROTO_IPV4 ? 32 : 128;
1119 pr_debug("Create set %s with family %s\n",
1120 set->name, set->family == NFPROTO_IPV4 ? "inet" : "inet6");
1121#endif
1122
1123 if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
1124 !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
4d0e5c07
VD		 1125#ifdef IP_SET_HASH_WITH_MARKMASK
1126 !ip_set_optattr_netorder(tb, IPSET_ATTR_MARKMASK) ||
1127#endif
1feab10d
JK		 1128 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
1129 !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
1130 return -IPSET_ERR_PROTOCOL;
1131
1132 if (tb[IPSET_ATTR_HASHSIZE]) {
1133 hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
1134 if (hashsize < IPSET_MIMINAL_HASHSIZE)
1135 hashsize = IPSET_MIMINAL_HASHSIZE;
1136 }
1137
1138 if (tb[IPSET_ATTR_MAXELEM])
1139 maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
1140
1141#ifdef IP_SET_HASH_WITH_NETMASK
1142 if (tb[IPSET_ATTR_NETMASK]) {
1143 netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
1144
1145 if ((set->family == NFPROTO_IPV4 && netmask > 32) ||
1146 (set->family == NFPROTO_IPV6 && netmask > 128) ||
1147 netmask == 0)
1148 return -IPSET_ERR_INVALID_NETMASK;
1149 }
1150#endif
4d0e5c07
VD		 1151#ifdef IP_SET_HASH_WITH_MARKMASK
1152 if (tb[IPSET_ATTR_MARKMASK]) {
1153 markmask = ntohl(nla_get_u32(tb[IPSET_ATTR_MARKMASK]));
1154
ecc245c2 1155 if (markmask == 0)
4d0e5c07
VD		 1156 return -IPSET_ERR_INVALID_MARKMASK;
1157 }
1158#endif
1feab10d
JK		 1159
1160 hsize = sizeof(*h);
1161#ifdef IP_SET_HASH_WITH_NETS
77b4311d 1162 hsize += sizeof(struct net_prefixes) * NLEN(set->family);
1feab10d
JK		 1163#endif
1164 h = kzalloc(hsize, GFP_KERNEL);
1165 if (!h)
1166 return -ENOMEM;
1167
1168 h->maxelem = maxelem;
1169#ifdef IP_SET_HASH_WITH_NETMASK
1170 h->netmask = netmask;
4d0e5c07
VD		 1171#endif
1172#ifdef IP_SET_HASH_WITH_MARKMASK
1173 h->markmask = markmask;
1feab10d
JK		 1174#endif
1175 get_random_bytes(&h->initval, sizeof(h->initval));
ca134ce8 1176 set->timeout = IPSET_NO_TIMEOUT;
1feab10d
JK		 1177
1178 hbits = htable_bits(hashsize);
1179 hsize = htable_size(hbits);
1180 if (hsize == 0) {
1181 kfree(h);
1182 return -ENOMEM;
1183 }
a0f28dc7
JK		 1184 t = ip_set_alloc(hsize);
1185 if (!t) {
1feab10d
JK		 1186 kfree(h);
1187 return -ENOMEM;
1188 }
a0f28dc7
JK		 1189 t->htable_bits = hbits;
1190 rcu_assign_pointer(h->table, t);
1feab10d
JK		 1191
1192 set->data = h;
07034aea 1193#ifndef IP_SET_PROTO_UNDEF
40cd63bf 1194 if (set->family == NFPROTO_IPV4) {
07034aea 1195#endif
35b8dcf8 1196 set->variant = &IPSET_TOKEN(HTYPE, 4_variant);
03c8b234
JK		 1197 set->dsize = ip_set_elem_len(set, tb,
1198 sizeof(struct IPSET_TOKEN(HTYPE, 4_elem)));
07034aea 1199#ifndef IP_SET_PROTO_UNDEF
03c8b234 1200 } else {
35b8dcf8 1201 set->variant = &IPSET_TOKEN(HTYPE, 6_variant);
03c8b234
JK		 1202 set->dsize = ip_set_elem_len(set, tb,
1203 sizeof(struct IPSET_TOKEN(HTYPE, 6_elem)));
1204 }
07034aea 1205#endif
03c8b234 1206 if (tb[IPSET_ATTR_TIMEOUT]) {
ca134ce8 1207 set->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
07034aea 1208#ifndef IP_SET_PROTO_UNDEF
03c8b234 1209 if (set->family == NFPROTO_IPV4)
07034aea 1210#endif
35b8dcf8
JK		 1211 IPSET_TOKEN(HTYPE, 4_gc_init)(set,
1212 IPSET_TOKEN(HTYPE, 4_gc));
07034aea 1213#ifndef IP_SET_PROTO_UNDEF
03c8b234 1214 else
35b8dcf8
JK		 1215 IPSET_TOKEN(HTYPE, 6_gc_init)(set,
1216 IPSET_TOKEN(HTYPE, 6_gc));
07034aea 1217#endif
1feab10d 1218 }
1feab10d 1219 pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
a0f28dc7
JK		 1220 set->name, jhash_size(t->htable_bits),
1221 t->htable_bits, h->maxelem, set->data, t);
1feab10d
JK		 1222
1223 return 0;
1224}
1225#endif /* IP_SET_EMIT_CREATE */
58cc06da
SP		 1226
1227#undef HKEY_DATALEN
Linux kernel - Deliverables
This page took 0.295193 seconds and 5 git commands to generate.