[deliverable/linux.git] / net / netfilter / ipset / ip_set_hash_net.c

/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

/* Kernel module implementing an IP set type: the hash:net type */

#include <linux/jhash.h>
#include <linux/module.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
#include <linux/errno.h>
#include <linux/random.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/netlink.h>

#include <linux/netfilter.h>
#include <linux/netfilter/ipset/pfxlen.h>
#include <linux/netfilter/ipset/ip_set.h>
#include <linux/netfilter/ipset/ip_set_timeout.h>
#include <linux/netfilter/ipset/ip_set_hash.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
MODULE_DESCRIPTION("hash:net type of IP sets");
MODULE_ALIAS("ip_set_hash:net");

/* Type specific function prefix */
#define TYPE		hash_net

static bool
hash_net_same_set(const struct ip_set *a, const struct ip_set *b);

#define hash_net4_same_set	hash_net_same_set
#define hash_net6_same_set	hash_net_same_set

/* The type variant functions: IPv4 */

/* Member elements without timeout */
struct hash_net4_elem {
	__be32 ip;
	u16 padding0;
	u8 nomatch;
	u8 cidr;
};

/* Member elements with timeout support */
struct hash_net4_telem {
	__be32 ip;
	u16 padding0;
	u8 nomatch;
	u8 cidr;
	unsigned long timeout;
};

static inline bool
hash_net4_data_equal(const struct hash_net4_elem *ip1,
		     const struct hash_net4_elem *ip2,
		     u32 *multi)
{
	return ip1->ip == ip2->ip &&
	       ip1->cidr == ip2->cidr;
}

static inline bool
hash_net4_data_isnull(const struct hash_net4_elem *elem)
{
	return elem->cidr == 0;
}

static inline void
hash_net4_data_copy(struct hash_net4_elem *dst,
		    const struct hash_net4_elem *src)
{
	dst->ip = src->ip;
	dst->cidr = src->cidr;
	dst->nomatch = src->nomatch;
}

static inline void
hash_net4_data_flags(struct hash_net4_elem *dst, u32 flags)
{
	dst->nomatch = flags & IPSET_FLAG_NOMATCH;
}

static inline bool
hash_net4_data_match(const struct hash_net4_elem *elem)
{
	return !elem->nomatch;
}

static inline void
hash_net4_data_netmask(struct hash_net4_elem *elem, u8 cidr)
{
	elem->ip &= ip_set_netmask(cidr);
	elem->cidr = cidr;
}

/* Zero CIDR values cannot be stored */
static inline void
hash_net4_data_zero_out(struct hash_net4_elem *elem)
{
	elem->cidr = 0;
}

static bool
hash_net4_data_list(struct sk_buff *skb, const struct hash_net4_elem *data)
{
	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;

	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
	    (flags &&
	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return 1;
}

static bool
hash_net4_data_tlist(struct sk_buff *skb, const struct hash_net4_elem *data)
{
	const struct hash_net4_telem *tdata =
		(const struct hash_net4_telem *)data;
	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;

	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) ||
	    nla_put_u8(skb, IPSET_ATTR_CIDR, tdata->cidr) ||
	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
			  htonl(ip_set_timeout_get(tdata->timeout))) ||
	    (flags &&
	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return 1;
}

#define IP_SET_HASH_WITH_NETS

#define PF		4
#define HOST_MASK	32
#include <linux/netfilter/ipset/ip_set_ahash.h>

static inline void
hash_net4_data_next(struct ip_set_hash *h,
		    const struct hash_net4_elem *d)
{
	h->next.ip = ntohl(d->ip);
}

static int
hash_net4_kadt(struct ip_set *set, const struct sk_buff *skb,
	       const struct xt_action_param *par,
	       enum ipset_adt adt, const struct ip_set_adt_opt *opt)
{
	const struct ip_set_hash *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct hash_net4_elem data = {
		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
	};

	if (data.cidr == 0)
		return -EINVAL;
	if (adt == IPSET_TEST)
		data.cidr = HOST_MASK;

	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
	data.ip &= ip_set_netmask(data.cidr);

	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
}

static int
hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
	       enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
	const struct ip_set_hash *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct hash_net4_elem data = { .cidr = HOST_MASK };
	u32 timeout = h->timeout;
	u32 ip = 0, ip_to, last;
	int ret;

	if (unlikely(!tb[IPSET_ATTR_IP] ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
		return -IPSET_ERR_PROTOCOL;

	if (tb[IPSET_ATTR_LINENO])
		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
	if (ret)
		return ret;

	if (tb[IPSET_ATTR_CIDR]) {
		data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
		if (!data.cidr || data.cidr > HOST_MASK)
			return -IPSET_ERR_INVALID_CIDR;
	}

	if (tb[IPSET_ATTR_TIMEOUT]) {
		if (!with_timeout(h->timeout))
			return -IPSET_ERR_TIMEOUT;
		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
	}

	if (tb[IPSET_ATTR_CADT_FLAGS] && adt == IPSET_ADD) {
		u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
		if (cadt_flags & IPSET_FLAG_NOMATCH)
			flags |= (cadt_flags << 16);
	}

	if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
		data.ip = htonl(ip & ip_set_hostmask(data.cidr));
		ret = adtfn(set, &data, timeout, flags);
		return ip_set_eexist(ret, flags) ? 0 : ret;
	}

	ip_to = ip;
	if (tb[IPSET_ATTR_IP_TO]) {
		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
		if (ret)
			return ret;
		if (ip_to < ip)
			swap(ip, ip_to);
		if (ip + UINT_MAX == ip_to)
			return -IPSET_ERR_HASH_RANGE;
	}
	if (retried)
		ip = h->next.ip;
	while (!after(ip, ip_to)) {
		data.ip = htonl(ip);
		last = ip_set_range_to_cidr(ip, ip_to, &data.cidr);
		ret = adtfn(set, &data, timeout, flags);
		if (ret && !ip_set_eexist(ret, flags))
			return ret;
		else
			ret = 0;
		ip = last + 1;
	}
	return ret;
}

static bool
hash_net_same_set(const struct ip_set *a, const struct ip_set *b)
{
	const struct ip_set_hash *x = a->data;
	const struct ip_set_hash *y = b->data;

	/* Resizing changes htable_bits, so we ignore it */
	return x->maxelem == y->maxelem &&
	       x->timeout == y->timeout;
}

/* The type variant functions: IPv6 */

struct hash_net6_elem {
	union nf_inet_addr ip;
	u16 padding0;
	u8 nomatch;
	u8 cidr;
};

struct hash_net6_telem {
	union nf_inet_addr ip;
	u16 padding0;
	u8 nomatch;
	u8 cidr;
	unsigned long timeout;
};

static inline bool
hash_net6_data_equal(const struct hash_net6_elem *ip1,
		     const struct hash_net6_elem *ip2,
		     u32 *multi)
{
	return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
	       ip1->cidr == ip2->cidr;
}

static inline bool
hash_net6_data_isnull(const struct hash_net6_elem *elem)
{
	return elem->cidr == 0;
}

static inline void
hash_net6_data_copy(struct hash_net6_elem *dst,
		    const struct hash_net6_elem *src)
{
	dst->ip.in6 = src->ip.in6;
	dst->cidr = src->cidr;
	dst->nomatch = src->nomatch;
}

static inline void
hash_net6_data_flags(struct hash_net6_elem *dst, u32 flags)
{
	dst->nomatch = flags & IPSET_FLAG_NOMATCH;
}

static inline bool
hash_net6_data_match(const struct hash_net6_elem *elem)
{
	return !elem->nomatch;
}

static inline void
hash_net6_data_zero_out(struct hash_net6_elem *elem)
{
	elem->cidr = 0;
}

static inline void
ip6_netmask(union nf_inet_addr *ip, u8 prefix)
{
	ip->ip6[0] &= ip_set_netmask6(prefix)[0];
	ip->ip6[1] &= ip_set_netmask6(prefix)[1];
	ip->ip6[2] &= ip_set_netmask6(prefix)[2];
	ip->ip6[3] &= ip_set_netmask6(prefix)[3];
}

static inline void
hash_net6_data_netmask(struct hash_net6_elem *elem, u8 cidr)
{
	ip6_netmask(&elem->ip, cidr);
	elem->cidr = cidr;
}

static bool
hash_net6_data_list(struct sk_buff *skb, const struct hash_net6_elem *data)
{
	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;

	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
	    (flags &&
	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return 1;
}

static bool
hash_net6_data_tlist(struct sk_buff *skb, const struct hash_net6_elem *data)
{
	const struct hash_net6_telem *e =
		(const struct hash_net6_telem *)data;
	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;

	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
	    nla_put_u8(skb, IPSET_ATTR_CIDR, e->cidr) ||
	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
			  htonl(ip_set_timeout_get(e->timeout))) ||
	    (flags &&
	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return 1;
}

#undef PF
#undef HOST_MASK

#define PF		6
#define HOST_MASK	128
#include <linux/netfilter/ipset/ip_set_ahash.h>

static inline void
hash_net6_data_next(struct ip_set_hash *h,
		    const struct hash_net6_elem *d)
{
}

static int
hash_net6_kadt(struct ip_set *set, const struct sk_buff *skb,
	       const struct xt_action_param *par,
	       enum ipset_adt adt, const struct ip_set_adt_opt *opt)
{
	const struct ip_set_hash *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct hash_net6_elem data = {
		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
	};

	if (data.cidr == 0)
		return -EINVAL;
	if (adt == IPSET_TEST)
		data.cidr = HOST_MASK;

	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
	ip6_netmask(&data.ip, data.cidr);

	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
}

static int
hash_net6_uadt(struct ip_set *set, struct nlattr *tb[],
	       enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
	const struct ip_set_hash *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct hash_net6_elem data = { .cidr = HOST_MASK };
	u32 timeout = h->timeout;
	int ret;

	if (unlikely(!tb[IPSET_ATTR_IP] ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
		return -IPSET_ERR_PROTOCOL;
	if (unlikely(tb[IPSET_ATTR_IP_TO]))
		return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;

	if (tb[IPSET_ATTR_LINENO])
		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
	if (ret)
		return ret;

	if (tb[IPSET_ATTR_CIDR])
		data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);

	if (!data.cidr || data.cidr > HOST_MASK)
		return -IPSET_ERR_INVALID_CIDR;

	ip6_netmask(&data.ip, data.cidr);

	if (tb[IPSET_ATTR_TIMEOUT]) {
		if (!with_timeout(h->timeout))
			return -IPSET_ERR_TIMEOUT;
		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
	}

	if (tb[IPSET_ATTR_CADT_FLAGS] && adt == IPSET_ADD) {
		u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
		if (cadt_flags & IPSET_FLAG_NOMATCH)
			flags |= (cadt_flags << 16);
	}

	ret = adtfn(set, &data, timeout, flags);

	return ip_set_eexist(ret, flags) ? 0 : ret;
}

/* Create hash:ip type of sets */

static int
hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
{
	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
	struct ip_set_hash *h;
	u8 hbits;

	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
		return -IPSET_ERR_INVALID_FAMILY;

	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
		return -IPSET_ERR_PROTOCOL;

	if (tb[IPSET_ATTR_HASHSIZE]) {
		hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
		if (hashsize < IPSET_MIMINAL_HASHSIZE)
			hashsize = IPSET_MIMINAL_HASHSIZE;
	}

	if (tb[IPSET_ATTR_MAXELEM])
		maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);

	h = kzalloc(sizeof(*h)
		    + sizeof(struct ip_set_hash_nets)
		      * (set->family == NFPROTO_IPV4 ? 32 : 128), GFP_KERNEL);
	if (!h)
		return -ENOMEM;

	h->maxelem = maxelem;
	get_random_bytes(&h->initval, sizeof(h->initval));
	h->timeout = IPSET_NO_TIMEOUT;

	hbits = htable_bits(hashsize);
	h->table = ip_set_alloc(
			sizeof(struct htable)
			+ jhash_size(hbits) * sizeof(struct hbucket));
	if (!h->table) {
		kfree(h);
		return -ENOMEM;
	}
	h->table->htable_bits = hbits;

	set->data = h;

	if (tb[IPSET_ATTR_TIMEOUT]) {
		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);

		set->variant = set->family == NFPROTO_IPV4
			? &hash_net4_tvariant : &hash_net6_tvariant;

		if (set->family == NFPROTO_IPV4)
			hash_net4_gc_init(set);
		else
			hash_net6_gc_init(set);
	} else {
		set->variant = set->family == NFPROTO_IPV4
			? &hash_net4_variant : &hash_net6_variant;
	}

	pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
		 set->name, jhash_size(h->table->htable_bits),
		 h->table->htable_bits, h->maxelem, set->data, h->table);

	return 0;
}

static struct ip_set_type hash_net_type __read_mostly = {
	.name		= "hash:net",
	.protocol	= IPSET_PROTOCOL,
	.features	= IPSET_TYPE_IP,
	.dimension	= IPSET_DIM_ONE,
	.family		= NFPROTO_UNSPEC,
	.revision_min	= 0,
	/*		= 1 	   Range as input support for IPv4 added */
	.revision_max	= 2,	/* nomatch flag support added */
	.create		= hash_net_create,
	.create_policy	= {
		[IPSET_ATTR_HASHSIZE]	= { .type = NLA_U32 },
		[IPSET_ATTR_MAXELEM]	= { .type = NLA_U32 },
		[IPSET_ATTR_PROBES]	= { .type = NLA_U8 },
		[IPSET_ATTR_RESIZE]	= { .type = NLA_U8  },
		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
	},
	.adt_policy	= {
		[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
		[IPSET_ATTR_IP_TO]	= { .type = NLA_NESTED },
		[IPSET_ATTR_CIDR]	= { .type = NLA_U8 },
		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
		[IPSET_ATTR_CADT_FLAGS]	= { .type = NLA_U32 },
	},
	.me		= THIS_MODULE,
};

static int __init
hash_net_init(void)
{
	return ip_set_type_register(&hash_net_type);
}

static void __exit
hash_net_fini(void)
{
	ip_set_type_unregister(&hash_net_type);
}

module_init(hash_net_init);
module_exit(hash_net_fini);
Commit	Line	Data
b3837029 JK	1	/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	2	*
	3	* This program is free software; you can redistribute it and/or modify
	4	* it under the terms of the GNU General Public License version 2 as
	5	* published by the Free Software Foundation.
	6	*/
	7
	8	/* Kernel module implementing an IP set type: the hash:net type */
	9
	10	#include <linux/jhash.h>
	11	#include <linux/module.h>
	12	#include <linux/ip.h>
	13	#include <linux/skbuff.h>
	14	#include <linux/errno.h>
b3837029 JK	15	#include <linux/random.h>
	16	#include <net/ip.h>
	17	#include <net/ipv6.h>
	18	#include <net/netlink.h>
	19
	20	#include <linux/netfilter.h>
	21	#include <linux/netfilter/ipset/pfxlen.h>
	22	#include <linux/netfilter/ipset/ip_set.h>
	23	#include <linux/netfilter/ipset/ip_set_timeout.h>
	24	#include <linux/netfilter/ipset/ip_set_hash.h>
	25
	26	MODULE_LICENSE("GPL");
	27	MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
	28	MODULE_DESCRIPTION("hash:net type of IP sets");
	29	MODULE_ALIAS("ip_set_hash:net");
	30
	31	/* Type specific function prefix */
	32	#define TYPE hash_net
	33
	34	static bool
	35	hash_net_same_set(const struct ip_set a, const struct ip_set b);
	36
	37	#define hash_net4_same_set hash_net_same_set
	38	#define hash_net6_same_set hash_net_same_set
	39
	40	/* The type variant functions: IPv4 */
	41
	42	/* Member elements without timeout */
	43	struct hash_net4_elem {
	44	__be32 ip;
	45	u16 padding0;
2a7cef2a	46	u8 nomatch;
b3837029 JK	47	u8 cidr;
	48	};
	49
	50	/* Member elements with timeout support */
	51	struct hash_net4_telem {
	52	__be32 ip;
	53	u16 padding0;
2a7cef2a	54	u8 nomatch;
b3837029 JK	55	u8 cidr;
	56	unsigned long timeout;
	57	};
	58
	59	static inline bool
	60	hash_net4_data_equal(const struct hash_net4_elem *ip1,
89dc79b7 JK	61	const struct hash_net4_elem *ip2,
89dc79b7 JK	62	u32 *multi)
b3837029	63	{
2a7cef2a JK	64	return ip1->ip == ip2->ip &&
2a7cef2a JK	65	ip1->cidr == ip2->cidr;
b3837029 JK	66	}
	67
	68	static inline bool
	69	hash_net4_data_isnull(const struct hash_net4_elem *elem)
	70	{
	71	return elem->cidr == 0;
	72	}
	73
	74	static inline void
	75	hash_net4_data_copy(struct hash_net4_elem *dst,
	76	const struct hash_net4_elem *src)
	77	{
	78	dst->ip = src->ip;
	79	dst->cidr = src->cidr;
2a7cef2a JK	80	dst->nomatch = src->nomatch;
	81	}
	82
	83	static inline void
	84	hash_net4_data_flags(struct hash_net4_elem *dst, u32 flags)
	85	{
	86	dst->nomatch = flags & IPSET_FLAG_NOMATCH;
	87	}
	88
	89	static inline bool
	90	hash_net4_data_match(const struct hash_net4_elem *elem)
	91	{
	92	return !elem->nomatch;
b3837029 JK	93	}
	94
	95	static inline void
	96	hash_net4_data_netmask(struct hash_net4_elem *elem, u8 cidr)
	97	{
	98	elem->ip &= ip_set_netmask(cidr);
	99	elem->cidr = cidr;
	100	}
	101
	102	/* Zero CIDR values cannot be stored */
	103	static inline void
	104	hash_net4_data_zero_out(struct hash_net4_elem *elem)
	105	{
	106	elem->cidr = 0;
	107	}
	108
	109	static bool
	110	hash_net4_data_list(struct sk_buff skb, const struct hash_net4_elem data)
	111	{
2a7cef2a JK	112	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
2a7cef2a JK	113
7cf7899d DM	114	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) \|\|
	115	nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) \|\|
	116	(flags &&
	117	nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
	118	goto nla_put_failure;
b3837029 JK	119	return 0;
	120
	121	nla_put_failure:
	122	return 1;
	123	}
	124
	125	static bool
	126	hash_net4_data_tlist(struct sk_buff skb, const struct hash_net4_elem data)
	127	{
	128	const struct hash_net4_telem *tdata =
	129	(const struct hash_net4_telem *)data;
2a7cef2a	130	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
b3837029	131
7cf7899d DM	132	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) \|\|
	133	nla_put_u8(skb, IPSET_ATTR_CIDR, tdata->cidr) \|\|
	134	nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
	135	htonl(ip_set_timeout_get(tdata->timeout))) \|\|
	136	(flags &&
	137	nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
	138	goto nla_put_failure;
b3837029 JK	139	return 0;
	140
	141	nla_put_failure:
	142	return 1;
	143	}
	144
	145	#define IP_SET_HASH_WITH_NETS
	146
	147	#define PF 4
	148	#define HOST_MASK 32
	149	#include <linux/netfilter/ipset/ip_set_ahash.h>
	150
3d14b171 JK	151	static inline void
	152	hash_net4_data_next(struct ip_set_hash *h,
	153	const struct hash_net4_elem *d)
	154	{
d0d9e0a5	155	h->next.ip = ntohl(d->ip);
3d14b171 JK	156	}
3d14b171 JK	157
b3837029 JK	158	static int
b3837029 JK	159	hash_net4_kadt(struct ip_set set, const struct sk_buff skb,
b66554cf	160	const struct xt_action_param *par,
ac8cc925	161	enum ipset_adt adt, const struct ip_set_adt_opt *opt)
b3837029 JK	162	{
	163	const struct ip_set_hash *h = set->data;
	164	ipset_adtfn adtfn = set->variant->adt[adt];
9b03a5ef JK	165	struct hash_net4_elem data = {
	166	.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
	167	};
b3837029 JK	168
	169	if (data.cidr == 0)
	170	return -EINVAL;
	171	if (adt == IPSET_TEST)
	172	data.cidr = HOST_MASK;
	173
ac8cc925	174	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
b3837029 JK	175	data.ip &= ip_set_netmask(data.cidr);
b3837029 JK	176
ac8cc925	177	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
b3837029 JK	178	}
	179
	180	static int
	181	hash_net4_uadt(struct ip_set set, struct nlattr tb[],
3d14b171	182	enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
b3837029 JK	183	{
	184	const struct ip_set_hash *h = set->data;
	185	ipset_adtfn adtfn = set->variant->adt[adt];
	186	struct hash_net4_elem data = { .cidr = HOST_MASK };
	187	u32 timeout = h->timeout;
d0d9e0a5	188	u32 ip = 0, ip_to, last;
b3837029 JK	189	int ret;
	190
	191	if (unlikely(!tb[IPSET_ATTR_IP] \|\|
2a7cef2a JK	192	!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) \|\|
2a7cef2a JK	193	!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
b3837029 JK	194	return -IPSET_ERR_PROTOCOL;
	195
	196	if (tb[IPSET_ATTR_LINENO])
	197	*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
	198
d0d9e0a5	199	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
b3837029 JK	200	if (ret)
	201	return ret;
	202
d0d9e0a5	203	if (tb[IPSET_ATTR_CIDR]) {
b3837029	204	data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
2a7cef2a	205	if (!data.cidr \|\| data.cidr > HOST_MASK)
d0d9e0a5 JK	206	return -IPSET_ERR_INVALID_CIDR;
d0d9e0a5 JK	207	}
b3837029 JK	208
	209	if (tb[IPSET_ATTR_TIMEOUT]) {
	210	if (!with_timeout(h->timeout))
	211	return -IPSET_ERR_TIMEOUT;
	212	timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
	213	}
15b4d93f	214
2a7cef2a JK	215	if (tb[IPSET_ATTR_CADT_FLAGS] && adt == IPSET_ADD) {
	216	u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
	217	if (cadt_flags & IPSET_FLAG_NOMATCH)
	218	flags \|= (cadt_flags << 16);
	219	}
	220
d0d9e0a5 JK	221	if (adt == IPSET_TEST \|\| !tb[IPSET_ATTR_IP_TO]) {
	222	data.ip = htonl(ip & ip_set_hostmask(data.cidr));
	223	ret = adtfn(set, &data, timeout, flags);
	224	return ip_set_eexist(ret, flags) ? 0 : ret;
	225	}
b3837029	226
d0d9e0a5 JK	227	ip_to = ip;
	228	if (tb[IPSET_ATTR_IP_TO]) {
	229	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
	230	if (ret)
	231	return ret;
	232	if (ip_to < ip)
	233	swap(ip, ip_to);
	234	if (ip + UINT_MAX == ip_to)
	235	return -IPSET_ERR_HASH_RANGE;
	236	}
	237	if (retried)
15b4d93f	238	ip = h->next.ip;
d0d9e0a5 JK	239	while (!after(ip, ip_to)) {
	240	data.ip = htonl(ip);
	241	last = ip_set_range_to_cidr(ip, ip_to, &data.cidr);
	242	ret = adtfn(set, &data, timeout, flags);
	243	if (ret && !ip_set_eexist(ret, flags))
	244	return ret;
	245	else
	246	ret = 0;
	247	ip = last + 1;
	248	}
	249	return ret;
b3837029 JK	250	}
	251
	252	static bool
	253	hash_net_same_set(const struct ip_set a, const struct ip_set b)
	254	{
	255	const struct ip_set_hash *x = a->data;
	256	const struct ip_set_hash *y = b->data;
	257
	258	/* Resizing changes htable_bits, so we ignore it */
	259	return x->maxelem == y->maxelem &&
	260	x->timeout == y->timeout;
	261	}
	262
	263	/* The type variant functions: IPv6 */
	264
	265	struct hash_net6_elem {
	266	union nf_inet_addr ip;
	267	u16 padding0;
2a7cef2a	268	u8 nomatch;
b3837029 JK	269	u8 cidr;
	270	};
	271
	272	struct hash_net6_telem {
	273	union nf_inet_addr ip;
	274	u16 padding0;
2a7cef2a	275	u8 nomatch;
b3837029 JK	276	u8 cidr;
	277	unsigned long timeout;
	278	};
	279
	280	static inline bool
	281	hash_net6_data_equal(const struct hash_net6_elem *ip1,
89dc79b7 JK	282	const struct hash_net6_elem *ip2,
89dc79b7 JK	283	u32 *multi)
b3837029 JK	284	{
	285	return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
	286	ip1->cidr == ip2->cidr;
	287	}
	288
	289	static inline bool
	290	hash_net6_data_isnull(const struct hash_net6_elem *elem)
	291	{
	292	return elem->cidr == 0;
	293	}
	294
	295	static inline void
	296	hash_net6_data_copy(struct hash_net6_elem *dst,
	297	const struct hash_net6_elem *src)
	298	{
4e3fd7a0	299	dst->ip.in6 = src->ip.in6;
b3837029	300	dst->cidr = src->cidr;
2a7cef2a JK	301	dst->nomatch = src->nomatch;
	302	}
	303
	304	static inline void
	305	hash_net6_data_flags(struct hash_net6_elem *dst, u32 flags)
	306	{
	307	dst->nomatch = flags & IPSET_FLAG_NOMATCH;
	308	}
	309
	310	static inline bool
	311	hash_net6_data_match(const struct hash_net6_elem *elem)
	312	{
	313	return !elem->nomatch;
b3837029 JK	314	}
	315
	316	static inline void
	317	hash_net6_data_zero_out(struct hash_net6_elem *elem)
	318	{
	319	elem->cidr = 0;
	320	}
	321
	322	static inline void
	323	ip6_netmask(union nf_inet_addr *ip, u8 prefix)
	324	{
	325	ip->ip6[0] &= ip_set_netmask6(prefix)[0];
	326	ip->ip6[1] &= ip_set_netmask6(prefix)[1];
	327	ip->ip6[2] &= ip_set_netmask6(prefix)[2];
	328	ip->ip6[3] &= ip_set_netmask6(prefix)[3];
	329	}
	330
	331	static inline void
	332	hash_net6_data_netmask(struct hash_net6_elem *elem, u8 cidr)
	333	{
	334	ip6_netmask(&elem->ip, cidr);
	335	elem->cidr = cidr;
	336	}
	337
	338	static bool
	339	hash_net6_data_list(struct sk_buff skb, const struct hash_net6_elem data)
	340	{
2a7cef2a JK	341	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
2a7cef2a JK	342
7cf7899d DM	343	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) \|\|
	344	nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) \|\|
	345	(flags &&
	346	nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
	347	goto nla_put_failure;
b3837029 JK	348	return 0;
	349
	350	nla_put_failure:
	351	return 1;
	352	}
	353
	354	static bool
	355	hash_net6_data_tlist(struct sk_buff skb, const struct hash_net6_elem data)
	356	{
	357	const struct hash_net6_telem *e =
	358	(const struct hash_net6_telem *)data;
2a7cef2a	359	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
b3837029	360
7cf7899d DM	361	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) \|\|
	362	nla_put_u8(skb, IPSET_ATTR_CIDR, e->cidr) \|\|
	363	nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
	364	htonl(ip_set_timeout_get(e->timeout))) \|\|
	365	(flags &&
	366	nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
	367	goto nla_put_failure;
b3837029 JK	368	return 0;
	369
	370	nla_put_failure:
	371	return 1;
	372	}
	373
	374	#undef PF
	375	#undef HOST_MASK
	376
	377	#define PF 6
	378	#define HOST_MASK 128
	379	#include <linux/netfilter/ipset/ip_set_ahash.h>
	380
3d14b171 JK	381	static inline void
	382	hash_net6_data_next(struct ip_set_hash *h,
	383	const struct hash_net6_elem *d)
	384	{
	385	}
	386
b3837029 JK	387	static int
b3837029 JK	388	hash_net6_kadt(struct ip_set set, const struct sk_buff skb,
b66554cf	389	const struct xt_action_param *par,
ac8cc925	390	enum ipset_adt adt, const struct ip_set_adt_opt *opt)
b3837029 JK	391	{
	392	const struct ip_set_hash *h = set->data;
	393	ipset_adtfn adtfn = set->variant->adt[adt];
9b03a5ef JK	394	struct hash_net6_elem data = {
	395	.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
	396	};
b3837029 JK	397
	398	if (data.cidr == 0)
	399	return -EINVAL;
	400	if (adt == IPSET_TEST)
	401	data.cidr = HOST_MASK;
	402
ac8cc925	403	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
b3837029 JK	404	ip6_netmask(&data.ip, data.cidr);
b3837029 JK	405
ac8cc925	406	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
b3837029 JK	407	}
	408
	409	static int
	410	hash_net6_uadt(struct ip_set set, struct nlattr tb[],
3d14b171	411	enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
b3837029 JK	412	{
	413	const struct ip_set_hash *h = set->data;
	414	ipset_adtfn adtfn = set->variant->adt[adt];
	415	struct hash_net6_elem data = { .cidr = HOST_MASK };
	416	u32 timeout = h->timeout;
	417	int ret;
	418
	419	if (unlikely(!tb[IPSET_ATTR_IP] \|\|
2a7cef2a JK	420	!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) \|\|
2a7cef2a JK	421	!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
b3837029	422	return -IPSET_ERR_PROTOCOL;
d0d9e0a5 JK	423	if (unlikely(tb[IPSET_ATTR_IP_TO]))
d0d9e0a5 JK	424	return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
b3837029 JK	425
	426	if (tb[IPSET_ATTR_LINENO])
	427	*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
	428
	429	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
	430	if (ret)
	431	return ret;
	432
	433	if (tb[IPSET_ATTR_CIDR])
	434	data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
	435
2a7cef2a	436	if (!data.cidr \|\| data.cidr > HOST_MASK)
b3837029 JK	437	return -IPSET_ERR_INVALID_CIDR;
	438
	439	ip6_netmask(&data.ip, data.cidr);
	440
	441	if (tb[IPSET_ATTR_TIMEOUT]) {
	442	if (!with_timeout(h->timeout))
	443	return -IPSET_ERR_TIMEOUT;
	444	timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
	445	}
	446
2a7cef2a JK	447	if (tb[IPSET_ATTR_CADT_FLAGS] && adt == IPSET_ADD) {
	448	u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
	449	if (cadt_flags & IPSET_FLAG_NOMATCH)
	450	flags \|= (cadt_flags << 16);
	451	}
	452
5416219e	453	ret = adtfn(set, &data, timeout, flags);
b3837029 JK	454
	455	return ip_set_eexist(ret, flags) ? 0 : ret;
	456	}
	457
	458	/* Create hash:ip type of sets */
	459
	460	static int
	461	hash_net_create(struct ip_set set, struct nlattr tb[], u32 flags)
	462	{
	463	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
	464	struct ip_set_hash *h;
	465	u8 hbits;
	466
c15f1c83	467	if (!(set->family == NFPROTO_IPV4 \|\| set->family == NFPROTO_IPV6))
b3837029 JK	468	return -IPSET_ERR_INVALID_FAMILY;
	469
	470	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) \|\|
	471	!ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) \|\|
	472	!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
	473	return -IPSET_ERR_PROTOCOL;
	474
	475	if (tb[IPSET_ATTR_HASHSIZE]) {
	476	hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
	477	if (hashsize < IPSET_MIMINAL_HASHSIZE)
	478	hashsize = IPSET_MIMINAL_HASHSIZE;
	479	}
	480
	481	if (tb[IPSET_ATTR_MAXELEM])
	482	maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
	483
	484	h = kzalloc(sizeof(*h)
	485	+ sizeof(struct ip_set_hash_nets)
c15f1c83	486	* (set->family == NFPROTO_IPV4 ? 32 : 128), GFP_KERNEL);
b3837029 JK	487	if (!h)
	488	return -ENOMEM;
	489
	490	h->maxelem = maxelem;
	491	get_random_bytes(&h->initval, sizeof(h->initval));
	492	h->timeout = IPSET_NO_TIMEOUT;
	493
	494	hbits = htable_bits(hashsize);
	495	h->table = ip_set_alloc(
	496	sizeof(struct htable)
	497	+ jhash_size(hbits) * sizeof(struct hbucket));
	498	if (!h->table) {
	499	kfree(h);
	500	return -ENOMEM;
	501	}
	502	h->table->htable_bits = hbits;
	503
	504	set->data = h;
	505
	506	if (tb[IPSET_ATTR_TIMEOUT]) {
	507	h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
	508
c15f1c83	509	set->variant = set->family == NFPROTO_IPV4
b3837029 JK	510	? &hash_net4_tvariant : &hash_net6_tvariant;
b3837029 JK	511
c15f1c83	512	if (set->family == NFPROTO_IPV4)
b3837029 JK	513	hash_net4_gc_init(set);
	514	else
	515	hash_net6_gc_init(set);
	516	} else {
c15f1c83	517	set->variant = set->family == NFPROTO_IPV4
b3837029 JK	518	? &hash_net4_variant : &hash_net6_variant;
	519	}
	520
	521	pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
	522	set->name, jhash_size(h->table->htable_bits),
	523	h->table->htable_bits, h->maxelem, set->data, h->table);
	524
	525	return 0;
	526	}
	527
	528	static struct ip_set_type hash_net_type __read_mostly = {
	529	.name = "hash:net",
	530	.protocol = IPSET_PROTOCOL,
	531	.features = IPSET_TYPE_IP,
	532	.dimension = IPSET_DIM_ONE,
c15f1c83	533	.family = NFPROTO_UNSPEC,
f1e00b39	534	.revision_min = 0,
2a7cef2a JK	535	/* = 1 Range as input support for IPv4 added */
2a7cef2a JK	536	.revision_max = 2, /* nomatch flag support added */
b3837029 JK	537	.create = hash_net_create,
	538	.create_policy = {
	539	[IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
	540	[IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
	541	[IPSET_ATTR_PROBES] = { .type = NLA_U8 },
	542	[IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
	543	[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
	544	},
	545	.adt_policy = {
	546	[IPSET_ATTR_IP] = { .type = NLA_NESTED },
d0d9e0a5	547	[IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
b3837029 JK	548	[IPSET_ATTR_CIDR] = { .type = NLA_U8 },
b3837029 JK	549	[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
2a7cef2a	550	[IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
b3837029 JK	551	},
	552	.me = THIS_MODULE,
	553	};
	554
	555	static int __init
	556	hash_net_init(void)
	557	{
	558	return ip_set_type_register(&hash_net_type);
	559	}
	560
	561	static void __exit
	562	hash_net_fini(void)
	563	{
	564	ip_set_type_unregister(&hash_net_type);
	565	}
	566
	567	module_init(hash_net_init);
	568	module_exit(hash_net_fini);