[deliverable/linux.git] / net / netfilter / ipset / ip_set_hash_netnet.c

/* Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
 * Copyright (C) 2013 Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

/* Kernel module implementing an IP set type: the hash:net type */

#include <linux/jhash.h>
#include <linux/module.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
#include <linux/errno.h>
#include <linux/random.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/netlink.h>

#include <linux/netfilter.h>
#include <linux/netfilter/ipset/pfxlen.h>
#include <linux/netfilter/ipset/ip_set.h>
#include <linux/netfilter/ipset/ip_set_hash.h>

#define IPSET_TYPE_REV_MIN	0
/*				1	   Forceadd support added */
#define IPSET_TYPE_REV_MAX	2	/* skbinfo support added */

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>");
IP_SET_MODULE_DESC("hash:net,net", IPSET_TYPE_REV_MIN, IPSET_TYPE_REV_MAX);
MODULE_ALIAS("ip_set_hash:net,net");

/* Type specific function prefix */
#define HTYPE		hash_netnet
#define IP_SET_HASH_WITH_NETS
#define IPSET_NET_COUNT 2

/* IPv4 variants */

/* Member elements  */
struct hash_netnet4_elem {
	union {
		__be32 ip[2];
		__be64 ipcmp;
	};
	u8 nomatch;
	u8 padding;
	union {
		u8 cidr[2];
		u16 ccmp;
	};
};

/* Common functions */

static inline bool
hash_netnet4_data_equal(const struct hash_netnet4_elem *ip1,
		     const struct hash_netnet4_elem *ip2,
		     u32 *multi)
{
	return ip1->ipcmp == ip2->ipcmp &&
	       ip1->ccmp == ip2->ccmp;
}

static inline int
hash_netnet4_do_data_match(const struct hash_netnet4_elem *elem)
{
	return elem->nomatch ? -ENOTEMPTY : 1;
}

static inline void
hash_netnet4_data_set_flags(struct hash_netnet4_elem *elem, u32 flags)
{
	elem->nomatch = (flags >> 16) & IPSET_FLAG_NOMATCH;
}

static inline void
hash_netnet4_data_reset_flags(struct hash_netnet4_elem *elem, u8 *flags)
{
	swap(*flags, elem->nomatch);
}

static inline void
hash_netnet4_data_reset_elem(struct hash_netnet4_elem *elem,
			  struct hash_netnet4_elem *orig)
{
	elem->ip[1] = orig->ip[1];
}

static inline void
hash_netnet4_data_netmask(struct hash_netnet4_elem *elem, u8 cidr, bool inner)
{
	if (inner) {
		elem->ip[1] &= ip_set_netmask(cidr);
		elem->cidr[1] = cidr;
	} else {
		elem->ip[0] &= ip_set_netmask(cidr);
		elem->cidr[0] = cidr;
	}
}

static bool
hash_netnet4_data_list(struct sk_buff *skb,
		    const struct hash_netnet4_elem *data)
{
	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;

	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip[0]) ||
	    nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip[1]) ||
	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0]) ||
	    nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr[1]) ||
	    (flags &&
	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
		goto nla_put_failure;
	return false;

nla_put_failure:
	return true;
}

static inline void
hash_netnet4_data_next(struct hash_netnet4_elem *next,
		    const struct hash_netnet4_elem *d)
{
	next->ipcmp = d->ipcmp;
}

#define MTYPE		hash_netnet4
#define HOST_MASK	32
#include "ip_set_hash_gen.h"

static int
hash_netnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
	       const struct xt_action_param *par,
	       enum ipset_adt adt, struct ip_set_adt_opt *opt)
{
	const struct hash_netnet *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct hash_netnet4_elem e = { };
	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);

	e.cidr[0] = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK);
	e.cidr[1] = IP_SET_INIT_CIDR(h->nets[0].cidr[1], HOST_MASK);
	if (adt == IPSET_TEST)
		e.ccmp = (HOST_MASK << (sizeof(e.cidr[0]) * 8)) | HOST_MASK;

	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0]);
	ip4addrptr(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.ip[1]);
	e.ip[0] &= ip_set_netmask(e.cidr[0]);
	e.ip[1] &= ip_set_netmask(e.cidr[1]);

	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
}

static int
hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
	       enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
	const struct hash_netnet *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct hash_netnet4_elem e = { .cidr = { HOST_MASK, HOST_MASK, }, };
	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
	u32 ip = 0, ip_to = 0, last;
	u32 ip2 = 0, ip2_from = 0, ip2_to = 0, last2;
	int ret;

	if (tb[IPSET_ATTR_LINENO])
		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

	if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
		return -IPSET_ERR_PROTOCOL;

	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
	if (ret)
		return ret;

	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2], &ip2_from);
	if (ret)
		return ret;

	ret = ip_set_get_extensions(set, tb, &ext);
	if (ret)
		return ret;

	if (tb[IPSET_ATTR_CIDR]) {
		e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
		if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
			return -IPSET_ERR_INVALID_CIDR;
	}

	if (tb[IPSET_ATTR_CIDR2]) {
		e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
		if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
			return -IPSET_ERR_INVALID_CIDR;
	}

	if (tb[IPSET_ATTR_CADT_FLAGS]) {
		u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
		if (cadt_flags & IPSET_FLAG_NOMATCH)
			flags |= (IPSET_FLAG_NOMATCH << 16);
	}

	if (adt == IPSET_TEST || !(tb[IPSET_ATTR_IP_TO] ||
				   tb[IPSET_ATTR_IP2_TO])) {
		e.ip[0] = htonl(ip & ip_set_hostmask(e.cidr[0]));
		e.ip[1] = htonl(ip2_from & ip_set_hostmask(e.cidr[1]));
		ret = adtfn(set, &e, &ext, &ext, flags);
		return ip_set_enomatch(ret, flags, adt, set) ? -ret :
		       ip_set_eexist(ret, flags) ? 0 : ret;
	}

	ip_to = ip;
	if (tb[IPSET_ATTR_IP_TO]) {
		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
		if (ret)
			return ret;
		if (ip_to < ip)
			swap(ip, ip_to);
		if (unlikely(ip + UINT_MAX == ip_to))
			return -IPSET_ERR_HASH_RANGE;
	} else
		ip_set_mask_from_to(ip, ip_to, e.cidr[0]);

	ip2_to = ip2_from;
	if (tb[IPSET_ATTR_IP2_TO]) {
		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2_TO], &ip2_to);
		if (ret)
			return ret;
		if (ip2_to < ip2_from)
			swap(ip2_from, ip2_to);
		if (unlikely(ip2_from + UINT_MAX == ip2_to))
			return -IPSET_ERR_HASH_RANGE;
	} else
		ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[1]);

	if (retried)
		ip = ntohl(h->next.ip[0]);

	while (!after(ip, ip_to)) {
		e.ip[0] = htonl(ip);
		last = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
		ip2 = (retried &&
		       ip == ntohl(h->next.ip[0])) ? ntohl(h->next.ip[1])
						   : ip2_from;
		while (!after(ip2, ip2_to)) {
			e.ip[1] = htonl(ip2);
			last2 = ip_set_range_to_cidr(ip2, ip2_to, &e.cidr[1]);
			ret = adtfn(set, &e, &ext, &ext, flags);
			if (ret && !ip_set_eexist(ret, flags))
				return ret;
			else
				ret = 0;
			ip2 = last2 + 1;
		}
		ip = last + 1;
	}
	return ret;
}

/* IPv6 variants */

struct hash_netnet6_elem {
	union nf_inet_addr ip[2];
	u8 nomatch;
	u8 padding;
	union {
		u8 cidr[2];
		u16 ccmp;
	};
};

/* Common functions */

static inline bool
hash_netnet6_data_equal(const struct hash_netnet6_elem *ip1,
		     const struct hash_netnet6_elem *ip2,
		     u32 *multi)
{
	return ipv6_addr_equal(&ip1->ip[0].in6, &ip2->ip[0].in6) &&
	       ipv6_addr_equal(&ip1->ip[1].in6, &ip2->ip[1].in6) &&
	       ip1->ccmp == ip2->ccmp;
}

static inline int
hash_netnet6_do_data_match(const struct hash_netnet6_elem *elem)
{
	return elem->nomatch ? -ENOTEMPTY : 1;
}

static inline void
hash_netnet6_data_set_flags(struct hash_netnet6_elem *elem, u32 flags)
{
	elem->nomatch = (flags >> 16) & IPSET_FLAG_NOMATCH;
}

static inline void
hash_netnet6_data_reset_flags(struct hash_netnet6_elem *elem, u8 *flags)
{
	swap(*flags, elem->nomatch);
}

static inline void
hash_netnet6_data_reset_elem(struct hash_netnet6_elem *elem,
			  struct hash_netnet6_elem *orig)
{
	elem->ip[1] = orig->ip[1];
}

static inline void
hash_netnet6_data_netmask(struct hash_netnet6_elem *elem, u8 cidr, bool inner)
{
	if (inner) {
		ip6_netmask(&elem->ip[1], cidr);
		elem->cidr[1] = cidr;
	} else {
		ip6_netmask(&elem->ip[0], cidr);
		elem->cidr[0] = cidr;
	}
}

static bool
hash_netnet6_data_list(struct sk_buff *skb,
		    const struct hash_netnet6_elem *data)
{
	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;

	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip[0].in6) ||
	    nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip[1].in6) ||
	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0]) ||
	    nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr[1]) ||
	    (flags &&
	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
		goto nla_put_failure;
	return false;

nla_put_failure:
	return true;
}

static inline void
hash_netnet6_data_next(struct hash_netnet4_elem *next,
		    const struct hash_netnet6_elem *d)
{
}

#undef MTYPE
#undef HOST_MASK

#define MTYPE		hash_netnet6
#define HOST_MASK	128
#define IP_SET_EMIT_CREATE
#include "ip_set_hash_gen.h"

static int
hash_netnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
	       const struct xt_action_param *par,
	       enum ipset_adt adt, struct ip_set_adt_opt *opt)
{
	const struct hash_netnet *h = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct hash_netnet6_elem e = { };
	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);

	e.cidr[0] = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK);
	e.cidr[1] = IP_SET_INIT_CIDR(h->nets[0].cidr[1], HOST_MASK);
	if (adt == IPSET_TEST)
		e.ccmp = (HOST_MASK << (sizeof(u8)*8)) | HOST_MASK;

	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0].in6);
	ip6addrptr(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.ip[1].in6);
	ip6_netmask(&e.ip[0], e.cidr[0]);
	ip6_netmask(&e.ip[1], e.cidr[1]);

	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
}

static int
hash_netnet6_uadt(struct ip_set *set, struct nlattr *tb[],
	       enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct hash_netnet6_elem e = { .cidr = { HOST_MASK, HOST_MASK, }, };
	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
	int ret;

	if (tb[IPSET_ATTR_LINENO])
		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

	if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
		return -IPSET_ERR_PROTOCOL;
	if (unlikely(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_IP2_TO]))
		return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;

	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]);
	if (ret)
		return ret;

	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &e.ip[1]);
	if (ret)
		return ret;

	ret = ip_set_get_extensions(set, tb, &ext);
	if (ret)
		return ret;

	if (tb[IPSET_ATTR_CIDR]) {
		e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
		if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
			return -IPSET_ERR_INVALID_CIDR;
	}

	if (tb[IPSET_ATTR_CIDR2]) {
		e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
		if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
			return -IPSET_ERR_INVALID_CIDR;
	}

	ip6_netmask(&e.ip[0], e.cidr[0]);
	ip6_netmask(&e.ip[1], e.cidr[1]);

	if (tb[IPSET_ATTR_CADT_FLAGS]) {
		u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
		if (cadt_flags & IPSET_FLAG_NOMATCH)
			flags |= (IPSET_FLAG_NOMATCH << 16);
	}

	ret = adtfn(set, &e, &ext, &ext, flags);

	return ip_set_enomatch(ret, flags, adt, set) ? -ret :
	       ip_set_eexist(ret, flags) ? 0 : ret;
}

static struct ip_set_type hash_netnet_type __read_mostly = {
	.name		= "hash:net,net",
	.protocol	= IPSET_PROTOCOL,
	.features	= IPSET_TYPE_IP | IPSET_TYPE_IP2 | IPSET_TYPE_NOMATCH,
	.dimension	= IPSET_DIM_TWO,
	.family		= NFPROTO_UNSPEC,
	.revision_min	= IPSET_TYPE_REV_MIN,
	.revision_max	= IPSET_TYPE_REV_MAX,
	.create		= hash_netnet_create,
	.create_policy	= {
		[IPSET_ATTR_HASHSIZE]	= { .type = NLA_U32 },
		[IPSET_ATTR_MAXELEM]	= { .type = NLA_U32 },
		[IPSET_ATTR_PROBES]	= { .type = NLA_U8 },
		[IPSET_ATTR_RESIZE]	= { .type = NLA_U8  },
		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
		[IPSET_ATTR_CADT_FLAGS]	= { .type = NLA_U32 },
	},
	.adt_policy	= {
		[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
		[IPSET_ATTR_IP_TO]	= { .type = NLA_NESTED },
		[IPSET_ATTR_IP2]	= { .type = NLA_NESTED },
		[IPSET_ATTR_IP2_TO]	= { .type = NLA_NESTED },
		[IPSET_ATTR_CIDR]	= { .type = NLA_U8 },
		[IPSET_ATTR_CIDR2]	= { .type = NLA_U8 },
		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
		[IPSET_ATTR_CADT_FLAGS]	= { .type = NLA_U32 },
		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
					    .len  = IPSET_MAX_COMMENT_SIZE },
		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
	},
	.me		= THIS_MODULE,
};

static int __init
hash_netnet_init(void)
{
	return ip_set_type_register(&hash_netnet_type);
}

static void __exit
hash_netnet_fini(void)
{
	ip_set_type_unregister(&hash_netnet_type);
}

module_init(hash_netnet_init);
module_exit(hash_netnet_fini);
Commit	Line	Data
ea53ac5b OS	1	/* Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	2	* Copyright (C) 2013 Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
	3	*
	4	* This program is free software; you can redistribute it and/or modify
	5	* it under the terms of the GNU General Public License version 2 as
	6	* published by the Free Software Foundation.
	7	*/
	8
	9	/* Kernel module implementing an IP set type: the hash:net type */
	10
	11	#include <linux/jhash.h>
	12	#include <linux/module.h>
	13	#include <linux/ip.h>
	14	#include <linux/skbuff.h>
	15	#include <linux/errno.h>
	16	#include <linux/random.h>
	17	#include <net/ip.h>
	18	#include <net/ipv6.h>
	19	#include <net/netlink.h>
	20
	21	#include <linux/netfilter.h>
	22	#include <linux/netfilter/ipset/pfxlen.h>
	23	#include <linux/netfilter/ipset/ip_set.h>
	24	#include <linux/netfilter/ipset/ip_set_hash.h>
	25
	26	#define IPSET_TYPE_REV_MIN 0
af331419 AD	27	/* 1 Forceadd support added */
af331419 AD	28	#define IPSET_TYPE_REV_MAX 2 /* skbinfo support added */
ea53ac5b OS	29
	30	MODULE_LICENSE("GPL");
	31	MODULE_AUTHOR("Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>");
	32	IP_SET_MODULE_DESC("hash:net,net", IPSET_TYPE_REV_MIN, IPSET_TYPE_REV_MAX);
	33	MODULE_ALIAS("ip_set_hash:net,net");
	34
	35	/* Type specific function prefix */
	36	#define HTYPE hash_netnet
	37	#define IP_SET_HASH_WITH_NETS
	38	#define IPSET_NET_COUNT 2
	39
	40	/* IPv4 variants */
	41
	42	/* Member elements */
	43	struct hash_netnet4_elem {
	44	union {
	45	__be32 ip[2];
	46	__be64 ipcmp;
	47	};
	48	u8 nomatch;
cac37639	49	u8 padding;
ea53ac5b OS	50	union {
	51	u8 cidr[2];
	52	u16 ccmp;
	53	};
	54	};
	55
	56	/* Common functions */
	57
	58	static inline bool
	59	hash_netnet4_data_equal(const struct hash_netnet4_elem *ip1,
	60	const struct hash_netnet4_elem *ip2,
	61	u32 *multi)
	62	{
	63	return ip1->ipcmp == ip2->ipcmp &&
b49faea7	64	ip1->ccmp == ip2->ccmp;
ea53ac5b OS	65	}
	66
	67	static inline int
	68	hash_netnet4_do_data_match(const struct hash_netnet4_elem *elem)
	69	{
	70	return elem->nomatch ? -ENOTEMPTY : 1;
	71	}
	72
	73	static inline void
	74	hash_netnet4_data_set_flags(struct hash_netnet4_elem *elem, u32 flags)
	75	{
	76	elem->nomatch = (flags >> 16) & IPSET_FLAG_NOMATCH;
	77	}
	78
	79	static inline void
	80	hash_netnet4_data_reset_flags(struct hash_netnet4_elem elem, u8 flags)
	81	{
	82	swap(*flags, elem->nomatch);
	83	}
	84
	85	static inline void
	86	hash_netnet4_data_reset_elem(struct hash_netnet4_elem *elem,
	87	struct hash_netnet4_elem *orig)
	88	{
	89	elem->ip[1] = orig->ip[1];
	90	}
	91
	92	static inline void
	93	hash_netnet4_data_netmask(struct hash_netnet4_elem *elem, u8 cidr, bool inner)
	94	{
	95	if (inner) {
	96	elem->ip[1] &= ip_set_netmask(cidr);
	97	elem->cidr[1] = cidr;
	98	} else {
	99	elem->ip[0] &= ip_set_netmask(cidr);
	100	elem->cidr[0] = cidr;
	101	}
	102	}
	103
	104	static bool
	105	hash_netnet4_data_list(struct sk_buff *skb,
	106	const struct hash_netnet4_elem *data)
	107	{
	108	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
	109
	110	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip[0]) \|\|
	111	nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip[1]) \|\|
	112	nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0]) \|\|
	113	nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr[1]) \|\|
	114	(flags &&
	115	nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
	116	goto nla_put_failure;
9562cf28	117	return false;
ea53ac5b OS	118
ea53ac5b OS	119	nla_put_failure:
9562cf28	120	return true;
ea53ac5b OS	121	}
	122
	123	static inline void
	124	hash_netnet4_data_next(struct hash_netnet4_elem *next,
	125	const struct hash_netnet4_elem *d)
	126	{
	127	next->ipcmp = d->ipcmp;
	128	}
	129
	130	#define MTYPE hash_netnet4
ea53ac5b OS	131	#define HOST_MASK 32
	132	#include "ip_set_hash_gen.h"
	133
	134	static int
	135	hash_netnet4_kadt(struct ip_set set, const struct sk_buff skb,
	136	const struct xt_action_param *par,
	137	enum ipset_adt adt, struct ip_set_adt_opt *opt)
	138	{
	139	const struct hash_netnet *h = set->data;
	140	ipset_adtfn adtfn = set->variant->adt[adt];
1a869205	141	struct hash_netnet4_elem e = { };
ea53ac5b OS	142	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
ea53ac5b OS	143
1a869205 JK	144	e.cidr[0] = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK);
1a869205 JK	145	e.cidr[1] = IP_SET_INIT_CIDR(h->nets[0].cidr[1], HOST_MASK);
ea53ac5b OS	146	if (adt == IPSET_TEST)
	147	e.ccmp = (HOST_MASK << (sizeof(e.cidr[0]) * 8)) \| HOST_MASK;
	148
	149	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0]);
	150	ip4addrptr(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.ip[1]);
	151	e.ip[0] &= ip_set_netmask(e.cidr[0]);
	152	e.ip[1] &= ip_set_netmask(e.cidr[1]);
	153
	154	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
	155	}
	156
	157	static int
	158	hash_netnet4_uadt(struct ip_set set, struct nlattr tb[],
	159	enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
	160	{
	161	const struct hash_netnet *h = set->data;
	162	ipset_adtfn adtfn = set->variant->adt[adt];
aff22758	163	struct hash_netnet4_elem e = { .cidr = { HOST_MASK, HOST_MASK, }, };
ea53ac5b OS	164	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
	165	u32 ip = 0, ip_to = 0, last;
	166	u32 ip2 = 0, ip2_from = 0, ip2_to = 0, last2;
ea53ac5b OS	167	int ret;
ea53ac5b OS	168
a212e08e SP	169	if (tb[IPSET_ATTR_LINENO])
	170	*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
	171
ea53ac5b	172	if (unlikely(!tb[IPSET_ATTR_IP] \|\| !tb[IPSET_ATTR_IP2] \|\|
7dd37bc8	173	!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
ea53ac5b OS	174	return -IPSET_ERR_PROTOCOL;
ea53ac5b OS	175
8e55d2e5 SP	176	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
	177	if (ret)
	178	return ret;
	179
	180	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2], &ip2_from);
	181	if (ret)
	182	return ret;
	183
	184	ret = ip_set_get_extensions(set, tb, &ext);
ea53ac5b OS	185	if (ret)
	186	return ret;
	187
	188	if (tb[IPSET_ATTR_CIDR]) {
aff22758 SP	189	e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
aff22758 SP	190	if (!e.cidr[0] \|\| e.cidr[0] > HOST_MASK)
ea53ac5b	191	return -IPSET_ERR_INVALID_CIDR;
ea53ac5b OS	192	}
	193
	194	if (tb[IPSET_ATTR_CIDR2]) {
aff22758 SP	195	e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
aff22758 SP	196	if (!e.cidr[1] \|\| e.cidr[1] > HOST_MASK)
ea53ac5b	197	return -IPSET_ERR_INVALID_CIDR;
ea53ac5b OS	198	}
	199
	200	if (tb[IPSET_ATTR_CADT_FLAGS]) {
	201	u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
	202	if (cadt_flags & IPSET_FLAG_NOMATCH)
	203	flags \|= (IPSET_FLAG_NOMATCH << 16);
	204	}
	205
6e41ee68	206	if (adt == IPSET_TEST \|\| !(tb[IPSET_ATTR_IP_TO] \|\|
ea53ac5b OS	207	tb[IPSET_ATTR_IP2_TO])) {
	208	e.ip[0] = htonl(ip & ip_set_hostmask(e.cidr[0]));
	209	e.ip[1] = htonl(ip2_from & ip_set_hostmask(e.cidr[1]));
	210	ret = adtfn(set, &e, &ext, &ext, flags);
	211	return ip_set_enomatch(ret, flags, adt, set) ? -ret :
	212	ip_set_eexist(ret, flags) ? 0 : ret;
	213	}
	214
	215	ip_to = ip;
	216	if (tb[IPSET_ATTR_IP_TO]) {
	217	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
	218	if (ret)
	219	return ret;
	220	if (ip_to < ip)
	221	swap(ip, ip_to);
6e41ee68	222	if (unlikely(ip + UINT_MAX == ip_to))
ea53ac5b	223	return -IPSET_ERR_HASH_RANGE;
6e41ee68 SP	224	} else
6e41ee68 SP	225	ip_set_mask_from_to(ip, ip_to, e.cidr[0]);
ea53ac5b OS	226
	227	ip2_to = ip2_from;
	228	if (tb[IPSET_ATTR_IP2_TO]) {
	229	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2_TO], &ip2_to);
	230	if (ret)
	231	return ret;
	232	if (ip2_to < ip2_from)
	233	swap(ip2_from, ip2_to);
6e41ee68	234	if (unlikely(ip2_from + UINT_MAX == ip2_to))
ea53ac5b	235	return -IPSET_ERR_HASH_RANGE;
6e41ee68 SP	236	} else
6e41ee68 SP	237	ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[1]);
ea53ac5b OS	238
	239	if (retried)
	240	ip = ntohl(h->next.ip[0]);
	241
	242	while (!after(ip, ip_to)) {
	243	e.ip[0] = htonl(ip);
aff22758	244	last = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
ea53ac5b OS	245	ip2 = (retried &&
	246	ip == ntohl(h->next.ip[0])) ? ntohl(h->next.ip[1])
	247	: ip2_from;
	248	while (!after(ip2, ip2_to)) {
	249	e.ip[1] = htonl(ip2);
aff22758	250	last2 = ip_set_range_to_cidr(ip2, ip2_to, &e.cidr[1]);
ea53ac5b OS	251	ret = adtfn(set, &e, &ext, &ext, flags);
	252	if (ret && !ip_set_eexist(ret, flags))
	253	return ret;
	254	else
	255	ret = 0;
	256	ip2 = last2 + 1;
	257	}
	258	ip = last + 1;
	259	}
	260	return ret;
	261	}
	262
	263	/* IPv6 variants */
	264
	265	struct hash_netnet6_elem {
	266	union nf_inet_addr ip[2];
	267	u8 nomatch;
cac37639	268	u8 padding;
ea53ac5b OS	269	union {
	270	u8 cidr[2];
	271	u16 ccmp;
	272	};
	273	};
	274
	275	/* Common functions */
	276
	277	static inline bool
	278	hash_netnet6_data_equal(const struct hash_netnet6_elem *ip1,
	279	const struct hash_netnet6_elem *ip2,
	280	u32 *multi)
	281	{
	282	return ipv6_addr_equal(&ip1->ip[0].in6, &ip2->ip[0].in6) &&
	283	ipv6_addr_equal(&ip1->ip[1].in6, &ip2->ip[1].in6) &&
	284	ip1->ccmp == ip2->ccmp;
	285	}
	286
	287	static inline int
	288	hash_netnet6_do_data_match(const struct hash_netnet6_elem *elem)
	289	{
	290	return elem->nomatch ? -ENOTEMPTY : 1;
	291	}
	292
	293	static inline void
	294	hash_netnet6_data_set_flags(struct hash_netnet6_elem *elem, u32 flags)
	295	{
	296	elem->nomatch = (flags >> 16) & IPSET_FLAG_NOMATCH;
	297	}
	298
	299	static inline void
	300	hash_netnet6_data_reset_flags(struct hash_netnet6_elem elem, u8 flags)
	301	{
	302	swap(*flags, elem->nomatch);
	303	}
	304
	305	static inline void
	306	hash_netnet6_data_reset_elem(struct hash_netnet6_elem *elem,
	307	struct hash_netnet6_elem *orig)
	308	{
	309	elem->ip[1] = orig->ip[1];
	310	}
	311
	312	static inline void
	313	hash_netnet6_data_netmask(struct hash_netnet6_elem *elem, u8 cidr, bool inner)
	314	{
	315	if (inner) {
	316	ip6_netmask(&elem->ip[1], cidr);
	317	elem->cidr[1] = cidr;
	318	} else {
	319	ip6_netmask(&elem->ip[0], cidr);
	320	elem->cidr[0] = cidr;
	321	}
	322	}
	323
	324	static bool
	325	hash_netnet6_data_list(struct sk_buff *skb,
	326	const struct hash_netnet6_elem *data)
	327	{
	328	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
	329
	330	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip[0].in6) \|\|
	331	nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip[1].in6) \|\|
	332	nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0]) \|\|
333	nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr[1]) \|\|
334	(flags &&
335	nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
336	goto nla_put_failure;
9562cf28	337	return false;
ea53ac5b OS	338
ea53ac5b OS	339	nla_put_failure:
9562cf28	340	return true;
ea53ac5b OS	341	}
	342
	343	static inline void
	344	hash_netnet6_data_next(struct hash_netnet4_elem *next,
	345	const struct hash_netnet6_elem *d)
	346	{
	347	}
	348
	349	#undef MTYPE
ea53ac5b OS	350	#undef HOST_MASK
	351
	352	#define MTYPE hash_netnet6
ea53ac5b OS	353	#define HOST_MASK 128
	354	#define IP_SET_EMIT_CREATE
	355	#include "ip_set_hash_gen.h"
	356
	357	static int
	358	hash_netnet6_kadt(struct ip_set set, const struct sk_buff skb,
	359	const struct xt_action_param *par,
	360	enum ipset_adt adt, struct ip_set_adt_opt *opt)
	361	{
	362	const struct hash_netnet *h = set->data;
	363	ipset_adtfn adtfn = set->variant->adt[adt];
1a869205	364	struct hash_netnet6_elem e = { };
ea53ac5b OS	365	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
ea53ac5b OS	366
1a869205 JK	367	e.cidr[0] = IP_SET_INIT_CIDR(h->nets[0].cidr[0], HOST_MASK);
1a869205 JK	368	e.cidr[1] = IP_SET_INIT_CIDR(h->nets[0].cidr[1], HOST_MASK);
ea53ac5b OS	369	if (adt == IPSET_TEST)
	370	e.ccmp = (HOST_MASK << (sizeof(u8)*8)) \| HOST_MASK;
	371
	372	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0].in6);
	373	ip6addrptr(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.ip[1].in6);
	374	ip6_netmask(&e.ip[0], e.cidr[0]);
	375	ip6_netmask(&e.ip[1], e.cidr[1]);
	376
	377	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
	378	}
	379
	380	static int
	381	hash_netnet6_uadt(struct ip_set set, struct nlattr tb[],
	382	enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
	383	{
	384	ipset_adtfn adtfn = set->variant->adt[adt];
aff22758	385	struct hash_netnet6_elem e = { .cidr = { HOST_MASK, HOST_MASK, }, };
ea53ac5b OS	386	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
	387	int ret;
	388
a212e08e SP	389	if (tb[IPSET_ATTR_LINENO])
	390	*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
	391
ea53ac5b	392	if (unlikely(!tb[IPSET_ATTR_IP] \|\| !tb[IPSET_ATTR_IP2] \|\|
7dd37bc8	393	!ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
ea53ac5b OS	394	return -IPSET_ERR_PROTOCOL;
	395	if (unlikely(tb[IPSET_ATTR_IP_TO] \|\| tb[IPSET_ATTR_IP2_TO]))
	396	return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
	397
8e55d2e5 SP	398	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]);
	399	if (ret)
	400	return ret;
	401
	402	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &e.ip[1]);
	403	if (ret)
	404	return ret;
	405
	406	ret = ip_set_get_extensions(set, tb, &ext);
ea53ac5b OS	407	if (ret)
	408	return ret;
	409
aff22758	410	if (tb[IPSET_ATTR_CIDR]) {
ea53ac5b	411	e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
aff22758 SP	412	if (!e.cidr[0] \|\| e.cidr[0] > HOST_MASK)
	413	return -IPSET_ERR_INVALID_CIDR;
	414	}
ea53ac5b	415
aff22758	416	if (tb[IPSET_ATTR_CIDR2]) {
ea53ac5b	417	e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
aff22758 SP	418	if (!e.cidr[1] \|\| e.cidr[1] > HOST_MASK)
	419	return -IPSET_ERR_INVALID_CIDR;
	420	}
ea53ac5b OS	421
	422	ip6_netmask(&e.ip[0], e.cidr[0]);
	423	ip6_netmask(&e.ip[1], e.cidr[1]);
	424
	425	if (tb[IPSET_ATTR_CADT_FLAGS]) {
	426	u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
	427	if (cadt_flags & IPSET_FLAG_NOMATCH)
	428	flags \|= (IPSET_FLAG_NOMATCH << 16);
	429	}
	430
	431	ret = adtfn(set, &e, &ext, &ext, flags);
	432
	433	return ip_set_enomatch(ret, flags, adt, set) ? -ret :
	434	ip_set_eexist(ret, flags) ? 0 : ret;
	435	}
	436
	437	static struct ip_set_type hash_netnet_type __read_mostly = {
	438	.name = "hash:net,net",
	439	.protocol = IPSET_PROTOCOL,
	440	.features = IPSET_TYPE_IP \| IPSET_TYPE_IP2 \| IPSET_TYPE_NOMATCH,
	441	.dimension = IPSET_DIM_TWO,
	442	.family = NFPROTO_UNSPEC,
	443	.revision_min = IPSET_TYPE_REV_MIN,
	444	.revision_max = IPSET_TYPE_REV_MAX,
	445	.create = hash_netnet_create,
	446	.create_policy = {
	447	[IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
	448	[IPSET_ATTR_MAXELEM] = { .type = NLA_U32 },
	449	[IPSET_ATTR_PROBES] = { .type = NLA_U8 },
	450	[IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
	451	[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
	452	[IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
	453	},
	454	.adt_policy = {
	455	[IPSET_ATTR_IP] = { .type = NLA_NESTED },
	456	[IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
	457	[IPSET_ATTR_IP2] = { .type = NLA_NESTED },
	458	[IPSET_ATTR_IP2_TO] = { .type = NLA_NESTED },
	459	[IPSET_ATTR_CIDR] = { .type = NLA_U8 },
	460	[IPSET_ATTR_CIDR2] = { .type = NLA_U8 },
	461	[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
	462	[IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
	463	[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
	464	[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
03726186 SP	465	[IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
03726186 SP	466	.len = IPSET_MAX_COMMENT_SIZE },
af331419 AD	467	[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
	468	[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
	469	[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
ea53ac5b OS	470	},
	471	.me = THIS_MODULE,
	472	};
	473
	474	static int __init
	475	hash_netnet_init(void)
	476	{
	477	return ip_set_type_register(&hash_netnet_type);
	478	}
	479
	480	static void __exit
	481	hash_netnet_fini(void)
	482	{
	483	ip_set_type_unregister(&hash_netnet_type);
	484	}
	485
	486	module_init(hash_netnet_init);
	487	module_exit(hash_netnet_fini);