Commit | Line | Data |
---|---|---|
5d50e1d8 | 1 | /* Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
21f45020 JK |
2 | * |
3 | * This program is free software; you can redistribute it and/or modify | |
4 | * it under the terms of the GNU General Public License version 2 as | |
5 | * published by the Free Software Foundation. | |
6 | */ | |
7 | ||
8 | /* Kernel module implementing an IP set type: the hash:net,port type */ | |
9 | ||
10 | #include <linux/jhash.h> | |
11 | #include <linux/module.h> | |
12 | #include <linux/ip.h> | |
13 | #include <linux/skbuff.h> | |
14 | #include <linux/errno.h> | |
21f45020 JK |
15 | #include <linux/random.h> |
16 | #include <net/ip.h> | |
17 | #include <net/ipv6.h> | |
18 | #include <net/netlink.h> | |
19 | ||
20 | #include <linux/netfilter.h> | |
21 | #include <linux/netfilter/ipset/pfxlen.h> | |
22 | #include <linux/netfilter/ipset/ip_set.h> | |
21f45020 JK |
23 | #include <linux/netfilter/ipset/ip_set_getport.h> |
24 | #include <linux/netfilter/ipset/ip_set_hash.h> | |
25 | ||
35b8dcf8 JK |
26 | #define IPSET_TYPE_REV_MIN 0 |
27 | /* 1 SCTP and UDPLITE support added */ | |
28 | /* 2 Range as input support for IPv4 added */ | |
29 | /* 3 nomatch flag support added */ | |
fda75c6d | 30 | /* 4 Counters support added */ |
07cf8f5a | 31 | /* 5 Comments support added */ |
af331419 AD |
32 | /* 6 Forceadd support added */ |
33 | #define IPSET_TYPE_REV_MAX 7 /* skbinfo support added */ | |
10111a6e | 34 | |
21f45020 JK |
35 | MODULE_LICENSE("GPL"); |
36 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
35b8dcf8 | 37 | IP_SET_MODULE_DESC("hash:net,port", IPSET_TYPE_REV_MIN, IPSET_TYPE_REV_MAX); |
21f45020 JK |
38 | MODULE_ALIAS("ip_set_hash:net,port"); |
39 | ||
40 | /* Type specific function prefix */ | |
5d50e1d8 JK |
41 | #define HTYPE hash_netport |
42 | #define IP_SET_HASH_WITH_PROTO | |
43 | #define IP_SET_HASH_WITH_NETS | |
21f45020 | 44 | |
2a7cef2a JK |
45 | /* We squeeze the "nomatch" flag into cidr: we don't support cidr == 0 |
46 | * However this way we have to store internally cidr - 1, | |
47 | * dancing back and forth. | |
48 | */ | |
49 | #define IP_SET_HASH_WITH_NETS_PACKED | |
50 | ||
03c8b234 | 51 | /* IPv4 variant */ |
5d50e1d8 JK |
52 | |
53 | /* Member elements */ | |
21f45020 JK |
54 | struct hash_netport4_elem { |
55 | __be32 ip; | |
56 | __be16 port; | |
57 | u8 proto; | |
2a7cef2a JK |
58 | u8 cidr:7; |
59 | u8 nomatch:1; | |
21f45020 JK |
60 | }; |
61 | ||
5d50e1d8 JK |
62 | /* Common functions */ |
63 | ||
21f45020 JK |
64 | static inline bool |
65 | hash_netport4_data_equal(const struct hash_netport4_elem *ip1, | |
89dc79b7 JK |
66 | const struct hash_netport4_elem *ip2, |
67 | u32 *multi) | |
21f45020 JK |
68 | { |
69 | return ip1->ip == ip2->ip && | |
70 | ip1->port == ip2->port && | |
71 | ip1->proto == ip2->proto && | |
72 | ip1->cidr == ip2->cidr; | |
73 | } | |
74 | ||
5d50e1d8 JK |
75 | static inline int |
76 | hash_netport4_do_data_match(const struct hash_netport4_elem *elem) | |
21f45020 | 77 | { |
5d50e1d8 | 78 | return elem->nomatch ? -ENOTEMPTY : 1; |
21f45020 JK |
79 | } |
80 | ||
81 | static inline void | |
5d50e1d8 | 82 | hash_netport4_data_set_flags(struct hash_netport4_elem *elem, u32 flags) |
21f45020 | 83 | { |
5d50e1d8 | 84 | elem->nomatch = !!((flags >> 16) & IPSET_FLAG_NOMATCH); |
2a7cef2a JK |
85 | } |
86 | ||
87 | static inline void | |
5d50e1d8 | 88 | hash_netport4_data_reset_flags(struct hash_netport4_elem *elem, u8 *flags) |
2a7cef2a | 89 | { |
5d50e1d8 | 90 | swap(*flags, elem->nomatch); |
21f45020 JK |
91 | } |
92 | ||
93 | static inline void | |
94 | hash_netport4_data_netmask(struct hash_netport4_elem *elem, u8 cidr) | |
95 | { | |
96 | elem->ip &= ip_set_netmask(cidr); | |
2a7cef2a | 97 | elem->cidr = cidr - 1; |
21f45020 JK |
98 | } |
99 | ||
21f45020 JK |
100 | static bool |
101 | hash_netport4_data_list(struct sk_buff *skb, | |
102 | const struct hash_netport4_elem *data) | |
103 | { | |
2a7cef2a JK |
104 | u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0; |
105 | ||
7cf7899d DM |
106 | if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) || |
107 | nla_put_net16(skb, IPSET_ATTR_PORT, data->port) || | |
108 | nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr + 1) || | |
109 | nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) || | |
110 | (flags && | |
111 | nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags)))) | |
112 | goto nla_put_failure; | |
728a7e69 | 113 | return false; |
21f45020 JK |
114 | |
115 | nla_put_failure: | |
728a7e69 | 116 | return true; |
21f45020 JK |
117 | } |
118 | ||
5d50e1d8 JK |
119 | static inline void |
120 | hash_netport4_data_next(struct hash_netport4_elem *next, | |
121 | const struct hash_netport4_elem *d) | |
21f45020 | 122 | { |
5d50e1d8 JK |
123 | next->ip = d->ip; |
124 | next->port = d->port; | |
21f45020 JK |
125 | } |
126 | ||
5d50e1d8 | 127 | #define MTYPE hash_netport4 |
21f45020 | 128 | #define HOST_MASK 32 |
5d50e1d8 | 129 | #include "ip_set_hash_gen.h" |
3d14b171 | 130 | |
21f45020 JK |
131 | static int |
132 | hash_netport4_kadt(struct ip_set *set, const struct sk_buff *skb, | |
b66554cf | 133 | const struct xt_action_param *par, |
5d50e1d8 | 134 | enum ipset_adt adt, struct ip_set_adt_opt *opt) |
21f45020 | 135 | { |
5d50e1d8 | 136 | const struct hash_netport *h = set->data; |
21f45020 | 137 | ipset_adtfn adtfn = set->variant->adt[adt]; |
5d50e1d8 | 138 | struct hash_netport4_elem e = { |
f690cbae | 139 | .cidr = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK), |
9b03a5ef | 140 | }; |
ca134ce8 | 141 | struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); |
21f45020 | 142 | |
21f45020 | 143 | if (adt == IPSET_TEST) |
5d50e1d8 | 144 | e.cidr = HOST_MASK - 1; |
21f45020 | 145 | |
ac8cc925 | 146 | if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC, |
5d50e1d8 | 147 | &e.port, &e.proto)) |
21f45020 JK |
148 | return -EINVAL; |
149 | ||
5d50e1d8 JK |
150 | ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip); |
151 | e.ip &= ip_set_netmask(e.cidr + 1); | |
21f45020 | 152 | |
5d50e1d8 | 153 | return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); |
21f45020 JK |
154 | } |
155 | ||
156 | static int | |
157 | hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[], | |
3d14b171 | 158 | enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) |
21f45020 | 159 | { |
5d50e1d8 | 160 | const struct hash_netport *h = set->data; |
21f45020 | 161 | ipset_adtfn adtfn = set->variant->adt[adt]; |
5d50e1d8 | 162 | struct hash_netport4_elem e = { .cidr = HOST_MASK - 1 }; |
ca134ce8 | 163 | struct ip_set_ext ext = IP_SET_INIT_UEXT(set); |
20b2fab4 | 164 | u32 port, port_to, p = 0, ip = 0, ip_to = 0, last; |
5e0c1eb7 | 165 | bool with_ports = false; |
2a7cef2a | 166 | u8 cidr; |
21f45020 JK |
167 | int ret; |
168 | ||
a212e08e SP |
169 | if (tb[IPSET_ATTR_LINENO]) |
170 | *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); | |
171 | ||
21f45020 JK |
172 | if (unlikely(!tb[IPSET_ATTR_IP] || |
173 | !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || | |
174 | !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || | |
7dd37bc8 | 175 | !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS))) |
21f45020 JK |
176 | return -IPSET_ERR_PROTOCOL; |
177 | ||
8e55d2e5 SP |
178 | ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); |
179 | if (ret) | |
180 | return ret; | |
181 | ||
182 | ret = ip_set_get_extensions(set, tb, &ext); | |
21f45020 JK |
183 | if (ret) |
184 | return ret; | |
185 | ||
d0d9e0a5 | 186 | if (tb[IPSET_ATTR_CIDR]) { |
2a7cef2a JK |
187 | cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); |
188 | if (!cidr || cidr > HOST_MASK) | |
15b4d93f | 189 | return -IPSET_ERR_INVALID_CIDR; |
5d50e1d8 | 190 | e.cidr = cidr - 1; |
d0d9e0a5 | 191 | } |
21f45020 | 192 | |
d25472e4 | 193 | e.port = nla_get_be16(tb[IPSET_ATTR_PORT]); |
21f45020 JK |
194 | |
195 | if (tb[IPSET_ATTR_PROTO]) { | |
5d50e1d8 JK |
196 | e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); |
197 | with_ports = ip_set_proto_with_ports(e.proto); | |
21f45020 | 198 | |
5d50e1d8 | 199 | if (e.proto == 0) |
21f45020 | 200 | return -IPSET_ERR_INVALID_PROTO; |
ca0f6a5c | 201 | } else { |
21f45020 | 202 | return -IPSET_ERR_MISSING_PROTO; |
ca0f6a5c | 203 | } |
21f45020 | 204 | |
5d50e1d8 JK |
205 | if (!(with_ports || e.proto == IPPROTO_ICMP)) |
206 | e.port = 0; | |
21f45020 | 207 | |
d0d9e0a5 | 208 | with_ports = with_ports && tb[IPSET_ATTR_PORT_TO]; |
2a7cef2a | 209 | |
43c56e59 | 210 | if (tb[IPSET_ATTR_CADT_FLAGS]) { |
2a7cef2a | 211 | u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); |
ca0f6a5c | 212 | |
2a7cef2a | 213 | if (cadt_flags & IPSET_FLAG_NOMATCH) |
43c56e59 | 214 | flags |= (IPSET_FLAG_NOMATCH << 16); |
2a7cef2a JK |
215 | } |
216 | ||
d0d9e0a5 | 217 | if (adt == IPSET_TEST || !(with_ports || tb[IPSET_ATTR_IP_TO])) { |
5d50e1d8 JK |
218 | e.ip = htonl(ip & ip_set_hostmask(e.cidr + 1)); |
219 | ret = adtfn(set, &e, &ext, &ext, flags); | |
0f1799ba | 220 | return ip_set_enomatch(ret, flags, adt, set) ? -ret : |
43c56e59 | 221 | ip_set_eexist(ret, flags) ? 0 : ret; |
21f45020 JK |
222 | } |
223 | ||
5d50e1d8 | 224 | port = port_to = ntohs(e.port); |
d0d9e0a5 JK |
225 | if (tb[IPSET_ATTR_PORT_TO]) { |
226 | port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); | |
227 | if (port_to < port) | |
228 | swap(port, port_to); | |
229 | } | |
230 | if (tb[IPSET_ATTR_IP_TO]) { | |
231 | ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); | |
232 | if (ret) | |
233 | return ret; | |
234 | if (ip_to < ip) | |
235 | swap(ip, ip_to); | |
236 | if (ip + UINT_MAX == ip_to) | |
237 | return -IPSET_ERR_HASH_RANGE; | |
ca0f6a5c | 238 | } else { |
5d50e1d8 | 239 | ip_set_mask_from_to(ip, ip_to, e.cidr + 1); |
ca0f6a5c | 240 | } |
21f45020 | 241 | |
3d14b171 | 242 | if (retried) |
6e27c9b4 | 243 | ip = ntohl(h->next.ip); |
d0d9e0a5 | 244 | while (!after(ip, ip_to)) { |
5d50e1d8 | 245 | e.ip = htonl(ip); |
2a7cef2a | 246 | last = ip_set_range_to_cidr(ip, ip_to, &cidr); |
5d50e1d8 | 247 | e.cidr = cidr - 1; |
6e27c9b4 JK |
248 | p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port) |
249 | : port; | |
d0d9e0a5 | 250 | for (; p <= port_to; p++) { |
5d50e1d8 JK |
251 | e.port = htons(p); |
252 | ret = adtfn(set, &e, &ext, &ext, flags); | |
d0d9e0a5 JK |
253 | |
254 | if (ret && !ip_set_eexist(ret, flags)) | |
255 | return ret; | |
ca0f6a5c JK |
256 | |
257 | ret = 0; | |
d0d9e0a5 JK |
258 | } |
259 | ip = last + 1; | |
21f45020 JK |
260 | } |
261 | return ret; | |
262 | } | |
263 | ||
03c8b234 | 264 | /* IPv6 variant */ |
21f45020 JK |
265 | |
266 | struct hash_netport6_elem { | |
267 | union nf_inet_addr ip; | |
268 | __be16 port; | |
269 | u8 proto; | |
2a7cef2a JK |
270 | u8 cidr:7; |
271 | u8 nomatch:1; | |
21f45020 JK |
272 | }; |
273 | ||
5d50e1d8 JK |
274 | /* Common functions */ |
275 | ||
21f45020 JK |
276 | static inline bool |
277 | hash_netport6_data_equal(const struct hash_netport6_elem *ip1, | |
89dc79b7 JK |
278 | const struct hash_netport6_elem *ip2, |
279 | u32 *multi) | |
21f45020 | 280 | { |
29e3b160 | 281 | return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6) && |
21f45020 JK |
282 | ip1->port == ip2->port && |
283 | ip1->proto == ip2->proto && | |
284 | ip1->cidr == ip2->cidr; | |
285 | } | |
286 | ||
5d50e1d8 JK |
287 | static inline int |
288 | hash_netport6_do_data_match(const struct hash_netport6_elem *elem) | |
2a7cef2a | 289 | { |
5d50e1d8 | 290 | return elem->nomatch ? -ENOTEMPTY : 1; |
2a7cef2a JK |
291 | } |
292 | ||
6eb4c7e9 | 293 | static inline void |
5d50e1d8 | 294 | hash_netport6_data_set_flags(struct hash_netport6_elem *elem, u32 flags) |
2a7cef2a | 295 | { |
5d50e1d8 | 296 | elem->nomatch = !!((flags >> 16) & IPSET_FLAG_NOMATCH); |
2a7cef2a JK |
297 | } |
298 | ||
21f45020 | 299 | static inline void |
5d50e1d8 | 300 | hash_netport6_data_reset_flags(struct hash_netport6_elem *elem, u8 *flags) |
21f45020 | 301 | { |
5d50e1d8 | 302 | swap(*flags, elem->nomatch); |
21f45020 JK |
303 | } |
304 | ||
21f45020 JK |
305 | static inline void |
306 | hash_netport6_data_netmask(struct hash_netport6_elem *elem, u8 cidr) | |
307 | { | |
308 | ip6_netmask(&elem->ip, cidr); | |
2a7cef2a | 309 | elem->cidr = cidr - 1; |
21f45020 JK |
310 | } |
311 | ||
312 | static bool | |
313 | hash_netport6_data_list(struct sk_buff *skb, | |
314 | const struct hash_netport6_elem *data) | |
315 | { | |
2a7cef2a JK |
316 | u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0; |
317 | ||
7cf7899d DM |
318 | if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) || |
319 | nla_put_net16(skb, IPSET_ATTR_PORT, data->port) || | |
320 | nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr + 1) || | |
321 | nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) || | |
322 | (flags && | |
323 | nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags)))) | |
324 | goto nla_put_failure; | |
728a7e69 | 325 | return false; |
21f45020 JK |
326 | |
327 | nla_put_failure: | |
728a7e69 | 328 | return true; |
21f45020 JK |
329 | } |
330 | ||
5d50e1d8 JK |
331 | static inline void |
332 | hash_netport6_data_next(struct hash_netport4_elem *next, | |
333 | const struct hash_netport6_elem *d) | |
21f45020 | 334 | { |
5d50e1d8 | 335 | next->port = d->port; |
21f45020 JK |
336 | } |
337 | ||
5d50e1d8 | 338 | #undef MTYPE |
21f45020 JK |
339 | #undef HOST_MASK |
340 | ||
5d50e1d8 | 341 | #define MTYPE hash_netport6 |
21f45020 | 342 | #define HOST_MASK 128 |
5d50e1d8 JK |
343 | #define IP_SET_EMIT_CREATE |
344 | #include "ip_set_hash_gen.h" | |
3d14b171 | 345 | |
21f45020 JK |
346 | static int |
347 | hash_netport6_kadt(struct ip_set *set, const struct sk_buff *skb, | |
b66554cf | 348 | const struct xt_action_param *par, |
5d50e1d8 | 349 | enum ipset_adt adt, struct ip_set_adt_opt *opt) |
21f45020 | 350 | { |
5d50e1d8 | 351 | const struct hash_netport *h = set->data; |
21f45020 | 352 | ipset_adtfn adtfn = set->variant->adt[adt]; |
5d50e1d8 | 353 | struct hash_netport6_elem e = { |
f690cbae | 354 | .cidr = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK), |
9b03a5ef | 355 | }; |
ca134ce8 | 356 | struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); |
21f45020 | 357 | |
21f45020 | 358 | if (adt == IPSET_TEST) |
5d50e1d8 | 359 | e.cidr = HOST_MASK - 1; |
21f45020 | 360 | |
ac8cc925 | 361 | if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC, |
5d50e1d8 | 362 | &e.port, &e.proto)) |
21f45020 JK |
363 | return -EINVAL; |
364 | ||
5d50e1d8 JK |
365 | ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6); |
366 | ip6_netmask(&e.ip, e.cidr + 1); | |
21f45020 | 367 | |
5d50e1d8 | 368 | return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); |
21f45020 JK |
369 | } |
370 | ||
371 | static int | |
372 | hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[], | |
3d14b171 | 373 | enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) |
21f45020 | 374 | { |
5d50e1d8 | 375 | const struct hash_netport *h = set->data; |
21f45020 | 376 | ipset_adtfn adtfn = set->variant->adt[adt]; |
5d50e1d8 | 377 | struct hash_netport6_elem e = { .cidr = HOST_MASK - 1 }; |
ca134ce8 | 378 | struct ip_set_ext ext = IP_SET_INIT_UEXT(set); |
21f45020 | 379 | u32 port, port_to; |
5e0c1eb7 | 380 | bool with_ports = false; |
2a7cef2a | 381 | u8 cidr; |
21f45020 JK |
382 | int ret; |
383 | ||
a212e08e SP |
384 | if (tb[IPSET_ATTR_LINENO]) |
385 | *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); | |
386 | ||
21f45020 JK |
387 | if (unlikely(!tb[IPSET_ATTR_IP] || |
388 | !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || | |
389 | !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || | |
7dd37bc8 | 390 | !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS))) |
21f45020 | 391 | return -IPSET_ERR_PROTOCOL; |
d0d9e0a5 JK |
392 | if (unlikely(tb[IPSET_ATTR_IP_TO])) |
393 | return -IPSET_ERR_HASH_RANGE_UNSUPPORTED; | |
21f45020 | 394 | |
8e55d2e5 SP |
395 | ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip); |
396 | if (ret) | |
397 | return ret; | |
398 | ||
399 | ret = ip_set_get_extensions(set, tb, &ext); | |
21f45020 JK |
400 | if (ret) |
401 | return ret; | |
402 | ||
2a7cef2a JK |
403 | if (tb[IPSET_ATTR_CIDR]) { |
404 | cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); | |
405 | if (!cidr || cidr > HOST_MASK) | |
406 | return -IPSET_ERR_INVALID_CIDR; | |
5d50e1d8 | 407 | e.cidr = cidr - 1; |
2a7cef2a | 408 | } |
5d50e1d8 | 409 | ip6_netmask(&e.ip, e.cidr + 1); |
21f45020 | 410 | |
d25472e4 | 411 | e.port = nla_get_be16(tb[IPSET_ATTR_PORT]); |
21f45020 JK |
412 | |
413 | if (tb[IPSET_ATTR_PROTO]) { | |
5d50e1d8 JK |
414 | e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); |
415 | with_ports = ip_set_proto_with_ports(e.proto); | |
21f45020 | 416 | |
5d50e1d8 | 417 | if (e.proto == 0) |
21f45020 | 418 | return -IPSET_ERR_INVALID_PROTO; |
ca0f6a5c | 419 | } else { |
21f45020 | 420 | return -IPSET_ERR_MISSING_PROTO; |
ca0f6a5c | 421 | } |
21f45020 | 422 | |
5d50e1d8 JK |
423 | if (!(with_ports || e.proto == IPPROTO_ICMPV6)) |
424 | e.port = 0; | |
21f45020 | 425 | |
43c56e59 | 426 | if (tb[IPSET_ATTR_CADT_FLAGS]) { |
2a7cef2a | 427 | u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); |
ca0f6a5c | 428 | |
2a7cef2a | 429 | if (cadt_flags & IPSET_FLAG_NOMATCH) |
43c56e59 | 430 | flags |= (IPSET_FLAG_NOMATCH << 16); |
2a7cef2a JK |
431 | } |
432 | ||
5e0c1eb7 | 433 | if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) { |
5d50e1d8 | 434 | ret = adtfn(set, &e, &ext, &ext, flags); |
0f1799ba | 435 | return ip_set_enomatch(ret, flags, adt, set) ? -ret : |
43c56e59 | 436 | ip_set_eexist(ret, flags) ? 0 : ret; |
21f45020 JK |
437 | } |
438 | ||
5d50e1d8 | 439 | port = ntohs(e.port); |
21f45020 JK |
440 | port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); |
441 | if (port > port_to) | |
442 | swap(port, port_to); | |
443 | ||
3d14b171 | 444 | if (retried) |
6e27c9b4 | 445 | port = ntohs(h->next.port); |
21f45020 | 446 | for (; port <= port_to; port++) { |
5d50e1d8 JK |
447 | e.port = htons(port); |
448 | ret = adtfn(set, &e, &ext, &ext, flags); | |
21f45020 JK |
449 | |
450 | if (ret && !ip_set_eexist(ret, flags)) | |
451 | return ret; | |
ca0f6a5c JK |
452 | |
453 | ret = 0; | |
21f45020 JK |
454 | } |
455 | return ret; | |
456 | } | |
457 | ||
21f45020 JK |
458 | static struct ip_set_type hash_netport_type __read_mostly = { |
459 | .name = "hash:net,port", | |
460 | .protocol = IPSET_PROTOCOL, | |
3e0304a5 | 461 | .features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_NOMATCH, |
21f45020 | 462 | .dimension = IPSET_DIM_TWO, |
c15f1c83 | 463 | .family = NFPROTO_UNSPEC, |
35b8dcf8 JK |
464 | .revision_min = IPSET_TYPE_REV_MIN, |
465 | .revision_max = IPSET_TYPE_REV_MAX, | |
21f45020 JK |
466 | .create = hash_netport_create, |
467 | .create_policy = { | |
468 | [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 }, | |
469 | [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 }, | |
470 | [IPSET_ATTR_PROBES] = { .type = NLA_U8 }, | |
471 | [IPSET_ATTR_RESIZE] = { .type = NLA_U8 }, | |
472 | [IPSET_ATTR_PROTO] = { .type = NLA_U8 }, | |
473 | [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, | |
5d50e1d8 | 474 | [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, |
21f45020 JK |
475 | }, |
476 | .adt_policy = { | |
477 | [IPSET_ATTR_IP] = { .type = NLA_NESTED }, | |
d0d9e0a5 | 478 | [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, |
21f45020 JK |
479 | [IPSET_ATTR_PORT] = { .type = NLA_U16 }, |
480 | [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 }, | |
481 | [IPSET_ATTR_PROTO] = { .type = NLA_U8 }, | |
482 | [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, | |
483 | [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, | |
484 | [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, | |
2a7cef2a | 485 | [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, |
00d71b27 JK |
486 | [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, |
487 | [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, | |
03726186 SP |
488 | [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING, |
489 | .len = IPSET_MAX_COMMENT_SIZE }, | |
af331419 AD |
490 | [IPSET_ATTR_SKBMARK] = { .type = NLA_U64 }, |
491 | [IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 }, | |
492 | [IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 }, | |
21f45020 JK |
493 | }, |
494 | .me = THIS_MODULE, | |
495 | }; | |
496 | ||
497 | static int __init | |
498 | hash_netport_init(void) | |
499 | { | |
500 | return ip_set_type_register(&hash_netport_type); | |
501 | } | |
502 | ||
503 | static void __exit | |
504 | hash_netport_fini(void) | |
505 | { | |
18f84d41 | 506 | rcu_barrier(); |
21f45020 JK |
507 | ip_set_type_unregister(&hash_netport_type); |
508 | } | |
509 | ||
510 | module_init(hash_netport_init); | |
511 | module_exit(hash_netport_fini); |