Doug / smarc-fsl-linux-kernel | Embedian Git Server

Browse Code »

Commit f5caadbb3d8fc0b71533e880c684b2230bdb76ac

Authored by David S. Miller 2011-07-22 03:39:35 +0800

2 parents 0ca87f05ba 0f598f0b4c

Exists in master and in 6 other branches

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

Showing 15 changed files Inline Diff

include/linux/audit.h
include/linux/netfilter/ipset/ip_set_ahash.h
include/linux/netfilter/nfnetlink.h
include/linux/netfilter/nfnetlink_queue.h
kernel/audit.c
net/netfilter/ipset/ip_set_hash_ip.c
net/netfilter/ipset/ip_set_hash_ipport.c
net/netfilter/ipset/ip_set_hash_ipportip.c
net/netfilter/ipset/ip_set_hash_ipportnet.c
net/netfilter/ipset/ip_set_hash_net.c
net/netfilter/ipset/ip_set_hash_netiface.c
net/netfilter/ipset/ip_set_hash_netport.c
net/netfilter/nfnetlink.c
net/netfilter/nfnetlink_queue.c
net/netfilter/xt_AUDIT.c

include/linux/audit.h

Diff comments View file @ f5caadb

 /* audit.h -- Auditing support
  *
  * Copyright 2003-2004 Red Hat Inc., Durham, North Carolina.
  * All Rights Reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or
  * (at your option) any later version.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  *
  * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  *
  */
 #ifndef _LINUX_AUDIT_H_
 #define _LINUX_AUDIT_H_
 #include <linux/types.h>
 #include <linux/elf-em.h>
 /* The netlink messages for the audit system is divided into blocks:
  * 1000 - 1099 are for commanding the audit system
  * 1100 - 1199 user space trusted application messages
  * 1200 - 1299 messages internal to the audit daemon
  * 1300 - 1399 audit event messages
  * 1400 - 1499 SE Linux use
  * 1500 - 1599 kernel LSPP events
  * 1600 - 1699 kernel crypto events
  * 1700 - 1799 kernel anomaly records
  * 1800 - 1899 kernel integrity events
  * 1900 - 1999 future kernel use
  * 2000 is for otherwise unclassified kernel audit messages (legacy)
  * 2001 - 2099 unused (kernel)
  * 2100 - 2199 user space anomaly records
  * 2200 - 2299 user space actions taken in response to anomalies
  * 2300 - 2399 user space generated LSPP events
  * 2400 - 2499 user space crypto events
  * 2500 - 2999 future user space (maybe integrity labels and related events)
  *
  * Messages from 1000-1199 are bi-directional. 1200-1299 & 2100 - 2999 are
  * exclusively user space. 1300-2099 is kernel --> user space
  * communication.
  */
 #define AUDIT_GET		1000	/* Get status */
 #define AUDIT_SET		1001	/* Set status (enable/disable/auditd) */
 #define AUDIT_LIST		1002	/* List syscall rules -- deprecated */
 #define AUDIT_ADD		1003	/* Add syscall rule -- deprecated */
 #define AUDIT_DEL		1004	/* Delete syscall rule -- deprecated */
 #define AUDIT_USER		1005	/* Message from userspace -- deprecated */
 #define AUDIT_LOGIN		1006	/* Define the login id and information */
 #define AUDIT_WATCH_INS		1007	/* Insert file/dir watch entry */
 #define AUDIT_WATCH_REM		1008	/* Remove file/dir watch entry */
 #define AUDIT_WATCH_LIST	1009	/* List all file/dir watches */
 #define AUDIT_SIGNAL_INFO	1010	/* Get info about sender of signal to auditd */
 #define AUDIT_ADD_RULE		1011	/* Add syscall filtering rule */
 #define AUDIT_DEL_RULE		1012	/* Delete syscall filtering rule */
 #define AUDIT_LIST_RULES	1013	/* List syscall filtering rules */
 #define AUDIT_TRIM		1014	/* Trim junk from watched tree */
 #define AUDIT_MAKE_EQUIV	1015	/* Append to watched tree */
 #define AUDIT_TTY_GET		1016	/* Get TTY auditing status */
 #define AUDIT_TTY_SET		1017	/* Set TTY auditing status */
 #define AUDIT_FIRST_USER_MSG	1100	/* Userspace messages mostly uninteresting to kernel */
 #define AUDIT_USER_AVC		1107	/* We filter this differently */
 #define AUDIT_USER_TTY		1124	/* Non-ICANON TTY input meaning */
 #define AUDIT_LAST_USER_MSG	1199
 #define AUDIT_FIRST_USER_MSG2	2100	/* More user space messages */
 #define AUDIT_LAST_USER_MSG2	2999
 #define AUDIT_DAEMON_START      1200    /* Daemon startup record */
 #define AUDIT_DAEMON_END        1201    /* Daemon normal stop record */
 #define AUDIT_DAEMON_ABORT      1202    /* Daemon error stop record */
 #define AUDIT_DAEMON_CONFIG     1203    /* Daemon config change */
 #define AUDIT_SYSCALL		1300	/* Syscall event */
 /* #define AUDIT_FS_WATCH	1301	 * Deprecated */
 #define AUDIT_PATH		1302	/* Filename path information */
 #define AUDIT_IPC		1303	/* IPC record */
 #define AUDIT_SOCKETCALL	1304	/* sys_socketcall arguments */
 #define AUDIT_CONFIG_CHANGE	1305	/* Audit system configuration change */
 #define AUDIT_SOCKADDR		1306	/* sockaddr copied as syscall arg */
 #define AUDIT_CWD		1307	/* Current working directory */
 #define AUDIT_EXECVE		1309	/* execve arguments */
 #define AUDIT_IPC_SET_PERM	1311	/* IPC new permissions record type */
 #define AUDIT_MQ_OPEN		1312	/* POSIX MQ open record type */
 #define AUDIT_MQ_SENDRECV	1313	/* POSIX MQ send/receive record type */
 #define AUDIT_MQ_NOTIFY		1314	/* POSIX MQ notify record type */
 #define AUDIT_MQ_GETSETATTR	1315	/* POSIX MQ get/set attribute record type */
 #define AUDIT_KERNEL_OTHER	1316	/* For use by 3rd party modules */
 #define AUDIT_FD_PAIR		1317    /* audit record for pipe/socketpair */
 #define AUDIT_OBJ_PID		1318	/* ptrace target */
 #define AUDIT_TTY		1319	/* Input on an administrative TTY */
 #define AUDIT_EOE		1320	/* End of multi-record event */
 #define AUDIT_BPRM_FCAPS	1321	/* Information about fcaps increasing perms */
 #define AUDIT_CAPSET		1322	/* Record showing argument to sys_capset */
 #define AUDIT_MMAP		1323	/* Record showing descriptor and flags in mmap */
 #define AUDIT_NETFILTER_PKT	1324	/* Packets traversing netfilter chains */
 #define AUDIT_NETFILTER_CFG	1325	/* Netfilter chain modifications */
 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
 #define AUDIT_AVC_PATH		1402	/* dentry, vfsmount pair from avc */
 #define AUDIT_MAC_POLICY_LOAD	1403	/* Policy file load */
 #define AUDIT_MAC_STATUS	1404	/* Changed enforcing,permissive,off */
 #define AUDIT_MAC_CONFIG_CHANGE	1405	/* Changes to booleans */
 #define AUDIT_MAC_UNLBL_ALLOW	1406	/* NetLabel: allow unlabeled traffic */
 #define AUDIT_MAC_CIPSOV4_ADD	1407	/* NetLabel: add CIPSOv4 DOI entry */
 #define AUDIT_MAC_CIPSOV4_DEL	1408	/* NetLabel: del CIPSOv4 DOI entry */
 #define AUDIT_MAC_MAP_ADD	1409	/* NetLabel: add LSM domain mapping */
 #define AUDIT_MAC_MAP_DEL	1410	/* NetLabel: del LSM domain mapping */
 #define AUDIT_MAC_IPSEC_ADDSA	1411	/* Not used */
 #define AUDIT_MAC_IPSEC_DELSA	1412	/* Not used  */
 #define AUDIT_MAC_IPSEC_ADDSPD	1413	/* Not used */
 #define AUDIT_MAC_IPSEC_DELSPD	1414	/* Not used */
 #define AUDIT_MAC_IPSEC_EVENT	1415	/* Audit an IPSec event */
 #define AUDIT_MAC_UNLBL_STCADD	1416	/* NetLabel: add a static label */
 #define AUDIT_MAC_UNLBL_STCDEL	1417	/* NetLabel: del a static label */
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG    1799
 #define AUDIT_ANOM_PROMISCUOUS      1700 /* Device changed promiscuous mode */
 #define AUDIT_ANOM_ABEND            1701 /* Process ended abnormally */
 #define AUDIT_INTEGRITY_DATA	    1800 /* Data integrity verification */
 #define AUDIT_INTEGRITY_METADATA    1801 /* Metadata integrity verification */
 #define AUDIT_INTEGRITY_STATUS	    1802 /* Integrity enable status */
 #define AUDIT_INTEGRITY_HASH	    1803 /* Integrity HASH type */
 #define AUDIT_INTEGRITY_PCR	    1804 /* PCR invalidation msgs */
 #define AUDIT_INTEGRITY_RULE	    1805 /* policy rule */
 #define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */
 /* Rule flags */
 #define AUDIT_FILTER_USER	0x00	/* Apply rule to user-generated messages */
 #define AUDIT_FILTER_TASK	0x01	/* Apply rule at task creation (not syscall) */
 #define AUDIT_FILTER_ENTRY	0x02	/* Apply rule at syscall entry */
 #define AUDIT_FILTER_WATCH	0x03	/* Apply rule to file system watches */
 #define AUDIT_FILTER_EXIT	0x04	/* Apply rule at syscall exit */
 #define AUDIT_FILTER_TYPE	0x05	/* Apply rule at audit_log_start */
 #define AUDIT_NR_FILTERS	6
 #define AUDIT_FILTER_PREPEND	0x10	/* Prepend to front of list */
 /* Rule actions */
 #define AUDIT_NEVER    0	/* Do not build context if rule matches */
 #define AUDIT_POSSIBLE 1	/* Build context if rule matches  */
 #define AUDIT_ALWAYS   2	/* Generate audit record if rule matches */
 /* Rule structure sizes -- if these change, different AUDIT_ADD and
  * AUDIT_LIST commands must be implemented. */
 #define AUDIT_MAX_FIELDS   64
 #define AUDIT_MAX_KEY_LEN  256
 #define AUDIT_BITMASK_SIZE 64
 #define AUDIT_WORD(nr) ((__u32)((nr)/32))
 #define AUDIT_BIT(nr)  (1 << ((nr) - AUDIT_WORD(nr)*32))
 #define AUDIT_SYSCALL_CLASSES 16
 #define AUDIT_CLASS_DIR_WRITE 0
 #define AUDIT_CLASS_DIR_WRITE_32 1
 #define AUDIT_CLASS_CHATTR 2
 #define AUDIT_CLASS_CHATTR_32 3
 #define AUDIT_CLASS_READ 4
 #define AUDIT_CLASS_READ_32 5
 #define AUDIT_CLASS_WRITE 6
 #define AUDIT_CLASS_WRITE_32 7
 #define AUDIT_CLASS_SIGNAL 8
 #define AUDIT_CLASS_SIGNAL_32 9
 /* This bitmask is used to validate user input.  It represents all bits that
  * are currently used in an audit field constant understood by the kernel.
  * If you are adding a new #define AUDIT_<whatever>, please ensure that
  * AUDIT_UNUSED_BITS is updated if need be. */
 #define AUDIT_UNUSED_BITS	0x07FFFC00
 /* Rule fields */
 				/* These are useful when checking the
 				 * task structure at task creation time
 				 * (AUDIT_PER_TASK).  */
 #define AUDIT_PID	0
 #define AUDIT_UID	1
 #define AUDIT_EUID	2
 #define AUDIT_SUID	3
 #define AUDIT_FSUID	4
 #define AUDIT_GID	5
 #define AUDIT_EGID	6
 #define AUDIT_SGID	7
 #define AUDIT_FSGID	8
 #define AUDIT_LOGINUID	9
 #define AUDIT_PERS	10
 #define AUDIT_ARCH	11
 #define AUDIT_MSGTYPE	12
 #define AUDIT_SUBJ_USER	13	/* security label user */
 #define AUDIT_SUBJ_ROLE	14	/* security label role */
 #define AUDIT_SUBJ_TYPE	15	/* security label type */
 #define AUDIT_SUBJ_SEN	16	/* security label sensitivity label */
 #define AUDIT_SUBJ_CLR	17	/* security label clearance label */
 #define AUDIT_PPID	18
 #define AUDIT_OBJ_USER	19
 #define AUDIT_OBJ_ROLE	20
 #define AUDIT_OBJ_TYPE	21
 #define AUDIT_OBJ_LEV_LOW	22
 #define AUDIT_OBJ_LEV_HIGH	23
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
 #define AUDIT_DEVMAJOR	100
 #define AUDIT_DEVMINOR	101
 #define AUDIT_INODE	102
 #define AUDIT_EXIT	103
 #define AUDIT_SUCCESS   104	/* exit >= 0; value ignored */
 #define AUDIT_WATCH	105
 #define AUDIT_PERM	106
 #define AUDIT_DIR	107
 #define AUDIT_FILETYPE	108
 #define AUDIT_ARG0      200
 #define AUDIT_ARG1      (AUDIT_ARG0+1)
 #define AUDIT_ARG2      (AUDIT_ARG0+2)
 #define AUDIT_ARG3      (AUDIT_ARG0+3)
 #define AUDIT_FILTERKEY	210
 #define AUDIT_NEGATE			0x80000000
 /* These are the supported operators.
  *	4  2  1  8
  *	=  >  <  ?
  *	----------
  *	0  0  0	 0	00	nonsense
  *	0  0  0	 1	08	&  bit mask
  *	0  0  1	 0	10	<
  *	0  1  0	 0	20	>
  *	0  1  1	 0	30	!=
  *	1  0  0	 0	40	=
  *	1  0  0	 1	48	&=  bit test
  *	1  0  1	 0	50	<=
  *	1  1  0	 0	60	>=
  *	1  1  1	 1	78	all operators
  */
 #define AUDIT_BIT_MASK			0x08000000
 #define AUDIT_LESS_THAN			0x10000000
 #define AUDIT_GREATER_THAN		0x20000000
 #define AUDIT_NOT_EQUAL			0x30000000
 #define AUDIT_EQUAL			0x40000000
 #define AUDIT_BIT_TEST			(AUDIT_BIT_MASK|AUDIT_EQUAL)
 #define AUDIT_LESS_THAN_OR_EQUAL	(AUDIT_LESS_THAN|AUDIT_EQUAL)
 #define AUDIT_GREATER_THAN_OR_EQUAL	(AUDIT_GREATER_THAN|AUDIT_EQUAL)
 #define AUDIT_OPERATORS			(AUDIT_EQUAL|AUDIT_NOT_EQUAL|AUDIT_BIT_MASK)
 enum {
 	Audit_equal,
 	Audit_not_equal,
 	Audit_bitmask,
 	Audit_bittest,
 	Audit_lt,
 	Audit_gt,
 	Audit_le,
 	Audit_ge,
 	Audit_bad
 };
 /* Status symbols */
 				/* Mask values */
 #define AUDIT_STATUS_ENABLED		0x0001
 #define AUDIT_STATUS_FAILURE		0x0002
 #define AUDIT_STATUS_PID		0x0004
 #define AUDIT_STATUS_RATE_LIMIT		0x0008
 #define AUDIT_STATUS_BACKLOG_LIMIT	0x0010
 				/* Failure-to-log actions */
 #define AUDIT_FAIL_SILENT	0
 #define AUDIT_FAIL_PRINTK	1
 #define AUDIT_FAIL_PANIC	2
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
 #define AUDIT_ARCH_CRIS		(EM_CRIS|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_FRV		(EM_FRV)
 #define AUDIT_ARCH_H8300	(EM_H8_300)
 #define AUDIT_ARCH_I386		(EM_386|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_IA64		(EM_IA_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_M32R		(EM_M32R)
 #define AUDIT_ARCH_M68K		(EM_68K)
 #define AUDIT_ARCH_MIPS		(EM_MIPS)
 #define AUDIT_ARCH_MIPSEL	(EM_MIPS|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_MIPS64	(EM_MIPS|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_MIPSEL64	(EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_PARISC	(EM_PARISC)
 #define AUDIT_ARCH_PARISC64	(EM_PARISC|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_PPC		(EM_PPC)
 #define AUDIT_ARCH_PPC64	(EM_PPC64|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_S390		(EM_S390)
 #define AUDIT_ARCH_S390X	(EM_S390|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_SH		(EM_SH)
 #define AUDIT_ARCH_SHEL		(EM_SH|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_SH64		(EM_SH|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_SHEL64	(EM_SH|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_SPARC	(EM_SPARC)
 #define AUDIT_ARCH_SPARC64	(EM_SPARCV9|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_X86_64	(EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_PERM_EXEC		1
 #define AUDIT_PERM_WRITE	2
 #define AUDIT_PERM_READ		4
 #define AUDIT_PERM_ATTR		8
 struct audit_status {
 	__u32		mask;		/* Bit mask for valid entries */
 	__u32		enabled;	/* 1 = enabled, 0 = disabled */
 	__u32		failure;	/* Failure-to-log action */
 	__u32		pid;		/* pid of auditd process */
 	__u32		rate_limit;	/* messages rate limit (per second) */
 	__u32		backlog_limit;	/* waiting messages limit */
 	__u32		lost;		/* messages lost */
 	__u32		backlog;	/* messages waiting in queue */
 };
 struct audit_tty_status {
 	__u32		enabled; /* 1 = enabled, 0 = disabled */
 };
 /* audit_rule_data supports filter rules with both integer and string
  * fields.  It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
  * AUDIT_LIST_RULES requests.
  */
 struct audit_rule_data {
 	__u32		flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
 	__u32		action;	/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
 	__u32		field_count;
 	__u32		mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
 	__u32		fields[AUDIT_MAX_FIELDS];
 	__u32		values[AUDIT_MAX_FIELDS];
 	__u32		fieldflags[AUDIT_MAX_FIELDS];
 	__u32		buflen;	/* total length of string fields */
 	char		buf[0];	/* string fields buffer */
 };
 /* audit_rule is supported to maintain backward compatibility with
  * userspace.  It supports integer fields only and corresponds to
  * AUDIT_ADD, AUDIT_DEL and AUDIT_LIST requests.
  */
 struct audit_rule {		/* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */
 	__u32		flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
 	__u32		action;	/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
 	__u32		field_count;
 	__u32		mask[AUDIT_BITMASK_SIZE];
 	__u32		fields[AUDIT_MAX_FIELDS];
 	__u32		values[AUDIT_MAX_FIELDS];
 };
 #ifdef __KERNEL__
 #include <linux/sched.h>
 struct audit_sig_info {
 	uid_t		uid;
 	pid_t		pid;
 	char		ctx[0];
 };
 struct audit_buffer;
 struct audit_context;
 struct inode;
 struct netlink_skb_parms;
 struct path;
 struct linux_binprm;
 struct mq_attr;
 struct mqstat;
 struct audit_watch;
 struct audit_tree;
 struct audit_krule {
 	int			vers_ops;
 	u32			flags;
 	u32			listnr;
 	u32			action;
 	u32			mask[AUDIT_BITMASK_SIZE];
 	u32			buflen; /* for data alloc on list rules */
 	u32			field_count;
 	char			*filterkey; /* ties events to rules */
 	struct audit_field	*fields;
 	struct audit_field	*arch_f; /* quick access to arch field */
 	struct audit_field	*inode_f; /* quick access to an inode field */
 	struct audit_watch	*watch;	/* associated watch */
 	struct audit_tree	*tree;	/* associated watched tree */
 	struct list_head	rlist;	/* entry in audit_{watch,tree}.rules list */
 	struct list_head	list;	/* for AUDIT_LIST* purposes only */
 	u64			prio;
 };
 struct audit_field {
 	u32				type;
 	u32				val;
 	u32				op;
 	char				*lsm_str;
 	void				*lsm_rule;
 };
 #define AUDITSC_INVALID 0
 #define AUDITSC_SUCCESS 1
 #define AUDITSC_FAILURE 2
 #define AUDITSC_RESULT(x) ( ((long)(x))<0?AUDITSC_FAILURE:AUDITSC_SUCCESS )
 extern int __init audit_register_class(int class, unsigned *list);
 extern int audit_classify_syscall(int abi, unsigned syscall);
 extern int audit_classify_arch(int arch);
 #ifdef CONFIG_AUDITSYSCALL
 /* These are defined in auditsc.c */
 				/* Public API */
 extern void audit_finish_fork(struct task_struct *child);
 extern int  audit_alloc(struct task_struct *task);
 extern void audit_free(struct task_struct *task);
 extern void audit_syscall_entry(int arch,
 				int major, unsigned long a0, unsigned long a1,
 				unsigned long a2, unsigned long a3);
 extern void audit_syscall_exit(int failed, long return_code);
 extern void __audit_getname(const char *name);
 extern void audit_putname(const char *name);
 extern void __audit_inode(const char *name, const struct dentry *dentry);
 extern void __audit_inode_child(const struct dentry *dentry,
 				const struct inode *parent);
 extern void __audit_ptrace(struct task_struct *t);
 static inline int audit_dummy_context(void)
 {
 	void *p = current->audit_context;
 	return !p || *(int *)p;
 }
 static inline void audit_getname(const char *name)
 {
 	if (unlikely(!audit_dummy_context()))
 		__audit_getname(name);
 }
 static inline void audit_inode(const char *name, const struct dentry *dentry) {
 	if (unlikely(!audit_dummy_context()))
 		__audit_inode(name, dentry);
 }
 static inline void audit_inode_child(const struct dentry *dentry,
 				     const struct inode *parent) {
 	if (unlikely(!audit_dummy_context()))
 		__audit_inode_child(dentry, parent);
 }
 void audit_core_dumps(long signr);
 static inline void audit_ptrace(struct task_struct *t)
 {
 	if (unlikely(!audit_dummy_context()))
 		__audit_ptrace(t);
 }
 				/* Private API (for audit.c only) */
 extern unsigned int audit_serial(void);
 extern int auditsc_get_stamp(struct audit_context *ctx,
 			      struct timespec *t, unsigned int *serial);
 extern int  audit_set_loginuid(struct task_struct *task, uid_t loginuid);
 #define audit_get_loginuid(t) ((t)->loginuid)
 #define audit_get_sessionid(t) ((t)->sessionid)
 extern void audit_log_task_context(struct audit_buffer *ab);
 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
 extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode);
 extern int audit_bprm(struct linux_binprm *bprm);
 extern void audit_socketcall(int nargs, unsigned long *args);
 extern int audit_sockaddr(int len, void *addr);
 extern void __audit_fd_pair(int fd1, int fd2);
 extern int audit_set_macxattr(const char *name);
 extern void __audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr);
 extern void __audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout);
 extern void __audit_mq_notify(mqd_t mqdes, const struct sigevent *notification);
 extern void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat);
 extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
 				  const struct cred *new,
 				  const struct cred *old);
 extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old);
 extern void __audit_mmap_fd(int fd, int flags);
 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 {
 	if (unlikely(!audit_dummy_context()))
 		__audit_ipc_obj(ipcp);
 }
 static inline void audit_fd_pair(int fd1, int fd2)
 {
 	if (unlikely(!audit_dummy_context()))
 		__audit_fd_pair(fd1, fd2);
 }
 static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode)
 {
 	if (unlikely(!audit_dummy_context()))
 		__audit_ipc_set_perm(qbytes, uid, gid, mode);
 }
 static inline void audit_mq_open(int oflag, mode_t mode, struct mq_attr *attr)
 {
 	if (unlikely(!audit_dummy_context()))
 		__audit_mq_open(oflag, mode, attr);
 }
 static inline void audit_mq_sendrecv(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec *abs_timeout)
 {
 	if (unlikely(!audit_dummy_context()))
 		__audit_mq_sendrecv(mqdes, msg_len, msg_prio, abs_timeout);
 }
 static inline void audit_mq_notify(mqd_t mqdes, const struct sigevent *notification)
 {
 	if (unlikely(!audit_dummy_context()))
 		__audit_mq_notify(mqdes, notification);
 }
 static inline void audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
 {
 	if (unlikely(!audit_dummy_context()))
 		__audit_mq_getsetattr(mqdes, mqstat);
 }
 static inline int audit_log_bprm_fcaps(struct linux_binprm *bprm,
 				       const struct cred *new,
 				       const struct cred *old)
 {
 	if (unlikely(!audit_dummy_context()))
 		return __audit_log_bprm_fcaps(bprm, new, old);
 	return 0;
 }
 static inline void audit_log_capset(pid_t pid, const struct cred *new,
 				   const struct cred *old)
 {
 	if (unlikely(!audit_dummy_context()))
 		__audit_log_capset(pid, new, old);
 }
 static inline void audit_mmap_fd(int fd, int flags)
 {
 	if (unlikely(!audit_dummy_context()))
 		__audit_mmap_fd(fd, flags);
 }
 extern int audit_n_rules;
 extern int audit_signals;
 #else
 #define audit_finish_fork(t)
 #define audit_alloc(t) ({ 0; })
 #define audit_free(t) do { ; } while (0)
 #define audit_syscall_entry(ta,a,b,c,d,e) do { ; } while (0)
 #define audit_syscall_exit(f,r) do { ; } while (0)
 #define audit_dummy_context() 1
 #define audit_getname(n) do { ; } while (0)
 #define audit_putname(n) do { ; } while (0)
 #define __audit_inode(n,d) do { ; } while (0)
 #define __audit_inode_child(i,p) do { ; } while (0)
 #define audit_inode(n,d) do { (void)(d); } while (0)
 #define audit_inode_child(i,p) do { ; } while (0)
 #define audit_core_dumps(i) do { ; } while (0)
 #define auditsc_get_stamp(c,t,s) (0)
 #define audit_get_loginuid(t) (-1)
 #define audit_get_sessionid(t) (-1)
 #define audit_log_task_context(b) do { ; } while (0)
 #define audit_ipc_obj(i) ((void)0)
 #define audit_ipc_set_perm(q,u,g,m) ((void)0)
 #define audit_bprm(p) ({ 0; })
 #define audit_socketcall(n,a) ((void)0)
 #define audit_fd_pair(n,a) ((void)0)
 #define audit_sockaddr(len, addr) ({ 0; })
 #define audit_set_macxattr(n) do { ; } while (0)
 #define audit_mq_open(o,m,a) ((void)0)
 #define audit_mq_sendrecv(d,l,p,t) ((void)0)
 #define audit_mq_notify(d,n) ((void)0)
 #define audit_mq_getsetattr(d,s) ((void)0)
 #define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; })
 #define audit_log_capset(pid, ncr, ocr) ((void)0)
 #define audit_mmap_fd(fd, flags) ((void)0)
 #define audit_ptrace(t) ((void)0)
 #define audit_n_rules 0
 #define audit_signals 0
 #endif
 #ifdef CONFIG_AUDIT
 /* These are defined in audit.c */
 				/* Public API */
 extern void		    audit_log(struct audit_context *ctx, gfp_t gfp_mask,
 				      int type, const char *fmt, ...)
 				      __attribute__((format(printf,4,5)));
 extern struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type);
 extern void		    audit_log_format(struct audit_buffer *ab,
 					     const char *fmt, ...)
 			    __attribute__((format(printf,2,3)));
 extern void		    audit_log_end(struct audit_buffer *ab);
 extern int		    audit_string_contains_control(const char *string,
 							  size_t len);
 extern void		    audit_log_n_hex(struct audit_buffer *ab,
 					  const unsigned char *buf,
 					  size_t len);
 extern void		    audit_log_n_string(struct audit_buffer *ab,
 					       const char *buf,
 					       size_t n);
 #define audit_log_string(a,b) audit_log_n_string(a, b, strlen(b));
 extern void		    audit_log_n_untrustedstring(struct audit_buffer *ab,
 							const char *string,
 							size_t n);
 extern void		    audit_log_untrustedstring(struct audit_buffer *ab,
 						      const char *string);
 extern void		    audit_log_d_path(struct audit_buffer *ab,
 					     const char *prefix,
 					     struct path *path);
 extern void		    audit_log_key(struct audit_buffer *ab,
 					  char *key);
 extern void		    audit_log_lost(const char *message);
+#ifdef CONFIG_SECURITY
+extern void 		    audit_log_secctx(struct audit_buffer *ab, u32 secid);
+#else
+#define audit_log_secctx(b,s) do { ; } while (0)
+#endif
 extern int		    audit_update_lsm_rules(void);
 				/* Private API (for audit.c only) */
 extern int audit_filter_user(struct netlink_skb_parms *cb);
 extern int audit_filter_type(int type);
 extern int  audit_receive_filter(int type, int pid, int uid, int seq,
 				void *data, size_t datasz, uid_t loginuid,
 				u32 sessionid, u32 sid);
 extern int audit_enabled;
 #else
 #define audit_log(c,g,t,f,...) do { ; } while (0)
 #define audit_log_start(c,g,t) ({ NULL; })
 #define audit_log_vformat(b,f,a) do { ; } while (0)
 #define audit_log_format(b,f,...) do { ; } while (0)
 #define audit_log_end(b) do { ; } while (0)
 #define audit_log_n_hex(a,b,l) do { ; } while (0)
 #define audit_log_n_string(a,c,l) do { ; } while (0)
 #define audit_log_string(a,c) do { ; } while (0)
 #define audit_log_n_untrustedstring(a,n,s) do { ; } while (0)
 #define audit_log_untrustedstring(a,s) do { ; } while (0)
 #define audit_log_d_path(b, p, d) do { ; } while (0)
 #define audit_log_key(b, k) do { ; } while (0)
+#define audit_log_secctx(b,s) do { ; } while (0)
 #define audit_enabled 0
 #endif
 #endif
 #endif

include/linux/netfilter/ipset/ip_set_ahash.h

Diff comments View file @ f5caadb

1	#ifndef _IP_SET_AHASH_H	1	#ifndef _IP_SET_AHASH_H
2	#define _IP_SET_AHASH_H	2	#define _IP_SET_AHASH_H
3		3
4	#include <linux/rcupdate.h>	4	#include <linux/rcupdate.h>
5	#include <linux/jhash.h>	5	#include <linux/jhash.h>
6	#include <linux/netfilter/ipset/ip_set_timeout.h>	6	#include <linux/netfilter/ipset/ip_set_timeout.h>
7		7
8	#define CONCAT(a, b, c) a##b##c	8	#define CONCAT(a, b, c) a##b##c
9	#define TOKEN(a, b, c) CONCAT(a, b, c)	9	#define TOKEN(a, b, c) CONCAT(a, b, c)
10		10
11	#define type_pf_next TOKEN(TYPE, PF, _elem)	11	#define type_pf_next TOKEN(TYPE, PF, _elem)
12		12
13	/* Hashing which uses arrays to resolve clashing. The hash table is resized	13	/* Hashing which uses arrays to resolve clashing. The hash table is resized
14	* (doubled) when searching becomes too long.	14	* (doubled) when searching becomes too long.
15	* Internally jhash is used with the assumption that the size of the	15	* Internally jhash is used with the assumption that the size of the
16	* stored data is a multiple of sizeof(u32). If storage supports timeout,	16	* stored data is a multiple of sizeof(u32). If storage supports timeout,
17	* the timeout field must be the last one in the data structure - that field	17	* the timeout field must be the last one in the data structure - that field
18	* is ignored when computing the hash key.	18	* is ignored when computing the hash key.
19	*	19	*
20	* Readers and resizing	20	* Readers and resizing
21	*	21	*
22	* Resizing can be triggered by userspace command only, and those	22	* Resizing can be triggered by userspace command only, and those
23	* are serialized by the nfnl mutex. During resizing the set is	23	* are serialized by the nfnl mutex. During resizing the set is
24	* read-locked, so the only possible concurrent operations are	24	* read-locked, so the only possible concurrent operations are
25	* the kernel side readers. Those must be protected by proper RCU locking.	25	* the kernel side readers. Those must be protected by proper RCU locking.
26	*/	26	*/
27		27
28	/* Number of elements to store in an initial array block */	28	/* Number of elements to store in an initial array block */
29	#define AHASH_INIT_SIZE 4	29	#define AHASH_INIT_SIZE 4
30	/* Max number of elements to store in an array block */	30	/* Max number of elements to store in an array block */
31	#define AHASH_MAX_SIZE (3*4)	31	#define AHASH_MAX_SIZE (3*AHASH_INIT_SIZE)
32		32
		33	/* Max number of elements can be tuned */
		34	#ifdef IP_SET_HASH_WITH_MULTI
		35	#define AHASH_MAX(h) ((h)->ahash_max)
		36
		37	static inline u8
		38	tune_ahash_max(u8 curr, u32 multi)
		39	{
		40	u32 n;
		41
		42	if (multi < curr)
		43	return curr;
		44
		45	n = curr + AHASH_INIT_SIZE;
		46	/* Currently, at listing one hash bucket must fit into a message.
		47	* Therefore we have a hard limit here.
		48	*/
		49	return n > curr && n <= 64 ? n : curr;
		50	}
		51	#define TUNE_AHASH_MAX(h, multi) \
		52	((h)->ahash_max = tune_ahash_max((h)->ahash_max, multi))
		53	#else
		54	#define AHASH_MAX(h) AHASH_MAX_SIZE
		55	#define TUNE_AHASH_MAX(h, multi)
		56	#endif
		57
33	/* A hash bucket */	58	/* A hash bucket */
34	struct hbucket {	59	struct hbucket {
35	void value; / the array of the values */	60	void value; / the array of the values */
36	u8 size; /* size of the array */	61	u8 size; /* size of the array */
37	u8 pos; /* position of the first free entry */	62	u8 pos; /* position of the first free entry */
38	};	63	};
39		64
40	/* The hash table: the table size stored here in order to make resizing easy */	65	/* The hash table: the table size stored here in order to make resizing easy */
41	struct htable {	66	struct htable {
42	u8 htable_bits; /* size of hash table == 2^htable_bits */	67	u8 htable_bits; /* size of hash table == 2^htable_bits */
43	struct hbucket bucket[0]; /* hashtable buckets */	68	struct hbucket bucket[0]; /* hashtable buckets */
44	};	69	};
45		70
46	#define hbucket(h, i) (&((h)->bucket[i]))	71	#define hbucket(h, i) (&((h)->bucket[i]))
47		72
48	/* Book-keeping of the prefixes added to the set */	73	/* Book-keeping of the prefixes added to the set */
49	struct ip_set_hash_nets {	74	struct ip_set_hash_nets {
50	u8 cidr; /* the different cidr values in the set */	75	u8 cidr; /* the different cidr values in the set */
51	u32 nets; /* number of elements per cidr */	76	u32 nets; /* number of elements per cidr */
52	};	77	};
53		78
54	/* The generic ip_set hash structure */	79	/* The generic ip_set hash structure */
55	struct ip_set_hash {	80	struct ip_set_hash {
56	struct htable table; / the hash table */	81	struct htable table; / the hash table */
57	u32 maxelem; /* max elements in the hash */	82	u32 maxelem; /* max elements in the hash */
58	u32 elements; /* current element (vs timeout) */	83	u32 elements; /* current element (vs timeout) */
59	u32 initval; /* random jhash init value */	84	u32 initval; /* random jhash init value */
60	u32 timeout; /* timeout value, if enabled */	85	u32 timeout; /* timeout value, if enabled */
61	struct timer_list gc; /* garbage collection when timeout enabled */	86	struct timer_list gc; /* garbage collection when timeout enabled */
62	struct type_pf_next next; /* temporary storage for uadd */	87	struct type_pf_next next; /* temporary storage for uadd */
		88	#ifdef IP_SET_HASH_WITH_MULTI
		89	u8 ahash_max; /* max elements in an array block */
		90	#endif
63	#ifdef IP_SET_HASH_WITH_NETMASK	91	#ifdef IP_SET_HASH_WITH_NETMASK
64	u8 netmask; /* netmask value for subnets to store */	92	u8 netmask; /* netmask value for subnets to store */
65	#endif	93	#endif
66	#ifdef IP_SET_HASH_WITH_RBTREE	94	#ifdef IP_SET_HASH_WITH_RBTREE
67	struct rb_root rbtree;	95	struct rb_root rbtree;
68	#endif	96	#endif
69	#ifdef IP_SET_HASH_WITH_NETS	97	#ifdef IP_SET_HASH_WITH_NETS
70	struct ip_set_hash_nets nets[0]; /* book-keeping of prefixes */	98	struct ip_set_hash_nets nets[0]; /* book-keeping of prefixes */
71	#endif	99	#endif
72	};	100	};
73		101
74	/* Compute htable_bits from the user input parameter hashsize */	102	/* Compute htable_bits from the user input parameter hashsize */
75	static u8	103	static u8
76	htable_bits(u32 hashsize)	104	htable_bits(u32 hashsize)
77	{	105	{
78	/* Assume that hashsize == 2^htable_bits */	106	/* Assume that hashsize == 2^htable_bits */
79	u8 bits = fls(hashsize - 1);	107	u8 bits = fls(hashsize - 1);
80	if (jhash_size(bits) != hashsize)	108	if (jhash_size(bits) != hashsize)
81	/* Round up to the first 2^n value */	109	/* Round up to the first 2^n value */
82	bits = fls(hashsize);	110	bits = fls(hashsize);
83		111
84	return bits;	112	return bits;
85	}	113	}
86		114
87	#ifdef IP_SET_HASH_WITH_NETS	115	#ifdef IP_SET_HASH_WITH_NETS
88		116
89	#define SET_HOST_MASK(family) (family == AF_INET ? 32 : 128)	117	#define SET_HOST_MASK(family) (family == AF_INET ? 32 : 128)
90		118
91	/* Network cidr size book keeping when the hash stores different	119	/* Network cidr size book keeping when the hash stores different
92	* sized networks */	120	* sized networks */
93	static void	121	static void
94	add_cidr(struct ip_set_hash *h, u8 cidr, u8 host_mask)	122	add_cidr(struct ip_set_hash *h, u8 cidr, u8 host_mask)
95	{	123	{
96	u8 i;	124	u8 i;
97		125
98	++h->nets[cidr-1].nets;	126	++h->nets[cidr-1].nets;
99		127
100	pr_debug("add_cidr added %u: %u\n", cidr, h->nets[cidr-1].nets);	128	pr_debug("add_cidr added %u: %u\n", cidr, h->nets[cidr-1].nets);
101		129
102	if (h->nets[cidr-1].nets > 1)	130	if (h->nets[cidr-1].nets > 1)
103	return;	131	return;
104		132
105	/* New cidr size */	133	/* New cidr size */
106	for (i = 0; i < host_mask && h->nets[i].cidr; i++) {	134	for (i = 0; i < host_mask && h->nets[i].cidr; i++) {
107	/* Add in increasing prefix order, so larger cidr first */	135	/* Add in increasing prefix order, so larger cidr first */
108	if (h->nets[i].cidr < cidr)	136	if (h->nets[i].cidr < cidr)
109	swap(h->nets[i].cidr, cidr);	137	swap(h->nets[i].cidr, cidr);
110	}	138	}
111	if (i < host_mask)	139	if (i < host_mask)
112	h->nets[i].cidr = cidr;	140	h->nets[i].cidr = cidr;
113	}	141	}
114		142
115	static void	143	static void
116	del_cidr(struct ip_set_hash *h, u8 cidr, u8 host_mask)	144	del_cidr(struct ip_set_hash *h, u8 cidr, u8 host_mask)
117	{	145	{
118	u8 i;	146	u8 i;
119		147
120	--h->nets[cidr-1].nets;	148	--h->nets[cidr-1].nets;
121		149
122	pr_debug("del_cidr deleted %u: %u\n", cidr, h->nets[cidr-1].nets);	150	pr_debug("del_cidr deleted %u: %u\n", cidr, h->nets[cidr-1].nets);
123		151
124	if (h->nets[cidr-1].nets != 0)	152	if (h->nets[cidr-1].nets != 0)
125	return;	153	return;
126		154
127	/* All entries with this cidr size deleted, so cleanup h->cidr[] */	155	/* All entries with this cidr size deleted, so cleanup h->cidr[] */
128	for (i = 0; i < host_mask - 1 && h->nets[i].cidr; i++) {	156	for (i = 0; i < host_mask - 1 && h->nets[i].cidr; i++) {
129	if (h->nets[i].cidr == cidr)	157	if (h->nets[i].cidr == cidr)
130	h->nets[i].cidr = cidr = h->nets[i+1].cidr;	158	h->nets[i].cidr = cidr = h->nets[i+1].cidr;
131	}	159	}
132	h->nets[i - 1].cidr = 0;	160	h->nets[i - 1].cidr = 0;
133	}	161	}
134	#endif	162	#endif
135		163
136	/* Destroy the hashtable part of the set */	164	/* Destroy the hashtable part of the set */
137	static void	165	static void
138	ahash_destroy(struct htable *t)	166	ahash_destroy(struct htable *t)
139	{	167	{
140	struct hbucket *n;	168	struct hbucket *n;
141	u32 i;	169	u32 i;
142		170
143	for (i = 0; i < jhash_size(t->htable_bits); i++) {	171	for (i = 0; i < jhash_size(t->htable_bits); i++) {
144	n = hbucket(t, i);	172	n = hbucket(t, i);
145	if (n->size)	173	if (n->size)
146	/* FIXME: use slab cache */	174	/* FIXME: use slab cache */
147	kfree(n->value);	175	kfree(n->value);
148	}	176	}
149		177
150	ip_set_free(t);	178	ip_set_free(t);
151	}	179	}
152		180
153	/* Calculate the actual memory size of the set data */	181	/* Calculate the actual memory size of the set data */
154	static size_t	182	static size_t
155	ahash_memsize(const struct ip_set_hash *h, size_t dsize, u8 host_mask)	183	ahash_memsize(const struct ip_set_hash *h, size_t dsize, u8 host_mask)
156	{	184	{
157	u32 i;	185	u32 i;
158	struct htable *t = h->table;	186	struct htable *t = h->table;
159	size_t memsize = sizeof(*h)	187	size_t memsize = sizeof(*h)
160	+ sizeof(*t)	188	+ sizeof(*t)
161	#ifdef IP_SET_HASH_WITH_NETS	189	#ifdef IP_SET_HASH_WITH_NETS
162	+ sizeof(struct ip_set_hash_nets) * host_mask	190	+ sizeof(struct ip_set_hash_nets) * host_mask
163	#endif	191	#endif
164	+ jhash_size(t->htable_bits) * sizeof(struct hbucket);	192	+ jhash_size(t->htable_bits) * sizeof(struct hbucket);
165		193
166	for (i = 0; i < jhash_size(t->htable_bits); i++)	194	for (i = 0; i < jhash_size(t->htable_bits); i++)
167	memsize += t->bucket[i].size * dsize;	195	memsize += t->bucket[i].size * dsize;
168		196
169	return memsize;	197	return memsize;
170	}	198	}
171		199
172	/* Flush a hash type of set: destroy all elements */	200	/* Flush a hash type of set: destroy all elements */
173	static void	201	static void
174	ip_set_hash_flush(struct ip_set *set)	202	ip_set_hash_flush(struct ip_set *set)
175	{	203	{
176	struct ip_set_hash *h = set->data;	204	struct ip_set_hash *h = set->data;
177	struct htable *t = h->table;	205	struct htable *t = h->table;
178	struct hbucket *n;	206	struct hbucket *n;
179	u32 i;	207	u32 i;
180		208
181	for (i = 0; i < jhash_size(t->htable_bits); i++) {	209	for (i = 0; i < jhash_size(t->htable_bits); i++) {
182	n = hbucket(t, i);	210	n = hbucket(t, i);
183	if (n->size) {	211	if (n->size) {
184	n->size = n->pos = 0;	212	n->size = n->pos = 0;
185	/* FIXME: use slab cache */	213	/* FIXME: use slab cache */
186	kfree(n->value);	214	kfree(n->value);
187	}	215	}
188	}	216	}
189	#ifdef IP_SET_HASH_WITH_NETS	217	#ifdef IP_SET_HASH_WITH_NETS
190	memset(h->nets, 0, sizeof(struct ip_set_hash_nets)	218	memset(h->nets, 0, sizeof(struct ip_set_hash_nets)
191	* SET_HOST_MASK(set->family));	219	* SET_HOST_MASK(set->family));
192	#endif	220	#endif
193	h->elements = 0;	221	h->elements = 0;
194	}	222	}
195		223
196	/* Destroy a hash type of set */	224	/* Destroy a hash type of set */
197	static void	225	static void
198	ip_set_hash_destroy(struct ip_set *set)	226	ip_set_hash_destroy(struct ip_set *set)
199	{	227	{
200	struct ip_set_hash *h = set->data;	228	struct ip_set_hash *h = set->data;
201		229
202	if (with_timeout(h->timeout))	230	if (with_timeout(h->timeout))
203	del_timer_sync(&h->gc);	231	del_timer_sync(&h->gc);
204		232
205	ahash_destroy(h->table);	233	ahash_destroy(h->table);
206	#ifdef IP_SET_HASH_WITH_RBTREE	234	#ifdef IP_SET_HASH_WITH_RBTREE
207	rbtree_destroy(&h->rbtree);	235	rbtree_destroy(&h->rbtree);
208	#endif	236	#endif
209	kfree(h);	237	kfree(h);
210		238
211	set->data = NULL;	239	set->data = NULL;
212	}	240	}
213		241
214	#define HKEY(data, initval, htable_bits) \
215	(jhash2((u32 *)(data), sizeof(struct type_pf_elem)/sizeof(u32), initval) \
216	& jhash_mask(htable_bits))
217
218	#endif /* _IP_SET_AHASH_H */	242	#endif /* _IP_SET_AHASH_H */
219		243
		244	#ifndef HKEY_DATALEN
		245	#define HKEY_DATALEN sizeof(struct type_pf_elem)
		246	#endif
		247
		248	#define HKEY(data, initval, htable_bits) \
		249	(jhash2((u32 *)(data), HKEY_DATALEN/sizeof(u32), initval) \
		250	& jhash_mask(htable_bits))
		251
220	#define CONCAT(a, b, c) a##b##c	252	#define CONCAT(a, b, c) a##b##c
221	#define TOKEN(a, b, c) CONCAT(a, b, c)	253	#define TOKEN(a, b, c) CONCAT(a, b, c)
222		254
223	/* Type/family dependent function prototypes */	255	/* Type/family dependent function prototypes */
224		256
225	#define type_pf_data_equal TOKEN(TYPE, PF, _data_equal)	257	#define type_pf_data_equal TOKEN(TYPE, PF, _data_equal)
226	#define type_pf_data_isnull TOKEN(TYPE, PF, _data_isnull)	258	#define type_pf_data_isnull TOKEN(TYPE, PF, _data_isnull)
227	#define type_pf_data_copy TOKEN(TYPE, PF, _data_copy)	259	#define type_pf_data_copy TOKEN(TYPE, PF, _data_copy)
228	#define type_pf_data_zero_out TOKEN(TYPE, PF, _data_zero_out)	260	#define type_pf_data_zero_out TOKEN(TYPE, PF, _data_zero_out)
229	#define type_pf_data_netmask TOKEN(TYPE, PF, _data_netmask)	261	#define type_pf_data_netmask TOKEN(TYPE, PF, _data_netmask)
230	#define type_pf_data_list TOKEN(TYPE, PF, _data_list)	262	#define type_pf_data_list TOKEN(TYPE, PF, _data_list)
231	#define type_pf_data_tlist TOKEN(TYPE, PF, _data_tlist)	263	#define type_pf_data_tlist TOKEN(TYPE, PF, _data_tlist)
232	#define type_pf_data_next TOKEN(TYPE, PF, _data_next)	264	#define type_pf_data_next TOKEN(TYPE, PF, _data_next)
233		265
234	#define type_pf_elem TOKEN(TYPE, PF, _elem)	266	#define type_pf_elem TOKEN(TYPE, PF, _elem)
235	#define type_pf_telem TOKEN(TYPE, PF, _telem)	267	#define type_pf_telem TOKEN(TYPE, PF, _telem)
236	#define type_pf_data_timeout TOKEN(TYPE, PF, _data_timeout)	268	#define type_pf_data_timeout TOKEN(TYPE, PF, _data_timeout)
237	#define type_pf_data_expired TOKEN(TYPE, PF, _data_expired)	269	#define type_pf_data_expired TOKEN(TYPE, PF, _data_expired)
238	#define type_pf_data_timeout_set TOKEN(TYPE, PF, _data_timeout_set)	270	#define type_pf_data_timeout_set TOKEN(TYPE, PF, _data_timeout_set)
239		271
240	#define type_pf_elem_add TOKEN(TYPE, PF, _elem_add)	272	#define type_pf_elem_add TOKEN(TYPE, PF, _elem_add)
241	#define type_pf_add TOKEN(TYPE, PF, _add)	273	#define type_pf_add TOKEN(TYPE, PF, _add)
242	#define type_pf_del TOKEN(TYPE, PF, _del)	274	#define type_pf_del TOKEN(TYPE, PF, _del)
243	#define type_pf_test_cidrs TOKEN(TYPE, PF, _test_cidrs)	275	#define type_pf_test_cidrs TOKEN(TYPE, PF, _test_cidrs)
244	#define type_pf_test TOKEN(TYPE, PF, _test)	276	#define type_pf_test TOKEN(TYPE, PF, _test)
245		277
246	#define type_pf_elem_tadd TOKEN(TYPE, PF, _elem_tadd)	278	#define type_pf_elem_tadd TOKEN(TYPE, PF, _elem_tadd)
247	#define type_pf_del_telem TOKEN(TYPE, PF, _ahash_del_telem)	279	#define type_pf_del_telem TOKEN(TYPE, PF, _ahash_del_telem)
248	#define type_pf_expire TOKEN(TYPE, PF, _expire)	280	#define type_pf_expire TOKEN(TYPE, PF, _expire)
249	#define type_pf_tadd TOKEN(TYPE, PF, _tadd)	281	#define type_pf_tadd TOKEN(TYPE, PF, _tadd)
250	#define type_pf_tdel TOKEN(TYPE, PF, _tdel)	282	#define type_pf_tdel TOKEN(TYPE, PF, _tdel)
251	#define type_pf_ttest_cidrs TOKEN(TYPE, PF, _ahash_ttest_cidrs)	283	#define type_pf_ttest_cidrs TOKEN(TYPE, PF, _ahash_ttest_cidrs)
252	#define type_pf_ttest TOKEN(TYPE, PF, _ahash_ttest)	284	#define type_pf_ttest TOKEN(TYPE, PF, _ahash_ttest)
253		285
254	#define type_pf_resize TOKEN(TYPE, PF, _resize)	286	#define type_pf_resize TOKEN(TYPE, PF, _resize)
255	#define type_pf_tresize TOKEN(TYPE, PF, _tresize)	287	#define type_pf_tresize TOKEN(TYPE, PF, _tresize)
256	#define type_pf_flush ip_set_hash_flush	288	#define type_pf_flush ip_set_hash_flush
257	#define type_pf_destroy ip_set_hash_destroy	289	#define type_pf_destroy ip_set_hash_destroy
258	#define type_pf_head TOKEN(TYPE, PF, _head)	290	#define type_pf_head TOKEN(TYPE, PF, _head)
259	#define type_pf_list TOKEN(TYPE, PF, _list)	291	#define type_pf_list TOKEN(TYPE, PF, _list)
260	#define type_pf_tlist TOKEN(TYPE, PF, _tlist)	292	#define type_pf_tlist TOKEN(TYPE, PF, _tlist)
261	#define type_pf_same_set TOKEN(TYPE, PF, _same_set)	293	#define type_pf_same_set TOKEN(TYPE, PF, _same_set)
262	#define type_pf_kadt TOKEN(TYPE, PF, _kadt)	294	#define type_pf_kadt TOKEN(TYPE, PF, _kadt)
263	#define type_pf_uadt TOKEN(TYPE, PF, _uadt)	295	#define type_pf_uadt TOKEN(TYPE, PF, _uadt)
264	#define type_pf_gc TOKEN(TYPE, PF, _gc)	296	#define type_pf_gc TOKEN(TYPE, PF, _gc)
265	#define type_pf_gc_init TOKEN(TYPE, PF, _gc_init)	297	#define type_pf_gc_init TOKEN(TYPE, PF, _gc_init)
266	#define type_pf_variant TOKEN(TYPE, PF, _variant)	298	#define type_pf_variant TOKEN(TYPE, PF, _variant)
267	#define type_pf_tvariant TOKEN(TYPE, PF, _tvariant)	299	#define type_pf_tvariant TOKEN(TYPE, PF, _tvariant)
268		300
269	/* Flavour without timeout */	301	/* Flavour without timeout */
270		302
271	/* Get the ith element from the array block n */	303	/* Get the ith element from the array block n */
272	#define ahash_data(n, i) \	304	#define ahash_data(n, i) \
273	((struct type_pf_elem *)((n)->value) + (i))	305	((struct type_pf_elem *)((n)->value) + (i))
274		306
275	/* Add an element to the hash table when resizing the set:	307	/* Add an element to the hash table when resizing the set:
276	* we spare the maintenance of the internal counters. */	308	* we spare the maintenance of the internal counters. */
277	static int	309	static int
278	type_pf_elem_add(struct hbucket n, const struct type_pf_elem value)	310	type_pf_elem_add(struct hbucket n, const struct type_pf_elem value,
		311	u8 ahash_max)
279	{	312	{
280	if (n->pos >= n->size) {	313	if (n->pos >= n->size) {
281	void *tmp;	314	void *tmp;
282		315
283	if (n->size >= AHASH_MAX_SIZE)	316	if (n->size >= ahash_max)
284	/* Trigger rehashing */	317	/* Trigger rehashing */
285	return -EAGAIN;	318	return -EAGAIN;
286		319
287	tmp = kzalloc((n->size + AHASH_INIT_SIZE)	320	tmp = kzalloc((n->size + AHASH_INIT_SIZE)
288	* sizeof(struct type_pf_elem),	321	* sizeof(struct type_pf_elem),
289	GFP_ATOMIC);	322	GFP_ATOMIC);
290	if (!tmp)	323	if (!tmp)
291	return -ENOMEM;	324	return -ENOMEM;
292	if (n->size) {	325	if (n->size) {
293	memcpy(tmp, n->value,	326	memcpy(tmp, n->value,
294	sizeof(struct type_pf_elem) * n->size);	327	sizeof(struct type_pf_elem) * n->size);
295	kfree(n->value);	328	kfree(n->value);
296	}	329	}
297	n->value = tmp;	330	n->value = tmp;
298	n->size += AHASH_INIT_SIZE;	331	n->size += AHASH_INIT_SIZE;
299	}	332	}
300	type_pf_data_copy(ahash_data(n, n->pos++), value);	333	type_pf_data_copy(ahash_data(n, n->pos++), value);
301	return 0;	334	return 0;
302	}	335	}
303		336
304	/* Resize a hash: create a new hash table with doubling the hashsize	337	/* Resize a hash: create a new hash table with doubling the hashsize
305	* and inserting the elements to it. Repeat until we succeed or	338	* and inserting the elements to it. Repeat until we succeed or
306	* fail due to memory pressures. */	339	* fail due to memory pressures. */
307	static int	340	static int
308	type_pf_resize(struct ip_set *set, bool retried)	341	type_pf_resize(struct ip_set *set, bool retried)
309	{	342	{
310	struct ip_set_hash *h = set->data;	343	struct ip_set_hash *h = set->data;
311	struct htable t, orig = h->table;	344	struct htable t, orig = h->table;
312	u8 htable_bits = orig->htable_bits;	345	u8 htable_bits = orig->htable_bits;
313	const struct type_pf_elem *data;	346	const struct type_pf_elem *data;
314	struct hbucket n, m;	347	struct hbucket n, m;
315	u32 i, j;	348	u32 i, j;
316	int ret;	349	int ret;
317		350
318	retry:	351	retry:
319	ret = 0;	352	ret = 0;
320	htable_bits++;	353	htable_bits++;
321	pr_debug("attempt to resize set %s from %u to %u, t %p\n",	354	pr_debug("attempt to resize set %s from %u to %u, t %p\n",
322	set->name, orig->htable_bits, htable_bits, orig);	355	set->name, orig->htable_bits, htable_bits, orig);
323	if (!htable_bits)	356	if (!htable_bits)
324	/* In case we have plenty of memory :-) */	357	/* In case we have plenty of memory :-) */
325	return -IPSET_ERR_HASH_FULL;	358	return -IPSET_ERR_HASH_FULL;
326	t = ip_set_alloc(sizeof(*t)	359	t = ip_set_alloc(sizeof(*t)
327	+ jhash_size(htable_bits) * sizeof(struct hbucket));	360	+ jhash_size(htable_bits) * sizeof(struct hbucket));
328	if (!t)	361	if (!t)
329	return -ENOMEM;	362	return -ENOMEM;
330	t->htable_bits = htable_bits;	363	t->htable_bits = htable_bits;
331		364
332	read_lock_bh(&set->lock);	365	read_lock_bh(&set->lock);
333	for (i = 0; i < jhash_size(orig->htable_bits); i++) {	366	for (i = 0; i < jhash_size(orig->htable_bits); i++) {
334	n = hbucket(orig, i);	367	n = hbucket(orig, i);
335	for (j = 0; j < n->pos; j++) {	368	for (j = 0; j < n->pos; j++) {
336	data = ahash_data(n, j);	369	data = ahash_data(n, j);
337	m = hbucket(t, HKEY(data, h->initval, htable_bits));	370	m = hbucket(t, HKEY(data, h->initval, htable_bits));
338	ret = type_pf_elem_add(m, data);	371	ret = type_pf_elem_add(m, data, AHASH_MAX(h));
339	if (ret < 0) {	372	if (ret < 0) {
340	read_unlock_bh(&set->lock);	373	read_unlock_bh(&set->lock);
341	ahash_destroy(t);	374	ahash_destroy(t);
342	if (ret == -EAGAIN)	375	if (ret == -EAGAIN)
343	goto retry;	376	goto retry;
344	return ret;	377	return ret;
345	}	378	}
346	}	379	}
347	}	380	}
348		381
349	rcu_assign_pointer(h->table, t);	382	rcu_assign_pointer(h->table, t);
350	read_unlock_bh(&set->lock);	383	read_unlock_bh(&set->lock);
351		384
352	/* Give time to other readers of the set */	385	/* Give time to other readers of the set */
353	synchronize_rcu_bh();	386	synchronize_rcu_bh();
354		387
355	pr_debug("set %s resized from %u (%p) to %u (%p)\n", set->name,	388	pr_debug("set %s resized from %u (%p) to %u (%p)\n", set->name,
356	orig->htable_bits, orig, t->htable_bits, t);	389	orig->htable_bits, orig, t->htable_bits, t);
357	ahash_destroy(orig);	390	ahash_destroy(orig);
358		391
359	return 0;	392	return 0;
360	}	393	}
361		394
362	static void	395	static inline void
363	type_pf_data_next(struct ip_set_hash h, const struct type_pf_elem d);	396	type_pf_data_next(struct ip_set_hash h, const struct type_pf_elem d);
364		397
365	/* Add an element to a hash and update the internal counters when succeeded,	398	/* Add an element to a hash and update the internal counters when succeeded,
366	* otherwise report the proper error code. */	399	* otherwise report the proper error code. */
367	static int	400	static int
368	type_pf_add(struct ip_set set, void value, u32 timeout, u32 flags)	401	type_pf_add(struct ip_set set, void value, u32 timeout, u32 flags)
369	{	402	{
370	struct ip_set_hash *h = set->data;	403	struct ip_set_hash *h = set->data;
371	struct htable *t;	404	struct htable *t;
372	const struct type_pf_elem *d = value;	405	const struct type_pf_elem *d = value;
373	struct hbucket *n;	406	struct hbucket *n;
374	int i, ret = 0;	407	int i, ret = 0;
375	u32 key;	408	u32 key, multi = 0;
376		409
377	if (h->elements >= h->maxelem)	410	if (h->elements >= h->maxelem)
378	return -IPSET_ERR_HASH_FULL;	411	return -IPSET_ERR_HASH_FULL;
379		412
380	rcu_read_lock_bh();	413	rcu_read_lock_bh();
381	t = rcu_dereference_bh(h->table);	414	t = rcu_dereference_bh(h->table);
382	key = HKEY(value, h->initval, t->htable_bits);	415	key = HKEY(value, h->initval, t->htable_bits);
383	n = hbucket(t, key);	416	n = hbucket(t, key);
384	for (i = 0; i < n->pos; i++)	417	for (i = 0; i < n->pos; i++)
385	if (type_pf_data_equal(ahash_data(n, i), d)) {	418	if (type_pf_data_equal(ahash_data(n, i), d, &multi)) {
386	ret = -IPSET_ERR_EXIST;	419	ret = -IPSET_ERR_EXIST;
387	goto out;	420	goto out;
388	}	421	}
389		422	TUNE_AHASH_MAX(h, multi);
390	ret = type_pf_elem_add(n, value);	423	ret = type_pf_elem_add(n, value, AHASH_MAX(h));
391	if (ret != 0) {	424	if (ret != 0) {
392	if (ret == -EAGAIN)	425	if (ret == -EAGAIN)
393	type_pf_data_next(h, d);	426	type_pf_data_next(h, d);
394	goto out;	427	goto out;
395	}	428	}
396		429
397	#ifdef IP_SET_HASH_WITH_NETS	430	#ifdef IP_SET_HASH_WITH_NETS
398	add_cidr(h, d->cidr, HOST_MASK);	431	add_cidr(h, d->cidr, HOST_MASK);
399	#endif	432	#endif
400	h->elements++;	433	h->elements++;
401	out:	434	out:
402	rcu_read_unlock_bh();	435	rcu_read_unlock_bh();
403	return ret;	436	return ret;
404	}	437	}
405		438
406	/* Delete an element from the hash: swap it with the last element	439	/* Delete an element from the hash: swap it with the last element
407	* and free up space if possible.	440	* and free up space if possible.
408	*/	441	*/
409	static int	442	static int
410	type_pf_del(struct ip_set set, void value, u32 timeout, u32 flags)	443	type_pf_del(struct ip_set set, void value, u32 timeout, u32 flags)
411	{	444	{
412	struct ip_set_hash *h = set->data;	445	struct ip_set_hash *h = set->data;
413	struct htable *t = h->table;	446	struct htable *t = h->table;
414	const struct type_pf_elem *d = value;	447	const struct type_pf_elem *d = value;
415	struct hbucket *n;	448	struct hbucket *n;
416	int i;	449	int i;
417	struct type_pf_elem *data;	450	struct type_pf_elem *data;
418	u32 key;	451	u32 key, multi = 0;
419		452
420	key = HKEY(value, h->initval, t->htable_bits);	453	key = HKEY(value, h->initval, t->htable_bits);
421	n = hbucket(t, key);	454	n = hbucket(t, key);
422	for (i = 0; i < n->pos; i++) {	455	for (i = 0; i < n->pos; i++) {
423	data = ahash_data(n, i);	456	data = ahash_data(n, i);
424	if (!type_pf_data_equal(data, d))	457	if (!type_pf_data_equal(data, d, &multi))
425	continue;	458	continue;
426	if (i != n->pos - 1)	459	if (i != n->pos - 1)
427	/* Not last one */	460	/* Not last one */
428	type_pf_data_copy(data, ahash_data(n, n->pos - 1));	461	type_pf_data_copy(data, ahash_data(n, n->pos - 1));
429		462
430	n->pos--;	463	n->pos--;
431	h->elements--;	464	h->elements--;
432	#ifdef IP_SET_HASH_WITH_NETS	465	#ifdef IP_SET_HASH_WITH_NETS
433	del_cidr(h, d->cidr, HOST_MASK);	466	del_cidr(h, d->cidr, HOST_MASK);
434	#endif	467	#endif
435	if (n->pos + AHASH_INIT_SIZE < n->size) {	468	if (n->pos + AHASH_INIT_SIZE < n->size) {
436	void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)	469	void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
437	* sizeof(struct type_pf_elem),	470	* sizeof(struct type_pf_elem),
438	GFP_ATOMIC);	471	GFP_ATOMIC);
439	if (!tmp)	472	if (!tmp)
440	return 0;	473	return 0;
441	n->size -= AHASH_INIT_SIZE;	474	n->size -= AHASH_INIT_SIZE;
442	memcpy(tmp, n->value,	475	memcpy(tmp, n->value,
443	n->size * sizeof(struct type_pf_elem));	476	n->size * sizeof(struct type_pf_elem));
444	kfree(n->value);	477	kfree(n->value);
445	n->value = tmp;	478	n->value = tmp;
446	}	479	}
447	return 0;	480	return 0;
448	}	481	}
449		482
450	return -IPSET_ERR_EXIST;	483	return -IPSET_ERR_EXIST;
451	}	484	}
452		485
453	#ifdef IP_SET_HASH_WITH_NETS	486	#ifdef IP_SET_HASH_WITH_NETS
454		487
455	/* Special test function which takes into account the different network	488	/* Special test function which takes into account the different network
456	* sizes added to the set */	489	* sizes added to the set */
457	static int	490	static int
458	type_pf_test_cidrs(struct ip_set set, struct type_pf_elem d, u32 timeout)	491	type_pf_test_cidrs(struct ip_set set, struct type_pf_elem d, u32 timeout)
459	{	492	{
460	struct ip_set_hash *h = set->data;	493	struct ip_set_hash *h = set->data;
461	struct htable *t = h->table;	494	struct htable *t = h->table;
462	struct hbucket *n;	495	struct hbucket *n;
463	const struct type_pf_elem *data;	496	const struct type_pf_elem *data;
464	int i, j = 0;	497	int i, j = 0;
465	u32 key;	498	u32 key, multi = 0;
466	u8 host_mask = SET_HOST_MASK(set->family);	499	u8 host_mask = SET_HOST_MASK(set->family);
467		500
468	pr_debug("test by nets\n");	501	pr_debug("test by nets\n");
469	for (; j < host_mask && h->nets[j].cidr; j++) {	502	for (; j < host_mask && h->nets[j].cidr && !multi; j++) {
470	type_pf_data_netmask(d, h->nets[j].cidr);	503	type_pf_data_netmask(d, h->nets[j].cidr);
471	key = HKEY(d, h->initval, t->htable_bits);	504	key = HKEY(d, h->initval, t->htable_bits);
472	n = hbucket(t, key);	505	n = hbucket(t, key);
473	for (i = 0; i < n->pos; i++) {	506	for (i = 0; i < n->pos; i++) {
474	data = ahash_data(n, i);	507	data = ahash_data(n, i);
475	if (type_pf_data_equal(data, d))	508	if (type_pf_data_equal(data, d, &multi))
476	return 1;	509	return 1;
477	}	510	}
478	}	511	}
479	return 0;	512	return 0;
480	}	513	}
481	#endif	514	#endif
482		515
483	/* Test whether the element is added to the set */	516	/* Test whether the element is added to the set */
484	static int	517	static int
485	type_pf_test(struct ip_set set, void value, u32 timeout, u32 flags)	518	type_pf_test(struct ip_set set, void value, u32 timeout, u32 flags)
486	{	519	{
487	struct ip_set_hash *h = set->data;	520	struct ip_set_hash *h = set->data;
488	struct htable *t = h->table;	521	struct htable *t = h->table;
489	struct type_pf_elem *d = value;	522	struct type_pf_elem *d = value;
490	struct hbucket *n;	523	struct hbucket *n;
491	const struct type_pf_elem *data;	524	const struct type_pf_elem *data;
492	int i;	525	int i;
493	u32 key;	526	u32 key, multi = 0;
494		527
495	#ifdef IP_SET_HASH_WITH_NETS	528	#ifdef IP_SET_HASH_WITH_NETS
496	/* If we test an IP address and not a network address,	529	/* If we test an IP address and not a network address,
497	* try all possible network sizes */	530	* try all possible network sizes */
498	if (d->cidr == SET_HOST_MASK(set->family))	531	if (d->cidr == SET_HOST_MASK(set->family))
499	return type_pf_test_cidrs(set, d, timeout);	532	return type_pf_test_cidrs(set, d, timeout);
500	#endif	533	#endif
501		534
502	key = HKEY(d, h->initval, t->htable_bits);	535	key = HKEY(d, h->initval, t->htable_bits);
503	n = hbucket(t, key);	536	n = hbucket(t, key);
504	for (i = 0; i < n->pos; i++) {	537	for (i = 0; i < n->pos; i++) {
505	data = ahash_data(n, i);	538	data = ahash_data(n, i);
506	if (type_pf_data_equal(data, d))	539	if (type_pf_data_equal(data, d, &multi))
507	return 1;	540	return 1;
508	}	541	}
509	return 0;	542	return 0;
510	}	543	}
511		544
512	/* Reply a HEADER request: fill out the header part of the set */	545	/* Reply a HEADER request: fill out the header part of the set */
513	static int	546	static int
514	type_pf_head(struct ip_set set, struct sk_buff skb)	547	type_pf_head(struct ip_set set, struct sk_buff skb)
515	{	548	{
516	const struct ip_set_hash *h = set->data;	549	const struct ip_set_hash *h = set->data;
517	struct nlattr *nested;	550	struct nlattr *nested;
518	size_t memsize;	551	size_t memsize;
519		552
520	read_lock_bh(&set->lock);	553	read_lock_bh(&set->lock);
521	memsize = ahash_memsize(h, with_timeout(h->timeout)	554	memsize = ahash_memsize(h, with_timeout(h->timeout)
522	? sizeof(struct type_pf_telem)	555	? sizeof(struct type_pf_telem)
523	: sizeof(struct type_pf_elem),	556	: sizeof(struct type_pf_elem),
524	set->family == AF_INET ? 32 : 128);	557	set->family == AF_INET ? 32 : 128);
525	read_unlock_bh(&set->lock);	558	read_unlock_bh(&set->lock);
526		559
527	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);	560	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
528	if (!nested)	561	if (!nested)
529	goto nla_put_failure;	562	goto nla_put_failure;
530	NLA_PUT_NET32(skb, IPSET_ATTR_HASHSIZE,	563	NLA_PUT_NET32(skb, IPSET_ATTR_HASHSIZE,
531	htonl(jhash_size(h->table->htable_bits)));	564	htonl(jhash_size(h->table->htable_bits)));
532	NLA_PUT_NET32(skb, IPSET_ATTR_MAXELEM, htonl(h->maxelem));	565	NLA_PUT_NET32(skb, IPSET_ATTR_MAXELEM, htonl(h->maxelem));
533	#ifdef IP_SET_HASH_WITH_NETMASK	566	#ifdef IP_SET_HASH_WITH_NETMASK
534	if (h->netmask != HOST_MASK)	567	if (h->netmask != HOST_MASK)
535	NLA_PUT_U8(skb, IPSET_ATTR_NETMASK, h->netmask);	568	NLA_PUT_U8(skb, IPSET_ATTR_NETMASK, h->netmask);
536	#endif	569	#endif
537	NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));	570	NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
538	NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize));	571	NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize));
539	if (with_timeout(h->timeout))	572	if (with_timeout(h->timeout))
540	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(h->timeout));	573	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(h->timeout));
541	ipset_nest_end(skb, nested);	574	ipset_nest_end(skb, nested);
542		575
543	return 0;	576	return 0;
544	nla_put_failure:	577	nla_put_failure:
545	return -EMSGSIZE;	578	return -EMSGSIZE;
546	}	579	}
547		580
548	/* Reply a LIST/SAVE request: dump the elements of the specified set */	581	/* Reply a LIST/SAVE request: dump the elements of the specified set */
549	static int	582	static int
550	type_pf_list(const struct ip_set *set,	583	type_pf_list(const struct ip_set *set,
551	struct sk_buff skb, struct netlink_callback cb)	584	struct sk_buff skb, struct netlink_callback cb)
552	{	585	{
553	const struct ip_set_hash *h = set->data;	586	const struct ip_set_hash *h = set->data;
554	const struct htable *t = h->table;	587	const struct htable *t = h->table;
555	struct nlattr atd, nested;	588	struct nlattr atd, nested;
556	const struct hbucket *n;	589	const struct hbucket *n;
557	const struct type_pf_elem *data;	590	const struct type_pf_elem *data;
558	u32 first = cb->args[2];	591	u32 first = cb->args[2];
559	/* We assume that one hash bucket fills into one page */	592	/* We assume that one hash bucket fills into one page */
560	void *incomplete;	593	void *incomplete;
561	int i;	594	int i;
562		595
563	atd = ipset_nest_start(skb, IPSET_ATTR_ADT);	596	atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
564	if (!atd)	597	if (!atd)
565	return -EMSGSIZE;	598	return -EMSGSIZE;
566	pr_debug("list hash set %s\n", set->name);	599	pr_debug("list hash set %s\n", set->name);
567	for (; cb->args[2] < jhash_size(t->htable_bits); cb->args[2]++) {	600	for (; cb->args[2] < jhash_size(t->htable_bits); cb->args[2]++) {
568	incomplete = skb_tail_pointer(skb);	601	incomplete = skb_tail_pointer(skb);
569	n = hbucket(t, cb->args[2]);	602	n = hbucket(t, cb->args[2]);
570	pr_debug("cb->args[2]: %lu, t %p n %p\n", cb->args[2], t, n);	603	pr_debug("cb->args[2]: %lu, t %p n %p\n", cb->args[2], t, n);
571	for (i = 0; i < n->pos; i++) {	604	for (i = 0; i < n->pos; i++) {
572	data = ahash_data(n, i);	605	data = ahash_data(n, i);
573	pr_debug("list hash %lu hbucket %p i %u, data %p\n",	606	pr_debug("list hash %lu hbucket %p i %u, data %p\n",
574	cb->args[2], n, i, data);	607	cb->args[2], n, i, data);
575	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);	608	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
576	if (!nested) {	609	if (!nested) {
577	if (cb->args[2] == first) {	610	if (cb->args[2] == first) {
578	nla_nest_cancel(skb, atd);	611	nla_nest_cancel(skb, atd);
579	return -EMSGSIZE;	612	return -EMSGSIZE;
580	} else	613	} else
581	goto nla_put_failure;	614	goto nla_put_failure;
582	}	615	}
583	if (type_pf_data_list(skb, data))	616	if (type_pf_data_list(skb, data))
584	goto nla_put_failure;	617	goto nla_put_failure;
585	ipset_nest_end(skb, nested);	618	ipset_nest_end(skb, nested);
586	}	619	}
587	}	620	}
588	ipset_nest_end(skb, atd);	621	ipset_nest_end(skb, atd);
589	/* Set listing finished */	622	/* Set listing finished */
590	cb->args[2] = 0;	623	cb->args[2] = 0;
591		624
592	return 0;	625	return 0;
593		626
594	nla_put_failure:	627	nla_put_failure:
595	nlmsg_trim(skb, incomplete);	628	nlmsg_trim(skb, incomplete);
596	ipset_nest_end(skb, atd);	629	ipset_nest_end(skb, atd);
597	if (unlikely(first == cb->args[2])) {	630	if (unlikely(first == cb->args[2])) {
598	pr_warning("Can't list set %s: one bucket does not fit into "	631	pr_warning("Can't list set %s: one bucket does not fit into "
599	"a message. Please report it!\n", set->name);	632	"a message. Please report it!\n", set->name);
600	cb->args[2] = 0;	633	cb->args[2] = 0;
601	return -EMSGSIZE;	634	return -EMSGSIZE;
602	}	635	}
603	return 0;	636	return 0;
604	}	637	}
605		638
606	static int	639	static int
607	type_pf_kadt(struct ip_set set, const struct sk_buff skb,	640	type_pf_kadt(struct ip_set set, const struct sk_buff skb,
608	const struct xt_action_param *par,	641	const struct xt_action_param *par,
609	enum ipset_adt adt, const struct ip_set_adt_opt *opt);	642	enum ipset_adt adt, const struct ip_set_adt_opt *opt);
610	static int	643	static int
611	type_pf_uadt(struct ip_set set, struct nlattr tb[],	644	type_pf_uadt(struct ip_set set, struct nlattr tb[],
612	enum ipset_adt adt, u32 *lineno, u32 flags, bool retried);	645	enum ipset_adt adt, u32 *lineno, u32 flags, bool retried);
613		646
614	static const struct ip_set_type_variant type_pf_variant = {	647	static const struct ip_set_type_variant type_pf_variant = {
615	.kadt = type_pf_kadt,	648	.kadt = type_pf_kadt,
616	.uadt = type_pf_uadt,	649	.uadt = type_pf_uadt,
617	.adt = {	650	.adt = {
618	[IPSET_ADD] = type_pf_add,	651	[IPSET_ADD] = type_pf_add,
619	[IPSET_DEL] = type_pf_del,	652	[IPSET_DEL] = type_pf_del,
620	[IPSET_TEST] = type_pf_test,	653	[IPSET_TEST] = type_pf_test,
621	},	654	},
622	.destroy = type_pf_destroy,	655	.destroy = type_pf_destroy,
623	.flush = type_pf_flush,	656	.flush = type_pf_flush,
624	.head = type_pf_head,	657	.head = type_pf_head,
625	.list = type_pf_list,	658	.list = type_pf_list,
626	.resize = type_pf_resize,	659	.resize = type_pf_resize,
627	.same_set = type_pf_same_set,	660	.same_set = type_pf_same_set,
628	};	661	};
629		662
630	/* Flavour with timeout support */	663	/* Flavour with timeout support */
631		664
632	#define ahash_tdata(n, i) \	665	#define ahash_tdata(n, i) \
633	(struct type_pf_elem )((struct type_pf_telem )((n)->value) + (i))	666	(struct type_pf_elem )((struct type_pf_telem )((n)->value) + (i))
634		667
635	static inline u32	668	static inline u32
636	type_pf_data_timeout(const struct type_pf_elem *data)	669	type_pf_data_timeout(const struct type_pf_elem *data)
637	{	670	{
638	const struct type_pf_telem *tdata =	671	const struct type_pf_telem *tdata =
639	(const struct type_pf_telem *) data;	672	(const struct type_pf_telem *) data;
640		673
641	return tdata->timeout;	674	return tdata->timeout;
642	}	675	}
643		676
644	static inline bool	677	static inline bool
645	type_pf_data_expired(const struct type_pf_elem *data)	678	type_pf_data_expired(const struct type_pf_elem *data)
646	{	679	{
647	const struct type_pf_telem *tdata =	680	const struct type_pf_telem *tdata =
648	(const struct type_pf_telem *) data;	681	(const struct type_pf_telem *) data;
649		682
650	return ip_set_timeout_expired(tdata->timeout);	683	return ip_set_timeout_expired(tdata->timeout);
651	}	684	}
652		685
653	static inline void	686	static inline void
654	type_pf_data_timeout_set(struct type_pf_elem *data, u32 timeout)	687	type_pf_data_timeout_set(struct type_pf_elem *data, u32 timeout)
655	{	688	{
656	struct type_pf_telem tdata = (struct type_pf_telem ) data;	689	struct type_pf_telem tdata = (struct type_pf_telem ) data;
657		690
658	tdata->timeout = ip_set_timeout_set(timeout);	691	tdata->timeout = ip_set_timeout_set(timeout);
659	}	692	}
660		693
661	static int	694	static int
662	type_pf_elem_tadd(struct hbucket n, const struct type_pf_elem value,	695	type_pf_elem_tadd(struct hbucket n, const struct type_pf_elem value,
663	u32 timeout)	696	u8 ahash_max, u32 timeout)
664	{	697	{
665	struct type_pf_elem *data;	698	struct type_pf_elem *data;
666		699
667	if (n->pos >= n->size) {	700	if (n->pos >= n->size) {
668	void *tmp;	701	void *tmp;
669		702
670	if (n->size >= AHASH_MAX_SIZE)	703	if (n->size >= ahash_max)
671	/* Trigger rehashing */	704	/* Trigger rehashing */
672	return -EAGAIN;	705	return -EAGAIN;
673		706
674	tmp = kzalloc((n->size + AHASH_INIT_SIZE)	707	tmp = kzalloc((n->size + AHASH_INIT_SIZE)
675	* sizeof(struct type_pf_telem),	708	* sizeof(struct type_pf_telem),
676	GFP_ATOMIC);	709	GFP_ATOMIC);
677	if (!tmp)	710	if (!tmp)
678	return -ENOMEM;	711	return -ENOMEM;
679	if (n->size) {	712	if (n->size) {
680	memcpy(tmp, n->value,	713	memcpy(tmp, n->value,
681	sizeof(struct type_pf_telem) * n->size);	714	sizeof(struct type_pf_telem) * n->size);
682	kfree(n->value);	715	kfree(n->value);
683	}	716	}
684	n->value = tmp;	717	n->value = tmp;
685	n->size += AHASH_INIT_SIZE;	718	n->size += AHASH_INIT_SIZE;
686	}	719	}
687	data = ahash_tdata(n, n->pos++);	720	data = ahash_tdata(n, n->pos++);
688	type_pf_data_copy(data, value);	721	type_pf_data_copy(data, value);
689	type_pf_data_timeout_set(data, timeout);	722	type_pf_data_timeout_set(data, timeout);
690	return 0;	723	return 0;
691	}	724	}
692		725
693	/* Delete expired elements from the hashtable */	726	/* Delete expired elements from the hashtable */
694	static void	727	static void
695	type_pf_expire(struct ip_set_hash *h)	728	type_pf_expire(struct ip_set_hash *h)
696	{	729	{
697	struct htable *t = h->table;	730	struct htable *t = h->table;
698	struct hbucket *n;	731	struct hbucket *n;
699	struct type_pf_elem *data;	732	struct type_pf_elem *data;
700	u32 i;	733	u32 i;
701	int j;	734	int j;
702		735
703	for (i = 0; i < jhash_size(t->htable_bits); i++) {	736	for (i = 0; i < jhash_size(t->htable_bits); i++) {
704	n = hbucket(t, i);	737	n = hbucket(t, i);
705	for (j = 0; j < n->pos; j++) {	738	for (j = 0; j < n->pos; j++) {
706	data = ahash_tdata(n, j);	739	data = ahash_tdata(n, j);
707	if (type_pf_data_expired(data)) {	740	if (type_pf_data_expired(data)) {
708	pr_debug("expired %u/%u\n", i, j);	741	pr_debug("expired %u/%u\n", i, j);
709	#ifdef IP_SET_HASH_WITH_NETS	742	#ifdef IP_SET_HASH_WITH_NETS
710	del_cidr(h, data->cidr, HOST_MASK);	743	del_cidr(h, data->cidr, HOST_MASK);
711	#endif	744	#endif
712	if (j != n->pos - 1)	745	if (j != n->pos - 1)
713	/* Not last one */	746	/* Not last one */
714	type_pf_data_copy(data,	747	type_pf_data_copy(data,
715	ahash_tdata(n, n->pos - 1));	748	ahash_tdata(n, n->pos - 1));
716	n->pos--;	749	n->pos--;
717	h->elements--;	750	h->elements--;
718	}	751	}
719	}	752	}
720	if (n->pos + AHASH_INIT_SIZE < n->size) {	753	if (n->pos + AHASH_INIT_SIZE < n->size) {
721	void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)	754	void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
722	* sizeof(struct type_pf_telem),	755	* sizeof(struct type_pf_telem),
723	GFP_ATOMIC);	756	GFP_ATOMIC);
724	if (!tmp)	757	if (!tmp)
725	/* Still try to delete expired elements */	758	/* Still try to delete expired elements */
726	continue;	759	continue;
727	n->size -= AHASH_INIT_SIZE;	760	n->size -= AHASH_INIT_SIZE;
728	memcpy(tmp, n->value,	761	memcpy(tmp, n->value,
729	n->size * sizeof(struct type_pf_telem));	762	n->size * sizeof(struct type_pf_telem));
730	kfree(n->value);	763	kfree(n->value);
731	n->value = tmp;	764	n->value = tmp;
732	}	765	}
733	}	766	}
734	}	767	}
735		768
736	static int	769	static int
737	type_pf_tresize(struct ip_set *set, bool retried)	770	type_pf_tresize(struct ip_set *set, bool retried)
738	{	771	{
739	struct ip_set_hash *h = set->data;	772	struct ip_set_hash *h = set->data;
740	struct htable t, orig = h->table;	773	struct htable t, orig = h->table;
741	u8 htable_bits = orig->htable_bits;	774	u8 htable_bits = orig->htable_bits;
742	const struct type_pf_elem *data;	775	const struct type_pf_elem *data;
743	struct hbucket n, m;	776	struct hbucket n, m;
744	u32 i, j;	777	u32 i, j;
745	int ret;	778	int ret;
746		779
747	/* Try to cleanup once */	780	/* Try to cleanup once */
748	if (!retried) {	781	if (!retried) {
749	i = h->elements;	782	i = h->elements;
750	write_lock_bh(&set->lock);	783	write_lock_bh(&set->lock);
751	type_pf_expire(set->data);	784	type_pf_expire(set->data);
752	write_unlock_bh(&set->lock);	785	write_unlock_bh(&set->lock);
753	if (h->elements < i)	786	if (h->elements < i)
754	return 0;	787	return 0;
755	}	788	}
756		789
757	retry:	790	retry:
758	ret = 0;	791	ret = 0;
759	htable_bits++;	792	htable_bits++;
760	if (!htable_bits)	793	if (!htable_bits)
761	/* In case we have plenty of memory :-) */	794	/* In case we have plenty of memory :-) */
762	return -IPSET_ERR_HASH_FULL;	795	return -IPSET_ERR_HASH_FULL;
763	t = ip_set_alloc(sizeof(*t)	796	t = ip_set_alloc(sizeof(*t)
764	+ jhash_size(htable_bits) * sizeof(struct hbucket));	797	+ jhash_size(htable_bits) * sizeof(struct hbucket));
765	if (!t)	798	if (!t)
766	return -ENOMEM;	799	return -ENOMEM;
767	t->htable_bits = htable_bits;	800	t->htable_bits = htable_bits;
768		801
769	read_lock_bh(&set->lock);	802	read_lock_bh(&set->lock);
770	for (i = 0; i < jhash_size(orig->htable_bits); i++) {	803	for (i = 0; i < jhash_size(orig->htable_bits); i++) {
771	n = hbucket(orig, i);	804	n = hbucket(orig, i);
772	for (j = 0; j < n->pos; j++) {	805	for (j = 0; j < n->pos; j++) {
773	data = ahash_tdata(n, j);	806	data = ahash_tdata(n, j);
774	m = hbucket(t, HKEY(data, h->initval, htable_bits));	807	m = hbucket(t, HKEY(data, h->initval, htable_bits));
775	ret = type_pf_elem_tadd(m, data,	808	ret = type_pf_elem_tadd(m, data, AHASH_MAX(h),
776	type_pf_data_timeout(data));	809	type_pf_data_timeout(data));
777	if (ret < 0) {	810	if (ret < 0) {
778	read_unlock_bh(&set->lock);	811	read_unlock_bh(&set->lock);
779	ahash_destroy(t);	812	ahash_destroy(t);
780	if (ret == -EAGAIN)	813	if (ret == -EAGAIN)
781	goto retry;	814	goto retry;
782	return ret;	815	return ret;
783	}	816	}
784	}	817	}
785	}	818	}
786		819
787	rcu_assign_pointer(h->table, t);	820	rcu_assign_pointer(h->table, t);
788	read_unlock_bh(&set->lock);	821	read_unlock_bh(&set->lock);
789		822
790	/* Give time to other readers of the set */	823	/* Give time to other readers of the set */
791	synchronize_rcu_bh();	824	synchronize_rcu_bh();
792		825
793	ahash_destroy(orig);	826	ahash_destroy(orig);
794		827
795	return 0;	828	return 0;
796	}	829	}
797		830
798	static int	831	static int
799	type_pf_tadd(struct ip_set set, void value, u32 timeout, u32 flags)	832	type_pf_tadd(struct ip_set set, void value, u32 timeout, u32 flags)
800	{	833	{
801	struct ip_set_hash *h = set->data;	834	struct ip_set_hash *h = set->data;
802	struct htable *t = h->table;	835	struct htable *t = h->table;
803	const struct type_pf_elem *d = value;	836	const struct type_pf_elem *d = value;
804	struct hbucket *n;	837	struct hbucket *n;
805	struct type_pf_elem *data;	838	struct type_pf_elem *data;
806	int ret = 0, i, j = AHASH_MAX_SIZE + 1;	839	int ret = 0, i, j = AHASH_MAX(h) + 1;
807	bool flag_exist = flags & IPSET_FLAG_EXIST;	840	bool flag_exist = flags & IPSET_FLAG_EXIST;
808	u32 key;	841	u32 key, multi = 0;
809		842
810	if (h->elements >= h->maxelem)	843	if (h->elements >= h->maxelem)
811	/* FIXME: when set is full, we slow down here */	844	/* FIXME: when set is full, we slow down here */
812	type_pf_expire(h);	845	type_pf_expire(h);
813	if (h->elements >= h->maxelem)	846	if (h->elements >= h->maxelem)
814	return -IPSET_ERR_HASH_FULL;	847	return -IPSET_ERR_HASH_FULL;
815		848
816	rcu_read_lock_bh();	849	rcu_read_lock_bh();
817	t = rcu_dereference_bh(h->table);	850	t = rcu_dereference_bh(h->table);
818	key = HKEY(d, h->initval, t->htable_bits);	851	key = HKEY(d, h->initval, t->htable_bits);
819	n = hbucket(t, key);	852	n = hbucket(t, key);
820	for (i = 0; i < n->pos; i++) {	853	for (i = 0; i < n->pos; i++) {
821	data = ahash_tdata(n, i);	854	data = ahash_tdata(n, i);
822	if (type_pf_data_equal(data, d)) {	855	if (type_pf_data_equal(data, d, &multi)) {
823	if (type_pf_data_expired(data) \|\| flag_exist)	856	if (type_pf_data_expired(data) \|\| flag_exist)
824	j = i;	857	j = i;
825	else {	858	else {
826	ret = -IPSET_ERR_EXIST;	859	ret = -IPSET_ERR_EXIST;
827	goto out;	860	goto out;
828	}	861	}
829	} else if (j == AHASH_MAX_SIZE + 1 &&	862	} else if (j == AHASH_MAX(h) + 1 &&
830	type_pf_data_expired(data))	863	type_pf_data_expired(data))
831	j = i;	864	j = i;
832	}	865	}
833	if (j != AHASH_MAX_SIZE + 1) {	866	if (j != AHASH_MAX(h) + 1) {
834	data = ahash_tdata(n, j);	867	data = ahash_tdata(n, j);
835	#ifdef IP_SET_HASH_WITH_NETS	868	#ifdef IP_SET_HASH_WITH_NETS
836	del_cidr(h, data->cidr, HOST_MASK);	869	del_cidr(h, data->cidr, HOST_MASK);
837	add_cidr(h, d->cidr, HOST_MASK);	870	add_cidr(h, d->cidr, HOST_MASK);
838	#endif	871	#endif
839	type_pf_data_copy(data, d);	872	type_pf_data_copy(data, d);
840	type_pf_data_timeout_set(data, timeout);	873	type_pf_data_timeout_set(data, timeout);
841	goto out;	874	goto out;
842	}	875	}
843	ret = type_pf_elem_tadd(n, d, timeout);	876	TUNE_AHASH_MAX(h, multi);
		877	ret = type_pf_elem_tadd(n, d, AHASH_MAX(h), timeout);
844	if (ret != 0) {	878	if (ret != 0) {
845	if (ret == -EAGAIN)	879	if (ret == -EAGAIN)
846	type_pf_data_next(h, d);	880	type_pf_data_next(h, d);
847	goto out;	881	goto out;
848	}	882	}
849		883
850	#ifdef IP_SET_HASH_WITH_NETS	884	#ifdef IP_SET_HASH_WITH_NETS
851	add_cidr(h, d->cidr, HOST_MASK);	885	add_cidr(h, d->cidr, HOST_MASK);
852	#endif	886	#endif
853	h->elements++;	887	h->elements++;
854	out:	888	out:
855	rcu_read_unlock_bh();	889	rcu_read_unlock_bh();
856	return ret;	890	return ret;
857	}	891	}
858		892
859	static int	893	static int
860	type_pf_tdel(struct ip_set set, void value, u32 timeout, u32 flags)	894	type_pf_tdel(struct ip_set set, void value, u32 timeout, u32 flags)
861	{	895	{
862	struct ip_set_hash *h = set->data;	896	struct ip_set_hash *h = set->data;
863	struct htable *t = h->table;	897	struct htable *t = h->table;
864	const struct type_pf_elem *d = value;	898	const struct type_pf_elem *d = value;
865	struct hbucket *n;	899	struct hbucket *n;
866	int i;	900	int i;
867	struct type_pf_elem *data;	901	struct type_pf_elem *data;
868	u32 key;	902	u32 key, multi = 0;
869		903
870	key = HKEY(value, h->initval, t->htable_bits);	904	key = HKEY(value, h->initval, t->htable_bits);
871	n = hbucket(t, key);	905	n = hbucket(t, key);
872	for (i = 0; i < n->pos; i++) {	906	for (i = 0; i < n->pos; i++) {
873	data = ahash_tdata(n, i);	907	data = ahash_tdata(n, i);
874	if (!type_pf_data_equal(data, d))	908	if (!type_pf_data_equal(data, d, &multi))
875	continue;	909	continue;
876	if (type_pf_data_expired(data))	910	if (type_pf_data_expired(data))
877	return -IPSET_ERR_EXIST;	911	return -IPSET_ERR_EXIST;
878	if (i != n->pos - 1)	912	if (i != n->pos - 1)
879	/* Not last one */	913	/* Not last one */
880	type_pf_data_copy(data, ahash_tdata(n, n->pos - 1));	914	type_pf_data_copy(data, ahash_tdata(n, n->pos - 1));
881		915
882	n->pos--;	916	n->pos--;
883	h->elements--;	917	h->elements--;
884	#ifdef IP_SET_HASH_WITH_NETS	918	#ifdef IP_SET_HASH_WITH_NETS
885	del_cidr(h, d->cidr, HOST_MASK);	919	del_cidr(h, d->cidr, HOST_MASK);
886	#endif	920	#endif
887	if (n->pos + AHASH_INIT_SIZE < n->size) {	921	if (n->pos + AHASH_INIT_SIZE < n->size) {
888	void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)	922	void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
889	* sizeof(struct type_pf_telem),	923	* sizeof(struct type_pf_telem),
890	GFP_ATOMIC);	924	GFP_ATOMIC);
891	if (!tmp)	925	if (!tmp)
892	return 0;	926	return 0;
893	n->size -= AHASH_INIT_SIZE;	927	n->size -= AHASH_INIT_SIZE;
894	memcpy(tmp, n->value,	928	memcpy(tmp, n->value,
895	n->size * sizeof(struct type_pf_telem));	929	n->size * sizeof(struct type_pf_telem));
896	kfree(n->value);	930	kfree(n->value);
897	n->value = tmp;	931	n->value = tmp;
898	}	932	}
899	return 0;	933	return 0;
900	}	934	}
901		935
902	return -IPSET_ERR_EXIST;	936	return -IPSET_ERR_EXIST;
903	}	937	}
904		938
905	#ifdef IP_SET_HASH_WITH_NETS	939	#ifdef IP_SET_HASH_WITH_NETS
906	static int	940	static int
907	type_pf_ttest_cidrs(struct ip_set set, struct type_pf_elem d, u32 timeout)	941	type_pf_ttest_cidrs(struct ip_set set, struct type_pf_elem d, u32 timeout)
908	{	942	{
909	struct ip_set_hash *h = set->data;	943	struct ip_set_hash *h = set->data;
910	struct htable *t = h->table;	944	struct htable *t = h->table;
911	struct type_pf_elem *data;	945	struct type_pf_elem *data;
912	struct hbucket *n;	946	struct hbucket *n;
913	int i, j = 0;	947	int i, j = 0;
914	u32 key;	948	u32 key, multi = 0;
915	u8 host_mask = SET_HOST_MASK(set->family);	949	u8 host_mask = SET_HOST_MASK(set->family);
916		950
917	for (; j < host_mask && h->nets[j].cidr; j++) {	951	for (; j < host_mask && h->nets[j].cidr && !multi; j++) {
918	type_pf_data_netmask(d, h->nets[j].cidr);	952	type_pf_data_netmask(d, h->nets[j].cidr);
919	key = HKEY(d, h->initval, t->htable_bits);	953	key = HKEY(d, h->initval, t->htable_bits);
920	n = hbucket(t, key);	954	n = hbucket(t, key);
921	for (i = 0; i < n->pos; i++) {	955	for (i = 0; i < n->pos; i++) {
922	data = ahash_tdata(n, i);	956	data = ahash_tdata(n, i);
923	if (type_pf_data_equal(data, d))	957	if (type_pf_data_equal(data, d, &multi))
924	return !type_pf_data_expired(data);	958	return !type_pf_data_expired(data);
925	}	959	}
926	}	960	}
927	return 0;	961	return 0;
928	}	962	}
929	#endif	963	#endif
930		964
931	static int	965	static int
932	type_pf_ttest(struct ip_set set, void value, u32 timeout, u32 flags)	966	type_pf_ttest(struct ip_set set, void value, u32 timeout, u32 flags)
933	{	967	{
934	struct ip_set_hash *h = set->data;	968	struct ip_set_hash *h = set->data;
935	struct htable *t = h->table;	969	struct htable *t = h->table;
936	struct type_pf_elem data, d = value;	970	struct type_pf_elem data, d = value;
937	struct hbucket *n;	971	struct hbucket *n;
938	int i;	972	int i;
939	u32 key;	973	u32 key, multi = 0;
940		974
941	#ifdef IP_SET_HASH_WITH_NETS	975	#ifdef IP_SET_HASH_WITH_NETS
942	if (d->cidr == SET_HOST_MASK(set->family))	976	if (d->cidr == SET_HOST_MASK(set->family))
943	return type_pf_ttest_cidrs(set, d, timeout);	977	return type_pf_ttest_cidrs(set, d, timeout);
944	#endif	978	#endif
945	key = HKEY(d, h->initval, t->htable_bits);	979	key = HKEY(d, h->initval, t->htable_bits);
946	n = hbucket(t, key);	980	n = hbucket(t, key);
947	for (i = 0; i < n->pos; i++) {	981	for (i = 0; i < n->pos; i++) {
948	data = ahash_tdata(n, i);	982	data = ahash_tdata(n, i);
949	if (type_pf_data_equal(data, d))	983	if (type_pf_data_equal(data, d, &multi))
950	return !type_pf_data_expired(data);	984	return !type_pf_data_expired(data);
951	}	985	}
952	return 0;	986	return 0;
953	}	987	}
954		988
955	static int	989	static int
956	type_pf_tlist(const struct ip_set *set,	990	type_pf_tlist(const struct ip_set *set,
957	struct sk_buff skb, struct netlink_callback cb)	991	struct sk_buff skb, struct netlink_callback cb)
958	{	992	{
959	const struct ip_set_hash *h = set->data;	993	const struct ip_set_hash *h = set->data;
960	const struct htable *t = h->table;	994	const struct htable *t = h->table;
961	struct nlattr atd, nested;	995	struct nlattr atd, nested;
962	const struct hbucket *n;	996	const struct hbucket *n;
963	const struct type_pf_elem *data;	997	const struct type_pf_elem *data;
964	u32 first = cb->args[2];	998	u32 first = cb->args[2];
965	/* We assume that one hash bucket fills into one page */	999	/* We assume that one hash bucket fills into one page */
966	void *incomplete;	1000	void *incomplete;
967	int i;	1001	int i;
968		1002
969	atd = ipset_nest_start(skb, IPSET_ATTR_ADT);	1003	atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
970	if (!atd)	1004	if (!atd)
971	return -EMSGSIZE;	1005	return -EMSGSIZE;
972	for (; cb->args[2] < jhash_size(t->htable_bits); cb->args[2]++) {	1006	for (; cb->args[2] < jhash_size(t->htable_bits); cb->args[2]++) {
973	incomplete = skb_tail_pointer(skb);	1007	incomplete = skb_tail_pointer(skb);
974	n = hbucket(t, cb->args[2]);	1008	n = hbucket(t, cb->args[2]);
975	for (i = 0; i < n->pos; i++) {	1009	for (i = 0; i < n->pos; i++) {
976	data = ahash_tdata(n, i);	1010	data = ahash_tdata(n, i);
977	pr_debug("list %p %u\n", n, i);	1011	pr_debug("list %p %u\n", n, i);
978	if (type_pf_data_expired(data))	1012	if (type_pf_data_expired(data))
979	continue;	1013	continue;
980	pr_debug("do list %p %u\n", n, i);	1014	pr_debug("do list %p %u\n", n, i);
981	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);	1015	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
982	if (!nested) {	1016	if (!nested) {
983	if (cb->args[2] == first) {	1017	if (cb->args[2] == first) {
984	nla_nest_cancel(skb, atd);	1018	nla_nest_cancel(skb, atd);
985	return -EMSGSIZE;	1019	return -EMSGSIZE;
986	} else	1020	} else
987	goto nla_put_failure;	1021	goto nla_put_failure;
988	}	1022	}
989	if (type_pf_data_tlist(skb, data))	1023	if (type_pf_data_tlist(skb, data))
990	goto nla_put_failure;	1024	goto nla_put_failure;
991	ipset_nest_end(skb, nested);	1025	ipset_nest_end(skb, nested);
992	}	1026	}
993	}	1027	}
994	ipset_nest_end(skb, atd);	1028	ipset_nest_end(skb, atd);
995	/* Set listing finished */	1029	/* Set listing finished */
996	cb->args[2] = 0;	1030	cb->args[2] = 0;
997		1031
998	return 0;	1032	return 0;
999		1033
1000	nla_put_failure:	1034	nla_put_failure:
1001	nlmsg_trim(skb, incomplete);	1035	nlmsg_trim(skb, incomplete);
1002	ipset_nest_end(skb, atd);	1036	ipset_nest_end(skb, atd);
1003	if (unlikely(first == cb->args[2])) {	1037	if (unlikely(first == cb->args[2])) {
1004	pr_warning("Can't list set %s: one bucket does not fit into "	1038	pr_warning("Can't list set %s: one bucket does not fit into "
1005	"a message. Please report it!\n", set->name);	1039	"a message. Please report it!\n", set->name);
1006	cb->args[2] = 0;	1040	cb->args[2] = 0;
1007	return -EMSGSIZE;	1041	return -EMSGSIZE;
1008	}	1042	}
1009	return 0;	1043	return 0;
1010	}	1044	}
1011		1045
1012	static const struct ip_set_type_variant type_pf_tvariant = {	1046	static const struct ip_set_type_variant type_pf_tvariant = {
1013	.kadt = type_pf_kadt,	1047	.kadt = type_pf_kadt,
1014	.uadt = type_pf_uadt,	1048	.uadt = type_pf_uadt,
1015	.adt = {	1049	.adt = {
1016	[IPSET_ADD] = type_pf_tadd,	1050	[IPSET_ADD] = type_pf_tadd,
1017	[IPSET_DEL] = type_pf_tdel,	1051	[IPSET_DEL] = type_pf_tdel,
1018	[IPSET_TEST] = type_pf_ttest,	1052	[IPSET_TEST] = type_pf_ttest,
1019	},	1053	},
1020	.destroy = type_pf_destroy,	1054	.destroy = type_pf_destroy,
1021	.flush = type_pf_flush,	1055	.flush = type_pf_flush,
1022	.head = type_pf_head,	1056	.head = type_pf_head,
1023	.list = type_pf_tlist,	1057	.list = type_pf_tlist,
1024	.resize = type_pf_tresize,	1058	.resize = type_pf_tresize,
1025	.same_set = type_pf_same_set,	1059	.same_set = type_pf_same_set,
1026	};	1060	};
1027		1061
1028	static void	1062	static void
1029	type_pf_gc(unsigned long ul_set)	1063	type_pf_gc(unsigned long ul_set)
1030	{	1064	{
1031	struct ip_set set = (struct ip_set ) ul_set;	1065	struct ip_set set = (struct ip_set ) ul_set;
1032	struct ip_set_hash *h = set->data;	1066	struct ip_set_hash *h = set->data;
1033		1067
1034	pr_debug("called\n");	1068	pr_debug("called\n");
1035	write_lock_bh(&set->lock);	1069	write_lock_bh(&set->lock);
1036	type_pf_expire(h);	1070	type_pf_expire(h);
1037	write_unlock_bh(&set->lock);	1071	write_unlock_bh(&set->lock);
1038		1072
1039	h->gc.expires = jiffies + IPSET_GC_PERIOD(h->timeout) * HZ;	1073	h->gc.expires = jiffies + IPSET_GC_PERIOD(h->timeout) * HZ;
1040	add_timer(&h->gc);	1074	add_timer(&h->gc);
1041	}	1075	}
1042		1076
1043	static void	1077	static void
1044	type_pf_gc_init(struct ip_set *set)	1078	type_pf_gc_init(struct ip_set *set)
1045	{	1079	{
1046	struct ip_set_hash *h = set->data;	1080	struct ip_set_hash *h = set->data;
1047		1081
1048	init_timer(&h->gc);	1082	init_timer(&h->gc);
1049	h->gc.data = (unsigned long) set;	1083	h->gc.data = (unsigned long) set;
1050	h->gc.function = type_pf_gc;	1084	h->gc.function = type_pf_gc;
1051	h->gc.expires = jiffies + IPSET_GC_PERIOD(h->timeout) * HZ;	1085	h->gc.expires = jiffies + IPSET_GC_PERIOD(h->timeout) * HZ;
1052	add_timer(&h->gc);	1086	add_timer(&h->gc);
1053	pr_debug("gc initialized, run in every %u\n",	1087	pr_debug("gc initialized, run in every %u\n",
1054	IPSET_GC_PERIOD(h->timeout));	1088	IPSET_GC_PERIOD(h->timeout));
1055	}	1089	}
1056		1090
		1091	#undef HKEY_DATALEN
		1092	#undef HKEY
1057	#undef type_pf_data_equal	1093	#undef type_pf_data_equal
1058	#undef type_pf_data_isnull	1094	#undef type_pf_data_isnull
1059	#undef type_pf_data_copy	1095	#undef type_pf_data_copy
1060	#undef type_pf_data_zero_out	1096	#undef type_pf_data_zero_out
1061	#undef type_pf_data_list	1097	#undef type_pf_data_list
1062	#undef type_pf_data_tlist	1098	#undef type_pf_data_tlist
1063		1099
1064	#undef type_pf_elem	1100	#undef type_pf_elem
1065	#undef type_pf_telem	1101	#undef type_pf_telem
1066	#undef type_pf_data_timeout	1102	#undef type_pf_data_timeout
1067	#undef type_pf_data_expired	1103	#undef type_pf_data_expired
1068	#undef type_pf_data_netmask	1104	#undef type_pf_data_netmask
1069	#undef type_pf_data_timeout_set	1105	#undef type_pf_data_timeout_set
1070		1106
1071	#undef type_pf_elem_add	1107	#undef type_pf_elem_add
1072	#undef type_pf_add	1108	#undef type_pf_add
1073	#undef type_pf_del	1109	#undef type_pf_del
1074	#undef type_pf_test_cidrs	1110	#undef type_pf_test_cidrs
1075	#undef type_pf_test	1111	#undef type_pf_test
1076		1112
1077	#undef type_pf_elem_tadd	1113	#undef type_pf_elem_tadd
1078	#undef type_pf_expire	1114	#undef type_pf_expire
1079	#undef type_pf_tadd	1115	#undef type_pf_tadd
1080	#undef type_pf_tdel	1116	#undef type_pf_tdel
1081	#undef type_pf_ttest_cidrs	1117	#undef type_pf_ttest_cidrs
1082	#undef type_pf_ttest	1118	#undef type_pf_ttest
1083		1119
1084	#undef type_pf_resize	1120	#undef type_pf_resize
1085	#undef type_pf_tresize	1121	#undef type_pf_tresize
1086	#undef type_pf_flush	1122	#undef type_pf_flush
1087	#undef type_pf_destroy	1123	#undef type_pf_destroy
1088	#undef type_pf_head	1124	#undef type_pf_head
1089	#undef type_pf_list	1125	#undef type_pf_list
1090	#undef type_pf_tlist	1126	#undef type_pf_tlist
1091	#undef type_pf_same_set	1127	#undef type_pf_same_set
1092	#undef type_pf_kadt	1128	#undef type_pf_kadt
1093	#undef type_pf_uadt	1129	#undef type_pf_uadt
1094	#undef type_pf_gc	1130	#undef type_pf_gc

include/linux/netfilter/nfnetlink.h

Diff comments View file @ f5caadb

 #ifndef _NFNETLINK_H
 #define _NFNETLINK_H
 #include <linux/types.h>
 #include <linux/netfilter/nfnetlink_compat.h>
 enum nfnetlink_groups {
 	NFNLGRP_NONE,
 #define NFNLGRP_NONE			NFNLGRP_NONE
 	NFNLGRP_CONNTRACK_NEW,
 #define NFNLGRP_CONNTRACK_NEW		NFNLGRP_CONNTRACK_NEW
 	NFNLGRP_CONNTRACK_UPDATE,
 #define NFNLGRP_CONNTRACK_UPDATE	NFNLGRP_CONNTRACK_UPDATE
 	NFNLGRP_CONNTRACK_DESTROY,
 #define NFNLGRP_CONNTRACK_DESTROY	NFNLGRP_CONNTRACK_DESTROY
 	NFNLGRP_CONNTRACK_EXP_NEW,
 #define	NFNLGRP_CONNTRACK_EXP_NEW	NFNLGRP_CONNTRACK_EXP_NEW
 	NFNLGRP_CONNTRACK_EXP_UPDATE,
 #define NFNLGRP_CONNTRACK_EXP_UPDATE	NFNLGRP_CONNTRACK_EXP_UPDATE
 	NFNLGRP_CONNTRACK_EXP_DESTROY,
 #define NFNLGRP_CONNTRACK_EXP_DESTROY	NFNLGRP_CONNTRACK_EXP_DESTROY
 	__NFNLGRP_MAX,
 };
 #define NFNLGRP_MAX	(__NFNLGRP_MAX - 1)
 /* General form of address family dependent message.
  */
 struct nfgenmsg {
 	__u8  nfgen_family;		/* AF_xxx */
 	__u8  version;		/* nfnetlink version */
 	__be16    res_id;		/* resource id */
 };
 #define NFNETLINK_V0	0
 /* netfilter netlink message types are split in two pieces:
  * 8 bit subsystem, 8bit operation.
  */
 #define NFNL_SUBSYS_ID(x)	((x & 0xff00) >> 8)
 #define NFNL_MSG_TYPE(x)	(x & 0x00ff)
 /* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
  * won't work anymore */
 #define NFNL_SUBSYS_NONE 		0
 #define NFNL_SUBSYS_CTNETLINK		1
 #define NFNL_SUBSYS_CTNETLINK_EXP	2
 #define NFNL_SUBSYS_QUEUE		3
 #define NFNL_SUBSYS_ULOG		4
 #define NFNL_SUBSYS_OSF			5
 #define NFNL_SUBSYS_IPSET		6
 #define NFNL_SUBSYS_COUNT		7
 #ifdef __KERNEL__
 #include <linux/netlink.h>
 #include <linux/capability.h>
 #include <net/netlink.h>
 struct nfnl_callback {
 	int (*call)(struct sock *nl, struct sk_buff *skb,
 		    const struct nlmsghdr *nlh,
 		    const struct nlattr * const cda[]);
+	int (*call_rcu)(struct sock *nl, struct sk_buff *skb,
+		    const struct nlmsghdr *nlh,
+		    const struct nlattr * const cda[]);
 	const struct nla_policy *policy;	/* netlink attribute policy */
 	const u_int16_t attr_count;		/* number of nlattr's */
 };
 struct nfnetlink_subsystem {
 	const char *name;
 	__u8 subsys_id;			/* nfnetlink subsystem ID */
 	__u8 cb_count;			/* number of callbacks */
 	const struct nfnl_callback *cb;	/* callback for individual types */
 };
 extern int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n);
 extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n);
 extern int nfnetlink_has_listeners(struct net *net, unsigned int group);
 extern int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 pid, unsigned group,
 			  int echo, gfp_t flags);
 extern int nfnetlink_set_err(struct net *net, u32 pid, u32 group, int error);
 extern int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u_int32_t pid, int flags);
 extern void nfnl_lock(void);
 extern void nfnl_unlock(void);
 #define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
 	MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
 #endif	/* __KERNEL__ */
 #endif	/* _NFNETLINK_H */

include/linux/netfilter/nfnetlink_queue.h

Diff comments View file @ f5caadb

 #ifndef _NFNETLINK_QUEUE_H
 #define _NFNETLINK_QUEUE_H
 #include <linux/types.h>
 #include <linux/netfilter/nfnetlink.h>
 enum nfqnl_msg_types {
 	NFQNL_MSG_PACKET,		/* packet from kernel to userspace */
 	NFQNL_MSG_VERDICT,		/* verdict from userspace to kernel */
 	NFQNL_MSG_CONFIG,		/* connect to a particular queue */
+	NFQNL_MSG_VERDICT_BATCH,	/* batchv from userspace to kernel */
 	NFQNL_MSG_MAX
 };
 struct nfqnl_msg_packet_hdr {
 	__be32		packet_id;	/* unique ID of packet in queue */
 	__be16		hw_protocol;	/* hw protocol (network order) */
 	__u8	hook;		/* netfilter hook */
 } __attribute__ ((packed));
 struct nfqnl_msg_packet_hw {
 	__be16		hw_addrlen;
 	__u16	_pad;
 	__u8	hw_addr[8];
 };
 struct nfqnl_msg_packet_timestamp {
 	__aligned_be64	sec;
 	__aligned_be64	usec;
 };
 enum nfqnl_attr_type {
 	NFQA_UNSPEC,
 	NFQA_PACKET_HDR,
 	NFQA_VERDICT_HDR,		/* nfqnl_msg_verdict_hrd */
 	NFQA_MARK,			/* __u32 nfmark */
 	NFQA_TIMESTAMP,			/* nfqnl_msg_packet_timestamp */
 	NFQA_IFINDEX_INDEV,		/* __u32 ifindex */
 	NFQA_IFINDEX_OUTDEV,		/* __u32 ifindex */
 	NFQA_IFINDEX_PHYSINDEV,		/* __u32 ifindex */
 	NFQA_IFINDEX_PHYSOUTDEV,	/* __u32 ifindex */
 	NFQA_HWADDR,			/* nfqnl_msg_packet_hw */
 	NFQA_PAYLOAD,			/* opaque data payload */
 	__NFQA_MAX
 };
 #define NFQA_MAX (__NFQA_MAX - 1)
 struct nfqnl_msg_verdict_hdr {
 	__be32 verdict;
 	__be32 id;
 };
 enum nfqnl_msg_config_cmds {
 	NFQNL_CFG_CMD_NONE,
 	NFQNL_CFG_CMD_BIND,
 	NFQNL_CFG_CMD_UNBIND,
 	NFQNL_CFG_CMD_PF_BIND,
 	NFQNL_CFG_CMD_PF_UNBIND,
 };
 struct nfqnl_msg_config_cmd {
 	__u8	command;	/* nfqnl_msg_config_cmds */
 	__u8	_pad;
 	__be16		pf;		/* AF_xxx for PF_[UN]BIND */
 };
 enum nfqnl_config_mode {
 	NFQNL_COPY_NONE,
 	NFQNL_COPY_META,
 	NFQNL_COPY_PACKET,
 };
 struct nfqnl_msg_config_params {
 	__be32		copy_range;
 	__u8	copy_mode;	/* enum nfqnl_config_mode */
 } __attribute__ ((packed));
 enum nfqnl_attr_config {
 	NFQA_CFG_UNSPEC,
 	NFQA_CFG_CMD,			/* nfqnl_msg_config_cmd */
 	NFQA_CFG_PARAMS,		/* nfqnl_msg_config_params */
 	NFQA_CFG_QUEUE_MAXLEN,		/* __u32 */
 	__NFQA_CFG_MAX
 };
 #define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
 #endif /* _NFNETLINK_QUEUE_H */

kernel/audit.c

Diff comments View file @ f5caadb

 /* audit.c -- Auditing support
  * Gateway between the kernel (e.g., selinux) and the user-space audit daemon.
  * System-call specific features have moved to auditsc.c
  *
  * Copyright 2003-2007 Red Hat Inc., Durham, North Carolina.
  * All Rights Reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or
  * (at your option) any later version.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  *
  * Written by Rickard E. (Rik) Faith <faith@redhat.com>
  *
  * Goals: 1) Integrate fully with Security Modules.
  *	  2) Minimal run-time overhead:
  *	     a) Minimal when syscall auditing is disabled (audit_enable=0).
  *	     b) Small when syscall auditing is enabled and no audit record
  *		is generated (defer as much work as possible to record
  *		generation time):
  *		i) context is allocated,
  *		ii) names from getname are stored without a copy, and
  *		iii) inode information stored from path_lookup.
  *	  3) Ability to disable syscall auditing at boot time (audit=0).
  *	  4) Usable by other parts of the kernel (if audit_log* is called,
  *	     then a syscall record will be generated automatically for the
  *	     current syscall).
  *	  5) Netlink interface to user-space.
  *	  6) Support low-overhead kernel-based filtering to minimize the
  *	     information that must be passed to user-space.
  *
  * Example user-space utilities: http://people.redhat.com/sgrubb/audit/
  */
 #include <linux/init.h>
 #include <asm/types.h>
 #include <asm/atomic.h>
 #include <linux/mm.h>
 #include <linux/module.h>
 #include <linux/slab.h>
 #include <linux/err.h>
 #include <linux/kthread.h>
 #include <linux/audit.h>
 #include <net/sock.h>
 #include <net/netlink.h>
 #include <linux/skbuff.h>
+#ifdef CONFIG_SECURITY
+#include <linux/security.h>
+#endif
 #include <linux/netlink.h>
 #include <linux/freezer.h>
 #include <linux/tty.h>
 #include "audit.h"
 /* No auditing will take place until audit_initialized == AUDIT_INITIALIZED.
  * (Initialization happens after skb_init is called.) */
 #define AUDIT_DISABLED		-1
 #define AUDIT_UNINITIALIZED	0
 #define AUDIT_INITIALIZED	1
 static int	audit_initialized;
 #define AUDIT_OFF	0
 #define AUDIT_ON	1
 #define AUDIT_LOCKED	2
 int		audit_enabled;
 int		audit_ever_enabled;
 EXPORT_SYMBOL_GPL(audit_enabled);
 /* Default state when kernel boots without any parameters. */
 static int	audit_default;
 /* If auditing cannot proceed, audit_failure selects what happens. */
 static int	audit_failure = AUDIT_FAIL_PRINTK;
 /*
  * If audit records are to be written to the netlink socket, audit_pid
  * contains the pid of the auditd process and audit_nlk_pid contains
  * the pid to use to send netlink messages to that process.
  */
 int		audit_pid;
 static int	audit_nlk_pid;
 /* If audit_rate_limit is non-zero, limit the rate of sending audit records
  * to that number per second.  This prevents DoS attacks, but results in
  * audit records being dropped. */
 static int	audit_rate_limit;
 /* Number of outstanding audit_buffers allowed. */
 static int	audit_backlog_limit = 64;
 static int	audit_backlog_wait_time = 60 * HZ;
 static int	audit_backlog_wait_overflow = 0;
 /* The identity of the user shutting down the audit system. */
 uid_t		audit_sig_uid = -1;
 pid_t		audit_sig_pid = -1;
 u32		audit_sig_sid = 0;
 /* Records can be lost in several ways:
    0) [suppressed in audit_alloc]
    1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
    2) out of memory in audit_log_move [alloc_skb]
    3) suppressed due to audit_rate_limit
    4) suppressed due to audit_backlog_limit
 */
 static atomic_t    audit_lost = ATOMIC_INIT(0);
 /* The netlink socket. */
 static struct sock *audit_sock;
 /* Hash for inode-based rules */
 struct list_head audit_inode_hash[AUDIT_INODE_BUCKETS];
 /* The audit_freelist is a list of pre-allocated audit buffers (if more
  * than AUDIT_MAXFREE are in use, the audit buffer is freed instead of
  * being placed on the freelist). */
 static DEFINE_SPINLOCK(audit_freelist_lock);
 static int	   audit_freelist_count;
 static LIST_HEAD(audit_freelist);
 static struct sk_buff_head audit_skb_queue;
 /* queue of skbs to send to auditd when/if it comes back */
 static struct sk_buff_head audit_skb_hold_queue;
 static struct task_struct *kauditd_task;
 static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
 static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
 /* Serialize requests from userspace. */
 DEFINE_MUTEX(audit_cmd_mutex);
 /* AUDIT_BUFSIZ is the size of the temporary buffer used for formatting
  * audit records.  Since printk uses a 1024 byte buffer, this buffer
  * should be at least that large. */
 #define AUDIT_BUFSIZ 1024
 /* AUDIT_MAXFREE is the number of empty audit_buffers we keep on the
  * audit_freelist.  Doing so eliminates many kmalloc/kfree calls. */
 #define AUDIT_MAXFREE  (2*NR_CPUS)
 /* The audit_buffer is used when formatting an audit record.  The caller
  * locks briefly to get the record off the freelist or to allocate the
  * buffer, and locks briefly to send the buffer to the netlink layer or
  * to place it on a transmit queue.  Multiple audit_buffers can be in
  * use simultaneously. */
 struct audit_buffer {
 	struct list_head     list;
 	struct sk_buff       *skb;	/* formatted skb ready to send */
 	struct audit_context *ctx;	/* NULL or associated context */
 	gfp_t		     gfp_mask;
 };
 struct audit_reply {
 	int pid;
 	struct sk_buff *skb;
 };
 static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
 {
 	if (ab) {
 		struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
 		nlh->nlmsg_pid = pid;
 	}
 }
 void audit_panic(const char *message)
 {
 	switch (audit_failure)
 	{
 	case AUDIT_FAIL_SILENT:
 		break;
 	case AUDIT_FAIL_PRINTK:
 		if (printk_ratelimit())
 			printk(KERN_ERR "audit: %s\n", message);
 		break;
 	case AUDIT_FAIL_PANIC:
 		/* test audit_pid since printk is always losey, why bother? */
 		if (audit_pid)
 			panic("audit: %s\n", message);
 		break;
 	}
 }
 static inline int audit_rate_check(void)
 {
 	static unsigned long	last_check = 0;
 	static int		messages   = 0;
 	static DEFINE_SPINLOCK(lock);
 	unsigned long		flags;
 	unsigned long		now;
 	unsigned long		elapsed;
 	int			retval	   = 0;
 	if (!audit_rate_limit) return 1;
 	spin_lock_irqsave(&lock, flags);
 	if (++messages < audit_rate_limit) {
 		retval = 1;
 	} else {
 		now     = jiffies;
 		elapsed = now - last_check;
 		if (elapsed > HZ) {
 			last_check = now;
 			messages   = 0;
 			retval     = 1;
 		}
 	}
 	spin_unlock_irqrestore(&lock, flags);
 	return retval;
 }
 /**
  * audit_log_lost - conditionally log lost audit message event
  * @message: the message stating reason for lost audit message
  *
  * Emit at least 1 message per second, even if audit_rate_check is
  * throttling.
  * Always increment the lost messages counter.
 */
 void audit_log_lost(const char *message)
 {
 	static unsigned long	last_msg = 0;
 	static DEFINE_SPINLOCK(lock);
 	unsigned long		flags;
 	unsigned long		now;
 	int			print;
 	atomic_inc(&audit_lost);
 	print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
 	if (!print) {
 		spin_lock_irqsave(&lock, flags);
 		now = jiffies;
 		if (now - last_msg > HZ) {
 			print = 1;
 			last_msg = now;
 		}
 		spin_unlock_irqrestore(&lock, flags);
 	}
 	if (print) {
 		if (printk_ratelimit())
 			printk(KERN_WARNING
 				"audit: audit_lost=%d audit_rate_limit=%d "
 				"audit_backlog_limit=%d\n",
 				atomic_read(&audit_lost),
 				audit_rate_limit,
 				audit_backlog_limit);
 		audit_panic(message);
 	}
 }
 static int audit_log_config_change(char *function_name, int new, int old,
 				   uid_t loginuid, u32 sessionid, u32 sid,
 				   int allow_changes)
 {
 	struct audit_buffer *ab;
 	int rc = 0;
 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
 	audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
 			 old, loginuid, sessionid);
 	if (sid) {
 		char *ctx = NULL;
 		u32 len;
 		rc = security_secid_to_secctx(sid, &ctx, &len);
 		if (rc) {
 			audit_log_format(ab, " sid=%u", sid);
 			allow_changes = 0; /* Something weird, deny request */
 		} else {
 			audit_log_format(ab, " subj=%s", ctx);
 			security_release_secctx(ctx, len);
 		}
 	}
 	audit_log_format(ab, " res=%d", allow_changes);
 	audit_log_end(ab);
 	return rc;
 }
 static int audit_do_config_change(char *function_name, int *to_change,
 				  int new, uid_t loginuid, u32 sessionid,
 				  u32 sid)
 {
 	int allow_changes, rc = 0, old = *to_change;
 	/* check if we are locked */
 	if (audit_enabled == AUDIT_LOCKED)
 		allow_changes = 0;
 	else
 		allow_changes = 1;
 	if (audit_enabled != AUDIT_OFF) {
 		rc = audit_log_config_change(function_name, new, old, loginuid,
 					     sessionid, sid, allow_changes);
 		if (rc)
 			allow_changes = 0;
 	}
 	/* If we are allowed, make the change */
 	if (allow_changes == 1)
 		*to_change = new;
 	/* Not allowed, update reason */
 	else if (rc == 0)
 		rc = -EPERM;
 	return rc;
 }
 static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sessionid,
 				u32 sid)
 {
 	return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
 				      limit, loginuid, sessionid, sid);
 }
 static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sessionid,
 				   u32 sid)
 {
 	return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
 				      limit, loginuid, sessionid, sid);
 }
 static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid)
 {
 	int rc;
 	if (state < AUDIT_OFF || state > AUDIT_LOCKED)
 		return -EINVAL;
 	rc =  audit_do_config_change("audit_enabled", &audit_enabled, state,
 				     loginuid, sessionid, sid);
 	if (!rc)
 		audit_ever_enabled |= !!state;
 	return rc;
 }
 static int audit_set_failure(int state, uid_t loginuid, u32 sessionid, u32 sid)
 {
 	if (state != AUDIT_FAIL_SILENT
 	    && state != AUDIT_FAIL_PRINTK
 	    && state != AUDIT_FAIL_PANIC)
 		return -EINVAL;
 	return audit_do_config_change("audit_failure", &audit_failure, state,
 				      loginuid, sessionid, sid);
 }
 /*
  * Queue skbs to be sent to auditd when/if it comes back.  These skbs should
  * already have been sent via prink/syslog and so if these messages are dropped
  * it is not a huge concern since we already passed the audit_log_lost()
  * notification and stuff.  This is just nice to get audit messages during
  * boot before auditd is running or messages generated while auditd is stopped.
  * This only holds messages is audit_default is set, aka booting with audit=1
  * or building your kernel that way.
  */
 static void audit_hold_skb(struct sk_buff *skb)
 {
 	if (audit_default &&
 	    skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit)
 		skb_queue_tail(&audit_skb_hold_queue, skb);
 	else
 		kfree_skb(skb);
 }
 /*
  * For one reason or another this nlh isn't getting delivered to the userspace
  * audit daemon, just send it to printk.
  */
 static void audit_printk_skb(struct sk_buff *skb)
 {
 	struct nlmsghdr *nlh = nlmsg_hdr(skb);
 	char *data = NLMSG_DATA(nlh);
 	if (nlh->nlmsg_type != AUDIT_EOE) {
 		if (printk_ratelimit())
 			printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, data);
 		else
 			audit_log_lost("printk limit exceeded\n");
 	}
 	audit_hold_skb(skb);
 }
 static void kauditd_send_skb(struct sk_buff *skb)
 {
 	int err;
 	/* take a reference in case we can't send it and we want to hold it */
 	skb_get(skb);
 	err = netlink_unicast(audit_sock, skb, audit_nlk_pid, 0);
 	if (err < 0) {
 		BUG_ON(err != -ECONNREFUSED); /* Shouldn't happen */
 		printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
 		audit_log_lost("auditd disappeared\n");
 		audit_pid = 0;
 		/* we might get lucky and get this in the next auditd */
 		audit_hold_skb(skb);
 	} else
 		/* drop the extra reference if sent ok */
 		consume_skb(skb);
 }
 static int kauditd_thread(void *dummy)
 {
 	struct sk_buff *skb;
 	set_freezable();
 	while (!kthread_should_stop()) {
 		/*
 		 * if auditd just started drain the queue of messages already
 		 * sent to syslog/printk.  remember loss here is ok.  we already
 		 * called audit_log_lost() if it didn't go out normally.  so the
 		 * race between the skb_dequeue and the next check for audit_pid
 		 * doesn't matter.
 		 *
 		 * if you ever find kauditd to be too slow we can get a perf win
 		 * by doing our own locking and keeping better track if there
 		 * are messages in this queue.  I don't see the need now, but
 		 * in 5 years when I want to play with this again I'll see this
 		 * note and still have no friggin idea what i'm thinking today.
 		 */
 		if (audit_default && audit_pid) {
 			skb = skb_dequeue(&audit_skb_hold_queue);
 			if (unlikely(skb)) {
 				while (skb && audit_pid) {
 					kauditd_send_skb(skb);
 					skb = skb_dequeue(&audit_skb_hold_queue);
 				}
 			}
 		}
 		skb = skb_dequeue(&audit_skb_queue);
 		wake_up(&audit_backlog_wait);
 		if (skb) {
 			if (audit_pid)
 				kauditd_send_skb(skb);
 			else
 				audit_printk_skb(skb);
 		} else {
 			DECLARE_WAITQUEUE(wait, current);
 			set_current_state(TASK_INTERRUPTIBLE);
 			add_wait_queue(&kauditd_wait, &wait);
 			if (!skb_queue_len(&audit_skb_queue)) {
 				try_to_freeze();
 				schedule();
 			}
 			__set_current_state(TASK_RUNNING);
 			remove_wait_queue(&kauditd_wait, &wait);
 		}
 	}
 	return 0;
 }
 static int audit_prepare_user_tty(pid_t pid, uid_t loginuid, u32 sessionid)
 {
 	struct task_struct *tsk;
 	int err;
 	rcu_read_lock();
 	tsk = find_task_by_vpid(pid);
 	if (!tsk) {
 		rcu_read_unlock();
 		return -ESRCH;
 	}
 	get_task_struct(tsk);
 	rcu_read_unlock();
 	err = tty_audit_push_task(tsk, loginuid, sessionid);
 	put_task_struct(tsk);
 	return err;
 }
 int audit_send_list(void *_dest)
 {
 	struct audit_netlink_list *dest = _dest;
 	int pid = dest->pid;
 	struct sk_buff *skb;
 	/* wait for parent to finish and send an ACK */
 	mutex_lock(&audit_cmd_mutex);
 	mutex_unlock(&audit_cmd_mutex);
 	while ((skb = __skb_dequeue(&dest->q)) != NULL)
 		netlink_unicast(audit_sock, skb, pid, 0);
 	kfree(dest);
 	return 0;
 }
 struct sk_buff *audit_make_reply(int pid, int seq, int type, int done,
 				 int multi, const void *payload, int size)
 {
 	struct sk_buff	*skb;
 	struct nlmsghdr	*nlh;
 	void		*data;
 	int		flags = multi ? NLM_F_MULTI : 0;
 	int		t     = done  ? NLMSG_DONE  : type;
 	skb = nlmsg_new(size, GFP_KERNEL);
 	if (!skb)
 		return NULL;
 	nlh	= NLMSG_NEW(skb, pid, seq, t, size, flags);
 	data	= NLMSG_DATA(nlh);
 	memcpy(data, payload, size);
 	return skb;
 nlmsg_failure:			/* Used by NLMSG_NEW */
 	if (skb)
 		kfree_skb(skb);
 	return NULL;
 }
 static int audit_send_reply_thread(void *arg)
 {
 	struct audit_reply *reply = (struct audit_reply *)arg;
 	mutex_lock(&audit_cmd_mutex);
 	mutex_unlock(&audit_cmd_mutex);
 	/* Ignore failure. It'll only happen if the sender goes away,
 	   because our timeout is set to infinite. */
 	netlink_unicast(audit_sock, reply->skb, reply->pid, 0);
 	kfree(reply);
 	return 0;
 }
 /**
  * audit_send_reply - send an audit reply message via netlink
  * @pid: process id to send reply to
  * @seq: sequence number
  * @type: audit message type
  * @done: done (last) flag
  * @multi: multi-part message flag
  * @payload: payload data
  * @size: payload size
  *
  * Allocates an skb, builds the netlink message, and sends it to the pid.
  * No failure notifications.
  */
 static void audit_send_reply(int pid, int seq, int type, int done, int multi,
 			     const void *payload, int size)
 {
 	struct sk_buff *skb;
 	struct task_struct *tsk;
 	struct audit_reply *reply = kmalloc(sizeof(struct audit_reply),
 					    GFP_KERNEL);
 	if (!reply)
 		return;
 	skb = audit_make_reply(pid, seq, type, done, multi, payload, size);
 	if (!skb)
 		goto out;
 	reply->pid = pid;
 	reply->skb = skb;
 	tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
 	if (!IS_ERR(tsk))
 		return;
 	kfree_skb(skb);
 out:
 	kfree(reply);
 }
 /*
  * Check for appropriate CAP_AUDIT_ capabilities on incoming audit
  * control messages.
  */
 static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 {
 	int err = 0;
 	switch (msg_type) {
 	case AUDIT_GET:
 	case AUDIT_LIST:
 	case AUDIT_LIST_RULES:
 	case AUDIT_SET:
 	case AUDIT_ADD:
 	case AUDIT_ADD_RULE:
 	case AUDIT_DEL:
 	case AUDIT_DEL_RULE:
 	case AUDIT_SIGNAL_INFO:
 	case AUDIT_TTY_GET:
 	case AUDIT_TTY_SET:
 	case AUDIT_TRIM:
 	case AUDIT_MAKE_EQUIV:
 		if (security_netlink_recv(skb, CAP_AUDIT_CONTROL))
 			err = -EPERM;
 		break;
 	case AUDIT_USER:
 	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
 	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
 		if (security_netlink_recv(skb, CAP_AUDIT_WRITE))
 			err = -EPERM;
 		break;
 	default:  /* bad msg */
 		err = -EINVAL;
 	}
 	return err;
 }
 static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
 				     u32 pid, u32 uid, uid_t auid, u32 ses,
 				     u32 sid)
 {
 	int rc = 0;
 	char *ctx = NULL;
 	u32 len;
 	if (!audit_enabled) {
 		*ab = NULL;
 		return rc;
 	}
 	*ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
 	audit_log_format(*ab, "user pid=%d uid=%u auid=%u ses=%u",
 			 pid, uid, auid, ses);
 	if (sid) {
 		rc = security_secid_to_secctx(sid, &ctx, &len);
 		if (rc)
 			audit_log_format(*ab, " ssid=%u", sid);
 		else {
 			audit_log_format(*ab, " subj=%s", ctx);
 			security_release_secctx(ctx, len);
 		}
 	}
 	return rc;
 }
 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 {
 	u32			uid, pid, seq, sid;
 	void			*data;
 	struct audit_status	*status_get, status_set;
 	int			err;
 	struct audit_buffer	*ab;
 	u16			msg_type = nlh->nlmsg_type;
 	uid_t			loginuid; /* loginuid of sender */
 	u32			sessionid;
 	struct audit_sig_info   *sig_data;
 	char			*ctx = NULL;
 	u32			len;
 	err = audit_netlink_ok(skb, msg_type);
 	if (err)
 		return err;
 	/* As soon as there's any sign of userspace auditd,
 	 * start kauditd to talk to it */
 	if (!kauditd_task)
 		kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
 	if (IS_ERR(kauditd_task)) {
 		err = PTR_ERR(kauditd_task);
 		kauditd_task = NULL;
 		return err;
 	}
 	pid  = NETLINK_CREDS(skb)->pid;
 	uid  = NETLINK_CREDS(skb)->uid;
 	loginuid = audit_get_loginuid(current);
 	sessionid = audit_get_sessionid(current);
 	security_task_getsecid(current, &sid);
 	seq  = nlh->nlmsg_seq;
 	data = NLMSG_DATA(nlh);
 	switch (msg_type) {
 	case AUDIT_GET:
 		status_set.enabled	 = audit_enabled;
 		status_set.failure	 = audit_failure;
 		status_set.pid		 = audit_pid;
 		status_set.rate_limit	 = audit_rate_limit;
 		status_set.backlog_limit = audit_backlog_limit;
 		status_set.lost		 = atomic_read(&audit_lost);
 		status_set.backlog	 = skb_queue_len(&audit_skb_queue);
 		audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
 				 &status_set, sizeof(status_set));
 		break;
 	case AUDIT_SET:
 		if (nlh->nlmsg_len < sizeof(struct audit_status))
 			return -EINVAL;
 		status_get   = (struct audit_status *)data;
 		if (status_get->mask & AUDIT_STATUS_ENABLED) {
 			err = audit_set_enabled(status_get->enabled,
 						loginuid, sessionid, sid);
 			if (err < 0)
 				return err;
 		}
 		if (status_get->mask & AUDIT_STATUS_FAILURE) {
 			err = audit_set_failure(status_get->failure,
 						loginuid, sessionid, sid);
 			if (err < 0)
 				return err;
 		}
 		if (status_get->mask & AUDIT_STATUS_PID) {
 			int new_pid = status_get->pid;
 			if (audit_enabled != AUDIT_OFF)
 				audit_log_config_change("audit_pid", new_pid,
 							audit_pid, loginuid,
 							sessionid, sid, 1);
 			audit_pid = new_pid;
 			audit_nlk_pid = NETLINK_CB(skb).pid;
 		}
 		if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) {
 			err = audit_set_rate_limit(status_get->rate_limit,
 						   loginuid, sessionid, sid);
 			if (err < 0)
 				return err;
 		}
 		if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
 			err = audit_set_backlog_limit(status_get->backlog_limit,
 						      loginuid, sessionid, sid);
 		break;
 	case AUDIT_USER:
 	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
 	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
 		if (!audit_enabled && msg_type != AUDIT_USER_AVC)
 			return 0;
 		err = audit_filter_user(&NETLINK_CB(skb));
 		if (err == 1) {
 			err = 0;
 			if (msg_type == AUDIT_USER_TTY) {
 				err = audit_prepare_user_tty(pid, loginuid,
 							     sessionid);
 				if (err)
 					break;
 			}
 			audit_log_common_recv_msg(&ab, msg_type, pid, uid,
 						  loginuid, sessionid, sid);
 			if (msg_type != AUDIT_USER_TTY)
 				audit_log_format(ab, " msg='%.1024s'",
 						 (char *)data);
 			else {
 				int size;
 				audit_log_format(ab, " msg=");
 				size = nlmsg_len(nlh);
 				if (size > 0 &&
 				    ((unsigned char *)data)[size - 1] == '\0')
 					size--;
 				audit_log_n_untrustedstring(ab, data, size);
 			}
 			audit_set_pid(ab, pid);
 			audit_log_end(ab);
 		}
 		break;
 	case AUDIT_ADD:
 	case AUDIT_DEL:
 		if (nlmsg_len(nlh) < sizeof(struct audit_rule))
 			return -EINVAL;
 		if (audit_enabled == AUDIT_LOCKED) {
 			audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
 						  uid, loginuid, sessionid, sid);
 			audit_log_format(ab, " audit_enabled=%d res=0",
 					 audit_enabled);
 			audit_log_end(ab);
 			return -EPERM;
 		}
 		/* fallthrough */
 	case AUDIT_LIST:
 		err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
 					   uid, seq, data, nlmsg_len(nlh),
 					   loginuid, sessionid, sid);
 		break;
 	case AUDIT_ADD_RULE:
 	case AUDIT_DEL_RULE:
 		if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
 			return -EINVAL;
 		if (audit_enabled == AUDIT_LOCKED) {
 			audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
 						  uid, loginuid, sessionid, sid);
 			audit_log_format(ab, " audit_enabled=%d res=0",
 					 audit_enabled);
 			audit_log_end(ab);
 			return -EPERM;
 		}
 		/* fallthrough */
 	case AUDIT_LIST_RULES:
 		err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
 					   uid, seq, data, nlmsg_len(nlh),
 					   loginuid, sessionid, sid);
 		break;
 	case AUDIT_TRIM:
 		audit_trim_trees();
 		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
 					  uid, loginuid, sessionid, sid);
 		audit_log_format(ab, " op=trim res=1");
 		audit_log_end(ab);
 		break;
 	case AUDIT_MAKE_EQUIV: {
 		void *bufp = data;
 		u32 sizes[2];
 		size_t msglen = nlmsg_len(nlh);
 		char *old, *new;
 		err = -EINVAL;
 		if (msglen < 2 * sizeof(u32))
 			break;
 		memcpy(sizes, bufp, 2 * sizeof(u32));
 		bufp += 2 * sizeof(u32);
 		msglen -= 2 * sizeof(u32);
 		old = audit_unpack_string(&bufp, &msglen, sizes[0]);
 		if (IS_ERR(old)) {
 			err = PTR_ERR(old);
 			break;
 		}
 		new = audit_unpack_string(&bufp, &msglen, sizes[1]);
 		if (IS_ERR(new)) {
 			err = PTR_ERR(new);
 			kfree(old);
 			break;
 		}
 		/* OK, here comes... */
 		err = audit_tag_tree(old, new);
 		audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
 					  uid, loginuid, sessionid, sid);
 		audit_log_format(ab, " op=make_equiv old=");
 		audit_log_untrustedstring(ab, old);
 		audit_log_format(ab, " new=");
 		audit_log_untrustedstring(ab, new);
 		audit_log_format(ab, " res=%d", !err);
 		audit_log_end(ab);
 		kfree(old);
 		kfree(new);
 		break;
 	}
 	case AUDIT_SIGNAL_INFO:
 		len = 0;
 		if (audit_sig_sid) {
 			err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
 			if (err)
 				return err;
 		}
 		sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
 		if (!sig_data) {
 			if (audit_sig_sid)
 				security_release_secctx(ctx, len);
 			return -ENOMEM;
 		}
 		sig_data->uid = audit_sig_uid;
 		sig_data->pid = audit_sig_pid;
 		if (audit_sig_sid) {
 			memcpy(sig_data->ctx, ctx, len);
 			security_release_secctx(ctx, len);
 		}
 		audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_SIGNAL_INFO,
 				0, 0, sig_data, sizeof(*sig_data) + len);
 		kfree(sig_data);
 		break;
 	case AUDIT_TTY_GET: {
 		struct audit_tty_status s;
 		struct task_struct *tsk;
 		unsigned long flags;
 		rcu_read_lock();
 		tsk = find_task_by_vpid(pid);
 		if (tsk && lock_task_sighand(tsk, &flags)) {
 			s.enabled = tsk->signal->audit_tty != 0;
 			unlock_task_sighand(tsk, &flags);
 		} else
 			err = -ESRCH;
 		rcu_read_unlock();
 		if (!err)
 			audit_send_reply(NETLINK_CB(skb).pid, seq,
 					 AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
 		break;
 	}
 	case AUDIT_TTY_SET: {
 		struct audit_tty_status *s;
 		struct task_struct *tsk;
 		unsigned long flags;
 		if (nlh->nlmsg_len < sizeof(struct audit_tty_status))
 			return -EINVAL;
 		s = data;
 		if (s->enabled != 0 && s->enabled != 1)
 			return -EINVAL;
 		rcu_read_lock();
 		tsk = find_task_by_vpid(pid);
 		if (tsk && lock_task_sighand(tsk, &flags)) {
 			tsk->signal->audit_tty = s->enabled != 0;
 			unlock_task_sighand(tsk, &flags);
 		} else
 			err = -ESRCH;
 		rcu_read_unlock();
 		break;
 	}
 	default:
 		err = -EINVAL;
 		break;
 	}
 	return err < 0 ? err : 0;
 }
 /*
  * Get message from skb.  Each message is processed by audit_receive_msg.
  * Malformed skbs with wrong length are discarded silently.
  */
 static void audit_receive_skb(struct sk_buff *skb)
 {
 	struct nlmsghdr *nlh;
 	/*
 	 * len MUST be signed for NLMSG_NEXT to be able to dec it below 0
 	 * if the nlmsg_len was not aligned
 	 */
 	int len;
 	int err;
 	nlh = nlmsg_hdr(skb);
 	len = skb->len;
 	while (NLMSG_OK(nlh, len)) {
 		err = audit_receive_msg(skb, nlh);
 		/* if err or if this message says it wants a response */
 		if (err || (nlh->nlmsg_flags & NLM_F_ACK))
 			netlink_ack(skb, nlh, err);
 		nlh = NLMSG_NEXT(nlh, len);
 	}
 }
 /* Receive messages from netlink socket. */
 static void audit_receive(struct sk_buff  *skb)
 {
 	mutex_lock(&audit_cmd_mutex);
 	audit_receive_skb(skb);
 	mutex_unlock(&audit_cmd_mutex);
 }
 /* Initialize audit support at boot time. */
 static int __init audit_init(void)
 {
 	int i;
 	if (audit_initialized == AUDIT_DISABLED)
 		return 0;
 	printk(KERN_INFO "audit: initializing netlink socket (%s)\n",
 	       audit_default ? "enabled" : "disabled");
 	audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, 0,
 					   audit_receive, NULL, THIS_MODULE);
 	if (!audit_sock)
 		audit_panic("cannot initialize netlink socket");
 	else
 		audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
 	skb_queue_head_init(&audit_skb_queue);
 	skb_queue_head_init(&audit_skb_hold_queue);
 	audit_initialized = AUDIT_INITIALIZED;
 	audit_enabled = audit_default;
 	audit_ever_enabled |= !!audit_default;
 	audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
 	for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
 		INIT_LIST_HEAD(&audit_inode_hash[i]);
 	return 0;
 }
 __initcall(audit_init);
 /* Process kernel command-line parameter at boot time.  audit=0 or audit=1. */
 static int __init audit_enable(char *str)
 {
 	audit_default = !!simple_strtol(str, NULL, 0);
 	if (!audit_default)
 		audit_initialized = AUDIT_DISABLED;
 	printk(KERN_INFO "audit: %s", audit_default ? "enabled" : "disabled");
 	if (audit_initialized == AUDIT_INITIALIZED) {
 		audit_enabled = audit_default;
 		audit_ever_enabled |= !!audit_default;
 	} else if (audit_initialized == AUDIT_UNINITIALIZED) {
 		printk(" (after initialization)");
 	} else {
 		printk(" (until reboot)");
 	}
 	printk("\n");
 	return 1;
 }
 __setup("audit=", audit_enable);
 static void audit_buffer_free(struct audit_buffer *ab)
 {
 	unsigned long flags;
 	if (!ab)
 		return;
 	if (ab->skb)
 		kfree_skb(ab->skb);
 	spin_lock_irqsave(&audit_freelist_lock, flags);
 	if (audit_freelist_count > AUDIT_MAXFREE)
 		kfree(ab);
 	else {
 		audit_freelist_count++;
 		list_add(&ab->list, &audit_freelist);
 	}
 	spin_unlock_irqrestore(&audit_freelist_lock, flags);
 }
 static struct audit_buffer * audit_buffer_alloc(struct audit_context *ctx,
 						gfp_t gfp_mask, int type)
 {
 	unsigned long flags;
 	struct audit_buffer *ab = NULL;
 	struct nlmsghdr *nlh;
 	spin_lock_irqsave(&audit_freelist_lock, flags);
 	if (!list_empty(&audit_freelist)) {
 		ab = list_entry(audit_freelist.next,
 				struct audit_buffer, list);
 		list_del(&ab->list);
 		--audit_freelist_count;
 	}
 	spin_unlock_irqrestore(&audit_freelist_lock, flags);
 	if (!ab) {
 		ab = kmalloc(sizeof(*ab), gfp_mask);
 		if (!ab)
 			goto err;
 	}
 	ab->ctx = ctx;
 	ab->gfp_mask = gfp_mask;
 	ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
 	if (!ab->skb)
 		goto nlmsg_failure;
 	nlh = NLMSG_NEW(ab->skb, 0, 0, type, 0, 0);
 	return ab;
 nlmsg_failure:                  /* Used by NLMSG_NEW */
 	kfree_skb(ab->skb);
 	ab->skb = NULL;
 err:
 	audit_buffer_free(ab);
 	return NULL;
 }
 /**
  * audit_serial - compute a serial number for the audit record
  *
  * Compute a serial number for the audit record.  Audit records are
  * written to user-space as soon as they are generated, so a complete
  * audit record may be written in several pieces.  The timestamp of the
  * record and this serial number are used by the user-space tools to
  * determine which pieces belong to the same audit record.  The
  * (timestamp,serial) tuple is unique for each syscall and is live from
  * syscall entry to syscall exit.
  *
  * NOTE: Another possibility is to store the formatted records off the
  * audit context (for those records that have a context), and emit them
  * all at syscall exit.  However, this could delay the reporting of
  * significant errors until syscall exit (or never, if the system
  * halts).
  */
 unsigned int audit_serial(void)
 {
 	static DEFINE_SPINLOCK(serial_lock);
 	static unsigned int serial = 0;
 	unsigned long flags;
 	unsigned int ret;
 	spin_lock_irqsave(&serial_lock, flags);
 	do {
 		ret = ++serial;
 	} while (unlikely(!ret));
 	spin_unlock_irqrestore(&serial_lock, flags);
 	return ret;
 }
 static inline void audit_get_stamp(struct audit_context *ctx,
 				   struct timespec *t, unsigned int *serial)
 {
 	if (!ctx || !auditsc_get_stamp(ctx, t, serial)) {
 		*t = CURRENT_TIME;
 		*serial = audit_serial();
 	}
 }
 /* Obtain an audit buffer.  This routine does locking to obtain the
  * audit buffer, but then no locking is required for calls to
  * audit_log_*format.  If the tsk is a task that is currently in a
  * syscall, then the syscall is marked as auditable and an audit record
  * will be written at syscall exit.  If there is no associated task, tsk
  * should be NULL. */
 /**
  * audit_log_start - obtain an audit buffer
  * @ctx: audit_context (may be NULL)
  * @gfp_mask: type of allocation
  * @type: audit message type
  *
  * Returns audit_buffer pointer on success or NULL on error.
  *
  * Obtain an audit buffer.  This routine does locking to obtain the
  * audit buffer, but then no locking is required for calls to
  * audit_log_*format.  If the task (ctx) is a task that is currently in a
  * syscall, then the syscall is marked as auditable and an audit record
  * will be written at syscall exit.  If there is no associated task, then
  * task context (ctx) should be NULL.
  */
 struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 				     int type)
 {
 	struct audit_buffer	*ab	= NULL;
 	struct timespec		t;
 	unsigned int		uninitialized_var(serial);
 	int reserve;
 	unsigned long timeout_start = jiffies;
 	if (audit_initialized != AUDIT_INITIALIZED)
 		return NULL;
 	if (unlikely(audit_filter_type(type)))
 		return NULL;
 	if (gfp_mask & __GFP_WAIT)
 		reserve = 0;
 	else
 		reserve = 5; /* Allow atomic callers to go up to five
 				entries over the normal backlog limit */
 	while (audit_backlog_limit
 	       && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve) {
 		if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time
 		    && time_before(jiffies, timeout_start + audit_backlog_wait_time)) {
 			/* Wait for auditd to drain the queue a little */
 			DECLARE_WAITQUEUE(wait, current);
 			set_current_state(TASK_INTERRUPTIBLE);
 			add_wait_queue(&audit_backlog_wait, &wait);
 			if (audit_backlog_limit &&
 			    skb_queue_len(&audit_skb_queue) > audit_backlog_limit)
 				schedule_timeout(timeout_start + audit_backlog_wait_time - jiffies);
 			__set_current_state(TASK_RUNNING);
 			remove_wait_queue(&audit_backlog_wait, &wait);
 			continue;
 		}
 		if (audit_rate_check() && printk_ratelimit())
 			printk(KERN_WARNING
 			       "audit: audit_backlog=%d > "
 			       "audit_backlog_limit=%d\n",
 			       skb_queue_len(&audit_skb_queue),
 			       audit_backlog_limit);
 		audit_log_lost("backlog limit exceeded");
 		audit_backlog_wait_time = audit_backlog_wait_overflow;
 		wake_up(&audit_backlog_wait);
 		return NULL;
 	}
 	ab = audit_buffer_alloc(ctx, gfp_mask, type);
 	if (!ab) {
 		audit_log_lost("out of memory in audit_log_start");
 		return NULL;
 	}
 	audit_get_stamp(ab->ctx, &t, &serial);
 	audit_log_format(ab, "audit(%lu.%03lu:%u): ",
 			 t.tv_sec, t.tv_nsec/1000000, serial);
 	return ab;
 }
 /**
  * audit_expand - expand skb in the audit buffer
  * @ab: audit_buffer
  * @extra: space to add at tail of the skb
  *
  * Returns 0 (no space) on failed expansion, or available space if
  * successful.
  */
 static inline int audit_expand(struct audit_buffer *ab, int extra)
 {
 	struct sk_buff *skb = ab->skb;
 	int oldtail = skb_tailroom(skb);
 	int ret = pskb_expand_head(skb, 0, extra, ab->gfp_mask);
 	int newtail = skb_tailroom(skb);
 	if (ret < 0) {
 		audit_log_lost("out of memory in audit_expand");
 		return 0;
 	}
 	skb->truesize += newtail - oldtail;
 	return newtail;
 }
 /*
  * Format an audit message into the audit buffer.  If there isn't enough
  * room in the audit buffer, more room will be allocated and vsnprint
  * will be called a second time.  Currently, we assume that a printk
  * can't format message larger than 1024 bytes, so we don't either.
  */
 static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
 			      va_list args)
 {
 	int len, avail;
 	struct sk_buff *skb;
 	va_list args2;
 	if (!ab)
 		return;
 	BUG_ON(!ab->skb);
 	skb = ab->skb;
 	avail = skb_tailroom(skb);
 	if (avail == 0) {
 		avail = audit_expand(ab, AUDIT_BUFSIZ);
 		if (!avail)
 			goto out;
 	}
 	va_copy(args2, args);
 	len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args);
 	if (len >= avail) {
 		/* The printk buffer is 1024 bytes long, so if we get
 		 * here and AUDIT_BUFSIZ is at least 1024, then we can
 		 * log everything that printk could have logged. */
 		avail = audit_expand(ab,
 			max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
 		if (!avail)
 			goto out;
 		len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
 	}
 	va_end(args2);
 	if (len > 0)
 		skb_put(skb, len);
 out:
 	return;
 }
 /**
  * audit_log_format - format a message into the audit buffer.
  * @ab: audit_buffer
  * @fmt: format string
  * @...: optional parameters matching @fmt string
  *
  * All the work is done in audit_log_vformat.
  */
 void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
 {
 	va_list args;
 	if (!ab)
 		return;
 	va_start(args, fmt);
 	audit_log_vformat(ab, fmt, args);
 	va_end(args);
 }
 /**
  * audit_log_hex - convert a buffer to hex and append it to the audit skb
  * @ab: the audit_buffer
  * @buf: buffer to convert to hex
  * @len: length of @buf to be converted
  *
  * No return value; failure to expand is silently ignored.
  *
  * This function will take the passed buf and convert it into a string of
  * ascii hex digits. The new string is placed onto the skb.
  */
 void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
 		size_t len)
 {
 	int i, avail, new_len;
 	unsigned char *ptr;
 	struct sk_buff *skb;
 	static const unsigned char *hex = "0123456789ABCDEF";
 	if (!ab)
 		return;
 	BUG_ON(!ab->skb);
 	skb = ab->skb;
 	avail = skb_tailroom(skb);
 	new_len = len<<1;
 	if (new_len >= avail) {
 		/* Round the buffer request up to the next multiple */
 		new_len = AUDIT_BUFSIZ*(((new_len-avail)/AUDIT_BUFSIZ) + 1);
 		avail = audit_expand(ab, new_len);
 		if (!avail)
 			return;
 	}
 	ptr = skb_tail_pointer(skb);
 	for (i=0; i<len; i++) {
 		*ptr++ = hex[(buf[i] & 0xF0)>>4]; /* Upper nibble */
 		*ptr++ = hex[buf[i] & 0x0F];	  /* Lower nibble */
 	}
 	*ptr = 0;
 	skb_put(skb, len << 1); /* new string is twice the old string */
 }
 /*
  * Format a string of no more than slen characters into the audit buffer,
  * enclosed in quote marks.
  */
 void audit_log_n_string(struct audit_buffer *ab, const char *string,
 			size_t slen)
 {
 	int avail, new_len;
 	unsigned char *ptr;
 	struct sk_buff *skb;
 	if (!ab)
 		return;
 	BUG_ON(!ab->skb);
 	skb = ab->skb;
 	avail = skb_tailroom(skb);
 	new_len = slen + 3;	/* enclosing quotes + null terminator */
 	if (new_len > avail) {
 		avail = audit_expand(ab, new_len);
 		if (!avail)
 			return;
 	}
 	ptr = skb_tail_pointer(skb);
 	*ptr++ = '"';
 	memcpy(ptr, string, slen);
 	ptr += slen;
 	*ptr++ = '"';
 	*ptr = 0;
 	skb_put(skb, slen + 2);	/* don't include null terminator */
 }
 /**
  * audit_string_contains_control - does a string need to be logged in hex
  * @string: string to be checked
  * @len: max length of the string to check
  */
 int audit_string_contains_control(const char *string, size_t len)
 {
 	const unsigned char *p;
 	for (p = string; p < (const unsigned char *)string + len; p++) {
 		if (*p == '"' || *p < 0x21 || *p > 0x7e)
 			return 1;
 	}
 	return 0;
 }
 /**
  * audit_log_n_untrustedstring - log a string that may contain random characters
  * @ab: audit_buffer
  * @len: length of string (not including trailing null)
  * @string: string to be logged
  *
  * This code will escape a string that is passed to it if the string
  * contains a control character, unprintable character, double quote mark,
  * or a space. Unescaped strings will start and end with a double quote mark.
  * Strings that are escaped are printed in hex (2 digits per char).
  *
  * The caller specifies the number of characters in the string to log, which may
  * or may not be the entire string.
  */
 void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string,
 				 size_t len)
 {
 	if (audit_string_contains_control(string, len))
 		audit_log_n_hex(ab, string, len);
 	else
 		audit_log_n_string(ab, string, len);
 }
 /**
  * audit_log_untrustedstring - log a string that may contain random characters
  * @ab: audit_buffer
  * @string: string to be logged
  *
  * Same as audit_log_n_untrustedstring(), except that strlen is used to
  * determine string length.
  */
 void audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
 {
 	audit_log_n_untrustedstring(ab, string, strlen(string));
 }
 /* This is a helper-function to print the escaped d_path */
 void audit_log_d_path(struct audit_buffer *ab, const char *prefix,
 		      struct path *path)
 {
 	char *p, *pathname;
 	if (prefix)
 		audit_log_format(ab, " %s", prefix);
 	/* We will allow 11 spaces for ' (deleted)' to be appended */
 	pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);
 	if (!pathname) {
 		audit_log_string(ab, "<no_memory>");
 		return;
 	}
 	p = d_path(path, pathname, PATH_MAX+11);
 	if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
 		/* FIXME: can we save some information here? */
 		audit_log_string(ab, "<too_long>");
 	} else
 		audit_log_untrustedstring(ab, p);
 	kfree(pathname);
 }
 void audit_log_key(struct audit_buffer *ab, char *key)
 {
 	audit_log_format(ab, " key=");
 	if (key)
 		audit_log_untrustedstring(ab, key);
 	else
 		audit_log_format(ab, "(null)");
 }
 /**
  * audit_log_end - end one audit record
  * @ab: the audit_buffer
  *
  * The netlink_* functions cannot be called inside an irq context, so
  * the audit buffer is placed on a queue and a tasklet is scheduled to
  * remove them from the queue outside the irq context.  May be called in
  * any context.
  */
 void audit_log_end(struct audit_buffer *ab)
 {
 	if (!ab)
 		return;
 	if (!audit_rate_check()) {
 		audit_log_lost("rate limit exceeded");
 	} else {
 		struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
 		nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
 		if (audit_pid) {
 			skb_queue_tail(&audit_skb_queue, ab->skb);
 			wake_up_interruptible(&kauditd_wait);
 		} else {
 			audit_printk_skb(ab->skb);
 		}
 		ab->skb = NULL;
 	}
 	audit_buffer_free(ab);
 }
 /**
  * audit_log - Log an audit record
  * @ctx: audit context
  * @gfp_mask: type of allocation
  * @type: audit message type
  * @fmt: format string to use
  * @...: variable parameters matching the format string
  *
  * This is a convenience function that calls audit_log_start,
  * audit_log_vformat, and audit_log_end.  It may be called
  * in any context.
  */
 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
 	       const char *fmt, ...)
 {
 	struct audit_buffer *ab;
 	va_list args;
 	ab = audit_log_start(ctx, gfp_mask, type);
 	if (ab) {
 		va_start(args, fmt);
 		audit_log_vformat(ab, fmt, args);
 		va_end(args);
 		audit_log_end(ab);
 	}
 }
+#ifdef CONFIG_SECURITY
+/**
+ * audit_log_secctx - Converts and logs SELinux context
+ * @ab: audit_buffer
+ * @secid: security number
+ *
+ * This is a helper function that calls security_secid_to_secctx to convert
+ * secid to secctx and then adds the (converted) SELinux context to the audit
+ * log by calling audit_log_format, thus also preventing leak of internal secid
+ * to userspace. If secid cannot be converted audit_panic is called.
+ */
+void audit_log_secctx(struct audit_buffer *ab, u32 secid)
+{
+	u32 len;
+	char *secctx;
+	if (security_secid_to_secctx(secid, &secctx, &len)) {
+		audit_panic("Cannot convert secid to context");
+	} else {
+		audit_log_format(ab, " obj=%s", secctx);
+		security_release_secctx(secctx, len);
+	}
+}
+EXPORT_SYMBOL(audit_log_secctx);
+#endif
 EXPORT_SYMBOL(audit_log_start);
 EXPORT_SYMBOL(audit_log_end);
 EXPORT_SYMBOL(audit_log_format);
 EXPORT_SYMBOL(audit_log);

net/netfilter/ipset/ip_set_hash_ip.c

Diff comments View file @ f5caadb

 /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
 /* Kernel module implementing an IP set type: the hash:ip type */
 #include <linux/jhash.h>
 #include <linux/module.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
 #include <linux/errno.h>
 #include <linux/random.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
 #include <net/netlink.h>
 #include <net/tcp.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/ipset/pfxlen.h>
 #include <linux/netfilter/ipset/ip_set.h>
 #include <linux/netfilter/ipset/ip_set_timeout.h>
 #include <linux/netfilter/ipset/ip_set_hash.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("hash:ip type of IP sets");
 MODULE_ALIAS("ip_set_hash:ip");
 /* Type specific function prefix */
 #define TYPE		hash_ip
 static bool
 hash_ip_same_set(const struct ip_set *a, const struct ip_set *b);
 #define hash_ip4_same_set	hash_ip_same_set
 #define hash_ip6_same_set	hash_ip_same_set
 /* The type variant functions: IPv4 */
 /* Member elements without timeout */
 struct hash_ip4_elem {
 	__be32 ip;
 };
 /* Member elements with timeout support */
 struct hash_ip4_telem {
 	__be32 ip;
 	unsigned long timeout;
 };
 static inline bool
 hash_ip4_data_equal(const struct hash_ip4_elem *ip1,
-		    const struct hash_ip4_elem *ip2)
+		    const struct hash_ip4_elem *ip2,
+		    u32 *multi)
 {
 	return ip1->ip == ip2->ip;
 }
 static inline bool
 hash_ip4_data_isnull(const struct hash_ip4_elem *elem)
 {
 	return elem->ip == 0;
 }
 static inline void
 hash_ip4_data_copy(struct hash_ip4_elem *dst, const struct hash_ip4_elem *src)
 {
 	dst->ip = src->ip;
 }
 /* Zero valued IP addresses cannot be stored */
 static inline void
 hash_ip4_data_zero_out(struct hash_ip4_elem *elem)
 {
 	elem->ip = 0;
 }
 static inline bool
 hash_ip4_data_list(struct sk_buff *skb, const struct hash_ip4_elem *data)
 {
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_ip4_data_tlist(struct sk_buff *skb, const struct hash_ip4_elem *data)
 {
 	const struct hash_ip4_telem *tdata =
 		(const struct hash_ip4_telem *)data;
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(tdata->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #define IP_SET_HASH_WITH_NETMASK
 #define PF		4
 #define HOST_MASK	32
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_ip4_data_next(struct ip_set_hash *h, const struct hash_ip4_elem *d)
 {
 	h->next.ip = ntohl(d->ip);
 }
 static int
 hash_ip4_kadt(struct ip_set *set, const struct sk_buff *skb,
 	      const struct xt_action_param *par,
 	      enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	__be32 ip;
 	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &ip);
 	ip &= ip_set_netmask(h->netmask);
 	if (ip == 0)
 		return -EINVAL;
 	return adtfn(set, &ip, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
 	      enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	u32 ip, ip_to, hosts, timeout = h->timeout;
 	__be32 nip;
 	int ret = 0;
 	if (unlikely(!tb[IPSET_ATTR_IP] ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
 	if (ret)
 		return ret;
 	ip &= ip_set_hostmask(h->netmask);
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	if (adt == IPSET_TEST) {
 		nip = htonl(ip);
 		if (nip == 0)
 			return -IPSET_ERR_HASH_ELEM;
 		return adtfn(set, &nip, timeout, flags);
 	}
 	if (tb[IPSET_ATTR_IP_TO]) {
 		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 		if (ret)
 			return ret;
 		if (ip > ip_to)
 			swap(ip, ip_to);
 	} else if (tb[IPSET_ATTR_CIDR]) {
 		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 		if (cidr > 32)
 			return -IPSET_ERR_INVALID_CIDR;
 		ip_set_mask_from_to(ip, ip_to, cidr);
 	} else
 		ip_to = ip;
 	hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);
 	if (retried)
 		ip = h->next.ip;
 	for (; !before(ip_to, ip); ip += hosts) {
 		nip = htonl(ip);
 		if (nip == 0)
 			return -IPSET_ERR_HASH_ELEM;
 		ret = adtfn(set, &nip, timeout, flags);
 		if (ret && !ip_set_eexist(ret, flags))
 			return ret;
 		else
 			ret = 0;
 	}
 	return ret;
 }
 static bool
 hash_ip_same_set(const struct ip_set *a, const struct ip_set *b)
 {
 	const struct ip_set_hash *x = a->data;
 	const struct ip_set_hash *y = b->data;
 	/* Resizing changes htable_bits, so we ignore it */
 	return x->maxelem == y->maxelem &&
 	       x->timeout == y->timeout &&
 	       x->netmask == y->netmask;
 }
 /* The type variant functions: IPv6 */
 struct hash_ip6_elem {
 	union nf_inet_addr ip;
 };
 struct hash_ip6_telem {
 	union nf_inet_addr ip;
 	unsigned long timeout;
 };
 static inline bool
 hash_ip6_data_equal(const struct hash_ip6_elem *ip1,
-		    const struct hash_ip6_elem *ip2)
+		    const struct hash_ip6_elem *ip2,
+		    u32 *multi)
 {
 	return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0;
 }
 static inline bool
 hash_ip6_data_isnull(const struct hash_ip6_elem *elem)
 {
 	return ipv6_addr_any(&elem->ip.in6);
 }
 static inline void
 hash_ip6_data_copy(struct hash_ip6_elem *dst, const struct hash_ip6_elem *src)
 {
 	ipv6_addr_copy(&dst->ip.in6, &src->ip.in6);
 }
 static inline void
 hash_ip6_data_zero_out(struct hash_ip6_elem *elem)
 {
 	ipv6_addr_set(&elem->ip.in6, 0, 0, 0, 0);
 }
 static inline void
 ip6_netmask(union nf_inet_addr *ip, u8 prefix)
 {
 	ip->ip6[0] &= ip_set_netmask6(prefix)[0];
 	ip->ip6[1] &= ip_set_netmask6(prefix)[1];
 	ip->ip6[2] &= ip_set_netmask6(prefix)[2];
 	ip->ip6[3] &= ip_set_netmask6(prefix)[3];
 }
 static bool
 hash_ip6_data_list(struct sk_buff *skb, const struct hash_ip6_elem *data)
 {
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_ip6_data_tlist(struct sk_buff *skb, const struct hash_ip6_elem *data)
 {
 	const struct hash_ip6_telem *e =
 		(const struct hash_ip6_telem *)data;
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(e->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #undef PF
 #undef HOST_MASK
 #define PF		6
 #define HOST_MASK	128
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_ip6_data_next(struct ip_set_hash *h, const struct hash_ip6_elem *d)
 {
 }
 static int
 hash_ip6_kadt(struct ip_set *set, const struct sk_buff *skb,
 	      const struct xt_action_param *par,
 	      enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	union nf_inet_addr ip;
 	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &ip.in6);
 	ip6_netmask(&ip, h->netmask);
 	if (ipv6_addr_any(&ip.in6))
 		return -EINVAL;
 	return adtfn(set, &ip, opt_timeout(opt, h), opt->cmdflags);
 }
 static const struct nla_policy hash_ip6_adt_policy[IPSET_ATTR_ADT_MAX + 1] = {
 	[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
 	[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 	[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 };
 static int
 hash_ip6_uadt(struct ip_set *set, struct nlattr *tb[],
 	      enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	union nf_inet_addr ip;
 	u32 timeout = h->timeout;
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
 		     tb[IPSET_ATTR_IP_TO] ||
 		     tb[IPSET_ATTR_CIDR]))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &ip);
 	if (ret)
 		return ret;
 	ip6_netmask(&ip, h->netmask);
 	if (ipv6_addr_any(&ip.in6))
 		return -IPSET_ERR_HASH_ELEM;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	ret = adtfn(set, &ip, timeout, flags);
 	return ip_set_eexist(ret, flags) ? 0 : ret;
 }
 /* Create hash:ip type of sets */
 static int
 hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 {
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 netmask, hbits;
 	struct ip_set_hash *h;
 	if (!(set->family == AF_INET || set->family == AF_INET6))
 		return -IPSET_ERR_INVALID_FAMILY;
 	netmask = set->family == AF_INET ? 32 : 128;
 	pr_debug("Create set %s with family %s\n",
 		 set->name, set->family == AF_INET ? "inet" : "inet6");
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_HASHSIZE]) {
 		hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
 		if (hashsize < IPSET_MIMINAL_HASHSIZE)
 			hashsize = IPSET_MIMINAL_HASHSIZE;
 	}
 	if (tb[IPSET_ATTR_MAXELEM])
 		maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
 	if (tb[IPSET_ATTR_NETMASK]) {
 		netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
 		if ((set->family == AF_INET && netmask > 32) ||
 		    (set->family == AF_INET6 && netmask > 128) ||
 		    netmask == 0)
 			return -IPSET_ERR_INVALID_NETMASK;
 	}
 	h = kzalloc(sizeof(*h), GFP_KERNEL);
 	if (!h)
 		return -ENOMEM;
 	h->maxelem = maxelem;
 	h->netmask = netmask;
 	get_random_bytes(&h->initval, sizeof(h->initval));
 	h->timeout = IPSET_NO_TIMEOUT;
 	hbits = htable_bits(hashsize);
 	h->table = ip_set_alloc(
 			sizeof(struct htable)
 			+ jhash_size(hbits) * sizeof(struct hbucket));
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
 	}
 	h->table->htable_bits = hbits;
 	set->data = h;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 		set->variant = set->family == AF_INET
 			? &hash_ip4_tvariant : &hash_ip6_tvariant;
 		if (set->family == AF_INET)
 			hash_ip4_gc_init(set);
 		else
 			hash_ip6_gc_init(set);
 	} else {
 		set->variant = set->family == AF_INET
 			? &hash_ip4_variant : &hash_ip6_variant;
 	}
 	pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
 		 set->name, jhash_size(h->table->htable_bits),
 		 h->table->htable_bits, h->maxelem, set->data, h->table);
 	return 0;
 }
 static struct ip_set_type hash_ip_type __read_mostly = {
 	.name		= "hash:ip",
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP,
 	.dimension	= IPSET_DIM_ONE,
 	.family		= AF_UNSPEC,
 	.revision_min	= 0,
 	.revision_max	= 0,
 	.create		= hash_ip_create,
 	.create_policy	= {
 		[IPSET_ATTR_HASHSIZE]	= { .type = NLA_U32 },
 		[IPSET_ATTR_MAXELEM]	= { .type = NLA_U32 },
 		[IPSET_ATTR_PROBES]	= { .type = NLA_U8 },
 		[IPSET_ATTR_RESIZE]	= { .type = NLA_U8  },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 		[IPSET_ATTR_NETMASK]	= { .type = NLA_U8  },
 	},
 	.adt_policy	= {
 		[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
 		[IPSET_ATTR_IP_TO]	= { .type = NLA_NESTED },
 		[IPSET_ATTR_CIDR]	= { .type = NLA_U8 },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 	},
 	.me		= THIS_MODULE,
 };
 static int __init
 hash_ip_init(void)
 {
 	return ip_set_type_register(&hash_ip_type);
 }
 static void __exit
 hash_ip_fini(void)
 {
 	ip_set_type_unregister(&hash_ip_type);
 }
 module_init(hash_ip_init);
 module_exit(hash_ip_fini);

net/netfilter/ipset/ip_set_hash_ipport.c

Diff comments View file @ f5caadb

 /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
 /* Kernel module implementing an IP set type: the hash:ip,port type */
 #include <linux/jhash.h>
 #include <linux/module.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
 #include <linux/errno.h>
 #include <linux/random.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
 #include <net/netlink.h>
 #include <net/tcp.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/ipset/pfxlen.h>
 #include <linux/netfilter/ipset/ip_set.h>
 #include <linux/netfilter/ipset/ip_set_timeout.h>
 #include <linux/netfilter/ipset/ip_set_getport.h>
 #include <linux/netfilter/ipset/ip_set_hash.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("hash:ip,port type of IP sets");
 MODULE_ALIAS("ip_set_hash:ip,port");
 /* Type specific function prefix */
 #define TYPE		hash_ipport
 static bool
 hash_ipport_same_set(const struct ip_set *a, const struct ip_set *b);
 #define hash_ipport4_same_set	hash_ipport_same_set
 #define hash_ipport6_same_set	hash_ipport_same_set
 /* The type variant functions: IPv4 */
 /* Member elements without timeout */
 struct hash_ipport4_elem {
 	__be32 ip;
 	__be16 port;
 	u8 proto;
 	u8 padding;
 };
 /* Member elements with timeout support */
 struct hash_ipport4_telem {
 	__be32 ip;
 	__be16 port;
 	u8 proto;
 	u8 padding;
 	unsigned long timeout;
 };
 static inline bool
 hash_ipport4_data_equal(const struct hash_ipport4_elem *ip1,
-			const struct hash_ipport4_elem *ip2)
+			const struct hash_ipport4_elem *ip2,
+			u32 *multi)
 {
 	return ip1->ip == ip2->ip &&
 	       ip1->port == ip2->port &&
 	       ip1->proto == ip2->proto;
 }
 static inline bool
 hash_ipport4_data_isnull(const struct hash_ipport4_elem *elem)
 {
 	return elem->proto == 0;
 }
 static inline void
 hash_ipport4_data_copy(struct hash_ipport4_elem *dst,
 		       const struct hash_ipport4_elem *src)
 {
 	dst->ip = src->ip;
 	dst->port = src->port;
 	dst->proto = src->proto;
 }
 static inline void
 hash_ipport4_data_zero_out(struct hash_ipport4_elem *elem)
 {
 	elem->proto = 0;
 }
 static bool
 hash_ipport4_data_list(struct sk_buff *skb,
 		       const struct hash_ipport4_elem *data)
 {
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_ipport4_data_tlist(struct sk_buff *skb,
 			const struct hash_ipport4_elem *data)
 {
 	const struct hash_ipport4_telem *tdata =
 		(const struct hash_ipport4_telem *)data;
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(tdata->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #define PF		4
 #define HOST_MASK	32
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_ipport4_data_next(struct ip_set_hash *h,
 		       const struct hash_ipport4_elem *d)
 {
 	h->next.ip = ntohl(d->ip);
 	h->next.port = ntohs(d->port);
 }
 static int
 hash_ipport4_kadt(struct ip_set *set, const struct sk_buff *skb,
 		  const struct xt_action_param *par,
 		  enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipport4_elem data = { };
 	if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
 				 &data.port, &data.proto))
 		return -EINVAL;
 	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
 	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
 		  enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipport4_elem data = { };
 	u32 ip, ip_to, p = 0, port, port_to;
 	u32 timeout = h->timeout;
 	bool with_ports = false;
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] ||
 		     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip);
 	if (ret)
 		return ret;
 	if (tb[IPSET_ATTR_PORT])
 		data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
 	else
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_PROTO]) {
 		data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
 		with_ports = ip_set_proto_with_ports(data.proto);
 		if (data.proto == 0)
 			return -IPSET_ERR_INVALID_PROTO;
 	} else
 		return -IPSET_ERR_MISSING_PROTO;
 	if (!(with_ports || data.proto == IPPROTO_ICMP))
 		data.port = 0;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	if (adt == IPSET_TEST ||
 	    !(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_CIDR] ||
 	      tb[IPSET_ATTR_PORT_TO])) {
 		ret = adtfn(set, &data, timeout, flags);
 		return ip_set_eexist(ret, flags) ? 0 : ret;
 	}
 	ip = ntohl(data.ip);
 	if (tb[IPSET_ATTR_IP_TO]) {
 		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 		if (ret)
 			return ret;
 		if (ip > ip_to)
 			swap(ip, ip_to);
 	} else if (tb[IPSET_ATTR_CIDR]) {
 		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 		if (cidr > 32)
 			return -IPSET_ERR_INVALID_CIDR;
 		ip_set_mask_from_to(ip, ip_to, cidr);
 	} else
 		ip_to = ip;
 	port_to = port = ntohs(data.port);
 	if (with_ports && tb[IPSET_ATTR_PORT_TO]) {
 		port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
 		if (port > port_to)
 			swap(port, port_to);
 	}
 	if (retried)
 		ip = h->next.ip;
 	for (; !before(ip_to, ip); ip++) {
 		p = retried && ip == h->next.ip ? h->next.port : port;
 		for (; p <= port_to; p++) {
 			data.ip = htonl(ip);
 			data.port = htons(p);
 			ret = adtfn(set, &data, timeout, flags);
 			if (ret && !ip_set_eexist(ret, flags))
 				return ret;
 			else
 				ret = 0;
 		}
 	}
 	return ret;
 }
 static bool
 hash_ipport_same_set(const struct ip_set *a, const struct ip_set *b)
 {
 	const struct ip_set_hash *x = a->data;
 	const struct ip_set_hash *y = b->data;
 	/* Resizing changes htable_bits, so we ignore it */
 	return x->maxelem == y->maxelem &&
 	       x->timeout == y->timeout;
 }
 /* The type variant functions: IPv6 */
 struct hash_ipport6_elem {
 	union nf_inet_addr ip;
 	__be16 port;
 	u8 proto;
 	u8 padding;
 };
 struct hash_ipport6_telem {
 	union nf_inet_addr ip;
 	__be16 port;
 	u8 proto;
 	u8 padding;
 	unsigned long timeout;
 };
 static inline bool
 hash_ipport6_data_equal(const struct hash_ipport6_elem *ip1,
-			const struct hash_ipport6_elem *ip2)
+			const struct hash_ipport6_elem *ip2,
+			u32 *multi)
 {
 	return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
 	       ip1->port == ip2->port &&
 	       ip1->proto == ip2->proto;
 }
 static inline bool
 hash_ipport6_data_isnull(const struct hash_ipport6_elem *elem)
 {
 	return elem->proto == 0;
 }
 static inline void
 hash_ipport6_data_copy(struct hash_ipport6_elem *dst,
 		       const struct hash_ipport6_elem *src)
 {
 	memcpy(dst, src, sizeof(*dst));
 }
 static inline void
 hash_ipport6_data_zero_out(struct hash_ipport6_elem *elem)
 {
 	elem->proto = 0;
 }
 static bool
 hash_ipport6_data_list(struct sk_buff *skb,
 		       const struct hash_ipport6_elem *data)
 {
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_ipport6_data_tlist(struct sk_buff *skb,
 			const struct hash_ipport6_elem *data)
 {
 	const struct hash_ipport6_telem *e =
 		(const struct hash_ipport6_telem *)data;
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(e->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #undef PF
 #undef HOST_MASK
 #define PF		6
 #define HOST_MASK	128
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_ipport6_data_next(struct ip_set_hash *h,
 		       const struct hash_ipport6_elem *d)
 {
 	h->next.port = ntohs(d->port);
 }
 static int
 hash_ipport6_kadt(struct ip_set *set, const struct sk_buff *skb,
 		  const struct xt_action_param *par,
 		  enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipport6_elem data = { };
 	if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
 				 &data.port, &data.proto))
 		return -EINVAL;
 	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
 	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_ipport6_uadt(struct ip_set *set, struct nlattr *tb[],
 		  enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipport6_elem data = { };
 	u32 port, port_to;
 	u32 timeout = h->timeout;
 	bool with_ports = false;
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] ||
 		     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
 		     tb[IPSET_ATTR_IP_TO] ||
 		     tb[IPSET_ATTR_CIDR]))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
 	if (ret)
 		return ret;
 	if (tb[IPSET_ATTR_PORT])
 		data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
 	else
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_PROTO]) {
 		data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
 		with_ports = ip_set_proto_with_ports(data.proto);
 		if (data.proto == 0)
 			return -IPSET_ERR_INVALID_PROTO;
 	} else
 		return -IPSET_ERR_MISSING_PROTO;
 	if (!(with_ports || data.proto == IPPROTO_ICMPV6))
 		data.port = 0;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
 		ret = adtfn(set, &data, timeout, flags);
 		return ip_set_eexist(ret, flags) ? 0 : ret;
 	}
 	port = ntohs(data.port);
 	port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
 	if (port > port_to)
 		swap(port, port_to);
 	if (retried)
 		port = h->next.port;
 	for (; port <= port_to; port++) {
 		data.port = htons(port);
 		ret = adtfn(set, &data, timeout, flags);
 		if (ret && !ip_set_eexist(ret, flags))
 			return ret;
 		else
 			ret = 0;
 	}
 	return ret;
 }
 /* Create hash:ip type of sets */
 static int
 hash_ipport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 {
 	struct ip_set_hash *h;
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
 	if (!(set->family == AF_INET || set->family == AF_INET6))
 		return -IPSET_ERR_INVALID_FAMILY;
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_HASHSIZE]) {
 		hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
 		if (hashsize < IPSET_MIMINAL_HASHSIZE)
 			hashsize = IPSET_MIMINAL_HASHSIZE;
 	}
 	if (tb[IPSET_ATTR_MAXELEM])
 		maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
 	h = kzalloc(sizeof(*h), GFP_KERNEL);
 	if (!h)
 		return -ENOMEM;
 	h->maxelem = maxelem;
 	get_random_bytes(&h->initval, sizeof(h->initval));
 	h->timeout = IPSET_NO_TIMEOUT;
 	hbits = htable_bits(hashsize);
 	h->table = ip_set_alloc(
 			sizeof(struct htable)
 			+ jhash_size(hbits) * sizeof(struct hbucket));
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
 	}
 	h->table->htable_bits = hbits;
 	set->data = h;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 		set->variant = set->family == AF_INET
 			? &hash_ipport4_tvariant : &hash_ipport6_tvariant;
 		if (set->family == AF_INET)
 			hash_ipport4_gc_init(set);
 		else
 			hash_ipport6_gc_init(set);
 	} else {
 		set->variant = set->family == AF_INET
 			? &hash_ipport4_variant : &hash_ipport6_variant;
 	}
 	pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
 		 set->name, jhash_size(h->table->htable_bits),
 		 h->table->htable_bits, h->maxelem, set->data, h->table);
 	return 0;
 }
 static struct ip_set_type hash_ipport_type __read_mostly = {
 	.name		= "hash:ip,port",
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP | IPSET_TYPE_PORT,
 	.dimension	= IPSET_DIM_TWO,
 	.family		= AF_UNSPEC,
 	.revision_min	= 0,
 	.revision_max	= 1,	/* SCTP and UDPLITE support added */
 	.create		= hash_ipport_create,
 	.create_policy	= {
 		[IPSET_ATTR_HASHSIZE]	= { .type = NLA_U32 },
 		[IPSET_ATTR_MAXELEM]	= { .type = NLA_U32 },
 		[IPSET_ATTR_PROBES]	= { .type = NLA_U8 },
 		[IPSET_ATTR_RESIZE]	= { .type = NLA_U8  },
 		[IPSET_ATTR_PROTO]	= { .type = NLA_U8 },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 	},
 	.adt_policy	= {
 		[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
 		[IPSET_ATTR_IP_TO]	= { .type = NLA_NESTED },
 		[IPSET_ATTR_PORT]	= { .type = NLA_U16 },
 		[IPSET_ATTR_PORT_TO]	= { .type = NLA_U16 },
 		[IPSET_ATTR_CIDR]	= { .type = NLA_U8 },
 		[IPSET_ATTR_PROTO]	= { .type = NLA_U8 },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 	},
 	.me		= THIS_MODULE,
 };
 static int __init
 hash_ipport_init(void)
 {
 	return ip_set_type_register(&hash_ipport_type);
 }
 static void __exit
 hash_ipport_fini(void)
 {
 	ip_set_type_unregister(&hash_ipport_type);
 }
 module_init(hash_ipport_init);
 module_exit(hash_ipport_fini);

net/netfilter/ipset/ip_set_hash_ipportip.c

Diff comments View file @ f5caadb

 /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
 /* Kernel module implementing an IP set type: the hash:ip,port,ip type */
 #include <linux/jhash.h>
 #include <linux/module.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
 #include <linux/errno.h>
 #include <linux/random.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
 #include <net/netlink.h>
 #include <net/tcp.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/ipset/pfxlen.h>
 #include <linux/netfilter/ipset/ip_set.h>
 #include <linux/netfilter/ipset/ip_set_timeout.h>
 #include <linux/netfilter/ipset/ip_set_getport.h>
 #include <linux/netfilter/ipset/ip_set_hash.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("hash:ip,port,ip type of IP sets");
 MODULE_ALIAS("ip_set_hash:ip,port,ip");
 /* Type specific function prefix */
 #define TYPE		hash_ipportip
 static bool
 hash_ipportip_same_set(const struct ip_set *a, const struct ip_set *b);
 #define hash_ipportip4_same_set	hash_ipportip_same_set
 #define hash_ipportip6_same_set	hash_ipportip_same_set
 /* The type variant functions: IPv4 */
 /* Member elements without timeout */
 struct hash_ipportip4_elem {
 	__be32 ip;
 	__be32 ip2;
 	__be16 port;
 	u8 proto;
 	u8 padding;
 };
 /* Member elements with timeout support */
 struct hash_ipportip4_telem {
 	__be32 ip;
 	__be32 ip2;
 	__be16 port;
 	u8 proto;
 	u8 padding;
 	unsigned long timeout;
 };
 static inline bool
 hash_ipportip4_data_equal(const struct hash_ipportip4_elem *ip1,
-			  const struct hash_ipportip4_elem *ip2)
+			  const struct hash_ipportip4_elem *ip2,
+			  u32 *multi)
 {
 	return ip1->ip == ip2->ip &&
 	       ip1->ip2 == ip2->ip2 &&
 	       ip1->port == ip2->port &&
 	       ip1->proto == ip2->proto;
 }
 static inline bool
 hash_ipportip4_data_isnull(const struct hash_ipportip4_elem *elem)
 {
 	return elem->proto == 0;
 }
 static inline void
 hash_ipportip4_data_copy(struct hash_ipportip4_elem *dst,
 			 const struct hash_ipportip4_elem *src)
 {
 	memcpy(dst, src, sizeof(*dst));
 }
 static inline void
 hash_ipportip4_data_zero_out(struct hash_ipportip4_elem *elem)
 {
 	elem->proto = 0;
 }
 static bool
 hash_ipportip4_data_list(struct sk_buff *skb,
 		       const struct hash_ipportip4_elem *data)
 {
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, data->ip2);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_ipportip4_data_tlist(struct sk_buff *skb,
 			const struct hash_ipportip4_elem *data)
 {
 	const struct hash_ipportip4_telem *tdata =
 		(const struct hash_ipportip4_telem *)data;
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, tdata->ip2);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(tdata->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #define PF		4
 #define HOST_MASK	32
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_ipportip4_data_next(struct ip_set_hash *h,
 			 const struct hash_ipportip4_elem *d)
 {
 	h->next.ip = ntohl(d->ip);
 	h->next.port = ntohs(d->port);
 }
 static int
 hash_ipportip4_kadt(struct ip_set *set, const struct sk_buff *skb,
 		    const struct xt_action_param *par,
 		    enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipportip4_elem data = { };
 	if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
 				 &data.port, &data.proto))
 		return -EINVAL;
 	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
 	ip4addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &data.ip2);
 	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
 		    enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipportip4_elem data = { };
 	u32 ip, ip_to, p = 0, port, port_to;
 	u32 timeout = h->timeout;
 	bool with_ports = false;
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
 		     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip);
 	if (ret)
 		return ret;
 	ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP2], &data.ip2);
 	if (ret)
 		return ret;
 	if (tb[IPSET_ATTR_PORT])
 		data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
 	else
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_PROTO]) {
 		data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
 		with_ports = ip_set_proto_with_ports(data.proto);
 		if (data.proto == 0)
 			return -IPSET_ERR_INVALID_PROTO;
 	} else
 		return -IPSET_ERR_MISSING_PROTO;
 	if (!(with_ports || data.proto == IPPROTO_ICMP))
 		data.port = 0;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	if (adt == IPSET_TEST ||
 	    !(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_CIDR] ||
 	      tb[IPSET_ATTR_PORT_TO])) {
 		ret = adtfn(set, &data, timeout, flags);
 		return ip_set_eexist(ret, flags) ? 0 : ret;
 	}
 	ip = ntohl(data.ip);
 	if (tb[IPSET_ATTR_IP_TO]) {
 		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 		if (ret)
 			return ret;
 		if (ip > ip_to)
 			swap(ip, ip_to);
 	} else if (tb[IPSET_ATTR_CIDR]) {
 		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 		if (cidr > 32)
 			return -IPSET_ERR_INVALID_CIDR;
 		ip_set_mask_from_to(ip, ip_to, cidr);
 	} else
 		ip_to = ip;
 	port_to = port = ntohs(data.port);
 	if (with_ports && tb[IPSET_ATTR_PORT_TO]) {
 		port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
 		if (port > port_to)
 			swap(port, port_to);
 	}
 	if (retried)
 		ip = h->next.ip;
 	for (; !before(ip_to, ip); ip++) {
 		p = retried && ip == h->next.ip ? h->next.port : port;
 		for (; p <= port_to; p++) {
 			data.ip = htonl(ip);
 			data.port = htons(p);
 			ret = adtfn(set, &data, timeout, flags);
 			if (ret && !ip_set_eexist(ret, flags))
 				return ret;
 			else
 				ret = 0;
 		}
 	}
 	return ret;
 }
 static bool
 hash_ipportip_same_set(const struct ip_set *a, const struct ip_set *b)
 {
 	const struct ip_set_hash *x = a->data;
 	const struct ip_set_hash *y = b->data;
 	/* Resizing changes htable_bits, so we ignore it */
 	return x->maxelem == y->maxelem &&
 	       x->timeout == y->timeout;
 }
 /* The type variant functions: IPv6 */
 struct hash_ipportip6_elem {
 	union nf_inet_addr ip;
 	union nf_inet_addr ip2;
 	__be16 port;
 	u8 proto;
 	u8 padding;
 };
 struct hash_ipportip6_telem {
 	union nf_inet_addr ip;
 	union nf_inet_addr ip2;
 	__be16 port;
 	u8 proto;
 	u8 padding;
 	unsigned long timeout;
 };
 static inline bool
 hash_ipportip6_data_equal(const struct hash_ipportip6_elem *ip1,
-			  const struct hash_ipportip6_elem *ip2)
+			  const struct hash_ipportip6_elem *ip2,
+			  u32 *multi)
 {
 	return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
 	       ipv6_addr_cmp(&ip1->ip2.in6, &ip2->ip2.in6) == 0 &&
 	       ip1->port == ip2->port &&
 	       ip1->proto == ip2->proto;
 }
 static inline bool
 hash_ipportip6_data_isnull(const struct hash_ipportip6_elem *elem)
 {
 	return elem->proto == 0;
 }
 static inline void
 hash_ipportip6_data_copy(struct hash_ipportip6_elem *dst,
 			 const struct hash_ipportip6_elem *src)
 {
 	memcpy(dst, src, sizeof(*dst));
 }
 static inline void
 hash_ipportip6_data_zero_out(struct hash_ipportip6_elem *elem)
 {
 	elem->proto = 0;
 }
 static bool
 hash_ipportip6_data_list(struct sk_buff *skb,
 			 const struct hash_ipportip6_elem *data)
 {
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_ipportip6_data_tlist(struct sk_buff *skb,
 			  const struct hash_ipportip6_elem *data)
 {
 	const struct hash_ipportip6_telem *e =
 		(const struct hash_ipportip6_telem *)data;
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(e->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #undef PF
 #undef HOST_MASK
 #define PF		6
 #define HOST_MASK	128
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_ipportip6_data_next(struct ip_set_hash *h,
 			 const struct hash_ipportip6_elem *d)
 {
 	h->next.port = ntohs(d->port);
 }
 static int
 hash_ipportip6_kadt(struct ip_set *set, const struct sk_buff *skb,
 		    const struct xt_action_param *par,
 		    enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipportip6_elem data = { };
 	if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
 				 &data.port, &data.proto))
 		return -EINVAL;
 	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
 	ip6addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &data.ip2.in6);
 	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_ipportip6_uadt(struct ip_set *set, struct nlattr *tb[],
 		    enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipportip6_elem data = { };
 	u32 port, port_to;
 	u32 timeout = h->timeout;
 	bool with_ports = false;
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
 		     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
 		     tb[IPSET_ATTR_IP_TO] ||
 		     tb[IPSET_ATTR_CIDR]))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
 	if (ret)
 		return ret;
 	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &data.ip2);
 	if (ret)
 		return ret;
 	if (tb[IPSET_ATTR_PORT])
 		data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
 	else
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_PROTO]) {
 		data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
 		with_ports = ip_set_proto_with_ports(data.proto);
 		if (data.proto == 0)
 			return -IPSET_ERR_INVALID_PROTO;
 	} else
 		return -IPSET_ERR_MISSING_PROTO;
 	if (!(with_ports || data.proto == IPPROTO_ICMPV6))
 		data.port = 0;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
 		ret = adtfn(set, &data, timeout, flags);
 		return ip_set_eexist(ret, flags) ? 0 : ret;
 	}
 	port = ntohs(data.port);
 	port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
 	if (port > port_to)
 		swap(port, port_to);
 	if (retried)
 		port = h->next.port;
 	for (; port <= port_to; port++) {
 		data.port = htons(port);
 		ret = adtfn(set, &data, timeout, flags);
 		if (ret && !ip_set_eexist(ret, flags))
 			return ret;
 		else
 			ret = 0;
 	}
 	return ret;
 }
 /* Create hash:ip type of sets */
 static int
 hash_ipportip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 {
 	struct ip_set_hash *h;
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
 	if (!(set->family == AF_INET || set->family == AF_INET6))
 		return -IPSET_ERR_INVALID_FAMILY;
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_HASHSIZE]) {
 		hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
 		if (hashsize < IPSET_MIMINAL_HASHSIZE)
 			hashsize = IPSET_MIMINAL_HASHSIZE;
 	}
 	if (tb[IPSET_ATTR_MAXELEM])
 		maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
 	h = kzalloc(sizeof(*h), GFP_KERNEL);
 	if (!h)
 		return -ENOMEM;
 	h->maxelem = maxelem;
 	get_random_bytes(&h->initval, sizeof(h->initval));
 	h->timeout = IPSET_NO_TIMEOUT;
 	hbits = htable_bits(hashsize);
 	h->table = ip_set_alloc(
 			sizeof(struct htable)
 			+ jhash_size(hbits) * sizeof(struct hbucket));
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
 	}
 	h->table->htable_bits = hbits;
 	set->data = h;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 		set->variant = set->family == AF_INET
 			? &hash_ipportip4_tvariant : &hash_ipportip6_tvariant;
 		if (set->family == AF_INET)
 			hash_ipportip4_gc_init(set);
 		else
 			hash_ipportip6_gc_init(set);
 	} else {
 		set->variant = set->family == AF_INET
 			? &hash_ipportip4_variant : &hash_ipportip6_variant;
 	}
 	pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
 		 set->name, jhash_size(h->table->htable_bits),
 		 h->table->htable_bits, h->maxelem, set->data, h->table);
 	return 0;
 }
 static struct ip_set_type hash_ipportip_type __read_mostly = {
 	.name		= "hash:ip,port,ip",
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2,
 	.dimension	= IPSET_DIM_THREE,
 	.family		= AF_UNSPEC,
 	.revision_min	= 0,
 	.revision_max	= 1,	/* SCTP and UDPLITE support added */
 	.create		= hash_ipportip_create,
 	.create_policy	= {
 		[IPSET_ATTR_HASHSIZE]	= { .type = NLA_U32 },
 		[IPSET_ATTR_MAXELEM]	= { .type = NLA_U32 },
 		[IPSET_ATTR_PROBES]	= { .type = NLA_U8 },
 		[IPSET_ATTR_RESIZE]	= { .type = NLA_U8  },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 	},
 	.adt_policy	= {
 		[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
 		[IPSET_ATTR_IP_TO]	= { .type = NLA_NESTED },
 		[IPSET_ATTR_IP2]	= { .type = NLA_NESTED },
 		[IPSET_ATTR_PORT]	= { .type = NLA_U16 },
 		[IPSET_ATTR_PORT_TO]	= { .type = NLA_U16 },
 		[IPSET_ATTR_CIDR]	= { .type = NLA_U8 },
 		[IPSET_ATTR_PROTO]	= { .type = NLA_U8 },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 	},
 	.me		= THIS_MODULE,
 };
 static int __init
 hash_ipportip_init(void)
 {
 	return ip_set_type_register(&hash_ipportip_type);
 }
 static void __exit
 hash_ipportip_fini(void)
 {
 	ip_set_type_unregister(&hash_ipportip_type);
 }
 module_init(hash_ipportip_init);
 module_exit(hash_ipportip_fini);

net/netfilter/ipset/ip_set_hash_ipportnet.c

Diff comments View file @ f5caadb

 /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
 /* Kernel module implementing an IP set type: the hash:ip,port,net type */
 #include <linux/jhash.h>
 #include <linux/module.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
 #include <linux/errno.h>
 #include <linux/random.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
 #include <net/netlink.h>
 #include <net/tcp.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/ipset/pfxlen.h>
 #include <linux/netfilter/ipset/ip_set.h>
 #include <linux/netfilter/ipset/ip_set_timeout.h>
 #include <linux/netfilter/ipset/ip_set_getport.h>
 #include <linux/netfilter/ipset/ip_set_hash.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("hash:ip,port,net type of IP sets");
 MODULE_ALIAS("ip_set_hash:ip,port,net");
 /* Type specific function prefix */
 #define TYPE		hash_ipportnet
 static bool
 hash_ipportnet_same_set(const struct ip_set *a, const struct ip_set *b);
 #define hash_ipportnet4_same_set	hash_ipportnet_same_set
 #define hash_ipportnet6_same_set	hash_ipportnet_same_set
 /* The type variant functions: IPv4 */
 /* Member elements without timeout */
 struct hash_ipportnet4_elem {
 	__be32 ip;
 	__be32 ip2;
 	__be16 port;
 	u8 cidr;
 	u8 proto;
 };
 /* Member elements with timeout support */
 struct hash_ipportnet4_telem {
 	__be32 ip;
 	__be32 ip2;
 	__be16 port;
 	u8 cidr;
 	u8 proto;
 	unsigned long timeout;
 };
 static inline bool
 hash_ipportnet4_data_equal(const struct hash_ipportnet4_elem *ip1,
-			   const struct hash_ipportnet4_elem *ip2)
+			   const struct hash_ipportnet4_elem *ip2,
+			   u32 *multi)
 {
 	return ip1->ip == ip2->ip &&
 	       ip1->ip2 == ip2->ip2 &&
 	       ip1->cidr == ip2->cidr &&
 	       ip1->port == ip2->port &&
 	       ip1->proto == ip2->proto;
 }
 static inline bool
 hash_ipportnet4_data_isnull(const struct hash_ipportnet4_elem *elem)
 {
 	return elem->proto == 0;
 }
 static inline void
 hash_ipportnet4_data_copy(struct hash_ipportnet4_elem *dst,
 			  const struct hash_ipportnet4_elem *src)
 {
 	memcpy(dst, src, sizeof(*dst));
 }
 static inline void
 hash_ipportnet4_data_netmask(struct hash_ipportnet4_elem *elem, u8 cidr)
 {
 	elem->ip2 &= ip_set_netmask(cidr);
 	elem->cidr = cidr;
 }
 static inline void
 hash_ipportnet4_data_zero_out(struct hash_ipportnet4_elem *elem)
 {
 	elem->proto = 0;
 }
 static bool
 hash_ipportnet4_data_list(struct sk_buff *skb,
 			  const struct hash_ipportnet4_elem *data)
 {
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, data->ip2);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_ipportnet4_data_tlist(struct sk_buff *skb,
 			   const struct hash_ipportnet4_elem *data)
 {
 	const struct hash_ipportnet4_telem *tdata =
 		(const struct hash_ipportnet4_telem *)data;
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, tdata->ip2);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(tdata->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #define IP_SET_HASH_WITH_PROTO
 #define IP_SET_HASH_WITH_NETS
 #define PF		4
 #define HOST_MASK	32
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_ipportnet4_data_next(struct ip_set_hash *h,
 			  const struct hash_ipportnet4_elem *d)
 {
 	h->next.ip = ntohl(d->ip);
 	h->next.port = ntohs(d->port);
 	h->next.ip2 = ntohl(d->ip2);
 }
 static int
 hash_ipportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
 		     const struct xt_action_param *par,
 		     enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipportnet4_elem data = {
 		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
 	};
 	if (data.cidr == 0)
 		return -EINVAL;
 	if (adt == IPSET_TEST)
 		data.cidr = HOST_MASK;
 	if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
 				 &data.port, &data.proto))
 		return -EINVAL;
 	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
 	ip4addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &data.ip2);
 	data.ip2 &= ip_set_netmask(data.cidr);
 	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
 		     enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipportnet4_elem data = { .cidr = HOST_MASK };
 	u32 ip, ip_to, p = 0, port, port_to;
 	u32 ip2_from = 0, ip2_to, ip2_last, ip2;
 	u32 timeout = h->timeout;
 	bool with_ports = false;
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
 		     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
 	if (ret)
 		return ret;
 	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2], &ip2_from);
 	if (ret)
 		return ret;
 	if (tb[IPSET_ATTR_CIDR2]) {
 		data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
 		if (!data.cidr)
 			return -IPSET_ERR_INVALID_CIDR;
 	}
 	if (tb[IPSET_ATTR_PORT])
 		data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
 	else
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_PROTO]) {
 		data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
 		with_ports = ip_set_proto_with_ports(data.proto);
 		if (data.proto == 0)
 			return -IPSET_ERR_INVALID_PROTO;
 	} else
 		return -IPSET_ERR_MISSING_PROTO;
 	if (!(with_ports || data.proto == IPPROTO_ICMP))
 		data.port = 0;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	with_ports = with_ports && tb[IPSET_ATTR_PORT_TO];
 	if (adt == IPSET_TEST ||
 	    !(tb[IPSET_ATTR_CIDR] || tb[IPSET_ATTR_IP_TO] || with_ports ||
 	      tb[IPSET_ATTR_IP2_TO])) {
 		data.ip = htonl(ip);
 		data.ip2 = htonl(ip2_from & ip_set_hostmask(data.cidr));
 		ret = adtfn(set, &data, timeout, flags);
 		return ip_set_eexist(ret, flags) ? 0 : ret;
 	}
 	if (tb[IPSET_ATTR_IP_TO]) {
 		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 		if (ret)
 			return ret;
 		if (ip > ip_to)
 			swap(ip, ip_to);
 	} else if (tb[IPSET_ATTR_CIDR]) {
 		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 		if (cidr > 32)
 			return -IPSET_ERR_INVALID_CIDR;
 		ip_set_mask_from_to(ip, ip_to, cidr);
 	}
 	port_to = port = ntohs(data.port);
 	if (tb[IPSET_ATTR_PORT_TO]) {
 		port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
 		if (port > port_to)
 			swap(port, port_to);
 	}
 	if (tb[IPSET_ATTR_IP2_TO]) {
 		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2_TO], &ip2_to);
 		if (ret)
 			return ret;
 		if (ip2_from > ip2_to)
 			swap(ip2_from, ip2_to);
 		if (ip2_from + UINT_MAX == ip2_to)
 			return -IPSET_ERR_HASH_RANGE;
 	} else {
 		ip_set_mask_from_to(ip2_from, ip2_to, data.cidr);
 	}
 	if (retried)
 		ip = h->next.ip;
 	for (; !before(ip_to, ip); ip++) {
 		data.ip = htonl(ip);
 		p = retried && ip == h->next.ip ? h->next.port : port;
 		for (; p <= port_to; p++) {
 			data.port = htons(p);
 			ip2 = retried && ip == h->next.ip && p == h->next.port
 				? h->next.ip2 : ip2_from;
 			while (!after(ip2, ip2_to)) {
 				data.ip2 = htonl(ip2);
 				ip2_last = ip_set_range_to_cidr(ip2, ip2_to,
 								&data.cidr);
 				ret = adtfn(set, &data, timeout, flags);
 				if (ret && !ip_set_eexist(ret, flags))
 					return ret;
 				else
 					ret = 0;
 				ip2 = ip2_last + 1;
 			}
 		}
 	}
 	return ret;
 }
 static bool
 hash_ipportnet_same_set(const struct ip_set *a, const struct ip_set *b)
 {
 	const struct ip_set_hash *x = a->data;
 	const struct ip_set_hash *y = b->data;
 	/* Resizing changes htable_bits, so we ignore it */
 	return x->maxelem == y->maxelem &&
 	       x->timeout == y->timeout;
 }
 /* The type variant functions: IPv6 */
 struct hash_ipportnet6_elem {
 	union nf_inet_addr ip;
 	union nf_inet_addr ip2;
 	__be16 port;
 	u8 cidr;
 	u8 proto;
 };
 struct hash_ipportnet6_telem {
 	union nf_inet_addr ip;
 	union nf_inet_addr ip2;
 	__be16 port;
 	u8 cidr;
 	u8 proto;
 	unsigned long timeout;
 };
 static inline bool
 hash_ipportnet6_data_equal(const struct hash_ipportnet6_elem *ip1,
-			   const struct hash_ipportnet6_elem *ip2)
+			   const struct hash_ipportnet6_elem *ip2,
+			   u32 *multi)
 {
 	return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
 	       ipv6_addr_cmp(&ip1->ip2.in6, &ip2->ip2.in6) == 0 &&
 	       ip1->cidr == ip2->cidr &&
 	       ip1->port == ip2->port &&
 	       ip1->proto == ip2->proto;
 }
 static inline bool
 hash_ipportnet6_data_isnull(const struct hash_ipportnet6_elem *elem)
 {
 	return elem->proto == 0;
 }
 static inline void
 hash_ipportnet6_data_copy(struct hash_ipportnet6_elem *dst,
 			  const struct hash_ipportnet6_elem *src)
 {
 	memcpy(dst, src, sizeof(*dst));
 }
 static inline void
 hash_ipportnet6_data_zero_out(struct hash_ipportnet6_elem *elem)
 {
 	elem->proto = 0;
 }
 static inline void
 ip6_netmask(union nf_inet_addr *ip, u8 prefix)
 {
 	ip->ip6[0] &= ip_set_netmask6(prefix)[0];
 	ip->ip6[1] &= ip_set_netmask6(prefix)[1];
 	ip->ip6[2] &= ip_set_netmask6(prefix)[2];
 	ip->ip6[3] &= ip_set_netmask6(prefix)[3];
 }
 static inline void
 hash_ipportnet6_data_netmask(struct hash_ipportnet6_elem *elem, u8 cidr)
 {
 	ip6_netmask(&elem->ip2, cidr);
 	elem->cidr = cidr;
 }
 static bool
 hash_ipportnet6_data_list(struct sk_buff *skb,
 			  const struct hash_ipportnet6_elem *data)
 {
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_ipportnet6_data_tlist(struct sk_buff *skb,
 			   const struct hash_ipportnet6_elem *data)
 {
 	const struct hash_ipportnet6_telem *e =
 		(const struct hash_ipportnet6_telem *)data;
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(e->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #undef PF
 #undef HOST_MASK
 #define PF		6
 #define HOST_MASK	128
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_ipportnet6_data_next(struct ip_set_hash *h,
 			  const struct hash_ipportnet6_elem *d)
 {
 	h->next.port = ntohs(d->port);
 }
 static int
 hash_ipportnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
 		     const struct xt_action_param *par,
 		     enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipportnet6_elem data = {
 		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
 	};
 	if (data.cidr == 0)
 		return -EINVAL;
 	if (adt == IPSET_TEST)
 		data.cidr = HOST_MASK;
 	if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
 				 &data.port, &data.proto))
 		return -EINVAL;
 	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
 	ip6addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &data.ip2.in6);
 	ip6_netmask(&data.ip2, data.cidr);
 	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
 		     enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_ipportnet6_elem data = { .cidr = HOST_MASK };
 	u32 port, port_to;
 	u32 timeout = h->timeout;
 	bool with_ports = false;
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
 		     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
 		     tb[IPSET_ATTR_IP_TO] ||
 		     tb[IPSET_ATTR_CIDR]))
 		return -IPSET_ERR_PROTOCOL;
 	if (unlikely(tb[IPSET_ATTR_IP_TO]))
 		return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
 	if (ret)
 		return ret;
 	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &data.ip2);
 	if (ret)
 		return ret;
 	if (tb[IPSET_ATTR_CIDR2])
 		data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
 	if (!data.cidr)
 		return -IPSET_ERR_INVALID_CIDR;
 	ip6_netmask(&data.ip2, data.cidr);
 	if (tb[IPSET_ATTR_PORT])
 		data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
 	else
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_PROTO]) {
 		data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
 		with_ports = ip_set_proto_with_ports(data.proto);
 		if (data.proto == 0)
 			return -IPSET_ERR_INVALID_PROTO;
 	} else
 		return -IPSET_ERR_MISSING_PROTO;
 	if (!(with_ports || data.proto == IPPROTO_ICMPV6))
 		data.port = 0;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
 		ret = adtfn(set, &data, timeout, flags);
 		return ip_set_eexist(ret, flags) ? 0 : ret;
 	}
 	port = ntohs(data.port);
 	port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
 	if (port > port_to)
 		swap(port, port_to);
 	if (retried)
 		port = h->next.port;
 	for (; port <= port_to; port++) {
 		data.port = htons(port);
 		ret = adtfn(set, &data, timeout, flags);
 		if (ret && !ip_set_eexist(ret, flags))
 			return ret;
 		else
 			ret = 0;
 	}
 	return ret;
 }
 /* Create hash:ip type of sets */
 static int
 hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 {
 	struct ip_set_hash *h;
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
 	if (!(set->family == AF_INET || set->family == AF_INET6))
 		return -IPSET_ERR_INVALID_FAMILY;
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_HASHSIZE]) {
 		hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
 		if (hashsize < IPSET_MIMINAL_HASHSIZE)
 			hashsize = IPSET_MIMINAL_HASHSIZE;
 	}
 	if (tb[IPSET_ATTR_MAXELEM])
 		maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
 	h = kzalloc(sizeof(*h)
 		    + sizeof(struct ip_set_hash_nets)
 		      * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
 	if (!h)
 		return -ENOMEM;
 	h->maxelem = maxelem;
 	get_random_bytes(&h->initval, sizeof(h->initval));
 	h->timeout = IPSET_NO_TIMEOUT;
 	hbits = htable_bits(hashsize);
 	h->table = ip_set_alloc(
 			sizeof(struct htable)
 			+ jhash_size(hbits) * sizeof(struct hbucket));
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
 	}
 	h->table->htable_bits = hbits;
 	set->data = h;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 		set->variant = set->family == AF_INET
 			? &hash_ipportnet4_tvariant
 			: &hash_ipportnet6_tvariant;
 		if (set->family == AF_INET)
 			hash_ipportnet4_gc_init(set);
 		else
 			hash_ipportnet6_gc_init(set);
 	} else {
 		set->variant = set->family == AF_INET
 			? &hash_ipportnet4_variant : &hash_ipportnet6_variant;
 	}
 	pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
 		 set->name, jhash_size(h->table->htable_bits),
 		 h->table->htable_bits, h->maxelem, set->data, h->table);
 	return 0;
 }
 static struct ip_set_type hash_ipportnet_type __read_mostly = {
 	.name		= "hash:ip,port,net",
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2,
 	.dimension	= IPSET_DIM_THREE,
 	.family		= AF_UNSPEC,
 	.revision_min	= 0,
 	/*		  1	   SCTP and UDPLITE support added */
 	.revision_max	= 2,	/* Range as input support for IPv4 added */
 	.create		= hash_ipportnet_create,
 	.create_policy	= {
 		[IPSET_ATTR_HASHSIZE]	= { .type = NLA_U32 },
 		[IPSET_ATTR_MAXELEM]	= { .type = NLA_U32 },
 		[IPSET_ATTR_PROBES]	= { .type = NLA_U8 },
 		[IPSET_ATTR_RESIZE]	= { .type = NLA_U8  },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 	},
 	.adt_policy	= {
 		[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
 		[IPSET_ATTR_IP_TO]	= { .type = NLA_NESTED },
 		[IPSET_ATTR_IP2]	= { .type = NLA_NESTED },
 		[IPSET_ATTR_IP2_TO]	= { .type = NLA_NESTED },
 		[IPSET_ATTR_PORT]	= { .type = NLA_U16 },
 		[IPSET_ATTR_PORT_TO]	= { .type = NLA_U16 },
 		[IPSET_ATTR_CIDR]	= { .type = NLA_U8 },
 		[IPSET_ATTR_CIDR2]	= { .type = NLA_U8 },
 		[IPSET_ATTR_PROTO]	= { .type = NLA_U8 },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 	},
 	.me		= THIS_MODULE,
 };
 static int __init
 hash_ipportnet_init(void)
 {
 	return ip_set_type_register(&hash_ipportnet_type);
 }
 static void __exit
 hash_ipportnet_fini(void)
 {
 	ip_set_type_unregister(&hash_ipportnet_type);
 }
 module_init(hash_ipportnet_init);
 module_exit(hash_ipportnet_fini);

net/netfilter/ipset/ip_set_hash_net.c

Diff comments View file @ f5caadb

 /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
 /* Kernel module implementing an IP set type: the hash:net type */
 #include <linux/jhash.h>
 #include <linux/module.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
 #include <linux/errno.h>
 #include <linux/random.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
 #include <net/netlink.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/ipset/pfxlen.h>
 #include <linux/netfilter/ipset/ip_set.h>
 #include <linux/netfilter/ipset/ip_set_timeout.h>
 #include <linux/netfilter/ipset/ip_set_hash.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("hash:net type of IP sets");
 MODULE_ALIAS("ip_set_hash:net");
 /* Type specific function prefix */
 #define TYPE		hash_net
 static bool
 hash_net_same_set(const struct ip_set *a, const struct ip_set *b);
 #define hash_net4_same_set	hash_net_same_set
 #define hash_net6_same_set	hash_net_same_set
 /* The type variant functions: IPv4 */
 /* Member elements without timeout */
 struct hash_net4_elem {
 	__be32 ip;
 	u16 padding0;
 	u8 padding1;
 	u8 cidr;
 };
 /* Member elements with timeout support */
 struct hash_net4_telem {
 	__be32 ip;
 	u16 padding0;
 	u8 padding1;
 	u8 cidr;
 	unsigned long timeout;
 };
 static inline bool
 hash_net4_data_equal(const struct hash_net4_elem *ip1,
-		    const struct hash_net4_elem *ip2)
+		     const struct hash_net4_elem *ip2,
+		     u32 *multi)
 {
 	return ip1->ip == ip2->ip && ip1->cidr == ip2->cidr;
 }
 static inline bool
 hash_net4_data_isnull(const struct hash_net4_elem *elem)
 {
 	return elem->cidr == 0;
 }
 static inline void
 hash_net4_data_copy(struct hash_net4_elem *dst,
 		    const struct hash_net4_elem *src)
 {
 	dst->ip = src->ip;
 	dst->cidr = src->cidr;
 }
 static inline void
 hash_net4_data_netmask(struct hash_net4_elem *elem, u8 cidr)
 {
 	elem->ip &= ip_set_netmask(cidr);
 	elem->cidr = cidr;
 }
 /* Zero CIDR values cannot be stored */
 static inline void
 hash_net4_data_zero_out(struct hash_net4_elem *elem)
 {
 	elem->cidr = 0;
 }
 static bool
 hash_net4_data_list(struct sk_buff *skb, const struct hash_net4_elem *data)
 {
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_net4_data_tlist(struct sk_buff *skb, const struct hash_net4_elem *data)
 {
 	const struct hash_net4_telem *tdata =
 		(const struct hash_net4_telem *)data;
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, tdata->cidr);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(tdata->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #define IP_SET_HASH_WITH_NETS
 #define PF		4
 #define HOST_MASK	32
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_net4_data_next(struct ip_set_hash *h,
 		    const struct hash_net4_elem *d)
 {
 	h->next.ip = ntohl(d->ip);
 }
 static int
 hash_net4_kadt(struct ip_set *set, const struct sk_buff *skb,
 	       const struct xt_action_param *par,
 	       enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_net4_elem data = {
 		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
 	};
 	if (data.cidr == 0)
 		return -EINVAL;
 	if (adt == IPSET_TEST)
 		data.cidr = HOST_MASK;
 	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
 	data.ip &= ip_set_netmask(data.cidr);
 	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
 	       enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_net4_elem data = { .cidr = HOST_MASK };
 	u32 timeout = h->timeout;
 	u32 ip = 0, ip_to, last;
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
 	if (ret)
 		return ret;
 	if (tb[IPSET_ATTR_CIDR]) {
 		data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 		if (!data.cidr)
 			return -IPSET_ERR_INVALID_CIDR;
 	}
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
 		data.ip = htonl(ip & ip_set_hostmask(data.cidr));
 		ret = adtfn(set, &data, timeout, flags);
 		return ip_set_eexist(ret, flags) ? 0 : ret;
 	}
 	ip_to = ip;
 	if (tb[IPSET_ATTR_IP_TO]) {
 		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 		if (ret)
 			return ret;
 		if (ip_to < ip)
 			swap(ip, ip_to);
 		if (ip + UINT_MAX == ip_to)
 			return -IPSET_ERR_HASH_RANGE;
 	}
 	if (retried)
 		ip = h->next.ip;
 	while (!after(ip, ip_to)) {
 		data.ip = htonl(ip);
 		last = ip_set_range_to_cidr(ip, ip_to, &data.cidr);
 		ret = adtfn(set, &data, timeout, flags);
 		if (ret && !ip_set_eexist(ret, flags))
 			return ret;
 		else
 			ret = 0;
 		ip = last + 1;
 	}
 	return ret;
 }
 static bool
 hash_net_same_set(const struct ip_set *a, const struct ip_set *b)
 {
 	const struct ip_set_hash *x = a->data;
 	const struct ip_set_hash *y = b->data;
 	/* Resizing changes htable_bits, so we ignore it */
 	return x->maxelem == y->maxelem &&
 	       x->timeout == y->timeout;
 }
 /* The type variant functions: IPv6 */
 struct hash_net6_elem {
 	union nf_inet_addr ip;
 	u16 padding0;
 	u8 padding1;
 	u8 cidr;
 };
 struct hash_net6_telem {
 	union nf_inet_addr ip;
 	u16 padding0;
 	u8 padding1;
 	u8 cidr;
 	unsigned long timeout;
 };
 static inline bool
 hash_net6_data_equal(const struct hash_net6_elem *ip1,
-		     const struct hash_net6_elem *ip2)
+		     const struct hash_net6_elem *ip2,
+		     u32 *multi)
 {
 	return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
 	       ip1->cidr == ip2->cidr;
 }
 static inline bool
 hash_net6_data_isnull(const struct hash_net6_elem *elem)
 {
 	return elem->cidr == 0;
 }
 static inline void
 hash_net6_data_copy(struct hash_net6_elem *dst,
 		    const struct hash_net6_elem *src)
 {
 	ipv6_addr_copy(&dst->ip.in6, &src->ip.in6);
 	dst->cidr = src->cidr;
 }
 static inline void
 hash_net6_data_zero_out(struct hash_net6_elem *elem)
 {
 	elem->cidr = 0;
 }
 static inline void
 ip6_netmask(union nf_inet_addr *ip, u8 prefix)
 {
 	ip->ip6[0] &= ip_set_netmask6(prefix)[0];
 	ip->ip6[1] &= ip_set_netmask6(prefix)[1];
 	ip->ip6[2] &= ip_set_netmask6(prefix)[2];
 	ip->ip6[3] &= ip_set_netmask6(prefix)[3];
 }
 static inline void
 hash_net6_data_netmask(struct hash_net6_elem *elem, u8 cidr)
 {
 	ip6_netmask(&elem->ip, cidr);
 	elem->cidr = cidr;
 }
 static bool
 hash_net6_data_list(struct sk_buff *skb, const struct hash_net6_elem *data)
 {
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_net6_data_tlist(struct sk_buff *skb, const struct hash_net6_elem *data)
 {
 	const struct hash_net6_telem *e =
 		(const struct hash_net6_telem *)data;
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, e->cidr);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(e->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #undef PF
 #undef HOST_MASK
 #define PF		6
 #define HOST_MASK	128
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_net6_data_next(struct ip_set_hash *h,
 		    const struct hash_net6_elem *d)
 {
 }
 static int
 hash_net6_kadt(struct ip_set *set, const struct sk_buff *skb,
 	       const struct xt_action_param *par,
 	       enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_net6_elem data = {
 		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
 	};
 	if (data.cidr == 0)
 		return -EINVAL;
 	if (adt == IPSET_TEST)
 		data.cidr = HOST_MASK;
 	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
 	ip6_netmask(&data.ip, data.cidr);
 	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_net6_uadt(struct ip_set *set, struct nlattr *tb[],
 	       enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_net6_elem data = { .cidr = HOST_MASK };
 	u32 timeout = h->timeout;
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (unlikely(tb[IPSET_ATTR_IP_TO]))
 		return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
 	if (ret)
 		return ret;
 	if (tb[IPSET_ATTR_CIDR])
 		data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 	if (!data.cidr)
 		return -IPSET_ERR_INVALID_CIDR;
 	ip6_netmask(&data.ip, data.cidr);
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	ret = adtfn(set, &data, timeout, flags);
 	return ip_set_eexist(ret, flags) ? 0 : ret;
 }
 /* Create hash:ip type of sets */
 static int
 hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 {
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	struct ip_set_hash *h;
 	u8 hbits;
 	if (!(set->family == AF_INET || set->family == AF_INET6))
 		return -IPSET_ERR_INVALID_FAMILY;
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_HASHSIZE]) {
 		hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
 		if (hashsize < IPSET_MIMINAL_HASHSIZE)
 			hashsize = IPSET_MIMINAL_HASHSIZE;
 	}
 	if (tb[IPSET_ATTR_MAXELEM])
 		maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
 	h = kzalloc(sizeof(*h)
 		    + sizeof(struct ip_set_hash_nets)
 		      * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
 	if (!h)
 		return -ENOMEM;
 	h->maxelem = maxelem;
 	get_random_bytes(&h->initval, sizeof(h->initval));
 	h->timeout = IPSET_NO_TIMEOUT;
 	hbits = htable_bits(hashsize);
 	h->table = ip_set_alloc(
 			sizeof(struct htable)
 			+ jhash_size(hbits) * sizeof(struct hbucket));
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
 	}
 	h->table->htable_bits = hbits;
 	set->data = h;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 		set->variant = set->family == AF_INET
 			? &hash_net4_tvariant : &hash_net6_tvariant;
 		if (set->family == AF_INET)
 			hash_net4_gc_init(set);
 		else
 			hash_net6_gc_init(set);
 	} else {
 		set->variant = set->family == AF_INET
 			? &hash_net4_variant : &hash_net6_variant;
 	}
 	pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
 		 set->name, jhash_size(h->table->htable_bits),
 		 h->table->htable_bits, h->maxelem, set->data, h->table);
 	return 0;
 }
 static struct ip_set_type hash_net_type __read_mostly = {
 	.name		= "hash:net",
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP,
 	.dimension	= IPSET_DIM_ONE,
 	.family		= AF_UNSPEC,
 	.revision_min	= 0,
 	.revision_max	= 1,	/* Range as input support for IPv4 added */
 	.create		= hash_net_create,
 	.create_policy	= {
 		[IPSET_ATTR_HASHSIZE]	= { .type = NLA_U32 },
 		[IPSET_ATTR_MAXELEM]	= { .type = NLA_U32 },
 		[IPSET_ATTR_PROBES]	= { .type = NLA_U8 },
 		[IPSET_ATTR_RESIZE]	= { .type = NLA_U8  },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 	},
 	.adt_policy	= {
 		[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
 		[IPSET_ATTR_IP_TO]	= { .type = NLA_NESTED },
 		[IPSET_ATTR_CIDR]	= { .type = NLA_U8 },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 	},
 	.me		= THIS_MODULE,
 };
 static int __init
 hash_net_init(void)
 {
 	return ip_set_type_register(&hash_net_type);
 }
 static void __exit
 hash_net_fini(void)
 {
 	ip_set_type_unregister(&hash_net_type);
 }
 module_init(hash_net_init);
 module_exit(hash_net_fini);

net/netfilter/ipset/ip_set_hash_netiface.c

Diff comments View file @ f5caadb

 /* Copyright (C) 2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
 /* Kernel module implementing an IP set type: the hash:net,iface type */
 #include <linux/jhash.h>
 #include <linux/module.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
 #include <linux/errno.h>
 #include <linux/random.h>
 #include <linux/rbtree.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
 #include <net/netlink.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/ipset/pfxlen.h>
 #include <linux/netfilter/ipset/ip_set.h>
 #include <linux/netfilter/ipset/ip_set_timeout.h>
 #include <linux/netfilter/ipset/ip_set_hash.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("hash:net,iface type of IP sets");
 MODULE_ALIAS("ip_set_hash:net,iface");
 /* Interface name rbtree */
 struct iface_node {
 	struct rb_node node;
 	char iface[IFNAMSIZ];
 };
 #define iface_data(n)	(rb_entry(n, struct iface_node, node)->iface)
 static inline long
 ifname_compare(const char *_a, const char *_b)
 {
 	const long *a = (const long *)_a;
 	const long *b = (const long *)_b;
 	BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
 	if (a[0] != b[0])
 		return a[0] - b[0];
 	if (IFNAMSIZ > sizeof(long)) {
 		if (a[1] != b[1])
 			return a[1] - b[1];
 	}
 	if (IFNAMSIZ > 2 * sizeof(long)) {
 		if (a[2] != b[2])
 			return a[2] - b[2];
 	}
 	if (IFNAMSIZ > 3 * sizeof(long)) {
 		if (a[3] != b[3])
 			return a[3] - b[3];
 	}
 	return 0;
 }
 static void
 rbtree_destroy(struct rb_root *root)
 {
 	struct rb_node *p, *n = root->rb_node;
 	struct iface_node *node;
 	/* Non-recursive destroy, like in ext3 */
 	while (n) {
 		if (n->rb_left) {
 			n = n->rb_left;
 			continue;
 		}
 		if (n->rb_right) {
 			n = n->rb_right;
 			continue;
 		}
 		p = rb_parent(n);
 		node = rb_entry(n, struct iface_node, node);
 		if (!p)
 			*root = RB_ROOT;
 		else if (p->rb_left == n)
 			p->rb_left = NULL;
 		else if (p->rb_right == n)
 			p->rb_right = NULL;
 		kfree(node);
 		n = p;
 	}
 }
 static int
 iface_test(struct rb_root *root, const char **iface)
 {
 	struct rb_node *n = root->rb_node;
 	while (n) {
 		const char *d = iface_data(n);
-		int res = ifname_compare(*iface, d);
+		long res = ifname_compare(*iface, d);
 		if (res < 0)
 			n = n->rb_left;
 		else if (res > 0)
 			n = n->rb_right;
 		else {
 			*iface = d;
 			return 1;
 		}
 	}
 	return 0;
 }
 static int
 iface_add(struct rb_root *root, const char **iface)
 {
 	struct rb_node **n = &(root->rb_node), *p = NULL;
 	struct iface_node *d;
 	while (*n) {
 		char *ifname = iface_data(*n);
-		int res = ifname_compare(*iface, ifname);
+		long res = ifname_compare(*iface, ifname);
 		p = *n;
 		if (res < 0)
 			n = &((*n)->rb_left);
 		else if (res > 0)
 			n = &((*n)->rb_right);
 		else {
 			*iface = ifname;
 			return 0;
 		}
 	}
 	d = kzalloc(sizeof(*d), GFP_ATOMIC);
 	if (!d)
 		return -ENOMEM;
 	strcpy(d->iface, *iface);
 	rb_link_node(&d->node, p, n);
 	rb_insert_color(&d->node, root);
 	*iface = d->iface;
 	return 0;
 }
 /* Type specific function prefix */
 #define TYPE		hash_netiface
 static bool
 hash_netiface_same_set(const struct ip_set *a, const struct ip_set *b);
 #define hash_netiface4_same_set	hash_netiface_same_set
 #define hash_netiface6_same_set	hash_netiface_same_set
 #define STREQ(a, b)	(strcmp(a, b) == 0)
 /* The type variant functions: IPv4 */
+struct hash_netiface4_elem_hashed {
+	__be32 ip;
+	u8 physdev;
+	u8 cidr;
+	u16 padding;
+};
+#define HKEY_DATALEN	sizeof(struct hash_netiface4_elem_hashed)
 /* Member elements without timeout */
 struct hash_netiface4_elem {
 	__be32 ip;
-	const char *iface;
 	u8 physdev;
 	u8 cidr;
 	u16 padding;
+	const char *iface;
 };
 /* Member elements with timeout support */
 struct hash_netiface4_telem {
 	__be32 ip;
-	const char *iface;
 	u8 physdev;
 	u8 cidr;
 	u16 padding;
+	const char *iface;
 	unsigned long timeout;
 };
 static inline bool
 hash_netiface4_data_equal(const struct hash_netiface4_elem *ip1,
-			  const struct hash_netiface4_elem *ip2)
+			  const struct hash_netiface4_elem *ip2,
+			  u32 *multi)
 {
 	return ip1->ip == ip2->ip &&
 	       ip1->cidr == ip2->cidr &&
+	       (++*multi) &&
 	       ip1->physdev == ip2->physdev &&
 	       ip1->iface == ip2->iface;
 }
 static inline bool
 hash_netiface4_data_isnull(const struct hash_netiface4_elem *elem)
 {
 	return elem->cidr == 0;
 }
 static inline void
 hash_netiface4_data_copy(struct hash_netiface4_elem *dst,
 			 const struct hash_netiface4_elem *src) {
 	dst->ip = src->ip;
 	dst->cidr = src->cidr;
 	dst->physdev = src->physdev;
 	dst->iface = src->iface;
 }
 static inline void
 hash_netiface4_data_netmask(struct hash_netiface4_elem *elem, u8 cidr)
 {
 	elem->ip &= ip_set_netmask(cidr);
 	elem->cidr = cidr;
 }
 static inline void
 hash_netiface4_data_zero_out(struct hash_netiface4_elem *elem)
 {
 	elem->cidr = 0;
 }
 static bool
 hash_netiface4_data_list(struct sk_buff *skb,
 			 const struct hash_netiface4_elem *data)
 {
 	u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
 	NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
 	if (flags)
 		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, flags);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_netiface4_data_tlist(struct sk_buff *skb,
 			  const struct hash_netiface4_elem *data)
 {
 	const struct hash_netiface4_telem *tdata =
 		(const struct hash_netiface4_telem *)data;
 	u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
 	NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
 	if (flags)
 		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, flags);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(tdata->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #define IP_SET_HASH_WITH_NETS
 #define IP_SET_HASH_WITH_RBTREE
+#define IP_SET_HASH_WITH_MULTI
 #define PF		4
 #define HOST_MASK	32
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_netiface4_data_next(struct ip_set_hash *h,
 			 const struct hash_netiface4_elem *d)
 {
 	h->next.ip = ntohl(d->ip);
 }
 static int
 hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb,
 		    const struct xt_action_param *par,
 		    enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_netiface4_elem data = {
 		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
 	};
 	int ret;
 	if (data.cidr == 0)
 		return -EINVAL;
 	if (adt == IPSET_TEST)
 		data.cidr = HOST_MASK;
 	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
 	data.ip &= ip_set_netmask(data.cidr);
 #define IFACE(dir)	(par->dir ? par->dir->name : NULL)
 #define PHYSDEV(dir)	(nf_bridge->dir ? nf_bridge->dir->name : NULL)
 #define SRCDIR		(opt->flags & IPSET_DIM_TWO_SRC)
 	if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
 #ifdef CONFIG_BRIDGE_NETFILTER
 		const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 		if (!nf_bridge)
 			return -EINVAL;
 		data.iface = SRCDIR ? PHYSDEV(physindev) : PHYSDEV(physoutdev);
 		data.physdev = 1;
 #else
 		data.iface = NULL;
 #endif
 	} else
 		data.iface = SRCDIR ? IFACE(in) : IFACE(out);
 	if (!data.iface)
 		return -EINVAL;
 	ret = iface_test(&h->rbtree, &data.iface);
 	if (adt == IPSET_ADD) {
 		if (!ret) {
 			ret = iface_add(&h->rbtree, &data.iface);
 			if (ret)
 				return ret;
 		}
 	} else if (!ret)
 		return ret;
 	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
 		    enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_netiface4_elem data = { .cidr = HOST_MASK };
 	u32 ip = 0, ip_to, last;
 	u32 timeout = h->timeout;
 	char iface[IFNAMSIZ] = {};
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] ||
 		     !tb[IPSET_ATTR_IFACE] ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
 	if (ret)
 		return ret;
 	if (tb[IPSET_ATTR_CIDR]) {
 		data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 		if (!data.cidr)
 			return -IPSET_ERR_INVALID_CIDR;
 	}
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE]));
 	data.iface = iface;
 	ret = iface_test(&h->rbtree, &data.iface);
 	if (adt == IPSET_ADD) {
 		if (!ret) {
 			ret = iface_add(&h->rbtree, &data.iface);
 			if (ret)
 				return ret;
 		}
 	} else if (!ret)
 		return ret;
 	if (tb[IPSET_ATTR_CADT_FLAGS]) {
 		u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
 		if (cadt_flags & IPSET_FLAG_PHYSDEV)
 			data.physdev = 1;
 	}
 	if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
 		data.ip = htonl(ip & ip_set_hostmask(data.cidr));
 		ret = adtfn(set, &data, timeout, flags);
 		return ip_set_eexist(ret, flags) ? 0 : ret;
 	}
 	if (tb[IPSET_ATTR_IP_TO]) {
 		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 		if (ret)
 			return ret;
 		if (ip_to < ip)
 			swap(ip, ip_to);
 		if (ip + UINT_MAX == ip_to)
 			return -IPSET_ERR_HASH_RANGE;
 	} else {
 		ip_set_mask_from_to(ip, ip_to, data.cidr);
 	}
 	if (retried)
 		ip = h->next.ip;
 	while (!after(ip, ip_to)) {
 		data.ip = htonl(ip);
 		last = ip_set_range_to_cidr(ip, ip_to, &data.cidr);
 		ret = adtfn(set, &data, timeout, flags);
 		if (ret && !ip_set_eexist(ret, flags))
 			return ret;
 		else
 			ret = 0;
 		ip = last + 1;
 	}
 	return ret;
 }
 static bool
 hash_netiface_same_set(const struct ip_set *a, const struct ip_set *b)
 {
 	const struct ip_set_hash *x = a->data;
 	const struct ip_set_hash *y = b->data;
 	/* Resizing changes htable_bits, so we ignore it */
 	return x->maxelem == y->maxelem &&
 	       x->timeout == y->timeout;
 }
 /* The type variant functions: IPv6 */
+struct hash_netiface6_elem_hashed {
+	union nf_inet_addr ip;
+	u8 physdev;
+	u8 cidr;
+	u16 padding;
+};
+#define HKEY_DATALEN	sizeof(struct hash_netiface6_elem_hashed)
 struct hash_netiface6_elem {
 	union nf_inet_addr ip;
-	const char *iface;
 	u8 physdev;
 	u8 cidr;
 	u16 padding;
+	const char *iface;
 };
 struct hash_netiface6_telem {
 	union nf_inet_addr ip;
-	const char *iface;
 	u8 physdev;
 	u8 cidr;
 	u16 padding;
+	const char *iface;
 	unsigned long timeout;
 };
 static inline bool
 hash_netiface6_data_equal(const struct hash_netiface6_elem *ip1,
-			  const struct hash_netiface6_elem *ip2)
+			  const struct hash_netiface6_elem *ip2,
+			  u32 *multi)
 {
 	return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
 	       ip1->cidr == ip2->cidr &&
+	       (++*multi) &&
 	       ip1->physdev == ip2->physdev &&
 	       ip1->iface == ip2->iface;
 }
 static inline bool
 hash_netiface6_data_isnull(const struct hash_netiface6_elem *elem)
 {
 	return elem->cidr == 0;
 }
 static inline void
 hash_netiface6_data_copy(struct hash_netiface6_elem *dst,
 			 const struct hash_netiface6_elem *src)
 {
 	memcpy(dst, src, sizeof(*dst));
 }
 static inline void
 hash_netiface6_data_zero_out(struct hash_netiface6_elem *elem)
 {
 }
 static inline void
 ip6_netmask(union nf_inet_addr *ip, u8 prefix)
 {
 	ip->ip6[0] &= ip_set_netmask6(prefix)[0];
 	ip->ip6[1] &= ip_set_netmask6(prefix)[1];
 	ip->ip6[2] &= ip_set_netmask6(prefix)[2];
 	ip->ip6[3] &= ip_set_netmask6(prefix)[3];
 }
 static inline void
 hash_netiface6_data_netmask(struct hash_netiface6_elem *elem, u8 cidr)
 {
 	ip6_netmask(&elem->ip, cidr);
 	elem->cidr = cidr;
 }
 static bool
 hash_netiface6_data_list(struct sk_buff *skb,
 			 const struct hash_netiface6_elem *data)
 {
 	u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
 	NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
 	if (flags)
 		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, flags);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_netiface6_data_tlist(struct sk_buff *skb,
 			  const struct hash_netiface6_elem *data)
 {
 	const struct hash_netiface6_telem *e =
 		(const struct hash_netiface6_telem *)data;
 	u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
 	NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
 	if (flags)
 		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, flags);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(e->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #undef PF
 #undef HOST_MASK
 #define PF		6
 #define HOST_MASK	128
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_netiface6_data_next(struct ip_set_hash *h,
 			 const struct hash_netiface6_elem *d)
 {
 }
 static int
 hash_netiface6_kadt(struct ip_set *set, const struct sk_buff *skb,
 		    const struct xt_action_param *par,
 		    enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_netiface6_elem data = {
 		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
 	};
 	int ret;
 	if (data.cidr == 0)
 		return -EINVAL;
 	if (adt == IPSET_TEST)
 		data.cidr = HOST_MASK;
 	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
 	ip6_netmask(&data.ip, data.cidr);
 	if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
 #ifdef CONFIG_BRIDGE_NETFILTER
 		const struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 		if (!nf_bridge)
 			return -EINVAL;
 		data.iface = SRCDIR ? PHYSDEV(physindev) : PHYSDEV(physoutdev);
 		data.physdev = 1;
 #else
 		data.iface = NULL;
 #endif
 	} else
 		data.iface = SRCDIR ? IFACE(in) : IFACE(out);
 	if (!data.iface)
 		return -EINVAL;
 	ret = iface_test(&h->rbtree, &data.iface);
 	if (adt == IPSET_ADD) {
 		if (!ret) {
 			ret = iface_add(&h->rbtree, &data.iface);
 			if (ret)
 				return ret;
 		}
 	} else if (!ret)
 		return ret;
 	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
 		   enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_netiface6_elem data = { .cidr = HOST_MASK };
 	u32 timeout = h->timeout;
 	char iface[IFNAMSIZ] = {};
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] ||
 		     !tb[IPSET_ATTR_IFACE] ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
 		return -IPSET_ERR_PROTOCOL;
 	if (unlikely(tb[IPSET_ATTR_IP_TO]))
 		return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
 	if (ret)
 		return ret;
 	if (tb[IPSET_ATTR_CIDR])
 		data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 	if (!data.cidr)
 		return -IPSET_ERR_INVALID_CIDR;
 	ip6_netmask(&data.ip, data.cidr);
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE]));
 	data.iface = iface;
 	ret = iface_test(&h->rbtree, &data.iface);
 	if (adt == IPSET_ADD) {
 		if (!ret) {
 			ret = iface_add(&h->rbtree, &data.iface);
 			if (ret)
 				return ret;
 		}
 	} else if (!ret)
 		return ret;
 	if (tb[IPSET_ATTR_CADT_FLAGS]) {
 		u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
 		if (cadt_flags & IPSET_FLAG_PHYSDEV)
 			data.physdev = 1;
 	}
 	ret = adtfn(set, &data, timeout, flags);
 	return ip_set_eexist(ret, flags) ? 0 : ret;
 }
 /* Create hash:ip type of sets */
 static int
 hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 {
 	struct ip_set_hash *h;
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
 	if (!(set->family == AF_INET || set->family == AF_INET6))
 		return -IPSET_ERR_INVALID_FAMILY;
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_HASHSIZE]) {
 		hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
 		if (hashsize < IPSET_MIMINAL_HASHSIZE)
 			hashsize = IPSET_MIMINAL_HASHSIZE;
 	}
 	if (tb[IPSET_ATTR_MAXELEM])
 		maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
 	h = kzalloc(sizeof(*h)
 		    + sizeof(struct ip_set_hash_nets)
 		      * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
 	if (!h)
 		return -ENOMEM;
 	h->maxelem = maxelem;
 	get_random_bytes(&h->initval, sizeof(h->initval));
 	h->timeout = IPSET_NO_TIMEOUT;
+	h->ahash_max = AHASH_MAX_SIZE;
 	hbits = htable_bits(hashsize);
 	h->table = ip_set_alloc(
 			sizeof(struct htable)
 			+ jhash_size(hbits) * sizeof(struct hbucket));
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
 	}
 	h->table->htable_bits = hbits;
 	h->rbtree = RB_ROOT;
 	set->data = h;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 		set->variant = set->family == AF_INET
 			? &hash_netiface4_tvariant : &hash_netiface6_tvariant;
 		if (set->family == AF_INET)
 			hash_netiface4_gc_init(set);
 		else
 			hash_netiface6_gc_init(set);
 	} else {
 		set->variant = set->family == AF_INET
 			? &hash_netiface4_variant : &hash_netiface6_variant;
 	}
 	pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
 		 set->name, jhash_size(h->table->htable_bits),
 		 h->table->htable_bits, h->maxelem, set->data, h->table);
 	return 0;
 }
 static struct ip_set_type hash_netiface_type __read_mostly = {
 	.name		= "hash:net,iface",
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP | IPSET_TYPE_IFACE,
 	.dimension	= IPSET_DIM_TWO,
 	.family		= AF_UNSPEC,
 	.revision_min	= 0,
 	.create		= hash_netiface_create,
 	.create_policy	= {
 		[IPSET_ATTR_HASHSIZE]	= { .type = NLA_U32 },
 		[IPSET_ATTR_MAXELEM]	= { .type = NLA_U32 },
 		[IPSET_ATTR_PROBES]	= { .type = NLA_U8 },
 		[IPSET_ATTR_RESIZE]	= { .type = NLA_U8  },
 		[IPSET_ATTR_PROTO]	= { .type = NLA_U8 },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 	},
 	.adt_policy	= {
 		[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
 		[IPSET_ATTR_IP_TO]	= { .type = NLA_NESTED },
 		[IPSET_ATTR_IFACE]	= { .type = NLA_NUL_STRING,
 					    .len = IPSET_MAXNAMELEN - 1 },
 		[IPSET_ATTR_CADT_FLAGS]	= { .type = NLA_U32 },
 		[IPSET_ATTR_CIDR]	= { .type = NLA_U8 },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 	},
 	.me		= THIS_MODULE,
 };
 static int __init
 hash_netiface_init(void)
 {
 	return ip_set_type_register(&hash_netiface_type);
 }
 static void __exit
 hash_netiface_fini(void)
 {
 	ip_set_type_unregister(&hash_netiface_type);
 }

net/netfilter/ipset/ip_set_hash_netport.c

Diff comments View file @ f5caadb

 /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
 /* Kernel module implementing an IP set type: the hash:net,port type */
 #include <linux/jhash.h>
 #include <linux/module.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
 #include <linux/errno.h>
 #include <linux/random.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
 #include <net/netlink.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/ipset/pfxlen.h>
 #include <linux/netfilter/ipset/ip_set.h>
 #include <linux/netfilter/ipset/ip_set_timeout.h>
 #include <linux/netfilter/ipset/ip_set_getport.h>
 #include <linux/netfilter/ipset/ip_set_hash.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
 MODULE_DESCRIPTION("hash:net,port type of IP sets");
 MODULE_ALIAS("ip_set_hash:net,port");
 /* Type specific function prefix */
 #define TYPE		hash_netport
 static bool
 hash_netport_same_set(const struct ip_set *a, const struct ip_set *b);
 #define hash_netport4_same_set	hash_netport_same_set
 #define hash_netport6_same_set	hash_netport_same_set
 /* The type variant functions: IPv4 */
 /* Member elements without timeout */
 struct hash_netport4_elem {
 	__be32 ip;
 	__be16 port;
 	u8 proto;
 	u8 cidr;
 };
 /* Member elements with timeout support */
 struct hash_netport4_telem {
 	__be32 ip;
 	__be16 port;
 	u8 proto;
 	u8 cidr;
 	unsigned long timeout;
 };
 static inline bool
 hash_netport4_data_equal(const struct hash_netport4_elem *ip1,
-			 const struct hash_netport4_elem *ip2)
+			 const struct hash_netport4_elem *ip2,
+			 u32 *multi)
 {
 	return ip1->ip == ip2->ip &&
 	       ip1->port == ip2->port &&
 	       ip1->proto == ip2->proto &&
 	       ip1->cidr == ip2->cidr;
 }
 static inline bool
 hash_netport4_data_isnull(const struct hash_netport4_elem *elem)
 {
 	return elem->proto == 0;
 }
 static inline void
 hash_netport4_data_copy(struct hash_netport4_elem *dst,
 			const struct hash_netport4_elem *src)
 {
 	dst->ip = src->ip;
 	dst->port = src->port;
 	dst->proto = src->proto;
 	dst->cidr = src->cidr;
 }
 static inline void
 hash_netport4_data_netmask(struct hash_netport4_elem *elem, u8 cidr)
 {
 	elem->ip &= ip_set_netmask(cidr);
 	elem->cidr = cidr;
 }
 static inline void
 hash_netport4_data_zero_out(struct hash_netport4_elem *elem)
 {
 	elem->proto = 0;
 }
 static bool
 hash_netport4_data_list(struct sk_buff *skb,
 			const struct hash_netport4_elem *data)
 {
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_netport4_data_tlist(struct sk_buff *skb,
 			 const struct hash_netport4_elem *data)
 {
 	const struct hash_netport4_telem *tdata =
 		(const struct hash_netport4_telem *)data;
 	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(tdata->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #define IP_SET_HASH_WITH_PROTO
 #define IP_SET_HASH_WITH_NETS
 #define PF		4
 #define HOST_MASK	32
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_netport4_data_next(struct ip_set_hash *h,
 			const struct hash_netport4_elem *d)
 {
 	h->next.ip = ntohl(d->ip);
 	h->next.port = ntohs(d->port);
 }
 static int
 hash_netport4_kadt(struct ip_set *set, const struct sk_buff *skb,
 		   const struct xt_action_param *par,
 		   enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_netport4_elem data = {
 		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
 	};
 	if (data.cidr == 0)
 		return -EINVAL;
 	if (adt == IPSET_TEST)
 		data.cidr = HOST_MASK;
 	if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
 				 &data.port, &data.proto))
 		return -EINVAL;
 	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip);
 	data.ip &= ip_set_netmask(data.cidr);
 	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
 		   enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_netport4_elem data = { .cidr = HOST_MASK };
 	u32 port, port_to, p = 0, ip = 0, ip_to, last;
 	u32 timeout = h->timeout;
 	bool with_ports = false;
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] ||
 		     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
 	if (ret)
 		return ret;
 	if (tb[IPSET_ATTR_CIDR]) {
 		data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 		if (!data.cidr)
 			return -IPSET_ERR_INVALID_CIDR;
 	}
 	if (tb[IPSET_ATTR_PORT])
 		data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
 	else
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_PROTO]) {
 		data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
 		with_ports = ip_set_proto_with_ports(data.proto);
 		if (data.proto == 0)
 			return -IPSET_ERR_INVALID_PROTO;
 	} else
 		return -IPSET_ERR_MISSING_PROTO;
 	if (!(with_ports || data.proto == IPPROTO_ICMP))
 		data.port = 0;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	with_ports = with_ports && tb[IPSET_ATTR_PORT_TO];
 	if (adt == IPSET_TEST || !(with_ports || tb[IPSET_ATTR_IP_TO])) {
 		data.ip = htonl(ip & ip_set_hostmask(data.cidr));
 		ret = adtfn(set, &data, timeout, flags);
 		return ip_set_eexist(ret, flags) ? 0 : ret;
 	}
 	port = port_to = ntohs(data.port);
 	if (tb[IPSET_ATTR_PORT_TO]) {
 		port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
 		if (port_to < port)
 			swap(port, port_to);
 	}
 	if (tb[IPSET_ATTR_IP_TO]) {
 		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 		if (ret)
 			return ret;
 		if (ip_to < ip)
 			swap(ip, ip_to);
 		if (ip + UINT_MAX == ip_to)
 			return -IPSET_ERR_HASH_RANGE;
 	} else {
 		ip_set_mask_from_to(ip, ip_to, data.cidr);
 	}
 	if (retried)
 		ip = h->next.ip;
 	while (!after(ip, ip_to)) {
 		data.ip = htonl(ip);
 		last = ip_set_range_to_cidr(ip, ip_to, &data.cidr);
 		p = retried && ip == h->next.ip ? h->next.port : port;
 		for (; p <= port_to; p++) {
 			data.port = htons(p);
 			ret = adtfn(set, &data, timeout, flags);
 			if (ret && !ip_set_eexist(ret, flags))
 				return ret;
 			else
 				ret = 0;
 		}
 		ip = last + 1;
 	}
 	return ret;
 }
 static bool
 hash_netport_same_set(const struct ip_set *a, const struct ip_set *b)
 {
 	const struct ip_set_hash *x = a->data;
 	const struct ip_set_hash *y = b->data;
 	/* Resizing changes htable_bits, so we ignore it */
 	return x->maxelem == y->maxelem &&
 	       x->timeout == y->timeout;
 }
 /* The type variant functions: IPv6 */
 struct hash_netport6_elem {
 	union nf_inet_addr ip;
 	__be16 port;
 	u8 proto;
 	u8 cidr;
 };
 struct hash_netport6_telem {
 	union nf_inet_addr ip;
 	__be16 port;
 	u8 proto;
 	u8 cidr;
 	unsigned long timeout;
 };
 static inline bool
 hash_netport6_data_equal(const struct hash_netport6_elem *ip1,
-			 const struct hash_netport6_elem *ip2)
+			 const struct hash_netport6_elem *ip2,
+			 u32 *multi)
 {
 	return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
 	       ip1->port == ip2->port &&
 	       ip1->proto == ip2->proto &&
 	       ip1->cidr == ip2->cidr;
 }
 static inline bool
 hash_netport6_data_isnull(const struct hash_netport6_elem *elem)
 {
 	return elem->proto == 0;
 }
 static inline void
 hash_netport6_data_copy(struct hash_netport6_elem *dst,
 			const struct hash_netport6_elem *src)
 {
 	memcpy(dst, src, sizeof(*dst));
 }
 static inline void
 hash_netport6_data_zero_out(struct hash_netport6_elem *elem)
 {
 	elem->proto = 0;
 }
 static inline void
 ip6_netmask(union nf_inet_addr *ip, u8 prefix)
 {
 	ip->ip6[0] &= ip_set_netmask6(prefix)[0];
 	ip->ip6[1] &= ip_set_netmask6(prefix)[1];
 	ip->ip6[2] &= ip_set_netmask6(prefix)[2];
 	ip->ip6[3] &= ip_set_netmask6(prefix)[3];
 }
 static inline void
 hash_netport6_data_netmask(struct hash_netport6_elem *elem, u8 cidr)
 {
 	ip6_netmask(&elem->ip, cidr);
 	elem->cidr = cidr;
 }
 static bool
 hash_netport6_data_list(struct sk_buff *skb,
 			const struct hash_netport6_elem *data)
 {
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	return 0;
 nla_put_failure:
 	return 1;
 }
 static bool
 hash_netport6_data_tlist(struct sk_buff *skb,
 			 const struct hash_netport6_elem *data)
 {
 	const struct hash_netport6_telem *e =
 		(const struct hash_netport6_telem *)data;
 	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
 	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
 	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
 	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
 	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
 		      htonl(ip_set_timeout_get(e->timeout)));
 	return 0;
 nla_put_failure:
 	return 1;
 }
 #undef PF
 #undef HOST_MASK
 #define PF		6
 #define HOST_MASK	128
 #include <linux/netfilter/ipset/ip_set_ahash.h>
 static inline void
 hash_netport6_data_next(struct ip_set_hash *h,
 			const struct hash_netport6_elem *d)
 {
 	h->next.port = ntohs(d->port);
 }
 static int
 hash_netport6_kadt(struct ip_set *set, const struct sk_buff *skb,
 		   const struct xt_action_param *par,
 		   enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_netport6_elem data = {
 		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
 	};
 	if (data.cidr == 0)
 		return -EINVAL;
 	if (adt == IPSET_TEST)
 		data.cidr = HOST_MASK;
 	if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
 				 &data.port, &data.proto))
 		return -EINVAL;
 	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
 	ip6_netmask(&data.ip, data.cidr);
 	return adtfn(set, &data, opt_timeout(opt, h), opt->cmdflags);
 }
 static int
 hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
 		   enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
 	const struct ip_set_hash *h = set->data;
 	ipset_adtfn adtfn = set->variant->adt[adt];
 	struct hash_netport6_elem data = { .cidr = HOST_MASK };
 	u32 port, port_to;
 	u32 timeout = h->timeout;
 	bool with_ports = false;
 	int ret;
 	if (unlikely(!tb[IPSET_ATTR_IP] ||
 		     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (unlikely(tb[IPSET_ATTR_IP_TO]))
 		return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
 	if (tb[IPSET_ATTR_LINENO])
 		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
 	if (ret)
 		return ret;
 	if (tb[IPSET_ATTR_CIDR])
 		data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 	if (!data.cidr)
 		return -IPSET_ERR_INVALID_CIDR;
 	ip6_netmask(&data.ip, data.cidr);
 	if (tb[IPSET_ATTR_PORT])
 		data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
 	else
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_PROTO]) {
 		data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
 		with_ports = ip_set_proto_with_ports(data.proto);
 		if (data.proto == 0)
 			return -IPSET_ERR_INVALID_PROTO;
 	} else
 		return -IPSET_ERR_MISSING_PROTO;
 	if (!(with_ports || data.proto == IPPROTO_ICMPV6))
 		data.port = 0;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		if (!with_timeout(h->timeout))
 			return -IPSET_ERR_TIMEOUT;
 		timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 	}
 	if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
 		ret = adtfn(set, &data, timeout, flags);
 		return ip_set_eexist(ret, flags) ? 0 : ret;
 	}
 	port = ntohs(data.port);
 	port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
 	if (port > port_to)
 		swap(port, port_to);
 	if (retried)
 		port = h->next.port;
 	for (; port <= port_to; port++) {
 		data.port = htons(port);
 		ret = adtfn(set, &data, timeout, flags);
 		if (ret && !ip_set_eexist(ret, flags))
 			return ret;
 		else
 			ret = 0;
 	}
 	return ret;
 }
 /* Create hash:ip type of sets */
 static int
 hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 {
 	struct ip_set_hash *h;
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
 	if (!(set->family == AF_INET || set->family == AF_INET6))
 		return -IPSET_ERR_INVALID_FAMILY;
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 		return -IPSET_ERR_PROTOCOL;
 	if (tb[IPSET_ATTR_HASHSIZE]) {
 		hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
 		if (hashsize < IPSET_MIMINAL_HASHSIZE)
 			hashsize = IPSET_MIMINAL_HASHSIZE;
 	}
 	if (tb[IPSET_ATTR_MAXELEM])
 		maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
 	h = kzalloc(sizeof(*h)
 		    + sizeof(struct ip_set_hash_nets)
 		      * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
 	if (!h)
 		return -ENOMEM;
 	h->maxelem = maxelem;
 	get_random_bytes(&h->initval, sizeof(h->initval));
 	h->timeout = IPSET_NO_TIMEOUT;
 	hbits = htable_bits(hashsize);
 	h->table = ip_set_alloc(
 			sizeof(struct htable)
 			+ jhash_size(hbits) * sizeof(struct hbucket));
 	if (!h->table) {
 		kfree(h);
 		return -ENOMEM;
 	}
 	h->table->htable_bits = hbits;
 	set->data = h;
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 		set->variant = set->family == AF_INET
 			? &hash_netport4_tvariant : &hash_netport6_tvariant;
 		if (set->family == AF_INET)
 			hash_netport4_gc_init(set);
 		else
 			hash_netport6_gc_init(set);
 	} else {
 		set->variant = set->family == AF_INET
 			? &hash_netport4_variant : &hash_netport6_variant;
 	}
 	pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
 		 set->name, jhash_size(h->table->htable_bits),
 		 h->table->htable_bits, h->maxelem, set->data, h->table);
 	return 0;
 }
 static struct ip_set_type hash_netport_type __read_mostly = {
 	.name		= "hash:net,port",
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP | IPSET_TYPE_PORT,
 	.dimension	= IPSET_DIM_TWO,
 	.family		= AF_UNSPEC,
 	.revision_min	= 0,
 	/*		  1	   SCTP and UDPLITE support added */
 	.revision_max	= 2,	/* Range as input support for IPv4 added */
 	.create		= hash_netport_create,
 	.create_policy	= {
 		[IPSET_ATTR_HASHSIZE]	= { .type = NLA_U32 },
 		[IPSET_ATTR_MAXELEM]	= { .type = NLA_U32 },
 		[IPSET_ATTR_PROBES]	= { .type = NLA_U8 },
 		[IPSET_ATTR_RESIZE]	= { .type = NLA_U8  },
 		[IPSET_ATTR_PROTO]	= { .type = NLA_U8 },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 	},
 	.adt_policy	= {
 		[IPSET_ATTR_IP]		= { .type = NLA_NESTED },
 		[IPSET_ATTR_IP_TO]	= { .type = NLA_NESTED },
 		[IPSET_ATTR_PORT]	= { .type = NLA_U16 },
 		[IPSET_ATTR_PORT_TO]	= { .type = NLA_U16 },
 		[IPSET_ATTR_PROTO]	= { .type = NLA_U8 },
 		[IPSET_ATTR_CIDR]	= { .type = NLA_U8 },
 		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
 		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
 	},
 	.me		= THIS_MODULE,
 };
 static int __init
 hash_netport_init(void)
 {
 	return ip_set_type_register(&hash_netport_type);
 }
 static void __exit
 hash_netport_fini(void)
 {
 	ip_set_type_unregister(&hash_netport_type);
 }
 module_init(hash_netport_init);
 module_exit(hash_netport_fini);

net/netfilter/nfnetlink.c

Diff comments View file @ f5caadb

1	/* Netfilter messages via netlink socket. Allows for user space	1	/* Netfilter messages via netlink socket. Allows for user space
2	* protocol helpers and general trouble making from userspace.	2	* protocol helpers and general trouble making from userspace.
3	*	3	*
4	* (C) 2001 by Jay Schulist <jschlst@samba.org>,	4	* (C) 2001 by Jay Schulist <jschlst@samba.org>,
5	* (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>	5	* (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
6	* (C) 2005,2007 by Pablo Neira Ayuso <pablo@netfilter.org>	6	* (C) 2005,2007 by Pablo Neira Ayuso <pablo@netfilter.org>
7	*	7	*
8	* Initial netfilter messages via netlink development funded and	8	* Initial netfilter messages via netlink development funded and
9	* generally made possible by Network Robots, Inc. (www.networkrobots.com)	9	* generally made possible by Network Robots, Inc. (www.networkrobots.com)
10	*	10	*
11	* Further development of this code funded by Astaro AG (http://www.astaro.com)	11	* Further development of this code funded by Astaro AG (http://www.astaro.com)
12	*	12	*
13	* This software may be used and distributed according to the terms	13	* This software may be used and distributed according to the terms
14	* of the GNU General Public License, incorporated herein by reference.	14	* of the GNU General Public License, incorporated herein by reference.
15	*/	15	*/
16		16
17	#include <linux/module.h>	17	#include <linux/module.h>
18	#include <linux/types.h>	18	#include <linux/types.h>
19	#include <linux/socket.h>	19	#include <linux/socket.h>
20	#include <linux/kernel.h>	20	#include <linux/kernel.h>
21	#include <linux/string.h>	21	#include <linux/string.h>
22	#include <linux/sockios.h>	22	#include <linux/sockios.h>
23	#include <linux/net.h>	23	#include <linux/net.h>
24	#include <linux/skbuff.h>	24	#include <linux/skbuff.h>
25	#include <asm/uaccess.h>	25	#include <asm/uaccess.h>
26	#include <asm/system.h>	26	#include <asm/system.h>
27	#include <net/sock.h>	27	#include <net/sock.h>
28	#include <net/netlink.h>	28	#include <net/netlink.h>
29	#include <linux/init.h>	29	#include <linux/init.h>
30		30
31	#include <linux/netlink.h>	31	#include <linux/netlink.h>
32	#include <linux/netfilter/nfnetlink.h>	32	#include <linux/netfilter/nfnetlink.h>
33		33
34	MODULE_LICENSE("GPL");	34	MODULE_LICENSE("GPL");
35	MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");	35	MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
36	MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NETFILTER);	36	MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NETFILTER);
37		37
38	static char __initdata nfversion[] = "0.30";	38	static char __initdata nfversion[] = "0.30";
39		39
40	static const struct nfnetlink_subsystem *subsys_table[NFNL_SUBSYS_COUNT];	40	static const struct nfnetlink_subsystem __rcu *subsys_table[NFNL_SUBSYS_COUNT];
41	static DEFINE_MUTEX(nfnl_mutex);	41	static DEFINE_MUTEX(nfnl_mutex);
42		42
43	void nfnl_lock(void)	43	void nfnl_lock(void)
44	{	44	{
45	mutex_lock(&nfnl_mutex);	45	mutex_lock(&nfnl_mutex);
46	}	46	}
47	EXPORT_SYMBOL_GPL(nfnl_lock);	47	EXPORT_SYMBOL_GPL(nfnl_lock);
48		48
49	void nfnl_unlock(void)	49	void nfnl_unlock(void)
50	{	50	{
51	mutex_unlock(&nfnl_mutex);	51	mutex_unlock(&nfnl_mutex);
52	}	52	}
53	EXPORT_SYMBOL_GPL(nfnl_unlock);	53	EXPORT_SYMBOL_GPL(nfnl_unlock);
54		54
55	int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n)	55	int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n)
56	{	56	{
57	nfnl_lock();	57	nfnl_lock();
58	if (subsys_table[n->subsys_id]) {	58	if (subsys_table[n->subsys_id]) {
59	nfnl_unlock();	59	nfnl_unlock();
60	return -EBUSY;	60	return -EBUSY;
61	}	61	}
62	subsys_table[n->subsys_id] = n;	62	rcu_assign_pointer(subsys_table[n->subsys_id], n);
63	nfnl_unlock();	63	nfnl_unlock();
64		64
65	return 0;	65	return 0;
66	}	66	}
67	EXPORT_SYMBOL_GPL(nfnetlink_subsys_register);	67	EXPORT_SYMBOL_GPL(nfnetlink_subsys_register);
68		68
69	int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n)	69	int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n)
70	{	70	{
71	nfnl_lock();	71	nfnl_lock();
72	subsys_table[n->subsys_id] = NULL;	72	subsys_table[n->subsys_id] = NULL;
73	nfnl_unlock();	73	nfnl_unlock();
74		74	synchronize_rcu();
75	return 0;	75	return 0;
76	}	76	}
77	EXPORT_SYMBOL_GPL(nfnetlink_subsys_unregister);	77	EXPORT_SYMBOL_GPL(nfnetlink_subsys_unregister);
78		78
79	static inline const struct nfnetlink_subsystem *nfnetlink_get_subsys(u_int16_t type)	79	static inline const struct nfnetlink_subsystem *nfnetlink_get_subsys(u_int16_t type)
80	{	80	{
81	u_int8_t subsys_id = NFNL_SUBSYS_ID(type);	81	u_int8_t subsys_id = NFNL_SUBSYS_ID(type);
82		82
83	if (subsys_id >= NFNL_SUBSYS_COUNT)	83	if (subsys_id >= NFNL_SUBSYS_COUNT)
84	return NULL;	84	return NULL;
85		85
86	return subsys_table[subsys_id];	86	return rcu_dereference(subsys_table[subsys_id]);
87	}	87	}
88		88
89	static inline const struct nfnl_callback *	89	static inline const struct nfnl_callback *
90	nfnetlink_find_client(u_int16_t type, const struct nfnetlink_subsystem *ss)	90	nfnetlink_find_client(u_int16_t type, const struct nfnetlink_subsystem *ss)
91	{	91	{
92	u_int8_t cb_id = NFNL_MSG_TYPE(type);	92	u_int8_t cb_id = NFNL_MSG_TYPE(type);
93		93
94	if (cb_id >= ss->cb_count)	94	if (cb_id >= ss->cb_count)
95	return NULL;	95	return NULL;
96		96
97	return &ss->cb[cb_id];	97	return &ss->cb[cb_id];
98	}	98	}
99		99
100	int nfnetlink_has_listeners(struct net *net, unsigned int group)	100	int nfnetlink_has_listeners(struct net *net, unsigned int group)
101	{	101	{
102	return netlink_has_listeners(net->nfnl, group);	102	return netlink_has_listeners(net->nfnl, group);
103	}	103	}
104	EXPORT_SYMBOL_GPL(nfnetlink_has_listeners);	104	EXPORT_SYMBOL_GPL(nfnetlink_has_listeners);
105		105
106	int nfnetlink_send(struct sk_buff skb, struct net net, u32 pid,	106	int nfnetlink_send(struct sk_buff skb, struct net net, u32 pid,
107	unsigned group, int echo, gfp_t flags)	107	unsigned group, int echo, gfp_t flags)
108	{	108	{
109	return nlmsg_notify(net->nfnl, skb, pid, group, echo, flags);	109	return nlmsg_notify(net->nfnl, skb, pid, group, echo, flags);
110	}	110	}
111	EXPORT_SYMBOL_GPL(nfnetlink_send);	111	EXPORT_SYMBOL_GPL(nfnetlink_send);
112		112
113	int nfnetlink_set_err(struct net *net, u32 pid, u32 group, int error)	113	int nfnetlink_set_err(struct net *net, u32 pid, u32 group, int error)
114	{	114	{
115	return netlink_set_err(net->nfnl, pid, group, error);	115	return netlink_set_err(net->nfnl, pid, group, error);
116	}	116	}
117	EXPORT_SYMBOL_GPL(nfnetlink_set_err);	117	EXPORT_SYMBOL_GPL(nfnetlink_set_err);
118		118
119	int nfnetlink_unicast(struct sk_buff skb, struct net net, u_int32_t pid, int flags)	119	int nfnetlink_unicast(struct sk_buff skb, struct net net, u_int32_t pid, int flags)
120	{	120	{
121	return netlink_unicast(net->nfnl, skb, pid, flags);	121	return netlink_unicast(net->nfnl, skb, pid, flags);
122	}	122	}
123	EXPORT_SYMBOL_GPL(nfnetlink_unicast);	123	EXPORT_SYMBOL_GPL(nfnetlink_unicast);
124		124
125	/* Process one complete nfnetlink message. */	125	/* Process one complete nfnetlink message. */
126	static int nfnetlink_rcv_msg(struct sk_buff skb, struct nlmsghdr nlh)	126	static int nfnetlink_rcv_msg(struct sk_buff skb, struct nlmsghdr nlh)
127	{	127	{
128	struct net *net = sock_net(skb->sk);	128	struct net *net = sock_net(skb->sk);
129	const struct nfnl_callback *nc;	129	const struct nfnl_callback *nc;
130	const struct nfnetlink_subsystem *ss;	130	const struct nfnetlink_subsystem *ss;
131	int type, err;	131	int type, err;
132		132
133	if (security_netlink_recv(skb, CAP_NET_ADMIN))	133	if (security_netlink_recv(skb, CAP_NET_ADMIN))
134	return -EPERM;	134	return -EPERM;
135		135
136	/* All the messages must at least contain nfgenmsg */	136	/* All the messages must at least contain nfgenmsg */
137	if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(struct nfgenmsg)))	137	if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(struct nfgenmsg)))
138	return 0;	138	return 0;
139		139
140	type = nlh->nlmsg_type;	140	type = nlh->nlmsg_type;
141	replay:	141	replay:
		142	rcu_read_lock();
142	ss = nfnetlink_get_subsys(type);	143	ss = nfnetlink_get_subsys(type);
143	if (!ss) {	144	if (!ss) {
144	#ifdef CONFIG_MODULES	145	#ifdef CONFIG_MODULES
145	nfnl_unlock();	146	rcu_read_unlock();
146	request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));	147	request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));
147	nfnl_lock();	148	rcu_read_lock();
148	ss = nfnetlink_get_subsys(type);	149	ss = nfnetlink_get_subsys(type);
149	if (!ss)	150	if (!ss)
150	#endif	151	#endif
		152	{
		153	rcu_read_unlock();
151	return -EINVAL;	154	return -EINVAL;
		155	}
152	}	156	}
153		157
154	nc = nfnetlink_find_client(type, ss);	158	nc = nfnetlink_find_client(type, ss);
155	if (!nc)	159	if (!nc) {
		160	rcu_read_unlock();
156	return -EINVAL;	161	return -EINVAL;
		162	}
157		163
158	{	164	{
159	int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));	165	int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
160	u_int8_t cb_id = NFNL_MSG_TYPE(nlh->nlmsg_type);	166	u_int8_t cb_id = NFNL_MSG_TYPE(nlh->nlmsg_type);
161	struct nlattr *cda[ss->cb[cb_id].attr_count + 1];	167	struct nlattr *cda[ss->cb[cb_id].attr_count + 1];
162	struct nlattr attr = (void )nlh + min_len;	168	struct nlattr attr = (void )nlh + min_len;
163	int attrlen = nlh->nlmsg_len - min_len;	169	int attrlen = nlh->nlmsg_len - min_len;
164		170
165	err = nla_parse(cda, ss->cb[cb_id].attr_count,	171	err = nla_parse(cda, ss->cb[cb_id].attr_count,
166	attr, attrlen, ss->cb[cb_id].policy);	172	attr, attrlen, ss->cb[cb_id].policy);
167	if (err < 0)	173	if (err < 0)
168	return err;	174	return err;
169		175
170	err = nc->call(net->nfnl, skb, nlh, (const struct nlattr **)cda);	176	if (nc->call_rcu) {
		177	err = nc->call_rcu(net->nfnl, skb, nlh,
		178	(const struct nlattr **)cda);
		179	rcu_read_unlock();
		180	} else {
		181	rcu_read_unlock();
		182	nfnl_lock();
		183	if (rcu_dereference_protected(
		184	subsys_table[NFNL_SUBSYS_ID(type)],
		185	lockdep_is_held(&nfnl_mutex)) != ss \|\|
		186	nfnetlink_find_client(type, ss) != nc)
		187	err = -EAGAIN;
		188	else
		189	err = nc->call(net->nfnl, skb, nlh,
		190	(const struct nlattr **)cda);
		191	nfnl_unlock();
		192	}
171	if (err == -EAGAIN)	193	if (err == -EAGAIN)
172	goto replay;	194	goto replay;
173	return err;	195	return err;
174	}	196	}
175	}	197	}
176		198
177	static void nfnetlink_rcv(struct sk_buff *skb)	199	static void nfnetlink_rcv(struct sk_buff *skb)
178	{	200	{
179	nfnl_lock();
180	netlink_rcv_skb(skb, &nfnetlink_rcv_msg);	201	netlink_rcv_skb(skb, &nfnetlink_rcv_msg);
181	nfnl_unlock();
182	}	202	}
183		203
184	static int __net_init nfnetlink_net_init(struct net *net)	204	static int __net_init nfnetlink_net_init(struct net *net)
185	{	205	{
186	struct sock *nfnl;	206	struct sock *nfnl;
187		207
188	nfnl = netlink_kernel_create(net, NETLINK_NETFILTER, NFNLGRP_MAX,	208	nfnl = netlink_kernel_create(net, NETLINK_NETFILTER, NFNLGRP_MAX,
189	nfnetlink_rcv, NULL, THIS_MODULE);	209	nfnetlink_rcv, NULL, THIS_MODULE);
190	if (!nfnl)	210	if (!nfnl)
191	return -ENOMEM;	211	return -ENOMEM;
192	net->nfnl_stash = nfnl;	212	net->nfnl_stash = nfnl;
193	rcu_assign_pointer(net->nfnl, nfnl);	213	rcu_assign_pointer(net->nfnl, nfnl);
194	return 0;	214	return 0;
195	}	215	}
196		216
197	static void __net_exit nfnetlink_net_exit_batch(struct list_head *net_exit_list)	217	static void __net_exit nfnetlink_net_exit_batch(struct list_head *net_exit_list)
198	{	218	{
199	struct net *net;	219	struct net *net;
200		220
201	list_for_each_entry(net, net_exit_list, exit_list)	221	list_for_each_entry(net, net_exit_list, exit_list)
202	rcu_assign_pointer(net->nfnl, NULL);	222	rcu_assign_pointer(net->nfnl, NULL);
203	synchronize_net();	223	synchronize_net();
204	list_for_each_entry(net, net_exit_list, exit_list)	224	list_for_each_entry(net, net_exit_list, exit_list)
205	netlink_kernel_release(net->nfnl_stash);	225	netlink_kernel_release(net->nfnl_stash);
206	}	226	}
207		227
208	static struct pernet_operations nfnetlink_net_ops = {	228	static struct pernet_operations nfnetlink_net_ops = {
209	.init = nfnetlink_net_init,	229	.init = nfnetlink_net_init,
210	.exit_batch = nfnetlink_net_exit_batch,	230	.exit_batch = nfnetlink_net_exit_batch,
211	};	231	};
212		232
213	static int __init nfnetlink_init(void)	233	static int __init nfnetlink_init(void)
214	{	234	{
215	pr_info("Netfilter messages via NETLINK v%s.\n", nfversion);	235	pr_info("Netfilter messages via NETLINK v%s.\n", nfversion);
216	return register_pernet_subsys(&nfnetlink_net_ops);	236	return register_pernet_subsys(&nfnetlink_net_ops);
217	}	237	}
218		238
219	static void __exit nfnetlink_exit(void)	239	static void __exit nfnetlink_exit(void)
220	{	240	{
221	pr_info("Removing netfilter NETLINK layer.\n");	241	pr_info("Removing netfilter NETLINK layer.\n");
222	unregister_pernet_subsys(&nfnetlink_net_ops);	242	unregister_pernet_subsys(&nfnetlink_net_ops);
223	}	243	}
224	module_init(nfnetlink_init);	244	module_init(nfnetlink_init);

net/netfilter/nfnetlink_queue.c

Diff comments View file @ f5caadb

 /*
  * This is a module which is used for queueing packets and communicating with
  * userspace via nfnetlink.
  *
  * (C) 2005 by Harald Welte <laforge@netfilter.org>
  * (C) 2007 by Patrick McHardy <kaber@trash.net>
  *
  * Based on the old ipv4-only ip_queue.c:
  * (C) 2000-2002 James Morris <jmorris@intercode.com.au>
  * (C) 2003-2005 Netfilter Core Team <coreteam@netfilter.org>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  *
  */
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/init.h>
 #include <linux/spinlock.h>
 #include <linux/slab.h>
 #include <linux/notifier.h>
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/proc_fs.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_queue.h>
 #include <linux/list.h>
 #include <net/sock.h>
 #include <net/netfilter/nf_queue.h>
 #include <asm/atomic.h>
 #ifdef CONFIG_BRIDGE_NETFILTER
 #include "../bridge/br_private.h"
 #endif
 #define NFQNL_QMAX_DEFAULT 1024
 struct nfqnl_instance {
 	struct hlist_node hlist;		/* global list of queues */
 	struct rcu_head rcu;
 	int peer_pid;
 	unsigned int queue_maxlen;
 	unsigned int copy_range;
 	unsigned int queue_dropped;
 	unsigned int queue_user_dropped;
 	u_int16_t queue_num;			/* number of this queue */
 	u_int8_t copy_mode;
 /*
  * Following fields are dirtied for each queued packet,
  * keep them in same cache line if possible.
  */
 	spinlock_t	lock;
 	unsigned int	queue_total;
-	atomic_t	id_sequence;		/* 'sequence' of pkt ids */
+	unsigned int	id_sequence;		/* 'sequence' of pkt ids */
 	struct list_head queue_list;		/* packets in queue */
 };
 typedef int (*nfqnl_cmpfn)(struct nf_queue_entry *, unsigned long);
 static DEFINE_SPINLOCK(instances_lock);
 #define INSTANCE_BUCKETS	16
 static struct hlist_head instance_table[INSTANCE_BUCKETS] __read_mostly;
 static inline u_int8_t instance_hashfn(u_int16_t queue_num)
 {
 	return ((queue_num >> 8) | queue_num) % INSTANCE_BUCKETS;
 }
 static struct nfqnl_instance *
 instance_lookup(u_int16_t queue_num)
 {
 	struct hlist_head *head;
 	struct hlist_node *pos;
 	struct nfqnl_instance *inst;
 	head = &instance_table[instance_hashfn(queue_num)];
 	hlist_for_each_entry_rcu(inst, pos, head, hlist) {
 		if (inst->queue_num == queue_num)
 			return inst;
 	}
 	return NULL;
 }
 static struct nfqnl_instance *
 instance_create(u_int16_t queue_num, int pid)
 {
 	struct nfqnl_instance *inst;
 	unsigned int h;
 	int err;
 	spin_lock(&instances_lock);
 	if (instance_lookup(queue_num)) {
 		err = -EEXIST;
 		goto out_unlock;
 	}
 	inst = kzalloc(sizeof(*inst), GFP_ATOMIC);
 	if (!inst) {
 		err = -ENOMEM;
 		goto out_unlock;
 	}
 	inst->queue_num = queue_num;
 	inst->peer_pid = pid;
 	inst->queue_maxlen = NFQNL_QMAX_DEFAULT;
 	inst->copy_range = 0xfffff;
 	inst->copy_mode = NFQNL_COPY_NONE;
 	spin_lock_init(&inst->lock);
 	INIT_LIST_HEAD(&inst->queue_list);
 	if (!try_module_get(THIS_MODULE)) {
 		err = -EAGAIN;
 		goto out_free;
 	}
 	h = instance_hashfn(queue_num);
 	hlist_add_head_rcu(&inst->hlist, &instance_table[h]);
 	spin_unlock(&instances_lock);
 	return inst;
 out_free:
 	kfree(inst);
 out_unlock:
 	spin_unlock(&instances_lock);
 	return ERR_PTR(err);
 }
 static void nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn,
 			unsigned long data);
 static void
 instance_destroy_rcu(struct rcu_head *head)
 {
 	struct nfqnl_instance *inst = container_of(head, struct nfqnl_instance,
 						   rcu);
 	nfqnl_flush(inst, NULL, 0);
 	kfree(inst);
 	module_put(THIS_MODULE);
 }
 static void
 __instance_destroy(struct nfqnl_instance *inst)
 {
 	hlist_del_rcu(&inst->hlist);
 	call_rcu(&inst->rcu, instance_destroy_rcu);
 }
 static void
 instance_destroy(struct nfqnl_instance *inst)
 {
 	spin_lock(&instances_lock);
 	__instance_destroy(inst);
 	spin_unlock(&instances_lock);
 }
 static inline void
 __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)
 {
        list_add_tail(&entry->list, &queue->queue_list);
        queue->queue_total++;
 }
+static void
+__dequeue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)
+{
+	list_del(&entry->list);
+	queue->queue_total--;
+}
 static struct nf_queue_entry *
 find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id)
 {
 	struct nf_queue_entry *entry = NULL, *i;
 	spin_lock_bh(&queue->lock);
 	list_for_each_entry(i, &queue->queue_list, list) {
 		if (i->id == id) {
 			entry = i;
 			break;
 		}
 	}
-	if (entry) {
+	if (entry)
-		list_del(&entry->list);
+		__dequeue_entry(queue, entry);
-		queue->queue_total--;
-	}
 	spin_unlock_bh(&queue->lock);
 	return entry;
 }
 static void
 nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn, unsigned long data)
 {
 	struct nf_queue_entry *entry, *next;
 	spin_lock_bh(&queue->lock);
 	list_for_each_entry_safe(entry, next, &queue->queue_list, list) {
 		if (!cmpfn || cmpfn(entry, data)) {
 			list_del(&entry->list);
 			queue->queue_total--;
 			nf_reinject(entry, NF_DROP);
 		}
 	}
 	spin_unlock_bh(&queue->lock);
 }
 static struct sk_buff *
 nfqnl_build_packet_message(struct nfqnl_instance *queue,
-			   struct nf_queue_entry *entry)
+			   struct nf_queue_entry *entry,
+			   __be32 **packet_id_ptr)
 {
 	sk_buff_data_t old_tail;
 	size_t size;
 	size_t data_len = 0;
 	struct sk_buff *skb;
-	struct nfqnl_msg_packet_hdr pmsg;
+	struct nlattr *nla;
+	struct nfqnl_msg_packet_hdr *pmsg;
 	struct nlmsghdr *nlh;
 	struct nfgenmsg *nfmsg;
 	struct sk_buff *entskb = entry->skb;
 	struct net_device *indev;
 	struct net_device *outdev;
 	size =    NLMSG_SPACE(sizeof(struct nfgenmsg))
 		+ nla_total_size(sizeof(struct nfqnl_msg_packet_hdr))
 		+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
 		+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
 #ifdef CONFIG_BRIDGE_NETFILTER
 		+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
 		+ nla_total_size(sizeof(u_int32_t))	/* ifindex */
 #endif
 		+ nla_total_size(sizeof(u_int32_t))	/* mark */
 		+ nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
 		+ nla_total_size(sizeof(struct nfqnl_msg_packet_timestamp));
 	outdev = entry->outdev;
 	switch ((enum nfqnl_config_mode)ACCESS_ONCE(queue->copy_mode)) {
 	case NFQNL_COPY_META:
 	case NFQNL_COPY_NONE:
 		break;
 	case NFQNL_COPY_PACKET:
 		if (entskb->ip_summed == CHECKSUM_PARTIAL &&
 		    skb_checksum_help(entskb))
 			return NULL;
 		data_len = ACCESS_ONCE(queue->copy_range);
 		if (data_len == 0 || data_len > entskb->len)
 			data_len = entskb->len;
 		size += nla_total_size(data_len);
 		break;
 	}
 	skb = alloc_skb(size, GFP_ATOMIC);
 	if (!skb)
 		goto nlmsg_failure;
 	old_tail = skb->tail;
 	nlh = NLMSG_PUT(skb, 0, 0,
 			NFNL_SUBSYS_QUEUE << 8 | NFQNL_MSG_PACKET,
 			sizeof(struct nfgenmsg));
 	nfmsg = NLMSG_DATA(nlh);
 	nfmsg->nfgen_family = entry->pf;
 	nfmsg->version = NFNETLINK_V0;
 	nfmsg->res_id = htons(queue->queue_num);
-	entry->id = atomic_inc_return(&queue->id_sequence);
+	nla = __nla_reserve(skb, NFQA_PACKET_HDR, sizeof(*pmsg));
-	pmsg.packet_id 		= htonl(entry->id);
+	pmsg = nla_data(nla);
-	pmsg.hw_protocol	= entskb->protocol;
+	pmsg->hw_protocol	= entskb->protocol;
-	pmsg.hook		= entry->hook;
+	pmsg->hook		= entry->hook;
+	*packet_id_ptr		= &pmsg->packet_id;
-	NLA_PUT(skb, NFQA_PACKET_HDR, sizeof(pmsg), &pmsg);
 	indev = entry->indev;
 	if (indev) {
 #ifndef CONFIG_BRIDGE_NETFILTER
 		NLA_PUT_BE32(skb, NFQA_IFINDEX_INDEV, htonl(indev->ifindex));
 #else
 		if (entry->pf == PF_BRIDGE) {
 			/* Case 1: indev is physical input device, we need to
 			 * look for bridge group (when called from
 			 * netfilter_bridge) */
 			NLA_PUT_BE32(skb, NFQA_IFINDEX_PHYSINDEV,
 				     htonl(indev->ifindex));
 			/* this is the bridge group "brX" */
 			/* rcu_read_lock()ed by __nf_queue */
 			NLA_PUT_BE32(skb, NFQA_IFINDEX_INDEV,
 				     htonl(br_port_get_rcu(indev)->br->dev->ifindex));
 		} else {
 			/* Case 2: indev is bridge group, we need to look for
 			 * physical device (when called from ipv4) */
 			NLA_PUT_BE32(skb, NFQA_IFINDEX_INDEV,
 				     htonl(indev->ifindex));
 			if (entskb->nf_bridge && entskb->nf_bridge->physindev)
 				NLA_PUT_BE32(skb, NFQA_IFINDEX_PHYSINDEV,
 					     htonl(entskb->nf_bridge->physindev->ifindex));
 		}
 #endif
 	}
 	if (outdev) {
 #ifndef CONFIG_BRIDGE_NETFILTER
 		NLA_PUT_BE32(skb, NFQA_IFINDEX_OUTDEV, htonl(outdev->ifindex));
 #else
 		if (entry->pf == PF_BRIDGE) {
 			/* Case 1: outdev is physical output device, we need to
 			 * look for bridge group (when called from
 			 * netfilter_bridge) */
 			NLA_PUT_BE32(skb, NFQA_IFINDEX_PHYSOUTDEV,
 				     htonl(outdev->ifindex));
 			/* this is the bridge group "brX" */
 			/* rcu_read_lock()ed by __nf_queue */
 			NLA_PUT_BE32(skb, NFQA_IFINDEX_OUTDEV,
 				     htonl(br_port_get_rcu(outdev)->br->dev->ifindex));
 		} else {
 			/* Case 2: outdev is bridge group, we need to look for
 			 * physical output device (when called from ipv4) */
 			NLA_PUT_BE32(skb, NFQA_IFINDEX_OUTDEV,
 				     htonl(outdev->ifindex));
 			if (entskb->nf_bridge && entskb->nf_bridge->physoutdev)
 				NLA_PUT_BE32(skb, NFQA_IFINDEX_PHYSOUTDEV,
 					     htonl(entskb->nf_bridge->physoutdev->ifindex));
 		}
 #endif
 	}
 	if (entskb->mark)
 		NLA_PUT_BE32(skb, NFQA_MARK, htonl(entskb->mark));
 	if (indev && entskb->dev &&
 	    entskb->mac_header != entskb->network_header) {
 		struct nfqnl_msg_packet_hw phw;
 		int len = dev_parse_header(entskb, phw.hw_addr);
 		if (len) {
 			phw.hw_addrlen = htons(len);
 			NLA_PUT(skb, NFQA_HWADDR, sizeof(phw), &phw);
 		}
 	}
 	if (entskb->tstamp.tv64) {
 		struct nfqnl_msg_packet_timestamp ts;
 		struct timeval tv = ktime_to_timeval(entskb->tstamp);
 		ts.sec = cpu_to_be64(tv.tv_sec);
 		ts.usec = cpu_to_be64(tv.tv_usec);
 		NLA_PUT(skb, NFQA_TIMESTAMP, sizeof(ts), &ts);
 	}
 	if (data_len) {
 		struct nlattr *nla;
 		int sz = nla_attr_size(data_len);
 		if (skb_tailroom(skb) < nla_total_size(data_len)) {
 			printk(KERN_WARNING "nf_queue: no tailroom!\n");
 			goto nlmsg_failure;
 		}
 		nla = (struct nlattr *)skb_put(skb, nla_total_size(data_len));
 		nla->nla_type = NFQA_PAYLOAD;
 		nla->nla_len = sz;
 		if (skb_copy_bits(entskb, 0, nla_data(nla), data_len))
 			BUG();
 	}
 	nlh->nlmsg_len = skb->tail - old_tail;
 	return skb;
 nlmsg_failure:
 nla_put_failure:
 	if (skb)
 		kfree_skb(skb);
 	if (net_ratelimit())
 		printk(KERN_ERR "nf_queue: error creating packet message\n");
 	return NULL;
 }
 static int
 nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
 {
 	struct sk_buff *nskb;
 	struct nfqnl_instance *queue;
 	int err = -ENOBUFS;
+	__be32 *packet_id_ptr;
 	/* rcu_read_lock()ed by nf_hook_slow() */
 	queue = instance_lookup(queuenum);
 	if (!queue) {
 		err = -ESRCH;
 		goto err_out;
 	}
 	if (queue->copy_mode == NFQNL_COPY_NONE) {
 		err = -EINVAL;
 		goto err_out;
 	}
-	nskb = nfqnl_build_packet_message(queue, entry);
+	nskb = nfqnl_build_packet_message(queue, entry, &packet_id_ptr);
 	if (nskb == NULL) {
 		err = -ENOMEM;
 		goto err_out;
 	}
 	spin_lock_bh(&queue->lock);
 	if (!queue->peer_pid) {
 		err = -EINVAL;
 		goto err_out_free_nskb;
 	}
 	if (queue->queue_total >= queue->queue_maxlen) {
 		queue->queue_dropped++;
 		if (net_ratelimit())
 			  printk(KERN_WARNING "nf_queue: full at %d entries, "
 				 "dropping packets(s).\n",
 				 queue->queue_total);
 		goto err_out_free_nskb;
 	}
+	entry->id = ++queue->id_sequence;
+	*packet_id_ptr = htonl(entry->id);
 	/* nfnetlink_unicast will either free the nskb or add it to a socket */
 	err = nfnetlink_unicast(nskb, &init_net, queue->peer_pid, MSG_DONTWAIT);
 	if (err < 0) {
 		queue->queue_user_dropped++;
 		goto err_out_unlock;
 	}
 	__enqueue_entry(queue, entry);
 	spin_unlock_bh(&queue->lock);
 	return 0;
 err_out_free_nskb:
 	kfree_skb(nskb);
 err_out_unlock:
 	spin_unlock_bh(&queue->lock);
 err_out:
 	return err;
 }
 static int
 nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e)
 {
 	struct sk_buff *nskb;
 	int diff;
 	diff = data_len - e->skb->len;
 	if (diff < 0) {
 		if (pskb_trim(e->skb, data_len))
 			return -ENOMEM;
 	} else if (diff > 0) {
 		if (data_len > 0xFFFF)
 			return -EINVAL;
 		if (diff > skb_tailroom(e->skb)) {
 			nskb = skb_copy_expand(e->skb, skb_headroom(e->skb),
 					       diff, GFP_ATOMIC);
 			if (!nskb) {
 				printk(KERN_WARNING "nf_queue: OOM "
 				      "in mangle, dropping packet\n");
 				return -ENOMEM;
 			}
 			kfree_skb(e->skb);
 			e->skb = nskb;
 		}
 		skb_put(e->skb, diff);
 	}
 	if (!skb_make_writable(e->skb, data_len))
 		return -ENOMEM;
 	skb_copy_to_linear_data(e->skb, data, data_len);
 	e->skb->ip_summed = CHECKSUM_NONE;
 	return 0;
 }
 static int
 nfqnl_set_mode(struct nfqnl_instance *queue,
 	       unsigned char mode, unsigned int range)
 {
 	int status = 0;
 	spin_lock_bh(&queue->lock);
 	switch (mode) {
 	case NFQNL_COPY_NONE:
 	case NFQNL_COPY_META:
 		queue->copy_mode = mode;
 		queue->copy_range = 0;
 		break;
 	case NFQNL_COPY_PACKET:
 		queue->copy_mode = mode;
 		/* we're using struct nlattr which has 16bit nla_len */
 		if (range > 0xffff)
 			queue->copy_range = 0xffff;
 		else
 			queue->copy_range = range;
 		break;
 	default:
 		status = -EINVAL;
 	}
 	spin_unlock_bh(&queue->lock);
 	return status;
 }
 static int
 dev_cmp(struct nf_queue_entry *entry, unsigned long ifindex)
 {
 	if (entry->indev)
 		if (entry->indev->ifindex == ifindex)
 			return 1;
 	if (entry->outdev)
 		if (entry->outdev->ifindex == ifindex)
 			return 1;
 #ifdef CONFIG_BRIDGE_NETFILTER
 	if (entry->skb->nf_bridge) {
 		if (entry->skb->nf_bridge->physindev &&
 		    entry->skb->nf_bridge->physindev->ifindex == ifindex)
 			return 1;
 		if (entry->skb->nf_bridge->physoutdev &&
 		    entry->skb->nf_bridge->physoutdev->ifindex == ifindex)
 			return 1;
 	}
 #endif
 	return 0;
 }
 /* drop all packets with either indev or outdev == ifindex from all queue
  * instances */
 static void
 nfqnl_dev_drop(int ifindex)
 {
 	int i;
 	rcu_read_lock();
 	for (i = 0; i < INSTANCE_BUCKETS; i++) {
 		struct hlist_node *tmp;
 		struct nfqnl_instance *inst;
 		struct hlist_head *head = &instance_table[i];
 		hlist_for_each_entry_rcu(inst, tmp, head, hlist)
 			nfqnl_flush(inst, dev_cmp, ifindex);
 	}
 	rcu_read_unlock();
 }
 #define RCV_SKB_FAIL(err) do { netlink_ack(skb, nlh, (err)); return; } while (0)
 static int
 nfqnl_rcv_dev_event(struct notifier_block *this,
 		    unsigned long event, void *ptr)
 {
 	struct net_device *dev = ptr;
 	if (!net_eq(dev_net(dev), &init_net))
 		return NOTIFY_DONE;
 	/* Drop any packets associated with the downed device */
 	if (event == NETDEV_DOWN)
 		nfqnl_dev_drop(dev->ifindex);
 	return NOTIFY_DONE;
 }
 static struct notifier_block nfqnl_dev_notifier = {
 	.notifier_call	= nfqnl_rcv_dev_event,
 };
 static int
 nfqnl_rcv_nl_event(struct notifier_block *this,
 		   unsigned long event, void *ptr)
 {
 	struct netlink_notify *n = ptr;
 	if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
 		int i;
 		/* destroy all instances for this pid */
 		spin_lock(&instances_lock);
 		for (i = 0; i < INSTANCE_BUCKETS; i++) {
 			struct hlist_node *tmp, *t2;
 			struct nfqnl_instance *inst;
 			struct hlist_head *head = &instance_table[i];
 			hlist_for_each_entry_safe(inst, tmp, t2, head, hlist) {
 				if ((n->net == &init_net) &&
 				    (n->pid == inst->peer_pid))
 					__instance_destroy(inst);
 			}
 		}
 		spin_unlock(&instances_lock);
 	}
 	return NOTIFY_DONE;
 }
 static struct notifier_block nfqnl_rtnl_notifier = {
 	.notifier_call	= nfqnl_rcv_nl_event,
 };
 static const struct nla_policy nfqa_verdict_policy[NFQA_MAX+1] = {
 	[NFQA_VERDICT_HDR]	= { .len = sizeof(struct nfqnl_msg_verdict_hdr) },
 	[NFQA_MARK]		= { .type = NLA_U32 },
 	[NFQA_PAYLOAD]		= { .type = NLA_UNSPEC },
 };
+static const struct nla_policy nfqa_verdict_batch_policy[NFQA_MAX+1] = {
+	[NFQA_VERDICT_HDR]	= { .len = sizeof(struct nfqnl_msg_verdict_hdr) },
+	[NFQA_MARK]		= { .type = NLA_U32 },
+};
+static struct nfqnl_instance *verdict_instance_lookup(u16 queue_num, int nlpid)
+{
+	struct nfqnl_instance *queue;
+	queue = instance_lookup(queue_num);
+	if (!queue)
+		return ERR_PTR(-ENODEV);
+	if (queue->peer_pid != nlpid)
+		return ERR_PTR(-EPERM);
+	return queue;
+}
+static struct nfqnl_msg_verdict_hdr*
+verdicthdr_get(const struct nlattr * const nfqa[])
+{
+	struct nfqnl_msg_verdict_hdr *vhdr;
+	unsigned int verdict;
+	if (!nfqa[NFQA_VERDICT_HDR])
+		return NULL;
+	vhdr = nla_data(nfqa[NFQA_VERDICT_HDR]);
+	verdict = ntohl(vhdr->verdict);
+	if ((verdict & NF_VERDICT_MASK) > NF_MAX_VERDICT)
+		return NULL;
+	return vhdr;
+}
+static int nfq_id_after(unsigned int id, unsigned int max)
+{
+	return (int)(id - max) > 0;
+}
 static int
+nfqnl_recv_verdict_batch(struct sock *ctnl, struct sk_buff *skb,
+		   const struct nlmsghdr *nlh,
+		   const struct nlattr * const nfqa[])
+{
+	struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
+	struct nf_queue_entry *entry, *tmp;
+	unsigned int verdict, maxid;
+	struct nfqnl_msg_verdict_hdr *vhdr;
+	struct nfqnl_instance *queue;
+	LIST_HEAD(batch_list);
+	u16 queue_num = ntohs(nfmsg->res_id);
+	queue = verdict_instance_lookup(queue_num, NETLINK_CB(skb).pid);
+	if (IS_ERR(queue))
+		return PTR_ERR(queue);
+	vhdr = verdicthdr_get(nfqa);
+	if (!vhdr)
+		return -EINVAL;
+	verdict = ntohl(vhdr->verdict);
+	maxid = ntohl(vhdr->id);
+	spin_lock_bh(&queue->lock);
+	list_for_each_entry_safe(entry, tmp, &queue->queue_list, list) {
+		if (nfq_id_after(entry->id, maxid))
+			break;
+		__dequeue_entry(queue, entry);
+		list_add_tail(&entry->list, &batch_list);
+	}
+	spin_unlock_bh(&queue->lock);
+	if (list_empty(&batch_list))
+		return -ENOENT;
+	list_for_each_entry_safe(entry, tmp, &batch_list, list) {
+		if (nfqa[NFQA_MARK])
+			entry->skb->mark = ntohl(nla_get_be32(nfqa[NFQA_MARK]));
+		nf_reinject(entry, verdict);
+	}
+	return 0;
+}
+static int
 nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
 		   const struct nlmsghdr *nlh,
 		   const struct nlattr * const nfqa[])
 {
 	struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
 	u_int16_t queue_num = ntohs(nfmsg->res_id);
 	struct nfqnl_msg_verdict_hdr *vhdr;
 	struct nfqnl_instance *queue;
 	unsigned int verdict;
 	struct nf_queue_entry *entry;
-	int err;
-	rcu_read_lock();
 	queue = instance_lookup(queue_num);
-	if (!queue) {
+	if (!queue)
-		err = -ENODEV;
-		goto err_out_unlock;
-	}
-	if (queue->peer_pid != NETLINK_CB(skb).pid) {
+	queue = verdict_instance_lookup(queue_num, NETLINK_CB(skb).pid);
-		err = -EPERM;
+	if (IS_ERR(queue))
-		goto err_out_unlock;
+		return PTR_ERR(queue);
-	}
-	if (!nfqa[NFQA_VERDICT_HDR]) {
+	vhdr = verdicthdr_get(nfqa);
-		err = -EINVAL;
+	if (!vhdr)
-		goto err_out_unlock;
+		return -EINVAL;
-	}
-	vhdr = nla_data(nfqa[NFQA_VERDICT_HDR]);
 	verdict = ntohl(vhdr->verdict);
-	if ((verdict & NF_VERDICT_MASK) > NF_MAX_VERDICT) {
-		err = -EINVAL;
-		goto err_out_unlock;
-	}
 	entry = find_dequeue_entry(queue, ntohl(vhdr->id));
-	if (entry == NULL) {
+	if (entry == NULL)
-		err = -ENOENT;
+		return -ENOENT;
-		goto err_out_unlock;
-	}
-	rcu_read_unlock();
 	if (nfqa[NFQA_PAYLOAD]) {
 		if (nfqnl_mangle(nla_data(nfqa[NFQA_PAYLOAD]),
 				 nla_len(nfqa[NFQA_PAYLOAD]), entry) < 0)
 			verdict = NF_DROP;
 	}
 	if (nfqa[NFQA_MARK])
 		entry->skb->mark = ntohl(nla_get_be32(nfqa[NFQA_MARK]));
 	nf_reinject(entry, verdict);
 	return 0;
-err_out_unlock:
-	rcu_read_unlock();
-	return err;
 }
 static int
 nfqnl_recv_unsupp(struct sock *ctnl, struct sk_buff *skb,
 		  const struct nlmsghdr *nlh,
 		  const struct nlattr * const nfqa[])
 {
 	return -ENOTSUPP;
 }
 static const struct nla_policy nfqa_cfg_policy[NFQA_CFG_MAX+1] = {
 	[NFQA_CFG_CMD]		= { .len = sizeof(struct nfqnl_msg_config_cmd) },
 	[NFQA_CFG_PARAMS]	= { .len = sizeof(struct nfqnl_msg_config_params) },
 };
 static const struct nf_queue_handler nfqh = {
 	.name 	= "nf_queue",
 	.outfn	= &nfqnl_enqueue_packet,
 };
 static int
 nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
 		  const struct nlmsghdr *nlh,
 		  const struct nlattr * const nfqa[])
 {
 	struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
 	u_int16_t queue_num = ntohs(nfmsg->res_id);
 	struct nfqnl_instance *queue;
 	struct nfqnl_msg_config_cmd *cmd = NULL;
 	int ret = 0;
 	if (nfqa[NFQA_CFG_CMD]) {
 		cmd = nla_data(nfqa[NFQA_CFG_CMD]);
 		/* Commands without queue context - might sleep */
 		switch (cmd->command) {
 		case NFQNL_CFG_CMD_PF_BIND:
 			return nf_register_queue_handler(ntohs(cmd->pf),
 							 &nfqh);
 		case NFQNL_CFG_CMD_PF_UNBIND:
 			return nf_unregister_queue_handler(ntohs(cmd->pf),
 							   &nfqh);
 		}
 	}
 	rcu_read_lock();
 	queue = instance_lookup(queue_num);
 	if (queue && queue->peer_pid != NETLINK_CB(skb).pid) {
 		ret = -EPERM;
 		goto err_out_unlock;
 	}
 	if (cmd != NULL) {
 		switch (cmd->command) {
 		case NFQNL_CFG_CMD_BIND:
 			if (queue) {
 				ret = -EBUSY;
 				goto err_out_unlock;
 			}
 			queue = instance_create(queue_num, NETLINK_CB(skb).pid);
 			if (IS_ERR(queue)) {
 				ret = PTR_ERR(queue);
 				goto err_out_unlock;
 			}
 			break;
 		case NFQNL_CFG_CMD_UNBIND:
 			if (!queue) {
 				ret = -ENODEV;
 				goto err_out_unlock;
 			}
 			instance_destroy(queue);
 			break;
 		case NFQNL_CFG_CMD_PF_BIND:
 		case NFQNL_CFG_CMD_PF_UNBIND:
 			break;
 		default:
 			ret = -ENOTSUPP;
 			break;
 		}
 	}
 	if (nfqa[NFQA_CFG_PARAMS]) {
 		struct nfqnl_msg_config_params *params;
 		if (!queue) {
 			ret = -ENODEV;
 			goto err_out_unlock;
 		}
 		params = nla_data(nfqa[NFQA_CFG_PARAMS]);
 		nfqnl_set_mode(queue, params->copy_mode,
 				ntohl(params->copy_range));
 	}
 	if (nfqa[NFQA_CFG_QUEUE_MAXLEN]) {
 		__be32 *queue_maxlen;
 		if (!queue) {
 			ret = -ENODEV;
 			goto err_out_unlock;
 		}
 		queue_maxlen = nla_data(nfqa[NFQA_CFG_QUEUE_MAXLEN]);
 		spin_lock_bh(&queue->lock);
 		queue->queue_maxlen = ntohl(*queue_maxlen);
 		spin_unlock_bh(&queue->lock);
 	}
 err_out_unlock:
 	rcu_read_unlock();
 	return ret;
 }
 static const struct nfnl_callback nfqnl_cb[NFQNL_MSG_MAX] = {
-	[NFQNL_MSG_PACKET]	= { .call = nfqnl_recv_unsupp,
+	[NFQNL_MSG_PACKET]	= { .call_rcu = nfqnl_recv_unsupp,
 				    .attr_count = NFQA_MAX, },
-	[NFQNL_MSG_VERDICT]	= { .call = nfqnl_recv_verdict,
+	[NFQNL_MSG_VERDICT]	= { .call_rcu = nfqnl_recv_verdict,
 				    .attr_count = NFQA_MAX,
 				    .policy = nfqa_verdict_policy },
 	[NFQNL_MSG_CONFIG]	= { .call = nfqnl_recv_config,
 				    .attr_count = NFQA_CFG_MAX,
 				    .policy = nfqa_cfg_policy },
+	[NFQNL_MSG_VERDICT_BATCH]={ .call_rcu = nfqnl_recv_verdict_batch,
+				    .attr_count = NFQA_MAX,
+				    .policy = nfqa_verdict_batch_policy },
 };
 static const struct nfnetlink_subsystem nfqnl_subsys = {
 	.name		= "nf_queue",
 	.subsys_id	= NFNL_SUBSYS_QUEUE,
 	.cb_count	= NFQNL_MSG_MAX,
 	.cb		= nfqnl_cb,
 };
 #ifdef CONFIG_PROC_FS
 struct iter_state {
 	unsigned int bucket;
 };
 static struct hlist_node *get_first(struct seq_file *seq)
 {
 	struct iter_state *st = seq->private;
 	if (!st)
 		return NULL;
 	for (st->bucket = 0; st->bucket < INSTANCE_BUCKETS; st->bucket++) {
 		if (!hlist_empty(&instance_table[st->bucket]))
 			return instance_table[st->bucket].first;
 	}
 	return NULL;
 }
 static struct hlist_node *get_next(struct seq_file *seq, struct hlist_node *h)
 {
 	struct iter_state *st = seq->private;
 	h = h->next;
 	while (!h) {
 		if (++st->bucket >= INSTANCE_BUCKETS)
 			return NULL;
 		h = instance_table[st->bucket].first;
 	}
 	return h;
 }
 static struct hlist_node *get_idx(struct seq_file *seq, loff_t pos)
 {
 	struct hlist_node *head;
 	head = get_first(seq);
 	if (head)
 		while (pos && (head = get_next(seq, head)))
 			pos--;
 	return pos ? NULL : head;
 }
 static void *seq_start(struct seq_file *seq, loff_t *pos)
 	__acquires(instances_lock)
 {
 	spin_lock(&instances_lock);
 	return get_idx(seq, *pos);
 }
 static void *seq_next(struct seq_file *s, void *v, loff_t *pos)
 {
 	(*pos)++;
 	return get_next(s, v);
 }
 static void seq_stop(struct seq_file *s, void *v)
 	__releases(instances_lock)
 {
 	spin_unlock(&instances_lock);
 }
 static int seq_show(struct seq_file *s, void *v)
 {
 	const struct nfqnl_instance *inst = v;
 	return seq_printf(s, "%5d %6d %5d %1d %5d %5d %5d %8d %2d\n",
 			  inst->queue_num,
 			  inst->peer_pid, inst->queue_total,
 			  inst->copy_mode, inst->copy_range,
 			  inst->queue_dropped, inst->queue_user_dropped,
-			  atomic_read(&inst->id_sequence), 1);
+			  inst->id_sequence, 1);
 }
 static const struct seq_operations nfqnl_seq_ops = {
 	.start	= seq_start,
 	.next	= seq_next,
 	.stop	= seq_stop,
 	.show	= seq_show,
 };
 static int nfqnl_open(struct inode *inode, struct file *file)
 {
 	return seq_open_private(file, &nfqnl_seq_ops,
 			sizeof(struct iter_state));
 }
 static const struct file_operations nfqnl_file_ops = {
 	.owner	 = THIS_MODULE,
 	.open	 = nfqnl_open,
 	.read	 = seq_read,
 	.llseek	 = seq_lseek,
 	.release = seq_release_private,
 };
 #endif /* PROC_FS */
 static int __init nfnetlink_queue_init(void)
 {
 	int i, status = -ENOMEM;
 	for (i = 0; i < INSTANCE_BUCKETS; i++)
 		INIT_HLIST_HEAD(&instance_table[i]);
 	netlink_register_notifier(&nfqnl_rtnl_notifier);
 	status = nfnetlink_subsys_register(&nfqnl_subsys);
 	if (status < 0) {
 		printk(KERN_ERR "nf_queue: failed to create netlink socket\n");
 		goto cleanup_netlink_notifier;
 	}
 #ifdef CONFIG_PROC_FS
 	if (!proc_create("nfnetlink_queue", 0440,
 			 proc_net_netfilter, &nfqnl_file_ops))
 		goto cleanup_subsys;
 #endif
 	register_netdevice_notifier(&nfqnl_dev_notifier);
 	return status;
 #ifdef CONFIG_PROC_FS
 cleanup_subsys:
 	nfnetlink_subsys_unregister(&nfqnl_subsys);
 #endif
 cleanup_netlink_notifier:
 	netlink_unregister_notifier(&nfqnl_rtnl_notifier);

net/netfilter/xt_AUDIT.c

Diff comments View file @ f5caadb

 /*
  * Creates audit record for dropped/accepted packets
  *
  * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
  * (C) 2010-2011 Red Hat, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
 */
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/audit.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/if_arp.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_AUDIT.h>
 #include <linux/netfilter_bridge/ebtables.h>
 #include <net/ipv6.h>
 #include <net/ip.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Thomas Graf <tgraf@redhat.com>");
 MODULE_DESCRIPTION("Xtables: creates audit records for dropped/accepted packets");
 MODULE_ALIAS("ipt_AUDIT");
 MODULE_ALIAS("ip6t_AUDIT");
 MODULE_ALIAS("ebt_AUDIT");
 MODULE_ALIAS("arpt_AUDIT");
 static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
 			unsigned int proto, unsigned int offset)
 {
 	switch (proto) {
 	case IPPROTO_TCP:
 	case IPPROTO_UDP:
 	case IPPROTO_UDPLITE: {
 		const __be16 *pptr;
 		__be16 _ports[2];
 		pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
 		if (pptr == NULL) {
 			audit_log_format(ab, " truncated=1");
 			return;
 		}
 		audit_log_format(ab, " sport=%hu dport=%hu",
 				 ntohs(pptr[0]), ntohs(pptr[1]));
 		}
 		break;
 	case IPPROTO_ICMP:
 	case IPPROTO_ICMPV6: {
 		const u8 *iptr;
 		u8 _ih[2];
 		iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
 		if (iptr == NULL) {
 			audit_log_format(ab, " truncated=1");
 			return;
 		}
 		audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
 				 iptr[0], iptr[1]);
 		}
 		break;
 	}
 }
 static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
 {
 	struct iphdr _iph;
 	const struct iphdr *ih;
 	ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
 	if (!ih) {
 		audit_log_format(ab, " truncated=1");
 		return;
 	}
 	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
 		&ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
 	if (ntohs(ih->frag_off) & IP_OFFSET) {
 		audit_log_format(ab, " frag=1");
 		return;
 	}
 	audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
 }
 static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
 {
 	struct ipv6hdr _ip6h;
 	const struct ipv6hdr *ih;
 	u8 nexthdr;
 	int offset;
 	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
 	if (!ih) {
 		audit_log_format(ab, " truncated=1");
 		return;
 	}
 	nexthdr = ih->nexthdr;
 	offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
 				  &nexthdr);
 	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
 			 &ih->saddr, &ih->daddr, nexthdr);
 	if (offset)
 		audit_proto(ab, skb, nexthdr, offset);
 }
 static unsigned int
 audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	const struct xt_audit_info *info = par->targinfo;
 	struct audit_buffer *ab;
 	ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
 	if (ab == NULL)
 		goto errout;
 	audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
 			 info->type, par->hooknum, skb->len,
 			 par->in ? par->in->name : "?",
 			 par->out ? par->out->name : "?");
 	if (skb->mark)
 		audit_log_format(ab, " mark=%#x", skb->mark);
 	if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
 		audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
 				 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
 				 ntohs(eth_hdr(skb)->h_proto));
 		if (par->family == NFPROTO_BRIDGE) {
 			switch (eth_hdr(skb)->h_proto) {
 			case __constant_htons(ETH_P_IP):
 				audit_ip4(ab, skb);
 				break;
 			case __constant_htons(ETH_P_IPV6):
 				audit_ip6(ab, skb);
 				break;
 			}
 		}
 	}
 	switch (par->family) {
 	case NFPROTO_IPV4:
 		audit_ip4(ab, skb);
 		break;
 	case NFPROTO_IPV6:
 		audit_ip6(ab, skb);
 		break;
 	}
+#ifdef CONFIG_NETWORK_SECMARK
+	if (skb->secmark)
+		audit_log_secctx(ab, skb->secmark);
+#endif
 	audit_log_end(ab);
 errout:
 	return XT_CONTINUE;
 }
 static unsigned int
 audit_tg_ebt(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	audit_tg(skb, par);
 	return EBT_CONTINUE;
 }
 static int audit_tg_check(const struct xt_tgchk_param *par)
 {
 	const struct xt_audit_info *info = par->targinfo;
 	if (info->type > XT_AUDIT_TYPE_MAX) {
 		pr_info("Audit type out of range (valid range: 0..%hhu)\n",
 			XT_AUDIT_TYPE_MAX);
 		return -ERANGE;
 	}
 	return 0;
 }
 static struct xt_target audit_tg_reg[] __read_mostly = {
 	{
 		.name		= "AUDIT",
 		.family		= NFPROTO_UNSPEC,
 		.target		= audit_tg,
 		.targetsize	= sizeof(struct xt_audit_info),
 		.checkentry	= audit_tg_check,
 		.me		= THIS_MODULE,
 	},
 	{
 		.name		= "AUDIT",
 		.family		= NFPROTO_BRIDGE,
 		.target		= audit_tg_ebt,
 		.targetsize	= sizeof(struct xt_audit_info),
 		.checkentry	= audit_tg_check,
 		.me		= THIS_MODULE,
 	},
 };
 static int __init audit_tg_init(void)
 {
 	return xt_register_targets(audit_tg_reg, ARRAY_SIZE(audit_tg_reg));
 }
 static void __exit audit_tg_exit(void)
 {
 	xt_unregister_targets(audit_tg_reg, ARRAY_SIZE(audit_tg_reg));
 }
 module_init(audit_tg_init);
 module_exit(audit_tg_exit);