search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
netfilter: ipset: bitmap:ip,mac type support
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / net / netfilter / ipset / ip_set_bitmap_ipmac.c
blobd826332d293708de9f8b225dffac7e1b68dbb003
1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Martin Josefsson <gandalf@wlug.westbo.se>
4 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 */
10
11 /* Kernel module implementing an IP set type: the bitmap:ip,mac type */
12
13 #include <linux/module.h>
14 #include <linux/ip.h>
15 #include <linux/etherdevice.h>
16 #include <linux/skbuff.h>
17 #include <linux/errno.h>
18 #include <linux/uaccess.h>
19 #include <linux/bitops.h>
20 #include <linux/spinlock.h>
21 #include <linux/if_ether.h>
22 #include <linux/netlink.h>
23 #include <linux/jiffies.h>
24 #include <linux/timer.h>
25 #include <net/netlink.h>
26
27 #include <linux/netfilter/ipset/pfxlen.h>
28 #include <linux/netfilter/ipset/ip_set.h>
29 #include <linux/netfilter/ipset/ip_set_timeout.h>
30 #include <linux/netfilter/ipset/ip_set_bitmap.h>
31
32 MODULE_LICENSE("GPL");
33 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
34 MODULE_DESCRIPTION("bitmap:ip,mac type of IP sets");
35 MODULE_ALIAS("ip_set_bitmap:ip,mac");
36
37 enum {
38 MAC_EMPTY, /* element is not set */
39 MAC_FILLED, /* element is set with MAC */
40 MAC_UNSET, /* element is set, without MAC */
41 };
42
43 /* Type structure */
44 struct bitmap_ipmac {
45 void *members; /* the set members */
46 u32 first_ip; /* host byte order, included in range */
47 u32 last_ip; /* host byte order, included in range */
48 u32 timeout; /* timeout value */
49 struct timer_list gc; /* garbage collector */
50 size_t dsize; /* size of element */
51 };
52
53 /* ADT structure for generic function args */
54 struct ipmac {
55 u32 id; /* id in array */
56 unsigned char *ether; /* ethernet address */
57 };
58
59 /* Member element without and with timeout */
60
61 struct ipmac_elem {
62 unsigned char ether[ETH_ALEN];
63 unsigned char match;
64 } __attribute__ ((aligned));
65
66 struct ipmac_telem {
67 unsigned char ether[ETH_ALEN];
68 unsigned char match;
69 unsigned long timeout;
70 } __attribute__ ((aligned));
71
72 static inline void *
73 bitmap_ipmac_elem(const struct bitmap_ipmac *map, u32 id)
74 {
75 return (void *)((char *)map->members + id * map->dsize);
76 }
77
78 static inline bool
79 bitmap_timeout(const struct bitmap_ipmac *map, u32 id)
80 {
81 const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id);
82
83 return ip_set_timeout_test(elem->timeout);
84 }
85
86 static inline bool
87 bitmap_expired(const struct bitmap_ipmac *map, u32 id)
88 {
89 const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id);
90
91 return ip_set_timeout_expired(elem->timeout);
92 }
93
94 static inline int
95 bitmap_ipmac_exist(const struct ipmac_telem *elem)
96 {
97 return elem->match == MAC_UNSET ||
98 (elem->match == MAC_FILLED &&
99 !ip_set_timeout_expired(elem->timeout));
100 }
101
102 /* Base variant */
103
104 static int
105 bitmap_ipmac_test(struct ip_set *set, void *value, u32 timeout)
106 {
107 const struct bitmap_ipmac *map = set->data;
108 const struct ipmac *data = value;
109 const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
110
111 switch (elem->match) {
112 case MAC_UNSET:
113 /* Trigger kernel to fill out the ethernet address */
114 return -EAGAIN;
115 case MAC_FILLED:
116 return data->ether == NULL ||
117 compare_ether_addr(data->ether, elem->ether) == 0;
118 }
119 return 0;
120 }
121
122 static int
123 bitmap_ipmac_add(struct ip_set *set, void *value, u32 timeout)
124 {
125 struct bitmap_ipmac *map = set->data;
126 const struct ipmac *data = value;
127 struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
128
129 switch (elem->match) {
130 case MAC_UNSET:
131 if (!data->ether)
132 /* Already added without ethernet address */
133 return -IPSET_ERR_EXIST;
134 /* Fill the MAC address */
135 memcpy(elem->ether, data->ether, ETH_ALEN);
136 elem->match = MAC_FILLED;
137 break;
138 case MAC_FILLED:
139 return -IPSET_ERR_EXIST;
140 case MAC_EMPTY:
141 if (data->ether) {
142 memcpy(elem->ether, data->ether, ETH_ALEN);
143 elem->match = MAC_FILLED;
144 } else
145 elem->match = MAC_UNSET;
146 }
147
148 return 0;
149 }
150
151 static int
152 bitmap_ipmac_del(struct ip_set *set, void *value, u32 timeout)
153 {
154 struct bitmap_ipmac *map = set->data;
155 const struct ipmac *data = value;
156 struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
157
158 if (elem->match == MAC_EMPTY)
159 return -IPSET_ERR_EXIST;
160
161 elem->match = MAC_EMPTY;
162
163 return 0;
164 }
165
166 static int
167 bitmap_ipmac_list(const struct ip_set *set,
168 struct sk_buff *skb, struct netlink_callback *cb)
169 {
170 const struct bitmap_ipmac *map = set->data;
171 const struct ipmac_elem *elem;
172 struct nlattr *atd, *nested;
173 u32 id, first = cb->args[2];
174 u32 last = map->last_ip - map->first_ip;
175
176 atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
177 if (!atd)
178 return -EMSGSIZE;
179 for (; cb->args[2] <= last; cb->args[2]++) {
180 id = cb->args[2];
181 elem = bitmap_ipmac_elem(map, id);
182 if (elem->match == MAC_EMPTY)
183 continue;
184 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
185 if (!nested) {
186 if (id == first) {
187 nla_nest_cancel(skb, atd);
188 return -EMSGSIZE;
189 } else
190 goto nla_put_failure;
191 }
192 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
193 htonl(map->first_ip + id));
194 if (elem->match == MAC_FILLED)
195 NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
196 elem->ether);
197 ipset_nest_end(skb, nested);
198 }
199 ipset_nest_end(skb, atd);
200 /* Set listing finished */
201 cb->args[2] = 0;
202
203 return 0;
204
205 nla_put_failure:
206 nla_nest_cancel(skb, nested);
207 ipset_nest_end(skb, atd);
208 if (unlikely(id == first)) {
209 cb->args[2] = 0;
210 return -EMSGSIZE;
211 }
212 return 0;
213 }
214
215 /* Timeout variant */
216
217 static int
218 bitmap_ipmac_ttest(struct ip_set *set, void *value, u32 timeout)
219 {
220 const struct bitmap_ipmac *map = set->data;
221 const struct ipmac *data = value;
222 const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
223
224 switch (elem->match) {
225 case MAC_UNSET:
226 /* Trigger kernel to fill out the ethernet address */
227 return -EAGAIN;
228 case MAC_FILLED:
229 return (data->ether == NULL ||
230 compare_ether_addr(data->ether, elem->ether) == 0) &&
231 !bitmap_expired(map, data->id);
232 }
233 return 0;
234 }
235
236 static int
237 bitmap_ipmac_tadd(struct ip_set *set, void *value, u32 timeout)
238 {
239 struct bitmap_ipmac *map = set->data;
240 const struct ipmac *data = value;
241 struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id);
242
243 switch (elem->match) {
244 case MAC_UNSET:
245 if (!data->ether)
246 /* Already added without ethernet address */
247 return -IPSET_ERR_EXIST;
248 /* Fill the MAC address and activate the timer */
249 memcpy(elem->ether, data->ether, ETH_ALEN);
250 elem->match = MAC_FILLED;
251 if (timeout == map->timeout)
252 /* Timeout was not specified, get stored one */
253 timeout = elem->timeout;
254 elem->timeout = ip_set_timeout_set(timeout);
255 break;
256 case MAC_FILLED:
257 if (!bitmap_expired(map, data->id))
258 return -IPSET_ERR_EXIST;
259 /* Fall through */
260 case MAC_EMPTY:
261 if (data->ether) {
262 memcpy(elem->ether, data->ether, ETH_ALEN);
263 elem->match = MAC_FILLED;
264 } else
265 elem->match = MAC_UNSET;
266 /* If MAC is unset yet, we store plain timeout value
267 * because the timer is not activated yet
268 * and we can reuse it later when MAC is filled out,
269 * possibly by the kernel */
270 elem->timeout = data->ether ? ip_set_timeout_set(timeout)
271 : timeout;
272 break;
273 }
274
275 return 0;
276 }
277
278 static int
279 bitmap_ipmac_tdel(struct ip_set *set, void *value, u32 timeout)
280 {
281 struct bitmap_ipmac *map = set->data;
282 const struct ipmac *data = value;
283 struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id);
284
285 if (elem->match == MAC_EMPTY || bitmap_expired(map, data->id))
286 return -IPSET_ERR_EXIST;
287
288 elem->match = MAC_EMPTY;
289
290 return 0;
291 }
292
293 static int
294 bitmap_ipmac_tlist(const struct ip_set *set,
295 struct sk_buff *skb, struct netlink_callback *cb)
296 {
297 const struct bitmap_ipmac *map = set->data;
298 const struct ipmac_telem *elem;
299 struct nlattr *atd, *nested;
300 u32 id, first = cb->args[2];
301 u32 timeout, last = map->last_ip - map->first_ip;
302
303 atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
304 if (!atd)
305 return -EMSGSIZE;
306 for (; cb->args[2] <= last; cb->args[2]++) {
307 id = cb->args[2];
308 elem = bitmap_ipmac_elem(map, id);
309 if (!bitmap_ipmac_exist(elem))
310 continue;
311 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
312 if (!nested) {
313 if (id == first) {
314 nla_nest_cancel(skb, atd);
315 return -EMSGSIZE;
316 } else
317 goto nla_put_failure;
318 }
319 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
320 htonl(map->first_ip + id));
321 if (elem->match == MAC_FILLED)
322 NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
323 elem->ether);
324 timeout = elem->match == MAC_UNSET ? elem->timeout
325 : ip_set_timeout_get(elem->timeout);
326 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(timeout));
327 ipset_nest_end(skb, nested);
328 }
329 ipset_nest_end(skb, atd);
330 /* Set listing finished */
331 cb->args[2] = 0;
332
333 return 0;
334
335 nla_put_failure:
336 nla_nest_cancel(skb, nested);
337 ipset_nest_end(skb, atd);
338 return -EMSGSIZE;
339 }
340
341 static int
342 bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
343 enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
344 {
345 struct bitmap_ipmac *map = set->data;
346 ipset_adtfn adtfn = set->variant->adt[adt];
347 struct ipmac data;
348
349 data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
350 if (data.id < map->first_ip || data.id > map->last_ip)
351 return -IPSET_ERR_BITMAP_RANGE;
352
353 /* Backward compatibility: we don't check the second flag */
354 if (skb_mac_header(skb) < skb->head ||
355 (skb_mac_header(skb) + ETH_HLEN) > skb->data)
356 return -EINVAL;
357
358 data.id -= map->first_ip;
359 data.ether = eth_hdr(skb)->h_source;
360
361 return adtfn(set, &data, map->timeout);
362 }
363
364 static int
365 bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
366 enum ipset_adt adt, u32 *lineno, u32 flags)
367 {
368 const struct bitmap_ipmac *map = set->data;
369 ipset_adtfn adtfn = set->variant->adt[adt];
370 struct ipmac data;
371 u32 timeout = map->timeout;
372 int ret = 0;
373
374 if (unlikely(!tb[IPSET_ATTR_IP] ||
375 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
376 return -IPSET_ERR_PROTOCOL;
377
378 if (tb[IPSET_ATTR_LINENO])
379 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
380
381 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &data.id);
382 if (ret)
383 return ret;
384
385 if (data.id < map->first_ip || data.id > map->last_ip)
386 return -IPSET_ERR_BITMAP_RANGE;
387
388 if (tb[IPSET_ATTR_ETHER])
389 data.ether = nla_data(tb[IPSET_ATTR_ETHER]);
390 else
391 data.ether = NULL;
392
393 if (tb[IPSET_ATTR_TIMEOUT]) {
394 if (!with_timeout(map->timeout))
395 return -IPSET_ERR_TIMEOUT;
396 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
397 }
398
399 data.id -= map->first_ip;
400
401 ret = adtfn(set, &data, timeout);
402
403 return ip_set_eexist(ret, flags) ? 0 : ret;
404 }
405
406 static void
407 bitmap_ipmac_destroy(struct ip_set *set)
408 {
409 struct bitmap_ipmac *map = set->data;
410
411 if (with_timeout(map->timeout))
412 del_timer_sync(&map->gc);
413
414 ip_set_free(map->members);
415 kfree(map);
416
417 set->data = NULL;
418 }
419
420 static void
421 bitmap_ipmac_flush(struct ip_set *set)
422 {
423 struct bitmap_ipmac *map = set->data;
424
425 memset(map->members, 0,
426 (map->last_ip - map->first_ip + 1) * map->dsize);
427 }
428
429 static int
430 bitmap_ipmac_head(struct ip_set *set, struct sk_buff *skb)
431 {
432 const struct bitmap_ipmac *map = set->data;
433 struct nlattr *nested;
434
435 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
436 if (!nested)
437 goto nla_put_failure;
438 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip));
439 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip));
440 NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES,
441 htonl(atomic_read(&set->ref) - 1));
442 NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
443 htonl(sizeof(*map)
444 + (map->last_ip - map->first_ip + 1) * map->dsize));
445 if (with_timeout(map->timeout))
446 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
447 ipset_nest_end(skb, nested);
448
449 return 0;
450 nla_put_failure:
451 return -EMSGSIZE;
452 }
453
454 static bool
455 bitmap_ipmac_same_set(const struct ip_set *a, const struct ip_set *b)
456 {
457 const struct bitmap_ipmac *x = a->data;
458 const struct bitmap_ipmac *y = b->data;
459
460 return x->first_ip == y->first_ip &&
461 x->last_ip == y->last_ip &&
462 x->timeout == y->timeout;
463 }
464
465 static const struct ip_set_type_variant bitmap_ipmac = {
466 .kadt = bitmap_ipmac_kadt,
467 .uadt = bitmap_ipmac_uadt,
468 .adt = {
469 [IPSET_ADD] = bitmap_ipmac_add,
470 [IPSET_DEL] = bitmap_ipmac_del,
471 [IPSET_TEST] = bitmap_ipmac_test,
472 },
473 .destroy = bitmap_ipmac_destroy,
474 .flush = bitmap_ipmac_flush,
475 .head = bitmap_ipmac_head,
476 .list = bitmap_ipmac_list,
477 .same_set = bitmap_ipmac_same_set,
478 };
479
480 static const struct ip_set_type_variant bitmap_tipmac = {
481 .kadt = bitmap_ipmac_kadt,
482 .uadt = bitmap_ipmac_uadt,
483 .adt = {
484 [IPSET_ADD] = bitmap_ipmac_tadd,
485 [IPSET_DEL] = bitmap_ipmac_tdel,
486 [IPSET_TEST] = bitmap_ipmac_ttest,
487 },
488 .destroy = bitmap_ipmac_destroy,
489 .flush = bitmap_ipmac_flush,
490 .head = bitmap_ipmac_head,
491 .list = bitmap_ipmac_tlist,
492 .same_set = bitmap_ipmac_same_set,
493 };
494
495 static void
496 bitmap_ipmac_gc(unsigned long ul_set)
497 {
498 struct ip_set *set = (struct ip_set *) ul_set;
499 struct bitmap_ipmac *map = set->data;
500 struct ipmac_telem *elem;
501 u32 id, last = map->last_ip - map->first_ip;
502
503 /* We run parallel with other readers (test element)
504 * but adding/deleting new entries is locked out */
505 read_lock_bh(&set->lock);
506 for (id = 0; id <= last; id++) {
507 elem = bitmap_ipmac_elem(map, id);
508 if (elem->match == MAC_FILLED &&
509 ip_set_timeout_expired(elem->timeout))
510 elem->match = MAC_EMPTY;
511 }
512 read_unlock_bh(&set->lock);
513
514 map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
515 add_timer(&map->gc);
516 }
517
518 static void
519 bitmap_ipmac_gc_init(struct ip_set *set)
520 {
521 struct bitmap_ipmac *map = set->data;
522
523 init_timer(&map->gc);
524 map->gc.data = (unsigned long) set;
525 map->gc.function = bitmap_ipmac_gc;
526 map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
527 add_timer(&map->gc);
528 }
529
530 /* Create bitmap:ip,mac type of sets */
531
532 static bool
533 init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
534 u32 first_ip, u32 last_ip)
535 {
536 map->members = ip_set_alloc((last_ip - first_ip + 1) * map->dsize);
537 if (!map->members)
538 return false;
539 map->first_ip = first_ip;
540 map->last_ip = last_ip;
541 map->timeout = IPSET_NO_TIMEOUT;
542
543 set->data = map;
544 set->family = AF_INET;
545
546 return true;
547 }
548
549 static int
550 bitmap_ipmac_create(struct ip_set *set, struct nlattr *tb[],
551 u32 flags)
552 {
553 u32 first_ip, last_ip, elements;
554 struct bitmap_ipmac *map;
555 int ret;
556
557 if (unlikely(!tb[IPSET_ATTR_IP] ||
558 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
559 return -IPSET_ERR_PROTOCOL;
560
561 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &first_ip);
562 if (ret)
563 return ret;
564
565 if (tb[IPSET_ATTR_IP_TO]) {
566 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &last_ip);
567 if (ret)
568 return ret;
569 if (first_ip > last_ip) {
570 u32 tmp = first_ip;
571
572 first_ip = last_ip;
573 last_ip = tmp;
574 }
575 } else if (tb[IPSET_ATTR_CIDR]) {
576 u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
577
578 if (cidr >= 32)
579 return -IPSET_ERR_INVALID_CIDR;
580 last_ip = first_ip | ~ip_set_hostmask(cidr);
581 } else
582 return -IPSET_ERR_PROTOCOL;
583
584 elements = last_ip - first_ip + 1;
585
586 if (elements > IPSET_BITMAP_MAX_RANGE + 1)
587 return -IPSET_ERR_BITMAP_RANGE_SIZE;
588
589 map = kzalloc(sizeof(*map), GFP_KERNEL);
590 if (!map)
591 return -ENOMEM;
592
593 if (tb[IPSET_ATTR_TIMEOUT]) {
594 map->dsize = sizeof(struct ipmac_telem);
595
596 if (!init_map_ipmac(set, map, first_ip, last_ip)) {
597 kfree(map);
598 return -ENOMEM;
599 }
600
601 map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
602
603 set->variant = &bitmap_tipmac;
604
605 bitmap_ipmac_gc_init(set);
606 } else {
607 map->dsize = sizeof(struct ipmac_elem);
608
609 if (!init_map_ipmac(set, map, first_ip, last_ip)) {
610 kfree(map);
611 return -ENOMEM;
612 }
613 set->variant = &bitmap_ipmac;
614
615 }
616 return 0;
617 }
618
619 static struct ip_set_type bitmap_ipmac_type = {
620 .name = "bitmap:ip,mac",
621 .protocol = IPSET_PROTOCOL,
622 .features = IPSET_TYPE_IP | IPSET_TYPE_MAC,
623 .dimension = IPSET_DIM_TWO,
624 .family = AF_INET,
625 .revision = 0,
626 .create = bitmap_ipmac_create,
627 .create_policy = {
628 [IPSET_ATTR_IP] = { .type = NLA_NESTED },
629 [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
630 [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
631 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
632 },
633 .adt_policy = {
634 [IPSET_ATTR_IP] = { .type = NLA_NESTED },
635 [IPSET_ATTR_ETHER] = { .type = NLA_BINARY, .len = ETH_ALEN },
636 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
637 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
638 },
639 .me = THIS_MODULE,
640 };
641
642 static int __init
643 bitmap_ipmac_init(void)
644 {
645 return ip_set_type_register(&bitmap_ipmac_type);
646 }
647
648 static void __exit
649 bitmap_ipmac_fini(void)
650 {
651 ip_set_type_unregister(&bitmap_ipmac_type);
652 }
653
654 module_init(bitmap_ipmac_init);
655 module_exit(bitmap_ipmac_fini);
Linux 2.6 ibm-acpi/thinkpad-acpi driver git tree