diff options
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | Makefile | 4 | ||||
| -rw-r--r-- | ipset.8 | 99 | ||||
| -rw-r--r-- | ipset.c | 17 | ||||
| -rw-r--r-- | ipset.h | 4 | ||||
| -rw-r--r-- | ipset_iphash.c | 2 | ||||
| -rw-r--r-- | ipset_ipmap.c | 2 | ||||
| -rw-r--r-- | ipset_ipporthash.c | 374 | ||||
| -rw-r--r-- | ipset_iptree.c | 2 | ||||
| -rw-r--r-- | ipset_macipmap.c | 2 | ||||
| -rw-r--r-- | ipset_nethash.c | 2 | ||||
| -rw-r--r-- | ipset_portmap.c | 7 |
12 files changed, 488 insertions, 32 deletions
@@ -1,3 +1,8 @@ +2.2.5 + - garbage collector of iptree type of sets is fixed: flushing + sets/removing kernel module could corrupt the timer + - new ipporthash type added + - manpage fixes and corrections 2.2.4 - half-fixed memory allocation bug in iphash and nethash finally completely fixed (bug reported by Nikolai Malykh) @@ -8,7 +8,7 @@ ifndef KERNEL_DIR KERNEL_DIR=/usr/src/linux endif -IPSET_VERSION:=2.2.4 +IPSET_VERSION:=2.2.5 PREFIX:=/usr/local LIBDIR:=$(PREFIX)/lib @@ -23,7 +23,7 @@ RELEASE_DIR:=/tmp COPT_FLAGS:=-O2 CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -I. # -g -DIPSET_DEBUG #-pg # -DIPTC_DEBUG SH_CFLAGS:=$(CFLAGS) -fPIC -SETTYPES:=ipmap portmap macipmap iphash nethash iptree +SETTYPES:=ipmap portmap macipmap iphash nethash iptree ipporthash PROGRAMS=ipset SHARED_LIBS=$(foreach T, $(SETTYPES),libipset_$(T).so) @@ -41,15 +41,15 @@ port numbers or additional informations besides IP addresses: the word IP means a general term here. See the set type definitions below. .P Any entry in a set can be bound to another set, which forms a relationship -between a set element and the set it is bound to. The sets may have a -default binding, which is valid for every set element for which there is -no binding defined at all. There is no need for the entry to be -added to the set for a binding to be defined for it. +between a set element and the set it is bound to. In order to define a +binding it is not required that the entry be already added to the set. +The sets may have a default binding, which is valid for every set element +for which there is no binding defined at all. .P IP set bindings pointing to sets and iptables matches and targets referring to sets creates references, which protects the given sets in -the kernel. A set cannot be removed (destroyed) while there is a reference -pointing to it. +the kernel. A set cannot be removed (destroyed) while there is a single +reference pointing to it. .SH OPTIONS The options that are recognized by .B ipset @@ -62,7 +62,7 @@ need to use only enough letters to ensure that .B ipset can differentiate it from all other options. .TP -.BI "-N, --create " "\fIsetname\fP type type-options" +.BI "-N, --create " "\fIsetname\fP type type-specific-options" Create a set identified with setname and specified type. Type-specific options must be supplied. .TP @@ -93,8 +93,8 @@ iptables rules or .B ipset -bindings pointing to from-setname will point to to-setname -and vice versa. Both sets must exist. +bindings pointing to the content of from-setname will point to +the content of to-setname and vice versa. Both sets must exist. .TP .BI "-L, --list " "[\fIsetname\fP]" List the entries and bindings for the specified set, or for @@ -107,7 +107,7 @@ option can be used to suppress name lookups and generate numeric output. When the .B "-s, --sorted" option is given, the entries are listed sorted (if the given set -supports it). +type supports the operation). .TP .BI "-S, --save " "[\fIsetname\fP]" Save the given set, or all sets if none or the keyword @@ -122,7 +122,8 @@ can be fed from stdin. When generating a session file please note that the supported commands (create set, add element, bind) must appear in a strict order: first create the set, then add all elements. Then create the next set, add all its elements -and so on. Finally you can append all binding commands. +and so on. Finally you can list all binding commands. Also, it is a restore +operation, so the sets being restored must not exist. .TP .BI "-A, --add " "\fIsetname\fP \fIIP\fP" Add an IP to a set. @@ -275,9 +276,9 @@ Options to use when creating an portmap set: Create a portmap set from the specified range. .SS iphash The iphash set type uses a hash to store IP addresses. -In order to avoid clashes in the hash, double-hashing and, as a last +In order to avoid clashes in the hash double-hashing, and as a last resort, dynamic growing of the hash performed. The iphash set type is -fast and great for use to store random addresses. By supplyig the +great to store random addresses. By supplyig the .B "--netmask" option with a CIDR netmask value between 0-32 at creating the set, you will be able to store and match network addresses instead: i.e @@ -306,17 +307,27 @@ When the optional parameter specified, network addresses will be stored in the set instead of IP addresses. .P +Sets created by zero valued resize parameter won't be resized at all. +The lookup time in an iphash type of set approximately linearly grows with +the value of the +.B +probes +parameter. At the same time higher +.B +probes +values result a better utilized hash while smaller values +produce a larger, sparse hash. .SS nethash The nethash set type uses a hash to store different size of network addresses. The .I IP -"address" used in the ipset command must be in the form +"address" used in the ipset commands must be in the form .I IP-address/cidr-size where the CIDR block size must be in the inclusive range of 1-31. -In order to avoid clashes in the hash, -double-hashing and, as a last resort, dynamic growing of the hash performed. +In order to avoid clashes in the hash +double-hashing, and as a last resort, dynamic growing of the hash performed. .P Options to use when creating an nethash set: .TP @@ -332,14 +343,66 @@ Increase the hash size by this many percent (default 50) when adding an IP to the hash could not be performed after .P An IP address will be in a nethash type of set if it is in any of the -netblocks added to the set, where the matching start from the smallest -size of netblock to the biggest ones. When adding/deleting IP addresses +netblocks added to the set and the matching always start from the smallest +size of netblock (most specific netmask) to the biggest ones (least +specific netmasks). When adding/deleting IP addresses to a nethash set by the .I SET netfilter kernel module, it will be added/deleted by the smallest netblock size which can be found in the set. .P +The lookup time in a nethash type of set is approximately linearly +grows with the times of the +.B +probes +parameter and the number of different mask parameters in the hash. +Otherwise the same speed and memory efficiency comments applies here +as at the iphash type. +.SS ipporthash +The ipporthash set type uses a hash to store IP address and port pairs. +In order to avoid clashes in the hash double-hashing, and as a last +resort, dynamic growing of the hash performed. An ipporthash set can +store up to 65536 (B-class network) IP addresses with all possible port +values. When adding, deleting and testing values in an ipporthash type of +set, the entries must be specified as +.B +"IP%port". +.P +The ipporthash types of sets evaluates two src/dst parameters of the +.I +set +match and +.I +SET +target. +.P +Options to use when creating an ipporthash set: +.TP +.BR "--from " from-IP +.TP +.BR "--to " to-IP +Create an ipporthash set from the specified range. +.TP +.BR "--network " IP/mask +Create an ipporthash set from the specified network. +.TP +.BR "--hashsize " hashsize +The initial hash size (default 1024) +.TP +.BR "--probes " probes +How many times try to resolve clashing at adding an IP to the hash +by double-hashing (default 8). +.TP +.BR "--resize " percent +Increase the hash size by this many percent (default 50) when adding +an IP to the hash could not be performed after +.B +probes +number of double-hashing. +.P +The same resizing, speed and memory efficiency comments applies here +as at the iphash type. .SS iptree The iptree set type uses a tree to store IP addresses, optionally with timeout values. @@ -495,6 +495,10 @@ char *ip_tostring(ip_set_ip_t ip, unsigned options) return inet_ntoa(addr); } +char *binding_ip_tostring(struct set *set, ip_set_ip_t ip, unsigned options) +{ + return ip_tostring(ip, options); +} char *ip_tostring_numeric(ip_set_ip_t ip) { return ip_tostring(ip, OPT_NUMERIC); @@ -1039,7 +1043,7 @@ static size_t save_bindings(void *data, size_t offset, size_t len) "Save binding failed, try again later."); printf("-B %s %s -b %s\n", set->name, - set->settype->bindip_tostring(hash->ip, OPT_NUMERIC), + set->settype->bindip_tostring(set, hash->ip, OPT_NUMERIC), set_list[hash->binding]->name); return sizeof(struct ip_set_hash_save); @@ -1624,8 +1628,10 @@ static void set_restore_bind(struct set *set, * Print operation */ -static void print_bindings(void *data, size_t size, unsigned options, - char * (*printip)(ip_set_ip_t ip, unsigned options)) +static void print_bindings(struct set *set, + void *data, size_t size, unsigned options, + char * (*printip)(struct set *set, + ip_set_ip_t ip, unsigned options)) { size_t offset = 0; struct ip_set_hash_list *hash; @@ -1633,7 +1639,7 @@ static void print_bindings(void *data, size_t size, unsigned options, while (offset < size) { hash = (struct ip_set_hash_list *) (data + offset); printf("%s -> %s\n", - printip(hash->ip, options), + printip(set, hash->ip, options), set_list[hash->binding]->name); offset += sizeof(struct ip_set_hash_list); } @@ -1676,7 +1682,8 @@ static size_t print_set(void *data, unsigned options) /* Print bindings */ printf("Bindings:\n"); offset += setlist->members_size; - print_bindings(data + offset, setlist->bindings_size, options, + print_bindings(set, + data + offset, setlist->bindings_size, options, settype->bindip_tostring); printf("\n"); /* One newline between sets */ @@ -146,7 +146,7 @@ struct settype { void (*saveips) (struct set *set, void *data, size_t len, unsigned options); /* Conver a single IP (binding) to string */ - char * (*bindip_tostring)(ip_set_ip_t ip, unsigned options); + char * (*bindip_tostring)(struct set *set, ip_set_ip_t ip, unsigned options); /* Parse an IP at restoring bindings. FIXME */ void (*bindip_parse) (const char *str, ip_set_ip_t * ip); @@ -167,6 +167,8 @@ extern void settype_register(struct settype *settype); extern void exit_error(enum exittype status, char *msg, ...); +extern char *binding_ip_tostring(struct set *set, + ip_set_ip_t ip, unsigned options); extern char *ip_tostring(ip_set_ip_t ip, unsigned options); extern char *ip_tostring_numeric(ip_set_ip_t ip); extern void parse_ip(const char *str, ip_set_ip_t * ip); diff --git a/ipset_iphash.c b/ipset_iphash.c index ac0340e..3272e6e 100644 --- a/ipset_iphash.c +++ b/ipset_iphash.c @@ -284,7 +284,7 @@ static struct settype settype_iphash = { .saveips = &saveips, /* Bindings */ - .bindip_tostring = &ip_tostring, + .bindip_tostring = &binding_ip_tostring, .bindip_parse = &parse_ip, .usage = &usage, diff --git a/ipset_ipmap.c b/ipset_ipmap.c index 50a76c3..2d1c81c 100644 --- a/ipset_ipmap.c +++ b/ipset_ipmap.c @@ -347,7 +347,7 @@ static struct settype settype_ipmap = { .saveips = &saveips, /* Bindings */ - .bindip_tostring = &ip_tostring, + .bindip_tostring = &binding_ip_tostring, .bindip_parse = &parse_ip, .usage = &usage, diff --git a/ipset_ipporthash.c b/ipset_ipporthash.c new file mode 100644 index 0000000..e615cea --- /dev/null +++ b/ipset_ipporthash.c @@ -0,0 +1,374 @@ +/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu) + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <time.h> +#include <sys/socket.h> +#include <sys/types.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#include <asm/bitops.h> +#include <asm/types.h> + +#include <linux/netfilter_ipv4/ip_set_ipporthash.h> +#include <linux/netfilter_ipv4/ip_set_jhash.h> + +#include "ipset.h" + +#define OPT_CREATE_HASHSIZE 0x01U +#define OPT_CREATE_PROBES 0x02U +#define OPT_CREATE_RESIZE 0x04U +#define OPT_CREATE_NETWORK 0x08U +#define OPT_CREATE_FROM 0x10U +#define OPT_CREATE_TO 0x10U + +/* Initialize the create. */ +void create_init(void *data) +{ + struct ip_set_req_ipporthash_create *mydata = + (struct ip_set_req_ipporthash_create *) data; + + DP("create INIT"); + + /* Default create parameters */ + mydata->hashsize = 1024; + mydata->probes = 8; + mydata->resize = 50; +} + +/* Function which parses command options; returns true if it ate an option */ +int create_parse(int c, char *argv[], void *data, unsigned *flags) +{ + struct ip_set_req_ipporthash_create *mydata = + (struct ip_set_req_ipporthash_create *) data; + ip_set_ip_t value; + + DP("create_parse"); + + switch (c) { + case '1': + + if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize)) + exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg); + + *flags |= OPT_CREATE_HASHSIZE; + + DP("--hashsize %u", mydata->hashsize); + + break; + + case '2': + + if (string_to_number(optarg, 1, 65535, &value)) + exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg); + + mydata->probes = value; + *flags |= OPT_CREATE_PROBES; + + DP("--probes %u", mydata->probes); + + break; + + case '3': + + if (string_to_number(optarg, 0, 65535, &value)) + exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg); + + mydata->resize = value; + *flags |= OPT_CREATE_RESIZE; + + DP("--resize %u", mydata->resize); + + break; + + case '4': + parse_ip(optarg, &mydata->from); + + *flags |= OPT_CREATE_FROM; + + DP("--from %x (%s)", mydata->from, + ip_tostring_numeric(mydata->from)); + + break; + + case '5': + parse_ip(optarg, &mydata->to); + + *flags |= OPT_CREATE_TO; + + DP("--to %x (%s)", mydata->to, + ip_tostring_numeric(mydata->to)); + + break; + + case '6': + parse_ipandmask(optarg, &mydata->from, &mydata->to); + + /* Make to the last of from + mask */ + if (mydata->to) + mydata->to = mydata->from | ~(mydata->to); + else { + mydata->from = 0x00000000; + mydata->to = 0xFFFFFFFF; + } + *flags |= OPT_CREATE_NETWORK; + + DP("--network from %x (%s)", + mydata->from, ip_tostring_numeric(mydata->from)); + DP("--network to %x (%s)", + mydata->to, ip_tostring_numeric(mydata->to)); + + break; + + default: + return 0; + } + + return 1; +} + +/* Final check; exit if not ok. */ +void create_final(void *data, unsigned int flags) +{ + struct ip_set_req_ipporthash_create *mydata = + (struct ip_set_req_ipporthash_create *) data; + +#ifdef IPSET_DEBUG + DP("hashsize %u probes %u resize %u", + mydata->hashsize, mydata->probes, mydata->resize); +#endif + + if (flags == 0) + exit_error(PARAMETER_PROBLEM, + "Need to specify --from and --to, or --network\n"); + + if (flags & OPT_CREATE_NETWORK) { + /* --network */ + if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO)) + exit_error(PARAMETER_PROBLEM, + "Can't specify --from or --to with --network\n"); + } else { + /* --from --to */ + if ((flags & OPT_CREATE_FROM) == 0 + || (flags & OPT_CREATE_TO) == 0) + exit_error(PARAMETER_PROBLEM, + "Need to specify both --from and --to\n"); + } + + DP("from : %x to: %x diff: %x", + mydata->from, mydata->to, + mydata->to - mydata->from); + + if (mydata->from > mydata->to) + exit_error(PARAMETER_PROBLEM, + "From can't be lower than to.\n"); + + if (mydata->to - mydata->from > MAX_RANGE) + exit_error(PARAMETER_PROBLEM, + "Range to large. Max is %d IPs in range\n", + MAX_RANGE+1); +} + +/* Create commandline options */ +static struct option create_opts[] = { + {"hashsize", 1, 0, '1'}, + {"probes", 1, 0, '2'}, + {"resize", 1, 0, '3'}, + {"from", 1, 0, '4'}, + {"to", 1, 0, '5'}, + {"network", 1, 0, '6'}, + {0} +}; + +/* Add, del, test parser */ +ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data) +{ + struct ip_set_req_ipporthash *mydata = + (struct ip_set_req_ipporthash *) data; + char *saved = strdup(optarg); + char *ptr, *tmp = saved; + + DP("ipporthash: %p %p", optarg, data); + + ptr = strsep(&tmp, "%"); + parse_ip(ptr, &mydata->ip); + + if (tmp) + parse_port(tmp, &mydata->port); + else + exit_error(PARAMETER_PROBLEM, + "IP address and port must be specified: ip%%port"); + free(saved); + return 1; +}; + +/* + * Print and save + */ + +void initheader(struct set *set, const void *data) +{ + struct ip_set_req_ipporthash_create *header = + (struct ip_set_req_ipporthash_create *) data; + struct ip_set_ipporthash *map = + (struct ip_set_ipporthash *) set->settype->header; + + memset(map, 0, sizeof(struct ip_set_ipporthash)); + map->hashsize = header->hashsize; + map->probes = header->probes; + map->resize = header->resize; + map->first_ip = header->from; + map->last_ip = header->to; +} + +void printheader(struct set *set, unsigned options) +{ + struct ip_set_ipporthash *mysetdata = + (struct ip_set_ipporthash *) set->settype->header; + + printf(" from: %s", ip_tostring(mysetdata->first_ip, options)); + printf(" to: %s", ip_tostring(mysetdata->last_ip, options)); + printf(" hashsize: %u", mysetdata->hashsize); + printf(" probes: %u", mysetdata->probes); + printf(" resize: %u\n", mysetdata->resize); +} + +void printips(struct set *set, void *data, size_t len, unsigned options) +{ + struct ip_set_ipporthash *mysetdata = + (struct ip_set_ipporthash *) set->settype->header; + size_t offset = 0; + ip_set_ip_t *ipptr, ip; + uint16_t port; + + while (offset < len) { + ipptr = data + offset; + if (*ipptr) { + ip = (*ipptr>>16) + mysetdata->first_ip; + port = (uint16_t) *ipptr; + printf("%s%%%s\n", + ip_tostring(ip, options), + port_tostring(port, options)); + } + offset += sizeof(ip_set_ip_t); + } +} + +void saveheader(struct set *set, unsigned options) +{ + struct ip_set_ipporthash *mysetdata = + (struct ip_set_ipporthash *) set->settype->header; + + printf("-N %s %s --from %s", + set->name, set->settype->typename, + ip_tostring(mysetdata->first_ip, options)); + printf(" --to %s", + ip_tostring(mysetdata->last_ip, options)); + printf(" --hashsize %u --probes %u --resize %u\n", + mysetdata->hashsize, mysetdata->probes, mysetdata->resize); +} + +/* Print save for an IP */ +void saveips(struct set *set, void *data, size_t len, unsigned options) +{ + struct ip_set_ipporthash *mysetdata = + (struct ip_set_ipporthash *) set->settype->header; + size_t offset = 0; + ip_set_ip_t *ipptr, ip; + uint16_t port; + + while (offset < len) { + ipptr = data + offset; + if (*ipptr) { + ip = (*ipptr>>16) + mysetdata->first_ip; + port = (uint16_t) *ipptr; + printf("-A %s %s%%%s\n", set->name, + ip_tostring(ip, options), + port_tostring(port, options)); + } + offset += sizeof(ip_set_ip_t); + } +} + +static char buffer[22]; + +static char * unpack_ipport_tostring(struct set *set, ip_set_ip_t bip, unsigned options) +{ + struct ip_set_ipporthash *mysetdata = + (struct ip_set_ipporthash *) set->settype->header; + ip_set_ip_t ip, port; + + ip = (bip>>16) + mysetdata->first_ip; + port = (uint16_t) bip; + sprintf(buffer, "%s%%%s", + ip_tostring(ip, options), port_tostring(port, options)); + + return buffer; +} + +void usage(void) +{ + printf + ("-N set ipporthash --from IP --to IP\n" + " [--hashsize hashsize] [--probes probes ] [--resize resize]\n" + "-N set ipporthash --network IP/mask\n" + " [--hashsize hashsize] [--probes probes ] [--resize resize]\n" + "-A set IP\n" + "-D set IP\n" + "-T set IP\n"); +} + +static struct settype settype_ipporthash = { + .typename = SETTYPE_NAME, + .protocol_version = IP_SET_PROTOCOL_VERSION, + + /* Create */ + .create_size = sizeof(struct ip_set_req_ipporthash_create), + .create_init = &create_init, + .create_parse = &create_parse, + .create_final = &create_final, + .create_opts = create_opts, + + /* Add/del/test */ + .adt_size = sizeof(struct ip_set_req_ipporthash), + .adt_parser = &adt_parser, + + /* Printing */ + .header_size = sizeof(struct ip_set_ipporthash), + .initheader = &initheader, + .printheader = &printheader, + .printips = &printips, /* We only have the unsorted version */ + .printips_sorted = &printips, + .saveheader = &saveheader, + .saveips = &saveips, + + /* Bindings */ + .bindip_tostring = &unpack_ipport_tostring, + .bindip_parse = &parse_ip, + + .usage = &usage, +}; + +void _init(void) +{ + settype_register(&settype_ipporthash); + +} diff --git a/ipset_iptree.c b/ipset_iptree.c index dcdc7e3..ef85dc5 100644 --- a/ipset_iptree.c +++ b/ipset_iptree.c @@ -210,7 +210,7 @@ static struct settype settype_iptree = { .saveips = &saveips, /* Bindings */ - .bindip_tostring = &ip_tostring, + .bindip_tostring = &binding_ip_tostring, .bindip_parse = &parse_ip, .usage = &usage, diff --git a/ipset_macipmap.c b/ipset_macipmap.c index 12dbcb9..a0b609d 100644 --- a/ipset_macipmap.c +++ b/ipset_macipmap.c @@ -327,7 +327,7 @@ static struct settype settype_macipmap = { .saveips = &saveips, /* Bindings */ - .bindip_tostring = &ip_tostring, + .bindip_tostring = &binding_ip_tostring, .bindip_parse = &parse_ip, .usage = &usage, diff --git a/ipset_nethash.c b/ipset_nethash.c index 3c6bc9f..6be0dce 100644 --- a/ipset_nethash.c +++ b/ipset_nethash.c @@ -291,7 +291,7 @@ void saveips(struct set *set, void *data, size_t len, unsigned options) } } -static char * net_tostring(ip_set_ip_t ip, unsigned options) +static char * net_tostring(struct set *set, ip_set_ip_t ip, unsigned options) { return unpack_ip_tostring(ip, options); } diff --git a/ipset_portmap.c b/ipset_portmap.c index 631e29e..1c3965b 100644 --- a/ipset_portmap.c +++ b/ipset_portmap.c @@ -165,6 +165,11 @@ void printports_sorted(struct set *set, void *data, size_t len, unsigned options } } +char * binding_port_tostring(struct set *set, ip_set_ip_t ip, unsigned options) +{ + return port_tostring(ip, options); +} + void saveheader(struct set *set, unsigned options) { struct ip_set_portmap *mysetdata = @@ -227,7 +232,7 @@ static struct settype settype_portmap = { .saveips = &saveports, /* Bindings */ - .bindip_tostring = &port_tostring, + .bindip_tostring = &binding_port_tostring, .bindip_parse = &parse_port, .usage = &usage, |