diff options
Diffstat (limited to 'kernel/include')
-rw-r--r-- | kernel/include/linux/jhash.h | 27 | ||||
-rw-r--r-- | kernel/include/linux/netfilter/ipset/ip_set.h | 24 | ||||
-rw-r--r-- | kernel/include/linux/netfilter/ipset/ip_set_compat.h.in | 187 | ||||
-rw-r--r-- | kernel/include/linux/netfilter/ipset/ip_set_compiler.h.in | 15 | ||||
-rw-r--r-- | kernel/include/uapi/linux/netfilter/ipset/ip_set.h | 15 |
5 files changed, 233 insertions, 35 deletions
diff --git a/kernel/include/linux/jhash.h b/kernel/include/linux/jhash.h index c700a77..d144e33 100644 --- a/kernel/include/linux/jhash.h +++ b/kernel/include/linux/jhash.h @@ -1,5 +1,6 @@ #ifndef _LINUX_JHASH_H #define _LINUX_JHASH_H +#include <linux/netfilter/ipset/ip_set_compiler.h> /* jhash.h: Jenkins hash support. * @@ -87,17 +88,17 @@ static inline u32 jhash(const void *key, u32 length, u32 initval) /* Last block: affect all 32 bits of (c) */ /* All the case statements fall through */ switch (length) { - case 12: c += (u32)k[11]<<24; - case 11: c += (u32)k[10]<<16; - case 10: c += (u32)k[9]<<8; - case 9: c += k[8]; - case 8: b += (u32)k[7]<<24; - case 7: b += (u32)k[6]<<16; - case 6: b += (u32)k[5]<<8; - case 5: b += k[4]; - case 4: a += (u32)k[3]<<24; - case 3: a += (u32)k[2]<<16; - case 2: a += (u32)k[1]<<8; + case 12: c += (u32)k[11]<<24; fallthrough; + case 11: c += (u32)k[10]<<16; fallthrough; + case 10: c += (u32)k[9]<<8; fallthrough; + case 9: c += k[8]; fallthrough; + case 8: b += (u32)k[7]<<24; fallthrough; + case 7: b += (u32)k[6]<<16; fallthrough; + case 6: b += (u32)k[5]<<8; fallthrough; + case 5: b += k[4]; fallthrough; + case 4: a += (u32)k[3]<<24; fallthrough; + case 3: a += (u32)k[2]<<16; fallthrough; + case 2: a += (u32)k[1]<<8; fallthrough; case 1: a += k[0]; __jhash_final(a, b, c); case 0: /* Nothing left to add */ @@ -133,8 +134,8 @@ static inline u32 jhash2(const u32 *k, u32 length, u32 initval) /* Handle the last 3 u32's: all the case statements fall through */ switch (length) { - case 3: c += k[2]; - case 2: b += k[1]; + case 3: c += k[2]; fallthrough; + case 2: b += k[1]; fallthrough; case 1: a += k[0]; __jhash_final(a, b, c); case 0: /* Nothing left to add */ diff --git a/kernel/include/linux/netfilter/ipset/ip_set.h b/kernel/include/linux/netfilter/ipset/ip_set.h index 2cc7f46..7691b7a 100644 --- a/kernel/include/linux/netfilter/ipset/ip_set.h +++ b/kernel/include/linux/netfilter/ipset/ip_set.h @@ -99,7 +99,7 @@ struct ip_set_counter { struct ip_set_comment_rcu { struct rcu_head rcu; - char str[0]; + char str[]; }; struct ip_set_comment { @@ -189,6 +189,8 @@ struct ip_set_type_variant { /* Return true if "b" set is the same as "a" * according to the create set parameters */ bool (*same_set)(const struct ip_set *a, const struct ip_set *b); + /* Cancel ongoing garbage collectors before destroying the set*/ + void (*cancel_gc)(struct ip_set *set); /* Region-locking is used */ bool region_lock; }; @@ -199,6 +201,12 @@ struct ip_set_region { u32 elements; /* Number of elements vs timeout */ }; +/* Max range where every element is added/deleted in one step */ +#define IPSET_MAX_RANGE (1<<14) + +/* The max revision number supported by any set type + 1 */ +#define IPSET_REVISION_MAX 9 + /* The core set type structure */ struct ip_set_type { struct list_head list; @@ -216,6 +224,8 @@ struct ip_set_type { u8 family; /* Type revisions */ u8 revision_min, revision_max; + /* Revision-specific supported (create) flags */ + u8 create_flags[IPSET_REVISION_MAX+1]; /* Set features to control swapping */ u16 features; @@ -237,6 +247,8 @@ extern void ip_set_type_unregister(struct ip_set_type *set_type); /* A generic IP set */ struct ip_set { + /* For call_cru in destroy */ + struct rcu_head rcu; /* The name of the set */ char name[IPSET_MAXNAMELEN]; /* Lock protecting the set data */ @@ -520,6 +532,16 @@ ip_set_init_skbinfo(struct ip_set_skbinfo *skbinfo, *skbinfo = ext->skbinfo; } +static inline void +nf_inet_addr_mask_inplace(union nf_inet_addr *a1, + const union nf_inet_addr *mask) +{ + a1->all[0] &= mask->all[0]; + a1->all[1] &= mask->all[1]; + a1->all[2] &= mask->all[2]; + a1->all[3] &= mask->all[3]; +} + #define IP_SET_INIT_KEXT(skb, opt, set) \ { .bytes = (skb)->len, .packets = 1, .target = true,\ .timeout = ip_set_adt_opt_timeout(opt, set) } diff --git a/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in b/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in index deed058..5746f39 100644 --- a/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in +++ b/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in @@ -51,11 +51,24 @@ #@HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS@ HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS #@HAVE_TYPEDEF_SCTP_SCTPHDR_T@ HAVE_TYPEDEF_SCTP_SCTPHDR_T #@HAVE_TIMER_SETUP@ HAVE_TIMER_SETUP +#@HAVE_TIMER_SHUTDOWN_SYNC@ HAVE_TIMER_SHUTDOWN_SYNC #@HAVE_STRSCPY@ HAVE_STRSCPY +#@HAVE_STRSCPY_PAD@ HAVE_STRSCPY_PAD #@HAVE_SYNCHRONIZE_RCU_BH@ HAVE_SYNCHRONIZE_RCU_BH #@HAVE_LOCKDEP_NFNL_IS_HELD@ HAVE_LOCKDEP_NFNL_IS_HELD #@HAVE_COND_RESCHED_RCU@ HAVE_COND_RESCHED_RCU #@HAVE_SKB_IIF@ HAVE_SKB_IIF +#@HAVE_LIST_FOR_EACH_ENTRY_RCU_FOUR_ARGS@ HAVE_LIST_FOR_EACH_ENTRY_RCU_FOUR_ARGS +#@HAVE_SKB_PROTOCOL@ HAVE_SKB_PROTOCOL +#@HAVE_NLA_POLICY_EXACT_LEN@ HAVE_NLA_POLICY_EXACT_LEN +#@HAVE_KVZALLOC@ HAVE_KVZALLOC +#@HAVE_GFP_KERNEL_ACCOUNT@ HAVE_GFP_KERNEL_ACCOUNT +#@HAVE_NLA_STRSCPY@ HAVE_NLA_STRSCPY +#@HAVE_NFNL_MSG_PUT@ HAVE_NFNL_MSG_PUT +#@HAVE_NFNL_INFO_IN_NFNL_CALLBACK@ HAVE_NFNL_INFO_IN_NFNL_CALLBACK +#@HAVE_NFNL_CALLBACK_TYPE@ HAVE_NFNL_CALLBACK_TYPE +#@HAVE_EAGAIN_IN_NFNETLINK_UNICAST@ HAVE_EAGAIN_IN_NFNETLINK_UNICAST +#@HAVE_NLMSG_UNICAST@ HAVE_NLMSG_UNICAST #ifdef HAVE_EXPORT_SYMBOL_GPL_IN_MODULE_H #include <linux/module.h> @@ -342,18 +355,44 @@ static inline int nla_put_in6_addr(struct sk_buff *skb, int attrtype, } #endif -#ifdef HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS -#define IPSET_CBFN(fn, net, nl, skb, nlh, cda, e) fn(net, nl, skb, nlh, cda, e) -#define IPSET_CBFN_AD(fn, net, nl, skb, ad, nlh, cda, e) fn(net, nl, skb, ad, nlh, cda, e) -#define IPSET_SOCK_NET(net, ctnl) net +#ifdef HAVE_NFNL_INFO_IN_NFNL_CALLBACK +#define IPSET_CBFN(fn, net, nl, skb, nlh, cda, e, i) fn(skb, i, cda) +#define IPSET_CBFN_AD(fn, net, nl, skb, ad, nlh, cda, e, i) fn(net, nl, skb, ad, nlh, cda, i) +#define IPSET_SOCK_NET(n, ctnl, i) (i)->net +#define INFO_NLH(i, n) (i)->nlh +#define INFO_NET(i, n) (i)->net +#define INFO_SK(i, n) (i)->sk +#define CALL_AD(net, ctnl, skb, set, tb, adt, flags, l) call_ad(net, ctnl, skb, set, tb, adt, flags, l) +#elif defined(HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS) +#define IPSET_CBFN(fn, net, nl, skb, nlh, cda, e, i) fn(net, nl, skb, nlh, cda, e) +#define IPSET_CBFN_AD(fn, net, nl, skb, ad, nlh, cda, e, i) fn(net, nl, skb, ad, nlh, cda, e) +#define IPSET_SOCK_NET(net, ctnl, i) net +#define INFO_NLH(i, n) n +#define INFO_NET(i, n) n +#define INFO_SK(i, n) n +#define CALL_AD(net, ctnl, skb, set, tb, adt, flags, l) call_ad(net, ctnl, skb, set, tb, adt, flags, l) #elif defined(HAVE_NET_IN_NFNL_CALLBACK_FN) -#define IPSET_CBFN(fn, net, nl, skb, nlh, cda, e) fn(net, nl, skb, nlh, cda) -#define IPSET_CBFN_AD(fn, net, nl, skb, ad, nlh, cda, e) fn(net, nl, skb, ad, nlh, cda) -#define IPSET_SOCK_NET(net, ctnl) net +#define IPSET_CBFN(fn, net, nl, skb, nlh, cda, e, i) fn(net, nl, skb, nlh, cda) +#define IPSET_CBFN_AD(fn, net, nl, skb, ad, nlh, cda, e, i) fn(net, nl, skb, ad, nlh, cda) +#define IPSET_SOCK_NET(net, ctnl, i) net +#define INFO_NLH(i, n) n +#define INFO_NET(i, n) n +#define INFO_SK(i, n) n +#define CALL_AD(net, ctnl, skb, set, tb, adt, flags, l) call_ad(net, ctnl, skb, set, tb, adt, flags, l) #else -#define IPSET_CBFN(fn, net, nl, skb, nlh, cda, e) fn(nl, skb, nlh, cda) -#define IPSET_CBFN_AD(fn, net, nl, skb, ad, nlh, cda, e) fn(nl, skb, ad, nlh, cda) -#define IPSET_SOCK_NET(net, ctnl) sock_net(ctnl) +#define IPSET_CBFN(fn, net, nl, skb, nlh, cda, e, i) fn(nl, skb, nlh, cda) +#define IPSET_CBFN_AD(fn, net, nl, skb, ad, nlh, cda, e, i) fn(nl, skb, ad, nlh, cda) +#define IPSET_SOCK_NET(net, ctnl, i) sock_net(ctnl) +#define INFO_NLH(i, n) n +#define INFO_NET(i, n) n +#define INFO_SK(i, n) n +#define CALL_AD(net, ctnl, skb, set, tb, adt, flags, l) call_ad(ctnl, skb, set, tb, adt, flags, l) +#endif + +#ifdef HAVE_NFNL_CALLBACK_TYPE +#define SET_NFNL_CALLBACK_TYPE(t) .type = t, +#else +#define SET_NFNL_CALLBACK_TYPE(t) #endif #ifndef HAVE_TC_SKB_PROTOCOL @@ -369,7 +408,8 @@ static inline int nla_put_in6_addr(struct sk_buff *skb, int attrtype, #define skb_vlan_tag_present vlan_tx_tag_present #endif -static inline __be16 tc_skb_protocol(const struct sk_buff *skb) +#ifndef HAVE_SKB_PROTOCOL +static inline __be16 skb_protocol(const struct sk_buff *skb, bool skip_vlan) { if (skb_vlan_tag_present(skb)) #ifdef HAVE_VLAN_PROTO_IN_SK_BUFF @@ -380,6 +420,7 @@ static inline __be16 tc_skb_protocol(const struct sk_buff *skb) return skb->protocol; } #endif +#endif #ifdef HAVE_XT_NET #define IPSET_DEV_NET(par) xt_net(par) @@ -396,6 +437,36 @@ static inline u16 nfnl_msg_type(u8 subsys, u8 msg_type) } #endif +#ifndef HAVE_NFNL_MSG_PUT +#include <linux/netfilter/nfnetlink.h> +static inline void nfnl_fill_hdr(struct nlmsghdr *nlh, u8 family, u8 version, + __be16 res_id) +{ + struct nfgenmsg *nfmsg; + + nfmsg = nlmsg_data(nlh); + nfmsg->nfgen_family = family; + nfmsg->version = version; + nfmsg->res_id = res_id; +} + +static inline struct nlmsghdr *nfnl_msg_put(struct sk_buff *skb, u32 portid, + u32 seq, int type, int flags, + u8 family, u8 version, + __be16 res_id) +{ + struct nlmsghdr *nlh; + + nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); + if (!nlh) + return NULL; + + nfnl_fill_hdr(nlh, family, version, res_id); + + return nlh; +} +#endif + #ifdef HAVE_NETLINK_EXTENDED_ACK #define NETLINK_ACK(in_skb, nlh, err, extack) netlink_ack(in_skb, nlh, err, extack) #else @@ -436,8 +507,53 @@ static inline u16 nfnl_msg_type(u8 subsys, u8 msg_type) struct type *var = set->data #endif +#ifndef HAVE_TIMER_SHUTDOWN_SYNC +#define timer_shutdown_sync(timer) del_timer_sync(timer) +#endif + #ifndef HAVE_STRSCPY -#define strscpy(dst, src, n) (strncpy(dst, src, n) == (dst)) +static inline ssize_t strscpy(char * dest, const char * src, size_t count) +{ + size_t ret = strlcpy(dest, src, count); + + return (ret >= count ? -E2BIG : ret); +} +#endif + +#ifndef HAVE_STRSCPY_PAD +static inline ssize_t strscpy_pad(char *dest, const char *src, size_t count) +{ + ssize_t written; + + written = strscpy(dest, src, count); + if (written < 0 || written == count - 1) + return written; + + memset(dest + written + 1, 0, count - written - 1); + + return written; +} +#endif + +#ifndef HAVE_NLA_STRSCPY +#define nla_strscpy nla_strlcpy +#endif + +#if !defined(HAVE_EAGAIN_IN_NFNETLINK_UNICAST) || !defined(HAVE_NLMSG_UNICAST) +#define NFNETLINK_UNICAST(cntl, skb, net, portid) ipset_nfnetlink_unicast(cntl, skb, portid) +static inline int ipset_nfnetlink_unicast(struct sock *ctnl, struct sk_buff *skb, u32 portid) +{ + int err = netlink_unicast(ctnl, skb, portid, MSG_DONTWAIT); + + if (err > 0) + err = 0; + if (err == -EAGAIN) + err = -ENOBUFS; + + return err; +} +#else +#define NFNETLINK_UNICAST(cntl, skb, net, portid) nfnetlink_unicast(skb, net, portid) #endif #ifndef smp_mb__before_atomic @@ -469,5 +585,52 @@ static inline u16 nfnl_msg_type(u8 subsys, u8 msg_type) #define dev_get_by_index_rcu __dev_get_by_index #endif +#ifdef HAVE_LIST_FOR_EACH_ENTRY_RCU_FOUR_ARGS +#define list_for_each_entry_rcu_compat(pos, head, member, cond) \ + list_for_each_entry_rcu(pos, head, member, cond) +#else +#define list_for_each_entry_rcu_compat(pos, head, member, cond) \ + list_for_each_entry_rcu(pos, head, member) +#endif + +#ifndef HAVE_NLA_POLICY_EXACT_LEN +#define NLA_POLICY_EXACT_LEN(_len) { \ + .type = NLA_UNSPEC, \ + .len = _len \ +} +#endif + +#ifndef HAVE_KVZALLOC +#include <linux/slab.h> +#include <linux/vmalloc.h> +#ifndef GFP_KERNEL_ACCOUNT +#define GFP_KERNEL_ACCOUNT GFP_KERNEL +#endif +static inline void *kvzalloc(size_t size, gfp_t flags) +{ + void *members = NULL; + + if (size < KMALLOC_MAX_SIZE) + members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN); + + if (members) { + pr_debug("%p: allocated with kmalloc\n", members); + return members; + } + + members = vzalloc(size); + if (!members) + return NULL; + pr_debug("%p: allocated with vmalloc\n", members); + + return members; +} +#endif + +#ifndef unsafe_memcpy +#define unsafe_memcpy(dst, src, bytes, justification) \ + memcpy(dst, src, bytes) +#endif + #endif /* IP_SET_COMPAT_HEADERS */ #endif /* __IP_SET_COMPAT_H */ diff --git a/kernel/include/linux/netfilter/ipset/ip_set_compiler.h.in b/kernel/include/linux/netfilter/ipset/ip_set_compiler.h.in new file mode 100644 index 0000000..1b392f8 --- /dev/null +++ b/kernel/include/linux/netfilter/ipset/ip_set_compiler.h.in @@ -0,0 +1,15 @@ +#ifndef __IP_SET_COMPILER_H +#define __IP_SET_COMPILER_H + +/* Compiler attributes */ +#ifndef __has_attribute +# define __has_attribute(x) __GCC4_has_attribute_##x +# define __GCC4_has_attribute___fallthrough__ 0 +#endif + +#if __has_attribute(__fallthrough__) +# define fallthrough __attribute__((__fallthrough__)) +#else +# define fallthrough do {} while (0) /* fallthrough */ +#endif +#endif /* __IP_SET_COMPILER_H */ diff --git a/kernel/include/uapi/linux/netfilter/ipset/ip_set.h b/kernel/include/uapi/linux/netfilter/ipset/ip_set.h index 6881329..b81f1ae 100644 --- a/kernel/include/uapi/linux/netfilter/ipset/ip_set.h +++ b/kernel/include/uapi/linux/netfilter/ipset/ip_set.h @@ -3,10 +3,6 @@ * Patrick Schaaf <bof@bof.de> * Martin Josefsson <gandalf@wlug.westbo.se> * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@netfilter.org> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. */ #ifndef _UAPI_IP_SET_H #define _UAPI_IP_SET_H @@ -89,14 +85,15 @@ enum { IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ IPSET_ATTR_MARK, /* 10 */ IPSET_ATTR_MARKMASK, /* 11 */ + IPSET_ATTR_BITMASK, /* 12 */ /* Reserve empty slots */ IPSET_ATTR_CADT_MAX = 16, /* Create-only specific attributes */ - IPSET_ATTR_GC, + IPSET_ATTR_INITVAL, /* was unused IPSET_ATTR_GC */ IPSET_ATTR_HASHSIZE, IPSET_ATTR_MAXELEM, IPSET_ATTR_NETMASK, - IPSET_ATTR_PROBES, + IPSET_ATTR_BUCKETSIZE, /* was unused IPSET_ATTR_PROBES */ IPSET_ATTR_RESIZE, IPSET_ATTR_SIZE, /* Kernel-only */ @@ -157,6 +154,7 @@ enum ipset_errno { IPSET_ERR_COMMENT, IPSET_ERR_INVALID_MARKMASK, IPSET_ERR_SKBINFO, + IPSET_ERR_BITMASK_NETMASK_EXCL, /* Type specific error codes */ IPSET_ERR_TYPE_SPECIFIC = 4352, @@ -186,9 +184,6 @@ enum ipset_cmd_flags { IPSET_FLAG_MAP_SKBPRIO = (1 << IPSET_FLAG_BIT_MAP_SKBPRIO), IPSET_FLAG_BIT_MAP_SKBQUEUE = 10, IPSET_FLAG_MAP_SKBQUEUE = (1 << IPSET_FLAG_BIT_MAP_SKBQUEUE), - IPSET_FLAG_BIT_UPDATE_COUNTERS_FIRST = 11, - IPSET_FLAG_UPDATE_COUNTERS_FIRST = - (1 << IPSET_FLAG_BIT_UPDATE_COUNTERS_FIRST), IPSET_FLAG_CMD_MAX = 15, }; @@ -217,6 +212,8 @@ enum ipset_cadt_flags { enum ipset_create_flags { IPSET_CREATE_FLAG_BIT_FORCEADD = 0, IPSET_CREATE_FLAG_FORCEADD = (1 << IPSET_CREATE_FLAG_BIT_FORCEADD), + IPSET_CREATE_FLAG_BIT_BUCKETSIZE = 1, + IPSET_CREATE_FLAG_BUCKETSIZE = (1 << IPSET_CREATE_FLAG_BIT_BUCKETSIZE), IPSET_CREATE_FLAG_BIT_MAX = 7, }; |