From 5b20d409ef3062b24bbe7667f0daec34523446a6 Mon Sep 17 00:00:00 2001 
From: Jozsef Kadlecsik Date: Thu, 22 Apr 2010 17:00:42 +0200 Subject: Fifth stage to ipset-5 Rename files in kernel/ and get rid of old ones (2.4.x kernel tree support). --- kernel/include/linux/netfilter/ip_set.h | 561 +++++++++++++++++++++ kernel/include/linux/netfilter/ip_set_bitmaps.h | 120 +++++ kernel/include/linux/netfilter/ip_set_compat.h | 92 ++++ kernel/include/linux/netfilter/ip_set_getport.h | 48 ++ kernel/include/linux/netfilter/ip_set_hashes.h | 314 ++++++++++++ kernel/include/linux/netfilter/ip_set_iphash.h | 30 ++ kernel/include/linux/netfilter/ip_set_ipmap.h | 57 +++ kernel/include/linux/netfilter/ip_set_ipporthash.h | 33 ++ .../include/linux/netfilter/ip_set_ipportiphash.h | 39 ++ .../include/linux/netfilter/ip_set_ipportnethash.h | 42 ++ kernel/include/linux/netfilter/ip_set_iptree.h | 39 ++ kernel/include/linux/netfilter/ip_set_iptreemap.h | 40 ++ kernel/include/linux/netfilter/ip_set_jhash.h | 157 ++++++ kernel/include/linux/netfilter/ip_set_macipmap.h | 39 ++ kernel/include/linux/netfilter/ip_set_malloc.h | 153 ++++++ kernel/include/linux/netfilter/ip_set_nethash.h | 31 ++ kernel/include/linux/netfilter/ip_set_portmap.h | 25 + kernel/include/linux/netfilter/ip_set_setlist.h | 26 + kernel/include/linux/netfilter/ipt_set.h | 21 + 19 files changed, 1867 insertions(+) create mode 100644 kernel/include/linux/netfilter/ip_set.h create mode 100644 kernel/include/linux/netfilter/ip_set_bitmaps.h create mode 100644 kernel/include/linux/netfilter/ip_set_compat.h create mode 100644 kernel/include/linux/netfilter/ip_set_getport.h create mode 100644 kernel/include/linux/netfilter/ip_set_hashes.h create mode 100644 kernel/include/linux/netfilter/ip_set_iphash.h create mode 100644 kernel/include/linux/netfilter/ip_set_ipmap.h create mode 100644 kernel/include/linux/netfilter/ip_set_ipporthash.h create mode 100644 kernel/include/linux/netfilter/ip_set_ipportiphash.h create mode 100644 kernel/include/linux/netfilter/ip_set_ipportnethash.h create mode 100644 
kernel/include/linux/netfilter/ip_set_iptree.h create mode 100644 kernel/include/linux/netfilter/ip_set_iptreemap.h create mode 100644 kernel/include/linux/netfilter/ip_set_jhash.h create mode 100644 kernel/include/linux/netfilter/ip_set_macipmap.h create mode 100644 kernel/include/linux/netfilter/ip_set_malloc.h create mode 100644 kernel/include/linux/netfilter/ip_set_nethash.h create mode 100644 kernel/include/linux/netfilter/ip_set_portmap.h create mode 100644 kernel/include/linux/netfilter/ip_set_setlist.h create mode 100644 kernel/include/linux/netfilter/ipt_set.h (limited to 'kernel/include/linux/netfilter') diff --git a/kernel/include/linux/netfilter/ip_set.h b/kernel/include/linux/netfilter/ip_set.h new file mode 100644 index 0000000..da17319 --- /dev/null +++ b/kernel/include/linux/netfilter/ip_set.h 
@@ -0,0 +1,561 @@ +#ifndef _IP_SET_H +#define _IP_SET_H + +/* Copyright (C) 2000-2002 Joakim Axelsson + * Patrick Schaaf + * Martin Josefsson + * Copyright (C) 2003-2004 Jozsef Kadlecsik + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#if 0 +#define IP_SET_DEBUG +#endif + +/* + * A sockopt of such quality has hardly ever been seen before on the open + * market! This little beauty, hardly ever used: above 64, so it's + * traditionally used for firewalling, not touched (even once!) by the + * 2.0, 2.2 and 2.4 kernels! + * + * Comes with its own certificate of authenticity, valid anywhere in the + * Free world! + * + * Rusty, 19.4.2000 + */ +#define SO_IP_SET 83 + +/* + * Heavily modify by Joakim Axelsson 08.03.2002 + * - Made it more modulebased + * + * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004 + * - bindings added + * - in order to "deal with" backward compatibility, renamed to ipset + */ + +/* + * Used so that the kernel module and ipset-binary can match their versions + */ +#define IP_SET_PROTOCOL_UNALIGNED 3 +#define IP_SET_PROTOCOL_VERSION 4 + +#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */ + +/* Lets work with our own typedef for representing an IP address. + * We hope to make the code more portable, possibly to IPv6... + * + * The representation works in HOST byte order, because most set types + * will perform arithmetic operations and compare operations. + * + * For now the type is an uint32_t. + * + * Make sure to ONLY use the functions when translating and parsing + * in order to keep the host byte order and make it more portable: + * parse_ip() + * parse_mask() + * parse_ipandmask() + * ip_tostring() + * (Joakim: where are they???) + */ + +typedef uint32_t ip_set_ip_t; + +/* Sets are identified by an id in kernel space. 
Tweak with ip_set_id_t + * and IP_SET_INVALID_ID if you want to increase the max number of sets. + */ +typedef uint16_t ip_set_id_t; + +#define IP_SET_INVALID_ID 65535 + +/* How deep we follow bindings */ +#define IP_SET_MAX_BINDINGS 6 + +/* + * Option flags for kernel operations (ipt_set_info) + */ +#define IPSET_SRC 0x01 /* Source match/add */ +#define IPSET_DST 0x02 /* Destination match/add */ +#define IPSET_MATCH_INV 0x04 /* Inverse matching */ + +/* + * Set features + */ +#define IPSET_TYPE_IP 0x01 /* IP address type of set */ +#define IPSET_TYPE_PORT 0x02 /* Port type of set */ +#define IPSET_DATA_SINGLE 0x04 /* Single data storage */ +#define IPSET_DATA_DOUBLE 0x08 /* Double data storage */ +#define IPSET_DATA_TRIPLE 0x10 /* Triple data storage */ +#define IPSET_TYPE_IP1 0x20 /* IP address type of set */ +#define IPSET_TYPE_SETNAME 0x40 /* setname type of set */ + +/* Reserved keywords */ +#define IPSET_TOKEN_DEFAULT ":default:" +#define IPSET_TOKEN_ALL ":all:" + +/* SO_IP_SET operation constants, and their request struct types. + * + * Operation ids: + * 0-99: commands with version checking + * 100-199: add/del/test/bind/unbind + * 200-299: list, save, restore + */ + +/* Single shot operations: + * version, create, destroy, flush, rename and swap + * + * Sets are identified by name. 
+ */ + +#define IP_SET_REQ_STD \ + unsigned op; \ + unsigned version; \ + char name[IP_SET_MAXNAMELEN] + +#define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */ +struct ip_set_req_create { + IP_SET_REQ_STD; + char typename[IP_SET_MAXNAMELEN]; +}; + +#define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */ +struct ip_set_req_std { + IP_SET_REQ_STD; +}; + +#define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */ +/* Uses ip_set_req_std */ + +#define IP_SET_OP_RENAME 0x00000004 /* Rename a set */ +/* Uses ip_set_req_create */ + +#define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */ +/* Uses ip_set_req_create */ + +union ip_set_name_index { + char name[IP_SET_MAXNAMELEN]; + ip_set_id_t index; +}; + +#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ +struct ip_set_req_get_set { + unsigned op; + unsigned version; + union ip_set_name_index set; +}; + +#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ +/* Uses ip_set_req_get_set */ + +#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ +struct ip_set_req_version { + unsigned op; + unsigned version; +}; + +/* Double shots operations: + * add, del, test, bind and unbind. + * + * First we query the kernel to get the index and type of the target set, + * then issue the command. Validity of IP is checked in kernel in order + * to minimalize sockopt operations. 
+ */ + +/* Get minimal set data for add/del/test/bind/unbind IP */ +#define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */ +struct ip_set_req_adt_get { + unsigned op; + unsigned version; + union ip_set_name_index set; + char typename[IP_SET_MAXNAMELEN]; +}; + +#define IP_SET_REQ_BYINDEX \ + unsigned op; \ + ip_set_id_t index; + +struct ip_set_req_adt { + IP_SET_REQ_BYINDEX; +}; + +#define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */ +/* Uses ip_set_req_adt, with type specific addage */ + +#define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */ +/* Uses ip_set_req_adt, with type specific addage */ + +#define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */ +/* Uses ip_set_req_adt, with type specific addage */ + +#define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */ +/* Uses ip_set_req_bind, with type specific addage */ +struct ip_set_req_bind { + IP_SET_REQ_BYINDEX; + char binding[IP_SET_MAXNAMELEN]; +}; + +#define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */ +/* Uses ip_set_req_bind, with type speficic addage + * index = 0 means unbinding for all sets */ + +#define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */ +/* Uses ip_set_req_bind, with type specific addage */ + +/* Multiple shots operations: list, save, restore. 
+ * + * - check kernel version and query the max number of sets + * - get the basic information on all sets + * and size required for the next step + * - get actual set data: header, data, bindings + */ + +/* Get max_sets and the index of a queried set + */ +#define IP_SET_OP_MAX_SETS 0x00000020 +struct ip_set_req_max_sets { + unsigned op; + unsigned version; + ip_set_id_t max_sets; /* max_sets */ + ip_set_id_t sets; /* real number of sets */ + union ip_set_name_index set; /* index of set if name used */ +}; + +/* Get the id and name of the sets plus size for next step */ +#define IP_SET_OP_LIST_SIZE 0x00000201 +#define IP_SET_OP_SAVE_SIZE 0x00000202 +struct ip_set_req_setnames { + unsigned op; + ip_set_id_t index; /* set to list/save */ + u_int32_t size; /* size to get setdata */ + /* followed by sets number of struct ip_set_name_list */ +}; + +struct ip_set_name_list { + char name[IP_SET_MAXNAMELEN]; + char typename[IP_SET_MAXNAMELEN]; + ip_set_id_t index; + ip_set_id_t id; +}; + +/* The actual list operation */ +#define IP_SET_OP_LIST 0x00000203 +struct ip_set_req_list { + IP_SET_REQ_BYINDEX; + /* sets number of struct ip_set_list in reply */ +}; + +struct ip_set_list { + ip_set_id_t index; + ip_set_id_t binding; + u_int32_t ref; + u_int32_t header_size; /* Set header data of header_size */ + u_int32_t members_size; /* Set members data of members_size */ + u_int32_t bindings_size;/* Set bindings data of bindings_size */ +}; + +struct ip_set_hash_list { + ip_set_ip_t ip; + ip_set_id_t binding; +}; + +/* The save operation */ +#define IP_SET_OP_SAVE 0x00000204 +/* Uses ip_set_req_list, in the reply replaced by + * sets number of struct ip_set_save plus a marker + * ip_set_save followed by ip_set_hash_save structures. 
+ */ +struct ip_set_save { + ip_set_id_t index; + ip_set_id_t binding; + u_int32_t header_size; /* Set header data of header_size */ + u_int32_t members_size; /* Set members data of members_size */ +}; + +/* At restoring, ip == 0 means default binding for the given set: */ +struct ip_set_hash_save { + ip_set_ip_t ip; + ip_set_id_t id; + ip_set_id_t binding; +}; + +/* The restore operation */ +#define IP_SET_OP_RESTORE 0x00000205 +/* Uses ip_set_req_setnames followed by ip_set_restore structures + * plus a marker ip_set_restore, followed by ip_set_hash_save + * structures. + */ +struct ip_set_restore { + char name[IP_SET_MAXNAMELEN]; + char typename[IP_SET_MAXNAMELEN]; + ip_set_id_t index; + u_int32_t header_size; /* Create data of header_size */ + u_int32_t members_size; /* Set members data of members_size */ +}; + +static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b) +{ + return 4 * ((((b - a + 8) / 8) + 3) / 4); +} + +/* General limit for the elements in a set */ +#define MAX_RANGE 0x0000FFFF + +/* Alignment: 'unsigned long' unsupported */ +#define IPSET_ALIGNTO 4 +#define IPSET_ALIGN(len) (((len) + IPSET_ALIGNTO - 1) & ~(IPSET_ALIGNTO - 1)) +#define IPSET_VALIGN(len, old) ((old) ? (len) : IPSET_ALIGN(len)) + +#ifdef __KERNEL__ +#include +#include + +#define ip_set_printk(format, args...) \ + do { \ + printk("%s: %s: ", __FILE__, __FUNCTION__); \ + printk(format "\n" , ## args); \ + } while (0) + +#if defined(IP_SET_DEBUG) +#define DP(format, args...) \ + do { \ + printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\ + printk(format "\n" , ## args); \ + } while (0) +#define IP_SET_ASSERT(x) \ + do { \ + if (!(x)) \ + printk("IP_SET_ASSERT: %s:%i(%s)\n", \ + __FILE__, __LINE__, __FUNCTION__); \ + } while (0) +#else +#define DP(format, args...) +#define IP_SET_ASSERT(x) +#endif + +struct ip_set; + +/* + * The ip_set_type definition - one per set type, e.g. "ipmap". + * + * Each individual set has a pointer, set->type, going to one + * of these structures. 
Function pointers inside the structure implement + * the real behaviour of the sets. + * + * If not mentioned differently, the implementation behind the function + * pointers of a set_type, is expected to return 0 if ok, and a negative + * errno (e.g. -EINVAL) on error. + */ +struct ip_set_type { + struct list_head list; /* next in list of set types */ + + /* test for IP in set (kernel: iptables -m set src|dst) + * return 0 if not in set, 1 if in set. + */ + int (*testip_kernel) (struct ip_set *set, + const struct sk_buff * skb, + const u_int32_t *flags); + + /* test for IP in set (userspace: ipset -T set IP) + * return 0 if not in set, 1 if in set. + */ + int (*testip) (struct ip_set *set, + const void *data, u_int32_t size); + + /* + * Size of the data structure passed by when + * adding/deletin/testing an entry. + */ + u_int32_t reqsize; + + /* Add IP into set (userspace: ipset -A set IP) + * Return -EEXIST if the address is already in the set, + * and -ERANGE if the address lies outside the set bounds. + * If the address was not already in the set, 0 is returned. + */ + int (*addip) (struct ip_set *set, + const void *data, u_int32_t size); + + /* Add IP into set (kernel: iptables ... -j SET set src|dst) + * Return -EEXIST if the address is already in the set, + * and -ERANGE if the address lies outside the set bounds. + * If the address was not already in the set, 0 is returned. + */ + int (*addip_kernel) (struct ip_set *set, + const struct sk_buff * skb, + const u_int32_t *flags); + + /* remove IP from set (userspace: ipset -D set --entry x) + * Return -EEXIST if the address is NOT in the set, + * and -ERANGE if the address lies outside the set bounds. + * If the address really was in the set, 0 is returned. + */ + int (*delip) (struct ip_set *set, + const void *data, u_int32_t size); + + /* remove IP from set (kernel: iptables ... -j SET --entry x) + * Return -EEXIST if the address is NOT in the set, + * and -ERANGE if the address lies outside the set bounds. 
+ * If the address really was in the set, 0 is returned. + */ + int (*delip_kernel) (struct ip_set *set, + const struct sk_buff * skb, + const u_int32_t *flags); + + /* new set creation - allocated type specific items + */ + int (*create) (struct ip_set *set, + const void *data, u_int32_t size); + + /* retry the operation after successfully tweaking the set + */ + int (*retry) (struct ip_set *set); + + /* set destruction - free type specific items + * There is no return value. + * Can be called only when child sets are destroyed. + */ + void (*destroy) (struct ip_set *set); + + /* set flushing - reset all bits in the set, or something similar. + * There is no return value. + */ + void (*flush) (struct ip_set *set); + + /* Listing: size needed for header + */ + u_int32_t header_size; + + /* Listing: Get the header + * + * Fill in the information in "data". + * This function is always run after list_header_size() under a + * writelock on the set. Therefor is the length of "data" always + * correct. + */ + void (*list_header) (const struct ip_set *set, + void *data); + + /* Listing: Get the size for the set members + */ + int (*list_members_size) (const struct ip_set *set, char dont_align); + + /* Listing: Get the set members + * + * Fill in the information in "data". + * This function is always run after list_member_size() under a + * writelock on the set. Therefor is the length of "data" always + * correct. 
+ */ + void (*list_members) (const struct ip_set *set, + void *data, char dont_align); + + char typename[IP_SET_MAXNAMELEN]; + unsigned char features; + int protocol_version; + + /* Set this to THIS_MODULE if you are a module, otherwise NULL */ + struct module *me; +}; + +extern int ip_set_register_set_type(struct ip_set_type *set_type); +extern void ip_set_unregister_set_type(struct ip_set_type *set_type); + +/* A generic ipset */ +struct ip_set { + char name[IP_SET_MAXNAMELEN]; /* the name of the set */ + rwlock_t lock; /* lock for concurrency control */ + ip_set_id_t id; /* set id for swapping */ + atomic_t ref; /* in kernel and in hash references */ + struct ip_set_type *type; /* the set types */ + void *data; /* pooltype specific data */ +}; + +/* register and unregister set references */ +extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]); +extern ip_set_id_t ip_set_get_byindex(ip_set_id_t index); +extern void ip_set_put_byindex(ip_set_id_t index); +extern ip_set_id_t ip_set_id(ip_set_id_t index); +extern ip_set_id_t __ip_set_get_byname(const char name[IP_SET_MAXNAMELEN], + struct ip_set **set); +extern void __ip_set_put_byindex(ip_set_id_t index); + +/* API for iptables set match, and SET target */ +extern int ip_set_addip_kernel(ip_set_id_t id, + const struct sk_buff *skb, + const u_int32_t *flags); +extern int ip_set_delip_kernel(ip_set_id_t id, + const struct sk_buff *skb, + const u_int32_t *flags); +extern int ip_set_testip_kernel(ip_set_id_t id, + const struct sk_buff *skb, + const u_int32_t *flags); + +/* Macros to generate functions */ + +#define STRUCT(pre, type) CONCAT2(pre, type) +#define CONCAT2(pre, type) struct pre##type + +#define FNAME(pre, mid, post) CONCAT3(pre, mid, post) +#define CONCAT3(pre, mid, post) pre##mid##post + +#define UADT0(type, adt, args...) 
\ +static int \ +FNAME(type,_u,adt)(struct ip_set *set, const void *data, u_int32_t size)\ +{ \ + const STRUCT(ip_set_req_,type) *req = data; \ + \ + return FNAME(type,_,adt)(set , ## args); \ +} + +#define UADT(type, adt, args...) \ + UADT0(type, adt, req->ip , ## args) + +#define KADT(type, adt, getfn, args...) \ +static int \ +FNAME(type,_k,adt)(struct ip_set *set, \ + const struct sk_buff *skb, \ + const u_int32_t *flags) \ +{ \ + ip_set_ip_t ip = getfn(skb, flags); \ + \ + KADT_CONDITION \ + return FNAME(type,_,adt)(set, ip , ##args); \ +} + +#define REGISTER_MODULE(type) \ +static int __init ip_set_##type##_init(void) \ +{ \ + init_max_page_size(); \ + return ip_set_register_set_type(&ip_set_##type); \ +} \ + \ +static void __exit ip_set_##type##_fini(void) \ +{ \ + /* FIXME: possible race with ip_set_create() */ \ + ip_set_unregister_set_type(&ip_set_##type); \ +} \ + \ +module_init(ip_set_##type##_init); \ +module_exit(ip_set_##type##_fini); + +/* Common functions */ + +static inline ip_set_ip_t +ipaddr(const struct sk_buff *skb, const u_int32_t *flags) +{ + return ntohl(flags[0] & IPSET_SRC ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr); +} + +#define jhash_ip(map, i, ip) jhash_1word(ip, *(map->initval + i)) + +#define pack_ip_port(map, ip, port) \ + (port + ((ip - ((map)->first_ip)) << 16)) + +#endif /* __KERNEL__ */ + +#define UNUSED __attribute__ ((unused)) + +#endif /*_IP_SET_H*/ diff --git a/kernel/include/linux/netfilter/ip_set_bitmaps.h b/kernel/include/linux/netfilter/ip_set_bitmaps.h new file mode 100644 index 0000000..da3493f --- /dev/null +++ b/kernel/include/linux/netfilter/ip_set_bitmaps.h 
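Review bot: The request structs that cross the SO_IP_SET boundary (`ip_set_req_create`, `ip_set_req_get_set`, `ip_set_req_adt_get`, `ip_set_req_bind`, `ip_set_restore`) carry fixed `char name[IP_SET_MAXNAMELEN]`/`typename`/`binding` arrays, and nothing in the header says whether they arrive NUL-terminated; the kernel side that reads them is not in this diff, so I cannot tell whether it terminates them before string use. A comment next to `IP_SET_REQ_STD`, e.g. `/* name[] is copied verbatim from userspace and may lack a terminating NUL; every kernel-side read must be bounded by IP_SET_MAXNAMELEN */`, would make that contract explicit for set-type authors. Minor style: `IP_SET_REQ_BYINDEX` ends in `;` and is then used as `IP_SET_REQ_BYINDEX;`, leaving an empty declaration in `ip_set_req_adt`, `ip_set_req_bind` and `ip_set_req_list`; drop the trailing `;` from the macro as `IP_SET_REQ_STD` already does. `bitmap_bytes()` computes `b - a + 8` in 32-bit unsigned arithmetic and returns `int`, so it relies on callers having bounded the range (MAX_RANGE) first — worth stating in a one-line comment above it.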
@@ -0,0 +1,120 @@ +#ifndef __IP_SET_BITMAPS_H +#define __IP_SET_BITMAPS_H + +/* Macros to generate functions */ + +#ifdef __KERNEL__ +#define BITMAP_CREATE(type) \ +static int \ +type##_create(struct ip_set *set, const void *data, u_int32_t size) \ +{ \ + int newbytes; \ + const struct ip_set_req_##type##_create *req = data; \ + struct ip_set_##type *map; \ + \ + if (req->from > req->to) { \ + DP("bad range"); \ + return -ENOEXEC; \ + } \ + \ + map = kmalloc(sizeof(struct ip_set_##type), GFP_KERNEL); \ + if (!map) { \ + DP("out of memory for %zu bytes", \ + sizeof(struct ip_set_##type)); \ + return -ENOMEM; \ + } \ + map->first_ip = req->from; \ + map->last_ip = req->to; \ + \ + newbytes = __##type##_create(req, map); \ + if (newbytes < 0) { \ + kfree(map); \ + return newbytes; \ + } \ + \ + map->size = newbytes; \ + map->members = ip_set_malloc(newbytes); \ + if (!map->members) { \ + DP("out of memory for %i bytes", newbytes); \ + kfree(map); \ + return -ENOMEM; \ + } \ + memset(map->members, 0, newbytes); \ + \ + set->data = map; \ + return 0; \ +} + +#define BITMAP_DESTROY(type) \ +static void \ +type##_destroy(struct ip_set *set) \ +{ \ + struct ip_set_##type *map = set->data; \ + \ + ip_set_free(map->members, map->size); \ + kfree(map); \ + \ + set->data = NULL; \ +} + +#define BITMAP_FLUSH(type) \ +static void \ +type##_flush(struct ip_set *set) \ +{ \ + struct ip_set_##type *map = set->data; \ + memset(map->members, 0, map->size); \ +} + +#define BITMAP_LIST_HEADER(type) \ +static void \ +type##_list_header(const struct ip_set *set, void *data) \ +{ \ + const struct ip_set_##type *map = set->data; \ + struct ip_set_req_##type##_create *header = data; \ + \ + header->from = map->first_ip; \ + header->to = map->last_ip; \ + __##type##_list_header(map, header); \ +} + +#define BITMAP_LIST_MEMBERS_SIZE(type, dtype, sizeid, testfn) \ +static int \ +type##_list_members_size(const struct ip_set *set, char dont_align) \ +{ \ + const struct ip_set_##type *map = 
set->data; \ + ip_set_ip_t i, elements = 0; \ + \ + if (dont_align) \ + return map->size; \ + \ + for (i = 0; i < sizeid; i++) \ + if (testfn) \ + elements++; \ + \ + return elements * IPSET_ALIGN(sizeof(dtype)); \ +} + +#define IP_SET_TYPE(type, __features) \ +struct ip_set_type ip_set_##type = { \ + .typename = #type, \ + .features = __features, \ + .protocol_version = IP_SET_PROTOCOL_VERSION, \ + .create = &type##_create, \ + .destroy = &type##_destroy, \ + .flush = &type##_flush, \ + .reqsize = sizeof(struct ip_set_req_##type), \ + .addip = &type##_uadd, \ + .addip_kernel = &type##_kadd, \ + .delip = &type##_udel, \ + .delip_kernel = &type##_kdel, \ + .testip = &type##_utest, \ + .testip_kernel = &type##_ktest, \ + .header_size = sizeof(struct ip_set_req_##type##_create),\ + .list_header = &type##_list_header, \ + .list_members_size = &type##_list_members_size, \ + .list_members = &type##_list_members, \ + .me = THIS_MODULE, \ +}; +#endif /* __KERNEL */ + +#endif /* __IP_SET_BITMAPS_H */ diff --git a/kernel/include/linux/netfilter/ip_set_compat.h b/kernel/include/linux/netfilter/ip_set_compat.h new file mode 100644 index 0000000..9f17397 --- /dev/null +++ b/kernel/include/linux/netfilter/ip_set_compat.h 
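Review bot: `BITMAP_CREATE` only rejects `req->from > req->to` before handing the request to `__type_create`, so the upper bound on the range — and therefore on `newbytes`, which feeds `ip_set_malloc` and `memset` — rests entirely on that per-type helper, whose contract the macro does not state. I would document it above the macro, e.g. `/* __type_create(req, map) must validate the range (MAX_RANGE) and return the bitmap size in bytes, or a negative errno */`, so a new set type cannot silently skip the size check. `BITMAP_LIST_MEMBERS_SIZE` multiplies a 32-bit `elements` count by `IPSET_ALIGN(sizeof(dtype))` and returns `int`; with sizes capped by MAX_RANGE this fits, but a comment saying so would make it deliberate rather than accidental. Nit: the closing `#endif /* __KERNEL */` comment should read `__KERNEL__` to match the `#ifdef`.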
@@ -0,0 +1,92 @@
+#ifndef _IP_SET_COMPAT_H
+#define _IP_SET_COMPAT_H
+
+#ifdef __KERNEL__
+#include 
+
+/* Arrgh */
+#ifdef MODULE
+#define __MOD_INC(foo) __MOD_INC_USE_COUNT(foo)
+#define __MOD_DEC(foo) __MOD_DEC_USE_COUNT(foo)
+#else
+#define __MOD_INC(foo) 1
+#define __MOD_DEC(foo)
+#endif
+
+/* Backward compatibility */
+#ifndef __nocast
+#define __nocast
+#endif
+#ifndef __bitwise__
+#define __bitwise__
+#endif
+
+/* Compatibility glue code */
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
+#include 
+#define DEFINE_RWLOCK(x) rwlock_t x = RW_LOCK_UNLOCKED
+#define try_module_get(x) __MOD_INC(x)
+#define module_put(x) __MOD_DEC(x)
+#define __clear_bit(nr, addr) clear_bit(nr, addr)
+#define __set_bit(nr, addr) set_bit(nr, addr)
+#define __test_and_set_bit(nr, addr) test_and_set_bit(nr, addr)
+#define __test_and_clear_bit(nr, addr) test_and_clear_bit(nr, addr)
+
+typedef unsigned __bitwise__ gfp_t;
+
+static inline void *kzalloc(size_t size, gfp_t flags)
+{
+ void *data = kmalloc(size, flags);
+
+ if (data)
+ memset(data, 0, size);
+
+ return data;
+}
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,20)
+#define __KMEM_CACHE_T__ kmem_cache_t
+#else
+#define __KMEM_CACHE_T__ struct kmem_cache
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22)
+#define ip_hdr(skb) ((skb)->nh.iph)
+#define skb_mac_header(skb) ((skb)->mac.raw)
+#define eth_hdr(skb) ((struct ethhdr *)skb_mac_header(skb))
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23)
+#include 
+#define KMEM_CACHE_CREATE(name, size) \
+ kmem_cache_create(name, size, 0, 0, NULL, NULL)
+#else
+#define KMEM_CACHE_CREATE(name, size) \
+ kmem_cache_create(name, size, 0, 0, NULL)
+#endif
+
+#ifndef NIPQUAD
+#define NIPQUAD(addr) \
+ ((unsigned char *)&addr)[0], \
+ ((unsigned char *)&addr)[1], \
+ ((unsigned char *)&addr)[2], \
+ ((unsigned char *)&addr)[3]
+#endif
+
+#ifndef HIPQUAD
+#if defined(__LITTLE_ENDIAN)
+#define HIPQUAD(addr) \
+ ((unsigned char *)&addr)[3], \
+ ((unsigned char *)&addr)[2], 
\ + ((unsigned char *)&addr)[1], \ + ((unsigned char *)&addr)[0] +#elif defined(__BIG_ENDIAN) +#define HIPQUAD NIPQUAD +#else +#error "Please fix asm/byteorder.h" +#endif /* __LITTLE_ENDIAN */ +#endif + +#endif /* __KERNEL__ */ +#endif /* _IP_SET_COMPAT_H */ diff --git a/kernel/include/linux/netfilter/ip_set_getport.h b/kernel/include/linux/netfilter/ip_set_getport.h new file mode 100644 index 0000000..18ed729 --- /dev/null +++ b/kernel/include/linux/netfilter/ip_set_getport.h @@ -0,0 +1,48 @@ +#ifndef _IP_SET_GETPORT_H +#define _IP_SET_GETPORT_H + +#ifdef __KERNEL__ + +#define INVALID_PORT (MAX_RANGE + 1) + +/* We must handle non-linear skbs */ +static inline ip_set_ip_t +get_port(const struct sk_buff *skb, const u_int32_t *flags) +{ + struct iphdr *iph = ip_hdr(skb); + u_int16_t offset = ntohs(iph->frag_off) & IP_OFFSET; + switch (iph->protocol) { + case IPPROTO_TCP: { + struct tcphdr tcph; + + /* See comments at tcp_match in ip_tables.c */ + if (offset) + return INVALID_PORT; + + if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &tcph, sizeof(tcph)) < 0) + /* No choice either */ + return INVALID_PORT; + + return ntohs(flags[0] & IPSET_SRC ? + tcph.source : tcph.dest); + } + case IPPROTO_UDP: { + struct udphdr udph; + + if (offset) + return INVALID_PORT; + + if (skb_copy_bits(skb, ip_hdr(skb)->ihl*4, &udph, sizeof(udph)) < 0) + /* No choice either */ + return INVALID_PORT; + + return ntohs(flags[0] & IPSET_SRC ? + udph.source : udph.dest); + } + default: + return INVALID_PORT; + } +} +#endif /* __KERNEL__ */ + +#endif /*_IP_SET_GETPORT_H*/ diff --git a/kernel/include/linux/netfilter/ip_set_hashes.h b/kernel/include/linux/netfilter/ip_set_hashes.h new file mode 100644 index 0000000..8eeced3 --- /dev/null +++ b/kernel/include/linux/netfilter/ip_set_hashes.h 
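Review bot: `NIPQUAD(addr)` and `HIPQUAD(addr)` take the address of the macro argument unparenthesized (`&addr`), so an argument that is not a plain lvalue name — a cast, or an expression such as `x + 1` — either fails to compile or silently becomes `&x + 1` and reads the wrong bytes. The kernel's own historic NIPQUAD had the same shape, but since this copy is under ipset's control I would write `((unsigned char *)&(addr))[0]` and likewise for the other three bytes of both macros.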
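Review bot: `get_port()` returns `INVALID_PORT` (`MAX_RANGE + 1`, outside the 16-bit port range) for non-first fragments, transport headers that cannot be copied out of the skb, and every protocol other than TCP/UDP, but the function carries no comment saying so, and a caller that stores the result in a 16-bit field would silently truncate the sentinel to 0. I would add above the function `/* Returns the TCP/UDP source or destination port in host order, selected by IPSET_SRC in flags[0]; returns INVALID_PORT (> 0xFFFF) for non-first fragments, unreadable headers and other protocols — callers must check before use. */`. Style: `struct iphdr *iph` can be `const struct iphdr *`, and the two `ip_hdr(skb)->ihl*4` expressions can reuse `iph->ihl * 4` instead of re-deriving the header pointer.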
@@ -0,0 +1,314 @@ +#ifndef __IP_SET_HASHES_H +#define __IP_SET_HASHES_H + +#define initval_t uint32_t + +/* Macros to generate functions */ + +#ifdef __KERNEL__ +#define HASH_RETRY0(type, dtype, cond) \ +static int \ +type##_retry(struct ip_set *set) \ +{ \ + struct ip_set_##type *map = set->data, *tmp; \ + dtype *elem; \ + void *members; \ + u_int32_t i, hashsize = map->hashsize; \ + int res; \ + \ + if (map->resize == 0) \ + return -ERANGE; \ + \ + again: \ + res = 0; \ + \ + /* Calculate new hash size */ \ + hashsize += (hashsize * map->resize)/100; \ + if (hashsize == map->hashsize) \ + hashsize++; \ + \ + ip_set_printk("rehashing of set %s triggered: " \ + "hashsize grows from %lu to %lu", \ + set->name, \ + (long unsigned)map->hashsize, \ + (long unsigned)hashsize); \ + \ + tmp = kmalloc(sizeof(struct ip_set_##type) \ + + map->probes * sizeof(initval_t), GFP_ATOMIC); \ + if (!tmp) { \ + DP("out of memory for %zu bytes", \ + sizeof(struct ip_set_##type) \ + + map->probes * sizeof(initval_t)); \ + return -ENOMEM; \ + } \ + tmp->members = harray_malloc(hashsize, sizeof(dtype), GFP_ATOMIC);\ + if (!tmp->members) { \ + DP("out of memory for %zu bytes", hashsize * sizeof(dtype));\ + kfree(tmp); \ + return -ENOMEM; \ + } \ + tmp->hashsize = hashsize; \ + tmp->elements = 0; \ + tmp->probes = map->probes; \ + tmp->resize = map->resize; \ + memcpy(tmp->initval, map->initval, map->probes * sizeof(initval_t));\ + __##type##_retry(tmp, map); \ + \ + write_lock_bh(&set->lock); \ + map = set->data; /* Play safe */ \ + for (i = 0; i < map->hashsize && res == 0; i++) { \ + elem = HARRAY_ELEM(map->members, dtype *, i); \ + if (cond) \ + res = __##type##_add(tmp, elem); \ + } \ + if (res) { \ + /* Failure, try again */ \ + write_unlock_bh(&set->lock); \ + harray_free(tmp->members); \ + kfree(tmp); \ + goto again; \ + } \ + \ + /* Success at resizing! 
*/ \ + members = map->members; \ + \ + map->hashsize = tmp->hashsize; \ + map->members = tmp->members; \ + write_unlock_bh(&set->lock); \ + \ + harray_free(members); \ + kfree(tmp); \ + \ + return 0; \ +} + +#define HASH_RETRY(type, dtype) \ + HASH_RETRY0(type, dtype, *elem) + +#define HASH_RETRY2(type, dtype) \ + HASH_RETRY0(type, dtype, elem->ip || elem->ip1) + +#define HASH_CREATE(type, dtype) \ +static int \ +type##_create(struct ip_set *set, const void *data, u_int32_t size) \ +{ \ + const struct ip_set_req_##type##_create *req = data; \ + struct ip_set_##type *map; \ + uint16_t i; \ + \ + if (req->hashsize < 1) { \ + ip_set_printk("hashsize too small"); \ + return -ENOEXEC; \ + } \ + \ + if (req->probes < 1) { \ + ip_set_printk("probes too small"); \ + return -ENOEXEC; \ + } \ + \ + map = kmalloc(sizeof(struct ip_set_##type) \ + + req->probes * sizeof(initval_t), GFP_KERNEL); \ + if (!map) { \ + DP("out of memory for %zu bytes", \ + sizeof(struct ip_set_##type) \ + + req->probes * sizeof(initval_t)); \ + return -ENOMEM; \ + } \ + for (i = 0; i < req->probes; i++) \ + get_random_bytes(((initval_t *) map->initval)+i, 4); \ + map->elements = 0; \ + map->hashsize = req->hashsize; \ + map->probes = req->probes; \ + map->resize = req->resize; \ + if (__##type##_create(req, map)) { \ + kfree(map); \ + return -ENOEXEC; \ + } \ + map->members = harray_malloc(map->hashsize, sizeof(dtype), GFP_KERNEL);\ + if (!map->members) { \ + DP("out of memory for %zu bytes", map->hashsize * sizeof(dtype));\ + kfree(map); \ + return -ENOMEM; \ + } \ + \ + set->data = map; \ + return 0; \ +} + +#define HASH_DESTROY(type) \ +static void \ +type##_destroy(struct ip_set *set) \ +{ \ + struct ip_set_##type *map = set->data; \ + \ + harray_free(map->members); \ + kfree(map); \ + \ + set->data = NULL; \ +} + +#define HASH_FLUSH(type, dtype) \ +static void \ +type##_flush(struct ip_set *set) \ +{ \ + struct ip_set_##type *map = set->data; \ + harray_flush(map->members, map->hashsize, 
sizeof(dtype)); \ + map->elements = 0; \ +} + +#define HASH_FLUSH_CIDR(type, dtype) \ +static void \ +type##_flush(struct ip_set *set) \ +{ \ + struct ip_set_##type *map = set->data; \ + harray_flush(map->members, map->hashsize, sizeof(dtype)); \ + memset(map->cidr, 0, sizeof(map->cidr)); \ + memset(map->nets, 0, sizeof(map->nets)); \ + map->elements = 0; \ +} + +#define HASH_LIST_HEADER(type) \ +static void \ +type##_list_header(const struct ip_set *set, void *data) \ +{ \ + const struct ip_set_##type *map = set->data; \ + struct ip_set_req_##type##_create *header = data; \ + \ + header->hashsize = map->hashsize; \ + header->probes = map->probes; \ + header->resize = map->resize; \ + __##type##_list_header(map, header); \ +} + +#define HASH_LIST_MEMBERS_SIZE(type, dtype) \ +static int \ +type##_list_members_size(const struct ip_set *set, char dont_align) \ +{ \ + const struct ip_set_##type *map = set->data; \ + \ + return (map->elements * IPSET_VALIGN(sizeof(dtype), dont_align));\ +} + +#define HASH_LIST_MEMBERS(type, dtype) \ +static void \ +type##_list_members(const struct ip_set *set, void *data, char dont_align)\ +{ \ + const struct ip_set_##type *map = set->data; \ + dtype *elem, *d; \ + uint32_t i, n = 0; \ + \ + for (i = 0; i < map->hashsize; i++) { \ + elem = HARRAY_ELEM(map->members, dtype *, i); \ + if (*elem) { \ + d = data + n * IPSET_VALIGN(sizeof(dtype), dont_align);\ + *d = *elem; \ + n++; \ + } \ + } \ +} + +#define HASH_LIST_MEMBERS_MEMCPY(type, dtype, nonzero) \ +static void \ +type##_list_members(const struct ip_set *set, void *data, char dont_align)\ +{ \ + const struct ip_set_##type *map = set->data; \ + dtype *elem; \ + uint32_t i, n = 0; \ + \ + for (i = 0; i < map->hashsize; i++) { \ + elem = HARRAY_ELEM(map->members, dtype *, i); \ + if (nonzero) { \ + memcpy(data + n * IPSET_VALIGN(sizeof(dtype), dont_align),\ + elem, sizeof(dtype)); \ + n++; \ + } \ + } \ +} + +#define IP_SET_RTYPE(type, __features) \ +struct ip_set_type ip_set_##type = 
{ \ + .typename = #type, \ + .features = __features, \ + .protocol_version = IP_SET_PROTOCOL_VERSION, \ + .create = &type##_create, \ + .retry = &type##_retry, \ + .destroy = &type##_destroy, \ + .flush = &type##_flush, \ + .reqsize = sizeof(struct ip_set_req_##type), \ + .addip = &type##_uadd, \ + .addip_kernel = &type##_kadd, \ + .delip = &type##_udel, \ + .delip_kernel = &type##_kdel, \ + .testip = &type##_utest, \ + .testip_kernel = &type##_ktest, \ + .header_size = sizeof(struct ip_set_req_##type##_create),\ + .list_header = &type##_list_header, \ + .list_members_size = &type##_list_members_size, \ + .list_members = &type##_list_members, \ + .me = THIS_MODULE, \ +}; + +/* Helper functions */ +static inline void +add_cidr_size(uint8_t *cidr, uint8_t size) +{ + uint8_t next; + int i; + + for (i = 0; i < 30 && cidr[i]; i++) { + if (cidr[i] < size) { + next = cidr[i]; + cidr[i] = size; + size = next; + } + } + if (i < 30) + cidr[i] = size; +} + +static inline void +del_cidr_size(uint8_t *cidr, uint8_t size) +{ + int i; + + for (i = 0; i < 29 && cidr[i]; i++) { + if (cidr[i] == size) + cidr[i] = size = cidr[i+1]; + } + cidr[29] = 0; +} +#else +#include +#endif /* __KERNEL */ + +#ifndef UINT16_MAX +#define UINT16_MAX 65535 +#endif + +static unsigned char shifts[] = {255, 253, 249, 241, 225, 193, 129, 1}; + +static inline ip_set_ip_t +pack_ip_cidr(ip_set_ip_t ip, unsigned char cidr) +{ + ip_set_ip_t addr, *paddr = &addr; + unsigned char n, t, *a; + + addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr)))); +#ifdef __KERNEL__ + DP("ip:%u.%u.%u.%u/%u", NIPQUAD(addr), cidr); +#endif + n = cidr / 8; + t = cidr % 8; + a = &((unsigned char *)paddr)[n]; + *a = *a /(1 << (8 - t)) + shifts[t]; +#ifdef __KERNEL__ + DP("n: %u, t: %u, a: %u", n, t, *a); + DP("ip:%u.%u.%u.%u/%u, %u.%u.%u.%u", + HIPQUAD(ip), cidr, NIPQUAD(addr)); +#endif + + return ntohl(addr); +} + + +#endif /* __IP_SET_HASHES_H */ 
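Review bot: `pack_ip_cidr()` shifts by `32 - cidr` and then writes through `&((unsigned char *)paddr)[cidr / 8]`, so it is only well-defined for 1 <= cidr <= 31: `cidr == 0` is a shift by 32 (undefined in C) and `cidr == 32` indexes byte 4 of the 4-byte `addr` on the stack. The callers are in the set-type .c files outside this diff, so I cannot see whether they enforce the bound; the header should state it, e.g. `/* cidr must be in 1..31; callers validate before calling */`, or the function should reject out-of-range values itself. `static unsigned char shifts[]` is a writable per-translation-unit copy living in a header; make it `static const`. In `HASH_RETRY0`, `hashsize += (hashsize * map->resize)/100` is 32-bit arithmetic on two values chosen at create time, and the `again:` loop has no cap on growth, so an upper bound (and a rate limit on the `ip_set_printk` inside the loop) would keep a pathological set from repeatedly allocating under `GFP_ATOMIC`.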
diff --git a/kernel/include/linux/netfilter/ip_set_iphash.h b/kernel/include/linux/netfilter/ip_set_iphash.h
new file mode 100644
index 0000000..0a0c7e8
--- /dev/null
+++ b/kernel/include/linux/netfilter/ip_set_iphash.h
@@ -0,0 +1,30 @@
+#ifndef __IP_SET_IPHASH_H
+#define __IP_SET_IPHASH_H
+
+#include 
+#include 
+
+#define SETTYPE_NAME "iphash"
+
+struct ip_set_iphash {
+ ip_set_ip_t *members; /* the iphash proper */
+ uint32_t elements; /* number of elements */
+ uint32_t hashsize; /* hash size */
+ uint16_t probes; /* max number of probes */
+ uint16_t resize; /* resize factor in percent */
+ ip_set_ip_t netmask; /* netmask */
+ initval_t initval[0]; /* initvals for jhash_1word */
+};
+
+struct ip_set_req_iphash_create {
+ uint32_t hashsize;
+ uint16_t probes;
+ uint16_t resize;
+ ip_set_ip_t netmask;
+};
+
+struct ip_set_req_iphash {
+ ip_set_ip_t ip;
+};
+
+#endif /* __IP_SET_IPHASH_H */
diff --git a/kernel/include/linux/netfilter/ip_set_ipmap.h b/kernel/include/linux/netfilter/ip_set_ipmap.h
new file mode 100644
index 0000000..d16c0ae
--- /dev/null
+++ b/kernel/include/linux/netfilter/ip_set_ipmap.h
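Review bot: `initval_t initval[0];` at the end of `struct ip_set_iphash` is the GNU zero-length-array idiom; the C99 flexible array member `initval_t initval[];` expresses the same trailing-data layout portably, keeps the `sizeof(struct ip_set_iphash) + probes * sizeof(initval_t)` allocation used by `HASH_CREATE` in ip_set_hashes.h unchanged, and lets the compiler diagnose misuse, assuming the oldest compiler this tree targets accepts it. The same applies to `ip_set_ipporthash` in ip_set_ipporthash.h in this commit. A short comment on `ip_set_req_iphash_create` noting that `hashsize` and `probes` are checked to be at least 1 by `HASH_CREATE` rather than here would help readers coming from the userspace side.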
@@ -0,0 +1,57 @@
+#ifndef __IP_SET_IPMAP_H
+#define __IP_SET_IPMAP_H
+
+#include
+#include
+
+#define SETTYPE_NAME "ipmap"
+
+struct ip_set_ipmap {
+ void *members; /* the ipmap proper */
+ ip_set_ip_t first_ip; /* host byte order, included in range */
+ ip_set_ip_t last_ip; /* host byte order, included in range */
+ ip_set_ip_t netmask; /* subnet netmask */
+ ip_set_ip_t sizeid; /* size of set in IPs */
+ ip_set_ip_t hosts; /* number of hosts in a subnet */
+ u_int32_t size; /* size of the ipmap proper */
+};
+
+struct ip_set_req_ipmap_create {
+ ip_set_ip_t from;
+ ip_set_ip_t to;
+ ip_set_ip_t netmask;
+};
+
+struct ip_set_req_ipmap {
+ ip_set_ip_t ip;
+};
+
+static inline unsigned int
+mask_to_bits(ip_set_ip_t mask)
+{
+ unsigned int bits = 32;
+ ip_set_ip_t maskaddr;
+
+ if (mask == 0xFFFFFFFF)
+ return bits;
+
+ maskaddr = 0xFFFFFFFE;
+ while (--bits > 0 && maskaddr != mask)
+ maskaddr <<= 1;
+
+ return bits;
+}
+
+static inline ip_set_ip_t
+range_to_mask(ip_set_ip_t from, ip_set_ip_t to, unsigned int *bits)
+{
+ ip_set_ip_t mask = 0xFFFFFFFE;
+
+ *bits = 32;
+ while (--(*bits) > 0 && mask && (to & mask) != from)
+ mask <<= 1;
+
+ return mask;
+}
+
+#endif /* __IP_SET_IPMAP_H */
diff --git a/kernel/include/linux/netfilter/ip_set_ipporthash.h b/kernel/include/linux/netfilter/ip_set_ipporthash.h
new file mode 100644
index 0000000..a3b781a
--- /dev/null
+++ b/kernel/include/linux/netfilter/ip_set_ipporthash.h
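Review bot: `range_to_mask` never tries the /32 mask: `mask` starts at `0xFFFFFFFE` and `*bits` is decremented before the first comparison, so a single-address range with `from == to` comes back as /31 (`mask == 0xFFFFFFFE`, `*bits == 31`) for an even address and runs all the way down to `mask == 0`, `*bits == 0` for an odd one. The loop also only checks that `from` is the network address of the candidate mask (`(to & mask) == from`), never that `to` is its last address, so a range such as 10.0.0.0–10.0.0.5 is reported as /29 and, unless every caller re-validates `to` against the returned mask, the set would silently cover addresses outside the range the user asked for. `mask_to_bits` has the related weakness that a non-contiguous mask such as 0xFF00FF00 returns 0, indistinguishable from a genuine /0; a comment on that would help callers. The rewrite below starts at /32 and accepts a mask only when `from` is its network address and `to` its last address; it keeps `mask == 0` as the "not a subnet" result.
```c
static inline ip_set_ip_t
range_to_mask(ip_set_ip_t from, ip_set_ip_t to, unsigned int *bits)
{
	ip_set_ip_t mask = 0xFFFFFFFF;

	/* Accept a mask only when from..to is exactly the network it describes:
	 * from must be the network address and to the last address of it. */
	*bits = 32;
	while (*bits > 0 &&
	       ((from & mask) != from || (to & mask) != from || (to | ~mask) != to)) {
		mask <<= 1;
		(*bits)--;
	}

	return mask;
}
```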
@@ -0,0 +1,33 @@
+#ifndef __IP_SET_IPPORTHASH_H
+#define __IP_SET_IPPORTHASH_H
+
+#include
+#include
+
+#define SETTYPE_NAME "ipporthash"
+
+struct ip_set_ipporthash {
+ ip_set_ip_t *members; /* the ipporthash proper */
+ uint32_t elements; /* number of elements */
+ uint32_t hashsize; /* hash size */
+ uint16_t probes; /* max number of probes */
+ uint16_t resize; /* resize factor in percent */
+ ip_set_ip_t first_ip; /* host byte order, included in range */
+ ip_set_ip_t last_ip; /* host byte order, included in range */
+ initval_t initval[0]; /* initvals for jhash_1word */
+};
+
+struct ip_set_req_ipporthash_create {
+ uint32_t hashsize;
+ uint16_t probes;
+ uint16_t resize;
+ ip_set_ip_t from;
+ ip_set_ip_t to;
+};
+
+struct ip_set_req_ipporthash {
+ ip_set_ip_t ip;
+ ip_set_ip_t port;
+};
+
+#endif /* __IP_SET_IPPORTHASH_H */
diff --git a/kernel/include/linux/netfilter/ip_set_ipportiphash.h b/kernel/include/linux/netfilter/ip_set_ipportiphash.h
new file mode 100644
index 0000000..2202c51
--- /dev/null
+++ b/kernel/include/linux/netfilter/ip_set_ipportiphash.h
@@ -0,0 +1,39 @@
+#ifndef __IP_SET_IPPORTIPHASH_H
+#define __IP_SET_IPPORTIPHASH_H
+
+#include
+#include
+
+#define SETTYPE_NAME "ipportiphash"
+
+struct ipportip {
+ ip_set_ip_t ip;
+ ip_set_ip_t ip1;
+};
+
+struct ip_set_ipportiphash {
+ struct ipportip *members; /* the ipportip proper */
+ uint32_t elements; /* number of elements */
+ uint32_t hashsize; /* hash size */
+ uint16_t probes; /* max number of probes */
+ uint16_t resize; /* resize factor in percent */
+ ip_set_ip_t first_ip; /* host byte order, included in range */
+ ip_set_ip_t last_ip; /* host byte order, included in range */
+ initval_t initval[0]; /* initvals for jhash_1word */
+};
+
+struct ip_set_req_ipportiphash_create {
+ uint32_t hashsize;
+ uint16_t probes;
+ uint16_t resize;
+ ip_set_ip_t from;
+ ip_set_ip_t to;
+};
+
+struct ip_set_req_ipportiphash {
+ ip_set_ip_t ip;
+ ip_set_ip_t port;
+ ip_set_ip_t ip1;
+};
+
+#endif /* __IP_SET_IPPORTIPHASH_H */
diff --git a/kernel/include/linux/netfilter/ip_set_ipportnethash.h b/kernel/include/linux/netfilter/ip_set_ipportnethash.h
new file mode 100644
index 0000000..73b2430
--- /dev/null
+++ b/kernel/include/linux/netfilter/ip_set_ipportnethash.h
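Review bot: `struct ipportip` is defined here and again, member for member, in ip_set_ipportnethash.h in the next hunk, and neither definition is guarded against the other, so a translation unit or userspace tool that includes both headers gets a redefinition error for the tag. Define it once in a header both set types already depend on, or give the two a distinct tag each. The `ip_set_ip_t port` member of `struct ip_set_req_ipportiphash` (and of `struct ip_set_req_ipporthash` in the previous hunk) stores a port in the 32-bit address type with no comment on its byte order or range; `ip_set_ip_t port; /* port number; byte order and valid range as documented for the set type */` with the actual convention filled in would spare the next reader a trip into the implementation.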
@@ -0,0 +1,42 @@
+#ifndef __IP_SET_IPPORTNETHASH_H
+#define __IP_SET_IPPORTNETHASH_H
+
+#include
+#include
+
+#define SETTYPE_NAME "ipportnethash"
+
+struct ipportip {
+ ip_set_ip_t ip;
+ ip_set_ip_t ip1;
+};
+
+struct ip_set_ipportnethash {
+ struct ipportip *members; /* the ipportip proper */
+ uint32_t elements; /* number of elements */
+ uint32_t hashsize; /* hash size */
+ uint16_t probes; /* max number of probes */
+ uint16_t resize; /* resize factor in percent */
+ ip_set_ip_t first_ip; /* host byte order, included in range */
+ ip_set_ip_t last_ip; /* host byte order, included in range */
+ uint8_t cidr[30]; /* CIDR sizes */
+ uint16_t nets[30]; /* nr of nets by CIDR sizes */
+ initval_t initval[0]; /* initvals for jhash_1word */
+};
+
+struct ip_set_req_ipportnethash_create {
+ uint32_t hashsize;
+ uint16_t probes;
+ uint16_t resize;
+ ip_set_ip_t from;
+ ip_set_ip_t to;
+};
+
+struct ip_set_req_ipportnethash {
+ ip_set_ip_t ip;
+ ip_set_ip_t port;
+ ip_set_ip_t ip1;
+ uint8_t cidr;
+};
+
+#endif /* __IP_SET_IPPORTNETHASH_H */
diff --git a/kernel/include/linux/netfilter/ip_set_iptree.h b/kernel/include/linux/netfilter/ip_set_iptree.h
new file mode 100644
index 0000000..36bf5ac
--- /dev/null
+++ b/kernel/include/linux/netfilter/ip_set_iptree.h
@@ -0,0 +1,39 @@
+#ifndef __IP_SET_IPTREE_H
+#define __IP_SET_IPTREE_H
+
+#include
+
+#define SETTYPE_NAME "iptree"
+
+struct ip_set_iptreed {
+ unsigned long expires[256]; /* x.x.x.ADDR */
+};
+
+struct ip_set_iptreec {
+ struct ip_set_iptreed *tree[256]; /* x.x.ADDR.* */
+};
+
+struct ip_set_iptreeb {
+ struct ip_set_iptreec *tree[256]; /* x.ADDR.*.* */
+};
+
+struct ip_set_iptree {
+ unsigned int timeout;
+ unsigned int gc_interval;
+#ifdef __KERNEL__
+ uint32_t elements; /* number of elements */
+ struct timer_list gc;
+ struct ip_set_iptreeb *tree[256]; /* ADDR.*.*.* */
+#endif
+};
+
+struct ip_set_req_iptree_create {
+ unsigned int timeout;
+};
+
+struct ip_set_req_iptree {
+ ip_set_ip_t ip;
+ unsigned int timeout;
+};
+
+#endif /* __IP_SET_IPTREE_H */
diff --git a/kernel/include/linux/netfilter/ip_set_iptreemap.h b/kernel/include/linux/netfilter/ip_set_iptreemap.h
new file mode 100644
index 0000000..6ea771a
--- /dev/null
+++ b/kernel/include/linux/netfilter/ip_set_iptreemap.h
@@ -0,0 +1,40 @@
+#ifndef __IP_SET_IPTREEMAP_H
+#define __IP_SET_IPTREEMAP_H
+
+#include
+
+#define SETTYPE_NAME "iptreemap"
+
+#ifdef __KERNEL__
+struct ip_set_iptreemap_d {
+ unsigned char bitmap[32]; /* x.x.x.y */
+};
+
+struct ip_set_iptreemap_c {
+ struct ip_set_iptreemap_d *tree[256]; /* x.x.y.x */
+};
+
+struct ip_set_iptreemap_b {
+ struct ip_set_iptreemap_c *tree[256]; /* x.y.x.x */
+ unsigned char dirty[32];
+};
+#endif
+
+struct ip_set_iptreemap {
+ unsigned int gc_interval;
+#ifdef __KERNEL__
+ struct timer_list gc;
+ struct ip_set_iptreemap_b *tree[256]; /* y.x.x.x */
+#endif
+};
+
+struct ip_set_req_iptreemap_create {
+ unsigned int gc_interval;
+};
+
+struct ip_set_req_iptreemap {
+ ip_set_ip_t ip;
+ ip_set_ip_t end;
+};
+
+#endif /* __IP_SET_IPTREEMAP_H */
diff --git a/kernel/include/linux/netfilter/ip_set_jhash.h b/kernel/include/linux/netfilter/ip_set_jhash.h
new file mode 100644
index 0000000..2000b9f
--- /dev/null
+++ b/kernel/include/linux/netfilter/ip_set_jhash.h
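Review bot: The lifetime fields of `struct ip_set_iptree` and `struct ip_set_req_iptree` carry no unit: `timeout` and `gc_interval` are plain `unsigned int`, while the per-address `expires[256]` table in `struct ip_set_iptreed` is `unsigned long`, so a reader cannot tell from the header whether a request value arrives in seconds and is converted, or is already in whatever unit `expires` uses. A comment on each, e.g. `unsigned int timeout; /* member lifetime, in <UNIT - confirm against the iptree implementation> */`, would settle it; `gc_interval` in ip_set_iptreemap.h, the next hunk, has the same gap. `struct ip_set_iptree` also changes size and layout between kernel and userspace builds because of its `#ifdef __KERNEL__` members; if the struct is never exchanged across that boundary, saying so above it (`/* kernel-private; userspace only sees the ip_set_req_iptree* structs */`) would stop someone from using `sizeof` on it from userspace.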
@@ -0,0 +1,157 @@
+#ifndef _LINUX_JHASH_H
+#define _LINUX_JHASH_H
+
+/* jhash.h: Jenkins hash support.
+ *
+ * Copyright (C) 2006. Bob Jenkins (bob_jenkins@burtleburtle.net)
+ *
+ * http://burtleburtle.net/bob/hash/
+ *
+ * These are the credits from Bob's sources:
+ *
+ * lookup3.c, by Bob Jenkins, May 2006, Public Domain.
+ *
+ * These are functions for producing 32-bit hashes for hash table lookup.
+ * hashword(), hashlittle(), hashlittle2(), hashbig(), mix(), and final()
+ * are externally useful functions. Routines to test the hash are included
+ * if SELF_TEST is defined. You can use this free for any purpose. It's in
+ * the public domain. It has no warranty.
+ *
+ * Copyright (C) 2009 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * I've modified Bob's hash to be useful in the Linux kernel, and
+ * any bugs present are my fault. Jozsef
+ */
+
+#define __rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
+
+/* __jhash_mix - mix 3 32-bit values reversibly. */
+#define __jhash_mix(a,b,c) \
+{ \
+ a -= c; a ^= __rot(c, 4); c += b; \
+ b -= a; b ^= __rot(a, 6); a += c; \
+ c -= b; c ^= __rot(b, 8); b += a; \
+ a -= c; a ^= __rot(c,16); c += b; \
+ b -= a; b ^= __rot(a,19); a += c; \
+ c -= b; c ^= __rot(b, 4); b += a; \
+}
+
+/* __jhash_final - final mixing of 3 32-bit values (a,b,c) into c */
+#define __jhash_final(a,b,c) \
+{ \
+ c ^= b; c -= __rot(b,14); \
+ a ^= c; a -= __rot(c,11); \
+ b ^= a; b -= __rot(a,25); \
+ c ^= b; c -= __rot(b,16); \
+ a ^= c; a -= __rot(c,4); \
+ b ^= a; b -= __rot(a,14); \
+ c ^= b; c -= __rot(b,24); \
+}
+
+/* The golden ration: an arbitrary value */
+#define JHASH_GOLDEN_RATIO 0xdeadbeef
+
+/* The most generic version, hashes an arbitrary sequence
+ * of bytes. No alignment or length assumptions are made about
+ * the input key. The result depends on endianness.
+ */ +static inline u32 jhash(const void *key, u32 length, u32 initval) +{ + u32 a,b,c; + const u8 *k = key; + + /* Set up the internal state */ + a = b = c = JHASH_GOLDEN_RATIO + length + initval; + + /* all but the last block: affect some 32 bits of (a,b,c) */ + while (length > 12) { + a += (k[0] + ((u32)k[1]<<8) + ((u32)k[2]<<16) + ((u32)k[3]<<24)); + b += (k[4] + ((u32)k[5]<<8) + ((u32)k[6]<<16) + ((u32)k[7]<<24)); + c += (k[8] + ((u32)k[9]<<8) + ((u32)k[10]<<16) + ((u32)k[11]<<24)); + __jhash_mix(a, b, c); + length -= 12; + k += 12; + } + + /* last block: affect all 32 bits of (c) */ + /* all the case statements fall through */ + switch (length) { + case 12: c += (u32)k[11]<<24; + case 11: c += (u32)k[10]<<16; + case 10: c += (u32)k[9]<<8; + case 9 : c += k[8]; + case 8 : b += (u32)k[7]<<24; + case 7 : b += (u32)k[6]<<16; + case 6 : b += (u32)k[5]<<8; + case 5 : b += k[4]; + case 4 : a += (u32)k[3]<<24; + case 3 : a += (u32)k[2]<<16; + case 2 : a += (u32)k[1]<<8; + case 1 : a += k[0]; + __jhash_final(a, b, c); + case 0 : + break; + } + + return c; +} + +/* A special optimized version that handles 1 or more of u32s. + * The length parameter here is the number of u32s in the key. + */ +static inline u32 jhash2(const u32 *k, u32 length, u32 initval) +{ + u32 a, b, c; + + /* Set up the internal state */ + a = b = c = JHASH_GOLDEN_RATIO + (length<<2) + initval; + + /* handle most of the key */ + while (length > 3) { + a += k[0]; + b += k[1]; + c += k[2]; + __jhash_mix(a, b, c); + length -= 3; + k += 3; + } + + /* handle the last 3 u32's */ + /* all the case statements fall through */ + switch (length) { + case 3: c += k[2]; + case 2: b += k[1]; + case 1: a += k[0]; + __jhash_final(a, b, c); + case 0: /* case 0: nothing left to add */ + break; + } + + return c; +} + +/* A special ultra-optimized versions that knows they are hashing exactly + * 3, 2 or 1 word(s). 
+ */ +static inline u32 jhash_3words(u32 a, u32 b, u32 c, u32 initval) +{ + a += JHASH_GOLDEN_RATIO + initval; + b += JHASH_GOLDEN_RATIO + initval; + c += JHASH_GOLDEN_RATIO + initval; + + __jhash_final(a, b, c); + + return c; +} + +static inline u32 jhash_2words(u32 a, u32 b, u32 initval) +{ + return jhash_3words(0, a, b, initval); +} + +static inline u32 jhash_1word(u32 a, u32 initval) +{ + return jhash_3words(0, 0, a, initval); +} + +#endif /* _LINUX_JHASH_H */ diff --git a/kernel/include/linux/netfilter/ip_set_macipmap.h b/kernel/include/linux/netfilter/ip_set_macipmap.h new file mode 100644 index 0000000..0615e9f --- /dev/null +++ b/kernel/include/linux/netfilter/ip_set_macipmap.h @@ -0,0 +1,39 @@ +#ifndef __IP_SET_MACIPMAP_H +#define __IP_SET_MACIPMAP_H + +#include +#include + +#define SETTYPE_NAME "macipmap" + +/* general flags */ +#define IPSET_MACIP_MATCHUNSET 1 + +/* per ip flags */ +#define IPSET_MACIP_ISSET 1 + +struct ip_set_macipmap { + void *members; /* the macipmap proper */ + ip_set_ip_t first_ip; /* host byte order, included in range */ + ip_set_ip_t last_ip; /* host byte order, included in range */ + u_int32_t flags; + u_int32_t size; /* size of the ipmap proper */ +}; + +struct ip_set_req_macipmap_create { + ip_set_ip_t from; + ip_set_ip_t to; + u_int32_t flags; +}; + +struct ip_set_req_macipmap { + ip_set_ip_t ip; + unsigned char ethernet[ETH_ALEN]; +}; + +struct ip_set_macip { + unsigned short match; + unsigned char ethernet[ETH_ALEN]; +}; + +#endif /* __IP_SET_MACIPMAP_H */ diff --git a/kernel/include/linux/netfilter/ip_set_malloc.h b/kernel/include/linux/netfilter/ip_set_malloc.h new file mode 100644 index 0000000..2a80443 --- /dev/null +++ b/kernel/include/linux/netfilter/ip_set_malloc.h 
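Review bot: The include guard of this header is `_LINUX_JHASH_H`, the same guard the kernel's own `<linux/jhash.h>` uses, so whichever of the two is included first in a translation unit silently wins and the other becomes a no-op; if the kernel's copy is a different revision of the Jenkins hash, the bucket a key lands in would then depend on include order rather than on this file, which is hard to debug. Rename it, `#ifndef _IP_SET_JHASH_H` / `#define _IP_SET_JHASH_H`, and since `jhash`, `jhash2` and `jhash_3words` use `u32`/`u8` without any include of their own, add `#include <linux/types.h>` under the guard so the header stands on its own. Two smaller points in the same hunk: the comment `/* The golden ration: an arbitrary value */` should read "ratio", and the deliberately falling-through `case` labels in `jhash` and `jhash2` are documented only by the one comment above each `switch`, so a `/* fall through */` marker per case would keep `-Wimplicit-fallthrough` builds quiet without changing behaviour.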
@@ -0,0 +1,153 @@ +#ifndef _IP_SET_MALLOC_H +#define _IP_SET_MALLOC_H + +#ifdef __KERNEL__ +#include + +static size_t max_malloc_size = 0, max_page_size = 0; +static size_t default_max_malloc_size = 131072; /* Guaranteed: slab.c */ + +static inline int init_max_page_size(void) +{ +/* Compatibility glues to support 2.4.36 */ +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) +#define __GFP_NOWARN 0 + + /* Guaranteed: slab.c */ + max_malloc_size = max_page_size = default_max_malloc_size; +#else + size_t page_size = 0; + +#define CACHE(x) if (max_page_size == 0 || x < max_page_size) \ + page_size = x; +#include +#undef CACHE + if (page_size) { + if (max_malloc_size == 0) + max_malloc_size = page_size; + + max_page_size = page_size; + + return 1; + } +#endif + return 0; +} + +struct harray { + size_t max_elements; + void *arrays[0]; +}; + +static inline void * +__harray_malloc(size_t hashsize, size_t typesize, gfp_t flags) +{ + struct harray *harray; + size_t max_elements, size, i, j; + + BUG_ON(max_page_size == 0); + + if (typesize > max_page_size) + return NULL; + + max_elements = max_page_size/typesize; + size = hashsize/max_elements; + if (hashsize % max_elements) + size++; + + /* Last pointer signals end of arrays */ + harray = kmalloc(sizeof(struct harray) + (size + 1) * sizeof(void *), + flags); + + if (!harray) + return NULL; + + for (i = 0; i < size - 1; i++) { + harray->arrays[i] = kmalloc(max_elements * typesize, flags); + if (!harray->arrays[i]) + goto undo; + memset(harray->arrays[i], 0, max_elements * typesize); + } + harray->arrays[i] = kmalloc((hashsize - i * max_elements) * typesize, + flags); + if (!harray->arrays[i]) + goto undo; + memset(harray->arrays[i], 0, (hashsize - i * max_elements) * typesize); + + harray->max_elements = max_elements; + harray->arrays[size] = NULL; + + return (void *)harray; + + undo: + for (j = 0; j < i; j++) { + kfree(harray->arrays[j]); + } + kfree(harray); + return NULL; +} + +static inline void * +harray_malloc(size_t 
hashsize, size_t typesize, gfp_t flags) +{ + void *harray; + + do { + harray = __harray_malloc(hashsize, typesize, flags|__GFP_NOWARN); + } while (harray == NULL && init_max_page_size()); + + return harray; +} + +static inline void harray_free(void *h) +{ + struct harray *harray = (struct harray *) h; + size_t i; + + for (i = 0; harray->arrays[i] != NULL; i++) + kfree(harray->arrays[i]); + kfree(harray); +} + +static inline void harray_flush(void *h, size_t hashsize, size_t typesize) +{ + struct harray *harray = (struct harray *) h; + size_t i; + + for (i = 0; harray->arrays[i+1] != NULL; i++) + memset(harray->arrays[i], 0, harray->max_elements * typesize); + memset(harray->arrays[i], 0, + (hashsize - i * harray->max_elements) * typesize); +} + +#define HARRAY_ELEM(h, type, which) \ +({ \ + struct harray *__h = (struct harray *)(h); \ + ((type)((__h)->arrays[(which)/(__h)->max_elements]) \ + + (which)%(__h)->max_elements); \ +}) + +/* General memory allocation and deallocation */ +static inline void * ip_set_malloc(size_t bytes) +{ + BUG_ON(max_malloc_size == 0); + + if (bytes > default_max_malloc_size) + return vmalloc(bytes); + else + return kmalloc(bytes, GFP_KERNEL | __GFP_NOWARN); +} + +static inline void ip_set_free(void * data, size_t bytes) +{ + BUG_ON(max_malloc_size == 0); + + if (bytes > default_max_malloc_size) + vfree(data); + else + kfree(data); +} + +#endif /* __KERNEL__ */ + +#endif /*_IP_SET_MALLOC_H*/ diff --git a/kernel/include/linux/netfilter/ip_set_nethash.h b/kernel/include/linux/netfilter/ip_set_nethash.h new file mode 100644 index 0000000..cf0b794 --- /dev/null +++ b/kernel/include/linux/netfilter/ip_set_nethash.h 
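Review bot: `__harray_malloc` does not reject `hashsize == 0`: `size` then comes out as 0, the loop bound `size - 1` wraps to `SIZE_MAX` because `size` is `size_t`, and every iteration stores into `harray->arrays[i]` although only `size + 1 == 1` slot was allocated, so after the first successful `kmalloc` the loop writes past the end of the `harray` object until an allocation fails. `hashsize` originates in the userspace `ip_set_req_*_create` structures of this series, so unless every create path rejects 0 before calling `harray_malloc` this is reachable from the control socket; extend the existing guard to `if (hashsize == 0 || typesize > max_page_size) return NULL;`. Separately, `max_malloc_size` and `max_page_size` are `static` at file scope in a header, so each translation unit that includes ip_set_malloc.h gets its own copy and its own obligation to reach `init_max_page_size()` before the `BUG_ON(max_page_size == 0)` in `__harray_malloc` and `ip_set_malloc`; a comment above them stating that per-module initialisation contract would help, assuming it is intended. `harray_flush` and `harray_free` also have no guard against `h == NULL`, which is fine only if callers never pass the result of a failed `harray_malloc`.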
@@ -0,0 +1,31 @@
+#ifndef __IP_SET_NETHASH_H
+#define __IP_SET_NETHASH_H
+
+#include
+#include
+
+#define SETTYPE_NAME "nethash"
+
+struct ip_set_nethash {
+ ip_set_ip_t *members; /* the nethash proper */
+ uint32_t elements; /* number of elements */
+ uint32_t hashsize; /* hash size */
+ uint16_t probes; /* max number of probes */
+ uint16_t resize; /* resize factor in percent */
+ uint8_t cidr[30]; /* CIDR sizes */
+ uint16_t nets[30]; /* nr of nets by CIDR sizes */
+ initval_t initval[0]; /* initvals for jhash_1word */
+};
+
+struct ip_set_req_nethash_create {
+ uint32_t hashsize;
+ uint16_t probes;
+ uint16_t resize;
+};
+
+struct ip_set_req_nethash {
+ ip_set_ip_t ip;
+ uint8_t cidr;
+};
+
+#endif /* __IP_SET_NETHASH_H */
diff --git a/kernel/include/linux/netfilter/ip_set_portmap.h b/kernel/include/linux/netfilter/ip_set_portmap.h
new file mode 100644
index 0000000..37f411e
--- /dev/null
+++ b/kernel/include/linux/netfilter/ip_set_portmap.h
@@ -0,0 +1,25 @@
+#ifndef __IP_SET_PORTMAP_H
+#define __IP_SET_PORTMAP_H
+
+#include
+#include
+
+#define SETTYPE_NAME "portmap"
+
+struct ip_set_portmap {
+ void *members; /* the portmap proper */
+ ip_set_ip_t first_ip; /* host byte order, included in range */
+ ip_set_ip_t last_ip; /* host byte order, included in range */
+ u_int32_t size; /* size of the ipmap proper */
+};
+
+struct ip_set_req_portmap_create {
+ ip_set_ip_t from;
+ ip_set_ip_t to;
+};
+
+struct ip_set_req_portmap {
+ ip_set_ip_t ip;
+};
+
+#endif /* __IP_SET_PORTMAP_H */
diff --git a/kernel/include/linux/netfilter/ip_set_setlist.h b/kernel/include/linux/netfilter/ip_set_setlist.h
new file mode 100644
index 0000000..7cc6ed0
--- /dev/null
+++ b/kernel/include/linux/netfilter/ip_set_setlist.h
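Review bot: The member comments of `struct ip_set_portmap` were carried over from ipmap and no longer describe this set type: `size` is documented as "size of the ipmap proper", and `first_ip`/`last_ip` as an address range, although the type is named portmap and its only request member is a single `ip`, so the bounds presumably delimit a port range stored in the address type. Replace them with what the fields actually hold, e.g. `u_int32_t size; /* size of the portmap proper */` and `ip_set_ip_t first_ip; /* first port of the range, inclusive; byte order as for the other set types */`, with the byte-order part confirmed against the implementation before it is written down. `struct ip_set_macipmap` in an earlier hunk of this commit carries the same copied "size of the ipmap proper" text.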
@@ -0,0 +1,26 @@ +#ifndef __IP_SET_SETLIST_H +#define __IP_SET_SETLIST_H + +#include + +#define SETTYPE_NAME "setlist" + +#define IP_SET_SETLIST_ADD_AFTER 0 +#define IP_SET_SETLIST_ADD_BEFORE 1 + +struct ip_set_setlist { + uint8_t size; + ip_set_id_t index[0]; +}; + +struct ip_set_req_setlist_create { + uint8_t size; +}; + +struct ip_set_req_setlist { + char name[IP_SET_MAXNAMELEN]; + char ref[IP_SET_MAXNAMELEN]; + uint8_t before; +}; + +#endif /* __IP_SET_SETLIST_H */ diff --git a/kernel/include/linux/netfilter/ipt_set.h b/kernel/include/linux/netfilter/ipt_set.h new file mode 100644 index 0000000..2a18b93 --- /dev/null +++ b/kernel/include/linux/netfilter/ipt_set.h @@ -0,0 +1,21 @@ +#ifndef _IPT_SET_H +#define _IPT_SET_H + +#include + +struct ipt_set_info { + ip_set_id_t index; + u_int32_t flags[IP_SET_MAX_BINDINGS + 1]; +}; + +/* match info */ +struct ipt_set_info_match { + struct ipt_set_info match_set; +}; + +struct ipt_set_info_target { + struct ipt_set_info add_set; + struct ipt_set_info del_set; +}; + +#endif /*_IPT_SET_H*/ -- cgit v1.2.3
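Review bot: `struct ip_set_req_setlist` carries two fixed-size name buffers from userspace, `name[IP_SET_MAXNAMELEN]` and `ref[IP_SET_MAXNAMELEN]`, and nothing in the header states whether they are guaranteed NUL-terminated on arrival; the kernel code that resolves them should force termination, `req->name[IP_SET_MAXNAMELEN - 1] = '\0';` and the same for `ref`, before any string comparison or copy, unless the generic ip_set request path already does so — that code is not in this hunk. `uint8_t size` in `struct ip_set_setlist` also silently caps a setlist at 255 entries, and `uint8_t before` is only explained by the `IP_SET_SETLIST_ADD_AFTER`/`IP_SET_SETLIST_ADD_BEFORE` defines above it; `uint8_t before; /* IP_SET_SETLIST_ADD_BEFORE or IP_SET_SETLIST_ADD_AFTER */` and `uint8_t size; /* number of index slots, at most 255 */` would tie the three together.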