From a96e4fca10506462df4ee4035f0f86f09bd9dc34 Mon Sep 17 00:00:00 2001
From: "/C=EU/ST=EU/CN=Jozsef Kadlecsik/emailAddress=kadlec@blackhole.kfki.hu"
 </C=EU/ST=EU/CN=Jozsef Kadlecsik/emailAddress=kadlec@blackhole.kfki.hu>
Date: Mon, 20 Oct 2008 10:00:26 +0000
Subject: ipset 2.4 release

userspace changes:
  - Added KBUILD_OUTPUT support (Sven Wegener)
  - Fix memory leak in ipset_iptreemap (Sven Wegener)
  - Fix multiple compiler warnings (Sven Wegener)
  - ipportiphash, ipportnethash and setlist types added
  - binding marked as deprecated functionality
  - element separator token changed to ',' in anticipating
    IPv6 addresses, old separator tokens are still supported
  - unnecessary includes removed
  - ipset does not try to resolve IP addresses when listing
    the content of sets (default changed)
  - manpage updated
  - ChangeLog forked for kernel part

kernel part changes:
  - ipportiphash, ipportnethash and setlist types added
  - set type modules reworked to avoid code duplication
    as much as possible, code unification macros
  - expand_macros Makefile target added to help debugging
    code unification macros
  - ip_set_addip_kernel and ip_set_delip_kernel
    changed from void to int, __ip_set_get_byname and
    __ip_set_put_byid added for the sake of setlist type
  - unnecessary includes removed
  - compatibility fix for kernels >= 2.6.27:
    semaphore.h was moved from asm/ to linux/ (James King)
  - ChangeLog forked for kernel part
---
 kernel/ip_set_ipportiphash.c | 212 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 212 insertions(+)
 create mode 100644 kernel/ip_set_ipportiphash.c

(limited to 'kernel/ip_set_ipportiphash.c')

diff --git a/kernel/ip_set_ipportiphash.c b/kernel/ip_set_ipportiphash.c
new file mode 100644
index 0000000..1755c57
--- /dev/null
+++ b/kernel/ip_set_ipportiphash.c
@@ -0,0 +1,212 @@
+/* Copyright (C) 2008 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+/* Kernel module implementing an ip+port+ip hash set */
+
+#include <linux/module.h>
+#include <linux/moduleparam.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <linux/skbuff.h>
+#include <linux/jhash.h>
+#include <linux/errno.h>
+#include <asm/uaccess.h>
+#include <asm/bitops.h>
+#include <linux/spinlock.h>
+#include <linux/random.h>
+
+#include <net/ip.h>
+
+#include <linux/netfilter_ipv4/ip_set.h>
+#include <linux/netfilter_ipv4/ip_set_hashes.h>
+#include <linux/netfilter_ipv4/ip_set_ipportiphash.h>
+#include <linux/netfilter_ipv4/ip_set_getport.h>
+
+static int limit = MAX_RANGE;
+
+#define jhash_ip2(map, i, ipport, ip1)		\
+	jhash_2words(ipport, ip1, *(map->initval + i))
+
+static inline __u32
+ipportiphash_id(struct ip_set *set, ip_set_ip_t *hash_ip,
+		ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
+{
+	struct ip_set_ipportiphash *map = set->data;
+	__u32 id;
+	u_int16_t i;
+	struct ipportip *elem;
+
+	*hash_ip = pack_ip_port(map, ip, port);
+	DP("set: %s, ipport:%u.%u.%u.%u:%u, %u.%u.%u.%u",
+	   set->name, HIPQUAD(ip), port, HIPQUAD(*hash_ip));
+	
+	for (i = 0; i < map->probes; i++) {
+		id = jhash_ip2(map, i, *hash_ip, ip1) % map->hashsize;
+		DP("hash key: %u", id);
+		elem = HARRAY_ELEM(map->members, struct ipportip *, id);
+		if (elem->ip == *hash_ip && elem->ip1 == ip1)
+			return id;
+		/* No shortcut at testing - there can be deleted
+		 * entries. */
+	}
+	return UINT_MAX;
+}
+
+static inline int
+ipportiphash_test(struct ip_set *set, ip_set_ip_t *hash_ip,
+		  ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
+{
+	struct ip_set_ipportiphash *map = set->data;
+	
+	if (ip < map->first_ip || ip > map->last_ip)
+		return -ERANGE;
+
+	return (ipportiphash_id(set, hash_ip, ip, port, ip1) != UINT_MAX);
+}
+
+#define KADT_CONDITION						\
+	ip_set_ip_t port, ip1;					\
+								\
+	if (flags[index+2] == 0)				\
+		return 0;					\
+								\
+	port = get_port(skb, flags[index+1]);			\
+	ip1 = ipaddr(skb, flags[index+2]);			\
+								\
+	if (port == INVALID_PORT)				\
+		return 0;
+
+UADT(ipportiphash, test, req->port, req->ip1)
+KADT(ipportiphash, test, ipaddr, port, ip1)
+
+static inline int
+__ipportip_add(struct ip_set_ipportiphash *map,
+	       ip_set_ip_t hash_ip, ip_set_ip_t ip1)
+{
+	__u32 probe;
+	u_int16_t i;
+	struct ipportip *elem;
+
+	for (i = 0; i < map->probes; i++) {
+		probe = jhash_ip2(map, i, hash_ip, ip1) % map->hashsize;
+		elem = HARRAY_ELEM(map->members, struct ipportip *, probe);
+		if (elem->ip == hash_ip && elem->ip1 == ip1)
+			return -EEXIST;
+		if (!(elem->ip || elem->ip1)) {
+			elem->ip = hash_ip;
+			elem->ip1 = ip1;
+			map->elements++;
+			return 0;
+		}
+	}
+	/* Trigger rehashing */
+	return -EAGAIN;
+}
+
+static inline int
+__ipportiphash_add(struct ip_set_ipportiphash *map,
+		   struct ipportip *elem)
+{
+	return __ipportip_add(map, elem->ip, elem->ip1);
+}
+
+static inline int
+ipportiphash_add(struct ip_set *set, ip_set_ip_t *hash_ip,
+		 ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
+{
+	struct ip_set_ipportiphash *map = set->data;
+	
+	if (map->elements > limit)
+		return -ERANGE;
+	if (ip < map->first_ip || ip > map->last_ip)
+		return -ERANGE;
+
+	*hash_ip = pack_ip_port(map, ip, port);
+	
+	return __ipportip_add(map, *hash_ip, ip1);
+}
+
+UADT(ipportiphash, add, req->port, req->ip1)
+KADT(ipportiphash, add, ipaddr, port, ip1)
+
+static inline void
+__ipportiphash_retry(struct ip_set_ipportiphash *tmp,
+		     struct ip_set_ipportiphash *map)
+{
+	tmp->first_ip = map->first_ip;
+	tmp->last_ip = map->last_ip;
+}
+
+HASH_RETRY2(ipportiphash, struct ipportip)
+
+static inline int
+ipportiphash_del(struct ip_set *set, ip_set_ip_t *hash_ip,
+	       ip_set_ip_t ip, ip_set_ip_t port, ip_set_ip_t ip1)
+{
+	struct ip_set_ipportiphash *map = set->data;
+	ip_set_ip_t id;
+	struct ipportip *elem;
+
+	if (ip < map->first_ip || ip > map->last_ip)
+		return -ERANGE;
+
+	id = ipportiphash_id(set, hash_ip, ip, port, ip1);
+
+	if (id == UINT_MAX)
+		return -EEXIST;
+		
+	elem = HARRAY_ELEM(map->members, struct ipportip *, id);
+	elem->ip = elem->ip1 = 0;
+	map->elements--;
+
+	return 0;
+}
+
+UADT(ipportiphash, del, req->port, req->ip1)
+KADT(ipportiphash, del, ipaddr, port, ip1)
+
+static inline int
+__ipportiphash_create(const struct ip_set_req_ipportiphash_create *req,
+		      struct ip_set_ipportiphash *map)
+{
+	if (req->to - req->from > MAX_RANGE) {
+		ip_set_printk("range too big, %d elements (max %d)",
+			      req->to - req->from + 1, MAX_RANGE+1);
+		return -ENOEXEC;
+	}
+	map->first_ip = req->from;
+	map->last_ip = req->to;
+	return 0;
+}
+
+HASH_CREATE(ipportiphash, struct ipportip)
+HASH_DESTROY(ipportiphash)
+HASH_FLUSH(ipportiphash, struct ipportip)
+
+static inline void
+__ipportiphash_list_header(const struct ip_set_ipportiphash *map,
+			   struct ip_set_req_ipportiphash_create *header)
+{
+	header->from = map->first_ip;
+	header->to = map->last_ip;
+}
+
+HASH_LIST_HEADER(ipportiphash)
+HASH_LIST_MEMBERS_SIZE(ipportiphash, struct ipportip)
+HASH_LIST_MEMBERS_MEMCPY(ipportiphash, struct ipportip)
+
+IP_SET_RTYPE(ipportiphash, IPSET_TYPE_IP | IPSET_TYPE_PORT
+			   | IPSET_TYPE_IP1 | IPSET_DATA_TRIPLE)
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("ipportiphash type of IP sets");
+module_param(limit, int, 0600);
+MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
+
+REGISTER_MODULE(ipportiphash)
-- 
cgit v1.2.3