// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org> */

/* Kernel module implementing an IP set type: the bitmap:port type */

#include <linux/module.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
#include <linux/errno.h>
#include <linux/netlink.h>
#include <linux/jiffies.h>
#include <linux/timer.h>
#include <net/netlink.h>

#include <linux/netfilter/ipset/ip_set.h>
#include <linux/netfilter/ipset/ip_set_bitmap.h>
#include <linux/netfilter/ipset/ip_set_getport.h>

/* Type revision history.  Userspace negotiates a revision in this range;
 * each bump marks a new optional element extension (see adt_policy below).
 */
#define IPSET_TYPE_REV_MIN	0
/*				1	   Counter support added */
/*				2	   Comment support added */
#define IPSET_TYPE_REV_MAX	3	/* skbinfo support added */

/* Module metadata; the alias lets request_module("ip_set_bitmap:port")
 * autoload this type when a set of that name is created. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@netfilter.org>");
IP_SET_MODULE_DESC("bitmap:port", IPSET_TYPE_REV_MIN, IPSET_TYPE_REV_MAX);
MODULE_ALIAS("ip_set_bitmap:port");

#define MTYPE		bitmap_port

/* Type structure */
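/* One bitmap:port set.
 *
 * The set covers the inclusive host-order range [first_port, last_port];
 * port p is stored as bit (p - first_port) of @members, so every index
 * must be range-checked against first_port/last_port before it is used.
 * Per-element extension data (counters, comment, skbinfo, ...) lives in
 * the trailing @extensions area; bitmap_port_create() allocates it as
 * elements * set->dsize bytes directly after the struct.  It is declared
 * as a C99 flexible array member rather than a zero-length array, which
 * is the same layout but lets the compiler reason about its bounds.
 */
struct bitmap_port {
	unsigned long *members;	/* the set members */
	u16 first_port;		/* host byte order, included in range */
	u16 last_port;		/* host byte order, included in range */
	u32 elements;		/* number of max elements in the set */
	size_t memsize;		/* members size */
	struct timer_list gc;	/* garbage collection */
	struct ip_set *set;	/* attached to this ip_set */
	unsigned char extensions[]	/* data extensions */
		__aligned(__alignof__(u64));
};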

/* ADT structure for generic function args */
struct bitmap_port_adt_elem {
	u16 id;	/* bit index into bitmap_port.members: port - first_port */
};

/* Translate a host-order port into its bit index in m->members.
 *
 * There is deliberately no range check here: the callers
 * (bitmap_port_kadt/uadt) must already have verified
 * first_port <= port <= last_port, otherwise the returned id would
 * index past the bitmap.
 */
static u16
port_to_id(const struct bitmap_port *m, u16 port)
{
	u16 id = port - m->first_port;

	return id;
}

/* Common functions */

/* Test callback used by the generic bitmap code (ip_set_bitmap_gen.h).
 * Returns 1 if @e->id is set in the bitmap, 0 otherwise.  @dsize is
 * unused by this type.  @e->id must already be range-checked by the caller.
 */
static int
bitmap_port_do_test(const struct bitmap_port_adt_elem *e,
		    const struct bitmap_port *map, size_t dsize)
{
	if (test_bit(e->id, map->members))
		return 1;

	return 0;
}

/* Garbage-collector variant of the test callback: same bitmap lookup as
 * bitmap_port_do_test(), but takes the raw bit index.  Returns 1 if set,
 * 0 otherwise.  @dsize is unused by this type.
 */
static int
bitmap_port_gc_test(u16 id, const struct bitmap_port *map, size_t dsize)
{
	int present = test_bit(id, map->members) ? 1 : 0;

	return present;
}

/* Add callback used by the generic bitmap code.
 *
 * Note that this only reports whether the element is already present
 * (1) or not (0); it does not set the bit itself -- presumably the
 * generic add path in ip_set_bitmap_gen.h does that after consulting
 * this result (not visible in this file).  @flags and @dsize are unused
 * by this type.
 */
static int
bitmap_port_do_add(const struct bitmap_port_adt_elem *e,
		   struct bitmap_port *map, u32 flags, size_t dsize)
{
	int exists = 0;

	if (test_bit(e->id, map->members))
		exists = 1;

	return exists;
}

/* Delete callback used by the generic bitmap code.
 *
 * Atomically clears the element's bit.  Returns 0 when the element was
 * present and has now been removed, 1 when it was not in the set.
 */
static int
bitmap_port_do_del(const struct bitmap_port_adt_elem *e,
		   struct bitmap_port *map)
{
	int was_set = test_and_clear_bit(e->id, map->members);

	return was_set ? 0 : 1;
}

/* List callback: emit the port that bit @id stands for as a
 * network-order IPSET_ATTR_PORT attribute.  Returns the nla_put_net16()
 * result (non-zero on a full skb).  @dsize is unused by this type.
 */
static int
bitmap_port_do_list(struct sk_buff *skb, const struct bitmap_port *map, u32 id,
		    size_t dsize)
{
	u16 port = map->first_port + id;

	return nla_put_net16(skb, IPSET_ATTR_PORT, htons(port));
}

/* Header callback: emit the set's port range as two network-order
 * attributes.  Returns 1 (truthy) if either put fails, 0 on success;
 * callers only test for failure, not for a specific errno.
 */
static int
bitmap_port_do_head(struct sk_buff *skb, const struct bitmap_port *map)
{
	int err;

	err = nla_put_net16(skb, IPSET_ATTR_PORT, htons(map->first_port));
	if (err)
		return 1;

	err = nla_put_net16(skb, IPSET_ATTR_PORT_TO, htons(map->last_port));
	return err != 0;
}

/* Extract the source (@src true) or destination transport port of @skb
 * into @port (network byte order).
 *
 * Returns true only for IPv4/IPv6 packets whose transport protocol is
 * TCP or UDP.  Every other case -- unknown family, no port found by the
 * helper, or another protocol (SCTP, UDP-Lite, ICMP, ...) -- yields
 * false, so such packets never match a bitmap:port set.  @port may have
 * been written even when false is returned; callers must not rely on it.
 */
static bool
ip_set_get_ip_port(const struct sk_buff *skb, u8 pf, bool src, __be16 *port)
{
	u8 proto;
	bool found;

	if (pf == NFPROTO_IPV4)
		found = ip_set_get_ip4_port(skb, src, port, &proto);
	else if (pf == NFPROTO_IPV6)
		found = ip_set_get_ip6_port(skb, src, port, &proto);
	else
		return false;

	if (!found)
		return false;

	return proto == IPPROTO_TCP || proto == IPPROTO_UDP;
}

/* Kernel-side (packet path) add/del/test entry point.
 *
 * Pulls the TCP/UDP port selected by opt->flags (IPSET_DIM_ONE_SRC picks
 * the source port) out of @skb and runs the requested operation on it.
 * Returns -EINVAL when no usable port can be extracted,
 * -IPSET_ERR_BITMAP_RANGE when the port is outside the set's range, and
 * otherwise whatever the type's adt callback returns.
 */
static int
bitmap_port_kadt(struct ip_set *set, const struct sk_buff *skb,
		 const struct xt_action_param *par,
		 enum ipset_adt adt, struct ip_set_adt_opt *opt)
{
	struct bitmap_port *map = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct bitmap_port_adt_elem e = { .id = 0 };
	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
	bool want_src = opt->flags & IPSET_DIM_ONE_SRC;
	__be16 nport;
	u16 hport = 0;

	if (!ip_set_get_ip_port(skb, opt->family, want_src, &nport))
		return -EINVAL;

	hport = ntohs(nport);

	/* Bounds check before port_to_id(): the packet's port is untrusted
	 * input and the bitmap only has last_port - first_port + 1 bits. */
	if (hport < map->first_port)
		return -IPSET_ERR_BITMAP_RANGE;
	if (hport > map->last_port)
		return -IPSET_ERR_BITMAP_RANGE;

	e.id = port_to_id(map, hport);

	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
}

/* Userspace (netlink) add/del/test entry point.
 *
 * Handles a single port (IPSET_ATTR_PORT) or an inclusive range
 * (IPSET_ATTR_PORT .. IPSET_ATTR_PORT_TO, in either order).  Every port
 * touched is checked against [first_port, last_port] before it is turned
 * into a bit index.  Returns -IPSET_ERR_PROTOCOL for attributes not
 * flagged as network byte order, -IPSET_ERR_BITMAP_RANGE for ports
 * outside the set, an ip_set_get_extensions() error, or the first
 * non-"already exists" error from the adt callback; 0 on success.
 * @retried is unused by this type.
 */
static int
bitmap_port_uadt(struct ip_set *set, struct nlattr *tb[],
		 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
	struct bitmap_port *map = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	struct bitmap_port_adt_elem e = { .id = 0 };
	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
	u32 cur;	/* u32 on purpose: the loop must not wrap at 65535 */
	u16 last;
	int ret;

	if (tb[IPSET_ATTR_LINENO])
		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

	/* PORT is mandatory, PORT_TO optional; both must carry the
	 * network-byte-order flag from userspace. */
	if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_PORT)))
		return -IPSET_ERR_PROTOCOL;
	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO)))
		return -IPSET_ERR_PROTOCOL;

	cur = ip_set_get_h16(tb[IPSET_ATTR_PORT]);
	if (cur < map->first_port || cur > map->last_port)
		return -IPSET_ERR_BITMAP_RANGE;

	ret = ip_set_get_extensions(set, tb, &ext);
	if (ret)
		return ret;

	if (adt == IPSET_TEST) {
		e.id = port_to_id(map, cur);
		return adtfn(set, &e, &ext, &ext, flags);
	}

	last = cur;
	if (tb[IPSET_ATTR_PORT_TO]) {
		last = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
		if (cur > last) {
			swap(cur, last);
			/* The new lower bound came from PORT_TO and has
			 * not been range-checked yet. */
			if (cur < map->first_port)
				return -IPSET_ERR_BITMAP_RANGE;
		}
	}
	/* Covers both the explicit PORT_TO and the swapped-in PORT. */
	if (last > map->last_port)
		return -IPSET_ERR_BITMAP_RANGE;

	ret = 0;
	while (cur <= last) {
		e.id = port_to_id(map, cur);
		ret = adtfn(set, &e, &ext, &ext, flags);

		/* "already exists" is only an error unless -exist was given */
		if (ret && !ip_set_eexist(ret, flags))
			return ret;

		ret = 0;
		cur++;
	}
	return ret;
}

/* Two bitmap:port sets are "the same" (e.g. for swap) when they cover
 * the same port range and carry the same timeout and extension set.
 */
static bool
bitmap_port_same_set(const struct ip_set *a, const struct ip_set *b)
{
	const struct bitmap_port *x = a->data;
	const struct bitmap_port *y = b->data;

	if (x->first_port != y->first_port)
		return false;
	if (x->last_port != y->last_port)
		return false;
	if (a->timeout != b->timeout)
		return false;

	return a->extensions == b->extensions;
}

/* Plain variant */

struct bitmap_port_elem {
	/* Intentionally empty: a plain bitmap:port member is just its bit;
	 * any extension data lives in bitmap_port.extensions.  An empty
	 * struct is a GNU C extension, which the kernel relies on. */
};

#include "ip_set_bitmap_gen.h"

/* Create bitmap:port type of sets */

/* Second-stage initialisation of a freshly allocated bitmap:port map.
 *
 * Allocates the member bitmap (map->elements bits; the caller must have
 * set map->elements already), records the port range and links @map and
 * @set to each other.  The set starts without a timeout; the caller
 * overrides that if IPSET_ATTR_TIMEOUT was given.  Returns false -- with
 * set->data left untouched -- if the bitmap cannot be allocated.
 */
static bool
init_map_port(struct ip_set *set, struct bitmap_port *map,
	      u16 first_port, u16 last_port)
{
	map->members = bitmap_zalloc(map->elements, GFP_KERNEL | __GFP_NOWARN);
	if (!map->members)
		return false;

	map->first_port = first_port;
	map->last_port = last_port;
	map->set = set;

	set->timeout = IPSET_NO_TIMEOUT;
	set->data = map;
	set->family = NFPROTO_UNSPEC;

	return true;
}

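/* Create a bitmap:port set from the netlink attributes in @tb.
 *
 * IPSET_ATTR_PORT and IPSET_ATTR_PORT_TO are both mandatory here and are
 * normalised so that first_port <= last_port.  Because both are u16 the
 * element count is at most 65536, so the size passed to ip_set_alloc()
 * cannot overflow for the small per-element extension sizes in use.
 * Returns -IPSET_ERR_PROTOCOL for missing / wrongly-ordered attributes,
 * -ENOMEM on allocation failure, 0 on success.
 */
static int
bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
		   u32 flags)
{
	struct bitmap_port *map;
	u16 first_port, last_port;
	u32 elements;

	if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
		     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT_TO) ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
		     !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
		return -IPSET_ERR_PROTOCOL;

	first_port = ip_set_get_h16(tb[IPSET_ATTR_PORT]);
	last_port = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
	if (first_port > last_port)
		swap(first_port, last_port);

	elements = last_port - first_port + 1;
	/* dsize must be known before sizing the trailing extension area */
	set->dsize = ip_set_elem_len(set, tb, 0, 0);
	map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
	if (!map)
		return -ENOMEM;

	map->elements = elements;
	map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
	set->variant = &bitmap_port;
	if (!init_map_port(set, map, first_port, last_port)) {
		/* init_map_port() only publishes set->data on success, so
		 * nothing else references @map yet.  Release it with the
		 * counterpart of ip_set_alloc(): ip_set_alloc() does not
		 * guarantee kmalloc-backed memory, so a plain kfree() is
		 * not a safe match for it (NOTE(review): see ip_set.h). */
		ip_set_free(map);
		return -ENOMEM;
	}
	if (tb[IPSET_ATTR_TIMEOUT]) {
		set->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
		bitmap_port_gc_init(set, bitmap_port_gc);
	}
	return 0;
}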

/* Registration record for the bitmap:port set type.
 *
 * The two netlink policies are the first line of defence against
 * malformed userspace input: create_policy bounds what
 * bitmap_port_create() accepts, adt_policy what bitmap_port_uadt()
 * accepts.  IPSET_ATTR_COMMENT is capped at IPSET_MAX_COMMENT_SIZE and
 * must be NUL-terminated (NLA_NUL_STRING).  Byte-order flags are not
 * expressible here and are checked by ip_set_attr_netorder() in the
 * handlers instead.
 */
static struct ip_set_type bitmap_port_type = {
	.name		= "bitmap:port",
	.protocol	= IPSET_PROTOCOL,
	.features	= IPSET_TYPE_PORT,
	.dimension	= IPSET_DIM_ONE,
	.family		= NFPROTO_UNSPEC,	/* IPv4 and IPv6, see ip_set_get_ip_port() */
	.revision_min	= IPSET_TYPE_REV_MIN,
	.revision_max	= IPSET_TYPE_REV_MAX,
	.create		= bitmap_port_create,
	.create_policy	= {
		[IPSET_ATTR_PORT]	= { .type = NLA_U16 },
		[IPSET_ATTR_PORT_TO]	= { .type = NLA_U16 },
		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
		[IPSET_ATTR_CADT_FLAGS]	= { .type = NLA_U32 },
	},
	.adt_policy	= {
		[IPSET_ATTR_PORT]	= { .type = NLA_U16 },
		[IPSET_ATTR_PORT_TO]	= { .type = NLA_U16 },
		[IPSET_ATTR_TIMEOUT]	= { .type = NLA_U32 },
		[IPSET_ATTR_LINENO]	= { .type = NLA_U32 },
		[IPSET_ATTR_BYTES]	= { .type = NLA_U64 },
		[IPSET_ATTR_PACKETS]	= { .type = NLA_U64 },
		[IPSET_ATTR_COMMENT]	= { .type = NLA_NUL_STRING,
					    .len  = IPSET_MAX_COMMENT_SIZE },
		[IPSET_ATTR_SKBMARK]	= { .type = NLA_U64 },
		[IPSET_ATTR_SKBPRIO]	= { .type = NLA_U32 },
		[IPSET_ATTR_SKBQUEUE]	= { .type = NLA_U16 },
	},
	.me		= THIS_MODULE,
};

/* Module init: register the type with the ipset core.  Returns the
 * core's error code, which fails module load if non-zero. */
static int __init
bitmap_port_init(void)
{
	return ip_set_type_register(&bitmap_port_type);
}

/* Module exit: wait for any pending RCU callbacks that may still run
 * this module's code before the type is unregistered and the text is
 * unloaded, then deregister the type. */
static void __exit
bitmap_port_fini(void)
{
	rcu_barrier();
	ip_set_type_unregister(&bitmap_port_type);
}

/* Module entry points; registration and teardown are in the two
 * functions above. */
module_init(bitmap_port_init);
module_exit(bitmap_port_fini);