5e790172deffb36638c8cbf5a0bdfe54067f820d
[linux-2.6.git] / net / netfilter / ipset / ip_set_bitmap_ipmac.c
1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2  *                         Patrick Schaaf <bof@bof.de>
3  *                         Martin Josefsson <gandalf@wlug.westbo.se>
4  * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License version 2 as
8  * published by the Free Software Foundation.
9  */
10
11 /* Kernel module implementing an IP set type: the bitmap:ip,mac type */
12
13 #include <linux/module.h>
14 #include <linux/ip.h>
15 #include <linux/etherdevice.h>
16 #include <linux/skbuff.h>
17 #include <linux/errno.h>
18 #include <linux/if_ether.h>
19 #include <linux/netlink.h>
20 #include <linux/jiffies.h>
21 #include <linux/timer.h>
22 #include <net/netlink.h>
23
24 #include <linux/netfilter/ipset/pfxlen.h>
25 #include <linux/netfilter/ipset/ip_set.h>
26 #include <linux/netfilter/ipset/ip_set_timeout.h>
27 #include <linux/netfilter/ipset/ip_set_bitmap.h>
28
29 MODULE_LICENSE("GPL");
30 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
31 MODULE_DESCRIPTION("bitmap:ip,mac type of IP sets");
32 MODULE_ALIAS("ip_set_bitmap:ip,mac");
33
34 enum {
35         MAC_EMPTY,              /* element is not set */
36         MAC_FILLED,             /* element is set with MAC */
37         MAC_UNSET,              /* element is set, without MAC */
38 };
39
40 /* Type structure */
41 struct bitmap_ipmac {
42         void *members;          /* the set members */
43         u32 first_ip;           /* host byte order, included in range */
44         u32 last_ip;            /* host byte order, included in range */
45         u32 timeout;            /* timeout value */
46         struct timer_list gc;   /* garbage collector */
47         size_t dsize;           /* size of element */
48 };
49
50 /* ADT structure for generic function args */
51 struct ipmac {
52         u32 id;                 /* id in array */
53         unsigned char *ether;   /* ethernet address */
54 };
55
56 /* Member element without and with timeout */
57
58 struct ipmac_elem {
59         unsigned char ether[ETH_ALEN];
60         unsigned char match;
61 } __attribute__ ((aligned));
62
63 struct ipmac_telem {
64         unsigned char ether[ETH_ALEN];
65         unsigned char match;
66         unsigned long timeout;
67 } __attribute__ ((aligned));
68
69 static inline void *
70 bitmap_ipmac_elem(const struct bitmap_ipmac *map, u32 id)
71 {
72         return (void *)((char *)map->members + id * map->dsize);
73 }
74
75 static inline bool
76 bitmap_timeout(const struct bitmap_ipmac *map, u32 id)
77 {
78         const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id);
79
80         return ip_set_timeout_test(elem->timeout);
81 }
82
83 static inline bool
84 bitmap_expired(const struct bitmap_ipmac *map, u32 id)
85 {
86         const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id);
87
88         return ip_set_timeout_expired(elem->timeout);
89 }
90
91 static inline int
92 bitmap_ipmac_exist(const struct ipmac_telem *elem)
93 {
94         return elem->match == MAC_UNSET ||
95                (elem->match == MAC_FILLED &&
96                 !ip_set_timeout_expired(elem->timeout));
97 }
98
99 /* Base variant */
100
101 static int
102 bitmap_ipmac_test(struct ip_set *set, void *value, u32 timeout)
103 {
104         const struct bitmap_ipmac *map = set->data;
105         const struct ipmac *data = value;
106         const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
107
108         switch (elem->match) {
109         case MAC_UNSET:
110                 /* Trigger kernel to fill out the ethernet address */
111                 return -EAGAIN;
112         case MAC_FILLED:
113                 return data->ether == NULL ||
114                        compare_ether_addr(data->ether, elem->ether) == 0;
115         }
116         return 0;
117 }
118
119 static int
120 bitmap_ipmac_add(struct ip_set *set, void *value, u32 timeout)
121 {
122         struct bitmap_ipmac *map = set->data;
123         const struct ipmac *data = value;
124         struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
125
126         switch (elem->match) {
127         case MAC_UNSET:
128                 if (!data->ether)
129                         /* Already added without ethernet address */
130                         return -IPSET_ERR_EXIST;
131                 /* Fill the MAC address */
132                 memcpy(elem->ether, data->ether, ETH_ALEN);
133                 elem->match = MAC_FILLED;
134                 break;
135         case MAC_FILLED:
136                 return -IPSET_ERR_EXIST;
137         case MAC_EMPTY:
138                 if (data->ether) {
139                         memcpy(elem->ether, data->ether, ETH_ALEN);
140                         elem->match = MAC_FILLED;
141                 } else
142                         elem->match = MAC_UNSET;
143         }
144
145         return 0;
146 }
147
148 static int
149 bitmap_ipmac_del(struct ip_set *set, void *value, u32 timeout)
150 {
151         struct bitmap_ipmac *map = set->data;
152         const struct ipmac *data = value;
153         struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
154
155         if (elem->match == MAC_EMPTY)
156                 return -IPSET_ERR_EXIST;
157
158         elem->match = MAC_EMPTY;
159
160         return 0;
161 }
162
163 static int
164 bitmap_ipmac_list(const struct ip_set *set,
165                   struct sk_buff *skb, struct netlink_callback *cb)
166 {
167         const struct bitmap_ipmac *map = set->data;
168         const struct ipmac_elem *elem;
169         struct nlattr *atd, *nested;
170         u32 id, first = cb->args[2];
171         u32 last = map->last_ip - map->first_ip;
172
173         atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
174         if (!atd)
175                 return -EMSGSIZE;
176         for (; cb->args[2] <= last; cb->args[2]++) {
177                 id = cb->args[2];
178                 elem = bitmap_ipmac_elem(map, id);
179                 if (elem->match == MAC_EMPTY)
180                         continue;
181                 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
182                 if (!nested) {
183                         if (id == first) {
184                                 nla_nest_cancel(skb, atd);
185                                 return -EMSGSIZE;
186                         } else
187                                 goto nla_put_failure;
188                 }
189                 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
190                                 htonl(map->first_ip + id));
191                 if (elem->match == MAC_FILLED)
192                         NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
193                                 elem->ether);
194                 ipset_nest_end(skb, nested);
195         }
196         ipset_nest_end(skb, atd);
197         /* Set listing finished */
198         cb->args[2] = 0;
199
200         return 0;
201
202 nla_put_failure:
203         nla_nest_cancel(skb, nested);
204         ipset_nest_end(skb, atd);
205         if (unlikely(id == first)) {
206                 cb->args[2] = 0;
207                 return -EMSGSIZE;
208         }
209         return 0;
210 }
211
212 /* Timeout variant */
213
214 static int
215 bitmap_ipmac_ttest(struct ip_set *set, void *value, u32 timeout)
216 {
217         const struct bitmap_ipmac *map = set->data;
218         const struct ipmac *data = value;
219         const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
220
221         switch (elem->match) {
222         case MAC_UNSET:
223                 /* Trigger kernel to fill out the ethernet address */
224                 return -EAGAIN;
225         case MAC_FILLED:
226                 return (data->ether == NULL ||
227                         compare_ether_addr(data->ether, elem->ether) == 0) &&
228                        !bitmap_expired(map, data->id);
229         }
230         return 0;
231 }
232
233 static int
234 bitmap_ipmac_tadd(struct ip_set *set, void *value, u32 timeout)
235 {
236         struct bitmap_ipmac *map = set->data;
237         const struct ipmac *data = value;
238         struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id);
239
240         switch (elem->match) {
241         case MAC_UNSET:
242                 if (!data->ether)
243                         /* Already added without ethernet address */
244                         return -IPSET_ERR_EXIST;
245                 /* Fill the MAC address and activate the timer */
246                 memcpy(elem->ether, data->ether, ETH_ALEN);
247                 elem->match = MAC_FILLED;
248                 if (timeout == map->timeout)
249                         /* Timeout was not specified, get stored one */
250                         timeout = elem->timeout;
251                 elem->timeout = ip_set_timeout_set(timeout);
252                 break;
253         case MAC_FILLED:
254                 if (!bitmap_expired(map, data->id))
255                         return -IPSET_ERR_EXIST;
256                 /* Fall through */
257         case MAC_EMPTY:
258                 if (data->ether) {
259                         memcpy(elem->ether, data->ether, ETH_ALEN);
260                         elem->match = MAC_FILLED;
261                 } else
262                         elem->match = MAC_UNSET;
263                 /* If MAC is unset yet, we store plain timeout value
264                  * because the timer is not activated yet
265                  * and we can reuse it later when MAC is filled out,
266                  * possibly by the kernel */
267                 elem->timeout = data->ether ? ip_set_timeout_set(timeout)
268                                             : timeout;
269                 break;
270         }
271
272         return 0;
273 }
274
275 static int
276 bitmap_ipmac_tdel(struct ip_set *set, void *value, u32 timeout)
277 {
278         struct bitmap_ipmac *map = set->data;
279         const struct ipmac *data = value;
280         struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id);
281
282         if (elem->match == MAC_EMPTY || bitmap_expired(map, data->id))
283                 return -IPSET_ERR_EXIST;
284
285         elem->match = MAC_EMPTY;
286
287         return 0;
288 }
289
290 static int
291 bitmap_ipmac_tlist(const struct ip_set *set,
292                    struct sk_buff *skb, struct netlink_callback *cb)
293 {
294         const struct bitmap_ipmac *map = set->data;
295         const struct ipmac_telem *elem;
296         struct nlattr *atd, *nested;
297         u32 id, first = cb->args[2];
298         u32 timeout, last = map->last_ip - map->first_ip;
299
300         atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
301         if (!atd)
302                 return -EMSGSIZE;
303         for (; cb->args[2] <= last; cb->args[2]++) {
304                 id = cb->args[2];
305                 elem = bitmap_ipmac_elem(map, id);
306                 if (!bitmap_ipmac_exist(elem))
307                         continue;
308                 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
309                 if (!nested) {
310                         if (id == first) {
311                                 nla_nest_cancel(skb, atd);
312                                 return -EMSGSIZE;
313                         } else
314                                 goto nla_put_failure;
315                 }
316                 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
317                                 htonl(map->first_ip + id));
318                 if (elem->match == MAC_FILLED)
319                         NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
320                                 elem->ether);
321                 timeout = elem->match == MAC_UNSET ? elem->timeout
322                                 : ip_set_timeout_get(elem->timeout);
323                 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(timeout));
324                 ipset_nest_end(skb, nested);
325         }
326         ipset_nest_end(skb, atd);
327         /* Set listing finished */
328         cb->args[2] = 0;
329
330         return 0;
331
332 nla_put_failure:
333         nla_nest_cancel(skb, nested);
334         ipset_nest_end(skb, atd);
335         return -EMSGSIZE;
336 }
337
338 static int
339 bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
340                   enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
341 {
342         struct bitmap_ipmac *map = set->data;
343         ipset_adtfn adtfn = set->variant->adt[adt];
344         struct ipmac data;
345
346         data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
347         if (data.id < map->first_ip || data.id > map->last_ip)
348                 return -IPSET_ERR_BITMAP_RANGE;
349
350         /* Backward compatibility: we don't check the second flag */
351         if (skb_mac_header(skb) < skb->head ||
352             (skb_mac_header(skb) + ETH_HLEN) > skb->data)
353                 return -EINVAL;
354
355         data.id -= map->first_ip;
356         data.ether = eth_hdr(skb)->h_source;
357
358         return adtfn(set, &data, map->timeout);
359 }
360
361 static int
362 bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
363                   enum ipset_adt adt, u32 *lineno, u32 flags)
364 {
365         const struct bitmap_ipmac *map = set->data;
366         ipset_adtfn adtfn = set->variant->adt[adt];
367         struct ipmac data;
368         u32 timeout = map->timeout;
369         int ret = 0;
370
371         if (unlikely(!tb[IPSET_ATTR_IP] ||
372                      !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
373                 return -IPSET_ERR_PROTOCOL;
374
375         if (tb[IPSET_ATTR_LINENO])
376                 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
377
378         ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &data.id);
379         if (ret)
380                 return ret;
381
382         if (data.id < map->first_ip || data.id > map->last_ip)
383                 return -IPSET_ERR_BITMAP_RANGE;
384
385         if (tb[IPSET_ATTR_ETHER])
386                 data.ether = nla_data(tb[IPSET_ATTR_ETHER]);
387         else
388                 data.ether = NULL;
389
390         if (tb[IPSET_ATTR_TIMEOUT]) {
391                 if (!with_timeout(map->timeout))
392                         return -IPSET_ERR_TIMEOUT;
393                 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
394         }
395
396         data.id -= map->first_ip;
397
398         ret = adtfn(set, &data, timeout);
399
400         return ip_set_eexist(ret, flags) ? 0 : ret;
401 }
402
403 static void
404 bitmap_ipmac_destroy(struct ip_set *set)
405 {
406         struct bitmap_ipmac *map = set->data;
407
408         if (with_timeout(map->timeout))
409                 del_timer_sync(&map->gc);
410
411         ip_set_free(map->members);
412         kfree(map);
413
414         set->data = NULL;
415 }
416
417 static void
418 bitmap_ipmac_flush(struct ip_set *set)
419 {
420         struct bitmap_ipmac *map = set->data;
421
422         memset(map->members, 0,
423                (map->last_ip - map->first_ip + 1) * map->dsize);
424 }
425
426 static int
427 bitmap_ipmac_head(struct ip_set *set, struct sk_buff *skb)
428 {
429         const struct bitmap_ipmac *map = set->data;
430         struct nlattr *nested;
431
432         nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
433         if (!nested)
434                 goto nla_put_failure;
435         NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip));
436         NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip));
437         NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES,
438                       htonl(atomic_read(&set->ref) - 1));
439         NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
440                       htonl(sizeof(*map)
441                             + (map->last_ip - map->first_ip + 1) * map->dsize));
442         if (with_timeout(map->timeout))
443                 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
444         ipset_nest_end(skb, nested);
445
446         return 0;
447 nla_put_failure:
448         return -EMSGSIZE;
449 }
450
451 static bool
452 bitmap_ipmac_same_set(const struct ip_set *a, const struct ip_set *b)
453 {
454         const struct bitmap_ipmac *x = a->data;
455         const struct bitmap_ipmac *y = b->data;
456
457         return x->first_ip == y->first_ip &&
458                x->last_ip == y->last_ip &&
459                x->timeout == y->timeout;
460 }
461
462 static const struct ip_set_type_variant bitmap_ipmac = {
463         .kadt   = bitmap_ipmac_kadt,
464         .uadt   = bitmap_ipmac_uadt,
465         .adt    = {
466                 [IPSET_ADD] = bitmap_ipmac_add,
467                 [IPSET_DEL] = bitmap_ipmac_del,
468                 [IPSET_TEST] = bitmap_ipmac_test,
469         },
470         .destroy = bitmap_ipmac_destroy,
471         .flush  = bitmap_ipmac_flush,
472         .head   = bitmap_ipmac_head,
473         .list   = bitmap_ipmac_list,
474         .same_set = bitmap_ipmac_same_set,
475 };
476
477 static const struct ip_set_type_variant bitmap_tipmac = {
478         .kadt   = bitmap_ipmac_kadt,
479         .uadt   = bitmap_ipmac_uadt,
480         .adt    = {
481                 [IPSET_ADD] = bitmap_ipmac_tadd,
482                 [IPSET_DEL] = bitmap_ipmac_tdel,
483                 [IPSET_TEST] = bitmap_ipmac_ttest,
484         },
485         .destroy = bitmap_ipmac_destroy,
486         .flush  = bitmap_ipmac_flush,
487         .head   = bitmap_ipmac_head,
488         .list   = bitmap_ipmac_tlist,
489         .same_set = bitmap_ipmac_same_set,
490 };
491
492 static void
493 bitmap_ipmac_gc(unsigned long ul_set)
494 {
495         struct ip_set *set = (struct ip_set *) ul_set;
496         struct bitmap_ipmac *map = set->data;
497         struct ipmac_telem *elem;
498         u32 id, last = map->last_ip - map->first_ip;
499
500         /* We run parallel with other readers (test element)
501          * but adding/deleting new entries is locked out */
502         read_lock_bh(&set->lock);
503         for (id = 0; id <= last; id++) {
504                 elem = bitmap_ipmac_elem(map, id);
505                 if (elem->match == MAC_FILLED &&
506                     ip_set_timeout_expired(elem->timeout))
507                         elem->match = MAC_EMPTY;
508         }
509         read_unlock_bh(&set->lock);
510
511         map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
512         add_timer(&map->gc);
513 }
514
515 static void
516 bitmap_ipmac_gc_init(struct ip_set *set)
517 {
518         struct bitmap_ipmac *map = set->data;
519
520         init_timer(&map->gc);
521         map->gc.data = (unsigned long) set;
522         map->gc.function = bitmap_ipmac_gc;
523         map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
524         add_timer(&map->gc);
525 }
526
527 /* Create bitmap:ip,mac type of sets */
528
529 static bool
530 init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
531                u32 first_ip, u32 last_ip)
532 {
533         map->members = ip_set_alloc((last_ip - first_ip + 1) * map->dsize);
534         if (!map->members)
535                 return false;
536         map->first_ip = first_ip;
537         map->last_ip = last_ip;
538         map->timeout = IPSET_NO_TIMEOUT;
539
540         set->data = map;
541         set->family = AF_INET;
542
543         return true;
544 }
545
546 static int
547 bitmap_ipmac_create(struct ip_set *set, struct nlattr *tb[],
548                     u32 flags)
549 {
550         u32 first_ip, last_ip, elements;
551         struct bitmap_ipmac *map;
552         int ret;
553
554         if (unlikely(!tb[IPSET_ATTR_IP] ||
555                      !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
556                 return -IPSET_ERR_PROTOCOL;
557
558         ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &first_ip);
559         if (ret)
560                 return ret;
561
562         if (tb[IPSET_ATTR_IP_TO]) {
563                 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &last_ip);
564                 if (ret)
565                         return ret;
566                 if (first_ip > last_ip) {
567                         u32 tmp = first_ip;
568
569                         first_ip = last_ip;
570                         last_ip = tmp;
571                 }
572         } else if (tb[IPSET_ATTR_CIDR]) {
573                 u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
574
575                 if (cidr >= 32)
576                         return -IPSET_ERR_INVALID_CIDR;
577                 last_ip = first_ip | ~ip_set_hostmask(cidr);
578         } else
579                 return -IPSET_ERR_PROTOCOL;
580
581         elements = last_ip - first_ip + 1;
582
583         if (elements > IPSET_BITMAP_MAX_RANGE + 1)
584                 return -IPSET_ERR_BITMAP_RANGE_SIZE;
585
586         map = kzalloc(sizeof(*map), GFP_KERNEL);
587         if (!map)
588                 return -ENOMEM;
589
590         if (tb[IPSET_ATTR_TIMEOUT]) {
591                 map->dsize = sizeof(struct ipmac_telem);
592
593                 if (!init_map_ipmac(set, map, first_ip, last_ip)) {
594                         kfree(map);
595                         return -ENOMEM;
596                 }
597
598                 map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
599
600                 set->variant = &bitmap_tipmac;
601
602                 bitmap_ipmac_gc_init(set);
603         } else {
604                 map->dsize = sizeof(struct ipmac_elem);
605
606                 if (!init_map_ipmac(set, map, first_ip, last_ip)) {
607                         kfree(map);
608                         return -ENOMEM;
609                 }
610                 set->variant = &bitmap_ipmac;
611
612         }
613         return 0;
614 }
615
616 static struct ip_set_type bitmap_ipmac_type = {
617         .name           = "bitmap:ip,mac",
618         .protocol       = IPSET_PROTOCOL,
619         .features       = IPSET_TYPE_IP | IPSET_TYPE_MAC,
620         .dimension      = IPSET_DIM_TWO,
621         .family         = AF_INET,
622         .revision       = 0,
623         .create         = bitmap_ipmac_create,
624         .create_policy  = {
625                 [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
626                 [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
627                 [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
628                 [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
629         },
630         .adt_policy     = {
631                 [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
632                 [IPSET_ATTR_ETHER]      = { .type = NLA_BINARY, .len  = ETH_ALEN },
633                 [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
634                 [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
635         },
636         .me             = THIS_MODULE,
637 };
638
639 static int __init
640 bitmap_ipmac_init(void)
641 {
642         return ip_set_type_register(&bitmap_ipmac_type);
643 }
644
645 static void __exit
646 bitmap_ipmac_fini(void)
647 {
648         ip_set_type_unregister(&bitmap_ipmac_type);
649 }
650
651 module_init(bitmap_ipmac_init);
652 module_exit(bitmap_ipmac_fini);