a274300b6a566faee28c3e10d31fdba1bbd212c0
[linux-2.6.git] / net / netfilter / ipset / ip_set_bitmap_ipmac.c
1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2  *                         Patrick Schaaf <bof@bof.de>
3  *                         Martin Josefsson <gandalf@wlug.westbo.se>
4  * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License version 2 as
8  * published by the Free Software Foundation.
9  */
10
11 /* Kernel module implementing an IP set type: the bitmap:ip,mac type */
12
13 #include <linux/module.h>
14 #include <linux/ip.h>
15 #include <linux/etherdevice.h>
16 #include <linux/skbuff.h>
17 #include <linux/errno.h>
18 #include <linux/if_ether.h>
19 #include <linux/netlink.h>
20 #include <linux/jiffies.h>
21 #include <linux/timer.h>
22 #include <net/netlink.h>
23
24 #include <linux/netfilter/ipset/pfxlen.h>
25 #include <linux/netfilter/ipset/ip_set.h>
26 #include <linux/netfilter/ipset/ip_set_timeout.h>
27 #include <linux/netfilter/ipset/ip_set_bitmap.h>
28
29 MODULE_LICENSE("GPL");
30 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
31 MODULE_DESCRIPTION("bitmap:ip,mac type of IP sets");
32 MODULE_ALIAS("ip_set_bitmap:ip,mac");
33
34 enum {
35         MAC_EMPTY,              /* element is not set */
36         MAC_FILLED,             /* element is set with MAC */
37         MAC_UNSET,              /* element is set, without MAC */
38 };
39
40 /* Type structure */
41 struct bitmap_ipmac {
42         void *members;          /* the set members */
43         u32 first_ip;           /* host byte order, included in range */
44         u32 last_ip;            /* host byte order, included in range */
45         u32 timeout;            /* timeout value */
46         struct timer_list gc;   /* garbage collector */
47         size_t dsize;           /* size of element */
48 };
49
50 /* ADT structure for generic function args */
51 struct ipmac {
52         u32 id;                 /* id in array */
53         unsigned char *ether;   /* ethernet address */
54 };
55
56 /* Member element without and with timeout */
57
58 struct ipmac_elem {
59         unsigned char ether[ETH_ALEN];
60         unsigned char match;
61 } __attribute__ ((aligned));
62
63 struct ipmac_telem {
64         unsigned char ether[ETH_ALEN];
65         unsigned char match;
66         unsigned long timeout;
67 } __attribute__ ((aligned));
68
69 static inline void *
70 bitmap_ipmac_elem(const struct bitmap_ipmac *map, u32 id)
71 {
72         return (void *)((char *)map->members + id * map->dsize);
73 }
74
75 static inline bool
76 bitmap_timeout(const struct bitmap_ipmac *map, u32 id)
77 {
78         const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id);
79
80         return ip_set_timeout_test(elem->timeout);
81 }
82
83 static inline bool
84 bitmap_expired(const struct bitmap_ipmac *map, u32 id)
85 {
86         const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id);
87
88         return ip_set_timeout_expired(elem->timeout);
89 }
90
91 static inline int
92 bitmap_ipmac_exist(const struct ipmac_telem *elem)
93 {
94         return elem->match == MAC_UNSET ||
95                (elem->match == MAC_FILLED &&
96                 !ip_set_timeout_expired(elem->timeout));
97 }
98
99 /* Base variant */
100
101 static int
102 bitmap_ipmac_test(struct ip_set *set, void *value, u32 timeout)
103 {
104         const struct bitmap_ipmac *map = set->data;
105         const struct ipmac *data = value;
106         const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
107
108         switch (elem->match) {
109         case MAC_UNSET:
110                 /* Trigger kernel to fill out the ethernet address */
111                 return -EAGAIN;
112         case MAC_FILLED:
113                 return data->ether == NULL ||
114                        compare_ether_addr(data->ether, elem->ether) == 0;
115         }
116         return 0;
117 }
118
119 static int
120 bitmap_ipmac_add(struct ip_set *set, void *value, u32 timeout)
121 {
122         struct bitmap_ipmac *map = set->data;
123         const struct ipmac *data = value;
124         struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
125
126         switch (elem->match) {
127         case MAC_UNSET:
128                 if (!data->ether)
129                         /* Already added without ethernet address */
130                         return -IPSET_ERR_EXIST;
131                 /* Fill the MAC address */
132                 memcpy(elem->ether, data->ether, ETH_ALEN);
133                 elem->match = MAC_FILLED;
134                 break;
135         case MAC_FILLED:
136                 return -IPSET_ERR_EXIST;
137         case MAC_EMPTY:
138                 if (data->ether) {
139                         memcpy(elem->ether, data->ether, ETH_ALEN);
140                         elem->match = MAC_FILLED;
141                 } else
142                         elem->match = MAC_UNSET;
143         }
144
145         return 0;
146 }
147
148 static int
149 bitmap_ipmac_del(struct ip_set *set, void *value, u32 timeout)
150 {
151         struct bitmap_ipmac *map = set->data;
152         const struct ipmac *data = value;
153         struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
154
155         if (elem->match == MAC_EMPTY)
156                 return -IPSET_ERR_EXIST;
157
158         elem->match = MAC_EMPTY;
159
160         return 0;
161 }
162
163 static int
164 bitmap_ipmac_list(const struct ip_set *set,
165                   struct sk_buff *skb, struct netlink_callback *cb)
166 {
167         const struct bitmap_ipmac *map = set->data;
168         const struct ipmac_elem *elem;
169         struct nlattr *atd, *nested;
170         u32 id, first = cb->args[2];
171         u32 last = map->last_ip - map->first_ip;
172
173         atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
174         if (!atd)
175                 return -EMSGSIZE;
176         for (; cb->args[2] <= last; cb->args[2]++) {
177                 id = cb->args[2];
178                 elem = bitmap_ipmac_elem(map, id);
179                 if (elem->match == MAC_EMPTY)
180                         continue;
181                 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
182                 if (!nested) {
183                         if (id == first) {
184                                 nla_nest_cancel(skb, atd);
185                                 return -EMSGSIZE;
186                         } else
187                                 goto nla_put_failure;
188                 }
189                 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
190                                 htonl(map->first_ip + id));
191                 if (elem->match == MAC_FILLED)
192                         NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
193                                 elem->ether);
194                 ipset_nest_end(skb, nested);
195         }
196         ipset_nest_end(skb, atd);
197         /* Set listing finished */
198         cb->args[2] = 0;
199
200         return 0;
201
202 nla_put_failure:
203         nla_nest_cancel(skb, nested);
204         ipset_nest_end(skb, atd);
205         if (unlikely(id == first)) {
206                 cb->args[2] = 0;
207                 return -EMSGSIZE;
208         }
209         return 0;
210 }
211
212 /* Timeout variant */
213
214 static int
215 bitmap_ipmac_ttest(struct ip_set *set, void *value, u32 timeout)
216 {
217         const struct bitmap_ipmac *map = set->data;
218         const struct ipmac *data = value;
219         const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
220
221         switch (elem->match) {
222         case MAC_UNSET:
223                 /* Trigger kernel to fill out the ethernet address */
224                 return -EAGAIN;
225         case MAC_FILLED:
226                 return (data->ether == NULL ||
227                         compare_ether_addr(data->ether, elem->ether) == 0) &&
228                        !bitmap_expired(map, data->id);
229         }
230         return 0;
231 }
232
233 static int
234 bitmap_ipmac_tadd(struct ip_set *set, void *value, u32 timeout)
235 {
236         struct bitmap_ipmac *map = set->data;
237         const struct ipmac *data = value;
238         struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id);
239
240         switch (elem->match) {
241         case MAC_UNSET:
242                 if (!data->ether)
243                         /* Already added without ethernet address */
244                         return -IPSET_ERR_EXIST;
245                 /* Fill the MAC address and activate the timer */
246                 memcpy(elem->ether, data->ether, ETH_ALEN);
247                 elem->match = MAC_FILLED;
248                 if (timeout == map->timeout)
249                         /* Timeout was not specified, get stored one */
250                         timeout = elem->timeout;
251                 elem->timeout = ip_set_timeout_set(timeout);
252                 break;
253         case MAC_FILLED:
254                 if (!bitmap_expired(map, data->id))
255                         return -IPSET_ERR_EXIST;
256                 /* Fall through */
257         case MAC_EMPTY:
258                 if (data->ether) {
259                         memcpy(elem->ether, data->ether, ETH_ALEN);
260                         elem->match = MAC_FILLED;
261                 } else
262                         elem->match = MAC_UNSET;
263                 /* If MAC is unset yet, we store plain timeout value
264                  * because the timer is not activated yet
265                  * and we can reuse it later when MAC is filled out,
266                  * possibly by the kernel */
267                 elem->timeout = data->ether ? ip_set_timeout_set(timeout)
268                                             : timeout;
269                 break;
270         }
271
272         return 0;
273 }
274
275 static int
276 bitmap_ipmac_tdel(struct ip_set *set, void *value, u32 timeout)
277 {
278         struct bitmap_ipmac *map = set->data;
279         const struct ipmac *data = value;
280         struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id);
281
282         if (elem->match == MAC_EMPTY || bitmap_expired(map, data->id))
283                 return -IPSET_ERR_EXIST;
284
285         elem->match = MAC_EMPTY;
286
287         return 0;
288 }
289
290 static int
291 bitmap_ipmac_tlist(const struct ip_set *set,
292                    struct sk_buff *skb, struct netlink_callback *cb)
293 {
294         const struct bitmap_ipmac *map = set->data;
295         const struct ipmac_telem *elem;
296         struct nlattr *atd, *nested;
297         u32 id, first = cb->args[2];
298         u32 timeout, last = map->last_ip - map->first_ip;
299
300         atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
301         if (!atd)
302                 return -EMSGSIZE;
303         for (; cb->args[2] <= last; cb->args[2]++) {
304                 id = cb->args[2];
305                 elem = bitmap_ipmac_elem(map, id);
306                 if (!bitmap_ipmac_exist(elem))
307                         continue;
308                 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
309                 if (!nested) {
310                         if (id == first) {
311                                 nla_nest_cancel(skb, atd);
312                                 return -EMSGSIZE;
313                         } else
314                                 goto nla_put_failure;
315                 }
316                 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
317                                 htonl(map->first_ip + id));
318                 if (elem->match == MAC_FILLED)
319                         NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
320                                 elem->ether);
321                 timeout = elem->match == MAC_UNSET ? elem->timeout
322                                 : ip_set_timeout_get(elem->timeout);
323                 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(timeout));
324                 ipset_nest_end(skb, nested);
325         }
326         ipset_nest_end(skb, atd);
327         /* Set listing finished */
328         cb->args[2] = 0;
329
330         return 0;
331
332 nla_put_failure:
333         nla_nest_cancel(skb, nested);
334         ipset_nest_end(skb, atd);
335         return -EMSGSIZE;
336 }
337
338 static int
339 bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
340                   enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
341 {
342         struct bitmap_ipmac *map = set->data;
343         ipset_adtfn adtfn = set->variant->adt[adt];
344         struct ipmac data;
345
346         /* MAC can be src only */
347         if (!(flags & IPSET_DIM_TWO_SRC))
348                 return 0;
349
350         data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
351         if (data.id < map->first_ip || data.id > map->last_ip)
352                 return -IPSET_ERR_BITMAP_RANGE;
353
354         /* Backward compatibility: we don't check the second flag */
355         if (skb_mac_header(skb) < skb->head ||
356             (skb_mac_header(skb) + ETH_HLEN) > skb->data)
357                 return -EINVAL;
358
359         data.id -= map->first_ip;
360         data.ether = eth_hdr(skb)->h_source;
361
362         return adtfn(set, &data, map->timeout);
363 }
364
365 static int
366 bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
367                   enum ipset_adt adt, u32 *lineno, u32 flags)
368 {
369         const struct bitmap_ipmac *map = set->data;
370         ipset_adtfn adtfn = set->variant->adt[adt];
371         struct ipmac data;
372         u32 timeout = map->timeout;
373         int ret = 0;
374
375         if (unlikely(!tb[IPSET_ATTR_IP] ||
376                      !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
377                 return -IPSET_ERR_PROTOCOL;
378
379         if (tb[IPSET_ATTR_LINENO])
380                 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
381
382         ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &data.id);
383         if (ret)
384                 return ret;
385
386         if (data.id < map->first_ip || data.id > map->last_ip)
387                 return -IPSET_ERR_BITMAP_RANGE;
388
389         if (tb[IPSET_ATTR_ETHER])
390                 data.ether = nla_data(tb[IPSET_ATTR_ETHER]);
391         else
392                 data.ether = NULL;
393
394         if (tb[IPSET_ATTR_TIMEOUT]) {
395                 if (!with_timeout(map->timeout))
396                         return -IPSET_ERR_TIMEOUT;
397                 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
398         }
399
400         data.id -= map->first_ip;
401
402         ret = adtfn(set, &data, timeout);
403
404         return ip_set_eexist(ret, flags) ? 0 : ret;
405 }
406
407 static void
408 bitmap_ipmac_destroy(struct ip_set *set)
409 {
410         struct bitmap_ipmac *map = set->data;
411
412         if (with_timeout(map->timeout))
413                 del_timer_sync(&map->gc);
414
415         ip_set_free(map->members);
416         kfree(map);
417
418         set->data = NULL;
419 }
420
421 static void
422 bitmap_ipmac_flush(struct ip_set *set)
423 {
424         struct bitmap_ipmac *map = set->data;
425
426         memset(map->members, 0,
427                (map->last_ip - map->first_ip + 1) * map->dsize);
428 }
429
430 static int
431 bitmap_ipmac_head(struct ip_set *set, struct sk_buff *skb)
432 {
433         const struct bitmap_ipmac *map = set->data;
434         struct nlattr *nested;
435
436         nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
437         if (!nested)
438                 goto nla_put_failure;
439         NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip));
440         NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip));
441         NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
442         NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
443                       htonl(sizeof(*map)
444                             + (map->last_ip - map->first_ip + 1) * map->dsize));
445         if (with_timeout(map->timeout))
446                 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
447         ipset_nest_end(skb, nested);
448
449         return 0;
450 nla_put_failure:
451         return -EMSGSIZE;
452 }
453
454 static bool
455 bitmap_ipmac_same_set(const struct ip_set *a, const struct ip_set *b)
456 {
457         const struct bitmap_ipmac *x = a->data;
458         const struct bitmap_ipmac *y = b->data;
459
460         return x->first_ip == y->first_ip &&
461                x->last_ip == y->last_ip &&
462                x->timeout == y->timeout;
463 }
464
465 static const struct ip_set_type_variant bitmap_ipmac = {
466         .kadt   = bitmap_ipmac_kadt,
467         .uadt   = bitmap_ipmac_uadt,
468         .adt    = {
469                 [IPSET_ADD] = bitmap_ipmac_add,
470                 [IPSET_DEL] = bitmap_ipmac_del,
471                 [IPSET_TEST] = bitmap_ipmac_test,
472         },
473         .destroy = bitmap_ipmac_destroy,
474         .flush  = bitmap_ipmac_flush,
475         .head   = bitmap_ipmac_head,
476         .list   = bitmap_ipmac_list,
477         .same_set = bitmap_ipmac_same_set,
478 };
479
480 static const struct ip_set_type_variant bitmap_tipmac = {
481         .kadt   = bitmap_ipmac_kadt,
482         .uadt   = bitmap_ipmac_uadt,
483         .adt    = {
484                 [IPSET_ADD] = bitmap_ipmac_tadd,
485                 [IPSET_DEL] = bitmap_ipmac_tdel,
486                 [IPSET_TEST] = bitmap_ipmac_ttest,
487         },
488         .destroy = bitmap_ipmac_destroy,
489         .flush  = bitmap_ipmac_flush,
490         .head   = bitmap_ipmac_head,
491         .list   = bitmap_ipmac_tlist,
492         .same_set = bitmap_ipmac_same_set,
493 };
494
495 static void
496 bitmap_ipmac_gc(unsigned long ul_set)
497 {
498         struct ip_set *set = (struct ip_set *) ul_set;
499         struct bitmap_ipmac *map = set->data;
500         struct ipmac_telem *elem;
501         u32 id, last = map->last_ip - map->first_ip;
502
503         /* We run parallel with other readers (test element)
504          * but adding/deleting new entries is locked out */
505         read_lock_bh(&set->lock);
506         for (id = 0; id <= last; id++) {
507                 elem = bitmap_ipmac_elem(map, id);
508                 if (elem->match == MAC_FILLED &&
509                     ip_set_timeout_expired(elem->timeout))
510                         elem->match = MAC_EMPTY;
511         }
512         read_unlock_bh(&set->lock);
513
514         map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
515         add_timer(&map->gc);
516 }
517
518 static void
519 bitmap_ipmac_gc_init(struct ip_set *set)
520 {
521         struct bitmap_ipmac *map = set->data;
522
523         init_timer(&map->gc);
524         map->gc.data = (unsigned long) set;
525         map->gc.function = bitmap_ipmac_gc;
526         map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
527         add_timer(&map->gc);
528 }
529
530 /* Create bitmap:ip,mac type of sets */
531
532 static bool
533 init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
534                u32 first_ip, u32 last_ip)
535 {
536         map->members = ip_set_alloc((last_ip - first_ip + 1) * map->dsize);
537         if (!map->members)
538                 return false;
539         map->first_ip = first_ip;
540         map->last_ip = last_ip;
541         map->timeout = IPSET_NO_TIMEOUT;
542
543         set->data = map;
544         set->family = AF_INET;
545
546         return true;
547 }
548
549 static int
550 bitmap_ipmac_create(struct ip_set *set, struct nlattr *tb[],
551                     u32 flags)
552 {
553         u32 first_ip, last_ip, elements;
554         struct bitmap_ipmac *map;
555         int ret;
556
557         if (unlikely(!tb[IPSET_ATTR_IP] ||
558                      !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
559                 return -IPSET_ERR_PROTOCOL;
560
561         ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &first_ip);
562         if (ret)
563                 return ret;
564
565         if (tb[IPSET_ATTR_IP_TO]) {
566                 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &last_ip);
567                 if (ret)
568                         return ret;
569                 if (first_ip > last_ip) {
570                         u32 tmp = first_ip;
571
572                         first_ip = last_ip;
573                         last_ip = tmp;
574                 }
575         } else if (tb[IPSET_ATTR_CIDR]) {
576                 u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
577
578                 if (cidr >= 32)
579                         return -IPSET_ERR_INVALID_CIDR;
580                 last_ip = first_ip | ~ip_set_hostmask(cidr);
581         } else
582                 return -IPSET_ERR_PROTOCOL;
583
584         elements = last_ip - first_ip + 1;
585
586         if (elements > IPSET_BITMAP_MAX_RANGE + 1)
587                 return -IPSET_ERR_BITMAP_RANGE_SIZE;
588
589         map = kzalloc(sizeof(*map), GFP_KERNEL);
590         if (!map)
591                 return -ENOMEM;
592
593         if (tb[IPSET_ATTR_TIMEOUT]) {
594                 map->dsize = sizeof(struct ipmac_telem);
595
596                 if (!init_map_ipmac(set, map, first_ip, last_ip)) {
597                         kfree(map);
598                         return -ENOMEM;
599                 }
600
601                 map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
602
603                 set->variant = &bitmap_tipmac;
604
605                 bitmap_ipmac_gc_init(set);
606         } else {
607                 map->dsize = sizeof(struct ipmac_elem);
608
609                 if (!init_map_ipmac(set, map, first_ip, last_ip)) {
610                         kfree(map);
611                         return -ENOMEM;
612                 }
613                 set->variant = &bitmap_ipmac;
614
615         }
616         return 0;
617 }
618
619 static struct ip_set_type bitmap_ipmac_type = {
620         .name           = "bitmap:ip,mac",
621         .protocol       = IPSET_PROTOCOL,
622         .features       = IPSET_TYPE_IP | IPSET_TYPE_MAC,
623         .dimension      = IPSET_DIM_TWO,
624         .family         = AF_INET,
625         .revision       = 0,
626         .create         = bitmap_ipmac_create,
627         .create_policy  = {
628                 [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
629                 [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
630                 [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
631                 [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
632         },
633         .adt_policy     = {
634                 [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
635                 [IPSET_ATTR_ETHER]      = { .type = NLA_BINARY, .len  = ETH_ALEN },
636                 [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
637                 [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
638         },
639         .me             = THIS_MODULE,
640 };
641
642 static int __init
643 bitmap_ipmac_init(void)
644 {
645         return ip_set_type_register(&bitmap_ipmac_type);
646 }
647
648 static void __exit
649 bitmap_ipmac_fini(void)
650 {
651         ip_set_type_unregister(&bitmap_ipmac_type);
652 }
653
654 module_init(bitmap_ipmac_init);
655 module_exit(bitmap_ipmac_fini);