projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
TOMOYO: Fix wrong domainname validation.
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / netfilter / ipset / ip_set_bitmap_ipmac.c
1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Martin Josefsson <gandalf@wlug.westbo.se>
4 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 */
10
11 /* Kernel module implementing an IP set type: the bitmap:ip,mac type */
12
13 #include <linux/module.h>
14 #include <linux/ip.h>
15 #include <linux/etherdevice.h>
16 #include <linux/skbuff.h>
17 #include <linux/errno.h>
18 #include <linux/if_ether.h>
19 #include <linux/netlink.h>
20 #include <linux/jiffies.h>
21 #include <linux/timer.h>
22 #include <net/netlink.h>
23
24 #include <linux/netfilter/ipset/pfxlen.h>
25 #include <linux/netfilter/ipset/ip_set.h>
26 #include <linux/netfilter/ipset/ip_set_timeout.h>
27 #include <linux/netfilter/ipset/ip_set_bitmap.h>
28
29 MODULE_LICENSE("GPL");
30 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
31 MODULE_DESCRIPTION("bitmap:ip,mac type of IP sets");
32 MODULE_ALIAS("ip_set_bitmap:ip,mac");
33
34 enum {
35 MAC_EMPTY, /* element is not set */
36 MAC_FILLED, /* element is set with MAC */
37 MAC_UNSET, /* element is set, without MAC */
38 };
39
40 /* Type structure */
41 struct bitmap_ipmac {
42 void *members; /* the set members */
43 u32 first_ip; /* host byte order, included in range */
44 u32 last_ip; /* host byte order, included in range */
45 u32 timeout; /* timeout value */
46 struct timer_list gc; /* garbage collector */
47 size_t dsize; /* size of element */
48 };
49
50 /* ADT structure for generic function args */
51 struct ipmac {
52 u32 id; /* id in array */
53 unsigned char *ether; /* ethernet address */
54 };
55
56 /* Member element without and with timeout */
57
58 struct ipmac_elem {
59 unsigned char ether[ETH_ALEN];
60 unsigned char match;
61 } __attribute__ ((aligned));
62
63 struct ipmac_telem {
64 unsigned char ether[ETH_ALEN];
65 unsigned char match;
66 unsigned long timeout;
67 } __attribute__ ((aligned));
68
69 static inline void *
70 bitmap_ipmac_elem(const struct bitmap_ipmac *map, u32 id)
71 {
72 return (void *)((char *)map->members + id * map->dsize);
73 }
74
75 static inline bool
76 bitmap_timeout(const struct bitmap_ipmac *map, u32 id)
77 {
78 const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id);
79
80 return ip_set_timeout_test(elem->timeout);
81 }
82
83 static inline bool
84 bitmap_expired(const struct bitmap_ipmac *map, u32 id)
85 {
86 const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id);
87
88 return ip_set_timeout_expired(elem->timeout);
89 }
90
91 static inline int
92 bitmap_ipmac_exist(const struct ipmac_telem *elem)
93 {
94 return elem->match == MAC_UNSET ||
95 (elem->match == MAC_FILLED &&
96 !ip_set_timeout_expired(elem->timeout));
97 }
98
99 /* Base variant */
100
101 static int
102 bitmap_ipmac_test(struct ip_set *set, void *value, u32 timeout)
103 {
104 const struct bitmap_ipmac *map = set->data;
105 const struct ipmac *data = value;
106 const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
107
108 switch (elem->match) {
109 case MAC_UNSET:
110 /* Trigger kernel to fill out the ethernet address */
111 return -EAGAIN;
112 case MAC_FILLED:
113 return data->ether == NULL ||
114 compare_ether_addr(data->ether, elem->ether) == 0;
115 }
116 return 0;
117 }
118
119 static int
120 bitmap_ipmac_add(struct ip_set *set, void *value, u32 timeout)
121 {
122 struct bitmap_ipmac *map = set->data;
123 const struct ipmac *data = value;
124 struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
125
126 switch (elem->match) {
127 case MAC_UNSET:
128 if (!data->ether)
129 /* Already added without ethernet address */
130 return -IPSET_ERR_EXIST;
131 /* Fill the MAC address */
132 memcpy(elem->ether, data->ether, ETH_ALEN);
133 elem->match = MAC_FILLED;
134 break;
135 case MAC_FILLED:
136 return -IPSET_ERR_EXIST;
137 case MAC_EMPTY:
138 if (data->ether) {
139 memcpy(elem->ether, data->ether, ETH_ALEN);
140 elem->match = MAC_FILLED;
141 } else
142 elem->match = MAC_UNSET;
143 }
144
145 return 0;
146 }
147
148 static int
149 bitmap_ipmac_del(struct ip_set *set, void *value, u32 timeout)
150 {
151 struct bitmap_ipmac *map = set->data;
152 const struct ipmac *data = value;
153 struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
154
155 if (elem->match == MAC_EMPTY)
156 return -IPSET_ERR_EXIST;
157
158 elem->match = MAC_EMPTY;
159
160 return 0;
161 }
162
163 static int
164 bitmap_ipmac_list(const struct ip_set *set,
165 struct sk_buff *skb, struct netlink_callback *cb)
166 {
167 const struct bitmap_ipmac *map = set->data;
168 const struct ipmac_elem *elem;
169 struct nlattr *atd, *nested;
170 u32 id, first = cb->args[2];
171 u32 last = map->last_ip - map->first_ip;
172
173 atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
174 if (!atd)
175 return -EMSGSIZE;
176 for (; cb->args[2] <= last; cb->args[2]++) {
177 id = cb->args[2];
178 elem = bitmap_ipmac_elem(map, id);
179 if (elem->match == MAC_EMPTY)
180 continue;
181 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
182 if (!nested) {
183 if (id == first) {
184 nla_nest_cancel(skb, atd);
185 return -EMSGSIZE;
186 } else
187 goto nla_put_failure;
188 }
189 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
190 htonl(map->first_ip + id));
191 if (elem->match == MAC_FILLED)
192 NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
193 elem->ether);
194 ipset_nest_end(skb, nested);
195 }
196 ipset_nest_end(skb, atd);
197 /* Set listing finished */
198 cb->args[2] = 0;
199
200 return 0;
201
202 nla_put_failure:
203 nla_nest_cancel(skb, nested);
204 ipset_nest_end(skb, atd);
205 if (unlikely(id == first)) {
206 cb->args[2] = 0;
207 return -EMSGSIZE;
208 }
209 return 0;
210 }
211
212 /* Timeout variant */
213
214 static int
215 bitmap_ipmac_ttest(struct ip_set *set, void *value, u32 timeout)
216 {
217 const struct bitmap_ipmac *map = set->data;
218 const struct ipmac *data = value;
219 const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
220
221 switch (elem->match) {
222 case MAC_UNSET:
223 /* Trigger kernel to fill out the ethernet address */
224 return -EAGAIN;
225 case MAC_FILLED:
226 return (data->ether == NULL ||
227 compare_ether_addr(data->ether, elem->ether) == 0) &&
228 !bitmap_expired(map, data->id);
229 }
230 return 0;
231 }
232
233 static int
234 bitmap_ipmac_tadd(struct ip_set *set, void *value, u32 timeout)
235 {
236 struct bitmap_ipmac *map = set->data;
237 const struct ipmac *data = value;
238 struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id);
239
240 switch (elem->match) {
241 case MAC_UNSET:
242 if (!data->ether)
243 /* Already added without ethernet address */
244 return -IPSET_ERR_EXIST;
245 /* Fill the MAC address and activate the timer */
246 memcpy(elem->ether, data->ether, ETH_ALEN);
247 elem->match = MAC_FILLED;
248 if (timeout == map->timeout)
249 /* Timeout was not specified, get stored one */
250 timeout = elem->timeout;
251 elem->timeout = ip_set_timeout_set(timeout);
252 break;
253 case MAC_FILLED:
254 if (!bitmap_expired(map, data->id))
255 return -IPSET_ERR_EXIST;
256 /* Fall through */
257 case MAC_EMPTY:
258 if (data->ether) {
259 memcpy(elem->ether, data->ether, ETH_ALEN);
260 elem->match = MAC_FILLED;
261 } else
262 elem->match = MAC_UNSET;
263 /* If MAC is unset yet, we store plain timeout value
264 * because the timer is not activated yet
265 * and we can reuse it later when MAC is filled out,
266 * possibly by the kernel */
267 elem->timeout = data->ether ? ip_set_timeout_set(timeout)
268 : timeout;
269 break;
270 }
271
272 return 0;
273 }
274
275 static int
276 bitmap_ipmac_tdel(struct ip_set *set, void *value, u32 timeout)
277 {
278 struct bitmap_ipmac *map = set->data;
279 const struct ipmac *data = value;
280 struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id);
281
282 if (elem->match == MAC_EMPTY || bitmap_expired(map, data->id))
283 return -IPSET_ERR_EXIST;
284
285 elem->match = MAC_EMPTY;
286
287 return 0;
288 }
289
290 static int
291 bitmap_ipmac_tlist(const struct ip_set *set,
292 struct sk_buff *skb, struct netlink_callback *cb)
293 {
294 const struct bitmap_ipmac *map = set->data;
295 const struct ipmac_telem *elem;
296 struct nlattr *atd, *nested;
297 u32 id, first = cb->args[2];
298 u32 timeout, last = map->last_ip - map->first_ip;
299
300 atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
301 if (!atd)
302 return -EMSGSIZE;
303 for (; cb->args[2] <= last; cb->args[2]++) {
304 id = cb->args[2];
305 elem = bitmap_ipmac_elem(map, id);
306 if (!bitmap_ipmac_exist(elem))
307 continue;
308 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
309 if (!nested) {
310 if (id == first) {
311 nla_nest_cancel(skb, atd);
312 return -EMSGSIZE;
313 } else
314 goto nla_put_failure;
315 }
316 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
317 htonl(map->first_ip + id));
318 if (elem->match == MAC_FILLED)
319 NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
320 elem->ether);
321 timeout = elem->match == MAC_UNSET ? elem->timeout
322 : ip_set_timeout_get(elem->timeout);
323 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(timeout));
324 ipset_nest_end(skb, nested);
325 }
326 ipset_nest_end(skb, atd);
327 /* Set listing finished */
328 cb->args[2] = 0;
329
330 return 0;
331
332 nla_put_failure:
333 nla_nest_cancel(skb, nested);
334 ipset_nest_end(skb, atd);
335 return -EMSGSIZE;
336 }
337
338 static int
339 bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
340 enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
341 {
342 struct bitmap_ipmac *map = set->data;
343 ipset_adtfn adtfn = set->variant->adt[adt];
344 struct ipmac data;
345
346 data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
347 if (data.id < map->first_ip || data.id > map->last_ip)
348 return -IPSET_ERR_BITMAP_RANGE;
349
350 /* Backward compatibility: we don't check the second flag */
351 if (skb_mac_header(skb) < skb->head ||
352 (skb_mac_header(skb) + ETH_HLEN) > skb->data)
353 return -EINVAL;
354
355 data.id -= map->first_ip;
356 data.ether = eth_hdr(skb)->h_source;
357
358 return adtfn(set, &data, map->timeout);
359 }
360
361 static int
362 bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
363 enum ipset_adt adt, u32 *lineno, u32 flags)
364 {
365 const struct bitmap_ipmac *map = set->data;
366 ipset_adtfn adtfn = set->variant->adt[adt];
367 struct ipmac data;
368 u32 timeout = map->timeout;
369 int ret = 0;
370
371 if (unlikely(!tb[IPSET_ATTR_IP] ||
372 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
373 return -IPSET_ERR_PROTOCOL;
374
375 if (tb[IPSET_ATTR_LINENO])
376 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
377
378 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &data.id);
379 if (ret)
380 return ret;
381
382 if (data.id < map->first_ip || data.id > map->last_ip)
383 return -IPSET_ERR_BITMAP_RANGE;
384
385 if (tb[IPSET_ATTR_ETHER])
386 data.ether = nla_data(tb[IPSET_ATTR_ETHER]);
387 else
388 data.ether = NULL;
389
390 if (tb[IPSET_ATTR_TIMEOUT]) {
391 if (!with_timeout(map->timeout))
392 return -IPSET_ERR_TIMEOUT;
393 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
394 }
395
396 data.id -= map->first_ip;
397
398 ret = adtfn(set, &data, timeout);
399
400 return ip_set_eexist(ret, flags) ? 0 : ret;
401 }
402
403 static void
404 bitmap_ipmac_destroy(struct ip_set *set)
405 {
406 struct bitmap_ipmac *map = set->data;
407
408 if (with_timeout(map->timeout))
409 del_timer_sync(&map->gc);
410
411 ip_set_free(map->members);
412 kfree(map);
413
414 set->data = NULL;
415 }
416
417 static void
418 bitmap_ipmac_flush(struct ip_set *set)
419 {
420 struct bitmap_ipmac *map = set->data;
421
422 memset(map->members, 0,
423 (map->last_ip - map->first_ip + 1) * map->dsize);
424 }
425
426 static int
427 bitmap_ipmac_head(struct ip_set *set, struct sk_buff *skb)
428 {
429 const struct bitmap_ipmac *map = set->data;
430 struct nlattr *nested;
431
432 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
433 if (!nested)
434 goto nla_put_failure;
435 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip));
436 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip));
437 NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
438 NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
439 htonl(sizeof(*map)
440 + (map->last_ip - map->first_ip + 1) * map->dsize));
441 if (with_timeout(map->timeout))
442 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
443 ipset_nest_end(skb, nested);
444
445 return 0;
446 nla_put_failure:
447 return -EMSGSIZE;
448 }
449
450 static bool
451 bitmap_ipmac_same_set(const struct ip_set *a, const struct ip_set *b)
452 {
453 const struct bitmap_ipmac *x = a->data;
454 const struct bitmap_ipmac *y = b->data;
455
456 return x->first_ip == y->first_ip &&
457 x->last_ip == y->last_ip &&
458 x->timeout == y->timeout;
459 }
460
461 static const struct ip_set_type_variant bitmap_ipmac = {
462 .kadt = bitmap_ipmac_kadt,
463 .uadt = bitmap_ipmac_uadt,
464 .adt = {
465 [IPSET_ADD] = bitmap_ipmac_add,
466 [IPSET_DEL] = bitmap_ipmac_del,
467 [IPSET_TEST] = bitmap_ipmac_test,
468 },
469 .destroy = bitmap_ipmac_destroy,
470 .flush = bitmap_ipmac_flush,
471 .head = bitmap_ipmac_head,
472 .list = bitmap_ipmac_list,
473 .same_set = bitmap_ipmac_same_set,
474 };
475
476 static const struct ip_set_type_variant bitmap_tipmac = {
477 .kadt = bitmap_ipmac_kadt,
478 .uadt = bitmap_ipmac_uadt,
479 .adt = {
480 [IPSET_ADD] = bitmap_ipmac_tadd,
481 [IPSET_DEL] = bitmap_ipmac_tdel,
482 [IPSET_TEST] = bitmap_ipmac_ttest,
483 },
484 .destroy = bitmap_ipmac_destroy,
485 .flush = bitmap_ipmac_flush,
486 .head = bitmap_ipmac_head,
487 .list = bitmap_ipmac_tlist,
488 .same_set = bitmap_ipmac_same_set,
489 };
490
491 static void
492 bitmap_ipmac_gc(unsigned long ul_set)
493 {
494 struct ip_set *set = (struct ip_set *) ul_set;
495 struct bitmap_ipmac *map = set->data;
496 struct ipmac_telem *elem;
497 u32 id, last = map->last_ip - map->first_ip;
498
499 /* We run parallel with other readers (test element)
500 * but adding/deleting new entries is locked out */
501 read_lock_bh(&set->lock);
502 for (id = 0; id <= last; id++) {
503 elem = bitmap_ipmac_elem(map, id);
504 if (elem->match == MAC_FILLED &&
505 ip_set_timeout_expired(elem->timeout))
506 elem->match = MAC_EMPTY;
507 }
508 read_unlock_bh(&set->lock);
509
510 map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
511 add_timer(&map->gc);
512 }
513
514 static void
515 bitmap_ipmac_gc_init(struct ip_set *set)
516 {
517 struct bitmap_ipmac *map = set->data;
518
519 init_timer(&map->gc);
520 map->gc.data = (unsigned long) set;
521 map->gc.function = bitmap_ipmac_gc;
522 map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
523 add_timer(&map->gc);
524 }
525
526 /* Create bitmap:ip,mac type of sets */
527
528 static bool
529 init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
530 u32 first_ip, u32 last_ip)
531 {
532 map->members = ip_set_alloc((last_ip - first_ip + 1) * map->dsize);
533 if (!map->members)
534 return false;
535 map->first_ip = first_ip;
536 map->last_ip = last_ip;
537 map->timeout = IPSET_NO_TIMEOUT;
538
539 set->data = map;
540 set->family = AF_INET;
541
542 return true;
543 }
544
545 static int
546 bitmap_ipmac_create(struct ip_set *set, struct nlattr *tb[],
547 u32 flags)
548 {
549 u32 first_ip, last_ip, elements;
550 struct bitmap_ipmac *map;
551 int ret;
552
553 if (unlikely(!tb[IPSET_ATTR_IP] ||
554 !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
555 return -IPSET_ERR_PROTOCOL;
556
557 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &first_ip);
558 if (ret)
559 return ret;
560
561 if (tb[IPSET_ATTR_IP_TO]) {
562 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &last_ip);
563 if (ret)
564 return ret;
565 if (first_ip > last_ip) {
566 u32 tmp = first_ip;
567
568 first_ip = last_ip;
569 last_ip = tmp;
570 }
571 } else if (tb[IPSET_ATTR_CIDR]) {
572 u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
573
574 if (cidr >= 32)
575 return -IPSET_ERR_INVALID_CIDR;
576 last_ip = first_ip | ~ip_set_hostmask(cidr);
577 } else
578 return -IPSET_ERR_PROTOCOL;
579
580 elements = last_ip - first_ip + 1;
581
582 if (elements > IPSET_BITMAP_MAX_RANGE + 1)
583 return -IPSET_ERR_BITMAP_RANGE_SIZE;
584
585 map = kzalloc(sizeof(*map), GFP_KERNEL);
586 if (!map)
587 return -ENOMEM;
588
589 if (tb[IPSET_ATTR_TIMEOUT]) {
590 map->dsize = sizeof(struct ipmac_telem);
591
592 if (!init_map_ipmac(set, map, first_ip, last_ip)) {
593 kfree(map);
594 return -ENOMEM;
595 }
596
597 map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
598
599 set->variant = &bitmap_tipmac;
600
601 bitmap_ipmac_gc_init(set);
602 } else {
603 map->dsize = sizeof(struct ipmac_elem);
604
605 if (!init_map_ipmac(set, map, first_ip, last_ip)) {
606 kfree(map);
607 return -ENOMEM;
608 }
609 set->variant = &bitmap_ipmac;
610
611 }
612 return 0;
613 }
614
615 static struct ip_set_type bitmap_ipmac_type = {
616 .name = "bitmap:ip,mac",
617 .protocol = IPSET_PROTOCOL,
618 .features = IPSET_TYPE_IP | IPSET_TYPE_MAC,
619 .dimension = IPSET_DIM_TWO,
620 .family = AF_INET,
621 .revision = 0,
622 .create = bitmap_ipmac_create,
623 .create_policy = {
624 [IPSET_ATTR_IP] = { .type = NLA_NESTED },
625 [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED },
626 [IPSET_ATTR_CIDR] = { .type = NLA_U8 },
627 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
628 },
629 .adt_policy = {
630 [IPSET_ATTR_IP] = { .type = NLA_NESTED },
631 [IPSET_ATTR_ETHER] = { .type = NLA_BINARY, .len = ETH_ALEN },
632 [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
633 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
634 },
635 .me = THIS_MODULE,
636 };
637
638 static int __init
639 bitmap_ipmac_init(void)
640 {
641 return ip_set_type_register(&bitmap_ipmac_type);
642 }
643
644 static void __exit
645 bitmap_ipmac_fini(void)
646 {
647 ip_set_type_unregister(&bitmap_ipmac_type);
648 }
649
650 module_init(bitmap_ipmac_init);
651 module_exit(bitmap_ipmac_fini);
kernel source for telekom puls (alcatel/mediatek)