netfilter: ipset: add markmask for hash:ip,mark data type

Introduce packet mark mask for hash:ip,mark data type. This allows to
set mark bit filter for the ip set.

Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h
index 5368f8275774a81da4ea41a3023a3900887e933e..f636f282b142033b8f73a32bf120e0e874a0274c 100644 (file)
--- a/include/uapi/linux/netfilter/ipset/ip_set.h
+++ b/include/uapi/linux/netfilter/ipset/ip_set.h
@@ -89,6 +89,7 @@ enum {
        IPSET_ATTR_GC,
        IPSET_ATTR_HASHSIZE,
        IPSET_ATTR_MAXELEM,
+       IPSET_ATTR_MARKMASK,
        IPSET_ATTR_NETMASK,
        IPSET_ATTR_PROBES,
        IPSET_ATTR_RESIZE,
@@ -138,6 +139,7 @@ enum ipset_errno {
        IPSET_ERR_EXIST,
        IPSET_ERR_INVALID_CIDR,
        IPSET_ERR_INVALID_NETMASK,
+       IPSET_ERR_INVALID_MARKMASK,
        IPSET_ERR_INVALID_FAMILY,
        IPSET_ERR_TIMEOUT,
        IPSET_ERR_REFERENCED,

diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index be6932ad3a8626d6c06e99091b32f540b7afd338..b1eed81e24c5f50843ad41b80c985ac65804c8df 100644 (file)
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -263,6 +263,9 @@ struct htype {
        u32 maxelem;            /* max elements in the hash */
        u32 elements;           /* current element (vs timeout) */
        u32 initval;            /* random jhash init value */
+#ifdef IP_SET_HASH_WITH_MARKMASK
+       u32 markmask;           /* markmask value for mark mask to store */
+#endif
        struct timer_list gc;   /* garbage collection when timeout enabled */
        struct mtype_elem next; /* temporary storage for uadd */
 #ifdef IP_SET_HASH_WITH_MULTI
@@ -453,6 +456,9 @@ mtype_same_set(const struct ip_set *a, const struct ip_set *b)
               a->timeout == b->timeout &&
 #ifdef IP_SET_HASH_WITH_NETMASK
               x->netmask == y->netmask &&
+#endif
+#ifdef IP_SET_HASH_WITH_MARKMASK
+              x->markmask == y->markmask &&
 #endif
               a->extensions == b->extensions;
 }
@@ -907,6 +913,10 @@ mtype_head(struct ip_set *set, struct sk_buff *skb)
        if (h->netmask != HOST_MASK &&
            nla_put_u8(skb, IPSET_ATTR_NETMASK, h->netmask))
                goto nla_put_failure;
+#endif
+#ifdef IP_SET_HASH_WITH_MARKMASK
+       if (nla_put_u32(skb, IPSET_ATTR_MARKMASK, h->markmask))
+               goto nla_put_failure;
 #endif
        if (nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
            nla_put_net32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize)))
@@ -1016,6 +1026,9 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
                            struct nlattr *tb[], u32 flags)
 {
        u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
+#ifdef IP_SET_HASH_WITH_MARKMASK
+       u32 markmask;
+#endif
        u8 hbits;
 #ifdef IP_SET_HASH_WITH_NETMASK
        u8 netmask;
@@ -1026,6 +1039,10 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
 
        if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
                return -IPSET_ERR_INVALID_FAMILY;
+
+#ifdef IP_SET_HASH_WITH_MARKMASK
+       markmask = 0xffffffff;
+#endif
 #ifdef IP_SET_HASH_WITH_NETMASK
        netmask = set->family == NFPROTO_IPV4 ? 32 : 128;
        pr_debug("Create set %s with family %s\n",
@@ -1034,6 +1051,9 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
 
        if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
                     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
+#ifdef IP_SET_HASH_WITH_MARKMASK
+                    !ip_set_optattr_netorder(tb, IPSET_ATTR_MARKMASK) ||
+#endif
                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
                     !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
                return -IPSET_ERR_PROTOCOL;
@@ -1057,6 +1077,14 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
                        return -IPSET_ERR_INVALID_NETMASK;
        }
 #endif
+#ifdef IP_SET_HASH_WITH_MARKMASK
+       if (tb[IPSET_ATTR_MARKMASK]) {
+               markmask = ntohl(nla_get_u32(tb[IPSET_ATTR_MARKMASK]));
+
+               if ((markmask > 4294967295u) || markmask == 0)
+                       return -IPSET_ERR_INVALID_MARKMASK;
+       }
+#endif
 
        hsize = sizeof(*h);
 #ifdef IP_SET_HASH_WITH_NETS
@@ -1070,6 +1098,9 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
        h->maxelem = maxelem;
 #ifdef IP_SET_HASH_WITH_NETMASK
        h->netmask = netmask;
+#endif
+#ifdef IP_SET_HASH_WITH_MARKMASK
+       h->markmask = markmask;
 #endif
        get_random_bytes(&h->initval, sizeof(h->initval));
        set->timeout = IPSET_NO_TIMEOUT;

diff --git a/net/netfilter/ipset/ip_set_hash_ipmark.c b/net/netfilter/ipset/ip_set_hash_ipmark.c
index e56c0d916facab85326cb51f85ce1b33ce76bfb3..1bf8e8524218ecfdfb6563b9f3a93ba8d891a708 100644 (file)
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -34,6 +34,7 @@ MODULE_ALIAS("ip_set_hash:ip,mark");
 
 /* Type specific function prefix */
 #define HTYPE          hash_ipmark
+#define IP_SET_HASH_WITH_MARKMASK
 
 /* IPv4 variant */
 
@@ -85,11 +86,13 @@ hash_ipmark4_kadt(struct ip_set *set, const struct sk_buff *skb,
                  const struct xt_action_param *par,
                  enum ipset_adt adt, struct ip_set_adt_opt *opt)
 {
+       const struct hash_ipmark *h = set->data;
        ipset_adtfn adtfn = set->variant->adt[adt];
        struct hash_ipmark4_elem e = { };
        struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
 
        e.mark = skb->mark;
+       e.mark &= h->markmask;
 
        ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip);
        return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
@@ -122,6 +125,7 @@ hash_ipmark4_uadt(struct ip_set *set, struct nlattr *tb[],
                return ret;
 
        e.mark = ntohl(nla_get_u32(tb[IPSET_ATTR_MARK]));
+       e.mark &= h->markmask;
 
        if (adt == IPSET_TEST ||
            !(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_CIDR])) {
@@ -213,11 +217,13 @@ hash_ipmark6_kadt(struct ip_set *set, const struct sk_buff *skb,
                  const struct xt_action_param *par,
                  enum ipset_adt adt, struct ip_set_adt_opt *opt)
 {
+       const struct hash_ipmark *h = set->data;
        ipset_adtfn adtfn = set->variant->adt[adt];
        struct hash_ipmark6_elem e = { };
        struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
 
        e.mark = skb->mark;
+       e.mark &= h->markmask;
 
        ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6);
        return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
@@ -227,6 +233,7 @@ static int
 hash_ipmark6_uadt(struct ip_set *set, struct nlattr *tb[],
                  enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
 {
+       const struct hash_ipmark *h = set->data;
        ipset_adtfn adtfn = set->variant->adt[adt];
        struct hash_ipmark6_elem e = { };
        struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
@@ -250,6 +257,7 @@ hash_ipmark6_uadt(struct ip_set *set, struct nlattr *tb[],
                return ret;
 
        e.mark = ntohl(nla_get_u32(tb[IPSET_ATTR_MARK]));
+       e.mark &= h->markmask;
 
        if (adt == IPSET_TEST) {
                ret = adtfn(set, &e, &ext, &ext, flags);
@@ -275,6 +283,7 @@ static struct ip_set_type hash_ipmark_type __read_mostly = {
        .revision_max   = IPSET_TYPE_REV_MAX,
        .create         = hash_ipmark_create,
        .create_policy  = {
+               [IPSET_ATTR_MARKMASK]   = { .type = NLA_U32 },
                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },
                [IPSET_ATTR_MAXELEM]    = { .type = NLA_U32 },
                [IPSET_ATTR_PROBES]     = { .type = NLA_U8 },