linux-pinenote/net/sched/em_ipset.c

/*
 * net/sched/em_ipset.c	ipset ematch
 *
 * Copyright (c) 2012 Florian Westphal <fw@strlen.de>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * version 2 as published by the Free Software Foundation.
 */

#include <linux/gfp.h>
#include <linux/module.h>
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/string.h>
#include <linux/skbuff.h>
#include <linux/netfilter/xt_set.h>
#include <linux/ipv6.h>
#include <net/ip.h>
#include <net/pkt_cls.h>

static int em_ipset_change(struct tcf_proto *tp, void *data, int data_len,
			   struct tcf_ematch *em)
{
	struct xt_set_info *set = data;
	ip_set_id_t index;
	struct net *net = dev_net(qdisc_dev(tp->q));

	if (data_len != sizeof(*set))
		return -EINVAL;

	index = ip_set_nfnl_get_byindex(net, set->index);
	if (index == IPSET_INVALID_ID)
		return -ENOENT;

	em->datalen = sizeof(*set);
	em->data = (unsigned long)kmemdup(data, em->datalen, GFP_KERNEL);
	if (em->data)
		return 0;

	ip_set_nfnl_put(net, index);
	return -ENOMEM;
}

static void em_ipset_destroy(struct tcf_proto *p, struct tcf_ematch *em)
{
	const struct xt_set_info *set = (const void *) em->data;
	if (set) {
		ip_set_nfnl_put(dev_net(qdisc_dev(p->q)), set->index);
		kfree((void *) em->data);
	}
}

static int em_ipset_match(struct sk_buff *skb, struct tcf_ematch *em,
			  struct tcf_pkt_info *info)
{
	struct ip_set_adt_opt opt;
	struct xt_action_param acpar;
	const struct xt_set_info *set = (const void *) em->data;
	struct net_device *dev, *indev = NULL;
	int ret, network_offset;

	switch (skb->protocol) {
	case htons(ETH_P_IP):
		acpar.family = NFPROTO_IPV4;
		if (!pskb_network_may_pull(skb, sizeof(struct iphdr)))
			return 0;
		acpar.thoff = ip_hdrlen(skb);
		break;
	case htons(ETH_P_IPV6):
		acpar.family = NFPROTO_IPV6;
		if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr)))
			return 0;
		/* doesn't call ipv6_find_hdr() because ipset doesn't use thoff, yet */
		acpar.thoff = sizeof(struct ipv6hdr);
		break;
	default:
		return 0;
	}

	acpar.hooknum = 0;

	opt.family = acpar.family;
	opt.dim = set->dim;
	opt.flags = set->flags;
	opt.cmdflags = 0;
	opt.ext.timeout = ~0u;

	network_offset = skb_network_offset(skb);
	skb_pull(skb, network_offset);

	dev = skb->dev;

	rcu_read_lock();

	if (dev && skb->skb_iif)
		indev = dev_get_by_index_rcu(dev_net(dev), skb->skb_iif);

	acpar.in      = indev ? indev : dev;
	acpar.out     = dev;

	ret = ip_set_test(set->index, skb, &acpar, &opt);

	rcu_read_unlock();

	skb_push(skb, network_offset);
	return ret;
}

static struct tcf_ematch_ops em_ipset_ops = {
	.kind	  = TCF_EM_IPSET,
	.change	  = em_ipset_change,
	.destroy  = em_ipset_destroy,
	.match	  = em_ipset_match,
	.owner	  = THIS_MODULE,
	.link	  = LIST_HEAD_INIT(em_ipset_ops.link)
};

static int __init init_em_ipset(void)
{
	return tcf_em_register(&em_ipset_ops);
}

static void __exit exit_em_ipset(void)
{
	tcf_em_unregister(&em_ipset_ops);
}

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
MODULE_DESCRIPTION("TC extended match for IP sets");

module_init(init_em_ipset);
module_exit(exit_em_ipset);

MODULE_ALIAS_TCF_EMATCH(TCF_EM_IPSET);
net: sched: add ipset ematch Can be used to match packets against netfilter ip sets created via ipset(8). skb->sk_iif is used as 'incoming interface', skb->dev is 'outgoing interface'. Since ipset is usually called from netfilter, the ematch initializes a fake xt_action_param, pulls the ip header into the linear area and also sets skb->data to the IP header (otherwise matching Layer 4 set types doesn't work). Tested-by: Mr Dash Four <mr.dash.four@googlemail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-07-11 10:56:57 +00:00			`/*`
			`* net/sched/em_ipset.c ipset ematch`
			`*`
			`* Copyright (c) 2012 Florian Westphal <fw@strlen.de>`
			`*`
			`* This program is free software; you can redistribute it and/or`
			`* modify it under the terms of the GNU General Public License`
			`* version 2 as published by the Free Software Foundation.`
			`*/`

			`#include <linux/gfp.h>`
			`#include <linux/module.h>`
			`#include <linux/types.h>`
			`#include <linux/kernel.h>`
			`#include <linux/string.h>`
			`#include <linux/skbuff.h>`
			`#include <linux/netfilter/xt_set.h>`
			`#include <linux/ipv6.h>`
			`#include <net/ip.h>`
			`#include <net/pkt_cls.h>`

			`static int em_ipset_change(struct tcf_proto tp, void data, int data_len,`
			`struct tcf_ematch *em)`
			`{`
			`struct xt_set_info *set = data;`
			`ip_set_id_t index;`
em_ipset: use dev_net() accessor Randy found that if network namespace not enabled then nd_net does not exist and would cause compilation failure. This is handled correctly by using the dev_net() macro. Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-10-16 17:29:34 -07:00			`struct net *net = dev_net(qdisc_dev(tp->q));`
net: sched: add ipset ematch Can be used to match packets against netfilter ip sets created via ipset(8). skb->sk_iif is used as 'incoming interface', skb->dev is 'outgoing interface'. Since ipset is usually called from netfilter, the ematch initializes a fake xt_action_param, pulls the ip header into the linear area and also sets skb->data to the IP header (otherwise matching Layer 4 set types doesn't work). Tested-by: Mr Dash Four <mr.dash.four@googlemail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-07-11 10:56:57 +00:00
			`if (data_len != sizeof(*set))`
			`return -EINVAL;`

netfiler: ipset: Add net namespace for ipset This patch adds netns support for ipset. Major changes were made in ip_set_core.c and ip_set.h. Global variables are moved to per net namespace. Added initialization code and the destruction of the network namespace ipset subsystem. In the prototypes of public functions ip_set_* added parameter "struct net". The remaining corrections related to the change prototypes of public functions ip_set_. The patch for git://git.netfilter.org/ipset.git commit 6a4ec96c0b8caac5c35474e40e319704d92ca347 Signed-off-by: Vitaly Lavrov <lve@guap.ru> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2013-09-30 17:07:02 +02:00			`index = ip_set_nfnl_get_byindex(net, set->index);`
net: sched: add ipset ematch Can be used to match packets against netfilter ip sets created via ipset(8). skb->sk_iif is used as 'incoming interface', skb->dev is 'outgoing interface'. Since ipset is usually called from netfilter, the ematch initializes a fake xt_action_param, pulls the ip header into the linear area and also sets skb->data to the IP header (otherwise matching Layer 4 set types doesn't work). Tested-by: Mr Dash Four <mr.dash.four@googlemail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-07-11 10:56:57 +00:00			`if (index == IPSET_INVALID_ID)`
			`return -ENOENT;`

			`em->datalen = sizeof(*set);`
			`em->data = (unsigned long)kmemdup(data, em->datalen, GFP_KERNEL);`
			`if (em->data)`
			`return 0;`

netfiler: ipset: Add net namespace for ipset This patch adds netns support for ipset. Major changes were made in ip_set_core.c and ip_set.h. Global variables are moved to per net namespace. Added initialization code and the destruction of the network namespace ipset subsystem. In the prototypes of public functions ip_set_* added parameter "struct net". The remaining corrections related to the change prototypes of public functions ip_set_. The patch for git://git.netfilter.org/ipset.git commit 6a4ec96c0b8caac5c35474e40e319704d92ca347 Signed-off-by: Vitaly Lavrov <lve@guap.ru> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2013-09-30 17:07:02 +02:00			`ip_set_nfnl_put(net, index);`
net: sched: add ipset ematch Can be used to match packets against netfilter ip sets created via ipset(8). skb->sk_iif is used as 'incoming interface', skb->dev is 'outgoing interface'. Since ipset is usually called from netfilter, the ematch initializes a fake xt_action_param, pulls the ip header into the linear area and also sets skb->data to the IP header (otherwise matching Layer 4 set types doesn't work). Tested-by: Mr Dash Four <mr.dash.four@googlemail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-07-11 10:56:57 +00:00			`return -ENOMEM;`
			`}`

			`static void em_ipset_destroy(struct tcf_proto p, struct tcf_ematch em)`
			`{`
			`const struct xt_set_info set = (const void ) em->data;`
			`if (set) {`
em_ipset: use dev_net() accessor Randy found that if network namespace not enabled then nd_net does not exist and would cause compilation failure. This is handled correctly by using the dev_net() macro. Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-10-16 17:29:34 -07:00			`ip_set_nfnl_put(dev_net(qdisc_dev(p->q)), set->index);`
net: sched: add ipset ematch Can be used to match packets against netfilter ip sets created via ipset(8). skb->sk_iif is used as 'incoming interface', skb->dev is 'outgoing interface'. Since ipset is usually called from netfilter, the ematch initializes a fake xt_action_param, pulls the ip header into the linear area and also sets skb->data to the IP header (otherwise matching Layer 4 set types doesn't work). Tested-by: Mr Dash Four <mr.dash.four@googlemail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-07-11 10:56:57 +00:00			`kfree((void *) em->data);`
			`}`
			`}`

			`static int em_ipset_match(struct sk_buff skb, struct tcf_ematch em,`
			`struct tcf_pkt_info *info)`
			`{`
			`struct ip_set_adt_opt opt;`
			`struct xt_action_param acpar;`
			`const struct xt_set_info set = (const void ) em->data;`
			`struct net_device dev, indev = NULL;`
			`int ret, network_offset;`

			`switch (skb->protocol) {`
			`case htons(ETH_P_IP):`
			`acpar.family = NFPROTO_IPV4;`
			`if (!pskb_network_may_pull(skb, sizeof(struct iphdr)))`
			`return 0;`
			`acpar.thoff = ip_hdrlen(skb);`
			`break;`
			`case htons(ETH_P_IPV6):`
			`acpar.family = NFPROTO_IPV6;`
			`if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr)))`
			`return 0;`
			`/* doesn't call ipv6_find_hdr() because ipset doesn't use thoff, yet */`
			`acpar.thoff = sizeof(struct ipv6hdr);`
			`break;`
			`default:`
			`return 0;`
			`}`

			`acpar.hooknum = 0;`

			`opt.family = acpar.family;`
			`opt.dim = set->dim;`
			`opt.flags = set->flags;`
			`opt.cmdflags = 0;`
netfilter: ipset: Introduce extensions to elements in the core Introduce extensions to elements in the core and prepare timeout as the first one. This patch also modifies the em_ipset classifier to use the new extension struct layout. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2013-04-27 14:28:55 +02:00			`opt.ext.timeout = ~0u;`
net: sched: add ipset ematch Can be used to match packets against netfilter ip sets created via ipset(8). skb->sk_iif is used as 'incoming interface', skb->dev is 'outgoing interface'. Since ipset is usually called from netfilter, the ematch initializes a fake xt_action_param, pulls the ip header into the linear area and also sets skb->data to the IP header (otherwise matching Layer 4 set types doesn't work). Tested-by: Mr Dash Four <mr.dash.four@googlemail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-07-11 10:56:57 +00:00
			`network_offset = skb_network_offset(skb);`
			`skb_pull(skb, network_offset);`

			`dev = skb->dev;`

			`rcu_read_lock();`

			`if (dev && skb->skb_iif)`
			`indev = dev_get_by_index_rcu(dev_net(dev), skb->skb_iif);`

			`acpar.in = indev ? indev : dev;`
			`acpar.out = dev;`

			`ret = ip_set_test(set->index, skb, &acpar, &opt);`

			`rcu_read_unlock();`

			`skb_push(skb, network_offset);`
			`return ret;`
			`}`

			`static struct tcf_ematch_ops em_ipset_ops = {`
			`.kind = TCF_EM_IPSET,`
			`.change = em_ipset_change,`
			`.destroy = em_ipset_destroy,`
			`.match = em_ipset_match,`
			`.owner = THIS_MODULE,`
			`.link = LIST_HEAD_INIT(em_ipset_ops.link)`
			`};`

			`static int __init init_em_ipset(void)`
			`{`
			`return tcf_em_register(&em_ipset_ops);`
			`}`

			`static void __exit exit_em_ipset(void)`
			`{`
			`tcf_em_unregister(&em_ipset_ops);`
			`}`

			`MODULE_LICENSE("GPL");`
			`MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");`
			`MODULE_DESCRIPTION("TC extended match for IP sets");`

			`module_init(init_em_ipset);`
			`module_exit(exit_em_ipset);`

			`MODULE_ALIAS_TCF_EMATCH(TCF_EM_IPSET);`