[0/5] RFC: Add new ip/net,port,ip/net,port sets

Message ID 20181216213039.399-1-oliver@uptheinter.net

Message

Oliver Smith Dec. 16, 2018, 9:30 p.m. UTC
Hi all,

The proceeding patch-set adds three new sets for usage:

* ip,port,ip,port
* ip,port,net,port
* net,port,net,port

I would like to solicit some feedback as I am fairly certain that there
are bugs or possibly backwards-incompatibility in the implementation
as it stands.

Most notably, I ran into loss of elements when resizing and had to
significantly rework how the insertion is done. For a good example of
this, see the IPv6 uadt function for ip,port,net,port. I suspect there
is an underlying issue that should be resolved and that the current
behaviour is essentially a sub-optimal workaround.

I also have patches that apply to the mainline kernel which are
identical to the code that is part of the main ipset package.

Cheers,
Oliver.

Oliver Smith (5):
  ipset: Support sets with 4 individual elements and an extra port
  ipset: Implement ip,port,ip,port hash set.
  ipset: Implement ip,port,net,port hash set.
  ipset: Implement net,port,net,port hash set.
  lib/ipset.c: Fix a compilation failure when using --enable-debug

 include/libipset/data.h                       |   6 +
 include/libipset/linux_ip_set.h               |   5 +
 include/libipset/types.h                      |   2 +-
 kernel/include/linux/netfilter/ipset/ip_set.h |   4 +-
 .../uapi/linux/netfilter/ipset/ip_set.h       |   5 +
 kernel/net/netfilter/ipset/Kbuild             |   2 +
 kernel/net/netfilter/ipset/Kconfig            |  31 +-
 .../ipset/ip_set_hash_ipportipport.c          | 436 ++++++++++++
 .../ipset/ip_set_hash_ipportnetport.c         | 612 ++++++++++++++++
 .../ipset/ip_set_hash_netportnetport.c        | 662 ++++++++++++++++++
 lib/Makefile.am                               |   3 +
 lib/data.c                                    |  14 +
 lib/debug.c                                   |   2 +
 lib/ipset.c                                   |   1 +
 lib/ipset_hash_ipportipport.c                 | 144 ++++
 lib/ipset_hash_ipportnetport.c                | 152 ++++
 lib/ipset_hash_netportnetport.c               | 149 ++++
 lib/parse.c                                   |  40 +-
 lib/print.c                                   |  28 +-
 lib/session.c                                 |   8 +
 tests/hash:ip,port,ip,port.t                  | 159 +++++
 tests/hash:ip,port,ip,port.t.list0            |  11 +
 tests/hash:ip,port,ip,port.t.list1            |   7 +
 tests/hash:ip,port,net,port.t                 | 183 +++++
 tests/hash:ip,port,net,port.t.list0           |  11 +
 tests/hash:ip6,port,ip6,port.t                | 115 +++
 tests/hash:ip6,port,ip6,port.t.list0          |  12 +
 tests/hash:ip6,port,ip6,port.t.list1          |   7 +
 tests/hash:ip6,port,net6,port.t               | 143 ++++
 tests/hash:ip6,port,net6,port.t.list0         |  11 +
 tests/hash:net,port,net,port.t                | 191 +++++
 tests/hash:net,port,net,port.t.list0          |  11 +
 tests/hash:net6,port,net6,port.t              | 157 +++++
 tests/hash:net6,port,net6,port.t.list0        |  11 +
 tests/resizet.sh                              |  24 +
 tests/runtest.sh                              |   3 +
 36 files changed, 3344 insertions(+), 18 deletions(-)
 create mode 100644 kernel/net/netfilter/ipset/ip_set_hash_ipportipport.c
 create mode 100644 kernel/net/netfilter/ipset/ip_set_hash_ipportnetport.c
 create mode 100644 kernel/net/netfilter/ipset/ip_set_hash_netportnetport.c
 create mode 100644 lib/ipset_hash_ipportipport.c
 create mode 100644 lib/ipset_hash_ipportnetport.c
 create mode 100644 lib/ipset_hash_netportnetport.c
 create mode 100644 tests/hash:ip,port,ip,port.t
 create mode 100644 tests/hash:ip,port,ip,port.t.list0
 create mode 100644 tests/hash:ip,port,ip,port.t.list1
 create mode 100644 tests/hash:ip,port,net,port.t
 create mode 100644 tests/hash:ip,port,net,port.t.list0
 create mode 100644 tests/hash:ip6,port,ip6,port.t
 create mode 100644 tests/hash:ip6,port,ip6,port.t.list0
 create mode 100644 tests/hash:ip6,port,ip6,port.t.list1
 create mode 100644 tests/hash:ip6,port,net6,port.t
 create mode 100644 tests/hash:ip6,port,net6,port.t.list0
 create mode 100644 tests/hash:net,port,net,port.t
 create mode 100644 tests/hash:net,port,net,port.t.list0
 create mode 100644 tests/hash:net6,port,net6,port.t
 create mode 100644 tests/hash:net6,port,net6,port.t.list0

Comments

Jozsef Kadlecsik Dec. 18, 2018, 12:23 p.m. UTC | #1
Hi Oliver,

On Sun, 16 Dec 2018, Oliver Smith wrote:

> The proceeding patch-set adds three new sets for usage:
> 
> * ip,port,ip,port
> * ip,port,net,port
> * net,port,net,port
> 
> I would like to solicit some feedback as I am fairly certain that there 
> are bugs or possibly backwards-incompatibility in the implementation as 
> it stands.

Before discussing the implementation, I'd like to know the use case in 
which the four-dimensional sets are useful. The client port numbers are 
randomly chosen. So what does it give us if we store and look up that info 
as well?

Best regards,
Jozsef
 
> Most notably, I ran into loss of elements when resizing and had to
> significantly rework how the insertion is done. For a good example of
> this, see the IPv6 uadt function for ip,port,net,port. I suspect there
> is an underlying issue that should be resolved and that the current
> behaviour is essentially a sub-optimal workaround.
> 
> I also have patches that apply to the mainline kernel which are
> identical to the code that is part of the main ipset package.
> 
> Cheers,
> Oliver.

-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary