From patchwork Sun Dec 16 21:30:37 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Oliver Smith X-Patchwork-Id: 1014207 X-Patchwork-Delegate: kadlec@blackhole.kfki.hu Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=quarantine dis=none) header.from=uptheinter.net Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=uptheinter.net header.i=@uptheinter.net header.b="iBMBuZdn"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43HyKb6HWnz9sB5 for ; Mon, 17 Dec 2018 08:36:51 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730940AbeLPVgl (ORCPT ); Sun, 16 Dec 2018 16:36:41 -0500 Received: from mail.uptheinter.net ([77.74.193.35]:39823 "EHLO mail.uptheinter.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730919AbeLPVgk (ORCPT ); Sun, 16 Dec 2018 16:36:40 -0500 Received: from localhost (localhost [127.0.0.1]) by mail.uptheinter.net (Postfix) with ESMTP id A8F4FA26EC for ; Sun, 16 Dec 2018 21:31:01 +0000 (GMT) X-DKIM: Sendmail DKIM Filter v2.7.2 mail.uptheinter.net A8F4FA26EC DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uptheinter.net; s=default; t=1544995861; bh=gSCw/XJ2ctzzaq4MXcx6TY/YAmqDAbxdxzsow6t Y0eA=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version:Content-Transfer-Encoding; b=iBMBuZdn+ILeDji7sgsbNR1U I6B5aK6OIweoywaMUQZQrT5W4NU9wvgtA4JDU8yvAw0UwJmkPK6l4f31IyESRNKSyts Emd9rz0Yf2+93cz+6oDyWytCN/76s+7MA7R2iZZF9jH2IX+KAfbTMLsrNQ1jBgUl8Gg NyJioMAbCxGmU= X-Virus-Scanned: amavisd-new at example.com Received: from mail.uptheinter.net ([127.0.0.1]) by localhost (mail.uptheinter.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 9CkiPEEy2OUA for ; Sun, 16 Dec 2018 21:30:52 +0000 (GMT) From: Oliver Smith To: netfilter-devel@vger.kernel.org Subject: [PATCH 3/5] ipset: Implement ip,port,net,port hash set. Date: Sun, 16 Dec 2018 21:30:37 +0000 Message-Id: <20181216213039.399-4-oliver@uptheinter.net> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20181216213039.399-1-oliver@uptheinter.net> References: <20181216213039.399-1-oliver@uptheinter.net> MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org This commit adds a new set providing storage for one IP address, a subnet and two ports. The most common use case for this is matching a source IP/net+port to a destination IP/net+port. Ranges of ports are supported using the logic that every port in range A (the second argument) will have an entry created for all values in range B (the fourth argument) For example: ipset add 1.1.1.1,11-12,2.2.2.2/24,13-14 Will result in: * 1.1.1.1,11,2.2.2.0/24,13 * 1.1.1.1,11,2.2.2.0/24,14 * 1.1.1.1,12,2.2.2.0/24,13 * 1.1.1.1,12,2.2.2.0/24,14 Tests have been added to verify the functionality. Signed-off-by: Oliver Smith --- kernel/net/netfilter/ipset/Kbuild | 1 + kernel/net/netfilter/ipset/Kconfig | 10 + .../ipset/ip_set_hash_ipportnetport.c | 612 ++++++++++++++++++ lib/Makefile.am | 1 + lib/ipset_hash_ipportnetport.c | 152 +++++ tests/hash:ip,port,net,port.t | 183 ++++++ tests/hash:ip,port,net,port.t.list0 | 11 + tests/hash:ip6,port,net6,port.t | 143 ++++ tests/hash:ip6,port,net6,port.t.list0 | 11 + tests/resizet.sh | 8 + tests/runtest.sh | 1 + 11 files changed, 1133 insertions(+) create mode 100644 kernel/net/netfilter/ipset/ip_set_hash_ipportnetport.c create mode 100644 lib/ipset_hash_ipportnetport.c create mode 100644 tests/hash:ip,port,net,port.t create mode 100644 tests/hash:ip,port,net,port.t.list0 create mode 100644 tests/hash:ip6,port,net6,port.t create mode 100644 tests/hash:ip6,port,net6,port.t.list0 diff --git a/kernel/net/netfilter/ipset/Kbuild b/kernel/net/netfilter/ipset/Kbuild index 9f624d6..8ec680b 100644 --- a/kernel/net/netfilter/ipset/Kbuild +++ b/kernel/net/netfilter/ipset/Kbuild @@ -9,6 +9,7 @@ obj-m += ip_set_hash_ipportnet.o ip_set_hash_ipmac.o ip_set_hash_ipmark.o obj-m += ip_set_hash_net.o ip_set_hash_netport.o ip_set_hash_netiface.o obj-m += ip_set_hash_netnet.o ip_set_hash_netportnet.o ip_set_hash_mac.o obj-m += ip_set_hash_ipportipport.o +obj-m += ip_set_hash_ipportnetport.o obj-m += ip_set_list_set.o # It's for me... diff --git a/kernel/net/netfilter/ipset/Kconfig b/kernel/net/netfilter/ipset/Kconfig index b9bf30a..2de1664 100644 --- a/kernel/net/netfilter/ipset/Kconfig +++ b/kernel/net/netfilter/ipset/Kconfig @@ -109,6 +109,16 @@ config IP_SET_HASH_IPPORTNET To compile it as a module, choose M here. If unsure, say N. +config IP_SET_HASH_IPPORTNETPORT + tristate "hash:ip,port,net,port set support" + depends on IP_SET + help + This option adds the hash:ip,port,net,port set type support, by which + one can store IPv4/IPv6 address, protocol/port, and IPv4/IPv6 + network address/prefix quadruples in a set. + + To compile it as a module, choose M here. If unsure, say N. + config IP_SET_HASH_IPMAC tristate "hash:ip,mac set support" depends on IP_SET diff --git a/kernel/net/netfilter/ipset/ip_set_hash_ipportnetport.c b/kernel/net/netfilter/ipset/ip_set_hash_ipportnetport.c new file mode 100644 index 0000000..e47f969 --- /dev/null +++ b/kernel/net/netfilter/ipset/ip_set_hash_ipportnetport.c @@ -0,0 +1,612 @@ +/* Copyright (C) 2003-2013 Jozsef Kadlecsik + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +/* Kernel module implementing an IP set type: the hash:ip,port,net type */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#define IPSET_TYPE_REV_MIN 0 +#define IPSET_TYPE_REV_MAX 0 + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Oliver Smith "); +IP_SET_MODULE_DESC("hash:ip,port,net,port", IPSET_TYPE_REV_MIN, + IPSET_TYPE_REV_MAX); +MODULE_ALIAS("ip_set_hash:ip,port,net,port"); + +/* Type specific function prefix */ +#define HTYPE hash_ipportnetport + +/* We squeeze the "nomatch" flag into cidr: we don't support cidr == 0 + * However this way we have to store internally cidr - 1, + * dancing back and forth. + */ +#define IP_SET_HASH_WITH_NETS_PACKED +#define IP_SET_HASH_WITH_PROTO +#define IP_SET_HASH_WITH_NETS + +/* IPv4 variant */ + +/* Member elements */ +struct hash_ipportnetport4_elem { + __be32 ip; + __be32 ip2; + union { + __be16 port[2]; + __be32 portcmp; + }; + u8 cidr:7; + u8 nomatch:1; + u8 proto; +}; + +/* Common functions */ + +static inline bool +hash_ipportnetport4_data_equal(const struct hash_ipportnetport4_elem *ip1, + const struct hash_ipportnetport4_elem *ip2, + u32 *multi) +{ + return ip1->ip == ip2->ip && + ip1->ip2 == ip2->ip2 && + ip1->cidr == ip2->cidr && + ip1->portcmp == ip2->portcmp && + ip1->proto == ip2->proto; +} + +static inline int +hash_ipportnetport4_do_data_match(const struct hash_ipportnetport4_elem *elem) +{ + return elem->nomatch ? -ENOTEMPTY : 1; +} + +static inline void +hash_ipportnetport4_data_set_flags(struct hash_ipportnetport4_elem *elem, + u32 flags) +{ + elem->nomatch = !!((flags >> 16) & IPSET_FLAG_NOMATCH); +} + +static inline void +hash_ipportnetport4_data_reset_flags(struct hash_ipportnetport4_elem *elem, + u8 *flags) +{ + swap(*flags, elem->nomatch); +} + +static inline void +hash_ipportnetport4_data_netmask(struct hash_ipportnetport4_elem *elem, u8 cidr) +{ + elem->ip2 &= ip_set_netmask(cidr); + elem->cidr = cidr - 1; +} + +static bool +hash_ipportnetport4_data_list(struct sk_buff *skb, + const struct hash_ipportnetport4_elem *data) +{ + u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0; + + if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) || + nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip2) || + nla_put_net16(skb, IPSET_ATTR_PORT, data->port[0]) || + nla_put_net16(skb, IPSET_ATTR_PORT2, data->port[1]) || + nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr + 1) || + nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) || + (flags && + nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags)))) + goto nla_put_failure; + return false; + +nla_put_failure: + return true; +} + +static inline void +hash_ipportnetport4_data_next(struct hash_ipportnetport4_elem *next, + const struct hash_ipportnetport4_elem *d) +{ + next->ip = d->ip; + next->portcmp = d->portcmp; + next->ip2 = d->ip2; +} + +#define MTYPE hash_ipportnetport4 +#define HOST_MASK 32 +#include "ip_set_hash_gen.h" + +static int +hash_ipportnetport4_kadt(struct ip_set *set, const struct sk_buff *skb, + const struct xt_action_param *par, + enum ipset_adt adt, struct ip_set_adt_opt *opt) +{ + const struct hash_ipportnetport4 *h = set->data; + ipset_adtfn adtfn = set->variant->adt[adt]; + struct hash_ipportnetport4_elem e = { + .cidr = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK), + }; + struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); + + if (adt == IPSET_TEST) + e.cidr = HOST_MASK - 1; + + if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC, + &e.port[0], &e.proto)) + return -EINVAL; + if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_FOUR_SRC, + &e.port[1], &e.proto)) + return -EINVAL; + + ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip); + ip4addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &e.ip2); + e.ip2 &= ip_set_netmask(e.cidr + 1); + + return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); +} + +static int +hash_ipportnetport4_uadt(struct ip_set *set, struct nlattr *tb[], + enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) +{ + const struct hash_ipportnetport4 *h = set->data; + ipset_adtfn adtfn = set->variant->adt[adt]; + struct hash_ipportnetport4_elem e = { .cidr = HOST_MASK - 1 }; + struct ip_set_ext ext = IP_SET_INIT_UEXT(set); + u32 ip = 0, ip_to = 0, p = 0, p2 = 0, port, port_to, port2, port2_to; + u32 ip2_from = 0, ip2_to = 0, ip2; + bool with_ports = false; + u8 cidr; + int ret; + + if (tb[IPSET_ATTR_LINENO]) + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); + + if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT2) || + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT2_TO) || + !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS))) + return -IPSET_ERR_PROTOCOL; + + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip); + if (ret) + return ret; + + ret = ip_set_get_extensions(set, tb, &ext); + if (ret) + return ret; + + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2], &ip2_from); + if (ret) + return ret; + + if (tb[IPSET_ATTR_CIDR2]) { + cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]); + if (!cidr || cidr > HOST_MASK) + return -IPSET_ERR_INVALID_CIDR; + e.cidr = cidr - 1; + } + + e.port[0] = nla_get_be16(tb[IPSET_ATTR_PORT]); + e.port[1] = nla_get_be16(tb[IPSET_ATTR_PORT2]); + + if (tb[IPSET_ATTR_PROTO]) { + e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); + with_ports = ip_set_proto_with_ports(e.proto); + + if (e.proto == 0) + return -IPSET_ERR_INVALID_PROTO; + } else { + return -IPSET_ERR_MISSING_PROTO; + } + + if (!(with_ports || e.proto == IPPROTO_ICMP)) + e.portcmp = 0; + + if (tb[IPSET_ATTR_CADT_FLAGS]) { + u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); + + if (cadt_flags & IPSET_FLAG_NOMATCH) + flags |= (IPSET_FLAG_NOMATCH << 16); + } + + with_ports = with_ports && (tb[IPSET_ATTR_PORT_TO] || + tb[IPSET_ATTR_PORT2_TO]); + if (adt == IPSET_TEST || + !(tb[IPSET_ATTR_CIDR] || tb[IPSET_ATTR_IP_TO] || with_ports || + tb[IPSET_ATTR_IP2_TO])) { + e.ip = htonl(ip); + e.ip2 = htonl(ip2_from & ip_set_hostmask(e.cidr + 1)); + ret = adtfn(set, &e, &ext, &ext, flags); + return ip_set_enomatch(ret, flags, adt, set) ? -ret : + ip_set_eexist(ret, flags) ? 0 : ret; + } + + ip_to = ip; + if (tb[IPSET_ATTR_IP_TO]) { + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); + if (ret) + return ret; + if (ip > ip_to) + swap(ip, ip_to); + } else if (tb[IPSET_ATTR_CIDR]) { + cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); + + if (!cidr || cidr > HOST_MASK) + return -IPSET_ERR_INVALID_CIDR; + ip_set_mask_from_to(ip, ip_to, cidr); + } + + port_to = port = ntohs(e.port[0]); + if (tb[IPSET_ATTR_PORT_TO]) { + port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]); + if (port > port_to) + swap(port, port_to); + } + + port2_to = port2 = ntohs(e.port[1]); + if (tb[IPSET_ATTR_PORT2_TO]) { + port2_to = ip_set_get_h16(tb[IPSET_ATTR_PORT2_TO]); + if (port2 > port2_to) + swap(port2, port2_to); + } + + ip2_to = ip2_from; + if (tb[IPSET_ATTR_IP2_TO]) { + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2_TO], &ip2_to); + if (ret) + return ret; + if (ip2_from > ip2_to) + swap(ip2_from, ip2_to); + if (ip2_from + UINT_MAX == ip2_to) + return -IPSET_ERR_HASH_RANGE; + } else { + ip_set_mask_from_to(ip2_from, ip2_to, e.cidr + 1); + } + + if (retried) { + ip = ntohl(h->next.ip); + p = ntohs(h->next.port[0]); + p2 = ntohs(h->next.port[1]); + ip2 = ntohl(h->next.ip2); + } else { + p = port; + p2 = port2; + ip2 = ip2_from; + } + for (; ip <= ip_to; ip++) { + e.ip = htonl(ip); + for (; p <= port_to; p++) { + e.port[0] = htons(p); + for (; p2 <= port2_to; p2++) { + e.port[1] = htons(p2); + do { + e.ip2 = htonl(ip2); + ip2 = ip_set_range_to_cidr(ip2, + ip2_to, + &cidr); + e.cidr = cidr - 1; + ret = adtfn(set, &e, &ext, &ext, flags); + + if (ret && !ip_set_eexist(ret, flags)) + return ret; + + ret = 0; + } while (ip2++ < ip2_to); + ip2 = ip2_from; + } + p2 = port2; + } + p = port; + } + return ret; +} + +/* IPv6 variant */ + +struct hash_ipportnetport6_elem { + union nf_inet_addr ip; + union nf_inet_addr ip2; + union { + __be16 port[2]; + __be32 portcmp; + }; + u8 cidr:7; + u8 nomatch:1; + u8 proto; + u16 padding; +}; + +/* Common functions */ + +static inline bool +hash_ipportnetport6_data_equal(const struct hash_ipportnetport6_elem *ip1, + const struct hash_ipportnetport6_elem *ip2, + u32 *multi) +{ + return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6) && + ipv6_addr_equal(&ip1->ip2.in6, &ip2->ip2.in6) && + ip1->cidr == ip2->cidr && + ip1->portcmp == ip2->portcmp && + ip1->proto == ip2->proto; +} + +static inline int +hash_ipportnetport6_do_data_match(const struct hash_ipportnetport6_elem *elem) +{ + return elem->nomatch ? -ENOTEMPTY : 1; +} + +static inline void +hash_ipportnetport6_data_set_flags(struct hash_ipportnetport6_elem *elem, + u32 flags) +{ + elem->nomatch = !!((flags >> 16) & IPSET_FLAG_NOMATCH); +} + +static inline void +hash_ipportnetport6_data_reset_flags(struct hash_ipportnetport6_elem *elem, + u8 *flags) +{ + swap(*flags, elem->nomatch); +} + +static inline void +hash_ipportnetport6_data_netmask(struct hash_ipportnetport6_elem *elem, u8 cidr) +{ + ip6_netmask(&elem->ip2, cidr); + elem->cidr = cidr - 1; +} + +static bool +hash_ipportnetport6_data_list(struct sk_buff *skb, + const struct hash_ipportnetport6_elem *data) +{ + u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0; + + if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) || + nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip2.in6) || + nla_put_net16(skb, IPSET_ATTR_PORT, data->port[0]) || + nla_put_net16(skb, IPSET_ATTR_PORT2, data->port[1]) || + nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr + 1) || + nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) || + (flags && + nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags)))) + goto nla_put_failure; + return false; + +nla_put_failure: + return true; +} + +static inline void +hash_ipportnetport6_data_next(struct hash_ipportnetport6_elem *next, + const struct hash_ipportnetport6_elem *d) +{ + next->portcmp = d->portcmp; +} + +#undef MTYPE +#undef HOST_MASK + +#define MTYPE hash_ipportnetport6 +#define HOST_MASK 128 +#define IP_SET_EMIT_CREATE +#include "ip_set_hash_gen.h" + +static int +hash_ipportnetport6_kadt(struct ip_set *set, const struct sk_buff *skb, + const struct xt_action_param *par, + enum ipset_adt adt, struct ip_set_adt_opt *opt) +{ + const struct hash_ipportnetport6 *h = set->data; + ipset_adtfn adtfn = set->variant->adt[adt]; + struct hash_ipportnetport6_elem e = { + .cidr = INIT_CIDR(h->nets[0].cidr[0], HOST_MASK), + }; + struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); + + if (adt == IPSET_TEST) + e.cidr = HOST_MASK - 1; + + if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC, + &e.port[0], &e.proto)) + return -EINVAL; + if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_FOUR_SRC, + &e.port[1], &e.proto)) + return -EINVAL; + + ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6); + ip6addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &e.ip2.in6); + ip6_netmask(&e.ip2, e.cidr + 1); + + return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); +} + +static int +hash_ipportnetport6_uadt(struct ip_set *set, struct nlattr *tb[], + enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) +{ + ipset_adtfn adtfn = set->variant->adt[adt]; + struct hash_ipportnetport6_elem e = { .cidr = HOST_MASK - 1 }; + struct ip_set_ext ext = IP_SET_INIT_UEXT(set); + u32 port, port_to, port2, port2_to, p2; + bool with_ports = false; + u8 cidr; + int ret; + + if (tb[IPSET_ATTR_LINENO]) + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); + + if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT2) || + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT2_TO) || + !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS))) + return -IPSET_ERR_PROTOCOL; + if (unlikely(tb[IPSET_ATTR_IP_TO])) + return -IPSET_ERR_HASH_RANGE_UNSUPPORTED; + if (unlikely(tb[IPSET_ATTR_CIDR])) { + cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); + + if (cidr != HOST_MASK) + return -IPSET_ERR_INVALID_CIDR; + } + + ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip); + if (ret) + return ret; + + ret = ip_set_get_extensions(set, tb, &ext); + if (ret) + return ret; + + ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &e.ip2); + if (ret) + return ret; + + if (tb[IPSET_ATTR_CIDR2]) { + cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]); + if (!cidr || cidr > HOST_MASK) + return -IPSET_ERR_INVALID_CIDR; + e.cidr = cidr - 1; + } + + ip6_netmask(&e.ip2, e.cidr + 1); + + e.port[0] = nla_get_be16(tb[IPSET_ATTR_PORT]); + e.port[1] = nla_get_be16(tb[IPSET_ATTR_PORT2]); + + if (tb[IPSET_ATTR_PROTO]) { + e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); + with_ports = ip_set_proto_with_ports(e.proto); + + if (e.proto == 0) + return -IPSET_ERR_INVALID_PROTO; + } else { + return -IPSET_ERR_MISSING_PROTO; + } + + if (!(with_ports || e.proto == IPPROTO_ICMPV6)) + e.portcmp = 0; + + if (tb[IPSET_ATTR_CADT_FLAGS]) { + u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]); + + if (cadt_flags & IPSET_FLAG_NOMATCH) + flags |= (IPSET_FLAG_NOMATCH << 16); + } + + if (adt == IPSET_TEST || !with_ports || (!tb[IPSET_ATTR_PORT_TO] && + !tb[IPSET_ATTR_PORT2_TO])) { + ret = adtfn(set, &e, &ext, &ext, flags); + return ip_set_enomatch(ret, flags, adt, set) ? -ret : + ip_set_eexist(ret, flags) ? 0 : ret; + } + + port = ntohs(e.port[0]); + port2 = ntohs(e.port[1]); + port_to = with_ports && tb[IPSET_ATTR_PORT_TO] ? + ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]) : port; + port2_to = with_ports && tb[IPSET_ATTR_PORT2_TO] ? + ip_set_get_h16(tb[IPSET_ATTR_PORT2_TO]) : port2; + if (port > port_to) + swap(port, port_to); + if (port2 > port2_to) + swap(port2, port2_to); + + for (; port <= port_to; port++) { + e.port[0] = htons(port); + for (p2 = port2; p2 <= port2_to; p2++) { + e.port[1] = htons(p2); + ret = adtfn(set, &e, &ext, &ext, flags); + + if (ret == -EAGAIN && !ip_set_eexist(ret, flags) ) + return ret; + + ret = 0; + } + } + return ret; +} + +static struct ip_set_type hash_ipportnetport_type __read_mostly = { + .name = "hash:ip,port,net,port", + .protocol = IPSET_PROTOCOL, + .features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2 | + IPSET_TYPE_PORT2 | IPSET_TYPE_NOMATCH, + .dimension = IPSET_DIM_FOUR, + .family = NFPROTO_UNSPEC, + .revision_min = IPSET_TYPE_REV_MIN, + .revision_max = IPSET_TYPE_REV_MAX, + .create = hash_ipportnetport_create, + .create_policy = { + [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 }, + [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 }, + [IPSET_ATTR_PROBES] = { .type = NLA_U8 }, + [IPSET_ATTR_RESIZE] = { .type = NLA_U8 }, + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, + [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, + }, + .adt_policy = { + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, + [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, + [IPSET_ATTR_IP2] = { .type = NLA_NESTED }, + [IPSET_ATTR_IP2_TO] = { .type = NLA_NESTED }, + [IPSET_ATTR_PORT] = { .type = NLA_U16 }, + [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 }, + [IPSET_ATTR_PORT2] = { .type = NLA_U16 }, + [IPSET_ATTR_PORT2_TO] = { .type = NLA_U16 }, + [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, + [IPSET_ATTR_CIDR2] = { .type = NLA_U8 }, + [IPSET_ATTR_PROTO] = { .type = NLA_U8 }, + [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, + [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, + [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, + [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING, + .len = IPSET_MAX_COMMENT_SIZE }, + [IPSET_ATTR_SKBMARK] = { .type = NLA_U64 }, + [IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 }, + [IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 }, + }, + .me = THIS_MODULE, +}; + +static int __init +hash_ipportnetport_init(void) +{ + return ip_set_type_register(&hash_ipportnetport_type); +} + +static void __exit +hash_ipportnetport_fini(void) +{ + rcu_barrier(); + ip_set_type_unregister(&hash_ipportnetport_type); +} + +module_init(hash_ipportnetport_init); +module_exit(hash_ipportnetport_fini); diff --git a/lib/Makefile.am b/lib/Makefile.am index f80df27..21ad735 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -10,6 +10,7 @@ IPSET_SETTYPE_LIST = \ ipset_hash_ipportip.c \ ipset_hash_ipportnet.c \ ipset_hash_ipportipport.c \ + ipset_hash_ipportnetport.c \ ipset_hash_net.c \ ipset_hash_netnet.c \ ipset_hash_netportnet.c \ diff --git a/lib/ipset_hash_ipportnetport.c b/lib/ipset_hash_ipportnetport.c new file mode 100644 index 0000000..f2a0d3b --- /dev/null +++ b/lib/ipset_hash_ipportnetport.c @@ -0,0 +1,152 @@ +/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu) + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#include /* IPSET_OPT_* */ +#include /* parser functions */ +#include /* printing functions */ +#include /* ipset_port_usage */ +#include /* prototypes */ + +/* skbinfo support */ +static struct ipset_type ipset_hash_ipportnetport0 = { + .name = "hash:ip,port,net,port", + .alias = { "ipportnetporthash", NULL }, + .revision = 0, + .family = NFPROTO_IPSET_IPV46, + .dimension = IPSET_DIM_FOUR, + .elem = { + [IPSET_DIM_ONE - 1] = { + .parse = ipset_parse_ip4_single6, + .print = ipset_print_ip, + .opt = IPSET_OPT_IP + }, + [IPSET_DIM_TWO - 1] = { + .parse = ipset_parse_proto_port, + .print = ipset_print_proto_port, + .opt = IPSET_OPT_PORT + }, + [IPSET_DIM_THREE - 1] = { + .parse = ipset_parse_ip4_net6, + .print = ipset_print_ip, + .opt = IPSET_OPT_IP2 + }, + [IPSET_DIM_FOUR - 1] = { + .parse = ipset_parse_proto_port, + .print = ipset_print_proto_port, + .opt = IPSET_OPT_PORT2 + }, + }, + .cmd = { + [IPSET_CREATE] = { + .args = { + IPSET_ARG_FAMILY, + /* Aliases */ + IPSET_ARG_INET, + IPSET_ARG_INET6, + IPSET_ARG_HASHSIZE, + IPSET_ARG_MAXELEM, + IPSET_ARG_TIMEOUT, + IPSET_ARG_COUNTERS, + IPSET_ARG_COMMENT, + IPSET_ARG_FORCEADD, + IPSET_ARG_SKBINFO, + /* Ignored options: backward compatibilty */ + IPSET_ARG_PROBES, + IPSET_ARG_RESIZE, + IPSET_ARG_IGNORED_FROM, + IPSET_ARG_IGNORED_TO, + IPSET_ARG_IGNORED_NETWORK, + IPSET_ARG_NONE, + }, + .need = 0, + .full = 0, + .help = "", + }, + [IPSET_ADD] = { + .args = { + IPSET_ARG_TIMEOUT, + IPSET_ARG_NOMATCH, + IPSET_ARG_PACKETS, + IPSET_ARG_BYTES, + IPSET_ARG_ADT_COMMENT, + IPSET_ARG_SKBMARK, + IPSET_ARG_SKBPRIO, + IPSET_ARG_SKBQUEUE, + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT2) + | IPSET_FLAG(IPSET_OPT_IP2), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT_TO) + | IPSET_FLAG(IPSET_OPT_PORT2) + | IPSET_FLAG(IPSET_OPT_PORT2_TO) + | IPSET_FLAG(IPSET_OPT_IP2) + | IPSET_FLAG(IPSET_OPT_CIDR2) + | IPSET_FLAG(IPSET_OPT_IP2_TO), + .help = "IP,[PROTO:]PORT,IP[/CIDR],PORT", + }, + [IPSET_DEL] = { + .args = { + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT2) + | IPSET_FLAG(IPSET_OPT_IP2), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT_TO) + | IPSET_FLAG(IPSET_OPT_PORT2) + | IPSET_FLAG(IPSET_OPT_PORT2_TO) + | IPSET_FLAG(IPSET_OPT_IP2) + | IPSET_FLAG(IPSET_OPT_CIDR2) + | IPSET_FLAG(IPSET_OPT_IP2_TO), + .help = "IP,[PROTO:]PORT,IP[/CIDR],PORT", + }, + [IPSET_TEST] = { + .args = { + IPSET_ARG_NOMATCH, + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT2) + | IPSET_FLAG(IPSET_OPT_IP2), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT2) + | IPSET_FLAG(IPSET_OPT_IP2) + | IPSET_FLAG(IPSET_OPT_CIDR2), + .help = "IP,[PROTO:]PORT,IP[/CIDR],PORT", + }, + }, + .usage = "where depending on the INET family\n" + " IP are valid IPv4 or IPv6 addresses (or hostnames),\n" + " CIDR is a valid IPv4 or IPv6 CIDR prefix.\n" + " Adding/deleting multiple elements in IP/CIDR or FROM-TO form\n" + " in the first IP component is supported for IPv4.\n" + " Adding/deleting multiple elements with TCP/SCTP/UDP/UDPLITE\n" + " port range is supported both for IPv4 and IPv6.", + .usagefn = ipset_port_usage, + .description = "Initial revision", +}; + +void _init(void); +void _init(void) +{ + ipset_type_add(&ipset_hash_ipportnetport0); +} diff --git a/tests/hash:ip,port,net,port.t b/tests/hash:ip,port,net,port.t new file mode 100644 index 0000000..39098c0 --- /dev/null +++ b/tests/hash:ip,port,net,port.t @@ -0,0 +1,183 @@ +# Create a set with timeout +0 ipset create test hash:ip,port,net,port timeout 4 +# Add partly zero valued element +0 ipset add test 2.0.0.1,0,192.168.0.0/24,0 +# Test partly zero valued element +0 ipset test test 2.0.0.1,0,192.168.0.0/24,0 +# Delete partly zero valued element +0 ipset del test 2.0.0.1,0,192.168.0.0/24,0 +# Add first random value +0 ipset add test 2.0.0.1,5,192.168.0.0/24,1 +# Add second random value +0 ipset add test 2.1.0.0,128,10.0.0.0/16,2 +# Test first random value +0 ipset test test 2.0.0.1,5,192.168.0.0/24,1 +# Test second random value +0 ipset test test 2.1.0.0,128,10.0.0.0/16,2 +# Test value not added to the set +1 ipset test test 2.0.0.1,4,10.0.0.0/16,1 +# Delete value not added to the set +1 ipset del test 2.0.0.1,6,10.0.0.0/16,1 +# Test value before first random value +1 ipset test test 2.0.0.0,5,192.168.0.0/24,1 +# Test value after second random value +1 ipset test test 2.1.0.1,128,10.0.0.0/16,2 +# Try to add value before first random value +0 ipset add test 2.0.0.0,5,192.168.0.0/25,5 +# Try to add value after second random value +0 ipset add test 2.1.0.1,128,10.0.0.0/17,6 +# List set +0 ipset list test | grep -v Revision: | sed 's/timeout ./timeout x/' > .foo0 && ./sort.sh .foo0 +# Check listing +0 diff -u -I 'Size in memory.*' .foo hash:ip,port,net,port.t.list0 +# Sleep 5s so that elements can time out +0 sleep 5 +# List set +0 n=`ipset save test|wc -l` && test $n -eq 1 +# Flush test set +0 ipset flush test +# Delete set +0 ipset destroy test +# Create set to add a range +0 ipset new test hash:ip,port,net,port hashsize 64 +# Add a range which forces a resizing +0 ipset add test 10.0.0.0-10.0.3.255,tcp:80-82,192.168.0.1/24,55-59 +# Check that correct number of elements are added +0 n=`ipset list test|grep '^10.0'|wc -l` && test $n -eq 15360 +# Destroy set +0 ipset -X test +# Create set to add a range and with range notation in the network +0 ipset new test hash:ip,port,net,port hashsize 64 +# Add a range which forces a resizing +0 ipset add test 10.0.0.0-10.0.3.255,tcp:80-82,192.168.0.0-192.168.2.255,99 +# Check that correct number of elements are added +0 n=`ipset list test|grep '^10.0'|wc -l` && test $n -eq 6144 +# Destroy set +0 ipset -X test +# Create test set with timeout support +0 ipset create test hash:ip,port,net,port timeout 30 +# Add a non-matching IP address entry +0 ipset -A test 2.2.2.2,80,1.1.1.1,123 nomatch +# Add an overlapping matching small net +0 ipset -A test 2.2.2.2,80,1.1.1.0/30,123 +# Add an overlapping non-matching larger net +0 ipset -A test 2.2.2.2,80,1.1.1.0/28,123 nomatch +# Add an even larger matching net +0 ipset -A test 2.2.2.2,80,1.1.1.0/26,123 +# Check non-matching IP +1 ipset -T test 2.2.2.2,80,1.1.1.1,123 +# Check matching IP from non-matching small net +0 ipset -T test 2.2.2.2,80,1.1.1.3,123 +# Check non-matching IP from larger net +1 ipset -T test 2.2.2.2,80,1.1.1.4,123 +# Check matching IP from even larger net +0 ipset -T test 2.2.2.2,80,1.1.1.16,123 +# Update non-matching IP to matching one +0 ipset -! -A test 2.2.2.2,80,1.1.1.1,123 +# Delete overlapping small net +0 ipset -D test 2.2.2.2,80,1.1.1.0/30,123 +# Check matching IP +0 ipset -T test 2.2.2.2,80,1.1.1.1,123 +# Add overlapping small net +0 ipset -A test 2.2.2.2,80,1.1.1.0/30,123 +# Update matching IP as a non-matching one, with shorter timeout +0 ipset -! -A test 2.2.2.2,80,1.1.1.1,123 nomatch timeout 2 +# Check non-matching IP +1 ipset -T test 2.2.2.2,80,1.1.1.1,123 +# Sleep 3s so that element can time out +0 sleep 3 +# Check non-matching IP +0 ipset -T test 2.2.2.2,80,1.1.1.1,123 +# Check matching IP +0 ipset -T test 2.2.2.2,80,1.1.1.3,123 +# Delete test set +0 ipset destroy test +# Create set +0 ipset create test hash:ip,port,net,port +# Add a single element +0 ipset add test 10.0.0.1,tcp:80,2.2.2.0/24,22 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 2 +# Delete the single element +0 ipset del test 10.0.0.1,tcp:80,2.2.2.0/24,22 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 1 +# Add an IP range +0 ipset add test 10.0.0.1-10.0.0.10,tcp:80,2.2.2.0/24,44-45 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 21 +# Delete the IP range +0 ipset del test 10.0.0.1-10.0.0.10,tcp:80,2.2.2.0/24,44-45 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 1 +# Add a port range +0 ipset add test 10.0.0.1,tcp:80-89,2.2.2.0/24,11-13 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 31 +# Delete the port range +0 ipset del test 10.0.0.1,tcp:80-89,2.2.2.0/24,11-13 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 1 +# Add an IP and port range +0 ipset add test 10.0.0.1-10.0.0.10,tcp:80-89,2.2.2.0/24,1111 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 101 +# Delete the IP and port range +0 ipset del test 10.0.0.1-10.0.0.10,tcp:80-89,2.2.2.0/24,1111 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 1 +# Destroy set +0 ipset -X test +# Timeout: Check that resizing keeps timeout values +0 ./resizet.sh -4 ipportnetport +# Nomatch: Check that resizing keeps the nomatch flag +0 ./resizen.sh -4 ipportnetport +# Counters: create set +0 ipset n test hash:ip,port,net,port counters +# Counters: add element with packet, byte counters +0 ipset a test 2.0.0.1,80,192.168.199.200,3 packets 5 bytes 3456 +# Counters: check element +0 ipset t test 2.0.0.1,80,192.168.199.200,3 +# Counters: check counters +0 ./check_counters test 2.0.0.1 5 3456 +# Counters: delete element +0 ipset d test 2.0.0.1,80,192.168.199.200,3 +# Counters: test deleted element +1 ipset t test 2.0.0.1,80,192.168.199.200,3 +# Counters: add element with packet, byte counters +0 ipset a test 2.0.0.20,453,10.0.0.1,1 packets 12 bytes 9876 +# Counters: check counters +0 ./check_counters test 2.0.0.20 12 9876 +# Counters: update counters +0 ipset -! a test 2.0.0.20,453,10.0.0.1,1 packets 13 bytes 12479 +# Counters: check counters +0 ./check_counters test 2.0.0.20 13 12479 +# Counters: destroy set +0 ipset x test +# Counters and timeout: create set +0 ipset n test hash:ip,port,net,port counters timeout 600 +# Counters and timeout: add element with packet, byte counters +0 ipset a test 2.0.0.1,80,192.168.199.200,23 packets 5 bytes 3456 +# Counters and timeout: check element +0 ipset t test 2.0.0.1,80,192.168.199.200,23 +# Counters and timeout: check counters +0 ./check_extensions test 2.0.0.1 600 5 3456 +# Counters and timeout: delete element +0 ipset d test 2.0.0.1,80,192.168.199.200,23 +# Counters and timeout: test deleted element +1 ipset t test 2.0.0.1,80,192.168.199.200,23 +# Counters and timeout: add element with packet, byte counters +0 ipset a test 2.0.0.20,453,10.0.0.1,23 packets 12 bytes 9876 +# Counters and timeout: check counters +0 ./check_extensions test 2.0.0.20 600 12 9876 +# Counters and timeout: update counters +0 ipset -! a test 2.0.0.20,453,10.0.0.1,23 packets 13 bytes 12479 +# Counters and timeout: check counters +0 ./check_extensions test 2.0.0.20 600 13 12479 +# Counters and timeout: update timeout +0 ipset -! a test 2.0.0.20,453,10.0.0.1,23 timeout 700 +# Counters and timeout: check counters +0 ./check_extensions test 2.0.0.20 700 13 12479 +# Counters and timeout: destroy set +0 ipset x test +# eof diff --git a/tests/hash:ip,port,net,port.t.list0 b/tests/hash:ip,port,net,port.t.list0 new file mode 100644 index 0000000..2378069 --- /dev/null +++ b/tests/hash:ip,port,net,port.t.list0 @@ -0,0 +1,11 @@ +Name: test +Type: hash:ip,port,net,port +Header: family inet hashsize 1024 maxelem 65536 timeout x +Size in memory: 1096 +References: 0 +Number of entries: 4 +Members: +2.0.0.0,tcp:5,192.168.0.0/25,tcp:5 timeout x +2.0.0.1,tcp:5,192.168.0.0/24,tcp:1 timeout x +2.1.0.0,tcp:128,10.0.0.0/16,tcp:2 timeout x +2.1.0.1,tcp:128,10.0.0.0/17,tcp:6 timeout x diff --git a/tests/hash:ip6,port,net6,port.t b/tests/hash:ip6,port,net6,port.t new file mode 100644 index 0000000..a65fa6d --- /dev/null +++ b/tests/hash:ip6,port,net6,port.t @@ -0,0 +1,143 @@ +# Range: Create a set +0 ipset -N test ipportnetporthash -6 +# Range: Add zero valued element +1 ipset -A test 2:0:0::1,0,0:0:0::0/0,0 +# Range: Test zero valued element +1 ipset -T test 2:0:0::1,0,0:0:0::0/0,0 +# Range: Delete zero valued element +1 ipset -D test 2:0:0::1,0,0:0:0::0/0,0 +# Range: Add almost zero valued element +0 ipset -A test 2:0:0::1,0,0:0:0::0/24,0 +# Range: Test almost zero valued element +0 ipset -T test 2:0:0::1,0,0:0:0::0/24,0 +# Range: Delete almost zero valued element +0 ipset -D test 2:0:0::1,0,0:0:0::0/24,0 +# Range: Add first random value +0 ipset -A test 2:0:0::1,5,1:1:1::1/24,123 +# Range: Add second random value +0 ipset -A test 2:1:0::0,128,2:2:2::2/12,321 +# Range: Test first random value +0 ipset -T test 2:0:0::1,5,1:1:1::2,123 +# Range: Test second random value +0 ipset -T test 2:1:0::0,128,2:2:2::0,321 +# Range: Test value not added to the set +1 ipset -T test 2:0:0::1,5,2:1:1::255,123 +# Range: Test value not added to the set +1 ipset -T test 2:0:0::1,6,1:1:1::1,321 +# Range: Test value not added to the set +1 ipset -T test 2:0:0::2,6,1:1:1::1,212 +# Range: Test value before first random value +1 ipset -T test 2:0:0::0,5,1:1:1::1,123 +# Range: Test value after second random value +1 ipset -T test 2:1:0::1,128,2:2:2::2,321 +# Range: Try to add value before first random value +0 ipset -A test 2:0:0::0,5,1:1:1::1/24,123 +# Range: Try to add value after second random value +0 ipset -A test 2:1:0::1,128,2:2:2::2/12,321 +# Range: List set +0 ipset -L test | grep -v Revision: > .foo0 && ./sort.sh .foo0 +# Range: Check listing +0 diff -u -I 'Size in memory.*' .foo hash:ip6,port,net6,port.t.list0 +# Range: Flush test set +0 ipset -F test +# Range: Delete test set +0 ipset -X test +# Create set to add a range +0 ipset new test hash:ip,port,net,port -6 hashsize 64 +# Add a range which forces a resizing +0 ipset add test 1::1,tcp:1-1000,2::2/12,20001-20015 +# Check that correct number of elements are added +0 n=`ipset list test|grep 1::1|wc -l` && test $n -eq 15000 +# Destroy set +0 ipset -X test +# Create test set with timeout support +0 ipset create test hash:ip,port,net,port family inet6 timeout 30 +# Add a non-matching IP address entry +0 ipset -A test 2:2:2::2,80,1:1:1::1,88 nomatch +# Add an overlapping matching small net +0 ipset -A test 2:2:2::2,80,1:1:1::/124,88 +# Add an overlapping non-matching larger net +0 ipset -A test 2:2:2::2,80,1:1:1::/120,88 nomatch +# Add an even larger matching net +0 ipset -A test 2:2:2::2,80,1:1:1::/116,88 +# Check non-matching IP +1 ipset -T test 2:2:2::2,80,1:1:1::1,88 +# Check matching IP from non-matching small net +0 ipset -T test 2:2:2::2,80,1:1:1::F,88 +# Check non-matching IP from larger net +1 ipset -T test 2:2:2::2,80,1:1:1::10,88 +# Check matching IP from even larger net +0 ipset -T test 2:2:2::2,80,1:1:1::100,88 +# Update non-matching IP to matching one +0 ipset -! -A test 2:2:2::2,80,1:1:1::1,88 +# Delete overlapping small net +0 ipset -D test 2:2:2::2,80,1:1:1::/124,88 +# Check matching IP +0 ipset -T test 2:2:2::2,80,1:1:1::1,88 +# Add overlapping small net +0 ipset -A test 2:2:2::2,80,1:1:1::/124,88 +# Update matching IP as a non-matching one, with shorter timeout +0 ipset -! -A test 2:2:2::2,80,1:1:1::1,88 nomatch timeout 2 +# Check non-matching IP +1 ipset -T test 2:2:2::2,80,1:1:1::1,88 +# Sleep 3s so that element can time out +0 sleep 3 +# Check non-matching IP +0 ipset -T test 2:2:2::2,80,1:1:1::1,88 +# Check matching IP +0 ipset -T test 2:2:2::2,80,1:1:1::F,88 +# Delete test set +0 ipset destroy test +# Timeout: Check that resizing keeps timeout values +0 ./resizet.sh -6 ipportnetport +# Nomatch: Check that resizing keeps the nomatch flag +0 ./resizen.sh -6 ipportnetport +# Counters: create set +0 ipset n test hash:ip,port,net,port -6 counters +# Counters: add element with packet, byte counters +0 ipset a test 2:0:0::1,80,2002:24:ff::1/64,99 packets 5 bytes 3456 +# Counters: check element +0 ipset t test 2:0:0::1,80,2002:24:ff::1/64,99 +# Counters: check counters +0 ./check_counters test 2::1 5 3456 +# Counters: delete element +0 ipset d test 2:0:0::1,80,2002:24:ff::1/64,99 +# Counters: test deleted element +1 ipset t test 2:0:0::1,80,2002:24:ff::1/64,99 +# Counters: add element with packet, byte counters +0 ipset a test 2:0:0::20,453,2002:ff:24::ab/54,99 packets 12 bytes 9876 +# Counters: check counters +0 ./check_counters test 2::20 12 9876 +# Counters: update counters +0 ipset -! a test 2:0:0::20,453,2002:ff:24::ab/54,99 packets 13 bytes 12479 +# Counters: check counters +0 ./check_counters test 2::20 13 12479 +# Counters: destroy set +0 ipset x test +# Counters and timeout: create set +0 ipset n test hash:ip,port,net,port -6 counters timeout 600 +# Counters and timeout: add element with packet, byte counters +0 ipset a test 2:0:0::1,80,2002:24:ff::1/64,9 packets 5 bytes 3456 +# Counters and timeout: check element +0 ipset t test 2:0:0::1,80,2002:24:ff::1/64,9 +# Counters and timeout: check counters +0 ./check_extensions test 2::1 600 5 3456 +# Counters and timeout: delete element +0 ipset d test 2:0:0::1,80,2002:24:ff::1/64,9 +# Counters and timeout: test deleted element +1 ipset t test 2:0:0::1,80,2002:24:ff::1/64,9 +# Counters and timeout: add element with packet, byte counters +0 ipset a test 2:0:0::20,453,2002:ff:24::ab/54,9 packets 12 bytes 9876 +# Counters and timeout: check counters +0 ./check_extensions test 2::20 600 12 9876 +# Counters and timeout: update counters +0 ipset -! a test 2:0:0::20,453,2002:ff:24::ab/54,9 packets 13 bytes 12479 +# Counters and timeout: check counters +0 ./check_extensions test 2::20 600 13 12479 +# Counters and timeout: update timeout +0 ipset -! a test 2:0:0::20,453,2002:ff:24::ab/54,9 timeout 700 +# Counters and timeout: check counters +0 ./check_extensions test 2::20 700 13 12479 +# Counters and timeout: destroy set +0 ipset x test +# eof diff --git a/tests/hash:ip6,port,net6,port.t.list0 b/tests/hash:ip6,port,net6,port.t.list0 new file mode 100644 index 0000000..46a3a62 --- /dev/null +++ b/tests/hash:ip6,port,net6,port.t.list0 @@ -0,0 +1,11 @@ +Name: test +Type: hash:ip,port,net,port +Header: family inet6 hashsize 1024 maxelem 65536 +Size in memory: 1864 +References: 0 +Number of entries: 4 +Members: +2:1::,tcp:128,::/12,tcp:321 +2:1::1,tcp:128,::/12,tcp:321 +2::,tcp:5,1::/24,tcp:123 +2::1,tcp:5,1::/24,tcp:123 diff --git a/tests/resizet.sh b/tests/resizet.sh index df52a0d..f864b9a 100755 --- a/tests/resizet.sh +++ b/tests/resizet.sh @@ -61,6 +61,14 @@ case "$2" in done done ;; + ipportnetport) + $ipset n test hash:ip,port,net,port $1 hashsize 64 timeout 100 + for x in `seq 0 16`; do + for y in `seq 0 255`; do + $ipset a test $ip$x$sep$y,1023,$ip2/$net,22 + done + done + ;; ipportnet) $ipset n test hash:ip,port,net $1 hashsize 64 timeout 100 for x in `seq 0 16`; do diff --git a/tests/runtest.sh b/tests/runtest.sh index da5b988..b0ca1e6 100755 --- a/tests/runtest.sh +++ b/tests/runtest.sh @@ -15,6 +15,7 @@ tests="$tests nethash hash:net hash:net6 hash:net,port hash:net6,port" tests="$tests hash:ip,port,net hash:ip6,port,net6 hash:net,net hash:net6,net6" tests="$tests hash:net,port,net hash:net6,port,net6" tests="$tests hash:ip,port,ip,port hash:ip6,port,ip6,port" +tests="$tests hash:ip,port,net,port hash:ip6,port,net6,port" tests="$tests hash:net,iface.t hash:mac.t" tests="$tests comment setlist restore" # tests="$tests iptree iptreemap"