From patchwork Sun Dec 16 21:30:36 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Oliver Smith X-Patchwork-Id: 1014208 X-Patchwork-Delegate: kadlec@blackhole.kfki.hu Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=quarantine dis=none) header.from=uptheinter.net Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=uptheinter.net header.i=@uptheinter.net header.b="uNjS7h8P"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43HyKc6zYXz9sBQ for ; Mon, 17 Dec 2018 08:36:52 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730943AbeLPVgm (ORCPT ); Sun, 16 Dec 2018 16:36:42 -0500 Received: from mail.uptheinter.net ([77.74.193.35]:39814 "EHLO mail.uptheinter.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727256AbeLPVgm (ORCPT ); Sun, 16 Dec 2018 16:36:42 -0500 X-Greylist: delayed 345 seconds by postgrey-1.27 at vger.kernel.org; Sun, 16 Dec 2018 16:36:33 EST Received: from localhost (localhost [127.0.0.1]) by mail.uptheinter.net (Postfix) with ESMTP id 5F79EA2634 for ; Sun, 16 Dec 2018 21:31:02 +0000 (GMT) X-DKIM: Sendmail DKIM Filter v2.7.2 mail.uptheinter.net 5F79EA2634 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uptheinter.net; s=default; t=1544995862; bh=N4DRokbDrhNrip4vPMLq5K2G5qAUF4tIQKLKlff wqsw=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version:Content-Transfer-Encoding; b=uNjS7h8PPTc9Eo8ThxjdgZ/A nmntg8Tb/+0Pr4pk/Y8vkigshc7aDNYqPIK1L6HgD2tORQfjsvfsOOH5QubzenYBaRf XW8VvcgxAneAPvVuVu5ED5vIXsxzZdHjl0RBD/9V2w6FGm4RhMFisMJJfjgrSNmqPLV c6s7dQPU4Z1NI= X-Virus-Scanned: amavisd-new at example.com Received: from mail.uptheinter.net ([127.0.0.1]) by localhost (mail.uptheinter.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id qwkScNaSxDol for ; Sun, 16 Dec 2018 21:30:53 +0000 (GMT) From: Oliver Smith To: netfilter-devel@vger.kernel.org Subject: [PATCH 2/5] ipset: Implement ip,port,ip,port hash set. Date: Sun, 16 Dec 2018 21:30:36 +0000 Message-Id: <20181216213039.399-3-oliver@uptheinter.net> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20181216213039.399-1-oliver@uptheinter.net> References: <20181216213039.399-1-oliver@uptheinter.net> MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org This commit adds a new set providing storage for two IP addresses and two ports. The most common use case for this is matching a source IP+port to a destination IP+port. Ranges of ports are supported using the logic that every port in range A (the second argument) will have an entry created for all values in range B (the fourth argument) For example: ipset add 1.1.1.1,11-12,2.2.2.2,13-14 Will result in: * 1.1.1.1,11,2.2.2.2,13 * 1.1.1.1,11,2.2.2.2,14 * 1.1.1.1,12,2.2.2.2,13 * 1.1.1.1,12,2.2.2.2,14 Tests have been added to verify the functionality. Signed-off-by: Oliver Smith --- kernel/net/netfilter/ipset/Kbuild | 1 + kernel/net/netfilter/ipset/Kconfig | 10 + .../ipset/ip_set_hash_ipportipport.c | 436 ++++++++++++++++++ lib/Makefile.am | 1 + lib/ipset_hash_ipportipport.c | 144 ++++++ tests/hash:ip,port,ip,port.t | 159 +++++++ tests/hash:ip,port,ip,port.t.list0 | 11 + tests/hash:ip,port,ip,port.t.list1 | 7 + tests/hash:ip6,port,ip6,port.t | 115 +++++ tests/hash:ip6,port,ip6,port.t.list0 | 12 + tests/hash:ip6,port,ip6,port.t.list1 | 7 + tests/resizet.sh | 8 + tests/runtest.sh | 1 + 13 files changed, 912 insertions(+) create mode 100644 kernel/net/netfilter/ipset/ip_set_hash_ipportipport.c create mode 100644 lib/ipset_hash_ipportipport.c create mode 100644 tests/hash:ip,port,ip,port.t create mode 100644 tests/hash:ip,port,ip,port.t.list0 create mode 100644 tests/hash:ip,port,ip,port.t.list1 create mode 100644 tests/hash:ip6,port,ip6,port.t create mode 100644 tests/hash:ip6,port,ip6,port.t.list0 create mode 100644 tests/hash:ip6,port,ip6,port.t.list1 diff --git a/kernel/net/netfilter/ipset/Kbuild b/kernel/net/netfilter/ipset/Kbuild index 6a1ac92..9f624d6 100644 --- a/kernel/net/netfilter/ipset/Kbuild +++ b/kernel/net/netfilter/ipset/Kbuild @@ -8,6 +8,7 @@ obj-m += ip_set_hash_ip.o ip_set_hash_ipport.o ip_set_hash_ipportip.o obj-m += ip_set_hash_ipportnet.o ip_set_hash_ipmac.o ip_set_hash_ipmark.o obj-m += ip_set_hash_net.o ip_set_hash_netport.o ip_set_hash_netiface.o obj-m += ip_set_hash_netnet.o ip_set_hash_netportnet.o ip_set_hash_mac.o +obj-m += ip_set_hash_ipportipport.o obj-m += ip_set_list_set.o # It's for me... diff --git a/kernel/net/netfilter/ipset/Kconfig b/kernel/net/netfilter/ipset/Kconfig index 4083a80..b9bf30a 100644 --- a/kernel/net/netfilter/ipset/Kconfig +++ b/kernel/net/netfilter/ipset/Kconfig @@ -89,6 +89,16 @@ config IP_SET_HASH_IPPORTIP To compile it as a module, choose M here. If unsure, say N. +config IP_SET_HASH_IPPORTIPPORT + tristate "hash:ip,port,ip,port set support" + depends on IP_SET + help + This option adds the hash:ip,port,ip,port set type support, by which + one can store IPv4/IPv6 address, protocol/two ports, and IPv4/IPv6 + address quadruples in a set. + + To compile it as a module, choose M here. If unsure, say N. + config IP_SET_HASH_IPPORTNET tristate "hash:ip,port,net set support" depends on IP_SET diff --git a/kernel/net/netfilter/ipset/ip_set_hash_ipportipport.c b/kernel/net/netfilter/ipset/ip_set_hash_ipportipport.c new file mode 100644 index 0000000..448b338 --- /dev/null +++ b/kernel/net/netfilter/ipset/ip_set_hash_ipportipport.c @@ -0,0 +1,436 @@ +/* Copyright (C) 2003-2013 Jozsef Kadlecsik + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +/* Kernel module implementing an IP set type: the hash:ip,port,ip type */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#define IPSET_TYPE_REV_MIN 0 +#define IPSET_TYPE_REV_MAX 0 + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Oliver Smith "); +IP_SET_MODULE_DESC("hash:ip,port,ip,port", IPSET_TYPE_REV_MIN, + IPSET_TYPE_REV_MAX); +MODULE_ALIAS("ip_set_hash:ip,port,ip,port"); + +/* Type specific function prefix */ +#define HTYPE hash_ipportipport + +/* IPv4 variant */ + +/* Member elements */ +struct hash_ipportipport4_elem { + __be32 ip; + __be32 ip2; + union { + __be16 port[2]; + __be32 portcmp; + }; + u8 proto; +}; + +static inline bool +hash_ipportipport4_data_equal(const struct hash_ipportipport4_elem *ip1, + const struct hash_ipportipport4_elem *ip2, + u32 *multi) +{ + return ip1->ip == ip2->ip && + ip1->ip2 == ip2->ip2 && + ip1->portcmp == ip2->portcmp && + ip1->proto == ip2->proto; +} + +static bool +hash_ipportipport4_data_list(struct sk_buff *skb, + const struct hash_ipportipport4_elem *data) +{ + if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) || + nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip2) || + nla_put_net16(skb, IPSET_ATTR_PORT, data->port[0]) || + nla_put_net16(skb, IPSET_ATTR_PORT2, data->port[1]) || + nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto)) + goto nla_put_failure; + return false; + +nla_put_failure: + return true; +} + +static inline void +hash_ipportipport4_data_next(struct hash_ipportipport4_elem *next, + const struct hash_ipportipport4_elem *d) +{ + next->ip = d->ip; + next->portcmp = d->portcmp; +} + +/* Common functions */ +#define MTYPE hash_ipportipport4 +#define HOST_MASK 32 +#include "ip_set_hash_gen.h" + +static int +hash_ipportipport4_kadt(struct ip_set *set, const struct sk_buff *skb, + const struct xt_action_param *par, + enum ipset_adt adt, struct ip_set_adt_opt *opt) +{ + ipset_adtfn adtfn = set->variant->adt[adt]; + struct hash_ipportipport4_elem e = { .ip = 0 }; + struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); + + if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC, + &e.port[0], &e.proto)) + return -EINVAL; + if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_FOUR_SRC, + &e.port[1], &e.proto)) + return -EINVAL; + + ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip); + ip4addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &e.ip2); + return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); +} + +static int +hash_ipportipport4_uadt(struct ip_set *set, struct nlattr *tb[], + enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) +{ + ipset_adtfn adtfn = set->variant->adt[adt]; + struct hash_ipportipport4_elem e = { .ip = 0 }; + struct ip_set_ext ext = IP_SET_INIT_UEXT(set); + u32 ip, ip_to = 0, p, port, port_to, p2, port2, port2_to; + bool with_ports = false; + int ret; + + if (tb[IPSET_ATTR_LINENO]) + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); + + if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT2) || + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT2_TO))) + return -IPSET_ERR_PROTOCOL; + + ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip); + if (ret) + return ret; + + ret = ip_set_get_extensions(set, tb, &ext); + if (ret) + return ret; + + ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP2], &e.ip2); + if (ret) + return ret; + + e.port[0] = nla_get_be16(tb[IPSET_ATTR_PORT]); + e.port[1] = nla_get_be16(tb[IPSET_ATTR_PORT2]); + + if (tb[IPSET_ATTR_PROTO]) { + e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); + with_ports = ip_set_proto_with_ports(e.proto); + + if (e.proto == 0) + return -IPSET_ERR_INVALID_PROTO; + } else { + return -IPSET_ERR_MISSING_PROTO; + } + + if (!(with_ports || e.proto == IPPROTO_ICMP)) + e.portcmp = 0; + + if (adt == IPSET_TEST || + (!(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_CIDR]) && + !tb[IPSET_ATTR_PORT_TO] && !tb[IPSET_ATTR_PORT2_TO])) { + ret = adtfn(set, &e, &ext, &ext, flags); + return ip_set_eexist(ret, flags) ? 0 : ret; + } + + ip_to = ip = ntohl(e.ip); + if (tb[IPSET_ATTR_IP_TO]) { + ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); + if (ret) + return ret; + if (ip > ip_to) + swap(ip, ip_to); + } else if (tb[IPSET_ATTR_CIDR]) { + u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); + + if (!cidr || cidr > HOST_MASK) + return -IPSET_ERR_INVALID_CIDR; + ip_set_mask_from_to(ip, ip_to, cidr); + } + + port = ntohs(e.port[0]); + port2 = ntohs(e.port[1]); + port_to = with_ports && tb[IPSET_ATTR_PORT_TO] ? + ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]) : port; + port2_to = with_ports && tb[IPSET_ATTR_PORT2_TO] ? + ip_set_get_h16(tb[IPSET_ATTR_PORT2_TO]) : port2; + + if (port > port_to) + swap(port, port_to); + if (port2 > port2_to) + swap(port2, port2_to); + + for (; ip <= ip_to; ip++) { + e.ip = htonl(ip); + for (p = port; p <= port_to; p++) { + e.port[0] = htons(p); + for (p2 = port2; p2 <= port2_to; p2++) { + e.port[1] = htons(p2); + ret = adtfn(set, &e, &ext, &ext, flags); + + if (ret == -EAGAIN && !ip_set_eexist(ret, flags)) + return ret; + + ret = 0; + } + } + } + return ret; +} + +/* IPv6 variant */ + +struct hash_ipportipport6_elem { + union nf_inet_addr ip; + union nf_inet_addr ip2; + union { + __be16 port[2]; + __be32 portcmp; + }; + u8 proto; + u8 padding; +}; + +/* Common functions */ + +static inline bool +hash_ipportipport6_data_equal(const struct hash_ipportipport6_elem *ip1, + const struct hash_ipportipport6_elem *ip2, + u32 *multi) +{ + return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6) && + ipv6_addr_equal(&ip1->ip2.in6, &ip2->ip2.in6) && + ip1->portcmp == ip2->portcmp && + ip1->proto == ip2->proto; +} + +static bool +hash_ipportipport6_data_list(struct sk_buff *skb, + const struct hash_ipportipport6_elem *data) +{ + if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) || + nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip2.in6) || + nla_put_net16(skb, IPSET_ATTR_PORT, data->port[0]) || + nla_put_net16(skb, IPSET_ATTR_PORT2, data->port[1]) || + nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto)) + goto nla_put_failure; + return false; + +nla_put_failure: + return true; +} + +static inline void +hash_ipportipport6_data_next(struct hash_ipportipport6_elem *next, + const struct hash_ipportipport6_elem *d) +{ + next->portcmp = d->portcmp; +} + +#undef MTYPE +#undef HOST_MASK + +#define MTYPE hash_ipportipport6 +#define HOST_MASK 128 +#define IP_SET_EMIT_CREATE +#include "ip_set_hash_gen.h" + +static int +hash_ipportipport6_kadt(struct ip_set *set, const struct sk_buff *skb, + const struct xt_action_param *par, + enum ipset_adt adt, struct ip_set_adt_opt *opt) +{ + ipset_adtfn adtfn = set->variant->adt[adt]; + struct hash_ipportipport6_elem e = { .ip = { .all = { 0 } } }; + struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); + + if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC, + &e.port[0], &e.proto)) + return -EINVAL; + if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_FOUR_SRC, + &e.port[1], &e.proto)) + return -EINVAL; + + ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6); + ip6addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &e.ip2.in6); + return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); +} + +static int +hash_ipportipport6_uadt(struct ip_set *set, struct nlattr *tb[], + enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) +{ + ipset_adtfn adtfn = set->variant->adt[adt]; + struct hash_ipportipport6_elem e = { .ip = { .all = { 0 } } }; + struct ip_set_ext ext = IP_SET_INIT_UEXT(set); + u32 port, port_to, port2, port2_to, p2; + bool with_ports = false; + int ret; + + if (tb[IPSET_ATTR_LINENO]) + *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]); + + if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] || + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) || + !ip_set_attr_netorder(tb, IPSET_ATTR_PORT2) || + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) || + !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT2_TO))) + return -IPSET_ERR_PROTOCOL; + if (unlikely(tb[IPSET_ATTR_IP_TO])) + return -IPSET_ERR_HASH_RANGE_UNSUPPORTED; + if (unlikely(tb[IPSET_ATTR_CIDR])) { + u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); + + if (cidr != HOST_MASK) + return -IPSET_ERR_INVALID_CIDR; + } + + ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip); + if (ret) + return ret; + + ret = ip_set_get_extensions(set, tb, &ext); + if (ret) + return ret; + + ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &e.ip2); + if (ret) + return ret; + + e.port[0] = nla_get_be16(tb[IPSET_ATTR_PORT]); + e.port[1] = nla_get_be16(tb[IPSET_ATTR_PORT2]); + + if (tb[IPSET_ATTR_PROTO]) { + e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]); + with_ports = ip_set_proto_with_ports(e.proto); + + if (e.proto == 0) + return -IPSET_ERR_INVALID_PROTO; + } else { + return -IPSET_ERR_MISSING_PROTO; + } + + if (!(with_ports || e.proto == IPPROTO_ICMPV6)) + e.portcmp = 0; + + if (adt == IPSET_TEST || !with_ports || (!tb[IPSET_ATTR_PORT_TO] && + !tb[IPSET_ATTR_PORT2_TO])) { + ret = adtfn(set, &e, &ext, &ext, flags); + return ip_set_eexist(ret, flags) ? 0 : ret; + } + + port = ntohs(e.port[0]); + port2 = ntohs(e.port[1]); + port_to = with_ports && tb[IPSET_ATTR_PORT_TO] ? + ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]) : port; + port2_to = with_ports && tb[IPSET_ATTR_PORT2_TO] ? + ip_set_get_h16(tb[IPSET_ATTR_PORT2_TO]) : port2; + if (port > port_to) + swap(port, port_to); + if (port2 > port2_to) + swap(port2, port2_to); + + for (; port <= port_to; port++) { + e.port[0] = htons(port); + for (p2 = port2; p2 <= port2_to; p2++) { + e.port[1] = htons(p2); + ret = adtfn(set, &e, &ext, &ext, flags); + + if (ret == -EAGAIN && !ip_set_eexist(ret, flags)) + return ret; + + ret = 0; + } + } + return ret; +} + +static struct ip_set_type hash_ipportipport_type __read_mostly = { + .name = "hash:ip,port,ip,port", + .protocol = IPSET_PROTOCOL, + .features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2 | + IPSET_TYPE_PORT2, + .dimension = IPSET_DIM_FOUR, + .family = NFPROTO_UNSPEC, + .revision_min = IPSET_TYPE_REV_MIN, + .revision_max = IPSET_TYPE_REV_MAX, + .create = hash_ipportipport_create, + .create_policy = { + [IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 }, + [IPSET_ATTR_MAXELEM] = { .type = NLA_U32 }, + [IPSET_ATTR_PROBES] = { .type = NLA_U8 }, + [IPSET_ATTR_RESIZE] = { .type = NLA_U8 }, + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, + [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, + }, + .adt_policy = { + [IPSET_ATTR_IP] = { .type = NLA_NESTED }, + [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, + [IPSET_ATTR_IP2] = { .type = NLA_NESTED }, + [IPSET_ATTR_PORT] = { .type = NLA_U16 }, + [IPSET_ATTR_PORT_TO] = { .type = NLA_U16 }, + [IPSET_ATTR_PORT2] = { .type = NLA_U16 }, + [IPSET_ATTR_PORT2_TO] = { .type = NLA_U16 }, + [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, + [IPSET_ATTR_PROTO] = { .type = NLA_U8 }, + [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, + [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, + [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, + [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING, + .len = IPSET_MAX_COMMENT_SIZE }, + [IPSET_ATTR_SKBMARK] = { .type = NLA_U64 }, + [IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 }, + [IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 }, + }, + .me = THIS_MODULE, +}; + +static int __init +hash_ipportipport_init(void) +{ + return ip_set_type_register(&hash_ipportipport_type); +} + +static void __exit +hash_ipportipport_fini(void) +{ + rcu_barrier(); + ip_set_type_unregister(&hash_ipportipport_type); +} + +module_init(hash_ipportipport_init); +module_exit(hash_ipportipport_fini); diff --git a/lib/Makefile.am b/lib/Makefile.am index 3a82417..f80df27 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -9,6 +9,7 @@ IPSET_SETTYPE_LIST = \ ipset_hash_ipmark.c \ ipset_hash_ipportip.c \ ipset_hash_ipportnet.c \ + ipset_hash_ipportipport.c \ ipset_hash_net.c \ ipset_hash_netnet.c \ ipset_hash_netportnet.c \ diff --git a/lib/ipset_hash_ipportipport.c b/lib/ipset_hash_ipportipport.c new file mode 100644 index 0000000..7c1b10b --- /dev/null +++ b/lib/ipset_hash_ipportipport.c @@ -0,0 +1,144 @@ +/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu) + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#include /* IPSET_OPT_* */ +#include /* parser functions */ +#include /* printing functions */ +#include /* ipset_port_usage */ +#include /* prototypes */ + +/* skbinfo support */ +static struct ipset_type ipset_hash_ipportipport0 = { + .name = "hash:ip,port,ip,port", + .alias = { "ipportipporthash", NULL }, + .revision = 0, + .family = NFPROTO_IPSET_IPV46, + .dimension = IPSET_DIM_FOUR, + .elem = { + [IPSET_DIM_ONE - 1] = { + .parse = ipset_parse_ip4_single6, + .print = ipset_print_ip, + .opt = IPSET_OPT_IP + }, + [IPSET_DIM_TWO - 1] = { + .parse = ipset_parse_proto_port, + .print = ipset_print_proto_port, + .opt = IPSET_OPT_PORT + }, + [IPSET_DIM_THREE - 1] = { + .parse = ipset_parse_single_ip, + .print = ipset_print_ip, + .opt = IPSET_OPT_IP2 + }, + [IPSET_DIM_FOUR - 1] = { + .parse = ipset_parse_proto_port, + .print = ipset_print_proto_port, + .opt = IPSET_OPT_PORT2 + }, + }, + .cmd = { + [IPSET_CREATE] = { + .args = { + IPSET_ARG_FAMILY, + /* Aliases */ + IPSET_ARG_INET, + IPSET_ARG_INET6, + IPSET_ARG_HASHSIZE, + IPSET_ARG_MAXELEM, + IPSET_ARG_TIMEOUT, + IPSET_ARG_COUNTERS, + IPSET_ARG_COMMENT, + IPSET_ARG_FORCEADD, + IPSET_ARG_SKBINFO, + /* Ignored options: backward compatibilty */ + IPSET_ARG_PROBES, + IPSET_ARG_RESIZE, + IPSET_ARG_IGNORED_FROM, + IPSET_ARG_IGNORED_TO, + IPSET_ARG_IGNORED_NETWORK, + IPSET_ARG_NONE, + }, + .need = 0, + .full = 0, + .help = "", + }, + [IPSET_ADD] = { + .args = { + IPSET_ARG_TIMEOUT, + IPSET_ARG_PACKETS, + IPSET_ARG_BYTES, + IPSET_ARG_ADT_COMMENT, + IPSET_ARG_SKBMARK, + IPSET_ARG_SKBPRIO, + IPSET_ARG_SKBQUEUE, + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT2) + | IPSET_FLAG(IPSET_OPT_IP2), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT_TO) + | IPSET_FLAG(IPSET_OPT_PORT2) + | IPSET_FLAG(IPSET_OPT_PORT2_TO) + | IPSET_FLAG(IPSET_OPT_IP2), + .help = "IP,[PROTO:]PORT,IP,PORT", + }, + [IPSET_DEL] = { + .args = { + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT2) + | IPSET_FLAG(IPSET_OPT_IP2), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT_TO) + | IPSET_FLAG(IPSET_OPT_PORT2) + | IPSET_FLAG(IPSET_OPT_PORT2_TO) + | IPSET_FLAG(IPSET_OPT_IP2), + .help = "IP,[PROTO:]PORT,IP,PORT", + }, + [IPSET_TEST] = { + .args = { + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT2) + | IPSET_FLAG(IPSET_OPT_IP2), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT2) + | IPSET_FLAG(IPSET_OPT_IP2), + .help = "IP,[PROTO:]PORT,IP,PORT", + }, + }, + .usage = "where depending on the INET family\n" + " IP is a valid IPv4 or IPv6 address (or hostname).\n" + " Adding/deleting multiple elements in IP/CIDR or FROM-TO form\n" + " in the first IP component is supported for IPv4.\n" + " Adding/deleting multiple elements with TCP/SCTP/UDP/UDPLITE\n" + " port range is supported both for IPv4 and IPv6.", + .usagefn = ipset_port_usage, + .description = "Initial revision", +}; + +void _init(void); +void _init(void) +{ + ipset_type_add(&ipset_hash_ipportipport0); +} diff --git a/tests/hash:ip,port,ip,port.t b/tests/hash:ip,port,ip,port.t new file mode 100644 index 0000000..e150da7 --- /dev/null +++ b/tests/hash:ip,port,ip,port.t @@ -0,0 +1,159 @@ +# Create a set with timeout +0 ipset create test hash:ip,port,ip,port timeout 4 +# Add partly zero valued element +0 ipset add test 2.0.0.1,0,0.0.0.0,0 +# Test partly zero valued element +0 ipset test test 2.0.0.1,0,0.0.0.0,0 +# Delete party zero valued element +0 ipset del test 2.0.0.1,0,0.0.0.0,0 +# Add almost zero valued element +0 ipset add test 2.0.0.1,0,0.0.0.1,0 +# Test almost zero valued element +0 ipset test test 2.0.0.1,0,0.0.0.1,0 +# Delete almost zero valued element +0 ipset del test 2.0.0.1,0,0.0.0.1,0 +# Add first random value +0 ipset add test 2.0.0.1,5,1.1.1.1,10 +# Add second random value +0 ipset add test 2.1.0.0,128,2.2.2.2,11 +# Test first random value +0 ipset test test 2.0.0.1,5,1.1.1.1,10 +# Test second random value +0 ipset test test 2.1.0.0,128,2.2.2.2,11 +# Test value not added to the set +1 ipset test test 2.0.0.1,5,1.1.1.2,11 +# Test value not added to the set +1 ipset test test 2.0.0.1,6,1.1.1.1,10 +# Test value not added to the set +1 ipset test test 2.0.0.2,6,1.1.1.1,23 +# Test value before first random value +1 ipset test test 2.0.0.0,5,1.1.1.1,10 +# Test value after second random value +1 ipset test test 2.1.0.1,128,2.2.2.2,11 +# Try to add value before first random value +0 ipset add test 2.0.0.0,5,1.1.1.1,10 +# Try to add value after second random value +0 ipset add test 2.1.0.1,128,2.2.2.2,11 +# List set +0 ipset list test | grep -v Revision: | sed 's/timeout ./timeout x/' > .foo0 && ./sort.sh .foo0 +# Check listing +0 diff -u -I 'Size in memory.*' .foo hash:ip,port,ip,port.t.list0 +# Sleep 5s so that elements can time out +0 sleep 5 +# List set +0 ipset list test | grep -v Revision: > .foo0 && ./sort.sh .foo0 +# Check listing +0 diff -u -I 'Size in memory.*' .foo hash:ip,port,ip,port.t.list1 +# Flush test set +0 ipset flush test +# Add multiple elements in one step +0 ipset add test 1.1.1.1-1.1.1.4,80-84,2.2.2.2,55-56 +# Delete multiple elements in one step +0 ipset del test 1.1.1.2-1.1.1.3,tcp:81-82,2.2.2.2,55-56 +# Check number of elements after multi-add/multi-del +0 n=`ipset save test|wc -l` && test $n -eq 33 +# Delete test set +0 ipset destroy test +# Create set to add a range +0 ipset new test hash:ip,port,ip,port hashsize 64 +# Add a range which forces a resizing +0 ipset add test 10.0.0.0-10.0.3.255,tcp:80-82,192.168.0.1,99 +# Check that correct number of elements are added +0 n=`ipset list test|grep '^10.0'|wc -l` && test $n -eq 3072 +# Destroy set +0 ipset -X test +# Create set to add a range +0 ipset new test hash:ip,port,ip,port hashsize 64 +# Add a range which forces a resizing +0 ipset add test 10.0.0.0,tcp:1-1000,192.168.0.1,51-60 +# Check that correct number of elements are added +0 n=`ipset list test|grep '^10.0'|wc -l` && test $n -eq 10000 +# Destroy set +0 ipset -X test +# Create set +0 ipset create test hash:ip,port,ip,port +# Add a single element +0 ipset add test 10.0.0.1,tcp:80,2.2.2.1,23 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 2 +# Delete the single element +0 ipset del test 10.0.0.1,tcp:80,2.2.2.1,23 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 1 +# Add an IP range +0 ipset add test 10.0.0.1-10.0.0.10,tcp:80,2.2.2.1,30-32 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 31 +# Delete the IP range +0 ipset del test 10.0.0.1-10.0.0.10,tcp:80,2.2.2.1,30-32 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 1 +# Add a port range +0 ipset add test 10.0.0.1,tcp:80-89,2.2.2.1,12 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 11 +# Delete the port range +0 ipset del test 10.0.0.1,tcp:80-89,2.2.2.1,12 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 1 +# Add an IP and port range +0 ipset add test 10.0.0.1-10.0.0.10,tcp:80-89,2.2.2.1,55 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 101 +# Delete the IP and port range +0 ipset del test 10.0.0.1-10.0.0.10,tcp:80-89,2.2.2.1,55 +# Check number of elements +0 n=`ipset save test|wc -l` && test $n -eq 1 +# Destroy set +0 ipset -X test +# Timeout: Check that resizing keeps timeout values +0 ./resizet.sh -4 ipportipport +# Counters: create set +0 ipset n test hash:ip,port,ip,port counters +# Counters: add element with packet, byte counters +0 ipset a test 2.0.0.1,80,192.168.199.200,99 packets 5 bytes 3456 +# Counters: check element +0 ipset t test 2.0.0.1,80,192.168.199.200,99 +# Counters: check counters +0 ./check_counters test 2.0.0.1 5 3456 +# Counters: delete element +0 ipset d test 2.0.0.1,80,192.168.199.200,99 +# Counters: test deleted element +1 ipset t test 2.0.0.1,80,192.168.199.200,99 +# Counters: add element with packet, byte counters +0 ipset a test 2.0.0.20,453,10.0.0.1,12 packets 12 bytes 9876 +# Counters: check counters +0 ./check_counters test 2.0.0.20 12 9876 +# Counters: update counters +0 ipset -! a test 2.0.0.20,453,10.0.0.1,12 packets 13 bytes 12479 +# Counters: check counters +0 ./check_counters test 2.0.0.20 13 12479 +# Counters: destroy set +0 ipset x test +# Counters and timeout: create set +0 ipset n test hash:ip,port,ip,port counters timeout 600 +# Counters and timeout: add element with packet, byte counters +0 ipset a test 2.0.0.1,80,192.168.199.200,13 packets 5 bytes 3456 +# Counters and timeout: check element +0 ipset t test 2.0.0.1,80,192.168.199.200,13 +# Counters and timeout: check counters +0 ./check_extensions test 2.0.0.1 600 5 3456 +# Counters and timeout: delete element +0 ipset d test 2.0.0.1,80,192.168.199.200,13 +# Counters and timeout: test deleted element +1 ipset t test 2.0.0.1,80,192.168.199.200,13 +# Counters and timeout: add element with packet, byte counters +0 ipset a test 2.0.0.20,453,10.0.0.1,1 packets 12 bytes 9876 +# Counters and timeout: check counters +0 ./check_extensions test 2.0.0.20 600 12 9876 +# Counters and timeout: update counters +0 ipset -! a test 2.0.0.20,453,10.0.0.1,1 packets 13 bytes 12479 +# Counters and timeout: check counters +0 ./check_extensions test 2.0.0.20 600 13 12479 +# Counters and timeout: update timeout +0 ipset -! a test 2.0.0.20,453,10.0.0.1,1 timeout 700 +# Counters and timeout: check counters +0 ./check_extensions test 2.0.0.20 700 13 12479 +# Counters and timeout: destroy set +0 ipset x test +# eof diff --git a/tests/hash:ip,port,ip,port.t.list0 b/tests/hash:ip,port,ip,port.t.list0 new file mode 100644 index 0000000..01044f4 --- /dev/null +++ b/tests/hash:ip,port,ip,port.t.list0 @@ -0,0 +1,11 @@ +Name: test +Type: hash:ip,port,ip,port +Header: family inet hashsize 1024 maxelem 65536 timeout x +Size in memory: 608 +References: 0 +Number of entries: 4 +Members: +2.0.0.0,tcp:5,1.1.1.1,tcp:10 timeout x +2.0.0.1,tcp:5,1.1.1.1,tcp:10 timeout x +2.1.0.0,tcp:128,2.2.2.2,tcp:11 timeout x +2.1.0.1,tcp:128,2.2.2.2,tcp:11 timeout x diff --git a/tests/hash:ip,port,ip,port.t.list1 b/tests/hash:ip,port,ip,port.t.list1 new file mode 100644 index 0000000..cc944c8 --- /dev/null +++ b/tests/hash:ip,port,ip,port.t.list1 @@ -0,0 +1,7 @@ +Name: test +Type: hash:ip,port,ip,port +Header: family inet hashsize 1024 maxelem 65536 timeout 4 +Size in memory: 608 +References: 0 +Number of entries: 0 +Members: diff --git a/tests/hash:ip6,port,ip6,port.t b/tests/hash:ip6,port,ip6,port.t new file mode 100644 index 0000000..e79667b --- /dev/null +++ b/tests/hash:ip6,port,ip6,port.t @@ -0,0 +1,115 @@ +# Create a set with timeout +0 ipset create test hash:ip,port,ip,port family inet6 timeout 4 +# Add partly zero valued element +0 ipset add test 2:0:0::1,0,0:0:0::0,0 +# Test partly zero valued element +0 ipset test test 2:0:0::1,0,0:0:0::0,0 +# Delete party zero valued element +0 ipset del test 2:0:0::1,0,0:0:0::0,0 +# Add almost zero valued element +0 ipset add test 2:0:0::1,0,0:0:0::1,0 +# Test almost zero valued element +0 ipset test test 2:0:0::1,0,0:0:0::1,0 +# Delete almost zero valued element +0 ipset del test 2:0:0::1,0,0:0:0::1,0 +# Add first random value +0 ipset add test 2:0:0::1,5,1:1:1::1,1 +# Add second random value +0 ipset add test 2:1:0::0,128,2:2:2::2,2 +# Test first random value +0 ipset test test 2:0:0::1,5,1:1:1::1,1 +# Test second random value +0 ipset test test 2:1:0::0,128,2:2:2::2,2 +# Test value not added to the set +1 ipset test test 2:0:0::1,5,1:1:1::2,1 +# Test value not added to the set +1 ipset test test 2:0:0::1,6,1:1:1::1,2 +# Test value not added to the set +1 ipset test test 2:0:0::2,6,1:1:1::1,2 +# Test value before first random value +1 ipset test test 2:0:0::0,5,1:1:1::1,1 +# Test value after second random value +1 ipset test test 2:1:0::1,128,2:2:2::2,2 +# Try to add value before first random value +0 ipset add test 2:0:0::0,5,1:1:1::1,1 +# Try to add value after second random value +0 ipset add test 2:1:0::1,128,2:2:2::2,1 +# List set +0 ipset list test | grep -v Revision: | sed 's/timeout ./timeout x/' > .foo0 && ./sort.sh .foo0 +# Check listing +0 diff -u -I 'Size in memory.*' .foo hash:ip6,port,ip6,port.t.list0 +# Sleep 5s so that elements can time out +0 sleep 5 +# List set +0 ipset list test | grep -v Revision: > .foo0 && ./sort.sh .foo0 +# Check listing +0 diff -u -I 'Size in memory.*' .foo hash:ip6,port,ip6,port.t.list1 +# Flush test set +0 ipset flush test +# Add multiple elements in one step +0 ipset add test 1::1,udp:80-85,2::2,1-2 +# Delete multiple elements in one step +0 ipset del test 1::1,udp:81-85,2::2,1-2 +# Check elements after multiple add/del +0 ipset test test 1::1,udp:80,2::2,2 +# Delete test set +0 ipset destroy test +# Create set to add a range +0 ipset new test hash:ip,port,ip,port -6 hashsize 64 +# Add a range which forces a resizing +0 ipset add test 1::1,tcp:80-1105,2::2,99-100 +# Check that correct number of elements are added +0 n=`ipset list test|grep 1::1|wc -l` && test $n -eq 2052 +# Destroy set +0 ipset -X test +# Timeout: Check that resizing keeps timeout values +0 ./resizet.sh -6 ipportipport +# Counters: create set +0 ipset n test hash:ip,port,ip,port -6 counters +# Counters: add element with packet, byte counters +0 ipset a test 2:0:0::1,80,2002:24:ff::1,22 packets 5 bytes 3456 +# Counters: check element +0 ipset t test 2:0:0::1,80,2002:24:ff::1,22 +# Counters: check counters +0 ./check_counters test 2::1 5 3456 +# Counters: delete element +0 ipset d test 2:0:0::1,80,2002:24:ff::1,22 +# Counters: test deleted element +1 ipset t test 2:0:0::1,80,2002:24:ff::1,22 +# Counters: add element with packet, byte counters +0 ipset a test 2:0:0::20,453,2002:ff:24::ab,33 packets 12 bytes 9876 +# Counters: check counters +0 ./check_counters test 2::20 12 9876 +# Counters: update counters +0 ipset -! a test 2:0:0::20,453,2002:ff:24::ab,33 packets 13 bytes 12479 +# Counters: check counters +0 ./check_counters test 2::20 13 12479 +# Counters: destroy set +0 ipset x test +# Counters and timeout: create set +0 ipset n test hash:ip,port,ip,port -6 counters timeout 600 +# Counters and timeout: add element with packet, byte counters +0 ipset a test 2:0:0::1,80,2002:24:ff::1,11 packets 5 bytes 3456 +# Counters and timeout: check element +0 ipset t test 2:0:0::1,80,2002:24:ff::1,11 +# Counters and timeout: check counters +0 ./check_extensions test 2::1 600 5 3456 +# Counters and timeout: delete element +0 ipset d test 2:0:0::1,80,2002:24:ff::1,11 +# Counters and timeout: test deleted element +1 ipset t test 2:0:0::1,80,2002:24:ff::1,11 +# Counters and timeout: add element with packet, byte counters +0 ipset a test 2:0:0::20,453,2002:ff:24::ab,12 packets 12 bytes 9876 +# Counters and timeout: check counters +0 ./check_extensions test 2::20 600 12 9876 +# Counters and timeout: update counters +0 ipset -! a test 2:0:0::20,453,2002:ff:24::ab,12 packets 13 bytes 12479 +# Counters and timeout: check counters +0 ./check_extensions test 2::20 600 13 12479 +# Counters and timeout: update timeout +0 ipset -! a test 2:0:0::20,453,2002:ff:24::ab,12 timeout 700 +# Counters and timeout: check counters +0 ./check_extensions test 2::20 700 13 12479 +# Counters and timeout: destroy set +0 ipset x test +# eof diff --git a/tests/hash:ip6,port,ip6,port.t.list0 b/tests/hash:ip6,port,ip6,port.t.list0 new file mode 100644 index 0000000..6cd9169 --- /dev/null +++ b/tests/hash:ip6,port,ip6,port.t.list0 @@ -0,0 +1,12 @@ +Name: test +Type: hash:ip,port,ip,port +Header: family inet6 hashsize 1024 maxelem 65536 timeout x +Size in memory: 1016 +References: 0 +Size in memory: 9104 +Number of entries: 4 +Members: +2:1::,tcp:128,2:2:2::2,tcp:2 timeout x +2:1::1,tcp:128,2:2:2::2,tcp:1 timeout x +2::,tcp:5,1:1:1::1,tcp:1 timeout x +2::1,tcp:5,1:1:1::1,tcp:1 timeout x diff --git a/tests/hash:ip6,port,ip6,port.t.list1 b/tests/hash:ip6,port,ip6,port.t.list1 new file mode 100644 index 0000000..1a38350 --- /dev/null +++ b/tests/hash:ip6,port,ip6,port.t.list1 @@ -0,0 +1,7 @@ +Name: test +Type: hash:ip,port,ip,port +Header: family inet6 hashsize 1024 maxelem 65536 timeout 4 +Size in memory: 1016 +References: 0 +Number of entries: 0 +Members: diff --git a/tests/resizet.sh b/tests/resizet.sh index eed4abf..df52a0d 100755 --- a/tests/resizet.sh +++ b/tests/resizet.sh @@ -45,6 +45,14 @@ case "$2" in done done ;; + ipportipport) + $ipset n test hash:ip,port,ip,port $1 hashsize 64 timeout 100 + for x in `seq 0 16`; do + for y in `seq 0 255`; do + $ipset a test $ip$x$sep$y,1023,$ip2,10 + done + done + ;; ipportip) $ipset n test hash:ip,port,ip $1 hashsize 64 timeout 100 for x in `seq 0 16`; do diff --git a/tests/runtest.sh b/tests/runtest.sh index 7afa1dd..da5b988 100755 --- a/tests/runtest.sh +++ b/tests/runtest.sh @@ -14,6 +14,7 @@ tests="$tests ipportiphash hash:ip,port,ip hash:ip6,port,ip6" tests="$tests nethash hash:net hash:net6 hash:net,port hash:net6,port" tests="$tests hash:ip,port,net hash:ip6,port,net6 hash:net,net hash:net6,net6" tests="$tests hash:net,port,net hash:net6,port,net6" +tests="$tests hash:ip,port,ip,port hash:ip6,port,ip6,port" tests="$tests hash:net,iface.t hash:mac.t" tests="$tests comment setlist restore" # tests="$tests iptree iptreemap"