#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:27 2006
+# Wed Jan 3 21:45:35 2007
#
CONFIG_X86_64=y
CONFIG_64BIT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:21 2006
+# Wed Jan 3 21:45:29 2007
#
CONFIG_X86_32=y
CONFIG_GENERIC_TIME=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:21 2006
+# Wed Jan 3 21:45:29 2007
#
CONFIG_X86_32=y
CONFIG_GENERIC_TIME=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:22 2006
+# Wed Jan 3 21:45:29 2007
#
CONFIG_X86_32=y
CONFIG_GENERIC_TIME=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:22 2006
+# Wed Jan 3 21:45:30 2007
#
CONFIG_X86_32=y
CONFIG_GENERIC_TIME=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:22 2006
+# Wed Jan 3 21:45:30 2007
#
CONFIG_X86_32=y
CONFIG_LOCKDEP_SUPPORT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:23 2006
+# Wed Jan 3 21:45:30 2007
#
CONFIG_X86_32=y
CONFIG_LOCKDEP_SUPPORT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:23 2006
+# Wed Jan 3 21:45:31 2007
#
CONFIG_X86_32=y
CONFIG_LOCKDEP_SUPPORT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:23 2006
+# Wed Jan 3 21:45:31 2007
#
CONFIG_X86_32=y
CONFIG_GENERIC_TIME=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:24 2006
+# Wed Jan 3 21:45:31 2007
#
CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:24 2006
+# Wed Jan 3 21:45:32 2007
#
CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:24 2006
+# Wed Jan 3 21:45:32 2007
#
# CONFIG_PPC64 is not set
CONFIG_PPC32=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:25 2006
+# Wed Jan 3 21:45:32 2007
#
# CONFIG_PPC64 is not set
CONFIG_PPC32=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:25 2006
+# Wed Jan 3 21:45:32 2007
#
CONFIG_PPC64=y
CONFIG_64BIT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:25 2006
+# Wed Jan 3 21:45:33 2007
#
CONFIG_PPC64=y
CONFIG_64BIT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:25 2006
+# Wed Jan 3 21:45:33 2007
#
CONFIG_PPC64=y
CONFIG_64BIT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:26 2006
+# Wed Jan 3 21:45:33 2007
#
CONFIG_MMU=y
CONFIG_LOCKDEP_SUPPORT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:26 2006
+# Wed Jan 3 21:45:34 2007
#
CONFIG_MMU=y
CONFIG_LOCKDEP_SUPPORT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:27 2006
+# Wed Jan 3 21:45:34 2007
#
CONFIG_X86_64=y
CONFIG_64BIT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:27 2006
+# Wed Jan 3 21:45:34 2007
#
CONFIG_X86_64=y
CONFIG_64BIT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:27 2006
+# Wed Jan 3 21:45:34 2007
#
CONFIG_X86_64=y
CONFIG_64BIT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:27 2006
+# Wed Jan 3 21:45:34 2007
#
CONFIG_X86_64=y
CONFIG_64BIT=y
#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.18.6
-# Thu Dec 28 22:01:27 2006
+# Wed Jan 3 21:45:35 2007
#
CONFIG_X86_64=y
CONFIG_64BIT=y
struct ip_set_iphash {
ip_set_ip_t *members; /* the iphash proper */
+ uint32_t elements; /* number of elements */
uint32_t hashsize; /* hash size */
uint16_t probes; /* max number of probes */
uint16_t resize; /* resize factor in percent */
struct ip_set_ipporthash {
ip_set_ip_t *members; /* the ipporthash proper */
+ uint32_t elements; /* number of elements */
uint32_t hashsize; /* hash size */
uint16_t probes; /* max number of probes */
uint16_t resize; /* resize factor in percent */
unsigned int timeout;
unsigned int gc_interval;
#ifdef __KERNEL__
+ uint32_t elements; /* number of elements */
struct timer_list gc;
struct ip_set_iptreeb *tree[256]; /* ADDR.*.*.* */
#endif
struct ip_set_nethash {
ip_set_ip_t *members; /* the nethash proper */
+ uint32_t elements; /* number of elements */
uint32_t hashsize; /* hash size */
uint16_t probes; /* max number of probes */
uint16_t resize; /* resize factor in percent */
Allows altering the ARP packet payload: source and destination
hardware and network addresses.
+config IP_NF_SET
+ tristate "IP set support"
+ depends on INET && NETFILTER
+ help
+ This option adds IP set support to the kernel.
+ In order to define and use sets, you need the userspace utility
+ ipset(8).
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_MAX
+ int "Maximum number of IP sets"
+ default 256
+ range 2 65534
+ depends on IP_NF_SET
+ help
+ You can define here default value of the maximum number
+ of IP sets for the kernel.
+
+ The value can be overriden by the 'max_sets' module
+ parameter of the 'ip_set' module.
+
+config IP_NF_SET_HASHSIZE
+ int "Hash size for bindings of IP sets"
+ default 1024
+ depends on IP_NF_SET
+ help
+ You can define here default value of the hash size for
+ bindings of IP sets.
+
+ The value can be overriden by the 'hash_size' module
+ parameter of the 'ip_set' module.
+
+config IP_NF_SET_IPMAP
+ tristate "ipmap set support"
+ depends on IP_NF_SET
+ help
+ This option adds the ipmap set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_MACIPMAP
+ tristate "macipmap set support"
+ depends on IP_NF_SET
+ help
+ This option adds the macipmap set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_PORTMAP
+ tristate "portmap set support"
+ depends on IP_NF_SET
+ help
+ This option adds the portmap set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_IPHASH
+ tristate "iphash set support"
+ depends on IP_NF_SET
+ help
+ This option adds the iphash set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_NETHASH
+ tristate "nethash set support"
+ depends on IP_NF_SET
+ help
+ This option adds the nethash set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_IPPORTHASH
+ tristate "ipporthash set support"
+ depends on IP_NF_SET
+ help
+ This option adds the ipporthash set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_IPTREE
+ tristate "iptree set support"
+ depends on IP_NF_SET
+ help
+ This option adds the iptree set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_MATCH_SET
+ tristate "set match support"
+ depends on IP_NF_SET
+ help
+ Set matching matches against given IP sets.
+ You need the ipset utility to create and set up the sets.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_TARGET_SET
+ tristate "SET target support"
+ depends on IP_NF_SET
+ help
+ The SET target makes possible to add/delete entries
+ in IP sets.
+ You need the ipset utility to create and set up the sets.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+
endmenu
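Review bot: `config IP_NF_SET_HASHSIZE` accepts any integer because it carries no `range`, unlike `IP_NF_SET_MAX` which is bounded by `range 2 65534`; a zero or negative hash size presumably flows straight into the `hash_size` module parameter the help text mentions, so a lower bound such as `range 1 65534` (the upper bound to be confirmed against what ip_set.c tolerates) would reject it at configuration time. The help texts of both `IP_NF_SET_MAX` and `IP_NF_SET_HASHSIZE` misspell "overriden"; the lines should read `The value can be overridden by the 'max_sets' module` and `The value can be overridden by the 'hash_size' module`.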
obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o
obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
+obj-$(CONFIG_IP_NF_MATCH_SET) += ipt_set.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
# targets
obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
+obj-$(CONFIG_IP_NF_TARGET_SET) += ipt_SET.o
+
+# sets
+obj-$(CONFIG_IP_NF_SET) += ip_set.o
+obj-$(CONFIG_IP_NF_SET_IPMAP) += ip_set_ipmap.o
+obj-$(CONFIG_IP_NF_SET_PORTMAP) += ip_set_portmap.o
+obj-$(CONFIG_IP_NF_SET_MACIPMAP) += ip_set_macipmap.o
+obj-$(CONFIG_IP_NF_SET_IPHASH) += ip_set_iphash.o
+obj-$(CONFIG_IP_NF_SET_NETHASH) += ip_set_nethash.o
+obj-$(CONFIG_IP_NF_SET_IPPORTHASH) += ip_set_ipporthash.o
+obj-$(CONFIG_IP_NF_SET_IPTREE) += ip_set_iptree.o
# generic ARP tables
obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
/* Kernel module for IP set management */
+#include <linux/version.h>
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
#include <linux/config.h>
+#endif
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/kmod.h>
#include <linux/spinlock.h>
#include <linux/vmalloc.h>
-#define ASSERT_READ_LOCK(x) /* dont use that */
+#define ASSERT_READ_LOCK(x)
#define ASSERT_WRITE_LOCK(x)
-#include <linux/netfilter_ipv4/listhelp.h>
#include <linux/netfilter_ipv4/ip_set.h>
static struct list_head set_type_list; /* all registered sets */
* Binding routines
*/
-static inline int
-ip_hash_cmp(const struct ip_set_hash *set_hash,
- ip_set_id_t id, ip_set_ip_t ip)
+static inline struct ip_set_hash *
+__ip_set_find(u_int32_t key, ip_set_id_t id, ip_set_ip_t ip)
{
- return set_hash->id == id && set_hash->ip == ip;
+ struct ip_set_hash *set_hash;
+
+ list_for_each_entry(set_hash, &ip_set_hash[key], list)
+ if (set_hash->id == id && set_hash->ip == ip)
+ return set_hash;
+
+ return NULL;
}
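Review bot: `__ip_set_find` walks `ip_set_hash[key]` with `list_for_each_entry` and takes no lock of its own, so it is only safe while `ip_set_lock` is held; the later replaced call sites sit after `write_lock_bh(&ip_set_lock)`, but the first one (just before the `binding:` DP line) shows no lock within its hunk, so that caller's locking is worth confirming. Document the precondition on the new helper, e.g. `/* Must be called with ip_set_lock held (read or write). */` above the definition. As a point of style, a double-underscore prefix is a reserved identifier in C; the kernel tolerates it, but `ip_set_find_hash` would be the safer spelling.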
static ip_set_id_t
IP_SET_ASSERT(ip_set_list[id]);
DP("set: %s, ip: %u.%u.%u.%u", ip_set_list[id]->name, HIPQUAD(ip));
- set_hash = LIST_FIND(&ip_set_hash[key], ip_hash_cmp,
- struct ip_set_hash *, id, ip);
+ set_hash = __ip_set_find(key, id, ip);
DP("set: %s, ip: %u.%u.%u.%u, binding: %s", ip_set_list[id]->name,
HIPQUAD(ip),
IP_SET_ASSERT(ip_set_list[id]);
DP("set: %s, ip: %u.%u.%u.%u", ip_set_list[id]->name, HIPQUAD(ip));
write_lock_bh(&ip_set_lock);
- set_hash = LIST_FIND(&ip_set_hash[key], ip_hash_cmp,
- struct ip_set_hash *, id, ip);
+ set_hash = __ip_set_find(key, id, ip);
DP("set: %s, ip: %u.%u.%u.%u, binding: %s", ip_set_list[id]->name,
HIPQUAD(ip),
set_hash != NULL ? ip_set_list[set_hash->binding]->name : "");
DP("set: %s, ip: %u.%u.%u.%u, binding: %s", ip_set_list[id]->name,
HIPQUAD(ip), ip_set_list[binding]->name);
write_lock_bh(&ip_set_lock);
- set_hash = LIST_FIND(&ip_set_hash[key], ip_hash_cmp,
- struct ip_set_hash *, id, ip);
+ set_hash = __ip_set_find(key, id, ip);
if (!set_hash) {
set_hash = kmalloc(sizeof(struct ip_set_hash), GFP_KERNEL);
if (!set_hash) {
/* Register and deregister settype */
-static inline int
-set_type_equal(const struct ip_set_type *set_type, const char *str2)
-{
- return !strncmp(set_type->typename, str2, IP_SET_MAXNAMELEN - 1);
-}
-
static inline struct ip_set_type *
find_set_type(const char *name)
{
- return LIST_FIND(&set_type_list,
- set_type_equal,
- struct ip_set_type *,
- name);
+ struct ip_set_type *set_type;
+
+ list_for_each_entry(set_type, &set_type_list, list)
+ if (!strncmp(set_type->typename, name, IP_SET_MAXNAMELEN - 1))
+ return set_type;
+ return NULL;
}
int
ret = -EFAULT;
goto unlock;
}
- list_append(&set_type_list, set_type);
+ list_add(&set_type->list, &set_type_list);
DP("'%s' registered.", set_type->typename);
unlock:
write_unlock_bh(&ip_set_lock);
set_type->typename);
goto unlock;
}
- LIST_DELETE(&set_type_list, set_type);
+ list_del(&set_type->list);
module_put(THIS_MODULE);
DP("'%s' unregistered.", set_type->typename);
unlock:
size_t size)
{
struct ip_set *set;
- ip_set_id_t index, id;
+ ip_set_id_t index = 0, id;
int res = 0;
DP("setname: %s, typename: %s, id: %u", name, typename, restore);
set->type->list_header(set, data + *used);
*used += set_save->header_size;
- DP("set header filled: %s, used: %u %p %p", set->name, *used,
- data, data + *used);
+ DP("set header filled: %s, used: %u(%u) %p %p", set->name, *used,
+ set_save->header_size, data, data + *used);
/* Get and ensure set specific members size */
set_save->members_size = set->type->list_members_size(set);
if (*used + set_save->members_size > len)
set->type->list_members(set, data + *used);
*used += set_save->members_size;
read_unlock_bh(&set->lock);
- DP("set members filled: %s, used: %u %p %p", set->name, *used,
- data, data + *used);
+ DP("set members filled: %s, used: %u(%u) %p %p", set->name, *used,
+ set_save->members_size, data, data + *used);
return 0;
unlock_set:
/* Marker */
set_save = (struct ip_set_save *) (data + *used);
set_save->index = IP_SET_INVALID_ID;
+ set_save->header_size = 0;
+ set_save->members_size = 0;
*used += sizeof(struct ip_set_save);
DP("marker added used %u, len %u", *used, len);
struct ip_set_req_create *req_create
= (struct ip_set_req_create *) data;
- if (len <= sizeof(struct ip_set_req_create)) {
- ip_set_printk("short CREATE data (want >%zu, got %u)",
+ if (len < sizeof(struct ip_set_req_create)) {
+ ip_set_printk("short CREATE data (want >=%zu, got %u)",
sizeof(struct ip_set_req_create), len);
res = -EINVAL;
goto done;
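Review bot: Relaxing `len <= sizeof` to `len < sizeof` now admits a CREATE request carrying no type-specific payload at all, so every set type's create handler must validate `len - sizeof(struct ip_set_req_create)` against its own expected size instead of assuming at least one trailing byte; that check is not visible in this diff and `data` originates from userspace, so it should be confirmed in each type module. The enclosing function starts outside the hunk. If a header-only request is intentionally legal, say so at the check: `/* len == sizeof(*req_create) is valid: a type may need no extra data */`.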
req_setnames->size += sizeof(struct ip_set_list)
+ set->type->header_size
+ set->type->list_members_size(set);
+ /* Sets are identified by id in the hash */
FOREACH_HASH_DO(__set_hash_bindings_size_list,
- i, &req_setnames->size);
+ set->id, &req_setnames->size);
break;
}
case IP_SET_OP_SAVE_SIZE: {
+ set->type->header_size
+ set->type->list_members_size(set);
FOREACH_HASH_DO(__set_hash_bindings_size_save,
- i, &req_setnames->size);
+ set->id, &req_setnames->size);
break;
}
default:
#include <linux/netfilter_ipv4/ip_set_iphash.h>
#include <linux/netfilter_ipv4/ip_set_jhash.h>
+static int limit = MAX_RANGE;
+
static inline __u32
jhash_ip(const struct ip_set_iphash *map, uint16_t i, ip_set_ip_t ip)
{
static inline int
__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
{
- return (hash_id(set, ip, hash_ip) != UINT_MAX);
+ return (ip && hash_id(set, ip, hash_ip) != UINT_MAX);
}
static int
__u32 probe;
u_int16_t i;
ip_set_ip_t *elem;
+
+ if (!ip || map->elements > limit)
+ return -ERANGE;
*hash_ip = ip & map->netmask;
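Review bot: `map->elements > limit` lets a set grow to `limit + 1` entries, because the test runs before the insert while `elements` still equals `limit`; the same off-by-one is repeated in the ipporthash, iptree and nethash `__addip` hunks. `limit` is also a signed `int` compared against the `uint32_t` counter, so a negative value supplied through `module_param(limit, int, 0600)` converts to a very large unsigned bound instead of being rejected. Assuming MAX_RANGE fits, declare it `static unsigned int limit = MAX_RANGE;`, register it with `module_param(limit, uint, 0600);` and test `if (!ip || map->elements >= limit)` in each type. The `__addip` signature is outside this hunk. ipporthash's `__addip` additionally omits the `!ip` guard the other types add; if a zero-valued `hash_ip` can result there it would collide with the `*elem = 0` empty-slot marker, which is worth confirming.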
return -EEXIST;
if (!*elem) {
*elem = *hash_ip;
+ map->elements++;
return 0;
}
}
return -ENOMEM;
}
tmp->hashsize = hashsize;
+ tmp->elements = 0;
tmp->probes = map->probes;
tmp->resize = map->resize;
tmp->netmask = map->netmask;
__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
{
struct ip_set_iphash *map = (struct ip_set_iphash *) set->data;
- ip_set_ip_t id = hash_id(set, ip, hash_ip);
- ip_set_ip_t *elem;
+ ip_set_ip_t id, *elem;
+
+ if (!ip)
+ return -ERANGE;
+ id = hash_id(set, ip, hash_ip);
if (id == UINT_MAX)
return -EEXIST;
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
*elem = 0;
+ map->elements--;
return 0;
}
}
for (i = 0; i < req->probes; i++)
get_random_bytes(((uint32_t *) map->initval)+i, 4);
+ map->elements = 0;
map->hashsize = req->hashsize;
map->probes = req->probes;
map->resize = req->resize;
{
struct ip_set_iphash *map = (struct ip_set_iphash *) set->data;
harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
+ map->elements = 0;
}
static void list_header(const struct ip_set *set, void *data)
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
MODULE_DESCRIPTION("iphash type of IP sets");
+module_param(limit, int, 0600);
+MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
static int __init init(void)
{
#include <linux/netfilter_ipv4/ip_set_ipporthash.h>
#include <linux/netfilter_ipv4/ip_set_jhash.h>
+static int limit = MAX_RANGE;
+
/* We must handle non-linear skbs */
static inline ip_set_ip_t
get_port(const struct sk_buff *skb, u_int32_t flags)
return -EEXIST;
if (!*elem) {
*elem = hash_ip;
+ map->elements++;
return 0;
}
}
__addip(struct ip_set_ipporthash *map, ip_set_ip_t ip, ip_set_ip_t port,
ip_set_ip_t *hash_ip)
{
+ if (map->elements > limit)
+ return -ERANGE;
if (ip < map->first_ip || ip > map->last_ip)
return -ERANGE;
return -ENOMEM;
}
tmp->hashsize = hashsize;
+ tmp->elements = 0;
tmp->probes = map->probes;
tmp->resize = map->resize;
tmp->first_ip = map->first_ip;
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
*elem = 0;
+ map->elements--;
return 0;
}
}
for (i = 0; i < req->probes; i++)
get_random_bytes(((uint32_t *) map->initval)+i, 4);
+ map->elements = 0;
map->hashsize = req->hashsize;
map->probes = req->probes;
map->resize = req->resize;
{
struct ip_set_ipporthash *map = (struct ip_set_ipporthash *) set->data;
harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
+ map->elements = 0;
}
static void list_header(const struct ip_set *set, void *data)
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
MODULE_DESCRIPTION("ipporthash type of IP sets");
+module_param(limit, int, 0600);
+MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
static int __init init(void)
{
#include <linux/netfilter_ipv4/ip_set_iptree.h>
+static int limit = MAX_RANGE;
+
/* Garbage collection interval in seconds: */
#define IPTREE_GC_TIME 5*60
/* Sleep so many milliseconds before trying again
struct ip_set_iptreec *ctree;
struct ip_set_iptreed *dtree;
unsigned char a,b,c,d;
+
+ if (!ip)
+ return -ERANGE;
*hash_ip = ip;
ABCD(a, b, c, d, hash_ip);
unsigned char a,b,c,d;
int ret = 0;
+ if (!ip || map->elements > limit)
+ /* We could call the garbage collector
+ * but it's probably overkill */
+ return -ERANGE;
+
*hash_ip = ip;
ABCD(a, b, c, d, hash_ip);
DP("%u %u %u %u timeout %u", a, b, c, d, timeout);
if (dtree->expires[d] == 0)
dtree->expires[d] = 1;
DP("%u %lu", d, dtree->expires[d]);
+ if (ret == 0)
+ map->elements++;
return ret;
}
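Review bot: `if (ret == 0) map->elements++;` appears to count a re-add of an entry that has expired but not yet been garbage-collected as a new element, while the collector later skips it because `expires[d]` was refreshed, so `elements` can drift upward and never return to zero on delete; this is inferred from the surrounding `expires`/`time_before` logic, and the start of `__addip` is outside the hunk. Increment only when the slot was genuinely empty, e.g. capture `int was_empty = (dtree->expires[d] == 0);` before `expires[d]` is written and use `if (ret == 0 && was_empty) map->elements++;`, or decrement in the expired-re-add path so the two bookkeeping sites agree.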
struct ip_set_iptreed *dtree;
unsigned char a,b,c,d;
+ if (!ip)
+ return -ERANGE;
+
*hash_ip = ip;
ABCD(a, b, c, d, hash_ip);
DELIP_WALK(map, a, btree);
if (dtree->expires[d]) {
dtree->expires[d] = 0;
+ map->elements--;
return 0;
}
return -EEXIST;
a, b, c, d,
dtree->expires[d], jiffies);
if (map->timeout
- && time_before(dtree->expires[d], jiffies))
+ && time_before(dtree->expires[d], jiffies)) {
dtree->expires[d] = 0;
- else
+ map->elements--;
+ } else
k = 1;
}
}
}
memset(map, 0, sizeof(*map));
map->timeout = req->timeout;
+ map->elements = 0;
set->data = map;
init_gc_timer(set);
LOOP_WALK_END;
kmem_cache_free(branch_cachep, btree);
LOOP_WALK_END;
+ map->elements = 0;
}
static void destroy(struct ip_set *set)
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
MODULE_DESCRIPTION("iptree type of IP sets");
+module_param(limit, int, 0600);
+MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
static int __init init(void)
{
#include <linux/netfilter_ipv4/ip_set_nethash.h>
#include <linux/netfilter_ipv4/ip_set_jhash.h>
+static int limit = MAX_RANGE;
+
static inline __u32
jhash_ip(const struct ip_set_nethash *map, uint16_t i, ip_set_ip_t ip)
{
{
struct ip_set_nethash *map = (struct ip_set_nethash *) set->data;
- return (hash_id_cidr(map, ip, cidr, hash_ip) != UINT_MAX);
+ return (ip && hash_id_cidr(map, ip, cidr, hash_ip) != UINT_MAX);
}
static inline int
__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
{
- return (hash_id(set, ip, hash_ip) != UINT_MAX);
+ return (ip && hash_id(set, ip, hash_ip) != UINT_MAX);
}
static int
return -EEXIST;
if (!*elem) {
*elem = ip;
+ map->elements++;
return 0;
}
}
__addip(struct ip_set_nethash *map, ip_set_ip_t ip, unsigned char cidr,
ip_set_ip_t *hash_ip)
{
+ if (!ip || map->elements > limit)
+ return -ERANGE;
+
*hash_ip = pack(ip, cidr);
DP("%u.%u.%u.%u/%u, %u.%u.%u.%u", HIPQUAD(ip), cidr, HIPQUAD(*hash_ip));
return -ENOMEM;
}
tmp->hashsize = hashsize;
+ tmp->elements = 0;
tmp->probes = map->probes;
tmp->resize = map->resize;
memcpy(tmp->initval, map->initval, map->probes * sizeof(uint32_t));
__delip(struct ip_set_nethash *map, ip_set_ip_t ip, unsigned char cidr,
ip_set_ip_t *hash_ip)
{
- ip_set_ip_t id = hash_id_cidr(map, ip, cidr, hash_ip);
- ip_set_ip_t *elem;
+ ip_set_ip_t id, *elem;
+ if (!ip)
+ return -ERANGE;
+
+ id = hash_id_cidr(map, ip, cidr, hash_ip);
if (id == UINT_MAX)
return -EEXIST;
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
*elem = 0;
+ map->elements--;
return 0;
}
}
for (i = 0; i < req->probes; i++)
get_random_bytes(((uint32_t *) map->initval)+i, 4);
+ map->elements = 0;
map->hashsize = req->hashsize;
map->probes = req->probes;
map->resize = req->resize;
struct ip_set_nethash *map = (struct ip_set_nethash *) set->data;
harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
memset(map->cidr, 0, 30 * sizeof(unsigned char));
+ map->elements = 0;
}
static void list_header(const struct ip_set *set, void *data)
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
MODULE_DESCRIPTION("nethash type of IP sets");
+module_param(limit, int, 0600);
+MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
static int __init init(void)
{
#include <linux/netdevice.h>
#include <linux/if.h>
#include <linux/inetdevice.h>
+#include <linux/version.h>
#include <net/protocol.h>
#include <net/checksum.h>
#include <linux/netfilter_ipv4.h>
const struct net_device *in,
const struct net_device *out,
unsigned int hooknum,
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
+ const struct xt_target *target,
+#endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
const void *targinfo,
void *userinfo)
+#else
+ const void *targinfo)
+#endif
{
const struct ipt_set_info_target *info = targinfo;
static int
checkentry(const char *tablename,
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
+ const void *e,
+#else
const struct ipt_entry *e,
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
+ const struct xt_target *target,
+#endif
void *targinfo,
- unsigned int targinfosize, unsigned int hook_mask)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+ unsigned int targinfosize,
+#endif
+ unsigned int hook_mask)
{
struct ipt_set_info_target *info =
(struct ipt_set_info_target *) targinfo;
ip_set_id_t index;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
if (targinfosize != IPT_ALIGN(sizeof(*info))) {
DP("bad target info size %u", targinfosize);
return 0;
}
+#endif
if (info->add_set.index != IP_SET_INVALID_ID) {
index = ip_set_get_byindex(info->add_set.index);
return 1;
}
-static void destroy(void *targetinfo, unsigned int targetsize)
+static void destroy(
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
+ const struct xt_target *target,
+#endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+ void *targetinfo, unsigned int targetsize)
+#else
+ void *targetinfo)
+#endif
{
struct ipt_set_info_target *info = targetinfo;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
if (targetsize != IPT_ALIGN(sizeof(struct ipt_set_info_target))) {
ip_set_printk("invalid targetsize %d", targetsize);
return;
}
-
+#endif
if (info->add_set.index != IP_SET_INVALID_ID)
ip_set_put(info->add_set.index);
if (info->del_set.index != IP_SET_INVALID_ID)
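Review bot: The `LINUX_VERSION_CODE` ladders in `target`, `checkentry`, `destroy` and the `SET_target` initializer are duplicated almost verbatim in ipt_set.c's `match`, `checkentry` and `destroy`; as a point of style, the three cut-offs (2.6.16, 2.6.17, 2.6.19) would be easier to audit from one place, such as a small compat header that defines the extra parameter lists, than from interleaved `#if` blocks in every signature. Each of these functions' bodies continues outside its hunk. The pre-existing `ip_set_printk("invalid targetsize %d", targetsize);` now sits inside the new `< 2.6.19` block and prints an `unsigned int` with `%d`; changing it to `ip_set_printk("invalid targetsize %u", targetsize);` while touching the line would match the `DP("bad target info size %u", ...)` form used in `checkentry`.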
static struct ipt_target SET_target = {
.name = "SET",
.target = target,
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
+ .targetsize = sizeof(struct ipt_set_info_target),
+#endif
.checkentry = checkentry,
.destroy = destroy,
.me = THIS_MODULE
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
MODULE_DESCRIPTION("iptables IP set target module");
-static int __init init(void)
+static int __init ipt_SET_init(void)
{
return ipt_register_target(&SET_target);
}
-static void __exit fini(void)
+static void __exit ipt_SET_fini(void)
{
ipt_unregister_target(&SET_target);
}
-module_init(init);
-module_exit(fini);
+module_init(ipt_SET_init);
+module_exit(ipt_SET_fini);
#include <linux/module.h>
#include <linux/ip.h>
#include <linux/skbuff.h>
+#include <linux/version.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_set.h>
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
+ const struct xt_match *match,
+#endif
const void *matchinfo,
- int offset,
- int *hotdrop)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
+ int offset, unsigned int protoff, int *hotdrop)
+#else
+ int offset, int *hotdrop)
+#endif
{
const struct ipt_set_info_match *info = matchinfo;
static int
checkentry(const char *tablename,
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,16)
+ const void *inf,
+#else
const struct ipt_ip *ip,
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
+ const struct xt_match *match,
+#endif
void *matchinfo,
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
unsigned int matchsize,
+#endif
unsigned int hook_mask)
{
struct ipt_set_info_match *info =
(struct ipt_set_info_match *) matchinfo;
ip_set_id_t index;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
ip_set_printk("invalid matchsize %d", matchsize);
return 0;
}
+#endif
index = ip_set_get_byindex(info->match_set.index);
return 1;
}
-static void destroy(void *matchinfo, unsigned int matchsize)
+static void destroy(
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
+ const struct xt_match *match,
+#endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
+ void *matchinfo, unsigned int matchsize)
+#else
+ void *matchinfo)
+#endif
{
struct ipt_set_info_match *info = matchinfo;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
ip_set_printk("invalid matchsize %d", matchsize);
return;
}
-
+#endif
ip_set_put(info->match_set.index);
}
static struct ipt_match set_match = {
.name = "set",
.match = &match,
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17)
+ .matchsize = sizeof(struct ipt_set_info_match),
+#endif
.checkentry = &checkentry,
.destroy = &destroy,
.me = THIS_MODULE
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
MODULE_DESCRIPTION("iptables IP set match module");
-static int __init init(void)
+static int __init ipt_ipset_init(void)
{
return ipt_register_match(&set_match);
}
-static void __exit fini(void)
+static void __exit ipt_ipset_fini(void)
{
ipt_unregister_match(&set_match);
}
-module_init(init);
-module_exit(fini);
+module_init(ipt_ipset_init);
+module_exit(ipt_ipset_fini);
/usr/include/gnu/stubs.h \
/usr/include/bits/wordsize.h \
/usr/include/gnu/stubs-32.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stddef.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stddef.h \
/usr/include/bits/types.h \
/usr/include/bits/typesizes.h \
/usr/include/libio.h \
/usr/include/wchar.h \
/usr/include/bits/wchar.h \
/usr/include/gconv.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stdarg.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stdarg.h \
/usr/include/bits/stdio_lim.h \
/usr/include/bits/sys_errlist.h \
/usr/include/bits/stdio.h \
/usr/include/bits/posix_opt.h \
/usr/include/bits/confname.h \
/usr/include/getopt.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/limits.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/syslimits.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/limits.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/syslimits.h \
/usr/include/limits.h \
/usr/include/bits/posix1_lim.h \
/usr/include/bits/local_lim.h \
/usr/include/bits/wordsize.h \
/usr/include/gnu/stubs-32.h \
/usr/include/bits/types.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stddef.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stddef.h \
/usr/include/bits/typesizes.h \
/usr/include/time.h \
/usr/include/endian.h \
/usr/include/wchar.h \
/usr/include/bits/wchar.h \
/usr/include/gconv.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stdarg.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stdarg.h \
/usr/include/bits/stdio_lim.h \
/usr/include/bits/sys_errlist.h \
/usr/include/bits/stdio.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/limits.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/syslimits.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/limits.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/syslimits.h \
/usr/include/limits.h \
/usr/include/bits/posix1_lim.h \
/usr/include/bits/local_lim.h \
/usr/include/bits/wordsize.h \
/usr/include/gnu/stubs-32.h \
/usr/include/bits/types.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stddef.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stddef.h \
/usr/include/bits/typesizes.h \
/usr/include/endian.h \
/usr/include/bits/endian.h \
/usr/include/wchar.h \
/usr/include/bits/wchar.h \
/usr/include/gconv.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stdarg.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stdarg.h \
/usr/include/bits/stdio_lim.h \
/usr/include/bits/sys_errlist.h \
/usr/include/bits/stdio.h \
scripts/kconfig/lkc.h \
$(wildcard include/config/list.h) \
scripts/kconfig/expr.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stdbool.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stdbool.h \
/usr/include/libintl.h \
/usr/include/locale.h \
/usr/include/bits/locale.h \
/usr/include/gnu/stubs.h \
/usr/include/bits/wordsize.h \
/usr/include/gnu/stubs-32.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stddef.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stddef.h \
/usr/include/sys/types.h \
/usr/include/bits/types.h \
/usr/include/bits/typesizes.h \
/usr/include/wchar.h \
/usr/include/bits/wchar.h \
/usr/include/gconv.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stdarg.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stdarg.h \
/usr/include/bits/stdio_lim.h \
/usr/include/bits/sys_errlist.h \
/usr/include/bits/stdio.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stdbool.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stdbool.h \
/usr/include/libintl.h \
/usr/include/locale.h \
/usr/include/bits/locale.h \
/usr/include/signal.h \
/usr/include/bits/sigset.h \
/usr/include/bits/types.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stddef.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stddef.h \
/usr/include/bits/typesizes.h \
/usr/include/bits/signum.h \
/usr/include/time.h \
/usr/include/sys/select.h \
/usr/include/bits/select.h \
/usr/include/sys/sysmacros.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/limits.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/syslimits.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/limits.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/syslimits.h \
/usr/include/limits.h \
/usr/include/bits/posix1_lim.h \
/usr/include/bits/local_lim.h \
/usr/include/linux/limits.h \
/usr/include/bits/posix2_lim.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stdarg.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stdarg.h \
/usr/include/stdlib.h \
/usr/include/alloca.h \
/usr/include/string.h \
/usr/include/bits/stdio_lim.h \
/usr/include/bits/sys_errlist.h \
/usr/include/bits/stdio.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stdbool.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stdbool.h \
/usr/include/libintl.h \
scripts/kconfig/lkc_proto.h \
/usr/include/bits/wordsize.h \
/usr/include/gnu/stubs-32.h \
/usr/include/bits/types.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stddef.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stddef.h \
/usr/include/bits/typesizes.h \
/usr/include/endian.h \
/usr/include/bits/endian.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stdarg.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stdarg.h \
/usr/include/stdio.h \
/usr/include/libio.h \
/usr/include/_G_config.h \
/usr/include/string.h \
/usr/include/bits/string.h \
/usr/include/bits/string2.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/stdbool.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/stdbool.h \
scripts/kconfig/lkc.h \
$(wildcard include/config/list.h) \
scripts/kconfig/expr.h \
/usr/include/bits/errno.h \
/usr/include/linux/errno.h \
/usr/include/asm/errno.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/limits.h \
- /usr/lib/gcc/i386-redhat-linux/4.0.1/include/syslimits.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/limits.h \
+ /usr/lib/gcc/i386-redhat-linux/4.0.2/include/syslimits.h \
/usr/include/limits.h \
/usr/include/bits/posix1_lim.h \
/usr/include/bits/local_lim.h \
/usr/include/bits/posix_opt.h \
/usr/include/bits/confname.h \
/usr/include/getopt.h \
- scripts/kconfig/lkc.h \
scripts/kconfig/util.c \
- scripts/kconfig/lkc.h \
scripts/kconfig/confdata.c \
$(wildcard include/config/config.h) \
$(wildcard include/config/.h) \
/usr/include/bits/stat.h \
/usr/include/fcntl.h \
/usr/include/bits/fcntl.h \
- scripts/kconfig/lkc.h \
scripts/kconfig/expr.c \
- scripts/kconfig/lkc.h \
scripts/kconfig/symbol.c \
/usr/include/regex.h \
/usr/include/sys/utsname.h \
/usr/include/bits/utsname.h \
- scripts/kconfig/lkc.h \
scripts/kconfig/menu.c \
- scripts/kconfig/lkc.h \
scripts/kconfig/zconf.tab.o: $(deps_scripts/kconfig/zconf.tab.o)