[netfilter-cvslog] r3308 - in trunk/patch-o-matic-ng/set:
linux/include/linux/netfilter_ipv4 linux/net/ipv4/netfilter
linux-2.6/include/linux/netfilter_ipv4 linux-2.6/net/ipv4/netfilter
kadlec at netfilter.org
kadlec at netfilter.org
Mon Dec 6 10:33:00 CET 2004
Author: kadlec at netfilter.org
Date: 2004-12-06 10:32:59 +0100 (Mon, 06 Dec 2004)
New Revision: 3308
Added:
trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_malloc.h
trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set_malloc.h
Modified:
trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set.h
trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ipt_set.h
trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_iphash.c
trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_macipmap.c
trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c
trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_set.c
trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set.h
trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ipt_set.h
trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set.c
trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_iphash.c
trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_macipmap.c
trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_SET.c
trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_set.c
Log:
macipmap bugfix with normalized memory management (JK)
Modified: trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set.h
===================================================================
--- trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set.h 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set.h 2004-12-06 09:32:59 UTC (rev 3308)
@@ -66,8 +66,8 @@
#define IP_SET_INVALID_ID 65535
-/* How deep we follow bindings (minus one) */
-#define IP_SET_MAX_BINDINGS 7
+/* How deep we follow bindings */
+#define IP_SET_MAX_BINDINGS 6
/*
* Option flags for kernel operations (ipt_set_info)
Added: trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set_malloc.h
===================================================================
--- trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set_malloc.h 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ip_set_malloc.h 2004-12-06 09:32:59 UTC (rev 3308)
@@ -0,0 +1,27 @@
+#ifndef _IP_SET_MALLOC_H
+#define _IP_SET_MALLOC_H
+
+#ifdef __KERNEL__
+
+/* Memory allocation and deallocation */
+static size_t max_malloc_size = 131072; /* Guaranteed: slab.c */
+
+static inline void * ip_set_malloc(size_t bytes)
+{
+ if (bytes > max_malloc_size)
+ return vmalloc(bytes);
+ else
+ return kmalloc(bytes, GFP_KERNEL);
+}
+
+static inline void ip_set_free(void * data, size_t bytes)
+{
+ if (bytes > max_malloc_size)
+ vfree(data);
+ else
+ kfree(data);
+}
+
+#endif /* __KERNEL__ */
+
+#endif /*_IP_SET_MALLOC_H*/
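Review bot: This new header calls `kmalloc`, `kfree`, `vmalloc` and `vfree` but includes nothing, so it only compiles when every includer has already pulled in `<linux/slab.h>` and `<linux/vmalloc.h>`. Adding those two includes inside the `#ifdef __KERNEL__` block would make it self-contained. `ip_set_free()` chooses between `vfree` and `kfree` from its `bytes` argument alone, so a caller that passes a size on the other side of `max_malloc_size` from the one it allocated with hands the pointer to the wrong allocator. That contract deserves a comment on the function, e.g. `/* bytes must equal the size passed to ip_set_malloc() for this pointer */`. The linux-2.6 copy of the header has the same pairing contract.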
Modified: trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ipt_set.h
===================================================================
--- trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ipt_set.h 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/include/linux/netfilter_ipv4/ipt_set.h 2004-12-06 09:32:59 UTC (rev 3308)
@@ -5,7 +5,7 @@
struct ipt_set_info {
ip_set_id_t index;
- u_int32_t flags[IP_SET_MAX_BINDINGS];
+ u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
};
/* match info */
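Review bot: The extra element added by `flags[IP_SET_MAX_BINDINGS + 1]` is undocumented, although the checks added in ipt_SET.c and ipt_set.c in this commit reject any rule whose `flags[IP_SET_MAX_BINDINGS]` is non-zero, so the last slot acts as a mandatory zero terminator. A comment on the field would make that contract visible to whoever fills the structure, for example `/* flags[IP_SET_MAX_BINDINGS] is a terminator and must be 0 */`. With the constant lowered from 7 to 6 in ip_set.h the array still has seven elements, so the structure size appears unchanged. Any other use of `IP_SET_MAX_BINDINGS` as an array bound now shrinks by one and is worth checking. The linux-2.6 copy of this header carries the same change.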
Modified: trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set.c 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set.c 2004-12-06 09:32:59 UTC (rev 3308)
@@ -1087,16 +1087,22 @@
set_list->ref = atomic_read(&set->ref);
/* Fill in set spefific header data */
+ DP("call list_header");
set->type->list_header(set, data + *used);
+ DP("call list_header, done");
*used += set_list->header_size;
/* Get and ensure set specific members size */
+ DP("call list_members_size");
set_list->members_size = set->type->list_members_size(set);
+ DP("call list_members_size, done");
if (*used + set_list->members_size > len)
goto unlock_set;
/* Fill in set spefific members data */
+ DP("call list_members");
set->type->list_members(set, data + *used);
+ DP("call list_members, done");
*used += set_list->members_size;
read_unlock_bh(&set->lock);
Modified: trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_iphash.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_iphash.c 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_iphash.c 2004-12-06 09:32:59 UTC (rev 3308)
@@ -22,6 +22,7 @@
#include <net/ip.h>
+#include <linux/netfilter_ipv4/ip_set_malloc.h>
#include <linux/netfilter_ipv4/ip_set_iphash.h>
#include <linux/netfilter_ipv4/ip_set_jhash.h>
#include <linux/netfilter_ipv4/ip_set_prime.h>
@@ -176,7 +177,7 @@
tmp.hashsize = hashsize;
newbytes = hashsize * sizeof(ip_set_ip_t);
- tmp.members = vmalloc(newbytes);
+ tmp.members = ip_set_malloc(newbytes);
if (!tmp.members) {
DP("out of memory for %d bytes", newbytes);
return -ENOMEM;
@@ -191,20 +192,22 @@
}
if (res) {
/* Failure, try again */
- vfree(tmp.members);
write_unlock_bh(&set->lock);
+ ip_set_free(tmp.members, newbytes);
goto again;
}
/* Success at resizing! */
members = map->members;
+ hashsize = map->hashsize;
+
map->initval = tmp.initval;
map->prime = tmp.prime;
map->hashsize = tmp.hashsize;
map->members = tmp.members;
write_unlock_bh(&set->lock);
- vfree(members);
+ ip_set_free(members, hashsize * sizeof(ip_set_ip_t));
return 0;
}
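Review bot: Both frees now run after `write_unlock_bh(&set->lock)`, but nothing in the code says why, so a later cleanup could move them back under the lock. `ip_set_free()` may end up in `vfree`, which should not be called while bottom halves are disabled. A one-line comment such as `/* free outside the lock: vfree() must not run with BHs disabled */` above each call would preserve the reasoning. Reusing `hashsize` to hold the old table size on the success path is correct here but easy to misread; a separate local for the old size would be clearer. The function starts outside this hunk, and the linux-2.6 copy of ip_set_iphash.c has the same change.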
@@ -280,7 +283,7 @@
map->resize = req->resize;
map->netmask = req->netmask;
newbytes = map->hashsize * sizeof(ip_set_ip_t);
- map->members = vmalloc(newbytes);
+ map->members = ip_set_malloc(newbytes);
if (!map->members) {
DP("out of memory for %d bytes", newbytes);
kfree(map);
@@ -296,7 +299,7 @@
{
struct ip_set_iphash *map = (struct ip_set_iphash *) set->data;
- vfree(map->members);
+ ip_set_free(map->members, map->hashsize * sizeof(ip_set_ip_t));
kfree(map);
set->data = NULL;
Modified: trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_macipmap.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_macipmap.c 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ip_set_macipmap.c 2004-12-06 09:32:59 UTC (rev 3308)
@@ -23,6 +23,7 @@
#include <linux/if_ether.h>
#include <linux/vmalloc.h>
+#include <linux/netfilter_ipv4/ip_set_malloc.h>
#include <linux/netfilter_ipv4/ip_set_macipmap.h>
static int
@@ -47,8 +48,6 @@
set->name, NIPQUAD(req->ip), NIPQUAD(*hash_ip));
if (test_bit(IPSET_MACIP_ISSET,
&table[req->ip - map->first_ip].flags)) {
- /* Is mac pointer valid?
- * If so, compare... */
return (memcmp(req->ethernet,
&table[req->ip - map->first_ip].ethernet,
ETH_ALEN) == 0);
@@ -192,6 +191,11 @@
hash_ip);
}
+static inline size_t members_size(ip_set_id_t from, ip_set_id_t to)
+{
+ return (size_t)((to - from + 1) * sizeof(struct ip_set_macip));
+}
+
static int create(struct ip_set *set, const void *data, size_t size)
{
int newbytes;
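Review bot: `members_size()` declares `from` and `to` as `ip_set_id_t`, but every caller in this file passes `map->first_ip` and `map->last_ip`, which are IP addresses. ip_set.h defines `IP_SET_INVALID_ID` as 65535, which suggests `ip_set_id_t` is a 16-bit type (the typedef is not in this diff). If so, the addresses are truncated before the subtraction, and a range crossing a 64K boundary gives a wrong size for the allocation, the `memset` and the `memcpy`, while lookups still index `table[req->ip - map->first_ip]` with the full addresses. Declaring it as `static inline size_t members_size(ip_set_ip_t from, ip_set_ip_t to)` avoids the narrowing. The linux-2.6 copy of ip_set_macipmap.c has the same signature, and `create()` continues outside this hunk.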
@@ -229,8 +233,9 @@
map->flags = req->flags;
map->first_ip = req->from;
map->last_ip = req->to;
- newbytes = (req->to - req->from + 1) * sizeof(struct ip_set_macip);
- map->members = vmalloc(newbytes);
+ newbytes = members_size(map->first_ip, map->last_ip);
+ map->members = ip_set_malloc(newbytes);
+ DP("members: %u %p", newbytes, map->members);
if (!map->members) {
DP("out of memory for %d bytes", newbytes);
kfree(map);
@@ -247,7 +252,7 @@
struct ip_set_macipmap *map =
(struct ip_set_macipmap *) set->data;
- vfree(map->members);
+ ip_set_free(map->members, members_size(map->first_ip, map->last_ip));
kfree(map);
set->data = NULL;
@@ -257,8 +262,7 @@
{
struct ip_set_macipmap *map =
(struct ip_set_macipmap *) set->data;
- memset(map->members, 0, (map->last_ip - map->first_ip)
- * sizeof(struct ip_set_macip));
+ memset(map->members, 0, members_size(map->first_ip, map->last_ip));
}
static int list_header_size(const struct ip_set *set)
@@ -286,8 +290,8 @@
struct ip_set_macipmap *map =
(struct ip_set_macipmap *) set->data;
- return (map->last_ip
- - map->first_ip + 1) * sizeof(struct ip_set_macip);
+ DP("%u", members_size(map->first_ip, map->last_ip));
+ return members_size(map->first_ip, map->last_ip);
}
static void list_members(const struct ip_set *set, void *data)
@@ -295,9 +299,9 @@
struct ip_set_macipmap *map =
(struct ip_set_macipmap *) set->data;
- int bytes = (map->last_ip -
- - map->first_ip + 1) * sizeof(struct ip_set_macip);
+ int bytes = members_size(map->first_ip, map->last_ip);
+ DP("members: %u %p", bytes, map->members);
memcpy(data, map->members, bytes);
}
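Review bot: `int bytes` receives the `size_t` returned by `members_size()` and is then used as the `memcpy` length and printed with `%u`. `size_t bytes = members_size(map->first_ip, map->last_ip);` with a matching format or cast in the `DP()` call would keep the length unsigned throughout. `create()` has the same narrowing with `int newbytes`, and the linux-2.6 copy also keeps `int bytes`. The copy into `data` is not bounded in this function; the length check visible in ip_set.c relies on `list_members_size()` reporting the same value, which now holds because both go through `members_size()`. A comment stating that dependency would keep the two from drifting apart again.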
Modified: trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_SET.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_SET.c 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_SET.c 2004-12-06 09:32:59 UTC (rev 3308)
@@ -78,7 +78,11 @@
return 0; /* error */
}
}
-
+ if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
+ || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
+ ip_set_printk("That's nasty!");
+ return 0; /* error */
+ }
return 1;
}
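Review bot: The message `"That's nasty!"` gives an administrator reading the kernel log no indication of which field of the rule was rejected or why. A message that names the condition would make a malformed or hostile rule blob diagnosable, e.g. `ip_set_printk("binding flags are not zero-terminated");`. A short comment above the test, such as `/* last flags slot is a terminator; reject rules that fill it */`, would also explain why only index `IP_SET_MAX_BINDINGS` is examined. The same string is added in ipt_set.c and in both linux-2.6 copies. The enclosing function starts outside this hunk.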
Modified: trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_set.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_set.c 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux/net/ipv4/netfilter/ipt_set.c 2004-12-06 09:32:59 UTC (rev 3308)
@@ -68,6 +68,10 @@
info->match_set.index);
return 0; /* error */
}
+ if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
+ ip_set_printk("That's nasty!");
+ return 0; /* error */
+ }
return 1;
}
Modified: trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set.h
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set.h 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set.h 2004-12-06 09:32:59 UTC (rev 3308)
@@ -66,8 +66,8 @@
#define IP_SET_INVALID_ID 65535
-/* How deep we follow bindings (minus one) */
-#define IP_SET_MAX_BINDINGS 7
+/* How deep we follow bindings */
+#define IP_SET_MAX_BINDINGS 6
/*
* Option flags for kernel operations (ipt_set_info)
Added: trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_malloc.h
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_malloc.h 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_malloc.h 2004-12-06 09:32:59 UTC (rev 3308)
@@ -0,0 +1,34 @@
+#ifndef _IP_SET_MALLOC_H
+#define _IP_SET_MALLOC_H
+
+#ifdef __KERNEL__
+
+/* Memory allocation and deallocation */
+static size_t max_malloc_size = 0;
+
+static inline void init_max_malloc_size(void)
+{
+#define CACHE(x) max_malloc_size = x;
+#include <linux/kmalloc_sizes.h>
+#undef CACHE
+}
+
+static inline void * ip_set_malloc(size_t bytes)
+{
+ if (bytes > max_malloc_size)
+ return vmalloc(bytes);
+ else
+ return kmalloc(bytes, GFP_KERNEL);
+}
+
+static inline void ip_set_free(void * data, size_t bytes)
+{
+ if (bytes > max_malloc_size)
+ vfree(data);
+ else
+ kfree(data);
+}
+
+#endif /* __KERNEL__ */
+
+#endif /*_IP_SET_MALLOC_H*/
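Review bot: `max_malloc_size` is a `static` defined in a header, so each file that includes it gets its own copy, which stays 0 until that file calls `init_max_malloc_size()`; with 0, every non-empty request silently goes to `vmalloc`. This commit adds the call to the init functions of ip_set_iphash.c and ip_set_macipmap.c, but nothing enforces it for a future includer. A comment above the variable would help, for example `/* per-file copy: call init_max_malloc_size() from module init before any ip_set_malloc() */`. `init_max_malloc_size()` also appears to depend on `<linux/kmalloc_sizes.h>` listing its `CACHE()` entries in ascending order, so that the last assignment is the largest size. That assumption belongs in a comment next to `#define CACHE(x)`.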
Modified: trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ipt_set.h
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ipt_set.h 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/include/linux/netfilter_ipv4/ipt_set.h 2004-12-06 09:32:59 UTC (rev 3308)
@@ -5,7 +5,7 @@
struct ipt_set_info {
ip_set_id_t index;
- u_int32_t flags[IP_SET_MAX_BINDINGS];
+ u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
};
/* match info */
Modified: trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_iphash.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_iphash.c 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_iphash.c 2004-12-06 09:32:59 UTC (rev 3308)
@@ -21,6 +21,7 @@
#include <net/ip.h>
+#include <linux/netfilter_ipv4/ip_set_malloc.h>
#include <linux/netfilter_ipv4/ip_set_iphash.h>
#include <linux/netfilter_ipv4/ip_set_jhash.h>
#include <linux/netfilter_ipv4/ip_set_prime.h>
@@ -175,7 +176,7 @@
tmp.hashsize = hashsize;
newbytes = hashsize * sizeof(ip_set_ip_t);
- tmp.members = vmalloc(newbytes);
+ tmp.members = ip_set_malloc(newbytes);
if (!tmp.members) {
DP("out of memory for %d bytes", newbytes);
return -ENOMEM;
@@ -190,20 +191,22 @@
}
if (res) {
/* Failure, try again */
- vfree(tmp.members);
write_unlock_bh(&set->lock);
+ ip_set_free(tmp.members, newbytes);
goto again;
}
/* Success at resizing! */
members = map->members;
+ hashsize = map->hashsize;
+
map->initval = tmp.initval;
map->prime = tmp.prime;
map->hashsize = tmp.hashsize;
map->members = tmp.members;
write_unlock_bh(&set->lock);
- vfree(members);
+ ip_set_free(members, hashsize * sizeof(ip_set_ip_t));
return 0;
}
@@ -279,7 +282,7 @@
map->resize = req->resize;
map->netmask = req->netmask;
newbytes = map->hashsize * sizeof(ip_set_ip_t);
- map->members = vmalloc(newbytes);
+ map->members = ip_set_malloc(newbytes);
if (!map->members) {
DP("out of memory for %d bytes", newbytes);
kfree(map);
@@ -295,7 +298,7 @@
{
struct ip_set_iphash *map = (struct ip_set_iphash *) set->data;
- vfree(map->members);
+ ip_set_free(map->members, map->hashsize * sizeof(ip_set_ip_t));
kfree(map);
set->data = NULL;
@@ -367,6 +370,7 @@
static int __init init(void)
{
+ init_max_malloc_size();
return ip_set_register_set_type(&ip_set_iphash);
}
Modified: trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_macipmap.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_macipmap.c 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ip_set_macipmap.c 2004-12-06 09:32:59 UTC (rev 3308)
@@ -22,6 +22,7 @@
#include <linux/if_ether.h>
#include <linux/vmalloc.h>
+#include <linux/netfilter_ipv4/ip_set_malloc.h>
#include <linux/netfilter_ipv4/ip_set_macipmap.h>
static int
@@ -46,8 +47,6 @@
set->name, NIPQUAD(req->ip), NIPQUAD(*hash_ip));
if (test_bit(IPSET_MACIP_ISSET,
(void *) &table[req->ip - map->first_ip].flags)) {
- /* Is mac pointer valid?
- * If so, compare... */
return (memcmp(req->ethernet,
&table[req->ip - map->first_ip].ethernet,
ETH_ALEN) == 0);
@@ -192,6 +191,11 @@
hash_ip);
}
+static inline size_t members_size(ip_set_id_t from, ip_set_id_t to)
+{
+ return (size_t)((to - from + 1) * sizeof(struct ip_set_macip));
+}
+
static int create(struct ip_set *set, const void *data, size_t size)
{
int newbytes;
@@ -229,8 +233,8 @@
map->flags = req->flags;
map->first_ip = req->from;
map->last_ip = req->to;
- newbytes = (req->to - req->from + 1) * sizeof(struct ip_set_macip);
- map->members = vmalloc(newbytes);
+ newbytes = members_size(map->first_ip, map->last_ip);
+ map->members = ip_set_malloc(newbytes);
if (!map->members) {
DP("out of memory for %d bytes", newbytes);
kfree(map);
@@ -247,7 +251,7 @@
struct ip_set_macipmap *map =
(struct ip_set_macipmap *) set->data;
- vfree(map->members);
+ ip_set_free(map->members, members_size(map->first_ip, map->last_ip));
kfree(map);
set->data = NULL;
@@ -257,8 +261,7 @@
{
struct ip_set_macipmap *map =
(struct ip_set_macipmap *) set->data;
- memset(map->members, 0, (map->last_ip - map->first_ip)
- * sizeof(struct ip_set_macip));
+ memset(map->members, 0, members_size(map->first_ip, map->last_ip));
}
static int list_header_size(const struct ip_set *set)
@@ -286,8 +289,7 @@
struct ip_set_macipmap *map =
(struct ip_set_macipmap *) set->data;
- return (map->last_ip
- - map->first_ip + 1) * sizeof(struct ip_set_macip);
+ return members_size(map->first_ip, map->last_ip);
}
static void list_members(const struct ip_set *set, void *data)
@@ -295,8 +297,7 @@
struct ip_set_macipmap *map =
(struct ip_set_macipmap *) set->data;
- int bytes = (map->last_ip -
- - map->first_ip + 1) * sizeof(struct ip_set_macip);
+ int bytes = members_size(map->first_ip, map->last_ip);
memcpy(data, map->members, bytes);
}
@@ -328,6 +329,7 @@
static int __init init(void)
{
+ init_max_malloc_size();
return ip_set_register_set_type(&ip_set_macipmap);
}
Modified: trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c 2004-12-06 09:32:59 UTC (rev 3308)
@@ -78,6 +78,11 @@
return 0; /* error */
}
}
+ if (info->add_set.flags[IP_SET_MAX_BINDINGS] != 0
+ || info->del_set.flags[IP_SET_MAX_BINDINGS] != 0) {
+ ip_set_printk("That's nasty!");
+ return 0; /* error */
+ }
return 1;
}
Modified: trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_set.c
===================================================================
--- trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_set.c 2004-12-01 13:34:59 UTC (rev 3307)
+++ trunk/patch-o-matic-ng/set/linux-2.6/net/ipv4/netfilter/ipt_set.c 2004-12-06 09:32:59 UTC (rev 3308)
@@ -66,6 +66,10 @@
info->match_set.index);
return 0; /* error */
}
+ if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
+ ip_set_printk("That's nasty!");
+ return 0; /* error */
+ }
return 1;
}