[netfilter-cvslog] r6592 - in trunk/patch-o-matic-ng/patchlets/set:
linux/include/linux/netfilter_ipv4 linux/net/ipv4/netfilter
linux-2.6/include/linux/netfilter_ipv4 linux-2.6/net/ipv4/netfilter
Mon May 8 11:52:52 CEST 2006
Author: kadlec at netfilter.org
Date: 2006-05-08 11:52:48 +0200 (Mon, 08 May 2006)
New Revision: 6592
Modified:
trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_iphash.h
trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_ipporthash.h
trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_iptree.h
trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_nethash.h
trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set.c
trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_iphash.c
trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_ipporthash.c
trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_iptree.c
trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_nethash.c
trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c
trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_set.c
trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_iphash.h
trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_ipporthash.h
trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_iptree.h
trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_nethash.h
trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set.c
trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_iphash.c
trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_ipporthash.c
trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_iptree.c
trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_nethash.c
Log:
The kernel part modifications in ipset-2.2.9.
Modified: trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_iphash.h
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_iphash.h 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_iphash.h 2006-05-08 09:52:48 UTC (rev 6592)
@@ -8,6 +8,7 @@
struct ip_set_iphash {
ip_set_ip_t *members; /* the iphash proper */
+ uint32_t elements; /* number of elements */
uint32_t hashsize; /* hash size */
uint16_t probes; /* max number of probes */
uint16_t resize; /* resize factor in percent */
Modified: trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_ipporthash.h
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_ipporthash.h 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_ipporthash.h 2006-05-08 09:52:48 UTC (rev 6592)
@@ -9,6 +9,7 @@
struct ip_set_ipporthash {
ip_set_ip_t *members; /* the ipporthash proper */
+ uint32_t elements; /* number of elements */
uint32_t hashsize; /* hash size */
uint16_t probes; /* max number of probes */
uint16_t resize; /* resize factor in percent */
Modified: trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_iptree.h
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_iptree.h 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_iptree.h 2006-05-08 09:52:48 UTC (rev 6592)
@@ -22,6 +22,7 @@
unsigned int timeout;
unsigned int gc_interval;
#ifdef __KERNEL__
+ uint32_t elements; /* number of elements */
struct timer_list gc;
struct ip_set_iptreeb *tree[256]; /* ADDR.*.*.* */
#endif
Modified: trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_nethash.h
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_nethash.h 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux/include/linux/netfilter_ipv4/ip_set_nethash.h 2006-05-08 09:52:48 UTC (rev 6592)
@@ -8,6 +8,7 @@
struct ip_set_nethash {
ip_set_ip_t *members; /* the nethash proper */
+ uint32_t elements; /* number of elements */
uint32_t hashsize; /* hash size */
uint16_t probes; /* max number of probes */
uint16_t resize; /* resize factor in percent */
Modified: trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set.c
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set.c 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set.c 2006-05-08 09:52:48 UTC (rev 6592)
@@ -1426,8 +1426,8 @@
struct ip_set_req_create *req_create
= (struct ip_set_req_create *) data;
- if (len <= sizeof(struct ip_set_req_create)) {
- ip_set_printk("short CREATE data (want >%zu, got %u)",
+ if (len < sizeof(struct ip_set_req_create)) {
+ ip_set_printk("short CREATE data (want >=%zu, got %u)",
sizeof(struct ip_set_req_create), len);
res = -EINVAL;
goto done;
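Review bot: Accepting `len == sizeof(struct ip_set_req_create)` on the new line 87 means a CREATE request may now arrive with zero bytes of type-specific data, so the relaxation is safe only if every set type's create() rejects a short remainder itself (`len - sizeof(struct ip_set_req_create)` checked against its own request struct); that code is outside this hunk and worth confirming for each type. The benefit is that the subtraction can no longer run with len below the header size. A comment would make the contract explicit: `/* type data may be empty here; each type's create() validates its own size */`. The enclosing sockopt handler starts and ends outside the hunk.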
@@ -1781,8 +1781,9 @@
req_setnames->size += sizeof(struct ip_set_list)
+ set->type->header_size
+ set->type->list_members_size(set);
+ /* Sets are identified by id in the hash */
FOREACH_HASH_DO(__set_hash_bindings_size_list,
- i, &req_setnames->size);
+ set->id, &req_setnames->size);
break;
}
case IP_SET_OP_SAVE_SIZE: {
@@ -1790,7 +1791,7 @@
+ set->type->header_size
+ set->type->list_members_size(set);
FOREACH_HASH_DO(__set_hash_bindings_size_save,
- i, &req_setnames->size);
+ set->id, &req_setnames->size);
break;
}
default:
Modified: trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_iphash.c
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_iphash.c 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_iphash.c 2006-05-08 09:52:48 UTC (rev 6592)
@@ -26,6 +26,8 @@
#include <linux/netfilter_ipv4/ip_set_iphash.h>
#include <linux/netfilter_ipv4/ip_set_jhash.h>
+static int limit = MAX_RANGE;
+
static inline __u32
jhash_ip(const struct ip_set_iphash *map, uint16_t i, ip_set_ip_t ip)
{
@@ -59,7 +61,7 @@
static inline int
__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
{
- return (hash_id(set, ip, hash_ip) != UINT_MAX);
+ return (ip && hash_id(set, ip, hash_ip) != UINT_MAX);
}
static int
@@ -99,6 +101,9 @@
u_int16_t i;
ip_set_ip_t *elem;
+ if (!ip || map->elements > limit)
+ return -ERANGE;
+
*hash_ip = ip & map->netmask;
for (i = 0; i < map->probes; i++) {
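Review bot: The cap on line 135 is off by one: when `map->elements == limit` the test `map->elements > limit` is false, the insert proceeds and the counter becomes limit + 1, so a set can hold one entry more than the advertised maximum; use `if (!ip || map->elements >= limit)`. The same `> limit` comparison is used in the ipporthash, iptree and nethash add paths of this commit. Note also that `elements` is `uint32_t` while `limit` is `int`, so the comparison is performed unsigned. __addip continues outside the hunk.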
@@ -108,6 +113,7 @@
return -EEXIST;
if (!*elem) {
*elem = *hash_ip;
+ map->elements++;
return 0;
}
}
@@ -184,6 +190,7 @@
return -ENOMEM;
}
tmp->hashsize = hashsize;
+ tmp->elements = 0;
tmp->probes = map->probes;
tmp->resize = map->resize;
tmp->netmask = map->netmask;
@@ -221,14 +228,18 @@
__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
{
struct ip_set_iphash *map = (struct ip_set_iphash *) set->data;
- ip_set_ip_t id = hash_id(set, ip, hash_ip);
- ip_set_ip_t *elem;
+ ip_set_ip_t id, *elem;
+
+ if (!ip)
+ return -ERANGE;
+ id = hash_id(set, ip, hash_ip);
if (id == UINT_MAX)
return -EEXIST;
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
*elem = 0;
+ map->elements--;
return 0;
}
@@ -297,6 +308,7 @@
}
for (i = 0; i < req->probes; i++)
get_random_bytes(((uint32_t *) map->initval)+i, 4);
+ map->elements = 0;
map->hashsize = req->hashsize;
map->probes = req->probes;
map->resize = req->resize;
@@ -326,6 +338,7 @@
{
struct ip_set_iphash *map = (struct ip_set_iphash *) set->data;
harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
+ map->elements = 0;
}
static void list_header(const struct ip_set *set, void *data)
@@ -383,6 +396,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>");
MODULE_DESCRIPTION("iphash type of IP sets");
+MODULE_PARM(limit, "i");
static int __init init(void)
{
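Review bot: `limit` is declared `static int` (line 119) but compared against the `uint32_t` element counter, so a negative value passed at load time — which `MODULE_PARM(limit, "i")` accepts — converts to a large unsigned number and silently removes the cap, while `limit=0` still admits one element. The 2.4 parameter macros have no unsigned type, so validate in init(): `if (limit < 0) return -EINVAL;` (init() begins on line 194 and its body is outside the hunk). A description of the semantics (a per-set maximum, not a module-wide one) would also help; the linux-2.6 copies add one.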
Modified: trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_ipporthash.c
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_ipporthash.c 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_ipporthash.c 2006-05-08 09:52:48 UTC (rev 6592)
@@ -28,6 +28,8 @@
#include <linux/netfilter_ipv4/ip_set_ipporthash.h>
#include <linux/netfilter_ipv4/ip_set_jhash.h>
+static int limit = MAX_RANGE;
+
/* We must handle non-linear skbs */
static inline ip_set_ip_t
get_port(const struct sk_buff *skb, u_int32_t flags)
@@ -176,6 +178,7 @@
return -EEXIST;
if (!*elem) {
*elem = hash_ip;
+ map->elements++;
return 0;
}
}
@@ -187,6 +190,8 @@
__addip(struct ip_set_ipporthash *map, ip_set_ip_t ip, ip_set_ip_t port,
ip_set_ip_t *hash_ip)
{
+ if (map->elements > limit)
+ return -ERANGE;
if (ip < map->first_ip || ip > map->last_ip)
return -ERANGE;
@@ -283,6 +288,7 @@
return -ENOMEM;
}
tmp->hashsize = hashsize;
+ tmp->elements = 0;
tmp->probes = map->probes;
tmp->resize = map->resize;
tmp->first_ip = map->first_ip;
@@ -335,6 +341,7 @@
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
*elem = 0;
+ map->elements--;
return 0;
}
@@ -421,6 +428,7 @@
}
for (i = 0; i < req->probes; i++)
get_random_bytes(((uint32_t *) map->initval)+i, 4);
+ map->elements = 0;
map->hashsize = req->hashsize;
map->probes = req->probes;
map->resize = req->resize;
@@ -451,6 +459,7 @@
{
struct ip_set_ipporthash *map = (struct ip_set_ipporthash *) set->data;
harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
+ map->elements = 0;
}
static void list_header(const struct ip_set *set, void *data)
@@ -509,6 +518,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>");
MODULE_DESCRIPTION("ipporthash type of IP sets");
+MODULE_PARM(limit, "i");
static int __init init(void)
{
Modified: trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_iptree.c
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_iptree.c 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_iptree.c 2006-05-08 09:52:48 UTC (rev 6592)
@@ -22,6 +22,8 @@
#include <linux/netfilter_ipv4/ip_set_iptree.h>
+static int limit = MAX_RANGE;
+
/* Garbage collection interval in seconds: */
#define IPTREE_GC_TIME 5*60
/* Sleep so many milliseconds before trying again
@@ -53,6 +55,9 @@
struct ip_set_iptreec *ctree;
struct ip_set_iptreed *dtree;
unsigned char a,b,c,d;
+
+ if (!ip)
+ return -ERANGE;
*hash_ip = ip;
ABCD(a, b, c, d, hash_ip);
@@ -129,6 +134,11 @@
struct ip_set_iptreed *dtree;
unsigned char a,b,c,d;
int ret = 0;
+
+ if (!ip || map->elements > limit)
+ /* We could call the garbage collector
+ * but it's probably overkill */
+ return -ERANGE;
*hash_ip = ip;
ABCD(a, b, c, d, hash_ip);
@@ -144,6 +154,8 @@
if (dtree->expires[d] == 0)
dtree->expires[d] = 1;
DP("%u %lu", d, dtree->expires[d]);
+ if (ret == 0)
+ map->elements++;
return ret;
}
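Review bot: The increment on lines 295–296 can over-count: if the `-EEXIST` test above the hunk treats an expired-but-not-yet-collected slot as absent and leaves ret at 0, re-adding that address bumps `elements` a second time, and the garbage collector — the only path that decrements for expired slots — will no longer see it as expired and never subtracts it, so the counter drifts upward until the limit check starts rejecting adds. Capture whether the slot was occupied before it is overwritten and count only a genuinely new entry: `int was_set = dtree->expires[d] != 0;` before the assignment and `if (ret == 0 && !was_set) map->elements++;` here. addip starts outside the hunk, so the EEXIST condition I am inferring is not visible in this view.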
@@ -202,6 +214,9 @@
struct ip_set_iptreed *dtree;
unsigned char a,b,c,d;
+ if (!ip)
+ return -ERANGE;
+
*hash_ip = ip;
ABCD(a, b, c, d, hash_ip);
DELIP_WALK(map, a, btree);
@@ -210,6 +225,7 @@
if (dtree->expires[d]) {
dtree->expires[d] = 0;
+ map->elements--;
return 0;
}
return -EEXIST;
@@ -275,9 +291,10 @@
a, b, c, d,
dtree->expires[d], jiffies);
if (map->timeout
- && time_before(dtree->expires[d], jiffies))
+ && time_before(dtree->expires[d], jiffies)) {
dtree->expires[d] = 0;
- else
+ map->elements--;
+ } else
k = 1;
}
}
@@ -358,6 +375,7 @@
}
memset(map, 0, sizeof(*map));
map->timeout = req->timeout;
+ map->elements = 0;
set->data = map;
init_gc_timer(set);
@@ -381,6 +399,7 @@
LOOP_WALK_END;
kmem_cache_free(branch_cachep, btree);
LOOP_WALK_END;
+ map->elements = 0;
}
static void destroy(struct ip_set *set)
@@ -496,6 +515,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>");
MODULE_DESCRIPTION("iptree type of IP sets");
+MODULE_PARM(limit, "i");
static int __init init(void)
{
Modified: trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_nethash.c
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_nethash.c 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux/net/ipv4/netfilter/ip_set_nethash.c 2006-05-08 09:52:48 UTC (rev 6592)
@@ -26,6 +26,8 @@
#include <linux/netfilter_ipv4/ip_set_nethash.h>
#include <linux/netfilter_ipv4/ip_set_jhash.h>
+static int limit = MAX_RANGE;
+
static inline __u32
jhash_ip(const struct ip_set_nethash *map, uint16_t i, ip_set_ip_t ip)
{
@@ -75,13 +77,13 @@
{
struct ip_set_nethash *map = (struct ip_set_nethash *) set->data;
- return (hash_id_cidr(map, ip, cidr, hash_ip) != UINT_MAX);
+ return (ip && hash_id_cidr(map, ip, cidr, hash_ip) != UINT_MAX);
}
static inline int
__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
{
- return (hash_id(set, ip, hash_ip) != UINT_MAX);
+ return (ip && hash_id(set, ip, hash_ip) != UINT_MAX);
}
static int
@@ -129,6 +131,7 @@
return -EEXIST;
if (!*elem) {
*elem = ip;
+ map->elements++;
return 0;
}
}
@@ -140,6 +143,9 @@
__addip(struct ip_set_nethash *map, ip_set_ip_t ip, unsigned char cidr,
ip_set_ip_t *hash_ip)
{
+ if (!ip || map->elements > limit)
+ return -ERANGE;
+
*hash_ip = pack(ip, cidr);
DP("%u.%u.%u.%u/%u, %u.%u.%u.%u", HIPQUAD(ip), cidr, HIPQUAD(*hash_ip));
@@ -247,6 +253,7 @@
return -ENOMEM;
}
tmp->hashsize = hashsize;
+ tmp->elements = 0;
tmp->probes = map->probes;
tmp->resize = map->resize;
memcpy(tmp->initval, map->initval, map->probes * sizeof(uint32_t));
@@ -284,14 +291,18 @@
__delip(struct ip_set_nethash *map, ip_set_ip_t ip, unsigned char cidr,
ip_set_ip_t *hash_ip)
{
- ip_set_ip_t id = hash_id_cidr(map, ip, cidr, hash_ip);
- ip_set_ip_t *elem;
+ ip_set_ip_t id, *elem;
+ if (!ip)
+ return -ERANGE;
+
+ id = hash_id_cidr(map, ip, cidr, hash_ip);
if (id == UINT_MAX)
return -EEXIST;
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
*elem = 0;
+ map->elements--;
return 0;
}
@@ -365,6 +376,7 @@
}
for (i = 0; i < req->probes; i++)
get_random_bytes(((uint32_t *) map->initval)+i, 4);
+ map->elements = 0;
map->hashsize = req->hashsize;
map->probes = req->probes;
map->resize = req->resize;
@@ -395,6 +407,7 @@
struct ip_set_nethash *map = (struct ip_set_nethash *) set->data;
harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
memset(map->cidr, 0, 30 * sizeof(unsigned char));
+ map->elements = 0;
}
static void list_header(const struct ip_set *set, void *data)
@@ -451,6 +464,7 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>");
MODULE_DESCRIPTION("nethash type of IP sets");
+MODULE_PARM(limit, "i");
static int __init init(void)
{
Modified: trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_iphash.h
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_iphash.h 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_iphash.h 2006-05-08 09:52:48 UTC (rev 6592)
@@ -8,6 +8,7 @@
struct ip_set_iphash {
ip_set_ip_t *members; /* the iphash proper */
+ uint32_t elements; /* number of elements */
uint32_t hashsize; /* hash size */
uint16_t probes; /* max number of probes */
uint16_t resize; /* resize factor in percent */
Modified: trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_ipporthash.h
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_ipporthash.h 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_ipporthash.h 2006-05-08 09:52:48 UTC (rev 6592)
@@ -9,6 +9,7 @@
struct ip_set_ipporthash {
ip_set_ip_t *members; /* the ipporthash proper */
+ uint32_t elements; /* number of elements */
uint32_t hashsize; /* hash size */
uint16_t probes; /* max number of probes */
uint16_t resize; /* resize factor in percent */
Modified: trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_iptree.h
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_iptree.h 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_iptree.h 2006-05-08 09:52:48 UTC (rev 6592)
@@ -22,6 +22,7 @@
unsigned int timeout;
unsigned int gc_interval;
#ifdef __KERNEL__
+ uint32_t elements; /* number of elements */
struct timer_list gc;
struct ip_set_iptreeb *tree[256]; /* ADDR.*.*.* */
#endif
Modified: trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_nethash.h
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_nethash.h 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux-2.6/include/linux/netfilter_ipv4/ip_set_nethash.h 2006-05-08 09:52:48 UTC (rev 6592)
@@ -8,6 +8,7 @@
struct ip_set_nethash {
ip_set_ip_t *members; /* the nethash proper */
+ uint32_t elements; /* number of elements */
uint32_t hashsize; /* hash size */
uint16_t probes; /* max number of probes */
uint16_t resize; /* resize factor in percent */
Modified: trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set.c
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set.c 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set.c 2006-05-08 09:52:48 UTC (rev 6592)
@@ -1413,8 +1413,8 @@
struct ip_set_req_create *req_create
= (struct ip_set_req_create *) data;
- if (len <= sizeof(struct ip_set_req_create)) {
- ip_set_printk("short CREATE data (want >%zu, got %u)",
+ if (len < sizeof(struct ip_set_req_create)) {
+ ip_set_printk("short CREATE data (want >=%zu, got %u)",
sizeof(struct ip_set_req_create), len);
res = -EINVAL;
goto done;
@@ -1768,8 +1768,9 @@
req_setnames->size += sizeof(struct ip_set_list)
+ set->type->header_size
+ set->type->list_members_size(set);
+ /* Sets are identified by id in the hash */
FOREACH_HASH_DO(__set_hash_bindings_size_list,
- i, &req_setnames->size);
+ set->id, &req_setnames->size);
break;
}
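Review bot: The `set->id` fix on line 505 corrects which bindings are counted, but the total accumulated in `req_setnames->size` remains only an estimate that a later LIST request is copied against: sets or bindings can be added between the SIZE and LIST calls, so the copy path must bound each write by the buffer length the caller supplies rather than by this value. That path is outside the hunk; worth confirming it fails with an error instead of trusting the earlier size. The `/* Sets are identified by id in the hash */` comment would be equally useful on the SAVE_SIZE case below, which makes the identical change without explanation.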
case IP_SET_OP_SAVE_SIZE: {
@@ -1777,7 +1778,7 @@
+ set->type->header_size
+ set->type->list_members_size(set);
FOREACH_HASH_DO(__set_hash_bindings_size_save,
- i, &req_setnames->size);
+ set->id, &req_setnames->size);
break;
}
default:
Modified: trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_iphash.c
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_iphash.c 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_iphash.c 2006-05-08 09:52:48 UTC (rev 6592)
@@ -25,6 +25,8 @@
#include <linux/netfilter_ipv4/ip_set_iphash.h>
#include <linux/netfilter_ipv4/ip_set_jhash.h>
+static int limit = MAX_RANGE;
+
static inline __u32
jhash_ip(const struct ip_set_iphash *map, uint16_t i, ip_set_ip_t ip)
{
@@ -58,7 +60,7 @@
static inline int
__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
{
- return (hash_id(set, ip, hash_ip) != UINT_MAX);
+ return (ip && hash_id(set, ip, hash_ip) != UINT_MAX);
}
static int
@@ -97,6 +99,9 @@
__u32 probe;
u_int16_t i;
ip_set_ip_t *elem;
+
+ if (!ip || map->elements > limit)
+ return -ERANGE;
*hash_ip = ip & map->netmask;
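Review bot: The limit test on line 543 lets a set grow to limit + 1 entries, because an add performed while `map->elements == limit` passes the `>` comparison and then increments the counter; the intended bound is `if (!ip || map->elements >= limit)`. The ipporthash, iptree and nethash add paths of this commit use the same `>` form and should be corrected together. __addip continues outside the hunk.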
@@ -107,6 +112,7 @@
return -EEXIST;
if (!*elem) {
*elem = *hash_ip;
+ map->elements++;
return 0;
}
}
@@ -183,6 +189,7 @@
return -ENOMEM;
}
tmp->hashsize = hashsize;
+ tmp->elements = 0;
tmp->probes = map->probes;
tmp->resize = map->resize;
tmp->netmask = map->netmask;
@@ -220,14 +227,18 @@
__delip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
{
struct ip_set_iphash *map = (struct ip_set_iphash *) set->data;
- ip_set_ip_t id = hash_id(set, ip, hash_ip);
- ip_set_ip_t *elem;
+ ip_set_ip_t id, *elem;
+ if (!ip)
+ return -ERANGE;
+
+ id = hash_id(set, ip, hash_ip);
if (id == UINT_MAX)
return -EEXIST;
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
*elem = 0;
+ map->elements--;
return 0;
}
@@ -296,6 +307,7 @@
}
for (i = 0; i < req->probes; i++)
get_random_bytes(((uint32_t *) map->initval)+i, 4);
+ map->elements = 0;
map->hashsize = req->hashsize;
map->probes = req->probes;
map->resize = req->resize;
@@ -325,6 +337,7 @@
{
struct ip_set_iphash *map = (struct ip_set_iphash *) set->data;
harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
+ map->elements = 0;
}
static void list_header(const struct ip_set *set, void *data)
@@ -382,6 +395,8 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>");
MODULE_DESCRIPTION("iphash type of IP sets");
+module_param(limit, int, 0600);
+MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
static int __init init(void)
{
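Review bot: `module_param(limit, int, 0600)` exposes a signed parameter that the add path compares with a `uint32_t` counter, so writing `-1` to the root-writable sysfs node converts to 4294967295 and disables the cap, while `0` still permits one element. Declare and register it unsigned: `static unsigned int limit = MAX_RANGE;` and `module_param(limit, uint, 0600);`. The MODULE_PARM_DESC text could also state that the limit applies per set rather than across all sets of the type, which is what the per-map `elements` check on the add path implements.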
Modified: trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_ipporthash.c
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_ipporthash.c 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_ipporthash.c 2006-05-08 09:52:48 UTC (rev 6592)
@@ -27,6 +27,8 @@
#include <linux/netfilter_ipv4/ip_set_ipporthash.h>
#include <linux/netfilter_ipv4/ip_set_jhash.h>
+static int limit = MAX_RANGE;
+
/* We must handle non-linear skbs */
static inline ip_set_ip_t
get_port(const struct sk_buff *skb, u_int32_t flags)
@@ -175,6 +177,7 @@
return -EEXIST;
if (!*elem) {
*elem = hash_ip;
+ map->elements++;
return 0;
}
}
@@ -186,6 +189,8 @@
__addip(struct ip_set_ipporthash *map, ip_set_ip_t ip, ip_set_ip_t port,
ip_set_ip_t *hash_ip)
{
+ if (map->elements > limit)
+ return -ERANGE;
if (ip < map->first_ip || ip > map->last_ip)
return -ERANGE;
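Review bot: Unlike the iphash, nethash and iptree add paths in this commit, this one adds no guard against a zero-valued element, yet `__addip_base` stores `hash_ip` and treats `!*elem` as an empty slot (lines 617–618). If the packing of `(ip - first_ip, port)` performed below the hunk can yield 0 — the first address of the range with port 0 looks like that case — the entry becomes indistinguishable from a free slot: it is reported absent, never counted and cannot be deleted. If that packing is what I infer, reject the value after it is computed: `if (*hash_ip == 0) return -ERANGE;`. __addip continues outside the hunk.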
@@ -282,6 +287,7 @@
return -ENOMEM;
}
tmp->hashsize = hashsize;
+ tmp->elements = 0;
tmp->probes = map->probes;
tmp->resize = map->resize;
tmp->first_ip = map->first_ip;
@@ -334,6 +340,7 @@
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
*elem = 0;
+ map->elements--;
return 0;
}
@@ -420,6 +427,7 @@
}
for (i = 0; i < req->probes; i++)
get_random_bytes(((uint32_t *) map->initval)+i, 4);
+ map->elements = 0;
map->hashsize = req->hashsize;
map->probes = req->probes;
map->resize = req->resize;
@@ -450,6 +458,7 @@
{
struct ip_set_ipporthash *map = (struct ip_set_ipporthash *) set->data;
harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
+ map->elements = 0;
}
static void list_header(const struct ip_set *set, void *data)
@@ -508,6 +517,8 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>");
MODULE_DESCRIPTION("ipporthash type of IP sets");
+module_param(limit, int, 0600);
+MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
static int __init init(void)
{
Modified: trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_iptree.c
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_iptree.c 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_iptree.c 2006-05-08 09:52:48 UTC (rev 6592)
@@ -26,6 +26,8 @@
#include <linux/netfilter_ipv4/ip_set_iptree.h>
+static int limit = MAX_RANGE;
+
/* Garbage collection interval in seconds: */
#define IPTREE_GC_TIME 5*60
/* Sleep so many milliseconds before trying again
@@ -57,6 +59,9 @@
struct ip_set_iptreec *ctree;
struct ip_set_iptreed *dtree;
unsigned char a,b,c,d;
+
+ if (!ip)
+ return -ERANGE;
*hash_ip = ip;
ABCD(a, b, c, d, hash_ip);
@@ -134,6 +139,11 @@
unsigned char a,b,c,d;
int ret = 0;
+ if (!ip || map->elements > limit)
+ /* We could call the garbage collector
+ * but it's probably overkill */
+ return -ERANGE;
+
*hash_ip = ip;
ABCD(a, b, c, d, hash_ip);
DP("%u %u %u %u timeout %u", a, b, c, d, timeout);
@@ -148,6 +158,8 @@
if (dtree->expires[d] == 0)
dtree->expires[d] = 1;
DP("%u %lu", d, dtree->expires[d]);
+ if (ret == 0)
+ map->elements++;
return ret;
}
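Review bot: Counting on `ret == 0` alone (lines 703–704) double-counts a slot that had expired but was not yet swept: if the EEXIST test above the hunk lets such a re-add through with ret still 0, `elements` is incremented for an address that the garbage collector had not yet subtracted, and since the slot is now refreshed the collector never will, so the counter creeps toward `limit`. Record whether the slot was non-zero before the assignment and increment only for a genuinely new entry, e.g. `if (ret == 0 && !was_set) map->elements++;`. addip starts outside the hunk, so the condition that sets ret is not visible here.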
@@ -206,6 +218,9 @@
struct ip_set_iptreed *dtree;
unsigned char a,b,c,d;
+ if (!ip)
+ return -ERANGE;
+
*hash_ip = ip;
ABCD(a, b, c, d, hash_ip);
DELIP_WALK(map, a, btree);
@@ -214,6 +229,7 @@
if (dtree->expires[d]) {
dtree->expires[d] = 0;
+ map->elements--;
return 0;
}
return -EEXIST;
@@ -279,9 +295,10 @@
a, b, c, d,
dtree->expires[d], jiffies);
if (map->timeout
- && time_before(dtree->expires[d], jiffies))
+ && time_before(dtree->expires[d], jiffies)) {
dtree->expires[d] = 0;
- else
+ map->elements--;
+ } else
k = 1;
}
}
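Review bot: `map->elements--` on line 731 now changes shared set state from the garbage-collection timer, which is correct only if this walk runs under the same lock that addip and delip hold when they update `elements`; the lock acquisition is outside the hunk and worth confirming, since a lost update here skews the counter that the limit check depends on. A comment at the decrement would make the requirement visible to the next reader: `/* must run under set->lock: elements is also updated by addip/delip */`. The enclosing gc function starts and ends outside the hunk.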
@@ -362,6 +379,7 @@
}
memset(map, 0, sizeof(*map));
map->timeout = req->timeout;
+ map->elements = 0;
set->data = map;
init_gc_timer(set);
@@ -385,6 +403,7 @@
LOOP_WALK_END;
kmem_cache_free(branch_cachep, btree);
LOOP_WALK_END;
+ map->elements = 0;
}
static void destroy(struct ip_set *set)
@@ -500,6 +519,8 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>");
MODULE_DESCRIPTION("iptree type of IP sets");
+module_param(limit, int, 0600);
+MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
static int __init init(void)
{
Modified: trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_nethash.c
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_nethash.c 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ip_set_nethash.c 2006-05-08 09:52:48 UTC (rev 6592)
@@ -25,6 +25,8 @@
#include <linux/netfilter_ipv4/ip_set_nethash.h>
#include <linux/netfilter_ipv4/ip_set_jhash.h>
+static int limit = MAX_RANGE;
+
static inline __u32
jhash_ip(const struct ip_set_nethash *map, uint16_t i, ip_set_ip_t ip)
{
@@ -74,13 +76,13 @@
{
struct ip_set_nethash *map = (struct ip_set_nethash *) set->data;
- return (hash_id_cidr(map, ip, cidr, hash_ip) != UINT_MAX);
+ return (ip && hash_id_cidr(map, ip, cidr, hash_ip) != UINT_MAX);
}
static inline int
__testip(struct ip_set *set, ip_set_ip_t ip, ip_set_ip_t *hash_ip)
{
- return (hash_id(set, ip, hash_ip) != UINT_MAX);
+ return (ip && hash_id(set, ip, hash_ip) != UINT_MAX);
}
static int
@@ -128,6 +130,7 @@
return -EEXIST;
if (!*elem) {
*elem = ip;
+ map->elements++;
return 0;
}
}
@@ -139,6 +142,9 @@
__addip(struct ip_set_nethash *map, ip_set_ip_t ip, unsigned char cidr,
ip_set_ip_t *hash_ip)
{
+ if (!ip || map->elements > limit)
+ return -ERANGE;
+
*hash_ip = pack(ip, cidr);
DP("%u.%u.%u.%u/%u, %u.%u.%u.%u", HIPQUAD(ip), cidr, HIPQUAD(*hash_ip));
@@ -246,6 +252,7 @@
return -ENOMEM;
}
tmp->hashsize = hashsize;
+ tmp->elements = 0;
tmp->probes = map->probes;
tmp->resize = map->resize;
memcpy(tmp->initval, map->initval, map->probes * sizeof(uint32_t));
@@ -283,14 +290,18 @@
__delip(struct ip_set_nethash *map, ip_set_ip_t ip, unsigned char cidr,
ip_set_ip_t *hash_ip)
{
- ip_set_ip_t id = hash_id_cidr(map, ip, cidr, hash_ip);
- ip_set_ip_t *elem;
+ ip_set_ip_t id, *elem;
+ if (!ip)
+ return -ERANGE;
+
+ id = hash_id_cidr(map, ip, cidr, hash_ip);
if (id == UINT_MAX)
return -EEXIST;
elem = HARRAY_ELEM(map->members, ip_set_ip_t *, id);
*elem = 0;
+ map->elements--;
return 0;
}
@@ -364,6 +375,7 @@
}
for (i = 0; i < req->probes; i++)
get_random_bytes(((uint32_t *) map->initval)+i, 4);
+ map->elements = 0;
map->hashsize = req->hashsize;
map->probes = req->probes;
map->resize = req->resize;
@@ -394,6 +406,7 @@
struct ip_set_nethash *map = (struct ip_set_nethash *) set->data;
harray_flush(map->members, map->hashsize, sizeof(ip_set_ip_t));
memset(map->cidr, 0, 30 * sizeof(unsigned char));
+ map->elements = 0;
}
static void list_header(const struct ip_set *set, void *data)
@@ -450,6 +463,8 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>");
MODULE_DESCRIPTION("nethash type of IP sets");
+module_param(limit, int, 0600);
+MODULE_PARM_DESC(limit, "maximal number of elements stored in the sets");
static int __init init(void)
{
Modified: trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_SET.c 2006-05-08 09:52:48 UTC (rev 6592)
@@ -48,7 +48,7 @@
static int
checkentry(const char *tablename,
- const void *e,
+ const struct ipt_entry *e,
void *targinfo,
unsigned int targinfosize, unsigned int hook_mask)
{
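Review bot: Changing the parameter to `const struct ipt_entry *e` ties this target to the kernel versions whose `struct ipt_target.checkentry` member uses that prototype; on a kernel where the member is `const void *`, storing this function in the target struct produces only an incompatible-pointer-type warning on compilers of this period, so a version mismatch shows up at runtime rather than at build. If both kernel generations are meant to be supported by the patchlet, gate the prototype with a `LINUX_VERSION_CODE` / `KERNEL_VERSION` check. The function body is outside the hunk.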
Modified: trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_set.c
===================================================================
--- trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_set.c 2006-05-08 09:36:40 UTC (rev 6591)
+++ trunk/patch-o-matic-ng/patchlets/set/linux-2.6/net/ipv4/netfilter/ipt_set.c 2006-05-08 09:52:48 UTC (rev 6592)
@@ -34,7 +34,6 @@
const struct net_device *out,
const void *matchinfo,
int offset,
- unsigned int protoff,
int *hotdrop)
{
const struct ipt_set_info_match *info = matchinfo;
@@ -46,7 +45,7 @@
static int
checkentry(const char *tablename,
- const void *ip,
+ const struct ipt_ip *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)