123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384 |
- /*
- * NetLabel Network Address Lists
- *
- * This file contains network address list functions used to manage ordered
- * lists of network addresses for use by the NetLabel subsystem. The NetLabel
- * system manages static and dynamic label mappings for network protocols such
- * as CIPSO and RIPSO.
- *
- * Author: Paul Moore <paul@paul-moore.com>
- *
- */
- /*
- * (c) Copyright Hewlett-Packard Development Company, L.P., 2008
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
- * the GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- *
- */
- #include <linux/types.h>
- #include <linux/rcupdate.h>
- #include <linux/list.h>
- #include <linux/spinlock.h>
- #include <linux/in.h>
- #include <linux/in6.h>
- #include <linux/ip.h>
- #include <linux/ipv6.h>
- #include <net/ip.h>
- #include <net/ipv6.h>
- #include <linux/audit.h>
- #include "netlabel_addrlist.h"
- /*
- * Address List Functions
- */
- /**
- * netlbl_af4list_search - Search for a matching IPv4 address entry
- * @addr: IPv4 address
- * @head: the list head
- *
- * Description:
- * Searches the IPv4 address list given by @head. If a matching address entry
- * is found it is returned, otherwise NULL is returned. The caller is
- * responsible for calling the rcu_read_[un]lock() functions.
- *
- */
- struct netlbl_af4list *netlbl_af4list_search(__be32 addr,
- struct list_head *head)
- {
- struct netlbl_af4list *iter;
- list_for_each_entry_rcu(iter, head, list)
- if (iter->valid && (addr & iter->mask) == iter->addr)
- return iter;
- return NULL;
- }
- /**
- * netlbl_af4list_search_exact - Search for an exact IPv4 address entry
- * @addr: IPv4 address
- * @mask: IPv4 address mask
- * @head: the list head
- *
- * Description:
- * Searches the IPv4 address list given by @head. If an exact match if found
- * it is returned, otherwise NULL is returned. The caller is responsible for
- * calling the rcu_read_[un]lock() functions.
- *
- */
- struct netlbl_af4list *netlbl_af4list_search_exact(__be32 addr,
- __be32 mask,
- struct list_head *head)
- {
- struct netlbl_af4list *iter;
- list_for_each_entry_rcu(iter, head, list)
- if (iter->valid && iter->addr == addr && iter->mask == mask)
- return iter;
- return NULL;
- }
- #if IS_ENABLED(CONFIG_IPV6)
- /**
- * netlbl_af6list_search - Search for a matching IPv6 address entry
- * @addr: IPv6 address
- * @head: the list head
- *
- * Description:
- * Searches the IPv6 address list given by @head. If a matching address entry
- * is found it is returned, otherwise NULL is returned. The caller is
- * responsible for calling the rcu_read_[un]lock() functions.
- *
- */
- struct netlbl_af6list *netlbl_af6list_search(const struct in6_addr *addr,
- struct list_head *head)
- {
- struct netlbl_af6list *iter;
- list_for_each_entry_rcu(iter, head, list)
- if (iter->valid &&
- ipv6_masked_addr_cmp(&iter->addr, &iter->mask, addr) == 0)
- return iter;
- return NULL;
- }
- /**
- * netlbl_af6list_search_exact - Search for an exact IPv6 address entry
- * @addr: IPv6 address
- * @mask: IPv6 address mask
- * @head: the list head
- *
- * Description:
- * Searches the IPv6 address list given by @head. If an exact match if found
- * it is returned, otherwise NULL is returned. The caller is responsible for
- * calling the rcu_read_[un]lock() functions.
- *
- */
- struct netlbl_af6list *netlbl_af6list_search_exact(const struct in6_addr *addr,
- const struct in6_addr *mask,
- struct list_head *head)
- {
- struct netlbl_af6list *iter;
- list_for_each_entry_rcu(iter, head, list)
- if (iter->valid &&
- ipv6_addr_equal(&iter->addr, addr) &&
- ipv6_addr_equal(&iter->mask, mask))
- return iter;
- return NULL;
- }
- #endif /* IPv6 */
- /**
- * netlbl_af4list_add - Add a new IPv4 address entry to a list
- * @entry: address entry
- * @head: the list head
- *
- * Description:
- * Add a new address entry to the list pointed to by @head. On success zero is
- * returned, otherwise a negative value is returned. The caller is responsible
- * for calling the necessary locking functions.
- *
- */
- int netlbl_af4list_add(struct netlbl_af4list *entry, struct list_head *head)
- {
- struct netlbl_af4list *iter;
- iter = netlbl_af4list_search(entry->addr, head);
- if (iter != NULL &&
- iter->addr == entry->addr && iter->mask == entry->mask)
- return -EEXIST;
- /* in order to speed up address searches through the list (the common
- * case) we need to keep the list in order based on the size of the
- * address mask such that the entry with the widest mask (smallest
- * numerical value) appears first in the list */
- list_for_each_entry_rcu(iter, head, list)
- if (iter->valid &&
- ntohl(entry->mask) > ntohl(iter->mask)) {
- __list_add_rcu(&entry->list,
- iter->list.prev,
- &iter->list);
- return 0;
- }
- list_add_tail_rcu(&entry->list, head);
- return 0;
- }
- #if IS_ENABLED(CONFIG_IPV6)
- /**
- * netlbl_af6list_add - Add a new IPv6 address entry to a list
- * @entry: address entry
- * @head: the list head
- *
- * Description:
- * Add a new address entry to the list pointed to by @head. On success zero is
- * returned, otherwise a negative value is returned. The caller is responsible
- * for calling the necessary locking functions.
- *
- */
- int netlbl_af6list_add(struct netlbl_af6list *entry, struct list_head *head)
- {
- struct netlbl_af6list *iter;
- iter = netlbl_af6list_search(&entry->addr, head);
- if (iter != NULL &&
- ipv6_addr_equal(&iter->addr, &entry->addr) &&
- ipv6_addr_equal(&iter->mask, &entry->mask))
- return -EEXIST;
- /* in order to speed up address searches through the list (the common
- * case) we need to keep the list in order based on the size of the
- * address mask such that the entry with the widest mask (smallest
- * numerical value) appears first in the list */
- list_for_each_entry_rcu(iter, head, list)
- if (iter->valid &&
- ipv6_addr_cmp(&entry->mask, &iter->mask) > 0) {
- __list_add_rcu(&entry->list,
- iter->list.prev,
- &iter->list);
- return 0;
- }
- list_add_tail_rcu(&entry->list, head);
- return 0;
- }
- #endif /* IPv6 */
- /**
- * netlbl_af4list_remove_entry - Remove an IPv4 address entry
- * @entry: address entry
- *
- * Description:
- * Remove the specified IP address entry. The caller is responsible for
- * calling the necessary locking functions.
- *
- */
- void netlbl_af4list_remove_entry(struct netlbl_af4list *entry)
- {
- entry->valid = 0;
- list_del_rcu(&entry->list);
- }
- /**
- * netlbl_af4list_remove - Remove an IPv4 address entry
- * @addr: IP address
- * @mask: IP address mask
- * @head: the list head
- *
- * Description:
- * Remove an IP address entry from the list pointed to by @head. Returns the
- * entry on success, NULL on failure. The caller is responsible for calling
- * the necessary locking functions.
- *
- */
- struct netlbl_af4list *netlbl_af4list_remove(__be32 addr, __be32 mask,
- struct list_head *head)
- {
- struct netlbl_af4list *entry;
- entry = netlbl_af4list_search_exact(addr, mask, head);
- if (entry == NULL)
- return NULL;
- netlbl_af4list_remove_entry(entry);
- return entry;
- }
- #if IS_ENABLED(CONFIG_IPV6)
- /**
- * netlbl_af6list_remove_entry - Remove an IPv6 address entry
- * @entry: address entry
- *
- * Description:
- * Remove the specified IP address entry. The caller is responsible for
- * calling the necessary locking functions.
- *
- */
- void netlbl_af6list_remove_entry(struct netlbl_af6list *entry)
- {
- entry->valid = 0;
- list_del_rcu(&entry->list);
- }
- /**
- * netlbl_af6list_remove - Remove an IPv6 address entry
- * @addr: IP address
- * @mask: IP address mask
- * @head: the list head
- *
- * Description:
- * Remove an IP address entry from the list pointed to by @head. Returns the
- * entry on success, NULL on failure. The caller is responsible for calling
- * the necessary locking functions.
- *
- */
- struct netlbl_af6list *netlbl_af6list_remove(const struct in6_addr *addr,
- const struct in6_addr *mask,
- struct list_head *head)
- {
- struct netlbl_af6list *entry;
- entry = netlbl_af6list_search_exact(addr, mask, head);
- if (entry == NULL)
- return NULL;
- netlbl_af6list_remove_entry(entry);
- return entry;
- }
- #endif /* IPv6 */
- /*
- * Audit Helper Functions
- */
- #ifdef CONFIG_AUDIT
- /**
- * netlbl_af4list_audit_addr - Audit an IPv4 address
- * @audit_buf: audit buffer
- * @src: true if source address, false if destination
- * @dev: network interface
- * @addr: IP address
- * @mask: IP address mask
- *
- * Description:
- * Write the IPv4 address and address mask, if necessary, to @audit_buf.
- *
- */
- void netlbl_af4list_audit_addr(struct audit_buffer *audit_buf,
- int src, const char *dev,
- __be32 addr, __be32 mask)
- {
- u32 mask_val = ntohl(mask);
- char *dir = (src ? "src" : "dst");
- if (dev != NULL)
- audit_log_format(audit_buf, " netif=%s", dev);
- audit_log_format(audit_buf, " %s=%pI4", dir, &addr);
- if (mask_val != 0xffffffff) {
- u32 mask_len = 0;
- while (mask_val > 0) {
- mask_val <<= 1;
- mask_len++;
- }
- audit_log_format(audit_buf, " %s_prefixlen=%d", dir, mask_len);
- }
- }
- #if IS_ENABLED(CONFIG_IPV6)
- /**
- * netlbl_af6list_audit_addr - Audit an IPv6 address
- * @audit_buf: audit buffer
- * @src: true if source address, false if destination
- * @dev: network interface
- * @addr: IP address
- * @mask: IP address mask
- *
- * Description:
- * Write the IPv6 address and address mask, if necessary, to @audit_buf.
- *
- */
- void netlbl_af6list_audit_addr(struct audit_buffer *audit_buf,
- int src,
- const char *dev,
- const struct in6_addr *addr,
- const struct in6_addr *mask)
- {
- char *dir = (src ? "src" : "dst");
- if (dev != NULL)
- audit_log_format(audit_buf, " netif=%s", dev);
- audit_log_format(audit_buf, " %s=%pI6", dir, addr);
- if (ntohl(mask->s6_addr32[3]) != 0xffffffff) {
- u32 mask_len = 0;
- u32 mask_val;
- int iter = -1;
- while (ntohl(mask->s6_addr32[++iter]) == 0xffffffff)
- mask_len += 32;
- mask_val = ntohl(mask->s6_addr32[iter]);
- while (mask_val > 0) {
- mask_val <<= 1;
- mask_len++;
- }
- audit_log_format(audit_buf, " %s_prefixlen=%d", dir, mask_len);
- }
- }
- #endif /* IPv6 */
- #endif /* CONFIG_AUDIT */
|