Re: [PATCH v2] netfilter: ipset: refactor hash types to use address/cidr arrays.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Oliver,

On Tue, 3 Sep 2013, Oliver wrote:

> From: Oliver Smith <oliver@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> 
> We now use an array in the structs for hash types so that they can be
> arbitrarily expanded to situate as many ip/cidr values as required.
> 
> The primary purpose of this change is in preparation for the
> hash:net,net ipset type, it otherwise carries no change in
> functionality. As an aside, small comparison optimisations could
> additionally be made in the future by making a union from the compared
> types that encompasses them (such as bundling together cidr values).
> 
> Signed-off-by: Oliver Smith <oliver@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> ---
>  kernel/net/netfilter/ipset/ip_set_hash_gen.h       |  90 +++++++++++--------
>  kernel/net/netfilter/ipset/ip_set_hash_ipportnet.c | 100 ++++++++++-----------
>  kernel/net/netfilter/ipset/ip_set_hash_net.c       |  78 ++++++++--------
>  kernel/net/netfilter/ipset/ip_set_hash_netiface.c  |  88 +++++++++---------
>  kernel/net/netfilter/ipset/ip_set_hash_netport.c   |  74 +++++++--------
>  5 files changed, 220 insertions(+), 210 deletions(-)
> 
> diff --git a/kernel/net/netfilter/ipset/ip_set_hash_gen.h b/kernel/net/netfilter/ipset/ip_set_hash_gen.h
> index cb6bba2..dff6295 100644
> --- a/kernel/net/netfilter/ipset/ip_set_hash_gen.h
> +++ b/kernel/net/netfilter/ipset/ip_set_hash_gen.h
> @@ -37,6 +37,10 @@
>  /* Max number of elements to store in an array block */
>  #define AHASH_MAX_SIZE			(3*AHASH_INIT_SIZE)
>  
> +#ifndef IPSET_NET_COUNT
> +#define IPSET_NET_COUNT		1
> +#endif
> +
>  /* Max number of elements can be tuned */
>  #ifdef IP_SET_HASH_WITH_MULTI
>  #define AHASH_MAX(h)			((h)->ahash_max)
> @@ -79,8 +83,8 @@ struct htable {
>  
>  /* Book-keeping of the prefixes added to the set */
>  struct net_prefixes {
> -	u8 cidr;		/* the different cidr values in the set */
> -	u32 nets;		/* number of elements per cidr */
> +	u8 cidr[IPSET_NET_COUNT];	/* cidr values in the set */
> +	u32 nets[IPSET_NET_COUNT];	/* number of elements per cidr */
>  };
>  
>  /* Compute the hash table size */
> @@ -296,46 +300,51 @@ struct htype {
>  /* Network cidr size book keeping when the hash stores different
>   * sized networks */
>  static void
> -mtype_add_cidr(struct htype *h, u8 cidr, u8 nets_length)
> +mtype_add_cidr(struct htype *h, const u8 cidr[], u8 nets_length)

I do remember you asked it and I confused you: no, the hash types need not 
be changed for this (see below), mtype_add_cidr requires just a new arg as 
to which member of the cidr/net array of struct htype to be updated.

>  {
>  	int i, j;
> +	u8 x;
>  
> -	/* Add in increasing prefix order, so larger cidr first */
> -	for (i = 0, j = -1; i < nets_length && h->nets[i].nets; i++) {
> -		if (j != -1)
> -			continue;
> -		else if (h->nets[i].cidr < cidr)
> -			j = i;
> -		else if (h->nets[i].cidr == cidr) {
> -			h->nets[i].nets++;
> -			return;
> +	for (x = 0; x < IPSET_NET_COUNT; x++) {
> +		/* Add in increasing prefix order, so larger cidr first */
> +		for (i = 0, j = -1; i < nets_length && h->nets[i].nets[x]; i++) {
> +			if (j != -1)
> +				continue;
> +			else if (h->nets[i].cidr[x] < CIDR(cidr[x]))
> +				j = i;
> +			else if (h->nets[i].cidr[x] == CIDR(cidr[x])) {
> +				h->nets[i].nets[x]++;
> +				goto next;
> +			}
>  		}
> -	}
> -	if (j != -1) {
> -		for (; i > j; i--) {
> -			h->nets[i].cidr = h->nets[i - 1].cidr;
> -			h->nets[i].nets = h->nets[i - 1].nets;
> +		if (j != -1) {
> +			for (; i > j; i--) {
> +				h->nets[i].cidr[x] = h->nets[i - 1].cidr[x];
> +				h->nets[i].nets[x] = h->nets[i - 1].nets[x];
> +			}
>  		}
> +		h->nets[i].cidr[x] = CIDR(cidr[x]);
> +		h->nets[i].nets[x] = 1;
> +next:		;
>  	}
> -	h->nets[i].cidr = cidr;
> -	h->nets[i].nets = 1;
>  }
>  
>  static void
> -mtype_del_cidr(struct htype *h, u8 cidr, u8 nets_length)
> +mtype_del_cidr(struct htype *h, const u8 cidr[], u8 nets_length)
>  {
> -	u8 i, j;
> -
> -	for (i = 0; i < nets_length - 1 && h->nets[i].cidr != cidr; i++)
> -		;
> -	h->nets[i].nets--;
> +	u8 i, j, x;
> +	for (x = 0; x < IPSET_NET_COUNT; x++) {
> +		for (i = 0; i < nets_length - 1 && h->nets[i].cidr[x] != CIDR(cidr[x]); i++)
> +			;
> +		h->nets[i].nets[x]--;
>  
> -	if (h->nets[i].nets != 0)
> -		return;
> +		if (h->nets[i].nets[x] != 0)
> +			continue;
>  
> -	for (j = i; j < nets_length - 1 && h->nets[j].nets; j++) {
> -		h->nets[j].cidr = h->nets[j + 1].cidr;
> -		h->nets[j].nets = h->nets[j + 1].nets;
> +		for (j = i; j < nets_length - 1 && h->nets[j].nets[x]; j++) {
> +			h->nets[j].cidr[x] = h->nets[j + 1].cidr[x];
> +			h->nets[j].nets[x] = h->nets[j + 1].nets[x];
> +		}
>  	}
>  }
>  #endif
> @@ -454,8 +463,7 @@ mtype_expire(struct htype *h, u8 nets_length, size_t dsize)
>  			if (ip_set_timeout_expired(ext_timeout(data, h))) {
>  				pr_debug("expired %u/%u\n", i, j);
>  #ifdef IP_SET_HASH_WITH_NETS
> -				mtype_del_cidr(h, CIDR(data->cidr),
> -					       nets_length);
> +				mtype_del_cidr(h, data->cidr, nets_length);
>  #endif
>  				if (j != n->pos - 1)
>  					/* Not last one */
> @@ -641,8 +649,8 @@ reuse_slot:
>  		/* Fill out reused slot */
>  		data = ahash_data(n, j, h->dsize);
>  #ifdef IP_SET_HASH_WITH_NETS
> -		mtype_del_cidr(h, CIDR(data->cidr), NETS_LENGTH(set->family));
> -		mtype_add_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
> +		mtype_del_cidr(h, data->cidr, NETS_LENGTH(set->family));
> +		mtype_add_cidr(h, d->cidr, NETS_LENGTH(set->family));
>  #endif
>  	} else {
>  		/* Use/create a new slot */
> @@ -655,7 +663,7 @@ reuse_slot:
>  		}
>  		data = ahash_data(n, n->pos++, h->dsize);
>  #ifdef IP_SET_HASH_WITH_NETS
> -		mtype_add_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
> +		mtype_add_cidr(h, d->cidr, NETS_LENGTH(set->family));
>  #endif
>  		h->elements++;
>  	}
> @@ -707,7 +715,7 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
>  		n->pos--;
>  		h->elements--;
>  #ifdef IP_SET_HASH_WITH_NETS
> -		mtype_del_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
> +		mtype_del_cidr(h, d->cidr, NETS_LENGTH(set->family));
>  #endif
>  		if (n->pos + AHASH_INIT_SIZE < n->size) {
>  			void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
> @@ -759,8 +767,8 @@ mtype_test_cidrs(struct ip_set *set, struct mtype_elem *d,
>  	u8 nets_length = NETS_LENGTH(set->family);
>  
>  	pr_debug("test by nets\n");
> -	for (; j < nets_length && h->nets[j].nets && !multi; j++) {
> -		mtype_data_netmask(d, h->nets[j].cidr);
> +	for (; j < nets_length && h->nets[j].nets[0] && !multi; j++) {
> +		mtype_data_netmask(d, h->nets[j].cidr[0]);
>  		key = HKEY(d, h->initval, t->htable_bits);
>  		n = hbucket(t, key);
>  		for (i = 0; i < n->pos; i++) {
> @@ -803,7 +811,11 @@ mtype_test(struct ip_set *set, void *value, const struct ip_set_ext *ext,
>  #ifdef IP_SET_HASH_WITH_NETS
>  	/* If we test an IP address and not a network address,
>  	 * try all possible network sizes */
> -	if (CIDR(d->cidr) == SET_HOST_MASK(set->family)) {
> +	for (i = 0; i < IPSET_NET_COUNT; i++) {
> +		if (CIDR(d->cidr[i]) != SET_HOST_MASK(set->family))
> +			break;
> +	}
> +	if (i == IPSET_NET_COUNT) {
>  		ret = mtype_test_cidrs(set, d, ext, mext, flags);
>  		goto out;
>  	}
> diff --git a/kernel/net/netfilter/ipset/ip_set_hash_ipportnet.c b/kernel/net/netfilter/ipset/ip_set_hash_ipportnet.c
> index 02ed91e..69e014f 100644
> --- a/kernel/net/netfilter/ipset/ip_set_hash_ipportnet.c
> +++ b/kernel/net/netfilter/ipset/ip_set_hash_ipportnet.c
> @@ -50,10 +50,9 @@ MODULE_ALIAS("ip_set_hash:ip,port,net");
>  
>  /* Member elements */
>  struct hash_ipportnet4_elem {
> -	__be32 ip;
> -	__be32 ip2;
> +	__be32 ip[2];
>  	__be16 port;
> -	u8 cidr:7;
> +	u8 cidr[1];
>  	u8 nomatch:1;
>  	u8 proto;
>  } __attribute__((aligned(sizeof(void*))));

Don't change the cidr to array in the member elemets: that way the 
structure is enlarged unnecessary. This is the confusion I caused, sorry.

Best regards,
Jozsef

> @@ -65,9 +64,9 @@ hash_ipportnet4_data_equal(const struct hash_ipportnet4_elem *ip1,
>  			   const struct hash_ipportnet4_elem *ip2,
>  			   u32 *multi)
>  {
> -	return ip1->ip == ip2->ip &&
> -	       ip1->ip2 == ip2->ip2 &&
> -	       ip1->cidr == ip2->cidr &&
> +	return ip1->ip[0] == ip2->ip[0] &&
> +	       ip1->ip[1] == ip2->ip[1] &&
> +	       ip1->cidr[0] == ip2->cidr[0] &&
>  	       ip1->port == ip2->port &&
>  	       ip1->proto == ip2->proto;
>  }
> @@ -93,8 +92,8 @@ hash_ipportnet4_data_reset_flags(struct hash_ipportnet4_elem *elem, u8 *flags)
>  static inline void
>  hash_ipportnet4_data_netmask(struct hash_ipportnet4_elem *elem, u8 cidr)
>  {
> -	elem->ip2 &= ip_set_netmask(cidr);
> -	elem->cidr = cidr - 1;
> +	elem->ip[0] &= ip_set_netmask(cidr);
> +	elem->cidr[0] = cidr - 1;
>  }
>  
>  static bool
> @@ -103,10 +102,10 @@ hash_ipportnet4_data_list(struct sk_buff *skb,
>  {
>  	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
>  
> -	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
> -	    nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip2) ||
> +	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip[0]) ||
> +	    nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip[1]) ||
>  	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
> -	    nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr + 1) ||
> +	    nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr[0] + 1) ||
>  	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
>  	    (flags &&
>  	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
> @@ -121,9 +120,9 @@ static inline void
>  hash_ipportnet4_data_next(struct hash_ipportnet4_elem *next,
>  			  const struct hash_ipportnet4_elem *d)
>  {
> -	next->ip = d->ip;
> +	next->ip[0] = d->ip[0];
>  	next->port = d->port;
> -	next->ip2 = d->ip2;
> +	next->ip[1] = d->ip[1];
>  }
>  
>  #define MTYPE		hash_ipportnet4
> @@ -139,20 +138,20 @@ hash_ipportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
>  	const struct hash_ipportnet *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
>  	struct hash_ipportnet4_elem e = {
> -		.cidr = h->nets[0].cidr ? h->nets[0].cidr - 1 : HOST_MASK - 1
> +		.cidr[0] = h->nets[0].cidr[0] ? h->nets[0].cidr[0] - 1 : HOST_MASK - 1
>  	};
>  	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, h);
>  
>  	if (adt == IPSET_TEST)
> -		e.cidr = HOST_MASK - 1;
> +		e.cidr[0] = HOST_MASK - 1;
>  
>  	if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
>  				 &e.port, &e.proto))
>  		return -EINVAL;
>  
> -	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip);
> -	ip4addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &e.ip2);
> -	e.ip2 &= ip_set_netmask(e.cidr + 1);
> +	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0]);
> +	ip4addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &e.ip[1]);
> +	e.ip[1] &= ip_set_netmask(e.cidr[0] + 1);
>  
>  	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
>  }
> @@ -163,7 +162,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
>  {
>  	const struct hash_ipportnet *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
> -	struct hash_ipportnet4_elem e = { .cidr = HOST_MASK - 1 };
> +	struct hash_ipportnet4_elem e = { .cidr[0] = HOST_MASK - 1 };
>  	struct ip_set_ext ext = IP_SET_INIT_UEXT(h);
>  	u32 ip = 0, ip_to = 0, p = 0, port, port_to;
>  	u32 ip2_from = 0, ip2_to = 0, ip2_last, ip2;
> @@ -196,7 +195,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
>  		cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
>  		if (!cidr || cidr > HOST_MASK)
>  			return -IPSET_ERR_INVALID_CIDR;
> -		e.cidr = cidr - 1;
> +		e.cidr[0] = cidr - 1;
>  	}
>  
>  	if (tb[IPSET_ATTR_PORT])
> @@ -226,8 +225,8 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
>  	if (adt == IPSET_TEST ||
>  	    !(tb[IPSET_ATTR_CIDR] || tb[IPSET_ATTR_IP_TO] || with_ports ||
>  	      tb[IPSET_ATTR_IP2_TO])) {
> -		e.ip = htonl(ip);
> -		e.ip2 = htonl(ip2_from & ip_set_hostmask(e.cidr + 1));
> +		e.ip[0] = htonl(ip);
> +		e.ip[1] = htonl(ip2_from & ip_set_hostmask(e.cidr[0] + 1));
>  		ret = adtfn(set, &e, &ext, &ext, flags);
>  		return ip_set_enomatch(ret, flags, adt, set) ? -ret :
>  		       ip_set_eexist(ret, flags) ? 0 : ret;
> @@ -265,25 +264,25 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
>  		if (ip2_from + UINT_MAX == ip2_to)
>  			return -IPSET_ERR_HASH_RANGE;
>  	} else
> -		ip_set_mask_from_to(ip2_from, ip2_to, e.cidr + 1);
> +		ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[0] + 1);
>  
>  	if (retried)
> -		ip = ntohl(h->next.ip);
> +		ip = ntohl(h->next.ip[0]);
>  	for (; !before(ip_to, ip); ip++) {
> -		e.ip = htonl(ip);
> -		p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
> +		e.ip[0] = htonl(ip);
> +		p = retried && ip == ntohl(h->next.ip[0]) ? ntohs(h->next.port)
>  						       : port;
>  		for (; p <= port_to; p++) {
>  			e.port = htons(p);
>  			ip2 = retried
> -			      && ip == ntohl(h->next.ip)
> +			      && ip == ntohl(h->next.ip[0])
>  			      && p == ntohs(h->next.port)
> -				? ntohl(h->next.ip2) : ip2_from;
> +				? ntohl(h->next.ip[1]) : ip2_from;
>  			while (!after(ip2, ip2_to)) {
> -				e.ip2 = htonl(ip2);
> +				e.ip[1] = htonl(ip2);
>  				ip2_last = ip_set_range_to_cidr(ip2, ip2_to,
>  								&cidr);
> -				e.cidr = cidr - 1;
> +				e.cidr[0] = cidr - 1;
>  				ret = adtfn(set, &e, &ext, &ext, flags);
>  
>  				if (ret && !ip_set_eexist(ret, flags))
> @@ -300,10 +299,9 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
>  /* IPv6 variants */
>  
>  struct hash_ipportnet6_elem {
> -	union nf_inet_addr ip;
> -	union nf_inet_addr ip2;
> +	union nf_inet_addr ip[2];
>  	__be16 port;
> -	u8 cidr:7;
> +	u8 cidr[1];
>  	u8 nomatch:1;
>  	u8 proto;
>  } __attribute__((aligned(sizeof(void*))));
> @@ -315,9 +313,9 @@ hash_ipportnet6_data_equal(const struct hash_ipportnet6_elem *ip1,
>  			   const struct hash_ipportnet6_elem *ip2,
>  			   u32 *multi)
>  {
> -	return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6) &&
> -	       ipv6_addr_equal(&ip1->ip2.in6, &ip2->ip2.in6) &&
> -	       ip1->cidr == ip2->cidr &&
> +	return ipv6_addr_equal(&ip1->ip[0].in6, &ip2->ip[0].in6) &&
> +	       ipv6_addr_equal(&ip1->ip[1].in6, &ip2->ip[1].in6) &&
> +	       ip1->cidr[0] == ip2->cidr[0] &&
>  	       ip1->port == ip2->port &&
>  	       ip1->proto == ip2->proto;
>  }
> @@ -343,8 +341,8 @@ hash_ipportnet6_data_reset_flags(struct hash_ipportnet6_elem *elem, u8 *flags)
>  static inline void
>  hash_ipportnet6_data_netmask(struct hash_ipportnet6_elem *elem, u8 cidr)
>  {
> -	ip6_netmask(&elem->ip2, cidr);
> -	elem->cidr = cidr - 1;
> +	ip6_netmask(&elem->ip[1], cidr);
> +	elem->cidr[0] = cidr - 1;
>  }
>  
>  static bool
> @@ -353,10 +351,10 @@ hash_ipportnet6_data_list(struct sk_buff *skb,
>  {
>  	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
>  
> -	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
> -	    nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip2.in6) ||
> +	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip[0].in6) ||
> +	    nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip[1].in6) ||
>  	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
> -	    nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr + 1) ||
> +	    nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr[0] + 1) ||
>  	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
>  	    (flags &&
>  	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
> @@ -392,20 +390,20 @@ hash_ipportnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
>  	const struct hash_ipportnet *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
>  	struct hash_ipportnet6_elem e = {
> -		.cidr = h->nets[0].cidr ? h->nets[0].cidr - 1 : HOST_MASK - 1
> +		.cidr[0] = h->nets[0].cidr[0] ? h->nets[0].cidr[0] - 1 : HOST_MASK - 1
>  	};
>  	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, h);
>  
>  	if (adt == IPSET_TEST)
> -		e.cidr = HOST_MASK - 1;
> +		e.cidr[0] = HOST_MASK - 1;
>  
>  	if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
>  				 &e.port, &e.proto))
>  		return -EINVAL;
>  
> -	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6);
> -	ip6addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &e.ip2.in6);
> -	ip6_netmask(&e.ip2, e.cidr + 1);
> +	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0].in6);
> +	ip6addrptr(skb, opt->flags & IPSET_DIM_THREE_SRC, &e.ip[1].in6);
> +	ip6_netmask(&e.ip[1], e.cidr[0] + 1);
>  
>  	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
>  }
> @@ -416,7 +414,7 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
>  {
>  	const struct hash_ipportnet *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
> -	struct hash_ipportnet6_elem e = { .cidr = HOST_MASK - 1 };
> +	struct hash_ipportnet6_elem e = { .cidr[0] = HOST_MASK - 1 };
>  	struct ip_set_ext ext = IP_SET_INIT_UEXT(h);
>  	u32 port, port_to;
>  	bool with_ports = false;
> @@ -439,12 +437,12 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
>  	if (tb[IPSET_ATTR_LINENO])
>  		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
>  
> -	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
> +	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]) ||
>  	      ip_set_get_extensions(set, tb, &ext);
>  	if (ret)
>  		return ret;
>  
> -	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &e.ip2);
> +	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &e.ip[1]);
>  	if (ret)
>  		return ret;
>  
> @@ -452,10 +450,10 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
>  		cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
>  		if (!cidr || cidr > HOST_MASK)
>  			return -IPSET_ERR_INVALID_CIDR;
> -		e.cidr = cidr - 1;
> +		e.cidr[0] = cidr - 1;
>  	}
>  
> -	ip6_netmask(&e.ip2, e.cidr + 1);
> +	ip6_netmask(&e.ip[1], e.cidr[0] + 1);
>  
>  	if (tb[IPSET_ATTR_PORT])
>  		e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
> diff --git a/kernel/net/netfilter/ipset/ip_set_hash_net.c b/kernel/net/netfilter/ipset/ip_set_hash_net.c
> index 3d2ea5d..adbbca5 100644
> --- a/kernel/net/netfilter/ipset/ip_set_hash_net.c
> +++ b/kernel/net/netfilter/ipset/ip_set_hash_net.c
> @@ -40,10 +40,10 @@ MODULE_ALIAS("ip_set_hash:net");
>  
>  /* Member elements  */
>  struct hash_net4_elem {
> -	__be32 ip;
> +	__be32 ip[1];
>  	u16 padding0;
>  	u8 nomatch;
> -	u8 cidr;
> +	u8 cidr[1];
>  } __attribute__((aligned(sizeof(void*))));
>  
>  /* Common functions */
> @@ -53,8 +53,8 @@ hash_net4_data_equal(const struct hash_net4_elem *ip1,
>  		     const struct hash_net4_elem *ip2,
>  		     u32 *multi)
>  {
> -	return ip1->ip == ip2->ip &&
> -	       ip1->cidr == ip2->cidr;
> +	return ip1->ip[0] == ip2->ip[0] &&
> +	       ip1->cidr[0] == ip2->cidr[0];
>  }
>  
>  static inline int
> @@ -78,8 +78,8 @@ hash_net4_data_reset_flags(struct hash_net4_elem *elem, u8 *flags)
>  static inline void
>  hash_net4_data_netmask(struct hash_net4_elem *elem, u8 cidr)
>  {
> -	elem->ip &= ip_set_netmask(cidr);
> -	elem->cidr = cidr;
> +	elem->ip[0] &= ip_set_netmask(cidr);
> +	elem->cidr[0] = cidr;
>  }
>  
>  static bool
> @@ -87,8 +87,8 @@ hash_net4_data_list(struct sk_buff *skb, const struct hash_net4_elem *data)
>  {
>  	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
>  
> -	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
> -	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
> +	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip[0]) ||
> +	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0]) ||
>  	    (flags &&
>  	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
>  		goto nla_put_failure;
> @@ -102,7 +102,7 @@ static inline void
>  hash_net4_data_next(struct hash_net4_elem *next,
>  		    const struct hash_net4_elem *d)
>  {
> -	next->ip = d->ip;
> +	next->ip[0] = d->ip[0];
>  }
>  
>  #define MTYPE		hash_net4
> @@ -118,17 +118,17 @@ hash_net4_kadt(struct ip_set *set, const struct sk_buff *skb,
>  	const struct hash_net *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
>  	struct hash_net4_elem e = {
> -		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
> +		.cidr[0] = h->nets[0].cidr[0] ? h->nets[0].cidr[0] : HOST_MASK
>  	};
>  	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, h);
>  
> -	if (e.cidr == 0)
> +	if (e.cidr[0] == 0)
>  		return -EINVAL;
>  	if (adt == IPSET_TEST)
> -		e.cidr = HOST_MASK;
> +		e.cidr[0] = HOST_MASK;
>  
> -	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip);
> -	e.ip &= ip_set_netmask(e.cidr);
> +	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0]);
> +	e.ip[0] &= ip_set_netmask(e.cidr[0]);
>  
>  	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
>  }
> @@ -139,7 +139,7 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
>  {
>  	const struct hash_net *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
> -	struct hash_net4_elem e = { .cidr = HOST_MASK };
> +	struct hash_net4_elem e = { .cidr[0] = HOST_MASK };
>  	struct ip_set_ext ext = IP_SET_INIT_UEXT(h);
>  	u32 ip = 0, ip_to = 0, last;
>  	int ret;
> @@ -160,8 +160,8 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
>  		return ret;
>  
>  	if (tb[IPSET_ATTR_CIDR]) {
> -		e.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
> -		if (!e.cidr || e.cidr > HOST_MASK)
> +		e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
> +		if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
>  			return -IPSET_ERR_INVALID_CIDR;
>  	}
>  
> @@ -172,7 +172,7 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
>  	}
>  
>  	if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
> -		e.ip = htonl(ip & ip_set_hostmask(e.cidr));
> +		e.ip[0] = htonl(ip & ip_set_hostmask(e.cidr[0]));
>  		ret = adtfn(set, &e, &ext, &ext, flags);
>  		return ip_set_enomatch(ret, flags, adt, set) ? -ret:
>  		       ip_set_eexist(ret, flags) ? 0 : ret;
> @@ -189,10 +189,10 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
>  			return -IPSET_ERR_HASH_RANGE;
>  	}
>  	if (retried)
> -		ip = ntohl(h->next.ip);
> +		ip = ntohl(h->next.ip[0]);
>  	while (!after(ip, ip_to)) {
> -		e.ip = htonl(ip);
> -		last = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
> +		e.ip[0] = htonl(ip);
> +		last = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
>  		ret = adtfn(set, &e, &ext, &ext, flags);
>  		if (ret && !ip_set_eexist(ret, flags))
>  			return ret;
> @@ -206,10 +206,10 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
>  /* IPv6 variants */
>  
>  struct hash_net6_elem {
> -	union nf_inet_addr ip;
> +	union nf_inet_addr ip[1];
>  	u16 padding0;
>  	u8 nomatch;
> -	u8 cidr;
> +	u8 cidr[1];
>  } __attribute__((aligned(sizeof(void*))));
>  
>  /* Common functions */
> @@ -219,8 +219,8 @@ hash_net6_data_equal(const struct hash_net6_elem *ip1,
>  		     const struct hash_net6_elem *ip2,
>  		     u32 *multi)
>  {
> -	return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6) &&
> -	       ip1->cidr == ip2->cidr;
> +	return ipv6_addr_equal(&ip1->ip[0].in6, &ip2->ip[0].in6) &&
> +	       ip1->cidr[0] == ip2->cidr[0];
>  }
>  
>  static inline int
> @@ -244,8 +244,8 @@ hash_net6_data_reset_flags(struct hash_net6_elem *elem, u8 *flags)
>  static inline void
>  hash_net6_data_netmask(struct hash_net6_elem *elem, u8 cidr)
>  {
> -	ip6_netmask(&elem->ip, cidr);
> -	elem->cidr = cidr;
> +	ip6_netmask(&elem->ip[0], cidr);
> +	elem->cidr[0] = cidr;
>  }
>  
>  static bool
> @@ -253,8 +253,8 @@ hash_net6_data_list(struct sk_buff *skb, const struct hash_net6_elem *data)
>  {
>  	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
>  
> -	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
> -	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
> +	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip[0].in6) ||
> +	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0]) ||
>  	    (flags &&
>  	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
>  		goto nla_put_failure;
> @@ -288,17 +288,17 @@ hash_net6_kadt(struct ip_set *set, const struct sk_buff *skb,
>  	const struct hash_net *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
>  	struct hash_net6_elem e = {
> -		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
> +		.cidr[0] = h->nets[0].cidr[0] ? h->nets[0].cidr[0] : HOST_MASK
>  	};
>  	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, h);
>  
> -	if (e.cidr == 0)
> +	if (e.cidr[0] == 0)
>  		return -EINVAL;
>  	if (adt == IPSET_TEST)
> -		e.cidr = HOST_MASK;
> +		e.cidr[0] = HOST_MASK;
>  
> -	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6);
> -	ip6_netmask(&e.ip, e.cidr);
> +	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0].in6);
> +	ip6_netmask(&e.ip[0], e.cidr[0]);
>  
>  	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
>  }
> @@ -309,7 +309,7 @@ hash_net6_uadt(struct ip_set *set, struct nlattr *tb[],
>  {
>  	const struct hash_net *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
> -	struct hash_net6_elem e = { .cidr = HOST_MASK };
> +	struct hash_net6_elem e = { .cidr[0] = HOST_MASK };
>  	struct ip_set_ext ext = IP_SET_INIT_UEXT(h);
>  	int ret;
>  
> @@ -325,18 +325,18 @@ hash_net6_uadt(struct ip_set *set, struct nlattr *tb[],
>  	if (tb[IPSET_ATTR_LINENO])
>  		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
>  
> -	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
> +	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]) ||
>  	      ip_set_get_extensions(set, tb, &ext);
>  	if (ret)
>  		return ret;
>  
>  	if (tb[IPSET_ATTR_CIDR])
> -		e.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
> +		e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
>  
> -	if (!e.cidr || e.cidr > HOST_MASK)
> +	if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
>  		return -IPSET_ERR_INVALID_CIDR;
>  
> -	ip6_netmask(&e.ip, e.cidr);
> +	ip6_netmask(&e.ip[0], e.cidr[0]);
>  
>  	if (tb[IPSET_ATTR_CADT_FLAGS]) {
>  		u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
> diff --git a/kernel/net/netfilter/ipset/ip_set_hash_netiface.c b/kernel/net/netfilter/ipset/ip_set_hash_netiface.c
> index 06cc27b..d41fba1 100644
> --- a/kernel/net/netfilter/ipset/ip_set_hash_netiface.c
> +++ b/kernel/net/netfilter/ipset/ip_set_hash_netiface.c
> @@ -137,17 +137,17 @@ iface_add(struct rb_root *root, const char **iface)
>  /* IPv4 variants */
>  
>  struct hash_netiface4_elem_hashed {
> -	__be32 ip;
> +	__be32 ip[1];
>  	u8 physdev;
> -	u8 cidr;
> +	u8 cidr[1];
>  	u8 nomatch;
>  	u8 elem;
>  };
>  
>  struct hash_netiface4_elem {
> -	__be32 ip;
> +	__be32 ip[1];
>  	u8 physdev;
> -	u8 cidr;
> +	u8 cidr[1];
>  	u8 nomatch;
>  	u8 elem;
>  	const char *iface;
> @@ -160,8 +160,8 @@ hash_netiface4_data_equal(const struct hash_netiface4_elem *ip1,
>  			  const struct hash_netiface4_elem *ip2,
>  			  u32 *multi)
>  {
> -	return ip1->ip == ip2->ip &&
> -	       ip1->cidr == ip2->cidr &&
> +	return ip1->ip[0] == ip2->ip[0] &&
> +	       ip1->cidr[0] == ip2->cidr[0] &&
>  	       (++*multi) &&
>  	       ip1->physdev == ip2->physdev &&
>  	       ip1->iface == ip2->iface;
> @@ -188,8 +188,8 @@ hash_netiface4_data_reset_flags(struct hash_netiface4_elem *elem, u8 *flags)
>  static inline void
>  hash_netiface4_data_netmask(struct hash_netiface4_elem *elem, u8 cidr)
>  {
> -	elem->ip &= ip_set_netmask(cidr);
> -	elem->cidr = cidr;
> +	elem->ip[0] &= ip_set_netmask(cidr);
> +	elem->cidr[0] = cidr;
>  }
>  
>  static bool
> @@ -200,8 +200,8 @@ hash_netiface4_data_list(struct sk_buff *skb,
>  
>  	if (data->nomatch)
>  		flags |= IPSET_FLAG_NOMATCH;
> -	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
> -	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
> +	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip[0]) ||
> +	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0]) ||
>  	    nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
>  	    (flags &&
>  	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
> @@ -216,7 +216,7 @@ static inline void
>  hash_netiface4_data_next(struct hash_netiface4_elem *next,
>  			 const struct hash_netiface4_elem *d)
>  {
> -	next->ip = d->ip;
> +	next->ip[0] = d->ip[0];
>  }
>  
>  #define MTYPE		hash_netiface4
> @@ -233,19 +233,19 @@ hash_netiface4_kadt(struct ip_set *set, const struct sk_buff *skb,
>  	struct hash_netiface *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
>  	struct hash_netiface4_elem e = {
> -		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK,
> +		.cidr[0] = h->nets[0].cidr[0] ? h->nets[0].cidr[0] : HOST_MASK,
>  		.elem = 1,
>  	};
>  	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, h);
>  	int ret;
>  
> -	if (e.cidr == 0)
> +	if (e.cidr[0] == 0)
>  		return -EINVAL;
>  	if (adt == IPSET_TEST)
> -		e.cidr = HOST_MASK;
> +		e.cidr[0] = HOST_MASK;
>  
> -	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip);
> -	e.ip &= ip_set_netmask(e.cidr);
> +	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0]);
> +	e.ip[0] &= ip_set_netmask(e.cidr[0]);
>  
>  #define IFACE(dir)	(par->dir ? par->dir->name : NULL)
>  #define PHYSDEV(dir)	(nf_bridge->dir ? nf_bridge->dir->name : NULL)
> @@ -286,7 +286,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
>  {
>  	struct hash_netiface *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
> -	struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 };
> +	struct hash_netiface4_elem e = { .cidr[0] = HOST_MASK, .elem = 1 };
>  	struct ip_set_ext ext = IP_SET_INIT_UEXT(h);
>  	u32 ip = 0, ip_to = 0, last;
>  	char iface[IFNAMSIZ];
> @@ -309,8 +309,8 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
>  		return ret;
>  
>  	if (tb[IPSET_ATTR_CIDR]) {
> -		e.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
> -		if (e.cidr > HOST_MASK)
> +		e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
> +		if (e.cidr[0] > HOST_MASK)
>  			return -IPSET_ERR_INVALID_CIDR;
>  	}
>  
> @@ -334,7 +334,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
>  			flags |= (IPSET_FLAG_NOMATCH << 16);
>  	}
>  	if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
> -		e.ip = htonl(ip & ip_set_hostmask(e.cidr));
> +		e.ip[0] = htonl(ip & ip_set_hostmask(e.cidr[0]));
>  		ret = adtfn(set, &e, &ext, &ext, flags);
>  		return ip_set_enomatch(ret, flags, adt, set) ? -ret :
>  		       ip_set_eexist(ret, flags) ? 0 : ret;
> @@ -349,13 +349,13 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
>  		if (ip + UINT_MAX == ip_to)
>  			return -IPSET_ERR_HASH_RANGE;
>  	} else
> -		ip_set_mask_from_to(ip, ip_to, e.cidr);
> +		ip_set_mask_from_to(ip, ip_to, e.cidr[0]);
>  
>  	if (retried)
> -		ip = ntohl(h->next.ip);
> +		ip = ntohl(h->next.ip[0]);
>  	while (!after(ip, ip_to)) {
> -		e.ip = htonl(ip);
> -		last = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
> +		e.ip[0] = htonl(ip);
> +		last = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
>  		ret = adtfn(set, &e, &ext, &ext, flags);
>  
>  		if (ret && !ip_set_eexist(ret, flags))
> @@ -370,17 +370,17 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
>  /* IPv6 variants */
>  
>  struct hash_netiface6_elem_hashed {
> -	union nf_inet_addr ip;
> +	union nf_inet_addr ip[1];
>  	u8 physdev;
> -	u8 cidr;
> +	u8 cidr[1];
>  	u8 nomatch;
>  	u8 elem;
>  };
>  
>  struct hash_netiface6_elem {
> -	union nf_inet_addr ip;
> +	union nf_inet_addr ip[1];
>  	u8 physdev;
> -	u8 cidr;
> +	u8 cidr[1];
>  	u8 nomatch;
>  	u8 elem;
>  	const char *iface;
> @@ -393,8 +393,8 @@ hash_netiface6_data_equal(const struct hash_netiface6_elem *ip1,
>  			  const struct hash_netiface6_elem *ip2,
>  			  u32 *multi)
>  {
> -	return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6) &&
> -	       ip1->cidr == ip2->cidr &&
> +	return ipv6_addr_equal(&ip1->ip[0].in6, &ip2->ip[0].in6) &&
> +	       ip1->cidr[0] == ip2->cidr[0] &&
>  	       (++*multi) &&
>  	       ip1->physdev == ip2->physdev &&
>  	       ip1->iface == ip2->iface;
> @@ -421,8 +421,8 @@ hash_netiface6_data_reset_flags(struct hash_netiface6_elem *elem, u8 *flags)
>  static inline void
>  hash_netiface6_data_netmask(struct hash_netiface6_elem *elem, u8 cidr)
>  {
> -	ip6_netmask(&elem->ip, cidr);
> -	elem->cidr = cidr;
> +	ip6_netmask(&elem->ip[0], cidr);
> +	elem->cidr[0] = cidr;
>  }
>  
>  static bool
> @@ -433,8 +433,8 @@ hash_netiface6_data_list(struct sk_buff *skb,
>  
>  	if (data->nomatch)
>  		flags |= IPSET_FLAG_NOMATCH;
> -	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
> -	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
> +	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip[0].in6) ||
> +	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0]) ||
>  	    nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
>  	    (flags &&
>  	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
> @@ -471,19 +471,19 @@ hash_netiface6_kadt(struct ip_set *set, const struct sk_buff *skb,
>  	struct hash_netiface *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
>  	struct hash_netiface6_elem e = {
> -		.cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK,
> +		.cidr[0] = h->nets[0].cidr[0] ? h->nets[0].cidr[0] : HOST_MASK,
>  		.elem = 1,
>  	};
>  	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, h);
>  	int ret;
>  
> -	if (e.cidr == 0)
> +	if (e.cidr[0] == 0)
>  		return -EINVAL;
>  	if (adt == IPSET_TEST)
> -		e.cidr = HOST_MASK;
> +		e.cidr[0] = HOST_MASK;
>  
> -	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6);
> -	ip6_netmask(&e.ip, e.cidr);
> +	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0].in6);
> +	ip6_netmask(&e.ip[0], e.cidr[0]);
>  
>  	if (opt->cmdflags & IPSET_FLAG_PHYSDEV) {
>  #ifdef CONFIG_BRIDGE_NETFILTER
> @@ -520,7 +520,7 @@ hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
>  {
>  	struct hash_netiface *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
> -	struct hash_netiface6_elem e = { .cidr = HOST_MASK, .elem = 1 };
> +	struct hash_netiface6_elem e = { .cidr[0] = HOST_MASK, .elem = 1 };
>  	struct ip_set_ext ext = IP_SET_INIT_UEXT(h);
>  	char iface[IFNAMSIZ];
>  	int ret;
> @@ -538,16 +538,16 @@ hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
>  	if (tb[IPSET_ATTR_LINENO])
>  		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
>  
> -	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
> +	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]) ||
>  	      ip_set_get_extensions(set, tb, &ext);
>  	if (ret)
>  		return ret;
>  
>  	if (tb[IPSET_ATTR_CIDR])
> -		e.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
> -	if (e.cidr > HOST_MASK)
> +		e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
> +	if (e.cidr[0] > HOST_MASK)
>  		return -IPSET_ERR_INVALID_CIDR;
> -	ip6_netmask(&e.ip, e.cidr);
> +	ip6_netmask(&e.ip[0], e.cidr[0]);
>  
>  	strcpy(iface, nla_data(tb[IPSET_ATTR_IFACE]));
>  	e.iface = iface;
> diff --git a/kernel/net/netfilter/ipset/ip_set_hash_netport.c b/kernel/net/netfilter/ipset/ip_set_hash_netport.c
> index 570e6b5..cc8a330 100644
> --- a/kernel/net/netfilter/ipset/ip_set_hash_netport.c
> +++ b/kernel/net/netfilter/ipset/ip_set_hash_netport.c
> @@ -49,10 +49,10 @@ MODULE_ALIAS("ip_set_hash:net,port");
>  
>  /* Member elements */
>  struct hash_netport4_elem {
> -	__be32 ip;
> +	__be32 ip[1];
>  	__be16 port;
>  	u8 proto;
> -	u8 cidr:7;
> +	u8 cidr[1];
>  	u8 nomatch:1;
>  } __attribute__((aligned(sizeof(void*))));
>  
> @@ -63,10 +63,10 @@ hash_netport4_data_equal(const struct hash_netport4_elem *ip1,
>  			 const struct hash_netport4_elem *ip2,
>  			 u32 *multi)
>  {
> -	return ip1->ip == ip2->ip &&
> +	return ip1->ip[0] == ip2->ip[0] &&
>  	       ip1->port == ip2->port &&
>  	       ip1->proto == ip2->proto &&
> -	       ip1->cidr == ip2->cidr;
> +	       ip1->cidr[0] == ip2->cidr[0];
>  }
>  
>  static inline int
> @@ -90,8 +90,8 @@ hash_netport4_data_reset_flags(struct hash_netport4_elem *elem, u8 *flags)
>  static inline void
>  hash_netport4_data_netmask(struct hash_netport4_elem *elem, u8 cidr)
>  {
> -	elem->ip &= ip_set_netmask(cidr);
> -	elem->cidr = cidr - 1;
> +	elem->ip[0] &= ip_set_netmask(cidr);
> +	elem->cidr[0] = cidr - 1;
>  }
>  
>  static bool
> @@ -100,9 +100,9 @@ hash_netport4_data_list(struct sk_buff *skb,
>  {
>  	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
>  
> -	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
> +	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip[0]) ||
>  	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
> -	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr + 1) ||
> +	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0] + 1) ||
>  	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
>  	    (flags &&
>  	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
> @@ -117,7 +117,7 @@ static inline void
>  hash_netport4_data_next(struct hash_netport4_elem *next,
>  			const struct hash_netport4_elem *d)
>  {
> -	next->ip = d->ip;
> +	next->ip[0] = d->ip[0];
>  	next->port = d->port;
>  }
>  
> @@ -134,19 +134,19 @@ hash_netport4_kadt(struct ip_set *set, const struct sk_buff *skb,
>  	const struct hash_netport *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
>  	struct hash_netport4_elem e = {
> -		.cidr = h->nets[0].cidr ? h->nets[0].cidr - 1 : HOST_MASK - 1
> +		.cidr[0] = h->nets[0].cidr[0] ? h->nets[0].cidr[0] - 1 : HOST_MASK - 1
>  	};
>  	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, h);
>  
>  	if (adt == IPSET_TEST)
> -		e.cidr = HOST_MASK - 1;
> +		e.cidr[0] = HOST_MASK - 1;
>  
>  	if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
>  				 &e.port, &e.proto))
>  		return -EINVAL;
>  
> -	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip);
> -	e.ip &= ip_set_netmask(e.cidr + 1);
> +	ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0]);
> +	e.ip[0] &= ip_set_netmask(e.cidr[0] + 1);
>  
>  	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
>  }
> @@ -157,7 +157,7 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
>  {
>  	const struct hash_netport *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
> -	struct hash_netport4_elem e = { .cidr = HOST_MASK - 1 };
> +	struct hash_netport4_elem e = { .cidr[0] = HOST_MASK - 1 };
>  	struct ip_set_ext ext = IP_SET_INIT_UEXT(h);
>  	u32 port, port_to, p = 0, ip = 0, ip_to = 0, last;
>  	bool with_ports = false;
> @@ -185,7 +185,7 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
>  		cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
>  		if (!cidr || cidr > HOST_MASK)
>  			return -IPSET_ERR_INVALID_CIDR;
> -		e.cidr = cidr - 1;
> +		e.cidr[0] = cidr - 1;
>  	}
>  
>  	if (tb[IPSET_ATTR_PORT])
> @@ -214,7 +214,7 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
>  	}
>  
>  	if (adt == IPSET_TEST || !(with_ports || tb[IPSET_ATTR_IP_TO])) {
> -		e.ip = htonl(ip & ip_set_hostmask(e.cidr + 1));
> +		e.ip[0] = htonl(ip & ip_set_hostmask(e.cidr[0] + 1));
>  		ret = adtfn(set, &e, &ext, &ext, flags);
>  		return ip_set_enomatch(ret, flags, adt, set) ? -ret :
>  		       ip_set_eexist(ret, flags) ? 0 : ret;
> @@ -235,15 +235,15 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
>  		if (ip + UINT_MAX == ip_to)
>  			return -IPSET_ERR_HASH_RANGE;
>  	} else
> -		ip_set_mask_from_to(ip, ip_to, e.cidr + 1);
> +		ip_set_mask_from_to(ip, ip_to, e.cidr[0] + 1);
>  
>  	if (retried)
> -		ip = ntohl(h->next.ip);
> +		ip = ntohl(h->next.ip[0]);
>  	while (!after(ip, ip_to)) {
> -		e.ip = htonl(ip);
> +		e.ip[0] = htonl(ip);
>  		last = ip_set_range_to_cidr(ip, ip_to, &cidr);
> -		e.cidr = cidr - 1;
> -		p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
> +		e.cidr[0] = cidr - 1;
> +		p = retried && ip == ntohl(h->next.ip[0]) ? ntohs(h->next.port)
>  						       : port;
>  		for (; p <= port_to; p++) {
>  			e.port = htons(p);
> @@ -262,10 +262,10 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
>  /* IPv6 variants */
>  
>  struct hash_netport6_elem {
> -	union nf_inet_addr ip;
> +	union nf_inet_addr ip[1];
>  	__be16 port;
>  	u8 proto;
> -	u8 cidr:7;
> +	u8 cidr[1];
>  	u8 nomatch:1;
>  } __attribute__((aligned(sizeof(void*))));
>  
> @@ -276,10 +276,10 @@ hash_netport6_data_equal(const struct hash_netport6_elem *ip1,
>  			 const struct hash_netport6_elem *ip2,
>  			 u32 *multi)
>  {
> -	return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6) &&
> +	return ipv6_addr_equal(&ip1->ip[0].in6, &ip2->ip[0].in6) &&
>  	       ip1->port == ip2->port &&
>  	       ip1->proto == ip2->proto &&
> -	       ip1->cidr == ip2->cidr;
> +	       ip1->cidr[0] == ip2->cidr[0];
>  }
>  
>  static inline int
> @@ -303,8 +303,8 @@ hash_netport6_data_reset_flags(struct hash_netport6_elem *elem, u8 *flags)
>  static inline void
>  hash_netport6_data_netmask(struct hash_netport6_elem *elem, u8 cidr)
>  {
> -	ip6_netmask(&elem->ip, cidr);
> -	elem->cidr = cidr - 1;
> +	ip6_netmask(&elem->ip[0], cidr);
> +	elem->cidr[0] = cidr - 1;
>  }
>  
>  static bool
> @@ -313,9 +313,9 @@ hash_netport6_data_list(struct sk_buff *skb,
>  {
>  	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
>  
> -	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
> +	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip[0].in6) ||
>  	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
> -	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr + 1) ||
> +	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr[0] + 1) ||
>  	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
>  	    (flags &&
>  	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
> @@ -351,19 +351,19 @@ hash_netport6_kadt(struct ip_set *set, const struct sk_buff *skb,
>  	const struct hash_netport *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
>  	struct hash_netport6_elem e = {
> -		.cidr = h->nets[0].cidr ? h->nets[0].cidr - 1 : HOST_MASK - 1,
> +		.cidr[0] = h->nets[0].cidr[0] ? h->nets[0].cidr[0] - 1 : HOST_MASK - 1,
>  	};
>  	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, h);
>  
>  	if (adt == IPSET_TEST)
> -		e.cidr = HOST_MASK - 1;
> +		e.cidr[0] = HOST_MASK - 1;
>  
>  	if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC,
>  				 &e.port, &e.proto))
>  		return -EINVAL;
>  
> -	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6);
> -	ip6_netmask(&e.ip, e.cidr + 1);
> +	ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip[0].in6);
> +	ip6_netmask(&e.ip[0], e.cidr[0] + 1);
>  
>  	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
>  }
> @@ -374,7 +374,7 @@ hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
>  {
>  	const struct hash_netport *h = set->data;
>  	ipset_adtfn adtfn = set->variant->adt[adt];
> -	struct hash_netport6_elem e = { .cidr = HOST_MASK  - 1 };
> +	struct hash_netport6_elem e = { .cidr[0] = HOST_MASK  - 1 };
>  	struct ip_set_ext ext = IP_SET_INIT_UEXT(h);
>  	u32 port, port_to;
>  	bool with_ports = false;
> @@ -395,7 +395,7 @@ hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
>  	if (tb[IPSET_ATTR_LINENO])
>  		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
>  
> -	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
> +	ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]) ||
>  	      ip_set_get_extensions(set, tb, &ext);
>  	if (ret)
>  		return ret;
> @@ -404,9 +404,9 @@ hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
>  		cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
>  		if (!cidr || cidr > HOST_MASK)
>  			return -IPSET_ERR_INVALID_CIDR;
> -		e.cidr = cidr - 1;
> +		e.cidr[0] = cidr - 1;
>  	}
> -	ip6_netmask(&e.ip, e.cidr + 1);
> +	ip6_netmask(&e.ip[0], e.cidr[0] + 1);
>  
>  	if (tb[IPSET_ATTR_PORT])
>  		e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
> -- 
> 1.8.3.2
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux