aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2011-02-01 09:28:35 -0500
committerPatrick McHardy <kaber@trash.net>2011-02-01 09:28:35 -0500
commita7b4f989a629493bb4ec4a354def784d440b32c4 (patch)
tree47f5f6a19cd8fb4cbd44a064edbf03a5b102ea1b
parentf703651ef870bd6b94ddc98ae07488b7d3fd9335 (diff)
netfilter: ipset: IP set core support
The patch adds the IP set core support to the kernel. The IP set core implements a netlink (nfnetlink) based protocol by which one can create, destroy, flush, rename, swap, list, save, restore sets, and add, delete, test elements from userspace. For simplicity (and backward compatibilty and for not to force ip(6)tables to be linked with a netlink library) reasons a small getsockopt-based protocol is also kept in order to communicate with the ip(6)tables match and target. The netlink protocol passes all u16, etc values in network order with NLA_F_NET_BYTEORDER flag. The protocol enforces the proper use of the NLA_F_NESTED and NLA_F_NET_BYTEORDER flags. For other kernel subsystems (netfilter match and target) the API contains the functions to add, delete and test elements in sets and the required calls to get/put refereces to the sets before those operations can be performed. The set types (which are implemented in independent modules) are stored in a simple RCU protected list. A set type may have variants: for example without timeout or with timeout support, for IPv4 or for IPv6. The sets (i.e. the pointers to the sets) are stored in an array. The sets are identified by their index in the array, which makes possible easy and fast swapping of sets. The array is protected indirectly by the nfnl mutex from nfnetlink. The content of the sets are protected by the rwlock of the set. There are functional differences between the add/del/test functions for the kernel and userspace: - kernel add/del/test: works on the current packet (i.e. one element) - kernel test: may trigger an "add" operation in order to fill out unspecified parts of the element from the packet (like MAC address) - userspace add/del: works on the netlink message and thus possibly on multiple elements from the IPSET_ATTR_ADT container attribute. - userspace add: may trigger resizing of a set Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r--include/linux/netfilter/ipset/ip_set.h452
-rw-r--r--include/linux/netfilter/ipset/ip_set_getport.h11
-rw-r--r--include/linux/netfilter/ipset/pfxlen.h35
-rw-r--r--net/netfilter/Kconfig2
-rw-r--r--net/netfilter/Makefile3
-rw-r--r--net/netfilter/ipset/Kconfig26
-rw-r--r--net/netfilter/ipset/Makefile8
-rw-r--r--net/netfilter/ipset/ip_set_core.c1662
-rw-r--r--net/netfilter/ipset/ip_set_getport.c136
-rw-r--r--net/netfilter/ipset/pfxlen.c291
10 files changed, 2626 insertions, 0 deletions
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
new file mode 100644
index 000000000000..ec333d83f3b4
--- /dev/null
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -0,0 +1,452 @@
1#ifndef _IP_SET_H
2#define _IP_SET_H
3
4/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
5 * Patrick Schaaf <bof@bof.de>
6 * Martin Josefsson <gandalf@wlug.westbo.se>
7 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2 as
11 * published by the Free Software Foundation.
12 */
13
14/* The protocol version */
15#define IPSET_PROTOCOL 6
16
17/* The max length of strings including NUL: set and type identifiers */
18#define IPSET_MAXNAMELEN 32
19
20/* Message types and commands */
21enum ipset_cmd {
22 IPSET_CMD_NONE,
23 IPSET_CMD_PROTOCOL, /* 1: Return protocol version */
24 IPSET_CMD_CREATE, /* 2: Create a new (empty) set */
25 IPSET_CMD_DESTROY, /* 3: Destroy a (empty) set */
26 IPSET_CMD_FLUSH, /* 4: Remove all elements from a set */
27 IPSET_CMD_RENAME, /* 5: Rename a set */
28 IPSET_CMD_SWAP, /* 6: Swap two sets */
29 IPSET_CMD_LIST, /* 7: List sets */
30 IPSET_CMD_SAVE, /* 8: Save sets */
31 IPSET_CMD_ADD, /* 9: Add an element to a set */
32 IPSET_CMD_DEL, /* 10: Delete an element from a set */
33 IPSET_CMD_TEST, /* 11: Test an element in a set */
34 IPSET_CMD_HEADER, /* 12: Get set header data only */
35 IPSET_CMD_TYPE, /* 13: Get set type */
36 IPSET_MSG_MAX, /* Netlink message commands */
37
38 /* Commands in userspace: */
39 IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
40 IPSET_CMD_HELP, /* 15: Get help */
41 IPSET_CMD_VERSION, /* 16: Get program version */
42 IPSET_CMD_QUIT, /* 17: Quit from interactive mode */
43
44 IPSET_CMD_MAX,
45
46 IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
47};
48
49/* Attributes at command level */
50enum {
51 IPSET_ATTR_UNSPEC,
52 IPSET_ATTR_PROTOCOL, /* 1: Protocol version */
53 IPSET_ATTR_SETNAME, /* 2: Name of the set */
54 IPSET_ATTR_TYPENAME, /* 3: Typename */
55 IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
56 IPSET_ATTR_REVISION, /* 4: Settype revision */
57 IPSET_ATTR_FAMILY, /* 5: Settype family */
58 IPSET_ATTR_FLAGS, /* 6: Flags at command level */
59 IPSET_ATTR_DATA, /* 7: Nested attributes */
60 IPSET_ATTR_ADT, /* 8: Multiple data containers */
61 IPSET_ATTR_LINENO, /* 9: Restore lineno */
62 IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
63 IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
64 __IPSET_ATTR_CMD_MAX,
65};
66#define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1)
67
68/* CADT specific attributes */
69enum {
70 IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
71 IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
72 IPSET_ATTR_IP_TO, /* 2 */
73 IPSET_ATTR_CIDR, /* 3 */
74 IPSET_ATTR_PORT, /* 4 */
75 IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
76 IPSET_ATTR_PORT_TO, /* 5 */
77 IPSET_ATTR_TIMEOUT, /* 6 */
78 IPSET_ATTR_PROTO, /* 7 */
79 IPSET_ATTR_CADT_FLAGS, /* 8 */
80 IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */
81 /* Reserve empty slots */
82 IPSET_ATTR_CADT_MAX = 16,
83 /* Create-only specific attributes */
84 IPSET_ATTR_GC,
85 IPSET_ATTR_HASHSIZE,
86 IPSET_ATTR_MAXELEM,
87 IPSET_ATTR_NETMASK,
88 IPSET_ATTR_PROBES,
89 IPSET_ATTR_RESIZE,
90 IPSET_ATTR_SIZE,
91 /* Kernel-only */
92 IPSET_ATTR_ELEMENTS,
93 IPSET_ATTR_REFERENCES,
94 IPSET_ATTR_MEMSIZE,
95
96 __IPSET_ATTR_CREATE_MAX,
97};
98#define IPSET_ATTR_CREATE_MAX (__IPSET_ATTR_CREATE_MAX - 1)
99
100/* ADT specific attributes */
101enum {
102 IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
103 IPSET_ATTR_NAME,
104 IPSET_ATTR_NAMEREF,
105 IPSET_ATTR_IP2,
106 IPSET_ATTR_CIDR2,
107 __IPSET_ATTR_ADT_MAX,
108};
109#define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1)
110
111/* IP specific attributes */
112enum {
113 IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
114 IPSET_ATTR_IPADDR_IPV6,
115 __IPSET_ATTR_IPADDR_MAX,
116};
117#define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1)
118
119/* Error codes */
120enum ipset_errno {
121 IPSET_ERR_PRIVATE = 4096,
122 IPSET_ERR_PROTOCOL,
123 IPSET_ERR_FIND_TYPE,
124 IPSET_ERR_MAX_SETS,
125 IPSET_ERR_BUSY,
126 IPSET_ERR_EXIST_SETNAME2,
127 IPSET_ERR_TYPE_MISMATCH,
128 IPSET_ERR_EXIST,
129 IPSET_ERR_INVALID_CIDR,
130 IPSET_ERR_INVALID_NETMASK,
131 IPSET_ERR_INVALID_FAMILY,
132 IPSET_ERR_TIMEOUT,
133 IPSET_ERR_REFERENCED,
134 IPSET_ERR_IPADDR_IPV4,
135 IPSET_ERR_IPADDR_IPV6,
136
137 /* Type specific error codes */
138 IPSET_ERR_TYPE_SPECIFIC = 4352,
139};
140
141/* Flags at command level */
142enum ipset_cmd_flags {
143 IPSET_FLAG_BIT_EXIST = 0,
144 IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST),
145};
146
147/* Flags at CADT attribute level */
148enum ipset_cadt_flags {
149 IPSET_FLAG_BIT_BEFORE = 0,
150 IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE),
151};
152
153/* Commands with settype-specific attributes */
154enum ipset_adt {
155 IPSET_ADD,
156 IPSET_DEL,
157 IPSET_TEST,
158 IPSET_ADT_MAX,
159 IPSET_CREATE = IPSET_ADT_MAX,
160 IPSET_CADT_MAX,
161};
162
163#ifdef __KERNEL__
164#include <linux/ip.h>
165#include <linux/ipv6.h>
166#include <linux/netlink.h>
167#include <linux/netfilter.h>
168#include <linux/vmalloc.h>
169#include <net/netlink.h>
170
171/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
172 * and IPSET_INVALID_ID if you want to increase the max number of sets.
173 */
174typedef u16 ip_set_id_t;
175
176#define IPSET_INVALID_ID 65535
177
178enum ip_set_dim {
179 IPSET_DIM_ZERO = 0,
180 IPSET_DIM_ONE,
181 IPSET_DIM_TWO,
182 IPSET_DIM_THREE,
183 /* Max dimension in elements.
184 * If changed, new revision of iptables match/target is required.
185 */
186 IPSET_DIM_MAX = 6,
187};
188
189/* Option flags for kernel operations */
190enum ip_set_kopt {
191 IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
192 IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
193 IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
194 IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
195};
196
197/* Set features */
198enum ip_set_feature {
199 IPSET_TYPE_IP_FLAG = 0,
200 IPSET_TYPE_IP = (1 << IPSET_TYPE_IP_FLAG),
201 IPSET_TYPE_PORT_FLAG = 1,
202 IPSET_TYPE_PORT = (1 << IPSET_TYPE_PORT_FLAG),
203 IPSET_TYPE_MAC_FLAG = 2,
204 IPSET_TYPE_MAC = (1 << IPSET_TYPE_MAC_FLAG),
205 IPSET_TYPE_IP2_FLAG = 3,
206 IPSET_TYPE_IP2 = (1 << IPSET_TYPE_IP2_FLAG),
207 IPSET_TYPE_NAME_FLAG = 4,
208 IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG),
209 /* Strictly speaking not a feature, but a flag for dumping:
210 * this settype must be dumped last */
211 IPSET_DUMP_LAST_FLAG = 7,
212 IPSET_DUMP_LAST = (1 << IPSET_DUMP_LAST_FLAG),
213};
214
215struct ip_set;
216
217typedef int (*ipset_adtfn)(struct ip_set *set, void *value, u32 timeout);
218
219/* Set type, variant-specific part */
220struct ip_set_type_variant {
221 /* Kernelspace: test/add/del entries
222 * returns negative error code,
223 * zero for no match/success to add/delete
224 * positive for matching element */
225 int (*kadt)(struct ip_set *set, const struct sk_buff * skb,
226 enum ipset_adt adt, u8 pf, u8 dim, u8 flags);
227
228 /* Userspace: test/add/del entries
229 * returns negative error code,
230 * zero for no match/success to add/delete
231 * positive for matching element */
232 int (*uadt)(struct ip_set *set, struct nlattr *tb[],
233 enum ipset_adt adt, u32 *lineno, u32 flags);
234
235 /* Low level add/del/test functions */
236 ipset_adtfn adt[IPSET_ADT_MAX];
237
238 /* When adding entries and set is full, try to resize the set */
239 int (*resize)(struct ip_set *set, bool retried);
240 /* Destroy the set */
241 void (*destroy)(struct ip_set *set);
242 /* Flush the elements */
243 void (*flush)(struct ip_set *set);
244 /* Expire entries before listing */
245 void (*expire)(struct ip_set *set);
246 /* List set header data */
247 int (*head)(struct ip_set *set, struct sk_buff *skb);
248 /* List elements */
249 int (*list)(const struct ip_set *set, struct sk_buff *skb,
250 struct netlink_callback *cb);
251
252 /* Return true if "b" set is the same as "a"
253 * according to the create set parameters */
254 bool (*same_set)(const struct ip_set *a, const struct ip_set *b);
255};
256
257/* The core set type structure */
258struct ip_set_type {
259 struct list_head list;
260
261 /* Typename */
262 char name[IPSET_MAXNAMELEN];
263 /* Protocol version */
264 u8 protocol;
265 /* Set features to control swapping */
266 u8 features;
267 /* Set type dimension */
268 u8 dimension;
269 /* Supported family: may be AF_UNSPEC for both AF_INET/AF_INET6 */
270 u8 family;
271 /* Type revision */
272 u8 revision;
273
274 /* Create set */
275 int (*create)(struct ip_set *set, struct nlattr *tb[], u32 flags);
276
277 /* Attribute policies */
278 const struct nla_policy create_policy[IPSET_ATTR_CREATE_MAX + 1];
279 const struct nla_policy adt_policy[IPSET_ATTR_ADT_MAX + 1];
280
281 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
282 struct module *me;
283};
284
285/* register and unregister set type */
286extern int ip_set_type_register(struct ip_set_type *set_type);
287extern void ip_set_type_unregister(struct ip_set_type *set_type);
288
289/* A generic IP set */
290struct ip_set {
291 /* The name of the set */
292 char name[IPSET_MAXNAMELEN];
293 /* Lock protecting the set data */
294 rwlock_t lock;
295 /* References to the set */
296 atomic_t ref;
297 /* The core set type */
298 struct ip_set_type *type;
299 /* The type variant doing the real job */
300 const struct ip_set_type_variant *variant;
301 /* The actual INET family of the set */
302 u8 family;
303 /* The type specific data */
304 void *data;
305};
306
307/* register and unregister set references */
308extern ip_set_id_t ip_set_get_byname(const char *name, struct ip_set **set);
309extern void ip_set_put_byindex(ip_set_id_t index);
310extern const char * ip_set_name_byindex(ip_set_id_t index);
311extern ip_set_id_t ip_set_nfnl_get(const char *name);
312extern ip_set_id_t ip_set_nfnl_get_byindex(ip_set_id_t index);
313extern void ip_set_nfnl_put(ip_set_id_t index);
314
315/* API for iptables set match, and SET target */
316extern int ip_set_add(ip_set_id_t id, const struct sk_buff *skb,
317 u8 family, u8 dim, u8 flags);
318extern int ip_set_del(ip_set_id_t id, const struct sk_buff *skb,
319 u8 family, u8 dim, u8 flags);
320extern int ip_set_test(ip_set_id_t id, const struct sk_buff *skb,
321 u8 family, u8 dim, u8 flags);
322
323/* Utility functions */
324extern void * ip_set_alloc(size_t size);
325extern void ip_set_free(void *members);
326extern int ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr);
327extern int ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr);
328
329static inline int
330ip_set_get_hostipaddr4(struct nlattr *nla, u32 *ipaddr)
331{
332 __be32 ip;
333 int ret = ip_set_get_ipaddr4(nla, &ip);
334
335 if (ret)
336 return ret;
337 *ipaddr = ntohl(ip);
338 return 0;
339}
340
341/* Ignore IPSET_ERR_EXIST errors if asked to do so? */
342static inline bool
343ip_set_eexist(int ret, u32 flags)
344{
345 return ret == -IPSET_ERR_EXIST && (flags & IPSET_FLAG_EXIST);
346}
347
348/* Check the NLA_F_NET_BYTEORDER flag */
349static inline bool
350ip_set_attr_netorder(struct nlattr *tb[], int type)
351{
352 return tb[type] && (tb[type]->nla_type & NLA_F_NET_BYTEORDER);
353}
354
355static inline bool
356ip_set_optattr_netorder(struct nlattr *tb[], int type)
357{
358 return !tb[type] || (tb[type]->nla_type & NLA_F_NET_BYTEORDER);
359}
360
361/* Useful converters */
362static inline u32
363ip_set_get_h32(const struct nlattr *attr)
364{
365 return ntohl(nla_get_be32(attr));
366}
367
368static inline u16
369ip_set_get_h16(const struct nlattr *attr)
370{
371 return ntohs(nla_get_be16(attr));
372}
373
374#define ipset_nest_start(skb, attr) nla_nest_start(skb, attr | NLA_F_NESTED)
375#define ipset_nest_end(skb, start) nla_nest_end(skb, start)
376
377#define NLA_PUT_IPADDR4(skb, type, ipaddr) \
378do { \
379 struct nlattr *__nested = ipset_nest_start(skb, type); \
380 \
381 if (!__nested) \
382 goto nla_put_failure; \
383 NLA_PUT_NET32(skb, IPSET_ATTR_IPADDR_IPV4, ipaddr); \
384 ipset_nest_end(skb, __nested); \
385} while (0)
386
387#define NLA_PUT_IPADDR6(skb, type, ipaddrptr) \
388do { \
389 struct nlattr *__nested = ipset_nest_start(skb, type); \
390 \
391 if (!__nested) \
392 goto nla_put_failure; \
393 NLA_PUT(skb, IPSET_ATTR_IPADDR_IPV6, \
394 sizeof(struct in6_addr), ipaddrptr); \
395 ipset_nest_end(skb, __nested); \
396} while (0)
397
398/* Get address from skbuff */
399static inline __be32
400ip4addr(const struct sk_buff *skb, bool src)
401{
402 return src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr;
403}
404
405static inline void
406ip4addrptr(const struct sk_buff *skb, bool src, __be32 *addr)
407{
408 *addr = src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr;
409}
410
411static inline void
412ip6addrptr(const struct sk_buff *skb, bool src, struct in6_addr *addr)
413{
414 memcpy(addr, src ? &ipv6_hdr(skb)->saddr : &ipv6_hdr(skb)->daddr,
415 sizeof(*addr));
416}
417
418/* Calculate the bytes required to store the inclusive range of a-b */
419static inline int
420bitmap_bytes(u32 a, u32 b)
421{
422 return 4 * ((((b - a + 8) / 8) + 3) / 4);
423}
424
425/* Interface to iptables/ip6tables */
426
427#define SO_IP_SET 83
428
429union ip_set_name_index {
430 char name[IPSET_MAXNAMELEN];
431 ip_set_id_t index;
432};
433
434#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
435struct ip_set_req_get_set {
436 unsigned op;
437 unsigned version;
438 union ip_set_name_index set;
439};
440
441#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
442/* Uses ip_set_req_get_set */
443
444#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
445struct ip_set_req_version {
446 unsigned op;
447 unsigned version;
448};
449
450#endif /* __KERNEL__ */
451
452#endif /*_IP_SET_H */
diff --git a/include/linux/netfilter/ipset/ip_set_getport.h b/include/linux/netfilter/ipset/ip_set_getport.h
new file mode 100644
index 000000000000..694c433298b8
--- /dev/null
+++ b/include/linux/netfilter/ipset/ip_set_getport.h
@@ -0,0 +1,11 @@
1#ifndef _IP_SET_GETPORT_H
2#define _IP_SET_GETPORT_H
3
4extern bool ip_set_get_ip4_port(const struct sk_buff *skb, bool src,
5 __be16 *port, u8 *proto);
6extern bool ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
7 __be16 *port, u8 *proto);
8extern bool ip_set_get_ip_port(const struct sk_buff *skb, u8 pf, bool src,
9 __be16 *port);
10
11#endif /*_IP_SET_GETPORT_H*/
diff --git a/include/linux/netfilter/ipset/pfxlen.h b/include/linux/netfilter/ipset/pfxlen.h
new file mode 100644
index 000000000000..0e1fb50da562
--- /dev/null
+++ b/include/linux/netfilter/ipset/pfxlen.h
@@ -0,0 +1,35 @@
1#ifndef _PFXLEN_H
2#define _PFXLEN_H
3
4#include <asm/byteorder.h>
5#include <linux/netfilter.h>
6
7/* Prefixlen maps, by Jan Engelhardt */
8extern const union nf_inet_addr ip_set_netmask_map[];
9extern const union nf_inet_addr ip_set_hostmask_map[];
10
11static inline __be32
12ip_set_netmask(u8 pfxlen)
13{
14 return ip_set_netmask_map[pfxlen].ip;
15}
16
17static inline const __be32 *
18ip_set_netmask6(u8 pfxlen)
19{
20 return &ip_set_netmask_map[pfxlen].ip6[0];
21}
22
23static inline u32
24ip_set_hostmask(u8 pfxlen)
25{
26 return (__force u32) ip_set_hostmask_map[pfxlen].ip;
27}
28
29static inline const __be32 *
30ip_set_hostmask6(u8 pfxlen)
31{
32 return &ip_set_hostmask_map[pfxlen].ip6[0];
33}
34
35#endif /*_PFXLEN_H */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index faf7412ea453..351abf8ace13 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1052,4 +1052,6 @@ endif # NETFILTER_XTABLES
1052 1052
1053endmenu 1053endmenu
1054 1054
1055source "net/netfilter/ipset/Kconfig"
1056
1055source "net/netfilter/ipvs/Kconfig" 1057source "net/netfilter/ipvs/Kconfig"
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 9ae6878a85b1..510b586ccb7f 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -105,5 +105,8 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
105obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o 105obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
106obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o 106obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
107 107
108# ipset
109obj-$(CONFIG_IP_SET) += ipset/
110
108# IPVS 111# IPVS
109obj-$(CONFIG_IP_VS) += ipvs/ 112obj-$(CONFIG_IP_VS) += ipvs/
diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig
new file mode 100644
index 000000000000..5ade156dd470
--- /dev/null
+++ b/net/netfilter/ipset/Kconfig
@@ -0,0 +1,26 @@
1menuconfig IP_SET
2 tristate "IP set support"
3 depends on INET && NETFILTER
4 help
5 This option adds IP set support to the kernel.
6 In order to define and use the sets, you need the userspace utility
7 ipset(8). You can use the sets in netfilter via the "set" match
8 and "SET" target.
9
10 To compile it as a module, choose M here. If unsure, say N.
11
12if IP_SET
13
14config IP_SET_MAX
15 int "Maximum number of IP sets"
16 default 256
17 range 2 65534
18 depends on IP_SET
19 help
20 You can define here default value of the maximum number
21 of IP sets for the kernel.
22
23 The value can be overriden by the 'max_sets' module
24 parameter of the 'ip_set' module.
25
26endif # IP_SET
diff --git a/net/netfilter/ipset/Makefile b/net/netfilter/ipset/Makefile
new file mode 100644
index 000000000000..910cd425c067
--- /dev/null
+++ b/net/netfilter/ipset/Makefile
@@ -0,0 +1,8 @@
1#
2# Makefile for the ipset modules
3#
4
5ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o
6
7# ipset core
8obj-$(CONFIG_IP_SET) += ip_set.o
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
new file mode 100644
index 000000000000..8a736247e85f
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -0,0 +1,1662 @@
1/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 */
9
10/* Kernel module for IP set management */
11
12#include <linux/init.h>
13#include <linux/module.h>
14#include <linux/moduleparam.h>
15#include <linux/ip.h>
16#include <linux/skbuff.h>
17#include <linux/spinlock.h>
18#include <linux/netlink.h>
19#include <linux/rculist.h>
20#include <linux/version.h>
21#include <net/netlink.h>
22
23#include <linux/netfilter.h>
24#include <linux/netfilter/nfnetlink.h>
25#include <linux/netfilter/ipset/ip_set.h>
26
27static LIST_HEAD(ip_set_type_list); /* all registered set types */
28static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */
29
30static struct ip_set **ip_set_list; /* all individual sets */
31static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */
32
33#define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
34
35static unsigned int max_sets;
36
37module_param(max_sets, int, 0600);
38MODULE_PARM_DESC(max_sets, "maximal number of sets");
39MODULE_LICENSE("GPL");
40MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
41MODULE_DESCRIPTION("core IP set support");
42MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
43
44/*
45 * The set types are implemented in modules and registered set types
46 * can be found in ip_set_type_list. Adding/deleting types is
47 * serialized by ip_set_type_mutex.
48 */
49
50static inline void
51ip_set_type_lock(void)
52{
53 mutex_lock(&ip_set_type_mutex);
54}
55
56static inline void
57ip_set_type_unlock(void)
58{
59 mutex_unlock(&ip_set_type_mutex);
60}
61
62/* Register and deregister settype */
63
64static struct ip_set_type *
65find_set_type(const char *name, u8 family, u8 revision)
66{
67 struct ip_set_type *type;
68
69 list_for_each_entry_rcu(type, &ip_set_type_list, list)
70 if (STREQ(type->name, name) &&
71 (type->family == family || type->family == AF_UNSPEC) &&
72 type->revision == revision)
73 return type;
74 return NULL;
75}
76
77/* Unlock, try to load a set type module and lock again */
78static int
79try_to_load_type(const char *name)
80{
81 nfnl_unlock();
82 pr_debug("try to load ip_set_%s\n", name);
83 if (request_module("ip_set_%s", name) < 0) {
84 pr_warning("Can't find ip_set type %s\n", name);
85 nfnl_lock();
86 return -IPSET_ERR_FIND_TYPE;
87 }
88 nfnl_lock();
89 return -EAGAIN;
90}
91
92/* Find a set type and reference it */
93static int
94find_set_type_get(const char *name, u8 family, u8 revision,
95 struct ip_set_type **found)
96{
97 rcu_read_lock();
98 *found = find_set_type(name, family, revision);
99 if (*found) {
100 int err = !try_module_get((*found)->me);
101 rcu_read_unlock();
102 return err ? -EFAULT : 0;
103 }
104 rcu_read_unlock();
105
106 return try_to_load_type(name);
107}
108
109/* Find a given set type by name and family.
110 * If we succeeded, the supported minimal and maximum revisions are
111 * filled out.
112 */
113static int
114find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max)
115{
116 struct ip_set_type *type;
117 bool found = false;
118
119 *min = *max = 0;
120 rcu_read_lock();
121 list_for_each_entry_rcu(type, &ip_set_type_list, list)
122 if (STREQ(type->name, name) &&
123 (type->family == family || type->family == AF_UNSPEC)) {
124 found = true;
125 if (type->revision < *min)
126 *min = type->revision;
127 else if (type->revision > *max)
128 *max = type->revision;
129 }
130 rcu_read_unlock();
131 if (found)
132 return 0;
133
134 return try_to_load_type(name);
135}
136
137#define family_name(f) ((f) == AF_INET ? "inet" : \
138 (f) == AF_INET6 ? "inet6" : "any")
139
140/* Register a set type structure. The type is identified by
141 * the unique triple of name, family and revision.
142 */
143int
144ip_set_type_register(struct ip_set_type *type)
145{
146 int ret = 0;
147
148 if (type->protocol != IPSET_PROTOCOL) {
149 pr_warning("ip_set type %s, family %s, revision %u uses "
150 "wrong protocol version %u (want %u)\n",
151 type->name, family_name(type->family),
152 type->revision, type->protocol, IPSET_PROTOCOL);
153 return -EINVAL;
154 }
155
156 ip_set_type_lock();
157 if (find_set_type(type->name, type->family, type->revision)) {
158 /* Duplicate! */
159 pr_warning("ip_set type %s, family %s, revision %u "
160 "already registered!\n", type->name,
161 family_name(type->family), type->revision);
162 ret = -EINVAL;
163 goto unlock;
164 }
165 list_add_rcu(&type->list, &ip_set_type_list);
166 pr_debug("type %s, family %s, revision %u registered.\n",
167 type->name, family_name(type->family), type->revision);
168unlock:
169 ip_set_type_unlock();
170 return ret;
171}
172EXPORT_SYMBOL_GPL(ip_set_type_register);
173
174/* Unregister a set type. There's a small race with ip_set_create */
175void
176ip_set_type_unregister(struct ip_set_type *type)
177{
178 ip_set_type_lock();
179 if (!find_set_type(type->name, type->family, type->revision)) {
180 pr_warning("ip_set type %s, family %s, revision %u "
181 "not registered\n", type->name,
182 family_name(type->family), type->revision);
183 goto unlock;
184 }
185 list_del_rcu(&type->list);
186 pr_debug("type %s, family %s, revision %u unregistered.\n",
187 type->name, family_name(type->family), type->revision);
188unlock:
189 ip_set_type_unlock();
190
191 synchronize_rcu();
192}
193EXPORT_SYMBOL_GPL(ip_set_type_unregister);
194
195/* Utility functions */
196void *
197ip_set_alloc(size_t size)
198{
199 void *members = NULL;
200
201 if (size < KMALLOC_MAX_SIZE)
202 members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
203
204 if (members) {
205 pr_debug("%p: allocated with kmalloc\n", members);
206 return members;
207 }
208
209 members = vzalloc(size);
210 if (!members)
211 return NULL;
212 pr_debug("%p: allocated with vmalloc\n", members);
213
214 return members;
215}
216EXPORT_SYMBOL_GPL(ip_set_alloc);
217
218void
219ip_set_free(void *members)
220{
221 pr_debug("%p: free with %s\n", members,
222 is_vmalloc_addr(members) ? "vfree" : "kfree");
223 if (is_vmalloc_addr(members))
224 vfree(members);
225 else
226 kfree(members);
227}
228EXPORT_SYMBOL_GPL(ip_set_free);
229
230static inline bool
231flag_nested(const struct nlattr *nla)
232{
233 return nla->nla_type & NLA_F_NESTED;
234}
235
236static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
237 [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 },
238 [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY,
239 .len = sizeof(struct in6_addr) },
240};
241
242int
243ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr)
244{
245 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
246
247 if (unlikely(!flag_nested(nla)))
248 return -IPSET_ERR_PROTOCOL;
249 if (nla_parse(tb, IPSET_ATTR_IPADDR_MAX, nla_data(nla), nla_len(nla),
250 ipaddr_policy))
251 return -IPSET_ERR_PROTOCOL;
252 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4)))
253 return -IPSET_ERR_PROTOCOL;
254
255 *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]);
256 return 0;
257}
258EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4);
259
260int
261ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
262{
263 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
264
265 if (unlikely(!flag_nested(nla)))
266 return -IPSET_ERR_PROTOCOL;
267
268 if (nla_parse(tb, IPSET_ATTR_IPADDR_MAX, nla_data(nla), nla_len(nla),
269 ipaddr_policy))
270 return -IPSET_ERR_PROTOCOL;
271 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6)))
272 return -IPSET_ERR_PROTOCOL;
273
274 memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]),
275 sizeof(struct in6_addr));
276 return 0;
277}
278EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
279
280/*
281 * Creating/destroying/renaming/swapping affect the existence and
282 * the properties of a set. All of these can be executed from userspace
283 * only and serialized by the nfnl mutex indirectly from nfnetlink.
284 *
285 * Sets are identified by their index in ip_set_list and the index
286 * is used by the external references (set/SET netfilter modules).
287 *
288 * The set behind an index may change by swapping only, from userspace.
289 */
290
291static inline void
292__ip_set_get(ip_set_id_t index)
293{
294 atomic_inc(&ip_set_list[index]->ref);
295}
296
297static inline void
298__ip_set_put(ip_set_id_t index)
299{
300 atomic_dec(&ip_set_list[index]->ref);
301}
302
303/*
304 * Add, del and test set entries from kernel.
305 *
306 * The set behind the index must exist and must be referenced
307 * so it can't be destroyed (or changed) under our foot.
308 */
309
310int
311ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
312 u8 family, u8 dim, u8 flags)
313{
314 struct ip_set *set = ip_set_list[index];
315 int ret = 0;
316
317 BUG_ON(set == NULL || atomic_read(&set->ref) == 0);
318 pr_debug("set %s, index %u\n", set->name, index);
319
320 if (dim < set->type->dimension ||
321 !(family == set->family || set->family == AF_UNSPEC))
322 return 0;
323
324 read_lock_bh(&set->lock);
325 ret = set->variant->kadt(set, skb, IPSET_TEST, family, dim, flags);
326 read_unlock_bh(&set->lock);
327
328 if (ret == -EAGAIN) {
329 /* Type requests element to be completed */
330 pr_debug("element must be competed, ADD is triggered\n");
331 write_lock_bh(&set->lock);
332 set->variant->kadt(set, skb, IPSET_ADD, family, dim, flags);
333 write_unlock_bh(&set->lock);
334 ret = 1;
335 }
336
337 /* Convert error codes to nomatch */
338 return (ret < 0 ? 0 : ret);
339}
340EXPORT_SYMBOL_GPL(ip_set_test);
341
342int
343ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
344 u8 family, u8 dim, u8 flags)
345{
346 struct ip_set *set = ip_set_list[index];
347 int ret;
348
349 BUG_ON(set == NULL || atomic_read(&set->ref) == 0);
350 pr_debug("set %s, index %u\n", set->name, index);
351
352 if (dim < set->type->dimension ||
353 !(family == set->family || set->family == AF_UNSPEC))
354 return 0;
355
356 write_lock_bh(&set->lock);
357 ret = set->variant->kadt(set, skb, IPSET_ADD, family, dim, flags);
358 write_unlock_bh(&set->lock);
359
360 return ret;
361}
362EXPORT_SYMBOL_GPL(ip_set_add);
363
364int
365ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
366 u8 family, u8 dim, u8 flags)
367{
368 struct ip_set *set = ip_set_list[index];
369 int ret = 0;
370
371 BUG_ON(set == NULL || atomic_read(&set->ref) == 0);
372 pr_debug("set %s, index %u\n", set->name, index);
373
374 if (dim < set->type->dimension ||
375 !(family == set->family || set->family == AF_UNSPEC))
376 return 0;
377
378 write_lock_bh(&set->lock);
379 ret = set->variant->kadt(set, skb, IPSET_DEL, family, dim, flags);
380 write_unlock_bh(&set->lock);
381
382 return ret;
383}
384EXPORT_SYMBOL_GPL(ip_set_del);
385
386/*
387 * Find set by name, reference it once. The reference makes sure the
388 * thing pointed to, does not go away under our feet.
389 *
390 * The nfnl mutex must already be activated.
391 */
392ip_set_id_t
393ip_set_get_byname(const char *name, struct ip_set **set)
394{
395 ip_set_id_t i, index = IPSET_INVALID_ID;
396 struct ip_set *s;
397
398 for (i = 0; i < ip_set_max; i++) {
399 s = ip_set_list[i];
400 if (s != NULL && STREQ(s->name, name)) {
401 __ip_set_get(i);
402 index = i;
403 *set = s;
404 }
405 }
406
407 return index;
408}
409EXPORT_SYMBOL_GPL(ip_set_get_byname);
410
411/*
412 * If the given set pointer points to a valid set, decrement
413 * reference count by 1. The caller shall not assume the index
414 * to be valid, after calling this function.
415 *
416 * The nfnl mutex must already be activated.
417 */
418void
419ip_set_put_byindex(ip_set_id_t index)
420{
421 if (ip_set_list[index] != NULL) {
422 BUG_ON(atomic_read(&ip_set_list[index]->ref) == 0);
423 __ip_set_put(index);
424 }
425}
426EXPORT_SYMBOL_GPL(ip_set_put_byindex);
427
428/*
429 * Get the name of a set behind a set index.
430 * We assume the set is referenced, so it does exist and
431 * can't be destroyed. The set cannot be renamed due to
432 * the referencing either.
433 *
434 * The nfnl mutex must already be activated.
435 */
436const char *
437ip_set_name_byindex(ip_set_id_t index)
438{
439 const struct ip_set *set = ip_set_list[index];
440
441 BUG_ON(set == NULL);
442 BUG_ON(atomic_read(&set->ref) == 0);
443
444 /* Referenced, so it's safe */
445 return set->name;
446}
447EXPORT_SYMBOL_GPL(ip_set_name_byindex);
448
449/*
450 * Routines to call by external subsystems, which do not
451 * call nfnl_lock for us.
452 */
453
454/*
455 * Find set by name, reference it once. The reference makes sure the
456 * thing pointed to, does not go away under our feet.
457 *
458 * The nfnl mutex is used in the function.
459 */
460ip_set_id_t
461ip_set_nfnl_get(const char *name)
462{
463 struct ip_set *s;
464 ip_set_id_t index;
465
466 nfnl_lock();
467 index = ip_set_get_byname(name, &s);
468 nfnl_unlock();
469
470 return index;
471}
472EXPORT_SYMBOL_GPL(ip_set_nfnl_get);
473
474/*
475 * Find set by index, reference it once. The reference makes sure the
476 * thing pointed to, does not go away under our feet.
477 *
478 * The nfnl mutex is used in the function.
479 */
480ip_set_id_t
481ip_set_nfnl_get_byindex(ip_set_id_t index)
482{
483 if (index > ip_set_max)
484 return IPSET_INVALID_ID;
485
486 nfnl_lock();
487 if (ip_set_list[index])
488 __ip_set_get(index);
489 else
490 index = IPSET_INVALID_ID;
491 nfnl_unlock();
492
493 return index;
494}
495EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex);
496
497/*
498 * If the given set pointer points to a valid set, decrement
499 * reference count by 1. The caller shall not assume the index
500 * to be valid, after calling this function.
501 *
502 * The nfnl mutex is used in the function.
503 */
504void
505ip_set_nfnl_put(ip_set_id_t index)
506{
507 nfnl_lock();
508 if (ip_set_list[index] != NULL) {
509 BUG_ON(atomic_read(&ip_set_list[index]->ref) == 0);
510 __ip_set_put(index);
511 }
512 nfnl_unlock();
513}
514EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
515
516/*
517 * Communication protocol with userspace over netlink.
518 *
519 * We already locked by nfnl_lock.
520 */
521
522static inline bool
523protocol_failed(const struct nlattr * const tb[])
524{
525 return !tb[IPSET_ATTR_PROTOCOL] ||
526 nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL;
527}
528
529static inline u32
530flag_exist(const struct nlmsghdr *nlh)
531{
532 return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST;
533}
534
535static struct nlmsghdr *
536start_msg(struct sk_buff *skb, u32 pid, u32 seq, unsigned int flags,
537 enum ipset_cmd cmd)
538{
539 struct nlmsghdr *nlh;
540 struct nfgenmsg *nfmsg;
541
542 nlh = nlmsg_put(skb, pid, seq, cmd | (NFNL_SUBSYS_IPSET << 8),
543 sizeof(*nfmsg), flags);
544 if (nlh == NULL)
545 return NULL;
546
547 nfmsg = nlmsg_data(nlh);
548 nfmsg->nfgen_family = AF_INET;
549 nfmsg->version = NFNETLINK_V0;
550 nfmsg->res_id = 0;
551
552 return nlh;
553}
554
555/* Create a set */
556
557static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = {
558 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
559 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
560 .len = IPSET_MAXNAMELEN - 1 },
561 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
562 .len = IPSET_MAXNAMELEN - 1},
563 [IPSET_ATTR_REVISION] = { .type = NLA_U8 },
564 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
565 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
566};
567
568static ip_set_id_t
569find_set_id(const char *name)
570{
571 ip_set_id_t i, index = IPSET_INVALID_ID;
572 const struct ip_set *set;
573
574 for (i = 0; index == IPSET_INVALID_ID && i < ip_set_max; i++) {
575 set = ip_set_list[i];
576 if (set != NULL && STREQ(set->name, name))
577 index = i;
578 }
579 return index;
580}
581
582static inline struct ip_set *
583find_set(const char *name)
584{
585 ip_set_id_t index = find_set_id(name);
586
587 return index == IPSET_INVALID_ID ? NULL : ip_set_list[index];
588}
589
590static int
591find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set)
592{
593 ip_set_id_t i;
594
595 *index = IPSET_INVALID_ID;
596 for (i = 0; i < ip_set_max; i++) {
597 if (ip_set_list[i] == NULL) {
598 if (*index == IPSET_INVALID_ID)
599 *index = i;
600 } else if (STREQ(name, ip_set_list[i]->name)) {
601 /* Name clash */
602 *set = ip_set_list[i];
603 return -EEXIST;
604 }
605 }
606 if (*index == IPSET_INVALID_ID)
607 /* No free slot remained */
608 return -IPSET_ERR_MAX_SETS;
609 return 0;
610}
611
612static int
613ip_set_create(struct sock *ctnl, struct sk_buff *skb,
614 const struct nlmsghdr *nlh,
615 const struct nlattr * const attr[])
616{
617 struct ip_set *set, *clash;
618 ip_set_id_t index = IPSET_INVALID_ID;
619 struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {};
620 const char *name, *typename;
621 u8 family, revision;
622 u32 flags = flag_exist(nlh);
623 int ret = 0;
624
625 if (unlikely(protocol_failed(attr) ||
626 attr[IPSET_ATTR_SETNAME] == NULL ||
627 attr[IPSET_ATTR_TYPENAME] == NULL ||
628 attr[IPSET_ATTR_REVISION] == NULL ||
629 attr[IPSET_ATTR_FAMILY] == NULL ||
630 (attr[IPSET_ATTR_DATA] != NULL &&
631 !flag_nested(attr[IPSET_ATTR_DATA]))))
632 return -IPSET_ERR_PROTOCOL;
633
634 name = nla_data(attr[IPSET_ATTR_SETNAME]);
635 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
636 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
637 revision = nla_get_u8(attr[IPSET_ATTR_REVISION]);
638 pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
639 name, typename, family_name(family), revision);
640
641 /*
642 * First, and without any locks, allocate and initialize
643 * a normal base set structure.
644 */
645 set = kzalloc(sizeof(struct ip_set), GFP_KERNEL);
646 if (!set)
647 return -ENOMEM;
648 rwlock_init(&set->lock);
649 strlcpy(set->name, name, IPSET_MAXNAMELEN);
650 atomic_set(&set->ref, 0);
651 set->family = family;
652
653 /*
654 * Next, check that we know the type, and take
655 * a reference on the type, to make sure it stays available
656 * while constructing our new set.
657 *
658 * After referencing the type, we try to create the type
659 * specific part of the set without holding any locks.
660 */
661 ret = find_set_type_get(typename, family, revision, &(set->type));
662 if (ret)
663 goto out;
664
665 /*
666 * Without holding any locks, create private part.
667 */
668 if (attr[IPSET_ATTR_DATA] &&
669 nla_parse(tb, IPSET_ATTR_CREATE_MAX,
670 nla_data(attr[IPSET_ATTR_DATA]),
671 nla_len(attr[IPSET_ATTR_DATA]),
672 set->type->create_policy)) {
673 ret = -IPSET_ERR_PROTOCOL;
674 goto put_out;
675 }
676
677 ret = set->type->create(set, tb, flags);
678 if (ret != 0)
679 goto put_out;
680
681 /* BTW, ret==0 here. */
682
683 /*
684 * Here, we have a valid, constructed set and we are protected
685 * by nfnl_lock. Find the first free index in ip_set_list and
686 * check clashing.
687 */
688 if ((ret = find_free_id(set->name, &index, &clash)) != 0) {
689 /* If this is the same set and requested, ignore error */
690 if (ret == -EEXIST &&
691 (flags & IPSET_FLAG_EXIST) &&
692 STREQ(set->type->name, clash->type->name) &&
693 set->type->family == clash->type->family &&
694 set->type->revision == clash->type->revision &&
695 set->variant->same_set(set, clash))
696 ret = 0;
697 goto cleanup;
698 }
699
700 /*
701 * Finally! Add our shiny new set to the list, and be done.
702 */
703 pr_debug("create: '%s' created with index %u!\n", set->name, index);
704 ip_set_list[index] = set;
705
706 return ret;
707
708cleanup:
709 set->variant->destroy(set);
710put_out:
711 module_put(set->type->me);
712out:
713 kfree(set);
714 return ret;
715}
716
717/* Destroy sets */
718
719static const struct nla_policy
720ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
721 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
722 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
723 .len = IPSET_MAXNAMELEN - 1 },
724};
725
726static void
727ip_set_destroy_set(ip_set_id_t index)
728{
729 struct ip_set *set = ip_set_list[index];
730
731 pr_debug("set: %s\n", set->name);
732 ip_set_list[index] = NULL;
733
734 /* Must call it without holding any lock */
735 set->variant->destroy(set);
736 module_put(set->type->me);
737 kfree(set);
738}
739
740static int
741ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
742 const struct nlmsghdr *nlh,
743 const struct nlattr * const attr[])
744{
745 ip_set_id_t i;
746
747 if (unlikely(protocol_failed(attr)))
748 return -IPSET_ERR_PROTOCOL;
749
750 /* References are protected by the nfnl mutex */
751 if (!attr[IPSET_ATTR_SETNAME]) {
752 for (i = 0; i < ip_set_max; i++) {
753 if (ip_set_list[i] != NULL &&
754 (atomic_read(&ip_set_list[i]->ref)))
755 return -IPSET_ERR_BUSY;
756 }
757 for (i = 0; i < ip_set_max; i++) {
758 if (ip_set_list[i] != NULL)
759 ip_set_destroy_set(i);
760 }
761 } else {
762 i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
763 if (i == IPSET_INVALID_ID)
764 return -ENOENT;
765 else if (atomic_read(&ip_set_list[i]->ref))
766 return -IPSET_ERR_BUSY;
767
768 ip_set_destroy_set(i);
769 }
770 return 0;
771}
772
773/* Flush sets */
774
775static void
776ip_set_flush_set(struct ip_set *set)
777{
778 pr_debug("set: %s\n", set->name);
779
780 write_lock_bh(&set->lock);
781 set->variant->flush(set);
782 write_unlock_bh(&set->lock);
783}
784
785static int
786ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
787 const struct nlmsghdr *nlh,
788 const struct nlattr * const attr[])
789{
790 ip_set_id_t i;
791
792 if (unlikely(protocol_failed(attr)))
793 return -EPROTO;
794
795 if (!attr[IPSET_ATTR_SETNAME]) {
796 for (i = 0; i < ip_set_max; i++)
797 if (ip_set_list[i] != NULL)
798 ip_set_flush_set(ip_set_list[i]);
799 } else {
800 i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
801 if (i == IPSET_INVALID_ID)
802 return -ENOENT;
803
804 ip_set_flush_set(ip_set_list[i]);
805 }
806
807 return 0;
808}
809
810/* Rename a set */
811
812static const struct nla_policy
813ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = {
814 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
815 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
816 .len = IPSET_MAXNAMELEN - 1 },
817 [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING,
818 .len = IPSET_MAXNAMELEN - 1 },
819};
820
821static int
822ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
823 const struct nlmsghdr *nlh,
824 const struct nlattr * const attr[])
825{
826 struct ip_set *set;
827 const char *name2;
828 ip_set_id_t i;
829
830 if (unlikely(protocol_failed(attr) ||
831 attr[IPSET_ATTR_SETNAME] == NULL ||
832 attr[IPSET_ATTR_SETNAME2] == NULL))
833 return -IPSET_ERR_PROTOCOL;
834
835 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
836 if (set == NULL)
837 return -ENOENT;
838 if (atomic_read(&set->ref) != 0)
839 return -IPSET_ERR_REFERENCED;
840
841 name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
842 for (i = 0; i < ip_set_max; i++) {
843 if (ip_set_list[i] != NULL &&
844 STREQ(ip_set_list[i]->name, name2))
845 return -IPSET_ERR_EXIST_SETNAME2;
846 }
847 strncpy(set->name, name2, IPSET_MAXNAMELEN);
848
849 return 0;
850}
851
852/* Swap two sets so that name/index points to the other.
853 * References and set names are also swapped.
854 *
855 * We are protected by the nfnl mutex and references are
856 * manipulated only by holding the mutex. The kernel interfaces
857 * do not hold the mutex but the pointer settings are atomic
858 * so the ip_set_list always contains valid pointers to the sets.
859 */
860
861static int
862ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
863 const struct nlmsghdr *nlh,
864 const struct nlattr * const attr[])
865{
866 struct ip_set *from, *to;
867 ip_set_id_t from_id, to_id;
868 char from_name[IPSET_MAXNAMELEN];
869 u32 from_ref;
870
871 if (unlikely(protocol_failed(attr) ||
872 attr[IPSET_ATTR_SETNAME] == NULL ||
873 attr[IPSET_ATTR_SETNAME2] == NULL))
874 return -IPSET_ERR_PROTOCOL;
875
876 from_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
877 if (from_id == IPSET_INVALID_ID)
878 return -ENOENT;
879
880 to_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME2]));
881 if (to_id == IPSET_INVALID_ID)
882 return -IPSET_ERR_EXIST_SETNAME2;
883
884 from = ip_set_list[from_id];
885 to = ip_set_list[to_id];
886
887 /* Features must not change.
888 * Not an artifical restriction anymore, as we must prevent
889 * possible loops created by swapping in setlist type of sets. */
890 if (!(from->type->features == to->type->features &&
891 from->type->family == to->type->family))
892 return -IPSET_ERR_TYPE_MISMATCH;
893
894 /* No magic here: ref munging protected by the nfnl_lock */
895 strncpy(from_name, from->name, IPSET_MAXNAMELEN);
896 from_ref = atomic_read(&from->ref);
897
898 strncpy(from->name, to->name, IPSET_MAXNAMELEN);
899 atomic_set(&from->ref, atomic_read(&to->ref));
900 strncpy(to->name, from_name, IPSET_MAXNAMELEN);
901 atomic_set(&to->ref, from_ref);
902
903 ip_set_list[from_id] = to;
904 ip_set_list[to_id] = from;
905
906 return 0;
907}
908
909/* List/save set data */
910
911#define DUMP_INIT 0L
912#define DUMP_ALL 1L
913#define DUMP_ONE 2L
914#define DUMP_LAST 3L
915
916static int
917ip_set_dump_done(struct netlink_callback *cb)
918{
919 if (cb->args[2]) {
920 pr_debug("release set %s\n", ip_set_list[cb->args[1]]->name);
921 __ip_set_put((ip_set_id_t) cb->args[1]);
922 }
923 return 0;
924}
925
926static inline void
927dump_attrs(struct nlmsghdr *nlh)
928{
929 const struct nlattr *attr;
930 int rem;
931
932 pr_debug("dump nlmsg\n");
933 nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) {
934 pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len);
935 }
936}
937
938static int
939dump_init(struct netlink_callback *cb)
940{
941 struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
942 int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
943 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
944 struct nlattr *attr = (void *)nlh + min_len;
945 ip_set_id_t index;
946
947 /* Second pass, so parser can't fail */
948 nla_parse(cda, IPSET_ATTR_CMD_MAX,
949 attr, nlh->nlmsg_len - min_len, ip_set_setname_policy);
950
951 /* cb->args[0] : dump single set/all sets
952 * [1] : set index
953 * [..]: type specific
954 */
955
956 if (!cda[IPSET_ATTR_SETNAME]) {
957 cb->args[0] = DUMP_ALL;
958 return 0;
959 }
960
961 index = find_set_id(nla_data(cda[IPSET_ATTR_SETNAME]));
962 if (index == IPSET_INVALID_ID)
963 return -ENOENT;
964
965 cb->args[0] = DUMP_ONE;
966 cb->args[1] = index;
967 return 0;
968}
969
970static int
971ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
972{
973 ip_set_id_t index = IPSET_INVALID_ID, max;
974 struct ip_set *set = NULL;
975 struct nlmsghdr *nlh = NULL;
976 unsigned int flags = NETLINK_CB(cb->skb).pid ? NLM_F_MULTI : 0;
977 int ret = 0;
978
979 if (cb->args[0] == DUMP_INIT) {
980 ret = dump_init(cb);
981 if (ret < 0) {
982 nlh = nlmsg_hdr(cb->skb);
983 /* We have to create and send the error message
984 * manually :-( */
985 if (nlh->nlmsg_flags & NLM_F_ACK)
986 netlink_ack(cb->skb, nlh, ret);
987 return ret;
988 }
989 }
990
991 if (cb->args[1] >= ip_set_max)
992 goto out;
993
994 pr_debug("args[0]: %ld args[1]: %ld\n", cb->args[0], cb->args[1]);
995 max = cb->args[0] == DUMP_ONE ? cb->args[1] + 1 : ip_set_max;
996 for (; cb->args[1] < max; cb->args[1]++) {
997 index = (ip_set_id_t) cb->args[1];
998 set = ip_set_list[index];
999 if (set == NULL) {
1000 if (cb->args[0] == DUMP_ONE) {
1001 ret = -ENOENT;
1002 goto out;
1003 }
1004 continue;
1005 }
1006 /* When dumping all sets, we must dump "sorted"
1007 * so that lists (unions of sets) are dumped last.
1008 */
1009 if (cb->args[0] != DUMP_ONE &&
1010 !((cb->args[0] == DUMP_ALL) ^
1011 (set->type->features & IPSET_DUMP_LAST)))
1012 continue;
1013 pr_debug("List set: %s\n", set->name);
1014 if (!cb->args[2]) {
1015 /* Start listing: make sure set won't be destroyed */
1016 pr_debug("reference set\n");
1017 __ip_set_get(index);
1018 }
1019 nlh = start_msg(skb, NETLINK_CB(cb->skb).pid,
1020 cb->nlh->nlmsg_seq, flags,
1021 IPSET_CMD_LIST);
1022 if (!nlh) {
1023 ret = -EMSGSIZE;
1024 goto release_refcount;
1025 }
1026 NLA_PUT_U8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
1027 NLA_PUT_STRING(skb, IPSET_ATTR_SETNAME, set->name);
1028 switch (cb->args[2]) {
1029 case 0:
1030 /* Core header data */
1031 NLA_PUT_STRING(skb, IPSET_ATTR_TYPENAME,
1032 set->type->name);
1033 NLA_PUT_U8(skb, IPSET_ATTR_FAMILY,
1034 set->family);
1035 NLA_PUT_U8(skb, IPSET_ATTR_REVISION,
1036 set->type->revision);
1037 ret = set->variant->head(set, skb);
1038 if (ret < 0)
1039 goto release_refcount;
1040 /* Fall through and add elements */
1041 default:
1042 read_lock_bh(&set->lock);
1043 ret = set->variant->list(set, skb, cb);
1044 read_unlock_bh(&set->lock);
1045 if (!cb->args[2]) {
1046 /* Set is done, proceed with next one */
1047 if (cb->args[0] == DUMP_ONE)
1048 cb->args[1] = IPSET_INVALID_ID;
1049 else
1050 cb->args[1]++;
1051 }
1052 goto release_refcount;
1053 }
1054 }
1055 goto out;
1056
1057nla_put_failure:
1058 ret = -EFAULT;
1059release_refcount:
1060 /* If there was an error or set is done, release set */
1061 if (ret || !cb->args[2]) {
1062 pr_debug("release set %s\n", ip_set_list[index]->name);
1063 __ip_set_put(index);
1064 }
1065
1066 /* If we dump all sets, continue with dumping last ones */
1067 if (cb->args[0] == DUMP_ALL && cb->args[1] >= max && !cb->args[2])
1068 cb->args[0] = DUMP_LAST;
1069
1070out:
1071 if (nlh) {
1072 nlmsg_end(skb, nlh);
1073 pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len);
1074 dump_attrs(nlh);
1075 }
1076
1077 return ret < 0 ? ret : skb->len;
1078}
1079
1080static int
1081ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
1082 const struct nlmsghdr *nlh,
1083 const struct nlattr * const attr[])
1084{
1085 if (unlikely(protocol_failed(attr)))
1086 return -IPSET_ERR_PROTOCOL;
1087
1088 return netlink_dump_start(ctnl, skb, nlh,
1089 ip_set_dump_start,
1090 ip_set_dump_done);
1091}
1092
1093/* Add, del and test */
1094
1095static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
1096 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1097 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1098 .len = IPSET_MAXNAMELEN - 1 },
1099 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
1100 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
1101 [IPSET_ATTR_ADT] = { .type = NLA_NESTED },
1102};
1103
1104static int
1105call_ad(struct sk_buff *skb, struct ip_set *set,
1106 struct nlattr *tb[], enum ipset_adt adt,
1107 u32 flags, bool use_lineno)
1108{
1109 int ret, retried = 0;
1110 u32 lineno = 0;
1111 bool eexist = flags & IPSET_FLAG_EXIST;
1112
1113 do {
1114 write_lock_bh(&set->lock);
1115 ret = set->variant->uadt(set, tb, adt, &lineno, flags);
1116 write_unlock_bh(&set->lock);
1117 } while (ret == -EAGAIN &&
1118 set->variant->resize &&
1119 (ret = set->variant->resize(set, retried++)) == 0);
1120
1121 if (!ret || (ret == -IPSET_ERR_EXIST && eexist))
1122 return 0;
1123 if (lineno && use_lineno) {
1124 /* Error in restore/batch mode: send back lineno */
1125 struct nlmsghdr *nlh = nlmsg_hdr(skb);
1126 int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
1127 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1128 struct nlattr *cmdattr = (void *)nlh + min_len;
1129 u32 *errline;
1130
1131 nla_parse(cda, IPSET_ATTR_CMD_MAX,
1132 cmdattr, nlh->nlmsg_len - min_len,
1133 ip_set_adt_policy);
1134
1135 errline = nla_data(cda[IPSET_ATTR_LINENO]);
1136
1137 *errline = lineno;
1138 }
1139
1140 return ret;
1141}
1142
1143static int
1144ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
1145 const struct nlmsghdr *nlh,
1146 const struct nlattr * const attr[])
1147{
1148 struct ip_set *set;
1149 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1150 const struct nlattr *nla;
1151 u32 flags = flag_exist(nlh);
1152 bool use_lineno;
1153 int ret = 0;
1154
1155 if (unlikely(protocol_failed(attr) ||
1156 attr[IPSET_ATTR_SETNAME] == NULL ||
1157 !((attr[IPSET_ATTR_DATA] != NULL) ^
1158 (attr[IPSET_ATTR_ADT] != NULL)) ||
1159 (attr[IPSET_ATTR_DATA] != NULL &&
1160 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1161 (attr[IPSET_ATTR_ADT] != NULL &&
1162 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1163 attr[IPSET_ATTR_LINENO] == NULL))))
1164 return -IPSET_ERR_PROTOCOL;
1165
1166 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1167 if (set == NULL)
1168 return -ENOENT;
1169
1170 use_lineno = !!attr[IPSET_ATTR_LINENO];
1171 if (attr[IPSET_ATTR_DATA]) {
1172 if (nla_parse(tb, IPSET_ATTR_ADT_MAX,
1173 nla_data(attr[IPSET_ATTR_DATA]),
1174 nla_len(attr[IPSET_ATTR_DATA]),
1175 set->type->adt_policy))
1176 return -IPSET_ERR_PROTOCOL;
1177 ret = call_ad(skb, set, tb, IPSET_ADD, flags, use_lineno);
1178 } else {
1179 int nla_rem;
1180
1181 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1182 memset(tb, 0, sizeof(tb));
1183 if (nla_type(nla) != IPSET_ATTR_DATA ||
1184 !flag_nested(nla) ||
1185 nla_parse(tb, IPSET_ATTR_ADT_MAX,
1186 nla_data(nla), nla_len(nla),
1187 set->type->adt_policy))
1188 return -IPSET_ERR_PROTOCOL;
1189 ret = call_ad(skb, set, tb, IPSET_ADD,
1190 flags, use_lineno);
1191 if (ret < 0)
1192 return ret;
1193 }
1194 }
1195 return ret;
1196}
1197
1198static int
1199ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
1200 const struct nlmsghdr *nlh,
1201 const struct nlattr * const attr[])
1202{
1203 struct ip_set *set;
1204 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1205 const struct nlattr *nla;
1206 u32 flags = flag_exist(nlh);
1207 bool use_lineno;
1208 int ret = 0;
1209
1210 if (unlikely(protocol_failed(attr) ||
1211 attr[IPSET_ATTR_SETNAME] == NULL ||
1212 !((attr[IPSET_ATTR_DATA] != NULL) ^
1213 (attr[IPSET_ATTR_ADT] != NULL)) ||
1214 (attr[IPSET_ATTR_DATA] != NULL &&
1215 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1216 (attr[IPSET_ATTR_ADT] != NULL &&
1217 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1218 attr[IPSET_ATTR_LINENO] == NULL))))
1219 return -IPSET_ERR_PROTOCOL;
1220
1221 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1222 if (set == NULL)
1223 return -ENOENT;
1224
1225 use_lineno = !!attr[IPSET_ATTR_LINENO];
1226 if (attr[IPSET_ATTR_DATA]) {
1227 if (nla_parse(tb, IPSET_ATTR_ADT_MAX,
1228 nla_data(attr[IPSET_ATTR_DATA]),
1229 nla_len(attr[IPSET_ATTR_DATA]),
1230 set->type->adt_policy))
1231 return -IPSET_ERR_PROTOCOL;
1232 ret = call_ad(skb, set, tb, IPSET_DEL, flags, use_lineno);
1233 } else {
1234 int nla_rem;
1235
1236 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1237 memset(tb, 0, sizeof(*tb));
1238 if (nla_type(nla) != IPSET_ATTR_DATA ||
1239 !flag_nested(nla) ||
1240 nla_parse(tb, IPSET_ATTR_ADT_MAX,
1241 nla_data(nla), nla_len(nla),
1242 set->type->adt_policy))
1243 return -IPSET_ERR_PROTOCOL;
1244 ret = call_ad(skb, set, tb, IPSET_DEL,
1245 flags, use_lineno);
1246 if (ret < 0)
1247 return ret;
1248 }
1249 }
1250 return ret;
1251}
1252
1253static int
1254ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
1255 const struct nlmsghdr *nlh,
1256 const struct nlattr * const attr[])
1257{
1258 struct ip_set *set;
1259 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1260 int ret = 0;
1261
1262 if (unlikely(protocol_failed(attr) ||
1263 attr[IPSET_ATTR_SETNAME] == NULL ||
1264 attr[IPSET_ATTR_DATA] == NULL ||
1265 !flag_nested(attr[IPSET_ATTR_DATA])))
1266 return -IPSET_ERR_PROTOCOL;
1267
1268 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1269 if (set == NULL)
1270 return -ENOENT;
1271
1272 if (nla_parse(tb, IPSET_ATTR_ADT_MAX,
1273 nla_data(attr[IPSET_ATTR_DATA]),
1274 nla_len(attr[IPSET_ATTR_DATA]),
1275 set->type->adt_policy))
1276 return -IPSET_ERR_PROTOCOL;
1277
1278 read_lock_bh(&set->lock);
1279 ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0);
1280 read_unlock_bh(&set->lock);
1281 /* Userspace can't trigger element to be re-added */
1282 if (ret == -EAGAIN)
1283 ret = 1;
1284
1285 return ret < 0 ? ret : ret > 0 ? 0 : -IPSET_ERR_EXIST;
1286}
1287
1288/* Get headed data of a set */
1289
1290static int
1291ip_set_header(struct sock *ctnl, struct sk_buff *skb,
1292 const struct nlmsghdr *nlh,
1293 const struct nlattr * const attr[])
1294{
1295 const struct ip_set *set;
1296 struct sk_buff *skb2;
1297 struct nlmsghdr *nlh2;
1298 ip_set_id_t index;
1299 int ret = 0;
1300
1301 if (unlikely(protocol_failed(attr) ||
1302 attr[IPSET_ATTR_SETNAME] == NULL))
1303 return -IPSET_ERR_PROTOCOL;
1304
1305 index = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
1306 if (index == IPSET_INVALID_ID)
1307 return -ENOENT;
1308 set = ip_set_list[index];
1309
1310 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1311 if (skb2 == NULL)
1312 return -ENOMEM;
1313
1314 nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0,
1315 IPSET_CMD_HEADER);
1316 if (!nlh2)
1317 goto nlmsg_failure;
1318 NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
1319 NLA_PUT_STRING(skb2, IPSET_ATTR_SETNAME, set->name);
1320 NLA_PUT_STRING(skb2, IPSET_ATTR_TYPENAME, set->type->name);
1321 NLA_PUT_U8(skb2, IPSET_ATTR_FAMILY, set->family);
1322 NLA_PUT_U8(skb2, IPSET_ATTR_REVISION, set->type->revision);
1323 nlmsg_end(skb2, nlh2);
1324
1325 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1326 if (ret < 0)
1327 return ret;
1328
1329 return 0;
1330
1331nla_put_failure:
1332 nlmsg_cancel(skb2, nlh2);
1333nlmsg_failure:
1334 kfree_skb(skb2);
1335 return -EMSGSIZE;
1336}
1337
1338/* Get type data */
1339
1340static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = {
1341 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1342 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
1343 .len = IPSET_MAXNAMELEN - 1 },
1344 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
1345};
1346
1347static int
1348ip_set_type(struct sock *ctnl, struct sk_buff *skb,
1349 const struct nlmsghdr *nlh,
1350 const struct nlattr * const attr[])
1351{
1352 struct sk_buff *skb2;
1353 struct nlmsghdr *nlh2;
1354 u8 family, min, max;
1355 const char *typename;
1356 int ret = 0;
1357
1358 if (unlikely(protocol_failed(attr) ||
1359 attr[IPSET_ATTR_TYPENAME] == NULL ||
1360 attr[IPSET_ATTR_FAMILY] == NULL))
1361 return -IPSET_ERR_PROTOCOL;
1362
1363 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
1364 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
1365 ret = find_set_type_minmax(typename, family, &min, &max);
1366 if (ret)
1367 return ret;
1368
1369 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1370 if (skb2 == NULL)
1371 return -ENOMEM;
1372
1373 nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0,
1374 IPSET_CMD_TYPE);
1375 if (!nlh2)
1376 goto nlmsg_failure;
1377 NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
1378 NLA_PUT_STRING(skb2, IPSET_ATTR_TYPENAME, typename);
1379 NLA_PUT_U8(skb2, IPSET_ATTR_FAMILY, family);
1380 NLA_PUT_U8(skb2, IPSET_ATTR_REVISION, max);
1381 NLA_PUT_U8(skb2, IPSET_ATTR_REVISION_MIN, min);
1382 nlmsg_end(skb2, nlh2);
1383
1384 pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len);
1385 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1386 if (ret < 0)
1387 return ret;
1388
1389 return 0;
1390
1391nla_put_failure:
1392 nlmsg_cancel(skb2, nlh2);
1393nlmsg_failure:
1394 kfree_skb(skb2);
1395 return -EMSGSIZE;
1396}
1397
1398/* Get protocol version */
1399
1400static const struct nla_policy
1401ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = {
1402 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1403};
1404
1405static int
1406ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
1407 const struct nlmsghdr *nlh,
1408 const struct nlattr * const attr[])
1409{
1410 struct sk_buff *skb2;
1411 struct nlmsghdr *nlh2;
1412 int ret = 0;
1413
1414 if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL))
1415 return -IPSET_ERR_PROTOCOL;
1416
1417 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1418 if (skb2 == NULL)
1419 return -ENOMEM;
1420
1421 nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0,
1422 IPSET_CMD_PROTOCOL);
1423 if (!nlh2)
1424 goto nlmsg_failure;
1425 NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
1426 nlmsg_end(skb2, nlh2);
1427
1428 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1429 if (ret < 0)
1430 return ret;
1431
1432 return 0;
1433
1434nla_put_failure:
1435 nlmsg_cancel(skb2, nlh2);
1436nlmsg_failure:
1437 kfree_skb(skb2);
1438 return -EMSGSIZE;
1439}
1440
1441static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
1442 [IPSET_CMD_CREATE] = {
1443 .call = ip_set_create,
1444 .attr_count = IPSET_ATTR_CMD_MAX,
1445 .policy = ip_set_create_policy,
1446 },
1447 [IPSET_CMD_DESTROY] = {
1448 .call = ip_set_destroy,
1449 .attr_count = IPSET_ATTR_CMD_MAX,
1450 .policy = ip_set_setname_policy,
1451 },
1452 [IPSET_CMD_FLUSH] = {
1453 .call = ip_set_flush,
1454 .attr_count = IPSET_ATTR_CMD_MAX,
1455 .policy = ip_set_setname_policy,
1456 },
1457 [IPSET_CMD_RENAME] = {
1458 .call = ip_set_rename,
1459 .attr_count = IPSET_ATTR_CMD_MAX,
1460 .policy = ip_set_setname2_policy,
1461 },
1462 [IPSET_CMD_SWAP] = {
1463 .call = ip_set_swap,
1464 .attr_count = IPSET_ATTR_CMD_MAX,
1465 .policy = ip_set_setname2_policy,
1466 },
1467 [IPSET_CMD_LIST] = {
1468 .call = ip_set_dump,
1469 .attr_count = IPSET_ATTR_CMD_MAX,
1470 .policy = ip_set_setname_policy,
1471 },
1472 [IPSET_CMD_SAVE] = {
1473 .call = ip_set_dump,
1474 .attr_count = IPSET_ATTR_CMD_MAX,
1475 .policy = ip_set_setname_policy,
1476 },
1477 [IPSET_CMD_ADD] = {
1478 .call = ip_set_uadd,
1479 .attr_count = IPSET_ATTR_CMD_MAX,
1480 .policy = ip_set_adt_policy,
1481 },
1482 [IPSET_CMD_DEL] = {
1483 .call = ip_set_udel,
1484 .attr_count = IPSET_ATTR_CMD_MAX,
1485 .policy = ip_set_adt_policy,
1486 },
1487 [IPSET_CMD_TEST] = {
1488 .call = ip_set_utest,
1489 .attr_count = IPSET_ATTR_CMD_MAX,
1490 .policy = ip_set_adt_policy,
1491 },
1492 [IPSET_CMD_HEADER] = {
1493 .call = ip_set_header,
1494 .attr_count = IPSET_ATTR_CMD_MAX,
1495 .policy = ip_set_setname_policy,
1496 },
1497 [IPSET_CMD_TYPE] = {
1498 .call = ip_set_type,
1499 .attr_count = IPSET_ATTR_CMD_MAX,
1500 .policy = ip_set_type_policy,
1501 },
1502 [IPSET_CMD_PROTOCOL] = {
1503 .call = ip_set_protocol,
1504 .attr_count = IPSET_ATTR_CMD_MAX,
1505 .policy = ip_set_protocol_policy,
1506 },
1507};
1508
1509static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = {
1510 .name = "ip_set",
1511 .subsys_id = NFNL_SUBSYS_IPSET,
1512 .cb_count = IPSET_MSG_MAX,
1513 .cb = ip_set_netlink_subsys_cb,
1514};
1515
1516/* Interface to iptables/ip6tables */
1517
1518static int
1519ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
1520{
1521 unsigned *op;
1522 void *data;
1523 int copylen = *len, ret = 0;
1524
1525 if (!capable(CAP_NET_ADMIN))
1526 return -EPERM;
1527 if (optval != SO_IP_SET)
1528 return -EBADF;
1529 if (*len < sizeof(unsigned))
1530 return -EINVAL;
1531
1532 data = vmalloc(*len);
1533 if (!data)
1534 return -ENOMEM;
1535 if (copy_from_user(data, user, *len) != 0) {
1536 ret = -EFAULT;
1537 goto done;
1538 }
1539 op = (unsigned *) data;
1540
1541 if (*op < IP_SET_OP_VERSION) {
1542 /* Check the version at the beginning of operations */
1543 struct ip_set_req_version *req_version = data;
1544 if (req_version->version != IPSET_PROTOCOL) {
1545 ret = -EPROTO;
1546 goto done;
1547 }
1548 }
1549
1550 switch (*op) {
1551 case IP_SET_OP_VERSION: {
1552 struct ip_set_req_version *req_version = data;
1553
1554 if (*len != sizeof(struct ip_set_req_version)) {
1555 ret = -EINVAL;
1556 goto done;
1557 }
1558
1559 req_version->version = IPSET_PROTOCOL;
1560 ret = copy_to_user(user, req_version,
1561 sizeof(struct ip_set_req_version));
1562 goto done;
1563 }
1564 case IP_SET_OP_GET_BYNAME: {
1565 struct ip_set_req_get_set *req_get = data;
1566
1567 if (*len != sizeof(struct ip_set_req_get_set)) {
1568 ret = -EINVAL;
1569 goto done;
1570 }
1571 req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
1572 nfnl_lock();
1573 req_get->set.index = find_set_id(req_get->set.name);
1574 nfnl_unlock();
1575 goto copy;
1576 }
1577 case IP_SET_OP_GET_BYINDEX: {
1578 struct ip_set_req_get_set *req_get = data;
1579
1580 if (*len != sizeof(struct ip_set_req_get_set) ||
1581 req_get->set.index >= ip_set_max) {
1582 ret = -EINVAL;
1583 goto done;
1584 }
1585 nfnl_lock();
1586 strncpy(req_get->set.name,
1587 ip_set_list[req_get->set.index]
1588 ? ip_set_list[req_get->set.index]->name : "",
1589 IPSET_MAXNAMELEN);
1590 nfnl_unlock();
1591 goto copy;
1592 }
1593 default:
1594 ret = -EBADMSG;
1595 goto done;
1596 } /* end of switch(op) */
1597
1598copy:
1599 ret = copy_to_user(user, data, copylen);
1600
1601done:
1602 vfree(data);
1603 if (ret > 0)
1604 ret = 0;
1605 return ret;
1606}
1607
1608static struct nf_sockopt_ops so_set __read_mostly = {
1609 .pf = PF_INET,
1610 .get_optmin = SO_IP_SET,
1611 .get_optmax = SO_IP_SET + 1,
1612 .get = &ip_set_sockfn_get,
1613 .owner = THIS_MODULE,
1614};
1615
1616static int __init
1617ip_set_init(void)
1618{
1619 int ret;
1620
1621 if (max_sets)
1622 ip_set_max = max_sets;
1623 if (ip_set_max >= IPSET_INVALID_ID)
1624 ip_set_max = IPSET_INVALID_ID - 1;
1625
1626 ip_set_list = kzalloc(sizeof(struct ip_set *) * ip_set_max,
1627 GFP_KERNEL);
1628 if (!ip_set_list) {
1629 pr_err("ip_set: Unable to create ip_set_list\n");
1630 return -ENOMEM;
1631 }
1632
1633 ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
1634 if (ret != 0) {
1635 pr_err("ip_set: cannot register with nfnetlink.\n");
1636 kfree(ip_set_list);
1637 return ret;
1638 }
1639 ret = nf_register_sockopt(&so_set);
1640 if (ret != 0) {
1641 pr_err("SO_SET registry failed: %d\n", ret);
1642 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1643 kfree(ip_set_list);
1644 return ret;
1645 }
1646
1647 pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL);
1648 return 0;
1649}
1650
1651static void __exit
1652ip_set_fini(void)
1653{
1654 /* There can't be any existing set */
1655 nf_unregister_sockopt(&so_set);
1656 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1657 kfree(ip_set_list);
1658 pr_debug("these are the famous last words\n");
1659}
1660
1661module_init(ip_set_init);
1662module_exit(ip_set_fini);
diff --git a/net/netfilter/ipset/ip_set_getport.c b/net/netfilter/ipset/ip_set_getport.c
new file mode 100644
index 000000000000..76737bba28ee
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_getport.c
@@ -0,0 +1,136 @@
1/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
2 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License version 2 as
5 * published by the Free Software Foundation.
6 */
7
8/* Get Layer-4 data from the packets */
9
10#include <linux/ip.h>
11#include <linux/skbuff.h>
12#include <linux/icmp.h>
13#include <linux/icmpv6.h>
14#include <linux/netfilter_ipv6/ip6_tables.h>
15#include <net/ip.h>
16
17#include <linux/netfilter/ipset/ip_set_getport.h>
18
19/* We must handle non-linear skbs */
20static bool
21get_port(const struct sk_buff *skb, int protocol, unsigned int protooff,
22 bool src, __be16 *port, u8 *proto)
23{
24 switch (protocol) {
25 case IPPROTO_TCP: {
26 struct tcphdr _tcph;
27 const struct tcphdr *th;
28
29 th = skb_header_pointer(skb, protooff, sizeof(_tcph), &_tcph);
30 if (th == NULL)
31 /* No choice either */
32 return false;
33
34 *port = src ? th->source : th->dest;
35 break;
36 }
37 case IPPROTO_UDP: {
38 struct udphdr _udph;
39 const struct udphdr *uh;
40
41 uh = skb_header_pointer(skb, protooff, sizeof(_udph), &_udph);
42 if (uh == NULL)
43 /* No choice either */
44 return false;
45
46 *port = src ? uh->source : uh->dest;
47 break;
48 }
49 case IPPROTO_ICMP: {
50 struct icmphdr _ich;
51 const struct icmphdr *ic;
52
53 ic = skb_header_pointer(skb, protooff, sizeof(_ich), &_ich);
54 if (ic == NULL)
55 return false;
56
57 *port = (__force __be16)htons((ic->type << 8) | ic->code);
58 break;
59 }
60 case IPPROTO_ICMPV6: {
61 struct icmp6hdr _ich;
62 const struct icmp6hdr *ic;
63
64 ic = skb_header_pointer(skb, protooff, sizeof(_ich), &_ich);
65 if (ic == NULL)
66 return false;
67
68 *port = (__force __be16)
69 htons((ic->icmp6_type << 8) | ic->icmp6_code);
70 break;
71 }
72 default:
73 break;
74 }
75 *proto = protocol;
76
77 return true;
78}
79
80bool
81ip_set_get_ip4_port(const struct sk_buff *skb, bool src,
82 __be16 *port, u8 *proto)
83{
84 const struct iphdr *iph = ip_hdr(skb);
85 unsigned int protooff = ip_hdrlen(skb);
86 int protocol = iph->protocol;
87
88 /* See comments at tcp_match in ip_tables.c */
89 if (protocol <= 0 || (ntohs(iph->frag_off) & IP_OFFSET))
90 return false;
91
92 return get_port(skb, protocol, protooff, src, port, proto);
93}
94EXPORT_SYMBOL_GPL(ip_set_get_ip4_port);
95
96bool
97ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
98 __be16 *port, u8 *proto)
99{
100 unsigned int protooff = 0;
101 int protocol;
102 unsigned short fragoff;
103
104 protocol = ipv6_find_hdr(skb, &protooff, -1, &fragoff);
105 if (protocol <= 0 || fragoff)
106 return false;
107
108 return get_port(skb, protocol, protooff, src, port, proto);
109}
110EXPORT_SYMBOL_GPL(ip_set_get_ip6_port);
111
112bool
113ip_set_get_ip_port(const struct sk_buff *skb, u8 pf, bool src, __be16 *port)
114{
115 bool ret;
116 u8 proto;
117
118 switch (pf) {
119 case AF_INET:
120 ret = ip_set_get_ip4_port(skb, src, port, &proto);
121 case AF_INET6:
122 ret = ip_set_get_ip6_port(skb, src, port, &proto);
123 default:
124 return false;
125 }
126 if (!ret)
127 return ret;
128 switch (proto) {
129 case IPPROTO_TCP:
130 case IPPROTO_UDP:
131 return true;
132 default:
133 return false;
134 }
135}
136EXPORT_SYMBOL_GPL(ip_set_get_ip_port);
diff --git a/net/netfilter/ipset/pfxlen.c b/net/netfilter/ipset/pfxlen.c
new file mode 100644
index 000000000000..23f8c8162214
--- /dev/null
+++ b/net/netfilter/ipset/pfxlen.c
@@ -0,0 +1,291 @@
1#include <linux/netfilter/ipset/pfxlen.h>
2
3/*
4 * Prefixlen maps for fast conversions, by Jan Engelhardt.
5 */
6
7#define E(a, b, c, d) \
8 {.ip6 = { \
9 __constant_htonl(a), __constant_htonl(b), \
10 __constant_htonl(c), __constant_htonl(d), \
11 } }
12
13/*
14 * This table works for both IPv4 and IPv6;
15 * just use prefixlen_netmask_map[prefixlength].ip.
16 */
17const union nf_inet_addr ip_set_netmask_map[] = {
18 E(0x00000000, 0x00000000, 0x00000000, 0x00000000),
19 E(0x80000000, 0x00000000, 0x00000000, 0x00000000),
20 E(0xC0000000, 0x00000000, 0x00000000, 0x00000000),
21 E(0xE0000000, 0x00000000, 0x00000000, 0x00000000),
22 E(0xF0000000, 0x00000000, 0x00000000, 0x00000000),
23 E(0xF8000000, 0x00000000, 0x00000000, 0x00000000),
24 E(0xFC000000, 0x00000000, 0x00000000, 0x00000000),
25 E(0xFE000000, 0x00000000, 0x00000000, 0x00000000),
26 E(0xFF000000, 0x00000000, 0x00000000, 0x00000000),
27 E(0xFF800000, 0x00000000, 0x00000000, 0x00000000),
28 E(0xFFC00000, 0x00000000, 0x00000000, 0x00000000),
29 E(0xFFE00000, 0x00000000, 0x00000000, 0x00000000),
30 E(0xFFF00000, 0x00000000, 0x00000000, 0x00000000),
31 E(0xFFF80000, 0x00000000, 0x00000000, 0x00000000),
32 E(0xFFFC0000, 0x00000000, 0x00000000, 0x00000000),
33 E(0xFFFE0000, 0x00000000, 0x00000000, 0x00000000),
34 E(0xFFFF0000, 0x00000000, 0x00000000, 0x00000000),
35 E(0xFFFF8000, 0x00000000, 0x00000000, 0x00000000),
36 E(0xFFFFC000, 0x00000000, 0x00000000, 0x00000000),
37 E(0xFFFFE000, 0x00000000, 0x00000000, 0x00000000),
38 E(0xFFFFF000, 0x00000000, 0x00000000, 0x00000000),
39 E(0xFFFFF800, 0x00000000, 0x00000000, 0x00000000),
40 E(0xFFFFFC00, 0x00000000, 0x00000000, 0x00000000),
41 E(0xFFFFFE00, 0x00000000, 0x00000000, 0x00000000),
42 E(0xFFFFFF00, 0x00000000, 0x00000000, 0x00000000),
43 E(0xFFFFFF80, 0x00000000, 0x00000000, 0x00000000),
44 E(0xFFFFFFC0, 0x00000000, 0x00000000, 0x00000000),
45 E(0xFFFFFFE0, 0x00000000, 0x00000000, 0x00000000),
46 E(0xFFFFFFF0, 0x00000000, 0x00000000, 0x00000000),
47 E(0xFFFFFFF8, 0x00000000, 0x00000000, 0x00000000),
48 E(0xFFFFFFFC, 0x00000000, 0x00000000, 0x00000000),
49 E(0xFFFFFFFE, 0x00000000, 0x00000000, 0x00000000),
50 E(0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000),
51 E(0xFFFFFFFF, 0x80000000, 0x00000000, 0x00000000),
52 E(0xFFFFFFFF, 0xC0000000, 0x00000000, 0x00000000),
53 E(0xFFFFFFFF, 0xE0000000, 0x00000000, 0x00000000),
54 E(0xFFFFFFFF, 0xF0000000, 0x00000000, 0x00000000),
55 E(0xFFFFFFFF, 0xF8000000, 0x00000000, 0x00000000),
56 E(0xFFFFFFFF, 0xFC000000, 0x00000000, 0x00000000),
57 E(0xFFFFFFFF, 0xFE000000, 0x00000000, 0x00000000),
58 E(0xFFFFFFFF, 0xFF000000, 0x00000000, 0x00000000),
59 E(0xFFFFFFFF, 0xFF800000, 0x00000000, 0x00000000),
60 E(0xFFFFFFFF, 0xFFC00000, 0x00000000, 0x00000000),
61 E(0xFFFFFFFF, 0xFFE00000, 0x00000000, 0x00000000),
62 E(0xFFFFFFFF, 0xFFF00000, 0x00000000, 0x00000000),
63 E(0xFFFFFFFF, 0xFFF80000, 0x00000000, 0x00000000),
64 E(0xFFFFFFFF, 0xFFFC0000, 0x00000000, 0x00000000),
65 E(0xFFFFFFFF, 0xFFFE0000, 0x00000000, 0x00000000),
66 E(0xFFFFFFFF, 0xFFFF0000, 0x00000000, 0x00000000),
67 E(0xFFFFFFFF, 0xFFFF8000, 0x00000000, 0x00000000),
68 E(0xFFFFFFFF, 0xFFFFC000, 0x00000000, 0x00000000),
69 E(0xFFFFFFFF, 0xFFFFE000, 0x00000000, 0x00000000),
70 E(0xFFFFFFFF, 0xFFFFF000, 0x00000000, 0x00000000),
71 E(0xFFFFFFFF, 0xFFFFF800, 0x00000000, 0x00000000),
72 E(0xFFFFFFFF, 0xFFFFFC00, 0x00000000, 0x00000000),
73 E(0xFFFFFFFF, 0xFFFFFE00, 0x00000000, 0x00000000),
74 E(0xFFFFFFFF, 0xFFFFFF00, 0x00000000, 0x00000000),
75 E(0xFFFFFFFF, 0xFFFFFF80, 0x00000000, 0x00000000),
76 E(0xFFFFFFFF, 0xFFFFFFC0, 0x00000000, 0x00000000),
77 E(0xFFFFFFFF, 0xFFFFFFE0, 0x00000000, 0x00000000),
78 E(0xFFFFFFFF, 0xFFFFFFF0, 0x00000000, 0x00000000),
79 E(0xFFFFFFFF, 0xFFFFFFF8, 0x00000000, 0x00000000),
80 E(0xFFFFFFFF, 0xFFFFFFFC, 0x00000000, 0x00000000),
81 E(0xFFFFFFFF, 0xFFFFFFFE, 0x00000000, 0x00000000),
82 E(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000),
83 E(0xFFFFFFFF, 0xFFFFFFFF, 0x80000000, 0x00000000),
84 E(0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000, 0x00000000),
85 E(0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000, 0x00000000),
86 E(0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000, 0x00000000),
87 E(0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000, 0x00000000),
88 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000, 0x00000000),
89 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000, 0x00000000),
90 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000, 0x00000000),
91 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000, 0x00000000),
92 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000, 0x00000000),
93 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000, 0x00000000),
94 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000, 0x00000000),
95 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000, 0x00000000),
96 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000, 0x00000000),
97 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000, 0x00000000),
98 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000, 0x00000000),
99 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000, 0x00000000),
100 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000, 0x00000000),
101 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000, 0x00000000),
102 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000, 0x00000000),
103 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800, 0x00000000),
104 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00, 0x00000000),
105 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00, 0x00000000),
106 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00, 0x00000000),
107 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80, 0x00000000),
108 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0, 0x00000000),
109 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0, 0x00000000),
110 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0, 0x00000000),
111 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8, 0x00000000),
112 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC, 0x00000000),
113 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000000),
114 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000),
115 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x80000000),
116 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000),
117 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000),
118 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000),
119 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000),
120 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000),
121 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000),
122 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000),
123 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000),
124 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000),
125 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000),
126 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000),
127 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000),
128 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000),
129 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000),
130 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000),
131 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000),
132 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000),
133 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000),
134 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000),
135 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800),
136 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00),
137 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00),
138 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00),
139 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80),
140 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0),
141 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0),
142 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0),
143 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8),
144 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC),
145 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE),
146 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF),
147};
148EXPORT_SYMBOL_GPL(ip_set_netmask_map);
149
150#undef E
151#define E(a, b, c, d) \
152 {.ip6 = { (__force __be32) a, (__force __be32) b, \
153 (__force __be32) c, (__force __be32) d, \
154 } }
155
156/*
157 * This table works for both IPv4 and IPv6;
158 * just use prefixlen_hostmask_map[prefixlength].ip.
159 */
160const union nf_inet_addr ip_set_hostmask_map[] = {
161 E(0x00000000, 0x00000000, 0x00000000, 0x00000000),
162 E(0x80000000, 0x00000000, 0x00000000, 0x00000000),
163 E(0xC0000000, 0x00000000, 0x00000000, 0x00000000),
164 E(0xE0000000, 0x00000000, 0x00000000, 0x00000000),
165 E(0xF0000000, 0x00000000, 0x00000000, 0x00000000),
166 E(0xF8000000, 0x00000000, 0x00000000, 0x00000000),
167 E(0xFC000000, 0x00000000, 0x00000000, 0x00000000),
168 E(0xFE000000, 0x00000000, 0x00000000, 0x00000000),
169 E(0xFF000000, 0x00000000, 0x00000000, 0x00000000),
170 E(0xFF800000, 0x00000000, 0x00000000, 0x00000000),
171 E(0xFFC00000, 0x00000000, 0x00000000, 0x00000000),
172 E(0xFFE00000, 0x00000000, 0x00000000, 0x00000000),
173 E(0xFFF00000, 0x00000000, 0x00000000, 0x00000000),
174 E(0xFFF80000, 0x00000000, 0x00000000, 0x00000000),
175 E(0xFFFC0000, 0x00000000, 0x00000000, 0x00000000),
176 E(0xFFFE0000, 0x00000000, 0x00000000, 0x00000000),
177 E(0xFFFF0000, 0x00000000, 0x00000000, 0x00000000),
178 E(0xFFFF8000, 0x00000000, 0x00000000, 0x00000000),
179 E(0xFFFFC000, 0x00000000, 0x00000000, 0x00000000),
180 E(0xFFFFE000, 0x00000000, 0x00000000, 0x00000000),
181 E(0xFFFFF000, 0x00000000, 0x00000000, 0x00000000),
182 E(0xFFFFF800, 0x00000000, 0x00000000, 0x00000000),
183 E(0xFFFFFC00, 0x00000000, 0x00000000, 0x00000000),
184 E(0xFFFFFE00, 0x00000000, 0x00000000, 0x00000000),
185 E(0xFFFFFF00, 0x00000000, 0x00000000, 0x00000000),
186 E(0xFFFFFF80, 0x00000000, 0x00000000, 0x00000000),
187 E(0xFFFFFFC0, 0x00000000, 0x00000000, 0x00000000),
188 E(0xFFFFFFE0, 0x00000000, 0x00000000, 0x00000000),
189 E(0xFFFFFFF0, 0x00000000, 0x00000000, 0x00000000),
190 E(0xFFFFFFF8, 0x00000000, 0x00000000, 0x00000000),
191 E(0xFFFFFFFC, 0x00000000, 0x00000000, 0x00000000),
192 E(0xFFFFFFFE, 0x00000000, 0x00000000, 0x00000000),
193 E(0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000),
194 E(0xFFFFFFFF, 0x80000000, 0x00000000, 0x00000000),
195 E(0xFFFFFFFF, 0xC0000000, 0x00000000, 0x00000000),
196 E(0xFFFFFFFF, 0xE0000000, 0x00000000, 0x00000000),
197 E(0xFFFFFFFF, 0xF0000000, 0x00000000, 0x00000000),
198 E(0xFFFFFFFF, 0xF8000000, 0x00000000, 0x00000000),
199 E(0xFFFFFFFF, 0xFC000000, 0x00000000, 0x00000000),
200 E(0xFFFFFFFF, 0xFE000000, 0x00000000, 0x00000000),
201 E(0xFFFFFFFF, 0xFF000000, 0x00000000, 0x00000000),
202 E(0xFFFFFFFF, 0xFF800000, 0x00000000, 0x00000000),
203 E(0xFFFFFFFF, 0xFFC00000, 0x00000000, 0x00000000),
204 E(0xFFFFFFFF, 0xFFE00000, 0x00000000, 0x00000000),
205 E(0xFFFFFFFF, 0xFFF00000, 0x00000000, 0x00000000),
206 E(0xFFFFFFFF, 0xFFF80000, 0x00000000, 0x00000000),
207 E(0xFFFFFFFF, 0xFFFC0000, 0x00000000, 0x00000000),
208 E(0xFFFFFFFF, 0xFFFE0000, 0x00000000, 0x00000000),
209 E(0xFFFFFFFF, 0xFFFF0000, 0x00000000, 0x00000000),
210 E(0xFFFFFFFF, 0xFFFF8000, 0x00000000, 0x00000000),
211 E(0xFFFFFFFF, 0xFFFFC000, 0x00000000, 0x00000000),
212 E(0xFFFFFFFF, 0xFFFFE000, 0x00000000, 0x00000000),
213 E(0xFFFFFFFF, 0xFFFFF000, 0x00000000, 0x00000000),
214 E(0xFFFFFFFF, 0xFFFFF800, 0x00000000, 0x00000000),
215 E(0xFFFFFFFF, 0xFFFFFC00, 0x00000000, 0x00000000),
216 E(0xFFFFFFFF, 0xFFFFFE00, 0x00000000, 0x00000000),
217 E(0xFFFFFFFF, 0xFFFFFF00, 0x00000000, 0x00000000),
218 E(0xFFFFFFFF, 0xFFFFFF80, 0x00000000, 0x00000000),
219 E(0xFFFFFFFF, 0xFFFFFFC0, 0x00000000, 0x00000000),
220 E(0xFFFFFFFF, 0xFFFFFFE0, 0x00000000, 0x00000000),
221 E(0xFFFFFFFF, 0xFFFFFFF0, 0x00000000, 0x00000000),
222 E(0xFFFFFFFF, 0xFFFFFFF8, 0x00000000, 0x00000000),
223 E(0xFFFFFFFF, 0xFFFFFFFC, 0x00000000, 0x00000000),
224 E(0xFFFFFFFF, 0xFFFFFFFE, 0x00000000, 0x00000000),
225 E(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000),
226 E(0xFFFFFFFF, 0xFFFFFFFF, 0x80000000, 0x00000000),
227 E(0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000, 0x00000000),
228 E(0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000, 0x00000000),
229 E(0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000, 0x00000000),
230 E(0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000, 0x00000000),
231 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000, 0x00000000),
232 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000, 0x00000000),
233 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000, 0x00000000),
234 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000, 0x00000000),
235 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000, 0x00000000),
236 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000, 0x00000000),
237 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000, 0x00000000),
238 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000, 0x00000000),
239 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000, 0x00000000),
240 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000, 0x00000000),
241 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000, 0x00000000),
242 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000, 0x00000000),
243 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000, 0x00000000),
244 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000, 0x00000000),
245 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000, 0x00000000),
246 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800, 0x00000000),
247 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00, 0x00000000),
248 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00, 0x00000000),
249 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00, 0x00000000),
250 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80, 0x00000000),
251 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0, 0x00000000),
252 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0, 0x00000000),
253 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0, 0x00000000),
254 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8, 0x00000000),
255 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC, 0x00000000),
256 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000000),
257 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000),
258 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x80000000),
259 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000),
260 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000),
261 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000),
262 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000),
263 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000),
264 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000),
265 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000),
266 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000),
267 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000),
268 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000),
269 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000),
270 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000),
271 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000),
272 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000),
273 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000),
274 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000),
275 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000),
276 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000),
277 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000),
278 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800),
279 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00),
280 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00),
281 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00),
282 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80),
283 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0),
284 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0),
285 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0),
286 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8),
287 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC),
288 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE),
289 E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF),
290};
291EXPORT_SYMBOL_GPL(ip_set_hostmask_map);