diff options
-rw-r--r-- | include/linux/netfilter/ipset/ip_set.h | 452 | ||||
-rw-r--r-- | include/linux/netfilter/ipset/ip_set_getport.h | 11 | ||||
-rw-r--r-- | include/linux/netfilter/ipset/pfxlen.h | 35 | ||||
-rw-r--r-- | net/netfilter/Kconfig | 2 | ||||
-rw-r--r-- | net/netfilter/Makefile | 3 | ||||
-rw-r--r-- | net/netfilter/ipset/Kconfig | 26 | ||||
-rw-r--r-- | net/netfilter/ipset/Makefile | 8 | ||||
-rw-r--r-- | net/netfilter/ipset/ip_set_core.c | 1662 | ||||
-rw-r--r-- | net/netfilter/ipset/ip_set_getport.c | 136 | ||||
-rw-r--r-- | net/netfilter/ipset/pfxlen.c | 291 |
10 files changed, 2626 insertions, 0 deletions
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h new file mode 100644 index 000000000000..ec333d83f3b4 --- /dev/null +++ b/include/linux/netfilter/ipset/ip_set.h | |||
@@ -0,0 +1,452 @@ | |||
1 | #ifndef _IP_SET_H | ||
2 | #define _IP_SET_H | ||
3 | |||
4 | /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> | ||
5 | * Patrick Schaaf <bof@bof.de> | ||
6 | * Martin Josefsson <gandalf@wlug.westbo.se> | ||
7 | * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | ||
8 | * | ||
9 | * This program is free software; you can redistribute it and/or modify | ||
10 | * it under the terms of the GNU General Public License version 2 as | ||
11 | * published by the Free Software Foundation. | ||
12 | */ | ||
13 | |||
14 | /* The protocol version */ | ||
15 | #define IPSET_PROTOCOL 6 | ||
16 | |||
17 | /* The max length of strings including NUL: set and type identifiers */ | ||
18 | #define IPSET_MAXNAMELEN 32 | ||
19 | |||
20 | /* Message types and commands */ | ||
21 | enum ipset_cmd { | ||
22 | IPSET_CMD_NONE, | ||
23 | IPSET_CMD_PROTOCOL, /* 1: Return protocol version */ | ||
24 | IPSET_CMD_CREATE, /* 2: Create a new (empty) set */ | ||
25 | IPSET_CMD_DESTROY, /* 3: Destroy a (empty) set */ | ||
26 | IPSET_CMD_FLUSH, /* 4: Remove all elements from a set */ | ||
27 | IPSET_CMD_RENAME, /* 5: Rename a set */ | ||
28 | IPSET_CMD_SWAP, /* 6: Swap two sets */ | ||
29 | IPSET_CMD_LIST, /* 7: List sets */ | ||
30 | IPSET_CMD_SAVE, /* 8: Save sets */ | ||
31 | IPSET_CMD_ADD, /* 9: Add an element to a set */ | ||
32 | IPSET_CMD_DEL, /* 10: Delete an element from a set */ | ||
33 | IPSET_CMD_TEST, /* 11: Test an element in a set */ | ||
34 | IPSET_CMD_HEADER, /* 12: Get set header data only */ | ||
35 | IPSET_CMD_TYPE, /* 13: Get set type */ | ||
36 | IPSET_MSG_MAX, /* Netlink message commands */ | ||
37 | |||
38 | /* Commands in userspace: */ | ||
39 | IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */ | ||
40 | IPSET_CMD_HELP, /* 15: Get help */ | ||
41 | IPSET_CMD_VERSION, /* 16: Get program version */ | ||
42 | IPSET_CMD_QUIT, /* 17: Quit from interactive mode */ | ||
43 | |||
44 | IPSET_CMD_MAX, | ||
45 | |||
46 | IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */ | ||
47 | }; | ||
48 | |||
49 | /* Attributes at command level */ | ||
50 | enum { | ||
51 | IPSET_ATTR_UNSPEC, | ||
52 | IPSET_ATTR_PROTOCOL, /* 1: Protocol version */ | ||
53 | IPSET_ATTR_SETNAME, /* 2: Name of the set */ | ||
54 | IPSET_ATTR_TYPENAME, /* 3: Typename */ | ||
55 | IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */ | ||
56 | IPSET_ATTR_REVISION, /* 4: Settype revision */ | ||
57 | IPSET_ATTR_FAMILY, /* 5: Settype family */ | ||
58 | IPSET_ATTR_FLAGS, /* 6: Flags at command level */ | ||
59 | IPSET_ATTR_DATA, /* 7: Nested attributes */ | ||
60 | IPSET_ATTR_ADT, /* 8: Multiple data containers */ | ||
61 | IPSET_ATTR_LINENO, /* 9: Restore lineno */ | ||
62 | IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */ | ||
63 | IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */ | ||
64 | __IPSET_ATTR_CMD_MAX, | ||
65 | }; | ||
66 | #define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1) | ||
67 | |||
68 | /* CADT specific attributes */ | ||
69 | enum { | ||
70 | IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1, | ||
71 | IPSET_ATTR_IP_FROM = IPSET_ATTR_IP, | ||
72 | IPSET_ATTR_IP_TO, /* 2 */ | ||
73 | IPSET_ATTR_CIDR, /* 3 */ | ||
74 | IPSET_ATTR_PORT, /* 4 */ | ||
75 | IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT, | ||
76 | IPSET_ATTR_PORT_TO, /* 5 */ | ||
77 | IPSET_ATTR_TIMEOUT, /* 6 */ | ||
78 | IPSET_ATTR_PROTO, /* 7 */ | ||
79 | IPSET_ATTR_CADT_FLAGS, /* 8 */ | ||
80 | IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ | ||
81 | /* Reserve empty slots */ | ||
82 | IPSET_ATTR_CADT_MAX = 16, | ||
83 | /* Create-only specific attributes */ | ||
84 | IPSET_ATTR_GC, | ||
85 | IPSET_ATTR_HASHSIZE, | ||
86 | IPSET_ATTR_MAXELEM, | ||
87 | IPSET_ATTR_NETMASK, | ||
88 | IPSET_ATTR_PROBES, | ||
89 | IPSET_ATTR_RESIZE, | ||
90 | IPSET_ATTR_SIZE, | ||
91 | /* Kernel-only */ | ||
92 | IPSET_ATTR_ELEMENTS, | ||
93 | IPSET_ATTR_REFERENCES, | ||
94 | IPSET_ATTR_MEMSIZE, | ||
95 | |||
96 | __IPSET_ATTR_CREATE_MAX, | ||
97 | }; | ||
98 | #define IPSET_ATTR_CREATE_MAX (__IPSET_ATTR_CREATE_MAX - 1) | ||
99 | |||
100 | /* ADT specific attributes */ | ||
101 | enum { | ||
102 | IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1, | ||
103 | IPSET_ATTR_NAME, | ||
104 | IPSET_ATTR_NAMEREF, | ||
105 | IPSET_ATTR_IP2, | ||
106 | IPSET_ATTR_CIDR2, | ||
107 | __IPSET_ATTR_ADT_MAX, | ||
108 | }; | ||
109 | #define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1) | ||
110 | |||
111 | /* IP specific attributes */ | ||
112 | enum { | ||
113 | IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1, | ||
114 | IPSET_ATTR_IPADDR_IPV6, | ||
115 | __IPSET_ATTR_IPADDR_MAX, | ||
116 | }; | ||
117 | #define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1) | ||
118 | |||
119 | /* Error codes */ | ||
120 | enum ipset_errno { | ||
121 | IPSET_ERR_PRIVATE = 4096, | ||
122 | IPSET_ERR_PROTOCOL, | ||
123 | IPSET_ERR_FIND_TYPE, | ||
124 | IPSET_ERR_MAX_SETS, | ||
125 | IPSET_ERR_BUSY, | ||
126 | IPSET_ERR_EXIST_SETNAME2, | ||
127 | IPSET_ERR_TYPE_MISMATCH, | ||
128 | IPSET_ERR_EXIST, | ||
129 | IPSET_ERR_INVALID_CIDR, | ||
130 | IPSET_ERR_INVALID_NETMASK, | ||
131 | IPSET_ERR_INVALID_FAMILY, | ||
132 | IPSET_ERR_TIMEOUT, | ||
133 | IPSET_ERR_REFERENCED, | ||
134 | IPSET_ERR_IPADDR_IPV4, | ||
135 | IPSET_ERR_IPADDR_IPV6, | ||
136 | |||
137 | /* Type specific error codes */ | ||
138 | IPSET_ERR_TYPE_SPECIFIC = 4352, | ||
139 | }; | ||
140 | |||
141 | /* Flags at command level */ | ||
142 | enum ipset_cmd_flags { | ||
143 | IPSET_FLAG_BIT_EXIST = 0, | ||
144 | IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST), | ||
145 | }; | ||
146 | |||
147 | /* Flags at CADT attribute level */ | ||
148 | enum ipset_cadt_flags { | ||
149 | IPSET_FLAG_BIT_BEFORE = 0, | ||
150 | IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE), | ||
151 | }; | ||
152 | |||
153 | /* Commands with settype-specific attributes */ | ||
154 | enum ipset_adt { | ||
155 | IPSET_ADD, | ||
156 | IPSET_DEL, | ||
157 | IPSET_TEST, | ||
158 | IPSET_ADT_MAX, | ||
159 | IPSET_CREATE = IPSET_ADT_MAX, | ||
160 | IPSET_CADT_MAX, | ||
161 | }; | ||
162 | |||
163 | #ifdef __KERNEL__ | ||
164 | #include <linux/ip.h> | ||
165 | #include <linux/ipv6.h> | ||
166 | #include <linux/netlink.h> | ||
167 | #include <linux/netfilter.h> | ||
168 | #include <linux/vmalloc.h> | ||
169 | #include <net/netlink.h> | ||
170 | |||
171 | /* Sets are identified by an index in kernel space. Tweak with ip_set_id_t | ||
172 | * and IPSET_INVALID_ID if you want to increase the max number of sets. | ||
173 | */ | ||
174 | typedef u16 ip_set_id_t; | ||
175 | |||
176 | #define IPSET_INVALID_ID 65535 | ||
177 | |||
178 | enum ip_set_dim { | ||
179 | IPSET_DIM_ZERO = 0, | ||
180 | IPSET_DIM_ONE, | ||
181 | IPSET_DIM_TWO, | ||
182 | IPSET_DIM_THREE, | ||
183 | /* Max dimension in elements. | ||
184 | * If changed, new revision of iptables match/target is required. | ||
185 | */ | ||
186 | IPSET_DIM_MAX = 6, | ||
187 | }; | ||
188 | |||
189 | /* Option flags for kernel operations */ | ||
190 | enum ip_set_kopt { | ||
191 | IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO), | ||
192 | IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE), | ||
193 | IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO), | ||
194 | IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE), | ||
195 | }; | ||
196 | |||
197 | /* Set features */ | ||
198 | enum ip_set_feature { | ||
199 | IPSET_TYPE_IP_FLAG = 0, | ||
200 | IPSET_TYPE_IP = (1 << IPSET_TYPE_IP_FLAG), | ||
201 | IPSET_TYPE_PORT_FLAG = 1, | ||
202 | IPSET_TYPE_PORT = (1 << IPSET_TYPE_PORT_FLAG), | ||
203 | IPSET_TYPE_MAC_FLAG = 2, | ||
204 | IPSET_TYPE_MAC = (1 << IPSET_TYPE_MAC_FLAG), | ||
205 | IPSET_TYPE_IP2_FLAG = 3, | ||
206 | IPSET_TYPE_IP2 = (1 << IPSET_TYPE_IP2_FLAG), | ||
207 | IPSET_TYPE_NAME_FLAG = 4, | ||
208 | IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG), | ||
209 | /* Strictly speaking not a feature, but a flag for dumping: | ||
210 | * this settype must be dumped last */ | ||
211 | IPSET_DUMP_LAST_FLAG = 7, | ||
212 | IPSET_DUMP_LAST = (1 << IPSET_DUMP_LAST_FLAG), | ||
213 | }; | ||
214 | |||
215 | struct ip_set; | ||
216 | |||
217 | typedef int (*ipset_adtfn)(struct ip_set *set, void *value, u32 timeout); | ||
218 | |||
219 | /* Set type, variant-specific part */ | ||
220 | struct ip_set_type_variant { | ||
221 | /* Kernelspace: test/add/del entries | ||
222 | * returns negative error code, | ||
223 | * zero for no match/success to add/delete | ||
224 | * positive for matching element */ | ||
225 | int (*kadt)(struct ip_set *set, const struct sk_buff * skb, | ||
226 | enum ipset_adt adt, u8 pf, u8 dim, u8 flags); | ||
227 | |||
228 | /* Userspace: test/add/del entries | ||
229 | * returns negative error code, | ||
230 | * zero for no match/success to add/delete | ||
231 | * positive for matching element */ | ||
232 | int (*uadt)(struct ip_set *set, struct nlattr *tb[], | ||
233 | enum ipset_adt adt, u32 *lineno, u32 flags); | ||
234 | |||
235 | /* Low level add/del/test functions */ | ||
236 | ipset_adtfn adt[IPSET_ADT_MAX]; | ||
237 | |||
238 | /* When adding entries and set is full, try to resize the set */ | ||
239 | int (*resize)(struct ip_set *set, bool retried); | ||
240 | /* Destroy the set */ | ||
241 | void (*destroy)(struct ip_set *set); | ||
242 | /* Flush the elements */ | ||
243 | void (*flush)(struct ip_set *set); | ||
244 | /* Expire entries before listing */ | ||
245 | void (*expire)(struct ip_set *set); | ||
246 | /* List set header data */ | ||
247 | int (*head)(struct ip_set *set, struct sk_buff *skb); | ||
248 | /* List elements */ | ||
249 | int (*list)(const struct ip_set *set, struct sk_buff *skb, | ||
250 | struct netlink_callback *cb); | ||
251 | |||
252 | /* Return true if "b" set is the same as "a" | ||
253 | * according to the create set parameters */ | ||
254 | bool (*same_set)(const struct ip_set *a, const struct ip_set *b); | ||
255 | }; | ||
256 | |||
257 | /* The core set type structure */ | ||
258 | struct ip_set_type { | ||
259 | struct list_head list; | ||
260 | |||
261 | /* Typename */ | ||
262 | char name[IPSET_MAXNAMELEN]; | ||
263 | /* Protocol version */ | ||
264 | u8 protocol; | ||
265 | /* Set features to control swapping */ | ||
266 | u8 features; | ||
267 | /* Set type dimension */ | ||
268 | u8 dimension; | ||
269 | /* Supported family: may be AF_UNSPEC for both AF_INET/AF_INET6 */ | ||
270 | u8 family; | ||
271 | /* Type revision */ | ||
272 | u8 revision; | ||
273 | |||
274 | /* Create set */ | ||
275 | int (*create)(struct ip_set *set, struct nlattr *tb[], u32 flags); | ||
276 | |||
277 | /* Attribute policies */ | ||
278 | const struct nla_policy create_policy[IPSET_ATTR_CREATE_MAX + 1]; | ||
279 | const struct nla_policy adt_policy[IPSET_ATTR_ADT_MAX + 1]; | ||
280 | |||
281 | /* Set this to THIS_MODULE if you are a module, otherwise NULL */ | ||
282 | struct module *me; | ||
283 | }; | ||
284 | |||
285 | /* register and unregister set type */ | ||
286 | extern int ip_set_type_register(struct ip_set_type *set_type); | ||
287 | extern void ip_set_type_unregister(struct ip_set_type *set_type); | ||
288 | |||
289 | /* A generic IP set */ | ||
290 | struct ip_set { | ||
291 | /* The name of the set */ | ||
292 | char name[IPSET_MAXNAMELEN]; | ||
293 | /* Lock protecting the set data */ | ||
294 | rwlock_t lock; | ||
295 | /* References to the set */ | ||
296 | atomic_t ref; | ||
297 | /* The core set type */ | ||
298 | struct ip_set_type *type; | ||
299 | /* The type variant doing the real job */ | ||
300 | const struct ip_set_type_variant *variant; | ||
301 | /* The actual INET family of the set */ | ||
302 | u8 family; | ||
303 | /* The type specific data */ | ||
304 | void *data; | ||
305 | }; | ||
306 | |||
307 | /* register and unregister set references */ | ||
308 | extern ip_set_id_t ip_set_get_byname(const char *name, struct ip_set **set); | ||
309 | extern void ip_set_put_byindex(ip_set_id_t index); | ||
310 | extern const char * ip_set_name_byindex(ip_set_id_t index); | ||
311 | extern ip_set_id_t ip_set_nfnl_get(const char *name); | ||
312 | extern ip_set_id_t ip_set_nfnl_get_byindex(ip_set_id_t index); | ||
313 | extern void ip_set_nfnl_put(ip_set_id_t index); | ||
314 | |||
315 | /* API for iptables set match, and SET target */ | ||
316 | extern int ip_set_add(ip_set_id_t id, const struct sk_buff *skb, | ||
317 | u8 family, u8 dim, u8 flags); | ||
318 | extern int ip_set_del(ip_set_id_t id, const struct sk_buff *skb, | ||
319 | u8 family, u8 dim, u8 flags); | ||
320 | extern int ip_set_test(ip_set_id_t id, const struct sk_buff *skb, | ||
321 | u8 family, u8 dim, u8 flags); | ||
322 | |||
323 | /* Utility functions */ | ||
324 | extern void * ip_set_alloc(size_t size); | ||
325 | extern void ip_set_free(void *members); | ||
326 | extern int ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr); | ||
327 | extern int ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr); | ||
328 | |||
329 | static inline int | ||
330 | ip_set_get_hostipaddr4(struct nlattr *nla, u32 *ipaddr) | ||
331 | { | ||
332 | __be32 ip; | ||
333 | int ret = ip_set_get_ipaddr4(nla, &ip); | ||
334 | |||
335 | if (ret) | ||
336 | return ret; | ||
337 | *ipaddr = ntohl(ip); | ||
338 | return 0; | ||
339 | } | ||
340 | |||
341 | /* Ignore IPSET_ERR_EXIST errors if asked to do so? */ | ||
342 | static inline bool | ||
343 | ip_set_eexist(int ret, u32 flags) | ||
344 | { | ||
345 | return ret == -IPSET_ERR_EXIST && (flags & IPSET_FLAG_EXIST); | ||
346 | } | ||
347 | |||
348 | /* Check the NLA_F_NET_BYTEORDER flag */ | ||
349 | static inline bool | ||
350 | ip_set_attr_netorder(struct nlattr *tb[], int type) | ||
351 | { | ||
352 | return tb[type] && (tb[type]->nla_type & NLA_F_NET_BYTEORDER); | ||
353 | } | ||
354 | |||
355 | static inline bool | ||
356 | ip_set_optattr_netorder(struct nlattr *tb[], int type) | ||
357 | { | ||
358 | return !tb[type] || (tb[type]->nla_type & NLA_F_NET_BYTEORDER); | ||
359 | } | ||
360 | |||
361 | /* Useful converters */ | ||
362 | static inline u32 | ||
363 | ip_set_get_h32(const struct nlattr *attr) | ||
364 | { | ||
365 | return ntohl(nla_get_be32(attr)); | ||
366 | } | ||
367 | |||
368 | static inline u16 | ||
369 | ip_set_get_h16(const struct nlattr *attr) | ||
370 | { | ||
371 | return ntohs(nla_get_be16(attr)); | ||
372 | } | ||
373 | |||
374 | #define ipset_nest_start(skb, attr) nla_nest_start(skb, attr | NLA_F_NESTED) | ||
375 | #define ipset_nest_end(skb, start) nla_nest_end(skb, start) | ||
376 | |||
377 | #define NLA_PUT_IPADDR4(skb, type, ipaddr) \ | ||
378 | do { \ | ||
379 | struct nlattr *__nested = ipset_nest_start(skb, type); \ | ||
380 | \ | ||
381 | if (!__nested) \ | ||
382 | goto nla_put_failure; \ | ||
383 | NLA_PUT_NET32(skb, IPSET_ATTR_IPADDR_IPV4, ipaddr); \ | ||
384 | ipset_nest_end(skb, __nested); \ | ||
385 | } while (0) | ||
386 | |||
387 | #define NLA_PUT_IPADDR6(skb, type, ipaddrptr) \ | ||
388 | do { \ | ||
389 | struct nlattr *__nested = ipset_nest_start(skb, type); \ | ||
390 | \ | ||
391 | if (!__nested) \ | ||
392 | goto nla_put_failure; \ | ||
393 | NLA_PUT(skb, IPSET_ATTR_IPADDR_IPV6, \ | ||
394 | sizeof(struct in6_addr), ipaddrptr); \ | ||
395 | ipset_nest_end(skb, __nested); \ | ||
396 | } while (0) | ||
397 | |||
398 | /* Get address from skbuff */ | ||
399 | static inline __be32 | ||
400 | ip4addr(const struct sk_buff *skb, bool src) | ||
401 | { | ||
402 | return src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr; | ||
403 | } | ||
404 | |||
405 | static inline void | ||
406 | ip4addrptr(const struct sk_buff *skb, bool src, __be32 *addr) | ||
407 | { | ||
408 | *addr = src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr; | ||
409 | } | ||
410 | |||
411 | static inline void | ||
412 | ip6addrptr(const struct sk_buff *skb, bool src, struct in6_addr *addr) | ||
413 | { | ||
414 | memcpy(addr, src ? &ipv6_hdr(skb)->saddr : &ipv6_hdr(skb)->daddr, | ||
415 | sizeof(*addr)); | ||
416 | } | ||
417 | |||
418 | /* Calculate the bytes required to store the inclusive range of a-b */ | ||
419 | static inline int | ||
420 | bitmap_bytes(u32 a, u32 b) | ||
421 | { | ||
422 | return 4 * ((((b - a + 8) / 8) + 3) / 4); | ||
423 | } | ||
424 | |||
425 | /* Interface to iptables/ip6tables */ | ||
426 | |||
427 | #define SO_IP_SET 83 | ||
428 | |||
429 | union ip_set_name_index { | ||
430 | char name[IPSET_MAXNAMELEN]; | ||
431 | ip_set_id_t index; | ||
432 | }; | ||
433 | |||
434 | #define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ | ||
435 | struct ip_set_req_get_set { | ||
436 | unsigned op; | ||
437 | unsigned version; | ||
438 | union ip_set_name_index set; | ||
439 | }; | ||
440 | |||
441 | #define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ | ||
442 | /* Uses ip_set_req_get_set */ | ||
443 | |||
444 | #define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ | ||
445 | struct ip_set_req_version { | ||
446 | unsigned op; | ||
447 | unsigned version; | ||
448 | }; | ||
449 | |||
450 | #endif /* __KERNEL__ */ | ||
451 | |||
452 | #endif /*_IP_SET_H */ | ||
diff --git a/include/linux/netfilter/ipset/ip_set_getport.h b/include/linux/netfilter/ipset/ip_set_getport.h new file mode 100644 index 000000000000..694c433298b8 --- /dev/null +++ b/include/linux/netfilter/ipset/ip_set_getport.h | |||
@@ -0,0 +1,11 @@ | |||
1 | #ifndef _IP_SET_GETPORT_H | ||
2 | #define _IP_SET_GETPORT_H | ||
3 | |||
4 | extern bool ip_set_get_ip4_port(const struct sk_buff *skb, bool src, | ||
5 | __be16 *port, u8 *proto); | ||
6 | extern bool ip_set_get_ip6_port(const struct sk_buff *skb, bool src, | ||
7 | __be16 *port, u8 *proto); | ||
8 | extern bool ip_set_get_ip_port(const struct sk_buff *skb, u8 pf, bool src, | ||
9 | __be16 *port); | ||
10 | |||
11 | #endif /*_IP_SET_GETPORT_H*/ | ||
diff --git a/include/linux/netfilter/ipset/pfxlen.h b/include/linux/netfilter/ipset/pfxlen.h new file mode 100644 index 000000000000..0e1fb50da562 --- /dev/null +++ b/include/linux/netfilter/ipset/pfxlen.h | |||
@@ -0,0 +1,35 @@ | |||
1 | #ifndef _PFXLEN_H | ||
2 | #define _PFXLEN_H | ||
3 | |||
4 | #include <asm/byteorder.h> | ||
5 | #include <linux/netfilter.h> | ||
6 | |||
7 | /* Prefixlen maps, by Jan Engelhardt */ | ||
8 | extern const union nf_inet_addr ip_set_netmask_map[]; | ||
9 | extern const union nf_inet_addr ip_set_hostmask_map[]; | ||
10 | |||
11 | static inline __be32 | ||
12 | ip_set_netmask(u8 pfxlen) | ||
13 | { | ||
14 | return ip_set_netmask_map[pfxlen].ip; | ||
15 | } | ||
16 | |||
17 | static inline const __be32 * | ||
18 | ip_set_netmask6(u8 pfxlen) | ||
19 | { | ||
20 | return &ip_set_netmask_map[pfxlen].ip6[0]; | ||
21 | } | ||
22 | |||
23 | static inline u32 | ||
24 | ip_set_hostmask(u8 pfxlen) | ||
25 | { | ||
26 | return (__force u32) ip_set_hostmask_map[pfxlen].ip; | ||
27 | } | ||
28 | |||
29 | static inline const __be32 * | ||
30 | ip_set_hostmask6(u8 pfxlen) | ||
31 | { | ||
32 | return &ip_set_hostmask_map[pfxlen].ip6[0]; | ||
33 | } | ||
34 | |||
35 | #endif /*_PFXLEN_H */ | ||
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index faf7412ea453..351abf8ace13 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig | |||
@@ -1052,4 +1052,6 @@ endif # NETFILTER_XTABLES | |||
1052 | 1052 | ||
1053 | endmenu | 1053 | endmenu |
1054 | 1054 | ||
1055 | source "net/netfilter/ipset/Kconfig" | ||
1056 | |||
1055 | source "net/netfilter/ipvs/Kconfig" | 1057 | source "net/netfilter/ipvs/Kconfig" |
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 9ae6878a85b1..510b586ccb7f 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile | |||
@@ -105,5 +105,8 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o | |||
105 | obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o | 105 | obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o |
106 | obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o | 106 | obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o |
107 | 107 | ||
108 | # ipset | ||
109 | obj-$(CONFIG_IP_SET) += ipset/ | ||
110 | |||
108 | # IPVS | 111 | # IPVS |
109 | obj-$(CONFIG_IP_VS) += ipvs/ | 112 | obj-$(CONFIG_IP_VS) += ipvs/ |
diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig new file mode 100644 index 000000000000..5ade156dd470 --- /dev/null +++ b/net/netfilter/ipset/Kconfig | |||
@@ -0,0 +1,26 @@ | |||
1 | menuconfig IP_SET | ||
2 | tristate "IP set support" | ||
3 | depends on INET && NETFILTER | ||
4 | help | ||
5 | This option adds IP set support to the kernel. | ||
6 | In order to define and use the sets, you need the userspace utility | ||
7 | ipset(8). You can use the sets in netfilter via the "set" match | ||
8 | and "SET" target. | ||
9 | |||
10 | To compile it as a module, choose M here. If unsure, say N. | ||
11 | |||
12 | if IP_SET | ||
13 | |||
14 | config IP_SET_MAX | ||
15 | int "Maximum number of IP sets" | ||
16 | default 256 | ||
17 | range 2 65534 | ||
18 | depends on IP_SET | ||
19 | help | ||
20 | You can define here default value of the maximum number | ||
21 | of IP sets for the kernel. | ||
22 | |||
23 | The value can be overriden by the 'max_sets' module | ||
24 | parameter of the 'ip_set' module. | ||
25 | |||
26 | endif # IP_SET | ||
diff --git a/net/netfilter/ipset/Makefile b/net/netfilter/ipset/Makefile new file mode 100644 index 000000000000..910cd425c067 --- /dev/null +++ b/net/netfilter/ipset/Makefile | |||
@@ -0,0 +1,8 @@ | |||
1 | # | ||
2 | # Makefile for the ipset modules | ||
3 | # | ||
4 | |||
5 | ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o | ||
6 | |||
7 | # ipset core | ||
8 | obj-$(CONFIG_IP_SET) += ip_set.o | ||
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c new file mode 100644 index 000000000000..8a736247e85f --- /dev/null +++ b/net/netfilter/ipset/ip_set_core.c | |||
@@ -0,0 +1,1662 @@ | |||
1 | /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> | ||
2 | * Patrick Schaaf <bof@bof.de> | ||
3 | * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | ||
4 | * | ||
5 | * This program is free software; you can redistribute it and/or modify | ||
6 | * it under the terms of the GNU General Public License version 2 as | ||
7 | * published by the Free Software Foundation. | ||
8 | */ | ||
9 | |||
10 | /* Kernel module for IP set management */ | ||
11 | |||
12 | #include <linux/init.h> | ||
13 | #include <linux/module.h> | ||
14 | #include <linux/moduleparam.h> | ||
15 | #include <linux/ip.h> | ||
16 | #include <linux/skbuff.h> | ||
17 | #include <linux/spinlock.h> | ||
18 | #include <linux/netlink.h> | ||
19 | #include <linux/rculist.h> | ||
20 | #include <linux/version.h> | ||
21 | #include <net/netlink.h> | ||
22 | |||
23 | #include <linux/netfilter.h> | ||
24 | #include <linux/netfilter/nfnetlink.h> | ||
25 | #include <linux/netfilter/ipset/ip_set.h> | ||
26 | |||
27 | static LIST_HEAD(ip_set_type_list); /* all registered set types */ | ||
28 | static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */ | ||
29 | |||
30 | static struct ip_set **ip_set_list; /* all individual sets */ | ||
31 | static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */ | ||
32 | |||
33 | #define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0) | ||
34 | |||
35 | static unsigned int max_sets; | ||
36 | |||
37 | module_param(max_sets, int, 0600); | ||
38 | MODULE_PARM_DESC(max_sets, "maximal number of sets"); | ||
39 | MODULE_LICENSE("GPL"); | ||
40 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | ||
41 | MODULE_DESCRIPTION("core IP set support"); | ||
42 | MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET); | ||
43 | |||
44 | /* | ||
45 | * The set types are implemented in modules and registered set types | ||
46 | * can be found in ip_set_type_list. Adding/deleting types is | ||
47 | * serialized by ip_set_type_mutex. | ||
48 | */ | ||
49 | |||
50 | static inline void | ||
51 | ip_set_type_lock(void) | ||
52 | { | ||
53 | mutex_lock(&ip_set_type_mutex); | ||
54 | } | ||
55 | |||
56 | static inline void | ||
57 | ip_set_type_unlock(void) | ||
58 | { | ||
59 | mutex_unlock(&ip_set_type_mutex); | ||
60 | } | ||
61 | |||
62 | /* Register and deregister settype */ | ||
63 | |||
64 | static struct ip_set_type * | ||
65 | find_set_type(const char *name, u8 family, u8 revision) | ||
66 | { | ||
67 | struct ip_set_type *type; | ||
68 | |||
69 | list_for_each_entry_rcu(type, &ip_set_type_list, list) | ||
70 | if (STREQ(type->name, name) && | ||
71 | (type->family == family || type->family == AF_UNSPEC) && | ||
72 | type->revision == revision) | ||
73 | return type; | ||
74 | return NULL; | ||
75 | } | ||
76 | |||
77 | /* Unlock, try to load a set type module and lock again */ | ||
78 | static int | ||
79 | try_to_load_type(const char *name) | ||
80 | { | ||
81 | nfnl_unlock(); | ||
82 | pr_debug("try to load ip_set_%s\n", name); | ||
83 | if (request_module("ip_set_%s", name) < 0) { | ||
84 | pr_warning("Can't find ip_set type %s\n", name); | ||
85 | nfnl_lock(); | ||
86 | return -IPSET_ERR_FIND_TYPE; | ||
87 | } | ||
88 | nfnl_lock(); | ||
89 | return -EAGAIN; | ||
90 | } | ||
91 | |||
92 | /* Find a set type and reference it */ | ||
93 | static int | ||
94 | find_set_type_get(const char *name, u8 family, u8 revision, | ||
95 | struct ip_set_type **found) | ||
96 | { | ||
97 | rcu_read_lock(); | ||
98 | *found = find_set_type(name, family, revision); | ||
99 | if (*found) { | ||
100 | int err = !try_module_get((*found)->me); | ||
101 | rcu_read_unlock(); | ||
102 | return err ? -EFAULT : 0; | ||
103 | } | ||
104 | rcu_read_unlock(); | ||
105 | |||
106 | return try_to_load_type(name); | ||
107 | } | ||
108 | |||
109 | /* Find a given set type by name and family. | ||
110 | * If we succeeded, the supported minimal and maximum revisions are | ||
111 | * filled out. | ||
112 | */ | ||
113 | static int | ||
114 | find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max) | ||
115 | { | ||
116 | struct ip_set_type *type; | ||
117 | bool found = false; | ||
118 | |||
119 | *min = *max = 0; | ||
120 | rcu_read_lock(); | ||
121 | list_for_each_entry_rcu(type, &ip_set_type_list, list) | ||
122 | if (STREQ(type->name, name) && | ||
123 | (type->family == family || type->family == AF_UNSPEC)) { | ||
124 | found = true; | ||
125 | if (type->revision < *min) | ||
126 | *min = type->revision; | ||
127 | else if (type->revision > *max) | ||
128 | *max = type->revision; | ||
129 | } | ||
130 | rcu_read_unlock(); | ||
131 | if (found) | ||
132 | return 0; | ||
133 | |||
134 | return try_to_load_type(name); | ||
135 | } | ||
136 | |||
137 | #define family_name(f) ((f) == AF_INET ? "inet" : \ | ||
138 | (f) == AF_INET6 ? "inet6" : "any") | ||
139 | |||
140 | /* Register a set type structure. The type is identified by | ||
141 | * the unique triple of name, family and revision. | ||
142 | */ | ||
143 | int | ||
144 | ip_set_type_register(struct ip_set_type *type) | ||
145 | { | ||
146 | int ret = 0; | ||
147 | |||
148 | if (type->protocol != IPSET_PROTOCOL) { | ||
149 | pr_warning("ip_set type %s, family %s, revision %u uses " | ||
150 | "wrong protocol version %u (want %u)\n", | ||
151 | type->name, family_name(type->family), | ||
152 | type->revision, type->protocol, IPSET_PROTOCOL); | ||
153 | return -EINVAL; | ||
154 | } | ||
155 | |||
156 | ip_set_type_lock(); | ||
157 | if (find_set_type(type->name, type->family, type->revision)) { | ||
158 | /* Duplicate! */ | ||
159 | pr_warning("ip_set type %s, family %s, revision %u " | ||
160 | "already registered!\n", type->name, | ||
161 | family_name(type->family), type->revision); | ||
162 | ret = -EINVAL; | ||
163 | goto unlock; | ||
164 | } | ||
165 | list_add_rcu(&type->list, &ip_set_type_list); | ||
166 | pr_debug("type %s, family %s, revision %u registered.\n", | ||
167 | type->name, family_name(type->family), type->revision); | ||
168 | unlock: | ||
169 | ip_set_type_unlock(); | ||
170 | return ret; | ||
171 | } | ||
172 | EXPORT_SYMBOL_GPL(ip_set_type_register); | ||
173 | |||
174 | /* Unregister a set type. There's a small race with ip_set_create */ | ||
175 | void | ||
176 | ip_set_type_unregister(struct ip_set_type *type) | ||
177 | { | ||
178 | ip_set_type_lock(); | ||
179 | if (!find_set_type(type->name, type->family, type->revision)) { | ||
180 | pr_warning("ip_set type %s, family %s, revision %u " | ||
181 | "not registered\n", type->name, | ||
182 | family_name(type->family), type->revision); | ||
183 | goto unlock; | ||
184 | } | ||
185 | list_del_rcu(&type->list); | ||
186 | pr_debug("type %s, family %s, revision %u unregistered.\n", | ||
187 | type->name, family_name(type->family), type->revision); | ||
188 | unlock: | ||
189 | ip_set_type_unlock(); | ||
190 | |||
191 | synchronize_rcu(); | ||
192 | } | ||
193 | EXPORT_SYMBOL_GPL(ip_set_type_unregister); | ||
194 | |||
195 | /* Utility functions */ | ||
196 | void * | ||
197 | ip_set_alloc(size_t size) | ||
198 | { | ||
199 | void *members = NULL; | ||
200 | |||
201 | if (size < KMALLOC_MAX_SIZE) | ||
202 | members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN); | ||
203 | |||
204 | if (members) { | ||
205 | pr_debug("%p: allocated with kmalloc\n", members); | ||
206 | return members; | ||
207 | } | ||
208 | |||
209 | members = vzalloc(size); | ||
210 | if (!members) | ||
211 | return NULL; | ||
212 | pr_debug("%p: allocated with vmalloc\n", members); | ||
213 | |||
214 | return members; | ||
215 | } | ||
216 | EXPORT_SYMBOL_GPL(ip_set_alloc); | ||
217 | |||
218 | void | ||
219 | ip_set_free(void *members) | ||
220 | { | ||
221 | pr_debug("%p: free with %s\n", members, | ||
222 | is_vmalloc_addr(members) ? "vfree" : "kfree"); | ||
223 | if (is_vmalloc_addr(members)) | ||
224 | vfree(members); | ||
225 | else | ||
226 | kfree(members); | ||
227 | } | ||
228 | EXPORT_SYMBOL_GPL(ip_set_free); | ||
229 | |||
230 | static inline bool | ||
231 | flag_nested(const struct nlattr *nla) | ||
232 | { | ||
233 | return nla->nla_type & NLA_F_NESTED; | ||
234 | } | ||
235 | |||
236 | static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = { | ||
237 | [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 }, | ||
238 | [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY, | ||
239 | .len = sizeof(struct in6_addr) }, | ||
240 | }; | ||
241 | |||
242 | int | ||
243 | ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr) | ||
244 | { | ||
245 | struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1]; | ||
246 | |||
247 | if (unlikely(!flag_nested(nla))) | ||
248 | return -IPSET_ERR_PROTOCOL; | ||
249 | if (nla_parse(tb, IPSET_ATTR_IPADDR_MAX, nla_data(nla), nla_len(nla), | ||
250 | ipaddr_policy)) | ||
251 | return -IPSET_ERR_PROTOCOL; | ||
252 | if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4))) | ||
253 | return -IPSET_ERR_PROTOCOL; | ||
254 | |||
255 | *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]); | ||
256 | return 0; | ||
257 | } | ||
258 | EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4); | ||
259 | |||
260 | int | ||
261 | ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr) | ||
262 | { | ||
263 | struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1]; | ||
264 | |||
265 | if (unlikely(!flag_nested(nla))) | ||
266 | return -IPSET_ERR_PROTOCOL; | ||
267 | |||
268 | if (nla_parse(tb, IPSET_ATTR_IPADDR_MAX, nla_data(nla), nla_len(nla), | ||
269 | ipaddr_policy)) | ||
270 | return -IPSET_ERR_PROTOCOL; | ||
271 | if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6))) | ||
272 | return -IPSET_ERR_PROTOCOL; | ||
273 | |||
274 | memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]), | ||
275 | sizeof(struct in6_addr)); | ||
276 | return 0; | ||
277 | } | ||
278 | EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6); | ||
279 | |||
280 | /* | ||
281 | * Creating/destroying/renaming/swapping affect the existence and | ||
282 | * the properties of a set. All of these can be executed from userspace | ||
283 | * only and serialized by the nfnl mutex indirectly from nfnetlink. | ||
284 | * | ||
285 | * Sets are identified by their index in ip_set_list and the index | ||
286 | * is used by the external references (set/SET netfilter modules). | ||
287 | * | ||
288 | * The set behind an index may change by swapping only, from userspace. | ||
289 | */ | ||
290 | |||
291 | static inline void | ||
292 | __ip_set_get(ip_set_id_t index) | ||
293 | { | ||
294 | atomic_inc(&ip_set_list[index]->ref); | ||
295 | } | ||
296 | |||
297 | static inline void | ||
298 | __ip_set_put(ip_set_id_t index) | ||
299 | { | ||
300 | atomic_dec(&ip_set_list[index]->ref); | ||
301 | } | ||
302 | |||
303 | /* | ||
304 | * Add, del and test set entries from kernel. | ||
305 | * | ||
306 | * The set behind the index must exist and must be referenced | ||
307 | * so it can't be destroyed (or changed) under our foot. | ||
308 | */ | ||
309 | |||
310 | int | ||
311 | ip_set_test(ip_set_id_t index, const struct sk_buff *skb, | ||
312 | u8 family, u8 dim, u8 flags) | ||
313 | { | ||
314 | struct ip_set *set = ip_set_list[index]; | ||
315 | int ret = 0; | ||
316 | |||
317 | BUG_ON(set == NULL || atomic_read(&set->ref) == 0); | ||
318 | pr_debug("set %s, index %u\n", set->name, index); | ||
319 | |||
320 | if (dim < set->type->dimension || | ||
321 | !(family == set->family || set->family == AF_UNSPEC)) | ||
322 | return 0; | ||
323 | |||
324 | read_lock_bh(&set->lock); | ||
325 | ret = set->variant->kadt(set, skb, IPSET_TEST, family, dim, flags); | ||
326 | read_unlock_bh(&set->lock); | ||
327 | |||
328 | if (ret == -EAGAIN) { | ||
329 | /* Type requests element to be completed */ | ||
330 | pr_debug("element must be competed, ADD is triggered\n"); | ||
331 | write_lock_bh(&set->lock); | ||
332 | set->variant->kadt(set, skb, IPSET_ADD, family, dim, flags); | ||
333 | write_unlock_bh(&set->lock); | ||
334 | ret = 1; | ||
335 | } | ||
336 | |||
337 | /* Convert error codes to nomatch */ | ||
338 | return (ret < 0 ? 0 : ret); | ||
339 | } | ||
340 | EXPORT_SYMBOL_GPL(ip_set_test); | ||
341 | |||
342 | int | ||
343 | ip_set_add(ip_set_id_t index, const struct sk_buff *skb, | ||
344 | u8 family, u8 dim, u8 flags) | ||
345 | { | ||
346 | struct ip_set *set = ip_set_list[index]; | ||
347 | int ret; | ||
348 | |||
349 | BUG_ON(set == NULL || atomic_read(&set->ref) == 0); | ||
350 | pr_debug("set %s, index %u\n", set->name, index); | ||
351 | |||
352 | if (dim < set->type->dimension || | ||
353 | !(family == set->family || set->family == AF_UNSPEC)) | ||
354 | return 0; | ||
355 | |||
356 | write_lock_bh(&set->lock); | ||
357 | ret = set->variant->kadt(set, skb, IPSET_ADD, family, dim, flags); | ||
358 | write_unlock_bh(&set->lock); | ||
359 | |||
360 | return ret; | ||
361 | } | ||
362 | EXPORT_SYMBOL_GPL(ip_set_add); | ||
363 | |||
364 | int | ||
365 | ip_set_del(ip_set_id_t index, const struct sk_buff *skb, | ||
366 | u8 family, u8 dim, u8 flags) | ||
367 | { | ||
368 | struct ip_set *set = ip_set_list[index]; | ||
369 | int ret = 0; | ||
370 | |||
371 | BUG_ON(set == NULL || atomic_read(&set->ref) == 0); | ||
372 | pr_debug("set %s, index %u\n", set->name, index); | ||
373 | |||
374 | if (dim < set->type->dimension || | ||
375 | !(family == set->family || set->family == AF_UNSPEC)) | ||
376 | return 0; | ||
377 | |||
378 | write_lock_bh(&set->lock); | ||
379 | ret = set->variant->kadt(set, skb, IPSET_DEL, family, dim, flags); | ||
380 | write_unlock_bh(&set->lock); | ||
381 | |||
382 | return ret; | ||
383 | } | ||
384 | EXPORT_SYMBOL_GPL(ip_set_del); | ||
385 | |||
386 | /* | ||
387 | * Find set by name, reference it once. The reference makes sure the | ||
388 | * thing pointed to, does not go away under our feet. | ||
389 | * | ||
390 | * The nfnl mutex must already be activated. | ||
391 | */ | ||
392 | ip_set_id_t | ||
393 | ip_set_get_byname(const char *name, struct ip_set **set) | ||
394 | { | ||
395 | ip_set_id_t i, index = IPSET_INVALID_ID; | ||
396 | struct ip_set *s; | ||
397 | |||
398 | for (i = 0; i < ip_set_max; i++) { | ||
399 | s = ip_set_list[i]; | ||
400 | if (s != NULL && STREQ(s->name, name)) { | ||
401 | __ip_set_get(i); | ||
402 | index = i; | ||
403 | *set = s; | ||
404 | } | ||
405 | } | ||
406 | |||
407 | return index; | ||
408 | } | ||
409 | EXPORT_SYMBOL_GPL(ip_set_get_byname); | ||
410 | |||
411 | /* | ||
412 | * If the given set pointer points to a valid set, decrement | ||
413 | * reference count by 1. The caller shall not assume the index | ||
414 | * to be valid, after calling this function. | ||
415 | * | ||
416 | * The nfnl mutex must already be activated. | ||
417 | */ | ||
418 | void | ||
419 | ip_set_put_byindex(ip_set_id_t index) | ||
420 | { | ||
421 | if (ip_set_list[index] != NULL) { | ||
422 | BUG_ON(atomic_read(&ip_set_list[index]->ref) == 0); | ||
423 | __ip_set_put(index); | ||
424 | } | ||
425 | } | ||
426 | EXPORT_SYMBOL_GPL(ip_set_put_byindex); | ||
427 | |||
428 | /* | ||
429 | * Get the name of a set behind a set index. | ||
430 | * We assume the set is referenced, so it does exist and | ||
431 | * can't be destroyed. The set cannot be renamed due to | ||
432 | * the referencing either. | ||
433 | * | ||
434 | * The nfnl mutex must already be activated. | ||
435 | */ | ||
436 | const char * | ||
437 | ip_set_name_byindex(ip_set_id_t index) | ||
438 | { | ||
439 | const struct ip_set *set = ip_set_list[index]; | ||
440 | |||
441 | BUG_ON(set == NULL); | ||
442 | BUG_ON(atomic_read(&set->ref) == 0); | ||
443 | |||
444 | /* Referenced, so it's safe */ | ||
445 | return set->name; | ||
446 | } | ||
447 | EXPORT_SYMBOL_GPL(ip_set_name_byindex); | ||
448 | |||
449 | /* | ||
450 | * Routines to call by external subsystems, which do not | ||
451 | * call nfnl_lock for us. | ||
452 | */ | ||
453 | |||
454 | /* | ||
455 | * Find set by name, reference it once. The reference makes sure the | ||
456 | * thing pointed to, does not go away under our feet. | ||
457 | * | ||
458 | * The nfnl mutex is used in the function. | ||
459 | */ | ||
460 | ip_set_id_t | ||
461 | ip_set_nfnl_get(const char *name) | ||
462 | { | ||
463 | struct ip_set *s; | ||
464 | ip_set_id_t index; | ||
465 | |||
466 | nfnl_lock(); | ||
467 | index = ip_set_get_byname(name, &s); | ||
468 | nfnl_unlock(); | ||
469 | |||
470 | return index; | ||
471 | } | ||
472 | EXPORT_SYMBOL_GPL(ip_set_nfnl_get); | ||
473 | |||
474 | /* | ||
475 | * Find set by index, reference it once. The reference makes sure the | ||
476 | * thing pointed to, does not go away under our feet. | ||
477 | * | ||
478 | * The nfnl mutex is used in the function. | ||
479 | */ | ||
480 | ip_set_id_t | ||
481 | ip_set_nfnl_get_byindex(ip_set_id_t index) | ||
482 | { | ||
483 | if (index > ip_set_max) | ||
484 | return IPSET_INVALID_ID; | ||
485 | |||
486 | nfnl_lock(); | ||
487 | if (ip_set_list[index]) | ||
488 | __ip_set_get(index); | ||
489 | else | ||
490 | index = IPSET_INVALID_ID; | ||
491 | nfnl_unlock(); | ||
492 | |||
493 | return index; | ||
494 | } | ||
495 | EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex); | ||
496 | |||
497 | /* | ||
498 | * If the given set pointer points to a valid set, decrement | ||
499 | * reference count by 1. The caller shall not assume the index | ||
500 | * to be valid, after calling this function. | ||
501 | * | ||
502 | * The nfnl mutex is used in the function. | ||
503 | */ | ||
504 | void | ||
505 | ip_set_nfnl_put(ip_set_id_t index) | ||
506 | { | ||
507 | nfnl_lock(); | ||
508 | if (ip_set_list[index] != NULL) { | ||
509 | BUG_ON(atomic_read(&ip_set_list[index]->ref) == 0); | ||
510 | __ip_set_put(index); | ||
511 | } | ||
512 | nfnl_unlock(); | ||
513 | } | ||
514 | EXPORT_SYMBOL_GPL(ip_set_nfnl_put); | ||
515 | |||
516 | /* | ||
517 | * Communication protocol with userspace over netlink. | ||
518 | * | ||
519 | * We already locked by nfnl_lock. | ||
520 | */ | ||
521 | |||
522 | static inline bool | ||
523 | protocol_failed(const struct nlattr * const tb[]) | ||
524 | { | ||
525 | return !tb[IPSET_ATTR_PROTOCOL] || | ||
526 | nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL; | ||
527 | } | ||
528 | |||
529 | static inline u32 | ||
530 | flag_exist(const struct nlmsghdr *nlh) | ||
531 | { | ||
532 | return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST; | ||
533 | } | ||
534 | |||
535 | static struct nlmsghdr * | ||
536 | start_msg(struct sk_buff *skb, u32 pid, u32 seq, unsigned int flags, | ||
537 | enum ipset_cmd cmd) | ||
538 | { | ||
539 | struct nlmsghdr *nlh; | ||
540 | struct nfgenmsg *nfmsg; | ||
541 | |||
542 | nlh = nlmsg_put(skb, pid, seq, cmd | (NFNL_SUBSYS_IPSET << 8), | ||
543 | sizeof(*nfmsg), flags); | ||
544 | if (nlh == NULL) | ||
545 | return NULL; | ||
546 | |||
547 | nfmsg = nlmsg_data(nlh); | ||
548 | nfmsg->nfgen_family = AF_INET; | ||
549 | nfmsg->version = NFNETLINK_V0; | ||
550 | nfmsg->res_id = 0; | ||
551 | |||
552 | return nlh; | ||
553 | } | ||
554 | |||
555 | /* Create a set */ | ||
556 | |||
557 | static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = { | ||
558 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | ||
559 | [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, | ||
560 | .len = IPSET_MAXNAMELEN - 1 }, | ||
561 | [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING, | ||
562 | .len = IPSET_MAXNAMELEN - 1}, | ||
563 | [IPSET_ATTR_REVISION] = { .type = NLA_U8 }, | ||
564 | [IPSET_ATTR_FAMILY] = { .type = NLA_U8 }, | ||
565 | [IPSET_ATTR_DATA] = { .type = NLA_NESTED }, | ||
566 | }; | ||
567 | |||
568 | static ip_set_id_t | ||
569 | find_set_id(const char *name) | ||
570 | { | ||
571 | ip_set_id_t i, index = IPSET_INVALID_ID; | ||
572 | const struct ip_set *set; | ||
573 | |||
574 | for (i = 0; index == IPSET_INVALID_ID && i < ip_set_max; i++) { | ||
575 | set = ip_set_list[i]; | ||
576 | if (set != NULL && STREQ(set->name, name)) | ||
577 | index = i; | ||
578 | } | ||
579 | return index; | ||
580 | } | ||
581 | |||
582 | static inline struct ip_set * | ||
583 | find_set(const char *name) | ||
584 | { | ||
585 | ip_set_id_t index = find_set_id(name); | ||
586 | |||
587 | return index == IPSET_INVALID_ID ? NULL : ip_set_list[index]; | ||
588 | } | ||
589 | |||
590 | static int | ||
591 | find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set) | ||
592 | { | ||
593 | ip_set_id_t i; | ||
594 | |||
595 | *index = IPSET_INVALID_ID; | ||
596 | for (i = 0; i < ip_set_max; i++) { | ||
597 | if (ip_set_list[i] == NULL) { | ||
598 | if (*index == IPSET_INVALID_ID) | ||
599 | *index = i; | ||
600 | } else if (STREQ(name, ip_set_list[i]->name)) { | ||
601 | /* Name clash */ | ||
602 | *set = ip_set_list[i]; | ||
603 | return -EEXIST; | ||
604 | } | ||
605 | } | ||
606 | if (*index == IPSET_INVALID_ID) | ||
607 | /* No free slot remained */ | ||
608 | return -IPSET_ERR_MAX_SETS; | ||
609 | return 0; | ||
610 | } | ||
611 | |||
612 | static int | ||
613 | ip_set_create(struct sock *ctnl, struct sk_buff *skb, | ||
614 | const struct nlmsghdr *nlh, | ||
615 | const struct nlattr * const attr[]) | ||
616 | { | ||
617 | struct ip_set *set, *clash; | ||
618 | ip_set_id_t index = IPSET_INVALID_ID; | ||
619 | struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {}; | ||
620 | const char *name, *typename; | ||
621 | u8 family, revision; | ||
622 | u32 flags = flag_exist(nlh); | ||
623 | int ret = 0; | ||
624 | |||
625 | if (unlikely(protocol_failed(attr) || | ||
626 | attr[IPSET_ATTR_SETNAME] == NULL || | ||
627 | attr[IPSET_ATTR_TYPENAME] == NULL || | ||
628 | attr[IPSET_ATTR_REVISION] == NULL || | ||
629 | attr[IPSET_ATTR_FAMILY] == NULL || | ||
630 | (attr[IPSET_ATTR_DATA] != NULL && | ||
631 | !flag_nested(attr[IPSET_ATTR_DATA])))) | ||
632 | return -IPSET_ERR_PROTOCOL; | ||
633 | |||
634 | name = nla_data(attr[IPSET_ATTR_SETNAME]); | ||
635 | typename = nla_data(attr[IPSET_ATTR_TYPENAME]); | ||
636 | family = nla_get_u8(attr[IPSET_ATTR_FAMILY]); | ||
637 | revision = nla_get_u8(attr[IPSET_ATTR_REVISION]); | ||
638 | pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n", | ||
639 | name, typename, family_name(family), revision); | ||
640 | |||
641 | /* | ||
642 | * First, and without any locks, allocate and initialize | ||
643 | * a normal base set structure. | ||
644 | */ | ||
645 | set = kzalloc(sizeof(struct ip_set), GFP_KERNEL); | ||
646 | if (!set) | ||
647 | return -ENOMEM; | ||
648 | rwlock_init(&set->lock); | ||
649 | strlcpy(set->name, name, IPSET_MAXNAMELEN); | ||
650 | atomic_set(&set->ref, 0); | ||
651 | set->family = family; | ||
652 | |||
653 | /* | ||
654 | * Next, check that we know the type, and take | ||
655 | * a reference on the type, to make sure it stays available | ||
656 | * while constructing our new set. | ||
657 | * | ||
658 | * After referencing the type, we try to create the type | ||
659 | * specific part of the set without holding any locks. | ||
660 | */ | ||
661 | ret = find_set_type_get(typename, family, revision, &(set->type)); | ||
662 | if (ret) | ||
663 | goto out; | ||
664 | |||
665 | /* | ||
666 | * Without holding any locks, create private part. | ||
667 | */ | ||
668 | if (attr[IPSET_ATTR_DATA] && | ||
669 | nla_parse(tb, IPSET_ATTR_CREATE_MAX, | ||
670 | nla_data(attr[IPSET_ATTR_DATA]), | ||
671 | nla_len(attr[IPSET_ATTR_DATA]), | ||
672 | set->type->create_policy)) { | ||
673 | ret = -IPSET_ERR_PROTOCOL; | ||
674 | goto put_out; | ||
675 | } | ||
676 | |||
677 | ret = set->type->create(set, tb, flags); | ||
678 | if (ret != 0) | ||
679 | goto put_out; | ||
680 | |||
681 | /* BTW, ret==0 here. */ | ||
682 | |||
683 | /* | ||
684 | * Here, we have a valid, constructed set and we are protected | ||
685 | * by nfnl_lock. Find the first free index in ip_set_list and | ||
686 | * check clashing. | ||
687 | */ | ||
688 | if ((ret = find_free_id(set->name, &index, &clash)) != 0) { | ||
689 | /* If this is the same set and requested, ignore error */ | ||
690 | if (ret == -EEXIST && | ||
691 | (flags & IPSET_FLAG_EXIST) && | ||
692 | STREQ(set->type->name, clash->type->name) && | ||
693 | set->type->family == clash->type->family && | ||
694 | set->type->revision == clash->type->revision && | ||
695 | set->variant->same_set(set, clash)) | ||
696 | ret = 0; | ||
697 | goto cleanup; | ||
698 | } | ||
699 | |||
700 | /* | ||
701 | * Finally! Add our shiny new set to the list, and be done. | ||
702 | */ | ||
703 | pr_debug("create: '%s' created with index %u!\n", set->name, index); | ||
704 | ip_set_list[index] = set; | ||
705 | |||
706 | return ret; | ||
707 | |||
708 | cleanup: | ||
709 | set->variant->destroy(set); | ||
710 | put_out: | ||
711 | module_put(set->type->me); | ||
712 | out: | ||
713 | kfree(set); | ||
714 | return ret; | ||
715 | } | ||
716 | |||
717 | /* Destroy sets */ | ||
718 | |||
719 | static const struct nla_policy | ||
720 | ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = { | ||
721 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | ||
722 | [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, | ||
723 | .len = IPSET_MAXNAMELEN - 1 }, | ||
724 | }; | ||
725 | |||
726 | static void | ||
727 | ip_set_destroy_set(ip_set_id_t index) | ||
728 | { | ||
729 | struct ip_set *set = ip_set_list[index]; | ||
730 | |||
731 | pr_debug("set: %s\n", set->name); | ||
732 | ip_set_list[index] = NULL; | ||
733 | |||
734 | /* Must call it without holding any lock */ | ||
735 | set->variant->destroy(set); | ||
736 | module_put(set->type->me); | ||
737 | kfree(set); | ||
738 | } | ||
739 | |||
740 | static int | ||
741 | ip_set_destroy(struct sock *ctnl, struct sk_buff *skb, | ||
742 | const struct nlmsghdr *nlh, | ||
743 | const struct nlattr * const attr[]) | ||
744 | { | ||
745 | ip_set_id_t i; | ||
746 | |||
747 | if (unlikely(protocol_failed(attr))) | ||
748 | return -IPSET_ERR_PROTOCOL; | ||
749 | |||
750 | /* References are protected by the nfnl mutex */ | ||
751 | if (!attr[IPSET_ATTR_SETNAME]) { | ||
752 | for (i = 0; i < ip_set_max; i++) { | ||
753 | if (ip_set_list[i] != NULL && | ||
754 | (atomic_read(&ip_set_list[i]->ref))) | ||
755 | return -IPSET_ERR_BUSY; | ||
756 | } | ||
757 | for (i = 0; i < ip_set_max; i++) { | ||
758 | if (ip_set_list[i] != NULL) | ||
759 | ip_set_destroy_set(i); | ||
760 | } | ||
761 | } else { | ||
762 | i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME])); | ||
763 | if (i == IPSET_INVALID_ID) | ||
764 | return -ENOENT; | ||
765 | else if (atomic_read(&ip_set_list[i]->ref)) | ||
766 | return -IPSET_ERR_BUSY; | ||
767 | |||
768 | ip_set_destroy_set(i); | ||
769 | } | ||
770 | return 0; | ||
771 | } | ||
772 | |||
773 | /* Flush sets */ | ||
774 | |||
775 | static void | ||
776 | ip_set_flush_set(struct ip_set *set) | ||
777 | { | ||
778 | pr_debug("set: %s\n", set->name); | ||
779 | |||
780 | write_lock_bh(&set->lock); | ||
781 | set->variant->flush(set); | ||
782 | write_unlock_bh(&set->lock); | ||
783 | } | ||
784 | |||
785 | static int | ||
786 | ip_set_flush(struct sock *ctnl, struct sk_buff *skb, | ||
787 | const struct nlmsghdr *nlh, | ||
788 | const struct nlattr * const attr[]) | ||
789 | { | ||
790 | ip_set_id_t i; | ||
791 | |||
792 | if (unlikely(protocol_failed(attr))) | ||
793 | return -EPROTO; | ||
794 | |||
795 | if (!attr[IPSET_ATTR_SETNAME]) { | ||
796 | for (i = 0; i < ip_set_max; i++) | ||
797 | if (ip_set_list[i] != NULL) | ||
798 | ip_set_flush_set(ip_set_list[i]); | ||
799 | } else { | ||
800 | i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME])); | ||
801 | if (i == IPSET_INVALID_ID) | ||
802 | return -ENOENT; | ||
803 | |||
804 | ip_set_flush_set(ip_set_list[i]); | ||
805 | } | ||
806 | |||
807 | return 0; | ||
808 | } | ||
809 | |||
810 | /* Rename a set */ | ||
811 | |||
812 | static const struct nla_policy | ||
813 | ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = { | ||
814 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | ||
815 | [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, | ||
816 | .len = IPSET_MAXNAMELEN - 1 }, | ||
817 | [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING, | ||
818 | .len = IPSET_MAXNAMELEN - 1 }, | ||
819 | }; | ||
820 | |||
821 | static int | ||
822 | ip_set_rename(struct sock *ctnl, struct sk_buff *skb, | ||
823 | const struct nlmsghdr *nlh, | ||
824 | const struct nlattr * const attr[]) | ||
825 | { | ||
826 | struct ip_set *set; | ||
827 | const char *name2; | ||
828 | ip_set_id_t i; | ||
829 | |||
830 | if (unlikely(protocol_failed(attr) || | ||
831 | attr[IPSET_ATTR_SETNAME] == NULL || | ||
832 | attr[IPSET_ATTR_SETNAME2] == NULL)) | ||
833 | return -IPSET_ERR_PROTOCOL; | ||
834 | |||
835 | set = find_set(nla_data(attr[IPSET_ATTR_SETNAME])); | ||
836 | if (set == NULL) | ||
837 | return -ENOENT; | ||
838 | if (atomic_read(&set->ref) != 0) | ||
839 | return -IPSET_ERR_REFERENCED; | ||
840 | |||
841 | name2 = nla_data(attr[IPSET_ATTR_SETNAME2]); | ||
842 | for (i = 0; i < ip_set_max; i++) { | ||
843 | if (ip_set_list[i] != NULL && | ||
844 | STREQ(ip_set_list[i]->name, name2)) | ||
845 | return -IPSET_ERR_EXIST_SETNAME2; | ||
846 | } | ||
847 | strncpy(set->name, name2, IPSET_MAXNAMELEN); | ||
848 | |||
849 | return 0; | ||
850 | } | ||
851 | |||
852 | /* Swap two sets so that name/index points to the other. | ||
853 | * References and set names are also swapped. | ||
854 | * | ||
855 | * We are protected by the nfnl mutex and references are | ||
856 | * manipulated only by holding the mutex. The kernel interfaces | ||
857 | * do not hold the mutex but the pointer settings are atomic | ||
858 | * so the ip_set_list always contains valid pointers to the sets. | ||
859 | */ | ||
860 | |||
861 | static int | ||
862 | ip_set_swap(struct sock *ctnl, struct sk_buff *skb, | ||
863 | const struct nlmsghdr *nlh, | ||
864 | const struct nlattr * const attr[]) | ||
865 | { | ||
866 | struct ip_set *from, *to; | ||
867 | ip_set_id_t from_id, to_id; | ||
868 | char from_name[IPSET_MAXNAMELEN]; | ||
869 | u32 from_ref; | ||
870 | |||
871 | if (unlikely(protocol_failed(attr) || | ||
872 | attr[IPSET_ATTR_SETNAME] == NULL || | ||
873 | attr[IPSET_ATTR_SETNAME2] == NULL)) | ||
874 | return -IPSET_ERR_PROTOCOL; | ||
875 | |||
876 | from_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME])); | ||
877 | if (from_id == IPSET_INVALID_ID) | ||
878 | return -ENOENT; | ||
879 | |||
880 | to_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME2])); | ||
881 | if (to_id == IPSET_INVALID_ID) | ||
882 | return -IPSET_ERR_EXIST_SETNAME2; | ||
883 | |||
884 | from = ip_set_list[from_id]; | ||
885 | to = ip_set_list[to_id]; | ||
886 | |||
887 | /* Features must not change. | ||
888 | * Not an artifical restriction anymore, as we must prevent | ||
889 | * possible loops created by swapping in setlist type of sets. */ | ||
890 | if (!(from->type->features == to->type->features && | ||
891 | from->type->family == to->type->family)) | ||
892 | return -IPSET_ERR_TYPE_MISMATCH; | ||
893 | |||
894 | /* No magic here: ref munging protected by the nfnl_lock */ | ||
895 | strncpy(from_name, from->name, IPSET_MAXNAMELEN); | ||
896 | from_ref = atomic_read(&from->ref); | ||
897 | |||
898 | strncpy(from->name, to->name, IPSET_MAXNAMELEN); | ||
899 | atomic_set(&from->ref, atomic_read(&to->ref)); | ||
900 | strncpy(to->name, from_name, IPSET_MAXNAMELEN); | ||
901 | atomic_set(&to->ref, from_ref); | ||
902 | |||
903 | ip_set_list[from_id] = to; | ||
904 | ip_set_list[to_id] = from; | ||
905 | |||
906 | return 0; | ||
907 | } | ||
908 | |||
909 | /* List/save set data */ | ||
910 | |||
911 | #define DUMP_INIT 0L | ||
912 | #define DUMP_ALL 1L | ||
913 | #define DUMP_ONE 2L | ||
914 | #define DUMP_LAST 3L | ||
915 | |||
916 | static int | ||
917 | ip_set_dump_done(struct netlink_callback *cb) | ||
918 | { | ||
919 | if (cb->args[2]) { | ||
920 | pr_debug("release set %s\n", ip_set_list[cb->args[1]]->name); | ||
921 | __ip_set_put((ip_set_id_t) cb->args[1]); | ||
922 | } | ||
923 | return 0; | ||
924 | } | ||
925 | |||
926 | static inline void | ||
927 | dump_attrs(struct nlmsghdr *nlh) | ||
928 | { | ||
929 | const struct nlattr *attr; | ||
930 | int rem; | ||
931 | |||
932 | pr_debug("dump nlmsg\n"); | ||
933 | nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) { | ||
934 | pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len); | ||
935 | } | ||
936 | } | ||
937 | |||
938 | static int | ||
939 | dump_init(struct netlink_callback *cb) | ||
940 | { | ||
941 | struct nlmsghdr *nlh = nlmsg_hdr(cb->skb); | ||
942 | int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg)); | ||
943 | struct nlattr *cda[IPSET_ATTR_CMD_MAX+1]; | ||
944 | struct nlattr *attr = (void *)nlh + min_len; | ||
945 | ip_set_id_t index; | ||
946 | |||
947 | /* Second pass, so parser can't fail */ | ||
948 | nla_parse(cda, IPSET_ATTR_CMD_MAX, | ||
949 | attr, nlh->nlmsg_len - min_len, ip_set_setname_policy); | ||
950 | |||
951 | /* cb->args[0] : dump single set/all sets | ||
952 | * [1] : set index | ||
953 | * [..]: type specific | ||
954 | */ | ||
955 | |||
956 | if (!cda[IPSET_ATTR_SETNAME]) { | ||
957 | cb->args[0] = DUMP_ALL; | ||
958 | return 0; | ||
959 | } | ||
960 | |||
961 | index = find_set_id(nla_data(cda[IPSET_ATTR_SETNAME])); | ||
962 | if (index == IPSET_INVALID_ID) | ||
963 | return -ENOENT; | ||
964 | |||
965 | cb->args[0] = DUMP_ONE; | ||
966 | cb->args[1] = index; | ||
967 | return 0; | ||
968 | } | ||
969 | |||
970 | static int | ||
971 | ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb) | ||
972 | { | ||
973 | ip_set_id_t index = IPSET_INVALID_ID, max; | ||
974 | struct ip_set *set = NULL; | ||
975 | struct nlmsghdr *nlh = NULL; | ||
976 | unsigned int flags = NETLINK_CB(cb->skb).pid ? NLM_F_MULTI : 0; | ||
977 | int ret = 0; | ||
978 | |||
979 | if (cb->args[0] == DUMP_INIT) { | ||
980 | ret = dump_init(cb); | ||
981 | if (ret < 0) { | ||
982 | nlh = nlmsg_hdr(cb->skb); | ||
983 | /* We have to create and send the error message | ||
984 | * manually :-( */ | ||
985 | if (nlh->nlmsg_flags & NLM_F_ACK) | ||
986 | netlink_ack(cb->skb, nlh, ret); | ||
987 | return ret; | ||
988 | } | ||
989 | } | ||
990 | |||
991 | if (cb->args[1] >= ip_set_max) | ||
992 | goto out; | ||
993 | |||
994 | pr_debug("args[0]: %ld args[1]: %ld\n", cb->args[0], cb->args[1]); | ||
995 | max = cb->args[0] == DUMP_ONE ? cb->args[1] + 1 : ip_set_max; | ||
996 | for (; cb->args[1] < max; cb->args[1]++) { | ||
997 | index = (ip_set_id_t) cb->args[1]; | ||
998 | set = ip_set_list[index]; | ||
999 | if (set == NULL) { | ||
1000 | if (cb->args[0] == DUMP_ONE) { | ||
1001 | ret = -ENOENT; | ||
1002 | goto out; | ||
1003 | } | ||
1004 | continue; | ||
1005 | } | ||
1006 | /* When dumping all sets, we must dump "sorted" | ||
1007 | * so that lists (unions of sets) are dumped last. | ||
1008 | */ | ||
1009 | if (cb->args[0] != DUMP_ONE && | ||
1010 | !((cb->args[0] == DUMP_ALL) ^ | ||
1011 | (set->type->features & IPSET_DUMP_LAST))) | ||
1012 | continue; | ||
1013 | pr_debug("List set: %s\n", set->name); | ||
1014 | if (!cb->args[2]) { | ||
1015 | /* Start listing: make sure set won't be destroyed */ | ||
1016 | pr_debug("reference set\n"); | ||
1017 | __ip_set_get(index); | ||
1018 | } | ||
1019 | nlh = start_msg(skb, NETLINK_CB(cb->skb).pid, | ||
1020 | cb->nlh->nlmsg_seq, flags, | ||
1021 | IPSET_CMD_LIST); | ||
1022 | if (!nlh) { | ||
1023 | ret = -EMSGSIZE; | ||
1024 | goto release_refcount; | ||
1025 | } | ||
1026 | NLA_PUT_U8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL); | ||
1027 | NLA_PUT_STRING(skb, IPSET_ATTR_SETNAME, set->name); | ||
1028 | switch (cb->args[2]) { | ||
1029 | case 0: | ||
1030 | /* Core header data */ | ||
1031 | NLA_PUT_STRING(skb, IPSET_ATTR_TYPENAME, | ||
1032 | set->type->name); | ||
1033 | NLA_PUT_U8(skb, IPSET_ATTR_FAMILY, | ||
1034 | set->family); | ||
1035 | NLA_PUT_U8(skb, IPSET_ATTR_REVISION, | ||
1036 | set->type->revision); | ||
1037 | ret = set->variant->head(set, skb); | ||
1038 | if (ret < 0) | ||
1039 | goto release_refcount; | ||
1040 | /* Fall through and add elements */ | ||
1041 | default: | ||
1042 | read_lock_bh(&set->lock); | ||
1043 | ret = set->variant->list(set, skb, cb); | ||
1044 | read_unlock_bh(&set->lock); | ||
1045 | if (!cb->args[2]) { | ||
1046 | /* Set is done, proceed with next one */ | ||
1047 | if (cb->args[0] == DUMP_ONE) | ||
1048 | cb->args[1] = IPSET_INVALID_ID; | ||
1049 | else | ||
1050 | cb->args[1]++; | ||
1051 | } | ||
1052 | goto release_refcount; | ||
1053 | } | ||
1054 | } | ||
1055 | goto out; | ||
1056 | |||
1057 | nla_put_failure: | ||
1058 | ret = -EFAULT; | ||
1059 | release_refcount: | ||
1060 | /* If there was an error or set is done, release set */ | ||
1061 | if (ret || !cb->args[2]) { | ||
1062 | pr_debug("release set %s\n", ip_set_list[index]->name); | ||
1063 | __ip_set_put(index); | ||
1064 | } | ||
1065 | |||
1066 | /* If we dump all sets, continue with dumping last ones */ | ||
1067 | if (cb->args[0] == DUMP_ALL && cb->args[1] >= max && !cb->args[2]) | ||
1068 | cb->args[0] = DUMP_LAST; | ||
1069 | |||
1070 | out: | ||
1071 | if (nlh) { | ||
1072 | nlmsg_end(skb, nlh); | ||
1073 | pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len); | ||
1074 | dump_attrs(nlh); | ||
1075 | } | ||
1076 | |||
1077 | return ret < 0 ? ret : skb->len; | ||
1078 | } | ||
1079 | |||
1080 | static int | ||
1081 | ip_set_dump(struct sock *ctnl, struct sk_buff *skb, | ||
1082 | const struct nlmsghdr *nlh, | ||
1083 | const struct nlattr * const attr[]) | ||
1084 | { | ||
1085 | if (unlikely(protocol_failed(attr))) | ||
1086 | return -IPSET_ERR_PROTOCOL; | ||
1087 | |||
1088 | return netlink_dump_start(ctnl, skb, nlh, | ||
1089 | ip_set_dump_start, | ||
1090 | ip_set_dump_done); | ||
1091 | } | ||
1092 | |||
1093 | /* Add, del and test */ | ||
1094 | |||
1095 | static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = { | ||
1096 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | ||
1097 | [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, | ||
1098 | .len = IPSET_MAXNAMELEN - 1 }, | ||
1099 | [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, | ||
1100 | [IPSET_ATTR_DATA] = { .type = NLA_NESTED }, | ||
1101 | [IPSET_ATTR_ADT] = { .type = NLA_NESTED }, | ||
1102 | }; | ||
1103 | |||
1104 | static int | ||
1105 | call_ad(struct sk_buff *skb, struct ip_set *set, | ||
1106 | struct nlattr *tb[], enum ipset_adt adt, | ||
1107 | u32 flags, bool use_lineno) | ||
1108 | { | ||
1109 | int ret, retried = 0; | ||
1110 | u32 lineno = 0; | ||
1111 | bool eexist = flags & IPSET_FLAG_EXIST; | ||
1112 | |||
1113 | do { | ||
1114 | write_lock_bh(&set->lock); | ||
1115 | ret = set->variant->uadt(set, tb, adt, &lineno, flags); | ||
1116 | write_unlock_bh(&set->lock); | ||
1117 | } while (ret == -EAGAIN && | ||
1118 | set->variant->resize && | ||
1119 | (ret = set->variant->resize(set, retried++)) == 0); | ||
1120 | |||
1121 | if (!ret || (ret == -IPSET_ERR_EXIST && eexist)) | ||
1122 | return 0; | ||
1123 | if (lineno && use_lineno) { | ||
1124 | /* Error in restore/batch mode: send back lineno */ | ||
1125 | struct nlmsghdr *nlh = nlmsg_hdr(skb); | ||
1126 | int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg)); | ||
1127 | struct nlattr *cda[IPSET_ATTR_CMD_MAX+1]; | ||
1128 | struct nlattr *cmdattr = (void *)nlh + min_len; | ||
1129 | u32 *errline; | ||
1130 | |||
1131 | nla_parse(cda, IPSET_ATTR_CMD_MAX, | ||
1132 | cmdattr, nlh->nlmsg_len - min_len, | ||
1133 | ip_set_adt_policy); | ||
1134 | |||
1135 | errline = nla_data(cda[IPSET_ATTR_LINENO]); | ||
1136 | |||
1137 | *errline = lineno; | ||
1138 | } | ||
1139 | |||
1140 | return ret; | ||
1141 | } | ||
1142 | |||
1143 | static int | ||
1144 | ip_set_uadd(struct sock *ctnl, struct sk_buff *skb, | ||
1145 | const struct nlmsghdr *nlh, | ||
1146 | const struct nlattr * const attr[]) | ||
1147 | { | ||
1148 | struct ip_set *set; | ||
1149 | struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; | ||
1150 | const struct nlattr *nla; | ||
1151 | u32 flags = flag_exist(nlh); | ||
1152 | bool use_lineno; | ||
1153 | int ret = 0; | ||
1154 | |||
1155 | if (unlikely(protocol_failed(attr) || | ||
1156 | attr[IPSET_ATTR_SETNAME] == NULL || | ||
1157 | !((attr[IPSET_ATTR_DATA] != NULL) ^ | ||
1158 | (attr[IPSET_ATTR_ADT] != NULL)) || | ||
1159 | (attr[IPSET_ATTR_DATA] != NULL && | ||
1160 | !flag_nested(attr[IPSET_ATTR_DATA])) || | ||
1161 | (attr[IPSET_ATTR_ADT] != NULL && | ||
1162 | (!flag_nested(attr[IPSET_ATTR_ADT]) || | ||
1163 | attr[IPSET_ATTR_LINENO] == NULL)))) | ||
1164 | return -IPSET_ERR_PROTOCOL; | ||
1165 | |||
1166 | set = find_set(nla_data(attr[IPSET_ATTR_SETNAME])); | ||
1167 | if (set == NULL) | ||
1168 | return -ENOENT; | ||
1169 | |||
1170 | use_lineno = !!attr[IPSET_ATTR_LINENO]; | ||
1171 | if (attr[IPSET_ATTR_DATA]) { | ||
1172 | if (nla_parse(tb, IPSET_ATTR_ADT_MAX, | ||
1173 | nla_data(attr[IPSET_ATTR_DATA]), | ||
1174 | nla_len(attr[IPSET_ATTR_DATA]), | ||
1175 | set->type->adt_policy)) | ||
1176 | return -IPSET_ERR_PROTOCOL; | ||
1177 | ret = call_ad(skb, set, tb, IPSET_ADD, flags, use_lineno); | ||
1178 | } else { | ||
1179 | int nla_rem; | ||
1180 | |||
1181 | nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) { | ||
1182 | memset(tb, 0, sizeof(tb)); | ||
1183 | if (nla_type(nla) != IPSET_ATTR_DATA || | ||
1184 | !flag_nested(nla) || | ||
1185 | nla_parse(tb, IPSET_ATTR_ADT_MAX, | ||
1186 | nla_data(nla), nla_len(nla), | ||
1187 | set->type->adt_policy)) | ||
1188 | return -IPSET_ERR_PROTOCOL; | ||
1189 | ret = call_ad(skb, set, tb, IPSET_ADD, | ||
1190 | flags, use_lineno); | ||
1191 | if (ret < 0) | ||
1192 | return ret; | ||
1193 | } | ||
1194 | } | ||
1195 | return ret; | ||
1196 | } | ||
1197 | |||
1198 | static int | ||
1199 | ip_set_udel(struct sock *ctnl, struct sk_buff *skb, | ||
1200 | const struct nlmsghdr *nlh, | ||
1201 | const struct nlattr * const attr[]) | ||
1202 | { | ||
1203 | struct ip_set *set; | ||
1204 | struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; | ||
1205 | const struct nlattr *nla; | ||
1206 | u32 flags = flag_exist(nlh); | ||
1207 | bool use_lineno; | ||
1208 | int ret = 0; | ||
1209 | |||
1210 | if (unlikely(protocol_failed(attr) || | ||
1211 | attr[IPSET_ATTR_SETNAME] == NULL || | ||
1212 | !((attr[IPSET_ATTR_DATA] != NULL) ^ | ||
1213 | (attr[IPSET_ATTR_ADT] != NULL)) || | ||
1214 | (attr[IPSET_ATTR_DATA] != NULL && | ||
1215 | !flag_nested(attr[IPSET_ATTR_DATA])) || | ||
1216 | (attr[IPSET_ATTR_ADT] != NULL && | ||
1217 | (!flag_nested(attr[IPSET_ATTR_ADT]) || | ||
1218 | attr[IPSET_ATTR_LINENO] == NULL)))) | ||
1219 | return -IPSET_ERR_PROTOCOL; | ||
1220 | |||
1221 | set = find_set(nla_data(attr[IPSET_ATTR_SETNAME])); | ||
1222 | if (set == NULL) | ||
1223 | return -ENOENT; | ||
1224 | |||
1225 | use_lineno = !!attr[IPSET_ATTR_LINENO]; | ||
1226 | if (attr[IPSET_ATTR_DATA]) { | ||
1227 | if (nla_parse(tb, IPSET_ATTR_ADT_MAX, | ||
1228 | nla_data(attr[IPSET_ATTR_DATA]), | ||
1229 | nla_len(attr[IPSET_ATTR_DATA]), | ||
1230 | set->type->adt_policy)) | ||
1231 | return -IPSET_ERR_PROTOCOL; | ||
1232 | ret = call_ad(skb, set, tb, IPSET_DEL, flags, use_lineno); | ||
1233 | } else { | ||
1234 | int nla_rem; | ||
1235 | |||
1236 | nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) { | ||
1237 | memset(tb, 0, sizeof(*tb)); | ||
1238 | if (nla_type(nla) != IPSET_ATTR_DATA || | ||
1239 | !flag_nested(nla) || | ||
1240 | nla_parse(tb, IPSET_ATTR_ADT_MAX, | ||
1241 | nla_data(nla), nla_len(nla), | ||
1242 | set->type->adt_policy)) | ||
1243 | return -IPSET_ERR_PROTOCOL; | ||
1244 | ret = call_ad(skb, set, tb, IPSET_DEL, | ||
1245 | flags, use_lineno); | ||
1246 | if (ret < 0) | ||
1247 | return ret; | ||
1248 | } | ||
1249 | } | ||
1250 | return ret; | ||
1251 | } | ||
1252 | |||
1253 | static int | ||
1254 | ip_set_utest(struct sock *ctnl, struct sk_buff *skb, | ||
1255 | const struct nlmsghdr *nlh, | ||
1256 | const struct nlattr * const attr[]) | ||
1257 | { | ||
1258 | struct ip_set *set; | ||
1259 | struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; | ||
1260 | int ret = 0; | ||
1261 | |||
1262 | if (unlikely(protocol_failed(attr) || | ||
1263 | attr[IPSET_ATTR_SETNAME] == NULL || | ||
1264 | attr[IPSET_ATTR_DATA] == NULL || | ||
1265 | !flag_nested(attr[IPSET_ATTR_DATA]))) | ||
1266 | return -IPSET_ERR_PROTOCOL; | ||
1267 | |||
1268 | set = find_set(nla_data(attr[IPSET_ATTR_SETNAME])); | ||
1269 | if (set == NULL) | ||
1270 | return -ENOENT; | ||
1271 | |||
1272 | if (nla_parse(tb, IPSET_ATTR_ADT_MAX, | ||
1273 | nla_data(attr[IPSET_ATTR_DATA]), | ||
1274 | nla_len(attr[IPSET_ATTR_DATA]), | ||
1275 | set->type->adt_policy)) | ||
1276 | return -IPSET_ERR_PROTOCOL; | ||
1277 | |||
1278 | read_lock_bh(&set->lock); | ||
1279 | ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0); | ||
1280 | read_unlock_bh(&set->lock); | ||
1281 | /* Userspace can't trigger element to be re-added */ | ||
1282 | if (ret == -EAGAIN) | ||
1283 | ret = 1; | ||
1284 | |||
1285 | return ret < 0 ? ret : ret > 0 ? 0 : -IPSET_ERR_EXIST; | ||
1286 | } | ||
1287 | |||
1288 | /* Get headed data of a set */ | ||
1289 | |||
1290 | static int | ||
1291 | ip_set_header(struct sock *ctnl, struct sk_buff *skb, | ||
1292 | const struct nlmsghdr *nlh, | ||
1293 | const struct nlattr * const attr[]) | ||
1294 | { | ||
1295 | const struct ip_set *set; | ||
1296 | struct sk_buff *skb2; | ||
1297 | struct nlmsghdr *nlh2; | ||
1298 | ip_set_id_t index; | ||
1299 | int ret = 0; | ||
1300 | |||
1301 | if (unlikely(protocol_failed(attr) || | ||
1302 | attr[IPSET_ATTR_SETNAME] == NULL)) | ||
1303 | return -IPSET_ERR_PROTOCOL; | ||
1304 | |||
1305 | index = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME])); | ||
1306 | if (index == IPSET_INVALID_ID) | ||
1307 | return -ENOENT; | ||
1308 | set = ip_set_list[index]; | ||
1309 | |||
1310 | skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); | ||
1311 | if (skb2 == NULL) | ||
1312 | return -ENOMEM; | ||
1313 | |||
1314 | nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0, | ||
1315 | IPSET_CMD_HEADER); | ||
1316 | if (!nlh2) | ||
1317 | goto nlmsg_failure; | ||
1318 | NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL); | ||
1319 | NLA_PUT_STRING(skb2, IPSET_ATTR_SETNAME, set->name); | ||
1320 | NLA_PUT_STRING(skb2, IPSET_ATTR_TYPENAME, set->type->name); | ||
1321 | NLA_PUT_U8(skb2, IPSET_ATTR_FAMILY, set->family); | ||
1322 | NLA_PUT_U8(skb2, IPSET_ATTR_REVISION, set->type->revision); | ||
1323 | nlmsg_end(skb2, nlh2); | ||
1324 | |||
1325 | ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); | ||
1326 | if (ret < 0) | ||
1327 | return ret; | ||
1328 | |||
1329 | return 0; | ||
1330 | |||
1331 | nla_put_failure: | ||
1332 | nlmsg_cancel(skb2, nlh2); | ||
1333 | nlmsg_failure: | ||
1334 | kfree_skb(skb2); | ||
1335 | return -EMSGSIZE; | ||
1336 | } | ||
1337 | |||
1338 | /* Get type data */ | ||
1339 | |||
1340 | static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = { | ||
1341 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | ||
1342 | [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING, | ||
1343 | .len = IPSET_MAXNAMELEN - 1 }, | ||
1344 | [IPSET_ATTR_FAMILY] = { .type = NLA_U8 }, | ||
1345 | }; | ||
1346 | |||
1347 | static int | ||
1348 | ip_set_type(struct sock *ctnl, struct sk_buff *skb, | ||
1349 | const struct nlmsghdr *nlh, | ||
1350 | const struct nlattr * const attr[]) | ||
1351 | { | ||
1352 | struct sk_buff *skb2; | ||
1353 | struct nlmsghdr *nlh2; | ||
1354 | u8 family, min, max; | ||
1355 | const char *typename; | ||
1356 | int ret = 0; | ||
1357 | |||
1358 | if (unlikely(protocol_failed(attr) || | ||
1359 | attr[IPSET_ATTR_TYPENAME] == NULL || | ||
1360 | attr[IPSET_ATTR_FAMILY] == NULL)) | ||
1361 | return -IPSET_ERR_PROTOCOL; | ||
1362 | |||
1363 | family = nla_get_u8(attr[IPSET_ATTR_FAMILY]); | ||
1364 | typename = nla_data(attr[IPSET_ATTR_TYPENAME]); | ||
1365 | ret = find_set_type_minmax(typename, family, &min, &max); | ||
1366 | if (ret) | ||
1367 | return ret; | ||
1368 | |||
1369 | skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); | ||
1370 | if (skb2 == NULL) | ||
1371 | return -ENOMEM; | ||
1372 | |||
1373 | nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0, | ||
1374 | IPSET_CMD_TYPE); | ||
1375 | if (!nlh2) | ||
1376 | goto nlmsg_failure; | ||
1377 | NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL); | ||
1378 | NLA_PUT_STRING(skb2, IPSET_ATTR_TYPENAME, typename); | ||
1379 | NLA_PUT_U8(skb2, IPSET_ATTR_FAMILY, family); | ||
1380 | NLA_PUT_U8(skb2, IPSET_ATTR_REVISION, max); | ||
1381 | NLA_PUT_U8(skb2, IPSET_ATTR_REVISION_MIN, min); | ||
1382 | nlmsg_end(skb2, nlh2); | ||
1383 | |||
1384 | pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len); | ||
1385 | ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); | ||
1386 | if (ret < 0) | ||
1387 | return ret; | ||
1388 | |||
1389 | return 0; | ||
1390 | |||
1391 | nla_put_failure: | ||
1392 | nlmsg_cancel(skb2, nlh2); | ||
1393 | nlmsg_failure: | ||
1394 | kfree_skb(skb2); | ||
1395 | return -EMSGSIZE; | ||
1396 | } | ||
1397 | |||
1398 | /* Get protocol version */ | ||
1399 | |||
1400 | static const struct nla_policy | ||
1401 | ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = { | ||
1402 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | ||
1403 | }; | ||
1404 | |||
1405 | static int | ||
1406 | ip_set_protocol(struct sock *ctnl, struct sk_buff *skb, | ||
1407 | const struct nlmsghdr *nlh, | ||
1408 | const struct nlattr * const attr[]) | ||
1409 | { | ||
1410 | struct sk_buff *skb2; | ||
1411 | struct nlmsghdr *nlh2; | ||
1412 | int ret = 0; | ||
1413 | |||
1414 | if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL)) | ||
1415 | return -IPSET_ERR_PROTOCOL; | ||
1416 | |||
1417 | skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); | ||
1418 | if (skb2 == NULL) | ||
1419 | return -ENOMEM; | ||
1420 | |||
1421 | nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0, | ||
1422 | IPSET_CMD_PROTOCOL); | ||
1423 | if (!nlh2) | ||
1424 | goto nlmsg_failure; | ||
1425 | NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL); | ||
1426 | nlmsg_end(skb2, nlh2); | ||
1427 | |||
1428 | ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); | ||
1429 | if (ret < 0) | ||
1430 | return ret; | ||
1431 | |||
1432 | return 0; | ||
1433 | |||
1434 | nla_put_failure: | ||
1435 | nlmsg_cancel(skb2, nlh2); | ||
1436 | nlmsg_failure: | ||
1437 | kfree_skb(skb2); | ||
1438 | return -EMSGSIZE; | ||
1439 | } | ||
1440 | |||
1441 | static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = { | ||
1442 | [IPSET_CMD_CREATE] = { | ||
1443 | .call = ip_set_create, | ||
1444 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1445 | .policy = ip_set_create_policy, | ||
1446 | }, | ||
1447 | [IPSET_CMD_DESTROY] = { | ||
1448 | .call = ip_set_destroy, | ||
1449 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1450 | .policy = ip_set_setname_policy, | ||
1451 | }, | ||
1452 | [IPSET_CMD_FLUSH] = { | ||
1453 | .call = ip_set_flush, | ||
1454 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1455 | .policy = ip_set_setname_policy, | ||
1456 | }, | ||
1457 | [IPSET_CMD_RENAME] = { | ||
1458 | .call = ip_set_rename, | ||
1459 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1460 | .policy = ip_set_setname2_policy, | ||
1461 | }, | ||
1462 | [IPSET_CMD_SWAP] = { | ||
1463 | .call = ip_set_swap, | ||
1464 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1465 | .policy = ip_set_setname2_policy, | ||
1466 | }, | ||
1467 | [IPSET_CMD_LIST] = { | ||
1468 | .call = ip_set_dump, | ||
1469 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1470 | .policy = ip_set_setname_policy, | ||
1471 | }, | ||
1472 | [IPSET_CMD_SAVE] = { | ||
1473 | .call = ip_set_dump, | ||
1474 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1475 | .policy = ip_set_setname_policy, | ||
1476 | }, | ||
1477 | [IPSET_CMD_ADD] = { | ||
1478 | .call = ip_set_uadd, | ||
1479 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1480 | .policy = ip_set_adt_policy, | ||
1481 | }, | ||
1482 | [IPSET_CMD_DEL] = { | ||
1483 | .call = ip_set_udel, | ||
1484 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1485 | .policy = ip_set_adt_policy, | ||
1486 | }, | ||
1487 | [IPSET_CMD_TEST] = { | ||
1488 | .call = ip_set_utest, | ||
1489 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1490 | .policy = ip_set_adt_policy, | ||
1491 | }, | ||
1492 | [IPSET_CMD_HEADER] = { | ||
1493 | .call = ip_set_header, | ||
1494 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1495 | .policy = ip_set_setname_policy, | ||
1496 | }, | ||
1497 | [IPSET_CMD_TYPE] = { | ||
1498 | .call = ip_set_type, | ||
1499 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1500 | .policy = ip_set_type_policy, | ||
1501 | }, | ||
1502 | [IPSET_CMD_PROTOCOL] = { | ||
1503 | .call = ip_set_protocol, | ||
1504 | .attr_count = IPSET_ATTR_CMD_MAX, | ||
1505 | .policy = ip_set_protocol_policy, | ||
1506 | }, | ||
1507 | }; | ||
1508 | |||
1509 | static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = { | ||
1510 | .name = "ip_set", | ||
1511 | .subsys_id = NFNL_SUBSYS_IPSET, | ||
1512 | .cb_count = IPSET_MSG_MAX, | ||
1513 | .cb = ip_set_netlink_subsys_cb, | ||
1514 | }; | ||
1515 | |||
1516 | /* Interface to iptables/ip6tables */ | ||
1517 | |||
1518 | static int | ||
1519 | ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len) | ||
1520 | { | ||
1521 | unsigned *op; | ||
1522 | void *data; | ||
1523 | int copylen = *len, ret = 0; | ||
1524 | |||
1525 | if (!capable(CAP_NET_ADMIN)) | ||
1526 | return -EPERM; | ||
1527 | if (optval != SO_IP_SET) | ||
1528 | return -EBADF; | ||
1529 | if (*len < sizeof(unsigned)) | ||
1530 | return -EINVAL; | ||
1531 | |||
1532 | data = vmalloc(*len); | ||
1533 | if (!data) | ||
1534 | return -ENOMEM; | ||
1535 | if (copy_from_user(data, user, *len) != 0) { | ||
1536 | ret = -EFAULT; | ||
1537 | goto done; | ||
1538 | } | ||
1539 | op = (unsigned *) data; | ||
1540 | |||
1541 | if (*op < IP_SET_OP_VERSION) { | ||
1542 | /* Check the version at the beginning of operations */ | ||
1543 | struct ip_set_req_version *req_version = data; | ||
1544 | if (req_version->version != IPSET_PROTOCOL) { | ||
1545 | ret = -EPROTO; | ||
1546 | goto done; | ||
1547 | } | ||
1548 | } | ||
1549 | |||
1550 | switch (*op) { | ||
1551 | case IP_SET_OP_VERSION: { | ||
1552 | struct ip_set_req_version *req_version = data; | ||
1553 | |||
1554 | if (*len != sizeof(struct ip_set_req_version)) { | ||
1555 | ret = -EINVAL; | ||
1556 | goto done; | ||
1557 | } | ||
1558 | |||
1559 | req_version->version = IPSET_PROTOCOL; | ||
1560 | ret = copy_to_user(user, req_version, | ||
1561 | sizeof(struct ip_set_req_version)); | ||
1562 | goto done; | ||
1563 | } | ||
1564 | case IP_SET_OP_GET_BYNAME: { | ||
1565 | struct ip_set_req_get_set *req_get = data; | ||
1566 | |||
1567 | if (*len != sizeof(struct ip_set_req_get_set)) { | ||
1568 | ret = -EINVAL; | ||
1569 | goto done; | ||
1570 | } | ||
1571 | req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0'; | ||
1572 | nfnl_lock(); | ||
1573 | req_get->set.index = find_set_id(req_get->set.name); | ||
1574 | nfnl_unlock(); | ||
1575 | goto copy; | ||
1576 | } | ||
1577 | case IP_SET_OP_GET_BYINDEX: { | ||
1578 | struct ip_set_req_get_set *req_get = data; | ||
1579 | |||
1580 | if (*len != sizeof(struct ip_set_req_get_set) || | ||
1581 | req_get->set.index >= ip_set_max) { | ||
1582 | ret = -EINVAL; | ||
1583 | goto done; | ||
1584 | } | ||
1585 | nfnl_lock(); | ||
1586 | strncpy(req_get->set.name, | ||
1587 | ip_set_list[req_get->set.index] | ||
1588 | ? ip_set_list[req_get->set.index]->name : "", | ||
1589 | IPSET_MAXNAMELEN); | ||
1590 | nfnl_unlock(); | ||
1591 | goto copy; | ||
1592 | } | ||
1593 | default: | ||
1594 | ret = -EBADMSG; | ||
1595 | goto done; | ||
1596 | } /* end of switch(op) */ | ||
1597 | |||
1598 | copy: | ||
1599 | ret = copy_to_user(user, data, copylen); | ||
1600 | |||
1601 | done: | ||
1602 | vfree(data); | ||
1603 | if (ret > 0) | ||
1604 | ret = 0; | ||
1605 | return ret; | ||
1606 | } | ||
1607 | |||
1608 | static struct nf_sockopt_ops so_set __read_mostly = { | ||
1609 | .pf = PF_INET, | ||
1610 | .get_optmin = SO_IP_SET, | ||
1611 | .get_optmax = SO_IP_SET + 1, | ||
1612 | .get = &ip_set_sockfn_get, | ||
1613 | .owner = THIS_MODULE, | ||
1614 | }; | ||
1615 | |||
1616 | static int __init | ||
1617 | ip_set_init(void) | ||
1618 | { | ||
1619 | int ret; | ||
1620 | |||
1621 | if (max_sets) | ||
1622 | ip_set_max = max_sets; | ||
1623 | if (ip_set_max >= IPSET_INVALID_ID) | ||
1624 | ip_set_max = IPSET_INVALID_ID - 1; | ||
1625 | |||
1626 | ip_set_list = kzalloc(sizeof(struct ip_set *) * ip_set_max, | ||
1627 | GFP_KERNEL); | ||
1628 | if (!ip_set_list) { | ||
1629 | pr_err("ip_set: Unable to create ip_set_list\n"); | ||
1630 | return -ENOMEM; | ||
1631 | } | ||
1632 | |||
1633 | ret = nfnetlink_subsys_register(&ip_set_netlink_subsys); | ||
1634 | if (ret != 0) { | ||
1635 | pr_err("ip_set: cannot register with nfnetlink.\n"); | ||
1636 | kfree(ip_set_list); | ||
1637 | return ret; | ||
1638 | } | ||
1639 | ret = nf_register_sockopt(&so_set); | ||
1640 | if (ret != 0) { | ||
1641 | pr_err("SO_SET registry failed: %d\n", ret); | ||
1642 | nfnetlink_subsys_unregister(&ip_set_netlink_subsys); | ||
1643 | kfree(ip_set_list); | ||
1644 | return ret; | ||
1645 | } | ||
1646 | |||
1647 | pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL); | ||
1648 | return 0; | ||
1649 | } | ||
1650 | |||
1651 | static void __exit | ||
1652 | ip_set_fini(void) | ||
1653 | { | ||
1654 | /* There can't be any existing set */ | ||
1655 | nf_unregister_sockopt(&so_set); | ||
1656 | nfnetlink_subsys_unregister(&ip_set_netlink_subsys); | ||
1657 | kfree(ip_set_list); | ||
1658 | pr_debug("these are the famous last words\n"); | ||
1659 | } | ||
1660 | |||
1661 | module_init(ip_set_init); | ||
1662 | module_exit(ip_set_fini); | ||
diff --git a/net/netfilter/ipset/ip_set_getport.c b/net/netfilter/ipset/ip_set_getport.c new file mode 100644 index 000000000000..76737bba28ee --- /dev/null +++ b/net/netfilter/ipset/ip_set_getport.c | |||
@@ -0,0 +1,136 @@ | |||
1 | /* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | ||
2 | * | ||
3 | * This program is free software; you can redistribute it and/or modify | ||
4 | * it under the terms of the GNU General Public License version 2 as | ||
5 | * published by the Free Software Foundation. | ||
6 | */ | ||
7 | |||
8 | /* Get Layer-4 data from the packets */ | ||
9 | |||
10 | #include <linux/ip.h> | ||
11 | #include <linux/skbuff.h> | ||
12 | #include <linux/icmp.h> | ||
13 | #include <linux/icmpv6.h> | ||
14 | #include <linux/netfilter_ipv6/ip6_tables.h> | ||
15 | #include <net/ip.h> | ||
16 | |||
17 | #include <linux/netfilter/ipset/ip_set_getport.h> | ||
18 | |||
19 | /* We must handle non-linear skbs */ | ||
20 | static bool | ||
21 | get_port(const struct sk_buff *skb, int protocol, unsigned int protooff, | ||
22 | bool src, __be16 *port, u8 *proto) | ||
23 | { | ||
24 | switch (protocol) { | ||
25 | case IPPROTO_TCP: { | ||
26 | struct tcphdr _tcph; | ||
27 | const struct tcphdr *th; | ||
28 | |||
29 | th = skb_header_pointer(skb, protooff, sizeof(_tcph), &_tcph); | ||
30 | if (th == NULL) | ||
31 | /* No choice either */ | ||
32 | return false; | ||
33 | |||
34 | *port = src ? th->source : th->dest; | ||
35 | break; | ||
36 | } | ||
37 | case IPPROTO_UDP: { | ||
38 | struct udphdr _udph; | ||
39 | const struct udphdr *uh; | ||
40 | |||
41 | uh = skb_header_pointer(skb, protooff, sizeof(_udph), &_udph); | ||
42 | if (uh == NULL) | ||
43 | /* No choice either */ | ||
44 | return false; | ||
45 | |||
46 | *port = src ? uh->source : uh->dest; | ||
47 | break; | ||
48 | } | ||
49 | case IPPROTO_ICMP: { | ||
50 | struct icmphdr _ich; | ||
51 | const struct icmphdr *ic; | ||
52 | |||
53 | ic = skb_header_pointer(skb, protooff, sizeof(_ich), &_ich); | ||
54 | if (ic == NULL) | ||
55 | return false; | ||
56 | |||
57 | *port = (__force __be16)htons((ic->type << 8) | ic->code); | ||
58 | break; | ||
59 | } | ||
60 | case IPPROTO_ICMPV6: { | ||
61 | struct icmp6hdr _ich; | ||
62 | const struct icmp6hdr *ic; | ||
63 | |||
64 | ic = skb_header_pointer(skb, protooff, sizeof(_ich), &_ich); | ||
65 | if (ic == NULL) | ||
66 | return false; | ||
67 | |||
68 | *port = (__force __be16) | ||
69 | htons((ic->icmp6_type << 8) | ic->icmp6_code); | ||
70 | break; | ||
71 | } | ||
72 | default: | ||
73 | break; | ||
74 | } | ||
75 | *proto = protocol; | ||
76 | |||
77 | return true; | ||
78 | } | ||
79 | |||
80 | bool | ||
81 | ip_set_get_ip4_port(const struct sk_buff *skb, bool src, | ||
82 | __be16 *port, u8 *proto) | ||
83 | { | ||
84 | const struct iphdr *iph = ip_hdr(skb); | ||
85 | unsigned int protooff = ip_hdrlen(skb); | ||
86 | int protocol = iph->protocol; | ||
87 | |||
88 | /* See comments at tcp_match in ip_tables.c */ | ||
89 | if (protocol <= 0 || (ntohs(iph->frag_off) & IP_OFFSET)) | ||
90 | return false; | ||
91 | |||
92 | return get_port(skb, protocol, protooff, src, port, proto); | ||
93 | } | ||
94 | EXPORT_SYMBOL_GPL(ip_set_get_ip4_port); | ||
95 | |||
96 | bool | ||
97 | ip_set_get_ip6_port(const struct sk_buff *skb, bool src, | ||
98 | __be16 *port, u8 *proto) | ||
99 | { | ||
100 | unsigned int protooff = 0; | ||
101 | int protocol; | ||
102 | unsigned short fragoff; | ||
103 | |||
104 | protocol = ipv6_find_hdr(skb, &protooff, -1, &fragoff); | ||
105 | if (protocol <= 0 || fragoff) | ||
106 | return false; | ||
107 | |||
108 | return get_port(skb, protocol, protooff, src, port, proto); | ||
109 | } | ||
110 | EXPORT_SYMBOL_GPL(ip_set_get_ip6_port); | ||
111 | |||
112 | bool | ||
113 | ip_set_get_ip_port(const struct sk_buff *skb, u8 pf, bool src, __be16 *port) | ||
114 | { | ||
115 | bool ret; | ||
116 | u8 proto; | ||
117 | |||
118 | switch (pf) { | ||
119 | case AF_INET: | ||
120 | ret = ip_set_get_ip4_port(skb, src, port, &proto); | ||
121 | case AF_INET6: | ||
122 | ret = ip_set_get_ip6_port(skb, src, port, &proto); | ||
123 | default: | ||
124 | return false; | ||
125 | } | ||
126 | if (!ret) | ||
127 | return ret; | ||
128 | switch (proto) { | ||
129 | case IPPROTO_TCP: | ||
130 | case IPPROTO_UDP: | ||
131 | return true; | ||
132 | default: | ||
133 | return false; | ||
134 | } | ||
135 | } | ||
136 | EXPORT_SYMBOL_GPL(ip_set_get_ip_port); | ||
diff --git a/net/netfilter/ipset/pfxlen.c b/net/netfilter/ipset/pfxlen.c new file mode 100644 index 000000000000..23f8c8162214 --- /dev/null +++ b/net/netfilter/ipset/pfxlen.c | |||
@@ -0,0 +1,291 @@ | |||
1 | #include <linux/netfilter/ipset/pfxlen.h> | ||
2 | |||
3 | /* | ||
4 | * Prefixlen maps for fast conversions, by Jan Engelhardt. | ||
5 | */ | ||
6 | |||
7 | #define E(a, b, c, d) \ | ||
8 | {.ip6 = { \ | ||
9 | __constant_htonl(a), __constant_htonl(b), \ | ||
10 | __constant_htonl(c), __constant_htonl(d), \ | ||
11 | } } | ||
12 | |||
13 | /* | ||
14 | * This table works for both IPv4 and IPv6; | ||
15 | * just use prefixlen_netmask_map[prefixlength].ip. | ||
16 | */ | ||
17 | const union nf_inet_addr ip_set_netmask_map[] = { | ||
18 | E(0x00000000, 0x00000000, 0x00000000, 0x00000000), | ||
19 | E(0x80000000, 0x00000000, 0x00000000, 0x00000000), | ||
20 | E(0xC0000000, 0x00000000, 0x00000000, 0x00000000), | ||
21 | E(0xE0000000, 0x00000000, 0x00000000, 0x00000000), | ||
22 | E(0xF0000000, 0x00000000, 0x00000000, 0x00000000), | ||
23 | E(0xF8000000, 0x00000000, 0x00000000, 0x00000000), | ||
24 | E(0xFC000000, 0x00000000, 0x00000000, 0x00000000), | ||
25 | E(0xFE000000, 0x00000000, 0x00000000, 0x00000000), | ||
26 | E(0xFF000000, 0x00000000, 0x00000000, 0x00000000), | ||
27 | E(0xFF800000, 0x00000000, 0x00000000, 0x00000000), | ||
28 | E(0xFFC00000, 0x00000000, 0x00000000, 0x00000000), | ||
29 | E(0xFFE00000, 0x00000000, 0x00000000, 0x00000000), | ||
30 | E(0xFFF00000, 0x00000000, 0x00000000, 0x00000000), | ||
31 | E(0xFFF80000, 0x00000000, 0x00000000, 0x00000000), | ||
32 | E(0xFFFC0000, 0x00000000, 0x00000000, 0x00000000), | ||
33 | E(0xFFFE0000, 0x00000000, 0x00000000, 0x00000000), | ||
34 | E(0xFFFF0000, 0x00000000, 0x00000000, 0x00000000), | ||
35 | E(0xFFFF8000, 0x00000000, 0x00000000, 0x00000000), | ||
36 | E(0xFFFFC000, 0x00000000, 0x00000000, 0x00000000), | ||
37 | E(0xFFFFE000, 0x00000000, 0x00000000, 0x00000000), | ||
38 | E(0xFFFFF000, 0x00000000, 0x00000000, 0x00000000), | ||
39 | E(0xFFFFF800, 0x00000000, 0x00000000, 0x00000000), | ||
40 | E(0xFFFFFC00, 0x00000000, 0x00000000, 0x00000000), | ||
41 | E(0xFFFFFE00, 0x00000000, 0x00000000, 0x00000000), | ||
42 | E(0xFFFFFF00, 0x00000000, 0x00000000, 0x00000000), | ||
43 | E(0xFFFFFF80, 0x00000000, 0x00000000, 0x00000000), | ||
44 | E(0xFFFFFFC0, 0x00000000, 0x00000000, 0x00000000), | ||
45 | E(0xFFFFFFE0, 0x00000000, 0x00000000, 0x00000000), | ||
46 | E(0xFFFFFFF0, 0x00000000, 0x00000000, 0x00000000), | ||
47 | E(0xFFFFFFF8, 0x00000000, 0x00000000, 0x00000000), | ||
48 | E(0xFFFFFFFC, 0x00000000, 0x00000000, 0x00000000), | ||
49 | E(0xFFFFFFFE, 0x00000000, 0x00000000, 0x00000000), | ||
50 | E(0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000), | ||
51 | E(0xFFFFFFFF, 0x80000000, 0x00000000, 0x00000000), | ||
52 | E(0xFFFFFFFF, 0xC0000000, 0x00000000, 0x00000000), | ||
53 | E(0xFFFFFFFF, 0xE0000000, 0x00000000, 0x00000000), | ||
54 | E(0xFFFFFFFF, 0xF0000000, 0x00000000, 0x00000000), | ||
55 | E(0xFFFFFFFF, 0xF8000000, 0x00000000, 0x00000000), | ||
56 | E(0xFFFFFFFF, 0xFC000000, 0x00000000, 0x00000000), | ||
57 | E(0xFFFFFFFF, 0xFE000000, 0x00000000, 0x00000000), | ||
58 | E(0xFFFFFFFF, 0xFF000000, 0x00000000, 0x00000000), | ||
59 | E(0xFFFFFFFF, 0xFF800000, 0x00000000, 0x00000000), | ||
60 | E(0xFFFFFFFF, 0xFFC00000, 0x00000000, 0x00000000), | ||
61 | E(0xFFFFFFFF, 0xFFE00000, 0x00000000, 0x00000000), | ||
62 | E(0xFFFFFFFF, 0xFFF00000, 0x00000000, 0x00000000), | ||
63 | E(0xFFFFFFFF, 0xFFF80000, 0x00000000, 0x00000000), | ||
64 | E(0xFFFFFFFF, 0xFFFC0000, 0x00000000, 0x00000000), | ||
65 | E(0xFFFFFFFF, 0xFFFE0000, 0x00000000, 0x00000000), | ||
66 | E(0xFFFFFFFF, 0xFFFF0000, 0x00000000, 0x00000000), | ||
67 | E(0xFFFFFFFF, 0xFFFF8000, 0x00000000, 0x00000000), | ||
68 | E(0xFFFFFFFF, 0xFFFFC000, 0x00000000, 0x00000000), | ||
69 | E(0xFFFFFFFF, 0xFFFFE000, 0x00000000, 0x00000000), | ||
70 | E(0xFFFFFFFF, 0xFFFFF000, 0x00000000, 0x00000000), | ||
71 | E(0xFFFFFFFF, 0xFFFFF800, 0x00000000, 0x00000000), | ||
72 | E(0xFFFFFFFF, 0xFFFFFC00, 0x00000000, 0x00000000), | ||
73 | E(0xFFFFFFFF, 0xFFFFFE00, 0x00000000, 0x00000000), | ||
74 | E(0xFFFFFFFF, 0xFFFFFF00, 0x00000000, 0x00000000), | ||
75 | E(0xFFFFFFFF, 0xFFFFFF80, 0x00000000, 0x00000000), | ||
76 | E(0xFFFFFFFF, 0xFFFFFFC0, 0x00000000, 0x00000000), | ||
77 | E(0xFFFFFFFF, 0xFFFFFFE0, 0x00000000, 0x00000000), | ||
78 | E(0xFFFFFFFF, 0xFFFFFFF0, 0x00000000, 0x00000000), | ||
79 | E(0xFFFFFFFF, 0xFFFFFFF8, 0x00000000, 0x00000000), | ||
80 | E(0xFFFFFFFF, 0xFFFFFFFC, 0x00000000, 0x00000000), | ||
81 | E(0xFFFFFFFF, 0xFFFFFFFE, 0x00000000, 0x00000000), | ||
82 | E(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000), | ||
83 | E(0xFFFFFFFF, 0xFFFFFFFF, 0x80000000, 0x00000000), | ||
84 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000, 0x00000000), | ||
85 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000, 0x00000000), | ||
86 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000, 0x00000000), | ||
87 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000, 0x00000000), | ||
88 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000, 0x00000000), | ||
89 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000, 0x00000000), | ||
90 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000, 0x00000000), | ||
91 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000, 0x00000000), | ||
92 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000, 0x00000000), | ||
93 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000, 0x00000000), | ||
94 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000, 0x00000000), | ||
95 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000, 0x00000000), | ||
96 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000, 0x00000000), | ||
97 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000, 0x00000000), | ||
98 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000, 0x00000000), | ||
99 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000, 0x00000000), | ||
100 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000, 0x00000000), | ||
101 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000, 0x00000000), | ||
102 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000, 0x00000000), | ||
103 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800, 0x00000000), | ||
104 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00, 0x00000000), | ||
105 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00, 0x00000000), | ||
106 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00, 0x00000000), | ||
107 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80, 0x00000000), | ||
108 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0, 0x00000000), | ||
109 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0, 0x00000000), | ||
110 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0, 0x00000000), | ||
111 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8, 0x00000000), | ||
112 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC, 0x00000000), | ||
113 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000000), | ||
114 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000), | ||
115 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x80000000), | ||
116 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000), | ||
117 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000), | ||
118 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000), | ||
119 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000), | ||
120 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000), | ||
121 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000), | ||
122 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000), | ||
123 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000), | ||
124 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000), | ||
125 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000), | ||
126 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000), | ||
127 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000), | ||
128 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000), | ||
129 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000), | ||
130 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000), | ||
131 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000), | ||
132 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000), | ||
133 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000), | ||
134 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000), | ||
135 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800), | ||
136 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00), | ||
137 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00), | ||
138 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00), | ||
139 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80), | ||
140 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0), | ||
141 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0), | ||
142 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0), | ||
143 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8), | ||
144 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC), | ||
145 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE), | ||
146 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF), | ||
147 | }; | ||
148 | EXPORT_SYMBOL_GPL(ip_set_netmask_map); | ||
149 | |||
150 | #undef E | ||
151 | #define E(a, b, c, d) \ | ||
152 | {.ip6 = { (__force __be32) a, (__force __be32) b, \ | ||
153 | (__force __be32) c, (__force __be32) d, \ | ||
154 | } } | ||
155 | |||
156 | /* | ||
157 | * This table works for both IPv4 and IPv6; | ||
158 | * just use prefixlen_hostmask_map[prefixlength].ip. | ||
159 | */ | ||
160 | const union nf_inet_addr ip_set_hostmask_map[] = { | ||
161 | E(0x00000000, 0x00000000, 0x00000000, 0x00000000), | ||
162 | E(0x80000000, 0x00000000, 0x00000000, 0x00000000), | ||
163 | E(0xC0000000, 0x00000000, 0x00000000, 0x00000000), | ||
164 | E(0xE0000000, 0x00000000, 0x00000000, 0x00000000), | ||
165 | E(0xF0000000, 0x00000000, 0x00000000, 0x00000000), | ||
166 | E(0xF8000000, 0x00000000, 0x00000000, 0x00000000), | ||
167 | E(0xFC000000, 0x00000000, 0x00000000, 0x00000000), | ||
168 | E(0xFE000000, 0x00000000, 0x00000000, 0x00000000), | ||
169 | E(0xFF000000, 0x00000000, 0x00000000, 0x00000000), | ||
170 | E(0xFF800000, 0x00000000, 0x00000000, 0x00000000), | ||
171 | E(0xFFC00000, 0x00000000, 0x00000000, 0x00000000), | ||
172 | E(0xFFE00000, 0x00000000, 0x00000000, 0x00000000), | ||
173 | E(0xFFF00000, 0x00000000, 0x00000000, 0x00000000), | ||
174 | E(0xFFF80000, 0x00000000, 0x00000000, 0x00000000), | ||
175 | E(0xFFFC0000, 0x00000000, 0x00000000, 0x00000000), | ||
176 | E(0xFFFE0000, 0x00000000, 0x00000000, 0x00000000), | ||
177 | E(0xFFFF0000, 0x00000000, 0x00000000, 0x00000000), | ||
178 | E(0xFFFF8000, 0x00000000, 0x00000000, 0x00000000), | ||
179 | E(0xFFFFC000, 0x00000000, 0x00000000, 0x00000000), | ||
180 | E(0xFFFFE000, 0x00000000, 0x00000000, 0x00000000), | ||
181 | E(0xFFFFF000, 0x00000000, 0x00000000, 0x00000000), | ||
182 | E(0xFFFFF800, 0x00000000, 0x00000000, 0x00000000), | ||
183 | E(0xFFFFFC00, 0x00000000, 0x00000000, 0x00000000), | ||
184 | E(0xFFFFFE00, 0x00000000, 0x00000000, 0x00000000), | ||
185 | E(0xFFFFFF00, 0x00000000, 0x00000000, 0x00000000), | ||
186 | E(0xFFFFFF80, 0x00000000, 0x00000000, 0x00000000), | ||
187 | E(0xFFFFFFC0, 0x00000000, 0x00000000, 0x00000000), | ||
188 | E(0xFFFFFFE0, 0x00000000, 0x00000000, 0x00000000), | ||
189 | E(0xFFFFFFF0, 0x00000000, 0x00000000, 0x00000000), | ||
190 | E(0xFFFFFFF8, 0x00000000, 0x00000000, 0x00000000), | ||
191 | E(0xFFFFFFFC, 0x00000000, 0x00000000, 0x00000000), | ||
192 | E(0xFFFFFFFE, 0x00000000, 0x00000000, 0x00000000), | ||
193 | E(0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000), | ||
194 | E(0xFFFFFFFF, 0x80000000, 0x00000000, 0x00000000), | ||
195 | E(0xFFFFFFFF, 0xC0000000, 0x00000000, 0x00000000), | ||
196 | E(0xFFFFFFFF, 0xE0000000, 0x00000000, 0x00000000), | ||
197 | E(0xFFFFFFFF, 0xF0000000, 0x00000000, 0x00000000), | ||
198 | E(0xFFFFFFFF, 0xF8000000, 0x00000000, 0x00000000), | ||
199 | E(0xFFFFFFFF, 0xFC000000, 0x00000000, 0x00000000), | ||
200 | E(0xFFFFFFFF, 0xFE000000, 0x00000000, 0x00000000), | ||
201 | E(0xFFFFFFFF, 0xFF000000, 0x00000000, 0x00000000), | ||
202 | E(0xFFFFFFFF, 0xFF800000, 0x00000000, 0x00000000), | ||
203 | E(0xFFFFFFFF, 0xFFC00000, 0x00000000, 0x00000000), | ||
204 | E(0xFFFFFFFF, 0xFFE00000, 0x00000000, 0x00000000), | ||
205 | E(0xFFFFFFFF, 0xFFF00000, 0x00000000, 0x00000000), | ||
206 | E(0xFFFFFFFF, 0xFFF80000, 0x00000000, 0x00000000), | ||
207 | E(0xFFFFFFFF, 0xFFFC0000, 0x00000000, 0x00000000), | ||
208 | E(0xFFFFFFFF, 0xFFFE0000, 0x00000000, 0x00000000), | ||
209 | E(0xFFFFFFFF, 0xFFFF0000, 0x00000000, 0x00000000), | ||
210 | E(0xFFFFFFFF, 0xFFFF8000, 0x00000000, 0x00000000), | ||
211 | E(0xFFFFFFFF, 0xFFFFC000, 0x00000000, 0x00000000), | ||
212 | E(0xFFFFFFFF, 0xFFFFE000, 0x00000000, 0x00000000), | ||
213 | E(0xFFFFFFFF, 0xFFFFF000, 0x00000000, 0x00000000), | ||
214 | E(0xFFFFFFFF, 0xFFFFF800, 0x00000000, 0x00000000), | ||
215 | E(0xFFFFFFFF, 0xFFFFFC00, 0x00000000, 0x00000000), | ||
216 | E(0xFFFFFFFF, 0xFFFFFE00, 0x00000000, 0x00000000), | ||
217 | E(0xFFFFFFFF, 0xFFFFFF00, 0x00000000, 0x00000000), | ||
218 | E(0xFFFFFFFF, 0xFFFFFF80, 0x00000000, 0x00000000), | ||
219 | E(0xFFFFFFFF, 0xFFFFFFC0, 0x00000000, 0x00000000), | ||
220 | E(0xFFFFFFFF, 0xFFFFFFE0, 0x00000000, 0x00000000), | ||
221 | E(0xFFFFFFFF, 0xFFFFFFF0, 0x00000000, 0x00000000), | ||
222 | E(0xFFFFFFFF, 0xFFFFFFF8, 0x00000000, 0x00000000), | ||
223 | E(0xFFFFFFFF, 0xFFFFFFFC, 0x00000000, 0x00000000), | ||
224 | E(0xFFFFFFFF, 0xFFFFFFFE, 0x00000000, 0x00000000), | ||
225 | E(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000), | ||
226 | E(0xFFFFFFFF, 0xFFFFFFFF, 0x80000000, 0x00000000), | ||
227 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000, 0x00000000), | ||
228 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000, 0x00000000), | ||
229 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000, 0x00000000), | ||
230 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000, 0x00000000), | ||
231 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000, 0x00000000), | ||
232 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000, 0x00000000), | ||
233 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000, 0x00000000), | ||
234 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000, 0x00000000), | ||
235 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000, 0x00000000), | ||
236 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000, 0x00000000), | ||
237 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000, 0x00000000), | ||
238 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000, 0x00000000), | ||
239 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000, 0x00000000), | ||
240 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000, 0x00000000), | ||
241 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000, 0x00000000), | ||
242 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000, 0x00000000), | ||
243 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000, 0x00000000), | ||
244 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000, 0x00000000), | ||
245 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000, 0x00000000), | ||
246 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800, 0x00000000), | ||
247 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00, 0x00000000), | ||
248 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00, 0x00000000), | ||
249 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00, 0x00000000), | ||
250 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80, 0x00000000), | ||
251 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0, 0x00000000), | ||
252 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0, 0x00000000), | ||
253 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0, 0x00000000), | ||
254 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8, 0x00000000), | ||
255 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC, 0x00000000), | ||
256 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000000), | ||
257 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000), | ||
258 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x80000000), | ||
259 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000), | ||
260 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000), | ||
261 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000), | ||
262 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000), | ||
263 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000), | ||
264 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000), | ||
265 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000), | ||
266 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000), | ||
267 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000), | ||
268 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000), | ||
269 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000), | ||
270 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000), | ||
271 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000), | ||
272 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000), | ||
273 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000), | ||
274 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000), | ||
275 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000), | ||
276 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000), | ||
277 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000), | ||
278 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800), | ||
279 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00), | ||
280 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00), | ||
281 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00), | ||
282 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80), | ||
283 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0), | ||
284 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0), | ||
285 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0), | ||
286 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8), | ||
287 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC), | ||
288 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE), | ||
289 | E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF), | ||
290 | }; | ||
291 | EXPORT_SYMBOL_GPL(ip_set_hostmask_map); | ||