Commit | Line | Data |
---|---|---|
a7b4f989 JK |
1 | /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> |
2 | * Patrick Schaaf <bof@bof.de> | |
3 | * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | */ | |
9 | ||
10 | /* Kernel module for IP set management */ | |
11 | ||
12 | #include <linux/init.h> | |
13 | #include <linux/module.h> | |
14 | #include <linux/moduleparam.h> | |
15 | #include <linux/ip.h> | |
16 | #include <linux/skbuff.h> | |
17 | #include <linux/spinlock.h> | |
18 | #include <linux/netlink.h> | |
19 | #include <linux/rculist.h> | |
a7b4f989 JK |
20 | #include <net/netlink.h> |
21 | ||
22 | #include <linux/netfilter.h> | |
b66554cf | 23 | #include <linux/netfilter/x_tables.h> |
a7b4f989 JK |
24 | #include <linux/netfilter/nfnetlink.h> |
25 | #include <linux/netfilter/ipset/ip_set.h> | |
26 | ||
27 | static LIST_HEAD(ip_set_type_list); /* all registered set types */ | |
28 | static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */ | |
2f9f28b2 | 29 | static DEFINE_RWLOCK(ip_set_ref_lock); /* protects the set refs */ |
a7b4f989 JK |
30 | |
31 | static struct ip_set **ip_set_list; /* all individual sets */ | |
32 | static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */ | |
33 | ||
34 | #define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0) | |
35 | ||
36 | static unsigned int max_sets; | |
37 | ||
38 | module_param(max_sets, int, 0600); | |
39 | MODULE_PARM_DESC(max_sets, "maximal number of sets"); | |
40 | MODULE_LICENSE("GPL"); | |
41 | MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); | |
42 | MODULE_DESCRIPTION("core IP set support"); | |
43 | MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET); | |
44 | ||
45 | /* | |
46 | * The set types are implemented in modules and registered set types | |
47 | * can be found in ip_set_type_list. Adding/deleting types is | |
48 | * serialized by ip_set_type_mutex. | |
49 | */ | |
50 | ||
51 | static inline void | |
52 | ip_set_type_lock(void) | |
53 | { | |
54 | mutex_lock(&ip_set_type_mutex); | |
55 | } | |
56 | ||
57 | static inline void | |
58 | ip_set_type_unlock(void) | |
59 | { | |
60 | mutex_unlock(&ip_set_type_mutex); | |
61 | } | |
62 | ||
63 | /* Register and deregister settype */ | |
64 | ||
65 | static struct ip_set_type * | |
66 | find_set_type(const char *name, u8 family, u8 revision) | |
67 | { | |
68 | struct ip_set_type *type; | |
69 | ||
70 | list_for_each_entry_rcu(type, &ip_set_type_list, list) | |
71 | if (STREQ(type->name, name) && | |
3ace95c0 JK |
72 | (type->family == family || |
73 | type->family == NFPROTO_UNSPEC) && | |
f1e00b39 JK |
74 | revision >= type->revision_min && |
75 | revision <= type->revision_max) | |
a7b4f989 JK |
76 | return type; |
77 | return NULL; | |
78 | } | |
79 | ||
80 | /* Unlock, try to load a set type module and lock again */ | |
088067f4 JK |
81 | static bool |
82 | load_settype(const char *name) | |
a7b4f989 JK |
83 | { |
84 | nfnl_unlock(); | |
85 | pr_debug("try to load ip_set_%s\n", name); | |
86 | if (request_module("ip_set_%s", name) < 0) { | |
87 | pr_warning("Can't find ip_set type %s\n", name); | |
88 | nfnl_lock(); | |
088067f4 | 89 | return false; |
a7b4f989 JK |
90 | } |
91 | nfnl_lock(); | |
088067f4 | 92 | return true; |
a7b4f989 JK |
93 | } |
94 | ||
95 | /* Find a set type and reference it */ | |
088067f4 JK |
96 | #define find_set_type_get(name, family, revision, found) \ |
97 | __find_set_type_get(name, family, revision, found, false) | |
98 | ||
a7b4f989 | 99 | static int |
088067f4 JK |
100 | __find_set_type_get(const char *name, u8 family, u8 revision, |
101 | struct ip_set_type **found, bool retry) | |
a7b4f989 | 102 | { |
5c1aba46 JK |
103 | struct ip_set_type *type; |
104 | int err; | |
105 | ||
088067f4 JK |
106 | if (retry && !load_settype(name)) |
107 | return -IPSET_ERR_FIND_TYPE; | |
108 | ||
a7b4f989 JK |
109 | rcu_read_lock(); |
110 | *found = find_set_type(name, family, revision); | |
111 | if (*found) { | |
5c1aba46 JK |
112 | err = !try_module_get((*found)->me) ? -EFAULT : 0; |
113 | goto unlock; | |
a7b4f989 | 114 | } |
088067f4 JK |
115 | /* Make sure the type is already loaded |
116 | * but we don't support the revision */ | |
5c1aba46 JK |
117 | list_for_each_entry_rcu(type, &ip_set_type_list, list) |
118 | if (STREQ(type->name, name)) { | |
119 | err = -IPSET_ERR_FIND_TYPE; | |
120 | goto unlock; | |
121 | } | |
a7b4f989 JK |
122 | rcu_read_unlock(); |
123 | ||
088067f4 JK |
124 | return retry ? -IPSET_ERR_FIND_TYPE : |
125 | __find_set_type_get(name, family, revision, found, true); | |
5c1aba46 JK |
126 | |
127 | unlock: | |
128 | rcu_read_unlock(); | |
129 | return err; | |
a7b4f989 JK |
130 | } |
131 | ||
132 | /* Find a given set type by name and family. | |
133 | * If we succeeded, the supported minimal and maximum revisions are | |
134 | * filled out. | |
135 | */ | |
088067f4 JK |
136 | #define find_set_type_minmax(name, family, min, max) \ |
137 | __find_set_type_minmax(name, family, min, max, false) | |
138 | ||
a7b4f989 | 139 | static int |
088067f4 JK |
140 | __find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max, |
141 | bool retry) | |
a7b4f989 JK |
142 | { |
143 | struct ip_set_type *type; | |
144 | bool found = false; | |
145 | ||
088067f4 JK |
146 | if (retry && !load_settype(name)) |
147 | return -IPSET_ERR_FIND_TYPE; | |
148 | ||
5c1aba46 | 149 | *min = 255; *max = 0; |
a7b4f989 JK |
150 | rcu_read_lock(); |
151 | list_for_each_entry_rcu(type, &ip_set_type_list, list) | |
152 | if (STREQ(type->name, name) && | |
3ace95c0 JK |
153 | (type->family == family || |
154 | type->family == NFPROTO_UNSPEC)) { | |
a7b4f989 | 155 | found = true; |
f1e00b39 JK |
156 | if (type->revision_min < *min) |
157 | *min = type->revision_min; | |
158 | if (type->revision_max > *max) | |
159 | *max = type->revision_max; | |
a7b4f989 JK |
160 | } |
161 | rcu_read_unlock(); | |
162 | if (found) | |
163 | return 0; | |
164 | ||
088067f4 JK |
165 | return retry ? -IPSET_ERR_FIND_TYPE : |
166 | __find_set_type_minmax(name, family, min, max, true); | |
a7b4f989 JK |
167 | } |
168 | ||
c15f1c83 JE |
169 | #define family_name(f) ((f) == NFPROTO_IPV4 ? "inet" : \ |
170 | (f) == NFPROTO_IPV6 ? "inet6" : "any") | |
a7b4f989 JK |
171 | |
172 | /* Register a set type structure. The type is identified by | |
173 | * the unique triple of name, family and revision. | |
174 | */ | |
175 | int | |
176 | ip_set_type_register(struct ip_set_type *type) | |
177 | { | |
178 | int ret = 0; | |
179 | ||
180 | if (type->protocol != IPSET_PROTOCOL) { | |
f1e00b39 | 181 | pr_warning("ip_set type %s, family %s, revision %u:%u uses " |
a7b4f989 JK |
182 | "wrong protocol version %u (want %u)\n", |
183 | type->name, family_name(type->family), | |
f1e00b39 JK |
184 | type->revision_min, type->revision_max, |
185 | type->protocol, IPSET_PROTOCOL); | |
a7b4f989 JK |
186 | return -EINVAL; |
187 | } | |
188 | ||
189 | ip_set_type_lock(); | |
f1e00b39 | 190 | if (find_set_type(type->name, type->family, type->revision_min)) { |
a7b4f989 | 191 | /* Duplicate! */ |
f1e00b39 | 192 | pr_warning("ip_set type %s, family %s with revision min %u " |
a7b4f989 | 193 | "already registered!\n", type->name, |
f1e00b39 | 194 | family_name(type->family), type->revision_min); |
a7b4f989 JK |
195 | ret = -EINVAL; |
196 | goto unlock; | |
197 | } | |
198 | list_add_rcu(&type->list, &ip_set_type_list); | |
f1e00b39 JK |
199 | pr_debug("type %s, family %s, revision %u:%u registered.\n", |
200 | type->name, family_name(type->family), | |
201 | type->revision_min, type->revision_max); | |
a7b4f989 JK |
202 | unlock: |
203 | ip_set_type_unlock(); | |
204 | return ret; | |
205 | } | |
206 | EXPORT_SYMBOL_GPL(ip_set_type_register); | |
207 | ||
208 | /* Unregister a set type. There's a small race with ip_set_create */ | |
209 | void | |
210 | ip_set_type_unregister(struct ip_set_type *type) | |
211 | { | |
212 | ip_set_type_lock(); | |
f1e00b39 JK |
213 | if (!find_set_type(type->name, type->family, type->revision_min)) { |
214 | pr_warning("ip_set type %s, family %s with revision min %u " | |
a7b4f989 | 215 | "not registered\n", type->name, |
f1e00b39 | 216 | family_name(type->family), type->revision_min); |
a7b4f989 JK |
217 | goto unlock; |
218 | } | |
219 | list_del_rcu(&type->list); | |
f1e00b39 JK |
220 | pr_debug("type %s, family %s with revision min %u unregistered.\n", |
221 | type->name, family_name(type->family), type->revision_min); | |
a7b4f989 JK |
222 | unlock: |
223 | ip_set_type_unlock(); | |
224 | ||
225 | synchronize_rcu(); | |
226 | } | |
227 | EXPORT_SYMBOL_GPL(ip_set_type_unregister); | |
228 | ||
229 | /* Utility functions */ | |
230 | void * | |
231 | ip_set_alloc(size_t size) | |
232 | { | |
233 | void *members = NULL; | |
234 | ||
235 | if (size < KMALLOC_MAX_SIZE) | |
236 | members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN); | |
237 | ||
238 | if (members) { | |
239 | pr_debug("%p: allocated with kmalloc\n", members); | |
240 | return members; | |
241 | } | |
242 | ||
243 | members = vzalloc(size); | |
244 | if (!members) | |
245 | return NULL; | |
246 | pr_debug("%p: allocated with vmalloc\n", members); | |
247 | ||
248 | return members; | |
249 | } | |
250 | EXPORT_SYMBOL_GPL(ip_set_alloc); | |
251 | ||
252 | void | |
253 | ip_set_free(void *members) | |
254 | { | |
255 | pr_debug("%p: free with %s\n", members, | |
256 | is_vmalloc_addr(members) ? "vfree" : "kfree"); | |
257 | if (is_vmalloc_addr(members)) | |
258 | vfree(members); | |
259 | else | |
260 | kfree(members); | |
261 | } | |
262 | EXPORT_SYMBOL_GPL(ip_set_free); | |
263 | ||
264 | static inline bool | |
265 | flag_nested(const struct nlattr *nla) | |
266 | { | |
267 | return nla->nla_type & NLA_F_NESTED; | |
268 | } | |
269 | ||
270 | static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = { | |
271 | [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 }, | |
272 | [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY, | |
273 | .len = sizeof(struct in6_addr) }, | |
274 | }; | |
275 | ||
276 | int | |
277 | ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr) | |
278 | { | |
279 | struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1]; | |
280 | ||
281 | if (unlikely(!flag_nested(nla))) | |
282 | return -IPSET_ERR_PROTOCOL; | |
8da560ce | 283 | if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy)) |
a7b4f989 JK |
284 | return -IPSET_ERR_PROTOCOL; |
285 | if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4))) | |
286 | return -IPSET_ERR_PROTOCOL; | |
287 | ||
288 | *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]); | |
289 | return 0; | |
290 | } | |
291 | EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4); | |
292 | ||
293 | int | |
294 | ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr) | |
295 | { | |
296 | struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1]; | |
297 | ||
298 | if (unlikely(!flag_nested(nla))) | |
299 | return -IPSET_ERR_PROTOCOL; | |
300 | ||
8da560ce | 301 | if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy)) |
a7b4f989 JK |
302 | return -IPSET_ERR_PROTOCOL; |
303 | if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6))) | |
304 | return -IPSET_ERR_PROTOCOL; | |
305 | ||
306 | memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]), | |
307 | sizeof(struct in6_addr)); | |
308 | return 0; | |
309 | } | |
310 | EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6); | |
311 | ||
312 | /* | |
313 | * Creating/destroying/renaming/swapping affect the existence and | |
314 | * the properties of a set. All of these can be executed from userspace | |
315 | * only and serialized by the nfnl mutex indirectly from nfnetlink. | |
316 | * | |
317 | * Sets are identified by their index in ip_set_list and the index | |
318 | * is used by the external references (set/SET netfilter modules). | |
319 | * | |
320 | * The set behind an index may change by swapping only, from userspace. | |
321 | */ | |
322 | ||
323 | static inline void | |
324 | __ip_set_get(ip_set_id_t index) | |
325 | { | |
2f9f28b2 JK |
326 | write_lock_bh(&ip_set_ref_lock); |
327 | ip_set_list[index]->ref++; | |
328 | write_unlock_bh(&ip_set_ref_lock); | |
a7b4f989 JK |
329 | } |
330 | ||
331 | static inline void | |
332 | __ip_set_put(ip_set_id_t index) | |
333 | { | |
2f9f28b2 JK |
334 | write_lock_bh(&ip_set_ref_lock); |
335 | BUG_ON(ip_set_list[index]->ref == 0); | |
336 | ip_set_list[index]->ref--; | |
337 | write_unlock_bh(&ip_set_ref_lock); | |
a7b4f989 JK |
338 | } |
339 | ||
340 | /* | |
341 | * Add, del and test set entries from kernel. | |
342 | * | |
343 | * The set behind the index must exist and must be referenced | |
344 | * so it can't be destroyed (or changed) under our foot. | |
345 | */ | |
346 | ||
347 | int | |
348 | ip_set_test(ip_set_id_t index, const struct sk_buff *skb, | |
b66554cf | 349 | const struct xt_action_param *par, |
ac8cc925 | 350 | const struct ip_set_adt_opt *opt) |
a7b4f989 JK |
351 | { |
352 | struct ip_set *set = ip_set_list[index]; | |
353 | int ret = 0; | |
354 | ||
2f9f28b2 | 355 | BUG_ON(set == NULL); |
a7b4f989 JK |
356 | pr_debug("set %s, index %u\n", set->name, index); |
357 | ||
ac8cc925 | 358 | if (opt->dim < set->type->dimension || |
c15f1c83 | 359 | !(opt->family == set->family || set->family == NFPROTO_UNSPEC)) |
a7b4f989 JK |
360 | return 0; |
361 | ||
362 | read_lock_bh(&set->lock); | |
b66554cf | 363 | ret = set->variant->kadt(set, skb, par, IPSET_TEST, opt); |
a7b4f989 JK |
364 | read_unlock_bh(&set->lock); |
365 | ||
366 | if (ret == -EAGAIN) { | |
367 | /* Type requests element to be completed */ | |
368 | pr_debug("element must be competed, ADD is triggered\n"); | |
369 | write_lock_bh(&set->lock); | |
b66554cf | 370 | set->variant->kadt(set, skb, par, IPSET_ADD, opt); |
a7b4f989 JK |
371 | write_unlock_bh(&set->lock); |
372 | ret = 1; | |
3e0304a5 JK |
373 | } else { |
374 | /* --return-nomatch: invert matched element */ | |
375 | if ((opt->flags & IPSET_RETURN_NOMATCH) && | |
376 | (set->type->features & IPSET_TYPE_NOMATCH) && | |
377 | (ret > 0 || ret == -ENOTEMPTY)) | |
378 | ret = -ret; | |
a7b4f989 JK |
379 | } |
380 | ||
381 | /* Convert error codes to nomatch */ | |
382 | return (ret < 0 ? 0 : ret); | |
383 | } | |
384 | EXPORT_SYMBOL_GPL(ip_set_test); | |
385 | ||
386 | int | |
387 | ip_set_add(ip_set_id_t index, const struct sk_buff *skb, | |
b66554cf | 388 | const struct xt_action_param *par, |
ac8cc925 | 389 | const struct ip_set_adt_opt *opt) |
a7b4f989 JK |
390 | { |
391 | struct ip_set *set = ip_set_list[index]; | |
392 | int ret; | |
393 | ||
2f9f28b2 | 394 | BUG_ON(set == NULL); |
a7b4f989 JK |
395 | pr_debug("set %s, index %u\n", set->name, index); |
396 | ||
ac8cc925 | 397 | if (opt->dim < set->type->dimension || |
c15f1c83 | 398 | !(opt->family == set->family || set->family == NFPROTO_UNSPEC)) |
a7b4f989 JK |
399 | return 0; |
400 | ||
401 | write_lock_bh(&set->lock); | |
b66554cf | 402 | ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt); |
a7b4f989 JK |
403 | write_unlock_bh(&set->lock); |
404 | ||
405 | return ret; | |
406 | } | |
407 | EXPORT_SYMBOL_GPL(ip_set_add); | |
408 | ||
409 | int | |
410 | ip_set_del(ip_set_id_t index, const struct sk_buff *skb, | |
b66554cf | 411 | const struct xt_action_param *par, |
ac8cc925 | 412 | const struct ip_set_adt_opt *opt) |
a7b4f989 JK |
413 | { |
414 | struct ip_set *set = ip_set_list[index]; | |
415 | int ret = 0; | |
416 | ||
2f9f28b2 | 417 | BUG_ON(set == NULL); |
a7b4f989 JK |
418 | pr_debug("set %s, index %u\n", set->name, index); |
419 | ||
ac8cc925 | 420 | if (opt->dim < set->type->dimension || |
c15f1c83 | 421 | !(opt->family == set->family || set->family == NFPROTO_UNSPEC)) |
a7b4f989 JK |
422 | return 0; |
423 | ||
424 | write_lock_bh(&set->lock); | |
b66554cf | 425 | ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt); |
a7b4f989 JK |
426 | write_unlock_bh(&set->lock); |
427 | ||
428 | return ret; | |
429 | } | |
430 | EXPORT_SYMBOL_GPL(ip_set_del); | |
431 | ||
432 | /* | |
433 | * Find set by name, reference it once. The reference makes sure the | |
434 | * thing pointed to, does not go away under our feet. | |
435 | * | |
a7b4f989 JK |
436 | */ |
437 | ip_set_id_t | |
438 | ip_set_get_byname(const char *name, struct ip_set **set) | |
439 | { | |
440 | ip_set_id_t i, index = IPSET_INVALID_ID; | |
441 | struct ip_set *s; | |
442 | ||
443 | for (i = 0; i < ip_set_max; i++) { | |
444 | s = ip_set_list[i]; | |
445 | if (s != NULL && STREQ(s->name, name)) { | |
446 | __ip_set_get(i); | |
447 | index = i; | |
448 | *set = s; | |
449 | } | |
450 | } | |
451 | ||
452 | return index; | |
453 | } | |
454 | EXPORT_SYMBOL_GPL(ip_set_get_byname); | |
455 | ||
456 | /* | |
457 | * If the given set pointer points to a valid set, decrement | |
458 | * reference count by 1. The caller shall not assume the index | |
459 | * to be valid, after calling this function. | |
460 | * | |
a7b4f989 JK |
461 | */ |
462 | void | |
463 | ip_set_put_byindex(ip_set_id_t index) | |
464 | { | |
2f9f28b2 | 465 | if (ip_set_list[index] != NULL) |
a7b4f989 | 466 | __ip_set_put(index); |
a7b4f989 JK |
467 | } |
468 | EXPORT_SYMBOL_GPL(ip_set_put_byindex); | |
469 | ||
470 | /* | |
471 | * Get the name of a set behind a set index. | |
472 | * We assume the set is referenced, so it does exist and | |
473 | * can't be destroyed. The set cannot be renamed due to | |
474 | * the referencing either. | |
475 | * | |
a7b4f989 JK |
476 | */ |
477 | const char * | |
478 | ip_set_name_byindex(ip_set_id_t index) | |
479 | { | |
480 | const struct ip_set *set = ip_set_list[index]; | |
481 | ||
482 | BUG_ON(set == NULL); | |
2f9f28b2 | 483 | BUG_ON(set->ref == 0); |
a7b4f989 JK |
484 | |
485 | /* Referenced, so it's safe */ | |
486 | return set->name; | |
487 | } | |
488 | EXPORT_SYMBOL_GPL(ip_set_name_byindex); | |
489 | ||
490 | /* | |
491 | * Routines to call by external subsystems, which do not | |
492 | * call nfnl_lock for us. | |
493 | */ | |
494 | ||
495 | /* | |
496 | * Find set by name, reference it once. The reference makes sure the | |
497 | * thing pointed to, does not go away under our feet. | |
498 | * | |
499 | * The nfnl mutex is used in the function. | |
500 | */ | |
501 | ip_set_id_t | |
502 | ip_set_nfnl_get(const char *name) | |
503 | { | |
504 | struct ip_set *s; | |
505 | ip_set_id_t index; | |
506 | ||
507 | nfnl_lock(); | |
508 | index = ip_set_get_byname(name, &s); | |
509 | nfnl_unlock(); | |
510 | ||
511 | return index; | |
512 | } | |
513 | EXPORT_SYMBOL_GPL(ip_set_nfnl_get); | |
514 | ||
515 | /* | |
516 | * Find set by index, reference it once. The reference makes sure the | |
517 | * thing pointed to, does not go away under our feet. | |
518 | * | |
519 | * The nfnl mutex is used in the function. | |
520 | */ | |
521 | ip_set_id_t | |
522 | ip_set_nfnl_get_byindex(ip_set_id_t index) | |
523 | { | |
524 | if (index > ip_set_max) | |
525 | return IPSET_INVALID_ID; | |
526 | ||
527 | nfnl_lock(); | |
528 | if (ip_set_list[index]) | |
529 | __ip_set_get(index); | |
530 | else | |
531 | index = IPSET_INVALID_ID; | |
532 | nfnl_unlock(); | |
533 | ||
534 | return index; | |
535 | } | |
536 | EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex); | |
537 | ||
538 | /* | |
539 | * If the given set pointer points to a valid set, decrement | |
540 | * reference count by 1. The caller shall not assume the index | |
541 | * to be valid, after calling this function. | |
542 | * | |
543 | * The nfnl mutex is used in the function. | |
544 | */ | |
545 | void | |
546 | ip_set_nfnl_put(ip_set_id_t index) | |
547 | { | |
548 | nfnl_lock(); | |
2f9f28b2 | 549 | ip_set_put_byindex(index); |
a7b4f989 JK |
550 | nfnl_unlock(); |
551 | } | |
552 | EXPORT_SYMBOL_GPL(ip_set_nfnl_put); | |
553 | ||
554 | /* | |
555 | * Communication protocol with userspace over netlink. | |
556 | * | |
2f9f28b2 | 557 | * The commands are serialized by the nfnl mutex. |
a7b4f989 JK |
558 | */ |
559 | ||
560 | static inline bool | |
561 | protocol_failed(const struct nlattr * const tb[]) | |
562 | { | |
563 | return !tb[IPSET_ATTR_PROTOCOL] || | |
564 | nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL; | |
565 | } | |
566 | ||
567 | static inline u32 | |
568 | flag_exist(const struct nlmsghdr *nlh) | |
569 | { | |
570 | return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST; | |
571 | } | |
572 | ||
573 | static struct nlmsghdr * | |
15e47304 | 574 | start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags, |
a7b4f989 JK |
575 | enum ipset_cmd cmd) |
576 | { | |
577 | struct nlmsghdr *nlh; | |
578 | struct nfgenmsg *nfmsg; | |
579 | ||
15e47304 | 580 | nlh = nlmsg_put(skb, portid, seq, cmd | (NFNL_SUBSYS_IPSET << 8), |
a7b4f989 JK |
581 | sizeof(*nfmsg), flags); |
582 | if (nlh == NULL) | |
583 | return NULL; | |
584 | ||
585 | nfmsg = nlmsg_data(nlh); | |
c15f1c83 | 586 | nfmsg->nfgen_family = NFPROTO_IPV4; |
a7b4f989 JK |
587 | nfmsg->version = NFNETLINK_V0; |
588 | nfmsg->res_id = 0; | |
589 | ||
590 | return nlh; | |
591 | } | |
592 | ||
593 | /* Create a set */ | |
594 | ||
595 | static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = { | |
596 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | |
597 | [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, | |
598 | .len = IPSET_MAXNAMELEN - 1 }, | |
599 | [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING, | |
600 | .len = IPSET_MAXNAMELEN - 1}, | |
601 | [IPSET_ATTR_REVISION] = { .type = NLA_U8 }, | |
602 | [IPSET_ATTR_FAMILY] = { .type = NLA_U8 }, | |
603 | [IPSET_ATTR_DATA] = { .type = NLA_NESTED }, | |
604 | }; | |
605 | ||
606 | static ip_set_id_t | |
607 | find_set_id(const char *name) | |
608 | { | |
609 | ip_set_id_t i, index = IPSET_INVALID_ID; | |
610 | const struct ip_set *set; | |
611 | ||
612 | for (i = 0; index == IPSET_INVALID_ID && i < ip_set_max; i++) { | |
613 | set = ip_set_list[i]; | |
614 | if (set != NULL && STREQ(set->name, name)) | |
615 | index = i; | |
616 | } | |
617 | return index; | |
618 | } | |
619 | ||
620 | static inline struct ip_set * | |
621 | find_set(const char *name) | |
622 | { | |
623 | ip_set_id_t index = find_set_id(name); | |
624 | ||
625 | return index == IPSET_INVALID_ID ? NULL : ip_set_list[index]; | |
626 | } | |
627 | ||
628 | static int | |
629 | find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set) | |
630 | { | |
631 | ip_set_id_t i; | |
632 | ||
633 | *index = IPSET_INVALID_ID; | |
634 | for (i = 0; i < ip_set_max; i++) { | |
635 | if (ip_set_list[i] == NULL) { | |
636 | if (*index == IPSET_INVALID_ID) | |
637 | *index = i; | |
638 | } else if (STREQ(name, ip_set_list[i]->name)) { | |
639 | /* Name clash */ | |
640 | *set = ip_set_list[i]; | |
641 | return -EEXIST; | |
642 | } | |
643 | } | |
644 | if (*index == IPSET_INVALID_ID) | |
645 | /* No free slot remained */ | |
646 | return -IPSET_ERR_MAX_SETS; | |
647 | return 0; | |
648 | } | |
649 | ||
d31f4d44 TB |
650 | static int |
651 | ip_set_none(struct sock *ctnl, struct sk_buff *skb, | |
652 | const struct nlmsghdr *nlh, | |
653 | const struct nlattr * const attr[]) | |
654 | { | |
655 | return -EOPNOTSUPP; | |
656 | } | |
657 | ||
a7b4f989 JK |
658 | static int |
659 | ip_set_create(struct sock *ctnl, struct sk_buff *skb, | |
660 | const struct nlmsghdr *nlh, | |
661 | const struct nlattr * const attr[]) | |
662 | { | |
9846ada1 | 663 | struct ip_set *set, *clash = NULL; |
a7b4f989 JK |
664 | ip_set_id_t index = IPSET_INVALID_ID; |
665 | struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {}; | |
666 | const char *name, *typename; | |
667 | u8 family, revision; | |
668 | u32 flags = flag_exist(nlh); | |
669 | int ret = 0; | |
670 | ||
671 | if (unlikely(protocol_failed(attr) || | |
672 | attr[IPSET_ATTR_SETNAME] == NULL || | |
673 | attr[IPSET_ATTR_TYPENAME] == NULL || | |
674 | attr[IPSET_ATTR_REVISION] == NULL || | |
675 | attr[IPSET_ATTR_FAMILY] == NULL || | |
676 | (attr[IPSET_ATTR_DATA] != NULL && | |
677 | !flag_nested(attr[IPSET_ATTR_DATA])))) | |
678 | return -IPSET_ERR_PROTOCOL; | |
679 | ||
680 | name = nla_data(attr[IPSET_ATTR_SETNAME]); | |
681 | typename = nla_data(attr[IPSET_ATTR_TYPENAME]); | |
682 | family = nla_get_u8(attr[IPSET_ATTR_FAMILY]); | |
683 | revision = nla_get_u8(attr[IPSET_ATTR_REVISION]); | |
684 | pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n", | |
685 | name, typename, family_name(family), revision); | |
686 | ||
687 | /* | |
688 | * First, and without any locks, allocate and initialize | |
689 | * a normal base set structure. | |
690 | */ | |
691 | set = kzalloc(sizeof(struct ip_set), GFP_KERNEL); | |
692 | if (!set) | |
693 | return -ENOMEM; | |
694 | rwlock_init(&set->lock); | |
695 | strlcpy(set->name, name, IPSET_MAXNAMELEN); | |
a7b4f989 | 696 | set->family = family; |
f1e00b39 | 697 | set->revision = revision; |
a7b4f989 JK |
698 | |
699 | /* | |
700 | * Next, check that we know the type, and take | |
701 | * a reference on the type, to make sure it stays available | |
702 | * while constructing our new set. | |
703 | * | |
704 | * After referencing the type, we try to create the type | |
705 | * specific part of the set without holding any locks. | |
706 | */ | |
707 | ret = find_set_type_get(typename, family, revision, &(set->type)); | |
708 | if (ret) | |
709 | goto out; | |
710 | ||
711 | /* | |
712 | * Without holding any locks, create private part. | |
713 | */ | |
714 | if (attr[IPSET_ATTR_DATA] && | |
8da560ce PM |
715 | nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA], |
716 | set->type->create_policy)) { | |
15b4d93f JK |
717 | ret = -IPSET_ERR_PROTOCOL; |
718 | goto put_out; | |
a7b4f989 JK |
719 | } |
720 | ||
721 | ret = set->type->create(set, tb, flags); | |
722 | if (ret != 0) | |
723 | goto put_out; | |
724 | ||
725 | /* BTW, ret==0 here. */ | |
726 | ||
727 | /* | |
728 | * Here, we have a valid, constructed set and we are protected | |
2f9f28b2 JK |
729 | * by the nfnl mutex. Find the first free index in ip_set_list |
730 | * and check clashing. | |
a7b4f989 | 731 | */ |
3ace95c0 JK |
732 | ret = find_free_id(set->name, &index, &clash); |
733 | if (ret != 0) { | |
a7b4f989 JK |
734 | /* If this is the same set and requested, ignore error */ |
735 | if (ret == -EEXIST && | |
736 | (flags & IPSET_FLAG_EXIST) && | |
737 | STREQ(set->type->name, clash->type->name) && | |
738 | set->type->family == clash->type->family && | |
f1e00b39 JK |
739 | set->type->revision_min == clash->type->revision_min && |
740 | set->type->revision_max == clash->type->revision_max && | |
a7b4f989 JK |
741 | set->variant->same_set(set, clash)) |
742 | ret = 0; | |
743 | goto cleanup; | |
744 | } | |
745 | ||
746 | /* | |
747 | * Finally! Add our shiny new set to the list, and be done. | |
748 | */ | |
749 | pr_debug("create: '%s' created with index %u!\n", set->name, index); | |
750 | ip_set_list[index] = set; | |
751 | ||
752 | return ret; | |
753 | ||
754 | cleanup: | |
755 | set->variant->destroy(set); | |
756 | put_out: | |
757 | module_put(set->type->me); | |
758 | out: | |
759 | kfree(set); | |
760 | return ret; | |
761 | } | |
762 | ||
763 | /* Destroy sets */ | |
764 | ||
765 | static const struct nla_policy | |
766 | ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = { | |
767 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | |
768 | [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, | |
769 | .len = IPSET_MAXNAMELEN - 1 }, | |
770 | }; | |
771 | ||
772 | static void | |
773 | ip_set_destroy_set(ip_set_id_t index) | |
774 | { | |
775 | struct ip_set *set = ip_set_list[index]; | |
776 | ||
777 | pr_debug("set: %s\n", set->name); | |
778 | ip_set_list[index] = NULL; | |
779 | ||
780 | /* Must call it without holding any lock */ | |
781 | set->variant->destroy(set); | |
782 | module_put(set->type->me); | |
783 | kfree(set); | |
784 | } | |
785 | ||
786 | static int | |
787 | ip_set_destroy(struct sock *ctnl, struct sk_buff *skb, | |
788 | const struct nlmsghdr *nlh, | |
789 | const struct nlattr * const attr[]) | |
790 | { | |
791 | ip_set_id_t i; | |
2f9f28b2 | 792 | int ret = 0; |
a7b4f989 JK |
793 | |
794 | if (unlikely(protocol_failed(attr))) | |
795 | return -IPSET_ERR_PROTOCOL; | |
796 | ||
2f9f28b2 JK |
797 | /* Commands are serialized and references are |
798 | * protected by the ip_set_ref_lock. | |
799 | * External systems (i.e. xt_set) must call | |
800 | * ip_set_put|get_nfnl_* functions, that way we | |
801 | * can safely check references here. | |
802 | * | |
803 | * list:set timer can only decrement the reference | |
804 | * counter, so if it's already zero, we can proceed | |
805 | * without holding the lock. | |
806 | */ | |
807 | read_lock_bh(&ip_set_ref_lock); | |
a7b4f989 JK |
808 | if (!attr[IPSET_ATTR_SETNAME]) { |
809 | for (i = 0; i < ip_set_max; i++) { | |
2f9f28b2 | 810 | if (ip_set_list[i] != NULL && ip_set_list[i]->ref) { |
9d883232 | 811 | ret = -IPSET_ERR_BUSY; |
2f9f28b2 JK |
812 | goto out; |
813 | } | |
a7b4f989 | 814 | } |
2f9f28b2 | 815 | read_unlock_bh(&ip_set_ref_lock); |
a7b4f989 JK |
816 | for (i = 0; i < ip_set_max; i++) { |
817 | if (ip_set_list[i] != NULL) | |
818 | ip_set_destroy_set(i); | |
819 | } | |
820 | } else { | |
821 | i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME])); | |
2f9f28b2 JK |
822 | if (i == IPSET_INVALID_ID) { |
823 | ret = -ENOENT; | |
824 | goto out; | |
825 | } else if (ip_set_list[i]->ref) { | |
826 | ret = -IPSET_ERR_BUSY; | |
827 | goto out; | |
828 | } | |
829 | read_unlock_bh(&ip_set_ref_lock); | |
a7b4f989 JK |
830 | |
831 | ip_set_destroy_set(i); | |
832 | } | |
833 | return 0; | |
2f9f28b2 JK |
834 | out: |
835 | read_unlock_bh(&ip_set_ref_lock); | |
836 | return ret; | |
a7b4f989 JK |
837 | } |
838 | ||
839 | /* Flush sets */ | |
840 | ||
841 | static void | |
842 | ip_set_flush_set(struct ip_set *set) | |
843 | { | |
844 | pr_debug("set: %s\n", set->name); | |
845 | ||
846 | write_lock_bh(&set->lock); | |
847 | set->variant->flush(set); | |
848 | write_unlock_bh(&set->lock); | |
849 | } | |
850 | ||
851 | static int | |
852 | ip_set_flush(struct sock *ctnl, struct sk_buff *skb, | |
853 | const struct nlmsghdr *nlh, | |
854 | const struct nlattr * const attr[]) | |
855 | { | |
856 | ip_set_id_t i; | |
857 | ||
858 | if (unlikely(protocol_failed(attr))) | |
9184a9cb | 859 | return -IPSET_ERR_PROTOCOL; |
a7b4f989 JK |
860 | |
861 | if (!attr[IPSET_ATTR_SETNAME]) { | |
862 | for (i = 0; i < ip_set_max; i++) | |
863 | if (ip_set_list[i] != NULL) | |
864 | ip_set_flush_set(ip_set_list[i]); | |
865 | } else { | |
866 | i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME])); | |
867 | if (i == IPSET_INVALID_ID) | |
868 | return -ENOENT; | |
869 | ||
870 | ip_set_flush_set(ip_set_list[i]); | |
871 | } | |
872 | ||
873 | return 0; | |
874 | } | |
875 | ||
876 | /* Rename a set */ | |
877 | ||
878 | static const struct nla_policy | |
879 | ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = { | |
880 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | |
881 | [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, | |
882 | .len = IPSET_MAXNAMELEN - 1 }, | |
883 | [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING, | |
884 | .len = IPSET_MAXNAMELEN - 1 }, | |
885 | }; | |
886 | ||
887 | static int | |
888 | ip_set_rename(struct sock *ctnl, struct sk_buff *skb, | |
889 | const struct nlmsghdr *nlh, | |
890 | const struct nlattr * const attr[]) | |
891 | { | |
892 | struct ip_set *set; | |
893 | const char *name2; | |
894 | ip_set_id_t i; | |
2f9f28b2 | 895 | int ret = 0; |
a7b4f989 JK |
896 | |
897 | if (unlikely(protocol_failed(attr) || | |
898 | attr[IPSET_ATTR_SETNAME] == NULL || | |
899 | attr[IPSET_ATTR_SETNAME2] == NULL)) | |
900 | return -IPSET_ERR_PROTOCOL; | |
901 | ||
902 | set = find_set(nla_data(attr[IPSET_ATTR_SETNAME])); | |
903 | if (set == NULL) | |
904 | return -ENOENT; | |
2f9f28b2 JK |
905 | |
906 | read_lock_bh(&ip_set_ref_lock); | |
907 | if (set->ref != 0) { | |
908 | ret = -IPSET_ERR_REFERENCED; | |
909 | goto out; | |
910 | } | |
a7b4f989 JK |
911 | |
912 | name2 = nla_data(attr[IPSET_ATTR_SETNAME2]); | |
913 | for (i = 0; i < ip_set_max; i++) { | |
914 | if (ip_set_list[i] != NULL && | |
2f9f28b2 JK |
915 | STREQ(ip_set_list[i]->name, name2)) { |
916 | ret = -IPSET_ERR_EXIST_SETNAME2; | |
917 | goto out; | |
918 | } | |
a7b4f989 JK |
919 | } |
920 | strncpy(set->name, name2, IPSET_MAXNAMELEN); | |
921 | ||
2f9f28b2 JK |
922 | out: |
923 | read_unlock_bh(&ip_set_ref_lock); | |
924 | return ret; | |
a7b4f989 JK |
925 | } |
926 | ||
927 | /* Swap two sets so that name/index points to the other. | |
928 | * References and set names are also swapped. | |
929 | * | |
2f9f28b2 JK |
930 | * The commands are serialized by the nfnl mutex and references are |
931 | * protected by the ip_set_ref_lock. The kernel interfaces | |
a7b4f989 JK |
932 | * do not hold the mutex but the pointer settings are atomic |
933 | * so the ip_set_list always contains valid pointers to the sets. | |
934 | */ | |
935 | ||
936 | static int | |
937 | ip_set_swap(struct sock *ctnl, struct sk_buff *skb, | |
938 | const struct nlmsghdr *nlh, | |
939 | const struct nlattr * const attr[]) | |
940 | { | |
941 | struct ip_set *from, *to; | |
942 | ip_set_id_t from_id, to_id; | |
943 | char from_name[IPSET_MAXNAMELEN]; | |
a7b4f989 JK |
944 | |
945 | if (unlikely(protocol_failed(attr) || | |
946 | attr[IPSET_ATTR_SETNAME] == NULL || | |
947 | attr[IPSET_ATTR_SETNAME2] == NULL)) | |
948 | return -IPSET_ERR_PROTOCOL; | |
949 | ||
950 | from_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME])); | |
951 | if (from_id == IPSET_INVALID_ID) | |
952 | return -ENOENT; | |
953 | ||
954 | to_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME2])); | |
955 | if (to_id == IPSET_INVALID_ID) | |
956 | return -IPSET_ERR_EXIST_SETNAME2; | |
957 | ||
958 | from = ip_set_list[from_id]; | |
959 | to = ip_set_list[to_id]; | |
960 | ||
961 | /* Features must not change. | |
25985edc | 962 | * Not an artificial restriction anymore, as we must prevent |
a7b4f989 JK |
963 | * possible loops created by swapping in setlist type of sets. */ |
964 | if (!(from->type->features == to->type->features && | |
965 | from->type->family == to->type->family)) | |
966 | return -IPSET_ERR_TYPE_MISMATCH; | |
967 | ||
a7b4f989 | 968 | strncpy(from_name, from->name, IPSET_MAXNAMELEN); |
a7b4f989 | 969 | strncpy(from->name, to->name, IPSET_MAXNAMELEN); |
a7b4f989 | 970 | strncpy(to->name, from_name, IPSET_MAXNAMELEN); |
a7b4f989 | 971 | |
2f9f28b2 JK |
972 | write_lock_bh(&ip_set_ref_lock); |
973 | swap(from->ref, to->ref); | |
a7b4f989 JK |
974 | ip_set_list[from_id] = to; |
975 | ip_set_list[to_id] = from; | |
2f9f28b2 | 976 | write_unlock_bh(&ip_set_ref_lock); |
a7b4f989 JK |
977 | |
978 | return 0; | |
979 | } | |
980 | ||
981 | /* List/save set data */ | |
982 | ||
c1e2e043 JK |
983 | #define DUMP_INIT 0 |
984 | #define DUMP_ALL 1 | |
985 | #define DUMP_ONE 2 | |
986 | #define DUMP_LAST 3 | |
987 | ||
988 | #define DUMP_TYPE(arg) (((u32)(arg)) & 0x0000FFFF) | |
989 | #define DUMP_FLAGS(arg) (((u32)(arg)) >> 16) | |
a7b4f989 JK |
990 | |
991 | static int | |
992 | ip_set_dump_done(struct netlink_callback *cb) | |
993 | { | |
994 | if (cb->args[2]) { | |
995 | pr_debug("release set %s\n", ip_set_list[cb->args[1]]->name); | |
2f9f28b2 | 996 | ip_set_put_byindex((ip_set_id_t) cb->args[1]); |
a7b4f989 JK |
997 | } |
998 | return 0; | |
999 | } | |
1000 | ||
1001 | static inline void | |
1002 | dump_attrs(struct nlmsghdr *nlh) | |
1003 | { | |
1004 | const struct nlattr *attr; | |
1005 | int rem; | |
1006 | ||
1007 | pr_debug("dump nlmsg\n"); | |
1008 | nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) { | |
1009 | pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len); | |
1010 | } | |
1011 | } | |
1012 | ||
1013 | static int | |
1014 | dump_init(struct netlink_callback *cb) | |
1015 | { | |
1016 | struct nlmsghdr *nlh = nlmsg_hdr(cb->skb); | |
1017 | int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg)); | |
1018 | struct nlattr *cda[IPSET_ATTR_CMD_MAX+1]; | |
1019 | struct nlattr *attr = (void *)nlh + min_len; | |
c1e2e043 | 1020 | u32 dump_type; |
a7b4f989 JK |
1021 | ip_set_id_t index; |
1022 | ||
1023 | /* Second pass, so parser can't fail */ | |
1024 | nla_parse(cda, IPSET_ATTR_CMD_MAX, | |
1025 | attr, nlh->nlmsg_len - min_len, ip_set_setname_policy); | |
1026 | ||
1027 | /* cb->args[0] : dump single set/all sets | |
1028 | * [1] : set index | |
1029 | * [..]: type specific | |
1030 | */ | |
1031 | ||
c1e2e043 JK |
1032 | if (cda[IPSET_ATTR_SETNAME]) { |
1033 | index = find_set_id(nla_data(cda[IPSET_ATTR_SETNAME])); | |
1034 | if (index == IPSET_INVALID_ID) | |
1035 | return -ENOENT; | |
a7b4f989 | 1036 | |
c1e2e043 JK |
1037 | dump_type = DUMP_ONE; |
1038 | cb->args[1] = index; | |
1039 | } else | |
1040 | dump_type = DUMP_ALL; | |
1041 | ||
1042 | if (cda[IPSET_ATTR_FLAGS]) { | |
1043 | u32 f = ip_set_get_h32(cda[IPSET_ATTR_FLAGS]); | |
1044 | dump_type |= (f << 16); | |
1045 | } | |
1046 | cb->args[0] = dump_type; | |
a7b4f989 | 1047 | |
a7b4f989 JK |
1048 | return 0; |
1049 | } | |
1050 | ||
1051 | static int | |
1052 | ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb) | |
1053 | { | |
1054 | ip_set_id_t index = IPSET_INVALID_ID, max; | |
1055 | struct ip_set *set = NULL; | |
1056 | struct nlmsghdr *nlh = NULL; | |
15e47304 | 1057 | unsigned int flags = NETLINK_CB(cb->skb).portid ? NLM_F_MULTI : 0; |
c1e2e043 | 1058 | u32 dump_type, dump_flags; |
a7b4f989 JK |
1059 | int ret = 0; |
1060 | ||
c1e2e043 | 1061 | if (!cb->args[0]) { |
a7b4f989 JK |
1062 | ret = dump_init(cb); |
1063 | if (ret < 0) { | |
1064 | nlh = nlmsg_hdr(cb->skb); | |
1065 | /* We have to create and send the error message | |
1066 | * manually :-( */ | |
1067 | if (nlh->nlmsg_flags & NLM_F_ACK) | |
1068 | netlink_ack(cb->skb, nlh, ret); | |
1069 | return ret; | |
1070 | } | |
1071 | } | |
1072 | ||
1073 | if (cb->args[1] >= ip_set_max) | |
1074 | goto out; | |
1075 | ||
c1e2e043 JK |
1076 | dump_type = DUMP_TYPE(cb->args[0]); |
1077 | dump_flags = DUMP_FLAGS(cb->args[0]); | |
1078 | max = dump_type == DUMP_ONE ? cb->args[1] + 1 : ip_set_max; | |
a8a8a093 | 1079 | dump_last: |
c1e2e043 JK |
1080 | pr_debug("args[0]: %u %u args[1]: %ld\n", |
1081 | dump_type, dump_flags, cb->args[1]); | |
a7b4f989 JK |
1082 | for (; cb->args[1] < max; cb->args[1]++) { |
1083 | index = (ip_set_id_t) cb->args[1]; | |
1084 | set = ip_set_list[index]; | |
1085 | if (set == NULL) { | |
c1e2e043 | 1086 | if (dump_type == DUMP_ONE) { |
a7b4f989 JK |
1087 | ret = -ENOENT; |
1088 | goto out; | |
1089 | } | |
1090 | continue; | |
1091 | } | |
1092 | /* When dumping all sets, we must dump "sorted" | |
1093 | * so that lists (unions of sets) are dumped last. | |
1094 | */ | |
c1e2e043 JK |
1095 | if (dump_type != DUMP_ONE && |
1096 | ((dump_type == DUMP_ALL) == | |
a8a8a093 | 1097 | !!(set->type->features & IPSET_DUMP_LAST))) |
a7b4f989 JK |
1098 | continue; |
1099 | pr_debug("List set: %s\n", set->name); | |
1100 | if (!cb->args[2]) { | |
1101 | /* Start listing: make sure set won't be destroyed */ | |
1102 | pr_debug("reference set\n"); | |
1103 | __ip_set_get(index); | |
1104 | } | |
15e47304 | 1105 | nlh = start_msg(skb, NETLINK_CB(cb->skb).portid, |
a7b4f989 JK |
1106 | cb->nlh->nlmsg_seq, flags, |
1107 | IPSET_CMD_LIST); | |
1108 | if (!nlh) { | |
1109 | ret = -EMSGSIZE; | |
1110 | goto release_refcount; | |
1111 | } | |
7cf7899d DM |
1112 | if (nla_put_u8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) || |
1113 | nla_put_string(skb, IPSET_ATTR_SETNAME, set->name)) | |
1114 | goto nla_put_failure; | |
c1e2e043 JK |
1115 | if (dump_flags & IPSET_FLAG_LIST_SETNAME) |
1116 | goto next_set; | |
a7b4f989 JK |
1117 | switch (cb->args[2]) { |
1118 | case 0: | |
1119 | /* Core header data */ | |
7cf7899d DM |
1120 | if (nla_put_string(skb, IPSET_ATTR_TYPENAME, |
1121 | set->type->name) || | |
1122 | nla_put_u8(skb, IPSET_ATTR_FAMILY, | |
1123 | set->family) || | |
1124 | nla_put_u8(skb, IPSET_ATTR_REVISION, | |
1125 | set->revision)) | |
1126 | goto nla_put_failure; | |
a7b4f989 JK |
1127 | ret = set->variant->head(set, skb); |
1128 | if (ret < 0) | |
1129 | goto release_refcount; | |
c1e2e043 JK |
1130 | if (dump_flags & IPSET_FLAG_LIST_HEADER) |
1131 | goto next_set; | |
a7b4f989 JK |
1132 | /* Fall through and add elements */ |
1133 | default: | |
1134 | read_lock_bh(&set->lock); | |
1135 | ret = set->variant->list(set, skb, cb); | |
1136 | read_unlock_bh(&set->lock); | |
c1e2e043 | 1137 | if (!cb->args[2]) |
a7b4f989 | 1138 | /* Set is done, proceed with next one */ |
c1e2e043 | 1139 | goto next_set; |
a7b4f989 JK |
1140 | goto release_refcount; |
1141 | } | |
1142 | } | |
a8a8a093 | 1143 | /* If we dump all sets, continue with dumping last ones */ |
c1e2e043 JK |
1144 | if (dump_type == DUMP_ALL) { |
1145 | dump_type = DUMP_LAST; | |
1146 | cb->args[0] = dump_type | (dump_flags << 16); | |
a8a8a093 JK |
1147 | cb->args[1] = 0; |
1148 | goto dump_last; | |
1149 | } | |
a7b4f989 JK |
1150 | goto out; |
1151 | ||
1152 | nla_put_failure: | |
1153 | ret = -EFAULT; | |
c1e2e043 JK |
1154 | next_set: |
1155 | if (dump_type == DUMP_ONE) | |
1156 | cb->args[1] = IPSET_INVALID_ID; | |
1157 | else | |
1158 | cb->args[1]++; | |
a7b4f989 JK |
1159 | release_refcount: |
1160 | /* If there was an error or set is done, release set */ | |
1161 | if (ret || !cb->args[2]) { | |
1162 | pr_debug("release set %s\n", ip_set_list[index]->name); | |
2f9f28b2 | 1163 | ip_set_put_byindex(index); |
be94db9d | 1164 | cb->args[2] = 0; |
a7b4f989 | 1165 | } |
a7b4f989 JK |
1166 | out: |
1167 | if (nlh) { | |
1168 | nlmsg_end(skb, nlh); | |
1169 | pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len); | |
1170 | dump_attrs(nlh); | |
1171 | } | |
1172 | ||
1173 | return ret < 0 ? ret : skb->len; | |
1174 | } | |
1175 | ||
1176 | static int | |
1177 | ip_set_dump(struct sock *ctnl, struct sk_buff *skb, | |
1178 | const struct nlmsghdr *nlh, | |
1179 | const struct nlattr * const attr[]) | |
1180 | { | |
1181 | if (unlikely(protocol_failed(attr))) | |
1182 | return -IPSET_ERR_PROTOCOL; | |
1183 | ||
80d326fa PNA |
1184 | { |
1185 | struct netlink_dump_control c = { | |
1186 | .dump = ip_set_dump_start, | |
1187 | .done = ip_set_dump_done, | |
1188 | }; | |
1189 | return netlink_dump_start(ctnl, skb, nlh, &c); | |
1190 | } | |
a7b4f989 JK |
1191 | } |
1192 | ||
1193 | /* Add, del and test */ | |
1194 | ||
1195 | static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = { | |
1196 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | |
1197 | [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, | |
1198 | .len = IPSET_MAXNAMELEN - 1 }, | |
1199 | [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, | |
1200 | [IPSET_ATTR_DATA] = { .type = NLA_NESTED }, | |
1201 | [IPSET_ATTR_ADT] = { .type = NLA_NESTED }, | |
1202 | }; | |
1203 | ||
1204 | static int | |
5f52bc3c | 1205 | call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set, |
a7b4f989 JK |
1206 | struct nlattr *tb[], enum ipset_adt adt, |
1207 | u32 flags, bool use_lineno) | |
1208 | { | |
3d14b171 | 1209 | int ret; |
a7b4f989 | 1210 | u32 lineno = 0; |
3d14b171 | 1211 | bool eexist = flags & IPSET_FLAG_EXIST, retried = false; |
a7b4f989 JK |
1212 | |
1213 | do { | |
1214 | write_lock_bh(&set->lock); | |
3d14b171 | 1215 | ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried); |
a7b4f989 | 1216 | write_unlock_bh(&set->lock); |
3d14b171 | 1217 | retried = true; |
a7b4f989 JK |
1218 | } while (ret == -EAGAIN && |
1219 | set->variant->resize && | |
3d14b171 | 1220 | (ret = set->variant->resize(set, retried)) == 0); |
a7b4f989 JK |
1221 | |
1222 | if (!ret || (ret == -IPSET_ERR_EXIST && eexist)) | |
1223 | return 0; | |
1224 | if (lineno && use_lineno) { | |
1225 | /* Error in restore/batch mode: send back lineno */ | |
5f52bc3c JK |
1226 | struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb); |
1227 | struct sk_buff *skb2; | |
1228 | struct nlmsgerr *errmsg; | |
1229 | size_t payload = sizeof(*errmsg) + nlmsg_len(nlh); | |
a7b4f989 JK |
1230 | int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg)); |
1231 | struct nlattr *cda[IPSET_ATTR_CMD_MAX+1]; | |
5f52bc3c | 1232 | struct nlattr *cmdattr; |
a7b4f989 JK |
1233 | u32 *errline; |
1234 | ||
5f52bc3c JK |
1235 | skb2 = nlmsg_new(payload, GFP_KERNEL); |
1236 | if (skb2 == NULL) | |
1237 | return -ENOMEM; | |
15e47304 | 1238 | rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid, |
5f52bc3c JK |
1239 | nlh->nlmsg_seq, NLMSG_ERROR, payload, 0); |
1240 | errmsg = nlmsg_data(rep); | |
1241 | errmsg->error = ret; | |
1242 | memcpy(&errmsg->msg, nlh, nlh->nlmsg_len); | |
1243 | cmdattr = (void *)&errmsg->msg + min_len; | |
1244 | ||
a7b4f989 JK |
1245 | nla_parse(cda, IPSET_ATTR_CMD_MAX, |
1246 | cmdattr, nlh->nlmsg_len - min_len, | |
1247 | ip_set_adt_policy); | |
1248 | ||
1249 | errline = nla_data(cda[IPSET_ATTR_LINENO]); | |
1250 | ||
1251 | *errline = lineno; | |
5f52bc3c | 1252 | |
15e47304 | 1253 | netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); |
5f52bc3c JK |
1254 | /* Signal netlink not to send its ACK/errmsg. */ |
1255 | return -EINTR; | |
a7b4f989 JK |
1256 | } |
1257 | ||
1258 | return ret; | |
1259 | } | |
1260 | ||
1261 | static int | |
1262 | ip_set_uadd(struct sock *ctnl, struct sk_buff *skb, | |
1263 | const struct nlmsghdr *nlh, | |
1264 | const struct nlattr * const attr[]) | |
1265 | { | |
1266 | struct ip_set *set; | |
1267 | struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; | |
1268 | const struct nlattr *nla; | |
1269 | u32 flags = flag_exist(nlh); | |
1270 | bool use_lineno; | |
1271 | int ret = 0; | |
1272 | ||
1273 | if (unlikely(protocol_failed(attr) || | |
1274 | attr[IPSET_ATTR_SETNAME] == NULL || | |
1275 | !((attr[IPSET_ATTR_DATA] != NULL) ^ | |
1276 | (attr[IPSET_ATTR_ADT] != NULL)) || | |
1277 | (attr[IPSET_ATTR_DATA] != NULL && | |
1278 | !flag_nested(attr[IPSET_ATTR_DATA])) || | |
1279 | (attr[IPSET_ATTR_ADT] != NULL && | |
1280 | (!flag_nested(attr[IPSET_ATTR_ADT]) || | |
1281 | attr[IPSET_ATTR_LINENO] == NULL)))) | |
1282 | return -IPSET_ERR_PROTOCOL; | |
1283 | ||
1284 | set = find_set(nla_data(attr[IPSET_ATTR_SETNAME])); | |
1285 | if (set == NULL) | |
1286 | return -ENOENT; | |
1287 | ||
1288 | use_lineno = !!attr[IPSET_ATTR_LINENO]; | |
1289 | if (attr[IPSET_ATTR_DATA]) { | |
8da560ce PM |
1290 | if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, |
1291 | attr[IPSET_ATTR_DATA], | |
1292 | set->type->adt_policy)) | |
a7b4f989 | 1293 | return -IPSET_ERR_PROTOCOL; |
5f52bc3c JK |
1294 | ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, flags, |
1295 | use_lineno); | |
a7b4f989 JK |
1296 | } else { |
1297 | int nla_rem; | |
1298 | ||
1299 | nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) { | |
1300 | memset(tb, 0, sizeof(tb)); | |
1301 | if (nla_type(nla) != IPSET_ATTR_DATA || | |
1302 | !flag_nested(nla) || | |
8da560ce PM |
1303 | nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla, |
1304 | set->type->adt_policy)) | |
a7b4f989 | 1305 | return -IPSET_ERR_PROTOCOL; |
5f52bc3c | 1306 | ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, |
a7b4f989 JK |
1307 | flags, use_lineno); |
1308 | if (ret < 0) | |
1309 | return ret; | |
1310 | } | |
1311 | } | |
1312 | return ret; | |
1313 | } | |
1314 | ||
1315 | static int | |
1316 | ip_set_udel(struct sock *ctnl, struct sk_buff *skb, | |
1317 | const struct nlmsghdr *nlh, | |
1318 | const struct nlattr * const attr[]) | |
1319 | { | |
1320 | struct ip_set *set; | |
1321 | struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; | |
1322 | const struct nlattr *nla; | |
1323 | u32 flags = flag_exist(nlh); | |
1324 | bool use_lineno; | |
1325 | int ret = 0; | |
1326 | ||
1327 | if (unlikely(protocol_failed(attr) || | |
1328 | attr[IPSET_ATTR_SETNAME] == NULL || | |
1329 | !((attr[IPSET_ATTR_DATA] != NULL) ^ | |
1330 | (attr[IPSET_ATTR_ADT] != NULL)) || | |
1331 | (attr[IPSET_ATTR_DATA] != NULL && | |
1332 | !flag_nested(attr[IPSET_ATTR_DATA])) || | |
1333 | (attr[IPSET_ATTR_ADT] != NULL && | |
1334 | (!flag_nested(attr[IPSET_ATTR_ADT]) || | |
1335 | attr[IPSET_ATTR_LINENO] == NULL)))) | |
1336 | return -IPSET_ERR_PROTOCOL; | |
1337 | ||
1338 | set = find_set(nla_data(attr[IPSET_ATTR_SETNAME])); | |
1339 | if (set == NULL) | |
1340 | return -ENOENT; | |
1341 | ||
1342 | use_lineno = !!attr[IPSET_ATTR_LINENO]; | |
1343 | if (attr[IPSET_ATTR_DATA]) { | |
8da560ce PM |
1344 | if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, |
1345 | attr[IPSET_ATTR_DATA], | |
1346 | set->type->adt_policy)) | |
a7b4f989 | 1347 | return -IPSET_ERR_PROTOCOL; |
5f52bc3c JK |
1348 | ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, flags, |
1349 | use_lineno); | |
a7b4f989 JK |
1350 | } else { |
1351 | int nla_rem; | |
1352 | ||
1353 | nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) { | |
1354 | memset(tb, 0, sizeof(*tb)); | |
1355 | if (nla_type(nla) != IPSET_ATTR_DATA || | |
1356 | !flag_nested(nla) || | |
8da560ce PM |
1357 | nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla, |
1358 | set->type->adt_policy)) | |
a7b4f989 | 1359 | return -IPSET_ERR_PROTOCOL; |
5f52bc3c | 1360 | ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, |
a7b4f989 JK |
1361 | flags, use_lineno); |
1362 | if (ret < 0) | |
1363 | return ret; | |
1364 | } | |
1365 | } | |
1366 | return ret; | |
1367 | } | |
1368 | ||
1369 | static int | |
1370 | ip_set_utest(struct sock *ctnl, struct sk_buff *skb, | |
1371 | const struct nlmsghdr *nlh, | |
1372 | const struct nlattr * const attr[]) | |
1373 | { | |
1374 | struct ip_set *set; | |
1375 | struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; | |
1376 | int ret = 0; | |
1377 | ||
1378 | if (unlikely(protocol_failed(attr) || | |
1379 | attr[IPSET_ATTR_SETNAME] == NULL || | |
1380 | attr[IPSET_ATTR_DATA] == NULL || | |
1381 | !flag_nested(attr[IPSET_ATTR_DATA]))) | |
1382 | return -IPSET_ERR_PROTOCOL; | |
1383 | ||
1384 | set = find_set(nla_data(attr[IPSET_ATTR_SETNAME])); | |
1385 | if (set == NULL) | |
1386 | return -ENOENT; | |
1387 | ||
8da560ce PM |
1388 | if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], |
1389 | set->type->adt_policy)) | |
a7b4f989 JK |
1390 | return -IPSET_ERR_PROTOCOL; |
1391 | ||
1392 | read_lock_bh(&set->lock); | |
3d14b171 | 1393 | ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0); |
a7b4f989 JK |
1394 | read_unlock_bh(&set->lock); |
1395 | /* Userspace can't trigger element to be re-added */ | |
1396 | if (ret == -EAGAIN) | |
1397 | ret = 1; | |
1398 | ||
1399 | return ret < 0 ? ret : ret > 0 ? 0 : -IPSET_ERR_EXIST; | |
1400 | } | |
1401 | ||
1402 | /* Get headed data of a set */ | |
1403 | ||
1404 | static int | |
1405 | ip_set_header(struct sock *ctnl, struct sk_buff *skb, | |
1406 | const struct nlmsghdr *nlh, | |
1407 | const struct nlattr * const attr[]) | |
1408 | { | |
1409 | const struct ip_set *set; | |
1410 | struct sk_buff *skb2; | |
1411 | struct nlmsghdr *nlh2; | |
1412 | ip_set_id_t index; | |
1413 | int ret = 0; | |
1414 | ||
1415 | if (unlikely(protocol_failed(attr) || | |
1416 | attr[IPSET_ATTR_SETNAME] == NULL)) | |
1417 | return -IPSET_ERR_PROTOCOL; | |
1418 | ||
1419 | index = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME])); | |
1420 | if (index == IPSET_INVALID_ID) | |
1421 | return -ENOENT; | |
1422 | set = ip_set_list[index]; | |
1423 | ||
1424 | skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); | |
1425 | if (skb2 == NULL) | |
1426 | return -ENOMEM; | |
1427 | ||
15e47304 | 1428 | nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0, |
a7b4f989 JK |
1429 | IPSET_CMD_HEADER); |
1430 | if (!nlh2) | |
1431 | goto nlmsg_failure; | |
7cf7899d DM |
1432 | if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) || |
1433 | nla_put_string(skb2, IPSET_ATTR_SETNAME, set->name) || | |
1434 | nla_put_string(skb2, IPSET_ATTR_TYPENAME, set->type->name) || | |
1435 | nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) || | |
1436 | nla_put_u8(skb2, IPSET_ATTR_REVISION, set->revision)) | |
1437 | goto nla_put_failure; | |
a7b4f989 JK |
1438 | nlmsg_end(skb2, nlh2); |
1439 | ||
15e47304 | 1440 | ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); |
a7b4f989 JK |
1441 | if (ret < 0) |
1442 | return ret; | |
1443 | ||
1444 | return 0; | |
1445 | ||
1446 | nla_put_failure: | |
1447 | nlmsg_cancel(skb2, nlh2); | |
1448 | nlmsg_failure: | |
1449 | kfree_skb(skb2); | |
1450 | return -EMSGSIZE; | |
1451 | } | |
1452 | ||
1453 | /* Get type data */ | |
1454 | ||
1455 | static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = { | |
1456 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | |
1457 | [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING, | |
1458 | .len = IPSET_MAXNAMELEN - 1 }, | |
1459 | [IPSET_ATTR_FAMILY] = { .type = NLA_U8 }, | |
1460 | }; | |
1461 | ||
1462 | static int | |
1463 | ip_set_type(struct sock *ctnl, struct sk_buff *skb, | |
1464 | const struct nlmsghdr *nlh, | |
1465 | const struct nlattr * const attr[]) | |
1466 | { | |
1467 | struct sk_buff *skb2; | |
1468 | struct nlmsghdr *nlh2; | |
1469 | u8 family, min, max; | |
1470 | const char *typename; | |
1471 | int ret = 0; | |
1472 | ||
1473 | if (unlikely(protocol_failed(attr) || | |
1474 | attr[IPSET_ATTR_TYPENAME] == NULL || | |
1475 | attr[IPSET_ATTR_FAMILY] == NULL)) | |
1476 | return -IPSET_ERR_PROTOCOL; | |
1477 | ||
1478 | family = nla_get_u8(attr[IPSET_ATTR_FAMILY]); | |
1479 | typename = nla_data(attr[IPSET_ATTR_TYPENAME]); | |
1480 | ret = find_set_type_minmax(typename, family, &min, &max); | |
1481 | if (ret) | |
1482 | return ret; | |
1483 | ||
1484 | skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); | |
1485 | if (skb2 == NULL) | |
1486 | return -ENOMEM; | |
1487 | ||
15e47304 | 1488 | nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0, |
a7b4f989 JK |
1489 | IPSET_CMD_TYPE); |
1490 | if (!nlh2) | |
1491 | goto nlmsg_failure; | |
7cf7899d DM |
1492 | if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) || |
1493 | nla_put_string(skb2, IPSET_ATTR_TYPENAME, typename) || | |
1494 | nla_put_u8(skb2, IPSET_ATTR_FAMILY, family) || | |
1495 | nla_put_u8(skb2, IPSET_ATTR_REVISION, max) || | |
1496 | nla_put_u8(skb2, IPSET_ATTR_REVISION_MIN, min)) | |
1497 | goto nla_put_failure; | |
a7b4f989 JK |
1498 | nlmsg_end(skb2, nlh2); |
1499 | ||
1500 | pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len); | |
15e47304 | 1501 | ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); |
a7b4f989 JK |
1502 | if (ret < 0) |
1503 | return ret; | |
1504 | ||
1505 | return 0; | |
1506 | ||
1507 | nla_put_failure: | |
1508 | nlmsg_cancel(skb2, nlh2); | |
1509 | nlmsg_failure: | |
1510 | kfree_skb(skb2); | |
1511 | return -EMSGSIZE; | |
1512 | } | |
1513 | ||
1514 | /* Get protocol version */ | |
1515 | ||
1516 | static const struct nla_policy | |
1517 | ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = { | |
1518 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | |
1519 | }; | |
1520 | ||
1521 | static int | |
1522 | ip_set_protocol(struct sock *ctnl, struct sk_buff *skb, | |
1523 | const struct nlmsghdr *nlh, | |
1524 | const struct nlattr * const attr[]) | |
1525 | { | |
1526 | struct sk_buff *skb2; | |
1527 | struct nlmsghdr *nlh2; | |
1528 | int ret = 0; | |
1529 | ||
1530 | if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL)) | |
1531 | return -IPSET_ERR_PROTOCOL; | |
1532 | ||
1533 | skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); | |
1534 | if (skb2 == NULL) | |
1535 | return -ENOMEM; | |
1536 | ||
15e47304 | 1537 | nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0, |
a7b4f989 JK |
1538 | IPSET_CMD_PROTOCOL); |
1539 | if (!nlh2) | |
1540 | goto nlmsg_failure; | |
7cf7899d DM |
1541 | if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL)) |
1542 | goto nla_put_failure; | |
a7b4f989 JK |
1543 | nlmsg_end(skb2, nlh2); |
1544 | ||
15e47304 | 1545 | ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); |
a7b4f989 JK |
1546 | if (ret < 0) |
1547 | return ret; | |
1548 | ||
1549 | return 0; | |
1550 | ||
1551 | nla_put_failure: | |
1552 | nlmsg_cancel(skb2, nlh2); | |
1553 | nlmsg_failure: | |
1554 | kfree_skb(skb2); | |
1555 | return -EMSGSIZE; | |
1556 | } | |
1557 | ||
1558 | static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = { | |
d31f4d44 TB |
1559 | [IPSET_CMD_NONE] = { |
1560 | .call = ip_set_none, | |
1561 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1562 | }, | |
a7b4f989 JK |
1563 | [IPSET_CMD_CREATE] = { |
1564 | .call = ip_set_create, | |
1565 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1566 | .policy = ip_set_create_policy, | |
1567 | }, | |
1568 | [IPSET_CMD_DESTROY] = { | |
1569 | .call = ip_set_destroy, | |
1570 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1571 | .policy = ip_set_setname_policy, | |
1572 | }, | |
1573 | [IPSET_CMD_FLUSH] = { | |
1574 | .call = ip_set_flush, | |
1575 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1576 | .policy = ip_set_setname_policy, | |
1577 | }, | |
1578 | [IPSET_CMD_RENAME] = { | |
1579 | .call = ip_set_rename, | |
1580 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1581 | .policy = ip_set_setname2_policy, | |
1582 | }, | |
1583 | [IPSET_CMD_SWAP] = { | |
1584 | .call = ip_set_swap, | |
1585 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1586 | .policy = ip_set_setname2_policy, | |
1587 | }, | |
1588 | [IPSET_CMD_LIST] = { | |
1589 | .call = ip_set_dump, | |
1590 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1591 | .policy = ip_set_setname_policy, | |
1592 | }, | |
1593 | [IPSET_CMD_SAVE] = { | |
1594 | .call = ip_set_dump, | |
1595 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1596 | .policy = ip_set_setname_policy, | |
1597 | }, | |
1598 | [IPSET_CMD_ADD] = { | |
1599 | .call = ip_set_uadd, | |
1600 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1601 | .policy = ip_set_adt_policy, | |
1602 | }, | |
1603 | [IPSET_CMD_DEL] = { | |
1604 | .call = ip_set_udel, | |
1605 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1606 | .policy = ip_set_adt_policy, | |
1607 | }, | |
1608 | [IPSET_CMD_TEST] = { | |
1609 | .call = ip_set_utest, | |
1610 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1611 | .policy = ip_set_adt_policy, | |
1612 | }, | |
1613 | [IPSET_CMD_HEADER] = { | |
1614 | .call = ip_set_header, | |
1615 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1616 | .policy = ip_set_setname_policy, | |
1617 | }, | |
1618 | [IPSET_CMD_TYPE] = { | |
1619 | .call = ip_set_type, | |
1620 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1621 | .policy = ip_set_type_policy, | |
1622 | }, | |
1623 | [IPSET_CMD_PROTOCOL] = { | |
1624 | .call = ip_set_protocol, | |
1625 | .attr_count = IPSET_ATTR_CMD_MAX, | |
1626 | .policy = ip_set_protocol_policy, | |
1627 | }, | |
1628 | }; | |
1629 | ||
1630 | static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = { | |
1631 | .name = "ip_set", | |
1632 | .subsys_id = NFNL_SUBSYS_IPSET, | |
1633 | .cb_count = IPSET_MSG_MAX, | |
1634 | .cb = ip_set_netlink_subsys_cb, | |
1635 | }; | |
1636 | ||
1637 | /* Interface to iptables/ip6tables */ | |
1638 | ||
1639 | static int | |
1640 | ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len) | |
1641 | { | |
95c96174 | 1642 | unsigned int *op; |
a7b4f989 JK |
1643 | void *data; |
1644 | int copylen = *len, ret = 0; | |
1645 | ||
df008c91 | 1646 | if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) |
a7b4f989 JK |
1647 | return -EPERM; |
1648 | if (optval != SO_IP_SET) | |
1649 | return -EBADF; | |
95c96174 | 1650 | if (*len < sizeof(unsigned int)) |
a7b4f989 JK |
1651 | return -EINVAL; |
1652 | ||
1653 | data = vmalloc(*len); | |
1654 | if (!data) | |
1655 | return -ENOMEM; | |
1656 | if (copy_from_user(data, user, *len) != 0) { | |
1657 | ret = -EFAULT; | |
1658 | goto done; | |
1659 | } | |
95c96174 | 1660 | op = (unsigned int *) data; |
a7b4f989 JK |
1661 | |
1662 | if (*op < IP_SET_OP_VERSION) { | |
1663 | /* Check the version at the beginning of operations */ | |
1664 | struct ip_set_req_version *req_version = data; | |
1665 | if (req_version->version != IPSET_PROTOCOL) { | |
1666 | ret = -EPROTO; | |
1667 | goto done; | |
1668 | } | |
1669 | } | |
1670 | ||
1671 | switch (*op) { | |
1672 | case IP_SET_OP_VERSION: { | |
1673 | struct ip_set_req_version *req_version = data; | |
1674 | ||
1675 | if (*len != sizeof(struct ip_set_req_version)) { | |
1676 | ret = -EINVAL; | |
1677 | goto done; | |
1678 | } | |
1679 | ||
1680 | req_version->version = IPSET_PROTOCOL; | |
1681 | ret = copy_to_user(user, req_version, | |
1682 | sizeof(struct ip_set_req_version)); | |
1683 | goto done; | |
1684 | } | |
1685 | case IP_SET_OP_GET_BYNAME: { | |
1686 | struct ip_set_req_get_set *req_get = data; | |
1687 | ||
1688 | if (*len != sizeof(struct ip_set_req_get_set)) { | |
1689 | ret = -EINVAL; | |
1690 | goto done; | |
1691 | } | |
1692 | req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0'; | |
1693 | nfnl_lock(); | |
1694 | req_get->set.index = find_set_id(req_get->set.name); | |
1695 | nfnl_unlock(); | |
1696 | goto copy; | |
1697 | } | |
1698 | case IP_SET_OP_GET_BYINDEX: { | |
1699 | struct ip_set_req_get_set *req_get = data; | |
1700 | ||
1701 | if (*len != sizeof(struct ip_set_req_get_set) || | |
1702 | req_get->set.index >= ip_set_max) { | |
1703 | ret = -EINVAL; | |
1704 | goto done; | |
1705 | } | |
1706 | nfnl_lock(); | |
1707 | strncpy(req_get->set.name, | |
1708 | ip_set_list[req_get->set.index] | |
1709 | ? ip_set_list[req_get->set.index]->name : "", | |
1710 | IPSET_MAXNAMELEN); | |
1711 | nfnl_unlock(); | |
1712 | goto copy; | |
1713 | } | |
1714 | default: | |
1715 | ret = -EBADMSG; | |
1716 | goto done; | |
1717 | } /* end of switch(op) */ | |
1718 | ||
1719 | copy: | |
1720 | ret = copy_to_user(user, data, copylen); | |
1721 | ||
1722 | done: | |
1723 | vfree(data); | |
1724 | if (ret > 0) | |
1725 | ret = 0; | |
1726 | return ret; | |
1727 | } | |
1728 | ||
1729 | static struct nf_sockopt_ops so_set __read_mostly = { | |
1730 | .pf = PF_INET, | |
1731 | .get_optmin = SO_IP_SET, | |
1732 | .get_optmax = SO_IP_SET + 1, | |
1733 | .get = &ip_set_sockfn_get, | |
1734 | .owner = THIS_MODULE, | |
1735 | }; | |
1736 | ||
1737 | static int __init | |
1738 | ip_set_init(void) | |
1739 | { | |
1740 | int ret; | |
1741 | ||
1742 | if (max_sets) | |
1743 | ip_set_max = max_sets; | |
1744 | if (ip_set_max >= IPSET_INVALID_ID) | |
1745 | ip_set_max = IPSET_INVALID_ID - 1; | |
1746 | ||
1747 | ip_set_list = kzalloc(sizeof(struct ip_set *) * ip_set_max, | |
1748 | GFP_KERNEL); | |
0a9ee813 | 1749 | if (!ip_set_list) |
a7b4f989 | 1750 | return -ENOMEM; |
a7b4f989 JK |
1751 | |
1752 | ret = nfnetlink_subsys_register(&ip_set_netlink_subsys); | |
1753 | if (ret != 0) { | |
1754 | pr_err("ip_set: cannot register with nfnetlink.\n"); | |
1755 | kfree(ip_set_list); | |
1756 | return ret; | |
1757 | } | |
1758 | ret = nf_register_sockopt(&so_set); | |
1759 | if (ret != 0) { | |
1760 | pr_err("SO_SET registry failed: %d\n", ret); | |
1761 | nfnetlink_subsys_unregister(&ip_set_netlink_subsys); | |
1762 | kfree(ip_set_list); | |
1763 | return ret; | |
1764 | } | |
1765 | ||
1766 | pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL); | |
1767 | return 0; | |
1768 | } | |
1769 | ||
1770 | static void __exit | |
1771 | ip_set_fini(void) | |
1772 | { | |
1773 | /* There can't be any existing set */ | |
1774 | nf_unregister_sockopt(&so_set); | |
1775 | nfnetlink_subsys_unregister(&ip_set_netlink_subsys); | |
1776 | kfree(ip_set_list); | |
1777 | pr_debug("these are the famous last words\n"); | |
1778 | } | |
1779 | ||
1780 | module_init(ip_set_init); | |
1781 | module_exit(ip_set_fini); |