1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
10 /* Kernel module for IP set management */
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/moduleparam.h>
16 #include <linux/skbuff.h>
17 #include <linux/spinlock.h>
18 #include <linux/netlink.h>
19 #include <linux/rculist.h>
20 #include <net/netlink.h>
22 #include <linux/netfilter.h>
23 #include <linux/netfilter/x_tables.h>
24 #include <linux/netfilter/nfnetlink.h>
25 #include <linux/netfilter/ipset/ip_set.h>
27 static LIST_HEAD(ip_set_type_list
); /* all registered set types */
28 static DEFINE_MUTEX(ip_set_type_mutex
); /* protects ip_set_type_list */
29 static DEFINE_RWLOCK(ip_set_ref_lock
); /* protects the set refs */
31 static struct ip_set
**ip_set_list
; /* all individual sets */
32 static ip_set_id_t ip_set_max
= CONFIG_IP_SET_MAX
; /* max number of sets */
34 #define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
36 static unsigned int max_sets
;
38 module_param(max_sets
, int, 0600);
39 MODULE_PARM_DESC(max_sets
, "maximal number of sets");
40 MODULE_LICENSE("GPL");
41 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
42 MODULE_DESCRIPTION("core IP set support");
43 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET
);
46 * The set types are implemented in modules and registered set types
47 * can be found in ip_set_type_list. Adding/deleting types is
48 * serialized by ip_set_type_mutex.
52 ip_set_type_lock(void)
54 mutex_lock(&ip_set_type_mutex
);
58 ip_set_type_unlock(void)
60 mutex_unlock(&ip_set_type_mutex
);
63 /* Register and deregister settype */
65 static struct ip_set_type
*
66 find_set_type(const char *name
, u8 family
, u8 revision
)
68 struct ip_set_type
*type
;
70 list_for_each_entry_rcu(type
, &ip_set_type_list
, list
)
71 if (STREQ(type
->name
, name
) &&
72 (type
->family
== family
||
73 type
->family
== NFPROTO_UNSPEC
) &&
74 revision
>= type
->revision_min
&&
75 revision
<= type
->revision_max
)
80 /* Unlock, try to load a set type module and lock again */
82 load_settype(const char *name
)
85 pr_debug("try to load ip_set_%s\n", name
);
86 if (request_module("ip_set_%s", name
) < 0) {
87 pr_warning("Can't find ip_set type %s\n", name
);
95 /* Find a set type and reference it */
96 #define find_set_type_get(name, family, revision, found) \
97 __find_set_type_get(name, family, revision, found, false)
100 __find_set_type_get(const char *name
, u8 family
, u8 revision
,
101 struct ip_set_type
**found
, bool retry
)
103 struct ip_set_type
*type
;
106 if (retry
&& !load_settype(name
))
107 return -IPSET_ERR_FIND_TYPE
;
110 *found
= find_set_type(name
, family
, revision
);
112 err
= !try_module_get((*found
)->me
) ? -EFAULT
: 0;
115 /* Make sure the type is already loaded
116 * but we don't support the revision */
117 list_for_each_entry_rcu(type
, &ip_set_type_list
, list
)
118 if (STREQ(type
->name
, name
)) {
119 err
= -IPSET_ERR_FIND_TYPE
;
124 return retry
? -IPSET_ERR_FIND_TYPE
:
125 __find_set_type_get(name
, family
, revision
, found
, true);
132 /* Find a given set type by name and family.
133 * If we succeeded, the supported minimal and maximum revisions are
136 #define find_set_type_minmax(name, family, min, max) \
137 __find_set_type_minmax(name, family, min, max, false)
140 __find_set_type_minmax(const char *name
, u8 family
, u8
*min
, u8
*max
,
143 struct ip_set_type
*type
;
146 if (retry
&& !load_settype(name
))
147 return -IPSET_ERR_FIND_TYPE
;
149 *min
= 255; *max
= 0;
151 list_for_each_entry_rcu(type
, &ip_set_type_list
, list
)
152 if (STREQ(type
->name
, name
) &&
153 (type
->family
== family
||
154 type
->family
== NFPROTO_UNSPEC
)) {
156 if (type
->revision_min
< *min
)
157 *min
= type
->revision_min
;
158 if (type
->revision_max
> *max
)
159 *max
= type
->revision_max
;
165 return retry
? -IPSET_ERR_FIND_TYPE
:
166 __find_set_type_minmax(name
, family
, min
, max
, true);
169 #define family_name(f) ((f) == NFPROTO_IPV4 ? "inet" : \
170 (f) == NFPROTO_IPV6 ? "inet6" : "any")
172 /* Register a set type structure. The type is identified by
173 * the unique triple of name, family and revision.
176 ip_set_type_register(struct ip_set_type
*type
)
180 if (type
->protocol
!= IPSET_PROTOCOL
) {
181 pr_warning("ip_set type %s, family %s, revision %u:%u uses "
182 "wrong protocol version %u (want %u)\n",
183 type
->name
, family_name(type
->family
),
184 type
->revision_min
, type
->revision_max
,
185 type
->protocol
, IPSET_PROTOCOL
);
190 if (find_set_type(type
->name
, type
->family
, type
->revision_min
)) {
192 pr_warning("ip_set type %s, family %s with revision min %u "
193 "already registered!\n", type
->name
,
194 family_name(type
->family
), type
->revision_min
);
198 list_add_rcu(&type
->list
, &ip_set_type_list
);
199 pr_debug("type %s, family %s, revision %u:%u registered.\n",
200 type
->name
, family_name(type
->family
),
201 type
->revision_min
, type
->revision_max
);
203 ip_set_type_unlock();
206 EXPORT_SYMBOL_GPL(ip_set_type_register
);
208 /* Unregister a set type. There's a small race with ip_set_create */
210 ip_set_type_unregister(struct ip_set_type
*type
)
213 if (!find_set_type(type
->name
, type
->family
, type
->revision_min
)) {
214 pr_warning("ip_set type %s, family %s with revision min %u "
215 "not registered\n", type
->name
,
216 family_name(type
->family
), type
->revision_min
);
219 list_del_rcu(&type
->list
);
220 pr_debug("type %s, family %s with revision min %u unregistered.\n",
221 type
->name
, family_name(type
->family
), type
->revision_min
);
223 ip_set_type_unlock();
227 EXPORT_SYMBOL_GPL(ip_set_type_unregister
);
229 /* Utility functions */
231 ip_set_alloc(size_t size
)
233 void *members
= NULL
;
235 if (size
< KMALLOC_MAX_SIZE
)
236 members
= kzalloc(size
, GFP_KERNEL
| __GFP_NOWARN
);
239 pr_debug("%p: allocated with kmalloc\n", members
);
243 members
= vzalloc(size
);
246 pr_debug("%p: allocated with vmalloc\n", members
);
250 EXPORT_SYMBOL_GPL(ip_set_alloc
);
253 ip_set_free(void *members
)
255 pr_debug("%p: free with %s\n", members
,
256 is_vmalloc_addr(members
) ? "vfree" : "kfree");
257 if (is_vmalloc_addr(members
))
262 EXPORT_SYMBOL_GPL(ip_set_free
);
265 flag_nested(const struct nlattr
*nla
)
267 return nla
->nla_type
& NLA_F_NESTED
;
270 static const struct nla_policy ipaddr_policy
[IPSET_ATTR_IPADDR_MAX
+ 1] = {
271 [IPSET_ATTR_IPADDR_IPV4
] = { .type
= NLA_U32
},
272 [IPSET_ATTR_IPADDR_IPV6
] = { .type
= NLA_BINARY
,
273 .len
= sizeof(struct in6_addr
) },
277 ip_set_get_ipaddr4(struct nlattr
*nla
, __be32
*ipaddr
)
279 struct nlattr
*tb
[IPSET_ATTR_IPADDR_MAX
+1];
281 if (unlikely(!flag_nested(nla
)))
282 return -IPSET_ERR_PROTOCOL
;
283 if (nla_parse_nested(tb
, IPSET_ATTR_IPADDR_MAX
, nla
, ipaddr_policy
))
284 return -IPSET_ERR_PROTOCOL
;
285 if (unlikely(!ip_set_attr_netorder(tb
, IPSET_ATTR_IPADDR_IPV4
)))
286 return -IPSET_ERR_PROTOCOL
;
288 *ipaddr
= nla_get_be32(tb
[IPSET_ATTR_IPADDR_IPV4
]);
291 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4
);
294 ip_set_get_ipaddr6(struct nlattr
*nla
, union nf_inet_addr
*ipaddr
)
296 struct nlattr
*tb
[IPSET_ATTR_IPADDR_MAX
+1];
298 if (unlikely(!flag_nested(nla
)))
299 return -IPSET_ERR_PROTOCOL
;
301 if (nla_parse_nested(tb
, IPSET_ATTR_IPADDR_MAX
, nla
, ipaddr_policy
))
302 return -IPSET_ERR_PROTOCOL
;
303 if (unlikely(!ip_set_attr_netorder(tb
, IPSET_ATTR_IPADDR_IPV6
)))
304 return -IPSET_ERR_PROTOCOL
;
306 memcpy(ipaddr
, nla_data(tb
[IPSET_ATTR_IPADDR_IPV6
]),
307 sizeof(struct in6_addr
));
310 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6
);
313 * Creating/destroying/renaming/swapping affect the existence and
314 * the properties of a set. All of these can be executed from userspace
315 * only and serialized by the nfnl mutex indirectly from nfnetlink.
317 * Sets are identified by their index in ip_set_list and the index
318 * is used by the external references (set/SET netfilter modules).
320 * The set behind an index may change by swapping only, from userspace.
324 __ip_set_get(ip_set_id_t index
)
326 write_lock_bh(&ip_set_ref_lock
);
327 ip_set_list
[index
]->ref
++;
328 write_unlock_bh(&ip_set_ref_lock
);
332 __ip_set_put(ip_set_id_t index
)
334 write_lock_bh(&ip_set_ref_lock
);
335 BUG_ON(ip_set_list
[index
]->ref
== 0);
336 ip_set_list
[index
]->ref
--;
337 write_unlock_bh(&ip_set_ref_lock
);
341 * Add, del and test set entries from kernel.
343 * The set behind the index must exist and must be referenced
344 * so it can't be destroyed (or changed) under our foot.
348 ip_set_test(ip_set_id_t index
, const struct sk_buff
*skb
,
349 const struct xt_action_param
*par
,
350 const struct ip_set_adt_opt
*opt
)
352 struct ip_set
*set
= ip_set_list
[index
];
356 pr_debug("set %s, index %u\n", set
->name
, index
);
358 if (opt
->dim
< set
->type
->dimension
||
359 !(opt
->family
== set
->family
|| set
->family
== NFPROTO_UNSPEC
))
362 read_lock_bh(&set
->lock
);
363 ret
= set
->variant
->kadt(set
, skb
, par
, IPSET_TEST
, opt
);
364 read_unlock_bh(&set
->lock
);
366 if (ret
== -EAGAIN
) {
367 /* Type requests element to be completed */
368 pr_debug("element must be competed, ADD is triggered\n");
369 write_lock_bh(&set
->lock
);
370 set
->variant
->kadt(set
, skb
, par
, IPSET_ADD
, opt
);
371 write_unlock_bh(&set
->lock
);
374 /* --return-nomatch: invert matched element */
375 if ((opt
->flags
& IPSET_RETURN_NOMATCH
) &&
376 (set
->type
->features
& IPSET_TYPE_NOMATCH
) &&
377 (ret
> 0 || ret
== -ENOTEMPTY
))
381 /* Convert error codes to nomatch */
382 return (ret
< 0 ? 0 : ret
);
384 EXPORT_SYMBOL_GPL(ip_set_test
);
387 ip_set_add(ip_set_id_t index
, const struct sk_buff
*skb
,
388 const struct xt_action_param
*par
,
389 const struct ip_set_adt_opt
*opt
)
391 struct ip_set
*set
= ip_set_list
[index
];
395 pr_debug("set %s, index %u\n", set
->name
, index
);
397 if (opt
->dim
< set
->type
->dimension
||
398 !(opt
->family
== set
->family
|| set
->family
== NFPROTO_UNSPEC
))
401 write_lock_bh(&set
->lock
);
402 ret
= set
->variant
->kadt(set
, skb
, par
, IPSET_ADD
, opt
);
403 write_unlock_bh(&set
->lock
);
407 EXPORT_SYMBOL_GPL(ip_set_add
);
410 ip_set_del(ip_set_id_t index
, const struct sk_buff
*skb
,
411 const struct xt_action_param
*par
,
412 const struct ip_set_adt_opt
*opt
)
414 struct ip_set
*set
= ip_set_list
[index
];
418 pr_debug("set %s, index %u\n", set
->name
, index
);
420 if (opt
->dim
< set
->type
->dimension
||
421 !(opt
->family
== set
->family
|| set
->family
== NFPROTO_UNSPEC
))
424 write_lock_bh(&set
->lock
);
425 ret
= set
->variant
->kadt(set
, skb
, par
, IPSET_DEL
, opt
);
426 write_unlock_bh(&set
->lock
);
430 EXPORT_SYMBOL_GPL(ip_set_del
);
433 * Find set by name, reference it once. The reference makes sure the
434 * thing pointed to, does not go away under our feet.
438 ip_set_get_byname(const char *name
, struct ip_set
**set
)
440 ip_set_id_t i
, index
= IPSET_INVALID_ID
;
443 for (i
= 0; i
< ip_set_max
; i
++) {
445 if (s
!= NULL
&& STREQ(s
->name
, name
)) {
454 EXPORT_SYMBOL_GPL(ip_set_get_byname
);
457 * If the given set pointer points to a valid set, decrement
458 * reference count by 1. The caller shall not assume the index
459 * to be valid, after calling this function.
463 ip_set_put_byindex(ip_set_id_t index
)
465 if (ip_set_list
[index
] != NULL
)
468 EXPORT_SYMBOL_GPL(ip_set_put_byindex
);
471 * Get the name of a set behind a set index.
472 * We assume the set is referenced, so it does exist and
473 * can't be destroyed. The set cannot be renamed due to
474 * the referencing either.
478 ip_set_name_byindex(ip_set_id_t index
)
480 const struct ip_set
*set
= ip_set_list
[index
];
483 BUG_ON(set
->ref
== 0);
485 /* Referenced, so it's safe */
488 EXPORT_SYMBOL_GPL(ip_set_name_byindex
);
491 * Routines to call by external subsystems, which do not
492 * call nfnl_lock for us.
496 * Find set by name, reference it once. The reference makes sure the
497 * thing pointed to, does not go away under our feet.
499 * The nfnl mutex is used in the function.
502 ip_set_nfnl_get(const char *name
)
508 index
= ip_set_get_byname(name
, &s
);
513 EXPORT_SYMBOL_GPL(ip_set_nfnl_get
);
516 * Find set by index, reference it once. The reference makes sure the
517 * thing pointed to, does not go away under our feet.
519 * The nfnl mutex is used in the function.
522 ip_set_nfnl_get_byindex(ip_set_id_t index
)
524 if (index
> ip_set_max
)
525 return IPSET_INVALID_ID
;
528 if (ip_set_list
[index
])
531 index
= IPSET_INVALID_ID
;
536 EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex
);
539 * If the given set pointer points to a valid set, decrement
540 * reference count by 1. The caller shall not assume the index
541 * to be valid, after calling this function.
543 * The nfnl mutex is used in the function.
546 ip_set_nfnl_put(ip_set_id_t index
)
549 ip_set_put_byindex(index
);
552 EXPORT_SYMBOL_GPL(ip_set_nfnl_put
);
555 * Communication protocol with userspace over netlink.
557 * The commands are serialized by the nfnl mutex.
561 protocol_failed(const struct nlattr
* const tb
[])
563 return !tb
[IPSET_ATTR_PROTOCOL
] ||
564 nla_get_u8(tb
[IPSET_ATTR_PROTOCOL
]) != IPSET_PROTOCOL
;
568 flag_exist(const struct nlmsghdr
*nlh
)
570 return nlh
->nlmsg_flags
& NLM_F_EXCL
? 0 : IPSET_FLAG_EXIST
;
573 static struct nlmsghdr
*
574 start_msg(struct sk_buff
*skb
, u32 portid
, u32 seq
, unsigned int flags
,
577 struct nlmsghdr
*nlh
;
578 struct nfgenmsg
*nfmsg
;
580 nlh
= nlmsg_put(skb
, portid
, seq
, cmd
| (NFNL_SUBSYS_IPSET
<< 8),
581 sizeof(*nfmsg
), flags
);
585 nfmsg
= nlmsg_data(nlh
);
586 nfmsg
->nfgen_family
= NFPROTO_IPV4
;
587 nfmsg
->version
= NFNETLINK_V0
;
595 static const struct nla_policy ip_set_create_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
596 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
597 [IPSET_ATTR_SETNAME
] = { .type
= NLA_NUL_STRING
,
598 .len
= IPSET_MAXNAMELEN
- 1 },
599 [IPSET_ATTR_TYPENAME
] = { .type
= NLA_NUL_STRING
,
600 .len
= IPSET_MAXNAMELEN
- 1},
601 [IPSET_ATTR_REVISION
] = { .type
= NLA_U8
},
602 [IPSET_ATTR_FAMILY
] = { .type
= NLA_U8
},
603 [IPSET_ATTR_DATA
] = { .type
= NLA_NESTED
},
607 find_set_id(const char *name
)
609 ip_set_id_t i
, index
= IPSET_INVALID_ID
;
610 const struct ip_set
*set
;
612 for (i
= 0; index
== IPSET_INVALID_ID
&& i
< ip_set_max
; i
++) {
613 set
= ip_set_list
[i
];
614 if (set
!= NULL
&& STREQ(set
->name
, name
))
620 static inline struct ip_set
*
621 find_set(const char *name
)
623 ip_set_id_t index
= find_set_id(name
);
625 return index
== IPSET_INVALID_ID
? NULL
: ip_set_list
[index
];
629 find_free_id(const char *name
, ip_set_id_t
*index
, struct ip_set
**set
)
633 *index
= IPSET_INVALID_ID
;
634 for (i
= 0; i
< ip_set_max
; i
++) {
635 if (ip_set_list
[i
] == NULL
) {
636 if (*index
== IPSET_INVALID_ID
)
638 } else if (STREQ(name
, ip_set_list
[i
]->name
)) {
640 *set
= ip_set_list
[i
];
644 if (*index
== IPSET_INVALID_ID
)
645 /* No free slot remained */
646 return -IPSET_ERR_MAX_SETS
;
651 ip_set_none(struct sock
*ctnl
, struct sk_buff
*skb
,
652 const struct nlmsghdr
*nlh
,
653 const struct nlattr
* const attr
[])
659 ip_set_create(struct sock
*ctnl
, struct sk_buff
*skb
,
660 const struct nlmsghdr
*nlh
,
661 const struct nlattr
* const attr
[])
663 struct ip_set
*set
, *clash
= NULL
;
664 ip_set_id_t index
= IPSET_INVALID_ID
;
665 struct nlattr
*tb
[IPSET_ATTR_CREATE_MAX
+1] = {};
666 const char *name
, *typename
;
668 u32 flags
= flag_exist(nlh
);
671 if (unlikely(protocol_failed(attr
) ||
672 attr
[IPSET_ATTR_SETNAME
] == NULL
||
673 attr
[IPSET_ATTR_TYPENAME
] == NULL
||
674 attr
[IPSET_ATTR_REVISION
] == NULL
||
675 attr
[IPSET_ATTR_FAMILY
] == NULL
||
676 (attr
[IPSET_ATTR_DATA
] != NULL
&&
677 !flag_nested(attr
[IPSET_ATTR_DATA
]))))
678 return -IPSET_ERR_PROTOCOL
;
680 name
= nla_data(attr
[IPSET_ATTR_SETNAME
]);
681 typename
= nla_data(attr
[IPSET_ATTR_TYPENAME
]);
682 family
= nla_get_u8(attr
[IPSET_ATTR_FAMILY
]);
683 revision
= nla_get_u8(attr
[IPSET_ATTR_REVISION
]);
684 pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
685 name
, typename
, family_name(family
), revision
);
688 * First, and without any locks, allocate and initialize
689 * a normal base set structure.
691 set
= kzalloc(sizeof(struct ip_set
), GFP_KERNEL
);
694 rwlock_init(&set
->lock
);
695 strlcpy(set
->name
, name
, IPSET_MAXNAMELEN
);
696 set
->family
= family
;
697 set
->revision
= revision
;
700 * Next, check that we know the type, and take
701 * a reference on the type, to make sure it stays available
702 * while constructing our new set.
704 * After referencing the type, we try to create the type
705 * specific part of the set without holding any locks.
707 ret
= find_set_type_get(typename
, family
, revision
, &(set
->type
));
712 * Without holding any locks, create private part.
714 if (attr
[IPSET_ATTR_DATA
] &&
715 nla_parse_nested(tb
, IPSET_ATTR_CREATE_MAX
, attr
[IPSET_ATTR_DATA
],
716 set
->type
->create_policy
)) {
717 ret
= -IPSET_ERR_PROTOCOL
;
721 ret
= set
->type
->create(set
, tb
, flags
);
725 /* BTW, ret==0 here. */
728 * Here, we have a valid, constructed set and we are protected
729 * by the nfnl mutex. Find the first free index in ip_set_list
730 * and check clashing.
732 ret
= find_free_id(set
->name
, &index
, &clash
);
734 /* If this is the same set and requested, ignore error */
735 if (ret
== -EEXIST
&&
736 (flags
& IPSET_FLAG_EXIST
) &&
737 STREQ(set
->type
->name
, clash
->type
->name
) &&
738 set
->type
->family
== clash
->type
->family
&&
739 set
->type
->revision_min
== clash
->type
->revision_min
&&
740 set
->type
->revision_max
== clash
->type
->revision_max
&&
741 set
->variant
->same_set(set
, clash
))
747 * Finally! Add our shiny new set to the list, and be done.
749 pr_debug("create: '%s' created with index %u!\n", set
->name
, index
);
750 ip_set_list
[index
] = set
;
755 set
->variant
->destroy(set
);
757 module_put(set
->type
->me
);
765 static const struct nla_policy
766 ip_set_setname_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
767 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
768 [IPSET_ATTR_SETNAME
] = { .type
= NLA_NUL_STRING
,
769 .len
= IPSET_MAXNAMELEN
- 1 },
773 ip_set_destroy_set(ip_set_id_t index
)
775 struct ip_set
*set
= ip_set_list
[index
];
777 pr_debug("set: %s\n", set
->name
);
778 ip_set_list
[index
] = NULL
;
780 /* Must call it without holding any lock */
781 set
->variant
->destroy(set
);
782 module_put(set
->type
->me
);
787 ip_set_destroy(struct sock
*ctnl
, struct sk_buff
*skb
,
788 const struct nlmsghdr
*nlh
,
789 const struct nlattr
* const attr
[])
794 if (unlikely(protocol_failed(attr
)))
795 return -IPSET_ERR_PROTOCOL
;
797 /* Commands are serialized and references are
798 * protected by the ip_set_ref_lock.
799 * External systems (i.e. xt_set) must call
800 * ip_set_put|get_nfnl_* functions, that way we
801 * can safely check references here.
803 * list:set timer can only decrement the reference
804 * counter, so if it's already zero, we can proceed
805 * without holding the lock.
807 read_lock_bh(&ip_set_ref_lock
);
808 if (!attr
[IPSET_ATTR_SETNAME
]) {
809 for (i
= 0; i
< ip_set_max
; i
++) {
810 if (ip_set_list
[i
] != NULL
&& ip_set_list
[i
]->ref
) {
811 ret
= -IPSET_ERR_BUSY
;
815 read_unlock_bh(&ip_set_ref_lock
);
816 for (i
= 0; i
< ip_set_max
; i
++) {
817 if (ip_set_list
[i
] != NULL
)
818 ip_set_destroy_set(i
);
821 i
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME
]));
822 if (i
== IPSET_INVALID_ID
) {
825 } else if (ip_set_list
[i
]->ref
) {
826 ret
= -IPSET_ERR_BUSY
;
829 read_unlock_bh(&ip_set_ref_lock
);
831 ip_set_destroy_set(i
);
835 read_unlock_bh(&ip_set_ref_lock
);
842 ip_set_flush_set(struct ip_set
*set
)
844 pr_debug("set: %s\n", set
->name
);
846 write_lock_bh(&set
->lock
);
847 set
->variant
->flush(set
);
848 write_unlock_bh(&set
->lock
);
852 ip_set_flush(struct sock
*ctnl
, struct sk_buff
*skb
,
853 const struct nlmsghdr
*nlh
,
854 const struct nlattr
* const attr
[])
858 if (unlikely(protocol_failed(attr
)))
859 return -IPSET_ERR_PROTOCOL
;
861 if (!attr
[IPSET_ATTR_SETNAME
]) {
862 for (i
= 0; i
< ip_set_max
; i
++)
863 if (ip_set_list
[i
] != NULL
)
864 ip_set_flush_set(ip_set_list
[i
]);
866 i
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME
]));
867 if (i
== IPSET_INVALID_ID
)
870 ip_set_flush_set(ip_set_list
[i
]);
878 static const struct nla_policy
879 ip_set_setname2_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
880 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
881 [IPSET_ATTR_SETNAME
] = { .type
= NLA_NUL_STRING
,
882 .len
= IPSET_MAXNAMELEN
- 1 },
883 [IPSET_ATTR_SETNAME2
] = { .type
= NLA_NUL_STRING
,
884 .len
= IPSET_MAXNAMELEN
- 1 },
888 ip_set_rename(struct sock
*ctnl
, struct sk_buff
*skb
,
889 const struct nlmsghdr
*nlh
,
890 const struct nlattr
* const attr
[])
897 if (unlikely(protocol_failed(attr
) ||
898 attr
[IPSET_ATTR_SETNAME
] == NULL
||
899 attr
[IPSET_ATTR_SETNAME2
] == NULL
))
900 return -IPSET_ERR_PROTOCOL
;
902 set
= find_set(nla_data(attr
[IPSET_ATTR_SETNAME
]));
906 read_lock_bh(&ip_set_ref_lock
);
908 ret
= -IPSET_ERR_REFERENCED
;
912 name2
= nla_data(attr
[IPSET_ATTR_SETNAME2
]);
913 for (i
= 0; i
< ip_set_max
; i
++) {
914 if (ip_set_list
[i
] != NULL
&&
915 STREQ(ip_set_list
[i
]->name
, name2
)) {
916 ret
= -IPSET_ERR_EXIST_SETNAME2
;
920 strncpy(set
->name
, name2
, IPSET_MAXNAMELEN
);
923 read_unlock_bh(&ip_set_ref_lock
);
927 /* Swap two sets so that name/index points to the other.
928 * References and set names are also swapped.
930 * The commands are serialized by the nfnl mutex and references are
931 * protected by the ip_set_ref_lock. The kernel interfaces
932 * do not hold the mutex but the pointer settings are atomic
933 * so the ip_set_list always contains valid pointers to the sets.
937 ip_set_swap(struct sock
*ctnl
, struct sk_buff
*skb
,
938 const struct nlmsghdr
*nlh
,
939 const struct nlattr
* const attr
[])
941 struct ip_set
*from
, *to
;
942 ip_set_id_t from_id
, to_id
;
943 char from_name
[IPSET_MAXNAMELEN
];
945 if (unlikely(protocol_failed(attr
) ||
946 attr
[IPSET_ATTR_SETNAME
] == NULL
||
947 attr
[IPSET_ATTR_SETNAME2
] == NULL
))
948 return -IPSET_ERR_PROTOCOL
;
950 from_id
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME
]));
951 if (from_id
== IPSET_INVALID_ID
)
954 to_id
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME2
]));
955 if (to_id
== IPSET_INVALID_ID
)
956 return -IPSET_ERR_EXIST_SETNAME2
;
958 from
= ip_set_list
[from_id
];
959 to
= ip_set_list
[to_id
];
961 /* Features must not change.
962 * Not an artificial restriction anymore, as we must prevent
963 * possible loops created by swapping in setlist type of sets. */
964 if (!(from
->type
->features
== to
->type
->features
&&
965 from
->type
->family
== to
->type
->family
))
966 return -IPSET_ERR_TYPE_MISMATCH
;
968 strncpy(from_name
, from
->name
, IPSET_MAXNAMELEN
);
969 strncpy(from
->name
, to
->name
, IPSET_MAXNAMELEN
);
970 strncpy(to
->name
, from_name
, IPSET_MAXNAMELEN
);
972 write_lock_bh(&ip_set_ref_lock
);
973 swap(from
->ref
, to
->ref
);
974 ip_set_list
[from_id
] = to
;
975 ip_set_list
[to_id
] = from
;
976 write_unlock_bh(&ip_set_ref_lock
);
981 /* List/save set data */
988 #define DUMP_TYPE(arg) (((u32)(arg)) & 0x0000FFFF)
989 #define DUMP_FLAGS(arg) (((u32)(arg)) >> 16)
992 ip_set_dump_done(struct netlink_callback
*cb
)
995 pr_debug("release set %s\n", ip_set_list
[cb
->args
[1]]->name
);
996 ip_set_put_byindex((ip_set_id_t
) cb
->args
[1]);
1002 dump_attrs(struct nlmsghdr
*nlh
)
1004 const struct nlattr
*attr
;
1007 pr_debug("dump nlmsg\n");
1008 nlmsg_for_each_attr(attr
, nlh
, sizeof(struct nfgenmsg
), rem
) {
1009 pr_debug("type: %u, len %u\n", nla_type(attr
), attr
->nla_len
);
1014 dump_init(struct netlink_callback
*cb
)
1016 struct nlmsghdr
*nlh
= nlmsg_hdr(cb
->skb
);
1017 int min_len
= NLMSG_SPACE(sizeof(struct nfgenmsg
));
1018 struct nlattr
*cda
[IPSET_ATTR_CMD_MAX
+1];
1019 struct nlattr
*attr
= (void *)nlh
+ min_len
;
1023 /* Second pass, so parser can't fail */
1024 nla_parse(cda
, IPSET_ATTR_CMD_MAX
,
1025 attr
, nlh
->nlmsg_len
- min_len
, ip_set_setname_policy
);
1027 /* cb->args[0] : dump single set/all sets
1029 * [..]: type specific
1032 if (cda
[IPSET_ATTR_SETNAME
]) {
1033 index
= find_set_id(nla_data(cda
[IPSET_ATTR_SETNAME
]));
1034 if (index
== IPSET_INVALID_ID
)
1037 dump_type
= DUMP_ONE
;
1038 cb
->args
[1] = index
;
1040 dump_type
= DUMP_ALL
;
1042 if (cda
[IPSET_ATTR_FLAGS
]) {
1043 u32 f
= ip_set_get_h32(cda
[IPSET_ATTR_FLAGS
]);
1044 dump_type
|= (f
<< 16);
1046 cb
->args
[0] = dump_type
;
1052 ip_set_dump_start(struct sk_buff
*skb
, struct netlink_callback
*cb
)
1054 ip_set_id_t index
= IPSET_INVALID_ID
, max
;
1055 struct ip_set
*set
= NULL
;
1056 struct nlmsghdr
*nlh
= NULL
;
1057 unsigned int flags
= NETLINK_CB(cb
->skb
).portid
? NLM_F_MULTI
: 0;
1058 u32 dump_type
, dump_flags
;
1062 ret
= dump_init(cb
);
1064 nlh
= nlmsg_hdr(cb
->skb
);
1065 /* We have to create and send the error message
1067 if (nlh
->nlmsg_flags
& NLM_F_ACK
)
1068 netlink_ack(cb
->skb
, nlh
, ret
);
1073 if (cb
->args
[1] >= ip_set_max
)
1076 dump_type
= DUMP_TYPE(cb
->args
[0]);
1077 dump_flags
= DUMP_FLAGS(cb
->args
[0]);
1078 max
= dump_type
== DUMP_ONE
? cb
->args
[1] + 1 : ip_set_max
;
1080 pr_debug("args[0]: %u %u args[1]: %ld\n",
1081 dump_type
, dump_flags
, cb
->args
[1]);
1082 for (; cb
->args
[1] < max
; cb
->args
[1]++) {
1083 index
= (ip_set_id_t
) cb
->args
[1];
1084 set
= ip_set_list
[index
];
1086 if (dump_type
== DUMP_ONE
) {
1092 /* When dumping all sets, we must dump "sorted"
1093 * so that lists (unions of sets) are dumped last.
1095 if (dump_type
!= DUMP_ONE
&&
1096 ((dump_type
== DUMP_ALL
) ==
1097 !!(set
->type
->features
& IPSET_DUMP_LAST
)))
1099 pr_debug("List set: %s\n", set
->name
);
1101 /* Start listing: make sure set won't be destroyed */
1102 pr_debug("reference set\n");
1103 __ip_set_get(index
);
1105 nlh
= start_msg(skb
, NETLINK_CB(cb
->skb
).portid
,
1106 cb
->nlh
->nlmsg_seq
, flags
,
1110 goto release_refcount
;
1112 if (nla_put_u8(skb
, IPSET_ATTR_PROTOCOL
, IPSET_PROTOCOL
) ||
1113 nla_put_string(skb
, IPSET_ATTR_SETNAME
, set
->name
))
1114 goto nla_put_failure
;
1115 if (dump_flags
& IPSET_FLAG_LIST_SETNAME
)
1117 switch (cb
->args
[2]) {
1119 /* Core header data */
1120 if (nla_put_string(skb
, IPSET_ATTR_TYPENAME
,
1122 nla_put_u8(skb
, IPSET_ATTR_FAMILY
,
1124 nla_put_u8(skb
, IPSET_ATTR_REVISION
,
1126 goto nla_put_failure
;
1127 ret
= set
->variant
->head(set
, skb
);
1129 goto release_refcount
;
1130 if (dump_flags
& IPSET_FLAG_LIST_HEADER
)
1132 /* Fall through and add elements */
1134 read_lock_bh(&set
->lock
);
1135 ret
= set
->variant
->list(set
, skb
, cb
);
1136 read_unlock_bh(&set
->lock
);
1138 /* Set is done, proceed with next one */
1140 goto release_refcount
;
1143 /* If we dump all sets, continue with dumping last ones */
1144 if (dump_type
== DUMP_ALL
) {
1145 dump_type
= DUMP_LAST
;
1146 cb
->args
[0] = dump_type
| (dump_flags
<< 16);
1155 if (dump_type
== DUMP_ONE
)
1156 cb
->args
[1] = IPSET_INVALID_ID
;
1160 /* If there was an error or set is done, release set */
1161 if (ret
|| !cb
->args
[2]) {
1162 pr_debug("release set %s\n", ip_set_list
[index
]->name
);
1163 ip_set_put_byindex(index
);
1168 nlmsg_end(skb
, nlh
);
1169 pr_debug("nlmsg_len: %u\n", nlh
->nlmsg_len
);
1173 return ret
< 0 ? ret
: skb
->len
;
1177 ip_set_dump(struct sock
*ctnl
, struct sk_buff
*skb
,
1178 const struct nlmsghdr
*nlh
,
1179 const struct nlattr
* const attr
[])
1181 if (unlikely(protocol_failed(attr
)))
1182 return -IPSET_ERR_PROTOCOL
;
1185 struct netlink_dump_control c
= {
1186 .dump
= ip_set_dump_start
,
1187 .done
= ip_set_dump_done
,
1189 return netlink_dump_start(ctnl
, skb
, nlh
, &c
);
1193 /* Add, del and test */
1195 static const struct nla_policy ip_set_adt_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
1196 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
1197 [IPSET_ATTR_SETNAME
] = { .type
= NLA_NUL_STRING
,
1198 .len
= IPSET_MAXNAMELEN
- 1 },
1199 [IPSET_ATTR_LINENO
] = { .type
= NLA_U32
},
1200 [IPSET_ATTR_DATA
] = { .type
= NLA_NESTED
},
1201 [IPSET_ATTR_ADT
] = { .type
= NLA_NESTED
},
1205 call_ad(struct sock
*ctnl
, struct sk_buff
*skb
, struct ip_set
*set
,
1206 struct nlattr
*tb
[], enum ipset_adt adt
,
1207 u32 flags
, bool use_lineno
)
1211 bool eexist
= flags
& IPSET_FLAG_EXIST
, retried
= false;
1214 write_lock_bh(&set
->lock
);
1215 ret
= set
->variant
->uadt(set
, tb
, adt
, &lineno
, flags
, retried
);
1216 write_unlock_bh(&set
->lock
);
1218 } while (ret
== -EAGAIN
&&
1219 set
->variant
->resize
&&
1220 (ret
= set
->variant
->resize(set
, retried
)) == 0);
1222 if (!ret
|| (ret
== -IPSET_ERR_EXIST
&& eexist
))
1224 if (lineno
&& use_lineno
) {
1225 /* Error in restore/batch mode: send back lineno */
1226 struct nlmsghdr
*rep
, *nlh
= nlmsg_hdr(skb
);
1227 struct sk_buff
*skb2
;
1228 struct nlmsgerr
*errmsg
;
1229 size_t payload
= sizeof(*errmsg
) + nlmsg_len(nlh
);
1230 int min_len
= NLMSG_SPACE(sizeof(struct nfgenmsg
));
1231 struct nlattr
*cda
[IPSET_ATTR_CMD_MAX
+1];
1232 struct nlattr
*cmdattr
;
1235 skb2
= nlmsg_new(payload
, GFP_KERNEL
);
1238 rep
= __nlmsg_put(skb2
, NETLINK_CB(skb
).portid
,
1239 nlh
->nlmsg_seq
, NLMSG_ERROR
, payload
, 0);
1240 errmsg
= nlmsg_data(rep
);
1241 errmsg
->error
= ret
;
1242 memcpy(&errmsg
->msg
, nlh
, nlh
->nlmsg_len
);
1243 cmdattr
= (void *)&errmsg
->msg
+ min_len
;
1245 nla_parse(cda
, IPSET_ATTR_CMD_MAX
,
1246 cmdattr
, nlh
->nlmsg_len
- min_len
,
1249 errline
= nla_data(cda
[IPSET_ATTR_LINENO
]);
1253 netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).portid
, MSG_DONTWAIT
);
1254 /* Signal netlink not to send its ACK/errmsg. */
1262 ip_set_uadd(struct sock
*ctnl
, struct sk_buff
*skb
,
1263 const struct nlmsghdr
*nlh
,
1264 const struct nlattr
* const attr
[])
1267 struct nlattr
*tb
[IPSET_ATTR_ADT_MAX
+1] = {};
1268 const struct nlattr
*nla
;
1269 u32 flags
= flag_exist(nlh
);
1273 if (unlikely(protocol_failed(attr
) ||
1274 attr
[IPSET_ATTR_SETNAME
] == NULL
||
1275 !((attr
[IPSET_ATTR_DATA
] != NULL
) ^
1276 (attr
[IPSET_ATTR_ADT
] != NULL
)) ||
1277 (attr
[IPSET_ATTR_DATA
] != NULL
&&
1278 !flag_nested(attr
[IPSET_ATTR_DATA
])) ||
1279 (attr
[IPSET_ATTR_ADT
] != NULL
&&
1280 (!flag_nested(attr
[IPSET_ATTR_ADT
]) ||
1281 attr
[IPSET_ATTR_LINENO
] == NULL
))))
1282 return -IPSET_ERR_PROTOCOL
;
1284 set
= find_set(nla_data(attr
[IPSET_ATTR_SETNAME
]));
1288 use_lineno
= !!attr
[IPSET_ATTR_LINENO
];
1289 if (attr
[IPSET_ATTR_DATA
]) {
1290 if (nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
,
1291 attr
[IPSET_ATTR_DATA
],
1292 set
->type
->adt_policy
))
1293 return -IPSET_ERR_PROTOCOL
;
1294 ret
= call_ad(ctnl
, skb
, set
, tb
, IPSET_ADD
, flags
,
1299 nla_for_each_nested(nla
, attr
[IPSET_ATTR_ADT
], nla_rem
) {
1300 memset(tb
, 0, sizeof(tb
));
1301 if (nla_type(nla
) != IPSET_ATTR_DATA
||
1302 !flag_nested(nla
) ||
1303 nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
, nla
,
1304 set
->type
->adt_policy
))
1305 return -IPSET_ERR_PROTOCOL
;
1306 ret
= call_ad(ctnl
, skb
, set
, tb
, IPSET_ADD
,
1316 ip_set_udel(struct sock
*ctnl
, struct sk_buff
*skb
,
1317 const struct nlmsghdr
*nlh
,
1318 const struct nlattr
* const attr
[])
1321 struct nlattr
*tb
[IPSET_ATTR_ADT_MAX
+1] = {};
1322 const struct nlattr
*nla
;
1323 u32 flags
= flag_exist(nlh
);
1327 if (unlikely(protocol_failed(attr
) ||
1328 attr
[IPSET_ATTR_SETNAME
] == NULL
||
1329 !((attr
[IPSET_ATTR_DATA
] != NULL
) ^
1330 (attr
[IPSET_ATTR_ADT
] != NULL
)) ||
1331 (attr
[IPSET_ATTR_DATA
] != NULL
&&
1332 !flag_nested(attr
[IPSET_ATTR_DATA
])) ||
1333 (attr
[IPSET_ATTR_ADT
] != NULL
&&
1334 (!flag_nested(attr
[IPSET_ATTR_ADT
]) ||
1335 attr
[IPSET_ATTR_LINENO
] == NULL
))))
1336 return -IPSET_ERR_PROTOCOL
;
1338 set
= find_set(nla_data(attr
[IPSET_ATTR_SETNAME
]));
1342 use_lineno
= !!attr
[IPSET_ATTR_LINENO
];
1343 if (attr
[IPSET_ATTR_DATA
]) {
1344 if (nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
,
1345 attr
[IPSET_ATTR_DATA
],
1346 set
->type
->adt_policy
))
1347 return -IPSET_ERR_PROTOCOL
;
1348 ret
= call_ad(ctnl
, skb
, set
, tb
, IPSET_DEL
, flags
,
1353 nla_for_each_nested(nla
, attr
[IPSET_ATTR_ADT
], nla_rem
) {
1354 memset(tb
, 0, sizeof(*tb
));
1355 if (nla_type(nla
) != IPSET_ATTR_DATA
||
1356 !flag_nested(nla
) ||
1357 nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
, nla
,
1358 set
->type
->adt_policy
))
1359 return -IPSET_ERR_PROTOCOL
;
1360 ret
= call_ad(ctnl
, skb
, set
, tb
, IPSET_DEL
,
1370 ip_set_utest(struct sock
*ctnl
, struct sk_buff
*skb
,
1371 const struct nlmsghdr
*nlh
,
1372 const struct nlattr
* const attr
[])
1375 struct nlattr
*tb
[IPSET_ATTR_ADT_MAX
+1] = {};
1378 if (unlikely(protocol_failed(attr
) ||
1379 attr
[IPSET_ATTR_SETNAME
] == NULL
||
1380 attr
[IPSET_ATTR_DATA
] == NULL
||
1381 !flag_nested(attr
[IPSET_ATTR_DATA
])))
1382 return -IPSET_ERR_PROTOCOL
;
1384 set
= find_set(nla_data(attr
[IPSET_ATTR_SETNAME
]));
1388 if (nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
, attr
[IPSET_ATTR_DATA
],
1389 set
->type
->adt_policy
))
1390 return -IPSET_ERR_PROTOCOL
;
1392 read_lock_bh(&set
->lock
);
1393 ret
= set
->variant
->uadt(set
, tb
, IPSET_TEST
, NULL
, 0, 0);
1394 read_unlock_bh(&set
->lock
);
1395 /* Userspace can't trigger element to be re-added */
1399 return ret
< 0 ? ret
: ret
> 0 ? 0 : -IPSET_ERR_EXIST
;
1402 /* Get headed data of a set */
1405 ip_set_header(struct sock
*ctnl
, struct sk_buff
*skb
,
1406 const struct nlmsghdr
*nlh
,
1407 const struct nlattr
* const attr
[])
1409 const struct ip_set
*set
;
1410 struct sk_buff
*skb2
;
1411 struct nlmsghdr
*nlh2
;
1415 if (unlikely(protocol_failed(attr
) ||
1416 attr
[IPSET_ATTR_SETNAME
] == NULL
))
1417 return -IPSET_ERR_PROTOCOL
;
1419 index
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME
]));
1420 if (index
== IPSET_INVALID_ID
)
1422 set
= ip_set_list
[index
];
1424 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
1428 nlh2
= start_msg(skb2
, NETLINK_CB(skb
).portid
, nlh
->nlmsg_seq
, 0,
1432 if (nla_put_u8(skb2
, IPSET_ATTR_PROTOCOL
, IPSET_PROTOCOL
) ||
1433 nla_put_string(skb2
, IPSET_ATTR_SETNAME
, set
->name
) ||
1434 nla_put_string(skb2
, IPSET_ATTR_TYPENAME
, set
->type
->name
) ||
1435 nla_put_u8(skb2
, IPSET_ATTR_FAMILY
, set
->family
) ||
1436 nla_put_u8(skb2
, IPSET_ATTR_REVISION
, set
->revision
))
1437 goto nla_put_failure
;
1438 nlmsg_end(skb2
, nlh2
);
1440 ret
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).portid
, MSG_DONTWAIT
);
1447 nlmsg_cancel(skb2
, nlh2
);
1455 static const struct nla_policy ip_set_type_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
1456 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
1457 [IPSET_ATTR_TYPENAME
] = { .type
= NLA_NUL_STRING
,
1458 .len
= IPSET_MAXNAMELEN
- 1 },
1459 [IPSET_ATTR_FAMILY
] = { .type
= NLA_U8
},
1463 ip_set_type(struct sock
*ctnl
, struct sk_buff
*skb
,
1464 const struct nlmsghdr
*nlh
,
1465 const struct nlattr
* const attr
[])
1467 struct sk_buff
*skb2
;
1468 struct nlmsghdr
*nlh2
;
1469 u8 family
, min
, max
;
1470 const char *typename
;
1473 if (unlikely(protocol_failed(attr
) ||
1474 attr
[IPSET_ATTR_TYPENAME
] == NULL
||
1475 attr
[IPSET_ATTR_FAMILY
] == NULL
))
1476 return -IPSET_ERR_PROTOCOL
;
1478 family
= nla_get_u8(attr
[IPSET_ATTR_FAMILY
]);
1479 typename
= nla_data(attr
[IPSET_ATTR_TYPENAME
]);
1480 ret
= find_set_type_minmax(typename
, family
, &min
, &max
);
1484 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
1488 nlh2
= start_msg(skb2
, NETLINK_CB(skb
).portid
, nlh
->nlmsg_seq
, 0,
1492 if (nla_put_u8(skb2
, IPSET_ATTR_PROTOCOL
, IPSET_PROTOCOL
) ||
1493 nla_put_string(skb2
, IPSET_ATTR_TYPENAME
, typename
) ||
1494 nla_put_u8(skb2
, IPSET_ATTR_FAMILY
, family
) ||
1495 nla_put_u8(skb2
, IPSET_ATTR_REVISION
, max
) ||
1496 nla_put_u8(skb2
, IPSET_ATTR_REVISION_MIN
, min
))
1497 goto nla_put_failure
;
1498 nlmsg_end(skb2
, nlh2
);
1500 pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2
->nlmsg_len
);
1501 ret
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).portid
, MSG_DONTWAIT
);
1508 nlmsg_cancel(skb2
, nlh2
);
1514 /* Get protocol version */
1516 static const struct nla_policy
1517 ip_set_protocol_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
1518 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
1522 ip_set_protocol(struct sock
*ctnl
, struct sk_buff
*skb
,
1523 const struct nlmsghdr
*nlh
,
1524 const struct nlattr
* const attr
[])
1526 struct sk_buff
*skb2
;
1527 struct nlmsghdr
*nlh2
;
1530 if (unlikely(attr
[IPSET_ATTR_PROTOCOL
] == NULL
))
1531 return -IPSET_ERR_PROTOCOL
;
1533 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
1537 nlh2
= start_msg(skb2
, NETLINK_CB(skb
).portid
, nlh
->nlmsg_seq
, 0,
1538 IPSET_CMD_PROTOCOL
);
1541 if (nla_put_u8(skb2
, IPSET_ATTR_PROTOCOL
, IPSET_PROTOCOL
))
1542 goto nla_put_failure
;
1543 nlmsg_end(skb2
, nlh2
);
1545 ret
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).portid
, MSG_DONTWAIT
);
1552 nlmsg_cancel(skb2
, nlh2
);
1558 static const struct nfnl_callback ip_set_netlink_subsys_cb
[IPSET_MSG_MAX
] = {
1559 [IPSET_CMD_NONE
] = {
1560 .call
= ip_set_none
,
1561 .attr_count
= IPSET_ATTR_CMD_MAX
,
1563 [IPSET_CMD_CREATE
] = {
1564 .call
= ip_set_create
,
1565 .attr_count
= IPSET_ATTR_CMD_MAX
,
1566 .policy
= ip_set_create_policy
,
1568 [IPSET_CMD_DESTROY
] = {
1569 .call
= ip_set_destroy
,
1570 .attr_count
= IPSET_ATTR_CMD_MAX
,
1571 .policy
= ip_set_setname_policy
,
1573 [IPSET_CMD_FLUSH
] = {
1574 .call
= ip_set_flush
,
1575 .attr_count
= IPSET_ATTR_CMD_MAX
,
1576 .policy
= ip_set_setname_policy
,
1578 [IPSET_CMD_RENAME
] = {
1579 .call
= ip_set_rename
,
1580 .attr_count
= IPSET_ATTR_CMD_MAX
,
1581 .policy
= ip_set_setname2_policy
,
1583 [IPSET_CMD_SWAP
] = {
1584 .call
= ip_set_swap
,
1585 .attr_count
= IPSET_ATTR_CMD_MAX
,
1586 .policy
= ip_set_setname2_policy
,
1588 [IPSET_CMD_LIST
] = {
1589 .call
= ip_set_dump
,
1590 .attr_count
= IPSET_ATTR_CMD_MAX
,
1591 .policy
= ip_set_setname_policy
,
1593 [IPSET_CMD_SAVE
] = {
1594 .call
= ip_set_dump
,
1595 .attr_count
= IPSET_ATTR_CMD_MAX
,
1596 .policy
= ip_set_setname_policy
,
1599 .call
= ip_set_uadd
,
1600 .attr_count
= IPSET_ATTR_CMD_MAX
,
1601 .policy
= ip_set_adt_policy
,
1604 .call
= ip_set_udel
,
1605 .attr_count
= IPSET_ATTR_CMD_MAX
,
1606 .policy
= ip_set_adt_policy
,
1608 [IPSET_CMD_TEST
] = {
1609 .call
= ip_set_utest
,
1610 .attr_count
= IPSET_ATTR_CMD_MAX
,
1611 .policy
= ip_set_adt_policy
,
1613 [IPSET_CMD_HEADER
] = {
1614 .call
= ip_set_header
,
1615 .attr_count
= IPSET_ATTR_CMD_MAX
,
1616 .policy
= ip_set_setname_policy
,
1618 [IPSET_CMD_TYPE
] = {
1619 .call
= ip_set_type
,
1620 .attr_count
= IPSET_ATTR_CMD_MAX
,
1621 .policy
= ip_set_type_policy
,
1623 [IPSET_CMD_PROTOCOL
] = {
1624 .call
= ip_set_protocol
,
1625 .attr_count
= IPSET_ATTR_CMD_MAX
,
1626 .policy
= ip_set_protocol_policy
,
1630 static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly
= {
1632 .subsys_id
= NFNL_SUBSYS_IPSET
,
1633 .cb_count
= IPSET_MSG_MAX
,
1634 .cb
= ip_set_netlink_subsys_cb
,
1637 /* Interface to iptables/ip6tables */
1640 ip_set_sockfn_get(struct sock
*sk
, int optval
, void __user
*user
, int *len
)
1644 int copylen
= *len
, ret
= 0;
1646 if (!ns_capable(sock_net(sk
)->user_ns
, CAP_NET_ADMIN
))
1648 if (optval
!= SO_IP_SET
)
1650 if (*len
< sizeof(unsigned int))
1653 data
= vmalloc(*len
);
1656 if (copy_from_user(data
, user
, *len
) != 0) {
1660 op
= (unsigned int *) data
;
1662 if (*op
< IP_SET_OP_VERSION
) {
1663 /* Check the version at the beginning of operations */
1664 struct ip_set_req_version
*req_version
= data
;
1665 if (req_version
->version
!= IPSET_PROTOCOL
) {
1672 case IP_SET_OP_VERSION
: {
1673 struct ip_set_req_version
*req_version
= data
;
1675 if (*len
!= sizeof(struct ip_set_req_version
)) {
1680 req_version
->version
= IPSET_PROTOCOL
;
1681 ret
= copy_to_user(user
, req_version
,
1682 sizeof(struct ip_set_req_version
));
1685 case IP_SET_OP_GET_BYNAME
: {
1686 struct ip_set_req_get_set
*req_get
= data
;
1688 if (*len
!= sizeof(struct ip_set_req_get_set
)) {
1692 req_get
->set
.name
[IPSET_MAXNAMELEN
- 1] = '\0';
1694 req_get
->set
.index
= find_set_id(req_get
->set
.name
);
1698 case IP_SET_OP_GET_BYINDEX
: {
1699 struct ip_set_req_get_set
*req_get
= data
;
1701 if (*len
!= sizeof(struct ip_set_req_get_set
) ||
1702 req_get
->set
.index
>= ip_set_max
) {
1707 strncpy(req_get
->set
.name
,
1708 ip_set_list
[req_get
->set
.index
]
1709 ? ip_set_list
[req_get
->set
.index
]->name
: "",
1717 } /* end of switch(op) */
1720 ret
= copy_to_user(user
, data
, copylen
);
1729 static struct nf_sockopt_ops so_set __read_mostly
= {
1731 .get_optmin
= SO_IP_SET
,
1732 .get_optmax
= SO_IP_SET
+ 1,
1733 .get
= &ip_set_sockfn_get
,
1734 .owner
= THIS_MODULE
,
1743 ip_set_max
= max_sets
;
1744 if (ip_set_max
>= IPSET_INVALID_ID
)
1745 ip_set_max
= IPSET_INVALID_ID
- 1;
1747 ip_set_list
= kzalloc(sizeof(struct ip_set
*) * ip_set_max
,
1752 ret
= nfnetlink_subsys_register(&ip_set_netlink_subsys
);
1754 pr_err("ip_set: cannot register with nfnetlink.\n");
1758 ret
= nf_register_sockopt(&so_set
);
1760 pr_err("SO_SET registry failed: %d\n", ret
);
1761 nfnetlink_subsys_unregister(&ip_set_netlink_subsys
);
1766 pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL
);
1773 /* There can't be any existing set */
1774 nf_unregister_sockopt(&so_set
);
1775 nfnetlink_subsys_unregister(&ip_set_netlink_subsys
);
1777 pr_debug("these are the famous last words\n");
1780 module_init(ip_set_init
);
1781 module_exit(ip_set_fini
);