1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Martin Josefsson <gandalf@wlug.westbo.se>
4 * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 /* Kernel module which implements the set match and SET target
12 * for netfilter/iptables. */
14 #include <linux/module.h>
15 #include <linux/skbuff.h>
17 #include <linux/netfilter/x_tables.h>
18 #include <linux/netfilter/ipset/ip_set.h>
19 #include <linux/netfilter/ipset/ip_set_timeout.h>
20 #include <uapi/linux/netfilter/xt_set.h>
22 MODULE_LICENSE("GPL");
23 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
24 MODULE_DESCRIPTION("Xtables: IP set match and target module");
25 MODULE_ALIAS("xt_SET");
26 MODULE_ALIAS("ipt_set");
27 MODULE_ALIAS("ip6t_set");
28 MODULE_ALIAS("ipt_SET");
29 MODULE_ALIAS("ip6t_SET");
32 match_set(ip_set_id_t index
, const struct sk_buff
*skb
,
33 const struct xt_action_param
*par
,
34 struct ip_set_adt_opt
*opt
, int inv
)
36 if (ip_set_test(index
, skb
, par
, opt
))
41 #define ADT_OPT(n, f, d, fs, cfs, t) \
42 struct ip_set_adt_opt n = { \
50 /* Revision 0 interface: backward compatible with netfilter/iptables */
53 set_match_v0(const struct sk_buff
*skb
, struct xt_action_param
*par
)
55 const struct xt_set_info_match_v0
*info
= par
->matchinfo
;
56 ADT_OPT(opt
, par
->family
, info
->match_set
.u
.compat
.dim
,
57 info
->match_set
.u
.compat
.flags
, 0, UINT_MAX
);
59 return match_set(info
->match_set
.index
, skb
, par
, &opt
,
60 info
->match_set
.u
.compat
.flags
& IPSET_INV_MATCH
);
64 compat_flags(struct xt_set_info_v0
*info
)
68 /* Fill out compatibility data according to enum ip_set_kopt */
69 info
->u
.compat
.dim
= IPSET_DIM_ZERO
;
70 if (info
->u
.flags
[0] & IPSET_MATCH_INV
)
71 info
->u
.compat
.flags
|= IPSET_INV_MATCH
;
72 for (i
= 0; i
< IPSET_DIM_MAX
-1 && info
->u
.flags
[i
]; i
++) {
74 if (info
->u
.flags
[i
] & IPSET_SRC
)
75 info
->u
.compat
.flags
|= (1<<info
->u
.compat
.dim
);
80 set_match_v0_checkentry(const struct xt_mtchk_param
*par
)
82 struct xt_set_info_match_v0
*info
= par
->matchinfo
;
85 index
= ip_set_nfnl_get_byindex(par
->net
, info
->match_set
.index
);
87 if (index
== IPSET_INVALID_ID
) {
88 pr_warn("Cannot find set identified by id %u to match\n",
89 info
->match_set
.index
);
92 if (info
->match_set
.u
.flags
[IPSET_DIM_MAX
-1] != 0) {
93 pr_warn("Protocol error: set match dimension is over the limit!\n");
94 ip_set_nfnl_put(par
->net
, info
->match_set
.index
);
98 /* Fill out compatibility data */
99 compat_flags(&info
->match_set
);
105 set_match_v0_destroy(const struct xt_mtdtor_param
*par
)
107 struct xt_set_info_match_v0
*info
= par
->matchinfo
;
109 ip_set_nfnl_put(par
->net
, info
->match_set
.index
);
112 /* Revision 1 match */
115 set_match_v1(const struct sk_buff
*skb
, struct xt_action_param
*par
)
117 const struct xt_set_info_match_v1
*info
= par
->matchinfo
;
118 ADT_OPT(opt
, par
->family
, info
->match_set
.dim
,
119 info
->match_set
.flags
, 0, UINT_MAX
);
121 if (opt
.flags
& IPSET_RETURN_NOMATCH
)
122 opt
.cmdflags
|= IPSET_FLAG_RETURN_NOMATCH
;
124 return match_set(info
->match_set
.index
, skb
, par
, &opt
,
125 info
->match_set
.flags
& IPSET_INV_MATCH
);
129 set_match_v1_checkentry(const struct xt_mtchk_param
*par
)
131 struct xt_set_info_match_v1
*info
= par
->matchinfo
;
134 index
= ip_set_nfnl_get_byindex(par
->net
, info
->match_set
.index
);
136 if (index
== IPSET_INVALID_ID
) {
137 pr_warn("Cannot find set identified by id %u to match\n",
138 info
->match_set
.index
);
141 if (info
->match_set
.dim
> IPSET_DIM_MAX
) {
142 pr_warn("Protocol error: set match dimension is over the limit!\n");
143 ip_set_nfnl_put(par
->net
, info
->match_set
.index
);
151 set_match_v1_destroy(const struct xt_mtdtor_param
*par
)
153 struct xt_set_info_match_v1
*info
= par
->matchinfo
;
155 ip_set_nfnl_put(par
->net
, info
->match_set
.index
);
158 /* Revision 3 match */
161 match_counter0(u64 counter
, const struct ip_set_counter_match0
*info
)
164 case IPSET_COUNTER_NONE
:
166 case IPSET_COUNTER_EQ
:
167 return counter
== info
->value
;
168 case IPSET_COUNTER_NE
:
169 return counter
!= info
->value
;
170 case IPSET_COUNTER_LT
:
171 return counter
< info
->value
;
172 case IPSET_COUNTER_GT
:
173 return counter
> info
->value
;
179 set_match_v3(const struct sk_buff
*skb
, struct xt_action_param
*par
)
181 const struct xt_set_info_match_v3
*info
= par
->matchinfo
;
182 ADT_OPT(opt
, par
->family
, info
->match_set
.dim
,
183 info
->match_set
.flags
, info
->flags
, UINT_MAX
);
186 if (info
->packets
.op
!= IPSET_COUNTER_NONE
||
187 info
->bytes
.op
!= IPSET_COUNTER_NONE
)
188 opt
.cmdflags
|= IPSET_FLAG_MATCH_COUNTERS
;
190 ret
= match_set(info
->match_set
.index
, skb
, par
, &opt
,
191 info
->match_set
.flags
& IPSET_INV_MATCH
);
193 if (!(ret
&& opt
.cmdflags
& IPSET_FLAG_MATCH_COUNTERS
))
196 if (!match_counter0(opt
.ext
.packets
, &info
->packets
))
198 return match_counter0(opt
.ext
.bytes
, &info
->bytes
);
201 #define set_match_v3_checkentry set_match_v1_checkentry
202 #define set_match_v3_destroy set_match_v1_destroy
204 /* Revision 4 match */
207 match_counter(u64 counter
, const struct ip_set_counter_match
*info
)
210 case IPSET_COUNTER_NONE
:
212 case IPSET_COUNTER_EQ
:
213 return counter
== info
->value
;
214 case IPSET_COUNTER_NE
:
215 return counter
!= info
->value
;
216 case IPSET_COUNTER_LT
:
217 return counter
< info
->value
;
218 case IPSET_COUNTER_GT
:
219 return counter
> info
->value
;
225 set_match_v4(const struct sk_buff
*skb
, struct xt_action_param
*par
)
227 const struct xt_set_info_match_v4
*info
= par
->matchinfo
;
228 ADT_OPT(opt
, par
->family
, info
->match_set
.dim
,
229 info
->match_set
.flags
, info
->flags
, UINT_MAX
);
232 if (info
->packets
.op
!= IPSET_COUNTER_NONE
||
233 info
->bytes
.op
!= IPSET_COUNTER_NONE
)
234 opt
.cmdflags
|= IPSET_FLAG_MATCH_COUNTERS
;
236 ret
= match_set(info
->match_set
.index
, skb
, par
, &opt
,
237 info
->match_set
.flags
& IPSET_INV_MATCH
);
239 if (!(ret
&& opt
.cmdflags
& IPSET_FLAG_MATCH_COUNTERS
))
242 if (!match_counter(opt
.ext
.packets
, &info
->packets
))
244 return match_counter(opt
.ext
.bytes
, &info
->bytes
);
247 #define set_match_v4_checkentry set_match_v1_checkentry
248 #define set_match_v4_destroy set_match_v1_destroy
250 /* Revision 0 interface: backward compatible with netfilter/iptables */
253 set_target_v0(struct sk_buff
*skb
, const struct xt_action_param
*par
)
255 const struct xt_set_info_target_v0
*info
= par
->targinfo
;
256 ADT_OPT(add_opt
, par
->family
, info
->add_set
.u
.compat
.dim
,
257 info
->add_set
.u
.compat
.flags
, 0, UINT_MAX
);
258 ADT_OPT(del_opt
, par
->family
, info
->del_set
.u
.compat
.dim
,
259 info
->del_set
.u
.compat
.flags
, 0, UINT_MAX
);
261 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
262 ip_set_add(info
->add_set
.index
, skb
, par
, &add_opt
);
263 if (info
->del_set
.index
!= IPSET_INVALID_ID
)
264 ip_set_del(info
->del_set
.index
, skb
, par
, &del_opt
);
270 set_target_v0_checkentry(const struct xt_tgchk_param
*par
)
272 struct xt_set_info_target_v0
*info
= par
->targinfo
;
275 if (info
->add_set
.index
!= IPSET_INVALID_ID
) {
276 index
= ip_set_nfnl_get_byindex(par
->net
, info
->add_set
.index
);
277 if (index
== IPSET_INVALID_ID
) {
278 pr_warn("Cannot find add_set index %u as target\n",
279 info
->add_set
.index
);
284 if (info
->del_set
.index
!= IPSET_INVALID_ID
) {
285 index
= ip_set_nfnl_get_byindex(par
->net
, info
->del_set
.index
);
286 if (index
== IPSET_INVALID_ID
) {
287 pr_warn("Cannot find del_set index %u as target\n",
288 info
->del_set
.index
);
289 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
290 ip_set_nfnl_put(par
->net
, info
->add_set
.index
);
294 if (info
->add_set
.u
.flags
[IPSET_DIM_MAX
-1] != 0 ||
295 info
->del_set
.u
.flags
[IPSET_DIM_MAX
-1] != 0) {
296 pr_warn("Protocol error: SET target dimension is over the limit!\n");
297 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
298 ip_set_nfnl_put(par
->net
, info
->add_set
.index
);
299 if (info
->del_set
.index
!= IPSET_INVALID_ID
)
300 ip_set_nfnl_put(par
->net
, info
->del_set
.index
);
304 /* Fill out compatibility data */
305 compat_flags(&info
->add_set
);
306 compat_flags(&info
->del_set
);
312 set_target_v0_destroy(const struct xt_tgdtor_param
*par
)
314 const struct xt_set_info_target_v0
*info
= par
->targinfo
;
316 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
317 ip_set_nfnl_put(par
->net
, info
->add_set
.index
);
318 if (info
->del_set
.index
!= IPSET_INVALID_ID
)
319 ip_set_nfnl_put(par
->net
, info
->del_set
.index
);
322 /* Revision 1 target */
325 set_target_v1(struct sk_buff
*skb
, const struct xt_action_param
*par
)
327 const struct xt_set_info_target_v1
*info
= par
->targinfo
;
328 ADT_OPT(add_opt
, par
->family
, info
->add_set
.dim
,
329 info
->add_set
.flags
, 0, UINT_MAX
);
330 ADT_OPT(del_opt
, par
->family
, info
->del_set
.dim
,
331 info
->del_set
.flags
, 0, UINT_MAX
);
333 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
334 ip_set_add(info
->add_set
.index
, skb
, par
, &add_opt
);
335 if (info
->del_set
.index
!= IPSET_INVALID_ID
)
336 ip_set_del(info
->del_set
.index
, skb
, par
, &del_opt
);
342 set_target_v1_checkentry(const struct xt_tgchk_param
*par
)
344 const struct xt_set_info_target_v1
*info
= par
->targinfo
;
347 if (info
->add_set
.index
!= IPSET_INVALID_ID
) {
348 index
= ip_set_nfnl_get_byindex(par
->net
, info
->add_set
.index
);
349 if (index
== IPSET_INVALID_ID
) {
350 pr_warn("Cannot find add_set index %u as target\n",
351 info
->add_set
.index
);
356 if (info
->del_set
.index
!= IPSET_INVALID_ID
) {
357 index
= ip_set_nfnl_get_byindex(par
->net
, info
->del_set
.index
);
358 if (index
== IPSET_INVALID_ID
) {
359 pr_warn("Cannot find del_set index %u as target\n",
360 info
->del_set
.index
);
361 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
362 ip_set_nfnl_put(par
->net
, info
->add_set
.index
);
366 if (info
->add_set
.dim
> IPSET_DIM_MAX
||
367 info
->del_set
.dim
> IPSET_DIM_MAX
) {
368 pr_warn("Protocol error: SET target dimension is over the limit!\n");
369 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
370 ip_set_nfnl_put(par
->net
, info
->add_set
.index
);
371 if (info
->del_set
.index
!= IPSET_INVALID_ID
)
372 ip_set_nfnl_put(par
->net
, info
->del_set
.index
);
380 set_target_v1_destroy(const struct xt_tgdtor_param
*par
)
382 const struct xt_set_info_target_v1
*info
= par
->targinfo
;
384 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
385 ip_set_nfnl_put(par
->net
, info
->add_set
.index
);
386 if (info
->del_set
.index
!= IPSET_INVALID_ID
)
387 ip_set_nfnl_put(par
->net
, info
->del_set
.index
);
390 /* Revision 2 target */
393 set_target_v2(struct sk_buff
*skb
, const struct xt_action_param
*par
)
395 const struct xt_set_info_target_v2
*info
= par
->targinfo
;
396 ADT_OPT(add_opt
, par
->family
, info
->add_set
.dim
,
397 info
->add_set
.flags
, info
->flags
, info
->timeout
);
398 ADT_OPT(del_opt
, par
->family
, info
->del_set
.dim
,
399 info
->del_set
.flags
, 0, UINT_MAX
);
401 /* Normalize to fit into jiffies */
402 if (add_opt
.ext
.timeout
!= IPSET_NO_TIMEOUT
&&
403 add_opt
.ext
.timeout
> UINT_MAX
/MSEC_PER_SEC
)
404 add_opt
.ext
.timeout
= UINT_MAX
/MSEC_PER_SEC
;
405 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
406 ip_set_add(info
->add_set
.index
, skb
, par
, &add_opt
);
407 if (info
->del_set
.index
!= IPSET_INVALID_ID
)
408 ip_set_del(info
->del_set
.index
, skb
, par
, &del_opt
);
413 #define set_target_v2_checkentry set_target_v1_checkentry
414 #define set_target_v2_destroy set_target_v1_destroy
416 /* Revision 3 target */
419 set_target_v3(struct sk_buff
*skb
, const struct xt_action_param
*par
)
421 const struct xt_set_info_target_v3
*info
= par
->targinfo
;
422 ADT_OPT(add_opt
, par
->family
, info
->add_set
.dim
,
423 info
->add_set
.flags
, info
->flags
, info
->timeout
);
424 ADT_OPT(del_opt
, par
->family
, info
->del_set
.dim
,
425 info
->del_set
.flags
, 0, UINT_MAX
);
426 ADT_OPT(map_opt
, par
->family
, info
->map_set
.dim
,
427 info
->map_set
.flags
, 0, UINT_MAX
);
431 /* Normalize to fit into jiffies */
432 if (add_opt
.ext
.timeout
!= IPSET_NO_TIMEOUT
&&
433 add_opt
.ext
.timeout
> UINT_MAX
/MSEC_PER_SEC
)
434 add_opt
.ext
.timeout
= UINT_MAX
/MSEC_PER_SEC
;
435 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
436 ip_set_add(info
->add_set
.index
, skb
, par
, &add_opt
);
437 if (info
->del_set
.index
!= IPSET_INVALID_ID
)
438 ip_set_del(info
->del_set
.index
, skb
, par
, &del_opt
);
439 if (info
->map_set
.index
!= IPSET_INVALID_ID
) {
440 map_opt
.cmdflags
|= info
->flags
& (IPSET_FLAG_MAP_SKBMARK
|
441 IPSET_FLAG_MAP_SKBPRIO
|
442 IPSET_FLAG_MAP_SKBQUEUE
);
443 ret
= match_set(info
->map_set
.index
, skb
, par
, &map_opt
,
444 info
->map_set
.flags
& IPSET_INV_MATCH
);
447 if (map_opt
.cmdflags
& IPSET_FLAG_MAP_SKBMARK
)
448 skb
->mark
= (skb
->mark
& ~(map_opt
.ext
.skbmarkmask
))
449 ^ (map_opt
.ext
.skbmark
);
450 if (map_opt
.cmdflags
& IPSET_FLAG_MAP_SKBPRIO
)
451 skb
->priority
= map_opt
.ext
.skbprio
;
452 if ((map_opt
.cmdflags
& IPSET_FLAG_MAP_SKBQUEUE
) &&
454 skb
->dev
->real_num_tx_queues
> map_opt
.ext
.skbqueue
)
455 skb_set_queue_mapping(skb
, map_opt
.ext
.skbqueue
);
462 set_target_v3_checkentry(const struct xt_tgchk_param
*par
)
464 const struct xt_set_info_target_v3
*info
= par
->targinfo
;
467 if (info
->add_set
.index
!= IPSET_INVALID_ID
) {
468 index
= ip_set_nfnl_get_byindex(par
->net
,
469 info
->add_set
.index
);
470 if (index
== IPSET_INVALID_ID
) {
471 pr_warn("Cannot find add_set index %u as target\n",
472 info
->add_set
.index
);
477 if (info
->del_set
.index
!= IPSET_INVALID_ID
) {
478 index
= ip_set_nfnl_get_byindex(par
->net
,
479 info
->del_set
.index
);
480 if (index
== IPSET_INVALID_ID
) {
481 pr_warn("Cannot find del_set index %u as target\n",
482 info
->del_set
.index
);
483 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
484 ip_set_nfnl_put(par
->net
,
485 info
->add_set
.index
);
490 if (info
->map_set
.index
!= IPSET_INVALID_ID
) {
491 if (strncmp(par
->table
, "mangle", 7)) {
492 pr_warn("--map-set only usable from mangle table\n");
495 if (((info
->flags
& IPSET_FLAG_MAP_SKBPRIO
) |
496 (info
->flags
& IPSET_FLAG_MAP_SKBQUEUE
)) &&
497 !(par
->hook_mask
& (1 << NF_INET_FORWARD
|
498 1 << NF_INET_LOCAL_OUT
|
499 1 << NF_INET_POST_ROUTING
))) {
500 pr_warn("mapping of prio or/and queue is allowed only"
501 "from OUTPUT/FORWARD/POSTROUTING chains\n");
504 index
= ip_set_nfnl_get_byindex(par
->net
,
505 info
->map_set
.index
);
506 if (index
== IPSET_INVALID_ID
) {
507 pr_warn("Cannot find map_set index %u as target\n",
508 info
->map_set
.index
);
509 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
510 ip_set_nfnl_put(par
->net
,
511 info
->add_set
.index
);
512 if (info
->del_set
.index
!= IPSET_INVALID_ID
)
513 ip_set_nfnl_put(par
->net
,
514 info
->del_set
.index
);
519 if (info
->add_set
.dim
> IPSET_DIM_MAX
||
520 info
->del_set
.dim
> IPSET_DIM_MAX
||
521 info
->map_set
.dim
> IPSET_DIM_MAX
) {
522 pr_warn("Protocol error: SET target dimension "
523 "is over the limit!\n");
524 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
525 ip_set_nfnl_put(par
->net
, info
->add_set
.index
);
526 if (info
->del_set
.index
!= IPSET_INVALID_ID
)
527 ip_set_nfnl_put(par
->net
, info
->del_set
.index
);
528 if (info
->map_set
.index
!= IPSET_INVALID_ID
)
529 ip_set_nfnl_put(par
->net
, info
->map_set
.index
);
537 set_target_v3_destroy(const struct xt_tgdtor_param
*par
)
539 const struct xt_set_info_target_v3
*info
= par
->targinfo
;
541 if (info
->add_set
.index
!= IPSET_INVALID_ID
)
542 ip_set_nfnl_put(par
->net
, info
->add_set
.index
);
543 if (info
->del_set
.index
!= IPSET_INVALID_ID
)
544 ip_set_nfnl_put(par
->net
, info
->del_set
.index
);
545 if (info
->map_set
.index
!= IPSET_INVALID_ID
)
546 ip_set_nfnl_put(par
->net
, info
->map_set
.index
);
550 static struct xt_match set_matches
[] __read_mostly
= {
553 .family
= NFPROTO_IPV4
,
555 .match
= set_match_v0
,
556 .matchsize
= sizeof(struct xt_set_info_match_v0
),
557 .checkentry
= set_match_v0_checkentry
,
558 .destroy
= set_match_v0_destroy
,
563 .family
= NFPROTO_IPV4
,
565 .match
= set_match_v1
,
566 .matchsize
= sizeof(struct xt_set_info_match_v1
),
567 .checkentry
= set_match_v1_checkentry
,
568 .destroy
= set_match_v1_destroy
,
573 .family
= NFPROTO_IPV6
,
575 .match
= set_match_v1
,
576 .matchsize
= sizeof(struct xt_set_info_match_v1
),
577 .checkentry
= set_match_v1_checkentry
,
578 .destroy
= set_match_v1_destroy
,
581 /* --return-nomatch flag support */
584 .family
= NFPROTO_IPV4
,
586 .match
= set_match_v1
,
587 .matchsize
= sizeof(struct xt_set_info_match_v1
),
588 .checkentry
= set_match_v1_checkentry
,
589 .destroy
= set_match_v1_destroy
,
594 .family
= NFPROTO_IPV6
,
596 .match
= set_match_v1
,
597 .matchsize
= sizeof(struct xt_set_info_match_v1
),
598 .checkentry
= set_match_v1_checkentry
,
599 .destroy
= set_match_v1_destroy
,
602 /* counters support: update, match */
605 .family
= NFPROTO_IPV4
,
607 .match
= set_match_v3
,
608 .matchsize
= sizeof(struct xt_set_info_match_v3
),
609 .checkentry
= set_match_v3_checkentry
,
610 .destroy
= set_match_v3_destroy
,
615 .family
= NFPROTO_IPV6
,
617 .match
= set_match_v3
,
618 .matchsize
= sizeof(struct xt_set_info_match_v3
),
619 .checkentry
= set_match_v3_checkentry
,
620 .destroy
= set_match_v3_destroy
,
623 /* new revision for counters support: update, match */
626 .family
= NFPROTO_IPV4
,
628 .match
= set_match_v4
,
629 .matchsize
= sizeof(struct xt_set_info_match_v4
),
630 .checkentry
= set_match_v4_checkentry
,
631 .destroy
= set_match_v4_destroy
,
636 .family
= NFPROTO_IPV6
,
638 .match
= set_match_v4
,
639 .matchsize
= sizeof(struct xt_set_info_match_v4
),
640 .checkentry
= set_match_v4_checkentry
,
641 .destroy
= set_match_v4_destroy
,
646 static struct xt_target set_targets
[] __read_mostly
= {
650 .family
= NFPROTO_IPV4
,
651 .target
= set_target_v0
,
652 .targetsize
= sizeof(struct xt_set_info_target_v0
),
653 .checkentry
= set_target_v0_checkentry
,
654 .destroy
= set_target_v0_destroy
,
660 .family
= NFPROTO_IPV4
,
661 .target
= set_target_v1
,
662 .targetsize
= sizeof(struct xt_set_info_target_v1
),
663 .checkentry
= set_target_v1_checkentry
,
664 .destroy
= set_target_v1_destroy
,
670 .family
= NFPROTO_IPV6
,
671 .target
= set_target_v1
,
672 .targetsize
= sizeof(struct xt_set_info_target_v1
),
673 .checkentry
= set_target_v1_checkentry
,
674 .destroy
= set_target_v1_destroy
,
677 /* --timeout and --exist flags support */
681 .family
= NFPROTO_IPV4
,
682 .target
= set_target_v2
,
683 .targetsize
= sizeof(struct xt_set_info_target_v2
),
684 .checkentry
= set_target_v2_checkentry
,
685 .destroy
= set_target_v2_destroy
,
691 .family
= NFPROTO_IPV6
,
692 .target
= set_target_v2
,
693 .targetsize
= sizeof(struct xt_set_info_target_v2
),
694 .checkentry
= set_target_v2_checkentry
,
695 .destroy
= set_target_v2_destroy
,
698 /* --map-set support */
702 .family
= NFPROTO_IPV4
,
703 .target
= set_target_v3
,
704 .targetsize
= sizeof(struct xt_set_info_target_v3
),
705 .checkentry
= set_target_v3_checkentry
,
706 .destroy
= set_target_v3_destroy
,
712 .family
= NFPROTO_IPV6
,
713 .target
= set_target_v3
,
714 .targetsize
= sizeof(struct xt_set_info_target_v3
),
715 .checkentry
= set_target_v3_checkentry
,
716 .destroy
= set_target_v3_destroy
,
721 static int __init
xt_set_init(void)
723 int ret
= xt_register_matches(set_matches
, ARRAY_SIZE(set_matches
));
726 ret
= xt_register_targets(set_targets
,
727 ARRAY_SIZE(set_targets
));
729 xt_unregister_matches(set_matches
,
730 ARRAY_SIZE(set_matches
));
735 static void __exit
xt_set_fini(void)
737 xt_unregister_matches(set_matches
, ARRAY_SIZE(set_matches
));
738 xt_unregister_targets(set_targets
, ARRAY_SIZE(set_targets
));
741 module_init(xt_set_init
);
742 module_exit(xt_set_fini
);