release/src/router/dnsmasq/src/ipset.c

   1 /* ipset.c is Copyright (c) 2013 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
   2
   3    This program is free software; you can redistribute it and/or modify
   4    it under the terms of the GNU General Public License as published by
   5    the Free Software Foundation; version 2 dated June, 1991, or
   6    (at your option) version 3 dated 29 June, 2007.
   7
   8    This program is distributed in the hope that it will be useful,
   9    but WITHOUT ANY WARRANTY; without even the implied warranty of
  10    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11    GNU General Public License for more details.
  12
  13    You should have received a copy of the GNU General Public License
  14    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  15 */
  16
  17 #include "dnsmasq.h"
  18
  19 #ifdef HAVE_IPSET
  20
  21 #include <string.h>
  22 #include <errno.h>
  23 #include <sys/types.h>
  24 #include <sys/socket.h>
  25 #include <sys/utsname.h>
  26 #include <arpa/inet.h>
  27 #include <linux/version.h>
  28 #include <linux/netlink.h>
  29 #include <linux/netfilter/nfnetlink.h>
  30 #ifndef NFNL_SUBSYS_IPSET
  31 #define NFNL_SUBSYS_IPSET 6
  32 #define IPSET_ATTR_DATA 7
  33 #define IPSET_ATTR_IP 1
  34 #define IPSET_ATTR_IPADDR_IPV4 1
  35 #define IPSET_ATTR_IPADDR_IPV6 2
  36 #define IPSET_ATTR_PROTOCOL 1
  37 #define IPSET_ATTR_SETNAME 2
  38 #define IPSET_CMD_ADD 9
  39 #define IPSET_CMD_DEL 10
  40 #define IPSET_MAXNAMELEN 32
  41 #define IPSET_PROTOCOL 6
  42 #else
  43 #include <linux/netfilter/ipset/ip_set.h>
  44 #endif
  45
  46 /* data structure size in here is fixed */
  47 #define BUFF_SZ 256
  48
  49 #define NL_ALIGN(len) (((len)+3) & ~(3))
  50 static const struct sockaddr_nl snl = { .nl_family = AF_NETLINK };
  51 static int ipset_sock, old_kernel;
  52 static char *buffer;
  53
  54 static inline void add_attr(struct nlmsghdr *nlh, uint16_t type, size_t len, const void *data)
  55 {
  56   struct nlattr *attr = (void *)nlh + NL_ALIGN(nlh->nlmsg_len);
  57   uint16_t payload_len = NL_ALIGN(sizeof(struct nlattr)) + len;
  58   attr->nla_type = type;
  59   attr->nla_len = payload_len;
  60   memcpy((void *)attr + NL_ALIGN(sizeof(struct nlattr)), data, len);
  61   nlh->nlmsg_len += NL_ALIGN(payload_len);
  62 }
  63
  64 void ipset_init(void)
  65 {
  66   struct utsname utsname;
  67   int version;
  68   char *split;
  69
  70   if (uname(&utsname) < 0)
  71     die(_("failed to find kernel version: %s"), NULL, EC_MISC);
  72
  73   split = strtok(utsname.release, ".");
  74   version = (split ? atoi(split) : 0);
  75   split = strtok(NULL, ".");
  76   version = version * 256 + (split ? atoi(split) : 0);
  77   split = strtok(NULL, ".");
  78   version = version * 256 + (split ? atoi(split) : 0);
  79   old_kernel = (version < KERNEL_VERSION(2,6,32));
  80
  81   if (old_kernel && (ipset_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) != -1)
  82     return;
  83
  84   if (!old_kernel &&
  85       (buffer = safe_malloc(BUFF_SZ)) &&
  86       (ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)) != -1 &&
  87       (bind(ipset_sock, (struct sockaddr *)&snl, sizeof(snl)) != -1))
  88     return;
  89
  90   die (_("failed to create IPset control socket: %s"), NULL, EC_MISC);
  91 }
  92
  93 static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int af, int remove)
  94 {
  95   struct nlmsghdr *nlh;
  96   struct nfgenmsg *nfg;
  97   struct nlattr *nested[2];
  98   uint8_t proto;
  99   int addrsz = INADDRSZ;
 100   ssize_t rc;
 101
 102 #ifdef HAVE_IPV6
 103   if (af == AF_INET6)
 104     addrsz = IN6ADDRSZ;
 105 #endif
 106
 107   if (strlen(setname) >= IPSET_MAXNAMELEN)
 108     {
 109       errno = ENAMETOOLONG;
 110       return -1;
 111     }
 112
 113   memset(buffer, 0, BUFF_SZ);
 114
 115   nlh = (struct nlmsghdr *)buffer;
 116   nlh->nlmsg_len = NL_ALIGN(sizeof(struct nlmsghdr));
 117   nlh->nlmsg_type = (remove ? IPSET_CMD_DEL : IPSET_CMD_ADD) | (NFNL_SUBSYS_IPSET << 8);
 118   nlh->nlmsg_flags = NLM_F_REQUEST;
 119
 120   nfg = (struct nfgenmsg *)(buffer + nlh->nlmsg_len);
 121   nlh->nlmsg_len += NL_ALIGN(sizeof(struct nfgenmsg));
 122   nfg->nfgen_family = af;
 123   nfg->version = NFNETLINK_V0;
 124   nfg->res_id = htons(0);
 125
 126   proto = IPSET_PROTOCOL;
 127   add_attr(nlh, IPSET_ATTR_PROTOCOL, sizeof(proto), &proto);
 128   add_attr(nlh, IPSET_ATTR_SETNAME, strlen(setname) + 1, setname);
 129   nested[0] = (struct nlattr *)(buffer + NL_ALIGN(nlh->nlmsg_len));
 130   nlh->nlmsg_len += NL_ALIGN(sizeof(struct nlattr));
 131   nested[0]->nla_type = NLA_F_NESTED | IPSET_ATTR_DATA;
 132   nested[1] = (struct nlattr *)(buffer + NL_ALIGN(nlh->nlmsg_len));
 133   nlh->nlmsg_len += NL_ALIGN(sizeof(struct nlattr));
 134   nested[1]->nla_type = NLA_F_NESTED | IPSET_ATTR_IP;
 135   add_attr(nlh,
 136            (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6) | NLA_F_NET_BYTEORDER,
 137            addrsz, &ipaddr->addr);
 138   nested[1]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[1];
 139   nested[0]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[0];
 140
 141   while ((rc = sendto(ipset_sock, buffer, nlh->nlmsg_len, 0,
 142                       (struct sockaddr *)&snl, sizeof(snl))) == -1 && retry_send());
 143   return rc;
 144 }
 145
 146
 147 static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int remove)
 148 {
 149   socklen_t size;
 150   struct ip_set_req_adt_get {
 151     unsigned op;
 152     unsigned version;
 153     union {
 154       char name[IPSET_MAXNAMELEN];
 155       uint16_t index;
 156     } set;
 157     char typename[IPSET_MAXNAMELEN];
 158   } req_adt_get;
 159   struct ip_set_req_adt {
 160     unsigned op;
 161     uint16_t index;
 162     uint32_t ip;
 163   } req_adt;
 164
 165   if (strlen(setname) >= sizeof(req_adt_get.set.name))
 166     {
 167       errno = ENAMETOOLONG;
 168       return -1;
 169     }
 170
 171   req_adt_get.op = 0x10;
 172   req_adt_get.version = 3;
 173   strcpy(req_adt_get.set.name, setname);
 174   size = sizeof(req_adt_get);
 175   if (getsockopt(ipset_sock, SOL_IP, 83, &req_adt_get, &size) < 0)
 176     return -1;
 177   req_adt.op = remove ? 0x102 : 0x101;
 178   req_adt.index = req_adt_get.set.index;
 179   req_adt.ip = ntohl(ipaddr->addr.addr4.s_addr);
 180   if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0)
 181     return -1;
 182
 183   return 0;
 184 }
 185
 186
 187
 188 int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags, int remove)
 189 {
 190   int af = AF_INET;
 191
 192 #ifdef HAVE_IPV6
 193   if (flags & F_IPV6)
 194     {
 195       af = AF_INET6;
 196       /* old method only supports IPv4 */
 197       if (old_kernel)
 198         return -1;
 199     }
 200 #endif
 201
 202   return old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
 203 }
 204
 205 #endif