1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
10 /* Kernel module for IP set management */
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/moduleparam.h>
16 #include <linux/skbuff.h>
17 #include <linux/spinlock.h>
18 #include <linux/netlink.h>
19 #include <linux/rculist.h>
20 #include <linux/version.h>
21 #include <net/netlink.h>
23 #include <linux/netfilter.h>
24 #include <linux/netfilter/nfnetlink.h>
25 #include <linux/netfilter/ipset/ip_set.h>
27 static LIST_HEAD(ip_set_type_list
); /* all registered set types */
28 static DEFINE_MUTEX(ip_set_type_mutex
); /* protects ip_set_type_list */
30 static struct ip_set
**ip_set_list
; /* all individual sets */
31 static ip_set_id_t ip_set_max
= CONFIG_IP_SET_MAX
; /* max number of sets */
33 #define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
35 static unsigned int max_sets
;
37 module_param(max_sets
, int, 0600);
38 MODULE_PARM_DESC(max_sets
, "maximal number of sets");
39 MODULE_LICENSE("GPL");
40 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
41 MODULE_DESCRIPTION("core IP set support");
42 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET
);
45 * The set types are implemented in modules and registered set types
46 * can be found in ip_set_type_list. Adding/deleting types is
47 * serialized by ip_set_type_mutex.
51 ip_set_type_lock(void)
53 mutex_lock(&ip_set_type_mutex
);
57 ip_set_type_unlock(void)
59 mutex_unlock(&ip_set_type_mutex
);
62 /* Register and deregister settype */
64 static struct ip_set_type
*
65 find_set_type(const char *name
, u8 family
, u8 revision
)
67 struct ip_set_type
*type
;
69 list_for_each_entry_rcu(type
, &ip_set_type_list
, list
)
70 if (STREQ(type
->name
, name
) &&
71 (type
->family
== family
|| type
->family
== AF_UNSPEC
) &&
72 type
->revision
== revision
)
77 /* Unlock, try to load a set type module and lock again */
79 try_to_load_type(const char *name
)
82 pr_debug("try to load ip_set_%s\n", name
);
83 if (request_module("ip_set_%s", name
) < 0) {
84 pr_warning("Can't find ip_set type %s\n", name
);
86 return -IPSET_ERR_FIND_TYPE
;
92 /* Find a set type and reference it */
94 find_set_type_get(const char *name
, u8 family
, u8 revision
,
95 struct ip_set_type
**found
)
98 *found
= find_set_type(name
, family
, revision
);
100 int err
= !try_module_get((*found
)->me
);
102 return err
? -EFAULT
: 0;
106 return try_to_load_type(name
);
109 /* Find a given set type by name and family.
110 * If we succeeded, the supported minimal and maximum revisions are
114 find_set_type_minmax(const char *name
, u8 family
, u8
*min
, u8
*max
)
116 struct ip_set_type
*type
;
121 list_for_each_entry_rcu(type
, &ip_set_type_list
, list
)
122 if (STREQ(type
->name
, name
) &&
123 (type
->family
== family
|| type
->family
== AF_UNSPEC
)) {
125 if (type
->revision
< *min
)
126 *min
= type
->revision
;
127 else if (type
->revision
> *max
)
128 *max
= type
->revision
;
134 return try_to_load_type(name
);
137 #define family_name(f) ((f) == AF_INET ? "inet" : \
138 (f) == AF_INET6 ? "inet6" : "any")
140 /* Register a set type structure. The type is identified by
141 * the unique triple of name, family and revision.
144 ip_set_type_register(struct ip_set_type
*type
)
148 if (type
->protocol
!= IPSET_PROTOCOL
) {
149 pr_warning("ip_set type %s, family %s, revision %u uses "
150 "wrong protocol version %u (want %u)\n",
151 type
->name
, family_name(type
->family
),
152 type
->revision
, type
->protocol
, IPSET_PROTOCOL
);
157 if (find_set_type(type
->name
, type
->family
, type
->revision
)) {
159 pr_warning("ip_set type %s, family %s, revision %u "
160 "already registered!\n", type
->name
,
161 family_name(type
->family
), type
->revision
);
165 list_add_rcu(&type
->list
, &ip_set_type_list
);
166 pr_debug("type %s, family %s, revision %u registered.\n",
167 type
->name
, family_name(type
->family
), type
->revision
);
169 ip_set_type_unlock();
172 EXPORT_SYMBOL_GPL(ip_set_type_register
);
174 /* Unregister a set type. There's a small race with ip_set_create */
176 ip_set_type_unregister(struct ip_set_type
*type
)
179 if (!find_set_type(type
->name
, type
->family
, type
->revision
)) {
180 pr_warning("ip_set type %s, family %s, revision %u "
181 "not registered\n", type
->name
,
182 family_name(type
->family
), type
->revision
);
185 list_del_rcu(&type
->list
);
186 pr_debug("type %s, family %s, revision %u unregistered.\n",
187 type
->name
, family_name(type
->family
), type
->revision
);
189 ip_set_type_unlock();
193 EXPORT_SYMBOL_GPL(ip_set_type_unregister
);
195 /* Utility functions */
197 ip_set_alloc(size_t size
)
199 void *members
= NULL
;
201 if (size
< KMALLOC_MAX_SIZE
)
202 members
= kzalloc(size
, GFP_KERNEL
| __GFP_NOWARN
);
205 pr_debug("%p: allocated with kmalloc\n", members
);
209 members
= vzalloc(size
);
212 pr_debug("%p: allocated with vmalloc\n", members
);
216 EXPORT_SYMBOL_GPL(ip_set_alloc
);
219 ip_set_free(void *members
)
221 pr_debug("%p: free with %s\n", members
,
222 is_vmalloc_addr(members
) ? "vfree" : "kfree");
223 if (is_vmalloc_addr(members
))
228 EXPORT_SYMBOL_GPL(ip_set_free
);
231 flag_nested(const struct nlattr
*nla
)
233 return nla
->nla_type
& NLA_F_NESTED
;
236 static const struct nla_policy ipaddr_policy
[IPSET_ATTR_IPADDR_MAX
+ 1] = {
237 [IPSET_ATTR_IPADDR_IPV4
] = { .type
= NLA_U32
},
238 [IPSET_ATTR_IPADDR_IPV6
] = { .type
= NLA_BINARY
,
239 .len
= sizeof(struct in6_addr
) },
243 ip_set_get_ipaddr4(struct nlattr
*nla
, __be32
*ipaddr
)
245 struct nlattr
*tb
[IPSET_ATTR_IPADDR_MAX
+1];
247 if (unlikely(!flag_nested(nla
)))
248 return -IPSET_ERR_PROTOCOL
;
249 if (nla_parse_nested(tb
, IPSET_ATTR_IPADDR_MAX
, nla
, ipaddr_policy
))
250 return -IPSET_ERR_PROTOCOL
;
251 if (unlikely(!ip_set_attr_netorder(tb
, IPSET_ATTR_IPADDR_IPV4
)))
252 return -IPSET_ERR_PROTOCOL
;
254 *ipaddr
= nla_get_be32(tb
[IPSET_ATTR_IPADDR_IPV4
]);
257 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4
);
260 ip_set_get_ipaddr6(struct nlattr
*nla
, union nf_inet_addr
*ipaddr
)
262 struct nlattr
*tb
[IPSET_ATTR_IPADDR_MAX
+1];
264 if (unlikely(!flag_nested(nla
)))
265 return -IPSET_ERR_PROTOCOL
;
267 if (nla_parse_nested(tb
, IPSET_ATTR_IPADDR_MAX
, nla
, ipaddr_policy
))
268 return -IPSET_ERR_PROTOCOL
;
269 if (unlikely(!ip_set_attr_netorder(tb
, IPSET_ATTR_IPADDR_IPV6
)))
270 return -IPSET_ERR_PROTOCOL
;
272 memcpy(ipaddr
, nla_data(tb
[IPSET_ATTR_IPADDR_IPV6
]),
273 sizeof(struct in6_addr
));
276 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6
);
279 * Creating/destroying/renaming/swapping affect the existence and
280 * the properties of a set. All of these can be executed from userspace
281 * only and serialized by the nfnl mutex indirectly from nfnetlink.
283 * Sets are identified by their index in ip_set_list and the index
284 * is used by the external references (set/SET netfilter modules).
286 * The set behind an index may change by swapping only, from userspace.
290 __ip_set_get(ip_set_id_t index
)
292 atomic_inc(&ip_set_list
[index
]->ref
);
296 __ip_set_put(ip_set_id_t index
)
298 atomic_dec(&ip_set_list
[index
]->ref
);
302 * Add, del and test set entries from kernel.
304 * The set behind the index must exist and must be referenced
305 * so it can't be destroyed (or changed) under our foot.
309 ip_set_test(ip_set_id_t index
, const struct sk_buff
*skb
,
310 u8 family
, u8 dim
, u8 flags
)
312 struct ip_set
*set
= ip_set_list
[index
];
315 BUG_ON(set
== NULL
|| atomic_read(&set
->ref
) == 0);
316 pr_debug("set %s, index %u\n", set
->name
, index
);
318 if (dim
< set
->type
->dimension
||
319 !(family
== set
->family
|| set
->family
== AF_UNSPEC
))
322 read_lock_bh(&set
->lock
);
323 ret
= set
->variant
->kadt(set
, skb
, IPSET_TEST
, family
, dim
, flags
);
324 read_unlock_bh(&set
->lock
);
326 if (ret
== -EAGAIN
) {
327 /* Type requests element to be completed */
328 pr_debug("element must be competed, ADD is triggered\n");
329 write_lock_bh(&set
->lock
);
330 set
->variant
->kadt(set
, skb
, IPSET_ADD
, family
, dim
, flags
);
331 write_unlock_bh(&set
->lock
);
335 /* Convert error codes to nomatch */
336 return (ret
< 0 ? 0 : ret
);
338 EXPORT_SYMBOL_GPL(ip_set_test
);
341 ip_set_add(ip_set_id_t index
, const struct sk_buff
*skb
,
342 u8 family
, u8 dim
, u8 flags
)
344 struct ip_set
*set
= ip_set_list
[index
];
347 BUG_ON(set
== NULL
|| atomic_read(&set
->ref
) == 0);
348 pr_debug("set %s, index %u\n", set
->name
, index
);
350 if (dim
< set
->type
->dimension
||
351 !(family
== set
->family
|| set
->family
== AF_UNSPEC
))
354 write_lock_bh(&set
->lock
);
355 ret
= set
->variant
->kadt(set
, skb
, IPSET_ADD
, family
, dim
, flags
);
356 write_unlock_bh(&set
->lock
);
360 EXPORT_SYMBOL_GPL(ip_set_add
);
363 ip_set_del(ip_set_id_t index
, const struct sk_buff
*skb
,
364 u8 family
, u8 dim
, u8 flags
)
366 struct ip_set
*set
= ip_set_list
[index
];
369 BUG_ON(set
== NULL
|| atomic_read(&set
->ref
) == 0);
370 pr_debug("set %s, index %u\n", set
->name
, index
);
372 if (dim
< set
->type
->dimension
||
373 !(family
== set
->family
|| set
->family
== AF_UNSPEC
))
376 write_lock_bh(&set
->lock
);
377 ret
= set
->variant
->kadt(set
, skb
, IPSET_DEL
, family
, dim
, flags
);
378 write_unlock_bh(&set
->lock
);
382 EXPORT_SYMBOL_GPL(ip_set_del
);
385 * Find set by name, reference it once. The reference makes sure the
386 * thing pointed to, does not go away under our feet.
388 * The nfnl mutex must already be activated.
391 ip_set_get_byname(const char *name
, struct ip_set
**set
)
393 ip_set_id_t i
, index
= IPSET_INVALID_ID
;
396 for (i
= 0; i
< ip_set_max
; i
++) {
398 if (s
!= NULL
&& STREQ(s
->name
, name
)) {
407 EXPORT_SYMBOL_GPL(ip_set_get_byname
);
410 * If the given set pointer points to a valid set, decrement
411 * reference count by 1. The caller shall not assume the index
412 * to be valid, after calling this function.
414 * The nfnl mutex must already be activated.
417 ip_set_put_byindex(ip_set_id_t index
)
419 if (ip_set_list
[index
] != NULL
) {
420 BUG_ON(atomic_read(&ip_set_list
[index
]->ref
) == 0);
424 EXPORT_SYMBOL_GPL(ip_set_put_byindex
);
427 * Get the name of a set behind a set index.
428 * We assume the set is referenced, so it does exist and
429 * can't be destroyed. The set cannot be renamed due to
430 * the referencing either.
432 * The nfnl mutex must already be activated.
435 ip_set_name_byindex(ip_set_id_t index
)
437 const struct ip_set
*set
= ip_set_list
[index
];
440 BUG_ON(atomic_read(&set
->ref
) == 0);
442 /* Referenced, so it's safe */
445 EXPORT_SYMBOL_GPL(ip_set_name_byindex
);
448 * Routines to call by external subsystems, which do not
449 * call nfnl_lock for us.
453 * Find set by name, reference it once. The reference makes sure the
454 * thing pointed to, does not go away under our feet.
456 * The nfnl mutex is used in the function.
459 ip_set_nfnl_get(const char *name
)
465 index
= ip_set_get_byname(name
, &s
);
470 EXPORT_SYMBOL_GPL(ip_set_nfnl_get
);
473 * Find set by index, reference it once. The reference makes sure the
474 * thing pointed to, does not go away under our feet.
476 * The nfnl mutex is used in the function.
479 ip_set_nfnl_get_byindex(ip_set_id_t index
)
481 if (index
> ip_set_max
)
482 return IPSET_INVALID_ID
;
485 if (ip_set_list
[index
])
488 index
= IPSET_INVALID_ID
;
493 EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex
);
496 * If the given set pointer points to a valid set, decrement
497 * reference count by 1. The caller shall not assume the index
498 * to be valid, after calling this function.
500 * The nfnl mutex is used in the function.
503 ip_set_nfnl_put(ip_set_id_t index
)
506 if (ip_set_list
[index
] != NULL
) {
507 BUG_ON(atomic_read(&ip_set_list
[index
]->ref
) == 0);
512 EXPORT_SYMBOL_GPL(ip_set_nfnl_put
);
515 * Communication protocol with userspace over netlink.
517 * We already locked by nfnl_lock.
521 protocol_failed(const struct nlattr
* const tb
[])
523 return !tb
[IPSET_ATTR_PROTOCOL
] ||
524 nla_get_u8(tb
[IPSET_ATTR_PROTOCOL
]) != IPSET_PROTOCOL
;
528 flag_exist(const struct nlmsghdr
*nlh
)
530 return nlh
->nlmsg_flags
& NLM_F_EXCL
? 0 : IPSET_FLAG_EXIST
;
533 static struct nlmsghdr
*
534 start_msg(struct sk_buff
*skb
, u32 pid
, u32 seq
, unsigned int flags
,
537 struct nlmsghdr
*nlh
;
538 struct nfgenmsg
*nfmsg
;
540 nlh
= nlmsg_put(skb
, pid
, seq
, cmd
| (NFNL_SUBSYS_IPSET
<< 8),
541 sizeof(*nfmsg
), flags
);
545 nfmsg
= nlmsg_data(nlh
);
546 nfmsg
->nfgen_family
= AF_INET
;
547 nfmsg
->version
= NFNETLINK_V0
;
555 static const struct nla_policy ip_set_create_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
556 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
557 [IPSET_ATTR_SETNAME
] = { .type
= NLA_NUL_STRING
,
558 .len
= IPSET_MAXNAMELEN
- 1 },
559 [IPSET_ATTR_TYPENAME
] = { .type
= NLA_NUL_STRING
,
560 .len
= IPSET_MAXNAMELEN
- 1},
561 [IPSET_ATTR_REVISION
] = { .type
= NLA_U8
},
562 [IPSET_ATTR_FAMILY
] = { .type
= NLA_U8
},
563 [IPSET_ATTR_DATA
] = { .type
= NLA_NESTED
},
567 find_set_id(const char *name
)
569 ip_set_id_t i
, index
= IPSET_INVALID_ID
;
570 const struct ip_set
*set
;
572 for (i
= 0; index
== IPSET_INVALID_ID
&& i
< ip_set_max
; i
++) {
573 set
= ip_set_list
[i
];
574 if (set
!= NULL
&& STREQ(set
->name
, name
))
580 static inline struct ip_set
*
581 find_set(const char *name
)
583 ip_set_id_t index
= find_set_id(name
);
585 return index
== IPSET_INVALID_ID
? NULL
: ip_set_list
[index
];
589 find_free_id(const char *name
, ip_set_id_t
*index
, struct ip_set
**set
)
593 *index
= IPSET_INVALID_ID
;
594 for (i
= 0; i
< ip_set_max
; i
++) {
595 if (ip_set_list
[i
] == NULL
) {
596 if (*index
== IPSET_INVALID_ID
)
598 } else if (STREQ(name
, ip_set_list
[i
]->name
)) {
600 *set
= ip_set_list
[i
];
604 if (*index
== IPSET_INVALID_ID
)
605 /* No free slot remained */
606 return -IPSET_ERR_MAX_SETS
;
611 ip_set_create(struct sock
*ctnl
, struct sk_buff
*skb
,
612 const struct nlmsghdr
*nlh
,
613 const struct nlattr
* const attr
[])
615 struct ip_set
*set
, *clash
;
616 ip_set_id_t index
= IPSET_INVALID_ID
;
617 struct nlattr
*tb
[IPSET_ATTR_CREATE_MAX
+1] = {};
618 const char *name
, *typename
;
620 u32 flags
= flag_exist(nlh
);
623 if (unlikely(protocol_failed(attr
) ||
624 attr
[IPSET_ATTR_SETNAME
] == NULL
||
625 attr
[IPSET_ATTR_TYPENAME
] == NULL
||
626 attr
[IPSET_ATTR_REVISION
] == NULL
||
627 attr
[IPSET_ATTR_FAMILY
] == NULL
||
628 (attr
[IPSET_ATTR_DATA
] != NULL
&&
629 !flag_nested(attr
[IPSET_ATTR_DATA
]))))
630 return -IPSET_ERR_PROTOCOL
;
632 name
= nla_data(attr
[IPSET_ATTR_SETNAME
]);
633 typename
= nla_data(attr
[IPSET_ATTR_TYPENAME
]);
634 family
= nla_get_u8(attr
[IPSET_ATTR_FAMILY
]);
635 revision
= nla_get_u8(attr
[IPSET_ATTR_REVISION
]);
636 pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
637 name
, typename
, family_name(family
), revision
);
640 * First, and without any locks, allocate and initialize
641 * a normal base set structure.
643 set
= kzalloc(sizeof(struct ip_set
), GFP_KERNEL
);
646 rwlock_init(&set
->lock
);
647 strlcpy(set
->name
, name
, IPSET_MAXNAMELEN
);
648 atomic_set(&set
->ref
, 0);
649 set
->family
= family
;
652 * Next, check that we know the type, and take
653 * a reference on the type, to make sure it stays available
654 * while constructing our new set.
656 * After referencing the type, we try to create the type
657 * specific part of the set without holding any locks.
659 ret
= find_set_type_get(typename
, family
, revision
, &(set
->type
));
664 * Without holding any locks, create private part.
666 if (attr
[IPSET_ATTR_DATA
] &&
667 nla_parse_nested(tb
, IPSET_ATTR_CREATE_MAX
, attr
[IPSET_ATTR_DATA
],
668 set
->type
->create_policy
)) {
669 ret
= -IPSET_ERR_PROTOCOL
;
673 ret
= set
->type
->create(set
, tb
, flags
);
677 /* BTW, ret==0 here. */
680 * Here, we have a valid, constructed set and we are protected
681 * by nfnl_lock. Find the first free index in ip_set_list and
684 if ((ret
= find_free_id(set
->name
, &index
, &clash
)) != 0) {
685 /* If this is the same set and requested, ignore error */
686 if (ret
== -EEXIST
&&
687 (flags
& IPSET_FLAG_EXIST
) &&
688 STREQ(set
->type
->name
, clash
->type
->name
) &&
689 set
->type
->family
== clash
->type
->family
&&
690 set
->type
->revision
== clash
->type
->revision
&&
691 set
->variant
->same_set(set
, clash
))
697 * Finally! Add our shiny new set to the list, and be done.
699 pr_debug("create: '%s' created with index %u!\n", set
->name
, index
);
700 ip_set_list
[index
] = set
;
705 set
->variant
->destroy(set
);
707 module_put(set
->type
->me
);
715 static const struct nla_policy
716 ip_set_setname_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
717 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
718 [IPSET_ATTR_SETNAME
] = { .type
= NLA_NUL_STRING
,
719 .len
= IPSET_MAXNAMELEN
- 1 },
723 ip_set_destroy_set(ip_set_id_t index
)
725 struct ip_set
*set
= ip_set_list
[index
];
727 pr_debug("set: %s\n", set
->name
);
728 ip_set_list
[index
] = NULL
;
730 /* Must call it without holding any lock */
731 set
->variant
->destroy(set
);
732 module_put(set
->type
->me
);
737 ip_set_destroy(struct sock
*ctnl
, struct sk_buff
*skb
,
738 const struct nlmsghdr
*nlh
,
739 const struct nlattr
* const attr
[])
743 if (unlikely(protocol_failed(attr
)))
744 return -IPSET_ERR_PROTOCOL
;
746 /* References are protected by the nfnl mutex */
747 if (!attr
[IPSET_ATTR_SETNAME
]) {
748 for (i
= 0; i
< ip_set_max
; i
++) {
749 if (ip_set_list
[i
] != NULL
&&
750 (atomic_read(&ip_set_list
[i
]->ref
)))
751 return -IPSET_ERR_BUSY
;
753 for (i
= 0; i
< ip_set_max
; i
++) {
754 if (ip_set_list
[i
] != NULL
)
755 ip_set_destroy_set(i
);
758 i
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME
]));
759 if (i
== IPSET_INVALID_ID
)
761 else if (atomic_read(&ip_set_list
[i
]->ref
))
762 return -IPSET_ERR_BUSY
;
764 ip_set_destroy_set(i
);
772 ip_set_flush_set(struct ip_set
*set
)
774 pr_debug("set: %s\n", set
->name
);
776 write_lock_bh(&set
->lock
);
777 set
->variant
->flush(set
);
778 write_unlock_bh(&set
->lock
);
782 ip_set_flush(struct sock
*ctnl
, struct sk_buff
*skb
,
783 const struct nlmsghdr
*nlh
,
784 const struct nlattr
* const attr
[])
788 if (unlikely(protocol_failed(attr
)))
791 if (!attr
[IPSET_ATTR_SETNAME
]) {
792 for (i
= 0; i
< ip_set_max
; i
++)
793 if (ip_set_list
[i
] != NULL
)
794 ip_set_flush_set(ip_set_list
[i
]);
796 i
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME
]));
797 if (i
== IPSET_INVALID_ID
)
800 ip_set_flush_set(ip_set_list
[i
]);
808 static const struct nla_policy
809 ip_set_setname2_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
810 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
811 [IPSET_ATTR_SETNAME
] = { .type
= NLA_NUL_STRING
,
812 .len
= IPSET_MAXNAMELEN
- 1 },
813 [IPSET_ATTR_SETNAME2
] = { .type
= NLA_NUL_STRING
,
814 .len
= IPSET_MAXNAMELEN
- 1 },
818 ip_set_rename(struct sock
*ctnl
, struct sk_buff
*skb
,
819 const struct nlmsghdr
*nlh
,
820 const struct nlattr
* const attr
[])
826 if (unlikely(protocol_failed(attr
) ||
827 attr
[IPSET_ATTR_SETNAME
] == NULL
||
828 attr
[IPSET_ATTR_SETNAME2
] == NULL
))
829 return -IPSET_ERR_PROTOCOL
;
831 set
= find_set(nla_data(attr
[IPSET_ATTR_SETNAME
]));
834 if (atomic_read(&set
->ref
) != 0)
835 return -IPSET_ERR_REFERENCED
;
837 name2
= nla_data(attr
[IPSET_ATTR_SETNAME2
]);
838 for (i
= 0; i
< ip_set_max
; i
++) {
839 if (ip_set_list
[i
] != NULL
&&
840 STREQ(ip_set_list
[i
]->name
, name2
))
841 return -IPSET_ERR_EXIST_SETNAME2
;
843 strncpy(set
->name
, name2
, IPSET_MAXNAMELEN
);
848 /* Swap two sets so that name/index points to the other.
849 * References and set names are also swapped.
851 * We are protected by the nfnl mutex and references are
852 * manipulated only by holding the mutex. The kernel interfaces
853 * do not hold the mutex but the pointer settings are atomic
854 * so the ip_set_list always contains valid pointers to the sets.
858 ip_set_swap(struct sock
*ctnl
, struct sk_buff
*skb
,
859 const struct nlmsghdr
*nlh
,
860 const struct nlattr
* const attr
[])
862 struct ip_set
*from
, *to
;
863 ip_set_id_t from_id
, to_id
;
864 char from_name
[IPSET_MAXNAMELEN
];
867 if (unlikely(protocol_failed(attr
) ||
868 attr
[IPSET_ATTR_SETNAME
] == NULL
||
869 attr
[IPSET_ATTR_SETNAME2
] == NULL
))
870 return -IPSET_ERR_PROTOCOL
;
872 from_id
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME
]));
873 if (from_id
== IPSET_INVALID_ID
)
876 to_id
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME2
]));
877 if (to_id
== IPSET_INVALID_ID
)
878 return -IPSET_ERR_EXIST_SETNAME2
;
880 from
= ip_set_list
[from_id
];
881 to
= ip_set_list
[to_id
];
883 /* Features must not change.
884 * Not an artifical restriction anymore, as we must prevent
885 * possible loops created by swapping in setlist type of sets. */
886 if (!(from
->type
->features
== to
->type
->features
&&
887 from
->type
->family
== to
->type
->family
))
888 return -IPSET_ERR_TYPE_MISMATCH
;
890 /* No magic here: ref munging protected by the nfnl_lock */
891 strncpy(from_name
, from
->name
, IPSET_MAXNAMELEN
);
892 from_ref
= atomic_read(&from
->ref
);
894 strncpy(from
->name
, to
->name
, IPSET_MAXNAMELEN
);
895 atomic_set(&from
->ref
, atomic_read(&to
->ref
));
896 strncpy(to
->name
, from_name
, IPSET_MAXNAMELEN
);
897 atomic_set(&to
->ref
, from_ref
);
899 ip_set_list
[from_id
] = to
;
900 ip_set_list
[to_id
] = from
;
905 /* List/save set data */
913 ip_set_dump_done(struct netlink_callback
*cb
)
916 pr_debug("release set %s\n", ip_set_list
[cb
->args
[1]]->name
);
917 __ip_set_put((ip_set_id_t
) cb
->args
[1]);
923 dump_attrs(struct nlmsghdr
*nlh
)
925 const struct nlattr
*attr
;
928 pr_debug("dump nlmsg\n");
929 nlmsg_for_each_attr(attr
, nlh
, sizeof(struct nfgenmsg
), rem
) {
930 pr_debug("type: %u, len %u\n", nla_type(attr
), attr
->nla_len
);
935 dump_init(struct netlink_callback
*cb
)
937 struct nlmsghdr
*nlh
= nlmsg_hdr(cb
->skb
);
938 int min_len
= NLMSG_SPACE(sizeof(struct nfgenmsg
));
939 struct nlattr
*cda
[IPSET_ATTR_CMD_MAX
+1];
940 struct nlattr
*attr
= (void *)nlh
+ min_len
;
943 /* Second pass, so parser can't fail */
944 nla_parse(cda
, IPSET_ATTR_CMD_MAX
,
945 attr
, nlh
->nlmsg_len
- min_len
, ip_set_setname_policy
);
947 /* cb->args[0] : dump single set/all sets
949 * [..]: type specific
952 if (!cda
[IPSET_ATTR_SETNAME
]) {
953 cb
->args
[0] = DUMP_ALL
;
957 index
= find_set_id(nla_data(cda
[IPSET_ATTR_SETNAME
]));
958 if (index
== IPSET_INVALID_ID
)
961 cb
->args
[0] = DUMP_ONE
;
967 ip_set_dump_start(struct sk_buff
*skb
, struct netlink_callback
*cb
)
969 ip_set_id_t index
= IPSET_INVALID_ID
, max
;
970 struct ip_set
*set
= NULL
;
971 struct nlmsghdr
*nlh
= NULL
;
972 unsigned int flags
= NETLINK_CB(cb
->skb
).pid
? NLM_F_MULTI
: 0;
975 if (cb
->args
[0] == DUMP_INIT
) {
978 nlh
= nlmsg_hdr(cb
->skb
);
979 /* We have to create and send the error message
981 if (nlh
->nlmsg_flags
& NLM_F_ACK
)
982 netlink_ack(cb
->skb
, nlh
, ret
);
987 if (cb
->args
[1] >= ip_set_max
)
990 pr_debug("args[0]: %ld args[1]: %ld\n", cb
->args
[0], cb
->args
[1]);
991 max
= cb
->args
[0] == DUMP_ONE
? cb
->args
[1] + 1 : ip_set_max
;
992 for (; cb
->args
[1] < max
; cb
->args
[1]++) {
993 index
= (ip_set_id_t
) cb
->args
[1];
994 set
= ip_set_list
[index
];
996 if (cb
->args
[0] == DUMP_ONE
) {
1002 /* When dumping all sets, we must dump "sorted"
1003 * so that lists (unions of sets) are dumped last.
1005 if (cb
->args
[0] != DUMP_ONE
&&
1006 !((cb
->args
[0] == DUMP_ALL
) ^
1007 (set
->type
->features
& IPSET_DUMP_LAST
)))
1009 pr_debug("List set: %s\n", set
->name
);
1011 /* Start listing: make sure set won't be destroyed */
1012 pr_debug("reference set\n");
1013 __ip_set_get(index
);
1015 nlh
= start_msg(skb
, NETLINK_CB(cb
->skb
).pid
,
1016 cb
->nlh
->nlmsg_seq
, flags
,
1020 goto release_refcount
;
1022 NLA_PUT_U8(skb
, IPSET_ATTR_PROTOCOL
, IPSET_PROTOCOL
);
1023 NLA_PUT_STRING(skb
, IPSET_ATTR_SETNAME
, set
->name
);
1024 switch (cb
->args
[2]) {
1026 /* Core header data */
1027 NLA_PUT_STRING(skb
, IPSET_ATTR_TYPENAME
,
1029 NLA_PUT_U8(skb
, IPSET_ATTR_FAMILY
,
1031 NLA_PUT_U8(skb
, IPSET_ATTR_REVISION
,
1032 set
->type
->revision
);
1033 ret
= set
->variant
->head(set
, skb
);
1035 goto release_refcount
;
1036 /* Fall through and add elements */
1038 read_lock_bh(&set
->lock
);
1039 ret
= set
->variant
->list(set
, skb
, cb
);
1040 read_unlock_bh(&set
->lock
);
1042 /* Set is done, proceed with next one */
1043 if (cb
->args
[0] == DUMP_ONE
)
1044 cb
->args
[1] = IPSET_INVALID_ID
;
1048 goto release_refcount
;
1056 /* If there was an error or set is done, release set */
1057 if (ret
|| !cb
->args
[2]) {
1058 pr_debug("release set %s\n", ip_set_list
[index
]->name
);
1059 __ip_set_put(index
);
1062 /* If we dump all sets, continue with dumping last ones */
1063 if (cb
->args
[0] == DUMP_ALL
&& cb
->args
[1] >= max
&& !cb
->args
[2])
1064 cb
->args
[0] = DUMP_LAST
;
1068 nlmsg_end(skb
, nlh
);
1069 pr_debug("nlmsg_len: %u\n", nlh
->nlmsg_len
);
1073 return ret
< 0 ? ret
: skb
->len
;
1077 ip_set_dump(struct sock
*ctnl
, struct sk_buff
*skb
,
1078 const struct nlmsghdr
*nlh
,
1079 const struct nlattr
* const attr
[])
1081 if (unlikely(protocol_failed(attr
)))
1082 return -IPSET_ERR_PROTOCOL
;
1084 return netlink_dump_start(ctnl
, skb
, nlh
,
1089 /* Add, del and test */
1091 static const struct nla_policy ip_set_adt_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
1092 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
1093 [IPSET_ATTR_SETNAME
] = { .type
= NLA_NUL_STRING
,
1094 .len
= IPSET_MAXNAMELEN
- 1 },
1095 [IPSET_ATTR_LINENO
] = { .type
= NLA_U32
},
1096 [IPSET_ATTR_DATA
] = { .type
= NLA_NESTED
},
1097 [IPSET_ATTR_ADT
] = { .type
= NLA_NESTED
},
1101 call_ad(struct sk_buff
*skb
, struct ip_set
*set
,
1102 struct nlattr
*tb
[], enum ipset_adt adt
,
1103 u32 flags
, bool use_lineno
)
1105 int ret
, retried
= 0;
1107 bool eexist
= flags
& IPSET_FLAG_EXIST
;
1110 write_lock_bh(&set
->lock
);
1111 ret
= set
->variant
->uadt(set
, tb
, adt
, &lineno
, flags
);
1112 write_unlock_bh(&set
->lock
);
1113 } while (ret
== -EAGAIN
&&
1114 set
->variant
->resize
&&
1115 (ret
= set
->variant
->resize(set
, retried
++)) == 0);
1117 if (!ret
|| (ret
== -IPSET_ERR_EXIST
&& eexist
))
1119 if (lineno
&& use_lineno
) {
1120 /* Error in restore/batch mode: send back lineno */
1121 struct nlmsghdr
*nlh
= nlmsg_hdr(skb
);
1122 int min_len
= NLMSG_SPACE(sizeof(struct nfgenmsg
));
1123 struct nlattr
*cda
[IPSET_ATTR_CMD_MAX
+1];
1124 struct nlattr
*cmdattr
= (void *)nlh
+ min_len
;
1127 nla_parse(cda
, IPSET_ATTR_CMD_MAX
,
1128 cmdattr
, nlh
->nlmsg_len
- min_len
,
1131 errline
= nla_data(cda
[IPSET_ATTR_LINENO
]);
1140 ip_set_uadd(struct sock
*ctnl
, struct sk_buff
*skb
,
1141 const struct nlmsghdr
*nlh
,
1142 const struct nlattr
* const attr
[])
1145 struct nlattr
*tb
[IPSET_ATTR_ADT_MAX
+1] = {};
1146 const struct nlattr
*nla
;
1147 u32 flags
= flag_exist(nlh
);
1151 if (unlikely(protocol_failed(attr
) ||
1152 attr
[IPSET_ATTR_SETNAME
] == NULL
||
1153 !((attr
[IPSET_ATTR_DATA
] != NULL
) ^
1154 (attr
[IPSET_ATTR_ADT
] != NULL
)) ||
1155 (attr
[IPSET_ATTR_DATA
] != NULL
&&
1156 !flag_nested(attr
[IPSET_ATTR_DATA
])) ||
1157 (attr
[IPSET_ATTR_ADT
] != NULL
&&
1158 (!flag_nested(attr
[IPSET_ATTR_ADT
]) ||
1159 attr
[IPSET_ATTR_LINENO
] == NULL
))))
1160 return -IPSET_ERR_PROTOCOL
;
1162 set
= find_set(nla_data(attr
[IPSET_ATTR_SETNAME
]));
1166 use_lineno
= !!attr
[IPSET_ATTR_LINENO
];
1167 if (attr
[IPSET_ATTR_DATA
]) {
1168 if (nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
,
1169 attr
[IPSET_ATTR_DATA
],
1170 set
->type
->adt_policy
))
1171 return -IPSET_ERR_PROTOCOL
;
1172 ret
= call_ad(skb
, set
, tb
, IPSET_ADD
, flags
, use_lineno
);
1176 nla_for_each_nested(nla
, attr
[IPSET_ATTR_ADT
], nla_rem
) {
1177 memset(tb
, 0, sizeof(tb
));
1178 if (nla_type(nla
) != IPSET_ATTR_DATA
||
1179 !flag_nested(nla
) ||
1180 nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
, nla
,
1181 set
->type
->adt_policy
))
1182 return -IPSET_ERR_PROTOCOL
;
1183 ret
= call_ad(skb
, set
, tb
, IPSET_ADD
,
1193 ip_set_udel(struct sock
*ctnl
, struct sk_buff
*skb
,
1194 const struct nlmsghdr
*nlh
,
1195 const struct nlattr
* const attr
[])
1198 struct nlattr
*tb
[IPSET_ATTR_ADT_MAX
+1] = {};
1199 const struct nlattr
*nla
;
1200 u32 flags
= flag_exist(nlh
);
1204 if (unlikely(protocol_failed(attr
) ||
1205 attr
[IPSET_ATTR_SETNAME
] == NULL
||
1206 !((attr
[IPSET_ATTR_DATA
] != NULL
) ^
1207 (attr
[IPSET_ATTR_ADT
] != NULL
)) ||
1208 (attr
[IPSET_ATTR_DATA
] != NULL
&&
1209 !flag_nested(attr
[IPSET_ATTR_DATA
])) ||
1210 (attr
[IPSET_ATTR_ADT
] != NULL
&&
1211 (!flag_nested(attr
[IPSET_ATTR_ADT
]) ||
1212 attr
[IPSET_ATTR_LINENO
] == NULL
))))
1213 return -IPSET_ERR_PROTOCOL
;
1215 set
= find_set(nla_data(attr
[IPSET_ATTR_SETNAME
]));
1219 use_lineno
= !!attr
[IPSET_ATTR_LINENO
];
1220 if (attr
[IPSET_ATTR_DATA
]) {
1221 if (nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
,
1222 attr
[IPSET_ATTR_DATA
],
1223 set
->type
->adt_policy
))
1224 return -IPSET_ERR_PROTOCOL
;
1225 ret
= call_ad(skb
, set
, tb
, IPSET_DEL
, flags
, use_lineno
);
1229 nla_for_each_nested(nla
, attr
[IPSET_ATTR_ADT
], nla_rem
) {
1230 memset(tb
, 0, sizeof(*tb
));
1231 if (nla_type(nla
) != IPSET_ATTR_DATA
||
1232 !flag_nested(nla
) ||
1233 nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
, nla
,
1234 set
->type
->adt_policy
))
1235 return -IPSET_ERR_PROTOCOL
;
1236 ret
= call_ad(skb
, set
, tb
, IPSET_DEL
,
1246 ip_set_utest(struct sock
*ctnl
, struct sk_buff
*skb
,
1247 const struct nlmsghdr
*nlh
,
1248 const struct nlattr
* const attr
[])
1251 struct nlattr
*tb
[IPSET_ATTR_ADT_MAX
+1] = {};
1254 if (unlikely(protocol_failed(attr
) ||
1255 attr
[IPSET_ATTR_SETNAME
] == NULL
||
1256 attr
[IPSET_ATTR_DATA
] == NULL
||
1257 !flag_nested(attr
[IPSET_ATTR_DATA
])))
1258 return -IPSET_ERR_PROTOCOL
;
1260 set
= find_set(nla_data(attr
[IPSET_ATTR_SETNAME
]));
1264 if (nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
, attr
[IPSET_ATTR_DATA
],
1265 set
->type
->adt_policy
))
1266 return -IPSET_ERR_PROTOCOL
;
1268 read_lock_bh(&set
->lock
);
1269 ret
= set
->variant
->uadt(set
, tb
, IPSET_TEST
, NULL
, 0);
1270 read_unlock_bh(&set
->lock
);
1271 /* Userspace can't trigger element to be re-added */
1275 return ret
< 0 ? ret
: ret
> 0 ? 0 : -IPSET_ERR_EXIST
;
1278 /* Get headed data of a set */
1281 ip_set_header(struct sock
*ctnl
, struct sk_buff
*skb
,
1282 const struct nlmsghdr
*nlh
,
1283 const struct nlattr
* const attr
[])
1285 const struct ip_set
*set
;
1286 struct sk_buff
*skb2
;
1287 struct nlmsghdr
*nlh2
;
1291 if (unlikely(protocol_failed(attr
) ||
1292 attr
[IPSET_ATTR_SETNAME
] == NULL
))
1293 return -IPSET_ERR_PROTOCOL
;
1295 index
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME
]));
1296 if (index
== IPSET_INVALID_ID
)
1298 set
= ip_set_list
[index
];
1300 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
1304 nlh2
= start_msg(skb2
, NETLINK_CB(skb
).pid
, nlh
->nlmsg_seq
, 0,
1308 NLA_PUT_U8(skb2
, IPSET_ATTR_PROTOCOL
, IPSET_PROTOCOL
);
1309 NLA_PUT_STRING(skb2
, IPSET_ATTR_SETNAME
, set
->name
);
1310 NLA_PUT_STRING(skb2
, IPSET_ATTR_TYPENAME
, set
->type
->name
);
1311 NLA_PUT_U8(skb2
, IPSET_ATTR_FAMILY
, set
->family
);
1312 NLA_PUT_U8(skb2
, IPSET_ATTR_REVISION
, set
->type
->revision
);
1313 nlmsg_end(skb2
, nlh2
);
1315 ret
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).pid
, MSG_DONTWAIT
);
1322 nlmsg_cancel(skb2
, nlh2
);
1330 static const struct nla_policy ip_set_type_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
1331 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
1332 [IPSET_ATTR_TYPENAME
] = { .type
= NLA_NUL_STRING
,
1333 .len
= IPSET_MAXNAMELEN
- 1 },
1334 [IPSET_ATTR_FAMILY
] = { .type
= NLA_U8
},
1338 ip_set_type(struct sock
*ctnl
, struct sk_buff
*skb
,
1339 const struct nlmsghdr
*nlh
,
1340 const struct nlattr
* const attr
[])
1342 struct sk_buff
*skb2
;
1343 struct nlmsghdr
*nlh2
;
1344 u8 family
, min
, max
;
1345 const char *typename
;
1348 if (unlikely(protocol_failed(attr
) ||
1349 attr
[IPSET_ATTR_TYPENAME
] == NULL
||
1350 attr
[IPSET_ATTR_FAMILY
] == NULL
))
1351 return -IPSET_ERR_PROTOCOL
;
1353 family
= nla_get_u8(attr
[IPSET_ATTR_FAMILY
]);
1354 typename
= nla_data(attr
[IPSET_ATTR_TYPENAME
]);
1355 ret
= find_set_type_minmax(typename
, family
, &min
, &max
);
1359 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
1363 nlh2
= start_msg(skb2
, NETLINK_CB(skb
).pid
, nlh
->nlmsg_seq
, 0,
1367 NLA_PUT_U8(skb2
, IPSET_ATTR_PROTOCOL
, IPSET_PROTOCOL
);
1368 NLA_PUT_STRING(skb2
, IPSET_ATTR_TYPENAME
, typename
);
1369 NLA_PUT_U8(skb2
, IPSET_ATTR_FAMILY
, family
);
1370 NLA_PUT_U8(skb2
, IPSET_ATTR_REVISION
, max
);
1371 NLA_PUT_U8(skb2
, IPSET_ATTR_REVISION_MIN
, min
);
1372 nlmsg_end(skb2
, nlh2
);
1374 pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2
->nlmsg_len
);
1375 ret
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).pid
, MSG_DONTWAIT
);
1382 nlmsg_cancel(skb2
, nlh2
);
1388 /* Get protocol version */
1390 static const struct nla_policy
1391 ip_set_protocol_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
1392 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
1396 ip_set_protocol(struct sock
*ctnl
, struct sk_buff
*skb
,
1397 const struct nlmsghdr
*nlh
,
1398 const struct nlattr
* const attr
[])
1400 struct sk_buff
*skb2
;
1401 struct nlmsghdr
*nlh2
;
1404 if (unlikely(attr
[IPSET_ATTR_PROTOCOL
] == NULL
))
1405 return -IPSET_ERR_PROTOCOL
;
1407 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
1411 nlh2
= start_msg(skb2
, NETLINK_CB(skb
).pid
, nlh
->nlmsg_seq
, 0,
1412 IPSET_CMD_PROTOCOL
);
1415 NLA_PUT_U8(skb2
, IPSET_ATTR_PROTOCOL
, IPSET_PROTOCOL
);
1416 nlmsg_end(skb2
, nlh2
);
1418 ret
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).pid
, MSG_DONTWAIT
);
1425 nlmsg_cancel(skb2
, nlh2
);
1431 static const struct nfnl_callback ip_set_netlink_subsys_cb
[IPSET_MSG_MAX
] = {
1432 [IPSET_CMD_CREATE
] = {
1433 .call
= ip_set_create
,
1434 .attr_count
= IPSET_ATTR_CMD_MAX
,
1435 .policy
= ip_set_create_policy
,
1437 [IPSET_CMD_DESTROY
] = {
1438 .call
= ip_set_destroy
,
1439 .attr_count
= IPSET_ATTR_CMD_MAX
,
1440 .policy
= ip_set_setname_policy
,
1442 [IPSET_CMD_FLUSH
] = {
1443 .call
= ip_set_flush
,
1444 .attr_count
= IPSET_ATTR_CMD_MAX
,
1445 .policy
= ip_set_setname_policy
,
1447 [IPSET_CMD_RENAME
] = {
1448 .call
= ip_set_rename
,
1449 .attr_count
= IPSET_ATTR_CMD_MAX
,
1450 .policy
= ip_set_setname2_policy
,
1452 [IPSET_CMD_SWAP
] = {
1453 .call
= ip_set_swap
,
1454 .attr_count
= IPSET_ATTR_CMD_MAX
,
1455 .policy
= ip_set_setname2_policy
,
1457 [IPSET_CMD_LIST
] = {
1458 .call
= ip_set_dump
,
1459 .attr_count
= IPSET_ATTR_CMD_MAX
,
1460 .policy
= ip_set_setname_policy
,
1462 [IPSET_CMD_SAVE
] = {
1463 .call
= ip_set_dump
,
1464 .attr_count
= IPSET_ATTR_CMD_MAX
,
1465 .policy
= ip_set_setname_policy
,
1468 .call
= ip_set_uadd
,
1469 .attr_count
= IPSET_ATTR_CMD_MAX
,
1470 .policy
= ip_set_adt_policy
,
1473 .call
= ip_set_udel
,
1474 .attr_count
= IPSET_ATTR_CMD_MAX
,
1475 .policy
= ip_set_adt_policy
,
1477 [IPSET_CMD_TEST
] = {
1478 .call
= ip_set_utest
,
1479 .attr_count
= IPSET_ATTR_CMD_MAX
,
1480 .policy
= ip_set_adt_policy
,
1482 [IPSET_CMD_HEADER
] = {
1483 .call
= ip_set_header
,
1484 .attr_count
= IPSET_ATTR_CMD_MAX
,
1485 .policy
= ip_set_setname_policy
,
1487 [IPSET_CMD_TYPE
] = {
1488 .call
= ip_set_type
,
1489 .attr_count
= IPSET_ATTR_CMD_MAX
,
1490 .policy
= ip_set_type_policy
,
1492 [IPSET_CMD_PROTOCOL
] = {
1493 .call
= ip_set_protocol
,
1494 .attr_count
= IPSET_ATTR_CMD_MAX
,
1495 .policy
= ip_set_protocol_policy
,
1499 static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly
= {
1501 .subsys_id
= NFNL_SUBSYS_IPSET
,
1502 .cb_count
= IPSET_MSG_MAX
,
1503 .cb
= ip_set_netlink_subsys_cb
,
1506 /* Interface to iptables/ip6tables */
1509 ip_set_sockfn_get(struct sock
*sk
, int optval
, void __user
*user
, int *len
)
1513 int copylen
= *len
, ret
= 0;
1515 if (!capable(CAP_NET_ADMIN
))
1517 if (optval
!= SO_IP_SET
)
1519 if (*len
< sizeof(unsigned))
1522 data
= vmalloc(*len
);
1525 if (copy_from_user(data
, user
, *len
) != 0) {
1529 op
= (unsigned *) data
;
1531 if (*op
< IP_SET_OP_VERSION
) {
1532 /* Check the version at the beginning of operations */
1533 struct ip_set_req_version
*req_version
= data
;
1534 if (req_version
->version
!= IPSET_PROTOCOL
) {
1541 case IP_SET_OP_VERSION
: {
1542 struct ip_set_req_version
*req_version
= data
;
1544 if (*len
!= sizeof(struct ip_set_req_version
)) {
1549 req_version
->version
= IPSET_PROTOCOL
;
1550 ret
= copy_to_user(user
, req_version
,
1551 sizeof(struct ip_set_req_version
));
1554 case IP_SET_OP_GET_BYNAME
: {
1555 struct ip_set_req_get_set
*req_get
= data
;
1557 if (*len
!= sizeof(struct ip_set_req_get_set
)) {
1561 req_get
->set
.name
[IPSET_MAXNAMELEN
- 1] = '\0';
1563 req_get
->set
.index
= find_set_id(req_get
->set
.name
);
1567 case IP_SET_OP_GET_BYINDEX
: {
1568 struct ip_set_req_get_set
*req_get
= data
;
1570 if (*len
!= sizeof(struct ip_set_req_get_set
) ||
1571 req_get
->set
.index
>= ip_set_max
) {
1576 strncpy(req_get
->set
.name
,
1577 ip_set_list
[req_get
->set
.index
]
1578 ? ip_set_list
[req_get
->set
.index
]->name
: "",
1586 } /* end of switch(op) */
1589 ret
= copy_to_user(user
, data
, copylen
);
1598 static struct nf_sockopt_ops so_set __read_mostly
= {
1600 .get_optmin
= SO_IP_SET
,
1601 .get_optmax
= SO_IP_SET
+ 1,
1602 .get
= &ip_set_sockfn_get
,
1603 .owner
= THIS_MODULE
,
1612 ip_set_max
= max_sets
;
1613 if (ip_set_max
>= IPSET_INVALID_ID
)
1614 ip_set_max
= IPSET_INVALID_ID
- 1;
1616 ip_set_list
= kzalloc(sizeof(struct ip_set
*) * ip_set_max
,
1619 pr_err("ip_set: Unable to create ip_set_list\n");
1623 ret
= nfnetlink_subsys_register(&ip_set_netlink_subsys
);
1625 pr_err("ip_set: cannot register with nfnetlink.\n");
1629 ret
= nf_register_sockopt(&so_set
);
1631 pr_err("SO_SET registry failed: %d\n", ret
);
1632 nfnetlink_subsys_unregister(&ip_set_netlink_subsys
);
1637 pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL
);
1644 /* There can't be any existing set */
1645 nf_unregister_sockopt(&so_set
);
1646 nfnetlink_subsys_unregister(&ip_set_netlink_subsys
);
1648 pr_debug("these are the famous last words\n");
1651 module_init(ip_set_init
);
1652 module_exit(ip_set_fini
);