]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - net/netfilter/ipset/ip_set_core.c
projects / mirror_ubuntu-hirsute-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update my email address
[mirror_ubuntu-hirsute-kernel.git] / net / netfilter / ipset / ip_set_core.c
CommitLineData
a7b4f989
JK		 1/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
fe03d474 3 * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org>
a7b4f989
JK		 4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 */
9
10/* Kernel module for IP set management */
11
12#include <linux/init.h>
13#include <linux/module.h>
14#include <linux/moduleparam.h>
15#include <linux/ip.h>
16#include <linux/skbuff.h>
17#include <linux/spinlock.h>
a7b4f989 18#include <linux/rculist.h>
a7b4f989 19#include <net/netlink.h>
1785e8f4
VL		 20#include <net/net_namespace.h>
21#include <net/netns/generic.h>
a7b4f989
JK		 22
23#include <linux/netfilter.h>
b66554cf 24#include <linux/netfilter/x_tables.h>
a7b4f989
JK		 25#include <linux/netfilter/nfnetlink.h>
26#include <linux/netfilter/ipset/ip_set.h>
27
28static LIST_HEAD(ip_set_type_list); /* all registered set types */
29static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */
2f9f28b2 30static DEFINE_RWLOCK(ip_set_ref_lock); /* protects the set refs */
a7b4f989 31
1785e8f4
VL		 32struct ip_set_net {
33 struct ip_set * __rcu *ip_set_list; /* all individual sets */
34 ip_set_id_t ip_set_max; /* max number of sets */
9c1ba5c8
JK		 35 bool is_deleted; /* deleted by ip_set_net_exit */
36 bool is_destroyed; /* all sets are destroyed */
1785e8f4 37};
ca0f6a5c 38
c7d03a00 39static unsigned int ip_set_net_id __read_mostly;
1785e8f4
VL		 40
41static inline struct ip_set_net *ip_set_pernet(struct net *net)
42{
43 return net_generic(net, ip_set_net_id);
44}
a7b4f989 45
9076aea7 46#define IP_SET_INC 64
22496f09 47#define STRNCMP(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
a7b4f989
JK		 48
49static unsigned int max_sets;
50
51module_param(max_sets, int, 0600);
52MODULE_PARM_DESC(max_sets, "maximal number of sets");
53MODULE_LICENSE("GPL");
fe03d474 54MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@netfilter.org>");
a7b4f989
JK		 55MODULE_DESCRIPTION("core IP set support");
56MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
57
8a02bdd5 58/* When the nfnl mutex or ip_set_ref_lock is held: */
3e90ebd3 59#define ip_set_dereference(p) \
8a02bdd5
JK		 60 rcu_dereference_protected(p, \
61 lockdep_nfnl_is_held(NFNL_SUBSYS_IPSET) || \
62 lockdep_is_held(&ip_set_ref_lock))
3e90ebd3
PM		 63#define ip_set(inst, id) \
64 ip_set_dereference((inst)->ip_set_list)[id]
8a02bdd5
JK		 65#define ip_set_ref_netlink(inst,id) \
66 rcu_dereference_raw((inst)->ip_set_list)[id]
9076aea7 67
ca0f6a5c 68/* The set types are implemented in modules and registered set types
a7b4f989
JK		 69 * can be found in ip_set_type_list. Adding/deleting types is
70 * serialized by ip_set_type_mutex.
71 */
72
73static inline void
74ip_set_type_lock(void)
75{
76 mutex_lock(&ip_set_type_mutex);
77}
78
79static inline void
80ip_set_type_unlock(void)
81{
82 mutex_unlock(&ip_set_type_mutex);
83}
84
85/* Register and deregister settype */
86
87static struct ip_set_type *
88find_set_type(const char *name, u8 family, u8 revision)
89{
90 struct ip_set_type *type;
91
92 list_for_each_entry_rcu(type, &ip_set_type_list, list)
22496f09 93 if (STRNCMP(type->name, name) &&
3ace95c0
JK		 94 (type->family == family ||
95 type->family == NFPROTO_UNSPEC) &&
f1e00b39
JK		 96 revision >= type->revision_min &&
97 revision <= type->revision_max)
a7b4f989
JK		 98 return type;
99 return NULL;
100}
101
102/* Unlock, try to load a set type module and lock again */
088067f4
JK		 103static bool
104load_settype(const char *name)
a7b4f989 105{
c14b78e7 106 nfnl_unlock(NFNL_SUBSYS_IPSET);
a7b4f989
JK		 107 pr_debug("try to load ip_set_%s\n", name);
108 if (request_module("ip_set_%s", name) < 0) {
b167a37c 109 pr_warn("Can't find ip_set type %s\n", name);
c14b78e7 110 nfnl_lock(NFNL_SUBSYS_IPSET);
088067f4 111 return false;
a7b4f989 112 }
c14b78e7 113 nfnl_lock(NFNL_SUBSYS_IPSET);
088067f4 114 return true;
a7b4f989
JK		 115}
116
117/* Find a set type and reference it */
088067f4
JK		 118#define find_set_type_get(name, family, revision, found) \
119 __find_set_type_get(name, family, revision, found, false)
120
a7b4f989 121static int
088067f4
JK		 122__find_set_type_get(const char *name, u8 family, u8 revision,
123 struct ip_set_type **found, bool retry)
a7b4f989 124{
5c1aba46
JK		 125 struct ip_set_type *type;
126 int err;
127
088067f4
JK		 128 if (retry && !load_settype(name))
129 return -IPSET_ERR_FIND_TYPE;
130
a7b4f989
JK		 131 rcu_read_lock();
132 *found = find_set_type(name, family, revision);
133 if (*found) {
5c1aba46
JK		 134 err = !try_module_get((*found)->me) ? -EFAULT : 0;
135 goto unlock;
a7b4f989 136 }
088067f4 137 /* Make sure the type is already loaded
ca0f6a5c
JK		 138 * but we don't support the revision
139 */
5c1aba46 140 list_for_each_entry_rcu(type, &ip_set_type_list, list)
22496f09 141 if (STRNCMP(type->name, name)) {
5c1aba46
JK		 142 err = -IPSET_ERR_FIND_TYPE;
143 goto unlock;
144 }
a7b4f989
JK		 145 rcu_read_unlock();
146
088067f4
JK		 147 return retry ? -IPSET_ERR_FIND_TYPE :
148 __find_set_type_get(name, family, revision, found, true);
5c1aba46
JK		 149
150unlock:
151 rcu_read_unlock();
152 return err;
a7b4f989
JK		 153}
154
155/* Find a given set type by name and family.
156 * If we succeeded, the supported minimal and maximum revisions are
157 * filled out.
158 */
088067f4
JK		 159#define find_set_type_minmax(name, family, min, max) \
160 __find_set_type_minmax(name, family, min, max, false)
161
a7b4f989 162static int
088067f4
JK		 163__find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max,
164 bool retry)
a7b4f989
JK		 165{
166 struct ip_set_type *type;
167 bool found = false;
168
088067f4
JK		 169 if (retry && !load_settype(name))
170 return -IPSET_ERR_FIND_TYPE;
171
5c1aba46 172 *min = 255; *max = 0;
a7b4f989
JK		 173 rcu_read_lock();
174 list_for_each_entry_rcu(type, &ip_set_type_list, list)
22496f09 175 if (STRNCMP(type->name, name) &&
3ace95c0
JK		 176 (type->family == family ||
177 type->family == NFPROTO_UNSPEC)) {
a7b4f989 178 found = true;
f1e00b39
JK		 179 if (type->revision_min < *min)
180 *min = type->revision_min;
181 if (type->revision_max > *max)
182 *max = type->revision_max;
a7b4f989
JK		 183 }
184 rcu_read_unlock();
185 if (found)
186 return 0;
187
088067f4
JK		 188 return retry ? -IPSET_ERR_FIND_TYPE :
189 __find_set_type_minmax(name, family, min, max, true);
a7b4f989
JK		 190}
191
c15f1c83
JE		 192#define family_name(f) ((f) == NFPROTO_IPV4 ? "inet" : \
193 (f) == NFPROTO_IPV6 ? "inet6" : "any")
a7b4f989
JK		 194
195/* Register a set type structure. The type is identified by
196 * the unique triple of name, family and revision.
197 */
198int
199ip_set_type_register(struct ip_set_type *type)
200{
201 int ret = 0;
202
203 if (type->protocol != IPSET_PROTOCOL) {
b167a37c
JP		 204 pr_warn("ip_set type %s, family %s, revision %u:%u uses wrong protocol version %u (want %u)\n",
205 type->name, family_name(type->family),
206 type->revision_min, type->revision_max,
207 type->protocol, IPSET_PROTOCOL);
a7b4f989
JK		 208 return -EINVAL;
209 }
210
211 ip_set_type_lock();
f1e00b39 212 if (find_set_type(type->name, type->family, type->revision_min)) {
a7b4f989 213 /* Duplicate! */
b167a37c
JP		 214 pr_warn("ip_set type %s, family %s with revision min %u already registered!\n",
215 type->name, family_name(type->family),
216 type->revision_min);
b57b2d1f
JK		 217 ip_set_type_unlock();
218 return -EINVAL;
a7b4f989
JK		 219 }
220 list_add_rcu(&type->list, &ip_set_type_list);
f1e00b39
JK		 221 pr_debug("type %s, family %s, revision %u:%u registered.\n",
222 type->name, family_name(type->family),
223 type->revision_min, type->revision_max);
a7b4f989 224 ip_set_type_unlock();
b57b2d1f 225
a7b4f989
JK		 226 return ret;
227}
228EXPORT_SYMBOL_GPL(ip_set_type_register);
229
230/* Unregister a set type. There's a small race with ip_set_create */
231void
232ip_set_type_unregister(struct ip_set_type *type)
233{
234 ip_set_type_lock();
f1e00b39 235 if (!find_set_type(type->name, type->family, type->revision_min)) {
b167a37c
JP		 236 pr_warn("ip_set type %s, family %s with revision min %u not registered\n",
237 type->name, family_name(type->family),
238 type->revision_min);
b57b2d1f
JK		 239 ip_set_type_unlock();
240 return;
a7b4f989
JK		 241 }
242 list_del_rcu(&type->list);
f1e00b39
JK		 243 pr_debug("type %s, family %s with revision min %u unregistered.\n",
244 type->name, family_name(type->family), type->revision_min);
a7b4f989
JK		 245 ip_set_type_unlock();
246
247 synchronize_rcu();
248}
249EXPORT_SYMBOL_GPL(ip_set_type_unregister);
250
251/* Utility functions */
252void *
253ip_set_alloc(size_t size)
254{
255 void *members = NULL;
256
257 if (size < KMALLOC_MAX_SIZE)
258 members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
259
260 if (members) {
261 pr_debug("%p: allocated with kmalloc\n", members);
262 return members;
263 }
264
265 members = vzalloc(size);
266 if (!members)
267 return NULL;
268 pr_debug("%p: allocated with vmalloc\n", members);
269
270 return members;
271}
272EXPORT_SYMBOL_GPL(ip_set_alloc);
273
274void
275ip_set_free(void *members)
276{
277 pr_debug("%p: free with %s\n", members,
278 is_vmalloc_addr(members) ? "vfree" : "kfree");
4cb28970 279 kvfree(members);
a7b4f989
JK		 280}
281EXPORT_SYMBOL_GPL(ip_set_free);
282
283static inline bool
284flag_nested(const struct nlattr *nla)
285{
286 return nla->nla_type & NLA_F_NESTED;
287}
288
289static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
290 [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 },
291 [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY,
292 .len = sizeof(struct in6_addr) },
293};
294
295int
296ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr)
297{
ca0f6a5c 298 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX + 1];
a7b4f989
JK		 299
300 if (unlikely(!flag_nested(nla)))
301 return -IPSET_ERR_PROTOCOL;
8cb08174 302 if (nla_parse_nested_deprecated(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy, NULL))
a7b4f989
JK		 303 return -IPSET_ERR_PROTOCOL;
304 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4)))
305 return -IPSET_ERR_PROTOCOL;
306
307 *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]);
308 return 0;
309}
310EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4);
311
312int
313ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
314{
ca0f6a5c 315 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX + 1];
a7b4f989
JK		 316
317 if (unlikely(!flag_nested(nla)))
318 return -IPSET_ERR_PROTOCOL;
319
8cb08174 320 if (nla_parse_nested_deprecated(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy, NULL))
a7b4f989
JK		 321 return -IPSET_ERR_PROTOCOL;
322 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6)))
323 return -IPSET_ERR_PROTOCOL;
324
325 memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]),
ca0f6a5c 326 sizeof(struct in6_addr));
a7b4f989
JK		 327 return 0;
328}
329EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
330
9e41f26a 331typedef void (*destroyer)(struct ip_set *, void *);
03c8b234
JK		 332/* ipset data extension types, in size order */
333
334const struct ip_set_ext_type ip_set_extensions[] = {
335 [IPSET_EXT_ID_COUNTER] = {
336 .type = IPSET_EXT_COUNTER,
337 .flag = IPSET_FLAG_WITH_COUNTERS,
338 .len = sizeof(struct ip_set_counter),
339 .align = __alignof__(struct ip_set_counter),
340 },
341 [IPSET_EXT_ID_TIMEOUT] = {
342 .type = IPSET_EXT_TIMEOUT,
343 .len = sizeof(unsigned long),
344 .align = __alignof__(unsigned long),
345 },
0e9871e3
AD		 346 [IPSET_EXT_ID_SKBINFO] = {
347 .type = IPSET_EXT_SKBINFO,
348 .flag = IPSET_FLAG_WITH_SKBINFO,
349 .len = sizeof(struct ip_set_skbinfo),
350 .align = __alignof__(struct ip_set_skbinfo),
351 },
68b63f08
OS		 352 [IPSET_EXT_ID_COMMENT] = {
353 .type = IPSET_EXT_COMMENT | IPSET_EXT_DESTROY,
354 .flag = IPSET_FLAG_WITH_COMMENT,
355 .len = sizeof(struct ip_set_comment),
356 .align = __alignof__(struct ip_set_comment),
357 .destroy = (destroyer) ip_set_comment_free,
358 },
03c8b234
JK		 359};
360EXPORT_SYMBOL_GPL(ip_set_extensions);
361
362static inline bool
363add_extension(enum ip_set_ext_id id, u32 flags, struct nlattr *tb[])
364{
365 return ip_set_extensions[id].flag ?
366 (flags & ip_set_extensions[id].flag) :
367 !!tb[IPSET_ATTR_TIMEOUT];
368}
369
370size_t
95ad1f4a
JK		 371ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len,
372 size_t align)
03c8b234
JK		 373{
374 enum ip_set_ext_id id;
03c8b234
JK		 375 u32 cadt_flags = 0;
376
377 if (tb[IPSET_ATTR_CADT_FLAGS])
378 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
07cf8f5a
JH		 379 if (cadt_flags & IPSET_FLAG_WITH_FORCEADD)
380 set->flags |= IPSET_CREATE_FLAG_FORCEADD;
95ad1f4a
JK		 381 if (!align)
382 align = 1;
03c8b234
JK		 383 for (id = 0; id < IPSET_EXT_ID_MAX; id++) {
384 if (!add_extension(id, cadt_flags, tb))
385 continue;
95ad1f4a
JK		 386 len = ALIGN(len, ip_set_extensions[id].align);
387 set->offset[id] = len;
03c8b234 388 set->extensions |= ip_set_extensions[id].type;
95ad1f4a 389 len += ip_set_extensions[id].len;
03c8b234 390 }
95ad1f4a 391 return ALIGN(len, align);
03c8b234
JK		 392}
393EXPORT_SYMBOL_GPL(ip_set_elem_len);
394
075e64c0
JK		 395int
396ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],
397 struct ip_set_ext *ext)
398{
0e9871e3 399 u64 fullmark;
7dd37bc8
SP		 400
401 if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
402 !ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
403 !ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
404 !ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
405 !ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
406 !ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
407 return -IPSET_ERR_PROTOCOL;
408
075e64c0 409 if (tb[IPSET_ATTR_TIMEOUT]) {
edda0791 410 if (!SET_WITH_TIMEOUT(set))
075e64c0
JK		 411 return -IPSET_ERR_TIMEOUT;
412 ext->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
413 }
34d666d4 414 if (tb[IPSET_ATTR_BYTES] || tb[IPSET_ATTR_PACKETS]) {
edda0791 415 if (!SET_WITH_COUNTER(set))
34d666d4
JK		 416 return -IPSET_ERR_COUNTER;
417 if (tb[IPSET_ATTR_BYTES])
418 ext->bytes = be64_to_cpu(nla_get_be64(
419 tb[IPSET_ATTR_BYTES]));
420 if (tb[IPSET_ATTR_PACKETS])
421 ext->packets = be64_to_cpu(nla_get_be64(
422 tb[IPSET_ATTR_PACKETS]));
423 }
68b63f08 424 if (tb[IPSET_ATTR_COMMENT]) {
edda0791 425 if (!SET_WITH_COMMENT(set))
68b63f08
OS		 426 return -IPSET_ERR_COMMENT;
427 ext->comment = ip_set_comment_uget(tb[IPSET_ATTR_COMMENT]);
428 }
0e9871e3 429 if (tb[IPSET_ATTR_SKBMARK]) {
edda0791 430 if (!SET_WITH_SKBINFO(set))
0e9871e3
AD		 431 return -IPSET_ERR_SKBINFO;
432 fullmark = be64_to_cpu(nla_get_be64(tb[IPSET_ATTR_SKBMARK]));
bec810d9
JK		 433 ext->skbinfo.skbmark = fullmark >> 32;
434 ext->skbinfo.skbmarkmask = fullmark & 0xffffffff;
0e9871e3
AD		 435 }
436 if (tb[IPSET_ATTR_SKBPRIO]) {
edda0791 437 if (!SET_WITH_SKBINFO(set))
0e9871e3 438 return -IPSET_ERR_SKBINFO;
bec810d9
JK		 439 ext->skbinfo.skbprio =
440 be32_to_cpu(nla_get_be32(tb[IPSET_ATTR_SKBPRIO]));
0e9871e3
AD		 441 }
442 if (tb[IPSET_ATTR_SKBQUEUE]) {
edda0791 443 if (!SET_WITH_SKBINFO(set))
0e9871e3 444 return -IPSET_ERR_SKBINFO;
bec810d9
JK		 445 ext->skbinfo.skbqueue =
446 be16_to_cpu(nla_get_be16(tb[IPSET_ATTR_SKBQUEUE]));
0e9871e3 447 }
075e64c0
JK		 448 return 0;
449}
450EXPORT_SYMBOL_GPL(ip_set_get_extensions);
451
a3b1c1eb
DV		 452int
453ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set,
454 const void *e, bool active)
455{
456 if (SET_WITH_TIMEOUT(set)) {
457 unsigned long *timeout = ext_timeout(e, set);
458
459 if (nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
460 htonl(active ? ip_set_timeout_get(timeout)
461 : *timeout)))
462 return -EMSGSIZE;
463 }
464 if (SET_WITH_COUNTER(set) &&
465 ip_set_put_counter(skb, ext_counter(e, set)))
466 return -EMSGSIZE;
467 if (SET_WITH_COMMENT(set) &&
468 ip_set_put_comment(skb, ext_comment(e, set)))
469 return -EMSGSIZE;
470 if (SET_WITH_SKBINFO(set) &&
471 ip_set_put_skbinfo(skb, ext_skbinfo(e, set)))
472 return -EMSGSIZE;
473 return 0;
474}
475EXPORT_SYMBOL_GPL(ip_set_put_extensions);
476
4750005a
JK		 477bool
478ip_set_match_extensions(struct ip_set *set, const struct ip_set_ext *ext,
479 struct ip_set_ext *mext, u32 flags, void *data)
480{
481 if (SET_WITH_TIMEOUT(set) &&
482 ip_set_timeout_expired(ext_timeout(data, set)))
483 return false;
484 if (SET_WITH_COUNTER(set)) {
485 struct ip_set_counter *counter = ext_counter(data, set);
486
487 if (flags & IPSET_FLAG_MATCH_COUNTERS &&
488 !(ip_set_match_counter(ip_set_get_packets(counter),
489 mext->packets, mext->packets_op) &&
490 ip_set_match_counter(ip_set_get_bytes(counter),
491 mext->bytes, mext->bytes_op)))
492 return false;
493 ip_set_update_counter(counter, ext, flags);
494 }
495 if (SET_WITH_SKBINFO(set))
496 ip_set_get_skbinfo(ext_skbinfo(data, set),
497 ext, mext, flags);
498 return true;
499}
500EXPORT_SYMBOL_GPL(ip_set_match_extensions);
501
ca0f6a5c 502/* Creating/destroying/renaming/swapping affect the existence and
a7b4f989
JK		 503 * the properties of a set. All of these can be executed from userspace
504 * only and serialized by the nfnl mutex indirectly from nfnetlink.
505 *
506 * Sets are identified by their index in ip_set_list and the index
507 * is used by the external references (set/SET netfilter modules).
508 *
509 * The set behind an index may change by swapping only, from userspace.
510 */
511
512static inline void
9076aea7 513__ip_set_get(struct ip_set *set)
a7b4f989 514{
2f9f28b2 515 write_lock_bh(&ip_set_ref_lock);
9076aea7 516 set->ref++;
2f9f28b2 517 write_unlock_bh(&ip_set_ref_lock);
a7b4f989
JK		 518}
519
520static inline void
9076aea7 521__ip_set_put(struct ip_set *set)
a7b4f989 522{
2f9f28b2 523 write_lock_bh(&ip_set_ref_lock);
9076aea7
JK		 524 BUG_ON(set->ref == 0);
525 set->ref--;
2f9f28b2 526 write_unlock_bh(&ip_set_ref_lock);
a7b4f989
JK		 527}
528
596cf3fe
VP		 529/* set->ref can be swapped out by ip_set_swap, netlink events (like dump) need
530 * a separate reference counter
531 */
596cf3fe
VP		 532static inline void
533__ip_set_put_netlink(struct ip_set *set)
534{
535 write_lock_bh(&ip_set_ref_lock);
536 BUG_ON(set->ref_netlink == 0);
537 set->ref_netlink--;
538 write_unlock_bh(&ip_set_ref_lock);
539}
540
ca0f6a5c 541/* Add, del and test set entries from kernel.
a7b4f989
JK		 542 *
543 * The set behind the index must exist and must be referenced
544 * so it can't be destroyed (or changed) under our foot.
545 */
546
9076aea7 547static inline struct ip_set *
1785e8f4 548ip_set_rcu_get(struct net *net, ip_set_id_t index)
9076aea7
JK		 549{
550 struct ip_set *set;
1785e8f4 551 struct ip_set_net *inst = ip_set_pernet(net);
9076aea7
JK		 552
553 rcu_read_lock();
554 /* ip_set_list itself needs to be protected */
1785e8f4 555 set = rcu_dereference(inst->ip_set_list)[index];
9076aea7
JK		 556 rcu_read_unlock();
557
558 return set;
559}
560
a7b4f989
JK		 561int
562ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
075e64c0 563 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
a7b4f989 564{
613dbd95 565 struct ip_set *set = ip_set_rcu_get(xt_net(par), index);
a7b4f989
JK		 566 int ret = 0;
567
ca0f6a5c 568 BUG_ON(!set);
a7b4f989
JK		 569 pr_debug("set %s, index %u\n", set->name, index);
570
ac8cc925 571 if (opt->dim < set->type->dimension ||
c15f1c83 572 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
a7b4f989
JK		 573 return 0;
574
b57b2d1f 575 rcu_read_lock_bh();
b66554cf 576 ret = set->variant->kadt(set, skb, par, IPSET_TEST, opt);
b57b2d1f 577 rcu_read_unlock_bh();
a7b4f989
JK		 578
579 if (ret == -EAGAIN) {
580 /* Type requests element to be completed */
1a84db56 581 pr_debug("element must be completed, ADD is triggered\n");
b57b2d1f 582 spin_lock_bh(&set->lock);
b66554cf 583 set->variant->kadt(set, skb, par, IPSET_ADD, opt);
b57b2d1f 584 spin_unlock_bh(&set->lock);
a7b4f989 585 ret = 1;
3e0304a5
JK		 586 } else {
587 /* --return-nomatch: invert matched element */
6e01781d 588 if ((opt->cmdflags & IPSET_FLAG_RETURN_NOMATCH) &&
3e0304a5
JK		 589 (set->type->features & IPSET_TYPE_NOMATCH) &&
590 (ret > 0 || ret == -ENOTEMPTY))
591 ret = -ret;
a7b4f989
JK		 592 }
593
594 /* Convert error codes to nomatch */
595 return (ret < 0 ? 0 : ret);
596}
597EXPORT_SYMBOL_GPL(ip_set_test);
598
599int
600ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
075e64c0 601 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
a7b4f989 602{
613dbd95 603 struct ip_set *set = ip_set_rcu_get(xt_net(par), index);
a7b4f989
JK		 604 int ret;
605
ca0f6a5c 606 BUG_ON(!set);
a7b4f989
JK		 607 pr_debug("set %s, index %u\n", set->name, index);
608
ac8cc925 609 if (opt->dim < set->type->dimension ||
c15f1c83 610 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
35f6e63a 611 return -IPSET_ERR_TYPE_MISMATCH;
a7b4f989 612
b57b2d1f 613 spin_lock_bh(&set->lock);
b66554cf 614 ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt);
b57b2d1f 615 spin_unlock_bh(&set->lock);
a7b4f989
JK		 616
617 return ret;
618}
619EXPORT_SYMBOL_GPL(ip_set_add);
620
621int
622ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
075e64c0 623 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
a7b4f989 624{
613dbd95 625 struct ip_set *set = ip_set_rcu_get(xt_net(par), index);
a7b4f989
JK		 626 int ret = 0;
627
ca0f6a5c 628 BUG_ON(!set);
a7b4f989
JK		 629 pr_debug("set %s, index %u\n", set->name, index);
630
ac8cc925 631 if (opt->dim < set->type->dimension ||
c15f1c83 632 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
35f6e63a 633 return -IPSET_ERR_TYPE_MISMATCH;
a7b4f989 634
b57b2d1f 635 spin_lock_bh(&set->lock);
b66554cf 636 ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt);
b57b2d1f 637 spin_unlock_bh(&set->lock);
a7b4f989
JK		 638
639 return ret;
640}
641EXPORT_SYMBOL_GPL(ip_set_del);
642
ca0f6a5c 643/* Find set by name, reference it once. The reference makes sure the
a7b4f989
JK		 644 * thing pointed to, does not go away under our feet.
645 *
a7b4f989
JK		 646 */
647ip_set_id_t
1785e8f4 648ip_set_get_byname(struct net *net, const char *name, struct ip_set **set)
a7b4f989
JK		 649{
650 ip_set_id_t i, index = IPSET_INVALID_ID;
651 struct ip_set *s;
1785e8f4 652 struct ip_set_net *inst = ip_set_pernet(net);
a7b4f989 653
9076aea7 654 rcu_read_lock();
1785e8f4
VL		 655 for (i = 0; i < inst->ip_set_max; i++) {
656 s = rcu_dereference(inst->ip_set_list)[i];
ca0f6a5c 657 if (s && STRNCMP(s->name, name)) {
9076aea7 658 __ip_set_get(s);
a7b4f989
JK		 659 index = i;
660 *set = s;
9076aea7 661 break;
a7b4f989
JK		 662 }
663 }
9076aea7 664 rcu_read_unlock();
a7b4f989
JK		 665
666 return index;
667}
668EXPORT_SYMBOL_GPL(ip_set_get_byname);
669
ca0f6a5c 670/* If the given set pointer points to a valid set, decrement
a7b4f989
JK		 671 * reference count by 1. The caller shall not assume the index
672 * to be valid, after calling this function.
673 *
a7b4f989 674 */
1785e8f4
VL		 675
676static inline void
677__ip_set_put_byindex(struct ip_set_net *inst, ip_set_id_t index)
a7b4f989 678{
9076aea7
JK		 679 struct ip_set *set;
680
681 rcu_read_lock();
1785e8f4 682 set = rcu_dereference(inst->ip_set_list)[index];
ca0f6a5c 683 if (set)
9076aea7
JK		 684 __ip_set_put(set);
685 rcu_read_unlock();
a7b4f989 686}
1785e8f4
VL		 687
688void
689ip_set_put_byindex(struct net *net, ip_set_id_t index)
690{
691 struct ip_set_net *inst = ip_set_pernet(net);
692
693 __ip_set_put_byindex(inst, index);
694}
a7b4f989
JK		 695EXPORT_SYMBOL_GPL(ip_set_put_byindex);
696
ca0f6a5c 697/* Get the name of a set behind a set index.
439cd39e
SB		 698 * Set itself is protected by RCU, but its name isn't: to protect against
699 * renaming, grab ip_set_ref_lock as reader (see ip_set_rename()) and copy the
700 * name.
a7b4f989 701 */
439cd39e
SB		 702void
703ip_set_name_byindex(struct net *net, ip_set_id_t index, char *name)
a7b4f989 704{
439cd39e 705 struct ip_set *set = ip_set_rcu_get(net, index);
a7b4f989 706
ca0f6a5c 707 BUG_ON(!set);
a7b4f989 708
439cd39e
SB		 709 read_lock_bh(&ip_set_ref_lock);
710 strncpy(name, set->name, IPSET_MAXNAMELEN);
711 read_unlock_bh(&ip_set_ref_lock);
a7b4f989
JK		 712}
713EXPORT_SYMBOL_GPL(ip_set_name_byindex);
714
ca0f6a5c 715/* Routines to call by external subsystems, which do not
a7b4f989
JK		 716 * call nfnl_lock for us.
717 */
718
ca0f6a5c 719/* Find set by index, reference it once. The reference makes sure the
a7b4f989
JK		 720 * thing pointed to, does not go away under our feet.
721 *
722 * The nfnl mutex is used in the function.
723 */
724ip_set_id_t
1785e8f4 725ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index)
a7b4f989 726{
9076aea7 727 struct ip_set *set;
1785e8f4 728 struct ip_set_net *inst = ip_set_pernet(net);
9076aea7 729
0f9f5e1b 730 if (index >= inst->ip_set_max)
a7b4f989
JK		 731 return IPSET_INVALID_ID;
732
c14b78e7 733 nfnl_lock(NFNL_SUBSYS_IPSET);
3e90ebd3 734 set = ip_set(inst, index);
9076aea7
JK		 735 if (set)
736 __ip_set_get(set);
a7b4f989
JK		 737 else
738 index = IPSET_INVALID_ID;
c14b78e7 739 nfnl_unlock(NFNL_SUBSYS_IPSET);
a7b4f989
JK		 740
741 return index;
742}
743EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex);
744
ca0f6a5c 745/* If the given set pointer points to a valid set, decrement
a7b4f989
JK		 746 * reference count by 1. The caller shall not assume the index
747 * to be valid, after calling this function.
748 *
749 * The nfnl mutex is used in the function.
750 */
751void
1785e8f4 752ip_set_nfnl_put(struct net *net, ip_set_id_t index)
a7b4f989 753{
9076aea7 754 struct ip_set *set;
1785e8f4
VL		 755 struct ip_set_net *inst = ip_set_pernet(net);
756
c14b78e7 757 nfnl_lock(NFNL_SUBSYS_IPSET);
1785e8f4 758 if (!inst->is_deleted) { /* already deleted from ip_set_net_exit() */
3e90ebd3 759 set = ip_set(inst, index);
ca0f6a5c 760 if (set)
1785e8f4
VL		 761 __ip_set_put(set);
762 }
c14b78e7 763 nfnl_unlock(NFNL_SUBSYS_IPSET);
a7b4f989
JK		 764}
765EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
766
ca0f6a5c 767/* Communication protocol with userspace over netlink.
a7b4f989 768 *
2f9f28b2 769 * The commands are serialized by the nfnl mutex.
a7b4f989
JK		 770 */
771
23c42a40
JK		 772static inline u8 protocol(const struct nlattr * const tb[])
773{
774 return nla_get_u8(tb[IPSET_ATTR_PROTOCOL]);
775}
776
a7b4f989
JK		 777static inline bool
778protocol_failed(const struct nlattr * const tb[])
779{
23c42a40
JK		 780 return !tb[IPSET_ATTR_PROTOCOL] || protocol(tb) != IPSET_PROTOCOL;
781}
782
783static inline bool
784protocol_min_failed(const struct nlattr * const tb[])
785{
786 return !tb[IPSET_ATTR_PROTOCOL] || protocol(tb) < IPSET_PROTOCOL_MIN;
a7b4f989
JK		 787}
788
789static inline u32
790flag_exist(const struct nlmsghdr *nlh)
791{
792 return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST;
793}
794
795static struct nlmsghdr *
15e47304 796start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags,
a7b4f989
JK		 797 enum ipset_cmd cmd)
798{
799 struct nlmsghdr *nlh;
800 struct nfgenmsg *nfmsg;
801
dedb67c4 802 nlh = nlmsg_put(skb, portid, seq, nfnl_msg_type(NFNL_SUBSYS_IPSET, cmd),
a7b4f989 803 sizeof(*nfmsg), flags);
ca0f6a5c 804 if (!nlh)
a7b4f989
JK		 805 return NULL;
806
807 nfmsg = nlmsg_data(nlh);
c15f1c83 808 nfmsg->nfgen_family = NFPROTO_IPV4;
a7b4f989
JK		 809 nfmsg->version = NFNETLINK_V0;
810 nfmsg->res_id = 0;
811
812 return nlh;
813}
814
815/* Create a set */
816
817static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = {
818 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
819 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
820 .len = IPSET_MAXNAMELEN - 1 },
821 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
822 .len = IPSET_MAXNAMELEN - 1},
823 [IPSET_ATTR_REVISION] = { .type = NLA_U8 },
824 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
825 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
826};
827
9076aea7 828static struct ip_set *
1785e8f4 829find_set_and_id(struct ip_set_net *inst, const char *name, ip_set_id_t *id)
a7b4f989 830{
9076aea7
JK		 831 struct ip_set *set = NULL;
832 ip_set_id_t i;
a7b4f989 833
9076aea7 834 *id = IPSET_INVALID_ID;
1785e8f4 835 for (i = 0; i < inst->ip_set_max; i++) {
3e90ebd3 836 set = ip_set(inst, i);
ca0f6a5c 837 if (set && STRNCMP(set->name, name)) {
9076aea7
JK		 838 *id = i;
839 break;
840 }
a7b4f989 841 }
9076aea7 842 return (*id == IPSET_INVALID_ID ? NULL : set);
a7b4f989
JK		 843}
844
845static inline struct ip_set *
1785e8f4 846find_set(struct ip_set_net *inst, const char *name)
a7b4f989 847{
9076aea7 848 ip_set_id_t id;
a7b4f989 849
1785e8f4 850 return find_set_and_id(inst, name, &id);
a7b4f989
JK		 851}
852
853static int
1785e8f4
VL		 854find_free_id(struct ip_set_net *inst, const char *name, ip_set_id_t *index,
855 struct ip_set **set)
a7b4f989 856{
9076aea7 857 struct ip_set *s;
a7b4f989
JK		 858 ip_set_id_t i;
859
860 *index = IPSET_INVALID_ID;
1785e8f4 861 for (i = 0; i < inst->ip_set_max; i++) {
3e90ebd3 862 s = ip_set(inst, i);
ca0f6a5c 863 if (!s) {
a7b4f989
JK		 864 if (*index == IPSET_INVALID_ID)
865 *index = i;
22496f09 866 } else if (STRNCMP(name, s->name)) {
a7b4f989 867 /* Name clash */
9076aea7 868 *set = s;
a7b4f989
JK		 869 return -EEXIST;
870 }
871 }
872 if (*index == IPSET_INVALID_ID)
873 /* No free slot remained */
874 return -IPSET_ERR_MAX_SETS;
875 return 0;
876}
877
7b8002a1
PNA		 878static int ip_set_none(struct net *net, struct sock *ctnl, struct sk_buff *skb,
879 const struct nlmsghdr *nlh,
04ba724b
PNA		 880 const struct nlattr * const attr[],
881 struct netlink_ext_ack *extack)
d31f4d44
TB		 882{
883 return -EOPNOTSUPP;
884}
885
7b8002a1
PNA		 886static int ip_set_create(struct net *net, struct sock *ctnl,
887 struct sk_buff *skb, const struct nlmsghdr *nlh,
04ba724b
PNA		 888 const struct nlattr * const attr[],
889 struct netlink_ext_ack *extack)
a7b4f989 890{
1785e8f4 891 struct ip_set_net *inst = ip_set_pernet(net);
9846ada1 892 struct ip_set *set, *clash = NULL;
a7b4f989 893 ip_set_id_t index = IPSET_INVALID_ID;
ca0f6a5c 894 struct nlattr *tb[IPSET_ATTR_CREATE_MAX + 1] = {};
a7b4f989
JK		 895 const char *name, *typename;
896 u8 family, revision;
897 u32 flags = flag_exist(nlh);
898 int ret = 0;
899
23c42a40 900 if (unlikely(protocol_min_failed(attr) ||
ca0f6a5c
JK		 901 !attr[IPSET_ATTR_SETNAME] ||
902 !attr[IPSET_ATTR_TYPENAME] ||
903 !attr[IPSET_ATTR_REVISION] ||
904 !attr[IPSET_ATTR_FAMILY] ||
905 (attr[IPSET_ATTR_DATA] &&
a7b4f989
JK		 906 !flag_nested(attr[IPSET_ATTR_DATA]))))
907 return -IPSET_ERR_PROTOCOL;
908
909 name = nla_data(attr[IPSET_ATTR_SETNAME]);
910 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
911 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
912 revision = nla_get_u8(attr[IPSET_ATTR_REVISION]);
913 pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
914 name, typename, family_name(family), revision);
915
ca0f6a5c 916 /* First, and without any locks, allocate and initialize
a7b4f989
JK		 917 * a normal base set structure.
918 */
ca0f6a5c 919 set = kzalloc(sizeof(*set), GFP_KERNEL);
a7b4f989
JK		 920 if (!set)
921 return -ENOMEM;
b57b2d1f 922 spin_lock_init(&set->lock);
a7b4f989 923 strlcpy(set->name, name, IPSET_MAXNAMELEN);
a7b4f989 924 set->family = family;
f1e00b39 925 set->revision = revision;
a7b4f989 926
ca0f6a5c 927 /* Next, check that we know the type, and take
a7b4f989
JK		 928 * a reference on the type, to make sure it stays available
929 * while constructing our new set.
930 *
931 * After referencing the type, we try to create the type
932 * specific part of the set without holding any locks.
933 */
ca0f6a5c 934 ret = find_set_type_get(typename, family, revision, &set->type);
a7b4f989
JK		 935 if (ret)
936 goto out;
937
ca0f6a5c 938 /* Without holding any locks, create private part. */
a7b4f989 939 if (attr[IPSET_ATTR_DATA] &&
8cb08174 940 nla_parse_nested_deprecated(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA], set->type->create_policy, NULL)) {
15b4d93f
JK		 941 ret = -IPSET_ERR_PROTOCOL;
942 goto put_out;
a7b4f989
JK		 943 }
944
1785e8f4 945 ret = set->type->create(net, set, tb, flags);
a7b4f989
JK		 946 if (ret != 0)
947 goto put_out;
948
949 /* BTW, ret==0 here. */
950
ca0f6a5c 951 /* Here, we have a valid, constructed set and we are protected
2f9f28b2
JK		 952 * by the nfnl mutex. Find the first free index in ip_set_list
953 * and check clashing.
a7b4f989 954 */
1785e8f4 955 ret = find_free_id(inst, set->name, &index, &clash);
9076aea7 956 if (ret == -EEXIST) {
a7b4f989 957 /* If this is the same set and requested, ignore error */
9076aea7 958 if ((flags & IPSET_FLAG_EXIST) &&
22496f09 959 STRNCMP(set->type->name, clash->type->name) &&
a7b4f989 960 set->type->family == clash->type->family &&
f1e00b39
JK		 961 set->type->revision_min == clash->type->revision_min &&
962 set->type->revision_max == clash->type->revision_max &&
a7b4f989
JK		 963 set->variant->same_set(set, clash))
964 ret = 0;
965 goto cleanup;
9076aea7
JK		 966 } else if (ret == -IPSET_ERR_MAX_SETS) {
967 struct ip_set **list, **tmp;
1785e8f4 968 ip_set_id_t i = inst->ip_set_max + IP_SET_INC;
9076aea7 969
1785e8f4 970 if (i < inst->ip_set_max || i == IPSET_INVALID_ID)
9076aea7
JK		 971 /* Wraparound */
972 goto cleanup;
973
ed956f39 974 list = kvcalloc(i, sizeof(struct ip_set *), GFP_KERNEL);
9076aea7
JK		 975 if (!list)
976 goto cleanup;
977 /* nfnl mutex is held, both lists are valid */
3e90ebd3 978 tmp = ip_set_dereference(inst->ip_set_list);
1785e8f4
VL		 979 memcpy(list, tmp, sizeof(struct ip_set *) * inst->ip_set_max);
980 rcu_assign_pointer(inst->ip_set_list, list);
9076aea7
JK		 981 /* Make sure all current packets have passed through */
982 synchronize_net();
983 /* Use new list */
1785e8f4
VL		 984 index = inst->ip_set_max;
985 inst->ip_set_max = i;
ed956f39 986 kvfree(tmp);
9076aea7 987 ret = 0;
ca0f6a5c 988 } else if (ret) {
9076aea7 989 goto cleanup;
ca0f6a5c 990 }
a7b4f989 991
ca0f6a5c 992 /* Finally! Add our shiny new set to the list, and be done. */
a7b4f989 993 pr_debug("create: '%s' created with index %u!\n", set->name, index);
3e90ebd3 994 ip_set(inst, index) = set;
a7b4f989
JK		 995
996 return ret;
997
998cleanup:
999 set->variant->destroy(set);
1000put_out:
1001 module_put(set->type->me);
1002out:
1003 kfree(set);
1004 return ret;
1005}
1006
1007/* Destroy sets */
1008
1009static const struct nla_policy
1010ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
1011 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1012 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1013 .len = IPSET_MAXNAMELEN - 1 },
1014};
1015
1016static void
9c1ba5c8 1017ip_set_destroy_set(struct ip_set *set)
a7b4f989 1018{
a7b4f989 1019 pr_debug("set: %s\n", set->name);
a7b4f989
JK		 1020
1021 /* Must call it without holding any lock */
1022 set->variant->destroy(set);
1023 module_put(set->type->me);
1024 kfree(set);
1025}
1026
7b8002a1
PNA		 1027static int ip_set_destroy(struct net *net, struct sock *ctnl,
1028 struct sk_buff *skb, const struct nlmsghdr *nlh,
04ba724b
PNA		 1029 const struct nlattr * const attr[],
1030 struct netlink_ext_ack *extack)
a7b4f989 1031{
7b8002a1 1032 struct ip_set_net *inst = ip_set_pernet(net);
9076aea7 1033 struct ip_set *s;
a7b4f989 1034 ip_set_id_t i;
2f9f28b2 1035 int ret = 0;
a7b4f989 1036
23c42a40 1037 if (unlikely(protocol_min_failed(attr)))
a7b4f989
JK		 1038 return -IPSET_ERR_PROTOCOL;
1039
45040978
JK		 1040 /* Must wait for flush to be really finished in list:set */
1041 rcu_barrier();
1042
2f9f28b2
JK		 1043 /* Commands are serialized and references are
1044 * protected by the ip_set_ref_lock.
1045 * External systems (i.e. xt_set) must call
1046 * ip_set_put|get_nfnl_* functions, that way we
1047 * can safely check references here.
1048 *
1049 * list:set timer can only decrement the reference
1050 * counter, so if it's already zero, we can proceed
1051 * without holding the lock.
1052 */
1053 read_lock_bh(&ip_set_ref_lock);
a7b4f989 1054 if (!attr[IPSET_ATTR_SETNAME]) {
1785e8f4 1055 for (i = 0; i < inst->ip_set_max; i++) {
3e90ebd3 1056 s = ip_set(inst, i);
596cf3fe 1057 if (s && (s->ref || s->ref_netlink)) {
9d883232 1058 ret = -IPSET_ERR_BUSY;
2f9f28b2
JK		 1059 goto out;
1060 }
a7b4f989 1061 }
9c1ba5c8 1062 inst->is_destroyed = true;
2f9f28b2 1063 read_unlock_bh(&ip_set_ref_lock);
1785e8f4 1064 for (i = 0; i < inst->ip_set_max; i++) {
3e90ebd3 1065 s = ip_set(inst, i);
9c1ba5c8
JK		 1066 if (s) {
1067 ip_set(inst, i) = NULL;
1068 ip_set_destroy_set(s);
1069 }
a7b4f989 1070 }
9c1ba5c8
JK		 1071 /* Modified by ip_set_destroy() only, which is serialized */
1072 inst->is_destroyed = false;
a7b4f989 1073 } else {
1785e8f4
VL		 1074 s = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]),
1075 &i);
ca0f6a5c 1076 if (!s) {
2f9f28b2
JK		 1077 ret = -ENOENT;
1078 goto out;
596cf3fe 1079 } else if (s->ref || s->ref_netlink) {
2f9f28b2
JK		 1080 ret = -IPSET_ERR_BUSY;
1081 goto out;
1082 }
9c1ba5c8 1083 ip_set(inst, i) = NULL;
2f9f28b2 1084 read_unlock_bh(&ip_set_ref_lock);
a7b4f989 1085
9c1ba5c8 1086 ip_set_destroy_set(s);
a7b4f989
JK		 1087 }
1088 return 0;
2f9f28b2
JK		 1089out:
1090 read_unlock_bh(&ip_set_ref_lock);
1091 return ret;
a7b4f989
JK		 1092}
1093
1094/* Flush sets */
1095
1096static void
1097ip_set_flush_set(struct ip_set *set)
1098{
1099 pr_debug("set: %s\n", set->name);
1100
b57b2d1f 1101 spin_lock_bh(&set->lock);
a7b4f989 1102 set->variant->flush(set);
b57b2d1f 1103 spin_unlock_bh(&set->lock);
a7b4f989
JK		 1104}
1105
7b8002a1
PNA		 1106static int ip_set_flush(struct net *net, struct sock *ctnl, struct sk_buff *skb,
1107 const struct nlmsghdr *nlh,
04ba724b
PNA		 1108 const struct nlattr * const attr[],
1109 struct netlink_ext_ack *extack)
a7b4f989 1110{
7b8002a1 1111 struct ip_set_net *inst = ip_set_pernet(net);
9076aea7 1112 struct ip_set *s;
a7b4f989
JK		 1113 ip_set_id_t i;
1114
23c42a40 1115 if (unlikely(protocol_min_failed(attr)))
9184a9cb 1116 return -IPSET_ERR_PROTOCOL;
a7b4f989
JK		 1117
1118 if (!attr[IPSET_ATTR_SETNAME]) {
1785e8f4 1119 for (i = 0; i < inst->ip_set_max; i++) {
3e90ebd3 1120 s = ip_set(inst, i);
ca0f6a5c 1121 if (s)
9076aea7
JK		 1122 ip_set_flush_set(s);
1123 }
a7b4f989 1124 } else {
1785e8f4 1125 s = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
ca0f6a5c 1126 if (!s)
a7b4f989
JK		 1127 return -ENOENT;
1128
9076aea7 1129 ip_set_flush_set(s);
a7b4f989
JK		 1130 }
1131
1132 return 0;
1133}
1134
1135/* Rename a set */
1136
1137static const struct nla_policy
1138ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = {
1139 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1140 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1141 .len = IPSET_MAXNAMELEN - 1 },
1142 [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING,
1143 .len = IPSET_MAXNAMELEN - 1 },
1144};
1145
7b8002a1
PNA		 1146static int ip_set_rename(struct net *net, struct sock *ctnl,
1147 struct sk_buff *skb, const struct nlmsghdr *nlh,
04ba724b
PNA		 1148 const struct nlattr * const attr[],
1149 struct netlink_ext_ack *extack)
a7b4f989 1150{
7b8002a1 1151 struct ip_set_net *inst = ip_set_pernet(net);
9076aea7 1152 struct ip_set *set, *s;
a7b4f989
JK		 1153 const char *name2;
1154 ip_set_id_t i;
2f9f28b2 1155 int ret = 0;
a7b4f989 1156
23c42a40 1157 if (unlikely(protocol_min_failed(attr) ||
ca0f6a5c
JK		 1158 !attr[IPSET_ATTR_SETNAME] ||
1159 !attr[IPSET_ATTR_SETNAME2]))
a7b4f989
JK		 1160 return -IPSET_ERR_PROTOCOL;
1161
1785e8f4 1162 set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
ca0f6a5c 1163 if (!set)
a7b4f989 1164 return -ENOENT;
2f9f28b2 1165
439cd39e 1166 write_lock_bh(&ip_set_ref_lock);
2f9f28b2
JK		 1167 if (set->ref != 0) {
1168 ret = -IPSET_ERR_REFERENCED;
1169 goto out;
1170 }
a7b4f989
JK		 1171
1172 name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
1785e8f4 1173 for (i = 0; i < inst->ip_set_max; i++) {
3e90ebd3 1174 s = ip_set(inst, i);
ca0f6a5c 1175 if (s && STRNCMP(s->name, name2)) {
2f9f28b2
JK		 1176 ret = -IPSET_ERR_EXIST_SETNAME2;
1177 goto out;
1178 }
a7b4f989
JK		 1179 }
1180 strncpy(set->name, name2, IPSET_MAXNAMELEN);
1181
2f9f28b2 1182out:
439cd39e 1183 write_unlock_bh(&ip_set_ref_lock);
2f9f28b2 1184 return ret;
a7b4f989
JK		 1185}
1186
1187/* Swap two sets so that name/index points to the other.
1188 * References and set names are also swapped.
1189 *
2f9f28b2
JK		 1190 * The commands are serialized by the nfnl mutex and references are
1191 * protected by the ip_set_ref_lock. The kernel interfaces
a7b4f989
JK		 1192 * do not hold the mutex but the pointer settings are atomic
1193 * so the ip_set_list always contains valid pointers to the sets.
1194 */
1195
7b8002a1
PNA		 1196static int ip_set_swap(struct net *net, struct sock *ctnl, struct sk_buff *skb,
1197 const struct nlmsghdr *nlh,
04ba724b
PNA		 1198 const struct nlattr * const attr[],
1199 struct netlink_ext_ack *extack)
a7b4f989 1200{
7b8002a1 1201 struct ip_set_net *inst = ip_set_pernet(net);
a7b4f989
JK		 1202 struct ip_set *from, *to;
1203 ip_set_id_t from_id, to_id;
1204 char from_name[IPSET_MAXNAMELEN];
a7b4f989 1205
23c42a40 1206 if (unlikely(protocol_min_failed(attr) ||
ca0f6a5c
JK		 1207 !attr[IPSET_ATTR_SETNAME] ||
1208 !attr[IPSET_ATTR_SETNAME2]))
a7b4f989
JK		 1209 return -IPSET_ERR_PROTOCOL;
1210
1785e8f4
VL		 1211 from = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]),
1212 &from_id);
ca0f6a5c 1213 if (!from)
a7b4f989
JK		 1214 return -ENOENT;
1215
1785e8f4
VL		 1216 to = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME2]),
1217 &to_id);
ca0f6a5c 1218 if (!to)
a7b4f989
JK		 1219 return -IPSET_ERR_EXIST_SETNAME2;
1220
a7b4f989 1221 /* Features must not change.
ca0f6a5c
JK		 1222 * Not an artifical restriction anymore, as we must prevent
1223 * possible loops created by swapping in setlist type of sets.
1224 */
a7b4f989 1225 if (!(from->type->features == to->type->features &&
169faa2e 1226 from->family == to->family))
a7b4f989
JK		 1227 return -IPSET_ERR_TYPE_MISMATCH;
1228
e5173418
RL		 1229 write_lock_bh(&ip_set_ref_lock);
1230
1231 if (from->ref_netlink || to->ref_netlink) {
1232 write_unlock_bh(&ip_set_ref_lock);
596cf3fe 1233 return -EBUSY;
e5173418 1234 }
596cf3fe 1235
a7b4f989 1236 strncpy(from_name, from->name, IPSET_MAXNAMELEN);
a7b4f989 1237 strncpy(from->name, to->name, IPSET_MAXNAMELEN);
a7b4f989 1238 strncpy(to->name, from_name, IPSET_MAXNAMELEN);
a7b4f989 1239
2f9f28b2 1240 swap(from->ref, to->ref);
3e90ebd3
PM		 1241 ip_set(inst, from_id) = to;
1242 ip_set(inst, to_id) = from;
2f9f28b2 1243 write_unlock_bh(&ip_set_ref_lock);
a7b4f989
JK		 1244
1245 return 0;
1246}
1247
1248/* List/save set data */
1249
c1e2e043
JK		 1250#define DUMP_INIT 0
1251#define DUMP_ALL 1
1252#define DUMP_ONE 2
1253#define DUMP_LAST 3
1254
1255#define DUMP_TYPE(arg) (((u32)(arg)) & 0x0000FFFF)
1256#define DUMP_FLAGS(arg) (((u32)(arg)) >> 16)
a7b4f989
JK		 1257
1258static int
1259ip_set_dump_done(struct netlink_callback *cb)
1260{
93302880 1261 if (cb->args[IPSET_CB_ARG0]) {
c4c99783
JK		 1262 struct ip_set_net *inst =
1263 (struct ip_set_net *)cb->args[IPSET_CB_NET];
1264 ip_set_id_t index = (ip_set_id_t)cb->args[IPSET_CB_INDEX];
8a02bdd5 1265 struct ip_set *set = ip_set_ref_netlink(inst, index);
c4c99783
JK		 1266
1267 if (set->variant->uref)
1268 set->variant->uref(set, cb, false);
1269 pr_debug("release set %s\n", set->name);
596cf3fe 1270 __ip_set_put_netlink(set);
a7b4f989
JK		 1271 }
1272 return 0;
1273}
1274
1275static inline void
1276dump_attrs(struct nlmsghdr *nlh)
1277{
1278 const struct nlattr *attr;
1279 int rem;
1280
1281 pr_debug("dump nlmsg\n");
1282 nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) {
1283 pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len);
1284 }
1285}
1286
1287static int
93302880 1288dump_init(struct netlink_callback *cb, struct ip_set_net *inst)
a7b4f989
JK		 1289{
1290 struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
573ce260 1291 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
ca0f6a5c 1292 struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
a7b4f989 1293 struct nlattr *attr = (void *)nlh + min_len;
c1e2e043 1294 u32 dump_type;
a7b4f989 1295 ip_set_id_t index;
13c6ba1f 1296 int ret;
a7b4f989 1297
13c6ba1f
JK		 1298 ret = nla_parse_deprecated(cda, IPSET_ATTR_CMD_MAX, attr,
1299 nlh->nlmsg_len - min_len,
1300 ip_set_setname_policy, NULL);
1301 if (ret)
1302 return ret;
a7b4f989 1303
23c42a40 1304 cb->args[IPSET_CB_PROTO] = nla_get_u8(cda[IPSET_ATTR_PROTOCOL]);
c1e2e043 1305 if (cda[IPSET_ATTR_SETNAME]) {
9076aea7
JK		 1306 struct ip_set *set;
1307
1785e8f4 1308 set = find_set_and_id(inst, nla_data(cda[IPSET_ATTR_SETNAME]),
9076aea7 1309 &index);
ca0f6a5c 1310 if (!set)
c1e2e043 1311 return -ENOENT;
a7b4f989 1312
c1e2e043 1313 dump_type = DUMP_ONE;
93302880 1314 cb->args[IPSET_CB_INDEX] = index;
ca0f6a5c 1315 } else {
c1e2e043 1316 dump_type = DUMP_ALL;
ca0f6a5c 1317 }
c1e2e043
JK		 1318
1319 if (cda[IPSET_ATTR_FLAGS]) {
1320 u32 f = ip_set_get_h32(cda[IPSET_ATTR_FLAGS]);
ca0f6a5c 1321
c1e2e043
JK		 1322 dump_type |= (f << 16);
1323 }
93302880
JK		 1324 cb->args[IPSET_CB_NET] = (unsigned long)inst;
1325 cb->args[IPSET_CB_DUMP] = dump_type;
a7b4f989 1326
a7b4f989
JK		 1327 return 0;
1328}
1329
1330static int
1331ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
1332{
1333 ip_set_id_t index = IPSET_INVALID_ID, max;
1334 struct ip_set *set = NULL;
1335 struct nlmsghdr *nlh = NULL;
15e47304 1336 unsigned int flags = NETLINK_CB(cb->skb).portid ? NLM_F_MULTI : 0;
93302880 1337 struct ip_set_net *inst = ip_set_pernet(sock_net(skb->sk));
c1e2e043 1338 u32 dump_type, dump_flags;
9c1ba5c8 1339 bool is_destroyed;
a7b4f989
JK		 1340 int ret = 0;
1341
93302880
JK		 1342 if (!cb->args[IPSET_CB_DUMP]) {
1343 ret = dump_init(cb, inst);
a7b4f989
JK		 1344 if (ret < 0) {
1345 nlh = nlmsg_hdr(cb->skb);
1346 /* We have to create and send the error message
ca0f6a5c
JK		 1347 * manually :-(
1348 */
a7b4f989 1349 if (nlh->nlmsg_flags & NLM_F_ACK)
2d4bc933 1350 netlink_ack(cb->skb, nlh, ret, NULL);
a7b4f989
JK		 1351 return ret;
1352 }
1353 }
1354
93302880 1355 if (cb->args[IPSET_CB_INDEX] >= inst->ip_set_max)
a7b4f989
JK		 1356 goto out;
1357
93302880
JK		 1358 dump_type = DUMP_TYPE(cb->args[IPSET_CB_DUMP]);
1359 dump_flags = DUMP_FLAGS(cb->args[IPSET_CB_DUMP]);
1360 max = dump_type == DUMP_ONE ? cb->args[IPSET_CB_INDEX] + 1
1361 : inst->ip_set_max;
a8a8a093 1362dump_last:
93302880
JK		 1363 pr_debug("dump type, flag: %u %u index: %ld\n",
1364 dump_type, dump_flags, cb->args[IPSET_CB_INDEX]);
1365 for (; cb->args[IPSET_CB_INDEX] < max; cb->args[IPSET_CB_INDEX]++) {
ca0f6a5c 1366 index = (ip_set_id_t)cb->args[IPSET_CB_INDEX];
9c1ba5c8 1367 write_lock_bh(&ip_set_ref_lock);
3e90ebd3 1368 set = ip_set(inst, index);
9c1ba5c8
JK		 1369 is_destroyed = inst->is_destroyed;
1370 if (!set || is_destroyed) {
1371 write_unlock_bh(&ip_set_ref_lock);
c1e2e043 1372 if (dump_type == DUMP_ONE) {
a7b4f989
JK		 1373 ret = -ENOENT;
1374 goto out;
1375 }
9c1ba5c8
JK		 1376 if (is_destroyed) {
1377 /* All sets are just being destroyed */
1378 ret = 0;
1379 goto out;
1380 }
a7b4f989
JK		 1381 continue;
1382 }
1383 /* When dumping all sets, we must dump "sorted"
1384 * so that lists (unions of sets) are dumped last.
1385 */
c1e2e043
JK		 1386 if (dump_type != DUMP_ONE &&
1387 ((dump_type == DUMP_ALL) ==
9c1ba5c8
JK		 1388 !!(set->type->features & IPSET_DUMP_LAST))) {
1389 write_unlock_bh(&ip_set_ref_lock);
a7b4f989 1390 continue;
9c1ba5c8 1391 }
a7b4f989 1392 pr_debug("List set: %s\n", set->name);
93302880 1393 if (!cb->args[IPSET_CB_ARG0]) {
a7b4f989
JK		 1394 /* Start listing: make sure set won't be destroyed */
1395 pr_debug("reference set\n");
596cf3fe 1396 set->ref_netlink++;
a7b4f989 1397 }
9c1ba5c8 1398 write_unlock_bh(&ip_set_ref_lock);
15e47304 1399 nlh = start_msg(skb, NETLINK_CB(cb->skb).portid,
a7b4f989
JK		 1400 cb->nlh->nlmsg_seq, flags,
1401 IPSET_CMD_LIST);
1402 if (!nlh) {
1403 ret = -EMSGSIZE;
1404 goto release_refcount;
1405 }
23c42a40
JK		 1406 if (nla_put_u8(skb, IPSET_ATTR_PROTOCOL,
1407 cb->args[IPSET_CB_PROTO]) ||
7cf7899d
DM		 1408 nla_put_string(skb, IPSET_ATTR_SETNAME, set->name))
1409 goto nla_put_failure;
c1e2e043
JK		 1410 if (dump_flags & IPSET_FLAG_LIST_SETNAME)
1411 goto next_set;
93302880 1412 switch (cb->args[IPSET_CB_ARG0]) {
a7b4f989
JK		 1413 case 0:
1414 /* Core header data */
7cf7899d
DM		 1415 if (nla_put_string(skb, IPSET_ATTR_TYPENAME,
1416 set->type->name) ||
1417 nla_put_u8(skb, IPSET_ATTR_FAMILY,
1418 set->family) ||
1419 nla_put_u8(skb, IPSET_ATTR_REVISION,
1420 set->revision))
1421 goto nla_put_failure;
23c42a40
JK		 1422 if (cb->args[IPSET_CB_PROTO] > IPSET_PROTOCOL_MIN &&
1423 nla_put_net16(skb, IPSET_ATTR_INDEX, htons(index)))
1424 goto nla_put_failure;
a7b4f989
JK		 1425 ret = set->variant->head(set, skb);
1426 if (ret < 0)
1427 goto release_refcount;
c1e2e043
JK		 1428 if (dump_flags & IPSET_FLAG_LIST_HEADER)
1429 goto next_set;
c4c99783
JK		 1430 if (set->variant->uref)
1431 set->variant->uref(set, cb, true);
e8542dce 1432 /* fall through */
a7b4f989 1433 default:
a7b4f989 1434 ret = set->variant->list(set, skb, cb);
93302880 1435 if (!cb->args[IPSET_CB_ARG0])
a7b4f989 1436 /* Set is done, proceed with next one */
c1e2e043 1437 goto next_set;
a7b4f989
JK		 1438 goto release_refcount;
1439 }
1440 }
a8a8a093 1441 /* If we dump all sets, continue with dumping last ones */
c1e2e043
JK		 1442 if (dump_type == DUMP_ALL) {
1443 dump_type = DUMP_LAST;
93302880
JK		 1444 cb->args[IPSET_CB_DUMP] = dump_type | (dump_flags << 16);
1445 cb->args[IPSET_CB_INDEX] = 0;
c4c99783
JK		 1446 if (set && set->variant->uref)
1447 set->variant->uref(set, cb, false);
a8a8a093
JK		 1448 goto dump_last;
1449 }
a7b4f989
JK		 1450 goto out;
1451
1452nla_put_failure:
1453 ret = -EFAULT;
c1e2e043
JK		 1454next_set:
1455 if (dump_type == DUMP_ONE)
93302880 1456 cb->args[IPSET_CB_INDEX] = IPSET_INVALID_ID;
c1e2e043 1457 else
93302880 1458 cb->args[IPSET_CB_INDEX]++;
a7b4f989
JK		 1459release_refcount:
1460 /* If there was an error or set is done, release set */
93302880 1461 if (ret || !cb->args[IPSET_CB_ARG0]) {
8a02bdd5 1462 set = ip_set_ref_netlink(inst, index);
c4c99783
JK		 1463 if (set->variant->uref)
1464 set->variant->uref(set, cb, false);
1465 pr_debug("release set %s\n", set->name);
596cf3fe 1466 __ip_set_put_netlink(set);
93302880 1467 cb->args[IPSET_CB_ARG0] = 0;
a7b4f989 1468 }
a7b4f989
JK		 1469out:
1470 if (nlh) {
1471 nlmsg_end(skb, nlh);
1472 pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len);
1473 dump_attrs(nlh);
1474 }
1475
1476 return ret < 0 ? ret : skb->len;
1477}
1478
7b8002a1
PNA		 1479static int ip_set_dump(struct net *net, struct sock *ctnl, struct sk_buff *skb,
1480 const struct nlmsghdr *nlh,
04ba724b
PNA		 1481 const struct nlattr * const attr[],
1482 struct netlink_ext_ack *extack)
a7b4f989 1483{
23c42a40 1484 if (unlikely(protocol_min_failed(attr)))
a7b4f989
JK		 1485 return -IPSET_ERR_PROTOCOL;
1486
80d326fa
PNA		 1487 {
1488 struct netlink_dump_control c = {
1489 .dump = ip_set_dump_start,
1490 .done = ip_set_dump_done,
1491 };
1492 return netlink_dump_start(ctnl, skb, nlh, &c);
1493 }
a7b4f989
JK		 1494}
1495
1496/* Add, del and test */
1497
1498static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
1499 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1500 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1501 .len = IPSET_MAXNAMELEN - 1 },
1502 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
1503 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
1504 [IPSET_ATTR_ADT] = { .type = NLA_NESTED },
1505};
1506
1507static int
5f52bc3c 1508call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
a7b4f989
JK		 1509 struct nlattr *tb[], enum ipset_adt adt,
1510 u32 flags, bool use_lineno)
1511{
3d14b171 1512 int ret;
a7b4f989 1513 u32 lineno = 0;
3d14b171 1514 bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
a7b4f989
JK		 1515
1516 do {
b57b2d1f 1517 spin_lock_bh(&set->lock);
3d14b171 1518 ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
b57b2d1f 1519 spin_unlock_bh(&set->lock);
3d14b171 1520 retried = true;
a7b4f989
JK		 1521 } while (ret == -EAGAIN &&
1522 set->variant->resize &&
3d14b171 1523 (ret = set->variant->resize(set, retried)) == 0);
a7b4f989
JK		 1524
1525 if (!ret || (ret == -IPSET_ERR_EXIST && eexist))
1526 return 0;
1527 if (lineno && use_lineno) {
1528 /* Error in restore/batch mode: send back lineno */
5f52bc3c
JK		 1529 struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
1530 struct sk_buff *skb2;
1531 struct nlmsgerr *errmsg;
73e64e18
JK		 1532 size_t payload = min(SIZE_MAX,
1533 sizeof(*errmsg) + nlmsg_len(nlh));
573ce260 1534 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
ca0f6a5c 1535 struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
5f52bc3c 1536 struct nlattr *cmdattr;
a7b4f989
JK		 1537 u32 *errline;
1538
5f52bc3c 1539 skb2 = nlmsg_new(payload, GFP_KERNEL);
ca0f6a5c 1540 if (!skb2)
5f52bc3c 1541 return -ENOMEM;
15e47304 1542 rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid,
5f52bc3c
JK		 1543 nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
1544 errmsg = nlmsg_data(rep);
1545 errmsg->error = ret;
1546 memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
1547 cmdattr = (void *)&errmsg->msg + min_len;
1548
f4f5748b
AP		 1549 ret = nla_parse_deprecated(cda, IPSET_ATTR_CMD_MAX, cmdattr,
1550 nlh->nlmsg_len - min_len,
1551 ip_set_adt_policy, NULL);
a7b4f989 1552
f4f5748b
AP		 1553 if (ret) {
1554 nlmsg_free(skb2);
1555 return ret;
1556 }
a7b4f989
JK		 1557 errline = nla_data(cda[IPSET_ATTR_LINENO]);
1558
1559 *errline = lineno;
5f52bc3c 1560
ca0f6a5c
JK		 1561 netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid,
1562 MSG_DONTWAIT);
5f52bc3c
JK		 1563 /* Signal netlink not to send its ACK/errmsg. */
1564 return -EINTR;
a7b4f989
JK		 1565 }
1566
1567 return ret;
1568}
1569
f0cb8390
FF		 1570static int ip_set_ad(struct net *net, struct sock *ctnl,
1571 struct sk_buff *skb,
1572 enum ipset_adt adt,
1573 const struct nlmsghdr *nlh,
1574 const struct nlattr * const attr[],
1575 struct netlink_ext_ack *extack)
a7b4f989 1576{
7b8002a1 1577 struct ip_set_net *inst = ip_set_pernet(net);
a7b4f989 1578 struct ip_set *set;
ca0f6a5c 1579 struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {};
a7b4f989
JK		 1580 const struct nlattr *nla;
1581 u32 flags = flag_exist(nlh);
1582 bool use_lineno;
1583 int ret = 0;
1584
23c42a40 1585 if (unlikely(protocol_min_failed(attr) ||
ca0f6a5c 1586 !attr[IPSET_ATTR_SETNAME] ||
a7b4f989
JK		 1587 !((attr[IPSET_ATTR_DATA] != NULL) ^
1588 (attr[IPSET_ATTR_ADT] != NULL)) ||
ca0f6a5c 1589 (attr[IPSET_ATTR_DATA] &&
a7b4f989 1590 !flag_nested(attr[IPSET_ATTR_DATA])) ||
ca0f6a5c 1591 (attr[IPSET_ATTR_ADT] &&
a7b4f989 1592 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
ca0f6a5c 1593 !attr[IPSET_ATTR_LINENO]))))
a7b4f989
JK		 1594 return -IPSET_ERR_PROTOCOL;
1595
1785e8f4 1596 set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
ca0f6a5c 1597 if (!set)
a7b4f989
JK		 1598 return -ENOENT;
1599
1600 use_lineno = !!attr[IPSET_ATTR_LINENO];
1601 if (attr[IPSET_ATTR_DATA]) {
8cb08174 1602 if (nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], set->type->adt_policy, NULL))
a7b4f989 1603 return -IPSET_ERR_PROTOCOL;
f0cb8390 1604 ret = call_ad(ctnl, skb, set, tb, adt, flags,
5f52bc3c 1605 use_lineno);
a7b4f989
JK		 1606 } else {
1607 int nla_rem;
1608
1609 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
a7b4f989
JK		 1610 if (nla_type(nla) != IPSET_ATTR_DATA ||
1611 !flag_nested(nla) ||
8cb08174 1612 nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, nla, set->type->adt_policy, NULL))
a7b4f989 1613 return -IPSET_ERR_PROTOCOL;
f0cb8390 1614 ret = call_ad(ctnl, skb, set, tb, adt,
a7b4f989
JK		 1615 flags, use_lineno);
1616 if (ret < 0)
1617 return ret;
1618 }
1619 }
1620 return ret;
1621}
1622
f0cb8390
FF		 1623static int ip_set_uadd(struct net *net, struct sock *ctnl,
1624 struct sk_buff *skb, const struct nlmsghdr *nlh,
04ba724b
PNA		 1625 const struct nlattr * const attr[],
1626 struct netlink_ext_ack *extack)
a7b4f989 1627{
f0cb8390
FF		 1628 return ip_set_ad(net, ctnl, skb,
1629 IPSET_ADD, nlh, attr, extack);
1630}
a7b4f989 1631
f0cb8390
FF		 1632static int ip_set_udel(struct net *net, struct sock *ctnl,
1633 struct sk_buff *skb, const struct nlmsghdr *nlh,
1634 const struct nlattr * const attr[],
1635 struct netlink_ext_ack *extack)
1636{
1637 return ip_set_ad(net, ctnl, skb,
1638 IPSET_DEL, nlh, attr, extack);
a7b4f989
JK		 1639}
1640
7b8002a1
PNA		 1641static int ip_set_utest(struct net *net, struct sock *ctnl, struct sk_buff *skb,
1642 const struct nlmsghdr *nlh,
04ba724b
PNA		 1643 const struct nlattr * const attr[],
1644 struct netlink_ext_ack *extack)
a7b4f989 1645{
7b8002a1 1646 struct ip_set_net *inst = ip_set_pernet(net);
a7b4f989 1647 struct ip_set *set;
ca0f6a5c 1648 struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {};
a7b4f989
JK		 1649 int ret = 0;
1650
23c42a40 1651 if (unlikely(protocol_min_failed(attr) ||
ca0f6a5c
JK		 1652 !attr[IPSET_ATTR_SETNAME] ||
1653 !attr[IPSET_ATTR_DATA] ||
a7b4f989
JK		 1654 !flag_nested(attr[IPSET_ATTR_DATA])))
1655 return -IPSET_ERR_PROTOCOL;
1656
1785e8f4 1657 set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
ca0f6a5c 1658 if (!set)
a7b4f989
JK		 1659 return -ENOENT;
1660
8cb08174 1661 if (nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], set->type->adt_policy, NULL))
a7b4f989
JK		 1662 return -IPSET_ERR_PROTOCOL;
1663
b57b2d1f 1664 rcu_read_lock_bh();
3d14b171 1665 ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
b57b2d1f 1666 rcu_read_unlock_bh();
a7b4f989
JK		 1667 /* Userspace can't trigger element to be re-added */
1668 if (ret == -EAGAIN)
1669 ret = 1;
1670
0f1799ba 1671 return ret > 0 ? 0 : -IPSET_ERR_EXIST;
a7b4f989
JK		 1672}
1673
1674/* Get headed data of a set */
1675
7b8002a1
PNA		 1676static int ip_set_header(struct net *net, struct sock *ctnl,
1677 struct sk_buff *skb, const struct nlmsghdr *nlh,
04ba724b
PNA		 1678 const struct nlattr * const attr[],
1679 struct netlink_ext_ack *extack)
a7b4f989 1680{
7b8002a1 1681 struct ip_set_net *inst = ip_set_pernet(net);
a7b4f989
JK		 1682 const struct ip_set *set;
1683 struct sk_buff *skb2;
1684 struct nlmsghdr *nlh2;
a7b4f989
JK		 1685 int ret = 0;
1686
23c42a40 1687 if (unlikely(protocol_min_failed(attr) ||
ca0f6a5c 1688 !attr[IPSET_ATTR_SETNAME]))
a7b4f989
JK		 1689 return -IPSET_ERR_PROTOCOL;
1690
1785e8f4 1691 set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
ca0f6a5c 1692 if (!set)
a7b4f989 1693 return -ENOENT;
a7b4f989
JK		 1694
1695 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
ca0f6a5c 1696 if (!skb2)
a7b4f989
JK		 1697 return -ENOMEM;
1698
15e47304 1699 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
a7b4f989
JK		 1700 IPSET_CMD_HEADER);
1701 if (!nlh2)
1702 goto nlmsg_failure;
23c42a40 1703 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, protocol(attr)) ||
7cf7899d
DM		 1704 nla_put_string(skb2, IPSET_ATTR_SETNAME, set->name) ||
1705 nla_put_string(skb2, IPSET_ATTR_TYPENAME, set->type->name) ||
1706 nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) ||
1707 nla_put_u8(skb2, IPSET_ATTR_REVISION, set->revision))
1708 goto nla_put_failure;
a7b4f989
JK		 1709 nlmsg_end(skb2, nlh2);
1710
15e47304 1711 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
a7b4f989
JK		 1712 if (ret < 0)
1713 return ret;
1714
1715 return 0;
1716
1717nla_put_failure:
1718 nlmsg_cancel(skb2, nlh2);
1719nlmsg_failure:
1720 kfree_skb(skb2);
1721 return -EMSGSIZE;
1722}
1723
1724/* Get type data */
1725
1726static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = {
1727 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1728 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
1729 .len = IPSET_MAXNAMELEN - 1 },
1730 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
1731};
1732
7b8002a1
PNA		 1733static int ip_set_type(struct net *net, struct sock *ctnl, struct sk_buff *skb,
1734 const struct nlmsghdr *nlh,
04ba724b
PNA		 1735 const struct nlattr * const attr[],
1736 struct netlink_ext_ack *extack)
a7b4f989
JK		 1737{
1738 struct sk_buff *skb2;
1739 struct nlmsghdr *nlh2;
1740 u8 family, min, max;
1741 const char *typename;
1742 int ret = 0;
1743
23c42a40 1744 if (unlikely(protocol_min_failed(attr) ||
ca0f6a5c
JK		 1745 !attr[IPSET_ATTR_TYPENAME] ||
1746 !attr[IPSET_ATTR_FAMILY]))
a7b4f989
JK		 1747 return -IPSET_ERR_PROTOCOL;
1748
1749 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
1750 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
1751 ret = find_set_type_minmax(typename, family, &min, &max);
1752 if (ret)
1753 return ret;
1754
1755 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
ca0f6a5c 1756 if (!skb2)
a7b4f989
JK		 1757 return -ENOMEM;
1758
15e47304 1759 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
a7b4f989
JK		 1760 IPSET_CMD_TYPE);
1761 if (!nlh2)
1762 goto nlmsg_failure;
23c42a40 1763 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, protocol(attr)) ||
7cf7899d
DM		 1764 nla_put_string(skb2, IPSET_ATTR_TYPENAME, typename) ||
1765 nla_put_u8(skb2, IPSET_ATTR_FAMILY, family) ||
1766 nla_put_u8(skb2, IPSET_ATTR_REVISION, max) ||
1767 nla_put_u8(skb2, IPSET_ATTR_REVISION_MIN, min))
1768 goto nla_put_failure;
a7b4f989
JK		 1769 nlmsg_end(skb2, nlh2);
1770
1771 pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len);
15e47304 1772 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
a7b4f989
JK		 1773 if (ret < 0)
1774 return ret;
1775
1776 return 0;
1777
1778nla_put_failure:
1779 nlmsg_cancel(skb2, nlh2);
1780nlmsg_failure:
1781 kfree_skb(skb2);
1782 return -EMSGSIZE;
1783}
1784
1785/* Get protocol version */
1786
1787static const struct nla_policy
1788ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = {
1789 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1790};
1791
7b8002a1
PNA		 1792static int ip_set_protocol(struct net *net, struct sock *ctnl,
1793 struct sk_buff *skb, const struct nlmsghdr *nlh,
04ba724b
PNA		 1794 const struct nlattr * const attr[],
1795 struct netlink_ext_ack *extack)
a7b4f989
JK		 1796{
1797 struct sk_buff *skb2;
1798 struct nlmsghdr *nlh2;
1799 int ret = 0;
1800
ca0f6a5c 1801 if (unlikely(!attr[IPSET_ATTR_PROTOCOL]))
a7b4f989
JK		 1802 return -IPSET_ERR_PROTOCOL;
1803
1804 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
ca0f6a5c 1805 if (!skb2)
a7b4f989
JK		 1806 return -ENOMEM;
1807
15e47304 1808 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
a7b4f989
JK		 1809 IPSET_CMD_PROTOCOL);
1810 if (!nlh2)
1811 goto nlmsg_failure;
7cf7899d
DM		 1812 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL))
1813 goto nla_put_failure;
23c42a40
JK		 1814 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL_MIN, IPSET_PROTOCOL_MIN))
1815 goto nla_put_failure;
1816 nlmsg_end(skb2, nlh2);
1817
1818 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1819 if (ret < 0)
1820 return ret;
1821
1822 return 0;
1823
1824nla_put_failure:
1825 nlmsg_cancel(skb2, nlh2);
1826nlmsg_failure:
1827 kfree_skb(skb2);
1828 return -EMSGSIZE;
1829}
1830
1831/* Get set by name or index, from userspace */
1832
1833static int ip_set_byname(struct net *net, struct sock *ctnl,
1834 struct sk_buff *skb, const struct nlmsghdr *nlh,
1835 const struct nlattr * const attr[],
1836 struct netlink_ext_ack *extack)
1837{
1838 struct ip_set_net *inst = ip_set_pernet(net);
1839 struct sk_buff *skb2;
1840 struct nlmsghdr *nlh2;
1841 ip_set_id_t id = IPSET_INVALID_ID;
1842 const struct ip_set *set;
1843 int ret = 0;
1844
1845 if (unlikely(protocol_failed(attr) ||
1846 !attr[IPSET_ATTR_SETNAME]))
1847 return -IPSET_ERR_PROTOCOL;
1848
1849 set = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]), &id);
1850 if (id == IPSET_INVALID_ID)
1851 return -ENOENT;
1852
1853 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1854 if (!skb2)
1855 return -ENOMEM;
1856
1857 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1858 IPSET_CMD_GET_BYNAME);
1859 if (!nlh2)
1860 goto nlmsg_failure;
1861 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, protocol(attr)) ||
1862 nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) ||
1863 nla_put_net16(skb2, IPSET_ATTR_INDEX, htons(id)))
1864 goto nla_put_failure;
1865 nlmsg_end(skb2, nlh2);
1866
1867 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1868 if (ret < 0)
1869 return ret;
1870
1871 return 0;
1872
1873nla_put_failure:
1874 nlmsg_cancel(skb2, nlh2);
1875nlmsg_failure:
1876 kfree_skb(skb2);
1877 return -EMSGSIZE;
1878}
1879
1880static const struct nla_policy ip_set_index_policy[IPSET_ATTR_CMD_MAX + 1] = {
1881 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1882 [IPSET_ATTR_INDEX] = { .type = NLA_U16 },
1883};
1884
1885static int ip_set_byindex(struct net *net, struct sock *ctnl,
1886 struct sk_buff *skb, const struct nlmsghdr *nlh,
1887 const struct nlattr * const attr[],
1888 struct netlink_ext_ack *extack)
1889{
1890 struct ip_set_net *inst = ip_set_pernet(net);
1891 struct sk_buff *skb2;
1892 struct nlmsghdr *nlh2;
1893 ip_set_id_t id = IPSET_INVALID_ID;
1894 const struct ip_set *set;
1895 int ret = 0;
1896
1897 if (unlikely(protocol_failed(attr) ||
1898 !attr[IPSET_ATTR_INDEX]))
1899 return -IPSET_ERR_PROTOCOL;
1900
1901 id = ip_set_get_h16(attr[IPSET_ATTR_INDEX]);
1902 if (id >= inst->ip_set_max)
1903 return -ENOENT;
1904 set = ip_set(inst, id);
1905 if (set == NULL)
1906 return -ENOENT;
1907
1908 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1909 if (!skb2)
1910 return -ENOMEM;
1911
1912 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1913 IPSET_CMD_GET_BYINDEX);
1914 if (!nlh2)
1915 goto nlmsg_failure;
1916 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, protocol(attr)) ||
8e350ce1 1917 nla_put_string(skb2, IPSET_ATTR_SETNAME, set->name))
23c42a40 1918 goto nla_put_failure;
a7b4f989
JK		 1919 nlmsg_end(skb2, nlh2);
1920
15e47304 1921 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
a7b4f989
JK		 1922 if (ret < 0)
1923 return ret;
1924
1925 return 0;
1926
1927nla_put_failure:
1928 nlmsg_cancel(skb2, nlh2);
1929nlmsg_failure:
1930 kfree_skb(skb2);
1931 return -EMSGSIZE;
1932}
1933
1934static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
d31f4d44
TB		 1935 [IPSET_CMD_NONE] = {
1936 .call = ip_set_none,
1937 .attr_count = IPSET_ATTR_CMD_MAX,
1938 },
a7b4f989
JK		 1939 [IPSET_CMD_CREATE] = {
1940 .call = ip_set_create,
1941 .attr_count = IPSET_ATTR_CMD_MAX,
1942 .policy = ip_set_create_policy,
1943 },
1944 [IPSET_CMD_DESTROY] = {
1945 .call = ip_set_destroy,
1946 .attr_count = IPSET_ATTR_CMD_MAX,
1947 .policy = ip_set_setname_policy,
1948 },
1949 [IPSET_CMD_FLUSH] = {
1950 .call = ip_set_flush,
1951 .attr_count = IPSET_ATTR_CMD_MAX,
1952 .policy = ip_set_setname_policy,
1953 },
1954 [IPSET_CMD_RENAME] = {
1955 .call = ip_set_rename,
1956 .attr_count = IPSET_ATTR_CMD_MAX,
1957 .policy = ip_set_setname2_policy,
1958 },
1959 [IPSET_CMD_SWAP] = {
1960 .call = ip_set_swap,
1961 .attr_count = IPSET_ATTR_CMD_MAX,
1962 .policy = ip_set_setname2_policy,
1963 },
1964 [IPSET_CMD_LIST] = {
1965 .call = ip_set_dump,
1966 .attr_count = IPSET_ATTR_CMD_MAX,
1967 .policy = ip_set_setname_policy,
1968 },
1969 [IPSET_CMD_SAVE] = {
1970 .call = ip_set_dump,
1971 .attr_count = IPSET_ATTR_CMD_MAX,
1972 .policy = ip_set_setname_policy,
1973 },
1974 [IPSET_CMD_ADD] = {
1975 .call = ip_set_uadd,
1976 .attr_count = IPSET_ATTR_CMD_MAX,
1977 .policy = ip_set_adt_policy,
1978 },
1979 [IPSET_CMD_DEL] = {
1980 .call = ip_set_udel,
1981 .attr_count = IPSET_ATTR_CMD_MAX,
1982 .policy = ip_set_adt_policy,
1983 },
1984 [IPSET_CMD_TEST] = {
1985 .call = ip_set_utest,
1986 .attr_count = IPSET_ATTR_CMD_MAX,
1987 .policy = ip_set_adt_policy,
1988 },
1989 [IPSET_CMD_HEADER] = {
1990 .call = ip_set_header,
1991 .attr_count = IPSET_ATTR_CMD_MAX,
1992 .policy = ip_set_setname_policy,
1993 },
1994 [IPSET_CMD_TYPE] = {
1995 .call = ip_set_type,
1996 .attr_count = IPSET_ATTR_CMD_MAX,
1997 .policy = ip_set_type_policy,
1998 },
1999 [IPSET_CMD_PROTOCOL] = {
2000 .call = ip_set_protocol,
2001 .attr_count = IPSET_ATTR_CMD_MAX,
2002 .policy = ip_set_protocol_policy,
2003 },
23c42a40
JK		 2004 [IPSET_CMD_GET_BYNAME] = {
2005 .call = ip_set_byname,
2006 .attr_count = IPSET_ATTR_CMD_MAX,
2007 .policy = ip_set_setname_policy,
2008 },
2009 [IPSET_CMD_GET_BYINDEX] = {
2010 .call = ip_set_byindex,
2011 .attr_count = IPSET_ATTR_CMD_MAX,
2012 .policy = ip_set_index_policy,
2013 },
a7b4f989
JK		 2014};
2015
2016static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = {
2017 .name = "ip_set",
2018 .subsys_id = NFNL_SUBSYS_IPSET,
2019 .cb_count = IPSET_MSG_MAX,
2020 .cb = ip_set_netlink_subsys_cb,
2021};
2022
2023/* Interface to iptables/ip6tables */
2024
2025static int
2026ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
2027{
95c96174 2028 unsigned int *op;
a7b4f989
JK		 2029 void *data;
2030 int copylen = *len, ret = 0;
1785e8f4
VL		 2031 struct net *net = sock_net(sk);
2032 struct ip_set_net *inst = ip_set_pernet(net);
a7b4f989 2033
1785e8f4 2034 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
a7b4f989
JK		 2035 return -EPERM;
2036 if (optval != SO_IP_SET)
2037 return -EBADF;
95c96174 2038 if (*len < sizeof(unsigned int))
a7b4f989
JK		 2039 return -EINVAL;
2040
2041 data = vmalloc(*len);
2042 if (!data)
2043 return -ENOMEM;
2044 if (copy_from_user(data, user, *len) != 0) {
2045 ret = -EFAULT;
2046 goto done;
2047 }
68ad546a 2048 op = data;
a7b4f989
JK		 2049
2050 if (*op < IP_SET_OP_VERSION) {
2051 /* Check the version at the beginning of operations */
2052 struct ip_set_req_version *req_version = data;
2196937e
DC		 2053
2054 if (*len < sizeof(struct ip_set_req_version)) {
2055 ret = -EINVAL;
2056 goto done;
2057 }
2058
23c42a40 2059 if (req_version->version < IPSET_PROTOCOL_MIN) {
a7b4f989
JK		 2060 ret = -EPROTO;
2061 goto done;
2062 }
2063 }
2064
2065 switch (*op) {
2066 case IP_SET_OP_VERSION: {
2067 struct ip_set_req_version *req_version = data;
2068
2069 if (*len != sizeof(struct ip_set_req_version)) {
2070 ret = -EINVAL;
2071 goto done;
2072 }
2073
2074 req_version->version = IPSET_PROTOCOL;
2075 ret = copy_to_user(user, req_version,
2076 sizeof(struct ip_set_req_version));
2077 goto done;
2078 }
2079 case IP_SET_OP_GET_BYNAME: {
2080 struct ip_set_req_get_set *req_get = data;
9076aea7 2081 ip_set_id_t id;
a7b4f989
JK		 2082
2083 if (*len != sizeof(struct ip_set_req_get_set)) {
2084 ret = -EINVAL;
2085 goto done;
2086 }
2087 req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
c14b78e7 2088 nfnl_lock(NFNL_SUBSYS_IPSET);
1785e8f4 2089 find_set_and_id(inst, req_get->set.name, &id);
9076aea7 2090 req_get->set.index = id;
c14b78e7 2091 nfnl_unlock(NFNL_SUBSYS_IPSET);
a7b4f989
JK		 2092 goto copy;
2093 }
5e04c0c3
JK		 2094 case IP_SET_OP_GET_FNAME: {
2095 struct ip_set_req_get_set_family *req_get = data;
2096 ip_set_id_t id;
2097
2098 if (*len != sizeof(struct ip_set_req_get_set_family)) {
2099 ret = -EINVAL;
2100 goto done;
2101 }
2102 req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
2103 nfnl_lock(NFNL_SUBSYS_IPSET);
1785e8f4 2104 find_set_and_id(inst, req_get->set.name, &id);
5e04c0c3
JK		 2105 req_get->set.index = id;
2106 if (id != IPSET_INVALID_ID)
3e90ebd3 2107 req_get->family = ip_set(inst, id)->family;
5e04c0c3
JK		 2108 nfnl_unlock(NFNL_SUBSYS_IPSET);
2109 goto copy;
2110 }
a7b4f989
JK		 2111 case IP_SET_OP_GET_BYINDEX: {
2112 struct ip_set_req_get_set *req_get = data;
9076aea7 2113 struct ip_set *set;
a7b4f989
JK		 2114
2115 if (*len != sizeof(struct ip_set_req_get_set) ||
1785e8f4 2116 req_get->set.index >= inst->ip_set_max) {
a7b4f989
JK		 2117 ret = -EINVAL;
2118 goto done;
2119 }
c14b78e7 2120 nfnl_lock(NFNL_SUBSYS_IPSET);
3e90ebd3 2121 set = ip_set(inst, req_get->set.index);
00ec3ab0
QC		 2122 ret = strscpy(req_get->set.name, set ? set->name : "",
2123 IPSET_MAXNAMELEN);
c14b78e7 2124 nfnl_unlock(NFNL_SUBSYS_IPSET);
00ec3ab0
QC		 2125 if (ret < 0)
2126 goto done;
a7b4f989
JK		 2127 goto copy;
2128 }
2129 default:
2130 ret = -EBADMSG;
2131 goto done;
2132 } /* end of switch(op) */
2133
2134copy:
2135 ret = copy_to_user(user, data, copylen);
2136
2137done:
2138 vfree(data);
2139 if (ret > 0)
2140 ret = 0;
2141 return ret;
2142}
2143
2144static struct nf_sockopt_ops so_set __read_mostly = {
2145 .pf = PF_INET,
2146 .get_optmin = SO_IP_SET,
2147 .get_optmax = SO_IP_SET + 1,
d4ef3835 2148 .get = ip_set_sockfn_get,
a7b4f989
JK		 2149 .owner = THIS_MODULE,
2150};
2151
1785e8f4
VL		 2152static int __net_init
2153ip_set_net_init(struct net *net)
a7b4f989 2154{
1785e8f4 2155 struct ip_set_net *inst = ip_set_pernet(net);
9076aea7 2156 struct ip_set **list;
a7b4f989 2157
1785e8f4
VL		 2158 inst->ip_set_max = max_sets ? max_sets : CONFIG_IP_SET_MAX;
2159 if (inst->ip_set_max >= IPSET_INVALID_ID)
2160 inst->ip_set_max = IPSET_INVALID_ID - 1;
a7b4f989 2161
ed956f39 2162 list = kvcalloc(inst->ip_set_max, sizeof(struct ip_set *), GFP_KERNEL);
9076aea7 2163 if (!list)
a7b4f989 2164 return -ENOMEM;
9c1ba5c8
JK		 2165 inst->is_deleted = false;
2166 inst->is_destroyed = false;
1785e8f4 2167 rcu_assign_pointer(inst->ip_set_list, list);
1785e8f4
VL		 2168 return 0;
2169}
2170
2171static void __net_exit
2172ip_set_net_exit(struct net *net)
2173{
2174 struct ip_set_net *inst = ip_set_pernet(net);
2175
2176 struct ip_set *set = NULL;
2177 ip_set_id_t i;
2178
9c1ba5c8 2179 inst->is_deleted = true; /* flag for ip_set_nfnl_put */
1785e8f4 2180
f998b6b1 2181 nfnl_lock(NFNL_SUBSYS_IPSET);
1785e8f4 2182 for (i = 0; i < inst->ip_set_max; i++) {
3e90ebd3 2183 set = ip_set(inst, i);
9c1ba5c8
JK		 2184 if (set) {
2185 ip_set(inst, i) = NULL;
2186 ip_set_destroy_set(set);
2187 }
1785e8f4 2188 }
f998b6b1 2189 nfnl_unlock(NFNL_SUBSYS_IPSET);
ed956f39 2190 kvfree(rcu_dereference_protected(inst->ip_set_list, 1));
1785e8f4
VL		 2191}
2192
2193static struct pernet_operations ip_set_net_ops = {
2194 .init = ip_set_net_init,
2195 .exit = ip_set_net_exit,
2196 .id = &ip_set_net_id,
a5a179b6 2197 .size = sizeof(struct ip_set_net),
1785e8f4
VL		 2198};
2199
1785e8f4
VL		 2200static int __init
2201ip_set_init(void)
2202{
e23ed762 2203 int ret = register_pernet_subsys(&ip_set_net_ops);
ca0f6a5c 2204
e23ed762
FW		 2205 if (ret) {
2206 pr_err("ip_set: cannot register pernet_subsys.\n");
2207 return ret;
2208 }
2209
2210 ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
a7b4f989
JK		 2211 if (ret != 0) {
2212 pr_err("ip_set: cannot register with nfnetlink.\n");
e23ed762 2213 unregister_pernet_subsys(&ip_set_net_ops);
a7b4f989
JK		 2214 return ret;
2215 }
e23ed762 2216
a7b4f989
JK		 2217 ret = nf_register_sockopt(&so_set);
2218 if (ret != 0) {
2219 pr_err("SO_SET registry failed: %d\n", ret);
2220 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
e23ed762 2221 unregister_pernet_subsys(&ip_set_net_ops);
a7b4f989
JK		 2222 return ret;
2223 }
e23ed762 2224
a7b4f989
JK		 2225 return 0;
2226}
2227
2228static void __exit
2229ip_set_fini(void)
2230{
a7b4f989
JK		 2231 nf_unregister_sockopt(&so_set);
2232 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
e23ed762
FW		 2233
2234 unregister_pernet_subsys(&ip_set_net_ops);
a7b4f989
JK		 2235 pr_debug("these are the famous last words\n");
2236}
2237
2238module_init(ip_set_init);
2239module_exit(ip_set_fini);
e5531166
PNA		 2240
2241MODULE_DESCRIPTION("ip_set: protocol " __stringify(IPSET_PROTOCOL));
Ubuntu Hirsute Linux kernel mirror