1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
10 /* Kernel module for IP set management */
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/moduleparam.h>
16 #include <linux/skbuff.h>
17 #include <linux/spinlock.h>
18 #include <linux/netlink.h>
19 #include <linux/rculist.h>
20 #include <net/netlink.h>
22 #include <linux/netfilter.h>
23 #include <linux/netfilter/x_tables.h>
24 #include <linux/netfilter/nfnetlink.h>
25 #include <linux/netfilter/ipset/ip_set.h>
27 static LIST_HEAD(ip_set_type_list
); /* all registered set types */
28 static DEFINE_MUTEX(ip_set_type_mutex
); /* protects ip_set_type_list */
29 static DEFINE_RWLOCK(ip_set_ref_lock
); /* protects the set refs */
31 static struct ip_set
**ip_set_list
; /* all individual sets */
32 static ip_set_id_t ip_set_max
= CONFIG_IP_SET_MAX
; /* max number of sets */
34 #define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
36 static unsigned int max_sets
;
38 module_param(max_sets
, int, 0600);
39 MODULE_PARM_DESC(max_sets
, "maximal number of sets");
40 MODULE_LICENSE("GPL");
41 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
42 MODULE_DESCRIPTION("core IP set support");
43 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET
);
46 * The set types are implemented in modules and registered set types
47 * can be found in ip_set_type_list. Adding/deleting types is
48 * serialized by ip_set_type_mutex.
52 ip_set_type_lock(void)
54 mutex_lock(&ip_set_type_mutex
);
58 ip_set_type_unlock(void)
60 mutex_unlock(&ip_set_type_mutex
);
63 /* Register and deregister settype */
65 static struct ip_set_type
*
66 find_set_type(const char *name
, u8 family
, u8 revision
)
68 struct ip_set_type
*type
;
70 list_for_each_entry_rcu(type
, &ip_set_type_list
, list
)
71 if (STREQ(type
->name
, name
) &&
72 (type
->family
== family
|| type
->family
== AF_UNSPEC
) &&
73 revision
>= type
->revision_min
&&
74 revision
<= type
->revision_max
)
79 /* Unlock, try to load a set type module and lock again */
81 try_to_load_type(const char *name
)
84 pr_debug("try to load ip_set_%s\n", name
);
85 if (request_module("ip_set_%s", name
) < 0) {
86 pr_warning("Can't find ip_set type %s\n", name
);
88 return -IPSET_ERR_FIND_TYPE
;
94 /* Find a set type and reference it */
96 find_set_type_get(const char *name
, u8 family
, u8 revision
,
97 struct ip_set_type
**found
)
99 struct ip_set_type
*type
;
103 *found
= find_set_type(name
, family
, revision
);
105 err
= !try_module_get((*found
)->me
) ? -EFAULT
: 0;
108 /* Make sure the type is loaded but we don't support the revision */
109 list_for_each_entry_rcu(type
, &ip_set_type_list
, list
)
110 if (STREQ(type
->name
, name
)) {
111 err
= -IPSET_ERR_FIND_TYPE
;
116 return try_to_load_type(name
);
123 /* Find a given set type by name and family.
124 * If we succeeded, the supported minimal and maximum revisions are
128 find_set_type_minmax(const char *name
, u8 family
, u8
*min
, u8
*max
)
130 struct ip_set_type
*type
;
133 *min
= 255; *max
= 0;
135 list_for_each_entry_rcu(type
, &ip_set_type_list
, list
)
136 if (STREQ(type
->name
, name
) &&
137 (type
->family
== family
|| type
->family
== AF_UNSPEC
)) {
139 if (type
->revision_min
< *min
)
140 *min
= type
->revision_min
;
141 if (type
->revision_max
> *max
)
142 *max
= type
->revision_max
;
148 return try_to_load_type(name
);
151 #define family_name(f) ((f) == AF_INET ? "inet" : \
152 (f) == AF_INET6 ? "inet6" : "any")
154 /* Register a set type structure. The type is identified by
155 * the unique triple of name, family and revision.
158 ip_set_type_register(struct ip_set_type
*type
)
162 if (type
->protocol
!= IPSET_PROTOCOL
) {
163 pr_warning("ip_set type %s, family %s, revision %u:%u uses "
164 "wrong protocol version %u (want %u)\n",
165 type
->name
, family_name(type
->family
),
166 type
->revision_min
, type
->revision_max
,
167 type
->protocol
, IPSET_PROTOCOL
);
172 if (find_set_type(type
->name
, type
->family
, type
->revision_min
)) {
174 pr_warning("ip_set type %s, family %s with revision min %u "
175 "already registered!\n", type
->name
,
176 family_name(type
->family
), type
->revision_min
);
180 list_add_rcu(&type
->list
, &ip_set_type_list
);
181 pr_debug("type %s, family %s, revision %u:%u registered.\n",
182 type
->name
, family_name(type
->family
),
183 type
->revision_min
, type
->revision_max
);
185 ip_set_type_unlock();
188 EXPORT_SYMBOL_GPL(ip_set_type_register
);
190 /* Unregister a set type. There's a small race with ip_set_create */
192 ip_set_type_unregister(struct ip_set_type
*type
)
195 if (!find_set_type(type
->name
, type
->family
, type
->revision_min
)) {
196 pr_warning("ip_set type %s, family %s with revision min %u "
197 "not registered\n", type
->name
,
198 family_name(type
->family
), type
->revision_min
);
201 list_del_rcu(&type
->list
);
202 pr_debug("type %s, family %s with revision min %u unregistered.\n",
203 type
->name
, family_name(type
->family
), type
->revision_min
);
205 ip_set_type_unlock();
209 EXPORT_SYMBOL_GPL(ip_set_type_unregister
);
211 /* Utility functions */
213 ip_set_alloc(size_t size
)
215 void *members
= NULL
;
217 if (size
< KMALLOC_MAX_SIZE
)
218 members
= kzalloc(size
, GFP_KERNEL
| __GFP_NOWARN
);
221 pr_debug("%p: allocated with kmalloc\n", members
);
225 members
= vzalloc(size
);
228 pr_debug("%p: allocated with vmalloc\n", members
);
232 EXPORT_SYMBOL_GPL(ip_set_alloc
);
235 ip_set_free(void *members
)
237 pr_debug("%p: free with %s\n", members
,
238 is_vmalloc_addr(members
) ? "vfree" : "kfree");
239 if (is_vmalloc_addr(members
))
244 EXPORT_SYMBOL_GPL(ip_set_free
);
247 flag_nested(const struct nlattr
*nla
)
249 return nla
->nla_type
& NLA_F_NESTED
;
252 static const struct nla_policy ipaddr_policy
[IPSET_ATTR_IPADDR_MAX
+ 1] = {
253 [IPSET_ATTR_IPADDR_IPV4
] = { .type
= NLA_U32
},
254 [IPSET_ATTR_IPADDR_IPV6
] = { .type
= NLA_BINARY
,
255 .len
= sizeof(struct in6_addr
) },
259 ip_set_get_ipaddr4(struct nlattr
*nla
, __be32
*ipaddr
)
261 struct nlattr
*tb
[IPSET_ATTR_IPADDR_MAX
+1];
263 if (unlikely(!flag_nested(nla
)))
264 return -IPSET_ERR_PROTOCOL
;
265 if (nla_parse_nested(tb
, IPSET_ATTR_IPADDR_MAX
, nla
, ipaddr_policy
))
266 return -IPSET_ERR_PROTOCOL
;
267 if (unlikely(!ip_set_attr_netorder(tb
, IPSET_ATTR_IPADDR_IPV4
)))
268 return -IPSET_ERR_PROTOCOL
;
270 *ipaddr
= nla_get_be32(tb
[IPSET_ATTR_IPADDR_IPV4
]);
273 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4
);
276 ip_set_get_ipaddr6(struct nlattr
*nla
, union nf_inet_addr
*ipaddr
)
278 struct nlattr
*tb
[IPSET_ATTR_IPADDR_MAX
+1];
280 if (unlikely(!flag_nested(nla
)))
281 return -IPSET_ERR_PROTOCOL
;
283 if (nla_parse_nested(tb
, IPSET_ATTR_IPADDR_MAX
, nla
, ipaddr_policy
))
284 return -IPSET_ERR_PROTOCOL
;
285 if (unlikely(!ip_set_attr_netorder(tb
, IPSET_ATTR_IPADDR_IPV6
)))
286 return -IPSET_ERR_PROTOCOL
;
288 memcpy(ipaddr
, nla_data(tb
[IPSET_ATTR_IPADDR_IPV6
]),
289 sizeof(struct in6_addr
));
292 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6
);
295 * Creating/destroying/renaming/swapping affect the existence and
296 * the properties of a set. All of these can be executed from userspace
297 * only and serialized by the nfnl mutex indirectly from nfnetlink.
299 * Sets are identified by their index in ip_set_list and the index
300 * is used by the external references (set/SET netfilter modules).
302 * The set behind an index may change by swapping only, from userspace.
306 __ip_set_get(ip_set_id_t index
)
308 write_lock_bh(&ip_set_ref_lock
);
309 ip_set_list
[index
]->ref
++;
310 write_unlock_bh(&ip_set_ref_lock
);
314 __ip_set_put(ip_set_id_t index
)
316 write_lock_bh(&ip_set_ref_lock
);
317 BUG_ON(ip_set_list
[index
]->ref
== 0);
318 ip_set_list
[index
]->ref
--;
319 write_unlock_bh(&ip_set_ref_lock
);
323 * Add, del and test set entries from kernel.
325 * The set behind the index must exist and must be referenced
326 * so it can't be destroyed (or changed) under our foot.
330 ip_set_test(ip_set_id_t index
, const struct sk_buff
*skb
,
331 const struct xt_action_param
*par
,
332 const struct ip_set_adt_opt
*opt
)
334 struct ip_set
*set
= ip_set_list
[index
];
338 pr_debug("set %s, index %u\n", set
->name
, index
);
340 if (opt
->dim
< set
->type
->dimension
||
341 !(opt
->family
== set
->family
|| set
->family
== AF_UNSPEC
))
344 read_lock_bh(&set
->lock
);
345 ret
= set
->variant
->kadt(set
, skb
, par
, IPSET_TEST
, opt
);
346 read_unlock_bh(&set
->lock
);
348 if (ret
== -EAGAIN
) {
349 /* Type requests element to be completed */
350 pr_debug("element must be competed, ADD is triggered\n");
351 write_lock_bh(&set
->lock
);
352 set
->variant
->kadt(set
, skb
, par
, IPSET_ADD
, opt
);
353 write_unlock_bh(&set
->lock
);
357 /* Convert error codes to nomatch */
358 return (ret
< 0 ? 0 : ret
);
360 EXPORT_SYMBOL_GPL(ip_set_test
);
363 ip_set_add(ip_set_id_t index
, const struct sk_buff
*skb
,
364 const struct xt_action_param
*par
,
365 const struct ip_set_adt_opt
*opt
)
367 struct ip_set
*set
= ip_set_list
[index
];
371 pr_debug("set %s, index %u\n", set
->name
, index
);
373 if (opt
->dim
< set
->type
->dimension
||
374 !(opt
->family
== set
->family
|| set
->family
== AF_UNSPEC
))
377 write_lock_bh(&set
->lock
);
378 ret
= set
->variant
->kadt(set
, skb
, par
, IPSET_ADD
, opt
);
379 write_unlock_bh(&set
->lock
);
383 EXPORT_SYMBOL_GPL(ip_set_add
);
386 ip_set_del(ip_set_id_t index
, const struct sk_buff
*skb
,
387 const struct xt_action_param
*par
,
388 const struct ip_set_adt_opt
*opt
)
390 struct ip_set
*set
= ip_set_list
[index
];
394 pr_debug("set %s, index %u\n", set
->name
, index
);
396 if (opt
->dim
< set
->type
->dimension
||
397 !(opt
->family
== set
->family
|| set
->family
== AF_UNSPEC
))
400 write_lock_bh(&set
->lock
);
401 ret
= set
->variant
->kadt(set
, skb
, par
, IPSET_DEL
, opt
);
402 write_unlock_bh(&set
->lock
);
406 EXPORT_SYMBOL_GPL(ip_set_del
);
409 * Find set by name, reference it once. The reference makes sure the
410 * thing pointed to, does not go away under our feet.
414 ip_set_get_byname(const char *name
, struct ip_set
**set
)
416 ip_set_id_t i
, index
= IPSET_INVALID_ID
;
419 for (i
= 0; i
< ip_set_max
; i
++) {
421 if (s
!= NULL
&& STREQ(s
->name
, name
)) {
430 EXPORT_SYMBOL_GPL(ip_set_get_byname
);
433 * If the given set pointer points to a valid set, decrement
434 * reference count by 1. The caller shall not assume the index
435 * to be valid, after calling this function.
439 ip_set_put_byindex(ip_set_id_t index
)
441 if (ip_set_list
[index
] != NULL
)
444 EXPORT_SYMBOL_GPL(ip_set_put_byindex
);
447 * Get the name of a set behind a set index.
448 * We assume the set is referenced, so it does exist and
449 * can't be destroyed. The set cannot be renamed due to
450 * the referencing either.
454 ip_set_name_byindex(ip_set_id_t index
)
456 const struct ip_set
*set
= ip_set_list
[index
];
459 BUG_ON(set
->ref
== 0);
461 /* Referenced, so it's safe */
464 EXPORT_SYMBOL_GPL(ip_set_name_byindex
);
467 * Routines to call by external subsystems, which do not
468 * call nfnl_lock for us.
472 * Find set by name, reference it once. The reference makes sure the
473 * thing pointed to, does not go away under our feet.
475 * The nfnl mutex is used in the function.
478 ip_set_nfnl_get(const char *name
)
484 index
= ip_set_get_byname(name
, &s
);
489 EXPORT_SYMBOL_GPL(ip_set_nfnl_get
);
492 * Find set by index, reference it once. The reference makes sure the
493 * thing pointed to, does not go away under our feet.
495 * The nfnl mutex is used in the function.
498 ip_set_nfnl_get_byindex(ip_set_id_t index
)
500 if (index
> ip_set_max
)
501 return IPSET_INVALID_ID
;
504 if (ip_set_list
[index
])
507 index
= IPSET_INVALID_ID
;
512 EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex
);
515 * If the given set pointer points to a valid set, decrement
516 * reference count by 1. The caller shall not assume the index
517 * to be valid, after calling this function.
519 * The nfnl mutex is used in the function.
522 ip_set_nfnl_put(ip_set_id_t index
)
525 ip_set_put_byindex(index
);
528 EXPORT_SYMBOL_GPL(ip_set_nfnl_put
);
531 * Communication protocol with userspace over netlink.
533 * The commands are serialized by the nfnl mutex.
537 protocol_failed(const struct nlattr
* const tb
[])
539 return !tb
[IPSET_ATTR_PROTOCOL
] ||
540 nla_get_u8(tb
[IPSET_ATTR_PROTOCOL
]) != IPSET_PROTOCOL
;
544 flag_exist(const struct nlmsghdr
*nlh
)
546 return nlh
->nlmsg_flags
& NLM_F_EXCL
? 0 : IPSET_FLAG_EXIST
;
549 static struct nlmsghdr
*
550 start_msg(struct sk_buff
*skb
, u32 pid
, u32 seq
, unsigned int flags
,
553 struct nlmsghdr
*nlh
;
554 struct nfgenmsg
*nfmsg
;
556 nlh
= nlmsg_put(skb
, pid
, seq
, cmd
| (NFNL_SUBSYS_IPSET
<< 8),
557 sizeof(*nfmsg
), flags
);
561 nfmsg
= nlmsg_data(nlh
);
562 nfmsg
->nfgen_family
= AF_INET
;
563 nfmsg
->version
= NFNETLINK_V0
;
571 static const struct nla_policy ip_set_create_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
572 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
573 [IPSET_ATTR_SETNAME
] = { .type
= NLA_NUL_STRING
,
574 .len
= IPSET_MAXNAMELEN
- 1 },
575 [IPSET_ATTR_TYPENAME
] = { .type
= NLA_NUL_STRING
,
576 .len
= IPSET_MAXNAMELEN
- 1},
577 [IPSET_ATTR_REVISION
] = { .type
= NLA_U8
},
578 [IPSET_ATTR_FAMILY
] = { .type
= NLA_U8
},
579 [IPSET_ATTR_DATA
] = { .type
= NLA_NESTED
},
583 find_set_id(const char *name
)
585 ip_set_id_t i
, index
= IPSET_INVALID_ID
;
586 const struct ip_set
*set
;
588 for (i
= 0; index
== IPSET_INVALID_ID
&& i
< ip_set_max
; i
++) {
589 set
= ip_set_list
[i
];
590 if (set
!= NULL
&& STREQ(set
->name
, name
))
596 static inline struct ip_set
*
597 find_set(const char *name
)
599 ip_set_id_t index
= find_set_id(name
);
601 return index
== IPSET_INVALID_ID
? NULL
: ip_set_list
[index
];
605 find_free_id(const char *name
, ip_set_id_t
*index
, struct ip_set
**set
)
609 *index
= IPSET_INVALID_ID
;
610 for (i
= 0; i
< ip_set_max
; i
++) {
611 if (ip_set_list
[i
] == NULL
) {
612 if (*index
== IPSET_INVALID_ID
)
614 } else if (STREQ(name
, ip_set_list
[i
]->name
)) {
616 *set
= ip_set_list
[i
];
620 if (*index
== IPSET_INVALID_ID
)
621 /* No free slot remained */
622 return -IPSET_ERR_MAX_SETS
;
627 ip_set_create(struct sock
*ctnl
, struct sk_buff
*skb
,
628 const struct nlmsghdr
*nlh
,
629 const struct nlattr
* const attr
[])
631 struct ip_set
*set
, *clash
= NULL
;
632 ip_set_id_t index
= IPSET_INVALID_ID
;
633 struct nlattr
*tb
[IPSET_ATTR_CREATE_MAX
+1] = {};
634 const char *name
, *typename
;
636 u32 flags
= flag_exist(nlh
);
639 if (unlikely(protocol_failed(attr
) ||
640 attr
[IPSET_ATTR_SETNAME
] == NULL
||
641 attr
[IPSET_ATTR_TYPENAME
] == NULL
||
642 attr
[IPSET_ATTR_REVISION
] == NULL
||
643 attr
[IPSET_ATTR_FAMILY
] == NULL
||
644 (attr
[IPSET_ATTR_DATA
] != NULL
&&
645 !flag_nested(attr
[IPSET_ATTR_DATA
]))))
646 return -IPSET_ERR_PROTOCOL
;
648 name
= nla_data(attr
[IPSET_ATTR_SETNAME
]);
649 typename
= nla_data(attr
[IPSET_ATTR_TYPENAME
]);
650 family
= nla_get_u8(attr
[IPSET_ATTR_FAMILY
]);
651 revision
= nla_get_u8(attr
[IPSET_ATTR_REVISION
]);
652 pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
653 name
, typename
, family_name(family
), revision
);
656 * First, and without any locks, allocate and initialize
657 * a normal base set structure.
659 set
= kzalloc(sizeof(struct ip_set
), GFP_KERNEL
);
662 rwlock_init(&set
->lock
);
663 strlcpy(set
->name
, name
, IPSET_MAXNAMELEN
);
664 set
->family
= family
;
665 set
->revision
= revision
;
668 * Next, check that we know the type, and take
669 * a reference on the type, to make sure it stays available
670 * while constructing our new set.
672 * After referencing the type, we try to create the type
673 * specific part of the set without holding any locks.
675 ret
= find_set_type_get(typename
, family
, revision
, &(set
->type
));
680 * Without holding any locks, create private part.
682 if (attr
[IPSET_ATTR_DATA
] &&
683 nla_parse_nested(tb
, IPSET_ATTR_CREATE_MAX
, attr
[IPSET_ATTR_DATA
],
684 set
->type
->create_policy
)) {
685 ret
= -IPSET_ERR_PROTOCOL
;
689 ret
= set
->type
->create(set
, tb
, flags
);
693 /* BTW, ret==0 here. */
696 * Here, we have a valid, constructed set and we are protected
697 * by the nfnl mutex. Find the first free index in ip_set_list
698 * and check clashing.
700 if ((ret
= find_free_id(set
->name
, &index
, &clash
)) != 0) {
701 /* If this is the same set and requested, ignore error */
702 if (ret
== -EEXIST
&&
703 (flags
& IPSET_FLAG_EXIST
) &&
704 STREQ(set
->type
->name
, clash
->type
->name
) &&
705 set
->type
->family
== clash
->type
->family
&&
706 set
->type
->revision_min
== clash
->type
->revision_min
&&
707 set
->type
->revision_max
== clash
->type
->revision_max
&&
708 set
->variant
->same_set(set
, clash
))
714 * Finally! Add our shiny new set to the list, and be done.
716 pr_debug("create: '%s' created with index %u!\n", set
->name
, index
);
717 ip_set_list
[index
] = set
;
722 set
->variant
->destroy(set
);
724 module_put(set
->type
->me
);
732 static const struct nla_policy
733 ip_set_setname_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
734 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
735 [IPSET_ATTR_SETNAME
] = { .type
= NLA_NUL_STRING
,
736 .len
= IPSET_MAXNAMELEN
- 1 },
740 ip_set_destroy_set(ip_set_id_t index
)
742 struct ip_set
*set
= ip_set_list
[index
];
744 pr_debug("set: %s\n", set
->name
);
745 ip_set_list
[index
] = NULL
;
747 /* Must call it without holding any lock */
748 set
->variant
->destroy(set
);
749 module_put(set
->type
->me
);
754 ip_set_destroy(struct sock
*ctnl
, struct sk_buff
*skb
,
755 const struct nlmsghdr
*nlh
,
756 const struct nlattr
* const attr
[])
761 if (unlikely(protocol_failed(attr
)))
762 return -IPSET_ERR_PROTOCOL
;
764 /* Commands are serialized and references are
765 * protected by the ip_set_ref_lock.
766 * External systems (i.e. xt_set) must call
767 * ip_set_put|get_nfnl_* functions, that way we
768 * can safely check references here.
770 * list:set timer can only decrement the reference
771 * counter, so if it's already zero, we can proceed
772 * without holding the lock.
774 read_lock_bh(&ip_set_ref_lock
);
775 if (!attr
[IPSET_ATTR_SETNAME
]) {
776 for (i
= 0; i
< ip_set_max
; i
++) {
777 if (ip_set_list
[i
] != NULL
&& ip_set_list
[i
]->ref
) {
778 ret
= -IPSET_ERR_BUSY
;
782 read_unlock_bh(&ip_set_ref_lock
);
783 for (i
= 0; i
< ip_set_max
; i
++) {
784 if (ip_set_list
[i
] != NULL
)
785 ip_set_destroy_set(i
);
788 i
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME
]));
789 if (i
== IPSET_INVALID_ID
) {
792 } else if (ip_set_list
[i
]->ref
) {
793 ret
= -IPSET_ERR_BUSY
;
796 read_unlock_bh(&ip_set_ref_lock
);
798 ip_set_destroy_set(i
);
802 read_unlock_bh(&ip_set_ref_lock
);
809 ip_set_flush_set(struct ip_set
*set
)
811 pr_debug("set: %s\n", set
->name
);
813 write_lock_bh(&set
->lock
);
814 set
->variant
->flush(set
);
815 write_unlock_bh(&set
->lock
);
819 ip_set_flush(struct sock
*ctnl
, struct sk_buff
*skb
,
820 const struct nlmsghdr
*nlh
,
821 const struct nlattr
* const attr
[])
825 if (unlikely(protocol_failed(attr
)))
826 return -IPSET_ERR_PROTOCOL
;
828 if (!attr
[IPSET_ATTR_SETNAME
]) {
829 for (i
= 0; i
< ip_set_max
; i
++)
830 if (ip_set_list
[i
] != NULL
)
831 ip_set_flush_set(ip_set_list
[i
]);
833 i
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME
]));
834 if (i
== IPSET_INVALID_ID
)
837 ip_set_flush_set(ip_set_list
[i
]);
845 static const struct nla_policy
846 ip_set_setname2_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
847 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
848 [IPSET_ATTR_SETNAME
] = { .type
= NLA_NUL_STRING
,
849 .len
= IPSET_MAXNAMELEN
- 1 },
850 [IPSET_ATTR_SETNAME2
] = { .type
= NLA_NUL_STRING
,
851 .len
= IPSET_MAXNAMELEN
- 1 },
855 ip_set_rename(struct sock
*ctnl
, struct sk_buff
*skb
,
856 const struct nlmsghdr
*nlh
,
857 const struct nlattr
* const attr
[])
864 if (unlikely(protocol_failed(attr
) ||
865 attr
[IPSET_ATTR_SETNAME
] == NULL
||
866 attr
[IPSET_ATTR_SETNAME2
] == NULL
))
867 return -IPSET_ERR_PROTOCOL
;
869 set
= find_set(nla_data(attr
[IPSET_ATTR_SETNAME
]));
873 read_lock_bh(&ip_set_ref_lock
);
875 ret
= -IPSET_ERR_REFERENCED
;
879 name2
= nla_data(attr
[IPSET_ATTR_SETNAME2
]);
880 for (i
= 0; i
< ip_set_max
; i
++) {
881 if (ip_set_list
[i
] != NULL
&&
882 STREQ(ip_set_list
[i
]->name
, name2
)) {
883 ret
= -IPSET_ERR_EXIST_SETNAME2
;
887 strncpy(set
->name
, name2
, IPSET_MAXNAMELEN
);
890 read_unlock_bh(&ip_set_ref_lock
);
894 /* Swap two sets so that name/index points to the other.
895 * References and set names are also swapped.
897 * The commands are serialized by the nfnl mutex and references are
898 * protected by the ip_set_ref_lock. The kernel interfaces
899 * do not hold the mutex but the pointer settings are atomic
900 * so the ip_set_list always contains valid pointers to the sets.
904 ip_set_swap(struct sock
*ctnl
, struct sk_buff
*skb
,
905 const struct nlmsghdr
*nlh
,
906 const struct nlattr
* const attr
[])
908 struct ip_set
*from
, *to
;
909 ip_set_id_t from_id
, to_id
;
910 char from_name
[IPSET_MAXNAMELEN
];
912 if (unlikely(protocol_failed(attr
) ||
913 attr
[IPSET_ATTR_SETNAME
] == NULL
||
914 attr
[IPSET_ATTR_SETNAME2
] == NULL
))
915 return -IPSET_ERR_PROTOCOL
;
917 from_id
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME
]));
918 if (from_id
== IPSET_INVALID_ID
)
921 to_id
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME2
]));
922 if (to_id
== IPSET_INVALID_ID
)
923 return -IPSET_ERR_EXIST_SETNAME2
;
925 from
= ip_set_list
[from_id
];
926 to
= ip_set_list
[to_id
];
928 /* Features must not change.
929 * Not an artificial restriction anymore, as we must prevent
930 * possible loops created by swapping in setlist type of sets. */
931 if (!(from
->type
->features
== to
->type
->features
&&
932 from
->type
->family
== to
->type
->family
))
933 return -IPSET_ERR_TYPE_MISMATCH
;
935 strncpy(from_name
, from
->name
, IPSET_MAXNAMELEN
);
936 strncpy(from
->name
, to
->name
, IPSET_MAXNAMELEN
);
937 strncpy(to
->name
, from_name
, IPSET_MAXNAMELEN
);
939 write_lock_bh(&ip_set_ref_lock
);
940 swap(from
->ref
, to
->ref
);
941 ip_set_list
[from_id
] = to
;
942 ip_set_list
[to_id
] = from
;
943 write_unlock_bh(&ip_set_ref_lock
);
948 /* List/save set data */
955 #define DUMP_TYPE(arg) (((u32)(arg)) & 0x0000FFFF)
956 #define DUMP_FLAGS(arg) (((u32)(arg)) >> 16)
959 ip_set_dump_done(struct netlink_callback
*cb
)
962 pr_debug("release set %s\n", ip_set_list
[cb
->args
[1]]->name
);
963 ip_set_put_byindex((ip_set_id_t
) cb
->args
[1]);
969 dump_attrs(struct nlmsghdr
*nlh
)
971 const struct nlattr
*attr
;
974 pr_debug("dump nlmsg\n");
975 nlmsg_for_each_attr(attr
, nlh
, sizeof(struct nfgenmsg
), rem
) {
976 pr_debug("type: %u, len %u\n", nla_type(attr
), attr
->nla_len
);
981 dump_init(struct netlink_callback
*cb
)
983 struct nlmsghdr
*nlh
= nlmsg_hdr(cb
->skb
);
984 int min_len
= NLMSG_SPACE(sizeof(struct nfgenmsg
));
985 struct nlattr
*cda
[IPSET_ATTR_CMD_MAX
+1];
986 struct nlattr
*attr
= (void *)nlh
+ min_len
;
990 /* Second pass, so parser can't fail */
991 nla_parse(cda
, IPSET_ATTR_CMD_MAX
,
992 attr
, nlh
->nlmsg_len
- min_len
, ip_set_setname_policy
);
994 /* cb->args[0] : dump single set/all sets
996 * [..]: type specific
999 if (cda
[IPSET_ATTR_SETNAME
]) {
1000 index
= find_set_id(nla_data(cda
[IPSET_ATTR_SETNAME
]));
1001 if (index
== IPSET_INVALID_ID
)
1004 dump_type
= DUMP_ONE
;
1005 cb
->args
[1] = index
;
1007 dump_type
= DUMP_ALL
;
1009 if (cda
[IPSET_ATTR_FLAGS
]) {
1010 u32 f
= ip_set_get_h32(cda
[IPSET_ATTR_FLAGS
]);
1011 dump_type
|= (f
<< 16);
1013 cb
->args
[0] = dump_type
;
1019 ip_set_dump_start(struct sk_buff
*skb
, struct netlink_callback
*cb
)
1021 ip_set_id_t index
= IPSET_INVALID_ID
, max
;
1022 struct ip_set
*set
= NULL
;
1023 struct nlmsghdr
*nlh
= NULL
;
1024 unsigned int flags
= NETLINK_CB(cb
->skb
).pid
? NLM_F_MULTI
: 0;
1025 u32 dump_type
, dump_flags
;
1029 ret
= dump_init(cb
);
1031 nlh
= nlmsg_hdr(cb
->skb
);
1032 /* We have to create and send the error message
1034 if (nlh
->nlmsg_flags
& NLM_F_ACK
)
1035 netlink_ack(cb
->skb
, nlh
, ret
);
1040 if (cb
->args
[1] >= ip_set_max
)
1043 dump_type
= DUMP_TYPE(cb
->args
[0]);
1044 dump_flags
= DUMP_FLAGS(cb
->args
[0]);
1045 max
= dump_type
== DUMP_ONE
? cb
->args
[1] + 1 : ip_set_max
;
1047 pr_debug("args[0]: %u %u args[1]: %ld\n",
1048 dump_type
, dump_flags
, cb
->args
[1]);
1049 for (; cb
->args
[1] < max
; cb
->args
[1]++) {
1050 index
= (ip_set_id_t
) cb
->args
[1];
1051 set
= ip_set_list
[index
];
1053 if (dump_type
== DUMP_ONE
) {
1059 /* When dumping all sets, we must dump "sorted"
1060 * so that lists (unions of sets) are dumped last.
1062 if (dump_type
!= DUMP_ONE
&&
1063 ((dump_type
== DUMP_ALL
) ==
1064 !!(set
->type
->features
& IPSET_DUMP_LAST
)))
1066 pr_debug("List set: %s\n", set
->name
);
1068 /* Start listing: make sure set won't be destroyed */
1069 pr_debug("reference set\n");
1070 __ip_set_get(index
);
1072 nlh
= start_msg(skb
, NETLINK_CB(cb
->skb
).pid
,
1073 cb
->nlh
->nlmsg_seq
, flags
,
1077 goto release_refcount
;
1079 NLA_PUT_U8(skb
, IPSET_ATTR_PROTOCOL
, IPSET_PROTOCOL
);
1080 NLA_PUT_STRING(skb
, IPSET_ATTR_SETNAME
, set
->name
);
1081 if (dump_flags
& IPSET_FLAG_LIST_SETNAME
)
1083 switch (cb
->args
[2]) {
1085 /* Core header data */
1086 NLA_PUT_STRING(skb
, IPSET_ATTR_TYPENAME
,
1088 NLA_PUT_U8(skb
, IPSET_ATTR_FAMILY
,
1090 NLA_PUT_U8(skb
, IPSET_ATTR_REVISION
,
1092 ret
= set
->variant
->head(set
, skb
);
1094 goto release_refcount
;
1095 if (dump_flags
& IPSET_FLAG_LIST_HEADER
)
1097 /* Fall through and add elements */
1099 read_lock_bh(&set
->lock
);
1100 ret
= set
->variant
->list(set
, skb
, cb
);
1101 read_unlock_bh(&set
->lock
);
1103 /* Set is done, proceed with next one */
1105 goto release_refcount
;
1108 /* If we dump all sets, continue with dumping last ones */
1109 if (dump_type
== DUMP_ALL
) {
1110 dump_type
= DUMP_LAST
;
1111 cb
->args
[0] = dump_type
| (dump_flags
<< 16);
1120 if (dump_type
== DUMP_ONE
)
1121 cb
->args
[1] = IPSET_INVALID_ID
;
1125 /* If there was an error or set is done, release set */
1126 if (ret
|| !cb
->args
[2]) {
1127 pr_debug("release set %s\n", ip_set_list
[index
]->name
);
1128 ip_set_put_byindex(index
);
1132 nlmsg_end(skb
, nlh
);
1133 pr_debug("nlmsg_len: %u\n", nlh
->nlmsg_len
);
1137 return ret
< 0 ? ret
: skb
->len
;
1141 ip_set_dump(struct sock
*ctnl
, struct sk_buff
*skb
,
1142 const struct nlmsghdr
*nlh
,
1143 const struct nlattr
* const attr
[])
1145 if (unlikely(protocol_failed(attr
)))
1146 return -IPSET_ERR_PROTOCOL
;
1148 return netlink_dump_start(ctnl
, skb
, nlh
,
1150 ip_set_dump_done
, 0);
1153 /* Add, del and test */
1155 static const struct nla_policy ip_set_adt_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
1156 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
1157 [IPSET_ATTR_SETNAME
] = { .type
= NLA_NUL_STRING
,
1158 .len
= IPSET_MAXNAMELEN
- 1 },
1159 [IPSET_ATTR_LINENO
] = { .type
= NLA_U32
},
1160 [IPSET_ATTR_DATA
] = { .type
= NLA_NESTED
},
1161 [IPSET_ATTR_ADT
] = { .type
= NLA_NESTED
},
1165 call_ad(struct sock
*ctnl
, struct sk_buff
*skb
, struct ip_set
*set
,
1166 struct nlattr
*tb
[], enum ipset_adt adt
,
1167 u32 flags
, bool use_lineno
)
1171 bool eexist
= flags
& IPSET_FLAG_EXIST
, retried
= false;
1174 write_lock_bh(&set
->lock
);
1175 ret
= set
->variant
->uadt(set
, tb
, adt
, &lineno
, flags
, retried
);
1176 write_unlock_bh(&set
->lock
);
1178 } while (ret
== -EAGAIN
&&
1179 set
->variant
->resize
&&
1180 (ret
= set
->variant
->resize(set
, retried
)) == 0);
1182 if (!ret
|| (ret
== -IPSET_ERR_EXIST
&& eexist
))
1184 if (lineno
&& use_lineno
) {
1185 /* Error in restore/batch mode: send back lineno */
1186 struct nlmsghdr
*rep
, *nlh
= nlmsg_hdr(skb
);
1187 struct sk_buff
*skb2
;
1188 struct nlmsgerr
*errmsg
;
1189 size_t payload
= sizeof(*errmsg
) + nlmsg_len(nlh
);
1190 int min_len
= NLMSG_SPACE(sizeof(struct nfgenmsg
));
1191 struct nlattr
*cda
[IPSET_ATTR_CMD_MAX
+1];
1192 struct nlattr
*cmdattr
;
1195 skb2
= nlmsg_new(payload
, GFP_KERNEL
);
1198 rep
= __nlmsg_put(skb2
, NETLINK_CB(skb
).pid
,
1199 nlh
->nlmsg_seq
, NLMSG_ERROR
, payload
, 0);
1200 errmsg
= nlmsg_data(rep
);
1201 errmsg
->error
= ret
;
1202 memcpy(&errmsg
->msg
, nlh
, nlh
->nlmsg_len
);
1203 cmdattr
= (void *)&errmsg
->msg
+ min_len
;
1205 nla_parse(cda
, IPSET_ATTR_CMD_MAX
,
1206 cmdattr
, nlh
->nlmsg_len
- min_len
,
1209 errline
= nla_data(cda
[IPSET_ATTR_LINENO
]);
1213 netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).pid
, MSG_DONTWAIT
);
1214 /* Signal netlink not to send its ACK/errmsg. */
1222 ip_set_uadd(struct sock
*ctnl
, struct sk_buff
*skb
,
1223 const struct nlmsghdr
*nlh
,
1224 const struct nlattr
* const attr
[])
1227 struct nlattr
*tb
[IPSET_ATTR_ADT_MAX
+1] = {};
1228 const struct nlattr
*nla
;
1229 u32 flags
= flag_exist(nlh
);
1233 if (unlikely(protocol_failed(attr
) ||
1234 attr
[IPSET_ATTR_SETNAME
] == NULL
||
1235 !((attr
[IPSET_ATTR_DATA
] != NULL
) ^
1236 (attr
[IPSET_ATTR_ADT
] != NULL
)) ||
1237 (attr
[IPSET_ATTR_DATA
] != NULL
&&
1238 !flag_nested(attr
[IPSET_ATTR_DATA
])) ||
1239 (attr
[IPSET_ATTR_ADT
] != NULL
&&
1240 (!flag_nested(attr
[IPSET_ATTR_ADT
]) ||
1241 attr
[IPSET_ATTR_LINENO
] == NULL
))))
1242 return -IPSET_ERR_PROTOCOL
;
1244 set
= find_set(nla_data(attr
[IPSET_ATTR_SETNAME
]));
1248 use_lineno
= !!attr
[IPSET_ATTR_LINENO
];
1249 if (attr
[IPSET_ATTR_DATA
]) {
1250 if (nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
,
1251 attr
[IPSET_ATTR_DATA
],
1252 set
->type
->adt_policy
))
1253 return -IPSET_ERR_PROTOCOL
;
1254 ret
= call_ad(ctnl
, skb
, set
, tb
, IPSET_ADD
, flags
,
1259 nla_for_each_nested(nla
, attr
[IPSET_ATTR_ADT
], nla_rem
) {
1260 memset(tb
, 0, sizeof(tb
));
1261 if (nla_type(nla
) != IPSET_ATTR_DATA
||
1262 !flag_nested(nla
) ||
1263 nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
, nla
,
1264 set
->type
->adt_policy
))
1265 return -IPSET_ERR_PROTOCOL
;
1266 ret
= call_ad(ctnl
, skb
, set
, tb
, IPSET_ADD
,
1276 ip_set_udel(struct sock
*ctnl
, struct sk_buff
*skb
,
1277 const struct nlmsghdr
*nlh
,
1278 const struct nlattr
* const attr
[])
1281 struct nlattr
*tb
[IPSET_ATTR_ADT_MAX
+1] = {};
1282 const struct nlattr
*nla
;
1283 u32 flags
= flag_exist(nlh
);
1287 if (unlikely(protocol_failed(attr
) ||
1288 attr
[IPSET_ATTR_SETNAME
] == NULL
||
1289 !((attr
[IPSET_ATTR_DATA
] != NULL
) ^
1290 (attr
[IPSET_ATTR_ADT
] != NULL
)) ||
1291 (attr
[IPSET_ATTR_DATA
] != NULL
&&
1292 !flag_nested(attr
[IPSET_ATTR_DATA
])) ||
1293 (attr
[IPSET_ATTR_ADT
] != NULL
&&
1294 (!flag_nested(attr
[IPSET_ATTR_ADT
]) ||
1295 attr
[IPSET_ATTR_LINENO
] == NULL
))))
1296 return -IPSET_ERR_PROTOCOL
;
1298 set
= find_set(nla_data(attr
[IPSET_ATTR_SETNAME
]));
1302 use_lineno
= !!attr
[IPSET_ATTR_LINENO
];
1303 if (attr
[IPSET_ATTR_DATA
]) {
1304 if (nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
,
1305 attr
[IPSET_ATTR_DATA
],
1306 set
->type
->adt_policy
))
1307 return -IPSET_ERR_PROTOCOL
;
1308 ret
= call_ad(ctnl
, skb
, set
, tb
, IPSET_DEL
, flags
,
1313 nla_for_each_nested(nla
, attr
[IPSET_ATTR_ADT
], nla_rem
) {
1314 memset(tb
, 0, sizeof(*tb
));
1315 if (nla_type(nla
) != IPSET_ATTR_DATA
||
1316 !flag_nested(nla
) ||
1317 nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
, nla
,
1318 set
->type
->adt_policy
))
1319 return -IPSET_ERR_PROTOCOL
;
1320 ret
= call_ad(ctnl
, skb
, set
, tb
, IPSET_DEL
,
1330 ip_set_utest(struct sock
*ctnl
, struct sk_buff
*skb
,
1331 const struct nlmsghdr
*nlh
,
1332 const struct nlattr
* const attr
[])
1335 struct nlattr
*tb
[IPSET_ATTR_ADT_MAX
+1] = {};
1338 if (unlikely(protocol_failed(attr
) ||
1339 attr
[IPSET_ATTR_SETNAME
] == NULL
||
1340 attr
[IPSET_ATTR_DATA
] == NULL
||
1341 !flag_nested(attr
[IPSET_ATTR_DATA
])))
1342 return -IPSET_ERR_PROTOCOL
;
1344 set
= find_set(nla_data(attr
[IPSET_ATTR_SETNAME
]));
1348 if (nla_parse_nested(tb
, IPSET_ATTR_ADT_MAX
, attr
[IPSET_ATTR_DATA
],
1349 set
->type
->adt_policy
))
1350 return -IPSET_ERR_PROTOCOL
;
1352 read_lock_bh(&set
->lock
);
1353 ret
= set
->variant
->uadt(set
, tb
, IPSET_TEST
, NULL
, 0, 0);
1354 read_unlock_bh(&set
->lock
);
1355 /* Userspace can't trigger element to be re-added */
1359 return ret
< 0 ? ret
: ret
> 0 ? 0 : -IPSET_ERR_EXIST
;
1362 /* Get headed data of a set */
1365 ip_set_header(struct sock
*ctnl
, struct sk_buff
*skb
,
1366 const struct nlmsghdr
*nlh
,
1367 const struct nlattr
* const attr
[])
1369 const struct ip_set
*set
;
1370 struct sk_buff
*skb2
;
1371 struct nlmsghdr
*nlh2
;
1375 if (unlikely(protocol_failed(attr
) ||
1376 attr
[IPSET_ATTR_SETNAME
] == NULL
))
1377 return -IPSET_ERR_PROTOCOL
;
1379 index
= find_set_id(nla_data(attr
[IPSET_ATTR_SETNAME
]));
1380 if (index
== IPSET_INVALID_ID
)
1382 set
= ip_set_list
[index
];
1384 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
1388 nlh2
= start_msg(skb2
, NETLINK_CB(skb
).pid
, nlh
->nlmsg_seq
, 0,
1392 NLA_PUT_U8(skb2
, IPSET_ATTR_PROTOCOL
, IPSET_PROTOCOL
);
1393 NLA_PUT_STRING(skb2
, IPSET_ATTR_SETNAME
, set
->name
);
1394 NLA_PUT_STRING(skb2
, IPSET_ATTR_TYPENAME
, set
->type
->name
);
1395 NLA_PUT_U8(skb2
, IPSET_ATTR_FAMILY
, set
->family
);
1396 NLA_PUT_U8(skb2
, IPSET_ATTR_REVISION
, set
->revision
);
1397 nlmsg_end(skb2
, nlh2
);
1399 ret
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).pid
, MSG_DONTWAIT
);
1406 nlmsg_cancel(skb2
, nlh2
);
1414 static const struct nla_policy ip_set_type_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
1415 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
1416 [IPSET_ATTR_TYPENAME
] = { .type
= NLA_NUL_STRING
,
1417 .len
= IPSET_MAXNAMELEN
- 1 },
1418 [IPSET_ATTR_FAMILY
] = { .type
= NLA_U8
},
1422 ip_set_type(struct sock
*ctnl
, struct sk_buff
*skb
,
1423 const struct nlmsghdr
*nlh
,
1424 const struct nlattr
* const attr
[])
1426 struct sk_buff
*skb2
;
1427 struct nlmsghdr
*nlh2
;
1428 u8 family
, min
, max
;
1429 const char *typename
;
1432 if (unlikely(protocol_failed(attr
) ||
1433 attr
[IPSET_ATTR_TYPENAME
] == NULL
||
1434 attr
[IPSET_ATTR_FAMILY
] == NULL
))
1435 return -IPSET_ERR_PROTOCOL
;
1437 family
= nla_get_u8(attr
[IPSET_ATTR_FAMILY
]);
1438 typename
= nla_data(attr
[IPSET_ATTR_TYPENAME
]);
1439 ret
= find_set_type_minmax(typename
, family
, &min
, &max
);
1443 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
1447 nlh2
= start_msg(skb2
, NETLINK_CB(skb
).pid
, nlh
->nlmsg_seq
, 0,
1451 NLA_PUT_U8(skb2
, IPSET_ATTR_PROTOCOL
, IPSET_PROTOCOL
);
1452 NLA_PUT_STRING(skb2
, IPSET_ATTR_TYPENAME
, typename
);
1453 NLA_PUT_U8(skb2
, IPSET_ATTR_FAMILY
, family
);
1454 NLA_PUT_U8(skb2
, IPSET_ATTR_REVISION
, max
);
1455 NLA_PUT_U8(skb2
, IPSET_ATTR_REVISION_MIN
, min
);
1456 nlmsg_end(skb2
, nlh2
);
1458 pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2
->nlmsg_len
);
1459 ret
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).pid
, MSG_DONTWAIT
);
1466 nlmsg_cancel(skb2
, nlh2
);
1472 /* Get protocol version */
1474 static const struct nla_policy
1475 ip_set_protocol_policy
[IPSET_ATTR_CMD_MAX
+ 1] = {
1476 [IPSET_ATTR_PROTOCOL
] = { .type
= NLA_U8
},
1480 ip_set_protocol(struct sock
*ctnl
, struct sk_buff
*skb
,
1481 const struct nlmsghdr
*nlh
,
1482 const struct nlattr
* const attr
[])
1484 struct sk_buff
*skb2
;
1485 struct nlmsghdr
*nlh2
;
1488 if (unlikely(attr
[IPSET_ATTR_PROTOCOL
] == NULL
))
1489 return -IPSET_ERR_PROTOCOL
;
1491 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
1495 nlh2
= start_msg(skb2
, NETLINK_CB(skb
).pid
, nlh
->nlmsg_seq
, 0,
1496 IPSET_CMD_PROTOCOL
);
1499 NLA_PUT_U8(skb2
, IPSET_ATTR_PROTOCOL
, IPSET_PROTOCOL
);
1500 nlmsg_end(skb2
, nlh2
);
1502 ret
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).pid
, MSG_DONTWAIT
);
1509 nlmsg_cancel(skb2
, nlh2
);
1515 static const struct nfnl_callback ip_set_netlink_subsys_cb
[IPSET_MSG_MAX
] = {
1516 [IPSET_CMD_CREATE
] = {
1517 .call
= ip_set_create
,
1518 .attr_count
= IPSET_ATTR_CMD_MAX
,
1519 .policy
= ip_set_create_policy
,
1521 [IPSET_CMD_DESTROY
] = {
1522 .call
= ip_set_destroy
,
1523 .attr_count
= IPSET_ATTR_CMD_MAX
,
1524 .policy
= ip_set_setname_policy
,
1526 [IPSET_CMD_FLUSH
] = {
1527 .call
= ip_set_flush
,
1528 .attr_count
= IPSET_ATTR_CMD_MAX
,
1529 .policy
= ip_set_setname_policy
,
1531 [IPSET_CMD_RENAME
] = {
1532 .call
= ip_set_rename
,
1533 .attr_count
= IPSET_ATTR_CMD_MAX
,
1534 .policy
= ip_set_setname2_policy
,
1536 [IPSET_CMD_SWAP
] = {
1537 .call
= ip_set_swap
,
1538 .attr_count
= IPSET_ATTR_CMD_MAX
,
1539 .policy
= ip_set_setname2_policy
,
1541 [IPSET_CMD_LIST
] = {
1542 .call
= ip_set_dump
,
1543 .attr_count
= IPSET_ATTR_CMD_MAX
,
1544 .policy
= ip_set_setname_policy
,
1546 [IPSET_CMD_SAVE
] = {
1547 .call
= ip_set_dump
,
1548 .attr_count
= IPSET_ATTR_CMD_MAX
,
1549 .policy
= ip_set_setname_policy
,
1552 .call
= ip_set_uadd
,
1553 .attr_count
= IPSET_ATTR_CMD_MAX
,
1554 .policy
= ip_set_adt_policy
,
1557 .call
= ip_set_udel
,
1558 .attr_count
= IPSET_ATTR_CMD_MAX
,
1559 .policy
= ip_set_adt_policy
,
1561 [IPSET_CMD_TEST
] = {
1562 .call
= ip_set_utest
,
1563 .attr_count
= IPSET_ATTR_CMD_MAX
,
1564 .policy
= ip_set_adt_policy
,
1566 [IPSET_CMD_HEADER
] = {
1567 .call
= ip_set_header
,
1568 .attr_count
= IPSET_ATTR_CMD_MAX
,
1569 .policy
= ip_set_setname_policy
,
1571 [IPSET_CMD_TYPE
] = {
1572 .call
= ip_set_type
,
1573 .attr_count
= IPSET_ATTR_CMD_MAX
,
1574 .policy
= ip_set_type_policy
,
1576 [IPSET_CMD_PROTOCOL
] = {
1577 .call
= ip_set_protocol
,
1578 .attr_count
= IPSET_ATTR_CMD_MAX
,
1579 .policy
= ip_set_protocol_policy
,
1583 static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly
= {
1585 .subsys_id
= NFNL_SUBSYS_IPSET
,
1586 .cb_count
= IPSET_MSG_MAX
,
1587 .cb
= ip_set_netlink_subsys_cb
,
1590 /* Interface to iptables/ip6tables */
1593 ip_set_sockfn_get(struct sock
*sk
, int optval
, void __user
*user
, int *len
)
1597 int copylen
= *len
, ret
= 0;
1599 if (!capable(CAP_NET_ADMIN
))
1601 if (optval
!= SO_IP_SET
)
1603 if (*len
< sizeof(unsigned))
1606 data
= vmalloc(*len
);
1609 if (copy_from_user(data
, user
, *len
) != 0) {
1613 op
= (unsigned *) data
;
1615 if (*op
< IP_SET_OP_VERSION
) {
1616 /* Check the version at the beginning of operations */
1617 struct ip_set_req_version
*req_version
= data
;
1618 if (req_version
->version
!= IPSET_PROTOCOL
) {
1625 case IP_SET_OP_VERSION
: {
1626 struct ip_set_req_version
*req_version
= data
;
1628 if (*len
!= sizeof(struct ip_set_req_version
)) {
1633 req_version
->version
= IPSET_PROTOCOL
;
1634 ret
= copy_to_user(user
, req_version
,
1635 sizeof(struct ip_set_req_version
));
1638 case IP_SET_OP_GET_BYNAME
: {
1639 struct ip_set_req_get_set
*req_get
= data
;
1641 if (*len
!= sizeof(struct ip_set_req_get_set
)) {
1645 req_get
->set
.name
[IPSET_MAXNAMELEN
- 1] = '\0';
1647 req_get
->set
.index
= find_set_id(req_get
->set
.name
);
1651 case IP_SET_OP_GET_BYINDEX
: {
1652 struct ip_set_req_get_set
*req_get
= data
;
1654 if (*len
!= sizeof(struct ip_set_req_get_set
) ||
1655 req_get
->set
.index
>= ip_set_max
) {
1660 strncpy(req_get
->set
.name
,
1661 ip_set_list
[req_get
->set
.index
]
1662 ? ip_set_list
[req_get
->set
.index
]->name
: "",
1670 } /* end of switch(op) */
1673 ret
= copy_to_user(user
, data
, copylen
);
1682 static struct nf_sockopt_ops so_set __read_mostly
= {
1684 .get_optmin
= SO_IP_SET
,
1685 .get_optmax
= SO_IP_SET
+ 1,
1686 .get
= &ip_set_sockfn_get
,
1687 .owner
= THIS_MODULE
,
1696 ip_set_max
= max_sets
;
1697 if (ip_set_max
>= IPSET_INVALID_ID
)
1698 ip_set_max
= IPSET_INVALID_ID
- 1;
1700 ip_set_list
= kzalloc(sizeof(struct ip_set
*) * ip_set_max
,
1705 ret
= nfnetlink_subsys_register(&ip_set_netlink_subsys
);
1707 pr_err("ip_set: cannot register with nfnetlink.\n");
1711 ret
= nf_register_sockopt(&so_set
);
1713 pr_err("SO_SET registry failed: %d\n", ret
);
1714 nfnetlink_subsys_unregister(&ip_set_netlink_subsys
);
1719 pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL
);
1726 /* There can't be any existing set */
1727 nf_unregister_sockopt(&so_set
);
1728 nfnetlink_subsys_unregister(&ip_set_netlink_subsys
);
1730 pr_debug("these are the famous last words\n");
1733 module_init(ip_set_init
);
1734 module_exit(ip_set_fini
);