4 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
5 * Patrick Schaaf <bof@bof.de>
6 * Martin Josefsson <gandalf@wlug.westbo.se>
7 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2 as
11 * published by the Free Software Foundation.
14 #include <linux/types.h>
16 /* The protocol version */
17 #define IPSET_PROTOCOL 6
19 /* The max length of strings including NUL: set and type identifiers */
20 #define IPSET_MAXNAMELEN 32
22 /* Message types and commands */
25 IPSET_CMD_PROTOCOL
, /* 1: Return protocol version */
26 IPSET_CMD_CREATE
, /* 2: Create a new (empty) set */
27 IPSET_CMD_DESTROY
, /* 3: Destroy an (empty) set */
28 IPSET_CMD_FLUSH
, /* 4: Remove all elements from a set */
29 IPSET_CMD_RENAME
, /* 5: Rename a set */
30 IPSET_CMD_SWAP
, /* 6: Swap two sets */
31 IPSET_CMD_LIST
, /* 7: List sets */
32 IPSET_CMD_SAVE
, /* 8: Save sets */
33 IPSET_CMD_ADD
, /* 9: Add an element to a set */
34 IPSET_CMD_DEL
, /* 10: Delete an element from a set */
35 IPSET_CMD_TEST
, /* 11: Test an element in a set */
36 IPSET_CMD_HEADER
, /* 12: Get set header data only */
37 IPSET_CMD_TYPE
, /* 13: Get set type */
38 IPSET_MSG_MAX
, /* Netlink message commands */
40 /* Commands in userspace: */
41 IPSET_CMD_RESTORE
= IPSET_MSG_MAX
, /* 14: Enter restore mode */
42 IPSET_CMD_HELP
, /* 15: Get help */
43 IPSET_CMD_VERSION
, /* 16: Get program version */
44 IPSET_CMD_QUIT
, /* 17: Quit from interactive mode */
48 IPSET_CMD_COMMIT
= IPSET_CMD_MAX
, /* 18: Commit buffered commands */
51 /* Attributes at command level */
54 IPSET_ATTR_PROTOCOL
, /* 1: Protocol version */
55 IPSET_ATTR_SETNAME
, /* 2: Name of the set */
56 IPSET_ATTR_TYPENAME
, /* 3: Typename */
57 IPSET_ATTR_SETNAME2
= IPSET_ATTR_TYPENAME
, /* Setname at rename/swap */
58 IPSET_ATTR_REVISION
, /* 4: Settype revision */
59 IPSET_ATTR_FAMILY
, /* 5: Settype family */
60 IPSET_ATTR_FLAGS
, /* 6: Flags at command level */
61 IPSET_ATTR_DATA
, /* 7: Nested attributes */
62 IPSET_ATTR_ADT
, /* 8: Multiple data containers */
63 IPSET_ATTR_LINENO
, /* 9: Restore lineno */
64 IPSET_ATTR_PROTOCOL_MIN
, /* 10: Minimal supported version number */
65 IPSET_ATTR_REVISION_MIN
= IPSET_ATTR_PROTOCOL_MIN
, /* type rev min */
68 #define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1)
70 /* CADT specific attributes */
72 IPSET_ATTR_IP
= IPSET_ATTR_UNSPEC
+ 1,
73 IPSET_ATTR_IP_FROM
= IPSET_ATTR_IP
,
74 IPSET_ATTR_IP_TO
, /* 2 */
75 IPSET_ATTR_CIDR
, /* 3 */
76 IPSET_ATTR_PORT
, /* 4 */
77 IPSET_ATTR_PORT_FROM
= IPSET_ATTR_PORT
,
78 IPSET_ATTR_PORT_TO
, /* 5 */
79 IPSET_ATTR_TIMEOUT
, /* 6 */
80 IPSET_ATTR_PROTO
, /* 7 */
81 IPSET_ATTR_CADT_FLAGS
, /* 8 */
82 IPSET_ATTR_CADT_LINENO
= IPSET_ATTR_LINENO
, /* 9 */
83 /* Reserve empty slots */
84 IPSET_ATTR_CADT_MAX
= 16,
85 /* Create-only specific attributes */
95 IPSET_ATTR_REFERENCES
,
98 __IPSET_ATTR_CREATE_MAX
,
100 #define IPSET_ATTR_CREATE_MAX (__IPSET_ATTR_CREATE_MAX - 1)
102 /* ADT specific attributes */
104 IPSET_ATTR_ETHER
= IPSET_ATTR_CADT_MAX
+ 1,
111 __IPSET_ATTR_ADT_MAX
,
113 #define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1)
115 /* IP specific attributes */
117 IPSET_ATTR_IPADDR_IPV4
= IPSET_ATTR_UNSPEC
+ 1,
118 IPSET_ATTR_IPADDR_IPV6
,
119 __IPSET_ATTR_IPADDR_MAX
,
121 #define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1)
125 IPSET_ERR_PRIVATE
= 4096,
130 IPSET_ERR_EXIST_SETNAME2
,
131 IPSET_ERR_TYPE_MISMATCH
,
133 IPSET_ERR_INVALID_CIDR
,
134 IPSET_ERR_INVALID_NETMASK
,
135 IPSET_ERR_INVALID_FAMILY
,
137 IPSET_ERR_REFERENCED
,
138 IPSET_ERR_IPADDR_IPV4
,
139 IPSET_ERR_IPADDR_IPV6
,
141 /* Type specific error codes */
142 IPSET_ERR_TYPE_SPECIFIC
= 4352,
145 /* Flags at command level */
146 enum ipset_cmd_flags
{
147 IPSET_FLAG_BIT_EXIST
= 0,
148 IPSET_FLAG_EXIST
= (1 << IPSET_FLAG_BIT_EXIST
),
149 IPSET_FLAG_BIT_LIST_SETNAME
= 1,
150 IPSET_FLAG_LIST_SETNAME
= (1 << IPSET_FLAG_BIT_LIST_SETNAME
),
151 IPSET_FLAG_BIT_LIST_HEADER
= 2,
152 IPSET_FLAG_LIST_HEADER
= (1 << IPSET_FLAG_BIT_LIST_HEADER
),
153 IPSET_FLAG_CMD_MAX
= 15, /* Lower half */
156 /* Flags at CADT attribute level */
157 enum ipset_cadt_flags
{
158 IPSET_FLAG_BIT_BEFORE
= 0,
159 IPSET_FLAG_BEFORE
= (1 << IPSET_FLAG_BIT_BEFORE
),
160 IPSET_FLAG_BIT_PHYSDEV
= 1,
161 IPSET_FLAG_PHYSDEV
= (1 << IPSET_FLAG_BIT_PHYSDEV
),
162 IPSET_FLAG_BIT_NOMATCH
= 2,
163 IPSET_FLAG_NOMATCH
= (1 << IPSET_FLAG_BIT_NOMATCH
),
164 IPSET_FLAG_CADT_MAX
= 15, /* Upper half */
167 /* Commands with settype-specific attributes */
173 IPSET_CREATE
= IPSET_ADT_MAX
,
177 /* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
178 * and IPSET_INVALID_ID if you want to increase the max number of sets.
180 typedef __u16 ip_set_id_t
;
182 #define IPSET_INVALID_ID 65535
189 /* Max dimension in elements.
190 * If changed, new revision of iptables match/target is required.
195 /* Option flags for kernel operations */
197 IPSET_INV_MATCH
= (1 << IPSET_DIM_ZERO
),
198 IPSET_DIM_ONE_SRC
= (1 << IPSET_DIM_ONE
),
199 IPSET_DIM_TWO_SRC
= (1 << IPSET_DIM_TWO
),
200 IPSET_DIM_THREE_SRC
= (1 << IPSET_DIM_THREE
),
204 #include <linux/ip.h>
205 #include <linux/ipv6.h>
206 #include <linux/netlink.h>
207 #include <linux/netfilter.h>
208 #include <linux/netfilter/x_tables.h>
209 #include <linux/vmalloc.h>
210 #include <net/netlink.h>
213 enum ip_set_feature
{
214 IPSET_TYPE_IP_FLAG
= 0,
215 IPSET_TYPE_IP
= (1 << IPSET_TYPE_IP_FLAG
),
216 IPSET_TYPE_PORT_FLAG
= 1,
217 IPSET_TYPE_PORT
= (1 << IPSET_TYPE_PORT_FLAG
),
218 IPSET_TYPE_MAC_FLAG
= 2,
219 IPSET_TYPE_MAC
= (1 << IPSET_TYPE_MAC_FLAG
),
220 IPSET_TYPE_IP2_FLAG
= 3,
221 IPSET_TYPE_IP2
= (1 << IPSET_TYPE_IP2_FLAG
),
222 IPSET_TYPE_NAME_FLAG
= 4,
223 IPSET_TYPE_NAME
= (1 << IPSET_TYPE_NAME_FLAG
),
224 IPSET_TYPE_IFACE_FLAG
= 5,
225 IPSET_TYPE_IFACE
= (1 << IPSET_TYPE_IFACE_FLAG
),
226 /* Strictly speaking not a feature, but a flag for dumping:
227 * this settype must be dumped last */
228 IPSET_DUMP_LAST_FLAG
= 7,
229 IPSET_DUMP_LAST
= (1 << IPSET_DUMP_LAST_FLAG
),
234 typedef int (*ipset_adtfn
)(struct ip_set
*set
, void *value
,
235 u32 timeout
, u32 flags
);
237 /* Kernel API function options */
238 struct ip_set_adt_opt
{
239 u8 family
; /* Actual protocol family */
240 u8 dim
; /* Dimension of match/target */
241 u8 flags
; /* Direction and negation flags */
242 u32 cmdflags
; /* Command-like flags */
243 u32 timeout
; /* Timeout value */
246 /* Set type, variant-specific part */
247 struct ip_set_type_variant
{
248 /* Kernelspace: test/add/del entries
249 * returns negative error code,
250 * zero for no match/success to add/delete
251 * positive for matching element */
252 int (*kadt
)(struct ip_set
*set
, const struct sk_buff
* skb
,
253 const struct xt_action_param
*par
,
254 enum ipset_adt adt
, const struct ip_set_adt_opt
*opt
);
256 /* Userspace: test/add/del entries
257 * returns negative error code,
258 * zero for no match/success to add/delete
259 * positive for matching element */
260 int (*uadt
)(struct ip_set
*set
, struct nlattr
*tb
[],
261 enum ipset_adt adt
, u32
*lineno
, u32 flags
, bool retried
);
263 /* Low level add/del/test functions */
264 ipset_adtfn adt
[IPSET_ADT_MAX
];
266 /* When adding entries and set is full, try to resize the set */
267 int (*resize
)(struct ip_set
*set
, bool retried
);
268 /* Destroy the set */
269 void (*destroy
)(struct ip_set
*set
);
270 /* Flush the elements */
271 void (*flush
)(struct ip_set
*set
);
272 /* Expire entries before listing */
273 void (*expire
)(struct ip_set
*set
);
274 /* List set header data */
275 int (*head
)(struct ip_set
*set
, struct sk_buff
*skb
);
277 int (*list
)(const struct ip_set
*set
, struct sk_buff
*skb
,
278 struct netlink_callback
*cb
);
280 /* Return true if "b" set is the same as "a"
281 * according to the create set parameters */
282 bool (*same_set
)(const struct ip_set
*a
, const struct ip_set
*b
);
285 /* The core set type structure */
287 struct list_head list
;
290 char name
[IPSET_MAXNAMELEN
];
291 /* Protocol version */
293 /* Set features to control swapping */
295 /* Set type dimension */
298 * Supported family: may be NFPROTO_UNSPEC for both
299 * NFPROTO_IPV4/NFPROTO_IPV6.
303 u8 revision_min
, revision_max
;
306 int (*create
)(struct ip_set
*set
, struct nlattr
*tb
[], u32 flags
);
308 /* Attribute policies */
309 const struct nla_policy create_policy
[IPSET_ATTR_CREATE_MAX
+ 1];
310 const struct nla_policy adt_policy
[IPSET_ATTR_ADT_MAX
+ 1];
312 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
316 /* register and unregister set type */
317 extern int ip_set_type_register(struct ip_set_type
*set_type
);
318 extern void ip_set_type_unregister(struct ip_set_type
*set_type
);
320 /* A generic IP set */
322 /* The name of the set */
323 char name
[IPSET_MAXNAMELEN
];
324 /* Lock protecting the set data */
326 /* References to the set */
328 /* The core set type */
329 struct ip_set_type
*type
;
330 /* The type variant doing the real job */
331 const struct ip_set_type_variant
*variant
;
332 /* The actual INET family of the set */
334 /* The type revision */
336 /* The type specific data */
340 /* register and unregister set references */
341 extern ip_set_id_t
ip_set_get_byname(const char *name
, struct ip_set
**set
);
342 extern void ip_set_put_byindex(ip_set_id_t index
);
343 extern const char *ip_set_name_byindex(ip_set_id_t index
);
344 extern ip_set_id_t
ip_set_nfnl_get(const char *name
);
345 extern ip_set_id_t
ip_set_nfnl_get_byindex(ip_set_id_t index
);
346 extern void ip_set_nfnl_put(ip_set_id_t index
);
348 /* API for iptables set match, and SET target */
350 extern int ip_set_add(ip_set_id_t id
, const struct sk_buff
*skb
,
351 const struct xt_action_param
*par
,
352 const struct ip_set_adt_opt
*opt
);
353 extern int ip_set_del(ip_set_id_t id
, const struct sk_buff
*skb
,
354 const struct xt_action_param
*par
,
355 const struct ip_set_adt_opt
*opt
);
356 extern int ip_set_test(ip_set_id_t id
, const struct sk_buff
*skb
,
357 const struct xt_action_param
*par
,
358 const struct ip_set_adt_opt
*opt
);
360 /* Utility functions */
361 extern void *ip_set_alloc(size_t size
);
362 extern void ip_set_free(void *members
);
363 extern int ip_set_get_ipaddr4(struct nlattr
*nla
, __be32
*ipaddr
);
364 extern int ip_set_get_ipaddr6(struct nlattr
*nla
, union nf_inet_addr
*ipaddr
);
367 ip_set_get_hostipaddr4(struct nlattr
*nla
, u32
*ipaddr
)
370 int ret
= ip_set_get_ipaddr4(nla
, &ip
);
/* Decide whether an "element already exists" failure may be ignored.
 * ret is a (negative) return code of a set operation, flags the
 * command-level flags. True only for -IPSET_ERR_EXIST when the caller
 * asked for it with IPSET_FLAG_EXIST; every other ret is reported. */
static inline bool
ip_set_eexist(int ret, u32 flags)
{
	if (ret != -IPSET_ERR_EXIST)
		return false;
	return (flags & IPSET_FLAG_EXIST) != 0;
}
/* Check the NLA_F_NET_BYTEORDER flag on a required attribute.
 * Returns true only when tb[type] is present and was sent in network
 * byte order; an absent attribute fails the check. type is used as an
 * index into tb and is not range-checked here, so callers must pass a
 * valid attribute id for the policy tb was parsed with. */
static inline bool
ip_set_attr_netorder(struct nlattr *tb[], int type)
{
	const struct nlattr *nla = tb[type];

	if (!nla)
		return false;
	return (nla->nla_type & NLA_F_NET_BYTEORDER) != 0;
}
/* Same check as ip_set_attr_netorder for an optional attribute: an
 * absent tb[type] passes (true); a present one must carry
 * NLA_F_NET_BYTEORDER. Like its sibling, type is not range-checked. */
static inline bool
ip_set_optattr_netorder(struct nlattr *tb[], int type)
{
	const struct nlattr *nla = tb[type];

	if (!nla)
		return true;
	return (nla->nla_type & NLA_F_NET_BYTEORDER) != 0;
}
/* Read a 32-bit attribute payload that was sent in network byte order
 * and return it converted to host order. attr must be a valid, fully
 * parsed attribute of the right length; nothing is validated here. */
static inline u32
ip_set_get_h32(const struct nlattr *attr)
{
	__be32 raw = nla_get_be32(attr);

	return ntohl(raw);
}
/* 16-bit counterpart of ip_set_get_h32: network-order payload of attr
 * returned in host order. attr is assumed valid and already policy-checked. */
static inline u16
ip_set_get_h16(const struct nlattr *attr)
{
	__be16 raw = nla_get_be16(attr);

	return ntohs(raw);
}
411 #define ipset_nest_start(skb, attr) nla_nest_start(skb, attr | NLA_F_NESTED)
412 #define ipset_nest_end(skb, start) nla_nest_end(skb, start)
414 static inline int nla_put_ipaddr4(struct sk_buff
*skb
, int type
, __be32 ipaddr
)
416 struct nlattr
*__nested
= ipset_nest_start(skb
, type
);
421 ret
= nla_put_net32(skb
, IPSET_ATTR_IPADDR_IPV4
, ipaddr
);
423 ipset_nest_end(skb
, __nested
);
427 static inline int nla_put_ipaddr6(struct sk_buff
*skb
, int type
, const struct in6_addr
*ipaddrptr
)
429 struct nlattr
*__nested
= ipset_nest_start(skb
, type
);
434 ret
= nla_put(skb
, IPSET_ATTR_IPADDR_IPV6
,
435 sizeof(struct in6_addr
), ipaddrptr
);
437 ipset_nest_end(skb
, __nested
);
/* Source (src true) or destination address from the packet's IPv4
 * header, returned as stored in the header (network order, __be32).
 * The header is read via ip_hdr() without any validation, so the caller
 * must already know skb carries a valid IPv4 header. */
static inline __be32
ip4addr(const struct sk_buff *skb, bool src)
{
	const struct iphdr *iph = ip_hdr(skb);

	if (src)
		return iph->saddr;
	return iph->daddr;
}
/* Store the source (src true) or destination IPv4 address of skb's IP
 * header into *addr, in network byte order. Same precondition as
 * ip4addr(): skb must hold a valid IPv4 header, nothing is checked. */
static inline void
ip4addrptr(const struct sk_buff *skb, bool src, __be32 *addr)
{
	const struct iphdr *iph = ip_hdr(skb);

	*addr = src ? iph->saddr : iph->daddr;
}
455 ip6addrptr(const struct sk_buff
*skb
, bool src
, struct in6_addr
*addr
)
457 memcpy(addr
, src
? &ipv6_hdr(skb
)->saddr
: &ipv6_hdr(skb
)->daddr
,
/* Bytes needed for a bitmap covering the inclusive range a..b, rounded
 * up to whole 32-bit words. All arithmetic is u32: callers are expected
 * to pass a <= b (the kernel-side range checks live elsewhere); if a > b
 * the subtraction wraps and the result is meaningless. */
static inline size_t
bitmap_bytes(u32 a, u32 b)
{
	u32 nbits = b - a + 1;
	u32 nbytes = (nbits + 7) / 8;	/* ceil(nbits / 8) */
	u32 nwords = (nbytes + 3) / 4;	/* ceil(nbytes / 4) */

	return 4 * nwords;
}
468 #endif /* __KERNEL__ */
470 /* Interface to iptables/ip6tables */
474 union ip_set_name_index
{
475 char name
[IPSET_MAXNAMELEN
];
479 #define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
480 struct ip_set_req_get_set
{
483 union ip_set_name_index set
;
486 #define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
487 /* Uses ip_set_req_get_set */
489 #define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
490 struct ip_set_req_version
{
495 #endif /*_IP_SET_H */