1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
10 /* Kernel module for IP set management */
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/moduleparam.h>
16 #include <linux/skbuff.h>
17 #include <linux/spinlock.h>
18 #include <linux/rculist.h>
19 #include <net/netlink.h>
21 #include <linux/netfilter.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter/nfnetlink.h>
24 #include <linux/netfilter/ipset/ip_set.h>
26 static LIST_HEAD(ip_set_type_list); /* all registered set types */
27 static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */
28 static DEFINE_RWLOCK(ip_set_ref_lock); /* protects the set refs */
30 static struct ip_set * __rcu *ip_set_list; /* all individual sets */
31 static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */
34 #define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
36 static unsigned int max_sets;
38 module_param(max_sets, int, 0600);
39 MODULE_PARM_DESC(max_sets, "maximal number of sets");
40 MODULE_LICENSE("GPL");
41 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
42 MODULE_DESCRIPTION("core IP set support");
43 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
45 /* When the nfnl mutex is held: */
46 #define nfnl_dereference(p) \
47 rcu_dereference_protected(p, 1)
48 #define nfnl_set(id) \
49 nfnl_dereference(ip_set_list)[id]
52 * The set types are implemented in modules and registered set types
53 * can be found in ip_set_type_list. Adding/deleting types is
54 * serialized by ip_set_type_mutex.
58 ip_set_type_lock(void)
60 mutex_lock(&ip_set_type_mutex);
64 ip_set_type_unlock(void)
66 mutex_unlock(&ip_set_type_mutex);
69 /* Register and deregister settype */
71 static struct ip_set_type *
72 find_set_type(const char *name, u8 family, u8 revision)
74 struct ip_set_type *type;
76 list_for_each_entry_rcu(type, &ip_set_type_list, list)
77 if (STREQ(type->name, name) &&
78 (type->family == family ||
79 type->family == NFPROTO_UNSPEC) &&
80 revision >= type->revision_min &&
81 revision <= type->revision_max)
86 /* Unlock, try to load a set type module and lock again */
88 load_settype(const char *name)
90 nfnl_unlock(NFNL_SUBSYS_IPSET);
91 pr_debug("try to load ip_set_%s\n", name);
92 if (request_module("ip_set_%s", name) < 0) {
93 pr_warning("Can't find ip_set type %s\n", name);
94 nfnl_lock(NFNL_SUBSYS_IPSET);
97 nfnl_lock(NFNL_SUBSYS_IPSET);
101 /* Find a set type and reference it */
102 #define find_set_type_get(name, family, revision, found) \
103 __find_set_type_get(name, family, revision, found, false)
106 __find_set_type_get(const char *name, u8 family, u8 revision,
107 struct ip_set_type **found, bool retry)
109 struct ip_set_type *type;
112 if (retry && !load_settype(name))
113 return -IPSET_ERR_FIND_TYPE;
116 *found = find_set_type(name, family, revision);
118 err = !try_module_get((*found)->me) ? -EFAULT : 0;
121 /* Make sure the type is already loaded
122 * but we don't support the revision */
123 list_for_each_entry_rcu(type, &ip_set_type_list, list)
124 if (STREQ(type->name, name)) {
125 err = -IPSET_ERR_FIND_TYPE;
130 return retry ? -IPSET_ERR_FIND_TYPE :
131 __find_set_type_get(name, family, revision, found, true);
138 /* Find a given set type by name and family.
139 * If we succeeded, the supported minimal and maximum revisions are
142 #define find_set_type_minmax(name, family, min, max) \
143 __find_set_type_minmax(name, family, min, max, false)
146 __find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max,
149 struct ip_set_type *type;
152 if (retry && !load_settype(name))
153 return -IPSET_ERR_FIND_TYPE;
155 *min = 255; *max = 0;
157 list_for_each_entry_rcu(type, &ip_set_type_list, list)
158 if (STREQ(type->name, name) &&
159 (type->family == family ||
160 type->family == NFPROTO_UNSPEC)) {
162 if (type->revision_min < *min)
163 *min = type->revision_min;
164 if (type->revision_max > *max)
165 *max = type->revision_max;
171 return retry ? -IPSET_ERR_FIND_TYPE :
172 __find_set_type_minmax(name, family, min, max, true);
175 #define family_name(f) ((f) == NFPROTO_IPV4 ? "inet" : \
176 (f) == NFPROTO_IPV6 ? "inet6" : "any")
178 /* Register a set type structure. The type is identified by
179 * the unique triple of name, family and revision.
182 ip_set_type_register(struct ip_set_type *type)
186 if (type->protocol != IPSET_PROTOCOL) {
187 pr_warning("ip_set type %s, family %s, revision %u:%u uses "
188 "wrong protocol version %u (want %u)\n",
189 type->name, family_name(type->family),
190 type->revision_min, type->revision_max,
191 type->protocol, IPSET_PROTOCOL);
196 if (find_set_type(type->name, type->family, type->revision_min)) {
198 pr_warning("ip_set type %s, family %s with revision min %u "
199 "already registered!\n", type->name,
200 family_name(type->family), type->revision_min);
204 list_add_rcu(&type->list, &ip_set_type_list);
205 pr_debug("type %s, family %s, revision %u:%u registered.\n",
206 type->name, family_name(type->family),
207 type->revision_min, type->revision_max);
209 ip_set_type_unlock();
212 EXPORT_SYMBOL_GPL(ip_set_type_register);
214 /* Unregister a set type. There's a small race with ip_set_create */
216 ip_set_type_unregister(struct ip_set_type *type)
219 if (!find_set_type(type->name, type->family, type->revision_min)) {
220 pr_warning("ip_set type %s, family %s with revision min %u "
221 "not registered\n", type->name,
222 family_name(type->family), type->revision_min);
225 list_del_rcu(&type->list);
226 pr_debug("type %s, family %s with revision min %u unregistered.\n",
227 type->name, family_name(type->family), type->revision_min);
229 ip_set_type_unlock();
233 EXPORT_SYMBOL_GPL(ip_set_type_unregister);
235 /* Utility functions */
237 ip_set_alloc(size_t size)
239 void *members = NULL;
241 if (size < KMALLOC_MAX_SIZE)
242 members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
245 pr_debug("%p: allocated with kmalloc\n", members);
249 members = vzalloc(size);
252 pr_debug("%p: allocated with vmalloc\n", members);
256 EXPORT_SYMBOL_GPL(ip_set_alloc);
259 ip_set_free(void *members)
261 pr_debug("%p: free with %s\n", members,
262 is_vmalloc_addr(members) ? "vfree" : "kfree");
263 if (is_vmalloc_addr(members))
268 EXPORT_SYMBOL_GPL(ip_set_free);
271 flag_nested(const struct nlattr *nla)
273 return nla->nla_type & NLA_F_NESTED;
276 static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
277 [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 },
278 [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY,
279 .len = sizeof(struct in6_addr) },
283 ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr)
285 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
287 if (unlikely(!flag_nested(nla)))
288 return -IPSET_ERR_PROTOCOL;
289 if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
290 return -IPSET_ERR_PROTOCOL;
291 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4)))
292 return -IPSET_ERR_PROTOCOL;
294 *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]);
297 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4);
300 ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
302 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
304 if (unlikely(!flag_nested(nla)))
305 return -IPSET_ERR_PROTOCOL;
307 if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
308 return -IPSET_ERR_PROTOCOL;
309 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6)))
310 return -IPSET_ERR_PROTOCOL;
312 memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]),
313 sizeof(struct in6_addr));
316 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
318 /* ipset data extension types, in size order */
320 const struct ip_set_ext_type ip_set_extensions[] = {
321 [IPSET_EXT_ID_COUNTER] = {
322 .type = IPSET_EXT_COUNTER,
323 .flag = IPSET_FLAG_WITH_COUNTERS,
324 .len = sizeof(struct ip_set_counter),
325 .align = __alignof__(struct ip_set_counter),
327 [IPSET_EXT_ID_TIMEOUT] = {
328 .type = IPSET_EXT_TIMEOUT,
329 .len = sizeof(unsigned long),
330 .align = __alignof__(unsigned long),
333 EXPORT_SYMBOL_GPL(ip_set_extensions);
336 add_extension(enum ip_set_ext_id id, u32 flags, struct nlattr *tb[])
338 return ip_set_extensions[id].flag ?
339 (flags & ip_set_extensions[id].flag) :
340 !!tb[IPSET_ATTR_TIMEOUT];
344 ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len)
346 enum ip_set_ext_id id;
350 if (tb[IPSET_ATTR_CADT_FLAGS])
351 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
352 for (id = 0; id < IPSET_EXT_ID_MAX; id++) {
353 if (!add_extension(id, cadt_flags, tb))
355 offset += ALIGN(len + offset, ip_set_extensions[id].align);
356 set->offset[id] = offset;
357 set->extensions |= ip_set_extensions[id].type;
358 offset += ip_set_extensions[id].len;
362 EXPORT_SYMBOL_GPL(ip_set_elem_len);
365 ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],
366 struct ip_set_ext *ext)
368 if (tb[IPSET_ATTR_TIMEOUT]) {
369 if (!(set->extensions & IPSET_EXT_TIMEOUT))
370 return -IPSET_ERR_TIMEOUT;
371 ext->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
373 if (tb[IPSET_ATTR_BYTES] || tb[IPSET_ATTR_PACKETS]) {
374 if (!(set->extensions & IPSET_EXT_COUNTER))
375 return -IPSET_ERR_COUNTER;
376 if (tb[IPSET_ATTR_BYTES])
377 ext->bytes = be64_to_cpu(nla_get_be64(
378 tb[IPSET_ATTR_BYTES]));
379 if (tb[IPSET_ATTR_PACKETS])
380 ext->packets = be64_to_cpu(nla_get_be64(
381 tb[IPSET_ATTR_PACKETS]));
385 EXPORT_SYMBOL_GPL(ip_set_get_extensions);
388 * Creating/destroying/renaming/swapping affect the existence and
389 * the properties of a set. All of these can be executed from userspace
390 * only and serialized by the nfnl mutex indirectly from nfnetlink.
392 * Sets are identified by their index in ip_set_list and the index
393 * is used by the external references (set/SET netfilter modules).
395 * The set behind an index may change by swapping only, from userspace.
399 __ip_set_get(struct ip_set *set)
401 write_lock_bh(&ip_set_ref_lock);
403 write_unlock_bh(&ip_set_ref_lock);
407 __ip_set_put(struct ip_set *set)
409 write_lock_bh(&ip_set_ref_lock);
410 BUG_ON(set->ref == 0);
412 write_unlock_bh(&ip_set_ref_lock);
416 * Add, del and test set entries from kernel.
418 * The set behind the index must exist and must be referenced
419 * so it can't be destroyed (or changed) under our foot.
422 static inline struct ip_set *
423 ip_set_rcu_get(ip_set_id_t index)
428 /* ip_set_list itself needs to be protected */
429 set = rcu_dereference(ip_set_list)[index];
436 ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
437 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
439 struct ip_set *set = ip_set_rcu_get(index);
443 pr_debug("set %s, index %u\n", set->name, index);
445 if (opt->dim < set->type->dimension ||
446 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
449 read_lock_bh(&set->lock);
450 ret = set->variant->kadt(set, skb, par, IPSET_TEST, opt);
451 read_unlock_bh(&set->lock);
453 if (ret == -EAGAIN) {
454 /* Type requests element to be completed */
455 pr_debug("element must be competed, ADD is triggered\n");
456 write_lock_bh(&set->lock);
457 set->variant->kadt(set, skb, par, IPSET_ADD, opt);
458 write_unlock_bh(&set->lock);
461 /* --return-nomatch: invert matched element */
462 if ((opt->cmdflags & IPSET_FLAG_RETURN_NOMATCH) &&
463 (set->type->features & IPSET_TYPE_NOMATCH) &&
464 (ret > 0 || ret == -ENOTEMPTY))
468 /* Convert error codes to nomatch */
469 return (ret < 0 ? 0 : ret);
471 EXPORT_SYMBOL_GPL(ip_set_test);
474 ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
475 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
477 struct ip_set *set = ip_set_rcu_get(index);
481 pr_debug("set %s, index %u\n", set->name, index);
483 if (opt->dim < set->type->dimension ||
484 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
487 write_lock_bh(&set->lock);
488 ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt);
489 write_unlock_bh(&set->lock);
493 EXPORT_SYMBOL_GPL(ip_set_add);
496 ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
497 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
499 struct ip_set *set = ip_set_rcu_get(index);
503 pr_debug("set %s, index %u\n", set->name, index);
505 if (opt->dim < set->type->dimension ||
506 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
509 write_lock_bh(&set->lock);
510 ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt);
511 write_unlock_bh(&set->lock);
515 EXPORT_SYMBOL_GPL(ip_set_del);
518 * Find set by name, reference it once. The reference makes sure the
519 * thing pointed to, does not go away under our feet.
523 ip_set_get_byname(const char *name, struct ip_set **set)
525 ip_set_id_t i, index = IPSET_INVALID_ID;
529 for (i = 0; i < ip_set_max; i++) {
530 s = rcu_dereference(ip_set_list)[i];
531 if (s != NULL && STREQ(s->name, name)) {
542 EXPORT_SYMBOL_GPL(ip_set_get_byname);
545 * If the given set pointer points to a valid set, decrement
546 * reference count by 1. The caller shall not assume the index
547 * to be valid, after calling this function.
551 ip_set_put_byindex(ip_set_id_t index)
556 set = rcu_dereference(ip_set_list)[index];
561 EXPORT_SYMBOL_GPL(ip_set_put_byindex);
564 * Get the name of a set behind a set index.
565 * We assume the set is referenced, so it does exist and
566 * can't be destroyed. The set cannot be renamed due to
567 * the referencing either.
571 ip_set_name_byindex(ip_set_id_t index)
573 const struct ip_set *set = ip_set_rcu_get(index);
576 BUG_ON(set->ref == 0);
578 /* Referenced, so it's safe */
581 EXPORT_SYMBOL_GPL(ip_set_name_byindex);
584 * Routines to call by external subsystems, which do not
585 * call nfnl_lock for us.
589 * Find set by name, reference it once. The reference makes sure the
590 * thing pointed to, does not go away under our feet.
592 * The nfnl mutex is used in the function.
595 ip_set_nfnl_get(const char *name)
597 ip_set_id_t i, index = IPSET_INVALID_ID;
600 nfnl_lock(NFNL_SUBSYS_IPSET);
601 for (i = 0; i < ip_set_max; i++) {
603 if (s != NULL && STREQ(s->name, name)) {
609 nfnl_unlock(NFNL_SUBSYS_IPSET);
613 EXPORT_SYMBOL_GPL(ip_set_nfnl_get);
616 * Find set by index, reference it once. The reference makes sure the
617 * thing pointed to, does not go away under our feet.
619 * The nfnl mutex is used in the function.
622 ip_set_nfnl_get_byindex(ip_set_id_t index)
626 if (index > ip_set_max)
627 return IPSET_INVALID_ID;
629 nfnl_lock(NFNL_SUBSYS_IPSET);
630 set = nfnl_set(index);
634 index = IPSET_INVALID_ID;
635 nfnl_unlock(NFNL_SUBSYS_IPSET);
639 EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex);
642 * If the given set pointer points to a valid set, decrement
643 * reference count by 1. The caller shall not assume the index
644 * to be valid, after calling this function.
646 * The nfnl mutex is used in the function.
649 ip_set_nfnl_put(ip_set_id_t index)
652 nfnl_lock(NFNL_SUBSYS_IPSET);
653 set = nfnl_set(index);
656 nfnl_unlock(NFNL_SUBSYS_IPSET);
658 EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
661 * Communication protocol with userspace over netlink.
663 * The commands are serialized by the nfnl mutex.
667 protocol_failed(const struct nlattr * const tb[])
669 return !tb[IPSET_ATTR_PROTOCOL] ||
670 nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL;
674 flag_exist(const struct nlmsghdr *nlh)
676 return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST;
679 static struct nlmsghdr *
680 start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags,
683 struct nlmsghdr *nlh;
684 struct nfgenmsg *nfmsg;
686 nlh = nlmsg_put(skb, portid, seq, cmd | (NFNL_SUBSYS_IPSET << 8),
687 sizeof(*nfmsg), flags);
691 nfmsg = nlmsg_data(nlh);
692 nfmsg->nfgen_family = NFPROTO_IPV4;
693 nfmsg->version = NFNETLINK_V0;
701 static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = {
702 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
703 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
704 .len = IPSET_MAXNAMELEN - 1 },
705 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
706 .len = IPSET_MAXNAMELEN - 1},
707 [IPSET_ATTR_REVISION] = { .type = NLA_U8 },
708 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
709 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
712 static struct ip_set *
713 find_set_and_id(const char *name, ip_set_id_t *id)
715 struct ip_set *set = NULL;
718 *id = IPSET_INVALID_ID;
719 for (i = 0; i < ip_set_max; i++) {
721 if (set != NULL && STREQ(set->name, name)) {
726 return (*id == IPSET_INVALID_ID ? NULL : set);
729 static inline struct ip_set *
730 find_set(const char *name)
734 return find_set_and_id(name, &id);
738 find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set)
743 *index = IPSET_INVALID_ID;
744 for (i = 0; i < ip_set_max; i++) {
747 if (*index == IPSET_INVALID_ID)
749 } else if (STREQ(name, s->name)) {
755 if (*index == IPSET_INVALID_ID)
756 /* No free slot remained */
757 return -IPSET_ERR_MAX_SETS;
762 ip_set_none(struct sock *ctnl, struct sk_buff *skb,
763 const struct nlmsghdr *nlh,
764 const struct nlattr * const attr[])
770 ip_set_create(struct sock *ctnl, struct sk_buff *skb,
771 const struct nlmsghdr *nlh,
772 const struct nlattr * const attr[])
774 struct ip_set *set, *clash = NULL;
775 ip_set_id_t index = IPSET_INVALID_ID;
776 struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {};
777 const char *name, *typename;
779 u32 flags = flag_exist(nlh);
782 if (unlikely(protocol_failed(attr) ||
783 attr[IPSET_ATTR_SETNAME] == NULL ||
784 attr[IPSET_ATTR_TYPENAME] == NULL ||
785 attr[IPSET_ATTR_REVISION] == NULL ||
786 attr[IPSET_ATTR_FAMILY] == NULL ||
787 (attr[IPSET_ATTR_DATA] != NULL &&
788 !flag_nested(attr[IPSET_ATTR_DATA]))))
789 return -IPSET_ERR_PROTOCOL;
791 name = nla_data(attr[IPSET_ATTR_SETNAME]);
792 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
793 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
794 revision = nla_get_u8(attr[IPSET_ATTR_REVISION]);
795 pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
796 name, typename, family_name(family), revision);
799 * First, and without any locks, allocate and initialize
800 * a normal base set structure.
802 set = kzalloc(sizeof(struct ip_set), GFP_KERNEL);
805 rwlock_init(&set->lock);
806 strlcpy(set->name, name, IPSET_MAXNAMELEN);
807 set->family = family;
808 set->revision = revision;
811 * Next, check that we know the type, and take
812 * a reference on the type, to make sure it stays available
813 * while constructing our new set.
815 * After referencing the type, we try to create the type
816 * specific part of the set without holding any locks.
818 ret = find_set_type_get(typename, family, revision, &(set->type));
823 * Without holding any locks, create private part.
825 if (attr[IPSET_ATTR_DATA] &&
826 nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA],
827 set->type->create_policy)) {
828 ret = -IPSET_ERR_PROTOCOL;
832 ret = set->type->create(set, tb, flags);
836 /* BTW, ret==0 here. */
839 * Here, we have a valid, constructed set and we are protected
840 * by the nfnl mutex. Find the first free index in ip_set_list
841 * and check clashing.
843 ret = find_free_id(set->name, &index, &clash);
844 if (ret == -EEXIST) {
845 /* If this is the same set and requested, ignore error */
846 if ((flags & IPSET_FLAG_EXIST) &&
847 STREQ(set->type->name, clash->type->name) &&
848 set->type->family == clash->type->family &&
849 set->type->revision_min == clash->type->revision_min &&
850 set->type->revision_max == clash->type->revision_max &&
851 set->variant->same_set(set, clash))
854 } else if (ret == -IPSET_ERR_MAX_SETS) {
855 struct ip_set **list, **tmp;
856 ip_set_id_t i = ip_set_max + IP_SET_INC;
858 if (i < ip_set_max || i == IPSET_INVALID_ID)
862 list = kzalloc(sizeof(struct ip_set *) * i, GFP_KERNEL);
865 /* nfnl mutex is held, both lists are valid */
866 tmp = nfnl_dereference(ip_set_list);
867 memcpy(list, tmp, sizeof(struct ip_set *) * ip_set_max);
868 rcu_assign_pointer(ip_set_list, list);
869 /* Make sure all current packets have passed through */
880 * Finally! Add our shiny new set to the list, and be done.
882 pr_debug("create: '%s' created with index %u!\n", set->name, index);
883 nfnl_set(index) = set;
888 set->variant->destroy(set);
890 module_put(set->type->me);
898 static const struct nla_policy
899 ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
900 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
901 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
902 .len = IPSET_MAXNAMELEN - 1 },
906 ip_set_destroy_set(ip_set_id_t index)
908 struct ip_set *set = nfnl_set(index);
910 pr_debug("set: %s\n", set->name);
911 nfnl_set(index) = NULL;
913 /* Must call it without holding any lock */
914 set->variant->destroy(set);
915 module_put(set->type->me);
920 ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
921 const struct nlmsghdr *nlh,
922 const struct nlattr * const attr[])
928 if (unlikely(protocol_failed(attr)))
929 return -IPSET_ERR_PROTOCOL;
931 /* Commands are serialized and references are
932 * protected by the ip_set_ref_lock.
933 * External systems (i.e. xt_set) must call
934 * ip_set_put|get_nfnl_* functions, that way we
935 * can safely check references here.
937 * list:set timer can only decrement the reference
938 * counter, so if it's already zero, we can proceed
939 * without holding the lock.
941 read_lock_bh(&ip_set_ref_lock);
942 if (!attr[IPSET_ATTR_SETNAME]) {
943 for (i = 0; i < ip_set_max; i++) {
945 if (s != NULL && s->ref) {
946 ret = -IPSET_ERR_BUSY;
950 read_unlock_bh(&ip_set_ref_lock);
951 for (i = 0; i < ip_set_max; i++) {
954 ip_set_destroy_set(i);
957 s = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME]), &i);
962 ret = -IPSET_ERR_BUSY;
965 read_unlock_bh(&ip_set_ref_lock);
967 ip_set_destroy_set(i);
971 read_unlock_bh(&ip_set_ref_lock);
978 ip_set_flush_set(struct ip_set *set)
980 pr_debug("set: %s\n", set->name);
982 write_lock_bh(&set->lock);
983 set->variant->flush(set);
984 write_unlock_bh(&set->lock);
988 ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
989 const struct nlmsghdr *nlh,
990 const struct nlattr * const attr[])
995 if (unlikely(protocol_failed(attr)))
996 return -IPSET_ERR_PROTOCOL;
998 if (!attr[IPSET_ATTR_SETNAME]) {
999 for (i = 0; i < ip_set_max; i++) {
1002 ip_set_flush_set(s);
1005 s = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1009 ip_set_flush_set(s);
1017 static const struct nla_policy
1018 ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = {
1019 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1020 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1021 .len = IPSET_MAXNAMELEN - 1 },
1022 [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING,
1023 .len = IPSET_MAXNAMELEN - 1 },
1027 ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
1028 const struct nlmsghdr *nlh,
1029 const struct nlattr * const attr[])
1031 struct ip_set *set, *s;
1036 if (unlikely(protocol_failed(attr) ||
1037 attr[IPSET_ATTR_SETNAME] == NULL ||
1038 attr[IPSET_ATTR_SETNAME2] == NULL))
1039 return -IPSET_ERR_PROTOCOL;
1041 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1045 read_lock_bh(&ip_set_ref_lock);
1046 if (set->ref != 0) {
1047 ret = -IPSET_ERR_REFERENCED;
1051 name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
1052 for (i = 0; i < ip_set_max; i++) {
1054 if (s != NULL && STREQ(s->name, name2)) {
1055 ret = -IPSET_ERR_EXIST_SETNAME2;
1059 strncpy(set->name, name2, IPSET_MAXNAMELEN);
1062 read_unlock_bh(&ip_set_ref_lock);
1066 /* Swap two sets so that name/index points to the other.
1067 * References and set names are also swapped.
1069 * The commands are serialized by the nfnl mutex and references are
1070 * protected by the ip_set_ref_lock. The kernel interfaces
1071 * do not hold the mutex but the pointer settings are atomic
1072 * so the ip_set_list always contains valid pointers to the sets.
1076 ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
1077 const struct nlmsghdr *nlh,
1078 const struct nlattr * const attr[])
1080 struct ip_set *from, *to;
1081 ip_set_id_t from_id, to_id;
1082 char from_name[IPSET_MAXNAMELEN];
1084 if (unlikely(protocol_failed(attr) ||
1085 attr[IPSET_ATTR_SETNAME] == NULL ||
1086 attr[IPSET_ATTR_SETNAME2] == NULL))
1087 return -IPSET_ERR_PROTOCOL;
1089 from = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME]), &from_id);
1093 to = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME2]), &to_id);
1095 return -IPSET_ERR_EXIST_SETNAME2;
1097 /* Features must not change.
1098 * Not an artificial restriction anymore, as we must prevent
1099 * possible loops created by swapping in setlist type of sets. */
1100 if (!(from->type->features == to->type->features &&
1101 from->family == to->family))
1102 return -IPSET_ERR_TYPE_MISMATCH;
1104 strncpy(from_name, from->name, IPSET_MAXNAMELEN);
1105 strncpy(from->name, to->name, IPSET_MAXNAMELEN);
1106 strncpy(to->name, from_name, IPSET_MAXNAMELEN);
1108 write_lock_bh(&ip_set_ref_lock);
1109 swap(from->ref, to->ref);
1110 nfnl_set(from_id) = to;
1111 nfnl_set(to_id) = from;
1112 write_unlock_bh(&ip_set_ref_lock);
1117 /* List/save set data */
1124 #define DUMP_TYPE(arg) (((u32)(arg)) & 0x0000FFFF)
1125 #define DUMP_FLAGS(arg) (((u32)(arg)) >> 16)
1128 ip_set_dump_done(struct netlink_callback *cb)
1131 pr_debug("release set %s\n", nfnl_set(cb->args[1])->name);
1132 ip_set_put_byindex((ip_set_id_t) cb->args[1]);
1138 dump_attrs(struct nlmsghdr *nlh)
1140 const struct nlattr *attr;
1143 pr_debug("dump nlmsg\n");
1144 nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) {
1145 pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len);
1150 dump_init(struct netlink_callback *cb)
1152 struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
1153 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
1154 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1155 struct nlattr *attr = (void *)nlh + min_len;
1159 /* Second pass, so parser can't fail */
1160 nla_parse(cda, IPSET_ATTR_CMD_MAX,
1161 attr, nlh->nlmsg_len - min_len, ip_set_setname_policy);
1163 /* cb->args[0] : dump single set/all sets
1165 * [..]: type specific
1168 if (cda[IPSET_ATTR_SETNAME]) {
1171 set = find_set_and_id(nla_data(cda[IPSET_ATTR_SETNAME]),
1176 dump_type = DUMP_ONE;
1177 cb->args[1] = index;
1179 dump_type = DUMP_ALL;
1181 if (cda[IPSET_ATTR_FLAGS]) {
1182 u32 f = ip_set_get_h32(cda[IPSET_ATTR_FLAGS]);
1183 dump_type |= (f << 16);
1185 cb->args[0] = dump_type;
1191 ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
1193 ip_set_id_t index = IPSET_INVALID_ID, max;
1194 struct ip_set *set = NULL;
1195 struct nlmsghdr *nlh = NULL;
1196 unsigned int flags = NETLINK_CB(cb->skb).portid ? NLM_F_MULTI : 0;
1197 u32 dump_type, dump_flags;
1201 ret = dump_init(cb);
1203 nlh = nlmsg_hdr(cb->skb);
1204 /* We have to create and send the error message
1206 if (nlh->nlmsg_flags & NLM_F_ACK)
1207 netlink_ack(cb->skb, nlh, ret);
1212 if (cb->args[1] >= ip_set_max)
1215 dump_type = DUMP_TYPE(cb->args[0]);
1216 dump_flags = DUMP_FLAGS(cb->args[0]);
1217 max = dump_type == DUMP_ONE ? cb->args[1] + 1 : ip_set_max;
1219 pr_debug("args[0]: %u %u args[1]: %ld\n",
1220 dump_type, dump_flags, cb->args[1]);
1221 for (; cb->args[1] < max; cb->args[1]++) {
1222 index = (ip_set_id_t) cb->args[1];
1223 set = nfnl_set(index);
1225 if (dump_type == DUMP_ONE) {
1231 /* When dumping all sets, we must dump "sorted"
1232 * so that lists (unions of sets) are dumped last.
1234 if (dump_type != DUMP_ONE &&
1235 ((dump_type == DUMP_ALL) ==
1236 !!(set->type->features & IPSET_DUMP_LAST)))
1238 pr_debug("List set: %s\n", set->name);
1240 /* Start listing: make sure set won't be destroyed */
1241 pr_debug("reference set\n");
1244 nlh = start_msg(skb, NETLINK_CB(cb->skb).portid,
1245 cb->nlh->nlmsg_seq, flags,
1249 goto release_refcount;
1251 if (nla_put_u8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1252 nla_put_string(skb, IPSET_ATTR_SETNAME, set->name))
1253 goto nla_put_failure;
1254 if (dump_flags & IPSET_FLAG_LIST_SETNAME)
1256 switch (cb->args[2]) {
1258 /* Core header data */
1259 if (nla_put_string(skb, IPSET_ATTR_TYPENAME,
1261 nla_put_u8(skb, IPSET_ATTR_FAMILY,
1263 nla_put_u8(skb, IPSET_ATTR_REVISION,
1265 goto nla_put_failure;
1266 ret = set->variant->head(set, skb);
1268 goto release_refcount;
1269 if (dump_flags & IPSET_FLAG_LIST_HEADER)
1271 /* Fall through and add elements */
1273 read_lock_bh(&set->lock);
1274 ret = set->variant->list(set, skb, cb);
1275 read_unlock_bh(&set->lock);
1277 /* Set is done, proceed with next one */
1279 goto release_refcount;
1282 /* If we dump all sets, continue with dumping last ones */
1283 if (dump_type == DUMP_ALL) {
1284 dump_type = DUMP_LAST;
1285 cb->args[0] = dump_type | (dump_flags << 16);
1294 if (dump_type == DUMP_ONE)
1295 cb->args[1] = IPSET_INVALID_ID;
1299 /* If there was an error or set is done, release set */
1300 if (ret || !cb->args[2]) {
1301 pr_debug("release set %s\n", nfnl_set(index)->name);
1302 ip_set_put_byindex(index);
1307 nlmsg_end(skb, nlh);
1308 pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len);
1312 return ret < 0 ? ret : skb->len;
1316 ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
1317 const struct nlmsghdr *nlh,
1318 const struct nlattr * const attr[])
1320 if (unlikely(protocol_failed(attr)))
1321 return -IPSET_ERR_PROTOCOL;
1324 struct netlink_dump_control c = {
1325 .dump = ip_set_dump_start,
1326 .done = ip_set_dump_done,
1328 return netlink_dump_start(ctnl, skb, nlh, &c);
1332 /* Add, del and test */
1334 static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
1335 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1336 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1337 .len = IPSET_MAXNAMELEN - 1 },
1338 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
1339 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
1340 [IPSET_ATTR_ADT] = { .type = NLA_NESTED },
1344 call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
1345 struct nlattr *tb[], enum ipset_adt adt,
1346 u32 flags, bool use_lineno)
1350 bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
1353 write_lock_bh(&set->lock);
1354 ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
1355 write_unlock_bh(&set->lock);
1357 } while (ret == -EAGAIN &&
1358 set->variant->resize &&
1359 (ret = set->variant->resize(set, retried)) == 0);
1361 if (!ret || (ret == -IPSET_ERR_EXIST && eexist))
1363 if (lineno && use_lineno) {
1364 /* Error in restore/batch mode: send back lineno */
1365 struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
1366 struct sk_buff *skb2;
1367 struct nlmsgerr *errmsg;
1368 size_t payload = sizeof(*errmsg) + nlmsg_len(nlh);
1369 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
1370 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1371 struct nlattr *cmdattr;
1374 skb2 = nlmsg_new(payload, GFP_KERNEL);
1377 rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid,
1378 nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
1379 errmsg = nlmsg_data(rep);
1380 errmsg->error = ret;
1381 memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
1382 cmdattr = (void *)&errmsg->msg + min_len;
1384 nla_parse(cda, IPSET_ATTR_CMD_MAX,
1385 cmdattr, nlh->nlmsg_len - min_len,
1388 errline = nla_data(cda[IPSET_ATTR_LINENO]);
1392 netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1393 /* Signal netlink not to send its ACK/errmsg. */
1401 ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
1402 const struct nlmsghdr *nlh,
1403 const struct nlattr * const attr[])
1406 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1407 const struct nlattr *nla;
1408 u32 flags = flag_exist(nlh);
1412 if (unlikely(protocol_failed(attr) ||
1413 attr[IPSET_ATTR_SETNAME] == NULL ||
1414 !((attr[IPSET_ATTR_DATA] != NULL) ^
1415 (attr[IPSET_ATTR_ADT] != NULL)) ||
1416 (attr[IPSET_ATTR_DATA] != NULL &&
1417 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1418 (attr[IPSET_ATTR_ADT] != NULL &&
1419 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1420 attr[IPSET_ATTR_LINENO] == NULL))))
1421 return -IPSET_ERR_PROTOCOL;
1423 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1427 use_lineno = !!attr[IPSET_ATTR_LINENO];
1428 if (attr[IPSET_ATTR_DATA]) {
1429 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1430 attr[IPSET_ATTR_DATA],
1431 set->type->adt_policy))
1432 return -IPSET_ERR_PROTOCOL;
1433 ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, flags,
1438 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1439 memset(tb, 0, sizeof(tb));
1440 if (nla_type(nla) != IPSET_ATTR_DATA ||
1441 !flag_nested(nla) ||
1442 nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1443 set->type->adt_policy))
1444 return -IPSET_ERR_PROTOCOL;
1445 ret = call_ad(ctnl, skb, set, tb, IPSET_ADD,
1455 ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
1456 const struct nlmsghdr *nlh,
1457 const struct nlattr * const attr[])
1460 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1461 const struct nlattr *nla;
1462 u32 flags = flag_exist(nlh);
1466 if (unlikely(protocol_failed(attr) ||
1467 attr[IPSET_ATTR_SETNAME] == NULL ||
1468 !((attr[IPSET_ATTR_DATA] != NULL) ^
1469 (attr[IPSET_ATTR_ADT] != NULL)) ||
1470 (attr[IPSET_ATTR_DATA] != NULL &&
1471 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1472 (attr[IPSET_ATTR_ADT] != NULL &&
1473 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1474 attr[IPSET_ATTR_LINENO] == NULL))))
1475 return -IPSET_ERR_PROTOCOL;
1477 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1481 use_lineno = !!attr[IPSET_ATTR_LINENO];
1482 if (attr[IPSET_ATTR_DATA]) {
1483 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1484 attr[IPSET_ATTR_DATA],
1485 set->type->adt_policy))
1486 return -IPSET_ERR_PROTOCOL;
1487 ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, flags,
1492 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1493 memset(tb, 0, sizeof(*tb));
1494 if (nla_type(nla) != IPSET_ATTR_DATA ||
1495 !flag_nested(nla) ||
1496 nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1497 set->type->adt_policy))
1498 return -IPSET_ERR_PROTOCOL;
1499 ret = call_ad(ctnl, skb, set, tb, IPSET_DEL,
1509 ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
1510 const struct nlmsghdr *nlh,
1511 const struct nlattr * const attr[])
1514 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1517 if (unlikely(protocol_failed(attr) ||
1518 attr[IPSET_ATTR_SETNAME] == NULL ||
1519 attr[IPSET_ATTR_DATA] == NULL ||
1520 !flag_nested(attr[IPSET_ATTR_DATA])))
1521 return -IPSET_ERR_PROTOCOL;
1523 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1527 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA],
1528 set->type->adt_policy))
1529 return -IPSET_ERR_PROTOCOL;
1531 read_lock_bh(&set->lock);
1532 ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
1533 read_unlock_bh(&set->lock);
1534 /* Userspace can't trigger element to be re-added */
1538 return ret > 0 ? 0 : -IPSET_ERR_EXIST;
1541 /* Get headed data of a set */
1544 ip_set_header(struct sock *ctnl, struct sk_buff *skb,
1545 const struct nlmsghdr *nlh,
1546 const struct nlattr * const attr[])
1548 const struct ip_set *set;
1549 struct sk_buff *skb2;
1550 struct nlmsghdr *nlh2;
1553 if (unlikely(protocol_failed(attr) ||
1554 attr[IPSET_ATTR_SETNAME] == NULL))
1555 return -IPSET_ERR_PROTOCOL;
1557 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1561 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1565 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1569 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1570 nla_put_string(skb2, IPSET_ATTR_SETNAME, set->name) ||
1571 nla_put_string(skb2, IPSET_ATTR_TYPENAME, set->type->name) ||
1572 nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) ||
1573 nla_put_u8(skb2, IPSET_ATTR_REVISION, set->revision))
1574 goto nla_put_failure;
1575 nlmsg_end(skb2, nlh2);
1577 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1584 nlmsg_cancel(skb2, nlh2);
1592 static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = {
1593 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1594 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
1595 .len = IPSET_MAXNAMELEN - 1 },
1596 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
1600 ip_set_type(struct sock *ctnl, struct sk_buff *skb,
1601 const struct nlmsghdr *nlh,
1602 const struct nlattr * const attr[])
1604 struct sk_buff *skb2;
1605 struct nlmsghdr *nlh2;
1606 u8 family, min, max;
1607 const char *typename;
1610 if (unlikely(protocol_failed(attr) ||
1611 attr[IPSET_ATTR_TYPENAME] == NULL ||
1612 attr[IPSET_ATTR_FAMILY] == NULL))
1613 return -IPSET_ERR_PROTOCOL;
1615 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
1616 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
1617 ret = find_set_type_minmax(typename, family, &min, &max);
1621 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1625 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1629 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1630 nla_put_string(skb2, IPSET_ATTR_TYPENAME, typename) ||
1631 nla_put_u8(skb2, IPSET_ATTR_FAMILY, family) ||
1632 nla_put_u8(skb2, IPSET_ATTR_REVISION, max) ||
1633 nla_put_u8(skb2, IPSET_ATTR_REVISION_MIN, min))
1634 goto nla_put_failure;
1635 nlmsg_end(skb2, nlh2);
1637 pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len);
1638 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1645 nlmsg_cancel(skb2, nlh2);
1651 /* Get protocol version */
1653 static const struct nla_policy
1654 ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = {
1655 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1659 ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
1660 const struct nlmsghdr *nlh,
1661 const struct nlattr * const attr[])
1663 struct sk_buff *skb2;
1664 struct nlmsghdr *nlh2;
1667 if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL))
1668 return -IPSET_ERR_PROTOCOL;
1670 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1674 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1675 IPSET_CMD_PROTOCOL);
1678 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL))
1679 goto nla_put_failure;
1680 nlmsg_end(skb2, nlh2);
1682 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1689 nlmsg_cancel(skb2, nlh2);
1695 static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
1696 [IPSET_CMD_NONE] = {
1697 .call = ip_set_none,
1698 .attr_count = IPSET_ATTR_CMD_MAX,
1700 [IPSET_CMD_CREATE] = {
1701 .call = ip_set_create,
1702 .attr_count = IPSET_ATTR_CMD_MAX,
1703 .policy = ip_set_create_policy,
1705 [IPSET_CMD_DESTROY] = {
1706 .call = ip_set_destroy,
1707 .attr_count = IPSET_ATTR_CMD_MAX,
1708 .policy = ip_set_setname_policy,
1710 [IPSET_CMD_FLUSH] = {
1711 .call = ip_set_flush,
1712 .attr_count = IPSET_ATTR_CMD_MAX,
1713 .policy = ip_set_setname_policy,
1715 [IPSET_CMD_RENAME] = {
1716 .call = ip_set_rename,
1717 .attr_count = IPSET_ATTR_CMD_MAX,
1718 .policy = ip_set_setname2_policy,
1720 [IPSET_CMD_SWAP] = {
1721 .call = ip_set_swap,
1722 .attr_count = IPSET_ATTR_CMD_MAX,
1723 .policy = ip_set_setname2_policy,
1725 [IPSET_CMD_LIST] = {
1726 .call = ip_set_dump,
1727 .attr_count = IPSET_ATTR_CMD_MAX,
1728 .policy = ip_set_setname_policy,
1730 [IPSET_CMD_SAVE] = {
1731 .call = ip_set_dump,
1732 .attr_count = IPSET_ATTR_CMD_MAX,
1733 .policy = ip_set_setname_policy,
1736 .call = ip_set_uadd,
1737 .attr_count = IPSET_ATTR_CMD_MAX,
1738 .policy = ip_set_adt_policy,
1741 .call = ip_set_udel,
1742 .attr_count = IPSET_ATTR_CMD_MAX,
1743 .policy = ip_set_adt_policy,
1745 [IPSET_CMD_TEST] = {
1746 .call = ip_set_utest,
1747 .attr_count = IPSET_ATTR_CMD_MAX,
1748 .policy = ip_set_adt_policy,
1750 [IPSET_CMD_HEADER] = {
1751 .call = ip_set_header,
1752 .attr_count = IPSET_ATTR_CMD_MAX,
1753 .policy = ip_set_setname_policy,
1755 [IPSET_CMD_TYPE] = {
1756 .call = ip_set_type,
1757 .attr_count = IPSET_ATTR_CMD_MAX,
1758 .policy = ip_set_type_policy,
1760 [IPSET_CMD_PROTOCOL] = {
1761 .call = ip_set_protocol,
1762 .attr_count = IPSET_ATTR_CMD_MAX,
1763 .policy = ip_set_protocol_policy,
1767 static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = {
1769 .subsys_id = NFNL_SUBSYS_IPSET,
1770 .cb_count = IPSET_MSG_MAX,
1771 .cb = ip_set_netlink_subsys_cb,
1774 /* Interface to iptables/ip6tables */
1777 ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
1781 int copylen = *len, ret = 0;
1783 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1785 if (optval != SO_IP_SET)
1787 if (*len < sizeof(unsigned int))
1790 data = vmalloc(*len);
1793 if (copy_from_user(data, user, *len) != 0) {
1797 op = (unsigned int *) data;
1799 if (*op < IP_SET_OP_VERSION) {
1800 /* Check the version at the beginning of operations */
1801 struct ip_set_req_version *req_version = data;
1802 if (req_version->version != IPSET_PROTOCOL) {
1809 case IP_SET_OP_VERSION: {
1810 struct ip_set_req_version *req_version = data;
1812 if (*len != sizeof(struct ip_set_req_version)) {
1817 req_version->version = IPSET_PROTOCOL;
1818 ret = copy_to_user(user, req_version,
1819 sizeof(struct ip_set_req_version));
1822 case IP_SET_OP_GET_BYNAME: {
1823 struct ip_set_req_get_set *req_get = data;
1826 if (*len != sizeof(struct ip_set_req_get_set)) {
1830 req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
1831 nfnl_lock(NFNL_SUBSYS_IPSET);
1832 find_set_and_id(req_get->set.name, &id);
1833 req_get->set.index = id;
1834 nfnl_unlock(NFNL_SUBSYS_IPSET);
1837 case IP_SET_OP_GET_FNAME: {
1838 struct ip_set_req_get_set_family *req_get = data;
1841 if (*len != sizeof(struct ip_set_req_get_set_family)) {
1845 req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
1846 nfnl_lock(NFNL_SUBSYS_IPSET);
1847 find_set_and_id(req_get->set.name, &id);
1848 req_get->set.index = id;
1849 if (id != IPSET_INVALID_ID)
1850 req_get->family = nfnl_set(id)->family;
1851 nfnl_unlock(NFNL_SUBSYS_IPSET);
1854 case IP_SET_OP_GET_BYINDEX: {
1855 struct ip_set_req_get_set *req_get = data;
1858 if (*len != sizeof(struct ip_set_req_get_set) ||
1859 req_get->set.index >= ip_set_max) {
1863 nfnl_lock(NFNL_SUBSYS_IPSET);
1864 set = nfnl_set(req_get->set.index);
1865 strncpy(req_get->set.name, set ? set->name : "",
1867 nfnl_unlock(NFNL_SUBSYS_IPSET);
1873 } /* end of switch(op) */
1876 ret = copy_to_user(user, data, copylen);
1885 static struct nf_sockopt_ops so_set __read_mostly = {
1887 .get_optmin = SO_IP_SET,
1888 .get_optmax = SO_IP_SET + 1,
1889 .get = &ip_set_sockfn_get,
1890 .owner = THIS_MODULE,
1896 struct ip_set **list;
1900 ip_set_max = max_sets;
1901 if (ip_set_max >= IPSET_INVALID_ID)
1902 ip_set_max = IPSET_INVALID_ID - 1;
1904 list = kzalloc(sizeof(struct ip_set *) * ip_set_max, GFP_KERNEL);
1908 rcu_assign_pointer(ip_set_list, list);
1909 ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
1911 pr_err("ip_set: cannot register with nfnetlink.\n");
1915 ret = nf_register_sockopt(&so_set);
1917 pr_err("SO_SET registry failed: %d\n", ret);
1918 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1923 pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL);
1930 struct ip_set **list = rcu_dereference_protected(ip_set_list, 1);
1932 /* There can't be any existing set */
1933 nf_unregister_sockopt(&so_set);
1934 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1936 pr_debug("these are the famous last words\n");
1939 module_init(ip_set_init);
1940 module_exit(ip_set_fini);