1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
10 /* Kernel module for IP set management */
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/moduleparam.h>
16 #include <linux/skbuff.h>
17 #include <linux/spinlock.h>
18 #include <linux/rculist.h>
19 #include <net/netlink.h>
21 #include <linux/netfilter.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter/nfnetlink.h>
24 #include <linux/netfilter/ipset/ip_set.h>
26 static LIST_HEAD(ip_set_type_list); /* all registered set types */
27 static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */
28 static DEFINE_RWLOCK(ip_set_ref_lock); /* protects the set refs */
30 static struct ip_set * __rcu *ip_set_list; /* all individual sets */
31 static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */
34 #define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
36 static unsigned int max_sets;
38 module_param(max_sets, int, 0600);
39 MODULE_PARM_DESC(max_sets, "maximal number of sets");
40 MODULE_LICENSE("GPL");
41 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
42 MODULE_DESCRIPTION("core IP set support");
43 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
45 /* When the nfnl mutex is held: */
46 #define nfnl_dereference(p) \
47 rcu_dereference_protected(p, 1)
48 #define nfnl_set(id) \
49 nfnl_dereference(ip_set_list)[id]
52 * The set types are implemented in modules and registered set types
53 * can be found in ip_set_type_list. Adding/deleting types is
54 * serialized by ip_set_type_mutex.
58 ip_set_type_lock(void)
60 mutex_lock(&ip_set_type_mutex);
64 ip_set_type_unlock(void)
66 mutex_unlock(&ip_set_type_mutex);
69 /* Register and deregister settype */
71 static struct ip_set_type *
72 find_set_type(const char *name, u8 family, u8 revision)
74 struct ip_set_type *type;
76 list_for_each_entry_rcu(type, &ip_set_type_list, list)
77 if (STREQ(type->name, name) &&
78 (type->family == family ||
79 type->family == NFPROTO_UNSPEC) &&
80 revision >= type->revision_min &&
81 revision <= type->revision_max)
86 /* Unlock, try to load a set type module and lock again */
88 load_settype(const char *name)
90 nfnl_unlock(NFNL_SUBSYS_IPSET);
91 pr_debug("try to load ip_set_%s\n", name);
92 if (request_module("ip_set_%s", name) < 0) {
93 pr_warning("Can't find ip_set type %s\n", name);
94 nfnl_lock(NFNL_SUBSYS_IPSET);
97 nfnl_lock(NFNL_SUBSYS_IPSET);
101 /* Find a set type and reference it */
102 #define find_set_type_get(name, family, revision, found) \
103 __find_set_type_get(name, family, revision, found, false)
106 __find_set_type_get(const char *name, u8 family, u8 revision,
107 struct ip_set_type **found, bool retry)
109 struct ip_set_type *type;
112 if (retry && !load_settype(name))
113 return -IPSET_ERR_FIND_TYPE;
116 *found = find_set_type(name, family, revision);
118 err = !try_module_get((*found)->me) ? -EFAULT : 0;
121 /* Make sure the type is already loaded
122 * but we don't support the revision */
123 list_for_each_entry_rcu(type, &ip_set_type_list, list)
124 if (STREQ(type->name, name)) {
125 err = -IPSET_ERR_FIND_TYPE;
130 return retry ? -IPSET_ERR_FIND_TYPE :
131 __find_set_type_get(name, family, revision, found, true);
138 /* Find a given set type by name and family.
139 * If we succeeded, the supported minimal and maximum revisions are
142 #define find_set_type_minmax(name, family, min, max) \
143 __find_set_type_minmax(name, family, min, max, false)
146 __find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max,
149 struct ip_set_type *type;
152 if (retry && !load_settype(name))
153 return -IPSET_ERR_FIND_TYPE;
155 *min = 255; *max = 0;
157 list_for_each_entry_rcu(type, &ip_set_type_list, list)
158 if (STREQ(type->name, name) &&
159 (type->family == family ||
160 type->family == NFPROTO_UNSPEC)) {
162 if (type->revision_min < *min)
163 *min = type->revision_min;
164 if (type->revision_max > *max)
165 *max = type->revision_max;
171 return retry ? -IPSET_ERR_FIND_TYPE :
172 __find_set_type_minmax(name, family, min, max, true);
175 #define family_name(f) ((f) == NFPROTO_IPV4 ? "inet" : \
176 (f) == NFPROTO_IPV6 ? "inet6" : "any")
178 /* Register a set type structure. The type is identified by
179 * the unique triple of name, family and revision.
182 ip_set_type_register(struct ip_set_type *type)
186 if (type->protocol != IPSET_PROTOCOL) {
187 pr_warning("ip_set type %s, family %s, revision %u:%u uses "
188 "wrong protocol version %u (want %u)\n",
189 type->name, family_name(type->family),
190 type->revision_min, type->revision_max,
191 type->protocol, IPSET_PROTOCOL);
196 if (find_set_type(type->name, type->family, type->revision_min)) {
198 pr_warning("ip_set type %s, family %s with revision min %u "
199 "already registered!\n", type->name,
200 family_name(type->family), type->revision_min);
204 list_add_rcu(&type->list, &ip_set_type_list);
205 pr_debug("type %s, family %s, revision %u:%u registered.\n",
206 type->name, family_name(type->family),
207 type->revision_min, type->revision_max);
209 ip_set_type_unlock();
212 EXPORT_SYMBOL_GPL(ip_set_type_register);
214 /* Unregister a set type. There's a small race with ip_set_create */
216 ip_set_type_unregister(struct ip_set_type *type)
219 if (!find_set_type(type->name, type->family, type->revision_min)) {
220 pr_warning("ip_set type %s, family %s with revision min %u "
221 "not registered\n", type->name,
222 family_name(type->family), type->revision_min);
225 list_del_rcu(&type->list);
226 pr_debug("type %s, family %s with revision min %u unregistered.\n",
227 type->name, family_name(type->family), type->revision_min);
229 ip_set_type_unlock();
233 EXPORT_SYMBOL_GPL(ip_set_type_unregister);
235 /* Utility functions */
237 ip_set_alloc(size_t size)
239 void *members = NULL;
241 if (size < KMALLOC_MAX_SIZE)
242 members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
245 pr_debug("%p: allocated with kmalloc\n", members);
249 members = vzalloc(size);
252 pr_debug("%p: allocated with vmalloc\n", members);
256 EXPORT_SYMBOL_GPL(ip_set_alloc);
259 ip_set_free(void *members)
261 pr_debug("%p: free with %s\n", members,
262 is_vmalloc_addr(members) ? "vfree" : "kfree");
263 if (is_vmalloc_addr(members))
268 EXPORT_SYMBOL_GPL(ip_set_free);
271 flag_nested(const struct nlattr *nla)
273 return nla->nla_type & NLA_F_NESTED;
276 static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
277 [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 },
278 [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY,
279 .len = sizeof(struct in6_addr) },
283 ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr)
285 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
287 if (unlikely(!flag_nested(nla)))
288 return -IPSET_ERR_PROTOCOL;
289 if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
290 return -IPSET_ERR_PROTOCOL;
291 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4)))
292 return -IPSET_ERR_PROTOCOL;
294 *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]);
297 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4);
300 ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
302 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
304 if (unlikely(!flag_nested(nla)))
305 return -IPSET_ERR_PROTOCOL;
307 if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
308 return -IPSET_ERR_PROTOCOL;
309 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6)))
310 return -IPSET_ERR_PROTOCOL;
312 memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]),
313 sizeof(struct in6_addr));
316 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
319 ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],
320 struct ip_set_ext *ext)
322 if (tb[IPSET_ATTR_TIMEOUT]) {
323 if (!(set->extensions & IPSET_EXT_TIMEOUT))
324 return -IPSET_ERR_TIMEOUT;
325 ext->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
327 if (tb[IPSET_ATTR_BYTES] || tb[IPSET_ATTR_PACKETS]) {
328 if (!(set->extensions & IPSET_EXT_COUNTER))
329 return -IPSET_ERR_COUNTER;
330 if (tb[IPSET_ATTR_BYTES])
331 ext->bytes = be64_to_cpu(nla_get_be64(
332 tb[IPSET_ATTR_BYTES]));
333 if (tb[IPSET_ATTR_PACKETS])
334 ext->packets = be64_to_cpu(nla_get_be64(
335 tb[IPSET_ATTR_PACKETS]));
339 EXPORT_SYMBOL_GPL(ip_set_get_extensions);
342 * Creating/destroying/renaming/swapping affect the existence and
343 * the properties of a set. All of these can be executed from userspace
344 * only and serialized by the nfnl mutex indirectly from nfnetlink.
346 * Sets are identified by their index in ip_set_list and the index
347 * is used by the external references (set/SET netfilter modules).
349 * The set behind an index may change by swapping only, from userspace.
353 __ip_set_get(struct ip_set *set)
355 write_lock_bh(&ip_set_ref_lock);
357 write_unlock_bh(&ip_set_ref_lock);
361 __ip_set_put(struct ip_set *set)
363 write_lock_bh(&ip_set_ref_lock);
364 BUG_ON(set->ref == 0);
366 write_unlock_bh(&ip_set_ref_lock);
370 * Add, del and test set entries from kernel.
372 * The set behind the index must exist and must be referenced
373 * so it can't be destroyed (or changed) under our foot.
376 static inline struct ip_set *
377 ip_set_rcu_get(ip_set_id_t index)
382 /* ip_set_list itself needs to be protected */
383 set = rcu_dereference(ip_set_list)[index];
390 ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
391 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
393 struct ip_set *set = ip_set_rcu_get(index);
397 pr_debug("set %s, index %u\n", set->name, index);
399 if (opt->dim < set->type->dimension ||
400 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
403 read_lock_bh(&set->lock);
404 ret = set->variant->kadt(set, skb, par, IPSET_TEST, opt);
405 read_unlock_bh(&set->lock);
407 if (ret == -EAGAIN) {
408 /* Type requests element to be completed */
409 pr_debug("element must be competed, ADD is triggered\n");
410 write_lock_bh(&set->lock);
411 set->variant->kadt(set, skb, par, IPSET_ADD, opt);
412 write_unlock_bh(&set->lock);
415 /* --return-nomatch: invert matched element */
416 if ((opt->cmdflags & IPSET_FLAG_RETURN_NOMATCH) &&
417 (set->type->features & IPSET_TYPE_NOMATCH) &&
418 (ret > 0 || ret == -ENOTEMPTY))
422 /* Convert error codes to nomatch */
423 return (ret < 0 ? 0 : ret);
425 EXPORT_SYMBOL_GPL(ip_set_test);
428 ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
429 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
431 struct ip_set *set = ip_set_rcu_get(index);
435 pr_debug("set %s, index %u\n", set->name, index);
437 if (opt->dim < set->type->dimension ||
438 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
441 write_lock_bh(&set->lock);
442 ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt);
443 write_unlock_bh(&set->lock);
447 EXPORT_SYMBOL_GPL(ip_set_add);
450 ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
451 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
453 struct ip_set *set = ip_set_rcu_get(index);
457 pr_debug("set %s, index %u\n", set->name, index);
459 if (opt->dim < set->type->dimension ||
460 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
463 write_lock_bh(&set->lock);
464 ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt);
465 write_unlock_bh(&set->lock);
469 EXPORT_SYMBOL_GPL(ip_set_del);
472 * Find set by name, reference it once. The reference makes sure the
473 * thing pointed to, does not go away under our feet.
477 ip_set_get_byname(const char *name, struct ip_set **set)
479 ip_set_id_t i, index = IPSET_INVALID_ID;
483 for (i = 0; i < ip_set_max; i++) {
484 s = rcu_dereference(ip_set_list)[i];
485 if (s != NULL && STREQ(s->name, name)) {
496 EXPORT_SYMBOL_GPL(ip_set_get_byname);
499 * If the given set pointer points to a valid set, decrement
500 * reference count by 1. The caller shall not assume the index
501 * to be valid, after calling this function.
505 ip_set_put_byindex(ip_set_id_t index)
510 set = rcu_dereference(ip_set_list)[index];
515 EXPORT_SYMBOL_GPL(ip_set_put_byindex);
518 * Get the name of a set behind a set index.
519 * We assume the set is referenced, so it does exist and
520 * can't be destroyed. The set cannot be renamed due to
521 * the referencing either.
525 ip_set_name_byindex(ip_set_id_t index)
527 const struct ip_set *set = ip_set_rcu_get(index);
530 BUG_ON(set->ref == 0);
532 /* Referenced, so it's safe */
535 EXPORT_SYMBOL_GPL(ip_set_name_byindex);
538 * Routines to call by external subsystems, which do not
539 * call nfnl_lock for us.
543 * Find set by name, reference it once. The reference makes sure the
544 * thing pointed to, does not go away under our feet.
546 * The nfnl mutex is used in the function.
549 ip_set_nfnl_get(const char *name)
551 ip_set_id_t i, index = IPSET_INVALID_ID;
554 nfnl_lock(NFNL_SUBSYS_IPSET);
555 for (i = 0; i < ip_set_max; i++) {
557 if (s != NULL && STREQ(s->name, name)) {
563 nfnl_unlock(NFNL_SUBSYS_IPSET);
567 EXPORT_SYMBOL_GPL(ip_set_nfnl_get);
570 * Find set by index, reference it once. The reference makes sure the
571 * thing pointed to, does not go away under our feet.
573 * The nfnl mutex is used in the function.
576 ip_set_nfnl_get_byindex(ip_set_id_t index)
580 if (index > ip_set_max)
581 return IPSET_INVALID_ID;
583 nfnl_lock(NFNL_SUBSYS_IPSET);
584 set = nfnl_set(index);
588 index = IPSET_INVALID_ID;
589 nfnl_unlock(NFNL_SUBSYS_IPSET);
593 EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex);
596 * If the given set pointer points to a valid set, decrement
597 * reference count by 1. The caller shall not assume the index
598 * to be valid, after calling this function.
600 * The nfnl mutex is used in the function.
603 ip_set_nfnl_put(ip_set_id_t index)
606 nfnl_lock(NFNL_SUBSYS_IPSET);
607 set = nfnl_set(index);
610 nfnl_unlock(NFNL_SUBSYS_IPSET);
612 EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
615 * Communication protocol with userspace over netlink.
617 * The commands are serialized by the nfnl mutex.
621 protocol_failed(const struct nlattr * const tb[])
623 return !tb[IPSET_ATTR_PROTOCOL] ||
624 nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL;
628 flag_exist(const struct nlmsghdr *nlh)
630 return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST;
633 static struct nlmsghdr *
634 start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags,
637 struct nlmsghdr *nlh;
638 struct nfgenmsg *nfmsg;
640 nlh = nlmsg_put(skb, portid, seq, cmd | (NFNL_SUBSYS_IPSET << 8),
641 sizeof(*nfmsg), flags);
645 nfmsg = nlmsg_data(nlh);
646 nfmsg->nfgen_family = NFPROTO_IPV4;
647 nfmsg->version = NFNETLINK_V0;
655 static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = {
656 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
657 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
658 .len = IPSET_MAXNAMELEN - 1 },
659 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
660 .len = IPSET_MAXNAMELEN - 1},
661 [IPSET_ATTR_REVISION] = { .type = NLA_U8 },
662 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
663 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
666 static struct ip_set *
667 find_set_and_id(const char *name, ip_set_id_t *id)
669 struct ip_set *set = NULL;
672 *id = IPSET_INVALID_ID;
673 for (i = 0; i < ip_set_max; i++) {
675 if (set != NULL && STREQ(set->name, name)) {
680 return (*id == IPSET_INVALID_ID ? NULL : set);
683 static inline struct ip_set *
684 find_set(const char *name)
688 return find_set_and_id(name, &id);
692 find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set)
697 *index = IPSET_INVALID_ID;
698 for (i = 0; i < ip_set_max; i++) {
701 if (*index == IPSET_INVALID_ID)
703 } else if (STREQ(name, s->name)) {
709 if (*index == IPSET_INVALID_ID)
710 /* No free slot remained */
711 return -IPSET_ERR_MAX_SETS;
716 ip_set_none(struct sock *ctnl, struct sk_buff *skb,
717 const struct nlmsghdr *nlh,
718 const struct nlattr * const attr[])
724 ip_set_create(struct sock *ctnl, struct sk_buff *skb,
725 const struct nlmsghdr *nlh,
726 const struct nlattr * const attr[])
728 struct ip_set *set, *clash = NULL;
729 ip_set_id_t index = IPSET_INVALID_ID;
730 struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {};
731 const char *name, *typename;
733 u32 flags = flag_exist(nlh);
736 if (unlikely(protocol_failed(attr) ||
737 attr[IPSET_ATTR_SETNAME] == NULL ||
738 attr[IPSET_ATTR_TYPENAME] == NULL ||
739 attr[IPSET_ATTR_REVISION] == NULL ||
740 attr[IPSET_ATTR_FAMILY] == NULL ||
741 (attr[IPSET_ATTR_DATA] != NULL &&
742 !flag_nested(attr[IPSET_ATTR_DATA]))))
743 return -IPSET_ERR_PROTOCOL;
745 name = nla_data(attr[IPSET_ATTR_SETNAME]);
746 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
747 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
748 revision = nla_get_u8(attr[IPSET_ATTR_REVISION]);
749 pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
750 name, typename, family_name(family), revision);
753 * First, and without any locks, allocate and initialize
754 * a normal base set structure.
756 set = kzalloc(sizeof(struct ip_set), GFP_KERNEL);
759 rwlock_init(&set->lock);
760 strlcpy(set->name, name, IPSET_MAXNAMELEN);
761 set->family = family;
762 set->revision = revision;
765 * Next, check that we know the type, and take
766 * a reference on the type, to make sure it stays available
767 * while constructing our new set.
769 * After referencing the type, we try to create the type
770 * specific part of the set without holding any locks.
772 ret = find_set_type_get(typename, family, revision, &(set->type));
777 * Without holding any locks, create private part.
779 if (attr[IPSET_ATTR_DATA] &&
780 nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA],
781 set->type->create_policy)) {
782 ret = -IPSET_ERR_PROTOCOL;
786 ret = set->type->create(set, tb, flags);
790 /* BTW, ret==0 here. */
793 * Here, we have a valid, constructed set and we are protected
794 * by the nfnl mutex. Find the first free index in ip_set_list
795 * and check clashing.
797 ret = find_free_id(set->name, &index, &clash);
798 if (ret == -EEXIST) {
799 /* If this is the same set and requested, ignore error */
800 if ((flags & IPSET_FLAG_EXIST) &&
801 STREQ(set->type->name, clash->type->name) &&
802 set->type->family == clash->type->family &&
803 set->type->revision_min == clash->type->revision_min &&
804 set->type->revision_max == clash->type->revision_max &&
805 set->variant->same_set(set, clash))
808 } else if (ret == -IPSET_ERR_MAX_SETS) {
809 struct ip_set **list, **tmp;
810 ip_set_id_t i = ip_set_max + IP_SET_INC;
812 if (i < ip_set_max || i == IPSET_INVALID_ID)
816 list = kzalloc(sizeof(struct ip_set *) * i, GFP_KERNEL);
819 /* nfnl mutex is held, both lists are valid */
820 tmp = nfnl_dereference(ip_set_list);
821 memcpy(list, tmp, sizeof(struct ip_set *) * ip_set_max);
822 rcu_assign_pointer(ip_set_list, list);
823 /* Make sure all current packets have passed through */
834 * Finally! Add our shiny new set to the list, and be done.
836 pr_debug("create: '%s' created with index %u!\n", set->name, index);
837 nfnl_set(index) = set;
842 set->variant->destroy(set);
844 module_put(set->type->me);
852 static const struct nla_policy
853 ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
854 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
855 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
856 .len = IPSET_MAXNAMELEN - 1 },
860 ip_set_destroy_set(ip_set_id_t index)
862 struct ip_set *set = nfnl_set(index);
864 pr_debug("set: %s\n", set->name);
865 nfnl_set(index) = NULL;
867 /* Must call it without holding any lock */
868 set->variant->destroy(set);
869 module_put(set->type->me);
874 ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
875 const struct nlmsghdr *nlh,
876 const struct nlattr * const attr[])
882 if (unlikely(protocol_failed(attr)))
883 return -IPSET_ERR_PROTOCOL;
885 /* Commands are serialized and references are
886 * protected by the ip_set_ref_lock.
887 * External systems (i.e. xt_set) must call
888 * ip_set_put|get_nfnl_* functions, that way we
889 * can safely check references here.
891 * list:set timer can only decrement the reference
892 * counter, so if it's already zero, we can proceed
893 * without holding the lock.
895 read_lock_bh(&ip_set_ref_lock);
896 if (!attr[IPSET_ATTR_SETNAME]) {
897 for (i = 0; i < ip_set_max; i++) {
899 if (s != NULL && s->ref) {
900 ret = -IPSET_ERR_BUSY;
904 read_unlock_bh(&ip_set_ref_lock);
905 for (i = 0; i < ip_set_max; i++) {
908 ip_set_destroy_set(i);
911 s = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME]), &i);
916 ret = -IPSET_ERR_BUSY;
919 read_unlock_bh(&ip_set_ref_lock);
921 ip_set_destroy_set(i);
925 read_unlock_bh(&ip_set_ref_lock);
932 ip_set_flush_set(struct ip_set *set)
934 pr_debug("set: %s\n", set->name);
936 write_lock_bh(&set->lock);
937 set->variant->flush(set);
938 write_unlock_bh(&set->lock);
942 ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
943 const struct nlmsghdr *nlh,
944 const struct nlattr * const attr[])
949 if (unlikely(protocol_failed(attr)))
950 return -IPSET_ERR_PROTOCOL;
952 if (!attr[IPSET_ATTR_SETNAME]) {
953 for (i = 0; i < ip_set_max; i++) {
959 s = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
971 static const struct nla_policy
972 ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = {
973 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
974 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
975 .len = IPSET_MAXNAMELEN - 1 },
976 [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING,
977 .len = IPSET_MAXNAMELEN - 1 },
981 ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
982 const struct nlmsghdr *nlh,
983 const struct nlattr * const attr[])
985 struct ip_set *set, *s;
990 if (unlikely(protocol_failed(attr) ||
991 attr[IPSET_ATTR_SETNAME] == NULL ||
992 attr[IPSET_ATTR_SETNAME2] == NULL))
993 return -IPSET_ERR_PROTOCOL;
995 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
999 read_lock_bh(&ip_set_ref_lock);
1000 if (set->ref != 0) {
1001 ret = -IPSET_ERR_REFERENCED;
1005 name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
1006 for (i = 0; i < ip_set_max; i++) {
1008 if (s != NULL && STREQ(s->name, name2)) {
1009 ret = -IPSET_ERR_EXIST_SETNAME2;
1013 strncpy(set->name, name2, IPSET_MAXNAMELEN);
1016 read_unlock_bh(&ip_set_ref_lock);
1020 /* Swap two sets so that name/index points to the other.
1021 * References and set names are also swapped.
1023 * The commands are serialized by the nfnl mutex and references are
1024 * protected by the ip_set_ref_lock. The kernel interfaces
1025 * do not hold the mutex but the pointer settings are atomic
1026 * so the ip_set_list always contains valid pointers to the sets.
1030 ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
1031 const struct nlmsghdr *nlh,
1032 const struct nlattr * const attr[])
1034 struct ip_set *from, *to;
1035 ip_set_id_t from_id, to_id;
1036 char from_name[IPSET_MAXNAMELEN];
1038 if (unlikely(protocol_failed(attr) ||
1039 attr[IPSET_ATTR_SETNAME] == NULL ||
1040 attr[IPSET_ATTR_SETNAME2] == NULL))
1041 return -IPSET_ERR_PROTOCOL;
1043 from = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME]), &from_id);
1047 to = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME2]), &to_id);
1049 return -IPSET_ERR_EXIST_SETNAME2;
1051 /* Features must not change.
1052 * Not an artificial restriction anymore, as we must prevent
1053 * possible loops created by swapping in setlist type of sets. */
1054 if (!(from->type->features == to->type->features &&
1055 from->family == to->family))
1056 return -IPSET_ERR_TYPE_MISMATCH;
1058 strncpy(from_name, from->name, IPSET_MAXNAMELEN);
1059 strncpy(from->name, to->name, IPSET_MAXNAMELEN);
1060 strncpy(to->name, from_name, IPSET_MAXNAMELEN);
1062 write_lock_bh(&ip_set_ref_lock);
1063 swap(from->ref, to->ref);
1064 nfnl_set(from_id) = to;
1065 nfnl_set(to_id) = from;
1066 write_unlock_bh(&ip_set_ref_lock);
1071 /* List/save set data */
1078 #define DUMP_TYPE(arg) (((u32)(arg)) & 0x0000FFFF)
1079 #define DUMP_FLAGS(arg) (((u32)(arg)) >> 16)
1082 ip_set_dump_done(struct netlink_callback *cb)
1085 pr_debug("release set %s\n", nfnl_set(cb->args[1])->name);
1086 ip_set_put_byindex((ip_set_id_t) cb->args[1]);
1092 dump_attrs(struct nlmsghdr *nlh)
1094 const struct nlattr *attr;
1097 pr_debug("dump nlmsg\n");
1098 nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) {
1099 pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len);
1104 dump_init(struct netlink_callback *cb)
1106 struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
1107 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
1108 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1109 struct nlattr *attr = (void *)nlh + min_len;
1113 /* Second pass, so parser can't fail */
1114 nla_parse(cda, IPSET_ATTR_CMD_MAX,
1115 attr, nlh->nlmsg_len - min_len, ip_set_setname_policy);
1117 /* cb->args[0] : dump single set/all sets
1119 * [..]: type specific
1122 if (cda[IPSET_ATTR_SETNAME]) {
1125 set = find_set_and_id(nla_data(cda[IPSET_ATTR_SETNAME]),
1130 dump_type = DUMP_ONE;
1131 cb->args[1] = index;
1133 dump_type = DUMP_ALL;
1135 if (cda[IPSET_ATTR_FLAGS]) {
1136 u32 f = ip_set_get_h32(cda[IPSET_ATTR_FLAGS]);
1137 dump_type |= (f << 16);
1139 cb->args[0] = dump_type;
1145 ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
1147 ip_set_id_t index = IPSET_INVALID_ID, max;
1148 struct ip_set *set = NULL;
1149 struct nlmsghdr *nlh = NULL;
1150 unsigned int flags = NETLINK_CB(cb->skb).portid ? NLM_F_MULTI : 0;
1151 u32 dump_type, dump_flags;
1155 ret = dump_init(cb);
1157 nlh = nlmsg_hdr(cb->skb);
1158 /* We have to create and send the error message
1160 if (nlh->nlmsg_flags & NLM_F_ACK)
1161 netlink_ack(cb->skb, nlh, ret);
1166 if (cb->args[1] >= ip_set_max)
1169 dump_type = DUMP_TYPE(cb->args[0]);
1170 dump_flags = DUMP_FLAGS(cb->args[0]);
1171 max = dump_type == DUMP_ONE ? cb->args[1] + 1 : ip_set_max;
1173 pr_debug("args[0]: %u %u args[1]: %ld\n",
1174 dump_type, dump_flags, cb->args[1]);
1175 for (; cb->args[1] < max; cb->args[1]++) {
1176 index = (ip_set_id_t) cb->args[1];
1177 set = nfnl_set(index);
1179 if (dump_type == DUMP_ONE) {
1185 /* When dumping all sets, we must dump "sorted"
1186 * so that lists (unions of sets) are dumped last.
1188 if (dump_type != DUMP_ONE &&
1189 ((dump_type == DUMP_ALL) ==
1190 !!(set->type->features & IPSET_DUMP_LAST)))
1192 pr_debug("List set: %s\n", set->name);
1194 /* Start listing: make sure set won't be destroyed */
1195 pr_debug("reference set\n");
1198 nlh = start_msg(skb, NETLINK_CB(cb->skb).portid,
1199 cb->nlh->nlmsg_seq, flags,
1203 goto release_refcount;
1205 if (nla_put_u8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1206 nla_put_string(skb, IPSET_ATTR_SETNAME, set->name))
1207 goto nla_put_failure;
1208 if (dump_flags & IPSET_FLAG_LIST_SETNAME)
1210 switch (cb->args[2]) {
1212 /* Core header data */
1213 if (nla_put_string(skb, IPSET_ATTR_TYPENAME,
1215 nla_put_u8(skb, IPSET_ATTR_FAMILY,
1217 nla_put_u8(skb, IPSET_ATTR_REVISION,
1219 goto nla_put_failure;
1220 ret = set->variant->head(set, skb);
1222 goto release_refcount;
1223 if (dump_flags & IPSET_FLAG_LIST_HEADER)
1225 /* Fall through and add elements */
1227 read_lock_bh(&set->lock);
1228 ret = set->variant->list(set, skb, cb);
1229 read_unlock_bh(&set->lock);
1231 /* Set is done, proceed with next one */
1233 goto release_refcount;
1236 /* If we dump all sets, continue with dumping last ones */
1237 if (dump_type == DUMP_ALL) {
1238 dump_type = DUMP_LAST;
1239 cb->args[0] = dump_type | (dump_flags << 16);
1248 if (dump_type == DUMP_ONE)
1249 cb->args[1] = IPSET_INVALID_ID;
1253 /* If there was an error or set is done, release set */
1254 if (ret || !cb->args[2]) {
1255 pr_debug("release set %s\n", nfnl_set(index)->name);
1256 ip_set_put_byindex(index);
1261 nlmsg_end(skb, nlh);
1262 pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len);
1266 return ret < 0 ? ret : skb->len;
1270 ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
1271 const struct nlmsghdr *nlh,
1272 const struct nlattr * const attr[])
1274 if (unlikely(protocol_failed(attr)))
1275 return -IPSET_ERR_PROTOCOL;
1278 struct netlink_dump_control c = {
1279 .dump = ip_set_dump_start,
1280 .done = ip_set_dump_done,
1282 return netlink_dump_start(ctnl, skb, nlh, &c);
1286 /* Add, del and test */
1288 static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
1289 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1290 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1291 .len = IPSET_MAXNAMELEN - 1 },
1292 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
1293 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
1294 [IPSET_ATTR_ADT] = { .type = NLA_NESTED },
1298 call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
1299 struct nlattr *tb[], enum ipset_adt adt,
1300 u32 flags, bool use_lineno)
1304 bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
1307 write_lock_bh(&set->lock);
1308 ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
1309 write_unlock_bh(&set->lock);
1311 } while (ret == -EAGAIN &&
1312 set->variant->resize &&
1313 (ret = set->variant->resize(set, retried)) == 0);
1315 if (!ret || (ret == -IPSET_ERR_EXIST && eexist))
1317 if (lineno && use_lineno) {
1318 /* Error in restore/batch mode: send back lineno */
1319 struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
1320 struct sk_buff *skb2;
1321 struct nlmsgerr *errmsg;
1322 size_t payload = sizeof(*errmsg) + nlmsg_len(nlh);
1323 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
1324 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1325 struct nlattr *cmdattr;
1328 skb2 = nlmsg_new(payload, GFP_KERNEL);
1331 rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid,
1332 nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
1333 errmsg = nlmsg_data(rep);
1334 errmsg->error = ret;
1335 memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
1336 cmdattr = (void *)&errmsg->msg + min_len;
1338 nla_parse(cda, IPSET_ATTR_CMD_MAX,
1339 cmdattr, nlh->nlmsg_len - min_len,
1342 errline = nla_data(cda[IPSET_ATTR_LINENO]);
1346 netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1347 /* Signal netlink not to send its ACK/errmsg. */
1355 ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
1356 const struct nlmsghdr *nlh,
1357 const struct nlattr * const attr[])
1360 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1361 const struct nlattr *nla;
1362 u32 flags = flag_exist(nlh);
1366 if (unlikely(protocol_failed(attr) ||
1367 attr[IPSET_ATTR_SETNAME] == NULL ||
1368 !((attr[IPSET_ATTR_DATA] != NULL) ^
1369 (attr[IPSET_ATTR_ADT] != NULL)) ||
1370 (attr[IPSET_ATTR_DATA] != NULL &&
1371 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1372 (attr[IPSET_ATTR_ADT] != NULL &&
1373 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1374 attr[IPSET_ATTR_LINENO] == NULL))))
1375 return -IPSET_ERR_PROTOCOL;
1377 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1381 use_lineno = !!attr[IPSET_ATTR_LINENO];
1382 if (attr[IPSET_ATTR_DATA]) {
1383 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1384 attr[IPSET_ATTR_DATA],
1385 set->type->adt_policy))
1386 return -IPSET_ERR_PROTOCOL;
1387 ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, flags,
1392 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1393 memset(tb, 0, sizeof(tb));
1394 if (nla_type(nla) != IPSET_ATTR_DATA ||
1395 !flag_nested(nla) ||
1396 nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1397 set->type->adt_policy))
1398 return -IPSET_ERR_PROTOCOL;
1399 ret = call_ad(ctnl, skb, set, tb, IPSET_ADD,
1409 ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
1410 const struct nlmsghdr *nlh,
1411 const struct nlattr * const attr[])
1414 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1415 const struct nlattr *nla;
1416 u32 flags = flag_exist(nlh);
1420 if (unlikely(protocol_failed(attr) ||
1421 attr[IPSET_ATTR_SETNAME] == NULL ||
1422 !((attr[IPSET_ATTR_DATA] != NULL) ^
1423 (attr[IPSET_ATTR_ADT] != NULL)) ||
1424 (attr[IPSET_ATTR_DATA] != NULL &&
1425 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1426 (attr[IPSET_ATTR_ADT] != NULL &&
1427 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1428 attr[IPSET_ATTR_LINENO] == NULL))))
1429 return -IPSET_ERR_PROTOCOL;
1431 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1435 use_lineno = !!attr[IPSET_ATTR_LINENO];
1436 if (attr[IPSET_ATTR_DATA]) {
1437 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1438 attr[IPSET_ATTR_DATA],
1439 set->type->adt_policy))
1440 return -IPSET_ERR_PROTOCOL;
1441 ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, flags,
1446 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1447 memset(tb, 0, sizeof(*tb));
1448 if (nla_type(nla) != IPSET_ATTR_DATA ||
1449 !flag_nested(nla) ||
1450 nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1451 set->type->adt_policy))
1452 return -IPSET_ERR_PROTOCOL;
1453 ret = call_ad(ctnl, skb, set, tb, IPSET_DEL,
1463 ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
1464 const struct nlmsghdr *nlh,
1465 const struct nlattr * const attr[])
1468 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1471 if (unlikely(protocol_failed(attr) ||
1472 attr[IPSET_ATTR_SETNAME] == NULL ||
1473 attr[IPSET_ATTR_DATA] == NULL ||
1474 !flag_nested(attr[IPSET_ATTR_DATA])))
1475 return -IPSET_ERR_PROTOCOL;
1477 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1481 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA],
1482 set->type->adt_policy))
1483 return -IPSET_ERR_PROTOCOL;
1485 read_lock_bh(&set->lock);
1486 ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
1487 read_unlock_bh(&set->lock);
1488 /* Userspace can't trigger element to be re-added */
1492 return ret > 0 ? 0 : -IPSET_ERR_EXIST;
1495 /* Get headed data of a set */
1498 ip_set_header(struct sock *ctnl, struct sk_buff *skb,
1499 const struct nlmsghdr *nlh,
1500 const struct nlattr * const attr[])
1502 const struct ip_set *set;
1503 struct sk_buff *skb2;
1504 struct nlmsghdr *nlh2;
1507 if (unlikely(protocol_failed(attr) ||
1508 attr[IPSET_ATTR_SETNAME] == NULL))
1509 return -IPSET_ERR_PROTOCOL;
1511 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1515 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1519 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1523 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1524 nla_put_string(skb2, IPSET_ATTR_SETNAME, set->name) ||
1525 nla_put_string(skb2, IPSET_ATTR_TYPENAME, set->type->name) ||
1526 nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) ||
1527 nla_put_u8(skb2, IPSET_ATTR_REVISION, set->revision))
1528 goto nla_put_failure;
1529 nlmsg_end(skb2, nlh2);
1531 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1538 nlmsg_cancel(skb2, nlh2);
1546 static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = {
1547 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1548 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
1549 .len = IPSET_MAXNAMELEN - 1 },
1550 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
1554 ip_set_type(struct sock *ctnl, struct sk_buff *skb,
1555 const struct nlmsghdr *nlh,
1556 const struct nlattr * const attr[])
1558 struct sk_buff *skb2;
1559 struct nlmsghdr *nlh2;
1560 u8 family, min, max;
1561 const char *typename;
1564 if (unlikely(protocol_failed(attr) ||
1565 attr[IPSET_ATTR_TYPENAME] == NULL ||
1566 attr[IPSET_ATTR_FAMILY] == NULL))
1567 return -IPSET_ERR_PROTOCOL;
1569 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
1570 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
1571 ret = find_set_type_minmax(typename, family, &min, &max);
1575 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1579 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1583 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1584 nla_put_string(skb2, IPSET_ATTR_TYPENAME, typename) ||
1585 nla_put_u8(skb2, IPSET_ATTR_FAMILY, family) ||
1586 nla_put_u8(skb2, IPSET_ATTR_REVISION, max) ||
1587 nla_put_u8(skb2, IPSET_ATTR_REVISION_MIN, min))
1588 goto nla_put_failure;
1589 nlmsg_end(skb2, nlh2);
1591 pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len);
1592 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1599 nlmsg_cancel(skb2, nlh2);
1605 /* Get protocol version */
1607 static const struct nla_policy
1608 ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = {
1609 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1613 ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
1614 const struct nlmsghdr *nlh,
1615 const struct nlattr * const attr[])
1617 struct sk_buff *skb2;
1618 struct nlmsghdr *nlh2;
1621 if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL))
1622 return -IPSET_ERR_PROTOCOL;
1624 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1628 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1629 IPSET_CMD_PROTOCOL);
1632 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL))
1633 goto nla_put_failure;
1634 nlmsg_end(skb2, nlh2);
1636 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1643 nlmsg_cancel(skb2, nlh2);
1649 static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
1650 [IPSET_CMD_NONE] = {
1651 .call = ip_set_none,
1652 .attr_count = IPSET_ATTR_CMD_MAX,
1654 [IPSET_CMD_CREATE] = {
1655 .call = ip_set_create,
1656 .attr_count = IPSET_ATTR_CMD_MAX,
1657 .policy = ip_set_create_policy,
1659 [IPSET_CMD_DESTROY] = {
1660 .call = ip_set_destroy,
1661 .attr_count = IPSET_ATTR_CMD_MAX,
1662 .policy = ip_set_setname_policy,
1664 [IPSET_CMD_FLUSH] = {
1665 .call = ip_set_flush,
1666 .attr_count = IPSET_ATTR_CMD_MAX,
1667 .policy = ip_set_setname_policy,
1669 [IPSET_CMD_RENAME] = {
1670 .call = ip_set_rename,
1671 .attr_count = IPSET_ATTR_CMD_MAX,
1672 .policy = ip_set_setname2_policy,
1674 [IPSET_CMD_SWAP] = {
1675 .call = ip_set_swap,
1676 .attr_count = IPSET_ATTR_CMD_MAX,
1677 .policy = ip_set_setname2_policy,
1679 [IPSET_CMD_LIST] = {
1680 .call = ip_set_dump,
1681 .attr_count = IPSET_ATTR_CMD_MAX,
1682 .policy = ip_set_setname_policy,
1684 [IPSET_CMD_SAVE] = {
1685 .call = ip_set_dump,
1686 .attr_count = IPSET_ATTR_CMD_MAX,
1687 .policy = ip_set_setname_policy,
1690 .call = ip_set_uadd,
1691 .attr_count = IPSET_ATTR_CMD_MAX,
1692 .policy = ip_set_adt_policy,
1695 .call = ip_set_udel,
1696 .attr_count = IPSET_ATTR_CMD_MAX,
1697 .policy = ip_set_adt_policy,
1699 [IPSET_CMD_TEST] = {
1700 .call = ip_set_utest,
1701 .attr_count = IPSET_ATTR_CMD_MAX,
1702 .policy = ip_set_adt_policy,
1704 [IPSET_CMD_HEADER] = {
1705 .call = ip_set_header,
1706 .attr_count = IPSET_ATTR_CMD_MAX,
1707 .policy = ip_set_setname_policy,
1709 [IPSET_CMD_TYPE] = {
1710 .call = ip_set_type,
1711 .attr_count = IPSET_ATTR_CMD_MAX,
1712 .policy = ip_set_type_policy,
1714 [IPSET_CMD_PROTOCOL] = {
1715 .call = ip_set_protocol,
1716 .attr_count = IPSET_ATTR_CMD_MAX,
1717 .policy = ip_set_protocol_policy,
1721 static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = {
1723 .subsys_id = NFNL_SUBSYS_IPSET,
1724 .cb_count = IPSET_MSG_MAX,
1725 .cb = ip_set_netlink_subsys_cb,
1728 /* Interface to iptables/ip6tables */
1731 ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
1735 int copylen = *len, ret = 0;
1737 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1739 if (optval != SO_IP_SET)
1741 if (*len < sizeof(unsigned int))
1744 data = vmalloc(*len);
1747 if (copy_from_user(data, user, *len) != 0) {
1751 op = (unsigned int *) data;
1753 if (*op < IP_SET_OP_VERSION) {
1754 /* Check the version at the beginning of operations */
1755 struct ip_set_req_version *req_version = data;
1756 if (req_version->version != IPSET_PROTOCOL) {
1763 case IP_SET_OP_VERSION: {
1764 struct ip_set_req_version *req_version = data;
1766 if (*len != sizeof(struct ip_set_req_version)) {
1771 req_version->version = IPSET_PROTOCOL;
1772 ret = copy_to_user(user, req_version,
1773 sizeof(struct ip_set_req_version));
1776 case IP_SET_OP_GET_BYNAME: {
1777 struct ip_set_req_get_set *req_get = data;
1780 if (*len != sizeof(struct ip_set_req_get_set)) {
1784 req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
1785 nfnl_lock(NFNL_SUBSYS_IPSET);
1786 find_set_and_id(req_get->set.name, &id);
1787 req_get->set.index = id;
1788 nfnl_unlock(NFNL_SUBSYS_IPSET);
1791 case IP_SET_OP_GET_BYINDEX: {
1792 struct ip_set_req_get_set *req_get = data;
1795 if (*len != sizeof(struct ip_set_req_get_set) ||
1796 req_get->set.index >= ip_set_max) {
1800 nfnl_lock(NFNL_SUBSYS_IPSET);
1801 set = nfnl_set(req_get->set.index);
1802 strncpy(req_get->set.name, set ? set->name : "",
1804 nfnl_unlock(NFNL_SUBSYS_IPSET);
1810 } /* end of switch(op) */
1813 ret = copy_to_user(user, data, copylen);
1822 static struct nf_sockopt_ops so_set __read_mostly = {
1824 .get_optmin = SO_IP_SET,
1825 .get_optmax = SO_IP_SET + 1,
1826 .get = &ip_set_sockfn_get,
1827 .owner = THIS_MODULE,
1833 struct ip_set **list;
1837 ip_set_max = max_sets;
1838 if (ip_set_max >= IPSET_INVALID_ID)
1839 ip_set_max = IPSET_INVALID_ID - 1;
1841 list = kzalloc(sizeof(struct ip_set *) * ip_set_max, GFP_KERNEL);
1845 rcu_assign_pointer(ip_set_list, list);
1846 ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
1848 pr_err("ip_set: cannot register with nfnetlink.\n");
1852 ret = nf_register_sockopt(&so_set);
1854 pr_err("SO_SET registry failed: %d\n", ret);
1855 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1860 pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL);
1867 struct ip_set **list = rcu_dereference_protected(ip_set_list, 1);
1869 /* There can't be any existing set */
1870 nf_unregister_sockopt(&so_set);
1871 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1873 pr_debug("these are the famous last words\n");
1876 module_init(ip_set_init);
1877 module_exit(ip_set_fini);