net/netfilter/ipset/ip_set_bitmap_ipmac.c

   1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
   2  *                         Patrick Schaaf <bof@bof.de>
   3  *                         Martin Josefsson <gandalf@wlug.westbo.se>
   4  * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License version 2 as
   8  * published by the Free Software Foundation.
   9  */
  10
  11 /* Kernel module implementing an IP set type: the bitmap:ip,mac type */
  12
  13 #include <linux/module.h>
  14 #include <linux/ip.h>
  15 #include <linux/etherdevice.h>
  16 #include <linux/skbuff.h>
  17 #include <linux/errno.h>
  18 #include <linux/if_ether.h>
  19 #include <linux/netlink.h>
  20 #include <linux/jiffies.h>
  21 #include <linux/timer.h>
  22 #include <net/netlink.h>
  23
  24 #include <linux/netfilter/ipset/pfxlen.h>
  25 #include <linux/netfilter/ipset/ip_set.h>
  26 #include <linux/netfilter/ipset/ip_set_timeout.h>
  27 #include <linux/netfilter/ipset/ip_set_bitmap.h>
  28
  29 MODULE_LICENSE("GPL");
  30 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
  31 MODULE_DESCRIPTION("bitmap:ip,mac type of IP sets");
  32 MODULE_ALIAS("ip_set_bitmap:ip,mac");
  33
  34 enum {
  35         MAC_EMPTY,              /* element is not set */
  36         MAC_FILLED,             /* element is set with MAC */
  37         MAC_UNSET,              /* element is set, without MAC */
  38 };
  39
  40 /* Type structure */
  41 struct bitmap_ipmac {
  42         void *members;          /* the set members */
  43         u32 first_ip;           /* host byte order, included in range */
  44         u32 last_ip;            /* host byte order, included in range */
  45         u32 timeout;            /* timeout value */
  46         struct timer_list gc;   /* garbage collector */
  47         size_t dsize;           /* size of element */
  48 };
  49
  50 /* ADT structure for generic function args */
  51 struct ipmac {
  52         u32 id;                 /* id in array */
  53         unsigned char *ether;   /* ethernet address */
  54 };
  55
  56 /* Member element without and with timeout */
  57
  58 struct ipmac_elem {
  59         unsigned char ether[ETH_ALEN];
  60         unsigned char match;
  61 } __attribute__ ((aligned));
  62
  63 struct ipmac_telem {
  64         unsigned char ether[ETH_ALEN];
  65         unsigned char match;
  66         unsigned long timeout;
  67 } __attribute__ ((aligned));
  68
  69 static inline void *
  70 bitmap_ipmac_elem(const struct bitmap_ipmac *map, u32 id)
  71 {
  72         return (void *)((char *)map->members + id * map->dsize);
  73 }
  74
  75 static inline bool
  76 bitmap_timeout(const struct bitmap_ipmac *map, u32 id)
  77 {
  78         const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id);
  79
  80         return ip_set_timeout_test(elem->timeout);
  81 }
  82
  83 static inline bool
  84 bitmap_expired(const struct bitmap_ipmac *map, u32 id)
  85 {
  86         const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id);
  87
  88         return ip_set_timeout_expired(elem->timeout);
  89 }
  90
  91 static inline int
  92 bitmap_ipmac_exist(const struct ipmac_telem *elem)
  93 {
  94         return elem->match == MAC_UNSET ||
  95                (elem->match == MAC_FILLED &&
  96                 !ip_set_timeout_expired(elem->timeout));
  97 }
  98
  99 /* Base variant */
 100
 101 static int
 102 bitmap_ipmac_test(struct ip_set *set, void *value, u32 timeout)
 103 {
 104         const struct bitmap_ipmac *map = set->data;
 105         const struct ipmac *data = value;
 106         const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
 107
 108         switch (elem->match) {
 109         case MAC_UNSET:
 110                 /* Trigger kernel to fill out the ethernet address */
 111                 return -EAGAIN;
 112         case MAC_FILLED:
 113                 return data->ether == NULL ||
 114                        compare_ether_addr(data->ether, elem->ether) == 0;
 115         }
 116         return 0;
 117 }
 118
 119 static int
 120 bitmap_ipmac_add(struct ip_set *set, void *value, u32 timeout)
 121 {
 122         struct bitmap_ipmac *map = set->data;
 123         const struct ipmac *data = value;
 124         struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
 125
 126         switch (elem->match) {
 127         case MAC_UNSET:
 128                 if (!data->ether)
 129                         /* Already added without ethernet address */
 130                         return -IPSET_ERR_EXIST;
 131                 /* Fill the MAC address */
 132                 memcpy(elem->ether, data->ether, ETH_ALEN);
 133                 elem->match = MAC_FILLED;
 134                 break;
 135         case MAC_FILLED:
 136                 return -IPSET_ERR_EXIST;
 137         case MAC_EMPTY:
 138                 if (data->ether) {
 139                         memcpy(elem->ether, data->ether, ETH_ALEN);
 140                         elem->match = MAC_FILLED;
 141                 } else
 142                         elem->match = MAC_UNSET;
 143         }
 144
 145         return 0;
 146 }
 147
 148 static int
 149 bitmap_ipmac_del(struct ip_set *set, void *value, u32 timeout)
 150 {
 151         struct bitmap_ipmac *map = set->data;
 152         const struct ipmac *data = value;
 153         struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
 154
 155         if (elem->match == MAC_EMPTY)
 156                 return -IPSET_ERR_EXIST;
 157
 158         elem->match = MAC_EMPTY;
 159
 160         return 0;
 161 }
 162
 163 static int
 164 bitmap_ipmac_list(const struct ip_set *set,
 165                   struct sk_buff *skb, struct netlink_callback *cb)
 166 {
 167         const struct bitmap_ipmac *map = set->data;
 168         const struct ipmac_elem *elem;
 169         struct nlattr *atd, *nested;
 170         u32 id, first = cb->args[2];
 171         u32 last = map->last_ip - map->first_ip;
 172
 173         atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
 174         if (!atd)
 175                 return -EMSGSIZE;
 176         for (; cb->args[2] <= last; cb->args[2]++) {
 177                 id = cb->args[2];
 178                 elem = bitmap_ipmac_elem(map, id);
 179                 if (elem->match == MAC_EMPTY)
 180                         continue;
 181                 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
 182                 if (!nested) {
 183                         if (id == first) {
 184                                 nla_nest_cancel(skb, atd);
 185                                 return -EMSGSIZE;
 186                         } else
 187                                 goto nla_put_failure;
 188                 }
 189                 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
 190                                 htonl(map->first_ip + id));
 191                 if (elem->match == MAC_FILLED)
 192                         NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
 193                                 elem->ether);
 194                 ipset_nest_end(skb, nested);
 195         }
 196         ipset_nest_end(skb, atd);
 197         /* Set listing finished */
 198         cb->args[2] = 0;
 199
 200         return 0;
 201
 202 nla_put_failure:
 203         nla_nest_cancel(skb, nested);
 204         ipset_nest_end(skb, atd);
 205         if (unlikely(id == first)) {
 206                 cb->args[2] = 0;
 207                 return -EMSGSIZE;
 208         }
 209         return 0;
 210 }
 211
 212 /* Timeout variant */
 213
 214 static int
 215 bitmap_ipmac_ttest(struct ip_set *set, void *value, u32 timeout)
 216 {
 217         const struct bitmap_ipmac *map = set->data;
 218         const struct ipmac *data = value;
 219         const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
 220
 221         switch (elem->match) {
 222         case MAC_UNSET:
 223                 /* Trigger kernel to fill out the ethernet address */
 224                 return -EAGAIN;
 225         case MAC_FILLED:
 226                 return (data->ether == NULL ||
 227                         compare_ether_addr(data->ether, elem->ether) == 0) &&
 228                        !bitmap_expired(map, data->id);
 229         }
 230         return 0;
 231 }
 232
 233 static int
 234 bitmap_ipmac_tadd(struct ip_set *set, void *value, u32 timeout)
 235 {
 236         struct bitmap_ipmac *map = set->data;
 237         const struct ipmac *data = value;
 238         struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id);
 239
 240         switch (elem->match) {
 241         case MAC_UNSET:
 242                 if (!data->ether)
 243                         /* Already added without ethernet address */
 244                         return -IPSET_ERR_EXIST;
 245                 /* Fill the MAC address and activate the timer */
 246                 memcpy(elem->ether, data->ether, ETH_ALEN);
 247                 elem->match = MAC_FILLED;
 248                 if (timeout == map->timeout)
 249                         /* Timeout was not specified, get stored one */
 250                         timeout = elem->timeout;
 251                 elem->timeout = ip_set_timeout_set(timeout);
 252                 break;
 253         case MAC_FILLED:
 254                 if (!bitmap_expired(map, data->id))
 255                         return -IPSET_ERR_EXIST;
 256                 /* Fall through */
 257         case MAC_EMPTY:
 258                 if (data->ether) {
 259                         memcpy(elem->ether, data->ether, ETH_ALEN);
 260                         elem->match = MAC_FILLED;
 261                 } else
 262                         elem->match = MAC_UNSET;
 263                 /* If MAC is unset yet, we store plain timeout value
 264                  * because the timer is not activated yet
 265                  * and we can reuse it later when MAC is filled out,
 266                  * possibly by the kernel */
 267                 elem->timeout = data->ether ? ip_set_timeout_set(timeout)
 268                                             : timeout;
 269                 break;
 270         }
 271
 272         return 0;
 273 }
 274
 275 static int
 276 bitmap_ipmac_tdel(struct ip_set *set, void *value, u32 timeout)
 277 {
 278         struct bitmap_ipmac *map = set->data;
 279         const struct ipmac *data = value;
 280         struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id);
 281
 282         if (elem->match == MAC_EMPTY || bitmap_expired(map, data->id))
 283                 return -IPSET_ERR_EXIST;
 284
 285         elem->match = MAC_EMPTY;
 286
 287         return 0;
 288 }
 289
 290 static int
 291 bitmap_ipmac_tlist(const struct ip_set *set,
 292                    struct sk_buff *skb, struct netlink_callback *cb)
 293 {
 294         const struct bitmap_ipmac *map = set->data;
 295         const struct ipmac_telem *elem;
 296         struct nlattr *atd, *nested;
 297         u32 id, first = cb->args[2];
 298         u32 timeout, last = map->last_ip - map->first_ip;
 299
 300         atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
 301         if (!atd)
 302                 return -EMSGSIZE;
 303         for (; cb->args[2] <= last; cb->args[2]++) {
 304                 id = cb->args[2];
 305                 elem = bitmap_ipmac_elem(map, id);
 306                 if (!bitmap_ipmac_exist(elem))
 307                         continue;
 308                 nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
 309                 if (!nested) {
 310                         if (id == first) {
 311                                 nla_nest_cancel(skb, atd);
 312                                 return -EMSGSIZE;
 313                         } else
 314                                 goto nla_put_failure;
 315                 }
 316                 NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
 317                                 htonl(map->first_ip + id));
 318                 if (elem->match == MAC_FILLED)
 319                         NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
 320                                 elem->ether);
 321                 timeout = elem->match == MAC_UNSET ? elem->timeout
 322                                 : ip_set_timeout_get(elem->timeout);
 323                 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(timeout));
 324                 ipset_nest_end(skb, nested);
 325         }
 326         ipset_nest_end(skb, atd);
 327         /* Set listing finished */
 328         cb->args[2] = 0;
 329
 330         return 0;
 331
 332 nla_put_failure:
 333         nla_nest_cancel(skb, nested);
 334         ipset_nest_end(skb, atd);
 335         return -EMSGSIZE;
 336 }
 337
 338 static int
 339 bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
 340                   enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
 341 {
 342         struct bitmap_ipmac *map = set->data;
 343         ipset_adtfn adtfn = set->variant->adt[adt];
 344         struct ipmac data;
 345
 346         data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
 347         if (data.id < map->first_ip || data.id > map->last_ip)
 348                 return -IPSET_ERR_BITMAP_RANGE;
 349
 350         /* Backward compatibility: we don't check the second flag */
 351         if (skb_mac_header(skb) < skb->head ||
 352             (skb_mac_header(skb) + ETH_HLEN) > skb->data)
 353                 return -EINVAL;
 354
 355         data.id -= map->first_ip;
 356         data.ether = eth_hdr(skb)->h_source;
 357
 358         return adtfn(set, &data, map->timeout);
 359 }
 360
 361 static int
 362 bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
 363                   enum ipset_adt adt, u32 *lineno, u32 flags)
 364 {
 365         const struct bitmap_ipmac *map = set->data;
 366         ipset_adtfn adtfn = set->variant->adt[adt];
 367         struct ipmac data;
 368         u32 timeout = map->timeout;
 369         int ret = 0;
 370
 371         if (unlikely(!tb[IPSET_ATTR_IP] ||
 372                      !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 373                 return -IPSET_ERR_PROTOCOL;
 374
 375         if (tb[IPSET_ATTR_LINENO])
 376                 *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
 377
 378         ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &data.id);
 379         if (ret)
 380                 return ret;
 381
 382         if (data.id < map->first_ip || data.id > map->last_ip)
 383                 return -IPSET_ERR_BITMAP_RANGE;
 384
 385         if (tb[IPSET_ATTR_ETHER])
 386                 data.ether = nla_data(tb[IPSET_ATTR_ETHER]);
 387         else
 388                 data.ether = NULL;
 389
 390         if (tb[IPSET_ATTR_TIMEOUT]) {
 391                 if (!with_timeout(map->timeout))
 392                         return -IPSET_ERR_TIMEOUT;
 393                 timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 394         }
 395
 396         data.id -= map->first_ip;
 397
 398         ret = adtfn(set, &data, timeout);
 399
 400         return ip_set_eexist(ret, flags) ? 0 : ret;
 401 }
 402
 403 static void
 404 bitmap_ipmac_destroy(struct ip_set *set)
 405 {
 406         struct bitmap_ipmac *map = set->data;
 407
 408         if (with_timeout(map->timeout))
 409                 del_timer_sync(&map->gc);
 410
 411         ip_set_free(map->members);
 412         kfree(map);
 413
 414         set->data = NULL;
 415 }
 416
 417 static void
 418 bitmap_ipmac_flush(struct ip_set *set)
 419 {
 420         struct bitmap_ipmac *map = set->data;
 421
 422         memset(map->members, 0,
 423                (map->last_ip - map->first_ip + 1) * map->dsize);
 424 }
 425
 426 static int
 427 bitmap_ipmac_head(struct ip_set *set, struct sk_buff *skb)
 428 {
 429         const struct bitmap_ipmac *map = set->data;
 430         struct nlattr *nested;
 431
 432         nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
 433         if (!nested)
 434                 goto nla_put_failure;
 435         NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip));
 436         NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip));
 437         NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
 438         NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
 439                       htonl(sizeof(*map)
 440                             + (map->last_ip - map->first_ip + 1) * map->dsize));
 441         if (with_timeout(map->timeout))
 442                 NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
 443         ipset_nest_end(skb, nested);
 444
 445         return 0;
 446 nla_put_failure:
 447         return -EMSGSIZE;
 448 }
 449
 450 static bool
 451 bitmap_ipmac_same_set(const struct ip_set *a, const struct ip_set *b)
 452 {
 453         const struct bitmap_ipmac *x = a->data;
 454         const struct bitmap_ipmac *y = b->data;
 455
 456         return x->first_ip == y->first_ip &&
 457                x->last_ip == y->last_ip &&
 458                x->timeout == y->timeout;
 459 }
 460
 461 static const struct ip_set_type_variant bitmap_ipmac = {
 462         .kadt   = bitmap_ipmac_kadt,
 463         .uadt   = bitmap_ipmac_uadt,
 464         .adt    = {
 465                 [IPSET_ADD] = bitmap_ipmac_add,
 466                 [IPSET_DEL] = bitmap_ipmac_del,
 467                 [IPSET_TEST] = bitmap_ipmac_test,
 468         },
 469         .destroy = bitmap_ipmac_destroy,
 470         .flush  = bitmap_ipmac_flush,
 471         .head   = bitmap_ipmac_head,
 472         .list   = bitmap_ipmac_list,
 473         .same_set = bitmap_ipmac_same_set,
 474 };
 475
 476 static const struct ip_set_type_variant bitmap_tipmac = {
 477         .kadt   = bitmap_ipmac_kadt,
 478         .uadt   = bitmap_ipmac_uadt,
 479         .adt    = {
 480                 [IPSET_ADD] = bitmap_ipmac_tadd,
 481                 [IPSET_DEL] = bitmap_ipmac_tdel,
 482                 [IPSET_TEST] = bitmap_ipmac_ttest,
 483         },
 484         .destroy = bitmap_ipmac_destroy,
 485         .flush  = bitmap_ipmac_flush,
 486         .head   = bitmap_ipmac_head,
 487         .list   = bitmap_ipmac_tlist,
 488         .same_set = bitmap_ipmac_same_set,
 489 };
 490
 491 static void
 492 bitmap_ipmac_gc(unsigned long ul_set)
 493 {
 494         struct ip_set *set = (struct ip_set *) ul_set;
 495         struct bitmap_ipmac *map = set->data;
 496         struct ipmac_telem *elem;
 497         u32 id, last = map->last_ip - map->first_ip;
 498
 499         /* We run parallel with other readers (test element)
 500          * but adding/deleting new entries is locked out */
 501         read_lock_bh(&set->lock);
 502         for (id = 0; id <= last; id++) {
 503                 elem = bitmap_ipmac_elem(map, id);
 504                 if (elem->match == MAC_FILLED &&
 505                     ip_set_timeout_expired(elem->timeout))
 506                         elem->match = MAC_EMPTY;
 507         }
 508         read_unlock_bh(&set->lock);
 509
 510         map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
 511         add_timer(&map->gc);
 512 }
 513
 514 static void
 515 bitmap_ipmac_gc_init(struct ip_set *set)
 516 {
 517         struct bitmap_ipmac *map = set->data;
 518
 519         init_timer(&map->gc);
 520         map->gc.data = (unsigned long) set;
 521         map->gc.function = bitmap_ipmac_gc;
 522         map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
 523         add_timer(&map->gc);
 524 }
 525
 526 /* Create bitmap:ip,mac type of sets */
 527
 528 static bool
 529 init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
 530                u32 first_ip, u32 last_ip)
 531 {
 532         map->members = ip_set_alloc((last_ip - first_ip + 1) * map->dsize);
 533         if (!map->members)
 534                 return false;
 535         map->first_ip = first_ip;
 536         map->last_ip = last_ip;
 537         map->timeout = IPSET_NO_TIMEOUT;
 538
 539         set->data = map;
 540         set->family = AF_INET;
 541
 542         return true;
 543 }
 544
 545 static int
 546 bitmap_ipmac_create(struct ip_set *set, struct nlattr *tb[],
 547                     u32 flags)
 548 {
 549         u32 first_ip, last_ip, elements;
 550         struct bitmap_ipmac *map;
 551         int ret;
 552
 553         if (unlikely(!tb[IPSET_ATTR_IP] ||
 554                      !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
 555                 return -IPSET_ERR_PROTOCOL;
 556
 557         ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &first_ip);
 558         if (ret)
 559                 return ret;
 560
 561         if (tb[IPSET_ATTR_IP_TO]) {
 562                 ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &last_ip);
 563                 if (ret)
 564                         return ret;
 565                 if (first_ip > last_ip) {
 566                         u32 tmp = first_ip;
 567
 568                         first_ip = last_ip;
 569                         last_ip = tmp;
 570                 }
 571         } else if (tb[IPSET_ATTR_CIDR]) {
 572                 u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 573
 574                 if (cidr >= 32)
 575                         return -IPSET_ERR_INVALID_CIDR;
 576                 last_ip = first_ip | ~ip_set_hostmask(cidr);
 577         } else
 578                 return -IPSET_ERR_PROTOCOL;
 579
 580         elements = last_ip - first_ip + 1;
 581
 582         if (elements > IPSET_BITMAP_MAX_RANGE + 1)
 583                 return -IPSET_ERR_BITMAP_RANGE_SIZE;
 584
 585         map = kzalloc(sizeof(*map), GFP_KERNEL);
 586         if (!map)
 587                 return -ENOMEM;
 588
 589         if (tb[IPSET_ATTR_TIMEOUT]) {
 590                 map->dsize = sizeof(struct ipmac_telem);
 591
 592                 if (!init_map_ipmac(set, map, first_ip, last_ip)) {
 593                         kfree(map);
 594                         return -ENOMEM;
 595                 }
 596
 597                 map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 598
 599                 set->variant = &bitmap_tipmac;
 600
 601                 bitmap_ipmac_gc_init(set);
 602         } else {
 603                 map->dsize = sizeof(struct ipmac_elem);
 604
 605                 if (!init_map_ipmac(set, map, first_ip, last_ip)) {
 606                         kfree(map);
 607                         return -ENOMEM;
 608                 }
 609                 set->variant = &bitmap_ipmac;
 610
 611         }
 612         return 0;
 613 }
 614
 615 static struct ip_set_type bitmap_ipmac_type = {
 616         .name           = "bitmap:ip,mac",
 617         .protocol       = IPSET_PROTOCOL,
 618         .features       = IPSET_TYPE_IP | IPSET_TYPE_MAC,
 619         .dimension      = IPSET_DIM_TWO,
 620         .family         = AF_INET,
 621         .revision       = 0,
 622         .create         = bitmap_ipmac_create,
 623         .create_policy  = {
 624                 [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
 625                 [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
 626                 [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
 627                 [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
 628         },
 629         .adt_policy     = {
 630                 [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
 631                 [IPSET_ATTR_ETHER]      = { .type = NLA_BINARY, .len  = ETH_ALEN },
 632                 [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
 633                 [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
 634         },
 635         .me             = THIS_MODULE,
 636 };
 637
 638 static int __init
 639 bitmap_ipmac_init(void)
 640 {
 641         return ip_set_type_register(&bitmap_ipmac_type);
 642 }
 643
 644 static void __exit
 645 bitmap_ipmac_fini(void)
 646 {
 647         ip_set_type_unregister(&bitmap_ipmac_type);
 648 }
 649
 650 module_init(bitmap_ipmac_init);
 651 module_exit(bitmap_ipmac_fini);