1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
10 /* Kernel module for IP set management */
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/moduleparam.h>
16 #include <linux/skbuff.h>
17 #include <linux/spinlock.h>
18 #include <linux/netlink.h>
19 #include <linux/rculist.h>
20 #include <net/netlink.h>
22 #include <linux/netfilter.h>
23 #include <linux/netfilter/x_tables.h>
24 #include <linux/netfilter/nfnetlink.h>
25 #include <linux/netfilter/ipset/ip_set.h>
27 static LIST_HEAD(ip_set_type_list); /* all registered set types */
28 static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */
29 static DEFINE_RWLOCK(ip_set_ref_lock); /* protects the set refs */
31 static struct ip_set **ip_set_list; /* all individual sets */
32 static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */
34 #define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
36 static unsigned int max_sets;
38 module_param(max_sets, int, 0600);
39 MODULE_PARM_DESC(max_sets, "maximal number of sets");
40 MODULE_LICENSE("GPL");
41 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
42 MODULE_DESCRIPTION("core IP set support");
43 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
46 * The set types are implemented in modules and registered set types
47 * can be found in ip_set_type_list. Adding/deleting types is
48 * serialized by ip_set_type_mutex.
52 ip_set_type_lock(void)
54 mutex_lock(&ip_set_type_mutex);
58 ip_set_type_unlock(void)
60 mutex_unlock(&ip_set_type_mutex);
63 /* Register and deregister settype */
65 static struct ip_set_type *
66 find_set_type(const char *name, u8 family, u8 revision)
68 struct ip_set_type *type;
70 list_for_each_entry_rcu(type, &ip_set_type_list, list)
71 if (STREQ(type->name, name) &&
72 (type->family == family || type->family == AF_UNSPEC) &&
73 revision >= type->revision_min &&
74 revision <= type->revision_max)
79 /* Unlock, try to load a set type module and lock again */
81 try_to_load_type(const char *name)
84 pr_debug("try to load ip_set_%s\n", name);
85 if (request_module("ip_set_%s", name) < 0) {
86 pr_warning("Can't find ip_set type %s\n", name);
88 return -IPSET_ERR_FIND_TYPE;
94 /* Find a set type and reference it */
96 find_set_type_get(const char *name, u8 family, u8 revision,
97 struct ip_set_type **found)
99 struct ip_set_type *type;
103 *found = find_set_type(name, family, revision);
105 err = !try_module_get((*found)->me) ? -EFAULT : 0;
108 /* Make sure the type is loaded but we don't support the revision */
109 list_for_each_entry_rcu(type, &ip_set_type_list, list)
110 if (STREQ(type->name, name)) {
111 err = -IPSET_ERR_FIND_TYPE;
116 return try_to_load_type(name);
123 /* Find a given set type by name and family.
124 * If we succeeded, the supported minimal and maximum revisions are
128 find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max)
130 struct ip_set_type *type;
133 *min = 255; *max = 0;
135 list_for_each_entry_rcu(type, &ip_set_type_list, list)
136 if (STREQ(type->name, name) &&
137 (type->family == family || type->family == AF_UNSPEC)) {
139 if (type->revision_min < *min)
140 *min = type->revision_min;
141 if (type->revision_max > *max)
142 *max = type->revision_max;
148 return try_to_load_type(name);
151 #define family_name(f) ((f) == AF_INET ? "inet" : \
152 (f) == AF_INET6 ? "inet6" : "any")
154 /* Register a set type structure. The type is identified by
155 * the unique triple of name, family and revision.
158 ip_set_type_register(struct ip_set_type *type)
162 if (type->protocol != IPSET_PROTOCOL) {
163 pr_warning("ip_set type %s, family %s, revision %u:%u uses "
164 "wrong protocol version %u (want %u)\n",
165 type->name, family_name(type->family),
166 type->revision_min, type->revision_max,
167 type->protocol, IPSET_PROTOCOL);
172 if (find_set_type(type->name, type->family, type->revision_min)) {
174 pr_warning("ip_set type %s, family %s with revision min %u "
175 "already registered!\n", type->name,
176 family_name(type->family), type->revision_min);
180 list_add_rcu(&type->list, &ip_set_type_list);
181 pr_debug("type %s, family %s, revision %u:%u registered.\n",
182 type->name, family_name(type->family),
183 type->revision_min, type->revision_max);
185 ip_set_type_unlock();
188 EXPORT_SYMBOL_GPL(ip_set_type_register);
190 /* Unregister a set type. There's a small race with ip_set_create */
192 ip_set_type_unregister(struct ip_set_type *type)
195 if (!find_set_type(type->name, type->family, type->revision_min)) {
196 pr_warning("ip_set type %s, family %s with revision min %u "
197 "not registered\n", type->name,
198 family_name(type->family), type->revision_min);
201 list_del_rcu(&type->list);
202 pr_debug("type %s, family %s with revision min %u unregistered.\n",
203 type->name, family_name(type->family), type->revision_min);
205 ip_set_type_unlock();
209 EXPORT_SYMBOL_GPL(ip_set_type_unregister);
211 /* Utility functions */
213 ip_set_alloc(size_t size)
215 void *members = NULL;
217 if (size < KMALLOC_MAX_SIZE)
218 members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
221 pr_debug("%p: allocated with kmalloc\n", members);
225 members = vzalloc(size);
228 pr_debug("%p: allocated with vmalloc\n", members);
232 EXPORT_SYMBOL_GPL(ip_set_alloc);
235 ip_set_free(void *members)
237 pr_debug("%p: free with %s\n", members,
238 is_vmalloc_addr(members) ? "vfree" : "kfree");
239 if (is_vmalloc_addr(members))
244 EXPORT_SYMBOL_GPL(ip_set_free);
247 flag_nested(const struct nlattr *nla)
249 return nla->nla_type & NLA_F_NESTED;
252 static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
253 [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 },
254 [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY,
255 .len = sizeof(struct in6_addr) },
259 ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr)
261 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
263 if (unlikely(!flag_nested(nla)))
264 return -IPSET_ERR_PROTOCOL;
265 if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
266 return -IPSET_ERR_PROTOCOL;
267 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4)))
268 return -IPSET_ERR_PROTOCOL;
270 *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]);
273 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4);
276 ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
278 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
280 if (unlikely(!flag_nested(nla)))
281 return -IPSET_ERR_PROTOCOL;
283 if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
284 return -IPSET_ERR_PROTOCOL;
285 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6)))
286 return -IPSET_ERR_PROTOCOL;
288 memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]),
289 sizeof(struct in6_addr));
292 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
295 * Creating/destroying/renaming/swapping affect the existence and
296 * the properties of a set. All of these can be executed from userspace
297 * only and serialized by the nfnl mutex indirectly from nfnetlink.
299 * Sets are identified by their index in ip_set_list and the index
300 * is used by the external references (set/SET netfilter modules).
302 * The set behind an index may change by swapping only, from userspace.
306 __ip_set_get(ip_set_id_t index)
308 write_lock_bh(&ip_set_ref_lock);
309 ip_set_list[index]->ref++;
310 write_unlock_bh(&ip_set_ref_lock);
314 __ip_set_put(ip_set_id_t index)
316 write_lock_bh(&ip_set_ref_lock);
317 BUG_ON(ip_set_list[index]->ref == 0);
318 ip_set_list[index]->ref--;
319 write_unlock_bh(&ip_set_ref_lock);
323 * Add, del and test set entries from kernel.
325 * The set behind the index must exist and must be referenced
326 * so it can't be destroyed (or changed) under our foot.
330 ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
331 const struct xt_action_param *par,
332 const struct ip_set_adt_opt *opt)
334 struct ip_set *set = ip_set_list[index];
338 pr_debug("set %s, index %u\n", set->name, index);
340 if (opt->dim < set->type->dimension ||
341 !(opt->family == set->family || set->family == AF_UNSPEC))
344 read_lock_bh(&set->lock);
345 ret = set->variant->kadt(set, skb, par, IPSET_TEST, opt);
346 read_unlock_bh(&set->lock);
348 if (ret == -EAGAIN) {
349 /* Type requests element to be completed */
350 pr_debug("element must be competed, ADD is triggered\n");
351 write_lock_bh(&set->lock);
352 set->variant->kadt(set, skb, par, IPSET_ADD, opt);
353 write_unlock_bh(&set->lock);
357 /* Convert error codes to nomatch */
358 return (ret < 0 ? 0 : ret);
360 EXPORT_SYMBOL_GPL(ip_set_test);
363 ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
364 const struct xt_action_param *par,
365 const struct ip_set_adt_opt *opt)
367 struct ip_set *set = ip_set_list[index];
371 pr_debug("set %s, index %u\n", set->name, index);
373 if (opt->dim < set->type->dimension ||
374 !(opt->family == set->family || set->family == AF_UNSPEC))
377 write_lock_bh(&set->lock);
378 ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt);
379 write_unlock_bh(&set->lock);
383 EXPORT_SYMBOL_GPL(ip_set_add);
386 ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
387 const struct xt_action_param *par,
388 const struct ip_set_adt_opt *opt)
390 struct ip_set *set = ip_set_list[index];
394 pr_debug("set %s, index %u\n", set->name, index);
396 if (opt->dim < set->type->dimension ||
397 !(opt->family == set->family || set->family == AF_UNSPEC))
400 write_lock_bh(&set->lock);
401 ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt);
402 write_unlock_bh(&set->lock);
406 EXPORT_SYMBOL_GPL(ip_set_del);
409 * Find set by name, reference it once. The reference makes sure the
410 * thing pointed to, does not go away under our feet.
414 ip_set_get_byname(const char *name, struct ip_set **set)
416 ip_set_id_t i, index = IPSET_INVALID_ID;
419 for (i = 0; i < ip_set_max; i++) {
421 if (s != NULL && STREQ(s->name, name)) {
430 EXPORT_SYMBOL_GPL(ip_set_get_byname);
433 * If the given set pointer points to a valid set, decrement
434 * reference count by 1. The caller shall not assume the index
435 * to be valid, after calling this function.
439 ip_set_put_byindex(ip_set_id_t index)
441 if (ip_set_list[index] != NULL)
444 EXPORT_SYMBOL_GPL(ip_set_put_byindex);
447 * Get the name of a set behind a set index.
448 * We assume the set is referenced, so it does exist and
449 * can't be destroyed. The set cannot be renamed due to
450 * the referencing either.
454 ip_set_name_byindex(ip_set_id_t index)
456 const struct ip_set *set = ip_set_list[index];
459 BUG_ON(set->ref == 0);
461 /* Referenced, so it's safe */
464 EXPORT_SYMBOL_GPL(ip_set_name_byindex);
467 * Routines to call by external subsystems, which do not
468 * call nfnl_lock for us.
472 * Find set by name, reference it once. The reference makes sure the
473 * thing pointed to, does not go away under our feet.
475 * The nfnl mutex is used in the function.
478 ip_set_nfnl_get(const char *name)
484 index = ip_set_get_byname(name, &s);
489 EXPORT_SYMBOL_GPL(ip_set_nfnl_get);
492 * Find set by index, reference it once. The reference makes sure the
493 * thing pointed to, does not go away under our feet.
495 * The nfnl mutex is used in the function.
498 ip_set_nfnl_get_byindex(ip_set_id_t index)
500 if (index > ip_set_max)
501 return IPSET_INVALID_ID;
504 if (ip_set_list[index])
507 index = IPSET_INVALID_ID;
512 EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex);
515 * If the given set pointer points to a valid set, decrement
516 * reference count by 1. The caller shall not assume the index
517 * to be valid, after calling this function.
519 * The nfnl mutex is used in the function.
522 ip_set_nfnl_put(ip_set_id_t index)
525 ip_set_put_byindex(index);
528 EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
531 * Communication protocol with userspace over netlink.
533 * The commands are serialized by the nfnl mutex.
537 protocol_failed(const struct nlattr * const tb[])
539 return !tb[IPSET_ATTR_PROTOCOL] ||
540 nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL;
544 flag_exist(const struct nlmsghdr *nlh)
546 return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST;
549 static struct nlmsghdr *
550 start_msg(struct sk_buff *skb, u32 pid, u32 seq, unsigned int flags,
553 struct nlmsghdr *nlh;
554 struct nfgenmsg *nfmsg;
556 nlh = nlmsg_put(skb, pid, seq, cmd | (NFNL_SUBSYS_IPSET << 8),
557 sizeof(*nfmsg), flags);
561 nfmsg = nlmsg_data(nlh);
562 nfmsg->nfgen_family = AF_INET;
563 nfmsg->version = NFNETLINK_V0;
571 static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = {
572 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
573 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
574 .len = IPSET_MAXNAMELEN - 1 },
575 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
576 .len = IPSET_MAXNAMELEN - 1},
577 [IPSET_ATTR_REVISION] = { .type = NLA_U8 },
578 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
579 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
583 find_set_id(const char *name)
585 ip_set_id_t i, index = IPSET_INVALID_ID;
586 const struct ip_set *set;
588 for (i = 0; index == IPSET_INVALID_ID && i < ip_set_max; i++) {
589 set = ip_set_list[i];
590 if (set != NULL && STREQ(set->name, name))
596 static inline struct ip_set *
597 find_set(const char *name)
599 ip_set_id_t index = find_set_id(name);
601 return index == IPSET_INVALID_ID ? NULL : ip_set_list[index];
605 find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set)
609 *index = IPSET_INVALID_ID;
610 for (i = 0; i < ip_set_max; i++) {
611 if (ip_set_list[i] == NULL) {
612 if (*index == IPSET_INVALID_ID)
614 } else if (STREQ(name, ip_set_list[i]->name)) {
616 *set = ip_set_list[i];
620 if (*index == IPSET_INVALID_ID)
621 /* No free slot remained */
622 return -IPSET_ERR_MAX_SETS;
627 ip_set_create(struct sock *ctnl, struct sk_buff *skb,
628 const struct nlmsghdr *nlh,
629 const struct nlattr * const attr[])
631 struct ip_set *set, *clash = NULL;
632 ip_set_id_t index = IPSET_INVALID_ID;
633 struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {};
634 const char *name, *typename;
636 u32 flags = flag_exist(nlh);
639 if (unlikely(protocol_failed(attr) ||
640 attr[IPSET_ATTR_SETNAME] == NULL ||
641 attr[IPSET_ATTR_TYPENAME] == NULL ||
642 attr[IPSET_ATTR_REVISION] == NULL ||
643 attr[IPSET_ATTR_FAMILY] == NULL ||
644 (attr[IPSET_ATTR_DATA] != NULL &&
645 !flag_nested(attr[IPSET_ATTR_DATA]))))
646 return -IPSET_ERR_PROTOCOL;
648 name = nla_data(attr[IPSET_ATTR_SETNAME]);
649 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
650 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
651 revision = nla_get_u8(attr[IPSET_ATTR_REVISION]);
652 pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
653 name, typename, family_name(family), revision);
656 * First, and without any locks, allocate and initialize
657 * a normal base set structure.
659 set = kzalloc(sizeof(struct ip_set), GFP_KERNEL);
662 rwlock_init(&set->lock);
663 strlcpy(set->name, name, IPSET_MAXNAMELEN);
664 set->family = family;
665 set->revision = revision;
668 * Next, check that we know the type, and take
669 * a reference on the type, to make sure it stays available
670 * while constructing our new set.
672 * After referencing the type, we try to create the type
673 * specific part of the set without holding any locks.
675 ret = find_set_type_get(typename, family, revision, &(set->type));
680 * Without holding any locks, create private part.
682 if (attr[IPSET_ATTR_DATA] &&
683 nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA],
684 set->type->create_policy)) {
685 ret = -IPSET_ERR_PROTOCOL;
689 ret = set->type->create(set, tb, flags);
693 /* BTW, ret==0 here. */
696 * Here, we have a valid, constructed set and we are protected
697 * by the nfnl mutex. Find the first free index in ip_set_list
698 * and check clashing.
700 if ((ret = find_free_id(set->name, &index, &clash)) != 0) {
701 /* If this is the same set and requested, ignore error */
702 if (ret == -EEXIST &&
703 (flags & IPSET_FLAG_EXIST) &&
704 STREQ(set->type->name, clash->type->name) &&
705 set->type->family == clash->type->family &&
706 set->type->revision_min == clash->type->revision_min &&
707 set->type->revision_max == clash->type->revision_max &&
708 set->variant->same_set(set, clash))
714 * Finally! Add our shiny new set to the list, and be done.
716 pr_debug("create: '%s' created with index %u!\n", set->name, index);
717 ip_set_list[index] = set;
722 set->variant->destroy(set);
724 module_put(set->type->me);
732 static const struct nla_policy
733 ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
734 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
735 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
736 .len = IPSET_MAXNAMELEN - 1 },
740 ip_set_destroy_set(ip_set_id_t index)
742 struct ip_set *set = ip_set_list[index];
744 pr_debug("set: %s\n", set->name);
745 ip_set_list[index] = NULL;
747 /* Must call it without holding any lock */
748 set->variant->destroy(set);
749 module_put(set->type->me);
754 ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
755 const struct nlmsghdr *nlh,
756 const struct nlattr * const attr[])
761 if (unlikely(protocol_failed(attr)))
762 return -IPSET_ERR_PROTOCOL;
764 /* Commands are serialized and references are
765 * protected by the ip_set_ref_lock.
766 * External systems (i.e. xt_set) must call
767 * ip_set_put|get_nfnl_* functions, that way we
768 * can safely check references here.
770 * list:set timer can only decrement the reference
771 * counter, so if it's already zero, we can proceed
772 * without holding the lock.
774 read_lock_bh(&ip_set_ref_lock);
775 if (!attr[IPSET_ATTR_SETNAME]) {
776 for (i = 0; i < ip_set_max; i++) {
777 if (ip_set_list[i] != NULL && ip_set_list[i]->ref) {
778 ret = -IPSET_ERR_BUSY;
782 read_unlock_bh(&ip_set_ref_lock);
783 for (i = 0; i < ip_set_max; i++) {
784 if (ip_set_list[i] != NULL)
785 ip_set_destroy_set(i);
788 i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
789 if (i == IPSET_INVALID_ID) {
792 } else if (ip_set_list[i]->ref) {
793 ret = -IPSET_ERR_BUSY;
796 read_unlock_bh(&ip_set_ref_lock);
798 ip_set_destroy_set(i);
802 read_unlock_bh(&ip_set_ref_lock);
809 ip_set_flush_set(struct ip_set *set)
811 pr_debug("set: %s\n", set->name);
813 write_lock_bh(&set->lock);
814 set->variant->flush(set);
815 write_unlock_bh(&set->lock);
819 ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
820 const struct nlmsghdr *nlh,
821 const struct nlattr * const attr[])
825 if (unlikely(protocol_failed(attr)))
826 return -IPSET_ERR_PROTOCOL;
828 if (!attr[IPSET_ATTR_SETNAME]) {
829 for (i = 0; i < ip_set_max; i++)
830 if (ip_set_list[i] != NULL)
831 ip_set_flush_set(ip_set_list[i]);
833 i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
834 if (i == IPSET_INVALID_ID)
837 ip_set_flush_set(ip_set_list[i]);
845 static const struct nla_policy
846 ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = {
847 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
848 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
849 .len = IPSET_MAXNAMELEN - 1 },
850 [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING,
851 .len = IPSET_MAXNAMELEN - 1 },
855 ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
856 const struct nlmsghdr *nlh,
857 const struct nlattr * const attr[])
864 if (unlikely(protocol_failed(attr) ||
865 attr[IPSET_ATTR_SETNAME] == NULL ||
866 attr[IPSET_ATTR_SETNAME2] == NULL))
867 return -IPSET_ERR_PROTOCOL;
869 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
873 read_lock_bh(&ip_set_ref_lock);
875 ret = -IPSET_ERR_REFERENCED;
879 name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
880 for (i = 0; i < ip_set_max; i++) {
881 if (ip_set_list[i] != NULL &&
882 STREQ(ip_set_list[i]->name, name2)) {
883 ret = -IPSET_ERR_EXIST_SETNAME2;
887 strncpy(set->name, name2, IPSET_MAXNAMELEN);
890 read_unlock_bh(&ip_set_ref_lock);
894 /* Swap two sets so that name/index points to the other.
895 * References and set names are also swapped.
897 * The commands are serialized by the nfnl mutex and references are
898 * protected by the ip_set_ref_lock. The kernel interfaces
899 * do not hold the mutex but the pointer settings are atomic
900 * so the ip_set_list always contains valid pointers to the sets.
904 ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
905 const struct nlmsghdr *nlh,
906 const struct nlattr * const attr[])
908 struct ip_set *from, *to;
909 ip_set_id_t from_id, to_id;
910 char from_name[IPSET_MAXNAMELEN];
912 if (unlikely(protocol_failed(attr) ||
913 attr[IPSET_ATTR_SETNAME] == NULL ||
914 attr[IPSET_ATTR_SETNAME2] == NULL))
915 return -IPSET_ERR_PROTOCOL;
917 from_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
918 if (from_id == IPSET_INVALID_ID)
921 to_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME2]));
922 if (to_id == IPSET_INVALID_ID)
923 return -IPSET_ERR_EXIST_SETNAME2;
925 from = ip_set_list[from_id];
926 to = ip_set_list[to_id];
928 /* Features must not change.
929 * Not an artificial restriction anymore, as we must prevent
930 * possible loops created by swapping in setlist type of sets. */
931 if (!(from->type->features == to->type->features &&
932 from->type->family == to->type->family))
933 return -IPSET_ERR_TYPE_MISMATCH;
935 strncpy(from_name, from->name, IPSET_MAXNAMELEN);
936 strncpy(from->name, to->name, IPSET_MAXNAMELEN);
937 strncpy(to->name, from_name, IPSET_MAXNAMELEN);
939 write_lock_bh(&ip_set_ref_lock);
940 swap(from->ref, to->ref);
941 ip_set_list[from_id] = to;
942 ip_set_list[to_id] = from;
943 write_unlock_bh(&ip_set_ref_lock);
948 /* List/save set data */
955 #define DUMP_TYPE(arg) (((u32)(arg)) & 0x0000FFFF)
956 #define DUMP_FLAGS(arg) (((u32)(arg)) >> 16)
959 ip_set_dump_done(struct netlink_callback *cb)
962 pr_debug("release set %s\n", ip_set_list[cb->args[1]]->name);
963 ip_set_put_byindex((ip_set_id_t) cb->args[1]);
969 dump_attrs(struct nlmsghdr *nlh)
971 const struct nlattr *attr;
974 pr_debug("dump nlmsg\n");
975 nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) {
976 pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len);
981 dump_init(struct netlink_callback *cb)
983 struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
984 int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
985 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
986 struct nlattr *attr = (void *)nlh + min_len;
990 /* Second pass, so parser can't fail */
991 nla_parse(cda, IPSET_ATTR_CMD_MAX,
992 attr, nlh->nlmsg_len - min_len, ip_set_setname_policy);
994 /* cb->args[0] : dump single set/all sets
996 * [..]: type specific
999 if (cda[IPSET_ATTR_SETNAME]) {
1000 index = find_set_id(nla_data(cda[IPSET_ATTR_SETNAME]));
1001 if (index == IPSET_INVALID_ID)
1004 dump_type = DUMP_ONE;
1005 cb->args[1] = index;
1007 dump_type = DUMP_ALL;
1009 if (cda[IPSET_ATTR_FLAGS]) {
1010 u32 f = ip_set_get_h32(cda[IPSET_ATTR_FLAGS]);
1011 dump_type |= (f << 16);
1013 cb->args[0] = dump_type;
1019 ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
1021 ip_set_id_t index = IPSET_INVALID_ID, max;
1022 struct ip_set *set = NULL;
1023 struct nlmsghdr *nlh = NULL;
1024 unsigned int flags = NETLINK_CB(cb->skb).pid ? NLM_F_MULTI : 0;
1025 u32 dump_type, dump_flags;
1029 ret = dump_init(cb);
1031 nlh = nlmsg_hdr(cb->skb);
1032 /* We have to create and send the error message
1034 if (nlh->nlmsg_flags & NLM_F_ACK)
1035 netlink_ack(cb->skb, nlh, ret);
1040 if (cb->args[1] >= ip_set_max)
1043 dump_type = DUMP_TYPE(cb->args[0]);
1044 dump_flags = DUMP_FLAGS(cb->args[0]);
1045 max = dump_type == DUMP_ONE ? cb->args[1] + 1 : ip_set_max;
1047 pr_debug("args[0]: %u %u args[1]: %ld\n",
1048 dump_type, dump_flags, cb->args[1]);
1049 for (; cb->args[1] < max; cb->args[1]++) {
1050 index = (ip_set_id_t) cb->args[1];
1051 set = ip_set_list[index];
1053 if (dump_type == DUMP_ONE) {
1059 /* When dumping all sets, we must dump "sorted"
1060 * so that lists (unions of sets) are dumped last.
1062 if (dump_type != DUMP_ONE &&
1063 ((dump_type == DUMP_ALL) ==
1064 !!(set->type->features & IPSET_DUMP_LAST)))
1066 pr_debug("List set: %s\n", set->name);
1068 /* Start listing: make sure set won't be destroyed */
1069 pr_debug("reference set\n");
1070 __ip_set_get(index);
1072 nlh = start_msg(skb, NETLINK_CB(cb->skb).pid,
1073 cb->nlh->nlmsg_seq, flags,
1077 goto release_refcount;
1079 NLA_PUT_U8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
1080 NLA_PUT_STRING(skb, IPSET_ATTR_SETNAME, set->name);
1081 if (dump_flags & IPSET_FLAG_LIST_SETNAME)
1083 switch (cb->args[2]) {
1085 /* Core header data */
1086 NLA_PUT_STRING(skb, IPSET_ATTR_TYPENAME,
1088 NLA_PUT_U8(skb, IPSET_ATTR_FAMILY,
1090 NLA_PUT_U8(skb, IPSET_ATTR_REVISION,
1092 ret = set->variant->head(set, skb);
1094 goto release_refcount;
1095 if (dump_flags & IPSET_FLAG_LIST_HEADER)
1097 /* Fall through and add elements */
1099 read_lock_bh(&set->lock);
1100 ret = set->variant->list(set, skb, cb);
1101 read_unlock_bh(&set->lock);
1103 /* Set is done, proceed with next one */
1105 goto release_refcount;
1108 /* If we dump all sets, continue with dumping last ones */
1109 if (dump_type == DUMP_ALL) {
1110 dump_type = DUMP_LAST;
1111 cb->args[0] = dump_type | (dump_flags << 16);
1120 if (dump_type == DUMP_ONE)
1121 cb->args[1] = IPSET_INVALID_ID;
1125 /* If there was an error or set is done, release set */
1126 if (ret || !cb->args[2]) {
1127 pr_debug("release set %s\n", ip_set_list[index]->name);
1128 ip_set_put_byindex(index);
1132 nlmsg_end(skb, nlh);
1133 pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len);
1137 return ret < 0 ? ret : skb->len;
1141 ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
1142 const struct nlmsghdr *nlh,
1143 const struct nlattr * const attr[])
1145 if (unlikely(protocol_failed(attr)))
1146 return -IPSET_ERR_PROTOCOL;
1148 return netlink_dump_start(ctnl, skb, nlh,
1150 ip_set_dump_done, 0);
1153 /* Add, del and test */
1155 static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
1156 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1157 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1158 .len = IPSET_MAXNAMELEN - 1 },
1159 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
1160 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
1161 [IPSET_ATTR_ADT] = { .type = NLA_NESTED },
1165 call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
1166 struct nlattr *tb[], enum ipset_adt adt,
1167 u32 flags, bool use_lineno)
1171 bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
1174 write_lock_bh(&set->lock);
1175 ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
1176 write_unlock_bh(&set->lock);
1178 } while (ret == -EAGAIN &&
1179 set->variant->resize &&
1180 (ret = set->variant->resize(set, retried)) == 0);
1182 if (!ret || (ret == -IPSET_ERR_EXIST && eexist))
1184 if (lineno && use_lineno) {
1185 /* Error in restore/batch mode: send back lineno */
1186 struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
1187 struct sk_buff *skb2;
1188 struct nlmsgerr *errmsg;
1189 size_t payload = sizeof(*errmsg) + nlmsg_len(nlh);
1190 int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
1191 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1192 struct nlattr *cmdattr;
1195 skb2 = nlmsg_new(payload, GFP_KERNEL);
1198 rep = __nlmsg_put(skb2, NETLINK_CB(skb).pid,
1199 nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
1200 errmsg = nlmsg_data(rep);
1201 errmsg->error = ret;
1202 memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
1203 cmdattr = (void *)&errmsg->msg + min_len;
1205 nla_parse(cda, IPSET_ATTR_CMD_MAX,
1206 cmdattr, nlh->nlmsg_len - min_len,
1209 errline = nla_data(cda[IPSET_ATTR_LINENO]);
1213 netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1214 /* Signal netlink not to send its ACK/errmsg. */
1222 ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
1223 const struct nlmsghdr *nlh,
1224 const struct nlattr * const attr[])
1227 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1228 const struct nlattr *nla;
1229 u32 flags = flag_exist(nlh);
1233 if (unlikely(protocol_failed(attr) ||
1234 attr[IPSET_ATTR_SETNAME] == NULL ||
1235 !((attr[IPSET_ATTR_DATA] != NULL) ^
1236 (attr[IPSET_ATTR_ADT] != NULL)) ||
1237 (attr[IPSET_ATTR_DATA] != NULL &&
1238 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1239 (attr[IPSET_ATTR_ADT] != NULL &&
1240 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1241 attr[IPSET_ATTR_LINENO] == NULL))))
1242 return -IPSET_ERR_PROTOCOL;
1244 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1248 use_lineno = !!attr[IPSET_ATTR_LINENO];
1249 if (attr[IPSET_ATTR_DATA]) {
1250 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1251 attr[IPSET_ATTR_DATA],
1252 set->type->adt_policy))
1253 return -IPSET_ERR_PROTOCOL;
1254 ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, flags,
1259 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1260 memset(tb, 0, sizeof(tb));
1261 if (nla_type(nla) != IPSET_ATTR_DATA ||
1262 !flag_nested(nla) ||
1263 nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1264 set->type->adt_policy))
1265 return -IPSET_ERR_PROTOCOL;
1266 ret = call_ad(ctnl, skb, set, tb, IPSET_ADD,
1276 ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
1277 const struct nlmsghdr *nlh,
1278 const struct nlattr * const attr[])
1281 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1282 const struct nlattr *nla;
1283 u32 flags = flag_exist(nlh);
1287 if (unlikely(protocol_failed(attr) ||
1288 attr[IPSET_ATTR_SETNAME] == NULL ||
1289 !((attr[IPSET_ATTR_DATA] != NULL) ^
1290 (attr[IPSET_ATTR_ADT] != NULL)) ||
1291 (attr[IPSET_ATTR_DATA] != NULL &&
1292 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1293 (attr[IPSET_ATTR_ADT] != NULL &&
1294 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1295 attr[IPSET_ATTR_LINENO] == NULL))))
1296 return -IPSET_ERR_PROTOCOL;
1298 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1302 use_lineno = !!attr[IPSET_ATTR_LINENO];
1303 if (attr[IPSET_ATTR_DATA]) {
1304 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1305 attr[IPSET_ATTR_DATA],
1306 set->type->adt_policy))
1307 return -IPSET_ERR_PROTOCOL;
1308 ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, flags,
1313 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1314 memset(tb, 0, sizeof(*tb));
1315 if (nla_type(nla) != IPSET_ATTR_DATA ||
1316 !flag_nested(nla) ||
1317 nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1318 set->type->adt_policy))
1319 return -IPSET_ERR_PROTOCOL;
1320 ret = call_ad(ctnl, skb, set, tb, IPSET_DEL,
1330 ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
1331 const struct nlmsghdr *nlh,
1332 const struct nlattr * const attr[])
1335 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1338 if (unlikely(protocol_failed(attr) ||
1339 attr[IPSET_ATTR_SETNAME] == NULL ||
1340 attr[IPSET_ATTR_DATA] == NULL ||
1341 !flag_nested(attr[IPSET_ATTR_DATA])))
1342 return -IPSET_ERR_PROTOCOL;
1344 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1348 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA],
1349 set->type->adt_policy))
1350 return -IPSET_ERR_PROTOCOL;
1352 read_lock_bh(&set->lock);
1353 ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
1354 read_unlock_bh(&set->lock);
1355 /* Userspace can't trigger element to be re-added */
1359 return ret < 0 ? ret : ret > 0 ? 0 : -IPSET_ERR_EXIST;
1362 /* Get headed data of a set */
1365 ip_set_header(struct sock *ctnl, struct sk_buff *skb,
1366 const struct nlmsghdr *nlh,
1367 const struct nlattr * const attr[])
1369 const struct ip_set *set;
1370 struct sk_buff *skb2;
1371 struct nlmsghdr *nlh2;
1375 if (unlikely(protocol_failed(attr) ||
1376 attr[IPSET_ATTR_SETNAME] == NULL))
1377 return -IPSET_ERR_PROTOCOL;
1379 index = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
1380 if (index == IPSET_INVALID_ID)
1382 set = ip_set_list[index];
1384 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1388 nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0,
1392 NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
1393 NLA_PUT_STRING(skb2, IPSET_ATTR_SETNAME, set->name);
1394 NLA_PUT_STRING(skb2, IPSET_ATTR_TYPENAME, set->type->name);
1395 NLA_PUT_U8(skb2, IPSET_ATTR_FAMILY, set->family);
1396 NLA_PUT_U8(skb2, IPSET_ATTR_REVISION, set->revision);
1397 nlmsg_end(skb2, nlh2);
1399 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1406 nlmsg_cancel(skb2, nlh2);
1414 static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = {
1415 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1416 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
1417 .len = IPSET_MAXNAMELEN - 1 },
1418 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
1422 ip_set_type(struct sock *ctnl, struct sk_buff *skb,
1423 const struct nlmsghdr *nlh,
1424 const struct nlattr * const attr[])
1426 struct sk_buff *skb2;
1427 struct nlmsghdr *nlh2;
1428 u8 family, min, max;
1429 const char *typename;
1432 if (unlikely(protocol_failed(attr) ||
1433 attr[IPSET_ATTR_TYPENAME] == NULL ||
1434 attr[IPSET_ATTR_FAMILY] == NULL))
1435 return -IPSET_ERR_PROTOCOL;
1437 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
1438 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
1439 ret = find_set_type_minmax(typename, family, &min, &max);
1443 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1447 nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0,
1451 NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
1452 NLA_PUT_STRING(skb2, IPSET_ATTR_TYPENAME, typename);
1453 NLA_PUT_U8(skb2, IPSET_ATTR_FAMILY, family);
1454 NLA_PUT_U8(skb2, IPSET_ATTR_REVISION, max);
1455 NLA_PUT_U8(skb2, IPSET_ATTR_REVISION_MIN, min);
1456 nlmsg_end(skb2, nlh2);
1458 pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len);
1459 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1466 nlmsg_cancel(skb2, nlh2);
1472 /* Get protocol version */
1474 static const struct nla_policy
1475 ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = {
1476 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1480 ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
1481 const struct nlmsghdr *nlh,
1482 const struct nlattr * const attr[])
1484 struct sk_buff *skb2;
1485 struct nlmsghdr *nlh2;
1488 if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL))
1489 return -IPSET_ERR_PROTOCOL;
1491 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1495 nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0,
1496 IPSET_CMD_PROTOCOL);
1499 NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
1500 nlmsg_end(skb2, nlh2);
1502 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1509 nlmsg_cancel(skb2, nlh2);
1515 static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
1516 [IPSET_CMD_CREATE] = {
1517 .call = ip_set_create,
1518 .attr_count = IPSET_ATTR_CMD_MAX,
1519 .policy = ip_set_create_policy,
1521 [IPSET_CMD_DESTROY] = {
1522 .call = ip_set_destroy,
1523 .attr_count = IPSET_ATTR_CMD_MAX,
1524 .policy = ip_set_setname_policy,
1526 [IPSET_CMD_FLUSH] = {
1527 .call = ip_set_flush,
1528 .attr_count = IPSET_ATTR_CMD_MAX,
1529 .policy = ip_set_setname_policy,
1531 [IPSET_CMD_RENAME] = {
1532 .call = ip_set_rename,
1533 .attr_count = IPSET_ATTR_CMD_MAX,
1534 .policy = ip_set_setname2_policy,
1536 [IPSET_CMD_SWAP] = {
1537 .call = ip_set_swap,
1538 .attr_count = IPSET_ATTR_CMD_MAX,
1539 .policy = ip_set_setname2_policy,
1541 [IPSET_CMD_LIST] = {
1542 .call = ip_set_dump,
1543 .attr_count = IPSET_ATTR_CMD_MAX,
1544 .policy = ip_set_setname_policy,
1546 [IPSET_CMD_SAVE] = {
1547 .call = ip_set_dump,
1548 .attr_count = IPSET_ATTR_CMD_MAX,
1549 .policy = ip_set_setname_policy,
1552 .call = ip_set_uadd,
1553 .attr_count = IPSET_ATTR_CMD_MAX,
1554 .policy = ip_set_adt_policy,
1557 .call = ip_set_udel,
1558 .attr_count = IPSET_ATTR_CMD_MAX,
1559 .policy = ip_set_adt_policy,
1561 [IPSET_CMD_TEST] = {
1562 .call = ip_set_utest,
1563 .attr_count = IPSET_ATTR_CMD_MAX,
1564 .policy = ip_set_adt_policy,
1566 [IPSET_CMD_HEADER] = {
1567 .call = ip_set_header,
1568 .attr_count = IPSET_ATTR_CMD_MAX,
1569 .policy = ip_set_setname_policy,
1571 [IPSET_CMD_TYPE] = {
1572 .call = ip_set_type,
1573 .attr_count = IPSET_ATTR_CMD_MAX,
1574 .policy = ip_set_type_policy,
1576 [IPSET_CMD_PROTOCOL] = {
1577 .call = ip_set_protocol,
1578 .attr_count = IPSET_ATTR_CMD_MAX,
1579 .policy = ip_set_protocol_policy,
1583 static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = {
1585 .subsys_id = NFNL_SUBSYS_IPSET,
1586 .cb_count = IPSET_MSG_MAX,
1587 .cb = ip_set_netlink_subsys_cb,
1590 /* Interface to iptables/ip6tables */
1593 ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
1597 int copylen = *len, ret = 0;
1599 if (!capable(CAP_NET_ADMIN))
1601 if (optval != SO_IP_SET)
1603 if (*len < sizeof(unsigned))
1606 data = vmalloc(*len);
1609 if (copy_from_user(data, user, *len) != 0) {
1613 op = (unsigned *) data;
1615 if (*op < IP_SET_OP_VERSION) {
1616 /* Check the version at the beginning of operations */
1617 struct ip_set_req_version *req_version = data;
1619 if (*len < sizeof(struct ip_set_req_version)) {
1624 if (req_version->version != IPSET_PROTOCOL) {
1631 case IP_SET_OP_VERSION: {
1632 struct ip_set_req_version *req_version = data;
1634 if (*len != sizeof(struct ip_set_req_version)) {
1639 req_version->version = IPSET_PROTOCOL;
1640 ret = copy_to_user(user, req_version,
1641 sizeof(struct ip_set_req_version));
1644 case IP_SET_OP_GET_BYNAME: {
1645 struct ip_set_req_get_set *req_get = data;
1647 if (*len != sizeof(struct ip_set_req_get_set)) {
1651 req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
1653 req_get->set.index = find_set_id(req_get->set.name);
1657 case IP_SET_OP_GET_BYINDEX: {
1658 struct ip_set_req_get_set *req_get = data;
1660 if (*len != sizeof(struct ip_set_req_get_set) ||
1661 req_get->set.index >= ip_set_max) {
1666 strncpy(req_get->set.name,
1667 ip_set_list[req_get->set.index]
1668 ? ip_set_list[req_get->set.index]->name : "",
1676 } /* end of switch(op) */
1679 ret = copy_to_user(user, data, copylen);
1688 static struct nf_sockopt_ops so_set __read_mostly = {
1690 .get_optmin = SO_IP_SET,
1691 .get_optmax = SO_IP_SET + 1,
1692 .get = &ip_set_sockfn_get,
1693 .owner = THIS_MODULE,
1702 ip_set_max = max_sets;
1703 if (ip_set_max >= IPSET_INVALID_ID)
1704 ip_set_max = IPSET_INVALID_ID - 1;
1706 ip_set_list = kzalloc(sizeof(struct ip_set *) * ip_set_max,
1711 ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
1713 pr_err("ip_set: cannot register with nfnetlink.\n");
1717 ret = nf_register_sockopt(&so_set);
1719 pr_err("SO_SET registry failed: %d\n", ret);
1720 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1725 pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL);
1732 /* There can't be any existing set */
1733 nf_unregister_sockopt(&so_set);
1734 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1736 pr_debug("these are the famous last words\n");
1739 module_init(ip_set_init);
1740 module_exit(ip_set_fini);
git.openpandora.org / pandora-kernel.git / blob