1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Martin Josefsson <gandalf@wlug.westbo.se>
4 * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 /* Kernel module which implements the set match and SET target
12 * for netfilter/iptables. */
14 #include <linux/module.h>
15 #include <linux/skbuff.h>
17 #include <linux/netfilter/x_tables.h>
18 #include <linux/netfilter/xt_set.h>
19 #include <linux/netfilter/ipset/ip_set_timeout.h>
21 MODULE_LICENSE("GPL");
22 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
23 MODULE_DESCRIPTION("Xtables: IP set match and target module");
24 MODULE_ALIAS("xt_SET");
25 MODULE_ALIAS("ipt_set");
26 MODULE_ALIAS("ip6t_set");
27 MODULE_ALIAS("ipt_SET");
28 MODULE_ALIAS("ip6t_SET");
31 match_set(ip_set_id_t index, const struct sk_buff *skb,
32 const struct xt_action_param *par,
33 struct ip_set_adt_opt *opt, int inv)
35 if (ip_set_test(index, skb, par, opt))
40 #define ADT_OPT(n, f, d, fs, cfs, t) \
41 struct ip_set_adt_opt n = { \
49 /* Revision 0 interface: backward compatible with netfilter/iptables */
52 set_match_v0(const struct sk_buff *skb, struct xt_action_param *par)
54 const struct xt_set_info_match_v0 *info = par->matchinfo;
55 ADT_OPT(opt, par->family, info->match_set.u.compat.dim,
56 info->match_set.u.compat.flags, 0, UINT_MAX);
58 return match_set(info->match_set.index, skb, par, &opt,
59 info->match_set.u.compat.flags & IPSET_INV_MATCH);
63 compat_flags(struct xt_set_info_v0 *info)
67 /* Fill out compatibility data according to enum ip_set_kopt */
68 info->u.compat.dim = IPSET_DIM_ZERO;
69 if (info->u.flags[0] & IPSET_MATCH_INV)
70 info->u.compat.flags |= IPSET_INV_MATCH;
71 for (i = 0; i < IPSET_DIM_MAX-1 && info->u.flags[i]; i++) {
73 if (info->u.flags[i] & IPSET_SRC)
74 info->u.compat.flags |= (1<<info->u.compat.dim);
79 set_match_v0_checkentry(const struct xt_mtchk_param *par)
81 struct xt_set_info_match_v0 *info = par->matchinfo;
84 index = ip_set_nfnl_get_byindex(info->match_set.index);
86 if (index == IPSET_INVALID_ID) {
87 pr_warning("Cannot find set indentified by id %u to match\n",
88 info->match_set.index);
91 if (info->match_set.u.flags[IPSET_DIM_MAX-1] != 0) {
92 pr_warning("Protocol error: set match dimension "
93 "is over the limit!\n");
94 ip_set_nfnl_put(info->match_set.index);
98 /* Fill out compatibility data */
99 compat_flags(&info->match_set);
105 set_match_v0_destroy(const struct xt_mtdtor_param *par)
107 struct xt_set_info_match_v0 *info = par->matchinfo;
109 ip_set_nfnl_put(info->match_set.index);
113 set_target_v0(struct sk_buff *skb, const struct xt_action_param *par)
115 const struct xt_set_info_target_v0 *info = par->targinfo;
116 ADT_OPT(add_opt, par->family, info->add_set.u.compat.dim,
117 info->add_set.u.compat.flags, 0, UINT_MAX);
118 ADT_OPT(del_opt, par->family, info->del_set.u.compat.dim,
119 info->del_set.u.compat.flags, 0, UINT_MAX);
121 if (info->add_set.index != IPSET_INVALID_ID)
122 ip_set_add(info->add_set.index, skb, par, &add_opt);
123 if (info->del_set.index != IPSET_INVALID_ID)
124 ip_set_del(info->del_set.index, skb, par, &del_opt);
130 set_target_v0_checkentry(const struct xt_tgchk_param *par)
132 struct xt_set_info_target_v0 *info = par->targinfo;
135 if (info->add_set.index != IPSET_INVALID_ID) {
136 index = ip_set_nfnl_get_byindex(info->add_set.index);
137 if (index == IPSET_INVALID_ID) {
138 pr_warning("Cannot find add_set index %u as target\n",
139 info->add_set.index);
144 if (info->del_set.index != IPSET_INVALID_ID) {
145 index = ip_set_nfnl_get_byindex(info->del_set.index);
146 if (index == IPSET_INVALID_ID) {
147 pr_warning("Cannot find del_set index %u as target\n",
148 info->del_set.index);
149 if (info->add_set.index != IPSET_INVALID_ID)
150 ip_set_nfnl_put(info->add_set.index);
154 if (info->add_set.u.flags[IPSET_DIM_MAX-1] != 0 ||
155 info->del_set.u.flags[IPSET_DIM_MAX-1] != 0) {
156 pr_warning("Protocol error: SET target dimension "
157 "is over the limit!\n");
158 if (info->add_set.index != IPSET_INVALID_ID)
159 ip_set_nfnl_put(info->add_set.index);
160 if (info->del_set.index != IPSET_INVALID_ID)
161 ip_set_nfnl_put(info->del_set.index);
165 /* Fill out compatibility data */
166 compat_flags(&info->add_set);
167 compat_flags(&info->del_set);
173 set_target_v0_destroy(const struct xt_tgdtor_param *par)
175 const struct xt_set_info_target_v0 *info = par->targinfo;
177 if (info->add_set.index != IPSET_INVALID_ID)
178 ip_set_nfnl_put(info->add_set.index);
179 if (info->del_set.index != IPSET_INVALID_ID)
180 ip_set_nfnl_put(info->del_set.index);
183 /* Revision 1 match and target */
186 set_match_v1(const struct sk_buff *skb, struct xt_action_param *par)
188 const struct xt_set_info_match_v1 *info = par->matchinfo;
189 ADT_OPT(opt, par->family, info->match_set.dim,
190 info->match_set.flags, 0, UINT_MAX);
192 return match_set(info->match_set.index, skb, par, &opt,
193 info->match_set.flags & IPSET_INV_MATCH);
197 set_match_v1_checkentry(const struct xt_mtchk_param *par)
199 struct xt_set_info_match_v1 *info = par->matchinfo;
202 index = ip_set_nfnl_get_byindex(info->match_set.index);
204 if (index == IPSET_INVALID_ID) {
205 pr_warning("Cannot find set indentified by id %u to match\n",
206 info->match_set.index);
209 if (info->match_set.dim > IPSET_DIM_MAX) {
210 pr_warning("Protocol error: set match dimension "
211 "is over the limit!\n");
212 ip_set_nfnl_put(info->match_set.index);
220 set_match_v1_destroy(const struct xt_mtdtor_param *par)
222 struct xt_set_info_match_v1 *info = par->matchinfo;
224 ip_set_nfnl_put(info->match_set.index);
228 set_target_v1(struct sk_buff *skb, const struct xt_action_param *par)
230 const struct xt_set_info_target_v1 *info = par->targinfo;
231 ADT_OPT(add_opt, par->family, info->add_set.dim,
232 info->add_set.flags, 0, UINT_MAX);
233 ADT_OPT(del_opt, par->family, info->del_set.dim,
234 info->del_set.flags, 0, UINT_MAX);
236 if (info->add_set.index != IPSET_INVALID_ID)
237 ip_set_add(info->add_set.index, skb, par, &add_opt);
238 if (info->del_set.index != IPSET_INVALID_ID)
239 ip_set_del(info->del_set.index, skb, par, &del_opt);
245 set_target_v1_checkentry(const struct xt_tgchk_param *par)
247 const struct xt_set_info_target_v1 *info = par->targinfo;
250 if (info->add_set.index != IPSET_INVALID_ID) {
251 index = ip_set_nfnl_get_byindex(info->add_set.index);
252 if (index == IPSET_INVALID_ID) {
253 pr_warning("Cannot find add_set index %u as target\n",
254 info->add_set.index);
259 if (info->del_set.index != IPSET_INVALID_ID) {
260 index = ip_set_nfnl_get_byindex(info->del_set.index);
261 if (index == IPSET_INVALID_ID) {
262 pr_warning("Cannot find del_set index %u as target\n",
263 info->del_set.index);
264 if (info->add_set.index != IPSET_INVALID_ID)
265 ip_set_nfnl_put(info->add_set.index);
269 if (info->add_set.dim > IPSET_DIM_MAX ||
270 info->del_set.dim > IPSET_DIM_MAX) {
271 pr_warning("Protocol error: SET target dimension "
272 "is over the limit!\n");
273 if (info->add_set.index != IPSET_INVALID_ID)
274 ip_set_nfnl_put(info->add_set.index);
275 if (info->del_set.index != IPSET_INVALID_ID)
276 ip_set_nfnl_put(info->del_set.index);
284 set_target_v1_destroy(const struct xt_tgdtor_param *par)
286 const struct xt_set_info_target_v1 *info = par->targinfo;
288 if (info->add_set.index != IPSET_INVALID_ID)
289 ip_set_nfnl_put(info->add_set.index);
290 if (info->del_set.index != IPSET_INVALID_ID)
291 ip_set_nfnl_put(info->del_set.index);
294 /* Revision 2 target */
297 set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
299 const struct xt_set_info_target_v2 *info = par->targinfo;
300 ADT_OPT(add_opt, par->family, info->add_set.dim,
301 info->add_set.flags, info->flags, info->timeout);
302 ADT_OPT(del_opt, par->family, info->del_set.dim,
303 info->del_set.flags, 0, UINT_MAX);
305 /* Normalize to fit into jiffies */
306 if (add_opt.ext.timeout != IPSET_NO_TIMEOUT &&
307 add_opt.ext.timeout > UINT_MAX/MSEC_PER_SEC)
308 add_opt.ext.timeout = UINT_MAX/MSEC_PER_SEC;
309 if (info->add_set.index != IPSET_INVALID_ID)
310 ip_set_add(info->add_set.index, skb, par, &add_opt);
311 if (info->del_set.index != IPSET_INVALID_ID)
312 ip_set_del(info->del_set.index, skb, par, &del_opt);
317 #define set_target_v2_checkentry set_target_v1_checkentry
318 #define set_target_v2_destroy set_target_v1_destroy
320 static struct xt_match set_matches[] __read_mostly = {
323 .family = NFPROTO_IPV4,
325 .match = set_match_v0,
326 .matchsize = sizeof(struct xt_set_info_match_v0),
327 .checkentry = set_match_v0_checkentry,
328 .destroy = set_match_v0_destroy,
333 .family = NFPROTO_IPV4,
335 .match = set_match_v1,
336 .matchsize = sizeof(struct xt_set_info_match_v1),
337 .checkentry = set_match_v1_checkentry,
338 .destroy = set_match_v1_destroy,
343 .family = NFPROTO_IPV6,
345 .match = set_match_v1,
346 .matchsize = sizeof(struct xt_set_info_match_v1),
347 .checkentry = set_match_v1_checkentry,
348 .destroy = set_match_v1_destroy,
351 /* --return-nomatch flag support */
354 .family = NFPROTO_IPV4,
356 .match = set_match_v1,
357 .matchsize = sizeof(struct xt_set_info_match_v1),
358 .checkentry = set_match_v1_checkentry,
359 .destroy = set_match_v1_destroy,
364 .family = NFPROTO_IPV6,
366 .match = set_match_v1,
367 .matchsize = sizeof(struct xt_set_info_match_v1),
368 .checkentry = set_match_v1_checkentry,
369 .destroy = set_match_v1_destroy,
374 static struct xt_target set_targets[] __read_mostly = {
378 .family = NFPROTO_IPV4,
379 .target = set_target_v0,
380 .targetsize = sizeof(struct xt_set_info_target_v0),
381 .checkentry = set_target_v0_checkentry,
382 .destroy = set_target_v0_destroy,
388 .family = NFPROTO_IPV4,
389 .target = set_target_v1,
390 .targetsize = sizeof(struct xt_set_info_target_v1),
391 .checkentry = set_target_v1_checkentry,
392 .destroy = set_target_v1_destroy,
398 .family = NFPROTO_IPV6,
399 .target = set_target_v1,
400 .targetsize = sizeof(struct xt_set_info_target_v1),
401 .checkentry = set_target_v1_checkentry,
402 .destroy = set_target_v1_destroy,
405 /* --timeout and --exist flags support */
409 .family = NFPROTO_IPV4,
410 .target = set_target_v2,
411 .targetsize = sizeof(struct xt_set_info_target_v2),
412 .checkentry = set_target_v2_checkentry,
413 .destroy = set_target_v2_destroy,
419 .family = NFPROTO_IPV6,
420 .target = set_target_v2,
421 .targetsize = sizeof(struct xt_set_info_target_v2),
422 .checkentry = set_target_v2_checkentry,
423 .destroy = set_target_v2_destroy,
428 static int __init xt_set_init(void)
430 int ret = xt_register_matches(set_matches, ARRAY_SIZE(set_matches));
433 ret = xt_register_targets(set_targets,
434 ARRAY_SIZE(set_targets));
436 xt_unregister_matches(set_matches,
437 ARRAY_SIZE(set_matches));
442 static void __exit xt_set_fini(void)
444 xt_unregister_matches(set_matches, ARRAY_SIZE(set_matches));
445 xt_unregister_targets(set_targets, ARRAY_SIZE(set_targets));
448 module_init(xt_set_init);
449 module_exit(xt_set_fini);