1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
10 /* Kernel module for IP set management */
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/moduleparam.h>
16 #include <linux/skbuff.h>
17 #include <linux/spinlock.h>
18 #include <linux/rculist.h>
19 #include <net/netlink.h>
21 #include <linux/netfilter.h>
22 #include <linux/netfilter/x_tables.h>
23 #include <linux/netfilter/nfnetlink.h>
24 #include <linux/netfilter/ipset/ip_set.h>
26 static LIST_HEAD(ip_set_type_list); /* all registered set types */
27 static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */
28 static DEFINE_RWLOCK(ip_set_ref_lock); /* protects the set refs */
30 static struct ip_set * __rcu *ip_set_list; /* all individual sets */
31 static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */
34 #define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
36 static unsigned int max_sets;
38 module_param(max_sets, int, 0600);
39 MODULE_PARM_DESC(max_sets, "maximal number of sets");
40 MODULE_LICENSE("GPL");
41 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
42 MODULE_DESCRIPTION("core IP set support");
43 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
45 /* When the nfnl mutex is held: */
46 #define nfnl_dereference(p) \
47 rcu_dereference_protected(p, 1)
48 #define nfnl_set(id) \
49 nfnl_dereference(ip_set_list)[id]
52 * The set types are implemented in modules and registered set types
53 * can be found in ip_set_type_list. Adding/deleting types is
54 * serialized by ip_set_type_mutex.
58 ip_set_type_lock(void)
60 mutex_lock(&ip_set_type_mutex);
64 ip_set_type_unlock(void)
66 mutex_unlock(&ip_set_type_mutex);
69 /* Register and deregister settype */
71 static struct ip_set_type *
72 find_set_type(const char *name, u8 family, u8 revision)
74 struct ip_set_type *type;
76 list_for_each_entry_rcu(type, &ip_set_type_list, list)
77 if (STREQ(type->name, name) &&
78 (type->family == family ||
79 type->family == NFPROTO_UNSPEC) &&
80 revision >= type->revision_min &&
81 revision <= type->revision_max)
86 /* Unlock, try to load a set type module and lock again */
88 load_settype(const char *name)
90 nfnl_unlock(NFNL_SUBSYS_IPSET);
91 pr_debug("try to load ip_set_%s\n", name);
92 if (request_module("ip_set_%s", name) < 0) {
93 pr_warning("Can't find ip_set type %s\n", name);
94 nfnl_lock(NFNL_SUBSYS_IPSET);
97 nfnl_lock(NFNL_SUBSYS_IPSET);
101 /* Find a set type and reference it */
102 #define find_set_type_get(name, family, revision, found) \
103 __find_set_type_get(name, family, revision, found, false)
106 __find_set_type_get(const char *name, u8 family, u8 revision,
107 struct ip_set_type **found, bool retry)
109 struct ip_set_type *type;
112 if (retry && !load_settype(name))
113 return -IPSET_ERR_FIND_TYPE;
116 *found = find_set_type(name, family, revision);
118 err = !try_module_get((*found)->me) ? -EFAULT : 0;
121 /* Make sure the type is already loaded
122 * but we don't support the revision */
123 list_for_each_entry_rcu(type, &ip_set_type_list, list)
124 if (STREQ(type->name, name)) {
125 err = -IPSET_ERR_FIND_TYPE;
130 return retry ? -IPSET_ERR_FIND_TYPE :
131 __find_set_type_get(name, family, revision, found, true);
138 /* Find a given set type by name and family.
139 * If we succeeded, the supported minimal and maximum revisions are
142 #define find_set_type_minmax(name, family, min, max) \
143 __find_set_type_minmax(name, family, min, max, false)
146 __find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max,
149 struct ip_set_type *type;
152 if (retry && !load_settype(name))
153 return -IPSET_ERR_FIND_TYPE;
155 *min = 255; *max = 0;
157 list_for_each_entry_rcu(type, &ip_set_type_list, list)
158 if (STREQ(type->name, name) &&
159 (type->family == family ||
160 type->family == NFPROTO_UNSPEC)) {
162 if (type->revision_min < *min)
163 *min = type->revision_min;
164 if (type->revision_max > *max)
165 *max = type->revision_max;
171 return retry ? -IPSET_ERR_FIND_TYPE :
172 __find_set_type_minmax(name, family, min, max, true);
175 #define family_name(f) ((f) == NFPROTO_IPV4 ? "inet" : \
176 (f) == NFPROTO_IPV6 ? "inet6" : "any")
178 /* Register a set type structure. The type is identified by
179 * the unique triple of name, family and revision.
182 ip_set_type_register(struct ip_set_type *type)
186 if (type->protocol != IPSET_PROTOCOL) {
187 pr_warning("ip_set type %s, family %s, revision %u:%u uses "
188 "wrong protocol version %u (want %u)\n",
189 type->name, family_name(type->family),
190 type->revision_min, type->revision_max,
191 type->protocol, IPSET_PROTOCOL);
196 if (find_set_type(type->name, type->family, type->revision_min)) {
198 pr_warning("ip_set type %s, family %s with revision min %u "
199 "already registered!\n", type->name,
200 family_name(type->family), type->revision_min);
204 list_add_rcu(&type->list, &ip_set_type_list);
205 pr_debug("type %s, family %s, revision %u:%u registered.\n",
206 type->name, family_name(type->family),
207 type->revision_min, type->revision_max);
209 ip_set_type_unlock();
212 EXPORT_SYMBOL_GPL(ip_set_type_register);
214 /* Unregister a set type. There's a small race with ip_set_create */
216 ip_set_type_unregister(struct ip_set_type *type)
219 if (!find_set_type(type->name, type->family, type->revision_min)) {
220 pr_warning("ip_set type %s, family %s with revision min %u "
221 "not registered\n", type->name,
222 family_name(type->family), type->revision_min);
225 list_del_rcu(&type->list);
226 pr_debug("type %s, family %s with revision min %u unregistered.\n",
227 type->name, family_name(type->family), type->revision_min);
229 ip_set_type_unlock();
233 EXPORT_SYMBOL_GPL(ip_set_type_unregister);
235 /* Utility functions */
237 ip_set_alloc(size_t size)
239 void *members = NULL;
241 if (size < KMALLOC_MAX_SIZE)
242 members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
245 pr_debug("%p: allocated with kmalloc\n", members);
249 members = vzalloc(size);
252 pr_debug("%p: allocated with vmalloc\n", members);
256 EXPORT_SYMBOL_GPL(ip_set_alloc);
259 ip_set_free(void *members)
261 pr_debug("%p: free with %s\n", members,
262 is_vmalloc_addr(members) ? "vfree" : "kfree");
263 if (is_vmalloc_addr(members))
268 EXPORT_SYMBOL_GPL(ip_set_free);
271 flag_nested(const struct nlattr *nla)
273 return nla->nla_type & NLA_F_NESTED;
276 static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
277 [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 },
278 [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY,
279 .len = sizeof(struct in6_addr) },
283 ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr)
285 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
287 if (unlikely(!flag_nested(nla)))
288 return -IPSET_ERR_PROTOCOL;
289 if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
290 return -IPSET_ERR_PROTOCOL;
291 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4)))
292 return -IPSET_ERR_PROTOCOL;
294 *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]);
297 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4);
300 ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
302 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
304 if (unlikely(!flag_nested(nla)))
305 return -IPSET_ERR_PROTOCOL;
307 if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
308 return -IPSET_ERR_PROTOCOL;
309 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6)))
310 return -IPSET_ERR_PROTOCOL;
312 memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]),
313 sizeof(struct in6_addr));
316 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
319 * Creating/destroying/renaming/swapping affect the existence and
320 * the properties of a set. All of these can be executed from userspace
321 * only and serialized by the nfnl mutex indirectly from nfnetlink.
323 * Sets are identified by their index in ip_set_list and the index
324 * is used by the external references (set/SET netfilter modules).
326 * The set behind an index may change by swapping only, from userspace.
330 __ip_set_get(struct ip_set *set)
332 write_lock_bh(&ip_set_ref_lock);
334 write_unlock_bh(&ip_set_ref_lock);
338 __ip_set_put(struct ip_set *set)
340 write_lock_bh(&ip_set_ref_lock);
341 BUG_ON(set->ref == 0);
343 write_unlock_bh(&ip_set_ref_lock);
347 * Add, del and test set entries from kernel.
349 * The set behind the index must exist and must be referenced
350 * so it can't be destroyed (or changed) under our foot.
353 static inline struct ip_set *
354 ip_set_rcu_get(ip_set_id_t index)
359 /* ip_set_list itself needs to be protected */
360 set = rcu_dereference(ip_set_list)[index];
367 ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
368 const struct xt_action_param *par,
369 const struct ip_set_adt_opt *opt)
371 struct ip_set *set = ip_set_rcu_get(index);
375 pr_debug("set %s, index %u\n", set->name, index);
377 if (opt->dim < set->type->dimension ||
378 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
381 read_lock_bh(&set->lock);
382 ret = set->variant->kadt(set, skb, par, IPSET_TEST, opt);
383 read_unlock_bh(&set->lock);
385 if (ret == -EAGAIN) {
386 /* Type requests element to be completed */
387 pr_debug("element must be competed, ADD is triggered\n");
388 write_lock_bh(&set->lock);
389 set->variant->kadt(set, skb, par, IPSET_ADD, opt);
390 write_unlock_bh(&set->lock);
393 /* --return-nomatch: invert matched element */
394 if ((opt->flags & IPSET_RETURN_NOMATCH) &&
395 (set->type->features & IPSET_TYPE_NOMATCH) &&
396 (ret > 0 || ret == -ENOTEMPTY))
400 /* Convert error codes to nomatch */
401 return (ret < 0 ? 0 : ret);
403 EXPORT_SYMBOL_GPL(ip_set_test);
406 ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
407 const struct xt_action_param *par,
408 const struct ip_set_adt_opt *opt)
410 struct ip_set *set = ip_set_rcu_get(index);
414 pr_debug("set %s, index %u\n", set->name, index);
416 if (opt->dim < set->type->dimension ||
417 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
420 write_lock_bh(&set->lock);
421 ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt);
422 write_unlock_bh(&set->lock);
426 EXPORT_SYMBOL_GPL(ip_set_add);
429 ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
430 const struct xt_action_param *par,
431 const struct ip_set_adt_opt *opt)
433 struct ip_set *set = ip_set_rcu_get(index);
437 pr_debug("set %s, index %u\n", set->name, index);
439 if (opt->dim < set->type->dimension ||
440 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
443 write_lock_bh(&set->lock);
444 ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt);
445 write_unlock_bh(&set->lock);
449 EXPORT_SYMBOL_GPL(ip_set_del);
452 * Find set by name, reference it once. The reference makes sure the
453 * thing pointed to, does not go away under our feet.
457 ip_set_get_byname(const char *name, struct ip_set **set)
459 ip_set_id_t i, index = IPSET_INVALID_ID;
463 for (i = 0; i < ip_set_max; i++) {
464 s = rcu_dereference(ip_set_list)[i];
465 if (s != NULL && STREQ(s->name, name)) {
476 EXPORT_SYMBOL_GPL(ip_set_get_byname);
479 * If the given set pointer points to a valid set, decrement
480 * reference count by 1. The caller shall not assume the index
481 * to be valid, after calling this function.
485 ip_set_put_byindex(ip_set_id_t index)
490 set = rcu_dereference(ip_set_list)[index];
495 EXPORT_SYMBOL_GPL(ip_set_put_byindex);
498 * Get the name of a set behind a set index.
499 * We assume the set is referenced, so it does exist and
500 * can't be destroyed. The set cannot be renamed due to
501 * the referencing either.
505 ip_set_name_byindex(ip_set_id_t index)
507 const struct ip_set *set = ip_set_rcu_get(index);
510 BUG_ON(set->ref == 0);
512 /* Referenced, so it's safe */
515 EXPORT_SYMBOL_GPL(ip_set_name_byindex);
518 * Routines to call by external subsystems, which do not
519 * call nfnl_lock for us.
523 * Find set by name, reference it once. The reference makes sure the
524 * thing pointed to, does not go away under our feet.
526 * The nfnl mutex is used in the function.
529 ip_set_nfnl_get(const char *name)
531 ip_set_id_t i, index = IPSET_INVALID_ID;
534 nfnl_lock(NFNL_SUBSYS_IPSET);
535 for (i = 0; i < ip_set_max; i++) {
537 if (s != NULL && STREQ(s->name, name)) {
543 nfnl_unlock(NFNL_SUBSYS_IPSET);
547 EXPORT_SYMBOL_GPL(ip_set_nfnl_get);
550 * Find set by index, reference it once. The reference makes sure the
551 * thing pointed to, does not go away under our feet.
553 * The nfnl mutex is used in the function.
556 ip_set_nfnl_get_byindex(ip_set_id_t index)
560 if (index > ip_set_max)
561 return IPSET_INVALID_ID;
563 nfnl_lock(NFNL_SUBSYS_IPSET);
564 set = nfnl_set(index);
568 index = IPSET_INVALID_ID;
569 nfnl_unlock(NFNL_SUBSYS_IPSET);
573 EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex);
576 * If the given set pointer points to a valid set, decrement
577 * reference count by 1. The caller shall not assume the index
578 * to be valid, after calling this function.
580 * The nfnl mutex is used in the function.
583 ip_set_nfnl_put(ip_set_id_t index)
586 nfnl_lock(NFNL_SUBSYS_IPSET);
587 set = nfnl_set(index);
590 nfnl_unlock(NFNL_SUBSYS_IPSET);
592 EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
595 * Communication protocol with userspace over netlink.
597 * The commands are serialized by the nfnl mutex.
601 protocol_failed(const struct nlattr * const tb[])
603 return !tb[IPSET_ATTR_PROTOCOL] ||
604 nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL;
608 flag_exist(const struct nlmsghdr *nlh)
610 return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST;
613 static struct nlmsghdr *
614 start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags,
617 struct nlmsghdr *nlh;
618 struct nfgenmsg *nfmsg;
620 nlh = nlmsg_put(skb, portid, seq, cmd | (NFNL_SUBSYS_IPSET << 8),
621 sizeof(*nfmsg), flags);
625 nfmsg = nlmsg_data(nlh);
626 nfmsg->nfgen_family = NFPROTO_IPV4;
627 nfmsg->version = NFNETLINK_V0;
635 static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = {
636 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
637 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
638 .len = IPSET_MAXNAMELEN - 1 },
639 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
640 .len = IPSET_MAXNAMELEN - 1},
641 [IPSET_ATTR_REVISION] = { .type = NLA_U8 },
642 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
643 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
646 static struct ip_set *
647 find_set_and_id(const char *name, ip_set_id_t *id)
649 struct ip_set *set = NULL;
652 *id = IPSET_INVALID_ID;
653 for (i = 0; i < ip_set_max; i++) {
655 if (set != NULL && STREQ(set->name, name)) {
660 return (*id == IPSET_INVALID_ID ? NULL : set);
663 static inline struct ip_set *
664 find_set(const char *name)
668 return find_set_and_id(name, &id);
672 find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set)
677 *index = IPSET_INVALID_ID;
678 for (i = 0; i < ip_set_max; i++) {
681 if (*index == IPSET_INVALID_ID)
683 } else if (STREQ(name, s->name)) {
689 if (*index == IPSET_INVALID_ID)
690 /* No free slot remained */
691 return -IPSET_ERR_MAX_SETS;
696 ip_set_none(struct sock *ctnl, struct sk_buff *skb,
697 const struct nlmsghdr *nlh,
698 const struct nlattr * const attr[])
704 ip_set_create(struct sock *ctnl, struct sk_buff *skb,
705 const struct nlmsghdr *nlh,
706 const struct nlattr * const attr[])
708 struct ip_set *set, *clash = NULL;
709 ip_set_id_t index = IPSET_INVALID_ID;
710 struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {};
711 const char *name, *typename;
713 u32 flags = flag_exist(nlh);
716 if (unlikely(protocol_failed(attr) ||
717 attr[IPSET_ATTR_SETNAME] == NULL ||
718 attr[IPSET_ATTR_TYPENAME] == NULL ||
719 attr[IPSET_ATTR_REVISION] == NULL ||
720 attr[IPSET_ATTR_FAMILY] == NULL ||
721 (attr[IPSET_ATTR_DATA] != NULL &&
722 !flag_nested(attr[IPSET_ATTR_DATA]))))
723 return -IPSET_ERR_PROTOCOL;
725 name = nla_data(attr[IPSET_ATTR_SETNAME]);
726 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
727 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
728 revision = nla_get_u8(attr[IPSET_ATTR_REVISION]);
729 pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
730 name, typename, family_name(family), revision);
733 * First, and without any locks, allocate and initialize
734 * a normal base set structure.
736 set = kzalloc(sizeof(struct ip_set), GFP_KERNEL);
739 rwlock_init(&set->lock);
740 strlcpy(set->name, name, IPSET_MAXNAMELEN);
741 set->family = family;
742 set->revision = revision;
745 * Next, check that we know the type, and take
746 * a reference on the type, to make sure it stays available
747 * while constructing our new set.
749 * After referencing the type, we try to create the type
750 * specific part of the set without holding any locks.
752 ret = find_set_type_get(typename, family, revision, &(set->type));
757 * Without holding any locks, create private part.
759 if (attr[IPSET_ATTR_DATA] &&
760 nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA],
761 set->type->create_policy)) {
762 ret = -IPSET_ERR_PROTOCOL;
766 ret = set->type->create(set, tb, flags);
770 /* BTW, ret==0 here. */
773 * Here, we have a valid, constructed set and we are protected
774 * by the nfnl mutex. Find the first free index in ip_set_list
775 * and check clashing.
777 ret = find_free_id(set->name, &index, &clash);
778 if (ret == -EEXIST) {
779 /* If this is the same set and requested, ignore error */
780 if ((flags & IPSET_FLAG_EXIST) &&
781 STREQ(set->type->name, clash->type->name) &&
782 set->type->family == clash->type->family &&
783 set->type->revision_min == clash->type->revision_min &&
784 set->type->revision_max == clash->type->revision_max &&
785 set->variant->same_set(set, clash))
788 } else if (ret == -IPSET_ERR_MAX_SETS) {
789 struct ip_set **list, **tmp;
790 ip_set_id_t i = ip_set_max + IP_SET_INC;
792 if (i < ip_set_max || i == IPSET_INVALID_ID)
796 list = kzalloc(sizeof(struct ip_set *) * i, GFP_KERNEL);
799 /* nfnl mutex is held, both lists are valid */
800 tmp = nfnl_dereference(ip_set_list);
801 memcpy(list, tmp, sizeof(struct ip_set *) * ip_set_max);
802 rcu_assign_pointer(ip_set_list, list);
803 /* Make sure all current packets have passed through */
814 * Finally! Add our shiny new set to the list, and be done.
816 pr_debug("create: '%s' created with index %u!\n", set->name, index);
817 nfnl_set(index) = set;
822 set->variant->destroy(set);
824 module_put(set->type->me);
832 static const struct nla_policy
833 ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
834 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
835 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
836 .len = IPSET_MAXNAMELEN - 1 },
840 ip_set_destroy_set(ip_set_id_t index)
842 struct ip_set *set = nfnl_set(index);
844 pr_debug("set: %s\n", set->name);
845 nfnl_set(index) = NULL;
847 /* Must call it without holding any lock */
848 set->variant->destroy(set);
849 module_put(set->type->me);
854 ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
855 const struct nlmsghdr *nlh,
856 const struct nlattr * const attr[])
862 if (unlikely(protocol_failed(attr)))
863 return -IPSET_ERR_PROTOCOL;
865 /* Commands are serialized and references are
866 * protected by the ip_set_ref_lock.
867 * External systems (i.e. xt_set) must call
868 * ip_set_put|get_nfnl_* functions, that way we
869 * can safely check references here.
871 * list:set timer can only decrement the reference
872 * counter, so if it's already zero, we can proceed
873 * without holding the lock.
875 read_lock_bh(&ip_set_ref_lock);
876 if (!attr[IPSET_ATTR_SETNAME]) {
877 for (i = 0; i < ip_set_max; i++) {
879 if (s != NULL && s->ref) {
880 ret = -IPSET_ERR_BUSY;
884 read_unlock_bh(&ip_set_ref_lock);
885 for (i = 0; i < ip_set_max; i++) {
888 ip_set_destroy_set(i);
891 s = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME]), &i);
896 ret = -IPSET_ERR_BUSY;
899 read_unlock_bh(&ip_set_ref_lock);
901 ip_set_destroy_set(i);
905 read_unlock_bh(&ip_set_ref_lock);
912 ip_set_flush_set(struct ip_set *set)
914 pr_debug("set: %s\n", set->name);
916 write_lock_bh(&set->lock);
917 set->variant->flush(set);
918 write_unlock_bh(&set->lock);
922 ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
923 const struct nlmsghdr *nlh,
924 const struct nlattr * const attr[])
929 if (unlikely(protocol_failed(attr)))
930 return -IPSET_ERR_PROTOCOL;
932 if (!attr[IPSET_ATTR_SETNAME]) {
933 for (i = 0; i < ip_set_max; i++) {
939 s = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
951 static const struct nla_policy
952 ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = {
953 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
954 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
955 .len = IPSET_MAXNAMELEN - 1 },
956 [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING,
957 .len = IPSET_MAXNAMELEN - 1 },
961 ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
962 const struct nlmsghdr *nlh,
963 const struct nlattr * const attr[])
965 struct ip_set *set, *s;
970 if (unlikely(protocol_failed(attr) ||
971 attr[IPSET_ATTR_SETNAME] == NULL ||
972 attr[IPSET_ATTR_SETNAME2] == NULL))
973 return -IPSET_ERR_PROTOCOL;
975 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
979 read_lock_bh(&ip_set_ref_lock);
981 ret = -IPSET_ERR_REFERENCED;
985 name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
986 for (i = 0; i < ip_set_max; i++) {
988 if (s != NULL && STREQ(s->name, name2)) {
989 ret = -IPSET_ERR_EXIST_SETNAME2;
993 strncpy(set->name, name2, IPSET_MAXNAMELEN);
996 read_unlock_bh(&ip_set_ref_lock);
1000 /* Swap two sets so that name/index points to the other.
1001 * References and set names are also swapped.
1003 * The commands are serialized by the nfnl mutex and references are
1004 * protected by the ip_set_ref_lock. The kernel interfaces
1005 * do not hold the mutex but the pointer settings are atomic
1006 * so the ip_set_list always contains valid pointers to the sets.
1010 ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
1011 const struct nlmsghdr *nlh,
1012 const struct nlattr * const attr[])
1014 struct ip_set *from, *to;
1015 ip_set_id_t from_id, to_id;
1016 char from_name[IPSET_MAXNAMELEN];
1018 if (unlikely(protocol_failed(attr) ||
1019 attr[IPSET_ATTR_SETNAME] == NULL ||
1020 attr[IPSET_ATTR_SETNAME2] == NULL))
1021 return -IPSET_ERR_PROTOCOL;
1023 from = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME]), &from_id);
1027 to = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME2]), &to_id);
1029 return -IPSET_ERR_EXIST_SETNAME2;
1031 /* Features must not change.
1032 * Not an artificial restriction anymore, as we must prevent
1033 * possible loops created by swapping in setlist type of sets. */
1034 if (!(from->type->features == to->type->features &&
1035 from->type->family == to->type->family))
1036 return -IPSET_ERR_TYPE_MISMATCH;
1038 strncpy(from_name, from->name, IPSET_MAXNAMELEN);
1039 strncpy(from->name, to->name, IPSET_MAXNAMELEN);
1040 strncpy(to->name, from_name, IPSET_MAXNAMELEN);
1042 write_lock_bh(&ip_set_ref_lock);
1043 swap(from->ref, to->ref);
1044 nfnl_set(from_id) = to;
1045 nfnl_set(to_id) = from;
1046 write_unlock_bh(&ip_set_ref_lock);
1051 /* List/save set data */
1058 #define DUMP_TYPE(arg) (((u32)(arg)) & 0x0000FFFF)
1059 #define DUMP_FLAGS(arg) (((u32)(arg)) >> 16)
1062 ip_set_dump_done(struct netlink_callback *cb)
1065 pr_debug("release set %s\n", nfnl_set(cb->args[1])->name);
1066 ip_set_put_byindex((ip_set_id_t) cb->args[1]);
1072 dump_attrs(struct nlmsghdr *nlh)
1074 const struct nlattr *attr;
1077 pr_debug("dump nlmsg\n");
1078 nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) {
1079 pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len);
1084 dump_init(struct netlink_callback *cb)
1086 struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
1087 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
1088 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1089 struct nlattr *attr = (void *)nlh + min_len;
1093 /* Second pass, so parser can't fail */
1094 nla_parse(cda, IPSET_ATTR_CMD_MAX,
1095 attr, nlh->nlmsg_len - min_len, ip_set_setname_policy);
1097 /* cb->args[0] : dump single set/all sets
1099 * [..]: type specific
1102 if (cda[IPSET_ATTR_SETNAME]) {
1105 set = find_set_and_id(nla_data(cda[IPSET_ATTR_SETNAME]),
1110 dump_type = DUMP_ONE;
1111 cb->args[1] = index;
1113 dump_type = DUMP_ALL;
1115 if (cda[IPSET_ATTR_FLAGS]) {
1116 u32 f = ip_set_get_h32(cda[IPSET_ATTR_FLAGS]);
1117 dump_type |= (f << 16);
1119 cb->args[0] = dump_type;
1125 ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
1127 ip_set_id_t index = IPSET_INVALID_ID, max;
1128 struct ip_set *set = NULL;
1129 struct nlmsghdr *nlh = NULL;
1130 unsigned int flags = NETLINK_CB(cb->skb).portid ? NLM_F_MULTI : 0;
1131 u32 dump_type, dump_flags;
1135 ret = dump_init(cb);
1137 nlh = nlmsg_hdr(cb->skb);
1138 /* We have to create and send the error message
1140 if (nlh->nlmsg_flags & NLM_F_ACK)
1141 netlink_ack(cb->skb, nlh, ret);
1146 if (cb->args[1] >= ip_set_max)
1149 dump_type = DUMP_TYPE(cb->args[0]);
1150 dump_flags = DUMP_FLAGS(cb->args[0]);
1151 max = dump_type == DUMP_ONE ? cb->args[1] + 1 : ip_set_max;
1153 pr_debug("args[0]: %u %u args[1]: %ld\n",
1154 dump_type, dump_flags, cb->args[1]);
1155 for (; cb->args[1] < max; cb->args[1]++) {
1156 index = (ip_set_id_t) cb->args[1];
1157 set = nfnl_set(index);
1159 if (dump_type == DUMP_ONE) {
1165 /* When dumping all sets, we must dump "sorted"
1166 * so that lists (unions of sets) are dumped last.
1168 if (dump_type != DUMP_ONE &&
1169 ((dump_type == DUMP_ALL) ==
1170 !!(set->type->features & IPSET_DUMP_LAST)))
1172 pr_debug("List set: %s\n", set->name);
1174 /* Start listing: make sure set won't be destroyed */
1175 pr_debug("reference set\n");
1178 nlh = start_msg(skb, NETLINK_CB(cb->skb).portid,
1179 cb->nlh->nlmsg_seq, flags,
1183 goto release_refcount;
1185 if (nla_put_u8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1186 nla_put_string(skb, IPSET_ATTR_SETNAME, set->name))
1187 goto nla_put_failure;
1188 if (dump_flags & IPSET_FLAG_LIST_SETNAME)
1190 switch (cb->args[2]) {
1192 /* Core header data */
1193 if (nla_put_string(skb, IPSET_ATTR_TYPENAME,
1195 nla_put_u8(skb, IPSET_ATTR_FAMILY,
1197 nla_put_u8(skb, IPSET_ATTR_REVISION,
1199 goto nla_put_failure;
1200 ret = set->variant->head(set, skb);
1202 goto release_refcount;
1203 if (dump_flags & IPSET_FLAG_LIST_HEADER)
1205 /* Fall through and add elements */
1207 read_lock_bh(&set->lock);
1208 ret = set->variant->list(set, skb, cb);
1209 read_unlock_bh(&set->lock);
1211 /* Set is done, proceed with next one */
1213 goto release_refcount;
1216 /* If we dump all sets, continue with dumping last ones */
1217 if (dump_type == DUMP_ALL) {
1218 dump_type = DUMP_LAST;
1219 cb->args[0] = dump_type | (dump_flags << 16);
1228 if (dump_type == DUMP_ONE)
1229 cb->args[1] = IPSET_INVALID_ID;
1233 /* If there was an error or set is done, release set */
1234 if (ret || !cb->args[2]) {
1235 pr_debug("release set %s\n", nfnl_set(index)->name);
1236 ip_set_put_byindex(index);
1241 nlmsg_end(skb, nlh);
1242 pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len);
1246 return ret < 0 ? ret : skb->len;
1250 ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
1251 const struct nlmsghdr *nlh,
1252 const struct nlattr * const attr[])
1254 if (unlikely(protocol_failed(attr)))
1255 return -IPSET_ERR_PROTOCOL;
1258 struct netlink_dump_control c = {
1259 .dump = ip_set_dump_start,
1260 .done = ip_set_dump_done,
1262 return netlink_dump_start(ctnl, skb, nlh, &c);
1266 /* Add, del and test */
1268 static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
1269 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1270 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1271 .len = IPSET_MAXNAMELEN - 1 },
1272 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
1273 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
1274 [IPSET_ATTR_ADT] = { .type = NLA_NESTED },
1278 call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
1279 struct nlattr *tb[], enum ipset_adt adt,
1280 u32 flags, bool use_lineno)
1284 bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
1287 write_lock_bh(&set->lock);
1288 ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
1289 write_unlock_bh(&set->lock);
1291 } while (ret == -EAGAIN &&
1292 set->variant->resize &&
1293 (ret = set->variant->resize(set, retried)) == 0);
1295 if (!ret || (ret == -IPSET_ERR_EXIST && eexist))
1297 if (lineno && use_lineno) {
1298 /* Error in restore/batch mode: send back lineno */
1299 struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
1300 struct sk_buff *skb2;
1301 struct nlmsgerr *errmsg;
1302 size_t payload = sizeof(*errmsg) + nlmsg_len(nlh);
1303 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
1304 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1305 struct nlattr *cmdattr;
1308 skb2 = nlmsg_new(payload, GFP_KERNEL);
1311 rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid,
1312 nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
1313 errmsg = nlmsg_data(rep);
1314 errmsg->error = ret;
1315 memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
1316 cmdattr = (void *)&errmsg->msg + min_len;
1318 nla_parse(cda, IPSET_ATTR_CMD_MAX,
1319 cmdattr, nlh->nlmsg_len - min_len,
1322 errline = nla_data(cda[IPSET_ATTR_LINENO]);
1326 netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1327 /* Signal netlink not to send its ACK/errmsg. */
1335 ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
1336 const struct nlmsghdr *nlh,
1337 const struct nlattr * const attr[])
1340 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1341 const struct nlattr *nla;
1342 u32 flags = flag_exist(nlh);
1346 if (unlikely(protocol_failed(attr) ||
1347 attr[IPSET_ATTR_SETNAME] == NULL ||
1348 !((attr[IPSET_ATTR_DATA] != NULL) ^
1349 (attr[IPSET_ATTR_ADT] != NULL)) ||
1350 (attr[IPSET_ATTR_DATA] != NULL &&
1351 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1352 (attr[IPSET_ATTR_ADT] != NULL &&
1353 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1354 attr[IPSET_ATTR_LINENO] == NULL))))
1355 return -IPSET_ERR_PROTOCOL;
1357 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1361 use_lineno = !!attr[IPSET_ATTR_LINENO];
1362 if (attr[IPSET_ATTR_DATA]) {
1363 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1364 attr[IPSET_ATTR_DATA],
1365 set->type->adt_policy))
1366 return -IPSET_ERR_PROTOCOL;
1367 ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, flags,
1372 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1373 memset(tb, 0, sizeof(tb));
1374 if (nla_type(nla) != IPSET_ATTR_DATA ||
1375 !flag_nested(nla) ||
1376 nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1377 set->type->adt_policy))
1378 return -IPSET_ERR_PROTOCOL;
1379 ret = call_ad(ctnl, skb, set, tb, IPSET_ADD,
1389 ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
1390 const struct nlmsghdr *nlh,
1391 const struct nlattr * const attr[])
1394 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1395 const struct nlattr *nla;
1396 u32 flags = flag_exist(nlh);
1400 if (unlikely(protocol_failed(attr) ||
1401 attr[IPSET_ATTR_SETNAME] == NULL ||
1402 !((attr[IPSET_ATTR_DATA] != NULL) ^
1403 (attr[IPSET_ATTR_ADT] != NULL)) ||
1404 (attr[IPSET_ATTR_DATA] != NULL &&
1405 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1406 (attr[IPSET_ATTR_ADT] != NULL &&
1407 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1408 attr[IPSET_ATTR_LINENO] == NULL))))
1409 return -IPSET_ERR_PROTOCOL;
1411 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1415 use_lineno = !!attr[IPSET_ATTR_LINENO];
1416 if (attr[IPSET_ATTR_DATA]) {
1417 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1418 attr[IPSET_ATTR_DATA],
1419 set->type->adt_policy))
1420 return -IPSET_ERR_PROTOCOL;
1421 ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, flags,
1426 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1427 memset(tb, 0, sizeof(*tb));
1428 if (nla_type(nla) != IPSET_ATTR_DATA ||
1429 !flag_nested(nla) ||
1430 nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1431 set->type->adt_policy))
1432 return -IPSET_ERR_PROTOCOL;
1433 ret = call_ad(ctnl, skb, set, tb, IPSET_DEL,
1443 ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
1444 const struct nlmsghdr *nlh,
1445 const struct nlattr * const attr[])
1448 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1451 if (unlikely(protocol_failed(attr) ||
1452 attr[IPSET_ATTR_SETNAME] == NULL ||
1453 attr[IPSET_ATTR_DATA] == NULL ||
1454 !flag_nested(attr[IPSET_ATTR_DATA])))
1455 return -IPSET_ERR_PROTOCOL;
1457 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1461 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA],
1462 set->type->adt_policy))
1463 return -IPSET_ERR_PROTOCOL;
1465 read_lock_bh(&set->lock);
1466 ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
1467 read_unlock_bh(&set->lock);
1468 /* Userspace can't trigger element to be re-added */
1472 return (ret < 0 && ret != -ENOTEMPTY) ? ret :
1473 ret > 0 ? 0 : -IPSET_ERR_EXIST;
1476 /* Get headed data of a set */
1479 ip_set_header(struct sock *ctnl, struct sk_buff *skb,
1480 const struct nlmsghdr *nlh,
1481 const struct nlattr * const attr[])
1483 const struct ip_set *set;
1484 struct sk_buff *skb2;
1485 struct nlmsghdr *nlh2;
1488 if (unlikely(protocol_failed(attr) ||
1489 attr[IPSET_ATTR_SETNAME] == NULL))
1490 return -IPSET_ERR_PROTOCOL;
1492 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1496 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1500 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1504 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1505 nla_put_string(skb2, IPSET_ATTR_SETNAME, set->name) ||
1506 nla_put_string(skb2, IPSET_ATTR_TYPENAME, set->type->name) ||
1507 nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) ||
1508 nla_put_u8(skb2, IPSET_ATTR_REVISION, set->revision))
1509 goto nla_put_failure;
1510 nlmsg_end(skb2, nlh2);
1512 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1519 nlmsg_cancel(skb2, nlh2);
1527 static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = {
1528 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1529 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
1530 .len = IPSET_MAXNAMELEN - 1 },
1531 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
1535 ip_set_type(struct sock *ctnl, struct sk_buff *skb,
1536 const struct nlmsghdr *nlh,
1537 const struct nlattr * const attr[])
1539 struct sk_buff *skb2;
1540 struct nlmsghdr *nlh2;
1541 u8 family, min, max;
1542 const char *typename;
1545 if (unlikely(protocol_failed(attr) ||
1546 attr[IPSET_ATTR_TYPENAME] == NULL ||
1547 attr[IPSET_ATTR_FAMILY] == NULL))
1548 return -IPSET_ERR_PROTOCOL;
1550 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
1551 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
1552 ret = find_set_type_minmax(typename, family, &min, &max);
1556 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1560 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1564 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1565 nla_put_string(skb2, IPSET_ATTR_TYPENAME, typename) ||
1566 nla_put_u8(skb2, IPSET_ATTR_FAMILY, family) ||
1567 nla_put_u8(skb2, IPSET_ATTR_REVISION, max) ||
1568 nla_put_u8(skb2, IPSET_ATTR_REVISION_MIN, min))
1569 goto nla_put_failure;
1570 nlmsg_end(skb2, nlh2);
1572 pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len);
1573 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1580 nlmsg_cancel(skb2, nlh2);
1586 /* Get protocol version */
1588 static const struct nla_policy
1589 ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = {
1590 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1594 ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
1595 const struct nlmsghdr *nlh,
1596 const struct nlattr * const attr[])
1598 struct sk_buff *skb2;
1599 struct nlmsghdr *nlh2;
1602 if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL))
1603 return -IPSET_ERR_PROTOCOL;
1605 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1609 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1610 IPSET_CMD_PROTOCOL);
1613 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL))
1614 goto nla_put_failure;
1615 nlmsg_end(skb2, nlh2);
1617 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1624 nlmsg_cancel(skb2, nlh2);
1630 static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
1631 [IPSET_CMD_NONE] = {
1632 .call = ip_set_none,
1633 .attr_count = IPSET_ATTR_CMD_MAX,
1635 [IPSET_CMD_CREATE] = {
1636 .call = ip_set_create,
1637 .attr_count = IPSET_ATTR_CMD_MAX,
1638 .policy = ip_set_create_policy,
1640 [IPSET_CMD_DESTROY] = {
1641 .call = ip_set_destroy,
1642 .attr_count = IPSET_ATTR_CMD_MAX,
1643 .policy = ip_set_setname_policy,
1645 [IPSET_CMD_FLUSH] = {
1646 .call = ip_set_flush,
1647 .attr_count = IPSET_ATTR_CMD_MAX,
1648 .policy = ip_set_setname_policy,
1650 [IPSET_CMD_RENAME] = {
1651 .call = ip_set_rename,
1652 .attr_count = IPSET_ATTR_CMD_MAX,
1653 .policy = ip_set_setname2_policy,
1655 [IPSET_CMD_SWAP] = {
1656 .call = ip_set_swap,
1657 .attr_count = IPSET_ATTR_CMD_MAX,
1658 .policy = ip_set_setname2_policy,
1660 [IPSET_CMD_LIST] = {
1661 .call = ip_set_dump,
1662 .attr_count = IPSET_ATTR_CMD_MAX,
1663 .policy = ip_set_setname_policy,
1665 [IPSET_CMD_SAVE] = {
1666 .call = ip_set_dump,
1667 .attr_count = IPSET_ATTR_CMD_MAX,
1668 .policy = ip_set_setname_policy,
1671 .call = ip_set_uadd,
1672 .attr_count = IPSET_ATTR_CMD_MAX,
1673 .policy = ip_set_adt_policy,
1676 .call = ip_set_udel,
1677 .attr_count = IPSET_ATTR_CMD_MAX,
1678 .policy = ip_set_adt_policy,
1680 [IPSET_CMD_TEST] = {
1681 .call = ip_set_utest,
1682 .attr_count = IPSET_ATTR_CMD_MAX,
1683 .policy = ip_set_adt_policy,
1685 [IPSET_CMD_HEADER] = {
1686 .call = ip_set_header,
1687 .attr_count = IPSET_ATTR_CMD_MAX,
1688 .policy = ip_set_setname_policy,
1690 [IPSET_CMD_TYPE] = {
1691 .call = ip_set_type,
1692 .attr_count = IPSET_ATTR_CMD_MAX,
1693 .policy = ip_set_type_policy,
1695 [IPSET_CMD_PROTOCOL] = {
1696 .call = ip_set_protocol,
1697 .attr_count = IPSET_ATTR_CMD_MAX,
1698 .policy = ip_set_protocol_policy,
1702 static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = {
1704 .subsys_id = NFNL_SUBSYS_IPSET,
1705 .cb_count = IPSET_MSG_MAX,
1706 .cb = ip_set_netlink_subsys_cb,
1709 /* Interface to iptables/ip6tables */
1712 ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
1716 int copylen = *len, ret = 0;
1718 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1720 if (optval != SO_IP_SET)
1722 if (*len < sizeof(unsigned int))
1725 data = vmalloc(*len);
1728 if (copy_from_user(data, user, *len) != 0) {
1732 op = (unsigned int *) data;
1734 if (*op < IP_SET_OP_VERSION) {
1735 /* Check the version at the beginning of operations */
1736 struct ip_set_req_version *req_version = data;
1737 if (req_version->version != IPSET_PROTOCOL) {
1744 case IP_SET_OP_VERSION: {
1745 struct ip_set_req_version *req_version = data;
1747 if (*len != sizeof(struct ip_set_req_version)) {
1752 req_version->version = IPSET_PROTOCOL;
1753 ret = copy_to_user(user, req_version,
1754 sizeof(struct ip_set_req_version));
1757 case IP_SET_OP_GET_BYNAME: {
1758 struct ip_set_req_get_set *req_get = data;
1761 if (*len != sizeof(struct ip_set_req_get_set)) {
1765 req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
1766 nfnl_lock(NFNL_SUBSYS_IPSET);
1767 find_set_and_id(req_get->set.name, &id);
1768 req_get->set.index = id;
1769 nfnl_unlock(NFNL_SUBSYS_IPSET);
1772 case IP_SET_OP_GET_BYINDEX: {
1773 struct ip_set_req_get_set *req_get = data;
1776 if (*len != sizeof(struct ip_set_req_get_set) ||
1777 req_get->set.index >= ip_set_max) {
1781 nfnl_lock(NFNL_SUBSYS_IPSET);
1782 set = nfnl_set(req_get->set.index);
1783 strncpy(req_get->set.name, set ? set->name : "",
1785 nfnl_unlock(NFNL_SUBSYS_IPSET);
1791 } /* end of switch(op) */
1794 ret = copy_to_user(user, data, copylen);
1803 static struct nf_sockopt_ops so_set __read_mostly = {
1805 .get_optmin = SO_IP_SET,
1806 .get_optmax = SO_IP_SET + 1,
1807 .get = &ip_set_sockfn_get,
1808 .owner = THIS_MODULE,
1814 struct ip_set **list;
1818 ip_set_max = max_sets;
1819 if (ip_set_max >= IPSET_INVALID_ID)
1820 ip_set_max = IPSET_INVALID_ID - 1;
1822 list = kzalloc(sizeof(struct ip_set *) * ip_set_max, GFP_KERNEL);
1826 rcu_assign_pointer(ip_set_list, list);
1827 ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
1829 pr_err("ip_set: cannot register with nfnetlink.\n");
1833 ret = nf_register_sockopt(&so_set);
1835 pr_err("SO_SET registry failed: %d\n", ret);
1836 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1841 pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL);
1848 struct ip_set **list = rcu_dereference_protected(ip_set_list, 1);
1850 /* There can't be any existing set */
1851 nf_unregister_sockopt(&so_set);
1852 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1854 pr_debug("these are the famous last words\n");
1857 module_init(ip_set_init);
1858 module_exit(ip_set_fini);