31
31
match_set(ip_set_id_t index, const struct sk_buff *skb,
32
u8 pf, u8 dim, u8 flags, int inv)
32
const struct xt_action_param *par,
33
const struct ip_set_adt_opt *opt, int inv)
34
if (ip_set_test(index, skb, pf, dim, flags))
35
if (ip_set_test(index, skb, par, opt))
40
#define ADT_OPT(n, f, d, fs, cfs, t) \
41
const struct ip_set_adt_opt n = { \
39
49
/* Revision 0 interface: backward compatible with netfilter/iptables */
41
/* Backward compatibility constrains (incomplete):
42
* 2.6.24: [NETLINK]: Introduce nested and byteorder flag to netlink attribute
43
* 2.6.25: is_vmalloc_addr(): Check if an address is within the vmalloc
45
* 2.6.27: rcu: split list.h and move rcu-protected lists into rculist.h
46
* 2.6.28: netfilter: ctnetlink: remove bogus module dependency between
47
* ctnetlink and nf_nat (nfnl_lock/nfnl_unlock)
48
* 2.6.29: generic swap(): introduce global macro swap(a, b)
49
* 2.6.31: netfilter: passive OS fingerprint xtables match
50
* 2.6.34: rcu: Add lockdep-enabled variants of rcu_dereference()
53
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34)
54
#error "Linux kernel version too old: must be >= 2.6.34"
57
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)
59
#define CHECK_FAIL(err) 0
60
#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
62
#define CHECK_FAIL(err) (err)
65
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)
67
set_match_v0(const struct sk_buff *skb, const struct xt_match_param *par)
68
#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
70
52
set_match_v0(const struct sk_buff *skb, struct xt_action_param *par)
73
54
const struct xt_set_info_match_v0 *info = par->matchinfo;
55
ADT_OPT(opt, par->family, info->match_set.u.compat.dim,
56
info->match_set.u.compat.flags, 0, UINT_MAX);
75
return match_set(info->match_set.index, skb, par->family,
76
info->match_set.u.compat.dim,
77
info->match_set.u.compat.flags,
58
return match_set(info->match_set.index, skb, par, &opt,
78
59
info->match_set.u.compat.flags & IPSET_INV_MATCH);
110
86
if (index == IPSET_INVALID_ID) {
111
87
pr_warning("Cannot find set indentified by id %u to match\n",
112
88
info->match_set.index);
113
return CHECK_FAIL(-ENOENT); /* error */
115
91
if (info->match_set.u.flags[IPSET_DIM_MAX-1] != 0) {
116
92
pr_warning("Protocol error: set match dimension "
117
93
"is over the limit!\n");
118
94
ip_set_nfnl_put(info->match_set.index);
119
return CHECK_FAIL(-ERANGE); /* error */
122
98
/* Fill out compatibility data */
123
99
compat_flags(&info->match_set);
133
109
ip_set_nfnl_put(info->match_set.index);
136
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)
138
set_target_v0(struct sk_buff *skb, const struct xt_target_param *par)
139
#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
140
112
static unsigned int
141
113
set_target_v0(struct sk_buff *skb, const struct xt_action_param *par)
144
115
const struct xt_set_info_target_v0 *info = par->targinfo;
116
ADT_OPT(add_opt, par->family, info->add_set.u.compat.dim,
117
info->add_set.u.compat.flags, 0, UINT_MAX);
118
ADT_OPT(del_opt, par->family, info->del_set.u.compat.dim,
119
info->del_set.u.compat.flags, 0, UINT_MAX);
146
121
if (info->add_set.index != IPSET_INVALID_ID)
147
ip_set_add(info->add_set.index, skb, par->family,
148
info->add_set.u.compat.dim,
149
info->add_set.u.compat.flags);
122
ip_set_add(info->add_set.index, skb, par, &add_opt);
150
123
if (info->del_set.index != IPSET_INVALID_ID)
151
ip_set_del(info->del_set.index, skb, par->family,
152
info->del_set.u.compat.dim,
153
info->del_set.u.compat.flags);
124
ip_set_del(info->del_set.index, skb, par, &del_opt);
155
126
return XT_CONTINUE;
158
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)
160
set_target_v0_checkentry(const struct xt_tgchk_param *par)
161
#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
163
130
set_target_v0_checkentry(const struct xt_tgchk_param *par)
166
132
struct xt_set_info_target_v0 *info = par->targinfo;
167
133
ip_set_id_t index;
214
180
ip_set_nfnl_put(info->del_set.index);
217
/* Revision 1: current interface to netfilter/iptables */
183
/* Revision 1 match and target */
219
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)
221
set_match(const struct sk_buff *skb, const struct xt_match_param *par)
222
#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
224
set_match(const struct sk_buff *skb, struct xt_action_param *par)
186
set_match_v1(const struct sk_buff *skb, struct xt_action_param *par)
227
const struct xt_set_info_match *info = par->matchinfo;
188
const struct xt_set_info_match_v1 *info = par->matchinfo;
189
ADT_OPT(opt, par->family, info->match_set.dim,
190
info->match_set.flags, 0, UINT_MAX);
229
return match_set(info->match_set.index, skb, par->family,
231
info->match_set.flags,
192
return match_set(info->match_set.index, skb, par, &opt,
232
193
info->match_set.flags & IPSET_INV_MATCH);
235
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)
237
set_match_checkentry(const struct xt_mtchk_param *par)
238
#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
240
set_match_checkentry(const struct xt_mtchk_param *par)
197
set_match_v1_checkentry(const struct xt_mtchk_param *par)
243
struct xt_set_info_match *info = par->matchinfo;
199
struct xt_set_info_match_v1 *info = par->matchinfo;
244
200
ip_set_id_t index;
246
202
index = ip_set_nfnl_get_byindex(info->match_set.index);
248
204
if (index == IPSET_INVALID_ID) {
249
205
pr_warning("Cannot find set indentified by id %u to match\n",
250
206
info->match_set.index);
251
return CHECK_FAIL(-ENOENT); /* error */
253
209
if (info->match_set.dim > IPSET_DIM_MAX) {
254
210
pr_warning("Protocol error: set match dimension "
255
211
"is over the limit!\n");
256
212
ip_set_nfnl_put(info->match_set.index);
257
return CHECK_FAIL(-ERANGE); /* error */
264
set_match_destroy(const struct xt_mtdtor_param *par)
220
set_match_v1_destroy(const struct xt_mtdtor_param *par)
266
struct xt_set_info_match *info = par->matchinfo;
222
struct xt_set_info_match_v1 *info = par->matchinfo;
268
224
ip_set_nfnl_put(info->match_set.index);
271
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)
273
set_target(struct sk_buff *skb, const struct xt_target_param *par)
274
#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
276
set_target(struct sk_buff *skb, const struct xt_action_param *par)
228
set_target_v1(struct sk_buff *skb, const struct xt_action_param *par)
279
const struct xt_set_info_target *info = par->targinfo;
230
const struct xt_set_info_target_v1 *info = par->targinfo;
231
ADT_OPT(add_opt, par->family, info->add_set.dim,
232
info->add_set.flags, 0, UINT_MAX);
233
ADT_OPT(del_opt, par->family, info->del_set.dim,
234
info->del_set.flags, 0, UINT_MAX);
281
236
if (info->add_set.index != IPSET_INVALID_ID)
282
ip_set_add(info->add_set.index,
285
info->add_set.flags);
237
ip_set_add(info->add_set.index, skb, par, &add_opt);
286
238
if (info->del_set.index != IPSET_INVALID_ID)
287
ip_set_del(info->del_set.index,
290
info->del_set.flags);
239
ip_set_del(info->del_set.index, skb, par, &del_opt);
292
241
return XT_CONTINUE;
295
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)
297
set_target_checkentry(const struct xt_tgchk_param *par)
298
#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */
300
set_target_checkentry(const struct xt_tgchk_param *par)
245
set_target_v1_checkentry(const struct xt_tgchk_param *par)
303
const struct xt_set_info_target *info = par->targinfo;
247
const struct xt_set_info_target_v1 *info = par->targinfo;
304
248
ip_set_id_t index;
306
250
if (info->add_set.index != IPSET_INVALID_ID) {
330
274
ip_set_nfnl_put(info->add_set.index);
331
275
if (info->del_set.index != IPSET_INVALID_ID)
332
276
ip_set_nfnl_put(info->del_set.index);
333
return CHECK_FAIL(-ERANGE); /* error */
340
set_target_destroy(const struct xt_tgdtor_param *par)
284
set_target_v1_destroy(const struct xt_tgdtor_param *par)
342
const struct xt_set_info_target *info = par->targinfo;
286
const struct xt_set_info_target_v1 *info = par->targinfo;
344
288
if (info->add_set.index != IPSET_INVALID_ID)
345
289
ip_set_nfnl_put(info->add_set.index);
347
291
ip_set_nfnl_put(info->del_set.index);
294
/* Revision 2 target */
297
set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
299
const struct xt_set_info_target_v2 *info = par->targinfo;
300
ADT_OPT(add_opt, par->family, info->add_set.dim,
301
info->add_set.flags, info->flags, info->timeout);
302
ADT_OPT(del_opt, par->family, info->del_set.dim,
303
info->del_set.flags, 0, UINT_MAX);
305
if (info->add_set.index != IPSET_INVALID_ID)
306
ip_set_add(info->add_set.index, skb, par, &add_opt);
307
if (info->del_set.index != IPSET_INVALID_ID)
308
ip_set_del(info->del_set.index, skb, par, &del_opt);
313
#define set_target_v2_checkentry set_target_v1_checkentry
314
#define set_target_v2_destroy set_target_v1_destroy
350
316
static struct xt_match set_matches[] __read_mostly = {
363
329
.family = NFPROTO_IPV4,
366
.matchsize = sizeof(struct xt_set_info_match),
367
.checkentry = set_match_checkentry,
368
.destroy = set_match_destroy,
331
.match = set_match_v1,
332
.matchsize = sizeof(struct xt_set_info_match_v1),
333
.checkentry = set_match_v1_checkentry,
334
.destroy = set_match_v1_destroy,
369
335
.me = THIS_MODULE
373
339
.family = NFPROTO_IPV6,
376
.matchsize = sizeof(struct xt_set_info_match),
377
.checkentry = set_match_checkentry,
378
.destroy = set_match_destroy,
341
.match = set_match_v1,
342
.matchsize = sizeof(struct xt_set_info_match_v1),
343
.checkentry = set_match_v1_checkentry,
344
.destroy = set_match_v1_destroy,
379
345
.me = THIS_MODULE
397
363
.family = NFPROTO_IPV4,
398
.target = set_target,
399
.targetsize = sizeof(struct xt_set_info_target),
400
.checkentry = set_target_checkentry,
401
.destroy = set_target_destroy,
364
.target = set_target_v1,
365
.targetsize = sizeof(struct xt_set_info_target_v1),
366
.checkentry = set_target_v1_checkentry,
367
.destroy = set_target_v1_destroy,
402
368
.me = THIS_MODULE
407
373
.family = NFPROTO_IPV6,
408
.target = set_target,
409
.targetsize = sizeof(struct xt_set_info_target),
410
.checkentry = set_target_checkentry,
411
.destroy = set_target_destroy,
374
.target = set_target_v1,
375
.targetsize = sizeof(struct xt_set_info_target_v1),
376
.checkentry = set_target_v1_checkentry,
377
.destroy = set_target_v1_destroy,
383
.family = NFPROTO_IPV4,
384
.target = set_target_v2,
385
.targetsize = sizeof(struct xt_set_info_target_v2),
386
.checkentry = set_target_v2_checkentry,
387
.destroy = set_target_v2_destroy,
393
.family = NFPROTO_IPV6,
394
.target = set_target_v2,
395
.targetsize = sizeof(struct xt_set_info_target_v2),
396
.checkentry = set_target_v2_checkentry,
397
.destroy = set_target_v2_destroy,
412
398
.me = THIS_MODULE