1
2
3
4
5
6
7
8
9
10
11
12#include <linux/init.h>
13#include <linux/module.h>
14#include <linux/moduleparam.h>
15#include <linux/ip.h>
16#include <linux/skbuff.h>
17#include <linux/spinlock.h>
18#include <linux/rculist.h>
19#include <net/netlink.h>
20
21#include <linux/netfilter.h>
22#include <linux/netfilter/x_tables.h>
23#include <linux/netfilter/nfnetlink.h>
24#include <linux/netfilter/ipset/ip_set.h>
25
26static LIST_HEAD(ip_set_type_list);
27static DEFINE_MUTEX(ip_set_type_mutex);
28static DEFINE_RWLOCK(ip_set_ref_lock);
29
30static struct ip_set * __rcu *ip_set_list;
31static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX;
32
33#define IP_SET_INC 64
34#define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
35
36static unsigned int max_sets;
37
38module_param(max_sets, int, 0600);
39MODULE_PARM_DESC(max_sets, "maximal number of sets");
40MODULE_LICENSE("GPL");
41MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
42MODULE_DESCRIPTION("core IP set support");
43MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
44
45
46#define nfnl_dereference(p) \
47 rcu_dereference_protected(p, 1)
48#define nfnl_set(id) \
49 nfnl_dereference(ip_set_list)[id]
50
51
52
53
54
55
56
57static inline void
58ip_set_type_lock(void)
59{
60 mutex_lock(&ip_set_type_mutex);
61}
62
63static inline void
64ip_set_type_unlock(void)
65{
66 mutex_unlock(&ip_set_type_mutex);
67}
68
69
70
71static struct ip_set_type *
72find_set_type(const char *name, u8 family, u8 revision)
73{
74 struct ip_set_type *type;
75
76 list_for_each_entry_rcu(type, &ip_set_type_list, list)
77 if (STREQ(type->name, name) &&
78 (type->family == family ||
79 type->family == NFPROTO_UNSPEC) &&
80 revision >= type->revision_min &&
81 revision <= type->revision_max)
82 return type;
83 return NULL;
84}
85
86
87static bool
88load_settype(const char *name)
89{
90 nfnl_unlock(NFNL_SUBSYS_IPSET);
91 pr_debug("try to load ip_set_%s\n", name);
92 if (request_module("ip_set_%s", name) < 0) {
93 pr_warning("Can't find ip_set type %s\n", name);
94 nfnl_lock(NFNL_SUBSYS_IPSET);
95 return false;
96 }
97 nfnl_lock(NFNL_SUBSYS_IPSET);
98 return true;
99}
100
101
102#define find_set_type_get(name, family, revision, found) \
103 __find_set_type_get(name, family, revision, found, false)
104
105static int
106__find_set_type_get(const char *name, u8 family, u8 revision,
107 struct ip_set_type **found, bool retry)
108{
109 struct ip_set_type *type;
110 int err;
111
112 if (retry && !load_settype(name))
113 return -IPSET_ERR_FIND_TYPE;
114
115 rcu_read_lock();
116 *found = find_set_type(name, family, revision);
117 if (*found) {
118 err = !try_module_get((*found)->me) ? -EFAULT : 0;
119 goto unlock;
120 }
121
122
123 list_for_each_entry_rcu(type, &ip_set_type_list, list)
124 if (STREQ(type->name, name)) {
125 err = -IPSET_ERR_FIND_TYPE;
126 goto unlock;
127 }
128 rcu_read_unlock();
129
130 return retry ? -IPSET_ERR_FIND_TYPE :
131 __find_set_type_get(name, family, revision, found, true);
132
133unlock:
134 rcu_read_unlock();
135 return err;
136}
137
138
139
140
141
142#define find_set_type_minmax(name, family, min, max) \
143 __find_set_type_minmax(name, family, min, max, false)
144
145static int
146__find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max,
147 bool retry)
148{
149 struct ip_set_type *type;
150 bool found = false;
151
152 if (retry && !load_settype(name))
153 return -IPSET_ERR_FIND_TYPE;
154
155 *min = 255; *max = 0;
156 rcu_read_lock();
157 list_for_each_entry_rcu(type, &ip_set_type_list, list)
158 if (STREQ(type->name, name) &&
159 (type->family == family ||
160 type->family == NFPROTO_UNSPEC)) {
161 found = true;
162 if (type->revision_min < *min)
163 *min = type->revision_min;
164 if (type->revision_max > *max)
165 *max = type->revision_max;
166 }
167 rcu_read_unlock();
168 if (found)
169 return 0;
170
171 return retry ? -IPSET_ERR_FIND_TYPE :
172 __find_set_type_minmax(name, family, min, max, true);
173}
174
175#define family_name(f) ((f) == NFPROTO_IPV4 ? "inet" : \
176 (f) == NFPROTO_IPV6 ? "inet6" : "any")
177
178
179
180
181int
182ip_set_type_register(struct ip_set_type *type)
183{
184 int ret = 0;
185
186 if (type->protocol != IPSET_PROTOCOL) {
187 pr_warning("ip_set type %s, family %s, revision %u:%u uses "
188 "wrong protocol version %u (want %u)\n",
189 type->name, family_name(type->family),
190 type->revision_min, type->revision_max,
191 type->protocol, IPSET_PROTOCOL);
192 return -EINVAL;
193 }
194
195 ip_set_type_lock();
196 if (find_set_type(type->name, type->family, type->revision_min)) {
197
198 pr_warning("ip_set type %s, family %s with revision min %u "
199 "already registered!\n", type->name,
200 family_name(type->family), type->revision_min);
201 ret = -EINVAL;
202 goto unlock;
203 }
204 list_add_rcu(&type->list, &ip_set_type_list);
205 pr_debug("type %s, family %s, revision %u:%u registered.\n",
206 type->name, family_name(type->family),
207 type->revision_min, type->revision_max);
208unlock:
209 ip_set_type_unlock();
210 return ret;
211}
212EXPORT_SYMBOL_GPL(ip_set_type_register);
213
214
215void
216ip_set_type_unregister(struct ip_set_type *type)
217{
218 ip_set_type_lock();
219 if (!find_set_type(type->name, type->family, type->revision_min)) {
220 pr_warning("ip_set type %s, family %s with revision min %u "
221 "not registered\n", type->name,
222 family_name(type->family), type->revision_min);
223 goto unlock;
224 }
225 list_del_rcu(&type->list);
226 pr_debug("type %s, family %s with revision min %u unregistered.\n",
227 type->name, family_name(type->family), type->revision_min);
228unlock:
229 ip_set_type_unlock();
230
231 synchronize_rcu();
232}
233EXPORT_SYMBOL_GPL(ip_set_type_unregister);
234
235
236void *
237ip_set_alloc(size_t size)
238{
239 void *members = NULL;
240
241 if (size < KMALLOC_MAX_SIZE)
242 members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
243
244 if (members) {
245 pr_debug("%p: allocated with kmalloc\n", members);
246 return members;
247 }
248
249 members = vzalloc(size);
250 if (!members)
251 return NULL;
252 pr_debug("%p: allocated with vmalloc\n", members);
253
254 return members;
255}
256EXPORT_SYMBOL_GPL(ip_set_alloc);
257
258void
259ip_set_free(void *members)
260{
261 pr_debug("%p: free with %s\n", members,
262 is_vmalloc_addr(members) ? "vfree" : "kfree");
263 if (is_vmalloc_addr(members))
264 vfree(members);
265 else
266 kfree(members);
267}
268EXPORT_SYMBOL_GPL(ip_set_free);
269
270static inline bool
271flag_nested(const struct nlattr *nla)
272{
273 return nla->nla_type & NLA_F_NESTED;
274}
275
276static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
277 [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 },
278 [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY,
279 .len = sizeof(struct in6_addr) },
280};
281
282int
283ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr)
284{
285 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
286
287 if (unlikely(!flag_nested(nla)))
288 return -IPSET_ERR_PROTOCOL;
289 if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
290 return -IPSET_ERR_PROTOCOL;
291 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4)))
292 return -IPSET_ERR_PROTOCOL;
293
294 *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]);
295 return 0;
296}
297EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4);
298
299int
300ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
301{
302 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
303
304 if (unlikely(!flag_nested(nla)))
305 return -IPSET_ERR_PROTOCOL;
306
307 if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
308 return -IPSET_ERR_PROTOCOL;
309 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6)))
310 return -IPSET_ERR_PROTOCOL;
311
312 memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]),
313 sizeof(struct in6_addr));
314 return 0;
315}
316EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
317
318int
319ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],
320 struct ip_set_ext *ext)
321{
322 if (tb[IPSET_ATTR_TIMEOUT]) {
323 if (!(set->extensions & IPSET_EXT_TIMEOUT))
324 return -IPSET_ERR_TIMEOUT;
325 ext->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
326 }
327 if (tb[IPSET_ATTR_BYTES] || tb[IPSET_ATTR_PACKETS]) {
328 if (!(set->extensions & IPSET_EXT_COUNTER))
329 return -IPSET_ERR_COUNTER;
330 if (tb[IPSET_ATTR_BYTES])
331 ext->bytes = be64_to_cpu(nla_get_be64(
332 tb[IPSET_ATTR_BYTES]));
333 if (tb[IPSET_ATTR_PACKETS])
334 ext->packets = be64_to_cpu(nla_get_be64(
335 tb[IPSET_ATTR_PACKETS]));
336 }
337 return 0;
338}
339EXPORT_SYMBOL_GPL(ip_set_get_extensions);
340
341
342
343
344
345
346
347
348
349
350
351
352static inline void
353__ip_set_get(struct ip_set *set)
354{
355 write_lock_bh(&ip_set_ref_lock);
356 set->ref++;
357 write_unlock_bh(&ip_set_ref_lock);
358}
359
360static inline void
361__ip_set_put(struct ip_set *set)
362{
363 write_lock_bh(&ip_set_ref_lock);
364 BUG_ON(set->ref == 0);
365 set->ref--;
366 write_unlock_bh(&ip_set_ref_lock);
367}
368
369
370
371
372
373
374
375
376static inline struct ip_set *
377ip_set_rcu_get(ip_set_id_t index)
378{
379 struct ip_set *set;
380
381 rcu_read_lock();
382
383 set = rcu_dereference(ip_set_list)[index];
384 rcu_read_unlock();
385
386 return set;
387}
388
389int
390ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
391 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
392{
393 struct ip_set *set = ip_set_rcu_get(index);
394 int ret = 0;
395
396 BUG_ON(set == NULL);
397 pr_debug("set %s, index %u\n", set->name, index);
398
399 if (opt->dim < set->type->dimension ||
400 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
401 return 0;
402
403 read_lock_bh(&set->lock);
404 ret = set->variant->kadt(set, skb, par, IPSET_TEST, opt);
405 read_unlock_bh(&set->lock);
406
407 if (ret == -EAGAIN) {
408
409 pr_debug("element must be competed, ADD is triggered\n");
410 write_lock_bh(&set->lock);
411 set->variant->kadt(set, skb, par, IPSET_ADD, opt);
412 write_unlock_bh(&set->lock);
413 ret = 1;
414 } else {
415
416 if ((opt->cmdflags & IPSET_FLAG_RETURN_NOMATCH) &&
417 (set->type->features & IPSET_TYPE_NOMATCH) &&
418 (ret > 0 || ret == -ENOTEMPTY))
419 ret = -ret;
420 }
421
422
423 return (ret < 0 ? 0 : ret);
424}
425EXPORT_SYMBOL_GPL(ip_set_test);
426
427int
428ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
429 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
430{
431 struct ip_set *set = ip_set_rcu_get(index);
432 int ret;
433
434 BUG_ON(set == NULL);
435 pr_debug("set %s, index %u\n", set->name, index);
436
437 if (opt->dim < set->type->dimension ||
438 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
439 return 0;
440
441 write_lock_bh(&set->lock);
442 ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt);
443 write_unlock_bh(&set->lock);
444
445 return ret;
446}
447EXPORT_SYMBOL_GPL(ip_set_add);
448
449int
450ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
451 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
452{
453 struct ip_set *set = ip_set_rcu_get(index);
454 int ret = 0;
455
456 BUG_ON(set == NULL);
457 pr_debug("set %s, index %u\n", set->name, index);
458
459 if (opt->dim < set->type->dimension ||
460 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
461 return 0;
462
463 write_lock_bh(&set->lock);
464 ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt);
465 write_unlock_bh(&set->lock);
466
467 return ret;
468}
469EXPORT_SYMBOL_GPL(ip_set_del);
470
471
472
473
474
475
476ip_set_id_t
477ip_set_get_byname(const char *name, struct ip_set **set)
478{
479 ip_set_id_t i, index = IPSET_INVALID_ID;
480 struct ip_set *s;
481
482 rcu_read_lock();
483 for (i = 0; i < ip_set_max; i++) {
484 s = rcu_dereference(ip_set_list)[i];
485 if (s != NULL && STREQ(s->name, name)) {
486 __ip_set_get(s);
487 index = i;
488 *set = s;
489 break;
490 }
491 }
492 rcu_read_unlock();
493
494 return index;
495}
496EXPORT_SYMBOL_GPL(ip_set_get_byname);
497
498
499
500
501
502
503
504void
505ip_set_put_byindex(ip_set_id_t index)
506{
507 struct ip_set *set;
508
509 rcu_read_lock();
510 set = rcu_dereference(ip_set_list)[index];
511 if (set != NULL)
512 __ip_set_put(set);
513 rcu_read_unlock();
514}
515EXPORT_SYMBOL_GPL(ip_set_put_byindex);
516
517
518
519
520
521
522
523
524const char *
525ip_set_name_byindex(ip_set_id_t index)
526{
527 const struct ip_set *set = ip_set_rcu_get(index);
528
529 BUG_ON(set == NULL);
530 BUG_ON(set->ref == 0);
531
532
533 return set->name;
534}
535EXPORT_SYMBOL_GPL(ip_set_name_byindex);
536
537
538
539
540
541
542
543
544
545
546
547
548ip_set_id_t
549ip_set_nfnl_get(const char *name)
550{
551 ip_set_id_t i, index = IPSET_INVALID_ID;
552 struct ip_set *s;
553
554 nfnl_lock(NFNL_SUBSYS_IPSET);
555 for (i = 0; i < ip_set_max; i++) {
556 s = nfnl_set(i);
557 if (s != NULL && STREQ(s->name, name)) {
558 __ip_set_get(s);
559 index = i;
560 break;
561 }
562 }
563 nfnl_unlock(NFNL_SUBSYS_IPSET);
564
565 return index;
566}
567EXPORT_SYMBOL_GPL(ip_set_nfnl_get);
568
569
570
571
572
573
574
575ip_set_id_t
576ip_set_nfnl_get_byindex(ip_set_id_t index)
577{
578 struct ip_set *set;
579
580 if (index > ip_set_max)
581 return IPSET_INVALID_ID;
582
583 nfnl_lock(NFNL_SUBSYS_IPSET);
584 set = nfnl_set(index);
585 if (set)
586 __ip_set_get(set);
587 else
588 index = IPSET_INVALID_ID;
589 nfnl_unlock(NFNL_SUBSYS_IPSET);
590
591 return index;
592}
593EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex);
594
595
596
597
598
599
600
601
602void
603ip_set_nfnl_put(ip_set_id_t index)
604{
605 struct ip_set *set;
606 nfnl_lock(NFNL_SUBSYS_IPSET);
607 set = nfnl_set(index);
608 if (set != NULL)
609 __ip_set_put(set);
610 nfnl_unlock(NFNL_SUBSYS_IPSET);
611}
612EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
613
614
615
616
617
618
619
620static inline bool
621protocol_failed(const struct nlattr * const tb[])
622{
623 return !tb[IPSET_ATTR_PROTOCOL] ||
624 nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL;
625}
626
627static inline u32
628flag_exist(const struct nlmsghdr *nlh)
629{
630 return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST;
631}
632
633static struct nlmsghdr *
634start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags,
635 enum ipset_cmd cmd)
636{
637 struct nlmsghdr *nlh;
638 struct nfgenmsg *nfmsg;
639
640 nlh = nlmsg_put(skb, portid, seq, cmd | (NFNL_SUBSYS_IPSET << 8),
641 sizeof(*nfmsg), flags);
642 if (nlh == NULL)
643 return NULL;
644
645 nfmsg = nlmsg_data(nlh);
646 nfmsg->nfgen_family = NFPROTO_IPV4;
647 nfmsg->version = NFNETLINK_V0;
648 nfmsg->res_id = 0;
649
650 return nlh;
651}
652
653
654
655static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = {
656 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
657 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
658 .len = IPSET_MAXNAMELEN - 1 },
659 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
660 .len = IPSET_MAXNAMELEN - 1},
661 [IPSET_ATTR_REVISION] = { .type = NLA_U8 },
662 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
663 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
664};
665
666static struct ip_set *
667find_set_and_id(const char *name, ip_set_id_t *id)
668{
669 struct ip_set *set = NULL;
670 ip_set_id_t i;
671
672 *id = IPSET_INVALID_ID;
673 for (i = 0; i < ip_set_max; i++) {
674 set = nfnl_set(i);
675 if (set != NULL && STREQ(set->name, name)) {
676 *id = i;
677 break;
678 }
679 }
680 return (*id == IPSET_INVALID_ID ? NULL : set);
681}
682
683static inline struct ip_set *
684find_set(const char *name)
685{
686 ip_set_id_t id;
687
688 return find_set_and_id(name, &id);
689}
690
691static int
692find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set)
693{
694 struct ip_set *s;
695 ip_set_id_t i;
696
697 *index = IPSET_INVALID_ID;
698 for (i = 0; i < ip_set_max; i++) {
699 s = nfnl_set(i);
700 if (s == NULL) {
701 if (*index == IPSET_INVALID_ID)
702 *index = i;
703 } else if (STREQ(name, s->name)) {
704
705 *set = s;
706 return -EEXIST;
707 }
708 }
709 if (*index == IPSET_INVALID_ID)
710
711 return -IPSET_ERR_MAX_SETS;
712 return 0;
713}
714
715static int
716ip_set_none(struct sock *ctnl, struct sk_buff *skb,
717 const struct nlmsghdr *nlh,
718 const struct nlattr * const attr[])
719{
720 return -EOPNOTSUPP;
721}
722
723static int
724ip_set_create(struct sock *ctnl, struct sk_buff *skb,
725 const struct nlmsghdr *nlh,
726 const struct nlattr * const attr[])
727{
728 struct ip_set *set, *clash = NULL;
729 ip_set_id_t index = IPSET_INVALID_ID;
730 struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {};
731 const char *name, *typename;
732 u8 family, revision;
733 u32 flags = flag_exist(nlh);
734 int ret = 0;
735
736 if (unlikely(protocol_failed(attr) ||
737 attr[IPSET_ATTR_SETNAME] == NULL ||
738 attr[IPSET_ATTR_TYPENAME] == NULL ||
739 attr[IPSET_ATTR_REVISION] == NULL ||
740 attr[IPSET_ATTR_FAMILY] == NULL ||
741 (attr[IPSET_ATTR_DATA] != NULL &&
742 !flag_nested(attr[IPSET_ATTR_DATA]))))
743 return -IPSET_ERR_PROTOCOL;
744
745 name = nla_data(attr[IPSET_ATTR_SETNAME]);
746 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
747 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
748 revision = nla_get_u8(attr[IPSET_ATTR_REVISION]);
749 pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
750 name, typename, family_name(family), revision);
751
752
753
754
755
756 set = kzalloc(sizeof(struct ip_set), GFP_KERNEL);
757 if (!set)
758 return -ENOMEM;
759 rwlock_init(&set->lock);
760 strlcpy(set->name, name, IPSET_MAXNAMELEN);
761 set->family = family;
762 set->revision = revision;
763
764
765
766
767
768
769
770
771
772 ret = find_set_type_get(typename, family, revision, &(set->type));
773 if (ret)
774 goto out;
775
776
777
778
779 if (attr[IPSET_ATTR_DATA] &&
780 nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA],
781 set->type->create_policy)) {
782 ret = -IPSET_ERR_PROTOCOL;
783 goto put_out;
784 }
785
786 ret = set->type->create(set, tb, flags);
787 if (ret != 0)
788 goto put_out;
789
790
791
792
793
794
795
796
797 ret = find_free_id(set->name, &index, &clash);
798 if (ret == -EEXIST) {
799
800 if ((flags & IPSET_FLAG_EXIST) &&
801 STREQ(set->type->name, clash->type->name) &&
802 set->type->family == clash->type->family &&
803 set->type->revision_min == clash->type->revision_min &&
804 set->type->revision_max == clash->type->revision_max &&
805 set->variant->same_set(set, clash))
806 ret = 0;
807 goto cleanup;
808 } else if (ret == -IPSET_ERR_MAX_SETS) {
809 struct ip_set **list, **tmp;
810 ip_set_id_t i = ip_set_max + IP_SET_INC;
811
812 if (i < ip_set_max || i == IPSET_INVALID_ID)
813
814 goto cleanup;
815
816 list = kzalloc(sizeof(struct ip_set *) * i, GFP_KERNEL);
817 if (!list)
818 goto cleanup;
819
820 tmp = nfnl_dereference(ip_set_list);
821 memcpy(list, tmp, sizeof(struct ip_set *) * ip_set_max);
822 rcu_assign_pointer(ip_set_list, list);
823
824 synchronize_net();
825
826 index = ip_set_max;
827 ip_set_max = i;
828 kfree(tmp);
829 ret = 0;
830 } else if (ret)
831 goto cleanup;
832
833
834
835
836 pr_debug("create: '%s' created with index %u!\n", set->name, index);
837 nfnl_set(index) = set;
838
839 return ret;
840
841cleanup:
842 set->variant->destroy(set);
843put_out:
844 module_put(set->type->me);
845out:
846 kfree(set);
847 return ret;
848}
849
850
851
852static const struct nla_policy
853ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
854 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
855 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
856 .len = IPSET_MAXNAMELEN - 1 },
857};
858
859static void
860ip_set_destroy_set(ip_set_id_t index)
861{
862 struct ip_set *set = nfnl_set(index);
863
864 pr_debug("set: %s\n", set->name);
865 nfnl_set(index) = NULL;
866
867
868 set->variant->destroy(set);
869 module_put(set->type->me);
870 kfree(set);
871}
872
873static int
874ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
875 const struct nlmsghdr *nlh,
876 const struct nlattr * const attr[])
877{
878 struct ip_set *s;
879 ip_set_id_t i;
880 int ret = 0;
881
882 if (unlikely(protocol_failed(attr)))
883 return -IPSET_ERR_PROTOCOL;
884
885
886
887
888
889
890
891
892
893
894
895 read_lock_bh(&ip_set_ref_lock);
896 if (!attr[IPSET_ATTR_SETNAME]) {
897 for (i = 0; i < ip_set_max; i++) {
898 s = nfnl_set(i);
899 if (s != NULL && s->ref) {
900 ret = -IPSET_ERR_BUSY;
901 goto out;
902 }
903 }
904 read_unlock_bh(&ip_set_ref_lock);
905 for (i = 0; i < ip_set_max; i++) {
906 s = nfnl_set(i);
907 if (s != NULL)
908 ip_set_destroy_set(i);
909 }
910 } else {
911 s = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME]), &i);
912 if (s == NULL) {
913 ret = -ENOENT;
914 goto out;
915 } else if (s->ref) {
916 ret = -IPSET_ERR_BUSY;
917 goto out;
918 }
919 read_unlock_bh(&ip_set_ref_lock);
920
921 ip_set_destroy_set(i);
922 }
923 return 0;
924out:
925 read_unlock_bh(&ip_set_ref_lock);
926 return ret;
927}
928
929
930
931static void
932ip_set_flush_set(struct ip_set *set)
933{
934 pr_debug("set: %s\n", set->name);
935
936 write_lock_bh(&set->lock);
937 set->variant->flush(set);
938 write_unlock_bh(&set->lock);
939}
940
941static int
942ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
943 const struct nlmsghdr *nlh,
944 const struct nlattr * const attr[])
945{
946 struct ip_set *s;
947 ip_set_id_t i;
948
949 if (unlikely(protocol_failed(attr)))
950 return -IPSET_ERR_PROTOCOL;
951
952 if (!attr[IPSET_ATTR_SETNAME]) {
953 for (i = 0; i < ip_set_max; i++) {
954 s = nfnl_set(i);
955 if (s != NULL)
956 ip_set_flush_set(s);
957 }
958 } else {
959 s = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
960 if (s == NULL)
961 return -ENOENT;
962
963 ip_set_flush_set(s);
964 }
965
966 return 0;
967}
968
969
970
971static const struct nla_policy
972ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = {
973 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
974 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
975 .len = IPSET_MAXNAMELEN - 1 },
976 [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING,
977 .len = IPSET_MAXNAMELEN - 1 },
978};
979
980static int
981ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
982 const struct nlmsghdr *nlh,
983 const struct nlattr * const attr[])
984{
985 struct ip_set *set, *s;
986 const char *name2;
987 ip_set_id_t i;
988 int ret = 0;
989
990 if (unlikely(protocol_failed(attr) ||
991 attr[IPSET_ATTR_SETNAME] == NULL ||
992 attr[IPSET_ATTR_SETNAME2] == NULL))
993 return -IPSET_ERR_PROTOCOL;
994
995 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
996 if (set == NULL)
997 return -ENOENT;
998
999 read_lock_bh(&ip_set_ref_lock);
1000 if (set->ref != 0) {
1001 ret = -IPSET_ERR_REFERENCED;
1002 goto out;
1003 }
1004
1005 name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
1006 for (i = 0; i < ip_set_max; i++) {
1007 s = nfnl_set(i);
1008 if (s != NULL && STREQ(s->name, name2)) {
1009 ret = -IPSET_ERR_EXIST_SETNAME2;
1010 goto out;
1011 }
1012 }
1013 strncpy(set->name, name2, IPSET_MAXNAMELEN);
1014
1015out:
1016 read_unlock_bh(&ip_set_ref_lock);
1017 return ret;
1018}
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029static int
1030ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
1031 const struct nlmsghdr *nlh,
1032 const struct nlattr * const attr[])
1033{
1034 struct ip_set *from, *to;
1035 ip_set_id_t from_id, to_id;
1036 char from_name[IPSET_MAXNAMELEN];
1037
1038 if (unlikely(protocol_failed(attr) ||
1039 attr[IPSET_ATTR_SETNAME] == NULL ||
1040 attr[IPSET_ATTR_SETNAME2] == NULL))
1041 return -IPSET_ERR_PROTOCOL;
1042
1043 from = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME]), &from_id);
1044 if (from == NULL)
1045 return -ENOENT;
1046
1047 to = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME2]), &to_id);
1048 if (to == NULL)
1049 return -IPSET_ERR_EXIST_SETNAME2;
1050
1051
1052
1053
1054 if (!(from->type->features == to->type->features &&
1055 from->type->family == to->type->family))
1056 return -IPSET_ERR_TYPE_MISMATCH;
1057
1058 strncpy(from_name, from->name, IPSET_MAXNAMELEN);
1059 strncpy(from->name, to->name, IPSET_MAXNAMELEN);
1060 strncpy(to->name, from_name, IPSET_MAXNAMELEN);
1061
1062 write_lock_bh(&ip_set_ref_lock);
1063 swap(from->ref, to->ref);
1064 nfnl_set(from_id) = to;
1065 nfnl_set(to_id) = from;
1066 write_unlock_bh(&ip_set_ref_lock);
1067
1068 return 0;
1069}
1070
1071
1072
1073#define DUMP_INIT 0
1074#define DUMP_ALL 1
1075#define DUMP_ONE 2
1076#define DUMP_LAST 3
1077
1078#define DUMP_TYPE(arg) (((u32)(arg)) & 0x0000FFFF)
1079#define DUMP_FLAGS(arg) (((u32)(arg)) >> 16)
1080
1081static int
1082ip_set_dump_done(struct netlink_callback *cb)
1083{
1084 if (cb->args[2]) {
1085 pr_debug("release set %s\n", nfnl_set(cb->args[1])->name);
1086 ip_set_put_byindex((ip_set_id_t) cb->args[1]);
1087 }
1088 return 0;
1089}
1090
1091static inline void
1092dump_attrs(struct nlmsghdr *nlh)
1093{
1094 const struct nlattr *attr;
1095 int rem;
1096
1097 pr_debug("dump nlmsg\n");
1098 nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) {
1099 pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len);
1100 }
1101}
1102
1103static int
1104dump_init(struct netlink_callback *cb)
1105{
1106 struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
1107 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
1108 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1109 struct nlattr *attr = (void *)nlh + min_len;
1110 u32 dump_type;
1111 ip_set_id_t index;
1112
1113
1114 nla_parse(cda, IPSET_ATTR_CMD_MAX,
1115 attr, nlh->nlmsg_len - min_len, ip_set_setname_policy);
1116
1117
1118
1119
1120
1121
1122 if (cda[IPSET_ATTR_SETNAME]) {
1123 struct ip_set *set;
1124
1125 set = find_set_and_id(nla_data(cda[IPSET_ATTR_SETNAME]),
1126 &index);
1127 if (set == NULL)
1128 return -ENOENT;
1129
1130 dump_type = DUMP_ONE;
1131 cb->args[1] = index;
1132 } else
1133 dump_type = DUMP_ALL;
1134
1135 if (cda[IPSET_ATTR_FLAGS]) {
1136 u32 f = ip_set_get_h32(cda[IPSET_ATTR_FLAGS]);
1137 dump_type |= (f << 16);
1138 }
1139 cb->args[0] = dump_type;
1140
1141 return 0;
1142}
1143
1144static int
1145ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
1146{
1147 ip_set_id_t index = IPSET_INVALID_ID, max;
1148 struct ip_set *set = NULL;
1149 struct nlmsghdr *nlh = NULL;
1150 unsigned int flags = NETLINK_CB(cb->skb).portid ? NLM_F_MULTI : 0;
1151 u32 dump_type, dump_flags;
1152 int ret = 0;
1153
1154 if (!cb->args[0]) {
1155 ret = dump_init(cb);
1156 if (ret < 0) {
1157 nlh = nlmsg_hdr(cb->skb);
1158
1159
1160 if (nlh->nlmsg_flags & NLM_F_ACK)
1161 netlink_ack(cb->skb, nlh, ret);
1162 return ret;
1163 }
1164 }
1165
1166 if (cb->args[1] >= ip_set_max)
1167 goto out;
1168
1169 dump_type = DUMP_TYPE(cb->args[0]);
1170 dump_flags = DUMP_FLAGS(cb->args[0]);
1171 max = dump_type == DUMP_ONE ? cb->args[1] + 1 : ip_set_max;
1172dump_last:
1173 pr_debug("args[0]: %u %u args[1]: %ld\n",
1174 dump_type, dump_flags, cb->args[1]);
1175 for (; cb->args[1] < max; cb->args[1]++) {
1176 index = (ip_set_id_t) cb->args[1];
1177 set = nfnl_set(index);
1178 if (set == NULL) {
1179 if (dump_type == DUMP_ONE) {
1180 ret = -ENOENT;
1181 goto out;
1182 }
1183 continue;
1184 }
1185
1186
1187
1188 if (dump_type != DUMP_ONE &&
1189 ((dump_type == DUMP_ALL) ==
1190 !!(set->type->features & IPSET_DUMP_LAST)))
1191 continue;
1192 pr_debug("List set: %s\n", set->name);
1193 if (!cb->args[2]) {
1194
1195 pr_debug("reference set\n");
1196 __ip_set_get(set);
1197 }
1198 nlh = start_msg(skb, NETLINK_CB(cb->skb).portid,
1199 cb->nlh->nlmsg_seq, flags,
1200 IPSET_CMD_LIST);
1201 if (!nlh) {
1202 ret = -EMSGSIZE;
1203 goto release_refcount;
1204 }
1205 if (nla_put_u8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1206 nla_put_string(skb, IPSET_ATTR_SETNAME, set->name))
1207 goto nla_put_failure;
1208 if (dump_flags & IPSET_FLAG_LIST_SETNAME)
1209 goto next_set;
1210 switch (cb->args[2]) {
1211 case 0:
1212
1213 if (nla_put_string(skb, IPSET_ATTR_TYPENAME,
1214 set->type->name) ||
1215 nla_put_u8(skb, IPSET_ATTR_FAMILY,
1216 set->family) ||
1217 nla_put_u8(skb, IPSET_ATTR_REVISION,
1218 set->revision))
1219 goto nla_put_failure;
1220 ret = set->variant->head(set, skb);
1221 if (ret < 0)
1222 goto release_refcount;
1223 if (dump_flags & IPSET_FLAG_LIST_HEADER)
1224 goto next_set;
1225
1226 default:
1227 read_lock_bh(&set->lock);
1228 ret = set->variant->list(set, skb, cb);
1229 read_unlock_bh(&set->lock);
1230 if (!cb->args[2])
1231
1232 goto next_set;
1233 goto release_refcount;
1234 }
1235 }
1236
1237 if (dump_type == DUMP_ALL) {
1238 dump_type = DUMP_LAST;
1239 cb->args[0] = dump_type | (dump_flags << 16);
1240 cb->args[1] = 0;
1241 goto dump_last;
1242 }
1243 goto out;
1244
1245nla_put_failure:
1246 ret = -EFAULT;
1247next_set:
1248 if (dump_type == DUMP_ONE)
1249 cb->args[1] = IPSET_INVALID_ID;
1250 else
1251 cb->args[1]++;
1252release_refcount:
1253
1254 if (ret || !cb->args[2]) {
1255 pr_debug("release set %s\n", nfnl_set(index)->name);
1256 ip_set_put_byindex(index);
1257 cb->args[2] = 0;
1258 }
1259out:
1260 if (nlh) {
1261 nlmsg_end(skb, nlh);
1262 pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len);
1263 dump_attrs(nlh);
1264 }
1265
1266 return ret < 0 ? ret : skb->len;
1267}
1268
1269static int
1270ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
1271 const struct nlmsghdr *nlh,
1272 const struct nlattr * const attr[])
1273{
1274 if (unlikely(protocol_failed(attr)))
1275 return -IPSET_ERR_PROTOCOL;
1276
1277 {
1278 struct netlink_dump_control c = {
1279 .dump = ip_set_dump_start,
1280 .done = ip_set_dump_done,
1281 };
1282 return netlink_dump_start(ctnl, skb, nlh, &c);
1283 }
1284}
1285
1286
1287
1288static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
1289 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1290 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1291 .len = IPSET_MAXNAMELEN - 1 },
1292 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
1293 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
1294 [IPSET_ATTR_ADT] = { .type = NLA_NESTED },
1295};
1296
1297static int
1298call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
1299 struct nlattr *tb[], enum ipset_adt adt,
1300 u32 flags, bool use_lineno)
1301{
1302 int ret;
1303 u32 lineno = 0;
1304 bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
1305
1306 do {
1307 write_lock_bh(&set->lock);
1308 ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
1309 write_unlock_bh(&set->lock);
1310 retried = true;
1311 } while (ret == -EAGAIN &&
1312 set->variant->resize &&
1313 (ret = set->variant->resize(set, retried)) == 0);
1314
1315 if (!ret || (ret == -IPSET_ERR_EXIST && eexist))
1316 return 0;
1317 if (lineno && use_lineno) {
1318
1319 struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
1320 struct sk_buff *skb2;
1321 struct nlmsgerr *errmsg;
1322 size_t payload = sizeof(*errmsg) + nlmsg_len(nlh);
1323 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
1324 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1325 struct nlattr *cmdattr;
1326 u32 *errline;
1327
1328 skb2 = nlmsg_new(payload, GFP_KERNEL);
1329 if (skb2 == NULL)
1330 return -ENOMEM;
1331 rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid,
1332 nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
1333 errmsg = nlmsg_data(rep);
1334 errmsg->error = ret;
1335 memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
1336 cmdattr = (void *)&errmsg->msg + min_len;
1337
1338 nla_parse(cda, IPSET_ATTR_CMD_MAX,
1339 cmdattr, nlh->nlmsg_len - min_len,
1340 ip_set_adt_policy);
1341
1342 errline = nla_data(cda[IPSET_ATTR_LINENO]);
1343
1344 *errline = lineno;
1345
1346 netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1347
1348 return -EINTR;
1349 }
1350
1351 return ret;
1352}
1353
1354static int
1355ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
1356 const struct nlmsghdr *nlh,
1357 const struct nlattr * const attr[])
1358{
1359 struct ip_set *set;
1360 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1361 const struct nlattr *nla;
1362 u32 flags = flag_exist(nlh);
1363 bool use_lineno;
1364 int ret = 0;
1365
1366 if (unlikely(protocol_failed(attr) ||
1367 attr[IPSET_ATTR_SETNAME] == NULL ||
1368 !((attr[IPSET_ATTR_DATA] != NULL) ^
1369 (attr[IPSET_ATTR_ADT] != NULL)) ||
1370 (attr[IPSET_ATTR_DATA] != NULL &&
1371 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1372 (attr[IPSET_ATTR_ADT] != NULL &&
1373 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1374 attr[IPSET_ATTR_LINENO] == NULL))))
1375 return -IPSET_ERR_PROTOCOL;
1376
1377 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1378 if (set == NULL)
1379 return -ENOENT;
1380
1381 use_lineno = !!attr[IPSET_ATTR_LINENO];
1382 if (attr[IPSET_ATTR_DATA]) {
1383 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1384 attr[IPSET_ATTR_DATA],
1385 set->type->adt_policy))
1386 return -IPSET_ERR_PROTOCOL;
1387 ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, flags,
1388 use_lineno);
1389 } else {
1390 int nla_rem;
1391
1392 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1393 memset(tb, 0, sizeof(tb));
1394 if (nla_type(nla) != IPSET_ATTR_DATA ||
1395 !flag_nested(nla) ||
1396 nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1397 set->type->adt_policy))
1398 return -IPSET_ERR_PROTOCOL;
1399 ret = call_ad(ctnl, skb, set, tb, IPSET_ADD,
1400 flags, use_lineno);
1401 if (ret < 0)
1402 return ret;
1403 }
1404 }
1405 return ret;
1406}
1407
1408static int
1409ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
1410 const struct nlmsghdr *nlh,
1411 const struct nlattr * const attr[])
1412{
1413 struct ip_set *set;
1414 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1415 const struct nlattr *nla;
1416 u32 flags = flag_exist(nlh);
1417 bool use_lineno;
1418 int ret = 0;
1419
1420 if (unlikely(protocol_failed(attr) ||
1421 attr[IPSET_ATTR_SETNAME] == NULL ||
1422 !((attr[IPSET_ATTR_DATA] != NULL) ^
1423 (attr[IPSET_ATTR_ADT] != NULL)) ||
1424 (attr[IPSET_ATTR_DATA] != NULL &&
1425 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1426 (attr[IPSET_ATTR_ADT] != NULL &&
1427 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1428 attr[IPSET_ATTR_LINENO] == NULL))))
1429 return -IPSET_ERR_PROTOCOL;
1430
1431 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1432 if (set == NULL)
1433 return -ENOENT;
1434
1435 use_lineno = !!attr[IPSET_ATTR_LINENO];
1436 if (attr[IPSET_ATTR_DATA]) {
1437 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1438 attr[IPSET_ATTR_DATA],
1439 set->type->adt_policy))
1440 return -IPSET_ERR_PROTOCOL;
1441 ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, flags,
1442 use_lineno);
1443 } else {
1444 int nla_rem;
1445
1446 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1447 memset(tb, 0, sizeof(*tb));
1448 if (nla_type(nla) != IPSET_ATTR_DATA ||
1449 !flag_nested(nla) ||
1450 nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1451 set->type->adt_policy))
1452 return -IPSET_ERR_PROTOCOL;
1453 ret = call_ad(ctnl, skb, set, tb, IPSET_DEL,
1454 flags, use_lineno);
1455 if (ret < 0)
1456 return ret;
1457 }
1458 }
1459 return ret;
1460}
1461
1462static int
1463ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
1464 const struct nlmsghdr *nlh,
1465 const struct nlattr * const attr[])
1466{
1467 struct ip_set *set;
1468 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1469 int ret = 0;
1470
1471 if (unlikely(protocol_failed(attr) ||
1472 attr[IPSET_ATTR_SETNAME] == NULL ||
1473 attr[IPSET_ATTR_DATA] == NULL ||
1474 !flag_nested(attr[IPSET_ATTR_DATA])))
1475 return -IPSET_ERR_PROTOCOL;
1476
1477 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1478 if (set == NULL)
1479 return -ENOENT;
1480
1481 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA],
1482 set->type->adt_policy))
1483 return -IPSET_ERR_PROTOCOL;
1484
1485 read_lock_bh(&set->lock);
1486 ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
1487 read_unlock_bh(&set->lock);
1488
1489 if (ret == -EAGAIN)
1490 ret = 1;
1491
1492 return (ret < 0 && ret != -ENOTEMPTY) ? ret :
1493 ret > 0 ? 0 : -IPSET_ERR_EXIST;
1494}
1495
1496
1497
1498static int
1499ip_set_header(struct sock *ctnl, struct sk_buff *skb,
1500 const struct nlmsghdr *nlh,
1501 const struct nlattr * const attr[])
1502{
1503 const struct ip_set *set;
1504 struct sk_buff *skb2;
1505 struct nlmsghdr *nlh2;
1506 int ret = 0;
1507
1508 if (unlikely(protocol_failed(attr) ||
1509 attr[IPSET_ATTR_SETNAME] == NULL))
1510 return -IPSET_ERR_PROTOCOL;
1511
1512 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1513 if (set == NULL)
1514 return -ENOENT;
1515
1516 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1517 if (skb2 == NULL)
1518 return -ENOMEM;
1519
1520 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1521 IPSET_CMD_HEADER);
1522 if (!nlh2)
1523 goto nlmsg_failure;
1524 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1525 nla_put_string(skb2, IPSET_ATTR_SETNAME, set->name) ||
1526 nla_put_string(skb2, IPSET_ATTR_TYPENAME, set->type->name) ||
1527 nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) ||
1528 nla_put_u8(skb2, IPSET_ATTR_REVISION, set->revision))
1529 goto nla_put_failure;
1530 nlmsg_end(skb2, nlh2);
1531
1532 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1533 if (ret < 0)
1534 return ret;
1535
1536 return 0;
1537
1538nla_put_failure:
1539 nlmsg_cancel(skb2, nlh2);
1540nlmsg_failure:
1541 kfree_skb(skb2);
1542 return -EMSGSIZE;
1543}
1544
1545
1546
1547static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = {
1548 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1549 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
1550 .len = IPSET_MAXNAMELEN - 1 },
1551 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
1552};
1553
1554static int
1555ip_set_type(struct sock *ctnl, struct sk_buff *skb,
1556 const struct nlmsghdr *nlh,
1557 const struct nlattr * const attr[])
1558{
1559 struct sk_buff *skb2;
1560 struct nlmsghdr *nlh2;
1561 u8 family, min, max;
1562 const char *typename;
1563 int ret = 0;
1564
1565 if (unlikely(protocol_failed(attr) ||
1566 attr[IPSET_ATTR_TYPENAME] == NULL ||
1567 attr[IPSET_ATTR_FAMILY] == NULL))
1568 return -IPSET_ERR_PROTOCOL;
1569
1570 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
1571 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
1572 ret = find_set_type_minmax(typename, family, &min, &max);
1573 if (ret)
1574 return ret;
1575
1576 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1577 if (skb2 == NULL)
1578 return -ENOMEM;
1579
1580 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1581 IPSET_CMD_TYPE);
1582 if (!nlh2)
1583 goto nlmsg_failure;
1584 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1585 nla_put_string(skb2, IPSET_ATTR_TYPENAME, typename) ||
1586 nla_put_u8(skb2, IPSET_ATTR_FAMILY, family) ||
1587 nla_put_u8(skb2, IPSET_ATTR_REVISION, max) ||
1588 nla_put_u8(skb2, IPSET_ATTR_REVISION_MIN, min))
1589 goto nla_put_failure;
1590 nlmsg_end(skb2, nlh2);
1591
1592 pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len);
1593 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1594 if (ret < 0)
1595 return ret;
1596
1597 return 0;
1598
1599nla_put_failure:
1600 nlmsg_cancel(skb2, nlh2);
1601nlmsg_failure:
1602 kfree_skb(skb2);
1603 return -EMSGSIZE;
1604}
1605
1606
1607
1608static const struct nla_policy
1609ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = {
1610 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1611};
1612
1613static int
1614ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
1615 const struct nlmsghdr *nlh,
1616 const struct nlattr * const attr[])
1617{
1618 struct sk_buff *skb2;
1619 struct nlmsghdr *nlh2;
1620 int ret = 0;
1621
1622 if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL))
1623 return -IPSET_ERR_PROTOCOL;
1624
1625 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1626 if (skb2 == NULL)
1627 return -ENOMEM;
1628
1629 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1630 IPSET_CMD_PROTOCOL);
1631 if (!nlh2)
1632 goto nlmsg_failure;
1633 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL))
1634 goto nla_put_failure;
1635 nlmsg_end(skb2, nlh2);
1636
1637 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1638 if (ret < 0)
1639 return ret;
1640
1641 return 0;
1642
1643nla_put_failure:
1644 nlmsg_cancel(skb2, nlh2);
1645nlmsg_failure:
1646 kfree_skb(skb2);
1647 return -EMSGSIZE;
1648}
1649
1650static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
1651 [IPSET_CMD_NONE] = {
1652 .call = ip_set_none,
1653 .attr_count = IPSET_ATTR_CMD_MAX,
1654 },
1655 [IPSET_CMD_CREATE] = {
1656 .call = ip_set_create,
1657 .attr_count = IPSET_ATTR_CMD_MAX,
1658 .policy = ip_set_create_policy,
1659 },
1660 [IPSET_CMD_DESTROY] = {
1661 .call = ip_set_destroy,
1662 .attr_count = IPSET_ATTR_CMD_MAX,
1663 .policy = ip_set_setname_policy,
1664 },
1665 [IPSET_CMD_FLUSH] = {
1666 .call = ip_set_flush,
1667 .attr_count = IPSET_ATTR_CMD_MAX,
1668 .policy = ip_set_setname_policy,
1669 },
1670 [IPSET_CMD_RENAME] = {
1671 .call = ip_set_rename,
1672 .attr_count = IPSET_ATTR_CMD_MAX,
1673 .policy = ip_set_setname2_policy,
1674 },
1675 [IPSET_CMD_SWAP] = {
1676 .call = ip_set_swap,
1677 .attr_count = IPSET_ATTR_CMD_MAX,
1678 .policy = ip_set_setname2_policy,
1679 },
1680 [IPSET_CMD_LIST] = {
1681 .call = ip_set_dump,
1682 .attr_count = IPSET_ATTR_CMD_MAX,
1683 .policy = ip_set_setname_policy,
1684 },
1685 [IPSET_CMD_SAVE] = {
1686 .call = ip_set_dump,
1687 .attr_count = IPSET_ATTR_CMD_MAX,
1688 .policy = ip_set_setname_policy,
1689 },
1690 [IPSET_CMD_ADD] = {
1691 .call = ip_set_uadd,
1692 .attr_count = IPSET_ATTR_CMD_MAX,
1693 .policy = ip_set_adt_policy,
1694 },
1695 [IPSET_CMD_DEL] = {
1696 .call = ip_set_udel,
1697 .attr_count = IPSET_ATTR_CMD_MAX,
1698 .policy = ip_set_adt_policy,
1699 },
1700 [IPSET_CMD_TEST] = {
1701 .call = ip_set_utest,
1702 .attr_count = IPSET_ATTR_CMD_MAX,
1703 .policy = ip_set_adt_policy,
1704 },
1705 [IPSET_CMD_HEADER] = {
1706 .call = ip_set_header,
1707 .attr_count = IPSET_ATTR_CMD_MAX,
1708 .policy = ip_set_setname_policy,
1709 },
1710 [IPSET_CMD_TYPE] = {
1711 .call = ip_set_type,
1712 .attr_count = IPSET_ATTR_CMD_MAX,
1713 .policy = ip_set_type_policy,
1714 },
1715 [IPSET_CMD_PROTOCOL] = {
1716 .call = ip_set_protocol,
1717 .attr_count = IPSET_ATTR_CMD_MAX,
1718 .policy = ip_set_protocol_policy,
1719 },
1720};
1721
1722static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = {
1723 .name = "ip_set",
1724 .subsys_id = NFNL_SUBSYS_IPSET,
1725 .cb_count = IPSET_MSG_MAX,
1726 .cb = ip_set_netlink_subsys_cb,
1727};
1728
1729
1730
1731static int
1732ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
1733{
1734 unsigned int *op;
1735 void *data;
1736 int copylen = *len, ret = 0;
1737
1738 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
1739 return -EPERM;
1740 if (optval != SO_IP_SET)
1741 return -EBADF;
1742 if (*len < sizeof(unsigned int))
1743 return -EINVAL;
1744
1745 data = vmalloc(*len);
1746 if (!data)
1747 return -ENOMEM;
1748 if (copy_from_user(data, user, *len) != 0) {
1749 ret = -EFAULT;
1750 goto done;
1751 }
1752 op = (unsigned int *) data;
1753
1754 if (*op < IP_SET_OP_VERSION) {
1755
1756 struct ip_set_req_version *req_version = data;
1757 if (req_version->version != IPSET_PROTOCOL) {
1758 ret = -EPROTO;
1759 goto done;
1760 }
1761 }
1762
1763 switch (*op) {
1764 case IP_SET_OP_VERSION: {
1765 struct ip_set_req_version *req_version = data;
1766
1767 if (*len != sizeof(struct ip_set_req_version)) {
1768 ret = -EINVAL;
1769 goto done;
1770 }
1771
1772 req_version->version = IPSET_PROTOCOL;
1773 ret = copy_to_user(user, req_version,
1774 sizeof(struct ip_set_req_version));
1775 goto done;
1776 }
1777 case IP_SET_OP_GET_BYNAME: {
1778 struct ip_set_req_get_set *req_get = data;
1779 ip_set_id_t id;
1780
1781 if (*len != sizeof(struct ip_set_req_get_set)) {
1782 ret = -EINVAL;
1783 goto done;
1784 }
1785 req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
1786 nfnl_lock(NFNL_SUBSYS_IPSET);
1787 find_set_and_id(req_get->set.name, &id);
1788 req_get->set.index = id;
1789 nfnl_unlock(NFNL_SUBSYS_IPSET);
1790 goto copy;
1791 }
1792 case IP_SET_OP_GET_BYINDEX: {
1793 struct ip_set_req_get_set *req_get = data;
1794 struct ip_set *set;
1795
1796 if (*len != sizeof(struct ip_set_req_get_set) ||
1797 req_get->set.index >= ip_set_max) {
1798 ret = -EINVAL;
1799 goto done;
1800 }
1801 nfnl_lock(NFNL_SUBSYS_IPSET);
1802 set = nfnl_set(req_get->set.index);
1803 strncpy(req_get->set.name, set ? set->name : "",
1804 IPSET_MAXNAMELEN);
1805 nfnl_unlock(NFNL_SUBSYS_IPSET);
1806 goto copy;
1807 }
1808 default:
1809 ret = -EBADMSG;
1810 goto done;
1811 }
1812
1813copy:
1814 ret = copy_to_user(user, data, copylen);
1815
1816done:
1817 vfree(data);
1818 if (ret > 0)
1819 ret = 0;
1820 return ret;
1821}
1822
1823static struct nf_sockopt_ops so_set __read_mostly = {
1824 .pf = PF_INET,
1825 .get_optmin = SO_IP_SET,
1826 .get_optmax = SO_IP_SET + 1,
1827 .get = &ip_set_sockfn_get,
1828 .owner = THIS_MODULE,
1829};
1830
1831static int __init
1832ip_set_init(void)
1833{
1834 struct ip_set **list;
1835 int ret;
1836
1837 if (max_sets)
1838 ip_set_max = max_sets;
1839 if (ip_set_max >= IPSET_INVALID_ID)
1840 ip_set_max = IPSET_INVALID_ID - 1;
1841
1842 list = kzalloc(sizeof(struct ip_set *) * ip_set_max, GFP_KERNEL);
1843 if (!list)
1844 return -ENOMEM;
1845
1846 rcu_assign_pointer(ip_set_list, list);
1847 ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
1848 if (ret != 0) {
1849 pr_err("ip_set: cannot register with nfnetlink.\n");
1850 kfree(list);
1851 return ret;
1852 }
1853 ret = nf_register_sockopt(&so_set);
1854 if (ret != 0) {
1855 pr_err("SO_SET registry failed: %d\n", ret);
1856 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1857 kfree(list);
1858 return ret;
1859 }
1860
1861 pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL);
1862 return 0;
1863}
1864
1865static void __exit
1866ip_set_fini(void)
1867{
1868 struct ip_set **list = rcu_dereference_protected(ip_set_list, 1);
1869
1870
1871 nf_unregister_sockopt(&so_set);
1872 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1873 kfree(list);
1874 pr_debug("these are the famous last words\n");
1875}
1876
1877module_init(ip_set_init);
1878module_exit(ip_set_fini);
1879
