1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
3 * Patrick Schaaf <bof@bof.de>
4 * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org>
7 /* Kernel module for IP set management */
9 #include <linux/init.h>
10 #include <linux/module.h>
11 #include <linux/moduleparam.h>
13 #include <linux/skbuff.h>
14 #include <linux/spinlock.h>
15 #include <linux/rculist.h>
16 #include <net/netlink.h>
17 #include <net/net_namespace.h>
18 #include <net/netns/generic.h>
20 #include <linux/netfilter.h>
21 #include <linux/netfilter/x_tables.h>
22 #include <linux/netfilter/nfnetlink.h>
23 #include <linux/netfilter/ipset/ip_set.h>
25 static LIST_HEAD(ip_set_type_list); /* all registered set types */
26 static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */
27 static DEFINE_RWLOCK(ip_set_ref_lock); /* protects the set refs */
30 struct ip_set * __rcu *ip_set_list; /* all individual sets */
31 ip_set_id_t ip_set_max; /* max number of sets */
32 bool is_deleted; /* deleted by ip_set_net_exit */
33 bool is_destroyed; /* all sets are destroyed */
36 static unsigned int ip_set_net_id __read_mostly;
38 static inline struct ip_set_net *ip_set_pernet(struct net *net)
40 return net_generic(net, ip_set_net_id);
44 #define STRNCMP(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
46 static unsigned int max_sets;
48 module_param(max_sets, int, 0600);
49 MODULE_PARM_DESC(max_sets, "maximal number of sets");
50 MODULE_LICENSE("GPL");
51 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@netfilter.org>");
52 MODULE_DESCRIPTION("core IP set support");
53 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
55 /* When the nfnl mutex or ip_set_ref_lock is held: */
56 #define ip_set_dereference(p) \
57 rcu_dereference_protected(p, \
58 lockdep_nfnl_is_held(NFNL_SUBSYS_IPSET) || \
59 lockdep_is_held(&ip_set_ref_lock))
60 #define ip_set(inst, id) \
61 ip_set_dereference((inst)->ip_set_list)[id]
62 #define ip_set_ref_netlink(inst,id) \
63 rcu_dereference_raw((inst)->ip_set_list)[id]
65 /* The set types are implemented in modules and registered set types
66 * can be found in ip_set_type_list. Adding/deleting types is
67 * serialized by ip_set_type_mutex.
71 ip_set_type_lock(void)
73 mutex_lock(&ip_set_type_mutex);
77 ip_set_type_unlock(void)
79 mutex_unlock(&ip_set_type_mutex);
82 /* Register and deregister settype */
84 static struct ip_set_type *
85 find_set_type(const char *name, u8 family, u8 revision)
87 struct ip_set_type *type;
89 list_for_each_entry_rcu(type, &ip_set_type_list, list)
90 if (STRNCMP(type->name, name) &&
91 (type->family == family ||
92 type->family == NFPROTO_UNSPEC) &&
93 revision >= type->revision_min &&
94 revision <= type->revision_max)
99 /* Unlock, try to load a set type module and lock again */
101 load_settype(const char *name)
103 nfnl_unlock(NFNL_SUBSYS_IPSET);
104 pr_debug("try to load ip_set_%s\n", name);
105 if (request_module("ip_set_%s", name) < 0) {
106 pr_warn("Can't find ip_set type %s\n", name);
107 nfnl_lock(NFNL_SUBSYS_IPSET);
110 nfnl_lock(NFNL_SUBSYS_IPSET);
114 /* Find a set type and reference it */
115 #define find_set_type_get(name, family, revision, found) \
116 __find_set_type_get(name, family, revision, found, false)
119 __find_set_type_get(const char *name, u8 family, u8 revision,
120 struct ip_set_type **found, bool retry)
122 struct ip_set_type *type;
125 if (retry && !load_settype(name))
126 return -IPSET_ERR_FIND_TYPE;
129 *found = find_set_type(name, family, revision);
131 err = !try_module_get((*found)->me) ? -EFAULT : 0;
134 /* Make sure the type is already loaded
135 * but we don't support the revision
137 list_for_each_entry_rcu(type, &ip_set_type_list, list)
138 if (STRNCMP(type->name, name)) {
139 err = -IPSET_ERR_FIND_TYPE;
144 return retry ? -IPSET_ERR_FIND_TYPE :
145 __find_set_type_get(name, family, revision, found, true);
152 /* Find a given set type by name and family.
153 * If we succeeded, the supported minimal and maximum revisions are
156 #define find_set_type_minmax(name, family, min, max) \
157 __find_set_type_minmax(name, family, min, max, false)
160 __find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max,
163 struct ip_set_type *type;
166 if (retry && !load_settype(name))
167 return -IPSET_ERR_FIND_TYPE;
169 *min = 255; *max = 0;
171 list_for_each_entry_rcu(type, &ip_set_type_list, list)
172 if (STRNCMP(type->name, name) &&
173 (type->family == family ||
174 type->family == NFPROTO_UNSPEC)) {
176 if (type->revision_min < *min)
177 *min = type->revision_min;
178 if (type->revision_max > *max)
179 *max = type->revision_max;
185 return retry ? -IPSET_ERR_FIND_TYPE :
186 __find_set_type_minmax(name, family, min, max, true);
189 #define family_name(f) ((f) == NFPROTO_IPV4 ? "inet" : \
190 (f) == NFPROTO_IPV6 ? "inet6" : "any")
192 /* Register a set type structure. The type is identified by
193 * the unique triple of name, family and revision.
196 ip_set_type_register(struct ip_set_type *type)
200 if (type->protocol != IPSET_PROTOCOL) {
201 pr_warn("ip_set type %s, family %s, revision %u:%u uses wrong protocol version %u (want %u)\n",
202 type->name, family_name(type->family),
203 type->revision_min, type->revision_max,
204 type->protocol, IPSET_PROTOCOL);
209 if (find_set_type(type->name, type->family, type->revision_min)) {
211 pr_warn("ip_set type %s, family %s with revision min %u already registered!\n",
212 type->name, family_name(type->family),
214 ip_set_type_unlock();
217 list_add_rcu(&type->list, &ip_set_type_list);
218 pr_debug("type %s, family %s, revision %u:%u registered.\n",
219 type->name, family_name(type->family),
220 type->revision_min, type->revision_max);
221 ip_set_type_unlock();
225 EXPORT_SYMBOL_GPL(ip_set_type_register);
227 /* Unregister a set type. There's a small race with ip_set_create */
229 ip_set_type_unregister(struct ip_set_type *type)
232 if (!find_set_type(type->name, type->family, type->revision_min)) {
233 pr_warn("ip_set type %s, family %s with revision min %u not registered\n",
234 type->name, family_name(type->family),
236 ip_set_type_unlock();
239 list_del_rcu(&type->list);
240 pr_debug("type %s, family %s with revision min %u unregistered.\n",
241 type->name, family_name(type->family), type->revision_min);
242 ip_set_type_unlock();
246 EXPORT_SYMBOL_GPL(ip_set_type_unregister);
248 /* Utility functions */
250 ip_set_alloc(size_t size)
252 void *members = NULL;
254 if (size < KMALLOC_MAX_SIZE)
255 members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
258 pr_debug("%p: allocated with kmalloc\n", members);
262 members = vzalloc(size);
265 pr_debug("%p: allocated with vmalloc\n", members);
269 EXPORT_SYMBOL_GPL(ip_set_alloc);
272 ip_set_free(void *members)
274 pr_debug("%p: free with %s\n", members,
275 is_vmalloc_addr(members) ? "vfree" : "kfree");
278 EXPORT_SYMBOL_GPL(ip_set_free);
281 flag_nested(const struct nlattr *nla)
283 return nla->nla_type & NLA_F_NESTED;
286 static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
287 [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 },
288 [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY,
289 .len = sizeof(struct in6_addr) },
293 ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr)
295 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX + 1];
297 if (unlikely(!flag_nested(nla)))
298 return -IPSET_ERR_PROTOCOL;
299 if (nla_parse_nested_deprecated(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy, NULL))
300 return -IPSET_ERR_PROTOCOL;
301 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4)))
302 return -IPSET_ERR_PROTOCOL;
304 *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]);
307 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4);
310 ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
312 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX + 1];
314 if (unlikely(!flag_nested(nla)))
315 return -IPSET_ERR_PROTOCOL;
317 if (nla_parse_nested_deprecated(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy, NULL))
318 return -IPSET_ERR_PROTOCOL;
319 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6)))
320 return -IPSET_ERR_PROTOCOL;
322 memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]),
323 sizeof(struct in6_addr));
326 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
328 typedef void (*destroyer)(struct ip_set *, void *);
329 /* ipset data extension types, in size order */
331 const struct ip_set_ext_type ip_set_extensions[] = {
332 [IPSET_EXT_ID_COUNTER] = {
333 .type = IPSET_EXT_COUNTER,
334 .flag = IPSET_FLAG_WITH_COUNTERS,
335 .len = sizeof(struct ip_set_counter),
336 .align = __alignof__(struct ip_set_counter),
338 [IPSET_EXT_ID_TIMEOUT] = {
339 .type = IPSET_EXT_TIMEOUT,
340 .len = sizeof(unsigned long),
341 .align = __alignof__(unsigned long),
343 [IPSET_EXT_ID_SKBINFO] = {
344 .type = IPSET_EXT_SKBINFO,
345 .flag = IPSET_FLAG_WITH_SKBINFO,
346 .len = sizeof(struct ip_set_skbinfo),
347 .align = __alignof__(struct ip_set_skbinfo),
349 [IPSET_EXT_ID_COMMENT] = {
350 .type = IPSET_EXT_COMMENT | IPSET_EXT_DESTROY,
351 .flag = IPSET_FLAG_WITH_COMMENT,
352 .len = sizeof(struct ip_set_comment),
353 .align = __alignof__(struct ip_set_comment),
354 .destroy = (destroyer) ip_set_comment_free,
357 EXPORT_SYMBOL_GPL(ip_set_extensions);
360 add_extension(enum ip_set_ext_id id, u32 flags, struct nlattr *tb[])
362 return ip_set_extensions[id].flag ?
363 (flags & ip_set_extensions[id].flag) :
364 !!tb[IPSET_ATTR_TIMEOUT];
368 ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len,
371 enum ip_set_ext_id id;
374 if (tb[IPSET_ATTR_CADT_FLAGS])
375 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
376 if (cadt_flags & IPSET_FLAG_WITH_FORCEADD)
377 set->flags |= IPSET_CREATE_FLAG_FORCEADD;
380 for (id = 0; id < IPSET_EXT_ID_MAX; id++) {
381 if (!add_extension(id, cadt_flags, tb))
383 len = ALIGN(len, ip_set_extensions[id].align);
384 set->offset[id] = len;
385 set->extensions |= ip_set_extensions[id].type;
386 len += ip_set_extensions[id].len;
388 return ALIGN(len, align);
390 EXPORT_SYMBOL_GPL(ip_set_elem_len);
393 ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],
394 struct ip_set_ext *ext)
398 if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
399 !ip_set_optattr_netorder(tb, IPSET_ATTR_PACKETS) ||
400 !ip_set_optattr_netorder(tb, IPSET_ATTR_BYTES) ||
401 !ip_set_optattr_netorder(tb, IPSET_ATTR_SKBMARK) ||
402 !ip_set_optattr_netorder(tb, IPSET_ATTR_SKBPRIO) ||
403 !ip_set_optattr_netorder(tb, IPSET_ATTR_SKBQUEUE)))
404 return -IPSET_ERR_PROTOCOL;
406 if (tb[IPSET_ATTR_TIMEOUT]) {
407 if (!SET_WITH_TIMEOUT(set))
408 return -IPSET_ERR_TIMEOUT;
409 ext->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
411 if (tb[IPSET_ATTR_BYTES] || tb[IPSET_ATTR_PACKETS]) {
412 if (!SET_WITH_COUNTER(set))
413 return -IPSET_ERR_COUNTER;
414 if (tb[IPSET_ATTR_BYTES])
415 ext->bytes = be64_to_cpu(nla_get_be64(
416 tb[IPSET_ATTR_BYTES]));
417 if (tb[IPSET_ATTR_PACKETS])
418 ext->packets = be64_to_cpu(nla_get_be64(
419 tb[IPSET_ATTR_PACKETS]));
421 if (tb[IPSET_ATTR_COMMENT]) {
422 if (!SET_WITH_COMMENT(set))
423 return -IPSET_ERR_COMMENT;
424 ext->comment = ip_set_comment_uget(tb[IPSET_ATTR_COMMENT]);
426 if (tb[IPSET_ATTR_SKBMARK]) {
427 if (!SET_WITH_SKBINFO(set))
428 return -IPSET_ERR_SKBINFO;
429 fullmark = be64_to_cpu(nla_get_be64(tb[IPSET_ATTR_SKBMARK]));
430 ext->skbinfo.skbmark = fullmark >> 32;
431 ext->skbinfo.skbmarkmask = fullmark & 0xffffffff;
433 if (tb[IPSET_ATTR_SKBPRIO]) {
434 if (!SET_WITH_SKBINFO(set))
435 return -IPSET_ERR_SKBINFO;
436 ext->skbinfo.skbprio =
437 be32_to_cpu(nla_get_be32(tb[IPSET_ATTR_SKBPRIO]));
439 if (tb[IPSET_ATTR_SKBQUEUE]) {
440 if (!SET_WITH_SKBINFO(set))
441 return -IPSET_ERR_SKBINFO;
442 ext->skbinfo.skbqueue =
443 be16_to_cpu(nla_get_be16(tb[IPSET_ATTR_SKBQUEUE]));
447 EXPORT_SYMBOL_GPL(ip_set_get_extensions);
450 ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set,
451 const void *e, bool active)
453 if (SET_WITH_TIMEOUT(set)) {
454 unsigned long *timeout = ext_timeout(e, set);
456 if (nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
457 htonl(active ? ip_set_timeout_get(timeout)
461 if (SET_WITH_COUNTER(set) &&
462 ip_set_put_counter(skb, ext_counter(e, set)))
464 if (SET_WITH_COMMENT(set) &&
465 ip_set_put_comment(skb, ext_comment(e, set)))
467 if (SET_WITH_SKBINFO(set) &&
468 ip_set_put_skbinfo(skb, ext_skbinfo(e, set)))
472 EXPORT_SYMBOL_GPL(ip_set_put_extensions);
475 ip_set_match_extensions(struct ip_set *set, const struct ip_set_ext *ext,
476 struct ip_set_ext *mext, u32 flags, void *data)
478 if (SET_WITH_TIMEOUT(set) &&
479 ip_set_timeout_expired(ext_timeout(data, set)))
481 if (SET_WITH_COUNTER(set)) {
482 struct ip_set_counter *counter = ext_counter(data, set);
484 if (flags & IPSET_FLAG_MATCH_COUNTERS &&
485 !(ip_set_match_counter(ip_set_get_packets(counter),
486 mext->packets, mext->packets_op) &&
487 ip_set_match_counter(ip_set_get_bytes(counter),
488 mext->bytes, mext->bytes_op)))
490 ip_set_update_counter(counter, ext, flags);
492 if (SET_WITH_SKBINFO(set))
493 ip_set_get_skbinfo(ext_skbinfo(data, set),
497 EXPORT_SYMBOL_GPL(ip_set_match_extensions);
499 /* Creating/destroying/renaming/swapping affect the existence and
500 * the properties of a set. All of these can be executed from userspace
501 * only and serialized by the nfnl mutex indirectly from nfnetlink.
503 * Sets are identified by their index in ip_set_list and the index
504 * is used by the external references (set/SET netfilter modules).
506 * The set behind an index may change by swapping only, from userspace.
510 __ip_set_get(struct ip_set *set)
512 write_lock_bh(&ip_set_ref_lock);
514 write_unlock_bh(&ip_set_ref_lock);
518 __ip_set_put(struct ip_set *set)
520 write_lock_bh(&ip_set_ref_lock);
521 BUG_ON(set->ref == 0);
523 write_unlock_bh(&ip_set_ref_lock);
526 /* set->ref can be swapped out by ip_set_swap, netlink events (like dump) need
527 * a separate reference counter
530 __ip_set_put_netlink(struct ip_set *set)
532 write_lock_bh(&ip_set_ref_lock);
533 BUG_ON(set->ref_netlink == 0);
535 write_unlock_bh(&ip_set_ref_lock);
538 /* Add, del and test set entries from kernel.
540 * The set behind the index must exist and must be referenced
541 * so it can't be destroyed (or changed) under our foot.
544 static inline struct ip_set *
545 ip_set_rcu_get(struct net *net, ip_set_id_t index)
548 struct ip_set_net *inst = ip_set_pernet(net);
551 /* ip_set_list itself needs to be protected */
552 set = rcu_dereference(inst->ip_set_list)[index];
559 ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
560 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
562 struct ip_set *set = ip_set_rcu_get(xt_net(par), index);
566 pr_debug("set %s, index %u\n", set->name, index);
568 if (opt->dim < set->type->dimension ||
569 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
573 ret = set->variant->kadt(set, skb, par, IPSET_TEST, opt);
574 rcu_read_unlock_bh();
576 if (ret == -EAGAIN) {
577 /* Type requests element to be completed */
578 pr_debug("element must be completed, ADD is triggered\n");
579 spin_lock_bh(&set->lock);
580 set->variant->kadt(set, skb, par, IPSET_ADD, opt);
581 spin_unlock_bh(&set->lock);
584 /* --return-nomatch: invert matched element */
585 if ((opt->cmdflags & IPSET_FLAG_RETURN_NOMATCH) &&
586 (set->type->features & IPSET_TYPE_NOMATCH) &&
587 (ret > 0 || ret == -ENOTEMPTY))
591 /* Convert error codes to nomatch */
592 return (ret < 0 ? 0 : ret);
594 EXPORT_SYMBOL_GPL(ip_set_test);
597 ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
598 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
600 struct ip_set *set = ip_set_rcu_get(xt_net(par), index);
604 pr_debug("set %s, index %u\n", set->name, index);
606 if (opt->dim < set->type->dimension ||
607 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
608 return -IPSET_ERR_TYPE_MISMATCH;
610 spin_lock_bh(&set->lock);
611 ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt);
612 spin_unlock_bh(&set->lock);
616 EXPORT_SYMBOL_GPL(ip_set_add);
619 ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
620 const struct xt_action_param *par, struct ip_set_adt_opt *opt)
622 struct ip_set *set = ip_set_rcu_get(xt_net(par), index);
626 pr_debug("set %s, index %u\n", set->name, index);
628 if (opt->dim < set->type->dimension ||
629 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
630 return -IPSET_ERR_TYPE_MISMATCH;
632 spin_lock_bh(&set->lock);
633 ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt);
634 spin_unlock_bh(&set->lock);
638 EXPORT_SYMBOL_GPL(ip_set_del);
640 /* Find set by name, reference it once. The reference makes sure the
641 * thing pointed to, does not go away under our feet.
645 ip_set_get_byname(struct net *net, const char *name, struct ip_set **set)
647 ip_set_id_t i, index = IPSET_INVALID_ID;
649 struct ip_set_net *inst = ip_set_pernet(net);
652 for (i = 0; i < inst->ip_set_max; i++) {
653 s = rcu_dereference(inst->ip_set_list)[i];
654 if (s && STRNCMP(s->name, name)) {
665 EXPORT_SYMBOL_GPL(ip_set_get_byname);
667 /* If the given set pointer points to a valid set, decrement
668 * reference count by 1. The caller shall not assume the index
669 * to be valid, after calling this function.
674 __ip_set_put_byindex(struct ip_set_net *inst, ip_set_id_t index)
679 set = rcu_dereference(inst->ip_set_list)[index];
686 ip_set_put_byindex(struct net *net, ip_set_id_t index)
688 struct ip_set_net *inst = ip_set_pernet(net);
690 __ip_set_put_byindex(inst, index);
692 EXPORT_SYMBOL_GPL(ip_set_put_byindex);
694 /* Get the name of a set behind a set index.
695 * Set itself is protected by RCU, but its name isn't: to protect against
696 * renaming, grab ip_set_ref_lock as reader (see ip_set_rename()) and copy the
700 ip_set_name_byindex(struct net *net, ip_set_id_t index, char *name)
702 struct ip_set *set = ip_set_rcu_get(net, index);
706 read_lock_bh(&ip_set_ref_lock);
707 strncpy(name, set->name, IPSET_MAXNAMELEN);
708 read_unlock_bh(&ip_set_ref_lock);
710 EXPORT_SYMBOL_GPL(ip_set_name_byindex);
712 /* Routines to call by external subsystems, which do not
713 * call nfnl_lock for us.
716 /* Find set by index, reference it once. The reference makes sure the
717 * thing pointed to, does not go away under our feet.
719 * The nfnl mutex is used in the function.
722 ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index)
725 struct ip_set_net *inst = ip_set_pernet(net);
727 if (index >= inst->ip_set_max)
728 return IPSET_INVALID_ID;
730 nfnl_lock(NFNL_SUBSYS_IPSET);
731 set = ip_set(inst, index);
735 index = IPSET_INVALID_ID;
736 nfnl_unlock(NFNL_SUBSYS_IPSET);
740 EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex);
742 /* If the given set pointer points to a valid set, decrement
743 * reference count by 1. The caller shall not assume the index
744 * to be valid, after calling this function.
746 * The nfnl mutex is used in the function.
749 ip_set_nfnl_put(struct net *net, ip_set_id_t index)
752 struct ip_set_net *inst = ip_set_pernet(net);
754 nfnl_lock(NFNL_SUBSYS_IPSET);
755 if (!inst->is_deleted) { /* already deleted from ip_set_net_exit() */
756 set = ip_set(inst, index);
760 nfnl_unlock(NFNL_SUBSYS_IPSET);
762 EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
764 /* Communication protocol with userspace over netlink.
766 * The commands are serialized by the nfnl mutex.
769 static inline u8 protocol(const struct nlattr * const tb[])
771 return nla_get_u8(tb[IPSET_ATTR_PROTOCOL]);
775 protocol_failed(const struct nlattr * const tb[])
777 return !tb[IPSET_ATTR_PROTOCOL] || protocol(tb) != IPSET_PROTOCOL;
781 protocol_min_failed(const struct nlattr * const tb[])
783 return !tb[IPSET_ATTR_PROTOCOL] || protocol(tb) < IPSET_PROTOCOL_MIN;
787 flag_exist(const struct nlmsghdr *nlh)
789 return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST;
792 static struct nlmsghdr *
793 start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags,
796 struct nlmsghdr *nlh;
797 struct nfgenmsg *nfmsg;
799 nlh = nlmsg_put(skb, portid, seq, nfnl_msg_type(NFNL_SUBSYS_IPSET, cmd),
800 sizeof(*nfmsg), flags);
804 nfmsg = nlmsg_data(nlh);
805 nfmsg->nfgen_family = NFPROTO_IPV4;
806 nfmsg->version = NFNETLINK_V0;
814 static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = {
815 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
816 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
817 .len = IPSET_MAXNAMELEN - 1 },
818 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
819 .len = IPSET_MAXNAMELEN - 1},
820 [IPSET_ATTR_REVISION] = { .type = NLA_U8 },
821 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
822 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
825 static struct ip_set *
826 find_set_and_id(struct ip_set_net *inst, const char *name, ip_set_id_t *id)
828 struct ip_set *set = NULL;
831 *id = IPSET_INVALID_ID;
832 for (i = 0; i < inst->ip_set_max; i++) {
833 set = ip_set(inst, i);
834 if (set && STRNCMP(set->name, name)) {
839 return (*id == IPSET_INVALID_ID ? NULL : set);
842 static inline struct ip_set *
843 find_set(struct ip_set_net *inst, const char *name)
847 return find_set_and_id(inst, name, &id);
851 find_free_id(struct ip_set_net *inst, const char *name, ip_set_id_t *index,
857 *index = IPSET_INVALID_ID;
858 for (i = 0; i < inst->ip_set_max; i++) {
861 if (*index == IPSET_INVALID_ID)
863 } else if (STRNCMP(name, s->name)) {
869 if (*index == IPSET_INVALID_ID)
870 /* No free slot remained */
871 return -IPSET_ERR_MAX_SETS;
875 static int ip_set_none(struct net *net, struct sock *ctnl, struct sk_buff *skb,
876 const struct nlmsghdr *nlh,
877 const struct nlattr * const attr[],
878 struct netlink_ext_ack *extack)
883 static int ip_set_create(struct net *net, struct sock *ctnl,
884 struct sk_buff *skb, const struct nlmsghdr *nlh,
885 const struct nlattr * const attr[],
886 struct netlink_ext_ack *extack)
888 struct ip_set_net *inst = ip_set_pernet(net);
889 struct ip_set *set, *clash = NULL;
890 ip_set_id_t index = IPSET_INVALID_ID;
891 struct nlattr *tb[IPSET_ATTR_CREATE_MAX + 1] = {};
892 const char *name, *typename;
894 u32 flags = flag_exist(nlh);
897 if (unlikely(protocol_min_failed(attr) ||
898 !attr[IPSET_ATTR_SETNAME] ||
899 !attr[IPSET_ATTR_TYPENAME] ||
900 !attr[IPSET_ATTR_REVISION] ||
901 !attr[IPSET_ATTR_FAMILY] ||
902 (attr[IPSET_ATTR_DATA] &&
903 !flag_nested(attr[IPSET_ATTR_DATA]))))
904 return -IPSET_ERR_PROTOCOL;
906 name = nla_data(attr[IPSET_ATTR_SETNAME]);
907 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
908 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
909 revision = nla_get_u8(attr[IPSET_ATTR_REVISION]);
910 pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
911 name, typename, family_name(family), revision);
913 /* First, and without any locks, allocate and initialize
914 * a normal base set structure.
916 set = kzalloc(sizeof(*set), GFP_KERNEL);
919 spin_lock_init(&set->lock);
920 strlcpy(set->name, name, IPSET_MAXNAMELEN);
921 set->family = family;
922 set->revision = revision;
924 /* Next, check that we know the type, and take
925 * a reference on the type, to make sure it stays available
926 * while constructing our new set.
928 * After referencing the type, we try to create the type
929 * specific part of the set without holding any locks.
931 ret = find_set_type_get(typename, family, revision, &set->type);
935 /* Without holding any locks, create private part. */
936 if (attr[IPSET_ATTR_DATA] &&
937 nla_parse_nested_deprecated(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA], set->type->create_policy, NULL)) {
938 ret = -IPSET_ERR_PROTOCOL;
942 ret = set->type->create(net, set, tb, flags);
946 /* BTW, ret==0 here. */
948 /* Here, we have a valid, constructed set and we are protected
949 * by the nfnl mutex. Find the first free index in ip_set_list
950 * and check clashing.
952 ret = find_free_id(inst, set->name, &index, &clash);
953 if (ret == -EEXIST) {
954 /* If this is the same set and requested, ignore error */
955 if ((flags & IPSET_FLAG_EXIST) &&
956 STRNCMP(set->type->name, clash->type->name) &&
957 set->type->family == clash->type->family &&
958 set->type->revision_min == clash->type->revision_min &&
959 set->type->revision_max == clash->type->revision_max &&
960 set->variant->same_set(set, clash))
963 } else if (ret == -IPSET_ERR_MAX_SETS) {
964 struct ip_set **list, **tmp;
965 ip_set_id_t i = inst->ip_set_max + IP_SET_INC;
967 if (i < inst->ip_set_max || i == IPSET_INVALID_ID)
971 list = kvcalloc(i, sizeof(struct ip_set *), GFP_KERNEL);
974 /* nfnl mutex is held, both lists are valid */
975 tmp = ip_set_dereference(inst->ip_set_list);
976 memcpy(list, tmp, sizeof(struct ip_set *) * inst->ip_set_max);
977 rcu_assign_pointer(inst->ip_set_list, list);
978 /* Make sure all current packets have passed through */
981 index = inst->ip_set_max;
982 inst->ip_set_max = i;
989 /* Finally! Add our shiny new set to the list, and be done. */
990 pr_debug("create: '%s' created with index %u!\n", set->name, index);
991 ip_set(inst, index) = set;
996 set->variant->destroy(set);
998 module_put(set->type->me);
1006 static const struct nla_policy
1007 ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
1008 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1009 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1010 .len = IPSET_MAXNAMELEN - 1 },
1014 ip_set_destroy_set(struct ip_set *set)
1016 pr_debug("set: %s\n", set->name);
1018 /* Must call it without holding any lock */
1019 set->variant->destroy(set);
1020 module_put(set->type->me);
1024 static int ip_set_destroy(struct net *net, struct sock *ctnl,
1025 struct sk_buff *skb, const struct nlmsghdr *nlh,
1026 const struct nlattr * const attr[],
1027 struct netlink_ext_ack *extack)
1029 struct ip_set_net *inst = ip_set_pernet(net);
1034 if (unlikely(protocol_min_failed(attr)))
1035 return -IPSET_ERR_PROTOCOL;
1037 /* Must wait for flush to be really finished in list:set */
1040 /* Commands are serialized and references are
1041 * protected by the ip_set_ref_lock.
1042 * External systems (i.e. xt_set) must call
1043 * ip_set_put|get_nfnl_* functions, that way we
1044 * can safely check references here.
1046 * list:set timer can only decrement the reference
1047 * counter, so if it's already zero, we can proceed
1048 * without holding the lock.
1050 read_lock_bh(&ip_set_ref_lock);
1051 if (!attr[IPSET_ATTR_SETNAME]) {
1052 for (i = 0; i < inst->ip_set_max; i++) {
1053 s = ip_set(inst, i);
1054 if (s && (s->ref || s->ref_netlink)) {
1055 ret = -IPSET_ERR_BUSY;
1059 inst->is_destroyed = true;
1060 read_unlock_bh(&ip_set_ref_lock);
1061 for (i = 0; i < inst->ip_set_max; i++) {
1062 s = ip_set(inst, i);
1064 ip_set(inst, i) = NULL;
1065 ip_set_destroy_set(s);
1068 /* Modified by ip_set_destroy() only, which is serialized */
1069 inst->is_destroyed = false;
1071 s = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]),
1076 } else if (s->ref || s->ref_netlink) {
1077 ret = -IPSET_ERR_BUSY;
1080 ip_set(inst, i) = NULL;
1081 read_unlock_bh(&ip_set_ref_lock);
1083 ip_set_destroy_set(s);
1087 read_unlock_bh(&ip_set_ref_lock);
1094 ip_set_flush_set(struct ip_set *set)
1096 pr_debug("set: %s\n", set->name);
1098 spin_lock_bh(&set->lock);
1099 set->variant->flush(set);
1100 spin_unlock_bh(&set->lock);
1103 static int ip_set_flush(struct net *net, struct sock *ctnl, struct sk_buff *skb,
1104 const struct nlmsghdr *nlh,
1105 const struct nlattr * const attr[],
1106 struct netlink_ext_ack *extack)
1108 struct ip_set_net *inst = ip_set_pernet(net);
1112 if (unlikely(protocol_min_failed(attr)))
1113 return -IPSET_ERR_PROTOCOL;
1115 if (!attr[IPSET_ATTR_SETNAME]) {
1116 for (i = 0; i < inst->ip_set_max; i++) {
1117 s = ip_set(inst, i);
1119 ip_set_flush_set(s);
1122 s = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
1126 ip_set_flush_set(s);
1134 static const struct nla_policy
1135 ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = {
1136 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1137 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1138 .len = IPSET_MAXNAMELEN - 1 },
1139 [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING,
1140 .len = IPSET_MAXNAMELEN - 1 },
1143 static int ip_set_rename(struct net *net, struct sock *ctnl,
1144 struct sk_buff *skb, const struct nlmsghdr *nlh,
1145 const struct nlattr * const attr[],
1146 struct netlink_ext_ack *extack)
1148 struct ip_set_net *inst = ip_set_pernet(net);
1149 struct ip_set *set, *s;
1154 if (unlikely(protocol_min_failed(attr) ||
1155 !attr[IPSET_ATTR_SETNAME] ||
1156 !attr[IPSET_ATTR_SETNAME2]))
1157 return -IPSET_ERR_PROTOCOL;
1159 set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
1163 write_lock_bh(&ip_set_ref_lock);
1164 if (set->ref != 0) {
1165 ret = -IPSET_ERR_REFERENCED;
1169 name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
1170 for (i = 0; i < inst->ip_set_max; i++) {
1171 s = ip_set(inst, i);
1172 if (s && STRNCMP(s->name, name2)) {
1173 ret = -IPSET_ERR_EXIST_SETNAME2;
1177 strncpy(set->name, name2, IPSET_MAXNAMELEN);
1180 write_unlock_bh(&ip_set_ref_lock);
1184 /* Swap two sets so that name/index points to the other.
1185 * References and set names are also swapped.
1187 * The commands are serialized by the nfnl mutex and references are
1188 * protected by the ip_set_ref_lock. The kernel interfaces
1189 * do not hold the mutex but the pointer settings are atomic
1190 * so the ip_set_list always contains valid pointers to the sets.
1193 static int ip_set_swap(struct net *net, struct sock *ctnl, struct sk_buff *skb,
1194 const struct nlmsghdr *nlh,
1195 const struct nlattr * const attr[],
1196 struct netlink_ext_ack *extack)
1198 struct ip_set_net *inst = ip_set_pernet(net);
1199 struct ip_set *from, *to;
1200 ip_set_id_t from_id, to_id;
1201 char from_name[IPSET_MAXNAMELEN];
1203 if (unlikely(protocol_min_failed(attr) ||
1204 !attr[IPSET_ATTR_SETNAME] ||
1205 !attr[IPSET_ATTR_SETNAME2]))
1206 return -IPSET_ERR_PROTOCOL;
1208 from = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]),
1213 to = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME2]),
1216 return -IPSET_ERR_EXIST_SETNAME2;
1218 /* Features must not change.
1219 * Not an artifical restriction anymore, as we must prevent
1220 * possible loops created by swapping in setlist type of sets.
1222 if (!(from->type->features == to->type->features &&
1223 from->family == to->family))
1224 return -IPSET_ERR_TYPE_MISMATCH;
1226 write_lock_bh(&ip_set_ref_lock);
1228 if (from->ref_netlink || to->ref_netlink) {
1229 write_unlock_bh(&ip_set_ref_lock);
1233 strncpy(from_name, from->name, IPSET_MAXNAMELEN);
1234 strncpy(from->name, to->name, IPSET_MAXNAMELEN);
1235 strncpy(to->name, from_name, IPSET_MAXNAMELEN);
1237 swap(from->ref, to->ref);
1238 ip_set(inst, from_id) = to;
1239 ip_set(inst, to_id) = from;
1240 write_unlock_bh(&ip_set_ref_lock);
1245 /* List/save set data */
1252 #define DUMP_TYPE(arg) (((u32)(arg)) & 0x0000FFFF)
1253 #define DUMP_FLAGS(arg) (((u32)(arg)) >> 16)
1256 ip_set_dump_done(struct netlink_callback *cb)
1258 if (cb->args[IPSET_CB_ARG0]) {
1259 struct ip_set_net *inst =
1260 (struct ip_set_net *)cb->args[IPSET_CB_NET];
1261 ip_set_id_t index = (ip_set_id_t)cb->args[IPSET_CB_INDEX];
1262 struct ip_set *set = ip_set_ref_netlink(inst, index);
1264 if (set->variant->uref)
1265 set->variant->uref(set, cb, false);
1266 pr_debug("release set %s\n", set->name);
1267 __ip_set_put_netlink(set);
1273 dump_attrs(struct nlmsghdr *nlh)
1275 const struct nlattr *attr;
1278 pr_debug("dump nlmsg\n");
1279 nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) {
1280 pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len);
1285 dump_init(struct netlink_callback *cb, struct ip_set_net *inst)
1287 struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
1288 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
1289 struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
1290 struct nlattr *attr = (void *)nlh + min_len;
1295 ret = nla_parse_deprecated(cda, IPSET_ATTR_CMD_MAX, attr,
1296 nlh->nlmsg_len - min_len,
1297 ip_set_setname_policy, NULL);
1301 cb->args[IPSET_CB_PROTO] = nla_get_u8(cda[IPSET_ATTR_PROTOCOL]);
1302 if (cda[IPSET_ATTR_SETNAME]) {
1305 set = find_set_and_id(inst, nla_data(cda[IPSET_ATTR_SETNAME]),
1310 dump_type = DUMP_ONE;
1311 cb->args[IPSET_CB_INDEX] = index;
1313 dump_type = DUMP_ALL;
1316 if (cda[IPSET_ATTR_FLAGS]) {
1317 u32 f = ip_set_get_h32(cda[IPSET_ATTR_FLAGS]);
1319 dump_type |= (f << 16);
1321 cb->args[IPSET_CB_NET] = (unsigned long)inst;
1322 cb->args[IPSET_CB_DUMP] = dump_type;
1328 ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
1330 ip_set_id_t index = IPSET_INVALID_ID, max;
1331 struct ip_set *set = NULL;
1332 struct nlmsghdr *nlh = NULL;
1333 unsigned int flags = NETLINK_CB(cb->skb).portid ? NLM_F_MULTI : 0;
1334 struct ip_set_net *inst = ip_set_pernet(sock_net(skb->sk));
1335 u32 dump_type, dump_flags;
1339 if (!cb->args[IPSET_CB_DUMP]) {
1340 ret = dump_init(cb, inst);
1342 nlh = nlmsg_hdr(cb->skb);
1343 /* We have to create and send the error message
1346 if (nlh->nlmsg_flags & NLM_F_ACK)
1347 netlink_ack(cb->skb, nlh, ret, NULL);
1352 if (cb->args[IPSET_CB_INDEX] >= inst->ip_set_max)
1355 dump_type = DUMP_TYPE(cb->args[IPSET_CB_DUMP]);
1356 dump_flags = DUMP_FLAGS(cb->args[IPSET_CB_DUMP]);
1357 max = dump_type == DUMP_ONE ? cb->args[IPSET_CB_INDEX] + 1
1360 pr_debug("dump type, flag: %u %u index: %ld\n",
1361 dump_type, dump_flags, cb->args[IPSET_CB_INDEX]);
1362 for (; cb->args[IPSET_CB_INDEX] < max; cb->args[IPSET_CB_INDEX]++) {
1363 index = (ip_set_id_t)cb->args[IPSET_CB_INDEX];
1364 write_lock_bh(&ip_set_ref_lock);
1365 set = ip_set(inst, index);
1366 is_destroyed = inst->is_destroyed;
1367 if (!set || is_destroyed) {
1368 write_unlock_bh(&ip_set_ref_lock);
1369 if (dump_type == DUMP_ONE) {
1374 /* All sets are just being destroyed */
1380 /* When dumping all sets, we must dump "sorted"
1381 * so that lists (unions of sets) are dumped last.
1383 if (dump_type != DUMP_ONE &&
1384 ((dump_type == DUMP_ALL) ==
1385 !!(set->type->features & IPSET_DUMP_LAST))) {
1386 write_unlock_bh(&ip_set_ref_lock);
1389 pr_debug("List set: %s\n", set->name);
1390 if (!cb->args[IPSET_CB_ARG0]) {
1391 /* Start listing: make sure set won't be destroyed */
1392 pr_debug("reference set\n");
1395 write_unlock_bh(&ip_set_ref_lock);
1396 nlh = start_msg(skb, NETLINK_CB(cb->skb).portid,
1397 cb->nlh->nlmsg_seq, flags,
1401 goto release_refcount;
1403 if (nla_put_u8(skb, IPSET_ATTR_PROTOCOL,
1404 cb->args[IPSET_CB_PROTO]) ||
1405 nla_put_string(skb, IPSET_ATTR_SETNAME, set->name))
1406 goto nla_put_failure;
1407 if (dump_flags & IPSET_FLAG_LIST_SETNAME)
1409 switch (cb->args[IPSET_CB_ARG0]) {
1411 /* Core header data */
1412 if (nla_put_string(skb, IPSET_ATTR_TYPENAME,
1414 nla_put_u8(skb, IPSET_ATTR_FAMILY,
1416 nla_put_u8(skb, IPSET_ATTR_REVISION,
1418 goto nla_put_failure;
1419 if (cb->args[IPSET_CB_PROTO] > IPSET_PROTOCOL_MIN &&
1420 nla_put_net16(skb, IPSET_ATTR_INDEX, htons(index)))
1421 goto nla_put_failure;
1422 ret = set->variant->head(set, skb);
1424 goto release_refcount;
1425 if (dump_flags & IPSET_FLAG_LIST_HEADER)
1427 if (set->variant->uref)
1428 set->variant->uref(set, cb, true);
1431 ret = set->variant->list(set, skb, cb);
1432 if (!cb->args[IPSET_CB_ARG0])
1433 /* Set is done, proceed with next one */
1435 goto release_refcount;
1438 /* If we dump all sets, continue with dumping last ones */
1439 if (dump_type == DUMP_ALL) {
1440 dump_type = DUMP_LAST;
1441 cb->args[IPSET_CB_DUMP] = dump_type | (dump_flags << 16);
1442 cb->args[IPSET_CB_INDEX] = 0;
1443 if (set && set->variant->uref)
1444 set->variant->uref(set, cb, false);
1452 if (dump_type == DUMP_ONE)
1453 cb->args[IPSET_CB_INDEX] = IPSET_INVALID_ID;
1455 cb->args[IPSET_CB_INDEX]++;
1457 /* If there was an error or set is done, release set */
1458 if (ret || !cb->args[IPSET_CB_ARG0]) {
1459 set = ip_set_ref_netlink(inst, index);
1460 if (set->variant->uref)
1461 set->variant->uref(set, cb, false);
1462 pr_debug("release set %s\n", set->name);
1463 __ip_set_put_netlink(set);
1464 cb->args[IPSET_CB_ARG0] = 0;
1468 nlmsg_end(skb, nlh);
1469 pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len);
1473 return ret < 0 ? ret : skb->len;
1476 static int ip_set_dump(struct net *net, struct sock *ctnl, struct sk_buff *skb,
1477 const struct nlmsghdr *nlh,
1478 const struct nlattr * const attr[],
1479 struct netlink_ext_ack *extack)
1481 if (unlikely(protocol_min_failed(attr)))
1482 return -IPSET_ERR_PROTOCOL;
1485 struct netlink_dump_control c = {
1486 .dump = ip_set_dump_start,
1487 .done = ip_set_dump_done,
1489 return netlink_dump_start(ctnl, skb, nlh, &c);
1493 /* Add, del and test */
1495 static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
1496 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1497 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1498 .len = IPSET_MAXNAMELEN - 1 },
1499 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
1500 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
1501 [IPSET_ATTR_ADT] = { .type = NLA_NESTED },
1505 call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
1506 struct nlattr *tb[], enum ipset_adt adt,
1507 u32 flags, bool use_lineno)
1511 bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
1514 spin_lock_bh(&set->lock);
1515 ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
1516 spin_unlock_bh(&set->lock);
1518 } while (ret == -EAGAIN &&
1519 set->variant->resize &&
1520 (ret = set->variant->resize(set, retried)) == 0);
1522 if (!ret || (ret == -IPSET_ERR_EXIST && eexist))
1524 if (lineno && use_lineno) {
1525 /* Error in restore/batch mode: send back lineno */
1526 struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
1527 struct sk_buff *skb2;
1528 struct nlmsgerr *errmsg;
1529 size_t payload = min(SIZE_MAX,
1530 sizeof(*errmsg) + nlmsg_len(nlh));
1531 int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
1532 struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
1533 struct nlattr *cmdattr;
1536 skb2 = nlmsg_new(payload, GFP_KERNEL);
1539 rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid,
1540 nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
1541 errmsg = nlmsg_data(rep);
1542 errmsg->error = ret;
1543 memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
1544 cmdattr = (void *)&errmsg->msg + min_len;
1546 ret = nla_parse_deprecated(cda, IPSET_ATTR_CMD_MAX, cmdattr,
1547 nlh->nlmsg_len - min_len,
1548 ip_set_adt_policy, NULL);
1554 errline = nla_data(cda[IPSET_ATTR_LINENO]);
1558 netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid,
1560 /* Signal netlink not to send its ACK/errmsg. */
1567 static int ip_set_ad(struct net *net, struct sock *ctnl,
1568 struct sk_buff *skb,
1570 const struct nlmsghdr *nlh,
1571 const struct nlattr * const attr[],
1572 struct netlink_ext_ack *extack)
1574 struct ip_set_net *inst = ip_set_pernet(net);
1576 struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {};
1577 const struct nlattr *nla;
1578 u32 flags = flag_exist(nlh);
1582 if (unlikely(protocol_min_failed(attr) ||
1583 !attr[IPSET_ATTR_SETNAME] ||
1584 !((attr[IPSET_ATTR_DATA] != NULL) ^
1585 (attr[IPSET_ATTR_ADT] != NULL)) ||
1586 (attr[IPSET_ATTR_DATA] &&
1587 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1588 (attr[IPSET_ATTR_ADT] &&
1589 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1590 !attr[IPSET_ATTR_LINENO]))))
1591 return -IPSET_ERR_PROTOCOL;
1593 set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
1597 use_lineno = !!attr[IPSET_ATTR_LINENO];
1598 if (attr[IPSET_ATTR_DATA]) {
1599 if (nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], set->type->adt_policy, NULL))
1600 return -IPSET_ERR_PROTOCOL;
1601 ret = call_ad(ctnl, skb, set, tb, adt, flags,
1606 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1607 if (nla_type(nla) != IPSET_ATTR_DATA ||
1608 !flag_nested(nla) ||
1609 nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, nla, set->type->adt_policy, NULL))
1610 return -IPSET_ERR_PROTOCOL;
1611 ret = call_ad(ctnl, skb, set, tb, adt,
1620 static int ip_set_uadd(struct net *net, struct sock *ctnl,
1621 struct sk_buff *skb, const struct nlmsghdr *nlh,
1622 const struct nlattr * const attr[],
1623 struct netlink_ext_ack *extack)
1625 return ip_set_ad(net, ctnl, skb,
1626 IPSET_ADD, nlh, attr, extack);
1629 static int ip_set_udel(struct net *net, struct sock *ctnl,
1630 struct sk_buff *skb, const struct nlmsghdr *nlh,
1631 const struct nlattr * const attr[],
1632 struct netlink_ext_ack *extack)
1634 return ip_set_ad(net, ctnl, skb,
1635 IPSET_DEL, nlh, attr, extack);
1638 static int ip_set_utest(struct net *net, struct sock *ctnl, struct sk_buff *skb,
1639 const struct nlmsghdr *nlh,
1640 const struct nlattr * const attr[],
1641 struct netlink_ext_ack *extack)
1643 struct ip_set_net *inst = ip_set_pernet(net);
1645 struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {};
1648 if (unlikely(protocol_min_failed(attr) ||
1649 !attr[IPSET_ATTR_SETNAME] ||
1650 !attr[IPSET_ATTR_DATA] ||
1651 !flag_nested(attr[IPSET_ATTR_DATA])))
1652 return -IPSET_ERR_PROTOCOL;
1654 set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
1658 if (nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], set->type->adt_policy, NULL))
1659 return -IPSET_ERR_PROTOCOL;
1662 ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
1663 rcu_read_unlock_bh();
1664 /* Userspace can't trigger element to be re-added */
1668 return ret > 0 ? 0 : -IPSET_ERR_EXIST;
1671 /* Get headed data of a set */
1673 static int ip_set_header(struct net *net, struct sock *ctnl,
1674 struct sk_buff *skb, const struct nlmsghdr *nlh,
1675 const struct nlattr * const attr[],
1676 struct netlink_ext_ack *extack)
1678 struct ip_set_net *inst = ip_set_pernet(net);
1679 const struct ip_set *set;
1680 struct sk_buff *skb2;
1681 struct nlmsghdr *nlh2;
1684 if (unlikely(protocol_min_failed(attr) ||
1685 !attr[IPSET_ATTR_SETNAME]))
1686 return -IPSET_ERR_PROTOCOL;
1688 set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
1692 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1696 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1700 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, protocol(attr)) ||
1701 nla_put_string(skb2, IPSET_ATTR_SETNAME, set->name) ||
1702 nla_put_string(skb2, IPSET_ATTR_TYPENAME, set->type->name) ||
1703 nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) ||
1704 nla_put_u8(skb2, IPSET_ATTR_REVISION, set->revision))
1705 goto nla_put_failure;
1706 nlmsg_end(skb2, nlh2);
1708 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1715 nlmsg_cancel(skb2, nlh2);
1723 static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = {
1724 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1725 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
1726 .len = IPSET_MAXNAMELEN - 1 },
1727 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
1730 static int ip_set_type(struct net *net, struct sock *ctnl, struct sk_buff *skb,
1731 const struct nlmsghdr *nlh,
1732 const struct nlattr * const attr[],
1733 struct netlink_ext_ack *extack)
1735 struct sk_buff *skb2;
1736 struct nlmsghdr *nlh2;
1737 u8 family, min, max;
1738 const char *typename;
1741 if (unlikely(protocol_min_failed(attr) ||
1742 !attr[IPSET_ATTR_TYPENAME] ||
1743 !attr[IPSET_ATTR_FAMILY]))
1744 return -IPSET_ERR_PROTOCOL;
1746 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
1747 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
1748 ret = find_set_type_minmax(typename, family, &min, &max);
1752 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1756 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1760 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, protocol(attr)) ||
1761 nla_put_string(skb2, IPSET_ATTR_TYPENAME, typename) ||
1762 nla_put_u8(skb2, IPSET_ATTR_FAMILY, family) ||
1763 nla_put_u8(skb2, IPSET_ATTR_REVISION, max) ||
1764 nla_put_u8(skb2, IPSET_ATTR_REVISION_MIN, min))
1765 goto nla_put_failure;
1766 nlmsg_end(skb2, nlh2);
1768 pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len);
1769 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1776 nlmsg_cancel(skb2, nlh2);
1782 /* Get protocol version */
1784 static const struct nla_policy
1785 ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = {
1786 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1789 static int ip_set_protocol(struct net *net, struct sock *ctnl,
1790 struct sk_buff *skb, const struct nlmsghdr *nlh,
1791 const struct nlattr * const attr[],
1792 struct netlink_ext_ack *extack)
1794 struct sk_buff *skb2;
1795 struct nlmsghdr *nlh2;
1798 if (unlikely(!attr[IPSET_ATTR_PROTOCOL]))
1799 return -IPSET_ERR_PROTOCOL;
1801 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1805 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1806 IPSET_CMD_PROTOCOL);
1809 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL))
1810 goto nla_put_failure;
1811 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL_MIN, IPSET_PROTOCOL_MIN))
1812 goto nla_put_failure;
1813 nlmsg_end(skb2, nlh2);
1815 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1822 nlmsg_cancel(skb2, nlh2);
1828 /* Get set by name or index, from userspace */
1830 static int ip_set_byname(struct net *net, struct sock *ctnl,
1831 struct sk_buff *skb, const struct nlmsghdr *nlh,
1832 const struct nlattr * const attr[],
1833 struct netlink_ext_ack *extack)
1835 struct ip_set_net *inst = ip_set_pernet(net);
1836 struct sk_buff *skb2;
1837 struct nlmsghdr *nlh2;
1838 ip_set_id_t id = IPSET_INVALID_ID;
1839 const struct ip_set *set;
1842 if (unlikely(protocol_failed(attr) ||
1843 !attr[IPSET_ATTR_SETNAME]))
1844 return -IPSET_ERR_PROTOCOL;
1846 set = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]), &id);
1847 if (id == IPSET_INVALID_ID)
1850 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1854 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1855 IPSET_CMD_GET_BYNAME);
1858 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, protocol(attr)) ||
1859 nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) ||
1860 nla_put_net16(skb2, IPSET_ATTR_INDEX, htons(id)))
1861 goto nla_put_failure;
1862 nlmsg_end(skb2, nlh2);
1864 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1871 nlmsg_cancel(skb2, nlh2);
1877 static const struct nla_policy ip_set_index_policy[IPSET_ATTR_CMD_MAX + 1] = {
1878 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1879 [IPSET_ATTR_INDEX] = { .type = NLA_U16 },
1882 static int ip_set_byindex(struct net *net, struct sock *ctnl,
1883 struct sk_buff *skb, const struct nlmsghdr *nlh,
1884 const struct nlattr * const attr[],
1885 struct netlink_ext_ack *extack)
1887 struct ip_set_net *inst = ip_set_pernet(net);
1888 struct sk_buff *skb2;
1889 struct nlmsghdr *nlh2;
1890 ip_set_id_t id = IPSET_INVALID_ID;
1891 const struct ip_set *set;
1894 if (unlikely(protocol_failed(attr) ||
1895 !attr[IPSET_ATTR_INDEX]))
1896 return -IPSET_ERR_PROTOCOL;
1898 id = ip_set_get_h16(attr[IPSET_ATTR_INDEX]);
1899 if (id >= inst->ip_set_max)
1901 set = ip_set(inst, id);
1905 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1909 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1910 IPSET_CMD_GET_BYINDEX);
1913 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, protocol(attr)) ||
1914 nla_put_string(skb2, IPSET_ATTR_SETNAME, set->name))
1915 goto nla_put_failure;
1916 nlmsg_end(skb2, nlh2);
1918 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1925 nlmsg_cancel(skb2, nlh2);
1931 static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
1932 [IPSET_CMD_NONE] = {
1933 .call = ip_set_none,
1934 .attr_count = IPSET_ATTR_CMD_MAX,
1936 [IPSET_CMD_CREATE] = {
1937 .call = ip_set_create,
1938 .attr_count = IPSET_ATTR_CMD_MAX,
1939 .policy = ip_set_create_policy,
1941 [IPSET_CMD_DESTROY] = {
1942 .call = ip_set_destroy,
1943 .attr_count = IPSET_ATTR_CMD_MAX,
1944 .policy = ip_set_setname_policy,
1946 [IPSET_CMD_FLUSH] = {
1947 .call = ip_set_flush,
1948 .attr_count = IPSET_ATTR_CMD_MAX,
1949 .policy = ip_set_setname_policy,
1951 [IPSET_CMD_RENAME] = {
1952 .call = ip_set_rename,
1953 .attr_count = IPSET_ATTR_CMD_MAX,
1954 .policy = ip_set_setname2_policy,
1956 [IPSET_CMD_SWAP] = {
1957 .call = ip_set_swap,
1958 .attr_count = IPSET_ATTR_CMD_MAX,
1959 .policy = ip_set_setname2_policy,
1961 [IPSET_CMD_LIST] = {
1962 .call = ip_set_dump,
1963 .attr_count = IPSET_ATTR_CMD_MAX,
1964 .policy = ip_set_setname_policy,
1966 [IPSET_CMD_SAVE] = {
1967 .call = ip_set_dump,
1968 .attr_count = IPSET_ATTR_CMD_MAX,
1969 .policy = ip_set_setname_policy,
1972 .call = ip_set_uadd,
1973 .attr_count = IPSET_ATTR_CMD_MAX,
1974 .policy = ip_set_adt_policy,
1977 .call = ip_set_udel,
1978 .attr_count = IPSET_ATTR_CMD_MAX,
1979 .policy = ip_set_adt_policy,
1981 [IPSET_CMD_TEST] = {
1982 .call = ip_set_utest,
1983 .attr_count = IPSET_ATTR_CMD_MAX,
1984 .policy = ip_set_adt_policy,
1986 [IPSET_CMD_HEADER] = {
1987 .call = ip_set_header,
1988 .attr_count = IPSET_ATTR_CMD_MAX,
1989 .policy = ip_set_setname_policy,
1991 [IPSET_CMD_TYPE] = {
1992 .call = ip_set_type,
1993 .attr_count = IPSET_ATTR_CMD_MAX,
1994 .policy = ip_set_type_policy,
1996 [IPSET_CMD_PROTOCOL] = {
1997 .call = ip_set_protocol,
1998 .attr_count = IPSET_ATTR_CMD_MAX,
1999 .policy = ip_set_protocol_policy,
2001 [IPSET_CMD_GET_BYNAME] = {
2002 .call = ip_set_byname,
2003 .attr_count = IPSET_ATTR_CMD_MAX,
2004 .policy = ip_set_setname_policy,
2006 [IPSET_CMD_GET_BYINDEX] = {
2007 .call = ip_set_byindex,
2008 .attr_count = IPSET_ATTR_CMD_MAX,
2009 .policy = ip_set_index_policy,
2013 static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = {
2015 .subsys_id = NFNL_SUBSYS_IPSET,
2016 .cb_count = IPSET_MSG_MAX,
2017 .cb = ip_set_netlink_subsys_cb,
2020 /* Interface to iptables/ip6tables */
2023 ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
2027 int copylen = *len, ret = 0;
2028 struct net *net = sock_net(sk);
2029 struct ip_set_net *inst = ip_set_pernet(net);
2031 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
2033 if (optval != SO_IP_SET)
2035 if (*len < sizeof(unsigned int))
2038 data = vmalloc(*len);
2041 if (copy_from_user(data, user, *len) != 0) {
2047 if (*op < IP_SET_OP_VERSION) {
2048 /* Check the version at the beginning of operations */
2049 struct ip_set_req_version *req_version = data;
2051 if (*len < sizeof(struct ip_set_req_version)) {
2056 if (req_version->version < IPSET_PROTOCOL_MIN) {
2063 case IP_SET_OP_VERSION: {
2064 struct ip_set_req_version *req_version = data;
2066 if (*len != sizeof(struct ip_set_req_version)) {
2071 req_version->version = IPSET_PROTOCOL;
2072 ret = copy_to_user(user, req_version,
2073 sizeof(struct ip_set_req_version));
2076 case IP_SET_OP_GET_BYNAME: {
2077 struct ip_set_req_get_set *req_get = data;
2080 if (*len != sizeof(struct ip_set_req_get_set)) {
2084 req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
2085 nfnl_lock(NFNL_SUBSYS_IPSET);
2086 find_set_and_id(inst, req_get->set.name, &id);
2087 req_get->set.index = id;
2088 nfnl_unlock(NFNL_SUBSYS_IPSET);
2091 case IP_SET_OP_GET_FNAME: {
2092 struct ip_set_req_get_set_family *req_get = data;
2095 if (*len != sizeof(struct ip_set_req_get_set_family)) {
2099 req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
2100 nfnl_lock(NFNL_SUBSYS_IPSET);
2101 find_set_and_id(inst, req_get->set.name, &id);
2102 req_get->set.index = id;
2103 if (id != IPSET_INVALID_ID)
2104 req_get->family = ip_set(inst, id)->family;
2105 nfnl_unlock(NFNL_SUBSYS_IPSET);
2108 case IP_SET_OP_GET_BYINDEX: {
2109 struct ip_set_req_get_set *req_get = data;
2112 if (*len != sizeof(struct ip_set_req_get_set) ||
2113 req_get->set.index >= inst->ip_set_max) {
2117 nfnl_lock(NFNL_SUBSYS_IPSET);
2118 set = ip_set(inst, req_get->set.index);
2119 ret = strscpy(req_get->set.name, set ? set->name : "",
2121 nfnl_unlock(NFNL_SUBSYS_IPSET);
2129 } /* end of switch(op) */
2132 ret = copy_to_user(user, data, copylen);
2141 static struct nf_sockopt_ops so_set __read_mostly = {
2143 .get_optmin = SO_IP_SET,
2144 .get_optmax = SO_IP_SET + 1,
2145 .get = ip_set_sockfn_get,
2146 .owner = THIS_MODULE,
2149 static int __net_init
2150 ip_set_net_init(struct net *net)
2152 struct ip_set_net *inst = ip_set_pernet(net);
2153 struct ip_set **list;
2155 inst->ip_set_max = max_sets ? max_sets : CONFIG_IP_SET_MAX;
2156 if (inst->ip_set_max >= IPSET_INVALID_ID)
2157 inst->ip_set_max = IPSET_INVALID_ID - 1;
2159 list = kvcalloc(inst->ip_set_max, sizeof(struct ip_set *), GFP_KERNEL);
2162 inst->is_deleted = false;
2163 inst->is_destroyed = false;
2164 rcu_assign_pointer(inst->ip_set_list, list);
2168 static void __net_exit
2169 ip_set_net_exit(struct net *net)
2171 struct ip_set_net *inst = ip_set_pernet(net);
2173 struct ip_set *set = NULL;
2176 inst->is_deleted = true; /* flag for ip_set_nfnl_put */
2178 nfnl_lock(NFNL_SUBSYS_IPSET);
2179 for (i = 0; i < inst->ip_set_max; i++) {
2180 set = ip_set(inst, i);
2182 ip_set(inst, i) = NULL;
2183 ip_set_destroy_set(set);
2186 nfnl_unlock(NFNL_SUBSYS_IPSET);
2187 kvfree(rcu_dereference_protected(inst->ip_set_list, 1));
2190 static struct pernet_operations ip_set_net_ops = {
2191 .init = ip_set_net_init,
2192 .exit = ip_set_net_exit,
2193 .id = &ip_set_net_id,
2194 .size = sizeof(struct ip_set_net),
2200 int ret = register_pernet_subsys(&ip_set_net_ops);
2203 pr_err("ip_set: cannot register pernet_subsys.\n");
2207 ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
2209 pr_err("ip_set: cannot register with nfnetlink.\n");
2210 unregister_pernet_subsys(&ip_set_net_ops);
2214 ret = nf_register_sockopt(&so_set);
2216 pr_err("SO_SET registry failed: %d\n", ret);
2217 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
2218 unregister_pernet_subsys(&ip_set_net_ops);
2228 nf_unregister_sockopt(&so_set);
2229 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
2231 unregister_pernet_subsys(&ip_set_net_ops);
2232 pr_debug("these are the famous last words\n");
2235 module_init(ip_set_init);
2236 module_exit(ip_set_fini);
2238 MODULE_DESCRIPTION("ip_set: protocol " __stringify(IPSET_PROTOCOL));
git.samba.org / sfrench / cifs-2.6.git / blob