4 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
5 * Patrick Schaaf <bof@bof.de>
6 * Martin Josefsson <gandalf@wlug.westbo.se>
7 * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2 as
11 * published by the Free Software Foundation.
19 * A sockopt of such quality has hardly ever been seen before on the open
20 * market! This little beauty, hardly ever used: above 64, so it's
21 * traditionally used for firewalling, not touched (even once!) by the
22 * 2.0, 2.2 and 2.4 kernels!
24 * Comes with its own certificate of authenticity, valid anywhere in the
32 * Heavily modified by Joakim Axelsson 08.03.2002
33 * - Made it more module-based
35 * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
37 * - in order to "deal with" backward compatibility, renamed to ipset
41 * Used so that the kernel module and ipset-binary can match their versions
43 #define IP_SET_PROTOCOL_VERSION 2
45 #define IP_SET_MAXNAMELEN 32 /* set names and set typenames */
47 /* Lets work with our own typedef for representing an IP address.
48 * We hope to make the code more portable, possibly to IPv6...
50 * The representation works in HOST byte order, because most set types
51 * will perform arithmetic operations and compare operations.
53 * For now the type is an uint32_t.
55 * Make sure to ONLY use the functions when translating and parsing
56 * in order to keep the host byte order and make it more portable:
61 * (Joakim: where are they???)
64 typedef uint32_t ip_set_ip_t;
66 /* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
67 * and IP_SET_INVALID_ID if you want to increase the max number of sets.
69 typedef uint16_t ip_set_id_t;
71 #define IP_SET_INVALID_ID 65535
73 /* How deep we follow bindings */
74 #define IP_SET_MAX_BINDINGS 6
77 * Option flags for kernel operations (ipt_set_info)
79 #define IPSET_SRC 0x01 /* Source match/add */
80 #define IPSET_DST 0x02 /* Destination match/add */
81 #define IPSET_MATCH_INV 0x04 /* Inverse matching */
86 #define IPSET_TYPE_IP 0x01 /* IP address type of set */
87 #define IPSET_TYPE_PORT 0x02 /* Port type of set */
88 #define IPSET_DATA_SINGLE 0x04 /* Single data storage */
89 #define IPSET_DATA_DOUBLE 0x08 /* Double data storage */
91 /* Reserved keywords */
92 #define IPSET_TOKEN_DEFAULT ":default:"
93 #define IPSET_TOKEN_ALL ":all:"
95 /* SO_IP_SET operation constants, and their request struct types.
98 * 0-99: commands with version checking
99 * 100-199: add/del/test/bind/unbind
100 * 200-299: list, save, restore
103 /* Single shot operations:
104 * version, create, destroy, flush, rename and swap
106 * Sets are identified by name.
109 #define IP_SET_REQ_STD \
112 char name[IP_SET_MAXNAMELEN]
114 #define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */
115 struct ip_set_req_create {
117 char typename[IP_SET_MAXNAMELEN];
120 #define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */
121 struct ip_set_req_std {
125 #define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */
126 /* Uses ip_set_req_std */
128 #define IP_SET_OP_RENAME 0x00000004 /* Rename a set */
129 /* Uses ip_set_req_create */
131 #define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */
132 /* Uses ip_set_req_create */
134 union ip_set_name_index {
135 char name[IP_SET_MAXNAMELEN];
139 #define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
140 struct ip_set_req_get_set {
143 union ip_set_name_index set;
146 #define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
147 /* Uses ip_set_req_get_set */
149 #define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
150 struct ip_set_req_version {
155 /* Double shots operations:
156 * add, del, test, bind and unbind.
158 * First we query the kernel to get the index and type of the target set,
159 * then issue the command. Validity of IP is checked in kernel in order
160 * to minimize sockopt operations.
163 /* Get minimal set data for add/del/test/bind/unbind IP */
164 #define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */
165 struct ip_set_req_adt_get {
168 union ip_set_name_index set;
169 char typename[IP_SET_MAXNAMELEN];
172 #define IP_SET_REQ_BYINDEX \
176 struct ip_set_req_adt {
180 #define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */
181 /* Uses ip_set_req_adt, with type specific addage */
183 #define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */
184 /* Uses ip_set_req_adt, with type specific addage */
186 #define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */
187 /* Uses ip_set_req_adt, with type specific addage */
189 #define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */
190 /* Uses ip_set_req_bind, with type specific addage */
191 struct ip_set_req_bind {
193 char binding[IP_SET_MAXNAMELEN];
196 #define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */
197 /* Uses ip_set_req_bind, with type specific addage
198 * index = 0 means unbinding for all sets */
200 #define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */
201 /* Uses ip_set_req_bind, with type specific addage */
203 /* Multiple shots operations: list, save, restore.
205 * - check kernel version and query the max number of sets
206 * - get the basic information on all sets
207 * and size required for the next step
208 * - get actual set data: header, data, bindings
211 /* Get max_sets and the index of a queried set
213 #define IP_SET_OP_MAX_SETS 0x00000020
214 struct ip_set_req_max_sets {
217 ip_set_id_t max_sets; /* max_sets */
218 ip_set_id_t sets; /* real number of sets */
219 union ip_set_name_index set; /* index of set if name used */
222 /* Get the id and name of the sets plus size for next step */
223 #define IP_SET_OP_LIST_SIZE 0x00000201
224 #define IP_SET_OP_SAVE_SIZE 0x00000202
225 struct ip_set_req_setnames {
227 ip_set_id_t index; /* set to list/save */
228 size_t size; /* size to get setdata/bindings */
229 /* followed by sets number of struct ip_set_name_list */
232 struct ip_set_name_list {
233 char name[IP_SET_MAXNAMELEN];
234 char typename[IP_SET_MAXNAMELEN];
239 /* The actual list operation */
240 #define IP_SET_OP_LIST 0x00000203
241 struct ip_set_req_list {
243 /* sets number of struct ip_set_list in reply */
250 size_t header_size; /* Set header data of header_size */
251 size_t members_size; /* Set members data of members_size */
252 size_t bindings_size; /* Set bindings data of bindings_size */
255 struct ip_set_hash_list {
260 /* The save operation */
261 #define IP_SET_OP_SAVE 0x00000204
262 /* Uses ip_set_req_list, in the reply replaced by
263 * sets number of struct ip_set_save plus a marker
264 * ip_set_save followed by ip_set_hash_save structures.
269 size_t header_size; /* Set header data of header_size */
270 size_t members_size; /* Set members data of members_size */
273 /* At restoring, ip == 0 means default binding for the given set: */
274 struct ip_set_hash_save {
280 /* The restore operation */
281 #define IP_SET_OP_RESTORE 0x00000205
282 /* Uses ip_set_req_setnames followed by ip_set_restore structures
283 * plus a marker ip_set_restore, followed by ip_set_hash_save
286 struct ip_set_restore {
287 char name[IP_SET_MAXNAMELEN];
288 char typename[IP_SET_MAXNAMELEN];
290 size_t header_size; /* Create data of header_size */
291 size_t members_size; /* Set members data of members_size */
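/* Number of bytes needed for a bitmap covering the inclusive IP range
 * [a, b], rounded up to a multiple of 4 bytes.
 *
 * Callers must guarantee a <= b; the result is meaningless otherwise.
 * The intermediate "b - a + 8" is widened to 64 bits so that a range
 * close to the full 32-bit address space does not wrap around to 0 and
 * under-size the allocation the bitmap is later written into.
 */
static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
{
	uint64_t bits = (uint64_t)(b - a) + 1;	/* inclusive range, in bits */
	uint64_t bytes = (bits + 7) / 8;	/* round up to whole bytes */

	return (int)(4 * ((bytes + 3) / 4));	/* round up to 4-byte words */
}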
301 #define ip_set_printk(format, args...) \
303 printk("%s: %s: ", __FILE__, __FUNCTION__); \
304 printk(format "\n" , ## args); \
307 #if defined(IP_SET_DEBUG)
308 #define DP(format, args...) \
310 printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
311 printk(format "\n" , ## args); \
313 #define IP_SET_ASSERT(x) \
316 printk("IP_SET_ASSERT: %s:%i(%s)\n", \
317 __FILE__, __LINE__, __FUNCTION__); \
320 #define DP(format, args...)
321 #define IP_SET_ASSERT(x)
327 * The ip_set_type definition - one per set type, e.g. "ipmap".
329 * Each individual set has a pointer, set->type, going to one
330 * of these structures. Function pointers inside the structure implement
331 * the real behaviour of the sets.
333 * If not mentioned differently, the implementation behind the function
334 * pointers of a set_type, is expected to return 0 if ok, and a negative
335 * errno (e.g. -EINVAL) on error.
338 struct list_head list; /* next in list of set types */
340 /* test for IP in set (kernel: iptables -m set src|dst)
341 * return 0 if not in set, 1 if in set.
343 int (*testip_kernel) (struct ip_set *set,
344 const struct sk_buff * skb,
346 const u_int32_t *flags,
347 unsigned char index);
349 /* test for IP in set (userspace: ipset -T set IP)
350 * return 0 if not in set, 1 if in set.
352 int (*testip) (struct ip_set *set,
353 const void *data, size_t size,
357 * Size of the data structure passed by when
358 * adding/deleting/testing an entry.
362 /* Add IP into set (userspace: ipset -A set IP)
363 * Return -EEXIST if the address is already in the set,
364 * and -ERANGE if the address lies outside the set bounds.
365 * If the address was not already in the set, 0 is returned.
367 int (*addip) (struct ip_set *set,
368 const void *data, size_t size,
371 /* Add IP into set (kernel: iptables ... -j SET set src|dst)
372 * Return -EEXIST if the address is already in the set,
373 * and -ERANGE if the address lies outside the set bounds.
374 * If the address was not already in the set, 0 is returned.
376 int (*addip_kernel) (struct ip_set *set,
377 const struct sk_buff * skb,
379 const u_int32_t *flags,
380 unsigned char index);
382 /* remove IP from set (userspace: ipset -D set --entry x)
383 * Return -EEXIST if the address is NOT in the set,
384 * and -ERANGE if the address lies outside the set bounds.
385 * If the address really was in the set, 0 is returned.
387 int (*delip) (struct ip_set *set,
388 const void *data, size_t size,
391 /* remove IP from set (kernel: iptables ... -j SET --entry x)
392 * Return -EEXIST if the address is NOT in the set,
393 * and -ERANGE if the address lies outside the set bounds.
394 * If the address really was in the set, 0 is returned.
396 int (*delip_kernel) (struct ip_set *set,
397 const struct sk_buff * skb,
399 const u_int32_t *flags,
400 unsigned char index);
402 /* new set creation - allocated type specific items
404 int (*create) (struct ip_set *set,
405 const void *data, size_t size);
407 /* retry the operation after successfully tweaking the set
409 int (*retry) (struct ip_set *set);
411 /* set destruction - free type specific items
412 * There is no return value.
413 * Can be called only when child sets are destroyed.
415 void (*destroy) (struct ip_set *set);
417 /* set flushing - reset all bits in the set, or something similar.
418 * There is no return value.
420 void (*flush) (struct ip_set *set);
422 /* Listing: size needed for header
426 /* Listing: Get the header
428 * Fill in the information in "data".
429 * This function is always run after list_header_size() under a
430 * writelock on the set. Therefore the length of "data" is always
433 void (*list_header) (const struct ip_set *set,
436 /* Listing: Get the size for the set members
438 int (*list_members_size) (const struct ip_set *set);
440 /* Listing: Get the set members
442 * Fill in the information in "data".
443 * This function is always run after list_member_size() under a
444 * writelock on the set. Therefore the length of "data" is always
447 void (*list_members) (const struct ip_set *set,
450 char typename[IP_SET_MAXNAMELEN];
451 unsigned char features;
452 int protocol_version;
454 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
458 extern int ip_set_register_set_type(struct ip_set_type *set_type);
459 extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
461 /* A generic ipset */
463 char name[IP_SET_MAXNAMELEN]; /* the name of the set */
464 rwlock_t lock; /* lock for concurrency control */
465 ip_set_id_t id; /* set id for swapping */
466 ip_set_id_t binding; /* default binding for the set */
467 atomic_t ref; /* in kernel and in hash references */
468 struct ip_set_type *type; /* the set types */
469 void *data; /* pooltype specific data */
472 /* Structure to bind set elements to sets */
474 struct list_head list; /* list of clashing entries in hash */
475 ip_set_ip_t ip; /* ip from set */
476 ip_set_id_t id; /* set id */
477 ip_set_id_t binding; /* set we bind the element to */
480 /* register and unregister set references */
481 extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
482 extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
483 extern void ip_set_put(ip_set_id_t id);
485 /* API for iptables set match, and SET target */
486 extern void ip_set_addip_kernel(ip_set_id_t id,
487 const struct sk_buff *skb,
488 const u_int32_t *flags);
489 extern void ip_set_delip_kernel(ip_set_id_t id,
490 const struct sk_buff *skb,
491 const u_int32_t *flags);
492 extern int ip_set_testip_kernel(ip_set_id_t id,
493 const struct sk_buff *skb,
494 const u_int32_t *flags);
496 #endif /* __KERNEL__ */