--- /dev/null
+2.2.8
+ - Nasty off-by-one bug fixed in iptree type of sets
+ (bug reported by Pablo Sole)
+
+2.2.7
+ All patches were submitted by Jones Desougi
+ - missing or confusing error message fixes for ipporthash
+ - minor correction in debugging in nethash
+ - copy-paste bug in kernel set types at memory allocation
+ checking fixed
+ - unified memory allocations in ipset
+
+2.2.6
+ - memory allocation in iptree is changed to GFP_ATOMIC because
+ we hold a lock (bug reported by Radek Hladik)
+ - compatibility fix: __nocast is not defined in all 2.6 branches
+ (problem reported by Ming-Ching Tiew)
+ - manpage corrections
+
+2.2.5
+ - garbage collector of iptree type of sets is fixed: flushing
+ sets/removing kernel module could corrupt the timer
+ - new ipporthash type added
+ - manpage fixes and corrections
+
+2.2.4
+ - half-fixed memory allocation bug in iphash and nethash finally
+ completely fixed (bug reported by Nikolai Malykh)
+ - restrictions to enter zero-valued entries into all non-hash type sets
+ were removed
+ - Too strict check on the set size of ipmap type was corrected
+
+2.2.3
+ - memory allocation bug in iphash and nethash in connection with the SET
+ target was fixed (bug reported by Nikolai Malykh)
+ - lockhelp.h was removed from the 2.6.13 kernel tree, ip_set.c is
+ updated accordingly (Cardoso Didier, Samir Bellabes)
+ - manpage is updated to clearly state the command order in restore mode
+
+2.2.2
+ - Jiffies rollover bug in ip_set_iptree reported and fixed by Rob Nielsen
+ - Compiler warning in the non-SMP case fixed (Marcus Sundberg)
+ - slab cache names shrunk in order to be compatible with 2.4.* (Marcus
+ Sundberg)
+
+2.2.1
+ - Magic number in ip_set_nethash.h was mistyped (bug reported by Rob
+ Carlson)
+ - ipset can now test IP addresses in nethash type of sets (i.e. addresses
+ in netblocks added to the set)
+
+2.2.0
+ - Locking bug in ip_set_nethash.c (Clifford Wolf and Rob Carlson)
+ - Makefile contained an unnecessary variable in IPSET_LIB_DIR (Clifford
+ Wolf)
+ - Safety checkings of restore in ipset was incomplete (Robin H. Johnson)
+ - More careful resizing by avoiding locking completely
+ - stdin stored internally in a temporary file, so we can feed 'ipset -R'
+ from a pipe
+ - iptree maptype added
+
+2.1
+ - Lock debugging used with debugless lock definiton (Piotr Chytla and
+ others).
+ - Bindings were not properly filled out at listing (kernel)
+ - When listing sets from kernel, id was not added to the set structure
+ (ipset)
+ - nethash maptype added
+ - ipset manpage corrections (macipmap)
+
+2.0.1
+ - Missing -fPIC in Makefile (Robert Iakobashvili)
+ - Cut'n'paste bug at saving macipmap types (Vincent Bernat).
+ - Bug in printing/saving SET targets reported and fixed by Michal
+ Pokrywka
+
+2.0
+ - Chaining of sets are changed: child sets replaced by bindings
+ - Kernel-userspace communication reorganized to minimize the number
+ of syscalls
+ - Save and restore functionality implemented
+ - iphash type reworked: clashing resolved by double-hashing and by
+ dynamically growing the set
+
+1.0
+ - Renamed to ipset
+ - Rewritten to support child pools
+ - portmap, iphash pool support added
+ - too much other mods here and there to list...
+
--- /dev/null
+Original changelog as ippool:
+
+0.3.2b
+- Fixed missing kfree(pool) (Martin Josefsson)
+
+0.3.2a
+- Added libipt_pool.c and libipt_POOL.c (Martin Josefsson)
+
+
+0.3.2
+- Passes pointers to skb's around instead of ip's in the (Martin Josefsson)
+ kernel modules.
+- Added a new pooltype, macipmap, which matches ip's (Martin Josefsson)
+ against macaddresses.
+- Cleaned up a lot of typedefs. (Martin Josefsson)
+- Fixed an unlocking of the wrong lock. (Martin Josefsson)
+- Fixed a refcount bug when allocated memory was too (Martin Josefsson)
+ small.
+- Fixed a free() of unallocated memory. (Martin Josefsson)
+- Switched from kmalloc/kfree to vmalloc/vfree for (Martin Josefsson)
+ pool-listings/additions.
+
+
+0.3.1
+- Changed the API between userspace modules and base. (Joakim Axelsson)
+ Moved the memberdata pointer to module self.
+ As a result of this Protocolversion is increased to 4.
+- Fixed problems with crashing null-pooltype (Joakim Axelsson)
+- Fixed problems with compiling warnings (Joakim Axelsson)
+ in null pooltype.
+
+
+0.3.0:
+- Changed the listing to use getsockopt. (Joakim Axelsson)
+ /proc is left for debuging purpose.
+ This is a mayor change.
+ Protocolversion is increased to 3
+- Added support for --quiet (Joakim Axelsson)
+- Added support for --sorted (Joakim Axelsson)
+- Added support for --numeric (Joakim Axelsson)
+- Added support for --exact (Joakim Axelsson)
+- Added -Z (Zero) which zero's the counter (Joakim Axelsson)
+ on one or all pools.
+- Added support for --debug that prints all debug-messages (Joakim Axelsosn)
+ in userspace. Need to be compiled with
+ IP_POOL_DEBUG tho.
+- Added null pooltype. For demostration and (Joakim Axelsson)
+ pooltype skeleton mostly
+- Fixed bug with possibly renaming to an already (Joakim Axelsson)
+ existing pool.
+- Change error to OTHER_PROBLEM on add and del IP. (Joakim Axelsson)
+
+0.2.1-0.2.3
+- Better handling of references (Patrick Schaaf)
+- Various bugfixes (Patrick Schaaf)
+- Cleaning up the code in kernelspace (Patrick Schaaf)
+
+0.2.0:
+- Rewrote the entrie system. Modulized it. (Joakim Axelsson)
--- /dev/null
+#!/usr/bin/make
+
+######################################################################
+# YOU SHOULD NOT NEED TO TOUCH ANYTHING BELOW THIS LINE
+######################################################################
+
+ifndef KERNEL_DIR
+KERNEL_DIR=/usr/src/linux
+endif
+
+IPSET_VERSION:=2.2.8
+
+PREFIX:=/usr/local
+LIBDIR:=$(PREFIX)/lib
+BINDIR:=$(PREFIX)/sbin
+MANDIR:=$(PREFIX)/man
+INCDIR:=$(PREFIX)/include
+IPSET_LIB_DIR:=$(LIBDIR)/ipset
+
+# directory for new iptables releases
+RELEASE_DIR:=/tmp
+
+COPT_FLAGS:=-O2
+CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -I. # -g -DIPSET_DEBUG #-pg # -DIPTC_DEBUG
+SH_CFLAGS:=$(CFLAGS) -fPIC
+SETTYPES:=ipmap portmap macipmap iphash nethash iptree ipporthash
+
+PROGRAMS=ipset
+SHARED_LIBS=$(foreach T, $(SETTYPES),libipset_$(T).so)
+INSTALL=$(DESTDIR)$(BINDIR)/ipset $(DESTDIR)$(MANDIR)/man8/ipset.8
+INSTALL+=$(foreach T, $(SETTYPES), $(DESTDIR)$(LIBDIR)/ipset/libipset_$(T).so)
+
+all: $(PROGRAMS) $(SHARED_LIBS)
+
+install: all $(INSTALL)
+
+clean: $(EXTRA_CLEANS)
+ rm -rf $(PROGRAMS) $(SHARED_LIBS) *.o *~
+
+#The ipset(8) self
+ipset.o: ipset.c
+ $(CC) $(CFLAGS) -DIPSET_VERSION=\"$(IPSET_VERSION)\" -DIPSET_LIB_DIR=\"$(IPSET_LIB_DIR)\" -c -o $@ $<
+
+ipset: ipset.o
+ $(CC) $(CFLAGS) -ldl -rdynamic -o $@ $^
+
+#Pooltypes
+ipset_%.o: ipset_%.c
+ $(CC) $(SH_CFLAGS) -o $@ -c $<
+
+libipset_%.so: ipset_%.o
+ $(LD) -shared -o $@ $<
+
+$(DESTDIR)$(LIBDIR)/ipset/libipset_%.so: libipset_%.so
+ @[ -d $(DESTDIR)$(LIBDIR)/ipset ] || mkdir -p $(DESTDIR)$(LIBDIR)/ipset
+ cp $< $@
+
+$(DESTDIR)$(BINDIR)/ipset: ipset
+ @[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
+ cp $< $@
+
+$(DESTDIR)$(MANDIR)/man8/ipset.8: ipset.8
+ @[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
+ cp $< $@
--- /dev/null
+- rewrite kernel-userspace communication from sockopt to netlink
+- IPv6 support
--- /dev/null
+.TH IPSET 8 "Feb 05, 2004" "" ""
+.\"
+.\" Man page written by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ipset \- administration tool for IP sets
+.SH SYNOPSIS
+.BR "ipset -N " "set type-specification [options]"
+.br
+.BR "ipset -[XFLSHh] " "[set] [options]"
+.br
+.BR "ipset -[EW] " "from-set to-set"
+.br
+.BR "ipset -[ADU] " "set entry"
+.br
+.BR "ipset -B " "set entry -b binding"
+.br
+.BR "ipset -T " "set entry [-b binding]"
+.br
+.BR "ipset -R "
+.SH DESCRIPTION
+.B ipset
+is used to set up, maintain and inspect so called IP sets in the Linux
+kernel. Depending on the type, an IP set may store IP addresses, (TCP/UDP)
+port numbers or additional informations besides IP addresses: the word IP
+means a general term here. See the set type definitions below.
+.P
+Any entry in a set can be bound to another set, which forms a relationship
+between a set element and the set it is bound to. In order to define a
+binding it is not required that the entry be already added to the set.
+The sets may have a default binding, which is valid for every set element
+for which there is no binding defined at all.
+.P
+IP set bindings pointing to sets and iptables matches and targets
+referring to sets creates references, which protects the given sets in
+the kernel. A set cannot be removed (destroyed) while there is a single
+reference pointing to it.
+.SH OPTIONS
+The options that are recognized by
+.B ipset
+can be divided into several different groups.
+.SS COMMANDS
+These options specify the specific action to perform. Only one of them
+can be specified on the command line unless otherwise specified
+below. For all the long versions of the command and option names, you
+need to use only enough letters to ensure that
+.B ipset
+can differentiate it from all other options.
+.TP
+.BI "-N, --create " "\fIsetname\fP type type-specific-options"
+Create a set identified with setname and specified type.
+Type-specific options must be supplied.
+.TP
+.BI "-X, --destroy " "[\fIsetname\fP]"
+Destroy the specified set, or all sets if none or the keyword
+.B
+:all:
+is specified.
+Before destroying the set, all bindings belonging to the
+set elements and the default binding of the set are removed.
+
+If the set has got references, nothing is done.
+.TP
+.BI "-F, --flush " "[\fIsetname\fP]"
+Delete all entries from the specified set, or flush
+all sets if none or the keyword
+.B
+:all:
+is given. Bindings are not affected by the flush operation.
+.TP
+.BI "-E, --rename " "\fIfrom-setname\fP \fIto-setname\fP"
+Rename a set. Set identified by to-setname must not exist.
+.TP
+.BI "-W, --swap " "\fIfrom-setname\fP \fIto-setname\fP"
+Swap two sets as they referenced in the Linux kernel.
+.B
+iptables
+rules or
+.B
+ipset
+bindings pointing to the content of from-setname will point to
+the content of to-setname and vice versa. Both sets must exist.
+.TP
+.BI "-L, --list " "[\fIsetname\fP]"
+List the entries and bindings for the specified set, or for
+all sets if none or the keyword
+.B
+:all:
+is given. The
+.B "-n, --numeric"
+option can be used to suppress name lookups and generate numeric
+output. When the
+.B "-s, --sorted"
+option is given, the entries are listed sorted (if the given set
+type supports the operation).
+.TP
+.BI "-S, --save " "[\fIsetname\fP]"
+Save the given set, or all sets if none or the keyword
+.B
+:all:
+is specified to stdout in a format that --restore can read.
+.TP
+.BI "-R, --restore "
+Restore a saved session generated by --save. The saved session
+can be fed from stdin.
+
+When generating a session file please note that the supported commands
+(create set, add element, bind) must appear in a strict order: first create
+the set, then add all elements. Then create the next set, add all its elements
+and so on. Finally you can list all binding commands. Also, it is a restore
+operation, so the sets being restored must not exist.
+.TP
+.BI "-A, --add " "\fIsetname\fP \fIIP\fP"
+Add an IP to a set.
+.TP
+.BI "-D, --del " "\fIsetname\fP \fIIP\fP"
+Delete an IP from a set.
+.TP
+.BI "-T, --test " "\fIsetname\fP \fIIP
+Test wether an IP is in a set or not. Exit status number is zero
+if the tested IP is in the set and nonzero if it is missing from
+the set.
+.TP
+.BI "-T, --test " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
+Test wether the IP belonging to the set points to the specified binding.
+Exit status number is zero if the binding points to the specified set,
+otherwise it is nonzero. The keyword
+.B
+:default:
+can be used to test the default binding of the set.
+.TP
+.BI "-B, --bind " "\fIsetname\fP \fIIP\fP \fI--binding\fP \fIto-setname\fP"
+Bind the IP in setname to to-setname.
+.TP
+.BI "-U, --unbind " "\fIsetname\fP \fIIP\fP"
+Delete the binding belonging to IP in set setname.
+.TP
+.BI "-H, --help " "[settype]"
+Print help and settype specific help if settype specified.
+.P
+At the
+.B
+-B, -U
+and
+.B
+-T
+commands you can use the token
+.B
+:default:
+to bind, unbind or test the default binding of a set instead
+of an IP. At the
+.B
+-U
+command you can use the token
+.B
+:all:
+to destroy the bindings of all elements of a set.
+.SS "OTHER OPTIONS"
+The following additional options can be specified:
+.TP
+.B "-b, --binding setname"
+The option specifies the value of the binding for the
+.B "-B"
+binding command, for which it is a mandatory option.
+You can use it in the
+.B "-T"
+test command as well to test bindings.
+.TP
+.B "-s, --sorted"
+Sorted output. When listing sets, entries are listed sorted.
+.TP
+.B "-n, --numeric"
+Numeric output. When listing sets, bindings, IP addresses and
+port numbers will be printed in numeric format. By default the
+program will try to display them as host names, network names
+or services (whenever applicable), which can trigger
+.B
+slow
+DNS
+lookups.
+.TP
+.B "-q, --quiet"
+Suppress any output to stdout and stderr. ipset will still return
+possible errors.
+.SH SET TYPES
+ipset supports the following set types:
+.SS ipmap
+The ipmap set type uses a memory range, where each bit represents
+one IP address. An ipmap set can store up to 65536 (B-class network)
+IP addresses. The ipmap set type is very fast and memory cheap, great
+for use when one want to match certain IPs in a range. Using the
+.B "--netmask"
+option with a CIDR netmask value between 0-32 when creating an ipmap
+set, you will be able to store and match network addresses: i.e an
+IP address will be in the set if the value resulted by masking the address
+with the specified netmask can be found in the set.
+.P
+Options to use when creating an ipmap set:
+.TP
+.BR "--from " from-IP
+.TP
+.BR "--to " to-IP
+Create an ipmap set from the specified range.
+.TP
+.BR "--network " IP/mask
+Create an ipmap set from the specified network.
+.TP
+.BR "--netmask " CIDR-netmask
+When the optional
+.B "--netmask"
+parameter specified, network addresses will be
+stored in the set instead of IP addresses, and the from-IP parameter
+must be a network address.
+.SS macipmap
+The macipmap set type uses a memory range, where each 8 bytes
+represents one IP and a MAC addresses. A macipmap set type can store
+up to 65536 (B-class network) IP addresses with MAC.
+When adding an entry to a macipmap set, you must specify the entry as
+.I IP%MAC.
+When deleting or testing macipmap entries, the
+.I %MAC
+part is not mandatory.
+.P
+Options to use when creating an macipmap set:
+.TP
+.BR "--from " from-IP
+.TP
+.BR "--to " to-IP
+Create a macipmap set from the specified range.
+.TP
+.BR "--network " IP/mask
+Create a macipmap set from the specified network.
+.TP
+.BR "--matchunset"
+When the optional
+.B "--matchunset"
+parameter specified, IP addresses which could be stored
+in the set but not set yet, will always match.
+.P
+Please note, the
+.I
+set
+and
+.I
+SET
+netfilter kernel modules
+.B
+always
+use the source MAC address from the packet to match, add or delete
+entries from a macipmap type of set.
+.SS portmap
+The portmap set type uses a memory range, where each bit represents
+one port. A portmap set type can store up to 65536 ports.
+The portmap set type is very fast and memory cheap.
+.P
+Options to use when creating an portmap set:
+.TP
+.BR "--from " from-port
+.TP
+.BR "--to " to-port
+Create a portmap set from the specified range.
+.SS iphash
+The iphash set type uses a hash to store IP addresses.
+In order to avoid clashes in the hash double-hashing, and as a last
+resort, dynamic growing of the hash performed. The iphash set type is
+great to store random addresses. By supplyig the
+.B "--netmask"
+option with a CIDR netmask value between 0-32 at creating the set,
+you will be able to store and match network addresses instead: i.e
+an IP address will be in the set if the value of the address
+masked with the specified netmask can be found in the set.
+.P
+Options to use when creating an iphash set:
+.TP
+.BR "--hashsize " hashsize
+The initial hash size (default 1024)
+.TP
+.BR "--probes " probes
+How many times try to resolve clashing at adding an IP to the hash
+by double-hashing (default 8).
+.TP
+.BR "--resize " percent
+Increase the hash size by this many percent (default 50) when adding
+an IP to the hash could not be performed after
+.B
+probes
+number of double-hashing.
+.TP
+.BR "--netmask " CIDR-netmask
+When the optional
+.B "--netmask"
+parameter specified, network addresses will be
+stored in the set instead of IP addresses.
+.P
+Sets created by zero valued resize parameter won't be resized at all.
+The lookup time in an iphash type of set approximately linearly grows with
+the value of the
+.B
+probes
+parameter. At the same time higher
+.B
+probes
+values result a better utilized hash while smaller values
+produce a larger, sparse hash.
+.SS nethash
+The nethash set type uses a hash to store different size of
+network addresses. The
+.I
+IP
+"address" used in the ipset commands must be in the form
+.I
+IP-address/cidr-size
+where the CIDR block size must be in the inclusive range of 1-31.
+In order to avoid clashes in the hash
+double-hashing, and as a last resort, dynamic growing of the hash performed.
+.P
+Options to use when creating an nethash set:
+.TP
+.BR "--hashsize " hashsize
+The initial hash size (default 1024)
+.TP
+.BR "--probes " probes
+How many times try to resolve clashing at adding an IP to the hash
+by double-hashing (default 4).
+.TP
+.BR "--resize " percent
+Increase the hash size by this many percent (default 50) when adding
+an IP to the hash could not be performed after
+.P
+An IP address will be in a nethash type of set if it is in any of the
+netblocks added to the set and the matching always start from the smallest
+size of netblock (most specific netmask) to the biggest ones (least
+specific netmasks). When adding/deleting IP addresses
+to a nethash set by the
+.I
+SET
+netfilter kernel module, it will be added/deleted by the smallest
+netblock size which can be found in the set.
+.P
+The lookup time in a nethash type of set is approximately linearly
+grows with the times of the
+.B
+probes
+parameter and the number of different mask parameters in the hash.
+Otherwise the same speed and memory efficiency comments applies here
+as at the iphash type.
+.SS ipporthash
+The ipporthash set type uses a hash to store IP address and port pairs.
+In order to avoid clashes in the hash double-hashing, and as a last
+resort, dynamic growing of the hash performed. An ipporthash set can
+store up to 65536 (B-class network) IP addresses with all possible port
+values. When adding, deleting and testing values in an ipporthash type of
+set, the entries must be specified as
+.B
+"IP%port".
+.P
+The ipporthash types of sets evaluates two src/dst parameters of the
+.I
+set
+match and
+.I
+SET
+target.
+.P
+Options to use when creating an ipporthash set:
+.TP
+.BR "--from " from-IP
+.TP
+.BR "--to " to-IP
+Create an ipporthash set from the specified range.
+.TP
+.BR "--network " IP/mask
+Create an ipporthash set from the specified network.
+.TP
+.BR "--hashsize " hashsize
+The initial hash size (default 1024)
+.TP
+.BR "--probes " probes
+How many times try to resolve clashing at adding an IP to the hash
+by double-hashing (default 8).
+.TP
+.BR "--resize " percent
+Increase the hash size by this many percent (default 50) when adding
+an IP to the hash could not be performed after
+.B
+probes
+number of double-hashing.
+.P
+The same resizing, speed and memory efficiency comments applies here
+as at the iphash type.
+.SS iptree
+The iptree set type uses a tree to store IP addresses, optionally
+with timeout values.
+.P
+Options to use when creating an iptree set:
+.TP
+.BR "--timeout " value
+The timeout value for the entries in seconds (default 0)
+.P
+If a set was created with a nonzero valued
+.B "--timeout"
+parameter then one may add IP addresses to the set with a specific
+timeout value using the syntax
+.I IP%timeout-value.
+.SH GENERAL RESTRICTIONS
+Setnames starting with colon (:) cannot be defined. Zero valued set
+entries cannot be used with hash type of sets.
+.SH COMMENTS
+If you want to store same size subnets from a given network
+(say /24 blocks from a /8 network), use the ipmap set type.
+If you want to store random same size networks (say random /24 blocks),
+use the iphash set type. If you have got random size of netblocks,
+use nethash.
+.SH DIAGNOSTICS
+Various error messages are printed to standard error. The exit code
+is 0 for correct functioning. Errors which appear to be caused by
+invalid or abused command line parameters cause an exit code of 2, and
+other errors cause an exit code of 1.
+.SH BUGS
+Bugs? No, just funny features. :-)
+OK, just kidding...
+.SH SEE ALSO
+.BR iptables (8),
+.SH AUTHORS
+Jozsef Kadlecsik wrote ipset, which is based on ippool by
+Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
+.\" .. and did I mention that we are incredibly cool people?
+.\" .. sexy, too ..
+.\" .. witty, charming, powerful ..
+.\" .. and most of all, modest ..
--- /dev/null
+/* Copyright 2000-2002 Joakim Axelsson (gozem@linux.nu)
+ * Patrick Schaaf (bof@bof.de)
+ * Copyright 2003-2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <time.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <arpa/inet.h>
+#include <stdarg.h>
+#include <netdb.h>
+#include <dlfcn.h>
+#include <asm/bitops.h>
+
+#include "ipset.h"
+
+char program_name[] = "ipset";
+char program_version[] = IPSET_VERSION;
+
+/* The list of loaded set types */
+static struct settype *all_settypes = NULL;
+
+/* Array of sets */
+struct set **set_list = NULL;
+ip_set_id_t max_sets = 0;
+
+/* Suppress output to stdout and stderr? */
+static int option_quiet = 0;
+
+/* Data for restore mode */
+static int restore = 0;
+void *restore_data = NULL;
+struct ip_set_restore *restore_set = NULL;
+size_t restore_offset = 0, restore_size;
+unsigned line = 0;
+
+#define TEMPFILE_PATTERN "/ipsetXXXXXX"
+
+#ifdef IPSET_DEBUG
+int option_debug = 0;
+#endif
+
+#define OPTION_OFFSET 256
+static unsigned int global_option_offset = 0;
+
+/* Most of these command parsing functions are borrowed from iptables.c */
+
+static const char cmdflags[] = { ' ', /* CMD_NONE */
+ 'N', 'X', 'F', 'E', 'W', 'L', 'S', 'R',
+ 'A', 'D', 'T', 'B', 'U', 'H', 'V',
+};
+
+/* Options */
+#define OPT_NONE 0x0000U
+#define OPT_NUMERIC 0x0001U /* -n */
+#define OPT_SORTED 0x0002U /* -s */
+#define OPT_QUIET 0x0004U /* -q */
+#define OPT_DEBUG 0x0008U /* -z */
+#define OPT_BINDING 0x0010U /* -b */
+#define NUMBER_OF_OPT 5
+static const char optflags[] =
+ { 'n', 's', 'q', 'z', 'b' };
+
+static struct option opts_long[] = {
+ /* set operations */
+ {"create", 1, 0, 'N'},
+ {"destroy", 2, 0, 'X'},
+ {"flush", 2, 0, 'F'},
+ {"rename", 1, 0, 'E'},
+ {"swap", 1, 0, 'W'},
+ {"list", 2, 0, 'L'},
+
+ {"save", 2, 0, 'S'},
+ {"restore", 0, 0, 'R'},
+
+ /* ip in set operations */
+ {"add", 1, 0, 'A'},
+ {"del", 1, 0, 'D'},
+ {"test", 1, 0, 'T'},
+
+ /* binding operations */
+ {"bind", 1, 0, 'B'},
+ {"unbind", 1, 0, 'U'},
+
+ /* free options */
+ {"numeric", 0, 0, 'n'},
+ {"sorted", 0, 0, 's'},
+ {"quiet", 0, 0, 'q'},
+ {"binding", 1, 0, 'b'},
+
+#ifdef IPSET_DEBUG
+ /* debug (if compiled with it) */
+ {"debug", 0, 0, 'z'},
+#endif
+
+ /* version and help */
+ {"version", 0, 0, 'V'},
+ {"help", 2, 0, 'H'},
+
+ /* end */
+ {0}
+};
+
+static char opts_short[] =
+ "-N:X::F::E:W:L::S::RA:D:T:B:U:nsqzb:Vh::H::";
+
+/* Table of legal combinations of commands and options. If any of the
+ * given commands make an option legal, that option is legal.
+ * Key:
+ * + compulsory
+ * x illegal
+ * optional
+ */
+
+static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] = {
+ /* -n -s -q -z -b */
+ /*CREATE*/ {'x', 'x', ' ', ' ', 'x'},
+ /*DESTROY*/ {'x', 'x', ' ', ' ', 'x'},
+ /*FLUSH*/ {'x', 'x', ' ', ' ', 'x'},
+ /*RENAME*/ {'x', 'x', ' ', ' ', 'x'},
+ /*SWAP*/ {'x', 'x', ' ', ' ', 'x'},
+ /*LIST*/ {' ', ' ', 'x', ' ', 'x'},
+ /*SAVE*/ {'x', 'x', ' ', ' ', 'x'},
+ /*RESTORE*/ {'x', 'x', ' ', ' ', 'x'},
+ /*ADD*/ {'x', 'x', ' ', ' ', 'x'},
+ /*DEL*/ {'x', 'x', ' ', ' ', 'x'},
+ /*TEST*/ {'x', 'x', ' ', ' ', ' '},
+ /*BIND*/ {'x', 'x', ' ', ' ', '+'},
+ /*UNBIND*/ {'x', 'x', ' ', ' ', 'x'},
+ /*HELP*/ {'x', 'x', 'x', ' ', 'x'},
+ /*VERSION*/ {'x', 'x', 'x', ' ', 'x'},
+};
+
+/* Main parser function */
+int parse_commandline(int argc, char *argv[]);
+
+void exit_tryhelp(int status)
+{
+ fprintf(stderr,
+ "Try `%s -H' or '%s --help' for more information.\n",
+ program_name, program_name);
+ exit(status);
+}
+
+void exit_error(enum exittype status, char *msg, ...)
+{
+ va_list args;
+
+ if (!option_quiet) {
+ va_start(args, msg);
+ fprintf(stderr, "%s v%s: ", program_name, program_version);
+ vfprintf(stderr, msg, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ if (line)
+ fprintf(stderr, "Restore failed at line %u:\n", line);
+ if (status == PARAMETER_PROBLEM)
+ exit_tryhelp(status);
+ if (status == VERSION_PROBLEM)
+ fprintf(stderr,
+ "Perhaps %s or your kernel needs to be upgraded.\n",
+ program_name);
+ }
+
+ exit(status);
+}
+
+void ipset_printf(char *msg, ...)
+{
+ va_list args;
+
+ if (!option_quiet) {
+ va_start(args, msg);
+ vfprintf(stdout, msg, args);
+ va_end(args);
+ fprintf(stdout, "\n");
+ }
+}
+
+static void generic_opt_check(int command, int options)
+{
+ int i, j, legal = 0;
+
+ /* Check that commands are valid with options. Complicated by the
+ * fact that if an option is legal with *any* command given, it is
+ * legal overall (ie. -z and -l).
+ */
+ for (i = 0; i < NUMBER_OF_OPT; i++) {
+ legal = 0; /* -1 => illegal, 1 => legal, 0 => undecided. */
+
+ for (j = 1; j <= NUMBER_OF_CMD; j++) {
+ if (command != j)
+ continue;
+
+ if (!(options & (1 << i))) {
+ if (commands_v_options[j-1][i] == '+')
+ exit_error(PARAMETER_PROBLEM,
+ "You need to supply the `-%c' "
+ "option for this command\n",
+ optflags[i]);
+ } else {
+ if (commands_v_options[j-1][i] != 'x')
+ legal = 1;
+ else if (legal == 0)
+ legal = -1;
+ }
+ }
+ if (legal == -1)
+ exit_error(PARAMETER_PROBLEM,
+ "Illegal option `-%c' with this command\n",
+ optflags[i]);
+ }
+}
+
+static char opt2char(int option)
+{
+ const char *ptr;
+ for (ptr = optflags; option > 1; option >>= 1, ptr++);
+
+ return *ptr;
+}
+
+static char cmd2char(int option)
+{
+ if (option <= CMD_NONE || option > NUMBER_OF_CMD)
+ return ' ';
+
+ return cmdflags[option];
+}
+
+static int kernel_getsocket(void)
+{
+ int sockfd = -1;
+
+ sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ if (sockfd < 0)
+ exit_error(OTHER_PROBLEM,
+ "You need to be root to perform this command.");
+
+ return sockfd;
+}
+
+static void kernel_error(unsigned cmd, int err)
+{
+ unsigned int i;
+ struct translate_error {
+ int err;
+ unsigned cmd;
+ char *message;
+ } table[] =
+ { /* Generic error codes */
+ { EPERM, 0, "Missing capability" },
+ { EBADF, 0, "Invalid socket option" },
+ { EINVAL, 0, "Size mismatch for expected socket data" },
+ { ENOMEM, 0, "Not enough memory" },
+ { EFAULT, 0, "Failed to copy data" },
+ { EPROTO, 0, "ipset kernel/userspace version mismatch" },
+ { EBADMSG, 0, "Unknown command" },
+ /* Per command error codes */
+ /* Reserved ones for add/del/test to handle internally:
+ * EEXIST
+ */
+ { ENOENT, CMD_CREATE, "Unknown set type" },
+ { ENOENT, 0, "Unknown set" },
+ { EAGAIN, 0, "Sets are busy, try again later" },
+ { ERANGE, CMD_CREATE, "No free slot remained to add a new set" },
+ { ERANGE, 0, "IP/port is outside of the set" },
+ { ENOEXEC, CMD_CREATE, "Invalid parameters to create a set" },
+ { ENOEXEC, CMD_SWAP, "Sets with different types cannot be swapped" },
+ { EEXIST, CMD_CREATE, "Set already exists" },
+ { EEXIST, CMD_RENAME, "Set with new name already exists" },
+ { EBUSY, 0, "Set is in use, operation not permitted" },
+ };
+ for (i = 0; i < sizeof(table)/sizeof(struct translate_error); i++) {
+ if ((table[i].cmd == cmd || table[i].cmd == 0)
+ && table[i].err == err)
+ exit_error(err == EPROTO ? VERSION_PROBLEM
+ : OTHER_PROBLEM,
+ table[i].message);
+ }
+ exit_error(OTHER_PROBLEM, "Error from kernel: %s", strerror(err));
+}
+
+static void kernel_getfrom(unsigned cmd, void *data, size_t * size)
+{
+ int res;
+ int sockfd = kernel_getsocket();
+
+ /* Send! */
+ res = getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
+
+ DP("res=%d errno=%d", res, errno);
+
+ if (res != 0)
+ kernel_error(cmd, errno);
+}
+
+static int kernel_sendto_handleerrno(unsigned cmd, unsigned op,
+ void *data, size_t size)
+{
+ int res;
+ int sockfd = kernel_getsocket();
+
+ /* Send! */
+ res = setsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
+
+ DP("res=%d errno=%d", res, errno);
+
+ if (res != 0) {
+ if (errno == EEXIST)
+ return -1;
+ else
+ kernel_error(cmd, errno);
+ }
+
+ return 0; /* all ok */
+}
+
+static void kernel_sendto(unsigned cmd, void *data, size_t size)
+{
+ int res;
+ int sockfd = kernel_getsocket();
+
+ /* Send! */
+ res = setsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
+
+ DP("res=%d errno=%d", res, errno);
+
+ if (res != 0)
+ kernel_error(cmd, errno);
+}
+
+static int kernel_getfrom_handleerrno(unsigned cmd, void *data, size_t * size)
+{
+ int res;
+ int sockfd = kernel_getsocket();
+
+ /* Send! */
+ res = getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
+
+ DP("res=%d errno=%d", res, errno);
+
+ if (res != 0) {
+ if (errno == EAGAIN)
+ return -1;
+ else
+ kernel_error(cmd, errno);
+ }
+
+ return 0; /* all ok */
+}
+
+static void check_protocolversion(void)
+{
+ struct ip_set_req_version req_version;
+ size_t size = sizeof(struct ip_set_req_version);
+ int sockfd = kernel_getsocket();
+ int res;
+
+ req_version.op = IP_SET_OP_VERSION;
+ res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req_version, &size);
+
+ if (res != 0) {
+ ipset_printf("I'm of protocol version %u.\n"
+ "Kernel module is not loaded in, "
+ "cannot verify kernel version.",
+ IP_SET_PROTOCOL_VERSION);
+ return;
+ }
+ if (req_version.version != IP_SET_PROTOCOL_VERSION)
+ exit_error(OTHER_PROBLEM,
+ "Kernel ipset code is of protocol version %u."
+ "I'm of protocol version %u.\n"
+ "Please upgrade your kernel and/or ipset(8) utillity.",
+ req_version.version, IP_SET_PROTOCOL_VERSION);
+}
+
+static void set_command(int *cmd, const int newcmd)
+{
+ if (*cmd != CMD_NONE)
+ exit_error(PARAMETER_PROBLEM, "Can't use -%c with -%c\n",
+ cmd2char(*cmd), cmd2char(newcmd));
+ *cmd = newcmd;
+}
+
+static void add_option(unsigned int *options, unsigned int option)
+{
+ if (*options & option)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple -%c flags not allowed",
+ opt2char(option));
+ *options |= option;
+}
+
+void *ipset_malloc(size_t size)
+{
+ void *p;
+
+ if (size == 0)
+ return NULL;
+
+ if ((p = malloc(size)) == NULL) {
+ perror("ipset: not enough memory");
+ exit(1);
+ }
+ return p;
+}
+
+char *ipset_strdup(const char *s)
+{
+ char *p;
+
+ if ((p = strdup(s)) == NULL) {
+ perror("ipset: not enough memory");
+ exit(1);
+ }
+ return p;
+}
+
+void ipset_free(void **data)
+{
+ if (*data == NULL)
+ return;
+
+ free(*data);
+ *data = NULL;
+}
+
+static struct option *merge_options(struct option *oldopts,
+ const struct option *newopts,
+ unsigned int *option_offset)
+{
+ unsigned int num_old, num_new, i;
+ struct option *merge;
+
+ for (num_old = 0; oldopts[num_old].name; num_old++);
+ for (num_new = 0; newopts[num_new].name; num_new++);
+
+ global_option_offset += OPTION_OFFSET;
+ *option_offset = global_option_offset;
+
+ merge = ipset_malloc(sizeof(struct option) * (num_new + num_old + 1));
+ memcpy(merge, oldopts, num_old * sizeof(struct option));
+ for (i = 0; i < num_new; i++) {
+ merge[num_old + i] = newopts[i];
+ merge[num_old + i].val += *option_offset;
+ }
+ memset(merge + num_old + num_new, 0, sizeof(struct option));
+
+ return merge;
+}
+
+static char *ip_tohost(const struct in_addr *addr)
+{
+ struct hostent *host;
+
+ if ((host = gethostbyaddr((char *) addr,
+ sizeof(struct in_addr),
+ AF_INET)) != NULL) {
+ DP("%s", host->h_name);
+ return (char *) host->h_name;
+ }
+
+ return (char *) NULL;
+}
+
+static char *ip_tonetwork(const struct in_addr *addr)
+{
+ struct netent *net;
+
+ if ((net = getnetbyaddr((long) ntohl(addr->s_addr),
+ AF_INET)) != NULL) {
+ DP("%s", net->n_name);
+ return (char *) net->n_name;
+ }
+
+ return (char *) NULL;
+}
+
+/* Return a string representation of an IP address.
+ * Please notice that a pointer to static char* area is returned.
+ */
+char *ip_tostring(ip_set_ip_t ip, unsigned options)
+{
+ struct in_addr addr;
+ addr.s_addr = htonl(ip);
+
+ if (!(options & OPT_NUMERIC)) {
+ char *name;
+ if ((name = ip_tohost(&addr)) != NULL ||
+ (name = ip_tonetwork(&addr)) != NULL)
+ return name;
+ }
+
+ return inet_ntoa(addr);
+}
+
+char *binding_ip_tostring(struct set *set, ip_set_ip_t ip, unsigned options)
+{
+ return ip_tostring(ip, options);
+}
+char *ip_tostring_numeric(ip_set_ip_t ip)
+{
+ return ip_tostring(ip, OPT_NUMERIC);
+}
+
+/* Fills the 'ip' with the parsed ip or host in host byte order */
+void parse_ip(const char *str, ip_set_ip_t * ip)
+{
+ struct hostent *host;
+ struct in_addr addr;
+
+ DP("%s", str);
+
+ if (inet_aton(str, &addr) != 0) {
+ *ip = ntohl(addr.s_addr); /* We want host byte order */
+ return;
+ }
+
+ host = gethostbyname(str);
+ if (host != NULL) {
+ if (host->h_addrtype != AF_INET ||
+ host->h_length != sizeof(struct in_addr))
+ exit_error(PARAMETER_PROBLEM,
+ "host/network `%s' not an internet name",
+ str);
+ if (host->h_addr_list[1] != 0)
+ exit_error(PARAMETER_PROBLEM,
+ "host/network `%s' resolves to serveral ip-addresses. "
+ "Please specify one.", str);
+
+ *ip = ntohl(((struct in_addr *) host->h_addr_list[0])->s_addr);
+ return;
+ }
+
+ exit_error(PARAMETER_PROBLEM, "host/network `%s' not found", str);
+}
+
+/* Fills 'mask' with the parsed mask in host byte order */
+void parse_mask(const char *str, ip_set_ip_t * mask)
+{
+ struct in_addr addr;
+ unsigned int bits;
+
+ DP("%s", str);
+
+ if (str == NULL) {
+ /* no mask at all defaults to 32 bits */
+ *mask = 0xFFFFFFFF;
+ return;
+ }
+ if (strchr(str, '.') && inet_aton(str, &addr) != 0) {
+ *mask = ntohl(addr.s_addr); /* We want host byte order */
+ return;
+ }
+ if (sscanf(str, "%d", &bits) != 1 || bits < 0 || bits > 32)
+ exit_error(PARAMETER_PROBLEM,
+ "invalid mask `%s' specified", str);
+
+ DP("bits: %d", bits);
+
+ *mask = bits != 0 ? 0xFFFFFFFF << (32 - bits) : 0L;
+}
+
+/* Combines parse_ip and parse_mask */
+void
+parse_ipandmask(const char *str, ip_set_ip_t * ip, ip_set_ip_t * mask)
+{
+ char buf[256];
+ char *p;
+
+ strncpy(buf, str, sizeof(buf) - 1);
+ buf[255] = '\0';
+
+ if ((p = strrchr(buf, '/')) != NULL) {
+ *p = '\0';
+ parse_mask(p + 1, mask);
+ } else
+ parse_mask(NULL, mask);
+
+ /* if a null mask is given, the name is ignored, like in "any/0" */
+ if (*mask == 0U)
+ *ip = 0U;
+ else
+ parse_ip(buf, ip);
+
+ DP("%s ip: %08X (%s) mask: %08X",
+ str, *ip, ip_tostring_numeric(*ip), *mask);
+
+ /* Apply the netmask */
+ *ip &= *mask;
+
+ DP("%s ip: %08X (%s) mask: %08X",
+ str, *ip, ip_tostring_numeric(*ip), *mask);
+}
+
+/* Return a string representation of a port
+ * Please notice that a pointer to static char* area is returned
+ * and we assume TCP protocol.
+ */
+char *port_tostring(ip_set_ip_t port, unsigned options)
+{
+ struct servent *service;
+ static char name[] = "65535";
+
+ if (!(options & OPT_NUMERIC)) {
+ if ((service = getservbyport(htons(port), "tcp")))
+ return service->s_name;
+ }
+ sprintf(name, "%u", port);
+ return name;
+}
+
+int
+string_to_number(const char *str, unsigned int min, unsigned int max,
+ ip_set_ip_t *port)
+{
+ long number;
+ char *end;
+
+ /* Handle hex, octal, etc. */
+ errno = 0;
+ number = strtol(str, &end, 0);
+ if (*end == '\0' && end != str) {
+ /* we parsed a number, let's see if we want this */
+ if (errno != ERANGE && min <= number && number <= max) {
+ *port = number;
+ return 0;
+ }
+ }
+ return -1;
+}
+
+static int
+string_to_port(const char *str, ip_set_ip_t *port)
+{
+ struct servent *service;
+
+ if ((service = getservbyname(str, "tcp")) != NULL) {
+ *port = ntohs((unsigned short) service->s_port);
+ return 0;
+ }
+
+ return -1;
+}
+
+/* Fills the 'ip' with the parsed port in host byte order */
+void parse_port(const char *str, ip_set_ip_t *port)
+{
+ if ((string_to_number(str, 0, 65535, port) != 0)
+ && (string_to_port(str, port) != 0))
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid TCP port `%s' specified", str);
+}
+
+/*
+ * Settype functions
+ */
+static struct settype *settype_find(const char *typename)
+{
+ struct settype *runner = all_settypes;
+
+ DP("%s", typename);
+
+ while (runner != NULL) {
+ if (strncmp(runner->typename, typename,
+ IP_SET_MAXNAMELEN) == 0)
+ return runner;
+
+ runner = runner->next;
+ }
+
+ return NULL; /* not found */
+}
+
+static struct settype *settype_load(const char *typename)
+{
+ char path[sizeof(IPSET_LIB_DIR) + sizeof(IPSET_LIB_NAME) +
+ strlen(typename)];
+ struct settype *settype;
+
+ /* do some search in list */
+ settype = settype_find(typename);
+ if (settype != NULL)
+ return settype; /* found */
+
+ /* Else we have to load it */
+ sprintf(path, IPSET_LIB_DIR IPSET_LIB_NAME, typename);
+
+ if (dlopen(path, RTLD_NOW)) {
+ /* Found library. */
+
+ settype = settype_find(typename);
+
+ if (settype != NULL)
+ return settype;
+ }
+
+ /* Can't load the settype */
+ exit_error(PARAMETER_PROBLEM,
+ "Couldn't load settype `%s':%s\n",
+ typename, dlerror());
+
+ return NULL; /* Never executed, but keep compilers happy */
+}
+
+static char *check_set_name(char *setname)
+{
+ if (strlen(setname) > IP_SET_MAXNAMELEN - 1)
+ exit_error(PARAMETER_PROBLEM,
+ "Setname '%s' too long, max %d characters.",
+ setname, IP_SET_MAXNAMELEN - 1);
+
+ return setname;
+}
+
+static struct settype *check_set_typename(const char *typename)
+{
+ if (strlen(typename) > IP_SET_MAXNAMELEN - 1)
+ exit_error(PARAMETER_PROBLEM,
+ "Typename '%s' too long, max %d characters.",
+ typename, IP_SET_MAXNAMELEN - 1);
+
+ return settype_load(typename);
+}
+
+#define MAX(a,b) ((a) > (b) ? (a) : (b))
+
+/* Register a new set type */
+void settype_register(struct settype *settype)
+{
+ struct settype *chk;
+ size_t size;
+
+ DP("%s", settype->typename);
+
+ /* Check if this typename already exists */
+ chk = settype_find(settype->typename);
+
+ if (chk != NULL)
+ exit_error(OTHER_PROBLEM,
+ "Set type '%s' already registered!\n",
+ settype->typename);
+
+ /* Check version */
+ if (settype->protocol_version != IP_SET_PROTOCOL_VERSION)
+ exit_error(OTHER_PROBLEM,
+ "Set type %s is of wrong protocol version %u!"
+ " I'm of version %u.\n", settype->typename,
+ settype->protocol_version,
+ IP_SET_PROTOCOL_VERSION);
+
+ /* Initialize internal data */
+ settype->header = ipset_malloc(settype->header_size);
+ size = MAX(settype->create_size, settype->adt_size);
+ settype->data = ipset_malloc(size);
+
+ /* Insert first */
+ settype->next = all_settypes;
+ all_settypes = settype;
+
+ DP("%s registered", settype->typename);
+}
+
+/* Find set functions */
+static struct set *set_find_byid(ip_set_id_t id)
+{
+ struct set *set = NULL;
+ ip_set_id_t i;
+
+ for (i = 0; i < max_sets; i++)
+ if (set_list[i] && set_list[i]->id == id) {
+ set = set_list[i];
+ break;
+ }
+
+ if (set == NULL)
+ exit_error(PARAMETER_PROBLEM,
+ "Set identified by id %u is not found", id);
+ return set;
+}
+
+static struct set *set_find_byname(const char *name)
+{
+ struct set *set = NULL;
+ ip_set_id_t i;
+
+ for (i = 0; i < max_sets; i++)
+ if (set_list[i]
+ && strncmp(set_list[i]->name, name,
+ IP_SET_MAXNAMELEN) == 0) {
+ set = set_list[i];
+ break;
+ }
+ if (set == NULL)
+ exit_error(PARAMETER_PROBLEM,
+ "Set %s is not found", name);
+ return set;
+}
+
+static ip_set_id_t set_find_free_index(const char *name)
+{
+ ip_set_id_t i, index = IP_SET_INVALID_ID;
+
+ for (i = 0; i < max_sets; i++) {
+ if (index == IP_SET_INVALID_ID
+ && set_list[i] == NULL)
+ index = i;
+ if (set_list[i] != NULL
+ && strncmp(set_list[i]->name, name,
+ IP_SET_MAXNAMELEN) == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "Set %s is already defined, cannot be restored",
+ name);
+ }
+
+ if (index == IP_SET_INVALID_ID)
+ exit_error(PARAMETER_PROBLEM,
+ "Set %s cannot be restored, "
+ "max number of set %u reached",
+ name, max_sets);
+
+ return index;
+}
+
+/*
+ * Send create set order to kernel
+ */
+static void set_create(const char *name, struct settype *settype)
+{
+ struct ip_set_req_create req_create;
+ size_t size;
+ void *data;
+
+ DP("%s %s", name, settype->typename);
+
+ req_create.op = IP_SET_OP_CREATE;
+ req_create.version = IP_SET_PROTOCOL_VERSION;
+ strcpy(req_create.name, name);
+ strcpy(req_create.typename, settype->typename);
+
+ /* Final checks */
+ settype->create_final(settype->data, settype->flags);
+
+ /* Alloc memory for the data to send */
+ size = sizeof(struct ip_set_req_create) + settype->create_size;
+ data = ipset_malloc(size);
+
+ /* Add up ip_set_req_create and the settype data */
+ memcpy(data, &req_create, sizeof(struct ip_set_req_create));
+ memcpy(data + sizeof(struct ip_set_req_create),
+ settype->data, settype->create_size);
+
+ kernel_sendto(CMD_CREATE, data, size);
+ free(data);
+}
+
+static void set_restore_create(const char *name, struct settype *settype)
+{
+ struct set *set;
+
+ DP("%s %s %u %u %u %u", name, settype->typename,
+ restore_offset, sizeof(struct ip_set_restore),
+ settype->create_size, restore_size);
+
+ /* Sanity checking */
+ if (restore_offset
+ + sizeof(struct ip_set_restore)
+ + settype->create_size > restore_size)
+ exit_error(PARAMETER_PROBLEM,
+ "Giving up, restore file is screwed up!");
+
+ /* Final checks */
+ settype->create_final(settype->data, settype->flags);
+
+ /* Fill out restore_data */
+ restore_set = (struct ip_set_restore *)
+ (restore_data + restore_offset);
+ strcpy(restore_set->name, name);
+ strcpy(restore_set->typename, settype->typename);
+ restore_set->index = set_find_free_index(name);
+ restore_set->header_size = settype->create_size;
+ restore_set->members_size = 0;
+
+ DP("name %s, restore index %u", restore_set->name, restore_set->index);
+ /* Add settype data */
+
+ memcpy(restore_data + restore_offset + sizeof(struct ip_set_restore),
+ settype->data, settype->create_size);
+
+ restore_offset += sizeof(struct ip_set_restore)
+ + settype->create_size;
+
+ /* Add set to set_list */
+ set = ipset_malloc(sizeof(struct set));
+ strcpy(set->name, name);
+ set->settype = settype;
+ set->index = restore_set->index;
+ set_list[restore_set->index] = set;
+}
+
+/*
+ * Send destroy/flush order to kernel for one or all sets
+ */
+static void set_destroy(const char *name, unsigned op, unsigned cmd)
+{
+ struct ip_set_req_std req;
+
+ DP("%s %s", cmd == CMD_DESTROY ? "destroy" : "flush", name);
+
+ req.op = op;
+ req.version = IP_SET_PROTOCOL_VERSION;
+ strcpy(req.name, name);
+
+ kernel_sendto(cmd, &req, sizeof(struct ip_set_req_std));
+}
+
+/*
+ * Send rename/swap order to kernel
+ */
+static void set_rename(const char *name, const char *newname,
+ unsigned op, unsigned cmd)
+{
+ struct ip_set_req_create req;
+
+ DP("%s %s %s", cmd == CMD_RENAME ? "rename" : "swap",
+ name, newname);
+
+ req.op = op;
+ req.version = IP_SET_PROTOCOL_VERSION;
+ strcpy(req.name, name);
+ strcpy(req.typename, newname);
+
+ kernel_sendto(cmd, &req,
+ sizeof(struct ip_set_req_create));
+}
+
+/*
+ * Send MAX_SETS, LIST_SIZE and/or SAVE_SIZE orders to kernel
+ */
+static size_t load_set_list(const char name[IP_SET_MAXNAMELEN],
+ ip_set_id_t *index,
+ unsigned op, unsigned cmd)
+{
+ void *data = NULL;
+ struct ip_set_req_max_sets req_max_sets;
+ struct ip_set_name_list *name_list;
+ struct set *set;
+ ip_set_id_t i;
+ size_t size, req_size;
+ int repeated = 0, res = 0;
+
+ DP("%s %s", cmd == CMD_MAX_SETS ? "MAX_SETS"
+ : cmd == CMD_LIST_SIZE ? "LIST_SIZE"
+ : "SAVE_SIZE",
+ name);
+
+tryagain:
+ if (set_list) {
+ for (i = 0; i < max_sets; i++)
+ if (set_list[i])
+ free(set_list[i]);
+ free(set_list);
+ set_list = NULL;
+ }
+ /* Get max_sets */
+ req_max_sets.op = IP_SET_OP_MAX_SETS;
+ req_max_sets.version = IP_SET_PROTOCOL_VERSION;
+ strcpy(req_max_sets.set.name, name);
+ size = sizeof(req_max_sets);
+ kernel_getfrom(CMD_MAX_SETS, &req_max_sets, &size);
+
+ DP("got MAX_SETS: sets %d, max_sets %d",
+ req_max_sets.sets, req_max_sets.max_sets);
+
+ max_sets = req_max_sets.max_sets;
+ set_list = ipset_malloc(max_sets * sizeof(struct set *));
+ memset(set_list, 0, max_sets * sizeof(struct set *));
+ *index = req_max_sets.set.index;
+
+ if (req_max_sets.sets == 0)
+ /* No sets in kernel */
+ return 0;
+
+ /* Get setnames */
+ size = req_size = sizeof(struct ip_set_req_setnames)
+ + req_max_sets.sets * sizeof(struct ip_set_name_list);
+ data = ipset_malloc(size);
+ ((struct ip_set_req_setnames *) data)->op = op;
+ ((struct ip_set_req_setnames *) data)->index = *index;
+
+ res = kernel_getfrom_handleerrno(cmd, data, &size);
+
+ if (res != 0 || size != req_size) {
+ free(data);
+ if (repeated++ < LIST_TRIES)
+ goto tryagain;
+ exit_error(OTHER_PROBLEM,
+ "Tried to get sets from kernel %d times"
+ " and failed. Please try again when the load on"
+ " the sets has gone down.", LIST_TRIES);
+ }
+
+ /* Load in setnames */
+ size = sizeof(struct ip_set_req_setnames);
+ while (size + sizeof(struct ip_set_name_list) <= req_size) {
+ name_list = (struct ip_set_name_list *)
+ (data + size);
+ set = ipset_malloc(sizeof(struct set));
+ strcpy(set->name, name_list->name);
+ set->index = name_list->index;
+ set->id = name_list->id;
+ set->settype = settype_load(name_list->typename);
+ set_list[name_list->index] = set;
+ DP("loaded %s, type %s, index %u",
+ set->name, set->settype->typename, set->index);
+ size += sizeof(struct ip_set_name_list);
+ }
+ /* Size to get set members, bindings */
+ size = ((struct ip_set_req_setnames *)data)->size;
+ free(data);
+
+ return size;
+}
+
+/*
+ * Save operation
+ */
+static size_t save_bindings(void *data, size_t offset, size_t len)
+{
+ struct ip_set_hash_save *hash =
+ (struct ip_set_hash_save *) (data + offset);
+ struct set *set;
+
+ DP("offset %u, len %u", offset, len);
+ if (offset + sizeof(struct ip_set_hash_save) > len)
+ exit_error(OTHER_PROBLEM,
+ "Save operation failed, try again later.");
+
+ set = set_find_byid(hash->id);
+ if (!(set && set_list[hash->binding]))
+ exit_error(OTHER_PROBLEM,
+ "Save binding failed, try again later.");
+ printf("-B %s %s -b %s\n",
+ set->name,
+ set->settype->bindip_tostring(set, hash->ip, OPT_NUMERIC),
+ set_list[hash->binding]->name);
+
+ return sizeof(struct ip_set_hash_save);
+}
+
+static size_t save_set(void *data, int *bindings,
+ size_t offset, size_t len)
+{
+ struct ip_set_save *set_save =
+ (struct ip_set_save *) (data + offset);
+ struct set *set;
+ struct settype *settype;
+ size_t used;
+
+ DP("offset %u, len %u", offset, len);
+ if (offset + sizeof(struct ip_set_save) > len
+ || offset + sizeof(struct ip_set_save)
+ + set_save->header_size + set_save->members_size > len)
+ exit_error(OTHER_PROBLEM,
+ "Save operation failed, try again later.");
+
+ if (set_save->index == IP_SET_INVALID_ID) {
+ /* Marker */
+ *bindings = 1;
+ return sizeof(struct ip_set_save);
+ }
+ set = set_list[set_save->index];
+ if (!set)
+ exit_error(OTHER_PROBLEM,
+ "Save set failed, try again later.");
+ settype = set->settype;
+
+ /* Init set header */
+ used = sizeof(struct ip_set_save);
+ settype->initheader(set, data + offset + used);
+
+ /* Print create set */
+ settype->saveheader(set, OPT_NUMERIC);
+
+ /* Print add IPs */
+ used += set_save->header_size;
+ settype->saveips(set, data + offset + used,
+ set_save->members_size, OPT_NUMERIC);
+
+ return (used + set_save->members_size);
+}
+
+static size_t save_default_bindings(void *data, int *bindings)
+{
+ struct ip_set_save *set_save = (struct ip_set_save *) data;
+ struct set *set;
+
+ if (set_save->index == IP_SET_INVALID_ID) {
+ /* Marker */
+ *bindings = 1;
+ return sizeof(struct ip_set_save);
+ }
+
+ set = set_list[set_save->index];
+ DP("%s, binding %u", set->name, set_save->binding);
+ if (set_save->binding != IP_SET_INVALID_ID) {
+ if (!set_list[set_save->binding])
+ exit_error(OTHER_PROBLEM,
+ "Save set failed, try again later.");
+
+ printf("-B %s %s -b %s\n",
+ set->name, IPSET_TOKEN_DEFAULT,
+ set_list[set_save->binding]->name);
+ }
+ return (sizeof(struct ip_set_save)
+ + set_save->header_size
+ + set_save->members_size);
+}
+
+static int try_save_sets(const char name[IP_SET_MAXNAMELEN])
+{
+ void *data = NULL;
+ size_t size, req_size = 0;
+ ip_set_id_t index;
+ int res = 0, bindings = 0;
+ time_t now = time(NULL);
+
+ /* Load set_list from kernel */
+ size = load_set_list(name, &index,
+ IP_SET_OP_SAVE_SIZE, CMD_SAVE);
+
+ if (size) {
+ /* Get sets, bindings and print them */
+ /* Take into account marker */
+ req_size = (size += sizeof(struct ip_set_save));
+ data = ipset_malloc(size);
+ ((struct ip_set_req_list *) data)->op = IP_SET_OP_SAVE;
+ ((struct ip_set_req_list *) data)->index = index;
+ res = kernel_getfrom_handleerrno(CMD_SAVE, data, &size);
+
+ if (res != 0 || size != req_size) {
+ free(data);
+ return -EAGAIN;
+ }
+ }
+
+ printf("# Generated by ipset %s on %s", IPSET_VERSION, ctime(&now));
+ size = 0;
+ while (size < req_size) {
+ DP("size: %u, req_size: %u", size, req_size);
+ if (bindings)
+ size += save_bindings(data, size, req_size);
+ else
+ size += save_set(data, &bindings, size, req_size);
+ }
+ /* Re-read data to save default bindings */
+ bindings = 0;
+ size = 0;
+ while (size < req_size && bindings == 0)
+ size += save_default_bindings(data + size, &bindings);
+
+ printf("COMMIT\n");
+ now = time(NULL);
+ printf("# Completed on %s", ctime(&now));
+ ipset_free(&data);
+ return res;
+}
+
+/*
+ * Performs a save to stdout
+ */
+static void set_save(const char name[IP_SET_MAXNAMELEN])
+{
+ int i;
+
+ DP("%s", name);
+ for (i = 0; i < LIST_TRIES; i++)
+ if (try_save_sets(name) == 0)
+ return;
+
+ if (errno == EAGAIN)
+ exit_error(OTHER_PROBLEM,
+ "Tried to save sets from kernel %d times"
+ " and failed. Please try again when the load on"
+ " the sets has gone down.", LIST_TRIES);
+ else
+ kernel_error(CMD_SAVE, errno);
+}
+
+/*
+ * Restore operation
+ */
+
+/* global new argv and argc */
+static char *newargv[255];
+static int newargc = 0;
+
+/* Build faked argv from parsed line */
+static void build_argv(int line, char *buffer) {
+ char *ptr;
+ int i;
+
+ /* Reset */
+ for (i = 1; i < newargc; i++)
+ free(newargv[i]);
+ newargc = 1;
+
+ ptr = strtok(buffer, " \t\n");
+ newargv[newargc++] = ipset_strdup(ptr);
+ while ((ptr = strtok(NULL, " \t\n")) != NULL) {
+ if ((newargc + 1) < sizeof(newargv)/sizeof(char *))
+ newargv[newargc++] = ipset_strdup(ptr);
+ else
+ exit_error(PARAMETER_PROBLEM,
+ "Line %d is too long to restore\n", line);
+ }
+}
+
+static FILE *create_tempfile(void)
+{
+ char buffer[1024];
+ char *tmpdir = NULL;
+ char *filename;
+ int fd;
+ FILE *file;
+
+ if (!(tmpdir = getenv("TMPDIR")) && !(tmpdir = getenv("TMP")))
+ tmpdir = "/tmp";
+ filename = ipset_malloc(strlen(tmpdir) + strlen(TEMPFILE_PATTERN) + 1);
+ strcpy(filename, tmpdir);
+ strcat(filename, TEMPFILE_PATTERN);
+
+ (void) umask(077); /* Create with restrictive permissions */
+ fd = mkstemp(filename);
+ if (fd == -1)
+ exit_error(OTHER_PROBLEM, "Could not create temporary file.");
+ if (!(file = fdopen(fd, "r+")))
+ exit_error(OTHER_PROBLEM, "Could not open temporary file.");
+ if (unlink(filename) == -1)
+ exit_error(OTHER_PROBLEM, "Could not unlink temporary file.");
+ free(filename);
+
+ while (fgets(buffer, sizeof(buffer), stdin)) {
+ fputs(buffer, file);
+ }
+ fseek(file, 0L, SEEK_SET);
+
+ return file;
+}
+
+/*
+ * Performs a restore from a file
+ */
+static void set_restore(char *argv0)
+{
+ char buffer[1024];
+ char *ptr, *name = NULL;
+ char cmd = ' ';
+ int line = 0, first_pass, i, bindings = 0;
+ struct settype *settype = NULL;
+ struct ip_set_req_setnames *header;
+ ip_set_id_t index;
+ FILE *in;
+ int res;
+
+ /* Create and store stdin in temporary file */
+ in = create_tempfile();
+
+ /* Load existing sets from kernel */
+ load_set_list(IPSET_TOKEN_ALL, &index,
+ IP_SET_OP_LIST_SIZE, CMD_RESTORE);
+
+ restore_size = sizeof(struct ip_set_req_setnames)/* header */
+ + sizeof(struct ip_set_restore); /* marker */
+ DP("restore_size: %u", restore_size);
+ /* First pass: calculate required amount of data */
+ while (fgets(buffer, sizeof(buffer), in)) {
+ line++;
+
+ if (buffer[0] == '\n')
+ continue;
+ else if (buffer[0] == '#')
+ continue;
+ else if (strcmp(buffer, "COMMIT\n") == 0) {
+ /* Enable restore mode */
+ restore = 1;
+ break;
+ }
+
+ /* -N, -A or -B */
+ ptr = strtok(buffer, " \t\n");
+ DP("ptr: %s", ptr);
+ if (ptr == NULL
+ || ptr[0] != '-'
+ || !(ptr[1] == 'N'
+ || ptr[1] == 'A'
+ || ptr[1] == 'B')
+ || ptr[2] != '\0') {
+ exit_error(PARAMETER_PROBLEM,
+ "Line %u does not start as a valid restore command\n",
+ line);
+ }
+ cmd = ptr[1];
+ /* setname */
+ ptr = strtok(NULL, " \t\n");
+ DP("setname: %s", ptr);
+ if (ptr == NULL)
+ exit_error(PARAMETER_PROBLEM,
+ "Missing set name in line %u\n",
+ line);
+ DP("cmd %c", cmd);
+ switch (cmd) {
+ case 'N': {
+ name = check_set_name(ptr);
+ /* settype */
+ ptr = strtok(NULL, " \t\n");
+ if (ptr == NULL)
+ exit_error(PARAMETER_PROBLEM,
+ "Missing settype in line %u\n",
+ line);
+ if (bindings)
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid line %u: create must precede bindings\n",
+ line);
+ settype = check_set_typename(ptr);
+ restore_size += sizeof(struct ip_set_restore)
+ + settype->create_size;
+ DP("restore_size (N): %u", restore_size);
+ break;
+ }
+ case 'A': {
+ if (name == NULL
+ || strncmp(name, ptr, sizeof(name)) != 0)
+ exit_error(PARAMETER_PROBLEM,
+ "Add IP to set %s in line %u without "
+ "preceding corresponding create set line\n",
+ ptr, line);
+ if (bindings)
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid line %u: adding entries must precede bindings\n",
+ line);
+ restore_size += settype->adt_size;
+ DP("restore_size (A): %u", restore_size);
+ break;
+ }
+ case 'B': {
+ bindings = 1;
+ restore_size += sizeof(struct ip_set_hash_save);
+ DP("restore_size (B): %u", restore_size);
+ break;
+ }
+ default: {
+ exit_error(PARAMETER_PROBLEM,
+ "Unrecognized restore command in line %u\n",
+ line);
+ }
+ } /* end of switch */
+ }
+ /* Sanity checking */
+ if (!restore)
+ exit_error(PARAMETER_PROBLEM,
+ "Missing COMMIT line\n");
+ DP("restore_size: %u", restore_size);
+ restore_data = ipset_malloc(restore_size);
+ header = (struct ip_set_req_setnames *) restore_data;
+ header->op = IP_SET_OP_RESTORE;
+ header->size = restore_size;
+ restore_offset = sizeof(struct ip_set_req_setnames);
+
+ /* Rewind to scan the file again */
+ fseek(in, 0L, SEEK_SET);
+ first_pass = line;
+ line = 0;
+
+ /* Initialize newargv/newargc */
+ newargv[newargc++] = ipset_strdup(argv0);
+
+ /* Second pass: build up restore request */
+ while (fgets(buffer, sizeof(buffer), in)) {
+ line++;
+
+ if (buffer[0] == '\n')
+ continue;
+ else if (buffer[0] == '#')
+ continue;
+ else if (strcmp(buffer, "COMMIT\n") == 0)
+ goto do_restore;
+ DP("restoring: %s", buffer);
+ /* Build faked argv, argc */
+ build_argv(line, buffer);
+ for (i = 0; i < newargc; i++)
+ DP("argv[%u]: %s", i, newargv[i]);
+
+ /* Parse line */
+ parse_commandline(newargc, newargv);
+ }
+ exit_error(PARAMETER_PROBLEM,
+ "Broken restore file\n");
+ do_restore:
+ if (bindings == 0
+ && restore_size ==
+ (restore_offset + sizeof(struct ip_set_restore))) {
+ /* No bindings */
+ struct ip_set_restore *marker =
+ (struct ip_set_restore *) (restore_data + restore_offset);
+
+ DP("restore marker");
+ marker->index = IP_SET_INVALID_ID;
+ marker->header_size = marker->members_size = 0;
+ restore_offset += sizeof(struct ip_set_restore);
+ }
+ if (restore_size != restore_offset)
+ exit_error(PARAMETER_PROBLEM,
+ "Giving up, restore file is screwed up!");
+ res = kernel_getfrom_handleerrno(CMD_RESTORE, restore_data, &restore_size);
+
+ if (res != 0) {
+ if (restore_size != sizeof(struct ip_set_req_setnames))
+ exit_error(PARAMETER_PROBLEM,
+ "Communication with kernel failed (%u %u)!",
+ restore_size, sizeof(struct ip_set_req_setnames));
+ /* Check errors */
+ header = (struct ip_set_req_setnames *) restore_data;
+ if (header->size != 0)
+ exit_error(PARAMETER_PROBLEM,
+ "Committing restoring failed at line %u!",
+ header->size);
+ }
+}
+
+/*
+ * Send ADT_GET order to kernel for a set
+ */
+static struct set *set_adt_get(const char *name)
+{
+ struct ip_set_req_adt_get req_adt_get;
+ struct set *set;
+ size_t size;
+
+ DP("%s", name);
+
+ req_adt_get.op = IP_SET_OP_ADT_GET;
+ req_adt_get.version = IP_SET_PROTOCOL_VERSION;
+ strcpy(req_adt_get.set.name, name);
+ size = sizeof(struct ip_set_req_adt_get);
+
+ kernel_getfrom(CMD_ADT_GET, &req_adt_get, &size);
+
+ set = ipset_malloc(sizeof(struct set));
+ strcpy(set->name, name);
+ set->index = req_adt_get.set.index;
+ set->settype = settype_load(req_adt_get.typename);
+
+ return set;
+}
+
+/*
+ * Send add/del/test order to kernel for a set
+ */
+static int set_adtip(struct set *set, const char *adt,
+ unsigned op, unsigned cmd)
+{
+ struct ip_set_req_adt *req_adt;
+ size_t size;
+ void *data;
+ int res = 0;
+
+ DP("%s -> %s", set->name, adt);
+
+ /* Alloc memory for the data to send */
+ size = sizeof(struct ip_set_req_adt) + set->settype->adt_size ;
+ DP("alloc size %i", size);
+ data = ipset_malloc(size);
+
+ /* Fill out the request */
+ req_adt = (struct ip_set_req_adt *) data;
+ req_adt->op = op;
+ req_adt->index = set->index;
+ memcpy(data + sizeof(struct ip_set_req_adt),
+ set->settype->data, set->settype->adt_size);
+
+ if (kernel_sendto_handleerrno(cmd, op, data, size) == -1)
+ switch (op) {
+ case IP_SET_OP_ADD_IP:
+ exit_error(OTHER_PROBLEM, "%s is already in set %s.",
+ adt, set->name);
+ break;
+ case IP_SET_OP_DEL_IP:
+ exit_error(OTHER_PROBLEM, "%s is not in set %s.",
+ adt, set->name);
+ break;
+ case IP_SET_OP_TEST_IP:
+ ipset_printf("%s is in set %s.", adt, set->name);
+ res = 0;
+ break;
+ default:
+ break;
+ }
+ else
+ switch (op) {
+ case IP_SET_OP_TEST_IP:
+ ipset_printf("%s is NOT in set %s.", adt, set->name);
+ res = 1;
+ break;
+ default:
+ break;
+ }
+ free(data);
+
+ return res;
+}
+
+static void set_restore_add(struct set *set, const char *adt)
+{
+ DP("%s %s", set->name, adt);
+ /* Sanity checking */
+ if (restore_offset + set->settype->adt_size > restore_size)
+ exit_error(PARAMETER_PROBLEM,
+ "Giving up, restore file is screwed up!");
+
+ memcpy(restore_data + restore_offset,
+ set->settype->data, set->settype->adt_size);
+ restore_set->members_size += set->settype->adt_size;
+ restore_offset += set->settype->adt_size;
+}
+
+/*
+ * Send bind/unbind/test binding order to kernel for a set
+ */
+static int set_bind(struct set *set, const char *adt,
+ const char *binding,
+ unsigned op, unsigned cmd)
+{
+ struct ip_set_req_bind *req_bind;
+ size_t size;
+ void *data;
+ int res = 0;
+
+ /* set may be null: '-U :all: :all:|:default:' */
+ DP("(%s, %s) -> %s", set ? set->name : IPSET_TOKEN_ALL, adt, binding);
+
+ /* Alloc memory for the data to send */
+ size = sizeof(struct ip_set_req_bind);
+ if (op != IP_SET_OP_UNBIND_SET && adt[0] == ':')
+ /* Set default binding */
+ size += IP_SET_MAXNAMELEN;
+ else if (!(op == IP_SET_OP_UNBIND_SET && set == NULL))
+ size += set->settype->adt_size;
+ DP("alloc size %i", size);
+ data = ipset_malloc(size);
+
+ /* Fill out the request */
+ req_bind = (struct ip_set_req_bind *) data;
+ req_bind->op = op;
+ req_bind->index = set ? set->index : IP_SET_INVALID_ID;
+ if (adt[0] == ':') {
+ /* ':default:' and ':all:' */
+ strncpy(req_bind->binding, adt, IP_SET_MAXNAMELEN);
+ if (op != IP_SET_OP_UNBIND_SET && adt[0] == ':')
+ strncpy(data + sizeof(struct ip_set_req_bind),
+ binding, IP_SET_MAXNAMELEN);
+ } else {
+ strncpy(req_bind->binding, binding, IP_SET_MAXNAMELEN);
+ memcpy(data + sizeof(struct ip_set_req_bind),
+ set->settype->data, set->settype->adt_size);
+ }
+
+ if (op == IP_SET_OP_TEST_BIND_SET) {
+ if (kernel_sendto_handleerrno(cmd, op, data, size) == -1) {
+ ipset_printf("%s in set %s is bound to %s.",
+ adt, set->name, binding);
+ res = 0;
+ } else {
+ ipset_printf("%s in set %s is NOT bound to %s.",
+ adt, set->name, binding);
+ res = 1;
+ }
+ } else
+ kernel_sendto(cmd, data, size);
+ free(data);
+
+ return res;
+}
+
+static void set_restore_bind(struct set *set,
+ const char *adt,
+ const char *binding)
+{
+ struct ip_set_hash_save *hash_restore;
+
+ if (restore == 1) {
+ /* Marker */
+ struct ip_set_restore *marker =
+ (struct ip_set_restore *) (restore_data + restore_offset);
+
+ DP("restore marker");
+ if (restore_offset + sizeof(struct ip_set_restore)
+ > restore_size)
+ exit_error(PARAMETER_PROBLEM,
+ "Giving up, restore file is screwed up!");
+ marker->index = IP_SET_INVALID_ID;
+ marker->header_size = marker->members_size = 0;
+ restore_offset += sizeof(struct ip_set_restore);
+ restore = 2;
+ }
+ /* Sanity checking */
+ if (restore_offset + sizeof(struct ip_set_hash_save) > restore_size)
+ exit_error(PARAMETER_PROBLEM,
+ "Giving up, restore file is screwed up!");
+
+ hash_restore = (struct ip_set_hash_save *) (restore_data + restore_offset);
+ DP("%s -> %s", adt, binding);
+ if (strcmp(adt, IPSET_TOKEN_DEFAULT) == 0)
+ hash_restore->ip = 0;
+ else
+ set->settype->bindip_parse(adt, &hash_restore->ip);
+ hash_restore->id = set->index;
+ hash_restore->binding = (set_find_byname(binding))->index;
+ DP("id %u, ip %u, binding %u",
+ hash_restore->id, hash_restore->ip, hash_restore->binding);
+ restore_offset += sizeof(struct ip_set_hash_save);
+}
+
+/*
+ * Print operation
+ */
+
+static void print_bindings(struct set *set,
+ void *data, size_t size, unsigned options,
+ char * (*printip)(struct set *set,
+ ip_set_ip_t ip, unsigned options))
+{
+ size_t offset = 0;
+ struct ip_set_hash_list *hash;
+
+ while (offset < size) {
+ hash = (struct ip_set_hash_list *) (data + offset);
+ printf("%s -> %s\n",
+ printip(set, hash->ip, options),
+ set_list[hash->binding]->name);
+ offset += sizeof(struct ip_set_hash_list);
+ }
+}
+
+/* Help function to set_list() */
+static size_t print_set(void *data, unsigned options)
+{
+ struct ip_set_list *setlist = (struct ip_set_list *) data;
+ struct set *set = set_list[setlist->index];
+ struct settype *settype = set->settype;
+ size_t offset;
+
+ /* Pretty print the set */
+ printf("Name: %s\n", set->name);
+ printf("Type: %s\n", settype->typename);
+ printf("References: %d\n", setlist->ref);
+ printf("Default binding: %s\n",
+ setlist->binding == IP_SET_INVALID_ID ? ""
+ : set_list[setlist->binding]->name);
+
+ /* Init header */
+ offset = sizeof(struct ip_set_list);
+ settype->initheader(set, data + offset);
+
+ /* Pretty print the type header */
+ printf("Header:");
+ settype->printheader(set, options);
+
+ /* Pretty print all IPs */
+ printf("Members:\n");
+ offset += setlist->header_size;
+ if (options & OPT_SORTED)
+ settype->printips_sorted(set, data + offset,
+ setlist->members_size, options);
+ else
+ settype->printips(set, data + offset,
+ setlist->members_size, options);
+
+ /* Print bindings */
+ printf("Bindings:\n");
+ offset += setlist->members_size;
+ print_bindings(set,
+ data + offset, setlist->bindings_size, options,
+ settype->bindip_tostring);
+
+ printf("\n"); /* One newline between sets */
+
+ return (offset + setlist->bindings_size);
+}
+
+static int try_list_sets(const char name[IP_SET_MAXNAMELEN],
+ unsigned options)
+{
+ void *data = NULL;
+ ip_set_id_t index;
+ size_t size, req_size;
+ int res = 0;
+
+ DP("%s", name);
+ /* Load set_list from kernel */
+ size = req_size = load_set_list(name, &index,
+ IP_SET_OP_LIST_SIZE, CMD_LIST);
+
+ if (size) {
+ /* Get sets and print them */
+ data = ipset_malloc(size);
+ ((struct ip_set_req_list *) data)->op = IP_SET_OP_LIST;
+ ((struct ip_set_req_list *) data)->index = index;
+ res = kernel_getfrom_handleerrno(CMD_LIST, data, &size);
+ DP("get_lists getsockopt() res=%d errno=%d", res, errno);
+
+ if (res != 0 || size != req_size) {
+ free(data);
+ return -EAGAIN;
+ }
+ size = 0;
+ }
+ while (size != req_size)
+ size += print_set(data + size, options);
+
+ ipset_free(&data);
+ return res;
+}
+
+/* Print a set or all sets
+ * All sets: name = NULL
+ */
+static void list_sets(const char name[IP_SET_MAXNAMELEN], unsigned options)
+{
+ int i;
+
+ DP("%s", name);
+ for (i = 0; i < LIST_TRIES; i++)
+ if (try_list_sets(name, options) == 0)
+ return;
+
+ if (errno == EAGAIN)
+ exit_error(OTHER_PROBLEM,
+ "Tried to list sets from kernel %d times"
+ " and failed. Please try again when the load on"
+ " the sets has gone down.", LIST_TRIES);
+ else
+ kernel_error(CMD_LIST, errno);
+}
+
+/* Prints help
+ * If settype is non null help for that type is printed as well
+ */
+static void set_help(const struct settype *settype)
+{
+#ifdef IPSET_DEBUG
+ char debughelp[] =
+ " --debug -z Enable debugging\n\n";
+#else
+ char debughelp[] = "\n";
+#endif
+
+ printf("%s v%s\n\n"
+ "Usage: %s -N new-set settype [options]\n"
+ " %s -[XFLSH] [set] [options]\n"
+ " %s -[EW] from-set to-set\n"
+ " %s -[ADTU] set IP\n"
+ " %s -B set IP option\n"
+ " %s -R\n"
+ " %s -h (print this help information)\n\n",
+ program_name, program_version,
+ program_name, program_name, program_name,
+ program_name, program_name, program_name,
+ program_name);
+
+ printf("Commands:\n"
+ "Either long or short options are allowed.\n"
+ " --create -N setname settype <options>\n"
+ " Create a new set\n"
+ " --destroy -X [setname]\n"
+ " Destroy a set or all sets\n"
+ " --flush -F [setname]\n"
+ " Flush a set or all sets\n"
+ " --rename -E from-set to-set\n"
+ " Rename from-set to to-set\n"
+ " --swap -W from-set to-set\n"
+ " Swap the content of two existing sets\n"
+ " --list -L [setname] [options]\n"
+ " List the IPs in a set or all sets\n"
+ " --save -S [setname]\n"
+ " Save the set or all sets to stdout\n"
+ " --restore -R [option]\n"
+ " Restores a saved state\n"
+ " --add -A setname IP\n"
+ " Add an IP to a set\n"
+ " --del -D setname IP\n"
+ " Deletes an IP from a set\n"
+ " --test -T setname IP \n"
+ " Tests if an IP exists in a set.\n"
+ " --bind -B setname IP|:default: -b bind-setname\n"
+ " Bind the IP in setname to bind-setname.\n"
+ " --unbind -U setname IP|:all:|:default:\n"
+ " Delete binding belonging to IP,\n"
+ " all bindings or default binding of setname.\n"
+ " --unbind -U :all: :all:|:default:\n"
+ " Delete all bindings or all default bindings.\n"
+ " --help -H [settype]\n"
+ " Prints this help, and settype specific help\n"
+ " --version -V\n"
+ " Prints version information\n\n"
+ "Options:\n"
+ " --sorted -s Numeric sort of the IPs in -L\n"
+ " --numeric -n Numeric output of addresses in a -L\n"
+ " --quiet -q Suppress any output to stdout and stderr.\n"
+ " --binding -b Specifies the binding for -B\n");
+ printf(debughelp);
+
+ if (settype != NULL) {
+ printf("Type '%s' specific:\n", settype->typename);
+ settype->usage();
+ }
+}
+
+static int find_cmd(const char option)
+{
+ int i;
+
+ for (i = 1; i <= NUMBER_OF_CMD; i++)
+ if (cmdflags[i] == option)
+ return i;
+
+ return CMD_NONE;
+}
+
+static int parse_adt_cmdline(unsigned command,
+ const char *name,
+ char *adt,
+ struct set **set,
+ struct settype **settype)
+{
+ int res = 0;
+
+ /* -U :all: :all:|:default: */
+ if (command == CMD_UNBIND) {
+ if (strcmp(name, IPSET_TOKEN_ALL) == 0) {
+ if (strcmp(adt, IPSET_TOKEN_DEFAULT) == 0
+ || strcmp(adt, IPSET_TOKEN_ALL) == 0) {
+ *set = NULL;
+ *settype = NULL;
+ return 1;
+ } else
+ exit_error(PARAMETER_PROBLEM,
+ "-U %s requires %s or %s as binding name",
+ IPSET_TOKEN_ALL,
+ IPSET_TOKEN_DEFAULT,
+ IPSET_TOKEN_ALL);
+ }
+ }
+ *set = restore ? set_find_byname(name)
+ : set_adt_get(name);
+
+ /* Reset space for adt data */
+ *settype = (*set)->settype;
+ memset((*settype)->data, 0, (*settype)->adt_size);
+
+ if ((command == CMD_TEST
+ || command == CMD_BIND
+ || command == CMD_UNBIND)
+ && (strcmp(adt, IPSET_TOKEN_DEFAULT) == 0
+ || strcmp(adt, IPSET_TOKEN_ALL) == 0))
+ res = 1;
+ else
+ res = (*settype)->adt_parser(
+ command,
+ adt,
+ (*settype)->data);
+
+ return res;
+}
+
+/* Main worker function */
+int parse_commandline(int argc, char *argv[])
+{
+ int res = 0;
+ unsigned command = CMD_NONE;
+ unsigned options = 0;
+ int c;
+
+ char *name = NULL; /* All except -H, -R */
+ char *newname = NULL; /* -E, -W */
+ char *adt = NULL; /* -A, -D, -T, -B, -U */
+ char *binding = NULL; /* -B */
+ struct set *set = NULL; /* -A, -D, -T, -B, -U */
+ struct settype *settype = NULL; /* -N, -H */
+ char all_sets[] = IPSET_TOKEN_ALL;
+
+ struct option *opts = opts_long;
+
+ /* Suppress error messages: we may add new options if we
+ demand-load a protocol. */
+ opterr = 0;
+ /* Reset optind to 0 for restore */
+ optind = 0;
+
+ while ((c = getopt_long(argc, argv, opts_short, opts, NULL)) != -1) {
+
+ DP("commandline parsed: opt %c (%s)", c, argv[optind]);
+
+ switch (c) {
+ /*
+ * Command selection
+ */
+ case 'h':
+ case 'H':{ /* Help: -H [typename [options]] */
+ check_protocolversion();
+ set_command(&command, CMD_HELP);
+
+ if (optarg)
+ settype = check_set_typename(optarg);
+ else if (optind < argc
+ && argv[optind][0] != '-')
+ settype = check_set_typename(argv[optind++]);
+
+ break;
+ }
+
+ case 'V':{ /* Version */
+ printf("%s v%s Protocol version %u.\n",
+ program_name, program_version,
+ IP_SET_PROTOCOL_VERSION);
+ check_protocolversion();
+ exit(0);
+ }
+
+ case 'N':{ /* Create: -N name typename options */
+ set_command(&command, CMD_CREATE);
+
+ name = check_set_name(optarg);
+
+ /* Protect reserved names (binding) */
+ if (name[0] == ':')
+ exit_error(PARAMETER_PROBLEM,
+ "setname might not start with colon",
+ cmd2char(CMD_CREATE));
+
+ if (optind < argc
+ && argv[optind][0] != '-')
+ settype = check_set_typename(argv[optind++]);
+ else
+ exit_error(PARAMETER_PROBLEM,
+ "-%c requires setname and settype",
+ cmd2char(CMD_CREATE));
+
+ DP("merge options");
+ /* Merge the create options */
+ opts = merge_options(opts,
+ settype->create_opts,
+ &settype->option_offset);
+
+ /* Reset space for create data */
+ memset(settype->data, 0, settype->create_size);
+
+ /* Zero the flags */
+ settype->flags = 0;
+
+ DP("call create_init");
+ /* Call the settype create_init */
+ settype->create_init(settype->data);
+
+ break;
+ }
+
+ case 'X': /* Destroy */
+ case 'F': /* Flush */
+ case 'L': /* List */
+ case 'S':{ /* Save */
+ set_command(&command, find_cmd(c));
+
+ if (optarg)
+ name = check_set_name(optarg);
+ else if (optind < argc
+ && argv[optind][0] != '-')
+ name = check_set_name(argv[optind++]);
+ else
+ name = all_sets;
+
+ break;
+ }
+
+ case 'R':{ /* Restore */
+ set_command(&command, find_cmd(c));
+
+ break;
+ }
+
+ case 'E': /* Rename */
+ case 'W':{ /* Swap */
+ set_command(&command, find_cmd(c));
+ name = check_set_name(optarg);
+
+ if (optind < argc
+ && argv[optind][0] != '-')
+ newname = check_set_name(argv[optind++]);
+ else
+ exit_error(PARAMETER_PROBLEM,
+ "-%c requires a setname "
+ "and the new name for that set",
+ cmd2char(CMD_RENAME));
+
+ break;
+ }
+
+ case 'A': /* Add IP */
+ case 'D': /* Del IP */
+ case 'T': /* Test IP */
+ case 'B': /* Bind IP */
+ case 'U':{ /* Unbind IP */
+ set_command(&command, find_cmd(c));
+
+ name = check_set_name(optarg);
+
+ /* IP */
+ if (optind < argc
+ && argv[optind][0] != '-')
+ adt = argv[optind++];
+ else
+ exit_error(PARAMETER_PROBLEM,
+ "-%c requires setname and IP",
+ c);
+
+ res = parse_adt_cmdline(command, name, adt,
+ &set, &settype);
+
+ if (!res)
+ exit_error(PARAMETER_PROBLEM,
+ "Unknown arg `%s'",
+ argv[optind - 1]);
+
+ break;
+ }
+
+ /* options */
+
+ case 'n':
+ add_option(&options, OPT_NUMERIC);
+ break;
+
+ case 's':
+ add_option(&options, OPT_SORTED);
+ break;
+
+ case 'q':
+ add_option(&options, OPT_QUIET);
+ option_quiet = 1;
+ break;
+
+#ifdef IPSET_DEBUG
+ case 'z': /* debug */
+ add_option(&options, OPT_DEBUG);
+ option_debug = 1;
+ break;
+#endif
+
+ case 'b':
+ add_option(&options, OPT_BINDING);
+ binding = check_set_name(optarg);
+ break;
+
+ case 1: /* non option */
+ printf("Bad argument `%s'\n", optarg);
+ exit_tryhelp(2);
+ break; /*always good */
+
+ default:{
+ DP("default");
+
+ switch (command) {
+ case CMD_CREATE:
+ res = settype->create_parse(
+ c - settype->option_offset,
+ argv,
+ settype->data,
+ &settype->flags);
+ break;
+
+ default:
+ res = 0; /* failed */
+ } /* switch (command) */
+
+
+ if (!res)
+ exit_error(PARAMETER_PROBLEM,
+ "Unknown arg `%s'",
+ argv[optind - 1]);
+
+ }
+
+ DP("next arg");
+ } /* switch */
+
+ } /* while( getopt_long() ) */
+
+
+ if (optind < argc)
+ exit_error(PARAMETER_PROBLEM,
+ "unknown arguments found on commandline");
+ if (command == CMD_NONE)
+ exit_error(PARAMETER_PROBLEM, "no command specified");
+
+ /* Check options */
+ generic_opt_check(command, options);
+
+ DP("cmd: %c", cmd2char(command));
+
+ switch (command) {
+ case CMD_CREATE:
+ DP("CMD_CREATE");
+ if (restore)
+ set_restore_create(name, settype);
+ else
+ set_create(name, settype);
+ break;
+
+ case CMD_DESTROY:
+ set_destroy(name, IP_SET_OP_DESTROY, CMD_DESTROY);
+ break;
+
+ case CMD_FLUSH:
+ set_destroy(name, IP_SET_OP_FLUSH, CMD_FLUSH);
+ break;
+
+ case CMD_RENAME:
+ set_rename(name, newname, IP_SET_OP_RENAME, CMD_RENAME);
+ break;
+
+ case CMD_SWAP:
+ set_rename(name, newname, IP_SET_OP_SWAP, CMD_SWAP);
+ break;
+
+ case CMD_LIST:
+ list_sets(name, options);
+ break;
+
+ case CMD_SAVE:
+ set_save(name);
+ break;
+
+ case CMD_RESTORE:
+ set_restore(argv[0]);
+ break;
+
+ case CMD_ADD:
+ if (restore)
+ set_restore_add(set, adt);
+ else
+ set_adtip(set, adt, IP_SET_OP_ADD_IP, CMD_ADD);
+ break;
+
+ case CMD_DEL:
+ set_adtip(set, adt, IP_SET_OP_DEL_IP, CMD_DEL);
+ break;
+
+ case CMD_TEST:
+ if (binding)
+ res = set_bind(set, adt, binding,
+ IP_SET_OP_TEST_BIND_SET, CMD_TEST);
+ else
+ res = set_adtip(set, adt,
+ IP_SET_OP_TEST_IP, CMD_TEST);
+ break;
+
+ case CMD_BIND:
+ if (restore)
+ set_restore_bind(set, adt, binding);
+ else
+ set_bind(set, adt, binding,
+ IP_SET_OP_BIND_SET, CMD_BIND);
+ break;
+
+ case CMD_UNBIND:
+ set_bind(set, adt, "", IP_SET_OP_UNBIND_SET, CMD_UNBIND);
+ break;
+
+ case CMD_HELP:
+ set_help(settype);
+ break;
+
+ default:
+ /* Will never happen */
+ break; /* Keep the compiler happy */
+
+ } /* switch( command ) */
+
+ return res;
+}
+
+
+int main(int argc, char *argv[])
+{
+ return parse_commandline(argc, argv);
+
+}
--- /dev/null
+#ifndef __IPSET_H
+#define __IPSET_H
+
+/* Copyright 2000-2004 Joakim Axelsson (gozem@linux.nu)
+ * Patrick Schaaf (bof@bof.de)
+ * Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <getopt.h>
+#include <sys/types.h>
+#include <netdb.h>
+
+#include <linux/netfilter_ipv4/ip_set.h>
+
+#define IPSET_LIB_NAME "/libipset_%s.so"
+#define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe"
+
+#define LIST_TRIES 5
+
+#ifdef IPSET_DEBUG
+extern int option_debug;
+#define DP(format, args...) if (option_debug) \
+ do { \
+ fprintf(stderr, "%s: %s (DBG): ", __FILE__, __FUNCTION__);\
+ fprintf(stderr, format "\n" , ## args); \
+ } while (0)
+#else
+#define DP(format, args...)
+#endif
+
+/* Commands */
+enum set_commands {
+ CMD_NONE,
+ CMD_CREATE, /* -N */
+ CMD_DESTROY, /* -X */
+ CMD_FLUSH, /* -F */
+ CMD_RENAME, /* -E */
+ CMD_SWAP, /* -W */
+ CMD_LIST, /* -L */
+ CMD_SAVE, /* -S */
+ CMD_RESTORE, /* -R */
+ CMD_ADD, /* -A */
+ CMD_DEL, /* -D */
+ CMD_TEST, /* -T */
+ CMD_BIND, /* -B */
+ CMD_UNBIND, /* -U */
+ CMD_HELP, /* -H */
+ CMD_VERSION, /* -V */
+ NUMBER_OF_CMD = CMD_VERSION,
+ /* Internal commands */
+ CMD_MAX_SETS,
+ CMD_LIST_SIZE,
+ CMD_SAVE_SIZE,
+ CMD_ADT_GET,
+};
+
+enum exittype {
+ OTHER_PROBLEM = 1,
+ PARAMETER_PROBLEM,
+ VERSION_PROBLEM
+};
+
+/* The view of an ipset in userspace */
+struct set {
+ char name[IP_SET_MAXNAMELEN]; /* Name of the set */
+ ip_set_id_t id; /* Unique set id */
+ ip_set_id_t index; /* Array index */
+ unsigned ref; /* References in kernel */
+ struct settype *settype; /* Pointer to set type functions */
+};
+
+struct settype {
+ struct settype *next;
+
+ char typename[IP_SET_MAXNAMELEN];
+
+ int protocol_version;
+
+ /*
+ * Create set
+ */
+
+ /* Size of create data. Will be sent to kernel */
+ size_t create_size;
+
+ /* Initialize the create. */
+ void (*create_init) (void *data);
+
+ /* Function which parses command options; returns true if it ate an option */
+ int (*create_parse) (int c, char *argv[], void *data,
+ unsigned *flags);
+
+ /* Final check; exit if not ok. */
+ void (*create_final) (void *data, unsigned int flags);
+
+ /* Pointer to list of extra command-line options for create */
+ struct option *create_opts;
+
+ /*
+ * Add/del/test IP
+ */
+
+ /* Size of data. Will be sent to kernel */
+ size_t adt_size;
+
+ /* Function which parses command options */
+ ip_set_ip_t (*adt_parser) (unsigned cmd, const char *optarg, void *data);
+
+ /*
+ * Printing
+ */
+
+ /* Size of header. */
+ size_t header_size;
+
+ /* Initialize the type-header */
+ void (*initheader) (struct set *set, const void *data);
+
+ /* Pretty print the type-header */
+ void (*printheader) (struct set *set, unsigned options);
+
+ /* Pretty print all IPs */
+ void (*printips) (struct set *set, void *data, size_t len, unsigned options);
+
+ /* Pretty print all IPs sorted */
+ void (*printips_sorted) (struct set *set, void *data, size_t len, unsigned options);
+
+ /* Print save arguments for creating the set */
+ void (*saveheader) (struct set *set, unsigned options);
+
+ /* Print save for all IPs */
+ void (*saveips) (struct set *set, void *data, size_t len, unsigned options);
+
+ /* Conver a single IP (binding) to string */
+ char * (*bindip_tostring)(struct set *set, ip_set_ip_t ip, unsigned options);
+
+ /* Parse an IP at restoring bindings. FIXME */
+ void (*bindip_parse) (const char *str, ip_set_ip_t * ip);
+
+ /* Print usage */
+ void (*usage) (void);
+
+ /* Internal data */
+ void *header;
+ void *data;
+ unsigned int option_offset;
+ unsigned int flags;
+};
+
+extern void settype_register(struct settype *settype);
+
+/* extern void unregister_settype(set_type_t *set_type); */
+
+extern void exit_error(enum exittype status, char *msg, ...);
+
+extern char *binding_ip_tostring(struct set *set,
+ ip_set_ip_t ip, unsigned options);
+extern char *ip_tostring(ip_set_ip_t ip, unsigned options);
+extern char *ip_tostring_numeric(ip_set_ip_t ip);
+extern void parse_ip(const char *str, ip_set_ip_t * ip);
+extern void parse_mask(const char *str, ip_set_ip_t * mask);
+extern void parse_ipandmask(const char *str, ip_set_ip_t * ip,
+ ip_set_ip_t * mask);
+extern char *port_tostring(ip_set_ip_t port, unsigned options);
+extern void parse_port(const char *str, ip_set_ip_t * port);
+extern int string_to_number(const char *str, unsigned int min, unsigned int max,
+ ip_set_ip_t *port);
+
+extern void *ipset_malloc(size_t size);
+extern char *ipset_strdup(const char *);
+extern void ipset_free(void **data);
+
+#endif /* __IPSET_H */
--- /dev/null
+/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <time.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <asm/bitops.h>
+#include <asm/types.h>
+
+#include <linux/netfilter_ipv4/ip_set_iphash.h>
+#include <linux/netfilter_ipv4/ip_set_jhash.h>
+
+#include "ipset.h"
+
+#define BUFLEN 30;
+
+#define OPT_CREATE_HASHSIZE 0x01U
+#define OPT_CREATE_PROBES 0x02U
+#define OPT_CREATE_RESIZE 0x04U
+#define OPT_CREATE_NETMASK 0x08U
+
+/* Initialize the create. */
+void create_init(void *data)
+{
+ struct ip_set_req_iphash_create *mydata =
+ (struct ip_set_req_iphash_create *) data;
+
+ DP("create INIT");
+
+ /* Default create parameters */
+ mydata->hashsize = 1024;
+ mydata->probes = 8;
+ mydata->resize = 50;
+
+ mydata->netmask = 0xFFFFFFFF;
+}
+
+/* Function which parses command options; returns true if it ate an option */
+int create_parse(int c, char *argv[], void *data, unsigned *flags)
+{
+ struct ip_set_req_iphash_create *mydata =
+ (struct ip_set_req_iphash_create *) data;
+ unsigned int bits;
+ ip_set_ip_t value;
+
+ DP("create_parse");
+
+ switch (c) {
+ case '1':
+
+ if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
+ exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
+
+ *flags |= OPT_CREATE_HASHSIZE;
+
+ DP("--hashsize %u", mydata->hashsize);
+
+ break;
+
+ case '2':
+
+ if (string_to_number(optarg, 1, 65535, &value))
+ exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
+
+ mydata->probes = value;
+ *flags |= OPT_CREATE_PROBES;
+
+ DP("--probes %u", mydata->probes);
+
+ break;
+
+ case '3':
+
+ if (string_to_number(optarg, 0, 65535, &value))
+ exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
+
+ mydata->resize = value;
+ *flags |= OPT_CREATE_RESIZE;
+
+ DP("--resize %u", mydata->resize);
+
+ break;
+
+ case '4':
+
+ if (string_to_number(optarg, 0, 32, &bits))
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid netmask `%s' specified", optarg);
+
+ if (bits != 0)
+ mydata->netmask = 0xFFFFFFFF << (32 - bits);
+
+ *flags |= OPT_CREATE_NETMASK;
+
+ DP("--netmask %x", mydata->netmask);
+
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Final check; exit if not ok. */
+void create_final(void *data, unsigned int flags)
+{
+#ifdef IPSET_DEBUG
+ struct ip_set_req_iphash_create *mydata =
+ (struct ip_set_req_iphash_create *) data;
+
+ DP("hashsize %u probes %u resize %u",
+ mydata->hashsize, mydata->probes, mydata->resize);
+#endif
+}
+
+/* Create commandline options */
+static struct option create_opts[] = {
+ {"hashsize", 1, 0, '1'},
+ {"probes", 1, 0, '2'},
+ {"resize", 1, 0, '3'},
+ {"netmask", 1, 0, '4'},
+ {0}
+};
+
+/* Add, del, test parser */
+ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
+{
+ struct ip_set_req_iphash *mydata =
+ (struct ip_set_req_iphash *) data;
+
+ parse_ip(optarg, &mydata->ip);
+ if (!mydata->ip)
+ exit_error(PARAMETER_PROBLEM,
+ "Zero valued IP address `%s' specified", optarg);
+
+ return mydata->ip;
+};
+
+/*
+ * Print and save
+ */
+
+void initheader(struct set *set, const void *data)
+{
+ struct ip_set_req_iphash_create *header =
+ (struct ip_set_req_iphash_create *) data;
+ struct ip_set_iphash *map =
+ (struct ip_set_iphash *) set->settype->header;
+
+ memset(map, 0, sizeof(struct ip_set_iphash));
+ map->hashsize = header->hashsize;
+ map->probes = header->probes;
+ map->resize = header->resize;
+ map->netmask = header->netmask;
+}
+
+unsigned int
+mask_to_bits(ip_set_ip_t mask)
+{
+ unsigned int bits = 32;
+ ip_set_ip_t maskaddr;
+
+ if (mask == 0xFFFFFFFF)
+ return bits;
+
+ maskaddr = 0xFFFFFFFE;
+ while (--bits >= 0 && maskaddr != mask)
+ maskaddr <<= 1;
+
+ return bits;
+}
+
+void printheader(struct set *set, unsigned options)
+{
+ struct ip_set_iphash *mysetdata =
+ (struct ip_set_iphash *) set->settype->header;
+
+ printf(" hashsize: %u", mysetdata->hashsize);
+ printf(" probes: %u", mysetdata->probes);
+ printf(" resize: %u", mysetdata->resize);
+ if (mysetdata->netmask == 0xFFFFFFFF)
+ printf("\n");
+ else
+ printf(" netmask: %d\n", mask_to_bits(mysetdata->netmask));
+}
+
+void printips(struct set *set, void *data, size_t len, unsigned options)
+{
+ size_t offset = 0;
+ ip_set_ip_t *ip;
+
+ while (offset < len) {
+ ip = data + offset;
+ if (*ip)
+ printf("%s\n", ip_tostring(*ip, options));
+ offset += sizeof(ip_set_ip_t);
+ }
+}
+
+void saveheader(struct set *set, unsigned options)
+{
+ struct ip_set_iphash *mysetdata =
+ (struct ip_set_iphash *) set->settype->header;
+
+ printf("-N %s %s --hashsize %u --probes %u --resize %u",
+ set->name, set->settype->typename,
+ mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
+ if (mysetdata->netmask == 0xFFFFFFFF)
+ printf("\n");
+ else
+ printf(" --netmask %d\n", mask_to_bits(mysetdata->netmask));
+}
+
+/* Print save for an IP */
+void saveips(struct set *set, void *data, size_t len, unsigned options)
+{
+ size_t offset = 0;
+ ip_set_ip_t *ip;
+
+ while (offset < len) {
+ ip = data + offset;
+ if (*ip)
+ printf("-A %s %s\n", set->name,
+ ip_tostring(*ip, options));
+ offset += sizeof(ip_set_ip_t);
+ }
+}
+
+void usage(void)
+{
+ printf
+ ("-N set iphash [--hashsize hashsize] [--probes probes ]\n"
+ " [--resize resize] [--netmask CIDR-netmask]\n"
+ "-A set IP\n"
+ "-D set IP\n"
+ "-T set IP\n");
+}
+
+static struct settype settype_iphash = {
+ .typename = SETTYPE_NAME,
+ .protocol_version = IP_SET_PROTOCOL_VERSION,
+
+ /* Create */
+ .create_size = sizeof(struct ip_set_req_iphash_create),
+ .create_init = &create_init,
+ .create_parse = &create_parse,
+ .create_final = &create_final,
+ .create_opts = create_opts,
+
+ /* Add/del/test */
+ .adt_size = sizeof(struct ip_set_req_iphash),
+ .adt_parser = &adt_parser,
+
+ /* Printing */
+ .header_size = sizeof(struct ip_set_iphash),
+ .initheader = &initheader,
+ .printheader = &printheader,
+ .printips = &printips, /* We only have the unsorted version */
+ .printips_sorted = &printips,
+ .saveheader = &saveheader,
+ .saveips = &saveips,
+
+ /* Bindings */
+ .bindip_tostring = &binding_ip_tostring,
+ .bindip_parse = &parse_ip,
+
+ .usage = &usage,
+};
+
+void _init(void)
+{
+ settype_register(&settype_iphash);
+
+}
--- /dev/null
+/* Copyright 2000-2004 Joakim Axelsson (gozem@linux.nu)
+ * Patrick Schaaf (bof@bof.de)
+ * Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <asm/bitops.h>
+
+#include <linux/netfilter_ipv4/ip_set_ipmap.h>
+#include "ipset.h"
+
+#define BUFLEN 30;
+
+#define OPT_CREATE_FROM 0x01U
+#define OPT_CREATE_TO 0x02U
+#define OPT_CREATE_NETWORK 0x04U
+#define OPT_CREATE_NETMASK 0x08U
+
+#define OPT_ADDDEL_IP 0x01U
+
+/* Initialize the create. */
+void create_init(void *data)
+{
+ struct ip_set_req_ipmap_create *mydata =
+ (struct ip_set_req_ipmap_create *) data;
+
+ DP("create INIT");
+ mydata->netmask = 0xFFFFFFFF;
+}
+
+/* Function which parses command options; returns true if it ate an option */
+int create_parse(int c, char *argv[], void *data, unsigned *flags)
+{
+ struct ip_set_req_ipmap_create *mydata =
+ (struct ip_set_req_ipmap_create *) data;
+ unsigned int bits;
+
+ DP("create_parse");
+
+ switch (c) {
+ case '1':
+ parse_ip(optarg, &mydata->from);
+
+ *flags |= OPT_CREATE_FROM;
+
+ DP("--from %x (%s)", mydata->from,
+ ip_tostring_numeric(mydata->from));
+
+ break;
+
+ case '2':
+ parse_ip(optarg, &mydata->to);
+
+ *flags |= OPT_CREATE_TO;
+
+ DP("--to %x (%s)", mydata->to,
+ ip_tostring_numeric(mydata->to));
+
+ break;
+
+ case '3':
+ parse_ipandmask(optarg, &mydata->from, &mydata->to);
+
+ /* Make to the last of from + mask */
+ if (mydata->to)
+ mydata->to = mydata->from | ~(mydata->to);
+ else {
+ mydata->from = 0x00000000;
+ mydata->to = 0xFFFFFFFF;
+ }
+ *flags |= OPT_CREATE_NETWORK;
+
+ DP("--network from %x (%s)",
+ mydata->from, ip_tostring_numeric(mydata->from));
+ DP("--network to %x (%s)",
+ mydata->to, ip_tostring_numeric(mydata->to));
+
+ break;
+
+ case '4':
+ if (string_to_number(optarg, 0, 32, &bits))
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid netmask `%s' specified", optarg);
+
+ if (bits != 0)
+ mydata->netmask = 0xFFFFFFFF << (32 - bits);
+
+ *flags |= OPT_CREATE_NETMASK;
+
+ DP("--netmask %x", mydata->netmask);
+
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+#define ERRSTRLEN 256
+
+/* Final check; exit if not ok. */
+void create_final(void *data, unsigned int flags)
+{
+ struct ip_set_req_ipmap_create *mydata =
+ (struct ip_set_req_ipmap_create *) data;
+ ip_set_ip_t range;
+ char errstr[ERRSTRLEN];
+
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "Need to specify --from and --to, or --network\n");
+
+ if (flags & OPT_CREATE_NETWORK) {
+ /* --network */
+ if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
+ exit_error(PARAMETER_PROBLEM,
+ "Can't specify --from or --to with --network\n");
+ } else {
+ /* --from --to */
+ if ((flags & OPT_CREATE_FROM) == 0
+ || (flags & OPT_CREATE_TO) == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "Need to specify both --from and --to\n");
+ }
+
+ DP("from : %x to: %x diff: %x",
+ mydata->from, mydata->to,
+ mydata->to - mydata->from);
+
+ if (mydata->from > mydata->to)
+ exit_error(PARAMETER_PROBLEM,
+ "From can't be lower than to.\n");
+
+ if (flags & OPT_CREATE_NETMASK) {
+ unsigned int mask_bits, netmask_bits;
+ ip_set_ip_t mask;
+
+ if ((mydata->from & mydata->netmask) != mydata->from)
+ exit_error(PARAMETER_PROBLEM,
+ "%s is not a network address according to netmask %d\n",
+ ip_tostring_numeric(mydata->from),
+ mask_to_bits(mydata->netmask));
+
+ mask = range_to_mask(mydata->from, mydata->to, &mask_bits);
+ if (!mask
+ && (mydata->from || mydata->to != 0xFFFFFFFF)) {
+ strncpy(errstr, ip_tostring_numeric(mydata->from),
+ ERRSTRLEN-2);
+ errstr[ERRSTRLEN-1] = '\0';
+ exit_error(PARAMETER_PROBLEM,
+ "%s-%s is not a full network (%x)\n",
+ errstr,
+ ip_tostring_numeric(mydata->to), mask);
+ }
+ netmask_bits = mask_to_bits(mydata->netmask);
+
+ if (netmask_bits <= mask_bits) {
+ strncpy(errstr, ip_tostring_numeric(mydata->from),
+ ERRSTRLEN-2);
+ errstr[ERRSTRLEN-1] = '\0';
+ exit_error(PARAMETER_PROBLEM,
+ "%d netmask specifies larger or equal netblock than %s-%s (%d)\n",
+ netmask_bits,
+ errstr,
+ ip_tostring_numeric(mydata->to),
+ mask_bits);
+ }
+ range = (1<<(netmask_bits - mask_bits)) - 1;
+ } else {
+ range = mydata->to - mydata->from;
+ }
+ if (range > MAX_RANGE)
+ exit_error(PARAMETER_PROBLEM,
+ "Range to large. Max is %d IPs in range\n",
+ MAX_RANGE+1);
+}
+
+/* Create commandline options */
+static struct option create_opts[] = {
+ {"from", 1, 0, '1'},
+ {"to", 1, 0, '2'},
+ {"network", 1, 0, '3'},
+ {"netmask", 1, 0, '4'},
+ {0}
+};
+
+/* Add, del, test parser */
+ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
+{
+ struct ip_set_req_ipmap *mydata =
+ (struct ip_set_req_ipmap *) data;
+
+ DP("ipmap: %p %p", optarg, data);
+
+ parse_ip(optarg, &mydata->ip);
+ DP("%s", ip_tostring_numeric(mydata->ip));
+
+ return 1;
+}
+
+/*
+ * Print and save
+ */
+
+void initheader(struct set *set, const void *data)
+{
+ struct ip_set_req_ipmap_create *header =
+ (struct ip_set_req_ipmap_create *) data;
+ struct ip_set_ipmap *map =
+ (struct ip_set_ipmap *) set->settype->header;
+
+ memset(map, 0, sizeof(struct ip_set_ipmap));
+ map->first_ip = header->from;
+ map->last_ip = header->to;
+ map->netmask = header->netmask;
+
+ if (map->netmask == 0xFFFFFFFF) {
+ map->hosts = 1;
+ map->sizeid = map->last_ip - map->first_ip + 1;
+ } else {
+ unsigned int mask_bits, netmask_bits;
+ ip_set_ip_t mask;
+
+ mask = range_to_mask(header->from, header->to, &mask_bits);
+ netmask_bits = mask_to_bits(header->netmask);
+
+ DP("bits: %i %i", mask_bits, netmask_bits);
+ map->hosts = 2 << (32 - netmask_bits - 1);
+ map->sizeid = 2 << (netmask_bits - mask_bits - 1);
+ }
+
+ DP("%i %i", map->hosts, map->sizeid );
+}
+
+void printheader(struct set *set, unsigned options)
+{
+ struct ip_set_ipmap *mysetdata =
+ (struct ip_set_ipmap *) set->settype->header;
+
+ printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
+ printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
+ if (mysetdata->netmask == 0xFFFFFFFF)
+ printf("\n");
+ else
+ printf(" netmask: %d\n", mask_to_bits(mysetdata->netmask));
+}
+
+void printips_sorted(struct set *set, void *data, size_t len, unsigned options)
+{
+ struct ip_set_ipmap *mysetdata =
+ (struct ip_set_ipmap *) set->settype->header;
+ ip_set_ip_t id;
+
+ for (id = 0; id < mysetdata->sizeid; id++)
+ if (test_bit(id, data))
+ printf("%s\n",
+ ip_tostring(mysetdata->first_ip
+ + id * mysetdata->hosts,
+ options));
+}
+
+void saveheader(struct set *set, unsigned options)
+{
+ struct ip_set_ipmap *mysetdata =
+ (struct ip_set_ipmap *) set->settype->header;
+
+ printf("-N %s %s --from %s",
+ set->name, set->settype->typename,
+ ip_tostring(mysetdata->first_ip, options));
+ printf(" --to %s",
+ ip_tostring(mysetdata->last_ip, options));
+ if (mysetdata->netmask == 0xFFFFFFFF)
+ printf("\n");
+ else
+ printf(" --netmask %d\n",
+ mask_to_bits(mysetdata->netmask));
+}
+
+void saveips(struct set *set, void *data, size_t len, unsigned options)
+{
+ struct ip_set_ipmap *mysetdata =
+ (struct ip_set_ipmap *) set->settype->header;
+ ip_set_ip_t id;
+
+ DP("%s", set->name);
+ for (id = 0; id < mysetdata->sizeid; id++)
+ if (test_bit(id, data))
+ printf("-A %s %s\n",
+ set->name,
+ ip_tostring(mysetdata->first_ip
+ + id * mysetdata->hosts,
+ options));
+}
+
+void usage(void)
+{
+ printf
+ ("-N set ipmap --from IP --to IP [--netmask CIDR-netmask]\n"
+ "-N set ipmap --network IP/mask [--netmask CIDR-netmask]\n"
+ "-A set IP\n"
+ "-D set IP\n"
+ "-T set IP\n");
+}
+
+static struct settype settype_ipmap = {
+ .typename = SETTYPE_NAME,
+ .protocol_version = IP_SET_PROTOCOL_VERSION,
+
+ /* Create */
+ .create_size = sizeof(struct ip_set_req_ipmap_create),
+ .create_init = &create_init,
+ .create_parse = &create_parse,
+ .create_final = &create_final,
+ .create_opts = create_opts,
+
+ /* Add/del/test */
+ .adt_size = sizeof(struct ip_set_req_ipmap),
+ .adt_parser = &adt_parser,
+
+ /* Printing */
+ .header_size = sizeof(struct ip_set_ipmap),
+ .initheader = &initheader,
+ .printheader = &printheader,
+ .printips = &printips_sorted, /* We only have sorted version */
+ .printips_sorted = &printips_sorted,
+ .saveheader = &saveheader,
+ .saveips = &saveips,
+
+ /* Bindings */
+ .bindip_tostring = &binding_ip_tostring,
+ .bindip_parse = &parse_ip,
+
+ .usage = &usage,
+};
+
+void _init(void)
+{
+ settype_register(&settype_ipmap);
+
+}
--- /dev/null
+/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <time.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <asm/bitops.h>
+#include <asm/types.h>
+
+#include <linux/netfilter_ipv4/ip_set_ipporthash.h>
+#include <linux/netfilter_ipv4/ip_set_jhash.h>
+
+#include "ipset.h"
+
+#define OPT_CREATE_HASHSIZE 0x01U
+#define OPT_CREATE_PROBES 0x02U
+#define OPT_CREATE_RESIZE 0x04U
+#define OPT_CREATE_NETWORK 0x08U
+#define OPT_CREATE_FROM 0x10U
+#define OPT_CREATE_TO 0x20U
+
+/* Initialize the create. */
+void create_init(void *data)
+{
+ struct ip_set_req_ipporthash_create *mydata =
+ (struct ip_set_req_ipporthash_create *) data;
+
+ DP("create INIT");
+
+ /* Default create parameters */
+ mydata->hashsize = 1024;
+ mydata->probes = 8;
+ mydata->resize = 50;
+}
+
+/* Function which parses command options; returns true if it ate an option */
+int create_parse(int c, char *argv[], void *data, unsigned *flags)
+{
+ struct ip_set_req_ipporthash_create *mydata =
+ (struct ip_set_req_ipporthash_create *) data;
+ ip_set_ip_t value;
+
+ DP("create_parse");
+
+ switch (c) {
+ case '1':
+
+ if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
+ exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
+
+ *flags |= OPT_CREATE_HASHSIZE;
+
+ DP("--hashsize %u", mydata->hashsize);
+
+ break;
+
+ case '2':
+
+ if (string_to_number(optarg, 1, 65535, &value))
+ exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
+
+ mydata->probes = value;
+ *flags |= OPT_CREATE_PROBES;
+
+ DP("--probes %u", mydata->probes);
+
+ break;
+
+ case '3':
+
+ if (string_to_number(optarg, 0, 65535, &value))
+ exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
+
+ mydata->resize = value;
+ *flags |= OPT_CREATE_RESIZE;
+
+ DP("--resize %u", mydata->resize);
+
+ break;
+
+ case '4':
+ parse_ip(optarg, &mydata->from);
+
+ *flags |= OPT_CREATE_FROM;
+
+ DP("--from %x (%s)", mydata->from,
+ ip_tostring_numeric(mydata->from));
+
+ break;
+
+ case '5':
+ parse_ip(optarg, &mydata->to);
+
+ *flags |= OPT_CREATE_TO;
+
+ DP("--to %x (%s)", mydata->to,
+ ip_tostring_numeric(mydata->to));
+
+ break;
+
+ case '6':
+ parse_ipandmask(optarg, &mydata->from, &mydata->to);
+
+ /* Make to the last of from + mask */
+ if (mydata->to)
+ mydata->to = mydata->from | ~(mydata->to);
+ else {
+ mydata->from = 0x00000000;
+ mydata->to = 0xFFFFFFFF;
+ }
+ *flags |= OPT_CREATE_NETWORK;
+
+ DP("--network from %x (%s)",
+ mydata->from, ip_tostring_numeric(mydata->from));
+ DP("--network to %x (%s)",
+ mydata->to, ip_tostring_numeric(mydata->to));
+
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Final check; exit if not ok. */
+void create_final(void *data, unsigned int flags)
+{
+ struct ip_set_req_ipporthash_create *mydata =
+ (struct ip_set_req_ipporthash_create *) data;
+
+#ifdef IPSET_DEBUG
+ DP("hashsize %u probes %u resize %u",
+ mydata->hashsize, mydata->probes, mydata->resize);
+#endif
+
+ if (flags & OPT_CREATE_NETWORK) {
+ /* --network */
+ if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
+ exit_error(PARAMETER_PROBLEM,
+ "Can't specify --from or --to with --network\n");
+ } else if (flags & (OPT_CREATE_FROM | OPT_CREATE_TO)) {
+ /* --from --to */
+ if (!(flags & OPT_CREATE_FROM) || !(flags & OPT_CREATE_TO))
+ exit_error(PARAMETER_PROBLEM,
+ "Need to specify both --from and --to\n");
+ } else {
+ exit_error(PARAMETER_PROBLEM,
+ "Need to specify --from and --to, or --network\n");
+
+ }
+
+ DP("from : %x to: %x diff: %x",
+ mydata->from, mydata->to,
+ mydata->to - mydata->from);
+
+ if (mydata->from > mydata->to)
+ exit_error(PARAMETER_PROBLEM,
+ "From can't be higher than to.\n");
+
+ if (mydata->to - mydata->from > MAX_RANGE)
+ exit_error(PARAMETER_PROBLEM,
+ "Range to large. Max is %d IPs in range\n",
+ MAX_RANGE+1);
+}
+
+/* Create commandline options */
+static struct option create_opts[] = {
+ {"hashsize", 1, 0, '1'},
+ {"probes", 1, 0, '2'},
+ {"resize", 1, 0, '3'},
+ {"from", 1, 0, '4'},
+ {"to", 1, 0, '5'},
+ {"network", 1, 0, '6'},
+ {0}
+};
+
+/* Add, del, test parser */
+ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
+{
+ struct ip_set_req_ipporthash *mydata =
+ (struct ip_set_req_ipporthash *) data;
+ char *saved = ipset_strdup(optarg);
+ char *ptr, *tmp = saved;
+
+ DP("ipporthash: %p %p", optarg, data);
+
+ ptr = strsep(&tmp, "%");
+ parse_ip(ptr, &mydata->ip);
+
+ if (tmp)
+ parse_port(tmp, &mydata->port);
+ else
+ exit_error(PARAMETER_PROBLEM,
+ "IP address and port must be specified: ip%%port");
+ free(saved);
+ return 1;
+};
+
+/*
+ * Print and save
+ */
+
+void initheader(struct set *set, const void *data)
+{
+ struct ip_set_req_ipporthash_create *header =
+ (struct ip_set_req_ipporthash_create *) data;
+ struct ip_set_ipporthash *map =
+ (struct ip_set_ipporthash *) set->settype->header;
+
+ memset(map, 0, sizeof(struct ip_set_ipporthash));
+ map->hashsize = header->hashsize;
+ map->probes = header->probes;
+ map->resize = header->resize;
+ map->first_ip = header->from;
+ map->last_ip = header->to;
+}
+
+void printheader(struct set *set, unsigned options)
+{
+ struct ip_set_ipporthash *mysetdata =
+ (struct ip_set_ipporthash *) set->settype->header;
+
+ printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
+ printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
+ printf(" hashsize: %u", mysetdata->hashsize);
+ printf(" probes: %u", mysetdata->probes);
+ printf(" resize: %u\n", mysetdata->resize);
+}
+
+void printips(struct set *set, void *data, size_t len, unsigned options)
+{
+ struct ip_set_ipporthash *mysetdata =
+ (struct ip_set_ipporthash *) set->settype->header;
+ size_t offset = 0;
+ ip_set_ip_t *ipptr, ip;
+ uint16_t port;
+
+ while (offset < len) {
+ ipptr = data + offset;
+ if (*ipptr) {
+ ip = (*ipptr>>16) + mysetdata->first_ip;
+ port = (uint16_t) *ipptr;
+ printf("%s%%%s\n",
+ ip_tostring(ip, options),
+ port_tostring(port, options));
+ }
+ offset += sizeof(ip_set_ip_t);
+ }
+}
+
+void saveheader(struct set *set, unsigned options)
+{
+ struct ip_set_ipporthash *mysetdata =
+ (struct ip_set_ipporthash *) set->settype->header;
+
+ printf("-N %s %s --from %s",
+ set->name, set->settype->typename,
+ ip_tostring(mysetdata->first_ip, options));
+ printf(" --to %s",
+ ip_tostring(mysetdata->last_ip, options));
+ printf(" --hashsize %u --probes %u --resize %u\n",
+ mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
+}
+
+/* Print save for an IP */
+void saveips(struct set *set, void *data, size_t len, unsigned options)
+{
+ struct ip_set_ipporthash *mysetdata =
+ (struct ip_set_ipporthash *) set->settype->header;
+ size_t offset = 0;
+ ip_set_ip_t *ipptr, ip;
+ uint16_t port;
+
+ while (offset < len) {
+ ipptr = data + offset;
+ if (*ipptr) {
+ ip = (*ipptr>>16) + mysetdata->first_ip;
+ port = (uint16_t) *ipptr;
+ printf("-A %s %s%%%s\n", set->name,
+ ip_tostring(ip, options),
+ port_tostring(port, options));
+ }
+ offset += sizeof(ip_set_ip_t);
+ }
+}
+
+static char buffer[22];
+
+static char * unpack_ipport_tostring(struct set *set, ip_set_ip_t bip, unsigned options)
+{
+ struct ip_set_ipporthash *mysetdata =
+ (struct ip_set_ipporthash *) set->settype->header;
+ ip_set_ip_t ip, port;
+
+ ip = (bip>>16) + mysetdata->first_ip;
+ port = (uint16_t) bip;
+ sprintf(buffer, "%s%%%s",
+ ip_tostring(ip, options), port_tostring(port, options));
+
+ return buffer;
+}
+
+void usage(void)
+{
+ printf
+ ("-N set ipporthash --from IP --to IP\n"
+ " [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
+ "-N set ipporthash --network IP/mask\n"
+ " [--hashsize hashsize] [--probes probes ] [--resize resize]\n"
+ "-A set IP%%port\n"
+ "-D set IP%%port\n"
+ "-T set IP%%port\n");
+}
+
+static struct settype settype_ipporthash = {
+ .typename = SETTYPE_NAME,
+ .protocol_version = IP_SET_PROTOCOL_VERSION,
+
+ /* Create */
+ .create_size = sizeof(struct ip_set_req_ipporthash_create),
+ .create_init = &create_init,
+ .create_parse = &create_parse,
+ .create_final = &create_final,
+ .create_opts = create_opts,
+
+ /* Add/del/test */
+ .adt_size = sizeof(struct ip_set_req_ipporthash),
+ .adt_parser = &adt_parser,
+
+ /* Printing */
+ .header_size = sizeof(struct ip_set_ipporthash),
+ .initheader = &initheader,
+ .printheader = &printheader,
+ .printips = &printips, /* We only have the unsorted version */
+ .printips_sorted = &printips,
+ .saveheader = &saveheader,
+ .saveips = &saveips,
+
+ /* Bindings */
+ .bindip_tostring = &unpack_ipport_tostring,
+ .bindip_parse = &parse_ip,
+
+ .usage = &usage,
+};
+
+void _init(void)
+{
+ settype_register(&settype_ipporthash);
+
+}
--- /dev/null
+/* Copyright 2005 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <linux/netfilter_ipv4/ip_set_iptree.h>
+#include "ipset.h"
+
+#define BUFLEN 30;
+
+#define OPT_CREATE_TIMEOUT 0x01U
+
+/* Initialize the create. */
+void create_init(void *data)
+{
+ struct ip_set_req_iptree_create *mydata =
+ (struct ip_set_req_iptree_create *) data;
+
+ DP("create INIT");
+ mydata->timeout = 0;
+}
+
+/* Function which parses command options; returns true if it ate an option */
+int create_parse(int c, char *argv[], void *data, unsigned *flags)
+{
+ struct ip_set_req_iptree_create *mydata =
+ (struct ip_set_req_iptree_create *) data;
+
+ DP("create_parse");
+
+ switch (c) {
+ case '1':
+ string_to_number(optarg, 0, UINT_MAX, &mydata->timeout);
+
+ *flags |= OPT_CREATE_TIMEOUT;
+
+ DP("--timeout %u", mydata->timeout);
+
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Final check; exit if not ok. */
+void create_final(void *data, unsigned int flags)
+{
+}
+
+/* Create commandline options */
+static struct option create_opts[] = {
+ {"timeout", 1, 0, '1'},
+ {0}
+};
+
+/* Add, del, test parser */
+ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
+{
+ struct ip_set_req_iptree *mydata =
+ (struct ip_set_req_iptree *) data;
+ char *saved = ipset_strdup(optarg);
+ char *ptr, *tmp = saved;
+
+ DP("iptree: %p %p", optarg, data);
+
+ ptr = strsep(&tmp, "%");
+ parse_ip(ptr, &mydata->ip);
+
+ if (tmp)
+ string_to_number(tmp, 0, UINT_MAX, &mydata->timeout);
+ else
+ mydata->timeout = 0;
+
+ free(saved);
+ return 1;
+}
+
+/*
+ * Print and save
+ */
+
+void initheader(struct set *set, const void *data)
+{
+ struct ip_set_req_iptree_create *header =
+ (struct ip_set_req_iptree_create *) data;
+ struct ip_set_iptree *map =
+ (struct ip_set_iptree *) set->settype->header;
+
+ map->timeout = header->timeout;
+}
+
+void printheader(struct set *set, unsigned options)
+{
+ struct ip_set_iptree *mysetdata =
+ (struct ip_set_iptree *) set->settype->header;
+
+ if (mysetdata->timeout)
+ printf(" timeout: %u", mysetdata->timeout);
+ printf("\n");
+}
+
+void printips_sorted(struct set *set, void *data, size_t len, unsigned options)
+{
+ struct ip_set_iptree *mysetdata =
+ (struct ip_set_iptree *) set->settype->header;
+ struct ip_set_req_iptree *req;
+ size_t offset = 0;
+
+ while (len >= offset + sizeof(struct ip_set_req_iptree)) {
+ req = (struct ip_set_req_iptree *)(data + offset);
+ if (mysetdata->timeout)
+ printf("%s%%%u\n", ip_tostring(req->ip, options),
+ req->timeout);
+ else
+ printf("%s\n", ip_tostring(req->ip, options));
+ offset += sizeof(struct ip_set_req_iptree);
+ }
+}
+
+void saveheader(struct set *set, unsigned options)
+{
+ struct ip_set_iptree *mysetdata =
+ (struct ip_set_iptree *) set->settype->header;
+
+ if (mysetdata->timeout)
+ printf("-N %s %s --timeout %u\n",
+ set->name, set->settype->typename,
+ mysetdata->timeout);
+ else
+ printf("-N %s %s\n",
+ set->name, set->settype->typename);
+}
+
+void saveips(struct set *set, void *data, size_t len, unsigned options)
+{
+ struct ip_set_iptree *mysetdata =
+ (struct ip_set_iptree *) set->settype->header;
+ struct ip_set_req_iptree *req;
+ size_t offset = 0;
+
+ DP("%s", set->name);
+
+ while (len >= offset + sizeof(struct ip_set_req_iptree)) {
+ req = (struct ip_set_req_iptree *)(data + offset);
+ if (mysetdata->timeout)
+ printf("-A %s %s%%%u\n",
+ set->name,
+ ip_tostring(req->ip, options),
+ req->timeout);
+ else
+ printf("-A %s %s\n",
+ set->name,
+ ip_tostring(req->ip, options));
+ offset += sizeof(struct ip_set_req_iptree);
+ }
+}
+
+void usage(void)
+{
+ printf
+ ("-N set iptree [--timeout value]\n"
+ "-A set IP[%%timeout]\n"
+ "-D set IP\n"
+ "-T set IP\n");
+}
+
+static struct settype settype_iptree = {
+ .typename = SETTYPE_NAME,
+ .protocol_version = IP_SET_PROTOCOL_VERSION,
+
+ /* Create */
+ .create_size = sizeof(struct ip_set_req_iptree_create),
+ .create_init = &create_init,
+ .create_parse = &create_parse,
+ .create_final = &create_final,
+ .create_opts = create_opts,
+
+ /* Add/del/test */
+ .adt_size = sizeof(struct ip_set_req_iptree),
+ .adt_parser = &adt_parser,
+
+ /* Printing */
+ .header_size = sizeof(struct ip_set_iptree),
+ .initheader = &initheader,
+ .printheader = &printheader,
+ .printips = &printips_sorted, /* We only have sorted version */
+ .printips_sorted = &printips_sorted,
+ .saveheader = &saveheader,
+ .saveips = &saveips,
+
+ /* Bindings */
+ .bindip_tostring = &binding_ip_tostring,
+ .bindip_parse = &parse_ip,
+
+ .usage = &usage,
+};
+
+void _init(void)
+{
+ settype_register(&settype_iptree);
+
+}
--- /dev/null
+/* Copyright 2000, 2001, 2002 Joakim Axelsson (gozem@linux.nu)
+ * Patrick Schaaf (bof@bof.de)
+ * Martin Josefsson (gandalf@wlug.westbo.se)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <asm/bitops.h>
+#include <linux/if_ether.h>
+
+#include <linux/netfilter_ipv4/ip_set_macipmap.h>
+#include "ipset.h"
+
+#define BUFLEN 30;
+
+#define OPT_CREATE_FROM 0x01U
+#define OPT_CREATE_TO 0x02U
+#define OPT_CREATE_NETWORK 0x04U
+#define OPT_CREATE_MATCHUNSET 0x08U
+
+#define OPT_ADDDEL_IP 0x01U
+#define OPT_ADDDEL_MAC 0x02U
+
+/* Initialize the create. */
+void create_init(void *data)
+{
+ DP("create INIT");
+ /* Nothing */
+}
+
+/* Function which parses command options; returns true if it ate an option */
+int create_parse(int c, char *argv[], void *data, unsigned *flags)
+{
+ struct ip_set_req_macipmap_create *mydata =
+ (struct ip_set_req_macipmap_create *) data;
+
+ DP("create_parse");
+
+ switch (c) {
+ case '1':
+ parse_ip(optarg, &mydata->from);
+
+ *flags |= OPT_CREATE_FROM;
+
+ DP("--from %x (%s)", mydata->from,
+ ip_tostring_numeric(mydata->from));
+
+ break;
+
+ case '2':
+ parse_ip(optarg, &mydata->to);
+
+ *flags |= OPT_CREATE_TO;
+
+ DP("--to %x (%s)", mydata->to,
+ ip_tostring_numeric(mydata->to));
+
+ break;
+
+ case '3':
+ parse_ipandmask(optarg, &mydata->from, &mydata->to);
+
+ /* Make to the last of from + mask */
+ mydata->to = mydata->from | (~mydata->to);
+
+ *flags |= OPT_CREATE_NETWORK;
+
+ DP("--network from %x (%s)",
+ mydata->from, ip_tostring_numeric(mydata->from));
+ DP("--network to %x (%s)",
+ mydata->to, ip_tostring_numeric(mydata->to));
+
+ break;
+
+ case '4':
+ mydata->flags |= IPSET_MACIP_MATCHUNSET;
+
+ *flags |= OPT_CREATE_MATCHUNSET;
+
+ DP("--matchunset");
+
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Final check; exit if not ok. */
+void create_final(void *data, unsigned int flags)
+{
+ struct ip_set_req_macipmap_create *mydata =
+ (struct ip_set_req_macipmap_create *) data;
+
+ if (flags == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "Need to specify --from and --to, or --network\n");
+
+ if (flags & OPT_CREATE_NETWORK) {
+ /* --network */
+ if ((flags & OPT_CREATE_FROM) || (flags & OPT_CREATE_TO))
+ exit_error(PARAMETER_PROBLEM,
+ "Can't specify --from or --to with --network\n");
+ } else {
+ /* --from --to */
+ if ((flags & OPT_CREATE_FROM) == 0
+ || (flags & OPT_CREATE_TO) == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "Need to specify both --from and --to\n");
+ }
+
+
+ DP("from : %x to: %x diff: %d match unset: %d", mydata->from,
+ mydata->to, mydata->to - mydata->from,
+ flags & OPT_CREATE_MATCHUNSET);
+
+ if (mydata->from > mydata->to)
+ exit_error(PARAMETER_PROBLEM,
+ "From can't be lower than to.\n");
+
+ if (mydata->to - mydata->from > MAX_RANGE)
+ exit_error(PARAMETER_PROBLEM,
+ "Range too large. Max is %d IPs in range\n",
+ MAX_RANGE+1);
+}
+
+/* Create commandline options */
+static struct option create_opts[] = {
+ {"from", 1, 0, '1'},
+ {"to", 1, 0, '2'},
+ {"network", 1, 0, '3'},
+ {"matchunset", 0, 0, '4'},
+ {0}
+};
+
+static void parse_mac(const char *mac, unsigned char *ethernet)
+{
+ unsigned int i = 0;
+
+ if (strlen(mac) != ETH_ALEN * 3 - 1)
+ exit_error(PARAMETER_PROBLEM, "Bad mac address `%s'", mac);
+
+ for (i = 0; i < ETH_ALEN; i++) {
+ long number;
+ char *end;
+
+ number = strtol(mac + i * 3, &end, 16);
+
+ if (end == mac + i * 3 + 2 && number >= 0 && number <= 255)
+ ethernet[i] = number;
+ else
+ exit_error(PARAMETER_PROBLEM,
+ "Bad mac address `%s'", mac);
+ }
+}
+
+/* Add, del, test parser */
+ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
+{
+ struct ip_set_req_macipmap *mydata =
+ (struct ip_set_req_macipmap *) data;
+ char *saved = ipset_strdup(optarg);
+ char *ptr, *tmp = saved;
+
+ DP("macipmap: %p %p", optarg, data);
+
+ ptr = strsep(&tmp, "%");
+ parse_ip(ptr, &mydata->ip);
+
+ if (tmp)
+ parse_mac(tmp, mydata->ethernet);
+ else
+ memset(mydata->ethernet, 0, ETH_ALEN);
+
+ free(saved);
+ return 1;
+}
+
+/*
+ * Print and save
+ */
+
+void initheader(struct set *set, const void *data)
+{
+ struct ip_set_req_macipmap_create *header =
+ (struct ip_set_req_macipmap_create *) data;
+ struct ip_set_macipmap *map =
+ (struct ip_set_macipmap *) set->settype->header;
+
+ memset(map, 0, sizeof(struct ip_set_macipmap));
+ map->first_ip = header->from;
+ map->last_ip = header->to;
+ map->flags = header->flags;
+}
+
+void printheader(struct set *set, unsigned options)
+{
+ struct ip_set_macipmap *mysetdata =
+ (struct ip_set_macipmap *) set->settype->header;
+
+ printf(" from: %s", ip_tostring(mysetdata->first_ip, options));
+ printf(" to: %s", ip_tostring(mysetdata->last_ip, options));
+
+ if (mysetdata->flags & IPSET_MACIP_MATCHUNSET)
+ printf(" matchunset");
+ printf("\n");
+}
+
+static void print_mac(unsigned char macaddress[ETH_ALEN])
+{
+ unsigned int i;
+
+ printf("%02X", macaddress[0]);
+ for (i = 1; i < ETH_ALEN; i++)
+ printf(":%02X", macaddress[i]);
+}
+
+void printips_sorted(struct set *set, void *data, size_t len, unsigned options)
+{
+ struct ip_set_macipmap *mysetdata =
+ (struct ip_set_macipmap *) set->settype->header;
+ struct ip_set_macip *table =
+ (struct ip_set_macip *) data;
+ u_int32_t addr = mysetdata->first_ip;
+
+ while (addr <= mysetdata->last_ip) {
+ if (test_bit(IPSET_MACIP_ISSET,
+ (void *)&table[addr - mysetdata->first_ip].flags)) {
+ printf("%s%%", ip_tostring(addr, options));
+ print_mac(table[addr - mysetdata->first_ip].
+ ethernet);
+ printf("\n");
+ }
+ addr++;
+ }
+}
+
+void saveheader(struct set *set, unsigned options)
+{
+ struct ip_set_macipmap *mysetdata =
+ (struct ip_set_macipmap *) set->settype->header;
+
+ printf("-N %s %s --from %s",
+ set->name, set->settype->typename,
+ ip_tostring(mysetdata->first_ip, options));
+ printf(" --to %s", ip_tostring(mysetdata->last_ip, options));
+
+ if (mysetdata->flags & IPSET_MACIP_MATCHUNSET)
+ printf(" --matchunset");
+ printf("\n");
+}
+
+void saveips(struct set *set, void *data, size_t len, unsigned options)
+{
+ struct ip_set_macipmap *mysetdata =
+ (struct ip_set_macipmap *) set->settype->header;
+ struct ip_set_macip *table =
+ (struct ip_set_macip *) data;
+ u_int32_t addr = mysetdata->first_ip;
+
+ while (addr <= mysetdata->last_ip) {
+ if (test_bit(IPSET_MACIP_ISSET,
+ (void *)&table[addr - mysetdata->first_ip].flags)) {
+ printf("-A %s %s%%",
+ set->name, ip_tostring(addr, options));
+ print_mac(table[addr - mysetdata->first_ip].
+ ethernet);
+ printf("\n");
+ }
+ addr++;
+ }
+}
+
+void usage(void)
+{
+ printf
+ ("-N set macipmap --from IP --to IP [--matchunset]\n"
+ "-N set macipmap --network IP/mask [--matchunset]\n"
+ "-A set IP%%MAC\n"
+ "-D set IP[%%MAC]\n"
+ "-T set IP[%%MAC]\n");
+}
+
+static struct settype settype_macipmap = {
+ .typename = SETTYPE_NAME,
+ .protocol_version = IP_SET_PROTOCOL_VERSION,
+
+ /* Create */
+ .create_size = sizeof(struct ip_set_req_macipmap_create),
+ .create_init = &create_init,
+ .create_parse = &create_parse,
+ .create_final = &create_final,
+ .create_opts = create_opts,
+
+ /* Add/del/test */
+ .adt_size = sizeof(struct ip_set_req_macipmap),
+ .adt_parser = &adt_parser,
+
+ /* Printing */
+ .header_size = sizeof(struct ip_set_macipmap),
+ .initheader = &initheader,
+ .printheader = &printheader,
+ .printips = &printips_sorted, /* We only have sorted version */
+ .printips_sorted = &printips_sorted,
+ .saveheader = &saveheader,
+ .saveips = &saveips,
+
+ /* Bindings */
+ .bindip_tostring = &binding_ip_tostring,
+ .bindip_parse = &parse_ip,
+
+ .usage = &usage,
+};
+
+void _init(void)
+{
+ settype_register(&settype_macipmap);
+
+}
--- /dev/null
+/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <time.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <asm/bitops.h>
+#include <asm/types.h>
+
+#include <linux/netfilter_ipv4/ip_set_nethash.h>
+#include <linux/netfilter_ipv4/ip_set_jhash.h>
+
+#include "ipset.h"
+
+#define BUFLEN 30;
+
+#define OPT_CREATE_HASHSIZE 0x01U
+#define OPT_CREATE_PROBES 0x02U
+#define OPT_CREATE_RESIZE 0x04U
+
+/* Initialize the create. */
+void create_init(void *data)
+{
+ struct ip_set_req_nethash_create *mydata =
+ (struct ip_set_req_nethash_create *) data;
+
+ DP("create INIT");
+
+ /* Default create parameters */
+ mydata->hashsize = 1024;
+ mydata->probes = 4;
+ mydata->resize = 50;
+}
+
+/* Function which parses command options; returns true if it ate an option */
+int create_parse(int c, char *argv[], void *data, unsigned *flags)
+{
+ struct ip_set_req_nethash_create *mydata =
+ (struct ip_set_req_nethash_create *) data;
+ ip_set_ip_t value;
+
+ DP("create_parse");
+
+ switch (c) {
+ case '1':
+
+ if (string_to_number(optarg, 1, UINT_MAX - 1, &mydata->hashsize))
+ exit_error(PARAMETER_PROBLEM, "Invalid hashsize `%s' specified", optarg);
+
+ *flags |= OPT_CREATE_HASHSIZE;
+
+ DP("--hashsize %u", mydata->hashsize);
+
+ break;
+
+ case '2':
+
+ if (string_to_number(optarg, 1, 65535, &value))
+ exit_error(PARAMETER_PROBLEM, "Invalid probes `%s' specified", optarg);
+
+ mydata->probes = value;
+ *flags |= OPT_CREATE_PROBES;
+
+ DP("--probes %u", mydata->probes);
+
+ break;
+
+ case '3':
+
+ if (string_to_number(optarg, 0, 65535, &value))
+ exit_error(PARAMETER_PROBLEM, "Invalid resize `%s' specified", optarg);
+
+ mydata->resize = value;
+ *flags |= OPT_CREATE_RESIZE;
+
+ DP("--resize %u", mydata->resize);
+
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Final check; exit if not ok. */
+void create_final(void *data, unsigned int flags)
+{
+#ifdef IPSET_DEBUG
+ struct ip_set_req_nethash_create *mydata =
+ (struct ip_set_req_nethash_create *) data;
+
+ DP("hashsize %u probes %u resize %u",
+ mydata->hashsize, mydata->probes, mydata->resize);
+#endif
+}
+
+/* Create commandline options */
+static struct option create_opts[] = {
+ {"hashsize", 1, 0, '1'},
+ {"probes", 1, 0, '2'},
+ {"resize", 1, 0, '3'},
+ {0}
+};
+
+/* Add, del, test parser */
+ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
+{
+ struct ip_set_req_nethash *mydata =
+ (struct ip_set_req_nethash *) data;
+ char *saved = ipset_strdup(optarg);
+ char *ptr, *tmp = saved;
+ ip_set_ip_t cidr;
+
+ ptr = strsep(&tmp, "/");
+
+ if (tmp == NULL) {
+ if (cmd == CMD_TEST)
+ cidr = 32;
+ else
+ exit_error(PARAMETER_PROBLEM,
+ "Missing cidr from `%s'", optarg);
+ } else
+ if (string_to_number(tmp, 1, 31, &cidr))
+ exit_error(PARAMETER_PROBLEM,
+ "Out of range cidr `%s' specified", optarg);
+
+ mydata->cidr = cidr;
+ parse_ip(ptr, &mydata->ip);
+ if (!mydata->ip)
+ exit_error(PARAMETER_PROBLEM,
+ "Zero valued IP address `%s' specified", ptr);
+ free(saved);
+
+ return mydata->ip;
+};
+
+/*
+ * Print and save
+ */
+
+void initheader(struct set *set, const void *data)
+{
+ struct ip_set_req_nethash_create *header =
+ (struct ip_set_req_nethash_create *) data;
+ struct ip_set_nethash *map =
+ (struct ip_set_nethash *) set->settype->header;
+
+ memset(map, 0, sizeof(struct ip_set_nethash));
+ map->hashsize = header->hashsize;
+ map->probes = header->probes;
+ map->resize = header->resize;
+}
+
+unsigned int
+mask_to_bits(ip_set_ip_t mask)
+{
+ unsigned int bits = 32;
+ ip_set_ip_t maskaddr;
+
+ if (mask == 0xFFFFFFFF)
+ return bits;
+
+ maskaddr = 0xFFFFFFFE;
+ while (--bits >= 0 && maskaddr != mask)
+ maskaddr <<= 1;
+
+ return bits;
+}
+
+void printheader(struct set *set, unsigned options)
+{
+ struct ip_set_nethash *mysetdata =
+ (struct ip_set_nethash *) set->settype->header;
+
+ printf(" hashsize: %u", mysetdata->hashsize);
+ printf(" probes: %u", mysetdata->probes);
+ printf(" resize: %u\n", mysetdata->resize);
+}
+
+static char buf[20];
+
+static char * unpack_ip_tostring(ip_set_ip_t ip, unsigned options)
+{
+ int i, j = 3;
+ unsigned char a, b;
+
+ ip = htonl(ip);
+ for (i = 3; i >= 0; i--)
+ if (((unsigned char *)&ip)[i] != 0) {
+ j = i;
+ break;
+ }
+
+ a = ((unsigned char *)&ip)[j];
+ if (a <= 128) {
+ a = (a - 1) * 2;
+ b = 7;
+ } else if (a <= 192) {
+ a = (a - 129) * 4;
+ b = 6;
+ } else if (a <= 224) {
+ a = (a - 193) * 8;
+ b = 5;
+ } else if (a <= 240) {
+ a = (a - 225) * 16;
+ b = 4;
+ } else if (a <= 248) {
+ a = (a - 241) * 32;
+ b = 3;
+ } else if (a <= 252) {
+ a = (a - 249) * 64;
+ b = 2;
+ } else if (a <= 254) {
+ a = (a - 253) * 128;
+ b = 1;
+ } else {
+ a = b = 0;
+ }
+ ((unsigned char *)&ip)[j] = a;
+ b += j * 8;
+
+ sprintf(buf, "%u.%u.%u.%u/%u",
+ ((unsigned char *)&ip)[0],
+ ((unsigned char *)&ip)[1],
+ ((unsigned char *)&ip)[2],
+ ((unsigned char *)&ip)[3],
+ b);
+
+ DP("%s %s", ip_tostring(ntohl(ip), options), buf);
+ return buf;
+}
+
+void printips(struct set *set, void *data, size_t len, unsigned options)
+{
+ size_t offset = 0;
+ ip_set_ip_t *ip;
+
+ while (offset < len) {
+ ip = data + offset;
+ if (*ip)
+ printf("%s\n", unpack_ip_tostring(*ip, options));
+ offset += sizeof(ip_set_ip_t);
+ }
+}
+
+void saveheader(struct set *set, unsigned options)
+{
+ struct ip_set_nethash *mysetdata =
+ (struct ip_set_nethash *) set->settype->header;
+
+ printf("-N %s %s --hashsize %u --probes %u --resize %u\n",
+ set->name, set->settype->typename,
+ mysetdata->hashsize, mysetdata->probes, mysetdata->resize);
+}
+
+/* Print save for an IP */
+void saveips(struct set *set, void *data, size_t len, unsigned options)
+{
+ size_t offset = 0;
+ ip_set_ip_t *ip;
+
+ while (offset < len) {
+ ip = data + offset;
+ if (*ip)
+ printf("-A %s %s\n", set->name,
+ unpack_ip_tostring(*ip, options));
+ offset += sizeof(ip_set_ip_t);
+ }
+}
+
+static char * net_tostring(struct set *set, ip_set_ip_t ip, unsigned options)
+{
+ return unpack_ip_tostring(ip, options);
+}
+
+static void parse_net(const char *str, ip_set_ip_t *ip)
+{
+ char *saved = strdup(str);
+ char *ptr, *tmp = saved;
+ ip_set_ip_t cidr;
+
+ ptr = strsep(&tmp, "/");
+
+ if (tmp == NULL)
+ exit_error(PARAMETER_PROBLEM,
+ "Missing cidr from `%s'", str);
+
+ if (string_to_number(tmp, 1, 31, &cidr))
+ exit_error(PARAMETER_PROBLEM,
+ "Out of range cidr `%s' specified", str);
+
+ parse_ip(ptr, ip);
+ free(saved);
+
+ *ip = pack(*ip, cidr);
+}
+
+void usage(void)
+{
+ printf
+ ("-N set nethash [--hashsize hashsize] [--probes probes ]\n"
+ " [--resize resize]\n"
+ "-A set IP/cidr\n"
+ "-D set IP/cidr\n"
+ "-T set IP/cidr\n");
+}
+
+static struct settype settype_nethash = {
+ .typename = SETTYPE_NAME,
+ .protocol_version = IP_SET_PROTOCOL_VERSION,
+
+ /* Create */
+ .create_size = sizeof(struct ip_set_req_nethash_create),
+ .create_init = &create_init,
+ .create_parse = &create_parse,
+ .create_final = &create_final,
+ .create_opts = create_opts,
+
+ /* Add/del/test */
+ .adt_size = sizeof(struct ip_set_req_nethash),
+ .adt_parser = &adt_parser,
+
+ /* Printing */
+ .header_size = sizeof(struct ip_set_nethash),
+ .initheader = &initheader,
+ .printheader = &printheader,
+ .printips = &printips, /* We only have the unsorted version */
+ .printips_sorted = &printips,
+ .saveheader = &saveheader,
+ .saveips = &saveips,
+
+ /* Bindings */
+ .bindip_tostring = &net_tostring,
+ .bindip_parse = &parse_net,
+
+ .usage = &usage,
+};
+
+void _init(void)
+{
+ settype_register(&settype_nethash);
+
+}
--- /dev/null
+/* Copyright 2004 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+
+#include <stdio.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <asm/bitops.h>
+
+#include <linux/netfilter_ipv4/ip_set_portmap.h>
+#include "ipset.h"
+
+
+#define BUFLEN 30;
+
+#define OPT_CREATE_FROM 0x01U
+#define OPT_CREATE_TO 0x02U
+
+#define OPT_ADDDEL_PORT 0x01U
+
+/* Initialize the create. */
+void create_init(void *data)
+{
+ DP("create INIT");
+ /* Nothing */
+}
+
+/* Function which parses command options; returns true if it ate an option */
+int create_parse(int c, char *argv[], void *data, unsigned *flags)
+{
+ struct ip_set_req_portmap_create *mydata =
+ (struct ip_set_req_portmap_create *) data;
+
+ DP("create_parse");
+
+ switch (c) {
+ case '1':
+ parse_port(optarg, &mydata->from);
+
+ *flags |= OPT_CREATE_FROM;
+
+ DP("--from %x (%s)", mydata->from,
+ port_tostring(mydata->from, 0));
+
+ break;
+
+ case '2':
+ parse_port(optarg, &mydata->to);
+
+ *flags |= OPT_CREATE_TO;
+
+ DP("--to %x (%s)", mydata->to,
+ port_tostring(mydata->to, 0));
+
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Final check; exit if not ok. */
+void create_final(void *data, unsigned int flags)
+{
+ struct ip_set_req_portmap_create *mydata =
+ (struct ip_set_req_portmap_create *) data;
+
+ if (flags == 0) {
+ exit_error(PARAMETER_PROBLEM,
+ "Need to specify --from and --to\n");
+ } else {
+ /* --from --to */
+ if ((flags & OPT_CREATE_FROM) == 0
+ || (flags & OPT_CREATE_TO) == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "Need to specify both --from and --to\n");
+ }
+
+ DP("from : %x to: %x diff: %d", mydata->from, mydata->to,
+ mydata->to - mydata->from);
+
+ if (mydata->from > mydata->to)
+ exit_error(PARAMETER_PROBLEM,
+ "From can't be lower than to.\n");
+
+ if (mydata->to - mydata->from > MAX_RANGE)
+ exit_error(PARAMETER_PROBLEM,
+ "Range too large. Max is %d ports in range\n",
+ MAX_RANGE+1);
+}
+
+/* Create commandline options */
+static struct option create_opts[] = {
+ {"from", 1, 0, '1'},
+ {"to", 1, 0, '2'},
+ {0}
+};
+
+/* Add, del, test parser */
+ip_set_ip_t adt_parser(unsigned cmd, const char *optarg, void *data)
+{
+ struct ip_set_req_portmap *mydata =
+ (struct ip_set_req_portmap *) data;
+
+ parse_port(optarg, &mydata->port);
+ DP("%s", port_tostring(mydata->port, 0));
+
+ return 1;
+}
+
+/*
+ * Print and save
+ */
+
+void initheader(struct set *set, const void *data)
+{
+ struct ip_set_req_portmap_create *header =
+ (struct ip_set_req_portmap_create *) data;
+ struct ip_set_portmap *map =
+ (struct ip_set_portmap *) set->settype->header;
+
+ memset(map, 0, sizeof(struct ip_set_portmap));
+ map->first_port = header->from;
+ map->last_port = header->to;
+}
+
+void printheader(struct set *set, unsigned options)
+{
+ struct ip_set_portmap *mysetdata =
+ (struct ip_set_portmap *) set->settype->header;
+
+ printf(" from: %s", port_tostring(mysetdata->first_port, options));
+ printf(" to: %s\n", port_tostring(mysetdata->last_port, options));
+}
+
+void printports_sorted(struct set *set, void *data, size_t len, unsigned options)
+{
+ struct ip_set_portmap *mysetdata =
+ (struct ip_set_portmap *) set->settype->header;
+ u_int32_t addr = mysetdata->first_port;
+
+ DP("%u -- %u", mysetdata->first_port, mysetdata->last_port);
+ while (addr <= mysetdata->last_port) {
+ if (test_bit(addr - mysetdata->first_port, data))
+ printf("%s\n", port_tostring(addr, options));
+ addr++;
+ }
+}
+
+char * binding_port_tostring(struct set *set, ip_set_ip_t ip, unsigned options)
+{
+ return port_tostring(ip, options);
+}
+
+void saveheader(struct set *set, unsigned options)
+{
+ struct ip_set_portmap *mysetdata =
+ (struct ip_set_portmap *) set->settype->header;
+
+ printf("-N %s %s --from %s",
+ set->name,
+ set->settype->typename,
+ port_tostring(mysetdata->first_port, options));
+ printf(" --to %s\n",
+ port_tostring(mysetdata->last_port, options));
+}
+
+void saveports(struct set *set, void *data, size_t len, unsigned options)
+{
+ struct ip_set_portmap *mysetdata =
+ (struct ip_set_portmap *) set->settype->header;
+ u_int32_t addr = mysetdata->first_port;
+
+ while (addr <= mysetdata->last_port) {
+ if (test_bit(addr - mysetdata->first_port, data))
+ printf("-A %s %s\n",
+ set->name,
+ port_tostring(addr, options));
+ addr++;
+ }
+}
+
+void usage(void)
+{
+ printf
+ ("-N set portmap --from PORT --to PORT\n"
+ "-A set PORT\n"
+ "-D set PORT\n"
+ "-T set PORT\n");
+}
+
+static struct settype settype_portmap = {
+ .typename = SETTYPE_NAME,
+ .protocol_version = IP_SET_PROTOCOL_VERSION,
+
+ /* Create */
+ .create_size = sizeof(struct ip_set_req_portmap_create),
+ .create_init = &create_init,
+ .create_parse = &create_parse,
+ .create_final = &create_final,
+ .create_opts = create_opts,
+
+ /* Add/del/test */
+ .adt_size = sizeof(struct ip_set_req_portmap),
+ .adt_parser = &adt_parser,
+
+ /* Printing */
+ .header_size = sizeof(struct ip_set_portmap),
+ .initheader = &initheader,
+ .printheader = &printheader,
+ .printips = &printports_sorted, /* We only have sorted version */
+ .printips_sorted = &printports_sorted,
+ .saveheader = &saveheader,
+ .saveips = &saveports,
+
+ /* Bindings */
+ .bindip_tostring = &binding_port_tostring,
+ .bindip_parse = &parse_port,
+
+ .usage = &usage,
+};
+
+void _init(void)
+{
+ settype_register(&settype_portmap);
+
+}
--- /dev/null
+#ifndef _LIBIPT_SET_H
+#define _LIBIPT_SET_H
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <errno.h>
+
+static int get_set_getsockopt(void *data, size_t * size)
+{
+ int sockfd = -1;
+ sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+ if (sockfd < 0)
+ exit_error(OTHER_PROBLEM,
+ "Can't open socket to ipset.\n");
+ /* Send! */
+ return getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
+}
+
+static void
+parse_bindings(const char *optarg, struct ipt_set_info *info)
+{
+ char *saved = strdup(optarg);
+ char *ptr, *tmp = saved;
+ int i = 0;
+
+ while (i < IP_SET_MAX_BINDINGS && tmp != NULL) {
+ ptr = strsep(&tmp, ",");
+ if (strncmp(ptr, "src", 3) == 0)
+ info->flags[i++] |= IPSET_SRC;
+ else if (strncmp(ptr, "dst", 3) == 0)
+ info->flags[i++] |= IPSET_DST;
+ else
+ exit_error(PARAMETER_PROBLEM,
+ "You must spefify (the comma separated list of) 'src' or 'dst'.");
+ }
+
+ if (tmp)
+ exit_error(PARAMETER_PROBLEM,
+ "Can't follow bindings deeper than %i.",
+ IP_SET_MAX_BINDINGS);
+
+ free(saved);
+}
+
+#endif /*_LIBIPT_SET_H*/