This commit was manufactured by cvs2svn to create branch 'vserver'.

[linux-2.6.git] / net / ipv4 / netfilter / ipt_set.c

diff --git a/net/ipv4/netfilter/ipt_set.c b/net/ipv4/netfilter/ipt_set.c
new file mode 100644 (file)
index 0000000..9e36c81
--- /dev/null
+++ b/net/ipv4/netfilter/ipt_set.c
@@ -0,0 +1,112 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.  
+ */
+
+/* Kernel module to match an IP set. */
+
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_set.h>
+#include <linux/netfilter_ipv4/ipt_set.h>
+
+static inline int
+match_set(const struct ipt_set_info *info,
+         const struct sk_buff *skb,
+         int inv)
+{      
+       if (ip_set_testip_kernel(info->index, skb, info->flags))
+               inv = !inv;
+       return inv;
+}
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      int *hotdrop)
+{
+       const struct ipt_set_info_match *info = matchinfo;
+               
+       return match_set(&info->match_set,
+                        skb,
+                        info->match_set.flags[0] & IPSET_MATCH_INV);
+}
+
+static int
+checkentry(const char *tablename,
+          const struct ipt_ip *ip,
+          void *matchinfo,
+          unsigned int matchsize,
+          unsigned int hook_mask)
+{
+       struct ipt_set_info_match *info = 
+               (struct ipt_set_info_match *) matchinfo;
+       ip_set_id_t index;
+
+       if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
+               ip_set_printk("invalid matchsize %d", matchsize);
+               return 0;
+       }
+
+       index = ip_set_get_byindex(info->match_set.index);
+               
+       if (index == IP_SET_INVALID_ID) {
+               ip_set_printk("Cannot find set indentified by id %u to match",
+                             info->match_set.index);
+               return 0;       /* error */
+       }
+       if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
+               ip_set_printk("That's nasty!");
+               return 0;       /* error */
+       }
+
+       return 1;
+}
+
+static void destroy(void *matchinfo, unsigned int matchsize)
+{
+       struct ipt_set_info_match *info = matchinfo;
+
+       if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
+               ip_set_printk("invalid matchsize %d", matchsize);
+               return;
+       }
+
+       ip_set_put(info->match_set.index);
+}
+
+static struct ipt_match set_match = {
+       .name           = "set",
+       .match          = &match,
+       .checkentry     = &checkentry,
+       .destroy        = &destroy,
+       .me             = THIS_MODULE
+};
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("iptables IP set match module");
+
+static int __init init(void)
+{
+       return ipt_register_match(&set_match);
+}
+
+static void __exit fini(void)
+{
+       ipt_unregister_match(&set_match);
+}
+
+module_init(init);
+module_exit(fini);