ip_set.h 14.3 KB
Newer Older
1
/* SPDX-License-Identifier: GPL-2.0-only */
2
3
4
/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
 *                         Patrick Schaaf <bof@bof.de>
 *                         Martin Josefsson <gandalf@wlug.westbo.se>
Jozsef Kadlecsik's avatar
Jozsef Kadlecsik committed
5
 * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org>
6
 */
7
8
#ifndef _IP_SET_H
#define _IP_SET_H
9

10
11
12
13
14
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
15
#include <linux/stringify.h>
16
17
#include <linux/vmalloc.h>
#include <net/netlink.h>
18
#include <uapi/linux/netfilter/ipset/ip_set.h>
19

20
21
22
23
24
#define _IP_SET_MODULE_DESC(a, b, c)		\
	MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)
#define IP_SET_MODULE_DESC(a, b, c)		\
	_IP_SET_MODULE_DESC(a, __stringify(b), __stringify(c))

25
26
27
28
29
30
31
32
33
34
35
36
/* Set features */
enum ip_set_feature {
	IPSET_TYPE_IP_FLAG = 0,
	IPSET_TYPE_IP = (1 << IPSET_TYPE_IP_FLAG),
	IPSET_TYPE_PORT_FLAG = 1,
	IPSET_TYPE_PORT = (1 << IPSET_TYPE_PORT_FLAG),
	IPSET_TYPE_MAC_FLAG = 2,
	IPSET_TYPE_MAC = (1 << IPSET_TYPE_MAC_FLAG),
	IPSET_TYPE_IP2_FLAG = 3,
	IPSET_TYPE_IP2 = (1 << IPSET_TYPE_IP2_FLAG),
	IPSET_TYPE_NAME_FLAG = 4,
	IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG),
37
38
	IPSET_TYPE_IFACE_FLAG = 5,
	IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG),
39
40
41
	IPSET_TYPE_MARK_FLAG = 6,
	IPSET_TYPE_MARK = (1 << IPSET_TYPE_MARK_FLAG),
	IPSET_TYPE_NOMATCH_FLAG = 7,
42
	IPSET_TYPE_NOMATCH = (1 << IPSET_TYPE_NOMATCH_FLAG),
43
44
	/* Strictly speaking not a feature, but a flag for dumping:
	 * this settype must be dumped last */
45
	IPSET_DUMP_LAST_FLAG = 8,
46
47
48
	IPSET_DUMP_LAST = (1 << IPSET_DUMP_LAST_FLAG),
};

49
50
/* Set extensions */
enum ip_set_extension {
51
	IPSET_EXT_BIT_TIMEOUT = 0,
52
	IPSET_EXT_TIMEOUT = (1 << IPSET_EXT_BIT_TIMEOUT),
53
	IPSET_EXT_BIT_COUNTER = 1,
54
	IPSET_EXT_COUNTER = (1 << IPSET_EXT_BIT_COUNTER),
55
56
	IPSET_EXT_BIT_COMMENT = 2,
	IPSET_EXT_COMMENT = (1 << IPSET_EXT_BIT_COMMENT),
57
58
	IPSET_EXT_BIT_SKBINFO = 3,
	IPSET_EXT_SKBINFO = (1 << IPSET_EXT_BIT_SKBINFO),
59
60
61
	/* Mark set with an extension which needs to call destroy */
	IPSET_EXT_BIT_DESTROY = 7,
	IPSET_EXT_DESTROY = (1 << IPSET_EXT_BIT_DESTROY),
62
63
64
};

#define SET_WITH_TIMEOUT(s)	((s)->extensions & IPSET_EXT_TIMEOUT)
65
#define SET_WITH_COUNTER(s)	((s)->extensions & IPSET_EXT_COUNTER)
66
#define SET_WITH_COMMENT(s)	((s)->extensions & IPSET_EXT_COMMENT)
67
#define SET_WITH_SKBINFO(s)	((s)->extensions & IPSET_EXT_SKBINFO)
68
#define SET_WITH_FORCEADD(s)	((s)->flags & IPSET_CREATE_FLAG_FORCEADD)
69

70
71
72
73
/* Extension id, in size order */
enum ip_set_ext_id {
	IPSET_EXT_ID_COUNTER = 0,
	IPSET_EXT_ID_TIMEOUT,
74
	IPSET_EXT_ID_SKBINFO,
75
	IPSET_EXT_ID_COMMENT,
76
77
78
	IPSET_EXT_ID_MAX,
};

79
80
struct ip_set;

81
82
/* Extension type */
struct ip_set_ext_type {
83
	/* Destroy extension private data (can be NULL) */
84
	void (*destroy)(struct ip_set *set, void *ext);
85
86
87
88
89
90
91
92
93
	enum ip_set_extension type;
	enum ipset_cadt_flags flag;
	/* Size and minimal alignment */
	u8 len;
	u8 align;
};

extern const struct ip_set_ext_type ip_set_extensions[];

94
95
96
97
98
struct ip_set_counter {
	atomic64_t bytes;
	atomic64_t packets;
};

99
100
101
102
103
struct ip_set_comment_rcu {
	struct rcu_head rcu;
	char str[0];
};

104
struct ip_set_comment {
105
	struct ip_set_comment_rcu __rcu *c;
106
};
107

108
109
110
111
112
struct ip_set_skbinfo {
	u32 skbmark;
	u32 skbmarkmask;
	u32 skbprio;
	u16 skbqueue;
113
114
115
116
117
118
119
120
121
	u16 __pad;
};

struct ip_set_ext {
	struct ip_set_skbinfo skbinfo;
	u64 packets;
	u64 bytes;
	char *comment;
	u32 timeout;
122
123
	u8 packets_op;
	u8 bytes_op;
124
125
};

126
struct ip_set;
127

128
#define ext_timeout(e, s)	\
129
((unsigned long *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_TIMEOUT]))
130
#define ext_counter(e, s)	\
131
((struct ip_set_counter *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COUNTER]))
132
#define ext_comment(e, s)	\
133
((struct ip_set_comment *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COMMENT]))
134
#define ext_skbinfo(e, s)	\
135
((struct ip_set_skbinfo *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_SKBINFO]))
136

137
typedef int (*ipset_adtfn)(struct ip_set *set, void *value,
138
			   const struct ip_set_ext *ext,
139
			   struct ip_set_ext *mext, u32 cmdflags);
140

141
142
143
144
145
146
/* Kernel API function options */
struct ip_set_adt_opt {
	u8 family;		/* Actual protocol family */
	u8 dim;			/* Dimension of match/target */
	u8 flags;		/* Direction and negation flags */
	u32 cmdflags;		/* Command-like flags */
147
	struct ip_set_ext ext;	/* Extensions */
148
149
};

150
151
152
153
154
155
/* Set type, variant-specific part */
struct ip_set_type_variant {
	/* Kernelspace: test/add/del entries
	 *		returns negative error code,
	 *			zero for no match/success to add/delete
	 *			positive for matching element */
156
	int (*kadt)(struct ip_set *set, const struct sk_buff *skb,
157
		    const struct xt_action_param *par,
158
		    enum ipset_adt adt, struct ip_set_adt_opt *opt);
159
160
161
162
163
164

	/* Userspace: test/add/del entries
	 *		returns negative error code,
	 *			zero for no match/success to add/delete
	 *			positive for matching element */
	int (*uadt)(struct ip_set *set, struct nlattr *tb[],
165
		    enum ipset_adt adt, u32 *lineno, u32 flags, bool retried);
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182

	/* Low level add/del/test functions */
	ipset_adtfn adt[IPSET_ADT_MAX];

	/* When adding entries and set is full, try to resize the set */
	int (*resize)(struct ip_set *set, bool retried);
	/* Destroy the set */
	void (*destroy)(struct ip_set *set);
	/* Flush the elements */
	void (*flush)(struct ip_set *set);
	/* Expire entries before listing */
	void (*expire)(struct ip_set *set);
	/* List set header data */
	int (*head)(struct ip_set *set, struct sk_buff *skb);
	/* List elements */
	int (*list)(const struct ip_set *set, struct sk_buff *skb,
		    struct netlink_callback *cb);
183
184
185
	/* Keep listing private when resizing runs parallel */
	void (*uref)(struct ip_set *set, struct netlink_callback *cb,
		     bool start);
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201

	/* Return true if "b" set is the same as "a"
	 * according to the create set parameters */
	bool (*same_set)(const struct ip_set *a, const struct ip_set *b);
};

/* The core set type structure */
struct ip_set_type {
	struct list_head list;

	/* Typename */
	char name[IPSET_MAXNAMELEN];
	/* Protocol version */
	u8 protocol;
	/* Set type dimension */
	u8 dimension;
202
203
204
205
	/*
	 * Supported family: may be NFPROTO_UNSPEC for both
	 * NFPROTO_IPV4/NFPROTO_IPV6.
	 */
206
	u8 family;
207
208
	/* Type revisions */
	u8 revision_min, revision_max;
209
210
	/* Set features to control swapping */
	u16 features;
211
212

	/* Create set */
213
214
	int (*create)(struct net *net, struct ip_set *set,
		      struct nlattr *tb[], u32 flags);
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232

	/* Attribute policies */
	const struct nla_policy create_policy[IPSET_ATTR_CREATE_MAX + 1];
	const struct nla_policy adt_policy[IPSET_ATTR_ADT_MAX + 1];

	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
	struct module *me;
};

/* register and unregister set type */
extern int ip_set_type_register(struct ip_set_type *set_type);
extern void ip_set_type_unregister(struct ip_set_type *set_type);

/* A generic IP set */
struct ip_set {
	/* The name of the set */
	char name[IPSET_MAXNAMELEN];
	/* Lock protecting the set data */
233
	spinlock_t lock;
234
	/* References to the set */
235
	u32 ref;
236
237
238
239
	/* References to the set for netlink events like dump,
	 * ref can be swapped out by ip_set_swap
	 */
	u32 ref_netlink;
240
241
242
243
244
245
	/* The core set type */
	struct ip_set_type *type;
	/* The type variant doing the real job */
	const struct ip_set_type_variant *variant;
	/* The actual INET family of the set */
	u8 family;
246
247
	/* The type revision */
	u8 revision;
248
249
	/* Extensions */
	u8 extensions;
250
251
	/* Create flags */
	u8 flags;
252
253
	/* Default timeout value, if enabled */
	u32 timeout;
254
255
	/* Number of elements (vs timeout) */
	u32 elements;
256
257
	/* Size of the dynamic extensions (vs timeout) */
	size_t ext_size;
258
259
260
261
	/* Element data size */
	size_t dsize;
	/* Offsets to extensions in elements */
	size_t offset[IPSET_EXT_ID_MAX];
262
263
264
265
	/* The type specific data */
	void *data;
};

266
267
268
269
270
271
static inline void
ip_set_ext_destroy(struct ip_set *set, void *data)
{
	/* Check that the extension is enabled for the set and
	 * call it's destroy function for its extension part in data.
	 */
272
273
274
275
276
	if (SET_WITH_COMMENT(set)) {
		struct ip_set_comment *c = ext_comment(data, set);

		ip_set_extensions[IPSET_EXT_ID_COMMENT].destroy(set, c);
	}
277
278
}

279
int ip_set_put_flags(struct sk_buff *skb, struct ip_set *set);
280

281
282
/* Netlink CB args */
enum {
283
	IPSET_CB_NET = 0,	/* net namespace */
284
	IPSET_CB_PROTO,		/* ipset protocol */
285
286
287
288
	IPSET_CB_DUMP,		/* dump single set/all sets */
	IPSET_CB_INDEX,		/* set index */
	IPSET_CB_PRIVATE,	/* set private data */
	IPSET_CB_ARG0,		/* type specific */
289
290
};

291
/* register and unregister set references */
292
293
294
extern ip_set_id_t ip_set_get_byname(struct net *net,
				     const char *name, struct ip_set **set);
extern void ip_set_put_byindex(struct net *net, ip_set_id_t index);
295
extern void ip_set_name_byindex(struct net *net, ip_set_id_t index, char *name);
296
297
extern ip_set_id_t ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index);
extern void ip_set_nfnl_put(struct net *net, ip_set_id_t index);
298
299

/* API for iptables set match, and SET target */
300

301
extern int ip_set_add(ip_set_id_t id, const struct sk_buff *skb,
302
		      const struct xt_action_param *par,
303
		      struct ip_set_adt_opt *opt);
304
extern int ip_set_del(ip_set_id_t id, const struct sk_buff *skb,
305
		      const struct xt_action_param *par,
306
		      struct ip_set_adt_opt *opt);
307
extern int ip_set_test(ip_set_id_t id, const struct sk_buff *skb,
308
		       const struct xt_action_param *par,
309
		       struct ip_set_adt_opt *opt);
310
311

/* Utility functions */
312
extern void *ip_set_alloc(size_t size);
313
314
315
extern void ip_set_free(void *members);
extern int ip_set_get_ipaddr4(struct nlattr *nla,  __be32 *ipaddr);
extern int ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr);
316
extern size_t ip_set_elem_len(struct ip_set *set, struct nlattr *tb[],
317
			      size_t len, size_t align);
318
319
extern int ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],
				 struct ip_set_ext *ext);
320
321
extern int ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set,
				 const void *e, bool active);
322
323
324
325
extern bool ip_set_match_extensions(struct ip_set *set,
				    const struct ip_set_ext *ext,
				    struct ip_set_ext *mext,
				    u32 flags, void *data);
326
327
328
329
330
331

static inline int
ip_set_get_hostipaddr4(struct nlattr *nla, u32 *ipaddr)
{
	__be32 ip;
	int ret = ip_set_get_ipaddr4(nla, &ip);
332

333
334
335
336
337
338
339
340
341
342
343
344
345
	if (ret)
		return ret;
	*ipaddr = ntohl(ip);
	return 0;
}

/* Ignore IPSET_ERR_EXIST errors if asked to do so? */
static inline bool
ip_set_eexist(int ret, u32 flags)
{
	return ret == -IPSET_ERR_EXIST && (flags & IPSET_FLAG_EXIST);
}

346
347
/* Match elements marked with nomatch */
static inline bool
348
ip_set_enomatch(int ret, u32 flags, enum ipset_adt adt, struct ip_set *set)
349
350
{
	return adt == IPSET_TEST &&
351
352
353
	       (set->type->features & IPSET_TYPE_NOMATCH) &&
	       ((flags >> 16) & IPSET_FLAG_NOMATCH) &&
	       (ret > 0 || ret == -ENOTEMPTY);
354
355
}

356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
/* Check the NLA_F_NET_BYTEORDER flag */
static inline bool
ip_set_attr_netorder(struct nlattr *tb[], int type)
{
	return tb[type] && (tb[type]->nla_type & NLA_F_NET_BYTEORDER);
}

static inline bool
ip_set_optattr_netorder(struct nlattr *tb[], int type)
{
	return !tb[type] || (tb[type]->nla_type & NLA_F_NET_BYTEORDER);
}

/* Useful converters */
static inline u32
ip_set_get_h32(const struct nlattr *attr)
{
	return ntohl(nla_get_be32(attr));
}

static inline u16
ip_set_get_h16(const struct nlattr *attr)
{
	return ntohs(nla_get_be16(attr));
}

382
383
static inline int nla_put_ipaddr4(struct sk_buff *skb, int type, __be32 ipaddr)
{
384
	struct nlattr *__nested = nla_nest_start(skb, type);
385
386
387
388
	int ret;

	if (!__nested)
		return -EMSGSIZE;
389
	ret = nla_put_in_addr(skb, IPSET_ATTR_IPADDR_IPV4, ipaddr);
390
	if (!ret)
391
		nla_nest_end(skb, __nested);
392
393
394
	return ret;
}

395
396
static inline int nla_put_ipaddr6(struct sk_buff *skb, int type,
				  const struct in6_addr *ipaddrptr)
397
{
398
	struct nlattr *__nested = nla_nest_start(skb, type);
399
400
401
402
	int ret;

	if (!__nested)
		return -EMSGSIZE;
403
	ret = nla_put_in6_addr(skb, IPSET_ATTR_IPADDR_IPV6, ipaddrptr);
404
	if (!ret)
405
		nla_nest_end(skb, __nested);
406
407
	return ret;
}
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428

/* Get address from skbuff */
static inline __be32
ip4addr(const struct sk_buff *skb, bool src)
{
	return src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr;
}

static inline void
ip4addrptr(const struct sk_buff *skb, bool src, __be32 *addr)
{
	*addr = src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr;
}

static inline void
ip6addrptr(const struct sk_buff *skb, bool src, struct in6_addr *addr)
{
	memcpy(addr, src ? &ipv6_hdr(skb)->saddr : &ipv6_hdr(skb)->daddr,
	       sizeof(*addr));
}

429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
/* How often should the gc be run by default */
#define IPSET_GC_TIME			(3 * 60)

/* Timeout period depending on the timeout value of the given set */
#define IPSET_GC_PERIOD(timeout) \
	((timeout/3) ? min_t(u32, (timeout)/3, IPSET_GC_TIME) : 1)

/* Entry is set with no timeout value */
#define IPSET_ELEM_PERMANENT	0

/* Set is defined with timeout support: timeout value may be 0 */
#define IPSET_NO_TIMEOUT	UINT_MAX

/* Max timeout value, see msecs_to_jiffies() in jiffies.h */
#define IPSET_MAX_TIMEOUT	(UINT_MAX >> 1)/MSEC_PER_SEC

#define ip_set_adt_opt_timeout(opt, set)	\
((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout)

static inline unsigned int
ip_set_timeout_uget(struct nlattr *tb)
{
	unsigned int timeout = ip_set_get_h32(tb);

	/* Normalize to fit into jiffies */
	if (timeout > IPSET_MAX_TIMEOUT)
		timeout = IPSET_MAX_TIMEOUT;

	return timeout;
}

static inline bool
ip_set_timeout_expired(const unsigned long *t)
{
	return *t != IPSET_ELEM_PERMANENT && time_is_before_jiffies(*t);
}

static inline void
ip_set_timeout_set(unsigned long *timeout, u32 value)
{
	unsigned long t;

	if (!value) {
		*timeout = IPSET_ELEM_PERMANENT;
		return;
	}

	t = msecs_to_jiffies(value * MSEC_PER_SEC) + jiffies;
	if (t == IPSET_ELEM_PERMANENT)
		/* Bingo! :-) */
		t--;
	*timeout = t;
}

483
484
void ip_set_init_comment(struct ip_set *set, struct ip_set_comment *comment,
			 const struct ip_set_ext *ext);
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501

static inline void
ip_set_init_counter(struct ip_set_counter *counter,
		    const struct ip_set_ext *ext)
{
	if (ext->bytes != ULLONG_MAX)
		atomic64_set(&(counter)->bytes, (long long)(ext->bytes));
	if (ext->packets != ULLONG_MAX)
		atomic64_set(&(counter)->packets, (long long)(ext->packets));
}

static inline void
ip_set_init_skbinfo(struct ip_set_skbinfo *skbinfo,
		    const struct ip_set_ext *ext)
{
	*skbinfo = ext->skbinfo;
}
502

503
#define IP_SET_INIT_KEXT(skb, opt, set)			\
504
	{ .bytes = (skb)->len, .packets = 1,		\
505
	  .timeout = ip_set_adt_opt_timeout(opt, set) }
506

507
#define IP_SET_INIT_UEXT(set)				\
508
	{ .bytes = ULLONG_MAX, .packets = ULLONG_MAX,	\
509
	  .timeout = (set)->timeout }
510

511
512
513
#define IPSET_CONCAT(a, b)		a##b
#define IPSET_TOKEN(a, b)		IPSET_CONCAT(a, b)

514
#endif /*_IP_SET_H */