
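--- a/iptables-1.4.0.orig/extensions/ip_set.h
+++ b/iptables-1.4.0.orig/extensions/ip_set.h
@@ -0,0 +1,498 @@
+#ifndef _IP_SET_H
+#define _IP_SET_H
+
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.  
+ */
+
+#if 0
+#define IP_SET_DEBUG
+#endif
+
+/*
+ * A sockopt of such quality has hardly ever been seen before on the open
+ * market!  This little beauty, hardly ever used: above 64, so it's
+ * traditionally used for firewalling, not touched (even once!) by the
+ * 2.0, 2.2 and 2.4 kernels!
+ *
+ * Comes with its own certificate of authenticity, valid anywhere in the
+ * Free world!
+ *
+ * Rusty, 19.4.2000
+ */
+#define SO_IP_SET 		83
+
+/*
+ * Heavily modify by Joakim Axelsson 08.03.2002
+ * - Made it more modulebased
+ *
+ * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
+ * - bindings added
+ * - in order to "deal with" backward compatibility, renamed to ipset
+ */
+
+/* 
+ * Used so that the kernel module and ipset-binary can match their versions 
+ */
+#define IP_SET_PROTOCOL_VERSION 2
+
+#define IP_SET_MAXNAMELEN 32	/* set names and set typenames */
+
+/* Lets work with our own typedef for representing an IP address.
+ * We hope to make the code more portable, possibly to IPv6...
+ *
+ * The representation works in HOST byte order, because most set types
+ * will perform arithmetic operations and compare operations.
+ * 
+ * For now the type is an uint32_t.
+ *
+ * Make sure to ONLY use the functions when translating and parsing
+ * in order to keep the host byte order and make it more portable:
+ *  parse_ip()
+ *  parse_mask()
+ *  parse_ipandmask()
+ *  ip_tostring()
+ * (Joakim: where are they???)
+ */
+
+typedef uint32_t ip_set_ip_t;
+
+/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
+ * and IP_SET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef uint16_t ip_set_id_t;
+
+#define IP_SET_INVALID_ID	65535
+
+/* How deep we follow bindings */
+#define IP_SET_MAX_BINDINGS	6
+
+/*
+ * Option flags for kernel operations (ipt_set_info)
+ */
+#define IPSET_SRC 		0x01	/* Source match/add */
+#define IPSET_DST		0x02	/* Destination match/add */
+#define IPSET_MATCH_INV		0x04	/* Inverse matching */
+
+/*
+ * Set features
+ */
+#define IPSET_TYPE_IP		0x01	/* IP address type of set */
+#define IPSET_TYPE_PORT		0x02	/* Port type of set */
+#define IPSET_DATA_SINGLE	0x04	/* Single data storage */
+#define IPSET_DATA_DOUBLE	0x08	/* Double data storage */
+
+/* Reserved keywords */
+#define IPSET_TOKEN_DEFAULT	":default:"
+#define IPSET_TOKEN_ALL		":all:"
+
+/* SO_IP_SET operation constants, and their request struct types.
+ *
+ * Operation ids:
+ *	  0-99:	 commands with version checking
+ *	100-199: add/del/test/bind/unbind
+ *	200-299: list, save, restore
+ */
+
+/* Single shot operations: 
+ * version, create, destroy, flush, rename and swap 
+ *
+ * Sets are identified by name.
+ */
+
+#define IP_SET_REQ_STD		\
+	unsigned op;		\
+	unsigned version;	\
+	char name[IP_SET_MAXNAMELEN]
+
+#define IP_SET_OP_CREATE	0x00000001	/* Create a new (empty) set */
+struct ip_set_req_create {
+	IP_SET_REQ_STD;
+	char typename[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_OP_DESTROY	0x00000002	/* Remove a (empty) set */
+struct ip_set_req_std {
+	IP_SET_REQ_STD;
+};
+
+#define IP_SET_OP_FLUSH		0x00000003	/* Remove all IPs in a set */
+/* Uses ip_set_req_std */
+
+#define IP_SET_OP_RENAME	0x00000004	/* Rename a set */
+/* Uses ip_set_req_create */
+
+#define IP_SET_OP_SWAP		0x00000005	/* Swap two sets */
+/* Uses ip_set_req_create */
+
+union ip_set_name_index {
+	char name[IP_SET_MAXNAMELEN];
+	ip_set_id_t index;
+};
+
+#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
+struct ip_set_req_get_set {
+	unsigned op;
+	unsigned version;
+	union ip_set_name_index set;
+};
+
+#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
+/* Uses ip_set_req_get_set */
+
+#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
+struct ip_set_req_version {
+	unsigned op;
+	unsigned version;
+};
+
+/* Double shots operations: 
+ * add, del, test, bind and unbind.
+ *
+ * First we query the kernel to get the index and type of the target set,
+ * then issue the command. Validity of IP is checked in kernel in order
+ * to minimalize sockopt operations.
+ */
+
+/* Get minimal set data for add/del/test/bind/unbind IP */
+#define IP_SET_OP_ADT_GET	0x00000010	/* Get set and type */
+struct ip_set_req_adt_get {
+	unsigned op;
+	unsigned version;
+	union ip_set_name_index set;
+	char typename[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_REQ_BYINDEX	\
+	unsigned op;		\
+	ip_set_id_t index;
+
+struct ip_set_req_adt {
+	IP_SET_REQ_BYINDEX;
+};
+
+#define IP_SET_OP_ADD_IP	0x00000101	/* Add an IP to a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_DEL_IP	0x00000102	/* Remove an IP from a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_TEST_IP	0x00000103	/* Test an IP in a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_BIND_SET	0x00000104	/* Bind an IP to a set */
+/* Uses ip_set_req_bind, with type specific addage */
+struct ip_set_req_bind {
+	IP_SET_REQ_BYINDEX;
+	char binding[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_OP_UNBIND_SET	0x00000105	/* Unbind an IP from a set */
+/* Uses ip_set_req_bind, with type speficic addage 
+ * index = 0 means unbinding for all sets */
+
+#define IP_SET_OP_TEST_BIND_SET	0x00000106	/* Test binding an IP to a set */
+/* Uses ip_set_req_bind, with type specific addage */
+
+/* Multiple shots operations: list, save, restore.
+ *
+ * - check kernel version and query the max number of sets
+ * - get the basic information on all sets
+ *   and size required for the next step
+ * - get actual set data: header, data, bindings
+ */
+
+/* Get max_sets and the index of a queried set
+ */
+#define IP_SET_OP_MAX_SETS	0x00000020
+struct ip_set_req_max_sets {
+	unsigned op;
+	unsigned version;
+	ip_set_id_t max_sets;		/* max_sets */
+	ip_set_id_t sets;		/* real number of sets */
+	union ip_set_name_index set;	/* index of set if name used */
+};
+
+/* Get the id and name of the sets plus size for next step */
+#define IP_SET_OP_LIST_SIZE	0x00000201
+#define IP_SET_OP_SAVE_SIZE	0x00000202
+struct ip_set_req_setnames {
+	unsigned op;
+	ip_set_id_t index;		/* set to list/save */
+	size_t size;			/* size to get setdata/bindings */
+	/* followed by sets number of struct ip_set_name_list */
+};
+
+struct ip_set_name_list {
+	char name[IP_SET_MAXNAMELEN];
+	char typename[IP_SET_MAXNAMELEN];
+	ip_set_id_t index;
+	ip_set_id_t id;
+};
+
+/* The actual list operation */
+#define IP_SET_OP_LIST		0x00000203
+struct ip_set_req_list {
+	IP_SET_REQ_BYINDEX;
+	/* sets number of struct ip_set_list in reply */ 
+};
+
+struct ip_set_list {
+	ip_set_id_t index;
+	ip_set_id_t binding;
+	u_int32_t ref;
+	size_t header_size;	/* Set header data of header_size */
+	size_t members_size;	/* Set members data of members_size */
+	size_t bindings_size;	/* Set bindings data of bindings_size */
+};
+
+struct ip_set_hash_list {
+	ip_set_ip_t ip;
+	ip_set_id_t binding;
+};
+
+/* The save operation */
+#define IP_SET_OP_SAVE		0x00000204
+/* Uses ip_set_req_list, in the reply replaced by
+ * sets number of struct ip_set_save plus a marker
+ * ip_set_save followed by ip_set_hash_save structures.
+ */
+struct ip_set_save {
+	ip_set_id_t index;
+	ip_set_id_t binding;
+	size_t header_size;	/* Set header data of header_size */
+	size_t members_size;	/* Set members data of members_size */
+};
+
+/* At restoring, ip == 0 means default binding for the given set: */
+struct ip_set_hash_save {
+	ip_set_ip_t ip;
+	ip_set_id_t id;
+	ip_set_id_t binding;
+};
+
+/* The restore operation */
+#define IP_SET_OP_RESTORE	0x00000205
+/* Uses ip_set_req_setnames followed by ip_set_restore structures
+ * plus a marker ip_set_restore, followed by ip_set_hash_save 
+ * structures.
+ */
+struct ip_set_restore {
+	char name[IP_SET_MAXNAMELEN];
+	char typename[IP_SET_MAXNAMELEN];
+	ip_set_id_t index;
+	size_t header_size;	/* Create data of header_size */
+	size_t members_size;	/* Set members data of members_size */
+};
+
+static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
+{
+	return 4 * ((((b - a + 8) / 8) + 3) / 4);
+}
+
+#ifdef __KERNEL__
+
+#define ip_set_printk(format, args...) 			\
+	do {							\
+		printk("%s: %s: ", __FILE__, __FUNCTION__);	\
+		printk(format "\n" , ## args);			\
+	} while (0)
+
+#if defined(IP_SET_DEBUG)
+#define DP(format, args...) 					\
+	do {							\
+		printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
+		printk(format "\n" , ## args);			\
+	} while (0)
+#define IP_SET_ASSERT(x)					\
+	do {							\
+		if (!(x))					\
+			printk("IP_SET_ASSERT: %s:%i(%s)\n",	\
+				__FILE__, __LINE__, __FUNCTION__); \
+	} while (0)
+#else
+#define DP(format, args...)
+#define IP_SET_ASSERT(x)
+#endif
+
+struct ip_set;
+
+/*
+ * The ip_set_type definition - one per set type, e.g. "ipmap".
+ *
+ * Each individual set has a pointer, set->type, going to one
+ * of these structures. Function pointers inside the structure implement
+ * the real behaviour of the sets.
+ *
+ * If not mentioned differently, the implementation behind the function
+ * pointers of a set_type, is expected to return 0 if ok, and a negative
+ * errno (e.g. -EINVAL) on error.
+ */
+struct ip_set_type {
+	struct list_head list;	/* next in list of set types */
+
+	/* test for IP in set (kernel: iptables -m set src|dst)
+	 * return 0 if not in set, 1 if in set.
+	 */
+	int (*testip_kernel) (struct ip_set *set,
+			      const struct sk_buff * skb, 
+			      ip_set_ip_t *ip,
+			      const u_int32_t *flags,
+			      unsigned char index);
+
+	/* test for IP in set (userspace: ipset -T set IP)
+	 * return 0 if not in set, 1 if in set.
+	 */
+	int (*testip) (struct ip_set *set,
+		       const void *data, size_t size,
+		       ip_set_ip_t *ip);
+
+	/*
+	 * Size of the data structure passed by when
+	 * adding/deletin/testing an entry.
+	 */
+	size_t reqsize;
+
+	/* Add IP into set (userspace: ipset -A set IP)
+	 * Return -EEXIST if the address is already in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address was not already in the set, 0 is returned.
+	 */
+	int (*addip) (struct ip_set *set, 
+		      const void *data, size_t size,
+		      ip_set_ip_t *ip);
+
+	/* Add IP into set (kernel: iptables ... -j SET set src|dst)
+	 * Return -EEXIST if the address is already in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address was not already in the set, 0 is returned.
+	 */
+	int (*addip_kernel) (struct ip_set *set,
+			     const struct sk_buff * skb, 
+			     ip_set_ip_t *ip,
+			     const u_int32_t *flags,
+			     unsigned char index);
+
+	/* remove IP from set (userspace: ipset -D set --entry x)
+	 * Return -EEXIST if the address is NOT in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address really was in the set, 0 is returned.
+	 */
+	int (*delip) (struct ip_set *set, 
+		      const void *data, size_t size,
+		      ip_set_ip_t *ip);
+
+	/* remove IP from set (kernel: iptables ... -j SET --entry x)
+	 * Return -EEXIST if the address is NOT in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address really was in the set, 0 is returned.
+	 */
+	int (*delip_kernel) (struct ip_set *set,
+			     const struct sk_buff * skb, 
+			     ip_set_ip_t *ip,
+			     const u_int32_t *flags,
+			     unsigned char index);
+
+	/* new set creation - allocated type specific items
+	 */
+	int (*create) (struct ip_set *set,
+		       const void *data, size_t size);
+
+	/* retry the operation after successfully tweaking the set
+	 */
+	int (*retry) (struct ip_set *set);
+
+	/* set destruction - free type specific items
+	 * There is no return value.
+	 * Can be called only when child sets are destroyed.
+	 */
+	void (*destroy) (struct ip_set *set);
+
+	/* set flushing - reset all bits in the set, or something similar.
+	 * There is no return value.
+	 */
+	void (*flush) (struct ip_set *set);
+
+	/* Listing: size needed for header
+	 */
+	size_t header_size;
+
+	/* Listing: Get the header
+	 *
+	 * Fill in the information in "data".
+	 * This function is always run after list_header_size() under a 
+	 * writelock on the set. Therefor is the length of "data" always 
+	 * correct. 
+	 */
+	void (*list_header) (const struct ip_set *set, 
+			     void *data);
+
+	/* Listing: Get the size for the set members
+	 */
+	int (*list_members_size) (const struct ip_set *set);
+
+	/* Listing: Get the set members
+	 *
+	 * Fill in the information in "data".
+	 * This function is always run after list_member_size() under a 
+	 * writelock on the set. Therefor is the length of "data" always 
+	 * correct. 
+	 */
+	void (*list_members) (const struct ip_set *set,
+			      void *data);
+
+	char typename[IP_SET_MAXNAMELEN];
+	unsigned char features;
+	int protocol_version;
+
+	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
+	struct module *me;
+};
+
+extern int ip_set_register_set_type(struct ip_set_type *set_type);
+extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
+
+/* A generic ipset */
+struct ip_set {
+	char name[IP_SET_MAXNAMELEN];	/* the name of the set */
+	rwlock_t lock;			/* lock for concurrency control */
+	ip_set_id_t id;			/* set id for swapping */
+	ip_set_id_t binding;		/* default binding for the set */
+	atomic_t ref;			/* in kernel and in hash references */
+	struct ip_set_type *type; 	/* the set types */
+	void *data;			/* pooltype specific data */
+};
+
+/* Structure to bind set elements to sets */
+struct ip_set_hash {
+	struct list_head list;		/* list of clashing entries in hash */
+	ip_set_ip_t ip;			/* ip from set */
+	ip_set_id_t id;			/* set id */
+	ip_set_id_t binding;		/* set we bind the element to */
+};
+
+/* register and unregister set references */
+extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
+extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
+extern void ip_set_put(ip_set_id_t id);
+
+/* API for iptables set match, and SET target */
+extern void ip_set_addip_kernel(ip_set_id_t id,
+				const struct sk_buff *skb,
+				const u_int32_t *flags);
+extern void ip_set_delip_kernel(ip_set_id_t id,
+				const struct sk_buff *skb,
+				const u_int32_t *flags);
+extern int ip_set_testip_kernel(ip_set_id_t id,
+				const struct sk_buff *skb,
+				const u_int32_t *flags);
+
+#endif				/* __KERNEL__ */
+
+#endif /*_IP_SET_H*/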
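Review bot: `bitmap_bytes()` (new-file line 294) does unsigned arithmetic on two `ip_set_ip_t` values and hands the result back through an `int`, so a caller passing `a > b`, or a range wider than `UINT32_MAX - 8`, gets a wrapped value instead of an error, and nothing in the header states the precondition. Add `/* requires a <= b and b - a <= UINT32_MAX - 8: the arithmetic is unsigned and wraps otherwise */` above the function, and make sure the callers (not visible here) validate the range before using the result to size an allocation. Separately, the request/reply structures that cross the SO_IP_SET boundary (`ip_set_req_setnames`, `ip_set_list`, `ip_set_save`, `ip_set_restore`) carry `size_t` members whose width follows the build, so a 32-bit userspace talking to a 64-bit kernel would presumably lay them out differently; worth confirming and, if so, switching those fields to a fixed-width type. Minor style: the file mixes `uint32_t` (line 64) with `u_int32_t` (line 249 onward).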
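--- a/iptables-1.4.0.orig/extensions/ipt_set.h
+++ b/iptables-1.4.0.orig/extensions/ipt_set.h
@@ -0,0 +1,21 @@
+#ifndef _IPT_SET_H
+#define _IPT_SET_H
+
+#include "ip_set.h"
+
+struct ipt_set_info {
+	ip_set_id_t index;
+	u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
+};
+
+/* match info */
+struct ipt_set_info_match {
+	struct ipt_set_info match_set;
+};
+
+struct ipt_set_info_target {
+	struct ipt_set_info add_set;
+	struct ipt_set_info del_set;
+};
+
+#endif /*_IPT_SET_H*/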
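Review bot: `struct ipt_set_info` leaves `flags[IP_SET_MAX_BINDINGS + 1]` undocumented even though it is the per-rule blob handed from iptables to the kernel match and target, and a reader cannot tell from this header what each slot holds or why there is one extra entry. Add a comment on the field such as `/* per-level IPSET_SRC/IPSET_DST/IPSET_MATCH_INV flags; slot 0 is the set itself, the rest follow bindings (confirm against the kernel module) */` — the per-slot meaning is my inference from `IP_SET_MAX_BINDINGS` in ip_set.h and should be checked before it is committed as fact. A one-line header comment noting that this file is a bundled copy whose layout must match the kernel's ipt_set.h would also help the next maintainer.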
(-)iptables-1.4.0.orig/extensions/libipt_set.c (-1 / +1 lines)
18
#include <errno.h>
18
#include <errno.h>
19
19
20
#include <iptables.h>
20
#include <iptables.h>
21
#include <linux/netfilter_ipv4/ipt_set.h>
21
#include "ipt_set.h"
22
#include "libipt_set.h"
22
#include "libipt_set.h"
23
23
24
/* Function which prints out usage message. */
24
/* Function which prints out usage message. */
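Review bot: switching from `<linux/netfilter_ipv4/ipt_set.h>` to the bundled `"ipt_set.h"` silently decouples the userspace structure layout from whatever the running kernel's ip_set module was built against; the only guard left is `IP_SET_PROTOCOL_VERSION` in the bundled header, which helps only if the code checks it at runtime (not visible in this hunk). Annotate the include so the coupling is not overlooked on the next ipset update, e.g. `#include "ipt_set.h"	/* bundled copy; keep in sync with the kernel's ip_set.h ABI */`. The include block has no enclosing function; the rest of the file is outside the hunk.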
(-)iptables-1.4.0.orig/extensions/Makefile (-1 / +1 lines)
5
# header files are present in the include/linux directory of this iptables
5
# header files are present in the include/linux directory of this iptables
6
# package (HW)
6
# package (HW)
7
#
7
#
8
PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange owner policy realm recent tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
8
PF_EXT_SLIB:=ah addrtype conntrack ecn icmp iprange owner policy realm recent set tos ttl unclean CLUSTERIP DNAT ECN LOG MASQUERADE MIRROR NETMAP REDIRECT REJECT SAME SNAT TOS TTL ULOG
9
PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh owner policy rt HL LOG REJECT
9
PF6_EXT_SLIB:=ah dst eui64 frag hbh hl icmp6 ipv6header mh owner policy rt HL LOG REJECT
10
PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
10
PFX_EXT_SLIB:=connbytes connmark connlimit comment dccp dscp esp hashlimit helper length limit mac mark multiport physdev pkttype quota sctp state statistic standard string tcp tcpmss time u32 udp CLASSIFY CONNMARK DSCP MARK NFLOG NFQUEUE NOTRACK TCPMSS TRACE
11
11
