
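--- a/iptables-1.4.0/include/linux/netfilter_ipv4/ip_set.h
+++ b/iptables-1.4.0/include/linux/netfilter_ipv4/ip_set.h
@@ -0,0 +1,498 @@
+#ifndef _IP_SET_H
+#define _IP_SET_H
+
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.  
+ */
+
+#if 0
+#define IP_SET_DEBUG
+#endif
+
+/*
+ * A sockopt of such quality has hardly ever been seen before on the open
+ * market!  This little beauty, hardly ever used: above 64, so it's
+ * traditionally used for firewalling, not touched (even once!) by the
+ * 2.0, 2.2 and 2.4 kernels!
+ *
+ * Comes with its own certificate of authenticity, valid anywhere in the
+ * Free world!
+ *
+ * Rusty, 19.4.2000
+ */
+#define SO_IP_SET 		83
+
+/*
+ * Heavily modify by Joakim Axelsson 08.03.2002
+ * - Made it more modulebased
+ *
+ * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
+ * - bindings added
+ * - in order to "deal with" backward compatibility, renamed to ipset
+ */
+
+/* 
+ * Used so that the kernel module and ipset-binary can match their versions 
+ */
+#define IP_SET_PROTOCOL_VERSION 2
+
+#define IP_SET_MAXNAMELEN 32	/* set names and set typenames */
+
+/* Lets work with our own typedef for representing an IP address.
+ * We hope to make the code more portable, possibly to IPv6...
+ *
+ * The representation works in HOST byte order, because most set types
+ * will perform arithmetic operations and compare operations.
+ * 
+ * For now the type is an uint32_t.
+ *
+ * Make sure to ONLY use the functions when translating and parsing
+ * in order to keep the host byte order and make it more portable:
+ *  parse_ip()
+ *  parse_mask()
+ *  parse_ipandmask()
+ *  ip_tostring()
+ * (Joakim: where are they???)
+ */
+
+typedef uint32_t ip_set_ip_t;
+
+/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
+ * and IP_SET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef uint16_t ip_set_id_t;
+
+#define IP_SET_INVALID_ID	65535
+
+/* How deep we follow bindings */
+#define IP_SET_MAX_BINDINGS	6
+
+/*
+ * Option flags for kernel operations (ipt_set_info)
+ */
+#define IPSET_SRC 		0x01	/* Source match/add */
+#define IPSET_DST		0x02	/* Destination match/add */
+#define IPSET_MATCH_INV		0x04	/* Inverse matching */
+
+/*
+ * Set features
+ */
+#define IPSET_TYPE_IP		0x01	/* IP address type of set */
+#define IPSET_TYPE_PORT		0x02	/* Port type of set */
+#define IPSET_DATA_SINGLE	0x04	/* Single data storage */
+#define IPSET_DATA_DOUBLE	0x08	/* Double data storage */
+
+/* Reserved keywords */
+#define IPSET_TOKEN_DEFAULT	":default:"
+#define IPSET_TOKEN_ALL		":all:"
+
+/* SO_IP_SET operation constants, and their request struct types.
+ *
+ * Operation ids:
+ *	  0-99:	 commands with version checking
+ *	100-199: add/del/test/bind/unbind
+ *	200-299: list, save, restore
+ */
+
+/* Single shot operations: 
+ * version, create, destroy, flush, rename and swap 
+ *
+ * Sets are identified by name.
+ */
+
+#define IP_SET_REQ_STD		\
+	unsigned op;		\
+	unsigned version;	\
+	char name[IP_SET_MAXNAMELEN]
+
+#define IP_SET_OP_CREATE	0x00000001	/* Create a new (empty) set */
+struct ip_set_req_create {
+	IP_SET_REQ_STD;
+	char typename[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_OP_DESTROY	0x00000002	/* Remove a (empty) set */
+struct ip_set_req_std {
+	IP_SET_REQ_STD;
+};
+
+#define IP_SET_OP_FLUSH		0x00000003	/* Remove all IPs in a set */
+/* Uses ip_set_req_std */
+
+#define IP_SET_OP_RENAME	0x00000004	/* Rename a set */
+/* Uses ip_set_req_create */
+
+#define IP_SET_OP_SWAP		0x00000005	/* Swap two sets */
+/* Uses ip_set_req_create */
+
+union ip_set_name_index {
+	char name[IP_SET_MAXNAMELEN];
+	ip_set_id_t index;
+};
+
+#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
+struct ip_set_req_get_set {
+	unsigned op;
+	unsigned version;
+	union ip_set_name_index set;
+};
+
+#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
+/* Uses ip_set_req_get_set */
+
+#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
+struct ip_set_req_version {
+	unsigned op;
+	unsigned version;
+};
+
+/* Double shots operations: 
+ * add, del, test, bind and unbind.
+ *
+ * First we query the kernel to get the index and type of the target set,
+ * then issue the command. Validity of IP is checked in kernel in order
+ * to minimalize sockopt operations.
+ */
+
+/* Get minimal set data for add/del/test/bind/unbind IP */
+#define IP_SET_OP_ADT_GET	0x00000010	/* Get set and type */
+struct ip_set_req_adt_get {
+	unsigned op;
+	unsigned version;
+	union ip_set_name_index set;
+	char typename[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_REQ_BYINDEX	\
+	unsigned op;		\
+	ip_set_id_t index;
+
+struct ip_set_req_adt {
+	IP_SET_REQ_BYINDEX;
+};
+
+#define IP_SET_OP_ADD_IP	0x00000101	/* Add an IP to a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_DEL_IP	0x00000102	/* Remove an IP from a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_TEST_IP	0x00000103	/* Test an IP in a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_BIND_SET	0x00000104	/* Bind an IP to a set */
+/* Uses ip_set_req_bind, with type specific addage */
+struct ip_set_req_bind {
+	IP_SET_REQ_BYINDEX;
+	char binding[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_OP_UNBIND_SET	0x00000105	/* Unbind an IP from a set */
+/* Uses ip_set_req_bind, with type speficic addage 
+ * index = 0 means unbinding for all sets */
+
+#define IP_SET_OP_TEST_BIND_SET	0x00000106	/* Test binding an IP to a set */
+/* Uses ip_set_req_bind, with type specific addage */
+
+/* Multiple shots operations: list, save, restore.
+ *
+ * - check kernel version and query the max number of sets
+ * - get the basic information on all sets
+ *   and size required for the next step
+ * - get actual set data: header, data, bindings
+ */
+
+/* Get max_sets and the index of a queried set
+ */
+#define IP_SET_OP_MAX_SETS	0x00000020
+struct ip_set_req_max_sets {
+	unsigned op;
+	unsigned version;
+	ip_set_id_t max_sets;		/* max_sets */
+	ip_set_id_t sets;		/* real number of sets */
+	union ip_set_name_index set;	/* index of set if name used */
+};
+
+/* Get the id and name of the sets plus size for next step */
+#define IP_SET_OP_LIST_SIZE	0x00000201
+#define IP_SET_OP_SAVE_SIZE	0x00000202
+struct ip_set_req_setnames {
+	unsigned op;
+	ip_set_id_t index;		/* set to list/save */
+	size_t size;			/* size to get setdata/bindings */
+	/* followed by sets number of struct ip_set_name_list */
+};
+
+struct ip_set_name_list {
+	char name[IP_SET_MAXNAMELEN];
+	char typename[IP_SET_MAXNAMELEN];
+	ip_set_id_t index;
+	ip_set_id_t id;
+};
+
+/* The actual list operation */
+#define IP_SET_OP_LIST		0x00000203
+struct ip_set_req_list {
+	IP_SET_REQ_BYINDEX;
+	/* sets number of struct ip_set_list in reply */ 
+};
+
+struct ip_set_list {
+	ip_set_id_t index;
+	ip_set_id_t binding;
+	u_int32_t ref;
+	size_t header_size;	/* Set header data of header_size */
+	size_t members_size;	/* Set members data of members_size */
+	size_t bindings_size;	/* Set bindings data of bindings_size */
+};
+
+struct ip_set_hash_list {
+	ip_set_ip_t ip;
+	ip_set_id_t binding;
+};
+
+/* The save operation */
+#define IP_SET_OP_SAVE		0x00000204
+/* Uses ip_set_req_list, in the reply replaced by
+ * sets number of struct ip_set_save plus a marker
+ * ip_set_save followed by ip_set_hash_save structures.
+ */
+struct ip_set_save {
+	ip_set_id_t index;
+	ip_set_id_t binding;
+	size_t header_size;	/* Set header data of header_size */
+	size_t members_size;	/* Set members data of members_size */
+};
+
+/* At restoring, ip == 0 means default binding for the given set: */
+struct ip_set_hash_save {
+	ip_set_ip_t ip;
+	ip_set_id_t id;
+	ip_set_id_t binding;
+};
+
+/* The restore operation */
+#define IP_SET_OP_RESTORE	0x00000205
+/* Uses ip_set_req_setnames followed by ip_set_restore structures
+ * plus a marker ip_set_restore, followed by ip_set_hash_save 
+ * structures.
+ */
+struct ip_set_restore {
+	char name[IP_SET_MAXNAMELEN];
+	char typename[IP_SET_MAXNAMELEN];
+	ip_set_id_t index;
+	size_t header_size;	/* Create data of header_size */
+	size_t members_size;	/* Set members data of members_size */
+};
+
+static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
+{
+	return 4 * ((((b - a + 8) / 8) + 3) / 4);
+}
+
+#ifdef __KERNEL__
+
+#define ip_set_printk(format, args...) 			\
+	do {							\
+		printk("%s: %s: ", __FILE__, __FUNCTION__);	\
+		printk(format "\n" , ## args);			\
+	} while (0)
+
+#if defined(IP_SET_DEBUG)
+#define DP(format, args...) 					\
+	do {							\
+		printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
+		printk(format "\n" , ## args);			\
+	} while (0)
+#define IP_SET_ASSERT(x)					\
+	do {							\
+		if (!(x))					\
+			printk("IP_SET_ASSERT: %s:%i(%s)\n",	\
+				__FILE__, __LINE__, __FUNCTION__); \
+	} while (0)
+#else
+#define DP(format, args...)
+#define IP_SET_ASSERT(x)
+#endif
+
+struct ip_set;
+
+/*
+ * The ip_set_type definition - one per set type, e.g. "ipmap".
+ *
+ * Each individual set has a pointer, set->type, going to one
+ * of these structures. Function pointers inside the structure implement
+ * the real behaviour of the sets.
+ *
+ * If not mentioned differently, the implementation behind the function
+ * pointers of a set_type, is expected to return 0 if ok, and a negative
+ * errno (e.g. -EINVAL) on error.
+ */
+struct ip_set_type {
+	struct list_head list;	/* next in list of set types */
+
+	/* test for IP in set (kernel: iptables -m set src|dst)
+	 * return 0 if not in set, 1 if in set.
+	 */
+	int (*testip_kernel) (struct ip_set *set,
+			      const struct sk_buff * skb, 
+			      ip_set_ip_t *ip,
+			      const u_int32_t *flags,
+			      unsigned char index);
+
+	/* test for IP in set (userspace: ipset -T set IP)
+	 * return 0 if not in set, 1 if in set.
+	 */
+	int (*testip) (struct ip_set *set,
+		       const void *data, size_t size,
+		       ip_set_ip_t *ip);
+
+	/*
+	 * Size of the data structure passed by when
+	 * adding/deletin/testing an entry.
+	 */
+	size_t reqsize;
+
+	/* Add IP into set (userspace: ipset -A set IP)
+	 * Return -EEXIST if the address is already in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address was not already in the set, 0 is returned.
+	 */
+	int (*addip) (struct ip_set *set, 
+		      const void *data, size_t size,
+		      ip_set_ip_t *ip);
+
+	/* Add IP into set (kernel: iptables ... -j SET set src|dst)
+	 * Return -EEXIST if the address is already in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address was not already in the set, 0 is returned.
+	 */
+	int (*addip_kernel) (struct ip_set *set,
+			     const struct sk_buff * skb, 
+			     ip_set_ip_t *ip,
+			     const u_int32_t *flags,
+			     unsigned char index);
+
+	/* remove IP from set (userspace: ipset -D set --entry x)
+	 * Return -EEXIST if the address is NOT in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address really was in the set, 0 is returned.
+	 */
+	int (*delip) (struct ip_set *set, 
+		      const void *data, size_t size,
+		      ip_set_ip_t *ip);
+
+	/* remove IP from set (kernel: iptables ... -j SET --entry x)
+	 * Return -EEXIST if the address is NOT in the set,
+	 * and -ERANGE if the address lies outside the set bounds.
+	 * If the address really was in the set, 0 is returned.
+	 */
+	int (*delip_kernel) (struct ip_set *set,
+			     const struct sk_buff * skb, 
+			     ip_set_ip_t *ip,
+			     const u_int32_t *flags,
+			     unsigned char index);
+
+	/* new set creation - allocated type specific items
+	 */
+	int (*create) (struct ip_set *set,
+		       const void *data, size_t size);
+
+	/* retry the operation after successfully tweaking the set
+	 */
+	int (*retry) (struct ip_set *set);
+
+	/* set destruction - free type specific items
+	 * There is no return value.
+	 * Can be called only when child sets are destroyed.
+	 */
+	void (*destroy) (struct ip_set *set);
+
+	/* set flushing - reset all bits in the set, or something similar.
+	 * There is no return value.
+	 */
+	void (*flush) (struct ip_set *set);
+
+	/* Listing: size needed for header
+	 */
+	size_t header_size;
+
+	/* Listing: Get the header
+	 *
+	 * Fill in the information in "data".
+	 * This function is always run after list_header_size() under a 
+	 * writelock on the set. Therefor is the length of "data" always 
+	 * correct. 
+	 */
+	void (*list_header) (const struct ip_set *set, 
+			     void *data);
+
+	/* Listing: Get the size for the set members
+	 */
+	int (*list_members_size) (const struct ip_set *set);
+
+	/* Listing: Get the set members
+	 *
+	 * Fill in the information in "data".
+	 * This function is always run after list_member_size() under a 
+	 * writelock on the set. Therefor is the length of "data" always 
+	 * correct. 
+	 */
+	void (*list_members) (const struct ip_set *set,
+			      void *data);
+
+	char typename[IP_SET_MAXNAMELEN];
+	unsigned char features;
+	int protocol_version;
+
+	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
+	struct module *me;
+};
+
+extern int ip_set_register_set_type(struct ip_set_type *set_type);
+extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
+
+/* A generic ipset */
+struct ip_set {
+	char name[IP_SET_MAXNAMELEN];	/* the name of the set */
+	rwlock_t lock;			/* lock for concurrency control */
+	ip_set_id_t id;			/* set id for swapping */
+	ip_set_id_t binding;		/* default binding for the set */
+	atomic_t ref;			/* in kernel and in hash references */
+	struct ip_set_type *type; 	/* the set types */
+	void *data;			/* pooltype specific data */
+};
+
+/* Structure to bind set elements to sets */
+struct ip_set_hash {
+	struct list_head list;		/* list of clashing entries in hash */
+	ip_set_ip_t ip;			/* ip from set */
+	ip_set_id_t id;			/* set id */
+	ip_set_id_t binding;		/* set we bind the element to */
+};
+
+/* register and unregister set references */
+extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
+extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
+extern void ip_set_put(ip_set_id_t id);
+
+/* API for iptables set match, and SET target */
+extern void ip_set_addip_kernel(ip_set_id_t id,
+				const struct sk_buff *skb,
+				const u_int32_t *flags);
+extern void ip_set_delip_kernel(ip_set_id_t id,
+				const struct sk_buff *skb,
+				const u_int32_t *flags);
+extern int ip_set_testip_kernel(ip_set_id_t id,
+				const struct sk_buff *skb,
+				const u_int32_t *flags);
+
+#endif				/* __KERNEL__ */
+
+#endif /*_IP_SET_H*/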
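Review bot: The header uses uint32_t, uint16_t, u_int32_t and size_t (the two typedefs, struct ip_set_list, and the SO_IP_SET request structs) without including <stdint.h>/<sys/types.h>, or <linux/types.h> under __KERNEL__, so it only compiles when the includer happens to pull those in first; adding the include at the top and settling on one spelling instead of mixing u_int32_t with uint32_t would make it self-contained. bitmap_bytes() evaluates `b - a + 8` in unsigned 32-bit arithmetic, so a call with b < a wraps to a huge value that is then narrowed into the int return; if callers guarantee a <= b, that precondition deserves a comment such as `/* requires a <= b; bytes needed for bits a..b, rounded up to a multiple of 4 */`, otherwise a guard is needed. The request and reply structs that cross the sockopt boundary (ip_set_req_setnames, ip_set_list, ip_set_save, ip_set_restore) carry size_t and unsigned fields whose width and padding follow whichever ABI compiled each side, so a userspace build and a kernel build with different pointer sizes would presumably disagree on the layout; either document that both sides must be built for the same ABI or move these fields to fixed-width types.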
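--- a/iptables-1.4.0/include/linux/netfilter_ipv4/ipt_set.h
+++ b/iptables-1.4.0/include/linux/netfilter_ipv4/ipt_set.h
@@ -0,0 +1,21 @@
+#ifndef _IPT_SET_H
+#define _IPT_SET_H
+
+#include <linux/netfilter_ipv4/ip_set.h>
+
+struct ipt_set_info {
+	ip_set_id_t index;
+	u_int32_t flags[IP_SET_MAX_BINDINGS + 1];
+};
+
+/* match info */
+struct ipt_set_info_match {
+	struct ipt_set_info match_set;
+};
+
+struct ipt_set_info_target {
+	struct ipt_set_info add_set;
+	struct ipt_set_info del_set;
+};
+
+#endif /*_IPT_SET_H*/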
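Review bot: struct ipt_set_info gives no hint what each element of flags[] holds, even though ip_set.h introduces IPSET_SRC, IPSET_DST and IPSET_MATCH_INV as the "option flags for kernel operations (ipt_set_info)" and the array is sized by IP_SET_MAX_BINDINGS + 1; a one-liner above the array, e.g. `/* one IPSET_SRC/IPSET_DST/IPSET_MATCH_INV word per binding level, see ip_set.h */`, would tie the two headers together. Whether the extra element beyond IP_SET_MAX_BINDINGS is the top-level entry or a terminator is not stated here either, so the comment should say which, since the kernel side presumably walks the array on that basis.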
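--- a/iptables-1.4.0/extensions/.set-test
+++ b/iptables-1.4.0/extensions/.set-test
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ip_set.h ] && echo set SET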
