1#ifndef _IP_SET_H
2#define _IP_SET_H
3
4/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
5 *                         Patrick Schaaf <bof@bof.de>
6 *                         Martin Josefsson <gandalf@wlug.westbo.se>
7 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2 as
11 * published by the Free Software Foundation.
12 */
13
14#include <linux/types.h>
15
16/* The protocol version */
17#define IPSET_PROTOCOL		6
18
19/* The max length of strings including NUL: set and type identifiers */
20#define IPSET_MAXNAMELEN	32
21
22/* Message types and commands */
23enum ipset_cmd {
24	IPSET_CMD_NONE,
25	IPSET_CMD_PROTOCOL,	/* 1: Return protocol version */
26	IPSET_CMD_CREATE,	/* 2: Create a new (empty) set */
27	IPSET_CMD_DESTROY,	/* 3: Destroy a (empty) set */
28	IPSET_CMD_FLUSH,	/* 4: Remove all elements from a set */
29	IPSET_CMD_RENAME,	/* 5: Rename a set */
30	IPSET_CMD_SWAP,		/* 6: Swap two sets */
31	IPSET_CMD_LIST,		/* 7: List sets */
32	IPSET_CMD_SAVE,		/* 8: Save sets */
33	IPSET_CMD_ADD,		/* 9: Add an element to a set */
34	IPSET_CMD_DEL,		/* 10: Delete an element from a set */
35	IPSET_CMD_TEST,		/* 11: Test an element in a set */
36	IPSET_CMD_HEADER,	/* 12: Get set header data only */
37	IPSET_CMD_TYPE,		/* 13: Get set type */
38	IPSET_MSG_MAX,		/* Netlink message commands */
39
40	/* Commands in userspace: */
41	IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
42	IPSET_CMD_HELP,		/* 15: Get help */
43	IPSET_CMD_VERSION,	/* 16: Get program version */
44	IPSET_CMD_QUIT,		/* 17: Quit from interactive mode */
45
46	IPSET_CMD_MAX,
47
48	IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
49};
50
51/* Attributes at command level */
52enum {
53	IPSET_ATTR_UNSPEC,
54	IPSET_ATTR_PROTOCOL,	/* 1: Protocol version */
55	IPSET_ATTR_SETNAME,	/* 2: Name of the set */
56	IPSET_ATTR_TYPENAME,	/* 3: Typename */
57	IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
58	IPSET_ATTR_REVISION,	/* 4: Settype revision */
59	IPSET_ATTR_FAMILY,	/* 5: Settype family */
60	IPSET_ATTR_FLAGS,	/* 6: Flags at command level */
61	IPSET_ATTR_DATA,	/* 7: Nested attributes */
62	IPSET_ATTR_ADT,		/* 8: Multiple data containers */
63	IPSET_ATTR_LINENO,	/* 9: Restore lineno */
64	IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
65	IPSET_ATTR_REVISION_MIN	= IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
66	__IPSET_ATTR_CMD_MAX,
67};
68#define IPSET_ATTR_CMD_MAX	(__IPSET_ATTR_CMD_MAX - 1)
69
70/* CADT specific attributes */
71enum {
72	IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
73	IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
74	IPSET_ATTR_IP_TO,	/* 2 */
75	IPSET_ATTR_CIDR,	/* 3 */
76	IPSET_ATTR_PORT,	/* 4 */
77	IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
78	IPSET_ATTR_PORT_TO,	/* 5 */
79	IPSET_ATTR_TIMEOUT,	/* 6 */
80	IPSET_ATTR_PROTO,	/* 7 */
81	IPSET_ATTR_CADT_FLAGS,	/* 8 */
82	IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO,	/* 9 */
83	/* Reserve empty slots */
84	IPSET_ATTR_CADT_MAX = 16,
85	/* Create-only specific attributes */
86	IPSET_ATTR_GC,
87	IPSET_ATTR_HASHSIZE,
88	IPSET_ATTR_MAXELEM,
89	IPSET_ATTR_NETMASK,
90	IPSET_ATTR_PROBES,
91	IPSET_ATTR_RESIZE,
92	IPSET_ATTR_SIZE,
93	/* Kernel-only */
94	IPSET_ATTR_ELEMENTS,
95	IPSET_ATTR_REFERENCES,
96	IPSET_ATTR_MEMSIZE,
97
98	__IPSET_ATTR_CREATE_MAX,
99};
100#define IPSET_ATTR_CREATE_MAX	(__IPSET_ATTR_CREATE_MAX - 1)
101
102/* ADT specific attributes */
103enum {
104	IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
105	IPSET_ATTR_NAME,
106	IPSET_ATTR_NAMEREF,
107	IPSET_ATTR_IP2,
108	IPSET_ATTR_CIDR2,
109	IPSET_ATTR_IP2_TO,
110	IPSET_ATTR_IFACE,
111	__IPSET_ATTR_ADT_MAX,
112};
113#define IPSET_ATTR_ADT_MAX	(__IPSET_ATTR_ADT_MAX - 1)
114
115/* IP specific attributes */
116enum {
117	IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
118	IPSET_ATTR_IPADDR_IPV6,
119	__IPSET_ATTR_IPADDR_MAX,
120};
121#define IPSET_ATTR_IPADDR_MAX	(__IPSET_ATTR_IPADDR_MAX - 1)
122
123/* Error codes */
124enum ipset_errno {
125	IPSET_ERR_PRIVATE = 4096,
126	IPSET_ERR_PROTOCOL,
127	IPSET_ERR_FIND_TYPE,
128	IPSET_ERR_MAX_SETS,
129	IPSET_ERR_BUSY,
130	IPSET_ERR_EXIST_SETNAME2,
131	IPSET_ERR_TYPE_MISMATCH,
132	IPSET_ERR_EXIST,
133	IPSET_ERR_INVALID_CIDR,
134	IPSET_ERR_INVALID_NETMASK,
135	IPSET_ERR_INVALID_FAMILY,
136	IPSET_ERR_TIMEOUT,
137	IPSET_ERR_REFERENCED,
138	IPSET_ERR_IPADDR_IPV4,
139	IPSET_ERR_IPADDR_IPV6,
140
141	/* Type specific error codes */
142	IPSET_ERR_TYPE_SPECIFIC = 4352,
143};
144
145/* Flags at command level */
146enum ipset_cmd_flags {
147	IPSET_FLAG_BIT_EXIST	= 0,
148	IPSET_FLAG_EXIST	= (1 << IPSET_FLAG_BIT_EXIST),
149	IPSET_FLAG_BIT_LIST_SETNAME = 1,
150	IPSET_FLAG_LIST_SETNAME	= (1 << IPSET_FLAG_BIT_LIST_SETNAME),
151	IPSET_FLAG_BIT_LIST_HEADER = 2,
152	IPSET_FLAG_LIST_HEADER	= (1 << IPSET_FLAG_BIT_LIST_HEADER),
153	IPSET_FLAG_CMD_MAX = 15,	/* Lower half */
154};
155
156/* Flags at CADT attribute level */
157enum ipset_cadt_flags {
158	IPSET_FLAG_BIT_BEFORE	= 0,
159	IPSET_FLAG_BEFORE	= (1 << IPSET_FLAG_BIT_BEFORE),
160	IPSET_FLAG_BIT_PHYSDEV	= 1,
161	IPSET_FLAG_PHYSDEV	= (1 << IPSET_FLAG_BIT_PHYSDEV),
162	IPSET_FLAG_BIT_NOMATCH	= 2,
163	IPSET_FLAG_NOMATCH	= (1 << IPSET_FLAG_BIT_NOMATCH),
164	IPSET_FLAG_CADT_MAX	= 15,	/* Upper half */
165};
166
167/* Commands with settype-specific attributes */
168enum ipset_adt {
169	IPSET_ADD,
170	IPSET_DEL,
171	IPSET_TEST,
172	IPSET_ADT_MAX,
173	IPSET_CREATE = IPSET_ADT_MAX,
174	IPSET_CADT_MAX,
175};
176
177/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
178 * and IPSET_INVALID_ID if you want to increase the max number of sets.
179 */
180typedef __u16 ip_set_id_t;
181
182#define IPSET_INVALID_ID		65535
183
184enum ip_set_dim {
185	IPSET_DIM_ZERO = 0,
186	IPSET_DIM_ONE,
187	IPSET_DIM_TWO,
188	IPSET_DIM_THREE,
189	/* Max dimension in elements.
190	 * If changed, new revision of iptables match/target is required.
191	 */
192	IPSET_DIM_MAX = 6,
193};
194
195/* Option flags for kernel operations */
196enum ip_set_kopt {
197	IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
198	IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
199	IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
200	IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
201};
202
203#ifdef __KERNEL__
204#include <linux/ip.h>
205#include <linux/ipv6.h>
206#include <linux/netlink.h>
207#include <linux/netfilter.h>
208#include <linux/netfilter/x_tables.h>
209#include <linux/vmalloc.h>
210#include <net/netlink.h>
211
212/* Set features */
213enum ip_set_feature {
214	IPSET_TYPE_IP_FLAG = 0,
215	IPSET_TYPE_IP = (1 << IPSET_TYPE_IP_FLAG),
216	IPSET_TYPE_PORT_FLAG = 1,
217	IPSET_TYPE_PORT = (1 << IPSET_TYPE_PORT_FLAG),
218	IPSET_TYPE_MAC_FLAG = 2,
219	IPSET_TYPE_MAC = (1 << IPSET_TYPE_MAC_FLAG),
220	IPSET_TYPE_IP2_FLAG = 3,
221	IPSET_TYPE_IP2 = (1 << IPSET_TYPE_IP2_FLAG),
222	IPSET_TYPE_NAME_FLAG = 4,
223	IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG),
224	IPSET_TYPE_IFACE_FLAG = 5,
225	IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG),
226	/* Strictly speaking not a feature, but a flag for dumping:
227	 * this settype must be dumped last */
228	IPSET_DUMP_LAST_FLAG = 7,
229	IPSET_DUMP_LAST = (1 << IPSET_DUMP_LAST_FLAG),
230};
231
232struct ip_set;
233
234typedef int (*ipset_adtfn)(struct ip_set *set, void *value,
235			   u32 timeout, u32 flags);
236
237/* Kernel API function options */
238struct ip_set_adt_opt {
239	u8 family;		/* Actual protocol family */
240	u8 dim;			/* Dimension of match/target */
241	u8 flags;		/* Direction and negation flags */
242	u32 cmdflags;		/* Command-like flags */
243	u32 timeout;		/* Timeout value */
244};
245
246/* Set type, variant-specific part */
247struct ip_set_type_variant {
248	/* Kernelspace: test/add/del entries
249	 *		returns negative error code,
250	 *			zero for no match/success to add/delete
251	 *			positive for matching element */
252	int (*kadt)(struct ip_set *set, const struct sk_buff * skb,
253		    const struct xt_action_param *par,
254		    enum ipset_adt adt, const struct ip_set_adt_opt *opt);
255
256	/* Userspace: test/add/del entries
257	 *		returns negative error code,
258	 *			zero for no match/success to add/delete
259	 *			positive for matching element */
260	int (*uadt)(struct ip_set *set, struct nlattr *tb[],
261		    enum ipset_adt adt, u32 *lineno, u32 flags, bool retried);
262
263	/* Low level add/del/test functions */
264	ipset_adtfn adt[IPSET_ADT_MAX];
265
266	/* When adding entries and set is full, try to resize the set */
267	int (*resize)(struct ip_set *set, bool retried);
268	/* Destroy the set */
269	void (*destroy)(struct ip_set *set);
270	/* Flush the elements */
271	void (*flush)(struct ip_set *set);
272	/* Expire entries before listing */
273	void (*expire)(struct ip_set *set);
274	/* List set header data */
275	int (*head)(struct ip_set *set, struct sk_buff *skb);
276	/* List elements */
277	int (*list)(const struct ip_set *set, struct sk_buff *skb,
278		    struct netlink_callback *cb);
279
280	/* Return true if "b" set is the same as "a"
281	 * according to the create set parameters */
282	bool (*same_set)(const struct ip_set *a, const struct ip_set *b);
283};
284
285/* The core set type structure */
286struct ip_set_type {
287	struct list_head list;
288
289	/* Typename */
290	char name[IPSET_MAXNAMELEN];
291	/* Protocol version */
292	u8 protocol;
293	/* Set features to control swapping */
294	u8 features;
295	/* Set type dimension */
296	u8 dimension;
297	/*
298	 * Supported family: may be NFPROTO_UNSPEC for both
299	 * NFPROTO_IPV4/NFPROTO_IPV6.
300	 */
301	u8 family;
302	/* Type revisions */
303	u8 revision_min, revision_max;
304
305	/* Create set */
306	int (*create)(struct ip_set *set, struct nlattr *tb[], u32 flags);
307
308	/* Attribute policies */
309	const struct nla_policy create_policy[IPSET_ATTR_CREATE_MAX + 1];
310	const struct nla_policy adt_policy[IPSET_ATTR_ADT_MAX + 1];
311
312	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
313	struct module *me;
314};
315
316/* register and unregister set type */
317extern int ip_set_type_register(struct ip_set_type *set_type);
318extern void ip_set_type_unregister(struct ip_set_type *set_type);
319
320/* A generic IP set */
321struct ip_set {
322	/* The name of the set */
323	char name[IPSET_MAXNAMELEN];
324	/* Lock protecting the set data */
325	rwlock_t lock;
326	/* References to the set */
327	u32 ref;
328	/* The core set type */
329	struct ip_set_type *type;
330	/* The type variant doing the real job */
331	const struct ip_set_type_variant *variant;
332	/* The actual INET family of the set */
333	u8 family;
334	/* The type revision */
335	u8 revision;
336	/* The type specific data */
337	void *data;
338};
339
340/* register and unregister set references */
341extern ip_set_id_t ip_set_get_byname(const char *name, struct ip_set **set);
342extern void ip_set_put_byindex(ip_set_id_t index);
343extern const char *ip_set_name_byindex(ip_set_id_t index);
344extern ip_set_id_t ip_set_nfnl_get(const char *name);
345extern ip_set_id_t ip_set_nfnl_get_byindex(ip_set_id_t index);
346extern void ip_set_nfnl_put(ip_set_id_t index);
347
348/* API for iptables set match, and SET target */
349
350extern int ip_set_add(ip_set_id_t id, const struct sk_buff *skb,
351		      const struct xt_action_param *par,
352		      const struct ip_set_adt_opt *opt);
353extern int ip_set_del(ip_set_id_t id, const struct sk_buff *skb,
354		      const struct xt_action_param *par,
355		      const struct ip_set_adt_opt *opt);
356extern int ip_set_test(ip_set_id_t id, const struct sk_buff *skb,
357		       const struct xt_action_param *par,
358		       const struct ip_set_adt_opt *opt);
359
360/* Utility functions */
361extern void *ip_set_alloc(size_t size);
362extern void ip_set_free(void *members);
363extern int ip_set_get_ipaddr4(struct nlattr *nla,  __be32 *ipaddr);
364extern int ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr);
365
366static inline int
367ip_set_get_hostipaddr4(struct nlattr *nla, u32 *ipaddr)
368{
369	__be32 ip;
370	int ret = ip_set_get_ipaddr4(nla, &ip);
371
372	if (ret)
373		return ret;
374	*ipaddr = ntohl(ip);
375	return 0;
376}
377
378/* Ignore IPSET_ERR_EXIST errors if asked to do so? */
379static inline bool
380ip_set_eexist(int ret, u32 flags)
381{
382	return ret == -IPSET_ERR_EXIST && (flags & IPSET_FLAG_EXIST);
383}
384
385/* Check the NLA_F_NET_BYTEORDER flag */
386static inline bool
387ip_set_attr_netorder(struct nlattr *tb[], int type)
388{
389	return tb[type] && (tb[type]->nla_type & NLA_F_NET_BYTEORDER);
390}
391
392static inline bool
393ip_set_optattr_netorder(struct nlattr *tb[], int type)
394{
395	return !tb[type] || (tb[type]->nla_type & NLA_F_NET_BYTEORDER);
396}
397
398/* Useful converters */
399static inline u32
400ip_set_get_h32(const struct nlattr *attr)
401{
402	return ntohl(nla_get_be32(attr));
403}
404
405static inline u16
406ip_set_get_h16(const struct nlattr *attr)
407{
408	return ntohs(nla_get_be16(attr));
409}
410
411#define ipset_nest_start(skb, attr) nla_nest_start(skb, attr | NLA_F_NESTED)
412#define ipset_nest_end(skb, start)  nla_nest_end(skb, start)
413
414#define NLA_PUT_IPADDR4(skb, type, ipaddr)			\
415do {								\
416	struct nlattr *__nested = ipset_nest_start(skb, type);	\
417								\
418	if (!__nested)						\
419		goto nla_put_failure;				\
420	NLA_PUT_NET32(skb, IPSET_ATTR_IPADDR_IPV4, ipaddr);	\
421	ipset_nest_end(skb, __nested);				\
422} while (0)
423
424#define NLA_PUT_IPADDR6(skb, type, ipaddrptr)			\
425do {								\
426	struct nlattr *__nested = ipset_nest_start(skb, type);	\
427								\
428	if (!__nested)						\
429		goto nla_put_failure;				\
430	NLA_PUT(skb, IPSET_ATTR_IPADDR_IPV6,			\
431		sizeof(struct in6_addr), ipaddrptr);		\
432	ipset_nest_end(skb, __nested);				\
433} while (0)
434
435/* Get address from skbuff */
436static inline __be32
437ip4addr(const struct sk_buff *skb, bool src)
438{
439	return src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr;
440}
441
442static inline void
443ip4addrptr(const struct sk_buff *skb, bool src, __be32 *addr)
444{
445	*addr = src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr;
446}
447
448static inline void
449ip6addrptr(const struct sk_buff *skb, bool src, struct in6_addr *addr)
450{
451	memcpy(addr, src ? &ipv6_hdr(skb)->saddr : &ipv6_hdr(skb)->daddr,
452	       sizeof(*addr));
453}
454
455/* Calculate the bytes required to store the inclusive range of a-b */
456static inline int
457bitmap_bytes(u32 a, u32 b)
458{
459	return 4 * ((((b - a + 8) / 8) + 3) / 4);
460}
461
462#endif /* __KERNEL__ */
463
464/* Interface to iptables/ip6tables */
465
466#define SO_IP_SET		83
467
468union ip_set_name_index {
469	char name[IPSET_MAXNAMELEN];
470	ip_set_id_t index;
471};
472
473#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
474struct ip_set_req_get_set {
475	unsigned op;
476	unsigned version;
477	union ip_set_name_index set;
478};
479
480#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
481/* Uses ip_set_req_get_set */
482
483#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
484struct ip_set_req_version {
485	unsigned op;
486	unsigned version;
487};
488
489#endif /*_IP_SET_H */
490