1 /* SPDX-License-Identifier: GPL-2.0-only */ 2 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> 3 * Patrick Schaaf <bof@bof.de> 4 * Martin Josefsson <gandalf@wlug.westbo.se> 5 * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org> 6 */ 7 #ifndef _IP_SET_H 8 #define _IP_SET_H 9 10 #include <linux/ip.h> 11 #include <linux/ipv6.h> 12 #include <linux/netlink.h> 13 #include <linux/netfilter.h> 14 #include <linux/netfilter/x_tables.h> 15 #include <linux/stringify.h> 16 #include <linux/vmalloc.h> 17 #include <net/netlink.h> 18 #include <uapi/linux/netfilter/ipset/ip_set.h> 19 20 #define _IP_SET_MODULE_DESC(a, b, c) \ 21 MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c) 22 #define IP_SET_MODULE_DESC(a, b, c) \ 23 _IP_SET_MODULE_DESC(a, __stringify(b), __stringify(c)) 24 25 /* Set features */ 26 enum ip_set_feature { 27 IPSET_TYPE_IP_FLAG = 0, 28 IPSET_TYPE_IP = (1 << IPSET_TYPE_IP_FLAG), 29 IPSET_TYPE_PORT_FLAG = 1, 30 IPSET_TYPE_PORT = (1 << IPSET_TYPE_PORT_FLAG), 31 IPSET_TYPE_MAC_FLAG = 2, 32 IPSET_TYPE_MAC = (1 << IPSET_TYPE_MAC_FLAG), 33 IPSET_TYPE_IP2_FLAG = 3, 34 IPSET_TYPE_IP2 = (1 << IPSET_TYPE_IP2_FLAG), 35 IPSET_TYPE_NAME_FLAG = 4, 36 IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG), 37 IPSET_TYPE_IFACE_FLAG = 5, 38 IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG), 39 IPSET_TYPE_MARK_FLAG = 6, 40 IPSET_TYPE_MARK = (1 << IPSET_TYPE_MARK_FLAG), 41 IPSET_TYPE_NOMATCH_FLAG = 7, 42 IPSET_TYPE_NOMATCH = (1 << IPSET_TYPE_NOMATCH_FLAG), 43 /* Strictly speaking not a feature, but a flag for dumping: 44 * this settype must be dumped last */ 45 IPSET_DUMP_LAST_FLAG = 8, 46 IPSET_DUMP_LAST = (1 << IPSET_DUMP_LAST_FLAG), 47 }; 48 49 /* Set extensions */ 50 enum ip_set_extension { 51 IPSET_EXT_BIT_TIMEOUT = 0, 52 IPSET_EXT_TIMEOUT = (1 << IPSET_EXT_BIT_TIMEOUT), 53 IPSET_EXT_BIT_COUNTER = 1, 54 IPSET_EXT_COUNTER = (1 << IPSET_EXT_BIT_COUNTER), 55 IPSET_EXT_BIT_COMMENT = 2, 56 IPSET_EXT_COMMENT = (1 << IPSET_EXT_BIT_COMMENT), 57 IPSET_EXT_BIT_SKBINFO = 3, 58 IPSET_EXT_SKBINFO = (1 << IPSET_EXT_BIT_SKBINFO), 59 /* Mark set with an extension which needs to call destroy */ 60 IPSET_EXT_BIT_DESTROY = 7, 61 IPSET_EXT_DESTROY = (1 << IPSET_EXT_BIT_DESTROY), 62 }; 63 64 #define SET_WITH_TIMEOUT(s) ((s)->extensions & IPSET_EXT_TIMEOUT) 65 #define SET_WITH_COUNTER(s) ((s)->extensions & IPSET_EXT_COUNTER) 66 #define SET_WITH_COMMENT(s) ((s)->extensions & IPSET_EXT_COMMENT) 67 #define SET_WITH_SKBINFO(s) ((s)->extensions & IPSET_EXT_SKBINFO) 68 #define SET_WITH_FORCEADD(s) ((s)->flags & IPSET_CREATE_FLAG_FORCEADD) 69 70 /* Extension id, in size order */ 71 enum ip_set_ext_id { 72 IPSET_EXT_ID_COUNTER = 0, 73 IPSET_EXT_ID_TIMEOUT, 74 IPSET_EXT_ID_SKBINFO, 75 IPSET_EXT_ID_COMMENT, 76 IPSET_EXT_ID_MAX, 77 }; 78 79 struct ip_set; 80 81 /* Extension type */ 82 struct ip_set_ext_type { 83 /* Destroy extension private data (can be NULL) */ 84 void (*destroy)(struct ip_set *set, void *ext); 85 enum ip_set_extension type; 86 enum ipset_cadt_flags flag; 87 /* Size and minimal alignment */ 88 u8 len; 89 u8 align; 90 }; 91 92 extern const struct ip_set_ext_type ip_set_extensions[]; 93 94 struct ip_set_counter { 95 atomic64_t bytes; 96 atomic64_t packets; 97 }; 98 99 struct ip_set_comment_rcu { 100 struct rcu_head rcu; 101 char str[]; 102 }; 103 104 struct ip_set_comment { 105 struct ip_set_comment_rcu __rcu *c; 106 }; 107 108 struct ip_set_skbinfo { 109 u32 skbmark; 110 u32 skbmarkmask; 111 u32 skbprio; 112 u16 skbqueue; 113 u16 __pad; 114 }; 115 116 struct ip_set_ext { 117 struct ip_set_skbinfo skbinfo; 118 u64 packets; 119 u64 bytes; 120 char *comment; 121 u32 timeout; 122 u8 packets_op; 123 u8 bytes_op; 124 bool target; 125 }; 126 127 #define ext_timeout(e, s) \ 128 ((unsigned long *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_TIMEOUT])) 129 #define ext_counter(e, s) \ 130 ((struct ip_set_counter *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COUNTER])) 131 #define ext_comment(e, s) \ 132 ((struct ip_set_comment *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COMMENT])) 133 #define ext_skbinfo(e, s) \ 134 ((struct ip_set_skbinfo *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_SKBINFO])) 135 136 typedef int (*ipset_adtfn)(struct ip_set *set, void *value, 137 const struct ip_set_ext *ext, 138 struct ip_set_ext *mext, u32 cmdflags); 139 140 /* Kernel API function options */ 141 struct ip_set_adt_opt { 142 u8 family; /* Actual protocol family */ 143 u8 dim; /* Dimension of match/target */ 144 u8 flags; /* Direction and negation flags */ 145 u32 cmdflags; /* Command-like flags */ 146 struct ip_set_ext ext; /* Extensions */ 147 }; 148 149 /* Set type, variant-specific part */ 150 struct ip_set_type_variant { 151 /* Kernelspace: test/add/del entries 152 * returns negative error code, 153 * zero for no match/success to add/delete 154 * positive for matching element */ 155 int (*kadt)(struct ip_set *set, const struct sk_buff *skb, 156 const struct xt_action_param *par, 157 enum ipset_adt adt, struct ip_set_adt_opt *opt); 158 159 /* Userspace: test/add/del entries 160 * returns negative error code, 161 * zero for no match/success to add/delete 162 * positive for matching element */ 163 int (*uadt)(struct ip_set *set, struct nlattr *tb[], 164 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried); 165 166 /* Low level add/del/test functions */ 167 ipset_adtfn adt[IPSET_ADT_MAX]; 168 169 /* When adding entries and set is full, try to resize the set */ 170 int (*resize)(struct ip_set *set, bool retried); 171 /* Destroy the set */ 172 void (*destroy)(struct ip_set *set); 173 /* Flush the elements */ 174 void (*flush)(struct ip_set *set); 175 /* Expire entries before listing */ 176 void (*expire)(struct ip_set *set); 177 /* List set header data */ 178 int (*head)(struct ip_set *set, struct sk_buff *skb); 179 /* List elements */ 180 int (*list)(const struct ip_set *set, struct sk_buff *skb, 181 struct netlink_callback *cb); 182 /* Keep listing private when resizing runs parallel */ 183 void (*uref)(struct ip_set *set, struct netlink_callback *cb, 184 bool start); 185 186 /* Return true if "b" set is the same as "a" 187 * according to the create set parameters */ 188 bool (*same_set)(const struct ip_set *a, const struct ip_set *b); 189 /* Region-locking is used */ 190 bool region_lock; 191 }; 192 193 struct ip_set_region { 194 spinlock_t lock; /* Region lock */ 195 size_t ext_size; /* Size of the dynamic extensions */ 196 u32 elements; /* Number of elements vs timeout */ 197 }; 198 199 /* Max range where every element is added/deleted in one step */ 200 #define IPSET_MAX_RANGE (1<<20) 201 202 /* The max revision number supported by any set type + 1 */ 203 #define IPSET_REVISION_MAX 9 204 205 /* The core set type structure */ 206 struct ip_set_type { 207 struct list_head list; 208 209 /* Typename */ 210 char name[IPSET_MAXNAMELEN]; 211 /* Protocol version */ 212 u8 protocol; 213 /* Set type dimension */ 214 u8 dimension; 215 /* 216 * Supported family: may be NFPROTO_UNSPEC for both 217 * NFPROTO_IPV4/NFPROTO_IPV6. 218 */ 219 u8 family; 220 /* Type revisions */ 221 u8 revision_min, revision_max; 222 /* Revision-specific supported (create) flags */ 223 u8 create_flags[IPSET_REVISION_MAX+1]; 224 /* Set features to control swapping */ 225 u16 features; 226 227 /* Create set */ 228 int (*create)(struct net *net, struct ip_set *set, 229 struct nlattr *tb[], u32 flags); 230 231 /* Attribute policies */ 232 const struct nla_policy create_policy[IPSET_ATTR_CREATE_MAX + 1]; 233 const struct nla_policy adt_policy[IPSET_ATTR_ADT_MAX + 1]; 234 235 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 236 struct module *me; 237 }; 238 239 /* register and unregister set type */ 240 extern int ip_set_type_register(struct ip_set_type *set_type); 241 extern void ip_set_type_unregister(struct ip_set_type *set_type); 242 243 /* A generic IP set */ 244 struct ip_set { 245 /* The name of the set */ 246 char name[IPSET_MAXNAMELEN]; 247 /* Lock protecting the set data */ 248 spinlock_t lock; 249 /* References to the set */ 250 u32 ref; 251 /* References to the set for netlink events like dump, 252 * ref can be swapped out by ip_set_swap 253 */ 254 u32 ref_netlink; 255 /* The core set type */ 256 struct ip_set_type *type; 257 /* The type variant doing the real job */ 258 const struct ip_set_type_variant *variant; 259 /* The actual INET family of the set */ 260 u8 family; 261 /* The type revision */ 262 u8 revision; 263 /* Extensions */ 264 u8 extensions; 265 /* Create flags */ 266 u8 flags; 267 /* Default timeout value, if enabled */ 268 u32 timeout; 269 /* Number of elements (vs timeout) */ 270 u32 elements; 271 /* Size of the dynamic extensions (vs timeout) */ 272 size_t ext_size; 273 /* Element data size */ 274 size_t dsize; 275 /* Offsets to extensions in elements */ 276 size_t offset[IPSET_EXT_ID_MAX]; 277 /* The type specific data */ 278 void *data; 279 }; 280 281 static inline void ip_set_ext_destroy(struct ip_set * set,void * data)282 ip_set_ext_destroy(struct ip_set *set, void *data) 283 { 284 /* Check that the extension is enabled for the set and 285 * call it's destroy function for its extension part in data. 286 */ 287 if (SET_WITH_COMMENT(set)) { 288 struct ip_set_comment *c = ext_comment(data, set); 289 290 ip_set_extensions[IPSET_EXT_ID_COMMENT].destroy(set, c); 291 } 292 } 293 294 int ip_set_put_flags(struct sk_buff *skb, struct ip_set *set); 295 296 /* Netlink CB args */ 297 enum { 298 IPSET_CB_NET = 0, /* net namespace */ 299 IPSET_CB_PROTO, /* ipset protocol */ 300 IPSET_CB_DUMP, /* dump single set/all sets */ 301 IPSET_CB_INDEX, /* set index */ 302 IPSET_CB_PRIVATE, /* set private data */ 303 IPSET_CB_ARG0, /* type specific */ 304 }; 305 306 /* register and unregister set references */ 307 extern ip_set_id_t ip_set_get_byname(struct net *net, 308 const char *name, struct ip_set **set); 309 extern void ip_set_put_byindex(struct net *net, ip_set_id_t index); 310 extern void ip_set_name_byindex(struct net *net, ip_set_id_t index, char *name); 311 extern ip_set_id_t ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index); 312 extern void ip_set_nfnl_put(struct net *net, ip_set_id_t index); 313 314 /* API for iptables set match, and SET target */ 315 316 extern int ip_set_add(ip_set_id_t id, const struct sk_buff *skb, 317 const struct xt_action_param *par, 318 struct ip_set_adt_opt *opt); 319 extern int ip_set_del(ip_set_id_t id, const struct sk_buff *skb, 320 const struct xt_action_param *par, 321 struct ip_set_adt_opt *opt); 322 extern int ip_set_test(ip_set_id_t id, const struct sk_buff *skb, 323 const struct xt_action_param *par, 324 struct ip_set_adt_opt *opt); 325 326 /* Utility functions */ 327 extern void *ip_set_alloc(size_t size); 328 extern void ip_set_free(void *members); 329 extern int ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr); 330 extern int ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr); 331 extern size_t ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], 332 size_t len, size_t align); 333 extern int ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[], 334 struct ip_set_ext *ext); 335 extern int ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set, 336 const void *e, bool active); 337 extern bool ip_set_match_extensions(struct ip_set *set, 338 const struct ip_set_ext *ext, 339 struct ip_set_ext *mext, 340 u32 flags, void *data); 341 342 static inline int ip_set_get_hostipaddr4(struct nlattr * nla,u32 * ipaddr)343 ip_set_get_hostipaddr4(struct nlattr *nla, u32 *ipaddr) 344 { 345 __be32 ip; 346 int ret = ip_set_get_ipaddr4(nla, &ip); 347 348 if (ret) 349 return ret; 350 *ipaddr = ntohl(ip); 351 return 0; 352 } 353 354 /* Ignore IPSET_ERR_EXIST errors if asked to do so? */ 355 static inline bool ip_set_eexist(int ret,u32 flags)356 ip_set_eexist(int ret, u32 flags) 357 { 358 return ret == -IPSET_ERR_EXIST && (flags & IPSET_FLAG_EXIST); 359 } 360 361 /* Match elements marked with nomatch */ 362 static inline bool ip_set_enomatch(int ret,u32 flags,enum ipset_adt adt,struct ip_set * set)363 ip_set_enomatch(int ret, u32 flags, enum ipset_adt adt, struct ip_set *set) 364 { 365 return adt == IPSET_TEST && 366 (set->type->features & IPSET_TYPE_NOMATCH) && 367 ((flags >> 16) & IPSET_FLAG_NOMATCH) && 368 (ret > 0 || ret == -ENOTEMPTY); 369 } 370 371 /* Check the NLA_F_NET_BYTEORDER flag */ 372 static inline bool ip_set_attr_netorder(struct nlattr * tb[],int type)373 ip_set_attr_netorder(struct nlattr *tb[], int type) 374 { 375 return tb[type] && (tb[type]->nla_type & NLA_F_NET_BYTEORDER); 376 } 377 378 static inline bool ip_set_optattr_netorder(struct nlattr * tb[],int type)379 ip_set_optattr_netorder(struct nlattr *tb[], int type) 380 { 381 return !tb[type] || (tb[type]->nla_type & NLA_F_NET_BYTEORDER); 382 } 383 384 /* Useful converters */ 385 static inline u32 ip_set_get_h32(const struct nlattr * attr)386 ip_set_get_h32(const struct nlattr *attr) 387 { 388 return ntohl(nla_get_be32(attr)); 389 } 390 391 static inline u16 ip_set_get_h16(const struct nlattr * attr)392 ip_set_get_h16(const struct nlattr *attr) 393 { 394 return ntohs(nla_get_be16(attr)); 395 } 396 nla_put_ipaddr4(struct sk_buff * skb,int type,__be32 ipaddr)397 static inline int nla_put_ipaddr4(struct sk_buff *skb, int type, __be32 ipaddr) 398 { 399 struct nlattr *__nested = nla_nest_start(skb, type); 400 int ret; 401 402 if (!__nested) 403 return -EMSGSIZE; 404 ret = nla_put_in_addr(skb, IPSET_ATTR_IPADDR_IPV4, ipaddr); 405 if (!ret) 406 nla_nest_end(skb, __nested); 407 return ret; 408 } 409 nla_put_ipaddr6(struct sk_buff * skb,int type,const struct in6_addr * ipaddrptr)410 static inline int nla_put_ipaddr6(struct sk_buff *skb, int type, 411 const struct in6_addr *ipaddrptr) 412 { 413 struct nlattr *__nested = nla_nest_start(skb, type); 414 int ret; 415 416 if (!__nested) 417 return -EMSGSIZE; 418 ret = nla_put_in6_addr(skb, IPSET_ATTR_IPADDR_IPV6, ipaddrptr); 419 if (!ret) 420 nla_nest_end(skb, __nested); 421 return ret; 422 } 423 424 /* Get address from skbuff */ 425 static inline __be32 ip4addr(const struct sk_buff * skb,bool src)426 ip4addr(const struct sk_buff *skb, bool src) 427 { 428 return src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr; 429 } 430 431 static inline void ip4addrptr(const struct sk_buff * skb,bool src,__be32 * addr)432 ip4addrptr(const struct sk_buff *skb, bool src, __be32 *addr) 433 { 434 *addr = src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr; 435 } 436 437 static inline void ip6addrptr(const struct sk_buff * skb,bool src,struct in6_addr * addr)438 ip6addrptr(const struct sk_buff *skb, bool src, struct in6_addr *addr) 439 { 440 memcpy(addr, src ? &ipv6_hdr(skb)->saddr : &ipv6_hdr(skb)->daddr, 441 sizeof(*addr)); 442 } 443 444 /* How often should the gc be run by default */ 445 #define IPSET_GC_TIME (3 * 60) 446 447 /* Timeout period depending on the timeout value of the given set */ 448 #define IPSET_GC_PERIOD(timeout) \ 449 ((timeout/3) ? min_t(u32, (timeout)/3, IPSET_GC_TIME) : 1) 450 451 /* Entry is set with no timeout value */ 452 #define IPSET_ELEM_PERMANENT 0 453 454 /* Set is defined with timeout support: timeout value may be 0 */ 455 #define IPSET_NO_TIMEOUT UINT_MAX 456 457 /* Max timeout value, see msecs_to_jiffies() in jiffies.h */ 458 #define IPSET_MAX_TIMEOUT (UINT_MAX >> 1)/MSEC_PER_SEC 459 460 #define ip_set_adt_opt_timeout(opt, set) \ 461 ((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout) 462 463 static inline unsigned int ip_set_timeout_uget(struct nlattr * tb)464 ip_set_timeout_uget(struct nlattr *tb) 465 { 466 unsigned int timeout = ip_set_get_h32(tb); 467 468 /* Normalize to fit into jiffies */ 469 if (timeout > IPSET_MAX_TIMEOUT) 470 timeout = IPSET_MAX_TIMEOUT; 471 472 return timeout; 473 } 474 475 static inline bool ip_set_timeout_expired(const unsigned long * t)476 ip_set_timeout_expired(const unsigned long *t) 477 { 478 return *t != IPSET_ELEM_PERMANENT && time_is_before_jiffies(*t); 479 } 480 481 static inline void ip_set_timeout_set(unsigned long * timeout,u32 value)482 ip_set_timeout_set(unsigned long *timeout, u32 value) 483 { 484 unsigned long t; 485 486 if (!value) { 487 *timeout = IPSET_ELEM_PERMANENT; 488 return; 489 } 490 491 t = msecs_to_jiffies(value * MSEC_PER_SEC) + jiffies; 492 if (t == IPSET_ELEM_PERMANENT) 493 /* Bingo! :-) */ 494 t--; 495 *timeout = t; 496 } 497 498 void ip_set_init_comment(struct ip_set *set, struct ip_set_comment *comment, 499 const struct ip_set_ext *ext); 500 501 static inline void ip_set_init_counter(struct ip_set_counter * counter,const struct ip_set_ext * ext)502 ip_set_init_counter(struct ip_set_counter *counter, 503 const struct ip_set_ext *ext) 504 { 505 if (ext->bytes != ULLONG_MAX) 506 atomic64_set(&(counter)->bytes, (long long)(ext->bytes)); 507 if (ext->packets != ULLONG_MAX) 508 atomic64_set(&(counter)->packets, (long long)(ext->packets)); 509 } 510 511 static inline void ip_set_init_skbinfo(struct ip_set_skbinfo * skbinfo,const struct ip_set_ext * ext)512 ip_set_init_skbinfo(struct ip_set_skbinfo *skbinfo, 513 const struct ip_set_ext *ext) 514 { 515 *skbinfo = ext->skbinfo; 516 } 517 518 #define IP_SET_INIT_KEXT(skb, opt, set) \ 519 { .bytes = (skb)->len, .packets = 1, .target = true,\ 520 .timeout = ip_set_adt_opt_timeout(opt, set) } 521 522 #define IP_SET_INIT_UEXT(set) \ 523 { .bytes = ULLONG_MAX, .packets = ULLONG_MAX, \ 524 .timeout = (set)->timeout } 525 526 #define IPSET_CONCAT(a, b) a##b 527 #define IPSET_TOKEN(a, b) IPSET_CONCAT(a, b) 528 529 #endif /*_IP_SET_H */ 530
