Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ip_set_core.c
Go to the documentation of this file.
1 /* Copyright (C) 2000-2002 Joakim Axelsson <[email protected]>
2  * Patrick Schaaf <[email protected]>
3  * Copyright (C) 2003-2011 Jozsef Kadlecsik <[email protected]>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  */
9 
10 /* Kernel module for IP set management */
11 
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/moduleparam.h>
15 #include <linux/ip.h>
16 #include <linux/skbuff.h>
17 #include <linux/spinlock.h>
18 #include <linux/netlink.h>
19 #include <linux/rculist.h>
20 #include <net/netlink.h>
21 
22 #include <linux/netfilter.h>
23 #include <linux/netfilter/x_tables.h>
24 #include <linux/netfilter/nfnetlink.h>
25 #include <linux/netfilter/ipset/ip_set.h>
26 
27 static LIST_HEAD(ip_set_type_list); /* all registered set types */
28 static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */
29 static DEFINE_RWLOCK(ip_set_ref_lock); /* protects the set refs */
30 
31 static struct ip_set **ip_set_list; /* all individual sets */
32 static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */
33 
34 #define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
35 
36 static unsigned int max_sets;
37 
38 module_param(max_sets, int, 0600);
39 MODULE_PARM_DESC(max_sets, "maximal number of sets");
40 MODULE_LICENSE("GPL");
41 MODULE_AUTHOR("Jozsef Kadlecsik <[email protected]>");
42 MODULE_DESCRIPTION("core IP set support");
43 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
44 
45 /*
46  * The set types are implemented in modules and registered set types
47  * can be found in ip_set_type_list. Adding/deleting types is
48  * serialized by ip_set_type_mutex.
49  */
50 
51 static inline void
52 ip_set_type_lock(void)
53 {
54  mutex_lock(&ip_set_type_mutex);
55 }
56 
57 static inline void
58 ip_set_type_unlock(void)
59 {
60  mutex_unlock(&ip_set_type_mutex);
61 }
62 
63 /* Register and deregister settype */
64 
65 static struct ip_set_type *
66 find_set_type(const char *name, u8 family, u8 revision)
67 {
68  struct ip_set_type *type;
69 
70  list_for_each_entry_rcu(type, &ip_set_type_list, list)
71  if (STREQ(type->name, name) &&
72  (type->family == family ||
73  type->family == NFPROTO_UNSPEC) &&
74  revision >= type->revision_min &&
75  revision <= type->revision_max)
76  return type;
77  return NULL;
78 }
79 
80 /* Unlock, try to load a set type module and lock again */
81 static bool
82 load_settype(const char *name)
83 {
84  nfnl_unlock();
85  pr_debug("try to load ip_set_%s\n", name);
86  if (request_module("ip_set_%s", name) < 0) {
87  pr_warning("Can't find ip_set type %s\n", name);
88  nfnl_lock();
89  return false;
90  }
91  nfnl_lock();
92  return true;
93 }
94 
95 /* Find a set type and reference it */
96 #define find_set_type_get(name, family, revision, found) \
97  __find_set_type_get(name, family, revision, found, false)
98 
99 static int
100 __find_set_type_get(const char *name, u8 family, u8 revision,
101  struct ip_set_type **found, bool retry)
102 {
103  struct ip_set_type *type;
104  int err;
105 
106  if (retry && !load_settype(name))
107  return -IPSET_ERR_FIND_TYPE;
108 
109  rcu_read_lock();
110  *found = find_set_type(name, family, revision);
111  if (*found) {
112  err = !try_module_get((*found)->me) ? -EFAULT : 0;
113  goto unlock;
114  }
115  /* Make sure the type is already loaded
116  * but we don't support the revision */
117  list_for_each_entry_rcu(type, &ip_set_type_list, list)
118  if (STREQ(type->name, name)) {
119  err = -IPSET_ERR_FIND_TYPE;
120  goto unlock;
121  }
122  rcu_read_unlock();
123 
124  return retry ? -IPSET_ERR_FIND_TYPE :
125  __find_set_type_get(name, family, revision, found, true);
126 
127 unlock:
128  rcu_read_unlock();
129  return err;
130 }
131 
132 /* Find a given set type by name and family.
133  * If we succeeded, the supported minimal and maximum revisions are
134  * filled out.
135  */
136 #define find_set_type_minmax(name, family, min, max) \
137  __find_set_type_minmax(name, family, min, max, false)
138 
139 static int
140 __find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max,
141  bool retry)
142 {
143  struct ip_set_type *type;
144  bool found = false;
145 
146  if (retry && !load_settype(name))
147  return -IPSET_ERR_FIND_TYPE;
148 
149  *min = 255; *max = 0;
150  rcu_read_lock();
151  list_for_each_entry_rcu(type, &ip_set_type_list, list)
152  if (STREQ(type->name, name) &&
153  (type->family == family ||
154  type->family == NFPROTO_UNSPEC)) {
155  found = true;
156  if (type->revision_min < *min)
157  *min = type->revision_min;
158  if (type->revision_max > *max)
159  *max = type->revision_max;
160  }
161  rcu_read_unlock();
162  if (found)
163  return 0;
164 
165  return retry ? -IPSET_ERR_FIND_TYPE :
166  __find_set_type_minmax(name, family, min, max, true);
167 }
168 
169 #define family_name(f) ((f) == NFPROTO_IPV4 ? "inet" : \
170  (f) == NFPROTO_IPV6 ? "inet6" : "any")
171 
172 /* Register a set type structure. The type is identified by
173  * the unique triple of name, family and revision.
174  */
175 int
176 ip_set_type_register(struct ip_set_type *type)
177 {
178  int ret = 0;
179 
180  if (type->protocol != IPSET_PROTOCOL) {
181  pr_warning("ip_set type %s, family %s, revision %u:%u uses "
182  "wrong protocol version %u (want %u)\n",
183  type->name, family_name(type->family),
184  type->revision_min, type->revision_max,
185  type->protocol, IPSET_PROTOCOL);
186  return -EINVAL;
187  }
188 
189  ip_set_type_lock();
190  if (find_set_type(type->name, type->family, type->revision_min)) {
191  /* Duplicate! */
192  pr_warning("ip_set type %s, family %s with revision min %u "
193  "already registered!\n", type->name,
194  family_name(type->family), type->revision_min);
195  ret = -EINVAL;
196  goto unlock;
197  }
198  list_add_rcu(&type->list, &ip_set_type_list);
199  pr_debug("type %s, family %s, revision %u:%u registered.\n",
200  type->name, family_name(type->family),
201  type->revision_min, type->revision_max);
202 unlock:
203  ip_set_type_unlock();
204  return ret;
205 }
206 EXPORT_SYMBOL_GPL(ip_set_type_register);
207 
208 /* Unregister a set type. There's a small race with ip_set_create */
209 void
210 ip_set_type_unregister(struct ip_set_type *type)
211 {
212  ip_set_type_lock();
213  if (!find_set_type(type->name, type->family, type->revision_min)) {
214  pr_warning("ip_set type %s, family %s with revision min %u "
215  "not registered\n", type->name,
216  family_name(type->family), type->revision_min);
217  goto unlock;
218  }
219  list_del_rcu(&type->list);
220  pr_debug("type %s, family %s with revision min %u unregistered.\n",
221  type->name, family_name(type->family), type->revision_min);
222 unlock:
223  ip_set_type_unlock();
224 
225  synchronize_rcu();
226 }
227 EXPORT_SYMBOL_GPL(ip_set_type_unregister);
228 
229 /* Utility functions */
230 void *
231 ip_set_alloc(size_t size)
232 {
233  void *members = NULL;
234 
235  if (size < KMALLOC_MAX_SIZE)
236  members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
237 
238  if (members) {
239  pr_debug("%p: allocated with kmalloc\n", members);
240  return members;
241  }
242 
243  members = vzalloc(size);
244  if (!members)
245  return NULL;
246  pr_debug("%p: allocated with vmalloc\n", members);
247 
248  return members;
249 }
250 EXPORT_SYMBOL_GPL(ip_set_alloc);
251 
252 void
253 ip_set_free(void *members)
254 {
255  pr_debug("%p: free with %s\n", members,
256  is_vmalloc_addr(members) ? "vfree" : "kfree");
257  if (is_vmalloc_addr(members))
258  vfree(members);
259  else
260  kfree(members);
261 }
262 EXPORT_SYMBOL_GPL(ip_set_free);
263 
264 static inline bool
265 flag_nested(const struct nlattr *nla)
266 {
267  return nla->nla_type & NLA_F_NESTED;
268 }
269 
270 static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
271  [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 },
272  [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY,
273  .len = sizeof(struct in6_addr) },
274 };
275 
276 int
277 ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr)
278 {
279  struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
280 
281  if (unlikely(!flag_nested(nla)))
282  return -IPSET_ERR_PROTOCOL;
283  if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
284  return -IPSET_ERR_PROTOCOL;
285  if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4)))
286  return -IPSET_ERR_PROTOCOL;
287 
288  *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]);
289  return 0;
290 }
291 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4);
292 
293 int
294 ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
295 {
296  struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
297 
298  if (unlikely(!flag_nested(nla)))
299  return -IPSET_ERR_PROTOCOL;
300 
301  if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
302  return -IPSET_ERR_PROTOCOL;
303  if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6)))
304  return -IPSET_ERR_PROTOCOL;
305 
306  memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]),
307  sizeof(struct in6_addr));
308  return 0;
309 }
310 EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
311 
312 /*
313  * Creating/destroying/renaming/swapping affect the existence and
314  * the properties of a set. All of these can be executed from userspace
315  * only and serialized by the nfnl mutex indirectly from nfnetlink.
316  *
317  * Sets are identified by their index in ip_set_list and the index
318  * is used by the external references (set/SET netfilter modules).
319  *
320  * The set behind an index may change by swapping only, from userspace.
321  */
322 
323 static inline void
324 __ip_set_get(ip_set_id_t index)
325 {
326  write_lock_bh(&ip_set_ref_lock);
327  ip_set_list[index]->ref++;
328  write_unlock_bh(&ip_set_ref_lock);
329 }
330 
331 static inline void
332 __ip_set_put(ip_set_id_t index)
333 {
334  write_lock_bh(&ip_set_ref_lock);
335  BUG_ON(ip_set_list[index]->ref == 0);
336  ip_set_list[index]->ref--;
337  write_unlock_bh(&ip_set_ref_lock);
338 }
339 
340 /*
341  * Add, del and test set entries from kernel.
342  *
343  * The set behind the index must exist and must be referenced
344  * so it can't be destroyed (or changed) under our foot.
345  */
346 
347 int
348 ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
349  const struct xt_action_param *par,
350  const struct ip_set_adt_opt *opt)
351 {
352  struct ip_set *set = ip_set_list[index];
353  int ret = 0;
354 
355  BUG_ON(set == NULL);
356  pr_debug("set %s, index %u\n", set->name, index);
357 
358  if (opt->dim < set->type->dimension ||
359  !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
360  return 0;
361 
362  read_lock_bh(&set->lock);
363  ret = set->variant->kadt(set, skb, par, IPSET_TEST, opt);
364  read_unlock_bh(&set->lock);
365 
366  if (ret == -EAGAIN) {
367  /* Type requests element to be completed */
368  pr_debug("element must be competed, ADD is triggered\n");
369  write_lock_bh(&set->lock);
370  set->variant->kadt(set, skb, par, IPSET_ADD, opt);
371  write_unlock_bh(&set->lock);
372  ret = 1;
373  } else {
374  /* --return-nomatch: invert matched element */
375  if ((opt->flags & IPSET_RETURN_NOMATCH) &&
376  (set->type->features & IPSET_TYPE_NOMATCH) &&
377  (ret > 0 || ret == -ENOTEMPTY))
378  ret = -ret;
379  }
380 
381  /* Convert error codes to nomatch */
382  return (ret < 0 ? 0 : ret);
383 }
384 EXPORT_SYMBOL_GPL(ip_set_test);
385 
386 int
387 ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
388  const struct xt_action_param *par,
389  const struct ip_set_adt_opt *opt)
390 {
391  struct ip_set *set = ip_set_list[index];
392  int ret;
393 
394  BUG_ON(set == NULL);
395  pr_debug("set %s, index %u\n", set->name, index);
396 
397  if (opt->dim < set->type->dimension ||
398  !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
399  return 0;
400 
401  write_lock_bh(&set->lock);
402  ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt);
403  write_unlock_bh(&set->lock);
404 
405  return ret;
406 }
407 EXPORT_SYMBOL_GPL(ip_set_add);
408 
409 int
410 ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
411  const struct xt_action_param *par,
412  const struct ip_set_adt_opt *opt)
413 {
414  struct ip_set *set = ip_set_list[index];
415  int ret = 0;
416 
417  BUG_ON(set == NULL);
418  pr_debug("set %s, index %u\n", set->name, index);
419 
420  if (opt->dim < set->type->dimension ||
421  !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
422  return 0;
423 
424  write_lock_bh(&set->lock);
425  ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt);
426  write_unlock_bh(&set->lock);
427 
428  return ret;
429 }
430 EXPORT_SYMBOL_GPL(ip_set_del);
431 
432 /*
433  * Find set by name, reference it once. The reference makes sure the
434  * thing pointed to, does not go away under our feet.
435  *
436  */
437 ip_set_id_t
438 ip_set_get_byname(const char *name, struct ip_set **set)
439 {
440  ip_set_id_t i, index = IPSET_INVALID_ID;
441  struct ip_set *s;
442 
443  for (i = 0; i < ip_set_max; i++) {
444  s = ip_set_list[i];
445  if (s != NULL && STREQ(s->name, name)) {
446  __ip_set_get(i);
447  index = i;
448  *set = s;
449  }
450  }
451 
452  return index;
453 }
454 EXPORT_SYMBOL_GPL(ip_set_get_byname);
455 
456 /*
457  * If the given set pointer points to a valid set, decrement
458  * reference count by 1. The caller shall not assume the index
459  * to be valid, after calling this function.
460  *
461  */
462 void
463 ip_set_put_byindex(ip_set_id_t index)
464 {
465  if (ip_set_list[index] != NULL)
466  __ip_set_put(index);
467 }
468 EXPORT_SYMBOL_GPL(ip_set_put_byindex);
469 
470 /*
471  * Get the name of a set behind a set index.
472  * We assume the set is referenced, so it does exist and
473  * can't be destroyed. The set cannot be renamed due to
474  * the referencing either.
475  *
476  */
477 const char *
478 ip_set_name_byindex(ip_set_id_t index)
479 {
480  const struct ip_set *set = ip_set_list[index];
481 
482  BUG_ON(set == NULL);
483  BUG_ON(set->ref == 0);
484 
485  /* Referenced, so it's safe */
486  return set->name;
487 }
488 EXPORT_SYMBOL_GPL(ip_set_name_byindex);
489 
490 /*
491  * Routines to call by external subsystems, which do not
492  * call nfnl_lock for us.
493  */
494 
495 /*
496  * Find set by name, reference it once. The reference makes sure the
497  * thing pointed to, does not go away under our feet.
498  *
499  * The nfnl mutex is used in the function.
500  */
501 ip_set_id_t
502 ip_set_nfnl_get(const char *name)
503 {
504  struct ip_set *s;
505  ip_set_id_t index;
506 
507  nfnl_lock();
508  index = ip_set_get_byname(name, &s);
509  nfnl_unlock();
510 
511  return index;
512 }
513 EXPORT_SYMBOL_GPL(ip_set_nfnl_get);
514 
515 /*
516  * Find set by index, reference it once. The reference makes sure the
517  * thing pointed to, does not go away under our feet.
518  *
519  * The nfnl mutex is used in the function.
520  */
521 ip_set_id_t
522 ip_set_nfnl_get_byindex(ip_set_id_t index)
523 {
524  if (index > ip_set_max)
525  return IPSET_INVALID_ID;
526 
527  nfnl_lock();
528  if (ip_set_list[index])
529  __ip_set_get(index);
530  else
531  index = IPSET_INVALID_ID;
532  nfnl_unlock();
533 
534  return index;
535 }
536 EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex);
537 
538 /*
539  * If the given set pointer points to a valid set, decrement
540  * reference count by 1. The caller shall not assume the index
541  * to be valid, after calling this function.
542  *
543  * The nfnl mutex is used in the function.
544  */
545 void
546 ip_set_nfnl_put(ip_set_id_t index)
547 {
548  nfnl_lock();
549  ip_set_put_byindex(index);
550  nfnl_unlock();
551 }
552 EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
553 
554 /*
555  * Communication protocol with userspace over netlink.
556  *
557  * The commands are serialized by the nfnl mutex.
558  */
559 
560 static inline bool
561 protocol_failed(const struct nlattr * const tb[])
562 {
563  return !tb[IPSET_ATTR_PROTOCOL] ||
564  nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL;
565 }
566 
567 static inline u32
568 flag_exist(const struct nlmsghdr *nlh)
569 {
570  return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST;
571 }
572 
573 static struct nlmsghdr *
574 start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags,
575  enum ipset_cmd cmd)
576 {
577  struct nlmsghdr *nlh;
578  struct nfgenmsg *nfmsg;
579 
580  nlh = nlmsg_put(skb, portid, seq, cmd | (NFNL_SUBSYS_IPSET << 8),
581  sizeof(*nfmsg), flags);
582  if (nlh == NULL)
583  return NULL;
584 
585  nfmsg = nlmsg_data(nlh);
586  nfmsg->nfgen_family = NFPROTO_IPV4;
587  nfmsg->version = NFNETLINK_V0;
588  nfmsg->res_id = 0;
589 
590  return nlh;
591 }
592 
593 /* Create a set */
594 
595 static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = {
596  [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
597  [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
598  .len = IPSET_MAXNAMELEN - 1 },
599  [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
600  .len = IPSET_MAXNAMELEN - 1},
601  [IPSET_ATTR_REVISION] = { .type = NLA_U8 },
602  [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
603  [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
604 };
605 
606 static ip_set_id_t
607 find_set_id(const char *name)
608 {
609  ip_set_id_t i, index = IPSET_INVALID_ID;
610  const struct ip_set *set;
611 
612  for (i = 0; index == IPSET_INVALID_ID && i < ip_set_max; i++) {
613  set = ip_set_list[i];
614  if (set != NULL && STREQ(set->name, name))
615  index = i;
616  }
617  return index;
618 }
619 
620 static inline struct ip_set *
621 find_set(const char *name)
622 {
623  ip_set_id_t index = find_set_id(name);
624 
625  return index == IPSET_INVALID_ID ? NULL : ip_set_list[index];
626 }
627 
628 static int
629 find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set)
630 {
631  ip_set_id_t i;
632 
633  *index = IPSET_INVALID_ID;
634  for (i = 0; i < ip_set_max; i++) {
635  if (ip_set_list[i] == NULL) {
636  if (*index == IPSET_INVALID_ID)
637  *index = i;
638  } else if (STREQ(name, ip_set_list[i]->name)) {
639  /* Name clash */
640  *set = ip_set_list[i];
641  return -EEXIST;
642  }
643  }
644  if (*index == IPSET_INVALID_ID)
645  /* No free slot remained */
646  return -IPSET_ERR_MAX_SETS;
647  return 0;
648 }
649 
650 static int
651 ip_set_none(struct sock *ctnl, struct sk_buff *skb,
652  const struct nlmsghdr *nlh,
653  const struct nlattr * const attr[])
654 {
655  return -EOPNOTSUPP;
656 }
657 
658 static int
659 ip_set_create(struct sock *ctnl, struct sk_buff *skb,
660  const struct nlmsghdr *nlh,
661  const struct nlattr * const attr[])
662 {
663  struct ip_set *set, *clash = NULL;
664  ip_set_id_t index = IPSET_INVALID_ID;
665  struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {};
666  const char *name, *typename;
667  u8 family, revision;
668  u32 flags = flag_exist(nlh);
669  int ret = 0;
670 
671  if (unlikely(protocol_failed(attr) ||
672  attr[IPSET_ATTR_SETNAME] == NULL ||
673  attr[IPSET_ATTR_TYPENAME] == NULL ||
674  attr[IPSET_ATTR_REVISION] == NULL ||
675  attr[IPSET_ATTR_FAMILY] == NULL ||
676  (attr[IPSET_ATTR_DATA] != NULL &&
677  !flag_nested(attr[IPSET_ATTR_DATA]))))
678  return -IPSET_ERR_PROTOCOL;
679 
680  name = nla_data(attr[IPSET_ATTR_SETNAME]);
681  typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
682  family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
683  revision = nla_get_u8(attr[IPSET_ATTR_REVISION]);
684  pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
685  name, typename, family_name(family), revision);
686 
687  /*
688  * First, and without any locks, allocate and initialize
689  * a normal base set structure.
690  */
691  set = kzalloc(sizeof(struct ip_set), GFP_KERNEL);
692  if (!set)
693  return -ENOMEM;
694  rwlock_init(&set->lock);
695  strlcpy(set->name, name, IPSET_MAXNAMELEN);
696  set->family = family;
697  set->revision = revision;
698 
699  /*
700  * Next, check that we know the type, and take
701  * a reference on the type, to make sure it stays available
702  * while constructing our new set.
703  *
704  * After referencing the type, we try to create the type
705  * specific part of the set without holding any locks.
706  */
707  ret = find_set_type_get(typename, family, revision, &(set->type));
708  if (ret)
709  goto out;
710 
711  /*
712  * Without holding any locks, create private part.
713  */
714  if (attr[IPSET_ATTR_DATA] &&
715  nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA],
716  set->type->create_policy)) {
717  ret = -IPSET_ERR_PROTOCOL;
718  goto put_out;
719  }
720 
721  ret = set->type->create(set, tb, flags);
722  if (ret != 0)
723  goto put_out;
724 
725  /* BTW, ret==0 here. */
726 
727  /*
728  * Here, we have a valid, constructed set and we are protected
729  * by the nfnl mutex. Find the first free index in ip_set_list
730  * and check clashing.
731  */
732  ret = find_free_id(set->name, &index, &clash);
733  if (ret != 0) {
734  /* If this is the same set and requested, ignore error */
735  if (ret == -EEXIST &&
736  (flags & IPSET_FLAG_EXIST) &&
737  STREQ(set->type->name, clash->type->name) &&
738  set->type->family == clash->type->family &&
739  set->type->revision_min == clash->type->revision_min &&
740  set->type->revision_max == clash->type->revision_max &&
741  set->variant->same_set(set, clash))
742  ret = 0;
743  goto cleanup;
744  }
745 
746  /*
747  * Finally! Add our shiny new set to the list, and be done.
748  */
749  pr_debug("create: '%s' created with index %u!\n", set->name, index);
750  ip_set_list[index] = set;
751 
752  return ret;
753 
754 cleanup:
755  set->variant->destroy(set);
756 put_out:
757  module_put(set->type->me);
758 out:
759  kfree(set);
760  return ret;
761 }
762 
763 /* Destroy sets */
764 
765 static const struct nla_policy
766 ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
767  [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
768  [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
769  .len = IPSET_MAXNAMELEN - 1 },
770 };
771 
772 static void
773 ip_set_destroy_set(ip_set_id_t index)
774 {
775  struct ip_set *set = ip_set_list[index];
776 
777  pr_debug("set: %s\n", set->name);
778  ip_set_list[index] = NULL;
779 
780  /* Must call it without holding any lock */
781  set->variant->destroy(set);
782  module_put(set->type->me);
783  kfree(set);
784 }
785 
786 static int
787 ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
788  const struct nlmsghdr *nlh,
789  const struct nlattr * const attr[])
790 {
791  ip_set_id_t i;
792  int ret = 0;
793 
794  if (unlikely(protocol_failed(attr)))
795  return -IPSET_ERR_PROTOCOL;
796 
797  /* Commands are serialized and references are
798  * protected by the ip_set_ref_lock.
799  * External systems (i.e. xt_set) must call
800  * ip_set_put|get_nfnl_* functions, that way we
801  * can safely check references here.
802  *
803  * list:set timer can only decrement the reference
804  * counter, so if it's already zero, we can proceed
805  * without holding the lock.
806  */
807  read_lock_bh(&ip_set_ref_lock);
808  if (!attr[IPSET_ATTR_SETNAME]) {
809  for (i = 0; i < ip_set_max; i++) {
810  if (ip_set_list[i] != NULL && ip_set_list[i]->ref) {
811  ret = -IPSET_ERR_BUSY;
812  goto out;
813  }
814  }
815  read_unlock_bh(&ip_set_ref_lock);
816  for (i = 0; i < ip_set_max; i++) {
817  if (ip_set_list[i] != NULL)
818  ip_set_destroy_set(i);
819  }
820  } else {
821  i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
822  if (i == IPSET_INVALID_ID) {
823  ret = -ENOENT;
824  goto out;
825  } else if (ip_set_list[i]->ref) {
826  ret = -IPSET_ERR_BUSY;
827  goto out;
828  }
829  read_unlock_bh(&ip_set_ref_lock);
830 
831  ip_set_destroy_set(i);
832  }
833  return 0;
834 out:
835  read_unlock_bh(&ip_set_ref_lock);
836  return ret;
837 }
838 
839 /* Flush sets */
840 
841 static void
842 ip_set_flush_set(struct ip_set *set)
843 {
844  pr_debug("set: %s\n", set->name);
845 
846  write_lock_bh(&set->lock);
847  set->variant->flush(set);
848  write_unlock_bh(&set->lock);
849 }
850 
851 static int
852 ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
853  const struct nlmsghdr *nlh,
854  const struct nlattr * const attr[])
855 {
856  ip_set_id_t i;
857 
858  if (unlikely(protocol_failed(attr)))
859  return -IPSET_ERR_PROTOCOL;
860 
861  if (!attr[IPSET_ATTR_SETNAME]) {
862  for (i = 0; i < ip_set_max; i++)
863  if (ip_set_list[i] != NULL)
864  ip_set_flush_set(ip_set_list[i]);
865  } else {
866  i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
867  if (i == IPSET_INVALID_ID)
868  return -ENOENT;
869 
870  ip_set_flush_set(ip_set_list[i]);
871  }
872 
873  return 0;
874 }
875 
876 /* Rename a set */
877 
878 static const struct nla_policy
879 ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = {
880  [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
881  [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
882  .len = IPSET_MAXNAMELEN - 1 },
883  [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING,
884  .len = IPSET_MAXNAMELEN - 1 },
885 };
886 
887 static int
888 ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
889  const struct nlmsghdr *nlh,
890  const struct nlattr * const attr[])
891 {
892  struct ip_set *set;
893  const char *name2;
894  ip_set_id_t i;
895  int ret = 0;
896 
897  if (unlikely(protocol_failed(attr) ||
898  attr[IPSET_ATTR_SETNAME] == NULL ||
899  attr[IPSET_ATTR_SETNAME2] == NULL))
900  return -IPSET_ERR_PROTOCOL;
901 
902  set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
903  if (set == NULL)
904  return -ENOENT;
905 
906  read_lock_bh(&ip_set_ref_lock);
907  if (set->ref != 0) {
908  ret = -IPSET_ERR_REFERENCED;
909  goto out;
910  }
911 
912  name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
913  for (i = 0; i < ip_set_max; i++) {
914  if (ip_set_list[i] != NULL &&
915  STREQ(ip_set_list[i]->name, name2)) {
916  ret = -IPSET_ERR_EXIST_SETNAME2;
917  goto out;
918  }
919  }
920  strncpy(set->name, name2, IPSET_MAXNAMELEN);
921 
922 out:
923  read_unlock_bh(&ip_set_ref_lock);
924  return ret;
925 }
926 
927 /* Swap two sets so that name/index points to the other.
928  * References and set names are also swapped.
929  *
930  * The commands are serialized by the nfnl mutex and references are
931  * protected by the ip_set_ref_lock. The kernel interfaces
932  * do not hold the mutex but the pointer settings are atomic
933  * so the ip_set_list always contains valid pointers to the sets.
934  */
935 
936 static int
937 ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
938  const struct nlmsghdr *nlh,
939  const struct nlattr * const attr[])
940 {
941  struct ip_set *from, *to;
942  ip_set_id_t from_id, to_id;
943  char from_name[IPSET_MAXNAMELEN];
944 
945  if (unlikely(protocol_failed(attr) ||
946  attr[IPSET_ATTR_SETNAME] == NULL ||
947  attr[IPSET_ATTR_SETNAME2] == NULL))
948  return -IPSET_ERR_PROTOCOL;
949 
950  from_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
951  if (from_id == IPSET_INVALID_ID)
952  return -ENOENT;
953 
954  to_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME2]));
955  if (to_id == IPSET_INVALID_ID)
956  return -IPSET_ERR_EXIST_SETNAME2;
957 
958  from = ip_set_list[from_id];
959  to = ip_set_list[to_id];
960 
961  /* Features must not change.
962  * Not an artificial restriction anymore, as we must prevent
963  * possible loops created by swapping in setlist type of sets. */
964  if (!(from->type->features == to->type->features &&
965  from->type->family == to->type->family))
966  return -IPSET_ERR_TYPE_MISMATCH;
967 
968  strncpy(from_name, from->name, IPSET_MAXNAMELEN);
969  strncpy(from->name, to->name, IPSET_MAXNAMELEN);
970  strncpy(to->name, from_name, IPSET_MAXNAMELEN);
971 
972  write_lock_bh(&ip_set_ref_lock);
973  swap(from->ref, to->ref);
974  ip_set_list[from_id] = to;
975  ip_set_list[to_id] = from;
976  write_unlock_bh(&ip_set_ref_lock);
977 
978  return 0;
979 }
980 
981 /* List/save set data */
982 
983 #define DUMP_INIT 0
984 #define DUMP_ALL 1
985 #define DUMP_ONE 2
986 #define DUMP_LAST 3
987 
988 #define DUMP_TYPE(arg) (((u32)(arg)) & 0x0000FFFF)
989 #define DUMP_FLAGS(arg) (((u32)(arg)) >> 16)
990 
991 static int
992 ip_set_dump_done(struct netlink_callback *cb)
993 {
994  if (cb->args[2]) {
995  pr_debug("release set %s\n", ip_set_list[cb->args[1]]->name);
996  ip_set_put_byindex((ip_set_id_t) cb->args[1]);
997  }
998  return 0;
999 }
1000 
1001 static inline void
1002 dump_attrs(struct nlmsghdr *nlh)
1003 {
1004  const struct nlattr *attr;
1005  int rem;
1006 
1007  pr_debug("dump nlmsg\n");
1008  nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) {
1009  pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len);
1010  }
1011 }
1012 
1013 static int
1014 dump_init(struct netlink_callback *cb)
1015 {
1016  struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
1017  int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
1018  struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1019  struct nlattr *attr = (void *)nlh + min_len;
1020  u32 dump_type;
1021  ip_set_id_t index;
1022 
1023  /* Second pass, so parser can't fail */
1024  nla_parse(cda, IPSET_ATTR_CMD_MAX,
1025  attr, nlh->nlmsg_len - min_len, ip_set_setname_policy);
1026 
1027  /* cb->args[0] : dump single set/all sets
1028  * [1] : set index
1029  * [..]: type specific
1030  */
1031 
1032  if (cda[IPSET_ATTR_SETNAME]) {
1033  index = find_set_id(nla_data(cda[IPSET_ATTR_SETNAME]));
1034  if (index == IPSET_INVALID_ID)
1035  return -ENOENT;
1036 
1037  dump_type = DUMP_ONE;
1038  cb->args[1] = index;
1039  } else
1040  dump_type = DUMP_ALL;
1041 
1042  if (cda[IPSET_ATTR_FLAGS]) {
1043  u32 f = ip_set_get_h32(cda[IPSET_ATTR_FLAGS]);
1044  dump_type |= (f << 16);
1045  }
1046  cb->args[0] = dump_type;
1047 
1048  return 0;
1049 }
1050 
1051 static int
1052 ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
1053 {
1054  ip_set_id_t index = IPSET_INVALID_ID, max;
1055  struct ip_set *set = NULL;
1056  struct nlmsghdr *nlh = NULL;
1057  unsigned int flags = NETLINK_CB(cb->skb).portid ? NLM_F_MULTI : 0;
1058  u32 dump_type, dump_flags;
1059  int ret = 0;
1060 
1061  if (!cb->args[0]) {
1062  ret = dump_init(cb);
1063  if (ret < 0) {
1064  nlh = nlmsg_hdr(cb->skb);
1065  /* We have to create and send the error message
1066  * manually :-( */
1067  if (nlh->nlmsg_flags & NLM_F_ACK)
1068  netlink_ack(cb->skb, nlh, ret);
1069  return ret;
1070  }
1071  }
1072 
1073  if (cb->args[1] >= ip_set_max)
1074  goto out;
1075 
1076  dump_type = DUMP_TYPE(cb->args[0]);
1077  dump_flags = DUMP_FLAGS(cb->args[0]);
1078  max = dump_type == DUMP_ONE ? cb->args[1] + 1 : ip_set_max;
1079 dump_last:
1080  pr_debug("args[0]: %u %u args[1]: %ld\n",
1081  dump_type, dump_flags, cb->args[1]);
1082  for (; cb->args[1] < max; cb->args[1]++) {
1083  index = (ip_set_id_t) cb->args[1];
1084  set = ip_set_list[index];
1085  if (set == NULL) {
1086  if (dump_type == DUMP_ONE) {
1087  ret = -ENOENT;
1088  goto out;
1089  }
1090  continue;
1091  }
1092  /* When dumping all sets, we must dump "sorted"
1093  * so that lists (unions of sets) are dumped last.
1094  */
1095  if (dump_type != DUMP_ONE &&
1096  ((dump_type == DUMP_ALL) ==
1097  !!(set->type->features & IPSET_DUMP_LAST)))
1098  continue;
1099  pr_debug("List set: %s\n", set->name);
1100  if (!cb->args[2]) {
1101  /* Start listing: make sure set won't be destroyed */
1102  pr_debug("reference set\n");
1103  __ip_set_get(index);
1104  }
1105  nlh = start_msg(skb, NETLINK_CB(cb->skb).portid,
1106  cb->nlh->nlmsg_seq, flags,
1107  IPSET_CMD_LIST);
1108  if (!nlh) {
1109  ret = -EMSGSIZE;
1110  goto release_refcount;
1111  }
1112  if (nla_put_u8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1113  nla_put_string(skb, IPSET_ATTR_SETNAME, set->name))
1114  goto nla_put_failure;
1115  if (dump_flags & IPSET_FLAG_LIST_SETNAME)
1116  goto next_set;
1117  switch (cb->args[2]) {
1118  case 0:
1119  /* Core header data */
1120  if (nla_put_string(skb, IPSET_ATTR_TYPENAME,
1121  set->type->name) ||
1122  nla_put_u8(skb, IPSET_ATTR_FAMILY,
1123  set->family) ||
1124  nla_put_u8(skb, IPSET_ATTR_REVISION,
1125  set->revision))
1126  goto nla_put_failure;
1127  ret = set->variant->head(set, skb);
1128  if (ret < 0)
1129  goto release_refcount;
1130  if (dump_flags & IPSET_FLAG_LIST_HEADER)
1131  goto next_set;
1132  /* Fall through and add elements */
1133  default:
1134  read_lock_bh(&set->lock);
1135  ret = set->variant->list(set, skb, cb);
1136  read_unlock_bh(&set->lock);
1137  if (!cb->args[2])
1138  /* Set is done, proceed with next one */
1139  goto next_set;
1140  goto release_refcount;
1141  }
1142  }
1143  /* If we dump all sets, continue with dumping last ones */
1144  if (dump_type == DUMP_ALL) {
1145  dump_type = DUMP_LAST;
1146  cb->args[0] = dump_type | (dump_flags << 16);
1147  cb->args[1] = 0;
1148  goto dump_last;
1149  }
1150  goto out;
1151 
1152 nla_put_failure:
1153  ret = -EFAULT;
1154 next_set:
1155  if (dump_type == DUMP_ONE)
1156  cb->args[1] = IPSET_INVALID_ID;
1157  else
1158  cb->args[1]++;
1159 release_refcount:
1160  /* If there was an error or set is done, release set */
1161  if (ret || !cb->args[2]) {
1162  pr_debug("release set %s\n", ip_set_list[index]->name);
1163  ip_set_put_byindex(index);
1164  cb->args[2] = 0;
1165  }
1166 out:
1167  if (nlh) {
1168  nlmsg_end(skb, nlh);
1169  pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len);
1170  dump_attrs(nlh);
1171  }
1172 
1173  return ret < 0 ? ret : skb->len;
1174 }
1175 
1176 static int
1177 ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
1178  const struct nlmsghdr *nlh,
1179  const struct nlattr * const attr[])
1180 {
1181  if (unlikely(protocol_failed(attr)))
1182  return -IPSET_ERR_PROTOCOL;
1183 
1184  {
1185  struct netlink_dump_control c = {
1186  .dump = ip_set_dump_start,
1187  .done = ip_set_dump_done,
1188  };
1189  return netlink_dump_start(ctnl, skb, nlh, &c);
1190  }
1191 }
1192 
1193 /* Add, del and test */
1194 
1195 static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
1196  [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1197  [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1198  .len = IPSET_MAXNAMELEN - 1 },
1199  [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
1200  [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
1201  [IPSET_ATTR_ADT] = { .type = NLA_NESTED },
1202 };
1203 
1204 static int
1205 call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
1206  struct nlattr *tb[], enum ipset_adt adt,
1207  u32 flags, bool use_lineno)
1208 {
1209  int ret;
1210  u32 lineno = 0;
1211  bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
1212 
1213  do {
1214  write_lock_bh(&set->lock);
1215  ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
1216  write_unlock_bh(&set->lock);
1217  retried = true;
1218  } while (ret == -EAGAIN &&
1219  set->variant->resize &&
1220  (ret = set->variant->resize(set, retried)) == 0);
1221 
1222  if (!ret || (ret == -IPSET_ERR_EXIST && eexist))
1223  return 0;
1224  if (lineno && use_lineno) {
1225  /* Error in restore/batch mode: send back lineno */
1226  struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
1227  struct sk_buff *skb2;
1228  struct nlmsgerr *errmsg;
1229  size_t payload = sizeof(*errmsg) + nlmsg_len(nlh);
1230  int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
1231  struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1232  struct nlattr *cmdattr;
1233  u32 *errline;
1234 
1235  skb2 = nlmsg_new(payload, GFP_KERNEL);
1236  if (skb2 == NULL)
1237  return -ENOMEM;
1238  rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid,
1239  nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
1240  errmsg = nlmsg_data(rep);
1241  errmsg->error = ret;
1242  memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
1243  cmdattr = (void *)&errmsg->msg + min_len;
1244 
1245  nla_parse(cda, IPSET_ATTR_CMD_MAX,
1246  cmdattr, nlh->nlmsg_len - min_len,
1247  ip_set_adt_policy);
1248 
1249  errline = nla_data(cda[IPSET_ATTR_LINENO]);
1250 
1251  *errline = lineno;
1252 
1253  netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1254  /* Signal netlink not to send its ACK/errmsg. */
1255  return -EINTR;
1256  }
1257 
1258  return ret;
1259 }
1260 
1261 static int
1262 ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
1263  const struct nlmsghdr *nlh,
1264  const struct nlattr * const attr[])
1265 {
1266  struct ip_set *set;
1267  struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1268  const struct nlattr *nla;
1269  u32 flags = flag_exist(nlh);
1270  bool use_lineno;
1271  int ret = 0;
1272 
1273  if (unlikely(protocol_failed(attr) ||
1274  attr[IPSET_ATTR_SETNAME] == NULL ||
1275  !((attr[IPSET_ATTR_DATA] != NULL) ^
1276  (attr[IPSET_ATTR_ADT] != NULL)) ||
1277  (attr[IPSET_ATTR_DATA] != NULL &&
1278  !flag_nested(attr[IPSET_ATTR_DATA])) ||
1279  (attr[IPSET_ATTR_ADT] != NULL &&
1280  (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1281  attr[IPSET_ATTR_LINENO] == NULL))))
1282  return -IPSET_ERR_PROTOCOL;
1283 
1284  set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1285  if (set == NULL)
1286  return -ENOENT;
1287 
1288  use_lineno = !!attr[IPSET_ATTR_LINENO];
1289  if (attr[IPSET_ATTR_DATA]) {
1290  if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1291  attr[IPSET_ATTR_DATA],
1292  set->type->adt_policy))
1293  return -IPSET_ERR_PROTOCOL;
1294  ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, flags,
1295  use_lineno);
1296  } else {
1297  int nla_rem;
1298 
1299  nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1300  memset(tb, 0, sizeof(tb));
1301  if (nla_type(nla) != IPSET_ATTR_DATA ||
1302  !flag_nested(nla) ||
1303  nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1304  set->type->adt_policy))
1305  return -IPSET_ERR_PROTOCOL;
1306  ret = call_ad(ctnl, skb, set, tb, IPSET_ADD,
1307  flags, use_lineno);
1308  if (ret < 0)
1309  return ret;
1310  }
1311  }
1312  return ret;
1313 }
1314 
1315 static int
1316 ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
1317  const struct nlmsghdr *nlh,
1318  const struct nlattr * const attr[])
1319 {
1320  struct ip_set *set;
1321  struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1322  const struct nlattr *nla;
1323  u32 flags = flag_exist(nlh);
1324  bool use_lineno;
1325  int ret = 0;
1326 
1327  if (unlikely(protocol_failed(attr) ||
1328  attr[IPSET_ATTR_SETNAME] == NULL ||
1329  !((attr[IPSET_ATTR_DATA] != NULL) ^
1330  (attr[IPSET_ATTR_ADT] != NULL)) ||
1331  (attr[IPSET_ATTR_DATA] != NULL &&
1332  !flag_nested(attr[IPSET_ATTR_DATA])) ||
1333  (attr[IPSET_ATTR_ADT] != NULL &&
1334  (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1335  attr[IPSET_ATTR_LINENO] == NULL))))
1336  return -IPSET_ERR_PROTOCOL;
1337 
1338  set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1339  if (set == NULL)
1340  return -ENOENT;
1341 
1342  use_lineno = !!attr[IPSET_ATTR_LINENO];
1343  if (attr[IPSET_ATTR_DATA]) {
1344  if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1345  attr[IPSET_ATTR_DATA],
1346  set->type->adt_policy))
1347  return -IPSET_ERR_PROTOCOL;
1348  ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, flags,
1349  use_lineno);
1350  } else {
1351  int nla_rem;
1352 
1353  nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1354  memset(tb, 0, sizeof(*tb));
1355  if (nla_type(nla) != IPSET_ATTR_DATA ||
1356  !flag_nested(nla) ||
1357  nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1358  set->type->adt_policy))
1359  return -IPSET_ERR_PROTOCOL;
1360  ret = call_ad(ctnl, skb, set, tb, IPSET_DEL,
1361  flags, use_lineno);
1362  if (ret < 0)
1363  return ret;
1364  }
1365  }
1366  return ret;
1367 }
1368 
1369 static int
1370 ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
1371  const struct nlmsghdr *nlh,
1372  const struct nlattr * const attr[])
1373 {
1374  struct ip_set *set;
1375  struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1376  int ret = 0;
1377 
1378  if (unlikely(protocol_failed(attr) ||
1379  attr[IPSET_ATTR_SETNAME] == NULL ||
1380  attr[IPSET_ATTR_DATA] == NULL ||
1381  !flag_nested(attr[IPSET_ATTR_DATA])))
1382  return -IPSET_ERR_PROTOCOL;
1383 
1384  set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1385  if (set == NULL)
1386  return -ENOENT;
1387 
1388  if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA],
1389  set->type->adt_policy))
1390  return -IPSET_ERR_PROTOCOL;
1391 
1392  read_lock_bh(&set->lock);
1393  ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
1394  read_unlock_bh(&set->lock);
1395  /* Userspace can't trigger element to be re-added */
1396  if (ret == -EAGAIN)
1397  ret = 1;
1398 
1399  return ret < 0 ? ret : ret > 0 ? 0 : -IPSET_ERR_EXIST;
1400 }
1401 
1402 /* Get headed data of a set */
1403 
1404 static int
1405 ip_set_header(struct sock *ctnl, struct sk_buff *skb,
1406  const struct nlmsghdr *nlh,
1407  const struct nlattr * const attr[])
1408 {
1409  const struct ip_set *set;
1410  struct sk_buff *skb2;
1411  struct nlmsghdr *nlh2;
1412  ip_set_id_t index;
1413  int ret = 0;
1414 
1415  if (unlikely(protocol_failed(attr) ||
1416  attr[IPSET_ATTR_SETNAME] == NULL))
1417  return -IPSET_ERR_PROTOCOL;
1418 
1419  index = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
1420  if (index == IPSET_INVALID_ID)
1421  return -ENOENT;
1422  set = ip_set_list[index];
1423 
1424  skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1425  if (skb2 == NULL)
1426  return -ENOMEM;
1427 
1428  nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1429  IPSET_CMD_HEADER);
1430  if (!nlh2)
1431  goto nlmsg_failure;
1432  if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1433  nla_put_string(skb2, IPSET_ATTR_SETNAME, set->name) ||
1434  nla_put_string(skb2, IPSET_ATTR_TYPENAME, set->type->name) ||
1435  nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) ||
1436  nla_put_u8(skb2, IPSET_ATTR_REVISION, set->revision))
1437  goto nla_put_failure;
1438  nlmsg_end(skb2, nlh2);
1439 
1440  ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1441  if (ret < 0)
1442  return ret;
1443 
1444  return 0;
1445 
1446 nla_put_failure:
1447  nlmsg_cancel(skb2, nlh2);
1448 nlmsg_failure:
1449  kfree_skb(skb2);
1450  return -EMSGSIZE;
1451 }
1452 
1453 /* Get type data */
1454 
1455 static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = {
1456  [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1457  [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
1458  .len = IPSET_MAXNAMELEN - 1 },
1459  [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
1460 };
1461 
1462 static int
1463 ip_set_type(struct sock *ctnl, struct sk_buff *skb,
1464  const struct nlmsghdr *nlh,
1465  const struct nlattr * const attr[])
1466 {
1467  struct sk_buff *skb2;
1468  struct nlmsghdr *nlh2;
1469  u8 family, min, max;
1470  const char *typename;
1471  int ret = 0;
1472 
1473  if (unlikely(protocol_failed(attr) ||
1474  attr[IPSET_ATTR_TYPENAME] == NULL ||
1475  attr[IPSET_ATTR_FAMILY] == NULL))
1476  return -IPSET_ERR_PROTOCOL;
1477 
1478  family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
1479  typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
1480  ret = find_set_type_minmax(typename, family, &min, &max);
1481  if (ret)
1482  return ret;
1483 
1484  skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1485  if (skb2 == NULL)
1486  return -ENOMEM;
1487 
1488  nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1489  IPSET_CMD_TYPE);
1490  if (!nlh2)
1491  goto nlmsg_failure;
1492  if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1493  nla_put_string(skb2, IPSET_ATTR_TYPENAME, typename) ||
1494  nla_put_u8(skb2, IPSET_ATTR_FAMILY, family) ||
1495  nla_put_u8(skb2, IPSET_ATTR_REVISION, max) ||
1496  nla_put_u8(skb2, IPSET_ATTR_REVISION_MIN, min))
1497  goto nla_put_failure;
1498  nlmsg_end(skb2, nlh2);
1499 
1500  pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len);
1501  ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1502  if (ret < 0)
1503  return ret;
1504 
1505  return 0;
1506 
1507 nla_put_failure:
1508  nlmsg_cancel(skb2, nlh2);
1509 nlmsg_failure:
1510  kfree_skb(skb2);
1511  return -EMSGSIZE;
1512 }
1513 
1514 /* Get protocol version */
1515 
1516 static const struct nla_policy
1517 ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = {
1518  [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1519 };
1520 
1521 static int
1522 ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
1523  const struct nlmsghdr *nlh,
1524  const struct nlattr * const attr[])
1525 {
1526  struct sk_buff *skb2;
1527  struct nlmsghdr *nlh2;
1528  int ret = 0;
1529 
1530  if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL))
1531  return -IPSET_ERR_PROTOCOL;
1532 
1533  skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1534  if (skb2 == NULL)
1535  return -ENOMEM;
1536 
1537  nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
1538  IPSET_CMD_PROTOCOL);
1539  if (!nlh2)
1540  goto nlmsg_failure;
1541  if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL))
1542  goto nla_put_failure;
1543  nlmsg_end(skb2, nlh2);
1544 
1545  ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1546  if (ret < 0)
1547  return ret;
1548 
1549  return 0;
1550 
1551 nla_put_failure:
1552  nlmsg_cancel(skb2, nlh2);
1553 nlmsg_failure:
1554  kfree_skb(skb2);
1555  return -EMSGSIZE;
1556 }
1557 
1558 static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
1559  [IPSET_CMD_NONE] = {
1560  .call = ip_set_none,
1561  .attr_count = IPSET_ATTR_CMD_MAX,
1562  },
1563  [IPSET_CMD_CREATE] = {
1564  .call = ip_set_create,
1565  .attr_count = IPSET_ATTR_CMD_MAX,
1566  .policy = ip_set_create_policy,
1567  },
1568  [IPSET_CMD_DESTROY] = {
1569  .call = ip_set_destroy,
1570  .attr_count = IPSET_ATTR_CMD_MAX,
1571  .policy = ip_set_setname_policy,
1572  },
1573  [IPSET_CMD_FLUSH] = {
1574  .call = ip_set_flush,
1575  .attr_count = IPSET_ATTR_CMD_MAX,
1576  .policy = ip_set_setname_policy,
1577  },
1578  [IPSET_CMD_RENAME] = {
1579  .call = ip_set_rename,
1580  .attr_count = IPSET_ATTR_CMD_MAX,
1581  .policy = ip_set_setname2_policy,
1582  },
1583  [IPSET_CMD_SWAP] = {
1584  .call = ip_set_swap,
1585  .attr_count = IPSET_ATTR_CMD_MAX,
1586  .policy = ip_set_setname2_policy,
1587  },
1588  [IPSET_CMD_LIST] = {
1589  .call = ip_set_dump,
1590  .attr_count = IPSET_ATTR_CMD_MAX,
1591  .policy = ip_set_setname_policy,
1592  },
1593  [IPSET_CMD_SAVE] = {
1594  .call = ip_set_dump,
1595  .attr_count = IPSET_ATTR_CMD_MAX,
1596  .policy = ip_set_setname_policy,
1597  },
1598  [IPSET_CMD_ADD] = {
1599  .call = ip_set_uadd,
1600  .attr_count = IPSET_ATTR_CMD_MAX,
1601  .policy = ip_set_adt_policy,
1602  },
1603  [IPSET_CMD_DEL] = {
1604  .call = ip_set_udel,
1605  .attr_count = IPSET_ATTR_CMD_MAX,
1606  .policy = ip_set_adt_policy,
1607  },
1608  [IPSET_CMD_TEST] = {
1609  .call = ip_set_utest,
1610  .attr_count = IPSET_ATTR_CMD_MAX,
1611  .policy = ip_set_adt_policy,
1612  },
1613  [IPSET_CMD_HEADER] = {
1614  .call = ip_set_header,
1615  .attr_count = IPSET_ATTR_CMD_MAX,
1616  .policy = ip_set_setname_policy,
1617  },
1618  [IPSET_CMD_TYPE] = {
1619  .call = ip_set_type,
1620  .attr_count = IPSET_ATTR_CMD_MAX,
1621  .policy = ip_set_type_policy,
1622  },
1623  [IPSET_CMD_PROTOCOL] = {
1624  .call = ip_set_protocol,
1625  .attr_count = IPSET_ATTR_CMD_MAX,
1626  .policy = ip_set_protocol_policy,
1627  },
1628 };
1629 
1630 static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = {
1631  .name = "ip_set",
1632  .subsys_id = NFNL_SUBSYS_IPSET,
1633  .cb_count = IPSET_MSG_MAX,
1634  .cb = ip_set_netlink_subsys_cb,
1635 };
1636 
1637 /* Interface to iptables/ip6tables */
1638 
1639 static int
1640 ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
1641 {
1642  unsigned int *op;
1643  void *data;
1644  int copylen = *len, ret = 0;
1645 
1646  if (!capable(CAP_NET_ADMIN))
1647  return -EPERM;
1648  if (optval != SO_IP_SET)
1649  return -EBADF;
1650  if (*len < sizeof(unsigned int))
1651  return -EINVAL;
1652 
1653  data = vmalloc(*len);
1654  if (!data)
1655  return -ENOMEM;
1656  if (copy_from_user(data, user, *len) != 0) {
1657  ret = -EFAULT;
1658  goto done;
1659  }
1660  op = (unsigned int *) data;
1661 
1662  if (*op < IP_SET_OP_VERSION) {
1663  /* Check the version at the beginning of operations */
1664  struct ip_set_req_version *req_version = data;
1665  if (req_version->version != IPSET_PROTOCOL) {
1666  ret = -EPROTO;
1667  goto done;
1668  }
1669  }
1670 
1671  switch (*op) {
1672  case IP_SET_OP_VERSION: {
1673  struct ip_set_req_version *req_version = data;
1674 
1675  if (*len != sizeof(struct ip_set_req_version)) {
1676  ret = -EINVAL;
1677  goto done;
1678  }
1679 
1680  req_version->version = IPSET_PROTOCOL;
1681  ret = copy_to_user(user, req_version,
1682  sizeof(struct ip_set_req_version));
1683  goto done;
1684  }
1685  case IP_SET_OP_GET_BYNAME: {
1686  struct ip_set_req_get_set *req_get = data;
1687 
1688  if (*len != sizeof(struct ip_set_req_get_set)) {
1689  ret = -EINVAL;
1690  goto done;
1691  }
1692  req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
1693  nfnl_lock();
1694  req_get->set.index = find_set_id(req_get->set.name);
1695  nfnl_unlock();
1696  goto copy;
1697  }
1698  case IP_SET_OP_GET_BYINDEX: {
1699  struct ip_set_req_get_set *req_get = data;
1700 
1701  if (*len != sizeof(struct ip_set_req_get_set) ||
1702  req_get->set.index >= ip_set_max) {
1703  ret = -EINVAL;
1704  goto done;
1705  }
1706  nfnl_lock();
1707  strncpy(req_get->set.name,
1708  ip_set_list[req_get->set.index]
1709  ? ip_set_list[req_get->set.index]->name : "",
1710  IPSET_MAXNAMELEN);
1711  nfnl_unlock();
1712  goto copy;
1713  }
1714  default:
1715  ret = -EBADMSG;
1716  goto done;
1717  } /* end of switch(op) */
1718 
1719 copy:
1720  ret = copy_to_user(user, data, copylen);
1721 
1722 done:
1723  vfree(data);
1724  if (ret > 0)
1725  ret = 0;
1726  return ret;
1727 }
1728 
1729 static struct nf_sockopt_ops so_set __read_mostly = {
1730  .pf = PF_INET,
1731  .get_optmin = SO_IP_SET,
1732  .get_optmax = SO_IP_SET + 1,
1733  .get = &ip_set_sockfn_get,
1734  .owner = THIS_MODULE,
1735 };
1736 
1737 static int __init
1738 ip_set_init(void)
1739 {
1740  int ret;
1741 
1742  if (max_sets)
1743  ip_set_max = max_sets;
1744  if (ip_set_max >= IPSET_INVALID_ID)
1745  ip_set_max = IPSET_INVALID_ID - 1;
1746 
1747  ip_set_list = kzalloc(sizeof(struct ip_set *) * ip_set_max,
1748  GFP_KERNEL);
1749  if (!ip_set_list)
1750  return -ENOMEM;
1751 
1752  ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
1753  if (ret != 0) {
1754  pr_err("ip_set: cannot register with nfnetlink.\n");
1755  kfree(ip_set_list);
1756  return ret;
1757  }
1758  ret = nf_register_sockopt(&so_set);
1759  if (ret != 0) {
1760  pr_err("SO_SET registry failed: %d\n", ret);
1761  nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1762  kfree(ip_set_list);
1763  return ret;
1764  }
1765 
1766  pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL);
1767  return 0;
1768 }
1769 
1770 static void __exit
1771 ip_set_fini(void)
1772 {
1773  /* There can't be any existing set */
1774  nf_unregister_sockopt(&so_set);
1775  nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
1776  kfree(ip_set_list);
1777  pr_debug("these are the famous last words\n");
1778 }
1779 
1780 module_init(ip_set_init);
1781 module_exit(ip_set_fini);
Generated on Thu Jan 10 2013 15:00:08 for Linux Kernel by   doxygen 1.8.2