1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
3 * Patrick Schaaf <bof@bof.de>
4 * Martin Josefsson <gandalf@wlug.westbo.se>
5 * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org>
8 /* Kernel module which implements the set match and SET target
9 * for netfilter/iptables.
12 #include <linux/module.h>
13 #include <linux/skbuff.h>
15 #include <linux/netfilter/x_tables.h>
16 #include <linux/netfilter/ipset/ip_set.h>
17 #include <uapi/linux/netfilter/xt_set.h>
19 MODULE_LICENSE("GPL");
20 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@netfilter.org>");
21 MODULE_DESCRIPTION("Xtables: IP set match and target module");
22 MODULE_ALIAS("xt_SET");
23 MODULE_ALIAS("ipt_set");
24 MODULE_ALIAS("ip6t_set");
25 MODULE_ALIAS("ipt_SET");
26 MODULE_ALIAS("ip6t_SET");
29 match_set(ip_set_id_t index, const struct sk_buff *skb,
30 const struct xt_action_param *par,
31 struct ip_set_adt_opt *opt, int inv)
33 if (ip_set_test(index, skb, par, opt))
38 #define ADT_OPT(n, f, d, fs, cfs, t, p, b, po, bo) \
39 struct ip_set_adt_opt n = { \
47 .ext.packets_op = po, \
51 /* Revision 0 interface: backward compatible with netfilter/iptables */
54 set_match_v0(const struct sk_buff *skb, struct xt_action_param *par)
56 const struct xt_set_info_match_v0 *info = par->matchinfo;
58 ADT_OPT(opt, xt_family(par), info->match_set.u.compat.dim,
59 info->match_set.u.compat.flags, 0, UINT_MAX,
62 return match_set(info->match_set.index, skb, par, &opt,
63 info->match_set.u.compat.flags & IPSET_INV_MATCH);
67 compat_flags(struct xt_set_info_v0 *info)
71 /* Fill out compatibility data according to enum ip_set_kopt */
72 info->u.compat.dim = IPSET_DIM_ZERO;
73 if (info->u.flags[0] & IPSET_MATCH_INV)
74 info->u.compat.flags |= IPSET_INV_MATCH;
75 for (i = 0; i < IPSET_DIM_MAX - 1 && info->u.flags[i]; i++) {
77 if (info->u.flags[i] & IPSET_SRC)
78 info->u.compat.flags |= (1 << info->u.compat.dim);
83 set_match_v0_checkentry(const struct xt_mtchk_param *par)
85 struct xt_set_info_match_v0 *info = par->matchinfo;
88 index = ip_set_nfnl_get_byindex(par->net, info->match_set.index);
90 if (index == IPSET_INVALID_ID) {
91 pr_info_ratelimited("Cannot find set identified by id %u to match\n",
92 info->match_set.index);
95 if (info->match_set.u.flags[IPSET_DIM_MAX - 1] != 0) {
96 pr_info_ratelimited("set match dimension is over the limit!\n");
97 ip_set_nfnl_put(par->net, info->match_set.index);
101 /* Fill out compatibility data */
102 compat_flags(&info->match_set);
108 set_match_v0_destroy(const struct xt_mtdtor_param *par)
110 struct xt_set_info_match_v0 *info = par->matchinfo;
112 ip_set_nfnl_put(par->net, info->match_set.index);
115 /* Revision 1 match */
118 set_match_v1(const struct sk_buff *skb, struct xt_action_param *par)
120 const struct xt_set_info_match_v1 *info = par->matchinfo;
122 ADT_OPT(opt, xt_family(par), info->match_set.dim,
123 info->match_set.flags, 0, UINT_MAX,
126 if (opt.flags & IPSET_RETURN_NOMATCH)
127 opt.cmdflags |= IPSET_FLAG_RETURN_NOMATCH;
129 return match_set(info->match_set.index, skb, par, &opt,
130 info->match_set.flags & IPSET_INV_MATCH);
134 set_match_v1_checkentry(const struct xt_mtchk_param *par)
136 struct xt_set_info_match_v1 *info = par->matchinfo;
139 index = ip_set_nfnl_get_byindex(par->net, info->match_set.index);
141 if (index == IPSET_INVALID_ID) {
142 pr_info_ratelimited("Cannot find set identified by id %u to match\n",
143 info->match_set.index);
146 if (info->match_set.dim > IPSET_DIM_MAX) {
147 pr_info_ratelimited("set match dimension is over the limit!\n");
148 ip_set_nfnl_put(par->net, info->match_set.index);
156 set_match_v1_destroy(const struct xt_mtdtor_param *par)
158 struct xt_set_info_match_v1 *info = par->matchinfo;
160 ip_set_nfnl_put(par->net, info->match_set.index);
163 /* Revision 3 match */
166 set_match_v3(const struct sk_buff *skb, struct xt_action_param *par)
168 const struct xt_set_info_match_v3 *info = par->matchinfo;
170 ADT_OPT(opt, xt_family(par), info->match_set.dim,
171 info->match_set.flags, info->flags, UINT_MAX,
172 info->packets.value, info->bytes.value,
173 info->packets.op, info->bytes.op);
175 if (info->packets.op != IPSET_COUNTER_NONE ||
176 info->bytes.op != IPSET_COUNTER_NONE)
177 opt.cmdflags |= IPSET_FLAG_MATCH_COUNTERS;
179 return match_set(info->match_set.index, skb, par, &opt,
180 info->match_set.flags & IPSET_INV_MATCH);
183 #define set_match_v3_checkentry set_match_v1_checkentry
184 #define set_match_v3_destroy set_match_v1_destroy
186 /* Revision 4 match */
189 set_match_v4(const struct sk_buff *skb, struct xt_action_param *par)
191 const struct xt_set_info_match_v4 *info = par->matchinfo;
193 ADT_OPT(opt, xt_family(par), info->match_set.dim,
194 info->match_set.flags, info->flags, UINT_MAX,
195 info->packets.value, info->bytes.value,
196 info->packets.op, info->bytes.op);
198 if (info->packets.op != IPSET_COUNTER_NONE ||
199 info->bytes.op != IPSET_COUNTER_NONE)
200 opt.cmdflags |= IPSET_FLAG_MATCH_COUNTERS;
202 return match_set(info->match_set.index, skb, par, &opt,
203 info->match_set.flags & IPSET_INV_MATCH);
206 #define set_match_v4_checkentry set_match_v1_checkentry
207 #define set_match_v4_destroy set_match_v1_destroy
209 /* Revision 0 interface: backward compatible with netfilter/iptables */
212 set_target_v0(struct sk_buff *skb, const struct xt_action_param *par)
214 const struct xt_set_info_target_v0 *info = par->targinfo;
216 ADT_OPT(add_opt, xt_family(par), info->add_set.u.compat.dim,
217 info->add_set.u.compat.flags, 0, UINT_MAX,
219 ADT_OPT(del_opt, xt_family(par), info->del_set.u.compat.dim,
220 info->del_set.u.compat.flags, 0, UINT_MAX,
223 if (info->add_set.index != IPSET_INVALID_ID)
224 ip_set_add(info->add_set.index, skb, par, &add_opt);
225 if (info->del_set.index != IPSET_INVALID_ID)
226 ip_set_del(info->del_set.index, skb, par, &del_opt);
232 set_target_v0_checkentry(const struct xt_tgchk_param *par)
234 struct xt_set_info_target_v0 *info = par->targinfo;
237 if (info->add_set.index != IPSET_INVALID_ID) {
238 index = ip_set_nfnl_get_byindex(par->net, info->add_set.index);
239 if (index == IPSET_INVALID_ID) {
240 pr_info_ratelimited("Cannot find add_set index %u as target\n",
241 info->add_set.index);
246 if (info->del_set.index != IPSET_INVALID_ID) {
247 index = ip_set_nfnl_get_byindex(par->net, info->del_set.index);
248 if (index == IPSET_INVALID_ID) {
249 pr_info_ratelimited("Cannot find del_set index %u as target\n",
250 info->del_set.index);
251 if (info->add_set.index != IPSET_INVALID_ID)
252 ip_set_nfnl_put(par->net, info->add_set.index);
256 if (info->add_set.u.flags[IPSET_DIM_MAX - 1] != 0 ||
257 info->del_set.u.flags[IPSET_DIM_MAX - 1] != 0) {
258 pr_info_ratelimited("SET target dimension over the limit!\n");
259 if (info->add_set.index != IPSET_INVALID_ID)
260 ip_set_nfnl_put(par->net, info->add_set.index);
261 if (info->del_set.index != IPSET_INVALID_ID)
262 ip_set_nfnl_put(par->net, info->del_set.index);
266 /* Fill out compatibility data */
267 compat_flags(&info->add_set);
268 compat_flags(&info->del_set);
274 set_target_v0_destroy(const struct xt_tgdtor_param *par)
276 const struct xt_set_info_target_v0 *info = par->targinfo;
278 if (info->add_set.index != IPSET_INVALID_ID)
279 ip_set_nfnl_put(par->net, info->add_set.index);
280 if (info->del_set.index != IPSET_INVALID_ID)
281 ip_set_nfnl_put(par->net, info->del_set.index);
284 /* Revision 1 target */
287 set_target_v1(struct sk_buff *skb, const struct xt_action_param *par)
289 const struct xt_set_info_target_v1 *info = par->targinfo;
291 ADT_OPT(add_opt, xt_family(par), info->add_set.dim,
292 info->add_set.flags, 0, UINT_MAX,
294 ADT_OPT(del_opt, xt_family(par), info->del_set.dim,
295 info->del_set.flags, 0, UINT_MAX,
298 if (info->add_set.index != IPSET_INVALID_ID)
299 ip_set_add(info->add_set.index, skb, par, &add_opt);
300 if (info->del_set.index != IPSET_INVALID_ID)
301 ip_set_del(info->del_set.index, skb, par, &del_opt);
307 set_target_v1_checkentry(const struct xt_tgchk_param *par)
309 const struct xt_set_info_target_v1 *info = par->targinfo;
312 if (info->add_set.index != IPSET_INVALID_ID) {
313 index = ip_set_nfnl_get_byindex(par->net, info->add_set.index);
314 if (index == IPSET_INVALID_ID) {
315 pr_info_ratelimited("Cannot find add_set index %u as target\n",
316 info->add_set.index);
321 if (info->del_set.index != IPSET_INVALID_ID) {
322 index = ip_set_nfnl_get_byindex(par->net, info->del_set.index);
323 if (index == IPSET_INVALID_ID) {
324 pr_info_ratelimited("Cannot find del_set index %u as target\n",
325 info->del_set.index);
326 if (info->add_set.index != IPSET_INVALID_ID)
327 ip_set_nfnl_put(par->net, info->add_set.index);
331 if (info->add_set.dim > IPSET_DIM_MAX ||
332 info->del_set.dim > IPSET_DIM_MAX) {
333 pr_info_ratelimited("SET target dimension over the limit!\n");
334 if (info->add_set.index != IPSET_INVALID_ID)
335 ip_set_nfnl_put(par->net, info->add_set.index);
336 if (info->del_set.index != IPSET_INVALID_ID)
337 ip_set_nfnl_put(par->net, info->del_set.index);
345 set_target_v1_destroy(const struct xt_tgdtor_param *par)
347 const struct xt_set_info_target_v1 *info = par->targinfo;
349 if (info->add_set.index != IPSET_INVALID_ID)
350 ip_set_nfnl_put(par->net, info->add_set.index);
351 if (info->del_set.index != IPSET_INVALID_ID)
352 ip_set_nfnl_put(par->net, info->del_set.index);
355 /* Revision 2 target */
358 set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
360 const struct xt_set_info_target_v2 *info = par->targinfo;
362 ADT_OPT(add_opt, xt_family(par), info->add_set.dim,
363 info->add_set.flags, info->flags, info->timeout,
365 ADT_OPT(del_opt, xt_family(par), info->del_set.dim,
366 info->del_set.flags, 0, UINT_MAX,
369 /* Normalize to fit into jiffies */
370 if (add_opt.ext.timeout != IPSET_NO_TIMEOUT &&
371 add_opt.ext.timeout > IPSET_MAX_TIMEOUT)
372 add_opt.ext.timeout = IPSET_MAX_TIMEOUT;
373 if (info->add_set.index != IPSET_INVALID_ID)
374 ip_set_add(info->add_set.index, skb, par, &add_opt);
375 if (info->del_set.index != IPSET_INVALID_ID)
376 ip_set_del(info->del_set.index, skb, par, &del_opt);
381 #define set_target_v2_checkentry set_target_v1_checkentry
382 #define set_target_v2_destroy set_target_v1_destroy
384 /* Revision 3 target */
386 #define MOPT(opt, member) ((opt).ext.skbinfo.member)
389 set_target_v3(struct sk_buff *skb, const struct xt_action_param *par)
391 const struct xt_set_info_target_v3 *info = par->targinfo;
394 ADT_OPT(add_opt, xt_family(par), info->add_set.dim,
395 info->add_set.flags, info->flags, info->timeout,
397 ADT_OPT(del_opt, xt_family(par), info->del_set.dim,
398 info->del_set.flags, 0, UINT_MAX,
400 ADT_OPT(map_opt, xt_family(par), info->map_set.dim,
401 info->map_set.flags, 0, UINT_MAX,
404 /* Normalize to fit into jiffies */
405 if (add_opt.ext.timeout != IPSET_NO_TIMEOUT &&
406 add_opt.ext.timeout > IPSET_MAX_TIMEOUT)
407 add_opt.ext.timeout = IPSET_MAX_TIMEOUT;
408 if (info->add_set.index != IPSET_INVALID_ID)
409 ip_set_add(info->add_set.index, skb, par, &add_opt);
410 if (info->del_set.index != IPSET_INVALID_ID)
411 ip_set_del(info->del_set.index, skb, par, &del_opt);
412 if (info->map_set.index != IPSET_INVALID_ID) {
413 map_opt.cmdflags |= info->flags & (IPSET_FLAG_MAP_SKBMARK |
414 IPSET_FLAG_MAP_SKBPRIO |
415 IPSET_FLAG_MAP_SKBQUEUE);
416 ret = match_set(info->map_set.index, skb, par, &map_opt,
417 info->map_set.flags & IPSET_INV_MATCH);
420 if (map_opt.cmdflags & IPSET_FLAG_MAP_SKBMARK)
421 skb->mark = (skb->mark & ~MOPT(map_opt,skbmarkmask))
422 ^ MOPT(map_opt, skbmark);
423 if (map_opt.cmdflags & IPSET_FLAG_MAP_SKBPRIO)
424 skb->priority = MOPT(map_opt, skbprio);
425 if ((map_opt.cmdflags & IPSET_FLAG_MAP_SKBQUEUE) &&
427 skb->dev->real_num_tx_queues > MOPT(map_opt, skbqueue))
428 skb_set_queue_mapping(skb, MOPT(map_opt, skbqueue));
434 set_target_v3_checkentry(const struct xt_tgchk_param *par)
436 const struct xt_set_info_target_v3 *info = par->targinfo;
440 if (info->add_set.index != IPSET_INVALID_ID) {
441 index = ip_set_nfnl_get_byindex(par->net,
442 info->add_set.index);
443 if (index == IPSET_INVALID_ID) {
444 pr_info_ratelimited("Cannot find add_set index %u as target\n",
445 info->add_set.index);
450 if (info->del_set.index != IPSET_INVALID_ID) {
451 index = ip_set_nfnl_get_byindex(par->net,
452 info->del_set.index);
453 if (index == IPSET_INVALID_ID) {
454 pr_info_ratelimited("Cannot find del_set index %u as target\n",
455 info->del_set.index);
461 if (info->map_set.index != IPSET_INVALID_ID) {
462 if (strncmp(par->table, "mangle", 7)) {
463 pr_info_ratelimited("--map-set only usable from mangle table\n");
467 if (((info->flags & IPSET_FLAG_MAP_SKBPRIO) |
468 (info->flags & IPSET_FLAG_MAP_SKBQUEUE)) &&
469 (par->hook_mask & ~(1 << NF_INET_FORWARD |
470 1 << NF_INET_LOCAL_OUT |
471 1 << NF_INET_POST_ROUTING))) {
472 pr_info_ratelimited("mapping of prio or/and queue is allowed only from OUTPUT/FORWARD/POSTROUTING chains\n");
476 index = ip_set_nfnl_get_byindex(par->net,
477 info->map_set.index);
478 if (index == IPSET_INVALID_ID) {
479 pr_info_ratelimited("Cannot find map_set index %u as target\n",
480 info->map_set.index);
486 if (info->add_set.dim > IPSET_DIM_MAX ||
487 info->del_set.dim > IPSET_DIM_MAX ||
488 info->map_set.dim > IPSET_DIM_MAX) {
489 pr_info_ratelimited("SET target dimension over the limit!\n");
496 if (info->map_set.index != IPSET_INVALID_ID)
497 ip_set_nfnl_put(par->net, info->map_set.index);
499 if (info->del_set.index != IPSET_INVALID_ID)
500 ip_set_nfnl_put(par->net, info->del_set.index);
502 if (info->add_set.index != IPSET_INVALID_ID)
503 ip_set_nfnl_put(par->net, info->add_set.index);
508 set_target_v3_destroy(const struct xt_tgdtor_param *par)
510 const struct xt_set_info_target_v3 *info = par->targinfo;
512 if (info->add_set.index != IPSET_INVALID_ID)
513 ip_set_nfnl_put(par->net, info->add_set.index);
514 if (info->del_set.index != IPSET_INVALID_ID)
515 ip_set_nfnl_put(par->net, info->del_set.index);
516 if (info->map_set.index != IPSET_INVALID_ID)
517 ip_set_nfnl_put(par->net, info->map_set.index);
520 static struct xt_match set_matches[] __read_mostly = {
523 .family = NFPROTO_IPV4,
525 .match = set_match_v0,
526 .matchsize = sizeof(struct xt_set_info_match_v0),
527 .checkentry = set_match_v0_checkentry,
528 .destroy = set_match_v0_destroy,
533 .family = NFPROTO_IPV4,
535 .match = set_match_v1,
536 .matchsize = sizeof(struct xt_set_info_match_v1),
537 .checkentry = set_match_v1_checkentry,
538 .destroy = set_match_v1_destroy,
543 .family = NFPROTO_IPV6,
545 .match = set_match_v1,
546 .matchsize = sizeof(struct xt_set_info_match_v1),
547 .checkentry = set_match_v1_checkentry,
548 .destroy = set_match_v1_destroy,
551 /* --return-nomatch flag support */
554 .family = NFPROTO_IPV4,
556 .match = set_match_v1,
557 .matchsize = sizeof(struct xt_set_info_match_v1),
558 .checkentry = set_match_v1_checkentry,
559 .destroy = set_match_v1_destroy,
564 .family = NFPROTO_IPV6,
566 .match = set_match_v1,
567 .matchsize = sizeof(struct xt_set_info_match_v1),
568 .checkentry = set_match_v1_checkentry,
569 .destroy = set_match_v1_destroy,
572 /* counters support: update, match */
575 .family = NFPROTO_IPV4,
577 .match = set_match_v3,
578 .matchsize = sizeof(struct xt_set_info_match_v3),
579 .checkentry = set_match_v3_checkentry,
580 .destroy = set_match_v3_destroy,
585 .family = NFPROTO_IPV6,
587 .match = set_match_v3,
588 .matchsize = sizeof(struct xt_set_info_match_v3),
589 .checkentry = set_match_v3_checkentry,
590 .destroy = set_match_v3_destroy,
593 /* new revision for counters support: update, match */
596 .family = NFPROTO_IPV4,
598 .match = set_match_v4,
599 .matchsize = sizeof(struct xt_set_info_match_v4),
600 .checkentry = set_match_v4_checkentry,
601 .destroy = set_match_v4_destroy,
606 .family = NFPROTO_IPV6,
608 .match = set_match_v4,
609 .matchsize = sizeof(struct xt_set_info_match_v4),
610 .checkentry = set_match_v4_checkentry,
611 .destroy = set_match_v4_destroy,
616 static struct xt_target set_targets[] __read_mostly = {
620 .family = NFPROTO_IPV4,
621 .target = set_target_v0,
622 .targetsize = sizeof(struct xt_set_info_target_v0),
623 .checkentry = set_target_v0_checkentry,
624 .destroy = set_target_v0_destroy,
630 .family = NFPROTO_IPV4,
631 .target = set_target_v1,
632 .targetsize = sizeof(struct xt_set_info_target_v1),
633 .checkentry = set_target_v1_checkentry,
634 .destroy = set_target_v1_destroy,
640 .family = NFPROTO_IPV6,
641 .target = set_target_v1,
642 .targetsize = sizeof(struct xt_set_info_target_v1),
643 .checkentry = set_target_v1_checkentry,
644 .destroy = set_target_v1_destroy,
647 /* --timeout and --exist flags support */
651 .family = NFPROTO_IPV4,
652 .target = set_target_v2,
653 .targetsize = sizeof(struct xt_set_info_target_v2),
654 .checkentry = set_target_v2_checkentry,
655 .destroy = set_target_v2_destroy,
661 .family = NFPROTO_IPV6,
662 .target = set_target_v2,
663 .targetsize = sizeof(struct xt_set_info_target_v2),
664 .checkentry = set_target_v2_checkentry,
665 .destroy = set_target_v2_destroy,
668 /* --map-set support */
672 .family = NFPROTO_IPV4,
673 .target = set_target_v3,
674 .targetsize = sizeof(struct xt_set_info_target_v3),
675 .checkentry = set_target_v3_checkentry,
676 .destroy = set_target_v3_destroy,
682 .family = NFPROTO_IPV6,
683 .target = set_target_v3,
684 .targetsize = sizeof(struct xt_set_info_target_v3),
685 .checkentry = set_target_v3_checkentry,
686 .destroy = set_target_v3_destroy,
691 static int __init xt_set_init(void)
693 int ret = xt_register_matches(set_matches, ARRAY_SIZE(set_matches));
696 ret = xt_register_targets(set_targets,
697 ARRAY_SIZE(set_targets));
699 xt_unregister_matches(set_matches,
700 ARRAY_SIZE(set_matches));
705 static void __exit xt_set_fini(void)
707 xt_unregister_matches(set_matches, ARRAY_SIZE(set_matches));
708 xt_unregister_targets(set_targets, ARRAY_SIZE(set_targets));
711 module_init(xt_set_init);
712 module_exit(xt_set_fini);
projects / linux-2.6-microblaze.git / blob