1 /* SPDX-License-Identifier: GPL-2.0-only */ 2 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> 3 * Patrick Schaaf <bof@bof.de> 4 * Martin Josefsson <gandalf@wlug.westbo.se> 5 * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org> 6 */ 7 #ifndef _IP_SET_H 8 #define _IP_SET_H 9 10 #include <linux/ip.h> 11 #include <linux/ipv6.h> 12 #include <linux/netlink.h> 13 #include <linux/netfilter.h> 14 #include <linux/netfilter/x_tables.h> 15 #include <linux/stringify.h> 16 #include <linux/vmalloc.h> 17 #include <net/netlink.h> 18 #include <uapi/linux/netfilter/ipset/ip_set.h> 19 20 #define _IP_SET_MODULE_DESC(a, b, c) \ 21 MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c) 22 #define IP_SET_MODULE_DESC(a, b, c) \ 23 _IP_SET_MODULE_DESC(a, __stringify(b), __stringify(c)) 24 25 /* Set features */ 26 enum ip_set_feature { 27 IPSET_TYPE_IP_FLAG = 0, 28 IPSET_TYPE_IP = (1 << IPSET_TYPE_IP_FLAG), 29 IPSET_TYPE_PORT_FLAG = 1, 30 IPSET_TYPE_PORT = (1 << IPSET_TYPE_PORT_FLAG), 31 IPSET_TYPE_MAC_FLAG = 2, 32 IPSET_TYPE_MAC = (1 << IPSET_TYPE_MAC_FLAG), 33 IPSET_TYPE_IP2_FLAG = 3, 34 IPSET_TYPE_IP2 = (1 << IPSET_TYPE_IP2_FLAG), 35 IPSET_TYPE_NAME_FLAG = 4, 36 IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG), 37 IPSET_TYPE_IFACE_FLAG = 5, 38 IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG), 39 IPSET_TYPE_MARK_FLAG = 6, 40 IPSET_TYPE_MARK = (1 << IPSET_TYPE_MARK_FLAG), 41 IPSET_TYPE_NOMATCH_FLAG = 7, 42 IPSET_TYPE_NOMATCH = (1 << IPSET_TYPE_NOMATCH_FLAG), 43 /* Strictly speaking not a feature, but a flag for dumping: 44 * this settype must be dumped last */ 45 IPSET_DUMP_LAST_FLAG = 8, 46 IPSET_DUMP_LAST = (1 << IPSET_DUMP_LAST_FLAG), 47 }; 48 49 /* Set extensions */ 50 enum ip_set_extension { 51 IPSET_EXT_BIT_TIMEOUT = 0, 52 IPSET_EXT_TIMEOUT = (1 << IPSET_EXT_BIT_TIMEOUT), 53 IPSET_EXT_BIT_COUNTER = 1, 54 IPSET_EXT_COUNTER = (1 << IPSET_EXT_BIT_COUNTER), 55 IPSET_EXT_BIT_COMMENT = 2, 56 IPSET_EXT_COMMENT = (1 << IPSET_EXT_BIT_COMMENT), 57 IPSET_EXT_BIT_SKBINFO = 3, 58 IPSET_EXT_SKBINFO = (1 << IPSET_EXT_BIT_SKBINFO), 59 /* Mark set with an extension which needs to call destroy */ 60 IPSET_EXT_BIT_DESTROY = 7, 61 IPSET_EXT_DESTROY = (1 << IPSET_EXT_BIT_DESTROY), 62 }; 63 64 #define SET_WITH_TIMEOUT(s) ((s)->extensions & IPSET_EXT_TIMEOUT) 65 #define SET_WITH_COUNTER(s) ((s)->extensions & IPSET_EXT_COUNTER) 66 #define SET_WITH_COMMENT(s) ((s)->extensions & IPSET_EXT_COMMENT) 67 #define SET_WITH_SKBINFO(s) ((s)->extensions & IPSET_EXT_SKBINFO) 68 #define SET_WITH_FORCEADD(s) ((s)->flags & IPSET_CREATE_FLAG_FORCEADD) 69 70 /* Extension id, in size order */ 71 enum ip_set_ext_id { 72 IPSET_EXT_ID_COUNTER = 0, 73 IPSET_EXT_ID_TIMEOUT, 74 IPSET_EXT_ID_SKBINFO, 75 IPSET_EXT_ID_COMMENT, 76 IPSET_EXT_ID_MAX, 77 }; 78 79 struct ip_set; 80 81 /* Extension type */ 82 struct ip_set_ext_type { 83 /* Destroy extension private data (can be NULL) */ 84 void (*destroy)(struct ip_set *set, void *ext); 85 enum ip_set_extension type; 86 enum ipset_cadt_flags flag; 87 /* Size and minimal alignment */ 88 u8 len; 89 u8 align; 90 }; 91 92 extern const struct ip_set_ext_type ip_set_extensions[]; 93 94 struct ip_set_counter { 95 atomic64_t bytes; 96 atomic64_t packets; 97 }; 98 99 struct ip_set_comment_rcu { 100 struct rcu_head rcu; 101 char str[]; 102 }; 103 104 struct ip_set_comment { 105 struct ip_set_comment_rcu __rcu *c; 106 }; 107 108 struct ip_set_skbinfo { 109 u32 skbmark; 110 u32 skbmarkmask; 111 u32 skbprio; 112 u16 skbqueue; 113 u16 __pad; 114 }; 115 116 struct ip_set_ext { 117 struct ip_set_skbinfo skbinfo; 118 u64 packets; 119 u64 bytes; 120 char *comment; 121 u32 timeout; 122 u8 packets_op; 123 u8 bytes_op; 124 bool target; 125 }; 126 127 #define ext_timeout(e, s) \ 128 ((unsigned long *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_TIMEOUT])) 129 #define ext_counter(e, s) \ 130 ((struct ip_set_counter *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COUNTER])) 131 #define ext_comment(e, s) \ 132 ((struct ip_set_comment *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COMMENT])) 133 #define ext_skbinfo(e, s) \ 134 ((struct ip_set_skbinfo *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_SKBINFO])) 135 136 typedef int (*ipset_adtfn)(struct ip_set *set, void *value, 137 const struct ip_set_ext *ext, 138 struct ip_set_ext *mext, u32 cmdflags); 139 140 /* Kernel API function options */ 141 struct ip_set_adt_opt { 142 u8 family; /* Actual protocol family */ 143 u8 dim; /* Dimension of match/target */ 144 u8 flags; /* Direction and negation flags */ 145 u32 cmdflags; /* Command-like flags */ 146 struct ip_set_ext ext; /* Extensions */ 147 }; 148 149 /* Set type, variant-specific part */ 150 struct ip_set_type_variant { 151 /* Kernelspace: test/add/del entries 152 * returns negative error code, 153 * zero for no match/success to add/delete 154 * positive for matching element */ 155 int (*kadt)(struct ip_set *set, const struct sk_buff *skb, 156 const struct xt_action_param *par, 157 enum ipset_adt adt, struct ip_set_adt_opt *opt); 158 159 /* Userspace: test/add/del entries 160 * returns negative error code, 161 * zero for no match/success to add/delete 162 * positive for matching element */ 163 int (*uadt)(struct ip_set *set, struct nlattr *tb[], 164 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried); 165 166 /* Low level add/del/test functions */ 167 ipset_adtfn adt[IPSET_ADT_MAX]; 168 169 /* When adding entries and set is full, try to resize the set */ 170 int (*resize)(struct ip_set *set, bool retried); 171 /* Destroy the set */ 172 void (*destroy)(struct ip_set *set); 173 /* Flush the elements */ 174 void (*flush)(struct ip_set *set); 175 /* Expire entries before listing */ 176 void (*expire)(struct ip_set *set); 177 /* List set header data */ 178 int (*head)(struct ip_set *set, struct sk_buff *skb); 179 /* List elements */ 180 int (*list)(const struct ip_set *set, struct sk_buff *skb, 181 struct netlink_callback *cb); 182 /* Keep listing private when resizing runs parallel */ 183 void (*uref)(struct ip_set *set, struct netlink_callback *cb, 184 bool start); 185 186 /* Return true if "b" set is the same as "a" 187 * according to the create set parameters */ 188 bool (*same_set)(const struct ip_set *a, const struct ip_set *b); 189 /* Cancel ongoing garbage collectors before destroying the set*/ 190 void (*cancel_gc)(struct ip_set *set); 191 /* Region-locking is used */ 192 bool region_lock; 193 }; 194 195 struct ip_set_region { 196 spinlock_t lock; /* Region lock */ 197 size_t ext_size; /* Size of the dynamic extensions */ 198 u32 elements; /* Number of elements vs timeout */ 199 }; 200 201 /* Max range where every element is added/deleted in one step */ 202 #define IPSET_MAX_RANGE (1<<14) 203 204 /* The max revision number supported by any set type + 1 */ 205 #define IPSET_REVISION_MAX 9 206 207 /* The core set type structure */ 208 struct ip_set_type { 209 struct list_head list; 210 211 /* Typename */ 212 char name[IPSET_MAXNAMELEN]; 213 /* Protocol version */ 214 u8 protocol; 215 /* Set type dimension */ 216 u8 dimension; 217 /* 218 * Supported family: may be NFPROTO_UNSPEC for both 219 * NFPROTO_IPV4/NFPROTO_IPV6. 220 */ 221 u8 family; 222 /* Type revisions */ 223 u8 revision_min, revision_max; 224 /* Revision-specific supported (create) flags */ 225 u8 create_flags[IPSET_REVISION_MAX+1]; 226 /* Set features to control swapping */ 227 u16 features; 228 229 /* Create set */ 230 int (*create)(struct net *net, struct ip_set *set, 231 struct nlattr *tb[], u32 flags); 232 233 /* Attribute policies */ 234 const struct nla_policy create_policy[IPSET_ATTR_CREATE_MAX + 1]; 235 const struct nla_policy adt_policy[IPSET_ATTR_ADT_MAX + 1]; 236 237 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 238 struct module *me; 239 }; 240 241 /* register and unregister set type */ 242 extern int ip_set_type_register(struct ip_set_type *set_type); 243 extern void ip_set_type_unregister(struct ip_set_type *set_type); 244 245 /* A generic IP set */ 246 struct ip_set { 247 /* For call_cru in destroy */ 248 struct rcu_head rcu; 249 /* The name of the set */ 250 char name[IPSET_MAXNAMELEN]; 251 /* Lock protecting the set data */ 252 spinlock_t lock; 253 /* References to the set */ 254 u32 ref; 255 /* References to the set for netlink events like dump, 256 * ref can be swapped out by ip_set_swap 257 */ 258 u32 ref_netlink; 259 /* The core set type */ 260 struct ip_set_type *type; 261 /* The type variant doing the real job */ 262 const struct ip_set_type_variant *variant; 263 /* The actual INET family of the set */ 264 u8 family; 265 /* The type revision */ 266 u8 revision; 267 /* Extensions */ 268 u8 extensions; 269 /* Create flags */ 270 u8 flags; 271 /* Default timeout value, if enabled */ 272 u32 timeout; 273 /* Number of elements (vs timeout) */ 274 u32 elements; 275 /* Size of the dynamic extensions (vs timeout) */ 276 size_t ext_size; 277 /* Element data size */ 278 size_t dsize; 279 /* Offsets to extensions in elements */ 280 size_t offset[IPSET_EXT_ID_MAX]; 281 /* The type specific data */ 282 void *data; 283 }; 284 285 static inline void 286 ip_set_ext_destroy(struct ip_set *set, void *data) 287 { 288 /* Check that the extension is enabled for the set and 289 * call it's destroy function for its extension part in data. 290 */ 291 if (SET_WITH_COMMENT(set)) { 292 struct ip_set_comment *c = ext_comment(data, set); 293 294 ip_set_extensions[IPSET_EXT_ID_COMMENT].destroy(set, c); 295 } 296 } 297 298 int ip_set_put_flags(struct sk_buff *skb, struct ip_set *set); 299 300 /* Netlink CB args */ 301 enum { 302 IPSET_CB_NET = 0, /* net namespace */ 303 IPSET_CB_PROTO, /* ipset protocol */ 304 IPSET_CB_DUMP, /* dump single set/all sets */ 305 IPSET_CB_INDEX, /* set index */ 306 IPSET_CB_PRIVATE, /* set private data */ 307 IPSET_CB_ARG0, /* type specific */ 308 }; 309 310 /* register and unregister set references */ 311 extern ip_set_id_t ip_set_get_byname(struct net *net, 312 const char *name, struct ip_set **set); 313 extern void ip_set_put_byindex(struct net *net, ip_set_id_t index); 314 extern void ip_set_name_byindex(struct net *net, ip_set_id_t index, char *name); 315 extern ip_set_id_t ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index); 316 extern void ip_set_nfnl_put(struct net *net, ip_set_id_t index); 317 318 /* API for iptables set match, and SET target */ 319 320 extern int ip_set_add(ip_set_id_t id, const struct sk_buff *skb, 321 const struct xt_action_param *par, 322 struct ip_set_adt_opt *opt); 323 extern int ip_set_del(ip_set_id_t id, const struct sk_buff *skb, 324 const struct xt_action_param *par, 325 struct ip_set_adt_opt *opt); 326 extern int ip_set_test(ip_set_id_t id, const struct sk_buff *skb, 327 const struct xt_action_param *par, 328 struct ip_set_adt_opt *opt); 329 330 /* Utility functions */ 331 extern void *ip_set_alloc(size_t size); 332 extern void ip_set_free(void *members); 333 extern int ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr); 334 extern int ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr); 335 extern size_t ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], 336 size_t len, size_t align); 337 extern int ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[], 338 struct ip_set_ext *ext); 339 extern int ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set, 340 const void *e, bool active); 341 extern bool ip_set_match_extensions(struct ip_set *set, 342 const struct ip_set_ext *ext, 343 struct ip_set_ext *mext, 344 u32 flags, void *data); 345 346 static inline int 347 ip_set_get_hostipaddr4(struct nlattr *nla, u32 *ipaddr) 348 { 349 __be32 ip; 350 int ret = ip_set_get_ipaddr4(nla, &ip); 351 352 if (ret) 353 return ret; 354 *ipaddr = ntohl(ip); 355 return 0; 356 } 357 358 /* Ignore IPSET_ERR_EXIST errors if asked to do so? */ 359 static inline bool 360 ip_set_eexist(int ret, u32 flags) 361 { 362 return ret == -IPSET_ERR_EXIST && (flags & IPSET_FLAG_EXIST); 363 } 364 365 /* Match elements marked with nomatch */ 366 static inline bool 367 ip_set_enomatch(int ret, u32 flags, enum ipset_adt adt, struct ip_set *set) 368 { 369 return adt == IPSET_TEST && 370 (set->type->features & IPSET_TYPE_NOMATCH) && 371 ((flags >> 16) & IPSET_FLAG_NOMATCH) && 372 (ret > 0 || ret == -ENOTEMPTY); 373 } 374 375 /* Check the NLA_F_NET_BYTEORDER flag */ 376 static inline bool 377 ip_set_attr_netorder(struct nlattr *tb[], int type) 378 { 379 return tb[type] && (tb[type]->nla_type & NLA_F_NET_BYTEORDER); 380 } 381 382 static inline bool 383 ip_set_optattr_netorder(struct nlattr *tb[], int type) 384 { 385 return !tb[type] || (tb[type]->nla_type & NLA_F_NET_BYTEORDER); 386 } 387 388 /* Useful converters */ 389 static inline u32 390 ip_set_get_h32(const struct nlattr *attr) 391 { 392 return ntohl(nla_get_be32(attr)); 393 } 394 395 static inline u16 396 ip_set_get_h16(const struct nlattr *attr) 397 { 398 return ntohs(nla_get_be16(attr)); 399 } 400 401 static inline int nla_put_ipaddr4(struct sk_buff *skb, int type, __be32 ipaddr) 402 { 403 struct nlattr *__nested = nla_nest_start(skb, type); 404 int ret; 405 406 if (!__nested) 407 return -EMSGSIZE; 408 ret = nla_put_in_addr(skb, IPSET_ATTR_IPADDR_IPV4, ipaddr); 409 if (!ret) 410 nla_nest_end(skb, __nested); 411 return ret; 412 } 413 414 static inline int nla_put_ipaddr6(struct sk_buff *skb, int type, 415 const struct in6_addr *ipaddrptr) 416 { 417 struct nlattr *__nested = nla_nest_start(skb, type); 418 int ret; 419 420 if (!__nested) 421 return -EMSGSIZE; 422 ret = nla_put_in6_addr(skb, IPSET_ATTR_IPADDR_IPV6, ipaddrptr); 423 if (!ret) 424 nla_nest_end(skb, __nested); 425 return ret; 426 } 427 428 /* Get address from skbuff */ 429 static inline __be32 430 ip4addr(const struct sk_buff *skb, bool src) 431 { 432 return src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr; 433 } 434 435 static inline void 436 ip4addrptr(const struct sk_buff *skb, bool src, __be32 *addr) 437 { 438 *addr = src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr; 439 } 440 441 static inline void 442 ip6addrptr(const struct sk_buff *skb, bool src, struct in6_addr *addr) 443 { 444 memcpy(addr, src ? &ipv6_hdr(skb)->saddr : &ipv6_hdr(skb)->daddr, 445 sizeof(*addr)); 446 } 447 448 /* How often should the gc be run by default */ 449 #define IPSET_GC_TIME (3 * 60) 450 451 /* Timeout period depending on the timeout value of the given set */ 452 #define IPSET_GC_PERIOD(timeout) \ 453 ((timeout/3) ? min_t(u32, (timeout)/3, IPSET_GC_TIME) : 1) 454 455 /* Entry is set with no timeout value */ 456 #define IPSET_ELEM_PERMANENT 0 457 458 /* Set is defined with timeout support: timeout value may be 0 */ 459 #define IPSET_NO_TIMEOUT UINT_MAX 460 461 /* Max timeout value, see msecs_to_jiffies() in jiffies.h */ 462 #define IPSET_MAX_TIMEOUT (UINT_MAX >> 1)/MSEC_PER_SEC 463 464 #define ip_set_adt_opt_timeout(opt, set) \ 465 ((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout) 466 467 static inline unsigned int 468 ip_set_timeout_uget(struct nlattr *tb) 469 { 470 unsigned int timeout = ip_set_get_h32(tb); 471 472 /* Normalize to fit into jiffies */ 473 if (timeout > IPSET_MAX_TIMEOUT) 474 timeout = IPSET_MAX_TIMEOUT; 475 476 return timeout; 477 } 478 479 static inline bool 480 ip_set_timeout_expired(const unsigned long *t) 481 { 482 return *t != IPSET_ELEM_PERMANENT && time_is_before_jiffies(*t); 483 } 484 485 static inline void 486 ip_set_timeout_set(unsigned long *timeout, u32 value) 487 { 488 unsigned long t; 489 490 if (!value) { 491 *timeout = IPSET_ELEM_PERMANENT; 492 return; 493 } 494 495 t = msecs_to_jiffies(value * MSEC_PER_SEC) + jiffies; 496 if (t == IPSET_ELEM_PERMANENT) 497 /* Bingo! :-) */ 498 t--; 499 *timeout = t; 500 } 501 502 void ip_set_init_comment(struct ip_set *set, struct ip_set_comment *comment, 503 const struct ip_set_ext *ext); 504 505 static inline void 506 ip_set_init_counter(struct ip_set_counter *counter, 507 const struct ip_set_ext *ext) 508 { 509 if (ext->bytes != ULLONG_MAX) 510 atomic64_set(&(counter)->bytes, (long long)(ext->bytes)); 511 if (ext->packets != ULLONG_MAX) 512 atomic64_set(&(counter)->packets, (long long)(ext->packets)); 513 } 514 515 static inline void 516 ip_set_init_skbinfo(struct ip_set_skbinfo *skbinfo, 517 const struct ip_set_ext *ext) 518 { 519 *skbinfo = ext->skbinfo; 520 } 521 522 static inline void 523 nf_inet_addr_mask_inplace(union nf_inet_addr *a1, 524 const union nf_inet_addr *mask) 525 { 526 a1->all[0] &= mask->all[0]; 527 a1->all[1] &= mask->all[1]; 528 a1->all[2] &= mask->all[2]; 529 a1->all[3] &= mask->all[3]; 530 } 531 532 #define IP_SET_INIT_KEXT(skb, opt, set) \ 533 { .bytes = (skb)->len, .packets = 1, .target = true,\ 534 .timeout = ip_set_adt_opt_timeout(opt, set) } 535 536 #define IP_SET_INIT_UEXT(set) \ 537 { .bytes = ULLONG_MAX, .packets = ULLONG_MAX, \ 538 .timeout = (set)->timeout } 539 540 #define IPSET_CONCAT(a, b) a##b 541 #define IPSET_TOKEN(a, b) IPSET_CONCAT(a, b) 542 543 #endif /*_IP_SET_H */ 544