Google Git
Sign in
googlers / maze / iptables / 6d7d91e86729e3b2bcca6821409e8d78e83430e7 / . / include / linux / netfilter_ipv4 / ip_set.h
blob: 92a746e9df69353b5ba061664a4cc3281205c8cd [file] [log] [blame]
#ifndef _IP_SET_H
#define _IP_SET_H
/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
* Patrick Schaaf <bof@bof.de>
* Martin Josefsson <gandalf@wlug.westbo.se>
* Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#if 0
#define IP_SET_DEBUG
#endif
/*
* A sockopt of such quality has hardly ever been seen before on the open
* market! This little beauty, hardly ever used: above 64, so it's
* traditionally used for firewalling, not touched (even once!) by the
* 2.0, 2.2 and 2.4 kernels!
*
* Comes with its own certificate of authenticity, valid anywhere in the
* Free world!
*
* Rusty, 19.4.2000
*/
#define SO_IP_SET 83
/*
* Heavily modify by Joakim Axelsson 08.03.2002
* - Made it more modulebased
*
* Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
* - bindings added
* - in order to "deal with" backward compatibility, renamed to ipset
*/
/*
* Used so that the kernel module and ipset-binary can match their versions
*/
#define IP_SET_PROTOCOL_VERSION 2
#define IP_SET_MAXNAMELEN 32 /* set names and set typenames */
/* Lets work with our own typedef for representing an IP address.
* We hope to make the code more portable, possibly to IPv6...
*
* The representation works in HOST byte order, because most set types
* will perform arithmetic operations and compare operations.
*
* For now the type is an uint32_t.
*
* Make sure to ONLY use the functions when translating and parsing
* in order to keep the host byte order and make it more portable:
* parse_ip()
* parse_mask()
* parse_ipandmask()
* ip_tostring()
* (Joakim: where are they???)
*/
typedef uint32_t ip_set_ip_t;
/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
* and IP_SET_INVALID_ID if you want to increase the max number of sets.
*/
typedef uint16_t ip_set_id_t;
#define IP_SET_INVALID_ID 65535
/* How deep we follow bindings */
#define IP_SET_MAX_BINDINGS 6
/*
* Option flags for kernel operations (ipt_set_info)
*/
#define IPSET_SRC 0x01 /* Source match/add */
#define IPSET_DST 0x02 /* Destination match/add */
#define IPSET_MATCH_INV 0x04 /* Inverse matching */
/*
* Set features
*/
#define IPSET_TYPE_IP 0x01 /* IP address type of set */
#define IPSET_TYPE_PORT 0x02 /* Port type of set */
#define IPSET_DATA_SINGLE 0x04 /* Single data storage */
#define IPSET_DATA_DOUBLE 0x08 /* Double data storage */
/* Reserved keywords */
#define IPSET_TOKEN_DEFAULT ":default:"
#define IPSET_TOKEN_ALL ":all:"
/* SO_IP_SET operation constants, and their request struct types.
*
* Operation ids:
* 0-99: commands with version checking
* 100-199: add/del/test/bind/unbind
* 200-299: list, save, restore
*/
/* Single shot operations:
* version, create, destroy, flush, rename and swap
*
* Sets are identified by name.
*/
#define IP_SET_REQ_STD \
unsigned op; \
unsigned version; \
char name[IP_SET_MAXNAMELEN]
#define IP_SET_OP_CREATE 0x00000001 /* Create a new (empty) set */
struct ip_set_req_create {
IP_SET_REQ_STD;
char typename[IP_SET_MAXNAMELEN];
};
#define IP_SET_OP_DESTROY 0x00000002 /* Remove a (empty) set */
struct ip_set_req_std {
IP_SET_REQ_STD;
};
#define IP_SET_OP_FLUSH 0x00000003 /* Remove all IPs in a set */
/* Uses ip_set_req_std */
#define IP_SET_OP_RENAME 0x00000004 /* Rename a set */
/* Uses ip_set_req_create */
#define IP_SET_OP_SWAP 0x00000005 /* Swap two sets */
/* Uses ip_set_req_create */
union ip_set_name_index {
char name[IP_SET_MAXNAMELEN];
ip_set_id_t index;
};
#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
struct ip_set_req_get_set {
unsigned op;
unsigned version;
union ip_set_name_index set;
};
#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
/* Uses ip_set_req_get_set */
#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
struct ip_set_req_version {
unsigned op;
unsigned version;
};
/* Double shots operations:
* add, del, test, bind and unbind.
*
* First we query the kernel to get the index and type of the target set,
* then issue the command. Validity of IP is checked in kernel in order
* to minimalize sockopt operations.
*/
/* Get minimal set data for add/del/test/bind/unbind IP */
#define IP_SET_OP_ADT_GET 0x00000010 /* Get set and type */
struct ip_set_req_adt_get {
unsigned op;
unsigned version;
union ip_set_name_index set;
char typename[IP_SET_MAXNAMELEN];
};
#define IP_SET_REQ_BYINDEX \
unsigned op; \
ip_set_id_t index;
struct ip_set_req_adt {
IP_SET_REQ_BYINDEX;
};
#define IP_SET_OP_ADD_IP 0x00000101 /* Add an IP to a set */
/* Uses ip_set_req_adt, with type specific addage */
#define IP_SET_OP_DEL_IP 0x00000102 /* Remove an IP from a set */
/* Uses ip_set_req_adt, with type specific addage */
#define IP_SET_OP_TEST_IP 0x00000103 /* Test an IP in a set */
/* Uses ip_set_req_adt, with type specific addage */
#define IP_SET_OP_BIND_SET 0x00000104 /* Bind an IP to a set */
/* Uses ip_set_req_bind, with type specific addage */
struct ip_set_req_bind {
IP_SET_REQ_BYINDEX;
char binding[IP_SET_MAXNAMELEN];
};
#define IP_SET_OP_UNBIND_SET 0x00000105 /* Unbind an IP from a set */
/* Uses ip_set_req_bind, with type speficic addage
* index = 0 means unbinding for all sets */
#define IP_SET_OP_TEST_BIND_SET 0x00000106 /* Test binding an IP to a set */
/* Uses ip_set_req_bind, with type specific addage */
/* Multiple shots operations: list, save, restore.
*
* - check kernel version and query the max number of sets
* - get the basic information on all sets
* and size required for the next step
* - get actual set data: header, data, bindings
*/
/* Get max_sets and the index of a queried set
*/
#define IP_SET_OP_MAX_SETS 0x00000020
struct ip_set_req_max_sets {
unsigned op;
unsigned version;
ip_set_id_t max_sets; /* max_sets */
ip_set_id_t sets; /* real number of sets */
union ip_set_name_index set; /* index of set if name used */
};
/* Get the id and name of the sets plus size for next step */
#define IP_SET_OP_LIST_SIZE 0x00000201
#define IP_SET_OP_SAVE_SIZE 0x00000202
struct ip_set_req_setnames {
unsigned op;
ip_set_id_t index; /* set to list/save */
size_t size; /* size to get setdata/bindings */
/* followed by sets number of struct ip_set_name_list */
};
struct ip_set_name_list {
char name[IP_SET_MAXNAMELEN];
char typename[IP_SET_MAXNAMELEN];
ip_set_id_t index;
ip_set_id_t id;
};
/* The actual list operation */
#define IP_SET_OP_LIST 0x00000203
struct ip_set_req_list {
IP_SET_REQ_BYINDEX;
/* sets number of struct ip_set_list in reply */
};
struct ip_set_list {
ip_set_id_t index;
ip_set_id_t binding;
u_int32_t ref;
size_t header_size; /* Set header data of header_size */
size_t members_size; /* Set members data of members_size */
size_t bindings_size; /* Set bindings data of bindings_size */
};
struct ip_set_hash_list {
ip_set_ip_t ip;
ip_set_id_t binding;
};
/* The save operation */
#define IP_SET_OP_SAVE 0x00000204
/* Uses ip_set_req_list, in the reply replaced by
* sets number of struct ip_set_save plus a marker
* ip_set_save followed by ip_set_hash_save structures.
*/
struct ip_set_save {
ip_set_id_t index;
ip_set_id_t binding;
size_t header_size; /* Set header data of header_size */
size_t members_size; /* Set members data of members_size */
};
/* At restoring, ip == 0 means default binding for the given set: */
struct ip_set_hash_save {
ip_set_ip_t ip;
ip_set_id_t id;
ip_set_id_t binding;
};
/* The restore operation */
#define IP_SET_OP_RESTORE 0x00000205
/* Uses ip_set_req_setnames followed by ip_set_restore structures
* plus a marker ip_set_restore, followed by ip_set_hash_save
* structures.
*/
struct ip_set_restore {
char name[IP_SET_MAXNAMELEN];
char typename[IP_SET_MAXNAMELEN];
ip_set_id_t index;
size_t header_size; /* Create data of header_size */
size_t members_size; /* Set members data of members_size */
};
static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
{
return 4 * ((((b - a + 8) / 8) + 3) / 4);
}
#ifdef __KERNEL__
#define ip_set_printk(format, args...) \
do { \
printk("%s: %s: ", __FILE__, __FUNCTION__); \
printk(format "\n" , ## args); \
} while (0)
#if defined(IP_SET_DEBUG)
#define DP(format, args...) \
do { \
printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
printk(format "\n" , ## args); \
} while (0)
#define IP_SET_ASSERT(x) \
do { \
if (!(x)) \
printk("IP_SET_ASSERT: %s:%i(%s)\n", \
__FILE__, __LINE__, __FUNCTION__); \
} while (0)
#else
#define DP(format, args...)
#define IP_SET_ASSERT(x)
#endif
struct ip_set;
/*
* The ip_set_type definition - one per set type, e.g. "ipmap".
*
* Each individual set has a pointer, set->type, going to one
* of these structures. Function pointers inside the structure implement
* the real behaviour of the sets.
*
* If not mentioned differently, the implementation behind the function
* pointers of a set_type, is expected to return 0 if ok, and a negative
* errno (e.g. -EINVAL) on error.
*/
struct ip_set_type {
struct list_head list; /* next in list of set types */
/* test for IP in set (kernel: iptables -m set src|dst)
* return 0 if not in set, 1 if in set.
*/
int (*testip_kernel) (struct ip_set *set,
const struct sk_buff * skb,
ip_set_ip_t *ip,
const u_int32_t *flags,
unsigned char index);
/* test for IP in set (userspace: ipset -T set IP)
* return 0 if not in set, 1 if in set.
*/
int (*testip) (struct ip_set *set,
const void *data, size_t size,
ip_set_ip_t *ip);
/*
* Size of the data structure passed by when
* adding/deletin/testing an entry.
*/
size_t reqsize;
/* Add IP into set (userspace: ipset -A set IP)
* Return -EEXIST if the address is already in the set,
* and -ERANGE if the address lies outside the set bounds.
* If the address was not already in the set, 0 is returned.
*/
int (*addip) (struct ip_set *set,
const void *data, size_t size,
ip_set_ip_t *ip);
/* Add IP into set (kernel: iptables ... -j SET set src|dst)
* Return -EEXIST if the address is already in the set,
* and -ERANGE if the address lies outside the set bounds.
* If the address was not already in the set, 0 is returned.
*/
int (*addip_kernel) (struct ip_set *set,
const struct sk_buff * skb,
ip_set_ip_t *ip,
const u_int32_t *flags,
unsigned char index);
/* remove IP from set (userspace: ipset -D set --entry x)
* Return -EEXIST if the address is NOT in the set,
* and -ERANGE if the address lies outside the set bounds.
* If the address really was in the set, 0 is returned.
*/
int (*delip) (struct ip_set *set,
const void *data, size_t size,
ip_set_ip_t *ip);
/* remove IP from set (kernel: iptables ... -j SET --entry x)
* Return -EEXIST if the address is NOT in the set,
* and -ERANGE if the address lies outside the set bounds.
* If the address really was in the set, 0 is returned.
*/
int (*delip_kernel) (struct ip_set *set,
const struct sk_buff * skb,
ip_set_ip_t *ip,
const u_int32_t *flags,
unsigned char index);
/* new set creation - allocated type specific items
*/
int (*create) (struct ip_set *set,
const void *data, size_t size);
/* retry the operation after successfully tweaking the set
*/
int (*retry) (struct ip_set *set);
/* set destruction - free type specific items
* There is no return value.
* Can be called only when child sets are destroyed.
*/
void (*destroy) (struct ip_set *set);
/* set flushing - reset all bits in the set, or something similar.
* There is no return value.
*/
void (*flush) (struct ip_set *set);
/* Listing: size needed for header
*/
size_t header_size;
/* Listing: Get the header
*
* Fill in the information in "data".
* This function is always run after list_header_size() under a
* writelock on the set. Therefor is the length of "data" always
* correct.
*/
void (*list_header) (const struct ip_set *set,
void *data);
/* Listing: Get the size for the set members
*/
int (*list_members_size) (const struct ip_set *set);
/* Listing: Get the set members
*
* Fill in the information in "data".
* This function is always run after list_member_size() under a
* writelock on the set. Therefor is the length of "data" always
* correct.
*/
void (*list_members) (const struct ip_set *set,
void *data);
char typename[IP_SET_MAXNAMELEN];
unsigned char features;
int protocol_version;
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
struct module *me;
};
extern int ip_set_register_set_type(struct ip_set_type *set_type);
extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
/* A generic ipset */
struct ip_set {
char name[IP_SET_MAXNAMELEN]; /* the name of the set */
rwlock_t lock; /* lock for concurrency control */
ip_set_id_t id; /* set id for swapping */
ip_set_id_t binding; /* default binding for the set */
atomic_t ref; /* in kernel and in hash references */
struct ip_set_type *type; /* the set types */
void *data; /* pooltype specific data */
};
/* Structure to bind set elements to sets */
struct ip_set_hash {
struct list_head list; /* list of clashing entries in hash */
ip_set_ip_t ip; /* ip from set */
ip_set_id_t id; /* set id */
ip_set_id_t binding; /* set we bind the element to */
};
/* register and unregister set references */
extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
extern void ip_set_put(ip_set_id_t id);
/* API for iptables set match, and SET target */
extern void ip_set_addip_kernel(ip_set_id_t id,
const struct sk_buff *skb,
const u_int32_t *flags);
extern void ip_set_delip_kernel(ip_set_id_t id,
const struct sk_buff *skb,
const u_int32_t *flags);
extern int ip_set_testip_kernel(ip_set_id_t id,
const struct sk_buff *skb,
const u_int32_t *flags);
#endif /* __KERNEL__ */
#endif /*_IP_SET_H*/