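/**
 * ipset.h
 *
 * Author: Kevin Chou
 * Email: k9982874@gmail.com
 */
#ifndef IPSET_H
#define IPSET_H
/** \file
 *
 * This file declares the ipset module. The module handles answers by
 * putting the A and AAAA addresses of names that are configured in
 * unbound.conf as type ipset (local-zone statements) into a firewall
 * IPSet, for firewall blacklist and whitelist usage.
 *
 * To use the ipset module, install the libmnl-dev (or libmnl-devel)
 * package, configure with --enable-ipset and compile. Then enable the
 * module in unbound.conf with
 *     module-config: "ipset validator iterator"
 * create the sets the module will fill, for example
 *     ipset -N blacklist iphash
 *     ipset -N blacklist6 iphash family inet6
 * (both the set named by name-v4 and the set named by name-v6 must
 * exist before unbound adds to them; the IPv6 set must be created with
 * family inet6), and then add
 *     local-zone: "example.com." ipset
 * statements for the zones where you want the addresses of the names
 * looked up added to the set.
 *
 * Set the names of the sets with
 *     ipset:
 *         name-v4: "blacklist"
 *         name-v6: "blacklist6"
 * in unbound.conf.
 *
 * The sets can then be used in this way:
 *     iptables -A INPUT -m set --set blacklist src -j DROP
 *     ip6tables -A INPUT -m set --set blacklist6 src -j DROP
 *
 * Security note: the set contents are driven entirely by DNS answers.
 * Whoever controls the zones listed with "local-zone: ... ipset" (or can
 * forge answers for them) decides which addresses end up in the set.
 * For a DROP (blacklist) rule that is usually acceptable; for an ACCEPT
 * (whitelist) rule it lets the zone owner open the firewall to arbitrary
 * addresses, so only list zones you trust and keep the validator in the
 * module chain as in the module-config example above. Nothing in this
 * interface removes addresses again (no TTL-based expiry is declared
 * here) - confirm the lifetime of set entries in ipset.c before relying
 * on it.
 */

#include "util/module.h"

#ifdef __cplusplus
extern "C" {
#endif

/**
 * Module-wide (per module_env) state of the ipset module.
 * Field order is part of the layout shared with ipset.c; do not reorder.
 */
struct ipset_env {
	/** opaque handle used to talk to the kernel ipset subsystem;
	 * presumably the libmnl socket (see libmnl requirement above).
	 * The concrete type lives in ipset.c. */
	void* mnl;

	/** nonzero when addresses are to be added to the IPv4 set;
	 * presumably derived from name-v4 being configured - confirm in ipset.c */
	int v4_enabled;
	/** nonzero when addresses are to be added to the IPv6 set;
	 * presumably derived from name-v6 being configured - confirm in ipset.c */
	int v6_enabled;

	/** name of the IPv4 set (unbound.conf option ipset: name-v4).
	 * Ownership is not established by this header; it is likely a
	 * pointer into the parsed config, so do not free it from here. */
	const char *name_v4;
	/** name of the IPv6 set (unbound.conf option ipset: name-v6).
	 * Same ownership caveat as name_v4. */
	const char *name_v6;
};

/**
 * Per-query state of the ipset module. The module keeps no real
 * per-query data; the member only keeps the struct non-empty.
 */
struct ipset_qstate {
	int dummy;
};

/**
 * Init the ipset module.
 * @param env: module environment; the module stores its ipset_env here.
 * @param id: this module's id (its slot in the module stack).
 * @return status as required by module_func_block.init (nonzero means
 *	success in unbound's module convention - confirm in ipset.c).
 */
int ipset_init(struct module_env* env, int id);
/**
 * Deinit the ipset module and release the state created by ipset_init.
 * @param env: module environment.
 * @param id: this module's id.
 */
void ipset_deinit(struct module_env* env, int id);
/**
 * Operate on an event on a query (in qstate).
 * @param qstate: query state the event applies to.
 * @param event: the module event to handle.
 * @param id: this module's id.
 * @param outbound: outbound entry for the event, when there is one.
 */
void ipset_operate(struct module_qstate* qstate, enum module_ev event,
	int id, struct outbound_entry* outbound);
/**
 * Subordinate query done, inform this super request of its conclusion.
 * @param qstate: the finished subordinate query.
 * @param id: this module's id.
 * @param super: the super (parent) query to inform.
 */
void ipset_inform_super(struct module_qstate* qstate, int id,
	struct module_qstate* super);
/**
 * Clear the ipset query-specific contents out of qstate.
 * @param qstate: query state to clean up.
 * @param id: this module's id.
 */
void ipset_clear(struct module_qstate* qstate, int id);
/**
 * Return memory estimate for the ipset module.
 * @param env: module environment.
 * @param id: this module's id.
 * @return estimated number of bytes in use by the module.
 */
size_t ipset_get_mem(struct module_env* env, int id);

/**
 * Get the function block with pointers to the ipset functions.
 * @return the function block for "ipset".
 */
struct module_func_block* ipset_get_funcblock(void);

#ifdef __cplusplus
}
#endif

#endif /* IPSET_H */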