1/* SPDX-License-Identifier: GPL-2.0-only */ 2/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> 3 * Patrick Schaaf <bof@bof.de> 4 * Martin Josefsson <gandalf@wlug.westbo.se> 5 * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org> 6 */ 7#ifndef _IP_SET_H 8#define _IP_SET_H 9 10#include <linux/ip.h> 11#include <linux/ipv6.h> 12#include <linux/netlink.h> 13#include <linux/netfilter.h> 14#include <linux/netfilter/x_tables.h> 15#include <linux/stringify.h> 16#include <linux/vmalloc.h> 17#include <net/netlink.h> 18#include <uapi/linux/netfilter/ipset/ip_set.h> 19 20#define _IP_SET_MODULE_DESC(a, b, c) \ 21 MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c) 22#define IP_SET_MODULE_DESC(a, b, c) \ 23 _IP_SET_MODULE_DESC(a, __stringify(b), __stringify(c)) 24 25/* Set features */ 26enum ip_set_feature { 27 IPSET_TYPE_IP_FLAG = 0, 28 IPSET_TYPE_IP = (1 << IPSET_TYPE_IP_FLAG), 29 IPSET_TYPE_PORT_FLAG = 1, 30 IPSET_TYPE_PORT = (1 << IPSET_TYPE_PORT_FLAG), 31 IPSET_TYPE_MAC_FLAG = 2, 32 IPSET_TYPE_MAC = (1 << IPSET_TYPE_MAC_FLAG), 33 IPSET_TYPE_IP2_FLAG = 3, 34 IPSET_TYPE_IP2 = (1 << IPSET_TYPE_IP2_FLAG), 35 IPSET_TYPE_NAME_FLAG = 4, 36 IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG), 37 IPSET_TYPE_IFACE_FLAG = 5, 38 IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG), 39 IPSET_TYPE_MARK_FLAG = 6, 40 IPSET_TYPE_MARK = (1 << IPSET_TYPE_MARK_FLAG), 41 IPSET_TYPE_NOMATCH_FLAG = 7, 42 IPSET_TYPE_NOMATCH = (1 << IPSET_TYPE_NOMATCH_FLAG), 43 /* Strictly speaking not a feature, but a flag for dumping: 44 * this settype must be dumped last */ 45 IPSET_DUMP_LAST_FLAG = 8, 46 IPSET_DUMP_LAST = (1 << IPSET_DUMP_LAST_FLAG), 47}; 48 49/* Set extensions */ 50enum ip_set_extension { 51 IPSET_EXT_BIT_TIMEOUT = 0, 52 IPSET_EXT_TIMEOUT = (1 << IPSET_EXT_BIT_TIMEOUT), 53 IPSET_EXT_BIT_COUNTER = 1, 54 IPSET_EXT_COUNTER = (1 << IPSET_EXT_BIT_COUNTER), 55 IPSET_EXT_BIT_COMMENT = 2, 56 IPSET_EXT_COMMENT = (1 << IPSET_EXT_BIT_COMMENT), 57 IPSET_EXT_BIT_SKBINFO = 3, 58 IPSET_EXT_SKBINFO = (1 << IPSET_EXT_BIT_SKBINFO), 59 /* Mark set with an extension which needs to call destroy */ 60 IPSET_EXT_BIT_DESTROY = 7, 61 IPSET_EXT_DESTROY = (1 << IPSET_EXT_BIT_DESTROY), 62}; 63 64#define SET_WITH_TIMEOUT(s) ((s)->extensions & IPSET_EXT_TIMEOUT) 65#define SET_WITH_COUNTER(s) ((s)->extensions & IPSET_EXT_COUNTER) 66#define SET_WITH_COMMENT(s) ((s)->extensions & IPSET_EXT_COMMENT) 67#define SET_WITH_SKBINFO(s) ((s)->extensions & IPSET_EXT_SKBINFO) 68#define SET_WITH_FORCEADD(s) ((s)->flags & IPSET_CREATE_FLAG_FORCEADD) 69 70/* Extension id, in size order */ 71enum ip_set_ext_id { 72 IPSET_EXT_ID_COUNTER = 0, 73 IPSET_EXT_ID_TIMEOUT, 74 IPSET_EXT_ID_SKBINFO, 75 IPSET_EXT_ID_COMMENT, 76 IPSET_EXT_ID_MAX, 77}; 78 79struct ip_set; 80 81/* Extension type */ 82struct ip_set_ext_type { 83 /* Destroy extension private data (can be NULL) */ 84 void (*destroy)(struct ip_set *set, void *ext); 85 enum ip_set_extension type; 86 enum ipset_cadt_flags flag; 87 /* Size and minimal alignment */ 88 u8 len; 89 u8 align; 90}; 91 92extern const struct ip_set_ext_type ip_set_extensions[]; 93 94struct ip_set_counter { 95 atomic64_t bytes; 96 atomic64_t packets; 97}; 98 99struct ip_set_comment_rcu { 100 struct rcu_head rcu; 101 char str[]; 102}; 103 104struct ip_set_comment { 105 struct ip_set_comment_rcu __rcu *c; 106}; 107 108struct ip_set_skbinfo { 109 u32 skbmark; 110 u32 skbmarkmask; 111 u32 skbprio; 112 u16 skbqueue; 113 u16 __pad; 114}; 115 116struct ip_set_ext { 117 struct ip_set_skbinfo skbinfo; 118 u64 packets; 119 u64 bytes; 120 char *comment; 121 u32 timeout; 122 u8 packets_op; 123 u8 bytes_op; 124 bool target; 125}; 126 127#define ext_timeout(e, s) \ 128((unsigned long *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_TIMEOUT])) 129#define ext_counter(e, s) \ 130((struct ip_set_counter *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COUNTER])) 131#define ext_comment(e, s) \ 132((struct ip_set_comment *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COMMENT])) 133#define ext_skbinfo(e, s) \ 134((struct ip_set_skbinfo *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_SKBINFO])) 135 136typedef int (*ipset_adtfn)(struct ip_set *set, void *value, 137 const struct ip_set_ext *ext, 138 struct ip_set_ext *mext, u32 cmdflags); 139 140/* Kernel API function options */ 141struct ip_set_adt_opt { 142 u8 family; /* Actual protocol family */ 143 u8 dim; /* Dimension of match/target */ 144 u8 flags; /* Direction and negation flags */ 145 u32 cmdflags; /* Command-like flags */ 146 struct ip_set_ext ext; /* Extensions */ 147}; 148 149/* Set type, variant-specific part */ 150struct ip_set_type_variant { 151 /* Kernelspace: test/add/del entries 152 * returns negative error code, 153 * zero for no match/success to add/delete 154 * positive for matching element */ 155 int (*kadt)(struct ip_set *set, const struct sk_buff *skb, 156 const struct xt_action_param *par, 157 enum ipset_adt adt, struct ip_set_adt_opt *opt); 158 159 /* Userspace: test/add/del entries 160 * returns negative error code, 161 * zero for no match/success to add/delete 162 * positive for matching element */ 163 int (*uadt)(struct ip_set *set, struct nlattr *tb[], 164 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried); 165 166 /* Low level add/del/test functions */ 167 ipset_adtfn adt[IPSET_ADT_MAX]; 168 169 /* When adding entries and set is full, try to resize the set */ 170 int (*resize)(struct ip_set *set, bool retried); 171 /* Destroy the set */ 172 void (*destroy)(struct ip_set *set); 173 /* Flush the elements */ 174 void (*flush)(struct ip_set *set); 175 /* Expire entries before listing */ 176 void (*expire)(struct ip_set *set); 177 /* List set header data */ 178 int (*head)(struct ip_set *set, struct sk_buff *skb); 179 /* List elements */ 180 int (*list)(const struct ip_set *set, struct sk_buff *skb, 181 struct netlink_callback *cb); 182 /* Keep listing private when resizing runs parallel */ 183 void (*uref)(struct ip_set *set, struct netlink_callback *cb, 184 bool start); 185 186 /* Return true if "b" set is the same as "a" 187 * according to the create set parameters */ 188 bool (*same_set)(const struct ip_set *a, const struct ip_set *b); 189 /* Cancel ongoing garbage collectors before destroying the set*/ 190 void (*cancel_gc)(struct ip_set *set); 191 /* Region-locking is used */ 192 bool region_lock; 193}; 194 195struct ip_set_region { 196 spinlock_t lock; /* Region lock */ 197 size_t ext_size; /* Size of the dynamic extensions */ 198 u32 elements; /* Number of elements vs timeout */ 199}; 200 201/* Max range where every element is added/deleted in one step */ 202#define IPSET_MAX_RANGE (1<<14) 203 204/* The max revision number supported by any set type + 1 */ 205#define IPSET_REVISION_MAX 9 206 207/* The core set type structure */ 208struct ip_set_type { 209 struct list_head list; 210 211 /* Typename */ 212 char name[IPSET_MAXNAMELEN]; 213 /* Protocol version */ 214 u8 protocol; 215 /* Set type dimension */ 216 u8 dimension; 217 /* 218 * Supported family: may be NFPROTO_UNSPEC for both 219 * NFPROTO_IPV4/NFPROTO_IPV6. 220 */ 221 u8 family; 222 /* Type revisions */ 223 u8 revision_min, revision_max; 224 /* Revision-specific supported (create) flags */ 225 u8 create_flags[IPSET_REVISION_MAX+1]; 226 /* Set features to control swapping */ 227 u16 features; 228 229 /* Create set */ 230 int (*create)(struct net *net, struct ip_set *set, 231 struct nlattr *tb[], u32 flags); 232 233 /* Attribute policies */ 234 const struct nla_policy create_policy[IPSET_ATTR_CREATE_MAX + 1]; 235 const struct nla_policy adt_policy[IPSET_ATTR_ADT_MAX + 1]; 236 237 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 238 struct module *me; 239}; 240 241/* register and unregister set type */ 242extern int ip_set_type_register(struct ip_set_type *set_type); 243extern void ip_set_type_unregister(struct ip_set_type *set_type); 244 245/* A generic IP set */ 246struct ip_set { 247 /* For call_cru in destroy */ 248 struct rcu_head rcu; 249 /* The name of the set */ 250 char name[IPSET_MAXNAMELEN]; 251 /* Lock protecting the set data */ 252 spinlock_t lock; 253 /* References to the set */ 254 u32 ref; 255 /* References to the set for netlink events like dump, 256 * ref can be swapped out by ip_set_swap 257 */ 258 u32 ref_netlink; 259 /* The core set type */ 260 struct ip_set_type *type; 261 /* The type variant doing the real job */ 262 const struct ip_set_type_variant *variant; 263 /* The actual INET family of the set */ 264 u8 family; 265 /* The type revision */ 266 u8 revision; 267 /* Extensions */ 268 u8 extensions; 269 /* Create flags */ 270 u8 flags; 271 /* Default timeout value, if enabled */ 272 u32 timeout; 273 /* Number of elements (vs timeout) */ 274 u32 elements; 275 /* Size of the dynamic extensions (vs timeout) */ 276 size_t ext_size; 277 /* Element data size */ 278 size_t dsize; 279 /* Offsets to extensions in elements */ 280 size_t offset[IPSET_EXT_ID_MAX]; 281 /* The type specific data */ 282 void *data; 283}; 284 285static inline void 286ip_set_ext_destroy(struct ip_set *set, void *data) 287{ 288 /* Check that the extension is enabled for the set and 289 * call it's destroy function for its extension part in data. 290 */ 291 if (SET_WITH_COMMENT(set)) { 292 struct ip_set_comment *c = ext_comment(data, set); 293 294 ip_set_extensions[IPSET_EXT_ID_COMMENT].destroy(set, c); 295 } 296} 297 298int ip_set_put_flags(struct sk_buff *skb, struct ip_set *set); 299 300/* Netlink CB args */ 301enum { 302 IPSET_CB_NET = 0, /* net namespace */ 303 IPSET_CB_PROTO, /* ipset protocol */ 304 IPSET_CB_DUMP, /* dump single set/all sets */ 305 IPSET_CB_INDEX, /* set index */ 306 IPSET_CB_PRIVATE, /* set private data */ 307 IPSET_CB_ARG0, /* type specific */ 308}; 309 310/* register and unregister set references */ 311extern ip_set_id_t ip_set_get_byname(struct net *net, 312 const char *name, struct ip_set **set); 313extern void ip_set_put_byindex(struct net *net, ip_set_id_t index); 314extern void ip_set_name_byindex(struct net *net, ip_set_id_t index, char *name); 315extern ip_set_id_t ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index); 316extern void ip_set_nfnl_put(struct net *net, ip_set_id_t index); 317 318/* API for iptables set match, and SET target */ 319 320extern int ip_set_add(ip_set_id_t id, const struct sk_buff *skb, 321 const struct xt_action_param *par, 322 struct ip_set_adt_opt *opt); 323extern int ip_set_del(ip_set_id_t id, const struct sk_buff *skb, 324 const struct xt_action_param *par, 325 struct ip_set_adt_opt *opt); 326extern int ip_set_test(ip_set_id_t id, const struct sk_buff *skb, 327 const struct xt_action_param *par, 328 struct ip_set_adt_opt *opt); 329 330/* Utility functions */ 331extern void *ip_set_alloc(size_t size); 332extern void ip_set_free(void *members); 333extern int ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr); 334extern int ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr); 335extern size_t ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], 336 size_t len, size_t align); 337extern int ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[], 338 struct ip_set_ext *ext); 339extern int ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set, 340 const void *e, bool active); 341extern bool ip_set_match_extensions(struct ip_set *set, 342 const struct ip_set_ext *ext, 343 struct ip_set_ext *mext, 344 u32 flags, void *data); 345 346static inline int 347ip_set_get_hostipaddr4(struct nlattr *nla, u32 *ipaddr) 348{ 349 __be32 ip; 350 int ret = ip_set_get_ipaddr4(nla, &ip); 351 352 if (ret) 353 return ret; 354 *ipaddr = ntohl(ip); 355 return 0; 356} 357 358/* Ignore IPSET_ERR_EXIST errors if asked to do so? */ 359static inline bool 360ip_set_eexist(int ret, u32 flags) 361{ 362 return ret == -IPSET_ERR_EXIST && (flags & IPSET_FLAG_EXIST); 363} 364 365/* Match elements marked with nomatch */ 366static inline bool 367ip_set_enomatch(int ret, u32 flags, enum ipset_adt adt, struct ip_set *set) 368{ 369 return adt == IPSET_TEST && 370 (set->type->features & IPSET_TYPE_NOMATCH) && 371 ((flags >> 16) & IPSET_FLAG_NOMATCH) && 372 (ret > 0 || ret == -ENOTEMPTY); 373} 374 375/* Check the NLA_F_NET_BYTEORDER flag */ 376static inline bool 377ip_set_attr_netorder(struct nlattr *tb[], int type) 378{ 379 return tb[type] && (tb[type]->nla_type & NLA_F_NET_BYTEORDER); 380} 381 382static inline bool 383ip_set_optattr_netorder(struct nlattr *tb[], int type) 384{ 385 return !tb[type] || (tb[type]->nla_type & NLA_F_NET_BYTEORDER); 386} 387 388/* Useful converters */ 389static inline u32 390ip_set_get_h32(const struct nlattr *attr) 391{ 392 return ntohl(nla_get_be32(attr)); 393} 394 395static inline u16 396ip_set_get_h16(const struct nlattr *attr) 397{ 398 return ntohs(nla_get_be16(attr)); 399} 400 401static inline int nla_put_ipaddr4(struct sk_buff *skb, int type, __be32 ipaddr) 402{ 403 struct nlattr *__nested = nla_nest_start(skb, type); 404 int ret; 405 406 if (!__nested) 407 return -EMSGSIZE; 408 ret = nla_put_in_addr(skb, IPSET_ATTR_IPADDR_IPV4, ipaddr); 409 if (!ret) 410 nla_nest_end(skb, __nested); 411 return ret; 412} 413 414static inline int nla_put_ipaddr6(struct sk_buff *skb, int type, 415 const struct in6_addr *ipaddrptr) 416{ 417 struct nlattr *__nested = nla_nest_start(skb, type); 418 int ret; 419 420 if (!__nested) 421 return -EMSGSIZE; 422 ret = nla_put_in6_addr(skb, IPSET_ATTR_IPADDR_IPV6, ipaddrptr); 423 if (!ret) 424 nla_nest_end(skb, __nested); 425 return ret; 426} 427 428/* Get address from skbuff */ 429static inline __be32 430ip4addr(const struct sk_buff *skb, bool src) 431{ 432 return src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr; 433} 434 435static inline void 436ip4addrptr(const struct sk_buff *skb, bool src, __be32 *addr) 437{ 438 *addr = src ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr; 439} 440 441static inline void 442ip6addrptr(const struct sk_buff *skb, bool src, struct in6_addr *addr) 443{ 444 memcpy(addr, src ? &ipv6_hdr(skb)->saddr : &ipv6_hdr(skb)->daddr, 445 sizeof(*addr)); 446} 447 448/* How often should the gc be run by default */ 449#define IPSET_GC_TIME (3 * 60) 450 451/* Timeout period depending on the timeout value of the given set */ 452#define IPSET_GC_PERIOD(timeout) \ 453 ((timeout/3) ? min_t(u32, (timeout)/3, IPSET_GC_TIME) : 1) 454 455/* Entry is set with no timeout value */ 456#define IPSET_ELEM_PERMANENT 0 457 458/* Set is defined with timeout support: timeout value may be 0 */ 459#define IPSET_NO_TIMEOUT UINT_MAX 460 461/* Max timeout value, see msecs_to_jiffies() in jiffies.h */ 462#define IPSET_MAX_TIMEOUT (UINT_MAX >> 1)/MSEC_PER_SEC 463 464#define ip_set_adt_opt_timeout(opt, set) \ 465((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout) 466 467static inline unsigned int 468ip_set_timeout_uget(struct nlattr *tb) 469{ 470 unsigned int timeout = ip_set_get_h32(tb); 471 472 /* Normalize to fit into jiffies */ 473 if (timeout > IPSET_MAX_TIMEOUT) 474 timeout = IPSET_MAX_TIMEOUT; 475 476 return timeout; 477} 478 479static inline bool 480ip_set_timeout_expired(const unsigned long *t) 481{ 482 return *t != IPSET_ELEM_PERMANENT && time_is_before_jiffies(*t); 483} 484 485static inline void 486ip_set_timeout_set(unsigned long *timeout, u32 value) 487{ 488 unsigned long t; 489 490 if (!value) { 491 *timeout = IPSET_ELEM_PERMANENT; 492 return; 493 } 494 495 t = msecs_to_jiffies(value * MSEC_PER_SEC) + jiffies; 496 if (t == IPSET_ELEM_PERMANENT) 497 /* Bingo! :-) */ 498 t--; 499 *timeout = t; 500} 501 502void ip_set_init_comment(struct ip_set *set, struct ip_set_comment *comment, 503 const struct ip_set_ext *ext); 504 505static inline void 506ip_set_init_counter(struct ip_set_counter *counter, 507 const struct ip_set_ext *ext) 508{ 509 if (ext->bytes != ULLONG_MAX) 510 atomic64_set(&(counter)->bytes, (long long)(ext->bytes)); 511 if (ext->packets != ULLONG_MAX) 512 atomic64_set(&(counter)->packets, (long long)(ext->packets)); 513} 514 515static inline void 516ip_set_init_skbinfo(struct ip_set_skbinfo *skbinfo, 517 const struct ip_set_ext *ext) 518{ 519 *skbinfo = ext->skbinfo; 520} 521 522static inline void 523nf_inet_addr_mask_inplace(union nf_inet_addr *a1, 524 const union nf_inet_addr *mask) 525{ 526 a1->all[0] &= mask->all[0]; 527 a1->all[1] &= mask->all[1]; 528 a1->all[2] &= mask->all[2]; 529 a1->all[3] &= mask->all[3]; 530} 531 532#define IP_SET_INIT_KEXT(skb, opt, set) \ 533 { .bytes = (skb)->len, .packets = 1, .target = true,\ 534 .timeout = ip_set_adt_opt_timeout(opt, set) } 535 536#define IP_SET_INIT_UEXT(set) \ 537 { .bytes = ULLONG_MAX, .packets = ULLONG_MAX, \ 538 .timeout = (set)->timeout } 539 540#define IPSET_CONCAT(a, b) a##b 541#define IPSET_TOKEN(a, b) IPSET_CONCAT(a, b) 542 543#endif /*_IP_SET_H */ 544