projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
net: add ETH_P_802_3_MIN
[linux-block.git] / net / netfilter / ipset / ip_set_core.c
CommitLineData
a7b4f989
JK		 1/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 */
9
10/* Kernel module for IP set management */
11
12#include <linux/init.h>
13#include <linux/module.h>
14#include <linux/moduleparam.h>
15#include <linux/ip.h>
16#include <linux/skbuff.h>
17#include <linux/spinlock.h>
18#include <linux/netlink.h>
19#include <linux/rculist.h>
a7b4f989
JK		 20#include <net/netlink.h>
21
22#include <linux/netfilter.h>
b66554cf 23#include <linux/netfilter/x_tables.h>
a7b4f989
JK		 24#include <linux/netfilter/nfnetlink.h>
25#include <linux/netfilter/ipset/ip_set.h>
26
27static LIST_HEAD(ip_set_type_list); /* all registered set types */
28static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */
2f9f28b2 29static DEFINE_RWLOCK(ip_set_ref_lock); /* protects the set refs */
a7b4f989 30
9076aea7 31static struct ip_set * __rcu *ip_set_list; /* all individual sets */
a7b4f989
JK		 32static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */
33
9076aea7 34#define IP_SET_INC 64
a7b4f989
JK		 35#define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
36
37static unsigned int max_sets;
38
39module_param(max_sets, int, 0600);
40MODULE_PARM_DESC(max_sets, "maximal number of sets");
41MODULE_LICENSE("GPL");
42MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
43MODULE_DESCRIPTION("core IP set support");
44MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
45
9076aea7
JK		 46/* When the nfnl mutex is held: */
47#define nfnl_dereference(p) \
48 rcu_dereference_protected(p, 1)
49#define nfnl_set(id) \
50 nfnl_dereference(ip_set_list)[id]
51
a7b4f989
JK		 52/*
53 * The set types are implemented in modules and registered set types
54 * can be found in ip_set_type_list. Adding/deleting types is
55 * serialized by ip_set_type_mutex.
56 */
57
58static inline void
59ip_set_type_lock(void)
60{
61 mutex_lock(&ip_set_type_mutex);
62}
63
64static inline void
65ip_set_type_unlock(void)
66{
67 mutex_unlock(&ip_set_type_mutex);
68}
69
70/* Register and deregister settype */
71
72static struct ip_set_type *
73find_set_type(const char *name, u8 family, u8 revision)
74{
75 struct ip_set_type *type;
76
77 list_for_each_entry_rcu(type, &ip_set_type_list, list)
78 if (STREQ(type->name, name) &&
3ace95c0
JK		 79 (type->family == family ||
80 type->family == NFPROTO_UNSPEC) &&
f1e00b39
JK		 81 revision >= type->revision_min &&
82 revision <= type->revision_max)
a7b4f989
JK		 83 return type;
84 return NULL;
85}
86
87/* Unlock, try to load a set type module and lock again */
088067f4
JK		 88static bool
89load_settype(const char *name)
a7b4f989 90{
c14b78e7 91 nfnl_unlock(NFNL_SUBSYS_IPSET);
a7b4f989
JK		 92 pr_debug("try to load ip_set_%s\n", name);
93 if (request_module("ip_set_%s", name) < 0) {
94 pr_warning("Can't find ip_set type %s\n", name);
c14b78e7 95 nfnl_lock(NFNL_SUBSYS_IPSET);
088067f4 96 return false;
a7b4f989 97 }
c14b78e7 98 nfnl_lock(NFNL_SUBSYS_IPSET);
088067f4 99 return true;
a7b4f989
JK		 100}
101
102/* Find a set type and reference it */
088067f4
JK		 103#define find_set_type_get(name, family, revision, found) \
104 __find_set_type_get(name, family, revision, found, false)
105
a7b4f989 106static int
088067f4
JK		 107__find_set_type_get(const char *name, u8 family, u8 revision,
108 struct ip_set_type **found, bool retry)
a7b4f989 109{
5c1aba46
JK		 110 struct ip_set_type *type;
111 int err;
112
088067f4
JK		 113 if (retry && !load_settype(name))
114 return -IPSET_ERR_FIND_TYPE;
115
a7b4f989
JK		 116 rcu_read_lock();
117 *found = find_set_type(name, family, revision);
118 if (*found) {
5c1aba46
JK		 119 err = !try_module_get((*found)->me) ? -EFAULT : 0;
120 goto unlock;
a7b4f989 121 }
088067f4
JK		 122 /* Make sure the type is already loaded
123 * but we don't support the revision */
5c1aba46
JK		 124 list_for_each_entry_rcu(type, &ip_set_type_list, list)
125 if (STREQ(type->name, name)) {
126 err = -IPSET_ERR_FIND_TYPE;
127 goto unlock;
128 }
a7b4f989
JK		 129 rcu_read_unlock();
130
088067f4
JK		 131 return retry ? -IPSET_ERR_FIND_TYPE :
132 __find_set_type_get(name, family, revision, found, true);
5c1aba46
JK		 133
134unlock:
135 rcu_read_unlock();
136 return err;
a7b4f989
JK		 137}
138
139/* Find a given set type by name and family.
140 * If we succeeded, the supported minimal and maximum revisions are
141 * filled out.
142 */
088067f4
JK		 143#define find_set_type_minmax(name, family, min, max) \
144 __find_set_type_minmax(name, family, min, max, false)
145
a7b4f989 146static int
088067f4
JK		 147__find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max,
148 bool retry)
a7b4f989
JK		 149{
150 struct ip_set_type *type;
151 bool found = false;
152
088067f4
JK		 153 if (retry && !load_settype(name))
154 return -IPSET_ERR_FIND_TYPE;
155
5c1aba46 156 *min = 255; *max = 0;
a7b4f989
JK		 157 rcu_read_lock();
158 list_for_each_entry_rcu(type, &ip_set_type_list, list)
159 if (STREQ(type->name, name) &&
3ace95c0
JK		 160 (type->family == family ||
161 type->family == NFPROTO_UNSPEC)) {
a7b4f989 162 found = true;
f1e00b39
JK		 163 if (type->revision_min < *min)
164 *min = type->revision_min;
165 if (type->revision_max > *max)
166 *max = type->revision_max;
a7b4f989
JK		 167 }
168 rcu_read_unlock();
169 if (found)
170 return 0;
171
088067f4
JK		 172 return retry ? -IPSET_ERR_FIND_TYPE :
173 __find_set_type_minmax(name, family, min, max, true);
a7b4f989
JK		 174}
175
c15f1c83
JE		 176#define family_name(f) ((f) == NFPROTO_IPV4 ? "inet" : \
177 (f) == NFPROTO_IPV6 ? "inet6" : "any")
a7b4f989
JK		 178
179/* Register a set type structure. The type is identified by
180 * the unique triple of name, family and revision.
181 */
182int
183ip_set_type_register(struct ip_set_type *type)
184{
185 int ret = 0;
186
187 if (type->protocol != IPSET_PROTOCOL) {
f1e00b39 188 pr_warning("ip_set type %s, family %s, revision %u:%u uses "
a7b4f989
JK		 189 "wrong protocol version %u (want %u)\n",
190 type->name, family_name(type->family),
f1e00b39
JK		 191 type->revision_min, type->revision_max,
192 type->protocol, IPSET_PROTOCOL);
a7b4f989
JK		 193 return -EINVAL;
194 }
195
196 ip_set_type_lock();
f1e00b39 197 if (find_set_type(type->name, type->family, type->revision_min)) {
a7b4f989 198 /* Duplicate! */
f1e00b39 199 pr_warning("ip_set type %s, family %s with revision min %u "
a7b4f989 200 "already registered!\n", type->name,
f1e00b39 201 family_name(type->family), type->revision_min);
a7b4f989
JK		 202 ret = -EINVAL;
203 goto unlock;
204 }
205 list_add_rcu(&type->list, &ip_set_type_list);
f1e00b39
JK		 206 pr_debug("type %s, family %s, revision %u:%u registered.\n",
207 type->name, family_name(type->family),
208 type->revision_min, type->revision_max);
a7b4f989
JK		 209unlock:
210 ip_set_type_unlock();
211 return ret;
212}
213EXPORT_SYMBOL_GPL(ip_set_type_register);
214
215/* Unregister a set type. There's a small race with ip_set_create */
216void
217ip_set_type_unregister(struct ip_set_type *type)
218{
219 ip_set_type_lock();
f1e00b39
JK		 220 if (!find_set_type(type->name, type->family, type->revision_min)) {
221 pr_warning("ip_set type %s, family %s with revision min %u "
a7b4f989 222 "not registered\n", type->name,
f1e00b39 223 family_name(type->family), type->revision_min);
a7b4f989
JK		 224 goto unlock;
225 }
226 list_del_rcu(&type->list);
f1e00b39
JK		 227 pr_debug("type %s, family %s with revision min %u unregistered.\n",
228 type->name, family_name(type->family), type->revision_min);
a7b4f989
JK		 229unlock:
230 ip_set_type_unlock();
231
232 synchronize_rcu();
233}
234EXPORT_SYMBOL_GPL(ip_set_type_unregister);
235
236/* Utility functions */
237void *
238ip_set_alloc(size_t size)
239{
240 void *members = NULL;
241
242 if (size < KMALLOC_MAX_SIZE)
243 members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
244
245 if (members) {
246 pr_debug("%p: allocated with kmalloc\n", members);
247 return members;
248 }
249
250 members = vzalloc(size);
251 if (!members)
252 return NULL;
253 pr_debug("%p: allocated with vmalloc\n", members);
254
255 return members;
256}
257EXPORT_SYMBOL_GPL(ip_set_alloc);
258
259void
260ip_set_free(void *members)
261{
262 pr_debug("%p: free with %s\n", members,
263 is_vmalloc_addr(members) ? "vfree" : "kfree");
264 if (is_vmalloc_addr(members))
265 vfree(members);
266 else
267 kfree(members);
268}
269EXPORT_SYMBOL_GPL(ip_set_free);
270
271static inline bool
272flag_nested(const struct nlattr *nla)
273{
274 return nla->nla_type & NLA_F_NESTED;
275}
276
277static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
278 [IPSET_ATTR_IPADDR_IPV4] = { .type = NLA_U32 },
279 [IPSET_ATTR_IPADDR_IPV6] = { .type = NLA_BINARY,
280 .len = sizeof(struct in6_addr) },
281};
282
283int
284ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr)
285{
286 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
287
288 if (unlikely(!flag_nested(nla)))
289 return -IPSET_ERR_PROTOCOL;
8da560ce 290 if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
a7b4f989
JK		 291 return -IPSET_ERR_PROTOCOL;
292 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4)))
293 return -IPSET_ERR_PROTOCOL;
294
295 *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]);
296 return 0;
297}
298EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4);
299
300int
301ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
302{
303 struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
304
305 if (unlikely(!flag_nested(nla)))
306 return -IPSET_ERR_PROTOCOL;
307
8da560ce 308 if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
a7b4f989
JK		 309 return -IPSET_ERR_PROTOCOL;
310 if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6)))
311 return -IPSET_ERR_PROTOCOL;
312
313 memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]),
314 sizeof(struct in6_addr));
315 return 0;
316}
317EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
318
319/*
320 * Creating/destroying/renaming/swapping affect the existence and
321 * the properties of a set. All of these can be executed from userspace
322 * only and serialized by the nfnl mutex indirectly from nfnetlink.
323 *
324 * Sets are identified by their index in ip_set_list and the index
325 * is used by the external references (set/SET netfilter modules).
326 *
327 * The set behind an index may change by swapping only, from userspace.
328 */
329
330static inline void
9076aea7 331__ip_set_get(struct ip_set *set)
a7b4f989 332{
2f9f28b2 333 write_lock_bh(&ip_set_ref_lock);
9076aea7 334 set->ref++;
2f9f28b2 335 write_unlock_bh(&ip_set_ref_lock);
a7b4f989
JK		 336}
337
338static inline void
9076aea7 339__ip_set_put(struct ip_set *set)
a7b4f989 340{
2f9f28b2 341 write_lock_bh(&ip_set_ref_lock);
9076aea7
JK		 342 BUG_ON(set->ref == 0);
343 set->ref--;
2f9f28b2 344 write_unlock_bh(&ip_set_ref_lock);
a7b4f989
JK		 345}
346
347/*
348 * Add, del and test set entries from kernel.
349 *
350 * The set behind the index must exist and must be referenced
351 * so it can't be destroyed (or changed) under our foot.
352 */
353
9076aea7
JK		 354static inline struct ip_set *
355ip_set_rcu_get(ip_set_id_t index)
356{
357 struct ip_set *set;
358
359 rcu_read_lock();
360 /* ip_set_list itself needs to be protected */
361 set = rcu_dereference(ip_set_list)[index];
362 rcu_read_unlock();
363
364 return set;
365}
366
a7b4f989
JK		 367int
368ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
b66554cf 369 const struct xt_action_param *par,
ac8cc925 370 const struct ip_set_adt_opt *opt)
a7b4f989 371{
9076aea7 372 struct ip_set *set = ip_set_rcu_get(index);
a7b4f989
JK		 373 int ret = 0;
374
2f9f28b2 375 BUG_ON(set == NULL);
a7b4f989
JK		 376 pr_debug("set %s, index %u\n", set->name, index);
377
ac8cc925 378 if (opt->dim < set->type->dimension ||
c15f1c83 379 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
a7b4f989
JK		 380 return 0;
381
382 read_lock_bh(&set->lock);
b66554cf 383 ret = set->variant->kadt(set, skb, par, IPSET_TEST, opt);
a7b4f989
JK		 384 read_unlock_bh(&set->lock);
385
386 if (ret == -EAGAIN) {
387 /* Type requests element to be completed */
388 pr_debug("element must be competed, ADD is triggered\n");
389 write_lock_bh(&set->lock);
b66554cf 390 set->variant->kadt(set, skb, par, IPSET_ADD, opt);
a7b4f989
JK		 391 write_unlock_bh(&set->lock);
392 ret = 1;
3e0304a5
JK		 393 } else {
394 /* --return-nomatch: invert matched element */
395 if ((opt->flags & IPSET_RETURN_NOMATCH) &&
396 (set->type->features & IPSET_TYPE_NOMATCH) &&
397 (ret > 0 || ret == -ENOTEMPTY))
398 ret = -ret;
a7b4f989
JK		 399 }
400
401 /* Convert error codes to nomatch */
402 return (ret < 0 ? 0 : ret);
403}
404EXPORT_SYMBOL_GPL(ip_set_test);
405
406int
407ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
b66554cf 408 const struct xt_action_param *par,
ac8cc925 409 const struct ip_set_adt_opt *opt)
a7b4f989 410{
9076aea7 411 struct ip_set *set = ip_set_rcu_get(index);
a7b4f989
JK		 412 int ret;
413
2f9f28b2 414 BUG_ON(set == NULL);
a7b4f989
JK		 415 pr_debug("set %s, index %u\n", set->name, index);
416
ac8cc925 417 if (opt->dim < set->type->dimension ||
c15f1c83 418 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
a7b4f989
JK		 419 return 0;
420
421 write_lock_bh(&set->lock);
b66554cf 422 ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt);
a7b4f989
JK		 423 write_unlock_bh(&set->lock);
424
425 return ret;
426}
427EXPORT_SYMBOL_GPL(ip_set_add);
428
429int
430ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
b66554cf 431 const struct xt_action_param *par,
ac8cc925 432 const struct ip_set_adt_opt *opt)
a7b4f989 433{
9076aea7 434 struct ip_set *set = ip_set_rcu_get(index);
a7b4f989
JK		 435 int ret = 0;
436
2f9f28b2 437 BUG_ON(set == NULL);
a7b4f989
JK		 438 pr_debug("set %s, index %u\n", set->name, index);
439
ac8cc925 440 if (opt->dim < set->type->dimension ||
c15f1c83 441 !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
a7b4f989
JK		 442 return 0;
443
444 write_lock_bh(&set->lock);
b66554cf 445 ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt);
a7b4f989
JK		 446 write_unlock_bh(&set->lock);
447
448 return ret;
449}
450EXPORT_SYMBOL_GPL(ip_set_del);
451
452/*
453 * Find set by name, reference it once. The reference makes sure the
454 * thing pointed to, does not go away under our feet.
455 *
a7b4f989
JK		 456 */
457ip_set_id_t
458ip_set_get_byname(const char *name, struct ip_set **set)
459{
460 ip_set_id_t i, index = IPSET_INVALID_ID;
461 struct ip_set *s;
462
9076aea7 463 rcu_read_lock();
a7b4f989 464 for (i = 0; i < ip_set_max; i++) {
9076aea7 465 s = rcu_dereference(ip_set_list)[i];
a7b4f989 466 if (s != NULL && STREQ(s->name, name)) {
9076aea7 467 __ip_set_get(s);
a7b4f989
JK		 468 index = i;
469 *set = s;
9076aea7 470 break;
a7b4f989
JK		 471 }
472 }
9076aea7 473 rcu_read_unlock();
a7b4f989
JK		 474
475 return index;
476}
477EXPORT_SYMBOL_GPL(ip_set_get_byname);
478
479/*
480 * If the given set pointer points to a valid set, decrement
481 * reference count by 1. The caller shall not assume the index
482 * to be valid, after calling this function.
483 *
a7b4f989
JK		 484 */
485void
486ip_set_put_byindex(ip_set_id_t index)
487{
9076aea7
JK		 488 struct ip_set *set;
489
490 rcu_read_lock();
491 set = rcu_dereference(ip_set_list)[index];
492 if (set != NULL)
493 __ip_set_put(set);
494 rcu_read_unlock();
a7b4f989
JK		 495}
496EXPORT_SYMBOL_GPL(ip_set_put_byindex);
497
498/*
499 * Get the name of a set behind a set index.
500 * We assume the set is referenced, so it does exist and
501 * can't be destroyed. The set cannot be renamed due to
502 * the referencing either.
503 *
a7b4f989
JK		 504 */
505const char *
506ip_set_name_byindex(ip_set_id_t index)
507{
9076aea7 508 const struct ip_set *set = ip_set_rcu_get(index);
a7b4f989
JK		 509
510 BUG_ON(set == NULL);
2f9f28b2 511 BUG_ON(set->ref == 0);
a7b4f989
JK		 512
513 /* Referenced, so it's safe */
514 return set->name;
515}
516EXPORT_SYMBOL_GPL(ip_set_name_byindex);
517
518/*
519 * Routines to call by external subsystems, which do not
520 * call nfnl_lock for us.
521 */
522
523/*
524 * Find set by name, reference it once. The reference makes sure the
525 * thing pointed to, does not go away under our feet.
526 *
527 * The nfnl mutex is used in the function.
528 */
529ip_set_id_t
530ip_set_nfnl_get(const char *name)
531{
9076aea7 532 ip_set_id_t i, index = IPSET_INVALID_ID;
a7b4f989 533 struct ip_set *s;
a7b4f989 534
c14b78e7 535 nfnl_lock(NFNL_SUBSYS_IPSET);
9076aea7
JK		 536 for (i = 0; i < ip_set_max; i++) {
537 s = nfnl_set(i);
538 if (s != NULL && STREQ(s->name, name)) {
539 __ip_set_get(s);
540 index = i;
541 break;
542 }
543 }
c14b78e7 544 nfnl_unlock(NFNL_SUBSYS_IPSET);
a7b4f989
JK		 545
546 return index;
547}
548EXPORT_SYMBOL_GPL(ip_set_nfnl_get);
549
550/*
551 * Find set by index, reference it once. The reference makes sure the
552 * thing pointed to, does not go away under our feet.
553 *
554 * The nfnl mutex is used in the function.
555 */
556ip_set_id_t
557ip_set_nfnl_get_byindex(ip_set_id_t index)
558{
9076aea7
JK		 559 struct ip_set *set;
560
a7b4f989
JK		 561 if (index > ip_set_max)
562 return IPSET_INVALID_ID;
563
c14b78e7 564 nfnl_lock(NFNL_SUBSYS_IPSET);
9076aea7
JK		 565 set = nfnl_set(index);
566 if (set)
567 __ip_set_get(set);
a7b4f989
JK		 568 else
569 index = IPSET_INVALID_ID;
c14b78e7 570 nfnl_unlock(NFNL_SUBSYS_IPSET);
a7b4f989
JK		 571
572 return index;
573}
574EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex);
575
576/*
577 * If the given set pointer points to a valid set, decrement
578 * reference count by 1. The caller shall not assume the index
579 * to be valid, after calling this function.
580 *
581 * The nfnl mutex is used in the function.
582 */
583void
584ip_set_nfnl_put(ip_set_id_t index)
585{
9076aea7 586 struct ip_set *set;
c14b78e7 587 nfnl_lock(NFNL_SUBSYS_IPSET);
9076aea7
JK		 588 set = nfnl_set(index);
589 if (set != NULL)
590 __ip_set_put(set);
c14b78e7 591 nfnl_unlock(NFNL_SUBSYS_IPSET);
a7b4f989
JK		 592}
593EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
594
595/*
596 * Communication protocol with userspace over netlink.
597 *
2f9f28b2 598 * The commands are serialized by the nfnl mutex.
a7b4f989
JK		 599 */
600
601static inline bool
602protocol_failed(const struct nlattr * const tb[])
603{
604 return !tb[IPSET_ATTR_PROTOCOL] ||
605 nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL;
606}
607
608static inline u32
609flag_exist(const struct nlmsghdr *nlh)
610{
611 return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST;
612}
613
614static struct nlmsghdr *
15e47304 615start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags,
a7b4f989
JK		 616 enum ipset_cmd cmd)
617{
618 struct nlmsghdr *nlh;
619 struct nfgenmsg *nfmsg;
620
15e47304 621 nlh = nlmsg_put(skb, portid, seq, cmd | (NFNL_SUBSYS_IPSET << 8),
a7b4f989
JK		 622 sizeof(*nfmsg), flags);
623 if (nlh == NULL)
624 return NULL;
625
626 nfmsg = nlmsg_data(nlh);
c15f1c83 627 nfmsg->nfgen_family = NFPROTO_IPV4;
a7b4f989
JK		 628 nfmsg->version = NFNETLINK_V0;
629 nfmsg->res_id = 0;
630
631 return nlh;
632}
633
634/* Create a set */
635
636static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = {
637 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
638 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
639 .len = IPSET_MAXNAMELEN - 1 },
640 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
641 .len = IPSET_MAXNAMELEN - 1},
642 [IPSET_ATTR_REVISION] = { .type = NLA_U8 },
643 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
644 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
645};
646
9076aea7
JK		 647static struct ip_set *
648find_set_and_id(const char *name, ip_set_id_t *id)
a7b4f989 649{
9076aea7
JK		 650 struct ip_set *set = NULL;
651 ip_set_id_t i;
a7b4f989 652
9076aea7
JK		 653 *id = IPSET_INVALID_ID;
654 for (i = 0; i < ip_set_max; i++) {
655 set = nfnl_set(i);
656 if (set != NULL && STREQ(set->name, name)) {
657 *id = i;
658 break;
659 }
a7b4f989 660 }
9076aea7 661 return (*id == IPSET_INVALID_ID ? NULL : set);
a7b4f989
JK		 662}
663
664static inline struct ip_set *
665find_set(const char *name)
666{
9076aea7 667 ip_set_id_t id;
a7b4f989 668
9076aea7 669 return find_set_and_id(name, &id);
a7b4f989
JK		 670}
671
672static int
673find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set)
674{
9076aea7 675 struct ip_set *s;
a7b4f989
JK		 676 ip_set_id_t i;
677
678 *index = IPSET_INVALID_ID;
679 for (i = 0; i < ip_set_max; i++) {
9076aea7
JK		 680 s = nfnl_set(i);
681 if (s == NULL) {
a7b4f989
JK		 682 if (*index == IPSET_INVALID_ID)
683 *index = i;
9076aea7 684 } else if (STREQ(name, s->name)) {
a7b4f989 685 /* Name clash */
9076aea7 686 *set = s;
a7b4f989
JK		 687 return -EEXIST;
688 }
689 }
690 if (*index == IPSET_INVALID_ID)
691 /* No free slot remained */
692 return -IPSET_ERR_MAX_SETS;
693 return 0;
694}
695
d31f4d44
TB		 696static int
697ip_set_none(struct sock *ctnl, struct sk_buff *skb,
698 const struct nlmsghdr *nlh,
699 const struct nlattr * const attr[])
700{
701 return -EOPNOTSUPP;
702}
703
a7b4f989
JK		 704static int
705ip_set_create(struct sock *ctnl, struct sk_buff *skb,
706 const struct nlmsghdr *nlh,
707 const struct nlattr * const attr[])
708{
9846ada1 709 struct ip_set *set, *clash = NULL;
a7b4f989
JK		 710 ip_set_id_t index = IPSET_INVALID_ID;
711 struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {};
712 const char *name, *typename;
713 u8 family, revision;
714 u32 flags = flag_exist(nlh);
715 int ret = 0;
716
717 if (unlikely(protocol_failed(attr) ||
718 attr[IPSET_ATTR_SETNAME] == NULL ||
719 attr[IPSET_ATTR_TYPENAME] == NULL ||
720 attr[IPSET_ATTR_REVISION] == NULL ||
721 attr[IPSET_ATTR_FAMILY] == NULL ||
722 (attr[IPSET_ATTR_DATA] != NULL &&
723 !flag_nested(attr[IPSET_ATTR_DATA]))))
724 return -IPSET_ERR_PROTOCOL;
725
726 name = nla_data(attr[IPSET_ATTR_SETNAME]);
727 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
728 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
729 revision = nla_get_u8(attr[IPSET_ATTR_REVISION]);
730 pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
731 name, typename, family_name(family), revision);
732
733 /*
734 * First, and without any locks, allocate and initialize
735 * a normal base set structure.
736 */
737 set = kzalloc(sizeof(struct ip_set), GFP_KERNEL);
738 if (!set)
739 return -ENOMEM;
740 rwlock_init(&set->lock);
741 strlcpy(set->name, name, IPSET_MAXNAMELEN);
a7b4f989 742 set->family = family;
f1e00b39 743 set->revision = revision;
a7b4f989
JK		 744
745 /*
746 * Next, check that we know the type, and take
747 * a reference on the type, to make sure it stays available
748 * while constructing our new set.
749 *
750 * After referencing the type, we try to create the type
751 * specific part of the set without holding any locks.
752 */
753 ret = find_set_type_get(typename, family, revision, &(set->type));
754 if (ret)
755 goto out;
756
757 /*
758 * Without holding any locks, create private part.
759 */
760 if (attr[IPSET_ATTR_DATA] &&
8da560ce
PM		 761 nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA],
762 set->type->create_policy)) {
15b4d93f
JK		 763 ret = -IPSET_ERR_PROTOCOL;
764 goto put_out;
a7b4f989
JK		 765 }
766
767 ret = set->type->create(set, tb, flags);
768 if (ret != 0)
769 goto put_out;
770
771 /* BTW, ret==0 here. */
772
773 /*
774 * Here, we have a valid, constructed set and we are protected
2f9f28b2
JK		 775 * by the nfnl mutex. Find the first free index in ip_set_list
776 * and check clashing.
a7b4f989 777 */
3ace95c0 778 ret = find_free_id(set->name, &index, &clash);
9076aea7 779 if (ret == -EEXIST) {
a7b4f989 780 /* If this is the same set and requested, ignore error */
9076aea7 781 if ((flags & IPSET_FLAG_EXIST) &&
a7b4f989
JK		 782 STREQ(set->type->name, clash->type->name) &&
783 set->type->family == clash->type->family &&
f1e00b39
JK		 784 set->type->revision_min == clash->type->revision_min &&
785 set->type->revision_max == clash->type->revision_max &&
a7b4f989
JK		 786 set->variant->same_set(set, clash))
787 ret = 0;
788 goto cleanup;
9076aea7
JK		 789 } else if (ret == -IPSET_ERR_MAX_SETS) {
790 struct ip_set **list, **tmp;
791 ip_set_id_t i = ip_set_max + IP_SET_INC;
792
793 if (i < ip_set_max || i == IPSET_INVALID_ID)
794 /* Wraparound */
795 goto cleanup;
796
797 list = kzalloc(sizeof(struct ip_set *) * i, GFP_KERNEL);
798 if (!list)
799 goto cleanup;
800 /* nfnl mutex is held, both lists are valid */
801 tmp = nfnl_dereference(ip_set_list);
802 memcpy(list, tmp, sizeof(struct ip_set *) * ip_set_max);
803 rcu_assign_pointer(ip_set_list, list);
804 /* Make sure all current packets have passed through */
805 synchronize_net();
806 /* Use new list */
807 index = ip_set_max;
808 ip_set_max = i;
809 kfree(tmp);
810 ret = 0;
811 } else if (ret)
812 goto cleanup;
a7b4f989
JK		 813
814 /*
815 * Finally! Add our shiny new set to the list, and be done.
816 */
817 pr_debug("create: '%s' created with index %u!\n", set->name, index);
9076aea7 818 nfnl_set(index) = set;
a7b4f989
JK		 819
820 return ret;
821
822cleanup:
823 set->variant->destroy(set);
824put_out:
825 module_put(set->type->me);
826out:
827 kfree(set);
828 return ret;
829}
830
831/* Destroy sets */
832
833static const struct nla_policy
834ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
835 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
836 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
837 .len = IPSET_MAXNAMELEN - 1 },
838};
839
840static void
841ip_set_destroy_set(ip_set_id_t index)
842{
9076aea7 843 struct ip_set *set = nfnl_set(index);
a7b4f989
JK		 844
845 pr_debug("set: %s\n", set->name);
9076aea7 846 nfnl_set(index) = NULL;
a7b4f989
JK		 847
848 /* Must call it without holding any lock */
849 set->variant->destroy(set);
850 module_put(set->type->me);
851 kfree(set);
852}
853
854static int
855ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
856 const struct nlmsghdr *nlh,
857 const struct nlattr * const attr[])
858{
9076aea7 859 struct ip_set *s;
a7b4f989 860 ip_set_id_t i;
2f9f28b2 861 int ret = 0;
a7b4f989
JK		 862
863 if (unlikely(protocol_failed(attr)))
864 return -IPSET_ERR_PROTOCOL;
865
2f9f28b2
JK		 866 /* Commands are serialized and references are
867 * protected by the ip_set_ref_lock.
868 * External systems (i.e. xt_set) must call
869 * ip_set_put|get_nfnl_* functions, that way we
870 * can safely check references here.
871 *
872 * list:set timer can only decrement the reference
873 * counter, so if it's already zero, we can proceed
874 * without holding the lock.
875 */
876 read_lock_bh(&ip_set_ref_lock);
a7b4f989
JK		 877 if (!attr[IPSET_ATTR_SETNAME]) {
878 for (i = 0; i < ip_set_max; i++) {
9076aea7
JK		 879 s = nfnl_set(i);
880 if (s != NULL && s->ref) {
9d883232 881 ret = -IPSET_ERR_BUSY;
2f9f28b2
JK		 882 goto out;
883 }
a7b4f989 884 }
2f9f28b2 885 read_unlock_bh(&ip_set_ref_lock);
a7b4f989 886 for (i = 0; i < ip_set_max; i++) {
9076aea7
JK		 887 s = nfnl_set(i);
888 if (s != NULL)
a7b4f989
JK		 889 ip_set_destroy_set(i);
890 }
891 } else {
9076aea7
JK		 892 s = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME]), &i);
893 if (s == NULL) {
2f9f28b2
JK		 894 ret = -ENOENT;
895 goto out;
9076aea7 896 } else if (s->ref) {
2f9f28b2
JK		 897 ret = -IPSET_ERR_BUSY;
898 goto out;
899 }
900 read_unlock_bh(&ip_set_ref_lock);
a7b4f989
JK		 901
902 ip_set_destroy_set(i);
903 }
904 return 0;
2f9f28b2
JK		 905out:
906 read_unlock_bh(&ip_set_ref_lock);
907 return ret;
a7b4f989
JK		 908}
909
910/* Flush sets */
911
912static void
913ip_set_flush_set(struct ip_set *set)
914{
915 pr_debug("set: %s\n", set->name);
916
917 write_lock_bh(&set->lock);
918 set->variant->flush(set);
919 write_unlock_bh(&set->lock);
920}
921
922static int
923ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
924 const struct nlmsghdr *nlh,
925 const struct nlattr * const attr[])
926{
9076aea7 927 struct ip_set *s;
a7b4f989
JK		 928 ip_set_id_t i;
929
930 if (unlikely(protocol_failed(attr)))
9184a9cb 931 return -IPSET_ERR_PROTOCOL;
a7b4f989
JK		 932
933 if (!attr[IPSET_ATTR_SETNAME]) {
9076aea7
JK		 934 for (i = 0; i < ip_set_max; i++) {
935 s = nfnl_set(i);
936 if (s != NULL)
937 ip_set_flush_set(s);
938 }
a7b4f989 939 } else {
9076aea7
JK		 940 s = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
941 if (s == NULL)
a7b4f989
JK		 942 return -ENOENT;
943
9076aea7 944 ip_set_flush_set(s);
a7b4f989
JK		 945 }
946
947 return 0;
948}
949
950/* Rename a set */
951
952static const struct nla_policy
953ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = {
954 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
955 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
956 .len = IPSET_MAXNAMELEN - 1 },
957 [IPSET_ATTR_SETNAME2] = { .type = NLA_NUL_STRING,
958 .len = IPSET_MAXNAMELEN - 1 },
959};
960
961static int
962ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
963 const struct nlmsghdr *nlh,
964 const struct nlattr * const attr[])
965{
9076aea7 966 struct ip_set *set, *s;
a7b4f989
JK		 967 const char *name2;
968 ip_set_id_t i;
2f9f28b2 969 int ret = 0;
a7b4f989
JK		 970
971 if (unlikely(protocol_failed(attr) ||
972 attr[IPSET_ATTR_SETNAME] == NULL ||
973 attr[IPSET_ATTR_SETNAME2] == NULL))
974 return -IPSET_ERR_PROTOCOL;
975
976 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
977 if (set == NULL)
978 return -ENOENT;
2f9f28b2
JK		 979
980 read_lock_bh(&ip_set_ref_lock);
981 if (set->ref != 0) {
982 ret = -IPSET_ERR_REFERENCED;
983 goto out;
984 }
a7b4f989
JK		 985
986 name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
987 for (i = 0; i < ip_set_max; i++) {
9076aea7
JK		 988 s = nfnl_set(i);
989 if (s != NULL && STREQ(s->name, name2)) {
2f9f28b2
JK		 990 ret = -IPSET_ERR_EXIST_SETNAME2;
991 goto out;
992 }
a7b4f989
JK		 993 }
994 strncpy(set->name, name2, IPSET_MAXNAMELEN);
995
2f9f28b2
JK		 996out:
997 read_unlock_bh(&ip_set_ref_lock);
998 return ret;
a7b4f989
JK		 999}
1000
1001/* Swap two sets so that name/index points to the other.
1002 * References and set names are also swapped.
1003 *
2f9f28b2
JK		 1004 * The commands are serialized by the nfnl mutex and references are
1005 * protected by the ip_set_ref_lock. The kernel interfaces
a7b4f989
JK		 1006 * do not hold the mutex but the pointer settings are atomic
1007 * so the ip_set_list always contains valid pointers to the sets.
1008 */
1009
1010static int
1011ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
1012 const struct nlmsghdr *nlh,
1013 const struct nlattr * const attr[])
1014{
1015 struct ip_set *from, *to;
1016 ip_set_id_t from_id, to_id;
1017 char from_name[IPSET_MAXNAMELEN];
a7b4f989
JK		 1018
1019 if (unlikely(protocol_failed(attr) ||
1020 attr[IPSET_ATTR_SETNAME] == NULL ||
1021 attr[IPSET_ATTR_SETNAME2] == NULL))
1022 return -IPSET_ERR_PROTOCOL;
1023
9076aea7
JK		 1024 from = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME]), &from_id);
1025 if (from == NULL)
a7b4f989
JK		 1026 return -ENOENT;
1027
9076aea7
JK		 1028 to = find_set_and_id(nla_data(attr[IPSET_ATTR_SETNAME2]), &to_id);
1029 if (to == NULL)
a7b4f989
JK		 1030 return -IPSET_ERR_EXIST_SETNAME2;
1031
a7b4f989 1032 /* Features must not change.
25985edc 1033 * Not an artificial restriction anymore, as we must prevent
a7b4f989
JK		 1034 * possible loops created by swapping in setlist type of sets. */
1035 if (!(from->type->features == to->type->features &&
1036 from->type->family == to->type->family))
1037 return -IPSET_ERR_TYPE_MISMATCH;
1038
a7b4f989 1039 strncpy(from_name, from->name, IPSET_MAXNAMELEN);
a7b4f989 1040 strncpy(from->name, to->name, IPSET_MAXNAMELEN);
a7b4f989 1041 strncpy(to->name, from_name, IPSET_MAXNAMELEN);
a7b4f989 1042
2f9f28b2
JK		 1043 write_lock_bh(&ip_set_ref_lock);
1044 swap(from->ref, to->ref);
9076aea7
JK		 1045 nfnl_set(from_id) = to;
1046 nfnl_set(to_id) = from;
2f9f28b2 1047 write_unlock_bh(&ip_set_ref_lock);
a7b4f989
JK		 1048
1049 return 0;
1050}
1051
1052/* List/save set data */
1053
c1e2e043
JK		 1054#define DUMP_INIT 0
1055#define DUMP_ALL 1
1056#define DUMP_ONE 2
1057#define DUMP_LAST 3
1058
1059#define DUMP_TYPE(arg) (((u32)(arg)) & 0x0000FFFF)
1060#define DUMP_FLAGS(arg) (((u32)(arg)) >> 16)
a7b4f989
JK		 1061
1062static int
1063ip_set_dump_done(struct netlink_callback *cb)
1064{
1065 if (cb->args[2]) {
9076aea7 1066 pr_debug("release set %s\n", nfnl_set(cb->args[1])->name);
2f9f28b2 1067 ip_set_put_byindex((ip_set_id_t) cb->args[1]);
a7b4f989
JK		 1068 }
1069 return 0;
1070}
1071
1072static inline void
1073dump_attrs(struct nlmsghdr *nlh)
1074{
1075 const struct nlattr *attr;
1076 int rem;
1077
1078 pr_debug("dump nlmsg\n");
1079 nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) {
1080 pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len);
1081 }
1082}
1083
1084static int
1085dump_init(struct netlink_callback *cb)
1086{
1087 struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
1088 int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
1089 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
1090 struct nlattr *attr = (void *)nlh + min_len;
c1e2e043 1091 u32 dump_type;
a7b4f989
JK		 1092 ip_set_id_t index;
1093
1094 /* Second pass, so parser can't fail */
1095 nla_parse(cda, IPSET_ATTR_CMD_MAX,
1096 attr, nlh->nlmsg_len - min_len, ip_set_setname_policy);
1097
1098 /* cb->args[0] : dump single set/all sets
1099 * [1] : set index
1100 * [..]: type specific
1101 */
1102
c1e2e043 1103 if (cda[IPSET_ATTR_SETNAME]) {
9076aea7
JK		 1104 struct ip_set *set;
1105
1106 set = find_set_and_id(nla_data(cda[IPSET_ATTR_SETNAME]),
1107 &index);
1108 if (set == NULL)
c1e2e043 1109 return -ENOENT;
a7b4f989 1110
c1e2e043
JK		 1111 dump_type = DUMP_ONE;
1112 cb->args[1] = index;
1113 } else
1114 dump_type = DUMP_ALL;
1115
1116 if (cda[IPSET_ATTR_FLAGS]) {
1117 u32 f = ip_set_get_h32(cda[IPSET_ATTR_FLAGS]);
1118 dump_type |= (f << 16);
1119 }
1120 cb->args[0] = dump_type;
a7b4f989 1121
a7b4f989
JK		 1122 return 0;
1123}
1124
1125static int
1126ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
1127{
1128 ip_set_id_t index = IPSET_INVALID_ID, max;
1129 struct ip_set *set = NULL;
1130 struct nlmsghdr *nlh = NULL;
15e47304 1131 unsigned int flags = NETLINK_CB(cb->skb).portid ? NLM_F_MULTI : 0;
c1e2e043 1132 u32 dump_type, dump_flags;
a7b4f989
JK		 1133 int ret = 0;
1134
c1e2e043 1135 if (!cb->args[0]) {
a7b4f989
JK		 1136 ret = dump_init(cb);
1137 if (ret < 0) {
1138 nlh = nlmsg_hdr(cb->skb);
1139 /* We have to create and send the error message
1140 * manually :-( */
1141 if (nlh->nlmsg_flags & NLM_F_ACK)
1142 netlink_ack(cb->skb, nlh, ret);
1143 return ret;
1144 }
1145 }
1146
1147 if (cb->args[1] >= ip_set_max)
1148 goto out;
1149
c1e2e043
JK		 1150 dump_type = DUMP_TYPE(cb->args[0]);
1151 dump_flags = DUMP_FLAGS(cb->args[0]);
1152 max = dump_type == DUMP_ONE ? cb->args[1] + 1 : ip_set_max;
a8a8a093 1153dump_last:
c1e2e043
JK		 1154 pr_debug("args[0]: %u %u args[1]: %ld\n",
1155 dump_type, dump_flags, cb->args[1]);
a7b4f989
JK		 1156 for (; cb->args[1] < max; cb->args[1]++) {
1157 index = (ip_set_id_t) cb->args[1];
9076aea7 1158 set = nfnl_set(index);
a7b4f989 1159 if (set == NULL) {
c1e2e043 1160 if (dump_type == DUMP_ONE) {
a7b4f989
JK		 1161 ret = -ENOENT;
1162 goto out;
1163 }
1164 continue;
1165 }
1166 /* When dumping all sets, we must dump "sorted"
1167 * so that lists (unions of sets) are dumped last.
1168 */
c1e2e043
JK		 1169 if (dump_type != DUMP_ONE &&
1170 ((dump_type == DUMP_ALL) ==
a8a8a093 1171 !!(set->type->features & IPSET_DUMP_LAST)))
a7b4f989
JK		 1172 continue;
1173 pr_debug("List set: %s\n", set->name);
1174 if (!cb->args[2]) {
1175 /* Start listing: make sure set won't be destroyed */
1176 pr_debug("reference set\n");
9076aea7 1177 __ip_set_get(set);
a7b4f989 1178 }
15e47304 1179 nlh = start_msg(skb, NETLINK_CB(cb->skb).portid,
a7b4f989
JK		 1180 cb->nlh->nlmsg_seq, flags,
1181 IPSET_CMD_LIST);
1182 if (!nlh) {
1183 ret = -EMSGSIZE;
1184 goto release_refcount;
1185 }
7cf7899d
DM		 1186 if (nla_put_u8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1187 nla_put_string(skb, IPSET_ATTR_SETNAME, set->name))
1188 goto nla_put_failure;
c1e2e043
JK		 1189 if (dump_flags & IPSET_FLAG_LIST_SETNAME)
1190 goto next_set;
a7b4f989
JK		 1191 switch (cb->args[2]) {
1192 case 0:
1193 /* Core header data */
7cf7899d
DM		 1194 if (nla_put_string(skb, IPSET_ATTR_TYPENAME,
1195 set->type->name) ||
1196 nla_put_u8(skb, IPSET_ATTR_FAMILY,
1197 set->family) ||
1198 nla_put_u8(skb, IPSET_ATTR_REVISION,
1199 set->revision))
1200 goto nla_put_failure;
a7b4f989
JK		 1201 ret = set->variant->head(set, skb);
1202 if (ret < 0)
1203 goto release_refcount;
c1e2e043
JK		 1204 if (dump_flags & IPSET_FLAG_LIST_HEADER)
1205 goto next_set;
a7b4f989
JK		 1206 /* Fall through and add elements */
1207 default:
1208 read_lock_bh(&set->lock);
1209 ret = set->variant->list(set, skb, cb);
1210 read_unlock_bh(&set->lock);
c1e2e043 1211 if (!cb->args[2])
a7b4f989 1212 /* Set is done, proceed with next one */
c1e2e043 1213 goto next_set;
a7b4f989
JK		 1214 goto release_refcount;
1215 }
1216 }
a8a8a093 1217 /* If we dump all sets, continue with dumping last ones */
c1e2e043
JK		 1218 if (dump_type == DUMP_ALL) {
1219 dump_type = DUMP_LAST;
1220 cb->args[0] = dump_type | (dump_flags << 16);
a8a8a093
JK		 1221 cb->args[1] = 0;
1222 goto dump_last;
1223 }
a7b4f989
JK		 1224 goto out;
1225
1226nla_put_failure:
1227 ret = -EFAULT;
c1e2e043
JK		 1228next_set:
1229 if (dump_type == DUMP_ONE)
1230 cb->args[1] = IPSET_INVALID_ID;
1231 else
1232 cb->args[1]++;
a7b4f989
JK		 1233release_refcount:
1234 /* If there was an error or set is done, release set */
1235 if (ret || !cb->args[2]) {
9076aea7 1236 pr_debug("release set %s\n", nfnl_set(index)->name);
2f9f28b2 1237 ip_set_put_byindex(index);
be94db9d 1238 cb->args[2] = 0;
a7b4f989 1239 }
a7b4f989
JK		 1240out:
1241 if (nlh) {
1242 nlmsg_end(skb, nlh);
1243 pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len);
1244 dump_attrs(nlh);
1245 }
1246
1247 return ret < 0 ? ret : skb->len;
1248}
1249
1250static int
1251ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
1252 const struct nlmsghdr *nlh,
1253 const struct nlattr * const attr[])
1254{
1255 if (unlikely(protocol_failed(attr)))
1256 return -IPSET_ERR_PROTOCOL;
1257
80d326fa
PNA		 1258 {
1259 struct netlink_dump_control c = {
1260 .dump = ip_set_dump_start,
1261 .done = ip_set_dump_done,
1262 };
1263 return netlink_dump_start(ctnl, skb, nlh, &c);
1264 }
a7b4f989
JK		 1265}
1266
1267/* Add, del and test */
1268
1269static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
1270 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1271 [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING,
1272 .len = IPSET_MAXNAMELEN - 1 },
1273 [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
1274 [IPSET_ATTR_DATA] = { .type = NLA_NESTED },
1275 [IPSET_ATTR_ADT] = { .type = NLA_NESTED },
1276};
1277
1278static int
5f52bc3c 1279call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
a7b4f989
JK		 1280 struct nlattr *tb[], enum ipset_adt adt,
1281 u32 flags, bool use_lineno)
1282{
3d14b171 1283 int ret;
a7b4f989 1284 u32 lineno = 0;
3d14b171 1285 bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
a7b4f989
JK		 1286
1287 do {
1288 write_lock_bh(&set->lock);
3d14b171 1289 ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
a7b4f989 1290 write_unlock_bh(&set->lock);
3d14b171 1291 retried = true;
a7b4f989
JK		 1292 } while (ret == -EAGAIN &&
1293 set->variant->resize &&
3d14b171 1294 (ret = set->variant->resize(set, retried)) == 0);
a7b4f989
JK		 1295
1296 if (!ret || (ret == -IPSET_ERR_EXIST && eexist))
1297 return 0;
1298 if (lineno && use_lineno) {
1299 /* Error in restore/batch mode: send back lineno */
5f52bc3c
JK		 1300 struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
1301 struct sk_buff *skb2;
1302 struct nlmsgerr *errmsg;
1303 size_t payload = sizeof(*errmsg) + nlmsg_len(nlh);
a7b4f989
JK		 1304 int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
1305 struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
5f52bc3c 1306 struct nlattr *cmdattr;
a7b4f989
JK		 1307 u32 *errline;
1308
5f52bc3c
JK		 1309 skb2 = nlmsg_new(payload, GFP_KERNEL);
1310 if (skb2 == NULL)
1311 return -ENOMEM;
15e47304 1312 rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid,
5f52bc3c
JK		 1313 nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
1314 errmsg = nlmsg_data(rep);
1315 errmsg->error = ret;
1316 memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
1317 cmdattr = (void *)&errmsg->msg + min_len;
1318
a7b4f989
JK		 1319 nla_parse(cda, IPSET_ATTR_CMD_MAX,
1320 cmdattr, nlh->nlmsg_len - min_len,
1321 ip_set_adt_policy);
1322
1323 errline = nla_data(cda[IPSET_ATTR_LINENO]);
1324
1325 *errline = lineno;
5f52bc3c 1326
15e47304 1327 netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
5f52bc3c
JK		 1328 /* Signal netlink not to send its ACK/errmsg. */
1329 return -EINTR;
a7b4f989
JK		 1330 }
1331
1332 return ret;
1333}
1334
1335static int
1336ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
1337 const struct nlmsghdr *nlh,
1338 const struct nlattr * const attr[])
1339{
1340 struct ip_set *set;
1341 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1342 const struct nlattr *nla;
1343 u32 flags = flag_exist(nlh);
1344 bool use_lineno;
1345 int ret = 0;
1346
1347 if (unlikely(protocol_failed(attr) ||
1348 attr[IPSET_ATTR_SETNAME] == NULL ||
1349 !((attr[IPSET_ATTR_DATA] != NULL) ^
1350 (attr[IPSET_ATTR_ADT] != NULL)) ||
1351 (attr[IPSET_ATTR_DATA] != NULL &&
1352 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1353 (attr[IPSET_ATTR_ADT] != NULL &&
1354 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1355 attr[IPSET_ATTR_LINENO] == NULL))))
1356 return -IPSET_ERR_PROTOCOL;
1357
1358 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1359 if (set == NULL)
1360 return -ENOENT;
1361
1362 use_lineno = !!attr[IPSET_ATTR_LINENO];
1363 if (attr[IPSET_ATTR_DATA]) {
8da560ce
PM		 1364 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1365 attr[IPSET_ATTR_DATA],
1366 set->type->adt_policy))
a7b4f989 1367 return -IPSET_ERR_PROTOCOL;
5f52bc3c
JK		 1368 ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, flags,
1369 use_lineno);
a7b4f989
JK		 1370 } else {
1371 int nla_rem;
1372
1373 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1374 memset(tb, 0, sizeof(tb));
1375 if (nla_type(nla) != IPSET_ATTR_DATA ||
1376 !flag_nested(nla) ||
8da560ce
PM		 1377 nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1378 set->type->adt_policy))
a7b4f989 1379 return -IPSET_ERR_PROTOCOL;
5f52bc3c 1380 ret = call_ad(ctnl, skb, set, tb, IPSET_ADD,
a7b4f989
JK		 1381 flags, use_lineno);
1382 if (ret < 0)
1383 return ret;
1384 }
1385 }
1386 return ret;
1387}
1388
1389static int
1390ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
1391 const struct nlmsghdr *nlh,
1392 const struct nlattr * const attr[])
1393{
1394 struct ip_set *set;
1395 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1396 const struct nlattr *nla;
1397 u32 flags = flag_exist(nlh);
1398 bool use_lineno;
1399 int ret = 0;
1400
1401 if (unlikely(protocol_failed(attr) ||
1402 attr[IPSET_ATTR_SETNAME] == NULL ||
1403 !((attr[IPSET_ATTR_DATA] != NULL) ^
1404 (attr[IPSET_ATTR_ADT] != NULL)) ||
1405 (attr[IPSET_ATTR_DATA] != NULL &&
1406 !flag_nested(attr[IPSET_ATTR_DATA])) ||
1407 (attr[IPSET_ATTR_ADT] != NULL &&
1408 (!flag_nested(attr[IPSET_ATTR_ADT]) ||
1409 attr[IPSET_ATTR_LINENO] == NULL))))
1410 return -IPSET_ERR_PROTOCOL;
1411
1412 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1413 if (set == NULL)
1414 return -ENOENT;
1415
1416 use_lineno = !!attr[IPSET_ATTR_LINENO];
1417 if (attr[IPSET_ATTR_DATA]) {
8da560ce
PM		 1418 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
1419 attr[IPSET_ATTR_DATA],
1420 set->type->adt_policy))
a7b4f989 1421 return -IPSET_ERR_PROTOCOL;
5f52bc3c
JK		 1422 ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, flags,
1423 use_lineno);
a7b4f989
JK		 1424 } else {
1425 int nla_rem;
1426
1427 nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
1428 memset(tb, 0, sizeof(*tb));
1429 if (nla_type(nla) != IPSET_ATTR_DATA ||
1430 !flag_nested(nla) ||
8da560ce
PM		 1431 nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
1432 set->type->adt_policy))
a7b4f989 1433 return -IPSET_ERR_PROTOCOL;
5f52bc3c 1434 ret = call_ad(ctnl, skb, set, tb, IPSET_DEL,
a7b4f989
JK		 1435 flags, use_lineno);
1436 if (ret < 0)
1437 return ret;
1438 }
1439 }
1440 return ret;
1441}
1442
1443static int
1444ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
1445 const struct nlmsghdr *nlh,
1446 const struct nlattr * const attr[])
1447{
1448 struct ip_set *set;
1449 struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
1450 int ret = 0;
1451
1452 if (unlikely(protocol_failed(attr) ||
1453 attr[IPSET_ATTR_SETNAME] == NULL ||
1454 attr[IPSET_ATTR_DATA] == NULL ||
1455 !flag_nested(attr[IPSET_ATTR_DATA])))
1456 return -IPSET_ERR_PROTOCOL;
1457
1458 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1459 if (set == NULL)
1460 return -ENOENT;
1461
8da560ce
PM		 1462 if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA],
1463 set->type->adt_policy))
a7b4f989
JK		 1464 return -IPSET_ERR_PROTOCOL;
1465
1466 read_lock_bh(&set->lock);
3d14b171 1467 ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
a7b4f989
JK		 1468 read_unlock_bh(&set->lock);
1469 /* Userspace can't trigger element to be re-added */
1470 if (ret == -EAGAIN)
1471 ret = 1;
1472
dd82088d
JK		 1473 return (ret < 0 && ret != -ENOTEMPTY) ? ret :
1474 ret > 0 ? 0 : -IPSET_ERR_EXIST;
a7b4f989
JK		 1475}
1476
1477/* Get headed data of a set */
1478
1479static int
1480ip_set_header(struct sock *ctnl, struct sk_buff *skb,
1481 const struct nlmsghdr *nlh,
1482 const struct nlattr * const attr[])
1483{
1484 const struct ip_set *set;
1485 struct sk_buff *skb2;
1486 struct nlmsghdr *nlh2;
a7b4f989
JK		 1487 int ret = 0;
1488
1489 if (unlikely(protocol_failed(attr) ||
1490 attr[IPSET_ATTR_SETNAME] == NULL))
1491 return -IPSET_ERR_PROTOCOL;
1492
9076aea7
JK		 1493 set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
1494 if (set == NULL)
a7b4f989 1495 return -ENOENT;
a7b4f989
JK		 1496
1497 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1498 if (skb2 == NULL)
1499 return -ENOMEM;
1500
15e47304 1501 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
a7b4f989
JK		 1502 IPSET_CMD_HEADER);
1503 if (!nlh2)
1504 goto nlmsg_failure;
7cf7899d
DM		 1505 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1506 nla_put_string(skb2, IPSET_ATTR_SETNAME, set->name) ||
1507 nla_put_string(skb2, IPSET_ATTR_TYPENAME, set->type->name) ||
1508 nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) ||
1509 nla_put_u8(skb2, IPSET_ATTR_REVISION, set->revision))
1510 goto nla_put_failure;
a7b4f989
JK		 1511 nlmsg_end(skb2, nlh2);
1512
15e47304 1513 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
a7b4f989
JK		 1514 if (ret < 0)
1515 return ret;
1516
1517 return 0;
1518
1519nla_put_failure:
1520 nlmsg_cancel(skb2, nlh2);
1521nlmsg_failure:
1522 kfree_skb(skb2);
1523 return -EMSGSIZE;
1524}
1525
1526/* Get type data */
1527
1528static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = {
1529 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1530 [IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
1531 .len = IPSET_MAXNAMELEN - 1 },
1532 [IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
1533};
1534
1535static int
1536ip_set_type(struct sock *ctnl, struct sk_buff *skb,
1537 const struct nlmsghdr *nlh,
1538 const struct nlattr * const attr[])
1539{
1540 struct sk_buff *skb2;
1541 struct nlmsghdr *nlh2;
1542 u8 family, min, max;
1543 const char *typename;
1544 int ret = 0;
1545
1546 if (unlikely(protocol_failed(attr) ||
1547 attr[IPSET_ATTR_TYPENAME] == NULL ||
1548 attr[IPSET_ATTR_FAMILY] == NULL))
1549 return -IPSET_ERR_PROTOCOL;
1550
1551 family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
1552 typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
1553 ret = find_set_type_minmax(typename, family, &min, &max);
1554 if (ret)
1555 return ret;
1556
1557 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1558 if (skb2 == NULL)
1559 return -ENOMEM;
1560
15e47304 1561 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
a7b4f989
JK		 1562 IPSET_CMD_TYPE);
1563 if (!nlh2)
1564 goto nlmsg_failure;
7cf7899d
DM		 1565 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
1566 nla_put_string(skb2, IPSET_ATTR_TYPENAME, typename) ||
1567 nla_put_u8(skb2, IPSET_ATTR_FAMILY, family) ||
1568 nla_put_u8(skb2, IPSET_ATTR_REVISION, max) ||
1569 nla_put_u8(skb2, IPSET_ATTR_REVISION_MIN, min))
1570 goto nla_put_failure;
a7b4f989
JK		 1571 nlmsg_end(skb2, nlh2);
1572
1573 pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len);
15e47304 1574 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
a7b4f989
JK		 1575 if (ret < 0)
1576 return ret;
1577
1578 return 0;
1579
1580nla_put_failure:
1581 nlmsg_cancel(skb2, nlh2);
1582nlmsg_failure:
1583 kfree_skb(skb2);
1584 return -EMSGSIZE;
1585}
1586
1587/* Get protocol version */
1588
1589static const struct nla_policy
1590ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = {
1591 [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 },
1592};
1593
1594static int
1595ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
1596 const struct nlmsghdr *nlh,
1597 const struct nlattr * const attr[])
1598{
1599 struct sk_buff *skb2;
1600 struct nlmsghdr *nlh2;
1601 int ret = 0;
1602
1603 if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL))
1604 return -IPSET_ERR_PROTOCOL;
1605
1606 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1607 if (skb2 == NULL)
1608 return -ENOMEM;
1609
15e47304 1610 nlh2 = start_msg(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 0,
a7b4f989
JK		 1611 IPSET_CMD_PROTOCOL);
1612 if (!nlh2)
1613 goto nlmsg_failure;
7cf7899d
DM		 1614 if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL))
1615 goto nla_put_failure;
a7b4f989
JK		 1616 nlmsg_end(skb2, nlh2);
1617
15e47304 1618 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
a7b4f989
JK		 1619 if (ret < 0)
1620 return ret;
1621
1622 return 0;
1623
1624nla_put_failure:
1625 nlmsg_cancel(skb2, nlh2);
1626nlmsg_failure:
1627 kfree_skb(skb2);
1628 return -EMSGSIZE;
1629}
1630
1631static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
d31f4d44
TB		 1632 [IPSET_CMD_NONE] = {
1633 .call = ip_set_none,
1634 .attr_count = IPSET_ATTR_CMD_MAX,
1635 },
a7b4f989
JK		 1636 [IPSET_CMD_CREATE] = {
1637 .call = ip_set_create,
1638 .attr_count = IPSET_ATTR_CMD_MAX,
1639 .policy = ip_set_create_policy,
1640 },
1641 [IPSET_CMD_DESTROY] = {
1642 .call = ip_set_destroy,
1643 .attr_count = IPSET_ATTR_CMD_MAX,
1644 .policy = ip_set_setname_policy,
1645 },
1646 [IPSET_CMD_FLUSH] = {
1647 .call = ip_set_flush,
1648 .attr_count = IPSET_ATTR_CMD_MAX,
1649 .policy = ip_set_setname_policy,
1650 },
1651 [IPSET_CMD_RENAME] = {
1652 .call = ip_set_rename,
1653 .attr_count = IPSET_ATTR_CMD_MAX,
1654 .policy = ip_set_setname2_policy,
1655 },
1656 [IPSET_CMD_SWAP] = {
1657 .call = ip_set_swap,
1658 .attr_count = IPSET_ATTR_CMD_MAX,
1659 .policy = ip_set_setname2_policy,
1660 },
1661 [IPSET_CMD_LIST] = {
1662 .call = ip_set_dump,
1663 .attr_count = IPSET_ATTR_CMD_MAX,
1664 .policy = ip_set_setname_policy,
1665 },
1666 [IPSET_CMD_SAVE] = {
1667 .call = ip_set_dump,
1668 .attr_count = IPSET_ATTR_CMD_MAX,
1669 .policy = ip_set_setname_policy,
1670 },
1671 [IPSET_CMD_ADD] = {
1672 .call = ip_set_uadd,
1673 .attr_count = IPSET_ATTR_CMD_MAX,
1674 .policy = ip_set_adt_policy,
1675 },
1676 [IPSET_CMD_DEL] = {
1677 .call = ip_set_udel,
1678 .attr_count = IPSET_ATTR_CMD_MAX,
1679 .policy = ip_set_adt_policy,
1680 },
1681 [IPSET_CMD_TEST] = {
1682 .call = ip_set_utest,
1683 .attr_count = IPSET_ATTR_CMD_MAX,
1684 .policy = ip_set_adt_policy,
1685 },
1686 [IPSET_CMD_HEADER] = {
1687 .call = ip_set_header,
1688 .attr_count = IPSET_ATTR_CMD_MAX,
1689 .policy = ip_set_setname_policy,
1690 },
1691 [IPSET_CMD_TYPE] = {
1692 .call = ip_set_type,
1693 .attr_count = IPSET_ATTR_CMD_MAX,
1694 .policy = ip_set_type_policy,
1695 },
1696 [IPSET_CMD_PROTOCOL] = {
1697 .call = ip_set_protocol,
1698 .attr_count = IPSET_ATTR_CMD_MAX,
1699 .policy = ip_set_protocol_policy,
1700 },
1701};
1702
1703static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = {
1704 .name = "ip_set",
1705 .subsys_id = NFNL_SUBSYS_IPSET,
1706 .cb_count = IPSET_MSG_MAX,
1707 .cb = ip_set_netlink_subsys_cb,
1708};
1709
1710/* Interface to iptables/ip6tables */
1711
1712static int
1713ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
1714{
95c96174 1715 unsigned int *op;
a7b4f989
JK		 1716 void *data;
1717 int copylen = *len, ret = 0;
1718
df008c91 1719 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
a7b4f989
JK		 1720 return -EPERM;
1721 if (optval != SO_IP_SET)
1722 return -EBADF;
95c96174 1723 if (*len < sizeof(unsigned int))
a7b4f989
JK		 1724 return -EINVAL;
1725
1726 data = vmalloc(*len);
1727 if (!data)
1728 return -ENOMEM;
1729 if (copy_from_user(data, user, *len) != 0) {
1730 ret = -EFAULT;
1731 goto done;
1732 }
95c96174 1733 op = (unsigned int *) data;
a7b4f989
JK		 1734
1735 if (*op < IP_SET_OP_VERSION) {
1736 /* Check the version at the beginning of operations */
1737 struct ip_set_req_version *req_version = data;
1738 if (req_version->version != IPSET_PROTOCOL) {
1739 ret = -EPROTO;
1740 goto done;
1741 }
1742 }
1743
1744 switch (*op) {
1745 case IP_SET_OP_VERSION: {
1746 struct ip_set_req_version *req_version = data;
1747
1748 if (*len != sizeof(struct ip_set_req_version)) {
1749 ret = -EINVAL;
1750 goto done;
1751 }
1752
1753 req_version->version = IPSET_PROTOCOL;
1754 ret = copy_to_user(user, req_version,
1755 sizeof(struct ip_set_req_version));
1756 goto done;
1757 }
1758 case IP_SET_OP_GET_BYNAME: {
1759 struct ip_set_req_get_set *req_get = data;
9076aea7 1760 ip_set_id_t id;
a7b4f989
JK		 1761
1762 if (*len != sizeof(struct ip_set_req_get_set)) {
1763 ret = -EINVAL;
1764 goto done;
1765 }
1766 req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
c14b78e7 1767 nfnl_lock(NFNL_SUBSYS_IPSET);
9076aea7
JK		 1768 find_set_and_id(req_get->set.name, &id);
1769 req_get->set.index = id;
c14b78e7 1770 nfnl_unlock(NFNL_SUBSYS_IPSET);
a7b4f989
JK		 1771 goto copy;
1772 }
1773 case IP_SET_OP_GET_BYINDEX: {
1774 struct ip_set_req_get_set *req_get = data;
9076aea7 1775 struct ip_set *set;
a7b4f989
JK		 1776
1777 if (*len != sizeof(struct ip_set_req_get_set) ||
1778 req_get->set.index >= ip_set_max) {
1779 ret = -EINVAL;
1780 goto done;
1781 }
c14b78e7 1782 nfnl_lock(NFNL_SUBSYS_IPSET);
9076aea7
JK		 1783 set = nfnl_set(req_get->set.index);
1784 strncpy(req_get->set.name, set ? set->name : "",
a7b4f989 1785 IPSET_MAXNAMELEN);
c14b78e7 1786 nfnl_unlock(NFNL_SUBSYS_IPSET);
a7b4f989
JK		 1787 goto copy;
1788 }
1789 default:
1790 ret = -EBADMSG;
1791 goto done;
1792 } /* end of switch(op) */
1793
1794copy:
1795 ret = copy_to_user(user, data, copylen);
1796
1797done:
1798 vfree(data);
1799 if (ret > 0)
1800 ret = 0;
1801 return ret;
1802}
1803
1804static struct nf_sockopt_ops so_set __read_mostly = {
1805 .pf = PF_INET,
1806 .get_optmin = SO_IP_SET,
1807 .get_optmax = SO_IP_SET + 1,
1808 .get = &ip_set_sockfn_get,
1809 .owner = THIS_MODULE,
1810};
1811
1812static int __init
1813ip_set_init(void)
1814{
9076aea7 1815 struct ip_set **list;
a7b4f989
JK		 1816 int ret;
1817
1818 if (max_sets)
1819 ip_set_max = max_sets;
1820 if (ip_set_max >= IPSET_INVALID_ID)
1821 ip_set_max = IPSET_INVALID_ID - 1;
1822
9076aea7
JK		 1823 list = kzalloc(sizeof(struct ip_set *) * ip_set_max, GFP_KERNEL);
1824 if (!list)
a7b4f989 1825 return -ENOMEM;
a7b4f989 1826
9076aea7 1827 rcu_assign_pointer(ip_set_list, list);
a7b4f989
JK		 1828 ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
1829 if (ret != 0) {
1830 pr_err("ip_set: cannot register with nfnetlink.\n");
9076aea7 1831 kfree(list);
a7b4f989
JK		 1832 return ret;
1833 }
1834 ret = nf_register_sockopt(&so_set);
1835 if (ret != 0) {
1836 pr_err("SO_SET registry failed: %d\n", ret);
1837 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
9076aea7 1838 kfree(list);
a7b4f989
JK		 1839 return ret;
1840 }
1841
1842 pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL);
1843 return 0;
1844}
1845
1846static void __exit
1847ip_set_fini(void)
1848{
9076aea7
JK		 1849 struct ip_set **list = rcu_dereference_protected(ip_set_list, 1);
1850
a7b4f989
JK		 1851 /* There can't be any existing set */
1852 nf_unregister_sockopt(&so_set);
1853 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
9076aea7 1854 kfree(list);
a7b4f989
JK		 1855 pr_debug("these are the famous last words\n");
1856}
1857
1858module_init(ip_set_init);
1859module_exit(ip_set_fini);
Linux 6.x block layer and io_uring tree(s)