
Commit ac8cc925 authored by Jozsef Kadlecsik's avatar Jozsef Kadlecsik Committed by Patrick McHardy

netfilter: ipset: options and flags support added to the kernel API



The support makes it possible to specify the timeout value for
the SET target and a flag to reset the timeout of already existing
entries.

Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 483e9ea3
+14 −4
@@ -217,6 +217,15 @@ struct ip_set;
typedef int (*ipset_adtfn)(struct ip_set *set, void *value,
typedef int (*ipset_adtfn)(struct ip_set *set, void *value,
			   u32 timeout, u32 flags);
			   u32 timeout, u32 flags);


/* Kernel API function options */
struct ip_set_adt_opt {
	u8 family;		/* Actual protocol family */
	u8 dim;			/* Dimension of match/target */
	u8 flags;		/* Direction and negation flags */
	u32 cmdflags;		/* Command-like flags */
	u32 timeout;		/* Timeout value */
};

/* Set type, variant-specific part */
/* Set type, variant-specific part */
struct ip_set_type_variant {
struct ip_set_type_variant {
	/* Kernelspace: test/add/del entries
	/* Kernelspace: test/add/del entries
@@ -224,7 +233,7 @@ struct ip_set_type_variant {
	 *			zero for no match/success to add/delete
	 *			zero for no match/success to add/delete
	 *			positive for matching element */
	 *			positive for matching element */
	int (*kadt)(struct ip_set *set, const struct sk_buff * skb,
	int (*kadt)(struct ip_set *set, const struct sk_buff * skb,
		    enum ipset_adt adt, u8 pf, u8 dim, u8 flags);
		    enum ipset_adt adt, const struct ip_set_adt_opt *opt);


	/* Userspace: test/add/del entries
	/* Userspace: test/add/del entries
	 *		returns negative error code,
	 *		returns negative error code,
@@ -314,12 +323,13 @@ extern ip_set_id_t ip_set_nfnl_get_byindex(ip_set_id_t index);
extern void ip_set_nfnl_put(ip_set_id_t index);
extern void ip_set_nfnl_put(ip_set_id_t index);


/* API for iptables set match, and SET target */
/* API for iptables set match, and SET target */

extern int ip_set_add(ip_set_id_t id, const struct sk_buff *skb,
extern int ip_set_add(ip_set_id_t id, const struct sk_buff *skb,
		      u8 family, u8 dim, u8 flags);
		      const struct ip_set_adt_opt *opt);
extern int ip_set_del(ip_set_id_t id, const struct sk_buff *skb,
extern int ip_set_del(ip_set_id_t id, const struct sk_buff *skb,
		      u8 family, u8 dim, u8 flags);
		      const struct ip_set_adt_opt *opt);
extern int ip_set_test(ip_set_id_t id, const struct sk_buff *skb,
extern int ip_set_test(ip_set_id_t id, const struct sk_buff *skb,
		       u8 family, u8 dim, u8 flags);
		       const struct ip_set_adt_opt *opt);


/* Utility functions */
/* Utility functions */
extern void * ip_set_alloc(size_t size);
extern void * ip_set_alloc(size_t size);
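Review bot: The new `timeout` member of `struct ip_set_adt_opt` in the first hunk does not say which value means "no per-call timeout"; the companion `opt_timeout()` macro in this commit falls back to the set's own timeout when the field equals `IPSET_NO_TIMEOUT`, and callers filling this struct need that contract stated at the definition. Suggest `u32 timeout;		/* Timeout value, or IPSET_NO_TIMEOUT to use the set's own timeout */`. The same applies to `cmdflags`, whose accepted bits are not named anywhere in this header; a comment listing them, or pointing to where they are defined, would keep set types from guessing. Since the struct is passed by const pointer through `kadt` and `ip_set_add/del/test`, these two fields are effectively the whole kernel-side contract.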
+1 −1
@@ -586,7 +586,7 @@ type_pf_list(const struct ip_set *set,


static int
static int
type_pf_kadt(struct ip_set *set, const struct sk_buff * skb,
type_pf_kadt(struct ip_set *set, const struct sk_buff * skb,
	     enum ipset_adt adt, u8 pf, u8 dim, u8 flags);
	     enum ipset_adt adt, const struct ip_set_adt_opt *opt);
static int
static int
type_pf_uadt(struct ip_set *set, struct nlattr *tb[],
type_pf_uadt(struct ip_set *set, struct nlattr *tb[],
	     enum ipset_adt adt, u32 *lineno, u32 flags);
	     enum ipset_adt adt, u32 *lineno, u32 flags);
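--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -22,6 +22,9 @@
 
 #define with_timeout(timeout)	((timeout) != IPSET_NO_TIMEOUT)
 
+#define opt_timeout(opt, map)	\
+	(with_timeout((opt)->timeout) ? (opt)->timeout : (map)->timeout)
+
 static inline unsigned int
 ip_set_timeout_uget(struct nlattr *tb)
 {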
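Review bot: `opt_timeout()` encodes the precedence between a per-call timeout and the set's own, but unlike `with_timeout()` its name does not make that rule obvious, and it has no comment. Suggest `/* Per-call timeout from the kernel API option, or the set's own timeout when none was given */` above the `#define`. The macro expands `(opt)->timeout` twice, so it must only be given side-effect-free arguments; the visible callers pass a const pointer, so that holds today, but a `static inline` taking `const struct ip_set_adt_opt *` would make it a type-checked guarantee if this header can see the struct definition.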
+12 −3
@@ -35,7 +35,7 @@ struct xt_set_info_target_v0 {
	struct xt_set_info_v0 del_set;
	struct xt_set_info_v0 del_set;
};
};


/* Revision 1: current interface to netfilter/iptables */
/* Revision 1  match and target */


struct xt_set_info {
struct xt_set_info {
	ip_set_id_t index;
	ip_set_id_t index;
@@ -44,13 +44,22 @@ struct xt_set_info {
};
};


/* match and target infos */
/* match and target infos */
struct xt_set_info_match {
struct xt_set_info_match_v1 {
	struct xt_set_info match_set;
	struct xt_set_info match_set;
};
};


struct xt_set_info_target {
struct xt_set_info_target_v1 {
	struct xt_set_info add_set;
	struct xt_set_info add_set;
	struct xt_set_info del_set;
	struct xt_set_info del_set;
};
};


/* Revision 2 target */

struct xt_set_info_target_v2 {
	struct xt_set_info add_set;
	struct xt_set_info del_set;
	u32 flags;
	u32 timeout;
};

#endif /*_XT_SET_H*/
#endif /*_XT_SET_H*/
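Review bot: The `flags` and `timeout` members added to `struct xt_set_info_target_v2` in the second hunk carry no comment on which flag bits are valid or whether `timeout` follows the same "set's own when not given" convention as the kernel-side option; this header is shared with the iptables userspace side, so the accepted values are part of the ABI and the kernel should reject unknown bits at checkentry time rather than silently ignore them. Suggest `u32 flags;		/* target flags; unknown bits are rejected by the target */` and `u32 timeout;		/* per-entry timeout, or the set's own when not given */`, with the exact meaning confirmed against the target implementation, which is outside this diff. Renaming `xt_set_info_match`/`xt_set_info_target` to the `_v1` names also changes what any existing in-tree or external user compiles against; if the old names are still referenced elsewhere, keeping them as aliases avoids a needless break. If this file is exported to userspace, the new fields presumably should be `__u32` rather than `u32` — worth confirming against the surrounding file, which is not visible here.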
+3 −3
@@ -219,19 +219,19 @@ bitmap_ip_tlist(const struct ip_set *set,


static int
static int
bitmap_ip_kadt(struct ip_set *set, const struct sk_buff *skb,
bitmap_ip_kadt(struct ip_set *set, const struct sk_buff *skb,
	       enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
	       enum ipset_adt adt, const struct ip_set_adt_opt *opt)
{
{
	struct bitmap_ip *map = set->data;
	struct bitmap_ip *map = set->data;
	ipset_adtfn adtfn = set->variant->adt[adt];
	ipset_adtfn adtfn = set->variant->adt[adt];
	u32 ip;
	u32 ip;


	ip = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
	ip = ntohl(ip4addr(skb, opt->flags & IPSET_DIM_ONE_SRC));
	if (ip < map->first_ip || ip > map->last_ip)
	if (ip < map->first_ip || ip > map->last_ip)
		return -IPSET_ERR_BITMAP_RANGE;
		return -IPSET_ERR_BITMAP_RANGE;


	ip = ip_to_id(map, ip);
	ip = ip_to_id(map, ip);


	return adtfn(set, &ip, map->timeout, flags);
	return adtfn(set, &ip, opt_timeout(opt, map), opt->cmdflags);
}
}


static int
static int
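Review bot: `bitmap_ip_kadt` now forwards `opt_timeout(opt, map)` to `adtfn`, so a caller-supplied timeout reaches the add function even for a set that was presumably created without timeout support (`map->timeout == IPSET_NO_TIMEOUT`); whether the non-timeout variant of the add function ignores that argument is not visible here and is worth confirming, otherwise a guard such as `with_timeout(map->timeout) ? opt_timeout(opt, map) : map->timeout` would be needed. The direction bit is now read from `opt->flags` while `adtfn` receives `opt->cmdflags`, which matches the commit's intent, but a one-line comment at the `adtfn` call such as `/* cmdflags carry the SET target's command flags (e.g. reset timeout), not the direction bits */` would make the use of two different flag fields obvious to the next reader. The function is fully contained in the hunk.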