AM_CPPFLAGS = $(kinclude_CFLAGS) $(all_includes) -I$(top_srcdir)/include \
-I/usr/local/include
-# -Wconversion -> false warnings
-# -Wcast-qual -> false warnings
-# -Wpointer-arith -> we need it
+# -Wconversion -> we need it
# -Wunreachable-code -> fails with ntoh*
if DISABLE_EXTRA_FLAGS
else
AM_CFLAGS = -std=gnu99 \
-Wall \
- -Wextra \
-Waggregate-return \
-Wbad-function-cast \
-Wcast-align \
+ -Wcast-qual \
+ -Wextra \
-Wfloat-equal \
+ -Wformat-nonliteral \
+ -Wformat=2 \
-Winit-self \
-Winline \
-Wmissing-declarations \
-Wmissing-format-attribute \
-Wmissing-prototypes \
-Wnested-externs \
+ -Wno-missing-field-initializers \
-Wold-style-definition \
-Wpacked \
+ -Wpointer-arith \
-Wredundant-decls \
-Wshadow \
-Wsign-compare \
-Wswitch-default \
-Wundef \
-Wwrite-strings \
- -Wno-missing-field-initializers \
-Werror
endif
SUBDIRS = lib src
modules:
- cd kernel; make -C $(KBUILD_OUTPUT) M=`pwd` V=$V IP_SET_MAX=$(IP_SET_MAX) modules
+ cd kernel; make -C $(KBUILD_OUTPUT) M=`pwd` V=$V \
+ IP_SET_MAX=$(IP_SET_MAX) \
+ NETLINK_DUMP_CONST=$(NETLINK_DUMP_CONST) \
+ NFNL_CB_CONST=$(NFNL_CB_CONST) modules
modules_install:
cd kernel; make -C $(KBUILD_OUTPUT) M=`pwd` modules_install
This is the ipset source tree. Follow these steps to install ipset:
-0. You need the source tree of your kernel (version >= 2.6.16)
- and it have to be configured, modules compiled.
+0. You need the source tree of your kernel (version >= 2.6.31)
+ and it have to be configured, modules compiled. Please apply
+ the netlink.patch against your kernel tree (with kernel <= 2.6.31.1
+ please use the patch netlink.patch-2.6.31.1). Recompile and
+ install the patched kernel.
-1. Initialize the environment
+1. Initialize the compiling environment for ipset
% ./autogen.sh
2. Run `./configure` and then compile the ipset binary and the kernel
modules.
+ The ipset source code depends on the libmnl library.
+
Configure parameters can be used to to override the default path
to the kernel source tree (/lib/modules/`uname -r`/build),
the maximum number of sets (256), the default hash sizes (1024)
or disable the extra compiler warning flags if your compiler
- does not support all of them.
+ does not support all of them. See `./configure --help`.
% ./configure
% make
# make install
# make modules_install
- After installing the modules, you can run the testsuite as well:
+ After installing the modules, you can run the testsuite as well.
+ Please note, several assumptions must be met for the testsuite:
+
+ - no sets defined
+ - iptables/ip6tables rules are not set up
+ - the destination for kernel logs is /var/log/kern.log
+ - the networks 10.255.255.0/24 and 1002:1002:1002:1002::/64
+ are not in use
+ - sendip utility is installed
# make tests
--- /dev/null
+#! /usr/bin/awk -f
+
+# nfnetlink.h && netlink.h
+
+{ if (/^(struct nfnl_callback|extern int netlink_dump)/) { check=1 } }
+{ if (check == 1 && /(^};|...\);)/) { check=0 } }
+
+{ if (check == 1 && /const struct nlmsghdr/) { print "const" } }
AC_ARG_WITH([kernel],
AS_HELP_STRING([--with-kernel=PATH],
[Path to kernel source/build directory]),
- [KBUILDDOR="$withval";])
+ [KBUILDDIR="$withval";])
AM_CONDITIONAL(WITH_KBUILDDIR, test "$KBUILDDIR" != "")
AC_SUBST(KBUILDDIR)
+dnl Sigh: check kernel version dependencies
+if test "$KBUILDDIR" != ""
+then
+ kbuilddir="$KBUILDDIR"
+else
+ kbuilddir="/lib/modules/`uname -r`/build"
+fi
+
+if test ! -e "$kbuilddir/include/linux/netfilter/nfnetlink.h"
+then
+ AC_MSG_ERROR([Invalid kernel build directory $kbuilddir])
+fi
+
+dnl Check kernel dependencies: nfnetlink.h
+NFNL_CB_CONST="`./check_const $kbuilddir/include/linux/netfilter/nfnetlink.h`"
+AC_SUBST(NFNL_CB_CONST)
+
+dnl Check kernel dependencies: netlink.h
+NETLINK_DUMP_CONST="`./check_const $kbuilddir/include/linux/netlink.h`"
+AC_SUBST(NETLINK_DUMP_CONST)
+
dnl Maximal number of sets supported by the kernel, default 256
AC_ARG_WITH([maxsets],
AS_HELP_STRING([--with-maxsets=256],
EXTRA_CFLAGS := -I$(M)/include \
- -DCONFIG_IP_SET_MAX=$(IP_SET_MAX)
+ -DCONFIG_IP_SET_MAX=$(IP_SET_MAX) \
+ -DNETLINK_DUMP_CONST=$(NETLINK_DUMP_CONST) \
+ -DNFNL_CB_CONST=$(NFNL_CB_CONST)
obj-m += ip_set.o xt_set.o
obj-m += ip_set_bitmap_ip.o ip_set_bitmap_ipmac.o ip_set_bitmap_port.o
The value can be overriden by the 'max_sets' module
parameter of the 'ip_set' module.
-config IP_SET_IPMAP
- tristate "ipmap set support"
+config IP_SET_BITMAP_IP
+ tristate "bitmap:ip set support"
depends on IP_SET
help
- This option adds the ipmap set type support.
+ This option adds the bitmap:ip set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_MACIPMAP
- tristate "macipmap set support"
+config IP_SET_BITMAP_IPMAC
+ tristate "bitmap:ip,mac set support"
depends on IP_SET
help
- This option adds the macipmap set type support.
+ This option adds the bitmap:ip,mac set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_PORTMAP
- tristate "portmap set support"
+config IP_SET_BITMAP_PORT
+ tristate "bitmap:port set support"
depends on IP_SET
help
- This option adds the portmap set type support.
+ This option adds the bitmap:port set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_IPHASH
- tristate "iphash set support"
+config IP_SET_HASH_IP
+ tristate "hash:ip set support"
depends on IP_SET
help
- This option adds the iphash set type support.
+ This option adds the hash:ip set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_NETHASH
- tristate "nethash set support"
+config IP_SET_HASH_NET
+ tristate "hash:net set support"
depends on IP_SET
help
- This option adds the nethash set type support.
+ This option adds the hash:net set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_IPPORTHASH
- tristate "ipporthash set support"
+config IP_SET_HASH_IPPORT
+ tristate "hash:ip,port set support"
depends on IP_SET
help
- This option adds the ipporthash set type support.
+ This option adds the hash:ip,port set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_IPPORTIPHASH
- tristate "ipportiphash set support"
+config IP_SET_HASH_IPPORTIP
+ tristate "hash:ip,port,ip set support"
depends on IP_SET
help
- This option adds the ipportiphash set type support.
+ This option adds the hash:ip,port,ip set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_IPPORTNETHASH
- tristate "ipportnethash set support"
+config IP_SET_HASH_IPPORTNET
+ tristate "hash:ip,port,net set support"
depends on IP_SET
help
- This option adds the ipportnethash set type support.
+ This option adds the hash:ip,port,net set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_IPTREE
- tristate "iptree set support"
+config IP_SET_LIST_SET
+ tristate "list:set set support"
depends on IP_SET
help
- This option adds the iptree set type support.
+ This option adds the list:set set type support.
To compile it as a module, choose M here. If unsure, say N.
-config IP_SET_IPTREEMAP
- tristate "iptreemap set support"
- depends on IP_SET
- help
- This option adds the iptreemap set type support.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_SET_SETLIST
- tristate "setlist set support"
- depends on IP_SET
- help
- This option adds the setlist set type support.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_MATCH_SET
+config NETFILTER_XT_MATCH_SET
tristate "set match support"
depends on IP_SET
help
To compile it as a module, choose M here. If unsure, say N.
-config IP_TARGET_SET
+config NETFILTER_XT_TARGET_SET
tristate "SET target support"
depends on IP_SET
help
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/netlink.h>
+#include <linux/vmalloc.h>
#include <net/netlink.h>
/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
#ifdef __KERNEL__
+#ifdef CONFIG_DEBUG_KERNEL
/* Complete debug messages */
#define pr_fmt(fmt) "%s %s[%i]: " fmt "\n", __FILE__, __func__, __LINE__
+#endif
#include <linux/kernel.h>
*/
static inline bool
-protocol_failed(const struct nlattr * const tb[])
+protocol_failed(NFNL_CB_CONST struct nlattr * NFNL_CB_CONST tb[])
{
return !tb[IPSET_ATTR_PROTOCOL]
|| nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL;
static int
ip_set_create(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *set, *clash;
ip_set_id_t index = IPSET_INVALID_ID;
static int
ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
ip_set_id_t i;
static int
ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
ip_set_id_t i;
static int
ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *set;
const char *name2;
static int
ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *from, *to;
ip_set_id_t from_id, to_id;
static int
ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
ip_set_id_t index;
static int
call_ad(struct sock *ctnl, struct sk_buff *skb,
- const struct nlattr * const attr[],
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[],
struct ip_set *set, const struct nlattr *nla,
enum ipset_adt adt, u32 flags)
{
static int
ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *set;
const struct nlattr *nla;
static int
ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *set;
const struct nlattr *nla;
static int
ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *set;
int ret = 0;
static int
ip_set_header(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct ip_set *set;
struct sk_buff *skb2;
static int
ip_set_type(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct sk_buff *skb2;
struct nlmsghdr *nlh2;
static int
ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
- const struct nlmsghdr *nlh,
- const struct nlattr * const attr[])
+ NFNL_CB_CONST struct nlmsghdr *nlh,
+ NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
{
struct sk_buff *skb2;
struct nlmsghdr *nlh2;
return ret;
}
- pr_notice("ip_set with protocol version %u loaded", IPSET_PROTOCOL);
+ pr_notice("ip_set: protocol %u", IPSET_PROTOCOL);
return 0;
}
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct bitmap_ip *map = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
u32 ip, ip_to, id;
int ret = 0;
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct bitmap_ip_timeout *map = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
u32 ip, ip_to, id, timeout = map->timeout;
int ret = 0;
bitmap_ip_create(struct ip_set *set, struct nlattr *head, int len,
u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
u32 first_ip, last_ip, hosts, elements;
u8 netmask = 32;
struct ipmac_elem {
unsigned char ether[ETH_ALEN];
unsigned char match;
-};
+} __attribute__ ((aligned));
struct ipmac_telem {
unsigned char ether[ETH_ALEN];
unsigned char match;
unsigned long timeout;
-};
+} __attribute__ ((aligned));
static inline void *
bitmap_ipmac_elem(const struct bitmap_ipmac *map, u32 id)
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct bitmap_ipmac *map = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct ipmac data;
u32 timeout = map->timeout;
bitmap_ipmac_create(struct ip_set *set, struct nlattr *head, int len,
u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
u32 first_ip, last_ip, elements;
struct bitmap_ipmac *map;
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct bitmap_port *map = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
u32 port; /* wraparound */
u16 id, port_to;
int ret = 0;
enum ipset_adt adt, u32 *lineno, u32 flags)
{
const struct bitmap_port_timeout *map = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
u16 id, port_to;
u32 port, timeout = map->timeout; /* wraparound */
int ret = 0;
bitmap_port_create(struct ip_set *set, struct nlattr *head, int len,
u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
u16 first_port, last_port;
if (nla_parse(tb, IPSET_ATTR_CREATE_MAX, head, len,
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
u32 ip, nip, ip_to, hosts, timeout = h->timeout;
int ret = 0;
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
union nf_inet_addr *ip;
u32 timeout = h->timeout;
static int
hash_ip_create(struct ip_set *set, struct nlattr *head, int len, u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
u8 netmask;
struct chash *h;
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipport4_elem data = { .proto = h->proto };
u32 timeout = h->timeout;
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipport6_elem data = { .proto = h->proto };
u32 timeout = h->timeout;
static int
hash_ipport_create(struct ip_set *set, struct nlattr *head, int len, u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
struct chash *h;
u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
u8 proto = IPSET_IPPROTO_TCPUDP; /* Backward compatibility */
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportip4_elem data = { .proto = h->proto };
u32 timeout = h->timeout;
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportip6_elem data = { .proto = h->proto };
u32 timeout = h->timeout;
hash_ipportip_create(struct ip_set *set, struct nlattr *head,
int len, u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
struct chash *h;
u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
u8 proto = IPSET_IPPROTO_TCPUDP; /* Backward compatibility */
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportnet4_elem data = { .cidr = HOST_MASK,
.proto = h->proto };
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportnet6_elem data = { .cidr = HOST_MASK,
.proto = h->proto };
hash_ipportnet_create(struct ip_set *set, struct nlattr *head,
int len, u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
struct chash *h;
u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
u8 proto = IPSET_IPPROTO_TCPUDP; /* Backward compatibility */
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_net4_elem data = { .cidr = HOST_MASK };
u32 timeout = h->timeout;
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct chash *h = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_net6_elem data = { .cidr = HOST_MASK };
u32 timeout = h->timeout;
static int
hash_net_create(struct ip_set *set, struct nlattr *head, int len, u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
struct chash *h;
enum ipset_adt adt, u32 *lineno, u32 flags)
{
struct list_set *map = set->data;
- struct nlattr *tb[IPSET_ATTR_ADT_MAX];
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX+1];
bool with_timeout = with_timeout(map->timeout);
int before = 0;
u32 timeout = map->timeout;
list_set_create(struct ip_set *set, struct nlattr *head, int len,
u32 flags)
{
- struct nlattr *tb[IPSET_ATTR_CREATE_MAX];
+ struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1];
u32 size = IP_SET_LIST_DEFAULT_SIZE;
if (nla_parse(tb, IPSET_ATTR_CREATE_MAX, head, len,
#include <linux/module.h>
#include <linux/skbuff.h>
+#include <linux/version.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_set.h>
/* Revision 0 interface: backward compatible with netfilter/iptables */
+/* Backward compatibility constrains:
+ * 2.6.24: [NETLINK]: Introduce nested and byteorder flag to netlink attribute
+ * 2.6.31: netfilter: passive OS fingerprint xtables match
+ */
+
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,31)
+#error "Linux kernel version too old: must be >= 2.6.31"
+#endif
+
static bool
set_match_v0(const struct sk_buff *skb, const struct xt_match_param *par)
{
{
struct xt_set_info_match *info = par->matchinfo;
-
ip_set_nfnl_put(info->match_set.index);
}
{
struct xt_set_info_match *info = par->matchinfo;
-
ip_set_nfnl_put(info->match_set.index);
}
-/* Set target */
-
static unsigned int
set_target(struct sk_buff *skb, const struct xt_target_param *par)
{
struct in##n##_addr **inaddr) \
{ \
struct addrinfo *i; \
- struct sockaddr_in##n *saddr; \
+ struct sockaddr_in##n saddr; \
int found; \
\
if ((*info = get_addrinfo(session, str, family)) == NULL) { \
} \
\
for (i = *info, found = 0; i != NULL; i = i->ai_next) { \
- if (i->ai_family != family) \
+ if (i->ai_family != family \
+ || i->ai_addrlen != sizeof(saddr)) \
continue; \
if (found == 0) { \
- saddr = (struct sockaddr_in##n *)i->ai_addr; \
- *inaddr = &saddr->sin##n##_addr; \
- } else if (found == 1) { \
+ /* Workaround: can't cast on Sparc */ \
+ memcpy(&saddr, i->ai_addr, sizeof(saddr)); \
+ *inaddr = &saddr.sin##n##_addr; \
+ } else if (found == 1) { \
ipset_warn(session, \
"%s resolves to multiple addresses: " \
"using only the first one returned by the resolver", \
- str); \
+ str); \
} \
found++; \
} \
family = ipset_data_family(data);
cidropt = opt == IPSET_OPT_IP ? IPSET_OPT_CIDR : IPSET_OPT_CIDR2;
if (ipset_data_test(data, cidropt)) {
- cidr = *(uint8_t *) ipset_data_get(data, cidropt);
+ cidr = *(const uint8_t *) ipset_data_get(data, cidropt);
D("CIDR: %u", cidr);
} else
cidr = family == AF_INET6 ? 128 : 32;
family = ipset_data_family(data);
cidropt = opt == IPSET_OPT_IP ? IPSET_OPT_CIDR : IPSET_OPT_CIDR2;
if (ipset_data_test(data, cidropt))
- cidr = *(uint8_t *) ipset_data_get(data, cidropt);
+ cidr = *(const uint8_t *) ipset_data_get(data, cidropt);
else
cidr = family == AF_INET6 ? 128 : 32;
flags = env & (1 << IPSET_ENV_RESOLVE) ? 0 : NI_NUMERICHOST;
maxsize = ipset_data_sizeof(opt, AF_INET);
D("opt: %u, maxsize %zu", opt, maxsize);
if (maxsize == sizeof(uint8_t))
- return snprintf(buf, len, "%u", *(uint8_t *) number);
+ return snprintf(buf, len, "%u", *(const uint8_t *) number);
else if (maxsize == sizeof(uint16_t))
- return snprintf(buf, len, "%u", *(uint16_t *) number);
+ return snprintf(buf, len, "%u", *(const uint16_t *) number);
else if (maxsize == sizeof(uint32_t))
return snprintf(buf, len, "%lu",
- (long unsigned) *(uint32_t *) number);
+ (long unsigned) *(const uint32_t *) number);
else
assert(0);
return 0;
if (ipset_data_test(data, IPSET_OPT_NAMEREF)) {
bool before = false;
if (ipset_data_flags_test(data, IPSET_FLAG(IPSET_OPT_FLAGS))) {
- uint32_t *flags =
- (uint32_t *)ipset_data_get(data, IPSET_OPT_FLAGS);
+ const uint32_t *flags =
+ ipset_data_get(data, IPSET_OPT_FLAGS);
before = (*flags) & IPSET_FLAG_BEFORE;
}
size = snprintf(buf + offset, len,
assert(data);
assert(opt == IPSET_OPT_PROTO);
- proto = *(uint8_t *) ipset_data_get(data, IPSET_OPT_PROTO);
+ proto = *(const uint8_t *) ipset_data_get(data, IPSET_OPT_PROTO);
assert(proto);
if (proto == IPSET_IPPROTO_ANY)
uint8_t envopts; /* Session env opts */
/* Kernel message buffer */
size_t bufsize;
- char buffer[0];
+ void *buffer;
};
/*
case MNL_TYPE_U32: {
uint32_t value;
- value = ntohl(*(uint32_t *)d);
+ value = ntohl(*(const uint32_t *)d);
d = &value;
break;
case MNL_TYPE_U16: {
uint16_t value;
- value = ntohs(*(uint16_t *)d);
+ value = ntohs(*(const uint16_t *)d);
d = &value;
break;
}
#ifdef IPSET_DEBUG
if (type == IPSET_ATTR_TYPENAME)
- D("nla typename %s", (char *) d);
+ D("nla typename %s", (const char *) d);
#endif
ret = ipset_data_set(data, attr->opt, d);
#ifdef IPSET_DEBUG
if (type == IPSET_ATTR_TYPENAME)
D("nla typename %s",
- (char *) ipset_data_get(data, IPSET_OPT_TYPENAME));
+ (const char *) ipset_data_get(data, IPSET_OPT_TYPENAME));
#endif
return ret;
}
ATTR2DATA(session, nla, IPSET_ATTR_REVISION, cmd_attrs);
D("head: family %u, typename %s",
ipset_data_family(data),
- (char *) ipset_data_get(data, IPSET_OPT_TYPENAME));
+ (const char *) ipset_data_get(data, IPSET_OPT_TYPENAME));
if (mnl_attr_parse_nested(nla[IPSET_ATTR_DATA],
create_attr_cb, cattr) < 0)
FAILURE("Broken %s kernel message: "
switch (attr->type) {
case MNL_TYPE_U32: {
- uint32_t value = htonl(*(uint32_t *)d);
+ uint32_t value = htonl(*(const uint32_t *)d);
d = &value;
break;
}
case MNL_TYPE_U16: {
- uint16_t value = htons(*(uint16_t *)d);
+ uint16_t value = htons(*(const uint16_t *)d);
d = &value;
break;
build_send_private_msg(struct ipset_session *session, enum ipset_cmd cmd)
{
char buffer[PRIVATE_MSG_BUFLEN] __attribute__ ((aligned));
- struct nlmsghdr *nlh = (struct nlmsghdr *) buffer;
+ struct nlmsghdr *nlh = (struct nlmsghdr *) (void *) buffer;
struct ipset_data *data = session->data;
int len = PRIVATE_MSG_BUFLEN, ret;
enum ipset_cmd saved = session->cmd;
&& STREQ(ipset_data_setname(data), session->saved_setname);
}
-static int
+int
+build_msg(struct ipset_session *session, bool aggregate);
+
+int
build_msg(struct ipset_session *session, bool aggregate)
{
struct nlmsghdr *nlh = (struct nlmsghdr *) session->buffer;
{
struct ipset_session *session;
size_t bufsize = getpagesize();
-
+
/* Create session object */
session = calloc(1, sizeof(struct ipset_session) + bufsize);
if (session == NULL)
return NULL;
session->bufsize = bufsize;
+ session->buffer = session + 1;
/* The single transport method yet */
session->transport = &ipset_mnl_transport;
typename = ipset_data_get(data, IPSET_OPT_TYPENAME);
family = ipset_data_family(data);
- revision = *(uint8_t *) ipset_data_get(data, IPSET_OPT_REVISION);
+ revision = *(const uint8_t *) ipset_data_get(data, IPSET_OPT_REVISION);
/* Check registered types */
for (t = typelist; t != NULL && match == NULL; t = t->next) {
--- /dev/null
+diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
+index 9f00da2..9f51ff6 100644
+--- a/include/linux/netfilter/nfnetlink.h
++++ b/include/linux/netfilter/nfnetlink.h
+@@ -47,7 +47,8 @@ struct nfgenmsg {
+ #define NFNL_SUBSYS_QUEUE 3
+ #define NFNL_SUBSYS_ULOG 4
+ #define NFNL_SUBSYS_OSF 5
+-#define NFNL_SUBSYS_COUNT 6
++#define NFNL_SUBSYS_IPSET 6
++#define NFNL_SUBSYS_COUNT 7
+
+ #ifdef __KERNEL__
+
+diff --git a/include/linux/netlink.h b/include/linux/netlink.h
+index ab5d312..ef8b229 100644
+--- a/include/linux/netlink.h
++++ b/include/linux/netlink.h
+@@ -263,11 +263,14 @@ __nlmsg_put(struct sk_buff *skb, u32 pid, u32 seq, int type, int len, int flags)
+ #define NLMSG_PUT(skb, pid, seq, type, len) \
+ NLMSG_NEW(skb, pid, seq, type, len, 0)
+
+-extern int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+- struct nlmsghdr *nlh,
+- int (*dump)(struct sk_buff *skb, struct netlink_callback*),
+- int (*done)(struct netlink_callback*));
+-
++extern int netlink_dump_init(struct sock *ssk, struct sk_buff *skb,
++ struct nlmsghdr *nlh,
++ int (*dump)(struct sk_buff *skb, struct netlink_callback*),
++ int (*done)(struct netlink_callback*),
++ unsigned char init, ...);
++
++#define netlink_dump_start(ssk, skb, nlh, dump, done) \
++ netlink_dump_init(ssk, skb, nlh, dump, done, 0)
+
+ #define NL_NONROOT_RECV 0x1
+ #define NL_NONROOT_SEND 0x2
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 19e9800..7d85d45 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1714,15 +1714,18 @@ errout:
+ return err;
+ }
+
+-int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+- struct nlmsghdr *nlh,
+- int (*dump)(struct sk_buff *skb,
+- struct netlink_callback *),
+- int (*done)(struct netlink_callback *))
++int netlink_dump_init(struct sock *ssk, struct sk_buff *skb,
++ struct nlmsghdr *nlh,
++ int (*dump)(struct sk_buff *skb,
++ struct netlink_callback *),
++ int (*done)(struct netlink_callback *),
++ unsigned char init, ...)
+ {
+ struct netlink_callback *cb;
+ struct sock *sk;
+ struct netlink_sock *nlk;
++ va_list args;
++ unsigned char i;
+
+ cb = kzalloc(sizeof(*cb), GFP_KERNEL);
+ if (cb == NULL)
+@@ -1733,6 +1736,10 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+ cb->nlh = nlh;
+ atomic_inc(&skb->users);
+ cb->skb = skb;
++ va_start(args, init);
++ for (i = 0; i < init; i++)
++ cb->args[i] = va_arg(args, long);
++ va_end(args);
+
+ sk = netlink_lookup(sock_net(ssk), ssk->sk_protocol, NETLINK_CB(skb).pid);
+ if (sk == NULL) {
+@@ -1759,7 +1766,7 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+ */
+ return -EINTR;
+ }
+-EXPORT_SYMBOL(netlink_dump_start);
++EXPORT_SYMBOL(netlink_dump_init);
+
+ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err)
+ {
# Range: List set
0 ipset list test | sed 's/timeout ./timeout x/' > .foo
# Range: Check listing
-0 diff .foo bitmap:ip.t.list4 && rm .foo
+0 diff -I 'Size in memory.*' .foo bitmap:ip.t.list4 && rm .foo
# Sleep 10s so that entries can time out
0 sleep 10s
# Range: List set after timeout
0 ipset list test > .foo
# Range: Check listing
-0 diff .foo bitmap:ip.t.list0 && rm .foo
+0 diff -I 'Size in memory.*' .foo bitmap:ip.t.list0 && rm .foo
# Range: Flush test set
0 ipset flush test
# Range: Delete test set
# Network: List set
0 ipset list test | sed 's/timeout ./timeout x/' > .foo
# Network: Check listing
-0 diff .foo bitmap:ip.t.list5 && rm .foo
+0 diff -I 'Size in memory.*' .foo bitmap:ip.t.list5 && rm .foo
# Sleep 10s so that entries can time out
0 sleep 10s
# Network: List set
0 ipset list test > .foo
# Network: Check listing
-0 diff .foo bitmap:ip.t.list1 && rm .foo
+0 diff -I 'Size in memory.*' .foo bitmap:ip.t.list1 && rm .foo
# Network: Flush test set
0 ipset flush test
# Network: Delete test set
# Subnets: List set
0 ipset list test | sed 's/timeout ./timeout x/' > .foo
# Subnets: Check listing
-0 diff .foo bitmap:ip.t.list6 && rm .foo
+0 diff -I 'Size in memory.*' .foo bitmap:ip.t.list6 && rm .foo
# Sleep 10s so that entries can time out
0 sleep 10s
# Subnets: List set
0 ipset list test > .foo
# Subnets: Check listing
-0 diff .foo bitmap:ip.t.list2 && rm .foo
+0 diff -I 'Size in memory.*' .foo bitmap:ip.t.list2 && rm .foo
# Subnets: Flush test set
0 ipset flush test
# Subnets: Delete test set
# Full: List set
0 ipset list test > .foo
# Full: Check listing
-0 diff .foo bitmap:ip.t.list3 && rm .foo
+0 diff -I 'Size in memory.*' .foo bitmap:ip.t.list3 && rm .foo
# Full: Delete test set
0 ipset destroy test
# eof
# Range: List set
0 ipset -L test > .foo
# Range: Check listing
-0 diff .foo ipmap.t.list0 && rm .foo
+0 diff -I 'Size in memory.*' .foo ipmap.t.list0 && rm .foo
# Range: Delete a range of elements
0 ipset -! -D test 2.0.0.128-2.0.0.132
# Range: List set
0 ipset -L test > .foo
# Range: Check listing
-0 diff .foo ipmap.t.list1 && rm .foo
+0 diff -I 'Size in memory.*' .foo ipmap.t.list1 && rm .foo
# Range: Flush test set
0 ipset -F test
# Range: Delete test set
# Network: List set
0 ipset -L test > .foo
# Network: Check listing
-0 diff .foo ipmap.t.list2 && rm .foo
+0 diff -I 'Size in memory.*' .foo ipmap.t.list2 && rm .foo
# Network: Flush test set
0 ipset -F test
# Network: Delete test set
# Subnets: List set
0 ipset -L test > .foo
# Subnets: Check listing
-0 diff .foo ipmap.t.list3 && rm .foo
+0 diff -I 'Size in memory.*' .foo ipmap.t.list3 && rm .foo
# Subnets: FLush test set
0 ipset -F test
# Subnets: Delete test set
# Full: List set
0 ipset -L test > .foo
# Full: Check listing
-0 diff .foo ipmap.t.list4 && rm .foo
+0 diff -I 'Size in memory.*' .foo ipmap.t.list4 && rm .foo
# Full: Delete test set
0 ipset -X test
# eof
#!/bin/sh
+# set -x
set -e
# We play with the following networks:
# Range: List set
0 ipset -L test > .foo
# Range: Check listing
-0 diff .foo macipmap.t.list0 && rm .foo
+0 diff -I 'Size in memory.*' .foo macipmap.t.list0 && rm .foo
# Range: Flush test set
0 ipset -F test
# Range: Delete test set
# Network: List set
0 ipset -L test > .foo
# Network: Check listing
-0 diff .foo macipmap.t.list1 && rm .foo
+0 diff -I 'Size in memory.*' .foo macipmap.t.list1 && rm .foo
# Network: Flush test set
0 ipset -F test
# Network: Delete test set
# Range: List set
0 ipset -L test | sed 's/timeout ./timeout x/' > .foo
# Range: Check listing
-0 diff .foo macipmap.t.list3 && rm .foo
+0 diff -I 'Size in memory.*' .foo macipmap.t.list3 && rm .foo
# Range: wait 10s so that elements can timeout
0 sleep 10
# Range: List set
0 ipset -L test > .foo
# Range: Check listing
-0 diff .foo macipmap.t.list2 && rm .foo
+0 diff -I 'Size in memory.*' .foo macipmap.t.list2 && rm .foo
# Range: Flush test set
0 ipset -F test
# Range: Delete test set
# Range: List set
0 ipset -L test > .foo
# Range: Check listing
-0 diff .foo portmap.t.list0 && rm .foo
+0 diff -I 'Size in memory.*' .foo portmap.t.list0 && rm .foo
# Range: Flush test set
0 ipset -F test
# Range: Delete test set
# Full: List set
0 ipset -L test > .foo
# Full: Check listing
-0 diff .foo portmap.t.list1 && rm .foo
+0 diff -I 'Size in memory.*' .foo portmap.t.list1 && rm .foo
# Full: Flush test set
0 ipset -F test
# Full: Delete test set
# Full: List set
0 ipset -L test | sed 's/timeout ./timeout x/' > .foo
# Full: Check listing
-0 diff .foo portmap.t.list3 && rm .foo
+0 diff -I 'Size in memory.*' .foo portmap.t.list3 && rm .foo
# Full: sleep 10s so that elements can timeout
0 sleep 10
# Full: List set
0 ipset -L test > .foo
# Full: Check listing
-# 0 diff .foo portmap.t.list2 && rm .foo
+# 0 diff -I 'Size in memory.*' .foo portmap.t.list2 && rm .foo
# Full: Flush test set
0 ipset -F test
# Full: Delete test set
cmd=ip6tables-save
add=match_target6
fi
- modprobe ip_tables
- if [ ! -e /var/log/kern.log -a -z "`grep 'kernel: ip_tables: ' /var/log/kern/log`" ]; then
+ line="`dmesg | tail -1 | cut -d " " -f 2-`"
+ if [ ! -e /var/log/kern.log -o -z "`grep \"$line\" /var/log/kern.log`" ]; then
echo "The destination for kernel log is not /var/log/kern.log, skipping $1 match and target tests"
return
fi
+ c=${cmd%%-save}
+ if [ "`$c -m set -h 2>&1| grep 'cannot open shared object'`" ]; then
+ echo "$c does not support set match, skipping $1 match and target tests"
+ return
+ fi
if [ `$cmd -t filter | wc -l` -eq 7 -a \
`$cmd -t filter | grep ACCEPT | wc -l` -eq 3 ]; then
if [ -z "`which sendip`" ]; then
# List set
0 ipset -L test > .foo
# Check listing
-0 diff .foo setlist.t.list0 && rm .foo
+0 diff -I 'Size in memory.*' .foo setlist.t.list0 && rm .foo
# Flush all sets
0 ipset -F
# Delete all sets
projects / thirdparty / ipset.git / commitdiff
