1*de1e4e89SAndroid Build Coastguard Worker /*
2*de1e4e89SAndroid Build Coastguard Worker * em_ipset.c IPset Ematch
3*de1e4e89SAndroid Build Coastguard Worker *
4*de1e4e89SAndroid Build Coastguard Worker * (C) 2012 Florian Westphal <[email protected]>
5*de1e4e89SAndroid Build Coastguard Worker *
6*de1e4e89SAndroid Build Coastguard Worker * Parts taken from iptables libxt_set.h:
7*de1e4e89SAndroid Build Coastguard Worker * Copyright (C) 2000-2002 Joakim Axelsson <[email protected]>
8*de1e4e89SAndroid Build Coastguard Worker * Patrick Schaaf <[email protected]>
9*de1e4e89SAndroid Build Coastguard Worker * Martin Josefsson <[email protected]>
10*de1e4e89SAndroid Build Coastguard Worker * Copyright (C) 2003-2010 Jozsef Kadlecsik <[email protected]>
11*de1e4e89SAndroid Build Coastguard Worker *
12*de1e4e89SAndroid Build Coastguard Worker * This program is free software; you can redistribute it and/or modify
13*de1e4e89SAndroid Build Coastguard Worker * it under the terms of the GNU General Public License version 2 as
14*de1e4e89SAndroid Build Coastguard Worker * published by the Free Software Foundation.
15*de1e4e89SAndroid Build Coastguard Worker */
16*de1e4e89SAndroid Build Coastguard Worker
17*de1e4e89SAndroid Build Coastguard Worker #include <stdbool.h>
18*de1e4e89SAndroid Build Coastguard Worker #include <stdio.h>
19*de1e4e89SAndroid Build Coastguard Worker #include <errno.h>
20*de1e4e89SAndroid Build Coastguard Worker #include <netdb.h>
21*de1e4e89SAndroid Build Coastguard Worker #include <unistd.h>
22*de1e4e89SAndroid Build Coastguard Worker #include <string.h>
23*de1e4e89SAndroid Build Coastguard Worker #include <stdlib.h>
24*de1e4e89SAndroid Build Coastguard Worker #include <getopt.h>
25*de1e4e89SAndroid Build Coastguard Worker
26*de1e4e89SAndroid Build Coastguard Worker #include <xtables.h>
27*de1e4e89SAndroid Build Coastguard Worker #include <linux/netfilter/ipset/ip_set.h>
28*de1e4e89SAndroid Build Coastguard Worker
29*de1e4e89SAndroid Build Coastguard Worker #ifndef IPSET_INVALID_ID
30*de1e4e89SAndroid Build Coastguard Worker typedef __u16 ip_set_id_t;
31*de1e4e89SAndroid Build Coastguard Worker
32*de1e4e89SAndroid Build Coastguard Worker enum ip_set_dim {
33*de1e4e89SAndroid Build Coastguard Worker IPSET_DIM_ZERO = 0,
34*de1e4e89SAndroid Build Coastguard Worker IPSET_DIM_ONE,
35*de1e4e89SAndroid Build Coastguard Worker IPSET_DIM_TWO,
36*de1e4e89SAndroid Build Coastguard Worker IPSET_DIM_THREE,
37*de1e4e89SAndroid Build Coastguard Worker IPSET_DIM_MAX = 6,
38*de1e4e89SAndroid Build Coastguard Worker };
39*de1e4e89SAndroid Build Coastguard Worker #endif /* IPSET_INVALID_ID */
40*de1e4e89SAndroid Build Coastguard Worker
41*de1e4e89SAndroid Build Coastguard Worker #include <linux/netfilter/xt_set.h>
42*de1e4e89SAndroid Build Coastguard Worker #include "m_ematch.h"
43*de1e4e89SAndroid Build Coastguard Worker
44*de1e4e89SAndroid Build Coastguard Worker #ifndef IPSET_INVALID_ID
45*de1e4e89SAndroid Build Coastguard Worker #define IPSET_INVALID_ID 65535
46*de1e4e89SAndroid Build Coastguard Worker #define SO_IP_SET 83
47*de1e4e89SAndroid Build Coastguard Worker
48*de1e4e89SAndroid Build Coastguard Worker union ip_set_name_index {
49*de1e4e89SAndroid Build Coastguard Worker char name[IPSET_MAXNAMELEN];
50*de1e4e89SAndroid Build Coastguard Worker __u16 index;
51*de1e4e89SAndroid Build Coastguard Worker };
52*de1e4e89SAndroid Build Coastguard Worker
53*de1e4e89SAndroid Build Coastguard Worker #define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
54*de1e4e89SAndroid Build Coastguard Worker struct ip_set_req_get_set {
55*de1e4e89SAndroid Build Coastguard Worker unsigned int op;
56*de1e4e89SAndroid Build Coastguard Worker unsigned int version;
57*de1e4e89SAndroid Build Coastguard Worker union ip_set_name_index set;
58*de1e4e89SAndroid Build Coastguard Worker };
59*de1e4e89SAndroid Build Coastguard Worker
60*de1e4e89SAndroid Build Coastguard Worker #define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
61*de1e4e89SAndroid Build Coastguard Worker /* Uses ip_set_req_get_set */
62*de1e4e89SAndroid Build Coastguard Worker
63*de1e4e89SAndroid Build Coastguard Worker #define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
64*de1e4e89SAndroid Build Coastguard Worker struct ip_set_req_version {
65*de1e4e89SAndroid Build Coastguard Worker unsigned int op;
66*de1e4e89SAndroid Build Coastguard Worker unsigned int version;
67*de1e4e89SAndroid Build Coastguard Worker };
68*de1e4e89SAndroid Build Coastguard Worker #endif /* IPSET_INVALID_ID */
69*de1e4e89SAndroid Build Coastguard Worker
70*de1e4e89SAndroid Build Coastguard Worker extern struct ematch_util ipset_ematch_util;
71*de1e4e89SAndroid Build Coastguard Worker
get_version(unsigned int * version)72*de1e4e89SAndroid Build Coastguard Worker static int get_version(unsigned int *version)
73*de1e4e89SAndroid Build Coastguard Worker {
74*de1e4e89SAndroid Build Coastguard Worker int res, sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
75*de1e4e89SAndroid Build Coastguard Worker struct ip_set_req_version req_version;
76*de1e4e89SAndroid Build Coastguard Worker socklen_t size = sizeof(req_version);
77*de1e4e89SAndroid Build Coastguard Worker
78*de1e4e89SAndroid Build Coastguard Worker if (sockfd < 0) {
79*de1e4e89SAndroid Build Coastguard Worker fputs("Can't open socket to ipset.\n", stderr);
80*de1e4e89SAndroid Build Coastguard Worker return -1;
81*de1e4e89SAndroid Build Coastguard Worker }
82*de1e4e89SAndroid Build Coastguard Worker
83*de1e4e89SAndroid Build Coastguard Worker req_version.op = IP_SET_OP_VERSION;
84*de1e4e89SAndroid Build Coastguard Worker res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req_version, &size);
85*de1e4e89SAndroid Build Coastguard Worker if (res != 0) {
86*de1e4e89SAndroid Build Coastguard Worker perror("xt_set getsockopt");
87*de1e4e89SAndroid Build Coastguard Worker close(sockfd);
88*de1e4e89SAndroid Build Coastguard Worker return -1;
89*de1e4e89SAndroid Build Coastguard Worker }
90*de1e4e89SAndroid Build Coastguard Worker
91*de1e4e89SAndroid Build Coastguard Worker *version = req_version.version;
92*de1e4e89SAndroid Build Coastguard Worker return sockfd;
93*de1e4e89SAndroid Build Coastguard Worker }
94*de1e4e89SAndroid Build Coastguard Worker
do_getsockopt(struct ip_set_req_get_set * req)95*de1e4e89SAndroid Build Coastguard Worker static int do_getsockopt(struct ip_set_req_get_set *req)
96*de1e4e89SAndroid Build Coastguard Worker {
97*de1e4e89SAndroid Build Coastguard Worker int sockfd, res;
98*de1e4e89SAndroid Build Coastguard Worker socklen_t size = sizeof(struct ip_set_req_get_set);
99*de1e4e89SAndroid Build Coastguard Worker
100*de1e4e89SAndroid Build Coastguard Worker sockfd = get_version(&req->version);
101*de1e4e89SAndroid Build Coastguard Worker if (sockfd < 0)
102*de1e4e89SAndroid Build Coastguard Worker return -1;
103*de1e4e89SAndroid Build Coastguard Worker res = getsockopt(sockfd, SOL_IP, SO_IP_SET, req, &size);
104*de1e4e89SAndroid Build Coastguard Worker if (res != 0)
105*de1e4e89SAndroid Build Coastguard Worker perror("Problem when communicating with ipset");
106*de1e4e89SAndroid Build Coastguard Worker close(sockfd);
107*de1e4e89SAndroid Build Coastguard Worker if (res != 0)
108*de1e4e89SAndroid Build Coastguard Worker return -1;
109*de1e4e89SAndroid Build Coastguard Worker
110*de1e4e89SAndroid Build Coastguard Worker if (size != sizeof(struct ip_set_req_get_set)) {
111*de1e4e89SAndroid Build Coastguard Worker fprintf(stderr,
112*de1e4e89SAndroid Build Coastguard Worker "Incorrect return size from kernel during ipset lookup, (want %zu, got %zu)\n",
113*de1e4e89SAndroid Build Coastguard Worker sizeof(struct ip_set_req_get_set), (size_t)size);
114*de1e4e89SAndroid Build Coastguard Worker return -1;
115*de1e4e89SAndroid Build Coastguard Worker }
116*de1e4e89SAndroid Build Coastguard Worker
117*de1e4e89SAndroid Build Coastguard Worker return res;
118*de1e4e89SAndroid Build Coastguard Worker }
119*de1e4e89SAndroid Build Coastguard Worker
120*de1e4e89SAndroid Build Coastguard Worker static int
get_set_byid(char * setname,unsigned int idx)121*de1e4e89SAndroid Build Coastguard Worker get_set_byid(char *setname, unsigned int idx)
122*de1e4e89SAndroid Build Coastguard Worker {
123*de1e4e89SAndroid Build Coastguard Worker struct ip_set_req_get_set req;
124*de1e4e89SAndroid Build Coastguard Worker int res;
125*de1e4e89SAndroid Build Coastguard Worker
126*de1e4e89SAndroid Build Coastguard Worker req.op = IP_SET_OP_GET_BYINDEX;
127*de1e4e89SAndroid Build Coastguard Worker req.set.index = idx;
128*de1e4e89SAndroid Build Coastguard Worker res = do_getsockopt(&req);
129*de1e4e89SAndroid Build Coastguard Worker if (res != 0)
130*de1e4e89SAndroid Build Coastguard Worker return -1;
131*de1e4e89SAndroid Build Coastguard Worker if (req.set.name[0] == '\0') {
132*de1e4e89SAndroid Build Coastguard Worker fprintf(stderr,
133*de1e4e89SAndroid Build Coastguard Worker "Set with index %i in kernel doesn't exist.\n", idx);
134*de1e4e89SAndroid Build Coastguard Worker return -1;
135*de1e4e89SAndroid Build Coastguard Worker }
136*de1e4e89SAndroid Build Coastguard Worker
137*de1e4e89SAndroid Build Coastguard Worker strncpy(setname, req.set.name, IPSET_MAXNAMELEN);
138*de1e4e89SAndroid Build Coastguard Worker return 0;
139*de1e4e89SAndroid Build Coastguard Worker }
140*de1e4e89SAndroid Build Coastguard Worker
141*de1e4e89SAndroid Build Coastguard Worker static int
get_set_byname(const char * setname,struct xt_set_info * info)142*de1e4e89SAndroid Build Coastguard Worker get_set_byname(const char *setname, struct xt_set_info *info)
143*de1e4e89SAndroid Build Coastguard Worker {
144*de1e4e89SAndroid Build Coastguard Worker struct ip_set_req_get_set req;
145*de1e4e89SAndroid Build Coastguard Worker int res;
146*de1e4e89SAndroid Build Coastguard Worker
147*de1e4e89SAndroid Build Coastguard Worker req.op = IP_SET_OP_GET_BYNAME;
148*de1e4e89SAndroid Build Coastguard Worker strlcpy(req.set.name, setname, IPSET_MAXNAMELEN);
149*de1e4e89SAndroid Build Coastguard Worker res = do_getsockopt(&req);
150*de1e4e89SAndroid Build Coastguard Worker if (res != 0)
151*de1e4e89SAndroid Build Coastguard Worker return -1;
152*de1e4e89SAndroid Build Coastguard Worker if (req.set.index == IPSET_INVALID_ID)
153*de1e4e89SAndroid Build Coastguard Worker return -1;
154*de1e4e89SAndroid Build Coastguard Worker info->index = req.set.index;
155*de1e4e89SAndroid Build Coastguard Worker return 0;
156*de1e4e89SAndroid Build Coastguard Worker }
157*de1e4e89SAndroid Build Coastguard Worker
158*de1e4e89SAndroid Build Coastguard Worker static int
parse_dirs(const char * opt_arg,struct xt_set_info * info)159*de1e4e89SAndroid Build Coastguard Worker parse_dirs(const char *opt_arg, struct xt_set_info *info)
160*de1e4e89SAndroid Build Coastguard Worker {
161*de1e4e89SAndroid Build Coastguard Worker char *saved = strdup(opt_arg);
162*de1e4e89SAndroid Build Coastguard Worker char *ptr, *tmp = saved;
163*de1e4e89SAndroid Build Coastguard Worker
164*de1e4e89SAndroid Build Coastguard Worker if (!tmp) {
165*de1e4e89SAndroid Build Coastguard Worker perror("strdup");
166*de1e4e89SAndroid Build Coastguard Worker return -1;
167*de1e4e89SAndroid Build Coastguard Worker }
168*de1e4e89SAndroid Build Coastguard Worker
169*de1e4e89SAndroid Build Coastguard Worker while (info->dim < IPSET_DIM_MAX && tmp != NULL) {
170*de1e4e89SAndroid Build Coastguard Worker info->dim++;
171*de1e4e89SAndroid Build Coastguard Worker ptr = strsep(&tmp, ",");
172*de1e4e89SAndroid Build Coastguard Worker if (strncmp(ptr, "src", 3) == 0)
173*de1e4e89SAndroid Build Coastguard Worker info->flags |= (1 << info->dim);
174*de1e4e89SAndroid Build Coastguard Worker else if (strncmp(ptr, "dst", 3) != 0) {
175*de1e4e89SAndroid Build Coastguard Worker fputs("You must specify (the comma separated list of) 'src' or 'dst'\n", stderr);
176*de1e4e89SAndroid Build Coastguard Worker free(saved);
177*de1e4e89SAndroid Build Coastguard Worker return -1;
178*de1e4e89SAndroid Build Coastguard Worker }
179*de1e4e89SAndroid Build Coastguard Worker }
180*de1e4e89SAndroid Build Coastguard Worker
181*de1e4e89SAndroid Build Coastguard Worker if (tmp)
182*de1e4e89SAndroid Build Coastguard Worker fprintf(stderr, "Can't be more src/dst options than %u", IPSET_DIM_MAX);
183*de1e4e89SAndroid Build Coastguard Worker free(saved);
184*de1e4e89SAndroid Build Coastguard Worker return tmp ? -1 : 0;
185*de1e4e89SAndroid Build Coastguard Worker }
186*de1e4e89SAndroid Build Coastguard Worker
ipset_print_usage(FILE * fd)187*de1e4e89SAndroid Build Coastguard Worker static void ipset_print_usage(FILE *fd)
188*de1e4e89SAndroid Build Coastguard Worker {
189*de1e4e89SAndroid Build Coastguard Worker fprintf(fd,
190*de1e4e89SAndroid Build Coastguard Worker "Usage: ipset(SETNAME FLAGS)\n" \
191*de1e4e89SAndroid Build Coastguard Worker "where: SETNAME:= string\n" \
192*de1e4e89SAndroid Build Coastguard Worker " FLAGS := { FLAG[,FLAGS] }\n" \
193*de1e4e89SAndroid Build Coastguard Worker " FLAG := { src | dst }\n" \
194*de1e4e89SAndroid Build Coastguard Worker "\n" \
195*de1e4e89SAndroid Build Coastguard Worker "Example: 'ipset(bulk src,dst)'\n");
196*de1e4e89SAndroid Build Coastguard Worker }
197*de1e4e89SAndroid Build Coastguard Worker
ipset_parse_eopt(struct nlmsghdr * n,struct tcf_ematch_hdr * hdr,struct bstr * args)198*de1e4e89SAndroid Build Coastguard Worker static int ipset_parse_eopt(struct nlmsghdr *n, struct tcf_ematch_hdr *hdr,
199*de1e4e89SAndroid Build Coastguard Worker struct bstr *args)
200*de1e4e89SAndroid Build Coastguard Worker {
201*de1e4e89SAndroid Build Coastguard Worker struct xt_set_info set_info = {};
202*de1e4e89SAndroid Build Coastguard Worker int ret;
203*de1e4e89SAndroid Build Coastguard Worker
204*de1e4e89SAndroid Build Coastguard Worker #define PARSE_ERR(CARG, FMT, ARGS...) \
205*de1e4e89SAndroid Build Coastguard Worker em_parse_error(EINVAL, args, CARG, &ipset_ematch_util, FMT, ##ARGS)
206*de1e4e89SAndroid Build Coastguard Worker
207*de1e4e89SAndroid Build Coastguard Worker if (args == NULL)
208*de1e4e89SAndroid Build Coastguard Worker return PARSE_ERR(args, "ipset: missing set name");
209*de1e4e89SAndroid Build Coastguard Worker
210*de1e4e89SAndroid Build Coastguard Worker if (args->len >= IPSET_MAXNAMELEN)
211*de1e4e89SAndroid Build Coastguard Worker return PARSE_ERR(args, "ipset: set name too long (max %u)", IPSET_MAXNAMELEN - 1);
212*de1e4e89SAndroid Build Coastguard Worker ret = get_set_byname(args->data, &set_info);
213*de1e4e89SAndroid Build Coastguard Worker if (ret < 0)
214*de1e4e89SAndroid Build Coastguard Worker return PARSE_ERR(args, "ipset: unknown set name '%s'", args->data);
215*de1e4e89SAndroid Build Coastguard Worker
216*de1e4e89SAndroid Build Coastguard Worker if (args->next == NULL)
217*de1e4e89SAndroid Build Coastguard Worker return PARSE_ERR(args, "ipset: missing set flags");
218*de1e4e89SAndroid Build Coastguard Worker
219*de1e4e89SAndroid Build Coastguard Worker args = bstr_next(args);
220*de1e4e89SAndroid Build Coastguard Worker if (parse_dirs(args->data, &set_info))
221*de1e4e89SAndroid Build Coastguard Worker return PARSE_ERR(args, "ipset: error parsing set flags");
222*de1e4e89SAndroid Build Coastguard Worker
223*de1e4e89SAndroid Build Coastguard Worker if (args->next) {
224*de1e4e89SAndroid Build Coastguard Worker args = bstr_next(args);
225*de1e4e89SAndroid Build Coastguard Worker return PARSE_ERR(args, "ipset: unknown parameter");
226*de1e4e89SAndroid Build Coastguard Worker }
227*de1e4e89SAndroid Build Coastguard Worker
228*de1e4e89SAndroid Build Coastguard Worker addraw_l(n, MAX_MSG, hdr, sizeof(*hdr));
229*de1e4e89SAndroid Build Coastguard Worker addraw_l(n, MAX_MSG, &set_info, sizeof(set_info));
230*de1e4e89SAndroid Build Coastguard Worker
231*de1e4e89SAndroid Build Coastguard Worker #undef PARSE_ERR
232*de1e4e89SAndroid Build Coastguard Worker return 0;
233*de1e4e89SAndroid Build Coastguard Worker }
234*de1e4e89SAndroid Build Coastguard Worker
ipset_print_eopt(FILE * fd,struct tcf_ematch_hdr * hdr,void * data,int data_len)235*de1e4e89SAndroid Build Coastguard Worker static int ipset_print_eopt(FILE *fd, struct tcf_ematch_hdr *hdr, void *data,
236*de1e4e89SAndroid Build Coastguard Worker int data_len)
237*de1e4e89SAndroid Build Coastguard Worker {
238*de1e4e89SAndroid Build Coastguard Worker int i;
239*de1e4e89SAndroid Build Coastguard Worker char setname[IPSET_MAXNAMELEN];
240*de1e4e89SAndroid Build Coastguard Worker const struct xt_set_info *set_info = data;
241*de1e4e89SAndroid Build Coastguard Worker
242*de1e4e89SAndroid Build Coastguard Worker if (data_len != sizeof(*set_info)) {
243*de1e4e89SAndroid Build Coastguard Worker fprintf(stderr, "xt_set_info struct size mismatch\n");
244*de1e4e89SAndroid Build Coastguard Worker return -1;
245*de1e4e89SAndroid Build Coastguard Worker }
246*de1e4e89SAndroid Build Coastguard Worker
247*de1e4e89SAndroid Build Coastguard Worker if (get_set_byid(setname, set_info->index))
248*de1e4e89SAndroid Build Coastguard Worker return -1;
249*de1e4e89SAndroid Build Coastguard Worker fputs(setname, fd);
250*de1e4e89SAndroid Build Coastguard Worker for (i = 1; i <= set_info->dim; i++) {
251*de1e4e89SAndroid Build Coastguard Worker fprintf(fd, "%s%s", i == 1 ? " " : ",", set_info->flags & (1 << i) ? "src" : "dst");
252*de1e4e89SAndroid Build Coastguard Worker }
253*de1e4e89SAndroid Build Coastguard Worker
254*de1e4e89SAndroid Build Coastguard Worker return 0;
255*de1e4e89SAndroid Build Coastguard Worker }
256*de1e4e89SAndroid Build Coastguard Worker
257*de1e4e89SAndroid Build Coastguard Worker struct ematch_util ipset_ematch_util = {
258*de1e4e89SAndroid Build Coastguard Worker .kind = "ipset",
259*de1e4e89SAndroid Build Coastguard Worker .kind_num = TCF_EM_IPSET,
260*de1e4e89SAndroid Build Coastguard Worker .parse_eopt = ipset_parse_eopt,
261*de1e4e89SAndroid Build Coastguard Worker .print_eopt = ipset_print_eopt,
262*de1e4e89SAndroid Build Coastguard Worker .print_usage = ipset_print_usage
263*de1e4e89SAndroid Build Coastguard Worker };
264