1 /*
2 * em_ipset.c IPset Ematch
3 *
4 * (C) 2012 Florian Westphal <fw@strlen.de>
5 *
6 * Parts taken from iptables libxt_set.h:
7 * Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
8 * Patrick Schaaf <bof@bof.de>
9 * Martin Josefsson <gandalf@wlug.westbo.se>
10 * Copyright (C) 2003-2010 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2 as
14 * published by the Free Software Foundation.
15 */
16
17 #include <stdbool.h>
18 #include <stdio.h>
19 #include <errno.h>
20 #include <netdb.h>
21 #include <unistd.h>
22 #include <string.h>
23 #include <stdlib.h>
24 #include <getopt.h>
25
26 #include <xtables.h>
27 #include <linux/netfilter/ipset/ip_set.h>
28
29 #ifndef IPSET_INVALID_ID
30 typedef __u16 ip_set_id_t;
31
32 enum ip_set_dim {
33 IPSET_DIM_ZERO = 0,
34 IPSET_DIM_ONE,
35 IPSET_DIM_TWO,
36 IPSET_DIM_THREE,
37 IPSET_DIM_MAX = 6,
38 };
39 #endif /* IPSET_INVALID_ID */
40
41 #include <linux/netfilter/xt_set.h>
42 #include "m_ematch.h"
43
44 #ifndef IPSET_INVALID_ID
45 #define IPSET_INVALID_ID 65535
46 #define SO_IP_SET 83
47
48 union ip_set_name_index {
49 char name[IPSET_MAXNAMELEN];
50 __u16 index;
51 };
52
53 #define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */
54 struct ip_set_req_get_set {
55 unsigned op;
56 unsigned version;
57 union ip_set_name_index set;
58 };
59
60 #define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */
61 /* Uses ip_set_req_get_set */
62
63 #define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */
64 struct ip_set_req_version {
65 unsigned op;
66 unsigned version;
67 };
68 #endif /* IPSET_INVALID_ID */
69
70 extern struct ematch_util ipset_ematch_util;
71
get_version(unsigned * version)72 static int get_version(unsigned *version)
73 {
74 int res, sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
75 struct ip_set_req_version req_version;
76 socklen_t size = sizeof(req_version);
77
78 if (sockfd < 0) {
79 fputs("Can't open socket to ipset.\n", stderr);
80 return -1;
81 }
82
83 req_version.op = IP_SET_OP_VERSION;
84 res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req_version, &size);
85 if (res != 0) {
86 perror("xt_set getsockopt");
87 return -1;
88 }
89
90 *version = req_version.version;
91 return sockfd;
92 }
93
do_getsockopt(struct ip_set_req_get_set * req)94 static int do_getsockopt(struct ip_set_req_get_set *req)
95 {
96 int sockfd, res;
97 socklen_t size = sizeof(struct ip_set_req_get_set);
98 sockfd = get_version(&req->version);
99 if (sockfd < 0)
100 return -1;
101 res = getsockopt(sockfd, SOL_IP, SO_IP_SET, req, &size);
102 if (res != 0)
103 perror("Problem when communicating with ipset");
104 close(sockfd);
105 if (res != 0)
106 return -1;
107
108 if (size != sizeof(struct ip_set_req_get_set)) {
109 fprintf(stderr,
110 "Incorrect return size from kernel during ipset lookup, "
111 "(want %zu, got %zu)\n",
112 sizeof(struct ip_set_req_get_set), (size_t)size);
113 return -1;
114 }
115
116 return res;
117 }
118
119 static int
get_set_byid(char * setname,unsigned int idx)120 get_set_byid(char *setname, unsigned int idx)
121 {
122 struct ip_set_req_get_set req;
123 int res;
124
125 req.op = IP_SET_OP_GET_BYINDEX;
126 req.set.index = idx;
127 res = do_getsockopt(&req);
128 if (res != 0)
129 return -1;
130 if (req.set.name[0] == '\0') {
131 fprintf(stderr,
132 "Set with index %i in kernel doesn't exist.\n", idx);
133 return -1;
134 }
135
136 strncpy(setname, req.set.name, IPSET_MAXNAMELEN);
137 return 0;
138 }
139
140 static int
get_set_byname(const char * setname,struct xt_set_info * info)141 get_set_byname(const char *setname, struct xt_set_info *info)
142 {
143 struct ip_set_req_get_set req;
144 int res;
145
146 req.op = IP_SET_OP_GET_BYNAME;
147 strncpy(req.set.name, setname, IPSET_MAXNAMELEN);
148 req.set.name[IPSET_MAXNAMELEN - 1] = '\0';
149 res = do_getsockopt(&req);
150 if (res != 0)
151 return -1;
152 if (req.set.index == IPSET_INVALID_ID)
153 return -1;
154 info->index = req.set.index;
155 return 0;
156 }
157
158 static int
parse_dirs(const char * opt_arg,struct xt_set_info * info)159 parse_dirs(const char *opt_arg, struct xt_set_info *info)
160 {
161 char *saved = strdup(opt_arg);
162 char *ptr, *tmp = saved;
163
164 if (!tmp) {
165 perror("strdup");
166 return -1;
167 }
168
169 while (info->dim < IPSET_DIM_MAX && tmp != NULL) {
170 info->dim++;
171 ptr = strsep(&tmp, ",");
172 if (strncmp(ptr, "src", 3) == 0)
173 info->flags |= (1 << info->dim);
174 else if (strncmp(ptr, "dst", 3) != 0) {
175 fputs("You must specify (the comma separated list of) 'src' or 'dst'\n", stderr);
176 free(saved);
177 return -1;
178 }
179 }
180
181 if (tmp)
182 fprintf(stderr, "Can't be more src/dst options than %u", IPSET_DIM_MAX);
183 free(saved);
184 return tmp ? -1 : 0;
185 }
186
ipset_print_usage(FILE * fd)187 static void ipset_print_usage(FILE *fd)
188 {
189 fprintf(fd,
190 "Usage: ipset(SETNAME FLAGS)\n" \
191 "where: SETNAME:= string\n" \
192 " FLAGS := { FLAG[,FLAGS] }\n" \
193 " FLAG := { src | dst }\n" \
194 "\n" \
195 "Example: 'ipset(bulk src,dst)'\n");
196 }
197
ipset_parse_eopt(struct nlmsghdr * n,struct tcf_ematch_hdr * hdr,struct bstr * args)198 static int ipset_parse_eopt(struct nlmsghdr *n, struct tcf_ematch_hdr *hdr,
199 struct bstr *args)
200 {
201 struct xt_set_info set_info;
202 int ret;
203
204 memset(&set_info, 0, sizeof(set_info));
205
206 #define PARSE_ERR(CARG, FMT, ARGS...) \
207 em_parse_error(EINVAL, args, CARG, &ipset_ematch_util, FMT ,##ARGS)
208
209 if (args == NULL)
210 return PARSE_ERR(args, "ipset: missing set name");
211
212 if (args->len >= IPSET_MAXNAMELEN)
213 return PARSE_ERR(args, "ipset: set name too long (max %u)", IPSET_MAXNAMELEN - 1);
214 ret = get_set_byname(args->data, &set_info);
215 if (ret < 0)
216 return PARSE_ERR(args, "ipset: unknown set name '%s'", args->data);
217
218 if (args->next == NULL)
219 return PARSE_ERR(args, "ipset: missing set flags");
220
221 args = bstr_next(args);
222 if (parse_dirs(args->data, &set_info))
223 return PARSE_ERR(args, "ipset: error parsing set flags");
224
225 if (args->next) {
226 args = bstr_next(args);
227 return PARSE_ERR(args, "ipset: unknown parameter");
228 }
229
230 addraw_l(n, MAX_MSG, hdr, sizeof(*hdr));
231 addraw_l(n, MAX_MSG, &set_info, sizeof(set_info));
232
233 #undef PARSE_ERR
234 return 0;
235 }
236
ipset_print_eopt(FILE * fd,struct tcf_ematch_hdr * hdr,void * data,int data_len)237 static int ipset_print_eopt(FILE *fd, struct tcf_ematch_hdr *hdr, void *data,
238 int data_len)
239 {
240 int i;
241 char setname[IPSET_MAXNAMELEN];
242 const struct xt_set_info *set_info = data;
243
244 if (data_len != sizeof(*set_info)) {
245 fprintf(stderr, "xt_set_info struct size mismatch\n");
246 return -1;
247 }
248
249 if (get_set_byid(setname, set_info->index))
250 return -1;
251 fputs(setname, fd);
252 for (i = 1; i <= set_info->dim; i++) {
253 fprintf(fd, "%s%s", i == 1 ? " " : ",", set_info->flags & (1 << i) ? "src" : "dst");
254 }
255
256 return 0;
257 }
258
259 struct ematch_util ipset_ematch_util = {
260 .kind = "ipset",
261 .kind_num = TCF_EM_IPSET,
262 .parse_eopt = ipset_parse_eopt,
263 .print_eopt = ipset_print_eopt,
264 .print_usage = ipset_print_usage
265 };
266