SOURCES (LINUX_2_6): linux-2.6-nf-set.patch (NEW) - [base] set mat...

pluto pluto at pld-linux.org
Thu Sep 15 10:34:38 CEST 2005


Author: pluto                        Date: Thu Sep 15 08:34:38 2005 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- [base] set match/target.

---- Files affected:
SOURCES:
   linux-2.6-nf-set.patch (NONE -> 1.1.2.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/linux-2.6-nf-set.patch
diff -u /dev/null SOURCES/linux-2.6-nf-set.patch:1.1.2.1
--- /dev/null	Thu Sep 15 10:34:38 2005
+++ SOURCES/linux-2.6-nf-set.patch	Thu Sep 15 10:34:33 2005
@@ -0,0 +1,5748 @@
+ include/linux/netfilter_ipv4/ip_set.h          |  489 ++++++
+ include/linux/netfilter_ipv4/ip_set_iphash.h   |   30 
+ include/linux/netfilter_ipv4/ip_set_ipmap.h    |   56 
+ include/linux/netfilter_ipv4/ip_set_iptree.h   |   39 
+ include/linux/netfilter_ipv4/ip_set_jhash.h    |  148 +
+ include/linux/netfilter_ipv4/ip_set_macipmap.h |   38 
+ include/linux/netfilter_ipv4/ip_set_malloc.h   |   42 
+ include/linux/netfilter_ipv4/ip_set_nethash.h  |   55 
+ include/linux/netfilter_ipv4/ip_set_portmap.h  |   25 
+ include/linux/netfilter_ipv4/ip_set_prime.h    |   34 
+ include/linux/netfilter_ipv4/ipt_set.h         |   21 
+ net/ipv4/netfilter/Kconfig                     |  101 +
+ net/ipv4/netfilter/Makefile                    |   11 
+ net/ipv4/netfilter/ip_set.c                    | 1989 +++++++++++++++++++++++++
+ net/ipv4/netfilter/ip_set_iphash.c             |  379 ++++
+ net/ipv4/netfilter/ip_set_ipmap.c              |  313 +++
+ net/ipv4/netfilter/ip_set_iptree.c             |  510 ++++++
+ net/ipv4/netfilter/ip_set_macipmap.c           |  338 ++++
+ net/ipv4/netfilter/ip_set_nethash.c            |  449 +++++
+ net/ipv4/netfilter/ip_set_portmap.c            |  325 ++++
+ net/ipv4/netfilter/ipt_SET.c                   |  128 +
+ net/ipv4/netfilter/ipt_set.c                   |  112 +
+ 22 files changed, 5632 insertions(+)
+
+diff -uNr linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ip_set.h linux-2.6.13.1/include/linux/netfilter_ipv4/ip_set.h
+--- linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ip_set.h	1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/include/linux/netfilter_ipv4/ip_set.h	2005-09-15 10:32:21.918471250 +0200
+@@ -0,0 +1,489 @@
++#ifndef _IP_SET_H
++#define _IP_SET_H
++
++/* Copyright (C) 2000-2002 Joakim Axelsson <gozem at linux.nu>
++ *                         Patrick Schaaf <bof at bof.de>
++ *                         Martin Josefsson <gandalf at wlug.westbo.se>
++ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 2 as
++ * published by the Free Software Foundation.  
++ */
++
++/*
++ * A sockopt of such quality has hardly ever been seen before on the open
++ * market!  This little beauty, hardly ever used: above 64, so it's
++ * traditionally used for firewalling, not touched (even once!) by the
++ * 2.0, 2.2 and 2.4 kernels!
++ *
++ * Comes with its own certificate of authenticity, valid anywhere in the
++ * Free world!
++ *
++ * Rusty, 19.4.2000
++ */
++#define SO_IP_SET 		83
++
++/*
++ * Heavily modify by Joakim Axelsson 08.03.2002
++ * - Made it more modulebased
++ *
++ * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
++ * - bindings added
++ * - in order to "deal with" backward compatibility, renamed to ipset
++ */
++
++/* 
++ * Used so that the kernel module and ipset-binary can match their versions 
++ */
++#define IP_SET_PROTOCOL_VERSION 2
++
++#define IP_SET_MAXNAMELEN 32	/* set names and set typenames */
++
++/* Lets work with our own typedef for representing an IP address.
++ * We hope to make the code more portable, possibly to IPv6...
++ *
++ * The representation works in HOST byte order, because most set types
++ * will perform arithmetic operations and compare operations.
++ * 
++ * For now the type is an uint32_t.
++ *
++ * Make sure to ONLY use the functions when translating and parsing
++ * in order to keep the host byte order and make it more portable:
++ *  parse_ip()
++ *  parse_mask()
++ *  parse_ipandmask()
++ *  ip_tostring()
++ * (Joakim: where are they???)
++ */
++
++typedef uint32_t ip_set_ip_t;
++
++/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
++ * and IP_SET_INVALID_ID if you want to increase the max number of sets.
++ */
++typedef uint16_t ip_set_id_t;
++
++#define IP_SET_INVALID_ID	65535
++
++/* How deep we follow bindings */
++#define IP_SET_MAX_BINDINGS	6
++
++/*
++ * Option flags for kernel operations (ipt_set_info)
++ */
++#define IPSET_SRC 		0x01	/* Source match/add */
++#define IPSET_DST		0x02	/* Destination match/add */
++#define IPSET_MATCH_INV		0x04	/* Inverse matching */
++
++/*
++ * Set types (flavours)
++ */
++#define IPSET_TYPE_IP		0	/* IP address type of set */
++#define IPSET_TYPE_PORT		1	/* Port type of set */
++
++/* Reserved keywords */
++#define IPSET_TOKEN_DEFAULT	":default:"
++#define IPSET_TOKEN_ALL		":all:"
++
++/* SO_IP_SET operation constants, and their request struct types.
++ *
++ * Operation ids:
++ *	  0-99:	 commands with version checking
++ *	100-199: add/del/test/bind/unbind
++ *	200-299: list, save, restore
++ */
++
++/* Single shot operations: 
++ * version, create, destroy, flush, rename and swap 
++ *
++ * Sets are identified by name.
++ */
++
++#define IP_SET_REQ_STD		\
++	unsigned op;		\
++	unsigned version;	\
++	char name[IP_SET_MAXNAMELEN]
++
++#define IP_SET_OP_CREATE	0x00000001	/* Create a new (empty) set */
++struct ip_set_req_create {
++	IP_SET_REQ_STD;
++	char typename[IP_SET_MAXNAMELEN];
++};
++
++#define IP_SET_OP_DESTROY	0x00000002	/* Remove a (empty) set */
++struct ip_set_req_std {
++	IP_SET_REQ_STD;
++};
++
++#define IP_SET_OP_FLUSH		0x00000003	/* Remove all IPs in a set */
++/* Uses ip_set_req_std */
++
++#define IP_SET_OP_RENAME	0x00000004	/* Rename a set */
++/* Uses ip_set_req_create */
++
++#define IP_SET_OP_SWAP		0x00000005	/* Swap two sets */
++/* Uses ip_set_req_create */
++
++union ip_set_name_index {
++	char name[IP_SET_MAXNAMELEN];
++	ip_set_id_t index;
++};
++
++#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
++struct ip_set_req_get_set {
++	unsigned op;
++	unsigned version;
++	union ip_set_name_index set;
++};
++
++#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
++/* Uses ip_set_req_get_set */
++
++#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
++struct ip_set_req_version {
++	unsigned op;
++	unsigned version;
++};
++
++/* Double shots operations: 
++ * add, del, test, bind and unbind.
++ *
++ * First we query the kernel to get the index and type of the target set,
++ * then issue the command. Validity of IP is checked in kernel in order
++ * to minimalize sockopt operations.
++ */
++
++/* Get minimal set data for add/del/test/bind/unbind IP */
++#define IP_SET_OP_ADT_GET	0x00000010	/* Get set and type */
++struct ip_set_req_adt_get {
++	unsigned op;
++	unsigned version;
++	union ip_set_name_index set;
++	char typename[IP_SET_MAXNAMELEN];
++};
++
++#define IP_SET_REQ_BYINDEX	\
++	unsigned op;		\
++	ip_set_id_t index;
++
++struct ip_set_req_adt {
++	IP_SET_REQ_BYINDEX;
++};
++
++#define IP_SET_OP_ADD_IP	0x00000101	/* Add an IP to a set */
++/* Uses ip_set_req_adt, with type specific addage */
++
++#define IP_SET_OP_DEL_IP	0x00000102	/* Remove an IP from a set */
++/* Uses ip_set_req_adt, with type specific addage */
++
++#define IP_SET_OP_TEST_IP	0x00000103	/* Test an IP in a set */
++/* Uses ip_set_req_adt, with type specific addage */
++
++#define IP_SET_OP_BIND_SET	0x00000104	/* Bind an IP to a set */
++/* Uses ip_set_req_bind, with type specific addage */
++struct ip_set_req_bind {
++	IP_SET_REQ_BYINDEX;
++	char binding[IP_SET_MAXNAMELEN];
++};
++
++#define IP_SET_OP_UNBIND_SET	0x00000105	/* Unbind an IP from a set */
++/* Uses ip_set_req_bind, with type speficic addage 
++ * index = 0 means unbinding for all sets */
++
++#define IP_SET_OP_TEST_BIND_SET	0x00000106	/* Test binding an IP to a set */
++/* Uses ip_set_req_bind, with type specific addage */
++
++/* Multiple shots operations: list, save, restore.
++ *
++ * - check kernel version and query the max number of sets
++ * - get the basic information on all sets
++ *   and size required for the next step
++ * - get actual set data: header, data, bindings
++ */
++
++/* Get max_sets and the index of a queried set
++ */
++#define IP_SET_OP_MAX_SETS	0x00000020
++struct ip_set_req_max_sets {
++	unsigned op;
++	unsigned version;
++	ip_set_id_t max_sets;		/* max_sets */
++	ip_set_id_t sets;		/* real number of sets */
++	union ip_set_name_index set;	/* index of set if name used */
++};
++
++/* Get the id and name of the sets plus size for next step */
++#define IP_SET_OP_LIST_SIZE	0x00000201
++#define IP_SET_OP_SAVE_SIZE	0x00000202
++struct ip_set_req_setnames {
++	unsigned op;
++	ip_set_id_t index;		/* set to list/save */
++	size_t size;			/* size to get setdata/bindings */
++	/* followed by sets number of struct ip_set_name_list */
++};
++
++struct ip_set_name_list {
++	char name[IP_SET_MAXNAMELEN];
++	char typename[IP_SET_MAXNAMELEN];
++	ip_set_id_t index;
++	ip_set_id_t id;
++};
++
++/* The actual list operation */
++#define IP_SET_OP_LIST		0x00000203
++struct ip_set_req_list {
++	IP_SET_REQ_BYINDEX;
++	/* sets number of struct ip_set_list in reply */ 
++};
++
++struct ip_set_list {
++	ip_set_id_t index;
++	ip_set_id_t binding;
++	u_int32_t ref;
++	size_t header_size;	/* Set header data of header_size */
++	size_t members_size;	/* Set members data of members_size */
++	size_t bindings_size;	/* Set bindings data of bindings_size */
++};
++
++struct ip_set_hash_list {
++	ip_set_ip_t ip;
++	ip_set_id_t binding;
++};
++
++/* The save operation */
++#define IP_SET_OP_SAVE		0x00000204
++/* Uses ip_set_req_list, in the reply replaced by
++ * sets number of struct ip_set_save plus a marker
++ * ip_set_save followed by ip_set_hash_save structures.
++ */
++struct ip_set_save {
++	ip_set_id_t index;
++	ip_set_id_t binding;
++	size_t header_size;	/* Set header data of header_size */
++	size_t members_size;	/* Set members data of members_size */
++};
++
++/* At restoring, ip == 0 means default binding for the given set: */
++struct ip_set_hash_save {
++	ip_set_ip_t ip;
++	ip_set_id_t id;
++	ip_set_id_t binding;
++};
++
++/* The restore operation */
++#define IP_SET_OP_RESTORE	0x00000205
++/* Uses ip_set_req_setnames followed by ip_set_restore structures
++ * plus a marker ip_set_restore, followed by ip_set_hash_save 
++ * structures.
++ */
++struct ip_set_restore {
++	char name[IP_SET_MAXNAMELEN];
++	char typename[IP_SET_MAXNAMELEN];
++	ip_set_id_t index;
++	size_t header_size;	/* Create data of header_size */
++	size_t members_size;	/* Set members data of members_size */
++};
++
++static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
++{
++	return 4 * ((((b - a + 8) / 8) + 3) / 4);
++}
++
++#ifdef __KERNEL__
++
++#define ip_set_printk(format, args...) 			\
++	do {							\
++		printk("%s: %s: ", __FILE__, __FUNCTION__);	\
++		printk(format "\n" , ## args);			\
++	} while (0)
++
++#if defined(IP_SET_DEBUG)
++#define DP(format, args...) 					\
++	do {							\
++		printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
++		printk(format "\n" , ## args);			\
++	} while (0)
++#define IP_SET_ASSERT(x)					\
++	do {							\
++		if (!(x))					\
++			printk("IP_SET_ASSERT: %s:%i(%s)\n",	\
++				__FILE__, __LINE__, __FUNCTION__); \
++	} while (0)
++#else
++#define DP(format, args...)
++#define IP_SET_ASSERT(x)
++#endif
++
++struct ip_set;
++
++/*
++ * The ip_set_type definition - one per set type, e.g. "ipmap".
++ *
++ * Each individual set has a pointer, set->type, going to one
++ * of these structures. Function pointers inside the structure implement
++ * the real behaviour of the sets.
++ *
++ * If not mentioned differently, the implementation behind the function
++ * pointers of a set_type, is expected to return 0 if ok, and a negative
++ * errno (e.g. -EINVAL) on error.
++ */
++struct ip_set_type {
++	struct list_head list;	/* next in list of set types */
++
++	/* test for IP in set (kernel: iptables -m set src|dst)
++	 * return 0 if not in set, 1 if in set.
++	 */
++	int (*testip_kernel) (struct ip_set *set,
++			      const struct sk_buff * skb, 
++			      u_int32_t flags,
++			      ip_set_ip_t *ip);
++
++	/* test for IP in set (userspace: ipset -T set IP)
++	 * return 0 if not in set, 1 if in set.
++	 */
++	int (*testip) (struct ip_set *set,
++		       const void *data, size_t size,
++		       ip_set_ip_t *ip);
++
++	/*
++	 * Size of the data structure passed by when
++	 * adding/deletin/testing an entry.
++	 */
++	size_t reqsize;
++
++	/* Add IP into set (userspace: ipset -A set IP)
++	 * Return -EEXIST if the address is already in the set,
++	 * and -ERANGE if the address lies outside the set bounds.
++	 * If the address was not already in the set, 0 is returned.
++	 */
++	int (*addip) (struct ip_set *set, 
++		      const void *data, size_t size,
++		      ip_set_ip_t *ip);
++
++	/* Add IP into set (kernel: iptables ... -j SET set src|dst)
++	 * Return -EEXIST if the address is already in the set,
++	 * and -ERANGE if the address lies outside the set bounds.
++	 * If the address was not already in the set, 0 is returned.
++	 */
++	int (*addip_kernel) (struct ip_set *set,
++			     const struct sk_buff * skb, 
++			     u_int32_t flags,
++			     ip_set_ip_t *ip);
++
++	/* remove IP from set (userspace: ipset -D set --entry x)
++	 * Return -EEXIST if the address is NOT in the set,
++	 * and -ERANGE if the address lies outside the set bounds.
++	 * If the address really was in the set, 0 is returned.
++	 */
++	int (*delip) (struct ip_set *set, 
++		      const void *data, size_t size,
++		      ip_set_ip_t *ip);
++
++	/* remove IP from set (kernel: iptables ... -j SET --entry x)
++	 * Return -EEXIST if the address is NOT in the set,
++	 * and -ERANGE if the address lies outside the set bounds.
++	 * If the address really was in the set, 0 is returned.
++	 */
++	int (*delip_kernel) (struct ip_set *set,
++			     const struct sk_buff * skb, 
++			     u_int32_t flags,
++			     ip_set_ip_t *ip);
++
++	/* new set creation - allocated type specific items
++	 */
++	int (*create) (struct ip_set *set,
++		       const void *data, size_t size);
++
++	/* retry the operation after successfully tweaking the set
++	 */
++	int (*retry) (struct ip_set *set);
++
++	/* set destruction - free type specific items
++	 * There is no return value.
++	 * Can be called only when child sets are destroyed.
++	 */
++	void (*destroy) (struct ip_set *set);
++
++	/* set flushing - reset all bits in the set, or something similar.
++	 * There is no return value.
++	 */
++	void (*flush) (struct ip_set *set);
++
++	/* Listing: size needed for header
++	 */
++	size_t header_size;
++
++	/* Listing: Get the header
++	 *
++	 * Fill in the information in "data".
++	 * This function is always run after list_header_size() under a 
++	 * writelock on the set. Therefor is the length of "data" always 
++	 * correct. 
++	 */
++	void (*list_header) (const struct ip_set *set, 
++			     void *data);
++
++	/* Listing: Get the size for the set members
++	 */
++	int (*list_members_size) (const struct ip_set *set);
++
++	/* Listing: Get the set members
++	 *
++	 * Fill in the information in "data".
++	 * This function is always run after list_member_size() under a 
++	 * writelock on the set. Therefor is the length of "data" always 
++	 * correct. 
++	 */
++	void (*list_members) (const struct ip_set *set,
++			      void *data);
++
++	char typename[IP_SET_MAXNAMELEN];
++	char typecode;
++	int protocol_version;
++
++	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
++	struct module *me;
++};
++
++extern int ip_set_register_set_type(struct ip_set_type *set_type);
++extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
++
++/* A generic ipset */
++struct ip_set {
++	char name[IP_SET_MAXNAMELEN];	/* the name of the set */
++	rwlock_t lock;			/* lock for concurrency control */
++	ip_set_id_t id;			/* set id for swapping */
++	ip_set_id_t binding;		/* default binding for the set */
++	atomic_t ref;			/* in kernel and in hash references */
++	struct ip_set_type *type; 	/* the set types */
++	void *data;			/* pooltype specific data */
++};
++
++/* Structure to bind set elements to sets */
++struct ip_set_hash {
++	struct list_head list;		/* list of clashing entries in hash */
++	ip_set_ip_t ip;			/* ip from set */
++	ip_set_id_t id;			/* set id */
++	ip_set_id_t binding;		/* set we bind the element to */
++};
++
++/* register and unregister set references */
++extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
++extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
++extern void ip_set_put(ip_set_id_t id);
++
++/* API for iptables set match, and SET target */
++extern void ip_set_addip_kernel(ip_set_id_t id,
++				const struct sk_buff *skb,
++				const u_int32_t *flags);
++extern void ip_set_delip_kernel(ip_set_id_t id,
++				const struct sk_buff *skb,
++				const u_int32_t *flags);
++extern int ip_set_testip_kernel(ip_set_id_t id,
++				const struct sk_buff *skb,
++				const u_int32_t *flags);
++
++#endif				/* __KERNEL__ */
++
++#endif /*_IP_SET_H*/
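Review bot: The userspace-facing request and reply structures use `size_t` for wire fields (`ip_set_req_setnames.size` at the `size_t size;` line, and the `header_size`/`members_size`/`bindings_size` members of `ip_set_list`, `ip_set_save` and `ip_set_restore`), so the layout of these SO_IP_SET sockopt structures differs between a 32-bit ipset binary and a 64-bit kernel; the header already uses `u_int32_t ref;` in `ip_set_list`, and the same fixed-width type would keep the ABI stable, e.g. `u_int32_t size;		/* size to get setdata/bindings */`. Separately, `bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)` computes `b - a + 8` on unsigned operands and returns it as `int`, so a caller passing `b < a` gets a wrapped, very large byte count rather than an error; if callers are expected to guarantee `a <= b`, a comment such as `/* requires a <= b (host byte order); result is rounded up to a multiple of 4 bytes */` above the function would make that precondition explicit. Also a minor one: the `IP_SET_REQ_BYINDEX` macro ends in a semicolon and every use site adds another (`IP_SET_REQ_BYINDEX;`), producing an empty declaration inside each struct that pedantic builds warn about; dropping the trailing `;` from the macro matches how `IP_SET_REQ_STD` is defined.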
+diff -uNr linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ip_set_iphash.h linux-2.6.13.1/include/linux/netfilter_ipv4/ip_set_iphash.h
+--- linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ip_set_iphash.h	1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/include/linux/netfilter_ipv4/ip_set_iphash.h	2005-09-15 10:32:21.918471250 +0200
+@@ -0,0 +1,30 @@
++#ifndef __IP_SET_IPHASH_H
++#define __IP_SET_IPHASH_H
++
++#include <linux/netfilter_ipv4/ip_set.h>
++
++#define SETTYPE_NAME "iphash"
++#define MAX_RANGE 0x0000FFFF
++
++struct ip_set_iphash {
++	ip_set_ip_t *members;		/* the iphash proper */
++	uint32_t initval;		/* initval for jhash_1word */
++	uint32_t prime;			/* prime for double hashing */
++	uint32_t hashsize;		/* hash size */
++	uint16_t probes;		/* max number of probes  */
++	uint16_t resize;		/* resize factor in percent */
++	ip_set_ip_t netmask;		/* netmask */
++};
++
++struct ip_set_req_iphash_create {
++	uint32_t hashsize;
++	uint16_t probes;
++	uint16_t resize;
++	ip_set_ip_t netmask;
++};
++
++struct ip_set_req_iphash {
++	ip_set_ip_t ip;
++};
++
++#endif	/* __IP_SET_IPHASH_H */
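Review bot: `SETTYPE_NAME` and `MAX_RANGE` are defined here without a type-specific prefix, and the `ip_set_ipmap.h` header added by the same patch defines the same two macro names with a different `SETTYPE_NAME` value, so any translation unit that includes more than one set-type header gets a macro redefinition warning and silently uses whichever definition came last. Prefixing them per type, e.g. `#define IP_SET_IPHASH_NAME "iphash"` and `#define IP_SET_IPHASH_MAX_RANGE 0x0000FFFF`, or moving the shared `MAX_RANGE` into `ip_set.h`, avoids the clash. The include guard `__IP_SET_IPHASH_H` also begins with a double underscore, which is a reserved identifier in C; `_IP_SET_IPHASH_H` would be consistent with the `_IP_SET_H` guard used in `ip_set.h`.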
+diff -uNr linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ip_set_ipmap.h linux-2.6.13.1/include/linux/netfilter_ipv4/ip_set_ipmap.h
+--- linux-2.6.13.1/include.orig/linux/netfilter_ipv4/ip_set_ipmap.h	1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.13.1/include/linux/netfilter_ipv4/ip_set_ipmap.h	2005-09-15 10:32:21.918471250 +0200
+@@ -0,0 +1,56 @@
++#ifndef __IP_SET_IPMAP_H
++#define __IP_SET_IPMAP_H
++
++#include <linux/netfilter_ipv4/ip_set.h>
++
++#define SETTYPE_NAME "ipmap"
++#define MAX_RANGE 0x0000FFFF
++
++struct ip_set_ipmap {
++	void *members;			/* the ipmap proper */
++	ip_set_ip_t first_ip;		/* host byte order, included in range */
++	ip_set_ip_t last_ip;		/* host byte order, included in range */
++	ip_set_ip_t netmask;		/* subnet netmask */
++	ip_set_ip_t sizeid;		/* size of set in IPs */
++	u_int16_t hosts;		/* number of hosts in a subnet */
++};
++
++struct ip_set_req_ipmap_create {
++	ip_set_ip_t from;
++	ip_set_ip_t to;
++	ip_set_ip_t netmask;
++};
++
++struct ip_set_req_ipmap {
++	ip_set_ip_t ip;
++};
++
++unsigned int
++mask_to_bits(ip_set_ip_t mask)
++{
++	unsigned int bits = 32;
++	ip_set_ip_t maskaddr;
++	
++	if (mask == 0xFFFFFFFF)
++		return bits;
++	
<<Diff was trimmed, longer than 597 lines>>


