-rw-r--r--include/libipset/linux_ip_set.h28
-rw-r--r--include/libipset/types.h11
-rw-r--r--lib/parse.c6
-rw-r--r--lib/print.c18
-rw-r--r--src/ipset_bitmap_ip.c2
-rw-r--r--src/ipset_bitmap_ipmac.c4
-rw-r--r--src/ipset_bitmap_port.c2
-rw-r--r--src/ipset_hash_ip.c2
-rw-r--r--src/ipset_hash_ipport.c4
-rw-r--r--src/ipset_hash_ipportip.c6
-rw-r--r--src/ipset_hash_ipportnet.c12
-rw-r--r--src/ipset_hash_net.c4
-rw-r--r--src/ipset_hash_netiface.c4
-rw-r--r--src/ipset_hash_netport.c8
-rw-r--r--src/ipset_list_set.c2
15 files changed, 68 insertions, 45 deletions
diff --git a/include/libipset/linux_ip_set.h b/include/libipset/linux_ip_set.h
index fb4b69e..b336d43 100644
--- a/include/libipset/linux_ip_set.h
+++ b/include/libipset/linux_ip_set.h
@@ -11,6 +11,8 @@
* published by the Free Software Foundation.
*/
+#include <linux/types.h>
+
/* The protocol version */
#define IPSET_PROTOCOL 6
@@ -168,4 +170,30 @@ enum ipset_adt {
IPSET_CADT_MAX,
};
+/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
+ * and IPSET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef __u16 ip_set_id_t;
+
+#define IPSET_INVALID_ID 65535
+
+enum ip_set_dim {
+ IPSET_DIM_ZERO = 0,
+ IPSET_DIM_ONE,
+ IPSET_DIM_TWO,
+ IPSET_DIM_THREE,
+ /* Max dimension in elements.
+ * If changed, new revision of iptables match/target is required.
+ */
+ IPSET_DIM_MAX = 6,
+};
+
+/* Option flags for kernel operations */
+enum ip_set_kopt {
+ IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
+ IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
+ IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
+ IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
+};
+
#endif /* __IP_SET_H */
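Review bot: The new `enum ip_set_dim` gives `IPSET_DIM_ONE` the value 1, whereas the enum this commit removes from types.h gave it 0, and nothing at the definition records that the constants are now 1-based. A type table or caller that still indexes `elem[]` with the bare constant compiles without a warning and addresses the following slot. For `IPSET_DIM_THREE` that is one past the end of an array sized by `IPSET_DIM_UMAX`. I would add a comment above the enum such as `/* Dimensions are 1-based; userspace elem[] tables are indexed with dim - 1 */`. `IPSET_DIM_MAX = 6` is a kernel-side limit and should likewise be documented as unsuitable for sizing or bounding the three-entry userspace array.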
diff --git a/include/libipset/types.h b/include/libipset/types.h
index d3a0b4c..d2801f1 100644
--- a/include/libipset/types.h
+++ b/include/libipset/types.h
@@ -24,13 +24,8 @@
* - AF_INET46: type supports both IPv4 and IPv6
*/
-/* Set dimensions */
-enum {
- IPSET_DIM_ONE, /* foo */
- IPSET_DIM_TWO, /* foo,bar */
- IPSET_DIM_THREE, /* foo,bar,fie */
- IPSET_DIM_MAX,
-};
+/* The maximal type dimension userspace supports */
+#define IPSET_DIM_UMAX 3
/* Parser options */
enum {
@@ -76,7 +71,7 @@ struct ipset_type {
uint8_t dimension; /* elem dimension */
int8_t kernel_check; /* kernel check */
bool last_elem_optional; /* last element optional */
- struct ipset_elem elem[IPSET_DIM_MAX]; /* parse elem */
+ struct ipset_elem elem[IPSET_DIM_UMAX]; /* parse elem */
ipset_parsefn compat_parse_elem; /* compatibility parser */
const struct ipset_arg *args[IPSET_CADT_MAX]; /* create/ADT args besides elem */
uint64_t mandatory[IPSET_CADT_MAX]; /* create/ADT mandatory flags */
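Review bot: `elem` now has exactly `IPSET_DIM_UMAX` slots and every access in this commit uses `dim - 1`, but `dimension` is a plain `uint8_t` and no range check on it is visible in this diff. A type registered with `dimension` 0 or above 3 would make the parser or printer read a function pointer outside the array. If the registration path (not shown here) does not already reject it, a guard such as `if (type->dimension < IPSET_DIM_ONE || type->dimension > IPSET_DIM_UMAX)` belongs there. The `#define IPSET_DIM_UMAX 3` in the preceding hunk is also a bare literal unrelated to `IPSET_DIM_THREE`; a comment tying the two together, or defining one from the other if the kernel header is in scope at that point, would keep them from drifting apart.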
diff --git a/lib/parse.c b/lib/parse.c
index 2bb0601..1aaf072 100644
--- a/lib/parse.c
+++ b/lib/parse.c
@@ -1525,9 +1525,9 @@ ipset_call_parser(struct ipset_session *session,
#define parse_elem(s, t, d, str) \
do { \
- if (!(t)->elem[d].parse) \
+ if (!(t)->elem[d - 1].parse) \
goto internal; \
- ret = (t)->elem[d].parse(s, (t)->elem[d].opt, str); \
+ ret = (t)->elem[d - 1].parse(s, (t)->elem[d - 1].opt, str); \
if (ret) \
goto out; \
} while (0)
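Review bot: In `parse_elem` the macro argument `d` is used unparenthesised in `elem[d - 1]`, and the subtraction adds a new way to index out of bounds. A `d` of `IPSET_DIM_ZERO` reads `elem[-1]` and then calls through whatever pointer is found there. The index should be written `(d) - 1` in all three places, e.g. `if (!(t)->elem[(d) - 1].parse)` and `ret = (t)->elem[(d) - 1].parse(s, (t)->elem[(d) - 1].opt, str);`. The macro's call sites are outside this hunk, so it is worth confirming that each passes a dimension between `IPSET_DIM_ONE` and `IPSET_DIM_UMAX`.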
@@ -1582,7 +1582,7 @@ ipset_parse_elem(struct ipset_session *session,
} else if (a != NULL) {
if (type->compat_parse_elem) {
ret = type->compat_parse_elem(session,
- type->elem[IPSET_DIM_ONE].opt,
+ type->elem[IPSET_DIM_ONE - 1].opt,
saved);
goto out;
}
diff --git a/lib/print.c b/lib/print.c
index 6452ab5..96c19a1 100644
--- a/lib/print.c
+++ b/lib/print.c
@@ -705,30 +705,30 @@ ipset_print_elem(char *buf, unsigned int len,
if (!type)
return -1;
- size = type->elem[IPSET_DIM_ONE].print(buf, len, data,
- type->elem[IPSET_DIM_ONE].opt, env);
+ size = type->elem[IPSET_DIM_ONE - 1].print(buf, len, data,
+ type->elem[IPSET_DIM_ONE - 1].opt, env);
SNPRINTF_FAILURE(size, len, offset);
- IF_D(ipset_data_test(data, type->elem[IPSET_DIM_TWO].opt),
+ IF_D(ipset_data_test(data, type->elem[IPSET_DIM_TWO - 1].opt),
"print second elem");
if (type->dimension == IPSET_DIM_ONE ||
(type->last_elem_optional &&
- !ipset_data_test(data, type->elem[IPSET_DIM_TWO].opt)))
+ !ipset_data_test(data, type->elem[IPSET_DIM_TWO - 1].opt)))
return offset;
size = snprintf(buf + offset, len, IPSET_ELEM_SEPARATOR);
SNPRINTF_FAILURE(size, len, offset);
- size = type->elem[IPSET_DIM_TWO].print(buf + offset, len, data,
- type->elem[IPSET_DIM_TWO].opt, env);
+ size = type->elem[IPSET_DIM_TWO - 1].print(buf + offset, len, data,
+ type->elem[IPSET_DIM_TWO - 1].opt, env);
SNPRINTF_FAILURE(size, len, offset);
if (type->dimension == IPSET_DIM_TWO ||
(type->last_elem_optional &&
- !ipset_data_test(data, type->elem[IPSET_DIM_THREE].opt)))
+ !ipset_data_test(data, type->elem[IPSET_DIM_THREE - 1].opt)))
return offset;
size = snprintf(buf + offset, len, IPSET_ELEM_SEPARATOR);
SNPRINTF_FAILURE(size, len, offset);
- size = type->elem[IPSET_DIM_THREE].print(buf + offset, len, data,
- type->elem[IPSET_DIM_THREE].opt, env);
+ size = type->elem[IPSET_DIM_THREE - 1].print(buf + offset, len, data,
+ type->elem[IPSET_DIM_THREE - 1].opt, env);
SNPRINTF_FAILURE(size, len, offset);
return offset;
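Review bot: The `.print` pointers are called without a null check at all three positions in this hunk, whereas `parse_elem` in lib/parse.c tests `.parse` before calling it. The early returns compare `type->dimension` for equality with `IPSET_DIM_ONE` and `IPSET_DIM_TWO`, so a type whose `dimension` does not match the slots it actually fills falls through to a call on a zero-initialised entry. A guard before each call, for example `if (!type->elem[IPSET_DIM_TWO - 1].print) return -1;`, would fail cleanly instead. `ipset_print_elem` begins and ends outside this hunk, so an earlier check may already cover this.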
diff --git a/src/ipset_bitmap_ip.c b/src/ipset_bitmap_ip.c
index e73bc7c..89f3002 100644
--- a/src/ipset_bitmap_ip.c
+++ b/src/ipset_bitmap_ip.c
@@ -63,7 +63,7 @@ struct ipset_type ipset_bitmap_ip0 = {
.family = AF_INET,
.dimension = IPSET_DIM_ONE,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_ip,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP
diff --git a/src/ipset_bitmap_ipmac.c b/src/ipset_bitmap_ipmac.c
index f47f25d..f8f7495 100644
--- a/src/ipset_bitmap_ipmac.c
+++ b/src/ipset_bitmap_ipmac.c
@@ -61,12 +61,12 @@ struct ipset_type ipset_bitmap_ipmac0 = {
.dimension = IPSET_DIM_TWO,
.last_elem_optional = true,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_single_ip,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP
},
- [IPSET_DIM_TWO] = {
+ [IPSET_DIM_TWO - 1] = {
.parse = ipset_parse_ether,
.print = ipset_print_ether,
.opt = IPSET_OPT_ETHER
diff --git a/src/ipset_bitmap_port.c b/src/ipset_bitmap_port.c
index c8c6e1f..9acdf23 100644
--- a/src/ipset_bitmap_port.c
+++ b/src/ipset_bitmap_port.c
@@ -54,7 +54,7 @@ struct ipset_type ipset_bitmap_port0 = {
.family = AF_UNSPEC,
.dimension = IPSET_DIM_ONE,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_tcp_port,
.print = ipset_print_port,
.opt = IPSET_OPT_PORT
diff --git a/src/ipset_hash_ip.c b/src/ipset_hash_ip.c
index 315804a..7be8e19 100644
--- a/src/ipset_hash_ip.c
+++ b/src/ipset_hash_ip.c
@@ -86,7 +86,7 @@ struct ipset_type ipset_hash_ip0 = {
.family = AF_INET46,
.dimension = IPSET_DIM_ONE,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_ip4_single6,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP
diff --git a/src/ipset_hash_ipport.c b/src/ipset_hash_ipport.c
index b5bd41b..3738aa4 100644
--- a/src/ipset_hash_ipport.c
+++ b/src/ipset_hash_ipport.c
@@ -92,12 +92,12 @@ struct ipset_type ipset_hash_ipport1 = {
.family = AF_INET46,
.dimension = IPSET_DIM_TWO,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_ip4_single6,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP
},
- [IPSET_DIM_TWO] = {
+ [IPSET_DIM_TWO - 1] = {
.parse = ipset_parse_proto_port,
.print = ipset_print_proto_port,
.opt = IPSET_OPT_PORT
diff --git a/src/ipset_hash_ipportip.c b/src/ipset_hash_ipportip.c
index b27cebf..9a2c44c 100644
--- a/src/ipset_hash_ipportip.c
+++ b/src/ipset_hash_ipportip.c
@@ -92,17 +92,17 @@ struct ipset_type ipset_hash_ipportip1 = {
.family = AF_INET46,
.dimension = IPSET_DIM_THREE,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_ip4_single6,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP
},
- [IPSET_DIM_TWO] = {
+ [IPSET_DIM_TWO - 1] = {
.parse = ipset_parse_proto_port,
.print = ipset_print_proto_port,
.opt = IPSET_OPT_PORT
},
- [IPSET_DIM_THREE] = {
+ [IPSET_DIM_THREE - 1] = {
.parse = ipset_parse_single_ip,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP2
diff --git a/src/ipset_hash_ipportnet.c b/src/ipset_hash_ipportnet.c
index ecab191..b7415dc 100644
--- a/src/ipset_hash_ipportnet.c
+++ b/src/ipset_hash_ipportnet.c
@@ -93,17 +93,17 @@ struct ipset_type ipset_hash_ipportnet1 = {
.family = AF_INET46,
.dimension = IPSET_DIM_THREE,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_ip4_single6,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP
},
- [IPSET_DIM_TWO] = {
+ [IPSET_DIM_TWO - 1] = {
.parse = ipset_parse_proto_port,
.print = ipset_print_proto_port,
.opt = IPSET_OPT_PORT
},
- [IPSET_DIM_THREE] = {
+ [IPSET_DIM_THREE - 1] = {
.parse = ipset_parse_ipnet,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP2
@@ -183,17 +183,17 @@ struct ipset_type ipset_hash_ipportnet2 = {
.family = AF_INET46,
.dimension = IPSET_DIM_THREE,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_ip4_single6,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP
},
- [IPSET_DIM_TWO] = {
+ [IPSET_DIM_TWO - 1] = {
.parse = ipset_parse_proto_port,
.print = ipset_print_proto_port,
.opt = IPSET_OPT_PORT
},
- [IPSET_DIM_THREE] = {
+ [IPSET_DIM_THREE - 1] = {
.parse = ipset_parse_ip4_net6,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP2
diff --git a/src/ipset_hash_net.c b/src/ipset_hash_net.c
index 665c398..587f891 100644
--- a/src/ipset_hash_net.c
+++ b/src/ipset_hash_net.c
@@ -76,7 +76,7 @@ struct ipset_type ipset_hash_net0 = {
.family = AF_INET46,
.dimension = IPSET_DIM_ONE,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_ipnet,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP
@@ -128,7 +128,7 @@ struct ipset_type ipset_hash_net1 = {
.family = AF_INET46,
.dimension = IPSET_DIM_ONE,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_ip4_net6,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP
diff --git a/src/ipset_hash_netiface.c b/src/ipset_hash_netiface.c
index 2fbe27d..d1f5f7e 100644
--- a/src/ipset_hash_netiface.c
+++ b/src/ipset_hash_netiface.c
@@ -69,12 +69,12 @@ struct ipset_type ipset_hash_netiface0 = {
.family = AF_INET46,
.dimension = IPSET_DIM_TWO,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_ip4_net6,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP
},
- [IPSET_DIM_TWO] = {
+ [IPSET_DIM_TWO - 1] = {
.parse = ipset_parse_iface,
.print = ipset_print_iface,
.opt = IPSET_OPT_IFACE
diff --git a/src/ipset_hash_netport.c b/src/ipset_hash_netport.c
index 480dd84..acf4a29 100644
--- a/src/ipset_hash_netport.c
+++ b/src/ipset_hash_netport.c
@@ -70,12 +70,12 @@ struct ipset_type ipset_hash_netport1 = {
.family = AF_INET46,
.dimension = IPSET_DIM_TWO,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_ipnet,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP
},
- [IPSET_DIM_TWO] = {
+ [IPSET_DIM_TWO - 1] = {
.parse = ipset_parse_proto_port,
.print = ipset_print_proto_port,
.opt = IPSET_OPT_PORT
@@ -144,12 +144,12 @@ struct ipset_type ipset_hash_netport2 = {
.family = AF_INET46,
.dimension = IPSET_DIM_TWO,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_ip4_net6,
.print = ipset_print_ip,
.opt = IPSET_OPT_IP
},
- [IPSET_DIM_TWO] = {
+ [IPSET_DIM_TWO - 1] = {
.parse = ipset_parse_proto_port,
.print = ipset_print_proto_port,
.opt = IPSET_OPT_PORT
diff --git a/src/ipset_list_set.c b/src/ipset_list_set.c
index f3fa6df..68616e8 100644
--- a/src/ipset_list_set.c
+++ b/src/ipset_list_set.c
@@ -53,7 +53,7 @@ struct ipset_type ipset_list_set0 = {
.family = AF_UNSPEC,
.dimension = IPSET_DIM_ONE,
.elem = {
- [IPSET_DIM_ONE] = {
+ [IPSET_DIM_ONE - 1] = {
.parse = ipset_parse_setname,
.print = ipset_print_name,
.opt = IPSET_OPT_NAME