From 5e5e23e79dbc4cf581a09149885fef178bc07725 Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Sat, 6 Apr 2013 09:52:33 +0200 Subject: The uapi include split in the package itself Signed-off-by: Jozsef Kadlecsik --- Makefile.am | 8 +- include/libipset/linux_ip_set.h | 34 ++- include/libipset/linux_ip_set_bitmap.h | 7 +- include/libipset/linux_ip_set_hash.h | 7 +- include/libipset/linux_ip_set_list.h | 7 +- kernel/include/linux/netfilter/ipset/ip_set.h | 225 +------------------- .../include/linux/netfilter/ipset/ip_set_bitmap.h | 11 +- kernel/include/linux/netfilter/ipset/ip_set_hash.h | 19 +- kernel/include/linux/netfilter/ipset/ip_set_list.h | 19 +- kernel/include/linux/netfilter/xt_set.h | 65 ------ kernel/include/uapi/linux/netfilter/ipset/ip_set.h | 231 +++++++++++++++++++++ .../uapi/linux/netfilter/ipset/ip_set_bitmap.h | 13 ++ .../uapi/linux/netfilter/ipset/ip_set_hash.h | 21 ++ .../uapi/linux/netfilter/ipset/ip_set_list.h | 21 ++ kernel/include/uapi/linux/netfilter/xt_set.h | 65 ++++++ update | 9 - 16 files changed, 403 insertions(+), 359 deletions(-) delete mode 100644 kernel/include/linux/netfilter/xt_set.h create mode 100644 kernel/include/uapi/linux/netfilter/ipset/ip_set.h create mode 100644 kernel/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h create mode 100644 kernel/include/uapi/linux/netfilter/ipset/ip_set_hash.h create mode 100644 kernel/include/uapi/linux/netfilter/ipset/ip_set_list.h create mode 100644 kernel/include/uapi/linux/netfilter/xt_set.h delete mode 100755 update diff --git a/Makefile.am b/Makefile.am index 60d0754..0806623 100644 --- a/Makefile.am +++ b/Makefile.am @@ -53,10 +53,10 @@ else endif update_includes: - ./update ip_set.h - ./update ip_set_bitmap.h - ./update ip_set_hash.h - ./update ip_set_list.h + for x in ip_set.h ip_set_bitmap.h ip_set_hash.h ip_set_list.h; do \ + cp kernel/include/uapi/linux/netfilter/ipset/$$x \ + include/libipset/linux_$$x; \ + done update_utils: wget -O /tmp/ipset-bash-completion.tar.gz http://sourceforge.net/projects/ipset-bashcompl/files/latest/download diff --git a/include/libipset/linux_ip_set.h b/include/libipset/linux_ip_set.h index d3267a4..f7ed8c9 100644 --- a/include/libipset/linux_ip_set.h +++ b/include/libipset/linux_ip_set.h @@ -1,6 +1,3 @@ -#ifndef _IP_SET_H -#define _IP_SET_H - /* Copyright (C) 2000-2002 Joakim Axelsson * Patrick Schaaf * Martin Josefsson @@ -10,6 +7,9 @@ * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */ +#ifndef _UAPI_IP_SET_H +#define _UAPI_IP_SET_H + #include @@ -202,4 +202,30 @@ enum ip_set_kopt { IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH), }; -#endif /* __IP_SET_H */ + +/* Interface to iptables/ip6tables */ + +#define SO_IP_SET 83 + +union ip_set_name_index { + char name[IPSET_MAXNAMELEN]; + ip_set_id_t index; +}; + +#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ +struct ip_set_req_get_set { + unsigned int op; + unsigned int version; + union ip_set_name_index set; +}; + +#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ +/* Uses ip_set_req_get_set */ + +#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ +struct ip_set_req_version { + unsigned int op; + unsigned int version; +}; + +#endif /*_UAPI_IP_SET_H */ diff --git a/include/libipset/linux_ip_set_bitmap.h b/include/libipset/linux_ip_set_bitmap.h index 95fb963..6a2c038 100644 --- a/include/libipset/linux_ip_set_bitmap.h +++ b/include/libipset/linux_ip_set_bitmap.h @@ -1,5 +1,5 @@ -#ifndef __IP_SET_BITMAP_H -#define __IP_SET_BITMAP_H +#ifndef _UAPI__IP_SET_BITMAP_H +#define _UAPI__IP_SET_BITMAP_H /* Bitmap type specific error codes */ enum { @@ -9,4 +9,5 @@ enum { IPSET_ERR_BITMAP_RANGE_SIZE, }; -#endif /* __IP_SET_BITMAP_H */ + +#endif /* _UAPI__IP_SET_BITMAP_H */ diff --git a/include/libipset/linux_ip_set_hash.h b/include/libipset/linux_ip_set_hash.h index 7a9e5f7..352eecc 100644 --- a/include/libipset/linux_ip_set_hash.h +++ b/include/libipset/linux_ip_set_hash.h @@ -1,5 +1,5 @@ -#ifndef __IP_SET_HASH_H -#define __IP_SET_HASH_H +#ifndef _UAPI__IP_SET_HASH_H +#define _UAPI__IP_SET_HASH_H /* Hash type specific error codes */ enum { @@ -17,4 +17,5 @@ enum { IPSET_ERR_HASH_RANGE, }; -#endif /* __IP_SET_HASH_H */ + +#endif /* _UAPI__IP_SET_HASH_H */ diff --git a/include/libipset/linux_ip_set_list.h b/include/libipset/linux_ip_set_list.h index 2395aa2..a44efaa 100644 --- a/include/libipset/linux_ip_set_list.h +++ b/include/libipset/linux_ip_set_list.h @@ -1,5 +1,5 @@ -#ifndef __IP_SET_LIST_H -#define __IP_SET_LIST_H +#ifndef _UAPI__IP_SET_LIST_H +#define _UAPI__IP_SET_LIST_H /* List type specific error codes */ enum { @@ -17,4 +17,5 @@ enum { IPSET_ERR_REF_EXIST, }; -#endif /* __IP_SET_LIST_H */ + +#endif /* _UAPI__IP_SET_LIST_H */ diff --git a/kernel/include/linux/netfilter/ipset/ip_set.h b/kernel/include/linux/netfilter/ipset/ip_set.h index 1217faf..79c4f22 100644 --- a/kernel/include/linux/netfilter/ipset/ip_set.h +++ b/kernel/include/linux/netfilter/ipset/ip_set.h @@ -1,6 +1,3 @@ -#ifndef _IP_SET_H -#define _IP_SET_H - /* Copyright (C) 2000-2002 Joakim Axelsson * Patrick Schaaf * Martin Josefsson @@ -10,199 +7,9 @@ * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */ +#ifndef _IP_SET_H +#define _IP_SET_H -#include - -/* The protocol version */ -#define IPSET_PROTOCOL 6 - -/* The max length of strings including NUL: set and type identifiers */ -#define IPSET_MAXNAMELEN 32 - -/* Message types and commands */ -enum ipset_cmd { - IPSET_CMD_NONE, - IPSET_CMD_PROTOCOL, /* 1: Return protocol version */ - IPSET_CMD_CREATE, /* 2: Create a new (empty) set */ - IPSET_CMD_DESTROY, /* 3: Destroy a (empty) set */ - IPSET_CMD_FLUSH, /* 4: Remove all elements from a set */ - IPSET_CMD_RENAME, /* 5: Rename a set */ - IPSET_CMD_SWAP, /* 6: Swap two sets */ - IPSET_CMD_LIST, /* 7: List sets */ - IPSET_CMD_SAVE, /* 8: Save sets */ - IPSET_CMD_ADD, /* 9: Add an element to a set */ - IPSET_CMD_DEL, /* 10: Delete an element from a set */ - IPSET_CMD_TEST, /* 11: Test an element in a set */ - IPSET_CMD_HEADER, /* 12: Get set header data only */ - IPSET_CMD_TYPE, /* 13: Get set type */ - IPSET_MSG_MAX, /* Netlink message commands */ - - /* Commands in userspace: */ - IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */ - IPSET_CMD_HELP, /* 15: Get help */ - IPSET_CMD_VERSION, /* 16: Get program version */ - IPSET_CMD_QUIT, /* 17: Quit from interactive mode */ - - IPSET_CMD_MAX, - - IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */ -}; - -/* Attributes at command level */ -enum { - IPSET_ATTR_UNSPEC, - IPSET_ATTR_PROTOCOL, /* 1: Protocol version */ - IPSET_ATTR_SETNAME, /* 2: Name of the set */ - IPSET_ATTR_TYPENAME, /* 3: Typename */ - IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */ - IPSET_ATTR_REVISION, /* 4: Settype revision */ - IPSET_ATTR_FAMILY, /* 5: Settype family */ - IPSET_ATTR_FLAGS, /* 6: Flags at command level */ - IPSET_ATTR_DATA, /* 7: Nested attributes */ - IPSET_ATTR_ADT, /* 8: Multiple data containers */ - IPSET_ATTR_LINENO, /* 9: Restore lineno */ - IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */ - IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */ - __IPSET_ATTR_CMD_MAX, -}; -#define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1) - -/* CADT specific attributes */ -enum { - IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1, - IPSET_ATTR_IP_FROM = IPSET_ATTR_IP, - IPSET_ATTR_IP_TO, /* 2 */ - IPSET_ATTR_CIDR, /* 3 */ - IPSET_ATTR_PORT, /* 4 */ - IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT, - IPSET_ATTR_PORT_TO, /* 5 */ - IPSET_ATTR_TIMEOUT, /* 6 */ - IPSET_ATTR_PROTO, /* 7 */ - IPSET_ATTR_CADT_FLAGS, /* 8 */ - IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ - /* Reserve empty slots */ - IPSET_ATTR_CADT_MAX = 16, - /* Create-only specific attributes */ - IPSET_ATTR_GC, - IPSET_ATTR_HASHSIZE, - IPSET_ATTR_MAXELEM, - IPSET_ATTR_NETMASK, - IPSET_ATTR_PROBES, - IPSET_ATTR_RESIZE, - IPSET_ATTR_SIZE, - /* Kernel-only */ - IPSET_ATTR_ELEMENTS, - IPSET_ATTR_REFERENCES, - IPSET_ATTR_MEMSIZE, - - __IPSET_ATTR_CREATE_MAX, -}; -#define IPSET_ATTR_CREATE_MAX (__IPSET_ATTR_CREATE_MAX - 1) - -/* ADT specific attributes */ -enum { - IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1, - IPSET_ATTR_NAME, - IPSET_ATTR_NAMEREF, - IPSET_ATTR_IP2, - IPSET_ATTR_CIDR2, - IPSET_ATTR_IP2_TO, - IPSET_ATTR_IFACE, - __IPSET_ATTR_ADT_MAX, -}; -#define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1) - -/* IP specific attributes */ -enum { - IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1, - IPSET_ATTR_IPADDR_IPV6, - __IPSET_ATTR_IPADDR_MAX, -}; -#define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1) - -/* Error codes */ -enum ipset_errno { - IPSET_ERR_PRIVATE = 4096, - IPSET_ERR_PROTOCOL, - IPSET_ERR_FIND_TYPE, - IPSET_ERR_MAX_SETS, - IPSET_ERR_BUSY, - IPSET_ERR_EXIST_SETNAME2, - IPSET_ERR_TYPE_MISMATCH, - IPSET_ERR_EXIST, - IPSET_ERR_INVALID_CIDR, - IPSET_ERR_INVALID_NETMASK, - IPSET_ERR_INVALID_FAMILY, - IPSET_ERR_TIMEOUT, - IPSET_ERR_REFERENCED, - IPSET_ERR_IPADDR_IPV4, - IPSET_ERR_IPADDR_IPV6, - - /* Type specific error codes */ - IPSET_ERR_TYPE_SPECIFIC = 4352, -}; - -/* Flags at command level */ -enum ipset_cmd_flags { - IPSET_FLAG_BIT_EXIST = 0, - IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST), - IPSET_FLAG_BIT_LIST_SETNAME = 1, - IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME), - IPSET_FLAG_BIT_LIST_HEADER = 2, - IPSET_FLAG_LIST_HEADER = (1 << IPSET_FLAG_BIT_LIST_HEADER), - IPSET_FLAG_CMD_MAX = 15, /* Lower half */ -}; - -/* Flags at CADT attribute level */ -enum ipset_cadt_flags { - IPSET_FLAG_BIT_BEFORE = 0, - IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE), - IPSET_FLAG_BIT_PHYSDEV = 1, - IPSET_FLAG_PHYSDEV = (1 << IPSET_FLAG_BIT_PHYSDEV), - IPSET_FLAG_BIT_NOMATCH = 2, - IPSET_FLAG_NOMATCH = (1 << IPSET_FLAG_BIT_NOMATCH), - IPSET_FLAG_CADT_MAX = 15, /* Upper half */ -}; - -/* Commands with settype-specific attributes */ -enum ipset_adt { - IPSET_ADD, - IPSET_DEL, - IPSET_TEST, - IPSET_ADT_MAX, - IPSET_CREATE = IPSET_ADT_MAX, - IPSET_CADT_MAX, -}; - -/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t - * and IPSET_INVALID_ID if you want to increase the max number of sets. - */ -typedef __u16 ip_set_id_t; - -#define IPSET_INVALID_ID 65535 - -enum ip_set_dim { - IPSET_DIM_ZERO = 0, - IPSET_DIM_ONE, - IPSET_DIM_TWO, - IPSET_DIM_THREE, - /* Max dimension in elements. - * If changed, new revision of iptables match/target is required. - */ - IPSET_DIM_MAX = 6, - IPSET_BIT_RETURN_NOMATCH = 7, -}; - -/* Option flags for kernel operations */ -enum ip_set_kopt { - IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO), - IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE), - IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO), - IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE), - IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH), -}; - -#ifdef __KERNEL__ #include #include #include @@ -212,6 +19,7 @@ enum ip_set_kopt { #include #include #include +#include #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35) #define xt_action_param xt_match_param @@ -503,31 +311,4 @@ bitmap_bytes(u32 a, u32 b) return 4 * ((((b - a + 8) / 8) + 3) / 4); } -#endif /* __KERNEL__ */ - -/* Interface to iptables/ip6tables */ - -#define SO_IP_SET 83 - -union ip_set_name_index { - char name[IPSET_MAXNAMELEN]; - ip_set_id_t index; -}; - -#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ -struct ip_set_req_get_set { - unsigned int op; - unsigned int version; - union ip_set_name_index set; -}; - -#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ -/* Uses ip_set_req_get_set */ - -#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ -struct ip_set_req_version { - unsigned int op; - unsigned int version; -}; - #endif /*_IP_SET_H */ diff --git a/kernel/include/linux/netfilter/ipset/ip_set_bitmap.h b/kernel/include/linux/netfilter/ipset/ip_set_bitmap.h index 61a9e87..1a30646 100644 --- a/kernel/include/linux/netfilter/ipset/ip_set_bitmap.h +++ b/kernel/include/linux/netfilter/ipset/ip_set_bitmap.h @@ -1,15 +1,8 @@ #ifndef __IP_SET_BITMAP_H #define __IP_SET_BITMAP_H -/* Bitmap type specific error codes */ -enum { - /* The element is out of the range of the set */ - IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC, - /* The range exceeds the size limit of the set type */ - IPSET_ERR_BITMAP_RANGE_SIZE, -}; +#include -#ifdef __KERNEL__ #define IPSET_BITMAP_MAX_RANGE 0x0000FFFF /* Common functions */ @@ -26,6 +19,4 @@ range_to_mask(u32 from, u32 to, u8 *bits) return mask; } -#endif /* __KERNEL__ */ - #endif /* __IP_SET_BITMAP_H */ diff --git a/kernel/include/linux/netfilter/ipset/ip_set_hash.h b/kernel/include/linux/netfilter/ipset/ip_set_hash.h index e2a9fae..f98ddfb 100644 --- a/kernel/include/linux/netfilter/ipset/ip_set_hash.h +++ b/kernel/include/linux/netfilter/ipset/ip_set_hash.h @@ -1,23 +1,8 @@ #ifndef __IP_SET_HASH_H #define __IP_SET_HASH_H -/* Hash type specific error codes */ -enum { - /* Hash is full */ - IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC, - /* Null-valued element */ - IPSET_ERR_HASH_ELEM, - /* Invalid protocol */ - IPSET_ERR_INVALID_PROTO, - /* Protocol missing but must be specified */ - IPSET_ERR_MISSING_PROTO, - /* Range not supported */ - IPSET_ERR_HASH_RANGE_UNSUPPORTED, - /* Invalid range */ - IPSET_ERR_HASH_RANGE, -}; +#include -#ifdef __KERNEL__ #define IPSET_DEFAULT_HASHSIZE 1024 #define IPSET_MIMINAL_HASHSIZE 64 @@ -25,6 +10,4 @@ enum { #define IPSET_DEFAULT_PROBES 4 #define IPSET_DEFAULT_RESIZE 100 -#endif /* __KERNEL__ */ - #endif /* __IP_SET_HASH_H */ diff --git a/kernel/include/linux/netfilter/ipset/ip_set_list.h b/kernel/include/linux/netfilter/ipset/ip_set_list.h index 40a63f3..68c2aea 100644 --- a/kernel/include/linux/netfilter/ipset/ip_set_list.h +++ b/kernel/include/linux/netfilter/ipset/ip_set_list.h @@ -1,27 +1,10 @@ #ifndef __IP_SET_LIST_H #define __IP_SET_LIST_H -/* List type specific error codes */ -enum { - /* Set name to be added/deleted/tested does not exist. */ - IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC, - /* list:set type is not permitted to add */ - IPSET_ERR_LOOP, - /* Missing reference set */ - IPSET_ERR_BEFORE, - /* Reference set does not exist */ - IPSET_ERR_NAMEREF, - /* Set is full */ - IPSET_ERR_LIST_FULL, - /* Reference set is not added to the set */ - IPSET_ERR_REF_EXIST, -}; +#include -#ifdef __KERNEL__ #define IP_SET_LIST_DEFAULT_SIZE 8 #define IP_SET_LIST_MIN_SIZE 4 -#endif /* __KERNEL__ */ - #endif /* __IP_SET_LIST_H */ diff --git a/kernel/include/linux/netfilter/xt_set.h b/kernel/include/linux/netfilter/xt_set.h deleted file mode 100644 index e3a9978..0000000 --- a/kernel/include/linux/netfilter/xt_set.h +++ /dev/null @@ -1,65 +0,0 @@ -#ifndef _XT_SET_H -#define _XT_SET_H - -#include -#include - -/* Revision 0 interface: backward compatible with netfilter/iptables */ - -/* - * Option flags for kernel operations (xt_set_info_v0) - */ -#define IPSET_SRC 0x01 /* Source match/add */ -#define IPSET_DST 0x02 /* Destination match/add */ -#define IPSET_MATCH_INV 0x04 /* Inverse matching */ - -struct xt_set_info_v0 { - ip_set_id_t index; - union { - __u32 flags[IPSET_DIM_MAX + 1]; - struct { - __u32 __flags[IPSET_DIM_MAX]; - __u8 dim; - __u8 flags; - } compat; - } u; -}; - -/* match and target infos */ -struct xt_set_info_match_v0 { - struct xt_set_info_v0 match_set; -}; - -struct xt_set_info_target_v0 { - struct xt_set_info_v0 add_set; - struct xt_set_info_v0 del_set; -}; - -/* Revision 1 match and target */ - -struct xt_set_info { - ip_set_id_t index; - __u8 dim; - __u8 flags; -}; - -/* match and target infos */ -struct xt_set_info_match_v1 { - struct xt_set_info match_set; -}; - -struct xt_set_info_target_v1 { - struct xt_set_info add_set; - struct xt_set_info del_set; -}; - -/* Revision 2 target */ - -struct xt_set_info_target_v2 { - struct xt_set_info add_set; - struct xt_set_info del_set; - __u32 flags; - __u32 timeout; -}; - -#endif /*_XT_SET_H*/ diff --git a/kernel/include/uapi/linux/netfilter/ipset/ip_set.h b/kernel/include/uapi/linux/netfilter/ipset/ip_set.h new file mode 100644 index 0000000..fbee428 --- /dev/null +++ b/kernel/include/uapi/linux/netfilter/ipset/ip_set.h @@ -0,0 +1,231 @@ +/* Copyright (C) 2000-2002 Joakim Axelsson + * Patrick Schaaf + * Martin Josefsson + * Copyright (C) 2003-2011 Jozsef Kadlecsik + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#ifndef _UAPI_IP_SET_H +#define _UAPI_IP_SET_H + + +#include + +/* The protocol version */ +#define IPSET_PROTOCOL 6 + +/* The max length of strings including NUL: set and type identifiers */ +#define IPSET_MAXNAMELEN 32 + +/* Message types and commands */ +enum ipset_cmd { + IPSET_CMD_NONE, + IPSET_CMD_PROTOCOL, /* 1: Return protocol version */ + IPSET_CMD_CREATE, /* 2: Create a new (empty) set */ + IPSET_CMD_DESTROY, /* 3: Destroy a (empty) set */ + IPSET_CMD_FLUSH, /* 4: Remove all elements from a set */ + IPSET_CMD_RENAME, /* 5: Rename a set */ + IPSET_CMD_SWAP, /* 6: Swap two sets */ + IPSET_CMD_LIST, /* 7: List sets */ + IPSET_CMD_SAVE, /* 8: Save sets */ + IPSET_CMD_ADD, /* 9: Add an element to a set */ + IPSET_CMD_DEL, /* 10: Delete an element from a set */ + IPSET_CMD_TEST, /* 11: Test an element in a set */ + IPSET_CMD_HEADER, /* 12: Get set header data only */ + IPSET_CMD_TYPE, /* 13: Get set type */ + IPSET_MSG_MAX, /* Netlink message commands */ + + /* Commands in userspace: */ + IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */ + IPSET_CMD_HELP, /* 15: Get help */ + IPSET_CMD_VERSION, /* 16: Get program version */ + IPSET_CMD_QUIT, /* 17: Quit from interactive mode */ + + IPSET_CMD_MAX, + + IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */ +}; + +/* Attributes at command level */ +enum { + IPSET_ATTR_UNSPEC, + IPSET_ATTR_PROTOCOL, /* 1: Protocol version */ + IPSET_ATTR_SETNAME, /* 2: Name of the set */ + IPSET_ATTR_TYPENAME, /* 3: Typename */ + IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */ + IPSET_ATTR_REVISION, /* 4: Settype revision */ + IPSET_ATTR_FAMILY, /* 5: Settype family */ + IPSET_ATTR_FLAGS, /* 6: Flags at command level */ + IPSET_ATTR_DATA, /* 7: Nested attributes */ + IPSET_ATTR_ADT, /* 8: Multiple data containers */ + IPSET_ATTR_LINENO, /* 9: Restore lineno */ + IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */ + IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */ + __IPSET_ATTR_CMD_MAX, +}; +#define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1) + +/* CADT specific attributes */ +enum { + IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1, + IPSET_ATTR_IP_FROM = IPSET_ATTR_IP, + IPSET_ATTR_IP_TO, /* 2 */ + IPSET_ATTR_CIDR, /* 3 */ + IPSET_ATTR_PORT, /* 4 */ + IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT, + IPSET_ATTR_PORT_TO, /* 5 */ + IPSET_ATTR_TIMEOUT, /* 6 */ + IPSET_ATTR_PROTO, /* 7 */ + IPSET_ATTR_CADT_FLAGS, /* 8 */ + IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ + /* Reserve empty slots */ + IPSET_ATTR_CADT_MAX = 16, + /* Create-only specific attributes */ + IPSET_ATTR_GC, + IPSET_ATTR_HASHSIZE, + IPSET_ATTR_MAXELEM, + IPSET_ATTR_NETMASK, + IPSET_ATTR_PROBES, + IPSET_ATTR_RESIZE, + IPSET_ATTR_SIZE, + /* Kernel-only */ + IPSET_ATTR_ELEMENTS, + IPSET_ATTR_REFERENCES, + IPSET_ATTR_MEMSIZE, + + __IPSET_ATTR_CREATE_MAX, +}; +#define IPSET_ATTR_CREATE_MAX (__IPSET_ATTR_CREATE_MAX - 1) + +/* ADT specific attributes */ +enum { + IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1, + IPSET_ATTR_NAME, + IPSET_ATTR_NAMEREF, + IPSET_ATTR_IP2, + IPSET_ATTR_CIDR2, + IPSET_ATTR_IP2_TO, + IPSET_ATTR_IFACE, + __IPSET_ATTR_ADT_MAX, +}; +#define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1) + +/* IP specific attributes */ +enum { + IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1, + IPSET_ATTR_IPADDR_IPV6, + __IPSET_ATTR_IPADDR_MAX, +}; +#define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1) + +/* Error codes */ +enum ipset_errno { + IPSET_ERR_PRIVATE = 4096, + IPSET_ERR_PROTOCOL, + IPSET_ERR_FIND_TYPE, + IPSET_ERR_MAX_SETS, + IPSET_ERR_BUSY, + IPSET_ERR_EXIST_SETNAME2, + IPSET_ERR_TYPE_MISMATCH, + IPSET_ERR_EXIST, + IPSET_ERR_INVALID_CIDR, + IPSET_ERR_INVALID_NETMASK, + IPSET_ERR_INVALID_FAMILY, + IPSET_ERR_TIMEOUT, + IPSET_ERR_REFERENCED, + IPSET_ERR_IPADDR_IPV4, + IPSET_ERR_IPADDR_IPV6, + + /* Type specific error codes */ + IPSET_ERR_TYPE_SPECIFIC = 4352, +}; + +/* Flags at command level */ +enum ipset_cmd_flags { + IPSET_FLAG_BIT_EXIST = 0, + IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST), + IPSET_FLAG_BIT_LIST_SETNAME = 1, + IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME), + IPSET_FLAG_BIT_LIST_HEADER = 2, + IPSET_FLAG_LIST_HEADER = (1 << IPSET_FLAG_BIT_LIST_HEADER), + IPSET_FLAG_CMD_MAX = 15, /* Lower half */ +}; + +/* Flags at CADT attribute level */ +enum ipset_cadt_flags { + IPSET_FLAG_BIT_BEFORE = 0, + IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE), + IPSET_FLAG_BIT_PHYSDEV = 1, + IPSET_FLAG_PHYSDEV = (1 << IPSET_FLAG_BIT_PHYSDEV), + IPSET_FLAG_BIT_NOMATCH = 2, + IPSET_FLAG_NOMATCH = (1 << IPSET_FLAG_BIT_NOMATCH), + IPSET_FLAG_CADT_MAX = 15, /* Upper half */ +}; + +/* Commands with settype-specific attributes */ +enum ipset_adt { + IPSET_ADD, + IPSET_DEL, + IPSET_TEST, + IPSET_ADT_MAX, + IPSET_CREATE = IPSET_ADT_MAX, + IPSET_CADT_MAX, +}; + +/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t + * and IPSET_INVALID_ID if you want to increase the max number of sets. + */ +typedef __u16 ip_set_id_t; + +#define IPSET_INVALID_ID 65535 + +enum ip_set_dim { + IPSET_DIM_ZERO = 0, + IPSET_DIM_ONE, + IPSET_DIM_TWO, + IPSET_DIM_THREE, + /* Max dimension in elements. + * If changed, new revision of iptables match/target is required. + */ + IPSET_DIM_MAX = 6, + IPSET_BIT_RETURN_NOMATCH = 7, +}; + +/* Option flags for kernel operations */ +enum ip_set_kopt { + IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO), + IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE), + IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO), + IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE), + IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH), +}; + + +/* Interface to iptables/ip6tables */ + +#define SO_IP_SET 83 + +union ip_set_name_index { + char name[IPSET_MAXNAMELEN]; + ip_set_id_t index; +}; + +#define IP_SET_OP_GET_BYNAME 0x00000006 /* Get set index by name */ +struct ip_set_req_get_set { + unsigned int op; + unsigned int version; + union ip_set_name_index set; +}; + +#define IP_SET_OP_GET_BYINDEX 0x00000007 /* Get set name by index */ +/* Uses ip_set_req_get_set */ + +#define IP_SET_OP_VERSION 0x00000100 /* Ask kernel version */ +struct ip_set_req_version { + unsigned int op; + unsigned int version; +}; + +#endif /* _UAPI_IP_SET_H */ diff --git a/kernel/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h b/kernel/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h new file mode 100644 index 0000000..6a2c038 --- /dev/null +++ b/kernel/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h @@ -0,0 +1,13 @@ +#ifndef _UAPI__IP_SET_BITMAP_H +#define _UAPI__IP_SET_BITMAP_H + +/* Bitmap type specific error codes */ +enum { + /* The element is out of the range of the set */ + IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC, + /* The range exceeds the size limit of the set type */ + IPSET_ERR_BITMAP_RANGE_SIZE, +}; + + +#endif /* _UAPI__IP_SET_BITMAP_H */ diff --git a/kernel/include/uapi/linux/netfilter/ipset/ip_set_hash.h b/kernel/include/uapi/linux/netfilter/ipset/ip_set_hash.h new file mode 100644 index 0000000..352eecc --- /dev/null +++ b/kernel/include/uapi/linux/netfilter/ipset/ip_set_hash.h @@ -0,0 +1,21 @@ +#ifndef _UAPI__IP_SET_HASH_H +#define _UAPI__IP_SET_HASH_H + +/* Hash type specific error codes */ +enum { + /* Hash is full */ + IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC, + /* Null-valued element */ + IPSET_ERR_HASH_ELEM, + /* Invalid protocol */ + IPSET_ERR_INVALID_PROTO, + /* Protocol missing but must be specified */ + IPSET_ERR_MISSING_PROTO, + /* Range not supported */ + IPSET_ERR_HASH_RANGE_UNSUPPORTED, + /* Invalid range */ + IPSET_ERR_HASH_RANGE, +}; + + +#endif /* _UAPI__IP_SET_HASH_H */ diff --git a/kernel/include/uapi/linux/netfilter/ipset/ip_set_list.h b/kernel/include/uapi/linux/netfilter/ipset/ip_set_list.h new file mode 100644 index 0000000..a44efaa --- /dev/null +++ b/kernel/include/uapi/linux/netfilter/ipset/ip_set_list.h @@ -0,0 +1,21 @@ +#ifndef _UAPI__IP_SET_LIST_H +#define _UAPI__IP_SET_LIST_H + +/* List type specific error codes */ +enum { + /* Set name to be added/deleted/tested does not exist. */ + IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC, + /* list:set type is not permitted to add */ + IPSET_ERR_LOOP, + /* Missing reference set */ + IPSET_ERR_BEFORE, + /* Reference set does not exist */ + IPSET_ERR_NAMEREF, + /* Set is full */ + IPSET_ERR_LIST_FULL, + /* Reference set is not added to the set */ + IPSET_ERR_REF_EXIST, +}; + + +#endif /* _UAPI__IP_SET_LIST_H */ diff --git a/kernel/include/uapi/linux/netfilter/xt_set.h b/kernel/include/uapi/linux/netfilter/xt_set.h new file mode 100644 index 0000000..e3a9978 --- /dev/null +++ b/kernel/include/uapi/linux/netfilter/xt_set.h @@ -0,0 +1,65 @@ +#ifndef _XT_SET_H +#define _XT_SET_H + +#include +#include + +/* Revision 0 interface: backward compatible with netfilter/iptables */ + +/* + * Option flags for kernel operations (xt_set_info_v0) + */ +#define IPSET_SRC 0x01 /* Source match/add */ +#define IPSET_DST 0x02 /* Destination match/add */ +#define IPSET_MATCH_INV 0x04 /* Inverse matching */ + +struct xt_set_info_v0 { + ip_set_id_t index; + union { + __u32 flags[IPSET_DIM_MAX + 1]; + struct { + __u32 __flags[IPSET_DIM_MAX]; + __u8 dim; + __u8 flags; + } compat; + } u; +}; + +/* match and target infos */ +struct xt_set_info_match_v0 { + struct xt_set_info_v0 match_set; +}; + +struct xt_set_info_target_v0 { + struct xt_set_info_v0 add_set; + struct xt_set_info_v0 del_set; +}; + +/* Revision 1 match and target */ + +struct xt_set_info { + ip_set_id_t index; + __u8 dim; + __u8 flags; +}; + +/* match and target infos */ +struct xt_set_info_match_v1 { + struct xt_set_info match_set; +}; + +struct xt_set_info_target_v1 { + struct xt_set_info add_set; + struct xt_set_info del_set; +}; + +/* Revision 2 target */ + +struct xt_set_info_target_v2 { + struct xt_set_info add_set; + struct xt_set_info del_set; + __u32 flags; + __u32 timeout; +}; + +#endif /*_XT_SET_H*/ diff --git a/update b/update deleted file mode 100755 index 5804554..0000000 --- a/update +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh - -NAME=`echo $1 | sed 's/\.h//' | tr a-z A-Z` - -awk "BEGIN { userspace=1 } -/ifdef __KERNEL__/ { userspace = !userspace } -{ if (userspace == 1) print } -END { print \"#endif /* __${NAME}_H */\" }" \ - < kernel/include/linux/netfilter/ipset/$1 > include/libipset/linux_$1 -- cgit v1.2.3