summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/libipset/parse.h2
-rw-r--r--lib/ipset_bitmap_port.c32
-rw-r--r--lib/parse.c38
-rw-r--r--src/ipset.813
4 files changed, 67 insertions, 18 deletions
diff --git a/include/libipset/parse.h b/include/libipset/parse.h
index ee16fb5..014c62f 100644
--- a/include/libipset/parse.h
+++ b/include/libipset/parse.h
@@ -44,6 +44,8 @@ extern int ipset_parse_icmpv6(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_proto_port(struct ipset_session *session,
enum ipset_opt opt, const char *str);
+extern int ipset_parse_tcp_udp_port(struct ipset_session *session,
+ enum ipset_opt opt, const char *str);
extern int ipset_parse_family(struct ipset_session *session,
enum ipset_opt opt, const char *str);
extern int ipset_parse_ip(struct ipset_session *session,
diff --git a/lib/ipset_bitmap_port.c b/lib/ipset_bitmap_port.c
index 6959c3a..a706d80 100644
--- a/lib/ipset_bitmap_port.c
+++ b/lib/ipset_bitmap_port.c
@@ -13,7 +13,7 @@
static const struct ipset_arg bitmap_port_create_args0[] = {
{ .name = { "range", NULL },
.has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_PORT,
- .parse = ipset_parse_tcp_port, .print = ipset_print_port,
+ .parse = ipset_parse_tcp_udp_port, .print = ipset_print_port,
},
{ .name = { "timeout", NULL },
.has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_TIMEOUT,
@@ -40,12 +40,14 @@ static const struct ipset_arg bitmap_port_add_args0[] = {
};
static const char bitmap_port_usage0[] =
-"create SETNAME bitmap:port range FROM-TO\n"
+"create SETNAME bitmap:port range [PROTO:]FROM-TO\n"
" [timeout VALUE]\n"
-"add SETNAME PORT|FROM-TO [timeout VALUE]\n"
-"del SETNAME PORT|FROM-TO\n"
-"test SETNAME PORT\n\n"
-"where PORT, FROM and TO are port numbers or port names from /etc/services.\n";
+"add SETNAME [PROTO:]PORT|FROM-TO [timeout VALUE]\n"
+"del SETNAME [PROTO:]PORT|FROM-TO\n"
+"test SETNAME [PROTO:]PORT\n\n"
+"where PORT, FROM and TO are port numbers or port names from /etc/services.\n"
+"PROTO is only needed if a service name is used and it does not exist as a TCP service;\n"
+"it isn't used otherwise with the bitmap.\n";
static struct ipset_type ipset_bitmap_port0 = {
.name = "bitmap:port",
@@ -55,7 +57,7 @@ static struct ipset_type ipset_bitmap_port0 = {
.dimension = IPSET_DIM_ONE,
.elem = {
[IPSET_DIM_ONE - 1] = {
- .parse = ipset_parse_tcp_port,
+ .parse = ipset_parse_tcp_udp_port,
.print = ipset_print_port,
.opt = IPSET_OPT_PORT
},
@@ -91,7 +93,7 @@ static struct ipset_type ipset_bitmap_port0 = {
static const struct ipset_arg bitmap_port_create_args1[] = {
{ .name = { "range", NULL },
.has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_PORT,
- .parse = ipset_parse_tcp_port, .print = ipset_print_port,
+ .parse = ipset_parse_tcp_udp_port, .print = ipset_print_port,
},
{ .name = { "timeout", NULL },
.has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_TIMEOUT,
@@ -130,13 +132,15 @@ static const struct ipset_arg bitmap_port_add_args1[] = {
};
static const char bitmap_port_usage1[] =
-"create SETNAME bitmap:port range FROM-TO\n"
+"create SETNAME bitmap:port range [PROTO:]FROM-TO\n"
" [timeout VALUE] [counters]\n"
-"add SETNAME PORT|FROM-TO [timeout VALUE]\n"
+"add SETNAME [PROTO:]PORT|FROM-TO [timeout VALUE]\n"
" [packets VALUE] [bytes VALUE]\n"
-"del SETNAME PORT|FROM-TO\n"
-"test SETNAME PORT\n\n"
-"where PORT, FROM and TO are port numbers or port names from /etc/services.\n";
+"del SETNAME [PROTO:]PORT|FROM-TO\n"
+"test SETNAME [PROTO:]PORT\n\n"
+"where PORT, FROM and TO are port numbers or port names from /etc/services.\n"
+"PROTO is only needed if a service name is used and it does not exist as a TCP service;\n"
+"it isn't used otherwise with the bitmap.\n";
static struct ipset_type ipset_bitmap_port1 = {
.name = "bitmap:port",
@@ -146,7 +150,7 @@ static struct ipset_type ipset_bitmap_port1 = {
.dimension = IPSET_DIM_ONE,
.elem = {
[IPSET_DIM_ONE - 1] = {
- .parse = ipset_parse_tcp_port,
+ .parse = ipset_parse_tcp_udp_port,
.print = ipset_print_port,
.opt = IPSET_OPT_PORT
},
diff --git a/lib/parse.c b/lib/parse.c
index ce3548d..112b273 100644
--- a/lib/parse.c
+++ b/lib/parse.c
@@ -637,6 +637,44 @@ error:
}
/**
+ * ipset_parse_tcp_udp_port - parse (optional) protocol and a single port
+ * @session: session structure
+ * @opt: option kind of the data
+ * @str: string to parse
+ *
+ * Parse string as a protocol and port, separated by a colon.
+ * The protocol part is optional, but may only be "tcp" or "udp".
+ * The parsed port numbers are stored in the data
+ * blob of the session.
+ *
+ * Returns 0 on success or a negative error code.
+ */
+int
+ipset_parse_tcp_udp_port(struct ipset_session *session,
+ enum ipset_opt opt, const char *str)
+{
+ struct ipset_data *data;
+ int err = 0;
+ uint8_t p = 0;
+
+ err = ipset_parse_proto_port(session, opt, str);
+
+ if (!err) {
+ data = ipset_session_data(session);
+
+ p = *(const uint8_t *) ipset_data_get(data, IPSET_OPT_PROTO);
+ if (p != IPPROTO_TCP && p != IPPROTO_UDP) {
+ syntax_err("Only protocols TCP and UDP are valid");
+ err = -1 ;
+ } else {
+ /* Reset the protocol to none */
+ ipset_data_flags_unset(data, IPSET_FLAG(IPSET_OPT_PROTO));
+ }
+ }
+ return err;
+}
+
+/**
* ipset_parse_family - parse INET|INET6 family names
* @session: session structure
* @opt: option kind of the data
diff --git a/src/ipset.8 b/src/ipset.8
index 4353b9f..d7fa964 100644
--- a/src/ipset.8
+++ b/src/ipset.8
@@ -391,22 +391,25 @@ and such a set can store up to 65536 ports.
.PP
\fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromport\fP\-\fItoport [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ]
.PP
-\fIADD\-ENTRY\fR := { \fIport\fR | \fIfromport\fR\-\fItoport\fR }
+\fIADD\-ENTRY\fR := { \fI[proto:]port\fR | \fI[proto:]fromport\fR\-\fItoport\fR }
.PP
\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ]
.PP
-\fIDEL\-ENTRY\fR := { \fIport\fR | \fIfromport\fR\-\fItoport\fR }
+\fIDEL\-ENTRY\fR := { \fI[proto:]port\fR | \fI[proto:]fromport\fR\-\fItoport\fR }
.PP
-\fITEST\-ENTRY\fR := \fIport\fR
+\fITEST\-ENTRY\fR := \fI[proto:]port\fR
.PP
Mandatory options to use when creating a \fBbitmap:port\fR type of set:
.TP
-\fBrange\fP \fIfromport\fP\-\fItoport\fR
+\fBrange\fP \fI[proto:]fromport\fP\-\fItoport\fR
Create the set from the specified inclusive port range.
.PP
The \fBset\fR match and \fBSET\fR target netfilter kernel modules interpret
the stored numbers as TCP or UDP port numbers.
.PP
+\fBproto\fR only needs to be specified if a service name is used,
+and that name does not exist as a TCP service.
+.PP
Examples:
.IP
ipset create foo bitmap:port range 0\-1024
@@ -414,6 +417,8 @@ ipset create foo bitmap:port range 0\-1024
ipset add foo 80
.IP
ipset test foo 80
+.IP
+ipset del foo udp:[macon-udp]-[tn-tl-w2]
.SS hash:ip
The \fBhash:ip\fR set type uses a hash to store IP host addresses (default) or
network addresses. Zero valued IP address cannot be stored in a \fBhash:ip\fR