From 0d32c5c070f817229110f92d7b31df9a3e4eeec5 Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Sun, 24 Oct 2010 21:42:48 +0200 Subject: Fixes, cleanups, comments - More comments added to the code - ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip and hash:ip,port,net types - hash:net and hash:ip,port,net types are reworked - hash:net,port type added - Wrong direction parameters fixed in hash:ip,port - Helps and manpage are updated - More tests added - Ugly macros are rewritten to functions in parse.c (Holger Eitzenberger) - resize related bug in hash types fixed (Holger Eitzenberger) - autoreconf patches by Jan Engelhardt applied - netlink patch minimalized: dumping can be initialized by a second parsing of the message (thanks to David and Patrick for the suggestion) - IPv4/IPv6 address attributes are introduced in order to fix the context (suggested by David) --- include/libipset/errcode.h | 7 ++-- include/libipset/icmp.h | 16 ++++++++++ include/libipset/icmpv6.h | 16 ++++++++++ include/libipset/linux_ip_set.h | 19 ++++++++--- include/libipset/linux_ip_set_bitmap.h | 2 ++ include/libipset/linux_ip_set_hash.h | 6 +++- include/libipset/linux_ip_set_list.h | 6 ++++ include/libipset/nf_inet_addr.h | 2 +- include/libipset/parse.h | 13 ++++++-- include/libipset/print.h | 58 +++++++++++++++++++--------------- include/libipset/types.h | 29 +++++++++-------- include/libipset/ui.h | 3 ++ include/libipset/utils.h | 4 +++ 13 files changed, 128 insertions(+), 53 deletions(-) create mode 100644 include/libipset/icmp.h create mode 100644 include/libipset/icmpv6.h (limited to 'include') diff --git a/include/libipset/errcode.h b/include/libipset/errcode.h index 5ad41ff..ed56eb5 100644 --- a/include/libipset/errcode.h +++ b/include/libipset/errcode.h 
@@ -11,10 +11,11 @@ struct ipset_session; +/* Kernel error code to message table */ struct ipset_errcode_table { - int errcode; - enum ipset_cmd cmd; - const char *message; + int errcode; /* error code returned by the kernel */ + enum ipset_cmd cmd; /* issued command */ + const char *message; /* error message the code translated to */ }; extern int ipset_errcode(struct ipset_session *session, enum ipset_cmd cmd, diff --git a/include/libipset/icmp.h b/include/libipset/icmp.h new file mode 100644 index 0000000..89604cd --- /dev/null +++ b/include/libipset/icmp.h @@ -0,0 +1,16 @@ +/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu) + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#ifndef LIBIPSET_ICMP_H +#define LIBIPSET_ICMP_H + +#include /* uintxx_t */ + +extern const char * id_to_icmp(uint8_t id); +extern const char * icmp_to_name(uint8_t type, uint8_t code); +extern int name_to_icmp(const char *str, uint16_t *typecode); + +#endif /* LIBIPSET_ICMP_H */ diff --git a/include/libipset/icmpv6.h b/include/libipset/icmpv6.h new file mode 100644 index 0000000..b23c822 --- /dev/null +++ b/include/libipset/icmpv6.h @@ -0,0 +1,16 @@ +/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu) + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ +#ifndef LIBIPSET_ICMPV6_H +#define LIBIPSET_ICMPV6_H + +#include /* uintxx_t */ + +extern const char * id_to_icmpv6(uint8_t id); +extern const char * icmpv6_to_name(uint8_t type, uint8_t code); +extern int name_to_icmpv6(const char *str, uint16_t *typecode); + +#endif /* LIBIPSET_ICMPV6_H */ diff --git a/include/libipset/linux_ip_set.h b/include/libipset/linux_ip_set.h index 0ad2b14..c3296df 100644 
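Review bot: The three new declarations in icmp.h state no contract for their results — whether `id_to_icmp` and `icmp_to_name` return NULL for a value that has no name, whether the returned string is static or must be freed, and what `name_to_icmp` returns for a string it cannot parse — yet these are what the option parser relies on to reject bad ICMP type/code input. A short comment on each would settle it, e.g. `/* Map an ICMP type/code pair to its name; NULL if the pair is unnamed */` on `icmp_to_name` and `/* Parse a name or numeric type/code into *typecode; 0 on success, negative on error */` on `name_to_icmp`, adjusted to what icmp.c actually does (that file is not in this patch), together with a line on how type and code are packed into the single `uint16_t` behind `typecode`. The identical declarations in icmpv6.h need the same comments. As rendered here, the `+#include /* uintxx_t */` line of both headers carries no header name — presumably `<stdint.h>` lost in rendering, the same as the new include in ui.h — which is worth confirming against the repository.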
--- a/include/libipset/linux_ip_set.h +++ b/include/libipset/linux_ip_set.h @@ -52,7 +52,7 @@ enum { IPSET_ATTR_PROTOCOL, /* 1: Protocol version */ IPSET_ATTR_SETNAME, /* 2: Name of the set */ IPSET_ATTR_TYPENAME, /* 3: Typename */ - IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* rename/swap */ + IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */ IPSET_ATTR_REVISION, /* 4: Settype revision */ IPSET_ATTR_FAMILY, /* 5: Settype family */ IPSET_ATTR_FLAGS, /* 6: Flags at command level */ @@ -77,7 +77,7 @@ enum { IPSET_ATTR_TIMEOUT, /* 6 */ IPSET_ATTR_PROTO, /* 7 */ IPSET_ATTR_CADT_FLAGS, /* 8 */ - IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, + IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ /* Reserve empty slots */ IPSET_ATTR_CADT_MAX = 16, /* Create-only specific attributes */ @@ -108,6 +108,14 @@ enum { }; #define IPSET_ATTR_ADT_MAX (__IPSET_ATTR_ADT_MAX - 1) +/* IP specific attributes */ +enum { + IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1, + IPSET_ATTR_IPADDR_IPV6, + __IPSET_ATTR_IPADDR_MAX, +}; +#define IPSET_ATTR_IPADDR_MAX (__IPSET_ATTR_IPADDR_MAX - 1) + /* Error codes */ enum ipset_errno { IPSET_ERR_PRIVATE = 128, @@ -123,16 +131,20 @@ enum ipset_errno { IPSET_ERR_INVALID_FAMILY, IPSET_ERR_TIMEOUT, IPSET_ERR_REFERENCED, + IPSET_ERR_IPADDR_IPV4, + IPSET_ERR_IPADDR_IPV6, /* Type specific error codes */ IPSET_ERR_TYPE_SPECIFIC = 160, }; +/* Flags at command level */ enum ipset_cmd_flags { IPSET_FLAG_BIT_EXIST = 0, IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST), }; +/* Flags at CADT attribute level */ enum ipset_cadt_flags { IPSET_FLAG_BIT_BEFORE = 0, IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE), @@ -148,7 +160,4 @@ enum ipset_adt { IPSET_CADT_MAX, }; -#define IPSET_IPPROTO_ANY 255 -#define IPSET_IPPROTO_TCPUDP 254 - #endif /* __IP_SET_H */ diff --git a/include/libipset/linux_ip_set_bitmap.h b/include/libipset/linux_ip_set_bitmap.h index 01ea534..95fb963 100644 --- a/include/libipset/linux_ip_set_bitmap.h 
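Review bot: The new `IPSET_ATTR_IPADDR_IPV4` / `IPSET_ATTR_IPADDR_IPV6` enum lacks the per-value comments every other attribute enum in this header carries, so a reader cannot tell what payload each value carries or how it relates to the address-bearing attributes. Suggested: `IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1, /* 1: IPv4 address */` and `IPSET_ATTR_IPADDR_IPV6, /* 2: IPv6 address */`, plus a line above the enum naming the attribute(s) these are carried in. Because this header mirrors the kernel ABI, the kernel-side attribute policy for these values should pin each to the exact address length so a short or oversized payload is rejected rather than copied; that code is not in this patch, so treat it as a point to confirm. The matching `IPSET_ERR_IPADDR_IPV4` / `IPV6` error codes are appended after `IPSET_ERR_REFERENCED`, which keeps the existing numbering intact, but they would also benefit from a one-line comment on what triggers them.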
+++ b/include/libipset/linux_ip_set_bitmap.h @@ -3,7 +3,9 @@ /* Bitmap type specific error codes */ enum { + /* The element is out of the range of the set */ IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC, + /* The range exceeds the size limit of the set type */ IPSET_ERR_BITMAP_RANGE_SIZE, }; diff --git a/include/libipset/linux_ip_set_hash.h b/include/libipset/linux_ip_set_hash.h index db6977b..7c6336a 100644 --- a/include/libipset/linux_ip_set_hash.h +++ b/include/libipset/linux_ip_set_hash.h @@ -1,11 +1,15 @@ #ifndef __IP_SET_HASH_H #define __IP_SET_HASH_H -/* Bitmap type specific error codes */ +/* Hash type specific error codes */ enum { + /* Hash is full */ IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC, + /* Null-valued element */ IPSET_ERR_HASH_ELEM, + /* Invalid protocol */ IPSET_ERR_INVALID_PROTO, + /* Protocol missing but must be specified */ IPSET_ERR_MISSING_PROTO, }; diff --git a/include/libipset/linux_ip_set_list.h b/include/libipset/linux_ip_set_list.h index cf282c5..2395aa2 100644 --- a/include/libipset/linux_ip_set_list.h +++ b/include/libipset/linux_ip_set_list.h @@ -3,11 +3,17 @@ /* List type specific error codes */ enum { + /* Set name to be added/deleted/tested does not exist. */ IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC, + /* list:set type is not permitted to add */ IPSET_ERR_LOOP, + /* Missing reference set */ IPSET_ERR_BEFORE, + /* Reference set does not exist */ IPSET_ERR_NAMEREF, + /* Set is full */ IPSET_ERR_LIST_FULL, + /* Reference set is not added to the set */ IPSET_ERR_REF_EXIST, }; diff --git a/include/libipset/nf_inet_addr.h b/include/libipset/nf_inet_addr.h index 91f1914..0e0701e 100644 --- a/include/libipset/nf_inet_addr.h +++ b/include/libipset/nf_inet_addr.h @@ -10,7 +10,7 @@ #include /* uint32_t */ #include /* struct in[6]_addr */ -/* The same structure to hold IP addresses as in linux/netfilter.h */ +/* The structure to hold IP addresses, same as in linux/netfilter.h */ union nf_inet_addr { uint32_t all[4]; uint32_t ip; 
diff --git a/include/libipset/parse.h b/include/libipset/parse.h index 1e055ee..aaa1577 100644 --- a/include/libipset/parse.h +++ b/include/libipset/parse.h @@ -23,12 +23,19 @@ typedef int (*ipset_parsefn)(struct ipset_session *s, extern int ipset_parse_ether(struct ipset_session *session, enum ipset_opt opt, const char *str); -extern int ipset_parse_single_port(struct ipset_session *session, - enum ipset_opt opt, const char *str); extern int ipset_parse_port(struct ipset_session *session, - enum ipset_opt opt, const char *str); + enum ipset_opt opt, const char *str, + const char *proto); +extern int ipset_parse_tcp_port(struct ipset_session *session, + enum ipset_opt opt, const char *str); +extern int ipset_parse_single_tcp_port(struct ipset_session *session, + enum ipset_opt opt, const char *str); extern int ipset_parse_proto(struct ipset_session *session, enum ipset_opt opt, const char *str); +extern int ipset_parse_icmp(struct ipset_session *session, + enum ipset_opt opt, const char *str); +extern int ipset_parse_icmpv6(struct ipset_session *session, + enum ipset_opt opt, const char *str); extern int ipset_parse_proto_port(struct ipset_session *session, enum ipset_opt opt, const char *str); extern int ipset_parse_family(struct ipset_session *session, diff --git a/include/libipset/print.h b/include/libipset/print.h index 1fc5abc..963b42e 100644 --- a/include/libipset/print.h +++ b/include/libipset/print.h 
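Review bot: `ipset_parse_port` gains a `const char *proto` argument, but the header says nothing about what the string may contain or whether NULL is accepted, and any caller outside this patch that still passes three arguments will no longer compile against this header. A comment above the declaration such as `/* proto: name of the protocol the port belongs to, or NULL to ... */`, completed from the actual behaviour in parse.c (not in this patch), would pin this down. The new `ipset_parse_tcp_port` / `ipset_parse_single_tcp_port` wrappers presumably fix the protocol to TCP; stating that in the header saves a trip to the source. `ipset_parse_single_port` is a public symbol, so its removal from the header is an API change worth a line in the commit message.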
@@ -10,50 +10,56 @@ #include /* enum ipset_opt */ typedef int (*ipset_printfn)(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); extern int ipset_print_ether(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); extern int ipset_print_family(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); extern int ipset_print_type(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); extern int ipset_print_ip(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); extern int ipset_print_ipaddr(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); extern int ipset_print_number(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); extern int ipset_print_name(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); extern int ipset_print_port(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); extern int ipset_print_proto(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, 
uint8_t env); +extern int ipset_print_icmp(char *buf, unsigned int len, + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); +extern int ipset_print_icmpv6(char *buf, unsigned int len, + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); extern int ipset_print_proto_port(char *buf, unsigned int len, const struct ipset_data *data, enum ipset_opt opt, uint8_t env); extern int ipset_print_flag(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); extern int ipset_print_elem(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); #define ipset_print_portnum ipset_print_number extern int ipset_print_data(char *buf, unsigned int len, - const struct ipset_data *data, enum ipset_opt opt, - uint8_t env); + const struct ipset_data *data, + enum ipset_opt opt, uint8_t env); #endif /* LIBIPSET_PRINT_H */ diff --git a/include/libipset/types.h b/include/libipset/types.h index 6a17750..f1847aa 100644 --- a/include/libipset/types.h +++ b/include/libipset/types.h 
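Review bot: The `ipset_printfn` typedef and the printers declared after it still carry no statement of their return contract — whether the value is the number of characters written, the number that would have been needed (snprintf style), or a negative error — nor whether `buf` is NUL-terminated on truncation; with `len` declared `unsigned int`, a caller that compares a negative return against it would mis-handle errors through the usual signed/unsigned promotion. A comment on the typedef, e.g. `/* Print the value of opt from data into buf (at most len bytes); returns the number of characters written, or a negative value on error */`, adjusted to what print.c actually does, would cover all of them at once. The added `ipset_print_icmp` / `ipset_print_icmpv6` follow the existing pattern; the remainder of this hunk only re-wraps parameter lists.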
@@ -77,22 +77,23 @@ struct ipset_elem { * but for the readability the full list is supported. */ struct ipset_type { - char name[IPSET_MAXNAMELEN]; /* type name */ - uint8_t revision; /* revision number */ - uint8_t family; /* supported family */ - uint8_t dimension; /* elem dimension */ - int8_t kernel_check; /* kernel check */ - bool last_elem_optional; /* last element optional */ - struct ipset_elem elem[IPSET_DIM_MAX]; /* parse elem */ - ipset_parsefn compat_parse_elem; /* compatibility parser */ - const struct ipset_arg *args[IPSET_CADT_MAX]; /* create/ADT args except elem */ - uint64_t mandatory[IPSET_CADT_MAX]; /* create/ADT mandatory flags */ - uint64_t full[IPSET_CADT_MAX]; /* full args flags */ - size_t maxsize[IPSET_MAXSIZE_MAX]; /* max sizes */ - const char *usage; /* terse usage */ + char name[IPSET_MAXNAMELEN]; /* type name */ + uint8_t revision; /* revision number */ + uint8_t family; /* supported family */ + uint8_t dimension; /* elem dimension */ + int8_t kernel_check; /* kernel check */ + bool last_elem_optional; /* last element optional */ + struct ipset_elem elem[IPSET_DIM_MAX]; /* parse elem */ + ipset_parsefn compat_parse_elem; /* compatibility parser */ + const struct ipset_arg *args[IPSET_CADT_MAX]; /* create/ADT args besides elem */ + uint64_t mandatory[IPSET_CADT_MAX]; /* create/ADT mandatory flags */ + uint64_t full[IPSET_CADT_MAX]; /* full args flags */ + size_t maxsize[IPSET_MAXSIZE_MAX]; /* max sizes */ + const char *usage; /* terse usage */ + void (*usagefn)(void); /* additional usage */ struct ipset_type *next; - const char *alias[]; /* name alias(es) */ + const char *alias[]; /* name alias(es) */ }; extern int ipset_cache_add(const char *name, const struct ipset_type *type, diff --git a/include/libipset/ui.h b/include/libipset/ui.h index f8eeae0..b05b737 100644 --- a/include/libipset/ui.h +++ b/include/libipset/ui.h 
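Review bot: The new `usagefn` member is inserted before `next` in `struct ipset_type`, and `/* additional usage */` does not say when it is invoked or whether it may be NULL; since the type objects are presumably initialised in the per-type source files (not in this patch), any positional initialiser there would now silently shift `next` and `alias`, so those definitions should use designated initialisers (`.usagefn = ...`). Suggested comment: `/* optional hook printing extra usage text; NULL if none */`, tightened to match how the UI code actually calls it. The rest of the hunk is comment re-alignment only.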
@@ -7,6 +7,8 @@ #ifndef LIBIPSET_UI_H #define LIBIPSET_UI_H +#include /* enum ipset_cmd */ + /* Commands in userspace */ struct ipset_commands { enum ipset_cmd cmd; @@ -37,5 +39,6 @@ extern bool ipset_match_cmd(const char *arg, const char * const name[]); extern bool ipset_match_option(const char *arg, const char * const name[]); extern bool ipset_match_envopt(const char *arg, const char * const name[]); extern void ipset_shift_argv(int *argc, char *argv[], int from); +extern void ipset_port_usage(void); #endif /* LIBIPSET_UI_H */ diff --git a/include/libipset/utils.h b/include/libipset/utils.h index 672bfa9..75efdac 100644 --- a/include/libipset/utils.h +++ b/include/libipset/utils.h @@ -24,6 +24,10 @@ #define UNUSED __attribute__ ((unused)) +#ifndef ARRAY_SIZE +#define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x))) +#endif + static inline void in4cpy(struct in_addr *dest, const struct in_addr *src) { -- cgit v1.2.3
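Review bot: The new `ARRAY_SIZE(x)` macro in utils.h silently yields a wrong count when `x` is a pointer or array parameter rather than a true array, and the `#ifndef ARRAY_SIZE` guard means a differing definition picked up from an earlier include wins without warning. A comment stating the restriction, `/* Element count of a true array; never apply to a pointer or an array parameter */`, is the minimum; if the project is willing to rely on GCC — it already uses `__attribute__ ((unused))` directly above — `__builtin_types_compatible_p` can turn the misuse into a compile-time error. The `in4cpy` definition that follows continues outside the hunk.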