From 3fd6b24ace319b139ec3c4e3031a5f05d21e304e Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Tue, 15 Jun 2010 13:30:55 +0200
Subject: ipset 5 in an almost ready state - milestone

Reworked protocol and internal interfaces, missing set types added,
backward compatibility verified, lots of tests added (and thanks to the tests,
bugs fixed), even the manpage is rewritten ;-). Countless changes everywhere...
The missing bits before announcing ipset 5:

- net namespace support
- new iptables/ip6tables extension library
- iptables/ip6tables match and target tests (backward/forward compatibility)
- tests on catching syntax errors
---
 kernel/ipt_set.c | 238 -------------------------------------------------------
 1 file changed, 238 deletions(-)
 delete mode 100644 kernel/ipt_set.c

(limited to 'kernel/ipt_set.c')

diff --git a/kernel/ipt_set.c b/kernel/ipt_set.c
deleted file mode 100644
index 2f97cbb..0000000
--- a/kernel/ipt_set.c
+++ /dev/null
@@ -1,238 +0,0 @@
-/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
- *                         Patrick Schaaf <bof@bof.de>
- *                         Martin Josefsson <gandalf@wlug.westbo.se>
- * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-/* Kernel module to match an IP set. */
-
-#include <linux/module.h>
-#include <linux/ip.h>
-#include <linux/skbuff.h>
-#include <linux/version.h>
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
-#include <linux/netfilter_ipv4/ip_tables.h>
-#define xt_register_match	ipt_register_match
-#define xt_unregister_match	ipt_unregister_match
-#define xt_match		ipt_match
-#else
-#include <linux/netfilter/x_tables.h>
-#endif
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ipt_set.h>
-
-static inline int
-match_set(const struct ipt_set_info *info,
-	  const struct sk_buff *skb,
-	  int inv)
-{	
-	if (ip_set_testip_kernel(info->index, skb, info->flags))
-		inv = !inv;
-	return inv;
-}
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
-static int
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-      const void *matchinfo,
-      int offset,
-      const void *hdr,
-      u_int16_t datalen,
-      int *hotdrop) 
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
-static int
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-      const void *matchinfo,
-      int offset,
-      int *hotdrop) 
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
-static int
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-      const void *matchinfo,
-      int offset,
-      unsigned int protoff,
-      int *hotdrop)
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23)
-static int
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-      const struct xt_match *match,
-      const void *matchinfo,
-      int offset,
-      unsigned int protoff,
-      int *hotdrop)
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
-static bool
-match(const struct sk_buff *skb,
-      const struct net_device *in,
-      const struct net_device *out,
-      const struct xt_match *match,
-      const void *matchinfo,
-      int offset, 
-      unsigned int protoff, 
-      bool *hotdrop)
-#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) */
-static bool
-match(const struct sk_buff *skb,
-      const struct xt_match_param *par)
-#endif
-{
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
-	const struct ipt_set_info_match *info = matchinfo;
-#else
-	const struct ipt_set_info_match *info = par->matchinfo;
-#endif
-		
-	return match_set(&info->match_set,
-			 skb,
-			 info->match_set.flags[0] & IPSET_MATCH_INV);
-}
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
-static int
-checkentry(const char *tablename,
-	   const struct ipt_ip *ip,
-	   void *matchinfo,
-	   unsigned int matchsize,
-	   unsigned int hook_mask)
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
-static int
-checkentry(const char *tablename,
-	   const void *inf,
-	   void *matchinfo,
-	   unsigned int matchsize,
-	   unsigned int hook_mask)
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
-static int
-checkentry(const char *tablename,
-	   const void *inf,
-	   const struct xt_match *match,
-	   void *matchinfo,
-	   unsigned int matchsize,
-	   unsigned int hook_mask)
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23)
-static int
-checkentry(const char *tablename,
-	   const void *inf,
-	   const struct xt_match *match,
-	   void *matchinfo,
-	   unsigned int hook_mask)
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
-static bool
-checkentry(const char *tablename,
-	   const void *inf,
-	   const struct xt_match *match,
-	   void *matchinfo,
-	   unsigned int hook_mask)
-#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) */
-static bool
-checkentry(const struct xt_mtchk_param *par)
-#endif
-{
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
-	struct ipt_set_info_match *info = matchinfo;
-#else
-	struct ipt_set_info_match *info = par->matchinfo;
-#endif
-	ip_set_id_t index;
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
-	if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
-		ip_set_printk("invalid matchsize %d", matchsize);
-		return 0;
-	}
-#endif
-
-	index = ip_set_get_byindex(info->match_set.index);
-		
-	if (index == IP_SET_INVALID_ID) {
-		ip_set_printk("Cannot find set indentified by id %u to match",
-			      info->match_set.index);
-		return 0;	/* error */
-	}
-	if (info->match_set.flags[IP_SET_MAX_BINDINGS] != 0) {
-		ip_set_printk("That's nasty!");
-		return 0;	/* error */
-	}
-
-	return 1;
-}
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
-static void destroy(void *matchinfo,
-		    unsigned int matchsize)
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
-static void destroy(const struct xt_match *match,
-		    void *matchinfo,
-		    unsigned int matchsize)
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
-static void destroy(const struct xt_match *match,
-		    void *matchinfo)
-#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) */
-static void destroy(const struct xt_mtdtor_param *par)
-#endif
-{
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28)
-	struct ipt_set_info_match *info = matchinfo;
-#else
-	struct ipt_set_info_match *info = par->matchinfo;
-#endif
-
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
-	if (matchsize != IPT_ALIGN(sizeof(struct ipt_set_info_match))) {
-		ip_set_printk("invalid matchsize %d", matchsize);
-		return;
-	}
-#endif
-	ip_set_put_byindex(info->match_set.index);
-}
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17)
-static struct xt_match set_match = {
-	.name		= "set",
-	.match		= &match,
-	.checkentry	= &checkentry,
-	.destroy	= &destroy,
-	.me		= THIS_MODULE
-};
-#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,17) */
-static struct xt_match set_match = {
-	.name		= "set",
-	.family		= AF_INET,
-	.match		= &match,
-	.matchsize	= sizeof(struct ipt_set_info_match),
-	.checkentry	= &checkentry,
-	.destroy	= &destroy,
-	.me		= THIS_MODULE
-};
-#endif
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("iptables IP set match module");
-
-static int __init ipt_ipset_init(void)
-{
-	return xt_register_match(&set_match);
-}
-
-static void __exit ipt_ipset_fini(void)
-{
-	xt_unregister_match(&set_match);
-}
-
-module_init(ipt_ipset_init);
-module_exit(ipt_ipset_fini);
-- 
cgit v1.2.3