1: /* ipset.c is Copyright (c) 2013 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
2:
3: This program is free software; you can redistribute it and/or modify
4: it under the terms of the GNU General Public License as published by
5: the Free Software Foundation; version 2 dated June, 1991, or
6: (at your option) version 3 dated 29 June, 2007.
7:
8: This program is distributed in the hope that it will be useful,
9: but WITHOUT ANY WARRANTY; without even the implied warranty of
10: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11: GNU General Public License for more details.
12:
13: You should have received a copy of the GNU General Public License
14: along with this program. If not, see <http://www.gnu.org/licenses/>.
15: */
16:
17: #include "dnsmasq.h"
18:
19: #ifdef HAVE_IPSET
20:
21: #include <string.h>
22: #include <errno.h>
23: #include <sys/types.h>
24: #include <sys/socket.h>
25: #include <sys/utsname.h>
26: #include <arpa/inet.h>
27: #include <linux/version.h>
28: #include <linux/netlink.h>
29:
30: /* We want to be able to compile against old header files
31: Kernel version is handled at run-time. */
32:
33: #define NFNL_SUBSYS_IPSET 6
34:
35: #define IPSET_ATTR_DATA 7
36: #define IPSET_ATTR_IP 1
37: #define IPSET_ATTR_IPADDR_IPV4 1
38: #define IPSET_ATTR_IPADDR_IPV6 2
39: #define IPSET_ATTR_PROTOCOL 1
40: #define IPSET_ATTR_SETNAME 2
41: #define IPSET_CMD_ADD 9
42: #define IPSET_CMD_DEL 10
43: #define IPSET_MAXNAMELEN 32
44: #define IPSET_PROTOCOL 6
45:
46: #ifndef NFNETLINK_V0
47: #define NFNETLINK_V0 0
48: #endif
49:
50: #ifndef NLA_F_NESTED
51: #define NLA_F_NESTED (1 << 15)
52: #endif
53:
54: #ifndef NLA_F_NET_BYTEORDER
55: #define NLA_F_NET_BYTEORDER (1 << 14)
56: #endif
57:
58: struct my_nlattr {
59: __u16 nla_len;
60: __u16 nla_type;
61: };
62:
63: struct my_nfgenmsg {
64: __u8 nfgen_family; /* AF_xxx */
65: __u8 version; /* nfnetlink version */
66: __be16 res_id; /* resource id */
67: };
68:
69:
70: /* data structure size in here is fixed */
71: #define BUFF_SZ 256
72:
73: #define NL_ALIGN(len) (((len)+3) & ~(3))
74: static const struct sockaddr_nl snl = { .nl_family = AF_NETLINK };
75: static int ipset_sock, old_kernel;
76: static char *buffer;
77:
78: static inline void add_attr(struct nlmsghdr *nlh, uint16_t type, size_t len, const void *data)
79: {
80: struct my_nlattr *attr = (void *)nlh + NL_ALIGN(nlh->nlmsg_len);
81: uint16_t payload_len = NL_ALIGN(sizeof(struct my_nlattr)) + len;
82: attr->nla_type = type;
83: attr->nla_len = payload_len;
84: memcpy((void *)attr + NL_ALIGN(sizeof(struct my_nlattr)), data, len);
85: nlh->nlmsg_len += NL_ALIGN(payload_len);
86: }
87:
88: void ipset_init(void)
89: {
90: struct utsname utsname;
91: int version;
92: char *split;
93:
94: if (uname(&utsname) < 0)
95: die(_("failed to find kernel version: %s"), NULL, EC_MISC);
96:
97: split = strtok(utsname.release, ".");
98: version = (split ? atoi(split) : 0);
99: split = strtok(NULL, ".");
100: version = version * 256 + (split ? atoi(split) : 0);
101: split = strtok(NULL, ".");
102: version = version * 256 + (split ? atoi(split) : 0);
103: old_kernel = (version < KERNEL_VERSION(2,6,32));
104:
105: if (old_kernel && (ipset_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) != -1)
106: return;
107:
108: if (!old_kernel &&
109: (buffer = safe_malloc(BUFF_SZ)) &&
110: (ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)) != -1 &&
111: (bind(ipset_sock, (struct sockaddr *)&snl, sizeof(snl)) != -1))
112: return;
113:
114: die (_("failed to create IPset control socket: %s"), NULL, EC_MISC);
115: }
116:
117: static int new_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int af, int remove)
118: {
119: struct nlmsghdr *nlh;
120: struct my_nfgenmsg *nfg;
121: struct my_nlattr *nested[2];
122: uint8_t proto;
123: int addrsz = INADDRSZ;
124: ssize_t rc;
125:
126: #ifdef HAVE_IPV6
127: if (af == AF_INET6)
128: addrsz = IN6ADDRSZ;
129: #endif
130:
131: if (strlen(setname) >= IPSET_MAXNAMELEN)
132: {
133: errno = ENAMETOOLONG;
134: return -1;
135: }
136:
137: memset(buffer, 0, BUFF_SZ);
138:
139: nlh = (struct nlmsghdr *)buffer;
140: nlh->nlmsg_len = NL_ALIGN(sizeof(struct nlmsghdr));
141: nlh->nlmsg_type = (remove ? IPSET_CMD_DEL : IPSET_CMD_ADD) | (NFNL_SUBSYS_IPSET << 8);
142: nlh->nlmsg_flags = NLM_F_REQUEST;
143:
144: nfg = (struct my_nfgenmsg *)(buffer + nlh->nlmsg_len);
145: nlh->nlmsg_len += NL_ALIGN(sizeof(struct my_nfgenmsg));
146: nfg->nfgen_family = af;
147: nfg->version = NFNETLINK_V0;
148: nfg->res_id = htons(0);
149:
150: proto = IPSET_PROTOCOL;
151: add_attr(nlh, IPSET_ATTR_PROTOCOL, sizeof(proto), &proto);
152: add_attr(nlh, IPSET_ATTR_SETNAME, strlen(setname) + 1, setname);
153: nested[0] = (struct my_nlattr *)(buffer + NL_ALIGN(nlh->nlmsg_len));
154: nlh->nlmsg_len += NL_ALIGN(sizeof(struct my_nlattr));
155: nested[0]->nla_type = NLA_F_NESTED | IPSET_ATTR_DATA;
156: nested[1] = (struct my_nlattr *)(buffer + NL_ALIGN(nlh->nlmsg_len));
157: nlh->nlmsg_len += NL_ALIGN(sizeof(struct my_nlattr));
158: nested[1]->nla_type = NLA_F_NESTED | IPSET_ATTR_IP;
159: add_attr(nlh,
160: (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6) | NLA_F_NET_BYTEORDER,
161: addrsz, &ipaddr->addr);
162: nested[1]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[1];
163: nested[0]->nla_len = (void *)buffer + NL_ALIGN(nlh->nlmsg_len) - (void *)nested[0];
164:
165: while ((rc = sendto(ipset_sock, buffer, nlh->nlmsg_len, 0,
166: (struct sockaddr *)&snl, sizeof(snl))) == -1 && retry_send());
167: return rc;
168: }
169:
170:
171: static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int remove)
172: {
173: socklen_t size;
174: struct ip_set_req_adt_get {
175: unsigned op;
176: unsigned version;
177: union {
178: char name[IPSET_MAXNAMELEN];
179: uint16_t index;
180: } set;
181: char typename[IPSET_MAXNAMELEN];
182: } req_adt_get;
183: struct ip_set_req_adt {
184: unsigned op;
185: uint16_t index;
186: uint32_t ip;
187: } req_adt;
188:
189: if (strlen(setname) >= sizeof(req_adt_get.set.name))
190: {
191: errno = ENAMETOOLONG;
192: return -1;
193: }
194:
195: req_adt_get.op = 0x10;
196: req_adt_get.version = 3;
197: strcpy(req_adt_get.set.name, setname);
198: size = sizeof(req_adt_get);
199: if (getsockopt(ipset_sock, SOL_IP, 83, &req_adt_get, &size) < 0)
200: return -1;
201: req_adt.op = remove ? 0x102 : 0x101;
202: req_adt.index = req_adt_get.set.index;
203: req_adt.ip = ntohl(ipaddr->addr.addr4.s_addr);
204: if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0)
205: return -1;
206:
207: return 0;
208: }
209:
210:
211:
212: int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags, int remove)
213: {
214: int af = AF_INET;
215:
216: #ifdef HAVE_IPV6
217: if (flags & F_IPV6)
218: {
219: af = AF_INET6;
220: /* old method only supports IPv4 */
221: if (old_kernel)
222: return -1;
223: }
224: #endif
225:
226: return old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
227: }
228:
229: #endif
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to ipset.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / dnsmasq / src