From: Patrick McHardy <kaber@trash.net>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@vger.kernel.org, Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: [PATCH 13/13] "set" match and "SET" target support
Date: Tue, 25 Jan 2011 16:18:28 +0100	[thread overview]
Message-ID: <4D3EE9C4.3020804@trash.net> (raw)
In-Reply-To: <1295618527-9583-14-git-send-email-kadlec@blackhole.kfki.hu>

On 21.01.2011 15:02, Jozsef Kadlecsik wrote:
> --- /dev/null
> +++ b/net/netfilter/xt_set.c
> @@ -0,0 +1,370 @@
> +/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
> + *                         Patrick Schaaf <bof@bof.de>
> + *                         Martin Josefsson <gandalf@wlug.westbo.se>
> + * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + */
> +
> +/* Kernel module which implements the set match and SET target
> + * for netfilter/iptables. */
> +
> +#include <linux/module.h>
> +#include <linux/skbuff.h>
> +#include <linux/version.h>
> +
> +#include <linux/netfilter/x_tables.h>
> +#include <linux/netfilter/xt_set.h>
> +
> +MODULE_LICENSE("GPL");
> +MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
> +MODULE_DESCRIPTION("Xtables: IP set match and target module");
> +MODULE_ALIAS("xt_SET");
> +MODULE_ALIAS("ipt_set");
> +MODULE_ALIAS("ip6t_set");
> +MODULE_ALIAS("ipt_SET");
> +MODULE_ALIAS("ip6t_SET");
> +
> +static inline int
> +match_set(ip_set_id_t index, const struct sk_buff *skb,
> +	  u8 pf, u8 dim, u8 flags, int inv)
> +{
> +	if (ip_set_test(index, skb, pf, dim, flags))
> +		inv = !inv;
> +	return inv;
> +}
> +
> +/* Revision 0 interface: backward compatible with netfilter/iptables */
> +
> +/* Backward compatibility constrains (incomplete):
> + *  2.6.24: [NETLINK]: Introduce nested and byteorder flag to netlink attribute
> + *  2.6.25: is_vmalloc_addr(): Check if an address is within the vmalloc
> + *	    boundaries
> + *  2.6.27: rcu: split list.h and move rcu-protected lists into rculist.h
> + *  2.6.28: netfilter: ctnetlink: remove bogus module dependency between
> + *	    ctnetlink and nf_nat (nfnl_lock/nfnl_unlock)
> + *  2.6.29: generic swap(): introduce global macro swap(a, b)
> + *  2.6.31: netfilter: passive OS fingerprint xtables match
> + *  2.6.34: rcu: Add lockdep-enabled variants of rcu_dereference()

These are just implementation details about what changed in previous
versions and don't really matter for the current kernel version.
I think this comment can be removed.

> + */
> +
> +#define	CHECK_OK	0
> +#define CHECK_FAIL	(-EINVAL)

This is not making the code easier to read; it's a common convention
to return 0 for no error and errno codes otherwise.

> +static int
> +set_match_v0_checkentry(const struct xt_mtchk_param *par)
> +{
> +	struct xt_set_info_match_v0 *info = par->matchinfo;
> +	ip_set_id_t index;
> +
> +	index = ip_set_nfnl_get_byindex(info->match_set.index);
> +
> +	if (index == IPSET_INVALID_ID) {
> +		pr_warning("Cannot find set indentified by id %u to match\n",
> +			   info->match_set.index);
> +		return CHECK_FAIL;	/* error */

ENOENT?

> +	}
> +	if (info->match_set.u.flags[IPSET_DIM_MAX-1] != 0) {
> +		pr_warning("That's nasty!\n");
> +		return CHECK_FAIL;	/* error */
> +	}
> +
> +	/* Fill out compatibility data */
> +	compat_flags(&info->match_set);
> +
> +	return CHECK_OK;
> +}
> +
> +static int
> +set_target_v0_checkentry(const struct xt_tgchk_param *par)
> +{
> +	struct xt_set_info_target_v0 *info = par->targinfo;
> +	ip_set_id_t index;
> +
> +	if (info->add_set.index != IPSET_INVALID_ID) {
> +		index = ip_set_nfnl_get_byindex(info->add_set.index);
> +		if (index == IPSET_INVALID_ID) {
> +			pr_warning("cannot find add_set index %u as target\n",
> +				   info->add_set.index);
> +			return CHECK_FAIL;	/* error */

Same here.

> +		}
> +	}
> +
> +	if (info->del_set.index != IPSET_INVALID_ID) {
> +		index = ip_set_nfnl_get_byindex(info->del_set.index);
> +		if (index == IPSET_INVALID_ID) {
> +			pr_warning("cannot find del_set index %u as target\n",
> +				   info->del_set.index);
> +			return CHECK_FAIL;	/* error */
> +		}
> +	}
> +	if (info->add_set.u.flags[IPSET_DIM_MAX-1] != 0 ||
> +	    info->del_set.u.flags[IPSET_DIM_MAX-1] != 0) {
> +		pr_warning("That's nasty!\n");

This message doesn't seem very helpful. Assuming a structure
mismatch and no mischief, it would be better to print something
the user can understand.

> +		return CHECK_FAIL;	/* error */
> +	}
> +
> +	/* Fill out compatibility data */
> +	compat_flags(&info->add_set);
> +	compat_flags(&info->del_set);
> +
> +	return CHECK_OK;
> +}

> +static int
> +set_match_checkentry(const struct xt_mtchk_param *par)
> +{
> +	struct xt_set_info_match *info = par->matchinfo;
> +	ip_set_id_t index;
> +
> +	index = ip_set_nfnl_get_byindex(info->match_set.index);
> +
> +	if (index == IPSET_INVALID_ID) {
> +		pr_warning("Cannot find set indentified by id %u to match\n",
> +			   info->match_set.index);
> +		return CHECK_FAIL;	/* error */
> +	}
> +	if (info->match_set.dim > IPSET_DIM_MAX) {
> +		pr_warning("That's nasty!\n");

Even more so in this case, a future userspace version might support
more dimensions.

> +		return CHECK_FAIL;	/* error */
> +	}
> +
> +	return CHECK_OK;
> +}

> +
> +static int
> +set_target_checkentry(const struct xt_tgchk_param *par)
> +{
> +	const struct xt_set_info_target *info = par->targinfo;
> +	ip_set_id_t index;
> +
> +	if (info->add_set.index != IPSET_INVALID_ID) {
> +		index = ip_set_nfnl_get_byindex(info->add_set.index);
> +		if (index == IPSET_INVALID_ID) {
> +			pr_warning("cannot find add_set index %u as target\n",
> +				   info->add_set.index);
> +			return CHECK_FAIL;	/* error */

ENOENT?

> +		}
> +	}
> +
> +	if (info->del_set.index != IPSET_INVALID_ID) {
> +		index = ip_set_nfnl_get_byindex(info->del_set.index);
> +		if (index == IPSET_INVALID_ID) {
> +			pr_warning("cannot find del_set index %u as target\n",
> +				   info->del_set.index);
> +			return CHECK_FAIL;	/* error */
> +		}
> +	}
> +	if (info->add_set.dim > IPSET_DIM_MAX ||
> +	    info->del_set.flags > IPSET_DIM_MAX) {
> +		pr_warning("That's nasty!\n");
> +		return CHECK_FAIL;	/* error */
> +	}
> +
> +	return CHECK_OK;
> +}
> +
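Review bot: The dimension check in set_target_checkentry compares `info->del_set.flags` against IPSET_DIM_MAX where the parallel add_set test compares `.dim`, so del_set.dim supplied from userspace is never validated before the target uses it; the second operand should read `info->del_set.dim > IPSET_DIM_MAX) {`. If ip_set_nfnl_get_byindex takes a reference on the set (its name suggests so, but its definition is outside this hunk), both target checkentry variants leak the add_set reference when the subsequent del_set lookup fails, since they return without a matching put — the del_set error path would need to release add_set first. Minor: "indentified" in the two match pr_warning messages should be "identified". The remainder of the file (the match/target functions and module registration) lies beyond the quoted portion of the hunk.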

