1 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
2 * Patrick Schaaf <bof@bof.de>
3 * Martin Josefsson <gandalf@wlug.westbo.se>
4 * Copyright (C) 2003-2010 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
11 /* Shared library add-on to iptables to add IP set matching. */
21 #include <linux/netfilter/xt_set.h>
22 #include "libxt_set.h"
27 printf("set match options:\n"
28 " [!] --match-set name flags\n"
29 " 'name' is the set name from to match,\n"
30 " 'flags' are the comma separated list of\n"
31 " 'src' and 'dst' specifications.\n");
/* getopt table shared by both match revisions registered below.
 * "--set" is kept as an undocumented alias for backward compatibility;
 * the parse routines print a deprecation message when they see it.
 * The table terminator is outside this view. */
34 static const struct option set_opts[] = {
35 { .name = "match-set", .has_arg = true, .val = '1'},
36 { .name = "set", .has_arg = true, .val = '2'},
/* final_check hook for both revisions: refuses a rule for which no
 * --match-set was parsed. The return type and the flags test that guards
 * the error are outside this view. */
41 set_check(unsigned int flags)
44 xtables_error(PARAMETER_PROBLEM,
45 "You must specify `--match-set' with proper arguments");
/* Option parser for match revision 0 (xt_set_info_match_v0, IPv4 only).
 * Handles "--match-set <name> <src|dst>[,<src|dst>...]" and the deprecated
 * "--set" alias. Fills the kernel-side xt_set_info_v0 in *match:
 * set index (resolved by name), per-dimension flags and the invert bit.
 * Every failure is reported through xtables_error(), which does not return.
 * The surrounding switch/return scaffolding is outside this view. */
49 set_parse_v0(int c, char **argv, int invert, unsigned int *flags,
50 const void *entry, struct xt_entry_match **match)
52 struct xt_set_info_match_v0 *myinfo =
53 (struct xt_set_info_match_v0 *) (*match)->data;
54 struct xt_set_info_v0 *info = &myinfo->match_set;
59 "--set option deprecated, please use --match-set\n");
60 case '1': /* --match-set <set> <flag>[,<flag> */
62 xtables_error(PARAMETER_PROBLEM,
63 "--match-set can be specified only once");
/* Accept "--match-set ! name flags" as well as "! --match-set"; the
 * helper adjusts optind when it consumes the '!'. */
65 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
/* Revision 0 keeps the invert bit in the first per-dimension flag byte. */
67 info->u.flags[0] |= IPSET_MATCH_INV;
/* The direction list is a second positional argument; it must not look
 * like another option or a stray '!'. The NULL test for argv[optind]
 * that precedes these two conditions is outside this view. */
70 || argv[optind][0] == '-'
71 || argv[optind][0] == '!'
72 xtables_error(PARAMETER_PROBLEM,
73 "--match-set requires two args.");
/* Bound the user-supplied name before it is copied into the fixed
 * IPSET_MAXNAMELEN buffer inside the match info; one byte is reserved
 * for the terminating NUL. */
75 if (strlen(optarg) > IPSET_MAXNAMELEN - 1)
76 xtables_error(PARAMETER_PROBLEM,
77 "setname `%s' too long, max %d characters.",
78 optarg, IPSET_MAXNAMELEN - 1);
/* Resolve the name to a kernel set index (libxt_set.h). The v0 info is
 * passed through the generic xt_set_info pointer type; presumably the
 * two layouts share the leading index/name fields -- verify in the header. */
80 get_set_byname(optarg, (struct xt_set_info *)info);
/* Parse the comma separated "src"/"dst" list into the v0 flag array. */
81 parse_dirs_v0(argv[optind], info);
82 DEBUGP("parse: set index %u\n", info->index);
/* Shared printer for revision 0 (used by both print and save, which differ
 * only in the prefix: "match-set" vs "--match-set"). Looks the set name up
 * by its kernel index and emits the direction list from the flag array. */
96 print_match_v0(const char *prefix, const struct xt_set_info_v0 *info)
/* Fixed-size name buffer filled by the reverse lookup below. */
99 char setname[IPSET_MAXNAMELEN];
101 get_set_byid(setname, info->index);
103 (info->u.flags[0] & IPSET_MATCH_INV) ? "! " : "",
/* The loop is bounded by IPSET_DIM_MAX, so a corrupt or unexpected flag
 * array cannot drive the index past the end of info->u.flags. A zero entry
 * terminates the list; the statement that does so is outside this view. */
106 for (i = 0; i < IPSET_DIM_MAX; i++) {
107 if (!info->u.flags[i])
111 info->u.flags[i] & IPSET_SRC ? "src" : "dst");
116 /* Prints out the matchinfo (revision 0, "iptables -L" form). The ip and
 * numeric arguments are part of the xtables hook signature and are unused
 * here. */
118 set_print_v0(const void *ip, const struct xt_entry_match *match, int numeric)
120 const struct xt_set_info_match_v0 *info = (const void *)match->data;
122 print_match_v0("match-set", &info->match_set);
/* Emits the rule in "iptables-save" form (revision 0): same as set_print_v0
 * but with the option spelled as "--match-set" so it can be replayed. */
126 set_save_v0(const void *ip, const struct xt_entry_match *match)
128 const struct xt_set_info_match_v0 *info = (const void *)match->data;
130 print_match_v0("--match-set", &info->match_set);
/* Option parser for the current match revision (xt_set_info_match, any
 * address family). Mirrors set_parse_v0 step for step; the only layout
 * differences are that the invert bit lives in info->flags (IPSET_INV_MATCH)
 * and the direction list is parsed by parse_dirs() into dim/flags.
 * All failures go through xtables_error(), which does not return.
 * The surrounding switch/return scaffolding is outside this view. */
134 set_parse(int c, char **argv, int invert, unsigned int *flags,
135 const void *entry, struct xt_entry_match **match)
137 struct xt_set_info_match *myinfo =
138 (struct xt_set_info_match *) (*match)->data;
139 struct xt_set_info *info = &myinfo->match_set;
144 "--set option deprecated, please use --match-set\n");
145 case '1': /* --match-set <set> <flag>[,<flag> */
147 xtables_error(PARAMETER_PROBLEM,
148 "--match-set can be specified only once");
/* Accept "--match-set ! name flags" as well as "! --match-set". */
150 xtables_check_inverse(optarg, &invert, &optind, 0, argv);
152 info->flags |= IPSET_INV_MATCH;
/* Second positional argument (direction list) must be present and must
 * not look like another option or a stray '!'. The NULL test for
 * argv[optind] that precedes these conditions is outside this view. */
155 || argv[optind][0] == '-'
156 || argv[optind][0] == '!'
157 xtables_error(PARAMETER_PROBLEM,
158 "--match-set requires two args.");
/* Bound the user-supplied name before it is copied into the fixed
 * IPSET_MAXNAMELEN buffer; one byte is reserved for the NUL. */
160 if (strlen(optarg) > IPSET_MAXNAMELEN - 1)
161 xtables_error(PARAMETER_PROBLEM,
162 "setname `%s' too long, max %d characters.",
163 optarg, IPSET_MAXNAMELEN - 1);
/* Resolve the name to a kernel set index (libxt_set.h), then parse the
 * "src"/"dst" list into the dimension count and per-dimension flag bits. */
165 get_set_byname(optarg, info);
166 parse_dirs(argv[optind], info);
167 DEBUGP("parse: set index %u\n", info->index);
/* Shared printer for the current revision (print and save differ only in
 * the prefix). Looks the set name up by kernel index and emits one
 * "src"/"dst" token per dimension, taking the direction of dimension i
 * from bit i of info->flags. */
181 print_match(const char *prefix, const struct xt_set_info *info)
184 char setname[IPSET_MAXNAMELEN];
186 get_set_byid(setname, info->index);
188 (info->flags & IPSET_INV_MATCH) ? "! " : "",
/* NOTE(review): unlike print_match_v0, which stops at IPSET_DIM_MAX, this
 * loop trusts info->dim straight from the rule blob. If dim were ever
 * larger than the number of usable bits in info->flags, the shift below
 * would run past the flag field (and past the type width for large values).
 * Clamping the bound to IPSET_DIM_MAX, as the v0 printer does, would make
 * the two printers consistent -- confirm dim's range against the kernel
 * header before relying on it. */
191 for (i = 1; i <= info->dim; i++) {
194 info->flags & (1 << i) ? "src" : "dst");
199 /* Prints out the matchinfo (current revision, "iptables -L" form). The ip
 * and numeric arguments are part of the xtables hook signature and are
 * unused here. */
201 set_print(const void *ip, const struct xt_entry_match *match, int numeric)
203 const struct xt_set_info_match *info = (const void *)match->data;
205 print_match("match-set", &info->match_set);
/* Emits the rule in "iptables-save" form (current revision): same as
 * set_print but with the option spelled as "--match-set" for replay. */
209 set_save(const void *ip, const struct xt_entry_match *match)
211 const struct xt_set_info_match *info = (const void *)match->data;
213 print_match("--match-set", &info->match_set);
/* Registration table: one entry per match revision. The first entry is the
 * legacy IPv4-only layout (xt_set_info_match_v0), the second the current
 * family-agnostic one (xt_set_info_match). Both share set_check and the
 * set_opts table. The .name/.revision/.help/.save members and the entries'
 * closing braces are outside this view. */
216 static struct xtables_match set_mt_reg[] = {
220 .version = XTABLES_VERSION,
221 .family = NFPROTO_IPV4,
/* size == userspacesize: the whole match info, including the kernel-
 * resolved set index, takes part in rule comparison. */
222 .size = XT_ALIGN(sizeof(struct xt_set_info_match_v0)),
223 .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_match_v0)),
225 .parse = set_parse_v0,
226 .final_check = set_check,
227 .print = set_print_v0,
229 .extra_opts = set_opts,
234 .version = XTABLES_VERSION,
235 .family = NFPROTO_UNSPEC,
236 .size = XT_ALIGN(sizeof(struct xt_set_info_match)),
237 .userspacesize = XT_ALIGN(sizeof(struct xt_set_info_match)),
240 .final_check = set_check,
243 .extra_opts = set_opts,
/* Library constructor body (its signature is outside this view): registers
 * every revision in set_mt_reg with the xtables core in one call. */
249 xtables_register_matches(set_mt_reg, ARRAY_SIZE(set_mt_reg));