#include <linux/netfilter/x_tables.h>
#include <linux/stringify.h>
#include <linux/vmalloc.h>
-#include <linux/version.h>
#include <net/netlink.h>
#include <uapi/linux/netfilter/ipset/ip_set.h>
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)
-#define xt_action_param xt_match_param
-#endif
+#include <linux/netfilter/ipset/ip_set_compat.h>
#define _IP_SET_MODULE_DESC(a, b, c) \
MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)
#define ipset_nest_start(skb, attr) nla_nest_start(skb, attr | NLA_F_NESTED)
#define ipset_nest_end(skb, start) nla_nest_end(skb, start)
-#ifdef NLA_PUT_NET16
-static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value)
-{
- return nla_put(skb, attrtype, sizeof(__be16), &value);
-}
-
-static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value)
-{
- return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, value);
-}
-
-static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value)
-{
- return nla_put(skb, attrtype, sizeof(__be32), &value);
-}
-
-static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value)
-{
- return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, value);
-}
-#endif
-
static inline int nla_put_ipaddr4(struct sk_buff *skb, int type, __be32 ipaddr)
{
struct nlattr *__nested = ipset_nest_start(skb, type);
#include <linux/rcupdate.h>
#include <linux/jhash.h>
#include <linux/netfilter/ipset/ip_set_timeout.h>
-#ifndef rcu_dereference_bh
-#define rcu_dereference_bh(p) rcu_dereference(p)
-#endif
#define CONCAT(a, b, c) a##b##c
#define TOKEN(a, b, c) CONCAT(a, b, c)
--- /dev/null
+#ifndef __IP_SET_COMPAT_H
+#define __IP_SET_COMPAT_H
+
+/* Not everything could be moved here. Compatibility stuffs can be found in
+ * xt_set.c, ip_set_core.c, ip_set_getport.c, pfxlen.c too.
+ */
+
+#include <linux/version.h>
+#include <linux/netlink.h>
+
+#ifndef rcu_dereference_bh
+#define rcu_dereference_bh(p) rcu_dereference(p)
+#endif
+
+#ifndef rcu_dereference_protected
+#define rcu_dereference_protected(p, c) rcu_dereference(p)
+#endif
+
+#ifndef __rcu
+#define __rcu
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)
+#define xt_action_param xt_match_param
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 37)
+#define vzalloc(size) __vmalloc(size,\
+ GFP_KERNEL|__GFP_ZERO|__GFP_HIGHMEM,\
+ PAGE_KERNEL)
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0)
+#include <linux/etherdevice.h>
+
+static inline bool ether_addr_equal(const u8 *addr1, const u8 *addr2)
+{
+ return !compare_ether_addr(addr1, addr2);
+}
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0)
+#define NETLINK_PORTID(skb) NETLINK_CB(skb).pid
+#else
+#define NETLINK_PORTID(skb) NETLINK_CB(skb).portid
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 8, 0)
+#define ns_capable(ns, cap) capable(cap)
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 9, 0)
+#define lock_nfnl() nfnl_lock()
+#define unlock_nfnl() nfnl_unlock()
+#else
+#define lock_nfnl() nfnl_lock(NFNL_SUBSYS_IPSET)
+#define unlock_nfnl() nfnl_unlock(NFNL_SUBSYS_IPSET)
+#endif
+
+#ifdef NLA_PUT_NET16
+static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value)
+{
+ return nla_put(skb, attrtype, sizeof(__be16), &value);
+}
+
+static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value)
+{
+ return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, value);
+}
+
+static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value)
+{
+ return nla_put(skb, attrtype, sizeof(__be32), &value);
+}
+
+static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value)
+{
+ return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, value);
+}
+#endif
+
+#endif /* __IP_SET_COMPAT_H */
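Review bot: The `#ifndef rcu_dereference_bh` and `#ifndef rcu_dereference_protected` tests at the top of this new header only give the right answer if `<linux/rcupdate.h>` has already been seen, yet the header itself includes only `<linux/version.h>` and `<linux/netlink.h>`. Unless one of those pulls it in transitively, an includer that reaches this file first gets the fallbacks on a kernel that does provide the real macros, which either clashes with the later definition or quietly substitutes plain `rcu_dereference(p)` for `rcu_dereference_protected(p, c)`. I would add `#include <linux/rcupdate.h>` (and `#include <linux/vmalloc.h>` for the `vzalloc` fallback) before the first test so the result does not depend on include order. The `nla_put_*` inline helpers similarly assume the caller has already included `<net/netlink.h>`; a one-line comment stating that requirement would be enough.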
#include <linux/netlink.h>
#include <linux/jiffies.h>
#include <linux/timer.h>
-#include <linux/version.h>
#include <net/netlink.h>
#include <linux/netfilter/ipset/pfxlen.h>
IP_SET_MODULE_DESC("bitmap:ip,mac", REVISION_MIN, REVISION_MAX);
MODULE_ALIAS("ip_set_bitmap:ip,mac");
-/* Backport ether_addr_equal */
-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0)
-static inline bool ether_addr_equal(const u8 *addr1, const u8 *addr2)
-{
- return !compare_ether_addr(addr1, addr2);
-}
-#endif
-
enum {
MAC_EMPTY, /* element is not set */
MAC_FILLED, /* element is set with MAC */
#include <linux/spinlock.h>
#include <linux/netlink.h>
#include <linux/rculist.h>
-#ifndef IPSET_IN_KERNEL_TREE
-#include <linux/version.h>
-#endif
#include <net/netlink.h>
#include <linux/netfilter.h>
static DEFINE_MUTEX(ip_set_type_mutex); /* protects ip_set_type_list */
static DEFINE_RWLOCK(ip_set_ref_lock); /* protects the set refs */
-#ifdef __rcu
static struct ip_set * __rcu *ip_set_list; /* all individual sets */
-#else
-static struct ip_set **ip_set_list; /* all individual sets */
-#endif
static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */
#define IP_SET_INC 64
IP_SET_CORE_MODULE_DESC(PACKAGE_VERSION);
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
-#ifndef rcu_dereference_protected
-#define rcu_dereference_protected(p, c) rcu_dereference(p)
-#endif
-
/* When the nfnl mutex is held: */
#define nfnl_dereference(p) \
rcu_dereference_protected(p, 1)
static bool
load_settype(const char *name)
{
- nfnl_unlock();
+ unlock_nfnl();
pr_debug("try to load ip_set_%s\n", name);
if (request_module("ip_set_%s", name) < 0) {
pr_warning("Can't find ip_set type %s\n", name);
- nfnl_lock();
+ lock_nfnl();
return false;
}
- nfnl_lock();
+ lock_nfnl();
return true;
}
return members;
}
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 37)
- members = __vmalloc(size, GFP_KERNEL | __GFP_ZERO | __GFP_HIGHMEM,
- PAGE_KERNEL);
-#else
members = vzalloc(size);
-#endif
if (!members)
return NULL;
pr_debug("%p: allocated with vmalloc\n", members);
ip_set_id_t i, index = IPSET_INVALID_ID;
struct ip_set *s;
- nfnl_lock();
+ lock_nfnl();
for (i = 0; i < ip_set_max; i++) {
s = nfnl_set(i);
if (s != NULL && STREQ(s->name, name)) {
break;
}
}
- nfnl_unlock();
+ unlock_nfnl();
return index;
}
if (index > ip_set_max)
return IPSET_INVALID_ID;
- nfnl_lock();
+ lock_nfnl();
set = nfnl_set(index);
if (set)
__ip_set_get(set);
else
index = IPSET_INVALID_ID;
- nfnl_unlock();
+ unlock_nfnl();
return index;
}
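Review bot: The bounds test `if (index > ip_set_max)` kept as context in this hunk still admits `index == ip_set_max`, whereas the lookup loop in the previous hunk treats `i < ip_set_max` as the valid range. If `nfnl_set()` indexes `ip_set_list` directly (its definition is outside the visible lines), that value reads one slot past the array before the NULL test can reject it. Since the commit already touches this function, I would tighten the check to `if (index >= ip_set_max)`. The `ip_set_nfnl_put()` hunk that follows calls `nfnl_set(index)` with no visible range check at all; its body starts outside the hunk, so confirm that every caller guarantees a valid index there.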
ip_set_nfnl_put(ip_set_id_t index)
{
struct ip_set *set;
- nfnl_lock();
+ lock_nfnl();
set = nfnl_set(index);
if (set != NULL)
__ip_set_put(set);
- nfnl_unlock();
+ unlock_nfnl();
}
EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
}
static struct nlmsghdr *
-start_msg(struct sk_buff *skb, u32 pid, u32 seq, unsigned int flags,
+start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags,
enum ipset_cmd cmd)
{
struct nlmsghdr *nlh;
struct nfgenmsg *nfmsg;
- nlh = nlmsg_put(skb, pid, seq, cmd | (NFNL_SUBSYS_IPSET << 8),
+ nlh = nlmsg_put(skb, portid, seq, cmd | (NFNL_SUBSYS_IPSET << 8),
sizeof(*nfmsg), flags);
if (nlh == NULL)
return NULL;
return 0;
}
-#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0)
-#define NETLINK_PORTID(skb) NETLINK_CB(skb).pid
-#else
-#define NETLINK_PORTID(skb) NETLINK_CB(skb).portid
-#endif
-
static int
ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
{
void *data;
int copylen = *len, ret = 0;
- if (!capable(CAP_NET_ADMIN))
+ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (optval != SO_IP_SET)
return -EBADF;
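Review bot: Replacing `capable(CAP_NET_ADMIN)` with `ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)` is a privilege change rather than a compatibility shim: on kernels where the 3.8 fallback macro is not used, the check now passes for a caller that holds CAP_NET_ADMIN only inside its own user namespace. The set table declared earlier in this diff, `static struct ip_set * __rcu *ip_set_list`, is a single file-scope array. Unless the rest of this function (it continues outside the hunk) restricts lookups per network namespace, such a caller could resolve the names and indexes of sets created elsewhere on the host through the `IP_SET_OP_GET_BYNAME` and `IP_SET_OP_GET_BYINDEX` branches. I would keep `if (!capable(CAP_NET_ADMIN))` until the sets themselves are per-netns, or move this line into its own commit with that justification and a comment above the check stating which namespace's sets the caller may see.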
goto done;
}
req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
- nfnl_lock();
+ lock_nfnl();
find_set_and_id(req_get->set.name, &id);
req_get->set.index = id;
- nfnl_unlock();
+ unlock_nfnl();
goto copy;
}
case IP_SET_OP_GET_BYINDEX: {
ret = -EINVAL;
goto done;
}
- nfnl_lock();
+ lock_nfnl();
set = nfnl_set(req_get->set.index);
strncpy(req_get->set.name, set ? set->name : "",
IPSET_MAXNAMELEN);
- nfnl_unlock();
+ unlock_nfnl();
goto copy;
}
default:
#include <linux/skbuff.h>
#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter/xt_set.h>
+#include <linux/netfilter/ipset/ip_set.h>
#include <linux/netfilter/ipset/ip_set_timeout.h>
+#include <uapi/linux/netfilter/xt_set.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");