Add ipset headers, rahunas updated struct changes
authorNeutron Soutmun <neo.neutron@gmail.com>
Tue, 1 Jun 2010 06:36:43 +0000 (13:36 +0700)
committerNeutron Soutmun <neo.neutron@gmail.com>
Tue, 1 Jun 2010 06:36:43 +0000 (13:36 +0700)
src/Makefile.am
src/ipset/ip_set.h [new file with mode: 0644]
src/ipset/ip_set_bitmaps.h [new file with mode: 0644]
src/ipset/ip_set_rahunas.h [new file with mode: 0644]
src/rahunasd.c
src/rh-ipset.h
src/rh-task-ipset.c

index 617b176..7f06678 100644 (file)
@@ -7,6 +7,7 @@ IPSET_VERSION:=4.2
 AM_CFLAGS = \
   $(LIBGNET_CFLAGS) \
   $(LIBGDA_CFLAGS) \
+  -I$(top_srcdir)/src/ \
   -I$(top_srcdir)/src/include/ \
   -DRAHUNAS_VERSION=\"$(RAHUNAS_VERSION)\" \
   -DPROGRAM=\"$(PROGRAM)\" \
diff --git a/src/ipset/ip_set.h b/src/ipset/ip_set.h
new file mode 100644 (file)
index 0000000..07d61a0
--- /dev/null
@@ -0,0 +1,569 @@
+#ifndef _IP_SET_H
+#define _IP_SET_H
+
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2004 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.  
+ */
+
+#ifndef CONFIG_IP_NF_SET_MAX
+       /* from 2 to 65534 */
+#      define CONFIG_IP_NF_SET_MAX 256
+#endif
+#ifndef CONFIG_IP_NF_SET_HASHSIZE
+#      define CONFIG_IP_NF_SET_HASHSIZE 1024
+#endif
+
+#if 0
+#define IP_SET_DEBUG
+#endif
+
+/*
+ * A sockopt of such quality has hardly ever been seen before on the open
+ * market!  This little beauty, hardly ever used: above 64, so it's
+ * traditionally used for firewalling, not touched (even once!) by the
+ * 2.0, 2.2 and 2.4 kernels!
+ *
+ * Comes with its own certificate of authenticity, valid anywhere in the
+ * Free world!
+ *
+ * Rusty, 19.4.2000
+ */
+#define SO_IP_SET              83
+
+/*
+ * Heavily modify by Joakim Axelsson 08.03.2002
+ * - Made it more modulebased
+ *
+ * Additional heavy modifications by Jozsef Kadlecsik 22.02.2004
+ * - bindings added
+ * - in order to "deal with" backward compatibility, renamed to ipset
+ */
+
+/* 
+ * Used so that the kernel module and ipset-binary can match their versions 
+ */
+#define IP_SET_PROTOCOL_UNALIGNED      3
+#define IP_SET_PROTOCOL_VERSION                4
+
+#define IP_SET_MAXNAMELEN 32   /* set names and set typenames */
+
+/* Lets work with our own typedef for representing an IP address.
+ * We hope to make the code more portable, possibly to IPv6...
+ *
+ * The representation works in HOST byte order, because most set types
+ * will perform arithmetic operations and compare operations.
+ * 
+ * For now the type is an uint32_t.
+ *
+ * Make sure to ONLY use the functions when translating and parsing
+ * in order to keep the host byte order and make it more portable:
+ *  parse_ip()
+ *  parse_mask()
+ *  parse_ipandmask()
+ *  ip_tostring()
+ * (Joakim: where are they???)
+ */
+
+typedef uint32_t ip_set_ip_t;
+
+/* Sets are identified by an id in kernel space. Tweak with ip_set_id_t
+ * and IP_SET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef uint16_t ip_set_id_t;
+
+#define IP_SET_INVALID_ID      65535
+
+/* How deep we follow bindings */
+#define IP_SET_MAX_BINDINGS    6
+
+/*
+ * Option flags for kernel operations (ipt_set_info)
+ */
+#define IPSET_SRC              0x01    /* Source match/add */
+#define IPSET_DST              0x02    /* Destination match/add */
+#define IPSET_MATCH_INV                0x04    /* Inverse matching */
+
+/*
+ * Set features
+ */
+#define IPSET_TYPE_IP          0x01    /* IP address type of set */
+#define IPSET_TYPE_PORT                0x02    /* Port type of set */
+#define IPSET_DATA_SINGLE      0x04    /* Single data storage */
+#define IPSET_DATA_DOUBLE      0x08    /* Double data storage */
+#define IPSET_DATA_TRIPLE      0x10    /* Triple data storage */
+#define IPSET_TYPE_IP1         0x20    /* IP address type of set */
+#define IPSET_TYPE_SETNAME     0x40    /* setname type of set */
+
+/* Reserved keywords */
+#define IPSET_TOKEN_DEFAULT    ":default:"
+#define IPSET_TOKEN_ALL                ":all:"
+
+/* SO_IP_SET operation constants, and their request struct types.
+ *
+ * Operation ids:
+ *       0-99:  commands with version checking
+ *     100-199: add/del/test/bind/unbind
+ *     200-299: list, save, restore
+ */
+
+/* Single shot operations: 
+ * version, create, destroy, flush, rename and swap 
+ *
+ * Sets are identified by name.
+ */
+
+#define IP_SET_REQ_STD         \
+       unsigned op;            \
+       unsigned version;       \
+       char name[IP_SET_MAXNAMELEN]
+
+#define IP_SET_OP_CREATE       0x00000001      /* Create a new (empty) set */
+struct ip_set_req_create {
+       IP_SET_REQ_STD;
+       char typename[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_OP_DESTROY      0x00000002      /* Remove a (empty) set */
+struct ip_set_req_std {
+       IP_SET_REQ_STD;
+};
+
+#define IP_SET_OP_FLUSH                0x00000003      /* Remove all IPs in a set */
+/* Uses ip_set_req_std */
+
+#define IP_SET_OP_RENAME       0x00000004      /* Rename a set */
+/* Uses ip_set_req_create */
+
+#define IP_SET_OP_SWAP         0x00000005      /* Swap two sets */
+/* Uses ip_set_req_create */
+
+union ip_set_name_index {
+       char name[IP_SET_MAXNAMELEN];
+       ip_set_id_t index;
+};
+
+#define IP_SET_OP_GET_BYNAME   0x00000006      /* Get set index by name */
+struct ip_set_req_get_set {
+       unsigned op;
+       unsigned version;
+       union ip_set_name_index set;
+};
+
+#define IP_SET_OP_GET_BYINDEX  0x00000007      /* Get set name by index */
+/* Uses ip_set_req_get_set */
+
+#define IP_SET_OP_VERSION      0x00000100      /* Ask kernel version */
+struct ip_set_req_version {
+       unsigned op;
+       unsigned version;
+};
+
+/* Double shots operations: 
+ * add, del, test, bind and unbind.
+ *
+ * First we query the kernel to get the index and type of the target set,
+ * then issue the command. Validity of IP is checked in kernel in order
+ * to minimalize sockopt operations.
+ */
+
+/* Get minimal set data for add/del/test/bind/unbind IP */
+#define IP_SET_OP_ADT_GET      0x00000010      /* Get set and type */
+struct ip_set_req_adt_get {
+       unsigned op;
+       unsigned version;
+       union ip_set_name_index set;
+       char typename[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_REQ_BYINDEX     \
+       unsigned op;            \
+       ip_set_id_t index;
+
+struct ip_set_req_adt {
+       IP_SET_REQ_BYINDEX;
+};
+
+#define IP_SET_OP_ADD_IP       0x00000101      /* Add an IP to a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_DEL_IP       0x00000102      /* Remove an IP from a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_TEST_IP      0x00000103      /* Test an IP in a set */
+/* Uses ip_set_req_adt, with type specific addage */
+
+#define IP_SET_OP_BIND_SET     0x00000104      /* Bind an IP to a set */
+/* Uses ip_set_req_bind, with type specific addage */
+struct ip_set_req_bind {
+       IP_SET_REQ_BYINDEX;
+       char binding[IP_SET_MAXNAMELEN];
+};
+
+#define IP_SET_OP_UNBIND_SET   0x00000105      /* Unbind an IP from a set */
+/* Uses ip_set_req_bind, with type speficic addage 
+ * index = 0 means unbinding for all sets */
+
+#define IP_SET_OP_TEST_BIND_SET        0x00000106      /* Test binding an IP to a set */
+/* Uses ip_set_req_bind, with type specific addage */
+
+/* Multiple shots operations: list, save, restore.
+ *
+ * - check kernel version and query the max number of sets
+ * - get the basic information on all sets
+ *   and size required for the next step
+ * - get actual set data: header, data, bindings
+ */
+
+/* Get max_sets and the index of a queried set
+ */
+#define IP_SET_OP_MAX_SETS     0x00000020
+struct ip_set_req_max_sets {
+       unsigned op;
+       unsigned version;
+       ip_set_id_t max_sets;           /* max_sets */
+       ip_set_id_t sets;               /* real number of sets */
+       union ip_set_name_index set;    /* index of set if name used */
+};
+
+/* Get the id and name of the sets plus size for next step */
+#define IP_SET_OP_LIST_SIZE    0x00000201
+#define IP_SET_OP_SAVE_SIZE    0x00000202
+struct ip_set_req_setnames {
+       unsigned op;
+       ip_set_id_t index;              /* set to list/save */
+       u_int32_t size;                 /* size to get setdata */
+       /* followed by sets number of struct ip_set_name_list */
+};
+
+struct ip_set_name_list {
+       char name[IP_SET_MAXNAMELEN];
+       char typename[IP_SET_MAXNAMELEN];
+       ip_set_id_t index;
+       ip_set_id_t id;
+};
+
+/* The actual list operation */
+#define IP_SET_OP_LIST         0x00000203
+struct ip_set_req_list {
+       IP_SET_REQ_BYINDEX;
+       /* sets number of struct ip_set_list in reply */ 
+};
+
+struct ip_set_list {
+       ip_set_id_t index;
+       ip_set_id_t binding;
+       u_int32_t ref;
+       u_int32_t header_size;  /* Set header data of header_size */
+       u_int32_t members_size; /* Set members data of members_size */
+       u_int32_t bindings_size;/* Set bindings data of bindings_size */
+};
+
+struct ip_set_hash_list {
+       ip_set_ip_t ip;
+       ip_set_id_t binding;
+};
+
+/* The save operation */
+#define IP_SET_OP_SAVE         0x00000204
+/* Uses ip_set_req_list, in the reply replaced by
+ * sets number of struct ip_set_save plus a marker
+ * ip_set_save followed by ip_set_hash_save structures.
+ */
+struct ip_set_save {
+       ip_set_id_t index;
+       ip_set_id_t binding;
+       u_int32_t header_size;  /* Set header data of header_size */
+       u_int32_t members_size; /* Set members data of members_size */
+};
+
+/* At restoring, ip == 0 means default binding for the given set: */
+struct ip_set_hash_save {
+       ip_set_ip_t ip;
+       ip_set_id_t id;
+       ip_set_id_t binding;
+};
+
+/* The restore operation */
+#define IP_SET_OP_RESTORE      0x00000205
+/* Uses ip_set_req_setnames followed by ip_set_restore structures
+ * plus a marker ip_set_restore, followed by ip_set_hash_save 
+ * structures.
+ */
+struct ip_set_restore {
+       char name[IP_SET_MAXNAMELEN];
+       char typename[IP_SET_MAXNAMELEN];
+       ip_set_id_t index;
+       u_int32_t header_size;  /* Create data of header_size */
+       u_int32_t members_size; /* Set members data of members_size */
+};
+
+static inline int bitmap_bytes(ip_set_ip_t a, ip_set_ip_t b)
+{
+       return 4 * ((((b - a + 8) / 8) + 3) / 4);
+}
+
+/* General limit for the elements in a set */
+#define MAX_RANGE 0x0000FFFF
+
+/* Alignment: 'unsigned long' unsupported */
+#define IPSET_ALIGNTO          4
+#define        IPSET_ALIGN(len) (((len) + IPSET_ALIGNTO - 1) & ~(IPSET_ALIGNTO - 1))
+#define IPSET_VALIGN(len, old) ((old) ? (len) : IPSET_ALIGN(len))
+
+#ifdef __KERNEL__
+#include "ip_set_compat.h"
+#include "ip_set_malloc.h"
+
+#define ip_set_printk(format, args...)                         \
+       do {                                                    \
+               printk("%s: %s: ", __FILE__, __FUNCTION__);     \
+               printk(format "\n" , ## args);                  \
+       } while (0)
+
+#if defined(IP_SET_DEBUG)
+#define DP(format, args...)                                    \
+       do {                                                    \
+               printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
+               printk(format "\n" , ## args);                  \
+       } while (0)
+#define IP_SET_ASSERT(x)                                       \
+       do {                                                    \
+               if (!(x))                                       \
+                       printk("IP_SET_ASSERT: %s:%i(%s)\n",    \
+                               __FILE__, __LINE__, __FUNCTION__); \
+       } while (0)
+#else
+#define DP(format, args...)
+#define IP_SET_ASSERT(x)
+#endif
+
+struct ip_set;
+
+/*
+ * The ip_set_type definition - one per set type, e.g. "ipmap".
+ *
+ * Each individual set has a pointer, set->type, going to one
+ * of these structures. Function pointers inside the structure implement
+ * the real behaviour of the sets.
+ *
+ * If not mentioned differently, the implementation behind the function
+ * pointers of a set_type, is expected to return 0 if ok, and a negative
+ * errno (e.g. -EINVAL) on error.
+ */
+struct ip_set_type {
+       struct list_head list;  /* next in list of set types */
+
+       /* test for IP in set (kernel: iptables -m set src|dst)
+        * return 0 if not in set, 1 if in set.
+        */
+       int (*testip_kernel) (struct ip_set *set,
+                             const struct sk_buff * skb, 
+                             const u_int32_t *flags);
+
+       /* test for IP in set (userspace: ipset -T set IP)
+        * return 0 if not in set, 1 if in set.
+        */
+       int (*testip) (struct ip_set *set,
+                      const void *data, u_int32_t size);
+
+       /*
+        * Size of the data structure passed by when
+        * adding/deletin/testing an entry.
+        */
+       u_int32_t reqsize;
+
+       /* Add IP into set (userspace: ipset -A set IP)
+        * Return -EEXIST if the address is already in the set,
+        * and -ERANGE if the address lies outside the set bounds.
+        * If the address was not already in the set, 0 is returned.
+        */
+       int (*addip) (struct ip_set *set, 
+                     const void *data, u_int32_t size);
+
+       /* Add IP into set (kernel: iptables ... -j SET set src|dst)
+        * Return -EEXIST if the address is already in the set,
+        * and -ERANGE if the address lies outside the set bounds.
+        * If the address was not already in the set, 0 is returned.
+        */
+       int (*addip_kernel) (struct ip_set *set,
+                            const struct sk_buff * skb,
+                            const u_int32_t *flags);
+
+       /* remove IP from set (userspace: ipset -D set --entry x)
+        * Return -EEXIST if the address is NOT in the set,
+        * and -ERANGE if the address lies outside the set bounds.
+        * If the address really was in the set, 0 is returned.
+        */
+       int (*delip) (struct ip_set *set, 
+                     const void *data, u_int32_t size);
+
+       /* remove IP from set (kernel: iptables ... -j SET --entry x)
+        * Return -EEXIST if the address is NOT in the set,
+        * and -ERANGE if the address lies outside the set bounds.
+        * If the address really was in the set, 0 is returned.
+        */
+       int (*delip_kernel) (struct ip_set *set,
+                            const struct sk_buff * skb,
+                            const u_int32_t *flags);
+
+       /* new set creation - allocated type specific items
+        */
+       int (*create) (struct ip_set *set,
+                      const void *data, u_int32_t size);
+
+       /* retry the operation after successfully tweaking the set
+        */
+       int (*retry) (struct ip_set *set);
+
+       /* set destruction - free type specific items
+        * There is no return value.
+        * Can be called only when child sets are destroyed.
+        */
+       void (*destroy) (struct ip_set *set);
+
+       /* set flushing - reset all bits in the set, or something similar.
+        * There is no return value.
+        */
+       void (*flush) (struct ip_set *set);
+
+       /* Listing: size needed for header
+        */
+       u_int32_t header_size;
+
+       /* Listing: Get the header
+        *
+        * Fill in the information in "data".
+        * This function is always run after list_header_size() under a 
+        * writelock on the set. Therefor is the length of "data" always 
+        * correct. 
+        */
+       void (*list_header) (const struct ip_set *set, 
+                            void *data);
+
+       /* Listing: Get the size for the set members
+        */
+       int (*list_members_size) (const struct ip_set *set, char dont_align);
+
+       /* Listing: Get the set members
+        *
+        * Fill in the information in "data".
+        * This function is always run after list_member_size() under a 
+        * writelock on the set. Therefor is the length of "data" always 
+        * correct. 
+        */
+       void (*list_members) (const struct ip_set *set,
+                             void *data, char dont_align);
+
+       char typename[IP_SET_MAXNAMELEN];
+       unsigned char features;
+       int protocol_version;
+
+       /* Set this to THIS_MODULE if you are a module, otherwise NULL */
+       struct module *me;
+};
+
+extern int ip_set_register_set_type(struct ip_set_type *set_type);
+extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
+
+/* A generic ipset */
+struct ip_set {
+       char name[IP_SET_MAXNAMELEN];   /* the name of the set */
+       rwlock_t lock;                  /* lock for concurrency control */
+       ip_set_id_t id;                 /* set id for swapping */
+       atomic_t ref;                   /* in kernel and in hash references */
+       struct ip_set_type *type;       /* the set types */
+       void *data;                     /* pooltype specific data */
+};
+
+/* register and unregister set references */
+extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
+extern ip_set_id_t ip_set_get_byindex(ip_set_id_t index);
+extern void ip_set_put_byindex(ip_set_id_t index);
+extern ip_set_id_t ip_set_id(ip_set_id_t index);
+extern ip_set_id_t __ip_set_get_byname(const char name[IP_SET_MAXNAMELEN],
+                                      struct ip_set **set);
+extern void __ip_set_put_byindex(ip_set_id_t index);
+
+/* API for iptables set match, and SET target */
+extern int ip_set_addip_kernel(ip_set_id_t id,
+                              const struct sk_buff *skb,
+                              const u_int32_t *flags);
+extern int ip_set_delip_kernel(ip_set_id_t id,
+                              const struct sk_buff *skb,
+                              const u_int32_t *flags);
+extern int ip_set_testip_kernel(ip_set_id_t id,
+                               const struct sk_buff *skb,
+                               const u_int32_t *flags);
+
+/* Macros to generate functions */
+
+#define STRUCT(pre, type)      CONCAT2(pre, type)
+#define CONCAT2(pre, type)     struct pre##type
+
+#define FNAME(pre, mid, post)  CONCAT3(pre, mid, post)
+#define CONCAT3(pre, mid, post)        pre##mid##post
+
+#define UADT0(type, adt, args...)                                      \
+static int                                                             \
+FNAME(type,_u,adt)(struct ip_set *set, const void *data, u_int32_t size)\
+{                                                                      \
+       const STRUCT(ip_set_req_,type) *req = data;                     \
+                                                                       \
+       return FNAME(type,_,adt)(set , ## args);                        \
+}
+
+#define UADT(type, adt, args...)                                       \
+       UADT0(type, adt, req->ip , ## args)
+
+#define KADT(type, adt, getfn, args...)                                        \
+static int                                                             \
+FNAME(type,_k,adt)(struct ip_set *set,                                 \
+            const struct sk_buff *skb,                                 \
+            const u_int32_t *flags)                                    \
+{                                                                      \
+       ip_set_ip_t ip = getfn(skb, flags);                             \
+                                                                       \
+       KADT_CONDITION                                                  \
+       return FNAME(type,_,adt)(set, ip , ##args);                     \
+}
+
+#define REGISTER_MODULE(type)                                          \
+static int __init ip_set_##type##_init(void)                           \
+{                                                                      \
+       init_max_page_size();                                           \
+       return ip_set_register_set_type(&ip_set_##type);                \
+}                                                                      \
+                                                                       \
+static void __exit ip_set_##type##_fini(void)                          \
+{                                                                      \
+       /* FIXME: possible race with ip_set_create() */                 \
+       ip_set_unregister_set_type(&ip_set_##type);                     \
+}                                                                      \
+                                                                       \
+module_init(ip_set_##type##_init);                                     \
+module_exit(ip_set_##type##_fini);
+
+/* Common functions */
+
+static inline ip_set_ip_t
+ipaddr(const struct sk_buff *skb, const u_int32_t *flags)
+{
+       return ntohl(flags[0] & IPSET_SRC ? ip_hdr(skb)->saddr : ip_hdr(skb)->daddr);
+}
+
+#define jhash_ip(map, i, ip)   jhash_1word(ip, *(map->initval + i))
+
+#define pack_ip_port(map, ip, port) \
+       (port + ((ip - ((map)->first_ip)) << 16))
+
+#endif                         /* __KERNEL__ */
+
+#define UNUSED __attribute__ ((unused))
+
+#endif /*_IP_SET_H*/
diff --git a/src/ipset/ip_set_bitmaps.h b/src/ipset/ip_set_bitmaps.h
new file mode 100644 (file)
index 0000000..da3493f
--- /dev/null
@@ -0,0 +1,120 @@
+#ifndef __IP_SET_BITMAPS_H
+#define __IP_SET_BITMAPS_H
+
+/* Macros to generate functions */
+
+#ifdef __KERNEL__
+#define BITMAP_CREATE(type)                                            \
+static int                                                             \
+type##_create(struct ip_set *set, const void *data, u_int32_t size)    \
+{                                                                      \
+       int newbytes;                                                   \
+       const struct ip_set_req_##type##_create *req = data;            \
+       struct ip_set_##type *map;                                      \
+                                                                       \
+       if (req->from > req->to) {                                      \
+               DP("bad range");                                        \
+               return -ENOEXEC;                                        \
+       }                                                               \
+                                                                       \
+       map = kmalloc(sizeof(struct ip_set_##type), GFP_KERNEL);        \
+       if (!map) {                                                     \
+               DP("out of memory for %zu bytes",                       \
+                  sizeof(struct ip_set_##type));                       \
+               return -ENOMEM;                                         \
+       }                                                               \
+       map->first_ip = req->from;                                      \
+       map->last_ip = req->to;                                         \
+                                                                       \
+       newbytes = __##type##_create(req, map);                         \
+       if (newbytes < 0) {                                             \
+               kfree(map);                                             \
+               return newbytes;                                        \
+       }                                                               \
+                                                                       \
+       map->size = newbytes;                                           \
+       map->members = ip_set_malloc(newbytes);                         \
+       if (!map->members) {                                            \
+               DP("out of memory for %i bytes", newbytes);             \
+               kfree(map);                                             \
+               return -ENOMEM;                                         \
+       }                                                               \
+       memset(map->members, 0, newbytes);                              \
+                                                                       \
+       set->data = map;                                                \
+       return 0;                                                       \
+}
+
+#define BITMAP_DESTROY(type)                                           \
+static void                                                            \
+type##_destroy(struct ip_set *set)                                     \
+{                                                                      \
+       struct ip_set_##type *map = set->data;                          \
+                                                                       \
+       ip_set_free(map->members, map->size);                           \
+       kfree(map);                                                     \
+                                                                       \
+       set->data = NULL;                                               \
+}
+
+#define BITMAP_FLUSH(type)                                             \
+static void                                                            \
+type##_flush(struct ip_set *set)                                       \
+{                                                                      \
+       struct ip_set_##type *map = set->data;                          \
+       memset(map->members, 0, map->size);                             \
+}
+
+#define BITMAP_LIST_HEADER(type)                                       \
+static void                                                            \
+type##_list_header(const struct ip_set *set, void *data)               \
+{                                                                      \
+       const struct ip_set_##type *map = set->data;                    \
+       struct ip_set_req_##type##_create *header = data;               \
+                                                                       \
+       header->from = map->first_ip;                                   \
+       header->to = map->last_ip;                                      \
+       __##type##_list_header(map, header);                            \
+}
+
+#define BITMAP_LIST_MEMBERS_SIZE(type, dtype, sizeid, testfn)          \
+static int                                                             \
+type##_list_members_size(const struct ip_set *set, char dont_align)    \
+{                                                                      \
+       const struct ip_set_##type *map = set->data;                    \
+       ip_set_ip_t i, elements = 0;                                    \
+                                                                       \
+       if (dont_align)                                                 \
+               return map->size;                                       \
+                                                                       \
+       for (i = 0; i < sizeid; i++)                                    \
+               if (testfn)                                             \
+                       elements++;                                     \
+                                                                       \
+       return elements * IPSET_ALIGN(sizeof(dtype));                   \
+}
+
+#define IP_SET_TYPE(type, __features)                                  \
+struct ip_set_type ip_set_##type = {                                   \
+       .typename               = #type,                                \
+       .features               = __features,                           \
+       .protocol_version       = IP_SET_PROTOCOL_VERSION,              \
+       .create                 = &type##_create,                       \
+       .destroy                = &type##_destroy,                      \
+       .flush                  = &type##_flush,                        \
+       .reqsize                = sizeof(struct ip_set_req_##type),     \
+       .addip                  = &type##_uadd,                         \
+       .addip_kernel           = &type##_kadd,                         \
+       .delip                  = &type##_udel,                         \
+       .delip_kernel           = &type##_kdel,                         \
+       .testip                 = &type##_utest,                        \
+       .testip_kernel          = &type##_ktest,                        \
+       .header_size            = sizeof(struct ip_set_req_##type##_create),\
+       .list_header            = &type##_list_header,                  \
+       .list_members_size      = &type##_list_members_size,            \
+       .list_members           = &type##_list_members,                 \
+       .me                     = THIS_MODULE,                          \
+};
+#endif /* __KERNEL */
+
+#endif /* __IP_SET_BITMAPS_H */
diff --git a/src/ipset/ip_set_rahunas.h b/src/ipset/ip_set_rahunas.h
new file mode 100644 (file)
index 0000000..8c6dcda
--- /dev/null
@@ -0,0 +1,48 @@
+#ifndef __IP_SET_RAHUNAS_H
+#define __IP_SET_RAHUNAS_H
+
+#include "ip_set.h"
+#include "ip_set_bitmaps.h"
+
+#ifdef __KERNEL__
+#  include <linux/time.h>
+#else
+#  include <time.h>
+#endif
+
+#define SETTYPE_NAME "rahunas"
+
+/* general flags */
+#define IPSET_RAHUNAS_MATCHUNSET       1
+#define IPSET_RAHUNAS_IGNOREMAC   2
+
+/* per ip flags */
+#define IPSET_RAHUNAS_ISSET    1
+
+struct ip_set_rahunas {
+       void *members;                  /* the rahunas proper */
+       ip_set_ip_t first_ip;           /* host byte order, included in range */
+       ip_set_ip_t last_ip;            /* host byte order, included in range */
+       u_int32_t flags;
+  u_int32_t size;
+};
+
+struct ip_set_req_rahunas_create {
+       ip_set_ip_t from;
+       ip_set_ip_t to;
+       u_int32_t flags;
+};
+
+struct ip_set_req_rahunas {
+       ip_set_ip_t ip;
+       unsigned char ethernet[ETH_ALEN];
+       time_t timestamp;
+};
+
+struct ip_set_rahu {
+       unsigned short match;
+       unsigned char ethernet[ETH_ALEN];
+       time_t timestamp;
+};
+
+#endif /* __IP_SET_RAHUNAS_H */
index a648f39..649fc4d 100644 (file)
@@ -66,7 +66,7 @@ size_t expired_check(void *data)
   struct processing_set *process = (struct processing_set *) data;
   struct ip_set_list *setlist = (struct ip_set_list *) process->list;
   size_t offset;
-  struct ip_set_rahunas *table = NULL;
+  struct ip_set_rahu *table = NULL;
   struct task_req req;
   unsigned int id;
   char *ip = NULL;
@@ -81,7 +81,7 @@ size_t expired_check(void *data)
     return (-1); 
 
   offset = sizeof(struct ip_set_list) + setlist->header_size;
-  table = (struct ip_set_rahunas *)(process->list + offset);
+  table = (struct ip_set_rahu *)(process->list + offset);
 
   while (runner != NULL) {
     member = (struct rahunas_member *)runner->data;
index 05abe5e..4177ffe 100644 (file)
@@ -9,8 +9,8 @@
 
 #include "rahunasd.h"
 #include <linux/if_ether.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ip_set_rahunas.h>
+#include <ipset/ip_set.h>
+#include <ipset/ip_set_rahunas.h>
 
 #define GETSOCK_TRIES 5
 #define LIST_TRIES 5
index 0a977f2..0da9165 100644 (file)
@@ -17,7 +17,7 @@ size_t set_cleanup(void *data)
   struct processing_set *process = (struct processing_set *) data;
   struct ip_set_list *setlist = (struct ip_set_list *) process->list;
   size_t offset;
-  struct ip_set_rahunas *table = NULL;
+  struct ip_set_rahu *table = NULL;
   struct task_req req;
   unsigned int id;
   char *ip = NULL;