Indexes are exported through getsockopt calls (IP_SET_OP_GET_BYNAME) and are mandatory for external subsystem using ipset:
* ipset module of tc-ematch (configured by netlink, but using getsockopt before to get index)
* SET netfilter module
The goal of this patch is to allow one user to use only netlink to get ipset indexes. However, since `ipset` userspace command does not accept new/unknow nla (structure didn't change since years), a new flag is introduced to ask for more data. Currently it adds only indexes, but application setting the flag should be ready to accept new nla in future.
Signed-off-by: Florent Fourcot <florent.fourcot@xxxxxxxxxx>
Signed-off-by: Victorien Molle <victorien.molle@xxxxxxxxxx>
---
 include/uapi/linux/netfilter/ipset/ip_set.h | 4 ++++
 net/netfilter/ipset/ip_set_core.c | 18 +++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h
index 60236f694143..8ef2560ff69e 100644
--- a/include/uapi/linux/netfilter/ipset/ip_set.h
+++ b/include/uapi/linux/netfilter/ipset/ip_set.h
@@ -66,6 +66,8 @@ enum {
 IPSET_ATTR_LINENO, /* 9: Restore lineno */
 IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
 IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
+ /* attributes not sent by default (see IPSET_FLAG_EXTRA_DATA) */
+ IPSET_ATTR_INDEX, /* 11: Index of the set */
 __IPSET_ATTR_CMD_MAX,
 };
 #define IPSET_ATTR_CMD_MAX (__IPSET_ATTR_CMD_MAX - 1)
@@ -182,6 +184,8 @@ enum ipset_cmd_flags {
 IPSET_FLAG_MAP_SKBPRIO = (1 << IPSET_FLAG_BIT_MAP_SKBPRIO),
 IPSET_FLAG_BIT_MAP_SKBQUEUE = 10,
 IPSET_FLAG_MAP_SKBQUEUE = (1 << IPSET_FLAG_BIT_MAP_SKBQUEUE),
+ IPSET_FLAG_BIT_EXTRA_DATA = 11,
+ IPSET_FLAG_EXTRA_DATA = (1 << IPSET_FLAG_BIT_EXTRA_DATA),
 IPSET_FLAG_CMD_MAX = 15,
 };
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index bc4bd247bb7d..370b79368ddb 100644
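Review bot: In the second ip_set.h hunk IPSET_FLAG_EXTRA_DATA is added to enum ipset_cmd_flags without any comment, although it changes the reply format of both LIST and HEADER and the only explanation is the one-liner above IPSET_ATTR_INDEX in the first hunk; since this is a uapi header, a comment on the flag itself is worth adding, e.g. `/* request extra attributes (currently IPSET_ATTR_INDEX) in LIST/HEADER replies; more may be added later */`. The attribute comment in the first hunk could likewise state the wire encoding the core puts, `/* 11: Index of the set (u16) */`, as that is what an application setting the flag has to parse.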
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1409,6 +1409,11 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
 goto release_refcount;
 if (dump_flags & IPSET_FLAG_LIST_HEADER)
 goto next_set;
+ if (dump_flags & IPSET_FLAG_EXTRA_DATA) {
+ if (nla_put_u16(skb, IPSET_ATTR_INDEX,
+ index))
+ goto nla_put_failure;
+ }
 if (set->variant->uref)
 set->variant->uref(set, cb, true);
 /* fall through */
@@ -1695,6 +1700,7 @@ static int ip_set_header(struct net *net, struct sock *ctnl,
 const struct nlattr * const attr[],
 struct netlink_ext_ack *extack)
 {
+ ip_set_id_t index;
 struct ip_set_net *inst = ip_set_pernet(net);
 const struct ip_set *set;
 struct sk_buff *skb2;
@@ -1705,7 +1711,7 @@ static int ip_set_header(struct net *net, struct sock *ctnl,
 !attr[IPSET_ATTR_SETNAME]))
 return -IPSET_ERR_PROTOCOL;
- set = find_set(inst, nla_data(attr[IPSET_ATTR_SETNAME]));
+ set = find_set_and_id(inst, nla_data(attr[IPSET_ATTR_SETNAME]), &index);
 if (!set)
 return -ENOENT;
@@ -1723,6 +1729,16 @@ static int ip_set_header(struct net *net, struct sock *ctnl,
 nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) ||
 nla_put_u8(skb2, IPSET_ATTR_REVISION, set->revision))
 goto nla_put_failure;
+
+ if (attr[IPSET_ATTR_FLAGS]) {
+ u32 flags = ip_set_get_h32(attr[IPSET_ATTR_FLAGS]);
+
+ if (flags & IPSET_FLAG_EXTRA_DATA) {
+ if (nla_put_u16(skb2, IPSET_ATTR_INDEX, index))
+ goto nla_put_failure;
+ }
+ }
+
 nlmsg_end(skb2, nlh2);
 ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid,
 MSG_DONTWAIT);
--
2.11.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
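Review bot: In the ip_set_dump_start hunk the new IPSET_ATTR_INDEX put sits after the `if (dump_flags & IPSET_FLAG_LIST_HEADER) goto next_set;` exit, so a dump requested with both IPSET_FLAG_LIST_HEADER and IPSET_FLAG_EXTRA_DATA never carries the index, while the same flag combination on IPSET_CMD_HEADER (last hunk) does return it. If that asymmetry is not intended, the new block should move above the LIST_HEADER check, and probably above any earlier IPSET_FLAG_LIST_SETNAME exit as well, which is outside the hunk. The enclosing switch case of ip_set_dump_start begins and ends outside the hunk, and the `index` local is not visible here; presumably it is the ip_set_id_t loop index, which would match the u16 put, but that is worth confirming against the declaration.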
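Review bot: The last ip_set_header hunk reads IPSET_ATTR_FLAGS with ip_set_get_h32(), which takes four bytes from the attribute payload, but the IPSET_CMD_HEADER request is parsed with the setname policy (outside the hunk), and unless that policy already declares `[IPSET_ATTR_FLAGS] = { .type = NLA_U32 }` nla_parse accepts a shorter attribute and the read runs past its payload. The LIST path gets this length check from its own dump policy; the HEADER path needs the same policy entry before the flag is honoured, or at least a `nla_len(attr[IPSET_ATTR_FLAGS]) >= sizeof(u32)` guard in front of the ip_set_get_h32() call. A short comment above the new block, `/* IPSET_ATTR_FLAGS is optional on HEADER; only IPSET_FLAG_EXTRA_DATA is honoured */`, would also make the newly optional attribute explicit for the next reader.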