static bool set_match_v1(const struct sk_buff *skb, struct xt_action_param *par) { const struct xt_set_info_match_v1 *info = par->matchinfo; ADT_OPT(opt, par->family, info->match_set.dim, info->match_set.flags, 0, UINT_MAX); if (opt.flags & IPSET_RETURN_NOMATCH) opt.cmdflags |= IPSET_FLAG_RETURN_NOMATCH; return match_set(info->match_set.index, skb, par, &opt, info->match_set.flags & IPSET_INV_MATCH); }
/* Kernel module to match an IP set. */ #include <linux/module.h> #include <linux/ip.h> #include <linux/skbuff.h> #include <linux/version.h> #include <linux/netfilter/x_tables.h> #include <linux/netfilter_ipv4/ip_set.h> #include <linux/netfilter_ipv4/ipt_set.h> static inline int match_set(const struct ipt_set_info *info, const struct sk_buff *skb, int inv) { if (ip_set_testip_kernel(info->index, skb, info->flags)) inv = !inv; return inv; } #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28) static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop) #else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,28) */ static bool match(const struct sk_buff *skb, const struct xt_match_param *par) #endif { #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,28) const struct ipt_set_info_match *info = matchinfo; #else const struct ipt_set_info_match *info = par->matchinfo; #endif return match_set(&info->match_set, skb, info->match_set.flags[0] & IPSET_MATCH_INV); }
/* Kernel module to match an IP set. */ #include <linux/module.h> #include <linux/ip.h> #include <linux/skbuff.h> #include <linux/version.h> #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16) #include <linux/netfilter_ipv4/ip_tables.h> #define xt_register_match ipt_register_match #define xt_unregister_match ipt_unregister_match #define xt_match ipt_match #else #include <linux/netfilter/x_tables.h> #endif #include <linux/netfilter_ipv4/ip_set.h> #include <linux/netfilter_ipv4/ipt_set.h> #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) #ifndef IPT_ALIGN #define IPT_ALIGN XT_ALIGN #endif #endif static inline int match_set(const struct ipt_set_info *info, const struct sk_buff *skb, int inv) { if (ip_set_testip_kernel(info->index, skb, info->flags)) inv = !inv; return inv; } #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, const void *hdr, u_int16_t datalen, int *hotdrop) #elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16) static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, int *hotdrop) #elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,17) static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const void *matchinfo, int offset, unsigned int protoff, int *hotdrop) #elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,23) static int match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, int offset, unsigned int protoff, int *hotdrop) #else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23) */ static bool match(const struct sk_buff *skb, const struct net_device *in, const struct net_device *out, const struct xt_match *match, const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop) #endif { const struct ipt_set_info_match *info = matchinfo; return match_set(&info->match_set, skb, info->match_set.flags[0] & IPSET_MATCH_INV); }
static unsigned int set_target_v3(struct sk_buff *skb, const struct xt_action_param *par) { const struct xt_set_info_target_v3 *info = par->targinfo; ADT_OPT(add_opt, par->family, info->add_set.dim, info->add_set.flags, info->flags, info->timeout); ADT_OPT(del_opt, par->family, info->del_set.dim, info->del_set.flags, 0, UINT_MAX); ADT_OPT(map_opt, par->family, info->map_set.dim, info->map_set.flags, 0, UINT_MAX); int ret; /* Normalize to fit into jiffies */ if (add_opt.ext.timeout != IPSET_NO_TIMEOUT && add_opt.ext.timeout > UINT_MAX / MSEC_PER_SEC) add_opt.ext.timeout = UINT_MAX / MSEC_PER_SEC; if (info->add_set.index != IPSET_INVALID_ID) ip_set_add(info->add_set.index, skb, CAST_TO_MATCH par, &add_opt); if (info->del_set.index != IPSET_INVALID_ID) ip_set_del(info->del_set.index, skb, CAST_TO_MATCH par, &del_opt); if (info->map_set.index != IPSET_INVALID_ID) { map_opt.cmdflags |= info->flags & (IPSET_FLAG_MAP_SKBMARK | IPSET_FLAG_MAP_SKBPRIO | IPSET_FLAG_MAP_SKBQUEUE); ret = match_set(info->map_set.index, skb, CAST_TO_MATCH par, &map_opt, info->map_set.flags & IPSET_INV_MATCH); if (!ret) return XT_CONTINUE; if (map_opt.cmdflags & IPSET_FLAG_MAP_SKBMARK) skb->mark = (skb->mark & ~MOPT(map_opt,skbmarkmask)) ^ MOPT(map_opt, skbmark); if (map_opt.cmdflags & IPSET_FLAG_MAP_SKBPRIO) skb->priority = MOPT(map_opt, skbprio); if ((map_opt.cmdflags & IPSET_FLAG_MAP_SKBQUEUE) && skb->dev && skb->dev->real_num_tx_queues > MOPT(map_opt, skbqueue)) skb_set_queue_mapping(skb, MOPT(map_opt, skbqueue)); } return XT_CONTINUE; }
static bool set_match_v4(const struct sk_buff *skb, struct xt_action_param *par) { const struct xt_set_info_match_v4 *info = par->matchinfo; ADT_OPT(opt, par->family, info->match_set.dim, info->match_set.flags, info->flags, UINT_MAX); int ret; if (info->packets.op != IPSET_COUNTER_NONE || info->bytes.op != IPSET_COUNTER_NONE) opt.cmdflags |= IPSET_FLAG_MATCH_COUNTERS; ret = match_set(info->match_set.index, skb, par, &opt, info->match_set.flags & IPSET_INV_MATCH); if (!(ret && opt.cmdflags & IPSET_FLAG_MATCH_COUNTERS)) return ret; if (!match_counter(opt.ext.packets, &info->packets)) return false; return match_counter(opt.ext.bytes, &info->bytes); }
static int bar(const char *re, int re_len, const char *s, int s_len, struct regex_info *info, int bi) { /* i is offset in re, j is offset in s, bi is brackets index */ int i, j, n, step; for (i = j = 0; i < re_len && j <= s_len; i += step) { /* Handle quantifiers. Get the length of the chunk. */ step = re[i] == '(' ? info->brackets[bi + 1].len + 2 : get_op_len(re + i, re_len - i); DBG(("%s [%.*s] [%.*s] re_len=%d step=%d i=%d j=%d\n", __func__, re_len - i, re + i, s_len - j, s + j, re_len, step, i, j)); FAIL_IF(is_quantifier(&re[i]), SLRE_UNEXPECTED_QUANTIFIER); FAIL_IF(step <= 0, SLRE_INVALID_CHARACTER_SET); if (i + step < re_len && is_quantifier(re + i + step)) { DBG(("QUANTIFIER: [%.*s]%c [%.*s]\n", step, re + i, re[i + step], s_len - j, s + j)); if (re[i + step] == '?') { int result = bar(re + i, step, s + j, s_len - j, info, bi); j += result > 0 ? result : 0; i++; } else if (re[i + step] == '+' || re[i + step] == '*') { int j2 = j, nj = j, n1, n2 = -1, ni, non_greedy = 0; /* Points to the regexp code after the quantifier */ ni = i + step + 1; if (ni < re_len && re[ni] == '?') { non_greedy = 1; ni++; } do { if ((n1 = bar(re + i, step, s + j2, s_len - j2, info, bi)) > 0) { j2 += n1; } if (re[i + step] == '+' && n1 < 0) break; if (ni >= re_len) { /* After quantifier, there is nothing */ nj = j2; } else if ((n2 = bar(re + ni, re_len - ni, s + j2, s_len - j2, info, bi)) >= 0) { /* Regex after quantifier matched */ nj = j2 + n2; } if (nj > j && non_greedy) break; } while (n1 > 0); if (n1 < 0 && re[i + step] == '*' && (n2 = bar(re + ni, re_len - ni, s + j, s_len - j, info, bi)) > 0) { nj = j + n2; } DBG(("STAR/PLUS END: %d %d %d %d %d\n", j, nj, re_len - ni, n1, n2)); FAIL_IF(re[i + step] == '+' && nj == j, SLRE_NO_MATCH); /* If while loop body above was not executed for the * quantifier, */ /* make sure the rest of the regex matches */ FAIL_IF(nj == j && ni < re_len && n2 < 0, SLRE_NO_MATCH); /* Returning here cause we've matched the rest of RE already */ return nj; } continue; } if (re[i] == '[') { n = match_set(re + i + 1, re_len - (i + 2), s + j, info); DBG(("SET %.*s [%.*s] -> %d\n", step, re + i, s_len - j, s + j, n)); FAIL_IF(n <= 0, SLRE_NO_MATCH); j += n; } else if (re[i] == '(') { n = SLRE_NO_MATCH; bi++; FAIL_IF(bi >= info->num_brackets, SLRE_INTERNAL_ERROR); DBG(("CAPTURING [%.*s] [%.*s] [%s]\n", step, re + i, s_len - j, s + j, re + i + step)); if (re_len - (i + step) <= 0) { /* Nothing follows brackets */ n = doh(s + j, s_len - j, info, bi); } else { int j2; for (j2 = 0; j2 <= s_len - j; j2++) { if ((n = doh(s + j, s_len - (j + j2), info, bi)) >= 0 && bar(re + i + step, re_len - (i + step), s + j + n, s_len - (j + n), info, bi) >= 0) break; } } DBG(("CAPTURED [%.*s] [%.*s]:%d\n", step, re + i, s_len - j, s + j, n)); FAIL_IF(n < 0, n); if (info->caps != NULL) { info->caps[bi - 1].ptr = s + j; info->caps[bi - 1].len = n; } j += n; } else if (re[i] == '^') { FAIL_IF(j != 0, SLRE_NO_MATCH); } else if (re[i] == '$') { FAIL_IF(j != s_len, SLRE_NO_MATCH); } else { FAIL_IF(j >= s_len, SLRE_NO_MATCH); n = match_op((unsigned char *) (re + i), (unsigned char *) (s + j), info); FAIL_IF(n <= 0, n); j += n; } } return j; }
static int bar(const char *re, int re_len, const char *s, int s_len, struct slre_cap *caps, struct regex_info *info, int bi) { /* i is offset in re, j is offset in s, bi is brackets index */ int i, j, n, step; DBG(("%s [%.*s] [%.*s]\n", __func__, re_len, re, s_len, s)); for (i = j = 0; i < re_len && j < s_len; i += step) { /* Handle quantifiers. Get the length of the chunk. */ step = re[i] == '(' ? info->brackets[bi + 1].len + 2 : get_op_len(re + i, re_len - i); DBG(("%s [%.*s] [%.*s] re_len=%d step=%d i=%d j=%d\n", __func__, re_len - i, re + i, s_len - j, s + j, re_len, step, i, j)); FAIL_IF(is_quantifier(&re[i]), static_error_unexpected_quantifier); FAIL_IF(step <= 0, static_error_invalid_set); if (i + step < re_len && is_quantifier(re + i + step)) { DBG(("QUANTIFIER: [%.*s] %c\n", step, re + i, re[i + step])); if (re[i + step] == '?') { j += bar(re + i, step, s + j, s_len - j, caps, info, bi); i++; continue; } else if (re[i + step] == '+' || re[i + step] == '*') { int j2 = j, nj = 0, n1, n2, ni, non_greedy = 0; /* Points to the regexp code after the quantifier */ ni = i + step + 1; if (ni < re_len && re[ni] == '?') { non_greedy = 1; ni++; } while ((n1 = bar(re + i, step, s + j2, s_len - j2, caps, info, bi)) > 0) { if (ni >= re_len) { /* After quantifier, there is nothing */ nj = j2 + n1; } else if ((n2 = bar(re + ni, re_len - ni, s + j2 + n1, s_len - (j2 + n1), caps, info, bi)) > 0) { nj = j2 + n1 + n2; } if (nj > 0 && non_greedy) break; j2 += n1; } FAIL_IF(re[i + step] == '+' && nj == 0, static_error_no_match); return nj; } } if (re[i] == '[') { n = match_set(re + i + 1, re_len - (i + 2), s + j, info); DBG(("SET %.*s [%.*s] -> %d\n", step, re + i, s_len - j, s + j, n)); FAIL_IF(n <= 0, static_error_no_match); j += n; } else if (re[i] == '(') { bi++; FAIL_IF(bi >= info->num_brackets, static_error_internal); DBG(("CAPTURING [%.*s] [%.*s]\n", step, re + i, s_len - j, s + j)); n = doh(s + j, s_len - j, caps, info, bi); DBG(("CAPTURED [%.*s] [%.*s]:%d\n", step, re + i, s_len - j, s + j, n)); FAIL_IF(n <= 0, info->error_msg); if (caps != NULL) { caps[bi - 1].ptr = s + j; caps[bi - 1].len = n; } j += n; } else if (re[i] == '^') { FAIL_IF(j != 0, static_error_no_match); } else { n = match_op((unsigned char *) (re + i), (unsigned char *) (s + j), info); FAIL_IF(n <= 0, info->error_msg); j += n; } } /* * Process $ anchor here. If we've reached the end of the string, * but did not exhaust regexp yet, this is no match. */ FAIL_IF(i < re_len && !(re[i] == '$' && i + 1 == re_len), static_error_no_match); return j; }