netfilter: ipset: IP set core support
The patch adds the IP set core support to the kernel.
The IP set core implements a netlink (nfnetlink) based protocol by which
one can create, destroy, flush, rename, swap, list, save, restore sets,
and add, delete, test elements from userspace. For simplicity (and backward
compatibility and for not to force ip(6)tables to be linked with a netlink
library) reasons a small getsockopt-based protocol is also kept in order
to communicate with the ip(6)tables match and target.
The netlink protocol passes all u16, etc values in network order with
NLA_F_NET_BYTEORDER flag. The protocol enforces the proper use of the
NLA_F_NESTED and NLA_F_NET_BYTEORDER flags.
For other kernel subsystems (netfilter match and target) the API contains
the functions to add, delete and test elements in sets and the required calls
to get/put references to the sets before those operations can be performed.
The set types (which are implemented in independent modules) are stored
in a simple RCU protected list. A set type may have variants: for example
without timeout or with timeout support, for IPv4 or for IPv6. The sets
(i.e. the pointers to the sets) are stored in an array. The sets are
identified by their index in the array, which makes possible easy and
fast swapping of sets. The array is protected indirectly by the nfnl
mutex from nfnetlink. The content of the sets are protected by the rwlock
of the set.
There are functional differences between the add/del/test functions
for the kernel and userspace:
- kernel add/del/test: works on the current packet (i.e. one element)
- kernel test: may trigger an "add" operation in order to fill
out unspecified parts of the element from the packet (like MAC address)
- userspace add/del: works on the netlink message and thus possibly
on multiple elements from the IPSET_ATTR_ADT container attribute.
- userspace add: may trigger resizing of a set
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2011-02-01 07:28:35 -07:00
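As an added illustration (not code from this patch or from the ipset project), the Python below encodes and parses netlink attributes the way the description above requires: the container attribute is flagged NLA_F_NESTED, every u16 element is sent in network order with NLA_F_NET_BYTEORDER, and the receiver rejects attributes that lack the flags instead of guessing their byte order. ATTR_ADT and ATTR_PORT are constructed placeholder numbers standing in for the IPSET_ATTR_ADT container and one element attribute, not ipset's real enum values.

```python
import struct

# Flag bits from include/uapi/linux/netlink.h; the type field is 16 bits.
NLA_F_NESTED = 1 << 15
NLA_F_NET_BYTEORDER = 1 << 14
NLA_TYPE_MASK = 0x3FFF
NLA_HDRLEN = 4
# Constructed attribute numbers for this demo (not ipset's real enum values).
ATTR_ADT = 1    # stands in for the IPSET_ATTR_ADT container
ATTR_PORT = 2   # a u16 element attribute carried inside the container

def nla_align(n):
    return (n + 3) & ~3

def nla_put(attr_type, payload, flags=0):
    """Encode one nlattr: host-order header, payload padded to 4 bytes."""
    hdr = struct.pack("=HH", NLA_HDRLEN + len(payload), attr_type | flags)
    return hdr + payload.ljust(nla_align(len(payload)), b"\0")

def nla_put_u16(attr_type, value):
    """u16 values go on the wire in network order, flagged NLA_F_NET_BYTEORDER."""
    return nla_put(attr_type, struct.pack("!H", value), NLA_F_NET_BYTEORDER)

def nla_parse(buf):
    """Yield (type, flags, payload) for each attribute in buf; fail on truncation."""
    off = 0
    while off + NLA_HDRLEN <= len(buf):
        length, t = struct.unpack_from("=HH", buf, off)
        if length < NLA_HDRLEN or off + length > len(buf):
            raise ValueError("truncated attribute")
        yield t & NLA_TYPE_MASK, t & ~NLA_TYPE_MASK, buf[off + NLA_HDRLEN:off + length]
        off += nla_align(length)

def build_adt_ports(ports):
    """Build a nested container holding one u16 attribute per element."""
    elems = b"".join(nla_put_u16(ATTR_PORT, p) for p in ports)
    return nla_put(ATTR_ADT, elems, NLA_F_NESTED)

def parse_adt_ports(buf):
    """Decode the container, enforcing the NESTED / NET_BYTEORDER flag rules."""
    ports = []
    for t, flags, payload in nla_parse(buf):
        if t != ATTR_ADT or not flags & NLA_F_NESTED:
            raise ValueError("container must carry NLA_F_NESTED")
        for et, eflags, epayload in nla_parse(payload):
            # A u16 without the byte-order flag is ambiguous; reject rather than guess.
            if et != ATTR_PORT or len(epayload) != 2 or not eflags & NLA_F_NET_BYTEORDER:
                raise ValueError("u16 element must be flagged NLA_F_NET_BYTEORDER")
            ports.append(struct.unpack("!H", epayload)[0])
    return ports
```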

menuconfig IP_SET
	tristate "IP set support"
	depends on INET && NETFILTER
	depends on NETFILTER_NETLINK
	help
	  This option adds IP set support to the kernel.

	  In order to define and use the sets, you need the userspace utility
	  ipset(8). You can use the sets in netfilter via the "set" match
	  and "SET" target.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_SET

config IP_SET_MAX
	int "Maximum number of IP sets"
	default 256
	range 2 65534
	depends on IP_SET
	help
	  You can define here the default value of the maximum number
	  of IP sets for the kernel.

	  The value can be overridden by the 'max_sets' module
	  parameter of the 'ip_set' module.

config IP_SET_BITMAP_IP
	tristate "bitmap:ip set support"
	depends on IP_SET
	help
	  This option adds the bitmap:ip set type support, by which one
	  can store IPv4 addresses (or network addresses) from a range.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_SET_BITMAP_IPMAC
	tristate "bitmap:ip,mac set support"
	depends on IP_SET
	help
	  This option adds the bitmap:ip,mac set type support, by which one
	  can store IPv4 address and (source) MAC address pairs from a range.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_SET_BITMAP_PORT
	tristate "bitmap:port set support"
	depends on IP_SET
	help
	  This option adds the bitmap:port set type support, by which one
	  can store TCP/UDP port numbers from a range.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_SET_HASH_IP
	tristate "hash:ip set support"
	depends on IP_SET
	help
	  This option adds the hash:ip set type support, by which one
	  can store arbitrary IPv4 or IPv6 addresses (or network addresses)
	  in a set.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_SET_HASH_IPPORT
	tristate "hash:ip,port set support"
	depends on IP_SET
	help
	  This option adds the hash:ip,port set type support, by which one
	  can store IPv4/IPv6 address and protocol/port pairs.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_SET_HASH_IPPORTIP
	tristate "hash:ip,port,ip set support"
	depends on IP_SET
	help
	  This option adds the hash:ip,port,ip set type support, by which
	  one can store IPv4/IPv6 address, protocol/port, and IPv4/IPv6
	  address triples in a set.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_SET_HASH_IPPORTNET
	tristate "hash:ip,port,net set support"
	depends on IP_SET
	help
	  This option adds the hash:ip,port,net set type support, by which
	  one can store IPv4/IPv6 address, protocol/port, and IPv4/IPv6
	  network address/prefix triples in a set.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_SET_HASH_NET
	tristate "hash:net set support"
	depends on IP_SET
	help
	  This option adds the hash:net set type support, by which
	  one can store IPv4/IPv6 network address/prefix elements in a set.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_SET_HASH_NETPORT
	tristate "hash:net,port set support"
	depends on IP_SET
	help
	  This option adds the hash:net,port set type support, by which
	  one can store IPv4/IPv6 network address/prefix and
	  protocol/port pairs as elements in a set.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_SET_HASH_NETIFACE
	tristate "hash:net,iface set support"
	depends on IP_SET
	help
	  This option adds the hash:net,iface set type support, by which
	  one can store IPv4/IPv6 network address/prefix and
	  interface name pairs as elements in a set.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_SET_LIST_SET
	tristate "list:set set support"
	depends on IP_SET
	help
	  This option adds the list:set set type support. In this
	  kind of set one can store the name of other sets and it forms
	  an ordered union of the member sets.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP_SET