-rw-r--r--Makefile.am4
-rw-r--r--README5
-rwxr-xr-xcheck_const4
-rw-r--r--configure.ac8
-rw-r--r--kernel/Kbuild4
-rw-r--r--kernel/include/linux/netfilter/ipset/ip_set_ahash.h8
-rw-r--r--kernel/ip_set.c52
-rw-r--r--kernel/xt_set.c16
8 files changed, 48 insertions, 53 deletions
diff --git a/Makefile.am b/Makefile.am
index ab552dc..7d91b8f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -24,9 +24,7 @@ SUBDIRS = lib src
modules:
${MAKE} -C $(KBUILD_OUTPUT) M=$$PWD/kernel V=$V \
- IP_SET_MAX=$(IP_SET_MAX) \
- NETLINK_DUMP_CONST=$(NETLINK_DUMP_CONST) \
- NFNL_CB_CONST=$(NFNL_CB_CONST) modules
+ IP_SET_MAX=$(IP_SET_MAX) modules
modules_install:
${MAKE} -C $(KBUILD_OUTPUT) M=$$PWD/kernel modules_install
diff --git a/README b/README
index 1948f64..b680f69 100644
--- a/README
+++ b/README
@@ -1,11 +1,12 @@
This is the ipset source tree. Follow the next steps to install ipset:
-0. You need the source tree of your kernel (version >= 2.6.31)
+0. You need the source tree of your kernel (version >= 2.6.34)
and it have to be configured with ip6tables support enabled,
modules compiled. Please apply the netlink.patch against your kernel
tree, which adds the new subsystem identifier for ipset.
- Recompile and install the patched kernel and its modules.
+ Recompile and install the patched kernel and its modules. Please note,
+ you have to run the patched kernel for ipset to work.
The ipset source code depends on the libmnl library so the library
must be installed. You can download the libmnl library from
diff --git a/check_const b/check_const
index c26b566..61b9f31 100755
--- a/check_const
+++ b/check_const
@@ -1,7 +1,7 @@
#! /usr/bin/awk -f
-# nfnetlink.h && netlink.h
-
+# include/linux/nfnetlink.h: nfnl_callback
+# include/linux/netlink.h: netlink_dump_start
{ if (/^(struct nfnl_callback|extern int netlink_dump)/) { check=1 } }
{ if (check == 1 && /(^};|...\);)/) { check=0 } }
diff --git a/configure.ac b/configure.ac
index f8b920a..a66610e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -61,14 +61,6 @@ then
AC_MSG_ERROR([The kernel source directory $ksourcedir is not patched with netlink.patch to support ipset])
fi
-dnl Check kernel dependencies: nfnetlink.h
-NFNL_CB_CONST="`./check_const $ksourcedir/include/linux/netfilter/nfnetlink.h`"
-AC_SUBST(NFNL_CB_CONST)
-
-dnl Check kernel dependencies: netlink.h
-NETLINK_DUMP_CONST="`./check_const $ksourcedir/include/linux/netlink.h`"
-AC_SUBST(NETLINK_DUMP_CONST)
-
dnl Maximal number of sets supported by the kernel, default 256
AC_ARG_WITH([maxsets],
AS_HELP_STRING([--with-maxsets=256],
diff --git a/kernel/Kbuild b/kernel/Kbuild
index 3124569..dca009a 100644
--- a/kernel/Kbuild
+++ b/kernel/Kbuild
@@ -1,7 +1,5 @@
EXTRA_CFLAGS := -I$(M)/include \
- -DCONFIG_IP_SET_MAX=$(IP_SET_MAX) \
- -DNETLINK_DUMP_CONST=$(NETLINK_DUMP_CONST) \
- -DNFNL_CB_CONST=$(NFNL_CB_CONST)
+ -DCONFIG_IP_SET_MAX=$(IP_SET_MAX)
obj-m += ip_set.o xt_set.o
obj-m += ip_set_bitmap_ip.o ip_set_bitmap_ipmac.o ip_set_bitmap_port.o
diff --git a/kernel/include/linux/netfilter/ipset/ip_set_ahash.h b/kernel/include/linux/netfilter/ipset/ip_set_ahash.h
index 7e0af3d..b7029e1 100644
--- a/kernel/include/linux/netfilter/ipset/ip_set_ahash.h
+++ b/kernel/include/linux/netfilter/ipset/ip_set_ahash.h
@@ -578,8 +578,8 @@ nla_put_failure:
nlmsg_trim(skb, incomplete);
ipset_nest_end(skb, atd);
if (unlikely(first == cb->args[2])) {
- pr_warn("Can't list set %s: one bucket does not fit into "
- "a message. Please report it!\n", set->name);
+ pr_warning("Can't list set %s: one bucket does not fit into "
+ "a message. Please report it!\n", set->name);
cb->args[2] = 0;
}
return 0;
@@ -979,8 +979,8 @@ nla_put_failure:
nlmsg_trim(skb, incomplete);
ipset_nest_end(skb, atd);
if (unlikely(first == cb->args[2])) {
- pr_warn("Can't list set %s: one bucket does not fit into "
- "a message. Please report it!\n", set->name);
+ pr_warning("Can't list set %s: one bucket does not fit into "
+ "a message. Please report it!\n", set->name);
cb->args[2] = 0;
}
return 0;
diff --git a/kernel/ip_set.c b/kernel/ip_set.c
index e890bf8..6d353d9 100644
--- a/kernel/ip_set.c
+++ b/kernel/ip_set.c
@@ -707,7 +707,7 @@ EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
*/
static inline bool
-protocol_failed(NFNL_CB_CONST struct nlattr * NFNL_CB_CONST tb[])
+protocol_failed(const struct nlattr * const tb[])
{
return !tb[IPSET_ATTR_PROTOCOL]
|| nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL;
@@ -811,8 +811,8 @@ load_type_module(const char *typename)
static int
ip_set_create(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlmsghdr *nlh,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const attr[])
{
struct ip_set *set, *clash;
ip_set_id_t index = IPSET_INVALID_ID;
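Review bot: With `NFNL_CB_CONST` removed, the `const struct nlmsghdr *nlh` / `const struct nlattr * const attr[]` signature is hard-coded here and in every other callback hunk of this file (ip_set_destroy through ip_set_protocol), yet the only kernel-version guard visible in this commit is the `#error` in xt_set.c. Kbuild lists ip_set.o as a separate object, so that guard does not cover this translation unit. Against older headers, a const mismatch where these handlers are registered would presumably surface as a pointer-type warning rather than stop the build. If ip_set.c has no check of its own (not visible in these hunks), consider moving the `LINUX_VERSION_CODE` test into a header that both files include. The body of ip_set_create continues outside the hunk.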
@@ -950,8 +950,8 @@ ip_set_destroy_set(ip_set_id_t index)
static int
ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlmsghdr *nlh,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const attr[])
{
ip_set_id_t i;
@@ -995,8 +995,8 @@ ip_set_flush_set(struct ip_set *set)
static int
ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlmsghdr *nlh,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const attr[])
{
ip_set_id_t i;
@@ -1031,8 +1031,8 @@ ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = {
static int
ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlmsghdr *nlh,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const attr[])
{
struct ip_set *set;
const char *name2;
@@ -1071,8 +1071,8 @@ ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
static int
ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlmsghdr *nlh,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const attr[])
{
struct ip_set *from, *to;
ip_set_id_t from_id, to_id;
@@ -1292,8 +1292,8 @@ out:
static int
ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlmsghdr *nlh,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const attr[])
{
if (unlikely(protocol_failed(attr)))
return -IPSET_ERR_PROTOCOL;
@@ -1316,7 +1316,7 @@ static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
static int
call_ad(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[],
+ const struct nlattr * const attr[],
struct ip_set *set, const struct nlattr *nla,
enum ipset_adt adt, u32 flags)
{
@@ -1348,8 +1348,8 @@ call_ad(struct sock *ctnl, struct sk_buff *skb,
static int
ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlmsghdr *nlh,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const attr[])
{
struct ip_set *set;
const struct nlattr *nla;
@@ -1392,8 +1392,8 @@ ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
static int
ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlmsghdr *nlh,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const attr[])
{
struct ip_set *set;
const struct nlattr *nla;
@@ -1436,8 +1436,8 @@ ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
static int
ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlmsghdr *nlh,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const attr[])
{
struct ip_set *set;
int ret = 0;
@@ -1469,8 +1469,8 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
static int
ip_set_header(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlmsghdr *nlh,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const attr[])
{
const struct ip_set *set;
struct sk_buff *skb2;
@@ -1526,8 +1526,8 @@ static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = {
static int
ip_set_type(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlmsghdr *nlh,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const attr[])
{
struct sk_buff *skb2;
struct nlmsghdr *nlh2;
@@ -1590,8 +1590,8 @@ ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = {
static int
ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
- NFNL_CB_CONST struct nlmsghdr *nlh,
- NFNL_CB_CONST struct nlattr * NFNL_CB_CONST attr[])
+ const struct nlmsghdr *nlh,
+ const struct nlattr * const attr[])
{
struct sk_buff *skb2;
struct nlmsghdr *nlh2;
diff --git a/kernel/xt_set.c b/kernel/xt_set.c
index 7484919..e95cae0 100644
--- a/kernel/xt_set.c
+++ b/kernel/xt_set.c
@@ -38,14 +38,20 @@ match_set(ip_set_id_t index, const struct sk_buff *skb,
/* Revision 0 interface: backward compatible with netfilter/iptables */
-/* Backward compatibility constrains:
+/* Backward compatibility constrains (incomplete):
* 2.6.24: [NETLINK]: Introduce nested and byteorder flag to netlink attribute
+ * 2.6.25: is_vmalloc_addr(): Check if an address is within the vmalloc
+ * boundaries
+ * 2.6.27: rcu: split list.h and move rcu-protected lists into rculist.h
+ * 2.6.28: netfilter: ctnetlink: remove bogus module dependency between
+ * ctnetlink and nf_nat (nfnl_lock/nfnl_unlock)
+ * 2.6.29: generic swap(): introduce global macro swap(a, b)
* 2.6.31: netfilter: passive OS fingerprint xtables match
+ * 2.6.34: rcu: Add lockdep-enabled variants of rcu_dereference()
*/
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 31)
-#error "Linux kernel version too old: must be >= 2.6.31"
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)
+#error "Linux kernel version too old: must be >= 2.6.35"
#endif
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)
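Review bot: The new guard rejects anything below 2.6.35 (`#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)` / `must be >= 2.6.35`), but the README hunk in this same commit says `version >= 2.6.34` and the constraint list above ends at 2.6.34. Either the guard should read `KERNEL_VERSION(2, 6, 34)` with a matching message, or the README should say 2.6.35; as written, a user following the README on 2.6.34 hits the `#error`. The context line right after `#endif` is a second `#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35)`, which can no longer be true once the `#error` uses the same bound. That compat block (its body is outside the hunk) becomes dead code and should be dropped or the bound lowered. Separately, "constrains" in the comment header should be "constraints".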
@@ -120,7 +126,7 @@ set_match_v0_checkentry(const struct xt_mtchk_param *par)
static void
set_match_v0_destroy(const struct xt_mtdtor_param *par)
{
- struct xt_set_info_match *info = par->matchinfo;
+ struct xt_set_info_match_v0 *info = par->matchinfo;
ip_set_nfnl_put(info->match_set.index);
}
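Review bot: The switch to `struct xt_set_info_match_v0` in set_match_v0_destroy is a functional fix riding along with a build cleanup, and nothing at the declaration records why the v0 type matters. `par->matchinfo` is assigned without a cast, so the compiler accepts either struct. The index handed to `ip_set_nfnl_put()` therefore silently depends on choosing the layout that matches revision 0. I would add `/* matchinfo has the revision 0 layout here; do not use struct xt_set_info_match */` above the declaration. It is also worth checking whether the other v0 handlers in this file (outside the hunk) read `matchinfo` or the target info through the right revision's struct.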