summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ipset 6.17 releasedv6.17Jozsef Kadlecsik2013-02-214-1/+22
|
* The ipset_list tool is addedJozsef Kadlecsik2013-02-213-0/+1096
| | | | Source: http://sourceforge.net/projects/ipset-list
* The ipset_bash_completion tool is addedJozsef Kadlecsik2013-02-212-0/+418
| | | | Source: http://sourceforge.net/projects/ipset-bashcompl
* Interactive mode error after syntax error (reported by Mart Frauenlob)Jozsef Kadlecsik2013-02-211-3/+8
| | | | | | | | | | | | ipset> list foo ipset v6.16.1: The set with the given name does not exist ipset> -t No command specified ipset> list ipset v6.16.1: Internal protocol error In interactive mode the state was not cleaned up properly after a syntax error, fixed.
* "Directory not empty" error message (reported by John Brendler)Jozsef Kadlecsik2013-02-211-1/+2
| | | | | | | | | When an entry flagged with "nomatch" was tested by ipset, it returned the error message "Kernel error received: Directory not empty" instead of "<element> is NOT in set <setname>". The internal error code was not properly transformed before returning to userspace, fixed.
* netfilter: ipset: timeout values corrupted on set resizeJosh Hunt2013-02-211-1/+3
| | | | | | | | | | | If a resize is triggered on a set with timeouts enabled, the timeout values will get corrupted when copying them to the new set. This occured b/c the wrong timeout value is supplied to type_pf_elem_tadd(). This also adds simple debug statement similar to the one in type_pf_resize(). Signed-off-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix error path when protocol number is used with port rangeJozsef Kadlecsik2013-01-091-1/+3
|
* Correct "Suspicious condition (assignment + comparison)" (Thomas Jarosch)Jozsef Kadlecsik2013-01-091-4/+3
| | | | | cppcheck (vaguely) reported: [lib/parse.c:448]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses.
* Fix revision printing in XML mode (reported by Mart Frauenlob)Jozsef Kadlecsik2013-01-091-1/+1
|
* Make sure ip_set_max isn't set to IPSET_INVALID_IDJozsef Kadlecsik2012-11-271-1/+1
|
* ipset 6.16.1 releasedv6.16.1Jozsef Kadlecsik2012-11-272-1/+5
|
* Add ipset package version to external module descriptionJozsef Kadlecsik2012-11-272-1/+8
|
* Backport RCU handling up to 2.6.32.xJozsef Kadlecsik2012-11-271-0/+8
| | | | __rcu and rcu_dereference_protected is missing from older kernel releases.
* ipset 6.16 releasedv6.16Jozsef Kadlecsik2012-11-263-1/+10
|
* Netlink pid is renamed to portid in kernel 3.7.0Jozsef Kadlecsik2012-11-261-10/+16
| | | | | | Handle the renaming of the netlink_skb_parms structure member. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix RCU handling when the number of maximal sets are increasedJozsef Kadlecsik2012-11-261-83/+117
| | | | | | Eric Dumazet spotted that RCU handling was far incomplete in the patch which added the support of increasing the number of maximal sets automatically. This patch completes the RCU handling of the ip_set_list array of the sets.
* netfilter: ipset: fix netiface set name overflowFlorian Westphal2012-11-221-1/+1
| | | | | | | | | | attribute is copied to IFNAMSIZ-size stack variable, but IFNAMSIZ is smaller than IPSET_MAXNAMELEN. Fortunately nfnetlink needs CAP_NET_ADMIN. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Remove all modules before testing resizeJozsef Kadlecsik2012-11-221-1/+2
|
* build: support for Linux 3.7 UAPIJan Engelhardt2012-11-221-1/+2
| | | | | | | | In Linux 3.7, nfnetlink.h moved below include/uapi/. Make configure recognize that. Furthermore, we can drop the unnecessary indirection via backticks and just ask grep directly if there was any result. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.15 releasedv6.15Jozsef Kadlecsik2012-11-193-1/+17
|
* Increase the number of maximal sets automatically as neededJozsef Kadlecsik2012-11-193-8/+85
| | | | | The max number of sets was hardcoded at kernel cofiguration time. The patch adds the support to increase the max number of sets automatically.
* Fix interactive modeFredrik Eriksson2012-11-101-5/+2
| | | | Catching interactive mode got broken in 6.12.
* Use gethostbyname2 instead of getaddrinfoJozsef Kadlecsik2012-11-052-1/+104
| | | | | | In newer glibc, getaddrinfo issues an extra system call to kernel, which slows down ipset. Replace getaddrinfo with gethostbyname2, where possible.
* Restore the support of kernel versions between 2.6.32 and 2.6.35Jozsef Kadlecsik2012-11-054-65/+97
|
* Make tests/check_cidrs.sh script executableJozsef Kadlecsik2012-11-051-0/+0
|
* Add tests to check completely ranges with hash typesJozsef Kadlecsik2012-11-054-0/+126
| | | | | Test all possible range variations with the hash types in order to catch bugs like the range bug in hash:ip,port,net.
* Make easier to apply the netlink.patchJozsef Kadlecsik2012-11-051-13/+0
| | | | | There is no need for the full source code, the header files are enough to compile ipset.
* Support protocol numbers as well, not only protocol namesJozsef Kadlecsik2012-11-051-3/+9
|
* Add (back) the debug flag to configureJozsef Kadlecsik2012-11-051-0/+6
|
* Fix range bug in hash:ip,port,netJozsef Kadlecsik2012-11-054-12/+13
| | | | | | | | | Due to the missing ininitalization at adding/deleting entries, when a plain_ip,port,net element was to be added, multiple elements were added/deleted instead. The bug came from the missing dangling default initialization. The error-prone default initialization is corrected in all hash:* types.
* Rewrite cidr book keeping to handle /0Jozsef Kadlecsik2012-09-221-49/+55
| | | | The patch is required for the /0 support in hash:net,iface
* Revert patch "Fix cidr book keeping for hash:*net* types"Jozsef Kadlecsik2012-09-221-55/+49
|
* Add simple test to check cidr book-keepingJozsef Kadlecsik2012-09-222-0/+25
|
* ipset 6.14 releasedv6.14Jozsef Kadlecsik2012-09-213-1/+22
|
* Support to match elements marked with "nomatch" in hash:*net* setsJozsef Kadlecsik2012-09-2111-21/+135
| | | | | | | | | | | | | | | Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ...
* Coding style fixesJozsef Kadlecsik2012-09-1115-48/+64
|
* The set type revision number is added to the header part of listingJozsef Kadlecsik2012-09-1126-75/+76
| | | | | | | | | Incompatibility: if your script rely on the number of lines in the header of set listings, then the new line Revision: number can break your script.
* Include supported revisions in module descriptionJozsef Kadlecsik2012-09-1112-39/+78
|
* Help prints list type revision and terse descriptionJozsef Kadlecsik2012-09-1013-5/+25
| | | | | In order to catch kernel/userspace revision mismatch, better print all available data.
* Add /0 network support to hash:net,iface typeJozsef Kadlecsik2012-09-104-30/+117
| | | | | Now it is possible to setup a single hash:net,iface type of set and a single ip6?tables match which covers all egress/ingress filtering.
* Fix cidr book keeping for hash:*net* typesJozsef Kadlecsik2012-09-101-49/+55
| | | | | | | The book-keeping of the different sized networks were bogus, fix it. The broken code could lead invalid matching in such sets when the number of different sized networks were greater than the smallest CIDR value of the networks.
* Check and reject crazy /0 input parametersJozsef Kadlecsik2012-09-106-10/+13
| | | | | | | | bitmap:ip and bitmap:ip,mac type did not reject such a crazy range when created and using such a set results in a kernel crash. The hash types just silently ignored such parameters. Reject invalid /0 input parameters explicitely.
* Backport ether_addr_equalJozsef Kadlecsik2012-09-101-2/+11
|
* Coding style fix, backport from kernelJozsef Kadlecsik2012-09-101-2/+2
|
* net: cleanup unsigned to unsigned intEric Dumazet2012-09-082-7/+7
| | | | | | | Use of "unsigned int" is preferred to bare "unsigned" in net tree. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Fix errors when compiling in debug mode.Krunal Patel2012-08-313-8/+6
|
* Make sure IPPROTO_UDPLITE is definedJozsef Kadlecsik2012-08-311-0/+3
|
* build: restore -version-infoJan Engelhardt2012-07-012-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On Sunday 2012-07-01 19:20, Jozsef Kadlecsik wrote: >[...] >> * therefore the patch makes a clean restart, >> using -version-info 3:0:0, to continue using .so.3 >> starting from ipset-6.13 until the next *real* >> incompatible change. > >What is still unclear for me, why a clean restart is required. Looking >into "libtool", as I see, "-version-number 3:0:1" and "-version-info >3:0:1" produces the same result. They don't. The libtool manual goes on attempting to explain "-version-number" with C:R:A, though it could have been a lot easier to just say "it copies the values as-is to the file suffix". ---8<--- location git://git.inai.de/ipset (updated) parent 7c7b022a18ea2bae11d889b345caef87f3bf145e (v6.13) commit 2b145f0794de6f56eaded0a6403be995be98c93b Author: Jan Engelhardt <jengelh@inai.de> Date: Sat Jun 30 20:39:27 2012 +0200 build: restore -version-info Commit v6.13~7 accidentally swapped "-version-info" with "-version-number". Because "-version-number" takes the values "FIRST:AGE:REV", which is different from "-version-info CURRENT:REV:AGE", libipset.so.3 was emitted. Restore using "-version-info" and continue to use 3 as the "FIRST" interface (instead of 2), because it was declared that way in ipset-6.13. Also note that the version names in libipset.map generally are not supposed to follow SO versions, but the program version): IPSET_6.13 {...}. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.13 releasedv6.13Jozsef Kadlecsik2012-06-293-1/+16
|
* Explain in more detail src/dst for hash:net,ifaceJozsef Kadlecsik2012-06-291-2/+3
|