| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Backport of Pablo's patch to the ipset package.
|
| |
|
|
|
|
|
| |
These macros contain a hidden goto, and are thus extremely error
prone and make code hard to audit.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
|
| | |
|
| |
|
|
|
|
| |
If a create command fails at the kernel side, false syntax error
was also reported due to the chicken and egg problem of the family
option.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The patch adds supporting dynamic modules for the set types to ipset
userspace tool. The dynamic module support can be enabled by the
--enable-settype-modules of "configure". The list of set types to
be compiled as dynamic modules can be specified in the
--with-settype-modules-list option. Example
--enable-settype-modules \
--with-settype-modules-list="ipset_hash_ip ipset_hash_ipport"
The keyword "all" can be used to compile all set types as dynamic modules.
|
| | |
|
| |
|
|
|
|
| |
The hash size must fit both into u32 (jhash) and the max value of
size_t. The missing checking could lead to kernel crash, bug reported
by Seblu.
|
| |
|
|
|
| |
gcc 4.7 and above ignore such assignments which leads to a broken
ipset binary (bug reported by Seblu).
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Large timeout parameters could result wrong timeout values due to
an overflow at msec to jiffies conversion (reported by Andreas Herz)
|
| |
|
|
|
|
|
|
|
|
| |
While parsing through IPv6 extension headers, fragment headers are
skipped making them invisible to the caller. This reports the
fragment offset of the last header in order to make it possible to
determine whether the packet is fragmented and, if so whether it is
a first or last fragment.
Signed-off-by: Jesse Gross <jesse@nicira.com>
|
| |
|
|
|
|
|
| |
C assignment can handle struct in6_addr copying.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
|
| |
|
|
|
|
| |
The tests for inclusion of linux/export.h in
ipset-6.11:kernel/net/netfilter/ipset/{ip_set_getport.c,pfxlen.c} are
incorrect, linux/export.h did not go in until 3.2.0.
|
| | |
|
| |
|
|
|
|
|
|
| |
The square brackets are introduced as an escape mechanism to
enter hostnames or service names with dash in order to avoid
mixing up the dash in the name with the range notation.
Problem reported by Stephen Hemminger and Marc Guardiola.
|
| |
|
|
|
| |
Timed out entries were still matched till the garbage collector
purged them out. The fix is verified in the testsuite.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The "nomatch" keyword and option is added to the hash:*net* types,
by which one can add exception entries to sets. Example:
ipset create test hash:net
ipset add test 192.168.0/24
ipset add test 192.168.0/30 nomatch
In this case the IP addresses from 192.168.0/24 except 192.168.0/30
match the elements of the set.
|
| |
|
|
|
|
|
| |
These files are non modular, but need to export symbols using
the macros now living in export.h -- call out the include so
that things won't break when we remove the implicit presence
of module.h from everywhere.
|
| |
|
|
|
| |
If the set is full, the SET target cannot add more elements.
Log warning so that the admin got notified about it.
|
| |
|
|
|
| |
The libipset library is complete by this step, and "ipset" just
a CLI interface based on the lib.
|
| | |
|
| |
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
| |
The .c files used to build the plugins for ipset all use #include
<libipset/...>, so the files we install should preferably also be in a
directory called "libipset" rather than just "ipset".
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
| |
The other linux_ip_set*.h files are shipped, so this one probably
should too.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
| |
libipset/types.h, which is installed by default, requires nfproto.h.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
| |
We need to visit that directory, otherwise `make install` is
incomplete and `make distcheck` fails.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
| |
Only ignore these paths if they are a directory.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| | |
|
| |
|
|
|
| |
The ICMP/ICMPv6 type/code parser swapped the type and code values.
(Bug reported by Sabitov)
|
| |
|
|
|
|
|
|
|
|
|
| |
The protocol argument to getservbyname() must be lowercase tcp not
uppercase TCP. This fixes the bug observed by:
# ipset add foo http
ipset v6.9.1: Syntax error: 'http' is invalid as number
Syntax error: cannot parse 'http' as a TCP port
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| |
|
|
| |
warning: 'ip_to' may be used uninitialized in this function
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Distributors (like Fedora) might be interested in including the ipset
tools and libs, but they often don't want to build and ship external
kernel modules, especially if those modules are already included in
their kernel packages.
This patch introduces a new --with-kmod configure option that can be
used to conditionally build the kernel module. The module is still built
by default, to preserve compatibility.
A user who wants to build only the user-space part of ipset can do so by
running the following:
$ ./autogen.sh
$ configure --with-kmod=no
$ make
# make install
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
