Commit message (author, date; files changed, -removed/+added lines)
* ipset 6.31 released [tag v6.31] (Jozsef Kadlecsik, 2017-02-19; 3 files, -1/+14)
* Update manpage about the size parameter of list:set types. (Jozsef Kadlecsik, 2017-02-19; 1 file, -1/+2)

    The parameter is ignored since ipset version 6.24.
* netfilter: ipset: Null pointer exception in ipset list:set (Vishwanath Pai, 2017-02-16; 1 file, -3/+6)

    If we use before/after to add an element to an empty list it will cause a
    kernel panic.

    $> cat crash.restore
    create a hash:ip
    create b hash:ip
    create test list:set timeout 5 size 4
    add test b before a

    $> ipset -R < crash.restore

    Executing the above will crash the kernel.

    Signed-off-by: Vishwanath Pai <vpai@akamai.com>
    Reviewed-by: Josh Hunt <johunt@akamai.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* New test to verify that only the intended entries are deleted at hash types. (Jozsef Kadlecsik, 2017-02-16; 3 files, -1/+5)
* Fix bug: sometimes valid entries in hash:* types of sets were evicted (Jozsef Kadlecsik, 2017-02-16; 1 file, -1/+1)

    The wrong index was used, and therefore, when shrinking a hash bucket on
    deleting an entry, valid entries could be evicted as well. Thanks to Eric
    Ewanco for the thorough bug report.

    Fixes netfilter bugzilla #1119
* Correct copyright owner (Jozsef Kadlecsik, 2016-11-10; 2 files, -2/+2)

    The functions were not introduced by Sergey Popovich; he only proposed
    separating them into individual extension header files.

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Revert patch "Correct rcu_dereference_bh_nfnl() usage" (Jozsef Kadlecsik, 2016-11-10; 1 file, -6/+4)

    The subsystem param cannot be used to rely on subsystem mutex locking,
    because the call is used in netlink dump context as well.

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.30 released [tag v6.30] (Jozsef Kadlecsik, 2016-10-17; 3 files, -1/+27)
* ipset: Drop extra comma from error message (Neutron Soutmun, 2016-10-17; 1 file, -1/+1)

    * The "by userspace." should be concatenated with the error message instead.

    Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Fix the incorrect dynamic/static modules list (Neutron Soutmun, 2016-10-17; 1 file, -2/+2)

    * The module's name should not be partially matched.

      SETTYPE_MODLIST="ipset_hash_ipmac"

      It should not be matched with "ipset_hash_ip".

    Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: hash: fix boolreturn.cocci warnings (kbuild test robot, 2016-10-15; 1 file, -4/+4)

    net/netfilter/ipset/ip_set_hash_ipmac.c:70:8-9: WARNING: return of 0/1 in function 'hash_ipmac4_data_list' with return type bool
    net/netfilter/ipset/ip_set_hash_ipmac.c:178:8-9: WARNING: return of 0/1 in function 'hash_ipmac6_data_list' with return type bool

    Return statements in functions returning bool should use true/false instead of 1/0.

    Generated by: scripts/coccinelle/misc/boolreturn.cocci

    CC: Tomasz Chilinski <tomasz.chilinski@chilan.com>
    Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Correct tests to check the number of entries too (Jozsef Kadlecsik, 2016-10-14; 38 files, -82/+82)

    Give enough time for the entries to time out before listing, so that we get
    the correct number of entries.

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix the nla_put_net64() API changes backport (Jozsef Kadlecsik, 2016-10-14; 1 file, -2/+2)

    We must call nla_put_net64() because ipset uses net order in the netlink
    communication.

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Fixing unnamed union init (Elad Raz, 2016-10-13; 2 files, -12/+32)

    Continuing Vinson Lee's proposed post [1], this patch fixes compilation
    issues found with gcc 4.4.7. The initialization of the .cidr field of
    unnamed unions causes a compilation error in gcc 4.4.x.

    [1] https://lkml.org/lkml/2015/7/5/74

    Signed-off-by: Elad Raz <eladr@mellanox.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: x_tables: Use par->net instead of computing from the passed net devices (Eric W. Biederman, 2016-10-13; 2 files, -6/+9)

    Backported from kernel tree.

    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Correct the reported memory size for bitmap:* types (Jozsef Kadlecsik, 2016-10-13; 2 files, -4/+7)

    The patch "Fix extension alignment" (c7cf6f3b) removed counting the
    non-dynamic extensions into the used-up memory area; fixed.

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix coding styles reported by checkpatch.pl, already in kernel (Jozsef Kadlecsik, 2016-10-11; 1 file, -4/+3)
* netfilter: x_tables: Pass struct net in xt_action_param (Eric W. Biederman, 2016-10-11; 3 files, -0/+15)

    As xt_action_param lives on the stack this does not bloat any persistent
    data structures.

    This is a first step in making netfilter code that needs to know which
    network namespace it is executing in simpler.

    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* net: sched: fix skb->protocol use in case of accelerated vlan path (Jiri Pirko, 2016-10-11; 3 files, -1/+22)

    tc code implicitly considers skb->protocol even in case of accelerated vlan
    paths and expects the vlan protocol type here. However, on the rx path, if
    the vlan header was already stripped, skb->protocol contains the value of
    the next header. A similar situation exists on the tx path.

    So for skbs that use skb->vlan_tci for tagging, use skb->vlan_proto instead.

    Reported-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Signed-off-by: Jiri Pirko <jiri@resnulli.us>
    Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
* Check IPSET_ATTR_ETHER netlink attribute length in hash:ipmac too (Jozsef Kadlecsik, 2016-10-11; 1 file, -0/+2)

    The explicit length check was missing; added.

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: fix include files for compilation (Mikko Rapeli, 2016-10-11; 3 files, -0/+6)

    Add missing header dependencies and other small changes so that each file
    compiles alone in userspace.

    Signed-off-by: Mikko Rapeli <mikko.rapeli@iki.fi>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Backports for the nla_put_net64() API changes (Neutron Soutmun, 2016-06-28; 5 files, -7/+28)

    * Backports the patch "libnl: nla_put_net64(): align on a 64-bit area" [1]
      by Nicolas Dichtel <nicolas.dichtel@6wind.com>

    * Since the nla_put_net64() API has been changed, ip_set_compat.h.in should
      provide the macro IPSET_NLA_PUT_NET64 that points to nla_put_net64() with
      the appropriate number of arguments.

      The build script should distinguish the API changes by detecting the
      existence of the nla_put_64bit() function in include/net/netlink.h. This
      function was added in the same patch set and is called by nla_put_be64(),
      which in turn is called by nla_put_net64().

    [1] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=e9bbe898cbe89b17ad3993c136aa13d0431cd537

    Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: use setup_timer() and mod_timer(). (Muhammad Falak R Wani, 2016-05-19; 1 file, -5/+2)

    Use setup_timer() instead of init_timer(), being the preferred way of
    setting up a timer.

    Also, quoting the mod_timer() function comment:
    -> mod_timer() is a more efficient way to update the expire field of an
       active timer (if the timer is inactive it will be activated).

    Use setup_timer() and mod_timer() to set up and arm a timer, making the
    code compact and easier to read.

    Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* netfilter: ipset: use setup_timer() and mod_timer(). (Muhammad Falak R Wani, 2016-05-19; 1 file, -5/+2)

    Use setup_timer() instead of init_timer(), being the preferred way of
    setting up a timer.

    Also, quoting the mod_timer() function comment:
    -> mod_timer() is a more efficient way to update the expire field of an
       active timer (if the timer is inactive it will be activated).

    Use setup_timer() and mod_timer() to set up and arm a timer, making the
    code compact and easier to read.

    Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* netfilter: ipset: use setup_timer() and mod_timer(). (Muhammad Falak R Wani, 2016-05-19; 1 file, -5/+2)

    Use setup_timer() instead of init_timer(), being the preferred way of
    setting up a timer.

    Also, quoting the mod_timer() function comment:
    -> mod_timer() is a more efficient way to update the expire field of an
       active timer (if the timer is inactive it will be activated).

    Use setup_timer() and mod_timer() to set up and arm a timer, making the
    code compact and easier to read.

    Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* hash:ipmac type support added to ipset, userspace part (Tomasz Chilinski, 2016-05-05; 3 files, -0/+188)

    Signed-off-by: Tomasz Chiliński <tomasz.chilinski@chilan.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* hash:ipmac type support added to ipset (Tomasz Chilinski, 2016-05-05; 3 files, -1/+323)

    Signed-off-by: Tomasz Chiliński <tomasz.chilinski@chilan.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.29 released [tag v6.29] (Jozsef Kadlecsik, 2016-03-16; 3 files, -1/+11)
* netfilter: ipset: fix race condition in ipset save, swap and delete (Vishwanath Pai, 2016-03-16; 5 files, -8/+35)

    This fix adds a new reference counter (ref_netlink) for the struct ip_set.
    The other reference counter (ref) can be swapped out by ip_set_swap and we
    need a separate counter to keep track of references for netlink events like
    dump. Using the same ref counter for dump causes a race condition which can
    be demonstrated by the following script:

    ipset create hash_ip1 hash:ip family inet hashsize 1024 maxelem 500000 \
      counters
    ipset create hash_ip2 hash:ip family inet hashsize 300000 maxelem 500000 \
      counters
    ipset create hash_ip3 hash:ip family inet hashsize 1024 maxelem 500000 \
      counters

    ipset save &

    ipset swap hash_ip3 hash_ip2
    ipset destroy hash_ip3 /* will crash the machine */

    Swap will exchange the values of ref so destroy will see ref = 0 instead of
    ref = 1. With this fix in place swap will not succeed because ipset save
    still has ref_netlink on the set (ip_set_swap doesn't swap ref_netlink).

    Both delete and swap will error out if ref_netlink != 0 on the set.

    Note: The changes to *_head functions are because previously we would
    increment ref whenever we called these functions, we don't do that anymore.

    Reviewed-by: Joshua Hunt <johunt@akamai.com>
    Signed-off-by: Vishwanath Pai <vpai@akamai.com>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
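The save/swap/destroy sequence from the commit message above, replayed against a small model of the two reference counters. This is an added illustration, not ipset's code: `struct set`, `dump_begin`, `set_swap`, `set_destroy` and `replay` are hypothetical names, the model keeps only what the message states (ref travels with the set on swap, ref_netlink does not, and swap/destroy refuse when ref_netlink is non-zero), and EBUSY is an assumed error code. With `fixed = 0` the set is freed while the dump still holds it; with `fixed = 1` both the swap and the destroy are refused.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only; the field names follow the commit message, the
 * structure is not ipset's struct ip_set. */
struct set {
	char name[16];
	unsigned ref;         /* swapped together with the set's contents */
	unsigned ref_netlink; /* held by an in-flight dump; never swapped */
	int elements;         /* stand-in for the set's data; -1 once destroyed */
};

/* A netlink dump (ipset save / list) pins the set while walking it.
 * Pre-fix it pins via ref, post-fix via ref_netlink. */
static void dump_begin(struct set *s, int fixed)
{
	if (fixed)
		s->ref_netlink++;
	else
		s->ref++;
}

/* Swap exchanges contents and ref; post-fix it refuses if a dump holds either set. */
static int set_swap(struct set *a, struct set *b, int fixed)
{
	int e;
	unsigned r;

	if (fixed && (a->ref_netlink || b->ref_netlink))
		return -EBUSY;
	e = a->elements; a->elements = b->elements; b->elements = e;
	r = a->ref;      a->ref = b->ref;           b->ref = r;
	return 0;
}

/* Destroy frees the set only when nothing references it. */
static int set_destroy(struct set *s, int fixed)
{
	if (s->ref || (fixed && s->ref_netlink))
		return -EBUSY;
	s->elements = -1;
	return 0;
}

struct replay_result {
	int rc_swap;
	int rc_destroy;
	int freed_under_dump; /* 1 if hash_ip3 was freed while the dump still held it */
};

/* Replays: ipset save & (dump of hash_ip3 in flight);
 *          ipset swap hash_ip3 hash_ip2; ipset destroy hash_ip3. */
struct replay_result replay(int fixed)
{
	struct set s2 = { "hash_ip2", 0, 0, 2 };
	struct set s3 = { "hash_ip3", 0, 0, 3 };
	struct replay_result r;

	dump_begin(&s3, fixed);                 /* save is still walking hash_ip3 */
	r.rc_swap = set_swap(&s3, &s2, fixed);
	r.rc_destroy = set_destroy(&s3, fixed);
	r.freed_under_dump = (s3.elements == -1);
	return r;
}

int main(void)
{
	struct replay_result old = replay(0), new = replay(1);

	printf("pre-fix : swap=%d destroy=%d freed under dump=%d\n",
	       old.rc_swap, old.rc_destroy, old.freed_under_dump);
	printf("post-fix: swap=%d destroy=%d freed under dump=%d\n",
	       new.rc_swap, new.rc_destroy, new.freed_under_dump);
	return 0;
}
```

The point the model makes explicit: a reference that can be moved between objects by another operation is not a pin. The dump's reference has to live on a counter that swap never touches, and both mutating operations must check it.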
* Suppress unnecessary stderr in command loop for resize and list (Jozsef Kadlecsik, 2016-03-16; 1 file, -1/+1)
* Correction in comment test (Jozsef Kadlecsik, 2016-03-16; 1 file, -2/+2)
* Support chroot buildroots (Jozsef Kadlecsik, 2016-03-13; 1 file, -1/+2)

    The calling of modinfo at `make modules_install` did not take into account
    chroot buildroots (reported by Jan Engelhardt).
* Fix "configure" breakage due to pkg-config related changes (Jozsef Kadlecsik, 2016-03-13; 1 file, -0/+2)

    The support for older pkg-config packages broke the "configure" script
    (reported by Jan Engelhardt).
* ipset 6.28 released [tag v6.28] (Jozsef Kadlecsik, 2016-03-12; 3 files, -1/+17)
* netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length (Jozsef Kadlecsik, 2016-03-08; 2 files, -1/+4)

    Julia Lawall pointed out that the IPSET_ATTR_ETHER netlink attribute length
    was not checked explicitly, just for the maximum possible size. Malicious
    netlink clients could send a shorter attribute, thus resulting in a kernel
    read past the buffer. The patch adds the explicit length checks.

    Reported-by: Julia Lawall <julia.lawall@lip6.fr>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
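The bug class in the commit above, shown on a user-space model of a netlink attribute. This is an added example, not ipset's or the kernel's code: `build_msg`, `policy_ok`, `ether_copy_unchecked`, `ether_copy_checked` and the `demo_*` functions are hypothetical names, the 4-byte len/type header mirrors netlink's attribute layout, and `policy_ok` stands in for a policy that only bounds the maximum length. A 2-byte attribute passes the bound; the unchecked copy then pulls four bytes that were never part of the attribute (here the alignment padding and the next attribute's header), while the checked copy rejects it before touching the payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN   6
#define ATTR_ETHER 1           /* stands in for IPSET_ATTR_ETHER */
#define ATTR_NEXT  2           /* whatever attribute follows in the message */
#define HDRLEN     4           /* netlink-style header: u16 len (incl. header), u16 type */
#define ALIGN4(n)  (((n) + 3u) & ~3u)

/* Total length of the attribute at buf[off], header included. */
static unsigned attr_len(const uint8_t *buf, unsigned off)
{
	uint16_t len;
	memcpy(&len, buf + off, sizeof len);
	return len;
}

/* What a max-length-only policy enforces: payload <= ETH_ALEN, nothing more. */
static int policy_ok(const uint8_t *buf, unsigned off)
{
	unsigned len = attr_len(buf, off);
	return len >= HDRLEN && len - HDRLEN <= ETH_ALEN;
}

/* Constructed message: [ETHER attr, plen payload bytes][pad][NEXT attr, 8 x 0xEE].
 * Every byte not explicitly written is 0xCC so over-reads are easy to spot. */
static void build_msg(uint8_t *buf, unsigned bufsz, const uint8_t *payload, unsigned plen)
{
	uint16_t len = (uint16_t)(HDRLEN + plen), type = ATTR_ETHER;
	unsigned off;

	memset(buf, 0xCC, bufsz);
	memcpy(buf, &len, 2);
	memcpy(buf + 2, &type, 2);
	memcpy(buf + HDRLEN, payload, plen);

	off = ALIGN4(len);
	len = HDRLEN + 8;
	type = ATTR_NEXT;
	memcpy(buf + off, &len, 2);
	memcpy(buf + off + 2, &type, 2);
	memset(buf + off + HDRLEN, 0xEE, 8);
}

/* Pre-fix pattern: trust the policy bound, then copy a fixed ETH_ALEN bytes. */
static int ether_copy_unchecked(const uint8_t *buf, unsigned off, uint8_t out[ETH_ALEN])
{
	if (!policy_ok(buf, off))
		return -1;
	memcpy(out, buf + off + HDRLEN, ETH_ALEN);   /* reads past a short payload */
	return 0;
}

/* Post-fix pattern: require the exact length before touching the payload. */
static int ether_copy_checked(const uint8_t *buf, unsigned off, uint8_t out[ETH_ALEN])
{
	if (!policy_ok(buf, off))
		return -1;
	if (attr_len(buf, off) - HDRLEN != ETH_ALEN)
		return -2;                               /* protocol error to the client */
	memcpy(out, buf + off + HDRLEN, ETH_ALEN);
	return 0;
}

/* A 2-byte ETHER attribute through the unchecked path; out[] shows what was read. */
int demo_unchecked_short(uint8_t out[ETH_ALEN])
{
	static const uint8_t two[2] = { 0xAA, 0xBB };
	uint8_t msg[64];
	build_msg(msg, sizeof msg, two, sizeof two);
	return ether_copy_unchecked(msg, 0, out);
}

/* The same short attribute through the checked path. */
int demo_checked_short(void)
{
	static const uint8_t two[2] = { 0xAA, 0xBB };
	uint8_t msg[64], out[ETH_ALEN];
	build_msg(msg, sizeof msg, two, sizeof two);
	return ether_copy_checked(msg, 0, out);
}

/* A well-formed 6-byte attribute through the checked path. */
int demo_checked_exact(uint8_t out[ETH_ALEN])
{
	static const uint8_t mac[ETH_ALEN] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
	uint8_t msg[64];
	build_msg(msg, sizeof msg, mac, sizeof mac);
	return ether_copy_checked(msg, 0, out);
}

int main(void)
{
	uint8_t out[ETH_ALEN];
	int i;

	demo_unchecked_short(out);
	printf("unchecked copy of a 2-byte attribute read:");
	for (i = 0; i < ETH_ALEN; i++)
		printf(" %02x", out[i]);
	printf("\nchecked path on the same attribute returned %d\n", demo_checked_short());
	return 0;
}
```

The general rule this illustrates: a maximum-length policy protects the parser's own bounds, not the consumer's. Any code that copies a fixed number of bytes out of a variable-length attribute needs its own `nla_len(...) != expected` style check, which is exactly what the commit adds and what the later hash:ipmac commit on this page extends to the second set type.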
* Fix __aligned_u64 compatibility support for older kernel releases (Jozsef Kadlecsik, 2016-02-29; 3 files, -6/+2)

    The issue was reported by Mart Frauenlob.
* Support older pkg-config packages (Jozsef Kadlecsik, 2016-02-29; 1 file, -0/+17)

    Resolve the pkg-config 0.28 or greater dependency introduced by the patch
    "Add bash completion to the install routine."
* Add bash completion to the install routine. (Mart Frauenlob, 2016-02-26; 4 files, -2/+20)

    Add the configure option --enable-bashcompl (default disabled).
    The PKG_CHECK_VAR requires pkg-config 0.28 or greater.

    Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add compatibility to support EXPORT_SYMBOL_GPL in module.h (Jozsef Kadlecsik, 2016-02-24; 2 files, -0/+15)

    Fixes netfilter bugzilla id #1008
* Fix misleading error message with comment extension (Jozsef Kadlecsik, 2016-02-24; 1 file, -1/+1)

    The error message was totally misleading when the comment extension was
    used but the set was defined without the extension. Reported by Drunkard
    Zhang.
* Fix set:list type crash when flush/dump set in parallel (Jozsef Kadlecsik, 2016-02-24; 2 files, -30/+28)

    Flushing/listing entries was not RCU safe, so a parallel flush/dump could
    lead to a kernel crash. Bug reported by Deniz Eren.

    Fixes netfilter bugzilla id #1050.
* netfilter: nfnetlink: pass down netns pointer to call() and call_rcu() (Jozsef Kadlecsik, 2016-02-16; 3 files, -48/+69)

    Backport patch from Pablo Neira Ayuso <pablo@netfilter.org>
* Test added to check 0.0.0.0/0,iface to be matched in hash:net,iface type (Jozsef Kadlecsik, 2016-01-13; 2 files, -0/+14)
* netfilter: ipset: allow a 0 netmask with hash_netiface type (Florian Westphal, 2016-01-13; 1 file, -4/+0)

    Jozsef says:
      The correct behaviour is that if we have

      ipset create test1 hash:net,iface
      ipset add test1 0.0.0.0/0,eth0
      iptables -A INPUT -m set --match-set test1 src,src

      then the rule should match for any traffic coming in through eth0.

    This removes the -EINVAL runtime test to make matching work in case packet
    arrived via the specified interface.

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1297092
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix link with libtool >= 2.4.4 (Olivier Blin, 2016-01-09; 1 file, -1/+1)

    As of libtool-2.4.4, -ldl is no longer prepended to LIBS.

    Since types.c needs dlopen() and dlerror(), use LIBADD_DLOPEN, as suggested
    in the libtool-2.4.4 release notes.

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.27 released [tag v6.27] (Jozsef Kadlecsik, 2015-11-07; 3 files, -1/+18)
* Fix reported memory size for hash:* types (Jozsef Kadlecsik, 2015-11-07; 1 file, -7/+9)

    The calculation of the full allocated memory did not take into account the
    size of the base hash bucket structure in some places.

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix hash type expire: release empty hash bucket block (Jozsef Kadlecsik, 2015-11-07; 1 file, -4/+10)

    When all entries are expired/all slots are empty, release the bucket.

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix hash:* type expiration (Jozsef Kadlecsik, 2015-11-07; 1 file, -1/+1)

    An incorrect index was used when the data blob was shrunk at expiration,
    which could lead to falsely expired entries and a memory leak when the
    comment extension was used too.

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
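Two commits on this page ("Fix hash:* type expiration" just above, and "Fix bug: sometimes valid entries in hash:* types of sets were evicted" near the top) are the same bug class: while a bucket is being shrunk into a compact block, the source index and the destination index get mixed up, and entries that should survive are lost. The following is an added model of that class, not ipset's bucket code: `struct bucket`, `bucket_del_shrink`, `bucket_find`, `bucket_fill` and `survivors_after_delete` are hypothetical names, the 16-slot bucket with a `used` bitmap is an assumed layout, and the `buggy` flag selects the one-token mistake (marking the new block's `used` bit with the source index instead of the destination index). The check it ends with is the same idea as the regression test the page lists as "New test to verify that only the intended entries are deleted at hash types": delete one entry, then confirm every other entry is still found.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 16  /* illustrative bucket capacity; used bits fit in a uint32_t */

/* Illustrative bucket: slot i is live iff bit i of `used` is set; `pos` is the
 * number of slots the block currently holds. Not ipset's layout. */
struct bucket {
	uint32_t elem[SLOTS];
	uint32_t used;
	unsigned pos;
};

static int slot_used(const struct bucket *b, unsigned i)
{
	return (b->used >> i) & 1u;
}

/* Look up a value among the live slots below pos; returns the slot or -1. */
int bucket_find(const struct bucket *b, uint32_t value)
{
	unsigned i;

	for (i = 0; i < b->pos; i++)
		if (slot_used(b, i) && b->elem[i] == value)
			return (int)i;
	return -1;
}

/* Delete slot `del`, then rebuild the bucket as a compact block of the live
 * entries. j walks the old block, k is the write position in the new one.
 * buggy != 0 reproduces the bug class: the used bit is set with j, not k. */
void bucket_del_shrink(struct bucket *b, unsigned del, int buggy)
{
	struct bucket nb;
	unsigned j, k = 0;

	memset(&nb, 0, sizeof nb);
	b->used &= ~(1u << del);
	for (j = 0; j < b->pos; j++) {
		if (!slot_used(b, j))
			continue;
		nb.elem[k] = b->elem[j];
		nb.used |= 1u << (buggy ? j : k);
		k++;
	}
	nb.pos = k;
	*b = nb;
}

/* Fill slots 0..n-1 with the values 100..100+n-1 (constructed test data). */
void bucket_fill(struct bucket *b, unsigned n)
{
	unsigned i;

	memset(b, 0, sizeof *b);
	for (i = 0; i < n; i++) {
		b->elem[i] = 100 + i;
		b->used |= 1u << i;
	}
	b->pos = n;
}

/* Delete the value 102 from a five-entry bucket and report how many of the
 * other four entries are still found afterwards. Correct code: 4. */
int survivors_after_delete(int buggy)
{
	struct bucket b;
	uint32_t v;
	int found = 0;

	bucket_fill(&b, 5);
	bucket_del_shrink(&b, 2, buggy);
	for (v = 100; v < 105; v++)
		if (v != 102 && bucket_find(&b, v) >= 0)
			found++;
	return found;
}

int main(void)
{
	printf("entries still found after deleting one of five: correct=%d buggy=%d\n",
	       survivors_after_delete(0), survivors_after_delete(1));
	return 0;
}
```

In the buggy run the entry copied from source slot 3 lands in destination slot 2 but is flagged as slot 3, so a lookup skips it, and the stale bit 4 now points past `pos`; that is the "valid entries could be evicted" symptom, and with per-entry extensions such as comment strings it is also how the leak described above arises, since the skipped entry's extension is never released.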
* Collapse same condition body to a single one (Jozsef Kadlecsik, 2015-11-07; 1 file, -7/+1)

    Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>