summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Fix set:list type crash when flush/dump set in parallelJozsef Kadlecsik2016-02-242-30/+28
| | | | | | | Flushing/listing entries was not RCU safe, so parallel flush/dump could lead to kernel crash. Bug reported by Deniz Eren. Fixes netfilter bugzilla id #1050.
* netfilter: nfnetlink: pass down netns pointer to call() and call_rcu()Jozsef Kadlecsik2016-02-163-48/+69
| | | | Backport patch from Pablo Neira Ayuso <pablo@netfilter.org>
* Test added to check 0.0.0.0/0,iface to be matched in hash:net,iface typeJozsef Kadlecsik2016-01-132-0/+14
|
* netfilter: ipset: allow a 0 netmask with hash_netiface typeFlorian Westphal2016-01-131-4/+0
| | | | | | | | | | | | | | | | | Jozsef says: The correct behaviour is that if we have ipset create test1 hash:net,iface ipset add test1 0.0.0.0/0,eth0 iptables -A INPUT -m set --match-set test1 src,src then the rule should match for any traffic coming in through eth0. This removes the -EINVAL runtime test to make matching work in case packet arrived via the specified interface. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1297092 Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix link with libtool >= 2.4.4Olivier Blin2016-01-091-1/+1
| | | | | | | | As of libtool-2.4.4, -ldl is no longer prepended to LIBS. Since types.c needs dlopen() and dlerror(), use LIBADD_DLOPEN, as suggested in libtool-2.4.4 release notes. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.27 releasedv6.27Jozsef Kadlecsik2015-11-073-1/+18
|
* Fix reported memory size for hash:* typesJozsef Kadlecsik2015-11-071-7/+9
| | | | | | | | The calculation of the full allocated memory did not take into account the size of the base hash bucket structure at some places. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix hash type expire: release empty hash bucket blockJozsef Kadlecsik2015-11-071-4/+10
| | | | | | When all entries are expired/all slots are empty, release the bucket. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix hash:* type expirationJozsef Kadlecsik2015-11-071-1/+1
| | | | | | | | Incorrect index was used when the data blob was shrinked at expiration, which could lead to falsely expired entries and memory leak when the comment extension was used too. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Collapse same condition body to a single oneJozsef Kadlecsik2015-11-071-7/+1
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix extension alignmentJozsef Kadlecsik2015-11-078-83/+66
| | | | | | | | | | | | | The data extensions in ipset lacked the proper memory alignment and thus could lead to kernel crash on several architectures. Therefore the structures have been reorganized and alignment attributes added where needed. The patch was tested on armv7h by Gerhard Wiesinger and on x86_64, sparc64 by Jozsef Kadlecsik. Reported-by: Gerhard Wiesinger <lists@wiesinger.com> Tested-by: Gerhard Wiesinger <lists@wiesinger.com> Tested-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Compatibility: include linux/export.h when neededJozsef Kadlecsik2015-10-283-27/+30
|
* Handle uint64_t alignment issue in ipset toolJozsef Kadlecsik2015-10-282-3/+7
|
* Compatibility: make sure vmalloc.h is included for kvfree()Jozsef Kadlecsik2015-10-261-0/+1
|
* Fix detecting 'struct net' in 'struct tcf_ematch'Jozsef Kadlecsik2015-10-192-1/+5
| | | | | Nikolay Borisov reported that the detection is broken. Fix checking in the right sctructure and wrap the call to dev_get_by_index_rcu() too.
* Protect definition of RCU_INIT_POINTER in compatibility header fileJozsef Kadlecsik2015-10-191-0/+4
| | | | | Nikolay Borisov reported that in 3.12.47 RCU_INIT_POINTER is redefined in ip_set_compat.h.in due to not protecting it individually.
* netfilter: ipset: Fix sleeping memory allocation in atomic contextNikolay Borisov2015-10-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 00590fdd5be0 introduced RCU locking in list type and in doing so introduced a memory allocation in list_set_add, which is done in an atomic context, due to the fact that ipset rcu list modifications are serialised with a spin lock. The reason why we can't use a mutex is that in addition to modifying the list with ipset commands, it's also being modified when a particular ipset rule timeout expires aka garbage collection. This gc is triggered from set_cleanup_entries, which in turn is invoked from a timer thus requiring the lock to be bh-safe. Concretely the following call chain can lead to "sleeping function called in atomic context" splat: call_ad -> list_set_uadt -> list_set_uadd -> kzalloc(, GFP_KERNEL). And since GFP_KERNEL allows initiating direct reclaim thus potentially sleeping in the allocation path. To fix the issue change the allocation type to GFP_ATOMIC, to correctly reflect that it is occuring in an atomic context. Fixes: 00590fdd5be0 ("netfilter: ipset: Introduce RCU locking in list type") Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Nikolay Borisov <kernel@kyup.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.26 releasedv6.26Jozsef Kadlecsik2015-08-283-1/+22
|
* Out of bound access in hash:net* types fixedJozsef Kadlecsik2015-08-256-5/+127
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Dave Jones reported that KASan detected out of bounds access in hash:net* types: [ 23.139532] ================================================================== [ 23.146130] BUG: KASan: out of bounds access in hash_net4_add_cidr+0x1db/0x220 at addr ffff8800d4844b58 [ 23.152937] Write of size 4 by task ipset/457 [ 23.159742] ============================================================================= [ 23.166672] BUG kmalloc-512 (Not tainted): kasan: bad access detected [ 23.173641] ----------------------------------------------------------------------------- [ 23.194668] INFO: Allocated in hash_net_create+0x16a/0x470 age=7 cpu=1 pid=456 [ 23.201836] __slab_alloc.constprop.66+0x554/0x620 [ 23.208994] __kmalloc+0x2f2/0x360 [ 23.216105] hash_net_create+0x16a/0x470 [ 23.223238] ip_set_create+0x3e6/0x740 [ 23.230343] nfnetlink_rcv_msg+0x599/0x640 [ 23.237454] netlink_rcv_skb+0x14f/0x190 [ 23.244533] nfnetlink_rcv+0x3f6/0x790 [ 23.251579] netlink_unicast+0x272/0x390 [ 23.258573] netlink_sendmsg+0x5a1/0xa50 [ 23.265485] SYSC_sendto+0x1da/0x2c0 [ 23.272364] SyS_sendto+0xe/0x10 [ 23.279168] entry_SYSCALL_64_fastpath+0x12/0x6f The bug is fixed in the patch and the testsuite is extended in ipset to check cidr handling more thoroughly.
* Warn about loaded in ip_set modules at module installationJozsef Kadlecsik2015-08-251-0/+11
|
* Use IPSET_BIN in resize-and-list.sh and suppress echoing of loop variableJozsef Kadlecsik2015-08-241-5/+4
|
* Manpage typo correctionsDavid Wittman2015-07-201-3/+3
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix grammar error in manpageNeutron Soutmun2015-07-201-1/+1
| | | | | | | | | | Refer to: https://bugs.launchpad.net/ubuntu/+source/lintian/+bug/608231 The "allows to" is a common grammar error which it will probably be replaced by "allows one to" as a suggestion in above bug report page. Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Make struct htype per ipset familyJozsef Kadlecsik2015-06-2611-74/+63
| | | | | | | | | | | Before this patch struct htype created at the first source of ip_set_hash_gen.h and it is common for both IPv4 and IPv6 set variants. Make struct htype per ipset family and use NLEN to make nets array fixed size to simplify struct htype allocation. Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.
* Optimize hash creation routineJozsef Kadlecsik2015-06-261-34/+29
| | | | | | | Exit as easly as possible on error and use RCU_INIT_POINTER() as set is not seen at creation time. Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.
* Make sure element data size is a multiple of u32Jozsef Kadlecsik2015-06-261-2/+8
| | | | | | | Data for hashing required to be array of u32. Make sure that element data always multiple of u32. Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.
* Make NLEN compile time constant for hash typesJozsef Kadlecsik2015-06-261-26/+21
| | | | | | | | Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h and the only place where NLEN needed to be calculated at runtime is *_create() method. Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.
* Simplify mtype_expire() for hash typesJozsef Kadlecsik2015-06-261-17/+17
| | | | | | | | | | Remove redundant parameters nets_length and dsize: they could be get from other parameters. Remove one leve of intendation by using continue while iterating over elements in bucket. Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.
* Count non-static extension memory into the set memory size for userspaceJozsef Kadlecsik2015-06-266-21/+32
| | | | | | | | Non-static (i.e. comment) extension was not counted into the memory size. A new internal counter is introduced for this. In the case of the hash types the sizes of the arrays are counted there as well so that we can avoid to scan the whole set when just the header data is requested.
* net: sched: Simplify em_ipset_matchEric W. Biederman2015-06-251-2/+2
| | | | | | | | | em->net is always set and always available, use it in preference to dev_net(skb->dev). Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.25.1 releasedv6.25.1Jozsef Kadlecsik2015-06-253-1/+10
|
* net/netfilter/ipset: work around gcc-4.4.4 initializer bugAndrew Morton2015-06-252-4/+16
| | | | | | | | | | | | | | | | | gcc-4.4.4 (at least) isn't able to handle the mixture of anonymous unions and declaration-time intializers. Work around this. net/netfilter/ipset/ip_set_hash_netnet.c: In function 'hash_netnet4_uadt': net/netfilter/ipset/ip_set_hash_netnet.c:163: error: unknown field 'cidr' specified in initializer net/netfilter/ipset/ip_set_hash_netnet.c:163: warning: missing braces around initializer net/netfilter/ipset/ip_set_hash_netnet.c:163: warning: (near initialization for 'e.<anonymous>.ip') ... Fixes: ea53ac5b630e813ae ("netfilter: ipset: Add hash:net,net module to kernel.) Cc: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset manpage: refer to iptables-extensionsJozsef Kadlecsik2015-06-251-1/+2
|
* Update userspace header file from the kernel treeJozsef Kadlecsik2015-06-251-3/+8
|
* Handle 'extern "C" {' in check_libmap.shJozsef Kadlecsik2015-06-251-1/+1
|
* ipset 6.25 releasedv6.25Jozsef Kadlecsik2015-06-253-1/+80
|
* Add element count to all set types headerJozsef Kadlecsik2015-06-2537-48/+94
| | | | | | It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types.
* Add element count to hash headersEric B Munson2015-06-1971-81/+163
| | | | | | | | | | | | | | | | | | | | | | It would be useful for userspace to query the size of an ipset hash, however, this data is not exposed to userspace outside of counting the number of member entries. This patch uses the attribute IPSET_ATTR_ELEMENTS to indicate the size in the the header that is exported to userspace. This field is then printed by the userspace tool for hashes. Because it is only meaningful for hashes to report their size, the output is conditional on the set type. To do this checking the MATCH_TYPENAME macro was moved to utils.h. The bulk of this patch changes the expected test suite to account for the change in output. Signed-off-by: Eric B Munson <emunson@akamai.com> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Josh Hunt <johunt@akamai.com> Cc: netfilter-devel@vger.kernel.org Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netlink: implement nla_put_in_addr and nla_put_in6_addrJiri Benc2015-06-133-3/+27
| | | | | | | | | | | | | | | | IP addresses are often stored in netlink attributes. Add generic functions to do that. For nla_put_in_addr, it would be nicer to pass struct in_addr but this is not used universally throughout the kernel, in way too many places __be32 is used to store IPv4 address. Signed-off-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Compatibility part added. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: deinline ip_set_put_extensions()Denys Vlasenko2015-06-132-23/+27
| | | | | | | | | | | | | | | | | | | | | | n x86 allyesconfig build: The function compiles to 489 bytes of machine code. It has 25 callsites. text data bss dec hex filename 82441375 22255384 20627456 125324215 7784bb7 vmlinux.before 82434909 22255384 20627456 125317749 7783275 vmlinux Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com> CC: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> CC: Eric W. Biederman <ebiederm@xmission.com> CC: David S. Miller <davem@davemloft.net> CC: Jan Engelhardt <jengelh@medozas.de> CC: Jiri Pirko <jpirko@redhat.com> CC: linux-kernel@vger.kernel.org CC: netdev@vger.kernel.org CC: netfilter-devel@vger.kernel.org Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix error path in mtype_resize() when new hash bucket cannot be allocatedJozsef Kadlecsik2015-06-131-10/+15
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* There is no need to call synchronize_rcu() after list_add_rcu()Jozsef Kadlecsik2015-06-131-1/+1
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix typo in function name get_phyoutdev_name()Jozsef Kadlecsik2015-06-131-2/+2
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Separate memsize calculation code into dedicated functionsJozsef Kadlecsik2015-05-062-10/+31
| | | | | | | | | | Hash types already has it's memsize calculation code in separate functions. Do the same for *bitmap* and *list* sets. Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>. Suggested-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Split extensions into separate filesJozsef Kadlecsik2015-05-064-92/+122
| | | | | | | Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>. Suggested-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Improve comment extension helpersJozsef Kadlecsik2015-05-061-1/+1
| | | | | | | | | Allocate memory with kmalloc() rather than kzalloc(). Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>. Suggested-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Improve skbinfo get/init helpersJozsef Kadlecsik2015-05-053-30/+24
| | | | | | | | | | | Use struct ip_set_skbinfo in struct ip_set_ext instead of open coded fields and assign structure members in get/init helpers instead of copying members one by one. Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>. Suggested-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Headers file cleanupJozsef Kadlecsik2015-05-053-31/+31
| | | | | | | | | | Remove extra whitespace, group counter helper together. Mark some of the helpers arguments as const. Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>. Suggested-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Correct rcu_dereference_bh_nfnl() usageJozsef Kadlecsik2015-05-051-4/+6
| | | | | | | | | | | | | When rcu_dereference_bh_nfnl() macro would be defined on the target system if will accept pointer and subsystem id. Check if rcu_dereference_bh_nfnl() is defined and make it accepting two arguments. Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>. Suggested-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: bridge: add helpers for fetching physin/outdevpabloFlorian Westphal2015-04-273-9/+52
| | | | | | | | | | | | | | | | right now we store this in the nf_bridge_info struct, accessible via skb->nf_bridge. This patch prepares removal of this pointer from skb: Instead of using skb->nf_bridge->x, we use helpers to obtain the in/out device (or ifindexes). Followup patches to netfilter will then allow nf_bridge_info to be obtained by a call into the br_netfilter core, rather than keeping a pointer to it in sk_buff. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
generated by cgit v1.2.3 (git 2.25.0) at 2024-11-16 12:00:34 +0000