| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Get rid of the structure based extensions and introduce a blob for
the extensions. Thus we can support more extension types easily.
|
|
|
|
|
|
| |
Default timeout and extension offsets are moved to struct set, because
all set types supports all extensions and it makes possible to generalize
extension support.
|
| |
|
|
|
|
|
|
| |
In order to support hash:net,net, hash:net,port,net etc. types,
arrays are introduced for the book-keeping of existing cidr sizes
and network numbers in a set.
|
|
|
|
|
|
|
|
| |
ip[6]tables set match and SET target need to know the family of the set
in order to reject adding rules which refer to a set with a non-mathcing
family. Currently such rules are silently accepted and then ignored
instead of generating a clear error message to the user, which is not
helpful.
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Reported by Quentin Armitage, closes netfilter bugzilla id #844.
|
| |
|
|
|
|
| |
Reported by Quentin Armitage, netfilter bugzilla id #843.
|
|
|
|
| |
Bug reported by Quentin Armitage, netfilter bugzilla id #843.
|
|
|
|
| |
Reported by Quentin Armitage, netfilter bugzilla id #843.
|
|
|
|
|
|
|
| |
Option like "netmask" depends on the INET family, so parse "family"
first, then the rest of the options.
Bug reported by Quentin Armitage, closed netfilter bugzilla #841.
|
|
|
|
|
|
|
|
|
| |
The only place in ipset where ipset_parse_elem is called is src/ipset.c. The
second parameter to the function call is type->last_elem_optional, which is of
type bool, but ipset_parse_elem is defined in lib/parse.c with the second
parameter having type enum ipset_opt.
The use in lib/parse.c is clearly as a bool.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The "nomatch" commandline flag should invert the matching at testing,
similarly to the --return-nomatch flag of the "set" match of iptables.
Until now it worked with the elements with "nomatch" flag only. From
now on it works with elements without the flag too, i.e:
# ipset n test hash:net
# ipset a test 10.0.0.0/24 nomatch
# ipset t test 10.0.0.1
10.0.0.1 is NOT in set test.
# ipset t test 10.0.0.1 nomatch
10.0.0.1 is in set test.
# ipset a test 192.168.0.0/24
# ipset t test 192.168.0.1
192.168.0.1 is in set test.
# ipset t test 192.168.0.1 nomatch
192.168.0.1 is NOT in set test.
Before the patch the results were
...
# ipset t test 192.168.0.1
192.168.0.1 is in set test.
# ipset t test 192.168.0.1 nomatch
192.168.0.1 is in set test.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Due to the ipset kernel API changes, em_ipset.c needs to be provided
in the ipset package, reported by Jan Engelhardt:
WARNING: //lib/modules/3.7.10-jng15-default/kernel/net/sched/em_ipset.ko
disagrees about version of symbol ip_set_test
|
|
|
|
|
| |
Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
| |
libipset.pc was not installed by classic 'make install'. This
patch adds it to the list of installed files.
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
The external kernel modules are installed in the extra subdir in
/lib/modules/<kernelrelease>/, but depmod in some distributions
(at least in Ubuntu 12.04 LTS) ingores the subdir. Warn about it,
because that way the modules are actually not available there.
Reported by Husnu Demir and tian fang.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enable ipset port set types to match IPv4 package fragments for
protocols that doesn't have ports (or the port information isn't
supported by ipset).
For example this allows a hash:ip,port ipset containing the entry
192.168.0.1,gre:0 to match all package fragments for PPTP VPN tunnels
to/from the host. Without this patch only the first package fragment
(with fragment offset 0) was matched, while subsequent fragments wasn't.
This is not possible for IPv6, where the protocol is in the fragmented
part of the package unlike IPv4, where the protocol is in the IP header.
IPPROTO_ICMPV6 is deliberately not included, because it isn't relevant
for IPv4.
Signed-off-by: Anders K. Pedersen <akp@surftown.com>
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Reported-by: David Laight <David.Laight@ACULAB.COM>
|
|
|
|
| |
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
net/netfilter/ipset/ip_set_hash_ipportnet.c:275:20:
warning: symbol 'cidr' shadows an earlier one
|
|
|
|
| |
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
| |
The new revision of the set match supports to match the counters
and to suppress updating the counters at matching too.
At the set:list types, the updating of the subcounters can be
suppressed as well.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|