| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
The square brackets are introduced as an escape mechanism to
enter hostnames or service names with dash in order to avoid
mixing up the dash in the name with the range notation.
Problem reported by Stephen Hemminger and Marc Guardiola.
|
| |
|
|
|
| |
Timed out entries were still matched till the garbage collector
purged them out. The fix is verified in the testsuite.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The "nomatch" keyword and option is added to the hash:*net* types,
by which one can add exception entries to sets. Example:
ipset create test hash:net
ipset add test 192.168.0/24
ipset add test 192.168.0/30 nomatch
In this case the IP addresses from 192.168.0/24 except 192.168.0/30
match the elements of the set.
|
| |
|
|
|
|
|
| |
These files are non modular, but need to export symbols using
the macros now living in export.h -- call out the include so
that things won't break when we remove the implicit presence
of module.h from everywhere.
|
| |
|
|
|
| |
If the set is full, the SET target cannot add more elements.
Log warning so that the admin got notified about it.
|
| |
|
|
|
| |
The libipset library is complete by this step, and "ipset" just
a CLI interface based on the lib.
|
| | |
|
| |
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
| |
The .c files used to build the plugins for ipset all use #include
<libipset/...>, so the files we install should preferably also be in a
directory called "libipset" rather than just "ipset".
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
| |
The other linux_ip_set*.h files are shipped, so this one probably
should too.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
| |
libipset/types.h, which is installed by default, requires nfproto.h.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
| |
We need to visit that directory, otherwise `make install` is
incomplete and `make distcheck` fails.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
| |
Only ignore these paths if they are a directory.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| | |
|
| |
|
|
|
| |
The ICMP/ICMPv6 type/code parser swapped the type and code values.
(Bug reported by Sabitov)
|
| |
|
|
|
|
|
|
|
|
|
| |
The protocol argument to getservbyname() must be lowercase tcp not
uppercase TCP. This fixes the bug observed by:
# ipset add foo http
ipset v6.9.1: Syntax error: 'http' is invalid as number
Syntax error: cannot parse 'http' as a TCP port
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| |
|
|
| |
warning: 'ip_to' may be used uninitialized in this function
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Distributors (like Fedora) might be interested in including the ipset
tools and libs, but they often don't want to build and ship external
kernel modules, especially if those modules are already included in
their kernel packages.
This patch introduces a new --with-kmod configure option that can be
used to conditionally build the kernel module. The module is still built
by default, to preserve compatibility.
A user who wants to build only the user-space part of ipset can do so by
running the following:
$ ./autogen.sh
$ configure --with-kmod=no
$ make
# make install
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
The Kconfig file is not used at building ipset as external system,
still let the file be complete.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[The patch changes the API of the netlink_dump_start interface: port
it to the standalone ipset package.]
The message size allocated for rtnl ifinfo dumps was limited to
a single page. This is not enough for additional interface info
available with devices that support SR-IOV and caused a bug in
which VF info would not be displayed if more than approximately
40 VFs were created per interface.
Implement a new function pointer for the rtnl_register service that will
calculate the amount of data required for the ifinfo dump and allocate
enough data to satisfy the request.
Signed-off-by: Greg Rose <gregory.v.rose@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It was suggested by "make versioncheck" that the follwing includes of
linux/version.h are redundant:
/home/jj/src/linux-2.6/net/caif/caif_dev.c: 14 linux/version.h not needed.
/home/jj/src/linux-2.6/net/caif/chnl_net.c: 10 linux/version.h not needed.
/home/jj/src/linux-2.6/net/ipv4/gre.c: 19 linux/version.h not needed.
/home/jj/src/linux-2.6/net/netfilter/ipset/ip_set_core.c: 20 linux/version.h not needed.
/home/jj/src/linux-2.6/net/netfilter/xt_set.c: 16 linux/version.h not needed.
and it seems that it is right.
Beyond manually inspecting the source files I also did a few build
tests with various configs to confirm that including the header in
those files is indeed not needed.
Here's a patch to remove the pointless includes.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |\
| |
| |
| | |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The library cannot stand on its own:
19:13 seven:../ipset/lib > ldd -r .libs/libipset.so.1
linux-vdso.so.1 => (0x00007fff9a569000)
libmnl.so.0 => /usr/lib64/libmnl.so.0 (0x00007fd42ae5c000)
libc.so.6 => /lib64/libc.so.6 (0x00007fd42aaef000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd42b28d000)
undefined symbol: ipset_errcode (.libs/libipset.so.1)
Resolve this by moving ipset_errcode into the library.
Reported-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
References: http://marc.info/?l=netfilter-devel&m=131435791514602&w=2
|
| | |
| |
| |
| |
| |
| |
| | |
Needed to stop an automated build process when automake requirements
are not fulfilled.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |/
|
|
|
| |
ipset is actually using NFPROTO values rather than AF (xt_set passes
that along).
|
| |
|
|
|
|
| |
With the header file restructuring, the ipset userspace enums IPSET_DIM_*
clash with the kernel ones. In this patch the userspace is converted to
use the kernel part enums and thus we got rid of userspace enums IPSET_DIM_*.
|
| |
|
|
|
|
|
| |
iptables's libxt_SET.c depends on these.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When using the xt_set.h header in userspace, one will get these gcc
reports:
ipset/ip_set.h:184:1: error: unknown type name "u16"
In file included from libxt_SET.c:21:0:
netfilter/xt_set.h:61:2: error: unknown type name "u32"
netfilter/xt_set.h:62:2: error: unknown type name "u32"
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
|
| |
Removing unnecessary messages saves code and text.
Site specific OOM messages are duplications of a generic MM
out of memory message and aren't really useful, so just
delete them.
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
| |
If there was a dumping error in the middle, the set-specific variable was
not zeroed out and thus the 'done' function of the dumping wrongly tried
to release the already released reference of the set. The already released
reference was caught by __ip_set_put and triggered a kernel BUG message.
The issue was reported by Jean-Philippe Menil.
|
| |
|
|
|
|
| |
Jan Engelhardt noticed when userspace requests a set type unknown
to the kernel, it can lead to a loop due to the unsafe type module
loading. The issue is fixed in this patch.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Some gcc versions warn about prototypes without "inline" when the declaration
includes the "inline" keyword. The fix generates a false error message
"marked inline, but without a definition" with sparse below 0.4.2.
Signed-off-by: Chris Friesen <chris.friesen@genband.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If overlapping networks with different interfaces was added to
the set, the type did not handle it properly. Example
ipset create test hash:net,iface
ipset add test 192.168.0.0/16,eth0
ipset add test 192.168.0.0/24,eth1
Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned
a match.
In the patch the algorithm is fixed in order to correctly handle
overlapping networks.
Limitation: the same network cannot be stored with more than 64 different
interfaces in a single set.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The hash:net,iface type makes possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:
# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1
|
| | |
|
