summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Accept "\r\n" terminated lines in restore filesJozsef Kadlecsik2011-05-211-2/+2
|
* Removed old, not used hashing method ip_set_chashJozsef Kadlecsik2011-05-202-1253/+0
|
* Remove variable 'ret' in type_pf_tdel(), which is set but not usedJozsef Kadlecsik2011-05-201-2/+2
|
* Use proper timeout parameter to jiffies conversionJozsef Kadlecsik2011-05-201-8/+10
|
* Remove outdated checking of IPv6 support from configure.acJozsef Kadlecsik2011-05-171-5/+0
| | | | | | ipset can be compiled without IPv6 support since 6.0, however the outdated checking in configure.ac made it not possible. (reported by Denys Fedoryshchenko)
* ipset 6.5 releasedv6.5Jozsef Kadlecsik2011-05-153-1/+13
|
* Support range for IPv4 at adding/deleting elements for hash:*net* typesJozsef Kadlecsik2011-05-1527-96/+562
| | | | | | | | | | | | | | | | | | | The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30
* Disable type revisions which are not supported both by the kernel and ipsetJozsef Kadlecsik2011-05-131-0/+13
|
* Update ipset help text to reflect SCTP and UDPLITE supportJozsef Kadlecsik2011-05-121-3/+3
|
* Set type support with multiple revisions addedJozsef Kadlecsik2011-05-1112-32/+49
| | | | | A set type may have multiple revisions, for example when syntax is extended. Support continuous revision ranges in set types.
* Fix adding ranges to hash typesJozsef Kadlecsik2011-05-0622-34/+229
| | | | | | When ranges are added to hash types, the elements may trigger rehashing the set. However, the last successfully added element was not kept track so the adding started again with the first element after the rehashing. Bug reported by Mr Dash Four.
* Ignore -n flag (list just setnames) when sets are to be savedJozsef Kadlecsik2011-05-061-1/+2
|
* ipset 6.4 releasedv6.4Jozsef Kadlecsik2011-04-193-1/+13
|
* Get rid of the trailing empty line at listing sets.Jozsef Kadlecsik2011-04-1967-77/+22
| | | | | | | Also, remove the empty "members" section when listing just the set headers. Testsuite is updated to reflect the changes in the output.
* Fix XML listing, remove broken unused "elements" tagJozsef Kadlecsik2011-04-181-1/+1
|
* Support listing setnames and headers tooJozsef Kadlecsik2011-04-187-33/+118
| | | | | | Current listing makes possible to list sets with full content only. The patch adds support partial listings, i.e. listing just the existing setnames or listing set headers, without set members.
* Fix order of listing of setsJozsef Kadlecsik2011-04-184-8/+51
| | | | | | | | A restoreable saving of sets requires that list:set type of sets come last and the code part which should have taken into account the ordering was broken. The patch fixes the listing order. Testsuite entry added which checks the listing order.
* Options and flags support added to the kernel APIJozsef Kadlecsik2011-04-1818-138/+241
| | | | | | The support makes possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries.
* Sorting is dependent on the locale settings, use LC_ALL=CJozsef Kadlecsik2011-04-116-8/+12
|
* Use unified diff output in testsJozsef Kadlecsik2011-04-1124-66/+66
|
* ipset 6.3 releasedv6.3Jozsef Kadlecsik2011-04-103-1/+13
|
* Testsuite checks addedJozsef Kadlecsik2011-04-103-0/+40
| | | | | | - check iptables match/target extensions with invalid number of dir parameters - check SET target with --del-set option
* set match and SET target fixesJozsef Kadlecsik2011-04-091-2/+16
| | | | | | | The SET target with --del-set did not work due to using wrongly the internal dimension of --add-set instead of --del-set. Also, the checkentries did not release the set references when returned an error. Bugs reported by Lennert Buytenhek.
* Whitespace fixes: some space before tab slipped in.Jozsef Kadlecsik2011-04-081-2/+2
|
* bitmap:ip,mac type requires "src" for MACJozsef Kadlecsik2011-04-082-3/+8
| | | | | | | | | Enforce that the second "src/dst" parameter of the set match and SET target must be "src", because we have access to the source MAC only in the packet. The previous behaviour, that the type required the second parameter but actually ignored the value was counter-intuitive and confusing. Manpage is updated to reflect the change.
* Testsuite changes: keep temporary filesJozsef Kadlecsik2011-04-0825-68/+68
| | | | | Keep temporary files in the tests and erase them only after successfully running the testsuite. This makes simpler to analyze failed tests.
* ipset/Kconfig was a mixed up kernel config file, fixed (Michael Tokarev)Jozsef Kadlecsik2011-03-291-1029/+73
|
* ipset 6.2 releasedv6.2Jozsef Kadlecsik2011-03-273-1/+10
|
* Manpage updateJozsef Kadlecsik2011-03-271-0/+2
|
* Timeout can be modified for already added elementsJozsef Kadlecsik2011-03-2721-101/+244
| | | | | | | | | | When an element to a set with timeout added, one can change the timeout by "readding" the element with the "-exist" flag. That means the timeout value is reset to the specified one (or to the default from the set specification if the "timeout n" option is not used). Example ipset add foo 1.2.3.4 timeout 10 ipset add foo 1.2.3.4 timeout 600 -exist
* Add explicit text message to detect patched kernel.Jozsef Kadlecsik2011-03-261-0/+13
|
* References are protected by rwlock instead of mutexJozsef Kadlecsik2011-03-258-56/+83
| | | | | | | The timeout variant of the list:set type must reference the member sets. However, its garbage collector runs at timer interrupt so the mutex protection of the references is a no go. Therefore the reference protection is converted to rwlock.
* list:set timeout variant fixesJozsef Kadlecsik2011-03-233-32/+61
| | | | | | | - the timeout value was actually not set - the garbage collector was broken The variant is fixed, the tests to the testsuite are added.
* ipset 6.1 releasedv6.1Jozsef Kadlecsik2011-03-193-1/+11
|
* Fix revision reportingJozsef Kadlecsik2011-03-192-5/+4
| | | | Revision reporting got broken by the revision checking patch, fixed.
* SCTP, UDPLITE support addedJozsef Kadlecsik2011-03-1815-43/+74
| | | | SCTP and UDPLITE port support added to the hash:*port* types.
* Fix checking the revision of the set type at create commandJozsef Kadlecsik2011-03-181-4/+16
| | | | | | The revision number was not checked at the create command: if the userspace sent a valid set type but with not supported revision number, it'd create a loop.
* Manpage was not installedJozsef Kadlecsik2011-03-181-0/+2
| | | | | Entry to install the manpage was missing from Makefile.am (reported by Mark A. Ziesemer)
* hash:ip,port* types with IPv4Jozsef Kadlecsik2011-03-185-94/+48
| | | | | | The hash:ip,port* types with IPv4 silently ignored when address ranges with non TCP/UDP were added/deleted from the set and the first address from the range was only used.
* netfilter:ipset: fix the compile warning in ip_set_createShan Wei2011-03-041-1/+1
| | | | | | | net/netfilter/ipset/ip_set_core.c:615: warning: ?clash? may be used uninitialized in this function Signed-off-by: shanw <shanw@shanw-desktop.(none)> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.0 releasedv6.0Jozsef Kadlecsik2011-02-035-14/+59
|
* Print protocol version together with ipset versionJozsef Kadlecsik2011-02-031-1/+2
|
* Reorganized kernel/ subdirJozsef Kadlecsik2011-02-0322-131/+1133
| | | | | The kernel/ subdirectory is reorganized to follow the kernel directory structure.
* netfilter: ipset: fix linking with CONFIG_IPV6=nPatrick McHardy2011-02-032-6/+19
| | | | | | | | | Add some #ifdefs to unconditionally return false in ip_set_get_ip6_port() when CONFIG_IPV6=n and convert to ipv6_skip_exthdr() to avoid pulling in the ip6_tables module when loading ipset. Signed-off-by: Patrick McHardy <kaber@trash.net>
* netfilter: ipset: send error message manuallyJozsef Kadlecsik2011-02-021-7/+26
| | | | | | | | | | | When a message carries multiple commands and one of them triggers an error, we have to report to the userspace which one was that. The line number of the command plays this role and there's an attribute reserved in the header part of the message to be filled out with the error line number. In order not to modify the original message received from the userspace, we construct a new, complete netlink error message and modifies the attribute there, then send it. Netlink is notified not to send its ACK/error message.
* netfilter: ipset: add missing break statemtns in ip_set_get_ip_port()Patrick McHardy2011-02-021-0/+2
| | | | | | | | Don't fall through in the switch statement, otherwise IPv4 headers are incorrectly parsed again as IPv6 and the return value will always be 'false'. Signed-off-by: Patrick McHardy <kaber@trash.net>
* netfilter: ipset: add missing include to xt_set.hPatrick McHardy2011-02-011-0/+1
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* netfilter: ipset: remove unnecessary includesPatrick McHardy2011-02-019-27/+0
| | | | | | | | | None of the set types need uaccess.h since this is handled centrally in ip_set_core. Most set types additionally don't need bitops.h and spinlock.h since they use neither. tcp.h is only needed by those using before(), udp.h is not needed at all. Signed-off-by: Patrick McHardy <kaber@trash.net>
* netfilter: ipset: use nla_parse_nested()Patrick McHardy2011-02-011-26/+16
| | | | | | | | | | | | Replace calls of the form: nla_parse(tb, ATTR_MAX, nla_data(attr), nla_len(attr), policy) by: nla_parse_nested(tb, ATTR_MAX, attr, policy) Signed-off-by: Patrick McHardy <kaber@trash.net>
* Testsuite compatibility with debugging enabledJozsef Kadlecsik2011-02-011-1/+1
| | | | | The error line checking would fail when debugging is enabled (and spit out junk lines), fixed.