summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* netfilter: ipset: Support comments for ipset entries in the core.Oliver Smith2013-09-234-8/+118
| | | | | | | | | | | | | This adds the core support for having comments on ipset entries. The comments are stored as standard null-terminated strings in dynamically allocated memory after being passed to the kernel. As a result of this, code has been added to the generic destroy function to iterate all extensions and call that extension's destroy task if the set has that extension activated, and if such a task is defined. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Add userspace code to support hash:net,net kernel module.Oliver Smith2013-09-2015-2/+640
| | | | | | | | | This adds the userspace library, tests to validate correct operation of the module and also provides appropriate usage information in the man page. The library version has been bumped accordingly. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Add hash:net,net module to kernel.Oliver Smith2013-09-204-9/+541
| | | | | | | | | | This adds a new set that provides the ability to configure pairs of subnets. A small amount of additional handling code has been added to the generic hash header file - this code is conditionally activated by a preprocessor definition. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Kconfig: ipset needs NETFILTER_NETLINKJozsef Kadlecsik2013-09-172-1/+6
| | | | | NETFILTER_NETLINK is not selectable in recent kernels, check and warn if not enabled indirectly.
* Add test to verify CIDR trackingJozsef Kadlecsik2013-09-151-0/+12
|
* netfilter: ipset: Fix serious failure in CIDR trackingOliver Smith2013-09-151-10/+14
| | | | | | | | | | | | | | | | | | | | | | | | | This fixes a serious bug affecting all hash types with a net element - specifically, if a CIDR value is deleted such that none of the same size exist any more, all larger (less-specific) values will then fail to match. Adding back any prefix with a CIDR equal to or more specific than the one deleted will fix it. Steps to reproduce: ipset -N test hash:net ipset -A test 1.1.0.0/16 ipset -A test 2.2.2.0/24 ipset -T test 1.1.1.1 #1.1.1.1 IS in set ipset -D test 2.2.2.0/24 ipset -T test 1.1.1.1 #1.1.1.1 IS NOT in set This is due to the fact that the nets counter was unconditionally decremented prior to the iteration that shifts up the entries. Now, we first check if there is a proceeding entry and if not, decrement it and return. Otherwise, we proceed to iterate and then zero the last element, which, in most cases, will already be zero. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* configure: uclinux is also linuxGustavo Zacarias2013-09-131-1/+1
| | | | | Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* list:set: make sure all elements are checked by the gcJozsef Kadlecsik2013-09-091-2/+5
| | | | | When an element timed out, the next one was skipped by the garbage collector, fixed.
* Support extensions which need a per data destroy functionJozsef Kadlecsik2013-09-094-43/+107
|
* Generalize extensions supportJozsef Kadlecsik2013-09-0714-749/+118
| | | | | Get rid of the structure based extensions and introduce a blob for the extensions. Thus we can support more extension types easily.
* Move extension data to set structureJozsef Kadlecsik2013-09-0715-289/+266
| | | | | | Default timeout and extension offsets are moved to struct set, because all set types supports all extensions and it makes possible to generalize extension support.
* Rename extension offset ids to extension idsJozsef Kadlecsik2013-09-067-43/+43
|
* Prepare ipset to support multiple networks for hash typesJozsef Kadlecsik2013-09-046-44/+48
| | | | | | In order to support hash:net,net, hash:net,port,net etc. types, arrays are introduced for the book-keeping of existing cidr sizes and network numbers in a set.
* Introduce new operation to get both setname and familyJozsef Kadlecsik2013-09-042-0/+25
| | | | | | | | ip[6]tables set match and SET target need to know the family of the set in order to reject adding rules which refer to a set with a non-mathcing family. Currently such rules are silently accepted and then ignored instead of generating a clear error message to the user, which is not helpful.
* Add specifying protocol for bitmap:portQuentin Armitage2013-08-174-18/+67
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Remove artifical restriction of netmask values for hash:ip type.Jozsef Kadlecsik2013-08-171-6/+4
| | | | Reported by Quentin Armitage, closes netfilter bugzilla id #844.
* Make sure called test scripts can be executed (reported by Tomas Budai)Jozsef Kadlecsik2013-08-161-0/+3
|
* Manpage fix: not just identical, but compatible type of sets can be swappedJozsef Kadlecsik2013-08-141-5/+5
| | | | Reported by Quentin Armitage, netfilter bugzilla id #843.
* Validate the set family and not the set type family at swapping.Jozsef Kadlecsik2013-08-141-1/+1
| | | | Bug reported by Quentin Armitage, netfilter bugzilla id #843.
* Fix error message typoJozsef Kadlecsik2013-08-141-1/+1
| | | | Reported by Quentin Armitage, netfilter bugzilla id #843.
* Parse option "family" first, because other options may depend on itJozsef Kadlecsik2013-08-141-24/+47
| | | | | | | Option like "netmask" depends on the INET family, so parse "family" first, then the rest of the options. Bug reported by Quentin Armitage, closed netfilter bugzilla #841.
* Change 2nd parameter type of ipset_parse_elemQuentin Armitage2013-08-012-2/+2
| | | | | | | | | The only place in ipset where ipset_parse_elem is called is src/ipset.c. The second parameter to the function call is type->last_elem_optional, which is of type bool, but ipset_parse_elem is defined in lib/parse.c with the second parameter having type enum ipset_opt. The use in lib/parse.c is clearly as a bool.
* Consistent userspace testing with nomatch flagJozsef Kadlecsik2013-07-226-12/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The "nomatch" commandline flag should invert the matching at testing, similarly to the --return-nomatch flag of the "set" match of iptables. Until now it worked with the elements with "nomatch" flag only. From now on it works with elements without the flag too, i.e: # ipset n test hash:net # ipset a test 10.0.0.0/24 nomatch # ipset t test 10.0.0.1 10.0.0.1 is NOT in set test. # ipset t test 10.0.0.1 nomatch 10.0.0.1 is in set test. # ipset a test 192.168.0.0/24 # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is NOT in set test. Before the patch the results were ... # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is in set test.
* Report broken netlink messages in debug modeJozsef Kadlecsik2013-07-191-0/+13
|
* Skip really non-first fragments for IPv6 when getting port/protocolJozsef Kadlecsik2013-05-311-4/+2
|
* ipset standalone package needs to ship em_ipset.cJozsef Kadlecsik2013-05-314-4/+152
| | | | | | | | Due to the ipset kernel API changes, em_ipset.c needs to be provided in the ipset package, reported by Jan Engelhardt: WARNING: //lib/modules/3.7.10-jng15-default/kernel/net/sched/em_ipset.ko disagrees about version of symbol ip_set_test
* ipset: Fix hyphen used as minus sign in manpageNeutron Soutmun2013-05-131-1/+1
| | | | | Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* libipset.pc must be installed via 'make install'Eric Leblond2013-05-111-0/+3
| | | | | | | | libipset.pc was not installed by classic 'make install'. This patch adds it to the list of installed files. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.19 releasedv6.19Jozsef Kadlecsik2013-05-093-1/+59
|
* Compatibility fixes to keep the support of kernels back to 2.6.32Jozsef Kadlecsik2013-05-092-48/+48
|
* Check at modules_install whether depmod ignores the extra subdirJozsef Kadlecsik2013-05-091-0/+18
| | | | | | | | | The external kernel modules are installed in the extra subdir in /lib/modules/<kernelrelease>/, but depmod in some distributions (at least in Ubuntu 12.04 LTS) ingores the subdir. Warn about it, because that way the modules are actually not available there. Reported by Husnu Demir and tian fang.
* Backport nla_put_net64Jozsef Kadlecsik2013-05-091-0/+10
|
* The utils are updated from their sourcesJozsef Kadlecsik2013-05-075-502/+1734
|
* Support package fragments for IPv4 protos without portsAnders K. Pedersen2013-05-031-1/+17
| | | | | | | | | | | | | | | | | | | Enable ipset port set types to match IPv4 package fragments for protocols that doesn't have ports (or the port information isn't supported by ipset). For example this allows a hash:ip,port ipset containing the entry 192.168.0.1,gre:0 to match all package fragments for PPTP VPN tunnels to/from the host. Without this patch only the first package fragment (with fragment offset 0) was matched, while subsequent fragments wasn't. This is not possible for IPv6, where the protocol is in the fragmented part of the package unlike IPv4, where the protocol is in the IP header. IPPROTO_ICMPV6 is deliberately not included, because it isn't relevant for IPv4. Signed-off-by: Anders K. Pedersen <akp@surftown.com>
* Manpage typing error correction (reported by Husnu Demir)Jozsef Kadlecsik2013-05-021-2/+2
|
* Update testsuite as the trailing space was eliminated at listingsJozsef Kadlecsik2013-05-0286-108/+108
|
* Use fix sized type for timeout in the extension partJozsef Kadlecsik2013-05-021-1/+1
|
* Add sparse checking support to userspaceJozsef Kadlecsik2013-05-025-3/+26
|
* Improve XML output: add element tag and root element (suggested by Lucas Hamie)Jozsef Kadlecsik2013-05-011-33/+38
|
* Make sure kernel configured properly for sparse checkingsJozsef Kadlecsik2013-05-011-0/+6
|
* Fix "may be used uninitialized" warningsJozsef Kadlecsik2013-05-019-12/+12
| | | | Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Rename simple macro names to avoid namespace issues.Jozsef Kadlecsik2013-05-0114-162/+169
| | | | Reported-by: David Laight <David.Laight@ACULAB.COM>
* Fix sparse warnings due to missing rcu annotationsJozsef Kadlecsik2013-04-301-32/+55
| | | | Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Sparse warning about shadowed variable fixedJozsef Kadlecsik2013-04-301-1/+1
| | | | | net/netfilter/ipset/ip_set_hash_ipportnet.c:275:20: warning: symbol 'cidr' shadows an earlier one
* Don't call ip_nest_end needlessly in the error pathJozsef Kadlecsik2013-04-273-3/+3
| | | | Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Manpage updatesJozsef Kadlecsik2013-04-091-52/+79
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add new testsuite entries to verify counters and the new type implementationsJozsef Kadlecsik2013-04-0924-8/+1156
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduce the new set type revisions with counter supportJozsef Kadlecsik2013-04-0911-103/+1560
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support counters in the ipset libraryJozsef Kadlecsik2013-04-0910-8/+128
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* set match: add support to match the countersJozsef Kadlecsik2013-04-096-9/+120
| | | | | | | | | | The new revision of the set match supports to match the counters and to suppress updating the counters at matching too. At the set:list types, the updating of the subcounters can be suppressed as well. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>