| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
Revision reporting got broken by the revision checking patch, fixed.
|
| |
|
|
| |
SCTP and UDPLITE port support added to the hash:*port* types.
|
| |
|
|
|
|
| |
The revision number was not checked at the create command: if the userspace
sent a valid set type but with not supported revision number, it'd create
a loop.
|
| |
|
|
|
| |
Entry to install the manpage was missing from Makefile.am
(reported by Mark A. Ziesemer)
|
| |
|
|
|
|
| |
The hash:ip,port* types with IPv4 silently ignored when address ranges
with non TCP/UDP were added/deleted from the set and the first address from
the range was only used.
|
| |
|
|
|
|
|
| |
net/netfilter/ipset/ip_set_core.c:615: warning: ?clash? may be used uninitialized in this function
Signed-off-by: shanw <shanw@shanw-desktop.(none)>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| | |
|
| |
|
|
|
| |
The kernel/ subdirectory is reorganized to follow the kernel directory
structure.
|
| |
|
|
|
|
|
|
|
| |
Add some #ifdefs to unconditionally return false in
ip_set_get_ip6_port() when CONFIG_IPV6=n and convert
to ipv6_skip_exthdr() to avoid pulling in the ip6_tables
module when loading ipset.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
| |
When a message carries multiple commands and one of them triggers
an error, we have to report to the userspace which one was that.
The line number of the command plays this role and there's an attribute
reserved in the header part of the message to be filled out with the error
line number. In order not to modify the original message received from
the userspace, we construct a new, complete netlink error message and
modifies the attribute there, then send it.
Netlink is notified not to send its ACK/error message.
|
| |
|
|
|
|
|
|
| |
Don't fall through in the switch statement, otherwise IPv4 headers
are incorrectly parsed again as IPv6 and the return value will always
be 'false'.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
None of the set types need uaccess.h since this is handled centrally
in ip_set_core. Most set types additionally don't need bitops.h and
spinlock.h since they use neither. tcp.h is only needed by those
using before(), udp.h is not needed at all.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Replace calls of the form:
nla_parse(tb, ATTR_MAX, nla_data(attr), nla_len(attr), policy)
by:
nla_parse_nested(tb, ATTR_MAX, attr, policy)
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
The error line checking would fail when debugging is enabled
(and spit out junk lines), fixed.
|
| |
|
|
| |
It's too easy to mistype "n" to "new", so just allow it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The number of comparisons for a matching a command name can be
made smaller by just checking on argv[1].
As an example consider the following 'create' arguments 'hashsize',
'family' and 'timeout'. When having the command
create foo hash:ip timeout 60 family inet hashsize 64
it compares without this patch:
strcmp("timeout", "hashsize")
strcmp("64", "hashsize")
strcmp("family", "hashsize")
strcmp("inet", "hashsize")
strcmp("hashsize", "hashsize")
It is worse in practice, as 'create' has more arguments than this.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
| |
|
|
|
|
|
|
| |
After stripping off the global options there simply has to follow
a command name, there is no other syntax possible. Therefore the
argv[] loop is unnecessary.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
| |
|
|
| |
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Use flavour-specific ADT functions and use shared ones for all
other type functions (Patrick McHardy's review)
|
| |
|
|
|
| |
Use flavour-specific ADT functions and use shared ones for all
other type functions (Patrick McHardy's review)
|
| |
|
|
|
|
| |
The type specific attribute validation can be moved to the ipset core.
That way it's done centrally and thus can be eliminated from the individual
set types (suggested by Patrick McHardy).
|
| |
|
|
| |
Spelling error fixed (Ferenc Wagner)
|
| |
|
|
| |
Use vzalloc() if kernel version supports it. (Eric Dumazet, Patrick McHardy)
|
| |
|
|
| |
Old cryptic error messages are not useful (Patrick McHardy's review)
|
| |
|
|
|
|
| |
Attribute is const so a little bit more work is needed to return
the error line number. A test is also added in order to check
the functionality. (Patrick McHardy's review)
|
| |
|
|
|
| |
Missing check of the flag NLM_F_ACK is added to the kernel -
and userspace does set it too (Patrick McHardy's review)
|
| |
|
|
| |
Use correct error codes (Patrick McHardy's review)
|
| | |
|
| |
|
|
|
| |
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
| |
Do not use time() as a Netlink sequence number for each message,
as otherwise the same seq number will be used when sending
another message in the same second. Instead use time() just for
initialization, then increment per message.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Also check for the name length.
Note that passing errno values back is not done consistently at
various place, as there are some functions which set errno manually,
others pass -errno back. I use the -errno approach here, as it is
slightly shorter.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
| |
"sendip" needs data otherwise ICMP/ICMPv6 gets truncated...
|
| |
|
|
|
|
| |
If resolving is requested and the resolved hostname contains a dash
character, print the unresolved IP address instead in order not to
clash with the IP/hostname range syntax.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
I mistyped the bitwise operator and the network-order conversion was
missing too. Sigh, sendip cannot generate proper packets to check
ICMP and ICMPv6 in the testsuite. :-(
|
| |
|
|
|
|
| |
Some trailing whitespace slipped in, those are removed. With the deleted
ip_set_kernel.h, the pr_* messages lost the trailing "\n" character.
The messages were completed with it.
|
| | |
|
| |
|
|
|
| |
While holding the nfnl_mutex, module loading is not allowed.
Bug spotted by Patrick McHardy in his reviewing.
|
| |
|
|
|
| |
The expire functions of the hash types are called while locked, so
kzalloc must be called with GFP_ATOMIC.
|
| | |
|
| |
|
|
|
| |
We may call ip_set_alloc with GFP_ATOMIC, so we cannot replace __vmalloc
with vzalloc. Missing flag was noticed by Eric Dumazet.
|
| |
|
|
|
|
| |
Allow only network-order data, with NLA_F_NET_BYTEORDER flag.
Sanity checks also added to prevent processing broken messages
where mandatory attributes are missing. (Patrick McHardy's review)
|
