summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ip_set: Fix compatibility with kernels between v3.3 and v4.5HEADmasterSerhey Popovych2020-03-092-1/+7
| | | | | | | | | | | | | | | These kernels does not have in their @struct netlink_dump_control method that is used to prepare for netlink dump ->start(). This affects all kernels that does not contain commit fc9e50f5a5a4 ("netlink: add a start callback for starting a netlink dump"). Introduce fake value of HAVE_NETLINK_DUMP_START_ARGS equal to 7 that never spot in the wild and set HAVE_NETLINK_DUMP_START_ARGS to 4 only after explicit test if ->start() is available. Fixes: 7725bf5ba041 ("netfilter: ipset: fix suspicious RCU usage in find_set_and_id") Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Introduce --update-counters-first flag for the set targetJozsef Kadlecsik2020-03-093-4/+33
| | | | | | | | | | | | | | | Stefano Brivio reported that the patch 'netfilter: ipset: Fix "don't update counters" mode when counters used at the matching' changed the semantic of when the counters are updated. Before the patch the counters were updated regardless of the results of the counter matches, after the patch the counters were updated only if the counter match conditions (if specified) matched the packet. In order to handle both ways, the --update-counters-first flag is introduced: when the flag is specified, the counters are updated before checking the counter match conditions. Without the flag the current evaluation path (i.e. update only if counter conditions match) works. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ip_set: Fix build on kernels without INIT_DEFERRABLE_WORKSerhey Popovych2020-03-092-0/+15
| | | | | | | | | | There was macro rename in kernel with commit 203b42f73174 ("workqueue: make deferrable delayed_work initializer names consistent") that renames INIT_DELAYED_WORK_DEFERRABLE() to INIT_DEFERRABLE_WORK(). Fixes: 33f08da28324 ("netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports") Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: Support kernels with at least system_wq supportJozsef Kadlecsik2020-03-091-1/+4
|
* ip_set: Fix build on kernels without system_power_efficient_wqSerhey Popovych2020-03-092-1/+7
| | | | | | | | | | | | | This type of workqueue according to comment in <linux/workqueue.h> is same as regular @system_wq when power efficiency scheduler options disabled. For old kernels where @system_power_efficient_wq is not available use regular @system_wq to support ipset on kernels below 3.11. Fixes: 33f08da28324 ("netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports") Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Merge branch 'region_lock'Jozsef Kadlecsik2020-02-227-211/+509
|\
| * ipset 7.6 releasedv7.6region_lockJozsef Kadlecsik2020-02-223-1/+15
| | | | | | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
| * Add checking system_power_efficient_wq in the kernel source treeJozsef Kadlecsik2020-02-221-0/+10
| |
| * netfilter: ipset: Fix forceadd evaluation pathJozsef Kadlecsik2020-02-221-0/+2
| | | | | | | | | | | | | | | | | | | | | | When the forceadd option is enabled, the hash:* types should find and replace the first entry in the bucket with the new one if there are no reuseable (deleted or timed out) entries. However, the position index was just not set to zero and remained the invalid -1 if there were no reuseable entries. Reported-by: syzbot+6a86565c74ebe30aea18@syzkaller.appspotmail.com Fixes: 23c42a403a9c ("netfilter: ipset: Introduction of new commands and protocol version 7") Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
| * netfilter: ipset: Correct the reported memory sizeJozsef Kadlecsik2020-02-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | The patch netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports did not include the size of the comment extensions from the memory size for set listing. Add it, so the proper size is printed. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
| * ip_set: Include kernel header instead of UAPISerhey Popovych2020-02-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | This header is used to build kernel modules not userspace thus it is correct to include linux/in.h kernel variant and not UAPI. This fixes build on old and not widely supported systems like RHEL6 and Debian GNU/Linux 7 (wheezy) before headers split to UAPI and kernel. Fixes: 62d787ba5e66 ("netfilter: added missing includes to a number of header-files.") Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
| * netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reportsJozsef Kadlecsik2020-02-184-210/+482
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the case of huge hash:* types of sets, due to the single spinlock of a set the processing of the whole set under spinlock protection could take too long. There were four places where the whole hash table of the set was processed from bucket to bucket under holding the spinlock: - During resizing a set, the original set was locked to exclude kernel side add/del element operations (userspace add/del is excluded by the nfnetlink mutex). The original set is actually just read during the resize, so the spinlocking is replaced with rcu locking of regions. However, thus there can be parallel kernel side add/del of entries. In order not to loose those operations a backlog is added and replayed after the successful resize. - Garbage collection of timed out entries was also protected by the spinlock. In order not to lock too long, region locking is introduced and a single region is processed in one gc go. Also, the simple timer based gc running is replaced with a workqueue based solution. The internal book-keeping (number of elements, size of extensions) is moved to region level due to the region locking. - Adding elements: when the max number of the elements is reached, the gc was called to evict the timed out entries. The new approach is that the gc is called just for the matching region, assuming that if the region (proportionally) seems to be full, then the whole set does. We could scan the other regions to check every entry under rcu locking, but for huge sets it'd mean a slowdown at adding elements. - Listing the set header data: when the set was defined with timeout support, the garbage collector was called to clean up timed out entries to get the correct element numbers and set size values. Now the set is scanned to check non-timed out entries, without actually calling the gc for the whole set. Thanks to Florian Westphal for helping me to solve the SOFTIRQ-safe -> SOFTIRQ-unsafe lock order issues during working on the patch. Reported-by: syzbot+4b0e9d4ff3cf117837e5@syzkaller.appspotmail.com Reported-by: syzbot+c27b8d5010f45c666ed1@syzkaller.appspotmail.com Reported-by: syzbot+68a806795ac89df3aa1c@syzkaller.appspotmail.com Fixes: 23c42a403a9c ("netfilter: ipset: Introduction of new commands and protocol version 7") Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* | ip_set: Include kernel header instead of UAPISerhey Popovych2020-02-071-1/+1
|/ | | | | | | | | | | | This header is used to build kernel modules not userspace thus it is correct to include linux/in.h kernel variant and not UAPI. This fixes build on old and not widely supported systems like RHEL6 and Debian GNU/Linux 7 (wheezy) before headers split to UAPI and kernel. Fixes: 62d787ba5e66 ("netfilter: added missing includes to a number of header-files.") Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* .gitignore: add temporary files to the listJozsef Kadlecsik2020-01-261-0/+3
|
* netfilter: ipset: fix suspicious RCU usage in find_set_and_idJozsef Kadlecsik2020-01-261-17/+32
| | | | | | | | | | | | | | find_set_and_id() is called when the NFNL_SUBSYS_IPSET mutex is held. However, in the error path there can be a follow-up recvmsg() without the mutex held. Use the start() function of struct netlink_dump_control instead of dump() to verify and report if the specified set does not exist. Thanks to Pablo Neira Ayuso for helping me to understand the subleties of the netlink protocol. Reported-by: syzbot+fc69d7cb21258ab4ae4d@syzkaller.appspotmail.com Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Add compatibility support for bitmap_zalloc() and bitmap_zero()Jozsef Kadlecsik2020-01-202-0/+32
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: use bitmap infrastructure completelyJozsef Kadlecsik2020-01-195-17/+10
| | | | | | | | | | | | | | | | The bitmap allocation did not use full unsigned long sizes when calculating the required size and that was triggered by KASAN as slab-out-of-bounds read in several places. The patch fixes all of them. Reported-by: syzbot+fabca5cbf5e54f3fe2de@syzkaller.appspotmail.com Reported-by: syzbot+827ced406c9a1d9570ed@syzkaller.appspotmail.com Reported-by: syzbot+190d63957b22ef673ea5@syzkaller.appspotmail.com Reported-by: syzbot+dfccdb2bdb4a12ad425e@syzkaller.appspotmail.com Reported-by: syzbot+df0d0f5895ef1f41a65b@syzkaller.appspotmail.com Reported-by: syzbot+b08bd19bb37513357fd4@syzkaller.appspotmail.com Reported-by: syzbot+53cdd0ec0bbabd53370a@syzkaller.appspotmail.com Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: fix a use-after-free in mtype_destroy()Cong Wang2020-01-151-1/+1
| | | | | | | | | | | | map->members is freed by ip_set_free() right before using it in mtype_ext_cleanup() again. So we just have to move it down. Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function") Cc: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset 7.5 releasedv7.5Jozsef Kadlecsik2020-01-093-1/+22
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is presentFlorian Westphal2020-01-091-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | The set uadt functions assume lineno is never NULL, but it is in case of ip_set_utest(). syzkaller managed to generate a netlink message that calls this with LINENO attr present: general protection fault: 0000 [#1] PREEMPT SMP KASAN RIP: 0010:hash_mac4_uadt+0x1bc/0x470 net/netfilter/ipset/ip_set_hash_mac.c:104 Call Trace: ip_set_utest+0x55b/0x890 net/netfilter/ipset/ip_set_core.c:1867 nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 nfnetlink_rcv+0x1ba/0x460 net/netfilter/nfnetlink.c:563 pass a dummy lineno storage, its easier than patching all set implementations. This seems to be a day-0 bug. Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Reported-by: syzbot+34bd2369d38707f3f4a7@syzkaller.appspotmail.com Fixes: a7b4f989a6294 ("netfilter: ipset: IP set core support") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ip_set: Pass init_net when @net is missing in match check params data structureSerhey Popovych2019-12-091-1/+1
| | | | | | | | | | | | | | It is better to restrict ipsets to default network namespace on old kernels that does not contain @net parameter in @struct xt_mtchk_param (i.e. ones prior to commit a83d8e8d099f ("netfilter: xtables: add struct xt_mtchk_param::net"), tag v2.6.34) instead of panicing on them. Found and tested on RHEL 6 with 2.6.32 kernels. Fixes: 90e279db0cf5 ("Add more compatibility checkings to support older kernel releases") Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: xt_set: Do not restrict --map-set to the mangle tableSerhey Popovych2019-12-091-5/+0
| | | | | | | | | | | | | | | | | | | | | | | While mangle table is primary place for packet modification setting mark, traffic class priority or hardware NIC queue can be done in any table with exception similar to using mark in policy-based routing setups (configured with ip-rule(8)) should be done before routing happens (i.e. in PREROUTING chain that usable in mangle or raw tables only). There is no such restriction in MARK target used to set packet mark and CLASSIFY target used to set traffic class priority. Both are free to use in any table. There is no known target that can modify hardware queue for packet. This helps in keeping filtering and packet modification rules together in filter table. Tested with rule in filter table with SET target using --map-prio and HTB for scheduling packets at egress. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* em_ipset: Build on old kernelsSerhey Popovych2019-12-094-2/+30
| | | | | | | | | | | | | | | | | | | Make sure TCF_EM_IPSET defined and corresponds to current upstream value if not defined in target kernel. You need iproute2 version that supports em_ipset to communicate correctly. Include ip_set_compat.h after pkt_cls.h to prevent TCF_EM_IPSET redefine error. Detect skb->iif => skb->skb_iif rename after commit 8964be4a9a5c ("net: rename skb->iif to skb->skb_iif"). Add dev_get_by_index_rcu() define pointing to __dev_get_by_index() to build on RHEL6 kernels with explicit note that this may not work on all architectures. Always build em_ipset regardless of CONFIG_NET_EMATCH_IPSET option. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* compat: Use skb_vlan_tag_present() instead of vlan_tx_tag_present()Serhey Popovych2019-12-091-1/+12
| | | | | | | | | | | Since RHEL6 provides it as preprocessor define and does not provide vlan_tx_tag_present(). Add defines in case of vlan_tx_tag_present() isn't available to back tc_skb_protocol() to old behaviour before commit d8b9605d2697 ("net: sched: fix skb->protocol use in case of accelerated vlan path"). Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* configure.ac: Support building with old autoconf 2.63Serhey Popovych2019-12-091-0/+6
| | | | | | | | | | | | | This version found on RHEL6 making autoreconf fail with following error: configure.ac:61: error: possibly undefined macro: AS_VAR_COPY If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. Apply fix from https://github.com/gdnsd/gdnsd/issues/85 to fix problem. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* configure.ac: Build on kernels without skb->vlan_proto correctlySerhey Popovych2019-12-092-0/+15
| | | | | | | | | | | | Support for EtherType other than ETH_P_8021Q for VLAN header introduced with commit 86a9bad3ab6b ("net: vlan: add protocol argument to packet tagging functions") in upstream kernel since v3.10. To support build on older kernels check for ->vlan_proto presence in @struct sk_buff and return htons(ETH_P_8021Q) when it is missing. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* configure.ac: Add cond_resched_rcu() checksSerhey Popovych2019-12-092-0/+22
| | | | | | | | | | It was introduced with commit f6f3c437d09e ("sched: add cond_resched_rcu() helper") since v3.11 upstream kernel. To support building on older kernels add implementation to ip_set_compat.h. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* configure.ac: Better match for ipv6_skip_exthdr() frag_offp arg presenceSerhey Popovych2019-12-091-1/+1
| | | | | | | | | | | | | | | | On older kernels (i.e. ones before commit 5c3a0fd7d0fc ("ip*.h: Remove extern from function prototypes") in upstream since v3.13) we fail to match number of arguments ipv6_skip_exthdr() correctly. Configure chooses 3 args, while function has actually 4 args. This happens because on these kernels tab (\t) is used for intendation between function result type and function name. Fix by matching either space for kernels with mentioned change or tab for older kernels to select number of arguments correctly. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Document explicitly that protocol is not stored in bitmap:portJozsef Kadlecsik2019-11-142-6/+7
|
* ipset 7.4 releasedv7.4Jozsef Kadlecsik2019-11-013-1/+36
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Fix compatibility support for netlink extended ACK and add ↵Jozsef Kadlecsik2019-11-013-2/+18
| | | | synchronize_rcu_bh() checking
* Fix nla_policies to fully support NL_VALIDATE_STRICTJozsef Kadlecsik2019-11-013-2/+12
| | | | | | | Since v5.2 (commit "netlink: re-add parse/validate functions in strict mode") NL_VALIDATE_STRICT is enabled. Fix the ipset nla_policies which did not support strict mode and thus the corresponding ipset commands failed.
* treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500Thomas Gleixner2019-10-3124-88/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | Based on 2 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation # extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4122 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Enrico Weigelt <info@metux.net> Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Allison Randal <allison@lohutok.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* netfilter: remove unnecessary spacesyangxingwu2019-10-312-2/+2
| | | | | | | | This patch removes extra spaces. Signed-off-by: yangxingwu <xingwu.yang@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: Add wildcard support to net,ifaceKristian Evensen2019-10-319-7/+144
| | | | | | | | | | | | | | | | | | | | | The net,iface equal functions currently compares the full interface names. In several cases, wildcard (or prefix) matching is useful. For example, when converting a large iptables rule-set to make use of ipset, I was able to significantly reduce the number of set elements by making use of wildcard matching. Wildcard matching is enabled by adding "wildcard" when adding an element to a set. Internally, this causes the IPSET_FLAG_IFACE_WILDCARD-flag to be set. When this flag is set, only the initial part of the interface name is used for comparison. Wildcard matching is done per element and not per set, as there are many cases where mixing wildcard and non-wildcard elements are useful. This means that is up to the user to handle (avoid) overlapping interface names. Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Sort naturally instead of textual sort (bugzilla #1369)Jozsef Kadlecsik2019-10-312-113/+189
| | | | | Sort 95.0.0.0 before 107.0.0.0 instead of the textual sorting. Also, in the case of subnets, sort reversed, ie. most specific first.
* ipset: Copy the right MAC address in hash:ip,mac IPv6 setsStefano Brivio2019-10-311-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Same as commit 1b4a75108d5b ("netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets"), another copy and paste went wrong in commit 8cc4ccf58379 ("netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets"). When I fixed this for IPv4 in 1b4a75108d5b, I didn't realise that hash:ip,mac sets also support IPv6 as family, and this is covered by a separate function, hash_ipmac6_kadt(). In hash:ip,mac sets, the first dimension is the IP address, and the second dimension is the MAC address: check the IPSET_DIM_TWO_SRC flag in flags while deciding which MAC address to copy, destination or source. This way, mixing source and destination matches for the two dimensions of ip,mac hash type works as expected, also for IPv6. With this setup: ip netns add A ip link add veth1 type veth peer name veth2 netns A ip addr add 2001:db8::1/64 dev veth1 ip -net A addr add 2001:db8::2/64 dev veth2 ip link set veth1 up ip -net A link set veth2 up dst=$(ip netns exec A cat /sys/class/net/veth2/address) ip netns exec A ipset create test_hash hash:ip,mac family inet6 ip netns exec A ipset add test_hash 2001:db8::1,${dst} ip netns exec A ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT ip netns exec A ip6tables -A INPUT -m set ! --match-set test_hash src,dst -j DROP ipset now correctly matches a test packet: # ping -c1 2001:db8::2 >/dev/null # echo $? 0 Reported-by: Chen, Yi <yiche@redhat.com> Fixes: 8cc4ccf58379 ("netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets") Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Do not return with error at 'make modules_install' when modules are not loadedJozsef Kadlecsik2019-10-311-1/+1
| | | | The issue was reported by Oskar Berggren.
* netfilter: ipset: move ip_set_get_ip_port() to ip_set_bitmap_port.c.Jeremy Sowden2019-10-073-31/+27
| | | | | | | | ip_set_get_ip_port() is only used in ip_set_bitmap_port.c. Move it there and make it static. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: move function to ip_set_bitmap_ip.c.Jeremy Sowden2019-10-072-14/+12
| | | | | | | | One inline function in ip_set_bitmap.h is only called in ip_set_bitmap_ip.c: move it and remove inline function specifier. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: make ip_set_put_flags extern.Jeremy Sowden2019-10-072-22/+25
| | | | | | | | ip_set_put_flags is rather large for a static inline function in a header-file. Move it to ip_set_core.c and export it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: move functions to ip_set_core.c.Jeremy Sowden2019-10-072-102/+102
| | | | | | | | Several inline functions in ip_set.h are only called in ip_set_core.c: move them and remove inline function specifier. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: move ip_set_comment functions from ip_set.h to ip_set_core.c.Jeremy Sowden2019-10-072-62/+67
| | | | | | | | | | | | | | | Most of the functions are only called from within ip_set_core.c. The exception is ip_set_init_comment. However, this is too complex to be a good candidate for a static inline function. Move it to ip_set_core.c, change its linkage to extern and export it, leaving a declaration in ip_set.h. ip_set_comment_free is only used as an extension destructor, so change its prototype to match and drop cast. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: remove inline from static functions in .c files.Jeremy Sowden2019-10-0719-138/+138
| | | | | | | | | | | | | The inline function-specifier should not be used for static functions defined in .c files since it bloats the kernel. Instead leave the compiler to decide which functions to inline. While a couple of the files affected (ip_set_*_gen.h) are technically headers, they contain templates for generating the common parts of particular set-types and so we treat them like .c files. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: add a coding-style fix to ip_set_ext_destroy.Jeremy Sowden2019-10-071-3/+5
| | | | | | | | Use a local variable to hold comment in order to align the arguments of ip_set_comment_free properly. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: added missing includes to a number of header-files.Jeremy Sowden2019-10-071-0/+4
| | | | | | | | | A number of netfilter header-files used declarations and definitions from other headers without including them. Added include directives to make those declarations and definitions available. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: inlined four headers files into another one.Jeremy Sowden2019-10-077-297/+234
| | | | | | | | | | | | | | | | | | | | linux/netfilter/ipset/ip_set.h included four other header files: include/linux/netfilter/ipset/ip_set_comment.h include/linux/netfilter/ipset/ip_set_counter.h include/linux/netfilter/ipset/ip_set_skbinfo.h include/linux/netfilter/ipset/ip_set_timeout.h Of these the first three were not included anywhere else. The last, ip_set_timeout.h, was included in a couple of other places, but defined inline functions which call other inline functions defined in ip_set.h, so ip_set.h had to be included before it. Inlined all four into ip_set.h, and updated the other files that included ip_set_timeout.h. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: Fix an error code in ip_set_sockfn_get()Dan Carpenter2019-08-271-3/+5
| | | | | | | | | | | The copy_to_user() function returns the number of bytes remaining to be copied. In this code, that positive return is checked at the end of the function and we return zero/success. What we should do instead is return -EFAULT. Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset 7.3 releasedv7.3Jozsef Kadlecsik2019-07-233-1/+11
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Fix rename concurrency with listingJozsef Kadlecsik2019-07-231-1/+1
| | | | | | | | | | | | | Shijie Luo reported that when stress-testing ipset with multiple concurrent create, rename, flush, list, destroy commands, it can result ipset <version>: Broken LIST kernel message: missing DATA part! error messages and broken list results. The problem was the rename operation was not properly handled with respect of listing. The patch fixes the issue. Reported-by: Shijie Luo <luoshijie1@huawei.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>