summaryrefslogtreecommitdiffstats
path: root/kernel/include/linux/netfilter/ipset/ip_set.h
Commit message (Collapse)AuthorAgeFilesLines
* Use fix sized type for timeout in the extension partJozsef Kadlecsik2013-05-021-1/+1
|
* Rename simple macro names to avoid namespace issues.Jozsef Kadlecsik2013-05-011-0/+3
| | | | Reported-by: David Laight <David.Laight@ACULAB.COM>
* set match: add support to match the countersJozsef Kadlecsik2013-04-091-2/+7
| | | | | | | | | | The new revision of the set match supports to match the counters and to suppress updating the counters at matching too. At the set:list types, the updating of the subcounters can be suppressed as well. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduce the counter extension in the coreJozsef Kadlecsik2013-04-091-4/+71
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduce extensions to elements in the coreJozsef Kadlecsik2013-04-091-7/+39
| | | | | | | Introduce extensions to elements in the core and prepare timeout as the first one. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Make possible to test elements marked with nomatch, from userspaceJozsef Kadlecsik2013-04-091-0/+8
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add a compatibility header file for easier maintenanceJozsef Kadlecsik2013-04-091-27/+1
| | | | | | | Unfortunately not everything could be moved there, there are still compatibility ifdefs in some other files. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The uapi include split in the package itselfJozsef Kadlecsik2013-04-091-222/+3
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Restore the support of kernel versions between 2.6.32 and 2.6.35Jozsef Kadlecsik2012-11-051-0/+5
|
* Support to match elements marked with "nomatch" in hash:*net* setsJozsef Kadlecsik2012-09-211-0/+4
| | | | | | | | | | | | | | | Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ...
* Coding style fixesJozsef Kadlecsik2012-09-111-2/+3
|
* Include supported revisions in module descriptionJozsef Kadlecsik2012-09-111-0/+6
|
* net: cleanup unsigned to unsigned intEric Dumazet2012-09-081-4/+4
| | | | | | | Use of "unsigned int" is preferred to bare "unsigned" in net tree. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Backport nla_put_net* functions as NLA_PUT* were removedJozsef Kadlecsik2012-05-101-0/+22
|
* ipset: Stop using NLA_PUT*().David S. Miller2012-05-101-20/+26
| | | | | | | These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit. Signed-off-by: David S. Miller <davem@davemloft.net>
* Exceptions support added to hash:*net* typesJozsef Kadlecsik2012-01-131-0/+4
| | | | | | | | | | | | The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set.
* ipset: use NFPROTO_ constantsJan Engelhardt2011-08-311-1/+4
| | | | | ipset is actually using NFPROTO values rather than AF (xt_set passes that along).
* netfilter: ipset: expose userspace-relevant parts in ip_set.hJan Engelhardt2011-08-311-12/+14
| | | | | | | iptables's libxt_SET.c depends on these. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Whitespace and coding fixes detected by checkpatch.plJozsef Kadlecsik2011-05-311-3/+3
|
* hash:net,iface type introducedJozsef Kadlecsik2011-05-301-0/+5
| | | | | | | | | | The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1
* Add xt_action_param to the variant level kadt functions, ipset API changeJozsef Kadlecsik2011-05-271-0/+5
| | | | | | With the change the sets can use any parameter available for the match and target extensions, like input/output interface. It's required for the hash:net,iface set type.
* Support range for IPv4 at adding/deleting elements for hash:*net* typesJozsef Kadlecsik2011-05-151-0/+1
| | | | | | | | | | | | | | | | | | | The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30
* Set type support with multiple revisions addedJozsef Kadlecsik2011-05-111-2/+4
| | | | | A set type may have multiple revisions, for example when syntax is extended. Support continuous revision ranges in set types.
* Fix adding ranges to hash typesJozsef Kadlecsik2011-05-061-1/+1
| | | | | | When ranges are added to hash types, the elements may trigger rehashing the set. However, the last successfully added element was not kept track so the adding started again with the first element after the rehashing. Bug reported by Mr Dash Four.
* Support listing setnames and headers tooJozsef Kadlecsik2011-04-181-0/+4
| | | | | | Current listing makes possible to list sets with full content only. The patch adds support partial listings, i.e. listing just the existing setnames or listing set headers, without set members.
* Options and flags support added to the kernel APIJozsef Kadlecsik2011-04-181-4/+14
| | | | | | The support makes possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries.
* Timeout can be modified for already added elementsJozsef Kadlecsik2011-03-271-1/+2
| | | | | | | | | | When an element to a set with timeout added, one can change the timeout by "readding" the element with the "-exist" flag. That means the timeout value is reset to the specified one (or to the default from the set specification if the "timeout n" option is not used). Example ipset add foo 1.2.3.4 timeout 10 ipset add foo 1.2.3.4 timeout 600 -exist
* References are protected by rwlock instead of mutexJozsef Kadlecsik2011-03-251-1/+1
| | | | | | | The timeout variant of the list:set type must reference the member sets. However, its garbage collector runs at timer interrupt so the mutex protection of the references is a no go. Therefore the reference protection is converted to rwlock.
* Separate ipset errnos completely from system ones and bump protocol version.Jozsef Kadlecsik2011-01-311-3/+3
|
* Move the type specifici attribute validation to the coreJozsef Kadlecsik2011-01-271-3/+6
| | | | | | The type specific attribute validation can be moved to the ipset core. That way it's done centrally and thus can be eliminated from the individual set types (suggested by Patrick McHardy).
* Use vzalloc() instead of __vmalloc()Jozsef Kadlecsik2011-01-261-1/+1
| | | | Use vzalloc() if kernel version supports it. (Eric Dumazet, Patrick McHardy)
* Fix module loading at create/header commandsJozsef Kadlecsik2011-01-201-1/+1
| | | | | While holding the nfnl_mutex, module loading is not allowed. Bug spotted by Patrick McHardy in his reviewing.
* Enforce network-order data in the netlink protocolJozsef Kadlecsik2011-01-201-5/+17
| | | | | | Allow only network-order data, with NLA_F_NET_BYTEORDER flag. Sanity checks also added to prevent processing broken messages where mandatory attributes are missing. (Patrick McHardy's review)
* Use annotated types and fix sparse warningsJozsef Kadlecsik2011-01-201-25/+17
| | | | | | Annotated types are introduced and sparse warnings fixed. Two warnings remained in ip_set_core.c but those are false ones. (Patrick McHardy's review)
* Move ip_set_alloc, ip_set_free and ip_set_get_ipaddr* into coreJozsef Kadlecsik2011-01-201-77/+6
| | | | | | The functions are too large to be inlined, so move them into the core. Also, fix the unnecessary initializations in ip_set_get_ipaddr*. (Patrick McHardy's review)
* Move NLA_PUT_NET* macros to include/net/netlink.hJozsef Kadlecsik2011-01-201-6/+0
| | | | These macros can be useful in general (Patrick McHardy's review)
* Update copyright date and some style changes.Jozsef Kadlecsik2011-01-141-1/+2
|
* Separate prefixlens from ip_set core.Jozsef Kadlecsik2011-01-131-9/+0
| | | | | | Separate prefixlens from ip_set core for better readibility and honoring the independence. Also, comment that prefixlens were borrowed from Jan Engelhardt.
* Comment the possible return values of the add/del/test type-functionsJozsef Kadlecsik2010-12-231-2/+8
|
* kernel: const annotationsJan Engelhardt2010-12-191-1/+1
|
* kernel: do not mix const and __read_mostlyJan Engelhardt2010-12-191-2/+1
| | | | | It makes no sense to mix these two. Either it is writable-plus-read-mostly, or it is constant.
* Remove unnecessary gfp_flags argumentsJozsef Kadlecsik2010-12-161-3/+2
| | | | | Where the argument was used, the set lock was already activated, therefore the argument value was always GFP_ATOMIC.
* Create include/linux/netfilter/ipset/ directoryJozsef Kadlecsik2010-12-071-0/+526
Separate the ipset header files from netfilter header files.