summaryrefslogtreecommitdiffstats
path: root/kernel/include/linux/netfilter/ipset/ip_set_ahash.h
Commit message (Collapse)AuthorAgeFilesLines
* Unified hash type generationJozsef Kadlecsik2013-04-091-1241/+0
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add a compatibility header file for easier maintenanceJozsef Kadlecsik2013-04-091-3/+0
| | | | | | | Unfortunately not everything could be moved there, there are still compatibility ifdefs in some other files. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* hash:*net*: nomatch flag not excluded on set resizeJozsef Kadlecsik2013-04-091-7/+23
| | | | | | | If a resize is triggered the nomatch flag is not excluded at hashing, which leads to the element missed at lookup in the resized set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: timeout values corrupted on set resizeJosh Hunt2013-02-211-1/+3
| | | | | | | | | | | If a resize is triggered on a set with timeouts enabled, the timeout values will get corrupted when copying them to the new set. This occured b/c the wrong timeout value is supplied to type_pf_elem_tadd(). This also adds simple debug statement similar to the one in type_pf_resize(). Signed-off-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Restore the support of kernel versions between 2.6.32 and 2.6.35Jozsef Kadlecsik2012-11-051-0/+3
|
* Rewrite cidr book keeping to handle /0Jozsef Kadlecsik2012-09-221-49/+55
| | | | The patch is required for the /0 support in hash:net,iface
* Revert patch "Fix cidr book keeping for hash:*net* types"Jozsef Kadlecsik2012-09-221-55/+49
|
* Coding style fixesJozsef Kadlecsik2012-09-111-1/+1
|
* Fix cidr book keeping for hash:*net* typesJozsef Kadlecsik2012-09-101-49/+55
| | | | | | | The book-keeping of the different sized networks were bogus, fix it. The broken code could lead invalid matching in such sets when the number of different sized networks were greater than the smallest CIDR value of the networks.
* ipset: Stop using NLA_PUT*().David S. Miller2012-05-101-9/+12
| | | | | | | These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit. Signed-off-by: David S. Miller <davem@davemloft.net>
* Fix hash size checking in kernelJozsef Kadlecsik2012-05-061-0/+16
| | | | | | The hash size must fit both into u32 (jhash) and the max value of size_t. The missing checking could lead to kernel crash, bug reported by Seblu.
* hash:net,iface timeout bug fixedJozsef Kadlecsik2012-01-131-0/+8
| | | | | Timed out entries were still matched till the garbage collector purged them out. The fix is verified in the testsuite.
* Exceptions support added to hash:*net* typesJozsef Kadlecsik2012-01-131-23/+66
| | | | | | | | | | | | The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set.
* Log warning when a hash type of set gets fullJozsef Kadlecsik2012-01-101-4/+18
| | | | | If the set is full, the SET target cannot add more elements. Log warning so that the admin got notified about it.
* Fix compiler warnings "'hash_ip4_data_next' declared inline after being called"Chris Friesen2011-07-091-1/+1
| | | | | | | | Some gcc versions warn about prototypes without "inline" when the declaration includes the "inline" keyword. The fix generates a false error message "marked inline, but without a definition" with sparse below 0.4.2. Signed-off-by: Chris Friesen <chris.friesen@genband.com>
* hash:net,iface fixed to handle overlapping nets behind different interfacesJozsef Kadlecsik2011-07-081-31/+61
| | | | | | | | | | | | | | | | | | If overlapping networks with different interfaces was added to the set, the type did not handle it properly. Example ipset create test hash:net,iface ipset add test 192.168.0.0/16,eth0 ipset add test 192.168.0.0/24,eth1 Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned a match. In the patch the algorithm is fixed in order to correctly handle overlapping networks. Limitation: the same network cannot be stored with more than 64 different interfaces in a single set.
* Make possible to hash some part of the data element only.Jozsef Kadlecsik2011-06-141-4/+10
|
* Whitespace and coding fixes detected by checkpatch.plJozsef Kadlecsik2011-05-311-1/+1
|
* hash:net,iface type introducedJozsef Kadlecsik2011-05-301-0/+6
| | | | | | | | | | The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1
* Add xt_action_param to the variant level kadt functions, ipset API changeJozsef Kadlecsik2011-05-271-0/+1
| | | | | | With the change the sets can use any parameter available for the match and target extensions, like input/output interface. It's required for the hash:net,iface set type.
* Adding ranges to hash types with timeout could still fail, fixedJozsef Kadlecsik2011-05-211-1/+1
| | | | | | The patch "Fix adding ranges to hash types" had got a mistypeing in the timeout variant of the hash types, which actually made the patch ineffective. Fixed!
* Remove variable 'ret' in type_pf_tdel(), which is set but not usedJozsef Kadlecsik2011-05-201-2/+2
|
* Support range for IPv4 at adding/deleting elements for hash:*net* typesJozsef Kadlecsik2011-05-151-1/+1
| | | | | | | | | | | | | | | | | | | The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30
* Fix adding ranges to hash typesJozsef Kadlecsik2011-05-061-3/+19
| | | | | | When ranges are added to hash types, the elements may trigger rehashing the set. However, the last successfully added element was not kept track so the adding started again with the first element after the rehashing. Bug reported by Mr Dash Four.
* Options and flags support added to the kernel APIJozsef Kadlecsik2011-04-181-1/+1
| | | | | | The support makes possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries.
* Timeout can be modified for already added elementsJozsef Kadlecsik2011-03-271-7/+8
| | | | | | | | | | When an element to a set with timeout added, one can change the timeout by "readding" the element with the "-exist" flag. That means the timeout value is reset to the specified one (or to the default from the set specification if the "timeout n" option is not used). Example ipset add foo 1.2.3.4 timeout 10 ipset add foo 1.2.3.4 timeout 600 -exist
* References are protected by rwlock instead of mutexJozsef Kadlecsik2011-03-251-2/+1
| | | | | | | The timeout variant of the list:set type must reference the member sets. However, its garbage collector runs at timer interrupt so the mutex protection of the references is a no go. Therefore the reference protection is converted to rwlock.
* Move the type specifici attribute validation to the coreJozsef Kadlecsik2011-01-271-1/+1
| | | | | | The type specific attribute validation can be moved to the ipset core. That way it's done centrally and thus can be eliminated from the individual set types (suggested by Patrick McHardy).
* Use vzalloc() instead of __vmalloc()Jozsef Kadlecsik2011-01-261-4/+2
| | | | Use vzalloc() if kernel version supports it. (Eric Dumazet, Patrick McHardy)
* Correct the error codes: use ENOENT and EMSGSIZEJozsef Kadlecsik2011-01-261-5/+7
| | | | Use correct error codes (Patrick McHardy's review)
* Fix trailing whitespaces and pr_* messagesJozsef Kadlecsik2011-01-211-13/+13
| | | | | | Some trailing whitespace slipped in, those are removed. With the deleted ip_set_kernel.h, the pr_* messages lost the trailing "\n" character. The messages were completed with it.
* Un-inline functions which are not small enoughJozsef Kadlecsik2011-01-201-7/+7
|
* Fix wrong kzalloc flag in type_pf_expireJozsef Kadlecsik2011-01-201-1/+1
| | | | | The expire functions of the hash types are called while locked, so kzalloc must be called with GFP_ATOMIC.
* Fix the placement style of boolean operators at continued linesJozsef Kadlecsik2011-01-201-2/+2
| | | | Fix "&&" and "||" continuation style (Patrick McHardy's review)
* Use jhash.h accepted in kernel, with backward compatibility.Jozsef Kadlecsik2011-01-131-1/+1
|
* Kernel version compatibility: support from 2.6.34Jozsef Kadlecsik2010-12-211-4/+4
| | | | | The basic kernel compatibility issues are verified back to 2.6.24. The minimal supported kernel version had to be bumped from 2.6.31 to 2.6.34.
* kernel: const annotationsJan Engelhardt2010-12-191-2/+2
|
* kernel: do not mix const and __read_mostlyJan Engelhardt2010-12-191-2/+2
| | | | | It makes no sense to mix these two. Either it is writable-plus-read-mostly, or it is constant.
* Remove unnecessary gfp_flags argumentsJozsef Kadlecsik2010-12-161-26/+22
| | | | | Where the argument was used, the set lock was already activated, therefore the argument value was always GFP_ATOMIC.
* Mistypeing in the hbucket() macro fixed.Jozsef Kadlecsik2010-12-161-2/+6
|
* Convert last printks to pr_debug in ip_set_ahash.hJozsef Kadlecsik2010-12-131-4/+2
|
* Remove remnants of slist from ip_set_ahash.hJozsef Kadlecsik2010-12-131-3/+2
|
* Add proper RCU protection to resizingJozsef Kadlecsik2010-12-101-18/+38
| | | | | | | Resizing can be triggered by userspace command only, and those are serialized by the nfnl mutex. During resizing the set is read-locked, so the only possible concurrent operations are the kernel side readers. Those must be protected by proper RCU locking.
* Convert hash types from chash to ahash.Jozsef Kadlecsik2010-12-101-0/+1057
Instead of the cache friendly hashing, use the array based hashing. According to my tests the latter uses less memory, faster at lookup and deletion, and only slower at insertion.