| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
|
|
| |
Separate prefixlens from ip_set core for better readibility and honoring
the independence.
Also, comment that prefixlens were borrowed from Jan Engelhardt.
|
| |
|
|
|
|
|
| |
The basic kernel compatibility issues are verified back to 2.6.24.
The minimal supported kernel version had to be bumped from 2.6.31 to 2.6.34.
|
| |
|
|
|
|
|
| |
It makes no sense to mix these two. Either it is
writable-plus-read-mostly, or it is constant.
|
|
|
|
| |
Within isolated code it would be ok, but not so in exported headers.
|
|
|
|
|
| |
Where the argument was used, the set lock was already activated, therefore
the argument value was always GFP_ATOMIC.
|
| |
|
|
|
|
| |
And enforce from kernel side as well...
|
| |
|
| |
|
|
|
|
|
|
|
| |
Resizing can be triggered by userspace command only, and those
are serialized by the nfnl mutex. During resizing the set is
read-locked, so the only possible concurrent operations are
the kernel side readers. Those must be protected by proper RCU locking.
|
|
|
|
|
|
| |
Instead of the cache friendly hashing, use the array based hashing.
According to my tests the latter uses less memory, faster at lookup and
deletion, and only slower at insertion.
|
| |
|
|
|
|
|
| |
Update ip_set_jhash.h with the version which was submitted for kernel
inclusion.
|
|
|
|
| |
Separate the ipset header files from netfilter header files.
|
|
|
|
|
| |
Spare some memory by moving the static prefixlen maps to the ipset core.
Thus we can get rid of include/net/pfxlen.h too.
|
|
|
|
|
| |
Modifying a set can be performed by save/modify/restore/swap, without
adding kernel part support.
|
| |
|
|
|
|
| |
The command is not used yet, but better to reserve it already.
|
|
|
|
|
|
|
| |
With restricting resizing so that it can be triggered by an add
from userspace only, we can modify it so that it uses read-locking
instead of write-locking. Thus the matching in the set can run parallel
with resizing.
|
|
|
|
|
| |
Resizing functions are called without holding any lock. So we can
allocate using the flag GFP_KERNEL.
|
|
|
|
|
|
| |
The listing was incorrect for large sets, when multiple messages were
required. I assume that one full hash bucket fills into one message,
but that is true for all current hash types.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- More comments added to the code
- ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip
and hash:ip,port,net types
- hash:net and hash:ip,port,net types are reworked
- hash:net,port type added
- Wrong direction parameters fixed in hash:ip,port
- Helps and manpage are updated
- More tests added
- Ugly macros are rewritten to functions in parse.c
(Holger Eitzenberger)
- resize related bug in hash types fixed (Holger Eitzenberger)
- autoreconf patches by Jan Engelhardt applied
- netlink patch minimalized: dumping can be initialized by a second
parsing of the message (thanks to David and Patrick for the suggestion)
- IPv4/IPv6 address attributes are introduced in order to fix the context
(suggested by David)
|
|
|
|
|
|
|
|
|
| |
- Use is_vmalloc_addr when freeing vmalloc or kmalloc-ed areas. Thus
we can get rid of a flag and simplify some functions.
- When checking "same" sets, ignore hash size, because resizing
changes it.
- 2.6.35 compatibility added.
- Discuss backward/forward compatibilities in the README file.
|
|
|
|
|
|
|
|
| |
ipset 5 is tested on Sparc, which revealed some compatibility issues
and those are fixed. Kernels from 2.6.31 onward are supported.
The testsuite checkings are completed to run match/target checks.
The README file is updated to reflect the requirements to install
and run ipset 5.
|
|
|
|
|
|
| |
- getting ports for family INET6 fixed
- more manpage polishing
- tests to check the iptables/ip6tables match and target added
|
|
|
|
|
|
|
|
|
|
|
| |
- the hash types can now store protocol together port, not only port
- lots of fixes everywhere: parser, error reporting, manpage
The last bits on the todo list before announcing ipset 5:
- recheck all the error messages
- add possibly more tests
- polish manpage
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reworked protocol and internal interfaces, missing set types added,
backward compatibility verified, lots of tests added (and thanks to the tests,
bugs fixed), even the manpage is rewritten ;-). Countless changes everywhere...
The missing bits before announcing ipset 5:
- net namespace support
- new iptables/ip6tables extension library
- iptables/ip6tables match and target tests (backward/forward compatibility)
- tests on catching syntax errors
|
|
|
|
| |
Commit changed files in kernel/...
|
|
|
|
|
| |
Refresh existing files in kernel/ with new content and add some
new include/source files.
|
|
|
|
| |
Remove unnecessary include files and rename some.
|
|
|
|
| |
Rename files in kernel/ and get rid of old ones (2.4.x kernel tree support).
|
| |
|
|
|
|
| |
See ChangeLog files
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A few minor bugs fixed and cleanups:
- Nonexistent sets were reported as existing sets when testing
from userspace in setlist type of sets (bug reported by Victor A.
Safronov)
- When saving sets, setlist type of sets must come last in order
to satisfy the dependency from the elements (bug reported by Marty B.)
- Sparse insists that the flags argument to kmalloc() is gfp_t
(Stephen Hemminger)
- Correct format specifiers and change %i to %d (Jan Engelhardt)
- Fix the definition of 'bool' for kernels <= 2.6.18 (Jan Engelhardt)
|
|
|
|
|
| |
The main change is full bigendian and 64/32bit enviroment support - in
consequence the kernel-userspace protocol version was bumped.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The old lookup2() Jenkins' hash is outdated, there is a new version called
lookup3() which
- mixes better than lookup2(): passes the check that every input bit changes
every output bit 50% of the time - lookup2() failed it.
- performs better: compiled with -O2 on Core2 Duo, lookup3() 20-40% faster
than lookup2() depending on the key length.
The patch replaces the lookup2() implementation of 'jhash*' with that of
lookup3().
|
|
|
|
|
|
| |
- setlist type does not work properly together with swapping
sets, bug reported by Thomas Jacob.
- Include linux/capability.h explicitly in ip_set.c (Jan Engelhardt)
|
|
|
|
|
|
|
|
| |
- Premature checking prevents to add valid elements to hash
types, fixed (bug reported by JC Janos).
- Local variable shadows another variable, fixed (reported
by Jan Engelhardt).
- More compiler warning options added and warnings fixed.
|
|
|
|
|
| |
- Include file <limits.h> was missing from userspace set type
modules.
|
|
|
|
|
|
|
|
| |
- When flushing a nethash/ipportnethash type of set, it can
lead to a kernel crash due to a wrong type declaration,
bug reported by Krzysztof Oledzki.
- iptree and iptreemap types require the header file linux/timer.h,
also reported by Krzysztof Oledzki.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
userspace changes:
- Added KBUILD_OUTPUT support (Sven Wegener)
- Fix memory leak in ipset_iptreemap (Sven Wegener)
- Fix multiple compiler warnings (Sven Wegener)
- ipportiphash, ipportnethash and setlist types added
- binding marked as deprecated functionality
- element separator token changed to ',' in anticipating
IPv6 addresses, old separator tokens are still supported
- unnecessary includes removed
- ipset does not try to resolve IP addresses when listing
the content of sets (default changed)
- manpage updated
- ChangeLog forked for kernel part
kernel part changes:
- ipportiphash, ipportnethash and setlist types added
- set type modules reworked to avoid code duplication
as much as possible, code unification macros
- expand_macros Makefile target added to help debugging
code unification macros
- ip_set_addip_kernel and ip_set_delip_kernel
changed from void to int, __ip_set_get_byname and
__ip_set_put_byid added for the sake of setlist type
- unnecessary includes removed
- compatibility fix for kernels >= 2.6.27:
semaphore.h was moved from asm/ to linux/ (James King)
- ChangeLog forked for kernel part
|
| |
|
| |
|
|
|