path: root/kernel/net/netfilter/ipset/ip_set_hash_gen.h
Commit message | Author | Age | Files | Lines
* netfilter: ipset: Add hash:net,net module to kernel. | Oliver Smith | 2013-09-20 | 1 | -9/+49
  This adds a new set that provides the ability to configure pairs of subnets. A small amount of additional handling code has been added to the generic hash header file - this code is conditionally activated by a preprocessor definition.
  Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Fix serious failure in CIDR tracking | Oliver Smith | 2013-09-15 | 1 | -10/+14
  This fixes a serious bug affecting all hash types with a net element - specifically, if a CIDR value is deleted such that none of the same size exist any more, all larger (less-specific) values will then fail to match. Adding back any prefix with a CIDR equal to or more specific than the one deleted will fix it.
  Steps to reproduce:
    ipset -N test hash:net
    ipset -A test 1.1.0.0/16
    ipset -A test 2.2.2.0/24
    ipset -T test 1.1.1.1 #1.1.1.1 IS in set
    ipset -D test 2.2.2.0/24
    ipset -T test 1.1.1.1 #1.1.1.1 IS NOT in set
  This is due to the fact that the nets counter was unconditionally decremented prior to the iteration that shifts up the entries. Now, we first check if there is a proceeding entry and if not, decrement it and return. Otherwise, we proceed to iterate and then zero the last element, which, in most cases, will already be zero.
  Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support extensions which need a per data destroy function | Jozsef Kadlecsik | 2013-09-09 | 1 | -25/+46
* Generalize extensions support | Jozsef Kadlecsik | 2013-09-07 | 1 | -76/+10
  Get rid of the structure based extensions and introduce a blob for the extensions. Thus we can support more extension types easily.
* Move extension data to set structure | Jozsef Kadlecsik | 2013-09-07 | 1 | -68/+59
  Default timeout and extension offsets are moved to struct set, because all set types support all extensions and it makes it possible to generalize extension support.
* Rename extension offset ids to extension ids | Jozsef Kadlecsik | 2013-09-06 | 1 | -11/+11
* Prepare ipset to support multiple networks for hash types | Jozsef Kadlecsik | 2013-09-04 | 1 | -36/+38
  In order to support hash:net,net, hash:net,port,net etc. types, arrays are introduced for the book-keeping of existing cidr sizes and network numbers in a set.
* Compatibility fixes to keep the support of kernels back to 2.6.32 | Jozsef Kadlecsik | 2013-05-09 | 1 | -2/+2
* Rename simple macro names to avoid namespace issues. | Jozsef Kadlecsik | 2013-05-01 | 1 | -70/+77
  Reported-by: David Laight <David.Laight@ACULAB.COM>
* Fix sparse warnings due to missing rcu annotations | Jozsef Kadlecsik | 2013-04-30 | 1 | -32/+55
  Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Don't call ip_nest_end needlessly in the error path | Jozsef Kadlecsik | 2013-04-27 | 1 | -1/+1
  Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
* The hash types with counter support | Jozsef Kadlecsik | 2013-04-09 | 1 | -2/+63
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Unified hash type generation | Jozsef Kadlecsik | 2013-04-09 | 1 | -0/+1039
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>