path: root/kernel/net/netfilter/ipset/ip_set_hash_ip.c
Commit message | Author | Age | Files | Lines
* netfilter: ipset: Support comments in hash-type ipsets. | Oliver Smith | 2013-09-23 | 1 | -1/+3
  This provides kernel support for creating ipsets with comment support. This does incur a penalty to flushing/destroying an ipset since all entries are walked in order to free the allocated strings; this penalty is of course less expensive than the operation of listing an ipset to userspace, so for general-purpose usage the overall impact is expected to be little to none.
  Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Generalize extensions support | Jozsef Kadlecsik | 2013-09-07 | 1 | -34/+2
  Get rid of the structure based extensions and introduce a blob for the extensions. Thus we can support more extension types easily.
* Move extension data to set structure | Jozsef Kadlecsik | 2013-09-07 | 1 | -4/+4
  Default timeout and extension offsets are moved to struct set, because all set types support all extensions and it makes it possible to generalize extension support.
* Fix "may be used uninitialized" warnings | Jozsef Kadlecsik | 2013-05-01 | 1 | -1/+1
  Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Rename simple macro names to avoid namespace issues. | Jozsef Kadlecsik | 2013-05-01 | 1 | -5/+5
  Reported-by: David Laight <David.Laight@ACULAB.COM>
* The hash types with counter support | Jozsef Kadlecsik | 2013-04-09 | 1 | -2/+31
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Hash types using the unified code base | Jozsef Kadlecsik | 2013-04-09 | 1 | -237/+69
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Move often used IPv6 address masking function to header file | Jozsef Kadlecsik | 2013-04-09 | 1 | -9/+0
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter ipset: Use ipv6_addr_equal() where appropriate. | YOSHIFUJI Hideaki | 2013-04-09 | 1 | -1/+1
  Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
  Signed-off-by: David S. Miller <davem@davemloft.net>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix range bug in hash:ip,port,net | Jozsef Kadlecsik | 2012-11-05 | 1 | -2/+2
  Due to the missing initialization at adding/deleting entries, when a plain_ip,port,net element was to be added, multiple elements were added/deleted instead. The bug came from the missing dangling default initialization. The error-prone default initialization is corrected in all hash:* types.
* Include supported revisions in module description | Jozsef Kadlecsik | 2012-09-11 | 1 | -3/+6
* Check and reject crazy /0 input parameters | Jozsef Kadlecsik | 2012-09-10 | 1 | -1/+1
  bitmap:ip and bitmap:ip,mac type did not reject such a crazy range when created and using such a set results in a kernel crash. The hash types just silently ignored such parameters. Reject invalid /0 input parameters explicitly.
* ipset: Stop using NLA_PUT*(). | David S. Miller | 2012-05-10 | 1 | -8/+12
  These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit.
  Signed-off-by: David S. Miller <davem@davemloft.net>
* Fix hash size checking in kernel | Jozsef Kadlecsik | 2012-05-06 | 1 | -3/+7
  The hash size must fit both into u32 (jhash) and the max value of size_t. The missing checking could lead to kernel crash, bug reported by Seblu.
* Sparse warnings "incorrect type in assignment" fixed | Jozsef Kadlecsik | 2012-05-04 | 1 | -2/+2
* net: remove ipv6_addr_copy() | Alexey Dobriyan | 2012-04-19 | 1 | -1/+1
  C assignment can handle struct in6_addr copying.
  Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
* ipset: use NFPROTO_ constants | Jan Engelhardt | 2011-08-31 | 1 | -9/+9
  ipset is actually using NFPROTO values rather than AF (xt_set passes that along).
* hash:net,iface fixed to handle overlapping nets behind different interfaces | Jozsef Kadlecsik | 2011-07-08 | 1 | -2/+4
  If overlapping networks with different interfaces were added to the set, the type did not handle it properly. Example

      ipset create test hash:net,iface
      ipset add test 192.168.0.0/16,eth0
      ipset add test 192.168.0.0/24,eth1

  Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned a match.
  In the patch the algorithm is fixed in order to correctly handle overlapping networks.
  Limitation: the same network cannot be stored with more than 64 different interfaces in a single set.
* Add xt_action_param to the variant level kadt functions, ipset API change | Jozsef Kadlecsik | 2011-05-27 | 1 | -0/+2
  With the change the sets can use any parameter available for the match and target extensions, like input/output interface. It's required for the hash:net,iface set type.
* Use unified from/to address masking and check the usage | Jozsef Kadlecsik | 2011-05-23 | 1 | -2/+1
* Set type support with multiple revisions added | Jozsef Kadlecsik | 2011-05-11 | 1 | -1/+2
  A set type may have multiple revisions, for example when syntax is extended. Support continuous revision ranges in set types.
* Fix adding ranges to hash types | Jozsef Kadlecsik | 2011-05-06 | 1 | -2/+15
  When ranges are added to hash types, the elements may trigger rehashing the set. However, the last successfully added element was not kept track of so the adding started again with the first element after the rehashing.
  Bug reported by Mr Dash Four.
* Options and flags support added to the kernel API | Jozsef Kadlecsik | 2011-04-18 | 1 | -6/+6
  The support makes it possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries.
* Timeout can be modified for already added elements | Jozsef Kadlecsik | 2011-03-27 | 1 | -5/+5
  When an element is added to a set with timeout, one can change the timeout by "readding" the element with the "-exist" flag. That means the timeout value is reset to the specified one (or to the default from the set specification if the "timeout n" option is not used). Example

      ipset add foo 1.2.3.4 timeout 10
      ipset add foo 1.2.3.4 timeout 600 -exist
* Reorganized kernel/ subdir | Jozsef Kadlecsik | 2011-02-03 | 1 | -0/+464
  The kernel/ subdirectory is reorganized to follow the kernel directory structure.