summaryrefslogtreecommitdiffstats
path: root/kernel/net/netfilter/ipset
Commit message (Collapse)AuthorAgeFilesLines
* netfilter: ipset: fix netiface set name overflowFlorian Westphal2012-11-221-1/+1
| | | | | | | | | | attribute is copied to IFNAMSIZ-size stack variable, but IFNAMSIZ is smaller than IPSET_MAXNAMELEN. Fortunately nfnetlink needs CAP_NET_ADMIN. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Increase the number of maximal sets automatically as neededJozsef Kadlecsik2012-11-191-8/+51
| | | | | The max number of sets was hardcoded at kernel cofiguration time. The patch adds the support to increase the max number of sets automatically.
* Fix range bug in hash:ip,port,netJozsef Kadlecsik2012-11-054-12/+13
| | | | | | | | | Due to the missing ininitalization at adding/deleting entries, when a plain_ip,port,net element was to be added, multiple elements were added/deleted instead. The bug came from the missing dangling default initialization. The error-prone default initialization is corrected in all hash:* types.
* Support to match elements marked with "nomatch" in hash:*net* setsJozsef Kadlecsik2012-09-215-20/+28
| | | | | | | | | | | | | | | Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ...
* Coding style fixesJozsef Kadlecsik2012-09-114-9/+12
|
* Include supported revisions in module descriptionJozsef Kadlecsik2012-09-1111-39/+72
|
* Add /0 network support to hash:net,iface typeJozsef Kadlecsik2012-09-101-23/+21
| | | | | Now it is possible to setup a single hash:net,iface type of set and a single ip6?tables match which covers all egress/ingress filtering.
* Check and reject crazy /0 input parametersJozsef Kadlecsik2012-09-106-10/+13
| | | | | | | | bitmap:ip and bitmap:ip,mac type did not reject such a crazy range when created and using such a set results in a kernel crash. The hash types just silently ignored such parameters. Reject invalid /0 input parameters explicitely.
* Backport ether_addr_equalJozsef Kadlecsik2012-09-101-2/+11
|
* net: cleanup unsigned to unsigned intEric Dumazet2012-09-081-3/+3
| | | | | | | Use of "unsigned int" is preferred to bare "unsigned" in net tree. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* ipset: Handle properly an IPSET_CMD_NONETomasz Bursztyka2012-06-291-0/+12
| | | | | Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: hash:net,iface: fix interface comparisonFlorian Westphal2012-06-191-28/+4
| | | | | | | | | | | | | | | | ifname_compare() assumes that skb->dev is zero-padded, e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1); in e1000_probe(), so once device is registered dev->name memory contains 'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare fail. Use plain strcmp() instead. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netlink: add netlink_dump_control structure for netlink_dump_start()Pablo Neira Ayuso2012-05-101-2/+12
| | | | Backport of Pablo's patch to the ipset package.
* ipset: Stop using NLA_PUT*().David S. Miller2012-05-1012-229/+271
| | | | | | | These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit. Signed-off-by: David S. Miller <davem@davemloft.net>
* Fix hash size checking in kernelJozsef Kadlecsik2012-05-067-21/+49
| | | | | | The hash size must fit both into u32 (jhash) and the max value of size_t. The missing checking could lead to kernel crash, bug reported by Seblu.
* Sparse warnings "incorrect type in assignment" fixedJozsef Kadlecsik2012-05-047-33/+39
|
* ipv6: Add fragment reporting to ipv6_skip_exthdr().Jesse Gross2012-05-041-0/+8
| | | | | | | | | | While parsing through IPv6 extension headers, fragment headers are skipped making them invisible to the caller. This reports the fragment offset of the last header in order to make it possible to determine whether the packet is fragmented and, if so whether it is a first or last fragment. Signed-off-by: Jesse Gross <jesse@nicira.com>
* net: remove ipv6_addr_copy()Alexey Dobriyan2012-04-192-2/+2
| | | | | | | C assignment can handle struct in6_addr copying. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Fix the inclusion of linux/export.hHenry Culver2012-01-202-2/+2
| | | | | | The tests for inclusion of linux/export.h in ipset-6.11:kernel/net/netfilter/ipset/{ip_set_getport.c,pfxlen.c} are incorrect, linux/export.h did not go in until 3.2.0.
* Exceptions support added to hash:*net* typesJozsef Kadlecsik2012-01-134-93/+329
| | | | | | | | | | | | The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set.
* net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modulesPaul Gortmaker2012-01-132-0/+8
| | | | | | | These files are non modular, but need to export symbols using the macros now living in export.h -- call out the include so that things won't break when we remove the implicit presence of module.h from everywhere.
* Invert the logic to include version.h in ip_set_core.cJozsef Kadlecsik2011-09-152-2/+2
|
* Suppress false compile-time warnings:Jozsef Kadlecsik2011-09-153-3/+3
| | | | warning: 'ip_to' may be used uninitialized in this function
* Fix compiling ipset as external kernel modulesJozsef Kadlecsik2011-09-062-2/+2
|
* Complete Kconfig with hash:net,iface typeJozsef Kadlecsik2011-09-051-0/+10
| | | | | The Kconfig file is not used at building ipset as external system, still let the file be complete.
* rtnetlink: Compute and store minimum ifinfo dump sizeGreg Rose2011-09-051-0/+4
| | | | | | | | | | | | | | | | | | [The patch changes the API of the netlink_dump_start interface: port it to the standalone ipset package.] The message size allocated for rtnl ifinfo dumps was limited to a single page. This is not enough for additional interface info available with devices that support SR-IOV and caused a bug in which VF info would not be displayed if more than approximately 40 VFs were created per interface. Implement a new function pointer for the rtnl_register service that will calculate the amount of data required for the ifinfo dump and allocate enough data to satisfy the request. Signed-off-by: Greg Rose <gregory.v.rose@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
* Remove redundant linux/version.h includes from net/Jesper Juhl2011-09-051-0/+2
| | | | | | | | | | | | | | | | | | | | | | It was suggested by "make versioncheck" that the follwing includes of linux/version.h are redundant: /home/jj/src/linux-2.6/net/caif/caif_dev.c: 14 linux/version.h not needed. /home/jj/src/linux-2.6/net/caif/chnl_net.c: 10 linux/version.h not needed. /home/jj/src/linux-2.6/net/ipv4/gre.c: 19 linux/version.h not needed. /home/jj/src/linux-2.6/net/netfilter/ipset/ip_set_core.c: 20 linux/version.h not needed. /home/jj/src/linux-2.6/net/netfilter/xt_set.c: 16 linux/version.h not needed. and it seems that it is right. Beyond manually inspecting the source files I also did a few build tests with various configs to confirm that including the header in those files is indeed not needed. Here's a patch to remove the pointless includes. Signed-off-by: Jesper Juhl <jj@chaosbits.net> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: use NFPROTO_ constantsJan Engelhardt2011-08-3113-60/+60
| | | | | ipset is actually using NFPROTO values rather than AF (xt_set passes that along).
* netfilter: Remove unnecessary OOM logging messagesJoe Perches2011-08-311-3/+1
| | | | | | | | | | | Removing unnecessary messages saves code and text. Site specific OOM messages are duplications of a generic MM out of memory message and aren't really useful, so just delete them. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Dumping error triggered removing references twice and lead to kernel BUGJozsef Kadlecsik2011-08-311-0/+1
| | | | | | | | If there was a dumping error in the middle, the set-specific variable was not zeroed out and thus the 'done' function of the dumping wrongly tried to release the already released reference of the set. The already released reference was caught by __ip_set_put and triggered a kernel BUG message. The issue was reported by Jean-Philippe Menil.
* Autoload set type modules safelyJozsef Kadlecsik2011-08-291-10/+26
| | | | | | Jan Engelhardt noticed when userspace requests a set type unknown to the kernel, it can lead to a loop due to the unsafe type module loading. The issue is fixed in this patch.
* hash:net,iface fixed to handle overlapping nets behind different interfacesJozsef Kadlecsik2011-07-087-20/+56
| | | | | | | | | | | | | | | | | | If overlapping networks with different interfaces was added to the set, the type did not handle it properly. Example ipset create test hash:net,iface ipset add test 192.168.0.0/16,eth0 ipset add test 192.168.0.0/24,eth1 Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned a match. In the patch the algorithm is fixed in order to correctly handle overlapping networks. Limitation: the same network cannot be stored with more than 64 different interfaces in a single set.
* Whitespace and coding fixes detected by checkpatch.plJozsef Kadlecsik2011-05-316-20/+21
|
* hash:net,iface type introducedJozsef Kadlecsik2011-05-302-0/+763
| | | | | | | | | | The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1
* Use the stored first cidr value instead of '1'Jozsef Kadlecsik2011-05-283-8/+16
|
* Fix return code for destroy when sets are in useJozsef Kadlecsik2011-05-281-1/+1
|
* Add xt_action_param to the variant level kadt functions, ipset API changeJozsef Kadlecsik2011-05-2711-7/+27
| | | | | | With the change the sets can use any parameter available for the match and target extensions, like input/output interface. It's required for the hash:net,iface set type.
* Use unified from/to address masking and check the usageJozsef Kadlecsik2011-05-237-17/+9
|
* ip_set_flush returned -EPROTO instead of -IPSET_ERR_PROTOCOL, fixedJozsef Kadlecsik2011-05-231-1/+1
|
* Take into account cidr value for the from address when creating the setJozsef Kadlecsik2011-05-221-0/+1
| | | | | | When creating a set from a range expressed as a network like 10.1.1.172/29, the from address was taken as the IP address part and not masked with the netmask from the cidr.
* Support range for IPv4 at adding/deleting elements for hash:*net* typesJozsef Kadlecsik2011-05-154-54/+156
| | | | | | | | | | | | | | | | | | | The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30
* Set type support with multiple revisions addedJozsef Kadlecsik2011-05-1111-30/+45
| | | | | A set type may have multiple revisions, for example when syntax is extended. Support continuous revision ranges in set types.
* Fix adding ranges to hash typesJozsef Kadlecsik2011-05-0611-30/+137
| | | | | | When ranges are added to hash types, the elements may trigger rehashing the set. However, the last successfully added element was not kept track so the adding started again with the first element after the rehashing. Bug reported by Mr Dash Four.
* Support listing setnames and headers tooJozsef Kadlecsik2011-04-181-27/+46
| | | | | | Current listing makes possible to list sets with full content only. The patch adds support partial listings, i.e. listing just the existing setnames or listing set headers, without set members.
* Fix order of listing of setsJozsef Kadlecsik2011-04-181-8/+10
| | | | | | | | A restoreable saving of sets requires that list:set type of sets come last and the code part which should have taken into account the ordering was broken. The patch fixes the listing order. Testsuite entry added which checks the listing order.
* Options and flags support added to the kernel APIJozsef Kadlecsik2011-04-1811-75/+76
| | | | | | The support makes possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries.
* Whitespace fixes: some space before tab slipped in.Jozsef Kadlecsik2011-04-081-2/+2
|
* bitmap:ip,mac type requires "src" for MACJozsef Kadlecsik2011-04-081-0/+4
| | | | | | | | | Enforce that the second "src/dst" parameter of the set match and SET target must be "src", because we have access to the source MAC only in the packet. The previous behaviour, that the type required the second parameter but actually ignored the value was counter-intuitive and confusing. Manpage is updated to reflect the change.
* ipset/Kconfig was a mixed up kernel config file, fixed (Michael Tokarev)Jozsef Kadlecsik2011-03-291-1029/+73
|
* Timeout can be modified for already added elementsJozsef Kadlecsik2011-03-2710-93/+126
| | | | | | | | | | When an element to a set with timeout added, one can change the timeout by "readding" the element with the "-exist" flag. That means the timeout value is reset to the specified one (or to the default from the set specification if the "timeout n" option is not used). Example ipset add foo 1.2.3.4 timeout 10 ipset add foo 1.2.3.4 timeout 600 -exist