summaryrefslogtreecommitdiffstats
path: root/kernel/net/netfilter/xt_set.c
Commit message (Collapse)AuthorAgeFilesLines
* Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SECJozsef Kadlecsik2018-06-011-4/+4
| | | | | | | | Due to the negative value condition in msecs_to_jiffies(), the real max possible timeout value must be set to (UINT_MAX >> 1)/MSEC_PER_SEC. Neutron Soutmun proposed the proper fix, but an insufficient one was applied, see https://patchwork.ozlabs.org/patch/400405/.
* netfilter: xt_set: Check hook mask correctlySerhey Popovych2018-05-301-1/+1
| | | | | | | | | | | | | | | | | | Inserting rule before one with SET target we get error with warning in dmesg(1) output: # iptables -A FORWARD -t mangle -j SET --map-set test src --map-prio # iptables -I FORWARD 1 -t mangle -j ACCEPT iptables: Invalid argument. Run `dmesg' for more information. # dmesg |tail -n1 [268578.026643] mapping of prio or/and queue is allowed only from \ OUTPUT/FORWARD/POSTROUTING chains Rather than checking for supported hook bits for SET target check for unsupported one as done in all rest of matches and targets. Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix "don't update counters" mode when counters used at the matchingJozsef Kadlecsik2018-01-041-76/+43
| | | | The matching of the counters was not taken into account, fixed.
* Compatibility: handle changes in 4.10 kernel treeJozsef Kadlecsik2017-03-231-13/+13
| | | | | Handle changes in struct xt_action_param and the new xt_family(), xt_net() interfaces (reported by Jan Engelhardt).
* Fix coding styles reported by checkpatch.pl, already in kernelJozsef Kadlecsik2016-10-111-4/+3
|
* netfilter: ipset: Improve skbinfo get/init helpersJozsef Kadlecsik2015-05-051-5/+7
| | | | | | | | | | | Use struct ip_set_skbinfo in struct ip_set_ext instead of open coded fields and assign structure members in get/init helpers instead of copying members one by one. Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>. Suggested-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix coding styles reported by the most recent checkpatch.pl.Jozsef Kadlecsik2015-04-171-14/+14
|
* netfilter: ipset: fix boolreturn.cocci warningskbuild test robot2015-03-111-2/+2
| | | | | | | | | | | | | net/netfilter/xt_set.c:196:9-10: WARNING: return of 0/1 in function 'set_match_v3' with return type bool net/netfilter/xt_set.c:242:9-10: WARNING: return of 0/1 in function 'set_match_v4' with return type bool Return statements in functions returning bool should use true/false instead of 1/0. Generated by: scripts/coccinelle/misc/boolreturn.cocci CC: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* More compatibility checking and simplificationsJozsef Kadlecsik2015-01-061-1/+2
| | | | | Try hard to keep the support of the 2.6.32 kernel tree and simplify the code with self-referential macros.
* styles warned by checkpatch.pl fixedJozsef Kadlecsik2014-11-181-1/+8
|
* Add more compatibility checkings to support older kernel releasesJozsef Kadlecsik2014-11-181-1/+4
|
* Alignment problem between 64bit kernel 32bit userspaceJozsef Kadlecsik2014-11-031-3/+70
| | | | | | | | | | | | | | | | Sven-Haegar Koch reported the issue: sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT iptables: Invalid argument. Run `dmesg' for more information. In syslog: x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32 which was introduced by the counter extension in ipset. The patch fixes the alignment issue with introducing a new set match revision with the fixed underlying 'struct ip_set_counter_match' structure.
* netfilter: Convert pr_warning to pr_warnJoe Perches2014-09-141-24/+18
| | | | | | | | | | | | Use the more common pr_warn. Other miscellanea: o Coalesce formats o Realign arguments Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Add skbinfo extension support to SET target.Anton Danilov2014-09-141-12/+181
| | | | | Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Compatibility code is modified not to rely on kernel version numbersJozsef Kadlecsik2013-10-021-22/+24
| | | | | | | Instead the kernel source code is checked to verify the different compatibility issues for the supported kernel releases. This way hopefully backported features will be handled properly.
* ipset: Add net namespace for ipsetVitaly Lavrov2013-09-281-20/+20
| | | | | | | | | | | | | | | | This patch adds netns support for ipset. Major changes were made in ip_set_core.c and ip_set.h. Global variables are moved to per net namespace. Added initialization code and the destruction of the network namespace ipset subsystem. In the prototypes of public functions ip_set_* added parameter "struct net*". The remaining corrections related to the change prototypes of public functions ip_set_*. The patch for git://git.netfilter.org/ipset.git commit 6a4ec96c0b8caac5c35474e40e319704d92ca347 Signed-off-by: Vitaly Lavrov <lve@guap.ru> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Compatibility fixes to keep the support of kernels back to 2.6.32Jozsef Kadlecsik2013-05-091-46/+46
|
* set match: add support to match the countersJozsef Kadlecsik2013-04-091-0/+70
| | | | | | | | | | The new revision of the set match supports to match the counters and to suppress updating the counters at matching too. At the set:list types, the updating of the subcounters can be suppressed as well. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduce extensions to elements in the coreJozsef Kadlecsik2013-04-091-16/+8
| | | | | | | Introduce extensions to elements in the core and prepare timeout as the first one. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add a compatibility header file for easier maintenanceJozsef Kadlecsik2013-04-091-1/+2
| | | | | | | Unfortunately not everything could be moved there, there are still compatibility ifdefs in some other files. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Restore the support of kernel versions between 2.6.32 and 2.6.35Jozsef Kadlecsik2012-11-051-64/+88
|
* Support to match elements marked with "nomatch" in hash:*net* setsJozsef Kadlecsik2012-09-211-0/+22
| | | | | | | | | | | | | | | Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ...
* Coding style fix, backport from kernelJozsef Kadlecsik2012-09-101-2/+2
|
* Timeout fixing bug broke SET target special timeout value, fixedJozsef Kadlecsik2012-06-081-1/+3
| | | | | | The patch "Fix timeout value overflow bug at large timeout parameters" broke the SET target when no timeout was specified (reported by Jean-Philippe Menil).
* Use MSEC_PER_SEC instead of harcoded valueJozsef Kadlecsik2012-05-151-2/+2
| | | | | David Laight and Eric Dumazet noticed that we were using hardcoded 1000 instead of MSEC_PER_SEC to calculate the timeout.
* Fix timeout value overflow bug at large timeout parametersJozsef Kadlecsik2012-05-041-2/+13
| | | | | Large timeout parameters could result wrong timeout values due to an overflow at msec to jiffies conversion (reported by Andreas Herz)
* Remove redundant linux/version.h includes from net/Jesper Juhl2011-09-051-1/+0
| | | | | | | | | | | | | | | | | | | | | | It was suggested by "make versioncheck" that the follwing includes of linux/version.h are redundant: /home/jj/src/linux-2.6/net/caif/caif_dev.c: 14 linux/version.h not needed. /home/jj/src/linux-2.6/net/caif/chnl_net.c: 10 linux/version.h not needed. /home/jj/src/linux-2.6/net/ipv4/gre.c: 19 linux/version.h not needed. /home/jj/src/linux-2.6/net/netfilter/ipset/ip_set_core.c: 20 linux/version.h not needed. /home/jj/src/linux-2.6/net/netfilter/xt_set.c: 16 linux/version.h not needed. and it seems that it is right. Beyond manually inspecting the source files I also did a few build tests with various configs to confirm that including the header in those files is indeed not needed. Here's a patch to remove the pointless includes. Signed-off-by: Jesper Juhl <jj@chaosbits.net> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Whitespace and coding fixes detected by checkpatch.plJozsef Kadlecsik2011-05-311-1/+1
|
* Add xt_action_param to the variant level kadt functions, ipset API changeJozsef Kadlecsik2011-05-271-9/+10
| | | | | | With the change the sets can use any parameter available for the match and target extensions, like input/output interface. It's required for the hash:net,iface set type.
* Drop supporting kernel versions below 2.6.35Jozsef Kadlecsik2011-05-241-83/+14
|
* Options and flags support added to the kernel APIJozsef Kadlecsik2011-04-181-55/+109
| | | | | | The support makes possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries.
* set match and SET target fixesJozsef Kadlecsik2011-04-091-2/+16
| | | | | | | The SET target with --del-set did not work due to using wrongly the internal dimension of --add-set instead of --del-set. Also, the checkentries did not release the set references when returned an error. Bugs reported by Lennert Buytenhek.
* Reorganized kernel/ subdirJozsef Kadlecsik2011-02-031-0/+423
The kernel/ subdirectory is reorganized to follow the kernel directory structure.