| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
|
|
|
| |
Support adding/deleting multiple entries in the kernel side
of the hash:ip,port, hash:ip,port,ip, hash:ip,port,net and
hash:net,port types.
|
| |
|
|
|
| |
Where the argument was used, the set lock was already activated, therefore
the argument value was always GFP_ATOMIC.
|
| | |
|
| |
|
|
| |
And enforce from kernel side as well...
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Resizing can be triggered by userspace command only, and those
are serialized by the nfnl mutex. During resizing the set is
read-locked, so the only possible concurrent operations are
the kernel side readers. Those must be protected by proper RCU locking.
|
| |
|
|
|
|
| |
Instead of the cache friendly hashing, use the array based hashing.
According to my tests the latter uses less memory, faster at lookup and
deletion, and only slower at insertion.
|
| | |
|
| |
|
|
|
| |
Update ip_set_jhash.h with the version which was submitted for kernel
inclusion.
|
| |
|
|
| |
Separate the ipset header files from netfilter header files.
|
| | |
|
| |
|
|
|
| |
Spare some memory by moving the static prefixlen maps to the ipset core.
Thus we can get rid of include/net/pfxlen.h too.
|
| |
|
|
|
| |
Modifying a set can be performed by save/modify/restore/swap, without
adding kernel part support.
|
| | |
|
| |
|
|
| |
The command is not used yet, but better to reserve it already.
|
| |
|
|
|
|
|
| |
With restricting resizing so that it can be triggered by an add
from userspace only, we can modify it so that it uses read-locking
instead of write-locking. Thus the matching in the set can run parallel
with resizing.
|
| |
|
|
|
|
| |
Resizing in kernel context is simply too expensive. Drop the feature:
if a set is used as a dynamic container by a SET target, then the set
must be created with a proper size from now on.
|
| |
|
|
|
| |
Resizing functions are called without holding any lock. So we can
allocate using the flag GFP_KERNEL.
|
| |
|
|
|
|
| |
The listing was incorrect for large sets, when multiple messages were
required. I assume that one full hash bucket fills into one message,
but that is true for all current hash types.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- More comments added to the code
- ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip
and hash:ip,port,net types
- hash:net and hash:ip,port,net types are reworked
- hash:net,port type added
- Wrong direction parameters fixed in hash:ip,port
- Helps and manpage are updated
- More tests added
- Ugly macros are rewritten to functions in parse.c
(Holger Eitzenberger)
- resize related bug in hash types fixed (Holger Eitzenberger)
- autoreconf patches by Jan Engelhardt applied
- netlink patch minimalized: dumping can be initialized by a second
parsing of the message (thanks to David and Patrick for the suggestion)
- IPv4/IPv6 address attributes are introduced in order to fix the context
(suggested by David)
|
| |
|
|
|
|
|
|
|
| |
- Use is_vmalloc_addr when freeing vmalloc or kmalloc-ed areas. Thus
we can get rid of a flag and simplify some functions.
- When checking "same" sets, ignore hash size, because resizing
changes it.
- 2.6.35 compatibility added.
- Discuss backward/forward compatibilities in the README file.
|
| |
|
|
|
|
|
| |
Makefile fixes: compiler flags
README and manpage fixes
Compatibility with newer gcc releases (4.4.x)
Compatibility with the 2.6.35 kernel tree
|
| |
|
|
|
|
|
|
| |
ipset 5 is tested on Sparc, which revealed some compatibility issues
and those are fixed. Kernels from 2.6.31 onward are supported.
The testsuite checkings are completed to run match/target checks.
The README file is updated to reflect the requirements to install
and run ipset 5.
|
| |
|
|
|
|
| |
- getting ports for family INET6 fixed
- more manpage polishing
- tests to check the iptables/ip6tables match and target added
|
| |
|
|
|
|
|
|
|
|
|
| |
- the hash types can now store protocol together port, not only port
- lots of fixes everywhere: parser, error reporting, manpage
The last bits on the todo list before announcing ipset 5:
- recheck all the error messages
- add possibly more tests
- polish manpage
|
| |
|
|
| |
The missing IPv6 match/target aliases added.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Reworked protocol and internal interfaces, missing set types added,
backward compatibility verified, lots of tests added (and thanks to the tests,
bugs fixed), even the manpage is rewritten ;-). Countless changes everywhere...
The missing bits before announcing ipset 5:
- net namespace support
- new iptables/ip6tables extension library
- iptables/ip6tables match and target tests (backward/forward compatibility)
- tests on catching syntax errors
|
| |
|
|
| |
Commit changed files in kernel/...
|
| |
|
|
|
| |
Refresh existing files in kernel/ with new content and add some
new include/source files.
|
| |
|
|
| |
Remove unnecessary include files and rename some.
|
| |
|
|
| |
Rename files in kernel/ and get rid of old ones (2.4.x kernel tree support).
|
| |
|
|
|
|
|
|
|
|
|
| |
kernel:
- nethash and ipportnethash types counted every entry twice
which could produce bogus entries when listing/saving these types
of sets (bug reported by Husnu Demir)
userspace:
- Checking null entries when listing/saving hash types of sets
deleted because it's unnecessary and can mask possible errors.
|
| | |
|
| | |
|
| |
|
|
| |
See ChangeLog files
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A few minor bugs fixed and cleanups:
- Nonexistent sets were reported as existing sets when testing
from userspace in setlist type of sets (bug reported by Victor A.
Safronov)
- When saving sets, setlist type of sets must come last in order
to satisfy the dependency from the elements (bug reported by Marty B.)
- Sparse insists that the flags argument to kmalloc() is gfp_t
(Stephen Hemminger)
- Correct format specifiers and change %i to %d (Jan Engelhardt)
- Fix the definition of 'bool' for kernels <= 2.6.18 (Jan Engelhardt)
|
| |
|
|
|
| |
The main change is full bigendian and 64/32bit enviroment support - in
consequence the kernel-userspace protocol version was bumped.
|
| | |
|
| | |
|
| |
|
|
|
| |
References to the old include file replaced with new one in order to
really use the new Jenkins' hash function.
|
| |
|
|
| |
Kernel changelog on Jenkins' hash update added.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The old lookup2() Jenkins' hash is outdated, there is a new version called
lookup3() which
- mixes better than lookup2(): passes the check that every input bit changes
every output bit 50% of the time - lookup2() failed it.
- performs better: compiled with -O2 on Core2 Duo, lookup3() 20-40% faster
than lookup2() depending on the key length.
The patch replaces the lookup2() implementation of 'jhash*' with that of
lookup3().
|
| |
|
|
|
|
| |
Bug fixed: after elements are added and deleted from a hash, an element
can successfully be added in spite it's already in the hash and thus
duplicates can occur. Bug spotted by Shih-Yi Chen.
|
| |
|
|
| |
Compatibility with old gcc without 'bool' added.
|
| |
|
|
| |
Typo which broke compilation with kernels < 2.6.28 fixed.
|
