summaryrefslogtreecommitdiffstats
path: root/kernel
Commit message (Collapse)AuthorAgeFilesLines
* When a single set is destroyed, make sure it can't be grabbed by dumpJozsef Kadlecsik2015-04-261-9/+11
|
* In comment extension ip_set_comment_free() is always called in a safe pathJozsef Kadlecsik2015-04-261-1/+11
|
* Add rcu_barrier() to module removal in the bitmap types tooJozsef Kadlecsik2015-04-173-0/+3
|
* Fix coding styles reported by the most recent checkpatch.pl.Jozsef Kadlecsik2015-04-1715-114/+123
|
* Make sure bitmap:ip,mac detects the proper MAC even when it's overwrittenJozsef Kadlecsik2015-03-294-6/+20
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* RCU safe comment extension handlingJozsef Kadlecsik2015-03-294-20/+42
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Make sure the proper is_destroyed value is checked at dumpingJozsef Kadlecsik2015-03-291-2/+4
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix broken commit "Check extensions attributes before getting extensions."Jozsef Kadlecsik2015-03-291-8/+8
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Improve preprocessor macros checksSergey Popovich2015-03-243-7/+18
| | | | | | | | Check if mandatory MTYPE, HTYPE and HOST_MASK macros defined. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Fix hashing for ipv6 setsSergey Popovich2015-03-245-8/+2
| | | | | | | | | | | | | | | HKEY_DATALEN remains defined after first inclusion of ip_set_hash_gen.h, so it is incorrectly reused for IPv6 code. Undefine HKEY_DATALEN in ip_set_hash_gen.h at the end. Also remove some useless defines of HKEY_DATALEN in ip_set_hash_{ip{,mark,port},netiface}.c as ip_set_hash_gen.h defines it correctly for such set types anyway. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Fix ext_*() macrosSergey Popovich2015-03-231-4/+4
| | | | | | | | | So pointers returned by these macros could be referenced with -> directly. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Check for comment netlink attribute lengthSergey Popovich2015-03-2315-15/+30
| | | | | | | | Ensure userspace supplies string not longer than IPSET_MAX_COMMENT_SIZE. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Return bool values instead of intSergey Popovich2015-03-2010-38/+43
| | | | | Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Check CIDR value only when attribute is givenSergey Popovich2015-03-204-49/+41
| | | | | | | | | | | | | | | | There is no reason to check CIDR value regardless attribute specifying CIDR is given. Initialize cidr array in element structure on element structure declaration to let more freedom to the compiler to optimize initialization right before element structure is used. Remove local variables cidr and cidr2 for netnet and netportnet hashes as we do not use packed cidr value for such set types and can store value directly in e.cidr[]. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Make sure we always return line number on batchSergey Popovich2015-03-2015-75/+75
| | | | | | | | | | | | Even if we return with generic IPSET_ERR_PROTOCOL it is good idea to return line number if we called in batch mode. Moreover we are not always exiting with IPSET_ERR_PROTOCOL. For example hash:ip,port,net may return IPSET_ERR_HASH_RANGE_UNSUPPORTED or IPSET_ERR_INVALID_CIDR. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Permit CIDR equal to the host address CIDR in IPv6Sergey Popovich2015-03-205-15/+38
| | | | | | | | | | | | | Permit userspace to supply CIDR length equal to the host address CIDR length in netlink message. Prohibit any other CIDR length for IPv6 variant of the set. Also return -IPSET_ERR_HASH_RANGE_UNSUPPORTED instead of generic -IPSET_ERR_PROTOCOL in IPv6 variant of hash:ip,port,net when IPSET_ATTR_IP_TO attribute is given. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Use HOST_MASK literal to represent host address CIDR lenSergey Popovich2015-03-207-9/+11
| | | | | Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Check IPSET_ATTR_PORT only onceSergey Popovich2015-03-205-40/+10
| | | | | | | | | | We do not need to check tb[IPSET_ATTR_PORT] != NULL before retrieving port, as this attribute is known to exist due to ip_set_attr_netorder() returning true only when attribute exists and it is in network byte order. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Check extensions attributes before getting extensions.Sergey Popovich2015-03-2016-170/+29
| | | | | | | | Make all extensions attributes checks within ip_set_get_extensions() and reduce number of duplicated code. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Use SET_WITH_*() helpers to test set extensionsSergey Popovich2015-03-202-7/+7
| | | | | Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Return ipset error instead of boolSergey Popovich2015-03-1912-48/+126
| | | | | | | | | | | | Statement ret = func1() || func2() returns 0 when both func1() and func2() return 0, or 1 if func1() or func2() returns non-zero. However in our case func1() and func2() returns error code on failure, so it seems good to propagate such error codes, rather than returning 1 in case of failure. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Preprocessor directices cleanupSergey Popovich2015-03-1912-34/+4
| | | | | | | | | | | | | | * Undefine mtype_data_reset_elem before defining. * Remove duplicated mtype_gc_init undefine, move mtype_gc_init define closer to mtype_gc define. * Use htype instead of HTYPE in IPSET_TOKEN(HTYPE, _create)(). * Remove PF definition from sets: no more used. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: No need to make nomatch bitfieldSergey Popovich2015-03-191-2/+2
| | | | | | | | | | We do not store cidr packed with no match, so there is no need to make nomatch bitfield. This simplifies mtype_data_reset_flags() a bit. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Make sure bit operations are not reorderedJozsef Kadlecsik2015-03-192-2/+10
| | | | | Sergey Popovich pointed out that {set,clear}_bit() operations must be protected against instruction reordering.
* netfilter: ipset: Properly calculate extensions offsets and total lengthSergey Popovich2015-03-161-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Offsets and total length returned by the ip_set_elem_len() calculated incorrectly as initial set element length (i.e. len parameter) is used multiple times in offset calculations, also affecting set element total length. Use initial set element length as start offset, do not add aligned extension offset to the offset. Return offset as total length of the set element. This reduces memory requirements on per element basic for the hash:* type of sets. For example output from 'ipset -terse list test-1' on 64-bit PC, where test-1 is generated via following script: #!/bin/bash set_name='test-1' ipset create "$set_name" hash:net family inet \ timeout 10800 counters comment \ hashsize 65536 maxelem 65536 declare -i o3 o4 fmt="add $set_name 192.168.%u.%u\n" for ((o3 = 0; o3 < 256; o3++)); do for ((o4 = 0; o4 < 256; o4++)); do printf "$fmt" $o3 $o4 done done |ipset -exist restore BEFORE this patch is applied # ipset -terse list test-1 Name: test-1 Type: hash:net Revision: 6 Header: family inet hashsize 65536 maxelem 65536 timeout 10800 counters comment Size in memory: 26348440 and AFTER applying patch # ipset -terse list test-1 Name: test-1 Type: hash:net Revision: 6 Header: family inet hashsize 65536 maxelem 65536 timeout 10800 counters comment Size in memory: 7706392 References: 0 Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix cidr handling for hash:*net* typesJozsef Kadlecsik2015-03-138-35/+41
| | | | | | | | Commit 092d67cda9ad4 broke the cidr handling for the hash:*net* types when the sets were used by the SET target: entries with invalid cidr values were added to the sets. Reported by Jonathan Johnson. Testsuite entry is added to verify the fix.
* netfilter: ipset: fix boolreturn.cocci warningskbuild test robot2015-03-111-2/+2
| | | | | | | | | | | | | net/netfilter/xt_set.c:196:9-10: WARNING: return of 0/1 in function 'set_match_v3' with return type bool net/netfilter/xt_set.c:242:9-10: WARNING: return of 0/1 in function 'set_match_v4' with return type bool Return statements in functions returning bool should use true/false instead of 1/0. Generated by: scripts/coccinelle/misc/boolreturn.cocci CC: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: make ip_set_get_ip*_port to use skb_network_offsetAlexander Drozdov2015-03-111-2/+4
| | | | | | | | | | All the ipset functions respect skb->network_header value, except for ip_set_get_ip4_port() & ip_set_get_ip6_port(). The functions should use skb_network_offset() to get the transport header offset. Signed-off-by: Alexander Drozdov <al.drozdov@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Make sure listing doesn't grab a set which is just being destroyed.Jozsef Kadlecsik2015-01-081-6/+21
| | | | | There was a small window when all sets are destroyed and a concurrent listing of all sets could grab a set which is just being destroyed.
* Missing rcu_read_lock() and _unlock() in mtype_list() fixedJozsef Kadlecsik2015-01-061-0/+3
|
* More compatibility checking and simplificationsJozsef Kadlecsik2015-01-067-33/+64
| | | | | Try hard to keep the support of the 2.6.32 kernel tree and simplify the code with self-referential macros.
* Compatibility: define RCU_INIT_POINTER when __rcu is not definedJozsef Kadlecsik2015-01-061-1/+6
|
* Compatibility: check kernel source for list_last_entryJozsef Kadlecsik2015-01-061-0/+6
| | | | list_last_entry is missing on CentOS7, reported by Ricardo Klein.
* Fix coding styles reported by checkpatch.plJozsef Kadlecsik2015-01-0621-204/+221
|
* Use nlmsg_total_size instead of NLMSG_SPACE in ip_set_core.c.Jozsef Kadlecsik2015-01-061-2/+2
|
* There's no need to call synchronize_rcu() with kfree_rcu()Jozsef Kadlecsik2015-01-061-4/+0
|
* Call rcu_barrier() in module removal pathJozsef Kadlecsik2014-12-1012-2/+14
|
* Call synchronize_rcu() in set type (un)register functions only when neededJozsef Kadlecsik2014-12-101-5/+4
|
* Remove an unused macroJozsef Kadlecsik2014-12-101-4/+0
|
* Give a better name to a macro in ip_set_core.cJozsef Kadlecsik2014-12-101-9/+9
|
* Resolve the STREQ macro to make the code more readable, and use nla_strlcpy ↵Jozsef Kadlecsik2014-12-101-6/+5
| | | | where possible
* Use MSEC_PER_SEC consistentlyJozsef Kadlecsik2014-12-011-2/+2
|
* Remove unnecessary integer RCU handling and fix sparse warningsJozsef Kadlecsik2014-11-276-122/+90
|
* Fix sparse warningJozsef Kadlecsik2014-11-271-2/+2
| | | | "warning: cast to restricted __be32" warnings are fixed
* ipset 6.24 releasedv6.24Jozsef Kadlecsik2014-11-241-0/+23
|
* netfilter: ipset: small potential read beyond the end of bufferDan Carpenter2014-11-181-0/+5
| | | | | | | | | | We could be reading 8 bytes into a 4 byte buffer here. It seems harmless but adding a check is the right thing to do and it silences a static checker warning. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Fix parallel resizing and listing of the same setJozsef Kadlecsik2014-11-183-22/+65
| | | | | | | | When elements added to a hash:* type of set and resizing triggered, parallel listing could start to list the original set (before resizing) and "continue" with listing the new set. Fix it by references and using the original hash table for listing. Therefore the destroying the original hash table may happen from the resizing or listing functions.
* styles warned by checkpatch.pl fixedJozsef Kadlecsik2014-11-1810-10/+38
|
* Introduce RCU in all set types instead of rwlock per setJozsef Kadlecsik2014-11-187-484/+613
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Performance is tested by Jesper Dangaard Brouer: Simple drop in FORWARD ~~~~~~~~~~~~~~~~~~~~~~ Dropping via simple iptables net-mask match:: iptables -t raw -N simple || iptables -t raw -F simple iptables -t raw -I simple -s 198.18.0.0/15 -j DROP iptables -t raw -D PREROUTING -j simple iptables -t raw -I PREROUTING -j simple Drop performance in "raw": 11.3Mpps Generator: sending 12.2Mpps (tx:12264083 pps) Drop via original ipset in RAW table ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Create a set with lots of elements:: sudo ./ipset destroy test echo "create test hash:ip hashsize 65536" > test.set for x in `seq 0 255`; do for y in `seq 0 255`; do echo "add test 198.18.$x.$y" >> test.set done done sudo ./ipset restore < test.set Dropping via ipset:: iptables -t raw -F iptables -t raw -N net198 || iptables -t raw -F net198 iptables -t raw -I net198 -m set --match-set test src -j DROP iptables -t raw -I PREROUTING -j net198 Drop performance in "raw" with ipset: 8Mpps Perf report numbers ipset drop in "raw":: + 24.65% ksoftirqd/1 [ip_set] [k] ip_set_test - 21.42% ksoftirqd/1 [kernel.kallsyms] [k] _raw_read_lock_bh - _raw_read_lock_bh + 99.88% ip_set_test - 19.42% ksoftirqd/1 [kernel.kallsyms] [k] _raw_read_unlock_bh - _raw_read_unlock_bh + 99.72% ip_set_test + 4.31% ksoftirqd/1 [ip_set_hash_ip] [k] hash_ip4_kadt + 2.27% ksoftirqd/1 [ixgbe] [k] ixgbe_fetch_rx_buffer + 2.18% ksoftirqd/1 [ip_tables] [k] ipt_do_table + 1.81% ksoftirqd/1 [ip_set_hash_ip] [k] hash_ip4_test + 1.61% ksoftirqd/1 [kernel.kallsyms] [k] __netif_receive_skb_core + 1.44% ksoftirqd/1 [kernel.kallsyms] [k] build_skb + 1.42% ksoftirqd/1 [kernel.kallsyms] [k] ip_rcv + 1.36% ksoftirqd/1 [kernel.kallsyms] [k] __local_bh_enable_ip + 1.16% ksoftirqd/1 [kernel.kallsyms] [k] dev_gro_receive + 1.09% ksoftirqd/1 [kernel.kallsyms] [k] __rcu_read_unlock + 0.96% ksoftirqd/1 [ixgbe] [k] ixgbe_clean_rx_irq + 0.95% ksoftirqd/1 [kernel.kallsyms] [k] __netdev_alloc_frag + 0.88% ksoftirqd/1 [kernel.kallsyms] [k] kmem_cache_alloc + 0.87% ksoftirqd/1 [xt_set] [k] set_match_v3 + 0.85% ksoftirqd/1 [kernel.kallsyms] [k] inet_gro_receive + 0.83% ksoftirqd/1 [kernel.kallsyms] [k] nf_iterate + 0.76% ksoftirqd/1 [kernel.kallsyms] [k] put_compound_page + 0.75% ksoftirqd/1 [kernel.kallsyms] [k] __rcu_read_lock Drop via ipset in RAW table with RCU-locking ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With RCU locking, the RW-lock is gone. Drop performance in "raw" with ipset with RCU-locking: 11.3Mpps Performance-tested-by: Jesper Dangaard Brouer <brouer@redhat.com>
* Remove rbtree from hash:net,iface in order to run under RCUJozsef Kadlecsik2014-11-181-167/+17
|