summaryrefslogtreecommitdiffstats
path: root/kernel
Commit message (Collapse)AuthorAgeFilesLines
* Validate the set family and not the set type family at swapping.Jozsef Kadlecsik2013-08-141-1/+1
| | | | Bug reported by Quentin Armitage, netfilter bugzilla id #843.
* Consistent userspace testing with nomatch flagJozsef Kadlecsik2013-07-226-12/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The "nomatch" commandline flag should invert the matching at testing, similarly to the --return-nomatch flag of the "set" match of iptables. Until now it worked with the elements with "nomatch" flag only. From now on it works with elements without the flag too, i.e: # ipset n test hash:net # ipset a test 10.0.0.0/24 nomatch # ipset t test 10.0.0.1 10.0.0.1 is NOT in set test. # ipset t test 10.0.0.1 nomatch 10.0.0.1 is in set test. # ipset a test 192.168.0.0/24 # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is NOT in set test. Before the patch the results were ... # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is in set test.
* Skip really non-first fragments for IPv6 when getting port/protocolJozsef Kadlecsik2013-05-311-4/+2
|
* ipset standalone package needs to ship em_ipset.cJozsef Kadlecsik2013-05-313-0/+148
| | | | | | | | Due to the ipset kernel API changes, em_ipset.c needs to be provided in the ipset package, reported by Jan Engelhardt: WARNING: //lib/modules/3.7.10-jng15-default/kernel/net/sched/em_ipset.ko disagrees about version of symbol ip_set_test
* ipset 6.19 releasedv6.19Jozsef Kadlecsik2013-05-091-0/+39
|
* Compatibility fixes to keep the support of kernels back to 2.6.32Jozsef Kadlecsik2013-05-092-48/+48
|
* Backport nla_put_net64Jozsef Kadlecsik2013-05-091-0/+10
|
* Support package fragments for IPv4 protos without portsAnders K. Pedersen2013-05-031-1/+17
| | | | | | | | | | | | | | | | | | | Enable ipset port set types to match IPv4 package fragments for protocols that doesn't have ports (or the port information isn't supported by ipset). For example this allows a hash:ip,port ipset containing the entry 192.168.0.1,gre:0 to match all package fragments for PPTP VPN tunnels to/from the host. Without this patch only the first package fragment (with fragment offset 0) was matched, while subsequent fragments wasn't. This is not possible for IPv6, where the protocol is in the fragmented part of the package unlike IPv4, where the protocol is in the IP header. IPPROTO_ICMPV6 is deliberately not included, because it isn't relevant for IPv4. Signed-off-by: Anders K. Pedersen <akp@surftown.com>
* Use fix sized type for timeout in the extension partJozsef Kadlecsik2013-05-021-1/+1
|
* Make sure kernel configured properly for sparse checkingsJozsef Kadlecsik2013-05-011-0/+6
|
* Fix "may be used uninitialized" warningsJozsef Kadlecsik2013-05-019-12/+12
| | | | Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Rename simple macro names to avoid namespace issues.Jozsef Kadlecsik2013-05-0114-162/+169
| | | | Reported-by: David Laight <David.Laight@ACULAB.COM>
* Fix sparse warnings due to missing rcu annotationsJozsef Kadlecsik2013-04-301-32/+55
| | | | Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Sparse warning about shadowed variable fixedJozsef Kadlecsik2013-04-301-1/+1
| | | | | net/netfilter/ipset/ip_set_hash_ipportnet.c:275:20: warning: symbol 'cidr' shadows an earlier one
* Don't call ip_nest_end needlessly in the error pathJozsef Kadlecsik2013-04-273-3/+3
| | | | Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
* set match: add support to match the countersJozsef Kadlecsik2013-04-096-9/+120
| | | | | | | | | | The new revision of the set match supports to match the counters and to suppress updating the counters at matching too. At the set:list types, the updating of the subcounters can be suppressed as well. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The list:set type with counter supportJozsef Kadlecsik2013-04-091-6/+67
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The hash types with counter supportJozsef Kadlecsik2013-04-098-19/+381
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The bitmap types with counter supportJozsef Kadlecsik2013-04-094-15/+186
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduce the counter extension in the coreJozsef Kadlecsik2013-04-093-4/+86
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* list:set type using the extension interfaceJozsef Kadlecsik2013-04-091-246/+301
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Hash types using the unified code baseJozsef Kadlecsik2013-04-097-1865/+610
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Unified hash type generationJozsef Kadlecsik2013-04-092-1241/+1039
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Bitmap types using the unified code baseJozsef Kadlecsik2013-04-093-954/+316
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Unified bitmap type generationJozsef Kadlecsik2013-04-092-0/+271
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduce extensions to elements in the coreJozsef Kadlecsik2013-04-094-110/+86
| | | | | | | Introduce extensions to elements in the core and prepare timeout as the first one. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Move often used IPv6 address masking function to header fileJozsef Kadlecsik2013-04-096-45/+9
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Make possible to test elements marked with nomatch, from userspaceJozsef Kadlecsik2013-04-095-24/+40
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter ipset: Use ipv6_addr_equal() where appropriate.YOSHIFUJI Hideaki2013-04-097-9/+9
| | | | | | Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add a compatibility header file for easier maintenanceJozsef Kadlecsik2013-04-096-78/+101
| | | | | | | Unfortunately not everything could be moved there, there are still compatibility ifdefs in some other files. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The uapi include split in the package itselfJozsef Kadlecsik2013-04-099-268/+292
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Reorder modules a little bit in KbuildJozsef Kadlecsik2013-04-091-2/+2
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* hash:*net*: nomatch flag not excluded on set resizeJozsef Kadlecsik2013-04-095-11/+99
| | | | | | | If a resize is triggered the nomatch flag is not excluded at hashing, which leads to the element missed at lookup in the resized set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* list:set: update reference counter when last element pushed offJozsef Kadlecsik2013-04-091-3/+7
| | | | | | | The last element can be replaced or pushed off and in both cases the reference counter must be updated. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.17 releasedv6.17Jozsef Kadlecsik2013-02-211-0/+5
|
* "Directory not empty" error message (reported by John Brendler)Jozsef Kadlecsik2013-02-211-1/+2
| | | | | | | | | When an entry flagged with "nomatch" was tested by ipset, it returned the error message "Kernel error received: Directory not empty" instead of "<element> is NOT in set <setname>". The internal error code was not properly transformed before returning to userspace, fixed.
* netfilter: ipset: timeout values corrupted on set resizeJosh Hunt2013-02-211-1/+3
| | | | | | | | | | | If a resize is triggered on a set with timeouts enabled, the timeout values will get corrupted when copying them to the new set. This occured b/c the wrong timeout value is supplied to type_pf_elem_tadd(). This also adds simple debug statement similar to the one in type_pf_resize(). Signed-off-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Make sure ip_set_max isn't set to IPSET_INVALID_IDJozsef Kadlecsik2012-11-271-1/+1
|
* ipset 6.16.1 releasedv6.16.1Jozsef Kadlecsik2012-11-271-0/+4
|
* Add ipset package version to external module descriptionJozsef Kadlecsik2012-11-271-1/+6
|
* Backport RCU handling up to 2.6.32.xJozsef Kadlecsik2012-11-271-0/+8
| | | | __rcu and rcu_dereference_protected is missing from older kernel releases.
* ipset 6.16 releasedv6.16Jozsef Kadlecsik2012-11-261-0/+5
|
* Netlink pid is renamed to portid in kernel 3.7.0Jozsef Kadlecsik2012-11-261-10/+16
| | | | | | Handle the renaming of the netlink_skb_parms structure member. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix RCU handling when the number of maximal sets are increasedJozsef Kadlecsik2012-11-261-83/+117
| | | | | | Eric Dumazet spotted that RCU handling was far incomplete in the patch which added the support of increasing the number of maximal sets automatically. This patch completes the RCU handling of the ip_set_list array of the sets.
* netfilter: ipset: fix netiface set name overflowFlorian Westphal2012-11-221-1/+1
| | | | | | | | | | attribute is copied to IFNAMSIZ-size stack variable, but IFNAMSIZ is smaller than IPSET_MAXNAMELEN. Fortunately nfnetlink needs CAP_NET_ADMIN. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.15 releasedv6.15Jozsef Kadlecsik2012-11-191-0/+6
|
* Increase the number of maximal sets automatically as neededJozsef Kadlecsik2012-11-191-8/+51
| | | | | The max number of sets was hardcoded at kernel cofiguration time. The patch adds the support to increase the max number of sets automatically.
* Restore the support of kernel versions between 2.6.32 and 2.6.35Jozsef Kadlecsik2012-11-053-64/+96
|
* Fix range bug in hash:ip,port,netJozsef Kadlecsik2012-11-054-12/+13
| | | | | | | | | Due to the missing ininitalization at adding/deleting entries, when a plain_ip,port,net element was to be added, multiple elements were added/deleted instead. The bug came from the missing dangling default initialization. The error-prone default initialization is corrected in all hash:* types.
* Rewrite cidr book keeping to handle /0Jozsef Kadlecsik2012-09-221-49/+55
| | | | The patch is required for the /0 support in hash:net,iface