| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
When an entry flagged with "nomatch" was tested by ipset, it
returned the error message "Kernel error received:
Directory not empty" instead of "<element> is NOT in set <setname>".
The internal error code was not properly transformed before returning
to userspace, fixed.
|
| |
|
|
|
|
|
|
|
|
|
| |
If a resize is triggered on a set with timeouts enabled, the timeout
values will get corrupted when copying them to the new set. This occured
b/c the wrong timeout value is supplied to type_pf_elem_tadd().
This also adds simple debug statement similar to the one in type_pf_resize().
Signed-off-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
__rcu and rcu_dereference_protected is missing from older kernel releases.
|
| | |
|
| |
|
|
|
|
| |
Handle the renaming of the netlink_skb_parms structure member.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
| |
Eric Dumazet spotted that RCU handling was far incomplete in the patch
which added the support of increasing the number of maximal sets automatically.
This patch completes the RCU handling of the ip_set_list array of the sets.
|
| |
|
|
|
|
|
|
|
|
| |
attribute is copied to IFNAMSIZ-size stack variable,
but IFNAMSIZ is smaller than IPSET_MAXNAMELEN.
Fortunately nfnetlink needs CAP_NET_ADMIN.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| |
|
|
|
| |
The max number of sets was hardcoded at kernel cofiguration time.
The patch adds the support to increase the max number of sets automatically.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Due to the missing ininitalization at adding/deleting entries, when
a plain_ip,port,net element was to be added, multiple elements were
added/deleted instead. The bug came from the missing dangling
default initialization.
The error-prone default initialization is corrected in all hash:* types.
|
| |
|
|
| |
The patch is required for the /0 support in hash:net,iface
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Exceptions can now be matched and we can branch according to the
possible cases:
a. match in the set if the element is not flagged as "nomatch"
b. match in the set if the element is flagged with "nomatch"
c. no match
i.e.
iptables ... -m set --match-set ... -j ...
iptables ... -m set --match-set ... --nomatch-entries -j ...
...
|
| | |
|
| | |
|
| |
|
|
|
| |
Now it is possible to setup a single hash:net,iface type of set and
a single ip6?tables match which covers all egress/ingress filtering.
|
| |
|
|
|
|
|
| |
The book-keeping of the different sized networks were bogus, fix it.
The broken code could lead invalid matching in such sets when the number
of different sized networks were greater than the smallest CIDR value of
the networks.
|
| |
|
|
|
|
|
|
| |
bitmap:ip and bitmap:ip,mac type did not reject such a crazy range
when created and using such a set results in a kernel crash.
The hash types just silently ignored such parameters.
Reject invalid /0 input parameters explicitely.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Use of "unsigned int" is preferred to bare "unsigned" in net tree.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
|
| |
|
|
|
| |
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ifname_compare() assumes that skb->dev is zero-padded,
e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does
strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1);
in e1000_probe(), so once device is registered dev->name memory contains
'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare
fail.
Use plain strcmp() instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
| |
The patch "Fix timeout value overflow bug at large timeout parameters"
broke the SET target when no timeout was specified (reported by
Jean-Philippe Menil).
|
| |
|
|
|
| |
David Laight and Eric Dumazet noticed that we were using hardcoded
1000 instead of MSEC_PER_SEC to calculate the timeout.
|
| | |
|
| | |
|
| |
|
|
| |
Backport of Pablo's patch to the ipset package.
|
| |
|
|
|
|
|
| |
These macros contain a hidden goto, and are thus extremely error
prone and make code hard to audit.
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| |
|
|
|
|
| |
The hash size must fit both into u32 (jhash) and the max value of
size_t. The missing checking could lead to kernel crash, bug reported
by Seblu.
|
| | |
|
| |
|
|
|
| |
Large timeout parameters could result wrong timeout values due to
an overflow at msec to jiffies conversion (reported by Andreas Herz)
|
| |
|
|
|
|
|
|
|
|
| |
While parsing through IPv6 extension headers, fragment headers are
skipped making them invisible to the caller. This reports the
fragment offset of the last header in order to make it possible to
determine whether the packet is fragmented and, if so whether it is
a first or last fragment.
Signed-off-by: Jesse Gross <jesse@nicira.com>
|
| |
|
|
|
|
|
| |
C assignment can handle struct in6_addr copying.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| |
|
|
|
|
| |
The tests for inclusion of linux/export.h in
ipset-6.11:kernel/net/netfilter/ipset/{ip_set_getport.c,pfxlen.c} are
incorrect, linux/export.h did not go in until 3.2.0.
|
| | |
|
| |
|
|
|
| |
Timed out entries were still matched till the garbage collector
purged them out. The fix is verified in the testsuite.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The "nomatch" keyword and option is added to the hash:*net* types,
by which one can add exception entries to sets. Example:
ipset create test hash:net
ipset add test 192.168.0/24
ipset add test 192.168.0/30 nomatch
In this case the IP addresses from 192.168.0/24 except 192.168.0/30
match the elements of the set.
|
| |
|
|
|
|
|
| |
These files are non modular, but need to export symbols using
the macros now living in export.h -- call out the include so
that things won't break when we remove the implicit presence
of module.h from everywhere.
|
| |
|
|
|
| |
If the set is full, the SET target cannot add more elements.
Log warning so that the admin got notified about it.
|
| | |
|
| | |
|
| |
|
|
| |
warning: 'ip_to' may be used uninitialized in this function
|
| | |
|
