summaryrefslogtreecommitdiffstats
path: root/lib/data.c
Commit message (Collapse)AuthorAgeFilesLines
* Workaround misleading -Wstringop-truncation warningJozsef Kadlecsik2024-02-031-1/+1
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: Add support for new bitmask parameterVishwanath Pai2022-11-201-0/+10
| | | | | | | | | | | | | | | Add a new parameter to complement the existing 'netmask' option. The main difference between netmask and bitmask is that bitmask takes any arbitrary ip address as input, it does not have to be a valid netmask. The name of the new parameter is 'bitmask'. This lets us mask out arbitrary bits in the ip address, for example: ipset create set1 hash:ip bitmask 255.128.255.0 ipset create set2 hash:ip,port family inet6 bitmask ffff::ff80 Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Expose the initval hash parameter to userspaceJozsef Kadlecsik2020-09-211-6/+6
| | | | | | It makes possible to reproduce exactly the same set after a save/restore. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Add bucketsize parameter to all hash typesJozsef Kadlecsik2020-09-211-6/+6
| | | | | | | | | The parameter defines the upper limit in any hash bucket at adding new entries from userspace - if the limit would be exceeded, ipset doubles the hash size and rehashes. It means the set may consume more memory but gives faster evaluation at matching in the set. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: Add wildcard support to net,ifaceKristian Evensen2019-10-311-0/+8
| | | | | | | | | | | | | | | | | | | | | The net,iface equal functions currently compares the full interface names. In several cases, wildcard (or prefix) matching is useful. For example, when converting a large iptables rule-set to make use of ipset, I was able to significantly reduce the number of set elements by making use of wildcard matching. Wildcard matching is enabled by adding "wildcard" when adding an element to a set. Internally, this causes the IPSET_FLAG_IFACE_WILDCARD-flag to be set. When this flag is set, only the initial part of the interface name is used for comparison. Wildcard matching is done per element and not per set, as there are many cases where mixing wildcard and non-wildcard elements are useful. This means that is up to the user to handle (avoid) overlapping interface names. Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: update my email addressJozsef Kadlecsik2019-06-051-1/+1
| | | | | | | | | It's better to use my kadlec@netfilter.org email address in the source code. I might not be able to use kadlec@blackhole.kfki.hu in the future. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduction of new commands and protocol version 7Jozsef Kadlecsik2018-10-271-0/+7
| | | | | | | | | | | Two new commands (IPSET_CMD_GET_BYNAME, IPSET_CMD_GET_BYINDEX) are introduced. The new commands makes possible to eliminate the getsockopt operation (in iptables set/SET match/target) and thus use only netlink communication between userspace and kernel for ipset. With the new protocol version, userspace can exactly know which functionality is supported by the running kernel. Both the kernel and userspace is fully backward compatible.
* libipset: Add userspace code for the skbinfo extension support.Anton Danilov2014-09-141-1/+29
| | | | | | | | | Add userspace code to support of the skbinfo extension independly of set types. Defines constants, flag and function for print/parse/send/recieve of skbinfo parameters. Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: add userspace support for forceaddJosh Hunt2014-03-041-0/+5
| | | | | | | The userspace side of the forceadd changes. Signed-off-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add markmask for hash:ip,mark data typeVytas Dauksa2014-01-231-0/+7
| | | | | | | | | Introduce packet mark mask for hash:ip,mark data type. This allows to set mark bit filter for the ip set. Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add hash:ip,mark data type to ipsetVytas Dauksa2014-01-081-0/+8
| | | | | | | | | | | | | | | | Introduce packet mark support with new ip,mark hash set. This includes userspace and kernelspace code, hash:ip,mark set tests and man page updates. The intended use of ip,mark set is similar to the ip:port type, but for protocols which don't use a predictable port number. Instead of port number it matches a firewall mark determined by a layer 7 filtering program like opendpi. As well as allowing or blocking traffic it will also be used for accounting packets and bytes sent for each protocol. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Support comments in the userspace library.Oliver Smith2013-09-231-0/+35
| | | | | | | | | This adds support to the userspace portion of ipset for handling ipsets with the comment extension enabled. The library revision has been raised accordingly. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support counters in the ipset libraryJozsef Kadlecsik2013-04-091-0/+23
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Coding style fixesJozsef Kadlecsik2012-09-111-7/+14
|
* Fix typo of word "unkown" to "unknown".Neutron Soutmun2012-05-151-1/+1
|
* Suppress false syntax error messagesJozsef Kadlecsik2012-05-101-1/+17
| | | | | | If a create command fails at the kernel side, false syntax error was also reported due to the chicken and egg problem of the family option.
* Exceptions support added to hash:*net* typesJozsef Kadlecsik2012-01-131-0/+11
| | | | | | | | | | | | The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set.
* ipset: use NFPROTO_ constantsJan Engelhardt2011-08-311-11/+10
| | | | | ipset is actually using NFPROTO values rather than AF (xt_set passes that along).
* Whitespace and coding fixes detected by checkpatch.plJozsef Kadlecsik2011-05-311-8/+8
|
* hash:net,iface type introducedJozsef Kadlecsik2011-05-301-1/+13
| | | | | | | | | | The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1
* Support range for IPv4 at adding/deleting elements for hash:*net* typesJozsef Kadlecsik2011-05-151-0/+9
| | | | | | | | | | | | | | | | | | | The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30
* libipset: remove redundant castsJan Engelhardt2010-12-191-2/+2
|
* libipset: remove redundant indirection via union nameJan Engelhardt2010-12-191-41/+41
| | | | | There are no uses of C99 static initializers, so let's make the union anonymous and reduce accessor lengths.
* libipset: ipset_strncpy is really a strlcpy-type operationJan Engelhardt2010-12-191-7/+7
|
* Fixes, cleanups, commentsv5.0-pre8Jozsef Kadlecsik2010-10-241-6/+9
| | | | | | | | | | | | | | | | | | | - More comments added to the code - ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip and hash:ip,port,net types - hash:net and hash:ip,port,net types are reworked - hash:net,port type added - Wrong direction parameters fixed in hash:ip,port - Helps and manpage are updated - More tests added - Ugly macros are rewritten to functions in parse.c (Holger Eitzenberger) - resize related bug in hash types fixed (Holger Eitzenberger) - autoreconf patches by Jan Engelhardt applied - netlink patch minimalized: dumping can be initialized by a second parsing of the message (thanks to David and Patrick for the suggestion) - IPv4/IPv6 address attributes are introduced in order to fix the context (suggested by David)
* ipset 5: last new feature addedv5.0-pre3Jozsef Kadlecsik2010-06-221-0/+7
| | | | | | | | | | | - the hash types can now store protocol together port, not only port - lots of fixes everywhere: parser, error reporting, manpage The last bits on the todo list before announcing ipset 5: - recheck all the error messages - add possibly more tests - polish manpage
* ipset 5 in an almost ready state - milestonev5.0-pre1Jozsef Kadlecsik2010-06-151-7/+60
| | | | | | | | | | | | Reworked protocol and internal interfaces, missing set types added, backward compatibility verified, lots of tests added (and thanks to the tests, bugs fixed), even the manpage is rewritten ;-). Countless changes everywhere... The missing bits before announcing ipset 5: - net namespace support - new iptables/ip6tables extension library - iptables/ip6tables match and target tests (backward/forward compatibility) - tests on catching syntax errors
* Fourth stage to ipset-5Jozsef Kadlecsik2010-04-221-0/+505
Add new userspace files: include/, lib/ and plus new files in src/.