| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
| |
Instead of returning the length of the string which would have been
printed, sprintf sometimes simply returns an error code. Handle
the case and flush the printing buffer and retry.
|
| |
|
|
|
|
|
|
|
| |
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-2" character set. ]
[ Some characters may be displayed incorrectly. ]
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
| |
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-2" character set. ]
[ Some characters may be displayed incorrectly. ]
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
| |
Add userspace code to support of the skbinfo extension independly of set types.
Defines constants, flag and function for print/parse/send/recieve of skbinfo
parameters.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
| |
Introduce packet mark mask for hash:ip,mark data type. This allows to
set mark bit filter for the ip set.
Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce packet mark support with new ip,mark hash set. This includes
userspace and kernelspace code, hash:ip,mark set tests and man page
updates.
The intended use of ip,mark set is similar to the ip:port type, but for
protocols which don't use a predictable port number. Instead of port
number it matches a firewall mark determined by a layer 7 filtering
program like opendpi.
As well as allowing or blocking traffic it will also be used for
accounting packets and bytes sent for each protocol.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
| |
This adds support to the userspace portion of ipset for handling ipsets
with the comment extension enabled. The library revision has been raised
accordingly.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| |
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Incompatibility: if your script rely on the number of lines in the header
of set listings, then the new line
Revision: number
can break your script.
|
| |
|
|
|
|
|
|
|
| |
Mathieu Bridon suggested that in some environments where there is no
access to a full shell with input/output redirection, it'd be useful
to read from/write to directly a file (bugzilla #788).
The patch adds the new "-file" option to specify a filename to print
into when listing/saving sets or read from when restoring sets.
|
| |
|
|
|
| |
gcc 4.7 and above ignore such assignments which leads to a broken
ipset binary (bug reported by Seblu).
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The "nomatch" keyword and option is added to the hash:*net* types,
by which one can add exception entries to sets. Example:
ipset create test hash:net
ipset add test 192.168.0/24
ipset add test 192.168.0/30 nomatch
In this case the IP addresses from 192.168.0/24 except 192.168.0/30
match the elements of the set.
|
| |
|
|
|
| |
ipset is actually using NFPROTO values rather than AF (xt_set passes
that along).
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The hash:net,iface type makes possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:
# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1
|
| |
|
|
|
| |
Use the real string length instead of the maximum one when adding the
attribute.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The range internally is converted to the network(s) equal to the range.
Example:
# ipset new test hash:net
# ipset add test 10.2.0.0-10.2.1.12
# ipset list test
Name: test
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
10.2.1.12
10.2.1.0/29
10.2.0.0/24
10.2.1.8/30
|
| | |
|
| |
|
|
|
|
|
| |
Also, remove the empty "members" section when listing
just the set headers.
Testsuite is updated to reflect the changes in the output.
|
| | |
|
| |
|
|
|
|
| |
Current listing makes possible to list sets with full content only.
The patch adds support partial listings, i.e. listing just
the existing setnames or listing set headers, without set members.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Parser errors are reported by a wrong lineno at restore, bug reported
by Holger Eitzenberger:
create foo6 hash:ip hashsize 64 family inet6
add foo6 20a1:1234:5678::/64
add foo6 20a1:1234:5679::/64
you get:
ipset v5.2: Error in line 1: Syntax error: plain IP address must be supplied: 20a1:1234:5678::/64
Should be line 2 though.
The solution is to set the session lineno before parsing.
|
| |
|
|
| |
Internal printing errors were not reported, handle them by setjmp/longjmp.
|
| |
|
|
|
| |
The wrapper around getnameinfo was not snprintf-compatible and
that could cause broken listing/saving for large sets.
|
| |
|
|
|
|
| |
The set cache stored the default family (INET) instead of the set family,
therefore restore mode for IPv6 did not work. The set cache fixed and
message aggregation reworked.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Calculate the free buffer size when adding the existing attributes at the buffered
commands. If the buffer is full, cancel the unfinished nested attribute and commit
the previously buffered commands. Then restart with the current buffered command.
Thus we can get rid of the ugly maxsize parameter of the set types.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- More comments added to the code
- ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip
and hash:ip,port,net types
- hash:net and hash:ip,port,net types are reworked
- hash:net,port type added
- Wrong direction parameters fixed in hash:ip,port
- Helps and manpage are updated
- More tests added
- Ugly macros are rewritten to functions in parse.c
(Holger Eitzenberger)
- resize related bug in hash types fixed (Holger Eitzenberger)
- autoreconf patches by Jan Engelhardt applied
- netlink patch minimalized: dumping can be initialized by a second
parsing of the message (thanks to David and Patrick for the suggestion)
- IPv4/IPv6 address attributes are introduced in order to fix the context
(suggested by David)
|
| |
|
|
|
|
|
|
| |
ipset 5 is tested on Sparc, which revealed some compatibility issues
and those are fixed. Kernels from 2.6.31 onward are supported.
The testsuite checkings are completed to run match/target checks.
The README file is updated to reflect the requirements to install
and run ipset 5.
|
| |
|
|
|
|
|
|
|
|
|
| |
- the hash types can now store protocol together port, not only port
- lots of fixes everywhere: parser, error reporting, manpage
The last bits on the todo list before announcing ipset 5:
- recheck all the error messages
- add possibly more tests
- polish manpage
|
| | |
|
| |
|
|
|
|
| |
Use the libmnl mnl_attr_nest_star/mnl_attr_nest_end functions instead of
the private ones. Ignore possible size differences in iptree*.t compatibility
tests.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Reworked protocol and internal interfaces, missing set types added,
backward compatibility verified, lots of tests added (and thanks to the tests,
bugs fixed), even the manpage is rewritten ;-). Countless changes everywhere...
The missing bits before announcing ipset 5:
- net namespace support
- new iptables/ip6tables extension library
- iptables/ip6tables match and target tests (backward/forward compatibility)
- tests on catching syntax errors
|
|
|
Add new userspace files: include/, lib/ and plus new files in src/.
|
