summaryrefslogtreecommitdiffstats
path: root/lib
Commit message (Collapse)AuthorAgeFilesLines
* Use gethostbyname2 instead of getaddrinfoJozsef Kadlecsik2012-11-051-1/+101
| | | | | | In newer glibc, getaddrinfo issues an extra system call to kernel, which slows down ipset. Replace getaddrinfo with gethostbyname2, where possible.
* Support protocol numbers as well, not only protocol namesJozsef Kadlecsik2012-11-051-3/+9
|
* Coding style fixesJozsef Kadlecsik2012-09-117-32/+43
|
* The set type revision number is added to the header part of listingJozsef Kadlecsik2012-09-111-3/+4
| | | | | | | | | Incompatibility: if your script rely on the number of lines in the header of set listings, then the new line Revision: number can break your script.
* Help prints list type revision and terse descriptionJozsef Kadlecsik2012-09-1011-0/+19
| | | | | In order to catch kernel/userspace revision mismatch, better print all available data.
* Add /0 network support to hash:net,iface typeJozsef Kadlecsik2012-09-101-0/+58
| | | | | Now it is possible to setup a single hash:net,iface type of set and a single ip6?tables match which covers all egress/ingress filtering.
* build: restore -version-infoJan Engelhardt2012-07-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On Sunday 2012-07-01 19:20, Jozsef Kadlecsik wrote: >[...] >> * therefore the patch makes a clean restart, >> using -version-info 3:0:0, to continue using .so.3 >> starting from ipset-6.13 until the next *real* >> incompatible change. > >What is still unclear for me, why a clean restart is required. Looking >into "libtool", as I see, "-version-number 3:0:1" and "-version-info >3:0:1" produces the same result. They don't. The libtool manual goes on attempting to explain "-version-number" with C:R:A, though it could have been a lot easier to just say "it copies the values as-is to the file suffix". ---8<--- location git://git.inai.de/ipset (updated) parent 7c7b022a18ea2bae11d889b345caef87f3bf145e (v6.13) commit 2b145f0794de6f56eaded0a6403be995be98c93b Author: Jan Engelhardt <jengelh@inai.de> Date: Sat Jun 30 20:39:27 2012 +0200 build: restore -version-info Commit v6.13~7 accidentally swapped "-version-info" with "-version-number". Because "-version-number" takes the values "FIRST:AGE:REV", which is different from "-version-info CURRENT:REV:AGE", libipset.so.3 was emitted. Restore using "-version-info" and continue to use 3 as the "FIRST" interface (instead of 2), because it was declared that way in ipset-6.13. Also note that the version names in libipset.map generally are not supposed to follow SO versions, but the program version): IPSET_6.13 {...}. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Allow saving to/restoring from a file without shell redirectionJozsef Kadlecsik2012-05-233-1/+19
| | | | | | | | | Mathieu Bridon suggested that in some environments where there is no access to a full shell with input/output redirection, it'd be useful to read from/write to directly a file (bugzilla #788). The patch adds the new "-file" option to specify a filename to print into when listing/saving sets or read from when restoring sets.
* Fix typo of word "unkown" to "unknown".Neutron Soutmun2012-05-152-3/+3
|
* Enable silent (kernel style) compile messagesJozsef Kadlecsik2012-05-103-11/+8
|
* Fix build failed on --disable-dependency-trackingNeutron Soutmun2012-05-101-5/+10
|
* Add more CC warning option to debug modeJozsef Kadlecsik2012-05-1011-0/+11
|
* Report syntax error messages immediatelyJozsef Kadlecsik2012-05-101-1/+1
|
* Suppress false syntax error messagesJozsef Kadlecsik2012-05-104-5/+38
| | | | | | If a create command fails at the kernel side, false syntax error was also reported due to the chicken and egg problem of the family option.
* Add configure summary for the ipset userspace toolJozsef Kadlecsik2012-05-101-3/+5
|
* Add dynamic module support to ipset userspace toolNeutron Soutmun2012-05-1015-67/+249
| | | | | | | | | | | | | The patch adds supporting dynamic modules for the set types to ipset userspace tool. The dynamic module support can be enabled by the --enable-settype-modules of "configure". The list of set types to be compiled as dynamic modules can be specified in the --with-settype-modules-list option. Example --enable-settype-modules \ --with-settype-modules-list="ipset_hash_ip ipset_hash_ipport" The keyword "all" can be used to compile all set types as dynamic modules.
* Move ipset_port_usage() into libNeutron Soutmun2012-05-063-1/+44
|
* Fix invalid assignment to const void pointerJozsef Kadlecsik2012-05-061-7/+7
| | | | | gcc 4.7 and above ignore such assignments which leads to a broken ipset binary (bug reported by Seblu).
* Remove unused variables (warnings fixed)Jozsef Kadlecsik2012-05-042-2/+2
|
* Fix timeout value overflow bug at large timeout parametersJozsef Kadlecsik2012-05-0412-27/+56
| | | | | Large timeout parameters could result wrong timeout values due to an overflow at msec to jiffies conversion (reported by Andreas Herz)
* Support hostnames and service names with dashJozsef Kadlecsik2012-01-142-45/+153
| | | | | | | | The square brackets are introduced as an escape mechanism to enter hostnames or service names with dash in order to avoid mixing up the dash in the name with the range notation. Problem reported by Stephen Hemminger and Marc Guardiola.
* Exceptions support added to hash:*net* typesJozsef Kadlecsik2012-01-139-15/+375
| | | | | | | | | | | | The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set.
* Set types moved into libipset libraryJozsef Kadlecsik2012-01-0514-1/+1591
| | | | | The libipset library is complete by this step, and "ipset" just a CLI interface based on the lib.
* Library map file added in order to support library versioning.Jozsef Kadlecsik2012-01-052-1/+113
|
* Provide a pkgconfig fileJan Engelhardt2012-01-041-0/+11
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ICMP/ICMPv6 type/code parser bug fixedJozsef Kadlecsik2011-11-161-2/+2
| | | | | The ICMP/ICMPv6 type/code parser swapped the type and code values. (Bug reported by Sabitov)
* ipset: fix lookup of tcp port namesStephen Hemminger2011-11-161-2/+2
| | | | | | | | | | | The protocol argument to getservbyname() must be lowercase tcp not uppercase TCP. This fixes the bug observed by: # ipset add foo http ipset v6.9.1: Syntax error: 'http' is invalid as number Syntax error: cannot parse 'http' as a TCP port Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* build: move ipset_errcode into libraryJan Engelhardt2011-08-312-0/+201
| | | | | | | | | | | | | | | | The library cannot stand on its own: 19:13 seven:../ipset/lib > ldd -r .libs/libipset.so.1 linux-vdso.so.1 => (0x00007fff9a569000) libmnl.so.0 => /usr/lib64/libmnl.so.0 (0x00007fd42ae5c000) libc.so.6 => /lib64/libc.so.6 (0x00007fd42aaef000) /lib64/ld-linux-x86-64.so.2 (0x00007fd42b28d000) undefined symbol: ipset_errcode (.libs/libipset.so.1) Resolve this by moving ipset_errcode into the library. Reported-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com> References: http://marc.info/?l=netfilter-devel&m=131435791514602&w=2
* ipset: use NFPROTO_ constantsJan Engelhardt2011-08-316-79/+81
| | | | | ipset is actually using NFPROTO values rather than AF (xt_set passes that along).
* Propagate "expose userspace-relevant parts in ip_set.h" to ipset sourceJozsef Kadlecsik2011-08-312-12/+12
| | | | | | With the header file restructuring, the ipset userspace enums IPSET_DIM_* clash with the kernel ones. In this patch the userspace is converted to use the kernel part enums and thus we got rid of userspace enums IPSET_DIM_*.
* Whitespace and coding fixes detected by checkpatch.plJozsef Kadlecsik2011-05-319-391/+479
|
* hash:net,iface type introducedJozsef Kadlecsik2011-05-305-1/+98
| | | | | | | | | | The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1
* Fix long time uncovered bug at adding string attributes to the netlink messageJozsef Kadlecsik2011-05-271-0/+3
| | | | | Use the real string length instead of the maximum one when adding the attribute.
* Fix warnings reported by valgrindJozsef Kadlecsik2011-05-251-1/+1
|
* Restore with bitmap:port and list:set types did not work, fixedJozsef Kadlecsik2011-05-241-1/+6
|
* Fix the message sequence number book-keepingJozsef Kadlecsik2011-05-241-1/+1
| | | | | | The internal messages mix with the public messages and that confused the sequence number book-keeping. Move setting/updating into ipset_mnl_query.
* Protocol-level debugging support addedJozsef Kadlecsik2011-05-243-6/+286
|
* ipset_mnl_query: in debug mode print the errno returned by the cb functionJozsef Kadlecsik2011-05-231-1/+1
|
* Support range for IPv4 at adding/deleting elements for hash:*net* typesJozsef Kadlecsik2011-05-153-3/+63
| | | | | | | | | | | | | | | | | | | The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30
* Disable type revisions which are not supported both by the kernel and ipsetJozsef Kadlecsik2011-05-131-0/+13
|
* Ignore -n flag (list just setnames) when sets are to be savedJozsef Kadlecsik2011-05-061-1/+2
|
* Get rid of the trailing empty line at listing sets.Jozsef Kadlecsik2011-04-191-11/+22
| | | | | | | Also, remove the empty "members" section when listing just the set headers. Testsuite is updated to reflect the changes in the output.
* Fix XML listing, remove broken unused "elements" tagJozsef Kadlecsik2011-04-181-1/+1
|
* Support listing setnames and headers tooJozsef Kadlecsik2011-04-181-2/+31
| | | | | | Current listing makes possible to list sets with full content only. The patch adds support partial listings, i.e. listing just the existing setnames or listing set headers, without set members.
* Fix revision reportingJozsef Kadlecsik2011-03-191-4/+3
| | | | Revision reporting got broken by the revision checking patch, fixed.
* SCTP, UDPLITE support addedJozsef Kadlecsik2011-03-183-17/+18
| | | | SCTP and UDPLITE port support added to the hash:*port* types.
* ipset: pass ipset_arg argument pointerHolger Eitzenberger2011-02-011-6/+5
| | | | Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
* Send (N)ACK at dumping only when NLM_F_ACK is setJozsef Kadlecsik2011-01-261-2/+2
| | | | | Missing check of the flag NLM_F_ACK is added to the kernel - and userspace does set it too (Patrick McHardy's review)
* Resolving IP addresses did not work at listing/saving sets, fixed.Jozsef Kadlecsik2011-01-261-2/+2
|
* ipset: fix the Netlink sequence numberHolger Eitzenberger2011-01-251-1/+2
| | | | | | | | | | Do not use time() as a Netlink sequence number for each message, as otherwise the same seq number will be used when sending another message in the same second. Instead use time() just for initialization, then increment per message. Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>