| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
In newer glibc, getaddrinfo issues an extra system call to kernel,
which slows down ipset. Replace getaddrinfo with gethostbyname2,
where possible.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Incompatibility: if your script rely on the number of lines in the header
of set listings, then the new line
Revision: number
can break your script.
|
|
|
|
|
| |
In order to catch kernel/userspace revision mismatch, better print
all available data.
|
|
|
|
|
| |
Now it is possible to setup a single hash:net,iface type of set and
a single ip6?tables match which covers all egress/ingress filtering.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On Sunday 2012-07-01 19:20, Jozsef Kadlecsik wrote:
>[...]
>> * therefore the patch makes a clean restart,
>> using -version-info 3:0:0, to continue using .so.3
>> starting from ipset-6.13 until the next *real*
>> incompatible change.
>
>What is still unclear for me, why a clean restart is required. Looking
>into "libtool", as I see, "-version-number 3:0:1" and "-version-info
>3:0:1" produces the same result.
They don't. The libtool manual goes on attempting to explain
"-version-number" with C:R:A, though it could have been a lot easier
to just say "it copies the values as-is to the file suffix".
---8<---
location git://git.inai.de/ipset (updated)
parent 7c7b022a18ea2bae11d889b345caef87f3bf145e (v6.13)
commit 2b145f0794de6f56eaded0a6403be995be98c93b
Author: Jan Engelhardt <jengelh@inai.de>
Date: Sat Jun 30 20:39:27 2012 +0200
build: restore -version-info
Commit v6.13~7 accidentally swapped "-version-info" with
"-version-number". Because "-version-number" takes the values
"FIRST:AGE:REV", which is different from "-version-info
CURRENT:REV:AGE", libipset.so.3 was emitted.
Restore using "-version-info" and continue to use 3 as the "FIRST"
interface (instead of 2), because it was declared that way in
ipset-6.13.
Also note that the version names in libipset.map generally are not
supposed to follow SO versions, but the program version):
IPSET_6.13 {...}.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
| |
Mathieu Bridon suggested that in some environments where there is no
access to a full shell with input/output redirection, it'd be useful
to read from/write to directly a file (bugzilla #788).
The patch adds the new "-file" option to specify a filename to print
into when listing/saving sets or read from when restoring sets.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
If a create command fails at the kernel side, false syntax error
was also reported due to the chicken and egg problem of the family
option.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The patch adds supporting dynamic modules for the set types to ipset
userspace tool. The dynamic module support can be enabled by the
--enable-settype-modules of "configure". The list of set types to
be compiled as dynamic modules can be specified in the
--with-settype-modules-list option. Example
--enable-settype-modules \
--with-settype-modules-list="ipset_hash_ip ipset_hash_ipport"
The keyword "all" can be used to compile all set types as dynamic modules.
|
| |
|
|
|
|
|
| |
gcc 4.7 and above ignore such assignments which leads to a broken
ipset binary (bug reported by Seblu).
|
| |
|
|
|
|
|
| |
Large timeout parameters could result wrong timeout values due to
an overflow at msec to jiffies conversion (reported by Andreas Herz)
|
|
|
|
|
|
|
|
| |
The square brackets are introduced as an escape mechanism to
enter hostnames or service names with dash in order to avoid
mixing up the dash in the name with the range notation.
Problem reported by Stephen Hemminger and Marc Guardiola.
|
|
|
|
|
|
|
|
|
|
|
|
| |
The "nomatch" keyword and option is added to the hash:*net* types,
by which one can add exception entries to sets. Example:
ipset create test hash:net
ipset add test 192.168.0/24
ipset add test 192.168.0/30 nomatch
In this case the IP addresses from 192.168.0/24 except 192.168.0/30
match the elements of the set.
|
|
|
|
|
| |
The libipset library is complete by this step, and "ipset" just
a CLI interface based on the lib.
|
| |
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
| |
The ICMP/ICMPv6 type/code parser swapped the type and code values.
(Bug reported by Sabitov)
|
|
|
|
|
|
|
|
|
|
|
| |
The protocol argument to getservbyname() must be lowercase tcp not
uppercase TCP. This fixes the bug observed by:
# ipset add foo http
ipset v6.9.1: Syntax error: 'http' is invalid as number
Syntax error: cannot parse 'http' as a TCP port
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The library cannot stand on its own:
19:13 seven:../ipset/lib > ldd -r .libs/libipset.so.1
linux-vdso.so.1 => (0x00007fff9a569000)
libmnl.so.0 => /usr/lib64/libmnl.so.0 (0x00007fd42ae5c000)
libc.so.6 => /lib64/libc.so.6 (0x00007fd42aaef000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd42b28d000)
undefined symbol: ipset_errcode (.libs/libipset.so.1)
Resolve this by moving ipset_errcode into the library.
Reported-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
References: http://marc.info/?l=netfilter-devel&m=131435791514602&w=2
|
|
|
|
|
| |
ipset is actually using NFPROTO values rather than AF (xt_set passes
that along).
|
|
|
|
|
|
| |
With the header file restructuring, the ipset userspace enums IPSET_DIM_*
clash with the kernel ones. In this patch the userspace is converted to
use the kernel part enums and thus we got rid of userspace enums IPSET_DIM_*.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The hash:net,iface type makes possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:
# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1
|
|
|
|
|
| |
Use the real string length instead of the maximum one when adding the
attribute.
|
| |
|
| |
|
|
|
|
|
|
| |
The internal messages mix with the public messages and that confused
the sequence number book-keeping. Move setting/updating into
ipset_mnl_query.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The range internally is converted to the network(s) equal to the range.
Example:
# ipset new test hash:net
# ipset add test 10.2.0.0-10.2.1.12
# ipset list test
Name: test
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
10.2.1.12
10.2.1.0/29
10.2.0.0/24
10.2.1.8/30
|
| |
|
| |
|
|
|
|
|
|
|
| |
Also, remove the empty "members" section when listing
just the set headers.
Testsuite is updated to reflect the changes in the output.
|
| |
|
|
|
|
|
|
| |
Current listing makes possible to list sets with full content only.
The patch adds support partial listings, i.e. listing just
the existing setnames or listing set headers, without set members.
|
|
|
|
| |
Revision reporting got broken by the revision checking patch, fixed.
|
|
|
|
| |
SCTP and UDPLITE port support added to the hash:*port* types.
|
|
|
|
| |
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
|
|
|
|
| |
Missing check of the flag NLM_F_ACK is added to the kernel -
and userspace does set it too (Patrick McHardy's review)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Do not use time() as a Netlink sequence number for each message,
as otherwise the same seq number will be used when sending
another message in the same second. Instead use time() just for
initialization, then increment per message.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|