| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
In order to make it simpler and more straightforward to express
the revisions of the set type, all keywords and their parsing
are separated from the individual set types.
All backward compatibility arguments are recognized and ignored
arguments are supported.
Recognized but ignored arguments will be removed in a later release.
|
|
|
|
| |
Fixes bugzilla id #1158 reported by Dimitri Grischin.
|
| |
|
|
|
|
|
|
| |
The patch title was "Report if the option is supported by a newer kernel release"
Fixes bugzilla id #1182, reported by irherder@gmail.com.
|
|
|
|
|
| |
Instead ot printing "Unknown argument: foo", if foo option is
supported by a newer kernel release, report that.
|
|
|
|
|
|
|
|
|
|
| |
Omri Bahumi and Yoni Lavi discovered that due to the inproper
handling of the ipset output buffer, the output may be truncated.
So for example in an "ipset save" output, instead of 192.168.0.0/24,
just 192.168.0.0 printed. If one use "ipset save" and then "ipset restore"
to restore the sets, this may lead to wrong firewall rules at the end.
The patch fixes the bug in the ipset code.
|
| |
|
|
|
|
|
|
|
| |
* The "by userspace." should be concat with the error message instead.
Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
| |
Signed-off-by: Tomasz Chili??ski <tomasz.chilinski@chilan.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
| |
Error message was totally misleading when comment
extension was used when the set was defined without
the extension. Reported by Drunkard Zhang.
|
|
|
|
|
|
|
|
| |
As of libtool-2.4.4, -ldl is no longer prepended to LIBS.
Since types.c needs dlopen() and dlerror(), use LIBADD_DLOPEN, as
suggested in libtool-2.4.4 release notes.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
| |
It is better to list the set elements for all set types, thus the
header information is uniform. Element counts are therefore added
to the bitmap and list types.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It would be useful for userspace to query the size of an ipset hash,
however, this data is not exposed to userspace outside of counting the
number of member entries. This patch uses the attribute
IPSET_ATTR_ELEMENTS to indicate the size in the the header that is
exported to userspace. This field is then printed by the userspace
tool for hashes.
Because it is only meaningful for hashes to report their size, the
output is conditional on the set type. To do this checking the
MATCH_TYPENAME macro was moved to utils.h.
The bulk of this patch changes the expected test suite to account for
the change in output.
Signed-off-by: Eric B Munson <emunson@akamai.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Josh Hunt <johunt@akamai.com>
Cc: netfilter-devel@vger.kernel.org
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit:
author Quentin Armitage <quentin@armitage.org.uk> 2013-08-09 11:26:33 (GMT)
committer Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2013-08-17 19:31:29 (GMT)
commit 480761a3bdaa55bf8c966e4dab950ebf84775863 (patch)
tree 6d750f948abf1ae4f93e4c704502d085ac13d679
parent 3a4419954a3ae0ba5dafd711e6b8dd8f0beb5c21 (diff)
Add specifying protocol for bitmap:port
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
added ipset_parse_tcp_udp_port(), but forgot to update libipset.map
so we get:
/usr/lib64/ipset/ipset_bitmap_port.so: /usr/lib64/ipset/ipset_bitmap_port.so: undefined symbol: ipset_parse_tcp_udp_port
so update the map.
Signed-off-by: Thomas Backlund <tmb@mageia.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
| |
The ipset_parse_uint16() was introduced but no lib version bumped and
no map file updated.
Bump lib version to 9:0:6. (current and age was bumped)
Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
| |
With introducing the skbinfo extension, the library/API versions should
have been incremented, which is fixed now.
|
|
|
|
|
|
| |
Instead of returning the length of the string which would have been
printed, sprintf sometimes simply returns an error code. Handle
the case and flush the printing buffer and retry.
|
| |
|
|
|
|
|
|
|
|
|
| |
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-2" character set. ]
[ Some characters may be displayed incorrectly. ]
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
|
|
| |
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-2" character set. ]
[ Some characters may be displayed incorrectly. ]
NLM_F_DUMP is #defined as (NLM_F_ROOT | NLM_F_ACK), so specifying
all of them is redundant.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
| |
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-2" character set. ]
[ Some characters may be displayed incorrectly. ]
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
| |
Add userspace part for support of new revisions of the list set type
with the skbinfo extension.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
| |
Add userspace part for support of new revisions of the hash set types
with the skbinfo extension.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
| |
types.
Add userspace part for support of new revisions of the bitmap set types
with the skbinfo extension.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
| |
Add userspace code to support of the skbinfo extension independly of set types.
Defines constants, flag and function for print/parse/send/recieve of skbinfo
parameters.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
| |
We have that done for first and second elements when
parsing element string, do this for third element for
convenience.
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
| |
ipset would not parse ether addresses which are not exactly
17 characters long, for ex. 1:2:3:4:5:6, which is fixed in
the patch.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
| |
Using PRIx32 macro is portable across multiple architectures and
also fix the printf format warning on any architectures that
"%llx" is not refer to 32 bits size.
Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
| |
The userspace side of the forceadd changes.
Signed-off-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
| |
hash:net,iface supports matching on the bridge port as well,
but userspace currently doesn't handle it correctly as it passes
in 'physdev:eth0' instead of 'eth0'+IPSET_OPT_PHYSDEV.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
| |
modified ipset_print_mark to print in hex rather then decimal and
altered accordingly test cases.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
| |
Introduce packet mark mask for hash:ip,mark data type. This allows to
set mark bit filter for the ip set.
Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce packet mark support with new ip,mark hash set. This includes
userspace and kernelspace code, hash:ip,mark set tests and man page
updates.
The intended use of ip,mark set is similar to the ip:port type, but for
protocols which don't use a predictable port number. Instead of port
number it matches a firewall mark determined by a layer 7 filtering
program like opendpi.
As well as allowing or blocking traffic it will also be used for
accounting packets and bytes sent for each protocol.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Found with ipset 6.12.1, but upstream version is still affected.
Creating set of dimension three, adding elements to it and then
displaying gives following results:
-----------------------------------
# ipset create test-1 hash:ip,port,ip
# ipset add test-1 192.0.2.1,icmp:echo-request,192.0.2.1
# ipset add test-1 192.0.2.1,icmp:ttl-zero-during-reassembly,192.0.2.1
# ipset list test-1
Name: test-1
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16608
References: 0
Members:
192.0.2.1,icmp:ttl-zero-during-reass,192.0.2.1
192.0.2.1,icmp:echo-re,192.0.2.1
Same results with -output save|xml.
ipset_print_proto_port() from lib/print.c returns incorrect length
of printed string when ICMP/ICMPv6 specified in port field.
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
| |
Currently it is impossible to set timeout on some architectures
(MIPS ar71xx at least) because timeout is parsed into long long data
type but used as uint32 without proper conversion. This patch fixes
this issue. Tested on ar71xx router.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
| |
Commit v6.20~12 caused libipset to shift from libipset.so.3 to
.so.2. That is the wrong thing to do. Set it back to 3+2, as
intended.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds the userspace library, tests to validate correct operation of
the module and also provides appropriate usage information in the man
page.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces new revisions of all hash and bitmap ipsets to
complement the comment functionality introduced into the kernel modules.
Currently all sets have a compile-time limit of 255 characters including
\0. This can otherwise be arbitrarily modified.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
| |
This adds support to the userspace portion of ipset for handling ipsets
with the comment extension enabled. The library revision has been raised
accordingly.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
| |
This adds the userspace library, tests to validate correct operation of
the module and also provides appropriate usage information in the man
page. The library version has been bumped accordingly.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Reported by Quentin Armitage, closes netfilter bugzilla id #844.
|
|
|
|
| |
Reported by Quentin Armitage, netfilter bugzilla id #843.
|
|
|
|
|
|
|
|
|
| |
The only place in ipset where ipset_parse_elem is called is src/ipset.c. The
second parameter to the function call is type->last_elem_optional, which is of
type bool, but ipset_parse_elem is defined in lib/parse.c with the second
parameter having type enum ipset_opt.
The use in lib/parse.c is clearly as a bool.
|
| |
|