path: root/lib
Commit message | Author | Age | Files | Lines
* Userspace revision handling is reworked | Jozsef Kadlecsik | 2018-01-02 | 22 | -7805/+4983
| In order to make it simpler and more straightforward to express the revisions of the set type, all keywords and their parsing are separated from the individual set types. All backward compatibility arguments are recognized and ignored arguments are supported. Recognized but ignored arguments will be removed in a later release.
* Reset state after a command failed, when multiple ones are issued. | Jozsef Kadlecsik | 2017-09-23 | 1 | -0/+1
| Fixes bugzilla id #1158 reported by Dimitri Grischin.
* Handle padding attribute properly in userspace. | Jozsef Kadlecsik | 2017-09-23 | 2 | -0/+9
|
* New function added in commit 54802b2c is missing from libipset.map | Jozsef Kadlecsik | 2017-09-14 | 1 | -0/+5
| The patch title was "Report if the option is supported by a newer kernel release"
| Fixes bugzilla id #1182, reported by irherder@gmail.com.
* Report if the option is supported by a newer kernel release | Jozsef Kadlecsik | 2017-09-11 | 1 | -0/+24
| Instead of printing "Unknown argument: foo", if foo option is supported by a newer kernel release, report that.
* Fix possible truncated output in ipset output buffer handling | Jozsef Kadlecsik | 2017-03-12 | 2 | -36/+39
| Omri Bahumi and Yoni Lavi discovered that due to the improper handling of the ipset output buffer, the output may be truncated. So for example in an "ipset save" output, instead of 192.168.0.0/24, just 192.168.0.0 is printed. If one uses "ipset save" and then "ipset restore" to restore the sets, this may lead to wrong firewall rules at the end. The patch fixes the bug in the ipset code.
* Missing prototype added in ipset_hash_ipmac.c (debugging) | Jozsef Kadlecsik | 2017-03-12 | 1 | -0/+1
|
* ipset: Drop extra comma from error message | Neutron Soutmun | 2016-10-17 | 1 | -1/+1
| * The "by userspace." should be concat with the error message instead.
| Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* hash:ipmac type support added to ipset, userspace part | Tomasz Chilinski | 2016-05-05 | 2 | -0/+166
| Signed-off-by: Tomasz Chiliński <tomasz.chilinski@chilan.com>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix misleading error message with comment extension | Jozsef Kadlecsik | 2016-02-24 | 1 | -1/+1
| Error message was totally misleading when comment extension was used when the set was defined without the extension. Reported by Drunkard Zhang.
* Fix link with libtool >= 2.4.4 | Olivier Blin | 2016-01-09 | 1 | -1/+1
| As of libtool-2.4.4, -ldl is no longer prepended to LIBS. Since types.c needs dlopen() and dlerror(), use LIBADD_DLOPEN, as suggested in libtool-2.4.4 release notes.
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Handle uint64_t alignment issue in ipset tool | Jozsef Kadlecsik | 2015-10-28 | 2 | -3/+7
|
* Add element count to all set types header | Jozsef Kadlecsik | 2015-06-25 | 2 | -2/+5
| It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types.
* Add element count to hash headers | Eric B Munson | 2015-06-19 | 2 | -4/+12
| It would be useful for userspace to query the size of an ipset hash, however, this data is not exposed to userspace outside of counting the number of member entries. This patch uses the attribute IPSET_ATTR_ELEMENTS to indicate the size in the header that is exported to userspace. This field is then printed by the userspace tool for hashes. Because it is only meaningful for hashes to report their size, the output is conditional on the set type. To do this checking the MATCH_TYPENAME macro was moved to utils.h. The bulk of this patch changes the expected test suite to account for the change in output.
| Signed-off-by: Eric B Munson <emunson@akamai.com>
| Cc: Pablo Neira Ayuso <pablo@netfilter.org>
| Cc: Josh Hunt <johunt@akamai.com>
| Cc: netfilter-devel@vger.kernel.org
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add script to check libipset.map for missing symbols | Jozsef Kadlecsik | 2014-10-28 | 1 | -0/+2
|
* Update libipset.map with ipset_parse_tcp_udp_port | Thomas Backlund | 2014-10-28 | 1 | -0/+1
| Commit:
| author Quentin Armitage <quentin@armitage.org.uk> 2013-08-09 11:26:33 (GMT)
| committer Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2013-08-17 19:31:29 (GMT)
| commit 480761a3bdaa55bf8c966e4dab950ebf84775863 (patch)
| tree 6d750f948abf1ae4f93e4c704502d085ac13d679
| parent 3a4419954a3ae0ba5dafd711e6b8dd8f0beb5c21 (diff)
| Add specifying protocol for bitmap:port
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
| added ipset_parse_tcp_udp_port(), but forgot to update libipset.map so we get:
| /usr/lib64/ipset/ipset_bitmap_port.so: /usr/lib64/ipset/ipset_bitmap_port.so: undefined symbol: ipset_parse_tcp_udp_port
| so update the map.
| Signed-off-by: Thomas Backlund <tmb@mageia.org>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* libipset: Bump lib version and update map file | Neutron Soutmun | 2014-10-28 | 1 | -0/+5
| The ipset_parse_uint16() was introduced but no lib version bumped and no map file updated. Bump lib version to 9:0:6. (current and age was bumped)
| Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support glibc < 2.9 (fixes bugzilla id #891) | Jozsef Kadlecsik | 2014-09-23 | 1 | -0/+1
|
* The library/API versions were forgotten to bump (reported by Sergei Zhirikov) | Jozsef Kadlecsik | 2014-09-22 | 1 | -0/+8
| With introducing the skbinfo extension, the library/API versions should have been incremented, which is fixed now.
* Retry printing when sprintf fails (reported by Stig Thormodsrud) | Jozsef Kadlecsik | 2014-09-22 | 1 | -14/+2
| Instead of returning the length of the string which would have been printed, sprintf sometimes simply returns an error code. Handle the case and flush the printing buffer and retry.
* hash:mac type added to ipset | Jozsef Kadlecsik | 2014-09-15 | 2 | -0/+141
|
* ipset: remove extra newline on debug output | Holger Eitzenberger | 2014-09-14 | 1 | -1/+1
| [ The following text is in the "utf-8" character set. ]
| [ Your display is set for the "ISO-8859-2" character set. ]
| [ Some characters may be displayed incorrectly. ]
| Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: avoid duplicate command flags | Holger Eitzenberger | 2014-09-14 | 1 | -4/+2
| [ The following text is in the "utf-8" character set. ]
| [ Your display is set for the "ISO-8859-2" character set. ]
| [ Some characters may be displayed incorrectly. ]
| NLM_F_DUMP is #defined as (NLM_F_ROOT | NLM_F_ACK), so specifying all of them is redundant.
| Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Remove a duplicate debug print | Holger Eitzenberger | 2014-09-14 | 1 | -2/+1
| [ The following text is in the "utf-8" character set. ]
| [ Your display is set for the "ISO-8859-2" character set. ]
| [ Some characters may be displayed incorrectly. ]
| Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* libipset: Add userspace support of the skbinfo extension of the list set type. | Anton Danilov | 2014-09-14 | 1 | -0/+131
| Add userspace part for support of new revisions of the list set type with the skbinfo extension.
| Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* libipset: Add userspace support of the skbinfo extension of the hash set types. | Anton Danilov | 2014-09-14 | 10 | -0/+1827
| Add userspace part for support of new revisions of the hash set types with the skbinfo extension.
| Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* libipset: Add userspace support of the skbinfo extension of the bitmap set types. | Anton Danilov | 2014-09-14 | 3 | -0/+405
| Add userspace part for support of new revisions of the bitmap set types with the skbinfo extension.
| Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* libipset: Add userspace code for the skbinfo extension support. | Anton Danilov | 2014-09-14 | 6 | -1/+167
| Add userspace code to support of the skbinfo extension independently of set types. Defines constants, flag and function for print/parse/send/receive of skbinfo parameters.
| Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Make possible to compile ipset with IPSET_DEBUG from the dist. | Clinton Roy | 2014-08-19 | 1 | -0/+3
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* libipset: print third element in debugging | Sergey Popovich | 2014-05-06 | 1 | -1/+3
| We have that done for first and second elements when parsing element string, do this for third element for convenience.
| Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Handle missing leading zeros in ethernet address parser | Janeks Jaunups | 2014-05-06 | 1 | -5/+8
| ipset would not parse ether addresses which are not exactly 17 characters long, for ex. 1:2:3:4:5:6, which is fixed in the patch.
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Fix printf format warning | Neutron Soutmun | 2014-04-07 | 1 | -1/+2
| Using PRIx32 macro is portable across multiple architectures and also fix the printf format warning on any architectures that "%llx" is not refer to 32 bits size.
| Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: add userspace support for forceadd | Josh Hunt | 2014-03-04 | 11 | -0/+1394
| The userspace side of the forceadd changes.
| Signed-off-by: Josh Hunt <johunt@akamai.com>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* lib: fix ifname 'physdev:' prefix parsing | Florian Westphal | 2014-02-13 | 1 | -2/+3
| hash:net,iface supports matching on the bridge port as well, but userspace currently doesn't handle it correctly as it passes in 'physdev:eth0' instead of 'eth0'+IPSET_OPT_PHYSDEV.
| Signed-off-by: Florian Westphal <fw@strlen.de>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* print mark & mark mask in hex rather than decimal | Vytas Dauksa | 2014-01-23 | 2 | -4/+4
| modified ipset_print_mark to print in hex rather than decimal and altered accordingly test cases.
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add markmask for hash:ip,mark data type | Vytas Dauksa | 2014-01-23 | 6 | -2/+22
| Introduce packet mark mask for hash:ip,mark data type. This allows to set mark bit filter for the ip set.
| Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add hash:ip,mark data type to ipset | Vytas Dauksa | 2014-01-08 | 8 | -0/+253
| Introduce packet mark support with new ip,mark hash set. This includes userspace and kernelspace code, hash:ip,mark set tests and man page updates. The intended use of ip,mark set is similar to the ip:port type, but for protocols which don't use a predictable port number. Instead of port number it matches a firewall mark determined by a layer 7 filtering program like opendpi. As well as allowing or blocking traffic it will also be used for accounting packets and bytes sent for each protocol.
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Fix malformed output from list/save for ICMP types in port field. | Sergey Popovich | 2013-11-11 | 1 | -3/+5
| Found with ipset 6.12.1, but upstream version is still affected.
| Creating set of dimension three, adding elements to it and then displaying gives following results:
| -----------------------------------
| # ipset create test-1 hash:ip,port,ip
| # ipset add test-1 192.0.2.1,icmp:echo-request,192.0.2.1
| # ipset add test-1 192.0.2.1,icmp:ttl-zero-during-reassembly,192.0.2.1
| # ipset list test-1
| Name: test-1
| Type: hash:ip,port,ip
| Header: family inet hashsize 1024 maxelem 65536
| Size in memory: 16608
| References: 0
| Members:
| 192.0.2.1,icmp:ttl-zero-during-reass,192.0.2.1
| 192.0.2.1,icmp:echo-re,192.0.2.1
| Same results with -output save|xml.
| ipset_print_proto_port() from lib/print.c returns incorrect length of printed string when ICMP/ICMPv6 specified in port field.
| Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: fix timeout data type size | Nikolay Martynov | 2013-11-11 | 1 | -3/+8
| Currently it is impossible to set timeout on some architectures (MIPS ar71xx at least) because timeout is parsed into long long data type but used as uint32 without proper conversion. This patch fixes this issue. Tested on ar71xx router.
| Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* build: fix incorrect library versioning | Jan Engelhardt | 2013-10-27 | 1 | -0/+4
| Commit v6.20~12 caused libipset to shift from libipset.so.3 to .so.2. That is the wrong thing to do. Set it back to 3+2, as intended.
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Missing comment support added to hash:ip,port,ip and hash:net,iface types | Jozsef Kadlecsik | 2013-10-02 | 2 | -0/+323
|
* ipset: Add userspace code to support hash:net,port,net kernel module. | Oliver Smith | 2013-09-30 | 2 | -0/+192
| This adds the userspace library, tests to validate correct operation of the module and also provides appropriate usage information in the man page.
| Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Add new userspace set revisions for comment support | Oliver Smith | 2013-09-23 | 10 | -2/+1256
| This introduces new revisions of all hash and bitmap ipsets to complement the comment functionality introduced into the kernel modules. Currently all sets have a compile-time limit of 255 characters including \0. This can otherwise be arbitrarily modified.
| Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Support comments in the userspace library. | Oliver Smith | 2013-09-23 | 8 | -3/+113
| This adds support to the userspace portion of ipset for handling ipsets with the comment extension enabled. The library revision has been raised accordingly.
| Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Add userspace code to support hash:net,net kernel module. | Oliver Smith | 2013-09-20 | 2 | -0/+159
| This adds the userspace library, tests to validate correct operation of the module and also provides appropriate usage information in the man page. The library version has been bumped accordingly.
| Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add specifying protocol for bitmap:port | Quentin Armitage | 2013-08-17 | 2 | -14/+56
| Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Remove artificial restriction of netmask values for hash:ip type. | Jozsef Kadlecsik | 2013-08-17 | 1 | -6/+4
| Reported by Quentin Armitage, closes netfilter bugzilla id #844.
* Fix error message typo | Jozsef Kadlecsik | 2013-08-14 | 1 | -1/+1
| Reported by Quentin Armitage, netfilter bugzilla id #843.
* Change 2nd parameter type of ipset_parse_elem | Quentin Armitage | 2013-08-01 | 1 | -1/+1
| The only place in ipset where ipset_parse_elem is called is src/ipset.c. The second parameter to the function call is type->last_elem_optional, which is of type bool, but ipset_parse_elem is defined in lib/parse.c with the second parameter having type enum ipset_opt. The use in lib/parse.c is clearly as a bool.
* Report broken netlink messages in debug mode | Jozsef Kadlecsik | 2013-07-19 | 1 | -0/+13
|