summaryrefslogtreecommitdiffstats
path: root/lib
Commit message (Collapse)AuthorAgeFilesLines
* ipset: Fix malformed output from list/save for ICMP types in port field.Sergey Popovich2013-11-111-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Found with ipset 6.12.1, but upstream version is still affected. Creating set of dimension three, adding elements to it and then displaying gives following results: ----------------------------------- # ipset create test-1 hash:ip,port,ip # ipset add test-1 192.0.2.1,icmp:echo-request,192.0.2.1 # ipset add test-1 192.0.2.1,icmp:ttl-zero-during-reassembly,192.0.2.1 # ipset list test-1 Name: test-1 Type: hash:ip,port,ip Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16608 References: 0 Members: 192.0.2.1,icmp:ttl-zero-during-reass,192.0.2.1 192.0.2.1,icmp:echo-re,192.0.2.1 Same results with -output save|xml. ipset_print_proto_port() from lib/print.c returns incorrect length of printed string when ICMP/ICMPv6 specified in port field. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: fix timeout data type sizeNikolay Martynov2013-11-111-3/+8
| | | | | | | | | | Currently it is impossible to set timeout on some architectures (MIPS ar71xx at least) because timeout is parsed into long long data type but used as uint32 without proper conversion. This patch fixes this issue. Tested on ar71xx router. Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* build: fix incorrect library versioningJan Engelhardt2013-10-271-0/+4
| | | | | | | | Commit v6.20~12 caused libipset to shift from libipset.so.3 to .so.2. That is the wrong thing to do. Set it back to 3+2, as intended. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Missing comment support added to hash:ip,port,ip and hash:net,iface typesJozsef Kadlecsik2013-10-022-0/+323
|
* ipset: Add userspace code to support hash:net,port,net kernel module.Oliver Smith2013-09-302-0/+192
| | | | | | | | | This adds the userspace library, tests to validate correct operation of the module and also provides appropriate usage information in the man page. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Add new userspace set revisions for comment supportOliver Smith2013-09-2310-2/+1256
| | | | | | | | | | | This introduces new revisions of all hash and bitmap ipsets to complement the comment functionality introduced into the kernel modules. Currently all sets have a compile-time limit of 255 characters including \0. This can otherwise be arbitrarily modified. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Support comments in the userspace library.Oliver Smith2013-09-238-3/+113
| | | | | | | | | This adds support to the userspace portion of ipset for handling ipsets with the comment extension enabled. The library revision has been raised accordingly. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Add userspace code to support hash:net,net kernel module.Oliver Smith2013-09-202-0/+159
| | | | | | | | | This adds the userspace library, tests to validate correct operation of the module and also provides appropriate usage information in the man page. The library version has been bumped accordingly. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add specifying protocol for bitmap:portQuentin Armitage2013-08-172-14/+56
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Remove artifical restriction of netmask values for hash:ip type.Jozsef Kadlecsik2013-08-171-6/+4
| | | | Reported by Quentin Armitage, closes netfilter bugzilla id #844.
* Fix error message typoJozsef Kadlecsik2013-08-141-1/+1
| | | | Reported by Quentin Armitage, netfilter bugzilla id #843.
* Change 2nd parameter type of ipset_parse_elemQuentin Armitage2013-08-011-1/+1
| | | | | | | | | The only place in ipset where ipset_parse_elem is called is src/ipset.c. The second parameter to the function call is type->last_elem_optional, which is of type bool, but ipset_parse_elem is defined in lib/parse.c with the second parameter having type enum ipset_opt. The use in lib/parse.c is clearly as a bool.
* Report broken netlink messages in debug modeJozsef Kadlecsik2013-07-191-0/+13
|
* libipset.pc must be installed via 'make install'Eric Leblond2013-05-111-0/+3
| | | | | | | | libipset.pc was not installed by classic 'make install'. This patch adds it to the list of installed files. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add sparse checking support to userspaceJozsef Kadlecsik2013-05-021-0/+6
|
* Improve XML output: add element tag and root element (suggested by Lucas Hamie)Jozsef Kadlecsik2013-05-011-33/+38
|
* Introduce the new set type revisions with counter supportJozsef Kadlecsik2013-04-0911-103/+1560
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support counters in the ipset libraryJozsef Kadlecsik2013-04-096-2/+89
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix error path when protocol number is used with port rangeJozsef Kadlecsik2013-01-091-1/+3
|
* Correct "Suspicious condition (assignment + comparison)" (Thomas Jarosch)Jozsef Kadlecsik2013-01-091-4/+3
| | | | | cppcheck (vaguely) reported: [lib/parse.c:448]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses.
* Fix revision printing in XML mode (reported by Mart Frauenlob)Jozsef Kadlecsik2013-01-091-1/+1
|
* Use gethostbyname2 instead of getaddrinfoJozsef Kadlecsik2012-11-051-1/+101
| | | | | | In newer glibc, getaddrinfo issues an extra system call to kernel, which slows down ipset. Replace getaddrinfo with gethostbyname2, where possible.
* Support protocol numbers as well, not only protocol namesJozsef Kadlecsik2012-11-051-3/+9
|
* Coding style fixesJozsef Kadlecsik2012-09-117-32/+43
|
* The set type revision number is added to the header part of listingJozsef Kadlecsik2012-09-111-3/+4
| | | | | | | | | Incompatibility: if your script rely on the number of lines in the header of set listings, then the new line Revision: number can break your script.
* Help prints list type revision and terse descriptionJozsef Kadlecsik2012-09-1011-0/+19
| | | | | In order to catch kernel/userspace revision mismatch, better print all available data.
* Add /0 network support to hash:net,iface typeJozsef Kadlecsik2012-09-101-0/+58
| | | | | Now it is possible to setup a single hash:net,iface type of set and a single ip6?tables match which covers all egress/ingress filtering.
* build: restore -version-infoJan Engelhardt2012-07-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On Sunday 2012-07-01 19:20, Jozsef Kadlecsik wrote: >[...] >> * therefore the patch makes a clean restart, >> using -version-info 3:0:0, to continue using .so.3 >> starting from ipset-6.13 until the next *real* >> incompatible change. > >What is still unclear for me, why a clean restart is required. Looking >into "libtool", as I see, "-version-number 3:0:1" and "-version-info >3:0:1" produces the same result. They don't. The libtool manual goes on attempting to explain "-version-number" with C:R:A, though it could have been a lot easier to just say "it copies the values as-is to the file suffix". ---8<--- location git://git.inai.de/ipset (updated) parent 7c7b022a18ea2bae11d889b345caef87f3bf145e (v6.13) commit 2b145f0794de6f56eaded0a6403be995be98c93b Author: Jan Engelhardt <jengelh@inai.de> Date: Sat Jun 30 20:39:27 2012 +0200 build: restore -version-info Commit v6.13~7 accidentally swapped "-version-info" with "-version-number". Because "-version-number" takes the values "FIRST:AGE:REV", which is different from "-version-info CURRENT:REV:AGE", libipset.so.3 was emitted. Restore using "-version-info" and continue to use 3 as the "FIRST" interface (instead of 2), because it was declared that way in ipset-6.13. Also note that the version names in libipset.map generally are not supposed to follow SO versions, but the program version): IPSET_6.13 {...}. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Allow saving to/restoring from a file without shell redirectionJozsef Kadlecsik2012-05-233-1/+19
| | | | | | | | | Mathieu Bridon suggested that in some environments where there is no access to a full shell with input/output redirection, it'd be useful to read from/write to directly a file (bugzilla #788). The patch adds the new "-file" option to specify a filename to print into when listing/saving sets or read from when restoring sets.
* Fix typo of word "unkown" to "unknown".Neutron Soutmun2012-05-152-3/+3
|
* Enable silent (kernel style) compile messagesJozsef Kadlecsik2012-05-103-11/+8
|
* Fix build failed on --disable-dependency-trackingNeutron Soutmun2012-05-101-5/+10
|
* Add more CC warning option to debug modeJozsef Kadlecsik2012-05-1011-0/+11
|
* Report syntax error messages immediatelyJozsef Kadlecsik2012-05-101-1/+1
|
* Suppress false syntax error messagesJozsef Kadlecsik2012-05-104-5/+38
| | | | | | If a create command fails at the kernel side, false syntax error was also reported due to the chicken and egg problem of the family option.
* Add configure summary for the ipset userspace toolJozsef Kadlecsik2012-05-101-3/+5
|
* Add dynamic module support to ipset userspace toolNeutron Soutmun2012-05-1015-67/+249
| | | | | | | | | | | | | The patch adds supporting dynamic modules for the set types to ipset userspace tool. The dynamic module support can be enabled by the --enable-settype-modules of "configure". The list of set types to be compiled as dynamic modules can be specified in the --with-settype-modules-list option. Example --enable-settype-modules \ --with-settype-modules-list="ipset_hash_ip ipset_hash_ipport" The keyword "all" can be used to compile all set types as dynamic modules.
* Move ipset_port_usage() into libNeutron Soutmun2012-05-063-1/+44
|
* Fix invalid assignment to const void pointerJozsef Kadlecsik2012-05-061-7/+7
| | | | | gcc 4.7 and above ignore such assignments which leads to a broken ipset binary (bug reported by Seblu).
* Remove unused variables (warnings fixed)Jozsef Kadlecsik2012-05-042-2/+2
|
* Fix timeout value overflow bug at large timeout parametersJozsef Kadlecsik2012-05-0412-27/+56
| | | | | Large timeout parameters could result wrong timeout values due to an overflow at msec to jiffies conversion (reported by Andreas Herz)
* Support hostnames and service names with dashJozsef Kadlecsik2012-01-142-45/+153
| | | | | | | | The square brackets are introduced as an escape mechanism to enter hostnames or service names with dash in order to avoid mixing up the dash in the name with the range notation. Problem reported by Stephen Hemminger and Marc Guardiola.
* Exceptions support added to hash:*net* typesJozsef Kadlecsik2012-01-139-15/+375
| | | | | | | | | | | | The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set.
* Set types moved into libipset libraryJozsef Kadlecsik2012-01-0514-1/+1591
| | | | | The libipset library is complete by this step, and "ipset" just a CLI interface based on the lib.
* Library map file added in order to support library versioning.Jozsef Kadlecsik2012-01-052-1/+113
|
* Provide a pkgconfig fileJan Engelhardt2012-01-041-0/+11
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ICMP/ICMPv6 type/code parser bug fixedJozsef Kadlecsik2011-11-161-2/+2
| | | | | The ICMP/ICMPv6 type/code parser swapped the type and code values. (Bug reported by Sabitov)
* ipset: fix lookup of tcp port namesStephen Hemminger2011-11-161-2/+2
| | | | | | | | | | | The protocol argument to getservbyname() must be lowercase tcp not uppercase TCP. This fixes the bug observed by: # ipset add foo http ipset v6.9.1: Syntax error: 'http' is invalid as number Syntax error: cannot parse 'http' as a TCP port Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* build: move ipset_errcode into libraryJan Engelhardt2011-08-312-0/+201
| | | | | | | | | | | | | | | | The library cannot stand on its own: 19:13 seven:../ipset/lib > ldd -r .libs/libipset.so.1 linux-vdso.so.1 => (0x00007fff9a569000) libmnl.so.0 => /usr/lib64/libmnl.so.0 (0x00007fd42ae5c000) libc.so.6 => /lib64/libc.so.6 (0x00007fd42aaef000) /lib64/ld-linux-x86-64.so.2 (0x00007fd42b28d000) undefined symbol: ipset_errcode (.libs/libipset.so.1) Resolve this by moving ipset_errcode into the library. Reported-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com> References: http://marc.info/?l=netfilter-devel&m=131435791514602&w=2
* ipset: use NFPROTO_ constantsJan Engelhardt2011-08-316-79/+81
| | | | | ipset is actually using NFPROTO values rather than AF (xt_set passes that along).