| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The net,iface equal functions currently compares the full interface
names. In several cases, wildcard (or prefix) matching is useful. For
example, when converting a large iptables rule-set to make use of ipset,
I was able to significantly reduce the number of set elements by making
use of wildcard matching.
Wildcard matching is enabled by adding "wildcard" when adding an element
to a set. Internally, this causes the IPSET_FLAG_IFACE_WILDCARD-flag to
be set. When this flag is set, only the initial part of the interface
name is used for comparison.
Wildcard matching is done per element and not per set, as there are many
cases where mixing wildcard and non-wildcard elements are useful. This
means that is up to the user to handle (avoid) overlapping interface
names.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
| |
|
|
|
| |
Sort 95.0.0.0 before 107.0.0.0 instead of the textual sorting.
Also, in the case of subnets, sort reversed, ie. most specific first.
|
| |
|
|
|
|
|
|
|
| |
Fix these spelling errors,
s/lenght/length/
s/controll/control/
s/funtion/function/
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
It's better to use my kadlec@netfilter.org email address in
the source code. I might not be able to use
kadlec@blackhole.kfki.hu in the future.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
| |
Some new functions was not added to libipset.map at the previous
release, fix it.
|
| |
|
|
|
| |
Support listing/saving with sorted entries for the hash types.
(bitmap and list types are automatically sorted.)
|
| |
|
|
|
| |
list/save into file given by "-f filename" did not work in 7.0,
reported by Isaac Good.
|
| |
|
|
|
|
|
|
|
|
|
| |
Two new commands (IPSET_CMD_GET_BYNAME, IPSET_CMD_GET_BYINDEX) are
introduced. The new commands makes possible to eliminate the getsockopt
operation (in iptables set/SET match/target) and thus use only netlink
communication between userspace and kernel for ipset. With the new
protocol version, userspace can exactly know which functionality is
supported by the running kernel.
Both the kernel and userspace is fully backward compatible.
|
| |
|
|
|
| |
From now on the "version" command asks the kernel protocol version too
and reports if the userspace - kernel protocols do not match.
|
| |
|
|
|
| |
Warning messages were not printed and handled properly, the patch
fixes the issue.
|
| |
|
|
|
|
|
|
|
|
|
| |
The ipset library is rewritten/extended to support embedding
ipset, so that sets can fully be managed without calling the ipset
binary. The ipset binary relies completely on the new library.
The libipset.3 manpage was written about the library functions
and usage.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
| |
Otherwise, we are missing checks in some paths, e.g. we might
overrun the buffer used to save the set name in callback_list()
when we strcpy() to it.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
|
| |
When check_setname is used in ipset_parse_name_compat(), the
'str' and 'saved' macro arguments point in fact to the same
buffer. Free the 'saved' argument only after using it.
While at it, remove a useless NULL check on 'saved'.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
| |
As we loop as long as 'ret' is greater than zero, and break only
if we get an error in mnl_cb_run2 (with ret <= 0), we can just
return ret without checking once more if it's greater than zero.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
| |
Due to the negative value condition in msecs_to_jiffies(), the real
max possible timeout value must be set to (UINT_MAX >> 1)/MSEC_PER_SEC.
Neutron Soutmun proposed the proper fix, but an insufficient one was
applied, see https://patchwork.ozlabs.org/patch/400405/.
|
| |
|
|
|
|
| |
Parsing is attempted both for numbers and service names and
the temporary stored error message triggered to reset the state
parameters about the set. Reported by Yuri D'Elia.
|
| |
|
|
|
|
|
|
|
|
|
| |
In order to make it simpler and more straightforward to express
the revisions of the set type, all keywords and their parsing
are separated from the individual set types.
All backward compatibility arguments are recognized and ignored
arguments are supported.
Recognized but ignored arguments will be removed in a later release.
|
| |
|
|
| |
Fixes bugzilla id #1158 reported by Dimitri Grischin.
|
| | |
|
| |
|
|
|
|
| |
The patch title was "Report if the option is supported by a newer kernel release"
Fixes bugzilla id #1182, reported by irherder@gmail.com.
|
| |
|
|
|
| |
Instead ot printing "Unknown argument: foo", if foo option is
supported by a newer kernel release, report that.
|
| |
|
|
|
|
|
|
|
|
| |
Omri Bahumi and Yoni Lavi discovered that due to the inproper
handling of the ipset output buffer, the output may be truncated.
So for example in an "ipset save" output, instead of 192.168.0.0/24,
just 192.168.0.0 printed. If one use "ipset save" and then "ipset restore"
to restore the sets, this may lead to wrong firewall rules at the end.
The patch fixes the bug in the ipset code.
|
| | |
|
| |
|
|
|
|
|
| |
* The "by userspace." should be concat with the error message instead.
Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
| |
Signed-off-by: Tomasz Chili??ski <tomasz.chilinski@chilan.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
| |
Error message was totally misleading when comment
extension was used when the set was defined without
the extension. Reported by Drunkard Zhang.
|
| |
|
|
|
|
|
|
| |
As of libtool-2.4.4, -ldl is no longer prepended to LIBS.
Since types.c needs dlopen() and dlerror(), use LIBADD_DLOPEN, as
suggested in libtool-2.4.4 release notes.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| |
|
|
|
|
| |
It is better to list the set elements for all set types, thus the
header information is uniform. Element counts are therefore added
to the bitmap and list types.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It would be useful for userspace to query the size of an ipset hash,
however, this data is not exposed to userspace outside of counting the
number of member entries. This patch uses the attribute
IPSET_ATTR_ELEMENTS to indicate the size in the the header that is
exported to userspace. This field is then printed by the userspace
tool for hashes.
Because it is only meaningful for hashes to report their size, the
output is conditional on the set type. To do this checking the
MATCH_TYPENAME macro was moved to utils.h.
The bulk of this patch changes the expected test suite to account for
the change in output.
Signed-off-by: Eric B Munson <emunson@akamai.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Josh Hunt <johunt@akamai.com>
Cc: netfilter-devel@vger.kernel.org
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit:
author Quentin Armitage <quentin@armitage.org.uk> 2013-08-09 11:26:33 (GMT)
committer Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2013-08-17 19:31:29 (GMT)
commit 480761a3bdaa55bf8c966e4dab950ebf84775863 (patch)
tree 6d750f948abf1ae4f93e4c704502d085ac13d679
parent 3a4419954a3ae0ba5dafd711e6b8dd8f0beb5c21 (diff)
Add specifying protocol for bitmap:port
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
added ipset_parse_tcp_udp_port(), but forgot to update libipset.map
so we get:
/usr/lib64/ipset/ipset_bitmap_port.so: /usr/lib64/ipset/ipset_bitmap_port.so: undefined symbol: ipset_parse_tcp_udp_port
so update the map.
Signed-off-by: Thomas Backlund <tmb@mageia.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
| |
The ipset_parse_uint16() was introduced but no lib version bumped and
no map file updated.
Bump lib version to 9:0:6. (current and age was bumped)
Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| | |
|
| |
|
|
|
| |
With introducing the skbinfo extension, the library/API versions should
have been incremented, which is fixed now.
|
| |
|
|
|
|
| |
Instead of returning the length of the string which would have been
printed, sprintf sometimes simply returns an error code. Handle
the case and flush the printing buffer and retry.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-2" character set. ]
[ Some characters may be displayed incorrectly. ]
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-2" character set. ]
[ Some characters may be displayed incorrectly. ]
NLM_F_DUMP is #defined as (NLM_F_ROOT | NLM_F_ACK), so specifying
all of them is redundant.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
| |
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-2" character set. ]
[ Some characters may be displayed incorrectly. ]
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
| |
Add userspace part for support of new revisions of the list set type
with the skbinfo extension.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
| |
Add userspace part for support of new revisions of the hash set types
with the skbinfo extension.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
| |
types.
Add userspace part for support of new revisions of the bitmap set types
with the skbinfo extension.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
| |
Add userspace code to support of the skbinfo extension independly of set types.
Defines constants, flag and function for print/parse/send/recieve of skbinfo
parameters.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
| |
We have that done for first and second elements when
parsing element string, do this for third element for
convenience.
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
| |
ipset would not parse ether addresses which are not exactly
17 characters long, for ex. 1:2:3:4:5:6, which is fixed in
the patch.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
| |
Using PRIx32 macro is portable across multiple architectures and
also fix the printf format warning on any architectures that
"%llx" is not refer to 32 bits size.
Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
| |
The userspace side of the forceadd changes.
Signed-off-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
| |
hash:net,iface supports matching on the bridge port as well,
but userspace currently doesn't handle it correctly as it passes
in 'physdev:eth0' instead of 'eth0'+IPSET_OPT_PHYSDEV.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
