path: root/lib
Commit message [Author, Age, Files, Lines]
* Fix timeout value overflow bug at large timeout parameters [Jozsef Kadlecsik, 2012-05-04, files: 12, lines: -27/+56]
|   Large timeout parameters could result in wrong timeout values due to an overflow at msec to jiffies conversion (reported by Andreas Herz)
* Support hostnames and service names with dash [Jozsef Kadlecsik, 2012-01-14, files: 2, lines: -45/+153]
|   The square brackets are introduced as an escape mechanism to enter hostnames or service names with dash in order to avoid mixing up the dash in the name with the range notation.
|
|   Problem reported by Stephen Hemminger and Marc Guardiola.
* Exceptions support added to hash:*net* types [Jozsef Kadlecsik, 2012-01-13, files: 9, lines: -15/+375]
|   The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example:
|
|       ipset create test hash:net
|       ipset add test 192.168.0/24
|       ipset add test 192.168.0/30 nomatch
|
|   In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set.
* Set types moved into libipset library [Jozsef Kadlecsik, 2012-01-05, files: 14, lines: -1/+1591]
|   The libipset library is complete by this step, and "ipset" just a CLI interface based on the lib.
* Library map file added in order to support library versioning. [Jozsef Kadlecsik, 2012-01-05, files: 2, lines: -1/+113]
|
* Provide a pkgconfig file [Jan Engelhardt, 2012-01-04, files: 1, lines: -0/+11]
|   Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ICMP/ICMPv6 type/code parser bug fixed [Jozsef Kadlecsik, 2011-11-16, files: 1, lines: -2/+2]
|   The ICMP/ICMPv6 type/code parser swapped the type and code values. (Bug reported by Sabitov)
* ipset: fix lookup of tcp port names [Stephen Hemminger, 2011-11-16, files: 1, lines: -2/+2]
|   The protocol argument to getservbyname() must be lowercase tcp not uppercase TCP. This fixes the bug observed by:
|
|       # ipset add foo http
|       ipset v6.9.1: Syntax error: 'http' is invalid as number
|       Syntax error: cannot parse 'http' as a TCP port
|
|   Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* build: move ipset_errcode into library [Jan Engelhardt, 2011-08-31, files: 2, lines: -0/+201]
|   The library cannot stand on its own:
|
|       19:13 seven:../ipset/lib > ldd -r .libs/libipset.so.1
|               linux-vdso.so.1 => (0x00007fff9a569000)
|               libmnl.so.0 => /usr/lib64/libmnl.so.0 (0x00007fd42ae5c000)
|               libc.so.6 => /lib64/libc.so.6 (0x00007fd42aaef000)
|               /lib64/ld-linux-x86-64.so.2 (0x00007fd42b28d000)
|       undefined symbol: ipset_errcode (.libs/libipset.so.1)
|
|   Resolve this by moving ipset_errcode into the library.
|
|   Reported-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
|   References: http://marc.info/?l=netfilter-devel&m=131435791514602&w=2
* ipset: use NFPROTO_ constants [Jan Engelhardt, 2011-08-31, files: 6, lines: -79/+81]
|   ipset is actually using NFPROTO values rather than AF (xt_set passes that along).
* Propagate "expose userspace-relevant parts in ip_set.h" to ipset source [Jozsef Kadlecsik, 2011-08-31, files: 2, lines: -12/+12]
|   With the header file restructuring, the ipset userspace enums IPSET_DIM_* clash with the kernel ones. In this patch the userspace is converted to use the kernel part enums and thus we got rid of userspace enums IPSET_DIM_*.
* Whitespace and coding fixes detected by checkpatch.pl [Jozsef Kadlecsik, 2011-05-31, files: 9, lines: -391/+479]
|
* hash:net,iface type introduced [Jozsef Kadlecsik, 2011-05-30, files: 5, lines: -1/+98]
|   The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples:
|
|       # ipset create test hash:net,iface
|       # ipset add test 192.168.0.0/16,eth0
|       # ipset add test 192.168.0.0/24,eth1
* Fix long time uncovered bug at adding string attributes to the netlink message [Jozsef Kadlecsik, 2011-05-27, files: 1, lines: -0/+3]
|   Use the real string length instead of the maximum one when adding the attribute.
* Fix warnings reported by valgrind [Jozsef Kadlecsik, 2011-05-25, files: 1, lines: -1/+1]
|
* Restore with bitmap:port and list:set types did not work, fixed [Jozsef Kadlecsik, 2011-05-24, files: 1, lines: -1/+6]
|
* Fix the message sequence number book-keeping [Jozsef Kadlecsik, 2011-05-24, files: 1, lines: -1/+1]
|   The internal messages mix with the public messages and that confused the sequence number book-keeping. Move setting/updating into ipset_mnl_query.
* Protocol-level debugging support added [Jozsef Kadlecsik, 2011-05-24, files: 3, lines: -6/+286]
|
* ipset_mnl_query: in debug mode print the errno returned by the cb function [Jozsef Kadlecsik, 2011-05-23, files: 1, lines: -1/+1]
|
* Support range for IPv4 at adding/deleting elements for hash:*net* types [Jozsef Kadlecsik, 2011-05-15, files: 3, lines: -3/+63]
|   The range internally is converted to the network(s) equal to the range. Example:
|
|       # ipset new test hash:net
|       # ipset add test 10.2.0.0-10.2.1.12
|       # ipset list test
|       Name: test
|       Type: hash:net
|       Header: family inet hashsize 1024 maxelem 65536
|       Size in memory: 16888
|       References: 0
|       Members:
|       10.2.1.12
|       10.2.1.0/29
|       10.2.0.0/24
|       10.2.1.8/30
* Disable type revisions which are not supported both by the kernel and ipset [Jozsef Kadlecsik, 2011-05-13, files: 1, lines: -0/+13]
|
* Ignore -n flag (list just setnames) when sets are to be saved [Jozsef Kadlecsik, 2011-05-06, files: 1, lines: -1/+2]
|
* Get rid of the trailing empty line at listing sets. [Jozsef Kadlecsik, 2011-04-19, files: 1, lines: -11/+22]
|   Also, remove the empty "members" section when listing just the set headers. Testsuite is updated to reflect the changes in the output.
* Fix XML listing, remove broken unused "elements" tag [Jozsef Kadlecsik, 2011-04-18, files: 1, lines: -1/+1]
|
* Support listing setnames and headers too [Jozsef Kadlecsik, 2011-04-18, files: 1, lines: -2/+31]
|   Current listing makes possible to list sets with full content only. The patch adds support partial listings, i.e. listing just the existing setnames or listing set headers, without set members.
* Fix revision reporting [Jozsef Kadlecsik, 2011-03-19, files: 1, lines: -4/+3]
|   Revision reporting got broken by the revision checking patch, fixed.
* SCTP, UDPLITE support added [Jozsef Kadlecsik, 2011-03-18, files: 3, lines: -17/+18]
|   SCTP and UDPLITE port support added to the hash:*port* types.
* ipset: pass ipset_arg argument pointer [Holger Eitzenberger, 2011-02-01, files: 1, lines: -6/+5]
|   Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
* Send (N)ACK at dumping only when NLM_F_ACK is set [Jozsef Kadlecsik, 2011-01-26, files: 1, lines: -2/+2]
|   Missing check of the flag NLM_F_ACK is added to the kernel - and userspace does set it too (Patrick McHardy's review)
* Resolving IP addresses did not work at listing/saving sets, fixed. [Jozsef Kadlecsik, 2011-01-26, files: 1, lines: -2/+2]
|
* ipset: fix the Netlink sequence number [Holger Eitzenberger, 2011-01-25, files: 1, lines: -1/+2]
|   Do not use time() as a Netlink sequence number for each message, as otherwise the same seq number will be used when sending another message in the same second.
|
|   Instead use time() just for initialization, then increment per message.
|
|   Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|   Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: turn Set name[] into a const pointer [Holger Eitzenberger, 2011-01-25, files: 1, lines: -8/+9]
|   Also check for the name length.
|
|   Note that passing errno values back is not done consistently at various place, as there are some functions which set errno manually, others pass -errno back. I use the -errno approach here, as it is slightly shorter.
|
|   Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|   Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Avoid possible syntax clashing at saving hostnames [Jozsef Kadlecsik, 2011-01-24, files: 1, lines: -1/+2]
|   If resolving is requested and the resolved hostname contains a dash character, print the unresolved IP address instead in order not to clash with the IP/hostname range syntax.
* Fix build with NDEBUG defined [Jozsef Kadlecsik, 2011-01-18, files: 2, lines: -8/+14]
|   The usage of the gcc option -Wunused-parameter interferes badly with the assert() macros. In case -DNDEBUG is specified build fails with:
|
|       cc1: warnings being treated as errors
|       print.c: In function 'ipset_print_family':
|       print.c:92: error: unused parameter 'opt'
|       print.c: In function 'ipset_print_port':
|       print.c:413: error: unused parameter 'opt'
|       print.c: In function 'ipset_print_proto':
|
|   Fix it by taking into account NDEBUG in the function arguments. Bug reported by Holger Eitzenberger.
* Make IPv4 and IPv6 address handling similar [Jozsef Kadlecsik, 2011-01-18, files: 1, lines: -1/+10]
|   While the following works for AF_INET:
|
|       ipset add foo 192.168.1.1/32
|
|   this does not work for AF_INET6:
|
|       ipset add foo6 20a1:1:2:3:4:5:6:7/128
|       ipset v5.2: Syntax error: plain IP address must be supplied: 20a1:1:2:3:4:5:6:7/128
|
|   Bug reported by Holger Eitzenberger. The complete fix is to handle the special host prefixes in the general IP address parser function.
* Show correct line numbers in restore output for parser errors [Jozsef Kadlecsik, 2011-01-18, files: 1, lines: -0/+13]
|   Parser errors are reported by a wrong lineno at restore, bug reported by Holger Eitzenberger:
|
|       create foo6 hash:ip hashsize 64 family inet6
|       add foo6 20a1:1234:5678::/64
|       add foo6 20a1:1234:5679::/64
|
|   you get:
|
|       ipset v5.2: Error in line 1: Syntax error: plain IP address must be supplied: 20a1:1234:5678::/64
|
|   Should be line 2 though. The solution is to set the session lineno before parsing.
* Handle internal printing errors [Jozsef Kadlecsik, 2010-12-23, files: 1, lines: -10/+25]
|   Internal printing errors were not reported, handle them by setjmp/longjmp.
* Use cast to void * instead of memcpy as Sparc workaround at sockaddr_XXX. [Jozsef Kadlecsik, 2010-12-23, files: 1, lines: -8/+6]
|   Direct cast results "cast increases required alignment of target type" on Sparc: use indirect cast to void * instead of memcpy, as Jan Engelhardt suggested.
* Listing/saving of large sets could produce broken listing, fixed. [Jozsef Kadlecsik, 2010-12-23, files: 2, lines: -9/+16]
|   The wrapper around getnameinfo was not snprintf-compatible and that could cause broken listing/saving for large sets.
* Restore mode did not work for IPv6 (reported by Elie Rosenblum) [Jozsef Kadlecsik, 2010-12-22, files: 2, lines: -21/+30]
|   The set cache stored the default family (INET) instead of the set family, therefore restore mode for IPv6 did not work. The set cache fixed and message aggregation reworked.
* libipset: static annotations [Jan Engelhardt, 2010-12-19, files: 1, lines: -4/+4]
|
* libipset: const annotations [Jan Engelhardt, 2010-12-19, files: 5, lines: -8/+8]
|
* libipset: remove redundant casts [Jan Engelhardt, 2010-12-19, files: 3, lines: -10/+10]
|
* libipset: remove redundant indirection via union name [Jan Engelhardt, 2010-12-19, files: 1, lines: -41/+41]
|   There are no uses of C99 static initializers, so let's make the union anonymous and reduce accessor lengths.
* libipset: ipset_strncpy is really a strlcpy-type operation [Jan Engelhardt, 2010-12-19, files: 2, lines: -11/+11]
|
* Put back the Sparc specific workaround at getaddrinfo. [Jozsef Kadlecsik, 2010-12-19, files: 1, lines: -4/+8]
|
* Add ipset_parse_tcpudp_port function [Jozsef Kadlecsik, 2010-12-17, files: 1, lines: -7/+27]
|   Add new parser function to parse TCP/UDP port name, number, or range of them.
* Buffered commands are just ... buffered. [Jozsef Kadlecsik, 2010-12-13, files: 2, lines: -121/+82]
|   Calculate the free buffer size when adding the existing attributes at the buffered commands. If the buffer is full, cancel the unfinished nested attribute and commit the previously buffered commands. Then restart with the current buffered command. Thus we can get rid of the ugly maxsize parameter of the set types.
* Support case-insensitive ICMP and ICMPv6 type/code names. [Jozsef Kadlecsik, 2010-12-10, files: 2, lines: -2/+2]
|
* Remove command MODIFY [Jozsef Kadlecsik, 2010-12-07, files: 1, lines: -1/+1]
|   Modifying a set can be performed by save/modify/restore/swap, without adding kernel part support.