summaryrefslogtreecommitdiffstats
path: root/lib
Commit message (Collapse)AuthorAgeFilesLines
...
* lib: fix ifname 'physdev:' prefix parsingFlorian Westphal2014-02-131-2/+3
| | | | | | | | | hash:net,iface supports matching on the bridge port as well, but userspace currently doesn't handle it correctly as it passes in 'physdev:eth0' instead of 'eth0'+IPSET_OPT_PHYSDEV. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* print mark & mark mask in hex rather then decimalVytas Dauksa2014-01-232-4/+4
| | | | | | | modified ipset_print_mark to print in hex rather then decimal and altered accordingly test cases. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add markmask for hash:ip,mark data typeVytas Dauksa2014-01-236-2/+22
| | | | | | | | | Introduce packet mark mask for hash:ip,mark data type. This allows to set mark bit filter for the ip set. Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add hash:ip,mark data type to ipsetVytas Dauksa2014-01-088-0/+253
| | | | | | | | | | | | | | | | Introduce packet mark support with new ip,mark hash set. This includes userspace and kernelspace code, hash:ip,mark set tests and man page updates. The intended use of ip,mark set is similar to the ip:port type, but for protocols which don't use a predictable port number. Instead of port number it matches a firewall mark determined by a layer 7 filtering program like opendpi. As well as allowing or blocking traffic it will also be used for accounting packets and bytes sent for each protocol. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Fix malformed output from list/save for ICMP types in port field.Sergey Popovich2013-11-111-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Found with ipset 6.12.1, but upstream version is still affected. Creating set of dimension three, adding elements to it and then displaying gives following results: ----------------------------------- # ipset create test-1 hash:ip,port,ip # ipset add test-1 192.0.2.1,icmp:echo-request,192.0.2.1 # ipset add test-1 192.0.2.1,icmp:ttl-zero-during-reassembly,192.0.2.1 # ipset list test-1 Name: test-1 Type: hash:ip,port,ip Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16608 References: 0 Members: 192.0.2.1,icmp:ttl-zero-during-reass,192.0.2.1 192.0.2.1,icmp:echo-re,192.0.2.1 Same results with -output save|xml. ipset_print_proto_port() from lib/print.c returns incorrect length of printed string when ICMP/ICMPv6 specified in port field. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: fix timeout data type sizeNikolay Martynov2013-11-111-3/+8
| | | | | | | | | | Currently it is impossible to set timeout on some architectures (MIPS ar71xx at least) because timeout is parsed into long long data type but used as uint32 without proper conversion. This patch fixes this issue. Tested on ar71xx router. Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* build: fix incorrect library versioningJan Engelhardt2013-10-271-0/+4
| | | | | | | | Commit v6.20~12 caused libipset to shift from libipset.so.3 to .so.2. That is the wrong thing to do. Set it back to 3+2, as intended. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Missing comment support added to hash:ip,port,ip and hash:net,iface typesJozsef Kadlecsik2013-10-022-0/+323
|
* ipset: Add userspace code to support hash:net,port,net kernel module.Oliver Smith2013-09-302-0/+192
| | | | | | | | | This adds the userspace library, tests to validate correct operation of the module and also provides appropriate usage information in the man page. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Add new userspace set revisions for comment supportOliver Smith2013-09-2310-2/+1256
| | | | | | | | | | | This introduces new revisions of all hash and bitmap ipsets to complement the comment functionality introduced into the kernel modules. Currently all sets have a compile-time limit of 255 characters including \0. This can otherwise be arbitrarily modified. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Support comments in the userspace library.Oliver Smith2013-09-238-3/+113
| | | | | | | | | This adds support to the userspace portion of ipset for handling ipsets with the comment extension enabled. The library revision has been raised accordingly. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Add userspace code to support hash:net,net kernel module.Oliver Smith2013-09-202-0/+159
| | | | | | | | | This adds the userspace library, tests to validate correct operation of the module and also provides appropriate usage information in the man page. The library version has been bumped accordingly. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add specifying protocol for bitmap:portQuentin Armitage2013-08-172-14/+56
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Remove artifical restriction of netmask values for hash:ip type.Jozsef Kadlecsik2013-08-171-6/+4
| | | | Reported by Quentin Armitage, closes netfilter bugzilla id #844.
* Fix error message typoJozsef Kadlecsik2013-08-141-1/+1
| | | | Reported by Quentin Armitage, netfilter bugzilla id #843.
* Change 2nd parameter type of ipset_parse_elemQuentin Armitage2013-08-011-1/+1
| | | | | | | | | The only place in ipset where ipset_parse_elem is called is src/ipset.c. The second parameter to the function call is type->last_elem_optional, which is of type bool, but ipset_parse_elem is defined in lib/parse.c with the second parameter having type enum ipset_opt. The use in lib/parse.c is clearly as a bool.
* Report broken netlink messages in debug modeJozsef Kadlecsik2013-07-191-0/+13
|
* libipset.pc must be installed via 'make install'Eric Leblond2013-05-111-0/+3
| | | | | | | | libipset.pc was not installed by classic 'make install'. This patch adds it to the list of installed files. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add sparse checking support to userspaceJozsef Kadlecsik2013-05-021-0/+6
|
* Improve XML output: add element tag and root element (suggested by Lucas Hamie)Jozsef Kadlecsik2013-05-011-33/+38
|
* Introduce the new set type revisions with counter supportJozsef Kadlecsik2013-04-0911-103/+1560
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support counters in the ipset libraryJozsef Kadlecsik2013-04-096-2/+89
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix error path when protocol number is used with port rangeJozsef Kadlecsik2013-01-091-1/+3
|
* Correct "Suspicious condition (assignment + comparison)" (Thomas Jarosch)Jozsef Kadlecsik2013-01-091-4/+3
| | | | | cppcheck (vaguely) reported: [lib/parse.c:448]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses.
* Fix revision printing in XML mode (reported by Mart Frauenlob)Jozsef Kadlecsik2013-01-091-1/+1
|
* Use gethostbyname2 instead of getaddrinfoJozsef Kadlecsik2012-11-051-1/+101
| | | | | | In newer glibc, getaddrinfo issues an extra system call to kernel, which slows down ipset. Replace getaddrinfo with gethostbyname2, where possible.
* Support protocol numbers as well, not only protocol namesJozsef Kadlecsik2012-11-051-3/+9
|
* Coding style fixesJozsef Kadlecsik2012-09-117-32/+43
|
* The set type revision number is added to the header part of listingJozsef Kadlecsik2012-09-111-3/+4
| | | | | | | | | Incompatibility: if your script rely on the number of lines in the header of set listings, then the new line Revision: number can break your script.
* Help prints list type revision and terse descriptionJozsef Kadlecsik2012-09-1011-0/+19
| | | | | In order to catch kernel/userspace revision mismatch, better print all available data.
* Add /0 network support to hash:net,iface typeJozsef Kadlecsik2012-09-101-0/+58
| | | | | Now it is possible to setup a single hash:net,iface type of set and a single ip6?tables match which covers all egress/ingress filtering.
* build: restore -version-infoJan Engelhardt2012-07-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On Sunday 2012-07-01 19:20, Jozsef Kadlecsik wrote: >[...] >> * therefore the patch makes a clean restart, >> using -version-info 3:0:0, to continue using .so.3 >> starting from ipset-6.13 until the next *real* >> incompatible change. > >What is still unclear for me, why a clean restart is required. Looking >into "libtool", as I see, "-version-number 3:0:1" and "-version-info >3:0:1" produces the same result. They don't. The libtool manual goes on attempting to explain "-version-number" with C:R:A, though it could have been a lot easier to just say "it copies the values as-is to the file suffix". ---8<--- location git://git.inai.de/ipset (updated) parent 7c7b022a18ea2bae11d889b345caef87f3bf145e (v6.13) commit 2b145f0794de6f56eaded0a6403be995be98c93b Author: Jan Engelhardt <jengelh@inai.de> Date: Sat Jun 30 20:39:27 2012 +0200 build: restore -version-info Commit v6.13~7 accidentally swapped "-version-info" with "-version-number". Because "-version-number" takes the values "FIRST:AGE:REV", which is different from "-version-info CURRENT:REV:AGE", libipset.so.3 was emitted. Restore using "-version-info" and continue to use 3 as the "FIRST" interface (instead of 2), because it was declared that way in ipset-6.13. Also note that the version names in libipset.map generally are not supposed to follow SO versions, but the program version): IPSET_6.13 {...}. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Allow saving to/restoring from a file without shell redirectionJozsef Kadlecsik2012-05-233-1/+19
| | | | | | | | | Mathieu Bridon suggested that in some environments where there is no access to a full shell with input/output redirection, it'd be useful to read from/write to directly a file (bugzilla #788). The patch adds the new "-file" option to specify a filename to print into when listing/saving sets or read from when restoring sets.
* Fix typo of word "unkown" to "unknown".Neutron Soutmun2012-05-152-3/+3
|
* Enable silent (kernel style) compile messagesJozsef Kadlecsik2012-05-103-11/+8
|
* Fix build failed on --disable-dependency-trackingNeutron Soutmun2012-05-101-5/+10
|
* Add more CC warning option to debug modeJozsef Kadlecsik2012-05-1011-0/+11
|
* Report syntax error messages immediatelyJozsef Kadlecsik2012-05-101-1/+1
|
* Suppress false syntax error messagesJozsef Kadlecsik2012-05-104-5/+38
| | | | | | If a create command fails at the kernel side, false syntax error was also reported due to the chicken and egg problem of the family option.
* Add configure summary for the ipset userspace toolJozsef Kadlecsik2012-05-101-3/+5
|
* Add dynamic module support to ipset userspace toolNeutron Soutmun2012-05-1015-67/+249
| | | | | | | | | | | | | The patch adds supporting dynamic modules for the set types to ipset userspace tool. The dynamic module support can be enabled by the --enable-settype-modules of "configure". The list of set types to be compiled as dynamic modules can be specified in the --with-settype-modules-list option. Example --enable-settype-modules \ --with-settype-modules-list="ipset_hash_ip ipset_hash_ipport" The keyword "all" can be used to compile all set types as dynamic modules.
* Move ipset_port_usage() into libNeutron Soutmun2012-05-063-1/+44
|
* Fix invalid assignment to const void pointerJozsef Kadlecsik2012-05-061-7/+7
| | | | | gcc 4.7 and above ignore such assignments which leads to a broken ipset binary (bug reported by Seblu).
* Remove unused variables (warnings fixed)Jozsef Kadlecsik2012-05-042-2/+2
|
* Fix timeout value overflow bug at large timeout parametersJozsef Kadlecsik2012-05-0412-27/+56
| | | | | Large timeout parameters could result wrong timeout values due to an overflow at msec to jiffies conversion (reported by Andreas Herz)
* Support hostnames and service names with dashJozsef Kadlecsik2012-01-142-45/+153
| | | | | | | | The square brackets are introduced as an escape mechanism to enter hostnames or service names with dash in order to avoid mixing up the dash in the name with the range notation. Problem reported by Stephen Hemminger and Marc Guardiola.
* Exceptions support added to hash:*net* typesJozsef Kadlecsik2012-01-139-15/+375
| | | | | | | | | | | | The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set.
* Set types moved into libipset libraryJozsef Kadlecsik2012-01-0514-1/+1591
| | | | | The libipset library is complete by this step, and "ipset" just a CLI interface based on the lib.
* Library map file added in order to support library versioning.Jozsef Kadlecsik2012-01-052-1/+113
|
* Provide a pkgconfig fileJan Engelhardt2012-01-041-0/+11
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>