path: root/lib
Columns per entry: commit message, author, age, files changed, lines (-removed/+added)
* Fix IPv6 sets nftables translation [HEAD, master]
  Pablo Neira Ayuso, 2022-02-28, 1 file, -14/+10

  The parser assumes the set is an IPv4 ipset because IPSET_OPT_FAMILY is not set.

    # ipset-translate restore < ./ipset-mwan3_set_connected_ipv6.dump
    add table inet global
    add set inet global mwan3_connected_v6 { type ipv6_addr; flags interval; }
    flush set inet global mwan3_connected_v6
    ipset v7.15: Error in line 4: Syntax error: '64' is out of range 0-32

  Remove ipset_xlate_type_get(), call ipset_xlate_set_get() instead to obtain the set type and family.

  Reported-by: Florian Eckert <fe@dev.tdt.de>
  Fixes: 325af556cd3a ("add ipset to nftables translation infrastructure")
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* Add missing function to libipset.map and bump library version
  Jozsef Kadlecsik, 2021-07-28, 1 file, -0/+5

  A new function was not added to libipset.map at the previous release, fix it.
  Reported by Jan Engelhardt.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* When parsing protocols by number, do not check it in /etc/protocols.
  Jozsef Kadlecsik, 2021-07-27, 1 file, -7/+7

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Add missing hunk to patch "Allow specifying protocols by number"
  Jozsef Kadlecsik, 2021-07-16, 1 file, -2/+12

  Actually, this is the part of it which allows specifying protocols by number :-)

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Allow specifying protocols by number
  Haw Loeung, 2021-07-14, 1 file, -15/+18

  This allows us to optimise and reduce restore time by specifying protocol numbers, especially for large ipsets.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Limit the maximal range of consecutive elements to add/delete
  Jozsef Kadlecsik, 2021-07-14, 1 file, -0/+2

  The range size of consecutive elements was not limited. Thus one could define a huge range which may result in soft lockup errors due to the long execution time. Now the range size is limited to 2^20 entries.
  Reported by Brad Spengler.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* add ipset to nftables translation infrastructure
  Pablo Neira Ayuso, 2021-06-26, 1 file, -1/+540

  This patch provides the ipset-translate utility which allows you to translate your existing ipset file to nftables. The ipset-translate utility is actually a symlink to ipset, which checks for 'argv[0] == ipset-translate' to exercise the translation path.

  You can translate your ipset file through:

    ipset-translate restore < sets.ipt

  This patch reuses the existing parser and API to represent the sets and the elements. There is a new ipset_xlate_set dummy object that allows storing a created set to fetch the type without interactions with the kernel.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* lib: Detach restore routine from parser
  Pablo Neira Ayuso, 2021-06-26, 1 file, -1/+4

  Do not call restore() from ipset_parser(). Instead, ipset_parser() returns the IPSET_CMD_RESTORE command and the caller invokes restore().

  This patch comes in preparation for the ipset to nftables translation infrastructure.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* lib: split parser from command execution
  Pablo Neira Ayuso, 2021-06-26, 1 file, -14/+30

  ipset_parse_argv() parses, builds and sends the netlink messages to the kernel. This patch extracts the parser and wraps it in the new ipset_parser() function.

  This patch comes in preparation for the ipset to nftables translation infrastructure.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Fix patch "Parse port before trying by service name"
  Jozsef Kadlecsik, 2021-06-26, 1 file, -14/+22

  The patch broke parsing service names: number parsing failures are hard errors which erase data, thus making it impossible to parse input as a string. Fix it by enabling soft (warning) failures in the case of port number parsing.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Parse port before trying by service name
  Haw Loeung, 2021-02-19, 1 file, -2/+2

  This improves performance for loading IP sets using port numbers, especially large ones.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Silence unused-but-set-variable warnings
  Jozsef Kadlecsik, 2021-02-19, 1 file, -4/+4

  When ipset is compiled in non-debug mode, in some environments warnings treated as errors are emitted:

    session.c: In function 'build_msg':
    session.c:1985:28: warning: variable 'type' set but not used [-Wunused-but-set-variable]
       const struct ipset_type *type;
                                ^
    session.c:2030:28: warning: variable 'type' set but not used [-Wunused-but-set-variable]
       const struct ipset_type *type;
                                ^

  Fix it by hiding the unused variable definitions/settings in non-debug mode.
  Reported by Serhey Popovych.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Handle -Werror=implicit-fallthrough= in debug mode compiling
  Jozsef Kadlecsik, 2021-02-09, 1 file, -0/+2

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* ipset: fix print format warning
  Neutron Soutmun, 2021-01-19, 1 file, -3/+3

  * Use PRIx64 for portability over various architectures.
  * The format string for the 64bit number printing is incorrect, the `%` sign is missing.
  * The forced type casts over uint32_t and uint64_t are unnecessary, which the compiler warned about on different architectures.

  Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Argument parsing buffer overflow in ipset_parse_argv fixed
  Jozsef Kadlecsik, 2021-01-19, 1 file, -0/+5

  Argument length checking was simply missing.
  Fixes netfilter bugzilla #1492, reported by Marshall Whittaker.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Expose the initval hash parameter to userspace
  Jozsef Kadlecsik, 2020-09-21, 18 files, -22/+92

  It makes possible to reproduce exactly the same set after a save/restore.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Add bucketsize parameter to all hash types
  Jozsef Kadlecsik, 2020-09-21, 17 files, -10/+1201

  The parameter defines the upper limit in any hash bucket at adding new entries from userspace - if the limit would be exceeded, ipset doubles the hash size and rehashes. It means the set may consume more memory but gives faster evaluation at matching in the set.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Support the -exist flag with the destroy command
  Jozsef Kadlecsik, 2020-09-20, 1 file, -1/+1

  The -exist flag was supported with the create, add and delete commands. In order to gracefully handle the destroy command with nonexistent sets, the -exist flag is added to destroy too.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Document explicitly that protocol is not stored in bitmap:port
  Jozsef Kadlecsik, 2019-11-14, 1 file, -4/+4

* ipset: Add wildcard support to net,iface
  Kristian Evensen, 2019-10-31, 3 files, -0/+111

  The net,iface equal functions currently compare the full interface names. In several cases, wildcard (or prefix) matching is useful. For example, when converting a large iptables rule-set to make use of ipset, I was able to significantly reduce the number of set elements by making use of wildcard matching.

  Wildcard matching is enabled by adding "wildcard" when adding an element to a set. Internally, this causes the IPSET_FLAG_IFACE_WILDCARD-flag to be set. When this flag is set, only the initial part of the interface name is used for comparison.

  Wildcard matching is done per element and not per set, as there are many cases where mixing wildcard and non-wildcard elements is useful. This means that it is up to the user to handle (avoid) overlapping interface names.

  Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* Sort naturally instead of textual sort (bugzilla #1369)
  Jozsef Kadlecsik, 2019-10-31, 1 file, -2/+78

  Sort 95.0.0.0 before 107.0.0.0 instead of the textual sorting. Also, in the case of subnets, sort reversed, i.e. most specific first.

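The ordering described in the commit above (numeric address order instead of string order, and for equal addresses the most specific subnet first), as an added example that is not ipset's own sorting code. It parses "a.b.c.d" or "a.b.c.d/n" with inet_pton(), validates the prefix length, and sorts with qsort(); the sample element list is constructed for the demonstration and is not from the page.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed element: host-order IPv4 address plus prefix length. */
struct elem {
    uint32_t addr;
    int cidr;
};

/* Parse "a.b.c.d" or "a.b.c.d/n"; returns 0 on success, -1 on malformed input. */
static int parse_elem(const char *s, struct elem *e)
{
    char buf[32];
    char *slash;
    struct in_addr in;
    size_t len = strlen(s);

    if (len >= sizeof(buf))
        return -1;
    memcpy(buf, s, len + 1);
    e->cidr = 32;
    slash = strchr(buf, '/');
    if (slash) {
        char *end;
        long n;

        *slash = '\0';
        n = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || n < 0 || n > 32)
            return -1;          /* empty, trailing junk, or out of 0..32 */
        e->cidr = (int)n;
    }
    if (inet_pton(AF_INET, buf, &in) != 1)
        return -1;
    e->addr = ntohl(in.s_addr);
    return 0;
}

/* Returns 1 if s is a well-formed element, 0 otherwise. */
int parse_ok(const char *s)
{
    struct elem e;
    return parse_elem(s, &e) == 0;
}

/* qsort comparator over strings: numeric address order, and for equal
 * addresses the larger prefix length (more specific subnet) first.
 * Both strings were validated by sort_elements() before this runs. */
static int elem_cmp(const void *a, const void *b)
{
    struct elem x, y;

    parse_elem(*(const char *const *)a, &x);
    parse_elem(*(const char *const *)b, &y);
    if (x.addr != y.addr)
        return x.addr < y.addr ? -1 : 1;
    return y.cidr - x.cidr;
}

/* Sort n element strings in place; returns 0, or -1 (nothing reordered)
 * if any string is malformed. */
int sort_elements(const char **items, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (!parse_ok(items[i]))
            return -1;
    qsort(items, n, sizeof(*items), elem_cmp);
    return 0;
}

/* Constructed sample (not from the page): a textual sort would place
 * 107.0.0.0/8 before 95.0.0.0/8 and 10.0.0.0/8 before 10.0.0.0/24. */
static const char *sample[] = {
    "107.0.0.0/8", "95.0.0.0/8", "10.0.0.1", "10.0.0.0/8", "10.0.0.0/24",
};
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))

/* Sort the sample and return its i-th element, or NULL when i is out of range. */
const char *sorted_sample(size_t i)
{
    if (i >= SAMPLE_N || sort_elements(sample, SAMPLE_N) < 0)
        return NULL;
    return sample[i];
}

int main(void)
{
    size_t i;

    for (i = 0; i < SAMPLE_N; i++)
        printf("%s\n", sorted_sample(i));
    return 0;
}
```

The comparator re-parses both strings on every call; that keeps the example short and is fine for set listings of modest size, but a real implementation parses once into a struct array and sorts that.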
* ipset: fix spelling error in libipset.3 manpage
  Neutron Soutmun, 2019-06-28, 1 file, -5/+5

  Fix these spelling errors,

    s/lenght/length/
    s/controll/control/
    s/funtion/function/

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

* ipset: update my email address
  Jozsef Kadlecsik, 2019-06-05, 28 files, -28/+28

  It's better to use my kadlec@netfilter.org email address in the source code. I might not be able to use kadlec@blackhole.kfki.hu in the future.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* Add missing functions to libipset.map
  Jozsef Kadlecsik, 2018-11-28, 1 file, -0/+8

  Some new functions were not added to libipset.map at the previous release, fix it.

* Implement sorting for hash types in the ipset tool
  Jozsef Kadlecsik, 2018-11-26, 3 files, -17/+277

  Support listing/saving with sorted entries for the hash types. (bitmap and list types are automatically sorted.)

* Fix to list/save into file specified by option
  Jozsef Kadlecsik, 2018-11-10, 1 file, -2/+3

  list/save into file given by "-f filename" did not work in 7.0, reported by Isaac Good.

* Introduction of new commands and protocol version 7
  Jozsef Kadlecsik, 2018-10-27, 4 files, -1/+29

  Two new commands (IPSET_CMD_GET_BYNAME, IPSET_CMD_GET_BYINDEX) are introduced. The new commands make it possible to eliminate the getsockopt operation (in iptables set/SET match/target) and thus use only netlink communication between userspace and kernel for ipset.

  With the new protocol version, userspace can know exactly which functionality is supported by the running kernel. Both the kernel and userspace are fully backward compatible.

* Prepare the ipset tool to handle multiple protocol versions
  Jozsef Kadlecsik, 2018-10-22, 2 files, -7/+22

  From now on the "version" command asks the kernel protocol version too and reports if the userspace - kernel protocols do not match.

* Fix warning message handling
  Jozsef Kadlecsik, 2018-10-22, 4 files, -51/+60

  Warning messages were not printed and handled properly, the patch fixes the issue.

* Library reworked to support embedding ipset completely
  Jozsef Kadlecsik, 2018-10-18, 15 files, -119/+2028

  The ipset library is rewritten/extended to support embedding ipset, so that sets can fully be managed without calling the ipset binary. The ipset binary relies completely on the new library. The libipset.3 manpage was written about the library functions and usage.

  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* Validate string type attributes in attr2data()
  Stefano Brivio, 2018-09-03, 1 file, -0/+4

  Otherwise, we are missing checks in some paths, e.g. we might overrun the buffer used to save the set name in callback_list() when we strcpy() to it.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

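The check the commit above adds (a string attribute from a netlink message must be NUL-terminated and fit the fixed-size set-name buffer before it is strcpy()'d), and the same missing length check behind the ipset_parse_argv overflow entry further up, as one added example that is not ipset's or libmnl's code. The attribute header mirrors the layout of struct nlattr so the block builds without kernel headers; NAME_MAXLEN of 32 is assumed as the destination size (ipset's own limit is IPSET_MAXNAMELEN), the attribute type number is arbitrary, and the messages are constructed in the demo functions rather than captured from a kernel.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as struct nlattr: total length including this header, then
 * the attribute type. Payloads are padded to a 4-byte boundary. */
struct nla_hdr {
    uint16_t nla_len;
    uint16_t nla_type;
};
#define NLA_HDRLEN   ((int)sizeof(struct nla_hdr))
#define NLA_ALIGN(n) (((n) + 3) & ~(size_t)3)
#define NAME_MAXLEN  32          /* assumed set-name buffer size */

/* Validate a string attribute and copy it into dst. Returns 0 on success;
 * -1 (dst untouched) when the header does not fit the message, nla_len
 * overstates the message, the payload lacks a NUL terminator, or the
 * string would not fit dst. */
int copy_string_attr(const void *attr, size_t msglen, char *dst, size_t dstlen)
{
    const struct nla_hdr *h = attr;
    const char *payload;
    size_t plen, slen;

    if (msglen < (size_t)NLA_HDRLEN)
        return -1;                          /* header out of bounds */
    if (h->nla_len < NLA_HDRLEN || h->nla_len > msglen)
        return -1;                          /* claimed length leaves the message */
    payload = (const char *)attr + NLA_HDRLEN;
    plen = h->nla_len - NLA_HDRLEN;
    if (plen == 0 || payload[plen - 1] != '\0')
        return -1;                          /* no terminator inside the payload */
    slen = strlen(payload);                 /* safe: terminator is within plen */
    if (slen + 1 > dstlen)
        return -1;                          /* would overrun the name buffer */
    memcpy(dst, payload, slen + 1);
    return 0;
}

/* Build one string attribute into buf (constructed test message). slen bytes
 * of s are copied verbatim, so the caller decides whether the terminator is
 * part of the payload. Returns the aligned size, or 0 if it does not fit. */
static size_t build_string_attr(uint8_t *buf, size_t buflen, const char *s, size_t slen)
{
    size_t total = NLA_HDRLEN + slen;
    struct nla_hdr h;

    if (total > UINT16_MAX || NLA_ALIGN(total) > buflen)
        return 0;
    h.nla_len = (uint16_t)total;
    h.nla_type = 2;                         /* arbitrary type for the demo */
    memset(buf, 0, NLA_ALIGN(total));
    memcpy(buf, &h, sizeof(h));
    memcpy(buf + NLA_HDRLEN, s, slen);
    return NLA_ALIGN(total);
}

/* Each demo returns 1 when the validator behaves as described. */
int demo_accepts_terminated(void)
{
    uint8_t msg[64];
    char name[NAME_MAXLEN];
    const char *s = "mwan3_connected_v6";
    size_t len = build_string_attr(msg, sizeof(msg), s, strlen(s) + 1);

    return len != 0 && copy_string_attr(msg, len, name, sizeof(name)) == 0
        && strcmp(name, s) == 0;
}

int demo_rejects_unterminated(void)          /* payload without the NUL byte */
{
    uint8_t msg[64];
    char name[NAME_MAXLEN];
    const char *s = "mwan3_connected_v6";
    size_t len = build_string_attr(msg, sizeof(msg), s, strlen(s));

    return len != 0 && copy_string_attr(msg, len, name, sizeof(name)) == -1;
}

int demo_rejects_overlong(void)              /* terminated, but longer than dst */
{
    uint8_t msg[64];
    char name[NAME_MAXLEN];
    char s[NAME_MAXLEN + 8];
    size_t len;

    memset(s, 'a', sizeof(s) - 1);
    s[sizeof(s) - 1] = '\0';
    len = build_string_attr(msg, sizeof(msg), s, sizeof(s));
    return len != 0 && copy_string_attr(msg, len, name, sizeof(name)) == -1;
}

int demo_rejects_overclaim(void)             /* nla_len forged past the message */
{
    uint8_t msg[64];
    char name[NAME_MAXLEN];
    struct nla_hdr h;
    size_t len = build_string_attr(msg, sizeof(msg), "foo", 4);

    memcpy(&h, msg, sizeof(h));
    h.nla_len = 200;
    memcpy(msg, &h, sizeof(h));
    return len != 0 && copy_string_attr(msg, len, name, sizeof(name)) == -1;
}

int main(void)
{
    printf("terminated=%d unterminated=%d overlong=%d overclaim=%d\n",
           demo_accepts_terminated(), demo_rejects_unterminated(),
           demo_rejects_overlong(), demo_rejects_overclaim());
    return 0;
}
```

The order of the checks matters: the header is read only after msglen is known to cover it, the payload is read only after nla_len is known to stay inside the message, and strlen() runs only after the terminator is known to sit inside the payload. The destination-size check at the end is the one a missing argv length check also needs.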
* Fix use-after-free in ipset_parse_name_compat()
  Stefano Brivio, 2018-08-27, 1 file, -3/+4

  When check_setname is used in ipset_parse_name_compat(), the 'str' and 'saved' macro arguments point in fact to the same buffer. Free the 'saved' argument only after using it.

  While at it, remove a useless NULL check on 'saved'.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* Simplify return statement in ipset_mnl_query()
  Stefano Brivio, 2018-08-24, 1 file, -1/+1

  As we loop as long as 'ret' is greater than zero, and break only if we get an error in mnl_cb_run2 (with ret <= 0), we can just return ret without checking once more if it's greater than zero.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SEC
  Jozsef Kadlecsik, 2018-06-01, 1 file, -1/+1

  Due to the negative value condition in msecs_to_jiffies(), the real max possible timeout value must be set to (UINT_MAX >> 1)/MSEC_PER_SEC. Neutron Soutmun proposed the proper fix, but an insufficient one was applied, see https://patchwork.ozlabs.org/patch/400405/.

* Fix parsing service names for ports
  Jozsef Kadlecsik, 2018-04-10, 3 files, -10/+32

  Parsing is attempted both for numbers and service names and the temporarily stored error message triggered a reset of the state parameters about the set. Reported by Yuri D'Elia.

* Userspace revision handling is reworked
  Jozsef Kadlecsik, 2018-01-02, 22 files, -7805/+4983

  In order to make it simpler and more straightforward to express the revisions of the set type, all keywords and their parsing are separated from the individual set types. All backward compatibility arguments are recognized and ignored arguments are supported. Recognized but ignored arguments will be removed in a later release.

* Reset state after a command failed, when multiple ones are issued.
  Jozsef Kadlecsik, 2017-09-23, 1 file, -0/+1

  Fixes bugzilla id #1158 reported by Dimitri Grischin.

* Handle padding attribute properly in userspace.
  Jozsef Kadlecsik, 2017-09-23, 2 files, -0/+9

* New function added in commit 54802b2c is missing from libipset.map
  Jozsef Kadlecsik, 2017-09-14, 1 file, -0/+5

  The patch title was "Report if the option is supported by a newer kernel release"
  Fixes bugzilla id #1182, reported by irherder@gmail.com.

* Report if the option is supported by a newer kernel release
  Jozsef Kadlecsik, 2017-09-11, 1 file, -0/+24

  Instead of printing "Unknown argument: foo", if foo option is supported by a newer kernel release, report that.

* Fix possible truncated output in ipset output buffer handling
  Jozsef Kadlecsik, 2017-03-12, 2 files, -36/+39

  Omri Bahumi and Yoni Lavi discovered that due to the improper handling of the ipset output buffer, the output may be truncated. So for example in an "ipset save" output, instead of 192.168.0.0/24, just 192.168.0.0 is printed. If one uses "ipset save" and then "ipset restore" to restore the sets, this may lead to wrong firewall rules at the end. The patch fixes the bug in the ipset code.

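The failure mode described in the commit above (a fixed output buffer, an snprintf() return value that is not compared against the remaining space, and a save line that silently loses its "/24"), shown as an added example next to the checked form; this is illustrative code, not ipset's output-buffer implementation. The 20-byte buffer, the sink that stands in for the real write to the output file, and the "add foo 192.168.0.0/24" line are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer in which output lines are assembled. */
struct outbuf {
    char *buf;
    size_t len;
    size_t used;
};

/* Where flushed chunks go; stands in for writing to stdout or a file. */
struct sink {
    char data[256];
    size_t used;
    int flushes;
};

static void sink_flush(struct sink *s, struct outbuf *o)
{
    if (o->used + 1 <= sizeof(s->data) - s->used) {
        memcpy(s->data + s->used, o->buf, o->used + 1);
        s->used += o->used;
    }
    s->flushes++;
    o->used = 0;
    o->buf[0] = '\0';
}

/* Broken pattern: treat the vsnprintf() return value as bytes written. When
 * the text does not fit, the buffer keeps a silently cut copy and `used`
 * ends up past the end of the buffer. */
static int append_unchecked(struct outbuf *o, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(o->buf + o->used, o->len - o->used, fmt, ap);
    va_end(ap);
    o->used += (size_t)n;               /* wrong whenever n >= remaining space */
    return n;
}

/* Checked pattern: compare the return value with the remaining space; on
 * truncation undo the partial write and report it. */
static int vappend_checked(struct outbuf *o, const char *fmt, va_list ap)
{
    size_t avail = o->len - o->used;
    int n = vsnprintf(o->buf + o->used, avail, fmt, ap);

    if (n < 0 || (size_t)n >= avail) {
        o->buf[o->used] = '\0';         /* discard the cut fragment */
        return -1;
    }
    o->used += (size_t)n;
    return n;
}

/* Append; when the item does not fit, flush the complete content so far and
 * retry on the empty buffer. Returns -1 only if the item alone is too big. */
int append_checked(struct outbuf *o, struct sink *s, const char *fmt, ...)
{
    va_list ap, retry;
    int n;

    va_start(ap, fmt);
    va_copy(retry, ap);
    n = vappend_checked(o, fmt, ap);
    if (n < 0 && o->used > 0) {
        sink_flush(s, o);
        n = vappend_checked(o, fmt, retry);
    }
    va_end(retry);
    va_end(ap);
    return n;
}

#define BUFLEN 20                       /* constructed: small enough to split the line */

/* What the unchecked pattern leaves behind: the prefix length is lost and the
 * line now names the different, but syntactically valid, element 192.168.0.0. */
const char *demo_unchecked(void)
{
    static char buf[BUFLEN];
    struct outbuf o = { buf, sizeof(buf), 0 };

    buf[0] = '\0';
    append_unchecked(&o, "add foo ");
    append_unchecked(&o, "%s", "192.168.0.0/24");
    return buf;
}

/* What the checked pattern emits; *flushes receives the flush count if non-NULL. */
const char *demo_checked(int *flushes)
{
    static struct sink s;
    char buf[BUFLEN];
    struct outbuf o = { buf, sizeof(buf), 0 };

    memset(&s, 0, sizeof(s));
    buf[0] = '\0';
    append_checked(&o, &s, "add foo ");
    append_checked(&o, &s, "%s\n", "192.168.0.0/24");
    sink_flush(&s, &o);
    if (flushes)
        *flushes = s.flushes;
    return s.data;
}

int demo_checked_flushes(void)
{
    int f = 0;
    demo_checked(&f);
    return f;
}

int main(void)
{
    printf("unchecked: \"%s\"\nchecked:   \"%s\"", demo_unchecked(), demo_checked(NULL));
    return 0;
}
```

The unchecked output is the dangerous case: it is not garbage but a well-formed element, so "ipset restore" accepts it and the firewall ends up matching a single host instead of the /24. The check is simply that vsnprintf()'s return value is less than the space that was available; anything else means the item was cut.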
* Missing prototype added in ipset_hash_ipmac.c (debugging)
  Jozsef Kadlecsik, 2017-03-12, 1 file, -0/+1

* ipset: Drop extra comma from error message
  Neutron Soutmun, 2016-10-17, 1 file, -1/+1

  * The "by userspace." should be concatenated with the error message instead.

  Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* hash:ipmac type support added to ipset, userspace part
  Tomasz Chilinski, 2016-05-05, 2 files, -0/+166

  Signed-off-by: Tomasz Chiliński <tomasz.chilinski@chilan.com>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* Fix misleading error message with comment extension
  Jozsef Kadlecsik, 2016-02-24, 1 file, -1/+1

  Error message was totally misleading when comment extension was used when the set was defined without the extension. Reported by Drunkard Zhang.

* Fix link with libtool >= 2.4.4
  Olivier Blin, 2016-01-09, 1 file, -1/+1

  As of libtool-2.4.4, -ldl is no longer prepended to LIBS. Since types.c needs dlopen() and dlerror(), use LIBADD_DLOPEN, as suggested in libtool-2.4.4 release notes.

  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* Handle uint64_t alignment issue in ipset tool
  Jozsef Kadlecsik, 2015-10-28, 2 files, -3/+7

* Add element count to all set types header
  Jozsef Kadlecsik, 2015-06-25, 2 files, -2/+5

  It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types.

* Add element count to hash headers
  Eric B Munson, 2015-06-19, 2 files, -4/+12

  It would be useful for userspace to query the size of an ipset hash, however, this data is not exposed to userspace outside of counting the number of member entries. This patch uses the attribute IPSET_ATTR_ELEMENTS to indicate the size in the header that is exported to userspace. This field is then printed by the userspace tool for hashes. Because it is only meaningful for hashes to report their size, the output is conditional on the set type. To do this checking the MATCH_TYPENAME macro was moved to utils.h.

  The bulk of this patch changes the expected test suite to account for the change in output.

  Signed-off-by: Eric B Munson <emunson@akamai.com>
  Cc: Pablo Neira Ayuso <pablo@netfilter.org>
  Cc: Josh Hunt <johunt@akamai.com>
  Cc: netfilter-devel@vger.kernel.org
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* Add script to check libipset.map for missing symbols
  Jozsef Kadlecsik, 2014-10-28, 1 file, -0/+2