| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Executing /usr/sbin/ipset-translate results in the ipset functionality being run, rather than the ipset-translate functionality.
# ipset-translate destroy fred
This command is not supported, use `ipset-translate restore < file'
# /usr/sbin/ipset-translate destroy fred
ipset v7.15: The set with the given name does not exist
use basename() to resolve the issue.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1626
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch provides the ipset-translate utility which allows you to
translate your existing ipset file to nftables.
The ipset-translate utility is actually a symlink to ipset, which checks
for 'argv[0] == ipset-translate' to exercise the translation path.
You can translate your ipset file through:
ipset-translate restore < sets.ipt
This patch reuses the existing parser and API to represent the sets and
the elements.
There is a new ipset_xlate_set dummy object that allows to store a
created set to fetch the type without interactions with the kernel.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
It's better to use my kadlec@netfilter.org email address in
the source code. I might not be able to use
kadlec@blackhole.kfki.hu in the future.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
|
| |
The ipset library is rewritten/extended to support embedding
ipset, so that sets can fully be managed without calling the ipset
binary. The ipset binary relies completely on the new library.
The libipset.3 manpage was written about the library functions
and usage.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
| |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
|
| |
In order to make it simpler and more straightforward to express
the revisions of the set type, all keywords and their parsing
are separated from the individual set types.
All backward compatibility arguments are recognized and ignored
arguments are supported.
Recognized but ignored arguments will be removed in a later release.
|
| |
|
|
|
|
|
|
| |
This reverts commit 992723e3712a09037338aa9e5506a080e24d1642.
The single u_int8_t usage was a leftover.
|
|
|
|
|
|
|
|
|
| |
Include sys/types.h for u_int8_t and define _GNU_SOURCE for musl to
expose it.
Fixes: 54802b2c2826 ("Report if the option is supported by a newer kernel release")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
| |
Instead ot printing "Unknown argument: foo", if foo option is
supported by a newer kernel release, report that.
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reworks the argument parsing functionality of ipset to handle
quote-delimited lines in such a way that they are considered to be a
single argument.
This commit is necessary for ipset to successfully restore sets that
have comments.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
| |
Option like "netmask" depends on the INET family, so parse "family"
first, then the rest of the options.
Bug reported by Quentin Armitage, closed netfilter bugzilla #841.
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipset> list foo
ipset v6.16.1: The set with the given name does not exist
ipset> -t
No command specified
ipset> list
ipset v6.16.1: Internal protocol error
In interactive mode the state was not cleaned up properly after a
syntax error, fixed.
|
| |
|
|
|
|
|
| |
In order to catch kernel/userspace revision mismatch, better print
all available data.
|
| |
|
|
|
|
|
|
| |
ipset help listed every set type, including the ones with multiple
revisions - which were listed thus multiple times. Set types with
multiple revisions are listed once from now on.
|
|
|
|
|
|
|
|
|
| |
Mathieu Bridon suggested that in some environments where there is no
access to a full shell with input/output redirection, it'd be useful
to read from/write to directly a file (bugzilla #788).
The patch adds the new "-file" option to specify a filename to print
into when listing/saving sets or read from when restoring sets.
|
|
|
|
|
| |
The libipset library is complete by this step, and "ipset" just
a CLI interface based on the lib.
|
|
|
|
|
| |
ipset is actually using NFPROTO values rather than AF (xt_set passes
that along).
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The hash:net,iface type makes possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:
# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The range internally is converted to the network(s) equal to the range.
Example:
# ipset new test hash:net
# ipset add test 10.2.0.0-10.2.1.12
# ipset list test
Name: test
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
10.2.1.12
10.2.1.0/29
10.2.0.0/24
10.2.1.8/30
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The number of comparisons for a matching a command name can be
made smaller by just checking on argv[1].
As an example consider the following 'create' arguments 'hashsize',
'family' and 'timeout'. When having the command
create foo hash:ip timeout 60 family inet hashsize 64
it compares without this patch:
strcmp("timeout", "hashsize")
strcmp("64", "hashsize")
strcmp("family", "hashsize")
strcmp("inet", "hashsize")
strcmp("hashsize", "hashsize")
It is worse in practice, as 'create' has more arguments than this.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
|
|
|
|
|
|
|
| |
After stripping off the global options there simply has to follow
a command name, there is no other syntax possible. Therefore the
argv[] loop is unnecessary.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
|
|
|
| |
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Parser errors are reported by a wrong lineno at restore, bug reported
by Holger Eitzenberger:
create foo6 hash:ip hashsize 64 family inet6
add foo6 20a1:1234:5678::/64
add foo6 20a1:1234:5679::/64
you get:
ipset v5.2: Error in line 1: Syntax error: plain IP address must be supplied: 20a1:1234:5678::/64
Should be line 2 though.
The solution is to set the session lineno before parsing.
|
|
|
|
|
|
|
| |
It's not as nice as I'd like to be: IPSET_CREATE_FLAGS and
IPSET_ADT_FLAGS are required elsewhere, but to make life
simpler, some flags (like IPSET_OPT_TYPENAME) are *not*
added to the types full[] flags. So those must be excluded here.
|
|
|
|
|
| |
There was still some other incorrect usage of 'enum ipset_cmd' and
'enum ipset_adt' - corrected.
|
|
|
|
| |
Wrong enum type was used in the comparison, reported by Jan Engelhardt.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- More comments added to the code
- ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip
and hash:ip,port,net types
- hash:net and hash:ip,port,net types are reworked
- hash:net,port type added
- Wrong direction parameters fixed in hash:ip,port
- Helps and manpage are updated
- More tests added
- Ugly macros are rewritten to functions in parse.c
(Holger Eitzenberger)
- resize related bug in hash types fixed (Holger Eitzenberger)
- autoreconf patches by Jan Engelhardt applied
- netlink patch minimalized: dumping can be initialized by a second
parsing of the message (thanks to David and Patrick for the suggestion)
- IPv4/IPv6 address attributes are introduced in order to fix the context
(suggested by David)
|
|
|
|
|
|
|
|
|
|
|
| |
- the hash types can now store protocol together port, not only port
- lots of fixes everywhere: parser, error reporting, manpage
The last bits on the todo list before announcing ipset 5:
- recheck all the error messages
- add possibly more tests
- polish manpage
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reworked protocol and internal interfaces, missing set types added,
backward compatibility verified, lots of tests added (and thanks to the tests,
bugs fixed), even the manpage is rewritten ;-). Countless changes everywhere...
The missing bits before announcing ipset 5:
- net namespace support
- new iptables/ip6tables extension library
- iptables/ip6tables match and target tests (backward/forward compatibility)
- tests on catching syntax errors
|
|
|
|
| |
Refresh existing files in src/ with the new content.
|
|
Create src/ and move ipset source there. Get rid of unnecessary and
outdated files.
|