| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The library cannot stand on its own:
19:13 seven:../ipset/lib > ldd -r .libs/libipset.so.1
linux-vdso.so.1 => (0x00007fff9a569000)
libmnl.so.0 => /usr/lib64/libmnl.so.0 (0x00007fd42ae5c000)
libc.so.6 => /lib64/libc.so.6 (0x00007fd42aaef000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd42b28d000)
undefined symbol: ipset_errcode (.libs/libipset.so.1)
Resolve this by moving ipset_errcode into the library.
Reported-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
References: http://marc.info/?l=netfilter-devel&m=131435791514602&w=2
|
|
|
|
|
| |
ipset is actually using NFPROTO values rather than AF (xt_set passes
that along).
|
|
|
|
|
|
| |
With the header file restructuring, the ipset userspace enums IPSET_DIM_*
clash with the kernel ones. In this patch the userspace is converted to
use the kernel part enums and thus we got rid of userspace enums IPSET_DIM_*.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The hash:net,iface type makes possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:
# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The range internally is converted to the network(s) equal to the range.
Example:
# ipset new test hash:net
# ipset add test 10.2.0.0-10.2.1.12
# ipset list test
Name: test
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
10.2.1.12
10.2.1.0/29
10.2.0.0/24
10.2.1.8/30
|
| |
|
|
|
|
|
|
| |
Current listing makes possible to list sets with full content only.
The patch adds support partial listings, i.e. listing just
the existing setnames or listing set headers, without set members.
|
|
|
|
|
|
|
|
|
| |
Enforce that the second "src/dst" parameter of the set match and SET target
must be "src", because we have access to the source MAC only in the packet.
The previous behaviour, that the type required the second parameter
but actually ignored the value was counter-intuitive and confusing.
Manpage is updated to reflect the change.
|
| |
|
|
|
|
| |
SCTP and UDPLITE port support added to the hash:*port* types.
|
|
|
|
|
| |
Entry to install the manpage was missing from Makefile.am
(reported by Mark A. Ziesemer)
|
| |
|
|
|
|
| |
It's too easy to mistype "n" to "new", so just allow it.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The number of comparisons for a matching a command name can be
made smaller by just checking on argv[1].
As an example consider the following 'create' arguments 'hashsize',
'family' and 'timeout'. When having the command
create foo hash:ip timeout 60 family inet hashsize 64
it compares without this patch:
strcmp("timeout", "hashsize")
strcmp("64", "hashsize")
strcmp("family", "hashsize")
strcmp("inet", "hashsize")
strcmp("hashsize", "hashsize")
It is worse in practice, as 'create' has more arguments than this.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
|
|
|
|
|
|
|
| |
After stripping off the global options there simply has to follow
a command name, there is no other syntax possible. Therefore the
argv[] loop is unnecessary.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
|
|
|
| |
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
|
|
|
| |
Spelling error fixed (Ferenc Wagner)
|
|
|
|
| |
Use correct error codes (Patrick McHardy's review)
|
|
|
|
|
| |
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Parser errors are reported by a wrong lineno at restore, bug reported
by Holger Eitzenberger:
create foo6 hash:ip hashsize 64 family inet6
add foo6 20a1:1234:5678::/64
add foo6 20a1:1234:5679::/64
you get:
ipset v5.2: Error in line 1: Syntax error: plain IP address must be supplied: 20a1:1234:5678::/64
Should be line 2 though.
The solution is to set the session lineno before parsing.
|
|
|
|
|
|
|
| |
It's not as nice as I'd like to be: IPSET_CREATE_FLAGS and
IPSET_ADT_FLAGS are required elsewhere, but to make life
simpler, some flags (like IPSET_OPT_TYPENAME) are *not*
added to the types full[] flags. So those must be excluded here.
|
|
|
|
|
| |
There was still some other incorrect usage of 'enum ipset_cmd' and
'enum ipset_adt' - corrected.
|
|
|
|
| |
Wrong enum type was used in the comparison, reported by Jan Engelhardt.
|
|
|
|
|
| |
Match not only the first letter or the full command name, but
an arbitrary prefix too.
|
| |
|
| |
|
|
|
|
|
|
| |
Support adding/deleting multiple entries in the userspace part
of the hash:ip,port, hash:ip,port,ip, hash:ip,port,net and
hash:net,port types.
|
| |
|
| |
|
| |
|
|
|
|
| |
And enforce from kernel side as well...
|
| |
|
| |
|
|
|
|
|
|
|
| |
The manpage is updated to reflect the recent modifications and
the addition of the hash:net,port type. The help text of hash:ip
is updated: adding/deleting multiple entries are supported for
IPv4 only.
|
|
|
|
|
| |
Use the newly added parser function ipset_parse_ip4_single6 instead
of the generic ipset_parse_ip.
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- More comments added to the code
- ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip
and hash:ip,port,net types
- hash:net and hash:ip,port,net types are reworked
- hash:net,port type added
- Wrong direction parameters fixed in hash:ip,port
- Helps and manpage are updated
- More tests added
- Ugly macros are rewritten to functions in parse.c
(Holger Eitzenberger)
- resize related bug in hash types fixed (Holger Eitzenberger)
- autoreconf patches by Jan Engelhardt applied
- netlink patch minimalized: dumping can be initialized by a second
parsing of the message (thanks to David and Patrick for the suggestion)
- IPv4/IPv6 address attributes are introduced in order to fix the context
(suggested by David)
|
|
|
|
|
|
|
| |
Makefile fixes: compiler flags
README and manpage fixes
Compatibility with newer gcc releases (4.4.x)
Compatibility with the 2.6.35 kernel tree
|
|
|
|
|
|
| |
- getting ports for family INET6 fixed
- more manpage polishing
- tests to check the iptables/ip6tables match and target added
|
|
|
|
|
|
|
|
|
|
|
| |
- the hash types can now store protocol together port, not only port
- lots of fixes everywhere: parser, error reporting, manpage
The last bits on the todo list before announcing ipset 5:
- recheck all the error messages
- add possibly more tests
- polish manpage
|