summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* build: move ipset_errcode into libraryJan Engelhardt2011-08-312-201/+0
| | | | | | | | | | | | | | | | The library cannot stand on its own: 19:13 seven:../ipset/lib > ldd -r .libs/libipset.so.1 linux-vdso.so.1 => (0x00007fff9a569000) libmnl.so.0 => /usr/lib64/libmnl.so.0 (0x00007fd42ae5c000) libc.so.6 => /lib64/libc.so.6 (0x00007fd42aaef000) /lib64/ld-linux-x86-64.so.2 (0x00007fd42b28d000) undefined symbol: ipset_errcode (.libs/libipset.so.1) Resolve this by moving ipset_errcode into the library. Reported-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com> References: http://marc.info/?l=netfilter-devel&m=131435791514602&w=2
* ipset: use NFPROTO_ constantsJan Engelhardt2011-08-3112-19/+19
| | | | | ipset is actually using NFPROTO values rather than AF (xt_set passes that along).
* Propagate "expose userspace-relevant parts in ip_set.h" to ipset sourceJozsef Kadlecsik2011-08-3111-25/+25
| | | | | | With the header file restructuring, the ipset userspace enums IPSET_DIM_* clash with the kernel ones. In this patch the userspace is converted to use the kernel part enums and thus we got rid of userspace enums IPSET_DIM_*.
* Update the manpage and document the limits in hash:net,iface.Jozsef Kadlecsik2011-07-111-1/+5
|
* Whitespace and coding fixes detected by checkpatch.plJozsef Kadlecsik2011-05-3114-178/+182
|
* hash:net,iface type introducedJozsef Kadlecsik2011-05-304-2/+192
| | | | | | | | | | The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1
* Remove iptree tests and compatibility element parsingJozsef Kadlecsik2011-05-271-1/+0
|
* Fix warnings reported by valgrindJozsef Kadlecsik2011-05-251-1/+7
|
* Remove supporting set types iptree and iptreemapJozsef Kadlecsik2011-05-241-1/+1
|
* Accept "\r\n" terminated COMMIT command in restore filesJozsef Kadlecsik2011-05-241-1/+1
|
* Accept "\r\n" terminated lines in restore filesJozsef Kadlecsik2011-05-211-2/+2
|
* Support range for IPv4 at adding/deleting elements for hash:*net* typesJozsef Kadlecsik2011-05-158-35/+287
| | | | | | | | | | | | | | | | | | | The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30
* Update ipset help text to reflect SCTP and UDPLITE supportJozsef Kadlecsik2011-05-121-3/+3
|
* Support listing setnames and headers tooJozsef Kadlecsik2011-04-182-4/+29
| | | | | | Current listing makes possible to list sets with full content only. The patch adds support partial listings, i.e. listing just the existing setnames or listing set headers, without set members.
* bitmap:ip,mac type requires "src" for MACJozsef Kadlecsik2011-04-081-3/+4
| | | | | | | | | Enforce that the second "src/dst" parameter of the set match and SET target must be "src", because we have access to the source MAC only in the packet. The previous behaviour, that the type required the second parameter but actually ignored the value was counter-intuitive and confusing. Manpage is updated to reflect the change.
* Manpage updateJozsef Kadlecsik2011-03-271-0/+2
|
* SCTP, UDPLITE support addedJozsef Kadlecsik2011-03-185-21/+29
| | | | SCTP and UDPLITE port support added to the hash:*port* types.
* Manpage was not installedJozsef Kadlecsik2011-03-181-0/+2
| | | | | Entry to install the manpage was missing from Makefile.am (reported by Mark A. Ziesemer)
* Print protocol version together with ipset versionJozsef Kadlecsik2011-02-031-1/+2
|
* Allow "new" as a commad alias to "create"Jozsef Kadlecsik2011-02-011-7/+7
| | | | It's too easy to mistype "n" to "new", so just allow it.
* ipset: improve command argument parsingHolger Eitzenberger2011-02-011-22/+20
| | | | | | | | | | | | | | | | | | | | | | The number of comparisons for a matching a command name can be made smaller by just checking on argv[1]. As an example consider the following 'create' arguments 'hashsize', 'family' and 'timeout'. When having the command create foo hash:ip timeout 60 family inet hashsize 64 it compares without this patch: strcmp("timeout", "hashsize") strcmp("64", "hashsize") strcmp("family", "hashsize") strcmp("inet", "hashsize") strcmp("hashsize", "hashsize") It is worse in practice, as 'create' has more arguments than this. Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
* ipset: avoid the unnecessary argv[] loopHolger Eitzenberger2011-02-011-50/+46
| | | | | | | | After stripping off the global options there simply has to follow a command name, there is no other syntax possible. Therefore the argv[] loop is unnecessary. Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
* ipset: pass ipset_arg argument pointerHolger Eitzenberger2011-02-011-8/+2
| | | | Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
* Fix the spelling error fix :-)Jozsef Kadlecsik2011-01-261-1/+1
| | | | Spelling error fixed (Ferenc Wagner)
* Correct the error codes: use ENOENT and EMSGSIZEJozsef Kadlecsik2011-01-261-1/+3
| | | | Use correct error codes (Patrick McHardy's review)
* ipset: fix spelling errorHolger Eitzenberger2011-01-251-2/+2
| | | | | Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Do session initialization onceHolger Eitzenberger2011-01-181-8/+6
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Show correct line numbers in restore output for parser errorsJozsef Kadlecsik2011-01-181-0/+3
| | | | | | | | | | | | | | | | | Parser errors are reported by a wrong lineno at restore, bug reported by Holger Eitzenberger: create foo6 hash:ip hashsize 64 family inet6 add foo6 20a1:1234:5678::/64 add foo6 20a1:1234:5679::/64 you get: ipset v5.2: Error in line 1: Syntax error: plain IP address must be supplied: 20a1:1234:5678::/64 Should be line 2 though. The solution is to set the session lineno before parsing.
* Should have gone to sleep: fix check_allowed. Really.Jozsef Kadlecsik2010-12-191-11/+11
| | | | | | | It's not as nice as I'd like to be: IPSET_CREATE_FLAGS and IPSET_ADT_FLAGS are required elsewhere, but to make life simpler, some flags (like IPSET_OPT_TYPENAME) are *not* added to the types full[] flags. So those must be excluded here.
* The fix of incorrect comparison in check_allowed completed.Jozsef Kadlecsik2010-12-181-22/+25
| | | | | There was still some other incorrect usage of 'enum ipset_cmd' and 'enum ipset_adt' - corrected.
* Fix incorrect comparison in check_allowedJozsef Kadlecsik2010-12-181-1/+1
| | | | Wrong enum type was used in the comparison, reported by Jan Engelhardt.
* Match command prefixesJozsef Kadlecsik2010-12-171-1/+1
| | | | | Match not only the first letter or the full command name, but an arbitrary prefix too.
* Updated manpage to reflect wider input possibilities in the ipset tool.Jozsef Kadlecsik2010-12-171-41/+45
|
* Updated help texts for the hash:ip and list:set types.Jozsef Kadlecsik2010-12-172-6/+7
|
* Support adding/deleting multiple entries, userspace part.Jozsef Kadlecsik2010-12-174-7/+34
| | | | | | Support adding/deleting multiple entries in the userspace part of the hash:ip,port, hash:ip,port,ip, hash:ip,port,net and hash:net,port types.
* Missing spaces in error strings fixed.Jozsef Kadlecsik2010-12-171-4/+4
|
* Use the 'full' flags of the types and check not allowed flags.Jozsef Kadlecsik2010-12-172-14/+113
|
* Manpage cleanups, so it's more clear and straightforward.Jozsef Kadlecsik2010-12-151-20/+20
|
* Document which elements cannot be stored in the different hash types.Jozsef Kadlecsik2010-12-141-4/+13
| | | | And enforce from kernel side as well...
* Fixing dangling empty line produced backward-incompatible exit codes, fixed.Jozsef Kadlecsik2010-12-131-2/+2
|
* Fix dangling empty line at error/warning messages emitted by ipset.Jozsef Kadlecsik2010-12-101-3/+4
|
* Manpage and help text fixes.v5.0-pre10Jozsef Kadlecsik2010-11-022-38/+110
| | | | | | | The manpage is updated to reflect the recent modifications and the addition of the hash:net,port type. The help text of hash:ip is updated: adding/deleting multiple entries are supported for IPv4 only.
* Enforce handling IPv4 and IPv6 differently for hash:ip type.Jozsef Kadlecsik2010-10-301-1/+1
| | | | | Use the newly added parser function ipset_parse_ip4_single6 instead of the generic ipset_parse_ip.
* Merge branch 'ipset-5' of git://dev.medozas.de/ipset into ipset-5Jozsef Kadlecsik2010-10-251-0/+1
|\
| * Add .gitignore filesJan Engelhardt2010-10-191-0/+1
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Rollback to fix commit historyJozsef Kadlecsik2010-10-251-1/+0
| |
* | Fixes, cleanups, commentsv5.0-pre8Jozsef Kadlecsik2010-10-2416-89/+289
|/ | | | | | | | | | | | | | | | | | | - More comments added to the code - ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip and hash:ip,port,net types - hash:net and hash:ip,port,net types are reworked - hash:net,port type added - Wrong direction parameters fixed in hash:ip,port - Helps and manpage are updated - More tests added - Ugly macros are rewritten to functions in parse.c (Holger Eitzenberger) - resize related bug in hash types fixed (Holger Eitzenberger) - autoreconf patches by Jan Engelhardt applied - netlink patch minimalized: dumping can be initialized by a second parsing of the message (thanks to David and Patrick for the suggestion) - IPv4/IPv6 address attributes are introduced in order to fix the context (suggested by David)
* Compatibility and documentation fixesv5.0-pre6Jozsef Kadlecsik2010-07-131-26/+26
| | | | | | | Makefile fixes: compiler flags README and manpage fixes Compatibility with newer gcc releases (4.4.x) Compatibility with the 2.6.35 kernel tree
* ipset 5: IPv6 port related and manpage fixes, more testsv5.0-pre4Jozsef Kadlecsik2010-06-251-32/+36
| | | | | | - getting ports for family INET6 fixed - more manpage polishing - tests to check the iptables/ip6tables match and target added
* ipset 5: last new feature addedv5.0-pre3Jozsef Kadlecsik2010-06-226-65/+132
| | | | | | | | | | | - the hash types can now store protocol together port, not only port - lots of fixes everywhere: parser, error reporting, manpage The last bits on the todo list before announcing ipset 5: - recheck all the error messages - add possibly more tests - polish manpage