summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* ipset: Add wildcard support to net,ifaceKristian Evensen2019-10-311-1/+7
| | | | | | | | | | | | | | | | | | | | | The net,iface equal functions currently compares the full interface names. In several cases, wildcard (or prefix) matching is useful. For example, when converting a large iptables rule-set to make use of ipset, I was able to significantly reduce the number of set elements by making use of wildcard matching. Wildcard matching is enabled by adding "wildcard" when adding an element to a set. Internally, this causes the IPSET_FLAG_IFACE_WILDCARD-flag to be set. When this flag is set, only the initial part of the interface name is used for comparison. Wildcard matching is done per element and not per set, as there are many cases where mixing wildcard and non-wildcard elements are useful. This means that is up to the user to handle (avoid) overlapping interface names. Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: update my email addressJozsef Kadlecsik2019-06-053-3/+3
| | | | | | | | | It's better to use my kadlec@netfilter.org email address in the source code. I might not be able to use kadlec@blackhole.kfki.hu in the future. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Correct the manpage about the sort option, supported since 3713072dJozsef Kadlecsik2018-11-301-1/+1
|
* Implement sorting for hash types in the ipset toolJozsef Kadlecsik2018-11-261-2/+2
| | | | | Support listing/saving with sorted entries for the hash types. (bitmap and list types are automatically sorted.)
* Library reworked to support embedding ipset completelyJozsef Kadlecsik2018-10-182-879/+12
| | | | | | | | | | | The ipset library is rewritten/extended to support embedding ipset, so that sets can fully be managed without calling the ipset binary. The ipset binary relies completely on the new library. The libipset.3 manpage was written about the library functions and usage. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* manpage: Add comment about matching on destination MAC addressStefano Brivio2018-08-301-7/+19
| | | | | | | | | | Patch "ipset: Allow matching on destination MAC address for mac and ipmac sets" allows the user to match on destination MAC addresses in some selected cases. Add a comment to the manpage detailing in which cases it makes sense. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix leak in build_argv() on line parsing errorStefano Brivio2018-08-241-2/+3
| | | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SECJozsef Kadlecsik2018-06-011-1/+2
| | | | | | | | Due to the negative value condition in msecs_to_jiffies(), the real max possible timeout value must be set to (UINT_MAX >> 1)/MSEC_PER_SEC. Neutron Soutmun proposed the proper fix, but an insufficient one was applied, see https://patchwork.ozlabs.org/patch/400405/.
* Userspace revision handling is reworkedJozsef Kadlecsik2018-01-021-20/+54
| | | | | | | | | | | In order to make it simpler and more straightforward to express the revisions of the set type, all keywords and their parsing are separated from the individual set types. All backward compatibility arguments are recognized and ignored arguments are supported. Recognized but ignored arguments will be removed in a later release.
* Replace the last reference to u_int8_t with uint8_t.Jozsef Kadlecsik2017-09-261-1/+1
|
* Revert "ipset: fix build with musl"Jozsef Kadlecsik2017-09-261-2/+0
| | | | | | This reverts commit 992723e3712a09037338aa9e5506a080e24d1642. The single u_int8_t usage was a leftover.
* ipset: fix build with muslStijn Tintel2017-09-251-0/+2
| | | | | | | | | Include sys/types.h for u_int8_t and define _GNU_SOURCE for musl to expose it. Fixes: 54802b2c2826 ("Report if the option is supported by a newer kernel release") Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Report if the option is supported by a newer kernel releaseJozsef Kadlecsik2017-09-111-6/+27
| | | | | Instead ot printing "Unknown argument: foo", if foo option is supported by a newer kernel release, report that.
* Update manpage about the size parameter of list:set types.Jozsef Kadlecsik2017-02-191-1/+2
| | | | The parameter is ignored since ipset version 6.24.
* hash:ipmac type support added to ipset, userspace partTomasz Chilinski2016-05-051-0/+22
| | | | | Signed-off-by: Tomasz Chili??ski <tomasz.chilinski@chilan.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Manpage typo correctionsDavid Wittman2015-07-201-3/+3
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix grammar error in manpageNeutron Soutmun2015-07-201-1/+1
| | | | | | | | | | Refer to: https://bugs.launchpad.net/ubuntu/+source/lintian/+bug/608231 The "allows to" is a common grammar error which it will probably be replaced by "allows one to" as a suggestion in above bug report page. Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset manpage: refer to iptables-extensionsJozsef Kadlecsik2015-06-251-1/+2
|
* Add element count to all set types headerJozsef Kadlecsik2015-06-251-0/+5
| | | | | | It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types.
* ipset: propose rewording in manpageNeutron Soutmun2015-03-131-3/+2
| | | | | | | | | | | | | | | | | | | | | | I have prepared the patch which refers to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780336, reported and proposed by H. Renault <hr@herverenault.fr>. man ipset reads: del SETNAME DEL-ENTRY [ DEL-OPTIONS ] Delete an entry from a set. If the -exist option is specified, ipset ignores if the entry does not added to (already expired from) the set. Proposed rewording: Delete an entry from a set. If the -exist option is specified and the entry is not in the set (maybe already expired), then the command is ignored. Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Fix hyphen used as minus sign in manpageNeutron Soutmun2014-09-301-1/+1
| | | | | Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Order create and add options in manpage so that generic ones come firstJozsef Kadlecsik2014-09-231-51/+51
|
* Centralise generic create options (family, hashsize, maxelem) on top of man ↵Mart Frauenlob2014-09-231-175/+35
| | | | | | | page in the generic options section. Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add description of hash:mac set type to man page.Mart Frauenlob2014-09-221-0/+32
| | | | | Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add missing space for skbinfo option synopsis.Mart Frauenlob2014-09-221-1/+1
| | | | | Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: man: Add the skbinfo extension documentation.Anton Danilov2014-09-141-28/+42
| | | | | Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Fix grammar error in manpageNeutron Soutmun2014-04-071-1/+1
| | | | | | | | | | Refer to: https://bugs.launchpad.net/ubuntu/+source/lintian/+bug/608231 The "allows to" is a common grammar error which it will probably be replaced by "allows one to" as a suggestion in above bug report page. Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: add userspace support for forceaddJosh Hunt2014-03-041-0/+7
| | | | | | | The userspace side of the forceadd changes. Signed-off-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add markmask for hash:ip,mark data typeVytas Dauksa2014-01-231-1/+5
| | | | | | | | | Introduce packet mark mask for hash:ip,mark data type. This allows to set mark bit filter for the ip set. Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add hash:ip,mark data type to ipsetVytas Dauksa2014-01-081-0/+49
| | | | | | | | | | | | | | | | Introduce packet mark support with new ip,mark hash set. This includes userspace and kernelspace code, hash:ip,mark set tests and man page updates. The intended use of ip,mark set is similar to the ip:port type, but for protocols which don't use a predictable port number. Instead of port number it matches a firewall mark determined by a layer 7 filtering program like opendpi. As well as allowing or blocking traffic it will also be used for accounting packets and bytes sent for each protocol. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: manpage: correct add action synopsis for hash:net,port,net.Mart Frauenlob2013-11-261-1/+1
| | | | | Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: manpage: remove spare comma for hash:net,net test action.Mart Frauenlob2013-11-261-1/+1
| | | | | Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Add userspace code to support hash:net,port,net kernel module.Oliver Smith2013-09-301-140/+202
| | | | | | | | | This adds the userspace library, tests to validate correct operation of the module and also provides appropriate usage information in the man page. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Add new userspace set revisions for comment supportOliver Smith2013-09-231-24/+47
| | | | | | | | | | | This introduces new revisions of all hash and bitmap ipsets to complement the comment functionality introduced into the kernel modules. Currently all sets have a compile-time limit of 255 characters including \0. This can otherwise be arbitrarily modified. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Rework the "fake" argument parsing for ipset restore.Oliver Smith2013-09-231-9/+43
| | | | | | | | | | | | This reworks the argument parsing functionality of ipset to handle quote-delimited lines in such a way that they are considered to be a single argument. This commit is necessary for ipset to successfully restore sets that have comments. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Add userspace code to support hash:net,net kernel module.Oliver Smith2013-09-201-0/+74
| | | | | | | | | This adds the userspace library, tests to validate correct operation of the module and also provides appropriate usage information in the man page. The library version has been bumped accordingly. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add specifying protocol for bitmap:portQuentin Armitage2013-08-171-4/+9
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Manpage fix: not just identical, but compatible type of sets can be swappedJozsef Kadlecsik2013-08-141-5/+5
| | | | Reported by Quentin Armitage, netfilter bugzilla id #843.
* Parse option "family" first, because other options may depend on itJozsef Kadlecsik2013-08-141-24/+47
| | | | | | | Option like "netmask" depends on the INET family, so parse "family" first, then the rest of the options. Bug reported by Quentin Armitage, closed netfilter bugzilla #841.
* ipset: Fix hyphen used as minus sign in manpageNeutron Soutmun2013-05-131-1/+1
| | | | | Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Manpage typing error correction (reported by Husnu Demir)Jozsef Kadlecsik2013-05-021-2/+2
|
* Add sparse checking support to userspaceJozsef Kadlecsik2013-05-021-0/+6
|
* Manpage updatesJozsef Kadlecsik2013-04-091-52/+79
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Interactive mode error after syntax error (reported by Mart Frauenlob)Jozsef Kadlecsik2013-02-211-3/+8
| | | | | | | | | | | | ipset> list foo ipset v6.16.1: The set with the given name does not exist ipset> -t No command specified ipset> list ipset v6.16.1: Internal protocol error In interactive mode the state was not cleaned up properly after a syntax error, fixed.
* Fix interactive modeFredrik Eriksson2012-11-101-5/+2
| | | | Catching interactive mode got broken in 6.12.
* Coding style fixesJozsef Kadlecsik2012-09-111-3/+3
|
* Help prints list type revision and terse descriptionJozsef Kadlecsik2012-09-101-5/+5
| | | | | In order to catch kernel/userspace revision mismatch, better print all available data.
* Add /0 network support to hash:net,iface typeJozsef Kadlecsik2012-09-101-2/+1
| | | | | Now it is possible to setup a single hash:net,iface type of set and a single ip6?tables match which covers all egress/ingress filtering.
* Fix errors when compiling in debug mode.Krunal Patel2012-08-312-8/+5
|
* Explain in more detail src/dst for hash:net,ifaceJozsef Kadlecsik2012-06-291-2/+3
|