Commit log (for each commit: message, author, date, files changed, lines removed/added)
* ipset 6.21.1 released (tag v6.21.1)
  Author: Jozsef Kadlecsik   Date: 2014-03-07   Files: 3   Lines: -1/+9
* netfilter: ip_set: rename nfnl_dereference()/nfnl_set()
  Author: Patrick McHardy   Date: 2014-03-07   Files: 1   Lines: -23/+23

  The next patch will introduce a nfnl_dereference() macro that actually checks that the appropriate mutex is held and therefore needs a subsystem argument.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The bash utilities are updated
  Author: Jozsef Kadlecsik   Date: 2014-03-07   Files: 6   Lines: -523/+1181
* Fix libipset library release versioning
  Author: Jozsef Kadlecsik   Date: 2014-03-07   Files: 1   Lines: -1/+1

  Patch "add hash:ip,mark data type to ipset" broke the API and library release versioning by not incrementing "current", just "age", which is fixed here. Reported by Mathieu Bridon.
* ipset 6.21 released (tag v6.21)
  Author: Jozsef Kadlecsik   Date: 2014-03-04   Files: 3   Lines: -1/+35
* ipset: add userspace support for forceadd
  Author: Josh Hunt   Date: 2014-03-04   Files: 15   Lines: -4/+1410

  The userspace side of the forceadd changes.

  Signed-off-by: Josh Hunt <johunt@akamai.com>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: add forceadd kernel support for hash set types
  Author: Josh Hunt   Date: 2014-03-04   Files: 14   Lines: -12/+40

  Adds a new property for hash set types, where if a set is created with the 'forceadd' option and the set becomes full, the next addition to the set may succeed and evict a random entry from the set.

  To keep overhead low, eviction is done very simply. It checks to see which bucket the new entry would be added to. If the bucket's pos value is non-zero (meaning there's at least one entry in the bucket) it replaces the first entry in the bucket. If pos is zero, then it continues down the normal add process.

  This property is useful if you have a set for 'ban' lists where it may not matter if you release some entries from the set early.

  Signed-off-by: Josh Hunt <johunt@akamai.com>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: move registration message to init from net_init
  Author: Ilia Mirkin   Date: 2014-02-16   Files: 1   Lines: -1/+1

  Commit 1785e8f473 ("netfiler: ipset: Add net namespace for ipset") moved the initialization print into net_init, which can get called a lot due to namespaces. Move it back into init, reduce to pr_info.

  Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* kernel: uapi: fix MARKMASK attr ABI breakage
  Author: Florian Westphal   Date: 2014-02-14   Files: 2   Lines: -4/+4

  commit 2dfb973c0dcc6d2211 (add markmask for hash:ip,mark data type) inserted IPSET_ATTR_MARKMASK in-between other enum values, i.e. changing values of all further attributes.

  This causes 'ipset list' segfault on existing kernels since ipset no longer finds IPSET_ATTR_MEMSIZE (it has a different value on kernel side).

  Jozsef points out it should be moved below IPSET_ATTR_MARK which works since there is some extra reserved space after that value.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* lib: fix ifname 'physdev:' prefix parsing
  Author: Florian Westphal   Date: 2014-02-13   Files: 1   Lines: -2/+3

  hash:net,iface supports matching on the bridge port as well, but userspace currently doesn't handle it correctly as it passes in 'physdev:eth0' instead of 'eth0'+IPSET_OPT_PHYSDEV.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Prepare the kernel for create option flags when no extension is needed
  Author: Jozsef Kadlecsik   Date: 2014-02-13   Files: 3   Lines: -0/+14
* print mark & mark mask in hex rather than decimal
  Author: Vytas Dauksa   Date: 2014-01-23   Files: 11   Lines: -178/+178

  Modified ipset_print_mark to print in hex rather than decimal and altered the test cases accordingly.

  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add markmask for hash:ip,mark data type
  Author: Vytas Dauksa   Date: 2014-01-23   Files: 20   Lines: -9/+99

  Introduce packet mark mask for hash:ip,mark data type. This allows setting a mark bit filter for the ip set.

  Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add hash:ip,mark data type to ipset
  Author: Vytas Dauksa   Date: 2014-01-08   Files: 31   Lines: -7/+1125

  Introduce packet mark support with new ip,mark hash set. This includes userspace and kernelspace code, hash:ip,mark set tests and man page updates.

  The intended use of ip,mark set is similar to the ip:port type, but for protocols which don't use a predictable port number. Instead of port number it matches a firewall mark determined by a layer 7 filtering program like opendpi.

  As well as allowing or blocking traffic it will also be used for accounting packets and bytes sent for each protocol.

  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: remove unused code
  Author: Stephen Hemminger   Date: 2014-01-07   Files: 2   Lines: -29/+0

  Function never used in current upstream code.

  Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Add hash: fix coccinelle warnings
  Author: Fengguang Wu   Date: 2013-12-27   Files: 1   Lines: -4/+4

  net/netfilter/ipset/ip_set_hash_netnet.c:115:8-9: WARNING: return of 0/1 in function 'hash_netnet4_data_list' with return type bool
  /c/kernel-tests/src/cocci/net/netfilter/ipset/ip_set_hash_netnet.c:338:8-9: WARNING: return of 0/1 in function 'hash_netnet6_data_list' with return type bool

  Return statements in functions returning bool should use true/false instead of 1/0.

  Generated by: coccinelle/misc/boolreturn.cocci

  Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
* Typo in ip_set_hash_netnet.c fixed
  Author: David Binderman   Date: 2013-12-03   Files: 1   Lines: -1/+1

  I just ran the static analyser "cppcheck" over the source code of linux-3.13-rc1. It said

  [linux-3.13-rc1/net/netfilter/ipset/ip_set_hash_netnet.c:62] -> [linux-3.13-rc1/net/netfilter/ipset/ip_set_hash_netnet.c:62]: (style) Same expression on both sides of '=='.

  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: manpage: correct add action synopsis for hash:net,port,net.
  Author: Mart Frauenlob   Date: 2013-11-26   Files: 1   Lines: -1/+1

  Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: manpage: remove spare comma for hash:net,net test action.
  Author: Mart Frauenlob   Date: 2013-11-26   Files: 1   Lines: -1/+1

  Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* net ipset: use rbtree postorder iteration instead of opencoding
  Author: Cody P Schafer   Date: 2013-11-13   Files: 3   Lines: -1/+21

  Use rbtree_postorder_for_each_entry_safe() to destroy the rbtree instead of opencoding an alternate postorder iteration that modifies the tree.

  Signed-off-by: Cody P Schafer <cody@linux.vnet.ibm.com>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix all set output from list/save when set with counters in use.
  Author: Sergey Popovich   Date: 2013-11-13   Files: 1   Lines: -0/+3

  Using the upstream version with counters support we have the following output when listing all sets currently configured:
  --------------------------------------------------
  # ipset create test-1 hash:ip
  # ipset create test-2 hash:ip counters
  # ipset add test-2 192.0.2.1/32
  # ipset create test-3 hash:ip
  # ipset add test-3 192.0.2.1/32
  # ipset list
  Name: test-1
  Type: hash:ip
  Revision: 2
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16504
  References: 0
  Members:

  Name: test-2
  Type: hash:ip
  Revision: 2
  Header: family inet hashsize 1024 maxelem 65536 counters
  Size in memory: 16616
  References: 0
  Members:
  192.0.2.1 packets 0 bytes 0

  Name: test-3
  Type: hash:ip
  Revision: 2
  Header: family inet hashsize 1024 maxelem 65536 counters
  Size in memory: 16520
  References: 0
  Members:
  192.0.2.1 packets 0 bytes 0

  Set test-3 was created without counters, but is displayed as if counters were present. Restricting the output to list only the test-3 set we have:
  ---------------------------------------------------
  # ipset list test-3
  Name: test-3
  Type: hash:ip
  Revision: 2
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16520
  References: 0
  Members:
  192.0.2.1

  So the test-3 set was created correctly without counters support, but in the listing of all sets it is displayed as one with counters.

  It seems with commit 5a6021823aa0da24b83f8d03f46ad4202f149fa3 (Support counters in the ipset library) we forgot to add the counter option flags to the IPSET_CREATE_FLAGS and IPSET_ADT_FLAGS defines to clear these flags when preparing output in callback_list() from lib/session.c.

  v2: Remove IPSET_OPT_BYTES, IPSET_OPT_PACKETS from CREATE and IPSET_OPT_COUNTERS from ADT.

  Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Follow manual page behavior for SET target on list:set
  Author: Sergey Popovich   Date: 2013-11-11   Files: 1   Lines: -2/+2

  ipset(8) for list:set says:

  The match will try to find a matching entry in the sets and the target will try to add an entry to the first set to which it can be added.

  However, the real behavior differs a bit from what is described. Consider an example:

  # ipset create test-1-v4 hash:ip family inet
  # ipset create test-1-v6 hash:ip family inet6
  # ipset create test-1 list:set
  # ipset add test-1 test-1-v4
  # ipset add test-1 test-1-v6
  # iptables -A INPUT -p tcp --destination-port 25 -j SET --add-set test-1 src
  # ip6tables -A INPUT -p tcp --destination-port 25 -j SET --add-set test-1 src

  And then, when the iptables/ip6tables rule matches a packet, the IPSET target tries to add src from the packet to the list:set test-1, where the first entry is test-1-v4 and the second one is test-1-v6.

  For IPv4, as it is the first entry in test-1, src is added to test-1-v4 correctly, but for IPv6 src is not added! Placing test-1-v6 as the first element of the list:set makes the behavior correct for IPv6, but breaks it for IPv4.

  This is due to the result returned from ip_set_add() and ip_set_del() in net/netfilter/ipset/ip_set_core.c when a set in the list:set requires more parameters than given or the address families do not match (which is the case here).

  It seems wrong to return 0 from ip_set_add() and ip_set_del() in this case, as 0 should be returned only when an element is successfully added to/deleted from the set, contrary to ip_set_test(), which returns 0 when no entry exists and >0 when the entry is found in the set.

  Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Fix malformed output from list/save for ICMP types in port field.
  Author: Sergey Popovich   Date: 2013-11-11   Files: 1   Lines: -3/+5

  Found with ipset 6.12.1, but the upstream version is still affected.

  Creating a set of dimension three, adding elements to it and then displaying it gives the following results:
  -----------------------------------
  # ipset create test-1 hash:ip,port,ip
  # ipset add test-1 192.0.2.1,icmp:echo-request,192.0.2.1
  # ipset add test-1 192.0.2.1,icmp:ttl-zero-during-reassembly,192.0.2.1
  # ipset list test-1
  Name: test-1
  Type: hash:ip,port,ip
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16608
  References: 0
  Members:
  192.0.2.1,icmp:ttl-zero-during-reass,192.0.2.1
  192.0.2.1,icmp:echo-re,192.0.2.1

  Same results with -output save|xml.

  ipset_print_proto_port() from lib/print.c returns an incorrect length of the printed string when ICMP/ICMPv6 is specified in the port field.

  Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: fix timeout data type size
  Author: Nikolay Martynov   Date: 2013-11-11   Files: 1   Lines: -3/+8

  Currently it is impossible to set timeout on some architectures (MIPS ar71xx at least) because timeout is parsed into long long data type but used as uint32 without proper conversion. This patch fixes this issue. Tested on ar71xx router.

  Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.20.1 released (tag v6.20.1)
  Author: Jozsef Kadlecsik   Date: 2013-10-27   Files: 3   Lines: -1/+18
* build: fix incorrect library versioning
  Author: Jan Engelhardt   Date: 2013-10-27   Files: 2   Lines: -1/+5

  Commit v6.20~12 caused libipset to shift from libipset.so.3 to .so.2. That is the wrong thing to do. Set it back to 3+2, as intended.

  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: remove duplicate define
  Author: Michael Opdenacker   Date: 2013-10-27   Files: 1   Lines: -1/+0

  This patch removes a duplicate define from net/netfilter/ipset/ip_set_hash_gen.h

  Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com>
* net->user_ns is available starting from 3.8, add compatibility checking
  Author: Jozsef Kadlecsik   Date: 2013-10-27   Files: 3   Lines: -0/+15

  Reported by Jan Engelhardt
* Fix memory allocation for bitmap:port
  Author: Jozsef Kadlecsik   Date: 2013-10-18   Files: 1   Lines: -1/+1

  At the restructuring of the bitmap types creation in ipset, for the bitmap:port type wrong (too large) memory allocation was copied (netfilter bugzilla id #859).

  Reported-by: Quentin Armitage <quentin@armitage.org.uk>
* netfilter: ipset: Fix configure failure when --with-kmod=no
  Author: Oliver Smith   Date: 2013-10-17   Files: 1   Lines: -0/+3

  When configuring the sources to build without kernel modules, the path to the kernel sources was not set and the kernel header files were still checked.

  Now, we do not check the kernel sources for compatibility if we're not going to build any kernel modules.

  Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Avoid clashing with configured kernel in [CONFIG_]IP_SET_MAX
  Author: Jozsef Kadlecsik   Date: 2013-10-08   Files: 2   Lines: -1/+9
* The unnamed union initialization may lead to compilation error
  Author: Jozsef Kadlecsik   Date: 2013-10-08   Files: 2   Lines: -24/+20

  The unnamed union should be possible to be initialized directly, but unfortunately it's not so:

  /usr/src/ipset/kernel/net/netfilter/ipset/ip_set_hash_netnet.c: In function 'hash_netnet4_kadt':
  /usr/src/ipset/kernel/net/netfilter/ipset/ip_set_hash_netnet.c:141: error: unknown field 'cidr' specified in initializer

  Reported-by: Husnu Demir <hdemir@metu.edu.tr>
* Use dev_net() instead of the direct access to ->nd_net
  Author: Jozsef Kadlecsik   Date: 2013-10-04   Files: 1   Lines: -2/+2

  We have to use dev_net() instead of the direct access to ->nd_net, otherwise compilation fails if NET_NS is not enabled. Reported by the kbuild test robot.
* ipset 6.20 released (tag v6.20)
  Author: Jozsef Kadlecsik   Date: 2013-10-02   Files: 3   Lines: -1/+58
* Missing comment support added to hash:ip,port,ip and hash:net,iface types
  Author: Jozsef Kadlecsik   Date: 2013-10-02   Files: 2   Lines: -0/+323
* Compatibility code is modified not to rely on kernel version numbers
  Author: Jozsef Kadlecsik   Date: 2013-10-02   Files: 7   Lines: -41/+241

  Instead the kernel source code is checked to verify the different compatibility issues for the supported kernel releases. This way hopefully backported features will be handled properly.
* Use netlink callback dump args only
  Author: Jozsef Kadlecsik   Date: 2013-10-02   Files: 5   Lines: -54/+68

  Instead of cb->data, use callback dump args only and introduce symbolic names instead of plain numbers at accessing the argument members.
* ipset: Add userspace code to support hash:net,port,net kernel module.
  Author: Oliver Smith   Date: 2013-09-30   Files: 11   Lines: -140/+763

  This adds the userspace library, tests to validate correct operation of the module and also provides appropriate usage information in the man page.

  Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Add hash:net,port,net module to kernel.
  Author: Oliver Smith   Date: 2013-09-30   Files: 3   Lines: -1/+598

  This adds a new set that provides similar functionality to ip,port,net but permits arbitrary size subnets for both the first and last parameter.

  Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Add net namespace for ipset
  Author: Vitaly Lavrov   Date: 2013-09-28   Files: 9   Lines: -148/+245

  This patch adds netns support for ipset.

  Major changes were made in ip_set_core.c and ip_set.h. Global variables are moved to per net namespace. Added initialization code and the destruction of the network namespace ipset subsystem. In the prototypes of the public functions ip_set_*, the parameter "struct net *" was added. The remaining corrections are related to the changed prototypes of the public functions ip_set_*.

  The patch for git://git.netfilter.org/ipset.git commit 6a4ec96c0b8caac5c35474e40e319704d92ca347

  Signed-off-by: Vitaly Lavrov <lve@guap.ru>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Use a common function at listing the extensions of the elements
  Author: Jozsef Kadlecsik   Date: 2013-09-25   Files: 5   Lines: -50/+33
* Tests added to check comment extension
  Author: Jozsef Kadlecsik   Date: 2013-09-24   Files: 12   Lines: -3/+2139
* For set:list types, replaced elements must be zeroed out
  Author: Jozsef Kadlecsik   Date: 2013-09-23   Files: 1   Lines: -1/+3

  The new extensions require zero initialization for the new element to be added into a slot from where another element was pushed away.
* Fix hash resizing with comments
  Author: Jozsef Kadlecsik   Date: 2013-09-23   Files: 1   Lines: -5/+5

  The destroy function must take into account that resizing doesn't create new extensions so those cannot be destroyed at resize.
* ipset: Add new userspace set revisions for comment support
  Author: Oliver Smith   Date: 2013-09-23   Files: 11   Lines: -26/+1303

  This introduces new revisions of all hash and bitmap ipsets to complement the comment functionality introduced into the kernel modules.

  Currently all sets have a compile-time limit of 255 characters including \0. This can otherwise be arbitrarily modified.

  Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Support comments in the userspace library.
  Author: Oliver Smith   Date: 2013-09-23   Files: 14   Lines: -6/+144

  This adds support to the userspace portion of ipset for handling ipsets with the comment extension enabled. The library revision has been raised accordingly.

  Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Rework the "fake" argument parsing for ipset restore.
  Author: Oliver Smith   Date: 2013-09-23   Files: 1   Lines: -9/+43

  This reworks the argument parsing functionality of ipset to handle quote-delimited lines in such a way that they are considered to be a single argument.

  This commit is necessary for ipset to successfully restore sets that have comments.

  Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Support comments in the list-type ipset.
  Author: Oliver Smith   Date: 2013-09-23   Files: 1   Lines: -6/+12

  This provides kernel support for creating list ipsets with the comment annotation extension.

  Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Support comments in bitmap-type ipsets.
  Author: Oliver Smith   Date: 2013-09-23   Files: 4   Lines: -9/+17

  This provides kernel support for creating bitmap ipsets with comment support. As is the case for hashes, this incurs a penalty when flushing or destroying the entire ipset as the entries must first be walked in order to free the comment strings. This penalty is of course far less than the cost of listing an ipset to userspace.

  Any set created without support for comments will be flushed/destroyed as before.

  Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Support comments in hash-type ipsets.
  Author: Oliver Smith   Date: 2013-09-23   Files: 9   Lines: -13/+30

  This provides kernel support for creating ipsets with comment support. This does incur a penalty to flushing/destroying an ipset since all entries are walked in order to free the allocated strings; this penalty is of course less expensive than the operation of listing an ipset to userspace, so for general-purpose usage the overall impact is expected to be little to none.

  Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>