summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Add specifying protocol for bitmap:portQuentin Armitage2013-08-174-18/+67
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Remove artifical restriction of netmask values for hash:ip type.Jozsef Kadlecsik2013-08-171-6/+4
| | | | Reported by Quentin Armitage, closes netfilter bugzilla id #844.
* Make sure called test scripts can be executed (reported by Tomas Budai)Jozsef Kadlecsik2013-08-161-0/+3
|
* Manpage fix: not just identical, but compatible type of sets can be swappedJozsef Kadlecsik2013-08-141-5/+5
| | | | Reported by Quentin Armitage, netfilter bugzilla id #843.
* Validate the set family and not the set type family at swapping.Jozsef Kadlecsik2013-08-141-1/+1
| | | | Bug reported by Quentin Armitage, netfilter bugzilla id #843.
* Fix error message typoJozsef Kadlecsik2013-08-141-1/+1
| | | | Reported by Quentin Armitage, netfilter bugzilla id #843.
* Parse option "family" first, because other options may depend on itJozsef Kadlecsik2013-08-141-24/+47
| | | | | | | Option like "netmask" depends on the INET family, so parse "family" first, then the rest of the options. Bug reported by Quentin Armitage, closed netfilter bugzilla #841.
* Change 2nd parameter type of ipset_parse_elemQuentin Armitage2013-08-012-2/+2
| | | | | | | | | The only place in ipset where ipset_parse_elem is called is src/ipset.c. The second parameter to the function call is type->last_elem_optional, which is of type bool, but ipset_parse_elem is defined in lib/parse.c with the second parameter having type enum ipset_opt. The use in lib/parse.c is clearly as a bool.
* Consistent userspace testing with nomatch flagJozsef Kadlecsik2013-07-226-12/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The "nomatch" commandline flag should invert the matching at testing, similarly to the --return-nomatch flag of the "set" match of iptables. Until now it worked with the elements with "nomatch" flag only. From now on it works with elements without the flag too, i.e: # ipset n test hash:net # ipset a test 10.0.0.0/24 nomatch # ipset t test 10.0.0.1 10.0.0.1 is NOT in set test. # ipset t test 10.0.0.1 nomatch 10.0.0.1 is in set test. # ipset a test 192.168.0.0/24 # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is NOT in set test. Before the patch the results were ... # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is in set test.
* Report broken netlink messages in debug modeJozsef Kadlecsik2013-07-191-0/+13
|
* Skip really non-first fragments for IPv6 when getting port/protocolJozsef Kadlecsik2013-05-311-4/+2
|
* ipset standalone package needs to ship em_ipset.cJozsef Kadlecsik2013-05-314-4/+152
| | | | | | | | Due to the ipset kernel API changes, em_ipset.c needs to be provided in the ipset package, reported by Jan Engelhardt: WARNING: //lib/modules/3.7.10-jng15-default/kernel/net/sched/em_ipset.ko disagrees about version of symbol ip_set_test
* ipset: Fix hyphen used as minus sign in manpageNeutron Soutmun2013-05-131-1/+1
| | | | | Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* libipset.pc must be installed via 'make install'Eric Leblond2013-05-111-0/+3
| | | | | | | | libipset.pc was not installed by classic 'make install'. This patch adds it to the list of installed files. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.19 releasedv6.19Jozsef Kadlecsik2013-05-093-1/+59
|
* Compatibility fixes to keep the support of kernels back to 2.6.32Jozsef Kadlecsik2013-05-092-48/+48
|
* Check at modules_install whether depmod ignores the extra subdirJozsef Kadlecsik2013-05-091-0/+18
| | | | | | | | | The external kernel modules are installed in the extra subdir in /lib/modules/<kernelrelease>/, but depmod in some distributions (at least in Ubuntu 12.04 LTS) ingores the subdir. Warn about it, because that way the modules are actually not available there. Reported by Husnu Demir and tian fang.
* Backport nla_put_net64Jozsef Kadlecsik2013-05-091-0/+10
|
* The utils are updated from their sourcesJozsef Kadlecsik2013-05-075-502/+1734
|
* Support package fragments for IPv4 protos without portsAnders K. Pedersen2013-05-031-1/+17
| | | | | | | | | | | | | | | | | | | Enable ipset port set types to match IPv4 package fragments for protocols that doesn't have ports (or the port information isn't supported by ipset). For example this allows a hash:ip,port ipset containing the entry 192.168.0.1,gre:0 to match all package fragments for PPTP VPN tunnels to/from the host. Without this patch only the first package fragment (with fragment offset 0) was matched, while subsequent fragments wasn't. This is not possible for IPv6, where the protocol is in the fragmented part of the package unlike IPv4, where the protocol is in the IP header. IPPROTO_ICMPV6 is deliberately not included, because it isn't relevant for IPv4. Signed-off-by: Anders K. Pedersen <akp@surftown.com>
* Manpage typing error correction (reported by Husnu Demir)Jozsef Kadlecsik2013-05-021-2/+2
|
* Update testsuite as the trailing space was eliminated at listingsJozsef Kadlecsik2013-05-0286-108/+108
|
* Use fix sized type for timeout in the extension partJozsef Kadlecsik2013-05-021-1/+1
|
* Add sparse checking support to userspaceJozsef Kadlecsik2013-05-025-3/+26
|
* Improve XML output: add element tag and root element (suggested by Lucas Hamie)Jozsef Kadlecsik2013-05-011-33/+38
|
* Make sure kernel configured properly for sparse checkingsJozsef Kadlecsik2013-05-011-0/+6
|
* Fix "may be used uninitialized" warningsJozsef Kadlecsik2013-05-019-12/+12
| | | | Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Rename simple macro names to avoid namespace issues.Jozsef Kadlecsik2013-05-0114-162/+169
| | | | Reported-by: David Laight <David.Laight@ACULAB.COM>
* Fix sparse warnings due to missing rcu annotationsJozsef Kadlecsik2013-04-301-32/+55
| | | | Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Sparse warning about shadowed variable fixedJozsef Kadlecsik2013-04-301-1/+1
| | | | | net/netfilter/ipset/ip_set_hash_ipportnet.c:275:20: warning: symbol 'cidr' shadows an earlier one
* Don't call ip_nest_end needlessly in the error pathJozsef Kadlecsik2013-04-273-3/+3
| | | | Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Manpage updatesJozsef Kadlecsik2013-04-091-52/+79
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add new testsuite entries to verify counters and the new type implementationsJozsef Kadlecsik2013-04-0924-8/+1156
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduce the new set type revisions with counter supportJozsef Kadlecsik2013-04-0911-103/+1560
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support counters in the ipset libraryJozsef Kadlecsik2013-04-0910-8/+128
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* set match: add support to match the countersJozsef Kadlecsik2013-04-096-9/+120
| | | | | | | | | | The new revision of the set match supports to match the counters and to suppress updating the counters at matching too. At the set:list types, the updating of the subcounters can be suppressed as well. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The list:set type with counter supportJozsef Kadlecsik2013-04-091-6/+67
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The hash types with counter supportJozsef Kadlecsik2013-04-098-19/+381
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The bitmap types with counter supportJozsef Kadlecsik2013-04-094-15/+186
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduce the counter extension in the coreJozsef Kadlecsik2013-04-093-4/+86
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* list:set type using the extension interfaceJozsef Kadlecsik2013-04-091-246/+301
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Hash types using the unified code baseJozsef Kadlecsik2013-04-097-1865/+610
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Unified hash type generationJozsef Kadlecsik2013-04-092-1241/+1039
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Bitmap types using the unified code baseJozsef Kadlecsik2013-04-093-954/+316
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Unified bitmap type generationJozsef Kadlecsik2013-04-092-0/+271
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduce extensions to elements in the coreJozsef Kadlecsik2013-04-094-110/+86
| | | | | | | Introduce extensions to elements in the core and prepare timeout as the first one. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Move often used IPv6 address masking function to header fileJozsef Kadlecsik2013-04-096-45/+9
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Make possible to test elements marked with nomatch, from userspaceJozsef Kadlecsik2013-04-095-24/+40
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter ipset: Use ipv6_addr_equal() where appropriate.YOSHIFUJI Hideaki2013-04-097-9/+9
| | | | | | Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add a compatibility header file for easier maintenanceJozsef Kadlecsik2013-04-096-78/+101
| | | | | | | Unfortunately not everything could be moved there, there are still compatibility ifdefs in some other files. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>