summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Resolve the STREQ macro to make the code more readable, and use nla_strlcpy ↵Jozsef Kadlecsik2014-12-101-6/+5
| | | | where possible
* Use MSEC_PER_SEC consistentlyJozsef Kadlecsik2014-12-011-2/+2
|
* Make possible to pass extra flags to sparse (userspace)Jozsef Kadlecsik2014-11-271-1/+1
|
* Remove unnecessary integer RCU handling and fix sparse warningsJozsef Kadlecsik2014-11-276-122/+90
|
* Fix sparse warningJozsef Kadlecsik2014-11-271-2/+2
| | | | "warning: cast to restricted __be32" warnings are fixed
* ipset 6.24 releasedv6.24Jozsef Kadlecsik2014-11-243-1/+37
|
* netfilter: ipset: small potential read beyond the end of bufferDan Carpenter2014-11-181-0/+5
| | | | | | | | | | We could be reading 8 bytes into a 4 byte buffer here. It seems harmless but adding a check is the right thing to do and it silences a static checker warning. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* The "extra" subdirectory for kernel modules may have a full subtreeJozsef Kadlecsik2014-11-181-1/+1
| | | | | | | | | | | | | | Jesper Dangaard Brouer reported that on Red Hat Enterprise Linux Server release 6.5 the extra subdirectory contains the full subtree path /lib/modules/*/extra/netfilter/ipset/ and not /lib/modules/*/extra/ipset/ Check only "/extra/" in the path.
* Fix parallel resizing and listing of the same setJozsef Kadlecsik2014-11-185-22/+80
| | | | | | | | When elements added to a hash:* type of set and resizing triggered, parallel listing could start to list the original set (before resizing) and "continue" with listing the new set. Fix it by references and using the original hash table for listing. Therefore the destroying the original hash table may happen from the resizing or listing functions.
* styles warned by checkpatch.pl fixedJozsef Kadlecsik2014-11-1811-11/+38
|
* Introduce RCU in all set types instead of rwlock per setJozsef Kadlecsik2014-11-189-488/+615
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Performance is tested by Jesper Dangaard Brouer: Simple drop in FORWARD ~~~~~~~~~~~~~~~~~~~~~~ Dropping via simple iptables net-mask match:: iptables -t raw -N simple || iptables -t raw -F simple iptables -t raw -I simple -s 198.18.0.0/15 -j DROP iptables -t raw -D PREROUTING -j simple iptables -t raw -I PREROUTING -j simple Drop performance in "raw": 11.3Mpps Generator: sending 12.2Mpps (tx:12264083 pps) Drop via original ipset in RAW table ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Create a set with lots of elements:: sudo ./ipset destroy test echo "create test hash:ip hashsize 65536" > test.set for x in `seq 0 255`; do for y in `seq 0 255`; do echo "add test 198.18.$x.$y" >> test.set done done sudo ./ipset restore < test.set Dropping via ipset:: iptables -t raw -F iptables -t raw -N net198 || iptables -t raw -F net198 iptables -t raw -I net198 -m set --match-set test src -j DROP iptables -t raw -I PREROUTING -j net198 Drop performance in "raw" with ipset: 8Mpps Perf report numbers ipset drop in "raw":: + 24.65% ksoftirqd/1 [ip_set] [k] ip_set_test - 21.42% ksoftirqd/1 [kernel.kallsyms] [k] _raw_read_lock_bh - _raw_read_lock_bh + 99.88% ip_set_test - 19.42% ksoftirqd/1 [kernel.kallsyms] [k] _raw_read_unlock_bh - _raw_read_unlock_bh + 99.72% ip_set_test + 4.31% ksoftirqd/1 [ip_set_hash_ip] [k] hash_ip4_kadt + 2.27% ksoftirqd/1 [ixgbe] [k] ixgbe_fetch_rx_buffer + 2.18% ksoftirqd/1 [ip_tables] [k] ipt_do_table + 1.81% ksoftirqd/1 [ip_set_hash_ip] [k] hash_ip4_test + 1.61% ksoftirqd/1 [kernel.kallsyms] [k] __netif_receive_skb_core + 1.44% ksoftirqd/1 [kernel.kallsyms] [k] build_skb + 1.42% ksoftirqd/1 [kernel.kallsyms] [k] ip_rcv + 1.36% ksoftirqd/1 [kernel.kallsyms] [k] __local_bh_enable_ip + 1.16% ksoftirqd/1 [kernel.kallsyms] [k] dev_gro_receive + 1.09% ksoftirqd/1 [kernel.kallsyms] [k] __rcu_read_unlock + 0.96% ksoftirqd/1 [ixgbe] [k] ixgbe_clean_rx_irq + 0.95% ksoftirqd/1 [kernel.kallsyms] [k] __netdev_alloc_frag + 0.88% ksoftirqd/1 [kernel.kallsyms] [k] kmem_cache_alloc + 0.87% ksoftirqd/1 [xt_set] [k] set_match_v3 + 0.85% ksoftirqd/1 [kernel.kallsyms] [k] inet_gro_receive + 0.83% ksoftirqd/1 [kernel.kallsyms] [k] nf_iterate + 0.76% ksoftirqd/1 [kernel.kallsyms] [k] put_compound_page + 0.75% ksoftirqd/1 [kernel.kallsyms] [k] __rcu_read_lock Drop via ipset in RAW table with RCU-locking ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With RCU locking, the RW-lock is gone. Drop performance in "raw" with ipset with RCU-locking: 11.3Mpps Performance-tested-by: Jesper Dangaard Brouer <brouer@redhat.com>
* Remove rbtree from hash:net,iface in order to run under RCUJozsef Kadlecsik2014-11-181-167/+17
|
* Explicitly add padding elements to hash:net,net and hash:net,port,netJozsef Kadlecsik2014-11-182-0/+4
| | | | The elements must be u32 sized for the used hash function.
* Allocate the proper size of memory when /0 networks are supportedJozsef Kadlecsik2014-11-181-2/+1
|
* Simplify cidr handling for hash:*net* typesJozsef Kadlecsik2014-11-181-28/+28
|
* Indicate when /0 networks are supportedJozsef Kadlecsik2014-11-182-1/+2
|
* Add more compatibility checkings to support older kernel releasesJozsef Kadlecsik2014-11-183-6/+32
|
* Make_global.am: Don't include host headersBaruch Siach2014-11-041-2/+1
| | | | | | | This is bad for cross compilation. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Kernel API changes in em_ipset.c, support both old and new onesJozsef Kadlecsik2014-11-033-0/+40
|
* netfilter: Convert uses of __constant_<foo> to <foo>Joe Perches2014-11-031-2/+2
| | | | | | | | | | The use of __constant_<foo> has been unnecessary for quite awhile now. Make these uses consistent with the rest of the kernel. Signed-off-by: Joe Perches <joe@perches.com> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* net: use the new API kvfree()WANG Cong2014-11-033-4/+22
| | | | | | | | | It is available since v3.15-rc5. Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* treewide: fix errors in printkMasanari Iida2014-11-031-1/+1
| | | | | | | | | This patch fix spelling typo in printk. Signed-off-by: Masanari Iida <standby24x7@gmail.com> Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> Acked-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
* netfilter: use IS_ENABLED(CONFIG_BRIDGE_NETFILTER)Pablo Neira Ayuso2014-11-031-2/+2
| | | | | | | | | | In 34666d4 ("netfilter: bridge: move br_netfilter out of the core"), the bridge netfilter code has been modularized. Use IS_ENABLED instead of ifdef to cover the module case. Fixes: 34666d4 ("netfilter: bridge: move br_netfilter out of the core") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Use IS_ENABLED macro and define it if requiredJozsef Kadlecsik2014-11-032-1/+12
|
* Alignment problem between 64bit kernel 32bit userspaceJozsef Kadlecsik2014-11-033-6/+88
| | | | | | | | | | | | | | | | Sven-Haegar Koch reported the issue: sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT iptables: Invalid argument. Run `dmesg' for more information. In syslog: x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32 which was introduced by the counter extension in ipset. The patch fixes the alignment issue with introducing a new set match revision with the fixed underlying 'struct ip_set_counter_match' structure.
* Add script to check libipset.map for missing symbolsJozsef Kadlecsik2014-10-284-3/+36
|
* Update libipset.map with ipset_parse_tcp_udp_portThomas Backlund2014-10-281-0/+1
| | | | | | | | | | | | | | | | | | | | | | | Commit: author Quentin Armitage <quentin@armitage.org.uk> 2013-08-09 11:26:33 (GMT) committer Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2013-08-17 19:31:29 (GMT) commit 480761a3bdaa55bf8c966e4dab950ebf84775863 (patch) tree 6d750f948abf1ae4f93e4c704502d085ac13d679 parent 3a4419954a3ae0ba5dafd711e6b8dd8f0beb5c21 (diff) Add specifying protocol for bitmap:port Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> added ipset_parse_tcp_udp_port(), but forgot to update libipset.map so we get: /usr/lib64/ipset/ipset_bitmap_port.so: /usr/lib64/ipset/ipset_bitmap_port.so: undefined symbol: ipset_parse_tcp_udp_port so update the map. Signed-off-by: Thomas Backlund <tmb@mageia.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* libipset: Bump lib version and update map fileNeutron Soutmun2014-10-282-1/+6
| | | | | | | | | | The ipset_parse_uint16() was introduced but no lib version bumped and no map file updated. Bump lib version to 9:0:6. (current and age was bumped) Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: off by one in ip_set_nfnl_get_byindex()Dan Carpenter2014-10-211-1/+1
| | | | | | | | The ->ip_set_list[] array is initialized in ip_set_net_init() and it has ->ip_set_max elements so this check should be >= instead of > otherwise we are off by one. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Bash utilities updatedJozsef Kadlecsik2014-09-302-48/+79
|
* ipset: Fix hyphen used as minus sign in manpageNeutron Soutmun2014-09-301-1/+1
| | | | | Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.23 releasedv6.23Jozsef Kadlecsik2014-09-233-1/+18
|
* The utils are updated from their sourcesJozsef Kadlecsik2014-09-231-77/+109
|
* Order create and add options in manpage so that generic ones come firstJozsef Kadlecsik2014-09-231-51/+51
|
* Centralise generic create options (family, hashsize, maxelem) on top of man ↵Mart Frauenlob2014-09-231-175/+35
| | | | | | | page in the generic options section. Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support glibc < 2.9 (fixes bugzilla id #891)Jozsef Kadlecsik2014-09-232-0/+71
|
* Support updating extensions when the set is fullJozsef Kadlecsik2014-09-233-23/+43
| | | | | | When the set was full (hash type and maxelem reached), it was not possible to update the extension part of already existing elements. The patch removes this limitation. (Fixes netfilter bugzilla id 880.)
* Add description of hash:mac set type to man page.Mart Frauenlob2014-09-221-0/+32
| | | | | Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add missing space for skbinfo option synopsis.Mart Frauenlob2014-09-221-1/+1
| | | | | Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The library/API versions were forgotten to bump (reported by Sergei Zhirikov)Jozsef Kadlecsik2014-09-222-1/+9
| | | | | With introducing the skbinfo extension, the library/API versions should have been incremented, which is fixed now.
* Retry printing when sprintf fails (reported by Stig Thormodsrud)Jozsef Kadlecsik2014-09-221-14/+2
| | | | | | Instead of returning the length of the string which would have been printed, sprintf sometimes simply returns an error code. Handle the case and flush the printing buffer and retry.
* ipset 6.22 releasedv6.22Jozsef Kadlecsik2014-09-153-1/+48
|
* hash:mac type added to ipsetJozsef Kadlecsik2014-09-1512-4/+416
|
* skbinfo extension: send nonzero extension elements only to userspaceJozsef Kadlecsik2014-09-151-7/+11
|
* Add test to check mark mappingJozsef Kadlecsik2014-09-142-0/+17
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: remove extran newline on debug outputHolger Eitzenberger2014-09-141-1/+1
| | | | | | | | | [ The following text is in the "utf-8" character set. ] [ Your display is set for the "ISO-8859-2" character set. ] [ Some characters may be displayed incorrectly. ] Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: avoid duplicate command flagsHolger Eitzenberger2014-09-141-4/+2
| | | | | | | | | | | | [ The following text is in the "utf-8" character set. ] [ Your display is set for the "ISO-8859-2" character set. ] [ Some characters may be displayed incorrectly. ] NLM_F_DUMP is #defined as (NLM_F_ROOT | NLM_F_ACK), so specifying all of them is redundant. Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Remove a duplicate debug printHolger Eitzenberger2014-09-141-2/+1
| | | | | | | | | [ The following text is in the "utf-8" character set. ] [ Your display is set for the "ISO-8859-2" character set. ] [ Some characters may be displayed incorrectly. ] Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: Convert pr_warning to pr_warnJoe Perches2014-09-143-42/+35
| | | | | | | | | | | | Use the more common pr_warn. Other miscellanea: o Coalesce formats o Realign arguments Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Add skbinfo extension support to SET target.Anton Danilov2014-09-142-12/+191
| | | | | Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>