summaryrefslogtreecommitdiffstats
path: root/include/libipset/data.h
Commit message (Collapse)AuthorAgeFilesLines
* netfilter: ipset: Add support for new bitmask parameterVishwanath Pai2022-11-201-2/+4
| | | | | | | | | | | | | | | Add a new parameter to complement the existing 'netmask' option. The main difference between netmask and bitmask is that bitmask takes any arbitrary ip address as input, it does not have to be a valid netmask. The name of the new parameter is 'bitmask'. This lets us mask out arbitrary bits in the ip address, for example: ipset create set1 hash:ip bitmask 255.128.255.0 ipset create set2 hash:ip,port family inet6 bitmask ffff::ff80 Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Expose the initval hash parameter to userspaceJozsef Kadlecsik2020-09-211-0/+1
| | | | | | It makes possible to reproduce exactly the same set after a save/restore. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Add bucketsize parameter to all hash typesJozsef Kadlecsik2020-09-211-0/+1
| | | | | | | | | The parameter defines the upper limit in any hash bucket at adding new entries from userspace - if the limit would be exceeded, ipset doubles the hash size and rehashes. It means the set may consume more memory but gives faster evaluation at matching in the set. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: Add wildcard support to net,ifaceKristian Evensen2019-10-311-1/+3
| | | | | | | | | | | | | | | | | | | | | The net,iface equal functions currently compares the full interface names. In several cases, wildcard (or prefix) matching is useful. For example, when converting a large iptables rule-set to make use of ipset, I was able to significantly reduce the number of set elements by making use of wildcard matching. Wildcard matching is enabled by adding "wildcard" when adding an element to a set. Internally, this causes the IPSET_FLAG_IFACE_WILDCARD-flag to be set. When this flag is set, only the initial part of the interface name is used for comparison. Wildcard matching is done per element and not per set, as there are many cases where mixing wildcard and non-wildcard elements are useful. This means that is up to the user to handle (avoid) overlapping interface names. Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: update my email addressJozsef Kadlecsik2019-06-051-1/+1
| | | | | | | | | It's better to use my kadlec@netfilter.org email address in the source code. I might not be able to use kadlec@blackhole.kfki.hu in the future. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduction of new commands and protocol version 7Jozsef Kadlecsik2018-10-271-0/+1
| | | | | | | | | | | Two new commands (IPSET_CMD_GET_BYNAME, IPSET_CMD_GET_BYINDEX) are introduced. The new commands makes possible to eliminate the getsockopt operation (in iptables set/SET match/target) and thus use only netlink communication between userspace and kernel for ipset. With the new protocol version, userspace can exactly know which functionality is supported by the running kernel. Both the kernel and userspace is fully backward compatible.
* Support linking libipset to C++ programsJozsef Kadlecsik2015-03-181-0/+8
| | | | Issue reported by Pavel Odintsov.
* libipset: Add userspace code for the skbinfo extension support.Anton Danilov2014-09-141-2/+10
| | | | | | | | | Add userspace code to support of the skbinfo extension independly of set types. Defines constants, flag and function for print/parse/send/recieve of skbinfo parameters. Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: add userspace support for forceaddJosh Hunt2014-03-041-1/+3
| | | | | | | The userspace side of the forceadd changes. Signed-off-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add markmask for hash:ip,mark data typeVytas Dauksa2014-01-231-0/+2
| | | | | | | | | Introduce packet mark mask for hash:ip,mark data type. This allows to set mark bit filter for the ip set. Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add hash:ip,mark data type to ipsetVytas Dauksa2014-01-081-0/+2
| | | | | | | | | | | | | | | | Introduce packet mark support with new ip,mark hash set. This includes userspace and kernelspace code, hash:ip,mark set tests and man page updates. The intended use of ip,mark set is similar to the ip:port type, but for protocols which don't use a predictable port number. Instead of port number it matches a firewall mark determined by a layer 7 filtering program like opendpi. As well as allowing or blocking traffic it will also be used for accounting packets and bytes sent for each protocol. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix all set output from list/save when set with counters in use.Sergey Popovich2013-11-131-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Using upstream version with counters support we have following output when listing all sets currently configured: -------------------------------------------------- # ipset create test-1 hash:ip # ipset create test-2 hash:ip counters # ipset add test-2 192.0.2.1/32 # ipset create test-3 hash:ip # ipset add test-3 192.0.2.1/32 # ipset list Name: test-1 Type: hash:ip Revision: 2 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16504 References: 0 Members: Name: test-2 Type: hash:ip Revision: 2 Header: family inet hashsize 1024 maxelem 65536 counters Size in memory: 16616 References: 0 Members: 192.0.2.1 packets 0 bytes 0 Name: test-3 Type: hash:ip Revision: 2 Header: family inet hashsize 1024 maxelem 65536 counters Size in memory: 16520 References: 0 Members: 192.0.2.1 packets 0 bytes 0 Set test-3 created without counters, but displayed as with counters present. Restricting output to list only test-3 set we have: --------------------------------------------------- # ipset list test-3 Name: test-3 Type: hash:ip Revision: 2 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16520 References: 0 Members: 192.0.2.1 So test-3 set created correctly without counters support, but in all sets listing it displayed as such one with counters. It seems with commit 5a6021823aa0da24b83f8d03f46ad4202f149fa3 (Support counters in the ipset library) we fogot to add counter options flags to IPSET_CREATE_FLAGS and IPSET_ADT_FLAGS defines to clear these flags when preparing output in callback_list() from lib/session.c. v2: Remove IPSET_OPT_BYTES, IPSET_PAKETS from CREATE and IPSET_OPT_COUNTERS from ADT. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Support comments in the userspace library.Oliver Smith2013-09-231-2/+7
| | | | | | | | | This adds support to the userspace portion of ipset for handling ipsets with the comment extension enabled. The library revision has been raised accordingly. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support counters in the ipset libraryJozsef Kadlecsik2013-04-091-0/+3
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Coding style fixesJozsef Kadlecsik2012-09-111-1/+2
|
* Add more CC warning option to debug modeJozsef Kadlecsik2012-05-101-2/+2
|
* Suppress false syntax error messagesJozsef Kadlecsik2012-05-101-0/+1
| | | | | | If a create command fails at the kernel side, false syntax error was also reported due to the chicken and egg problem of the family option.
* Exceptions support added to hash:*net* typesJozsef Kadlecsik2012-01-131-1/+3
| | | | | | | | | | | | The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set.
* Whitespace and coding fixes detected by checkpatch.plJozsef Kadlecsik2011-05-311-8/+8
|
* hash:net,iface type introducedJozsef Kadlecsik2011-05-301-1/+5
| | | | | | | | | | The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1
* Support range for IPv4 at adding/deleting elements for hash:*net* typesJozsef Kadlecsik2011-05-151-0/+1
| | | | | | | | | | | | | | | | | | | The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30
* libipset: ipset_strncpy is really a strlcpy-type operationJan Engelhardt2010-12-191-1/+1
|
* ipset 5: last new feature addedv5.0-pre3Jozsef Kadlecsik2010-06-221-0/+2
| | | | | | | | | | | - the hash types can now store protocol together port, not only port - lots of fixes everywhere: parser, error reporting, manpage The last bits on the todo list before announcing ipset 5: - recheck all the error messages - add possibly more tests - polish manpage
* ipset 5 in an almost ready state - milestonev5.0-pre1Jozsef Kadlecsik2010-06-151-2/+9
| | | | | | | | | | | | Reworked protocol and internal interfaces, missing set types added, backward compatibility verified, lots of tests added (and thanks to the tests, bugs fixed), even the manpage is rewritten ;-). Countless changes everywhere... The missing bits before announcing ipset 5: - net namespace support - new iptables/ip6tables extension library - iptables/ip6tables match and target tests (backward/forward compatibility) - tests on catching syntax errors
* Fourth stage to ipset-5Jozsef Kadlecsik2010-04-221-0/+124
Add new userspace files: include/, lib/ and plus new files in src/.