summaryrefslogtreecommitdiffstats
path: root/include/libipset
Commit message (Collapse)AuthorAgeFilesLines
* Expose the initval hash parameter to userspaceJozsef Kadlecsik2020-09-214-1/+6
| | | | | | It makes possible to reproduce exactly the same set after a save/restore. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Add bucketsize parameter to all hash typesJozsef Kadlecsik2020-09-213-1/+5
| | | | | | | | | The parameter defines the upper limit in any hash bucket at adding new entries from userspace - if the limit would be exceeded, ipset doubles the hash size and rehashes. It means the set may consume more memory but gives faster evaluation at matching in the set. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500Thomas Gleixner2019-10-311-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Based on 2 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation # extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4122 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Enrico Weigelt <info@metux.net> Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Allison Randal <allison@lohutok.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* ipset: Add wildcard support to net,ifaceKristian Evensen2019-10-313-1/+6
| | | | | | | | | | | | | | | | | | | | | The net,iface equal functions currently compares the full interface names. In several cases, wildcard (or prefix) matching is useful. For example, when converting a large iptables rule-set to make use of ipset, I was able to significantly reduce the number of set elements by making use of wildcard matching. Wildcard matching is enabled by adding "wildcard" when adding an element to a set. Internally, this causes the IPSET_FLAG_IFACE_WILDCARD-flag to be set. When this flag is set, only the initial part of the interface name is used for comparison. Wildcard matching is done per element and not per set, as there are many cases where mixing wildcard and non-wildcard elements are useful. This means that is up to the user to handle (avoid) overlapping interface names. Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: update my email addressJozsef Kadlecsik2019-06-0517-17/+17
| | | | | | | | | It's better to use my kadlec@netfilter.org email address in the source code. I might not be able to use kadlec@blackhole.kfki.hu in the future. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add missing functions to libipset.mapJozsef Kadlecsik2018-11-281-4/+3
| | | | | Some new functions was not added to libipset.map at the previous release, fix it.
* Implement sorting for hash types in the ipset toolJozsef Kadlecsik2018-11-261-0/+104
| | | | | Support listing/saving with sorted entries for the hash types. (bitmap and list types are automatically sorted.)
* Introduction of new commands and protocol version 7Jozsef Kadlecsik2018-10-276-8/+16
| | | | | | | | | | | Two new commands (IPSET_CMD_GET_BYNAME, IPSET_CMD_GET_BYINDEX) are introduced. The new commands makes possible to eliminate the getsockopt operation (in iptables set/SET match/target) and thus use only netlink communication between userspace and kernel for ipset. With the new protocol version, userspace can exactly know which functionality is supported by the running kernel. Both the kernel and userspace is fully backward compatible.
* Prepare the ipset tool to handle multiple protocol versionsJozsef Kadlecsik2018-10-221-2/+3
| | | | | From now on the "version" command asks the kernel protocol version too and reports if the userspace - kernel protocols do not match.
* Fix warning message handlingJozsef Kadlecsik2018-10-223-10/+16
| | | | | Warning messages were not printed and handled properly, the patch fixes the issue.
* Library reworked to support embedding ipset completelyJozsef Kadlecsik2018-10-185-67/+119
| | | | | | | | | | | The ipset library is rewritten/extended to support embedding ipset, so that sets can fully be managed without calling the ipset binary. The ipset binary relies completely on the new library. The libipset.3 manpage was written about the library functions and usage. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix parsing service names for portsJozsef Kadlecsik2018-04-101-0/+1
| | | | | | Parsing is attempted both for numbers and service names and the temporary stored error message triggered to reset the state parameters about the set. Reported by Yuri D'Elia.
* build: do install libipset/args.hJan Engelhardt2018-01-231-0/+1
| | | | | | | | libipset/types.h includes args.h, therefore args.h must be installed too. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Userspace revision handling is reworkedJozsef Kadlecsik2018-01-022-3/+84
| | | | | | | | | | | In order to make it simpler and more straightforward to express the revisions of the set type, all keywords and their parsing are separated from the individual set types. All backward compatibility arguments are recognized and ignored arguments are supported. Recognized but ignored arguments will be removed in a later release.
* Fix the include guards on the include/libipset/linux_ip_set*.hJozsef Kadlecsik2017-09-144-12/+19
| | | | | | | The include guards did not prevent including the "same" userspace and kernel header files. Fixes bugzilla id #1139, reported and solution suggested by Quentin Armitage.
* Report if the option is supported by a newer kernel releaseJozsef Kadlecsik2017-09-111-0/+2
| | | | | Instead ot printing "Unknown argument: foo", if foo option is supported by a newer kernel release, report that.
* Fix __aligned_u64 compatibility support for older kernel releasesJozsef Kadlecsik2016-02-291-1/+1
| | | | The issue was reported by Mart Frauenlob.
* Update userspace header file from the kernel treeJozsef Kadlecsik2015-06-251-3/+8
|
* Add element count to all set types headerJozsef Kadlecsik2015-06-251-3/+0
| | | | | | It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types.
* Add element count to hash headersEric B Munson2015-06-191-0/+3
| | | | | | | | | | | | | | | | | | | | | | It would be useful for userspace to query the size of an ipset hash, however, this data is not exposed to userspace outside of counting the number of member entries. This patch uses the attribute IPSET_ATTR_ELEMENTS to indicate the size in the the header that is exported to userspace. This field is then printed by the userspace tool for hashes. Because it is only meaningful for hashes to report their size, the output is conditional on the set type. To do this checking the MATCH_TYPENAME macro was moved to utils.h. The bulk of this patch changes the expected test suite to account for the change in output. Signed-off-by: Eric B Munson <emunson@akamai.com> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Josh Hunt <johunt@akamai.com> Cc: netfilter-devel@vger.kernel.org Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support linking libipset to C++ programsJozsef Kadlecsik2015-03-1810-1/+80
| | | | Issue reported by Pavel Odintsov.
* styles warned by checkpatch.pl fixedJozsef Kadlecsik2014-11-181-1/+0
|
* Add script to check libipset.map for missing symbolsJozsef Kadlecsik2014-10-281-2/+0
|
* Support glibc < 2.9 (fixes bugzilla id #891)Jozsef Kadlecsik2014-09-231-0/+70
|
* libipset: Add userspace code for the skbinfo extension support.Anton Danilov2014-09-144-2/+34
| | | | | | | | | Add userspace code to support of the skbinfo extension independly of set types. Defines constants, flag and function for print/parse/send/recieve of skbinfo parameters. Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: add userspace support for forceaddJosh Hunt2014-03-042-3/+8
| | | | | | | The userspace side of the forceadd changes. Signed-off-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* kernel: uapi: fix MARKMASK attr ABI breakageFlorian Westphal2014-02-141-2/+2
| | | | | | | | | | | | | | commit 2dfb973c0dcc6d2211 (add markmask for hash:ip,mark data type) inserted IPSET_ATTR_MARKMASK in-between other enum values, i.e. changing values of all further attributes. This causes 'ipset list' segfault on existing kernels since ipset no longer finds IPSET_ATTR_MEMSIZE (it has a different value on kernel side). Jozsef points out it should be moved below IPSET_ATTR_MARK which works since there is some extra reserved space after that value. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Prepare the kernel for create option flags when no extension is neededJozsef Kadlecsik2014-02-131-0/+6
|
* add markmask for hash:ip,mark data typeVytas Dauksa2014-01-232-0/+4
| | | | | | | | | Introduce packet mark mask for hash:ip,mark data type. This allows to set mark bit filter for the ip set. Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add hash:ip,mark data type to ipsetVytas Dauksa2014-01-084-0/+8
| | | | | | | | | | | | | | | | Introduce packet mark support with new ip,mark hash set. This includes userspace and kernelspace code, hash:ip,mark set tests and man page updates. The intended use of ip,mark set is similar to the ip:port type, but for protocols which don't use a predictable port number. Instead of port number it matches a firewall mark determined by a layer 7 filtering program like opendpi. As well as allowing or blocking traffic it will also be used for accounting packets and bytes sent for each protocol. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix all set output from list/save when set with counters in use.Sergey Popovich2013-11-131-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Using upstream version with counters support we have following output when listing all sets currently configured: -------------------------------------------------- # ipset create test-1 hash:ip # ipset create test-2 hash:ip counters # ipset add test-2 192.0.2.1/32 # ipset create test-3 hash:ip # ipset add test-3 192.0.2.1/32 # ipset list Name: test-1 Type: hash:ip Revision: 2 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16504 References: 0 Members: Name: test-2 Type: hash:ip Revision: 2 Header: family inet hashsize 1024 maxelem 65536 counters Size in memory: 16616 References: 0 Members: 192.0.2.1 packets 0 bytes 0 Name: test-3 Type: hash:ip Revision: 2 Header: family inet hashsize 1024 maxelem 65536 counters Size in memory: 16520 References: 0 Members: 192.0.2.1 packets 0 bytes 0 Set test-3 created without counters, but displayed as with counters present. Restricting output to list only test-3 set we have: --------------------------------------------------- # ipset list test-3 Name: test-3 Type: hash:ip Revision: 2 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16520 References: 0 Members: 192.0.2.1 So test-3 set created correctly without counters support, but in all sets listing it displayed as such one with counters. It seems with commit 5a6021823aa0da24b83f8d03f46ad4202f149fa3 (Support counters in the ipset library) we fogot to add counter options flags to IPSET_CREATE_FLAGS and IPSET_ADT_FLAGS defines to clear these flags when preparing output in callback_list() from lib/session.c. v2: Remove IPSET_OPT_BYTES, IPSET_PAKETS from CREATE and IPSET_OPT_COUNTERS from ADT. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Support comments in the userspace library.Oliver Smith2013-09-234-2/+27
| | | | | | | | | This adds support to the userspace portion of ipset for handling ipsets with the comment extension enabled. The library revision has been raised accordingly. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add specifying protocol for bitmap:portQuentin Armitage2013-08-171-0/+2
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Change 2nd parameter type of ipset_parse_elemQuentin Armitage2013-08-011-1/+1
| | | | | | | | | The only place in ipset where ipset_parse_elem is called is src/ipset.c. The second parameter to the function call is type->last_elem_optional, which is of type bool, but ipset_parse_elem is defined in lib/parse.c with the second parameter having type enum ipset_opt. The use in lib/parse.c is clearly as a bool.
* Add sparse checking support to userspaceJozsef Kadlecsik2013-05-021-1/+1
|
* Support counters in the ipset libraryJozsef Kadlecsik2013-04-093-5/+38
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The uapi include split in the package itselfJozsef Kadlecsik2013-04-094-13/+42
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support to match elements marked with "nomatch" in hash:*net* setsJozsef Kadlecsik2012-09-211-0/+2
| | | | | | | | | | | | | | | Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ...
* Coding style fixesJozsef Kadlecsik2012-09-111-1/+2
|
* Help prints list type revision and terse descriptionJozsef Kadlecsik2012-09-101-0/+1
| | | | | In order to catch kernel/userspace revision mismatch, better print all available data.
* Fix errors when compiling in debug mode.Krunal Patel2012-08-311-0/+1
|
* Make sure IPPROTO_UDPLITE is definedJozsef Kadlecsik2012-08-311-0/+3
|
* The commandline parser was too permissive, make it more strictJozsef Kadlecsik2012-06-191-1/+3
| | | | | | The parser allowed more possible argument alternatives for command options than the documented one, which limited the possibility of other option names. The patch makes the parser more strict.
* Allow saving to/restoring from a file without shell redirectionJozsef Kadlecsik2012-05-231-0/+2
| | | | | | | | | Mathieu Bridon suggested that in some environments where there is no access to a full shell with input/output redirection, it'd be useful to read from/write to directly a file (bugzilla #788). The patch adds the new "-file" option to specify a filename to print into when listing/saving sets or read from when restoring sets.
* Add more CC warning option to debug modeJozsef Kadlecsik2012-05-101-2/+2
|
* Suppress false syntax error messagesJozsef Kadlecsik2012-05-101-0/+1
| | | | | | If a create command fails at the kernel side, false syntax error was also reported due to the chicken and egg problem of the family option.
* Add dynamic module support to ipset userspace toolNeutron Soutmun2012-05-101-0/+12
| | | | | | | | | | | | | The patch adds supporting dynamic modules for the set types to ipset userspace tool. The dynamic module support can be enabled by the --enable-settype-modules of "configure". The list of set types to be compiled as dynamic modules can be specified in the --with-settype-modules-list option. Example --enable-settype-modules \ --with-settype-modules-list="ipset_hash_ip ipset_hash_ipport" The keyword "all" can be used to compile all set types as dynamic modules.
* Move ipset_port_usage() into libNeutron Soutmun2012-05-061-0/+1
|
* Fix timeout value overflow bug at large timeout parametersJozsef Kadlecsik2012-05-041-0/+2
| | | | | Large timeout parameters could result wrong timeout values due to an overflow at msec to jiffies conversion (reported by Andreas Herz)
* Support hostnames and service names with dashJozsef Kadlecsik2012-01-141-0/+2
| | | | | | | | The square brackets are introduced as an escape mechanism to enter hostnames or service names with dash in order to avoid mixing up the dash in the name with the range notation. Problem reported by Stephen Hemminger and Marc Guardiola.
generated by cgit v1.2.3 (git 2.25.0) at 2024-11-14 22:00:03 +0000