path: root/include
Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* ipset: add userspace support for forceadd
  Author: Josh Hunt  |  Date: 2014-03-04  |  Files: 2  |  Lines: -3/+8

      The userspace side of the forceadd changes.

      Signed-off-by: Josh Hunt <johunt@akamai.com>
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* kernel: uapi: fix MARKMASK attr ABI breakage
  Author: Florian Westphal  |  Date: 2014-02-14  |  Files: 1  |  Lines: -2/+2

      commit 2dfb973c0dcc6d2211 (add markmask for hash:ip,mark data type)
      inserted IPSET_ATTR_MARKMASK in-between other enum values, i.e.
      changing values of all further attributes.

      This causes 'ipset list' segfault on existing kernels since ipset no
      longer finds IPSET_ATTR_MEMSIZE (it has a different value on kernel side).

      Jozsef points out it should be moved below IPSET_ATTR_MARK which works
      since there is some extra reserved space after that value.

      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Prepare the kernel for create option flags when no extension is needed
  Author: Jozsef Kadlecsik  |  Date: 2014-02-13  |  Files: 1  |  Lines: -0/+6

* add markmask for hash:ip,mark data type
  Author: Vytas Dauksa  |  Date: 2014-01-23  |  Files: 2  |  Lines: -0/+4

      Introduce packet mark mask for hash:ip,mark data type. This allows
      setting a mark bit filter for the ip set.

      Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* add hash:ip,mark data type to ipset
  Author: Vytas Dauksa  |  Date: 2014-01-08  |  Files: 4  |  Lines: -0/+8

      Introduce packet mark support with new ip,mark hash set. This includes
      userspace and kernelspace code, hash:ip,mark set tests and man page
      updates.

      The intended use of ip,mark set is similar to the ip:port type, but for
      protocols which don't use a predictable port number. Instead of port
      number it matches a firewall mark determined by a layer 7 filtering
      program like opendpi. As well as allowing or blocking traffic it will
      also be used for accounting packets and bytes sent for each protocol.

      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix all set output from list/save when set with counters in use.
  Author: Sergey Popovich  |  Date: 2013-11-13  |  Files: 1  |  Lines: -0/+3

      Using upstream version with counters support we have the following
      output when listing all sets currently configured:
      --------------------------------------------------
      # ipset create test-1 hash:ip
      # ipset create test-2 hash:ip counters
      # ipset add test-2 192.0.2.1/32
      # ipset create test-3 hash:ip
      # ipset add test-3 192.0.2.1/32
      # ipset list
      Name: test-1
      Type: hash:ip
      Revision: 2
      Header: family inet hashsize 1024 maxelem 65536
      Size in memory: 16504
      References: 0
      Members:

      Name: test-2
      Type: hash:ip
      Revision: 2
      Header: family inet hashsize 1024 maxelem 65536 counters
      Size in memory: 16616
      References: 0
      Members:
      192.0.2.1 packets 0 bytes 0

      Name: test-3
      Type: hash:ip
      Revision: 2
      Header: family inet hashsize 1024 maxelem 65536 counters
      Size in memory: 16520
      References: 0
      Members:
      192.0.2.1 packets 0 bytes 0

      Set test-3 created without counters, but displayed as with counters
      present.

      Restricting output to list only test-3 set we have:
      ---------------------------------------------------
      # ipset list test-3
      Name: test-3
      Type: hash:ip
      Revision: 2
      Header: family inet hashsize 1024 maxelem 65536
      Size in memory: 16520
      References: 0
      Members:
      192.0.2.1

      So test-3 set created correctly without counters support, but in all
      sets listing it displayed as such one with counters.

      It seems with commit 5a6021823aa0da24b83f8d03f46ad4202f149fa3 (Support
      counters in the ipset library) we forgot to add counter options flags
      to IPSET_CREATE_FLAGS and IPSET_ADT_FLAGS defines to clear these flags
      when preparing output in callback_list() from lib/session.c.

      v2: Remove IPSET_OPT_BYTES, IPSET_PAKETS from CREATE and
      IPSET_OPT_COUNTERS from ADT.

      Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Support comments in the userspace library.
  Author: Oliver Smith  |  Date: 2013-09-23  |  Files: 4  |  Lines: -2/+27

      This adds support to the userspace portion of ipset for handling ipsets
      with the comment extension enabled. The library revision has been raised
      accordingly.

      Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* Add specifying protocol for bitmap:port
  Author: Quentin Armitage  |  Date: 2013-08-17  |  Files: 1  |  Lines: -0/+2

      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* Change 2nd parameter type of ipset_parse_elem
  Author: Quentin Armitage  |  Date: 2013-08-01  |  Files: 1  |  Lines: -1/+1

      The only place in ipset where ipset_parse_elem is called is src/ipset.c.
      The second parameter to the function call is type->last_elem_optional,
      which is of type bool, but ipset_parse_elem is defined in lib/parse.c
      with the second parameter having type enum ipset_opt. The use in
      lib/parse.c is clearly as a bool.
* Add sparse checking support to userspace
  Author: Jozsef Kadlecsik  |  Date: 2013-05-02  |  Files: 1  |  Lines: -1/+1

* Support counters in the ipset library
  Author: Jozsef Kadlecsik  |  Date: 2013-04-09  |  Files: 3  |  Lines: -5/+38

      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* The uapi include split in the package itself
  Author: Jozsef Kadlecsik  |  Date: 2013-04-09  |  Files: 4  |  Lines: -13/+42

      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* Support to match elements marked with "nomatch" in hash:*net* sets
  Author: Jozsef Kadlecsik  |  Date: 2012-09-21  |  Files: 1  |  Lines: -0/+2

      Exceptions can now be matched and we can branch according to the
      possible cases:

        a. match in the set if the element is not flagged as "nomatch"
        b. match in the set if the element is flagged with "nomatch"
        c. no match

      i.e.

        iptables ... -m set --match-set ... -j ...
        iptables ... -m set --match-set ... --nomatch-entries -j ...
        ...
* Coding style fixes
  Author: Jozsef Kadlecsik  |  Date: 2012-09-11  |  Files: 1  |  Lines: -1/+2

* Help prints list type revision and terse description
  Author: Jozsef Kadlecsik  |  Date: 2012-09-10  |  Files: 1  |  Lines: -0/+1

      In order to catch kernel/userspace revision mismatch, better print all
      available data.

* Fix errors when compiling in debug mode.
  Author: Krunal Patel  |  Date: 2012-08-31  |  Files: 1  |  Lines: -0/+1
* Make sure IPPROTO_UDPLITE is defined
  Author: Jozsef Kadlecsik  |  Date: 2012-08-31  |  Files: 1  |  Lines: -0/+3

* The commandline parser was too permissive, make it more strict
  Author: Jozsef Kadlecsik  |  Date: 2012-06-19  |  Files: 1  |  Lines: -1/+3

      The parser allowed more possible argument alternatives for command
      options than the documented one, which limited the possibility of other
      option names. The patch makes the parser more strict.

* Allow saving to/restoring from a file without shell redirection
  Author: Jozsef Kadlecsik  |  Date: 2012-05-23  |  Files: 1  |  Lines: -0/+2

      Mathieu Bridon suggested that in some environments where there is no
      access to a full shell with input/output redirection, it'd be useful to
      read from/write to a file directly (bugzilla #788). The patch adds the
      new "-file" option to specify a filename to print into when
      listing/saving sets or read from when restoring sets.
* Add more CC warning option to debug mode
  Author: Jozsef Kadlecsik  |  Date: 2012-05-10  |  Files: 1  |  Lines: -2/+2

* Suppress false syntax error messages
  Author: Jozsef Kadlecsik  |  Date: 2012-05-10  |  Files: 1  |  Lines: -0/+1

      If a create command fails at the kernel side, a false syntax error was
      also reported due to the chicken and egg problem of the family option.

* Add dynamic module support to ipset userspace tool
  Author: Neutron Soutmun  |  Date: 2012-05-10  |  Files: 1  |  Lines: -0/+12

      The patch adds support for dynamic modules for the set types to the
      ipset userspace tool. The dynamic module support can be enabled by the
      --enable-settype-modules of "configure". The list of set types to be
      compiled as dynamic modules can be specified in the
      --with-settype-modules-list option.

      Example

        --enable-settype-modules \
        --with-settype-modules-list="ipset_hash_ip ipset_hash_ipport"

      The keyword "all" can be used to compile all set types as dynamic
      modules.
* Move ipset_port_usage() into lib
  Author: Neutron Soutmun  |  Date: 2012-05-06  |  Files: 1  |  Lines: -0/+1

* Fix timeout value overflow bug at large timeout parameters
  Author: Jozsef Kadlecsik  |  Date: 2012-05-04  |  Files: 1  |  Lines: -0/+2

      Large timeout parameters could result in wrong timeout values due to an
      overflow at msec to jiffies conversion (reported by Andreas Herz)
* Support hostnames and service names with dash
  Author: Jozsef Kadlecsik  |  Date: 2012-01-14  |  Files: 1  |  Lines: -0/+2

      The square brackets are introduced as an escape mechanism to enter
      hostnames or service names with dash in order to avoid mixing up the
      dash in the name with the range notation.

      Problem reported by Stephen Hemminger and Marc Guardiola.

* Exceptions support added to hash:*net* types
  Author: Jozsef Kadlecsik  |  Date: 2012-01-13  |  Files: 2  |  Lines: -1/+7

      The "nomatch" keyword and option is added to the hash:*net* types, by
      which one can add exception entries to sets. Example:

        ipset create test hash:net
        ipset add test 192.168.0/24
        ipset add test 192.168.0/30 nomatch

      In this case the IP addresses from 192.168.0/24 except 192.168.0/30
      match the elements of the set.

* Set types moved into libipset library
  Author: Jozsef Kadlecsik  |  Date: 2012-01-05  |  Files: 1  |  Lines: -0/+1

      The libipset library is complete by this step, and "ipset" is just a CLI
      interface based on the lib.
* build: install libipset in the right place
  Author: Jan Engelhardt  |  Date: 2012-01-04  |  Files: 1  |  Lines: -0/+1

      The .c files used to build the plugins for ipset all use
      #include <libipset/...>, so the files we install should preferably also
      be in a directory called "libipset" rather than just "ipset".

      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* build: make distcheck work and use POSIX mode for tarball generation
  Author: Jan Engelhardt  |  Date: 2011-12-23  |  Files: 1  |  Lines: -0/+2

      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* build: install libipset/linux_ip_set_list.h
  Author: Jan Engelhardt  |  Date: 2011-12-23  |  Files: 1  |  Lines: -0/+1

      The other linux_ip_set*.h files are shipped, so this one probably
      should too.

      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* build: include libipset/nfproto.h
  Author: Jan Engelhardt  |  Date: 2011-12-23  |  Files: 1  |  Lines: -0/+1

      libipset/types.h, which is installed by default, requires nfproto.h.

      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

* build: process include/libipset/
  Author: Jan Engelhardt  |  Date: 2011-12-23  |  Files: 2  |  Lines: -3/+1

      We need to visit that directory, otherwise `make install` is incomplete
      and `make distcheck` fails.

      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: use NFPROTO_ constants
  Author: Jan Engelhardt  |  Date: 2011-08-31  |  Files: 2  |  Lines: -6/+28

      ipset is actually using NFPROTO values rather than AF (xt_set passes
      that along).

* Propagate "expose userspace-relevant parts in ip_set.h" to ipset source
  Author: Jozsef Kadlecsik  |  Date: 2011-08-31  |  Files: 2  |  Lines: -8/+31

      With the header file restructuring, the ipset userspace enums
      IPSET_DIM_* clash with the kernel ones. In this patch the userspace is
      converted to use the kernel part enums and thus we got rid of userspace
      enums IPSET_DIM_*.

* Whitespace and coding fixes detected by checkpatch.pl
  Author: Jozsef Kadlecsik  |  Date: 2011-05-31  |  Files: 15  |  Lines: -79/+84
* hash:net,iface type introduced
  Author: Jozsef Kadlecsik  |  Date: 2011-05-30  |  Files: 4  |  Lines: -3/+15

      The hash:net,iface type makes it possible to store network address and
      interface name pairs in a set. It's mostly suitable for egress and
      ingress filtering. Examples:

        # ipset create test hash:net,iface
        # ipset add test 192.168.0.0/16,eth0
        # ipset add test 192.168.0.0/24,eth1

* Protocol-level debugging support added
  Author: Jozsef Kadlecsik  |  Date: 2011-05-24  |  Files: 1  |  Lines: -0/+2

* Support range for IPv4 at adding/deleting elements for hash:*net* types
  Author: Jozsef Kadlecsik  |  Date: 2011-05-15  |  Files: 4  |  Lines: -1/+9

      The range internally is converted to the network(s) equal to the range.
      Example:

        # ipset new test hash:net
        # ipset add test 10.2.0.0-10.2.1.12
        # ipset list test
        Name: test
        Type: hash:net
        Header: family inet hashsize 1024 maxelem 65536
        Size in memory: 16888
        References: 0
        Members:
        10.2.1.12
        10.2.1.0/29
        10.2.0.0/24
        10.2.1.8/30

* Support listing setnames and headers too
  Author: Jozsef Kadlecsik  |  Date: 2011-04-18  |  Files: 2  |  Lines: -0/+8

      Current listing makes it possible to list sets with full content only.
      The patch adds support for partial listings, i.e. listing just the
      existing setnames or listing set headers, without set members.
* ipset: pass ipset_arg argument pointer
  Author: Holger Eitzenberger  |  Date: 2011-02-01  |  Files: 1  |  Lines: -2/+3

      Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>

* Separate ipset errnos completely from system ones and bump protocol version.
  Author: Jozsef Kadlecsik  |  Date: 2011-01-31  |  Files: 1  |  Lines: -4/+4

* ipset: turn Set name[] into a const pointer
  Author: Holger Eitzenberger  |  Date: 2011-01-25  |  Files: 1  |  Lines: -1/+1

      Also check for the name length.

      Note that passing errno values back is not done consistently at various
      places, as there are some functions which set errno manually, others
      pass -errno back. I use the -errno approach here, as it is slightly
      shorter.

      Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix build with NDEBUG defined
  Author: Jozsef Kadlecsik  |  Date: 2011-01-18  |  Files: 1  |  Lines: -0/+5

      The usage of the gcc option -Wunused-parameter interferes badly with
      the assert() macros. In case -DNDEBUG is specified build fails with:

        cc1: warnings being treated as errors
        print.c: In function 'ipset_print_family':
        print.c:92: error: unused parameter 'opt'
        print.c: In function 'ipset_print_port':
        print.c:413: error: unused parameter 'opt'
        print.c: In function 'ipset_print_proto':

      Fix it by taking into account NDEBUG in the function arguments.

      Bug reported by Holger Eitzenberger.

* Show correct line numbers in restore output for parser errors
  Author: Jozsef Kadlecsik  |  Date: 2011-01-18  |  Files: 1  |  Lines: -0/+1

      Parser errors are reported by a wrong lineno at restore, bug reported
      by Holger Eitzenberger:

        create foo6 hash:ip hashsize 64 family inet6
        add foo6 20a1:1234:5678::/64
        add foo6 20a1:1234:5679::/64

      you get:

        ipset v5.2: Error in line 1: Syntax error: plain IP address must be supplied: 20a1:1234:5678::/64

      Should be line 2 though. The solution is to set the session lineno
      before parsing.
* libipset: ipset_strncpy is really a strlcpy-type operation
  Author: Jan Engelhardt  |  Date: 2010-12-19  |  Files: 1  |  Lines: -1/+1

* Add ipset_parse_tcpudp_port function
  Author: Jozsef Kadlecsik  |  Date: 2010-12-17  |  Files: 1  |  Lines: -0/+3

      Add new parser function to parse TCP/UDP port name, number, or range
      of them.

* Buffered commands are just ... buffered.
  Author: Jozsef Kadlecsik  |  Date: 2010-12-13  |  Files: 1  |  Lines: -8/+0

      Calculate the free buffer size when adding the existing attributes at
      the buffered commands. If the buffer is full, cancel the unfinished
      nested attribute and commit the previously buffered commands. Then
      restart with the current buffered command. Thus we can get rid of the
      ugly maxsize parameter of the set types.

* Support case-insensitive ICMP and ICMPv6 type/code names.
  Author: Jozsef Kadlecsik  |  Date: 2010-12-10  |  Files: 1  |  Lines: -0/+2

* Remove command MODIFY
  Author: Jozsef Kadlecsik  |  Date: 2010-12-07  |  Files: 1  |  Lines: -19/+18

      Modifying a set can be performed by save/modify/restore/swap, without
      adding kernel part support.

* The protocol extended with the command MODIFY.
  Author: Jozsef Kadlecsik  |  Date: 2010-11-05  |  Files: 1  |  Lines: -18/+19

      The command is not used yet, but better to reserve it already.