Reported-by: David Laight <David.Laight@ACULAB.COM>
The new revision of the set match supports matching the counters
and suppressing the update of the counters at matching too.
At the set:list types, the updating of the subcounters can be
suppressed as well.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Introduce extensions to elements in the core and prepare timeout as
the first one.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Unfortunately not everything could be moved there; there are still
compatibility ifdefs in some other files.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Exceptions can now be matched and we can branch according to the
possible cases:
a. match in the set if the element is not flagged as "nomatch"
b. match in the set if the element is flagged with "nomatch"
c. no match
i.e.
iptables ... -m set --match-set ... -j ...
iptables ... -m set --match-set ... --nomatch-entries -j ...
...
Use of "unsigned int" is preferred to bare "unsigned" in net tree.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
These macros contain a hidden goto, and are thus extremely error
prone and make code hard to audit.
Signed-off-by: David S. Miller <davem@davemloft.net>
The "nomatch" keyword and option is added to the hash:*net* types,
by which one can add exception entries to sets. Example:
ipset create test hash:net
ipset add test 192.168.0/24
ipset add test 192.168.0/30 nomatch
In this case the IP addresses from 192.168.0/24 except 192.168.0/30
match the elements of the set.
ipset is actually using NFPROTO values rather than AF (xt_set passes
that along).
iptables's libxt_SET.c depends on these.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
The hash:net,iface type makes it possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:
# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1
With the change the sets can use any parameter available for the match
and target extensions, like input/output interface. It's required for
the hash:net,iface set type.
The range internally is converted to the network(s) equal to the range.
Example:
# ipset new test hash:net
# ipset add test 10.2.0.0-10.2.1.12
# ipset list test
Name: test
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
10.2.1.12
10.2.1.0/29
10.2.0.0/24
10.2.1.8/30
A set type may have multiple revisions, for example when syntax is extended.
Support continuous revision ranges in set types.
When ranges are added to hash types, the elements may trigger rehashing the set.
However, the last successfully added element was not kept track of, so the adding
started again with the first element after the rehashing. Bug reported by Mr Dash Four.
Current listing makes it possible to list sets with full content only.
The patch adds support for partial listings, i.e. listing just
the existing setnames or listing set headers, without set members.
The support makes it possible to specify the timeout value for
the SET target and a flag to reset the timeout for already existing
entries.
When an element is added to a set with timeout, one can change the timeout
by "readding" the element with the "-exist" flag. That means the timeout
value is reset to the specified one (or to the default from the set
specification if the "timeout n" option is not used). Example:
ipset add foo 1.2.3.4 timeout 10
ipset add foo 1.2.3.4 timeout 600 -exist
The timeout variant of the list:set type must reference the member sets.
However, its garbage collector runs at timer interrupt so the mutex protection
of the references is a no go. Therefore the reference protection
is converted to rwlock.
The type specific attribute validation can be moved to the ipset core.
That way it's done centrally and thus can be eliminated from the individual
set types (suggested by Patrick McHardy).
Use vzalloc() if kernel version supports it. (Eric Dumazet, Patrick McHardy)
While holding the nfnl_mutex, module loading is not allowed.
Bug spotted by Patrick McHardy in his reviewing.
Allow only network-order data, with NLA_F_NET_BYTEORDER flag.
Sanity checks are also added to prevent processing broken messages
where mandatory attributes are missing. (Patrick McHardy's review)
Annotated types are introduced and sparse warnings fixed.
Two warnings remained in ip_set_core.c but those are false ones.
(Patrick McHardy's review)
The functions are too large to be inlined, so move them into the core.
Also, fix the unnecessary initializations in ip_set_get_ipaddr*.
(Patrick McHardy's review)
These macros can be useful in general (Patrick McHardy's review)
Separate prefixlens from ip_set core for better readability and honoring
the independence.
Also, comment that prefixlens were borrowed from Jan Engelhardt.
It makes no sense to mix these two. Either it is
writable-plus-read-mostly, or it is constant.
Where the argument was used, the set lock was already activated, therefore
the argument value was always GFP_ATOMIC.
Separate the ipset header files from netfilter header files.