summaryrefslogtreecommitdiffstats
path: root/kernel/net/netfilter
Commit message (Collapse)AuthorAgeFilesLines
* Alignment problem between 64bit kernel 32bit userspaceJozsef Kadlecsik2014-11-031-3/+70
| | | | | | | | | | | | | | | | Sven-Haegar Koch reported the issue: sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT iptables: Invalid argument. Run `dmesg' for more information. In syslog: x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32 which was introduced by the counter extension in ipset. The patch fixes the alignment issue with introducing a new set match revision with the fixed underlying 'struct ip_set_counter_match' structure.
* netfilter: ipset: off by one in ip_set_nfnl_get_byindex()Dan Carpenter2014-10-211-1/+1
| | | | | | | | The ->ip_set_list[] array is initialized in ip_set_net_init() and it has ->ip_set_max elements so this check should be >= instead of > otherwise we are off by one. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Support updating extensions when the set is fullJozsef Kadlecsik2014-09-231-23/+17
| | | | | | When the set was full (hash type and maxelem reached), it was not possible to update the extension part of already existing elements. The patch removes this limitation. (Fixes netfilter bugzilla id 880.)
* hash:mac type added to ipsetJozsef Kadlecsik2014-09-154-2/+193
|
* netfilter: Convert pr_warning to pr_warnJoe Perches2014-09-143-42/+35
| | | | | | | | | | | | Use the more common pr_warn. Other miscellanea: o Coalesce formats o Realign arguments Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Add skbinfo extension support to SET target.Anton Danilov2014-09-141-12/+181
| | | | | Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Add skbinfo extension kernel support for the list set type.Anton Danilov2014-09-081-2/+17
| | | | | | | | Add skbinfo extension kernel support for the list set type. Introduce the new revision of the list set type. Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Add skbinfo extension kernel support for the hash set types.Anton Danilov2014-09-0811-25/+130
| | | | | | | | Add skbinfo extension kernel support for the hash set types. Inroduce the new revisions of all hash set types. Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Add skbinfo extension kernel support for the bitmap set types.Anton Danilov2014-09-084-6/+31
| | | | | | | | Add skbinfo extension kernel support for the bitmap set types. Inroduce the new revisions of bitmap_ip, bitmap_ipmac and bitmap_port set types. Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Add skbinfo extension kernel support in the ipset core.Anton Danilov2014-09-081-1/+26
| | | | | | | | | | | Skbinfo extension provides mapping of metainformation with lookup in the ipset tables. This patch defines the flags, the constants, the functions and the structures for the data type independent support of the extension. Note the firewall mark stores in the kernel structures as two 32bit values, but transfered through netlink as one 64bit value. Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix static checker warning in ip_set_core.cJozsef Kadlecsik2014-09-011-1/+2
| | | | | | | | | Dan Carpenter reported the following static checker warning: net/netfilter/ipset/ip_set_core.c:1414 call_ad() error: 'nlh->nlmsg_len' from user is not capped properly The payload size is limited now by the max size of size_t.
* Fix warn: integer overflows 'sizeof(*map) + size * set->dsize'Jozsef Kadlecsik2014-08-051-1/+3
| | | | | | | | | Dan Carpenter reported that the static checker emits the warning net/netfilter/ipset/ip_set_list_set.c:600 init_list_set() warn: integer overflows 'sizeof(*map) + size * set->dsize' Limit the maximal number of elements in list type of sets.
* net/netfilter/ipset: Resolve missing-field-initializer warningsMark Rustad2014-08-056-18/+18
| | | | | | | | | Resolve missing-field-initializer warnings by providing a directed initializer. Signed-off-by: Mark Rustad <mark.d.rustad@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netnet,netportnet: Fix value range support for IPv4Sergey Popovich2014-05-062-8/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ranges of values are broken with hash:net,net and hash:net,port,net. hash:net,net ============ # ipset create test-nn hash:net,net # ipset add test-nn 10.0.10.1-10.0.10.127,10.0.0.0/8 # ipset list test-nn Name: test-nn Type: hash:net,net Revision: 0 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16960 References: 0 Members: 10.0.10.1,10.0.0.0/8 # ipset test test-nn 10.0.10.65,10.0.0.1 10.0.10.65,10.0.0.1 is NOT in set test-nn. # ipset test test-nn 10.0.10.1,10.0.0.1 10.0.10.1,10.0.0.1 is in set test-nn. hash:net,port,net ================= # ipset create test-npn hash:net,port,net # ipset add test-npn 10.0.10.1-10.0.10.127,tcp:80,10.0.0.0/8 # ipset list test-npn Name: test-npn Type: hash:net,port,net Revision: 0 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 17344 References: 0 Members: 10.0.10.8/29,tcp:80,10.0.0.0 10.0.10.16/28,tcp:80,10.0.0.0 10.0.10.2/31,tcp:80,10.0.0.0 10.0.10.64/26,tcp:80,10.0.0.0 10.0.10.32/27,tcp:80,10.0.0.0 10.0.10.4/30,tcp:80,10.0.0.0 10.0.10.1,tcp:80,10.0.0.0 # ipset list test-npn # ipset test test-npn 10.0.10.126,tcp:80,10.0.0.2 10.0.10.126,tcp:80,10.0.0.2 is NOT in set test-npn. # ipset test test-npn 10.0.10.126,tcp:80,10.0.0.0 10.0.10.126,tcp:80,10.0.0.0 is in set test-npn. # ipset create test-npn hash:net,port,net # ipset add test-npn 10.0.10.0/24,tcp:80-81,10.0.0.0/8 # ipset list test-npn Name: test-npn Type: hash:net,port,net Revision: 0 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 17024 References: 0 Members: 10.0.10.0,tcp:80,10.0.0.0 10.0.10.0,tcp:81,10.0.0.0 # ipset test test-npn 10.0.10.126,tcp:80,10.0.0.0 10.0.10.126,tcp:80,10.0.0.0 is NOT in set test-npn. # ipset test test-npn 10.0.10.0,tcp:80,10.0.0.0 10.0.10.0,tcp:80,10.0.0.0 is in set test-npn. Correctly setup from..to variables where no IPSET_ATTR_IP_TO{,2} attribute is given, so in range processing loop we construct proper cidr value. Check whenever we have no ranges and can short cut in hash:net,net properly. Use unlikely() where appropriate, to comply with other modules. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Removed invalid IPSET_ATTR_MARKMASK validationVytas Dauksa2014-04-071-1/+1
| | | | | | | | | Markmask is an u32, hence it can't be greater then 4294967295 ( i.e. 0xffffffff ). This was causing smatch warning: net/netfilter/ipset/ip_set_hash_gen.h:1084 hash_ipmark_create() warn: impossible condition '(markmask > 4294967295) => (0-u32max > u32max)' Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ip_set: rename nfnl_dereference()/nfnl_set()Patrick McHardy2014-03-071-23/+23
| | | | | | | | | | The next patch will introduce a nfnl_dereference() macro that actually checks that the appropriate mutex is held and therefore needs a subsystem argument. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: add forceadd kernel support for hash set typesJosh Hunt2014-03-0412-10/+32
| | | | | | | | | | | | | | | | | | Adds a new property for hash set types, where if a set is created with the 'forceadd' option and the set becomes full the next addition to the set may succeed and evict a random entry from the set. To keep overhead low eviction is done very simply. It checks to see which bucket the new entry would be added. If the bucket's pos value is non-zero (meaning there's at least one entry in the bucket) it replaces the first entry in the bucket. If pos is zero, then it continues down the normal add process. This property is useful if you have a set for 'ban' lists where it may not matter if you release some entries from the set early. Signed-off-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: move registration message to init from net_initIlia Mirkin2014-02-161-1/+1
| | | | | | | | | Commit 1785e8f473 ("netfiler: ipset: Add net namespace for ipset") moved the initialization print into net_init, which can get called a lot due to namespaces. Move it back into init, reduce to pr_info. Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add markmask for hash:ip,mark data typeVytas Dauksa2014-01-232-0/+40
| | | | | | | | | Introduce packet mark mask for hash:ip,mark data type. This allows to set mark bit filter for the ip set. Change-Id: Id8dd9ca7e64477c4f7b022a1d9c1a5b187f1c96e Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* add hash:ip,mark data type to ipsetVytas Dauksa2014-01-083-1/+322
| | | | | | | | | | | | | | | | Introduce packet mark support with new ip,mark hash set. This includes userspace and kernelspace code, hash:ip,mark set tests and man page updates. The intended use of ip,mark set is similar to the ip:port type, but for protocols which don't use a predictable port number. Instead of port number it matches a firewall mark determined by a layer 7 filtering program like opendpi. As well as allowing or blocking traffic it will also be used for accounting packets and bytes sent for each protocol. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: remove unused codeStephen Hemminger2014-01-071-28/+0
| | | | | | | Function never used in current upstream code. Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Add hash: fix coccinelle warningsFengguang Wu2013-12-271-4/+4
| | | | | | | | | | | net/netfilter/ipset/ip_set_hash_netnet.c:115:8-9: WARNING: return of 0/1 in function 'hash_netnet4_data_list' with return type bool /c/kernel-tests/src/cocci/net/netfilter/ipset/ip_set_hash_netnet.c:338:8-9: WARNING: return of 0/1 in function 'hash_netnet6_data_list' with return type bool Return statements in functions returning bool should use true/false instead of 1/0. Generated by: coccinelle/misc/boolreturn.cocci Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
* Typo in ip_set_hash_netnet.c fixedDavid Binderman2013-12-031-1/+1
| | | | | | | | | | | | I just ran the static analyser "cppcheck" over the source code of linux-3.13-rc1. It said [linux-3.13-rc1/net/netfilter/ipset/ip_set_hash_netnet.c:62] -> [linux-3.13-rc1/net/net filter/ipset/ip_set_hash_netnet.c:62]: (style) Same expression on both sides of '=='. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* net ipset: use rbtree postorder iteration instead of opencodingCody P Schafer2013-11-131-0/+9
| | | | | | | | Use rbtree_postorder_for_each_entry_safe() to destroy the rbtree instead of opencoding an alternate postorder iteration that modifies the tree Signed-off-by: Cody P Schafer <cody@linux.vnet.ibm.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Follow manual page behavior for SET target on list:setSergey Popovich2013-11-111-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ipset(8) for list:set says: The match will try to find a matching entry in the sets and the target will try to add an entry to the first set to which it can be added. However real behavior is bit differ from described. Consider example: # ipset create test-1-v4 hash:ip family inet # ipset create test-1-v6 hash:ip family inet6 # ipset create test-1 list:set # ipset add test-1 test-1-v4 # ipset add test-1 test-1-v6 # iptables -A INPUT -p tcp --destination-port 25 -j SET --add-set test-1 src # ip6tables -A INPUT -p tcp --destination-port 25 -j SET --add-set test-1 src And then when iptables/ip6tables rule matches packet IPSET target tries to add src from packet to the list:set test-1 where first entry is test-1-v4 and the second one is test-1-v6. For IPv4, as it first entry in test-1 src added to test-1-v4 correctly, but for IPv6 src not added! Placing test-1-v6 to the first element of list:set makes behavior correct for IPv6, but brokes for IPv4. This is due to result, returned from ip_set_add() and ip_set_del() from net/netfilter/ipset/ip_set_core.c when set in list:set equires more parameters than given or address families do not match (which is this case). It seems wrong returning 0 from ip_set_add() and ip_set_del() in this case, as 0 should be returned only when an element successfuly added/deleted to/from the set, contrary to ip_set_test() which returns 0 when no entry exists and >0 when entry found in set. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: remove duplicate defineMichael Opdenacker2013-10-271-1/+0
| | | | | | | This patch removes a duplicate define from net/netfilter/ipset/ip_set_hash_gen.h Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com>
* net->user_ns is available starting from 3.8, add compatibility checkingJozsef Kadlecsik2013-10-271-0/+4
| | | | Reported by Jan Engelhardt
* Fix memory allocation for bitmap:portJozsef Kadlecsik2013-10-181-1/+1
| | | | | | | | At the restructuring of the bitmap types creation in ipset, for the bitmap:port type wrong (too large) memory allocation was copied (netfilter bugzilla id #859). Reported-by: Quentin Armitage <quentin@armitage.org.uk>
* Avoid clashing with configured kernel in [CONFIG_]IP_SET_MAXJozsef Kadlecsik2013-10-081-1/+1
|
* The unnamed union initialization may lead to compilation errorJozsef Kadlecsik2013-10-082-24/+20
| | | | | | | | | | | | The unnamed union should be possible to be initialized directly, but unfortunately it's not so: /usr/src/ipset/kernel/net/netfilter/ipset/ip_set_hash_netnet.c: In function ?hash_netnet4_kadt?: /usr/src/ipset/kernel/net/netfilter/ipset/ip_set_hash_netnet.c:141: error: unknown field ?cidr? specified in initializer Reported-by: Husnu Demir <hdemir@metu.edu.tr>
* Compatibility code is modified not to rely on kernel version numbersJozsef Kadlecsik2013-10-024-28/+66
| | | | | | | Instead the kernel source code is checked to verify the different compatibility issues for the supported kernel releases. This way hopefully backported features will be handled properly.
* Use netlink callback dump args onlyJozsef Kadlecsik2013-10-024-54/+58
| | | | | Instead of cb->data, use callback dump args only and introduce symbolic names instead of plain numbers at accessing the argument members.
* netfilter: ipset: Add hash:net,port,net module to kernel.Oliver Smith2013-09-303-1/+598
| | | | | | | | | This adds a new set that provides similar functionality to ip,port,net but permits arbitrary size subnets for both the first and last parameter. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset: Add net namespace for ipsetVitaly Lavrov2013-09-287-138/+232
| | | | | | | | | | | | | | | | This patch adds netns support for ipset. Major changes were made in ip_set_core.c and ip_set.h. Global variables are moved to per net namespace. Added initialization code and the destruction of the network namespace ipset subsystem. In the prototypes of public functions ip_set_* added parameter "struct net*". The remaining corrections related to the change prototypes of public functions ip_set_*. The patch for git://git.netfilter.org/ipset.git commit 6a4ec96c0b8caac5c35474e40e319704d92ca347 Signed-off-by: Vitaly Lavrov <lve@guap.ru> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Use a common function at listing the extensions of the elementsJozsef Kadlecsik2013-09-254-50/+12
|
* For set:list types, replaced elements must be zeroed outJozsef Kadlecsik2013-09-231-1/+3
| | | | | The new extensions require zero initialization for the new element to be added into a slot from where another element was pushed away.
* Fix hash resizing with commentsJozsef Kadlecsik2013-09-231-5/+5
| | | | | The destroy function must take into account that resizing doesn't create new extensions so those cannot be destroyed at resize.
* netfilter: ipset: Support comments in the list-type ipset.Oliver Smith2013-09-231-6/+12
| | | | | | | | This provides kernel support for creating list ipsets with the comment annotation extension. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Support comments in bitmap-type ipsets.Oliver Smith2013-09-234-9/+17
| | | | | | | | | | | | | | This provides kernel support for creating bitmap ipsets with comment support. As is the case for hashes, this incurs a penalty when flushing or destroying the entire ipset as the entries must first be walked in order to free the comment strings. This penalty is of course far less than the cost of listing an ipset to userspace. Any set created without support for comments will be flushed/destroyed as before. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Support comments in hash-type ipsets.Oliver Smith2013-09-239-13/+30
| | | | | | | | | | | | | This provides kernel support for creating ipsets with comment support. This does incur a penalty to flushing/destroying an ipset since all entries are walked in order to free the allocated strings, this penalty is of course less expensive than the operation of listing an ipset to userspace, so for general-purpose usage the overall impact is expected to be little to none. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Support comments for ipset entries in the core.Oliver Smith2013-09-231-0/+14
| | | | | | | | | | | | | This adds the core support for having comments on ipset entries. The comments are stored as standard null-terminated strings in dynamically allocated memory after being passed to the kernel. As a result of this, code has been added to the generic destroy function to iterate all extensions and call that extension's destroy task if the set has that extension activated, and if such a task is defined. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Add hash:net,net module to kernel.Oliver Smith2013-09-204-9/+541
| | | | | | | | | | This adds a new set that provides the ability to configure pairs of subnets. A small amount of additional handling code has been added to the generic hash header file - this code is conditionally activated by a preprocessor definition. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Kconfig: ipset needs NETFILTER_NETLINKJozsef Kadlecsik2013-09-171-1/+1
| | | | | NETFILTER_NETLINK is not selectable in recent kernels, check and warn if not enabled indirectly.
* netfilter: ipset: Fix serious failure in CIDR trackingOliver Smith2013-09-151-10/+14
| | | | | | | | | | | | | | | | | | | | | | | | | This fixes a serious bug affecting all hash types with a net element - specifically, if a CIDR value is deleted such that none of the same size exist any more, all larger (less-specific) values will then fail to match. Adding back any prefix with a CIDR equal to or more specific than the one deleted will fix it. Steps to reproduce: ipset -N test hash:net ipset -A test 1.1.0.0/16 ipset -A test 2.2.2.0/24 ipset -T test 1.1.1.1 #1.1.1.1 IS in set ipset -D test 2.2.2.0/24 ipset -T test 1.1.1.1 #1.1.1.1 IS NOT in set This is due to the fact that the nets counter was unconditionally decremented prior to the iteration that shifts up the entries. Now, we first check if there is a proceeding entry and if not, decrement it and return. Otherwise, we proceed to iterate and then zero the last element, which, in most cases, will already be zero. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* list:set: make sure all elements are checked by the gcJozsef Kadlecsik2013-09-091-2/+5
| | | | | When an element timed out, the next one was skipped by the garbage collector, fixed.
* Support extensions which need a per data destroy functionJozsef Kadlecsik2013-09-093-38/+90
|
* Generalize extensions supportJozsef Kadlecsik2013-09-0713-749/+105
| | | | | Get rid of the structure based extensions and introduce a blob for the extensions. Thus we can support more extension types easily.
* Move extension data to set structureJozsef Kadlecsik2013-09-0713-278/+244
| | | | | | Default timeout and extension offsets are moved to struct set, because all set types supports all extensions and it makes possible to generalize extension support.
* Rename extension offset ids to extension idsJozsef Kadlecsik2013-09-066-35/+35
|
* Prepare ipset to support multiple networks for hash typesJozsef Kadlecsik2013-09-045-44/+46
| | | | | | In order to support hash:net,net, hash:net,port,net etc. types, arrays are introduced for the book-keeping of existing cidr sizes and network numbers in a set.