| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
| |
- the timeout value was actually not set
- the garbage collector was broken
The variant is fixed, the tests to the testsuite are added.
|
| |
|
|
|
|
| |
Revision reporting got broken by the revision checking patch, fixed.
|
|
|
|
| |
SCTP and UDPLITE port support added to the hash:*port* types.
|
|
|
|
|
|
| |
The revision number was not checked at the create command: if the userspace
sent a valid set type but with not supported revision number, it'd create
a loop.
|
|
|
|
|
|
| |
The hash:ip,port* types with IPv4 silently ignored when address ranges
with non TCP/UDP were added/deleted from the set and the first address from
the range was only used.
|
|
|
|
|
|
|
| |
net/netfilter/ipset/ip_set_core.c:615: warning: ?clash? may be used uninitialized in this function
Signed-off-by: shanw <shanw@shanw-desktop.(none)>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
| |
The kernel/ subdirectory is reorganized to follow the kernel directory
structure.
|
|
|
|
|
|
|
|
|
| |
Add some #ifdefs to unconditionally return false in
ip_set_get_ip6_port() when CONFIG_IPV6=n and convert
to ipv6_skip_exthdr() to avoid pulling in the ip6_tables
module when loading ipset.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
| |
When a message carries multiple commands and one of them triggers
an error, we have to report to the userspace which one was that.
The line number of the command plays this role and there's an attribute
reserved in the header part of the message to be filled out with the error
line number. In order not to modify the original message received from
the userspace, we construct a new, complete netlink error message and
modifies the attribute there, then send it.
Netlink is notified not to send its ACK/error message.
|
|
|
|
|
|
|
|
| |
Don't fall through in the switch statement, otherwise IPv4 headers
are incorrectly parsed again as IPv6 and the return value will always
be 'false'.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
| |
None of the set types need uaccess.h since this is handled centrally
in ip_set_core. Most set types additionally don't need bitops.h and
spinlock.h since they use neither. tcp.h is only needed by those
using before(), udp.h is not needed at all.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Replace calls of the form:
nla_parse(tb, ATTR_MAX, nla_data(attr), nla_len(attr), policy)
by:
nla_parse_nested(tb, ATTR_MAX, attr, policy)
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Use flavour-specific ADT functions and use shared ones for all
other type functions (Patrick McHardy's review)
|
|
|
|
|
| |
Use flavour-specific ADT functions and use shared ones for all
other type functions (Patrick McHardy's review)
|
|
|
|
|
|
| |
The type specific attribute validation can be moved to the ipset core.
That way it's done centrally and thus can be eliminated from the individual
set types (suggested by Patrick McHardy).
|
|
|
|
| |
Use vzalloc() if kernel version supports it. (Eric Dumazet, Patrick McHardy)
|
|
|
|
| |
Old cryptic error messages are not useful (Patrick McHardy's review)
|
|
|
|
|
|
| |
Attribute is const so a little bit more work is needed to return
the error line number. A test is also added in order to check
the functionality. (Patrick McHardy's review)
|
|
|
|
|
| |
Missing check of the flag NLM_F_ACK is added to the kernel -
and userspace does set it too (Patrick McHardy's review)
|
|
|
|
| |
Use correct error codes (Patrick McHardy's review)
|
| |
|
|
|
|
|
|
| |
I mistyped the bitwise operator and the network-order conversion was
missing too. Sigh, sendip cannot generate proper packets to check
ICMP and ICMPv6 in the testsuite. :-(
|
|
|
|
|
|
| |
Some trailing whitespace slipped in, those are removed. With the deleted
ip_set_kernel.h, the pr_* messages lost the trailing "\n" character.
The messages were completed with it.
|
| |
|
|
|
|
|
| |
While holding the nfnl_mutex, module loading is not allowed.
Bug spotted by Patrick McHardy in his reviewing.
|
|
|
|
|
| |
The expire functions of the hash types are called while locked, so
kzalloc must be called with GFP_ATOMIC.
|
| |
|
|
|
|
|
| |
We may call ip_set_alloc with GFP_ATOMIC, so we cannot replace __vmalloc
with vzalloc. Missing flag was noticed by Eric Dumazet.
|
|
|
|
|
|
| |
Allow only network-order data, with NLA_F_NET_BYTEORDER flag.
Sanity checks also added to prevent processing broken messages
where mandatory attributes are missing. (Patrick McHardy's review)
|
|
|
|
|
|
| |
Annotated types are introduced and sparse warnings fixed.
Two warnings remained in ip_set_core.c but those are false ones.
(Patrick McHardy's review)
|
|
|
|
|
|
| |
The functions are too large to be inlined, so move them into the core.
Also, fix the unnecessary initializations in ip_set_get_ipaddr*.
(Patrick McHardy's review)
|
|
|
|
|
| |
NETMASK*, HOSTMASK* macros are rewritten to small inline functions
ip_set_netmask* and ip_set_hostmask* (Patrick McHardy's review)
|
|
|
|
|
| |
Avoid the need for explicit initialization during runtime
(Patrick McHardy's review)
|
|
|
|
| |
These macros can be useful in general (Patrick McHardy's review)
|
|
|
|
| |
Negative set numbers are strange :-) (Patrick McHardy's review)
|
|
|
|
|
| |
The header file was useful at deep debugging only, we can get rid of now.
(Patrick McHardy's review)
|
|
|
|
| |
Fix "&&" and "||" continuation style (Patrick McHardy's review)
|
| |
|
|
|
|
|
|
| |
Ongoing add/del can happen to referenced sets and delete can be issued
to unreferenced sets. So the bogus call to synchronize_net() can safely
be removed.
|
|
|
|
| |
Better add more safety nets against user input.
|
| |
|
| |
|
|
|
|
|
|
| |
Separate prefixlens from ip_set core for better readibility and honoring
the independence.
Also, comment that prefixlens were borrowed from Jan Engelhardt.
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|