summaryrefslogtreecommitdiffstats
path: root/kernel
Commit message (Collapse)AuthorAgeFilesLines
* The list:set type with counter supportJozsef Kadlecsik2013-04-091-6/+67
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The hash types with counter supportJozsef Kadlecsik2013-04-098-19/+381
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The bitmap types with counter supportJozsef Kadlecsik2013-04-094-15/+186
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduce the counter extension in the coreJozsef Kadlecsik2013-04-093-4/+86
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* list:set type using the extension interfaceJozsef Kadlecsik2013-04-091-246/+301
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Hash types using the unified code baseJozsef Kadlecsik2013-04-097-1865/+610
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Unified hash type generationJozsef Kadlecsik2013-04-092-1241/+1039
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Bitmap types using the unified code baseJozsef Kadlecsik2013-04-093-954/+316
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Unified bitmap type generationJozsef Kadlecsik2013-04-092-0/+271
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Introduce extensions to elements in the coreJozsef Kadlecsik2013-04-094-110/+86
| | | | | | | Introduce extensions to elements in the core and prepare timeout as the first one. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Move often used IPv6 address masking function to header fileJozsef Kadlecsik2013-04-096-45/+9
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Make possible to test elements marked with nomatch, from userspaceJozsef Kadlecsik2013-04-095-24/+40
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter ipset: Use ipv6_addr_equal() where appropriate.YOSHIFUJI Hideaki2013-04-097-9/+9
| | | | | | Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Add a compatibility header file for easier maintenanceJozsef Kadlecsik2013-04-096-78/+101
| | | | | | | Unfortunately not everything could be moved there, there are still compatibility ifdefs in some other files. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* The uapi include split in the package itselfJozsef Kadlecsik2013-04-099-268/+292
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Reorder modules a little bit in KbuildJozsef Kadlecsik2013-04-091-2/+2
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* hash:*net*: nomatch flag not excluded on set resizeJozsef Kadlecsik2013-04-095-11/+99
| | | | | | | If a resize is triggered the nomatch flag is not excluded at hashing, which leads to the element missed at lookup in the resized set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* list:set: update reference counter when last element pushed offJozsef Kadlecsik2013-04-091-3/+7
| | | | | | | The last element can be replaced or pushed off and in both cases the reference counter must be updated. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.17 releasedv6.17Jozsef Kadlecsik2013-02-211-0/+5
|
* "Directory not empty" error message (reported by John Brendler)Jozsef Kadlecsik2013-02-211-1/+2
| | | | | | | | | When an entry flagged with "nomatch" was tested by ipset, it returned the error message "Kernel error received: Directory not empty" instead of "<element> is NOT in set <setname>". The internal error code was not properly transformed before returning to userspace, fixed.
* netfilter: ipset: timeout values corrupted on set resizeJosh Hunt2013-02-211-1/+3
| | | | | | | | | | | If a resize is triggered on a set with timeouts enabled, the timeout values will get corrupted when copying them to the new set. This occured b/c the wrong timeout value is supplied to type_pf_elem_tadd(). This also adds simple debug statement similar to the one in type_pf_resize(). Signed-off-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Make sure ip_set_max isn't set to IPSET_INVALID_IDJozsef Kadlecsik2012-11-271-1/+1
|
* ipset 6.16.1 releasedv6.16.1Jozsef Kadlecsik2012-11-271-0/+4
|
* Add ipset package version to external module descriptionJozsef Kadlecsik2012-11-271-1/+6
|
* Backport RCU handling up to 2.6.32.xJozsef Kadlecsik2012-11-271-0/+8
| | | | __rcu and rcu_dereference_protected is missing from older kernel releases.
* ipset 6.16 releasedv6.16Jozsef Kadlecsik2012-11-261-0/+5
|
* Netlink pid is renamed to portid in kernel 3.7.0Jozsef Kadlecsik2012-11-261-10/+16
| | | | | | Handle the renaming of the netlink_skb_parms structure member. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix RCU handling when the number of maximal sets are increasedJozsef Kadlecsik2012-11-261-83/+117
| | | | | | Eric Dumazet spotted that RCU handling was far incomplete in the patch which added the support of increasing the number of maximal sets automatically. This patch completes the RCU handling of the ip_set_list array of the sets.
* netfilter: ipset: fix netiface set name overflowFlorian Westphal2012-11-221-1/+1
| | | | | | | | | | attribute is copied to IFNAMSIZ-size stack variable, but IFNAMSIZ is smaller than IPSET_MAXNAMELEN. Fortunately nfnetlink needs CAP_NET_ADMIN. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* ipset 6.15 releasedv6.15Jozsef Kadlecsik2012-11-191-0/+6
|
* Increase the number of maximal sets automatically as neededJozsef Kadlecsik2012-11-191-8/+51
| | | | | The max number of sets was hardcoded at kernel cofiguration time. The patch adds the support to increase the max number of sets automatically.
* Restore the support of kernel versions between 2.6.32 and 2.6.35Jozsef Kadlecsik2012-11-053-64/+96
|
* Fix range bug in hash:ip,port,netJozsef Kadlecsik2012-11-054-12/+13
| | | | | | | | | Due to the missing ininitalization at adding/deleting entries, when a plain_ip,port,net element was to be added, multiple elements were added/deleted instead. The bug came from the missing dangling default initialization. The error-prone default initialization is corrected in all hash:* types.
* Rewrite cidr book keeping to handle /0Jozsef Kadlecsik2012-09-221-49/+55
| | | | The patch is required for the /0 support in hash:net,iface
* Revert patch "Fix cidr book keeping for hash:*net* types"Jozsef Kadlecsik2012-09-221-55/+49
|
* ipset 6.14 releasedv6.14Jozsef Kadlecsik2012-09-211-0/+11
|
* Support to match elements marked with "nomatch" in hash:*net* setsJozsef Kadlecsik2012-09-217-20/+54
| | | | | | | | | | | | | | | Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ...
* Coding style fixesJozsef Kadlecsik2012-09-116-12/+16
|
* Include supported revisions in module descriptionJozsef Kadlecsik2012-09-1112-39/+78
|
* Add /0 network support to hash:net,iface typeJozsef Kadlecsik2012-09-101-23/+21
| | | | | Now it is possible to setup a single hash:net,iface type of set and a single ip6?tables match which covers all egress/ingress filtering.
* Fix cidr book keeping for hash:*net* typesJozsef Kadlecsik2012-09-101-49/+55
| | | | | | | The book-keeping of the different sized networks were bogus, fix it. The broken code could lead invalid matching in such sets when the number of different sized networks were greater than the smallest CIDR value of the networks.
* Check and reject crazy /0 input parametersJozsef Kadlecsik2012-09-106-10/+13
| | | | | | | | bitmap:ip and bitmap:ip,mac type did not reject such a crazy range when created and using such a set results in a kernel crash. The hash types just silently ignored such parameters. Reject invalid /0 input parameters explicitely.
* Backport ether_addr_equalJozsef Kadlecsik2012-09-101-2/+11
|
* Coding style fix, backport from kernelJozsef Kadlecsik2012-09-101-2/+2
|
* net: cleanup unsigned to unsigned intEric Dumazet2012-09-082-7/+7
| | | | | | | Use of "unsigned int" is preferred to bare "unsigned" in net tree. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* ipset 6.13 releasedv6.13Jozsef Kadlecsik2012-06-291-0/+7
|
* ipset: Handle properly an IPSET_CMD_NONETomasz Bursztyka2012-06-291-0/+12
| | | | | Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: hash:net,iface: fix interface comparisonFlorian Westphal2012-06-191-28/+4
| | | | | | | | | | | | | | | | ifname_compare() assumes that skb->dev is zero-padded, e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1); in e1000_probe(), so once device is registered dev->name memory contains 'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare fail. Use plain strcmp() instead. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Timeout fixing bug broke SET target special timeout value, fixedJozsef Kadlecsik2012-06-081-1/+3
| | | | | | The patch "Fix timeout value overflow bug at large timeout parameters" broke the SET target when no timeout was specified (reported by Jean-Philippe Menil).
* Use MSEC_PER_SEC instead of harcoded valueJozsef Kadlecsik2012-05-152-4/+4
| | | | | David Laight and Eric Dumazet noticed that we were using hardcoded 1000 instead of MSEC_PER_SEC to calculate the timeout.