path: root/lib/ipset.c
Commit message | Author | Age | Files | Lines
* Add json output to list command | Thomas Oberhammer | 2023-09-18 | 1 | -1/+3

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* xlate: Drop dead code | Phil Sutter | 2023-03-10 | 1 | -3/+0

  Set type is not needed when manipulating elements, the assigned variable was unused in that case.

  Fixes: 325af556cd3a6 ("add ipset to nftables translation infrastructure")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* xlate: Fix for fd leak in error path | Phil Sutter | 2023-03-10 | 1 | -1/+1

  A rather cosmetic issue though, the program will terminate anyway.

  Fixes: 325af556cd3a6 ("add ipset to nftables translation infrastructure")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* Fix all debug mode warnings | Jozsef Kadlecsik | 2022-11-20 | 1 | -13/+19
* Fix IPv6 sets nftables translation | Pablo Neira Ayuso | 2022-02-28 | 1 | -14/+10

  The parser assumes the set is an IPv4 ipset because IPSET_OPT_FAMILY is not set.

      # ipset-translate restore < ./ipset-mwan3_set_connected_ipv6.dump
      add table inet global
      add set inet global mwan3_connected_v6 { type ipv6_addr; flags interval; }
      flush set inet global mwan3_connected_v6
      ipset v7.15: Error in line 4: Syntax error: '64' is out of range 0-32

  Remove ipset_xlate_type_get(), call ipset_xlate_set_get() instead to obtain the set type and family.

  Reported-by: Florian Eckert <fe@dev.tdt.de>
  Fixes: 325af556cd3a ("add ipset to nftables translation infrastructure")
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add ipset to nftables translation infrastructure | Pablo Neira Ayuso | 2021-06-26 | 1 | -1/+540

  This patch provides the ipset-translate utility which allows you to translate your existing ipset file to nftables.

  The ipset-translate utility is actually a symlink to ipset, which checks for 'argv[0] == ipset-translate' to exercise the translation path.

  You can translate your ipset file through:

      ipset-translate restore < sets.ipt

  This patch reuses the existing parser and API to represent the sets and the elements.

  There is a new ipset_xlate_set dummy object that allows storing a created set to fetch the type without interactions with the kernel.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* lib: Detach restore routine from parser | Pablo Neira Ayuso | 2021-06-26 | 1 | -1/+4

  Do not call restore() from ipset_parser(). Instead, ipset_parser() returns the IPSET_CMD_RESTORE command and the caller invokes restore().

  This patch comes in preparation for the ipset to nftables translation infrastructure.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* lib: split parser from command execution | Pablo Neira Ayuso | 2021-06-26 | 1 | -14/+30

  ipset_parse_argv() parses, builds and sends the netlink messages to the kernel. This patch extracts the parser and wraps it around the new ipset_parser() function.

  This patch comes in preparation for the ipset to nftables translation infrastructure.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Handle -Werror=implicit-fallthrough= in debug mode compiling | Jozsef Kadlecsik | 2021-02-09 | 1 | -0/+2

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Argument parsing buffer overflow in ipset_parse_argv fixed | Jozsef Kadlecsik | 2021-01-19 | 1 | -0/+5

  Argument length checking was simply missing.

  Fixes netfilter bugzilla #1492, reported by Marshall Whittaker.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: update my email address | Jozsef Kadlecsik | 2019-06-05 | 1 | -1/+1

  It's better to use my kadlec@netfilter.org email address in the source code. I might not be able to use kadlec@blackhole.kfki.hu in the future.

  Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix to list/save into file specified by option | Jozsef Kadlecsik | 2018-11-10 | 1 | -2/+3

  list/save into file given by "-f filename" did not work in 7.0, reported by Isaac Good.
* Prepare the ipset tool to handle multiple protocol versions | Jozsef Kadlecsik | 2018-10-22 | 1 | -0/+4

  From now on the "version" command asks the kernel protocol version too and reports if the userspace - kernel protocols do not match.
* Fix warning message handling | Jozsef Kadlecsik | 2018-10-22 | 1 | -13/+11

  Warning messages were not printed and handled properly, the patch fixes the issue.
* Library reworked to support embedding ipset completely | Jozsef Kadlecsik | 2018-10-18 | 1 | -0/+1472

  The ipset library is rewritten/extended to support embedding ipset, so that sets can fully be managed without calling the ipset binary. The ipset binary relies completely on the new library.

  The libipset.3 manpage was written about the library functions and usage.

  Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>