| Commit message (Collapse) | Author | Age | Files | Lines |
In newer glibc, getaddrinfo issues an extra system call to the kernel,
which slows down ipset. Replace getaddrinfo with gethostbyname2,
where possible.
If a create command fails at the kernel side, a false syntax error
was also reported due to the chicken and egg problem of the family
option.
Large timeout parameters could result in wrong timeout values due to
an overflow at the msec to jiffies conversion (reported by Andreas Herz)
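The overflow described in this entry, modelled in Python as an added example (this is not ipset's or the kernel's code): a timeout in seconds is multiplied by 1000 in unsigned 32-bit arithmetic, so any value above about 4.29 million seconds silently wraps to a tiny timeout. The tick rate, the 32-bit width and the MAX_TIMEOUT_SEC bound are this example's assumptions; the exact limit ipset adopted is not reproduced here.

```python
"""Model of a 32-bit msec-to-jiffies conversion that wraps on large timeouts.

Added example, not ipset's or the kernel's code. HZ, the 32-bit width and
MAX_TIMEOUT_SEC are assumptions made for illustration.
"""

HZ = 250                 # assumed tick rate; real kernels use 100, 250 or 1000
U32_MAX = 0xFFFFFFFF
MSEC_PER_SEC = 1000

# Largest timeout (seconds) whose millisecond form still fits in a u32.
MAX_TIMEOUT_SEC = U32_MAX // MSEC_PER_SEC   # 4294967


def naive_timeout_to_jiffies(timeout_sec: int) -> int:
    """Seconds -> msec -> jiffies the way a u32 multiplication does it in C:
    the intermediate product wraps modulo 2**32 without any error."""
    msec = (timeout_sec * MSEC_PER_SEC) & U32_MAX      # wraps past 2**32
    return (msec * HZ // MSEC_PER_SEC) & U32_MAX


def checked_timeout_to_jiffies(timeout_sec: int) -> int:
    """Same conversion, but refuse any value whose millisecond form would
    not fit in 32 bits instead of returning a wrapped (too short) timeout."""
    if timeout_sec < 0 or timeout_sec > MAX_TIMEOUT_SEC:
        raise ValueError(
            f"timeout {timeout_sec}s exceeds the {MAX_TIMEOUT_SEC}s maximum")
    return timeout_sec * MSEC_PER_SEC * HZ // MSEC_PER_SEC


if __name__ == "__main__":
    for sec in (60, MAX_TIMEOUT_SEC, MAX_TIMEOUT_SEC + 1):
        print(sec, "naive:", naive_timeout_to_jiffies(sec))
        try:
            print(sec, "checked:", checked_timeout_to_jiffies(sec))
        except ValueError as e:
            print(sec, "checked:", e)
```

With HZ=250, a timeout of 4294968 seconds (one above the bound) wraps to 176 jiffies under the naive conversion, i.e. the entry would expire in well under a second instead of in about 50 days; the checked variant rejects it.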
The square brackets are introduced as an escape mechanism to
enter hostnames or service names with dash in order to avoid
mixing up the dash in the name with the range notation.
Problem reported by Stephen Hemminger and Marc Guardiola.
The "nomatch" keyword and option are added to the hash:*net* types,
by which one can add exception entries to sets. Example:
ipset create test hash:net
ipset add test 192.168.0/24
ipset add test 192.168.0/30 nomatch
In this case the IP addresses from 192.168.0/24 except 192.168.0/30
match the elements of the set.
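A pure-Python model of the lookup semantics this entry describes, as an added example that is not ipset's own code: the most specific stored network containing the address decides the result, and an entry flagged nomatch turns that hit into a miss. Besides the example from the commit message it also shows a nested exception (a positive network inside a nomatch network), which the longest-prefix rule handles without special cases. The class and method names are this example's own; networks are written in full dotted form because Python's ipaddress does not accept the 192.168.0/24 shorthand.

```python
"""Model of hash:net membership tests with "nomatch" exception entries.

Added example, not ipset's own code: a stand-in for the kernel set that
keeps networks in a dict and resolves a test by longest-prefix match.
"""
import ipaddress


class HashNetSet:
    def __init__(self):
        # ip_network -> True if the entry is a "nomatch" exception
        self.entries = {}

    def add(self, cidr: str, nomatch: bool = False) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        self.entries[net] = nomatch

    def delete(self, cidr: str) -> None:
        self.entries.pop(ipaddress.ip_network(cidr, strict=False), None)

    def test(self, ip: str) -> bool:
        """True if ip matches the set: the longest stored prefix containing
        ip wins, and a nomatch entry at that prefix yields a miss."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net in self.entries:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best.prefixlen:
                    best = net
        if best is None:
            return False
        return not self.entries[best]


def demo():
    """The set from the commit message, tested against a few addresses."""
    s = HashNetSet()
    s.add("192.168.0.0/24")                 # written 192.168.0/24 above
    s.add("192.168.0.0/30", nomatch=True)   # written 192.168.0/30 above
    return {ip: s.test(ip) for ip in
            ("192.168.0.1", "192.168.0.3", "192.168.0.4",
             "192.168.0.200", "10.0.0.1")}


if __name__ == "__main__":
    for ip, hit in demo().items():
        print(f"{ip:16} {'match' if hit else 'no match'}")
```

Addresses inside 192.168.0.0/30 report no match although 192.168.0.0/24 contains them; everything else in the /24 matches, and addresses outside the set do not.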
The ICMP/ICMPv6 type/code parser swapped the type and code values.
(Bug reported by Sabitov)
The protocol argument to getservbyname() must be lowercase tcp not
uppercase TCP. This fixes the bug observed by:
# ipset add foo http
ipset v6.9.1: Syntax error: 'http' is invalid as number
Syntax error: cannot parse 'http' as a TCP port
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
ipset is actually using NFPROTO values rather than AF (xt_set passes
that along).
With the header file restructuring, the ipset userspace enums IPSET_DIM_*
clash with the kernel ones. In this patch the userspace is converted to
use the kernel part enums and thus we got rid of userspace enums IPSET_DIM_*.
The hash:net,iface type makes it possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:
# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1
The range internally is converted to the network(s) equal to the range.
Example:
# ipset new test hash:net
# ipset add test 10.2.0.0-10.2.1.12
# ipset list test
Name: test
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
10.2.1.12
10.2.1.0/29
10.2.0.0/24
10.2.1.8/30
SCTP and UDPLITE port support added to the hash:*port* types.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
The usage of the gcc option -Wunused-parameter interferes badly with
the assert() macros. In case -DNDEBUG is specified build fails with:
cc1: warnings being treated as errors
print.c: In function 'ipset_print_family':
print.c:92: error: unused parameter 'opt'
print.c: In function 'ipset_print_port':
print.c:413: error: unused parameter 'opt'
print.c: In function 'ipset_print_proto':
Fix it by taking into account NDEBUG in the function arguments.
Bug reported by Holger Eitzenberger.
While the following works for AF_INET:
ipset add foo 192.168.1.1/32
this does not work for AF_INET6:
ipset add foo6 20a1:1:2:3:4:5:6:7/128
ipset v5.2: Syntax error: plain IP address must be supplied: 20a1:1:2:3:4:5:6:7/128
Bug reported by Holger Eitzenberger.
The complete fix is to handle the special host prefixes in the general
IP address parser function.
Direct cast results in "cast increases required alignment of target type" on
Sparc: use indirect cast to void * instead of memcpy, as Jan Engelhardt
suggested.
Add new parser function to parse TCP/UDP port name, number, or range of them.
At present IPv6 does not support adding/deleting multiple IPv6 addresses
specified as an ip-ip range or ip/prefix block. A parser function is
added which can enforce it when parsing the address pattern.
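An address-pattern parser written as an added example (not ipset's own parser) that ties together three entries in this log: the conversion of an ip-ip range into the equivalent networks shown for `ipset add test 10.2.0.0-10.2.1.12` above, acceptance of the host prefixes /32 and /128 as plain addresses (the `20a1:1:2:3:4:5:6:7/128` case), and the enforcement described here that an IPv6 pattern may denote only a single address. The function names, the `single_only` flag and the output formatting (host blocks printed as a bare address, as `ipset list` does) are this example's own choices.

```python
"""Parser for ipset-style address patterns: "ip", "ip/prefix" and "ip-ip".

Added example, not ipset's own parser. An ip-ip range expands to the
minimal list of aligned networks covering it; a host prefix (/32, /128)
is accepted as a single address; with single_only=True any pattern that
denotes more than one address is rejected, as the IPv6 hash:ip case needs.
"""
import ipaddress


def range_to_networks(first, last):
    """Greedy split of the inclusive range [first, last] into the fewest
    aligned CIDR blocks, walking upward from the low end."""
    if first.version != last.version or first > last:
        raise ValueError(f"bad range {first}-{last}")
    bits = first.max_prefixlen
    cls = type(first)
    nets = []
    cur, end = int(first), int(last)
    while cur <= end:
        size = 1
        # grow the block while it stays aligned at cur and inside the range
        while (size < (1 << bits)
               and cur % (size * 2) == 0
               and cur + size * 2 - 1 <= end):
            size *= 2
        prefix = bits - (size.bit_length() - 1)
        nets.append(ipaddress.ip_network(f"{cls(cur)}/{prefix}"))
        cur += size
    return nets


def fmt(net):
    """Render like `ipset list`: a host block is shown as a bare address."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def parse_pattern(text, single_only=False):
    """Return the networks a pattern denotes, formatted as ipset lists them."""
    if "/" in text:
        addr_s, _, plen_s = text.partition("/")
        addr = ipaddress.ip_address(addr_s)
        plen = int(plen_s)
        if not 0 <= plen <= addr.max_prefixlen:
            raise ValueError(f"bad prefix length {plen} for {addr}")
        # strict=False masks host bits (10.2.1.12/29 -> 10.2.1.8/29);
        # a /32 or /128 is the host-prefix case and is simply a one-address block
        nets = [ipaddress.ip_network(f"{addr}/{plen}", strict=False)]
    elif "-" in text:
        lo_s, _, hi_s = text.partition("-")
        nets = range_to_networks(ipaddress.ip_address(lo_s),
                                 ipaddress.ip_address(hi_s))
    else:
        addr = ipaddress.ip_address(text)
        nets = [ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")]
    if single_only and (len(nets) != 1 or nets[0].num_addresses != 1):
        raise ValueError(f"plain IP address must be supplied: {text}")
    return [fmt(n) for n in nets]


if __name__ == "__main__":
    for pat in ("10.2.0.0-10.2.1.12", "192.168.1.1/32",
                "20a1:1:2:3:4:5:6:7/128", "2001:db8::1-2001:db8::4"):
        print(pat, "->", parse_pattern(pat))
```

For `10.2.0.0-10.2.1.12` the parser yields 10.2.0.0/24, 10.2.1.0/29, 10.2.1.8/30 and 10.2.1.12, the same four members the `ipset list` output above shows (in hash order there, in address order here).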
- More comments added to the code
- ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip
and hash:ip,port,net types
- hash:net and hash:ip,port,net types are reworked
- hash:net,port type added
- Wrong direction parameters fixed in hash:ip,port
- Helps and manpage are updated
- More tests added
- Ugly macros are rewritten to functions in parse.c
(Holger Eitzenberger)
- resize related bug in hash types fixed (Holger Eitzenberger)
- autoreconf patches by Jan Engelhardt applied
- netlink patch minimalized: dumping can be initialized by a second
parsing of the message (thanks to David and Patrick for the suggestion)
- IPv4/IPv6 address attributes are introduced in order to fix the context
(suggested by David)
ipset 5 is tested on Sparc, which revealed some compatibility issues
and those are fixed. Kernels from 2.6.31 onward are supported.
The testsuite checks are completed to run match/target checks.
The README file is updated to reflect the requirements to install
and run ipset 5.
- the hash types can now store protocol together with port, not only port
- lots of fixes everywhere: parser, error reporting, manpage
The last bits on the todo list before announcing ipset 5:
- recheck all the error messages
- add possibly more tests
- polish manpage
Reworked protocol and internal interfaces, missing set types added,
backward compatibility verified, lots of tests added (and thanks to the tests,
bugs fixed), even the manpage is rewritten ;-). Countless changes everywhere...
The missing bits before announcing ipset 5:
- net namespace support
- new iptables/ip6tables extension library
- iptables/ip6tables match and target tests (backward/forward compatibility)
- tests on catching syntax errors
Add new userspace files: include/, lib/ and plus new files in src/.