| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
| |
The hash:net,iface type makes possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:
# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1
|
|
|
|
|
| |
Use the real string length instead of the maximum one when adding the
attribute.
|
| |
|
| |
|
|
|
|
|
|
| |
The internal messages mix with the public messages and that confused
the sequence number book-keeping. Move setting/updating into
ipset_mnl_query.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The range internally is converted to the network(s) equal to the range.
Example:
# ipset new test hash:net
# ipset add test 10.2.0.0-10.2.1.12
# ipset list test
Name: test
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
10.2.1.12
10.2.1.0/29
10.2.0.0/24
10.2.1.8/30
|
| |
|
| |
|
|
|
|
|
|
|
| |
Also, remove the empty "members" section when listing
just the set headers.
Testsuite is updated to reflect the changes in the output.
|
| |
|
|
|
|
|
|
| |
Current listing makes possible to list sets with full content only.
The patch adds support partial listings, i.e. listing just
the existing setnames or listing set headers, without set members.
|
|
|
|
| |
Revision reporting got broken by the revision checking patch, fixed.
|
|
|
|
| |
SCTP and UDPLITE port support added to the hash:*port* types.
|
|
|
|
| |
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
|
|
|
|
| |
Missing check of the flag NLM_F_ACK is added to the kernel -
and userspace does set it too (Patrick McHardy's review)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Do not use time() as a Netlink sequence number for each message,
as otherwise the same seq number will be used when sending
another message in the same second. Instead use time() just for
initialization, then increment per message.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also check for the name length.
Note that passing errno values back is not done consistently at
various place, as there are some functions which set errno manually,
others pass -errno back. I use the -errno approach here, as it is
slightly shorter.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
|
|
|
|
|
| |
If resolving is requested and the resolved hostname contains a dash
character, print the unresolved IP address instead in order not to
clash with the IP/hostname range syntax.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The usage of the gcc option -Wunused-parameter interferes badly with
the assert() macros. In case -DNDEBUG is specified build fails with:
cc1: warnings being treated as errors
print.c: In function 'ipset_print_family':
print.c:92: error: unused parameter 'opt'
print.c: In function 'ipset_print_port':
print.c:413: error: unused parameter 'opt'
print.c: In function 'ipset_print_proto':
Fix it by taking into accout NDEBUG in the function arguments.
Bug reported by Holger Eitzenberger.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While the following works for AF_INET:
ipset add foo 192.168.1.1/32
this does not work for AF_INET6:
ipset add foo6 20a1:1:2:3:4:5:6:7/128
ipset v5.2: Syntax error: plain IP address must be supplied: 20a1:1:2:3:4:5:6:7/128
Bug reported by Holger Eitzenberger.
The complete fix is to handle the special host prefixes in the general
IP address parser function.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Parser errors are reported by a wrong lineno at restore, bug reported
by Holger Eitzenberger:
create foo6 hash:ip hashsize 64 family inet6
add foo6 20a1:1234:5678::/64
add foo6 20a1:1234:5679::/64
you get:
ipset v5.2: Error in line 1: Syntax error: plain IP address must be supplied: 20a1:1234:5678::/64
Should be line 2 though.
The solution is to set the session lineno before parsing.
|
|
|
|
| |
Internal printing errors were not reported, handle them by setjmp/longjmp.
|
|
|
|
|
|
| |
Direct cast results "cast increases required alignment of target type" on
Sparc: use indirect cast to void * instead of memcpy, as Jan Engelhardt
suggested.
|
|
|
|
|
| |
The wrapper around getnameinfo was not snprintf-compatible and
that could cause broken listing/saving for large sets.
|
|
|
|
|
|
| |
The set cache stored the default family (INET) instead of the set family,
therefore restore mode for IPv6 did not work. The set cache fixed and
message aggregation reworked.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
There are no uses of C99 static initializers, so let's make the union
anonymous and reduce accessor lengths.
|
| |
|
| |
|
|
|
|
| |
Add new parser function to parse TCP/UDP port name, number, or range of them.
|
|
|
|
|
|
|
| |
Calculate the free buffer size when adding the existing attributes at the buffered
commands. If the buffer is full, cancel the unfinished nested attribute and commit
the previously buffered commands. Then restart with the current buffered command.
Thus we can get rid of the ugly maxsize parameter of the set types.
|
| |
|
|
|
|
|
| |
Modifying a set can be performed by save/modify/restore/swap, without
adding kernel part support.
|
|
|
|
| |
The command is not used yet, but better to reserve it already.
|
|
|
|
|
|
| |
At present IPv6 does not support adding/deleting multiple IPv6 addresses
specified as an ip-ip range or ip/prefix block. A parser function is
added by which can enforce it at parsing the address pattern.
|
|\ |
|
| |
| |
| |
| |
| |
| |
| | |
libtool will take care of adding -fPIC as needed. In fact, static
libraries are often not desired to be compiled with -fPIC.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
libmnl installs .pc files that we can directly use and which are
preferable over AC_CHECK_LIB.
Also make sure that libipset.so is linked with libmnl, otherwise
linking errors can ensue when a program tries to link to libipset.
Furthermore, remove the now-unused LIBS variable.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- More comments added to the code
- ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip
and hash:ip,port,net types
- hash:net and hash:ip,port,net types are reworked
- hash:net,port type added
- Wrong direction parameters fixed in hash:ip,port
- Helps and manpage are updated
- More tests added
- Ugly macros are rewritten to functions in parse.c
(Holger Eitzenberger)
- resize related bug in hash types fixed (Holger Eitzenberger)
- autoreconf patches by Jan Engelhardt applied
- netlink patch minimalized: dumping can be initialized by a second
parsing of the message (thanks to David and Patrick for the suggestion)
- IPv4/IPv6 address attributes are introduced in order to fix the context
(suggested by David)
|
|
|
|
|
|
|
| |
Makefile fixes: compiler flags
README and manpage fixes
Compatibility with newer gcc releases (4.4.x)
Compatibility with the 2.6.35 kernel tree
|
|
|
|
|
|
|
|
| |
ipset 5 is tested on Sparc, which revealed some compatibility issues
and those are fixed. Kernels from 2.6.31 onward are supported.
The testsuite checkings are completed to run match/target checks.
The README file is updated to reflect the requirements to install
and run ipset 5.
|
|
|
|
|
|
|
|
|
|
|
| |
- the hash types can now store protocol together port, not only port
- lots of fixes everywhere: parser, error reporting, manpage
The last bits on the todo list before announcing ipset 5:
- recheck all the error messages
- add possibly more tests
- polish manpage
|
| |
|