| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
This reworks the argument parsing functionality of ipset to handle
quote-delimited lines in such a way that they are considered to be a
single argument.
This commit is necessary for ipset to successfully restore sets that
have comments.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
| |
Option like "netmask" depends on the INET family, so parse "family"
first, then the rest of the options.
Bug reported by Quentin Armitage, closed netfilter bugzilla #841.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ipset> list foo
ipset v6.16.1: The set with the given name does not exist
ipset> -t
No command specified
ipset> list
ipset v6.16.1: Internal protocol error
In interactive mode the state was not cleaned up properly after a
syntax error, fixed.
|
| | |
|
| |
|
|
|
| |
In order to catch kernel/userspace revision mismatch, better print
all available data.
|
| | |
|
| |
|
|
|
|
| |
ipset help listed every set type, including the ones with multiple
revisions - which were listed thus multiple times. Set types with
multiple revisions are listed once from now on.
|
| |
|
|
|
|
|
|
|
| |
Mathieu Bridon suggested that in some environments where there is no
access to a full shell with input/output redirection, it'd be useful
to read from/write to directly a file (bugzilla #788).
The patch adds the new "-file" option to specify a filename to print
into when listing/saving sets or read from when restoring sets.
|
| |
|
|
|
| |
The libipset library is complete by this step, and "ipset" just
a CLI interface based on the lib.
|
| |
|
|
|
| |
ipset is actually using NFPROTO values rather than AF (xt_set passes
that along).
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The hash:net,iface type makes possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:
# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The range internally is converted to the network(s) equal to the range.
Example:
# ipset new test hash:net
# ipset add test 10.2.0.0-10.2.1.12
# ipset list test
Name: test
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
10.2.1.12
10.2.1.0/29
10.2.0.0/24
10.2.1.8/30
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The number of comparisons for a matching a command name can be
made smaller by just checking on argv[1].
As an example consider the following 'create' arguments 'hashsize',
'family' and 'timeout'. When having the command
create foo hash:ip timeout 60 family inet hashsize 64
it compares without this patch:
strcmp("timeout", "hashsize")
strcmp("64", "hashsize")
strcmp("family", "hashsize")
strcmp("inet", "hashsize")
strcmp("hashsize", "hashsize")
It is worse in practice, as 'create' has more arguments than this.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
| |
|
|
|
|
|
|
| |
After stripping off the global options there simply has to follow
a command name, there is no other syntax possible. Therefore the
argv[] loop is unnecessary.
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
| |
|
|
| |
Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
|
| |
|
|
| |
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Parser errors are reported by a wrong lineno at restore, bug reported
by Holger Eitzenberger:
create foo6 hash:ip hashsize 64 family inet6
add foo6 20a1:1234:5678::/64
add foo6 20a1:1234:5679::/64
you get:
ipset v5.2: Error in line 1: Syntax error: plain IP address must be supplied: 20a1:1234:5678::/64
Should be line 2 though.
The solution is to set the session lineno before parsing.
|
| |
|
|
|
|
|
| |
It's not as nice as I'd like to be: IPSET_CREATE_FLAGS and
IPSET_ADT_FLAGS are required elsewhere, but to make life
simpler, some flags (like IPSET_OPT_TYPENAME) are *not*
added to the types full[] flags. So those must be excluded here.
|
| |
|
|
|
| |
There was still some other incorrect usage of 'enum ipset_cmd' and
'enum ipset_adt' - corrected.
|
| |
|
|
| |
Wrong enum type was used in the comparison, reported by Jan Engelhardt.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- More comments added to the code
- ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip
and hash:ip,port,net types
- hash:net and hash:ip,port,net types are reworked
- hash:net,port type added
- Wrong direction parameters fixed in hash:ip,port
- Helps and manpage are updated
- More tests added
- Ugly macros are rewritten to functions in parse.c
(Holger Eitzenberger)
- resize related bug in hash types fixed (Holger Eitzenberger)
- autoreconf patches by Jan Engelhardt applied
- netlink patch minimalized: dumping can be initialized by a second
parsing of the message (thanks to David and Patrick for the suggestion)
- IPv4/IPv6 address attributes are introduced in order to fix the context
(suggested by David)
|
| |
|
|
|
|
|
|
|
|
|
| |
- the hash types can now store protocol together port, not only port
- lots of fixes everywhere: parser, error reporting, manpage
The last bits on the todo list before announcing ipset 5:
- recheck all the error messages
- add possibly more tests
- polish manpage
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Reworked protocol and internal interfaces, missing set types added,
backward compatibility verified, lots of tests added (and thanks to the tests,
bugs fixed), even the manpage is rewritten ;-). Countless changes everywhere...
The missing bits before announcing ipset 5:
- net namespace support
- new iptables/ip6tables extension library
- iptables/ip6tables match and target tests (backward/forward compatibility)
- tests on catching syntax errors
|
| |
|
|
| |
Refresh existing files in src/ with the new content.
|
|
|
Create src/ and move ipset source there. Get rid of unnecessary and
outdated files.
|
