summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* Manpage updatesJozsef Kadlecsik2013-04-091-52/+79
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Interactive mode error after syntax error (reported by Mart Frauenlob)Jozsef Kadlecsik2013-02-211-3/+8
| | | | | | | | | | | | ipset> list foo ipset v6.16.1: The set with the given name does not exist ipset> -t No command specified ipset> list ipset v6.16.1: Internal protocol error In interactive mode the state was not cleaned up properly after a syntax error, fixed.
* Fix interactive modeFredrik Eriksson2012-11-101-5/+2
| | | | Catching interactive mode got broken in 6.12.
* Coding style fixesJozsef Kadlecsik2012-09-111-3/+3
|
* Help prints list type revision and terse descriptionJozsef Kadlecsik2012-09-101-5/+5
| | | | | In order to catch kernel/userspace revision mismatch, better print all available data.
* Add /0 network support to hash:net,iface typeJozsef Kadlecsik2012-09-101-2/+1
| | | | | Now it is possible to setup a single hash:net,iface type of set and a single ip6?tables match which covers all egress/ingress filtering.
* Fix errors when compiling in debug mode.Krunal Patel2012-08-312-8/+5
|
* Explain in more detail src/dst for hash:net,ifaceJozsef Kadlecsik2012-06-291-2/+3
|
* ipset help lists set types multiple times, fixed (reported by Mr Dash Four)Jozsef Kadlecsik2012-06-191-1/+5
| | | | | | ipset help listed every set type, including the ones with multiple revisions - which were listed thus multiple times. Set types with multiple revisions are listed once from now on.
* The commandline parser was too permissive, make it more strictJozsef Kadlecsik2012-06-191-31/+29
| | | | | | The parser allowed more possible argument alternatives for command options than the documented one, which limited the possibility of other option names. The patch makes the parser more strict.
* Allow saving to/restoring from a file without shell redirectionJozsef Kadlecsik2012-05-233-9/+118
| | | | | | | | | Mathieu Bridon suggested that in some environments where there is no access to a full shell with input/output redirection, it'd be useful to read from/write to directly a file (bugzilla #788). The patch adds the new "-file" option to specify a filename to print into when listing/saving sets or read from when restoring sets.
* Enable silent (kernel style) compile messagesJozsef Kadlecsik2012-05-101-3/+0
|
* Add dynamic module support to ipset userspace toolNeutron Soutmun2012-05-101-0/+7
| | | | | | | | | | | | | The patch adds supporting dynamic modules for the set types to ipset userspace tool. The dynamic module support can be enabled by the --enable-settype-modules of "configure". The list of set types to be compiled as dynamic modules can be specified in the --with-settype-modules-list option. Example --enable-settype-modules \ --with-settype-modules-list="ipset_hash_ip ipset_hash_ipport" The keyword "all" can be used to compile all set types as dynamic modules.
* Move ipset_port_usage() into libNeutron Soutmun2012-05-061-31/+0
|
* Improve ipset help text messages (Mr Dash Four)Jozsef Kadlecsik2012-04-191-4/+4
|
* Support hostnames and service names with dashJozsef Kadlecsik2012-01-141-0/+6
| | | | | | | | The square brackets are introduced as an escape mechanism to enter hostnames or service names with dash in order to avoid mixing up the dash in the name with the range notation. Problem reported by Stephen Hemminger and Marc Guardiola.
* Exceptions support added to hash:*net* typesJozsef Kadlecsik2012-01-131-6/+23
| | | | | | | | | | | | The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set.
* Set types moved into libipset libraryJozsef Kadlecsik2012-01-0513-1574/+3
| | | | | The libipset library is complete by this step, and "ipset" just a CLI interface based on the lib.
* build: make distcheck work and use POSIX mode for tarball generationJan Engelhardt2011-12-231-1/+1
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* build: move ipset_errcode into libraryJan Engelhardt2011-08-312-201/+0
| | | | | | | | | | | | | | | | The library cannot stand on its own: 19:13 seven:../ipset/lib > ldd -r .libs/libipset.so.1 linux-vdso.so.1 => (0x00007fff9a569000) libmnl.so.0 => /usr/lib64/libmnl.so.0 (0x00007fd42ae5c000) libc.so.6 => /lib64/libc.so.6 (0x00007fd42aaef000) /lib64/ld-linux-x86-64.so.2 (0x00007fd42b28d000) undefined symbol: ipset_errcode (.libs/libipset.so.1) Resolve this by moving ipset_errcode into the library. Reported-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com> References: http://marc.info/?l=netfilter-devel&m=131435791514602&w=2
* ipset: use NFPROTO_ constantsJan Engelhardt2011-08-3112-19/+19
| | | | | ipset is actually using NFPROTO values rather than AF (xt_set passes that along).
* Propagate "expose userspace-relevant parts in ip_set.h" to ipset sourceJozsef Kadlecsik2011-08-3111-25/+25
| | | | | | With the header file restructuring, the ipset userspace enums IPSET_DIM_* clash with the kernel ones. In this patch the userspace is converted to use the kernel part enums and thus we got rid of userspace enums IPSET_DIM_*.
* Update the manpage and document the limits in hash:net,iface.Jozsef Kadlecsik2011-07-111-1/+5
|
* Whitespace and coding fixes detected by checkpatch.plJozsef Kadlecsik2011-05-3114-178/+182
|
* hash:net,iface type introducedJozsef Kadlecsik2011-05-304-2/+192
| | | | | | | | | | The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1
* Remove iptree tests and compatibility element parsingJozsef Kadlecsik2011-05-271-1/+0
|
* Fix warnings reported by valgrindJozsef Kadlecsik2011-05-251-1/+7
|
* Remove supporting set types iptree and iptreemapJozsef Kadlecsik2011-05-241-1/+1
|
* Accept "\r\n" terminated COMMIT command in restore filesJozsef Kadlecsik2011-05-241-1/+1
|
* Accept "\r\n" terminated lines in restore filesJozsef Kadlecsik2011-05-211-2/+2
|
* Support range for IPv4 at adding/deleting elements for hash:*net* typesJozsef Kadlecsik2011-05-158-35/+287
| | | | | | | | | | | | | | | | | | | The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30
* Update ipset help text to reflect SCTP and UDPLITE supportJozsef Kadlecsik2011-05-121-3/+3
|
* Support listing setnames and headers tooJozsef Kadlecsik2011-04-182-4/+29
| | | | | | Current listing makes possible to list sets with full content only. The patch adds support partial listings, i.e. listing just the existing setnames or listing set headers, without set members.
* bitmap:ip,mac type requires "src" for MACJozsef Kadlecsik2011-04-081-3/+4
| | | | | | | | | Enforce that the second "src/dst" parameter of the set match and SET target must be "src", because we have access to the source MAC only in the packet. The previous behaviour, that the type required the second parameter but actually ignored the value was counter-intuitive and confusing. Manpage is updated to reflect the change.
* Manpage updateJozsef Kadlecsik2011-03-271-0/+2
|
* SCTP, UDPLITE support addedJozsef Kadlecsik2011-03-185-21/+29
| | | | SCTP and UDPLITE port support added to the hash:*port* types.
* Manpage was not installedJozsef Kadlecsik2011-03-181-0/+2
| | | | | Entry to install the manpage was missing from Makefile.am (reported by Mark A. Ziesemer)
* Print protocol version together with ipset versionJozsef Kadlecsik2011-02-031-1/+2
|
* Allow "new" as a commad alias to "create"Jozsef Kadlecsik2011-02-011-7/+7
| | | | It's too easy to mistype "n" to "new", so just allow it.
* ipset: improve command argument parsingHolger Eitzenberger2011-02-011-22/+20
| | | | | | | | | | | | | | | | | | | | | | The number of comparisons for a matching a command name can be made smaller by just checking on argv[1]. As an example consider the following 'create' arguments 'hashsize', 'family' and 'timeout'. When having the command create foo hash:ip timeout 60 family inet hashsize 64 it compares without this patch: strcmp("timeout", "hashsize") strcmp("64", "hashsize") strcmp("family", "hashsize") strcmp("inet", "hashsize") strcmp("hashsize", "hashsize") It is worse in practice, as 'create' has more arguments than this. Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
* ipset: avoid the unnecessary argv[] loopHolger Eitzenberger2011-02-011-50/+46
| | | | | | | | After stripping off the global options there simply has to follow a command name, there is no other syntax possible. Therefore the argv[] loop is unnecessary. Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
* ipset: pass ipset_arg argument pointerHolger Eitzenberger2011-02-011-8/+2
| | | | Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
* Fix the spelling error fix :-)Jozsef Kadlecsik2011-01-261-1/+1
| | | | Spelling error fixed (Ferenc Wagner)
* Correct the error codes: use ENOENT and EMSGSIZEJozsef Kadlecsik2011-01-261-1/+3
| | | | Use correct error codes (Patrick McHardy's review)
* ipset: fix spelling errorHolger Eitzenberger2011-01-251-2/+2
| | | | | Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Do session initialization onceHolger Eitzenberger2011-01-181-8/+6
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Show correct line numbers in restore output for parser errorsJozsef Kadlecsik2011-01-181-0/+3
| | | | | | | | | | | | | | | | | Parser errors are reported by a wrong lineno at restore, bug reported by Holger Eitzenberger: create foo6 hash:ip hashsize 64 family inet6 add foo6 20a1:1234:5678::/64 add foo6 20a1:1234:5679::/64 you get: ipset v5.2: Error in line 1: Syntax error: plain IP address must be supplied: 20a1:1234:5678::/64 Should be line 2 though. The solution is to set the session lineno before parsing.
* Should have gone to sleep: fix check_allowed. Really.Jozsef Kadlecsik2010-12-191-11/+11
| | | | | | | It's not as nice as I'd like to be: IPSET_CREATE_FLAGS and IPSET_ADT_FLAGS are required elsewhere, but to make life simpler, some flags (like IPSET_OPT_TYPENAME) are *not* added to the types full[] flags. So those must be excluded here.
* The fix of incorrect comparison in check_allowed completed.Jozsef Kadlecsik2010-12-181-22/+25
| | | | | There was still some other incorrect usage of 'enum ipset_cmd' and 'enum ipset_adt' - corrected.
* Fix incorrect comparison in check_allowedJozsef Kadlecsik2010-12-181-1/+1
| | | | Wrong enum type was used in the comparison, reported by Jan Engelhardt.