+2.4.2
+ - Only kernel part changes, see kernel/ChangeLoh
+
2.4.1
- macipmap type reported misleading deprecated separator
tokens and printed the old one at listing set elements
V=0
endif
-IPSET_VERSION:=2.4.1
+IPSET_VERSION:=2.4.2
PREFIX:=/usr/local
LIBDIR:=$(PREFIX)/lib
install: binaries_install modules_install
clean: $(EXTRA_CLEANS)
- rm -rf $(PROGRAMS) $(SHARED_LIBS) *.o *~
+ rm -rf $(PROGRAMS) $(SHARED_LIBS) *.o *~ tests/*~
[ -f $(KERNEL_DIR)/net/ipv4/netfilter/Config.in ] || (cd kernel; make -C $(KERNEL_DIR) M=`pwd` clean)
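Review bot: The recursive invocation on the last line of the clean rule is a literal `make` inside a subshell, so `-n`, `-j` and the jobserver are not propagated to the kernel-directory clean; the tail of that line should read `cd kernel && $(MAKE) -C $(KERNEL_DIR) …`. The `;` after `cd kernel` also means a failed `cd` still runs the kernel clean from the current directory with the wrong `M=` path, which `&&` avoids. The added `tests/*~` glob is harmless. I can't see whether the clean rule has further recipe lines past this hunk.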
#The ipset(8) self
#include <arpa/inet.h>
#include <linux/netfilter_ipv4/ip_set_iphash.h>
+
#include "ipset.h"
#define BUFLEN 30;
#include <arpa/inet.h>
#include <linux/netfilter_ipv4/ip_set_nethash.h>
-#include <linux/netfilter_ipv4/ip_set_hashes.h>
#include "ipset.h"
+2.4.2
+ - When flushing a nethash/ipportnethash type of set, it can
+ lead to a kernel crash due to a wrong type declaration,
+ bug reported by Krzysztof Oledzki.
+ - iptree and iptreemap types require the header file linux/timer.h,
+ also reported by Krzysztof Oledzki.
+
2.4.1
- Zero-valued element are not accepted by hash type of sets
because we cannot make a difference between a zero-valued
/* Macros to generate functions */
+#ifdef __KERNEL__
#define BITMAP_CREATE(type) \
static int \
type##_create(struct ip_set *set, const void *data, size_t size) \
.list_members = &type##_list_members, \
.me = THIS_MODULE, \
};
+#endif /* __KERNEL */
#endif /* __IP_SET_BITMAPS_H */
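Review bot: The closing comment on the new `#endif` names the wrong macro: the guard opened as `#ifdef __KERNEL__` but is closed with `#endif /* __KERNEL */`, which misleads anyone matching guards by eye; make it `#endif /* __KERNEL__ */`. Wrapping BITMAP_CREATE and its siblings in the kernel guard is the right call, since the generated ops reference `THIS_MODULE` and the userspace ipset binary includes the same per-type headers (see the `#include <linux/netfilter_ipv4/ip_set_iphash.h>` in the userspace sources above). The macro bodies between the two hunks are not in view.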
#ifndef __IP_SET_HASHES_H
#define __IP_SET_HASHES_H
+#define initval_t uint32_t
+
/* Macros to generate functions */
#ifdef __KERNEL__
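Review bot: `#define initval_t uint32_t` creates the alias as a preprocessor macro rather than a type: it is invisible to the debugger, has no scope, and a `_t` suffix conventionally promises a typedef; `typedef uint32_t initval_t;` gives the same result with the struct headers below unchanged. It sits above the `#ifdef __KERNEL__` block deliberately — the `initval_t initval[0]` members in the userspace-visible type headers need it — so either form has to stay outside the guard. If this header is ever included from userspace before `<stdint.h>` is in scope, `uint32_t` is undefined; I can't tell from this hunk whether ipset.h already guarantees that ordering.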
set->name, map->hashsize, hashsize); \
\
tmp = kmalloc(sizeof(struct ip_set_##type) \
- + map->probes * sizeof(uint32_t), GFP_ATOMIC); \
+ + map->probes * sizeof(initval_t), GFP_ATOMIC); \
if (!tmp) { \
DP("out of memory for %d bytes", \
sizeof(struct ip_set_##type) \
- + map->probes * sizeof(uint32_t)); \
+ + map->probes * sizeof(initval_t)); \
return -ENOMEM; \
} \
tmp->members = harray_malloc(hashsize, sizeof(dtype), GFP_ATOMIC);\
tmp->elements = 0; \
tmp->probes = map->probes; \
tmp->resize = map->resize; \
- memcpy(tmp->initval, map->initval, map->probes * sizeof(uint32_t));\
+ memcpy(tmp->initval, map->initval, map->probes * sizeof(initval_t));\
__##type##_retry(tmp, map); \
\
write_lock_bh(&set->lock); \
} \
\
map = kmalloc(sizeof(struct ip_set_##type) \
- + req->probes * sizeof(uint32_t), GFP_KERNEL); \
+ + req->probes * sizeof(initval_t), GFP_KERNEL); \
if (!map) { \
DP("out of memory for %d bytes", \
sizeof(struct ip_set_##type) \
- + req->probes * sizeof(uint32_t)); \
+ + req->probes * sizeof(initval_t)); \
return -ENOMEM; \
} \
for (i = 0; i < req->probes; i++) \
- get_random_bytes(((uint32_t *) map->initval)+i, 4); \
+ get_random_bytes(((initval_t *) map->initval)+i, 4); \
map->elements = 0; \
map->hashsize = req->hashsize; \
map->probes = req->probes; \
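Review bot: The seed loop still hard-codes the byte count: `get_random_bytes(((initval_t *) map->initval)+i, 4);` fills 4 bytes per probe while every allocation and copy in this hunk was switched to `sizeof(initval_t)`, so the alias is only half applied and a wider initval_t would leave the upper bytes of each jhash seed zero — weakening the randomization that keeps the hash layout unpredictable. Use `sizeof(initval_t)` there, or drop the loop and fill the whole array at once: `get_random_bytes(map->initval, req->probes * sizeof(initval_t));`. Separately, `DP("out of memory for %d bytes", …)` passes a size_t expression to `%d`; if DP reaches printk, `%zu` is the correct specifier. The HASH_CREATE macro continues beyond both ends of this hunk.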
{ \
struct ip_set_##type *map = set->data; \
harray_flush(map->members, map->hashsize, sizeof(dtype)); \
- memset(map->cidr, 0, 30 * sizeof(uint8_t)); \
- memset(map->nets, 0, 30 * sizeof(uint32_t)); \
+ memset(map->cidr, 0, sizeof(map->cidr)); \
+ memset(map->nets, 0, sizeof(map->nets)); \
map->elements = 0; \
}
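Review bot: The new `memset(map->nets, 0, sizeof(map->nets))` is the actual crash fix and deserves a one-line comment saying why, because the old form looked plausible: `nets` is declared `uint16_t nets[30]` in the nethash and ipportnethash headers below, so `30 * sizeof(uint32_t)` wrote 60 bytes past its end into the flexible `initval[]` array and, when `probes` was small, past the kmalloc'd object — a kernel heap overwrite reachable from a plain `ipset -F`. Suggested comment above the two memsets: `/* size from the arrays, not a literal 30 * 4: nets is uint16_t[30]; the old width overran into initval[] and crashed on flush */`. Deriving the length from the array, as done here and in the retry/create paths further down, is the pattern to keep. The flush macro's header is outside this hunk.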
#define __IP_SET_IPHASH_H
#include <linux/netfilter_ipv4/ip_set.h>
+#include <linux/netfilter_ipv4/ip_set_hashes.h>
#define SETTYPE_NAME "iphash"
uint16_t probes; /* max number of probes */
uint16_t resize; /* resize factor in percent */
ip_set_ip_t netmask; /* netmask */
- uint32_t initval[0]; /* initvals for jhash_1word */
+ initval_t initval[0]; /* initvals for jhash_1word */
};
struct ip_set_req_iphash_create {
#define __IP_SET_IPMAP_H
#include <linux/netfilter_ipv4/ip_set.h>
+#include <linux/netfilter_ipv4/ip_set_bitmaps.h>
#define SETTYPE_NAME "ipmap"
#define __IP_SET_IPPORTHASH_H
#include <linux/netfilter_ipv4/ip_set.h>
+#include <linux/netfilter_ipv4/ip_set_hashes.h>
#define SETTYPE_NAME "ipporthash"
uint16_t resize; /* resize factor in percent */
ip_set_ip_t first_ip; /* host byte order, included in range */
ip_set_ip_t last_ip; /* host byte order, included in range */
- uint32_t initval[0]; /* initvals for jhash_1word */
+ initval_t initval[0]; /* initvals for jhash_1word */
};
struct ip_set_req_ipporthash_create {
#define __IP_SET_IPPORTIPHASH_H
#include <linux/netfilter_ipv4/ip_set.h>
+#include <linux/netfilter_ipv4/ip_set_hashes.h>
#define SETTYPE_NAME "ipportiphash"
uint16_t resize; /* resize factor in percent */
ip_set_ip_t first_ip; /* host byte order, included in range */
ip_set_ip_t last_ip; /* host byte order, included in range */
- uint32_t initval[0]; /* initvals for jhash_1word */
+ initval_t initval[0]; /* initvals for jhash_1word */
};
struct ip_set_req_ipportiphash_create {
#define __IP_SET_IPPORTNETHASH_H
#include <linux/netfilter_ipv4/ip_set.h>
+#include <linux/netfilter_ipv4/ip_set_hashes.h>
#define SETTYPE_NAME "ipportnethash"
ip_set_ip_t last_ip; /* host byte order, included in range */
uint8_t cidr[30]; /* CIDR sizes */
uint16_t nets[30]; /* nr of nets by CIDR sizes */
- uint32_t initval[0]; /* initvals for jhash_1word */
+ initval_t initval[0]; /* initvals for jhash_1word */
};
struct ip_set_req_ipportnethash_create {
#define __IP_SET_MACIPMAP_H
#include <linux/netfilter_ipv4/ip_set.h>
+#include <linux/netfilter_ipv4/ip_set_bitmaps.h>
#define SETTYPE_NAME "macipmap"
#define __IP_SET_NETHASH_H
#include <linux/netfilter_ipv4/ip_set.h>
+#include <linux/netfilter_ipv4/ip_set_hashes.h>
#define SETTYPE_NAME "nethash"
uint16_t resize; /* resize factor in percent */
uint8_t cidr[30]; /* CIDR sizes */
uint16_t nets[30]; /* nr of nets by CIDR sizes */
- uint32_t initval[0]; /* initvals for jhash_1word */
+ initval_t initval[0]; /* initvals for jhash_1word */
};
struct ip_set_req_nethash_create {
#define __IP_SET_PORTMAP_H
#include <linux/netfilter_ipv4/ip_set.h>
+#include <linux/netfilter_ipv4/ip_set_bitmaps.h>
#define SETTYPE_NAME "portmap"
#include <net/ip.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ip_set_hashes.h>
#include <linux/netfilter_ipv4/ip_set_iphash.h>
static int limit = MAX_RANGE;
#include <asm/bitops.h>
#include <linux/spinlock.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ip_set_bitmaps.h>
#include <linux/netfilter_ipv4/ip_set_ipmap.h>
static inline ip_set_ip_t
#include <net/ip.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ip_set_hashes.h>
#include <linux/netfilter_ipv4/ip_set_ipporthash.h>
#include <linux/netfilter_ipv4/ip_set_getport.h>
#include <net/ip.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ip_set_hashes.h>
#include <linux/netfilter_ipv4/ip_set_ipportiphash.h>
#include <linux/netfilter_ipv4/ip_set_getport.h>
#include <net/ip.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ip_set_hashes.h>
#include <linux/netfilter_ipv4/ip_set_ipportnethash.h>
#include <linux/netfilter_ipv4/ip_set_getport.h>
{
tmp->first_ip = map->first_ip;
tmp->last_ip = map->last_ip;
- memcpy(tmp->cidr, map->cidr, 30 * sizeof(uint8_t));
- memcpy(tmp->nets, map->nets, 30 * sizeof(uint16_t));
+ memcpy(tmp->cidr, map->cidr, sizeof(tmp->cidr));
+ memcpy(tmp->nets, map->nets, sizeof(tmp->nets));
}
HASH_RETRY2(ipportnethash, struct ipportip)
}
map->first_ip = req->from;
map->last_ip = req->to;
- memset(map->cidr, 0, 30 * sizeof(uint8_t));
- memset(map->nets, 0, 30 * sizeof(uint16_t));
+ memset(map->cidr, 0, sizeof(map->cidr));
+ memset(map->nets, 0, sizeof(map->nets));
return 0;
}
#include <asm/uaccess.h>
#include <asm/bitops.h>
#include <linux/spinlock.h>
+#include <linux/timer.h>
#include <linux/netfilter_ipv4/ip_set.h>
#include <linux/netfilter_ipv4/ip_set_bitmaps.h>
#include <asm/uaccess.h>
#include <asm/bitops.h>
#include <linux/spinlock.h>
+#include <linux/timer.h>
#include <linux/netfilter_ipv4/ip_set.h>
#include <linux/netfilter_ipv4/ip_set_bitmaps.h>
#include <linux/spinlock.h>
#include <linux/if_ether.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ip_set_bitmaps.h>
#include <linux/netfilter_ipv4/ip_set_macipmap.h>
static int
#include <net/ip.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ip_set_hashes.h>
#include <linux/netfilter_ipv4/ip_set_nethash.h>
static int limit = MAX_RANGE;
static inline void
__nethash_retry(struct ip_set_nethash *tmp, struct ip_set_nethash *map)
{
- memcpy(tmp->cidr, map->cidr, 30 * sizeof(uint8_t));
- memcpy(tmp->nets, map->nets, 30 * sizeof(uint16_t));
+ memcpy(tmp->cidr, map->cidr, sizeof(tmp->cidr));
+ memcpy(tmp->nets, map->nets, sizeof(tmp->nets));
}
HASH_RETRY(nethash, ip_set_ip_t)
__nethash_create(const struct ip_set_req_nethash_create *req,
struct ip_set_nethash *map)
{
- memset(map->cidr, 0, 30 * sizeof(uint8_t));
- memset(map->nets, 0, 30 * sizeof(uint16_t));
+ memset(map->cidr, 0, sizeof(map->cidr));
+ memset(map->nets, 0, sizeof(map->nets));
return 0;
}
#include <net/ip.h>
-#include <linux/netfilter_ipv4/ip_set.h>
-#include <linux/netfilter_ipv4/ip_set_bitmaps.h>
#include <linux/netfilter_ipv4/ip_set_portmap.h>
#include <linux/netfilter_ipv4/ip_set_getport.h>
/* ipt_SET.c - netfilter target to manipulate IP sets */
-#include <linux/types.h>
-#include <linux/ip.h>
-#include <linux/timer.h>
#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/netdevice.h>
-#include <linux/if.h>
-#include <linux/inetdevice.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
#include <linux/version.h>
-#include <net/protocol.h>
-#include <net/checksum.h>
+
#include <linux/netfilter_ipv4.h>
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
#include <linux/netfilter_ipv4/ip_tables.h>
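Review bot: The include pruning drops `<linux/netfilter.h>`, `<linux/netdevice.h>`, `<linux/if.h>`, `<linux/inetdevice.h>` and `<linux/timer.h>` and relies on `<linux/netfilter_ipv4.h>`, `<linux/skbuff.h>` and the ip_set headers to pull in whatever the target code uses; since the file still supports pre-2.6.16 kernels (the `LINUX_VERSION_CODE` check in this hunk), transitive coverage differs by version and this is the same class of omission the 2.4.2 changelog fixes for iptree with `linux/timer.h`. I can't see the target body from here, so this is a request to build-test against the oldest supported kernel rather than a known breakage. If any removed header turns out to be needed directly, re-add it explicitly rather than relying on an indirect include.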
0 ipset -T test 192.168.68.69
# IP: Test value not added to the set
1 ipset -T test 2.0.0.2
+# IP: Flush test set
+0 ipset -F test
# IP: Delete test set
0 ipset -X test
# IP: Restore values so that rehashing is triggered
0 ipset -R < iphash.t.restore
# IP: Check that all values are restored
0 (egrep -v '#|-N' iphash.t.restore | sort > .foo.1) && (ipset -S test | egrep -v '#|-N' | sort > .foo.2) && cmp .foo.1 .foo.2 && rm .foo.*
+# IP: Flush test set
+0 ipset -F test
# IP: Delete test set
0 ipset -X test
# Network: Create a set
0 ipset -T test 192.168.68.95
# Network: Test value not added to the set
1 ipset -T test 2.0.1.0
+# Network: Flush test set
+0 ipset -F test
# Network: Delete test set
0 ipset -X test
# eof
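Review bot: The new flush steps only assert that `ipset -F test` exits 0; they do not check that the flush emptied the set, so a flush that returned success but left members behind, or zeroed the wrong memory without oopsing, would still pass. After each `0 ipset -F test`, add a negative lookup for a member the surrounding lines already prove present, e.g. in the IP section `# IP: Test value gone after flush` followed by `1 ipset -T test 192.168.68.69`, and `1 ipset -T test 192.168.68.95` for the Network section. The `-A` lines that populate the set are outside this hunk, so choose values the visible `-T` lines confirm.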
1 ipset -A test 2.0.0.0
# Range: Try to add value after upper boundary
1 ipset -A test 2.1.0.1
-# Range: Delete test test
+# Range: Flush test set
+0 ipset -F test
+# Range: Delete test set
0 ipset -X test
# Network: Try to create a set from an invalid network
2 ipset -N test ipmap --network 2.0.0.0/15
1 ipset -A test 1.255.255.255
# Network: Try to add value after upper boundary
1 ipset -A test 2.1.0.0
-# Network: Delete test test
+# Network: Flush test set
+0 ipset -F test
+# Network: Delete test set
0 ipset -X test
# Subnets: Create a set to store networks
0 ipset -N test ipmap --network 10.0.0.0/8 --netmask 24
1 ipset -A test 9.255.255.255
# Subnets: Try to add value after upper boundary
1 ipset -A test 11.0.0.0
-# Subnets: Delete test test
+# Subnets: FLush test set
+0 ipset -F test
+# Subnets: Delete test set
0 ipset -X test
# Full: Create full IPv4 space with /16 networks
0 ipset -N test ipmap --network 0.0.0.0/0 --netmask 16
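Review bot: Typo in the new test comment: `# Subnets: FLush test set` should read `# Subnets: Flush test set`, matching the other comments added in this file. The comment is only descriptive, but these test scripts double as documentation of the expected behaviour, so consistent wording helps.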
1 ipset -A test 2.0.0.0,5
# Range: Try to add value after upper boundary
1 ipset -A test 2.1.0.1,128
-# Range: Delete test test
+# Range: Flush test set
+0 ipset -F test
+# Range: Delete test set
0 ipset -X test
# Network: Try to create a set from an invalid network
2 ipset -N test ipporthash --network 2.0.0.0/15
1 ipset -A test 1.255.255.255,5
# Network: Try to add value after upper boundary
1 ipset -A test 2.1.0.0,128
+# Network: Flush test set
+0 ipset -F test
# Network: Delete test set
0 ipset -X test
# eof
1 ipset -A test 2.0.0.0,5,1.1.1.1
# Range: Try to add value after upper boundary
1 ipset -A test 2.1.0.1,128,2.2.2.2
-# Range: Delete test test
+# Range: Flush test set
+0 ipset -F test
+# Range: Delete test set
0 ipset -X test
# Network: Try to create a set from an invalid network
2 ipset -N test ipportiphash --network 2.0.0.0/15
1 ipset -A test 1.255.255.255,5,1.1.1.1
# Network: Try to add value after upper boundary
1 ipset -A test 2.1.0.0,128,2.2.2.2
+# Network: Flush test set
+0 ipset -F test
# Network: Delete test set
0 ipset -X test
# eof
1 ipset -A test 2.0.0.0,5,1.1.1.1/24
# Range: Try to add value after upper boundary
1 ipset -A test 2.1.0.1,128,2.2.2.2/12
-# Range: Delete test test
+# Range: Flush test set
+0 ipset -F test
+# Range: Delete test set
0 ipset -X test
# Network: Try to create a set from an invalid network
2 ipset -N test ipportnethash --network 2.0.0.0/15
1 ipset -A test 1.255.255.255,5,1.1.1.1/24
# Network: Try to add value after upper boundary
1 ipset -A test 2.1.0.0,128,2.2.2.2/12
+# Network: Flush test set
+0 ipset -F test
# Network: Delete test set
0 ipset -X test
# eof
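Review bot: This is one of the two set types whose flush crashed in 2.4.1 per the kernel changelog, yet the added `0 ipset -F test` checks only the exit status, so it would not catch a flush that silently failed to clear the set or corrupted adjacent fields without oopsing. Follow each flush with a negative lookup on an element added earlier in the file, `1 ipset -T test <ip>,<port>,<net>` with the values the earlier `-A` lines used, and optionally a second `0 ipset -F test` to show that flushing an already-empty set is also safe. The elements added earlier are outside this hunk, so I can't name them here.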
1 ipset -T test 2.0.0.2
# Static: Test value not added to the set
1 ipset -T test 192.168.68.70
-# Static: Delete test test
+# Static: Flush test set
+0 ipset -F test
+# Static: Delete test set
0 ipset -X test
# Timeout: Create a set with a timeout parameter
0 ipset -N test iptree --timeout 5
0 sleep 4
# Timeout: Test entry added with 3s timeout
1 ipset -T test 2.0.0.2
+# Timeout: Flush test set
+0 ipset -F test
# Timeout: Delete test set
0 ipset -X test
# eof
0 ipset -T test 192.168.68.67
# Test element after upper bound of deleted network
0 ipset -T test 192.168.68.72
+# Flush test set
+0 ipset -F test
# Delete test set
0 ipset -X test
# eof
1 ipset -T test 2.0.0.2,00:11:22:33:44:56
# Range: Test value with valid MAC
0 ipset -T test 2.0.0.2,00:11:22:33:44:55
-# Range: Delete test test
+# Range: Flush test set
+0 ipset -F test
+# Range: Delete test set
0 ipset -X test
# Network: Try to create a set from an invalid network
2 ipset -N test macipmap --network 2.0.0.0/15
1 ipset -A test 1.255.255.255
# Network: Try to add value after upper boundary
1 ipset -A test 2.1.0.0
+# Network: Flush test set
+0 ipset -F test
# Network: Delete test set
0 ipset -X test
# eof
1 ipset -T test 2.0.1.0
# Try to add IP address
2 ipset -A test 2.0.0.1
+# Flush test set
+0 ipset -F test
# Delete test set
0 ipset -X test
# eof
1 ipset -A test 0
# Range: Try to add value after upper boundary
1 ipset -A test 1025
-# Range: Delete test test
+# Range: Flush test set
+0 ipset -F test
+# Range: Delete test set
0 ipset -X test
# Full: Create a full set of ports
0 ipset -N test portmap --from 0 --to 65535
0 ipset -T test 65535
# Full: Test value not added to the set
1 ipset -T test 1
+# Full: Flush test set
+0 ipset -F test
# Full: Delete test set
0 ipset -X test
# eof
1 ipset -D test foo,after,bar
# Setlist: Delete bar,after,foo
0 ipset -D test bar,after,foo
-# Setlist: Delete test test
+# Setlist: Flush test set
+0 ipset -F test
+# Setlist: Delete test set
0 ipset -X test
# eof