SCTP and UDPLITE port support added to the hash:*port* types.
{
switch (proto) {
case IPPROTO_TCP:
+ case IPPROTO_SCTP:
case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
return true;
}
return false;
#include <linux/skbuff.h>
#include <linux/icmp.h>
#include <linux/icmpv6.h>
+#include <linux/sctp.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ip.h>
#include <net/ipv6.h>
*port = src ? th->source : th->dest;
break;
}
- case IPPROTO_UDP: {
+ case IPPROTO_SCTP: {
+ sctp_sctphdr_t _sh;
+ const sctp_sctphdr_t *sh;
+
+ sh = skb_header_pointer(skb, protooff, sizeof(_sh), &_sh);
+ if (sh == NULL)
+ /* No choice either */
+ return false;
+
+ *port = src ? sh->source : sh->dest;
+ break;
+ }
+ case IPPROTO_UDP:
+ case IPPROTO_UDPLITE: {
struct udphdr _udph;
const struct udphdr *uh;
.features = IPSET_TYPE_IP | IPSET_TYPE_PORT,
.dimension = IPSET_DIM_TWO,
.family = AF_UNSPEC,
- .revision = 0,
+ .revision = 1,
.create = hash_ipport_create,
.create_policy = {
[IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
.features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2,
.dimension = IPSET_DIM_THREE,
.family = AF_UNSPEC,
- .revision = 0,
+ .revision = 1,
.create = hash_ipportip_create,
.create_policy = {
[IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
.features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2,
.dimension = IPSET_DIM_THREE,
.family = AF_UNSPEC,
- .revision = 0,
+ .revision = 1,
.create = hash_ipportnet_create,
.create_policy = {
[IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
.features = IPSET_TYPE_IP | IPSET_TYPE_PORT,
.dimension = IPSET_DIM_TWO,
.family = AF_UNSPEC,
- .revision = 0,
+ .revision = 1,
.create = hash_netport_create,
.create_policy = {
[IPSET_ATTR_HASHSIZE] = { .type = NLA_U32 },
p = *(const uint8_t *) ipset_data_get(data, IPSET_OPT_PROTO);
switch (p) {
case IPPROTO_TCP:
- proto = tmp;
- tmp = a;
- goto parse_port;
+ case IPPROTO_SCTP:
case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
proto = tmp;
tmp = a;
goto parse_port;
switch (proto) {
case IPPROTO_TCP:
+ case IPPROTO_SCTP:
case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
break;
case IPPROTO_ICMP:
return ipset_print_icmp(buf + offset, len, data,
struct ipset_data *data;
const char *typename;
uint8_t family, tmin = 0, tmax = 0;
- const uint8_t *kmin, *kmax;
+ uint8_t kmin, kmax;
int ret;
data = ipset_session_data(session);
if (ret != 0)
return NULL;
- kmax = ipset_data_get(data, IPSET_OPT_REVISION);
+ kmax = *(const uint8_t *)ipset_data_get(data, IPSET_OPT_REVISION);
if (ipset_data_test(data, IPSET_OPT_REVISION_MIN))
- kmin = ipset_data_get(data, IPSET_OPT_REVISION_MIN);
+ kmin = *(const uint8_t *)ipset_data_get(data, IPSET_OPT_REVISION_MIN);
else
kmin = kmax;
- if (MAX(tmin, *kmin) > MIN(tmax, *kmax)) {
- if (*kmin > tmax)
+ if (MAX(tmin, kmin) > MIN(tmax, kmax)) {
+ if (kmin > tmax)
return ipset_errptr(session,
- "Kernel supports %s type with family %s "
- "in minimal revision %u while ipset library "
- "in maximal revision %u. "
- "You need to upgrade your ipset library.",
+ "Kernel supports %s type, family %s "
+ "with minimal revision %u while ipset program "
+ "with maximal revision %u.\n"
+ "You need to upgrade your ipset program.",
typename,
family == AF_INET ? "INET" :
family == AF_INET6 ? "INET6" : "UNSPEC",
- *kmin, tmax);
+ kmin, tmax);
else
return ipset_errptr(session,
- "Kernel supports %s type with family %s "
- "in maximal revision %u while ipset library "
- "in minimal revision %u. "
+ "Kernel supports %s type, family %s "
+ "with maximal revision %u while ipset program "
+ "with minimal revision %u.\n"
"You need to upgrade your kernel.",
typename,
family == AF_INET ? "INET" :
family == AF_INET6 ? "INET6" : "UNSPEC",
- *kmax, tmin);
+ kmax, tmin);
}
match->kernel_check = IPSET_KERNEL_OK;
\fBrange\fP \fIfromport\fP\-\fItoport\fR
Create the set from the specified inclusive port range.
.PP
+The \fBset\fR match and \fBSET\fR target netfilter kernel modules interpret
+the stored numbers as TCP or UDP port numbers.
+.PP
Examples:
.IP
ipset create foo bitmap:port range 0\-1024
.PP
Examples:
.IP
-ipset create foo hash:ip netmask 24
+ipset create foo hash:ip netmask 30
.IP
-ipset add foo 192.168.1.1\-192.168.1.2
+ipset add foo 192.168.1.0/24
.IP
ipset test foo 192.168.1.2
.SS hash:net
The maximal number of elements which can be stored in the set, default 65536.
.PP
When adding/deleting/testing entries, if the cidr prefix parameter is not specified,
-then the host prefix value is assumed. When adding/deleting entries, overlapping
-elements are not checked.
+then the host prefix value is assumed. When adding/deleting entries, the exact
+element is added/deleted and overlapping elements are not checked by the kernel.
+When testing entries, if a host address is tested, then the kernel tries to match
+the host address in the networks added to the set and reports the result accordingly.
.PP
From the \fBset\fR netfilter match point of view the searching for a match
always starts from the smallest size of netblock (most specific
.IP
ipset create foo hash:net
.IP
-ipset add foo 192.168.0/24
+ipset add foo 192.168.0.0/24
.IP
ipset add foo 10.1.0.0/16
.IP
\fIportnumber[\-portnumber]\fR
TCP port or range of ports expressed in TCP port numbers
.TP
-\fBtcp\fR|\fBudp\fR:\fIportname\fR|\fIportnumber\fR[\-\fIportname\fR|\fIportnumber\fR]
-TCP or UDP port or port range expressed in port name(s) or port number(s)
+\fBtcp\fR|\fBsctp\fR|\fBudp\fR|\fBudplite\fR:\fIportname\fR|\fIportnumber\fR[\-\fIportname\fR|\fIportnumber\fR]
+TCP, SCTP, UDP or UDPLITE port or port range expressed in port name(s) or port number(s)
.TP
\fBicmp\fR:\fIcodename\fR|\fItype\fR/\fIcode\fR
ICMP codename or type/code. The supported ICMP codename identifiers can always
.IP
ipset add foo 192.168.1.1,udp:53
.IP
-ipset add foo 192.168.1.1,ospf:0
+ipset add foo 192.168.1.1,vrrp:0
.IP
ipset test foo 192.168.1.1,80
.SS hash:net,port
\fBhash:ip,port\fR set type.
.PP
When adding/deleting/testing entries, if the cidr prefix parameter is not specified,
-then the host prefix value is assumed. When adding/deleting entries, overlapping
-elements are not checked.
+then the host prefix value is assumed. When adding/deleting entries, the exact
+element is added/deleted and overlapping elements are not checked by the kernel.
+When testing entries, if a host address is tested, then the kernel tries to match
+the host address in the networks added to the set and reports the result accordingly.
.PP
From the \fBset\fR netfilter match point of view the searching for a match
always starts from the smallest size of netblock (most specific
" IP is a valid IPv4 or IPv6 address (or hostname).\n"
" Adding/deleting multiple elements in IP/CIDR or FROM-TO form\n"
" is supported for IPv4.\n"
-" Adding/deleting multiple elements with TCP/UDP port range\n"
-" is supported both for IPv4 and IPv6.\n";
+" Adding/deleting multiple elements with TCP/SCTP/UDP/UDPLITE\n"
+" port range is supported both for IPv4 and IPv6.\n";
struct ipset_type ipset_hash_ipport0 = {
.name = "hash:ip,port",
.alias = { "ipporthash", NULL },
- .revision = 0,
+ .revision = 1,
.family = AF_INET46,
.dimension = IPSET_DIM_TWO,
.elem = {
" IP is a valid IPv4 or IPv6 address (or hostname).\n"
" Adding/deleting multiple elements in IP/CIDR or FROM-TO form\n"
" in the first IP component is supported for IPv4.\n"
-" Adding/deleting multiple elements with TCP/UDP port range\n"
-" is supported both for IPv4 and IPv6.\n";
+" Adding/deleting multiple elements with TCP/SCTP/UDP/UDPLITE\n"
+" port range is supported both for IPv4 and IPv6.\n";
struct ipset_type ipset_hash_ipportip0 = {
.name = "hash:ip,port,ip",
.alias = { "ipportiphash", NULL },
- .revision = 0,
+ .revision = 1,
.family = AF_INET46,
.dimension = IPSET_DIM_THREE,
.elem = {
" CIDR is a valid IPv4 or IPv6 CIDR prefix.\n"
" Adding/deleting multiple elements in IP/CIDR or FROM-TO form\n"
" in the first IP component is supported for IPv4.\n"
-" Adding/deleting multiple elements with TCP/UDP port range\n"
-" is supported both for IPv4 and IPv6.\n";
+" Adding/deleting multiple elements with TCP/SCTP/UDP/UDPLITE\n"
+" port range is supported both for IPv4 and IPv6.\n";
struct ipset_type ipset_hash_ipportnet0 = {
.name = "hash:ip,port,net",
.alias = { "ipportnethash", NULL },
- .revision = 0,
+ .revision = 1,
.family = AF_INET46,
.dimension = IPSET_DIM_THREE,
.elem = {
"where depending on the INET family\n"
" IP is a valid IPv4 or IPv6 address (or hostname),\n"
" CIDR is a valid IPv4 or IPv6 CIDR prefix.\n"
-" Adding/deleting multiple elements with TCP/UDP port range supported.\n";
+" Adding/deleting multiple elements with TCP/SCTP/UDP/UDPLITE\n"
+" port range is supported both for IPv4 and IPv6.\n";
struct ipset_type ipset_hash_netport0 = {
.name = "hash:net,port",
.alias = { "netporthash", NULL },
- .revision = 0,
+ .revision = 1,
.family = AF_INET46,
.dimension = IPSET_DIM_TWO,
.elem = {
0 ipset add test 2.0.0.1,vrrp:0
# Test element with vrrp
0 ipset test test 2.0.0.1,vrrp:0
+# Add element with sctp
+0 ipset add test 2.0.0.1,sctp:80
+# Test element with sctp
+0 ipset test test 2.0.0.1,sctp:80
+# Delete element with sctp
+0 ipset del test 2.0.0.1,sctp:80
# List set
0 ipset list test > .foo0 && ./sort.sh .foo0
# Check listing
projects / ipset / commitdiff