The next patch will introduce a nfnl_dereference() macro that actually
checks that the appropriate mutex is held and therefore needs a
subsystem argument.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Patch "add hash:ip,mark data type to ipset" broke the API and
library release versioning with not incrementing "current",
just "age", which is fixed here. Reported by Mathieu Bridon.
Josh Hunt [Sat, 1 Mar 2014 03:14:57 +0000 (22:14 -0500)]
ipset: add forceadd kernel support for hash set types
Adds a new property for hash set types, where if a set is created
with the 'forceadd' option and the set becomes full the next addition
to the set may succeed and evict a random entry from the set.
To keep overhead low eviction is done very simply. It checks to see
which bucket the new entry would be added. If the bucket's pos value
is non-zero (meaning there's at least one entry in the bucket) it
replaces the first entry in the bucket. If pos is zero, then it continues
down the normal add process.
This property is useful if you have a set for 'ban' lists where it may
not matter if you release some entries from the set early.
Ilia Mirkin [Sun, 16 Feb 2014 10:18:52 +0000 (11:18 +0100)]
netfilter: ipset: move registration message to init from net_init
Commit 1785e8f473 ("netfiler: ipset: Add net namespace for ipset") moved
the initialization print into net_init, which can get called a lot due
to namespaces. Move it back into init, reduce to pr_info.
Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Florian Westphal [Thu, 13 Feb 2014 11:40:59 +0000 (12:40 +0100)]
kernel: uapi: fix MARKMASK attr ABI breakage
commit 2dfb973c0dcc6d2211 (add markmask for hash:ip,mark data type)
inserted IPSET_ATTR_MARKMASK in-between other enum values, i.e.
changing values of all further attributes. This causes 'ipset list'
segfault on existing kernels since ipset no longer finds
IPSET_ATTR_MEMSIZE (it has a different value on kernel side).
Jozsef points out it should be moved below IPSET_ATTR_MARK which
works since there is some extra reserved space after that value.
Florian Westphal [Wed, 12 Feb 2014 09:27:19 +0000 (10:27 +0100)]
lib: fix ifname 'physdev:' prefix parsing
hash:net,iface supports matching on the bridge port as well,
but userspace currently doesn't handle it correctly as it passes
in 'physdev:eth0' instead of 'eth0'+IPSET_OPT_PHYSDEV.
Vytas Dauksa [Tue, 17 Dec 2013 14:01:43 +0000 (14:01 +0000)]
add hash:ip,mark data type to ipset
Introduce packet mark support with new ip,mark hash set. This includes
userspace and kernelspace code, hash:ip,mark set tests and man page
updates.
The intended use of ip,mark set is similar to the ip:port type, but for
protocols which don't use a predictable port number. Instead of port
number it matches a firewall mark determined by a layer 7 filtering
program like opendpi.
As well as allowing or blocking traffic it will also be used for
accounting packets and bytes sent for each protocol.
net/netfilter/ipset/ip_set_hash_netnet.c:115:8-9: WARNING: return of 0/1 in function 'hash_netnet4_data_list' with return type bool
/c/kernel-tests/src/cocci/net/netfilter/ipset/ip_set_hash_netnet.c:338:8-9: WARNING: return of 0/1 in function 'hash_netnet6_data_list' with return type bool
Return statements in functions returning bool should use
true/false instead of 1/0.
Generated by: coccinelle/misc/boolreturn.cocci
David Binderman [Tue, 3 Dec 2013 16:11:23 +0000 (17:11 +0100)]
Typo in ip_set_hash_netnet.c fixed
I just ran the static analyser "cppcheck" over the source
code of linux-3.13-rc1. It said
[linux-3.13-rc1/net/netfilter/ipset/ip_set_hash_netnet.c:62] ->
[linux-3.13-rc1/net/net
filter/ipset/ip_set_hash_netnet.c:62]: (style)
Same expression on both sides of '=='.
Sergey Popovich [Tue, 12 Nov 2013 10:30:56 +0000 (12:30 +0200)]
Fix all set output from list/save when set with counters in use.
Using upstream version with counters support we have following
output when listing all sets currently configured:
--------------------------------------------------
Set test-3 created without counters, but displayed as with counters
present.
Restricting output to list only test-3 set we have:
---------------------------------------------------
# ipset list test-3
Name: test-3
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16520
References: 0
Members:
192.0.2.1
So test-3 set created correctly without counters support, but in
all sets listing it displayed as such one with counters.
It seems with commit 5a6021823aa0da24b83f8d03f46ad4202f149fa3
(Support counters in the ipset library) we fogot to add counter
options flags to IPSET_CREATE_FLAGS and IPSET_ADT_FLAGS defines to
clear these flags when preparing output in callback_list() from
lib/session.c.
v2: Remove IPSET_OPT_BYTES, IPSET_PAKETS from CREATE and
IPSET_OPT_COUNTERS from ADT.
Sergey Popovich [Thu, 7 Nov 2013 10:56:45 +0000 (12:56 +0200)]
ipset: Follow manual page behavior for SET target on list:set
ipset(8) for list:set says:
The match will try to find a matching entry in the sets and the
target will try to add an entry to the first set to which it can
be added.
However real behavior is bit differ from described. Consider example:
# iptables -A INPUT -p tcp --destination-port 25 -j SET --add-set test-1 src
# ip6tables -A INPUT -p tcp --destination-port 25 -j SET --add-set test-1 src
And then when iptables/ip6tables rule matches packet IPSET target
tries to add src from packet to the list:set test-1 where first
entry is test-1-v4 and the second one is test-1-v6.
For IPv4, as it first entry in test-1 src added to test-1-v4
correctly, but for IPv6 src not added!
Placing test-1-v6 to the first element of list:set makes behavior
correct for IPv6, but brokes for IPv4.
This is due to result, returned from ip_set_add() and ip_set_del() from
net/netfilter/ipset/ip_set_core.c when set in list:set equires more
parameters than given or address families do not match (which is this
case).
It seems wrong returning 0 from ip_set_add() and ip_set_del() in
this case, as 0 should be returned only when an element successfuly
added/deleted to/from the set, contrary to ip_set_test() which
returns 0 when no entry exists and >0 when entry found in set.
Nikolay Martynov [Thu, 31 Oct 2013 04:34:31 +0000 (00:34 -0400)]
ipset: fix timeout data type size
Currently it is impossible to set timeout on some architectures
(MIPS ar71xx at least) because timeout is parsed into long long data
type but used as uint32 without proper conversion. This patch fixes
this issue. Tested on ar71xx router.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Jozsef Kadlecsik [Fri, 18 Oct 2013 12:03:41 +0000 (14:03 +0200)]
Fix memory allocation for bitmap:port
At the restructuring of the bitmap types creation in ipset, for the
bitmap:port type wrong (too large) memory allocation was copied
(netfilter bugzilla id #859).
Oliver Smith [Fri, 11 Oct 2013 14:41:12 +0000 (16:41 +0200)]
netfilter: ipset: Fix configure failure when --with-kmod=no
When configuring the sources to build without kernel modules, the path
to the kernel sources was not set and the kernel header files were still
checked.
Now, we do not check the kernel sources for compatibility if we're not
going to build any kernel modules.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
The unnamed union initialization may lead to compilation error
The unnamed union should be possible to be initialized directly, but
unfortunately it's not so:
/usr/src/ipset/kernel/net/netfilter/ipset/ip_set_hash_netnet.c: In
function ?hash_netnet4_kadt?:
/usr/src/ipset/kernel/net/netfilter/ipset/ip_set_hash_netnet.c:141:
error: unknown field ?cidr? specified in initializer
Use dev_net() instead of the direct access to ->nd_net
We have to use dev_net() instead of the direct access to ->nd_net,
otherwise compilation fails if NET_NS is not enabled. Reported by
the kbuild test robot.
Major changes were made in ip_set_core.c and ip_set.h.
Global variables are moved to per net namespace.
Added initialization code and the destruction of the network namespace ipset subsystem.
In the prototypes of public functions ip_set_* added parameter "struct net*".
The remaining corrections related to the change prototypes of public functions ip_set_*.
Oliver Smith [Sun, 22 Sep 2013 18:56:35 +0000 (20:56 +0200)]
ipset: Support comments in the userspace library.
This adds support to the userspace portion of ipset for handling ipsets
with the comment extension enabled. The library revision has been raised
accordingly.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Sun, 22 Sep 2013 18:56:34 +0000 (20:56 +0200)]
ipset: Rework the "fake" argument parsing for ipset restore.
This reworks the argument parsing functionality of ipset to handle
quote-delimited lines in such a way that they are considered to be a
single argument.
This commit is necessary for ipset to successfully restore sets that
have comments.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Sun, 22 Sep 2013 18:56:32 +0000 (20:56 +0200)]
netfilter: ipset: Support comments in bitmap-type ipsets.
This provides kernel support for creating bitmap ipsets with comment
support.
As is the case for hashes, this incurs a penalty when flushing or
destroying the entire ipset as the entries must first be walked in order
to free the comment strings. This penalty is of course far less than the
cost of listing an ipset to userspace. Any set created without support
for comments will be flushed/destroyed as before.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Sun, 22 Sep 2013 18:56:31 +0000 (20:56 +0200)]
netfilter: ipset: Support comments in hash-type ipsets.
This provides kernel support for creating ipsets with comment support.
This does incur a penalty to flushing/destroying an ipset since all
entries are walked in order to free the allocated strings, this penalty
is of course less expensive than the operation of listing an ipset to
userspace, so for general-purpose usage the overall impact is expected
to be little to none.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Sun, 22 Sep 2013 18:56:30 +0000 (20:56 +0200)]
netfilter: ipset: Support comments for ipset entries in the core.
This adds the core support for having comments on ipset entries.
The comments are stored as standard null-terminated strings in
dynamically allocated memory after being passed to the kernel. As a
result of this, code has been added to the generic destroy function to
iterate all extensions and call that extension's destroy task if the set
has that extension activated, and if such a task is defined.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Fri, 20 Sep 2013 08:13:54 +0000 (10:13 +0200)]
ipset: Add userspace code to support hash:net,net kernel module.
This adds the userspace library, tests to validate correct operation of
the module and also provides appropriate usage information in the man
page. The library version has been bumped accordingly.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Fri, 20 Sep 2013 08:13:53 +0000 (10:13 +0200)]
netfilter: ipset: Add hash:net,net module to kernel.
This adds a new set that provides the ability to configure pairs of
subnets. A small amount of additional handling code has been added to
the generic hash header file - this code is conditionally activated by a
preprocessor definition.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Sat, 14 Sep 2013 09:05:53 +0000 (11:05 +0200)]
netfilter: ipset: Fix serious failure in CIDR tracking
This fixes a serious bug affecting all hash types with a net element -
specifically, if a CIDR value is deleted such that none of the same size
exist any more, all larger (less-specific) values will then fail to
match. Adding back any prefix with a CIDR equal to or more specific than
the one deleted will fix it.
Steps to reproduce:
ipset -N test hash:net
ipset -A test 1.1.0.0/16
ipset -A test 2.2.2.0/24
ipset -T test 1.1.1.1 #1.1.1.1 IS in set
ipset -D test 2.2.2.0/24
ipset -T test 1.1.1.1 #1.1.1.1 IS NOT in set
This is due to the fact that the nets counter was unconditionally
decremented prior to the iteration that shifts up the entries. Now, we
first check if there is a proceeding entry and if not, decrement it and
return. Otherwise, we proceed to iterate and then zero the last element,
which, in most cases, will already be zero.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Default timeout and extension offsets are moved to struct set, because
all set types supports all extensions and it makes possible to generalize
extension support.
Prepare ipset to support multiple networks for hash types
In order to support hash:net,net, hash:net,port,net etc. types,
arrays are introduced for the book-keeping of existing cidr sizes
and network numbers in a set.
Introduce new operation to get both setname and family
ip[6]tables set match and SET target need to know the family of the set
in order to reject adding rules which refer to a set with a non-mathcing
family. Currently such rules are silently accepted and then ignored
instead of generating a clear error message to the user, which is not
helpful.
The only place in ipset where ipset_parse_elem is called is src/ipset.c. The
second parameter to the function call is type->last_elem_optional, which is of
type bool, but ipset_parse_elem is defined in lib/parse.c with the second
parameter having type enum ipset_opt.
The "nomatch" commandline flag should invert the matching at testing,
similarly to the --return-nomatch flag of the "set" match of iptables.
Until now it worked with the elements with "nomatch" flag only. From
now on it works with elements without the flag too, i.e:
# ipset n test hash:net
# ipset a test 10.0.0.0/24 nomatch
# ipset t test 10.0.0.1
10.0.0.1 is NOT in set test.
# ipset t test 10.0.0.1 nomatch
10.0.0.1 is in set test.
# ipset a test 192.168.0.0/24
# ipset t test 192.168.0.1
192.168.0.1 is in set test.
# ipset t test 192.168.0.1 nomatch
192.168.0.1 is NOT in set test.
Before the patch the results were
...
# ipset t test 192.168.0.1
192.168.0.1 is in set test.
# ipset t test 192.168.0.1 nomatch
192.168.0.1 is in set test.
Check at modules_install whether depmod ignores the extra subdir
The external kernel modules are installed in the extra subdir in
/lib/modules/<kernelrelease>/, but depmod in some distributions
(at least in Ubuntu 12.04 LTS) ingores the subdir. Warn about it,
because that way the modules are actually not available there.
Support package fragments for IPv4 protos without ports
Enable ipset port set types to match IPv4 package fragments for
protocols that doesn't have ports (or the port information isn't
supported by ipset).
For example this allows a hash:ip,port ipset containing the entry
192.168.0.1,gre:0 to match all package fragments for PPTP VPN tunnels
to/from the host. Without this patch only the first package fragment
(with fragment offset 0) was matched, while subsequent fragments wasn't.
This is not possible for IPv6, where the protocol is in the fragmented
part of the package unlike IPv4, where the protocol is in the IP header.
IPPROTO_ICMPV6 is deliberately not included, because it isn't relevant
for IPv4.
Signed-off-by: Anders K. Pedersen <akp@surftown.com>
projects / ipset / log