]> granicus.if.org Git - ipset/log
ipset
11 years agoset match: add support to match the counters
Jozsef Kadlecsik [Tue, 9 Apr 2013 15:14:19 +0000 (17:14 +0200)]
set match: add support to match the counters

The new revision of the set match supports to match the counters
and to suppress updating the counters at matching too.

At the set:list types, the updating of the subcounters can be
suppressed as well.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoThe list:set type with counter support
Jozsef Kadlecsik [Mon, 8 Apr 2013 21:11:32 +0000 (23:11 +0200)]
The list:set type with counter support

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoThe hash types with counter support
Jozsef Kadlecsik [Mon, 8 Apr 2013 21:11:02 +0000 (23:11 +0200)]
The hash types with counter support

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoThe bitmap types with counter support
Jozsef Kadlecsik [Mon, 8 Apr 2013 21:10:22 +0000 (23:10 +0200)]
The bitmap types with counter support

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoIntroduce the counter extension in the core
Jozsef Kadlecsik [Mon, 8 Apr 2013 21:09:19 +0000 (23:09 +0200)]
Introduce the counter extension in the core

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agolist:set type using the extension interface
Jozsef Kadlecsik [Thu, 4 Apr 2013 10:21:02 +0000 (12:21 +0200)]
list:set type using the extension interface

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoHash types using the unified code base
Jozsef Kadlecsik [Mon, 8 Apr 2013 20:50:55 +0000 (22:50 +0200)]
Hash types using the unified code base

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoUnified hash type generation
Jozsef Kadlecsik [Mon, 8 Apr 2013 19:05:44 +0000 (21:05 +0200)]
Unified hash type generation

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoBitmap types using the unified code base
Jozsef Kadlecsik [Mon, 8 Apr 2013 19:03:26 +0000 (21:03 +0200)]
Bitmap types using the unified code base

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoUnified bitmap type generation
Jozsef Kadlecsik [Mon, 8 Apr 2013 19:00:52 +0000 (21:00 +0200)]
Unified bitmap type generation

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoIntroduce extensions to elements in the core
Jozsef Kadlecsik [Mon, 8 Apr 2013 18:59:15 +0000 (20:59 +0200)]
Introduce extensions to elements in the core

Introduce extensions to elements in the core and prepare timeout as
the first one.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoMove often used IPv6 address masking function to header file
Jozsef Kadlecsik [Mon, 8 Apr 2013 18:54:37 +0000 (20:54 +0200)]
Move often used IPv6 address masking function to header file

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoMake possible to test elements marked with nomatch, from userspace
Jozsef Kadlecsik [Mon, 8 Apr 2013 19:51:25 +0000 (21:51 +0200)]
Make possible to test elements marked with nomatch, from userspace

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agonetfilter ipset: Use ipv6_addr_equal() where appropriate.
YOSHIFUJI Hideaki [Sat, 6 Apr 2013 12:10:06 +0000 (14:10 +0200)]
netfilter ipset: Use ipv6_addr_equal() where appropriate.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoAdd a compatibility header file for easier maintenance
Jozsef Kadlecsik [Sat, 6 Apr 2013 12:04:12 +0000 (14:04 +0200)]
Add a compatibility header file for easier maintenance

Unfortunately not everything could be moved there, there are still
compatibility ifdefs in some other files.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoThe uapi include split in the package itself
Jozsef Kadlecsik [Sat, 6 Apr 2013 07:52:33 +0000 (09:52 +0200)]
The uapi include split in the package itself

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoReorder modules a little bit in Kbuild
Jozsef Kadlecsik [Mon, 1 Apr 2013 19:17:58 +0000 (21:17 +0200)]
Reorder modules a little bit in Kbuild

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agohash:*net*: nomatch flag not excluded on set resize
Jozsef Kadlecsik [Mon, 1 Apr 2013 19:13:20 +0000 (21:13 +0200)]
hash:*net*: nomatch flag not excluded on set resize

If a resize is triggered the nomatch flag is not excluded at hashing,
which leads to the element missed at lookup in the resized set.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agolist:set: update reference counter when last element pushed off
Jozsef Kadlecsik [Mon, 1 Apr 2013 18:11:01 +0000 (20:11 +0200)]
list:set: update reference counter when last element pushed off

The last element can be replaced or pushed off and in both
cases the reference counter must be updated.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
11 years agoipset 6.17 released v6.17
Jozsef Kadlecsik [Thu, 21 Feb 2013 15:44:09 +0000 (16:44 +0100)]
ipset 6.17 released

11 years agoThe ipset_list tool is added
Jozsef Kadlecsik [Thu, 21 Feb 2013 15:37:41 +0000 (16:37 +0100)]
The ipset_list tool is added

Source: http://sourceforge.net/projects/ipset-list

11 years agoThe ipset_bash_completion tool is added
Jozsef Kadlecsik [Thu, 21 Feb 2013 15:36:35 +0000 (16:36 +0100)]
The ipset_bash_completion tool is added

Source: http://sourceforge.net/projects/ipset-bashcompl

11 years agoInteractive mode error after syntax error (reported by Mart Frauenlob)
Jozsef Kadlecsik [Thu, 21 Feb 2013 11:08:42 +0000 (12:08 +0100)]
Interactive mode error after syntax error (reported by Mart Frauenlob)

ipset> list foo
ipset v6.16.1: The set with the given name does not exist
ipset> -t
No command specified
ipset> list
ipset v6.16.1: Internal protocol error

In interactive mode the state was not cleaned up properly after a
syntax error, fixed.

11 years ago"Directory not empty" error message (reported by John Brendler)
Jozsef Kadlecsik [Thu, 21 Feb 2013 10:12:40 +0000 (11:12 +0100)]
"Directory not empty" error message (reported by John Brendler)

When an entry flagged with "nomatch" was tested by ipset, it
returned the error message "Kernel error received:
Directory not empty" instead of "<element> is NOT in set <setname>".

The internal error code was not properly transformed before returning
to userspace, fixed.

11 years agonetfilter: ipset: timeout values corrupted on set resize
Josh Hunt [Tue, 19 Feb 2013 19:35:59 +0000 (11:35 -0800)]
netfilter: ipset: timeout values corrupted on set resize

If a resize is triggered on a set with timeouts enabled, the timeout
values will get corrupted when copying them to the new set. This occured
b/c the wrong timeout value is supplied to type_pf_elem_tadd().

This also adds simple debug statement similar to the one in type_pf_resize().

Signed-off-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
12 years agoFix error path when protocol number is used with port range
Jozsef Kadlecsik [Wed, 9 Jan 2013 22:34:44 +0000 (23:34 +0100)]
Fix error path when protocol number is used with port range

12 years agoCorrect "Suspicious condition (assignment + comparison)" (Thomas Jarosch)
Jozsef Kadlecsik [Mon, 7 Jan 2013 16:07:52 +0000 (17:07 +0100)]
Correct "Suspicious condition (assignment + comparison)" (Thomas Jarosch)

cppcheck (vaguely) reported:
[lib/parse.c:448]: (style) Suspicious condition (assignment + comparison); Clarify expression with parentheses.

12 years agoFix revision printing in XML mode (reported by Mart Frauenlob)
Jozsef Kadlecsik [Mon, 7 Jan 2013 08:15:33 +0000 (09:15 +0100)]
Fix revision printing in XML mode (reported by Mart Frauenlob)

12 years agoMake sure ip_set_max isn't set to IPSET_INVALID_ID
Jozsef Kadlecsik [Tue, 27 Nov 2012 16:10:33 +0000 (17:10 +0100)]
Make sure ip_set_max isn't set to IPSET_INVALID_ID

12 years agoipset 6.16.1 released v6.16.1
Jozsef Kadlecsik [Tue, 27 Nov 2012 14:05:48 +0000 (15:05 +0100)]
ipset 6.16.1 released

12 years agoAdd ipset package version to external module description
Jozsef Kadlecsik [Tue, 27 Nov 2012 13:58:03 +0000 (14:58 +0100)]
Add ipset package version to external module description

12 years agoBackport RCU handling up to 2.6.32.x
Jozsef Kadlecsik [Tue, 27 Nov 2012 13:19:07 +0000 (14:19 +0100)]
Backport RCU handling up to 2.6.32.x

__rcu and rcu_dereference_protected is missing from older kernel releases.

12 years agoipset 6.16 released v6.16
Jozsef Kadlecsik [Mon, 26 Nov 2012 20:08:28 +0000 (21:08 +0100)]
ipset 6.16 released

12 years agoNetlink pid is renamed to portid in kernel 3.7.0
Jozsef Kadlecsik [Sat, 24 Nov 2012 21:06:19 +0000 (22:06 +0100)]
Netlink pid is renamed to portid in kernel 3.7.0

Handle the renaming of the netlink_skb_parms structure member.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
12 years agoFix RCU handling when the number of maximal sets are increased
Jozsef Kadlecsik [Sat, 24 Nov 2012 20:59:11 +0000 (21:59 +0100)]
Fix RCU handling when the number of maximal sets are increased

Eric Dumazet spotted that RCU handling was far incomplete in the patch
which added the support of increasing the number of maximal sets automatically.
This patch completes the RCU handling of the ip_set_list array of the sets.

12 years agonetfilter: ipset: fix netiface set name overflow
Florian Westphal [Thu, 22 Nov 2012 11:32:45 +0000 (12:32 +0100)]
netfilter: ipset: fix netiface set name overflow

attribute is copied to IFNAMSIZ-size stack variable,
but IFNAMSIZ is smaller than IPSET_MAXNAMELEN.

Fortunately nfnetlink needs CAP_NET_ADMIN.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
12 years agoRemove all modules before testing resize
Jozsef Kadlecsik [Thu, 22 Nov 2012 20:54:48 +0000 (21:54 +0100)]
Remove all modules before testing resize

12 years agobuild: support for Linux 3.7 UAPI
Jan Engelhardt [Wed, 21 Nov 2012 23:05:42 +0000 (00:05 +0100)]
build: support for Linux 3.7 UAPI

In Linux 3.7, nfnetlink.h moved below include/uapi/. Make configure
recognize that. Furthermore, we can drop the unnecessary indirection
via backticks and just ask grep directly if there was any result.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
12 years agoipset 6.15 released v6.15
Jozsef Kadlecsik [Mon, 19 Nov 2012 12:29:49 +0000 (13:29 +0100)]
ipset 6.15 released

12 years agoIncrease the number of maximal sets automatically as needed
Jozsef Kadlecsik [Mon, 19 Nov 2012 10:37:24 +0000 (11:37 +0100)]
Increase the number of maximal sets automatically as needed

The max number of sets was hardcoded at kernel cofiguration time.
The patch adds the support to increase the max number of sets automatically.

12 years agoFix interactive mode
Fredrik Eriksson [Mon, 5 Nov 2012 16:30:19 +0000 (17:30 +0100)]
Fix interactive mode

Catching interactive mode got broken in 6.12.

12 years agoUse gethostbyname2 instead of getaddrinfo
Jozsef Kadlecsik [Mon, 5 Nov 2012 16:11:10 +0000 (17:11 +0100)]
Use gethostbyname2 instead of getaddrinfo

In newer glibc, getaddrinfo issues an extra system call to kernel,
which slows down ipset. Replace getaddrinfo with gethostbyname2,
where possible.

12 years agoRestore the support of kernel versions between 2.6.32 and 2.6.35
Jozsef Kadlecsik [Mon, 5 Nov 2012 16:09:09 +0000 (17:09 +0100)]
Restore the support of kernel versions between 2.6.32 and 2.6.35

12 years agoMake tests/check_cidrs.sh script executable
Jozsef Kadlecsik [Mon, 5 Nov 2012 16:06:46 +0000 (17:06 +0100)]
Make tests/check_cidrs.sh script executable

12 years agoAdd tests to check completely ranges with hash types
Jozsef Kadlecsik [Mon, 5 Nov 2012 16:03:50 +0000 (17:03 +0100)]
Add tests to check completely ranges with hash types

Test all possible range variations with the hash types in order
to catch bugs like the range bug in hash:ip,port,net.

12 years agoMake easier to apply the netlink.patch
Jozsef Kadlecsik [Mon, 5 Nov 2012 16:02:26 +0000 (17:02 +0100)]
Make easier to apply the netlink.patch

There is no need for the full source code, the header files are enough
to compile ipset.

12 years agoSupport protocol numbers as well, not only protocol names
Jozsef Kadlecsik [Mon, 5 Nov 2012 16:01:41 +0000 (17:01 +0100)]
Support protocol numbers as well, not only protocol names

12 years agoAdd (back) the debug flag to configure
Jozsef Kadlecsik [Mon, 5 Nov 2012 16:00:47 +0000 (17:00 +0100)]
Add (back) the debug flag to configure

12 years agoFix range bug in hash:ip,port,net
Jozsef Kadlecsik [Mon, 5 Nov 2012 15:56:42 +0000 (16:56 +0100)]
Fix range bug in hash:ip,port,net

Due to the missing ininitalization at adding/deleting entries, when
a plain_ip,port,net element was to be added, multiple elements were
added/deleted instead. The bug came from the missing dangling
default initialization.

The error-prone default initialization is corrected in all hash:* types.

12 years agoRewrite cidr book keeping to handle /0
Jozsef Kadlecsik [Sat, 22 Sep 2012 20:55:01 +0000 (22:55 +0200)]
Rewrite cidr book keeping to handle /0

The patch is required for the /0 support in hash:net,iface

12 years agoRevert patch "Fix cidr book keeping for hash:*net* types"
Jozsef Kadlecsik [Sat, 22 Sep 2012 20:53:44 +0000 (22:53 +0200)]
Revert patch "Fix cidr book keeping for hash:*net* types"

12 years agoAdd simple test to check cidr book-keeping
Jozsef Kadlecsik [Sat, 22 Sep 2012 16:10:43 +0000 (18:10 +0200)]
Add simple test to check cidr book-keeping

12 years agoipset 6.14 released v6.14
Jozsef Kadlecsik [Fri, 21 Sep 2012 19:21:29 +0000 (21:21 +0200)]
ipset 6.14 released

12 years agoSupport to match elements marked with "nomatch" in hash:*net* sets
Jozsef Kadlecsik [Fri, 21 Sep 2012 19:03:24 +0000 (21:03 +0200)]
Support to match elements marked with "nomatch" in hash:*net* sets

Exceptions can now be matched and we can branch according to the
possible cases:

a. match in the set if the element is not flagged as "nomatch"
b. match in the set if the element is flagged with "nomatch"
c. no match

i.e.

iptables ... -m set --match-set ... -j ...
iptables ... -m set --match-set ... --nomatch-entries -j ...
...

12 years agoCoding style fixes
Jozsef Kadlecsik [Tue, 11 Sep 2012 15:38:17 +0000 (17:38 +0200)]
Coding style fixes

12 years agoThe set type revision number is added to the header part of listing
Jozsef Kadlecsik [Tue, 11 Sep 2012 15:34:37 +0000 (17:34 +0200)]
The set type revision number is added to the header part of listing

Incompatibility: if your script rely on the number of lines in the header
of set listings, then the new line

Revision: number

can break your script.

12 years agoInclude supported revisions in module description
Jozsef Kadlecsik [Tue, 11 Sep 2012 15:10:08 +0000 (17:10 +0200)]
Include supported revisions in module description

12 years agoHelp prints list type revision and terse description
Jozsef Kadlecsik [Sat, 8 Sep 2012 20:55:04 +0000 (22:55 +0200)]
Help prints list type revision and terse description

In order to catch kernel/userspace revision mismatch, better print
all available data.

12 years agoAdd /0 network support to hash:net,iface type
Jozsef Kadlecsik [Mon, 10 Sep 2012 19:22:23 +0000 (21:22 +0200)]
Add /0 network support to hash:net,iface type

Now it is possible to setup a single hash:net,iface type of set and
a single ip6?tables match which covers all egress/ingress filtering.

12 years agoFix cidr book keeping for hash:*net* types
Jozsef Kadlecsik [Mon, 10 Sep 2012 19:19:09 +0000 (21:19 +0200)]
Fix cidr book keeping for hash:*net* types

The book-keeping of the different sized networks were bogus, fix it.
The broken code could lead invalid matching in such sets when the number
of different sized networks were greater than the smallest CIDR value of
the networks.

12 years agoCheck and reject crazy /0 input parameters
Jozsef Kadlecsik [Tue, 4 Sep 2012 15:45:59 +0000 (17:45 +0200)]
Check and reject crazy /0 input parameters

bitmap:ip and bitmap:ip,mac type did not reject such a crazy range
when created and using such a set results in a kernel crash.
The hash types just silently ignored such parameters.

Reject invalid /0 input parameters explicitely.

12 years agoBackport ether_addr_equal
Jozsef Kadlecsik [Sat, 8 Sep 2012 16:37:21 +0000 (18:37 +0200)]
Backport ether_addr_equal

12 years agoCoding style fix, backport from kernel
Jozsef Kadlecsik [Mon, 10 Sep 2012 18:51:07 +0000 (20:51 +0200)]
Coding style fix, backport from kernel

12 years agonet: cleanup unsigned to unsigned int
Eric Dumazet [Sat, 8 Sep 2012 16:01:32 +0000 (18:01 +0200)]
net: cleanup unsigned to unsigned int

Use of "unsigned int" is preferred to bare "unsigned" in net tree.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
12 years agoFix errors when compiling in debug mode.
Krunal Patel [Fri, 31 Aug 2012 15:06:09 +0000 (17:06 +0200)]
Fix errors when compiling in debug mode.

12 years agoMake sure IPPROTO_UDPLITE is defined
Jozsef Kadlecsik [Fri, 31 Aug 2012 14:53:33 +0000 (16:53 +0200)]
Make sure IPPROTO_UDPLITE is defined

12 years agobuild: restore -version-info
Jan Engelhardt [Sun, 1 Jul 2012 18:36:19 +0000 (20:36 +0200)]
build: restore -version-info

On Sunday 2012-07-01 19:20, Jozsef Kadlecsik wrote:
>[...]
>> * therefore the patch makes a clean restart,
>>   using -version-info 3:0:0, to continue using .so.3
>>   starting from ipset-6.13 until the next *real*
>>   incompatible change.
>
>What is still unclear for me, why a clean restart is required. Looking
>into "libtool", as I see, "-version-number 3:0:1" and "-version-info
>3:0:1" produces the same result.

They don't. The libtool manual goes on attempting to explain
"-version-number" with C:R:A, though it could have been a lot easier
to just say "it copies the values as-is to the file suffix".

---8<---
location git://git.inai.de/ipset (updated)

parent 7c7b022a18ea2bae11d889b345caef87f3bf145e (v6.13)
commit 2b145f0794de6f56eaded0a6403be995be98c93b
Author: Jan Engelhardt <jengelh@inai.de>
Date:   Sat Jun 30 20:39:27 2012 +0200

build: restore -version-info

Commit v6.13~7 accidentally swapped "-version-info" with
"-version-number". Because "-version-number" takes the values
"FIRST:AGE:REV", which is different from "-version-info
CURRENT:REV:AGE", libipset.so.3 was emitted.

Restore using "-version-info" and continue to use 3 as the "FIRST"
interface (instead of 2), because it was declared that way in
ipset-6.13.

Also note that the version names in libipset.map generally are not
supposed to follow SO versions, but the program version):
IPSET_6.13 {...}.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
12 years agoipset 6.13 released v6.13
Jozsef Kadlecsik [Fri, 29 Jun 2012 19:48:45 +0000 (21:48 +0200)]
ipset 6.13 released

12 years agoExplain in more detail src/dst for hash:net,iface
Jozsef Kadlecsik [Fri, 29 Jun 2012 19:29:46 +0000 (21:29 +0200)]
Explain in more detail src/dst for hash:net,iface

12 years agoipset: Handle properly an IPSET_CMD_NONE
Tomasz Bursztyka [Thu, 28 Jun 2012 12:57:48 +0000 (15:57 +0300)]
ipset: Handle properly an IPSET_CMD_NONE

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
12 years agonetfilter: ipset: hash:net,iface: fix interface comparison
Florian Westphal [Sun, 17 Jun 2012 19:56:46 +0000 (21:56 +0200)]
netfilter: ipset: hash:net,iface: fix interface comparison

ifname_compare() assumes that skb->dev is zero-padded,
e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does

strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1);

in e1000_probe(), so once device is registered dev->name memory contains
'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare
fail.

Use plain strcmp() instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
12 years agoipset help lists set types multiple times, fixed (reported by Mr Dash Four)
Jozsef Kadlecsik [Tue, 19 Jun 2012 20:24:53 +0000 (22:24 +0200)]
ipset help lists set types multiple times, fixed (reported by Mr Dash Four)

ipset help listed every set type, including the ones with multiple
revisions - which were listed thus multiple times. Set types with
multiple revisions are listed once from now on.

12 years agoThe commandline parser was too permissive, make it more strict
Jozsef Kadlecsik [Tue, 19 Jun 2012 20:06:59 +0000 (22:06 +0200)]
The commandline parser was too permissive, make it more strict

The parser allowed more possible argument alternatives for
command options than the documented one, which limited the possibility
of other option names. The patch makes the parser more strict.

12 years agoTimeout fixing bug broke SET target special timeout value, fixed
Jozsef Kadlecsik [Fri, 8 Jun 2012 08:02:59 +0000 (10:02 +0200)]
Timeout fixing bug broke SET target special timeout value, fixed

The patch "Fix timeout value overflow bug at large timeout parameters"
broke the SET target when no timeout was specified (reported by
Jean-Philippe Menil).

12 years agoAllow saving to/restoring from a file without shell redirection
Jozsef Kadlecsik [Wed, 23 May 2012 21:27:42 +0000 (23:27 +0200)]
Allow saving to/restoring from a file without shell redirection

Mathieu Bridon suggested that in some environments where there is no
access to a full shell with input/output redirection, it'd be useful
to read from/write to directly a file (bugzilla #788).

The patch adds the new "-file" option to specify a filename to print
into when listing/saving sets or read from when restoring sets.

12 years agoUse MSEC_PER_SEC instead of harcoded value
Jozsef Kadlecsik [Tue, 15 May 2012 13:31:10 +0000 (15:31 +0200)]
Use MSEC_PER_SEC instead of harcoded value

David Laight and Eric Dumazet noticed that we were using hardcoded
1000 instead of MSEC_PER_SEC to calculate the timeout.

12 years agoFix typo of word "unkown" to "unknown".
Neutron Soutmun [Tue, 15 May 2012 13:27:24 +0000 (15:27 +0200)]
Fix typo of word "unkown" to "unknown".

12 years agoipset 6.12.1 released v6.12.1
Jozsef Kadlecsik [Thu, 10 May 2012 20:07:43 +0000 (22:07 +0200)]
ipset 6.12.1 released

12 years agoEnable silent (kernel style) compile messages
Jozsef Kadlecsik [Thu, 10 May 2012 20:05:37 +0000 (22:05 +0200)]
Enable silent (kernel style) compile messages

12 years agoFix build failed on --disable-dependency-tracking
Neutron Soutmun [Thu, 10 May 2012 19:29:34 +0000 (21:29 +0200)]
Fix build failed on --disable-dependency-tracking

12 years agoAdd tarball target to Makefile
Jozsef Kadlecsik [Thu, 10 May 2012 11:31:53 +0000 (13:31 +0200)]
Add tarball target to Makefile

12 years agoipset 6.12 released
Jozsef Kadlecsik [Thu, 10 May 2012 09:54:18 +0000 (11:54 +0200)]
ipset 6.12 released

12 years agoBackport nla_put_net* functions as NLA_PUT* were removed
Jozsef Kadlecsik [Thu, 10 May 2012 09:42:08 +0000 (11:42 +0200)]
Backport nla_put_net* functions as NLA_PUT* were removed

12 years agoCleanup generated files by make tidy
Jozsef Kadlecsik [Thu, 10 May 2012 09:16:01 +0000 (11:16 +0200)]
Cleanup generated files by make tidy

12 years agonetlink: add netlink_dump_control structure for netlink_dump_start()
Pablo Neira Ayuso [Thu, 10 May 2012 09:12:24 +0000 (11:12 +0200)]
netlink: add netlink_dump_control structure for netlink_dump_start()

Backport of Pablo's patch to the ipset package.

12 years agoipset: Stop using NLA_PUT*().
David S. Miller [Thu, 10 May 2012 08:44:03 +0000 (10:44 +0200)]
ipset: Stop using NLA_PUT*().

These macros contain a hidden goto, and are thus extremely error
prone and make code hard to audit.

Signed-off-by: David S. Miller <davem@davemloft.net>
12 years agoAdd more CC warning option to debug mode
Jozsef Kadlecsik [Thu, 10 May 2012 08:29:22 +0000 (10:29 +0200)]
Add more CC warning option to debug mode

12 years agoReport syntax error messages immediately
Jozsef Kadlecsik [Thu, 10 May 2012 07:42:36 +0000 (09:42 +0200)]
Report syntax error messages immediately

12 years agoSuppress false syntax error messages
Jozsef Kadlecsik [Thu, 10 May 2012 07:30:36 +0000 (09:30 +0200)]
Suppress false syntax error messages

If a create command fails at the kernel side, false syntax error
was also reported due to  the chicken and egg problem of the family
option.

12 years agoAdd configure summary for the ipset userspace tool
Jozsef Kadlecsik [Thu, 10 May 2012 07:22:29 +0000 (09:22 +0200)]
Add configure summary for the ipset userspace tool

12 years agoAdd dynamic module support to ipset userspace tool
Neutron Soutmun [Thu, 10 May 2012 06:05:53 +0000 (08:05 +0200)]
Add dynamic module support to ipset userspace tool

The patch adds supporting dynamic modules for the set types to ipset
userspace tool. The dynamic module support can be enabled by the
--enable-settype-modules of "configure". The list of set types to
be compiled as dynamic modules can be specified in the
--with-settype-modules-list option. Example

--enable-settype-modules \
--with-settype-modules-list="ipset_hash_ip ipset_hash_ipport"

The keyword "all" can be used to compile all set types as dynamic modules.

12 years agoMove ipset_port_usage() into lib
Neutron Soutmun [Sun, 6 May 2012 20:18:52 +0000 (22:18 +0200)]
Move ipset_port_usage() into lib

12 years agoFix hash size checking in kernel
Jozsef Kadlecsik [Sun, 6 May 2012 20:10:52 +0000 (22:10 +0200)]
Fix hash size checking in kernel

The hash size must fit both into u32 (jhash) and the max value of
size_t. The missing checking could lead to kernel crash, bug reported
by Seblu.

12 years agoFix invalid assignment to const void pointer
Jozsef Kadlecsik [Fri, 4 May 2012 20:06:50 +0000 (22:06 +0200)]
Fix invalid assignment to const void pointer

gcc 4.7 and above ignore such assignments which leads to a broken
ipset binary (bug reported by Seblu).

12 years agoCorrect README file about minimal required iptables version
Oskar Berggren [Fri, 4 May 2012 19:48:16 +0000 (21:48 +0200)]
Correct README file about minimal required iptables version

12 years agoSparse warnings "incorrect type in assignment" fixed
Jozsef Kadlecsik [Fri, 4 May 2012 19:46:48 +0000 (21:46 +0200)]
Sparse warnings "incorrect type in assignment" fixed

12 years agoRemove unused variables (warnings fixed)
Jozsef Kadlecsik [Fri, 4 May 2012 19:45:07 +0000 (21:45 +0200)]
Remove unused variables (warnings fixed)

12 years agoFix timeout value overflow bug at large timeout parameters
Jozsef Kadlecsik [Fri, 4 May 2012 19:37:28 +0000 (21:37 +0200)]
Fix timeout value overflow bug at large timeout parameters

Large timeout parameters could result wrong timeout values due to
an overflow at msec to jiffies conversion (reported by Andreas Herz)

12 years agoipv6: Add fragment reporting to ipv6_skip_exthdr().
Jesse Gross [Fri, 4 May 2012 14:55:03 +0000 (16:55 +0200)]
ipv6: Add fragment reporting to ipv6_skip_exthdr().

While parsing through IPv6 extension headers, fragment headers are
skipped making them invisible to the caller.  This reports the
fragment offset of the last header in order to make it possible to
determine whether the packet is fragmented and, if so whether it is
a first or last fragment.

Signed-off-by: Jesse Gross <jesse@nicira.com>
12 years agonet: remove ipv6_addr_copy()
Alexey Dobriyan [Thu, 19 Apr 2012 15:34:32 +0000 (17:34 +0200)]
net: remove ipv6_addr_copy()

C assignment can handle struct in6_addr copying.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>