Jozsef Kadlecsik [Wed, 31 Aug 2011 13:56:34 +0000 (15:56 +0200)]
Propagate "expose userspace-relevant parts in ip_set.h" to ipset source
With the header file restructuring, the ipset userspace enums IPSET_DIM_*
clash with the kernel ones. In this patch the userspace is converted to
use the kernel part enums and thus we got rid of userspace enums IPSET_DIM_*.
Jan Engelhardt [Wed, 31 Aug 2011 12:10:04 +0000 (14:10 +0200)]
netfilter: ipset: avoid use of kernel-only types
When using the xt_set.h header in userspace, one will get these gcc
reports:
ipset/ip_set.h:184:1: error: unknown type name "u16"
In file included from libxt_SET.c:21:0:
netfilter/xt_set.h:61:2: error: unknown type name "u32"
netfilter/xt_set.h:62:2: error: unknown type name "u32"
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Jozsef Kadlecsik [Wed, 31 Aug 2011 10:32:55 +0000 (12:32 +0200)]
Dumping error triggered removing references twice and lead to kernel BUG
If there was a dumping error in the middle, the set-specific variable was
not zeroed out and thus the 'done' function of the dumping wrongly tried
to release the already released reference of the set. The already released
reference was caught by __ip_set_put and triggered a kernel BUG message.
The issue was reported by Jean-Philippe Menil.
Jozsef Kadlecsik [Mon, 29 Aug 2011 15:08:55 +0000 (17:08 +0200)]
Autoload set type modules safely
Jan Engelhardt noticed when userspace requests a set type unknown
to the kernel, it can lead to a loop due to the unsafe type module
loading. The issue is fixed in this patch.
Chris Friesen [Sat, 9 Jul 2011 08:19:41 +0000 (10:19 +0200)]
Fix compiler warnings "'hash_ip4_data_next' declared inline after being called"
Some gcc versions warn about prototypes without "inline" when the declaration
includes the "inline" keyword. The fix generates a false error message
"marked inline, but without a definition" with sparse below 0.4.2.
Signed-off-by: Chris Friesen <chris.friesen@genband.com>
Jozsef Kadlecsik [Mon, 30 May 2011 15:48:01 +0000 (17:48 +0200)]
hash:net,iface type introduced
The hash:net,iface type makes possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:
# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1
Jozsef Kadlecsik [Fri, 27 May 2011 19:06:04 +0000 (21:06 +0200)]
Add xt_action_param to the variant level kadt functions, ipset API change
With the change the sets can use any parameter available for the match
and target extensions, like input/output interface. It's required for
the hash:net,iface set type.
Jozsef Kadlecsik [Sun, 22 May 2011 10:18:36 +0000 (12:18 +0200)]
Take into account cidr value for the from address when creating the set
When creating a set from a range expressed as a network like
10.1.1.172/29, the from address was taken as the IP address part and
not masked with the netmask from the cidr.
Jozsef Kadlecsik [Sat, 21 May 2011 21:19:04 +0000 (23:19 +0200)]
Adding ranges to hash types with timeout could still fail, fixed
The patch "Fix adding ranges to hash types" had got a mistypeing
in the timeout variant of the hash types, which actually made
the patch ineffective. Fixed!
Jozsef Kadlecsik [Tue, 17 May 2011 17:28:10 +0000 (19:28 +0200)]
Remove outdated checking of IPv6 support from configure.ac
ipset can be compiled without IPv6 support since 6.0, however
the outdated checking in configure.ac made it not possible.
(reported by Denys Fedoryshchenko)
Jozsef Kadlecsik [Sun, 15 May 2011 10:04:19 +0000 (12:04 +0200)]
Support range for IPv4 at adding/deleting elements for hash:*net* types
The range internally is converted to the network(s) equal to the range.
Example:
# ipset new test hash:net
# ipset add test 10.2.0.0-10.2.1.12
# ipset list test
Name: test
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
10.2.1.12
10.2.1.0/29
10.2.0.0/24
10.2.1.8/30
When ranges are added to hash types, the elements may trigger rehashing the set.
However, the last successfully added element was not kept track so the adding
started again with the first element after the rehashing. Bug reported by Mr Dash Four.
Current listing makes possible to list sets with full content only.
The patch adds support partial listings, i.e. listing just
the existing setnames or listing set headers, without set members.
A restoreable saving of sets requires that list:set type of sets
come last and the code part which should have taken into account
the ordering was broken. The patch fixes the listing order.
Testsuite entry added which checks the listing order.
The SET target with --del-set did not work due to using wrongly
the internal dimension of --add-set instead of --del-set.
Also, the checkentries did not release the set references when
returned an error. Bugs reported by Lennert Buytenhek.
Enforce that the second "src/dst" parameter of the set match and SET target
must be "src", because we have access to the source MAC only in the packet.
The previous behaviour, that the type required the second parameter
but actually ignored the value was counter-intuitive and confusing.
Jozsef Kadlecsik [Sun, 27 Mar 2011 19:01:33 +0000 (21:01 +0200)]
Timeout can be modified for already added elements
When an element to a set with timeout added, one can change the timeout
by "readding" the element with the "-exist" flag. That means the timeout
value is reset to the specified one (or to the default from the set
specification if the "timeout n" option is not used). Example
Jozsef Kadlecsik [Fri, 25 Mar 2011 10:10:29 +0000 (11:10 +0100)]
References are protected by rwlock instead of mutex
The timeout variant of the list:set type must reference the member sets.
However, its garbage collector runs at timer interrupt so the mutex protection
of the references is a no go. Therefore the reference protection
is converted to rwlock.
Jozsef Kadlecsik [Fri, 18 Mar 2011 16:23:43 +0000 (17:23 +0100)]
Fix checking the revision of the set type at create command
The revision number was not checked at the create command: if the userspace
sent a valid set type but with not supported revision number, it'd create
a loop.
Jozsef Kadlecsik [Fri, 18 Mar 2011 16:21:20 +0000 (17:21 +0100)]
hash:ip,port* types with IPv4
The hash:ip,port* types with IPv4 silently ignored when address ranges
with non TCP/UDP were added/deleted from the set and the first address from
the range was only used.
Patrick McHardy [Thu, 3 Feb 2011 09:27:49 +0000 (10:27 +0100)]
netfilter: ipset: fix linking with CONFIG_IPV6=n
Add some #ifdefs to unconditionally return false in
ip_set_get_ip6_port() when CONFIG_IPV6=n and convert
to ipv6_skip_exthdr() to avoid pulling in the ip6_tables
module when loading ipset.
When a message carries multiple commands and one of them triggers
an error, we have to report to the userspace which one was that.
The line number of the command plays this role and there's an attribute
reserved in the header part of the message to be filled out with the error
line number. In order not to modify the original message received from
the userspace, we construct a new, complete netlink error message and
modifies the attribute there, then send it.
Netlink is notified not to send its ACK/error message.
Patrick McHardy [Tue, 1 Feb 2011 19:53:53 +0000 (20:53 +0100)]
netfilter: ipset: remove unnecessary includes
None of the set types need uaccess.h since this is handled centrally
in ip_set_core. Most set types additionally don't need bitops.h and
spinlock.h since they use neither. tcp.h is only needed by those
using before(), udp.h is not needed at all.
After stripping off the global options there simply has to follow
a command name, there is no other syntax possible. Therefore the
argv[] loop is unnecessary.
Jozsef Kadlecsik [Thu, 27 Jan 2011 11:44:17 +0000 (12:44 +0100)]
Move the type specifici attribute validation to the core
The type specific attribute validation can be moved to the ipset core.
That way it's done centrally and thus can be eliminated from the individual
set types (suggested by Patrick McHardy).