Oliver Smith [Sun, 22 Sep 2013 18:56:35 +0000 (20:56 +0200)]
ipset: Support comments in the userspace library.
This adds support to the userspace portion of ipset for handling ipsets
with the comment extension enabled. The library revision has been raised
accordingly.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Sun, 22 Sep 2013 18:56:34 +0000 (20:56 +0200)]
ipset: Rework the "fake" argument parsing for ipset restore.
This reworks the argument parsing functionality of ipset to handle
quote-delimited lines in such a way that they are considered to be a
single argument.
This commit is necessary for ipset to successfully restore sets that
have comments.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Sun, 22 Sep 2013 18:56:32 +0000 (20:56 +0200)]
netfilter: ipset: Support comments in bitmap-type ipsets.
This provides kernel support for creating bitmap ipsets with comment
support.
As is the case for hashes, this incurs a penalty when flushing or
destroying the entire ipset as the entries must first be walked in order
to free the comment strings. This penalty is of course far less than the
cost of listing an ipset to userspace. Any set created without support
for comments will be flushed/destroyed as before.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Sun, 22 Sep 2013 18:56:31 +0000 (20:56 +0200)]
netfilter: ipset: Support comments in hash-type ipsets.
This provides kernel support for creating ipsets with comment support.
This does incur a penalty to flushing/destroying an ipset since all
entries are walked in order to free the allocated strings, this penalty
is of course less expensive than the operation of listing an ipset to
userspace, so for general-purpose usage the overall impact is expected
to be little to none.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Sun, 22 Sep 2013 18:56:30 +0000 (20:56 +0200)]
netfilter: ipset: Support comments for ipset entries in the core.
This adds the core support for having comments on ipset entries.
The comments are stored as standard null-terminated strings in
dynamically allocated memory after being passed to the kernel. As a
result of this, code has been added to the generic destroy function to
iterate all extensions and call that extension's destroy task if the set
has that extension activated, and if such a task is defined.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Fri, 20 Sep 2013 08:13:54 +0000 (10:13 +0200)]
ipset: Add userspace code to support hash:net,net kernel module.
This adds the userspace library, tests to validate correct operation of
the module and also provides appropriate usage information in the man
page. The library version has been bumped accordingly.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Fri, 20 Sep 2013 08:13:53 +0000 (10:13 +0200)]
netfilter: ipset: Add hash:net,net module to kernel.
This adds a new set that provides the ability to configure pairs of
subnets. A small amount of additional handling code has been added to
the generic hash header file - this code is conditionally activated by a
preprocessor definition.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Oliver Smith [Sat, 14 Sep 2013 09:05:53 +0000 (11:05 +0200)]
netfilter: ipset: Fix serious failure in CIDR tracking
This fixes a serious bug affecting all hash types with a net element -
specifically, if a CIDR value is deleted such that none of the same size
exist any more, all larger (less-specific) values will then fail to
match. Adding back any prefix with a CIDR equal to or more specific than
the one deleted will fix it.
Steps to reproduce:
ipset -N test hash:net
ipset -A test 1.1.0.0/16
ipset -A test 2.2.2.0/24
ipset -T test 1.1.1.1 #1.1.1.1 IS in set
ipset -D test 2.2.2.0/24
ipset -T test 1.1.1.1 #1.1.1.1 IS NOT in set
This is due to the fact that the nets counter was unconditionally
decremented prior to the iteration that shifts up the entries. Now, we
first check if there is a proceeding entry and if not, decrement it and
return. Otherwise, we proceed to iterate and then zero the last element,
which, in most cases, will already be zero.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Default timeout and extension offsets are moved to struct set, because
all set types supports all extensions and it makes possible to generalize
extension support.
Prepare ipset to support multiple networks for hash types
In order to support hash:net,net, hash:net,port,net etc. types,
arrays are introduced for the book-keeping of existing cidr sizes
and network numbers in a set.
Introduce new operation to get both setname and family
ip[6]tables set match and SET target need to know the family of the set
in order to reject adding rules which refer to a set with a non-mathcing
family. Currently such rules are silently accepted and then ignored
instead of generating a clear error message to the user, which is not
helpful.
The only place in ipset where ipset_parse_elem is called is src/ipset.c. The
second parameter to the function call is type->last_elem_optional, which is of
type bool, but ipset_parse_elem is defined in lib/parse.c with the second
parameter having type enum ipset_opt.
The "nomatch" commandline flag should invert the matching at testing,
similarly to the --return-nomatch flag of the "set" match of iptables.
Until now it worked with the elements with "nomatch" flag only. From
now on it works with elements without the flag too, i.e:
# ipset n test hash:net
# ipset a test 10.0.0.0/24 nomatch
# ipset t test 10.0.0.1
10.0.0.1 is NOT in set test.
# ipset t test 10.0.0.1 nomatch
10.0.0.1 is in set test.
# ipset a test 192.168.0.0/24
# ipset t test 192.168.0.1
192.168.0.1 is in set test.
# ipset t test 192.168.0.1 nomatch
192.168.0.1 is NOT in set test.
Before the patch the results were
...
# ipset t test 192.168.0.1
192.168.0.1 is in set test.
# ipset t test 192.168.0.1 nomatch
192.168.0.1 is in set test.
Check at modules_install whether depmod ignores the extra subdir
The external kernel modules are installed in the extra subdir in
/lib/modules/<kernelrelease>/, but depmod in some distributions
(at least in Ubuntu 12.04 LTS) ingores the subdir. Warn about it,
because that way the modules are actually not available there.
Support package fragments for IPv4 protos without ports
Enable ipset port set types to match IPv4 package fragments for
protocols that doesn't have ports (or the port information isn't
supported by ipset).
For example this allows a hash:ip,port ipset containing the entry
192.168.0.1,gre:0 to match all package fragments for PPTP VPN tunnels
to/from the host. Without this patch only the first package fragment
(with fragment offset 0) was matched, while subsequent fragments wasn't.
This is not possible for IPv6, where the protocol is in the fragmented
part of the package unlike IPv4, where the protocol is in the IP header.
IPPROTO_ICMPV6 is deliberately not included, because it isn't relevant
for IPv4.
Signed-off-by: Anders K. Pedersen <akp@surftown.com>
netfilter ipset: Use ipv6_addr_equal() where appropriate.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Jozsef Kadlecsik [Thu, 21 Feb 2013 11:08:42 +0000 (12:08 +0100)]
Interactive mode error after syntax error (reported by Mart Frauenlob)
ipset> list foo
ipset v6.16.1: The set with the given name does not exist
ipset> -t
No command specified
ipset> list
ipset v6.16.1: Internal protocol error
In interactive mode the state was not cleaned up properly after a
syntax error, fixed.
Jozsef Kadlecsik [Thu, 21 Feb 2013 10:12:40 +0000 (11:12 +0100)]
"Directory not empty" error message (reported by John Brendler)
When an entry flagged with "nomatch" was tested by ipset, it
returned the error message "Kernel error received:
Directory not empty" instead of "<element> is NOT in set <setname>".
The internal error code was not properly transformed before returning
to userspace, fixed.
Josh Hunt [Tue, 19 Feb 2013 19:35:59 +0000 (11:35 -0800)]
netfilter: ipset: timeout values corrupted on set resize
If a resize is triggered on a set with timeouts enabled, the timeout
values will get corrupted when copying them to the new set. This occured
b/c the wrong timeout value is supplied to type_pf_elem_tadd().
This also adds simple debug statement similar to the one in type_pf_resize().
Jozsef Kadlecsik [Sat, 24 Nov 2012 20:59:11 +0000 (21:59 +0100)]
Fix RCU handling when the number of maximal sets are increased
Eric Dumazet spotted that RCU handling was far incomplete in the patch
which added the support of increasing the number of maximal sets automatically.
This patch completes the RCU handling of the ip_set_list array of the sets.
Jan Engelhardt [Wed, 21 Nov 2012 23:05:42 +0000 (00:05 +0100)]
build: support for Linux 3.7 UAPI
In Linux 3.7, nfnetlink.h moved below include/uapi/. Make configure
recognize that. Furthermore, we can drop the unnecessary indirection
via backticks and just ask grep directly if there was any result.
projects / ipset / log