Default timeout and extension offsets are moved to struct set, because
all set types supports all extensions and it makes possible to generalize
extension support.
Prepare ipset to support multiple networks for hash types
In order to support hash:net,net, hash:net,port,net etc. types,
arrays are introduced for the book-keeping of existing cidr sizes
and network numbers in a set.
Introduce new operation to get both setname and family
ip[6]tables set match and SET target need to know the family of the set
in order to reject adding rules which refer to a set with a non-mathcing
family. Currently such rules are silently accepted and then ignored
instead of generating a clear error message to the user, which is not
helpful.
The only place in ipset where ipset_parse_elem is called is src/ipset.c. The
second parameter to the function call is type->last_elem_optional, which is of
type bool, but ipset_parse_elem is defined in lib/parse.c with the second
parameter having type enum ipset_opt.
The "nomatch" commandline flag should invert the matching at testing,
similarly to the --return-nomatch flag of the "set" match of iptables.
Until now it worked with the elements with "nomatch" flag only. From
now on it works with elements without the flag too, i.e:
# ipset n test hash:net
# ipset a test 10.0.0.0/24 nomatch
# ipset t test 10.0.0.1
10.0.0.1 is NOT in set test.
# ipset t test 10.0.0.1 nomatch
10.0.0.1 is in set test.
# ipset a test 192.168.0.0/24
# ipset t test 192.168.0.1
192.168.0.1 is in set test.
# ipset t test 192.168.0.1 nomatch
192.168.0.1 is NOT in set test.
Before the patch the results were
...
# ipset t test 192.168.0.1
192.168.0.1 is in set test.
# ipset t test 192.168.0.1 nomatch
192.168.0.1 is in set test.
Check at modules_install whether depmod ignores the extra subdir
The external kernel modules are installed in the extra subdir in
/lib/modules/<kernelrelease>/, but depmod in some distributions
(at least in Ubuntu 12.04 LTS) ingores the subdir. Warn about it,
because that way the modules are actually not available there.
Support package fragments for IPv4 protos without ports
Enable ipset port set types to match IPv4 package fragments for
protocols that doesn't have ports (or the port information isn't
supported by ipset).
For example this allows a hash:ip,port ipset containing the entry
192.168.0.1,gre:0 to match all package fragments for PPTP VPN tunnels
to/from the host. Without this patch only the first package fragment
(with fragment offset 0) was matched, while subsequent fragments wasn't.
This is not possible for IPv6, where the protocol is in the fragmented
part of the package unlike IPv4, where the protocol is in the IP header.
IPPROTO_ICMPV6 is deliberately not included, because it isn't relevant
for IPv4.
Signed-off-by: Anders K. Pedersen <akp@surftown.com>
netfilter ipset: Use ipv6_addr_equal() where appropriate.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Jozsef Kadlecsik [Thu, 21 Feb 2013 11:08:42 +0000 (12:08 +0100)]
Interactive mode error after syntax error (reported by Mart Frauenlob)
ipset> list foo
ipset v6.16.1: The set with the given name does not exist
ipset> -t
No command specified
ipset> list
ipset v6.16.1: Internal protocol error
In interactive mode the state was not cleaned up properly after a
syntax error, fixed.
Jozsef Kadlecsik [Thu, 21 Feb 2013 10:12:40 +0000 (11:12 +0100)]
"Directory not empty" error message (reported by John Brendler)
When an entry flagged with "nomatch" was tested by ipset, it
returned the error message "Kernel error received:
Directory not empty" instead of "<element> is NOT in set <setname>".
The internal error code was not properly transformed before returning
to userspace, fixed.
Josh Hunt [Tue, 19 Feb 2013 19:35:59 +0000 (11:35 -0800)]
netfilter: ipset: timeout values corrupted on set resize
If a resize is triggered on a set with timeouts enabled, the timeout
values will get corrupted when copying them to the new set. This occured
b/c the wrong timeout value is supplied to type_pf_elem_tadd().
This also adds simple debug statement similar to the one in type_pf_resize().
Jozsef Kadlecsik [Sat, 24 Nov 2012 20:59:11 +0000 (21:59 +0100)]
Fix RCU handling when the number of maximal sets are increased
Eric Dumazet spotted that RCU handling was far incomplete in the patch
which added the support of increasing the number of maximal sets automatically.
This patch completes the RCU handling of the ip_set_list array of the sets.
Jan Engelhardt [Wed, 21 Nov 2012 23:05:42 +0000 (00:05 +0100)]
build: support for Linux 3.7 UAPI
In Linux 3.7, nfnetlink.h moved below include/uapi/. Make configure
recognize that. Furthermore, we can drop the unnecessary indirection
via backticks and just ask grep directly if there was any result.
Due to the missing ininitalization at adding/deleting entries, when
a plain_ip,port,net element was to be added, multiple elements were
added/deleted instead. The bug came from the missing dangling
default initialization.
The error-prone default initialization is corrected in all hash:* types.
The book-keeping of the different sized networks were bogus, fix it.
The broken code could lead invalid matching in such sets when the number
of different sized networks were greater than the smallest CIDR value of
the networks.
bitmap:ip and bitmap:ip,mac type did not reject such a crazy range
when created and using such a set results in a kernel crash.
The hash types just silently ignored such parameters.
projects / ipset / log