The book-keeping of the different sized networks were bogus, fix it.
The broken code could lead invalid matching in such sets when the number
of different sized networks were greater than the smallest CIDR value of
the networks.
bitmap:ip and bitmap:ip,mac type did not reject such a crazy range
when created and using such a set results in a kernel crash.
The hash types just silently ignored such parameters.
Jan Engelhardt [Sun, 1 Jul 2012 18:36:19 +0000 (20:36 +0200)]
build: restore -version-info
On Sunday 2012-07-01 19:20, Jozsef Kadlecsik wrote:
>[...]
>> * therefore the patch makes a clean restart,
>> using -version-info 3:0:0, to continue using .so.3
>> starting from ipset-6.13 until the next *real*
>> incompatible change.
>
>What is still unclear for me, why a clean restart is required. Looking
>into "libtool", as I see, "-version-number 3:0:1" and "-version-info
>3:0:1" produces the same result.
They don't. The libtool manual goes on attempting to explain
"-version-number" with C:R:A, though it could have been a lot easier
to just say "it copies the values as-is to the file suffix".
Commit v6.13~7 accidentally swapped "-version-info" with
"-version-number". Because "-version-number" takes the values
"FIRST:AGE:REV", which is different from "-version-info
CURRENT:REV:AGE", libipset.so.3 was emitted.
Restore using "-version-info" and continue to use 3 as the "FIRST"
interface (instead of 2), because it was declared that way in
ipset-6.13.
Also note that the version names in libipset.map generally are not
supposed to follow SO versions, but the program version):
IPSET_6.13 {...}.
Jozsef Kadlecsik [Tue, 19 Jun 2012 20:24:53 +0000 (22:24 +0200)]
ipset help lists set types multiple times, fixed (reported by Mr Dash Four)
ipset help listed every set type, including the ones with multiple
revisions - which were listed thus multiple times. Set types with
multiple revisions are listed once from now on.
Jozsef Kadlecsik [Tue, 19 Jun 2012 20:06:59 +0000 (22:06 +0200)]
The commandline parser was too permissive, make it more strict
The parser allowed more possible argument alternatives for
command options than the documented one, which limited the possibility
of other option names. The patch makes the parser more strict.
Timeout fixing bug broke SET target special timeout value, fixed
The patch "Fix timeout value overflow bug at large timeout parameters"
broke the SET target when no timeout was specified (reported by
Jean-Philippe Menil).
Jozsef Kadlecsik [Wed, 23 May 2012 21:27:42 +0000 (23:27 +0200)]
Allow saving to/restoring from a file without shell redirection
Mathieu Bridon suggested that in some environments where there is no
access to a full shell with input/output redirection, it'd be useful
to read from/write to directly a file (bugzilla #788).
The patch adds the new "-file" option to specify a filename to print
into when listing/saving sets or read from when restoring sets.
Neutron Soutmun [Thu, 10 May 2012 06:05:53 +0000 (08:05 +0200)]
Add dynamic module support to ipset userspace tool
The patch adds supporting dynamic modules for the set types to ipset
userspace tool. The dynamic module support can be enabled by the
--enable-settype-modules of "configure". The list of set types to
be compiled as dynamic modules can be specified in the
--with-settype-modules-list option. Example
Jesse Gross [Fri, 4 May 2012 14:55:03 +0000 (16:55 +0200)]
ipv6: Add fragment reporting to ipv6_skip_exthdr().
While parsing through IPv6 extension headers, fragment headers are
skipped making them invisible to the caller. This reports the
fragment offset of the last header in order to make it possible to
determine whether the packet is fragmented and, if so whether it is
a first or last fragment.
Henry Culver [Fri, 20 Jan 2012 12:40:55 +0000 (13:40 +0100)]
Fix the inclusion of linux/export.h
The tests for inclusion of linux/export.h in
ipset-6.11:kernel/net/netfilter/ipset/{ip_set_getport.c,pfxlen.c} are
incorrect, linux/export.h did not go in until 3.2.0.
Jozsef Kadlecsik [Sat, 14 Jan 2012 14:06:00 +0000 (15:06 +0100)]
Support hostnames and service names with dash
The square brackets are introduced as an escape mechanism to
enter hostnames or service names with dash in order to avoid
mixing up the dash in the name with the range notation.
Problem reported by Stephen Hemminger and Marc Guardiola.
Paul Gortmaker [Fri, 13 Jan 2012 20:28:45 +0000 (21:28 +0100)]
net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules
These files are non modular, but need to export symbols using
the macros now living in export.h -- call out the include so
that things won't break when we remove the implicit presence
of module.h from everywhere.
Jan Engelhardt [Sun, 1 Jan 2012 00:25:34 +0000 (01:25 +0100)]
build: install libipset in the right place
The .c files used to build the plugins for ipset all use #include
<libipset/...>, so the files we install should preferably also be in a
directory called "libipset" rather than just "ipset".
Distributors (like Fedora) might be interested in including the ipset
tools and libs, but they often don't want to build and ship external
kernel modules, especially if those modules are already included in
their kernel packages.
This patch introduces a new --with-kmod configure option that can be
used to conditionally build the kernel module. The module is still built
by default, to preserve compatibility.
A user who wants to build only the user-space part of ipset can do so by
running the following:
$ ./autogen.sh
$ configure --with-kmod=no
$ make
# make install
Greg Rose [Mon, 5 Sep 2011 15:11:40 +0000 (17:11 +0200)]
rtnetlink: Compute and store minimum ifinfo dump size
[The patch changes the API of the netlink_dump_start interface: port
it to the standalone ipset package.]
The message size allocated for rtnl ifinfo dumps was limited to
a single page. This is not enough for additional interface info
available with devices that support SR-IOV and caused a bug in
which VF info would not be displayed if more than approximately
40 VFs were created per interface.
Implement a new function pointer for the rtnl_register service that will
calculate the amount of data required for the ifinfo dump and allocate
enough data to satisfy the request.
Signed-off-by: Greg Rose <gregory.v.rose@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Remove redundant linux/version.h includes from net/
It was suggested by "make versioncheck" that the follwing includes of
linux/version.h are redundant:
/home/jj/src/linux-2.6/net/caif/caif_dev.c: 14 linux/version.h not needed.
/home/jj/src/linux-2.6/net/caif/chnl_net.c: 10 linux/version.h not needed.
/home/jj/src/linux-2.6/net/ipv4/gre.c: 19 linux/version.h not needed.
/home/jj/src/linux-2.6/net/netfilter/ipset/ip_set_core.c: 20 linux/version.h not needed.
/home/jj/src/linux-2.6/net/netfilter/xt_set.c: 16 linux/version.h not needed.
and it seems that it is right.
Beyond manually inspecting the source files I also did a few build
tests with various configs to confirm that including the header in
those files is indeed not needed.
Jozsef Kadlecsik [Wed, 31 Aug 2011 13:56:34 +0000 (15:56 +0200)]
Propagate "expose userspace-relevant parts in ip_set.h" to ipset source
With the header file restructuring, the ipset userspace enums IPSET_DIM_*
clash with the kernel ones. In this patch the userspace is converted to
use the kernel part enums and thus we got rid of userspace enums IPSET_DIM_*.
Jan Engelhardt [Wed, 31 Aug 2011 12:10:04 +0000 (14:10 +0200)]
netfilter: ipset: avoid use of kernel-only types
When using the xt_set.h header in userspace, one will get these gcc
reports:
ipset/ip_set.h:184:1: error: unknown type name "u16"
In file included from libxt_SET.c:21:0:
netfilter/xt_set.h:61:2: error: unknown type name "u32"
netfilter/xt_set.h:62:2: error: unknown type name "u32"
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Jozsef Kadlecsik [Wed, 31 Aug 2011 10:32:55 +0000 (12:32 +0200)]
Dumping error triggered removing references twice and lead to kernel BUG
If there was a dumping error in the middle, the set-specific variable was
not zeroed out and thus the 'done' function of the dumping wrongly tried
to release the already released reference of the set. The already released
reference was caught by __ip_set_put and triggered a kernel BUG message.
The issue was reported by Jean-Philippe Menil.
Jozsef Kadlecsik [Mon, 29 Aug 2011 15:08:55 +0000 (17:08 +0200)]
Autoload set type modules safely
Jan Engelhardt noticed when userspace requests a set type unknown
to the kernel, it can lead to a loop due to the unsafe type module
loading. The issue is fixed in this patch.
Chris Friesen [Sat, 9 Jul 2011 08:19:41 +0000 (10:19 +0200)]
Fix compiler warnings "'hash_ip4_data_next' declared inline after being called"
Some gcc versions warn about prototypes without "inline" when the declaration
includes the "inline" keyword. The fix generates a false error message
"marked inline, but without a definition" with sparse below 0.4.2.
Signed-off-by: Chris Friesen <chris.friesen@genband.com>
projects / ipset / log