]> granicus.if.org Git - ipset/log
ipset
8 years agoFix __aligned_u64 compatibility support for older kernel releases
Jozsef Kadlecsik [Mon, 29 Feb 2016 12:04:53 +0000 (13:04 +0100)]
Fix __aligned_u64 compatibility support for older kernel releases

The issue was reported by Mart Frauenlob.

8 years agoSupport older pkg-config packages
Jozsef Kadlecsik [Mon, 29 Feb 2016 12:02:08 +0000 (13:02 +0100)]
Support older pkg-config packages

Resolve the pkg-config 0.28 or greater dependency introduced by
the patch "Add bash completion to the install routine."

8 years agoAdd bash completion to the install routine.
Mart Frauenlob [Thu, 25 Feb 2016 15:01:40 +0000 (16:01 +0100)]
Add bash completion to the install routine.

Add the configure option --enable-bashcompl (default disabled).
The PKG_CHECK_VAR requires pkg-config 0.28 or greater.

Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
8 years agoAdd compatibility to support EXPORT_SYMBOL_GPL in module.h
Jozsef Kadlecsik [Wed, 24 Feb 2016 21:07:40 +0000 (22:07 +0100)]
Add compatibility to support EXPORT_SYMBOL_GPL in module.h

Fixes netfilter bugzilla id #1008

8 years agoFix misleading error message with comment extension
Jozsef Kadlecsik [Wed, 24 Feb 2016 20:10:19 +0000 (21:10 +0100)]
Fix misleading error message with comment extension

Error message was totally misleading when comment
extension was used when the set was defined without
the extension. Reported by Drunkard Zhang.

8 years agoFix set:list type crash when flush/dump set in parallel
Jozsef Kadlecsik [Wed, 24 Feb 2016 19:22:51 +0000 (20:22 +0100)]
Fix set:list type crash when flush/dump set in parallel

Flushing/listing entries was not RCU safe, so parallel flush/dump
could lead to kernel crash. Bug reported by Deniz Eren.

Fixes netfilter bugzilla id #1050.

8 years agonetfilter: nfnetlink: pass down netns pointer to call() and call_rcu()
Jozsef Kadlecsik [Tue, 16 Feb 2016 06:50:22 +0000 (07:50 +0100)]
netfilter: nfnetlink: pass down netns pointer to call() and call_rcu()

Backport patch from Pablo Neira Ayuso <pablo@netfilter.org>

8 years agoTest added to check 0.0.0.0/0,iface to be matched in hash:net,iface type
Jozsef Kadlecsik [Wed, 13 Jan 2016 08:28:07 +0000 (09:28 +0100)]
Test added to check 0.0.0.0/0,iface to be matched in hash:net,iface type

8 years agonetfilter: ipset: allow a 0 netmask with hash_netiface type
Florian Westphal [Tue, 12 Jan 2016 16:07:05 +0000 (17:07 +0100)]
netfilter: ipset: allow a 0 netmask with hash_netiface type

Jozsef says:
 The correct behaviour is that if we have
 ipset create test1 hash:net,iface
 ipset add test1 0.0.0.0/0,eth0
 iptables -A INPUT -m set --match-set test1 src,src

 then the rule should match for any traffic coming in through eth0.

This removes the -EINVAL runtime test to make matching work
in case packet arrived via the specified interface.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1297092
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
8 years agoFix link with libtool >= 2.4.4
Olivier Blin [Wed, 6 Jan 2016 23:21:09 +0000 (00:21 +0100)]
Fix link with libtool >= 2.4.4

As of libtool-2.4.4, -ldl is no longer prepended to LIBS.
Since types.c needs dlopen() and dlerror(), use LIBADD_DLOPEN, as
suggested in libtool-2.4.4 release notes.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoipset 6.27 released v6.27
Jozsef Kadlecsik [Sat, 7 Nov 2015 12:25:38 +0000 (13:25 +0100)]
ipset 6.27 released

9 years agoFix reported memory size for hash:* types
Jozsef Kadlecsik [Wed, 4 Nov 2015 08:44:29 +0000 (09:44 +0100)]
Fix reported memory size for hash:* types

The calculation of the full allocated memory did not take
into account the size of the base hash bucket structure at some
places.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoFix hash type expire: release empty hash bucket block
Jozsef Kadlecsik [Wed, 4 Nov 2015 08:48:39 +0000 (09:48 +0100)]
Fix hash type expire: release empty hash bucket block

When all entries are expired/all slots are empty, release the bucket.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoFix hash:* type expiration
Jozsef Kadlecsik [Wed, 4 Nov 2015 08:28:29 +0000 (09:28 +0100)]
Fix hash:* type expiration

Incorrect index was used when the data blob was shrinked at expiration,
which could lead to falsely expired entries and memory leak when
the comment extension was used too.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoCollapse same condition body to a single one
Jozsef Kadlecsik [Mon, 2 Nov 2015 19:27:58 +0000 (20:27 +0100)]
Collapse same condition body to a single one

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoFix extension alignment
Jozsef Kadlecsik [Sat, 7 Nov 2015 09:44:57 +0000 (10:44 +0100)]
Fix extension alignment

The data extensions in ipset lacked the proper memory alignment and
thus could lead to kernel crash on several architectures. Therefore
the structures have been reorganized and alignment attributes added
where needed. The patch was tested on armv7h by Gerhard Wiesinger and
on x86_64, sparc64 by Jozsef Kadlecsik.

Reported-by: Gerhard Wiesinger <lists@wiesinger.com>
Tested-by: Gerhard Wiesinger <lists@wiesinger.com>
Tested-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoCompatibility: include linux/export.h when needed
Jozsef Kadlecsik [Wed, 28 Oct 2015 16:14:28 +0000 (17:14 +0100)]
Compatibility: include linux/export.h when needed

9 years agoHandle uint64_t alignment issue in ipset tool
Jozsef Kadlecsik [Wed, 28 Oct 2015 16:13:31 +0000 (17:13 +0100)]
Handle uint64_t alignment issue in ipset tool

9 years agoCompatibility: make sure vmalloc.h is included for kvfree()
Jozsef Kadlecsik [Mon, 26 Oct 2015 17:54:19 +0000 (18:54 +0100)]
Compatibility: make sure vmalloc.h is included for kvfree()

9 years agoFix detecting 'struct net' in 'struct tcf_ematch'
Jozsef Kadlecsik [Mon, 19 Oct 2015 18:20:19 +0000 (20:20 +0200)]
Fix detecting 'struct net' in 'struct tcf_ematch'

Nikolay Borisov reported that the detection is broken. Fix checking in the
right sctructure and wrap the call to dev_get_by_index_rcu() too.

9 years agoProtect definition of RCU_INIT_POINTER in compatibility header file
Jozsef Kadlecsik [Mon, 19 Oct 2015 17:58:35 +0000 (19:58 +0200)]
Protect definition of RCU_INIT_POINTER in compatibility header file

Nikolay Borisov reported that in 3.12.47 RCU_INIT_POINTER is redefined
in ip_set_compat.h.in due to not protecting it individually.

9 years agonetfilter: ipset: Fix sleeping memory allocation in atomic context
Nikolay Borisov [Fri, 16 Oct 2015 06:40:28 +0000 (09:40 +0300)]
netfilter: ipset: Fix sleeping memory allocation in atomic context

Commit 00590fdd5be0 introduced RCU locking in list type and in
doing so introduced a memory allocation in list_set_add, which
is done in an atomic context, due to the fact that ipset rcu
list modifications are serialised with a spin lock. The reason
why we can't use a mutex is that in addition to modifying the
list with ipset commands, it's also being modified when a
particular ipset rule timeout expires aka garbage collection.
This gc is triggered from set_cleanup_entries, which in turn
is invoked from a timer thus requiring the lock to be bh-safe.

Concretely the following call chain can lead to "sleeping function
called in atomic context" splat:
call_ad -> list_set_uadt -> list_set_uadd -> kzalloc(, GFP_KERNEL).
And since GFP_KERNEL allows initiating direct reclaim thus
potentially sleeping in the allocation path.

To fix the issue change the allocation type to GFP_ATOMIC, to
correctly reflect that it is occuring in an atomic context.

Fixes: 00590fdd5be0 ("netfilter: ipset: Introduce RCU locking in list type")
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Nikolay Borisov <kernel@kyup.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoipset 6.26 released v6.26
Jozsef Kadlecsik [Fri, 28 Aug 2015 17:01:12 +0000 (19:01 +0200)]
ipset 6.26 released

9 years agoOut of bound access in hash:net* types fixed
Jozsef Kadlecsik [Tue, 25 Aug 2015 09:11:57 +0000 (11:11 +0200)]
Out of bound access in hash:net* types fixed

Dave Jones reported that KASan detected out of bounds access in hash:net*
types:

[   23.139532] ==================================================================
[   23.146130] BUG: KASan: out of bounds access in hash_net4_add_cidr+0x1db/0x220 at addr ffff8800d4844b58
[   23.152937] Write of size 4 by task ipset/457
[   23.159742] =============================================================================
[   23.166672] BUG kmalloc-512 (Not tainted): kasan: bad access detected
[   23.173641] -----------------------------------------------------------------------------
[   23.194668] INFO: Allocated in hash_net_create+0x16a/0x470 age=7 cpu=1 pid=456
[   23.201836]  __slab_alloc.constprop.66+0x554/0x620
[   23.208994]  __kmalloc+0x2f2/0x360
[   23.216105]  hash_net_create+0x16a/0x470
[   23.223238]  ip_set_create+0x3e6/0x740
[   23.230343]  nfnetlink_rcv_msg+0x599/0x640
[   23.237454]  netlink_rcv_skb+0x14f/0x190
[   23.244533]  nfnetlink_rcv+0x3f6/0x790
[   23.251579]  netlink_unicast+0x272/0x390
[   23.258573]  netlink_sendmsg+0x5a1/0xa50
[   23.265485]  SYSC_sendto+0x1da/0x2c0
[   23.272364]  SyS_sendto+0xe/0x10
[   23.279168]  entry_SYSCALL_64_fastpath+0x12/0x6f

The bug is fixed in the patch and the testsuite is extended in ipset
to check cidr handling more thoroughly.

9 years agoWarn about loaded in ip_set modules at module installation
Jozsef Kadlecsik [Tue, 25 Aug 2015 08:48:37 +0000 (10:48 +0200)]
Warn about loaded in ip_set modules at module installation

9 years agoUse IPSET_BIN in resize-and-list.sh and suppress echoing of loop variable
Jozsef Kadlecsik [Mon, 24 Aug 2015 15:12:23 +0000 (17:12 +0200)]
Use IPSET_BIN in resize-and-list.sh and suppress echoing of loop variable

9 years agoManpage typo corrections
David Wittman [Mon, 20 Jul 2015 12:05:13 +0000 (14:05 +0200)]
Manpage typo corrections

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoFix grammar error in manpage
Neutron Soutmun [Mon, 20 Jul 2015 10:21:56 +0000 (17:21 +0700)]
Fix grammar error in manpage

Refer to: https://bugs.launchpad.net/ubuntu/+source/lintian/+bug/608231

The "allows to" is a common grammar error which it will probably be
replaced by "allows one to" as a suggestion in above bug report page.

Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoMake struct htype per ipset family
Jozsef Kadlecsik [Fri, 26 Jun 2015 13:13:18 +0000 (15:13 +0200)]
Make struct htype per ipset family

Before this patch struct htype created at the first source
of ip_set_hash_gen.h and it is common for both IPv4 and IPv6
set variants.

Make struct htype per ipset family and use NLEN to make
nets array fixed size to simplify struct htype allocation.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

9 years agoOptimize hash creation routine
Jozsef Kadlecsik [Fri, 26 Jun 2015 09:45:09 +0000 (11:45 +0200)]
Optimize hash creation routine

Exit as easly as possible on error and use RCU_INIT_POINTER()
as set is not seen at creation time.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

9 years agoMake sure element data size is a multiple of u32
Jozsef Kadlecsik [Fri, 26 Jun 2015 09:16:28 +0000 (11:16 +0200)]
Make sure element data size is a multiple of u32

Data for hashing required to be array of u32. Make sure that
element data always multiple of u32.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

9 years agoMake NLEN compile time constant for hash types
Jozsef Kadlecsik [Fri, 26 Jun 2015 09:05:54 +0000 (11:05 +0200)]
Make NLEN compile time constant for hash types

Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h
and the only place where NLEN needed to be calculated at runtime
is *_create() method.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

9 years agoSimplify mtype_expire() for hash types
Jozsef Kadlecsik [Fri, 26 Jun 2015 08:14:47 +0000 (10:14 +0200)]
Simplify mtype_expire() for hash types

Remove redundant parameters nets_length and dsize:
they could be get from other parameters.

Remove one leve of intendation by using continue while
iterating over elements in bucket.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

9 years agoCount non-static extension memory into the set memory size for userspace
Jozsef Kadlecsik [Fri, 26 Jun 2015 07:40:14 +0000 (09:40 +0200)]
Count non-static extension memory into the set memory size for userspace

Non-static (i.e. comment) extension was not counted into the memory
size. A new internal counter is introduced for this. In the case of
the hash types the sizes of the arrays are counted there as well so
that we can avoid to scan the whole set when just the header data
is requested.

9 years agonet: sched: Simplify em_ipset_match
Eric W. Biederman [Thu, 25 Jun 2015 09:48:23 +0000 (11:48 +0200)]
net: sched: Simplify em_ipset_match

em->net is always set and always available, use it in preference
to dev_net(skb->dev).

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoipset 6.25.1 released v6.25.1
Jozsef Kadlecsik [Thu, 25 Jun 2015 09:19:08 +0000 (11:19 +0200)]
ipset 6.25.1 released

9 years agonet/netfilter/ipset: work around gcc-4.4.4 initializer bug
Andrew Morton [Thu, 25 Jun 2015 09:15:39 +0000 (11:15 +0200)]
net/netfilter/ipset: work around gcc-4.4.4 initializer bug

gcc-4.4.4 (at least) isn't able to handle the mixture of anonymous unions
and declaration-time intializers.  Work around this.

net/netfilter/ipset/ip_set_hash_netnet.c: In function 'hash_netnet4_uadt':
net/netfilter/ipset/ip_set_hash_netnet.c:163: error: unknown field 'cidr' specified in initializer
net/netfilter/ipset/ip_set_hash_netnet.c:163: warning: missing braces around initializer
net/netfilter/ipset/ip_set_hash_netnet.c:163: warning: (near initialization for 'e.<anonymous>.ip')
...

Fixes: ea53ac5b630e813ae ("netfilter: ipset: Add hash:net,net module to kernel.)
Cc: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoipset manpage: refer to iptables-extensions
Jozsef Kadlecsik [Thu, 25 Jun 2015 08:49:24 +0000 (10:49 +0200)]
ipset manpage: refer to iptables-extensions

9 years agoUpdate userspace header file from the kernel tree
Jozsef Kadlecsik [Thu, 25 Jun 2015 08:24:18 +0000 (10:24 +0200)]
Update userspace header file from the kernel tree

9 years agoHandle 'extern "C" {' in check_libmap.sh
Jozsef Kadlecsik [Thu, 25 Jun 2015 08:20:41 +0000 (10:20 +0200)]
Handle 'extern "C" {' in check_libmap.sh

9 years agoipset 6.25 released v6.25
Jozsef Kadlecsik [Thu, 25 Jun 2015 08:05:19 +0000 (10:05 +0200)]
ipset 6.25 released

9 years agoAdd element count to all set types header
Jozsef Kadlecsik [Thu, 25 Jun 2015 07:29:20 +0000 (09:29 +0200)]
Add element count to all set types header

It is better to list the set elements for all set types, thus the
header information is uniform. Element counts are therefore added
to the bitmap and list types.

9 years agoAdd element count to hash headers
Eric B Munson [Fri, 29 May 2015 15:36:25 +0000 (11:36 -0400)]
Add element count to hash headers

It would be useful for userspace to query the size of an ipset hash,
however, this data is not exposed to userspace outside of counting the
number of member entries.  This patch uses the attribute
IPSET_ATTR_ELEMENTS to indicate the size in the the header that is
exported to userspace.  This field is then printed by the userspace
tool for hashes.

Because it is only meaningful for hashes to report their size, the
output is conditional on the set type.  To do this checking the
MATCH_TYPENAME macro was moved to utils.h.

The bulk of this patch changes the expected test suite to account for
the change in output.

Signed-off-by: Eric B Munson <emunson@akamai.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Josh Hunt <johunt@akamai.com>
Cc: netfilter-devel@vger.kernel.org
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetlink: implement nla_put_in_addr and nla_put_in6_addr
Jiri Benc [Sat, 13 Jun 2015 19:46:47 +0000 (21:46 +0200)]
netlink: implement nla_put_in_addr and nla_put_in6_addr

IP addresses are often stored in netlink attributes. Add generic functions
to do that.

For nla_put_in_addr, it would be nicer to pass struct in_addr but this is
not used universally throughout the kernel, in way too many places __be32 is
used to store IPv4 address.

Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Compatibility part added.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: deinline ip_set_put_extensions()
Denys Vlasenko [Sat, 13 Jun 2015 19:34:08 +0000 (21:34 +0200)]
netfilter: ipset: deinline ip_set_put_extensions()

n x86 allyesconfig build:
The function compiles to 489 bytes of machine code.
It has 25 callsites.

    text    data       bss       dec     hex filename
82441375 22255384 20627456 125324215 7784bb7 vmlinux.before
82434909 22255384 20627456 125317749 7783275 vmlinux

Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
CC: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
CC: Eric W. Biederman <ebiederm@xmission.com>
CC: David S. Miller <davem@davemloft.net>
CC: Jan Engelhardt <jengelh@medozas.de>
CC: Jiri Pirko <jpirko@redhat.com>
CC: linux-kernel@vger.kernel.org
CC: netdev@vger.kernel.org
CC: netfilter-devel@vger.kernel.org
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoFix error path in mtype_resize() when new hash bucket cannot be allocated
Jozsef Kadlecsik [Sat, 13 Jun 2015 19:26:14 +0000 (21:26 +0200)]
Fix error path in mtype_resize() when new hash bucket cannot be allocated

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoThere is no need to call synchronize_rcu() after list_add_rcu()
Jozsef Kadlecsik [Sat, 13 Jun 2015 19:22:32 +0000 (21:22 +0200)]
There is no need to call synchronize_rcu() after list_add_rcu()

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoFix typo in function name get_phyoutdev_name()
Jozsef Kadlecsik [Sat, 13 Jun 2015 19:21:01 +0000 (21:21 +0200)]
Fix typo in function name get_phyoutdev_name()

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Separate memsize calculation code into dedicated functions
Jozsef Kadlecsik [Wed, 6 May 2015 05:48:20 +0000 (07:48 +0200)]
netfilter: ipset: Separate memsize calculation code into dedicated functions

Hash types already has it's memsize calculation code in separate
functions. Do the same for *bitmap* and *list* sets.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

Suggested-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Split extensions into separate files
Jozsef Kadlecsik [Wed, 6 May 2015 05:37:04 +0000 (07:37 +0200)]
netfilter: ipset: Split extensions into separate files

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

Suggested-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Improve comment extension helpers
Jozsef Kadlecsik [Wed, 6 May 2015 05:27:28 +0000 (07:27 +0200)]
netfilter: ipset: Improve comment extension helpers

Allocate memory with kmalloc() rather than kzalloc().

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

Suggested-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Improve skbinfo get/init helpers
Jozsef Kadlecsik [Tue, 5 May 2015 15:13:28 +0000 (17:13 +0200)]
netfilter: ipset: Improve skbinfo get/init helpers

Use struct ip_set_skbinfo in struct ip_set_ext instead of open
coded fields and assign structure members in get/init helpers
instead of copying members one by one.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

Suggested-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Headers file cleanup
Jozsef Kadlecsik [Tue, 5 May 2015 14:59:50 +0000 (16:59 +0200)]
netfilter: ipset: Headers file cleanup

Remove extra whitespace, group counter helper together. Mark some of
the helpers arguments as const.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

Suggested-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Correct rcu_dereference_bh_nfnl() usage
Jozsef Kadlecsik [Tue, 5 May 2015 14:48:50 +0000 (16:48 +0200)]
netfilter: ipset: Correct rcu_dereference_bh_nfnl() usage

When rcu_dereference_bh_nfnl() macro would be defined on the target
system if will accept pointer and subsystem id.

Check if rcu_dereference_bh_nfnl() is defined and make it accepting two
arguments.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

Suggested-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: bridge: add helpers for fetching physin/outdev pablo
Florian Westphal [Mon, 27 Apr 2015 19:48:33 +0000 (21:48 +0200)]
netfilter: bridge: add helpers for fetching physin/outdev

right now we store this in the nf_bridge_info struct, accessible
via skb->nf_bridge.  This patch prepares removal of this pointer from skb:

Instead of using skb->nf_bridge->x, we use helpers to obtain the in/out
device (or ifindexes).

Followup patches to netfilter will then allow nf_bridge_info to be
obtained by a call into the br_netfilter core, rather than keeping a
pointer to it in sk_buff.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoWhen a single set is destroyed, make sure it can't be grabbed by dump
Jozsef Kadlecsik [Sun, 26 Apr 2015 08:48:23 +0000 (10:48 +0200)]
When a single set is destroyed, make sure it can't be grabbed by dump

9 years agoIn comment extension ip_set_comment_free() is always called in a safe path
Jozsef Kadlecsik [Sun, 26 Apr 2015 08:46:47 +0000 (10:46 +0200)]
In comment extension ip_set_comment_free() is always called in a safe path

9 years agoAdd rcu_barrier() to module removal in the bitmap types too
Jozsef Kadlecsik [Fri, 17 Apr 2015 18:42:17 +0000 (20:42 +0200)]
Add rcu_barrier() to module removal in the bitmap types too

9 years agoFix coding styles reported by the most recent checkpatch.pl.
Jozsef Kadlecsik [Fri, 17 Apr 2015 18:39:34 +0000 (20:39 +0200)]
Fix coding styles reported by the most recent checkpatch.pl.

9 years agoMake sure bitmap:ip,mac detects the proper MAC even when it's overwritten
Jozsef Kadlecsik [Sun, 29 Mar 2015 14:34:52 +0000 (16:34 +0200)]
Make sure bitmap:ip,mac detects the proper MAC even when it's overwritten

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoRCU safe comment extension handling
Jozsef Kadlecsik [Sun, 29 Mar 2015 10:13:53 +0000 (12:13 +0200)]
RCU safe comment extension handling

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoMake sure the proper is_destroyed value is checked at dumping
Jozsef Kadlecsik [Sun, 29 Mar 2015 11:32:10 +0000 (13:32 +0200)]
Make sure the proper is_destroyed value is checked at dumping

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoFix broken commit "Check extensions attributes before getting extensions."
Jozsef Kadlecsik [Sun, 29 Mar 2015 12:58:51 +0000 (14:58 +0200)]
Fix broken commit "Check extensions attributes before getting extensions."

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Improve preprocessor macros checks
Sergey Popovich [Fri, 23 Jan 2015 13:24:50 +0000 (15:24 +0200)]
netfilter: ipset: Improve preprocessor macros checks

Check if mandatory MTYPE, HTYPE and HOST_MASK macros
defined.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Fix hashing for ipv6 sets
Sergey Popovich [Fri, 23 Jan 2015 12:58:45 +0000 (14:58 +0200)]
netfilter: ipset: Fix hashing for ipv6 sets

HKEY_DATALEN remains defined after first inclusion
of ip_set_hash_gen.h, so it is incorrectly reused
for IPv6 code.

Undefine HKEY_DATALEN in ip_set_hash_gen.h at the end.

Also remove some useless defines of HKEY_DATALEN in
ip_set_hash_{ip{,mark,port},netiface}.c as ip_set_hash_gen.h
defines it correctly for such set types anyway.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Fix ext_*() macros
Sergey Popovich [Tue, 20 Jan 2015 14:00:14 +0000 (16:00 +0200)]
netfilter: ipset: Fix ext_*() macros

So pointers returned by these macros could be
referenced with -> directly.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Check for comment netlink attribute length
Sergey Popovich [Tue, 20 Jan 2015 12:03:19 +0000 (14:03 +0200)]
netfilter: ipset: Check for comment netlink attribute length

Ensure userspace supplies string not longer than
IPSET_MAX_COMMENT_SIZE.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Return bool values instead of int
Sergey Popovich [Mon, 17 Nov 2014 19:21:40 +0000 (21:21 +0200)]
netfilter: ipset: Return bool values instead of int

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Check CIDR value only when attribute is given
Sergey Popovich [Mon, 17 Nov 2014 16:45:10 +0000 (18:45 +0200)]
netfilter: ipset: Check CIDR value only when attribute is given

There is no reason to check CIDR value regardless attribute
specifying CIDR is given.

Initialize cidr array in element structure on element structure
declaration to let more freedom to the compiler to optimize
initialization right before element structure is used.

Remove local variables cidr and cidr2 for netnet and netportnet
hashes as we do not use packed cidr value for such set types and
can store value directly in e.cidr[].

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Make sure we always return line number on batch
Sergey Popovich [Mon, 17 Nov 2014 16:03:00 +0000 (18:03 +0200)]
netfilter: ipset: Make sure we always return line number on batch

Even if we return with generic IPSET_ERR_PROTOCOL it is good idea
to return line number if we called in batch mode.

Moreover we are not always exiting with IPSET_ERR_PROTOCOL. For
example hash:ip,port,net may return IPSET_ERR_HASH_RANGE_UNSUPPORTED
or IPSET_ERR_INVALID_CIDR.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Permit CIDR equal to the host address CIDR in IPv6
Sergey Popovich [Mon, 17 Nov 2014 15:42:44 +0000 (17:42 +0200)]
netfilter: ipset: Permit CIDR equal to the host address CIDR in IPv6

Permit userspace to supply CIDR length equal to the host address CIDR
length in netlink message. Prohibit any other CIDR length for IPv6
variant of the set.

Also return -IPSET_ERR_HASH_RANGE_UNSUPPORTED instead of generic
-IPSET_ERR_PROTOCOL in IPv6 variant of hash:ip,port,net when
IPSET_ATTR_IP_TO attribute is given.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Use HOST_MASK literal to represent host address CIDR len
Sergey Popovich [Mon, 17 Nov 2014 15:34:47 +0000 (17:34 +0200)]
netfilter: ipset: Use HOST_MASK literal to represent host address CIDR len

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Check IPSET_ATTR_PORT only once
Sergey Popovich [Mon, 17 Nov 2014 15:08:37 +0000 (17:08 +0200)]
netfilter: ipset: Check IPSET_ATTR_PORT only once

We do not need to check tb[IPSET_ATTR_PORT] != NULL before
retrieving port, as this attribute is known to exist due to
ip_set_attr_netorder() returning true only when attribute
exists and it is in network byte order.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Check extensions attributes before getting extensions.
Sergey Popovich [Mon, 17 Nov 2014 11:44:17 +0000 (13:44 +0200)]
netfilter: ipset: Check extensions attributes before getting extensions.

Make all extensions attributes checks within ip_set_get_extensions()
and reduce number of duplicated code.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Use SET_WITH_*() helpers to test set extensions
Sergey Popovich [Mon, 17 Nov 2014 11:06:26 +0000 (13:06 +0200)]
netfilter: ipset: Use SET_WITH_*() helpers to test set extensions

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Return ipset error instead of bool
Sergey Popovich [Mon, 17 Nov 2014 09:50:37 +0000 (11:50 +0200)]
netfilter: ipset: Return ipset error instead of bool

Statement ret = func1() || func2() returns 0 when both func1()
and func2() return 0, or 1 if func1() or func2() returns non-zero.

However in our case func1() and func2() returns error code on
failure, so it seems good to propagate such error codes, rather
than returning 1 in case of failure.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Preprocessor directices cleanup
Sergey Popovich [Sat, 15 Nov 2014 10:08:44 +0000 (12:08 +0200)]
netfilter: ipset: Preprocessor directices cleanup

 * Undefine mtype_data_reset_elem before defining.

 * Remove duplicated mtype_gc_init undefine, move
   mtype_gc_init define closer to mtype_gc define.

 * Use htype instead of HTYPE in IPSET_TOKEN(HTYPE, _create)().

 * Remove PF definition from sets: no more used.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: No need to make nomatch bitfield
Sergey Popovich [Sat, 15 Nov 2014 09:17:38 +0000 (11:17 +0200)]
netfilter: ipset: No need to make nomatch bitfield

We do not store cidr packed with no match, so there is no
need to make nomatch bitfield.

This simplifies mtype_data_reset_flags() a bit.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoMake sure bit operations are not reordered
Jozsef Kadlecsik [Thu, 19 Mar 2015 12:24:47 +0000 (13:24 +0100)]
Make sure bit operations are not reordered

Sergey Popovich pointed out that {set,clear}_bit() operations
must be protected against instruction reordering.

9 years agoSupport linking libipset to C++ programs
Jozsef Kadlecsik [Wed, 18 Mar 2015 19:58:25 +0000 (20:58 +0100)]
Support linking libipset to C++ programs

Issue reported by Pavel Odintsov.

9 years agonetfilter: ipset: Properly calculate extensions offsets and total length
Sergey Popovich [Mon, 16 Mar 2015 13:40:11 +0000 (15:40 +0200)]
netfilter: ipset: Properly calculate extensions offsets and total length

Offsets and total length returned by the ip_set_elem_len()
calculated incorrectly as initial set element length (i.e.
len parameter) is used multiple times in offset calculations,
also affecting set element total length.

Use initial set element length as start offset, do not add aligned
extension offset to the offset. Return offset as total length of
the set element.

This reduces memory requirements on per element basic for the
hash:* type of sets.

For example output from 'ipset -terse list test-1' on 64-bit PC,
where test-1 is generated via following script:

  #!/bin/bash

  set_name='test-1'

  ipset create "$set_name" hash:net family inet \
              timeout 10800 counters comment \
              hashsize 65536 maxelem 65536

  declare -i o3 o4
  fmt="add $set_name 192.168.%u.%u\n"

  for ((o3 = 0; o3 < 256; o3++)); do
      for ((o4 = 0; o4 < 256; o4++)); do
          printf "$fmt" $o3 $o4
      done
  done |ipset -exist restore

BEFORE this patch is applied

  # ipset -terse list test-1
  Name: test-1
  Type: hash:net
  Revision: 6
  Header: family inet hashsize 65536 maxelem 65536
timeout 10800 counters comment
  Size in memory: 26348440

and AFTER applying patch

  # ipset -terse list test-1
  Name: test-1
  Type: hash:net
  Revision: 6
  Header: family inet hashsize 65536 maxelem 65536
timeout 10800 counters comment
  Size in memory: 7706392
  References: 0

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoipset: propose rewording in manpage
Neutron Soutmun [Fri, 13 Mar 2015 02:00:19 +0000 (09:00 +0700)]
ipset: propose rewording in manpage

I have prepared the patch which refers to
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780336,
reported and proposed by H. Renault <hr@herverenault.fr>.

man ipset reads:

    del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
        Delete an entry from a set. If the -exist option is specified,
        ipset ignores if the entry does not added to  (already expired
        from)  the set.

Proposed rewording:

        Delete an entry from a set. If the -exist option is specified
        and the entry is not in the set (maybe already expired), then
        the command is ignored.

Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoFix cidr handling for hash:*net* types
Jozsef Kadlecsik [Fri, 13 Mar 2015 20:18:58 +0000 (21:18 +0100)]
Fix cidr handling for hash:*net* types

Commit 092d67cda9ad4 broke the cidr handling for the hash:*net* types
when the sets were used by the SET target: entries with invalid cidr
values were added to the sets. Reported by Jonathan Johnson.

Testsuite entry is added to verify the fix.

9 years agonetfilter: ipset: fix boolreturn.cocci warnings
kbuild test robot [Wed, 11 Feb 2015 12:33:05 +0000 (20:33 +0800)]
netfilter: ipset: fix boolreturn.cocci warnings

net/netfilter/xt_set.c:196:9-10: WARNING: return of 0/1 in function 'set_match_v3' with return type bool
net/netfilter/xt_set.c:242:9-10: WARNING: return of 0/1 in function 'set_match_v4' with return type bool

 Return statements in functions returning bool should use
 true/false instead of 1/0.
Generated by: scripts/coccinelle/misc/boolreturn.cocci

CC: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: make ip_set_get_ip*_port to use skb_network_offset
Alexander Drozdov [Fri, 6 Mar 2015 10:44:06 +0000 (13:44 +0300)]
netfilter: ipset: make ip_set_get_ip*_port to use skb_network_offset

All the ipset functions respect skb->network_header value,
except for ip_set_get_ip4_port() & ip_set_get_ip6_port(). The
functions should use skb_network_offset() to get the transport
header offset.

Signed-off-by: Alexander Drozdov <al.drozdov@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoMake sure listing doesn't grab a set which is just being destroyed.
Jozsef Kadlecsik [Thu, 8 Jan 2015 17:55:00 +0000 (18:55 +0100)]
Make sure listing doesn't grab a set which is just being destroyed.

There was a small window when all sets are destroyed and a concurrent
listing of all sets could grab a set which is just being destroyed.

9 years agoMissing rcu_read_lock() and _unlock() in mtype_list() fixed
Jozsef Kadlecsik [Tue, 6 Jan 2015 07:32:28 +0000 (08:32 +0100)]
Missing rcu_read_lock() and _unlock() in mtype_list() fixed

9 years agoMore compatibility checking and simplifications
Jozsef Kadlecsik [Mon, 29 Dec 2014 21:28:17 +0000 (22:28 +0100)]
More compatibility checking and simplifications

Try hard to keep the support of the 2.6.32 kernel tree and
simplify the code with self-referential macros.

9 years agoCompatibility: define RCU_INIT_POINTER when __rcu is not defined
Jozsef Kadlecsik [Wed, 17 Dec 2014 07:04:19 +0000 (08:04 +0100)]
Compatibility: define RCU_INIT_POINTER when __rcu is not defined

9 years agoCompatibility: check kernel source for list_last_entry
Jozsef Kadlecsik [Wed, 17 Dec 2014 06:44:37 +0000 (07:44 +0100)]
Compatibility: check kernel source for list_last_entry

list_last_entry is missing on CentOS7, reported by Ricardo Klein.

9 years agoFix coding styles reported by checkpatch.pl
Jozsef Kadlecsik [Wed, 17 Dec 2014 06:43:45 +0000 (07:43 +0100)]
Fix coding styles reported by checkpatch.pl

9 years agoUse nlmsg_total_size instead of NLMSG_SPACE in ip_set_core.c.
Jozsef Kadlecsik [Thu, 11 Dec 2014 20:43:56 +0000 (21:43 +0100)]
Use nlmsg_total_size instead of NLMSG_SPACE in ip_set_core.c.

9 years agoThere's no need to call synchronize_rcu() with kfree_rcu()
Jozsef Kadlecsik [Tue, 6 Jan 2015 07:22:05 +0000 (08:22 +0100)]
There's no need to call synchronize_rcu() with kfree_rcu()

10 years agoCall rcu_barrier() in module removal path
Jozsef Kadlecsik [Wed, 10 Dec 2014 06:34:43 +0000 (07:34 +0100)]
Call rcu_barrier() in module removal path

10 years agoCall synchronize_rcu() in set type (un)register functions only when needed
Jozsef Kadlecsik [Wed, 10 Dec 2014 06:31:43 +0000 (07:31 +0100)]
Call synchronize_rcu() in set type (un)register functions only when needed

10 years agoRemove an unused macro
Jozsef Kadlecsik [Wed, 10 Dec 2014 06:31:01 +0000 (07:31 +0100)]
Remove an unused macro

10 years agoGive a better name to a macro in ip_set_core.c
Jozsef Kadlecsik [Wed, 10 Dec 2014 06:29:29 +0000 (07:29 +0100)]
Give a better name to a macro in ip_set_core.c

10 years agoResolve the STREQ macro to make the code more readable, and use nla_strlcpy where...
Jozsef Kadlecsik [Wed, 10 Dec 2014 06:27:35 +0000 (07:27 +0100)]
Resolve the STREQ macro to make the code more readable, and use nla_strlcpy where possible

10 years agoUse MSEC_PER_SEC consistently
Jozsef Kadlecsik [Mon, 1 Dec 2014 06:11:54 +0000 (07:11 +0100)]
Use MSEC_PER_SEC consistently

10 years agoMake possible to pass extra flags to sparse (userspace)
Jozsef Kadlecsik [Thu, 27 Nov 2014 17:05:40 +0000 (18:05 +0100)]
Make possible to pass extra flags to sparse (userspace)