]> granicus.if.org Git - ipset/log
ipset
9 years agoFix grammar error in manpage
Neutron Soutmun [Mon, 20 Jul 2015 10:21:56 +0000 (17:21 +0700)]
Fix grammar error in manpage

Refer to: https://bugs.launchpad.net/ubuntu/+source/lintian/+bug/608231

The "allows to" is a common grammar error which it will probably be
replaced by "allows one to" as a suggestion in above bug report page.

Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoMake struct htype per ipset family
Jozsef Kadlecsik [Fri, 26 Jun 2015 13:13:18 +0000 (15:13 +0200)]
Make struct htype per ipset family

Before this patch struct htype created at the first source
of ip_set_hash_gen.h and it is common for both IPv4 and IPv6
set variants.

Make struct htype per ipset family and use NLEN to make
nets array fixed size to simplify struct htype allocation.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

9 years agoOptimize hash creation routine
Jozsef Kadlecsik [Fri, 26 Jun 2015 09:45:09 +0000 (11:45 +0200)]
Optimize hash creation routine

Exit as easly as possible on error and use RCU_INIT_POINTER()
as set is not seen at creation time.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

9 years agoMake sure element data size is a multiple of u32
Jozsef Kadlecsik [Fri, 26 Jun 2015 09:16:28 +0000 (11:16 +0200)]
Make sure element data size is a multiple of u32

Data for hashing required to be array of u32. Make sure that
element data always multiple of u32.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

9 years agoMake NLEN compile time constant for hash types
Jozsef Kadlecsik [Fri, 26 Jun 2015 09:05:54 +0000 (11:05 +0200)]
Make NLEN compile time constant for hash types

Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h
and the only place where NLEN needed to be calculated at runtime
is *_create() method.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

9 years agoSimplify mtype_expire() for hash types
Jozsef Kadlecsik [Fri, 26 Jun 2015 08:14:47 +0000 (10:14 +0200)]
Simplify mtype_expire() for hash types

Remove redundant parameters nets_length and dsize:
they could be get from other parameters.

Remove one leve of intendation by using continue while
iterating over elements in bucket.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

9 years agoCount non-static extension memory into the set memory size for userspace
Jozsef Kadlecsik [Fri, 26 Jun 2015 07:40:14 +0000 (09:40 +0200)]
Count non-static extension memory into the set memory size for userspace

Non-static (i.e. comment) extension was not counted into the memory
size. A new internal counter is introduced for this. In the case of
the hash types the sizes of the arrays are counted there as well so
that we can avoid to scan the whole set when just the header data
is requested.

9 years agonet: sched: Simplify em_ipset_match
Eric W. Biederman [Thu, 25 Jun 2015 09:48:23 +0000 (11:48 +0200)]
net: sched: Simplify em_ipset_match

em->net is always set and always available, use it in preference
to dev_net(skb->dev).

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoipset 6.25.1 released v6.25.1
Jozsef Kadlecsik [Thu, 25 Jun 2015 09:19:08 +0000 (11:19 +0200)]
ipset 6.25.1 released

9 years agonet/netfilter/ipset: work around gcc-4.4.4 initializer bug
Andrew Morton [Thu, 25 Jun 2015 09:15:39 +0000 (11:15 +0200)]
net/netfilter/ipset: work around gcc-4.4.4 initializer bug

gcc-4.4.4 (at least) isn't able to handle the mixture of anonymous unions
and declaration-time intializers.  Work around this.

net/netfilter/ipset/ip_set_hash_netnet.c: In function 'hash_netnet4_uadt':
net/netfilter/ipset/ip_set_hash_netnet.c:163: error: unknown field 'cidr' specified in initializer
net/netfilter/ipset/ip_set_hash_netnet.c:163: warning: missing braces around initializer
net/netfilter/ipset/ip_set_hash_netnet.c:163: warning: (near initialization for 'e.<anonymous>.ip')
...

Fixes: ea53ac5b630e813ae ("netfilter: ipset: Add hash:net,net module to kernel.)
Cc: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoipset manpage: refer to iptables-extensions
Jozsef Kadlecsik [Thu, 25 Jun 2015 08:49:24 +0000 (10:49 +0200)]
ipset manpage: refer to iptables-extensions

9 years agoUpdate userspace header file from the kernel tree
Jozsef Kadlecsik [Thu, 25 Jun 2015 08:24:18 +0000 (10:24 +0200)]
Update userspace header file from the kernel tree

9 years agoHandle 'extern "C" {' in check_libmap.sh
Jozsef Kadlecsik [Thu, 25 Jun 2015 08:20:41 +0000 (10:20 +0200)]
Handle 'extern "C" {' in check_libmap.sh

9 years agoipset 6.25 released v6.25
Jozsef Kadlecsik [Thu, 25 Jun 2015 08:05:19 +0000 (10:05 +0200)]
ipset 6.25 released

9 years agoAdd element count to all set types header
Jozsef Kadlecsik [Thu, 25 Jun 2015 07:29:20 +0000 (09:29 +0200)]
Add element count to all set types header

It is better to list the set elements for all set types, thus the
header information is uniform. Element counts are therefore added
to the bitmap and list types.

9 years agoAdd element count to hash headers
Eric B Munson [Fri, 29 May 2015 15:36:25 +0000 (11:36 -0400)]
Add element count to hash headers

It would be useful for userspace to query the size of an ipset hash,
however, this data is not exposed to userspace outside of counting the
number of member entries.  This patch uses the attribute
IPSET_ATTR_ELEMENTS to indicate the size in the the header that is
exported to userspace.  This field is then printed by the userspace
tool for hashes.

Because it is only meaningful for hashes to report their size, the
output is conditional on the set type.  To do this checking the
MATCH_TYPENAME macro was moved to utils.h.

The bulk of this patch changes the expected test suite to account for
the change in output.

Signed-off-by: Eric B Munson <emunson@akamai.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Josh Hunt <johunt@akamai.com>
Cc: netfilter-devel@vger.kernel.org
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetlink: implement nla_put_in_addr and nla_put_in6_addr
Jiri Benc [Sat, 13 Jun 2015 19:46:47 +0000 (21:46 +0200)]
netlink: implement nla_put_in_addr and nla_put_in6_addr

IP addresses are often stored in netlink attributes. Add generic functions
to do that.

For nla_put_in_addr, it would be nicer to pass struct in_addr but this is
not used universally throughout the kernel, in way too many places __be32 is
used to store IPv4 address.

Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Compatibility part added.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: deinline ip_set_put_extensions()
Denys Vlasenko [Sat, 13 Jun 2015 19:34:08 +0000 (21:34 +0200)]
netfilter: ipset: deinline ip_set_put_extensions()

n x86 allyesconfig build:
The function compiles to 489 bytes of machine code.
It has 25 callsites.

    text    data       bss       dec     hex filename
82441375 22255384 20627456 125324215 7784bb7 vmlinux.before
82434909 22255384 20627456 125317749 7783275 vmlinux

Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
CC: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
CC: Eric W. Biederman <ebiederm@xmission.com>
CC: David S. Miller <davem@davemloft.net>
CC: Jan Engelhardt <jengelh@medozas.de>
CC: Jiri Pirko <jpirko@redhat.com>
CC: linux-kernel@vger.kernel.org
CC: netdev@vger.kernel.org
CC: netfilter-devel@vger.kernel.org
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoFix error path in mtype_resize() when new hash bucket cannot be allocated
Jozsef Kadlecsik [Sat, 13 Jun 2015 19:26:14 +0000 (21:26 +0200)]
Fix error path in mtype_resize() when new hash bucket cannot be allocated

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoThere is no need to call synchronize_rcu() after list_add_rcu()
Jozsef Kadlecsik [Sat, 13 Jun 2015 19:22:32 +0000 (21:22 +0200)]
There is no need to call synchronize_rcu() after list_add_rcu()

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoFix typo in function name get_phyoutdev_name()
Jozsef Kadlecsik [Sat, 13 Jun 2015 19:21:01 +0000 (21:21 +0200)]
Fix typo in function name get_phyoutdev_name()

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Separate memsize calculation code into dedicated functions
Jozsef Kadlecsik [Wed, 6 May 2015 05:48:20 +0000 (07:48 +0200)]
netfilter: ipset: Separate memsize calculation code into dedicated functions

Hash types already has it's memsize calculation code in separate
functions. Do the same for *bitmap* and *list* sets.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

Suggested-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Split extensions into separate files
Jozsef Kadlecsik [Wed, 6 May 2015 05:37:04 +0000 (07:37 +0200)]
netfilter: ipset: Split extensions into separate files

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

Suggested-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Improve comment extension helpers
Jozsef Kadlecsik [Wed, 6 May 2015 05:27:28 +0000 (07:27 +0200)]
netfilter: ipset: Improve comment extension helpers

Allocate memory with kmalloc() rather than kzalloc().

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

Suggested-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Improve skbinfo get/init helpers
Jozsef Kadlecsik [Tue, 5 May 2015 15:13:28 +0000 (17:13 +0200)]
netfilter: ipset: Improve skbinfo get/init helpers

Use struct ip_set_skbinfo in struct ip_set_ext instead of open
coded fields and assign structure members in get/init helpers
instead of copying members one by one.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

Suggested-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Headers file cleanup
Jozsef Kadlecsik [Tue, 5 May 2015 14:59:50 +0000 (16:59 +0200)]
netfilter: ipset: Headers file cleanup

Remove extra whitespace, group counter helper together. Mark some of
the helpers arguments as const.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

Suggested-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Correct rcu_dereference_bh_nfnl() usage
Jozsef Kadlecsik [Tue, 5 May 2015 14:48:50 +0000 (16:48 +0200)]
netfilter: ipset: Correct rcu_dereference_bh_nfnl() usage

When rcu_dereference_bh_nfnl() macro would be defined on the target
system if will accept pointer and subsystem id.

Check if rcu_dereference_bh_nfnl() is defined and make it accepting two
arguments.

Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>.

Suggested-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: bridge: add helpers for fetching physin/outdev pablo
Florian Westphal [Mon, 27 Apr 2015 19:48:33 +0000 (21:48 +0200)]
netfilter: bridge: add helpers for fetching physin/outdev

right now we store this in the nf_bridge_info struct, accessible
via skb->nf_bridge.  This patch prepares removal of this pointer from skb:

Instead of using skb->nf_bridge->x, we use helpers to obtain the in/out
device (or ifindexes).

Followup patches to netfilter will then allow nf_bridge_info to be
obtained by a call into the br_netfilter core, rather than keeping a
pointer to it in sk_buff.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoWhen a single set is destroyed, make sure it can't be grabbed by dump
Jozsef Kadlecsik [Sun, 26 Apr 2015 08:48:23 +0000 (10:48 +0200)]
When a single set is destroyed, make sure it can't be grabbed by dump

9 years agoIn comment extension ip_set_comment_free() is always called in a safe path
Jozsef Kadlecsik [Sun, 26 Apr 2015 08:46:47 +0000 (10:46 +0200)]
In comment extension ip_set_comment_free() is always called in a safe path

9 years agoAdd rcu_barrier() to module removal in the bitmap types too
Jozsef Kadlecsik [Fri, 17 Apr 2015 18:42:17 +0000 (20:42 +0200)]
Add rcu_barrier() to module removal in the bitmap types too

9 years agoFix coding styles reported by the most recent checkpatch.pl.
Jozsef Kadlecsik [Fri, 17 Apr 2015 18:39:34 +0000 (20:39 +0200)]
Fix coding styles reported by the most recent checkpatch.pl.

9 years agoMake sure bitmap:ip,mac detects the proper MAC even when it's overwritten
Jozsef Kadlecsik [Sun, 29 Mar 2015 14:34:52 +0000 (16:34 +0200)]
Make sure bitmap:ip,mac detects the proper MAC even when it's overwritten

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoRCU safe comment extension handling
Jozsef Kadlecsik [Sun, 29 Mar 2015 10:13:53 +0000 (12:13 +0200)]
RCU safe comment extension handling

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoMake sure the proper is_destroyed value is checked at dumping
Jozsef Kadlecsik [Sun, 29 Mar 2015 11:32:10 +0000 (13:32 +0200)]
Make sure the proper is_destroyed value is checked at dumping

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoFix broken commit "Check extensions attributes before getting extensions."
Jozsef Kadlecsik [Sun, 29 Mar 2015 12:58:51 +0000 (14:58 +0200)]
Fix broken commit "Check extensions attributes before getting extensions."

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Improve preprocessor macros checks
Sergey Popovich [Fri, 23 Jan 2015 13:24:50 +0000 (15:24 +0200)]
netfilter: ipset: Improve preprocessor macros checks

Check if mandatory MTYPE, HTYPE and HOST_MASK macros
defined.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Fix hashing for ipv6 sets
Sergey Popovich [Fri, 23 Jan 2015 12:58:45 +0000 (14:58 +0200)]
netfilter: ipset: Fix hashing for ipv6 sets

HKEY_DATALEN remains defined after first inclusion
of ip_set_hash_gen.h, so it is incorrectly reused
for IPv6 code.

Undefine HKEY_DATALEN in ip_set_hash_gen.h at the end.

Also remove some useless defines of HKEY_DATALEN in
ip_set_hash_{ip{,mark,port},netiface}.c as ip_set_hash_gen.h
defines it correctly for such set types anyway.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Fix ext_*() macros
Sergey Popovich [Tue, 20 Jan 2015 14:00:14 +0000 (16:00 +0200)]
netfilter: ipset: Fix ext_*() macros

So pointers returned by these macros could be
referenced with -> directly.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Check for comment netlink attribute length
Sergey Popovich [Tue, 20 Jan 2015 12:03:19 +0000 (14:03 +0200)]
netfilter: ipset: Check for comment netlink attribute length

Ensure userspace supplies string not longer than
IPSET_MAX_COMMENT_SIZE.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Return bool values instead of int
Sergey Popovich [Mon, 17 Nov 2014 19:21:40 +0000 (21:21 +0200)]
netfilter: ipset: Return bool values instead of int

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Check CIDR value only when attribute is given
Sergey Popovich [Mon, 17 Nov 2014 16:45:10 +0000 (18:45 +0200)]
netfilter: ipset: Check CIDR value only when attribute is given

There is no reason to check CIDR value regardless attribute
specifying CIDR is given.

Initialize cidr array in element structure on element structure
declaration to let more freedom to the compiler to optimize
initialization right before element structure is used.

Remove local variables cidr and cidr2 for netnet and netportnet
hashes as we do not use packed cidr value for such set types and
can store value directly in e.cidr[].

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Make sure we always return line number on batch
Sergey Popovich [Mon, 17 Nov 2014 16:03:00 +0000 (18:03 +0200)]
netfilter: ipset: Make sure we always return line number on batch

Even if we return with generic IPSET_ERR_PROTOCOL it is good idea
to return line number if we called in batch mode.

Moreover we are not always exiting with IPSET_ERR_PROTOCOL. For
example hash:ip,port,net may return IPSET_ERR_HASH_RANGE_UNSUPPORTED
or IPSET_ERR_INVALID_CIDR.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Permit CIDR equal to the host address CIDR in IPv6
Sergey Popovich [Mon, 17 Nov 2014 15:42:44 +0000 (17:42 +0200)]
netfilter: ipset: Permit CIDR equal to the host address CIDR in IPv6

Permit userspace to supply CIDR length equal to the host address CIDR
length in netlink message. Prohibit any other CIDR length for IPv6
variant of the set.

Also return -IPSET_ERR_HASH_RANGE_UNSUPPORTED instead of generic
-IPSET_ERR_PROTOCOL in IPv6 variant of hash:ip,port,net when
IPSET_ATTR_IP_TO attribute is given.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Use HOST_MASK literal to represent host address CIDR len
Sergey Popovich [Mon, 17 Nov 2014 15:34:47 +0000 (17:34 +0200)]
netfilter: ipset: Use HOST_MASK literal to represent host address CIDR len

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Check IPSET_ATTR_PORT only once
Sergey Popovich [Mon, 17 Nov 2014 15:08:37 +0000 (17:08 +0200)]
netfilter: ipset: Check IPSET_ATTR_PORT only once

We do not need to check tb[IPSET_ATTR_PORT] != NULL before
retrieving port, as this attribute is known to exist due to
ip_set_attr_netorder() returning true only when attribute
exists and it is in network byte order.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Check extensions attributes before getting extensions.
Sergey Popovich [Mon, 17 Nov 2014 11:44:17 +0000 (13:44 +0200)]
netfilter: ipset: Check extensions attributes before getting extensions.

Make all extensions attributes checks within ip_set_get_extensions()
and reduce number of duplicated code.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Use SET_WITH_*() helpers to test set extensions
Sergey Popovich [Mon, 17 Nov 2014 11:06:26 +0000 (13:06 +0200)]
netfilter: ipset: Use SET_WITH_*() helpers to test set extensions

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Return ipset error instead of bool
Sergey Popovich [Mon, 17 Nov 2014 09:50:37 +0000 (11:50 +0200)]
netfilter: ipset: Return ipset error instead of bool

Statement ret = func1() || func2() returns 0 when both func1()
and func2() return 0, or 1 if func1() or func2() returns non-zero.

However in our case func1() and func2() returns error code on
failure, so it seems good to propagate such error codes, rather
than returning 1 in case of failure.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: Preprocessor directices cleanup
Sergey Popovich [Sat, 15 Nov 2014 10:08:44 +0000 (12:08 +0200)]
netfilter: ipset: Preprocessor directices cleanup

 * Undefine mtype_data_reset_elem before defining.

 * Remove duplicated mtype_gc_init undefine, move
   mtype_gc_init define closer to mtype_gc define.

 * Use htype instead of HTYPE in IPSET_TOKEN(HTYPE, _create)().

 * Remove PF definition from sets: no more used.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: No need to make nomatch bitfield
Sergey Popovich [Sat, 15 Nov 2014 09:17:38 +0000 (11:17 +0200)]
netfilter: ipset: No need to make nomatch bitfield

We do not store cidr packed with no match, so there is no
need to make nomatch bitfield.

This simplifies mtype_data_reset_flags() a bit.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoMake sure bit operations are not reordered
Jozsef Kadlecsik [Thu, 19 Mar 2015 12:24:47 +0000 (13:24 +0100)]
Make sure bit operations are not reordered

Sergey Popovich pointed out that {set,clear}_bit() operations
must be protected against instruction reordering.

9 years agoSupport linking libipset to C++ programs
Jozsef Kadlecsik [Wed, 18 Mar 2015 19:58:25 +0000 (20:58 +0100)]
Support linking libipset to C++ programs

Issue reported by Pavel Odintsov.

9 years agonetfilter: ipset: Properly calculate extensions offsets and total length
Sergey Popovich [Mon, 16 Mar 2015 13:40:11 +0000 (15:40 +0200)]
netfilter: ipset: Properly calculate extensions offsets and total length

Offsets and total length returned by the ip_set_elem_len()
calculated incorrectly as initial set element length (i.e.
len parameter) is used multiple times in offset calculations,
also affecting set element total length.

Use initial set element length as start offset, do not add aligned
extension offset to the offset. Return offset as total length of
the set element.

This reduces memory requirements on per element basic for the
hash:* type of sets.

For example output from 'ipset -terse list test-1' on 64-bit PC,
where test-1 is generated via following script:

  #!/bin/bash

  set_name='test-1'

  ipset create "$set_name" hash:net family inet \
              timeout 10800 counters comment \
              hashsize 65536 maxelem 65536

  declare -i o3 o4
  fmt="add $set_name 192.168.%u.%u\n"

  for ((o3 = 0; o3 < 256; o3++)); do
      for ((o4 = 0; o4 < 256; o4++)); do
          printf "$fmt" $o3 $o4
      done
  done |ipset -exist restore

BEFORE this patch is applied

  # ipset -terse list test-1
  Name: test-1
  Type: hash:net
  Revision: 6
  Header: family inet hashsize 65536 maxelem 65536
timeout 10800 counters comment
  Size in memory: 26348440

and AFTER applying patch

  # ipset -terse list test-1
  Name: test-1
  Type: hash:net
  Revision: 6
  Header: family inet hashsize 65536 maxelem 65536
timeout 10800 counters comment
  Size in memory: 7706392
  References: 0

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoipset: propose rewording in manpage
Neutron Soutmun [Fri, 13 Mar 2015 02:00:19 +0000 (09:00 +0700)]
ipset: propose rewording in manpage

I have prepared the patch which refers to
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780336,
reported and proposed by H. Renault <hr@herverenault.fr>.

man ipset reads:

    del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
        Delete an entry from a set. If the -exist option is specified,
        ipset ignores if the entry does not added to  (already expired
        from)  the set.

Proposed rewording:

        Delete an entry from a set. If the -exist option is specified
        and the entry is not in the set (maybe already expired), then
        the command is ignored.

Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoFix cidr handling for hash:*net* types
Jozsef Kadlecsik [Fri, 13 Mar 2015 20:18:58 +0000 (21:18 +0100)]
Fix cidr handling for hash:*net* types

Commit 092d67cda9ad4 broke the cidr handling for the hash:*net* types
when the sets were used by the SET target: entries with invalid cidr
values were added to the sets. Reported by Jonathan Johnson.

Testsuite entry is added to verify the fix.

9 years agonetfilter: ipset: fix boolreturn.cocci warnings
kbuild test robot [Wed, 11 Feb 2015 12:33:05 +0000 (20:33 +0800)]
netfilter: ipset: fix boolreturn.cocci warnings

net/netfilter/xt_set.c:196:9-10: WARNING: return of 0/1 in function 'set_match_v3' with return type bool
net/netfilter/xt_set.c:242:9-10: WARNING: return of 0/1 in function 'set_match_v4' with return type bool

 Return statements in functions returning bool should use
 true/false instead of 1/0.
Generated by: scripts/coccinelle/misc/boolreturn.cocci

CC: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agonetfilter: ipset: make ip_set_get_ip*_port to use skb_network_offset
Alexander Drozdov [Fri, 6 Mar 2015 10:44:06 +0000 (13:44 +0300)]
netfilter: ipset: make ip_set_get_ip*_port to use skb_network_offset

All the ipset functions respect skb->network_header value,
except for ip_set_get_ip4_port() & ip_set_get_ip6_port(). The
functions should use skb_network_offset() to get the transport
header offset.

Signed-off-by: Alexander Drozdov <al.drozdov@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
9 years agoMake sure listing doesn't grab a set which is just being destroyed.
Jozsef Kadlecsik [Thu, 8 Jan 2015 17:55:00 +0000 (18:55 +0100)]
Make sure listing doesn't grab a set which is just being destroyed.

There was a small window when all sets are destroyed and a concurrent
listing of all sets could grab a set which is just being destroyed.

9 years agoMissing rcu_read_lock() and _unlock() in mtype_list() fixed
Jozsef Kadlecsik [Tue, 6 Jan 2015 07:32:28 +0000 (08:32 +0100)]
Missing rcu_read_lock() and _unlock() in mtype_list() fixed

9 years agoMore compatibility checking and simplifications
Jozsef Kadlecsik [Mon, 29 Dec 2014 21:28:17 +0000 (22:28 +0100)]
More compatibility checking and simplifications

Try hard to keep the support of the 2.6.32 kernel tree and
simplify the code with self-referential macros.

9 years agoCompatibility: define RCU_INIT_POINTER when __rcu is not defined
Jozsef Kadlecsik [Wed, 17 Dec 2014 07:04:19 +0000 (08:04 +0100)]
Compatibility: define RCU_INIT_POINTER when __rcu is not defined

9 years agoCompatibility: check kernel source for list_last_entry
Jozsef Kadlecsik [Wed, 17 Dec 2014 06:44:37 +0000 (07:44 +0100)]
Compatibility: check kernel source for list_last_entry

list_last_entry is missing on CentOS7, reported by Ricardo Klein.

9 years agoFix coding styles reported by checkpatch.pl
Jozsef Kadlecsik [Wed, 17 Dec 2014 06:43:45 +0000 (07:43 +0100)]
Fix coding styles reported by checkpatch.pl

9 years agoUse nlmsg_total_size instead of NLMSG_SPACE in ip_set_core.c.
Jozsef Kadlecsik [Thu, 11 Dec 2014 20:43:56 +0000 (21:43 +0100)]
Use nlmsg_total_size instead of NLMSG_SPACE in ip_set_core.c.

9 years agoThere's no need to call synchronize_rcu() with kfree_rcu()
Jozsef Kadlecsik [Tue, 6 Jan 2015 07:22:05 +0000 (08:22 +0100)]
There's no need to call synchronize_rcu() with kfree_rcu()

10 years agoCall rcu_barrier() in module removal path
Jozsef Kadlecsik [Wed, 10 Dec 2014 06:34:43 +0000 (07:34 +0100)]
Call rcu_barrier() in module removal path

10 years agoCall synchronize_rcu() in set type (un)register functions only when needed
Jozsef Kadlecsik [Wed, 10 Dec 2014 06:31:43 +0000 (07:31 +0100)]
Call synchronize_rcu() in set type (un)register functions only when needed

10 years agoRemove an unused macro
Jozsef Kadlecsik [Wed, 10 Dec 2014 06:31:01 +0000 (07:31 +0100)]
Remove an unused macro

10 years agoGive a better name to a macro in ip_set_core.c
Jozsef Kadlecsik [Wed, 10 Dec 2014 06:29:29 +0000 (07:29 +0100)]
Give a better name to a macro in ip_set_core.c

10 years agoResolve the STREQ macro to make the code more readable, and use nla_strlcpy where...
Jozsef Kadlecsik [Wed, 10 Dec 2014 06:27:35 +0000 (07:27 +0100)]
Resolve the STREQ macro to make the code more readable, and use nla_strlcpy where possible

10 years agoUse MSEC_PER_SEC consistently
Jozsef Kadlecsik [Mon, 1 Dec 2014 06:11:54 +0000 (07:11 +0100)]
Use MSEC_PER_SEC consistently

10 years agoMake possible to pass extra flags to sparse (userspace)
Jozsef Kadlecsik [Thu, 27 Nov 2014 17:05:40 +0000 (18:05 +0100)]
Make possible to pass extra flags to sparse (userspace)

10 years agoRemove unnecessary integer RCU handling and fix sparse warnings
Jozsef Kadlecsik [Thu, 27 Nov 2014 16:54:52 +0000 (17:54 +0100)]
Remove unnecessary integer RCU handling and fix sparse warnings

10 years agoFix sparse warning
Jozsef Kadlecsik [Thu, 27 Nov 2014 06:47:06 +0000 (07:47 +0100)]
Fix sparse warning

"warning: cast to restricted __be32" warnings are fixed

10 years agoipset 6.24 released v6.24
Jozsef Kadlecsik [Mon, 24 Nov 2014 20:46:45 +0000 (21:46 +0100)]
ipset 6.24 released

10 years agonetfilter: ipset: small potential read beyond the end of buffer
Dan Carpenter [Tue, 18 Nov 2014 08:55:17 +0000 (09:55 +0100)]
netfilter: ipset: small potential read beyond the end of buffer

We could be reading 8 bytes into a 4 byte buffer here.  It seems
harmless but adding a check is the right thing to do and it silences a
static checker warning.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agoThe "extra" subdirectory for kernel modules may have a full subtree
Jozsef Kadlecsik [Tue, 18 Nov 2014 07:15:42 +0000 (08:15 +0100)]
The "extra" subdirectory for kernel modules may have a full subtree

Jesper Dangaard Brouer reported that on Red Hat Enterprise Linux
Server release 6.5 the extra subdirectory contains the full subtree
path

/lib/modules/*/extra/netfilter/ipset/

and not

/lib/modules/*/extra/ipset/

Check only "/extra/" in the path.

10 years agoFix parallel resizing and listing of the same set
Jozsef Kadlecsik [Sat, 25 Oct 2014 22:11:29 +0000 (00:11 +0200)]
Fix parallel resizing and listing of the same set

When elements added to a hash:* type of set and resizing triggered,
parallel listing could start to list the original set (before resizing)
and "continue" with listing the new set. Fix it by references and
using the original hash table for listing. Therefore the destroying
the original hash table may happen from the resizing or listing functions.

10 years agostyles warned by checkpatch.pl fixed
Jozsef Kadlecsik [Tue, 18 Nov 2014 07:00:56 +0000 (08:00 +0100)]
styles warned by checkpatch.pl fixed

10 years agoIntroduce RCU in all set types instead of rwlock per set
Jozsef Kadlecsik [Tue, 30 Sep 2014 07:46:41 +0000 (09:46 +0200)]
Introduce RCU in all set types instead of rwlock per set

Performance is tested by Jesper Dangaard Brouer:

Simple drop in FORWARD
~~~~~~~~~~~~~~~~~~~~~~

Dropping via simple iptables net-mask match::

 iptables -t raw -N simple || iptables -t raw -F simple
 iptables -t raw -I simple  -s 198.18.0.0/15 -j DROP
 iptables -t raw -D PREROUTING -j simple
 iptables -t raw -I PREROUTING -j simple

Drop performance in "raw": 11.3Mpps

Generator: sending 12.2Mpps (tx:12264083 pps)

Drop via original ipset in RAW table
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Create a set with lots of elements::

 sudo ./ipset destroy test
 echo "create test hash:ip hashsize 65536" > test.set
 for x in `seq 0 255`; do
    for y in `seq 0 255`; do
        echo "add test 198.18.$x.$y" >> test.set
    done
 done
 sudo ./ipset restore < test.set

Dropping via ipset::

 iptables -t raw -F
 iptables -t raw -N net198 || iptables -t raw -F net198
 iptables -t raw -I net198 -m set --match-set test src -j DROP
 iptables -t raw -I PREROUTING -j net198

Drop performance in "raw" with ipset: 8Mpps

Perf report numbers ipset drop in "raw"::

 +   24.65%  ksoftirqd/1  [ip_set]           [k] ip_set_test
 -   21.42%  ksoftirqd/1  [kernel.kallsyms]  [k] _raw_read_lock_bh
    - _raw_read_lock_bh
       + 99.88% ip_set_test
 -   19.42%  ksoftirqd/1  [kernel.kallsyms]  [k] _raw_read_unlock_bh
    - _raw_read_unlock_bh
       + 99.72% ip_set_test
 +    4.31%  ksoftirqd/1  [ip_set_hash_ip]   [k] hash_ip4_kadt
 +    2.27%  ksoftirqd/1  [ixgbe]            [k] ixgbe_fetch_rx_buffer
 +    2.18%  ksoftirqd/1  [ip_tables]        [k] ipt_do_table
 +    1.81%  ksoftirqd/1  [ip_set_hash_ip]   [k] hash_ip4_test
 +    1.61%  ksoftirqd/1  [kernel.kallsyms]  [k] __netif_receive_skb_core
 +    1.44%  ksoftirqd/1  [kernel.kallsyms]  [k] build_skb
 +    1.42%  ksoftirqd/1  [kernel.kallsyms]  [k] ip_rcv
 +    1.36%  ksoftirqd/1  [kernel.kallsyms]  [k] __local_bh_enable_ip
 +    1.16%  ksoftirqd/1  [kernel.kallsyms]  [k] dev_gro_receive
 +    1.09%  ksoftirqd/1  [kernel.kallsyms]  [k] __rcu_read_unlock
 +    0.96%  ksoftirqd/1  [ixgbe]            [k] ixgbe_clean_rx_irq
 +    0.95%  ksoftirqd/1  [kernel.kallsyms]  [k] __netdev_alloc_frag
 +    0.88%  ksoftirqd/1  [kernel.kallsyms]  [k] kmem_cache_alloc
 +    0.87%  ksoftirqd/1  [xt_set]           [k] set_match_v3
 +    0.85%  ksoftirqd/1  [kernel.kallsyms]  [k] inet_gro_receive
 +    0.83%  ksoftirqd/1  [kernel.kallsyms]  [k] nf_iterate
 +    0.76%  ksoftirqd/1  [kernel.kallsyms]  [k] put_compound_page
 +    0.75%  ksoftirqd/1  [kernel.kallsyms]  [k] __rcu_read_lock

Drop via ipset in RAW table with RCU-locking
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With RCU locking, the RW-lock is gone.

Drop performance in "raw" with ipset with RCU-locking: 11.3Mpps

Performance-tested-by: Jesper Dangaard Brouer <brouer@redhat.com>
10 years agoRemove rbtree from hash:net,iface in order to run under RCU
Jozsef Kadlecsik [Thu, 9 Oct 2014 09:20:09 +0000 (11:20 +0200)]
Remove rbtree from hash:net,iface in order to run under RCU

10 years agoExplicitly add padding elements to hash:net,net and hash:net,port,net
Jozsef Kadlecsik [Thu, 9 Oct 2014 08:58:30 +0000 (10:58 +0200)]
Explicitly add padding elements to hash:net,net and hash:net,port,net

The elements must be u32 sized for the used hash function.

10 years agoAllocate the proper size of memory when /0 networks are supported
Jozsef Kadlecsik [Fri, 3 Oct 2014 05:06:00 +0000 (07:06 +0200)]
Allocate the proper size of memory when /0 networks are supported

10 years agoSimplify cidr handling for hash:*net* types
Jozsef Kadlecsik [Fri, 3 Oct 2014 05:53:39 +0000 (07:53 +0200)]
Simplify cidr handling for hash:*net* types

10 years agoIndicate when /0 networks are supported
Jozsef Kadlecsik [Fri, 3 Oct 2014 05:10:14 +0000 (07:10 +0200)]
Indicate when /0 networks are supported

10 years agoAdd more compatibility checkings to support older kernel releases
Jozsef Kadlecsik [Mon, 10 Nov 2014 18:20:29 +0000 (19:20 +0100)]
Add more compatibility checkings to support older kernel releases

10 years agoMake_global.am: Don't include host headers
Baruch Siach [Tue, 28 Oct 2014 19:21:34 +0000 (21:21 +0200)]
Make_global.am: Don't include host headers

This is bad for cross compilation.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
10 years agoKernel API changes in em_ipset.c, support both old and new ones
Jozsef Kadlecsik [Mon, 3 Nov 2014 17:35:28 +0000 (18:35 +0100)]
Kernel API changes in em_ipset.c, support both old and new ones

10 years agonetfilter: Convert uses of __constant_<foo> to <foo>
Joe Perches [Mon, 3 Nov 2014 16:37:26 +0000 (17:37 +0100)]
netfilter: Convert uses of __constant_<foo> to <foo>

The use of __constant_<foo> has been unnecessary for quite awhile now.

Make these uses consistent with the rest of the kernel.

Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonet: use the new API kvfree()
WANG Cong [Mon, 3 Nov 2014 16:35:30 +0000 (17:35 +0100)]
net: use the new API kvfree()

It is available since v3.15-rc5.

Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agotreewide: fix errors in printk
Masanari Iida [Mon, 3 Nov 2014 16:10:49 +0000 (17:10 +0100)]
treewide: fix errors in printk

This patch fix spelling typo in printk.

Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
10 years agonetfilter: use IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
Pablo Neira Ayuso [Mon, 3 Nov 2014 07:07:22 +0000 (08:07 +0100)]
netfilter: use IS_ENABLED(CONFIG_BRIDGE_NETFILTER)

In 34666d4 ("netfilter: bridge: move br_netfilter out of the core"),
the bridge netfilter code has been modularized.

Use IS_ENABLED instead of ifdef to cover the module case.

Fixes: 34666d4 ("netfilter: bridge: move br_netfilter out of the core")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agoUse IS_ENABLED macro and define it if required
Jozsef Kadlecsik [Mon, 3 Nov 2014 07:06:19 +0000 (08:06 +0100)]
Use IS_ENABLED macro and define it if required

10 years agoAlignment problem between 64bit kernel 32bit userspace
Jozsef Kadlecsik [Mon, 3 Nov 2014 06:35:36 +0000 (07:35 +0100)]
Alignment problem between 64bit kernel 32bit userspace

Sven-Haegar Koch reported the issue:

sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
iptables: Invalid argument. Run `dmesg' for more information.

In syslog:
x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32

which was introduced by the counter extension in ipset.

The patch fixes the alignment issue with introducing a new set match
revision with the fixed underlying 'struct ip_set_counter_match'
structure.

10 years agoAdd script to check libipset.map for missing symbols
Jozsef Kadlecsik [Tue, 28 Oct 2014 16:36:25 +0000 (17:36 +0100)]
Add script to check libipset.map for missing symbols

10 years agoUpdate libipset.map with ipset_parse_tcp_udp_port
Thomas Backlund [Tue, 28 Oct 2014 16:19:53 +0000 (17:19 +0100)]
Update libipset.map with ipset_parse_tcp_udp_port

Commit:

author  Quentin Armitage <quentin@armitage.org.uk>      2013-08-09 11:26:33 (GMT)
committer       Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>     2013-08-17 19:31:29 (GMT)
commit  480761a3bdaa55bf8c966e4dab950ebf84775863 (patch)
tree    6d750f948abf1ae4f93e4c704502d085ac13d679
parent  3a4419954a3ae0ba5dafd711e6b8dd8f0beb5c21 (diff)
Add specifying protocol for bitmap:port
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
added ipset_parse_tcp_udp_port(), but forgot to update libipset.map

so we get:

/usr/lib64/ipset/ipset_bitmap_port.so: /usr/lib64/ipset/ipset_bitmap_port.so: undefined symbol: ipset_parse_tcp_udp_port

so update the map.

Signed-off-by: Thomas Backlund <tmb@mageia.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
10 years agolibipset: Bump lib version and update map file
Neutron Soutmun [Fri, 24 Oct 2014 09:36:22 +0000 (16:36 +0700)]
libipset: Bump lib version and update map file

The ipset_parse_uint16() was introduced but no lib version bumped and
no map file updated.

Bump lib version to 9:0:6. (current and age was bumped)

Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
10 years agonetfilter: ipset: off by one in ip_set_nfnl_get_byindex()
Dan Carpenter [Tue, 21 Oct 2014 16:18:14 +0000 (18:18 +0200)]
netfilter: ipset: off by one in ip_set_nfnl_get_byindex()

The ->ip_set_list[] array is initialized in ip_set_net_init() and it
has ->ip_set_max elements so this check should be >= instead of >
otherwise we are off by one.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
10 years agoBash utilities updated
Jozsef Kadlecsik [Tue, 30 Sep 2014 07:48:51 +0000 (09:48 +0200)]
Bash utilities updated