Jozsef Kadlecsik [Mon, 13 Dec 2010 11:31:12 +0000 (12:31 +0100)]
Buffered commands are just ... buffered.
Calculate the free buffer size when adding the existing attributes at the buffered
commands. If the buffer is full, cancel the unfinished nested attribute and commit
the previously buffered commands. Then restart with the current buffered command.
Thus we can get rid of the ugly maxsize parameter of the set types.
Jozsef Kadlecsik [Fri, 10 Dec 2010 16:04:38 +0000 (17:04 +0100)]
Add proper RCU protection to resizing
Resizing can be triggered by userspace command only, and those
are serialized by the nfnl mutex. During resizing the set is
read-locked, so the only possible concurrent operations are
the kernel side readers. Those must be protected by proper RCU locking.
Jozsef Kadlecsik [Fri, 10 Dec 2010 12:54:51 +0000 (13:54 +0100)]
Convert hash types from chash to ahash.
Instead of the cache friendly hashing, use the array based hashing.
According to my tests the latter uses less memory, faster at lookup and
deletion, and only slower at insertion.
The manpage is updated to reflect the recent modifications and
the addition of the hash:net,port type. The help text of hash:ip
is updated: adding/deleting multiple entries are supported for
IPv4 only.
Jozsef Kadlecsik [Sat, 30 Oct 2010 21:11:47 +0000 (23:11 +0200)]
Add parser function to handle IPv4 and IPv6 differently.
At present IPv6 does not support adding/deleting multiple IPv6 addresses
specified as an ip-ip range or ip/prefix block. A parser function is
added by which can enforce it at parsing the address pattern.
Jozsef Kadlecsik [Sat, 30 Oct 2010 16:52:53 +0000 (18:52 +0200)]
Resizing converted to run under read-locking of the set
With restricting resizing so that it can be triggered by an add
from userspace only, we can modify it so that it uses read-locking
instead of write-locking. Thus the matching in the set can run parallel
with resizing.
Jozsef Kadlecsik [Fri, 29 Oct 2010 20:50:12 +0000 (22:50 +0200)]
Remove to support resizing from kernel context.
Resizing in kernel context is simply too expensive. Drop the feature:
if a set is used as a dynamic container by a SET target, then the set
must be created with a proper size from now on.
Jozsef Kadlecsik [Fri, 29 Oct 2010 20:21:01 +0000 (22:21 +0200)]
Listing for hash types fixed
The listing was incorrect for large sets, when multiple messages were
required. I assume that one full hash bucket fills into one message,
but that is true for all current hash types.
Jozsef Kadlecsik [Sun, 24 Oct 2010 19:42:48 +0000 (21:42 +0200)]
Fixes, cleanups, comments
- More comments added to the code
- ICMP and ICMPv6 support added to the hash:ip,port, hash:ip,port,ip
and hash:ip,port,net types
- hash:net and hash:ip,port,net types are reworked
- hash:net,port type added
- Wrong direction parameters fixed in hash:ip,port
- Helps and manpage are updated
- More tests added
- Ugly macros are rewritten to functions in parse.c
(Holger Eitzenberger)
- resize related bug in hash types fixed (Holger Eitzenberger)
- autoreconf patches by Jan Engelhardt applied
- netlink patch minimalized: dumping can be initialized by a second
parsing of the message (thanks to David and Patrick for the suggestion)
- IPv4/IPv6 address attributes are introduced in order to fix the context
(suggested by David)
Jan Engelhardt [Tue, 19 Oct 2010 16:03:03 +0000 (18:03 +0200)]
build: run autoupdate
AC_CANONICAL_SYSTEM is deprecated in favor of calling one or more of
AC_CANONICAL_{BUILD,HOST,TARGET}. Since configure.ac only uses $target,
only AC_CANONICAL_TARGET is needed.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jan Engelhardt [Tue, 19 Oct 2010 09:02:26 +0000 (11:02 +0200)]
build: resolve autoreconf/libtoolize suggestions
libtoolize: Consider adding "AC_CONFIG_MACRO_DIR([m4])" to configure.ac and
libtoolize: rerunning libtoolize, to keep the correct libtool macros in-tree.
libtoolize: Consider adding "-I m4" to ACLOCAL_AMFLAGS in Makefile.am.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Jozsef Kadlecsik [Mon, 23 Aug 2010 14:48:14 +0000 (16:48 +0200)]
Cleanup, compatibility
- Use is_vmalloc_addr when freeing vmalloc or kmalloc-ed areas. Thus
we can get rid of a flag and simplify some functions.
- When checking "same" sets, ignore hash size, because resizing
changes it.
- 2.6.35 compatibility added.
- Discuss backward/forward compatibilities in the README file.
Jozsef Kadlecsik [Tue, 29 Jun 2010 19:14:40 +0000 (21:14 +0200)]
ipset 5: Sparc related and compatibility fixes
ipset 5 is tested on Sparc, which revealed some compatibility issues
and those are fixed. Kernels from 2.6.31 onward are supported.
The testsuite checkings are completed to run match/target checks.
The README file is updated to reflect the requirements to install
and run ipset 5.
Jozsef Kadlecsik [Tue, 15 Jun 2010 13:08:55 +0000 (15:08 +0200)]
Use libmnl nest functions and fix size differences in iptree*.t
Use the libmnl mnl_attr_nest_star/mnl_attr_nest_end functions instead of
the private ones. Ignore possible size differences in iptree*.t compatibility
tests.
Jozsef Kadlecsik [Tue, 15 Jun 2010 11:30:55 +0000 (13:30 +0200)]
ipset 5 in an almost ready state - milestone
Reworked protocol and internal interfaces, missing set types added,
backward compatibility verified, lots of tests added (and thanks to the tests,
bugs fixed), even the manpage is rewritten ;-). Countless changes everywhere...
The missing bits before announcing ipset 5:
- net namespace support
- new iptables/ip6tables extension library
- iptables/ip6tables match and target tests (backward/forward compatibility)
- tests on catching syntax errors
Jozsef Kadlecsik [Sun, 24 Jan 2010 14:49:16 +0000 (15:49 +0100)]
New version 4.2 released:
kernel:
- nethash and ipportnethash types counted every entry twice
which could produce bogus entries when listing/saving these types
of sets (bug reported by Husnu Demir)
userspace:
- Checking null entries when listing/saving hash types of sets
deleted because it's unnecessary and can mask possible errors.
Jozsef Kadlecsik [Tue, 18 Aug 2009 17:52:26 +0000 (19:52 +0200)]
ipset 3.1 release
A few minor bugs fixed and cleanups:
- Nonexistent sets were reported as existing sets when testing
from userspace in setlist type of sets (bug reported by Victor A.
Safronov)
- When saving sets, setlist type of sets must come last in order
to satisfy the dependency from the elements (bug reported by Marty B.)
- Sparse insists that the flags argument to kmalloc() is gfp_t
(Stephen Hemminger)
- Correct format specifiers and change %i to %d (Jan Engelhardt)
- Fix the definition of 'bool' for kernels <= 2.6.18 (Jan Engelhardt)
root [Tue, 10 Feb 2009 14:42:13 +0000 (15:42 +0100)]
Jenkins' hash updated
The old lookup2() Jenkins' hash is outdated, there is a new version called
lookup3() which
- mixes better than lookup2(): passes the check that every input bit changes
every output bit 50% of the time - lookup2() failed it.
- performs better: compiled with -O2 on Core2 Duo, lookup3() 20-40% faster
than lookup2() depending on the key length.
The patch replaces the lookup2() implementation of 'jhash*' with that of
lookup3().
Jozsef Kadlecsik [Tue, 10 Feb 2009 14:38:32 +0000 (15:38 +0100)]
Fix possible duplicates in hashesh.
Bug fixed: after elements are added and deleted from a hash, an element
can successfully be added in spite it's already in the hash and thus
duplicates can occur. Bug spotted by Shih-Yi Chen.
2.4.5
- setlist type does not work properly together with swapping
sets, bug reported by Thomas Jacob.
- Include linux/capability.h explicitly in ip_set.c (Jan Engelhardt)
2.4.4
- Premature checking prevents to add valid elements to hash
types, fixed (bug reported by JC Janos).
- Local variable shadows another variable, fixed (reported
by Jan Engelhardt).
- More compiler warning options added and warnings fixed.
- When flushing a nethash/ipportnethash type of set, it can
lead to a kernel crash due to a wrong type declaration,
bug reported by Krzysztof Oledzki.
- iptree and iptreemap types require the header file linux/timer.h,
also reported by Krzysztof Oledzki.
- macipmap type reported misleading deprecated separator
tokens and printed the old one at listing set elements.
Token printing was errorneous too.
(Bugs reported by Krzysztof Oledzki)
- Warn only once about deprecated separator tokens in
restore mode.
userspace changes:
- Added KBUILD_OUTPUT support (Sven Wegener)
- Fix memory leak in ipset_iptreemap (Sven Wegener)
- Fix multiple compiler warnings (Sven Wegener)
- ipportiphash, ipportnethash and setlist types added
- binding marked as deprecated functionality
- element separator token changed to ',' in anticipating
IPv6 addresses, old separator tokens are still supported
- unnecessary includes removed
- ipset does not try to resolve IP addresses when listing
the content of sets (default changed)
- manpage updated
- ChangeLog forked for kernel part
kernel part changes:
- ipportiphash, ipportnethash and setlist types added
- set type modules reworked to avoid code duplication
as much as possible, code unification macros
- expand_macros Makefile target added to help debugging
code unification macros
- ip_set_addip_kernel and ip_set_delip_kernel
changed from void to int, __ip_set_get_byname and
__ip_set_put_byid added for the sake of setlist type
- unnecessary includes removed
- compatibility fix for kernels >= 2.6.27:
semaphore.h was moved from asm/ to linux/ (James King)
- ChangeLog forked for kernel part