]> granicus.if.org Git - ipset/log
ipset
13 years agoTake into account cidr value for the from address when creating the set
Jozsef Kadlecsik [Sun, 22 May 2011 10:18:36 +0000 (12:18 +0200)]
Take into account cidr value for the from address when creating the set

When creating a set from a range expressed as a network like
10.1.1.172/29, the from address was taken as the IP address part and
not masked with the netmask from the cidr.

13 years agoAdding ranges to hash types with timeout could still fail, fixed
Jozsef Kadlecsik [Sat, 21 May 2011 21:19:04 +0000 (23:19 +0200)]
Adding ranges to hash types with timeout could still fail, fixed

The patch "Fix adding ranges to hash types" had got a mistypeing
in the timeout variant of the hash types, which actually made
the patch ineffective. Fixed!

13 years agoAccept "\r\n" terminated lines in restore files
Jozsef Kadlecsik [Sat, 21 May 2011 21:10:14 +0000 (23:10 +0200)]
Accept "\r\n" terminated lines in restore files

13 years agoRemoved old, not used hashing method ip_set_chash
Jozsef Kadlecsik [Fri, 20 May 2011 15:07:48 +0000 (17:07 +0200)]
Removed old, not used hashing method ip_set_chash

13 years agoRemove variable 'ret' in type_pf_tdel(), which is set but not used
Jozsef Kadlecsik [Fri, 20 May 2011 09:25:14 +0000 (11:25 +0200)]
Remove variable 'ret' in type_pf_tdel(), which is set but not used

13 years agoUse proper timeout parameter to jiffies conversion
Jozsef Kadlecsik [Fri, 20 May 2011 07:53:39 +0000 (09:53 +0200)]
Use proper timeout parameter to jiffies conversion

13 years agoRemove outdated checking of IPv6 support from configure.ac
Jozsef Kadlecsik [Tue, 17 May 2011 17:28:10 +0000 (19:28 +0200)]
Remove outdated checking of IPv6 support from configure.ac

ipset can be compiled without IPv6 support since 6.0, however
the outdated checking in configure.ac made it not possible.
(reported by Denys Fedoryshchenko)

13 years agoipset 6.5 released v6.5
Jozsef Kadlecsik [Sun, 15 May 2011 13:34:04 +0000 (15:34 +0200)]
ipset 6.5 released

13 years agoSupport range for IPv4 at adding/deleting elements for hash:*net* types
Jozsef Kadlecsik [Sun, 15 May 2011 10:04:19 +0000 (12:04 +0200)]
Support range for IPv4 at adding/deleting elements for hash:*net* types

The range internally is converted to the network(s) equal to the range.
Example:

# ipset new test hash:net
# ipset add test 10.2.0.0-10.2.1.12
# ipset list test
Name: test
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
10.2.1.12
10.2.1.0/29
10.2.0.0/24
10.2.1.8/30

13 years agoDisable type revisions which are not supported both by the kernel and ipset
Jozsef Kadlecsik [Fri, 13 May 2011 21:47:56 +0000 (23:47 +0200)]
Disable type revisions which are not supported both by the kernel and ipset

13 years agoUpdate ipset help text to reflect SCTP and UDPLITE support
Jozsef Kadlecsik [Thu, 12 May 2011 15:12:54 +0000 (17:12 +0200)]
Update ipset help text to reflect SCTP and UDPLITE support

13 years agoSet type support with multiple revisions added
Jozsef Kadlecsik [Wed, 11 May 2011 15:29:21 +0000 (17:29 +0200)]
Set type support with multiple revisions added

A set type may have multiple revisions, for example when syntax is extended.
Support continuous revision ranges in set types.

13 years agoFix adding ranges to hash types
Jozsef Kadlecsik [Fri, 6 May 2011 20:08:09 +0000 (22:08 +0200)]
Fix adding ranges to hash types

When ranges are added to hash types, the elements may trigger rehashing the set.
However, the last successfully added element was not kept track so the adding
started again with the first element after the rehashing. Bug reported by Mr Dash Four.

13 years agoIgnore -n flag (list just setnames) when sets are to be saved
Jozsef Kadlecsik [Fri, 6 May 2011 20:05:10 +0000 (22:05 +0200)]
Ignore -n flag (list just setnames) when sets are to be saved

13 years agoipset 6.4 released v6.4
Jozsef Kadlecsik [Tue, 19 Apr 2011 11:43:29 +0000 (13:43 +0200)]
ipset 6.4 released

13 years agoGet rid of the trailing empty line at listing sets.
Jozsef Kadlecsik [Tue, 19 Apr 2011 10:25:38 +0000 (12:25 +0200)]
Get rid of the trailing empty line at listing sets.

Also, remove the empty "members" section when listing
just the set headers.

Testsuite is updated to reflect the changes in the output.

13 years agoFix XML listing, remove broken unused "elements" tag
Jozsef Kadlecsik [Mon, 18 Apr 2011 15:35:10 +0000 (17:35 +0200)]
Fix XML listing, remove broken unused "elements" tag

13 years agoSupport listing setnames and headers too
Jozsef Kadlecsik [Mon, 18 Apr 2011 15:32:25 +0000 (17:32 +0200)]
Support listing setnames and headers too

Current listing makes possible to list sets with full content only.
The patch adds support partial listings, i.e. listing just
the existing setnames or listing set headers, without set members.

13 years agoFix order of listing of sets
Jozsef Kadlecsik [Mon, 18 Apr 2011 11:19:59 +0000 (13:19 +0200)]
Fix order of listing of sets

A restoreable saving of sets requires that list:set type of sets
come last and the code part which should have taken into account
the ordering was broken. The patch fixes the listing order.

Testsuite entry added which checks the listing order.

13 years agoOptions and flags support added to the kernel API
Jozsef Kadlecsik [Mon, 18 Apr 2011 10:53:25 +0000 (12:53 +0200)]
Options and flags support added to the kernel API

The support makes possible to specify the timeout value for
the SET target and a flag to reset the timeout for already existing
entries.

13 years agoSorting is dependent on the locale settings, use LC_ALL=C
Jozsef Kadlecsik [Mon, 11 Apr 2011 08:37:08 +0000 (10:37 +0200)]
Sorting is dependent on the locale settings, use LC_ALL=C

13 years agoUse unified diff output in tests
Jozsef Kadlecsik [Mon, 11 Apr 2011 08:13:16 +0000 (10:13 +0200)]
Use unified diff output in tests

13 years agoipset 6.3 released v6.3
Jozsef Kadlecsik [Sun, 10 Apr 2011 15:26:09 +0000 (17:26 +0200)]
ipset 6.3 released

13 years agoTestsuite checks added
Jozsef Kadlecsik [Sun, 10 Apr 2011 14:22:46 +0000 (16:22 +0200)]
Testsuite checks added

- check iptables match/target extensions with invalid number of
  dir parameters
- check SET target with --del-set option

13 years agoset match and SET target fixes
Jozsef Kadlecsik [Sat, 9 Apr 2011 19:35:02 +0000 (21:35 +0200)]
set match and SET target fixes

The SET target with --del-set did not work due to using wrongly
the internal dimension of --add-set instead of --del-set.
Also, the checkentries did not release the set references when
returned an error. Bugs reported by Lennert Buytenhek.

13 years agoWhitespace fixes: some space before tab slipped in.
Jozsef Kadlecsik [Fri, 8 Apr 2011 14:21:35 +0000 (16:21 +0200)]
Whitespace fixes: some space before tab slipped in.

13 years agobitmap:ip,mac type requires "src" for MAC
Jozsef Kadlecsik [Fri, 8 Apr 2011 14:04:22 +0000 (16:04 +0200)]
bitmap:ip,mac type requires "src" for MAC

Enforce that the second "src/dst" parameter of the set match and SET target
must be "src", because we have access to the source MAC only in the packet.
The previous behaviour, that the type required the second parameter
but actually ignored the value was counter-intuitive and confusing.

Manpage is updated to reflect the change.

13 years agoTestsuite changes: keep temporary files
Jozsef Kadlecsik [Fri, 8 Apr 2011 13:53:02 +0000 (15:53 +0200)]
Testsuite changes: keep temporary files

Keep temporary files in the tests and erase them only after successfully
running the testsuite. This makes simpler to analyze failed tests.

13 years agoipset/Kconfig was a mixed up kernel config file, fixed (Michael Tokarev)
Jozsef Kadlecsik [Tue, 29 Mar 2011 19:21:30 +0000 (21:21 +0200)]
ipset/Kconfig was a mixed up kernel config file, fixed (Michael Tokarev)

13 years agoipset 6.2 released v6.2
Jozsef Kadlecsik [Sun, 27 Mar 2011 19:13:56 +0000 (21:13 +0200)]
ipset 6.2 released

13 years agoManpage update
Jozsef Kadlecsik [Sun, 27 Mar 2011 19:12:45 +0000 (21:12 +0200)]
Manpage update

13 years agoTimeout can be modified for already added elements
Jozsef Kadlecsik [Sun, 27 Mar 2011 19:01:33 +0000 (21:01 +0200)]
Timeout can be modified for already added elements

When an element to a set with timeout added, one can change the timeout
by "readding" the element with the "-exist" flag. That means the timeout
value is reset to the specified one (or to the default from the set
specification if the "timeout n" option is not used). Example

ipset add foo 1.2.3.4 timeout 10
ipset add foo 1.2.3.4 timeout 600 -exist

13 years agoAdd explicit text message to detect patched kernel.
Jozsef Kadlecsik [Sat, 26 Mar 2011 19:19:32 +0000 (20:19 +0100)]
Add explicit text message to detect patched kernel.

13 years agoReferences are protected by rwlock instead of mutex
Jozsef Kadlecsik [Fri, 25 Mar 2011 10:10:29 +0000 (11:10 +0100)]
References are protected by rwlock instead of mutex

The timeout variant of the list:set type must reference the member sets.
However, its garbage collector runs at timer interrupt so the mutex protection
of the references is a no go. Therefore the reference protection
is converted to rwlock.

13 years agolist:set timeout variant fixes
Jozsef Kadlecsik [Wed, 23 Mar 2011 20:10:16 +0000 (21:10 +0100)]
list:set timeout variant fixes

- the timeout value was actually not set
- the garbage collector was broken

The variant is fixed, the tests to the testsuite are added.

13 years agoipset 6.1 released v6.1
Jozsef Kadlecsik [Sat, 19 Mar 2011 10:20:57 +0000 (11:20 +0100)]
ipset 6.1 released

13 years agoFix revision reporting
Jozsef Kadlecsik [Sat, 19 Mar 2011 10:13:20 +0000 (11:13 +0100)]
Fix revision reporting

Revision reporting got broken by the revision checking patch, fixed.

13 years agoSCTP, UDPLITE support added
Jozsef Kadlecsik [Fri, 18 Mar 2011 16:24:50 +0000 (17:24 +0100)]
SCTP, UDPLITE support added

SCTP and UDPLITE port support added to the hash:*port* types.

13 years agoFix checking the revision of the set type at create command
Jozsef Kadlecsik [Fri, 18 Mar 2011 16:23:43 +0000 (17:23 +0100)]
Fix checking the revision of the set type at create command

The revision number was not checked at the create command: if the userspace
sent a valid set type but with not supported revision number, it'd create
a loop.

13 years agoManpage was not installed
Jozsef Kadlecsik [Fri, 18 Mar 2011 16:22:26 +0000 (17:22 +0100)]
Manpage was not installed

Entry to install the manpage was missing from Makefile.am
(reported by Mark A. Ziesemer)

13 years agohash:ip,port* types with IPv4
Jozsef Kadlecsik [Fri, 18 Mar 2011 16:21:20 +0000 (17:21 +0100)]
hash:ip,port* types with IPv4

The hash:ip,port* types with IPv4 silently ignored when address ranges
with non TCP/UDP were added/deleted from the set and the first address from
the range was only used.

13 years agonetfilter:ipset: fix the compile warning in ip_set_create
Shan Wei [Fri, 4 Mar 2011 07:34:35 +0000 (15:34 +0800)]
netfilter:ipset: fix the compile warning in ip_set_create

net/netfilter/ipset/ip_set_core.c:615: warning: ?clash? may be used uninitialized in this function

Signed-off-by: shanw <shanw@shanw-desktop.(none)>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
13 years agoipset 6.0 released v6.0
Jozsef Kadlecsik [Thu, 3 Feb 2011 12:40:23 +0000 (13:40 +0100)]
ipset 6.0 released

13 years agoPrint protocol version together with ipset version
Jozsef Kadlecsik [Thu, 3 Feb 2011 12:05:22 +0000 (13:05 +0100)]
Print protocol version together with ipset version

13 years agoReorganized kernel/ subdir
Jozsef Kadlecsik [Thu, 3 Feb 2011 10:44:27 +0000 (11:44 +0100)]
Reorganized kernel/ subdir

The kernel/ subdirectory is reorganized to follow the kernel directory
structure.

13 years agonetfilter: ipset: fix linking with CONFIG_IPV6=n
Patrick McHardy [Thu, 3 Feb 2011 09:27:49 +0000 (10:27 +0100)]
netfilter: ipset: fix linking with CONFIG_IPV6=n

Add some #ifdefs to unconditionally return false in
ip_set_get_ip6_port() when CONFIG_IPV6=n and convert
to ipv6_skip_exthdr() to avoid pulling in the ip6_tables
module when loading ipset.

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: send error message manually
Jozsef Kadlecsik [Wed, 2 Feb 2011 19:43:18 +0000 (20:43 +0100)]
netfilter: ipset: send error message manually

When a message carries multiple commands and one of them triggers
an error, we have to report to the userspace which one was that.
The line number of the command plays this role and there's an attribute
reserved in the header part of the message to be filled out with the error
line number. In order not to modify the original message received from
the userspace, we construct a new, complete netlink error message and
modifies the attribute there, then send it.
Netlink is notified not to send its ACK/error message.

13 years agonetfilter: ipset: add missing break statemtns in ip_set_get_ip_port()
Patrick McHardy [Wed, 2 Feb 2011 19:40:12 +0000 (20:40 +0100)]
netfilter: ipset: add missing break statemtns in ip_set_get_ip_port()

Don't fall through in the switch statement, otherwise IPv4 headers
are incorrectly parsed again as IPv6 and the return value will always
be 'false'.

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: add missing include to xt_set.h
Patrick McHardy [Tue, 1 Feb 2011 19:55:58 +0000 (20:55 +0100)]
netfilter: ipset: add missing include to xt_set.h

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: remove unnecessary includes
Patrick McHardy [Tue, 1 Feb 2011 19:53:53 +0000 (20:53 +0100)]
netfilter: ipset: remove unnecessary includes

None of the set types need uaccess.h since this is handled centrally
in ip_set_core. Most set types additionally don't need bitops.h and
spinlock.h since they use neither. tcp.h is only needed by those
using before(), udp.h is not needed at all.

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agonetfilter: ipset: use nla_parse_nested()
Patrick McHardy [Tue, 1 Feb 2011 19:51:56 +0000 (20:51 +0100)]
netfilter: ipset: use nla_parse_nested()

Replace calls of the form:

nla_parse(tb, ATTR_MAX, nla_data(attr), nla_len(attr), policy)

by:

nla_parse_nested(tb, ATTR_MAX, attr, policy)

Signed-off-by: Patrick McHardy <kaber@trash.net>
13 years agoTestsuite compatibility with debugging enabled
Jozsef Kadlecsik [Tue, 1 Feb 2011 19:37:42 +0000 (20:37 +0100)]
Testsuite compatibility with debugging enabled

The error line checking would fail when debugging is enabled
(and spit out junk lines), fixed.

13 years agoAllow "new" as a commad alias to "create"
Jozsef Kadlecsik [Tue, 1 Feb 2011 19:35:33 +0000 (20:35 +0100)]
Allow "new" as a commad alias to "create"

It's too easy to mistype "n" to "new", so just allow it.

13 years agoipset: improve command argument parsing
Holger Eitzenberger [Tue, 1 Feb 2011 17:13:10 +0000 (18:13 +0100)]
ipset: improve command argument parsing

The number of comparisons for a matching a command name can be
made smaller by just checking on argv[1].

As an example consider the following 'create' arguments 'hashsize',
'family' and 'timeout'.  When having the command

 create foo hash:ip timeout 60 family inet hashsize 64

it compares without this patch:

 strcmp("timeout", "hashsize")
 strcmp("64", "hashsize")
 strcmp("family", "hashsize")
 strcmp("inet", "hashsize")
 strcmp("hashsize", "hashsize")

It is worse in practice, as 'create' has more arguments than this.

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
13 years agoipset: avoid the unnecessary argv[] loop
Holger Eitzenberger [Mon, 24 Jan 2011 21:36:35 +0000 (22:36 +0100)]
ipset: avoid the unnecessary argv[] loop

After stripping off the global options there simply has to follow
a command name, there is no other syntax possible.  Therefore the
argv[] loop is unnecessary.

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
13 years agoipset: pass ipset_arg argument pointer
Holger Eitzenberger [Tue, 1 Feb 2011 16:30:57 +0000 (17:30 +0100)]
ipset: pass ipset_arg argument pointer

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
13 years agoSeparate ipset errnos completely from system ones and bump protocol version.
Jozsef Kadlecsik [Mon, 31 Jan 2011 22:32:51 +0000 (23:32 +0100)]
Separate ipset errnos completely from system ones and bump protocol version.

13 years agoUse better error codes in xt_set.c
Jozsef Kadlecsik [Mon, 31 Jan 2011 22:30:31 +0000 (23:30 +0100)]
Use better error codes in xt_set.c

13 years agoFix sparse warning about shadowed definition
Jozsef Kadlecsik [Thu, 27 Jan 2011 21:22:26 +0000 (22:22 +0100)]
Fix sparse warning about shadowed definition

13 years agobitmap:ip type: flavour specific adt functions
Jozsef Kadlecsik [Thu, 27 Jan 2011 21:17:38 +0000 (22:17 +0100)]
bitmap:ip type: flavour specific adt functions

Use flavour-specific ADT functions and use shared ones for all
other type functions (Patrick McHardy's review)

13 years agobitmap:port type: flavour specific adt functions
Jozsef Kadlecsik [Thu, 27 Jan 2011 20:54:21 +0000 (21:54 +0100)]
bitmap:port type: flavour specific adt functions

Use flavour-specific ADT functions and use shared ones for all
other type functions (Patrick McHardy's review)

13 years agoMove the type specifici attribute validation to the core
Jozsef Kadlecsik [Thu, 27 Jan 2011 11:44:17 +0000 (12:44 +0100)]
Move the type specifici attribute validation to the core

The type specific attribute validation can be moved to the ipset core.
That way it's done centrally and thus can be eliminated from the individual
set types (suggested by Patrick McHardy).

13 years agoFix the spelling error fix :-)
Jozsef Kadlecsik [Wed, 26 Jan 2011 22:50:56 +0000 (23:50 +0100)]
Fix the spelling error fix :-)

Spelling error fixed (Ferenc Wagner)

13 years agoUse vzalloc() instead of __vmalloc()
Jozsef Kadlecsik [Wed, 26 Jan 2011 22:47:20 +0000 (23:47 +0100)]
Use vzalloc() instead of __vmalloc()

Use vzalloc() if kernel version supports it. (Eric Dumazet, Patrick McHardy)

13 years agoUse meaningful error messages in xt_set.c
Jozsef Kadlecsik [Wed, 26 Jan 2011 22:22:58 +0000 (23:22 +0100)]
Use meaningful error messages in xt_set.c

Old cryptic error messages are not useful (Patrick McHardy's review)

13 years agoConstified attribute cannot be written
Jozsef Kadlecsik [Wed, 26 Jan 2011 21:59:25 +0000 (22:59 +0100)]
Constified attribute cannot be written

Attribute is const so a little bit more work is needed to return
the error line number. A test is also added in order to check
the functionality. (Patrick McHardy's review)

13 years agoSend (N)ACK at dumping only when NLM_F_ACK is set
Jozsef Kadlecsik [Wed, 26 Jan 2011 21:37:11 +0000 (22:37 +0100)]
Send (N)ACK at dumping only when NLM_F_ACK is set

Missing check of the flag NLM_F_ACK is added to the kernel -
and userspace does set it too (Patrick McHardy's review)

13 years agoCorrect the error codes: use ENOENT and EMSGSIZE
Jozsef Kadlecsik [Wed, 26 Jan 2011 21:26:01 +0000 (22:26 +0100)]
Correct the error codes: use ENOENT and EMSGSIZE

Use correct error codes (Patrick McHardy's review)

13 years agoResolving IP addresses did not work at listing/saving sets, fixed.
Jozsef Kadlecsik [Wed, 26 Jan 2011 20:49:30 +0000 (21:49 +0100)]
Resolving IP addresses did not work at listing/saving sets, fixed.

13 years agoipset: fix spelling error
Holger Eitzenberger [Mon, 24 Jan 2011 21:36:37 +0000 (22:36 +0100)]
ipset: fix spelling error

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
13 years agoipset: fix the Netlink sequence number
Holger Eitzenberger [Mon, 24 Jan 2011 21:36:33 +0000 (22:36 +0100)]
ipset: fix the Netlink sequence number

Do not use time() as a Netlink sequence number for each message,
as otherwise the same seq number will be used when sending
another message in the same second.  Instead use time() just for
initialization, then increment per message.

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
13 years agoipset: turn Set name[] into a const pointer
Holger Eitzenberger [Mon, 24 Jan 2011 21:36:32 +0000 (22:36 +0100)]
ipset: turn Set name[] into a const pointer

Also check for the name length.

Note that passing errno values back is not done consistently at
various place, as there are some functions which set errno manually,
others pass -errno back.  I use the -errno approach here, as it is
slightly shorter.

Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
13 years agoCheck ICMP and ICMPv6 with the set match and target in the testsuite
Jozsef Kadlecsik [Mon, 24 Jan 2011 17:14:01 +0000 (18:14 +0100)]
Check ICMP and ICMPv6 with the set match and target in the testsuite

"sendip" needs data otherwise ICMP/ICMPv6 gets truncated...

13 years agoAvoid possible syntax clashing at saving hostnames
Jozsef Kadlecsik [Mon, 24 Jan 2011 16:38:26 +0000 (17:38 +0100)]
Avoid possible syntax clashing at saving hostnames

If resolving is requested and the resolved hostname contains a dash
character, print the unresolved IP address instead in order not to
clash with the IP/hostname range syntax.

13 years agoipset 5.4.1 released v5.4.1
Jozsef Kadlecsik [Sat, 22 Jan 2011 09:35:45 +0000 (10:35 +0100)]
ipset 5.4.1 released

13 years agoAdd UPGRADE instructions
Jozsef Kadlecsik [Sat, 22 Jan 2011 09:31:08 +0000 (10:31 +0100)]
Add UPGRADE instructions

13 years agoipset 5.4 released v5.4
Jozsef Kadlecsik [Fri, 21 Jan 2011 21:47:01 +0000 (22:47 +0100)]
ipset 5.4 released

13 years agoFixed broken ICMP and ICMPv6 handling
Jozsef Kadlecsik [Fri, 21 Jan 2011 20:29:50 +0000 (21:29 +0100)]
Fixed broken ICMP and ICMPv6 handling

I mistyped the bitwise operator and the network-order conversion was
missing too. Sigh, sendip cannot generate proper packets to check
ICMP and ICMPv6 in the testsuite. :-(

13 years agoFix trailing whitespaces and pr_* messages
Jozsef Kadlecsik [Fri, 21 Jan 2011 10:39:56 +0000 (11:39 +0100)]
Fix trailing whitespaces and pr_* messages

Some trailing whitespace slipped in, those are removed. With the deleted
ip_set_kernel.h, the pr_* messages lost the trailing "\n" character.
The messages were completed with it.

13 years agoUn-inline functions which are not small enough
Jozsef Kadlecsik [Thu, 20 Jan 2011 22:10:26 +0000 (23:10 +0100)]
Un-inline functions which are not small enough

13 years agoFix module loading at create/header commands
Jozsef Kadlecsik [Thu, 20 Jan 2011 21:24:03 +0000 (22:24 +0100)]
Fix module loading at create/header commands

While holding the nfnl_mutex, module loading is not allowed.
Bug spotted by Patrick McHardy in his reviewing.

13 years agoFix wrong kzalloc flag in type_pf_expire
Jozsef Kadlecsik [Thu, 20 Jan 2011 17:55:48 +0000 (18:55 +0100)]
Fix wrong kzalloc flag in type_pf_expire

The expire functions of the hash types are called while locked, so
kzalloc must be called with GFP_ATOMIC.

13 years agoThe get_ip*_port functions are too large to be inlined, moved into the core.
Jozsef Kadlecsik [Thu, 20 Jan 2011 17:51:54 +0000 (18:51 +0100)]
The get_ip*_port functions are too large to be inlined, moved into the core.

13 years agoAdd missing __GFP_HIGHMEM flag to __vmalloc
Jozsef Kadlecsik [Thu, 20 Jan 2011 17:19:31 +0000 (18:19 +0100)]
Add missing __GFP_HIGHMEM flag to __vmalloc

We may call ip_set_alloc with GFP_ATOMIC, so we cannot replace __vmalloc
with vzalloc. Missing flag was noticed by Eric Dumazet.

13 years agoEnforce network-order data in the netlink protocol
Jozsef Kadlecsik [Thu, 20 Jan 2011 16:54:26 +0000 (17:54 +0100)]
Enforce network-order data in the netlink protocol

Allow only network-order data, with NLA_F_NET_BYTEORDER flag.
Sanity checks also added to prevent processing broken messages
where mandatory attributes are missing. (Patrick McHardy's review)

13 years agoUse annotated types and fix sparse warnings
Jozsef Kadlecsik [Thu, 20 Jan 2011 13:48:23 +0000 (14:48 +0100)]
Use annotated types and fix sparse warnings

Annotated types are introduced and sparse warnings fixed.
Two warnings remained in ip_set_core.c but those are false ones.
(Patrick McHardy's review)

13 years agoMove ip_set_alloc, ip_set_free and ip_set_get_ipaddr* into core
Jozsef Kadlecsik [Thu, 20 Jan 2011 10:45:37 +0000 (11:45 +0100)]
Move ip_set_alloc, ip_set_free and ip_set_get_ipaddr* into core

The functions are too large to be inlined, so move them into the core.
Also, fix the unnecessary initializations in ip_set_get_ipaddr*.
(Patrick McHardy's review)

13 years agoNETMASK*, HOSTMASK* macros are too generic
Jozsef Kadlecsik [Thu, 20 Jan 2011 10:34:00 +0000 (11:34 +0100)]
NETMASK*, HOSTMASK* macros are too generic

NETMASK*, HOSTMASK* macros are rewritten to small inline functions
ip_set_netmask* and ip_set_hostmask* (Patrick McHardy's review)

13 years agoUse static LIST_HEAD() for ip_set_type_list
Jozsef Kadlecsik [Thu, 20 Jan 2011 09:58:43 +0000 (10:58 +0100)]
Use static LIST_HEAD() for ip_set_type_list

Avoid the need for explicit initialization during runtime
(Patrick McHardy's review)

13 years agoMove NLA_PUT_NET* macros to include/net/netlink.h
Jozsef Kadlecsik [Thu, 20 Jan 2011 09:39:01 +0000 (10:39 +0100)]
Move NLA_PUT_NET* macros to include/net/netlink.h

These macros can be useful in general (Patrick McHardy's review)

13 years agoThe module parameter max_sets should be unsigned int
Jozsef Kadlecsik [Thu, 20 Jan 2011 09:26:44 +0000 (10:26 +0100)]
The module parameter max_sets should be unsigned int

Negative set numbers are strange :-) (Patrick McHardy's review)

13 years agoGet rid of ip_set_kernel.h
Jozsef Kadlecsik [Thu, 20 Jan 2011 09:25:04 +0000 (10:25 +0100)]
Get rid of ip_set_kernel.h

The header file was useful at deep debugging only, we can get rid of now.
(Patrick McHardy's review)

13 years agoFix the placement style of boolean operators at continued lines
Jozsef Kadlecsik [Thu, 20 Jan 2011 09:20:14 +0000 (10:20 +0100)]
Fix the placement style of boolean operators at continued lines

Fix "&&" and "||" continuation style (Patrick McHardy's review)

13 years agoipset 5.3 released v5.3
Jozsef Kadlecsik [Tue, 18 Jan 2011 19:47:44 +0000 (20:47 +0100)]
ipset 5.3 released

13 years agoSet the non-debug compiling the default
Jozsef Kadlecsik [Tue, 18 Jan 2011 19:39:51 +0000 (20:39 +0100)]
Set the non-debug compiling the default

Compiling with debugging can be enabled with the "--enable-debug" option
of the configure script.

13 years agoTestsuite fix of ospf replaced with vrrp.
Jozsef Kadlecsik [Tue, 18 Jan 2011 16:49:55 +0000 (17:49 +0100)]
Testsuite fix of ospf replaced with vrrp.

The testsuite failed incorrectly, because the order of the elements
changed.

13 years agoFix build with NDEBUG defined
Jozsef Kadlecsik [Tue, 18 Jan 2011 16:48:22 +0000 (17:48 +0100)]
Fix build with NDEBUG defined

The usage of the gcc option -Wunused-parameter interferes badly with
the assert() macros.  In case -DNDEBUG is specified build fails with:

  cc1: warnings being treated as errors
  print.c: In function 'ipset_print_family':
  print.c:92: error: unused parameter 'opt'
  print.c: In function 'ipset_print_port':
  print.c:413: error: unused parameter 'opt'
  print.c: In function 'ipset_print_proto':

Fix it by taking into accout NDEBUG in the function arguments.

Bug reported by Holger Eitzenberger.

13 years agoDo session initialization once
Holger Eitzenberger [Tue, 18 Jan 2011 16:30:50 +0000 (17:30 +0100)]
Do session initialization once

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
13 years agoMake IPv4 and IPv6 address handling similar
Jozsef Kadlecsik [Tue, 18 Jan 2011 16:20:30 +0000 (17:20 +0100)]
Make IPv4 and IPv6 address handling similar

While the following works for AF_INET:

 ipset add foo 192.168.1.1/32

this does not work for AF_INET6:

 ipset add foo6 20a1:1:2:3:4:5:6:7/128
 ipset v5.2: Syntax error: plain IP address must be supplied: 20a1:1:2:3:4:5:6:7/128

Bug reported by Holger Eitzenberger.

The complete fix is to handle the special host prefixes in the general
IP address parser function.

13 years agoShow correct line numbers in restore output for parser errors
Jozsef Kadlecsik [Tue, 18 Jan 2011 16:17:46 +0000 (17:17 +0100)]
Show correct line numbers in restore output for parser errors

Parser errors are reported by a wrong lineno at restore, bug reported
by Holger Eitzenberger:

  create foo6 hash:ip hashsize 64 family inet6
  add foo6 20a1:1234:5678::/64
  add foo6 20a1:1234:5679::/64

you get:

  ipset v5.2: Error in line 1: Syntax error: plain IP address must be supplied: 20a1:1234:5678::/64

Should be line 2 though.

The solution is to set the session lineno before parsing.