From 1b8c69e14d97bf5d0e973740c5802fdbf96f756d Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik
Date: Tue, 13 Jul 2010 14:18:22 +0200
Subject: [PATCH] Compatibility and documentation fixes

Makefile fixes: compiler flags
README and manpage fixes
Compatibility with newer gcc releases (4.4.x)
Compatibility with the 2.6.35 kernel tree
---
 Make_global.am           |  2 +-
 README                   | 25 ++++++++++---------
 configure.ac             | 12 ++++++++++
 include/libipset/types.h |  1 +
 kernel/xt_set.c          | 40 +++++++++++++++++++++++++++++++
 lib/types.c              |  1 -
 src/ipset.8              | 52 ++++++++++++++++++++--------------------
 7 files changed, 94 insertions(+), 39 deletions(-)

diff --git a/Make_global.am b/Make_global.am
index b2e57d6..48812c0 100644
--- a/Make_global.am
+++ b/Make_global.am
@@ -21,7 +21,6 @@ AM_CFLAGS = -std=gnu99 \
 	-Wcast-qual \
 	-Wextra \
 	-Wfloat-equal \
-	-Wformat-nonliteral \
 	-Wformat=2 \
 	-Winit-self \
 	-Winline \
@@ -31,6 +30,7 @@ AM_CFLAGS = -std=gnu99 \
 	-Wnested-externs \
 	-Wno-missing-field-initializers \
 	-Wold-style-definition \
+	-Woverlength-strings \
 	-Wpacked \
 	-Wpointer-arith \
 	-Wredundant-decls \
diff --git a/README b/README
index 08a22ba..45d3eb9 100644
--- a/README
+++ b/README
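Review bot: Dropping `-Wformat-nonliteral` from AM_CFLAGS has no effect while `-Wformat=2` stays in the list, because on gcc `-Wformat=2` already turns on `-Wformat-nonliteral` together with `-Wformat-security`, so the warning the commit message seems to want rid of for gcc 4.4 will keep firing. If the goal really is to silence it, only a `-Wno-format-nonliteral` placed after `-Wformat=2` would do that, and I would push back on it: that warning is the one that flags printf-style calls whose format is not a literal, i.e. the format-string attack surface, so the better fix is to annotate the wrapper that triggers it with `__attribute__((format(printf, N, M)))` and keep the flag. `-Woverlength-strings` is harmless but unrelated to the stated gcc 4.4 compatibility goal. The AM_CFLAGS list starts and ends outside both hunks, so I cannot see whether anything else in it already overrides these.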
@@ -1,20 +1,23 @@ -This is the ipset source tree. Follow these steps to install ipset: +This is the ipset source tree. Follow the next steps to install ipset: 0. You need the source tree of your kernel (version >= 2.6.31) - and it have to be configured, modules compiled. Please apply - the netlink.patch against your kernel tree (with kernel <= 2.6.31.1 - please use the patch netlink.patch-2.6.31.1). Recompile and - install the patched kernel. + and it have to be configured (with ip6tables support), modules compiled. + Please apply the netlink.patch against your kernel tree + (with kernel <= 2.6.31.1 please use the patch netlink.patch-2.6.31.1). -1. Initialize the compiling environment for ipset + Recompile and install the patched kernel and its modules. + + The ipset source code depends on the libmnl library so the library + must be installed. + +1. Initialize the compiling environment for ipset. The packages automake, + autoconf and libtool are required. % ./autogen.sh 2. Run `./configure` and then compile the ipset binary and the kernel modules. - The ipset source code depends on the libmnl library. - Configure parameters can be used to to override the default path to the kernel source tree (/lib/modules/`uname -r`/build), the maximum number of sets (256), the default hash sizes (1024) @@ -25,7 +28,7 @@ This is the ipset source tree. Follow these steps to install ipset: % make % make modules -3. Install the binary and the modules +3. Install the binary and the kernel modules # make install # make modules_install @@ -49,5 +52,5 @@ This is the ipset source tree. Follow these steps to install ipset: That's it! -Read the ipset(8) and iptables(8) manpages on how to use ipset -and its match and target from iptables. +Read the ipset(8) and iptables(8), ip6tables(8) manpages on how to use +ipset and its match and target from iptables. diff --git a/configure.ac b/configure.ac index f75ef49..7622ac4 100644 --- a/configure.ac +++ b/configure.ac 
@@ -32,6 +32,18 @@ then AC_MSG_ERROR([Invalid kernel build directory $kbuilddir]) fi +if test ! -e "$kbuilddir/.config" +then + AC_MSG_ERROR([The kernel build directory $kbuilddir is not configured]) +fi + +AC_PROG_GREP + +if test "X`$GREP '^CONFIG_IP6_NF_IPTABLES=' $kbuilddir/.config`" = "X" +then + AC_MSG_ERROR([The kernel build directory $kbuilddir is not configured with IP6_NF_IPTABLES support (ip6tables)]) +fi + dnl Check kernel dependencies: nfnetlink.h NFNL_CB_CONST="`./check_const $kbuilddir/include/linux/netfilter/nfnetlink.h`" AC_SUBST(NFNL_CB_CONST) diff --git a/include/libipset/types.h b/include/libipset/types.h index 45d5e3d..6a17750 100644 --- a/include/libipset/types.h +++ b/include/libipset/types.h @@ -7,6 +7,7 @@ #ifndef LIBIPSET_TYPES_H #define LIBIPSET_TYPES_H +#include /* NULL */ #include /* uintxx_t */ #include /* enum ipset_opt */ diff --git a/kernel/xt_set.c b/kernel/xt_set.c index 3ed8a6a..4734cc4 100644 --- a/kernel/xt_set.c +++ b/kernel/xt_set.c @@ -48,8 +48,13 @@ match_set(ip_set_id_t index, const struct sk_buff *skb, #error "Linux kernel version too old: must be >= 2.6.31" #endif +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35) static bool set_match_v0(const struct sk_buff *skb, const struct xt_match_param *par) +#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */ +static bool +set_match_v0(const struct sk_buff *skb, struct xt_action_param *par) +#endif { const struct xt_set_info_match_v0 *info = par->matchinfo; @@ -75,8 +80,13 @@ compat_flags(struct xt_set_info_v0 *info) } } +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35) static bool set_match_v0_checkentry(const struct xt_mtchk_param *par) +#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */ +static int +set_match_v0_checkentry(const struct xt_mtchk_param *par) +#endif { struct xt_set_info_match_v0 *info = par->matchinfo; ip_set_id_t index; 
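Review bot: The new grep check passes `$kbuilddir/.config` unquoted inside the command substitution, while the `test ! -e` guard added just above quotes it, so a kernel build path containing whitespace or shell metacharacters would make the two checks disagree and the grep read the wrong file or fail outright; quote it the same way, `"$kbuilddir/.config"`. The pattern `^CONFIG_IP6_NF_IPTABLES=` accepts both `=y` and `=m` and rejects the `# ... is not set` form, so the match itself is fine. The hard AC_MSG_ERROR makes ip6tables support a mandatory build prerequisite even for IPv4-only deployments; that is consistent with the README wording this patch adds, but if IPv4-only builds are meant to stay supported a warning plus a configure switch that skips the check would be friendlier than a fatal error.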
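Review bot: Changing set_match_v0_checkentry's return type to int for kernels >= 2.6.35 flips the success convention, but the hunk leaves the function body (which continues outside the hunk) untouched: under the old bool signature `true` meant success, whereas the 2.6.35 xtables API expects 0 for success and a negative errno for failure, and as far as I recall xt_check_match treats a positive return as a driver bug (-EIO). If the body still does `return false` when the set cannot be found and `return true` at the end, then on new kernels a rule referencing a nonexistent or wrongly-dimensioned set would be accepted silently and a valid rule rejected, which is exactly the wrong way round for a firewall match. Each failure path needs to become something like `return -ENOENT;` (or `-EINVAL` for a flags/dimension mismatch) and the final `return true;` a `return 0;`, under the same version conditional. The same concern applies to set_target_v0_checkentry, set_match_checkentry and set_target_checkentry later in this patch, whose bodies are likewise not shown.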
@@ -107,8 +117,13 @@ set_match_v0_destroy(const struct xt_mtdtor_param *par) ip_set_nfnl_put(info->match_set.index); } +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35) static unsigned int set_target_v0(struct sk_buff *skb, const struct xt_target_param *par) +#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */ +static unsigned int +set_target_v0(struct sk_buff *skb, const struct xt_action_param *par) +#endif { const struct xt_set_info_target_v0 *info = par->targinfo; @@ -124,8 +139,13 @@ set_target_v0(struct sk_buff *skb, const struct xt_target_param *par) return XT_CONTINUE; } +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35) static bool set_target_v0_checkentry(const struct xt_tgchk_param *par) +#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */ +static int +set_target_v0_checkentry(const struct xt_tgchk_param *par) +#endif { struct xt_set_info_target_v0 *info = par->targinfo; ip_set_id_t index; @@ -173,8 +193,13 @@ set_target_v0_destroy(const struct xt_tgdtor_param *par) /* Revision 1: current interface to netfilter/iptables */ +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35) static bool set_match(const struct sk_buff *skb, const struct xt_match_param *par) +#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */ +static bool +set_match(const struct sk_buff *skb, struct xt_action_param *par) +#endif { const struct xt_set_info_match *info = par->matchinfo; @@ -184,8 +209,13 @@ set_match(const struct sk_buff *skb, const struct xt_match_param *par) info->match_set.flags & IPSET_INV_MATCH); } +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35) static bool set_match_checkentry(const struct xt_mtchk_param *par) +#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */ +static int +set_match_checkentry(const struct xt_mtchk_param *par) +#endif { struct xt_set_info_match *info = par->matchinfo; ip_set_id_t index; 
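Review bot: The same `#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)` ladder is copied around every match, target and checkentry definition in this file (eight times in this patch), duplicating each signature in full, so the next xtables API change becomes a search-and-replace exercise and the per-version return-value convention of the checkentry functions has to be remembered at every `return`. I would collect the version-dependent pieces once in a small block near the existing `#error` kernel-version check at the top of the file (outside these hunks), and write each definition a single time against those names; the checkentry bodies then use `XT_CHECK_OK` and `XT_CHECK_FAIL(ENOENT)` and get the right polarity on both kernel generations for free. The bodies of set_target_v0 and set_target_v0_checkentry continue outside the hunk, so I have only sketched the signatures.

```c
/* Version-dependent xtables types, defined once for the whole file. */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35)
#define XT_MATCH_PARAM		const struct xt_match_param
#define XT_TARGET_PARAM		const struct xt_target_param
#define XT_CHECK_RET		bool
#define XT_CHECK_OK		true
#define XT_CHECK_FAIL(err)	false
#else
#define XT_MATCH_PARAM		struct xt_action_param
#define XT_TARGET_PARAM		const struct xt_action_param
#define XT_CHECK_RET		int
#define XT_CHECK_OK		0
#define XT_CHECK_FAIL(err)	(-(err))
#endif

/* … unchanged: match_set(), set_match_v0() and friends … */

static unsigned int
set_target_v0(struct sk_buff *skb, XT_TARGET_PARAM *par)
/* … unchanged: body … */

static XT_CHECK_RET
set_target_v0_checkentry(const struct xt_tgchk_param *par)
/* … body as before, with return true/false replaced by XT_CHECK_OK / XT_CHECK_FAIL(ENOENT) … */
```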
@@ -213,8 +243,13 @@ set_match_destroy(const struct xt_mtdtor_param *par) ip_set_nfnl_put(info->match_set.index); } +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35) static unsigned int set_target(struct sk_buff *skb, const struct xt_target_param *par) +#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */ +static unsigned int +set_target(struct sk_buff *skb, const struct xt_action_param *par) +#endif { const struct xt_set_info_target *info = par->targinfo; @@ -232,8 +267,13 @@ set_target(struct sk_buff *skb, const struct xt_target_param *par) return XT_CONTINUE; } +#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,35) static bool set_target_checkentry(const struct xt_tgchk_param *par) +#else /* LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,35) */ +static int +set_target_checkentry(const struct xt_tgchk_param *par) +#endif { const struct xt_set_info_target *info = par->targinfo; ip_set_id_t index; diff --git a/lib/types.c b/lib/types.c index 067abcb..e3cad35 100644 --- a/lib/types.c +++ b/lib/types.c @@ -9,7 +9,6 @@ #include /* ETH_ALEN */ #include /* struct in6_addr */ #include /* AF_ */ -#include /* NULL */ #include /* malloc, free */ #include /* FIXME: debug */ diff --git a/src/ipset.8 b/src/ipset.8 index c45f39f..c4f6a6b 100644 --- a/src/ipset.8 +++ b/src/ipset.8 @@ -202,8 +202,8 @@ command follows the syntax where the current list of the methods are \fBbitmap\fR, \fBhash\fR, and \fBlist\fR and the possible data types -are \fBip\fR, \fBmac\fR and \fBport\fR. The dimension of the set type -is equal to the number of datat types in its type name. +are \fBip\fR, \fBmac\fR and \fBport\fR. The dimension of a set +is equal to the number of data types in its type name. When adding, deleting or testing entries in a set, the same comma separated data syntax must be used for the entry parameter of the commands, i.e 
@@ -212,9 +212,9 @@ ipset add foo ipaddr,portnum,ipaddr The \fBbitmap\fR and \fBlist\fR types use a fixed sized storage. The \fBhash\fR types use a hash to store the elements. In order to avoid clashes in the hash, -a limited number of chaining, and if that is exhausted, the doubling of the hash -is performed. The hash size is limited by the maximal number of elements parameter of -the hash. +a limited number of chaining, and if that is exhausted, the doubling of the hash size +is performed. The hash size is indirectly limited by the maximal number of elements +parameter of the hash. All set types support the optional @@ -288,8 +288,8 @@ IPv4 address range or network. The size of the range cannot exceed the limit of maximum 65536 entries. .PP The \fBbitmap:ip,mac\fR type is exceptional in the sense that the MAC part can -be left out when adding/deleting/testing entries in the set. If -we add an entry without the MAC address specified, when the first time the entry is +be left out when adding/deleting/testing entries in the set. If we add an entry +without the MAC address specified, then when the first time the entry is matched by the kernel, it will automatically fill out the missing MAC address with the source MAC address from the packet. If the entry was specified with a timeout value, the timer starts off when the IP and MAC address pair is complete. @@ -315,7 +315,7 @@ and such a set can store up to 65536 ports. .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] .PP -\fIDEL\-ENTRY\fR := {\fIport\fR | \fIfrom\-port\fR\-\fIto\-port\fR } +\fIDEL\-ENTRY\fR := { \fIport\fR | \fIfrom\-port\fR\-\fIto\-port\fR } .PP \fITEST\-ENTRY\fR := \fIport\fR .PP 
@@ -335,7 +335,7 @@ ipset test foo 80 The \fBhash:ip\fR set type uses a hash to store IP host addresses (default) or network addresses. .PP -\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ] +\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR .PP @@ -354,7 +354,7 @@ a range or a network: .PP Optional \fBcreate\fR options: .TP -\fBfamily\fR { \fBinet\fR|\fBinet6\fR } +\fBfamily\fR { \fBinet\fR | \fBinet6\fR } The protocol family of the IP addresses to be stored in the set. The default is \fBinet\fR, i.e IPv4. .TP @@ -383,7 +383,7 @@ ipset test foo 192.168.1.2 .SS hash:net The \fBhash:net\fR set type uses a hash to store different sized IP network addresses. .PP -\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] +\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR[/\fIcidr\fR] .PP @@ -395,7 +395,7 @@ The \fBhash:net\fR set type uses a hash to store different sized IP network addr .PP Optional \fBcreate\fR options: .TP -\fBfamily\fR { \fBinet\fR|\fBinet6\fR } +\fBfamily\fR { \fBinet\fR | \fBinet6\fR } The protocol family of the IP addresses to be stored in the set. The default is \fBinet\fR, i.e IPv4. .TP 
@@ -433,7 +433,7 @@ ipset test foo 192.168.0/24 .SS hash:ip,port The \fBhash:ip,port\fR set type uses a hash to store IP address and port number pairs. .PP -\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] | [ \fBproto\fR \fIvalue\fR ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] +\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBproto\fR \fIvalue\fR ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR .PP @@ -445,7 +445,7 @@ The \fBhash:ip,port\fR set type uses a hash to store IP address and port number .PP Optional \fBcreate\fR options: .TP -\fBfamily\fR { \fBinet\fR|\fBinet6\fR } +\fBfamily\fR { \fBinet\fR | \fBinet6\fR } The protocol family of the IP addresses to be stored in the set. The default is \fBinet\fR, i.e IPv4. .TP @@ -484,7 +484,7 @@ ipset test foo 192.168.1.1,80 The \fBhash:ip,port,ip\fR set type uses a hash to store IP address, port number and a second IP address triples. .PP -\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] | [ \fBproto\fR \fIvalue\fR ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] +\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBproto\fR \fIvalue\fR ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIipaddr\fR .PP @@ -496,7 +496,7 @@ and a second IP address triples. .PP Optional \fBcreate\fR options: .TP -\fBfamily\fR { \fBinet\fR|\fBinet6\fR } +\fBfamily\fR { \fBinet\fR | \fBinet6\fR } The protocol family of the IP addresses to be stored in the set. The default is \fBinet\fR, i.e IPv4. .TP 
@@ -531,7 +531,7 @@ ipset test foo 192.168.1.1,udp:53,10.0.0.1 The \fBhash:ip,port,net\fR set type uses a hash to store IP address, port number and IP network address triples. .PP -\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR|\fBinet6\fR } ] | [ \fBproto\fR \fIvalue\fR ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] +\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBproto\fR \fIvalue\fR ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP \fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIipaddr\fR[/\fIcidr\fR] .PP @@ -543,7 +543,7 @@ and IP network address triples. .PP Optional \fBcreate\fR options: .TP -\fBfamily\fR { \fBinet\fR|\fBinet6\fR } +\fBfamily\fR { \fBinet\fR | \fBinet6\fR } The protocol family of the IP addresses to be stored in the set. The default is \fBinet\fR, i.e IPv4. .TP @@ -595,13 +595,13 @@ set names. .PP \fICREATE\-OPTIONS\fR := [ \fBsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP -\fIADD\-ENTRY\fR := \fIsetname\fR [ \fBbefore\fR|\fBafter\fR \fIsetname\fR ] +\fIADD\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ] .PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] .PP -\fIDEL\-ENTRY\fR := \fIsetname\fR [ \fBbefore\fR|\fBafter\fR \fIsetname\fR ] +\fIDEL\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ] .PP -\fITEST\-ENTRY\fR := \fIsetname\fR [ \fBbefore\fR|\fBafter\fR \fIsetname\fR ] +\fITEST\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ] .PP Optional \fBcreate\fR options: .TP 
@@ -617,16 +617,16 @@ type of set. The match will try to find a matching entry in the sets and the target will try to add an entry to the first set to which it can be added. The number of direction options of the match and target are important: sets which require more parameters than specified are skipped, while sets with equal -or less parameters are checked, elements added. For example if \fIa\fR and +or less parameters are checked, elements added/deleted. For example if \fIa\fR and \fIb\fR are \fBlist:set\fR type of sets then in the command .IP iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add\-set b src,dst .PP the match and target will skip any set in \fIa\fR and \fIb\fR -which stores data triples, but will check all sets with single or double -data storage in \fIa\fR -set and add src to the first single or src,dst to the first double -data storage set in \fIb\fR. +which stores data triples, but will match all sets with single or double +data storage in \fIa\fR set and stop matching at the first successful set, +and add src to the first single or src,dst to the first double data storage set +in \fIb\fR to which the entry can be added. .PP You can imagine a setlist type of set as an ordered union of the set elements. -- 2.40.0