ENABLE_VERBOSE
+AM_VERBOSE_CC = @echo " CC " $@;
+AM_VERBOSE_CCLD = @echo " CCLD " $@;
+endif
diff --git a/ b/
new file mode 100644
index 0000000..f94689b
--- /dev/null
+++ b/
@@ -0,0 +1,49 @@
+## Process this file with automake to produce
+
+include $(top_srcdir)/
+
+if ! WITH_KBUILDDIR
+KBUILD_OUTPUT=/lib/modules/`uname -r`/build
+else
+KBUILD_OUTPUT=$(KBUILDDIR)
+endif
+if ! WITH_MAXSETS
+IP_SET_MAX=256
+else
+IP_SET_MAX=$(MAXSETS)
+endif
+if ENABLE_VERBOSE
+V=1
+else
+V=0
+endif
+
+SUBDIRS = lib src
+
+modules:
+ cd kernel; make -C $(KBUILD_OUTPUT) M=`pwd` V=$V IP_SET_MAX=$(IP_SET_MAX) modules
+
+modules_install:
+ cd kernel; make -C $(KBUILD_OUTPUT) M=`pwd` modules_install
+
+modules_clean:
+ cd kernel; make -C $(KBUILD_OUTPUT) M=`pwd` clean
+
+update_includes:
+ ./update ip_set.h
+ ./update ip_set_bitmap.h
+ ./update ip_set_hash.h
+
+tests:
+ cd tests; ./
+
+cleanup_dirs := . include/libipset lib src tests
+
+tidy: distclean
+ rm -rf .deps $(foreach dir,$(cleanup_dirs),$(wildcard $(dir)/*~))
+ rm -rf aclocal.m4 autom4te.cache
+ rm -rf config.* configure depcomp install-sh libtool
+ rm -rf Makefile */Makefile */
+ rm -rf missing stamp-h1
+
+.PHONY: modules modules_instal modules_clean update_includes tests
diff --git a/ b/
new file mode 100755
index 0000000..d65b0b7
--- /dev/null
+++ b/
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+run ()
+{
+ echo "running: $*"
+ eval $*
+
+ if test $? != 0 ; then
+ echo "error: while running '$*'"
+ exit 1
+ fi
+}
+
+run aclocal
+run autoheader
+run libtoolize -f
+run automake -a
+run autoconf
diff --git a/ b/
new file mode 100644
index 0000000..cfffa99
--- /dev/null
+++ b/
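Review bot: `.PHONY: modules modules_instal modules_clean update_includes tests` misspells `modules_install`, so that target is never declared phony and a stray file of that name in the top directory would turn `make modules_install` into a no-op; the line should read `.PHONY: modules modules_install modules_clean update_includes tests`. The `modules`, `modules_install` and `modules_clean` recipes invoke a literal `make` joined to `cd` with `;`, which neither forwards `-j`/`-n` and the jobserver to the kernel build nor stops when `cd kernel` fails; `cd kernel && $(MAKE) -C $(KBUILD_OUTPUT) M=$(CURDIR)/kernel V=$(V) IP_SET_MAX=$(IP_SET_MAX) modules` addresses both, and the same `&&`/`$(MAKE)` form applies to the two sibling recipes and to the `tests` recipe. `tidy` is also missing from `.PHONY`; it currently runs every time only because automake marks its `distclean` prerequisite phony.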
@@ -0,0 +1,76 @@
+dnl Boilerplate
+AC_INIT([ipset], [5.0], [])
+AC_CANONICAL_SYSTEM
+AC_CONFIG_HEADER([config.h])
+AM_INIT_AUTOMAKE([-Wall -Werror foreign])
+
+dnl Shortcut: Linux supported alone
+case $target in
+*-*-linux*) ;;
+*) AC_MSG_ERROR([Linux systems supported exclusively!]);;
+esac
+
+dnl Additional arguments
+dnl Kernel build directory or source tree
+AC_ARG_WITH([kernel],
+ AS_HELP_STRING([--with-kernel=PATH],
+ [Path to kernel source/build directory]),
+ [KBUILDDOR="$withval";])
+AM_CONDITIONAL(WITH_KBUILDDIR, test "$KBUILDDIR" != "")
+AC_SUBST(KBUILDDIR)
+
+dnl Maximal number of sets supported by the kernel, default 256
+AC_ARG_WITH([maxsets],
+ AS_HELP_STRING([--with-maxsets=256],
+ [Maximal numer of sets supported by the kernel]),
+ [MAXSETS="$withval";])
+AM_CONDITIONAL(WITH_MAXSETS, test "$MAXSETS" != "")
+AC_SUBST(MAXSETS)
+
+dnl Verbose compiling
+AC_ARG_ENABLE([verbose],
+ AS_HELP_STRING([--enable-verbose],
+ [Enable verbose mode at compiling/linking.]),
+ [case "${enableval}" in
+ yes) enable_verbose=yes ;;
+ no) enable_verbose=no ;;
+ *) AC_MSG_ERROR([bad value ${enableval} for --enable-verbose]) ;;
+ esac], [enable_verbose=no])
+
+AM_CONDITIONAL([ENABLE_VERBOSE], [test "x$enable_verbose" = xyes])
+
+dnl Disable extra warn flags
+AC_ARG_ENABLE([extra-flags],
+ AS_HELP_STRING([--disable-extra-flags],
+ [Disable extra compiler warning flags.]),
+ [case "${enableval}" in
+ yes) extra_flags=yes ;;
+ no) extra_flags=no ;;
+ *) AC_MSG_ERROR([bad value ${enableval} for --disable-extra-flags]) ;;
+ esac], [extra_flags=yes])
+
+AM_CONDITIONAL([DISABLE_EXTRA_FLAGS], [test "x$extra_flags" = xno])
+
+dnl Checks for programs
+AC_PROG_CC
+AC_PROG_LIBTOOL
+AC_PROG_INSTALL
+AC_PROG_LN_S
+
+dnl Checks for libraries
+AC_CHECK_LIB([mnl], [mnl_socket_open])
+if test x"${ac_cv_lib_mnl_mnl_socket_open}" = xno; then
+ AC_MSG_ERROR(libmnl not found)
+fi
+
+dnl Checks for header files
+
+dnl Checks for typedefs, structures, and compiler characteristics.
+AC_CHECK_TYPES([union nf_inet_addr],,,[#include
+#include
+#include ])
+dnl Checks for library functions.
+
+dnl Generate output
+AC_CONFIG_FILES([Makefile lib/Makefile src/Makefile])
+AC_OUTPUT
diff --git a/netlink.patch b/netlink.patch
new file mode 100644
index 0000000..685cd23
--- /dev/null
+++ b/netlink.patch
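Review bot: The `--with-kernel` handler assigns `[KBUILDDOR="$withval";]` while `AM_CONDITIONAL(WITH_KBUILDDIR, test "$KBUILDDIR" != "")` and `AC_SUBST(KBUILDDIR)` on the following lines read `KBUILDDIR`, so the option is silently discarded and the build always falls back to the running kernel's build directory; the assignment should be `[KBUILDDIR="$withval";]`. The `--with-maxsets` help text has a typo, `Maximal numer of sets` should be `Maximal number of sets`. `AC_CANONICAL_SYSTEM` and `AC_CONFIG_HEADER` are the obsolete spellings; `AC_CANONICAL_TARGET` (only `$target` is consulted) and `AC_CONFIG_HEADERS` are the current names with the same effect.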
@@ -0,0 +1,86 @@ +diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h +index 9f00da2..9f51ff6 100644 +--- a/include/linux/netfilter/nfnetlink.h ++++ b/include/linux/netfilter/nfnetlink.h +@@ -47,7 +47,8 @@ struct nfgenmsg { + #define NFNL_SUBSYS_QUEUE 3 + #define NFNL_SUBSYS_ULOG 4 + #define NFNL_SUBSYS_OSF 5 +-#define NFNL_SUBSYS_COUNT 6 ++#define NFNL_SUBSYS_IPSET 6 ++#define NFNL_SUBSYS_COUNT 7 + + #ifdef __KERNEL__ + +diff --git a/include/linux/netlink.h b/include/linux/netlink.h +index ab5d312..ef8b229 100644 +--- a/include/linux/netlink.h ++++ b/include/linux/netlink.h +@@ -263,11 +263,14 @@ __nlmsg_put(struct sk_buff *skb, u32 pid, u32 seq, int type, int len, int flags) + #define NLMSG_PUT(skb, pid, seq, type, len) \ + NLMSG_NEW(skb, pid, seq, type, len, 0) + +-extern int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, +- const struct nlmsghdr *nlh, +- int (*dump)(struct sk_buff *skb, struct netlink_callback*), +- int (*done)(struct netlink_callback*)); +- ++extern int netlink_dump_init(struct sock *ssk, struct sk_buff *skb, ++ const struct nlmsghdr *nlh, ++ int (*dump)(struct sk_buff *skb, struct netlink_callback*), ++ int (*done)(struct netlink_callback*), ++ unsigned char init, ...); ++ ++#define netlink_dump_start(ssk, skb, nlh, dump, done) \ ++ netlink_dump_init(ssk, skb, nlh, dump, done, 0) + + #define NL_NONROOT_RECV 0x1 + #define NL_NONROOT_SEND 0x2 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 19e9800..1b9dbe8 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1714,15 +1714,18 @@ errout: + return err; + } + +-int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, +- const struct nlmsghdr *nlh, +- int (*dump)(struct sk_buff *skb, +- struct netlink_callback *), +- int (*done)(struct netlink_callback *)) ++int netlink_dump_init(struct sock *ssk, struct sk_buff *skb, ++ const struct nlmsghdr *nlh, ++ int (*dump)(struct sk_buff *skb, ++ struct 
netlink_callback *), ++ int (*done)(struct netlink_callback *), ++ unsigned char init, ...) + { + struct netlink_callback *cb; + struct sock *sk; + struct netlink_sock *nlk; ++ va_list args; ++ unsigned char i; + + cb = kzalloc(sizeof(*cb), GFP_KERNEL); + if (cb == NULL) +@@ -1748,6 +1751,10 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + sock_put(sk); + return -EBUSY; + } ++ va_start(args, init); ++ for (i = 0; i < init; i++) ++ cb->args[i] = va_arg(args, unsigned long); ++ va_end(args); + nlk->cb = cb; + mutex_unlock(nlk->cb_mutex); + +@@ -1759,7 +1766,7 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb, + */ + return -EINTR; + } +-EXPORT_SYMBOL(netlink_dump_start); ++EXPORT_SYMBOL(netlink_dump_init); + + void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err) + { diff --git a/tests/bitmap:ip.t b/tests/bitmap:ip.t new file mode 100644 index 0000000..b44f5c4 --- /dev/null +++ b/tests/bitmap:ip.t 
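Review bot: In the `net/netlink/af_netlink.c` hunk of the shipped patch, the new loop `for (i = 0; i < init; i++) cb->args[i] = va_arg(args, unsigned long);` is bounded only by the caller-supplied `init`, not by the number of slots in `cb->args`, so a caller passing more initial values than the array holds writes past the freshly allocated callback. A guard at the top of `netlink_dump_init`, before the `kzalloc`, `if (init > ARRAY_SIZE(cb->args)) return -EINVAL;`, rejects such a call instead. The variadic signature also hides the argument types from the compiler; a comment above the `netlink_dump_start` macro in `netlink.h` stating that every extra argument must be passed as `unsigned long` would keep callers from passing an `int` that `va_arg` then misreads. The middle of the function lies between the nested hunks and is not shown here.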
@@ -0,0 +1,151 @@ +# Range: Try to create from an invalid range with timeout +1 ipset create test bitmap:ip range timeout 5 +# Range: Create a set from a valid range with timeout +0 ipset create test bitmap:ip range timeout 5 +# Range: Add lower boundary +0 ipset add test timeout 10 +# Range: Add upper boundary +0 ipset add test timeout 0 +# Range: Test lower boundary +0 ipset test test +# Range: Test upper boundary +0 ipset test test +# Range: Test element not added to the set +1 ipset test test +# Range: Test element before lower boundary +1 ipset test test +# Range: Test element after upper boundary +1 ipset test test +# Range: Try to add element before lower boundary +1 ipset add test +# Range: Try to add element after upper boundary +1 ipset add test +# Range: Delete element not added to the set +1 ipset -D test +# Range: Delete element not added to the set, with exist flag +0 ipset -x -D test +# Range: Add element in the middle +0 ipset -A test +# Range: Add element in the middle again +1 ipset -A test +# Range: Add element in the middle again, with exist flag +0 ipset -x -A test +# Range: Delete the same element +0 ipset -D test +# Range: Add a range of elements +0 ipset -A test timeout 6 +# Range: List set +0 ipset list test > .foo +# Range: Check listing +0 grep ' timeout' .foo >/dev/null +# Sleep 10s so that entries can time out +0 sleep 10s +# Range: List set after timeout +0 ipset list test > .foo +# Range: Check listing +0 diff .foo bitmap:ip.t.list0 && rm .foo +# Range: Flush test set +0 ipset flush test +# Range: Delete test set +0 ipset destroy test +# Network: Try to create a set from an invalid network with timeout +1 ipset create test bitmap:ip range +# Network: Create a set from a valid network with timeout +0 ipset create test bitmap:ip range timeout 5 +# Network: Add lower boundary +0 ipset add test timeout 0 +# Network: Add upper boundary +0 ipset add test timeout 10 +# Network: Test lower boundary +0 ipset test test +# Network: Test upper 
boundary +0 ipset test test +# Network: Test element not added to the set +1 ipset test test +# Network: Test element before lower boundary +1 ipset test test +# Network: Test element after upper boundary +1 ipset test test +# Network: Try to add element before lower boundary +1 ipset add test +# Network: Try to add element after upper boundary +1 ipset add test +# Network: Delete element not added to the set +1 ipset -D test +# Network: Add element in the middle +0 ipset -A test timeout 20 +# Network: Delete the same element +0 ipset -D test +# Network: List set +0 ipset list test > .foo +# Network: Check listing +0 grep ' timeout' .foo >/dev/null +# Sleep 10s so that entries can time out +0 sleep 10s +# Network: List set +0 ipset list test > .foo +# Network: Check listing +0 diff .foo bitmap:ip.t.list1 && rm .foo +# Network: Flush test set +0 ipset flush test +# Network: Delete test set +0 ipset destroy test +# Subnets: Create a set to store networks with timeout +0 ipset create test bitmap:ip range netmask 24 timeout 5 +# Subnets: Add lower boundary +0 ipset add test timeout 10 +# Subnets: Add upper boundary +0 ipset add test timeout 0 +# Subnets: Test lower boundary +0 ipset test test +# Subnets: Test upper boundary +0 ipset test test +# Subnets: Test element not added to the set +1 ipset test test +# Subnets: Test element before lower boundary +1 ipset test test +# Subnets: Test element after upper boundary +1 ipset test test +# Subnets: Try to add element before lower boundary +1 ipset add test +# Subnets: Try to add element after upper boundary +1 ipset add test +# Subnets: Try to delete element not added to the set +1 ipset -D test +# Subnets: Add element to the set +0 ipset -A test +# Subnets: Delete the same element from the set +0 ipset -D test +# Subnets: Add a subnet of subnets +0 ipset -A test timeout 8 +# Subnets: Check listing +0 ipset list test | grep ' timeout' >/dev/null +# Sleep 10s so that entries can time out +0 sleep 10s +# Subnets: List set 
+0 ipset list test > .foo +# Subnets: Check listing +0 diff .foo bitmap:ip.t.list2 && rm .foo +# Subnets: Flush test set +0 ipset flush test +# Subnets: Delete test set +0 ipset destroy test +# Full: Create full IPv4 space with /16 networks and timeout +0 ipset create test bitmap:ip range netmask 16 timeout 5 +# Full: Add lower boundary +0 ipset add test timeout 0 +# Full: Add upper boundary +0 ipset add test timeout 0 +# Full: Test lower boundary +0 ipset test test +# Full: Test upper boundary +0 ipset test test +# Full: Test element not added to the set +1 ipset test test +# Full: List set +0 ipset list test > .foo +# Full: Check listing +0 diff .foo bitmap:ip.t.list3 && rm .foo +# Full: Delete test set +0 ipset destroy test +# eof diff --git a/tests/bitmap:ip.t.list0 b/tests/bitmap:ip.t.list0 new file mode 100644 index 0000000..0be60c0 --- /dev/null +++ b/tests/bitmap:ip.t.list0 @@ -0,0 +1,9 @@ +Name: test +Type: bitmap:ip +Header: range timeout 5 +Elements: 1 +Size in memory: 524288 +References: 0 +Members: + timeout 0 + diff --git a/tests/bitmap:ip.t.list1 b/tests/bitmap:ip.t.list1 new file mode 100644 index 0000000..02ccdaa --- /dev/null +++ b/tests/bitmap:ip.t.list1 @@ -0,0 +1,9 @@ +Name: test +Type: bitmap:ip +Header: range timeout 5 +Elements: 1 +Size in memory: 524288 +References: 0 +Members: + timeout 0 + diff --git a/tests/bitmap:ip.t.list2 b/tests/bitmap:ip.t.list2 new file mode 100644 index 0000000..7b17999 --- /dev/null +++ b/tests/bitmap:ip.t.list2 @@ -0,0 +1,9 @@ +Name: test +Type: bitmap:ip +Header: range netmask 24 timeout 5 +Elements: 1 +Size in memory: 524288 +References: 0 +Members: + timeout 0 + diff --git a/tests/bitmap:ip.t.list3 b/tests/bitmap:ip.t.list3 new file mode 100644 index 0000000..677bb2a --- /dev/null +++ b/tests/bitmap:ip.t.list3 @@ -0,0 +1,10 @@ +Name: test +Type: bitmap:ip +Header: range netmask 16 timeout 5 +Elements: 2 +Size in memory: 524288 +References: 0 +Members: + timeout 0 + timeout 0 + 
diff --git a/tests/hash:ip.t b/tests/hash:ip.t
new file mode 100644
index 0000000..de6b0df
--- /dev/null
+++ b/tests/hash:ip.t
@@ -0,0 +1,79 @@
+# IP: Create a set with timeout
+0 ipset -N test iphash --hashsize 128 timeout 5
+# Range: Add zero valued element
+1 ipset -A test
+# Range: Test zero valued element
+1 ipset -T test
+# IP: Add first random value
+0 ipset -A test timeout 5
+# IP: Add second random value
+0 ipset -A test timeout 0
+# IP: Test first random value
+0 ipset -T test
+# IP: Test second random value
+0 ipset -T test
+# IP: Test value not added to the set
+1 ipset -T test
+# IP: Add third random value
+0 ipset -A test
+# IP: Delete the same value
+0 ipset -D test
+# Sleep 6s so that element can time out
+0 sleep 6
+# IP: List set
+0 ipset -L test 2>/dev/null > .foo0 && ./ .foo0
+# IP: Check listing
+0 diff .foo hash:ip.t.list0 && rm .foo
+# IP: Flush test set
+0 ipset -F test
+# IP: Delete test set
+0 ipset -X test
+# IP: Restore values so that rehashing is triggered
+0 sed 's/hashsize 128/hashsize 128 timeout 6/' iphash.t.restore | ipset -R
+# IP: Check that the values are restored
+0 test `ipset -S test| grep add| wc -l` -eq 129
+# Sleep 8s so that elements can time out
+0 sleep 8
+# IP: check that elements timed out
+0 test `ipset -S test| grep add| wc -l` -eq 0
+# IP: Flush test set
+0 ipset -F test
+# IP: Delete test set
+0 ipset -X test
+# Network: Create a set with timeout
+0 ipset -N test iphash --hashsize 128 --netmask 24 timeout 6
+# Network: Add zero valued element
+1 ipset -A test
+# Network: Test zero valued element
+1 ipset -T test
+# Network: Delete zero valued element
+1 ipset -D test
+# Network: Add first random network
+0 ipset -A test
+# Network: Add second random network
+0 ipset -A test
+# Network: Test first random value
+0 ipset -T test
+# Network: Test second random value
+0 ipset -T test
+# Network: Test value not added to the set
+1 ipset -T test
+# Network: List set
+0 ipset -L test > .foo && grep ' timeout' .foo >/dev/null && grep ' timeout' .foo >/dev/null && rm .foo
+# Network: Add third element
+0 ipset -A test timeout 0
+# Network: Add third random network
+0 ipset -A test
+# Network: Delete the same network
+0 ipset -D test
+# Sleep 6s so that elements can time out
+0 sleep 6
+# Network: List set
+0 ipset -L test > .foo
+# Network: Check listing
+0 diff .foo hash:ip.t.list1 && rm .foo
+# Network: Flush test set
+0 ipset -F test
+# Network: Delete test set
+0 ipset -X test
+# eof
diff --git a/tests/hash:ip.t.list0 b/tests/hash:ip.t.list0
new file mode 100644
index 0000000..cf2ecac
--- /dev/null
+++ b/tests/hash:ip.t.list0
@@ -0,0 +1,9 @@
+Name: test
+Type: hash:ip
+Header: hashsize 128 maxelem 65536 probes 4 resize 50 timeout 5
+Elements: 1
+Size in memory: 2048
+References: 0
+Members:
+ timeout 0
+
diff --git a/tests/hash:ip.t.list1 b/tests/hash:ip.t.list1
new file mode 100644
index 0000000..c564ba0
--- /dev/null
+++ b/tests/hash:ip.t.list1
@@ -0,0 +1,9 @@
+Name: test
+Type: hash:ip
+Header: hashsize 128 maxelem 65536 probes 4 resize 50 netmask 24 timeout 6
+Elements: 1
+Size in memory: 2048
+References: 0
+Members:
+ timeout 0
+
diff --git a/tests/iphash.t.restore.old b/tests/iphash.t.restore.old
new file mode 100644
index 0000000..fd915cc
--- /dev/null
+++ b/tests/iphash.t.restore.old
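Review bot: `0 ipset -L test 2>/dev/null > .foo0 && ./ .foo0` writes the listing to `.foo0`, but the check on the next line runs `0 diff .foo hash:ip.t.list0 && rm .foo`; unless the helper whose name is stripped in this copy rewrites `.foo0` into `.foo`, the diff compares a file this test never produced and `.foo0` is left behind in the test directory. The two labels `# Range: Add zero valued element` and `# Range: Test zero valued element` sit inside the IP section and should read `# IP: ...` like their neighbours. The restore step reads `iphash.t.restore` while this commit only adds `tests/iphash.t.restore.old`; worth confirming the non-`.old` file already exists in the tree, since the `-eq 129` count on the following line depends on its contents.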
@@ -0,0 +1,131 @@ +-N test iphash --hashsize 128 +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +-A test +COMMIT diff --git a/tests/ipmap.t.list4 b/tests/ipmap.t.list4 new file mode 100644 index 0000000..f498ba9 --- /dev/null +++ b/tests/ipmap.t.list4 @@ -0,0 +1,10 @@ +Name: test +Type: bitmap:ip +Header: range netmask 16 +Elements: 2 +Size in memory: 8192 +References: 0 +Members: + + + diff --git a/tests/macipmap.t.list2 b/tests/macipmap.t.list2 new file mode 100644 index 0000000..9d0413e --- /dev/null +++ b/tests/macipmap.t.list2 @@ -0,0 +1,9 @@ +Name: test +Type: bitmap:ip,mac +Header: range timeout 10 +Elements: 1 +Size in memory: 1048576 +References: 0 +Members: + timeout 5 + diff --git a/tests/portmap.t.list2 b/tests/portmap.t.list2 new file mode 100644 index 0000000..66e06b8 --- /dev/null +++ b/tests/portmap.t.list2 
@@ -0,0 +1,9 @@
+Name: test
+Type: bitmap:port
+Header: range 0-65535 timeout 8
+Elements: 1
+Size in memory: 524288
+References: 0
+Members:
+65535 timeout 0
+
diff --git a/update b/update
new file mode 100755
index 0000000..494485c
--- /dev/null
+++ b/update
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+NAME=`echo $1 | sed 's/\.h//' | tr a-z A-Z`
+
+awk "BEGIN { userspace=1 }
+/ifdef __KERNEL__/ { userspace = !userspace }
+{ if (userspace == 1) print }
+END { print \"#endif /* __${NAME}_H */\" }" \
+ < kernel/include/linux/netfilter/$1 > include/libipset/linux_$1
-- 2.40.0
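Review bot: The awk program in `update` flips `userspace` on every line matching `/ifdef __KERNEL__/` and then prints `#endif /* __${NAME}_H */` unconditionally at END, so the output is only well-formed when the kernel-only block is the last one in the header and swallows the include guard's closing `#endif`; a header written with `#if defined(__KERNEL__)`, or one with user-visible declarations after the kernel block, would come out truncated or with an unbalanced `#endif`. That assumption deserves a comment above the `awk` line, plus a check such as `grep -q 'ifdef __KERNEL__' "kernel/include/linux/netfilter/$1" || exit 1` so the three headers driven by `update_includes` fail loudly when the kernel layout changes. `sed 's/\.h//'` also strips the first `.h` anywhere in the name; anchoring it as `sed 's/\.h$//'` limits it to the suffix, and quoting `$1` in both redirections keeps an odd file name from splitting.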