History log of /external/iptables/include/linux/netfilter/ipset/
Revision Date Author Comments
a40cd9b784590ee09f1be4897f28bb0b2ce1096d 06-Nov-2014 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Alignment problem between 64bit kernel and 32bit userspace

Sven-Haegar Koch reported the issue:

sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
iptables: Invalid argument. Run `dmesg' for more information.

In syslog:
x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32

which was introduced by the counter extension in ipset.

The patch fixes the alignment issue by introducing a new set match
revision with the fixed underlying 'struct ip_set_counter_match'
structure.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
p_set.h
6d9ae2952a440b4ff28e86df6d18b53caa7ecd94 02-Sep-2014 Anton Danilov <littlesmilingcloud@gmail.com> xtables: SET target: Add mapping of meta information (skbinfo ipset extension)

This feature adds support for mapping meta information to packets, like nftables maps or
ipfw tables. Currently we can map the firewall mark, tc priority and hardware NIC queue.
Use of this functionality is allowed only from the mangle table. We can map tc priority
only in the OUTPUT/FORWARD/POSTROUTING chains because it is rewritten by the routing decision.
If the entry doesn't exist in the set, none of the fields are changed.

Example of classify by destination address:
iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio

Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
p_set.h
cf1f03f8f3cf2db577a9ddee254cc7f886129d18 04-Sep-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> extensions: libxt_set, libxt_SET: check the set family too

Do not silently accept sets with the wrong protocol family but reject
them with an error message. It makes it straightforward to catch user
errors.

[ Use afinfo instead to avoid a binary interface update --pablo ]

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
p_set.h
34844da8f53ec80b34ad094f2fca2519a7079ec2 01-May-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Introduce a new revision for the set match with the counters support

The revision adds support for matching the packet/byte counters
if the set was defined with the extension. Also, a new flag is
introduced to suppress updating the packet/byte counters if required.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
p_set.h
d637ead63658d741501974c381889b3857073308 21-Sep-2012 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> New set match revision with --return-nomatch flag support
p_set.h
dbe77cc974cee656eae37e75039dd1a410a4535b 28-Aug-2011 Jan Engelhardt <jengelh@medozas.de> include: refresh include files from kernel 3.1-rc3

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
p_set.h