History log of /external/iptables/include/linux/netfilter/xt_set.h
Revision Date Author Comments
a40cd9b784590ee09f1be4897f28bb0b2ce1096d 06-Nov-2014 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Alignment problem between 64bit kernel 32bit userspace

Sven-Haegar Koch reported the issue:

sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
iptables: Invalid argument. Run `dmesg' for more information.

In syslog:
x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32

which was introduced by the counter extension in ipset.

The patch fixes the alignment issue by introducing a new set match
revision with the fixed underlying 'struct ip_set_counter_match'
structure.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
/external/iptables/include/linux/netfilter/xt_set.h
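
The 48 versus 32 in the syslog line above follows from how the two ABIs align a 64-bit field inside a struct. This added example (not code from the commit or from xt_set.h) reproduces both sizes on any host by pinning the alignment explicitly. The struct names and field layouts are assumptions modelled on the counter match the commit message describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* i386 aligns a 64-bit integer inside a struct to 4 bytes, x86-64 to 8.
 * Pinning the alignment in a typedef models each ABI on any build host. */
typedef uint64_t __attribute__((aligned(4))) u64_user32;
typedef uint64_t __attribute__((aligned(8))) u64_kern64;

/* Assumed layouts; every name below is hypothetical, not the header's own. */
struct set_info { uint16_t index; uint8_t dim; uint8_t flags; };   /* 4 bytes */

/* Counter as first shipped: a u8 followed by a naturally aligned u64. */
struct counter_user32 { uint8_t op; u64_user32 value; };  /* 1 + 3 pad + 8 = 12 */
struct counter_kern64 { uint8_t op; u64_kern64 value; };  /* 1 + 7 pad + 8 = 16 */

struct match_user32 {
    struct set_info set;                      /* offset 0 */
    struct counter_user32 packets, bytes;     /* offsets 4 and 16 */
    uint32_t flags;                           /* offset 28, total 32 */
};
struct match_kern64 {
    struct set_info set;                      /* offset 0, then 4 bytes pad */
    struct counter_kern64 packets, bytes;     /* offsets 8 and 24 */
    uint32_t flags;                           /* offset 40, padded to 48 */
};

/* One layout with the fixed property: the u64 comes first and carries an
 * explicit 8-byte alignment, so the ABI default no longer decides anything. */
struct counter_fixed { u64_kern64 value; uint8_t op; };
struct match_fixed {
    struct set_info set;
    struct counter_fixed packets, bytes;
    uint32_t flags;
};

size_t user32_size(void) { return sizeof(struct match_user32); }
size_t kern64_size(void) { return sizeof(struct match_kern64); }
size_t fixed_size(void)  { return sizeof(struct match_fixed); }

/* The comparison behind the "invalid size" message: sizes must be equal. */
int sizes_agree(size_t kernel, size_t user) { return kernel == user; }

int main(void) {
    printf("old:   kernel %zu, user %zu, accepted=%d\n", kern64_size(),
           user32_size(), sizes_agree(kern64_size(), user32_size()));
    printf("fixed: kernel %zu, user %zu, accepted=%d\n", fixed_size(),
           fixed_size(), sizes_agree(fixed_size(), fixed_size()));
    return 0;
}
```
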
6d9ae2952a440b4ff28e86df6d18b53caa7ecd94 02-Sep-2014 Anton Danilov <littlesmilingcloud@gmail.com> xtables: SET target: Add mapping of meta informations (skbinfo ipset extension)

This feature adds support for mapping meta information to packets, like nftables maps or
ipfw tables. Currently we can map the firewall mark, tc priority and hardware NIC queue.
Use of this functionality is allowed only from the mangle table. We can map tc priority
only in the OUTPUT/FORWARD/POSTROUTING chains because it is rewritten by the routing decision.
If the entry doesn't exist in the set, none of the fields are changed.

Example of classifying by destination address:
iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio

Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
/external/iptables/include/linux/netfilter/xt_set.h
34844da8f53ec80b34ad094f2fca2519a7079ec2 01-May-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Introduce a new revision for the set match with the counters support

The revision adds support for matching the packet/byte counters
if the set was defined with the extension. Also, a new flag is
introduced to suppress updating the packet/byte counters if required.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
/external/iptables/include/linux/netfilter/xt_set.h
dbe77cc974cee656eae37e75039dd1a410a4535b 28-Aug-2011 Jan Engelhardt <jengelh@medozas.de> include: refresh include files from kernel 3.1-rc3

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/include/linux/netfilter/xt_set.h
e39f367d905670e39e6f08d2b73c715a6d0b4bfb 17-Apr-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> SET target revision 2 added

The new revision of the SET target supports the following new operations:

- specifying the timeout value of the entry to be added
- flag to instruct the kernel that if the entry already
  exists then reset the timeout value to the specified one (or
  to the default from the set definition)
/external/iptables/include/linux/netfilter/xt_set.h
d40f1628c3717daebc437a398a285e371b5b6f7f 16-Jun-2010 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> libxt_set: new revision added

libipt_set renamed to libxt_set and the support for the forthcoming
ipset release added. I have tested backward (IPv4) and forward
compatibility (IPv4/IPv6):

ipset -N test iphash
ipset -A test test-address
iptables -N test-set
iptables -A test-set -j LOG --log-prefix "match "
iptables -A test-set -j DROP
iptables -A OUTPUT -m set --match-set test dst -j test-set
ping test-address
/external/iptables/include/linux/netfilter/xt_set.h