a40cd9b784590ee09f1be4897f28bb0b2ce1096d |
|
06-Nov-2014 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
Alignment problem between 64bit kernel 32bit userspace

Sven-Haegar Koch reported the issue:

    sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
    iptables: Invalid argument. Run `dmesg' for more information.

In syslog:

    x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32

which was introduced by the counter extension in ipset.

The patch fixes the alignment issue by introducing a new set match revision with the fixed underlying 'struct ip_set_counter_match' structure.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
/external/iptables/include/linux/netfilter/xt_set.h
|
6d9ae2952a440b4ff28e86df6d18b53caa7ecd94 |
|
02-Sep-2014 |
Anton Danilov <littlesmilingcloud@gmail.com> |
xtables: SET target: Add mapping of meta informations (skbinfo ipset extension)

This feature adds support for mapping metainformation to packets, like nftables maps or ipfw tables. Currently we can map firewall mark, tc priority and hardware NIC queue. Usage of this functionality is allowed only from the mangle table. We can map tc priority only in OUTPUT/FORWARD/POSTROUTING chains because it is rewritten by the route decision. If the entry doesn't exist in the set, none of the fields are changed.

Example of classify by destination address:

    iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio

Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
/external/iptables/include/linux/netfilter/xt_set.h
|
34844da8f53ec80b34ad094f2fca2519a7079ec2 |
|
01-May-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
Introduce a new revision for the set match with the counters support

The revision adds support for matching the packet/byte counters if the set was defined with the extension. Also, a new flag is introduced to suppress updating the packet/byte counters if required.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
/external/iptables/include/linux/netfilter/xt_set.h
|
dbe77cc974cee656eae37e75039dd1a410a4535b |
|
28-Aug-2011 |
Jan Engelhardt <jengelh@medozas.de> |
include: refresh include files from kernel 3.1-rc3

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/include/linux/netfilter/xt_set.h
|
e39f367d905670e39e6f08d2b73c715a6d0b4bfb |
|
17-Apr-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
SET target revision 2 added

The new revision of the SET target supports the following new operations:
- specifying the timeout value of the entry to be added
- flag to instruct the kernel that if the entry already exists then reset the timeout value to the specified one (or to the default from the set definition)
/external/iptables/include/linux/netfilter/xt_set.h
|
d40f1628c3717daebc437a398a285e371b5b6f7f |
|
16-Jun-2010 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
libxt_set: new revision added

libipt_set renamed to libxt_set and the support for the forthcoming ipset release added. I have tested backward (IPv4) and forward compatibility (IPv4/IPv6):

    ipset -N test iphash
    ipset -A test test-address
    iptables -N test-set
    iptables -A test-set -j LOG --log-prefix "match "
    iptables -A test-set -j DROP
    iptables -A OUTPUT -m set --match-set test dst -j test-set
    ping test-address
/external/iptables/include/linux/netfilter/xt_set.h
|