f48d19db12e1cde296ce7a13c38303618e38e304 |
|
08-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: The bitmap types with counter support Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
b0da3905bb1eb0969470f57b18c978f902475c78 |
|
27-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Bitmap types using the unified code base Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
5add189a125e6b497e31bffdaaed8145ec6d4984 |
|
13-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: bitmap:ip,mac: fix listing with timeout The type when timeout support was enabled, could not list all elements, just the first ones which could fit into one netlink message: it just did not continue listing after the first message. Reported-by: Yoann JUET <yoann.juet@univ-nantes.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Tested-by: Yoann JUET <yoann.juet@univ-nantes.fr> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
3ace95c0ac125a042cfb682d0a9bbdbf1e5a2c65 |
|
21-Sep-2012 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Coding style fixes Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
10111a6ef373c377e87730749a0f68210c3fd062 |
|
21-Sep-2012 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Include supported revisions in module description Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
b9fed748185a96b7cfe74afac4bd228e8af16f01 |
|
04-Sep-2012 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Check and reject crazy /0 input parameters bitmap:ip and bitmap:ip,mac type did not reject such a crazy range when created and using such a set results in a kernel crash. The hash types just silently ignored such parameters. Reject invalid /0 input parameters explicitely. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
8561cf99785faf73cccb9f417170d8b5844bf496 |
|
08-May-2012 |
Joe Perches <joe@perches.com> |
netfilter: Convert compare_ether_addr to ether_addr_equal Use the new bool function ether_addr_equal to add some clarity and reduce the likelihood for misuse of compare_ether_addr for sorting. Done via cocci script: $ cat compare_ether_addr.cocci @@ expression a,b; @@ - !compare_ether_addr(a, b) + ether_addr_equal(a, b) @@ expression a,b; @@ - compare_ether_addr(a, b) + !ether_addr_equal(a, b) @@ expression a,b; @@ - !ether_addr_equal(a, b) == 0 + ether_addr_equal(a, b) @@ expression a,b; @@ - !ether_addr_equal(a, b) != 0 + !ether_addr_equal(a, b) @@ expression a,b; @@ - ether_addr_equal(a, b) == 0 + !ether_addr_equal(a, b) @@ expression a,b; @@ - ether_addr_equal(a, b) != 0 + ether_addr_equal(a, b) @@ expression a,b; @@ - !!ether_addr_equal(a, b) + ether_addr_equal(a, b) Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
|
7cf7899d9ee31c88c86ea8459fc4db4bd11cc240 |
|
02-Apr-2012 |
David S. Miller <davem@davemloft.net> |
ipset: Stop using NLA_PUT*(). These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit. Signed-off-by: David S. Miller <davem@davemloft.net>
|
c15f1c83251049182b1771da004d14f29683ab97 |
|
14-Feb-2012 |
Jan Engelhardt <jengelh@medozas.de> |
netfilter: ipset: use NFPROTO_ constants ipset is actually using NFPROTO values rather than AF (xt_set passes that along). Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
15b4d93f0316caec44e07255c1d73bde4fac12e4 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: whitespace and coding fixes detected by checkpatch.pl Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
b66554cf03fe866b3fb7b9f40f430b8ba09f41c8 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: add xt_action_param to the variant level kadt functions, ipset API change With the change the sets can use any parameter available for the match and target extensions, like input/output interface. It's required for the hash:net,iface set type. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
e6146e8684ed6dd4c0ff85ca21bf4324114fbbfa |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: use unified from/to address masking and check the usage Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
f1e00b39797944bf25addaf543839feeb25fbdc5 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: set type support with multiple revisions added A set type may have multiple revisions, for example when syntax is extended. Support continuous revision ranges in set types. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
3d14b171f004f75c2d1e82e10545966f94132705 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: fix adding ranges to hash types When ranges are added to hash types, the elements may trigger rehashing the set. However, the last successfully added element was not kept track so the adding started again with the first element after the rehashing. Bug reported by Mr Dash Four. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
ac8cc925d35fc5a05da2bd097e602f20de2478a4 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: options and flags support added to the kernel API The support makes possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
5416219e5ca4504ea80d662fdda7337e52e86ee5 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: timeout can be modified for already added elements When an element to a set with timeout added, one can change the timeout by "readding" the element with the "-exist" flag. That means the timeout value is reset to the specified one (or to the default from the set specification if the "timeout n" option is not used). Example ipset add foo 1.2.3.4 timeout 10 ipset add foo 1.2.3.4 timeout 600 -exist Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
0e8a835aa59d08d702af0fcfd296e2218b2e344b |
|
13-Apr-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: bitmap:ip,mac type requires "src" for MAC Enforce that the second "src/dst" parameter of the set match and SET target must be "src", because we have access to the source MAC only in the packet. The previous behaviour, that the type required the second parameter but actually ignored the value was counter-intuitive and confusing. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
2f9f28b212a2bd4948c8ceaaec33ce0123632129 |
|
04-Apr-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: references are protected by rwlock instead of mutex The timeout variant of the list:set type must reference the member sets. However, its garbage collector runs at timer interrupt so the mutex protection of the references is a no go. Therefore the reference protection is converted to rwlock. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
6604271c5bc658a6067ed0c3deba4d89e0e50382 |
|
29-Mar-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: References are protected by rwlock instead of mutex The timeout variant of the list:set type must reference the member sets. However, its garbage collector runs at timer interrupt so the mutex protection of the references is a no go. Therefore the reference protection is converted to rwlock. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
582e1fc85ca3727abd4e99109a267c514ea5c260 |
|
01-Feb-2011 |
Patrick McHardy <kaber@trash.net> |
netfilter: ipset: remove unnecessary includes None of the set types need uaccess.h since this is handled centrally in ip_set_core. Most set types additionally don't need bitops.h and spinlock.h since they use neither. tcp.h is only needed by those using before(), udp.h is not needed at all. Signed-off-by: Patrick McHardy <kaber@trash.net>
|
de76021a1bb35e3560afccf741d1119a872aea49 |
|
01-Feb-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: bitmap:ip,mac type support The module implements the bitmap:ip,mac set type in two flavours, without and with timeout support. In this kind of set one can store IPv4 address and (source) MAC address pairs. The type supports elements added without the MAC part filled out: when the first matching from kernel happens, the MAC part is automatically filled out. The timing out of the elements stars when an element is complete in the IP,MAC pair. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|