History log of /net/netfilter/ipset/ip_set_hash_ipportip.c
Revision Date Author Comments
af331419d34e2fc0e2d0c629734f8d160f95a3ec 28-Aug-2014 Anton Danilov <littlesmilingcloud@gmail.com> netfilter: ipset: Add skbinfo extension kernel support for the hash set types.

Add skbinfo extension kernel support for the hash set types.
Introduce the new revisions of all hash set types.

Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
94729f8a1e9d38c8df6c83799fde8d2eaef2ff54 05-Aug-2014 Mark Rustad <mark.d.rustad@intel.com> netfilter: ipset: Resolve missing-field-initializer warnings

Resolve missing-field-initializer warnings by providing a
directed initializer.

Signed-off-by: Mark Rustad <mark.d.rustad@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
07cf8f5ae2657ac495b906c68ff3441ff8ba80ba 01-Mar-2014 Josh Hunt <johunt@akamai.com> netfilter: ipset: add forceadd kernel support for hash set types

Adds a new property for hash set types, where if a set is created
with the 'forceadd' option and the set becomes full the next addition
to the set may succeed and evict a random entry from the set.

To keep overhead low eviction is done very simply. It checks to see
which bucket the new entry would be added to. If the bucket's pos value
is non-zero (meaning there's at least one entry in the bucket) it
replaces the first entry in the bucket. If pos is zero, then it continues
down the normal add process.

This property is useful if you have a set for 'ban' lists where it may
not matter if you release some entries from the set early.

Signed-off-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
fda75c6d9e31a901e25b922e86c8fd505c899873 22-Sep-2013 Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> netfilter: ipset: Support comments in hash-type ipsets.

This provides kernel support for creating ipsets with comment support.

This does incur a penalty to flushing/destroying an ipset since all
entries are walked in order to free the allocated strings; this penalty
is of course less expensive than the operation of listing an ipset to
userspace, so for general-purpose usage the overall impact is expected
to be little to none.

Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
03c8b234e61a9a3aab8d970b3bf681934ecfe443 07-Sep-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: Generalize extensions support

Get rid of the structure based extensions and introduce a blob for
the extensions. Thus we can support more extension types easily.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
ca134ce86451f3f5ac45ffbf1494a1f42110bf93 07-Sep-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: Move extension data to set structure

Default timeout and extension offsets are moved to struct set, because
all set types support all extensions, which makes it possible to generalize
extension support.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
20b2fab483094d51c8d26784b81e12149474e0f2 01-May-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: Fix "may be used uninitialized" warnings

Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
35b8dcf8c3a0be1feb1c8b29b22e1685ba0c2e14 30-Apr-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: Rename simple macro names to avoid namespace issues.

Reported-by: David Laight <David.Laight@ACULAB.COM>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
00d71b270eedacd7d3d7b20fb93269853470d18e 08-Apr-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: The hash types with counter support

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
5d50e1d88336a9334348a338731c6a7bc4823d08 08-Apr-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: Hash types using the unified code base

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
29e3b1608c8dca3ae4224a26862d18ea003ccee6 29-Jan-2013 YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org> netfilter ipset: Use ipv6_addr_equal() where appropriate.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
4fe198e6b136c516df493ec325ab8f70d470f477 19-Nov-2012 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: Fix range bug in hash:ip,port,net

Due to the missing initialization at adding/deleting entries, when
a plain_ip,port,net element was the object, multiple elements were
added/deleted instead. The bug came from the missing dangling
default initialization.

The error-prone default initialization is corrected in all hash:* types.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
17b14ca25e9cd6c5cd7605941f6120e405a84f8b 19-Nov-2012 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: Fix range bug in hash:ip,port,net

Due to the missing initialization at adding/deleting entries, when
a plain_ip,port,net element was the object, multiple elements were
added/deleted instead. The bug came from the missing dangling
default initialization.

The error-prone default initialization is corrected in all hash:* types.
10111a6ef373c377e87730749a0f68210c3fd062 21-Sep-2012 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: Include supported revisions in module description

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
b9fed748185a96b7cfe74afac4bd228e8af16f01 04-Sep-2012 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: Check and reject crazy /0 input parameters

bitmap:ip and bitmap:ip,mac types did not reject such a crazy range
when created, and using such a set results in a kernel crash.
The hash types just silently ignored such parameters.

Reject invalid /0 input parameters explicitly.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
6e27c9b4ee8f348770be5751e6a845ff52a31e19 21-Sep-2012 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: Fix sparse warnings "incorrect type in assignment"

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
26a5d3cc0b3d1ff23b5a94edb58226afe7f12a0c 14-May-2012 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: fix hash size checking in kernel

The hash size must fit both into u32 (jhash) and the max value of
size_t. The missing checking could lead to kernel crash, bug reported
by Seblu.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
7cf7899d9ee31c88c86ea8459fc4db4bd11cc240 02-Apr-2012 David S. Miller <davem@davemloft.net> ipset: Stop using NLA_PUT*().

These macros contain a hidden goto, and are thus extremely error
prone and make code hard to audit.

Signed-off-by: David S. Miller <davem@davemloft.net>
c15f1c83251049182b1771da004d14f29683ab97 14-Feb-2012 Jan Engelhardt <jengelh@medozas.de> netfilter: ipset: use NFPROTO_ constants

ipset is actually using NFPROTO values rather than AF (xt_set passes
that along).

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
648ae8e53d58ed1b667db173a2d4ff2132a3b529 09-Nov-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: suppress compile-time warnings in ip_set_hash_ipport*.c

warning: 'ip_to' may be used uninitialized in this function

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
89dc79b787d20e4b6c4077dcee1c5b1be4ab55b8 21-Jul-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: hash:net,iface fixed to handle overlapping nets behind different interfaces

If overlapping networks with different interfaces were added to
the set, the type did not handle it properly. Example:

ipset create test hash:net,iface
ipset add test 192.168.0.0/16,eth0
ipset add test 192.168.0.0/24,eth1

Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned
a match.

In the patch the algorithm is fixed in order to correctly handle
overlapping networks.

Limitation: the same network cannot be stored with more than 64 different
interfaces in a single set.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
b66554cf03fe866b3fb7b9f40f430b8ba09f41c8 16-Jun-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: add xt_action_param to the variant level kadt functions, ipset API change

With the change the sets can use any parameter available for the match
and target extensions, like input/output interface. It's required for
the hash:net,iface set type.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
e6146e8684ed6dd4c0ff85ca21bf4324114fbbfa 16-Jun-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: use unified from/to address masking and check the usage

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
f1e00b39797944bf25addaf543839feeb25fbdc5 16-Jun-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: set type support with multiple revisions added

A set type may have multiple revisions, for example when syntax is
extended. Support continuous revision ranges in set types.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
3d14b171f004f75c2d1e82e10545966f94132705 16-Jun-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: fix adding ranges to hash types

When ranges are added to hash types, the elements may trigger rehashing
the set. However, the last successfully added element was not kept track
of, so the adding started again with the first element after the rehashing.

Bug reported by Mr Dash Four.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
ac8cc925d35fc5a05da2bd097e602f20de2478a4 16-Jun-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: options and flags support added to the kernel API

The support makes it possible to specify the timeout value for
the SET target and a flag to reset the timeout for already existing
entries.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
5416219e5ca4504ea80d662fdda7337e52e86ee5 16-Jun-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: timeout can be modified for already added elements

When an element is added to a set with timeout, one can change the timeout
by re-adding the element with the "-exist" flag. That means the timeout
value is reset to the specified one (or to the default from the set
specification if the "timeout n" option is not used). Example:

ipset add foo 1.2.3.4 timeout 10
ipset add foo 1.2.3.4 timeout 600 -exist

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
91eb7c08c6cb3b8eeba1c61f5753c56dcb77f018 13-Apr-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: SCTP, UDPLITE support added

SCTP and UDPLITE port support added to the hash:*port* set types.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
5e0c1eb7e6b61998c7ecd39b7f69a15773d894d4 20-Mar-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: fix address ranges at hash:*port* types

The hash:*port* types with IPv4 silently ignored address ranges with
non-TCP/UDP protocols when they were added/deleted from the set and used
the first address from the range only.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
582e1fc85ca3727abd4e99109a267c514ea5c260 01-Feb-2011 Patrick McHardy <kaber@trash.net> netfilter: ipset: remove unnecessary includes

None of the set types need uaccess.h since this is handled centrally
in ip_set_core. Most set types additionally don't need bitops.h and
spinlock.h since they use neither. tcp.h is only needed by those
using before(), udp.h is not needed at all.

Signed-off-by: Patrick McHardy <kaber@trash.net>
5663bc30e6114b6ba88cc428619ede46a3246a7b 01-Feb-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> netfilter: ipset: hash:ip,port,ip set type support

The module implements the hash:ip,port,ip type support in four flavours:
for IPv4 and IPv6, both without and with timeout support. The elements
are three dimensional: IPv4/IPv6 address, protocol/port and IPv4/IPv6
address triples.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>