1109a90c01177e8f4a5fd95c5b685ad02f1fe9bb |
|
01-Oct-2014 |
Pablo Neira Ayuso <pablo@netfilter.org> |
netfilter: use IS_ENABLED(CONFIG_BRIDGE_NETFILTER) In 34666d4 ("netfilter: bridge: move br_netfilter out of the core"), the bridge netfilter code has been modularized. Use IS_ENABLED instead of ifdef to cover the module case. Fixes: 34666d4 ("netfilter: bridge: move br_netfilter out of the core") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
af331419d34e2fc0e2d0c629734f8d160f95a3ec |
|
28-Aug-2014 |
Anton Danilov <littlesmilingcloud@gmail.com> |
netfilter: ipset: Add skbinfo extension kernel support for the hash set types. Add skbinfo extension kernel support for the hash set types. Inroduce the new revisions of all hash set types. Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
07cf8f5ae2657ac495b906c68ff3441ff8ba80ba |
|
01-Mar-2014 |
Josh Hunt <johunt@akamai.com> |
netfilter: ipset: add forceadd kernel support for hash set types Adds a new property for hash set types, where if a set is created with the 'forceadd' option and the set becomes full the next addition to the set may succeed and evict a random entry from the set. To keep overhead low eviction is done very simply. It checks to see which bucket the new entry would be added. If the bucket's pos value is non-zero (meaning there's at least one entry in the bucket) it replaces the first entry in the bucket. If pos is zero, then it continues down the normal add process. This property is useful if you have a set for 'ban' lists where it may not matter if you release some entries from the set early. Signed-off-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
b182837ac111e87f8e82cbcb0046449d9412187f |
|
24-Jan-2014 |
Cody P Schafer <cody@linux.vnet.ibm.com> |
net/netfilter/ipset/ip_set_hash_netiface.c: use rbtree postorder iteration instead of opencoding Use rbtree_postorder_for_each_entry_safe() to destroy the rbtree instead of opencoding an alternate postorder iteration that modifies the tree Signed-off-by: Cody P Schafer <cody@linux.vnet.ibm.com> Cc: Michel Lespinasse <walken@google.com> Cc: Jan Kara <jack@suse.cz> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Patrick McHardy <kaber@trash.net> Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
fda75c6d9e31a901e25b922e86c8fd505c899873 |
|
22-Sep-2013 |
Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> |
netfilter: ipset: Support comments in hash-type ipsets. This provides kernel support for creating ipsets with comment support. This does incur a penalty to flushing/destroying an ipset since all entries are walked in order to free the allocated strings, this penalty is of course less expensive than the operation of listing an ipset to userspace, so for general-purpose usage the overall impact is expected to be little to none. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
03c8b234e61a9a3aab8d970b3bf681934ecfe443 |
|
07-Sep-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Generalize extensions support Get rid of the structure based extensions and introduce a blob for the extensions. Thus we can support more extension types easily. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
ca134ce86451f3f5ac45ffbf1494a1f42110bf93 |
|
07-Sep-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Move extension data to set structure Default timeout and extension offsets are moved to struct set, because all set types supports all extensions and it makes possible to generalize extension support. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
a04d8b6bd9113f3e7f0c216dcaa3c1ad498f2a96 |
|
30-Sep-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Prepare ipset to support multiple networks for hash types In order to support hash:net,net, hash:net,port,net etc. types, arrays are introduced for the book-keeping of existing cidr sizes and network numbers in a set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
20b2fab483094d51c8d26784b81e12149474e0f2 |
|
01-May-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Fix "may be used uninitialized" warnings Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
35b8dcf8c3a0be1feb1c8b29b22e1685ba0c2e14 |
|
30-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Rename simple macro names to avoid namespace issues. Reported-by: David Laight <David.Laight@ACULAB.COM> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
0f1799ba1a5db4c48b72ac2da2dc70d8c190a73d |
|
16-Sep-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Consistent userspace testing with nomatch flag The "nomatch" commandline flag should invert the matching at testing, similarly to the --return-nomatch flag of the "set" match of iptables. Until now it worked with the elements with "nomatch" flag only. From now on it works with elements without the flag too, i.e: # ipset n test hash:net # ipset a test 10.0.0.0/24 nomatch # ipset t test 10.0.0.1 10.0.0.1 is NOT in set test. # ipset t test 10.0.0.1 nomatch 10.0.0.1 is in set test. # ipset a test 192.168.0.0/24 # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is NOT in set test. Before the patch the results were ... # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is in set test. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
00d71b270eedacd7d3d7b20fb93269853470d18e |
|
08-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: The hash types with counter support Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
5d50e1d88336a9334348a338731c6a7bc4823d08 |
|
08-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Hash types using the unified code base Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
8672d4d1a00b59057bb1f9659259967d2a19e086 |
|
08-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Move often used IPv6 address masking function to header file Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
43c56e595bb81319230affd545392536c933317e |
|
08-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Make possible to test elements marked with nomatch Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
6eb4c7e96e19fd2c38a103472048fc0e0e0a3ec3 |
|
09-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: hash:*net*: nomatch flag not excluded on set resize If a resize is triggered the nomatch flag is not excluded at hashing, which leads to the element missed at lookup in the resized set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
29e3b1608c8dca3ae4224a26862d18ea003ccee6 |
|
29-Jan-2013 |
YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org> |
netfilter ipset: Use ipv6_addr_equal() where appropriate. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
|
4a6dd664eba59488c9e56b51a594396d7706eb08 |
|
22-Nov-2012 |
Florian Westphal <fw@strlen.de> |
netfilter: ipset: fix netiface set name overflow attribute is copied to IFNAMSIZ-size stack variable, but IFNAMSIZ is smaller than IPSET_MAXNAMELEN. Fortunately nfnetlink needs CAP_NET_ADMIN. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
3e0304a583d72c747caa8afac76b8d514aa293f5 |
|
21-Sep-2012 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Support to match elements marked with "nomatch" Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ... Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
10111a6ef373c377e87730749a0f68210c3fd062 |
|
21-Sep-2012 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Include supported revisions in module description Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
bd9087e0407bfb5ec22d82d3bab1d2bba45daf5a |
|
10-Sep-2012 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Add /0 network support to hash:net,iface type Now it is possible to setup a single hash:net,iface type of set and a single ip6?tables match which covers all egress/ingress filtering. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
6e27c9b4ee8f348770be5751e6a845ff52a31e19 |
|
21-Sep-2012 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Fix sparse warnings "incorrect type in assignment" Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
ef5b6e127761667f78d99b7510a3876077fe9abe |
|
17-Jun-2012 |
Florian Westphal <fw@strlen.de> |
netfilter: ipset: fix interface comparision in hash-netiface sets ifname_compare() assumes that skb->dev is zero-padded, e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1); in e1000_probe(), so once device is registered dev->name memory contains 'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare fail. Use plain strcmp() instead. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
26a5d3cc0b3d1ff23b5a94edb58226afe7f12a0c |
|
14-May-2012 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: fix hash size checking in kernel The hash size must fit both into u32 (jhash) and the max value of size_t. The missing checking could lead to kernel crash, bug reported by Seblu. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
|
7cf7899d9ee31c88c86ea8459fc4db4bd11cc240 |
|
02-Apr-2012 |
David S. Miller <davem@davemloft.net> |
ipset: Stop using NLA_PUT*(). These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit. Signed-off-by: David S. Miller <davem@davemloft.net>
|
2a7cef2a4ba64b9bf0ff9aeaa364554716c06669 |
|
14-Jan-2012 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Exceptions support added to hash:*net* types The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
c15f1c83251049182b1771da004d14f29683ab97 |
|
14-Feb-2012 |
Jan Engelhardt <jengelh@medozas.de> |
netfilter: ipset: use NFPROTO_ constants ipset is actually using NFPROTO values rather than AF (xt_set passes that along). Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
89dc79b787d20e4b6c4077dcee1c5b1be4ab55b8 |
|
21-Jul-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: hash:net,iface fixed to handle overlapping nets behind different interfaces If overlapping networks with different interfaces was added to the set, the type did not handle it properly. Example ipset create test hash:net,iface ipset add test 192.168.0.0/16,eth0 ipset add test 192.168.0.0/24,eth1 Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned a match. In the patch the algorithm is fixed in order to correctly handle overlapping networks. Limitation: the same network cannot be stored with more than 64 different interfaces in a single set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
15b4d93f0316caec44e07255c1d73bde4fac12e4 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: whitespace and coding fixes detected by checkpatch.pl Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
e385357a2f214e4d4e79c6118f1bede2572e0701 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: hash:net,iface type introduced The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|