cbee93d7b71bf9d73382e503a4f60848eec60ea8 |
|
28-Aug-2014 |
Anton Danilov <littlesmilingcloud@gmail.com> |
netfilter: ipset: Add skbinfo extension kernel support for the list set type. Add skbinfo extension kernel support for the list set type. Introduce the new revision of the list set type. Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
1b05756c48ea07ced9604ef01d11194d936da163 |
|
05-Aug-2014 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Fix warn: integer overflows 'sizeof(*map) + size * set->dsize' Dan Carpenter reported that the static checker emits the warning
    net/netfilter/ipset/ip_set_list_set.c:600 init_list_set() warn: integer overflows 'sizeof(*map) + size * set->dsize'
Limit the maximal number of elements in list type of sets. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
93302880d8a3e5dc6b7da3f9825beb839152c940 |
|
18-Oct-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Use netlink callback dump args only Instead of cb->data, use callback dump args only and introduce symbolic names instead of plain numbers at accessing the argument members. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
1785e8f473082aa60d62c7165856cf6484077b99 |
|
30-Sep-2013 |
Vitaly Lavrov <lve@guap.ru> |
netfilter: ipset: Add net namespace for ipset This patch adds netns support for ipset. Major changes were made in ip_set_core.c and ip_set.h. Global variables are moved to per net namespace. Added initialization code and the destruction of the network namespace ipset subsystem. In the prototypes of public functions ip_set_* added parameter "struct net*". The remaining corrections related to the change prototypes of public functions ip_set_*. The patch for git://git.netfilter.org/ipset.git commit 6a4ec96c0b8caac5c35474e40e319704d92ca347 Signed-off-by: Vitaly Lavrov <lve@guap.ru> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
3fd986b3d99e3847f1cce6fc36043d0f16508e1d |
|
25-Sep-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Use a common function at listing the extensions Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
8ec81f9a4db94fa5638c55793365b896dd9daecc |
|
23-Sep-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: For set:list types, replaced elements must be zeroed out The new extensions require zero initialization for the new element to be added into a slot from where another element was pushed away. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
81b10bb4bd16ea975c007f9bb2c2676cef6ade10 |
|
22-Sep-2013 |
Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> |
netfilter: ipset: Support comments in the list-type ipset. This provides kernel support for creating list ipsets with the comment annotation extension. Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
b91b396d5e35eef9938a56e781cb0171a53907ca |
|
09-Sep-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: list:set: make sure all elements are checked by the gc When an element timed out, the next one was skipped by the garbage collector, fixed. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
40cd63bf33b21ef4d43776b1d49c605f876fe32c |
|
09-Sep-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Support extensions which need a per data destroy function Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
03c8b234e61a9a3aab8d970b3bf681934ecfe443 |
|
07-Sep-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Generalize extensions support Get rid of the structure based extensions and introduce a blob for the extensions. Thus we can support more extension types easily. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
ca134ce86451f3f5ac45ffbf1494a1f42110bf93 |
|
07-Sep-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Move extension data to set structure Default timeout and extension offsets are moved to struct set, because all set types support all extensions and it makes it possible to generalize extension support. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
f925f7056920213889c5e61445f9529f1a86ae41 |
|
06-Sep-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Rename extension offset ids to extension ids Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
35b8dcf8c3a0be1feb1c8b29b22e1685ba0c2e14 |
|
30-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Rename simple macro names to avoid namespace issues. Reported-by: David Laight <David.Laight@ACULAB.COM> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
122ebbf24c33ac13a9243248c9b8da0fa4c012bd |
|
27-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Don't call ip_nest_end needlessly in the error path Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
6e01781d1c80e2e8263471252a631e86165b15c5 |
|
27-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: set match: add support to match the counters The new revision of the set match supports to match the counters and to suppress updating the counters at matching too. At the set:list types, the updating of the subcounters can be suppressed as well. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
de76303c5a30e4754cd566dd4b9f3c26170fcf26 |
|
08-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: The list:set type with counter support Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
7d47d972b5d154e143bb24a795af92bbb3c95532 |
|
04-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: list:set type using the extension interface Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
02f815cb6d3f57914228be84df9613ee5a01c2e6 |
|
09-Apr-2013 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: list:set: fix reference counter update The last element can be replaced or pushed off and in both cases the reference counter must be updated. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
10111a6ef373c377e87730749a0f68210c3fd062 |
|
21-Sep-2012 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Include supported revisions in module description Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
|
7cf7899d9ee31c88c86ea8459fc4db4bd11cc240 |
|
02-Apr-2012 |
David S. Miller <davem@davemloft.net> |
ipset: Stop using NLA_PUT*(). These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit. Signed-off-by: David S. Miller <davem@davemloft.net>
|
c15f1c83251049182b1771da004d14f29683ab97 |
|
14-Feb-2012 |
Jan Engelhardt <jengelh@medozas.de> |
netfilter: ipset: use NFPROTO_ constants ipset is actually using NFPROTO values rather than AF (xt_set passes that along). Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
b66554cf03fe866b3fb7b9f40f430b8ba09f41c8 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: add xt_action_param to the variant level kadt functions, ipset API change With the change the sets can use any parameter available for the match and target extensions, like input/output interface. It's required for the hash:net,iface set type. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
f1e00b39797944bf25addaf543839feeb25fbdc5 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: set type support with multiple revisions added A set type may have multiple revisions, for example when syntax is extended. Support continuous revision ranges in set types. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
3d14b171f004f75c2d1e82e10545966f94132705 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: fix adding ranges to hash types When ranges are added to hash types, the elements may trigger rehashing the set. However, the last successfully added element was not kept track so the adding started again with the first element after the rehashing. Bug reported by Mr Dash Four. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
ac8cc925d35fc5a05da2bd097e602f20de2478a4 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: options and flags support added to the kernel API The support makes it possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
483e9ea357d1c0b74a149087bf06f17ae62f750a |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: whitespace fixes: some space before tab slipped in Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
5416219e5ca4504ea80d662fdda7337e52e86ee5 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: timeout can be modified for already added elements When an element is added to a set with timeout, one can change the timeout by "readding" the element with the "-exist" flag. That means the timeout value is reset to the specified one (or to the default from the set specification if the "timeout n" option is not used). Example:
    ipset add foo 1.2.3.4 timeout 10
    ipset add foo 1.2.3.4 timeout 600 -exist
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
2f9f28b212a2bd4948c8ceaaec33ce0123632129 |
|
04-Apr-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: references are protected by rwlock instead of mutex The timeout variant of the list:set type must reference the member sets. However, its garbage collector runs at timer interrupt so the mutex protection of the references is a no go. Therefore the reference protection is converted to rwlock. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
512d06b5b64fb422d90f199b1be188082729edf9 |
|
04-Apr-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: list:set timeout variant fixes
- the timeout value was actually not set
- the garbage collector was broken
The variant is fixed, the tests to the ipset testsuite are added. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
6604271c5bc658a6067ed0c3deba4d89e0e50382 |
|
29-Mar-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: References are protected by rwlock instead of mutex The timeout variant of the list:set type must reference the member sets. However, its garbage collector runs at timer interrupt so the mutex protection of the references is a no go. Therefore the reference protection is converted to rwlock. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
49a341f2bb0e8eb2f2877956a758ea40cbd47b26 |
|
28-Mar-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: list:set timeout variant fixes
- the timeout value was actually not set
- the garbage collector was broken
The variant is fixed, the tests to the ipset testsuite are added. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|
f830837f0eed0f9e371b8fd65169365780814bb1 |
|
01-Feb-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: list:set set type support The module implements the list:set type support in two flavours: without and with timeout. The sets have two sides: for the userspace, they store the names of other (non list:set type of) sets: one can add, delete and test set names. For the kernel, it forms an ordered union of the member sets: the member sets are tried in order when elements are added, deleted and tested and the process stops at the first success. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
|