2a7cef2a4ba64b9bf0ff9aeaa364554716c06669 |
|
14-Jan-2012 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: Exceptions support added to hash:*net* types The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/include/linux/netfilter/ipset/ip_set.h
|
ae8ded1cb88b9c24f3c9552ca9eefd894b069716 |
|
14-Jan-2012 |
Jan Engelhardt <jengelh@medozas.de> |
netfilter: ipset: expose userspace-relevant parts in ip_set.h iptables's libxt_SET.c depends on these. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/include/linux/netfilter/ipset/ip_set.h
|
c15f1c83251049182b1771da004d14f29683ab97 |
|
14-Feb-2012 |
Jan Engelhardt <jengelh@medozas.de> |
netfilter: ipset: use NFPROTO_ constants ipset is actually using NFPROTO values rather than AF (xt_set passes that along). Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/include/linux/netfilter/ipset/ip_set.h
|
15b4d93f0316caec44e07255c1d73bde4fac12e4 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: whitespace and coding fixes detected by checkpatch.pl Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
/include/linux/netfilter/ipset/ip_set.h
|
e385357a2f214e4d4e79c6118f1bede2572e0701 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: hash:net,iface type introduced The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
/include/linux/netfilter/ipset/ip_set.h
|
b66554cf03fe866b3fb7b9f40f430b8ba09f41c8 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: add xt_action_param to the variant level kadt functions, ipset API change With the change the sets can use any parameter available for the match and target extensions, like input/output interface. It's required for the hash:net,iface set type. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
/include/linux/netfilter/ipset/ip_set.h
|
d0d9e0a5a8db05b2179c2ffb25d1c2850cce3c8e |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: support range for IPv4 at adding/deleting elements for hash:*net* types The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
/include/linux/netfilter/ipset/ip_set.h
|
f1e00b39797944bf25addaf543839feeb25fbdc5 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: set type support with multiple revisions added A set type may have multiple revisions, for example when syntax is extended. Support continuous revision ranges in set types. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
/include/linux/netfilter/ipset/ip_set.h
|
3d14b171f004f75c2d1e82e10545966f94132705 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: fix adding ranges to hash types When ranges are added to hash types, the elements may trigger rehashing the set. However, the last successfully added element was not kept track so the adding started again with the first element after the rehashing. Bug reported by Mr Dash Four. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
/include/linux/netfilter/ipset/ip_set.h
|
c1e2e04388b2539960453689b8e721709f71dc9c |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: support listing setnames and headers too Current listing makes possible to list sets with full content only. The patch adds support partial listings, i.e. listing just the existing setnames or listing set headers, without set members. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
/include/linux/netfilter/ipset/ip_set.h
|
ac8cc925d35fc5a05da2bd097e602f20de2478a4 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: options and flags support added to the kernel API The support makes possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
/include/linux/netfilter/ipset/ip_set.h
|
5416219e5ca4504ea80d662fdda7337e52e86ee5 |
|
16-Jun-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: timeout can be modified for already added elements When an element to a set with timeout added, one can change the timeout by "readding" the element with the "-exist" flag. That means the timeout value is reset to the specified one (or to the default from the set specification if the "timeout n" option is not used). Example ipset add foo 1.2.3.4 timeout 10 ipset add foo 1.2.3.4 timeout 600 -exist Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
/include/linux/netfilter/ipset/ip_set.h
|
2f9f28b212a2bd4948c8ceaaec33ce0123632129 |
|
04-Apr-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: references are protected by rwlock instead of mutex The timeout variant of the list:set type must reference the member sets. However, its garbage collector runs at timer interrupt so the mutex protection of the references is a no go. Therefore the reference protection is converted to rwlock. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
/include/linux/netfilter/ipset/ip_set.h
|
a7b4f989a629493bb4ec4a354def784d440b32c4 |
|
01-Feb-2011 |
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
netfilter: ipset: IP set core support The patch adds the IP set core support to the kernel. The IP set core implements a netlink (nfnetlink) based protocol by which one can create, destroy, flush, rename, swap, list, save, restore sets, and add, delete, test elements from userspace. For simplicity (and backward compatibilty and for not to force ip(6)tables to be linked with a netlink library) reasons a small getsockopt-based protocol is also kept in order to communicate with the ip(6)tables match and target. The netlink protocol passes all u16, etc values in network order with NLA_F_NET_BYTEORDER flag. The protocol enforces the proper use of the NLA_F_NESTED and NLA_F_NET_BYTEORDER flags. For other kernel subsystems (netfilter match and target) the API contains the functions to add, delete and test elements in sets and the required calls to get/put refereces to the sets before those operations can be performed. The set types (which are implemented in independent modules) are stored in a simple RCU protected list. A set type may have variants: for example without timeout or with timeout support, for IPv4 or for IPv6. The sets (i.e. the pointers to the sets) are stored in an array. The sets are identified by their index in the array, which makes possible easy and fast swapping of sets. The array is protected indirectly by the nfnl mutex from nfnetlink. The content of the sets are protected by the rwlock of the set. There are functional differences between the add/del/test functions for the kernel and userspace: - kernel add/del/test: works on the current packet (i.e. one element) - kernel test: may trigger an "add" operation in order to fill out unspecified parts of the element from the packet (like MAC address) - userspace add/del: works on the netlink message and thus possibly on multiple elements from the IPSET_ATTR_ADT container attribute. - userspace add: may trigger resizing of a set Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
/include/linux/netfilter/ipset/ip_set.h
|