- 15 Sep, 2014 1 commit
-
-
Anton Danilov authored
Skbinfo extension provides mapping of metainformation with lookup in the ipset tables. This patch defines the flags, the constants, the functions and the structures for the data type independent support of the extension. Note the firewall mark stores in the kernel structures as two 32bit values, but transfered through netlink as one 64bit value. Signed-off-by:
Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by:
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
- 24 Aug, 2014 1 commit
-
-
Jozsef Kadlecsik authored
Dan Carpenter reported that the static checker emits the warning net/netfilter/ipset/ip_set_list_set.c:600 init_list_set() warn: integer overflows 'sizeof(*map) + size * set->dsize' Limit the maximal number of elements in list type of sets. Signed-off-by:
-
- 06 Mar, 2014 3 commits
-
-
Josh Hunt authored
Adds a new property for hash set types, where if a set is created with the 'forceadd' option and the set becomes full the next addition to the set may succeed and evict a random entry from the set. To keep overhead low eviction is done very simply. It checks to see which bucket the new entry would be added. If the bucket's pos value is non-zero (meaning there's at least one entry in the bucket) it replaces the first entry in the bucket. If pos is zero, then it continues down the normal add process. This property is useful if you have a set for 'ban' lists where it may not matter if you release some entries from the set early. Signed-off-by:
Josh Hunt <johunt@akamai.com> Signed-off-by:
-
Jozsef Kadlecsik authored
Signed-off-by: -
Vytas Dauksa authored
Introduce packet mark support with new ip,mark hash set. This includes userspace and kernelspace code, hash:ip,mark set tests and man page updates. The intended use of ip,mark set is similar to the ip:port type, but for protocols which don't use a predictable port number. Instead of port number it matches a firewall mark determined by a layer 7 filtering program like opendpi. As well as allowing or blocking traffic it will also be used for accounting packets and bytes sent for each protocol. Signed-off-by:
-
- 03 Jan, 2014 1 commit
-
-
stephen hemminger authored
Function never used in current upstream code. Signed-off-by:
Stephen Hemminger <stephen@networkplumber.org> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org>
-
- 22 Oct, 2013 1 commit
-
-
Jozsef Kadlecsik authored
Instead of cb->data, use callback dump args only and introduce symbolic names instead of plain numbers at accessing the argument members. Signed-off-by:
-
- 30 Sep, 2013 10 commits
-
-
Vitaly Lavrov authored
This patch adds netns support for ipset. Major changes were made in ip_set_core.c and ip_set.h. Global variables are moved to per net namespace. Added initialization code and the destruction of the network namespace ipset subsystem. In the prototypes of public functions ip_set_* added parameter "struct net*". The remaining corrections related to the change prototypes of public functions ip_set_*. The patch for git://git.netfilter.org/ipset.git commit 6a4ec96c0b8caac5c35474e40e319704d92ca347 Signed-off-by:
Vitaly Lavrov <lve@guap.ru> Signed-off-by:
-
Jozsef Kadlecsik authored
Signed-off-by: -
Oliver Smith authored
This adds the core support for having comments on ipset entries. The comments are stored as standard null-terminated strings in dynamically allocated memory after being passed to the kernel. As a result of this, code has been added to the generic destroy function to iterate all extensions and call that extension's destroy task if the set has that extension activated, and if such a task is defined. Signed-off-by:
Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by:
-
Jozsef Kadlecsik authored
Signed-off-by: -
Jozsef Kadlecsik authored
Get rid of the structure based extensions and introduce a blob for the extensions. Thus we can support more extension types easily. Signed-off-by: -
Jozsef Kadlecsik authored
Default timeout and extension offsets are moved to struct set, because all set types supports all extensions and it makes possible to generalize extension support. Signed-off-by: -
Jozsef Kadlecsik authored
Signed-off-by: -
Jozsef Kadlecsik authored
In order to support hash:net,net, hash:net,port,net etc. types, arrays are introduced for the book-keeping of existing cidr sizes and network numbers in a set. Signed-off-by: -
Jozsef Kadlecsik authored
Signed-off-by: -
Jozsef Kadlecsik authored
Reported-by:
David Laight <David.Laight@ACULAB.COM> Signed-off-by:
-
- 16 Sep, 2013 1 commit
-
-
Jozsef Kadlecsik authored
The "nomatch" commandline flag should invert the matching at testing, similarly to the --return-nomatch flag of the "set" match of iptables. Until now it worked with the elements with "nomatch" flag only. From now on it works with elements without the flag too, i.e: # ipset n test hash:net # ipset a test 10.0.0.0/24 nomatch # ipset t test 10.0.0.1 10.0.0.1 is NOT in set test. # ipset t test 10.0.0.1 nomatch 10.0.0.1 is in set test. # ipset a test 192.168.0.0/24 # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is NOT in set test. Before the patch the results were ... # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is in set test. Signed-off-by:
-
- 29 Apr, 2013 7 commits
-
-
Jozsef Kadlecsik authored
The new revision of the set match supports to match the counters and to suppress updating the counters at matching too. At the set:list types, the updating of the subcounters can be suppressed as well. Signed-off-by:
-
Jozsef Kadlecsik authored
Signed-off-by:
-
Jozsef Kadlecsik authored
Signed-off-by:
-
Jozsef Kadlecsik authored
Signed-off-by:
-
Jozsef Kadlecsik authored
Introduce extensions to elements in the core and prepare timeout as the first one. This patch also modifies the em_ipset classifier to use the new extension struct layout. Signed-off-by:
-
Jozsef Kadlecsik authored
Signed-off-by:
-
Jozsef Kadlecsik authored
Signed-off-by:
-
- 09 Apr, 2013 1 commit
-
-
Jozsef Kadlecsik authored
If a resize is triggered the nomatch flag is not excluded at hashing, which leads to the element missed at lookup in the resized set. Signed-off-by:
-
- 21 Feb, 2013 1 commit
-
-
Josh Hunt authored
If a resize is triggered on a set with timeouts enabled, the timeout values will get corrupted when copying them to the new set. This occured b/c the wrong timeout value is supplied to type_pf_elem_tadd(). This also adds simple debug statement similar to the one in type_pf_resize(). Signed-off-by:
-
- 17 Oct, 2012 1 commit
-
-
David Howells authored
Remove non-UAPI Kbuild files that have become empty as a result of UAPI disintegration. They used to have only header-y lines in them and those have now moved to the Kbuild files in the corresponding uapi/ directories. Possibly these should not be removed but rather have a comment inserted to say they are intentionally left blank. This would make it easier to add generated header lines in future without having to restore the infrastructure. Note that at this point not all the UAPI disintegration parts have been merged, so it is likely that more empty Kbuild files will turn up. It is probably necessary to make the files non-empty to prevent the patch program from automatically deleting them when it reduces them to nothing. Signed-off-by:David Howells <dhowells@redhat.com>
-
- 09 Oct, 2012 1 commit
-
-
David Howells authored
Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Acked-by:
Thomas Gleixner <tglx@linutronix.de> Acked-by:
Michael Kerrisk <mtk.manpages@gmail.com> Acked-by:
Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by:
Dave Jones <davej@redhat.com>
-
- 22 Sep, 2012 4 commits
-
-
Jozsef Kadlecsik authored
Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ... Signed-off-by: -
Jozsef Kadlecsik authored
Signed-off-by: -
Jozsef Kadlecsik authored
Signed-off-by: -
Jozsef Kadlecsik authored
Signed-off-by:
-
- 16 May, 2012 2 commits
-
-
Jozsef Kadlecsik authored
Large timeout parameters could result wrong timeout values due to an overflow at msec to jiffies conversion (reported by Andreas Herz) [ This patch was mangled by Pablo Neira Ayuso since David Laight and Eric Dumazet noticed that we were using hardcoded 1000 instead of MSEC_PER_SEC to calculate the timeout ] Signed-off-by:
-
Jozsef Kadlecsik authored
The hash size must fit both into u32 (jhash) and the max value of size_t. The missing checking could lead to kernel crash, bug reported by Seblu. Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 15 Apr, 2012 1 commit
-
-
Eric Dumazet authored
Use of "unsigned int" is preferred to bare "unsigned" in net tree. Signed-off-by:
Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by:
-
- 02 Apr, 2012 1 commit
-
-
David S. Miller authored
These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit. Signed-off-by:
-
- 07 Mar, 2012 3 commits
-
-
Jozsef Kadlecsik authored
Timed out entries were still matched till the garbage collector purged them out. The fix is verified in the testsuite. Signed-off-by:
-
Jozsef Kadlecsik authored
The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set. Signed-off-by: -
Jozsef Kadlecsik authored
If the set is full, the SET target cannot add more elements. Log warning so that the admin got notified about it. Signed-off-by:
-
