1. 10 Nov, 2016 7 commits
  2. 24 Apr, 2016 1 commit
  3. 28 Mar, 2016 1 commit
    •
      netfilter: ipset: fix race condition in ipset save, swap and delete · 596cf3fe
      Vishwanath Pai authored
      This fix adds a new reference counter (ref_netlink) for the struct ip_set.
      The other reference counter (ref) can be swapped out by ip_set_swap and we
      need a separate counter to keep track of references for netlink events
      like dump. Using the same ref counter for dump causes a race condition
      which can be demonstrated by the following script:
      ipset create hash_ip1 hash:ip family inet hashsize 1024 maxelem 500000 \
      ipset create hash_ip2 hash:ip family inet hashsize 300000 maxelem 500000 \
      ipset create hash_ip3 hash:ip family inet hashsize 1024 maxelem 500000 \
      ipset save &
      ipset swap hash_ip3 hash_ip2
      ipset destroy hash_ip3 /* will crash the machine */
      Swap will exchange the values of ref so destroy will see ref = 0 instead of
      ref = 1. With this fix in place swap will not succeed because ipset save
      still has ref_netlink on the set (ip_set_swap doesn't swap ref_netlink).
      Both delete and swap will error out if ref_netlink != 0 on the set.
      Note: The changes to *_head functions are because previously we would
      increment ref whenever we called these functions, we don't do that
      Reviewed-by: Joshua Hunt <johunt@akamai.com>
      Signed-off-by: Vishwanath Pai <vpai@akamai.com>
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
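      A small C model of the two counters, added here as an illustration and not part of the commit or of the kernel's code (all names are invented): it replays the script above against the old single-counter behaviour and against the fixed one, showing why swap and destroy must be refused while a dump holds ref_netlink.

```c
#include <stdbool.h>

/* Toy model of the two counters from the commit (added for this page, not kernel
 * code; the names are invented). ref is exchanged by swap; ref_netlink is held by a
 * running netlink dump (ipset save) and is never exchanged. */
struct set_model { unsigned int ref, ref_netlink; };

#define BUSY (-16) /* stands in for -EBUSY */

/* Before the fix a dump pinned the set through ref, after it through ref_netlink. */
static void dump_start(struct set_model *s, bool fixed) { if (fixed) s->ref_netlink++; else s->ref++; }
static void dump_stop(struct set_model *s, bool fixed) { if (fixed) s->ref_netlink--; else s->ref--; }

/* Swap exchanges ref; the fixed version refuses while either set is pinned by netlink. */
static int set_swap(struct set_model *a, struct set_model *b, bool fixed)
{
    unsigned int t;
    if (fixed && (a->ref_netlink || b->ref_netlink))
        return BUSY;
    t = a->ref; a->ref = b->ref; b->ref = t;
    return 0;
}

/* Destroy is allowed only when nothing references the set; 0 means "freed". */
static int set_destroy(const struct set_model *s, bool fixed)
{
    return (s->ref || (fixed && s->ref_netlink)) ? BUSY : 0;
}

struct replay_result { int swap_rc, destroy_rc, destroy_after_rc; };

/* Replays the commit's script: save (dump) of hash_ip3 in flight, then
 * swap hash_ip3 hash_ip2, then destroy hash_ip3, then destroy once more after
 * the save has finished. fixed=false models the code before the fix. */
struct replay_result replay_script(bool fixed)
{
    struct set_model ip2 = { 0, 0 }, ip3 = { 0, 0 };
    struct replay_result r;

    dump_start(&ip3, fixed);                 /* ipset save &                 */
    r.swap_rc = set_swap(&ip3, &ip2, fixed); /* ipset swap hash_ip3 hash_ip2 */
    r.destroy_rc = set_destroy(&ip3, fixed); /* ipset destroy hash_ip3       */
    if (r.destroy_rc == 0) {                 /* old code: freed while the dump still uses it */
        r.destroy_after_rc = 0;
        return r;
    }
    dump_stop(&ip3, fixed);                  /* save finishes, ref_netlink dropped */
    r.destroy_after_rc = set_destroy(&ip3, fixed);
    return r;
}
```

      With fixed=false the model lets destroy succeed (rc 0) on a set the dump is still walking, which is the use-after-free the script triggers; with fixed=true both swap and destroy return BUSY until the save completes.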
  4. 07 Nov, 2015 1 commit
  5. 14 Jun, 2015 5 commits
  6. 14 May, 2015 1 commit
    •
      netfilter: ipset: deinline ip_set_put_extensions() · a3b1c1eb
      Denys Vlasenko authored
      On x86 allyesconfig build:
      The function compiles to 489 bytes of machine code.
      It has 25 callsites.
          text    data       bss       dec     hex filename
      82441375 22255384 20627456 125324215 7784bb7 vmlinux.before
      82434909 22255384 20627456 125317749 7783275 vmlinux
      Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
      CC: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      CC: Eric W. Biederman <ebiederm@xmission.com>
      CC: David S. Miller <davem@davemloft.net>
      CC: Jan Engelhardt <jengelh@medozas.de>
      CC: Jiri Pirko <jpirko@redhat.com>
      CC: linux-kernel@vger.kernel.org
      CC: netdev@vger.kernel.org
      CC: netfilter-devel@vger.kernel.org
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  7. 13 May, 2015 1 commit
  8. 31 Mar, 2015 1 commit
  9. 15 Sep, 2014 2 commits
  10. 24 Aug, 2014 1 commit
  11. 06 Mar, 2014 3 commits
  12. 03 Jan, 2014 1 commit
  13. 22 Oct, 2013 1 commit
  14. 30 Sep, 2013 10 commits
  15. 16 Sep, 2013 1 commit
    •
      netfilter: ipset: Consistent userspace testing with nomatch flag · 0f1799ba
      Jozsef Kadlecsik authored
      The "nomatch" commandline flag should invert the matching at testing,
      similarly to the --return-nomatch flag of the "set" match of iptables.
      Until now it worked with the elements with "nomatch" flag only. From
      now on it works with elements without the flag too, i.e:
       # ipset n test hash:net
       # ipset a test nomatch
       # ipset t test is NOT in set test.
       # ipset t test nomatch is in set test.
       # ipset a test
       # ipset t test is in set test.
       # ipset t test nomatch is NOT in set test.
       Before the patch the results were
       # ipset t test is in set test.
       # ipset t test nomatch is in set test.
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  16. 29 Apr, 2013 3 commits