- 13 5月, 2015 3 次提交
-
-
由 Sergey Popovich 提交于
We do not need to check tb[IPSET_ATTR_PORT] != NULL before retrieving port, as this attribute is known to exist due to ip_set_attr_netorder() returning true only when attribute exists and it is in network byte order. Signed-off-by: NSergey Popovich <popovich_sergei@mail.ua> Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
由 Sergey Popovich 提交于
Statement ret = func1() || func2() returns 0 when both func1() and func2() return 0, or 1 if func1() or func2() returns non-zero. However in our case func1() and func2() returns error code on failure, so it seems good to propagate such error codes, rather than returning 1 in case of failure. Signed-off-by: NSergey Popovich <popovich_sergei@mail.ua> Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
由 Sergey Popovich 提交于
* Undefine mtype_data_reset_elem before defining. * Remove duplicated mtype_gc_init undefine, move mtype_gc_init define closer to mtype_gc define. * Use htype instead of HTYPE in IPSET_TOKEN(HTYPE, _create)(). * Remove PF definition from sets: no more used. Signed-off-by: NSergey Popovich <popovich_sergei@mail.ua> Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
- 16 9月, 2014 1 次提交
-
-
由 Anton Danilov 提交于
Add skbinfo extension kernel support for the hash set types. Inroduce the new revisions of all hash set types. Signed-off-by: NAnton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
- 06 3月, 2014 1 次提交
-
-
由 Josh Hunt 提交于
Adds a new property for hash set types, where if a set is created with the 'forceadd' option and the set becomes full the next addition to the set may succeed and evict a random entry from the set. To keep overhead low eviction is done very simply. It checks to see which bucket the new entry would be added. If the bucket's pos value is non-zero (meaning there's at least one entry in the bucket) it replaces the first entry in the bucket. If pos is zero, then it continues down the normal add process. This property is useful if you have a set for 'ban' lists where it may not matter if you release some entries from the set early. Signed-off-by: NJosh Hunt <johunt@akamai.com> Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
- 01 10月, 2013 7 次提交
-
-
由 Oliver Smith 提交于
This provides kernel support for creating ipsets with comment support. This does incur a penalty to flushing/destroying an ipset since all entries are walked in order to free the allocated strings, this penalty is of course less expensive than the operation of listing an ipset to userspace, so for general-purpose usage the overall impact is expected to be little to none. Signed-off-by: NOliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
由 Jozsef Kadlecsik 提交于
Get rid of the structure based extensions and introduce a blob for the extensions. Thus we can support more extension types easily. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
由 Jozsef Kadlecsik 提交于
Default timeout and extension offsets are moved to struct set, because all set types supports all extensions and it makes possible to generalize extension support. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
由 Jozsef Kadlecsik 提交于
In order to support hash:net,net, hash:net,port,net etc. types, arrays are introduced for the book-keeping of existing cidr sizes and network numbers in a set. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
由 Jozsef Kadlecsik 提交于
Reported-by: NPablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
由 Jozsef Kadlecsik 提交于
Reported-by: NDavid Laight <David.Laight@ACULAB.COM> Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
由 Jozsef Kadlecsik 提交于
net/netfilter/ipset/ip_set_hash_ipportnet.c:275:20: warning: symbol 'cidr' shadows an earlier one Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
- 17 9月, 2013 1 次提交
-
-
由 Jozsef Kadlecsik 提交于
The "nomatch" commandline flag should invert the matching at testing, similarly to the --return-nomatch flag of the "set" match of iptables. Until now it worked with the elements with "nomatch" flag only. From now on it works with elements without the flag too, i.e: # ipset n test hash:net # ipset a test 10.0.0.0/24 nomatch # ipset t test 10.0.0.1 10.0.0.1 is NOT in set test. # ipset t test 10.0.0.1 nomatch 10.0.0.1 is in set test. # ipset a test 192.168.0.0/24 # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is NOT in set test. Before the patch the results were ... # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is in set test. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
- 30 4月, 2013 4 次提交
-
-
由 Jozsef Kadlecsik 提交于
Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
由 Jozsef Kadlecsik 提交于
Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
由 Jozsef Kadlecsik 提交于
Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
由 Jozsef Kadlecsik 提交于
Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
- 10 4月, 2013 1 次提交
-
-
由 Jozsef Kadlecsik 提交于
If a resize is triggered the nomatch flag is not excluded at hashing, which leads to the element missed at lookup in the resized set. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
- 30 1月, 2013 1 次提交
-
-
由 YOSHIFUJI Hideaki / 吉藤英明 提交于
Signed-off-by: NYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 22 11月, 2012 1 次提交
-
-
由 Jozsef Kadlecsik 提交于
Due to the missing ininitalization at adding/deleting entries, when a plain_ip,port,net element was the object, multiple elements were added/deleted instead. The bug came from the missing dangling default initialization. The error-prone default initialization is corrected in all hash:* types. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
- 19 11月, 2012 1 次提交
-
-
由 Jozsef Kadlecsik 提交于
Due to the missing ininitalization at adding/deleting entries, when a plain_ip,port,net element was the object, multiple elements were added/deleted instead. The bug came from the missing dangling default initialization. The error-prone default initialization is corrected in all hash:* types.
-
- 23 9月, 2012 2 次提交
-
-
由 Jozsef Kadlecsik 提交于
Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ... Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
由 Jozsef Kadlecsik 提交于
Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
- 22 9月, 2012 2 次提交
-
-
由 Jozsef Kadlecsik 提交于
bitmap:ip and bitmap:ip,mac type did not reject such a crazy range when created and using such a set results in a kernel crash. The hash types just silently ignored such parameters. Reject invalid /0 input parameters explicitely. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
由 Jozsef Kadlecsik 提交于
Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
- 17 5月, 2012 1 次提交
-
-
由 Jozsef Kadlecsik 提交于
The hash size must fit both into u32 (jhash) and the max value of size_t. The missing checking could lead to kernel crash, bug reported by Seblu. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 02 4月, 2012 1 次提交
-
-
由 David S. Miller 提交于
These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit. Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 08 3月, 2012 2 次提交
-
-
由 Jozsef Kadlecsik 提交于
The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
由 Jan Engelhardt 提交于
ipset is actually using NFPROTO values rather than AF (xt_set passes that along). Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
- 22 11月, 2011 1 次提交
-
-
由 Jozsef Kadlecsik 提交于
warning: 'ip_to' may be used uninitialized in this function Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
- 21 7月, 2011 1 次提交
-
-
由 Jozsef Kadlecsik 提交于
If overlapping networks with different interfaces was added to the set, the type did not handle it properly. Example ipset create test hash:net,iface ipset add test 192.168.0.0/16,eth0 ipset add test 192.168.0.0/24,eth1 Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned a match. In the patch the algorithm is fixed in order to correctly handle overlapping networks. Limitation: the same network cannot be stored with more than 64 different interfaces in a single set. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 17 6月, 2011 8 次提交
-
-
由 Jozsef Kadlecsik 提交于
Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jozsef Kadlecsik 提交于
With the change the sets can use any parameter available for the match and target extensions, like input/output interface. It's required for the hash:net,iface set type. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jozsef Kadlecsik 提交于
Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jozsef Kadlecsik 提交于
The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30 Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jozsef Kadlecsik 提交于
A set type may have multiple revisions, for example when syntax is extended. Support continuous revision ranges in set types. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jozsef Kadlecsik 提交于
When ranges are added to hash types, the elements may trigger rehashing the set. However, the last successfully added element was not kept track so the adding started again with the first element after the rehashing. Bug reported by Mr Dash Four. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jozsef Kadlecsik 提交于
The support makes possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jozsef Kadlecsik 提交于
When an element to a set with timeout added, one can change the timeout by "readding" the element with the "-exist" flag. That means the timeout value is reset to the specified one (or to the default from the set specification if the "timeout n" option is not used). Example ipset add foo 1.2.3.4 timeout 10 ipset add foo 1.2.3.4 timeout 600 -exist Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 06 6月, 2011 1 次提交
-
-
由 Jozsef Kadlecsik 提交于
The stored cidr values are tried one after anoter. The boolean condition evaluated to '1' instead of the first stored cidr or the default host cidr. Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-