ipset
7 years agoFix the inclusion of linux/export.h master
Henry Culver [Fri, 20 Jan 2012 12:40:55 +0000]
Fix the inclusion of linux/export.h

The tests for inclusion of linux/export.h in
ipset-6.11:kernel/net/netfilter/ipset/{ip_set_getport.c,pfxlen.c} are
incorrect, linux/export.h did not go in until 3.2.0.

7 years agoipset 6.11 released
Jozsef Kadlecsik [Sat, 14 Jan 2012 14:25:34 +0000]
ipset 6.11 released

7 years agoSupport hostnames and service names with dash
Jozsef Kadlecsik [Sat, 14 Jan 2012 14:06:00 +0000]
Support hostnames and service names with dash

The square brackets are introduced as an escape mechanism to
enter hostnames or service names with dash in order to avoid
mixing up the dash in the name with the range notation.

Problem reported by Stephen Hemminger and Marc Guardiola.

7 years agohash:net,iface timeout bug fixed
Jozsef Kadlecsik [Fri, 13 Jan 2012 21:55:54 +0000]
hash:net,iface timeout bug fixed

Timed out entries were still matched till the garbage collector
purged them out. The fix is verified in the testsuite.

7 years agoExceptions support added to hash:*net* types
Jozsef Kadlecsik [Fri, 13 Jan 2012 21:52:44 +0000]
Exceptions support added to hash:*net* types

The "nomatch" keyword and option is added to the hash:*net* types,
by which one can add exception entries to sets. Example:

ipset create test hash:net
ipset add test 192.168.0/24
ipset add test 192.168.0/30 nomatch

In this case the IP addresses from 192.168.0/24 except 192.168.0/30
match the elements of the set.

7 years agonet: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules
Paul Gortmaker [Fri, 13 Jan 2012 20:28:45 +0000]
net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules

These files are non modular, but need to export symbols using
the macros now living in export.h -- call out the include so
that things won't break when we remove the implicit presence
of module.h from everywhere.

7 years agoLog warning when a hash type of set gets full
Jozsef Kadlecsik [Tue, 10 Jan 2012 16:04:32 +0000]
Log warning when a hash type of set gets full

If the set is full, the SET target cannot add more elements.
Log warning so that the admin got notified about it.

7 years agoSet types moved into libipset library
Jozsef Kadlecsik [Thu, 5 Jan 2012 20:30:20 +0000]
Set types moved into libipset library

The libipset library is complete by this step, and "ipset" just
a CLI interface based on the lib.

7 years agoLibrary map file added in order to support library versioning.
Jozsef Kadlecsik [Thu, 5 Jan 2012 10:49:26 +0000]
Library map file added in order to support library versioning.

7 years agodoc: Linux 2.6.39 already has the defs
Jan Engelhardt [Sun, 1 Jan 2012 00:25:33 +0000]
doc: Linux 2.6.39 already has the defs

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agobuild: install libipset in the right place
Jan Engelhardt [Sun, 1 Jan 2012 00:25:34 +0000]
build: install libipset in the right place

The .c files used to build the plugins for ipset all use #include
<libipset/...>, so the files we install should preferably also be in a
directory called "libipset" rather than just "ipset".

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agoProvide a pkgconfig file
Jan Engelhardt [Sun, 1 Jan 2012 00:25:35 +0000]
Provide a pkgconfig file

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agobuild: make distcheck work and use POSIX mode for tarball generation
Jan Engelhardt [Sat, 17 Dec 2011 15:35:08 +0000]
build: make distcheck work and use POSIX mode for tarball generation

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agobuild: install libipset/linux_ip_set_list.h
Jan Engelhardt [Sat, 17 Dec 2011 15:35:07 +0000]
build: install libipset/linux_ip_set_list.h

The other linux_ip_set*.h files are shipped, so this one probably
should too.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agobuild: include libipset/nfproto.h
Jan Engelhardt [Sat, 17 Dec 2011 15:35:06 +0000]
build: include libipset/nfproto.h

libipset/types.h, which is installed by default, requires nfproto.h.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agobuild: process include/libipset/
Jan Engelhardt [Sat, 17 Dec 2011 15:35:05 +0000]
build: process include/libipset/

We need to visit that directory, otherwise `make install` is
incomplete and `make distcheck` fails.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agobuild: use AC_CONFIG_AUX_DIR and stash away tools
Jan Engelhardt [Sat, 17 Dec 2011 15:35:04 +0000]
build: use AC_CONFIG_AUX_DIR and stash away tools

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agoUpdate .gitignore
Jan Engelhardt [Sat, 17 Dec 2011 15:35:03 +0000]
Update .gitignore

Only ignore these paths if they are a directory.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agoipset 6.10 released
Jozsef Kadlecsik [Fri, 25 Nov 2011 08:36:04 +0000]
ipset 6.10 released

7 years agoTests added to check ICMP/ICMPv6 type/code parsing
Jozsef Kadlecsik [Thu, 24 Nov 2011 15:49:54 +0000]
Tests added to check ICMP/ICMPv6 type/code parsing

7 years agoICMP/ICMPv6 type/code parser bug fixed
Jozsef Kadlecsik [Wed, 16 Nov 2011 21:49:01 +0000]
ICMP/ICMPv6 type/code parser bug fixed

The ICMP/ICMPv6 type/code parser swapped the type and code values.
(Bug reported by Sabitov)

7 years agoipset: fix lookup of tcp port names
Stephen Hemminger [Fri, 28 Oct 2011 16:16:13 +0000]
ipset: fix lookup of tcp port names

The protocol argument to getservbyname() must be lowercase tcp not
uppercase TCP. This fixes the bug observed by:

 # ipset add foo http
 ipset v6.9.1: Syntax error: 'http' is invalid as number
 Syntax error: cannot parse 'http' as a TCP port

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agoInvert the logic to include version.h in ip_set_core.c
Jozsef Kadlecsik [Thu, 15 Sep 2011 19:00:22 +0000]
Invert the logic to include version.h in ip_set_core.c

7 years agoSuppress false compile-time warnings:
Jozsef Kadlecsik [Thu, 15 Sep 2011 07:07:41 +0000]
Suppress false compile-time warnings:

warning: 'ip_to' may be used uninitialized in this function

7 years agoOptionally disable building the kernel module.
Mathieu Bridon [Mon, 12 Sep 2011 08:03:23 +0000]
Optionally disable building the kernel module.

Distributors (like Fedora) might be interested in including the ipset
tools and libs, but they often don't want to build and ship external
kernel modules, especially if those modules are already included in
their kernel packages.

This patch introduces a new --with-kmod configure option that can be
used to conditionally build the kernel module. The module is still built
by default, to preserve compatibility.

A user who wants to build only the user-space part of ipset can do so by
running the following:

    $ ./autogen.sh
    $ configure --with-kmod=no
    $ make
    # make install

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agoMake tidy complete
Jozsef Kadlecsik [Tue, 6 Sep 2011 19:29:53 +0000]
Make tidy complete

7 years agoipset 6.9.1 released
Jozsef Kadlecsik [Tue, 6 Sep 2011 19:26:56 +0000]
ipset 6.9.1 released

7 years agoFix compiling ipset as external kernel modules
Jozsef Kadlecsik [Tue, 6 Sep 2011 19:25:10 +0000]
Fix compiling ipset as external kernel modules

7 years agoipset 6.9 released
Jozsef Kadlecsik [Tue, 6 Sep 2011 19:12:17 +0000]
ipset 6.9 released

7 years agoComplete Kconfig with hash:net,iface type
Jozsef Kadlecsik [Mon, 5 Sep 2011 15:33:50 +0000]
Complete Kconfig with hash:net,iface type

The Kconfig file is not used at building ipset as external system,
still let the file be complete.

7 years agortnetlink: Compute and store minimum ifinfo dump size
Greg Rose [Mon, 5 Sep 2011 15:11:40 +0000]
rtnetlink: Compute and store minimum ifinfo dump size

[The patch changes the API of the netlink_dump_start interface: port
it to the standalone ipset package.]

The message size allocated for rtnl ifinfo dumps was limited to
a single page.  This is not enough for additional interface info
available with devices that support SR-IOV and caused a bug in
which VF info would not be displayed if more than approximately
40 VFs were created per interface.

Implement a new function pointer for the rtnl_register service that will
calculate the amount of data required for the ifinfo dump and allocate
enough data to satisfy the request.

Signed-off-by: Greg Rose <gregory.v.rose@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

7 years agoRemove redundant linux/version.h includes from net/
Jesper Juhl [Mon, 5 Sep 2011 15:07:17 +0000]
Remove redundant linux/version.h includes from net/

It was suggested by "make versioncheck" that the follwing includes of
linux/version.h are redundant:

  /home/jj/src/linux-2.6/net/caif/caif_dev.c: 14 linux/version.h not needed.
  /home/jj/src/linux-2.6/net/caif/chnl_net.c: 10 linux/version.h not needed.
  /home/jj/src/linux-2.6/net/ipv4/gre.c: 19 linux/version.h not needed.
  /home/jj/src/linux-2.6/net/netfilter/ipset/ip_set_core.c: 20 linux/version.h not needed.
  /home/jj/src/linux-2.6/net/netfilter/xt_set.c: 16 linux/version.h not needed.

and it seems that it is right.

Beyond manually inspecting the source files I also did a few build
tests with various configs to confirm that including the header in
those files is indeed not needed.

Here's a patch to remove the pointless includes.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agoMerge branch 'master' of git://dev.medozas.de/ipset
Jozsef Kadlecsik [Thu, 1 Sep 2011 09:10:10 +0000]
Merge branch 'master' of git://dev.medozas.de/ipset

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agobuild: move ipset_errcode into library
Jan Engelhardt [Sun, 28 Aug 2011 17:13:47 +0000]
build: move ipset_errcode into library

The library cannot stand on its own:

19:13 seven:../ipset/lib > ldd -r .libs/libipset.so.1
        linux-vdso.so.1 =>  (0x00007fff9a569000)
        libmnl.so.0 => /usr/lib64/libmnl.so.0 (0x00007fd42ae5c000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fd42aaef000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fd42b28d000)
undefined symbol: ipset_errcode (.libs/libipset.so.1)

Resolve this by moving ipset_errcode into the library.

Reported-by: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
References: http://marc.info/?l=netfilter-devel&m=131435791514602&w=2

7 years agobuild: abort autogen on subcommand failure
Jan Engelhardt [Mon, 1 Aug 2011 19:26:24 +0000]
build: abort autogen on subcommand failure

Needed to stop an automated build process when automake requirements
are not fulfilled.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

7 years agoipset: use NFPROTO_ constants
Jan Engelhardt [Thu, 25 Aug 2011 09:17:33 +0000]
ipset: use NFPROTO_ constants

ipset is actually using NFPROTO values rather than AF (xt_set passes
that along).

7 years agoPropagate "expose userspace-relevant parts in ip_set.h" to ipset source
Jozsef Kadlecsik [Wed, 31 Aug 2011 13:56:34 +0000]
Propagate "expose userspace-relevant parts in ip_set.h" to ipset source

With the header file restructuring, the ipset userspace enums IPSET_DIM_*
clash with the kernel ones. In this patch the userspace is converted to
use the kernel part enums and thus we got rid of userspace enums IPSET_DIM_*.

7 years agonetfilter: ipset: expose userspace-relevant parts in ip_set.h
Jan Engelhardt [Wed, 31 Aug 2011 12:10:05 +0000]
netfilter: ipset: expose userspace-relevant parts in ip_set.h

iptables's libxt_SET.c depends on these.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agonetfilter: ipset: avoid use of kernel-only types
Jan Engelhardt [Wed, 31 Aug 2011 12:10:04 +0000]
netfilter: ipset: avoid use of kernel-only types

When using the xt_set.h header in userspace, one will get these gcc
reports:

ipset/ip_set.h:184:1: error: unknown type name "u16"
In file included from libxt_SET.c:21:0:
netfilter/xt_set.h:61:2: error: unknown type name "u32"
netfilter/xt_set.h:62:2: error: unknown type name "u32"

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agonetfilter: Remove unnecessary OOM logging messages
Joe Perches [Mon, 29 Aug 2011 21:17:25 +0000]
netfilter: Remove unnecessary OOM logging messages

Removing unnecessary messages saves code and text.

Site specific OOM messages are duplications of a generic MM
out of memory message and aren't really useful, so just
delete them.

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

7 years agoDumping error triggered removing references twice and lead to kernel BUG
Jozsef Kadlecsik [Wed, 31 Aug 2011 10:32:55 +0000]
Dumping error triggered removing references twice and lead to kernel BUG

If there was a dumping error in the middle, the set-specific variable was
not zeroed out and thus the 'done' function of the dumping wrongly tried
to release the already released reference of the set. The already released
reference was caught by __ip_set_put and triggered a kernel BUG message.
The issue was reported by Jean-Philippe Menil.

7 years agoAutoload set type modules safely
Jozsef Kadlecsik [Mon, 29 Aug 2011 15:08:55 +0000]
Autoload set type modules safely

Jan Engelhardt noticed when userspace requests a set type unknown
to the kernel, it can lead to a loop due to the unsafe type module
loading. The issue is fixed in this patch.

7 years agoipset 6.8 released
Jozsef Kadlecsik [Mon, 11 Jul 2011 09:10:47 +0000]
ipset 6.8 released

7 years agoUpdate the manpage and document the limits in hash:net,iface.
Jozsef Kadlecsik [Mon, 11 Jul 2011 08:50:21 +0000]
Update the manpage and document the limits in hash:net,iface.

7 years agoFix compiler warnings "'hash_ip4_data_next' declared inline after being called"
Chris Friesen [Sat, 9 Jul 2011 08:19:41 +0000]
Fix compiler warnings "'hash_ip4_data_next' declared inline after being called"

Some gcc versions warn about prototypes without "inline" when the declaration
includes the "inline" keyword. The fix generates a false error message
"marked inline, but without a definition" with sparse below 0.4.2.

Signed-off-by: Chris Friesen <chris.friesen@genband.com>

7 years agohash:net,iface fixed to handle overlapping nets behind different interfaces
Jozsef Kadlecsik [Fri, 8 Jul 2011 09:06:40 +0000]
hash:net,iface fixed to handle overlapping nets behind different interfaces

If overlapping networks with different interfaces was added to
the set, the type did not handle it properly. Example

ipset create test hash:net,iface
ipset add test 192.168.0.0/16,eth0
ipset add test 192.168.0.0/24,eth1

Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned
a match.

In the patch the algorithm is fixed in order to correctly handle
overlapping networks.

Limitation: the same network cannot be stored with more than 64 different
interfaces in a single set.

8 years agoMake possible to hash some part of the data element only.
Jozsef Kadlecsik [Tue, 14 Jun 2011 19:58:39 +0000]
Make possible to hash some part of the data element only.

8 years agoREADME file corrections from Richard Lucassen
Jozsef Kadlecsik [Wed, 8 Jun 2011 17:41:31 +0000]
README file corrections from Richard Lucassen

8 years agoipset 6.7 released
Jozsef Kadlecsik [Tue, 31 May 2011 19:44:47 +0000]
ipset 6.7 released

8 years agoWhitespace and coding fixes detected by checkpatch.pl
Jozsef Kadlecsik [Tue, 31 May 2011 17:38:00 +0000]
Whitespace and coding fixes detected by checkpatch.pl

8 years agohash:net,iface type introduced
Jozsef Kadlecsik [Mon, 30 May 2011 15:48:01 +0000]
hash:net,iface type introduced

The hash:net,iface type makes possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:

# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1

8 years agohash:* tests may seem to fail due to the too wide grep pattern, fix them
Jozsef Kadlecsik [Mon, 30 May 2011 15:29:58 +0000]
hash:* tests may seem to fail due to the too wide grep pattern, fix them

8 years agoUse the stored first cidr value instead of '1'
Jozsef Kadlecsik [Sat, 28 May 2011 21:36:14 +0000]
Use the stored first cidr value instead of '1'

8 years agoFix return code for destroy when sets are in use
Jozsef Kadlecsik [Sat, 28 May 2011 21:16:51 +0000]
Fix return code for destroy when sets are in use

8 years agoAdd xt_action_param to the variant level kadt functions, ipset API change
Jozsef Kadlecsik [Fri, 27 May 2011 19:06:04 +0000]
Add xt_action_param to the variant level kadt functions, ipset API change

With the change the sets can use any parameter available for the match
and target extensions, like input/output interface. It's required for
the hash:net,iface set type.

8 years agoRemove iptree tests and compatibility element parsing
Jozsef Kadlecsik [Fri, 27 May 2011 18:56:13 +0000]
Remove iptree tests and compatibility element parsing

8 years agohash:net test may seem to fail due to the too wide grep pattern, fix it
Jozsef Kadlecsik [Fri, 27 May 2011 18:54:01 +0000]
hash:net test may seem to fail due to the too wide grep pattern, fix it

8 years agoFix long time uncovered bug at adding string attributes to the netlink message
Jozsef Kadlecsik [Fri, 27 May 2011 18:52:06 +0000]
Fix long time uncovered bug at adding string attributes to the netlink message

Use the real string length instead of the maximum one when adding the
attribute.

8 years agoFix warnings reported by valgrind
Jozsef Kadlecsik [Wed, 25 May 2011 18:22:05 +0000]
Fix warnings reported by valgrind

8 years agoRemove supporting set types iptree and iptreemap
Jozsef Kadlecsik [Tue, 24 May 2011 19:06:02 +0000]
Remove supporting set types iptree and iptreemap

8 years agoDrop supporting kernel versions below 2.6.35
Jozsef Kadlecsik [Tue, 24 May 2011 19:04:50 +0000]
Drop supporting kernel versions below 2.6.35

8 years agoipset 6.6 released
Jozsef Kadlecsik [Tue, 24 May 2011 08:29:06 +0000]
ipset 6.6 released

8 years agoRestore with bitmap:port and list:set types did not work, fixed
Jozsef Kadlecsik [Tue, 24 May 2011 07:35:14 +0000]
Restore with bitmap:port and list:set types did not work, fixed

8 years agoAccept "\r\n" terminated COMMIT command in restore files
Jozsef Kadlecsik [Tue, 24 May 2011 07:34:36 +0000]
Accept "\r\n" terminated COMMIT command in restore files

8 years agoFix the message sequence number book-keeping
Jozsef Kadlecsik [Tue, 24 May 2011 07:34:01 +0000]
Fix the message sequence number book-keeping

The internal messages mix with the public messages and that confused
the sequence number book-keeping. Move setting/updating into
ipset_mnl_query.

8 years agoProtocol-level debugging support added
Jozsef Kadlecsik [Tue, 24 May 2011 07:33:38 +0000]
Protocol-level debugging support added

8 years agohash:net stress test in range notation added
Jozsef Kadlecsik [Mon, 23 May 2011 09:32:54 +0000]
hash:net stress test in range notation added

8 years agoUse unified from/to address masking and check the usage
Jozsef Kadlecsik [Mon, 23 May 2011 08:56:14 +0000]
Use unified from/to address masking and check the usage

8 years agoipset_mnl_query: in debug mode print the errno returned by the cb function
Jozsef Kadlecsik [Mon, 23 May 2011 08:36:33 +0000]
ipset_mnl_query: in debug mode print the errno returned by the cb function

8 years agoip_set_flush returned -EPROTO instead of -IPSET_ERR_PROTOCOL, fixed
Jozsef Kadlecsik [Mon, 23 May 2011 08:22:47 +0000]
ip_set_flush returned -EPROTO instead of -IPSET_ERR_PROTOCOL, fixed

8 years agoTake into account cidr value for the from address when creating the set
Jozsef Kadlecsik [Sun, 22 May 2011 10:18:36 +0000]
Take into account cidr value for the from address when creating the set

When creating a set from a range expressed as a network like
10.1.1.172/29, the from address was taken as the IP address part and
not masked with the netmask from the cidr.

8 years agoAdding ranges to hash types with timeout could still fail, fixed
Jozsef Kadlecsik [Sat, 21 May 2011 21:19:04 +0000]
Adding ranges to hash types with timeout could still fail, fixed

The patch "Fix adding ranges to hash types" had got a mistypeing
in the timeout variant of the hash types, which actually made
the patch ineffective. Fixed!

8 years agoAccept "\r\n" terminated lines in restore files
Jozsef Kadlecsik [Sat, 21 May 2011 21:10:14 +0000]
Accept "\r\n" terminated lines in restore files

8 years agoRemoved old, not used hashing method ip_set_chash
Jozsef Kadlecsik [Fri, 20 May 2011 15:07:48 +0000]
Removed old, not used hashing method ip_set_chash

8 years agoRemove variable 'ret' in type_pf_tdel(), which is set but not used
Jozsef Kadlecsik [Fri, 20 May 2011 09:25:14 +0000]
Remove variable 'ret' in type_pf_tdel(), which is set but not used

8 years agoUse proper timeout parameter to jiffies conversion
Jozsef Kadlecsik [Fri, 20 May 2011 07:53:39 +0000]
Use proper timeout parameter to jiffies conversion

8 years agoRemove outdated checking of IPv6 support from configure.ac
Jozsef Kadlecsik [Tue, 17 May 2011 17:28:10 +0000]
Remove outdated checking of IPv6 support from configure.ac

ipset can be compiled without IPv6 support since 6.0, however
the outdated checking in configure.ac made it not possible.
(reported by Denys Fedoryshchenko)

8 years agoipset 6.5 released
Jozsef Kadlecsik [Sun, 15 May 2011 13:34:04 +0000]
ipset 6.5 released

8 years agoSupport range for IPv4 at adding/deleting elements for hash:*net* types
Jozsef Kadlecsik [Sun, 15 May 2011 10:04:19 +0000]
Support range for IPv4 at adding/deleting elements for hash:*net* types

The range internally is converted to the network(s) equal to the range.
Example:

# ipset new test hash:net
# ipset add test 10.2.0.0-10.2.1.12
# ipset list test
Name: test
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
10.2.1.12
10.2.1.0/29
10.2.0.0/24
10.2.1.8/30

8 years agoDisable type revisions which are not supported both by the kernel and ipset
Jozsef Kadlecsik [Fri, 13 May 2011 21:47:56 +0000]
Disable type revisions which are not supported both by the kernel and ipset

8 years agoUpdate ipset help text to reflect SCTP and UDPLITE support
Jozsef Kadlecsik [Thu, 12 May 2011 15:12:54 +0000]
Update ipset help text to reflect SCTP and UDPLITE support

8 years agoSet type support with multiple revisions added
Jozsef Kadlecsik [Wed, 11 May 2011 15:29:21 +0000]
Set type support with multiple revisions added

A set type may have multiple revisions, for example when syntax is extended.
Support continuous revision ranges in set types.

8 years agoFix adding ranges to hash types
Jozsef Kadlecsik [Fri, 6 May 2011 20:08:09 +0000]
Fix adding ranges to hash types

When ranges are added to hash types, the elements may trigger rehashing the set.
However, the last successfully added element was not kept track so the adding
started again with the first element after the rehashing. Bug reported by Mr Dash Four.

8 years agoIgnore -n flag (list just setnames) when sets are to be saved
Jozsef Kadlecsik [Fri, 6 May 2011 20:05:10 +0000]
Ignore -n flag (list just setnames) when sets are to be saved

8 years agoipset 6.4 released
Jozsef Kadlecsik [Tue, 19 Apr 2011 11:43:29 +0000]
ipset 6.4 released

8 years agoGet rid of the trailing empty line at listing sets.
Jozsef Kadlecsik [Tue, 19 Apr 2011 10:25:38 +0000]
Get rid of the trailing empty line at listing sets.

Also, remove the empty "members" section when listing
just the set headers.

Testsuite is updated to reflect the changes in the output.

8 years agoFix XML listing, remove broken unused "elements" tag
Jozsef Kadlecsik [Mon, 18 Apr 2011 15:35:10 +0000]
Fix XML listing, remove broken unused "elements" tag

8 years agoSupport listing setnames and headers too
Jozsef Kadlecsik [Mon, 18 Apr 2011 15:32:25 +0000]
Support listing setnames and headers too

Current listing makes possible to list sets with full content only.
The patch adds support partial listings, i.e. listing just
the existing setnames or listing set headers, without set members.

8 years agoFix order of listing of sets
Jozsef Kadlecsik [Mon, 18 Apr 2011 11:19:59 +0000]
Fix order of listing of sets

A restoreable saving of sets requires that list:set type of sets
come last and the code part which should have taken into account
the ordering was broken. The patch fixes the listing order.

Testsuite entry added which checks the listing order.

8 years agoOptions and flags support added to the kernel API
Jozsef Kadlecsik [Mon, 18 Apr 2011 10:53:25 +0000]
Options and flags support added to the kernel API

The support makes possible to specify the timeout value for
the SET target and a flag to reset the timeout for already existing
entries.

8 years agoSorting is dependent on the locale settings, use LC_ALL=C
Jozsef Kadlecsik [Mon, 11 Apr 2011 08:37:08 +0000]
Sorting is dependent on the locale settings, use LC_ALL=C

8 years agoUse unified diff output in tests
Jozsef Kadlecsik [Mon, 11 Apr 2011 08:13:16 +0000]
Use unified diff output in tests

8 years agoipset 6.3 released
Jozsef Kadlecsik [Sun, 10 Apr 2011 15:26:09 +0000]
ipset 6.3 released

8 years agoTestsuite checks added
Jozsef Kadlecsik [Sun, 10 Apr 2011 14:22:46 +0000]
Testsuite checks added

- check iptables match/target extensions with invalid number of
  dir parameters
- check SET target with --del-set option

8 years agoset match and SET target fixes
Jozsef Kadlecsik [Sat, 9 Apr 2011 19:35:02 +0000]
set match and SET target fixes

The SET target with --del-set did not work due to using wrongly
the internal dimension of --add-set instead of --del-set.
Also, the checkentries did not release the set references when
returned an error. Bugs reported by Lennert Buytenhek.

8 years agoWhitespace fixes: some space before tab slipped in.
Jozsef Kadlecsik [Fri, 8 Apr 2011 14:21:35 +0000]
Whitespace fixes: some space before tab slipped in.

8 years agobitmap:ip,mac type requires "src" for MAC
Jozsef Kadlecsik [Fri, 8 Apr 2011 14:04:22 +0000]
bitmap:ip,mac type requires "src" for MAC

Enforce that the second "src/dst" parameter of the set match and SET target
must be "src", because we have access to the source MAC only in the packet.
The previous behaviour, that the type required the second parameter
but actually ignored the value was counter-intuitive and confusing.

Manpage is updated to reflect the change.

8 years agoTestsuite changes: keep temporary files
Jozsef Kadlecsik [Fri, 8 Apr 2011 13:53:02 +0000]
Testsuite changes: keep temporary files

Keep temporary files in the tests and erase them only after successfully
running the testsuite. This makes simpler to analyze failed tests.

8 years agoipset/Kconfig was a mixed up kernel config file, fixed (Michael Tokarev)
Jozsef Kadlecsik [Tue, 29 Mar 2011 19:21:30 +0000]
ipset/Kconfig was a mixed up kernel config file, fixed (Michael Tokarev)

8 years agoipset 6.2 released
Jozsef Kadlecsik [Sun, 27 Mar 2011 19:13:56 +0000]
ipset 6.2 released