Hello community, here is the log from the commit of package ipset for openSUSE:Factory checked in at 2020-01-23 16:08:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ipset (Old) and /work/SRC/openSUSE:Factory/.ipset.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ipset" Thu Jan 23 16:08:11 2020 rev:37 rq:765271 version:7.5 Changes: -------- --- /work/SRC/openSUSE:Factory/ipset/ipset.changes 2019-11-06 15:16:13.853180785 +0100 +++ /work/SRC/openSUSE:Factory/.ipset.new.26092/ipset.changes 2020-01-23 16:08:21.431544930 +0100 @@ -1,0 +2,9 @@ +Fri Jan 10 13:03:52 UTC 2020 - Jan Engelhardt <[email protected]> + +- Update to release 7.5 + * netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO + is present. + * netfilter: xt_set: Do not restrict --map-set to the + mangle table. + +------------------------------------------------------------------- Old: ---- ipset-7.4.tar.bz2 New: ---- ipset-7.5.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ipset.spec ++++++ --- /var/tmp/diff_new_pack.mG9Nsn/_old 2020-01-23 16:08:22.935545821 +0100 +++ /var/tmp/diff_new_pack.mG9Nsn/_new 2020-01-23 16:08:22.939545823 +0100 @@ -1,7 +1,7 @@ # # spec file for package ipset # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,7 +25,7 @@ %define ipset_build_kmp 0 %endif Name: ipset -Version: 7.4 +Version: 7.5 Release: 0 Summary: Netfilter ipset administration utility License: GPL-2.0-only ++++++ ipset-7.4.tar.bz2 -> ipset-7.5.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/ChangeLog new/ipset-7.5/ChangeLog --- old/ipset-7.4/ChangeLog 2019-11-01 16:13:11.000000000 +0100 +++ new/ipset-7.5/ChangeLog 2020-01-09 20:28:32.000000000 +0100 
@@ -1,3 +1,13 @@ +7.5 + - configure.ac: Support building with old autoconf 2.63 + (Serhey Popovych) + - configure.ac: Build on kernels without skb->vlan_proto correctly + (Serhey Popovych) + - configure.ac: Add cond_resched_rcu() checks (Serhey Popovych) + - configure.ac: Better match for ipv6_skip_exthdr() frag_offp + arg presence (Serhey Popovych) + - Document explicitly that protocol is not stored in bitmap:port + 7.4 - Fix compatibility support for netlink extended ACK and add synchronize_rcu_bh() checking diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/Makefile.in new/ipset-7.5/Makefile.in --- old/ipset-7.4/Makefile.in 2019-11-01 16:15:34.000000000 +0100 +++ new/ipset-7.5/Makefile.in 2020-01-09 20:30:11.000000000 +0100 @@ -314,6 +314,7 @@ FGREP = @FGREP@ GREP = @GREP@ HAVE_CHECKENTRY_BOOL = @HAVE_CHECKENTRY_BOOL@ +HAVE_COND_RESCHED_RCU = @HAVE_COND_RESCHED_RCU@ HAVE_ETHER_ADDR_COPY = @HAVE_ETHER_ADDR_COPY@ HAVE_ETHER_ADDR_EQUAL = @HAVE_ETHER_ADDR_EQUAL@ HAVE_EXPORT_H = @HAVE_EXPORT_H@ @@ -343,6 +344,7 @@ HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS = @HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS@ HAVE_PASSING_EXTENDED_ACK_TO_PARSERS = @HAVE_PASSING_EXTENDED_ACK_TO_PARSERS@ HAVE_RBTREE_POSTORDER_FOR_EACH_ENTRY_SAFE = @HAVE_RBTREE_POSTORDER_FOR_EACH_ENTRY_SAFE@ +HAVE_SKB_IIF = @HAVE_SKB_IIF@ HAVE_STATE_IN_XT_ACTION_PARAM = @HAVE_STATE_IN_XT_ACTION_PARAM@ HAVE_STRSCPY = @HAVE_STRSCPY@ HAVE_STRUCT_XT_ACTION_PARAM = @HAVE_STRUCT_XT_ACTION_PARAM@ 
@@ -353,6 +355,7 @@ HAVE_TIMER_SETUP = @HAVE_TIMER_SETUP@ HAVE_TYPEDEF_SCTP_SCTPHDR_T = @HAVE_TYPEDEF_SCTP_SCTPHDR_T@ HAVE_USER_NS_IN_STRUCT_NET = @HAVE_USER_NS_IN_STRUCT_NET@ +HAVE_VLAN_PROTO_IN_SK_BUFF = @HAVE_VLAN_PROTO_IN_SK_BUFF@ HAVE_VZALLOC = @HAVE_VZALLOC@ HAVE_XT_FAMILY = @HAVE_XT_FAMILY@ HAVE_XT_MTCHK_PARAM_STRUCT_NET = @HAVE_XT_MTCHK_PARAM_STRUCT_NET@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/configure new/ipset-7.5/configure --- old/ipset-7.4/configure 2019-11-01 16:15:33.000000000 +0100 +++ new/ipset-7.5/configure 2020-01-09 20:30:10.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for ipset 7.4. +# Generated by GNU Autoconf 2.69 for ipset 7.5. # # Report bugs to <[email protected]>. # @@ -594,8 +594,8 @@ # Identity of this package. PACKAGE_NAME='ipset' PACKAGE_TARNAME='ipset' -PACKAGE_VERSION='7.4' -PACKAGE_STRING='ipset 7.4' +PACKAGE_VERSION='7.5' +PACKAGE_STRING='ipset 7.5' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -654,6 +654,8 @@ HAVE_XT_FAMILY HAVE_STATE_IN_XT_ACTION_PARAM HAVE_NET_IN_XT_ACTION_PARAM +HAVE_SKB_IIF +HAVE_VLAN_PROTO_IN_SK_BUFF HAVE_TC_SKB_PROTOCOL HAVE_EXPORT_SYMBOL_GPL_IN_MODULE_H HAVE_NET_IN_NFNL_CALLBACK_FN @@ -673,6 +675,7 @@ HAVE_NET_OPS_ID HAVE_XT_TARGET_PARAM HAVE_CHECKENTRY_BOOL +HAVE_COND_RESCHED_RCU HAVE_IPV6_SKIP_EXTHDR_ARGS HAVE_EXPORT_H HAVE_NFNL_LOCK_SUBSYS @@ -1434,7 +1437,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ipset 7.4 to adapt to many kinds of systems. +\`configure' configures ipset 7.5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1505,7 +1508,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ipset 7.4:";; + short | recursive ) echo "Configuration of ipset 7.5:";; esac cat <<\_ACEOF @@ -1643,7 +1646,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ipset configure 7.4 +ipset configure 7.5 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2021,7 +2024,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ipset $as_me 7.4, which was +It was created by ipset $as_me 7.5, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2958,7 +2961,7 @@ # Define the identity of the package. PACKAGE='ipset' - VERSION='7.4' + VERSION='7.5' cat >>confdefs.h <<_ACEOF @@ -13487,6 +13490,10 @@ # backward compatibility with older pkg-config +# This hack makes PKG_CHECK_VARS from m4/pkg.m4 work on autoconf 2.63 +# (courtesy of sunnybear in https://github.com/gdnsd/gdnsd/issues/85) + + if test "x$enable_bashcompl" = "xyes"; then if test -n "$bashcompdir"; then @@ -14871,7 +14878,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel source for ipv6_skip_exthdr args" >&5 $as_echo_n "checking kernel source for ipv6_skip_exthdr args... " >&6; } if test -f $ksourcedir/include/net/ipv6.h && \ - $AWK '/ ipv6_skip_exthdr\(/,/\)/' $ksourcedir/include/net/ipv6.h | $GREP -q 'frag_offp'; then + $AWK '/( |\t)ipv6_skip_exthdr\(/,/\)/' $ksourcedir/include/net/ipv6.h | $GREP -q 'frag_offp'; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: 4 args" >&5 $as_echo "4 args" >&6; } HAVE_IPV6_SKIP_EXTHDR_ARGS=4 
@@ -14883,6 +14890,21 @@ fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel source for cond_resched_rcu" >&5 +$as_echo_n "checking kernel source for cond_resched_rcu... " >&6; } +if test -f $ksourcedir/include/linux/sched.h && \ + $AWK '/( |\t)cond_resched_rcu\(/,/\)/' $ksourcedir/include/linux/sched.h | $GREP -q 'cond_resched_rcu'; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + HAVE_COND_RESCHED_RCU=define + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + HAVE_COND_RESCHED_RCU=undef + +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel source for bool checkentry function prototype" >&5 $as_echo_n "checking kernel source for bool checkentry function prototype... " >&6; } if test -f $ksourcedir/include/linux/netfilter/x_tables.h && \ 
@@ -15170,6 +15192,38 @@ $as_echo "no" >&6; } HAVE_TC_SKB_PROTOCOL=undef + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel source for vlan_proto in struct sk_buff" >&5 +$as_echo_n "checking kernel source for vlan_proto in struct sk_buff... " >&6; } + if test -f $ksourcedir/include/linux/skbuff.h && \ + $AWK '/^struct sk_buff {/,/^};$/' $ksourcedir/include/linux/skbuff.h | \ + $GREP -q 'vlan_proto'; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + HAVE_VLAN_PROTO_IN_SK_BUFF=define + + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + HAVE_VLAN_PROTO_IN_SK_BUFF=undef + + fi +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel source for iif to skb_iif rename in struct sk_buff" >&5 +$as_echo_n "checking kernel source for iif to skb_iif rename in struct sk_buff... " >&6; } +if test -f $ksourcedir/include/linux/skbuff.h && \ + $AWK '/^struct sk_buff {/,/^};$/' $ksourcedir/include/linux/skbuff.h | \ + $GREP -q 'skb_iif'; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + HAVE_SKB_IIF=define + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + HAVE_SKB_IIF=undef + fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel source for struct net in struct xt_action_param" >&5 @@ -17960,7 +18014,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ipset $as_me 7.4, which was +This file was extended by ipset $as_me 7.5, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -18026,7 +18080,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -ipset config.status 7.4 +ipset config.status 7.5 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/configure.ac new/ipset-7.5/configure.ac --- old/ipset-7.4/configure.ac 2019-11-01 16:13:11.000000000 +0100 +++ new/ipset-7.5/configure.ac 2020-01-09 20:28:32.000000000 +0100 @@ -1,5 +1,5 @@ dnl Boilerplate -AC_INIT([ipset], [7.4], [[email protected]]) +AC_INIT([ipset], [7.5], [[email protected]]) AC_CONFIG_AUX_DIR([build-aux]) AC_CANONICAL_HOST AC_CONFIG_MACRO_DIR([m4]) @@ -64,6 +64,12 @@ ])# PKG_CHECK_VAR ]) +# This hack makes PKG_CHECK_VARS from m4/pkg.m4 work on autoconf 2.63 +# (courtesy of sunnybear in https://github.com/gdnsd/gdnsd/issues/85) +m4_ifndef([AS_VAR_COPY], +[m4_define([AS_VAR_COPY], +[AS_LITERAL_IF([$1[]$2], [$1=$$2], [eval $1=\$$2])])]) + if test "x$enable_bashcompl" = "xyes"; then PKG_CHECK_VAR(bashcompdir, [bash-completion], [completionsdir], , bashcompdir="${sysconfdir}/bash_completion.d") AC_SUBST(bashcompdir) @@ -325,7 +331,7 @@ AC_MSG_CHECKING([kernel source for ipv6_skip_exthdr args]) if test -f $ksourcedir/include/net/ipv6.h && \ - $AWK '/ ipv6_skip_exthdr\(/,/\)/' $ksourcedir/include/net/ipv6.h | $GREP -q 'frag_offp'; then + $AWK '/( |\t)ipv6_skip_exthdr\(/,/\)/' $ksourcedir/include/net/ipv6.h | $GREP -q 'frag_offp'; then AC_MSG_RESULT(4 args) AC_SUBST(HAVE_IPV6_SKIP_EXTHDR_ARGS, 4) else 
@@ -333,6 +339,16 @@ AC_SUBST(HAVE_IPV6_SKIP_EXTHDR_ARGS, 3) fi +AC_MSG_CHECKING([kernel source for cond_resched_rcu]) +if test -f $ksourcedir/include/linux/sched.h && \ + $AWK '/( |\t)cond_resched_rcu\(/,/\)/' $ksourcedir/include/linux/sched.h | $GREP -q 'cond_resched_rcu'; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_COND_RESCHED_RCU, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_COND_RESCHED_RCU, undef) +fi + AC_MSG_CHECKING([kernel source for bool checkentry function prototype]) if test -f $ksourcedir/include/linux/netfilter/x_tables.h && \ $GREP -q 'bool .\*checkentry.' $ksourcedir/include/linux/netfilter/x_tables.h; then @@ -525,6 +541,28 @@ else AC_MSG_RESULT(no) AC_SUBST(HAVE_TC_SKB_PROTOCOL, undef) + + AC_MSG_CHECKING([kernel source for vlan_proto in struct sk_buff]) + if test -f $ksourcedir/include/linux/skbuff.h && \ + $AWK '/^struct sk_buff {/,/^};$/' $ksourcedir/include/linux/skbuff.h | \ + $GREP -q 'vlan_proto'; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_VLAN_PROTO_IN_SK_BUFF, define) + else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_VLAN_PROTO_IN_SK_BUFF, undef) + fi +fi + +AC_MSG_CHECKING([kernel source for iif to skb_iif rename in struct sk_buff]) +if test -f $ksourcedir/include/linux/skbuff.h && \ + $AWK '/^struct sk_buff {/,/^};$/' $ksourcedir/include/linux/skbuff.h | \ + $GREP -q 'skb_iif'; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_SKB_IIF, define) +else + AC_MSG_RESULT(no) + AC_SUBST(HAVE_SKB_IIF, undef) fi AC_MSG_CHECKING([kernel source for struct net in struct xt_action_param]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/include/libipset/Makefile.in new/ipset-7.5/include/libipset/Makefile.in --- old/ipset-7.4/include/libipset/Makefile.in 2019-11-01 16:15:34.000000000 +0100 +++ new/ipset-7.5/include/libipset/Makefile.in 2020-01-09 20:30:11.000000000 +0100 
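Review bot: HAVE_VLAN_PROTO_IN_SK_BUFF, computed in the second hunk of configure.ac here, does not appear to reach the C code. The ip_set_compat.h.in hunk at -50,6 adds `#@HAVE_COND_RESCHED_RCU@` and `#@HAVE_SKB_IIF@` lines but none for this symbol, while the tc_skb_protocol() fallback later tests `#ifdef HAVE_VLAN_PROTO_IN_SK_BUFF`. Unless the header defines it in lines outside this diff, the fallback always returns `htons(ETH_P_8021Q)`, so a tag with a different skb->vlan_proto would be reported as 802.1Q. The fix would be a `#@HAVE_VLAN_PROTO_IN_SK_BUFF@ HAVE_VLAN_PROTO_IN_SK_BUFF` line in the header. Because the variable is assigned only inside the `else` branch of the tc_skb_protocol check, it also needs a value on the other branch, or the substitution expands to an empty string.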
@@ -199,6 +199,7 @@ FGREP = @FGREP@ GREP = @GREP@ HAVE_CHECKENTRY_BOOL = @HAVE_CHECKENTRY_BOOL@ +HAVE_COND_RESCHED_RCU = @HAVE_COND_RESCHED_RCU@ HAVE_ETHER_ADDR_COPY = @HAVE_ETHER_ADDR_COPY@ HAVE_ETHER_ADDR_EQUAL = @HAVE_ETHER_ADDR_EQUAL@ HAVE_EXPORT_H = @HAVE_EXPORT_H@ @@ -228,6 +229,7 @@ HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS = @HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS@ HAVE_PASSING_EXTENDED_ACK_TO_PARSERS = @HAVE_PASSING_EXTENDED_ACK_TO_PARSERS@ HAVE_RBTREE_POSTORDER_FOR_EACH_ENTRY_SAFE = @HAVE_RBTREE_POSTORDER_FOR_EACH_ENTRY_SAFE@ +HAVE_SKB_IIF = @HAVE_SKB_IIF@ HAVE_STATE_IN_XT_ACTION_PARAM = @HAVE_STATE_IN_XT_ACTION_PARAM@ HAVE_STRSCPY = @HAVE_STRSCPY@ HAVE_STRUCT_XT_ACTION_PARAM = @HAVE_STRUCT_XT_ACTION_PARAM@ @@ -238,6 +240,7 @@ HAVE_TIMER_SETUP = @HAVE_TIMER_SETUP@ HAVE_TYPEDEF_SCTP_SCTPHDR_T = @HAVE_TYPEDEF_SCTP_SCTPHDR_T@ HAVE_USER_NS_IN_STRUCT_NET = @HAVE_USER_NS_IN_STRUCT_NET@ +HAVE_VLAN_PROTO_IN_SK_BUFF = @HAVE_VLAN_PROTO_IN_SK_BUFF@ HAVE_VZALLOC = @HAVE_VZALLOC@ HAVE_XT_FAMILY = @HAVE_XT_FAMILY@ HAVE_XT_MTCHK_PARAM_STRUCT_NET = @HAVE_XT_MTCHK_PARAM_STRUCT_NET@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/kernel/ChangeLog new/ipset-7.5/kernel/ChangeLog --- old/ipset-7.4/kernel/ChangeLog 2019-11-01 16:13:11.000000000 +0100 +++ new/ipset-7.5/kernel/ChangeLog 2020-01-09 20:28:32.000000000 +0100 
@@ -1,3 +1,14 @@ +7.5 + - netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present + (Florian Westphal) + - ip_set: Pass init_net when @net is missing in match check params + data structure (Serhey Popovych) + - netfilter: xt_set: Do not restrict --map-set to the mangle table + (Serhey Popovych) + - compat: em_ipset: Build on old kernels (Serhey Popovych) + - compat: Use skb_vlan_tag_present() instead of vlan_tx_tag_present() + (Serhey Popovych) + 7.4 - Fix nla_policies to fully support NL_VALIDATE_STRICT - treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in new/ipset-7.5/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in --- old/ipset-7.4/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in 2019-11-01 16:13:11.000000000 +0100 +++ new/ipset-7.5/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in 2020-01-09 20:28:32.000000000 +0100 @@ -50,6 +50,8 @@ #@HAVE_STRSCPY@ HAVE_STRSCPY #@HAVE_SYNCHRONIZE_RCU_BH@ HAVE_SYNCHRONIZE_RCU_BH #@HAVE_LOCKDEP_NFNL_IS_HELD@ HAVE_LOCKDEP_NFNL_IS_HELD +#@HAVE_COND_RESCHED_RCU@ HAVE_COND_RESCHED_RCU +#@HAVE_SKB_IIF@ HAVE_SKB_IIF #ifdef HAVE_EXPORT_SYMBOL_GPL_IN_MODULE_H #include <linux/module.h> @@ -148,6 +150,17 @@ #endif #endif +#ifndef HAVE_COND_RESCHED_RCU +static inline void cond_resched_rcu(void) +{ +#if defined(CONFIG_DEBUG_ATOMIC_SLEEP) || !defined(CONFIG_PREEMPT_RCU) + rcu_read_unlock(); + cond_resched(); + rcu_read_lock(); +#endif +} +#endif + #if defined(CONFIG_NETFILTER_NETLINK) || defined(CONFIG_NETFILTER_NETLINK_MODULE) #else #error "NETFILTER_NETLINK must be enabled: select NFACCT/NFQUEUE/LOG over NFNETLINK" 
@@ -323,10 +336,25 @@ #ifndef HAVE_TC_SKB_PROTOCOL #include <linux/if_vlan.h> + +/* RHEL defines it */ +#ifndef skb_vlan_tag_present +#if !defined(vlan_tx_tag_present) && \ + !defined(NETIF_F_HW_VLAN_TX) && \ + !defined(NETIF_F_HW_VLAN_CTAG_TX) +#define vlan_tx_tag_present(skb) 0 +#endif +#define skb_vlan_tag_present vlan_tx_tag_present +#endif + static inline __be16 tc_skb_protocol(const struct sk_buff *skb) { - if (vlan_tx_tag_present(skb)) + if (skb_vlan_tag_present(skb)) +#ifdef HAVE_VLAN_PROTO_IN_SK_BUFF return skb->vlan_proto; +#else + return htons(ETH_P_8021Q); +#endif return skb->protocol; } #endif @@ -403,5 +431,21 @@ #define SIZE_MAX (~(size_t)0) #endif +#ifndef TCF_EM_IPSET +#define TCF_EM_IPSET 8 +#endif + +#ifndef HAVE_SKB_IIF +#define skb_iif iif +#endif + +#ifndef HAVE_DEV_GET_BY_INDEX_RCU +/* This should not be considered RCU-safe on all architectures. + * You probably should consider upgrading your kernel in case of + * kernel crashes including em_ipset and this function call. + */ +#define dev_get_by_index_rcu __dev_get_by_index +#endif + #endif /* IP_SET_COMPAT_HEADERS */ #endif /* __IP_SET_COMPAT_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/kernel/net/netfilter/ipset/ip_set_core.c new/ipset-7.5/kernel/net/netfilter/ipset/ip_set_core.c --- old/ipset-7.4/kernel/net/netfilter/ipset/ip_set_core.c 2019-11-01 16:13:11.000000000 +0100 +++ new/ipset-7.5/kernel/net/netfilter/ipset/ip_set_core.c 2020-01-09 20:28:32.000000000 +0100 @@ -1871,6 +1871,7 @@ struct ip_set *set; struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {}; int ret = 0; + u32 lineno; if (unlikely(protocol_min_failed(attr) || !attr[IPSET_ATTR_SETNAME] || 
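Review bot: The `#define dev_get_by_index_rcu __dev_get_by_index` fallback at the end of ip_set_compat.h.in is keyed on HAVE_DEV_GET_BY_INDEX_RCU, but nothing in this diff adds a configure probe or a `#@HAVE_DEV_GET_BY_INDEX_RCU@` line for it. If the symbol is not defined elsewhere, the alias applies on every kernel, including ones that provide the real RCU lookup. `__dev_get_by_index()` is documented to need the RTNL or dev_base_lock rather than an RCU read section, so a caller holding only rcu_read_lock() could see the device freed underneath it; the added comment already concedes this. I would add the probe next to the other sk_buff checks and emit `#@HAVE_DEV_GET_BY_INDEX_RCU@ HAVE_DEV_GET_BY_INDEX_RCU`, so the unsafe alias is limited to kernels that really lack the function.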
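Review bot: The new `u32 lineno;` in ip_set_core.c has no comment and is never read in the visible lines, so the next reader cannot tell it is only a write target. It is passed as `&lineno` in the following hunk (-1887,7), presumably so uadt() has somewhere to store IPSET_ATTR_LINENO instead of dereferencing NULL. I would write `u32 lineno = 0; /* sink for IPSET_ATTR_LINENO, unused for IPSET_TEST */`, which documents the intent and keeps an indeterminate stack value out of any later use. The enclosing function starts and ends outside both hunks.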
@@ -1887,7 +1888,7 @@ return -IPSET_ERR_PROTOCOL; rcu_read_lock_bh(); - ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0); + ret = set->variant->uadt(set, tb, IPSET_TEST, &lineno, 0, 0); rcu_read_unlock_bh(); /* Userspace can't trigger element to be re-added */ if (ret == -EAGAIN) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/kernel/net/netfilter/xt_set.c new/ipset-7.5/kernel/net/netfilter/xt_set.c --- old/ipset-7.4/kernel/net/netfilter/xt_set.c 2019-11-01 16:13:11.000000000 +0100 +++ new/ipset-7.5/kernel/net/netfilter/xt_set.c 2020-01-09 20:28:32.000000000 +0100 @@ -39,7 +39,7 @@ #ifdef HAVE_XT_MTCHK_PARAM_STRUCT_NET #define XT_PAR_NET(par) ((par)->net) #else -#define XT_PAR_NET(par) NULL +#define XT_PAR_NET(par) (&(init_net)) #endif static inline int @@ -499,11 +499,6 @@ } if (info->map_set.index != IPSET_INVALID_ID) { - if (strncmp(par->table, "mangle", 7)) { - pr_warn("--map-set only usable from mangle table\n"); - ret = -EINVAL; - goto cleanup_del; - } if (((info->flags & IPSET_FLAG_MAP_SKBPRIO) | (info->flags & IPSET_FLAG_MAP_SKBQUEUE)) && (par->hook_mask & ~(1 << NF_INET_FORWARD | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/kernel/net/sched/Kbuild new/ipset-7.5/kernel/net/sched/Kbuild --- old/ipset-7.4/kernel/net/sched/Kbuild 2019-11-01 16:13:11.000000000 +0100 +++ new/ipset-7.5/kernel/net/sched/Kbuild 2020-01-09 20:28:32.000000000 +0100 @@ -1,4 +1,4 @@ NOSTDINC_FLAGS += -I$(KDIR)/include EXTRA_CFLAGS := -DCONFIG_IP_SET_MAX=$(IP_SET_MAX) -obj-$(CONFIG_NET_EMATCH_IPSET) += em_ipset.o +obj-m += em_ipset.o diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/kernel/net/sched/em_ipset.c new/ipset-7.5/kernel/net/sched/em_ipset.c --- old/ipset-7.4/kernel/net/sched/em_ipset.c 2019-11-01 16:13:11.000000000 +0100 +++ new/ipset-7.5/kernel/net/sched/em_ipset.c 2020-01-09 20:28:32.000000000 +0100 
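Review bot: The new fallback `#define XT_PAR_NET(par) (&(init_net))` in xt_set.c deserves a comment, because it changes which namespace is used and not just whether a pointer is NULL. On kernels without HAVE_XT_MTCHK_PARAM_STRUCT_NET, every set lookup made through this macro is now bound to the initial network namespace, whatever namespace the rule was loaded from. Something like `/* check params carry no net on this kernel: sets are resolved in init_net */` above the `#else` branch would make that explicit. It is also worth confirming that the declaration of `init_net` is in scope at this point, since the includes are outside the hunk.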
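Review bot: `obj-m += em_ipset.o` in kernel/net/sched/Kbuild drops the CONFIG_NET_EMATCH_IPSET gate entirely, so the ematch module is now built against every kernel, including ones configured without ematch support. On such a kernel the module would presumably fail at modpost or at load time on the missing ematch registration symbols. If the aim is only to stop depending on the IPSET-specific option, a weaker guard keeps the build clean: `ifneq ($(CONFIG_NET_EMATCH),)` / `obj-m += em_ipset.o` / `endif`.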
@@ -15,10 +15,10 @@ #include <linux/string.h> #include <linux/skbuff.h> #include <linux/netfilter/xt_set.h> -#include <linux/netfilter/ipset/ip_set_compat.h> #include <linux/ipv6.h> #include <net/ip.h> #include <net/pkt_cls.h> +#include <linux/netfilter/ipset/ip_set_compat.h> #ifdef HAVE_TCF_EMATCH_OPS_CHANGE_ARG_NET static int em_ipset_change(struct net *net, void *data, int data_len, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/lib/Makefile.in new/ipset-7.5/lib/Makefile.in --- old/ipset-7.4/lib/Makefile.in 2019-11-01 16:15:34.000000000 +0100 +++ new/ipset-7.5/lib/Makefile.in 2020-01-09 20:30:11.000000000 +0100 @@ -318,6 +318,7 @@ FGREP = @FGREP@ GREP = @GREP@ HAVE_CHECKENTRY_BOOL = @HAVE_CHECKENTRY_BOOL@ +HAVE_COND_RESCHED_RCU = @HAVE_COND_RESCHED_RCU@ HAVE_ETHER_ADDR_COPY = @HAVE_ETHER_ADDR_COPY@ HAVE_ETHER_ADDR_EQUAL = @HAVE_ETHER_ADDR_EQUAL@ HAVE_EXPORT_H = @HAVE_EXPORT_H@ @@ -347,6 +348,7 @@ HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS = @HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS@ HAVE_PASSING_EXTENDED_ACK_TO_PARSERS = @HAVE_PASSING_EXTENDED_ACK_TO_PARSERS@ HAVE_RBTREE_POSTORDER_FOR_EACH_ENTRY_SAFE = @HAVE_RBTREE_POSTORDER_FOR_EACH_ENTRY_SAFE@ +HAVE_SKB_IIF = @HAVE_SKB_IIF@ HAVE_STATE_IN_XT_ACTION_PARAM = @HAVE_STATE_IN_XT_ACTION_PARAM@ HAVE_STRSCPY = @HAVE_STRSCPY@ HAVE_STRUCT_XT_ACTION_PARAM = @HAVE_STRUCT_XT_ACTION_PARAM@ 
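Review bot: Moving `#include <linux/netfilter/ipset/ip_set_compat.h>` below `<net/pkt_cls.h>` in em_ipset.c makes the include order load-bearing, but nothing in the file says so. The same release adds object-like macros to the compat header (`#define skb_iif iif`, `#define dev_get_by_index_rcu __dev_get_by_index`, `TCF_EM_IPSET`). Those would rewrite identifiers inside any kernel header included after it, which is presumably why it had to move. A one-line comment such as `/* keep last: compat macros must not rewrite the kernel headers above */` would stop a later include sort from undoing this.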
@@ -357,6 +359,7 @@ HAVE_TIMER_SETUP = @HAVE_TIMER_SETUP@ HAVE_TYPEDEF_SCTP_SCTPHDR_T = @HAVE_TYPEDEF_SCTP_SCTPHDR_T@ HAVE_USER_NS_IN_STRUCT_NET = @HAVE_USER_NS_IN_STRUCT_NET@ +HAVE_VLAN_PROTO_IN_SK_BUFF = @HAVE_VLAN_PROTO_IN_SK_BUFF@ HAVE_VZALLOC = @HAVE_VZALLOC@ HAVE_XT_FAMILY = @HAVE_XT_FAMILY@ HAVE_XT_MTCHK_PARAM_STRUCT_NET = @HAVE_XT_MTCHK_PARAM_STRUCT_NET@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/lib/ipset_bitmap_port.c new/ipset-7.5/lib/ipset_bitmap_port.c --- old/ipset-7.4/lib/ipset_bitmap_port.c 2019-11-01 16:13:11.000000000 +0100 +++ new/ipset-7.5/lib/ipset_bitmap_port.c 2020-01-09 20:28:32.000000000 +0100 @@ -69,7 +69,7 @@ }, .usage = "where PORT, FROM and TO are port numbers or port names from /etc/services.\n" " PROTO is only needed if a service name is used and it does not exist\n" - " as a TCP service; it isn't used otherwise with the bitmap.", + " as a TCP service; just the resolved service numer is stored in the set.", .description = "Initial revision", }; @@ -136,7 +136,7 @@ }, .usage = "where PORT, FROM and TO are port numbers or port names from /etc/services.\n" " PROTO is only needed if a service name is used and it does not exist\n" - " as a TCP service; it isn't used otherwise with the bitmap.", + " as a TCP service; just the resolved service numer is stored in the set.", .description = "counters support", }; @@ -205,7 +205,7 @@ }, .usage = "where PORT, FROM and TO are port numbers or port names from /etc/services.\n" " PROTO is only needed if a service name is used and it does not exist\n" - " as a TCP service; it isn't used otherwise with the bitmap.", + " as a TCP service; just the resolved service numer is stored in the set.", .description = "comment support", }; 
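Review bot: The replacement usage text in lib/ipset_bitmap_port.c misspells "number" as "numer": `" as a TCP service; just the resolved service numer is stored in the set."`. This string is printed to users, and the same line is repeated in all four revisions of the type (hunks -69,7, -136,7, -205,7 and -278,7). Each should read `"... just the resolved service number is stored in the set."`. The struct initializers these lines belong to start and end outside the hunks.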
@@ -278,7 +278,7 @@ }, .usage = "where PORT, FROM and TO are port numbers or port names from /etc/services.\n" " PROTO is only needed if a service name is used and it does not exist\n" - " as a TCP service; it isn't used otherwise with the bitmap.", + " as a TCP service; just the resolved service numer is stored in the set.", .description = "skbinfo support", }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/src/Makefile.in new/ipset-7.5/src/Makefile.in --- old/ipset-7.4/src/Makefile.in 2019-11-01 16:15:35.000000000 +0100 +++ new/ipset-7.5/src/Makefile.in 2020-01-09 20:30:11.000000000 +0100 @@ -304,6 +304,7 @@ FGREP = @FGREP@ GREP = @GREP@ HAVE_CHECKENTRY_BOOL = @HAVE_CHECKENTRY_BOOL@ +HAVE_COND_RESCHED_RCU = @HAVE_COND_RESCHED_RCU@ HAVE_ETHER_ADDR_COPY = @HAVE_ETHER_ADDR_COPY@ HAVE_ETHER_ADDR_EQUAL = @HAVE_ETHER_ADDR_EQUAL@ HAVE_EXPORT_H = @HAVE_EXPORT_H@ @@ -333,6 +334,7 @@ HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS = @HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS@ HAVE_PASSING_EXTENDED_ACK_TO_PARSERS = @HAVE_PASSING_EXTENDED_ACK_TO_PARSERS@ HAVE_RBTREE_POSTORDER_FOR_EACH_ENTRY_SAFE = @HAVE_RBTREE_POSTORDER_FOR_EACH_ENTRY_SAFE@ +HAVE_SKB_IIF = @HAVE_SKB_IIF@ HAVE_STATE_IN_XT_ACTION_PARAM = @HAVE_STATE_IN_XT_ACTION_PARAM@ HAVE_STRSCPY = @HAVE_STRSCPY@ HAVE_STRUCT_XT_ACTION_PARAM = @HAVE_STRUCT_XT_ACTION_PARAM@ 
@@ -343,6 +345,7 @@ HAVE_TIMER_SETUP = @HAVE_TIMER_SETUP@ HAVE_TYPEDEF_SCTP_SCTPHDR_T = @HAVE_TYPEDEF_SCTP_SCTPHDR_T@ HAVE_USER_NS_IN_STRUCT_NET = @HAVE_USER_NS_IN_STRUCT_NET@ +HAVE_VLAN_PROTO_IN_SK_BUFF = @HAVE_VLAN_PROTO_IN_SK_BUFF@ HAVE_VZALLOC = @HAVE_VZALLOC@ HAVE_XT_FAMILY = @HAVE_XT_FAMILY@ HAVE_XT_MTCHK_PARAM_STRUCT_NET = @HAVE_XT_MTCHK_PARAM_STRUCT_NET@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/src/ipset.8 new/ipset-7.5/src/ipset.8 --- old/ipset-7.4/src/ipset.8 2019-11-01 16:13:11.000000000 +0100 +++ new/ipset-7.5/src/ipset.8 2020-01-09 20:28:32.000000000 +0100 @@ -496,8 +496,9 @@ The \fBset\fR match and \fBSET\fR target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. .PP -\fBproto\fR only needs to be specified if a service name is used, -and that name does not exist as a TCP service. +\fBproto\fR only needs to be specified if a service name is used +and that name does not exist as a TCP service. The protocol is never stored +in the set, just the port number of the service. .PP Examples: .IP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ipset-7.4/utils/Makefile.in new/ipset-7.5/utils/Makefile.in --- old/ipset-7.4/utils/Makefile.in 2019-11-01 16:15:35.000000000 +0100 +++ new/ipset-7.5/utils/Makefile.in 2020-01-09 20:30:11.000000000 +0100 @@ -253,6 +253,7 @@ FGREP = @FGREP@ GREP = @GREP@ HAVE_CHECKENTRY_BOOL = @HAVE_CHECKENTRY_BOOL@ +HAVE_COND_RESCHED_RCU = @HAVE_COND_RESCHED_RCU@ HAVE_ETHER_ADDR_COPY = @HAVE_ETHER_ADDR_COPY@ HAVE_ETHER_ADDR_EQUAL = @HAVE_ETHER_ADDR_EQUAL@ HAVE_EXPORT_H = @HAVE_EXPORT_H@ 
@@ -282,6 +283,7 @@ HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS = @HAVE_PASSING_EXTENDED_ACK_TO_CALLBACKS@ HAVE_PASSING_EXTENDED_ACK_TO_PARSERS = @HAVE_PASSING_EXTENDED_ACK_TO_PARSERS@ HAVE_RBTREE_POSTORDER_FOR_EACH_ENTRY_SAFE = @HAVE_RBTREE_POSTORDER_FOR_EACH_ENTRY_SAFE@ +HAVE_SKB_IIF = @HAVE_SKB_IIF@ HAVE_STATE_IN_XT_ACTION_PARAM = @HAVE_STATE_IN_XT_ACTION_PARAM@ HAVE_STRSCPY = @HAVE_STRSCPY@ HAVE_STRUCT_XT_ACTION_PARAM = @HAVE_STRUCT_XT_ACTION_PARAM@ @@ -292,6 +294,7 @@ HAVE_TIMER_SETUP = @HAVE_TIMER_SETUP@ HAVE_TYPEDEF_SCTP_SCTPHDR_T = @HAVE_TYPEDEF_SCTP_SCTPHDR_T@ HAVE_USER_NS_IN_STRUCT_NET = @HAVE_USER_NS_IN_STRUCT_NET@ +HAVE_VLAN_PROTO_IN_SK_BUFF = @HAVE_VLAN_PROTO_IN_SK_BUFF@ HAVE_VZALLOC = @HAVE_VZALLOC@ HAVE_XT_FAMILY = @HAVE_XT_FAMILY@ HAVE_XT_MTCHK_PARAM_STRUCT_NET = @HAVE_XT_MTCHK_PARAM_STRUCT_NET@
