On Mon, 23 May 2016, Jozsef Kadlecsik wrote:
> On Mon, 23 May 2016, Marek Mrva wrote:
>
> > I have been playing with hash:net,iface table for a couple of days now,
> > but for the love of me, I can't make it accept physdev: devices.
> >
> > The man says:
On Thu, 23 Jun 2016, Neutron Soutmun wrote:
> * Backports the patch "libnl: nla_put_net64():align on a 64-bit area" [1]
> by Nicolas Dichtel
>
> * Since the nla_put_net64() API has been changed, therefore, the
> ip_set_compat.h.in should provide the macro
On Mon, 29 Feb 2016, Pablo Neira Ayuso wrote:
> On Wed, Feb 24, 2016 at 09:19:26PM +0100, Jozsef Kadlecsik wrote:
> > Flushing/listing entries was not RCU safe, so parallel flush/dump
> > could lead to kernel crash. Bug reported by Deniz Eren.
> >
> > Fixes
Flushing/listing entries was not RCU safe, so parallel flush/dump
could lead to kernel crash. Bug reported by Deniz Eren.
Fixes netfilter bugzilla id #1050.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_core.c | 3 ++
net/netfilter
type crash when flush/dump set in parallel
(2016-02-24 20:32:21 +0100)
Jozsef Kadlecsik (1):
netfilter: ipset: Fix set:list type crash when flush/dump set in parallel
net/netfilter/ipset/ip_set_core.c | 3 +++
net
Hi,
I'm happy to announce ipset 6.28 with a couple of important fixes, some
compatibility improvements and corrections.
Userspace changes:
- Support older pkg-config packages
- Add bash completion to the install routine (Mart Frauenlob)
- Fix misleading error message with comment
Hunt <joh...@akamai.com>
Signed-off-by: Vishwanath Pai <v...@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 4
net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +-
net/netfilter/ip
Hi,
ipset 6.29 is released, because the configure script was broken and a
race condition was fixed in concurrent save-swap and then delete
operations.
Userspace changes:
- Suppress unnecessary stderr in command loop for resize and list
- Correction in comment test
- Support chroot
On Sat, 12 Mar 2016, Jan Engelhardt wrote:
> >I'm happy to announce ipset 6.28 with a couple of important fixes, some
> >compatibility improvements and corrections.
> > - Support older pkg-config packages
>
> Whatever you did, it broke.
>
> [ 51s] checking for libmnl... no
> [ 51s]
On Mon, 28 Mar 2016, Eric Dumazet wrote:
> On Mon, 2016-03-28 at 22:20 +0200, Jan Engelhardt wrote:
> > On Monday 2016-03-28 21:29, David Miller wrote:
> > >>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff
> > >>> > > *skb,
> > >>> > > length--;
> > >>> > >
Hi,
On Mon, 14 Mar 2016, Vishwanath Pai wrote:
> I have updated the patch according to comments by Jozsef. Renamed
> ref_kernel to ref_netlink, renamed _put/_get functions and updated the
> description in commit log.
Patch is applied to the ipset git tree - you use some older kernel tree
and I
On Thu, 17 Mar 2016, AllKind wrote:
> On 16.03.2016 21:40, Jozsef Kadlecsik wrote:
> >
> > ipset 6.29 is released, because the configure script was broken and a
> > race condition was fixed in concurrent save-swap and then delete
> > operations.
> [...]
>
On Sun, 27 Mar 2016, Baozeng Ding wrote:
> The following program triggers stack-out-of-bounds in tcp_packet. The
> kernel version is 4.5 (on Mar 16 commit
> 09fd671ccb2475436bd5f597f751ca4a7d177aea).
> Uncovered with syzkaller. Thanks.
>
>
On Mon, 28 Mar 2016, Jozsef Kadlecsik wrote:
> On Sun, 27 Mar 2016, Baozeng Ding wrote:
>
> > The following program triggers stack-out-of-bounds in tcp_packet. The
> > kernel version is 4.5 (on Mar 16 commit
> > 09fd671ccb2475436bd5f597f751ca4a7d177aea).
> > Un
-by: Julia Lawall <julia.law...@lip6.fr>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 ++
net/netfilter/ipset/ip_set_hash_mac.c | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/net
to d8aacd87180141ff6b812b53de77a4336e87c91a:
netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length (2016-03-08
20:36:17 +0100)
Jozsef Kadlecsik (1):
netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length
net
)
Jozsef Kadlecsik (1):
net: netfilter: Fix stack out of bounds when parsing TCP options
net/netfilter/nf_conntrack_proto_tcp.c | 4
1 file changed, 4 insertions(+)
TCP
option code and size.
Reported-by: Baozeng Ding <splovi...@gmail.com>
Tested-by: Baozeng Ding <splovi...@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/nf_conntrack_proto_tcp.c | 4
1 file changed, 4 insertions(+)
diff --g
On Sun, 24 Apr 2016, Tomasz Chiliński wrote:
> First - thanks a lot for excellent ipset toolkit!
> Second - Sorry for posting directly to you, but didn't get reply from
> netfilter-devel
> mailing list after trying to subscribe there.
>
> I've created lately my own very missed set type
On Mon, 23 May 2016, Marek Mrva wrote:
> I have been playing with hash:net,iface table for a couple of days now,
> but for the love of me, I can't make it accept physdev: devices.
>
> The man says: When the interface is flagged with physdev:, the interface
> is interpreted as the
On Sat, 14 May 2016, Muhammad Falak R Wani wrote:
> Use setup_timer() instead of init_timer(), being the preferred way
> of setting up a timer.
>
> Also, quoting the mod_timer() function comment:
> -> mod_timer() is a more efficient way to update the expire field of an
>active timer (if
On Mon, 23 Jan 2017, Florian Westphal wrote:
> Jozsef Kadlecsik <kad...@blackhole.kfki.hu> wrote:
> > > > > --- a/net/netfilter/core.c
> > > > > +++ b/net/netfilter/core.c
> > > > > @@ -375,7 +375,7 @@ void nf_ct_attach(str
uting the above will crash the kernel.
Signed-off-by: Vishwanath Pai <v...@akamai.com>
Reviewed-by: Josh Hunt <joh...@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_list_set.c | 9 ++---
1 file changed, 6 insertions(+),
Hi,
ipset 6.31 has just been released with two important bugfixes. So please
upgrade your ipset package.
Userspace changes:
- Update manpage about the size parameter of list:set types.
- New test to verify that only the intended entries are deleted at hash
types.
Kernel part changes:
m fixed sized arrays to
linked lists.
> I think this change was introduced in v4.2 by the following commit:
> commit 00590fdd5be0d763631ef10e6a3e2ce8fc2d9ec3
> Author: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
> Date: Sat Jun 13 16:56:02 2015 +0200
>
>
On Wed, 15 Feb 2017, Vishwanath Pai wrote:
> On 02/15/2017 04:33 AM, Jozsef Kadlecsik wrote:
> > On Tue, 14 Feb 2017, Vishwanath Pai wrote:
> >
> >> I noticed that in recent versions of ipset the parameter 'size' in set
> >> type list:set is ignored. I noticed t
Hi,
On Wed, 15 Feb 2017, Vishwanath Pai wrote:
> If we use before/after to add an element to an empty list it will cause
> a kernel panic.
>
> $> cat crash.restore
> create a hash:ip
> create b hash:ip
> create test list:set timeout 5 size 4
> add test b before a
>
> $> ipset -R <
header that is
exported to userspace. This field is then printed by the userspace
tool for hashes.
Signed-off-by: Eric B Munson <emun...@akamai.com>
Cc: Pablo Neira Ayuso <pa...@netfilter.org>
Cc: Josh Hunt <joh...@akamai.com>
Cc: netfilter-devel@vger.kernel.org
Signed-off-b
Remove one level of indentation by using continue while
iterating over elements in bucket.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_has
-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 8 ++--
include/linux/netfilter/ipset/ip_set_comment.h | 7 +--
net/netfilter/ipset/ip_set_bitmap_gen.h| 5 +++--
net/netfilter/ipset/ip_set_core.c | 2 +
proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Suggested-by: Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 30 +++---
net/netfilter/ipset/ip_se
The calculation of the full allocated memory did not take
into account the size of the base hash bucket structure at some
places.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 16 +---
1 file changed, 9 insertions
The set full case (with net_ratelimit()-ed pr_warn()) is already
handled, simply jump there.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 8 +---
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/net/netfilter
It is better to list the set elements for all set types, thus the
header information is uniform. Element counts are therefore added
to the bitmap and list types.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h| 2 ++
include
mer() and mod_timer() to setup and arm a timer, making the
code compact and easier to read.
Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_bitmap_gen.h | 7 ++-
net/
From: Tomasz Chilinski <tomasz.chilin...@chilan.com>
Introduce the hash:ipmac type.
Signed-off-by: Tomasz Chiliński <tomasz.chilin...@chilan.com>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/Kconfig | 9 +
net/netfil
Cleanup to separate all extensions into individual files.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Suggested-by: Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfil
<popovich_ser...@mail.ua>.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h| 51 +++-
net/netfilter/ipset/ip_set_hash_ip.c | 10 +++---
net/netfilter/ipset/ip_set_hash_ipmark.c | 10
Hash types already have their memsize calculation code in separate
functions. Clean up and do the same for *bitmap* and *list* sets.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Suggested-by: Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozs
Remove redundant parameters nets_length and dsize, because
they can be obtained from other parameters.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 9 +
a_list' with return type bool
Return statements in functions returning bool should use
true/false instead of 1/0.
Generated by: scripts/coccinelle/misc/boolreturn.cocci
CC: Tomasz Chilinski <tomasz.chilin...@chilan.com>
Signed-off-by: Fengguang Wu <fengguang...@intel.com>
Signed-off-by: Joz
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h
and the only place where NLEN needed to be calculated at runtime
is *_create() method.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu&
Remove unnecessary whitespaces.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Suggested-by: Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 13 +++
Mark some of the helpers arguments as const.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Suggested-by: Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip
)
Eric B Munson (1):
netfilter: ipset: Add element count to hash headers
Jozsef Kadlecsik (19):
netfilter: ipset: Remove extra whitespaces in ip_set.h
netfilter: ipset: Mark some helper args as const.
netfilter: ipset: Headers file cleanup
netfilter: ipset: Improve
Remove extra whitespace, group counter helper together. Mark some of
the helpers arguments as const.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Suggested-by: Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kad...@bl
The calculation of the full allocated memory did not take
into account the size of the base hash bucket structure at some
places.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 16 +---
1 file changed, 9 insertions
the timer is inactive it will be activated).
Use setup_timer() and mod_timer() to setup and arm a timer, making the
code compact and easier to read.
Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
Exit as early as possible on error and use RCU_INIT_POINTER()
as set is not seen at creation time.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 63 ---
1 file changed, 29 insertions(+), 34 del
-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 8 ++--
include/linux/netfilter/ipset/ip_set_comment.h | 7 +--
net/netfilter/ipset/ip_set_bitmap_gen.h| 5 +++--
net/netfilter/ipset/ip_set_core.c | 2 +
a_list' with return type bool
Return statements in functions returning bool should use
true/false instead of 1/0.
Generated by: scripts/coccinelle/misc/boolreturn.cocci
CC: Tomasz Chilinski <tomasz.chilin...@chilan.com>
Signed-off-by: Fengguang Wu <fengguang...@intel.com>
Signed-off-by: Joz
Hash types already have their memsize calculation code in separate
functions. Do the same for *bitmap* and *list* sets.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Suggested-by: Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozsef Ka
the timer is inactive it will be activated).
Use setup_timer() and mod_timer() to setup and arm a timer, making the
code compact and easier to read.
Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
It is better to list the set elements for all set types, thus the
header information is uniform. Element counts are therefore added
to the bitmap and list types.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h| 2 ++
include
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h
and the only place where NLEN needed to be calculated at runtime
is *_create() method.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu&
Data for hashing is required to be an array of u32. Make sure that
element data is always a multiple of u32.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 10 +
.@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 30 +++---
net/netfilter/ipset/ip_set_core.c | 12 ++--
net/netfilter/xt_set.c | 12 +++-
3 files changed, 24
Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h
b/net/netfilter/ipset/ip_se
header that is
exported to userspace. This field is then printed by the userspace
tool for hashes.
Signed-off-by: Eric B Munson <emun...@akamai.com>
Cc: Pablo Neira Ayuso <pa...@netfilter.org>
Cc: Josh Hunt <joh...@akamai.com>
Cc: netfilter-devel@vger.kernel.org
Signed-off-b
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set.h
b/include/linux/netfilter/ipset/ip_set.h
index b5bd0fb3..7a218eb
the timer is inactive it will be activated).
Use setup_timer() and mod_timer() to setup and arm a timer, making the
code compact and easier to read.
Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
Hash types already have their memsize calculation code in separate
functions. Do the same for *bitmap* and *list* sets.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Suggested-by: Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozsef Ka
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h
and the only place where NLEN needed to be calculated at runtime
is *_create() method.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu&
<popovich_ser...@mail.ua>.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h| 51 +++-
net/netfilter/ipset/ip_set_hash_ip.c | 10 +++---
net/netfilter/ipset/ip_set_hash_ipmark.c | 10
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Suggested-by: Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 95 +--
Data for hashing is required to be an array of u32. Make sure that
element data is always a multiple of u32.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 10 +
Allocate memory with kmalloc() rather than kzalloc().
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Suggested-by: Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipse
a_list' with return type bool
Return statements in functions returning bool should use
true/false instead of 1/0.
Generated by: scripts/coccinelle/misc/boolreturn.cocci
CC: Tomasz Chilinski <tomasz.chilin...@chilan.com>
Signed-off-by: Fengguang Wu <fengguang...@intel.com>
Signed-off-by: Joz
Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h
b/net/netfilter/ipset/ip_se
Remove redundant parameters nets_length and dsize:
they could be obtained from other parameters.
Remove one level of indentation by using continue while
iterating over elements in bucket.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Signed-off-by: Jozsef Kadlecsi
It is better to list the set elements for all set types, thus the
header information is uniform. Element counts are therefore added
to the bitmap and list types.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h| 2 ++
include
the timer is inactive it will be activated).
Use setup_timer() and mod_timer() to setup and arm a timer, making the
code compact and easier to read.
Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
):
netfilter: ipset: Add element count to hash headers
Jozsef Kadlecsik (16):
netfilter: ipset: Correct rcu_dereference_bh_nfnl() usage
netfilter: ipset: Headers file cleanup
netfilter: ipset: Improve skbinfo get/init helpers
netfilter: ipset: Improve comment extension helpers
From: Tomasz Chilinski <tomasz.chilin...@chilan.com>
Signed-off-by: Tomasz Chiliński <tomasz.chilin...@chilan.com>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/Kconfig | 9 +
net/netfilter/ipset/Makefile| 1 +
n
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set.h
b/include/linux/netfilter/ipset/ip_set.h
index b5bd0fb3..7a218eb
The calculation of the full allocated memory did not take
into account the size of the base hash bucket structure at some
places.
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 16 +---
1 file changed, 9 insertions
-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 8 ++--
include/linux/netfilter/ipset/ip_set_comment.h | 7 +--
net/netfilter/ipset/ip_set_bitmap_gen.h| 5 +++--
net/netfilter/ipset/ip_set_core.c | 2 +
.@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 30 +++---
net/netfilter/ipset/ip_set_core.c | 12 ++--
net/netfilter/xt_set.c | 12 +++-
3 files changed, 24
Remove extra whitespace, group counter helper together. Mark some of
the helpers arguments as const.
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>.
Suggested-by: Sergey Popovich <popovich_ser...@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kad...@bl
Hi,
I'm happy to announce ipset 6.30 which introduces a new set type,
hash:ip,mac, and brings a couple of small corrections and backports from
the most recent kernel tree.
Userspace changes:
- Drop extra comma from error message (Neutron Soutmun)
- Fix the incorrect dynamic/static modules
the timer is inactive it will be activated).
Use setup_timer() and mod_timer() to setup and arm a timer, making the
code compact and easier to read.
Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>
---
Hi Josh,
Overall, I like the feature and the patches. After reviewing I comment
only on the parts where I believe some modifications are needed.
On Tue, 21 Mar 2017, Josh Hunt wrote:
> Extends ipset netmask support to handle both cidr values and full
> netmasks. As part of that it now supports
On Tue, 21 Mar 2017, Josh Hunt wrote:
> Convert netmask to store cidr and netmask.
>
> Signed-off-by: Josh Hunt
> ---
> include/libipset/data.h | 5 ++-
> include/libipset/linux_ip_set.h | 5 +++
> include/libipset/print.h| 3 ++
> lib/data.c
> -#define IPSET_TYPE_REV_MAX 4 /* skbinfo support */
> +/* 4 skbinfo support */
> +#define IPSET_TYPE_REV_MAX 5 /* nf_inet_addr netmask support */
>
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Jozsef Kadlecsik &
On Tue, 21 Mar 2017, Josh Hunt wrote:
> Adds netmask support to hash:ipport sets.
>
> Signed-off-by: Josh Hunt
> ---
> lib/ipset_hash_ipport.c | 194
>
> 1 file changed, 194 insertions(+)
>
> diff --git
dded */
> +#define IPSET_TYPE_REV_MAX 6 /* netmask support added */
>
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Jozsef Kadlecsik <kad...@blackhole.kfki.hu>");
> @@ -38,6 +39,7 @@
>
> /* Type specific function prefix */
> #define HTYPE
Hi Josh,
On Tue, 28 Mar 2017, Josh Hunt wrote:
> > Overall, I like the feature and the patches. After reviewing I comment
> > only on the parts where I believe some modifications are needed.
>
> Thanks for the review. I'll go through this and send a v2 in the next
> few days.
Thinking over it I
On Tue, 28 Mar 2017, Josh Hunt wrote:
> > Thinking over it I understand better your approach: replace
> > IPSET_ATTR_NETMASK with IPSET_ATTR_NETMASK_MASK completely and keeping
> > the former for backward compatibility reasons only. What I propose is
> > able to maintain syntax-compatibility
On Fri, 17 Mar 2017, Jan Engelhardt wrote:
> With 4.10.3, ipset 6.32 seems to run into an issue:
>
> [ 59s]
> /home/abuild/rpmbuild/BUILD/ipset-default-6.32/kernel/net/netfilter/xt_set.c:
> In function 'set_match_v0':
> [ 59s]
>
cp connections are now dropped
> if they are no longer established (e.g. in finwait).
>
> This could be refined further, e.g. by adding 'soft' established timeout
> (i.e., a timeout that is only used once we get close to resource
> exhaustion).
I like the idea and the implementation:
Acked-by: Jozs
Hi Pablo,
On Fri, 14 Apr 2017, Pablo Neira Ayuso wrote:
> On Mon, Apr 10, 2017 at 03:52:37PM -0400, Aaron Conole wrote:
> > There are no in-tree callers.
>
> @Jozsef, let me know if I should just take this to save you a pull
> request.
Just take it, thank you.
Acked-by: Joz
Hi,
On Thu, 8 Dec 2016, Willem de Bruijn wrote:
> From: Willem de Bruijn
>
> Between revisions, the layout of xtables data may change completely.
> Do not interpret the data in a revision M with a module of revision N.
>
> Signed-off-by: Willem de Bruijn
On Fri, 3 Mar 2017, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > > However, changing test to if (iph->frag_off) return -NF_ACCEPT seems
> > > wrong too because we have enough info to track. OTOH, this only happens
> > > with HDRINCL+raw socket so perhaps we
Hi,
ipset 6.32 has been released, with just userspace part changes.
Omri Bahumi and Yoni Lavi discovered that due to the improper handling of
the ipset output buffer, the output may be truncated. So for example in an
"ipset save" output, instead of 192.168.0.0/24, just 192.168.0.0 is printed.
If
On Sun, 12 Mar 2017, Jozsef Kadlecsik wrote:
> ipset 6.32 has been released, with just userspace part changes.
> Omri Bahumi and Yoni Lavi discovered that due to the improper handling of
> the ipset output buffer, the output may be truncated. So for example in an
> "ipset save
On Thu, 27 Apr 2017, Willem de Bruijn wrote:
> > Maybe the case can be reproduced with the following steps, but I'm
> > guessing:
> >
> > - rules inserted
> > - iptables binary downgraded/upgraded
> > - rules listed
>
> It will. This is largely what the patch protects against. But perhaps
> it
Hi Willem,
On Wed, 26 Apr 2017, Willem de Bruijn wrote:
> On Wed, Apr 26, 2017 at 5:15 PM, Willem de Bruijn
> wrote:
> >>> The patch breaks backward/forward compatibility in a match/target.
> >>>
> >>> When the list of the revisions of a given match/target of
Hi,
On Tue, 30 May 2017, Neutron Soutmun wrote:
> Fix the ipset command replacement.
>
> For ipset="/sbin/ipset"
>
> Actual:
> /sbin//sbin/ipset 2>.foo.err | ... | xargs -n1 ipset
> Expected:
> /sbin/ipset 2>.foo.err | ... | xargs -n1 /sbin/ipset
> ---
> tests/runtest.sh | 2
Hi Pablo,
On Mon, 18 Sep 2017, Pablo Neira Ayuso wrote:
> On Mon, Sep 11, 2017 at 09:52:36PM +0200, Jozsef Kadlecsik wrote:
> > Hi Pablo,
> >
> > Here follows a few ipset patches for the nf-next tree:
> >
> > * Merge assignment and simplify return in a fu
Hello,
I messed up and created duplicates in the public ipset git repo:
942de32 Merge branch 'master' of git.netfilter.org:ipset
a029bc6 Reset state after a command failed, when multiple ones are issued.
2a98659 Handle padding attribute properly in userspace.
5128db6 Add test file missing from