Re: [ipset] hash:net,iface bug?

2016-05-26 Thread Jozsef Kadlecsik
On Mon, 23 May 2016, Jozsef Kadlecsik wrote: > On Mon, 23 May 2016, Marek Mrva wrote: > > > I have been playing with hash:net,iface table for a couple of days now, > > but for the love of me, I can't make it accept physdev: devices. > > > > The man says:

Re: [PATCH] ipset: Backports for the nla_put_net64() API changes

2016-06-28 Thread Jozsef Kadlecsik
On Thu, 23 Jun 2016, Neutron Soutmun wrote: > * Backports the patch "libnl: nla_put_net64():align on a 64-bit area" [1] > by Nicolas Dichtel > > * Since the nla_put_net64() API has been changed, therefore, the > ip_set_compat.h.in should provides the macro

Re: [PATCH 1/1] netfilter: ipset: Fix set:list type crash when flush/dump set in parallel

2016-02-29 Thread Jozsef Kadlecsik
On Mon, 29 Feb 2016, Pablo Neira Ayuso wrote: > On Wed, Feb 24, 2016 at 09:19:26PM +0100, Jozsef Kadlecsik wrote: > > Flushing/listing entries was not RCU safe, so parallel flush/dump > > could lead to kernel crash. Bug reported by Deniz Eren. > > > > Fixes

[PATCH 1/1] netfilter: ipset: Fix set:list type crash when flush/dump set in parallel

2016-02-24 Thread Jozsef Kadlecsik
Flushing/listing entries was not RCU safe, so parallel flush/dump could lead to kernel crash. Bug reported by Deniz Eren. Fixes netfilter bugzilla id #1050. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_core.c | 3 ++ net/netfilter

[PATCH 0/1] ipset patch for nf

2016-02-24 Thread Jozsef Kadlecsik
type crash when flush/dump set in parallel (2016-02-24 20:32:21 +0100) Jozsef Kadlecsik (1): netfilter: ipset: Fix set:list type crash when flush/dump set in parallel net/netfilter/ipset/ip_set_core.c | 3 +++ net

Re: [PATCH 1/1] netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length

2016-03-08 Thread Jozsef Kadlecsik
Hi Daniel, On Tue, 8 Mar 2016, Daniel Borkmann wrote: > On 03/08/2016 08:44 PM, Jozsef Kadlecsik wrote: > > Julia Lawall pointed out that IPSET_ATTR_ETHER netlink attribute length > > was not checked explicitly, just for the maximum possible size. Malicious > > netlink clien

[ANNOUNCE] ipset 6.28 released

2016-03-12 Thread Jozsef Kadlecsik
Hi, I'm happy to announce ipset 6.28 with a couple of important fixes, some compatibility improvements and corrections. Userspace changes: - Support older pkg-config packages - Add bash completion to the install routine (Mart Frauenlob) - Fix misleading error message with comment

[PATCH 1/1] netfilter: ipset: fix race condition in ipset save, swap and delete

2016-03-19 Thread Jozsef Kadlecsik
Hunt <joh...@akamai.com> Signed-off-by: Vishwanath Pai <v...@akamai.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 4 net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +- net/netfilter/ip

[ANNOUNCE] ipset 6.29 released

2016-03-19 Thread Jozsef Kadlecsik
Hi, ipset 6.29 is released, because the configure script was broken and a race condition was fixed in concurrent save-swap and then delete operations. Userspace changes: - Suppress unnecessary stderr in command loop for resize and list - Correction in comment test - Support chroot

Re: [ANNOUNCE] ipset 6.28 released

2016-03-13 Thread Jozsef Kadlecsik
On Sat, 12 Mar 2016, Jan Engelhardt wrote: > >I'm happy to announce ipset 6.28 with a couple of important fixes, some > >compatibility improvements and corrections. > > - Support older pkg-config packages > > Whatever you did, it broke. > > [ 51s] checking for libmnl... no > [ 51s]

Re: [ANNOUNCE] ipset 6.28 released

2016-03-13 Thread Jozsef Kadlecsik
On Sun, 13 Mar 2016, Jan Engelhardt wrote: > On Sunday 2016-03-13 11:33, Jozsef Kadlecsik wrote: > >On Sat, 12 Mar 2016, Jan Engelhardt wrote: > > > >Does this patch help to solve the problem? > > > >diff --git a/configure.ac b/configure.ac > >index 198883

Re: [ANNOUNCE] ipset 6.28 released

2016-03-13 Thread Jozsef Kadlecsik
On Sun, 13 Mar 2016, Jan Engelhardt wrote: > By the way, there is another issue. You are calling `modinfo` when make > install, but you are not passing -b ${DESTDIR}, so it, too, fails > inside chroot buildroots. (because /lib/modules/V/kernel is empty; > ipset is in $DESTDIR/lib/modules/V/...)

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Jozsef Kadlecsik
On Mon, 28 Mar 2016, Eric Dumazet wrote: > On Mon, 2016-03-28 at 22:20 +0200, Jan Engelhardt wrote: > > On Monday 2016-03-28 21:29, David Miller wrote: > > >>> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff > > >>> > > *skb, > > >>> > > length--; > > >>> > >

Re: [PATCH v2] netfilter: fix race condition in ipset save, swap and delete

2016-03-19 Thread Jozsef Kadlecsik
Hi, On Mon, 14 Mar 2016, Vishwanath Pai wrote: > I have updated the patch according to comments by Jozsef. Renamed > ref_kernel to ref_netlink, renamed _put/_get functions and updated the > description in commit log. Patch is applied to the ipset git tree - you use some older kernel tree and I

Re: [ANNOUNCE] ipset 6.29 released

2016-03-19 Thread Jozsef Kadlecsik
On Thu, 17 Mar 2016, AllKind wrote: > On 16.03.2016 21:40, Jozsef Kadlecsik wrote: > > > > ipset 6.29 is released, because the configure script was broken and a > > race condition was fixed in concurrent save-swap and then delete > > operations. > [...] >

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-27 Thread Jozsef Kadlecsik
On Sun, 27 Mar 2016, Baozeng Ding wrote: > The following program triggers stack-out-of-bounds in tcp_packet. The > kernel version is 4.5 (on Mar 16 commit > 09fd671ccb2475436bd5f597f751ca4a7d177aea). > Uncovered with syzkaller. Thanks. > >

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-27 Thread Jozsef Kadlecsik
On Mon, 28 Mar 2016, Jozsef Kadlecsik wrote: > On Sun, 27 Mar 2016, Baozeng Ding wrote: > > > The following program triggers stack-out-of-bounds in tcp_packet. The > > kernel version is 4.5 (on Mar 16 commit > > 09fd671ccb2475436bd5f597f751ca4a7d177aea). > > Un

[PATCH 1/1] netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length

2016-03-08 Thread Jozsef Kadlecsik
-by: Julia Lawall <julia.law...@lip6.fr> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 ++ net/netfilter/ipset/ip_set_hash_mac.c | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/net/net

[PATCH 0/1] ipset patch for nf

2016-03-08 Thread Jozsef Kadlecsik
to d8aacd87180141ff6b812b53de77a4336e87c91a: netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length (2016-03-08 20:36:17 +0100) Jozsef Kadlecsik (1): netfilter: ipset: Check IPSET_ATTR_ETHER netlink attribute length net

[PATCH 0/1] netfilter TCP conntrack option parser fix

2016-03-30 Thread Jozsef Kadlecsik
) Jozsef Kadlecsik (1): net: netfilter: Fix stack out of bounds when parsing TCP options net/netfilter/nf_conntrack_proto_tcp.c | 4 1 file changed, 4 insertions(+)

[PATCH 1/1] net: netfilter: Fix stack out of bounds when parsing TCP options

2016-03-30 Thread Jozsef Kadlecsik
TCP option code and size. Reported-by: Baozeng Ding <splovi...@gmail.com> Tested-by: Baozeng Ding <splovi...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/nf_conntrack_proto_tcp.c | 4 1 file changed, 4 insertions(+) diff --g

Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet

2016-03-28 Thread Jozsef Kadlecsik
ing wrote: > > > > > > On 2016/3/28 6:25, Jozsef Kadlecsik wrote: > > > On Mon, 28 Mar 2016, Jozsef Kadlecsik wrote: > > > > > > > On Sun, 27 Mar 2016, Baozeng Ding wrote: > > > > > > > > > The following program triggers stac

Re: new ipset set type - hash:ip,mac

2016-04-25 Thread Jozsef Kadlecsik
On Sun, 24 Apr 2016, Tomasz Chiliński wrote: > First - thanks a lot for excellent ipset toolkit! > Second - Sorry for posting directly to you, but didn't get reply from > netfilter-devel > mailing list after trying to subscribe there. > > I've created lately my own very missed set type

Re: [ipset] hash:net,iface bug?

2016-05-23 Thread Jozsef Kadlecsik
On Mon, 23 May 2016, Marek Mrva wrote: > I have been playing with hash:net,iface table for a couple of days now, > but for the love of me, I can't make it accept physdev: devices. > > The man says: When the interface is flagged with physdev:, the interface > is interpreted as the

Re: [PATCH 1/3] netfilter: ipset: use setup_timer() and mod_timer().

2016-05-20 Thread Jozsef Kadlecsik
On Sat, 14 May 2016, Muhammad Falak R Wani wrote: > Use setup_timer() and instead of init_timer(), being the preferred way > of setting up a timer. > > Also, quoting the mod_timer() function comment: > -> mod_timer() is a more efficient way to update the expire field of an >active timer (if

Re: [PATCH v3 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Jozsef Kadlecsik
Hi Florian, On Mon, 23 Jan 2017, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Mon, Jan 23, 2017 at 01:28:48PM +0100, Florian Westphal wrote: > > > diff --git a/net/netfilter/core.c b/net/netfilter/core.c > > > index 0c629fdf90e1..ce6adfae521a 100644 > > > ---

Re: [PATCH v3 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Jozsef Kadlecsik
On Mon, 23 Jan 2017, Florian Westphal wrote: > Jozsef Kadlecsik <kad...@blackhole.kfki.hu> wrote: > > > > > --- a/net/netfilter/core.c > > > > > +++ b/net/netfilter/core.c > > > > > @@ -375,7 +375,7 @@ void nf_ct_attach(str

[PATCH 0/2] ipset patches for nf

2017-02-19 Thread Jozsef Kadlecsik
for you to fetch changes up to 40b446a1d8af17274746ff7079aa0a618dffbac3: netfilter: ipset: Null pointer exception in ipset list:set (2017-02-19 19:08:47 +0100) Jozsef Kadlecsik (1): Fix bug: sometimes valid entries in hash

[PATCH 2/2] netfilter: ipset: Null pointer exception in ipset list:set

2017-02-19 Thread Jozsef Kadlecsik
uting the above will crash the kernel. Signed-off-by: Vishwanath Pai <v...@akamai.com> Reviewed-by: Josh Hunt <joh...@akamai.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_list_set.c | 9 ++--- 1 file changed, 6 insertions(+),

[PATCH 1/2] Fix bug: sometimes valid entries in hash:* types of sets were evicted

2017-02-19 Thread Jozsef Kadlecsik
Wrong index was used and therefore when shrinking a hash bucket at deleting an entry, valid entries could be evicted as well. Thanks to Eric Ewanco for the thorough bugreport. Fixes netfilter bugzilla #1119 Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter

[ANNOUNCE] ipset 6.31 released

2017-02-19 Thread Jozsef Kadlecsik
Hi, ipset 6.31 has just been released with two important bugfixes. So please upgrade your ipset package. Userspace changes: - Update manpage about the size parameter of list:set types. - New test to verify that only the intended entries are deleted at hash types. Kernel part changes:

Re: Parameter 'size' in type list:set is ignored

2017-02-15 Thread Jozsef Kadlecsik
m fixed sized arrays to linked lists. > I think this change was introduced in v4.2 by the following commit: > commit 00590fdd5be0d763631ef10e6a3e2ce8fc2d9ec3 > Author: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> > Date: Sat Jun 13 16:56:02 2015 +0200 > >

Re: Parameter 'size' in type list:set is ignored

2017-02-16 Thread Jozsef Kadlecsik
On Wed, 15 Feb 2017, Vishwanath Pai wrote: > On 02/15/2017 04:33 AM, Jozsef Kadlecsik wrote: > > On Tue, 14 Feb 2017, Vishwanath Pai wrote: > > > >> I noticed that in recent versions of ipset the parameter 'size' in set > >> type list:set is ignored. I noticed t

Re: [PATCH] netfilter: ipset: Null pointer exception in ipset list:set

2017-02-16 Thread Jozsef Kadlecsik
Hi, On Wed, 15 Feb 2017, Vishwanath Pai wrote: > If we use before/after to add an element to an empty list it will cause > a kernel panic. > > $> cat crash.restore > create a hash:ip > create b hash:ip > create test list:set timeout 5 size 4 > add test b before a > > $> ipset -R <

[PATCH 09/22] netfilter: ipset: Add element count to hash headers

2016-11-10 Thread Jozsef Kadlecsik
header that is exported to userspace. This field is then printed by the userspace tool for hashes. Signed-off-by: Eric B Munson <emun...@akamai.com> Cc: Pablo Neira Ayuso <pa...@netfilter.org> Cc: Josh Hunt <joh...@akamai.com> Cc: netfilter-devel@vger.kernel.org Signed-off-b

[PATCH 13/22] netfilter: ipset: Simplify mtype_expire() for hash types

2016-11-10 Thread Jozsef Kadlecsik
Remove one level of indentation by using continue while iterating over elements in bucket. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_has

[PATCH 11/22] netfilter: ipset: Count non-static extension memory for userspace

2016-11-10 Thread Jozsef Kadlecsik
-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 8 ++-- include/linux/netfilter/ipset/ip_set_comment.h | 7 +-- net/netfilter/ipset/ip_set_bitmap_gen.h| 5 +++-- net/netfilter/ipset/ip_set_core.c | 2 +

[PATCH 04/22] netfilter: ipset: Improve skbinfo get/init helpers

2016-11-10 Thread Jozsef Kadlecsik
proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 30 +++--- net/netfilter/ipset/ip_se

[PATCH 19/22] netfilter: ipset: Fix reported memory size for hash:* types

2016-11-10 Thread Jozsef Kadlecsik
The calculation of the full allocated memory did not take into account the size of the base hash bucket structure at some places. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 16 +--- 1 file changed, 9 insertions

[PATCH 03/22] netfilter: ipset: Headers file cleanup

2016-11-10 Thread Jozsef Kadlecsik
Group counter helper functions together. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/i

[PATCH 16/22] netfilter: ipset: Optimize hash creation routine

2016-11-10 Thread Jozsef Kadlecsik
Exit as easly as possible on error and use RCU_INIT_POINTER() as set is not seen at creation time. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 63 --- 1 file changed, 29 insertions(+), 34 del

[PATCH 18/22] netfilter: ipset: Collapse same condition body to a single one

2016-11-10 Thread Jozsef Kadlecsik
The set full case (with net_ratelimit()-ed pr_warn()) is already handled, simply jump there. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 8 +--- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/net/netfilter

[PATCH 05/22] netfilter: ipset: Use kmalloc() in comment extension helper

2016-11-10 Thread Jozsef Kadlecsik
; Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set_comment.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/netfilter/ipset/ip_set_comment.h b/include/linux/netfilter/ipset/ip_set_comment.h index bae5c

[PATCH 10/22] netfilter: ipset: Add element count to all set types header

2016-11-10 Thread Jozsef Kadlecsik
It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h| 2 ++ include

[PATCH 21/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-11-10 Thread Jozsef Kadlecsik
mer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_bitmap_gen.h | 7 ++- net/

[PATCH 20/22] netfilter: ipset: hash:ipmac type support added to ipset

2016-11-10 Thread Jozsef Kadlecsik
From: Tomasz Chilinski <tomasz.chilin...@chilan.com> Introduce the hash:ipmac type. Signed-off-by: Tomasz Chiliński <tomasz.chilin...@chilan.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/Kconfig | 9 + net/netfil

[PATCH 06/22] netfilter: ipset: Split extensions into separate files

2016-11-10 Thread Jozsef Kadlecsik
Cleanup to separate all extensions into individual files. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfil

[PATCH 17/22] netfilter: ipset: Make struct htype per ipset family

2016-11-10 Thread Jozsef Kadlecsik
<popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h| 51 +++- net/netfilter/ipset/ip_set_hash_ip.c | 10 +++--- net/netfilter/ipset/ip_set_hash_ipmark.c | 10

[PATCH 07/22] netfilter: ipset: Separate memsize calculation code into dedicated function

2016-11-10 Thread Jozsef Kadlecsik
Hash types already have their memsize calculation code in separate functions. Clean up and do the same for *bitmap* and *list* sets. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozs

[PATCH 12/22] netfilter: ipset: Remove redundant mtype_expire() arguments

2016-11-10 Thread Jozsef Kadlecsik
Remove redundant parameters nets_length and dsize, because they can be get from other parameters. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 9 +

[PATCH 22/22] netfilter: ipset: hash: fix boolreturn.cocci warnings

2016-11-10 Thread Jozsef Kadlecsik
a_list' with return type bool Return statements in functions returning bool should use true/false instead of 1/0. Generated by: scripts/coccinelle/misc/boolreturn.cocci CC: Tomasz Chilinski <tomasz.chilin...@chilan.com> Signed-off-by: Fengguang Wu <fengguang...@intel.com> Signed-off-by: Joz

[PATCH 08/22] netfilter: ipset: Regroup ip_set_put_extensions and add extern

2016-11-10 Thread Jozsef Kadlecsik
Cleanup: group ip_set_put_extensions and ip_set_get_extensions together and add missing extern. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/include/linux/net

[PATCH 14/22] netfilter: ipset: Make NLEN compile time constant for hash types

2016-11-10 Thread Jozsef Kadlecsik
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h and the only place where NLEN needed to be calculated at runtime is *_create() method. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>

[PATCH 01/22] netfilter: ipset: Remove extra whitespaces in ip_set.h

2016-11-10 Thread Jozsef Kadlecsik
Remove unnecessary whitespaces. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 13 +++

[PATCH 02/22] netfilter: ipset: Mark some helper args as const.

2016-11-10 Thread Jozsef Kadlecsik
Mark some of the helpers arguments as const. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip

[PATCH 00/22] ipset patches for nf-next, v3

2016-11-10 Thread Jozsef Kadlecsik
) Eric B Munson (1): netfilter: ipset: Add element count to hash headers Jozsef Kadlecsik (19): netfilter: ipset: Remove extra whitespaces in ip_set.h netfilter: ipset: Mark some helper args as const. netfilter: ipset: Headers file cleanup netfilter: ipset: Improve

[PATCH 21/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-23 Thread Jozsef Kadlecsik
the timer is inactive it will be activated). Use setup_timer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> ---

[PATCH 04/22] netfilter: ipset: Improve comment extension helpers

2016-10-23 Thread Jozsef Kadlecsik
Allocate memory with kmalloc() rather than kzalloc(). Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipse

[PATCH 15/22] netfilter: ipset: Make struct htype per ipset family

2016-10-23 Thread Jozsef Kadlecsik
<popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h| 51 +++- net/netfilter/ipset/ip_set_hash_ip.c | 10 +++--- net/netfilter/ipset/ip_set_hash_ipmark.c | 10

[PATCH 18/22] netfilter: ipset: hash:ipmac type support added to ipset

2016-10-23 Thread Jozsef Kadlecsik
From: Tomasz Chilinski <tomasz.chilin...@chilan.com> Signed-off-by: Tomasz Chiliński <tomasz.chilin...@chilan.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/Kconfig | 9 + net/netfilter/ipset/Makefile| 1 + n

[PATCH 11/22] netfilter: ipset: Simplify mtype_expire() for hash types

2016-10-23 Thread Jozsef Kadlecsik
Remove redundant parameters nets_length and dsize: they could be get from other parameters. Remove one level of indentation by using continue while iterating over elements in bucket. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsi

[PATCH 02/22] netfilter: ipset: Headers file cleanup

2016-10-23 Thread Jozsef Kadlecsik
Remove extra whitespace, group counter helper together. Mark some of the helpers arguments as const. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@bl

[PATCH 17/22] netfilter: ipset: Fix reported memory size for hash:* types

2016-10-23 Thread Jozsef Kadlecsik
The calculation of the full allocated memory did not take into account the size of the base hash bucket structure at some places. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 16 +--- 1 file changed, 9 insertions

[PATCH 20/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-23 Thread Jozsef Kadlecsik
the timer is inactive it will be activated). Use setup_timer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> ---

[PATCH 14/22] netfilter: ipset: Optimize hash creation routine

2016-10-23 Thread Jozsef Kadlecsik
Exit as easly as possible on error and use RCU_INIT_POINTER() as set is not seen at creation time. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 63 --- 1 file changed, 29 insertions(+), 34 del

[PATCH 10/22] netfilter: ipset: Count non-static extension memory for userspace

2016-10-23 Thread Jozsef Kadlecsik
-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 8 ++-- include/linux/netfilter/ipset/ip_set_comment.h | 7 +-- net/netfilter/ipset/ip_set_bitmap_gen.h| 5 +++-- net/netfilter/ipset/ip_set_core.c | 2 +

[PATCH 22/22] netfilter: ipset: hash: fix boolreturn.cocci warnings

2016-10-23 Thread Jozsef Kadlecsik
a_list' with return type bool Return statements in functions returning bool should use true/false instead of 1/0. Generated by: scripts/coccinelle/misc/boolreturn.cocci CC: Tomasz Chilinski <tomasz.chilin...@chilan.com> Signed-off-by: Fengguang Wu <fengguang...@intel.com> Signed-off-by: Joz

[PATCH 06/22] netfilter: ipset: Separate memsize calculation code into dedicated function

2016-10-23 Thread Jozsef Kadlecsik
Hash types already have their memsize calculation code in separate functions. Do the same for *bitmap* and *list* sets. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Ka

[PATCH 19/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-23 Thread Jozsef Kadlecsik
the timer is inactive it will be activated). Use setup_timer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> ---

[PATCH 09/22] netfilter: ipset: Add element count to all set types header

2016-10-23 Thread Jozsef Kadlecsik
It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h| 2 ++ include

[PATCH 12/22] netfilter: ipset: Make NLEN compile time constant for hash types

2016-10-23 Thread Jozsef Kadlecsik
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h and the only place where NLEN needed to be calculated at runtime is *_create() method. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>

[PATCH 13/22] netfilter: ipset: Make sure element data size is a multiple of u32

2016-10-23 Thread Jozsef Kadlecsik
Data for hashing is required to be an array of u32. Make sure that element data is always a multiple of u32. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 10 +

[PATCH 03/22] netfilter: ipset: Improve skbinfo get/init helpers

2016-10-23 Thread Jozsef Kadlecsik
.@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 30 +++--- net/netfilter/ipset/ip_set_core.c | 12 ++-- net/netfilter/xt_set.c | 12 +++- 3 files changed, 24

[PATCH 01/22] netfilter: ipset: Correct rcu_dereference_bh_nfnl() usage

2016-10-23 Thread Jozsef Kadlecsik
Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_se

[PATCH 08/22] netfilter: ipset: Add element count to hash headers

2016-10-23 Thread Jozsef Kadlecsik
header that is exported to userspace. This field is then printed by the userspace tool for hashes. Signed-off-by: Eric B Munson <emun...@akamai.com> Cc: Pablo Neira Ayuso <pa...@netfilter.org> Cc: Josh Hunt <joh...@akamai.com> Cc: netfilter-devel@vger.kernel.org Signed-off-b

[PATCH 00/22] ipset patches for nf-next, v2

2016-10-23 Thread Jozsef Kadlecsik
: fix boolreturn.cocci warnings (2016-10-23 22:24:56 +0200) Eric B Munson (1): netfilter: ipset: Add element count to hash headers Jozsef Kadlecsik (16): netfilter: ipset: Correct rcu_dereference_bh_nfnl() usage

[PATCH 16/22] netfilter: ipset: Collapse same condition body to a single one

2016-10-23 Thread Jozsef Kadlecsik
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 8 +--- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h index 0082ccf..f4b30b6 100644 ---

[PATCH 07/22] netfilter: ipset: Regroup ip_set_put_extensions and add extern

2016-10-23 Thread Jozsef Kadlecsik
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index b5bd0fb3..7a218eb

[PATCH 20/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-17 Thread Jozsef Kadlecsik
the timer is inactive it will be activated). Use setup_timer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> ---

[PATCH 06/22] netfilter: ipset: Separate memsize calculation code into dedicated function

2016-10-17 Thread Jozsef Kadlecsik
Hash types already have their memsize calculation code in separate functions. Do the same for *bitmap* and *list* sets. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Ka

[PATCH 12/22] netfilter: ipset: Make NLEN compile time constant for hash types

2016-10-17 Thread Jozsef Kadlecsik
Hash types define HOST_MASK before inclusion of ip_set_hash_gen.h and the only place where NLEN needed to be calculated at runtime is *_create() method. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu>

[PATCH 15/22] netfilter: ipset: Make struct htype per ipset family

2016-10-17 Thread Jozsef Kadlecsik
<popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h| 51 +++- net/netfilter/ipset/ip_set_hash_ip.c | 10 +++--- net/netfilter/ipset/ip_set_hash_ipmark.c | 10

[PATCH 05/22] netfilter: ipset: Split extensions into separate files

2016-10-17 Thread Jozsef Kadlecsik
Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 95 +--

[PATCH 13/22] netfilter: ipset: Make sure element data size is a multiple of u32

2016-10-17 Thread Jozsef Kadlecsik
Data for hashing is required to be an array of u32. Make sure that element data is always a multiple of u32. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 10 +

[PATCH 04/22] netfilter: ipset: Improve comment extension helpers

2016-10-17 Thread Jozsef Kadlecsik
Allocate memory with kmalloc() rather than kzalloc(). Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipse

[PATCH 22/22] netfilter: ipset: hash: fix boolreturn.cocci warnings

2016-10-17 Thread Jozsef Kadlecsik
a_list' with return type bool Return statements in functions returning bool should use true/false instead of 1/0. Generated by: scripts/coccinelle/misc/boolreturn.cocci CC: Tomasz Chilinski <tomasz.chilin...@chilan.com> Signed-off-by: Fengguang Wu <fengguang...@intel.com> Signed-off-by: Joz

[PATCH 01/22] netfilter: ipset: Correct rcu_dereference_bh_nfnl() usage

2016-10-17 Thread Jozsef Kadlecsik
Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_se

[PATCH 11/22] netfilter: ipset: Simplify mtype_expire() for hash types

2016-10-17 Thread Jozsef Kadlecsik
Remove redundant parameters nets_length and dsize: they can be obtained from other parameters. Remove one level of indentation by using continue while iterating over elements in bucket. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Signed-off-by: Jozsef Kadlecsi

[PATCH 09/22] netfilter: ipset: Add element count to all set types header

2016-10-17 Thread Jozsef Kadlecsik
It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h| 2 ++ include

[PATCH 08/22] netfilter: ipset: Add element count to hash headers

2016-10-17 Thread Jozsef Kadlecsik
header that is exported to userspace. This field is then printed by the userspace tool for hashes. Signed-off-by: Eric B Munson <emun...@akamai.com> Cc: Pablo Neira Ayuso <pa...@netfilter.org> Cc: Josh Hunt <joh...@akamai.com> Cc: netfilter-devel@vger.kernel.org Signed-off-b

[PATCH 19/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-17 Thread Jozsef Kadlecsik
the timer is inactive it will be activated). Use setup_timer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> ---

[PATCH 00/22] ipset patches for nf-next

2016-10-17 Thread Jozsef Kadlecsik
): netfilter: ipset: Add element count to hash headers Jozsef Kadlecsik (16): netfilter: ipset: Correct rcu_dereference_bh_nfnl() usage netfilter: ipset: Headers file cleanup netfilter: ipset: Improve skbinfo get/init helpers netfilter: ipset: Improve comment extension helpers

[PATCH 18/22] netfilter: ipset: hash:ipmac type support added to ipset

2016-10-17 Thread Jozsef Kadlecsik
From: Tomasz Chilinski <tomasz.chilin...@chilan.com> Signed-off-by: Tomasz Chiliński <tomasz.chilin...@chilan.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/Kconfig | 9 + net/netfilter/ipset/Makefile| 1 + n

[PATCH 07/22] netfilter: ipset: Regroup ip_set_put_extensions and add extern

2016-10-17 Thread Jozsef Kadlecsik
Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index b5bd0fb3..7a218eb

[PATCH 17/22] netfilter: ipset: Fix reported memory size for hash:* types

2016-10-17 Thread Jozsef Kadlecsik
The calculation of the full allocated memory did not take into account the size of the base hash bucket structure at some places. Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- net/netfilter/ipset/ip_set_hash_gen.h | 16 +--- 1 file changed, 9 insertions

[PATCH 10/22] netfilter: ipset: Count non-static extension memory for userspace

2016-10-17 Thread Jozsef Kadlecsik
-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 8 ++-- include/linux/netfilter/ipset/ip_set_comment.h | 7 +-- net/netfilter/ipset/ip_set_bitmap_gen.h| 5 +++-- net/netfilter/ipset/ip_set_core.c | 2 +

[PATCH 03/22] netfilter: ipset: Improve skbinfo get/init helpers

2016-10-17 Thread Jozsef Kadlecsik
.@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> --- include/linux/netfilter/ipset/ip_set.h | 30 +++--- net/netfilter/ipset/ip_set_core.c | 12 ++-- net/netfilter/xt_set.c | 12 +++- 3 files changed, 24

[PATCH 02/22] netfilter: ipset: Headers file cleanup

2016-10-17 Thread Jozsef Kadlecsik
Remove extra whitespace, group counter helper together. Mark some of the helpers arguments as const. Ported from a patch proposed by Sergey Popovich <popovich_ser...@mail.ua>. Suggested-by: Sergey Popovich <popovich_ser...@mail.ua> Signed-off-by: Jozsef Kadlecsik <kad...@bl

[ANNOUNCE] ipset 6.30 released

2016-10-17 Thread Jozsef Kadlecsik
Hi, I'm happy to announce ipset 6.30 which introduces a new set type, hash:ip,mac, and brings a couple of small corrections and backports from the most recent kernel tree. Userspace changes: - Drop extra comma from error message (Neutron Soutmun) - Fix the incorrect dynamic/static modules

[PATCH 21/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-10-17 Thread Jozsef Kadlecsik
the timer is inactive it will be activated). Use setup_timer() and mod_timer() to setup and arm a timer, making the code compact and easier to read. Signed-off-by: Muhammad Falak R Wani <falakre...@gmail.com> Signed-off-by: Jozsef Kadlecsik <kad...@blackhole.kfki.hu> ---
