linux.git/include/linux/netfilter/ipset, branch v3.2 Linux kernel source tree netfilter: ipset: fix compiler warnings "'hash_ip4_data_next' declared inline after being called" 2011-07-21T10:07:10+00:00 Chris Friesen chris.friesen@genband.com 2011-07-21T10:07:10+00:00 0f598f0b4c3b2259366cfa8adc01bd8e714c82d0 Some gcc versions warn about prototypes without "inline" when the declaration includes the "inline" keyword. The fix generates a false error message "marked inline, but without a definition" with sparse below 0.4.2. Signed-off-by: Chris Friesen <chris.friesen@genband.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
Some gcc versions warn about prototypes without "inline" when the declaration
includes the "inline" keyword. The fix generates a false error message
"marked inline, but without a definition" with sparse below 0.4.2.

Signed-off-by: Chris Friesen <chris.friesen@genband.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ipset: hash:net,iface fixed to handle overlapping nets behind different interfaces 2011-07-21T10:06:18+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-07-21T10:06:18+00:00 89dc79b787d20e4b6c4077dcee1c5b1be4ab55b8 If overlapping networks with different interfaces was added to the set, the type did not handle it properly. Example ipset create test hash:net,iface ipset add test 192.168.0.0/16,eth0 ipset add test 192.168.0.0/24,eth1 Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned a match. In the patch the algorithm is fixed in order to correctly handle overlapping networks. Limitation: the same network cannot be stored with more than 64 different interfaces in a single set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
If overlapping networks with different interfaces was added to
the set, the type did not handle it properly. Example

    ipset create test hash:net,iface
    ipset add test 192.168.0.0/16,eth0
    ipset add test 192.168.0.0/24,eth1

Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned
a match.

In the patch the algorithm is fixed in order to correctly handle
overlapping networks.

Limitation: the same network cannot be stored with more than 64 different
interfaces in a single set.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ipset: make possible to hash some part of the data element only 2011-07-21T10:05:31+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-07-21T10:05:31+00:00 a6a7b759ba62e62542308e091f7fc9cfac4f978e Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ipset: whitespace and coding fixes detected by checkpatch.pl 2011-06-16T17:01:26+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-06-16T17:01:26+00:00 15b4d93f0316caec44e07255c1d73bde4fac12e4 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ipset: hash:net,iface type introduced 2011-06-16T17:00:48+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-06-16T17:00:48+00:00 e385357a2f214e4d4e79c6118f1bede2572e0701 The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
The hash:net,iface type makes possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:

        # ipset create test hash:net,iface
        # ipset add test 192.168.0.0/16,eth0
        # ipset add test 192.168.0.0/24,eth1

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ipset: add xt_action_param to the variant level kadt functions, ipset API change 2011-06-16T16:56:47+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-06-16T16:56:47+00:00 b66554cf03fe866b3fb7b9f40f430b8ba09f41c8 With the change the sets can use any parameter available for the match and target extensions, like input/output interface. It's required for the hash:net,iface set type. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
With the change the sets can use any parameter available for the match
and target extensions, like input/output interface. It's required for
the hash:net,iface set type.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ipset: use unified from/to address masking and check the usage 2011-06-16T16:55:58+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-06-16T16:55:58+00:00 e6146e8684ed6dd4c0ff85ca21bf4324114fbbfa Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ipset: adding ranges to hash types with timeout could still fail, fixed 2011-06-16T16:53:51+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-06-16T16:53:51+00:00 c64562eaf2ad61d7492788ef95678f52d0d28f2a The patch "Fix adding ranges to hash types" had got a mistypeing in the timeout variant of the hash types, which actually made the patch ineffective. Fixed! Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
The patch "Fix adding ranges to hash types" had got a mistypeing
in the timeout variant of the hash types, which actually made
the patch ineffective. Fixed!

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ipset: support range for IPv4 at adding/deleting elements for hash:*net* types 2011-06-16T16:52:41+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-06-16T16:52:41+00:00 d0d9e0a5a8db05b2179c2ffb25d1c2850cce3c8e The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
The range internally is converted to the network(s) equal to the range.
Example:

	# ipset new test hash:net
	# ipset add test 10.2.0.0-10.2.1.12
	# ipset list test
	Name: test
	Type: hash:net
	Header: family inet hashsize 1024 maxelem 65536
	Size in memory: 16888
	References: 0
	Members:
	10.2.1.12
	10.2.1.0/29
	10.2.0.0/24
	10.2.1.8/30

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ipset: set type support with multiple revisions added 2011-06-16T16:51:41+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-06-16T16:51:41+00:00 f1e00b39797944bf25addaf543839feeb25fbdc5 A set type may have multiple revisions, for example when syntax is extended. Support continuous revision ranges in set types. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
A set type may have multiple revisions, for example when syntax is
extended. Support continuous revision ranges in set types.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>