linux.git/include/linux/netfilter/ipset, branch v3.4 Linux kernel source tree netfilter: ipset: fix hash size checking in kernel 2012-05-16T19:38:49+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-05-14T01:47:01+00:00 26a5d3cc0b3d1ff23b5a94edb58226afe7f12a0c The hash size must fit both into u32 (jhash) and the max value of size_t. The missing checking could lead to kernel crash, bug reported by Seblu. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 
The hash size must fit both into u32 (jhash) and the max value of
size_t. The missing checking could lead to kernel crash, bug reported
by Seblu.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: ipset: hash:net,iface timeout bug fixed 2012-03-07T16:40:37+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-01-13T21:55:54+00:00 7f81c951d961bef0bf9aa55449654302b9da8185 Timed out entries were still matched till the garbage collector purged them out. The fix is verified in the testsuite. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Timed out entries were still matched till the garbage collector
purged them out. The fix is verified in the testsuite.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ipset: Exceptions support added to hash:*net* types 2012-03-07T16:40:35+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-01-14T16:16:36+00:00 2a7cef2a4ba64b9bf0ff9aeaa364554716c06669 The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
The "nomatch" keyword and option is added to the hash:*net* types,
by which one can add exception entries to sets. Example:

        ipset create test hash:net
        ipset add test 192.168.0/24
        ipset add test 192.168.0/30 nomatch

In this case the IP addresses from 192.168.0/24 except 192.168.0/30
match the elements of the set.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ipset: Log warning when a hash type of set gets full 2012-03-07T16:40:33+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-01-10T16:04:32+00:00 0927a1ac63388271d58e9f7352d71434e1271374 If the set is full, the SET target cannot add more elements. Log warning so that the admin got notified about it. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
If the set is full, the SET target cannot add more elements.
Log warning so that the admin got notified about it.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ipset: expose userspace-relevant parts in ip_set.h 2012-03-07T16:40:31+00:00 Jan Engelhardt jengelh@medozas.de 2012-01-14T15:26:20+00:00 ae8ded1cb88b9c24f3c9552ca9eefd894b069716 iptables's libxt_SET.c depends on these. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
iptables's libxt_SET.c depends on these.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ipset: use NFPROTO_ constants 2012-03-07T16:40:29+00:00 Jan Engelhardt jengelh@medozas.de 2012-02-13T23:24:10+00:00 c15f1c83251049182b1771da004d14f29683ab97 ipset is actually using NFPROTO values rather than AF (xt_set passes that along). Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
ipset is actually using NFPROTO values rather than AF (xt_set passes
that along).

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ipset: fix compiler warnings "'hash_ip4_data_next' declared inline after being called" 2011-07-21T10:07:10+00:00 Chris Friesen chris.friesen@genband.com 2011-07-21T10:07:10+00:00 0f598f0b4c3b2259366cfa8adc01bd8e714c82d0 Some gcc versions warn about prototypes without "inline" when the declaration includes the "inline" keyword. The fix generates a false error message "marked inline, but without a definition" with sparse below 0.4.2. Signed-off-by: Chris Friesen <chris.friesen@genband.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
Some gcc versions warn about prototypes without "inline" when the declaration
includes the "inline" keyword. The fix generates a false error message
"marked inline, but without a definition" with sparse below 0.4.2.

Signed-off-by: Chris Friesen <chris.friesen@genband.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ipset: hash:net,iface fixed to handle overlapping nets behind different interfaces 2011-07-21T10:06:18+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-07-21T10:06:18+00:00 89dc79b787d20e4b6c4077dcee1c5b1be4ab55b8 If overlapping networks with different interfaces was added to the set, the type did not handle it properly. Example ipset create test hash:net,iface ipset add test 192.168.0.0/16,eth0 ipset add test 192.168.0.0/24,eth1 Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned a match. In the patch the algorithm is fixed in order to correctly handle overlapping networks. Limitation: the same network cannot be stored with more than 64 different interfaces in a single set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
If overlapping networks with different interfaces was added to
the set, the type did not handle it properly. Example

    ipset create test hash:net,iface
    ipset add test 192.168.0.0/16,eth0
    ipset add test 192.168.0.0/24,eth1

Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned
a match.

In the patch the algorithm is fixed in order to correctly handle
overlapping networks.

Limitation: the same network cannot be stored with more than 64 different
interfaces in a single set.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ipset: make possible to hash some part of the data element only 2011-07-21T10:05:31+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-07-21T10:05:31+00:00 a6a7b759ba62e62542308e091f7fc9cfac4f978e Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ipset: whitespace and coding fixes detected by checkpatch.pl 2011-06-16T17:01:26+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-06-16T17:01:26+00:00 15b4d93f0316caec44e07255c1d73bde4fac12e4 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>