linux.git/include/linux/netfilter/ipset, branch v3.9 Linux kernel source tree netfilter: ipset: hash:*net*: nomatch flag not excluded on set resize 2013-04-09T19:04:16+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2013-04-09T08:57:20+00:00 6eb4c7e96e19fd2c38a103472048fc0e0e0a3ec3 If a resize is triggered the nomatch flag is not excluded at hashing, which leads to the element missed at lookup in the resized set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
If a resize is triggered the nomatch flag is not excluded at hashing,
which leads to the element missed at lookup in the resized set.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ipset: timeout values corrupted on set resize 2013-02-21T16:34:47+00:00 Josh Hunt johunt@akamai.com 2013-02-19T19:35:59+00:00 cf1c4a094f46ace5bf00078e2db73491ddf018fe If a resize is triggered on a set with timeouts enabled, the timeout values will get corrupted when copying them to the new set. This occured b/c the wrong timeout value is supplied to type_pf_elem_tadd(). This also adds simple debug statement similar to the one in type_pf_resize(). Signed-off-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
If a resize is triggered on a set with timeouts enabled, the timeout
values will get corrupted when copying them to the new set. This occured
b/c the wrong timeout value is supplied to type_pf_elem_tadd().

This also adds simple debug statement similar to the one in type_pf_resize().

Signed-off-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
UAPI: Remove empty non-UAPI Kbuild files 2012-10-17T11:31:15+00:00 David Howells dhowells@redhat.com 2012-10-17T11:31:15+00:00 64d7155cdfe5546ca0730daf7dd73ee52a74eeaf Remove non-UAPI Kbuild files that have become empty as a result of UAPI disintegration. They used to have only header-y lines in them and those have now moved to the Kbuild files in the corresponding uapi/ directories. Possibly these should not be removed but rather have a comment inserted to say they are intentionally left blank. This would make it easier to add generated header lines in future without having to restore the infrastructure. Note that at this point not all the UAPI disintegration parts have been merged, so it is likely that more empty Kbuild files will turn up. It is probably necessary to make the files non-empty to prevent the patch program from automatically deleting them when it reduces them to nothing. Signed-off-by: David Howells <dhowells@redhat.com> 
Remove non-UAPI Kbuild files that have become empty as a result of UAPI
disintegration.  They used to have only header-y lines in them and those have
now moved to the Kbuild files in the corresponding uapi/ directories.

Possibly these should not be removed but rather have a comment inserted to say
they are intentionally left blank.  This would make it easier to add generated
header lines in future without having to restore the infrastructure.

Note that at this point not all the UAPI disintegration parts have been merged,
so it is likely that more empty Kbuild files will turn up.

It is probably necessary to make the files non-empty to prevent the patch
program from automatically deleting them when it reduces them to nothing.

Signed-off-by: David Howells <dhowells@redhat.com>
UAPI: (Scripted) Disintegrate include/linux/netfilter/ipset 2012-10-09T08:48:55+00:00 David Howells dhowells@redhat.com 2012-10-09T08:48:55+00:00 a82014149becc68695e7f1d62a8cc1e4ae062318 Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Michael Kerrisk <mtk.manpages@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Dave Jones <davej@redhat.com> 
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Dave Jones <davej@redhat.com>
netfilter: ipset: Support to match elements marked with "nomatch" 2012-09-22T20:44:34+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-09-21T20:02:36+00:00 3e0304a583d72c747caa8afac76b8d514aa293f5 Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ... Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Exceptions can now be matched and we can branch according to the
possible cases:

a. match in the set if the element is not flagged as "nomatch"
b. match in the set if the element is flagged with "nomatch"
c. no match

i.e.

iptables ... -m set --match-set ... -j ...
iptables ... -m set --match-set ... --nomatch-entries -j ...
...

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: Coding style fixes 2012-09-22T20:44:29+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-09-21T20:01:45+00:00 3ace95c0ac125a042cfb682d0a9bbdbf1e5a2c65 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: Include supported revisions in module description 2012-09-22T20:44:24+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-09-21T19:59:32+00:00 10111a6ef373c377e87730749a0f68210c3fd062 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: Rewrite cidr book keeping to handle /0 2012-09-22T20:43:42+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2012-09-22T20:42:08+00:00 85f8c13e4122eb04fae9d3801eabaa45e3006a88 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-05-17T02:17:37+00:00 David S. Miller davem@davemloft.net 2012-05-17T02:17:37+00:00 028940342a906db8da014a7603a0deddc2c323dd 






netfilter: ipset: fix timeout value overflow bug
2012-05-16T22:56:41+00:00

Jozsef Kadlecsik
kadlec@blackhole.kfki.hu

2012-05-07T02:35:44+00:00

127f559127f5175e4bec3dab725a34845d956591

Large timeout parameters could result wrong timeout values due to
an overflow at msec to jiffies conversion (reported by Andreas Herz)

[ This patch was mangled by Pablo Neira Ayuso since David Laight and
  Eric Dumazet noticed that we were using hardcoded 1000 instead of
  MSEC_PER_SEC to calculate the timeout ]

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>





Large timeout parameters could result wrong timeout values due to
an overflow at msec to jiffies conversion (reported by Andreas Herz)

[ This patch was mangled by Pablo Neira Ayuso since David Laight and
  Eric Dumazet noticed that we were using hardcoded 1000 instead of
  MSEC_PER_SEC to calculate the timeout ]

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>