linux.git/include/linux/netfilter/ipset, branch v4.0 Linux kernel source tree netfilter: ipset: send nonzero skbinfo extensions only 2014-09-15T20:20:21+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2014-09-15T15:30:54+00:00 aef96193fe7b2791c4a3b19fe75426b929769471 Do not send zero valued skbinfo extensions to userspace at listing. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Do not send zero valued skbinfo extensions to userspace at listing.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: Add skbinfo extension kernel support in the ipset core. 2014-09-15T20:20:20+00:00 Anton Danilov littlesmilingcloud@gmail.com 2014-08-28T06:11:27+00:00 0e9871e3f79fd17c691b50a9669220c54ff084a2 Skbinfo extension provides mapping of metainformation with lookup in the ipset tables. This patch defines the flags, the constants, the functions and the structures for the data type independent support of the extension. Note the firewall mark stores in the kernel structures as two 32bit values, but transfered through netlink as one 64bit value. Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Skbinfo extension provides mapping of metainformation with lookup in the ipset tables.
This patch defines the flags, the constants, the functions and the structures
for the data type independent support of the extension.
Note the firewall mark stores in the kernel structures as two 32bit values,
but transfered through netlink as one 64bit value.

Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: Fix warn: integer overflows 'sizeof(*map) + size * set->dsize' 2014-08-24T17:33:10+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2014-08-05T20:02:34+00:00 1b05756c48ea07ced9604ef01d11194d936da163 Dan Carpenter reported that the static checker emits the warning net/netfilter/ipset/ip_set_list_set.c:600 init_list_set() warn: integer overflows 'sizeof(*map) + size * set->dsize' Limit the maximal number of elements in list type of sets. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Dan Carpenter reported that the static checker emits the warning

        net/netfilter/ipset/ip_set_list_set.c:600 init_list_set()
        warn: integer overflows 'sizeof(*map) + size * set->dsize'

Limit the maximal number of elements in list type of sets.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: add forceadd kernel support for hash set types 2014-03-06T08:31:43+00:00 Josh Hunt johunt@akamai.com 2014-03-01T03:14:57+00:00 07cf8f5ae2657ac495b906c68ff3441ff8ba80ba Adds a new property for hash set types, where if a set is created with the 'forceadd' option and the set becomes full the next addition to the set may succeed and evict a random entry from the set. To keep overhead low eviction is done very simply. It checks to see which bucket the new entry would be added. If the bucket's pos value is non-zero (meaning there's at least one entry in the bucket) it replaces the first entry in the bucket. If pos is zero, then it continues down the normal add process. This property is useful if you have a set for 'ban' lists where it may not matter if you release some entries from the set early. Signed-off-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Adds a new property for hash set types, where if a set is created
with the 'forceadd' option and the set becomes full the next addition
to the set may succeed and evict a random entry from the set.

To keep overhead low eviction is done very simply. It checks to see
which bucket the new entry would be added. If the bucket's pos value
is non-zero (meaning there's at least one entry in the bucket) it
replaces the first entry in the bucket. If pos is zero, then it continues
down the normal add process.

This property is useful if you have a set for 'ban' lists where it may
not matter if you release some entries from the set early.

Signed-off-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: Prepare the kernel for create option flags when no extension is needed 2014-03-06T08:31:42+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2014-02-13T11:19:56+00:00 af284ece87365f3a69723f5bcc1bcdb505b5eb5d Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: add hash:ip,mark data type to ipset 2014-03-06T08:31:42+00:00 Vytas Dauksa vytas.dauksa@smoothwall.net 2013-12-17T14:01:43+00:00 3b02b56cd5988d569731f6c0c26992296e46b758 Introduce packet mark support with new ip,mark hash set. This includes userspace and kernelspace code, hash:ip,mark set tests and man page updates. The intended use of ip,mark set is similar to the ip:port type, but for protocols which don't use a predictable port number. Instead of port number it matches a firewall mark determined by a layer 7 filtering program like opendpi. As well as allowing or blocking traffic it will also be used for accounting packets and bytes sent for each protocol. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Introduce packet mark support with new ip,mark hash set. This includes
userspace and kernelspace code, hash:ip,mark set tests and man page
updates.

The intended use of ip,mark set is similar to the ip:port type, but for
protocols which don't use a predictable port number. Instead of port
number it matches a firewall mark determined by a layer 7 filtering
program like opendpi.

As well as allowing or blocking traffic it will also be used for
accounting packets and bytes sent for each protocol.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: remove unused code 2014-01-03T22:41:35+00:00 stephen hemminger stephen@networkplumber.org 2013-12-31T01:13:10+00:00 02eca9d2cc541806e8f03b4131c7ee9120246df7 Function never used in current upstream code. Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Function never used in current upstream code.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ipset: Use netlink callback dump args only 2013-10-22T08:13:59+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2013-10-18T09:41:55+00:00 93302880d8a3e5dc6b7da3f9825beb839152c940 Instead of cb->data, use callback dump args only and introduce symbolic names instead of plain numbers at accessing the argument members. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Instead of cb->data, use callback dump args only and introduce symbolic
names instead of plain numbers at accessing the argument members.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfiler: ipset: Add net namespace for ipset 2013-09-30T19:42:52+00:00 Vitaly Lavrov lve@guap.ru 2013-09-30T15:07:02+00:00 1785e8f473082aa60d62c7165856cf6484077b99 This patch adds netns support for ipset. Major changes were made in ip_set_core.c and ip_set.h. Global variables are moved to per net namespace. Added initialization code and the destruction of the network namespace ipset subsystem. In the prototypes of public functions ip_set_* added parameter "struct net*". The remaining corrections related to the change prototypes of public functions ip_set_*. The patch for git://git.netfilter.org/ipset.git commit 6a4ec96c0b8caac5c35474e40e319704d92ca347 Signed-off-by: Vitaly Lavrov <lve@guap.ru> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
This patch adds netns support for ipset.

Major changes were made in ip_set_core.c and ip_set.h.
Global variables are moved to per net namespace.
Added initialization code and the destruction of the network namespace ipset subsystem.
In the prototypes of public functions ip_set_* added parameter "struct net*".

The remaining corrections related to the change prototypes of public functions ip_set_*.

The patch for git://git.netfilter.org/ipset.git commit 6a4ec96c0b8caac5c35474e40e319704d92ca347

Signed-off-by: Vitaly Lavrov <lve@guap.ru>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
netfilter: ipset: Use a common function at listing the extensions 2013-09-30T19:42:36+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2013-09-25T15:44:35+00:00 3fd986b3d99e3847f1cce6fc36043d0f16508e1d Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>