30 Apr, 2013
2 commits
-
The new revision of the set match supports to match the counters
and to suppress updating the counters at matching too.At the set:list types, the updating of the subcounters can be
suppressed as well.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso -
Introduce extensions to elements in the core and prepare timeout as
the first one.This patch also modifies the em_ipset classifier to use the new
extension struct layout.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
23 Sep, 2012
1 commit
-
Exceptions can now be matched and we can branch according to the
possible cases:a. match in the set if the element is not flagged as "nomatch"
b. match in the set if the element is flagged with "nomatch"
c. no matchi.e.
iptables ... -m set --match-set ... -j ...
iptables ... -m set --match-set ... --nomatch-entries -j ...
...Signed-off-by: Jozsef Kadlecsik
09 Jul, 2012
1 commit
-
The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
broke the SET target when no timeout was specified.Reported-by: Jean-Philippe Menil
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
17 May, 2012
1 commit
-
Large timeout parameters could result wrong timeout values due to
an overflow at msec to jiffies conversion (reported by Andreas Herz)[ This patch was mangled by Pablo Neira Ayuso since David Laight and
Eric Dumazet noticed that we were using hardcoded 1000 instead of
MSEC_PER_SEC to calculate the timeout ]Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
22 Jun, 2011
1 commit
-
It was suggested by "make versioncheck" that the follwing includes of
linux/version.h are redundant:/home/jj/src/linux-2.6/net/caif/caif_dev.c: 14 linux/version.h not needed.
/home/jj/src/linux-2.6/net/caif/chnl_net.c: 10 linux/version.h not needed.
/home/jj/src/linux-2.6/net/ipv4/gre.c: 19 linux/version.h not needed.
/home/jj/src/linux-2.6/net/netfilter/ipset/ip_set_core.c: 20 linux/version.h not needed.
/home/jj/src/linux-2.6/net/netfilter/xt_set.c: 16 linux/version.h not needed.and it seems that it is right.
Beyond manually inspecting the source files I also did a few build
tests with various configs to confirm that including the header in
those files is indeed not needed.Here's a patch to remove the pointless includes.
Signed-off-by: Jesper Juhl
Acked-by: Jozsef Kadlecsik
Signed-off-by: David S. Miller
17 Jun, 2011
3 commits
-
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
With the change the sets can use any parameter available for the match
and target extensions, like input/output interface. It's required for
the hash:net,iface set type.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy -
The support makes possible to specify the timeout value for
the SET target and a flag to reset the timeout for already existing
entries.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
13 Apr, 2011
1 commit
-
The SET target with --del-set did not work due to using wrongly
the internal dimension of --add-set instead of --del-set.
Also, the checkentries did not release the set references when
returned an error. Bugs reported by Lennert Buytenhek.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
01 Feb, 2011
1 commit
-
The patch adds the combined module of the "SET" target and "set" match
to netfilter. Both the previous and the current revisions are supported.Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy