22 Jul, 2011
1 commit
21 Jul, 2011
3 commits
-
Some gcc versions warn about prototypes without "inline" when the declaration
includes the "inline" keyword. The fix generates a false error message
"marked inline, but without a definition" with sparse below 0.4.2.

Signed-off-by: Chris Friesen
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
If overlapping networks with different interfaces were added to
the set, the type did not handle it properly. Example:

ipset create test hash:net,iface
ipset add test 192.168.0.0/16,eth0
ipset add test 192.168.0.0/24,eth1

Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned
a match.

In the patch the algorithm is fixed in order to correctly handle
overlapping networks.

Limitation: the same network cannot be stored with more than 64 different
interfaces in a single set.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
19 Jul, 2011
1 commit
-
Introduces a new nfnetlink type that applies a given
verdict to all queued packets with an id
Signed-off-by: Patrick McHardy
18 Jul, 2011
1 commit
-
Goal of this patch is to permit nfnetlink providers to not mandate
nfnl_mutex being held while nfnetlink_rcv_msg() calls them.

If struct nfnl_callback contains a non-NULL call_rcu(), then
nfnetlink_rcv_msg() will use it instead of the call() field, holding
rcu_read_lock instead of nfnl_mutex.

Signed-off-by: Eric Dumazet
CC: Florian Westphal
CC: Eric Leblond
Signed-off-by: Patrick McHardy
21 Jun, 2011
1 commit
-
Conflicts:
drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
drivers/net/wireless/rtlwifi/pci.c
net/netfilter/ipvs/ip_vs_core.c
17 Jun, 2011
11 commits
-
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The hash:net,iface type makes it possible to store network address and
interface name pairs in a set. It's mostly suitable for egress
and ingress filtering. Examples:

# ipset create test hash:net,iface
# ipset add test 192.168.0.0/16,eth0
# ipset add test 192.168.0.0/24,eth1

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
With the change the sets can use any parameter available for the match
and target extensions, like input/output interface. It's required for
the hash:net,iface set type.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The patch "Fix adding ranges to hash types" had got a mistyping
in the timeout variant of the hash types, which actually made
the patch ineffective. Fixed!

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The range internally is converted to the network(s) equal to the range.
Example:

# ipset new test hash:net
# ipset add test 10.2.0.0-10.2.1.12
# ipset list test
Name: test
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16888
References: 0
Members:
10.2.1.12
10.2.1.0/29
10.2.0.0/24
10.2.1.8/30

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
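The range-to-network conversion that the commit above describes, as an added example in Python (not ipset's own code): it splits an inclusive IPv4 range into the minimal aligned CIDR blocks, renders them the way the `ipset list` output above prints members, and runs the membership test a hash:net set performs against the result. All helper names are hypothetical.

```python
import ipaddress


def range_to_networks(first, last):
    """Split the inclusive IPv4 range first..last into the minimal list of
    aligned CIDR blocks, which is how a hash:net set stores an added range.
    Hypothetical helper written for this example, not ipset's implementation."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    nets = []
    while lo <= hi:
        # Widen the block starting at lo while it stays aligned to its size
        # and its last address does not run past hi.
        plen = 32
        while plen > 0:
            size = 1 << (32 - (plen - 1))  # size of a (plen-1) block
            if lo % size != 0 or lo + size - 1 > hi:
                break
            plen -= 1
        nets.append(ipaddress.IPv4Network((lo, plen)))
        lo += 1 << (32 - plen)
    return nets


def ipset_members(nets):
    """Render networks as the 'ipset list' output above shows hash:net
    members: a /32 appears as a bare address."""
    return [str(n.network_address) if n.prefixlen == 32 else str(n)
            for n in nets]


def covered(nets, ip):
    """Membership test as hash:net performs it: the address matches when it
    falls inside any stored network."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets = range_to_networks("10.2.0.0", "10.2.1.12")
    print(ipset_members(nets))
    print(covered(nets, "10.2.1.12"), covered(nets, "10.2.1.13"))
```

The four networks returned for 10.2.0.0-10.2.1.12 are exactly the members in the listing above (ipset prints them in hash order, so the sequence differs).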
A set type may have multiple revisions, for example when syntax is
extended. Support continuous revision ranges in set types.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
When ranges are added to hash types, the elements may trigger rehashing
the set. However, the last successfully added element was not kept track
of, so the adding started again with the first element after the rehashing.

Bug reported by Mr Dash Four.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
Current listing makes it possible to list sets with full content only.
The patch adds support for partial listings, i.e. listing just
the existing setnames or listing set headers, without set members.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The support makes it possible to specify the timeout value for
the SET target and a flag to reset the timeout for already existing
entries.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
When an element is added to a set with timeout, one can change the timeout
by "readding" the element with the "-exist" flag. That means the timeout
value is reset to the specified one (or to the default from the set
specification if the "timeout n" option is not used). Example:

ipset add foo 1.2.3.4 timeout 10
ipset add foo 1.2.3.4 timeout 600 -exist

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
06 Jun, 2011
1 commit
-
Following error is raised (and other similar ones):

net/ipv4/netfilter/nf_nat_standalone.c: In function ‘nf_nat_fn’:
net/ipv4/netfilter/nf_nat_standalone.c:119:2: warning: case value ‘4’ not in enumerated type ‘enum ip_conntrack_info’

gcc barfs on adding two enum values and getting a not enumerated
result:

case IP_CT_RELATED+IP_CT_IS_REPLY:

Add missing enum values.
Signed-off-by: Eric Dumazet
CC: David Miller
Signed-off-by: Pablo Neira Ayuso
27 May, 2011
2 commits
-
Variable 'ret' is set in type_pf_tdel() but not used, remove.
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
-
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
20 Apr, 2011
1 commit
13 Apr, 2011
1 commit
-
SCTP and UDPLITE port support added to the hash:*port* set types.
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
11 Apr, 2011
1 commit
-
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (34 commits)
net: Add support for SMSC LAN9530, LAN9730 and LAN89530
mlx4_en: Restoring RX buffer pointer in case of failure
mlx4: Sensing link type at device initialization
ipv4: Fix "Set rt->rt_iif more sanely on output routes."
MAINTAINERS: add entry for Xen network backend
be2net: Fix suspend/resume operation
be2net: Rename some struct members for clarity
pppoe: drop PPPOX_ZOMBIEs in pppoe_flush_dev
dsa/mv88e6131: add support for mv88e6085 switch
ipv6: Enable RFS sk_rxhash tracking for ipv6 sockets (v2)
be2net: Fix a potential crash during shutdown.
bna: Fix for handling firmware heartbeat failure
can: mcp251x: Allow pass IRQ flags through platform data.
smsc911x: fix mac_lock acquision before calling smsc911x_mac_read
iwlwifi: accept EEPROM version 0x423 for iwl6000
rt2x00: fix cancelling uninitialized work
rtlwifi: Fix some warnings/bugs
p54usb: IDs for two new devices
wl12xx: fix potential buffer overflow in testmode nvs push
zd1211rw: reset rx idle timer from tasklet
...
04 Apr, 2011
2 commits
-
We currently use a percpu spinlock to 'protect' rule bytes/packets
counters, after various attempts to use RCU instead.

Lately we added a seqlock so that get_counters() can run without
blocking BH or 'writers'. But we really only need the seqcount in it.

Spinlock itself is only locked by the current/owner cpu, so we can
remove it completely.

This cleans up the API, using correct 'writer' vs 'reader' semantics.
At replace time, the get_counters() call makes sure all cpus are done
using the old table.

Signed-off-by: Eric Dumazet
Cc: Jan Engelhardt
Signed-off-by: Patrick McHardy
-
The timeout variant of the list:set type must reference the member sets.
However, its garbage collector runs at timer interrupt so the mutex
protection of the references is a no go. Therefore the reference protection
is converted to rwlock.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
31 Mar, 2011
1 commit
-
Fixes generated by 'codespell' and manually reviewed.
Signed-off-by: Lucas De Marchi
20 Mar, 2011
1 commit
-
The hash:*port* types with IPv4 silently ignored when address ranges
with non-TCP/UDP were added/deleted from the set and used the first
address from the range only.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
19 Mar, 2011
1 commit
-
Now that we finally have __aligned_xx exported to userspace, convert
the headers that get exported over to the proper type.

Signed-off-by: Mike Frysinger
Signed-off-by: David S. Miller
16 Mar, 2011
2 commits
-
The kernel will refuse certain types that do not work in ipv6 mode.
We can then add these features incrementally without risk of userspace
breakage.

Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy
-
Followup patch will add ipv6 support.
ipt_addrtype.h is retained for compatibility reasons, but no longer used
by the kernel.

Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy
03 Feb, 2011
2 commits
-
Add a new 'devgroup' match to match on the device group of the
incoming and outgoing network device of a packet.

Signed-off-by: Patrick McHardy
-
Add a dummy ip_set_get_ip6_port function that unconditionally
returns false for CONFIG_IPV6=n and convert the real function
to ipv6_skip_exthdr() to avoid pulling in the ip6_tables module
when loading ipset.

Signed-off-by: Patrick McHardy
02 Feb, 2011
1 commit
-
Signed-off-by: Patrick McHardy
01 Feb, 2011
6 commits
-
The patch adds the combined module of the "SET" target and "set" match
to netfilter. Both the previous and the current revisions are supported.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The module implements the list:set type support in two flavours:
without and with timeout. The sets have two sides: for the userspace,
they store the names of other (non list:set type of) sets: one can add,
delete and test set names. For the kernel, it forms an ordered union of
the member sets: the member sets are tried in order when elements are
added, deleted and tested and the process stops at the first success.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The module implements the hash:ip type support in four flavours:
for IPv4 or IPv6, both without and with timeout support.

All the hash types are based on the "array hash" or ahash structure
and functions as a good compromise between minimal memory footprint
and speed. The hashing uses arrays to resolve clashes. The hash table
is resized (doubled) when searching becomes too long. Resizing can be
triggered by userspace add commands only and those are serialized by
the nfnl mutex. During resizing the set is read-locked, so the only
possible concurrent operations are the kernel side readers. Those are
protected by RCU locking.

Because of the four flavours and the other hash types, the functions
are implemented in general forms in the ip_set_ahash.h header file
and the real functions are generated before compiling by macro expansion.
Thus the dereferencing of low-level functions and void pointer arguments
could be avoided: the low-level functions are inlined, the function
arguments are pointers of type-specific structures.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The module implements the bitmap:ip set type in two flavours, without
and with timeout support. In this kind of set one can store IPv4
addresses (or network addresses) from a given range.

In order not to waste memory, the timeout version does not rely on
the kernel timer for every element to be timed out but on garbage
collection. All set types use this mechanism.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The patch adds the IP set core support to the kernel.
The IP set core implements a netlink (nfnetlink) based protocol by which
one can create, destroy, flush, rename, swap, list, save, restore sets,
and add, delete, test elements from userspace. For simplicity (and backward
compatibility, and so as not to force ip(6)tables to be linked with a netlink
library) reasons a small getsockopt-based protocol is also kept in order
to communicate with the ip(6)tables match and target.

The netlink protocol passes all u16, etc values in network order with
NLA_F_NET_BYTEORDER flag. The protocol enforces the proper use of the
NLA_F_NESTED and NLA_F_NET_BYTEORDER flags.

For other kernel subsystems (netfilter match and target) the API contains
the functions to add, delete and test elements in sets and the required calls
to get/put references to the sets before those operations can be performed.

The set types (which are implemented in independent modules) are stored
in a simple RCU protected list. A set type may have variants: for example
without timeout or with timeout support, for IPv4 or for IPv6. The sets
(i.e. the pointers to the sets) are stored in an array. The sets are
identified by their index in the array, which makes possible easy and
fast swapping of sets. The array is protected indirectly by the nfnl
mutex from nfnetlink. The content of the sets is protected by the rwlock
of the set.

There are functional differences between the add/del/test functions
for the kernel and userspace:

- kernel add/del/test: works on the current packet (i.e. one element)
- kernel test: may trigger an "add" operation in order to fill
out unspecified parts of the element from the packet (like MAC address)
- userspace add/del: works on the netlink message and thus possibly
on multiple elements from the IPSET_ATTR_ADT container attribute.
- userspace add: may trigger resizing of a set

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy
-
The patch adds the NFNL_SUBSYS_IPSET id and NLA_PUT_NET* macros to the
vanilla kernel.

Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Patrick McHardy