Changes of Revision 2
_service:tar_scm:ipset.spec
Changed
@@ -1,14 +1,17 @@ Name: ipset -Version: 7.15 -Release: 1 +Version: 7.17 +Release: 2 Summary: Manage Linux IP sets License: GPLv2 URL: http://ipset.netfilter.org/ Source0: http://ipset.netfilter.org/%{name}-%{version}.tar.bz2 Source1: ipset.service Source2: ipset.start-stop +Source3: ipset-config -BuildRequires: libmnl-devel automake autoconf libtool libtool-ltdl-devel systemd +Patch0: backport-netfilter-ipset-Fix-overflow-before-widen-in-the-bit.patch + +BuildRequires: libmnl-devel automake autoconf libtool libtool-ltdl-devel systemd make Requires: ipset-libs = %{version}-%{release} iptables-services Requires(post): systemd Requires(preun): systemd @@ -54,7 +57,7 @@ %build ./autogen.sh -%configure --with-kmod=no +%configure --with-kmod=no --disable-static rm -fr kernel %disable_rpath %make_build @@ -69,12 +72,27 @@ install -d -m 755 %{buildroot}%{_libexecdir}/%{name} install -c -m 755 %{SOURCE2} %{buildroot}%{_libexecdir}/%{name} +install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig +install -c -m 600 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/%{name}-config + install -d -m 755 %{buildroot}%{_sysconfdir}/%{name} %ldconfig_scriptlets libs %post %systemd_post %{name}.service +if -f /etc/ipset/ipset && ! -f /etc/sysconfig/ipset ; then + mv /etc/ipset/ipset /etc/sysconfig/ipset + ln -s /etc/sysconfig/ipset /etc/ipset/ipset + echo "Warning: ipset save location has moved to /etc/sysconfig" +fi + -f /etc/sysconfig/iptables-config && . /etc/sysconfig/iptables-config + -f /etc/sysconfig/ip6tables-config && . /etc/sysconfig/ip6tables-config +if ${IPTABLES_SAVE_ON_STOP} == yes || \ + ${IP6TABLES_SAVE_ON_STOP} == yes ; then + echo "Warning: ipset no longer saves automatically when iptables does" + echo " must enable explicitly in /etc/sysconfig/ipset-config" +fi %preun if $1 -eq 0 && -n $(lsmod | grep "^xt_set ") ; then 
@@ -95,6 +113,8 @@ %{_unitdir}/ipset.service %{_libexecdir}/ipset/ipset.start-stop %{_sysconfdir}/%{name} +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ipset-config +%ghost %config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ipset %files libs %defattr(-,root,root) @@ -104,7 +124,6 @@ %files devel %defattr(-,root,root) %{_includedir}/libipset -%{_libdir}/*.a %{_libdir}/libipset.so %{_libdir}/pkgconfig/*.pc @@ -114,6 +133,24 @@ %{_mandir}/man3/libipset.3.* %changelog +* Tue Feb 28 2023 gaihuiying <eaglegai@163.com> - 7.17-2 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:delete *.a file + +* Wed Feb 01 2023 xinghe <xinghe2@h-partners.com> - 7.17-1 +- Type:requirements +- ID:NA +- SUG:NA +- DESC:update ipset to 7.17 + +* Thu Oct 20 2022 xinghe <xinghe2@h-partners.com> - 7.15-2 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:Fix IPv6 sets nftables translation + * Mon Mar 21 2022 yanglu <yanglu72@h-partners.com> - 7.15-1 - Type:requirements - ID:NA
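Review bot: In the new `%post` block the `${IPTABLES_SAVE_ON_STOP}` and `${IP6TABLES_SAVE_ON_STOP}` expansions are unquoted, so when neither sysconfig file defines them (or both files are absent) the test collapses to `[ == yes ]` and errors out instead of evaluating false; write it as `if [ "${IPTABLES_SAVE_ON_STOP}" == yes ] || [ "${IP6TABLES_SAVE_ON_STOP}" == yes ]; then`. The `[`/`]` brackets appear to have been dropped by the page rendering, so this assumes the real scriptlet uses `[ … ]` tests. Sourcing `/etc/sysconfig/iptables-config` with `.` executes that file as root during install; it follows the existing iptables-services pattern, but a comment such as `# sourced only to read *_SAVE_ON_STOP; both files are root-owned config shipped by iptables-services` would make the intent explicit. The 7.17-2 changelog entry says only `DESC:delete *.a file`, while this revision also adds `Patch0`, `Source3`, the `%config`/`%ghost` entries and the save-location migration in `%post`; those should be listed. The `%preun` scriptlet continues outside the hunk.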
_service:tar_scm:backport-netfilter-ipset-Fix-overflow-before-widen-in-the-bit.patch
Added
@@ -0,0 +1,44 @@ +From f9a5f712132273139473cb322c3155375a1d1836 Mon Sep 17 00:00:00 2001 +From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> +Date: Sat, 28 Jan 2023 19:09:52 +0100 +Subject: PATCH netfilter: ipset: Fix overflow before widen in the + bitmap_ip_create() function. + +When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of +an arithmetic expression 2 << (netmask - mask_bits - 1) is subject +to overflow due to a failure casting operands to a larger data type +before performing the arithmetic. + +Note that it's harmless since the value will be checked at the next step. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters") +Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> +Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> + +Conflict: NA +Reference: http://git.netfilter.org/ipset/commit/?id=f9a5f712132273139473cb322c3155375a1d1836 +--- + kernel/net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/net/netfilter/ipset/ip_set_bitmap_ip.c b/kernel/net/netfilter/ipset/ip_set_bitmap_ip.c +index c488663..f37169c 100644 +--- a/kernel/net/netfilter/ipset/ip_set_bitmap_ip.c ++++ b/kernel/net/netfilter/ipset/ip_set_bitmap_ip.c +@@ -312,8 +312,8 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb, + return -IPSET_ERR_BITMAP_RANGE; + + pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask); +- hosts = 2 << (32 - netmask - 1); +- elements = 2 << (netmask - mask_bits - 1); ++ hosts = 2U << (32 - netmask - 1); ++ elements = 2UL << (netmask - mask_bits - 1); + } + if (elements > IPSET_BITMAP_MAX_RANGE + 1) + return -IPSET_ERR_BITMAP_RANGE_SIZE; +-- +2.27.0 +
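Review bot: This backport only modifies `kernel/net/netfilter/ipset/ip_set_bitmap_ip.c`, but the spec above configures with `%configure --with-kmod=no` and runs `rm -fr kernel` in `%build` before `%make_build`, so the patched file is deleted before anything is compiled and the fix cannot reach the shipped userspace package. If the goal is to fix the in-kernel ipset module, the change belongs in the kernel package; if it is only meant to keep the bundled source aligned with upstream, the spec changelog should say so (the 7.17-2 entry mentions only `DESC:delete *.a file`). Also confirm that `%prep`, which is outside the spec hunk, actually applies `Patch0`; the hunk adds the `Patch0:` declaration but does not show it being applied.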
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="scm">git</param> <param name="url">git@gitee.com:src-openeuler/ipset.git</param> - <param name="revision">ace86321e07a3bd02d6390821fae0023f183d934</param> + <param name="revision">master</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
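Review bot: Changing the tar_scm `revision` from the pinned commit `ace86321e07a3bd02d6390821fae0023f183d934` to `master` means each rebuild of this revision fetches whatever the branch head is at build time, so the source input is no longer reproducible and a later push to that branch silently changes what gets packaged. Pin the parameter to the commit hash that corresponds to the 7.17-2 state, e.g. `<param name="revision">[commit hash of the 7.17-2 source]</param>`, and if tracking the branch is intentional, record that decision in the revision message. The `url` parameter is unchanged, so the point applies only to `revision`.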
_service:tar_scm:ipset-7.15.tar.bz2/ChangeLog -> _service:tar_scm:ipset-7.17.tar.bz2/ChangeLog
Changed
@@ -1,3 +1,24 @@ +7.17 + - Tests: When verifying comments/timeouts, make sure entries don't expire + - Tests: Make sure the internal batches add the correct number of elements + - Tests: Verify that hash:net,port,net type can handle 0/0 properly + - Makefile: Create LZMA-compressed dist-files (Phil Sutter) + +7.16 + - Add new ipset_parse_bitmask() function to the library interface + - test: Make sure no more than 64 clashing elements can be added + to hash:net,iface sets + - netfilter: ipset: add tests for the new bitmask feature (Vishwanath Pai) + - netfilter: ipset: Update the man page to include netmask/bitmask options + (Vishwanath Pai) + - netfilter: ipset: Add bitmask support to hash:netnet (Vishwanath Pai) + - netfilter: ipset: Add bitmask support to hash:ipport (Vishwanath Pai) + - netfilter: ipset: Add bitmask support to hash:ip (Vishwanath Pai) + - netfilter: ipset: Add support for new bitmask parameter (Vishwanath Pai) + - ipset-translate: allow invoking with a path name (Quentin Armitage) + - Fix IPv6 sets nftables translation (Pablo Neira Ayuso) + - Fix typo in ipset-translate man page (Bernhard M. Wiedemann) + 7.14 - Add missing function to libipset.map and bump library version (reported by Jan Engelhardt)
_service:tar_scm:ipset-7.15.tar.bz2/Make_global.am -> _service:tar_scm:ipset-7.17.tar.bz2/Make_global.am
Changed
@@ -69,7 +69,7 @@ # interface. # curr:rev:age -LIBVERSION = 16:0:3 +LIBVERSION = 17:0:4 AM_CPPFLAGS = $(kinclude_CFLAGS) $(all_includes) -I$(top_srcdir)/include
_service:tar_scm:ipset-7.15.tar.bz2/Makefile.in -> _service:tar_scm:ipset-7.17.tar.bz2/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -213,8 +213,8 @@ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ cscope distdir distdir-am dist dist-all distcheck -am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \ - $(LISP)config.h.in +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) \ + config.h.in # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. @@ -282,9 +282,11 @@ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" -DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best -DIST_TARGETS = dist-gzip +DIST_ARCHIVES = $(distdir).tar.xz +DIST_TARGETS = dist-xz +# Exists only to be overridden by the user if desired. +AM_DISTCHECK_DVI_TARGET = dvi distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' @@ -496,7 +498,7 @@ ACLOCAL_AMFLAGS = -I m4 # curr:rev:age -LIBVERSION = 16:0:3 +LIBVERSION = 17:0:4 AM_CPPFLAGS = $(kinclude_CFLAGS) $(all_includes) -I$(top_srcdir)/include AM_CFLAGS = -std=gnu99 $(am__append_1) $(am__append_2) SPARSE = sparse 
@@ -763,11 +765,14 @@ dist-lzip: distdir tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz $(am__post_remove_distdir) - dist-xz: distdir tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz $(am__post_remove_distdir) +dist-zstd: distdir + tardir=$(distdir) && $(am__tar) | zstd -c $${ZSTD_CLEVEL-$${ZSTD_OPT--19}} >$(distdir).tar.zst + $(am__post_remove_distdir) + dist-tarZ: distdir @echo WARNING: "Support for distribution archives compressed with" \ "legacy program 'compress' is deprecated." >&2 @@ -810,6 +815,8 @@ eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ + *.tar.zst*) \ + zstd -dc $(distdir).tar.zst | $(am__untar) ;;\ esac chmod -R a-w $(distdir) chmod u+w $(distdir) @@ -825,7 +832,7 @@ $(DISTCHECK_CONFIGURE_FLAGS) \ --srcdir=../.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ - && $(MAKE) $(AM_MAKEFLAGS) dvi \ + && $(MAKE) $(AM_MAKEFLAGS) $(AM_DISTCHECK_DVI_TARGET) \ && $(MAKE) $(AM_MAKEFLAGS) check \ && $(MAKE) $(AM_MAKEFLAGS) install \ && $(MAKE) $(AM_MAKEFLAGS) installcheck \ 
@@ -987,18 +994,18 @@ am--refresh check check-am clean clean-cscope clean-generic \ clean-libtool cscope cscopelist-am ctags ctags-am dist \ dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \ - dist-xz dist-zip distcheck distclean distclean-generic \ - distclean-hdr distclean-libtool distclean-tags distcleancheck \ - distdir distuninstallcheck dvi dvi-am html html-am info \ - info-am install install-am install-data install-data-am \ - install-dvi install-dvi-am install-exec install-exec-am \ - install-html install-html-am install-info install-info-am \ - install-man install-pdf install-pdf-am install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs installdirs-am maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am + dist-xz dist-zip dist-zstd distcheck distclean \ + distclean-generic distclean-hdr distclean-libtool \ + distclean-tags distcleancheck distdir distuninstallcheck dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs installdirs-am \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am .PRECIOUS: Makefile
_service:tar_scm:ipset-7.15.tar.bz2/aclocal.m4 -> _service:tar_scm:ipset-7.17.tar.bz2/aclocal.m4
Changed
@@ -1,6 +1,6 @@ -# generated automatically by aclocal 1.16.1 -*- Autoconf -*- +# generated automatically by aclocal 1.16.3 -*- Autoconf -*- -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,9 +20,9 @@ If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.)) -dnl pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -dnl serial 11 (pkg-config-0.29) -dnl +# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +# serial 12 (pkg-config-0.29.2) + dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>. dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com> dnl @@ -63,7 +63,7 @@ dnl See the "Since" comment for each macro you use to see what version dnl of the macros you require. m4_defun(PKG_PREREQ, -m4_define(PKG_MACROS_VERSION, 0.29) +m4_define(PKG_MACROS_VERSION, 0.29.2) m4_if(m4_version_compare(PKG_MACROS_VERSION, $1), -1, m4_fatal(pkg.m4 version $1 or higher is required but PKG_MACROS_VERSION found)) )dnl PKG_PREREQ @@ -164,7 +164,7 @@ AC_ARG_VAR($1_LIBS, linker flags for $1, overriding pkg-config)dnl pkg_failed=no -AC_MSG_CHECKING(for $1) +AC_MSG_CHECKING(for $2) _PKG_CONFIG($1_CFLAGS, cflags, $2) _PKG_CONFIG($1_LIBS, libs, $2) @@ -174,11 +174,11 @@ See the pkg-config man page for more details.) if test $pkg_failed = yes; then - AC_MSG_RESULT(no) + AC_MSG_RESULT(no) _PKG_SHORT_ERRORS_SUPPORTED if test $_pkg_short_errors_supported = yes; then $1_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1` - else + else $1_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1` fi # Put the nasty error message in config.log where it belongs 
@@ -195,7 +195,7 @@ _PKG_TEXT)dnl ) elif test $pkg_failed = untried; then - AC_MSG_RESULT(no) + AC_MSG_RESULT(no) m4_default($4, AC_MSG_FAILURE( The pkg-config script could not be found or is too old. Make sure it is in your PATH or set the PKG_CONFIG environment variable to the full @@ -296,7 +296,7 @@ AS_VAR_IF($1, "", $5, $4)dnl )dnl PKG_CHECK_VAR -# Copyright (C) 2002-2018 Free Software Foundation, Inc. +# Copyright (C) 2002-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -311,7 +311,7 @@ am__api_version='1.16' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if($1, 1.16.1, , +m4_if($1, 1.16.3, , AC_FATAL(Do not call $0, use AM_INIT_AUTOMAKE($1).))dnl ) @@ -327,14 +327,14 @@ # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN(AM_SET_CURRENT_AUTOMAKE_VERSION, -AM_AUTOMAKE_VERSION(1.16.1)dnl +AM_AUTOMAKE_VERSION(1.16.3)dnl m4_ifndef(AC_AUTOCONF_VERSION, m4_copy(m4_PACKAGE_VERSION, AC_AUTOCONF_VERSION))dnl _AM_AUTOCONF_VERSION(m4_defn(AC_AUTOCONF_VERSION))) # AM_AUX_DIR_EXPAND -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -386,7 +386,7 @@ # AM_CONDITIONAL -*- Autoconf -*- -# Copyright (C) 1997-2018 Free Software Foundation, Inc. +# Copyright (C) 1997-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -417,7 +417,7 @@ Usually this means the macro was only invoked conditionally.) fi)) -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -608,7 +608,7 @@ # Generate code to set up dependency tracking. -*- Autoconf -*- -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -647,7 +647,9 @@ done if test $am_rc -ne 0; then AC_MSG_FAILURE(Something went wrong bootstrapping makefile fragments - for automatic dependency tracking. Try re-running configure with the + for automatic dependency tracking. If GNU make was not used, consider + re-running the configure script with MAKE="gmake" (or whatever is + necessary). You can also try re-running configure with the '--disable-dependency-tracking' option to at least be able to build the package (albeit without support for automatic dependency tracking).) fi @@ -674,7 +676,7 @@ # Do all the work for Automake. -*- Autoconf -*- -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -871,7 +873,7 @@ done echo "timestamp for $_am_arg" >`AS_DIRNAME("$_am_arg")`/stamp-h$_am_stamp_count) -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -892,7 +894,7 @@ fi AC_SUBST(install_sh)) -# Copyright (C) 2003-2018 Free Software Foundation, Inc. +# Copyright (C) 2003-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -913,7 +915,7 @@ # Check to see how 'make' treats includes. -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -956,7 +958,7 @@ # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- -# Copyright (C) 1997-2018 Free Software Foundation, Inc. +# Copyright (C) 1997-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -977,12 +979,7 @@ AC_REQUIRE(AM_AUX_DIR_EXPAND)dnl AC_REQUIRE_AUX_FILE(missing)dnl if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then @@ -995,7 +992,7 @@ # Helper functions for option handling. -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1024,7 +1021,7 @@ AC_DEFUN(_AM_IF_OPTION, m4_ifset(_AM_MANGLE_OPTION($1), $2, $3)) -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -1071,7 +1068,7 @@ # For backward compatibility. AC_DEFUN_ONCE(AM_PROG_CC_C_O, AC_REQUIRE(AC_PROG_CC)) -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1090,7 +1087,7 @@ # Check to make sure that the build environment is sane. -*- Autoconf -*- -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1171,7 +1168,7 @@ rm -f conftest.file ) -# Copyright (C) 2009-2018 Free Software Foundation, Inc. +# Copyright (C) 2009-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1231,7 +1228,7 @@ _AM_SUBST_NOTMAKE(AM_BACKSLASH)dnl ) -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1259,7 +1256,7 @@ INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" AC_SUBST(INSTALL_STRIP_PROGRAM)) -# Copyright (C) 2006-2018 Free Software Foundation, Inc. +# Copyright (C) 2006-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -1278,7 +1275,7 @@ # Check how to create a tarball. -*- Autoconf -*- -# Copyright (C) 2004-2018 Free Software Foundation, Inc. +# Copyright (C) 2004-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it,
_service:tar_scm:ipset-7.15.tar.bz2/build-aux/compile -> _service:tar_scm:ipset-7.17.tar.bz2/build-aux/compile
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # Written by Tom Tromey <tromey@cygnus.com>. # # This program is free software; you can redistribute it and/or modify @@ -53,7 +53,7 @@ MINGW*) file_conv=mingw ;; - CYGWIN*) + CYGWIN* | MSYS*) file_conv=cygwin ;; *) @@ -67,7 +67,7 @@ mingw/*) file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` ;; - cygwin/*) + cygwin/* | msys/*) file=`cygpath -m "$file" || echo "$file"` ;; wine/*)
_service:tar_scm:ipset-7.15.tar.bz2/build-aux/depcomp -> _service:tar_scm:ipset-7.17.tar.bz2/build-aux/depcomp
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by
_service:tar_scm:ipset-7.15.tar.bz2/build-aux/install-sh -> _service:tar_scm:ipset-7.17.tar.bz2/build-aux/install-sh
Changed
@@ -1,7 +1,7 @@ #!/bin/sh # install - install a program, script, or datafile -scriptversion=2018-03-11.20; # UTC +scriptversion=2020-11-14.01; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the @@ -69,6 +69,11 @@ # Desired mode of installed file. mode=0755 +# Create dirs (including intermediate dirs) using mode 755. +# This is like GNU 'install' as of coreutils 8.32 (2020). +mkdir_umask=22 + +backupsuffix= chgrpcmd= chmodcmd=$chmodprog chowncmd= @@ -99,18 +104,28 @@ --version display version info and exit. -c (ignored) - -C install only if different (preserve the last data modification time) + -C install only if different (preserve data modification time) -d create directories instead of installing files. -g GROUP $chgrpprog installed files to GROUP. -m MODE $chmodprog installed files to MODE. -o USER $chownprog installed files to USER. + -p pass -p to $cpprog. -s $stripprog installed files. + -S SUFFIX attempt to back up existing files, with suffix SUFFIX. -t DIRECTORY install into DIRECTORY. -T report an error if DSTFILE is a directory. Environment variables override the default commands: CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG + +By default, rm is invoked with -f; when overridden with RMPROG, +it's up to you to specify -f if you want it. + +If -S is not specified, no backups are attempted. + +Email bug reports to bug-automake@gnu.org. +Automake home page: https://www.gnu.org/software/automake/ " while test $# -ne 0; do @@ -137,8 +152,13 @@ -o) chowncmd="$chownprog $2" shift;; + -p) cpprog="$cpprog -p";; + -s) stripcmd=$stripprog;; + -S) backupsuffix="$2" + shift;; + -t) is_target_a_directory=always dst_arg=$2 
@@ -255,6 +275,10 @@ dstdir=$dst test -d "$dstdir" dstdir_status=$? + # Don't chown directories that already exist. + if test $dstdir_status = 0; then + chowncmd="" + fi else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command @@ -301,22 +325,6 @@ if test $dstdir_status != 0; then case $posix_mkdir in '') - # Create intermediate dirs using mode 755 as modified by the umask. - # This is like FreeBSD 'install' as of 1997-10-28. - umask=`umask` - case $stripcmd.$umask in - # Optimize common cases. - *23672367) mkdir_umask=$umask;; - .*00202 | .0202 | .02) mkdir_umask=22;; - - *0-7) - mkdir_umask=`expr $umask + 22 \ - - $umask % 100 % 40 + $umask % 20 \ - - $umask % 10 % 4 + $umask % 2 - `;; - *) mkdir_umask=$umask,go-w;; - esac - # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then 
@@ -326,52 +334,49 @@ fi posix_mkdir=false - case $umask in - *1235670-70-7) - # POSIX mkdir -p sets u+wx bits regardless of umask, which - # is incompatible with FreeBSD 'install' when (umask & 300) != 0. - ;; - *) - # Note that $RANDOM variable is not portable (e.g. dash); Use it - # here however when possible just to lower collision chance. - tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ - - trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 - - # Because "mkdir -p" follows existing symlinks and we likely work - # directly in world-writeable /tmp, make sure that the '$tmpdir' - # directory is successfully created first before we actually test - # 'mkdir -p' feature. - if (umask $mkdir_umask && - $mkdirprog $mkdir_mode "$tmpdir" && - exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 - then - if test -z "$dir_arg" || { - # Check for POSIX incompatibilities with -m. - # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or - # other-writable bit of parent directory when it shouldn't. - # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. - test_tmpdir="$tmpdir/a" - ls_ld_tmpdir=`ls -ld "$test_tmpdir"` - case $ls_ld_tmpdir in - d????-?r-*) different_mode=700;; - d????-?--*) different_mode=755;; - *) false;; - esac && - $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { - ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` - test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" - } - } - then posix_mkdir=: - fi - rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" - else - # Remove any dirs left behind by ancient mkdir implementations. - rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null - fi - trap '' 0;; - esac;; + # The $RANDOM variable is not portable (e.g., dash). Use it + # here however when possible just to lower collision chance. + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + + trap ' + ret=$? 
+ rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null + exit $ret + ' 0 + + # Because "mkdir -p" follows existing symlinks and we likely work + # directly in world-writeable /tmp, make sure that the '$tmpdir' + # directory is successfully created first before we actually test + # 'mkdir -p'. + if (umask $mkdir_umask && + $mkdirprog $mkdir_mode "$tmpdir" && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + test_tmpdir="$tmpdir/a" + ls_ld_tmpdir=`ls -ld "$test_tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. + rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null + fi + trap '' 0;; esac if @@ -382,7 +387,7 @@ then : else - # The umask is ridiculous, or mkdir does not conform to POSIX, + # mkdir does not conform to POSIX, # or it failed possibly due to a race condition. Create the # directory the slow way, step by step, checking for races as we go. @@ -411,7 +416,7 @@ prefixes= else if $posix_mkdir; then - (umask=$mkdir_umask && + (umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break # Don't fail if two instances are running concurrently. test -d "$prefix" || exit 1 
@@ -451,7 +456,18 @@ trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 # Copy the file name to the temp name. - (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && + (umask $cp_umask && + { test -z "$stripcmd" || { + # Create $dsttmp read-write so that cp doesn't create it read-only, + # which would cause strip to fail. + if test -z "$doit"; then + : >"$dsttmp" # No need to fork-exec 'touch'. + else + $doit touch "$dsttmp" + fi + } + } && + $doit_exec $cpprog "$src" "$dsttmp") && # and set any options; do chmod last to preserve setuid bits. # @@ -477,6 +493,13 @@ then rm -f "$dsttmp" else + # If $backupsuffix is set, and the file being installed + # already exists, attempt a backup. Don't worry if it fails, + # e.g., if mv doesn't support -f. + if test -n "$backupsuffix" && test -f "$dst"; then + $doit $mvcmd -f "$dst" "$dst$backupsuffix" 2>/dev/null + fi + # Rename the file to the real destination. $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || @@ -491,9 +514,9 @@ # file should still install successfully. { test ! -f "$dst" || - $doit $rmcmd -f "$dst" 2>/dev/null || + $doit $rmcmd "$dst" 2>/dev/null || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && - { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } + { $doit $rmcmd "$rmtmp" 2>/dev/null; :; } } || { echo "$0: cannot unlink or rename $dst" >&2 (exit 1); exit 1
_service:tar_scm:ipset-7.15.tar.bz2/build-aux/ltmain.sh -> _service:tar_scm:ipset-7.17.tar.bz2/build-aux/ltmain.sh
Changed
@@ -31,7 +31,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.6 Debian-2.4.6-9" +VERSION="2.4.6 Debian-2.4.6-15" package_revision=2.4.6 @@ -387,7 +387,7 @@ # putting '$debug_cmd' at the start of all your functions, you can get # bash to show function call trace with: # -# debug_cmd='eval echo "${FUNCNAME0} $*" >&2' bash your-script-name +# debug_cmd='echo "${FUNCNAME0} $*" >&2' bash your-script-name debug_cmd=${debug_cmd-":"} exit_cmd=: @@ -2141,7 +2141,7 @@ compiler: $LTCC compiler flags: $LTCFLAGS linker: $LD (gnu? $with_gnu_ld) - version: $progname $scriptversion Debian-2.4.6-9 + version: $progname $scriptversion Debian-2.4.6-15 automake: `($AUTOMAKE --version) 2>/dev/null |$SED 1q` autoconf: `($AUTOCONF --version) 2>/dev/null |$SED 1q` @@ -7368,10 +7368,12 @@ # -stdlib=* select c++ std lib with clang # -fsanitize=* Clang/GCC memory and address sanitizer # -fuse-ld=* Linker select flags for GCC + # -static-* direct GCC to link specific libraries statically + # -fcilkplus Cilk Plus language extension features for C/C++ -64|-mips0-9|-r0-90-9*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \ -t45*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \ -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*| \ - -specs=*|-fsanitize=*|-fuse-ld=*) + -specs=*|-fsanitize=*|-fuse-ld=*|-static-*|-fcilkplus) func_quote_for_eval "$arg" arg=$func_quote_for_eval_result func_append compile_command " $arg"
_service:tar_scm:ipset-7.15.tar.bz2/build-aux/missing -> _service:tar_scm:ipset-7.17.tar.bz2/build-aux/missing
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996. # This program is free software; you can redistribute it and/or modify
_service:tar_scm:ipset-7.15.tar.bz2/configure -> _service:tar_scm:ipset-7.17.tar.bz2/configure
Changed
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for ipset 7.15. +# Generated by GNU Autoconf 2.69 for ipset 7.17. # # Report bugs to <kadlec@netfilter.org>. # @@ -594,8 +594,8 @@ # Identity of this package. PACKAGE_NAME='ipset' PACKAGE_TARNAME='ipset' -PACKAGE_VERSION='7.15' -PACKAGE_STRING='ipset 7.15' +PACKAGE_VERSION='7.17' +PACKAGE_STRING='ipset 7.17' PACKAGE_BUGREPORT='kadlec@netfilter.org' PACKAGE_URL='' @@ -1452,7 +1452,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ipset 7.15 to adapt to many kinds of systems. +\`configure' configures ipset 7.17 to adapt to many kinds of systems. Usage: $0 OPTION... VAR=VALUE... @@ -1523,7 +1523,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ipset 7.15:";; + short | recursive ) echo "Configuration of ipset 7.17:";; esac cat <<\_ACEOF @@ -1661,7 +1661,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ipset configure 7.15 +ipset configure 7.17 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2039,7 +2039,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ipset $as_me 7.15, which was +It was created by ipset $as_me 7.17, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2666,12 +2666,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd` if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then 
@@ -2976,7 +2971,7 @@ # Define the identity of the package. PACKAGE='ipset' - VERSION='7.15' + VERSION='7.17' cat >>confdefs.h <<_ACEOF @@ -5865,7 +5860,7 @@ fi : ${AR=ar} -: ${AR_FLAGS=cru} +: ${AR_FLAGS=cr} @@ -7586,8 +7581,8 @@ _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5 $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5 - echo "$AR cru libconftest.a conftest.o" >&5 - $AR cru libconftest.a conftest.o 2>&5 + echo "$AR cr libconftest.a conftest.o" >&5 + $AR cr libconftest.a conftest.o 2>&5 echo "$RANLIB libconftest.a" >&5 $RANLIB libconftest.a 2>&5 cat > conftest.c << _LT_EOF @@ -7619,11 +7614,11 @@ # to the OS version, if on x86, and 10.4, the deployment # target defaults to 10.4. Don't you love it? case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in - 10.0,*86*-darwin8*|10.0,*-darwin91*) + 10.0,*86*-darwin8*|10.0,*-darwin912*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; 10.012,.*) _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; - 10.*) + 10.*|11.*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; esac ;; @@ -8685,6 +8680,12 @@ lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fPIC' + lt_prog_compiler_static='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) @@ -14530,8 +14531,8 @@ pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libmnl" >&5 -$as_echo_n "checking for libmnl... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libmnl >= 1" >&5 +$as_echo_n "checking for libmnl >= 1... " >&6; } if test -n "$libmnl_CFLAGS"; then pkg_cv_libmnl_CFLAGS="$libmnl_CFLAGS" 
@@ -14571,7 +14572,7 @@ if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then @@ -14598,7 +14599,7 @@ and libmnl_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details." "$LINENO" 5 elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} @@ -15055,6 +15056,12 @@ $as_echo "yes" >&6; } HAVE_KVCALLOC=define +elif test -f $ksourcedir/include/linux/slab.h && \ + $GREP -q 'kvcalloc' $ksourcedir/include/linux/slab.h; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + HAVE_KVCALLOC=define + else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } @@ -15070,6 +15077,12 @@ $as_echo "yes" >&6; } HAVE_KVFREE=define +elif test -f $ksourcedir/include/linux/slab.h && \ + $GREP -q 'kvfree' $ksourcedir/include/linux/slab.h; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + HAVE_KVFREE=define + else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } 
@@ -15641,14 +15654,20 @@ fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel source for kvzalloc() in mm.h" >&5 -$as_echo_n "checking kernel source for kvzalloc() in mm.h... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel source for kvzalloc() in mm.h and slab.h" >&5 +$as_echo_n "checking kernel source for kvzalloc() in mm.h and slab.h... " >&6; } if test -f $ksourcedir/include/linux/mm.h && \ $GREP -q 'static inline void \*kvzalloc(' $ksourcedir/include/linux/mm.h; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } HAVE_KVZALLOC=define +elif test -f $ksourcedir/include/linux/slab.h && \ + $GREP -q 'kvzalloc' $ksourcedir/include/linux/slab.h; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + HAVE_KVZALLOC=define + else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } @@ -18261,7 +18280,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ipset $as_me 7.15, which was +This file was extended by ipset $as_me 7.17, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -18327,7 +18346,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/\\""\`\$/\\\\&/g'`" ac_cs_version="\\ -ipset config.status 7.15 +ipset config.status 7.17 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
@@ -19427,7 +19446,9 @@ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "Something went wrong bootstrapping makefile fragments - for automatic dependency tracking. Try re-running configure with the + for automatic dependency tracking. If GNU make was not used, consider + re-running the configure script with MAKE=\"gmake\" (or whatever is + necessary). You can also try re-running configure with the '--disable-dependency-tracking' option to at least be able to build the package (albeit without support for automatic dependency tracking). See \`config.log' for more details" "$LINENO" 5; }
_service:tar_scm:ipset-7.15.tar.bz2/configure.ac -> _service:tar_scm:ipset-7.17.tar.bz2/configure.ac
Changed
@@ -1,10 +1,10 @@ dnl Boilerplate -AC_INIT(ipset, 7.15, kadlec@netfilter.org) +AC_INIT(ipset, 7.17, kadlec@netfilter.org) AC_CONFIG_AUX_DIR(build-aux) AC_CANONICAL_HOST AC_CONFIG_MACRO_DIR(m4) AC_CONFIG_HEADER(config.h) -AM_INIT_AUTOMAKE(foreign subdir-objects tar-pax) +AM_INIT_AUTOMAKE(foreign subdir-objects tar-pax no-dist-gzip dist-xz) m4_ifdef(AM_SILENT_RULES, AM_SILENT_RULES(yes)) AC_PROG_LN_S @@ -443,6 +443,10 @@ $GREP -q 'kvcalloc' $ksourcedir/include/linux/mm.h; then AC_MSG_RESULT(yes) AC_SUBST(HAVE_KVCALLOC, define) +elif test -f $ksourcedir/include/linux/slab.h && \ + $GREP -q 'kvcalloc' $ksourcedir/include/linux/slab.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_KVCALLOC, define) else AC_MSG_RESULT(no) AC_SUBST(HAVE_KVCALLOC, undef) @@ -453,6 +457,10 @@ $GREP -q 'kvfree' $ksourcedir/include/linux/mm.h; then AC_MSG_RESULT(yes) AC_SUBST(HAVE_KVFREE, define) +elif test -f $ksourcedir/include/linux/slab.h && \ + $GREP -q 'kvfree' $ksourcedir/include/linux/slab.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_KVFREE, define) else AC_MSG_RESULT(no) AC_SUBST(HAVE_KVFREE, undef) @@ -837,11 +845,15 @@ AC_SUBST(HAVE_NLMSG_UNICAST, undef) fi -AC_MSG_CHECKING(kernel source for kvzalloc() in mm.h) +AC_MSG_CHECKING(kernel source for kvzalloc() in mm.h and slab.h) if test -f $ksourcedir/include/linux/mm.h && \ $GREP -q 'static inline void \*kvzalloc(' $ksourcedir/include/linux/mm.h; then AC_MSG_RESULT(yes) AC_SUBST(HAVE_KVZALLOC, define) +elif test -f $ksourcedir/include/linux/slab.h && \ + $GREP -q 'kvzalloc' $ksourcedir/include/linux/slab.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_KVZALLOC, define) else AC_MSG_RESULT(no) AC_SUBST(HAVE_KVZALLOC, undef)
_service:tar_scm:ipset-7.15.tar.bz2/include/libipset/Makefile.in -> _service:tar_scm:ipset-7.17.tar.bz2/include/libipset/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it,
_service:tar_scm:ipset-7.15.tar.bz2/include/libipset/args.h -> _service:tar_scm:ipset-7.17.tar.bz2/include/libipset/args.h
Changed
@@ -58,6 +58,7 @@ IPSET_ARG_SKBQUEUE, /* skbqueue */ IPSET_ARG_BUCKETSIZE, /* bucketsize */ IPSET_ARG_INITVAL, /* initval */ + IPSET_ARG_BITMASK, /* bitmask */ IPSET_ARG_MAX, };
_service:tar_scm:ipset-7.15.tar.bz2/include/libipset/data.h -> _service:tar_scm:ipset-7.17.tar.bz2/include/libipset/data.h
Changed
@@ -37,6 +37,7 @@ IPSET_OPT_RESIZE, IPSET_OPT_SIZE, IPSET_OPT_FORCEADD, + IPSET_OPT_BITMASK, /* Create-specific options, filled out by the kernel */ IPSET_OPT_ELEMENTS, IPSET_OPT_REFERENCES, @@ -70,7 +71,7 @@ IPSET_OPT_BUCKETSIZE, IPSET_OPT_INITVAL, /* Internal options */ - IPSET_OPT_FLAGS = 48, /* IPSET_FLAG_EXIST| */ + IPSET_OPT_FLAGS = 49, /* IPSET_FLAG_EXIST| */ IPSET_OPT_CADT_FLAGS, /* IPSET_FLAG_BEFORE| */ IPSET_OPT_ELEM, IPSET_OPT_TYPE, @@ -105,7 +106,8 @@ | IPSET_FLAG(IPSET_OPT_COUNTERS)\ | IPSET_FLAG(IPSET_OPT_CREATE_COMMENT)\ | IPSET_FLAG(IPSET_OPT_FORCEADD)\ - | IPSET_FLAG(IPSET_OPT_SKBINFO)) + | IPSET_FLAG(IPSET_OPT_SKBINFO)\ + | IPSET_FLAG(IPSET_OPT_BITMASK)) #define IPSET_ADT_FLAGS \ (IPSET_FLAG(IPSET_OPT_IP) \
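Review bot: `IPSET_OPT_FLAGS = 49` is a hand-counted anchor that has to be bumped by hand every time an option is inserted ahead of it, and nothing in the header catches a miscount; if the value ever lands at or below the last create option, `IPSET_FLAG(IPSET_OPT_BITMASK)` and the internal flag bits would alias. A compile-time guard next to the enum, e.g. `_Static_assert(IPSET_OPT_FLAGS > IPSET_OPT_INITVAL, "IPSET_OPT_FLAGS must follow the last create option");` (or whatever static-assert form this project uses), makes the next insertion safe; at minimum a comment stating that 49 must equal the number of enumerators before it. I cannot see `IPSET_FLAG`'s definition from here, so whether bits 49 and above still fit the flag word should be confirmed as well.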
_service:tar_scm:ipset-7.15.tar.bz2/include/libipset/linux_ip_set.h -> _service:tar_scm:ipset-7.17.tar.bz2/include/libipset/linux_ip_set.h
Changed
@@ -89,6 +89,7 @@ IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ IPSET_ATTR_MARK, /* 10 */ IPSET_ATTR_MARKMASK, /* 11 */ + IPSET_ATTR_BITMASK, /* 12 */ /* Reserve empty slots */ IPSET_ATTR_CADT_MAX = 16, /* Create-only specific attributes */ @@ -157,6 +158,7 @@ IPSET_ERR_COMMENT, IPSET_ERR_INVALID_MARKMASK, IPSET_ERR_SKBINFO, + IPSET_ERR_BITMASK_NETMASK_EXCL, /* Type specific error codes */ IPSET_ERR_TYPE_SPECIFIC = 4352,
_service:tar_scm:ipset-7.15.tar.bz2/include/libipset/list_sort.h -> _service:tar_scm:ipset-7.17.tar.bz2/include/libipset/list_sort.h
Changed
@@ -61,7 +61,7 @@ // entry->prev = (void *) 0; } -static inline void __list_splice(const struct list_head *list, +static inline void __list_splice(struct list_head *list, struct list_head *prev, struct list_head *next) { @@ -75,7 +75,7 @@ next->prev = last; } -static inline void list_splice(const struct list_head *list, +static inline void list_splice(struct list_head *list, struct list_head *head) { if (!list_empty(list))
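Review bot: Dropping `const` from the `list` parameter of `__list_splice` and `list_splice` widens the contract without saying why; if this is one of the "debug mode warnings" fixes from the ChangeLog, a one-line comment would stop the next reader from restoring the qualifier, e.g. `/* not const: the spliced list's nodes are relinked through this pointer */`. Both function bodies continue outside the hunk, so I cannot confirm from here whether `list` itself is written or only the nodes it points to.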
_service:tar_scm:ipset-7.15.tar.bz2/include/libipset/parse.h -> _service:tar_scm:ipset-7.17.tar.bz2/include/libipset/parse.h
Changed
@@ -92,6 +92,8 @@ enum ipset_opt opt, const char *str); extern int ipset_parse_netmask(struct ipset_session *session, enum ipset_opt opt, const char *str); +extern int ipset_parse_bitmask(struct ipset_session *session, + enum ipset_opt opt, const char *str); extern int ipset_parse_flag(struct ipset_session *session, enum ipset_opt opt, const char *str); extern int ipset_parse_typename(struct ipset_session *session,
_service:tar_scm:ipset-7.15.tar.bz2/kernel/ChangeLog -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/ChangeLog
Changed
@@ -1,3 +1,28 @@ +7.17 + - netfilter: ipset: Rework long task execution when adding/deleting entries + - netfilter: ipset: fix hash:net,port,net hang with /0 subnet + +7.16 + - netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface + - Fix all debug mode warnings + - netfilter: ipset: Add support for new bitmask parameter (Vishwanath Pai) + - netfilter: ipset: regression in ip_set_hash_ip.c (Vishwanath Pai) + - netfilter: move from strlcpy with unused retval to strscpy + (Wolfram Sang) + - compatibility: handle unsafe_memcpy() + - netlink: Bounds-check struct nlmsgerr creation (Kees Cook) + - compatibility: move to skb_protocol in the code from tc_skb_protocol + - Compatibility: check kvcalloc, kvfree, kvzalloc in slab.h too + - sched: consistently handle layer3 header accesses in the presence + of VLANs (Toke Høiland-Jørgensen) + - treewide: Replace GPLv2 boilerplate/reference with SPDX + - rule 500 (Thomas Gleixner) + - headers: Remove some left-over license text in + include/uapi/linux/netfilter/ (Christophe JAILLET) + - netfilter: ipset: enforce documented limit to prevent allocating + huge memory + - netfilter: ipset: Fix oversized kvmalloc() calls + 7.15 - netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt() (Nathan Chancellor)
_service:tar_scm:ipset-7.15.tar.bz2/kernel/include/linux/netfilter/ipset/ip_set.h -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/include/linux/netfilter/ipset/ip_set.h
Changed
@@ -200,7 +200,7 @@ }; /* Max range where every element is added/deleted in one step */ -#define IPSET_MAX_RANGE (1<<20) +#define IPSET_MAX_RANGE (1<<14) /* The max revision number supported by any set type + 1 */ #define IPSET_REVISION_MAX 9 @@ -528,6 +528,16 @@ *skbinfo = ext->skbinfo; } +static inline void +nf_inet_addr_mask_inplace(union nf_inet_addr *a1, + const union nf_inet_addr *mask) +{ + a1->all0 &= mask->all0; + a1->all1 &= mask->all1; + a1->all2 &= mask->all2; + a1->all3 &= mask->all3; +} + #define IP_SET_INIT_KEXT(skb, opt, set) \ { .bytes = (skb)->len, .packets = 1, .target = true,\ .timeout = ip_set_adt_opt_timeout(opt, set) }
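Review bot: The comment above `IPSET_MAX_RANGE` still reads "Max range where every element is added/deleted in one step", but with this release the constant is a chunk size rather than a limit: the per-type uadt loops return -ERANGE once `i > IPSET_MAX_RANGE`, park the next element in `h->next`, and ip_set_core re-locks the set and resumes. Suggest `/* Max number of elements added/deleted per lock hold; longer ranges return -ERANGE with h->next set and are resumed by the core */`. The loops compare with `>`, so each chunk actually handles IPSET_MAX_RANGE + 1 elements — harmless, but worth stating so nobody "fixes" it later. `nf_inet_addr_mask_inplace` would also benefit from a one-liner noting that it masks all four 32-bit words, so an IPv4 caller must keep the upper words at all-ones (as the onesmask initialiser does) or they get cleared.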
_service:tar_scm:ipset-7.15.tar.bz2/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in
Changed
@@ -406,11 +406,9 @@ #define skb_vlan_tag_present vlan_tx_tag_present #endif -static inline __be16 tc_skb_protocol(const struct sk_buff *skb) +#ifndef HAVE_SKB_PROTOCOL +static inline __be16 skb_protocol(const struct sk_buff *skb, bool skip_vlan) { -#ifdef HAVE_SKB_PROTOCOL - return skb_protocol(skb, true); -#else if (skb_vlan_tag_present(skb)) #ifdef HAVE_VLAN_PROTO_IN_SK_BUFF return skb->vlan_proto; @@ -418,9 +416,9 @@ return htons(ETH_P_8021Q); #endif return skb->protocol; -#endif } #endif +#endif #ifdef HAVE_XT_NET #define IPSET_DEV_NET(par) xt_net(par) @@ -607,5 +605,11 @@ return members; } #endif + +#ifndef unsafe_memcpy +#define unsafe_memcpy(dst, src, bytes, justification) \ + memcpy(dst, src, bytes) +#endif + #endif /* IP_SET_COMPAT_HEADERS */ #endif /* __IP_SET_COMPAT_H */
_service:tar_scm:ipset-7.15.tar.bz2/kernel/include/uapi/linux/netfilter/ipset/ip_set.h -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/include/uapi/linux/netfilter/ipset/ip_set.h
Changed
@@ -3,10 +3,6 @@ * Patrick Schaaf <bof@bof.de> * Martin Josefsson <gandalf@wlug.westbo.se> * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@netfilter.org> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. */ #ifndef _UAPI_IP_SET_H #define _UAPI_IP_SET_H @@ -89,6 +85,7 @@ IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ IPSET_ATTR_MARK, /* 10 */ IPSET_ATTR_MARKMASK, /* 11 */ + IPSET_ATTR_BITMASK, /* 12 */ /* Reserve empty slots */ IPSET_ATTR_CADT_MAX = 16, /* Create-only specific attributes */ @@ -157,6 +154,7 @@ IPSET_ERR_COMMENT, IPSET_ERR_INVALID_MARKMASK, IPSET_ERR_SKBINFO, + IPSET_ERR_BITMASK_NETMASK_EXCL, /* Type specific error codes */ IPSET_ERR_TYPE_SPECIFIC = 4352,
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_core.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_core.c
Changed
@@ -354,7 +354,7 @@ c = kmalloc(sizeof(*c) + len + 1, GFP_ATOMIC); if (unlikely(!c)) return; - strlcpy(c->str, ext->comment, len + 1); + strscpy(c->str, ext->comment, len + 1); set->ext_size += sizeof(*c) + strlen(c->str) + 1; rcu_assign_pointer(comment->c, c); } @@ -1082,7 +1082,7 @@ if (!set) return -ENOMEM; spin_lock_init(&set->lock); - strlcpy(set->name, name, IPSET_MAXNAMELEN); + strscpy(set->name, name, IPSET_MAXNAMELEN); set->family = family; set->revision = revision; @@ -1754,9 +1754,10 @@ ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried); ip_set_unlock(set); retried = true; - } while (ret == -EAGAIN && - set->variant->resize && - (ret = set->variant->resize(set, retried)) == 0); + } while (ret == -ERANGE || + (ret == -EAGAIN && + set->variant->resize && + (ret = set->variant->resize(set, retried)) == 0)); if (!ret || (ret == -IPSET_ERR_EXIST && eexist)) return 0; @@ -1775,11 +1776,12 @@ skb2 = nlmsg_new(payload, GFP_KERNEL); if (!skb2) return -ENOMEM; - rep = __nlmsg_put(skb2, NETLINK_PORTID(skb), - nlh->nlmsg_seq, NLMSG_ERROR, payload, 0); + rep = nlmsg_put(skb2, NETLINK_PORTID(skb), + nlh->nlmsg_seq, NLMSG_ERROR, payload, 0); errmsg = nlmsg_data(rep); errmsg->error = ret; - memcpy(&errmsg->msg, nlh, nlh->nlmsg_len); + unsafe_memcpy(&errmsg->msg, nlh, nlh->nlmsg_len, + /* Bounds checked by the skb layer. */); cmdattr = (void *)&errmsg->msg + min_len; ret = NLA_PARSE(cda, IPSET_ATTR_CMD_MAX, cmdattr,
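Review bot: `strscpy(c->str, ext->comment, len + 1)` already returns the number of bytes copied (or -E2BIG), yet the next line recounts with `strlen(c->str)`; since `len` sized the kmalloc one line above, `set->ext_size += sizeof(*c) + len + 1;` (or the strscpy result) avoids the second pass and makes the accounting visibly match the allocation. This is a style point — behaviour only differs if `ext->comment` is shorter than `len`, which I cannot verify because the function starts outside the hunk.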
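Review bot: The new `ret == -ERANGE` condition in the do/while loop re-locks the set and continues from `h->next` with no bound on the number of rounds and no scheduling point between them, so a single add over a large range (or ip × port product) that the old code refused with -ERANGE now runs to completion inside the kernel. Since the set lock is dropped between rounds, a `cond_resched()` on the -ERANGE path after `ip_set_unlock(set)` would let the task yield on non-preemptible kernels; whether a `signal_pending()` check belongs in a netlink request I would leave to the maintainers. I cannot see from this hunk how each type resets its chunk counter and consumes `h->next` on `retried`, so please confirm every uadt that can return -ERANGE does both.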
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_gen.h -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_gen.h
Changed
@@ -43,31 +43,8 @@ #define AHASH_MAX_SIZE (6 * AHASH_INIT_SIZE) /* Max muber of elements in the array block when tuned */ #define AHASH_MAX_TUNED 64 - #define AHASH_MAX(h) ((h)->bucketsize) -/* Max number of elements can be tuned */ -#ifdef IP_SET_HASH_WITH_MULTI -static u8 -tune_bucketsize(u8 curr, u32 multi) -{ - u32 n; - - if (multi < curr) - return curr; - - n = curr + AHASH_INIT_SIZE; - /* Currently, at listing one hash bucket must fit into a message. - * Therefore we have a hard limit here. - */ - return n > curr && n <= AHASH_MAX_TUNED ? n : curr; -} -#define TUNE_BUCKETSIZE(h, multi) \ - ((h)->bucketsize = tune_bucketsize((h)->bucketsize, multi)) -#else -#define TUNE_BUCKETSIZE(h, multi) -#endif - /* A hash bucket */ struct hbucket { struct rcu_head rcu; /* for call_rcu_bh */ @@ -131,11 +108,11 @@ { size_t hsize; - /* We must fit both into u32 in jhash and size_t */ + /* We must fit both into u32 in jhash and INT_MAX in kvmalloc_node() */ if (hbits > 31) return 0; hsize = jhash_size(hbits); - if ((((size_t)-1) - sizeof(struct htable)) / sizeof(struct hbucket *) + if ((INT_MAX - sizeof(struct htable)) / sizeof(struct hbucket *) < hsize) return 0; @@ -183,6 +160,17 @@ (SET_WITH_TIMEOUT(set) && \ ip_set_timeout_expired(ext_timeout(d, set))) +#if defined(IP_SET_HASH_WITH_NETMASK) || defined(IP_SET_HASH_WITH_BITMASK) +static const union nf_inet_addr onesmask = { + .all0 = 0xffffffff, + .all1 = 0xffffffff, + .all2 = 0xffffffff, + .all3 = 0xffffffff +}; + +static const union nf_inet_addr zeromask = {}; +#endif + #endif /* _IP_SET_HASH_GEN_H */ #ifndef MTYPE 
@@ -307,8 +295,9 @@ u32 markmask; /* markmask value for mark mask to store */ #endif u8 bucketsize; /* max elements in an array block */ -#ifdef IP_SET_HASH_WITH_NETMASK +#if defined(IP_SET_HASH_WITH_NETMASK) || defined(IP_SET_HASH_WITH_BITMASK) u8 netmask; /* netmask value for subnets to store */ + union nf_inet_addr bitmask; /* stores bitmask */ #endif struct list_head ad; /* Resize add|del backlist */ struct mtype_elem next; /* temporary storage for uadd */ @@ -483,8 +472,8 @@ /* Resizing changes htable_bits, so we ignore it */ return x->maxelem == y->maxelem && a->timeout == b->timeout && -#ifdef IP_SET_HASH_WITH_NETMASK - x->netmask == y->netmask && +#if defined(IP_SET_HASH_WITH_NETMASK) || defined(IP_SET_HASH_WITH_BITMASK) + nf_inet_addr_cmp(&x->bitmask, &y->bitmask) && #endif #ifdef IP_SET_HASH_WITH_MARKMASK x->markmask == y->markmask && @@ -937,7 +926,12 @@ goto set_full; /* Create a new slot */ if (n->pos >= n->size) { - TUNE_BUCKETSIZE(h, multi); +#ifdef IP_SET_HASH_WITH_MULTI + if (h->bucketsize >= AHASH_MAX_TUNED) + goto set_full; + else if (h->bucketsize <= multi) + h->bucketsize += AHASH_INIT_SIZE; +#endif if (n->size >= AHASH_MAX(h)) { /* Trigger rehashing */ mtype_data_next(&h->next, d); 
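Review bot: `mtype_same_set` now compares only `bitmask`, so a set created with `netmask 24` and one created with `bitmask 255.255.255.0` compare equal even though `h->netmask` differs (the create path leaves it at the host mask for bitmask sets) and that field still drives the `hosts` stepping in hash_ip4_uadt and which attribute is listed. If SWAP between such sets is intended, a comment saying the netmask value is derived and not part of set identity would help; otherwise restore `x->netmask == y->netmask &&` next to the bitmask comparison. The remaining conditions of the function continue outside the hunk.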
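Review bot: The inline replacement for `tune_bucketsize()` dropped the comment explaining the `AHASH_MAX_TUNED` ceiling ("at listing one hash bucket must fit into a message"); with the limit now an anonymous `goto set_full`, please carry it over: `/* a bucket must still fit into one netlink message at listing */`. The old helper also clamped with `n <= AHASH_MAX_TUNED ? n : curr`, whereas `h->bucketsize += AHASH_INIT_SIZE` can overshoot the ceiling if bucketsize is ever not a multiple of AHASH_INIT_SIZE below 64; if the create path guarantees alignment that is fine, otherwise `h->bucketsize = min_t(u8, h->bucketsize + AHASH_INIT_SIZE, AHASH_MAX_TUNED);` is the safer form. `mtype_add` starts and ends outside this hunk.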
@@ -1283,9 +1277,21 @@ htonl(jhash_size(htable_bits))) || nla_put_net32(skb, IPSET_ATTR_MAXELEM, htonl(h->maxelem))) goto nla_put_failure; +#ifdef IP_SET_HASH_WITH_BITMASK + /* if netmask is set to anything other than HOST_MASK we know that the user supplied netmask + * and not bitmask. These two are mutually exclusive. */ + if (h->netmask == HOST_MASK && !nf_inet_addr_cmp(&onesmask, &h->bitmask)) { + if (set->family == NFPROTO_IPV4) { + if (nla_put_ipaddr4(skb, IPSET_ATTR_BITMASK, h->bitmask.ip)) + goto nla_put_failure; + } else if (set->family == NFPROTO_IPV6) { + if (nla_put_ipaddr6(skb, IPSET_ATTR_BITMASK, &h->bitmask.in6)) + goto nla_put_failure; + } + } +#endif #ifdef IP_SET_HASH_WITH_NETMASK - if (h->netmask != HOST_MASK && - nla_put_u8(skb, IPSET_ATTR_NETMASK, h->netmask)) + if (h->netmask != HOST_MASK && nla_put_u8(skb, IPSET_ATTR_NETMASK, h->netmask)) goto nla_put_failure; #endif #ifdef IP_SET_HASH_WITH_MARKMASK @@ -1448,8 +1454,10 @@ u32 markmask; #endif u8 hbits; -#ifdef IP_SET_HASH_WITH_NETMASK - u8 netmask; +#if defined(IP_SET_HASH_WITH_NETMASK) || defined(IP_SET_HASH_WITH_BITMASK) + int ret __attribute__((unused)) = 0; + u8 netmask = set->family == NFPROTO_IPV4 ? 32 : 128; + union nf_inet_addr bitmask = onesmask; #endif size_t hsize; struct htype *h; @@ -1487,7 +1495,6 @@ #endif #ifdef IP_SET_HASH_WITH_NETMASK - netmask = set->family == NFPROTO_IPV4 ? 32 : 128; if (tbIPSET_ATTR_NETMASK) { netmask = nla_get_u8(tbIPSET_ATTR_NETMASK); 
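Review bot: The `IPSET_ATTR_BITMASK` listing is gated on `!nf_inet_addr_cmp(&onesmask, &h->bitmask)`, which depends on an invariant that is only implicit: for IPv4 sets the create path overwrites `bitmask.ip` alone, so words all1..all3 keep their onesmask value and the full-union compare still works. That deserves a comment at the compare, e.g. `/* IPv4: only .ip is ever changed, the upper words keep the onesmask value */`, since any future code that zeroes those words would silently make every IPv4 set list a bitmask. The `h->netmask == HOST_MASK` half of the condition is explained by the comment above it; the second half is not.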
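Review bot: `int ret __attribute__((unused)) = 0;` uses the raw GCC attribute where the kernel spells this `__maybe_unused`, and since `ret` is only assigned inside the `#ifdef IP_SET_HASH_WITH_BITMASK` block, declaring it there (`int ret;` at the top of that block) removes the need for any attribute. The `= 0` initialiser is also dead, as every use is preceded by an assignment from `ip_set_get_ipaddr4/6`. `mtype_create` continues outside the hunk.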
@@ -1495,6 +1502,33 @@ (set->family == NFPROTO_IPV6 && netmask > 128) || netmask == 0) return -IPSET_ERR_INVALID_NETMASK; + + /* we convert netmask to bitmask and store it */ + if (set->family == NFPROTO_IPV4) + bitmask.ip = ip_set_netmask(netmask); + else + ip6_netmask(&bitmask, netmask); + } +#endif + +#ifdef IP_SET_HASH_WITH_BITMASK + if (tbIPSET_ATTR_BITMASK) { + /* bitmask and netmask do the same thing, allow only one of these options */ + if (tbIPSET_ATTR_NETMASK) + return -IPSET_ERR_BITMASK_NETMASK_EXCL; + + if (set->family == NFPROTO_IPV4) { + ret = ip_set_get_ipaddr4(tbIPSET_ATTR_BITMASK, &bitmask.ip); + if (ret || !bitmask.ip) + return -IPSET_ERR_INVALID_NETMASK; + } else if (set->family == NFPROTO_IPV6) { + ret = ip_set_get_ipaddr6(tbIPSET_ATTR_BITMASK, &bitmask); + if (ret || ipv6_addr_any(&bitmask.in6)) + return -IPSET_ERR_INVALID_NETMASK; + } + + if (nf_inet_addr_cmp(&bitmask, &zeromask)) + return -IPSET_ERR_INVALID_NETMASK; } #endif @@ -1537,7 +1571,8 @@ for (i = 0; i < ahash_numof_locks(hbits); i++) spin_lock_init(&t->hregioni.lock); h->maxelem = maxelem; -#ifdef IP_SET_HASH_WITH_NETMASK +#if defined(IP_SET_HASH_WITH_NETMASK) || defined(IP_SET_HASH_WITH_BITMASK) + h->bitmask = bitmask; h->netmask = netmask; #endif #ifdef IP_SET_HASH_WITH_MARKMASK
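Review bot: The trailing `if (nf_inet_addr_cmp(&bitmask, &zeromask)) return -IPSET_ERR_INVALID_NETMASK;` in the BITMASK block cannot fire: the IPv6 branch already rejected `ipv6_addr_any`, and for IPv4 only `bitmask.ip` was overwritten while all1..all3 keep their onesmask initial value, so the union is never all-zero. Either drop the line or, if the intent was to reject an all-zero IPv4 word, that is already `if (ret || !bitmask.ip)` a few lines up. A non-contiguous mask is accepted by design, which a comment could state explicitly since users of `netmask` will expect a prefix and the error code returned for a bad bitmask is still `IPSET_ERR_INVALID_NETMASK`. `mtype_create` continues outside the hunk.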
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ip.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ip.c
Changed
@@ -25,7 +25,8 @@ /* 2 Comments support */ /* 3 Forceadd support */ /* 4 skbinfo support */ -#define IPSET_TYPE_REV_MAX 5 /* bucketsize, initval support */ +/* 5 bucketsize, initval support */ +#define IPSET_TYPE_REV_MAX 6 /* bitmask support */ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@netfilter.org>"); @@ -35,6 +36,7 @@ /* Type specific function prefix */ #define HTYPE hash_ip #define IP_SET_HASH_WITH_NETMASK +#define IP_SET_HASH_WITH_BITMASK /* IPv4 variant */ @@ -87,7 +89,7 @@ __be32 ip; ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &ip); - ip &= ip_set_netmask(h->netmask); + ip &= h->bitmask.ip; if (ip == 0) return -EINVAL; @@ -99,11 +101,11 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_ip4 *h = set->data; + struct hash_ip4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_ip4_elem e = { 0 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip = 0, ip_to = 0, hosts; + u32 ip = 0, ip_to = 0, hosts, i = 0; int ret = 0; if (tbIPSET_ATTR_LINENO) @@ -120,7 +122,7 @@ if (ret) return ret; - ip &= ip_set_hostmask(h->netmask); + ip &= ntohl(h->bitmask.ip); e.ip = htonl(ip); if (e.ip == 0) return -IPSET_ERR_HASH_ELEM; @@ -148,22 +150,20 @@ hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1); - /* 64bit division is not allowed on 32bit */ - if (((u64)ip_to - ip + 1) >> (32 - h->netmask) > IPSET_MAX_RANGE) - return -ERANGE; - - if (retried) { + if (retried) ip = ntohl(h->next.ip); + for (; ip <= ip_to; i++) { e.ip = htonl(ip); - } - for (; ip <= ip_to;) { + if (i > IPSET_MAX_RANGE) { + hash_ip4_data_next(&h->next, &e); + return -ERANGE; + } ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags)) return ret; ip += hosts; - e.ip = htonl(ip); - if (e.ip == 0) + if (ip == 0) return 0; ret = 0; 
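Review bot: In hash_ip4_uadt the bitmask is applied once (`ip &= ntohl(h->bitmask.ip)`) before the range loop, but inside the loop `e.ip = htonl(ip)` is stored unmasked, and the step `hosts` is derived from `h->netmask`, which the create path leaves at 32 for sets created with `bitmask` instead of `netmask`. For such a set an add with IP_TO or CIDR therefore steps one host at a time and inserts intermediate addresses that the kadt path, which masks the packet address, can never match. Masking inside the loop, `e.ip = htonl(ip) & h->bitmask.ip;`, fixes the stored values but then every repeated masked address returns -IPSET_ERR_EXIST unless `-exist` is given, so the cleaner fix is probably to reject ranges on non-prefix bitmask sets or to advance `ip` to the next value that changes the masked result. The lines between the masking and the loop are outside this hunk, so please confirm `ip` is not normalised there.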
@@ -188,12 +188,6 @@ return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6); } -static void -hash_ip6_netmask(union nf_inet_addr *ip, u8 prefix) -{ - ip6_netmask(ip, prefix); -} - static bool hash_ip6_data_list(struct sk_buff *skb, const struct hash_ip6_elem *e) { @@ -230,7 +224,7 @@ struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6); - hash_ip6_netmask(&e.ip, h->netmask); + nf_inet_addr_mask_inplace(&e.ip, &h->bitmask); if (ipv6_addr_any(&e.ip.in6)) return -EINVAL; @@ -269,7 +263,7 @@ if (ret) return ret; - hash_ip6_netmask(&e.ip, h->netmask); + nf_inet_addr_mask_inplace(&e.ip, &h->bitmask); if (ipv6_addr_any(&e.ip.in6)) return -IPSET_ERR_HASH_ELEM; @@ -296,6 +290,7 @@ IPSET_ATTR_RESIZE = { .type = NLA_U8 }, IPSET_ATTR_TIMEOUT = { .type = NLA_U32 }, IPSET_ATTR_NETMASK = { .type = NLA_U8 }, + IPSET_ATTR_BITMASK = { .type = NLA_NESTED }, IPSET_ATTR_CADT_FLAGS = { .type = NLA_U32 }, }, .adt_policy = {
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipmark.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipmark.c
Changed
@@ -99,11 +99,11 @@ hash_ipmark4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_ipmark4 *h = set->data; + struct hash_ipmark4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_ipmark4_elem e = { }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip, ip_to = 0; + u32 ip, ip_to = 0, i = 0; int ret; if (tbIPSET_ATTR_LINENO) @@ -150,13 +150,14 @@ ip_set_mask_from_to(ip, ip_to, cidr); } - if (((u64)ip_to - ip + 1) > IPSET_MAX_RANGE) - return -ERANGE; - if (retried) ip = ntohl(h->next.ip); - for (; ip <= ip_to; ip++) { + for (; ip <= ip_to; ip++, i++) { e.ip = htonl(ip); + if (i > IPSET_MAX_RANGE) { + hash_ipmark4_data_next(&h->next, &e); + return -ERANGE; + } ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags))
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipport.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipport.c
Changed
@@ -27,7 +27,8 @@ /* 3 Comments support added */ /* 4 Forceadd support added */ /* 5 skbinfo support added */ -#define IPSET_TYPE_REV_MAX 6 /* bucketsize, initval support added */ +/* 6 bucketsize, initval support added */ +#define IPSET_TYPE_REV_MAX 7 /* bitmask support added */ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@netfilter.org>"); @@ -36,6 +37,8 @@ /* Type specific function prefix */ #define HTYPE hash_ipport +#define IP_SET_HASH_WITH_NETMASK +#define IP_SET_HASH_WITH_BITMASK /* IPv4 variant */ @@ -93,12 +96,16 @@ ipset_adtfn adtfn = set->variant->adtadt; struct hash_ipport4_elem e = { .ip = 0 }; struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); + const struct MTYPE *h = set->data; if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.port, &e.proto)) return -EINVAL; ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip); + e.ip &= h->bitmask.ip; + if (e.ip == 0) + return -EINVAL; return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); } @@ -106,11 +113,11 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_ipport4 *h = set->data; + struct hash_ipport4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_ipport4_elem e = { .ip = 0 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip, ip_to = 0, p = 0, port, port_to; + u32 ip, ip_to = 0, p = 0, port, port_to, i = 0; bool with_ports = false; int ret; @@ -130,6 +137,10 @@ if (ret) return ret; + e.ip &= h->bitmask.ip; + if (e.ip == 0) + return -EINVAL; + e.port = nla_get_be16(tbIPSET_ATTR_PORT); if (tbIPSET_ATTR_PROTO) { 
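Review bot: The new zero-after-mask check in hash_ipport4_uadt returns `-EINVAL`, while the equivalent check in hash_ip4_uadt returns `-IPSET_ERR_HASH_ELEM`; from userspace the former surfaces as a generic "invalid argument" where the latter gives the set-specific "zero valued element" message. Suggest `return -IPSET_ERR_HASH_ELEM;` here (the kadt variants rightly keep -EINVAL, having no userspace caller). The function continues outside the hunk.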
@@ -174,17 +185,18 @@ swap(port, port_to); } - if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE) - return -ERANGE; - if (retried) ip = ntohl(h->next.ip); for (; ip <= ip_to; ip++) { p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port) : port; - for (; p <= port_to; p++) { + for (; p <= port_to; p++, i++) { e.ip = htonl(ip); e.port = htons(p); + if (i > IPSET_MAX_RANGE) { + hash_ipport4_data_next(&h->next, &e); + return -ERANGE; + } ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags)) @@ -254,12 +266,17 @@ ipset_adtfn adtfn = set->variant->adtadt; struct hash_ipport6_elem e = { .ip = { .all = { 0 } } }; struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); + const struct MTYPE *h = set->data; if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.port, &e.proto)) return -EINVAL; ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6); + nf_inet_addr_mask_inplace(&e.ip, &h->bitmask); + if (ipv6_addr_any(&e.ip.in6)) + return -EINVAL; + return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); } @@ -299,6 +316,10 @@ if (ret) return ret; + nf_inet_addr_mask_inplace(&e.ip, &h->bitmask); + if (ipv6_addr_any(&e.ip.in6)) + return -EINVAL; + e.port = nla_get_be16(tbIPSET_ATTR_PORT); if (tbIPSET_ATTR_PROTO) { @@ -357,6 +378,8 @@ IPSET_ATTR_PROTO = { .type = NLA_U8 }, IPSET_ATTR_TIMEOUT = { .type = NLA_U32 }, IPSET_ATTR_CADT_FLAGS = { .type = NLA_U32 }, + IPSET_ATTR_NETMASK = { .type = NLA_U8 }, + IPSET_ATTR_BITMASK = { .type = NLA_NESTED }, }, .adt_policy = { IPSET_ATTR_IP = { .type = NLA_NESTED },
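Review bot: hash:ip,port now accepts `netmask`/`bitmask`, but the range loop at the end of hash_ipport4_uadt still stores `e.ip = htonl(ip)` for every `ip` between the bounds without re-applying `h->bitmask.ip` and without the `hosts` stepping hash_ip4_uadt uses, so an add of `10.0.0.0-10.0.0.255,80` on a `netmask 24` set inserts 256 unmasked elements of which only the first can be matched by the masked kadt path. Either mask inside the inner loop, `e.ip = htonl(ip) & h->bitmask.ip;`, and tolerate the resulting -IPSET_ERR_EXIST duplicates, or step `ip` by the mask's block size as hash_ip4_uadt does. The derivation of `ip` from the masked `e.ip` and the loop's tail are outside this hunk, so confirm nothing there normalises it.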
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipportip.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipportip.c
Changed
@@ -109,11 +109,11 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_ipportip4 *h = set->data; + struct hash_ipportip4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_ipportip4_elem e = { .ip = 0 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip, ip_to = 0, p = 0, port, port_to; + u32 ip, ip_to = 0, p = 0, port, port_to, i = 0; bool with_ports = false; int ret; @@ -181,17 +181,18 @@ swap(port, port_to); } - if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE) - return -ERANGE; - if (retried) ip = ntohl(h->next.ip); for (; ip <= ip_to; ip++) { p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port) : port; - for (; p <= port_to; p++) { + for (; p <= port_to; p++, i++) { e.ip = htonl(ip); e.port = htons(p); + if (i > IPSET_MAX_RANGE) { + hash_ipportip4_data_next(&h->next, &e); + return -ERANGE; + } ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags))
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipportnet.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipportnet.c
Changed
@@ -161,12 +161,12 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_ipportnet4 *h = set->data; + struct hash_ipportnet4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_ipportnet4_elem e = { .cidr = HOST_MASK - 1 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); u32 ip = 0, ip_to = 0, p = 0, port, port_to; - u32 ip2_from = 0, ip2_to = 0, ip2; + u32 ip2_from = 0, ip2_to = 0, ip2, i = 0; bool with_ports = false; u8 cidr; int ret; @@ -254,9 +254,6 @@ swap(port, port_to); } - if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE) - return -ERANGE; - ip2_to = ip2_from; if (tbIPSET_ATTR_IP2_TO) { ret = ip_set_get_hostipaddr4(tbIPSET_ATTR_IP2_TO, &ip2_to); @@ -283,9 +280,15 @@ for (; p <= port_to; p++) { e.port = htons(p); do { + i++; e.ip2 = htonl(ip2); ip2 = ip_set_range_to_cidr(ip2, ip2_to, &cidr); e.cidr = cidr - 1; + if (i > IPSET_MAX_RANGE) { + hash_ipportnet4_data_next(&h->next, + &e); + return -ERANGE; + } ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags))
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_net.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_net.c
Changed
@@ -137,11 +137,11 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_net4 *h = set->data; + struct hash_net4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_net4_elem e = { .cidr = HOST_MASK }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip = 0, ip_to = 0, ipn, n = 0; + u32 ip = 0, ip_to = 0, i = 0; int ret; if (tbIPSET_ATTR_LINENO) @@ -189,19 +189,16 @@ if (ip + UINT_MAX == ip_to) return -IPSET_ERR_HASH_RANGE; } - ipn = ip; - do { - ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr); - n++; - } while (ipn++ < ip_to); - - if (n > IPSET_MAX_RANGE) - return -ERANGE; if (retried) ip = ntohl(h->next.ip); do { + i++; e.ip = htonl(ip); + if (i > IPSET_MAX_RANGE) { + hash_net4_data_next(&h->next, &e); + return -ERANGE; + } ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr); ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags))
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netiface.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netiface.c
Changed
@@ -203,7 +203,7 @@ ipset_adtfn adtfn = set->variant->adtadt; struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip = 0, ip_to = 0, ipn, n = 0; + u32 ip = 0, ip_to = 0, i = 0; int ret; if (tbIPSET_ATTR_LINENO) @@ -257,19 +257,16 @@ } else { ip_set_mask_from_to(ip, ip_to, e.cidr); } - ipn = ip; - do { - ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr); - n++; - } while (ipn++ < ip_to); - - if (n > IPSET_MAX_RANGE) - return -ERANGE; if (retried) ip = ntohl(h->next.ip); do { + i++; e.ip = htonl(ip); + if (i > IPSET_MAX_RANGE) { + hash_netiface4_data_next(&h->next, &e); + return -ERANGE; + } ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr); ret = adtfn(set, &e, &ext, &ext, flags);
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netnet.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netnet.c
Changed
@@ -23,7 +23,8 @@ #define IPSET_TYPE_REV_MIN 0 /* 1 Forceadd support added */ /* 2 skbinfo support added */ -#define IPSET_TYPE_REV_MAX 3 /* bucketsize, initval support added */ +/* 3 bucketsize, initval support added */ +#define IPSET_TYPE_REV_MAX 4 /* bitmask support added */ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>"); @@ -33,6 +34,8 @@ /* Type specific function prefix */ #define HTYPE hash_netnet #define IP_SET_HASH_WITH_NETS +#define IP_SET_HASH_WITH_NETMASK +#define IP_SET_HASH_WITH_BITMASK #define IPSET_NET_COUNT 2 /* IPv4 variants */ @@ -153,8 +156,8 @@ ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip0); ip4addrptr(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.ip1); - e.ip0 &= ip_set_netmask(e.cidr0); - e.ip1 &= ip_set_netmask(e.cidr1); + e.ip0 &= (ip_set_netmask(e.cidr0) & h->bitmask.ip); + e.ip1 &= (ip_set_netmask(e.cidr1) & h->bitmask.ip); return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); } @@ -163,13 +166,12 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_netnet4 *h = set->data; + struct hash_netnet4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_netnet4_elem e = { }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); u32 ip = 0, ip_to = 0; - u32 ip2 = 0, ip2_from = 0, ip2_to = 0, ipn; - u64 n = 0, m = 0; + u32 ip2 = 0, ip2_from = 0, ip2_to = 0, i = 0; int ret; if (tbIPSET_ATTR_LINENO) @@ -213,8 +215,8 @@ if (adt == IPSET_TEST || !(tbIPSET_ATTR_IP_TO || tbIPSET_ATTR_IP2_TO)) { - e.ip0 = htonl(ip & ip_set_hostmask(e.cidr0)); - e.ip1 = htonl(ip2_from & ip_set_hostmask(e.cidr1)); + e.ip0 = htonl(ip & ntohl(h->bitmask.ip) & ip_set_hostmask(e.cidr0)); + e.ip1 = htonl(ip2_from & ntohl(h->bitmask.ip) & ip_set_hostmask(e.cidr1)); ret = adtfn(set, &e, &ext, &ext, flags); return ip_set_enomatch(ret, flags, adt, set) ? -ret : ip_set_eexist(ret, flags) ? 0 : ret; 
@@ -245,19 +247,6 @@ } else { ip_set_mask_from_to(ip2_from, ip2_to, e.cidr1); } - ipn = ip; - do { - ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr0); - n++; - } while (ipn++ < ip_to); - ipn = ip2_from; - do { - ipn = ip_set_range_to_cidr(ipn, ip2_to, &e.cidr1); - m++; - } while (ipn++ < ip2_to); - - if (n*m > IPSET_MAX_RANGE) - return -ERANGE; if (retried) { ip = ntohl(h->next.ip0); @@ -270,7 +259,12 @@ e.ip0 = htonl(ip); ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr0); do { + i++; e.ip1 = htonl(ip2); + if (i > IPSET_MAX_RANGE) { + hash_netnet4_data_next(&h->next, &e); + return -ERANGE; + } ip2 = ip_set_range_to_cidr(ip2, ip2_to, &e.cidr1); ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags)) @@ -404,6 +398,11 @@ ip6_netmask(&e.ip0, e.cidr0); ip6_netmask(&e.ip1, e.cidr1); + nf_inet_addr_mask_inplace(&e.ip0, &h->bitmask); + nf_inet_addr_mask_inplace(&e.ip1, &h->bitmask); + if (e.cidr0 == HOST_MASK && ipv6_addr_any(&e.ip0.in6)) + return -EINVAL; + return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); } @@ -414,6 +413,7 @@ ipset_adtfn adtfn = set->variant->adtadt; struct hash_netnet6_elem e = { }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); + const struct hash_netnet6 *h = set->data; int ret; if (tbIPSET_ATTR_LINENO) @@ -453,6 +453,11 @@ ip6_netmask(&e.ip0, e.cidr0); ip6_netmask(&e.ip1, e.cidr1); + nf_inet_addr_mask_inplace(&e.ip0, &h->bitmask); + nf_inet_addr_mask_inplace(&e.ip1, &h->bitmask); + if (e.cidr0 == HOST_MASK && ipv6_addr_any(&e.ip0.in6)) + return -IPSET_ERR_HASH_ELEM; + if (tbIPSET_ATTR_CADT_FLAGS) { u32 cadt_flags = ip_set_get_h32(tbIPSET_ATTR_CADT_FLAGS); @@ -484,6 +489,8 @@ IPSET_ATTR_RESIZE = { .type = NLA_U8 }, IPSET_ATTR_TIMEOUT = { .type = NLA_U32 }, IPSET_ATTR_CADT_FLAGS = { .type = NLA_U32 }, + IPSET_ATTR_NETMASK = { .type = NLA_U8 }, + IPSET_ATTR_BITMASK = { .type = NLA_NESTED }, }, .adt_policy = { IPSET_ATTR_IP = { .type = NLA_NESTED },
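Review bot: In hash_netnet4_uadt the bitmask is applied only on the single-element/TEST path (`e.ip0 = htonl(ip & ntohl(h->bitmask.ip) & ip_set_hostmask(e.cidr0))`); the FROM-TO loop further down still stores `e.ip0 = htonl(ip)` and `e.ip1 = htonl(ip2)` unmasked, so range adds may create elements that hash_netnet4_kadt, which masks with `h->bitmask.ip`, can never match. Unless the bitmask is meant to be ignored for ranges, the loop should mask the same way, e.g. `e.ip0 = htonl(ip & ntohl(h->bitmask.ip));` and `e.ip1 = htonl(ip2 & ntohl(h->bitmask.ip));`. The IPv6 paths reject an all-zero masked ip0 only when `e.cidr0 == HOST_MASK` and never look at ip1, while the IPv4 kadt rejects nothing; if that asymmetry is intentional a one-line comment would help. Both uadt functions continue outside their hunks.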
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netport.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netport.c
Changed
@@ -155,12 +155,11 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_netport4 *h = set->data; + struct hash_netport4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_netport4_elem e = { .cidr = HOST_MASK - 1 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 port, port_to, p = 0, ip = 0, ip_to = 0, ipn; - u64 n = 0; + u32 port, port_to, p = 0, ip = 0, ip_to = 0, i = 0; bool with_ports = false; u8 cidr; int ret; @@ -237,14 +236,6 @@ } else { ip_set_mask_from_to(ip, ip_to, e.cidr + 1); } - ipn = ip; - do { - ipn = ip_set_range_to_cidr(ipn, ip_to, &cidr); - n++; - } while (ipn++ < ip_to); - - if (n*(port_to - port + 1) > IPSET_MAX_RANGE) - return -ERANGE; if (retried) { ip = ntohl(h->next.ip); @@ -256,8 +247,12 @@ e.ip = htonl(ip); ip = ip_set_range_to_cidr(ip, ip_to, &cidr); e.cidr = cidr - 1; - for (; p <= port_to; p++) { + for (; p <= port_to; p++, i++) { e.port = htons(p); + if (i > IPSET_MAX_RANGE) { + hash_netport4_data_next(&h->next, &e); + return -ERANGE; + } ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags)) return ret;
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netportnet.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netportnet.c
Changed
@@ -174,17 +174,26 @@ return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); } +static u32 +hash_netportnet4_range_to_cidr(u32 from, u32 to, u8 *cidr) +{ + if (from == 0 && to == UINT_MAX) { + *cidr = 0; + return to; + } + return ip_set_range_to_cidr(from, to, cidr); +} + static int hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_netportnet4 *h = set->data; + struct hash_netportnet4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_netportnet4_elem e = { }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); u32 ip = 0, ip_to = 0, p = 0, port, port_to; - u32 ip2_from = 0, ip2_to = 0, ip2, ipn; - u64 n = 0, m = 0; + u32 ip2_from = 0, ip2_to = 0, ip2, i = 0; bool with_ports = false; int ret; @@ -286,19 +295,6 @@ } else { ip_set_mask_from_to(ip2_from, ip2_to, e.cidr1); } - ipn = ip; - do { - ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr0); - n++; - } while (ipn++ < ip_to); - ipn = ip2_from; - do { - ipn = ip_set_range_to_cidr(ipn, ip2_to, &e.cidr1); - m++; - } while (ipn++ < ip2_to); - - if (n*m*(port_to - port + 1) > IPSET_MAX_RANGE) - return -ERANGE; if (retried) { ip = ntohl(h->next.ip0); @@ -311,13 +307,19 @@ do { e.ip0 = htonl(ip); - ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr0); + ip = hash_netportnet4_range_to_cidr(ip, ip_to, &e.cidr0); for (; p <= port_to; p++) { e.port = htons(p); do { + i++; e.ip1 = htonl(ip2); - ip2 = ip_set_range_to_cidr(ip2, ip2_to, - &e.cidr1); + if (i > IPSET_MAX_RANGE) { + hash_netportnet4_data_next(&h->next, + &e); + return -ERANGE; + } + ip2 = hash_netportnet4_range_to_cidr(ip2, + ip2_to, &e.cidr1); ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags)) return ret;
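Review bot: The new helper hash_netportnet4_range_to_cidr has no comment explaining its special case: `from == 0 && to == UINT_MAX` is reported as `*cidr = 0` with `to` returned so the caller's loop terminates, and a reader cannot tell from the hunk why ip_set_range_to_cidr is bypassed for exactly that input. A header comment such as `/* Like ip_set_range_to_cidr(), but maps the full 0.0.0.0-255.255.255.255 range to a single /0 element. */` would make the intent explicit; phrase the contrast according to what ip_set_range_to_cidr actually does, which is outside this hunk. The helper is used for both ip and ip2 in hash_netportnet4_uadt, whose body continues outside the hunk.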
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/sched/em_ipset.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/sched/em_ipset.c
Changed
@@ -1,11 +1,8 @@ +// SPDX-License-Identifier: GPL-2.0-only /* * net/sched/em_ipset.c ipset ematch * * Copyright (c) 2012 Florian Westphal <fw@strlen.de> - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * version 2 as published by the Free Software Foundation. */ #include <linux/gfp.h> @@ -87,7 +84,7 @@ #else #define ACPAR_FAMILY(f) acpar.family = f #endif - switch (tc_skb_protocol(skb)) { + switch (skb_protocol(skb, true)) { case htons(ETH_P_IP): ACPAR_FAMILY(NFPROTO_IPV4); if (!pskb_network_may_pull(skb, sizeof(struct iphdr)))
_service:tar_scm:ipset-7.15.tar.bz2/lib/Makefile.in -> _service:tar_scm:ipset-7.17.tar.bz2/lib/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -504,7 +504,7 @@ top_srcdir = @top_srcdir@ # curr:rev:age -LIBVERSION = 16:0:3 +LIBVERSION = 17:0:4 AM_CPPFLAGS = $(kinclude_CFLAGS) $(all_includes) -I$(top_srcdir)/include AM_CFLAGS = -std=gnu99 $(am__append_1) $(am__append_2) \ ${libmnl_CFLAGS} $(am__append_3) @@ -869,7 +869,8 @@ done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-am -install-exec: install-exec-am +install-exec: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -1000,7 +1001,7 @@ uninstall-man: uninstall-man3 -.MAKE: all check install install-am install-strip +.MAKE: all check install install-am install-exec install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ clean-generic clean-libLTLIBRARIES clean-libtool cscopelist-am \
_service:tar_scm:ipset-7.15.tar.bz2/lib/args.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/args.c
Changed
@@ -300,6 +300,14 @@ .print = ipset_print_hexnumber, .help = "initval VALUE", }, + IPSET_ARG_BITMASK = { + .name = { "bitmask", NULL }, + .has_arg = IPSET_MANDATORY_ARG, + .opt = IPSET_OPT_BITMASK, + .parse = ipset_parse_bitmask, + .print = ipset_print_ip, + .help = "bitmask bitmask", + }, }; const struct ipset_arg *
_service:tar_scm:ipset-7.15.tar.bz2/lib/data.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/data.c
Changed
@@ -53,6 +53,7 @@ uint8_t bucketsize; uint8_t resize; uint8_t netmask; + union nf_inet_addr bitmask; uint32_t hashsize; uint32_t maxelem; uint32_t markmask; @@ -301,6 +302,12 @@ case IPSET_OPT_NETMASK: data->create.netmask = *(const uint8_t *) value; break; + case IPSET_OPT_BITMASK: + if (!(data->family == NFPROTO_IPV4 || + data->family == NFPROTO_IPV6)) + return -1; + copy_addr(data->family, &data->create.bitmask, value); + break; case IPSET_OPT_BUCKETSIZE: data->create.bucketsize = *(const uint8_t *) value; break; @@ -508,6 +515,8 @@ return &data->create.markmask; case IPSET_OPT_NETMASK: return &data->create.netmask; + case IPSET_OPT_BITMASK: + return &data->create.bitmask; case IPSET_OPT_BUCKETSIZE: return &data->create.bucketsize; case IPSET_OPT_RESIZE: @@ -594,6 +603,7 @@ case IPSET_OPT_IP_TO: case IPSET_OPT_IP2: case IPSET_OPT_IP2_TO: + case IPSET_OPT_BITMASK: return family == NFPROTO_IPV4 ? sizeof(uint32_t) : sizeof(struct in6_addr); case IPSET_OPT_MARK:
_service:tar_scm:ipset-7.15.tar.bz2/lib/debug.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/debug.c
Changed
@@ -40,6 +40,7 @@ IPSET_ATTR_MAXELEM = { .name = "MAXELEM" }, IPSET_ATTR_MARKMASK = { .name = "MARKMASK" }, IPSET_ATTR_NETMASK = { .name = "NETMASK" }, + IPSET_ATTR_BITMASK = { .name = "BITMASK" }, IPSET_ATTR_BUCKETSIZE = { .name = "BUCKETSIZE" }, IPSET_ATTR_RESIZE = { .name = "RESIZE" }, IPSET_ATTR_SIZE = { .name = "SIZE" },
_service:tar_scm:ipset-7.15.tar.bz2/lib/errcode.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/errcode.c
Changed
@@ -44,6 +44,8 @@ "The value of the markmask parameter is invalid" }, { IPSET_ERR_INVALID_FAMILY, 0, "Protocol family not supported by the set type" }, + { IPSET_ERR_BITMASK_NETMASK_EXCL, 0, + "netmask and bitmask options are mutually exclusive, provide only one" }, /* DESTROY specific error codes */ { IPSET_ERR_BUSY, IPSET_CMD_DESTROY,
_service:tar_scm:ipset-7.15.tar.bz2/lib/ipset.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/ipset.c
Changed
@@ -30,6 +30,7 @@ #include <libipset/ipset.h> /* prototypes */ #include <libipset/ip_set_compiler.h> /* compiler attributes */ #include <libipset/list_sort.h> /* lists */ +#include <libipset/xlate.h> /* ipset_xlate_argv */ static char program_name = PACKAGE; static char program_version = PACKAGE_VERSION; @@ -936,10 +937,10 @@ IPSET_TEST = "test SETNAME", }; -static const struct ipset_xlate_set * +static struct ipset_xlate_set * ipset_xlate_set_get(struct ipset *ipset, const char *name) { - const struct ipset_xlate_set *set; + struct ipset_xlate_set *set; list_for_each_entry(set, &ipset->xlate_sets, list) { if (!strcmp(set->name, name)) @@ -949,18 +950,6 @@ return NULL; } -static const struct ipset_type *ipset_xlate_type_get(struct ipset *ipset, - const char *name) -{ - const struct ipset_xlate_set *set; - - set = ipset_xlate_set_get(ipset, name); - if (!set) - return NULL; - - return set->type; -} - static int ipset_parser(struct ipset *ipset, int oargc, char *oargv) { @@ -970,7 +959,7 @@ char *arg0 = NULL, *arg1 = NULL; const struct ipset_envopts *opt; const struct ipset_commands *command; - const struct ipset_type *type; + const struct ipset_type *type = NULL; struct ipset_session *session = ipset->session; void *p = ipset_session_printf_private(session); int argc = oargc; @@ -1139,6 +1128,7 @@ if (arg0) { const struct ipset_arg *arg; int k; + enum ipset_adt c; /* Type-specific help, without kernel checking */ type = type_find(arg0); 
@@ -1148,11 +1138,11 @@ "Unknown settype: `%s'", arg0); printf("\n%s type specific options:\n\n", type->name); for (i = 0; cmd_help_orderi != IPSET_CADT_MAX; i++) { - cmd = cmd_help_orderi; + c = cmd_help_orderi; printf("%s %s %s\n", - cmd_prefixcmd, type->name, type->cmdcmd.help); - for (k = 0; type->cmdcmd.argsk != IPSET_ARG_NONE; k++) { - arg = ipset_keyword(type->cmdcmd.argsk); + cmd_prefixc, type->name, type->cmdc.help); + for (k = 0; type->cmdc.argsk != IPSET_ARG_NONE; k++) { + arg = ipset_keyword(type->cmdc.argsk); if (!arg->help || arg->help0 == '\0') continue; printf(" %s\n", arg->help); @@ -1282,8 +1272,16 @@ if (!ipset->xlate) { type = ipset_type_get(session, cmd); } else { - type = ipset_xlate_type_get(ipset, arg0); - ipset_session_data_set(session, IPSET_OPT_TYPE, type); + const struct ipset_xlate_set *xlate_set; + + xlate_set = ipset_xlate_set_get(ipset, arg0); + if (xlate_set) { + ipset_session_data_set(session, IPSET_OPT_TYPE, + xlate_set->type); + ipset_session_data_set(session, IPSET_OPT_FAMILY, + &xlate_set->family); + type = xlate_set->type; + } } if (type == NULL) return ipset->standard_error(ipset, p); @@ -1552,7 +1550,7 @@ } /* Ignore the set family, use inet. */ -static const char *ipset_xlate_family(uint8_t family) +static const char *ipset_xlate_family(uint8_t family UNUSED) { return "inet"; } @@ -1709,6 +1707,10 @@ else if (family == AF_INET6) return "ipv6_addr"; break; + case IPSET_XLATE_TYPE_UNKNOWN: + break; + default: + break; } /* This should not ever happen. */ return "unknown"; @@ -1733,7 +1735,6 @@ char buf64; bool concat; char *term; - int i; session = ipset_session(ipset); data = ipset_session_data(session); @@ -1847,7 +1848,7 @@ return -1; case IPSET_CMD_LIST: if (!set) { - printf("list sets %s\n", + printf("list sets %s %s\n", ipset_xlate_family(family), table); } else { printf("list set %s %s %s\n", 
@@ -1906,6 +1907,8 @@ } if (ipset_data_test(data, IPSET_OPT_ETHER)) { ipset_print_ether(buf, sizeof(buf), data, IPSET_OPT_ETHER, 0); + size_t i; + for (i = 0; i < strlen(buf); i++) bufi = tolower(bufi); @@ -1968,7 +1971,6 @@ struct ipset_session *session = ipset_session(ipset); struct ipset_data *data = ipset_session_data(session); void *p = ipset_session_printf_private(session); - const char *filename; enum ipset_cmd cmd; FILE *f = stdin; int ret = 0; @@ -1977,7 +1979,7 @@ if (ipset->filename) { f = fopen(ipset->filename, "r"); if (!f) { - fprintf(stderr, "cannot open file `%s'\n", filename); + fprintf(stderr, "cannot open file `%s'\n", ipset->filename); return -1; } } @@ -2011,7 +2013,7 @@ ipset_data_reset(data); } - if (filename) + if (ipset->filename) fclose(f); return ret;
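Review bot: `size_t i;` in the IPSET_OPT_ETHER block is declared after the `ipset_print_ether(...)` statement; lib/Makefile.in shows -std=gnu99 so it compiles, but declaring it in the for clause, `for (size_t i = 0; i < strlen(buf); i++)`, keeps the declaration-before-statement layout the surrounding code uses. The `filename` changes (`fprintf(stderr, "cannot open file `%s'\n", ipset->filename);` and `if (ipset->filename) fclose(f);`) replace what appears to have been an unassigned local and look correct. ipset_xlate_set_get lost its `const` return qualifier, yet the only caller visible here stores the result in a `const struct ipset_xlate_set *`; if no other caller needs a mutable pointer the old signature could stay.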
_service:tar_scm:ipset-7.15.tar.bz2/lib/ipset_hash_ip.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/ipset_hash_ip.c
Changed
@@ -477,6 +477,91 @@ .description = "bucketsize, initval support", }; +/* bitmask support */ +static struct ipset_type ipset_hash_ip6 = { + .name = "hash:ip", + .alias = { "iphash", NULL }, + .revision = 6, + .family = NFPROTO_IPSET_IPV46, + .dimension = IPSET_DIM_ONE, + .elem = { + IPSET_DIM_ONE - 1 = { + .parse = ipset_parse_ip4_single6, + .print = ipset_print_ip, + .opt = IPSET_OPT_IP + }, + }, + .cmd = { + IPSET_CREATE = { + .args = { + IPSET_ARG_FAMILY, + /* Aliases */ + IPSET_ARG_INET, + IPSET_ARG_INET6, + IPSET_ARG_HASHSIZE, + IPSET_ARG_MAXELEM, + IPSET_ARG_NETMASK, + IPSET_ARG_BITMASK, + IPSET_ARG_TIMEOUT, + IPSET_ARG_COUNTERS, + IPSET_ARG_COMMENT, + IPSET_ARG_FORCEADD, + IPSET_ARG_SKBINFO, + IPSET_ARG_BUCKETSIZE, + IPSET_ARG_INITVAL, + /* Ignored options: backward compatibilty */ + IPSET_ARG_PROBES, + IPSET_ARG_RESIZE, + IPSET_ARG_GC, + IPSET_ARG_NONE, + }, + .need = 0, + .full = 0, + .help = "", + }, + IPSET_ADD = { + .args = { + IPSET_ARG_TIMEOUT, + IPSET_ARG_PACKETS, + IPSET_ARG_BYTES, + IPSET_ARG_ADT_COMMENT, + IPSET_ARG_SKBMARK, + IPSET_ARG_SKBPRIO, + IPSET_ARG_SKBQUEUE, + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO), + .help = "IP", + }, + IPSET_DEL = { + .args = { + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO), + .help = "IP", + }, + IPSET_TEST = { + .args = { + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO), + .help = "IP", + }, + }, + .usage = "where depending on the INET family\n" + " IP is a valid IPv4 or IPv6 address (or hostname),\n" + " CIDR is a valid IPv4 or IPv6 CIDR prefix.\n" + " Adding/deleting multiple elements in IP/CIDR or FROM-TO form\n" + " is supported for IPv4.", + .description = "bitmask support", +}; + void _init(void); void _init(void) { 
@@ -486,4 +571,5 @@ ipset_type_add(&ipset_hash_ip3); ipset_type_add(&ipset_hash_ip4); ipset_type_add(&ipset_hash_ip5); + ipset_type_add(&ipset_hash_ip6); }
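Review bot: The create-argument tables of the three new revisions place the new options differently: ipset_hash_ip6 lists IPSET_ARG_NETMASK, IPSET_ARG_BITMASK right after IPSET_ARG_MAXELEM, ipset_hash_ipport7 (lib/ipset_hash_ipport.c) puts them after IPSET_ARG_INITVAL, and ipset_hash_netnet4 (lib/ipset_hash_netnet.c) puts them after IPSET_ARG_INITVAL in the opposite order, BITMASK then NETMASK. Since the help loop in lib/ipset.c walks `type->cmd[c].args` in array order, one fixed position and order would make the type-specific help consistent across types. The comment `/* Ignored options: backward compatibilty */` copied into ipset_hash_ip6 and ipset_hash_ipport7 misspells "compatibility".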
_service:tar_scm:ipset-7.15.tar.bz2/lib/ipset_hash_ipport.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/ipset_hash_ipport.c
Changed
@@ -604,6 +604,113 @@ .description = "bucketsize, initval support", }; +/* bitmask support */ +static struct ipset_type ipset_hash_ipport7 = { + .name = "hash:ip,port", + .alias = { "ipporthash", NULL }, + .revision = 7, + .family = NFPROTO_IPSET_IPV46, + .dimension = IPSET_DIM_TWO, + .elem = { + IPSET_DIM_ONE - 1 = { + .parse = ipset_parse_ip4_single6, + .print = ipset_print_ip, + .opt = IPSET_OPT_IP + }, + IPSET_DIM_TWO - 1 = { + .parse = ipset_parse_proto_port, + .print = ipset_print_proto_port, + .opt = IPSET_OPT_PORT + }, + }, + .cmd = { + IPSET_CREATE = { + .args = { + IPSET_ARG_FAMILY, + /* Aliases */ + IPSET_ARG_INET, + IPSET_ARG_INET6, + IPSET_ARG_HASHSIZE, + IPSET_ARG_MAXELEM, + IPSET_ARG_TIMEOUT, + IPSET_ARG_COUNTERS, + IPSET_ARG_COMMENT, + IPSET_ARG_FORCEADD, + IPSET_ARG_SKBINFO, + IPSET_ARG_BUCKETSIZE, + IPSET_ARG_INITVAL, + IPSET_ARG_NETMASK, + IPSET_ARG_BITMASK, + /* Ignored options: backward compatibilty */ + IPSET_ARG_PROBES, + IPSET_ARG_RESIZE, + IPSET_ARG_IGNORED_FROM, + IPSET_ARG_IGNORED_TO, + IPSET_ARG_IGNORED_NETWORK, + IPSET_ARG_NONE, + }, + .need = 0, + .full = 0, + .help = "", + }, + IPSET_ADD = { + .args = { + IPSET_ARG_TIMEOUT, + IPSET_ARG_PACKETS, + IPSET_ARG_BYTES, + IPSET_ARG_ADT_COMMENT, + IPSET_ARG_SKBMARK, + IPSET_ARG_SKBPRIO, + IPSET_ARG_SKBQUEUE, + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT_TO), + .help = "IP,PROTO:PORT", + }, + IPSET_DEL = { + .args = { + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT_TO), + .help = "IP,PROTO:PORT", + }, + IPSET_TEST = { + .args = { + 
IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT), + .help = "IP,PROTO:PORT", + }, + }, + .usage = "where depending on the INET family\n" + " IP is a valid IPv4 or IPv6 address (or hostname).\n" + " Adding/deleting multiple elements in IP/CIDR or FROM-TO form\n" + " is supported for IPv4.\n" + " Adding/deleting multiple elements with TCP/SCTP/UDP/UDPLITE\n" + " port range is supported both for IPv4 and IPv6.", + .usagefn = ipset_port_usage, + .description = "netmask and bitmask support", +}; + void _init(void); void _init(void) { @@ -613,4 +720,5 @@ ipset_type_add(&ipset_hash_ipport4); ipset_type_add(&ipset_hash_ipport5); ipset_type_add(&ipset_hash_ipport6); + ipset_type_add(&ipset_hash_ipport7); }
_service:tar_scm:ipset-7.15.tar.bz2/lib/ipset_hash_netnet.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/ipset_hash_netnet.c
Changed
@@ -387,6 +387,106 @@ .description = "bucketsize, initval support", }; +/* bitmask support */ +static struct ipset_type ipset_hash_netnet4 = { + .name = "hash:net,net", + .alias = { "netnethash", NULL }, + .revision = 4, + .family = NFPROTO_IPSET_IPV46, + .dimension = IPSET_DIM_TWO, + .elem = { + IPSET_DIM_ONE - 1 = { + .parse = ipset_parse_ip4_net6, + .print = ipset_print_ip, + .opt = IPSET_OPT_IP + }, + IPSET_DIM_TWO - 1 = { + .parse = ipset_parse_ip4_net6, + .print = ipset_print_ip, + .opt = IPSET_OPT_IP2 + }, + }, + .cmd = { + IPSET_CREATE = { + .args = { + IPSET_ARG_FAMILY, + /* Aliases */ + IPSET_ARG_INET, + IPSET_ARG_INET6, + IPSET_ARG_HASHSIZE, + IPSET_ARG_MAXELEM, + IPSET_ARG_TIMEOUT, + IPSET_ARG_COUNTERS, + IPSET_ARG_COMMENT, + IPSET_ARG_FORCEADD, + IPSET_ARG_SKBINFO, + IPSET_ARG_BUCKETSIZE, + IPSET_ARG_INITVAL, + IPSET_ARG_BITMASK, + IPSET_ARG_NETMASK, + IPSET_ARG_NONE, + }, + .need = 0, + .full = 0, + .help = "", + }, + IPSET_ADD = { + .args = { + IPSET_ARG_TIMEOUT, + IPSET_ARG_NOMATCH, + IPSET_ARG_PACKETS, + IPSET_ARG_BYTES, + IPSET_ARG_ADT_COMMENT, + IPSET_ARG_SKBMARK, + IPSET_ARG_SKBPRIO, + IPSET_ARG_SKBQUEUE, + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP2), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_CIDR) + | IPSET_FLAG(IPSET_OPT_IP_TO) + | IPSET_FLAG(IPSET_OPT_IP2) + | IPSET_FLAG(IPSET_OPT_CIDR2) + | IPSET_FLAG(IPSET_OPT_IP2_TO), + .help = "IP/CIDR|FROM-TO,IP/CIDR|FROM-TO", + }, + IPSET_DEL = { + .args = { + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP2), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_CIDR) + | IPSET_FLAG(IPSET_OPT_IP_TO) + | IPSET_FLAG(IPSET_OPT_IP2) + | IPSET_FLAG(IPSET_OPT_CIDR2) + | IPSET_FLAG(IPSET_OPT_IP2_TO), + .help = "IP/CIDR|FROM-TO,IP/CIDR|FROM-TO", + }, + IPSET_TEST = { + .args = { + IPSET_ARG_NOMATCH, + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP2), + .full = 
IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_CIDR) + | IPSET_FLAG(IPSET_OPT_IP2) + | IPSET_FLAG(IPSET_OPT_CIDR2), + .help = "IP/CIDR,IP/CIDR", + }, + }, + .usage = "where depending on the INET family\n" + " IP is an IPv4 or IPv6 address (or hostname),\n" + " CIDR is a valid IPv4 or IPv6 CIDR prefix.\n" + " IP range is not supported with IPv6.", + .description = "netmask and bitmask support", +}; + void _init(void); void _init(void) { @@ -394,4 +494,5 @@ ipset_type_add(&ipset_hash_netnet1); ipset_type_add(&ipset_hash_netnet2); ipset_type_add(&ipset_hash_netnet3); + ipset_type_add(&ipset_hash_netnet4); }
_service:tar_scm:ipset-7.15.tar.bz2/lib/libipset.map -> _service:tar_scm:ipset-7.17.tar.bz2/lib/libipset.map
Changed
@@ -213,3 +213,7 @@ ipset_xlate_argv; } LIBIPSET_4.10; +LIBIPSET_4.12 { +global: + ipset_parse_bitmask; +} LIBIPSET_4.10;
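Review bot: The new version node `LIBIPSET_4.12 { ... } LIBIPSET_4.10;` names LIBIPSET_4.10 as its predecessor although the node it follows (the one exporting ipset_xlate_argv, whose name is outside the hunk) also inherits from LIBIPSET_4.10. Version nodes are conventionally chained linearly; if the preceding node is LIBIPSET_4.11, the closing line should probably read `} LIBIPSET_4.11;` so the dependency list stays in order. The exported symbol is unaffected either way.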
_service:tar_scm:ipset-7.15.tar.bz2/lib/parse.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/parse.c
Changed
@@ -280,7 +280,8 @@ parse_portname(struct ipset_session *session, const char *str, uint16_t *port, const char *proto) { - char *saved, *tmp, *protoname; + char *saved, *tmp; + const char *protoname; const struct protoent *protoent; struct servent *service; uint8_t protonum = 0; @@ -292,7 +293,7 @@ if (tmp == NULL) goto error; - protoname = (char *)proto; + protoname = proto; if (string_to_u8(session, proto, &protonum, IPSET_WARNING) == 0) { protoent = getprotobynumber(protonum); if (protoent == NULL) @@ -1703,6 +1704,9 @@ assert(str); data = ipset_session_data(session); + if (ipset_data_test(data, IPSET_OPT_BITMASK)) + return syntax_err("bitmask and netmask are mutually exclusive, provide only one"); + family = ipset_data_family(data); if (family == NFPROTO_UNSPEC) { family = NFPROTO_IPV4; 
@@ -1722,6 +1726,46 @@ } /** + * ipset_parse_bitmask - parse string as a bitmask + * @session: session structure + * @opt: option kind of the data + * @str: string to parse + * + * Parse string as a bitmask value, depending on family type. + * If family is not set yet, INET is assumed. + * The value is stored in the data blob of the session. + * + * Returns 0 on success or a negative error code. + */ +int +ipset_parse_bitmask(struct ipset_session *session, + enum ipset_opt opt, const char *str) +{ + uint8_t family; + struct ipset_data *data; + + assert(session); + assert(opt == IPSET_OPT_BITMASK); + assert(str); + + data = ipset_session_data(session); + if (ipset_data_test(data, IPSET_OPT_NETMASK)) + return syntax_err("bitmask and netmask are mutually exclusive, provide only one"); + + family = ipset_data_family(data); + if (family == NFPROTO_UNSPEC) { + family = NFPROTO_IPV4; + ipset_data_set(data, IPSET_OPT_FAMILY, &family); + } + + if (parse_ipaddr(session, opt, str, family)) + return syntax_err("bitmask is not valid for family = %s", + family == NFPROTO_IPV4 ? "inet" : "inet6"); + + return 0; +} + +/** * ipset_parse_flag - "parse" option flags * @session: session structure * @opt: option kind of the data
_service:tar_scm:ipset-7.15.tar.bz2/lib/print.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/print.c
Changed
@@ -265,7 +265,7 @@ assert(buf); assert(len > 0); assert(data); - assert(opt == IPSET_OPT_IP || opt == IPSET_OPT_IP2); + assert(opt == IPSET_OPT_IP || opt == IPSET_OPT_IP2 || opt == IPSET_OPT_BITMASK); D("len: %u", len); family = ipset_data_family(data); @@ -976,6 +976,7 @@ size = ipset_print_elem(buf, len, data, opt, env); break; case IPSET_OPT_IP: + case IPSET_OPT_BITMASK: size = ipset_print_ip(buf, len, data, opt, env); break; case IPSET_OPT_PORT:
_service:tar_scm:ipset-7.15.tar.bz2/lib/session.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/session.c
Changed
@@ -462,6 +462,10 @@ .type = MNL_TYPE_U32, .opt = IPSET_OPT_MEMSIZE, }, + IPSET_ATTR_BITMASK = { + .type = MNL_TYPE_NESTED, + .opt = IPSET_OPT_BITMASK, + }, }; static const struct ipset_attr_policy adt_attrs = { @@ -1721,6 +1725,10 @@ if (attr->type == MNL_TYPE_NESTED) { /* IP addresses */ struct nlattr *nested; + + if (type == IPSET_ATTR_BITMASK) + family = ipset_data_family(session->data); + int atype = family == NFPROTO_IPV4 ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6;
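Review bot: The added `if (type == IPSET_ATTR_BITMASK) family = ipset_data_family(session->data);` assumes the family is already stored in the session data when the nested BITMASK attribute is decoded; if that attribute can precede the family attribute in the same message, family would be NFPROTO_UNSPEC and `atype` would fall through to IPSET_ATTR_IPADDR_IPV6, so the ordering guarantee should be confirmed and recorded in a comment. The statement is also inserted ahead of the `int atype = ...` declaration, mixing statements and declarations in a block that otherwise declares first. A comment such as `/* BITMASK is a create-time option: its address family is the set's, taken from the session data */` would document the special case. The enclosing function continues outside the hunk.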
_service:tar_scm:ipset-7.15.tar.bz2/m4/libtool.m4 -> _service:tar_scm:ipset-7.17.tar.bz2/m4/libtool.m4
Changed
@@ -1041,8 +1041,8 @@ _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD - echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD - $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD + echo "$AR cr libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD + $AR cr libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD cat > conftest.c << _LT_EOF @@ -1071,11 +1071,11 @@ # to the OS version, if on x86, and 10.4, the deployment # target defaults to 10.4. Don't you love it? case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in - 10.0,*86*-darwin8*|10.0,*-darwin91*) + 10.0,*86*-darwin8*|10.0,*-darwin912*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; 10.012,.*) _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; - 10.*) + 10.*|11.*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; esac ;; @@ -1492,7 +1492,7 @@ m4_defun(_LT_PROG_AR, AC_CHECK_TOOLS(AR, ar, false) : ${AR=ar} -: ${AR_FLAGS=cru} +: ${AR_FLAGS=cr} _LT_DECL(, AR, 1, The archiver) _LT_DECL(, AR_FLAGS, 1, Flags to create an archive) @@ -4704,6 +4704,12 @@ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*)
_service:tar_scm:ipset-7.15.tar.bz2/src/Makefile.in -> _service:tar_scm:ipset-7.17.tar.bz2/src/Makefile.in
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -484,7 +484,7 @@ top_srcdir = @top_srcdir@ # curr:rev:age -LIBVERSION = 16:0:3 +LIBVERSION = 17:0:4 AM_CPPFLAGS = $(kinclude_CFLAGS) $(all_includes) -I$(top_srcdir)/include AM_CFLAGS = -std=gnu99 $(am__append_1) $(am__append_2) SPARSE = sparse
_service:tar_scm:ipset-7.15.tar.bz2/src/ipset-translate.8 -> _service:tar_scm:ipset-7.17.tar.bz2/src/ipset-translate.8
@@ -33,7 +33,7 @@ The only available command is: .IP \bu 2 -ipset-translate restores < file.ipt +ipset-translate restore < file.ipt .SH USAGE The \fBipset-translate\fP tool reads an IP sets file in the syntax produced by
_service:tar_scm:ipset-7.15.tar.bz2/src/ipset.8 -> _service:tar_scm:ipset-7.17.tar.bz2/src/ipset.8
@@ -524,7 +524,7 @@ network addresses. Zero valued IP address cannot be stored in a \fBhash:ip\fR type of set. .PP -\fICREATE\-OPTIONS\fR := \fBfamily\fR { \fBinet\fR | \fBinet6\fR } \fBhashsize\fR \fIvalue\fR \fBmaxelem\fR \fIvalue\fR \fBbucketsize\fR \fIvalue\fR \fBnetmask\fP \fIcidr\fP \fBtimeout\fR \fIvalue\fR \fBcounters\fP \fBcomment\fP \fBskbinfo\fP +\fICREATE\-OPTIONS\fR := \fBfamily\fR { \fBinet\fR | \fBinet6\fR } \fBhashsize\fR \fIvalue\fR \fBmaxelem\fR \fIvalue\fR \fBbucketsize\fR \fIvalue\fR \fBnetmask\fP \fIcidr\fP \fBbitmask\fP \fImask\fP \fBtimeout\fR \fIvalue\fR \fBcounters\fP \fBcomment\fP \fBskbinfo\fP .PP \fIADD\-ENTRY\fR := \fIipaddr\fR .PP @@ -549,6 +549,9 @@ ipset add foo 192.168.1.0/24 .IP ipset test foo 192.168.1.2 +.TP +\fBbitmask\fP \fImask\fP +This works similar to \fBnetmask\fP but it will accept any valid IPv4/v6 address. It does not have to be a valid netmask. .SS hash:mac The \fBhash:mac\fR set type uses a hash to store MAC addresses. Zero valued MAC addresses cannot be stored in a \fBhash:mac\fR type of set. For matches on destination MAC addresses, see COMMENTS below. @@ -648,7 +651,7 @@ first parameter existed with a suitable second parameter. Network address with zero prefix size cannot be stored in this type of set. .PP -\fICREATE\-OPTIONS\fR := \fBfamily\fR { \fBinet\fR | \fBinet6\fR } \fBhashsize\fR \fIvalue\fR \fBmaxelem\fR \fIvalue\fR \fBbucketsize\fR \fIvalue\fR \fBtimeout\fR \fIvalue\fR \fBcounters\fP \fBcomment\fP \fBskbinfo\fP +\fICREATE\-OPTIONS\fR := \fBfamily\fR { \fBinet\fR | \fBinet6\fR } \fBhashsize\fR \fIvalue\fR \fBmaxelem\fR \fIvalue\fR \fBbucketsize\fR \fIvalue\fR \fBnetmask\fP \fIcidr\fP \fBbitmask\fP \fImask\fP \fBtimeout\fR \fIvalue\fR \fBcounters\fP \fBcomment\fP \fBskbinfo\fP .PP \fIADD\-ENTRY\fR := \fInetaddr\fR,\fInetaddr\fR .PP 
@@ -680,6 +683,18 @@ further increases this as the list of secondary prefixes is traversed per primary prefix. .PP +Optional \fBcreate\fR options: +.TP +\fBnetmask\fP \fIcidr\fP +When the optional \fBnetmask\fP parameter specified, network addresses will be +stored in the set instead of IP host addresses. The \fIcidr\fP prefix value must be +between 1\-32 for IPv4 and between 1\-128 for IPv6. An IP address will be in the set +if the network address, which is resulted by masking the address with the netmask, +can be found in the set. +.TP +\fBbitmask\fP \fImask\fP +This works similar to \fBnetmask\fP but it will accept any valid IPv4/v6 address. It does not have to be a valid netmask. +.PP Example: .IP ipset create foo hash:net,net @@ -701,7 +716,7 @@ The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. .PP -\fICREATE\-OPTIONS\fR := \fBfamily\fR { \fBinet\fR | \fBinet6\fR } \fBhashsize\fR \fIvalue\fR \fBmaxelem\fR \fIvalue\fR \fBbucketsize\fR \fIvalue\fR \fBtimeout\fR \fIvalue\fR \fBcounters\fP \fBcomment\fP \fBskbinfo\fP +\fICREATE\-OPTIONS\fR := \fBfamily\fR { \fBinet\fR | \fBinet6\fR } \fBhashsize\fR \fIvalue\fR \fBmaxelem\fR \fIvalue\fR \fBbucketsize\fR \fIvalue\fR \fBnetmask\fP \fIcidr\fP \fBbitmask\fP \fImask\fP \fBtimeout\fR \fIvalue\fR \fBcounters\fP \fBcomment\fP \fBskbinfo\fP .PP \fIADD\-ENTRY\fR := \fIipaddr\fR,\fIproto\fR:\fIport\fR .PP 
@@ -741,6 +756,18 @@ two \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR target kernel modules. .PP +Optional \fBcreate\fR options: +.TP +\fBnetmask\fP \fIcidr\fP +When the optional \fBnetmask\fP parameter specified, network addresses will be +stored in the set instead of IP host addresses. The \fIcidr\fP prefix value must be +between 1\-32 for IPv4 and between 1\-128 for IPv6. An IP address will be in the set +if the network address, which is resulted by masking the address with the netmask, +can be found in the set. +.TP +\fBbitmask\fP \fImask\fP +This works similar to \fBnetmask\fP but it will accept any valid IPv4/v6 address. It does not have to be a valid netmask. +.PP Examples: .IP ipset create foo hash:ip,port
_service:tar_scm:ipset-7.15.tar.bz2/src/ipset.c -> _service:tar_scm:ipset-7.17.tar.bz2/src/ipset.c
@@ -6,6 +6,7 @@ * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */ +#define _GNU_SOURCE #include <assert.h> /* assert */ #include <stdio.h> /* fprintf */ #include <stdlib.h> /* exit */ @@ -31,7 +32,7 @@ exit(1); } - if (!strcmp(argv0, "ipset-translate")) { + if (!strcmp(basename(argv0), "ipset-translate")) { ret = ipset_xlate_argv(ipset, argc, argv); } else { ret = ipset_parse_argv(ipset, argc, argv);
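Review bot: The switch to `basename(argv0)` in the second hunk relies on the GNU variant declared in `<string.h>`, which `_GNU_SOURCE` selects only when `<libgen.h>` is not included earlier in the file; the POSIX variant may modify its argument in place, and since the rest of the include list and the enclosing function lie outside the hunk, which variant is bound cannot be confirmed here. A comment at the call site would pin the intent, e.g. `/* GNU basename() from <string.h>: argv0 is not modified */`. If argv0 is used again after this comparison, the in-place behaviour of the POSIX version would be a real difference rather than a cosmetic one.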
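--- a/_service:tar_scm:ipset-7.15.tar.bz2/tests/comment.t
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/comment.t
@@ -113,7 +113,7 @@
 # Hash comment: Stress test with comments and timeout
 0 ./netnetgen.sh comment timeout | ipset restore
 # Hash comment: List set and check the number of elements
-0 n=`ipset -L test|grep '^10.'|wc -l` && test $n -eq 87040
+0 n=`ipset save test|grep 'add test 10.'|wc -l` && test $n -eq 87040
 # Hash comment: Destroy test set
 0 ipset destroy test
 # Hash comment: create set with timeout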
_service:tar_scm:ipset-7.15.tar.bz2/tests/hash:ip,port.t -> _service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip,port.t
@@ -170,4 +170,122 @@ 0 ./check_extensions test 2.0.0.20 700 13 12479 # Counters and timeout: destroy set 0 ipset x test +# Network: Create a set with timeout and netmask +0 ipset -N test hash:ip,port --hashsize 128 --netmask 24 timeout 4 +# Network: Add zero valued element +1 ipset -A test 0.0.0.0,80 +# Network: Test zero valued element +1 ipset -T test 0.0.0.0,80 +# Network: Delete zero valued element +1 ipset -D test 0.0.0.0,80 +# Network: Add first random network +0 ipset -A test 2.0.0.1,8080 +# Network: Add second random network +0 ipset -A test 192.168.68.69,22 +# Network: Test first random value +0 ipset -T test 2.0.0.255,8080 +# Network: Test second random value +0 ipset -T test 192.168.68.95,22 +# Network: Test value not added to the set +1 ipset -T test 2.0.1.0,8080 +# Network: Add third element +0 ipset -A test 200.100.10.1,22 timeout 0 +# Network: Add third random network +0 ipset -A test 200.100.0.12,22 +# Network: Delete the same network +0 ipset -D test 200.100.0.12,22 +# Network: List set +0 ipset -L test > .foo0 && ./sort.sh .foo0 +# Network: Check listing +0 ./diff.sh .foo hash:ip,port.t.list3 +# Sleep 5s so that elements can time out +0 sleep 5 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:ip,port.t.list4 +# Network: Flush test set +0 ipset -F test +# Network: add element with 1s timeout +0 ipset add test 200.100.0.12,80 timeout 1 +# Network: readd element with 3s timeout +0 ipset add test 200.100.0.12,80 timeout 3 -exist +# Network: sleep 2s +0 sleep 2s +# Network: check readded element +0 ipset test test 200.100.0.12,80 +# Network: Delete test set +0 ipset -X test +# Network: Create a set with timeout and bitmask +0 ipset -N test hash:ip,port --hashsize 128 --bitmask 255.255.255.0 timeout 4 +# Network: Add zero valued element +1 ipset -A test 0.0.0.0,80 +# Network: Test zero valued element +1 ipset -T test 0.0.0.0,80 +# Network: Delete zero valued element +1 ipset -D test 0.0.0.0,80 +# Network: 
Add first random network +0 ipset -A test 2.0.0.1,8080 +# Network: Add second random network +0 ipset -A test 192.168.68.69,22 +# Network: Test first random value +0 ipset -T test 2.0.0.255,8080 +# Network: Test second random value +0 ipset -T test 192.168.68.95,22 +# Network: Test value not added to the set +1 ipset -T test 2.0.1.0,8080 +# Network: Add third element +0 ipset -A test 200.100.10.1,22 timeout 0 +# Network: Add third random network +0 ipset -A test 200.100.0.12,22 +# Network: Delete the same network +0 ipset -D test 200.100.0.12,22 +# Network: List set +0 ipset -L test > .foo0 && ./sort.sh .foo0 +# Network: Check listing +0 ./diff.sh .foo hash:ip,port.t.list5 +# Sleep 5s so that elements can time out +0 sleep 5 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:ip,port.t.list6 +# Network: Flush test set +0 ipset -F test +# Network: add element with 1s timeout +0 ipset add test 200.100.0.12,80 timeout 1 +# Network: readd element with 3s timeout +0 ipset add test 200.100.0.12,80 timeout 3 -exist +# Network: sleep 2s +0 sleep 2s +# Network: check readded element +0 ipset test test 200.100.0.12,80 +# Network: Delete test set +0 ipset -X test +# Network: Create a set with bitmask which is not a valid netmask +0 ipset -N test hash:ip,port --hashsize 128 --bitmask 255.255.0.255 +# Network: Add zero valued element +1 ipset -A test 0.0.0.0 +# Network: Test zero valued element +1 ipset -T test 0.0.0.0 +# Network: Delete zero valued element +1 ipset -D test 0.0.0.0 +# Network: Add first random network +0 ipset -A test 1.2.3.4,22 +# Network: Add second random network +0 ipset -A test 1.168.122.124,22 +# Network: Test first random value +0 ipset -T test 1.2.9.4,22 +# Network: Test second random value +0 ipset -T test 1.168.68.124,22 +# Network: Test value not added to the set +1 ipset -T test 2.0.1.0,23 +# Network: Test delete value +0 ipset -D test 1.168.0.124,22 +# Network: List set +0 ipset -L test > .foo +# Network: 
Check listing +0 ./diff.sh .foo hash:ip,port.t.list7 +# Network: Delete test set +0 ipset -X test # eof
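Review bot: The three "zero valued element" lines in the third block (`1 ipset -A test 0.0.0.0`, `-T`, `-D`) omit the port that a hash:ip,port set requires, so they exit non-zero on a syntax error rather than because the zero address is rejected, and the expected exit status is met for the wrong reason; the two earlier blocks use `0.0.0.0,80` and these three should match: `1 ipset -A test 0.0.0.0,80`, `1 ipset -T test 0.0.0.0,80`, `1 ipset -D test 0.0.0.0,80`. The same slip appears in the hash:net,net.t section further down, where the bitmask-not-a-netmask block passes a single `0.0.0.0` to a set that takes two networks. Every bitmask case in these files uses IPv4 addresses, although the manual text in this revision says bitmask accepts any valid IPv4/v6 address, so the inet6 path is left untested.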
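--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip,port.t.list3
@@ -0,0 +1,11 @@
+Name: test
+Type: hash:ip,port
+Revision: 7
+Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0xf49ba001 netmask 24
+Size in memory: 408
+References: 0
+Number of entries: 3
+Members:
+192.168.68.0,tcp:22 timeout 3
+2.0.0.0,tcp:8080 timeout 3
+200.100.10.0,tcp:22 timeout 0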
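--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip,port.t.list4
@@ -0,0 +1,9 @@
+Name: test
+Type: hash:ip,port
+Revision: 7
+Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0x18b2277a netmask 24
+Size in memory: 408
+References: 0
+Number of entries: 1
+Members:
+200.100.10.0,tcp:22 timeout 0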
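--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip,port.t.list5
@@ -0,0 +1,11 @@
+Name: test
+Type: hash:ip,port
+Revision: 7
+Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0x6a0e903a bitmask 255.255.255.0
+Size in memory: 408
+References: 0
+Number of entries: 3
+Members:
+192.168.68.0,tcp:22 timeout 3
+2.0.0.0,tcp:8080 timeout 3
+200.100.10.0,tcp:22 timeout 0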
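--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip,port.t.list6
@@ -0,0 +1,9 @@
+Name: test
+Type: hash:ip,port
+Revision: 7
+Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0x2fcffdca bitmask 255.255.255.0
+Size in memory: 408
+References: 0
+Number of entries: 1
+Members:
+200.100.10.0,tcp:22 timeout 0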
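--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip,port.t.list7
@@ -0,0 +1,9 @@
+Name: test
+Type: hash:ip,port
+Revision: 7
+Header: family inet hashsize 128 maxelem 65536 bucketsize 12 initval 0x98bdfa72 bitmask 255.255.0.255
+Size in memory: 312
+References: 0
+Number of entries: 1
+Members:
+1.2.0.4,tcp:22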
_service:tar_scm:ipset-7.15.tar.bz2/tests/hash:ip.t -> _service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip.t
@@ -72,7 +72,7 @@ 0 n=`ipset list test|grep '^10.0'|wc -l` && test $n -eq 1024 # IP: Destroy sets 0 ipset -X -# Network: Create a set with timeout +# Network: Create a set with timeout and netmask 0 ipset -N test iphash --hashsize 128 --netmask 24 timeout 4 # Network: Add zero valued element 1 ipset -A test 0.0.0.0 @@ -136,6 +136,12 @@ 0 ipset del test 10.0.0.1-10.0.0.10 # Range: Check number of elements 0 n=`ipset save test|wc -l` && test $n -eq 1 +# Range: Flush set +0 ipset flush test +# Range: Add elements in multiple internal batches +0 ipset add test 10.1.0.0-10.1.64.255 +# Range: Check number of elements +0 n=`ipset save test|grep '^add test 10.1' | wc -l` && test $n -eq 16640 # Range: Delete test set 0 ipset destroy test # Timeout: Check that resizing keeps timeout values 
@@ -210,4 +216,78 @@ 0 ./check_extensions test 10.255.255.64 600 6 $((6*40)) # Counters and timeout: destroy set 0 ipset x test +# Network: Create a set with timeout and bitmask +0 ipset -N test iphash --hashsize 128 --bitmask 255.255.255.0 timeout 4 +# Network: Add zero valued element +1 ipset -A test 0.0.0.0 +# Network: Test zero valued element +1 ipset -T test 0.0.0.0 +# Network: Delete zero valued element +1 ipset -D test 0.0.0.0 +# Network: Add first random network +0 ipset -A test 2.0.0.1 +# Network: Add second random network +0 ipset -A test 192.168.68.69 +# Network: Test first random value +0 ipset -T test 2.0.0.255 +# Network: Test second random value +0 ipset -T test 192.168.68.95 +# Network: Test value not added to the set +1 ipset -T test 2.0.1.0 +# Network: Add third element +0 ipset -A test 200.100.10.1 timeout 0 +# Network: Add third random network +0 ipset -A test 200.100.0.12 +# Network: Delete the same network +0 ipset -D test 200.100.0.12 +# Network: List set +0 ipset -L test > .foo0 && ./sort.sh .foo0 +# Network: Check listing +0 ./diff.sh .foo hash:ip.t.list4 +# Sleep 5s so that elements can time out +0 sleep 5 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:ip.t.list5 +# Network: Flush test set +0 ipset -F test +# Network: add element with 1s timeout +0 ipset add test 200.100.0.12 timeout 1 +# Network: readd element with 3s timeout +0 ipset add test 200.100.0.12 timeout 3 -exist +# Network: sleep 2s +0 sleep 2s +# Network: check readded element +0 ipset test test 200.100.0.12 +# Network: Delete test set +0 ipset -X test +# Network: Create a set with both bitmask and netmask +1 ipset -N test iphash --hashsize 128 --bitmask 255.255.0.255 --netmask 24 +# Network: Create a set with bitmask which is not a valid netmask +0 ipset -N test iphash --hashsize 128 --bitmask 255.255.0.255 +# Network: Add zero valued element +1 ipset -A test 0.0.0.0 +# Network: Test zero valued element +1 ipset -T test 0.0.0.0 
+# Network: Delete zero valued element +1 ipset -D test 0.0.0.0 +# Network: Add first random network +0 ipset -A test 1.2.3.4 +# Network: Add second random network +0 ipset -A test 1.2.4.5 +# Network: Test first random value +0 ipset -T test 1.2.9.4 +# Network: Test second random value +0 ipset -T test 1.2.9.5 +# Network: Test value not added to the set +1 ipset -T test 2.0.1.0 +# Network: Test delete value +0 ipset -D test 1.2.0.5 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:ip.t.list6 +# Network: Delete test set +0 ipset -X test # eof
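Review bot: The mutual-exclusion case `1 ipset -N test iphash --hashsize 128 --bitmask 255.255.0.255 --netmask 24` covers only bitmask given before netmask; the check added in ipset_parse_bitmask (the hunk at the top of this page) rejects a bitmask only when a netmask is already stored, so this argument order exercises the netmask parser's counterpart check, which is not visible in this revision, and leaves the new check itself unexercised. Adding the reverse order, `1 ipset -N test iphash --hashsize 128 --netmask 24 --bitmask 255.255.0.255`, would cover both paths. The new range case expecting 16640 entries for 10.1.0.0-10.1.64.255 is consistent with 65 blocks of 256 addresses.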
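--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip.t.list4
@@ -0,0 +1,11 @@
+Name: test
+Type: hash:ip
+Revision: 5
+Header: family inet hashsize 128 maxelem 65536 bitmask 255.255.255.0 timeout 4 bucketsize 12 initval 0xfe970e91
+Size in memory: 528
+References: 0
+Number of entries: 3
+Members:
+192.168.68.0 timeout 3
+2.0.0.0 timeout 3
+200.100.10.0 timeout 0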
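--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip.t.list5
@@ -0,0 +1,9 @@
+Name: test
+Type: hash:ip
+Revision: 5
+Header: family inet hashsize 128 maxelem 65536 bitmask 255.255.255.0 timeout 4 bucketsize 12 initval 0xbc66e38a
+Size in memory: 528
+References: 0
+Number of entries: 1
+Members:
+200.100.10.0 timeout 0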
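--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip.t.list6
@@ -0,0 +1,9 @@
+Name: test
+Type: hash:ip
+Revision: 6
+Header: family inet hashsize 128 maxelem 65536 bitmask 255.255.0.255 bucketsize 12 initval 0xd7d821e1
+Size in memory: 296
+References: 0
+Number of entries: 1
+Members:
+1.2.0.4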
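--- a/_service:tar_scm:ipset-7.15.tar.bz2/tests/hash:net,iface.t
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,iface.t
@@ -132,6 +132,10 @@
 0 (set -e; for x in `seq 0 63`; do ipset add test 10.0.0.0/16,eth$x; done)
 # Check listing
 0 n=`ipset list test | grep -v Revision: | wc -l` && test $n -eq 71
+# Flush test set
+0 ipset flush test
+# Try to add more than 64 clashing entries
+1 (set -e; for x in `seq 0 64`; do ipset add test 10.0.0.0/16,eth$x; done)
 # Delete test set
 0 ipset destroy test
 # Check all possible CIDR values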
_service:tar_scm:ipset-7.15.tar.bz2/tests/hash:net,net.t -> _service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,net.t
@@ -166,4 +166,110 @@ 0 ./check_extensions test 2.0.0.0/25,2.0.0.0/25 700 13 12479 # Counters and timeout: destroy set 0 ipset x test +# Network: Create a set with timeout and netmask +0 ipset -N test hash:net,net --hashsize 128 --netmask 24 timeout 4 +# Network: Add first random network +0 ipset -A test 2.0.10.1,2.10.10.254 +# Network: Add second random network +0 ipset -A test 192.168.68.1,192.168.68.254 +# Network: Test first random value +0 ipset -T test 2.0.10.11,2.10.10.25 +# Network: Test second random value +0 ipset -T test 192.168.68.11,192.168.68.5 +# Network: Test value not added to the set +1 ipset -T test 2.10.1.0,21.0.1.0 +# Network: Add third element +0 ipset -A test 200.100.10.1,200.100.10.100 timeout 0 +# Network: Add third random network +0 ipset -A test 200.100.0.12,200.100.0.13 +# Network: Delete the same network +0 ipset -D test 200.100.0.12,200.100.0.13 +# Network: List set +0 ipset -L test > .foo0 && ./sort.sh .foo0 +# Network: Check listing +0 ./diff.sh .foo hash:net,net.t.list3 +# Sleep 5s so that elements can time out +0 sleep 5 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:net,net.t.list4 +# Network: Flush test set +0 ipset -F test +# Network: add element with 1s timeout +0 ipset add test 200.100.0.12,80.20.0.12 timeout 1 +# Network: readd element with 3s timeout +0 ipset add test 200.100.0.12,80.20.0.12 timeout 3 -exist +# Network: sleep 2s +0 sleep 2s +# Network: check readded element +0 ipset test test 200.100.0.12,80.20.0.12 +# Network: Delete test set +0 ipset -X test +# Network: Create a set with timeout and bitmask +0 ipset -N test hash:net,net --hashsize 128 --bitmask 255.255.255.0 timeout 4 +# Network: Add first random network +0 ipset -A test 2.0.10.1,2.10.10.254 +# Network: Add second random network +0 ipset -A test 192.168.68.1,192.168.68.254 +# Network: Test first random value +0 ipset -T test 2.0.10.11,2.10.10.25 +# Network: Test second random value +0 ipset -T test 
192.168.68.11,192.168.68.5 +# Network: Test value not added to the set +1 ipset -T test 2.10.1.0,21.0.1.0 +# Network: Add third element +0 ipset -A test 200.100.10.1,200.100.10.100 timeout 0 +# Network: Add third random network +0 ipset -A test 200.100.0.12,200.100.0.13 +# Network: Delete the same network +0 ipset -D test 200.100.0.12,200.100.0.13 +# Network: List set +0 ipset -L test > .foo0 && ./sort.sh .foo0 +# Network: Check listing +0 ./diff.sh .foo hash:net,net.t.list5 +# Sleep 5s so that elements can time out +0 sleep 5 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:net,net.t.list6 +# Network: Flush test set +0 ipset -F test +# Network: add element with 1s timeout +0 ipset add test 200.100.0.12,80.20.0.12 timeout 1 +# Network: readd element with 3s timeout +0 ipset add test 200.100.0.12,80.20.0.12 timeout 3 -exist +# Network: sleep 2s +0 sleep 2s +# Network: check readded element +0 ipset test test 200.100.0.12,80.20.0.12 +# Network: Delete test set +0 ipset -X test +# Network: Create a set with bitmask which is not a valid netmask +0 ipset -N test hash:net,net --hashsize 128 --bitmask 255.255.0.255 +# Network: Add zero valued element +1 ipset -A test 0.0.0.0 +# Network: Test zero valued element +1 ipset -T test 0.0.0.0 +# Network: Delete zero valued element +1 ipset -D test 0.0.0.0 +# Network: Add first random network +0 ipset -A test 1.2.3.4,22.23.24.25 +# Network: Add second random network +0 ipset -A test 1.168.122.124,122.23.45.50 +# Network: Test first random value +0 ipset -T test 1.2.43.4,22.23.2.25 +# Network: Test second random value +0 ipset -T test 1.168.12.124,122.23.4.50 +# Network: Test value not added to the set +1 ipset -T test 2.168.122.124,22.23.45.50 +# Network: Test delete value +0 ipset -D test 1.168.12.124,122.23.0.50 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:net,net.t.list7 +# Network: Delete test set +0 ipset -X test # eof
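--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,net.t.list3
@@ -0,0 +1,11 @@
+Name: test
+Type: hash:net,net
+Revision: 4
+Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0xe17e4732 netmask 24
+Size in memory: 848
+References: 0
+Number of entries: 3
+Members:
+192.168.68.0,192.168.68.0 timeout 3
+2.0.10.0,2.10.10.0 timeout 3
+200.100.10.0,200.100.10.0 timeout 0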
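--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,net.t.list4
@@ -0,0 +1,9 @@
+Name: test
+Type: hash:net,net
+Revision: 4
+Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0xb69e293e netmask 24
+Size in memory: 848
+References: 0
+Number of entries: 1
+Members:
+200.100.10.0,200.100.10.0 timeout 0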
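--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,net.t.list5
@@ -0,0 +1,11 @@
+Name: test
+Type: hash:net,net
+Revision: 4
+Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0xe17e4732 bitmask 255.255.255.0
+Size in memory: 848
+References: 0
+Number of entries: 3
+Members:
+192.168.68.0,192.168.68.0 timeout 3
+2.0.10.0,2.10.10.0 timeout 3
+200.100.10.0,200.100.10.0 timeout 0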
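--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,net.t.list6
@@ -0,0 +1,9 @@
+Name: test
+Type: hash:net,net
+Revision: 4
+Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0xb69e293e bitmask 255.255.255.0
+Size in memory: 848
+References: 0
+Number of entries: 1
+Members:
+200.100.10.0,200.100.10.0 timeout 0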
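--- /dev/null
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,net.t.list7
@@ -0,0 +1,9 @@
+Name: test
+Type: hash:net,net
+Revision: 4
+Header: family inet hashsize 128 maxelem 65536 bucketsize 12 initval 0x6223fef7 bitmask 255.255.0.255
+Size in memory: 736
+References: 0
+Number of entries: 1
+Members:
+1.2.0.4,22.23.0.25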
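--- a/_service:tar_scm:ipset-7.15.tar.bz2/tests/hash:net,port,net.t
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,port,net.t
@@ -52,6 +52,12 @@
 0 ipset add test 10.0.0.0-10.0.3.255,tcp:80-82,192.168.0.0-192.168.2.255
 # Check that correct number of elements are added
 0 n=`ipset list test|grep '^10.0'|wc -l` && test $n -eq 6
+# Flush set
+0 ipset flush test
+# Add 0/0 networks
+0 ipset add test 0.0.0.0/0,tcp:1-2,192.168.230.128/25
+# Check that correct number of elements are added
+0 n=`ipset list test|grep '^0'|wc -l` && test $n -eq 2
 # Destroy set
 0 ipset -X test
 # Create test set with timeout support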
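--- a/_service:tar_scm:ipset-7.15.tar.bz2/tests/netnetgen.sh
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/netnetgen.sh
@@ -6,7 +6,7 @@
 comment=" comment"
 ;;
 timeout)
-timeout=" timeout 5"
+timeout=" timeout 10"
 ;;
 *)
 ;;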
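--- a/_service:tar_scm:ipset-7.15.tar.bz2/tests/xlate/xlate.t
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/xlate/xlate.t
@@ -53,3 +53,5 @@
 add bp1 22
 create bim1 bitmap:ip,mac range 1.1.1.0/24
 add bim1 1.1.1.1,aa:bb:cc:dd:ee:ff
+create hn6 hash:net family inet6
+add hn6 fe80::/64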
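--- a/_service:tar_scm:ipset-7.15.tar.bz2/tests/xlate/xlate.t.nft
+++ b/_service:tar_scm:ipset-7.17.tar.bz2/tests/xlate/xlate.t.nft
@@ -54,3 +54,5 @@
 add element inet global bp1 { 22 }
 add set inet global bim1 { type ipv4_addr . ether_addr; }
 add element inet global bim1 { 1.1.1.1 . aa:bb:cc:dd:ee:ff }
+add set inet global hn6 { type ipv6_addr; flags interval; }
+add element inet global hn6 { fe80::/64 }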
_service:tar_scm:ipset-7.15.tar.bz2/utils/Makefile.in -> _service:tar_scm:ipset-7.17.tar.bz2/utils/Makefile.in
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -432,7 +432,7 @@ top_srcdir = @top_srcdir@ # curr:rev:age -LIBVERSION = 16:0:3 +LIBVERSION = 17:0:4 AM_CPPFLAGS = $(kinclude_CFLAGS) $(all_includes) -I$(top_srcdir)/include AM_CFLAGS = -std=gnu99 $(am__append_1) $(am__append_2) SPARSE = sparse
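--- /dev/null
+++ b/_service:tar_scm:ipset-config
@@ -0,0 +1,5 @@
+# Save current ipsets on stop.
+# Value: yes|no, default: no
+# Saves all ipsets to /etc/sysconfig/ipset.d/ if service gets stopped
+# (e.g. on system shutdown).
+IPSET_SAVE_ON_STOP="no"
\ No newline at end of file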
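Review bot: The new comment in ipset-config says sets are saved to `/etc/sysconfig/ipset.d/`, while the rewritten comment in the ipset.service section below says `/etc/sysconfig/ipset`; the start-stop script in this revision defines both `IPSET_DATA_DIR=/etc/sysconfig/ipset.d` and a compat `IPSET_DATA_COMPAT=/etc/sysconfig/ipset`, so the two comments should name the same location and state which one a save on stop actually writes. The file also ends without a trailing newline, which the diff flags; ending `IPSET_SAVE_ON_STOP="no"` with a newline avoids surprises in tools that read the file line by line. Since the service consumes this file through `EnvironmentFile=`, a short note that only KEY=value lines are honoured here would help an administrator who expects shell syntax.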
_service:tar_scm:ipset.service
@@ -9,10 +9,11 @@ ExecStart=/usr/libexec/ipset/ipset.start-stop start ExecStop=/usr/libexec/ipset/ipset.start-stop stop ExecReload=/usr/libexec/ipset/ipset.start-stop reload -# Save current ipset entries on stop/restart. +# Save current ipset entries on stop. # Value: yes|no, default: no -# Saves all ipsets to /etc/ipset/ipset if ipset gets stopped -Environment=IPSET_SAVE_ON_STOP=no IPSET_SAVE_ON_RESTART=no +# Saves all ipsets to /etc/sysconfig/ipset if ipset gets stopped +Environment=IPSET_SAVE_ON_STOP=no +EnvironmentFile=-/etc/sysconfig/ipset-config Install WantedBy=basic.target
_service:tar_scm:ipset.start-stop
@@ -1,209 +1,359 @@ -#!/bin/bash +#!/bin/sh # # ipset Start and stop ipset firewall sets # -# config: /etc/ipset/ipset -# - -IPSET=ipset -IPSET_BIN=/usr/sbin/${IPSET} -IPSET_DATA=/etc/${IPSET}/${IPSET} - -IPTABLES_CONFIG=/etc/sysconfig/iptables-config -IP6TABLES_CONFIG=${IPTABLES_CONFIG/iptables/ip6tables} - -TMP_FIFO=/tmp/${IPSET}.$$ - -if ! -x ${IPSET_BIN} ; then - echo "${IPSET_BIN} does not exist." - exit 5 -fi - -CLEAN_FILES=TMP_FIFO -trap "rm -f \$CLEAN_FILES" EXIT - -# Default ipset configuration: - -z $IPSET_SAVE_ON_STOP && IPSET_SAVE_ON_STOP=no # Overridden by ip(6)tables IP(6)TABLES_SAVE_ON_STOP - -z $IPSET_SAVE_ON_RESTART && IPSET_SAVE_ON_RESTART=no # Overridden by ip(6)tables IP(6)TABLES_SAVE_ON_RESTART - -# Load iptables configuration(s) - -f "$IPTABLES_CONFIG" && . "$IPTABLES_CONFIG" - -f "$IP6TABLES_CONFIG" && . "$IP6TABLES_CONFIG" - -# It doesn't make sense to save iptables config and not our config - ${IPTABLES_SAVE_ON_STOP} = yes || ${IP6TABLES_SAVE_ON_STOP} = yes && IPSET_SAVE_ON_STOP=yes - ${IPTABLES_SAVE_ON_RESTART} = yes || ${IP6TABLES_SAVE_ON_RESTART} = yes && IPSET_SAVE_ON_RESTART=yes - -check_can_unload() { - # If the xt_set module is loaded and can't be unloaded, then iptables is - # using ipsets, so refuse to stop the service. - if -n $(lsmod | grep "^xt_set ") ; then - rmmod xt_set 2>/dev/null - $? -ne 0 && echo Current iptables configuration requires ipsets && return 1 - fi - - return 0 -} - -flush_n_delete() { - local ret=0 set - - # Flush sets - ${IPSET_BIN} flush - let ret+=$? - - # Delete ipset sets. If we don't do them individually, then none - # will be deleted unless they all can be. - for set in $(${IPSET_BIN} list -name); do - ${IPSET_BIN} destroy 2>/dev/null - $? 
-ne 0 && ret=1 - done - - return $ret +# config: /etc/sysconfig/ipset-config + +IPSET_BIN=/usr/sbin/ipset +IPSET_CONFIG=/etc/sysconfig/ipset-config +IPSET_DATA_COMPAT=/etc/sysconfig/ipset +IPSET_DATA_COMPAT_BACKUP=${IPSET_DATA_COMPAT}.save +IPSET_DATA_DIR=/etc/sysconfig/ipset.d +IPSET_DATA_DIR_BACKUP=${IPSET_DATA_DIR}.save +IPSET_DATA_SAVED_FLAG=${IPSET_DATA_DIR}/.saved +IPSET_LOCK=/run/ipset.lock +IPSET_RUN=/run/ipset.run +CLEAN_FILES="" + +trap "rm -rf \${CLEAN_FILES}" EXIT + +info() { + echo "ipset: ${*}" >&2 } - -start_clean() -{ - mkfifo -m go= "${TMP_FIFO}" - $? -ne 0 && return 1 - - # Get the lists of sets in current(old) config and new config - old_sets="$(${IPSET_BIN} list -name | sort -u)" - new_sets="$(grep ^create "${IPSET_DATA}" | cut -d " " -f 2 | sort -u)" - - # List of sets no longer wanted - drop_sets="$( printf "%s\n" "${old_sets}" > "${TMP_FIFO}" & - printf "%s\n" "${new_sets}" | comm -23 "${TMP_FIFO}" - - )" - - # Get rid of sets no longer needed - # Unfortunately -! doesn't work for destroy, so we have to do it a command at a time - for dset in $drop_sets; do - ipset destroy $dset 2>/dev/null - # If it won't go - ? in use by iptables, just clear it - $? -ne 0 && ipset flush $dset - done - - # Now delete the set members no longer required - ${IPSET_BIN} save | grep "^add " | sort >${TMP_FIFO} & - grep "^add " ${IPSET_DATA} | sort | comm -23 ${TMP_FIFO} - | sed -e "s/^add /del /" \ - | ${IPSET_BIN} restore -! - - # At last we can add the set members we haven't got - ipset restore -! <${IPSET_DATA} - - rm ${TMP_FIFO} - - return 0 + +warn() { + echo "<4>ipset: ${*}" >&2 } - -start() { - # Do not start if there is no config file. - ! -f "$IPSET_DATA" && echo "Loaded with no configuration" && return 0 - - # We can skip the first bit and do a simple load if - # there is no current ipset configuration - res=1 - if -n $(${IPSET_BIN} list -name) ; then - # The following may fail for some bizarre reason - start_clean - res=$? 
- - $res -ne 0 && echo "Some old configuration may remain" - fi - - # res -ne 0 => either start_clean failed, or we didn't need to run it - if $res -ne 0 ; then - # This is the easy way to start but would leave any old - # entries still configured. Still, better than nothing - - # but fine if we had no config - ${IPSET_BIN} restore -! <${IPSET_DATA} - res=$? - fi - - if $res -ne 0 ; then - return 1 - fi - - return 0 + +err() { + echo "<3>ipset: ${*}" >&2 } - -stop() { - # Nothing to stop if ip_set module is not loaded. - lsmod | grep -q "^ip_set " - $? -ne 0 && return 6 - - flush_n_delete - $? -ne 0 && echo Warning: Not all sets were flushed/deleted - - return 0 + + -x ${IPSET_BIN} || { err "Cannot execute ${IPSET_BIN}"; exit 1; } + +# Source ipset configuration +# shellcheck source=ipset-config + -f ${IPSET_CONFIG} && . ${IPSET_CONFIG} + +set -f + +lock() { + CLEAN_FILES="${CLEAN_FILES} ${IPSET_LOCK}" + until mkdir ${IPSET_LOCK} 2>/dev/null; do :; done } - + save() { - # Do not save if ip_set module is not loaded. - lsmod | grep -q "^ip_set " - $? -ne 0 && return 6 - - -z $(${IPSET_BIN} list -name) && return 0 - - ret=0 - TMP_FILE=$(/bin/mktemp -q /tmp/$IPSET.XXXXXX) \ - && CLEAN_FILES+=" $TMP_FILE" \ - && chmod 600 "$TMP_FILE" \ - && ${IPSET_BIN} save > $TMP_FILE 2>/dev/null \ - && -s $TMP_FILE \ - || ret=1 - - if $ret -eq 0 ; then - # No need to do anything if the files are the same - if ! -f $IPSET_DATA ; then - mv $TMP_FILE $IPSET_DATA && chmod 600 $IPSET_DATA || ret=1 + fail=0 + + # Make backups of existing configuration first, if any + -d ${IPSET_DATA_DIR} && mv -Tf ${IPSET_DATA_DIR} ${IPSET_DATA_DIR_BACKUP} + -f ${IPSET_DATA_COMPAT} && mv -Tf ${IPSET_DATA_COMPAT} ${IPSET_DATA_COMPAT_BACKUP} + + rm -f ${IPSET_DATA_SAVED_FLAG} + + # Save each set in a separate file + mkdir -p ${IPSET_DATA_DIR} + chmod 0700 ${IPSET_DATA_DIR} + IFS=" +" + for set in $(${IPSET_BIN} list -n -t); do + # Empty name allowed, use ".set" as suffix. 
'ipset save' doesn't + # quote set names with spaces: if we have a space in the name, + # work around this by quoting it ourselves in the output. + # shellcheck disable=SC2003 # No POSIX equivalent to expr index + if expr index "${set}" " " >/dev/null; then + :> "${IPSET_DATA_DIR}/${set}.set" + for line in $(${IPSET_BIN} save "${set}"); do + create=0 + echo "${line}" | grep -q "^create " && create=1 + if $create -eq 1 ; then + line=${line#create *} + else + line=${line#add *} + fi + line=${line#${set} *} + set="$(echo "${set}" | sed 's/"/\\"/g')" + if $create -eq 1 ; then + echo "create \"${set}\" ${line}" >> "${IPSET_DATA_DIR}/${set}.set" + else + echo "add \"${set}\" ${line}" >> "${IPSET_DATA_DIR}/${set}.set" + fi + done + else + ${IPSET_BIN} save "${set}" > "${IPSET_DATA_DIR}/${set}.set" || fail=1 + fi + -f "${IPSET_DATA_DIR}/${set}.set" && chmod 600 "${IPSET_DATA_DIR}/${set}.set" + $fail -eq 1 && err "Cannot save set ${set}" && unset IFS && return 1 + done + touch ${IPSET_DATA_SAVED_FLAG} || { unset IFS; return 1; } + unset IFS + + # Done: remove backups + rm -rf ${IPSET_DATA_DIR_BACKUP} + rm -rf ${IPSET_DATA_COMPAT_BACKUP} + + return 0 +} + +# Generate a grep regexp matching abbreviated command forms. E.g., for create: +# \(c\|cr\|cre\|crea\|creat\|create\) +cmd_short_expr() { + out= + cmd_len=1 + while "${cmd_len}" -le "${#1}" ; do + -z "${out}" && out='\(' || out="${out}"'\|' + # shellcheck disable=SC2003 # No POSIX equivalent to expr substr + out="${out}$(expr substr "${1}" 1 "${cmd_len}")" + cmd_len=$((cmd_len + 1)) + done + echo "${out}"'\)' +} + +ipset_restore() { + file="${1}" + + retfile="$(mktemp -q /tmp/ipset.XXXXXX)" + CLEAN_FILES="${CLEAN_FILES} ${retfile}" + + # If restore fails due to invalid lines, remove them and retry + while ! restore_err="$( (${IPSET_BIN} -f "${file}" -! restore 2>&1; echo $? 
>"${retfile}") | head -n1; exit "$(cat "${retfile}")" )"; do + warn "${restore_err}" + case ${restore_err#*: } in + "No command specified"*) + line="$(grep -m1 -n "^${restore_err##* }" "${file}")" + line="${line%:*}" + ;; + "Missing second mandatory argument to command "*) + cmd="${restore_err##* }" + cmd_expr="$(cmd_short_expr "${cmd}")" + line="$(grep -n '^'"${cmd_expr}" "${file}" | grep -m1 -v '^0-9\+\:'"${cmd_expr}"':blank:\+^:blank:\+:blank:\+^:blank:\+')" + line="${line%:*}" + ;; + "Missing mandatory argument to command "*) + cmd="${restore_err##* }" + cmd_expr="$(cmd_short_expr "${cmd}")" + line="$(grep -n '^'"${cmd_expr}" "${file}" | grep -m1 -v '^0-9\+\:'"${cmd_expr}"':blank:\+^:blank:\+')" + line="${line%:*}" + ;; + "Command "*"is invalid in restore mode"*) + restore_err_cmd="${restore_err#*: }" + restore_err_cmd="${restore_err_cmd#*\`}" + restore_err_cmd="${restore_err_cmd%%\'*}" + cmd="${restore_err_cmd##* }" + cmd_expr="$(cmd_short_expr "${cmd}")" + line="$(grep -m1 -ne '^'"${cmd_expr}"':blank:\+' -e '^'"${restore_err_cmd}"'$' "${file}")" + line="${line%:*}" + ;; + "Error in line "*) + line="${restore_err%: *}" + line="${line##* }" + ;; + *) + rm "${retfile}" + CLEAN_FILES="${CLEAN_FILES%* ${retfile}}" + return 1 + ;; + esac + + -z "${line}" && return 1 + + warn "Skipped invalid entry: $(sed "${line}q;d" "${file}")" + sed -i -e "${line}d" "${file}" + + -s "${file}" || return 1 + done + + rm "${retfile}" + CLEAN_FILES="${CLEAN_FILES%* ${retfile}}" +} + +load() { + if -f ${IPSET_DATA_SAVED_FLAG} ; then + # If we have a cleanly saved directory with all sets, we can + # delete any left-overs and use it + rm -rf ${IPSET_DATA_DIR_BACKUP} + rm -f ${IPSET_DATA_COMPAT_BACKUP} else - diff -q $TMP_FILE $IPSET_DATA >/dev/null - - if $? 
-ne 0 ; then - if -f $IPSET_DATA ; then - cp -f --preserve=timestamps $IPSET_DATA $IPSET_DATA.save \ - && chmod 600 $IPSET_DATA.save \ - || ret=1 + # If sets weren't cleanly saved, restore from backups + -d ${IPSET_DATA_DIR_BACKUP} && rm -rf ${IPSET_DATA_DIR} && mv -Tf ${IPSET_DATA_DIR_BACKUP} ${IPSET_DATA_DIR} + -f ${IPSET_DATA_COMPAT_BACKUP} && rm -f ${IPSET_DATA_COMPAT} && mv -Tf ${IPSET_DATA_COMPAT_BACKUP} ${IPSET_DATA_COMPAT} + fi + + if ! -d ${IPSET_DATA_DIR} && ! -f ${IPSET_DATA_COMPAT} ; then + info "No existing configuration available, none loaded" + touch ${IPSET_RUN} + return + fi + + # Merge all sets into temporary file + merged="$(mktemp -q /tmp/ipset.XXXXXX)" + CLEAN_FILES="${CLEAN_FILES} ${merged}" + chmod 600 "${merged}" + set +f + if -d ${IPSET_DATA_DIR} ; then + # Copy create commands from each saved set first, then the rest: + # list:set entries depend on other sets, so make sure they all + # get created first + for f in "${IPSET_DATA_DIR}"/*; do + "${f}" = "${IPSET_DATA_DIR}/*" && break + -f "${f}" || continue + grep '^c' "${f}" >> "${merged}" + done + for f in "${IPSET_DATA_DIR}"/*; do + "${f}" = "${IPSET_DATA_DIR}/*" && break + -f "${f}" || continue + grep -v '^c' "${f}" >> "${merged}" + done + fi + set -f + -f ${IPSET_DATA_COMPAT} && cat ${IPSET_DATA_COMPAT} >> "${merged}" + + # Drop sets that aren't in saved data, mark conflicts with existing sets + conflicts="" + IFS=" +" + for set in $(${IPSET_BIN} list -n -t); do + grep -q "^create ${set} " "${merged}" && conflicts="${conflicts}|${set}" && continue + + # We can't destroy the set if it's in use, flush it instead + if ! ${IPSET_BIN} destroy "${set}" 2>/dev/null; then + ${IPSET_BIN} flush "${set}" fi - if $ret -eq 0 ; then - cp -f --preserve=timestamps $TMP_FILE $IPSET_DATA \ - && chmod 600 $IPSET_DATA \ - || ret=1 + done + unset IFS + conflicts="${conflicts#|*}" + + # Common case: if we have no conflicts, just restore in one shot + if -z "${conflicts}" ; then + if ! 
ipset_restore "${merged}"; then + err "Failed to restore configured sets" + exit 1 fi - fi + rm "${merged}" + CLEAN_FILES="${CLEAN_FILES%* ${merged}}" + touch ${IPSET_RUN} + return fi - fi - - rm -f $TMP_FILE - return $ret + + # Find a salt for md5sum that makes names of saved sets unique + salt=0 + while true; do + unique=1 + IFS=" +" + for set in $(${IPSET_BIN} list -n -t); do + if grep -q "^create $(echo "${salt}${set}" | md5sum | head -c31) " "${merged}"; then + unique=0 + break + fi + done + unset IFS + ${unique} -eq 1 && break + salt=$((salt + 1)) + done + + # Add sets, mangling names for conflicting sets + mangled="$(mktemp -q /tmp/ipset.XXXXXX)" + CLEAN_FILES="${CLEAN_FILES} ${mangled}" + chmod 600 "${mangled}" + + cat "${merged}" > "${mangled}" + IFS='|' + for set in ${conflicts}; do + new_name=$(echo "${salt}${set}" | md5sum | head -c31) + echo "s/^(add|create) $set /\1 $new_name /" + done | sed -i -r -f - "${mangled}" + unset IFS + if ! ipset_restore "${mangled}"; then + err "Failed to restore configured sets" + exit 1 + fi + + rm "${mangled}" + CLEAN_FILES="${CLEAN_FILES%* ${mangled}}" + + # Swap and delete old sets + IFS='|' + for set in ${conflicts}; do + mangled="$(echo "${salt}${set}" | md5sum | head -c31)" + if ! ${IPSET_BIN} swap "${set}" "${mangled}" 2>/dev/null; then + # This fails if set types are different: try to destroy + # existing set + if ! ${IPSET_BIN} destroy "${set}" 2>/dev/null; then + # Conflicting set is in use, we can only warn + # and flush the existing set + err "Cannot load set \"${set}\", set with same name and conflicting type in use" + ${IPSET_BIN} flush "${set}" + ${IPSET_BIN} destroy "${mangled}" + else + ${IPSET_BIN} rename "${mangled}" "${set}" + fi + else + ${IPSET_BIN} destroy "${mangled}" + fi + done + unset IFS + + rm "${merged}" + CLEAN_FILES="${CLEAN_FILES%* ${merged}}" + touch ${IPSET_RUN} +} + +cleanup() { + ${IPSET_BIN} flush || err "Failed to flush sets" + + # Try to destroy all sets at once. 
This will fail if some are in use, + # destroy all the other ones in that case + ${IPSET_BIN} destroy 2>/dev/null && return + IFS=" +" + for set in $(${IPSET_BIN} list -n -t); do + if ! ${IPSET_BIN} destroy "${set}"; then + err "Failed to destroy set ${set}" + fi + done + unset IFS +} + +stop() { + -f ${IPSET_RUN} || { info "Not running"; return 0; } + "${IPSET_SAVE_ON_STOP}" = "yes" && { save || err "Failed to save sets"; } + + # Nothing to stop if the ip_set module is not loaded + lsmod | grep -q "^ip_set " || { info "Not running"; rm ${IPSET_RUN}; return 0; } + + # If the xt_set module is in use, then iptables is using ipset, so + # refuse to stop the service + if mod="$(lsmod | grep ^xt_set)"; then + if "$(echo "${mod}" | tr -s ' ' | cut -d' ' -f3)" != "0" ; then + err "Current iptables configuration requires ipset" && return 1 + fi + fi + + cleanup + + rm ${IPSET_RUN} + return 0 } - - + +lock case "$1" in - start) - start - RETVAL=$? +start) + load ;; - stop) - check_can_unload || exit 1 - $IPSET_SAVE_ON_STOP = yes && save +stop) stop - RETVAL=$? - $RETVAL -eq 6 && echo "${IPSET}: not running" && exit 0 ;; - reload) - $IPSET_SAVE_ON_RESTART = yes && save - stop - RETVAL=$? - $RETVAL -eq 6 && echo "${IPSET}: not running" && exit 0 - start - RETVAL=$? +reload) + cleanup + load + ;; +save) + save ;; - *) - echo "Usage: $IPSET {start|stop|reload}" >&2 +*) + info "Usage: $0 {start|stop|reload|save}" exit 1 esac - -exit $RETVAL + +exit $? \ No newline at end of file