openEuler:Mainline
ipset
We truncated the diff of some files because they were too big.
Changes of Revision 2
_service:tar_scm:ipset.spec
Changed
@@ -1,14 +1,17 @@ Name: ipset -Version: 7.15 -Release: 1 +Version: 7.17 +Release: 2 Summary: Manage Linux IP sets License: GPLv2 URL: http://ipset.netfilter.org/ Source0: http://ipset.netfilter.org/%{name}-%{version}.tar.bz2 Source1: ipset.service Source2: ipset.start-stop +Source3: ipset-config -BuildRequires: libmnl-devel automake autoconf libtool libtool-ltdl-devel systemd +Patch0: backport-netfilter-ipset-Fix-overflow-before-widen-in-the-bit.patch + +BuildRequires: libmnl-devel automake autoconf libtool libtool-ltdl-devel systemd make Requires: ipset-libs = %{version}-%{release} iptables-services Requires(post): systemd Requires(preun): systemd @@ -54,7 +57,7 @@ %build ./autogen.sh -%configure --with-kmod=no +%configure --with-kmod=no --disable-static rm -fr kernel %disable_rpath %make_build @@ -69,12 +72,27 @@ install -d -m 755 %{buildroot}%{_libexecdir}/%{name} install -c -m 755 %{SOURCE2} %{buildroot}%{_libexecdir}/%{name} +install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig +install -c -m 600 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/%{name}-config + install -d -m 755 %{buildroot}%{_sysconfdir}/%{name} %ldconfig_scriptlets libs %post %systemd_post %{name}.service +if -f /etc/ipset/ipset && ! -f /etc/sysconfig/ipset ; then + mv /etc/ipset/ipset /etc/sysconfig/ipset + ln -s /etc/sysconfig/ipset /etc/ipset/ipset + echo "Warning: ipset save location has moved to /etc/sysconfig" +fi + -f /etc/sysconfig/iptables-config && . /etc/sysconfig/iptables-config + -f /etc/sysconfig/ip6tables-config && . /etc/sysconfig/ip6tables-config +if ${IPTABLES_SAVE_ON_STOP} == yes || \ + ${IP6TABLES_SAVE_ON_STOP} == yes ; then + echo "Warning: ipset no longer saves automatically when iptables does" + echo " must enable explicitly in /etc/sysconfig/ipset-config" +fi %preun if $1 -eq 0 && -n $(lsmod | grep "^xt_set ") ; then 
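Review bot: In %post, `mv /etc/ipset/ipset /etc/sysconfig/ipset` keeps the mode and owner of the old save file, while the %files list declares the new path as `%attr(0600,root,root)`; add an explicit `chmod 0600 /etc/sysconfig/ipset` after the move so the migrated file matches that declaration. As rendered here the tests have no `[ ]` or `[[ ]]` around them (`if -f /etc/ipset/ipset && ! -f /etc/sysconfig/ipset ; then`), so confirm the raw spec has them, and quote `${IPTABLES_SAVE_ON_STOP}` and `${IP6TABLES_SAVE_ON_STOP}`, which stay unset when neither iptables-config file exists.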
@@ -95,6 +113,8 @@ %{_unitdir}/ipset.service %{_libexecdir}/ipset/ipset.start-stop %{_sysconfdir}/%{name} +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ipset-config +%ghost %config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ipset %files libs %defattr(-,root,root) @@ -104,7 +124,6 @@ %files devel %defattr(-,root,root) %{_includedir}/libipset -%{_libdir}/*.a %{_libdir}/libipset.so %{_libdir}/pkgconfig/*.pc @@ -114,6 +133,24 @@ %{_mandir}/man3/libipset.3.* %changelog +* Tue Feb 28 2023 gaihuiying <eaglegai@163.com> - 7.17-2 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:delete *.a file + +* Wed Feb 01 2023 xinghe <xinghe2@h-partners.com> - 7.17-1 +- Type:requirements +- ID:NA +- SUG:NA +- DESC:update ipset to 7.17 + +* Thu Oct 20 2022 xinghe <xinghe2@h-partners.com> - 7.15-2 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:Fix IPv6 sets nftables translation + * Mon Mar 21 2022 yanglu <yanglu72@h-partners.com> - 7.15-1 - Type:requirements - ID:NA
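Review bot: The new %changelog entries record only `delete *.a file`, `update ipset to 7.17` and `Fix IPv6 sets nftables translation`; nothing mentions the addition of Patch0, the new `ipset-config` source, or the %post migration of the save file to /etc/sysconfig. Add an entry covering those, since the save-location move and the "no longer saves automatically" behaviour change what administrators see on upgrade.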
_service:tar_scm:backport-netfilter-ipset-Fix-overflow-before-widen-in-the-bit.patch
Added
@@ -0,0 +1,44 @@ +From f9a5f712132273139473cb322c3155375a1d1836 Mon Sep 17 00:00:00 2001 +From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> +Date: Sat, 28 Jan 2023 19:09:52 +0100 +Subject: PATCH netfilter: ipset: Fix overflow before widen in the + bitmap_ip_create() function. + +When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of +an arithmetic expression 2 << (netmask - mask_bits - 1) is subject +to overflow due to a failure casting operands to a larger data type +before performing the arithmetic. + +Note that it's harmless since the value will be checked at the next step. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters") +Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> +Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> + +Conflict: NA +Reference: http://git.netfilter.org/ipset/commit/?id=f9a5f712132273139473cb322c3155375a1d1836 +--- + kernel/net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/net/netfilter/ipset/ip_set_bitmap_ip.c b/kernel/net/netfilter/ipset/ip_set_bitmap_ip.c +index c488663..f37169c 100644 +--- a/kernel/net/netfilter/ipset/ip_set_bitmap_ip.c ++++ b/kernel/net/netfilter/ipset/ip_set_bitmap_ip.c +@@ -312,8 +312,8 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb, + return -IPSET_ERR_BITMAP_RANGE; + + pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask); +- hosts = 2 << (32 - netmask - 1); +- elements = 2 << (netmask - mask_bits - 1); ++ hosts = 2U << (32 - netmask - 1); ++ elements = 2UL << (netmask - mask_bits - 1); + } + if (elements > IPSET_BITMAP_MAX_RANGE + 1) + return -IPSET_ERR_BITMAP_RANGE_SIZE; +-- +2.27.0 +
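Review bot: The only file touched, `kernel/net/netfilter/ipset/ip_set_bitmap_ip.c`, sits in the tree that the spec deletes with `rm -fr kernel` before building with `--with-kmod=no`, so carrying this as Patch0 does not change any binary this package ships; the overflow fix has to land in the kernel package to take effect. Separately, in `elements = 2UL << (netmask - mask_bits - 1);` the `UL` suffix widens the operand only where `unsigned long` is 64 bits; the declaration of `elements` is outside the hunk, but if it is a 64-bit type, `2ULL` would widen on 32-bit builds as well.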
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="scm">git</param> <param name="url">git@gitee.com:src-openeuler/ipset.git</param> - <param name="revision">ace86321e07a3bd02d6390821fae0023f183d934</param> + <param name="revision">master</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
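Review bot: Replacing the pinned commit `ace86321e07a3bd02d6390821fae0023f183d934` with `master` in the `revision` parameter makes the build input a moving target: any later push to master of src-openeuler/ipset changes what this service fetches, and the result can no longer be reproduced or audited against a fixed source. Keep a commit hash here and update it with each revision.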
_service:tar_scm:ipset-7.15.tar.bz2/ChangeLog -> _service:tar_scm:ipset-7.17.tar.bz2/ChangeLog
Changed
@@ -1,3 +1,24 @@ +7.17 + - Tests: When verifying comments/timeouts, make sure entries don't expire + - Tests: Make sure the internal batches add the correct number of elements + - Tests: Verify that hash:net,port,net type can handle 0/0 properly + - Makefile: Create LZMA-compressed dist-files (Phil Sutter) + +7.16 + - Add new ipset_parse_bitmask() function to the library interface + - test: Make sure no more than 64 clashing elements can be added + to hash:net,iface sets + - netfilter: ipset: add tests for the new bitmask feature (Vishwanath Pai) + - netfilter: ipset: Update the man page to include netmask/bitmask options + (Vishwanath Pai) + - netfilter: ipset: Add bitmask support to hash:netnet (Vishwanath Pai) + - netfilter: ipset: Add bitmask support to hash:ipport (Vishwanath Pai) + - netfilter: ipset: Add bitmask support to hash:ip (Vishwanath Pai) + - netfilter: ipset: Add support for new bitmask parameter (Vishwanath Pai) + - ipset-translate: allow invoking with a path name (Quentin Armitage) + - Fix IPv6 sets nftables translation (Pablo Neira Ayuso) + - Fix typo in ipset-translate man page (Bernhard M. Wiedemann) + 7.14 - Add missing function to libipset.map and bump library version (reported by Jan Engelhardt)
_service:tar_scm:ipset-7.15.tar.bz2/Make_global.am -> _service:tar_scm:ipset-7.17.tar.bz2/Make_global.am
Changed
@@ -69,7 +69,7 @@ # interface. # curr:rev:age -LIBVERSION = 16:0:3 +LIBVERSION = 17:0:4 AM_CPPFLAGS = $(kinclude_CFLAGS) $(all_includes) -I$(top_srcdir)/include
_service:tar_scm:ipset-7.15.tar.bz2/Makefile.in -> _service:tar_scm:ipset-7.17.tar.bz2/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -213,8 +213,8 @@ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ cscope distdir distdir-am dist dist-all distcheck -am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \ - $(LISP)config.h.in +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) \ + config.h.in # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. @@ -282,9 +282,11 @@ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" -DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best -DIST_TARGETS = dist-gzip +DIST_ARCHIVES = $(distdir).tar.xz +DIST_TARGETS = dist-xz +# Exists only to be overridden by the user if desired. +AM_DISTCHECK_DVI_TARGET = dvi distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' @@ -496,7 +498,7 @@ ACLOCAL_AMFLAGS = -I m4 # curr:rev:age -LIBVERSION = 16:0:3 +LIBVERSION = 17:0:4 AM_CPPFLAGS = $(kinclude_CFLAGS) $(all_includes) -I$(top_srcdir)/include AM_CFLAGS = -std=gnu99 $(am__append_1) $(am__append_2) SPARSE = sparse 
@@ -763,11 +765,14 @@ dist-lzip: distdir tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz $(am__post_remove_distdir) - dist-xz: distdir tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz $(am__post_remove_distdir) +dist-zstd: distdir + tardir=$(distdir) && $(am__tar) | zstd -c $${ZSTD_CLEVEL-$${ZSTD_OPT--19}} >$(distdir).tar.zst + $(am__post_remove_distdir) + dist-tarZ: distdir @echo WARNING: "Support for distribution archives compressed with" \ "legacy program 'compress' is deprecated." >&2 @@ -810,6 +815,8 @@ eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ + *.tar.zst*) \ + zstd -dc $(distdir).tar.zst | $(am__untar) ;;\ esac chmod -R a-w $(distdir) chmod u+w $(distdir) @@ -825,7 +832,7 @@ $(DISTCHECK_CONFIGURE_FLAGS) \ --srcdir=../.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ - && $(MAKE) $(AM_MAKEFLAGS) dvi \ + && $(MAKE) $(AM_MAKEFLAGS) $(AM_DISTCHECK_DVI_TARGET) \ && $(MAKE) $(AM_MAKEFLAGS) check \ && $(MAKE) $(AM_MAKEFLAGS) install \ && $(MAKE) $(AM_MAKEFLAGS) installcheck \ 
@@ -987,18 +994,18 @@ am--refresh check check-am clean clean-cscope clean-generic \ clean-libtool cscope cscopelist-am ctags ctags-am dist \ dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \ - dist-xz dist-zip distcheck distclean distclean-generic \ - distclean-hdr distclean-libtool distclean-tags distcleancheck \ - distdir distuninstallcheck dvi dvi-am html html-am info \ - info-am install install-am install-data install-data-am \ - install-dvi install-dvi-am install-exec install-exec-am \ - install-html install-html-am install-info install-info-am \ - install-man install-pdf install-pdf-am install-ps \ - install-ps-am install-strip installcheck installcheck-am \ - installdirs installdirs-am maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ - uninstall-am + dist-xz dist-zip dist-zstd distcheck distclean \ + distclean-generic distclean-hdr distclean-libtool \ + distclean-tags distcleancheck distdir distuninstallcheck dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs installdirs-am \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am .PRECIOUS: Makefile
_service:tar_scm:ipset-7.15.tar.bz2/aclocal.m4 -> _service:tar_scm:ipset-7.17.tar.bz2/aclocal.m4
Changed
@@ -1,6 +1,6 @@ -# generated automatically by aclocal 1.16.1 -*- Autoconf -*- +# generated automatically by aclocal 1.16.3 -*- Autoconf -*- -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -20,9 +20,9 @@ If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.)) -dnl pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -dnl serial 11 (pkg-config-0.29) -dnl +# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +# serial 12 (pkg-config-0.29.2) + dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>. dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com> dnl @@ -63,7 +63,7 @@ dnl See the "Since" comment for each macro you use to see what version dnl of the macros you require. m4_defun(PKG_PREREQ, -m4_define(PKG_MACROS_VERSION, 0.29) +m4_define(PKG_MACROS_VERSION, 0.29.2) m4_if(m4_version_compare(PKG_MACROS_VERSION, $1), -1, m4_fatal(pkg.m4 version $1 or higher is required but PKG_MACROS_VERSION found)) )dnl PKG_PREREQ @@ -164,7 +164,7 @@ AC_ARG_VAR($1_LIBS, linker flags for $1, overriding pkg-config)dnl pkg_failed=no -AC_MSG_CHECKING(for $1) +AC_MSG_CHECKING(for $2) _PKG_CONFIG($1_CFLAGS, cflags, $2) _PKG_CONFIG($1_LIBS, libs, $2) @@ -174,11 +174,11 @@ See the pkg-config man page for more details.) if test $pkg_failed = yes; then - AC_MSG_RESULT(no) + AC_MSG_RESULT(no) _PKG_SHORT_ERRORS_SUPPORTED if test $_pkg_short_errors_supported = yes; then $1_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1` - else + else $1_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1` fi # Put the nasty error message in config.log where it belongs 
@@ -195,7 +195,7 @@ _PKG_TEXT)dnl ) elif test $pkg_failed = untried; then - AC_MSG_RESULT(no) + AC_MSG_RESULT(no) m4_default($4, AC_MSG_FAILURE( The pkg-config script could not be found or is too old. Make sure it is in your PATH or set the PKG_CONFIG environment variable to the full @@ -296,7 +296,7 @@ AS_VAR_IF($1, "", $5, $4)dnl )dnl PKG_CHECK_VAR -# Copyright (C) 2002-2018 Free Software Foundation, Inc. +# Copyright (C) 2002-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -311,7 +311,7 @@ am__api_version='1.16' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if($1, 1.16.1, , +m4_if($1, 1.16.3, , AC_FATAL(Do not call $0, use AM_INIT_AUTOMAKE($1).))dnl ) @@ -327,14 +327,14 @@ # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN(AM_SET_CURRENT_AUTOMAKE_VERSION, -AM_AUTOMAKE_VERSION(1.16.1)dnl +AM_AUTOMAKE_VERSION(1.16.3)dnl m4_ifndef(AC_AUTOCONF_VERSION, m4_copy(m4_PACKAGE_VERSION, AC_AUTOCONF_VERSION))dnl _AM_AUTOCONF_VERSION(m4_defn(AC_AUTOCONF_VERSION))) # AM_AUX_DIR_EXPAND -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -386,7 +386,7 @@ # AM_CONDITIONAL -*- Autoconf -*- -# Copyright (C) 1997-2018 Free Software Foundation, Inc. +# Copyright (C) 1997-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -417,7 +417,7 @@ Usually this means the macro was only invoked conditionally.) fi)) -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -608,7 +608,7 @@ # Generate code to set up dependency tracking. -*- Autoconf -*- -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -647,7 +647,9 @@ done if test $am_rc -ne 0; then AC_MSG_FAILURE(Something went wrong bootstrapping makefile fragments - for automatic dependency tracking. Try re-running configure with the + for automatic dependency tracking. If GNU make was not used, consider + re-running the configure script with MAKE="gmake" (or whatever is + necessary). You can also try re-running configure with the '--disable-dependency-tracking' option to at least be able to build the package (albeit without support for automatic dependency tracking).) fi @@ -674,7 +676,7 @@ # Do all the work for Automake. -*- Autoconf -*- -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -871,7 +873,7 @@ done echo "timestamp for $_am_arg" >`AS_DIRNAME("$_am_arg")`/stamp-h$_am_stamp_count) -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -892,7 +894,7 @@ fi AC_SUBST(install_sh)) -# Copyright (C) 2003-2018 Free Software Foundation, Inc. +# Copyright (C) 2003-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -913,7 +915,7 @@ # Check to see how 'make' treats includes. -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc. +# Copyright (C) 2001-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -956,7 +958,7 @@ # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- -# Copyright (C) 1997-2018 Free Software Foundation, Inc. +# Copyright (C) 1997-2020 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -977,12 +979,7 @@ AC_REQUIRE(AM_AUX_DIR_EXPAND)dnl AC_REQUIRE_AUX_FILE(missing)dnl if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then @@ -995,7 +992,7 @@ # Helper functions for option handling. -*- Autoconf -*- -# Copyright (C) 2001-2018 Free Software Foundation, Inc.
_service:tar_scm:ipset-7.15.tar.bz2/build-aux/compile -> _service:tar_scm:ipset-7.17.tar.bz2/build-aux/compile
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # Written by Tom Tromey <tromey@cygnus.com>. # # This program is free software; you can redistribute it and/or modify @@ -53,7 +53,7 @@ MINGW*) file_conv=mingw ;; - CYGWIN*) + CYGWIN* | MSYS*) file_conv=cygwin ;; *) @@ -67,7 +67,7 @@ mingw/*) file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` ;; - cygwin/*) + cygwin/* | msys/*) file=`cygpath -m "$file" || echo "$file"` ;; wine/*)
_service:tar_scm:ipset-7.15.tar.bz2/build-aux/depcomp -> _service:tar_scm:ipset-7.17.tar.bz2/build-aux/depcomp
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2020 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by
_service:tar_scm:ipset-7.15.tar.bz2/build-aux/install-sh -> _service:tar_scm:ipset-7.17.tar.bz2/build-aux/install-sh
Changed
@@ -1,7 +1,7 @@ #!/bin/sh # install - install a program, script, or datafile -scriptversion=2018-03-11.20; # UTC +scriptversion=2020-11-14.01; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the @@ -69,6 +69,11 @@ # Desired mode of installed file. mode=0755 +# Create dirs (including intermediate dirs) using mode 755. +# This is like GNU 'install' as of coreutils 8.32 (2020). +mkdir_umask=22 + +backupsuffix= chgrpcmd= chmodcmd=$chmodprog chowncmd= @@ -99,18 +104,28 @@ --version display version info and exit. -c (ignored) - -C install only if different (preserve the last data modification time) + -C install only if different (preserve data modification time) -d create directories instead of installing files. -g GROUP $chgrpprog installed files to GROUP. -m MODE $chmodprog installed files to MODE. -o USER $chownprog installed files to USER. + -p pass -p to $cpprog. -s $stripprog installed files. + -S SUFFIX attempt to back up existing files, with suffix SUFFIX. -t DIRECTORY install into DIRECTORY. -T report an error if DSTFILE is a directory. Environment variables override the default commands: CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG + +By default, rm is invoked with -f; when overridden with RMPROG, +it's up to you to specify -f if you want it. + +If -S is not specified, no backups are attempted. + +Email bug reports to bug-automake@gnu.org. +Automake home page: https://www.gnu.org/software/automake/ " while test $# -ne 0; do @@ -137,8 +152,13 @@ -o) chowncmd="$chownprog $2" shift;; + -p) cpprog="$cpprog -p";; + -s) stripcmd=$stripprog;; + -S) backupsuffix="$2" + shift;; + -t) is_target_a_directory=always dst_arg=$2 
@@ -255,6 +275,10 @@ dstdir=$dst test -d "$dstdir" dstdir_status=$? + # Don't chown directories that already exist. + if test $dstdir_status = 0; then + chowncmd="" + fi else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command @@ -301,22 +325,6 @@ if test $dstdir_status != 0; then case $posix_mkdir in '') - # Create intermediate dirs using mode 755 as modified by the umask. - # This is like FreeBSD 'install' as of 1997-10-28. - umask=`umask` - case $stripcmd.$umask in - # Optimize common cases. - *23672367) mkdir_umask=$umask;; - .*00202 | .0202 | .02) mkdir_umask=22;; - - *0-7) - mkdir_umask=`expr $umask + 22 \ - - $umask % 100 % 40 + $umask % 20 \ - - $umask % 10 % 4 + $umask % 2 - `;; - *) mkdir_umask=$umask,go-w;; - esac - # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then 
@@ -326,52 +334,49 @@ fi posix_mkdir=false - case $umask in - *1235670-70-7) - # POSIX mkdir -p sets u+wx bits regardless of umask, which - # is incompatible with FreeBSD 'install' when (umask & 300) != 0. - ;; - *) - # Note that $RANDOM variable is not portable (e.g. dash); Use it - # here however when possible just to lower collision chance. - tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ - - trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 - - # Because "mkdir -p" follows existing symlinks and we likely work - # directly in world-writeable /tmp, make sure that the '$tmpdir' - # directory is successfully created first before we actually test - # 'mkdir -p' feature. - if (umask $mkdir_umask && - $mkdirprog $mkdir_mode "$tmpdir" && - exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 - then - if test -z "$dir_arg" || { - # Check for POSIX incompatibilities with -m. - # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or - # other-writable bit of parent directory when it shouldn't. - # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. - test_tmpdir="$tmpdir/a" - ls_ld_tmpdir=`ls -ld "$test_tmpdir"` - case $ls_ld_tmpdir in - d????-?r-*) different_mode=700;; - d????-?--*) different_mode=755;; - *) false;; - esac && - $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { - ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` - test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" - } - } - then posix_mkdir=: - fi - rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" - else - # Remove any dirs left behind by ancient mkdir implementations. - rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null - fi - trap '' 0;; - esac;; + # The $RANDOM variable is not portable (e.g., dash). Use it + # here however when possible just to lower collision chance. + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + + trap ' + ret=$? 
+ rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null + exit $ret + ' 0 + + # Because "mkdir -p" follows existing symlinks and we likely work + # directly in world-writeable /tmp, make sure that the '$tmpdir' + # directory is successfully created first before we actually test + # 'mkdir -p'. + if (umask $mkdir_umask && + $mkdirprog $mkdir_mode "$tmpdir" && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + test_tmpdir="$tmpdir/a" + ls_ld_tmpdir=`ls -ld "$test_tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. + rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null + fi + trap '' 0;; esac if @@ -382,7 +387,7 @@ then : else - # The umask is ridiculous, or mkdir does not conform to POSIX,
_service:tar_scm:ipset-7.15.tar.bz2/build-aux/ltmain.sh -> _service:tar_scm:ipset-7.17.tar.bz2/build-aux/ltmain.sh
Changed
@@ -31,7 +31,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.6 Debian-2.4.6-9" +VERSION="2.4.6 Debian-2.4.6-15" package_revision=2.4.6 @@ -387,7 +387,7 @@ # putting '$debug_cmd' at the start of all your functions, you can get # bash to show function call trace with: # -# debug_cmd='eval echo "${FUNCNAME0} $*" >&2' bash your-script-name +# debug_cmd='echo "${FUNCNAME0} $*" >&2' bash your-script-name debug_cmd=${debug_cmd-":"} exit_cmd=: @@ -2141,7 +2141,7 @@ compiler: $LTCC compiler flags: $LTCFLAGS linker: $LD (gnu? $with_gnu_ld) - version: $progname $scriptversion Debian-2.4.6-9 + version: $progname $scriptversion Debian-2.4.6-15 automake: `($AUTOMAKE --version) 2>/dev/null |$SED 1q` autoconf: `($AUTOCONF --version) 2>/dev/null |$SED 1q` @@ -7368,10 +7368,12 @@ # -stdlib=* select c++ std lib with clang # -fsanitize=* Clang/GCC memory and address sanitizer # -fuse-ld=* Linker select flags for GCC + # -static-* direct GCC to link specific libraries statically + # -fcilkplus Cilk Plus language extension features for C/C++ -64|-mips0-9|-r0-90-9*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \ -t45*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \ -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*| \ - -specs=*|-fsanitize=*|-fuse-ld=*) + -specs=*|-fsanitize=*|-fuse-ld=*|-static-*|-fcilkplus) func_quote_for_eval "$arg" arg=$func_quote_for_eval_result func_append compile_command " $arg"
_service:tar_scm:ipset-7.15.tar.bz2/build-aux/missing -> _service:tar_scm:ipset-7.17.tar.bz2/build-aux/missing
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2020 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996. # This program is free software; you can redistribute it and/or modify
_service:tar_scm:ipset-7.15.tar.bz2/configure -> _service:tar_scm:ipset-7.17.tar.bz2/configure
Changed
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for ipset 7.15. +# Generated by GNU Autoconf 2.69 for ipset 7.17. # # Report bugs to <kadlec@netfilter.org>. # @@ -594,8 +594,8 @@ # Identity of this package. PACKAGE_NAME='ipset' PACKAGE_TARNAME='ipset' -PACKAGE_VERSION='7.15' -PACKAGE_STRING='ipset 7.15' +PACKAGE_VERSION='7.17' +PACKAGE_STRING='ipset 7.17' PACKAGE_BUGREPORT='kadlec@netfilter.org' PACKAGE_URL='' @@ -1452,7 +1452,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ipset 7.15 to adapt to many kinds of systems. +\`configure' configures ipset 7.17 to adapt to many kinds of systems. Usage: $0 OPTION... VAR=VALUE... @@ -1523,7 +1523,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ipset 7.15:";; + short | recursive ) echo "Configuration of ipset 7.17:";; esac cat <<\_ACEOF @@ -1661,7 +1661,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ipset configure 7.15 +ipset configure 7.17 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2039,7 +2039,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ipset $as_me 7.15, which was +It was created by ipset $as_me 7.17, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2666,12 +2666,7 @@ am_aux_dir=`cd "$ac_aux_dir" && pwd` if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then 
@@ -2976,7 +2971,7 @@ # Define the identity of the package. PACKAGE='ipset' - VERSION='7.15' + VERSION='7.17' cat >>confdefs.h <<_ACEOF @@ -5865,7 +5860,7 @@ fi : ${AR=ar} -: ${AR_FLAGS=cru} +: ${AR_FLAGS=cr} @@ -7586,8 +7581,8 @@ _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5 $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5 - echo "$AR cru libconftest.a conftest.o" >&5 - $AR cru libconftest.a conftest.o 2>&5 + echo "$AR cr libconftest.a conftest.o" >&5 + $AR cr libconftest.a conftest.o 2>&5 echo "$RANLIB libconftest.a" >&5 $RANLIB libconftest.a 2>&5 cat > conftest.c << _LT_EOF @@ -7619,11 +7614,11 @@ # to the OS version, if on x86, and 10.4, the deployment # target defaults to 10.4. Don't you love it? case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in - 10.0,*86*-darwin8*|10.0,*-darwin91*) + 10.0,*86*-darwin8*|10.0,*-darwin912*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; 10.012,.*) _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; - 10.*) + 10.*|11.*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; esac ;; @@ -8685,6 +8680,12 @@ lt_prog_compiler_pic='-KPIC' lt_prog_compiler_static='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fPIC' + lt_prog_compiler_static='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) @@ -14530,8 +14531,8 @@ pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libmnl" >&5 -$as_echo_n "checking for libmnl... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libmnl >= 1" >&5 +$as_echo_n "checking for libmnl >= 1... " >&6; } if test -n "$libmnl_CFLAGS"; then pkg_cv_libmnl_CFLAGS="$libmnl_CFLAGS" 
@@ -14571,7 +14572,7 @@ if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then @@ -14598,7 +14599,7 @@ and libmnl_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details." "$LINENO" 5 elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} @@ -15055,6 +15056,12 @@ $as_echo "yes" >&6; } HAVE_KVCALLOC=define +elif test -f $ksourcedir/include/linux/slab.h && \ + $GREP -q 'kvcalloc' $ksourcedir/include/linux/slab.h; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + HAVE_KVCALLOC=define + else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } @@ -15070,6 +15077,12 @@ $as_echo "yes" >&6; } HAVE_KVFREE=define +elif test -f $ksourcedir/include/linux/slab.h && \ + $GREP -q 'kvfree' $ksourcedir/include/linux/slab.h; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + HAVE_KVFREE=define + else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } 
@@ -15641,14 +15654,20 @@ fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel source for kvzalloc() in mm.h" >&5 -$as_echo_n "checking kernel source for kvzalloc() in mm.h... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking kernel source for kvzalloc() in mm.h and slab.h" >&5 +$as_echo_n "checking kernel source for kvzalloc() in mm.h and slab.h... " >&6; } if test -f $ksourcedir/include/linux/mm.h && \ $GREP -q 'static inline void \*kvzalloc(' $ksourcedir/include/linux/mm.h; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } HAVE_KVZALLOC=define +elif test -f $ksourcedir/include/linux/slab.h && \ + $GREP -q 'kvzalloc' $ksourcedir/include/linux/slab.h; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + HAVE_KVZALLOC=define +
View file
_service:tar_scm:ipset-7.15.tar.bz2/configure.ac -> _service:tar_scm:ipset-7.17.tar.bz2/configure.ac
Changed
@@ -1,10 +1,10 @@ dnl Boilerplate -AC_INIT(ipset, 7.15, kadlec@netfilter.org) +AC_INIT(ipset, 7.17, kadlec@netfilter.org) AC_CONFIG_AUX_DIR(build-aux) AC_CANONICAL_HOST AC_CONFIG_MACRO_DIR(m4) AC_CONFIG_HEADER(config.h) -AM_INIT_AUTOMAKE(foreign subdir-objects tar-pax) +AM_INIT_AUTOMAKE(foreign subdir-objects tar-pax no-dist-gzip dist-xz) m4_ifdef(AM_SILENT_RULES, AM_SILENT_RULES(yes)) AC_PROG_LN_S @@ -443,6 +443,10 @@ $GREP -q 'kvcalloc' $ksourcedir/include/linux/mm.h; then AC_MSG_RESULT(yes) AC_SUBST(HAVE_KVCALLOC, define) +elif test -f $ksourcedir/include/linux/slab.h && \ + $GREP -q 'kvcalloc' $ksourcedir/include/linux/slab.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_KVCALLOC, define) else AC_MSG_RESULT(no) AC_SUBST(HAVE_KVCALLOC, undef) @@ -453,6 +457,10 @@ $GREP -q 'kvfree' $ksourcedir/include/linux/mm.h; then AC_MSG_RESULT(yes) AC_SUBST(HAVE_KVFREE, define) +elif test -f $ksourcedir/include/linux/slab.h && \ + $GREP -q 'kvfree' $ksourcedir/include/linux/slab.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_KVFREE, define) else AC_MSG_RESULT(no) AC_SUBST(HAVE_KVFREE, undef) @@ -837,11 +845,15 @@ AC_SUBST(HAVE_NLMSG_UNICAST, undef) fi -AC_MSG_CHECKING(kernel source for kvzalloc() in mm.h) +AC_MSG_CHECKING(kernel source for kvzalloc() in mm.h and slab.h) if test -f $ksourcedir/include/linux/mm.h && \ $GREP -q 'static inline void \*kvzalloc(' $ksourcedir/include/linux/mm.h; then AC_MSG_RESULT(yes) AC_SUBST(HAVE_KVZALLOC, define) +elif test -f $ksourcedir/include/linux/slab.h && \ + $GREP -q 'kvzalloc' $ksourcedir/include/linux/slab.h; then + AC_MSG_RESULT(yes) + AC_SUBST(HAVE_KVZALLOC, define) else AC_MSG_RESULT(no) AC_SUBST(HAVE_KVZALLOC, undef)
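Review bot: The slab.h fallback added in the @@ -837 hunk matches the bare identifier (`$GREP -q 'kvzalloc'`), while the mm.h branch of the same test anchors on the declaration (`'static inline void \*kvzalloc('`). Any mention of the name in slab.h, a comment included, now sets HAVE_KVZALLOC. Use a declaration-shaped pattern in the slab.h branch too, so the result reflects an actual definition.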
View file
_service:tar_scm:ipset-7.15.tar.bz2/include/libipset/Makefile.in -> _service:tar_scm:ipset-7.17.tar.bz2/include/libipset/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it,
View file
_service:tar_scm:ipset-7.15.tar.bz2/include/libipset/args.h -> _service:tar_scm:ipset-7.17.tar.bz2/include/libipset/args.h
Changed
@@ -58,6 +58,7 @@ IPSET_ARG_SKBQUEUE, /* skbqueue */ IPSET_ARG_BUCKETSIZE, /* bucketsize */ IPSET_ARG_INITVAL, /* initval */ + IPSET_ARG_BITMASK, /* bitmask */ IPSET_ARG_MAX, };
View file
_service:tar_scm:ipset-7.15.tar.bz2/include/libipset/data.h -> _service:tar_scm:ipset-7.17.tar.bz2/include/libipset/data.h
Changed
@@ -37,6 +37,7 @@ IPSET_OPT_RESIZE, IPSET_OPT_SIZE, IPSET_OPT_FORCEADD, + IPSET_OPT_BITMASK, /* Create-specific options, filled out by the kernel */ IPSET_OPT_ELEMENTS, IPSET_OPT_REFERENCES, @@ -70,7 +71,7 @@ IPSET_OPT_BUCKETSIZE, IPSET_OPT_INITVAL, /* Internal options */ - IPSET_OPT_FLAGS = 48, /* IPSET_FLAG_EXIST| */ + IPSET_OPT_FLAGS = 49, /* IPSET_FLAG_EXIST| */ IPSET_OPT_CADT_FLAGS, /* IPSET_FLAG_BEFORE| */ IPSET_OPT_ELEM, IPSET_OPT_TYPE, @@ -105,7 +106,8 @@ | IPSET_FLAG(IPSET_OPT_COUNTERS)\ | IPSET_FLAG(IPSET_OPT_CREATE_COMMENT)\ | IPSET_FLAG(IPSET_OPT_FORCEADD)\ - | IPSET_FLAG(IPSET_OPT_SKBINFO)) + | IPSET_FLAG(IPSET_OPT_SKBINFO)\ + | IPSET_FLAG(IPSET_OPT_BITMASK)) #define IPSET_ADT_FLAGS \ (IPSET_FLAG(IPSET_OPT_IP) \
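Review bot: IPSET_OPT_BITMASK is inserted in the middle of the option enum in the @@ -37 hunk, which shifts IPSET_OPT_ELEMENTS and every later implicitly numbered option by one, and the @@ -71 hunk moves IPSET_OPT_FLAGS from 48 to 49 to make room. These values are part of the libipset interface, so a binary built against the 7.15 header would pass stale option numbers to a 7.17 library. Check that the library soname or symbol versions change with this update, or that dependent packages are rebuilt, and record the renumbering in the packaging changelog.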
View file
_service:tar_scm:ipset-7.15.tar.bz2/include/libipset/linux_ip_set.h -> _service:tar_scm:ipset-7.17.tar.bz2/include/libipset/linux_ip_set.h
Changed
@@ -89,6 +89,7 @@ IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ IPSET_ATTR_MARK, /* 10 */ IPSET_ATTR_MARKMASK, /* 11 */ + IPSET_ATTR_BITMASK, /* 12 */ /* Reserve empty slots */ IPSET_ATTR_CADT_MAX = 16, /* Create-only specific attributes */ @@ -157,6 +158,7 @@ IPSET_ERR_COMMENT, IPSET_ERR_INVALID_MARKMASK, IPSET_ERR_SKBINFO, + IPSET_ERR_BITMASK_NETMASK_EXCL, /* Type specific error codes */ IPSET_ERR_TYPE_SPECIFIC = 4352,
View file
_service:tar_scm:ipset-7.15.tar.bz2/include/libipset/list_sort.h -> _service:tar_scm:ipset-7.17.tar.bz2/include/libipset/list_sort.h
Changed
@@ -61,7 +61,7 @@ // entry->prev = (void *) 0; } -static inline void __list_splice(const struct list_head *list, +static inline void __list_splice(struct list_head *list, struct list_head *prev, struct list_head *next) { @@ -75,7 +75,7 @@ next->prev = last; } -static inline void list_splice(const struct list_head *list, +static inline void list_splice(struct list_head *list, struct list_head *head) { if (!list_empty(list))
View file
_service:tar_scm:ipset-7.15.tar.bz2/include/libipset/parse.h -> _service:tar_scm:ipset-7.17.tar.bz2/include/libipset/parse.h
Changed
@@ -92,6 +92,8 @@ enum ipset_opt opt, const char *str); extern int ipset_parse_netmask(struct ipset_session *session, enum ipset_opt opt, const char *str); +extern int ipset_parse_bitmask(struct ipset_session *session, + enum ipset_opt opt, const char *str); extern int ipset_parse_flag(struct ipset_session *session, enum ipset_opt opt, const char *str); extern int ipset_parse_typename(struct ipset_session *session,
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/ChangeLog -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/ChangeLog
Changed
@@ -1,3 +1,28 @@ +7.17 + - netfilter: ipset: Rework long task execution when adding/deleting entries + - netfilter: ipset: fix hash:net,port,net hang with /0 subnet + +7.16 + - netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface + - Fix all debug mode warnings + - netfilter: ipset: Add support for new bitmask parameter (Vishwanath Pai) + - netfilter: ipset: regression in ip_set_hash_ip.c (Vishwanath Pai) + - netfilter: move from strlcpy with unused retval to strscpy + (Wolfram Sang) + - compatibility: handle unsafe_memcpy() + - netlink: Bounds-check struct nlmsgerr creation (Kees Cook) + - compatibility: move to skb_protocol in the code from tc_skb_protocol + - Compatibility: check kvcalloc, kvfree, kvzalloc in slab.h too + - sched: consistently handle layer3 header accesses in the presence + of VLANs (Toke Høiland-Jørgensen) + - treewide: Replace GPLv2 boilerplate/reference with SPDX + - rule 500 (Thomas Gleixner) + - headers: Remove some left-over license text in + include/uapi/linux/netfilter/ (Christophe JAILLET) + - netfilter: ipset: enforce documented limit to prevent allocating + huge memory + - netfilter: ipset: Fix oversized kvmalloc() calls + 7.15 - netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt() (Nathan Chancellor)
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/include/linux/netfilter/ipset/ip_set.h -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/include/linux/netfilter/ipset/ip_set.h
Changed
@@ -200,7 +200,7 @@ }; /* Max range where every element is added/deleted in one step */ -#define IPSET_MAX_RANGE (1<<20) +#define IPSET_MAX_RANGE (1<<14) /* The max revision number supported by any set type + 1 */ #define IPSET_REVISION_MAX 9 @@ -528,6 +528,16 @@ *skbinfo = ext->skbinfo; } +static inline void +nf_inet_addr_mask_inplace(union nf_inet_addr *a1, + const union nf_inet_addr *mask) +{ + a1->all0 &= mask->all0; + a1->all1 &= mask->all1; + a1->all2 &= mask->all2; + a1->all3 &= mask->all3; +} + #define IP_SET_INIT_KEXT(skb, opt, set) \ { .bytes = (skb)->len, .packets = 1, .target = true,\ .timeout = ip_set_adt_opt_timeout(opt, set) }
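Review bot: The comment above IPSET_MAX_RANGE in the @@ -200 hunk still reads "Max range where every element is added/deleted in one step", but with the value dropped from 1<<20 to 1<<14 and the hash types on this page now returning -ERANGE after that many iterations and resuming from h->next, the constant acts as a per-pass batch size rather than a cap on the request. Update the comment to describe the new meaning.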
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in
Changed
@@ -406,11 +406,9 @@ #define skb_vlan_tag_present vlan_tx_tag_present #endif -static inline __be16 tc_skb_protocol(const struct sk_buff *skb) +#ifndef HAVE_SKB_PROTOCOL +static inline __be16 skb_protocol(const struct sk_buff *skb, bool skip_vlan) { -#ifdef HAVE_SKB_PROTOCOL - return skb_protocol(skb, true); -#else if (skb_vlan_tag_present(skb)) #ifdef HAVE_VLAN_PROTO_IN_SK_BUFF return skb->vlan_proto; @@ -418,9 +416,9 @@ return htons(ETH_P_8021Q); #endif return skb->protocol; -#endif } #endif +#endif #ifdef HAVE_XT_NET #define IPSET_DEV_NET(par) xt_net(par) @@ -607,5 +605,11 @@ return members; } #endif + +#ifndef unsafe_memcpy +#define unsafe_memcpy(dst, src, bytes, justification) \ + memcpy(dst, src, bytes) +#endif + #endif /* IP_SET_COMPAT_HEADERS */ #endif /* __IP_SET_COMPAT_H */
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/include/uapi/linux/netfilter/ipset/ip_set.h -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/include/uapi/linux/netfilter/ipset/ip_set.h
Changed
@@ -3,10 +3,6 @@ * Patrick Schaaf <bof@bof.de> * Martin Josefsson <gandalf@wlug.westbo.se> * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@netfilter.org> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. */ #ifndef _UAPI_IP_SET_H #define _UAPI_IP_SET_H @@ -89,6 +85,7 @@ IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ IPSET_ATTR_MARK, /* 10 */ IPSET_ATTR_MARKMASK, /* 11 */ + IPSET_ATTR_BITMASK, /* 12 */ /* Reserve empty slots */ IPSET_ATTR_CADT_MAX = 16, /* Create-only specific attributes */ @@ -157,6 +154,7 @@ IPSET_ERR_COMMENT, IPSET_ERR_INVALID_MARKMASK, IPSET_ERR_SKBINFO, + IPSET_ERR_BITMASK_NETMASK_EXCL, /* Type specific error codes */ IPSET_ERR_TYPE_SPECIFIC = 4352,
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_core.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_core.c
Changed
@@ -354,7 +354,7 @@ c = kmalloc(sizeof(*c) + len + 1, GFP_ATOMIC); if (unlikely(!c)) return; - strlcpy(c->str, ext->comment, len + 1); + strscpy(c->str, ext->comment, len + 1); set->ext_size += sizeof(*c) + strlen(c->str) + 1; rcu_assign_pointer(comment->c, c); } @@ -1082,7 +1082,7 @@ if (!set) return -ENOMEM; spin_lock_init(&set->lock); - strlcpy(set->name, name, IPSET_MAXNAMELEN); + strscpy(set->name, name, IPSET_MAXNAMELEN); set->family = family; set->revision = revision; @@ -1754,9 +1754,10 @@ ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried); ip_set_unlock(set); retried = true; - } while (ret == -EAGAIN && - set->variant->resize && - (ret = set->variant->resize(set, retried)) == 0); + } while (ret == -ERANGE || + (ret == -EAGAIN && + set->variant->resize && + (ret = set->variant->resize(set, retried)) == 0)); if (!ret || (ret == -IPSET_ERR_EXIST && eexist)) return 0; @@ -1775,11 +1776,12 @@ skb2 = nlmsg_new(payload, GFP_KERNEL); if (!skb2) return -ENOMEM; - rep = __nlmsg_put(skb2, NETLINK_PORTID(skb), - nlh->nlmsg_seq, NLMSG_ERROR, payload, 0); + rep = nlmsg_put(skb2, NETLINK_PORTID(skb), + nlh->nlmsg_seq, NLMSG_ERROR, payload, 0); errmsg = nlmsg_data(rep); errmsg->error = ret; - memcpy(&errmsg->msg, nlh, nlh->nlmsg_len); + unsafe_memcpy(&errmsg->msg, nlh, nlh->nlmsg_len, + /* Bounds checked by the skb layer. */); cmdattr = (void *)&errmsg->msg + min_len; ret = NLA_PARSE(cda, IPSET_ATTR_CMD_MAX, cmdattr,
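Review bot: In the @@ -1754 hunk the retry condition now begins `ret == -ERANGE ||`, so the loop repeats for as long as the set type's uadt callback returns -ERANGE, with no iteration bound and, in the lines shown, no point between `ip_set_unlock(set)` and the next pass where the task can yield. Termination depends on every uadt path that returns -ERANGE having first advanced h->next; a callback that returns -ERANGE for any other reason would spin here. Confirm that each set type returns -ERANGE only from its batching branch, and add a reschedule point on the retried path if the unchanged part of the loop body does not already have one.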
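Review bot: The @@ -1775 hunk replaces __nlmsg_put() with nlmsg_put(), which returns NULL when the skb lacks tailroom, yet `rep` is passed straight to nlmsg_data() and `errmsg->error` is written with no check. skb2 is sized with `nlmsg_new(payload, GFP_KERNEL)` just above, so the failure should not occur, but a NULL test that frees skb2 and returns an error would make that assumption explicit. The unsafe_memcpy() justification, "Bounds checked by the skb layer", would be easier to audit if it named that allocation.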
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_gen.h -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_gen.h
Changed
@@ -43,31 +43,8 @@ #define AHASH_MAX_SIZE (6 * AHASH_INIT_SIZE) /* Max muber of elements in the array block when tuned */ #define AHASH_MAX_TUNED 64 - #define AHASH_MAX(h) ((h)->bucketsize) -/* Max number of elements can be tuned */ -#ifdef IP_SET_HASH_WITH_MULTI -static u8 -tune_bucketsize(u8 curr, u32 multi) -{ - u32 n; - - if (multi < curr) - return curr; - - n = curr + AHASH_INIT_SIZE; - /* Currently, at listing one hash bucket must fit into a message. - * Therefore we have a hard limit here. - */ - return n > curr && n <= AHASH_MAX_TUNED ? n : curr; -} -#define TUNE_BUCKETSIZE(h, multi) \ - ((h)->bucketsize = tune_bucketsize((h)->bucketsize, multi)) -#else -#define TUNE_BUCKETSIZE(h, multi) -#endif - /* A hash bucket */ struct hbucket { struct rcu_head rcu; /* for call_rcu_bh */ @@ -131,11 +108,11 @@ { size_t hsize; - /* We must fit both into u32 in jhash and size_t */ + /* We must fit both into u32 in jhash and INT_MAX in kvmalloc_node() */ if (hbits > 31) return 0; hsize = jhash_size(hbits); - if ((((size_t)-1) - sizeof(struct htable)) / sizeof(struct hbucket *) + if ((INT_MAX - sizeof(struct htable)) / sizeof(struct hbucket *) < hsize) return 0; @@ -183,6 +160,17 @@ (SET_WITH_TIMEOUT(set) && \ ip_set_timeout_expired(ext_timeout(d, set))) +#if defined(IP_SET_HASH_WITH_NETMASK) || defined(IP_SET_HASH_WITH_BITMASK) +static const union nf_inet_addr onesmask = { + .all0 = 0xffffffff, + .all1 = 0xffffffff, + .all2 = 0xffffffff, + .all3 = 0xffffffff +}; + +static const union nf_inet_addr zeromask = {}; +#endif + #endif /* _IP_SET_HASH_GEN_H */ #ifndef MTYPE 
@@ -307,8 +295,9 @@ u32 markmask; /* markmask value for mark mask to store */ #endif u8 bucketsize; /* max elements in an array block */ -#ifdef IP_SET_HASH_WITH_NETMASK +#if defined(IP_SET_HASH_WITH_NETMASK) || defined(IP_SET_HASH_WITH_BITMASK) u8 netmask; /* netmask value for subnets to store */ + union nf_inet_addr bitmask; /* stores bitmask */ #endif struct list_head ad; /* Resize add|del backlist */ struct mtype_elem next; /* temporary storage for uadd */ @@ -483,8 +472,8 @@ /* Resizing changes htable_bits, so we ignore it */ return x->maxelem == y->maxelem && a->timeout == b->timeout && -#ifdef IP_SET_HASH_WITH_NETMASK - x->netmask == y->netmask && +#if defined(IP_SET_HASH_WITH_NETMASK) || defined(IP_SET_HASH_WITH_BITMASK) + nf_inet_addr_cmp(&x->bitmask, &y->bitmask) && #endif #ifdef IP_SET_HASH_WITH_MARKMASK x->markmask == y->markmask && @@ -937,7 +926,12 @@ goto set_full; /* Create a new slot */ if (n->pos >= n->size) { - TUNE_BUCKETSIZE(h, multi); +#ifdef IP_SET_HASH_WITH_MULTI + if (h->bucketsize >= AHASH_MAX_TUNED) + goto set_full; + else if (h->bucketsize <= multi) + h->bucketsize += AHASH_INIT_SIZE; +#endif if (n->size >= AHASH_MAX(h)) { /* Trigger rehashing */ mtype_data_next(&h->next, d); 
@@ -1283,9 +1277,21 @@ htonl(jhash_size(htable_bits))) || nla_put_net32(skb, IPSET_ATTR_MAXELEM, htonl(h->maxelem))) goto nla_put_failure; +#ifdef IP_SET_HASH_WITH_BITMASK + /* if netmask is set to anything other than HOST_MASK we know that the user supplied netmask + * and not bitmask. These two are mutually exclusive. */ + if (h->netmask == HOST_MASK && !nf_inet_addr_cmp(&onesmask, &h->bitmask)) { + if (set->family == NFPROTO_IPV4) { + if (nla_put_ipaddr4(skb, IPSET_ATTR_BITMASK, h->bitmask.ip)) + goto nla_put_failure; + } else if (set->family == NFPROTO_IPV6) { + if (nla_put_ipaddr6(skb, IPSET_ATTR_BITMASK, &h->bitmask.in6)) + goto nla_put_failure; + } + } +#endif #ifdef IP_SET_HASH_WITH_NETMASK - if (h->netmask != HOST_MASK && - nla_put_u8(skb, IPSET_ATTR_NETMASK, h->netmask)) + if (h->netmask != HOST_MASK && nla_put_u8(skb, IPSET_ATTR_NETMASK, h->netmask)) goto nla_put_failure; #endif #ifdef IP_SET_HASH_WITH_MARKMASK @@ -1448,8 +1454,10 @@ u32 markmask; #endif u8 hbits; -#ifdef IP_SET_HASH_WITH_NETMASK - u8 netmask; +#if defined(IP_SET_HASH_WITH_NETMASK) || defined(IP_SET_HASH_WITH_BITMASK) + int ret __attribute__((unused)) = 0; + u8 netmask = set->family == NFPROTO_IPV4 ? 32 : 128; + union nf_inet_addr bitmask = onesmask; #endif size_t hsize; struct htype *h; @@ -1487,7 +1495,6 @@ #endif #ifdef IP_SET_HASH_WITH_NETMASK - netmask = set->family == NFPROTO_IPV4 ? 32 : 128; if (tbIPSET_ATTR_NETMASK) { netmask = nla_get_u8(tbIPSET_ATTR_NETMASK); 
@@ -1495,6 +1502,33 @@ (set->family == NFPROTO_IPV6 && netmask > 128) || netmask == 0) return -IPSET_ERR_INVALID_NETMASK; + + /* we convert netmask to bitmask and store it */ + if (set->family == NFPROTO_IPV4) + bitmask.ip = ip_set_netmask(netmask); + else + ip6_netmask(&bitmask, netmask); + } +#endif + +#ifdef IP_SET_HASH_WITH_BITMASK + if (tbIPSET_ATTR_BITMASK) { + /* bitmask and netmask do the same thing, allow only one of these options */ + if (tbIPSET_ATTR_NETMASK) + return -IPSET_ERR_BITMASK_NETMASK_EXCL; + + if (set->family == NFPROTO_IPV4) { + ret = ip_set_get_ipaddr4(tbIPSET_ATTR_BITMASK, &bitmask.ip); + if (ret || !bitmask.ip) + return -IPSET_ERR_INVALID_NETMASK; + } else if (set->family == NFPROTO_IPV6) { + ret = ip_set_get_ipaddr6(tbIPSET_ATTR_BITMASK, &bitmask); + if (ret || ipv6_addr_any(&bitmask.in6)) + return -IPSET_ERR_INVALID_NETMASK; + } + + if (nf_inet_addr_cmp(&bitmask, &zeromask)) + return -IPSET_ERR_INVALID_NETMASK; } #endif @@ -1537,7 +1571,8 @@ for (i = 0; i < ahash_numof_locks(hbits); i++) spin_lock_init(&t->hregioni.lock); h->maxelem = maxelem; -#ifdef IP_SET_HASH_WITH_NETMASK +#if defined(IP_SET_HASH_WITH_NETMASK) || defined(IP_SET_HASH_WITH_BITMASK) + h->bitmask = bitmask; h->netmask = netmask; #endif #ifdef IP_SET_HASH_WITH_MARKMASK
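Review bot: The final `nf_inet_addr_cmp(&bitmask, &zeromask)` test in the @@ -1495 hunk cannot fire for IPv4: bitmask starts as onesmask (@@ -1448 hunk) and ip_set_get_ipaddr4() only writes bitmask.ip, so the upper three words stay 0xffffffff. For IPv6 it repeats the ipv6_addr_any() check made just before it. The per-family checks already reject an all-zero mask, so the extra comparison can be dropped. Separately, a dedicated error code would report a bad bitmask more clearly than reusing -IPSET_ERR_INVALID_NETMASK.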
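Review bot: In the @@ -937 hunk, `if (h->bucketsize >= AHASH_MAX_TUNED) goto set_full;` runs before the `n->size >= AHASH_MAX(h)` test, so once bucketsize has reached the tuned maximum, any bucket whose array is full is reported as set-full even when n->size is still below the limit and the bucket could grow. If that is intended, a comment saying so would help; otherwise test n->size as well before jumping. The `else` after the goto is also redundant.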
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ip.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ip.c
Changed
@@ -25,7 +25,8 @@ /* 2 Comments support */ /* 3 Forceadd support */ /* 4 skbinfo support */ -#define IPSET_TYPE_REV_MAX 5 /* bucketsize, initval support */ +/* 5 bucketsize, initval support */ +#define IPSET_TYPE_REV_MAX 6 /* bitmask support */ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@netfilter.org>"); @@ -35,6 +36,7 @@ /* Type specific function prefix */ #define HTYPE hash_ip #define IP_SET_HASH_WITH_NETMASK +#define IP_SET_HASH_WITH_BITMASK /* IPv4 variant */ @@ -87,7 +89,7 @@ __be32 ip; ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &ip); - ip &= ip_set_netmask(h->netmask); + ip &= h->bitmask.ip; if (ip == 0) return -EINVAL; @@ -99,11 +101,11 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_ip4 *h = set->data; + struct hash_ip4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_ip4_elem e = { 0 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip = 0, ip_to = 0, hosts; + u32 ip = 0, ip_to = 0, hosts, i = 0; int ret = 0; if (tbIPSET_ATTR_LINENO) @@ -120,7 +122,7 @@ if (ret) return ret; - ip &= ip_set_hostmask(h->netmask); + ip &= ntohl(h->bitmask.ip); e.ip = htonl(ip); if (e.ip == 0) return -IPSET_ERR_HASH_ELEM; @@ -148,22 +150,20 @@ hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1); - /* 64bit division is not allowed on 32bit */ - if (((u64)ip_to - ip + 1) >> (32 - h->netmask) > IPSET_MAX_RANGE) - return -ERANGE; - - if (retried) { + if (retried) ip = ntohl(h->next.ip); + for (; ip <= ip_to; i++) { e.ip = htonl(ip); - } - for (; ip <= ip_to;) { + if (i > IPSET_MAX_RANGE) { + hash_ip4_data_next(&h->next, &e); + return -ERANGE; + } ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags)) return ret; ip += hosts; - e.ip = htonl(ip); - if (e.ip == 0) + if (ip == 0) return 0; ret = 0; 
@@ -188,12 +188,6 @@ return ipv6_addr_equal(&ip1->ip.in6, &ip2->ip.in6); } -static void -hash_ip6_netmask(union nf_inet_addr *ip, u8 prefix) -{ - ip6_netmask(ip, prefix); -} - static bool hash_ip6_data_list(struct sk_buff *skb, const struct hash_ip6_elem *e) { @@ -230,7 +224,7 @@ struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6); - hash_ip6_netmask(&e.ip, h->netmask); + nf_inet_addr_mask_inplace(&e.ip, &h->bitmask); if (ipv6_addr_any(&e.ip.in6)) return -EINVAL; @@ -269,7 +263,7 @@ if (ret) return ret; - hash_ip6_netmask(&e.ip, h->netmask); + nf_inet_addr_mask_inplace(&e.ip, &h->bitmask); if (ipv6_addr_any(&e.ip.in6)) return -IPSET_ERR_HASH_ELEM; @@ -296,6 +290,7 @@ IPSET_ATTR_RESIZE = { .type = NLA_U8 }, IPSET_ATTR_TIMEOUT = { .type = NLA_U32 }, IPSET_ATTR_NETMASK = { .type = NLA_U8 }, + IPSET_ATTR_BITMASK = { .type = NLA_NESTED }, IPSET_ATTR_CADT_FLAGS = { .type = NLA_U32 }, }, .adt_policy = {
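Review bot: In the @@ -148 hunk only the starting address is masked with h->bitmask (`ip &= ntohl(h->bitmask.ip)` in the @@ -120 hunk); inside the range loop each element is stored as `e.ip = htonl(ip)` and the step is still derived from h->netmask, which stays at the host value when the set was created with a bitmask. For a non-contiguous bitmask, a range add can therefore insert addresses that a masked lookup in the kadt path may never match. Either mask e.ip inside the loop or reject ranges on bitmask sets, and add a test for that combination.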
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipmark.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipmark.c
Changed
@@ -99,11 +99,11 @@ hash_ipmark4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_ipmark4 *h = set->data; + struct hash_ipmark4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_ipmark4_elem e = { }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip, ip_to = 0; + u32 ip, ip_to = 0, i = 0; int ret; if (tbIPSET_ATTR_LINENO) @@ -150,13 +150,14 @@ ip_set_mask_from_to(ip, ip_to, cidr); } - if (((u64)ip_to - ip + 1) > IPSET_MAX_RANGE) - return -ERANGE; - if (retried) ip = ntohl(h->next.ip); - for (; ip <= ip_to; ip++) { + for (; ip <= ip_to; ip++, i++) { e.ip = htonl(ip); + if (i > IPSET_MAX_RANGE) { + hash_ipmark4_data_next(&h->next, &e); + return -ERANGE; + } ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags))
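Review bot: The batching check in the @@ -150 hunk is `if (i > IPSET_MAX_RANGE)` with i starting at 0 and incremented at the end of each iteration, so a pass handles IPSET_MAX_RANGE + 1 elements before returning -ERANGE, whereas hash_net and hash_netiface on this page increment i before the test and stop after IPSET_MAX_RANGE. The difference is harmless but makes the limit harder to reason about; use the same increment order in every set type.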
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipport.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipport.c
Changed
@@ -27,7 +27,8 @@ /* 3 Comments support added */ /* 4 Forceadd support added */ /* 5 skbinfo support added */ -#define IPSET_TYPE_REV_MAX 6 /* bucketsize, initval support added */ +/* 6 bucketsize, initval support added */ +#define IPSET_TYPE_REV_MAX 7 /* bitmask support added */ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@netfilter.org>"); @@ -36,6 +37,8 @@ /* Type specific function prefix */ #define HTYPE hash_ipport +#define IP_SET_HASH_WITH_NETMASK +#define IP_SET_HASH_WITH_BITMASK /* IPv4 variant */ @@ -93,12 +96,16 @@ ipset_adtfn adtfn = set->variant->adtadt; struct hash_ipport4_elem e = { .ip = 0 }; struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); + const struct MTYPE *h = set->data; if (!ip_set_get_ip4_port(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.port, &e.proto)) return -EINVAL; ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip); + e.ip &= h->bitmask.ip; + if (e.ip == 0) + return -EINVAL; return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); } @@ -106,11 +113,11 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_ipport4 *h = set->data; + struct hash_ipport4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_ipport4_elem e = { .ip = 0 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip, ip_to = 0, p = 0, port, port_to; + u32 ip, ip_to = 0, p = 0, port, port_to, i = 0; bool with_ports = false; int ret; @@ -130,6 +137,10 @@ if (ret) return ret; + e.ip &= h->bitmask.ip; + if (e.ip == 0) + return -EINVAL; + e.port = nla_get_be16(tbIPSET_ATTR_PORT); if (tbIPSET_ATTR_PROTO) { 
@@ -174,17 +185,18 @@ swap(port, port_to); } - if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE) - return -ERANGE; - if (retried) ip = ntohl(h->next.ip); for (; ip <= ip_to; ip++) { p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port) : port; - for (; p <= port_to; p++) { + for (; p <= port_to; p++, i++) { e.ip = htonl(ip); e.port = htons(p); + if (i > IPSET_MAX_RANGE) { + hash_ipport4_data_next(&h->next, &e); + return -ERANGE; + } ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags)) @@ -254,12 +266,17 @@ ipset_adtfn adtfn = set->variant->adtadt; struct hash_ipport6_elem e = { .ip = { .all = { 0 } } }; struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); + const struct MTYPE *h = set->data; if (!ip_set_get_ip6_port(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.port, &e.proto)) return -EINVAL; ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6); + nf_inet_addr_mask_inplace(&e.ip, &h->bitmask); + if (ipv6_addr_any(&e.ip.in6)) + return -EINVAL; + return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); } @@ -299,6 +316,10 @@ if (ret) return ret; + nf_inet_addr_mask_inplace(&e.ip, &h->bitmask); + if (ipv6_addr_any(&e.ip.in6)) + return -EINVAL; + e.port = nla_get_be16(tbIPSET_ATTR_PORT); if (tbIPSET_ATTR_PROTO) { @@ -357,6 +378,8 @@ IPSET_ATTR_PROTO = { .type = NLA_U8 }, IPSET_ATTR_TIMEOUT = { .type = NLA_U32 }, IPSET_ATTR_CADT_FLAGS = { .type = NLA_U32 }, + IPSET_ATTR_NETMASK = { .type = NLA_U8 }, + IPSET_ATTR_BITMASK = { .type = NLA_NESTED }, }, .adt_policy = { IPSET_ATTR_IP = { .type = NLA_NESTED },
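Review bot: The uadt paths in the @@ -130 and @@ -299 hunks return -EINVAL when the masked address is zero, while the hash_ip uadt paths on this page return -IPSET_ERR_HASH_ELEM for the same condition. Returning -IPSET_ERR_HASH_ELEM here as well would keep the netlink error consistent across set types; -EINVAL is the right choice only in the kadt (packet) paths.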
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipportip.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipportip.c
Changed
@@ -109,11 +109,11 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_ipportip4 *h = set->data; + struct hash_ipportip4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_ipportip4_elem e = { .ip = 0 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip, ip_to = 0, p = 0, port, port_to; + u32 ip, ip_to = 0, p = 0, port, port_to, i = 0; bool with_ports = false; int ret; @@ -181,17 +181,18 @@ swap(port, port_to); } - if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE) - return -ERANGE; - if (retried) ip = ntohl(h->next.ip); for (; ip <= ip_to; ip++) { p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port) : port; - for (; p <= port_to; p++) { + for (; p <= port_to; p++, i++) { e.ip = htonl(ip); e.port = htons(p); + if (i > IPSET_MAX_RANGE) { + hash_ipportip4_data_next(&h->next, &e); + return -ERANGE; + } ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags))
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipportnet.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_ipportnet.c
Changed
@@ -161,12 +161,12 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_ipportnet4 *h = set->data; + struct hash_ipportnet4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_ipportnet4_elem e = { .cidr = HOST_MASK - 1 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); u32 ip = 0, ip_to = 0, p = 0, port, port_to; - u32 ip2_from = 0, ip2_to = 0, ip2; + u32 ip2_from = 0, ip2_to = 0, ip2, i = 0; bool with_ports = false; u8 cidr; int ret; @@ -254,9 +254,6 @@ swap(port, port_to); } - if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE) - return -ERANGE; - ip2_to = ip2_from; if (tbIPSET_ATTR_IP2_TO) { ret = ip_set_get_hostipaddr4(tbIPSET_ATTR_IP2_TO, &ip2_to); @@ -283,9 +280,15 @@ for (; p <= port_to; p++) { e.port = htons(p); do { + i++; e.ip2 = htonl(ip2); ip2 = ip_set_range_to_cidr(ip2, ip2_to, &cidr); e.cidr = cidr - 1; + if (i > IPSET_MAX_RANGE) { + hash_ipportnet4_data_next(&h->next, + &e); + return -ERANGE; + } ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags))
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_net.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_net.c
Changed
@@ -137,11 +137,11 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_net4 *h = set->data; + struct hash_net4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_net4_elem e = { .cidr = HOST_MASK }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip = 0, ip_to = 0, ipn, n = 0; + u32 ip = 0, ip_to = 0, i = 0; int ret; if (tbIPSET_ATTR_LINENO) @@ -189,19 +189,16 @@ if (ip + UINT_MAX == ip_to) return -IPSET_ERR_HASH_RANGE; } - ipn = ip; - do { - ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr); - n++; - } while (ipn++ < ip_to); - - if (n > IPSET_MAX_RANGE) - return -ERANGE; if (retried) ip = ntohl(h->next.ip); do { + i++; e.ip = htonl(ip); + if (i > IPSET_MAX_RANGE) { + hash_net4_data_next(&h->next, &e); + return -ERANGE; + } ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr); ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags))
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netiface.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netiface.c
Changed
@@ -203,7 +203,7 @@ ipset_adtfn adtfn = set->variant->adtadt; struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 ip = 0, ip_to = 0, ipn, n = 0; + u32 ip = 0, ip_to = 0, i = 0; int ret; if (tbIPSET_ATTR_LINENO) @@ -257,19 +257,16 @@ } else { ip_set_mask_from_to(ip, ip_to, e.cidr); } - ipn = ip; - do { - ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr); - n++; - } while (ipn++ < ip_to); - - if (n > IPSET_MAX_RANGE) - return -ERANGE; if (retried) ip = ntohl(h->next.ip); do { + i++; e.ip = htonl(ip); + if (i > IPSET_MAX_RANGE) { + hash_netiface4_data_next(&h->next, &e); + return -ERANGE; + } ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr); ret = adtfn(set, &e, &ext, &ext, flags);
View file
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netnet.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netnet.c
Changed
@@ -23,7 +23,8 @@ #define IPSET_TYPE_REV_MIN 0 /* 1 Forceadd support added */ /* 2 skbinfo support added */ -#define IPSET_TYPE_REV_MAX 3 /* bucketsize, initval support added */ +/* 3 bucketsize, initval support added */ +#define IPSET_TYPE_REV_MAX 4 /* bitmask support added */ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>"); @@ -33,6 +34,8 @@ /* Type specific function prefix */ #define HTYPE hash_netnet #define IP_SET_HASH_WITH_NETS +#define IP_SET_HASH_WITH_NETMASK +#define IP_SET_HASH_WITH_BITMASK #define IPSET_NET_COUNT 2 /* IPv4 variants */ @@ -153,8 +156,8 @@ ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip0); ip4addrptr(skb, opt->flags & IPSET_DIM_TWO_SRC, &e.ip1); - e.ip0 &= ip_set_netmask(e.cidr0); - e.ip1 &= ip_set_netmask(e.cidr1); + e.ip0 &= (ip_set_netmask(e.cidr0) & h->bitmask.ip); + e.ip1 &= (ip_set_netmask(e.cidr1) & h->bitmask.ip); return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); } @@ -163,13 +166,12 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_netnet4 *h = set->data; + struct hash_netnet4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_netnet4_elem e = { }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); u32 ip = 0, ip_to = 0; - u32 ip2 = 0, ip2_from = 0, ip2_to = 0, ipn; - u64 n = 0, m = 0; + u32 ip2 = 0, ip2_from = 0, ip2_to = 0, i = 0; int ret; if (tbIPSET_ATTR_LINENO) @@ -213,8 +215,8 @@ if (adt == IPSET_TEST || !(tbIPSET_ATTR_IP_TO || tbIPSET_ATTR_IP2_TO)) { - e.ip0 = htonl(ip & ip_set_hostmask(e.cidr0)); - e.ip1 = htonl(ip2_from & ip_set_hostmask(e.cidr1)); + e.ip0 = htonl(ip & ntohl(h->bitmask.ip) & ip_set_hostmask(e.cidr0)); + e.ip1 = htonl(ip2_from & ntohl(h->bitmask.ip) & ip_set_hostmask(e.cidr1)); ret = adtfn(set, &e, &ext, &ext, flags); return ip_set_enomatch(ret, flags, adt, set) ? -ret : ip_set_eexist(ret, flags) ? 0 : ret; 
@@ -245,19 +247,6 @@ } else { ip_set_mask_from_to(ip2_from, ip2_to, e.cidr1); } - ipn = ip; - do { - ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr0); - n++; - } while (ipn++ < ip_to); - ipn = ip2_from; - do { - ipn = ip_set_range_to_cidr(ipn, ip2_to, &e.cidr1); - m++; - } while (ipn++ < ip2_to); - - if (n*m > IPSET_MAX_RANGE) - return -ERANGE; if (retried) { ip = ntohl(h->next.ip0); @@ -270,7 +259,12 @@ e.ip0 = htonl(ip); ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr0); do { + i++; e.ip1 = htonl(ip2); + if (i > IPSET_MAX_RANGE) { + hash_netnet4_data_next(&h->next, &e); + return -ERANGE; + } ip2 = ip_set_range_to_cidr(ip2, ip2_to, &e.cidr1); ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags)) @@ -404,6 +398,11 @@ ip6_netmask(&e.ip0, e.cidr0); ip6_netmask(&e.ip1, e.cidr1); + nf_inet_addr_mask_inplace(&e.ip0, &h->bitmask); + nf_inet_addr_mask_inplace(&e.ip1, &h->bitmask); + if (e.cidr0 == HOST_MASK && ipv6_addr_any(&e.ip0.in6)) + return -EINVAL; + return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); } @@ -414,6 +413,7 @@ ipset_adtfn adtfn = set->variant->adtadt; struct hash_netnet6_elem e = { }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); + const struct hash_netnet6 *h = set->data; int ret; if (tbIPSET_ATTR_LINENO) @@ -453,6 +453,11 @@ ip6_netmask(&e.ip0, e.cidr0); ip6_netmask(&e.ip1, e.cidr1); + nf_inet_addr_mask_inplace(&e.ip0, &h->bitmask); + nf_inet_addr_mask_inplace(&e.ip1, &h->bitmask); + if (e.cidr0 == HOST_MASK && ipv6_addr_any(&e.ip0.in6)) + return -IPSET_ERR_HASH_ELEM; + if (tbIPSET_ATTR_CADT_FLAGS) { u32 cadt_flags = ip_set_get_h32(tbIPSET_ATTR_CADT_FLAGS); @@ -484,6 +489,8 @@ IPSET_ATTR_RESIZE = { .type = NLA_U8 }, IPSET_ATTR_TIMEOUT = { .type = NLA_U32 }, IPSET_ATTR_CADT_FLAGS = { .type = NLA_U32 }, + IPSET_ATTR_NETMASK = { .type = NLA_U8 }, + IPSET_ATTR_BITMASK = { .type = NLA_NESTED }, }, .adt_policy = { IPSET_ATTR_IP = { .type = NLA_NESTED },
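Review bot: In both IPv6 hunks of ip_set_hash_netnet.c, the zero-address test added after nf_inet_addr_mask_inplace() covers only the first dimension (`e.cidr0 == HOST_MASK && ipv6_addr_any(&e.ip0.in6)`), although e.ip1 is masked with the same h->bitmask and can collapse to all zeroes in the same way. If a zero second address is also invalid, add the matching test on e.cidr1 and e.ip1; if it is allowed, say so in a comment. The two paths also return different errors for the same condition (-EINVAL where adtfn is called with opt->cmdflags, -IPSET_ERR_HASH_ELEM in the netlink path), and the IPv4 hunks apply h->bitmask.ip with no equivalent check at all, which deserves a one-line explanation.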
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netport.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netport.c
Changed
@@ -155,12 +155,11 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_netport4 *h = set->data; + struct hash_netport4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_netport4_elem e = { .cidr = HOST_MASK - 1 }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); - u32 port, port_to, p = 0, ip = 0, ip_to = 0, ipn; - u64 n = 0; + u32 port, port_to, p = 0, ip = 0, ip_to = 0, i = 0; bool with_ports = false; u8 cidr; int ret; @@ -237,14 +236,6 @@ } else { ip_set_mask_from_to(ip, ip_to, e.cidr + 1); } - ipn = ip; - do { - ipn = ip_set_range_to_cidr(ipn, ip_to, &cidr); - n++; - } while (ipn++ < ip_to); - - if (n*(port_to - port + 1) > IPSET_MAX_RANGE) - return -ERANGE; if (retried) { ip = ntohl(h->next.ip); @@ -256,8 +247,12 @@ e.ip = htonl(ip); ip = ip_set_range_to_cidr(ip, ip_to, &cidr); e.cidr = cidr - 1; - for (; p <= port_to; p++) { + for (; p <= port_to; p++, i++) { e.port = htons(p); + if (i > IPSET_MAX_RANGE) { + hash_netport4_data_next(&h->next, &e); + return -ERANGE; + } ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags)) return ret;
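Review bot: The new limit in the port loop of hash_netport4_uadt is off by one compared with the other set types changed in this revision: with `for (; p <= port_to; p++, i++)`, i starts at 0 and is incremented only after an element has been handled, so `if (i > IPSET_MAX_RANGE)` lets IPSET_MAX_RANGE + 1 elements through, whereas hash_netnet4_uadt and hash_netportnet4_uadt do `i++` before the test and stop after IPSET_MAX_RANGE. Pick one convention for all three. The removed pre-check rejected an oversized range before anything was added, while the new code returns -ERANGE after part of the range is already in the set, so a comment should state that the result is partial and that the hash_netport4_data_next(&h->next, &e) call before the return is what lets a retry resume.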
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netportnet.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/netfilter/ipset/ip_set_hash_netportnet.c
Changed
@@ -174,17 +174,26 @@ return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); } +static u32 +hash_netportnet4_range_to_cidr(u32 from, u32 to, u8 *cidr) +{ + if (from == 0 && to == UINT_MAX) { + *cidr = 0; + return to; + } + return ip_set_range_to_cidr(from, to, cidr); +} + static int hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb, enum ipset_adt adt, u32 *lineno, u32 flags, bool retried) { - const struct hash_netportnet4 *h = set->data; + struct hash_netportnet4 *h = set->data; ipset_adtfn adtfn = set->variant->adtadt; struct hash_netportnet4_elem e = { }; struct ip_set_ext ext = IP_SET_INIT_UEXT(set); u32 ip = 0, ip_to = 0, p = 0, port, port_to; - u32 ip2_from = 0, ip2_to = 0, ip2, ipn; - u64 n = 0, m = 0; + u32 ip2_from = 0, ip2_to = 0, ip2, i = 0; bool with_ports = false; int ret; @@ -286,19 +295,6 @@ } else { ip_set_mask_from_to(ip2_from, ip2_to, e.cidr1); } - ipn = ip; - do { - ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr0); - n++; - } while (ipn++ < ip_to); - ipn = ip2_from; - do { - ipn = ip_set_range_to_cidr(ipn, ip2_to, &e.cidr1); - m++; - } while (ipn++ < ip2_to); - - if (n*m*(port_to - port + 1) > IPSET_MAX_RANGE) - return -ERANGE; if (retried) { ip = ntohl(h->next.ip0); @@ -311,13 +307,19 @@ do { e.ip0 = htonl(ip); - ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr0); + ip = hash_netportnet4_range_to_cidr(ip, ip_to, &e.cidr0); for (; p <= port_to; p++) { e.port = htons(p); do { + i++; e.ip1 = htonl(ip2); - ip2 = ip_set_range_to_cidr(ip2, ip2_to, - &e.cidr1); + if (i > IPSET_MAX_RANGE) { + hash_netportnet4_data_next(&h->next, + &e); + return -ERANGE; + } + ip2 = hash_netportnet4_range_to_cidr(ip2, + ip2_to, &e.cidr1); ret = adtfn(set, &e, &ext, &ext, flags); if (ret && !ip_set_eexist(ret, flags)) return ret;
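Review bot: The new helper hash_netportnet4_range_to_cidr() needs a comment explaining why the full range (`from == 0 && to == UINT_MAX`) is special-cased to cidr 0 instead of being passed to ip_set_range_to_cidr(); nothing in the hunk says what goes wrong in that case. For a u32 argument the kernel spelling U32_MAX would read better than UINT_MAX. Only this set type gets the wrapper, while hash_netnet4_uadt runs the same ip_set_range_to_cidr() loops and still calls it directly, so state whether the full range cannot reach that code.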
_service:tar_scm:ipset-7.15.tar.bz2/kernel/net/sched/em_ipset.c -> _service:tar_scm:ipset-7.17.tar.bz2/kernel/net/sched/em_ipset.c
Changed
@@ -1,11 +1,8 @@ +// SPDX-License-Identifier: GPL-2.0-only /* * net/sched/em_ipset.c ipset ematch * * Copyright (c) 2012 Florian Westphal <fw@strlen.de> - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * version 2 as published by the Free Software Foundation. */ #include <linux/gfp.h> @@ -87,7 +84,7 @@ #else #define ACPAR_FAMILY(f) acpar.family = f #endif - switch (tc_skb_protocol(skb)) { + switch (skb_protocol(skb, true)) { case htons(ETH_P_IP): ACPAR_FAMILY(NFPROTO_IPV4); if (!pskb_network_may_pull(skb, sizeof(struct iphdr)))
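Review bot: The switch statement in em_ipset.c now calls `skb_protocol(skb, true)` with an unexplained boolean; add a short comment saying what `true` selects. The hunk removes tc_skb_protocol() without any fallback, so please confirm that the compatibility layer of this out-of-tree copy provides skb_protocol() on kernels that only have the old helper, in the same way the surrounding ACPAR_FAMILY macro is already guarded by #else.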
_service:tar_scm:ipset-7.15.tar.bz2/lib/Makefile.in -> _service:tar_scm:ipset-7.17.tar.bz2/lib/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -504,7 +504,7 @@ top_srcdir = @top_srcdir@ # curr:rev:age -LIBVERSION = 16:0:3 +LIBVERSION = 17:0:4 AM_CPPFLAGS = $(kinclude_CFLAGS) $(all_includes) -I$(top_srcdir)/include AM_CFLAGS = -std=gnu99 $(am__append_1) $(am__append_2) \ ${libmnl_CFLAGS} $(am__append_3) @@ -869,7 +869,8 @@ done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-am -install-exec: install-exec-am +install-exec: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data: install-data-am uninstall: uninstall-am @@ -1000,7 +1001,7 @@ uninstall-man: uninstall-man3 -.MAKE: all check install install-am install-strip +.MAKE: all check install install-am install-exec install-strip .PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ clean-generic clean-libLTLIBRARIES clean-libtool cscopelist-am \
_service:tar_scm:ipset-7.15.tar.bz2/lib/args.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/args.c
Changed
@@ -300,6 +300,14 @@ .print = ipset_print_hexnumber, .help = "initval VALUE", }, + IPSET_ARG_BITMASK = { + .name = { "bitmask", NULL }, + .has_arg = IPSET_MANDATORY_ARG, + .opt = IPSET_OPT_BITMASK, + .parse = ipset_parse_bitmask, + .print = ipset_print_ip, + .help = "bitmask bitmask", + }, }; const struct ipset_arg *
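Review bot: The help string of the new IPSET_ARG_BITMASK entry, `.help = "bitmask bitmask"`, repeats the keyword where the neighbouring entry uses an upper-case placeholder ("initval VALUE"). A placeholder such as MASK would match that style, and the man page text added in this revision already calls the argument mask.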
_service:tar_scm:ipset-7.15.tar.bz2/lib/data.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/data.c
Changed
@@ -53,6 +53,7 @@ uint8_t bucketsize; uint8_t resize; uint8_t netmask; + union nf_inet_addr bitmask; uint32_t hashsize; uint32_t maxelem; uint32_t markmask; @@ -301,6 +302,12 @@ case IPSET_OPT_NETMASK: data->create.netmask = *(const uint8_t *) value; break; + case IPSET_OPT_BITMASK: + if (!(data->family == NFPROTO_IPV4 || + data->family == NFPROTO_IPV6)) + return -1; + copy_addr(data->family, &data->create.bitmask, value); + break; case IPSET_OPT_BUCKETSIZE: data->create.bucketsize = *(const uint8_t *) value; break; @@ -508,6 +515,8 @@ return &data->create.markmask; case IPSET_OPT_NETMASK: return &data->create.netmask; + case IPSET_OPT_BITMASK: + return &data->create.bitmask; case IPSET_OPT_BUCKETSIZE: return &data->create.bucketsize; case IPSET_OPT_RESIZE: @@ -594,6 +603,7 @@ case IPSET_OPT_IP_TO: case IPSET_OPT_IP2: case IPSET_OPT_IP2_TO: + case IPSET_OPT_BITMASK: return family == NFPROTO_IPV4 ? sizeof(uint32_t) : sizeof(struct in6_addr); case IPSET_OPT_MARK:
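Review bot: In the new IPSET_OPT_BITMASK case of the setter in lib/data.c, any family other than NFPROTO_IPV4 or NFPROTO_IPV6 ends in a bare `return -1`, with nothing telling the caller that the family has to be stored before the bitmask. ipset_parse_bitmask() sets the family first, so the command-line path is covered, but a library user calling the setter directly only sees a generic failure. Document the ordering requirement next to the case, and note that copy_addr() then relies on data->family for the copy length.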
_service:tar_scm:ipset-7.15.tar.bz2/lib/debug.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/debug.c
Changed
@@ -40,6 +40,7 @@ IPSET_ATTR_MAXELEM = { .name = "MAXELEM" }, IPSET_ATTR_MARKMASK = { .name = "MARKMASK" }, IPSET_ATTR_NETMASK = { .name = "NETMASK" }, + IPSET_ATTR_BITMASK = { .name = "BITMASK" }, IPSET_ATTR_BUCKETSIZE = { .name = "BUCKETSIZE" }, IPSET_ATTR_RESIZE = { .name = "RESIZE" }, IPSET_ATTR_SIZE = { .name = "SIZE" },
_service:tar_scm:ipset-7.15.tar.bz2/lib/errcode.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/errcode.c
Changed
@@ -44,6 +44,8 @@ "The value of the markmask parameter is invalid" }, { IPSET_ERR_INVALID_FAMILY, 0, "Protocol family not supported by the set type" }, + { IPSET_ERR_BITMASK_NETMASK_EXCL, 0, + "netmask and bitmask options are mutually exclusive, provide only one" }, /* DESTROY specific error codes */ { IPSET_ERR_BUSY, IPSET_CMD_DESTROY,
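Review bot: The message added for IPSET_ERR_BITMASK_NETMASK_EXCL ("netmask and bitmask options are mutually exclusive, provide only one") is worded differently from the string lib/parse.c uses for the same condition in this revision ("bitmask and netmask are mutually exclusive, provide only one"). Use one wording so that users and scripts matching on the text see the same message whichever layer rejects the combination.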
_service:tar_scm:ipset-7.15.tar.bz2/lib/ipset.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/ipset.c
Changed
@@ -30,6 +30,7 @@ #include <libipset/ipset.h> /* prototypes */ #include <libipset/ip_set_compiler.h> /* compiler attributes */ #include <libipset/list_sort.h> /* lists */ +#include <libipset/xlate.h> /* ipset_xlate_argv */ static char program_name = PACKAGE; static char program_version = PACKAGE_VERSION; @@ -936,10 +937,10 @@ IPSET_TEST = "test SETNAME", }; -static const struct ipset_xlate_set * +static struct ipset_xlate_set * ipset_xlate_set_get(struct ipset *ipset, const char *name) { - const struct ipset_xlate_set *set; + struct ipset_xlate_set *set; list_for_each_entry(set, &ipset->xlate_sets, list) { if (!strcmp(set->name, name)) @@ -949,18 +950,6 @@ return NULL; } -static const struct ipset_type *ipset_xlate_type_get(struct ipset *ipset, - const char *name) -{ - const struct ipset_xlate_set *set; - - set = ipset_xlate_set_get(ipset, name); - if (!set) - return NULL; - - return set->type; -} - static int ipset_parser(struct ipset *ipset, int oargc, char *oargv) { @@ -970,7 +959,7 @@ char *arg0 = NULL, *arg1 = NULL; const struct ipset_envopts *opt; const struct ipset_commands *command; - const struct ipset_type *type; + const struct ipset_type *type = NULL; struct ipset_session *session = ipset->session; void *p = ipset_session_printf_private(session); int argc = oargc; @@ -1139,6 +1128,7 @@ if (arg0) { const struct ipset_arg *arg; int k; + enum ipset_adt c; /* Type-specific help, without kernel checking */ type = type_find(arg0); 
@@ -1148,11 +1138,11 @@ "Unknown settype: `%s'", arg0); printf("\n%s type specific options:\n\n", type->name); for (i = 0; cmd_help_orderi != IPSET_CADT_MAX; i++) { - cmd = cmd_help_orderi; + c = cmd_help_orderi; printf("%s %s %s\n", - cmd_prefixcmd, type->name, type->cmdcmd.help); - for (k = 0; type->cmdcmd.argsk != IPSET_ARG_NONE; k++) { - arg = ipset_keyword(type->cmdcmd.argsk); + cmd_prefixc, type->name, type->cmdc.help); + for (k = 0; type->cmdc.argsk != IPSET_ARG_NONE; k++) { + arg = ipset_keyword(type->cmdc.argsk); if (!arg->help || arg->help0 == '\0') continue; printf(" %s\n", arg->help); @@ -1282,8 +1272,16 @@ if (!ipset->xlate) { type = ipset_type_get(session, cmd); } else { - type = ipset_xlate_type_get(ipset, arg0); - ipset_session_data_set(session, IPSET_OPT_TYPE, type); + const struct ipset_xlate_set *xlate_set; + + xlate_set = ipset_xlate_set_get(ipset, arg0); + if (xlate_set) { + ipset_session_data_set(session, IPSET_OPT_TYPE, + xlate_set->type); + ipset_session_data_set(session, IPSET_OPT_FAMILY, + &xlate_set->family); + type = xlate_set->type; + } } if (type == NULL) return ipset->standard_error(ipset, p); @@ -1552,7 +1550,7 @@ } /* Ignore the set family, use inet. */ -static const char *ipset_xlate_family(uint8_t family) +static const char *ipset_xlate_family(uint8_t family UNUSED) { return "inet"; } @@ -1709,6 +1707,10 @@ else if (family == AF_INET6) return "ipv6_addr"; break; + case IPSET_XLATE_TYPE_UNKNOWN: + break; + default: + break; } /* This should not ever happen. */ return "unknown"; @@ -1733,7 +1735,6 @@ char buf64; bool concat; char *term; - int i; session = ipset_session(ipset); data = ipset_session_data(session); @@ -1847,7 +1848,7 @@ return -1; case IPSET_CMD_LIST: if (!set) { - printf("list sets %s\n", + printf("list sets %s %s\n", ipset_xlate_family(family), table); } else { printf("list set %s %s %s\n", 
@@ -1906,6 +1907,8 @@ } if (ipset_data_test(data, IPSET_OPT_ETHER)) { ipset_print_ether(buf, sizeof(buf), data, IPSET_OPT_ETHER, 0); + size_t i; + for (i = 0; i < strlen(buf); i++) bufi = tolower(bufi); @@ -1968,7 +1971,6 @@ struct ipset_session *session = ipset_session(ipset); struct ipset_data *data = ipset_session_data(session); void *p = ipset_session_printf_private(session); - const char *filename; enum ipset_cmd cmd; FILE *f = stdin; int ret = 0; @@ -1977,7 +1979,7 @@ if (ipset->filename) { f = fopen(ipset->filename, "r"); if (!f) { - fprintf(stderr, "cannot open file `%s'\n", filename); + fprintf(stderr, "cannot open file `%s'\n", ipset->filename); return -1; } } @@ -2011,7 +2013,7 @@ ipset_data_reset(data); } - if (filename) + if (ipset->filename) fclose(f); return ret;
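Review bot: In the translate branch of ipset_parser (the hunk at -1282), both new ipset_session_data_set() calls discard their return value, so a failure to store IPSET_OPT_TYPE or IPSET_OPT_FAMILY still leaves `type = xlate_set->type` set and parsing continues on incomplete session data; check the results and take the existing `ipset->standard_error(ipset, p)` path on failure. ipset_xlate_set_get() also loses its const return type although the only caller visible here stores the result in a `const struct ipset_xlate_set *`, so the reason belongs in the commit message. In the IPSET_OPT_ETHER hunk, `size_t i;` is declared after a statement and tolower() receives a plain char; declare the index at the top of the block and cast the argument to unsigned char.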
_service:tar_scm:ipset-7.15.tar.bz2/lib/ipset_hash_ip.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/ipset_hash_ip.c
Changed
@@ -477,6 +477,91 @@ .description = "bucketsize, initval support", }; +/* bitmask support */ +static struct ipset_type ipset_hash_ip6 = { + .name = "hash:ip", + .alias = { "iphash", NULL }, + .revision = 6, + .family = NFPROTO_IPSET_IPV46, + .dimension = IPSET_DIM_ONE, + .elem = { + IPSET_DIM_ONE - 1 = { + .parse = ipset_parse_ip4_single6, + .print = ipset_print_ip, + .opt = IPSET_OPT_IP + }, + }, + .cmd = { + IPSET_CREATE = { + .args = { + IPSET_ARG_FAMILY, + /* Aliases */ + IPSET_ARG_INET, + IPSET_ARG_INET6, + IPSET_ARG_HASHSIZE, + IPSET_ARG_MAXELEM, + IPSET_ARG_NETMASK, + IPSET_ARG_BITMASK, + IPSET_ARG_TIMEOUT, + IPSET_ARG_COUNTERS, + IPSET_ARG_COMMENT, + IPSET_ARG_FORCEADD, + IPSET_ARG_SKBINFO, + IPSET_ARG_BUCKETSIZE, + IPSET_ARG_INITVAL, + /* Ignored options: backward compatibilty */ + IPSET_ARG_PROBES, + IPSET_ARG_RESIZE, + IPSET_ARG_GC, + IPSET_ARG_NONE, + }, + .need = 0, + .full = 0, + .help = "", + }, + IPSET_ADD = { + .args = { + IPSET_ARG_TIMEOUT, + IPSET_ARG_PACKETS, + IPSET_ARG_BYTES, + IPSET_ARG_ADT_COMMENT, + IPSET_ARG_SKBMARK, + IPSET_ARG_SKBPRIO, + IPSET_ARG_SKBQUEUE, + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO), + .help = "IP", + }, + IPSET_DEL = { + .args = { + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO), + .help = "IP", + }, + IPSET_TEST = { + .args = { + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO), + .help = "IP", + }, + }, + .usage = "where depending on the INET family\n" + " IP is a valid IPv4 or IPv6 address (or hostname),\n" + " CIDR is a valid IPv4 or IPv6 CIDR prefix.\n" + " Adding/deleting multiple elements in IP/CIDR or FROM-TO form\n" + " is supported for IPv4.", + .description = "bitmask support", +}; + void _init(void); void _init(void) { 
@@ -486,4 +571,5 @@ ipset_type_add(&ipset_hash_ip3); ipset_type_add(&ipset_hash_ip4); ipset_type_add(&ipset_hash_ip5); + ipset_type_add(&ipset_hash_ip6); }
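Review bot: In the new ipset_hash_ip6 definition, the IPSET_TEST entry lists IPSET_OPT_IP_TO in `.full` even though its help text is just "IP" and the usage string limits FROM-TO forms to adding and deleting; the hash:ip,port revision 7 added in this same revision leaves IP_TO out of its TEST entry. If testing a range is not meant to be accepted, drop the flag here rather than carrying it into another revision. The block also copies the comment typo "compatibilty" (`/* Ignored options: backward compatibilty */`), which is worth fixing while a new copy is being created.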
_service:tar_scm:ipset-7.15.tar.bz2/lib/ipset_hash_ipport.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/ipset_hash_ipport.c
Changed
@@ -604,6 +604,113 @@ .description = "bucketsize, initval support", }; +/* bitmask support */ +static struct ipset_type ipset_hash_ipport7 = { + .name = "hash:ip,port", + .alias = { "ipporthash", NULL }, + .revision = 7, + .family = NFPROTO_IPSET_IPV46, + .dimension = IPSET_DIM_TWO, + .elem = { + IPSET_DIM_ONE - 1 = { + .parse = ipset_parse_ip4_single6, + .print = ipset_print_ip, + .opt = IPSET_OPT_IP + }, + IPSET_DIM_TWO - 1 = { + .parse = ipset_parse_proto_port, + .print = ipset_print_proto_port, + .opt = IPSET_OPT_PORT + }, + }, + .cmd = { + IPSET_CREATE = { + .args = { + IPSET_ARG_FAMILY, + /* Aliases */ + IPSET_ARG_INET, + IPSET_ARG_INET6, + IPSET_ARG_HASHSIZE, + IPSET_ARG_MAXELEM, + IPSET_ARG_TIMEOUT, + IPSET_ARG_COUNTERS, + IPSET_ARG_COMMENT, + IPSET_ARG_FORCEADD, + IPSET_ARG_SKBINFO, + IPSET_ARG_BUCKETSIZE, + IPSET_ARG_INITVAL, + IPSET_ARG_NETMASK, + IPSET_ARG_BITMASK, + /* Ignored options: backward compatibilty */ + IPSET_ARG_PROBES, + IPSET_ARG_RESIZE, + IPSET_ARG_IGNORED_FROM, + IPSET_ARG_IGNORED_TO, + IPSET_ARG_IGNORED_NETWORK, + IPSET_ARG_NONE, + }, + .need = 0, + .full = 0, + .help = "", + }, + IPSET_ADD = { + .args = { + IPSET_ARG_TIMEOUT, + IPSET_ARG_PACKETS, + IPSET_ARG_BYTES, + IPSET_ARG_ADT_COMMENT, + IPSET_ARG_SKBMARK, + IPSET_ARG_SKBPRIO, + IPSET_ARG_SKBQUEUE, + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT_TO), + .help = "IP,PROTO:PORT", + }, + IPSET_DEL = { + .args = { + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP_TO) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT) + | IPSET_FLAG(IPSET_OPT_PORT_TO), + .help = "IP,PROTO:PORT", + }, + IPSET_TEST = { + .args = { + 
IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_PROTO) + | IPSET_FLAG(IPSET_OPT_PORT), + .help = "IP,PROTO:PORT", + }, + }, + .usage = "where depending on the INET family\n" + " IP is a valid IPv4 or IPv6 address (or hostname).\n" + " Adding/deleting multiple elements in IP/CIDR or FROM-TO form\n" + " is supported for IPv4.\n" + " Adding/deleting multiple elements with TCP/SCTP/UDP/UDPLITE\n" + " port range is supported both for IPv4 and IPv6.", + .usagefn = ipset_port_usage, + .description = "netmask and bitmask support", +}; + void _init(void); void _init(void) { @@ -613,4 +720,5 @@ ipset_type_add(&ipset_hash_ipport4); ipset_type_add(&ipset_hash_ipport5); ipset_type_add(&ipset_hash_ipport6); + ipset_type_add(&ipset_hash_ipport7); }
_service:tar_scm:ipset-7.15.tar.bz2/lib/ipset_hash_netnet.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/ipset_hash_netnet.c
Changed
@@ -387,6 +387,106 @@ .description = "bucketsize, initval support", }; +/* bitmask support */ +static struct ipset_type ipset_hash_netnet4 = { + .name = "hash:net,net", + .alias = { "netnethash", NULL }, + .revision = 4, + .family = NFPROTO_IPSET_IPV46, + .dimension = IPSET_DIM_TWO, + .elem = { + IPSET_DIM_ONE - 1 = { + .parse = ipset_parse_ip4_net6, + .print = ipset_print_ip, + .opt = IPSET_OPT_IP + }, + IPSET_DIM_TWO - 1 = { + .parse = ipset_parse_ip4_net6, + .print = ipset_print_ip, + .opt = IPSET_OPT_IP2 + }, + }, + .cmd = { + IPSET_CREATE = { + .args = { + IPSET_ARG_FAMILY, + /* Aliases */ + IPSET_ARG_INET, + IPSET_ARG_INET6, + IPSET_ARG_HASHSIZE, + IPSET_ARG_MAXELEM, + IPSET_ARG_TIMEOUT, + IPSET_ARG_COUNTERS, + IPSET_ARG_COMMENT, + IPSET_ARG_FORCEADD, + IPSET_ARG_SKBINFO, + IPSET_ARG_BUCKETSIZE, + IPSET_ARG_INITVAL, + IPSET_ARG_BITMASK, + IPSET_ARG_NETMASK, + IPSET_ARG_NONE, + }, + .need = 0, + .full = 0, + .help = "", + }, + IPSET_ADD = { + .args = { + IPSET_ARG_TIMEOUT, + IPSET_ARG_NOMATCH, + IPSET_ARG_PACKETS, + IPSET_ARG_BYTES, + IPSET_ARG_ADT_COMMENT, + IPSET_ARG_SKBMARK, + IPSET_ARG_SKBPRIO, + IPSET_ARG_SKBQUEUE, + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP2), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_CIDR) + | IPSET_FLAG(IPSET_OPT_IP_TO) + | IPSET_FLAG(IPSET_OPT_IP2) + | IPSET_FLAG(IPSET_OPT_CIDR2) + | IPSET_FLAG(IPSET_OPT_IP2_TO), + .help = "IP/CIDR|FROM-TO,IP/CIDR|FROM-TO", + }, + IPSET_DEL = { + .args = { + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP2), + .full = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_CIDR) + | IPSET_FLAG(IPSET_OPT_IP_TO) + | IPSET_FLAG(IPSET_OPT_IP2) + | IPSET_FLAG(IPSET_OPT_CIDR2) + | IPSET_FLAG(IPSET_OPT_IP2_TO), + .help = "IP/CIDR|FROM-TO,IP/CIDR|FROM-TO", + }, + IPSET_TEST = { + .args = { + IPSET_ARG_NOMATCH, + IPSET_ARG_NONE, + }, + .need = IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_IP2), + .full = 
IPSET_FLAG(IPSET_OPT_IP) + | IPSET_FLAG(IPSET_OPT_CIDR) + | IPSET_FLAG(IPSET_OPT_IP2) + | IPSET_FLAG(IPSET_OPT_CIDR2), + .help = "IP/CIDR,IP/CIDR", + }, + }, + .usage = "where depending on the INET family\n" + " IP is an IPv4 or IPv6 address (or hostname),\n" + " CIDR is a valid IPv4 or IPv6 CIDR prefix.\n" + " IP range is not supported with IPv6.", + .description = "netmask and bitmask support", +}; + void _init(void); void _init(void) { @@ -394,4 +494,5 @@ ipset_type_add(&ipset_hash_netnet1); ipset_type_add(&ipset_hash_netnet2); ipset_type_add(&ipset_hash_netnet3); + ipset_type_add(&ipset_hash_netnet4); }
_service:tar_scm:ipset-7.15.tar.bz2/lib/libipset.map -> _service:tar_scm:ipset-7.17.tar.bz2/lib/libipset.map
Changed
@@ -213,3 +213,7 @@ ipset_xlate_argv; } LIBIPSET_4.10; +LIBIPSET_4.12 { +global: + ipset_parse_bitmask; +} LIBIPSET_4.10;
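Review bot: The new LIBIPSET_4.12 node is declared with LIBIPSET_4.10 as its parent, the same parent as the node just above it that exports ipset_xlate_argv, instead of inheriting from that node. If the version nodes in libipset.map are meant to form a chain in which each release depends on the previous one, 4.12 should name the preceding node; if the branch from 4.10 is deliberate, a comment in the map file should say why.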
_service:tar_scm:ipset-7.15.tar.bz2/lib/parse.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/parse.c
Changed
@@ -280,7 +280,8 @@ parse_portname(struct ipset_session *session, const char *str, uint16_t *port, const char *proto) { - char *saved, *tmp, *protoname; + char *saved, *tmp; + const char *protoname; const struct protoent *protoent; struct servent *service; uint8_t protonum = 0; @@ -292,7 +293,7 @@ if (tmp == NULL) goto error; - protoname = (char *)proto; + protoname = proto; if (string_to_u8(session, proto, &protonum, IPSET_WARNING) == 0) { protoent = getprotobynumber(protonum); if (protoent == NULL) @@ -1703,6 +1704,9 @@ assert(str); data = ipset_session_data(session); + if (ipset_data_test(data, IPSET_OPT_BITMASK)) + return syntax_err("bitmask and netmask are mutually exclusive, provide only one"); + family = ipset_data_family(data); if (family == NFPROTO_UNSPEC) { family = NFPROTO_IPV4; 
@@ -1722,6 +1726,46 @@ } /** + * ipset_parse_bitmask - parse string as a bitmask + * @session: session structure + * @opt: option kind of the data + * @str: string to parse + * + * Parse string as a bitmask value, depending on family type. + * If family is not set yet, INET is assumed. + * The value is stored in the data blob of the session. + * + * Returns 0 on success or a negative error code. + */ +int +ipset_parse_bitmask(struct ipset_session *session, + enum ipset_opt opt, const char *str) +{ + uint8_t family; + struct ipset_data *data; + + assert(session); + assert(opt == IPSET_OPT_BITMASK); + assert(str); + + data = ipset_session_data(session); + if (ipset_data_test(data, IPSET_OPT_NETMASK)) + return syntax_err("bitmask and netmask are mutually exclusive, provide only one"); + + family = ipset_data_family(data); + if (family == NFPROTO_UNSPEC) { + family = NFPROTO_IPV4; + ipset_data_set(data, IPSET_OPT_FAMILY, &family); + } + + if (parse_ipaddr(session, opt, str, family)) + return syntax_err("bitmask is not valid for family = %s", + family == NFPROTO_IPV4 ? "inet" : "inet6"); + + return 0; +} + +/** * ipset_parse_flag - "parse" option flags * @session: session structure * @opt: option kind of the data
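Review bot: ipset_parse_bitmask() forces the family to NFPROTO_IPV4 when none has been set yet ("If family is not set yet, INET is assumed"), so an IPv6 mask that is parsed before the family option is rejected with "bitmask is not valid for family = inet" and the family stays stored as inet; either document that family must come before bitmask or defer the family decision until the whole command line is known. The function also accepts whatever parse_ipaddr() accepts, and the hunk shows no rejection of an all-zero mask, which would reduce every element to the zero address that the man page says cannot be stored. Say where that case is caught, or catch it here.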
_service:tar_scm:ipset-7.15.tar.bz2/lib/print.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/print.c
Changed
@@ -265,7 +265,7 @@ assert(buf); assert(len > 0); assert(data); - assert(opt == IPSET_OPT_IP || opt == IPSET_OPT_IP2); + assert(opt == IPSET_OPT_IP || opt == IPSET_OPT_IP2 || opt == IPSET_OPT_BITMASK); D("len: %u", len); family = ipset_data_family(data); @@ -976,6 +976,7 @@ size = ipset_print_elem(buf, len, data, opt, env); break; case IPSET_OPT_IP: + case IPSET_OPT_BITMASK: size = ipset_print_ip(buf, len, data, opt, env); break; case IPSET_OPT_PORT:
_service:tar_scm:ipset-7.15.tar.bz2/lib/session.c -> _service:tar_scm:ipset-7.17.tar.bz2/lib/session.c
Changed
@@ -462,6 +462,10 @@ .type = MNL_TYPE_U32, .opt = IPSET_OPT_MEMSIZE, }, + IPSET_ATTR_BITMASK = { + .type = MNL_TYPE_NESTED, + .opt = IPSET_OPT_BITMASK, + }, }; static const struct ipset_attr_policy adt_attrs = { @@ -1721,6 +1725,10 @@ if (attr->type == MNL_TYPE_NESTED) { /* IP addresses */ struct nlattr *nested; + + if (type == IPSET_ATTR_BITMASK) + family = ipset_data_family(session->data); + int atype = family == NFPROTO_IPV4 ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6;
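Review bot: In the nested-attribute branch of lib/session.c, the added `if (type == IPSET_ATTR_BITMASK) family = ipset_data_family(session->data);` sits between the declaration of `nested` and the declaration of `int atype`, which mixes a statement into the declaration block. Declare atype first and assign it after the family has been chosen, and add a comment explaining why the bitmask attribute has to take its family from the session data instead of the value already held in `family`.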
_service:tar_scm:ipset-7.15.tar.bz2/m4/libtool.m4 -> _service:tar_scm:ipset-7.17.tar.bz2/m4/libtool.m4
Changed
@@ -1041,8 +1041,8 @@ _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD - echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD - $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD + echo "$AR cr libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD + $AR cr libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD cat > conftest.c << _LT_EOF @@ -1071,11 +1071,11 @@ # to the OS version, if on x86, and 10.4, the deployment # target defaults to 10.4. Don't you love it? case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in - 10.0,*86*-darwin8*|10.0,*-darwin91*) + 10.0,*86*-darwin8*|10.0,*-darwin912*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; 10.012,.*) _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; - 10.*) + 10.*|11.*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; esac ;; @@ -1492,7 +1492,7 @@ m4_defun(_LT_PROG_AR, AC_CHECK_TOOLS(AR, ar, false) : ${AR=ar} -: ${AR_FLAGS=cru} +: ${AR_FLAGS=cr} _LT_DECL(, AR, 1, The archiver) _LT_DECL(, AR_FLAGS, 1, Flags to create an archive) @@ -4704,6 +4704,12 @@ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*)
_service:tar_scm:ipset-7.15.tar.bz2/src/Makefile.in -> _service:tar_scm:ipset-7.17.tar.bz2/src/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -484,7 +484,7 @@ top_srcdir = @top_srcdir@ # curr:rev:age -LIBVERSION = 16:0:3 +LIBVERSION = 17:0:4 AM_CPPFLAGS = $(kinclude_CFLAGS) $(all_includes) -I$(top_srcdir)/include AM_CFLAGS = -std=gnu99 $(am__append_1) $(am__append_2) SPARSE = sparse
_service:tar_scm:ipset-7.15.tar.bz2/src/ipset-translate.8 -> _service:tar_scm:ipset-7.17.tar.bz2/src/ipset-translate.8
Changed
@@ -33,7 +33,7 @@ The only available command is: .IP \bu 2 -ipset-translate restores < file.ipt +ipset-translate restore < file.ipt .SH USAGE The \fBipset-translate\fP tool reads an IP sets file in the syntax produced by
_service:tar_scm:ipset-7.15.tar.bz2/src/ipset.8 -> _service:tar_scm:ipset-7.17.tar.bz2/src/ipset.8
Changed
@@ -524,7 +524,7 @@ network addresses. Zero valued IP address cannot be stored in a \fBhash:ip\fR type of set. .PP -\fICREATE\-OPTIONS\fR := \fBfamily\fR { \fBinet\fR | \fBinet6\fR } \fBhashsize\fR \fIvalue\fR \fBmaxelem\fR \fIvalue\fR \fBbucketsize\fR \fIvalue\fR \fBnetmask\fP \fIcidr\fP \fBtimeout\fR \fIvalue\fR \fBcounters\fP \fBcomment\fP \fBskbinfo\fP +\fICREATE\-OPTIONS\fR := \fBfamily\fR { \fBinet\fR | \fBinet6\fR } \fBhashsize\fR \fIvalue\fR \fBmaxelem\fR \fIvalue\fR \fBbucketsize\fR \fIvalue\fR \fBnetmask\fP \fIcidr\fP \fBbitmask\fP \fImask\fP \fBtimeout\fR \fIvalue\fR \fBcounters\fP \fBcomment\fP \fBskbinfo\fP .PP \fIADD\-ENTRY\fR := \fIipaddr\fR .PP @@ -549,6 +549,9 @@ ipset add foo 192.168.1.0/24 .IP ipset test foo 192.168.1.2 +.TP +\fBbitmask\fP \fImask\fP +This works similar to \fBnetmask\fP but it will accept any valid IPv4/v6 address. It does not have to be a valid netmask. .SS hash:mac The \fBhash:mac\fR set type uses a hash to store MAC addresses. Zero valued MAC addresses cannot be stored in a \fBhash:mac\fR type of set. For matches on destination MAC addresses, see COMMENTS below. @@ -648,7 +651,7 @@ first parameter existed with a suitable second parameter. Network address with zero prefix size cannot be stored in this type of set. .PP -\fICREATE\-OPTIONS\fR := \fBfamily\fR { \fBinet\fR | \fBinet6\fR } \fBhashsize\fR \fIvalue\fR \fBmaxelem\fR \fIvalue\fR \fBbucketsize\fR \fIvalue\fR \fBtimeout\fR \fIvalue\fR \fBcounters\fP \fBcomment\fP \fBskbinfo\fP +\fICREATE\-OPTIONS\fR := \fBfamily\fR { \fBinet\fR | \fBinet6\fR } \fBhashsize\fR \fIvalue\fR \fBmaxelem\fR \fIvalue\fR \fBbucketsize\fR \fIvalue\fR \fBnetmask\fP \fIcidr\fP \fBbitmask\fP \fImask\fP \fBtimeout\fR \fIvalue\fR \fBcounters\fP \fBcomment\fP \fBskbinfo\fP .PP \fIADD\-ENTRY\fR := \fInetaddr\fR,\fInetaddr\fR .PP 
@@ -680,6 +683,18 @@ further increases this as the list of secondary prefixes is traversed per primary prefix. .PP +Optional \fBcreate\fR options: +.TP +\fBnetmask\fP \fIcidr\fP +When the optional \fBnetmask\fP parameter specified, network addresses will be +stored in the set instead of IP host addresses. The \fIcidr\fP prefix value must be +between 1\-32 for IPv4 and between 1\-128 for IPv6. An IP address will be in the set +if the network address, which is resulted by masking the address with the netmask, +can be found in the set. +.TP +\fBbitmask\fP \fImask\fP +This works similar to \fBnetmask\fP but it will accept any valid IPv4/v6 address. It does not have to be a valid netmask. +.PP Example: .IP ipset create foo hash:net,net @@ -701,7 +716,7 @@ The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. .PP -\fICREATE\-OPTIONS\fR := \fBfamily\fR { \fBinet\fR | \fBinet6\fR } \fBhashsize\fR \fIvalue\fR \fBmaxelem\fR \fIvalue\fR \fBbucketsize\fR \fIvalue\fR \fBtimeout\fR \fIvalue\fR \fBcounters\fP \fBcomment\fP \fBskbinfo\fP +\fICREATE\-OPTIONS\fR := \fBfamily\fR { \fBinet\fR | \fBinet6\fR } \fBhashsize\fR \fIvalue\fR \fBmaxelem\fR \fIvalue\fR \fBbucketsize\fR \fIvalue\fR \fBnetmask\fP \fIcidr\fP \fBbitmask\fP \fImask\fP \fBtimeout\fR \fIvalue\fR \fBcounters\fP \fBcomment\fP \fBskbinfo\fP .PP \fIADD\-ENTRY\fR := \fIipaddr\fR,\fIproto\fR:\fIport\fR .PP 
@@ -741,6 +756,18 @@ two \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR target kernel modules. .PP +Optional \fBcreate\fR options: +.TP +\fBnetmask\fP \fIcidr\fP +When the optional \fBnetmask\fP parameter specified, network addresses will be +stored in the set instead of IP host addresses. The \fIcidr\fP prefix value must be +between 1\-32 for IPv4 and between 1\-128 for IPv6. An IP address will be in the set +if the network address, which is resulted by masking the address with the netmask, +can be found in the set. +.TP +\fBbitmask\fP \fImask\fP +This works similar to \fBnetmask\fP but it will accept any valid IPv4/v6 address. It does not have to be a valid netmask. +.PP Examples: .IP ipset create foo hash:ip,port
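Review bot: None of the three bitmask entries added to ipset.8 says that netmask and bitmask are mutually exclusive, although lib/parse.c and lib/errcode.c in this same revision reject the combination; add that sentence to each entry. In the hash:ip section the new .TP entry is placed after the example commands instead of next to the netmask option it refers to, and the added text needs a grammar pass ("When the optional netmask parameter specified", "which is resulted by masking", "works similar to").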
View file
_service:tar_scm:ipset-7.15.tar.bz2/src/ipset.c -> _service:tar_scm:ipset-7.17.tar.bz2/src/ipset.c
Changed
@@ -6,6 +6,7 @@ * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. */ +#define _GNU_SOURCE #include <assert.h> /* assert */ #include <stdio.h> /* fprintf */ #include <stdlib.h> /* exit */ @@ -31,7 +32,7 @@ exit(1); } - if (!strcmp(argv0, "ipset-translate")) { + if (!strcmp(basename(argv0), "ipset-translate")) { ret = ipset_xlate_argv(ipset, argc, argv); } else { ret = ipset_parse_argv(ipset, argc, argv);
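Review bot: The `#define _GNU_SOURCE` added at the top has no comment explaining that it is there for the `basename(argv0)` call in the second hunk. With glibc the GNU `basename()` is declared in `<string.h>` under `_GNU_SOURCE` and does not modify its argument, whereas the POSIX version from `<libgen.h>` may modify it. Please add a short comment next to the define and confirm that this file includes `<string.h>` and not `<libgen.h>`, since the visible include lines show neither and `argv0` is passed straight in.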
View file
_service:tar_scm:ipset-7.15.tar.bz2/tests/comment.t -> _service:tar_scm:ipset-7.17.tar.bz2/tests/comment.t
Changed
@@ -113,7 +113,7 @@ # Hash comment: Stress test with comments and timeout 0 ./netnetgen.sh comment timeout | ipset restore # Hash comment: List set and check the number of elements -0 n=`ipset -L test|grep '^10.'|wc -l` && test $n -eq 87040 +0 n=`ipset save test|grep 'add test 10.'|wc -l` && test $n -eq 87040 # Hash comment: Destroy test set 0 ipset destroy test # Hash comment: create set with timeout
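Review bot: The new count check `grep 'add test 10.'` is neither anchored nor escaped, so the `.` matches any character and the pattern can match anywhere in a saved line, including inside a comment string. The old pattern was anchored with `^`. Suggest `grep '^add test 10\.'` so the count of 87040 only reflects member lines of the `test` set.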
View file
_service:tar_scm:ipset-7.15.tar.bz2/tests/hash:ip,port.t -> _service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip,port.t
Changed
@@ -170,4 +170,122 @@ 0 ./check_extensions test 2.0.0.20 700 13 12479 # Counters and timeout: destroy set 0 ipset x test +# Network: Create a set with timeout and netmask +0 ipset -N test hash:ip,port --hashsize 128 --netmask 24 timeout 4 +# Network: Add zero valued element +1 ipset -A test 0.0.0.0,80 +# Network: Test zero valued element +1 ipset -T test 0.0.0.0,80 +# Network: Delete zero valued element +1 ipset -D test 0.0.0.0,80 +# Network: Add first random network +0 ipset -A test 2.0.0.1,8080 +# Network: Add second random network +0 ipset -A test 192.168.68.69,22 +# Network: Test first random value +0 ipset -T test 2.0.0.255,8080 +# Network: Test second random value +0 ipset -T test 192.168.68.95,22 +# Network: Test value not added to the set +1 ipset -T test 2.0.1.0,8080 +# Network: Add third element +0 ipset -A test 200.100.10.1,22 timeout 0 +# Network: Add third random network +0 ipset -A test 200.100.0.12,22 +# Network: Delete the same network +0 ipset -D test 200.100.0.12,22 +# Network: List set +0 ipset -L test > .foo0 && ./sort.sh .foo0 +# Network: Check listing +0 ./diff.sh .foo hash:ip,port.t.list3 +# Sleep 5s so that elements can time out +0 sleep 5 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:ip,port.t.list4 +# Network: Flush test set +0 ipset -F test +# Network: add element with 1s timeout +0 ipset add test 200.100.0.12,80 timeout 1 +# Network: readd element with 3s timeout +0 ipset add test 200.100.0.12,80 timeout 3 -exist +# Network: sleep 2s +0 sleep 2s +# Network: check readded element +0 ipset test test 200.100.0.12,80 +# Network: Delete test set +0 ipset -X test +# Network: Create a set with timeout and bitmask +0 ipset -N test hash:ip,port --hashsize 128 --bitmask 255.255.255.0 timeout 4 +# Network: Add zero valued element +1 ipset -A test 0.0.0.0,80 +# Network: Test zero valued element +1 ipset -T test 0.0.0.0,80 +# Network: Delete zero valued element +1 ipset -D test 0.0.0.0,80 +# Network: 
Add first random network +0 ipset -A test 2.0.0.1,8080 +# Network: Add second random network +0 ipset -A test 192.168.68.69,22 +# Network: Test first random value +0 ipset -T test 2.0.0.255,8080 +# Network: Test second random value +0 ipset -T test 192.168.68.95,22 +# Network: Test value not added to the set +1 ipset -T test 2.0.1.0,8080 +# Network: Add third element +0 ipset -A test 200.100.10.1,22 timeout 0 +# Network: Add third random network +0 ipset -A test 200.100.0.12,22 +# Network: Delete the same network +0 ipset -D test 200.100.0.12,22 +# Network: List set +0 ipset -L test > .foo0 && ./sort.sh .foo0 +# Network: Check listing +0 ./diff.sh .foo hash:ip,port.t.list5 +# Sleep 5s so that elements can time out +0 sleep 5 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:ip,port.t.list6 +# Network: Flush test set +0 ipset -F test +# Network: add element with 1s timeout +0 ipset add test 200.100.0.12,80 timeout 1 +# Network: readd element with 3s timeout +0 ipset add test 200.100.0.12,80 timeout 3 -exist +# Network: sleep 2s +0 sleep 2s +# Network: check readded element +0 ipset test test 200.100.0.12,80 +# Network: Delete test set +0 ipset -X test +# Network: Create a set with bitmask which is not a valid netmask +0 ipset -N test hash:ip,port --hashsize 128 --bitmask 255.255.0.255 +# Network: Add zero valued element +1 ipset -A test 0.0.0.0 +# Network: Test zero valued element +1 ipset -T test 0.0.0.0 +# Network: Delete zero valued element +1 ipset -D test 0.0.0.0 +# Network: Add first random network +0 ipset -A test 1.2.3.4,22 +# Network: Add second random network +0 ipset -A test 1.168.122.124,22 +# Network: Test first random value +0 ipset -T test 1.2.9.4,22 +# Network: Test second random value +0 ipset -T test 1.168.68.124,22 +# Network: Test value not added to the set +1 ipset -T test 2.0.1.0,23 +# Network: Test delete value +0 ipset -D test 1.168.0.124,22 +# Network: List set +0 ipset -L test > .foo +# Network: 
Check listing +0 ./diff.sh .foo hash:ip,port.t.list7 +# Network: Delete test set +0 ipset -X test # eof
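Review bot: In the last block ("bitmask which is not a valid netmask") the three zero valued checks use `ipset -A test 0.0.0.0`, `-T test 0.0.0.0` and `-D test 0.0.0.0` without a port, while the set is hash:ip,port and the two earlier blocks use `0.0.0.0,80`. The expected exit code 1 can then come from the missing port field rather than from the zero address, so the check does not exercise what its comment claims. Suggest using `0.0.0.0,80` here as well. The netmask and bitmask blocks are otherwise line-for-line copies, so a short comment noting that this is intentional would help future edits keep them in step.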
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip,port.t.list3
Added
@@ -0,0 +1,11 @@ +Name: test +Type: hash:ip,port +Revision: 7 +Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0xf49ba001 netmask 24 +Size in memory: 408 +References: 0 +Number of entries: 3 +Members: +192.168.68.0,tcp:22 timeout 3 +2.0.0.0,tcp:8080 timeout 3 +200.100.10.0,tcp:22 timeout 0
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip,port.t.list4
Added
@@ -0,0 +1,9 @@ +Name: test +Type: hash:ip,port +Revision: 7 +Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0x18b2277a netmask 24 +Size in memory: 408 +References: 0 +Number of entries: 1 +Members: +200.100.10.0,tcp:22 timeout 0
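Review bot: The Header line in this fixture has `initval 0x18b2277a`, while hash:ip,port.t.list3 has `initval 0xf49ba001`, although the test lists the same set twice without recreating it in between. The two fixtures were therefore captured from different runs, and the comparison only works if diff.sh ignores `initval`. Please confirm that it does (and likewise for "Size in memory"), or normalise the value in the fixtures so they do not suggest a fixed seed.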
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip,port.t.list5
Added
@@ -0,0 +1,11 @@ +Name: test +Type: hash:ip,port +Revision: 7 +Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0x6a0e903a bitmask 255.255.255.0 +Size in memory: 408 +References: 0 +Number of entries: 3 +Members: +192.168.68.0,tcp:22 timeout 3 +2.0.0.0,tcp:8080 timeout 3 +200.100.10.0,tcp:22 timeout 0
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip,port.t.list6
Added
@@ -0,0 +1,9 @@ +Name: test +Type: hash:ip,port +Revision: 7 +Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0x2fcffdca bitmask 255.255.255.0 +Size in memory: 408 +References: 0 +Number of entries: 1 +Members: +200.100.10.0,tcp:22 timeout 0
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip,port.t.list7
Added
@@ -0,0 +1,9 @@ +Name: test +Type: hash:ip,port +Revision: 7 +Header: family inet hashsize 128 maxelem 65536 bucketsize 12 initval 0x98bdfa72 bitmask 255.255.0.255 +Size in memory: 312 +References: 0 +Number of entries: 1 +Members: +1.2.0.4,tcp:22
View file
_service:tar_scm:ipset-7.15.tar.bz2/tests/hash:ip.t -> _service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip.t
Changed
@@ -72,7 +72,7 @@ 0 n=`ipset list test|grep '^10.0'|wc -l` && test $n -eq 1024 # IP: Destroy sets 0 ipset -X -# Network: Create a set with timeout +# Network: Create a set with timeout and netmask 0 ipset -N test iphash --hashsize 128 --netmask 24 timeout 4 # Network: Add zero valued element 1 ipset -A test 0.0.0.0 @@ -136,6 +136,12 @@ 0 ipset del test 10.0.0.1-10.0.0.10 # Range: Check number of elements 0 n=`ipset save test|wc -l` && test $n -eq 1 +# Range: Flush set +0 ipset flush test +# Range: Add elements in multiple internal batches +0 ipset add test 10.1.0.0-10.1.64.255 +# Range: Check number of elements +0 n=`ipset save test|grep '^add test 10.1' | wc -l` && test $n -eq 16640 # Range: Delete test set 0 ipset destroy test # Timeout: Check that resizing keeps timeout values 
@@ -210,4 +216,78 @@ 0 ./check_extensions test 10.255.255.64 600 6 $((6*40)) # Counters and timeout: destroy set 0 ipset x test +# Network: Create a set with timeout and bitmask +0 ipset -N test iphash --hashsize 128 --bitmask 255.255.255.0 timeout 4 +# Network: Add zero valued element +1 ipset -A test 0.0.0.0 +# Network: Test zero valued element +1 ipset -T test 0.0.0.0 +# Network: Delete zero valued element +1 ipset -D test 0.0.0.0 +# Network: Add first random network +0 ipset -A test 2.0.0.1 +# Network: Add second random network +0 ipset -A test 192.168.68.69 +# Network: Test first random value +0 ipset -T test 2.0.0.255 +# Network: Test second random value +0 ipset -T test 192.168.68.95 +# Network: Test value not added to the set +1 ipset -T test 2.0.1.0 +# Network: Add third element +0 ipset -A test 200.100.10.1 timeout 0 +# Network: Add third random network +0 ipset -A test 200.100.0.12 +# Network: Delete the same network +0 ipset -D test 200.100.0.12 +# Network: List set +0 ipset -L test > .foo0 && ./sort.sh .foo0 +# Network: Check listing +0 ./diff.sh .foo hash:ip.t.list4 +# Sleep 5s so that elements can time out +0 sleep 5 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:ip.t.list5 +# Network: Flush test set +0 ipset -F test +# Network: add element with 1s timeout +0 ipset add test 200.100.0.12 timeout 1 +# Network: readd element with 3s timeout +0 ipset add test 200.100.0.12 timeout 3 -exist +# Network: sleep 2s +0 sleep 2s +# Network: check readded element +0 ipset test test 200.100.0.12 +# Network: Delete test set +0 ipset -X test +# Network: Create a set with both bitmask and netmask +1 ipset -N test iphash --hashsize 128 --bitmask 255.255.0.255 --netmask 24 +# Network: Create a set with bitmask which is not a valid netmask +0 ipset -N test iphash --hashsize 128 --bitmask 255.255.0.255 +# Network: Add zero valued element +1 ipset -A test 0.0.0.0 +# Network: Test zero valued element +1 ipset -T test 0.0.0.0 
+# Network: Delete zero valued element +1 ipset -D test 0.0.0.0 +# Network: Add first random network +0 ipset -A test 1.2.3.4 +# Network: Add second random network +0 ipset -A test 1.2.4.5 +# Network: Test first random value +0 ipset -T test 1.2.9.4 +# Network: Test second random value +0 ipset -T test 1.2.9.5 +# Network: Test value not added to the set +1 ipset -T test 2.0.1.0 +# Network: Test delete value +0 ipset -D test 1.2.0.5 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:ip.t.list6 +# Network: Delete test set +0 ipset -X test # eof
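Review bot: The re-add check in the bitmask block leaves only a one second margin: the element is re-added with `timeout 3 -exist`, then `sleep 2s`, then `ipset test test 200.100.0.12` must still succeed. On a loaded build host this can flake. Consider a larger timeout for the re-add or a shorter sleep. `sleep 2s` also relies on the suffix form while the same block uses plain `sleep 5`; using `sleep 2` keeps the file consistent. In the range hunk, the pattern `'^add test 10.1'` has unescaped dots; `'^add test 10\.1\.'` would match only the intended 16640 addresses.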
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip.t.list4
Added
@@ -0,0 +1,11 @@ +Name: test +Type: hash:ip +Revision: 5 +Header: family inet hashsize 128 maxelem 65536 bitmask 255.255.255.0 timeout 4 bucketsize 12 initval 0xfe970e91 +Size in memory: 528 +References: 0 +Number of entries: 3 +Members: +192.168.68.0 timeout 3 +2.0.0.0 timeout 3 +200.100.10.0 timeout 0
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip.t.list5
Added
@@ -0,0 +1,9 @@ +Name: test +Type: hash:ip +Revision: 5 +Header: family inet hashsize 128 maxelem 65536 bitmask 255.255.255.0 timeout 4 bucketsize 12 initval 0xbc66e38a +Size in memory: 528 +References: 0 +Number of entries: 1 +Members: +200.100.10.0 timeout 0
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:ip.t.list6
Added
@@ -0,0 +1,9 @@ +Name: test +Type: hash:ip +Revision: 6 +Header: family inet hashsize 128 maxelem 65536 bitmask 255.255.0.255 bucketsize 12 initval 0xd7d821e1 +Size in memory: 296 +References: 0 +Number of entries: 1 +Members: +1.2.0.4
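Review bot: This fixture records `Revision: 6` for type hash:ip, while hash:ip.t.list4 and hash:ip.t.list5 added in the same revision record `Revision: 5` for the same type. Either the fixtures were captured against different module revisions or the comparison script drops the Revision line. Please make the three files agree, or document that diff.sh ignores Revision.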
View file
_service:tar_scm:ipset-7.15.tar.bz2/tests/hash:net,iface.t -> _service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,iface.t
Changed
@@ -132,6 +132,10 @@ 0 (set -e; for x in `seq 0 63`; do ipset add test 10.0.0.0/16,eth$x; done) # Check listing 0 n=`ipset list test | grep -v Revision: | wc -l` && test $n -eq 71 +# Flush test set +0 ipset flush test +# Try to add more than 64 clashing entries +1 (set -e; for x in `seq 0 64`; do ipset add test 10.0.0.0/16,eth$x; done) # Delete test set 0 ipset destroy test # Check all possible CIDR values
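Review bot: The new negative test `1 (set -e; for x in `seq 0 64`; do ipset add test 10.0.0.0/16,eth$x; done)` only asserts that the loop fails somewhere, not that the failure happens on the 65th entry. A failure on the first add would also pass. Suggest following it with a count check on the set (the preceding lines already do this for the 64 entry case) so the test proves that exactly 64 clashing entries were accepted before the rejection.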
View file
_service:tar_scm:ipset-7.15.tar.bz2/tests/hash:net,net.t -> _service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,net.t
Changed
@@ -166,4 +166,110 @@ 0 ./check_extensions test 2.0.0.0/25,2.0.0.0/25 700 13 12479 # Counters and timeout: destroy set 0 ipset x test +# Network: Create a set with timeout and netmask +0 ipset -N test hash:net,net --hashsize 128 --netmask 24 timeout 4 +# Network: Add first random network +0 ipset -A test 2.0.10.1,2.10.10.254 +# Network: Add second random network +0 ipset -A test 192.168.68.1,192.168.68.254 +# Network: Test first random value +0 ipset -T test 2.0.10.11,2.10.10.25 +# Network: Test second random value +0 ipset -T test 192.168.68.11,192.168.68.5 +# Network: Test value not added to the set +1 ipset -T test 2.10.1.0,21.0.1.0 +# Network: Add third element +0 ipset -A test 200.100.10.1,200.100.10.100 timeout 0 +# Network: Add third random network +0 ipset -A test 200.100.0.12,200.100.0.13 +# Network: Delete the same network +0 ipset -D test 200.100.0.12,200.100.0.13 +# Network: List set +0 ipset -L test > .foo0 && ./sort.sh .foo0 +# Network: Check listing +0 ./diff.sh .foo hash:net,net.t.list3 +# Sleep 5s so that elements can time out +0 sleep 5 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:net,net.t.list4 +# Network: Flush test set +0 ipset -F test +# Network: add element with 1s timeout +0 ipset add test 200.100.0.12,80.20.0.12 timeout 1 +# Network: readd element with 3s timeout +0 ipset add test 200.100.0.12,80.20.0.12 timeout 3 -exist +# Network: sleep 2s +0 sleep 2s +# Network: check readded element +0 ipset test test 200.100.0.12,80.20.0.12 +# Network: Delete test set +0 ipset -X test +# Network: Create a set with timeout and bitmask +0 ipset -N test hash:net,net --hashsize 128 --bitmask 255.255.255.0 timeout 4 +# Network: Add first random network +0 ipset -A test 2.0.10.1,2.10.10.254 +# Network: Add second random network +0 ipset -A test 192.168.68.1,192.168.68.254 +# Network: Test first random value +0 ipset -T test 2.0.10.11,2.10.10.25 +# Network: Test second random value +0 ipset -T test 
192.168.68.11,192.168.68.5 +# Network: Test value not added to the set +1 ipset -T test 2.10.1.0,21.0.1.0 +# Network: Add third element +0 ipset -A test 200.100.10.1,200.100.10.100 timeout 0 +# Network: Add third random network +0 ipset -A test 200.100.0.12,200.100.0.13 +# Network: Delete the same network +0 ipset -D test 200.100.0.12,200.100.0.13 +# Network: List set +0 ipset -L test > .foo0 && ./sort.sh .foo0 +# Network: Check listing +0 ./diff.sh .foo hash:net,net.t.list5 +# Sleep 5s so that elements can time out +0 sleep 5 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:net,net.t.list6 +# Network: Flush test set +0 ipset -F test +# Network: add element with 1s timeout +0 ipset add test 200.100.0.12,80.20.0.12 timeout 1 +# Network: readd element with 3s timeout +0 ipset add test 200.100.0.12,80.20.0.12 timeout 3 -exist +# Network: sleep 2s +0 sleep 2s +# Network: check readded element +0 ipset test test 200.100.0.12,80.20.0.12 +# Network: Delete test set +0 ipset -X test +# Network: Create a set with bitmask which is not a valid netmask +0 ipset -N test hash:net,net --hashsize 128 --bitmask 255.255.0.255 +# Network: Add zero valued element +1 ipset -A test 0.0.0.0 +# Network: Test zero valued element +1 ipset -T test 0.0.0.0 +# Network: Delete zero valued element +1 ipset -D test 0.0.0.0 +# Network: Add first random network +0 ipset -A test 1.2.3.4,22.23.24.25 +# Network: Add second random network +0 ipset -A test 1.168.122.124,122.23.45.50 +# Network: Test first random value +0 ipset -T test 1.2.43.4,22.23.2.25 +# Network: Test second random value +0 ipset -T test 1.168.12.124,122.23.4.50 +# Network: Test value not added to the set +1 ipset -T test 2.168.122.124,22.23.45.50 +# Network: Test delete value +0 ipset -D test 1.168.12.124,122.23.0.50 +# Network: List set +0 ipset -L test > .foo +# Network: Check listing +0 ./diff.sh .foo hash:net,net.t.list7 +# Network: Delete test set +0 ipset -X test # eof
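Review bot: In the final block the zero valued checks pass a single address (`ipset -A test 0.0.0.0`, and the matching `-T` and `-D`) to a hash:net,net set, which takes two comma separated fields everywhere else in this hunk. The expected exit code 1 may be produced by the missing second field, so the zero value handling is not actually tested. Suggest `0.0.0.0,0.0.0.0`, and consider adding the same checks to the netmask and bitmask 255.255.255.0 blocks, which have none.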
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,net.t.list3
Added
@@ -0,0 +1,11 @@ +Name: test +Type: hash:net,net +Revision: 4 +Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0xe17e4732 netmask 24 +Size in memory: 848 +References: 0 +Number of entries: 3 +Members: +192.168.68.0,192.168.68.0 timeout 3 +2.0.10.0,2.10.10.0 timeout 3 +200.100.10.0,200.100.10.0 timeout 0
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,net.t.list4
Added
@@ -0,0 +1,9 @@ +Name: test +Type: hash:net,net +Revision: 4 +Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0xb69e293e netmask 24 +Size in memory: 848 +References: 0 +Number of entries: 1 +Members: +200.100.10.0,200.100.10.0 timeout 0
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,net.t.list5
Added
@@ -0,0 +1,11 @@ +Name: test +Type: hash:net,net +Revision: 4 +Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0xe17e4732 bitmask 255.255.255.0 +Size in memory: 848 +References: 0 +Number of entries: 3 +Members: +192.168.68.0,192.168.68.0 timeout 3 +2.0.10.0,2.10.10.0 timeout 3 +200.100.10.0,200.100.10.0 timeout 0
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,net.t.list6
Added
@@ -0,0 +1,9 @@ +Name: test +Type: hash:net,net +Revision: 4 +Header: family inet hashsize 128 maxelem 65536 timeout 4 bucketsize 12 initval 0xb69e293e bitmask 255.255.255.0 +Size in memory: 848 +References: 0 +Number of entries: 1 +Members: +200.100.10.0,200.100.10.0 timeout 0
View file
_service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,net.t.list7
Added
@@ -0,0 +1,9 @@ +Name: test +Type: hash:net,net +Revision: 4 +Header: family inet hashsize 128 maxelem 65536 bucketsize 12 initval 0x6223fef7 bitmask 255.255.0.255 +Size in memory: 736 +References: 0 +Number of entries: 1 +Members: +1.2.0.4,22.23.0.25
View file
_service:tar_scm:ipset-7.15.tar.bz2/tests/hash:net,port,net.t -> _service:tar_scm:ipset-7.17.tar.bz2/tests/hash:net,port,net.t
Changed
@@ -52,6 +52,12 @@ 0 ipset add test 10.0.0.0-10.0.3.255,tcp:80-82,192.168.0.0-192.168.2.255 # Check that correct number of elements are added 0 n=`ipset list test|grep '^10.0'|wc -l` && test $n -eq 6 +# Flush set +0 ipset flush test +# Add 0/0 networks +0 ipset add test 0.0.0.0/0,tcp:1-2,192.168.230.128/25 +# Check that correct number of elements are added +0 n=`ipset list test|grep '^0'|wc -l` && test $n -eq 2 # Destroy set 0 ipset -X test # Create test set with timeout support
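Review bot: The count check `grep '^0'` after adding `0.0.0.0/0,tcp:1-2,192.168.230.128/25` matches any listing line that starts with the character 0, which is looser than the intent. Suggest `grep '^0\.0\.0\.0/0,'` so the expected value of 2 is tied to the two port entries of the 0/0 network.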
View file
_service:tar_scm:ipset-7.15.tar.bz2/tests/netnetgen.sh -> _service:tar_scm:ipset-7.17.tar.bz2/tests/netnetgen.sh
Changed
@@ -6,7 +6,7 @@ comment=" comment" ;; timeout) - timeout=" timeout 5" + timeout=" timeout 10" ;; *) ;;
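Review bot: The change of `timeout=" timeout 5"` to `timeout=" timeout 10"` has no comment giving the reason. If the value was raised so that the generated entries survive until the element count in comment.t is taken, please say so next to the assignment, otherwise the number looks arbitrary and is likely to be changed back.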
View file
_service:tar_scm:ipset-7.15.tar.bz2/tests/xlate/xlate.t -> _service:tar_scm:ipset-7.17.tar.bz2/tests/xlate/xlate.t
Changed
@@ -53,3 +53,5 @@ add bp1 22 create bim1 bitmap:ip,mac range 1.1.1.0/24 add bim1 1.1.1.1,aa:bb:cc:dd:ee:ff +create hn6 hash:net family inet6 +add hn6 fe80::/64
View file
_service:tar_scm:ipset-7.15.tar.bz2/tests/xlate/xlate.t.nft -> _service:tar_scm:ipset-7.17.tar.bz2/tests/xlate/xlate.t.nft
Changed
@@ -54,3 +54,5 @@ add element inet global bp1 { 22 } add set inet global bim1 { type ipv4_addr . ether_addr; } add element inet global bim1 { 1.1.1.1 . aa:bb:cc:dd:ee:ff } +add set inet global hn6 { type ipv6_addr; flags interval; } +add element inet global hn6 { fe80::/64 }
View file
_service:tar_scm:ipset-7.15.tar.bz2/utils/Makefile.in -> _service:tar_scm:ipset-7.17.tar.bz2/utils/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2020 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -432,7 +432,7 @@ top_srcdir = @top_srcdir@ # curr:rev:age -LIBVERSION = 16:0:3 +LIBVERSION = 17:0:4 AM_CPPFLAGS = $(kinclude_CFLAGS) $(all_includes) -I$(top_srcdir)/include AM_CFLAGS = -std=gnu99 $(am__append_1) $(am__append_2) SPARSE = sparse
View file
_service:tar_scm:ipset-config
Added
@@ -0,0 +1,5 @@ +# Save current ipsets on stop. +# Value: yes|no, default: no +# Saves all ipsets to /etc/sysconfig/ipset.d/ if service gets stopped +# (e.g. on system shutdown). +IPSET_SAVE_ON_STOP="no" \ No newline at end of file
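Review bot: The file ends without a trailing newline ("No newline at end of file") on the `IPSET_SAVE_ON_STOP="no"` line. It is sourced by the start-stop script and read through `EnvironmentFile=` in ipset.service, and a later append by a packaging script or an administrator would be glued onto this assignment. Please end the file with a newline. The comment here gives the save location as /etc/sysconfig/ipset.d/, which should be kept in step with the comment in ipset.service.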
View file
_service:tar_scm:ipset.service
Changed
@@ -9,10 +9,11 @@ ExecStart=/usr/libexec/ipset/ipset.start-stop start ExecStop=/usr/libexec/ipset/ipset.start-stop stop ExecReload=/usr/libexec/ipset/ipset.start-stop reload -# Save current ipset entries on stop/restart. +# Save current ipset entries on stop. # Value: yes|no, default: no -# Saves all ipsets to /etc/ipset/ipset if ipset gets stopped -Environment=IPSET_SAVE_ON_STOP=no IPSET_SAVE_ON_RESTART=no +# Saves all ipsets to /etc/sysconfig/ipset if ipset gets stopped +Environment=IPSET_SAVE_ON_STOP=no +EnvironmentFile=-/etc/sysconfig/ipset-config Install WantedBy=basic.target
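Review bot: The updated comment says "Saves all ipsets to /etc/sysconfig/ipset if ipset gets stopped", but the new ipset-config in this revision says /etc/sysconfig/ipset.d/, and the start-stop script treats /etc/sysconfig/ipset as `IPSET_DATA_COMPAT`. Please correct the path in the comment. It would also help to note that `EnvironmentFile=-/etc/sysconfig/ipset-config` overrides the `Environment=IPSET_SAVE_ON_STOP=no` default on the line above, since the unit now sets the variable in two places.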
View file
_service:tar_scm:ipset.start-stop
Changed
@@ -1,209 +1,359 @@ -#!/bin/bash +#!/bin/sh # # ipset Start and stop ipset firewall sets # -# config: /etc/ipset/ipset -# - -IPSET=ipset -IPSET_BIN=/usr/sbin/${IPSET} -IPSET_DATA=/etc/${IPSET}/${IPSET} - -IPTABLES_CONFIG=/etc/sysconfig/iptables-config -IP6TABLES_CONFIG=${IPTABLES_CONFIG/iptables/ip6tables} - -TMP_FIFO=/tmp/${IPSET}.$$ - -if ! -x ${IPSET_BIN} ; then - echo "${IPSET_BIN} does not exist." - exit 5 -fi - -CLEAN_FILES=TMP_FIFO -trap "rm -f \$CLEAN_FILES" EXIT - -# Default ipset configuration: - -z $IPSET_SAVE_ON_STOP && IPSET_SAVE_ON_STOP=no # Overridden by ip(6)tables IP(6)TABLES_SAVE_ON_STOP - -z $IPSET_SAVE_ON_RESTART && IPSET_SAVE_ON_RESTART=no # Overridden by ip(6)tables IP(6)TABLES_SAVE_ON_RESTART - -# Load iptables configuration(s) - -f "$IPTABLES_CONFIG" && . "$IPTABLES_CONFIG" - -f "$IP6TABLES_CONFIG" && . "$IP6TABLES_CONFIG" - -# It doesn't make sense to save iptables config and not our config - ${IPTABLES_SAVE_ON_STOP} = yes || ${IP6TABLES_SAVE_ON_STOP} = yes && IPSET_SAVE_ON_STOP=yes - ${IPTABLES_SAVE_ON_RESTART} = yes || ${IP6TABLES_SAVE_ON_RESTART} = yes && IPSET_SAVE_ON_RESTART=yes - -check_can_unload() { - # If the xt_set module is loaded and can't be unloaded, then iptables is - # using ipsets, so refuse to stop the service. - if -n $(lsmod | grep "^xt_set ") ; then - rmmod xt_set 2>/dev/null - $? -ne 0 && echo Current iptables configuration requires ipsets && return 1 - fi - - return 0 -} - -flush_n_delete() { - local ret=0 set - - # Flush sets - ${IPSET_BIN} flush - let ret+=$? - - # Delete ipset sets. If we don't do them individually, then none - # will be deleted unless they all can be. - for set in $(${IPSET_BIN} list -name); do - ${IPSET_BIN} destroy 2>/dev/null - $? 
-ne 0 && ret=1 - done - - return $ret +# config: /etc/sysconfig/ipset-config + +IPSET_BIN=/usr/sbin/ipset +IPSET_CONFIG=/etc/sysconfig/ipset-config +IPSET_DATA_COMPAT=/etc/sysconfig/ipset +IPSET_DATA_COMPAT_BACKUP=${IPSET_DATA_COMPAT}.save +IPSET_DATA_DIR=/etc/sysconfig/ipset.d +IPSET_DATA_DIR_BACKUP=${IPSET_DATA_DIR}.save +IPSET_DATA_SAVED_FLAG=${IPSET_DATA_DIR}/.saved +IPSET_LOCK=/run/ipset.lock +IPSET_RUN=/run/ipset.run +CLEAN_FILES="" + +trap "rm -rf \${CLEAN_FILES}" EXIT + +info() { + echo "ipset: ${*}" >&2 } - -start_clean() -{ - mkfifo -m go= "${TMP_FIFO}" - $? -ne 0 && return 1 - - # Get the lists of sets in current(old) config and new config - old_sets="$(${IPSET_BIN} list -name | sort -u)" - new_sets="$(grep ^create "${IPSET_DATA}" | cut -d " " -f 2 | sort -u)" - - # List of sets no longer wanted - drop_sets="$( printf "%s\n" "${old_sets}" > "${TMP_FIFO}" & - printf "%s\n" "${new_sets}" | comm -23 "${TMP_FIFO}" - - )" - - # Get rid of sets no longer needed - # Unfortunately -! doesn't work for destroy, so we have to do it a command at a time - for dset in $drop_sets; do - ipset destroy $dset 2>/dev/null - # If it won't go - ? in use by iptables, just clear it - $? -ne 0 && ipset flush $dset - done - - # Now delete the set members no longer required - ${IPSET_BIN} save | grep "^add " | sort >${TMP_FIFO} & - grep "^add " ${IPSET_DATA} | sort | comm -23 ${TMP_FIFO} - | sed -e "s/^add /del /" \ - | ${IPSET_BIN} restore -! - - # At last we can add the set members we haven't got - ipset restore -! <${IPSET_DATA} - - rm ${TMP_FIFO} - - return 0 + +warn() { + echo "<4>ipset: ${*}" >&2 } - -start() { - # Do not start if there is no config file. - ! -f "$IPSET_DATA" && echo "Loaded with no configuration" && return 0 - - # We can skip the first bit and do a simple load if - # there is no current ipset configuration - res=1 - if -n $(${IPSET_BIN} list -name) ; then - # The following may fail for some bizarre reason - start_clean - res=$? 
- - $res -ne 0 && echo "Some old configuration may remain" - fi - - # res -ne 0 => either start_clean failed, or we didn't need to run it - if $res -ne 0 ; then - # This is the easy way to start but would leave any old - # entries still configured. Still, better than nothing - - # but fine if we had no config - ${IPSET_BIN} restore -! <${IPSET_DATA} - res=$? - fi - - if $res -ne 0 ; then - return 1 - fi - - return 0 + +err() { + echo "<3>ipset: ${*}" >&2 } - -stop() { - # Nothing to stop if ip_set module is not loaded. - lsmod | grep -q "^ip_set " - $? -ne 0 && return 6 - - flush_n_delete - $? -ne 0 && echo Warning: Not all sets were flushed/deleted - - return 0 + + -x ${IPSET_BIN} || { err "Cannot execute ${IPSET_BIN}"; exit 1; } + +# Source ipset configuration +# shellcheck source=ipset-config + -f ${IPSET_CONFIG} && . ${IPSET_CONFIG} + +set -f + +lock() { + CLEAN_FILES="${CLEAN_FILES} ${IPSET_LOCK}" + until mkdir ${IPSET_LOCK} 2>/dev/null; do :; done } - + save() { - # Do not save if ip_set module is not loaded. - lsmod | grep -q "^ip_set " - $? -ne 0 && return 6 - - -z $(${IPSET_BIN} list -name) && return 0 - - ret=0 - TMP_FILE=$(/bin/mktemp -q /tmp/$IPSET.XXXXXX) \ - && CLEAN_FILES+=" $TMP_FILE" \ - && chmod 600 "$TMP_FILE" \ - && ${IPSET_BIN} save > $TMP_FILE 2>/dev/null \ - && -s $TMP_FILE \ - || ret=1 - - if $ret -eq 0 ; then - # No need to do anything if the files are the same - if ! -f $IPSET_DATA ; then - mv $TMP_FILE $IPSET_DATA && chmod 600 $IPSET_DATA || ret=1 + fail=0 +
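Review bot: In the new `lock()` function the lock path is appended to `CLEAN_FILES` before the lock is acquired, so if this process exits while still waiting, the `trap "rm -rf \${CLEAN_FILES}" EXIT` handler removes a lock directory that belongs to another instance. Add the path to `CLEAN_FILES` only after `mkdir ${IPSET_LOCK}` succeeds. The loop `until mkdir ${IPSET_LOCK} 2>/dev/null; do :; done` is also a busy wait with no sleep and no timeout, and it spins forever if `mkdir` fails for a reason other than the directory already existing, for example when /run is not writable. Suggest a short sleep between attempts and a bounded number of retries with an `err` message on give-up.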