1. 20 Jan, 2020 1 commit
  2. 07 Oct, 2019 4 commits
  3. 13 Aug, 2019 1 commit
      netfilter: inline four headers files into another one. · bd96b4c7
      Jeremy Sowden authored
      
      linux/netfilter/ipset/ip_set.h included four other header files:
      
        include/linux/netfilter/ipset/ip_set_comment.h
        include/linux/netfilter/ipset/ip_set_counter.h
        include/linux/netfilter/ipset/ip_set_skbinfo.h
        include/linux/netfilter/ipset/ip_set_timeout.h
      
      Of these the first three were not included anywhere else.  The last,
      ip_set_timeout.h, was included in a couple of other places, but defined
      inline functions which call other inline functions defined in ip_set.h,
      so ip_set.h had to be included before it.
      
      Inlined all four into ip_set.h, and updated the other files that
      included ip_set_timeout.h.
      
      Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
      Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  4. 19 Jun, 2019 1 commit
  5. 10 Jun, 2019 1 commit
  6. 27 Apr, 2019 2 commits
      ipset: drop ipset_nest_start() and ipset_nest_end() · 12ad5f65
      Michal Kubecek authored
      
      After the previous commit, both ipset_nest_start() and ipset_nest_end() are
      just aliases for nla_nest_start() and nla_nest_end() so that there is no
      need to keep them.
      
      Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
      Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      netlink: make nla_nest_start() add NLA_F_NESTED flag · ae0be8de
      Michal Kubecek authored
      
      Even though the NLA_F_NESTED flag was introduced more than 11 years ago, most
      netlink based interfaces (including recently added ones) are still not
      setting it in kernel generated messages. Without the flag, message parsers
      not aware of attribute semantics (e.g. wireshark dissector or libmnl's
      mnl_nlmsg_fprintf()) cannot recognize nested attributes and won't display
      the structure of their contents.
      
      Unfortunately we cannot just add the flag everywhere as there may be
      userspace applications which check nlattr::nla_type directly rather than
      through a helper masking out the flags. Therefore the patch renames
      nla_nest_start() to nla_nest_start_noflag() and introduces nla_nest_start()
      as a wrapper adding NLA_F_NESTED. The calls which add NLA_F_NESTED manually
      are rewritten to use nla_nest_start().
      
      Except for changes in include/net/netlink.h, the patch was generated using
      this semantic patch:
      
      @@ expression E1, E2; @@
      -nla_nest_start(E1, E2)
      +nla_nest_start_noflag(E1, E2)
      
      @@ expression E1, E2; @@
      -nla_nest_start_noflag(E1, E2 | NLA_F_NESTED)
      +nla_nest_start(E1, E2)
      
      Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
      Acked-by: Jiri Pirko <jiri@mellanox.com>
      Acked-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
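The commit above describes two things a parser can only get right if the flag is present: a semantics-unaware dumper cannot tell a nested container from an opaque blob without NLA_F_NESTED, and an application that reads nlattr::nla_type directly instead of masking the flags out sees a different type value once the flag is set. The following Python is an added illustration of both points and is not code from the kernel commit or from libmnl; the nlattr layout and the NLA_F_NESTED / NLA_F_NET_BYTEORDER / NLA_TYPE_MASK constants are the real ones from include/uapi/linux/netlink.h, while the attribute types 1, 2 and 3 and the sample payloads are constructed for the demo.

```python
import struct

# Constants from include/uapi/linux/netlink.h
NLA_HDRLEN = 4                 # struct nlattr: u16 nla_len, u16 nla_type
NLA_ALIGNTO = 4
NLA_F_NESTED = 1 << 15
NLA_F_NET_BYTEORDER = 1 << 14
NLA_TYPE_MASK = 0xFFFF & ~(NLA_F_NESTED | NLA_F_NET_BYTEORDER)


def nla_align(n):
    return (n + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1)


def nla_put(attrtype, payload):
    """Serialise one attribute: header, payload, zero padding to 4 bytes.
    nla_len/nla_type are in host byte order, as the kernel emits them."""
    length = NLA_HDRLEN + len(payload)
    return struct.pack("=HH", length, attrtype) + payload + b"\0" * (nla_align(length) - length)


def nla_nest_start(attrtype, children):
    """Container attribute with NLA_F_NESTED set (what the patched nla_nest_start() emits)."""
    return nla_put(attrtype | NLA_F_NESTED, b"".join(children))


def nla_nest_start_noflag(attrtype, children):
    """Container attribute without the flag (the pre-patch behaviour, now nla_nest_start_noflag())."""
    return nla_put(attrtype, b"".join(children))


def parse_attrs(buf):
    """Semantics-unaware parser in the spirit of mnl_nlmsg_fprintf(): it has no
    attribute policy, so NLA_F_NESTED is the only way it can tell a nested
    attribute from an opaque payload.  Returns a list of (type, payload_or_children).
    Lengths are validated so a truncated or bogus nla_len raises instead of
    reading past the buffer."""
    out, off = [], 0
    while off + NLA_HDRLEN <= len(buf):
        nla_len, nla_type = struct.unpack_from("=HH", buf, off)
        if nla_len < NLA_HDRLEN or off + nla_len > len(buf):
            raise ValueError("malformed attribute at offset %d" % off)
        payload = buf[off + NLA_HDRLEN:off + nla_len]
        if nla_type & NLA_F_NESTED:
            out.append((nla_type & NLA_TYPE_MASK, parse_attrs(payload)))
        else:
            out.append((nla_type & NLA_TYPE_MASK, payload))
        off += nla_align(nla_len)
    return out


def raw_nla_type(buf):
    """What an application reading nlattr::nla_type directly sees for the first attribute."""
    return struct.unpack_from("=HH", buf, 0)[1]


def nla_type(buf):
    """What it sees through a helper that masks the flags out (the kernel's nla_type())."""
    return raw_nla_type(buf) & NLA_TYPE_MASK


# Constructed sample message: container type 1 holding a u32 (type 2) and a
# NUL-terminated string (type 3).  The type numbers are made up for the demo.
CHILDREN = [nla_put(2, struct.pack("=I", 42)), nla_put(3, b"h\0")]
FLAGGED = nla_nest_start(1, CHILDREN)
UNFLAGGED = nla_nest_start_noflag(1, CHILDREN)

if __name__ == "__main__":
    print("with NLA_F_NESTED:   ", parse_attrs(FLAGGED))      # children shown as a list
    print("without NLA_F_NESTED:", parse_attrs(UNFLAGGED))    # children shown as 16 opaque bytes
    print("raw type 0x%04x, masked type %d" % (raw_nla_type(FLAGGED), nla_type(FLAGGED)))
```

Running it shows why the commit could not simply set the flag everywhere: the masked type of the container is 1 in both messages, but an application comparing the raw field against 1 matches only the unflagged message, since the flagged one carries 0x8001.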
  7. 31 Oct, 2018 1 commit
      netfilter: ipset: list:set: Decrease refcount synchronously on deletion and replace · 439cd39e
      Stefano Brivio authored
      Commit 45040978 ("netfilter: ipset: Fix set:list type crash
      when flush/dump set in parallel") postponed decreasing set
      reference counters to the RCU callback.
      
      An 'ipset del' command can terminate before the RCU grace period
      is elapsed, and if sets are listed before then, the reference
      counter shown in userspace will be wrong:
      
       # ipset create h hash:ip; ipset create l list:set; ipset add l
       # ipset del l h; ipset list h
       Name: h
       Type: hash:ip
       Revision: 4
       Header: family inet hashsize 1024 maxelem 65536
       Size in memory: 88
       References: 1
       Number of entries: 0
       Members:
       # sleep 1; ipset list h
       Name: h
       Type: hash:ip
       Revision: 4
       Header: family inet hashsize 1024 maxelem 65536
       Size in memory: 88
       References: 0
       Number of entries: 0
       Members:
      
      Fix this by making the reference count update synchronous again.
      
      As a result, when sets are listed, ip_set_name_byindex() might
      now fetch a set whose reference count is already zero. Instead
      of relying on the reference count to protect against concurrent
      set renaming, grab ip_set_ref_lock as reader and copy the name,
      while holding the same lock in ip_set_rename() as writer
      instead.
      
      Reported-by: Li Shuang <shuali@redhat.com>
      Fixes: 45040978 ("netfilter: ipset: Fix set:list type crash when flush/dump set in parallel")
      Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  8. 27 Oct, 2018 1 commit
      netfilter: ipset: Introduction of new commands and protocol version 7 · 23c42a40
      Jozsef Kadlecsik authored
      
      Two new commands (IPSET_CMD_GET_BYNAME, IPSET_CMD_GET_BYINDEX) are
      introduced. The new commands make it possible to eliminate the getsockopt
      operation (in iptables set/SET match/target) and thus use only netlink
      communication between userspace and kernel for ipset. With the new
      protocol version, userspace can know exactly which functionality is
      supported by the running kernel.
      
      Both the kernel and userspace are fully backward compatible.
      
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
  9. 08 Jan, 2018 1 commit
  10. 10 Nov, 2016 8 commits
  11. 24 Apr, 2016 1 commit
  12. 28 Mar, 2016 1 commit
      netfilter: ipset: fix race condition in ipset save, swap and delete · 596cf3fe
      Vishwanath Pai authored
      
      This fix adds a new reference counter (ref_netlink) for the struct ip_set.
      The other reference counter (ref) can be swapped out by ip_set_swap and we
      need a separate counter to keep track of references for netlink events
      like dump. Using the same ref counter for dump causes a race condition
      which can be demonstrated by the following script:
      
      ipset create hash_ip1 hash:ip family inet hashsize 1024 maxelem 500000 \
      counters
      ipset create hash_ip2 hash:ip family inet hashsize 300000 maxelem 500000 \
      counters
      ipset create hash_ip3 hash:ip family inet hashsize 1024 maxelem 500000 \
      counters
      
      ipset save &
      
      ipset swap hash_ip3 hash_ip2
      ipset destroy hash_ip3 /* will crash the machine */
      
      Swap will exchange the values of ref so destroy will see ref = 0 instead of
      ref = 1. With this fix in place swap will not succeed because ipset save
      still has ref_netlink on the set (ip_set_swap doesn't swap ref_netlink).
      
      Both delete and swap will error out if ref_netlink != 0 on the set.
      
      Note: The changes to the *_head functions are because previously we would
      increment ref whenever we called these functions; we don't do that
      anymore.
      
      Reviewed-by: Joshua Hunt <johunt@akamai.com>
      Signed-off-by: Vishwanath Pai <vpai@akamai.com>
      Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  13. 07 Nov, 2015 1 commit
  14. 14 Jun, 2015 4 commits
  15. 14 May, 2015 1 commit
      netfilter: ipset: deinline ip_set_put_extensions() · a3b1c1eb
      Denys Vlasenko authored
      
      On x86 allyesconfig build:
      The function compiles to 489 bytes of machine code.
      It has 25 callsites.
      
          text    data       bss       dec     hex filename
      82441375 22255384 20627456 125324215 7784bb7 vmlinux.before
      82434909 22255384 20627456 125317749 7783275 vmlinux
      
      Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
      CC: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      CC: Eric W. Biederman <ebiederm@xmission.com>
      CC: David S. Miller <davem@davemloft.net>
      CC: Jan Engelhardt <jengelh@medozas.de>
      CC: Jiri Pirko <jpirko@redhat.com>
      CC: linux-kernel@vger.kernel.org
      CC: netdev@vger.kernel.org
      CC: netfilter-devel@vger.kernel.org
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  16. 13 May, 2015 1 commit
  17. 31 Mar, 2015 1 commit
  18. 15 Sep, 2014 2 commits
  19. 06 Mar, 2014 3 commits
  20. 03 Jan, 2014 1 commit
  21. 22 Oct, 2013 1 commit
  22. 30 Sep, 2013 2 commits