[00/26] ipset patches for nf-next

Message ID 1380570637-31235-1-git-send-email-kadlec@blackhole.kfki.hu
State Accepted

Pull-request

git://blackhole.kfki.hu/nf-next master

Message

Jozsef Kadlecsik Sept. 30, 2013, 7:50 p.m. UTC
Hi Pablo,

Here follows a huge batch of ipset patches for nf-next. Besides a lot of small
fixes and corrections, it contains two new set types, a reworked extensions
support with a new extension (per element comments) and netns support.
Please consider applying them.

Best regards,
Jozsef

The following changes since commit 7722e0d1c076d9610f00d79bde8af977157aa23b:
  Gao feng (1):
        netfilter: xt_TCPMSS: lookup route from proper net namespace

are available in the git repository at:

  git://blackhole.kfki.hu/nf-next master

Anders K. Pedersen (1):
      netfilter: ipset: Support package fragments for IPv4 protos without ports

Jozsef Kadlecsik (18):
      netfilter: ipset: Don't call ip_nest_end needlessly in the error path
      netfilter: ipset: Sparse warning about shadowed variable fixed
      netfilter: ipset: Fix sparse warnings due to missing rcu annotations
      netfilter: ipset: Rename simple macro names to avoid namespace issues.
      netfilter: ipset: Fix "may be used uninitialized" warnings
      netfilter: ipset: Use fix sized type for timeout in the extension part
      netfilter: ipset: order matches and targets separatedly in xt_set.c
      netfilter: ipset: Introduce new operation to get both setname and family
      netfilter: ipset: Prepare ipset to support multiple networks for hash types
      netfilter: ipset: Rename extension offset ids to extension ids
      netfilter: ipset: Move extension data to set structure
      netfilter: ipset: Generalize extensions support
      netfilter: ipset: Support extensions which need a per data destroy function
      netfilter: ipset: list:set: make sure all elements are checked by the gc
      netfilter: ipset: Kconfig: ipset needs NETFILTER_NETLINK
      netfilter: ipset: Fix hash resizing with comments
      netfilter: ipset: For set:list types, replaced elements must be zeroed out
      netfilter: ipset: Use a common function at listing the extensions

Oliver Smith (6):
      netfilter: ipset: Add hash:net,net module to kernel.
      netfilter: ipset: Support comments for ipset entries in the core.
      netfilter: ipset: Support comments in bitmap-type ipsets.
      netfilter: ipset: Support comments in the list-type ipset.
      netfilter: ipset: Support comments in hash-type ipsets.
      netfilter: ipset: Add hash:net,port,net module to kernel.

Vitaly Lavrov (1):
      netfiler: ipset: Add net namespace for ipset

 include/linux/netfilter/ipset/ip_set.h         |  151 +++++-
 include/linux/netfilter/ipset/ip_set_comment.h |   57 +++
 include/linux/netfilter/ipset/ip_set_timeout.h |    4 +-
 include/uapi/linux/netfilter/ipset/ip_set.h    |   16 +-
 net/netfilter/ipset/Kconfig                    |   20 +-
 net/netfilter/ipset/Makefile                   |    2 +
 net/netfilter/ipset/ip_set_bitmap_gen.h        |  163 ++++---
 net/netfilter/ipset/ip_set_bitmap_ip.c         |  125 ++----
 net/netfilter/ipset/ip_set_bitmap_ipmac.c      |  156 ++-----
 net/netfilter/ipset/ip_set_bitmap_port.c       |  112 ++----
 net/netfilter/ipset/ip_set_core.c              |  361 +++++++++++----
 net/netfilter/ipset/ip_set_getport.c           |   18 +-
 net/netfilter/ipset/ip_set_hash_gen.h          |  526 +++++++++++-----------
 net/netfilter/ipset/ip_set_hash_ip.c           |   58 +--
 net/netfilter/ipset/ip_set_hash_ipport.c       |   80 +---
 net/netfilter/ipset/ip_set_hash_ipportip.c     |   86 +---
 net/netfilter/ipset/ip_set_hash_ipportnet.c    |  108 +----
 net/netfilter/ipset/ip_set_hash_net.c          |   85 +---
 net/netfilter/ipset/ip_set_hash_netiface.c     |   98 +----
 net/netfilter/ipset/ip_set_hash_netnet.c       |  483 +++++++++++++++++++
 net/netfilter/ipset/ip_set_hash_netport.c      |   92 +---
 net/netfilter/ipset/ip_set_hash_netportnet.c   |  588 ++++++++++++++++++++++++
 net/netfilter/ipset/ip_set_list_set.c          |  263 ++++-------
 net/netfilter/xt_set.c                         |  222 +++++-----
 net/sched/em_ipset.c                           |    7 +-
 25 files changed, 2364 insertions(+), 1517 deletions(-)
 create mode 100644 include/linux/netfilter/ipset/ip_set_comment.h
 create mode 100644 net/netfilter/ipset/ip_set_hash_netnet.c
 create mode 100644 net/netfilter/ipset/ip_set_hash_netportnet.c
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Pablo Neira Ayuso Oct. 1, 2013, 10:24 a.m. UTC | #1
On Mon, Sep 30, 2013 at 09:50:11PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
> 
> Here follows a huge batch of ipset patches for nf-next. Besides a lot of small
> fixes and corrections, it contains two new set types, a reworked extensions
> support with a new extension (per element comments) and netns support.
> Please consider applying them.

Pulled, thanks Jozsef!

Please, could you send me a short summary of changes commenting the
patchset? Something similar to what I usually send to David when I
make a pull-request would be just fine. Thanks.
Jozsef Kadlecsik Oct. 1, 2013, 8:07 p.m. UTC | #2
On Tue, 1 Oct 2013, Pablo Neira Ayuso wrote:

> On Mon, Sep 30, 2013 at 09:50:11PM +0200, Jozsef Kadlecsik wrote:
> > Hi Pablo,
> > 
> > Here follows a huge batch of ipset patches for nf-next. Besides a lot of small
> > fixes and corrections, it contains two new set types, a reworked extensions
> > support with a new extension (per element comments) and netns support.
> > Please consider applying them.
> 
> Pulled, thanks Jozsef!
> 
> Please, could you send me a short summary of changes commenting the 
> patchset? Something similar to what I usually send to David when I make 
> a pull-request would be just fine. Thanks.

Sure, here it comes:

The patchset contains the following fixes and new features for ipset:

* Don't call ip_nest_end needlessly in the error path from me, suggested 
  by Pablo Neira Ayuso.
* Fixed sparse warnings about shadowed variable and missing rcu annotation
  and fix of "may be used uninitialized" warnings, from me.
* Renamed simple macro names to avoid namespace issues, reported by David 
  Laight.
* Use a fixed-size type for timeout in the extension part, and cosmetic
  ordering of matches and targets separately in xt_set.c, from me.
* Support packet fragments for IPv4 protos without ports from Anders K. 
  Pedersen. For example this allows a hash:ip,port ipset containing the 
  entry 192.168.0.1,gre:0 to match all packet fragments for PPTP VPN 
  tunnels to/from the host. Without this patch only the first packet 
  fragment (with fragment offset 0) was matched.
* Introduced a new operation to get both setname and family, from me.
  ip[6]tables set match and SET target need to know the family of the set
  in order to reject adding rules which refer to a set with a non-matching
  family. Currently such rules are silently accepted and then ignored
  instead of generating an error message to the user.
* Reworked extensions support in ipset types from me. The approach of
  defining structures with all variations is not manageable as the
  number of extensions grows. Therefore a blob for the extensions is
  introduced, somewhat similar to conntrack. The support of extensions
  which need a per data destroy function is added as well.
* When an element timed out in a list:set type of set, the garbage
  collector skipped the checking of the next element. So the purging
  was delayed to the next run of the gc, fixed by me.
* A small Kconfig fix: NETFILTER_NETLINK cannot be selected and
  ipset requires it.
* hash:net,net type from Oliver Smith. The type provides the ability to 
  store pairs of subnets in a set.
* Comment for ipset entries from Oliver Smith. This makes it possible to
  annotate entries in a set with comments, for example:

  ipset n foo hash:net,net comment
  ipset a foo 10.0.0.0/21,192.168.1.0/24 comment "office nets A and B"

* Fix of hash types resizing with comment extension from me.
* Fix of the new extensions for the list:set type when an element is added
  into a slot from which another element was pushed away, from me.
* Introduction of a common function for the listing of the element 
  extensions from me.
* Net namespace support for ipset from Vitaly Lavrov.
* hash:net,port,net type from Oliver Smith, which makes it possible
  to store triples of two subnets and a protocol,port pair in
  a set.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
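The fragment behaviour described in the summary (a hash:ip,port entry such as 192.168.0.1,gre:0 matching every fragment, while a TCP/UDP port can only be read from the first fragment), as an added example that is not part of this thread and not the kernel's ip_set_getport.c. It is a simplified reimplementation of the proto,port extraction; the function names and the sample packet are constructed here.

```c
/* Added illustration, not the kernel's ip_set_getport.c: how an ipset
 * hash:ip,port lookup derives the proto,port key from an IPv4 packet, and
 * why a non-first fragment can still match a port-less protocol such as
 * GRE but never a TCP/UDP port. Function names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { PROTO_TCP = 6, PROTO_UDP = 17, PROTO_GRE = 47 };
#define IP_OFFSET 0x1fff                    /* fragment offset mask */
#define IP_MF     0x2000                    /* "more fragments" bit */

struct l4_key { uint8_t proto; uint16_t port; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 1 and fills *k when the packet can be matched, 0 when it cannot. */
static int ip4_get_key(const uint8_t *pkt, size_t len, int src, struct l4_key *k)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return 0;

    uint16_t frag_off = be16(pkt + 6) & IP_OFFSET;
    k->proto = pkt[9];
    k->port = 0;

    switch (k->proto) {
    case PROTO_TCP:
    case PROTO_UDP:
        /* The port lives in the transport header, which only the first
         * fragment (offset 0) carries; later fragments cannot be matched. */
        if (frag_off != 0 || len - ihl < 4)
            return 0;
        k->port = be16(pkt + ihl + (src ? 0 : 2));
        return 1;
    default:
        /* Protocols without ports: the key is proto,0 for every fragment,
         * so an entry like 192.168.0.1,gre:0 covers the whole datagram. */
        return 1;
    }
}

/* Constructed sample packet: 20-byte IPv4 header plus payload. */
static size_t build_ip4(uint8_t *buf, uint8_t proto, uint16_t frag_off, int more,
                        const uint8_t *payload, size_t plen)
{
    uint16_t tot = (uint16_t)(20 + plen);
    uint16_t fo = (uint16_t)((frag_off & IP_OFFSET) | (more ? IP_MF : 0));
    memset(buf, 0, 20);
    buf[0] = 0x45;                          /* IPv4, IHL 5 */
    buf[2] = tot >> 8; buf[3] = tot & 0xff;
    buf[6] = fo >> 8;  buf[7] = fo & 0xff;
    buf[8] = 64;                            /* TTL */
    buf[9] = proto;
    memcpy(buf + 12, "\xc0\xa8\x00\x01", 4); /* src 192.168.0.1 */
    memcpy(buf + 16, "\x0a\x00\x00\x01", 4); /* dst 10.0.0.1 */
    memcpy(buf + 20, payload, plen);
    return 20 + plen;
}

/* Scenario helper: -1 when the packet cannot be matched, else the port. */
static int lookup_port(uint8_t proto, uint16_t frag_off, int src)
{
    /* The first 4 payload bytes read as ports 1194 -> 53 when a transport
     * header is present; in a later fragment or in GRE they are opaque. */
    static const uint8_t payload[8] = { 0x04, 0xaa, 0x00, 0x35, 0, 0, 0, 0 };
    uint8_t pkt[64];
    struct l4_key k;
    size_t n = build_ip4(pkt, proto, frag_off, frag_off == 0, payload, sizeof payload);
    return ip4_get_key(pkt, n, src, &k) ? (int)k.port : -1;
}

int main(void)
{
    printf("udp first fragment, src port: %d\n", lookup_port(PROTO_UDP, 0, 1));
    printf("udp later fragment:           %d\n", lookup_port(PROTO_UDP, 185, 1));
    printf("gre first fragment:           %d\n", lookup_port(PROTO_GRE, 0, 1));
    printf("gre later fragment:           %d\n", lookup_port(PROTO_GRE, 185, 1));
    return 0;
}
```

The practical caveat is the TCP/UDP branch: a port-keyed set still never sees a non-first fragment of those protocols, so a policy that must cover every fragment of a TCP or UDP flow needs reassembly in front of it (the nf_defrag/conntrack path) rather than a set lookup alone.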
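The reworked extensions support described in the summary (a blob for the extensions instead of one struct per variation, with per-data destroy hooks for extensions such as comments), as an added example that is not the kernel's ip_set code. It sketches the idea in user space: the set records the offset of each enabled extension, the accessors are shared by every set type, and the destroy hook is what prevents a comment's heap string from leaking when a slot is freed or reused. The type names, flag values and the demo element are hypothetical.

```c
/* Added illustration of the "extension blob" approach, not the kernel's
 * ip_set code: element data is followed by the extensions the set was
 * created with, and the set (not the element's C type) records where each
 * one lives. Type and function names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

enum ext_id { EXT_TIMEOUT, EXT_COUNTER, EXT_COMMENT, EXT_MAX };

/* Creation flags select the extensions present in every element. */
#define F_TIMEOUT (1u << 0)
#define F_COUNTER (1u << 1)
#define F_COMMENT (1u << 2)

#define ALIGN_OF(T) offsetof(struct { char c; T t; }, t)

struct ext_counter { uint64_t packets, bytes; };
struct ext_comment { char *str; };          /* heap data: needs a destroy hook */

struct ext_type {
    unsigned flag;
    size_t len, align;
    void (*destroy)(void *ext);             /* NULL when nothing to release */
};

static void comment_destroy(void *ext)
{
    struct ext_comment *c = ext;
    free(c->str);
    c->str = NULL;
}

/* Registry of known extensions, indexed by ext_id. A new extension is one
 * new row here, not a new struct for every set type and combination. */
static const struct ext_type ext_types[EXT_MAX] = {
    [EXT_TIMEOUT] = { F_TIMEOUT, sizeof(uint32_t), ALIGN_OF(uint32_t), NULL },
    [EXT_COUNTER] = { F_COUNTER, sizeof(struct ext_counter), ALIGN_OF(struct ext_counter), NULL },
    [EXT_COMMENT] = { F_COMMENT, sizeof(struct ext_comment), ALIGN_OF(struct ext_comment), comment_destroy },
};

/* Per-set layout: bytes per element and the offset of each enabled extension. */
struct set_layout {
    unsigned flags;
    size_t dsize;
    size_t offset[EXT_MAX];                 /* 0 means not present */
};

static size_t align_up(size_t n, size_t a) { return (n + a - 1) / a * a; }

/* Computed once at set creation: fixed element data first, then every
 * enabled extension at an aligned offset. */
static void set_layout_init(struct set_layout *l, size_t elem_size, unsigned flags)
{
    size_t off = elem_size;
    memset(l, 0, sizeof(*l));
    l->flags = flags;
    for (int id = 0; id < EXT_MAX; id++) {
        if (!(flags & ext_types[id].flag))
            continue;
        off = align_up(off, ext_types[id].align);
        l->offset[id] = off;
        off += ext_types[id].len;
    }
    l->dsize = align_up(off, sizeof(void *));
}

/* Accessors shared by every set type: only the offset table differs. */
static void *ext_ptr(const struct set_layout *l, void *e, enum ext_id id)
{
    return (char *)e + l->offset[id];
}
#define ext_timeout(l, e) ((uint32_t *)ext_ptr((l), (e), EXT_TIMEOUT))
#define ext_counter(l, e) ((struct ext_counter *)ext_ptr((l), (e), EXT_COUNTER))
#define ext_comment(l, e) ((struct ext_comment *)ext_ptr((l), (e), EXT_COMMENT))

/* Run each enabled extension's destroy hook before an element slot is
 * freed or reused; this is what stops a comment string from leaking. */
static void elem_ext_destroy(const struct set_layout *l, void *e)
{
    for (int id = 0; id < EXT_MAX; id++)
        if ((l->flags & ext_types[id].flag) && ext_types[id].destroy)
            ext_types[id].destroy(ext_ptr(l, e, id));
}

static char *dupstr(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Fixed data of a hash:net,net style element: two addresses, two prefixes. */
struct elem { uint32_t ip[2]; uint8_t cidr[2]; };

static size_t layout_offset(unsigned flags, enum ext_id id)
{
    struct set_layout l;
    set_layout_init(&l, sizeof(struct elem), flags);
    return l.offset[id];
}

/* End to end: create, fill, read back, destroy; returns 1 when all checks pass. */
static int demo(void)
{
    struct set_layout l;
    set_layout_init(&l, sizeof(struct elem), F_TIMEOUT | F_COUNTER | F_COMMENT);
    void *e = calloc(1, l.dsize);
    if (!e)
        return 0;
    struct elem *d = e;
    d->ip[0] = 0x0a000000; d->cidr[0] = 21;      /* 10.0.0.0/21 */
    d->ip[1] = 0xc0a80100; d->cidr[1] = 24;      /* 192.168.1.0/24 */
    *ext_timeout(&l, e) = 3600;
    ext_counter(&l, e)->packets = 1;
    ext_comment(&l, e)->str = dupstr("office nets A and B");

    int ok = *ext_timeout(&l, e) == 3600
          && ext_counter(&l, e)->packets == 1
          && ext_comment(&l, e)->str != NULL
          && strcmp(ext_comment(&l, e)->str, "office nets A and B") == 0
          && d->cidr[1] == 24;
    elem_ext_destroy(&l, e);
    ok = ok && ext_comment(&l, e)->str == NULL;  /* hook ran, nothing leaked */
    free(e);
    return ok;
}

int main(void)
{
    unsigned all = F_TIMEOUT | F_COUNTER | F_COMMENT;
    printf("timeout@%zu counter@%zu comment@%zu ok=%d\n",
           layout_offset(all, EXT_TIMEOUT), layout_offset(all, EXT_COUNTER),
           layout_offset(all, EXT_COMMENT), demo());
    return 0;
}
```

The point of the layout table is visible in elem_ext_destroy and the accessors: they never mention a concrete set type, so the same code serves bitmap, hash and list sets, and a set created without comments simply has no comment offset and no destroy call.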