[netfilter-cvslog] r4311 - trunk/ipset
kadlec at netfilter.org
kadlec at netfilter.org
Fri Sep 30 18:45:45 CEST 2005
Author: kadlec at netfilter.org
Date: 2005-09-30 18:45:42 +0200 (Fri, 30 Sep 2005)
New Revision: 4311
Modified:
trunk/ipset/ChangeLog
trunk/ipset/Makefile
trunk/ipset/ipset.8
trunk/ipset/ipset.c
trunk/ipset/ipset_iphash.c
trunk/ipset/ipset_ipmap.c
trunk/ipset/ipset_iptree.c
trunk/ipset/ipset_macipmap.c
trunk/ipset/ipset_nethash.c
trunk/ipset/ipset_portmap.c
Log:
2.2.4 released, see fixes in pom-ng/set
Modified: trunk/ipset/ChangeLog
===================================================================
--- trunk/ipset/ChangeLog 2005-09-30 16:44:08 UTC (rev 4310)
+++ trunk/ipset/ChangeLog 2005-09-30 16:45:42 UTC (rev 4311)
@@ -1,3 +1,10 @@
+2.2.4
+ - half-fixed memory allocation bug in iphash and nethash finally
+ completely fixed (bug reported by Nikolai Malykh)
+ - restrictions to enter zero-valued entries into all non-hash type sets
+ were removed
+ - Too strict check on the set size of ipmap type was corrected
+
2.2.3
- memory allocation bug in iphash and nethash in connection with the SET
target was fixed (bug reported by Nikolai Malykh)
Modified: trunk/ipset/Makefile
===================================================================
--- trunk/ipset/Makefile 2005-09-30 16:44:08 UTC (rev 4310)
+++ trunk/ipset/Makefile 2005-09-30 16:45:42 UTC (rev 4311)
@@ -8,7 +8,7 @@
KERNEL_DIR=/usr/src/linux
endif
-IPSET_VERSION:=2.2.3
+IPSET_VERSION:=2.2.4
PREFIX:=/usr/local
LIBDIR:=$(PREFIX)/lib
@@ -21,7 +21,7 @@
RELEASE_DIR:=/tmp
COPT_FLAGS:=-O2
-CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -I. #-g -DIPSET_DEBUG #-pg # -DIPTC_DEBUG
+CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -I. # -g -DIPSET_DEBUG #-pg # -DIPTC_DEBUG
SH_CFLAGS:=$(CFLAGS) -fPIC
SETTYPES:=ipmap portmap macipmap iphash nethash iptree
Modified: trunk/ipset/ipset.8
===================================================================
--- trunk/ipset/ipset.8 2005-09-30 16:44:08 UTC (rev 4310)
+++ trunk/ipset/ipset.8 2005-09-30 16:45:42 UTC (rev 4311)
@@ -200,7 +200,7 @@
ipset supports the following set types:
.SS ipmap
The ipmap set type uses a memory range, where each bit represents
-one IP address. An ipmap set can store up to 65535 (B-class network)
+one IP address. An ipmap set can store up to 65536 (B-class network)
IP addresses. The ipmap set type is very fast and memory cheap, great
for use when one want to match certain IPs in a range. Using the
.B "--netmask"
@@ -228,7 +228,7 @@
.SS macipmap
The macipmap set type uses a memory range, where each 8 bytes
represents one IP and a MAC addresses. A macipmap set type can store
-up to 65535 (B-class network) IP addresses with MAC.
+up to 65536 (B-class network) IP addresses with MAC.
When adding an entry to a macipmap set, you must specify the entry as
.I IP%MAC.
When deleting or testing macipmap entries, the
@@ -264,7 +264,7 @@
entries from a macipmap type of set.
.SS portmap
The portmap set type uses a memory range, where each bit represents
-one port. A portmap set type can store up to 65535 ports.
+one port. A portmap set type can store up to 65536 ports.
The portmap set type is very fast and memory cheap.
.P
Options to use when creating an portmap set:
@@ -325,7 +325,7 @@
.TP
.BR "--probes " probes
How many times try to resolve clashing at adding an IP to the hash
-by double-hashing (default 2).
+by double-hashing (default 4).
.TP
.BR "--resize " percent
Increase the hash size by this many percent (default 50) when adding
@@ -354,7 +354,7 @@
.I IP%timeout-value.
.SH GENERAL RESTRICTIONS
Setnames starting with colon (:) cannot be defined. Zero valued set
-entries cannot be used.
+entries cannot be used with hash type of sets.
.SH COMMENTS
If you want to store same size subnets from a given network
(say /24 blocks from a /8 network), use the ipmap set type.
Modified: trunk/ipset/ipset.c
===================================================================
--- trunk/ipset/ipset.c 2005-09-30 16:44:08 UTC (rev 4310)
+++ trunk/ipset/ipset.c 2005-09-30 16:45:42 UTC (rev 4311)
@@ -483,16 +483,15 @@
char *ip_tostring(ip_set_ip_t ip, unsigned options)
{
struct in_addr addr;
- char *name;
-
addr.s_addr = htonl(ip);
if (!(options & OPT_NUMERIC)) {
+ char *name;
if ((name = ip_tohost(&addr)) != NULL ||
(name = ip_tonetwork(&addr)) != NULL)
return name;
}
-
+
return inet_ntoa(addr);
}
@@ -511,9 +510,6 @@
if (inet_aton(str, &addr) != 0) {
*ip = ntohl(addr.s_addr); /* We want host byte order */
- if (!*ip)
- exit_error(PARAMETER_PROBLEM,
- "Zero valued IP address `%s' specified", str);
return;
}
@@ -530,10 +526,6 @@
"Please specify one.", str);
*ip = ntohl(((struct in_addr *) host->h_addr_list[0])->s_addr);
- if (!*ip)
- exit_error(PARAMETER_PROBLEM,
- "Zero valued IP address `%s' specified",
- str);
return;
}
@@ -563,7 +555,7 @@
DP("bits: %d", bits);
- *mask = 0xFFFFFFFF << (32 - bits);
+ *mask = bits != 0 ? 0xFFFFFFFF << (32 - bits) : 0L;
}
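Review bot: The zero-bits branch uses `0L`, a signed `long`, while the other arm is the unsigned `0xFFFFFFFF` shift, so the conditional's result type depends on the platform's `long` width before it is narrowed into `*mask`; a plain `0` keeps the whole expression unsigned 32-bit: `*mask = bits != 0 ? 0xFFFFFFFFU << (32 - bits) : 0;`. If `bits` is not bounded to at most 32 before this line (the start of the function is outside the hunk), `32 - bits` goes negative and the shift is still undefined behaviour for such input; a range check on `bits` next to the `DP("bits: %d", bits);` line would close that.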
/* Combines parse_ip and parse_mask */
@@ -589,13 +581,13 @@
parse_ip(buf, ip);
DP("%s ip: %08X (%s) mask: %08X",
- str, *ip, ip_tostring(*ip, 0), *mask);
+ str, *ip, ip_tostring_numeric(*ip), *mask);
/* Apply the netmask */
*ip &= *mask;
DP("%s ip: %08X (%s) mask: %08X",
- str, *ip, ip_tostring(*ip, 0), *mask);
+ str, *ip, ip_tostring_numeric(*ip), *mask);
}
/* Return a string representation of a port
@@ -654,11 +646,7 @@
if ((string_to_number(str, 0, 65535, port) != 0)
&& (string_to_port(str, port) != 0))
exit_error(PARAMETER_PROBLEM,
- "Invalid TCP port `%s' specified", str);
-
- if (!*port)
- exit_error(PARAMETER_PROBLEM,
- "Zero valued port `%s' specified", str);
+ "Invalid TCP port `%s' specified", str);
}
/*
Modified: trunk/ipset/ipset_iphash.c
===================================================================
--- trunk/ipset/ipset_iphash.c 2005-09-30 16:44:08 UTC (rev 4310)
+++ trunk/ipset/ipset_iphash.c 2005-09-30 16:45:42 UTC (rev 4311)
@@ -152,6 +152,9 @@
(struct ip_set_req_iphash *) data;
parse_ip(optarg, &mydata->ip);
+ if (!mydata->ip)
+ exit_error(PARAMETER_PROBLEM,
+ "Zero valued IP address `%s' specified", optarg);
return mydata->ip;
};
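Review bot: `return mydata->ip;` at the end of the hunk still hands the parsed address back as the parser's result, whereas the same commit changes the ipmap, iptree, macipmap and portmap adt parsers to `return 1;`. With the new zero check the value can no longer be 0, so behaviour is the same, but the intent is clearer and immune to a later relaxation of that check if this function (and the matching nethash parser, whose hunk also ends on `return mydata->ip;`) returns `1` as well. The function's signature is outside the hunk, so whether callers treat the result as a flag or as the address itself cannot be confirmed from here.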
Modified: trunk/ipset/ipset_ipmap.c
===================================================================
--- trunk/ipset/ipset_ipmap.c 2005-09-30 16:44:08 UTC (rev 4310)
+++ trunk/ipset/ipset_ipmap.c 2005-09-30 16:45:42 UTC (rev 4311)
@@ -80,14 +80,18 @@
parse_ipandmask(optarg, &mydata->from, &mydata->to);
/* Make to the last of from + mask */
- mydata->to = mydata->from | ~(mydata->to);
-
+ if (mydata->to)
+ mydata->to = mydata->from | ~(mydata->to);
+ else {
+ mydata->from = 0x00000000;
+ mydata->to = 0xFFFFFFFF;
+ }
*flags |= OPT_CREATE_NETWORK;
- DP("--network from %x (%s)", mydata->from,
- ip_tostring_numeric(mydata->from));
- DP("--network to %x (%s)", mydata->to,
- ip_tostring_numeric(mydata->to));
+ DP("--network from %x (%s)",
+ mydata->from, ip_tostring_numeric(mydata->from));
+ DP("--network to %x (%s)",
+ mydata->to, ip_tostring_numeric(mydata->to));
break;
@@ -112,11 +116,15 @@
return 1;
}
+#define ERRSTRLEN 256
+
/* Final check; exit if not ok. */
void create_final(void *data, unsigned int flags)
{
struct ip_set_req_ipmap_create *mydata =
(struct ip_set_req_ipmap_create *) data;
+ ip_set_ip_t range;
+ char errstr[ERRSTRLEN];
if (flags == 0)
exit_error(PARAMETER_PROBLEM,
@@ -135,17 +143,14 @@
"Need to specify both --from and --to\n");
}
- DP("from : %x to: %x diff: %d", mydata->from, mydata->to,
+ DP("from : %x to: %x diff: %x",
+ mydata->from, mydata->to,
mydata->to - mydata->from);
if (mydata->from > mydata->to)
exit_error(PARAMETER_PROBLEM,
- "From can't be lower than to.\n", MAX_RANGE);
+ "From can't be lower than to.\n");
- if (mydata->to - mydata->from > MAX_RANGE)
- exit_error(PARAMETER_PROBLEM,
- "Range to large. Max is %d IPs in range\n",
- MAX_RANGE);
if (flags & OPT_CREATE_NETMASK) {
unsigned int mask_bits, netmask_bits;
ip_set_ip_t mask;
@@ -157,21 +162,37 @@
mask_to_bits(mydata->netmask));
mask = range_to_mask(mydata->from, mydata->to, &mask_bits);
- if (!mask)
+ if (!mask
+ && (mydata->from || mydata->to != 0xFFFFFFFF)) {
+ strncpy(errstr, ip_tostring_numeric(mydata->from),
+ ERRSTRLEN-2);
+ errstr[ERRSTRLEN-1] = '\0';
exit_error(PARAMETER_PROBLEM,
- "%s-%s is not a full network\n",
- ip_tostring_numeric(mydata->from),
- ip_tostring_numeric(mydata->to));
-
+ "%s-%s is not a full network (%x)\n",
+ errstr,
+ ip_tostring_numeric(mydata->to), mask);
+ }
netmask_bits = mask_to_bits(mydata->netmask);
- if (netmask_bits <= mask_bits)
+ if (netmask_bits <= mask_bits) {
+ strncpy(errstr, ip_tostring_numeric(mydata->from),
+ ERRSTRLEN-2);
+ errstr[ERRSTRLEN-1] = '\0';
exit_error(PARAMETER_PROBLEM,
- "%d netmask specifies larger or equal netblock than %s-%s\n",
+ "%d netmask specifies larger or equal netblock than %s-%s (%d)\n",
netmask_bits,
- ip_tostring_numeric(mydata->from),
- ip_tostring_numeric(mydata->to));
+ errstr,
+ ip_tostring_numeric(mydata->to),
+ mask_bits);
+ }
+ range = (1<<(netmask_bits - mask_bits)) - 1;
+ } else {
+ range = mydata->to - mydata->from;
}
+ if (range > MAX_RANGE)
+ exit_error(PARAMETER_PROBLEM,
+ "Range to large. Max is %d IPs in range\n",
+ MAX_RANGE+1);
}
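Review bot: `range = (1<<(netmask_bits - mask_bits)) - 1;` shifts a signed `int`, so when the two bit counts differ by 31 or 32 (a small `mask_bits` combined with `--netmask 32`, reachable now that the full 0.0.0.0-255.255.255.255 range passes the `!mask` check a few lines above) the shift is undefined behaviour rather than the intended block count; computing it in the unsigned `ip_set_ip_t` and handling the 32-bit case explicitly avoids this, e.g. `range = (netmask_bits - mask_bits) >= 32 ? 0xFFFFFFFF : (((ip_set_ip_t)1 << (netmask_bits - mask_bits)) - 1);`. The two `strncpy(errstr, ..., ERRSTRLEN-2); errstr[ERRSTRLEN-1] = '\0';` pairs copy at most 254 bytes but terminate at index 255, leaving index 254 unwritten when the source fills the copy; the dotted-quad strings in play are far shorter, but `snprintf(errstr, sizeof errstr, "%s", ip_tostring_numeric(mydata->from));` expresses the intent (a private copy because `ip_tostring_numeric` apparently returns a shared buffer) without the off-by-one. Whether `range_to_mask` sets `mask_bits` when it returns 0 for the full range is not visible here; if it does not, `range` is computed from an indeterminate value.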
/* Create commandline options */
@@ -194,7 +215,7 @@
parse_ip(optarg, &mydata->ip);
DP("%s", ip_tostring_numeric(mydata->ip));
- return mydata->ip;
+ return 1;
}
/*
Modified: trunk/ipset/ipset_iptree.c
===================================================================
--- trunk/ipset/ipset_iptree.c 2005-09-30 16:44:08 UTC (rev 4310)
+++ trunk/ipset/ipset_iptree.c 2005-09-30 16:45:42 UTC (rev 4311)
@@ -93,7 +93,7 @@
mydata->timeout = 0;
free(saved);
- return mydata->ip;
+ return 1;
}
/*
Modified: trunk/ipset/ipset_macipmap.c
===================================================================
--- trunk/ipset/ipset_macipmap.c 2005-09-30 16:44:08 UTC (rev 4310)
+++ trunk/ipset/ipset_macipmap.c 2005-09-30 16:45:42 UTC (rev 4311)
@@ -84,10 +84,10 @@
*flags |= OPT_CREATE_NETWORK;
- DP("--network from %x (%s)", mydata->from,
- ip_tostring_numeric(mydata->from));
- DP("--network to %x (%s)", mydata->to,
- ip_tostring_numeric(mydata->to));
+ DP("--network from %x (%s)",
+ mydata->from, ip_tostring_numeric(mydata->from));
+ DP("--network to %x (%s)",
+ mydata->to, ip_tostring_numeric(mydata->to));
break;
@@ -137,12 +137,12 @@
if (mydata->from > mydata->to)
exit_error(PARAMETER_PROBLEM,
- "From can't be lower than to.\n", MAX_RANGE);
+ "From can't be lower than to.\n");
if (mydata->to - mydata->from > MAX_RANGE)
exit_error(PARAMETER_PROBLEM,
- "Range to large. Max is %d IPs in range\n",
- MAX_RANGE);
+ "Range too large. Max is %d IPs in range\n",
+ MAX_RANGE+1);
}
/* Create commandline options */
@@ -194,7 +194,7 @@
memset(mydata->ethernet, 0, ETH_ALEN);
free(saved);
- return mydata->ip;
+ return 1;
}
/*
Modified: trunk/ipset/ipset_nethash.c
===================================================================
--- trunk/ipset/ipset_nethash.c 2005-09-30 16:44:08 UTC (rev 4310)
+++ trunk/ipset/ipset_nethash.c 2005-09-30 16:45:42 UTC (rev 4311)
@@ -49,7 +49,7 @@
/* Default create parameters */
mydata->hashsize = 1024;
- mydata->probes = 2;
+ mydata->probes = 4;
mydata->resize = 50;
}
@@ -149,6 +149,9 @@
mydata->cidr = cidr;
parse_ip(ptr, &mydata->ip);
+ if (!mydata->ip)
+ exit_error(PARAMETER_PROBLEM,
+ "Zero valued IP address `%s' specified", ptr);
free(saved);
return mydata->ip;
Modified: trunk/ipset/ipset_portmap.c
===================================================================
--- trunk/ipset/ipset_portmap.c 2005-09-30 16:44:08 UTC (rev 4310)
+++ trunk/ipset/ipset_portmap.c 2005-09-30 16:45:42 UTC (rev 4311)
@@ -99,12 +99,12 @@
if (mydata->from > mydata->to)
exit_error(PARAMETER_PROBLEM,
- "From can't be lower than to.\n", MAX_RANGE);
+ "From can't be lower than to.\n");
if (mydata->to - mydata->from > MAX_RANGE)
exit_error(PARAMETER_PROBLEM,
- "Range to large. Max is %d ports in range\n",
- MAX_RANGE);
+ "Range too large. Max is %d ports in range\n",
+ MAX_RANGE+1);
}
/* Create commandline options */
@@ -123,7 +123,7 @@
parse_port(optarg, &mydata->port);
DP("%s", port_tostring(mydata->port, 0));
- return mydata->port;
+ return 1;
}
/*