From 6340d999d71f2053cf1857bae6c16ceeacce0df6 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 15 Nov 2009 16:34:05 +0100 Subject: [PATCH] ipset: fast forward to v4.1 --- extensions/ipset/ip_set.c | 1 + extensions/ipset/ip_set_hashes.h | 22 +++++++++++------- extensions/ipset/ip_set_ipportiphash.c | 3 ++- extensions/ipset/ip_set_ipportnethash.c | 3 ++- extensions/ipset/ipset.8 | 30 ++++++++++++------------- extensions/ipset/ipset.c | 2 +- 6 files changed, 35 insertions(+), 26 deletions(-) diff --git a/extensions/ipset/ip_set.c b/extensions/ipset/ip_set.c index a172d49..f7e2785 100644 --- a/extensions/ipset/ip_set.c +++ b/extensions/ipset/ip_set.c @@ -1474,6 +1474,7 @@ ip_set_init(void) { int res; + /* For the -rt branch, DECLARE_MUTEX/init_MUTEX avoided */ sema_init(&ip_set_app_mutex, 1); if (max_sets) diff --git a/extensions/ipset/ip_set_hashes.h b/extensions/ipset/ip_set_hashes.h index f62ae37..8eeced3 100644 --- a/extensions/ipset/ip_set_hashes.h +++ b/extensions/ipset/ip_set_hashes.h @@ -186,7 +186,7 @@ type##_list_members_size(const struct ip_set *set, char dont_align) \ { \ const struct ip_set_##type *map = set->data; \ \ - return (map->hashsize * IPSET_VALIGN(sizeof(dtype), dont_align));\ + return (map->elements * IPSET_VALIGN(sizeof(dtype), dont_align));\ } #define HASH_LIST_MEMBERS(type, dtype) \ 
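Review bot: In `type##_list_members_size` the buffer size now comes from the `map->elements` counter, while the copy loops in the following hunk (`HASH_LIST_MEMBERS` and `HASH_LIST_MEMBERS_MEMCPY`) decide what to write by testing each slot for emptiness. The buffer length and the amount written therefore come from two independent sources. If more slots pass the test than `elements` reports, the writes run past the end of `data`. If fewer pass, the tail of the buffer is never written, and stale kernel memory could reach userspace unless the caller zeroes the buffer (the allocation is not visible in this patch). Bounding both loops by the counter closes the overrun case, `for (i = 0; i < map->hashsize && n < map->elements; i++) { \`, and a comment on this macro should state that it and `type##_list_members` are expected to run with no add or delete in between, presumably under one lock.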
@@ -195,27 +195,33 @@ type##_list_members(const struct ip_set *set, void *data, char dont_align)\ { \ const struct ip_set_##type *map = set->data; \ dtype *elem, *d; \ - uint32_t i; \ + uint32_t i, n = 0; \ \ for (i = 0; i < map->hashsize; i++) { \ elem = HARRAY_ELEM(map->members, dtype *, i); \ - d = data + i * IPSET_VALIGN(sizeof(dtype), dont_align); \ - *d = *elem; \ + if (*elem) { \ + d = data + n * IPSET_VALIGN(sizeof(dtype), dont_align);\ + *d = *elem; \ + n++; \ + } \ } \ } -#define HASH_LIST_MEMBERS_MEMCPY(type, dtype) \ +#define HASH_LIST_MEMBERS_MEMCPY(type, dtype, nonzero) \ static void \ type##_list_members(const struct ip_set *set, void *data, char dont_align)\ { \ const struct ip_set_##type *map = set->data; \ dtype *elem; \ - uint32_t i; \ + uint32_t i, n = 0; \ \ for (i = 0; i < map->hashsize; i++) { \ elem = HARRAY_ELEM(map->members, dtype *, i); \ - memcpy(data + i * IPSET_VALIGN(sizeof(dtype), dont_align),\ - elem, sizeof(dtype)); \ + if (nonzero) { \ + memcpy(data + n * IPSET_VALIGN(sizeof(dtype), dont_align),\ + elem, sizeof(dtype)); \ + n++; \ + } \ } \ } diff --git a/extensions/ipset/ip_set_ipportiphash.c b/extensions/ipset/ip_set_ipportiphash.c index 0dbafea..0f9ca2f 100644 --- a/extensions/ipset/ip_set_ipportiphash.c +++ b/extensions/ipset/ip_set_ipportiphash.c @@ -200,7 +200,8 @@ __ipportiphash_list_header(const struct ip_set_ipportiphash *map, HASH_LIST_HEADER(ipportiphash) HASH_LIST_MEMBERS_SIZE(ipportiphash, struct ipportip) -HASH_LIST_MEMBERS_MEMCPY(ipportiphash, struct ipportip) +HASH_LIST_MEMBERS_MEMCPY(ipportiphash, struct ipportip, + (elem->ip || elem->ip1)) IP_SET_RTYPE(ipportiphash, IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP1 | IPSET_DATA_TRIPLE) diff --git a/extensions/ipset/ip_set_ipportnethash.c b/extensions/ipset/ip_set_ipportnethash.c index 0ec4108..a66b1c2 100644 --- a/extensions/ipset/ip_set_ipportnethash.c +++ b/extensions/ipset/ip_set_ipportnethash.c 
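Review bot: The new `nonzero` parameter of `HASH_LIST_MEMBERS_MEMCPY` only works because the caller's expression names the macro's own local variable `elem`, and nothing at the definition says so. A comment above the macro would make that contract explicit, for example `/* nonzero: expression over the local 'elem', true when the slot holds a member */`. In `HASH_LIST_MEMBERS` the test `if (*elem)` likewise assumes `dtype` is a scalar whose zero value marks an empty slot, which is worth stating next to that macro as well.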
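Review bot: The emptiness test `(elem->ip || elem->ip1)` is written out here and again, identically, in the ip_set_ipportnethash.c hunk. It has to match whatever the add and delete paths treat as an empty `struct ipportip` slot, and those paths are outside this patch. If the two notions ever differ, the listing will skip or include slots that `map->elements` does not account for. Defining the test once next to `struct ipportip`, for example `#define IPPORTIP_NONZERO(e) ((e)->ip || (e)->ip1)` (the name is only a suggestion), and passing it at both call sites would keep them in step.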
@@ -284,7 +284,8 @@ __ipportnethash_list_header(const struct ip_set_ipportnethash *map, HASH_LIST_HEADER(ipportnethash) HASH_LIST_MEMBERS_SIZE(ipportnethash, struct ipportip) -HASH_LIST_MEMBERS_MEMCPY(ipportnethash, struct ipportip) +HASH_LIST_MEMBERS_MEMCPY(ipportnethash, struct ipportip, + (elem->ip || elem->ip1)) IP_SET_RTYPE(ipportnethash, IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP1 | IPSET_DATA_TRIPLE) diff --git a/extensions/ipset/ipset.8 b/extensions/ipset/ipset.8 index eb803ec..fa73298 100644 --- a/extensions/ipset/ipset.8 +++ b/extensions/ipset/ipset.8 @@ -99,15 +99,15 @@ the set, then add all elements. Then create the next set, add all its elements and so on. Also, it is a restore operation, so the sets being restored must not exist. .TP -\fB\-A\fP, \fB\-\-add\fP \fIsetname\fP \fIaddress\fP -Add an IP address entry to a set. +\fB\-A\fP, \fB\-\-add\fP \fIsetname\fP \fIentry\fP +Add an entry to a set. .TP -\fB\-D\fP, \fB\-\-del\fP \fIsetname\fP \fIaddress\fP -Delete an IP address entry from a set. +\fB\-D\fP, \fB\-\-del\fP \fIsetname\fP \fIentry\fP +Delete an entry from a set. .TP -\fB-T\fP, \fB\-\-test\fP \fIsetname\fP \fIaddress\fP -Test wether an IP address entry is in a set or not. Exit status number is zero -if the tested address is in the set and nonzero if it is missing from +\fB-T\fP, \fB\-\-test\fP \fIsetname\fP \fIentry\fP +Test wether an entry is in a set or not. Exit status number is zero +if the tested entry is in the set and nonzero if it is missing from the set. .TP \fB\-H\fP, \fB\-\-help\fP [\fIsettype\fP] @@ -176,7 +176,7 @@ The macipmap set type uses a memory range, where each 8 bytes represents one IP and a MAC addresses. A macipmap set type can store up to 65536 (B-class network) IP addresses with MAC. When adding an entry to a macipmap set, you must specify the entry as -"\fIip\fP\fB,\fP\fImac\fP". +"\fIaddress\fP\fB,\fP\fImac\fP". When deleting or testing macipmap entries, the "\fB,\fP\fImac\fP" part is not mandatory. 
@@ -269,10 +269,10 @@ ipset \-N test iphash \-\-probes 2 The nethash set type uses a hash to store different size of network addresses. The .I -IP -"address" used in the ipset commands must be in the form -"\fIip-address\fP\fB/\fP\fIprefixlen\fP" -where the CIDR block size must be in the inclusive range of 1-31. +entry +used in the ipset commands must be in the form +"\fIaddress\fP\fB/\fP\fIprefixlen\fP" +where prefixlen must be in the inclusive range of 1-31. In order to avoid clashes in the hash double-hashing, and as a last resort, dynamic growing of the hash performed. .P @@ -314,7 +314,7 @@ resort, dynamic growing of the hash performed. An ipporthash set can store up to 65536 (B-class network) IP addresses with all possible port values. When adding, deleting and testing values in an ipporthash type of set, the entries must be specified as -"\fIip\fP\fB,\fP\fIport\fP". +"\fIaddress\fP\fB,\fP\fIport\fP". .P The ipporthash types of sets evaluates two src/dst parameters of the "set" @@ -353,7 +353,7 @@ address triples. The first IP address must come form a maximum /16 sized network or range while the port number and the second IP address parameters are arbitrary. When adding, deleting and testing values in an ipportiphash type of set, the entries must be specified as -"\fIip\fP\fB,\fP\fIport\fP\fB,\fP\fIip\fP". +"\fIaddress\fP\fB,\fP\fIport\fP\fB,\fP\fIaddress\fP". .P The ipportiphash types of sets evaluates three src/dst parameters of the "set" @@ -394,7 +394,7 @@ parameters are arbitrary, but the size of the network address must be between /1-/31. When adding, deleting and testing values in an ipportnethash type of set, the entries must be specified as -"\fIaddress\fP\fB,\fP\fIaddress\fP\fB/\fP\fIprefixlen\fP". +"\fIaddress\fP\fB,\fP\fIport\fP\fB,\fP\fIaddress\fP\fB/\fP\fIprefixlen\fP". .P The ipportnethash types of sets evaluates three src/dst parameters of the "set" diff --git a/extensions/ipset/ipset.c b/extensions/ipset/ipset.c index c13576f..98a6ca5 100644 
--- a/extensions/ipset/ipset.c +++ b/extensions/ipset/ipset.c @@ -30,7 +30,7 @@ #define PROC_SYS_MODPROBE "/proc/sys/kernel/modprobe" #endif -#define IPSET_VERSION "4.0" +#define IPSET_VERSION "4.1" char program_name[] = "ipset"; char program_version[] = IPSET_VERSION;