+2.2.4
+ - half-fixed memory allocation bug in iphash and nethash finally
+ completely fixed (bug reported by Nikolai Malykh)
+ - restrictions to enter zero-valued entries into all non-hash type sets
+ were removed
+ - Too strict check on the set size of ipmap type was corrected
+
2.2.3
- memory allocation bug in iphash and nethash in connection with the SET
target was fixed (bug reported by Nikolai Malykh)
KERNEL_DIR=/usr/src/linux
endif
-IPSET_VERSION:=2.2.3
+IPSET_VERSION:=2.2.4
PREFIX:=/usr/local
LIBDIR:=$(PREFIX)/lib
RELEASE_DIR:=/tmp
COPT_FLAGS:=-O2
-CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -I. #-g -DIPSET_DEBUG #-pg # -DIPTC_DEBUG
+CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -I. # -g -DIPSET_DEBUG #-pg # -DIPTC_DEBUG
SH_CFLAGS:=$(CFLAGS) -fPIC
SETTYPES:=ipmap portmap macipmap iphash nethash iptree
ipset supports the following set types:
.SS ipmap
The ipmap set type uses a memory range, where each bit represents
-one IP address. An ipmap set can store up to 65535 (B-class network)
+one IP address. An ipmap set can store up to 65536 (B-class network)
IP addresses. The ipmap set type is very fast and memory cheap, great
for use when one want to match certain IPs in a range. Using the
.B "--netmask"
.SS macipmap
The macipmap set type uses a memory range, where each 8 bytes
represents one IP and a MAC addresses. A macipmap set type can store
-up to 65535 (B-class network) IP addresses with MAC.
+up to 65536 (B-class network) IP addresses with MAC.
When adding an entry to a macipmap set, you must specify the entry as
.I IP%MAC.
When deleting or testing macipmap entries, the
entries from a macipmap type of set.
.SS portmap
The portmap set type uses a memory range, where each bit represents
-one port. A portmap set type can store up to 65535 ports.
+one port. A portmap set type can store up to 65536 ports.
The portmap set type is very fast and memory cheap.
.P
Options to use when creating an portmap set:
.TP
.BR "--probes " probes
How many times try to resolve clashing at adding an IP to the hash
-by double-hashing (default 2).
+by double-hashing (default 4).
.TP
.BR "--resize " percent
Increase the hash size by this many percent (default 50) when adding
.I IP%timeout-value.
.SH GENERAL RESTRICTIONS
Setnames starting with colon (:) cannot be defined. Zero valued set
-entries cannot be used.
+entries cannot be used with hash type of sets.
.SH COMMENTS
If you want to store same size subnets from a given network
(say /24 blocks from a /8 network), use the ipmap set type.
char *ip_tostring(ip_set_ip_t ip, unsigned options)
{
struct in_addr addr;
- char *name;
-
addr.s_addr = htonl(ip);
if (!(options & OPT_NUMERIC)) {
+ char *name;
if ((name = ip_tohost(&addr)) != NULL ||
(name = ip_tonetwork(&addr)) != NULL)
return name;
}
-
+
return inet_ntoa(addr);
}
if (inet_aton(str, &addr) != 0) {
*ip = ntohl(addr.s_addr); /* We want host byte order */
- if (!*ip)
- exit_error(PARAMETER_PROBLEM,
- "Zero valued IP address `%s' specified", str);
return;
}
"Please specify one.", str);
*ip = ntohl(((struct in_addr *) host->h_addr_list[0])->s_addr);
- if (!*ip)
- exit_error(PARAMETER_PROBLEM,
- "Zero valued IP address `%s' specified",
- str);
return;
}
DP("bits: %d", bits);
- *mask = 0xFFFFFFFF << (32 - bits);
+ *mask = bits != 0 ? 0xFFFFFFFF << (32 - bits) : 0L;
}
/* Combines parse_ip and parse_mask */
parse_ip(buf, ip);
DP("%s ip: %08X (%s) mask: %08X",
- str, *ip, ip_tostring(*ip, 0), *mask);
+ str, *ip, ip_tostring_numeric(*ip), *mask);
/* Apply the netmask */
*ip &= *mask;
DP("%s ip: %08X (%s) mask: %08X",
- str, *ip, ip_tostring(*ip, 0), *mask);
+ str, *ip, ip_tostring_numeric(*ip), *mask);
}
/* Return a string representation of a port
if ((string_to_number(str, 0, 65535, port) != 0)
&& (string_to_port(str, port) != 0))
exit_error(PARAMETER_PROBLEM,
- "Invalid TCP port `%s' specified", str);
-
- if (!*port)
- exit_error(PARAMETER_PROBLEM,
- "Zero valued port `%s' specified", str);
+ "Invalid TCP port `%s' specified", str);
}
/*
(struct ip_set_req_iphash *) data;
parse_ip(optarg, &mydata->ip);
+ if (!mydata->ip)
+ exit_error(PARAMETER_PROBLEM,
+ "Zero valued IP address `%s' specified", optarg);
return mydata->ip;
};
parse_ipandmask(optarg, &mydata->from, &mydata->to);
/* Make to the last of from + mask */
- mydata->to = mydata->from | ~(mydata->to);
-
+ if (mydata->to)
+ mydata->to = mydata->from | ~(mydata->to);
+ else {
+ mydata->from = 0x00000000;
+ mydata->to = 0xFFFFFFFF;
+ }
*flags |= OPT_CREATE_NETWORK;
- DP("--network from %x (%s)", mydata->from,
- ip_tostring_numeric(mydata->from));
- DP("--network to %x (%s)", mydata->to,
- ip_tostring_numeric(mydata->to));
+ DP("--network from %x (%s)",
+ mydata->from, ip_tostring_numeric(mydata->from));
+ DP("--network to %x (%s)",
+ mydata->to, ip_tostring_numeric(mydata->to));
break;
return 1;
}
+#define ERRSTRLEN 256
+
/* Final check; exit if not ok. */
void create_final(void *data, unsigned int flags)
{
struct ip_set_req_ipmap_create *mydata =
(struct ip_set_req_ipmap_create *) data;
+ ip_set_ip_t range;
+ char errstr[ERRSTRLEN];
if (flags == 0)
exit_error(PARAMETER_PROBLEM,
"Need to specify both --from and --to\n");
}
- DP("from : %x to: %x diff: %d", mydata->from, mydata->to,
+ DP("from : %x to: %x diff: %x",
+ mydata->from, mydata->to,
mydata->to - mydata->from);
if (mydata->from > mydata->to)
exit_error(PARAMETER_PROBLEM,
- "From can't be lower than to.\n", MAX_RANGE);
+ "From can't be lower than to.\n");
- if (mydata->to - mydata->from > MAX_RANGE)
- exit_error(PARAMETER_PROBLEM,
- "Range to large. Max is %d IPs in range\n",
- MAX_RANGE);
if (flags & OPT_CREATE_NETMASK) {
unsigned int mask_bits, netmask_bits;
ip_set_ip_t mask;
mask_to_bits(mydata->netmask));
mask = range_to_mask(mydata->from, mydata->to, &mask_bits);
- if (!mask)
+ if (!mask
+ && (mydata->from || mydata->to != 0xFFFFFFFF)) {
+ strncpy(errstr, ip_tostring_numeric(mydata->from),
+ ERRSTRLEN-2);
+ errstr[ERRSTRLEN-1] = '\0';
exit_error(PARAMETER_PROBLEM,
- "%s-%s is not a full network\n",
- ip_tostring_numeric(mydata->from),
- ip_tostring_numeric(mydata->to));
-
+ "%s-%s is not a full network (%x)\n",
+ errstr,
+ ip_tostring_numeric(mydata->to), mask);
+ }
netmask_bits = mask_to_bits(mydata->netmask);
- if (netmask_bits <= mask_bits)
+ if (netmask_bits <= mask_bits) {
+ strncpy(errstr, ip_tostring_numeric(mydata->from),
+ ERRSTRLEN-2);
+ errstr[ERRSTRLEN-1] = '\0';
exit_error(PARAMETER_PROBLEM,
- "%d netmask specifies larger or equal netblock than %s-%s\n",
+ "%d netmask specifies larger or equal netblock than %s-%s (%d)\n",
netmask_bits,
- ip_tostring_numeric(mydata->from),
- ip_tostring_numeric(mydata->to));
+ errstr,
+ ip_tostring_numeric(mydata->to),
+ mask_bits);
+ }
+ range = (1<<(netmask_bits - mask_bits)) - 1;
+ } else {
+ range = mydata->to - mydata->from;
}
+ if (range > MAX_RANGE)
+ exit_error(PARAMETER_PROBLEM,
+ "Range to large. Max is %d IPs in range\n",
+ MAX_RANGE+1);
}
/* Create commandline options */
parse_ip(optarg, &mydata->ip);
DP("%s", ip_tostring_numeric(mydata->ip));
- return mydata->ip;
+ return 1;
}
/*
mydata->timeout = 0;
free(saved);
- return mydata->ip;
+ return 1;
}
/*
*flags |= OPT_CREATE_NETWORK;
- DP("--network from %x (%s)", mydata->from,
- ip_tostring_numeric(mydata->from));
- DP("--network to %x (%s)", mydata->to,
- ip_tostring_numeric(mydata->to));
+ DP("--network from %x (%s)",
+ mydata->from, ip_tostring_numeric(mydata->from));
+ DP("--network to %x (%s)",
+ mydata->to, ip_tostring_numeric(mydata->to));
break;
if (mydata->from > mydata->to)
exit_error(PARAMETER_PROBLEM,
- "From can't be lower than to.\n", MAX_RANGE);
+ "From can't be lower than to.\n");
if (mydata->to - mydata->from > MAX_RANGE)
exit_error(PARAMETER_PROBLEM,
- "Range to large. Max is %d IPs in range\n",
- MAX_RANGE);
+ "Range too large. Max is %d IPs in range\n",
+ MAX_RANGE+1);
}
/* Create commandline options */
memset(mydata->ethernet, 0, ETH_ALEN);
free(saved);
- return mydata->ip;
+ return 1;
}
/*
/* Default create parameters */
mydata->hashsize = 1024;
- mydata->probes = 2;
+ mydata->probes = 4;
mydata->resize = 50;
}
mydata->cidr = cidr;
parse_ip(ptr, &mydata->ip);
+ if (!mydata->ip)
+ exit_error(PARAMETER_PROBLEM,
+ "Zero valued IP address `%s' specified", ptr);
free(saved);
return mydata->ip;
if (mydata->from > mydata->to)
exit_error(PARAMETER_PROBLEM,
- "From can't be lower than to.\n", MAX_RANGE);
+ "From can't be lower than to.\n");
if (mydata->to - mydata->from > MAX_RANGE)
exit_error(PARAMETER_PROBLEM,
- "Range to large. Max is %d ports in range\n",
- MAX_RANGE);
+ "Range too large. Max is %d ports in range\n",
+ MAX_RANGE+1);
}
/* Create commandline options */
parse_port(optarg, &mydata->port);
DP("%s", port_tostring(mydata->port, 0));
- return mydata->port;
+ return 1;
}
/*
projects / thirdparty / ipset.git / commitdiff
