IP set home  Features  Download & Install  Tips & Examples  ipset(8)  iptables(8)  ChangeLog

ChangeLog 6.11 Kernel part changes hash:net,iface timeout bug fixed Exceptions support added to hash:*net* types net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules Log warning when a hash type of set gets full Userspace changes Support hostnames and service names with dash Exceptions support added to hash:*net* types Log warning when a hash type of set gets full Set types moved into libipset library Library map file added in order to support library versioning doc: Linux 2.6.39 already has the defs (Jan Engelhardt) build: install libipset in the right place (Jan Engelhardt) Provide a pkgconfig file (Jan Engelhardt) build: make distcheck work and use POSIX mode for tarball generation (Jan Engelhardt) build: install libipset/linux_ip_set_list.h (Jan Engelhardt) build: include libipset/nfproto.h (Jan Engelhardt) build: process include/libipset/ (Jan Engelhardt) build: use AC_CONFIG_AUX_DIR and stash away tools (Jan Engelhardt) Update .gitignore (Jan Engelhardt) 6.10 Kernel part changes Invert the logic to include version.h in ip_set_core.c Suppress false compile-time warnings about uninitialized variable ip_to Userspace changes Tests added to check ICMP/ICMPv6 type/code parsing ICMP/ICMPv6 type/code parser bug fixed (bug reported by Sabitov) ipset: fix lookup of tcp port names (Stephen Hemminger) Optionally disable building the kernel module (Mathieu Bridon) Make tidy complete 6.9.1 Kernel part changes Fix compiling ipset as external kernel modules (v6.9) Complete Kconfig with hash:net,iface type (standalone package) rtnetlink: Compute and store minimum ifinfo dump size (Greg Rose) Remove redundant linux/version.h includes from net/ (Jesper Juhl) ipset: use NFPROTO_ constants (Jan Engelhardt) netfilter: ipset: expose userspace-relevant parts in ip_set.h (Jan Engelhardt) netfilter: ipset: avoid use of kernel-only types (Jan Engelhardt) netfilter: Remove unnecessary OOM logging messages (Joe Perches) Dumping error triggered removing references twice and lead to kernel BUG Autoload set type modules safely Userspace changes build: move ipset_errcode into library (Jan Engelhardt) build: abort autogen on subcommand failure (Jan Engelhardt) ipset: use NFPROTO_ constants (Jan Engelhardt) Propagate "expose userspace-relevant parts in ip_set.h" to ipset source 6.8 Kernel part changes Fix compiler warnings "'hash_ip4_data_next' declared inline after being called" (Chris Friesen) hash:net,iface fixed to handle overlapping nets behind different interfaces Make possible to hash some part of the data element only. Userspace changes Update the manpage and document the limits in hash:net,iface. README file corrections from Richard Lucassen 6.7 Kernel part changes Whitespace and coding fixes, detected by checkpatch.pl hash:net,iface type introduced Use the stored first cidr value instead of '1' Fix return code for destroy when sets are in use Add xt_action_param to the variant level kadt functions, ipset API change Drop supporting kernel versions below 2.6.35 Userspace changes Whitespace and coding fixes, detected by checkpatch.pl hash:net,iface type introduced hash:* tests may seem to fail due to the too wide grep pattern, fix them Remove iptree tests and compatibility element parsing hash:net test may seem to fail due to the too wide grep pattern, fix it Fix long time uncovered bug at adding string attributes to the netlink messages Fix warnings reported by valgrind Remove supporting set types iptree and iptreemap 6.6 Kernel part changes Use unified from/to address masking and check the usage ip_set_flush returned -EPROTO instead of -IPSET_ERR_PROTOCOL, fixed Take into account cidr value for the from address when creating the set Adding ranges to hash types with timeout could still fail, fixed Removed old, not used hashing method ip_set_chash Remove variable 'ret' in type_pf_tdel(), which is set but not used Use proper timeout parameter to jiffies conversion Userspace changes Restore with bitmap:port and list:set types did not work, fixed Accept "\r\n" terminated COMMIT command in restore files Fix the message sequence number book-keeping Protocol-level debugging support added hash:net stress test in range notation added ipset_mnl_query: in debug mode print the errno returned by the cb function Accept "\r\n" terminated lines in restore files Remove outdated checking of IPv6 support from configure.ac 6.5 Kernel part changes Support range for IPv4 at adding/deleting elements for hash:*net* types Set type support with multiple revisions added Fix adding ranges to hash types Userspace changes Support range for IPv4 at adding/deleting elements for hash:*net* types Disable type revisions which are not supported both by the kernel and ipset Update ipset help text to reflect SCTP and UDPLITE support Ignore -n flag (list just setnames) when sets are to be saved 6.4 Kernel part changes Support listing setnames and headers too Fix the order of listing of sets Options and flags support added to the kernel API Userspace changes Get rid of the trailing empty line at listing sets Fix XML listing, remove broken unused "elements" tag Support listing setnames and headers too Sorting is dependent on the locale settings, use LC_ALL=C Use unified diff output in tests 6.3 Kernel part changes ipset/Kconfig was a mixed up kernel config file, fixed (Michael Tokarev) bitmap:ip,mac type requires "src" for MAC, enforce it whitespace fixes: some space before tab slipped in set match and SET target fixes (bugs reported by Lennert Buytenhek) Userspace changes Testsuite changes: keep temporary files bitmap:ip,mac type requires "src" for MAC: manpage is updated to reflect the change Testsuite checks added (SET target and dir parameter checks) 6.2 Kernel part changes list:set timeout variant fixes References are protected by rwlock instead of mutex Add explicit text message to detect patched kernel (netlink.patch) Timeout can be modified for already added elements Userspace changes Manpage update 6.1 Kernel part changes The hash:*port* types ignored the address range with non TCP/UDP, fixed Fix checking the revision number of the set type at create command SCTP, UDPLITE support to hash:*port* types added Fix revision reporting got broken by the revision checking patch Userspace changes Manpage was not installed (reported by Mark A. Ziesemer) SCTP, UDPLITE support to the hash:*port* types added 6.0 Kernel part changes Reorganized kernel/ subdir netfilter: ipset: fix linking with CONFIG_IPV6=n (Patrick McHardy) netfilter: ipset: send error message manually netfilter: ipset: add missing break statemtns in ip_set_get_ip_port() (Patrick McHardy) netfilter: ipset: add missing include to xt_set.h (Patrick McHardy) netfilter: ipset: remove unnecessary includes (Patrick McHardy) netfilter: ipset: use nla_parse_nested() (Patrick McHardy) Separate ipset errnos completely from system ones and bump protocol version Use better error codes in xt_set.c Fix sparse warning about shadowed definition bitmap:ip type: flavour specific adt functions (Patrick McHardy's review) bitmap:port type: flavour specific adt functions (Patrick McHardy's review) Move the type specifici attribute validation to the core (suggested by Patrick McHardy) Use vzalloc() instead of __vmalloc() (Eric Dumazet, Patrick McHardy) Use meaningful error messages in xt_set.c (Patrick McHardy's review) Constified attribute cannot be written (Patrick McHardy's review) Send (N)ACK at dumping only when NLM_F_ACK is set (Patrick McHardy's review) Correct the error codes: use ENOENT and EMSGSIZE (Patrick McHardy's review) Userspace changes Print protocol version together with ipset version Testsuite compatibility with debugging enabled Allow "new" as a commad alias to "create" ipset: improve command argument parsing (Holger Eitzenberger) ipset: avoid the unnecessary argv[] loop (Holger Eitzenberger) ipset: pass ipset_arg argument pointer (Holger Eitzenberger) Separate ipset errnos completely from system ones and bump protocol version Fix the spelling error fix :-) (Ferenc Wagner) Resolving IP addresses did not work at listing/saving sets, fixed ipset: fix spelling error (Holger Eitzenberger) ipset: fix the Netlink sequence number (Holger Eitzenberger) ipset: turn Set name[] into a const pointer (Holger Eitzenberger) Check ICMP and ICMPv6 with the set match and target in the testsuite Avoid possible syntax clashing at saving hostnames 5.4.1 Documentation UPGRADE file added 5.4 Kernel part changes Fixed broken ICMP and ICMPv6 handling Fix trailing whitespaces and pr_* messages Un-inline functions which are not small enough (Patrick McHardy) Fix module loading at create/header commands (Patrick McHardy) Fix wrong kzalloc flag in type_pf_expire The get_ip*_port functions are too large to be inlined, moved into the core Add missing __GFP_HIGHMEM flag to __vmalloc (Eric Dumazet) Enforce network-ordered data in the netlink protocol Use annotated types and fix sparse warnings (Patrick McHardy) Move ip_set_alloc, ip_set_free and ip_set_get_ipaddr* into the core (Patrick McHardy) NETMASK*, HOSTMASK* macros are too generic, replace with inline functions (Patrick McHardy) Use static LIST_HEAD() for ip_set_type_list (Patrick McHardy) Move NLA_PUT_NET* macros to include/net/netlink.h (Patrick McHardy) The module parameter max_sets should be unsigned int (Patrick McHardy) Get rid of ip_set_kernel.h (Patrick McHardy) Fix the placement style of boolean operators at continued lines (Patrick McHardy) 5.3 Kernel part changes There is no need to call synchronize_net() at swapping Replace strncpy with strlcpy at creating a set Update copyright date and some style changes Use jhash.h accepted in kernel, with backward compatibility Separate prefixlens from ip_set core Remove unused ctnl parameter from call_ad (Jan Engelhardt) Comment the possible return values of the add/del/test type-functions Userspace changes Set the non-debug compiling the default Testsuite fix of ospf replaced with vrrp Fix build with NDEBUG defined (Holger Eitzenberger) Do session initialization once (Holger Eitzenberger) Make IPv4 and IPv6 address handling similar (Holger Eitzenberger) Show correct line numbers in restore output for parser errors (Holger Eitzenberger) Replace ospf with vrrp in the testsuite Remove autogenerated files (Jan Engelhardt) Use only AC_CANONICAL_HOST (Jan Engelhardt) 5.2 Kernel part changes Kernel version check at minimal supported version was mistyped, now fixed Userspace changes Handle internal printing errors Use cast to void * instead of memcpy as Sparc workaround at sockaddr_XXX suggested by Jan Engelhardt) Listing/saving of large sets could produce broken listing, fixed Support libtool < 2.2 5.1 Kernel part changes Kernel version compatibility: support bumped starting from 2.6.34 Use EXPORT_SYMBOL_GPL (Jan Engelhardt) const annotations (Jan Engelhardt) Use __read_mostly for registration-type structures (Jan Engelhardt) Do not mix const and __read_mostly (Jan Engelhardt) xt_set: avoid user types in exported kernel headers (Jan Engelhardt) Enable parallel building (Jan Engelhardt) Fix Kbuild for me to delete backup files Userspace changes Test cases for IPv6 restore and more complex restore sessions added Restore mode did not work for IPv6, fixed (reported by Elie Rosenblum) libipset: static annotations (Jan Engelhardt) libipset: const annotations (Jan Engelhardt) libipset: remove redundant casts (Jan Engelhardt) libipset: remove redundant indirection via union name (Jan Engelhardt) libipset: ipset_strncpy is really a strlcpy-type operation (Jan Engelhardt) Prevent calling Makefile directly in the kernel/ subdirectory Put back the Sparc specific workaround at getaddrinfo (reported by Jan Engelhardt) Check old system kernel header files Check from `configure` that the kernel source is patched with netlink.patch Use configure to detect compiler warning flags Try to solve PKG_CHECK_MODULES issue (reported by Rob Sterenborg) Fix incorrect comparison in check_allowed (reported by Jan Engelhardt) 5.0 New main branch - ipset completely rewritten 4.5 Kernel part changes The iptreemap type used wrong gfp flags when deleting entries (bug reported by Dash Four) Userspace changes Take into account the compile time setting of the default hash size (reported by Dash Four) 4.4 Kernel part changes The ipporthash, ipportiphash and ipportnethash set types did not work with mixed "src" and "dst" direction parameters of the "set" and "SET" iptables match and target (reported by Dash Four) Errorneous semaphore handling in error path fixed (reported by Jan Engelhardt, bugzilla id 668) Userspace changes Manpage fix to make it clear how ipset works on setlist type of sets (John Brendler, bugzilla id 640) 4.3 Kernel part changes Support of 2.6.35 kernels added 4.2 Kernel part changes nethash and ipportnethash types counted every entry twice which could produce bogus entries when listing/saving these types of sets (bug reported by Husnu Demir) Userspace changes Checking null entries when listing/saving hash types of sets deleted because it's unnecessary and can mask possible errors. 4.1 Kernel part changes Do not use init_MUTEX either (Jan Engelhardt) Improve listing/saving hash type of sets by not copying empty entries unnecessarily to userspace. Userspace changes Manpage fixes and corrections (Jan Engelhardt) 4.0 Kernel part changes Compilation of ip_set_iptree.c fails with kernel 2.6.20 due to missing include of linux/jiffies.h (Jan Engelhardt) Do not use DECLARE_MUTEX (compatibility fix on 2.6.31-rt, Jan Engelhardt) Flushing iptreemap type of sets caused high ksoftirqd load due to zeroed out gc parameter (bug reported by Georg Chini) New protocol is introduced to handle aligment issues properly (bug reported by Georg Chini) Binding support is removed Userspace changes New protocol is introduced to handle aligment issues properly (bug reported by Georg Chini) Binding support is removed 3.2 Kernel part changes Mixed up formats in ip_set_iptree.c fixed (Rob Sterenborg) Don't use 'bool' for backward compatibility reasons (Rob Sterenborg) 3.1 Userspace changes Correct format specifiers and change %i to %d (Jan Engelhardt) Kernel part changes Nonexistent sets were reported as existing sets when testing from userspace in setlist type of sets (bug reported by Victor A. Safronov) When saving sets, setlist type of sets must come last in order to satisfy the dependency from the elements (bug reported by Marty B.) Sparse insists that the flags argument to kmalloc() is gfp_t (Stephen Hemminger) Correct format specifiers and change %i to %d (Jan Engelhardt) Fix the definition of 'bool' for kernels <= 2.6.18 (Jan Engelhardt) 3.0 Userspace changes New kernel-userspace protocol release Bigendian and 64/32bit fixes (Stefan Gula, bugzilla id 593) tests/runtests.sh changed to support old bash shells Kernel part changes New kernel-userspace protocol release Bigendian and 64/32bit fixes (Stefan Gula, bugzilla id 593) Support of 2.4.3[67].* kernels fixed Compiling with debugging enabled fixed 2.5.0 Userspace changes On parisc architecture cast increases required aligment (bugzilla id 582), fixed. Respect LDFLAGS settings at compile time (Peter Volkov). Kernel part changes instead of setting the locks directly as it causes compilation errors with 2.6.29-rt (Jan Engelhardt). 2.4.9 Kernel part changes References to the old include file replaced with new one in order to really use the new Jenkins' hash function. 2.4.8 Userspace changes In order to disable the extra warning flags, NO_EXTRA_WARN_FLAGS variable added to userspace Makefile. Kernel part changes The Jenkins' hash lookup2() replaced with Jenkins' faster/better lookup3() hash function. Bug fixed: after elements are added and deleted from a hash, an element can successfully be added in spite it's already in the hash and thus duplicates can occur (Shih-Yi Chen). Compatibility with old gcc without 'bool' added. 2.4.7 Kernel part changes Typo which broke compilation with kernels < 2.6.28 fixed (reported by Richard Lucassen, Danny Rawlins) 2.4.6 Kernel part changes Compatibility fix for kernels >= 2.6.28 2.4.5 Userspace changes Some compiler warning options are too aggressive and therefore disabled. Kernel part changes setlist type does not work properly together with swapping sets, bug reported by Thomas Jacob. Include linux/capability.h explicitly in ip_set.c (Jan Engelhardt) 2.4.4 Userspace changes Premature checking prevents to add valid elements to hash types, fixed (bug reported by JC Janos). Local variable shadows another variable, fixed (reported by Jan Engelhardt). More compiler warning options added and warnings fixed. Kernel part changes Premature checking prevents to add valid elements to hash types, fixed (bug reported by JC Janos). 2.4.3 Userspace changes Include file <limits.h> was missing from userspace set type modules, reported by Krzysztof Oledzki and Sven Wegener. 2.4.2 Kernel part changes When flushing a nethash/ipportnethash type of set, it can lead to a kernel crash due to a wrong type declaration, bug reported by Krzysztof Oledzki. iptree and iptreemap types require the header file linux/timer.h, also reported by Krzysztof Oledzki. 2.4.1 Userspace changes macipmap type reported misleading deprecated separator tokens and printed the old one at listing set elements; the warning contained misprinting as well (bugs reported by Krzysztof Oledzki) Warn only once about deprecated separator tokens in restore mode. Kernel part changes Zero-valued element are not acceptable by hash type of sets because we cannot make a difference between a zero-valued element and not-set element. Enforce it, as manpage says. (fixes bugzilla id 543) 2.4 Userspace changes Added KBUILD_OUTPUT support (Sven Wegener) Fix memory leak in ipset_iptreemap (Sven Wegener) Fix multiple compiler warnings (Sven Wegener) ipportiphash, ipportnethash and setlist types added binding marked as deprecated functionality element separator token changed to ',' in anticipating IPv6 addresses, old separator tokens are still supported unnecessary includes removed ipset does not try to resolve IP addresses when listing the content of sets (default changed) manpage updated Kernel part changes ipportiphash, ipportnethash and setlist types added set type modules reworked to avoid code duplication as much as possible, code unification macros expand_macros Makefile target added to help debugging code unification macros ip_set_addip_kernel and ip_set_delip_kernel changed from void to int, __ip_set_get_byname and __ip_set_put_byid added for the sake of setlist type unnecessary includes removed compatibility fix for kernels >= 2.6.27: semaphore.h was moved from asm/ to linux/ (James King) 2.3.3a Fix to compile ipset with 2.4.26.x tree statically (bug reported by G.W. Haywood) 2.3.3 compatibility for the 2.6.x kernel tree improved and compiler warnings fixed (Jan Engelhardt) compatibility fixes for the 2.4.36.x kernel tree added 2.3.2 including limits.h for UINT_MAX is required with glibc-2.8 (pud) needless cast from and to void pointers cleanups in iptreemap (Sven Wegener) Initial ipset release with kernel modules included. 2.3.1 segfault on --unbind :all: :all: fixed (reported by bugzilla, report and patch sent by Tom Eastep) User input parameters are sanitized everywhere Initial testsuite added and 'test' target to the Makefile added: few bugs discovered and fixed typo in macipmap type prevented to use max size set of this type *map types are made sure to allow and use max size of sets 2.3.0 jiffies rollover bug in iptree type fixed (reported by Lukasz Nierycho and others) endiannes bug in iptree type fixed (spotted by Jan Engelhardt) iptreemap type added (submitted by Sven Wegener) 2.6.22/23 compatibility fixes (Jeremy Jacque) typo fixes in ipset (Neville D) separator changed to ':' from '%' (old one still supported) in ipset 2.2.9a use correct type (socklen_t) for getsockopt (H. Nakano) incorrect return codes fixed (Tomasz Lemiech, Alexey Bortnikov) kernel header dependency removed (asm/bitops.h) ipset now tries to load in the ip_set kernel module if the protocol is not available 2.2.9 ipset -N did not generate proper return code limit module parameter added to the kernel modules of the iphash, ipporthash, nethash and iptree type of sets so that the maximal number of elements can now be limited zero valued entries (port 0 or IP address 0.0.0.0) were detected as members of the hash/tree kind of sets (reported by Andrew Kraslavsky) list and save operations used the external identifier of the sets for the bindings instead of the internal one (reported by Amin Azez) 2.2.8 Nasty off-by-one bug fixed in iptree type of sets (bug reported by Pablo Sole) 2.2.7 All patches were submitted by Jones Desougi. missing or confusing error message fixes for ipporthash minor correction in debugging in nethash copy-paste bug in kernel set types at memory allocation checking fixed unified memory allocations in ipset 2.2.6 memory allocation in iptree is changed to GFP_ATOMIC because we hold a lock (bug reported by Radek Hladik) compatibility fix: __nocast is not defined in all 2.6 branches (problem reported by Ming-Ching Tiew) manpage corrections 2.2.5 garbage collector of iptree type of sets is fixed: flushing sets/removing kernel module could corrupt the timer new ipporthash type added manpage fixes and corrections 2.2.4 half-fixed memory allocation bug in iphash and nethash finally completely fixed (bug reported by Nikolai Malykh) restrictions to enter zero-valued entries into all non-hash type sets were removed Too strict check on the set size of ipmap type was corrected 2.2.3 Memory allocation bug in iphash and nethash in connection with the SET target was fixed (bug reported by Nikolai Malykh) lockhelp.h was removed from the 2.6.13 kernel tree, ip_set.c is updated accordingly (Cardoso Didier, Samir Bellabes) manpage is updated to clearly state the command order in restore mode 2.2.2 Jiffies rollover bug in ip_set_iptree reported and fixed by Rob Nielsen Compiler warning in the non-SMP case fixed (Marcus Sundberg) slab cache names shrunk in order to be compatible with 2.4.* (Marcus Sundberg) 2.2.1 Magic number in ip_set_nethash.h was mistyped (bug reported by Rob Carlson) ipset can now test IP addresses in nethash type of sets (i.e. addresses in netblocks added to the set) 2.2.0 Locking bug in ip_set_nethash.c (Clifford Wolf and Rob Carlson) Makefile contained an unnecessary variable in IPSET_LIB_DIR (Clifford Wolf) Safety checkings of restore in ipset was incomplete (Robin H. Johnson) More careful resizing by avoiding locking completely stdin stored internally in a temporary file, so we can feed 'ipset -R' from a pipe iptree set type added 2.1.0 Lock debugging used with debugless lock definiton (Piotr Chytla and others). Bindings were not properly filled out at listing (kernel) When listing sets from kernel, id was not added to the set structure (ipset) nethash set type added ipset manpage corrections (macipmap) 2.0.1 Missing -fPIC in Makefile (Robert Iakobashvili) Cut'n'paste bug at saving macipmap types (Vincent Bernat). Bug in printing/saving SET targets reported and fixed by Michal Pokrywka 2.0 Chaining of sets are changed: child sets replaced by bindings Kernel-userspace communication reorganized to minimize the number of syscalls Save and restore functionality implemented iphash type reworked: clashing resolved by double-hashing and by dynamically growing the set 1.0 ipset forked from ippool Chaining of sets added via child sets portmap and iphash types added

All the documentation on this site is released under the GNU/GPL license terms.