ChangeLog

  • 6.21.1
    • Kernel part changes
      • netfilter: ip_set: rename nfnl_dereference()/nfnl_set() (Patrick McHardy)
    • Userspace changes
      • The bash utilities are updated
      • Fix libipset library release versioning (reported by Mathieu Bridon)
  • 6.21
    • Kernel part changes
      • ipset: add forceadd kernel support for hash set types (Josh Hunt)
      • netfilter: ipset: move registration message to init from net_init (Ilia Mirkin)
      • kernel: uapi: fix MARKMASK attr ABI breakage (Florian Westphal)
      • Prepare the kernel for create option flags when no extension is needed
      • add markmask for hash:ip,mark data type (Vytas Dauksa)
      • add hash:ip,mark data type to ipset (Vytas Dauksa)
      • ipset: remove unused code (Stephen Hemminger)
      • netfilter: ipset: Add hash: fix coccinelle warnings (Fengguang Wu)
      • Typo in ip_set_hash_netnet.c fixed (David Binderman)
      • net ipset: use rbtree postorder iteration instead of opencoding (Cody P Schafer)
      • ipset: Follow manual page behavior for SET target on list:set (Sergey Popovich)
    • Userspace changes
      • ipset: add userspace support for forceadd (Josh Hunt)
      • kernel: uapi: fix MARKMASK attr ABI breakage (Florian Westphal)
      • lib: fix ifname 'physdev:' prefix parsing (Florian Westphal)
      • Prepare the kernel for create option flags when no extension is needed
      • print mark & mark mask in hex rather than decimal (Vytas Dauksa)
      • add markmask for hash:ip,mark data type (Vytas Dauksa)
      • add hash:ip,mark data type to ipset (Vytas Dauksa)
      • ipset: manpage: correct add action synopsis for hash:net,port,net. (Mart Frauenlob)
      • ipset: manpage: remove spare comma for hash:net,net test action. (Mart Frauenlob)
      • Fix all set output from list/save when set with counters in use. (Sergey Popovich)
      • ipset: Fix malformed output from list/save for ICMP types in port field (Sergey Popovich)
      • ipset: fix timeout data type size (Nikolay Martynov)
  • 6.20.1
    • Kernel part changes
      • netfilter: ipset: remove duplicate define (Michael Opdenacker)
      • net->user_ns is available starting from 3.8, add compatibility checking (reported by Jan Engelhardt)
      • Fix memory allocation for bitmap:port (reported by Quentin Armitage)
      • Avoid clashing with configured kernel in [CONFIG_]IP_SET_MAX
      • The unnamed union initialization may lead to compilation error (reported by Husnu Demir)
      • Use dev_net() instead of the direct access to ->nd_net (reported by the kbuild test robot)
    • Userspace changes
      • build: fix incorrect library versioning (Jan Engelhardt)
      • netfilter: ipset: Fix configure failure when --with-kmod=no (Oliver Smith)
      • Avoid clashing with configured kernel in [CONFIG_]IP_SET_MAX
  • 6.20
    • Kernel part changes
      • Compatibility code is modified not to rely on kernel version numbers
      • Use netlink callback dump args only
      • Add hash:net,port,net module to kernel (Oliver Smith)
      • Add net namespace for ipset (Vitaly Lavrov)
      • Use a common function at listing the extensions of the elements
      • For set:list types, replaced elements must be zeroed out
      • Fix hash resizing with comments
      • Support comments in the list-type ipset (Oliver Smith)
      • Support comments in bitmap-type ipsets (Oliver Smith)
      • Support comments in hash-type ipsets (Oliver Smith)
      • Support comments for ipset entries in the core (Oliver Smith)
      • Add hash:net,net module to kernel (Oliver Smith)
      • Fix serious failure in CIDR tracking (Oliver Smith)
      • list:set: make sure all elements are checked by the gc
      • Support extensions which need a per data destroy function
      • Generalize extensions support
      • Move extension data to set structure
      • Rename extension offset ids to extension ids
      • Prepare ipset to support multiple networks for hash types
      • Introduce new operation to get both setname and family
      • Validate the set family and not the set type family at swapping (Bug reported by Quentin Armitage, netfilter bugzilla id #843)
      • Consistent userspace testing with nomatch flag
      • Skip really non-first fragments for IPv6 when getting port/protocol
      • ipset standalone package needs to ship em_ipset.c (reported by Jan Engelhardt)
    • Userspace changes
      • Missing comment support added to hash:ip,port,ip and hash:net,iface types
      • Compatibility code is modified not to rely on kernel version numbers
      • Add userspace code to support hash:net,port,net kernel module (Oliver Smith)
      • Tests added to check comment extension
      • Add new userspace set revisions for comment support (Oliver Smith)
      • Support comments in the userspace library (Oliver Smith)
      • Rework the "fake" argument parsing for ipset restore (Oliver Smith)
      • Add userspace code to support hash:net,net kernel module (Oliver Smith)
      • Add test to verify CIDR tracking
      • configure: uclinux is also linux (Gustavo Zacarias)
      • Add specifying protocol for bitmap:port (Quentin Armitage)
      • Remove artificial restriction of netmask values for hash:ip type (Reported by Quentin Armitage, netfilter bugzilla id #844)
      • Make sure called test scripts can be executed (reported by Tomas Budai)
      • Manpage fix: not just identical, but compatible type of sets can be swapped (Reported by Quentin Armitage, netfilter bugzilla id #843)
      • Fix error message typo (Reported by Quentin Armitage, netfilter bugzilla id #843)
      • Parse option "family" first, because other options may depend on it (Bug reported by Quentin Armitage, closed netfilter bugzilla #841)
      • Change 2nd parameter type of ipset_parse_elem (Quentin Armitage)
      • Report broken netlink messages in debug mode
      • Fix hyphen used as minus sign in manpage (Neutron Soutmun)
      • libipset.pc must be installed via 'make install' (Eric Leblond)
  • 6.19
    • Kernel part changes
      • Compatibility fixes to keep the support of kernels back to 2.6.32
      • Backport nla_put_net64
      • Support package fragments for IPv4 protos without ports (Anders K. Pedersen)
      • Use fix sized type for timeout in the extension part
      • Make sure kernel configured properly for sparse checkings
      • Fix "may be used uninitialized" warnings (reported by Pablo Neira Ayuso)
      • Rename simple macro names to avoid namespace issues (reported by David Laight)
      • Fix sparse warnings due to missing rcu annotations (reported by Pablo Neira Ayuso)
      • Sparse warning about shadowed variable fixed
      • Don't call ip_nest_end needlessly in the error path (suggested by Pablo Neira Ayuso)
      • set match: add support to match the counters
      • The list:set type with counter support
      • The hash types with counter support
      • The bitmap types with counter support
      • Introduce the counter extension in the core
      • list:set type using the extension interface
      • Hash types using the unified code base
      • Unified hash type generation
      • Bitmap types using the unified code base
      • Unified bitmap type generation
      • Move often used IPv6 address masking function to header file
      • Make possible to test elements marked with nomatch, from userspace
      • netfilter ipset: Use ipv6_addr_equal() where appropriate. (YOSHIFUJI Hideaki)
      • Add a compatibility header file for easier maintenance
      • The uapi include split in the package itself
      • Reorder modules a little bit in Kbuild
    • Userspace changes
      • Check at modules_install whether depmod ignores the extra subdir (reported by Husnu Demir and tian fang)
      • The utils are updated from their sources
      • Manpage typing error correction (reported by Husnu Demir)
      • Update testsuite as the trailing space was eliminated at listings
      • Add sparse checking support to userspace
      • Improve XML output: add element tag and root element (suggested by Lucas Hamie)
      • Manpage updates
      • Add new testsuite entries to verify counters and the new type implementation
      • Introduce the new set type revisions with counter support
      • Support counters in the ipset library
      • The uapi include split in the package itself
  • 6.18
    • Kernel part changes
      • bitmap:ip,mac: fix listing with timeout (reported by Yoann JUET)
      • hash:*net*: nomatch flag not excluded on set resize
      • list:set: update reference counter when last element pushed off
  • 6.17
    • Kernel part changes
      • Make sure ip_set_max isn't set to IPSET_INVALID_ID
      • netfilter: ipset: timeout values corrupted on set resize (Josh Hunt)
      • "Directory not empty" error message (reported by John Brendler)
    • Userspace changes
      • Fix revision printing in XML mode (reported by Mart Frauenlob)
      • Correct "Suspicious condition (assignment + comparison)" (Thomas Jarosch)
      • Fix error path when protocol number is used with port range
      • Interactive mode error after syntax error (reported by Mart Frauenlob)
      • The ipset_bash_completion tool is added
      • The ipset_list tool is added
  • 6.16.1
    • Kernel part changes
      • Add ipset package version to external module description
      • Backport RCU handling up to 2.6.32.x
  • 6.16
    • Userspace changes
      • Remove all modules before testing resize
      • build: support for Linux 3.7 UAPI (Jan Engelhardt)
    • Kernel part changes
      • Netlink pid is renamed to portid in kernel 3.7.0
      • Fix RCU handling when the number of maximal sets are increased
      • netfilter: ipset: fix netiface set name overflow (Florian Westphal)
  • 6.15
    • Userspace changes
      • Fix interactive mode (Fredrik Eriksson)
      • Use gethostbyname2 instead of getaddrinfo
      • Make tests/check_cidrs.sh script executable
      • Add tests to check completely ranges with hash types
      • Make easier to apply the netlink.patch
      • Support protocol numbers as well, not only protocol names
      • Add (back) the debug flag to configure
      • Add simple test to check cidr book-keeping
    • Kernel part changes
      • Increase the number of maximal sets automatically as needed
      • Restore the support of kernel versions between 2.6.32 and 2.6.35
      • Fix range bug in hash:ip,port,net
      • Revert, then reapply cidr book keeping patch to handle /0
  • 6.14
    • Userspace changes
      • Support to match elements marked with "nomatch" in hash:*net* sets
      • Coding style fixes
      • The set type revision number is added to the header part of listing
      • Help prints list type revision and terse description
      • Add /0 network support to hash:net,iface type
      • Fix errors when compiling in debug mode (Krunal Patel)
      • Make sure IPPROTO_UDPLITE is defined
      • build: restore -version-info (Jan Engelhardt)
    • Kernel part changes
      • Support to match elements marked with "nomatch" in hash:*net* sets
      • Coding style fixes
      • Include supported revisions in module description
      • Add /0 network support to hash:net,iface type
      • Fix cidr book keeping for hash:*net* types
      • Check and reject crazy /0 input parameters
      • Backport ether_addr_equal
      • Coding style fix, backport from kernel
      • net: cleanup unsigned to unsigned int (Eric Dumazet)
  • 6.13
    • Userspace changes
      • Explain in more detail src/dst for hash:net,iface
      • ipset help lists set types multiple times, fixed (reported by Mr Dash Four)
      • The commandline parser was too permissive, make it more strict
      • Allow saving to/restoring from a file without shell redirection
      • Fix typo of word "unkown" to "unknown" (Neutron Soutmun)
    • Kernel part changes
      • ipset: Handle properly an IPSET_CMD_NONE (Tomasz Bursztyka)
      • netfilter: ipset: hash:net,iface: fix interface comparison (Florian Westphal)
      • Timeout fixing bug broke SET target special timeout value, fixed
      • Use MSEC_PER_SEC instead of hardcoded value
  • 6.12.1
    • Userspace changes
      • Enable silent (kernel style) compile messages
      • Fix build failed on --disable-dependency-tracking (Neutron Soutmun)
      • Add tarball target to Makefile
  • 6.12
    • Kernel part changes
      • Backport nla_put_net* functions as NLA_PUT* were removed
      • netlink: add netlink_dump_control structure for netlink_dump_start()
      • ipset: Stop using NLA_PUT*().
      • Fix hash size checking in kernel (bug reported by Seblu)
      • Correct README file about minimal required iptables version (Oskar Berggren)
      • Sparse warnings "incorrect type in assignment" fixed
      • Fix timeout value overflow bug at large timeout parameters (bug reported by Andreas Herz)
      • ipv6: Add fragment reporting to ipv6_skip_exthdr().
      • net: remove ipv6_addr_copy()
      • Fix the inclusion of linux/export.h (Henry Culver)
    • Userspace changes
      • Cleanup generated files by make tidy
      • Add more CC warning option to debug mode
      • Report syntax error messages immediately
      • Suppress false syntax error messages
      • Add configure summary for the ipset userspace tool
      • Add dynamic module support to ipset userspace tool (Neutron Soutmun)
      • Move ipset_port_usage() into lib (Neutron Soutmun)
      • Fix invalid assignment to const void pointer (bug reported by Seblu)
      • Remove unused variables (warnings fixed)
      • Fix timeout value overflow bug at large timeout parameters (bug reported by Andreas Herz)
      • Improve ipset help text messages (Mr Dash Four)
  • 6.11
    • Kernel part changes
      • hash:net,iface timeout bug fixed
      • Exceptions support added to hash:*net* types
      • net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules
      • Log warning when a hash type of set gets full
    • Userspace changes
      • Support hostnames and service names with dash
      • Exceptions support added to hash:*net* types
      • Log warning when a hash type of set gets full
      • Set types moved into libipset library
      • Library map file added in order to support library versioning
      • doc: Linux 2.6.39 already has the defs (Jan Engelhardt)
      • build: install libipset in the right place (Jan Engelhardt)
      • Provide a pkgconfig file (Jan Engelhardt)
      • build: make distcheck work and use POSIX mode for tarball generation (Jan Engelhardt)
      • build: install libipset/linux_ip_set_list.h (Jan Engelhardt)
      • build: include libipset/nfproto.h (Jan Engelhardt)
      • build: process include/libipset/ (Jan Engelhardt)
      • build: use AC_CONFIG_AUX_DIR and stash away tools (Jan Engelhardt)
      • Update .gitignore (Jan Engelhardt)
  • 6.10
    • Kernel part changes
      • Invert the logic to include version.h in ip_set_core.c
      • Suppress false compile-time warnings about uninitialized variable ip_to
    • Userspace changes
      • Tests added to check ICMP/ICMPv6 type/code parsing
      • ICMP/ICMPv6 type/code parser bug fixed (bug reported by Sabitov)
      • ipset: fix lookup of tcp port names (Stephen Hemminger)
      • Optionally disable building the kernel module (Mathieu Bridon)
      • Make tidy complete
  • 6.9.1
    • Kernel part changes
      • Fix compiling ipset as external kernel modules (v6.9)
      • Complete Kconfig with hash:net,iface type (standalone package)
      • rtnetlink: Compute and store minimum ifinfo dump size (Greg Rose)
      • Remove redundant linux/version.h includes from net/ (Jesper Juhl)
      • ipset: use NFPROTO_ constants (Jan Engelhardt)
      • netfilter: ipset: expose userspace-relevant parts in ip_set.h (Jan Engelhardt)
      • netfilter: ipset: avoid use of kernel-only types (Jan Engelhardt)
      • netfilter: Remove unnecessary OOM logging messages (Joe Perches)
      • Dumping error triggered removing references twice and lead to kernel BUG
      • Autoload set type modules safely
    • Userspace changes
      • build: move ipset_errcode into library (Jan Engelhardt)
      • build: abort autogen on subcommand failure (Jan Engelhardt)
      • ipset: use NFPROTO_ constants (Jan Engelhardt)
      • Propagate "expose userspace-relevant parts in ip_set.h" to ipset source
  • 6.8
    • Kernel part changes
      • Fix compiler warnings "'hash_ip4_data_next' declared inline after being called" (Chris Friesen)
      • hash:net,iface fixed to handle overlapping nets behind different interfaces
      • Make possible to hash some part of the data element only.
    • Userspace changes
      • Update the manpage and document the limits in hash:net,iface.
      • README file corrections from Richard Lucassen
  • 6.7
    • Kernel part changes
      • Whitespace and coding fixes, detected by checkpatch.pl
      • hash:net,iface type introduced
      • Use the stored first cidr value instead of '1'
      • Fix return code for destroy when sets are in use
      • Add xt_action_param to the variant level kadt functions, ipset API change
      • Drop supporting kernel versions below 2.6.35
    • Userspace changes
      • Whitespace and coding fixes, detected by checkpatch.pl
      • hash:net,iface type introduced
      • hash:* tests may seem to fail due to the too wide grep pattern, fix them
      • Remove iptree tests and compatibility element parsing
      • hash:net test may seem to fail due to the too wide grep pattern, fix it
      • Fix long time uncovered bug at adding string attributes to the netlink messages
      • Fix warnings reported by valgrind
      • Remove supporting set types iptree and iptreemap
  • 6.6
    • Kernel part changes
      • Use unified from/to address masking and check the usage
      • ip_set_flush returned -EPROTO instead of -IPSET_ERR_PROTOCOL, fixed
      • Take into account cidr value for the from address when creating the set
      • Adding ranges to hash types with timeout could still fail, fixed
      • Removed old, not used hashing method ip_set_chash
      • Remove variable 'ret' in type_pf_tdel(), which is set but not used
      • Use proper timeout parameter to jiffies conversion
    • Userspace changes
      • Restore with bitmap:port and list:set types did not work, fixed
      • Accept "\r\n" terminated COMMIT command in restore files
      • Fix the message sequence number book-keeping
      • Protocol-level debugging support added
      • hash:net stress test in range notation added
      • ipset_mnl_query: in debug mode print the errno returned by the cb function
      • Accept "\r\n" terminated lines in restore files
      • Remove outdated checking of IPv6 support from configure.ac
  • 6.5
    • Kernel part changes
      • Support range for IPv4 at adding/deleting elements for hash:*net* types
      • Set type support with multiple revisions added
      • Fix adding ranges to hash types
    • Userspace changes
      • Support range for IPv4 at adding/deleting elements for hash:*net* types
      • Disable type revisions which are not supported both by the kernel and ipset
      • Update ipset help text to reflect SCTP and UDPLITE support
      • Ignore -n flag (list just setnames) when sets are to be saved
  • 6.4
    • Kernel part changes
      • Support listing setnames and headers too
      • Fix the order of listing of sets
      • Options and flags support added to the kernel API
    • Userspace changes
      • Get rid of the trailing empty line at listing sets
      • Fix XML listing, remove broken unused "elements" tag
      • Support listing setnames and headers too
      • Sorting is dependent on the locale settings, use LC_ALL=C
      • Use unified diff output in tests
  • 6.3
    • Kernel part changes
      • ipset/Kconfig was a mixed up kernel config file, fixed (Michael Tokarev)
      • bitmap:ip,mac type requires "src" for MAC, enforce it
      • whitespace fixes: some space before tab slipped in
      • set match and SET target fixes (bugs reported by Lennert Buytenhek)
    • Userspace changes
      • Testsuite changes: keep temporary files
      • bitmap:ip,mac type requires "src" for MAC: manpage is updated to reflect the change
      • Testsuite checks added (SET target and dir parameter checks)
  • 6.2
    • Kernel part changes
      • list:set timeout variant fixes
      • References are protected by rwlock instead of mutex
      • Add explicit text message to detect patched kernel (netlink.patch)
      • Timeout can be modified for already added elements
    • Userspace changes
      • Manpage update
  • 6.1
    • Kernel part changes
      • The hash:*port* types ignored the address range with non TCP/UDP, fixed
      • Fix checking the revision number of the set type at create command
      • SCTP, UDPLITE support to hash:*port* types added
      • Fix revision reporting got broken by the revision checking patch
    • Userspace changes
      • Manpage was not installed (reported by Mark A. Ziesemer)
      • SCTP, UDPLITE support to the hash:*port* types added
  • 6.0
    • Kernel part changes
      • Reorganized kernel/ subdir
      • netfilter: ipset: fix linking with CONFIG_IPV6=n (Patrick McHardy)
      • netfilter: ipset: send error message manually
      • netfilter: ipset: add missing break statements in ip_set_get_ip_port() (Patrick McHardy)
      • netfilter: ipset: add missing include to xt_set.h (Patrick McHardy)
      • netfilter: ipset: remove unnecessary includes (Patrick McHardy)
      • netfilter: ipset: use nla_parse_nested() (Patrick McHardy)
      • Separate ipset errnos completely from system ones and bump protocol version
      • Use better error codes in xt_set.c
      • Fix sparse warning about shadowed definition
      • bitmap:ip type: flavour specific adt functions (Patrick McHardy's review)
      • bitmap:port type: flavour specific adt functions (Patrick McHardy's review)
      • Move the type specific attribute validation to the core (suggested by Patrick McHardy)
      • Use vzalloc() instead of __vmalloc() (Eric Dumazet, Patrick McHardy)
      • Use meaningful error messages in xt_set.c (Patrick McHardy's review)
      • Constified attribute cannot be written (Patrick McHardy's review)
      • Send (N)ACK at dumping only when NLM_F_ACK is set (Patrick McHardy's review)
      • Correct the error codes: use ENOENT and EMSGSIZE (Patrick McHardy's review)
    • Userspace changes
      • Print protocol version together with ipset version
      • Testsuite compatibility with debugging enabled
      • Allow "new" as a command alias to "create"
      • ipset: improve command argument parsing (Holger Eitzenberger)
      • ipset: avoid the unnecessary argv[] loop (Holger Eitzenberger)
      • ipset: pass ipset_arg argument pointer (Holger Eitzenberger)
      • Separate ipset errnos completely from system ones and bump protocol version
      • Fix the spelling error fix :-) (Ferenc Wagner)
      • Resolving IP addresses did not work at listing/saving sets, fixed
      • ipset: fix spelling error (Holger Eitzenberger)
      • ipset: fix the Netlink sequence number (Holger Eitzenberger)
      • ipset: turn Set name[] into a const pointer (Holger Eitzenberger)
      • Check ICMP and ICMPv6 with the set match and target in the testsuite
      • Avoid possible syntax clashing at saving hostnames
  • 5.4.1
    • Documentation
      • UPGRADE file added
  • 5.4
    • Kernel part changes
      • Fixed broken ICMP and ICMPv6 handling
      • Fix trailing whitespaces and pr_* messages
      • Un-inline functions which are not small enough (Patrick McHardy)
      • Fix module loading at create/header commands (Patrick McHardy)
      • Fix wrong kzalloc flag in type_pf_expire
      • The get_ip*_port functions are too large to be inlined, moved into the core
      • Add missing __GFP_HIGHMEM flag to __vmalloc (Eric Dumazet)
      • Enforce network-ordered data in the netlink protocol
      • Use annotated types and fix sparse warnings (Patrick McHardy)
      • Move ip_set_alloc, ip_set_free and ip_set_get_ipaddr* into the core (Patrick McHardy)
      • NETMASK*, HOSTMASK* macros are too generic, replace with inline functions (Patrick McHardy)
      • Use static LIST_HEAD() for ip_set_type_list (Patrick McHardy)
      • Move NLA_PUT_NET* macros to include/net/netlink.h (Patrick McHardy)
      • The module parameter max_sets should be unsigned int (Patrick McHardy)
      • Get rid of ip_set_kernel.h (Patrick McHardy)
      • Fix the placement style of boolean operators at continued lines (Patrick McHardy)
  • 5.3
    • Kernel part changes
      • There is no need to call synchronize_net() at swapping
      • Replace strncpy with strlcpy at creating a set
      • Update copyright date and some style changes
      • Use jhash.h accepted in kernel, with backward compatibility
      • Separate prefixlens from ip_set core
      • Remove unused ctnl parameter from call_ad (Jan Engelhardt)
      • Comment the possible return values of the add/del/test type-functions
    • Userspace changes
      • Set the non-debug compiling the default
      • Testsuite fix of ospf replaced with vrrp
      • Fix build with NDEBUG defined (Holger Eitzenberger)
      • Do session initialization once (Holger Eitzenberger)
      • Make IPv4 and IPv6 address handling similar (Holger Eitzenberger)
      • Show correct line numbers in restore output for parser errors (Holger Eitzenberger)
      • Replace ospf with vrrp in the testsuite
      • Remove autogenerated files (Jan Engelhardt)
      • Use only AC_CANONICAL_HOST (Jan Engelhardt)
  • 5.2
    • Kernel part changes
      • Kernel version check at minimal supported version was mistyped, now fixed
    • Userspace changes
      • Handle internal printing errors
      • Use cast to void * instead of memcpy as Sparc workaround at sockaddr_XXX (suggested by Jan Engelhardt)
      • Listing/saving of large sets could produce broken listing, fixed
      • Support libtool < 2.2
  • 5.1
    • Kernel part changes
      • Kernel version compatibility: support bumped starting from 2.6.34
      • Use EXPORT_SYMBOL_GPL (Jan Engelhardt)
      • const annotations (Jan Engelhardt)
      • Use __read_mostly for registration-type structures (Jan Engelhardt)
      • Do not mix const and __read_mostly (Jan Engelhardt)
      • xt_set: avoid user types in exported kernel headers (Jan Engelhardt)
      • Enable parallel building (Jan Engelhardt)
      • Fix Kbuild for me to delete backup files
    • Userspace changes
      • Test cases for IPv6 restore and more complex restore sessions added
      • Restore mode did not work for IPv6, fixed (reported by Elie Rosenblum)
      • libipset: static annotations (Jan Engelhardt)
      • libipset: const annotations (Jan Engelhardt)
      • libipset: remove redundant casts (Jan Engelhardt)
      • libipset: remove redundant indirection via union name (Jan Engelhardt)
      • libipset: ipset_strncpy is really a strlcpy-type operation (Jan Engelhardt)
      • Prevent calling Makefile directly in the kernel/ subdirectory
      • Put back the Sparc specific workaround at getaddrinfo (reported by Jan Engelhardt)
      • Check old system kernel header files
      • Check from `configure` that the kernel source is patched with netlink.patch
      • Use configure to detect compiler warning flags
      • Try to solve PKG_CHECK_MODULES issue (reported by Rob Sterenborg)
      • Fix incorrect comparison in check_allowed (reported by Jan Engelhardt)
  • 5.0
    • New main branch - ipset completely rewritten
  • 4.5
    • Kernel part changes
      • The iptreemap type used wrong gfp flags when deleting entries (bug reported by Dash Four)
    • Userspace changes
      • Take into account the compile time setting of the default hash size (reported by Dash Four)
  • 4.4
    • Kernel part changes
      • The ipporthash, ipportiphash and ipportnethash set types did not work with mixed "src" and "dst" direction parameters of the "set" and "SET" iptables match and target (reported by Dash Four)
      • Erroneous semaphore handling in error path fixed (reported by Jan Engelhardt, bugzilla id 668)
    • Userspace changes
      • Manpage fix to make it clear how ipset works on setlist type of sets (John Brendler, bugzilla id 640)
  • 4.3
    • Kernel part changes
      • Support of 2.6.35 kernels added
  • 4.2
    • Kernel part changes
      • nethash and ipportnethash types counted every entry twice which could produce bogus entries when listing/saving these types of sets (bug reported by Husnu Demir)
    • Userspace changes
      • Checking null entries when listing/saving hash types of sets deleted because it's unnecessary and can mask possible errors.
  • 4.1
    • Kernel part changes
      • Do not use init_MUTEX either (Jan Engelhardt)
      • Improve listing/saving hash type of sets by not copying empty entries unnecessarily to userspace.
    • Userspace changes
      • Manpage fixes and corrections (Jan Engelhardt)
  • 4.0
    • Kernel part changes
      • Compilation of ip_set_iptree.c fails with kernel 2.6.20 due to missing include of linux/jiffies.h (Jan Engelhardt)
      • Do not use DECLARE_MUTEX (compatibility fix on 2.6.31-rt, Jan Engelhardt)
      • Flushing iptreemap type of sets caused high ksoftirqd load due to zeroed out gc parameter (bug reported by Georg Chini)
      • New protocol is introduced to handle alignment issues properly (bug reported by Georg Chini)
      • Binding support is removed
    • Userspace changes
      • New protocol is introduced to handle alignment issues properly (bug reported by Georg Chini)
      • Binding support is removed
  • 3.2
    • Kernel part changes
      • Mixed up formats in ip_set_iptree.c fixed (Rob Sterenborg)
      • Don't use 'bool' for backward compatibility reasons (Rob Sterenborg)
  • 3.1
    • Userspace changes
      • Correct format specifiers and change %i to %d (Jan Engelhardt)
    • Kernel part changes
      • Nonexistent sets were reported as existing sets when testing from userspace in setlist type of sets (bug reported by Victor A. Safronov)
      • When saving sets, setlist type of sets must come last in order to satisfy the dependency from the elements (bug reported by Marty B.)
      • Sparse insists that the flags argument to kmalloc() is gfp_t (Stephen Hemminger)
      • Correct format specifiers and change %i to %d (Jan Engelhardt)
      • Fix the definition of 'bool' for kernels <= 2.6.18 (Jan Engelhardt)
  • 3.0
    • Userspace changes
      • New kernel-userspace protocol release
      • Bigendian and 64/32bit fixes (Stefan Gula, bugzilla id 593)
      • tests/runtests.sh changed to support old bash shells
    • Kernel part changes
      • New kernel-userspace protocol release
      • Bigendian and 64/32bit fixes (Stefan Gula, bugzilla id 593)
      • Support of 2.4.3[67].* kernels fixed
      • Compiling with debugging enabled fixed
  • 2.5.0
    • Userspace changes
      • On parisc architecture cast increases required alignment (bugzilla id 582), fixed.
      • Respect LDFLAGS settings at compile time (Peter Volkov).
    • Kernel part changes
      • instead of setting the locks directly as it causes compilation errors with 2.6.29-rt (Jan Engelhardt).
  • 2.4.9
    • Kernel part changes
      • References to the old include file replaced with new one in order to really use the new Jenkins' hash function.
  • 2.4.8
    • Userspace changes
      • In order to disable the extra warning flags, NO_EXTRA_WARN_FLAGS variable added to userspace Makefile.
    • Kernel part changes
      • The Jenkins' hash lookup2() replaced with Jenkins' faster/better lookup3() hash function.
      • Bug fixed: after elements are added and deleted from a hash, an element can successfully be added in spite of already being in the hash and thus duplicates can occur (Shih-Yi Chen).
      • Compatibility with old gcc without 'bool' added.
  • 2.4.7
    • Kernel part changes
      • Typo which broke compilation with kernels < 2.6.28 fixed (reported by Richard Lucassen, Danny Rawlins)
  • 2.4.6
    • Kernel part changes
      • Compatibility fix for kernels >= 2.6.28
  • 2.4.5
    • Userspace changes
      • Some compiler warning options are too aggressive and therefore disabled.
    • Kernel part changes
      • setlist type does not work properly together with swapping sets, bug reported by Thomas Jacob.
      • Include linux/capability.h explicitly in ip_set.c (Jan Engelhardt)
  • 2.4.4
    • Userspace changes
      • Premature checking prevented valid elements from being added to hash types, fixed (bug reported by JC Janos).
      • Local variable shadows another variable, fixed (reported by Jan Engelhardt).
      • More compiler warning options added and warnings fixed.
    • Kernel part changes
      • Premature checking prevented valid elements from being added to hash types, fixed (bug reported by JC Janos).
  • 2.4.3
    • Userspace changes
      • Include file <limits.h> was missing from userspace set type modules, reported by Krzysztof Oledzki and Sven Wegener.
  • 2.4.2
    • Kernel part changes
      • When flushing a nethash/ipportnethash type of set, it can lead to a kernel crash due to a wrong type declaration, bug reported by Krzysztof Oledzki.
      • iptree and iptreemap types require the header file linux/timer.h, also reported by Krzysztof Oledzki.
  • 2.4.1
    • Userspace changes
      • macipmap type reported misleading deprecated separator tokens and printed the old one when listing set elements; the warning contained a misprint as well (bugs reported by Krzysztof Oledzki)
      • Warn only once about deprecated separator tokens in restore mode.
    • Kernel part changes
      • Zero-valued elements are not accepted by hash type of sets because we cannot distinguish between a zero-valued element and a not-set element. Enforce it, as manpage says. (fixes bugzilla id 543)
  • 2.4
    • Userspace changes
      • Added KBUILD_OUTPUT support (Sven Wegener)
      • Fix memory leak in ipset_iptreemap (Sven Wegener)
      • Fix multiple compiler warnings (Sven Wegener)
      • ipportiphash, ipportnethash and setlist types added
      • binding marked as deprecated functionality
      • element separator token changed to ',' in anticipation of IPv6 addresses, old separator tokens are still supported
      • unnecessary includes removed
      • ipset does not try to resolve IP addresses when listing the content of sets (default changed)
      • manpage updated
    • Kernel part changes
      • ipportiphash, ipportnethash and setlist types added
      • set type modules reworked to avoid code duplication as much as possible, code unification macros
      • expand_macros Makefile target added to help debugging code unification macros
      • ip_set_addip_kernel and ip_set_delip_kernel changed from void to int, __ip_set_get_byname and __ip_set_put_byid added for the sake of setlist type
      • unnecessary includes removed
      • compatibility fix for kernels >= 2.6.27: semaphore.h was moved from asm/ to linux/ (James King)
  • 2.3.3a
    • Fix to compile ipset with 2.4.26.x tree statically (bug reported by G.W. Haywood)
  • 2.3.3
    • compatibility for the 2.6.x kernel tree improved and compiler warnings fixed (Jan Engelhardt)
    • compatibility fixes for the 2.4.36.x kernel tree added
  • 2.3.2
    • including limits.h for UINT_MAX is required with glibc-2.8 (pud)
    • needless cast from and to void pointers cleanups in iptreemap (Sven Wegener)
    • Initial ipset release with kernel modules included.
  • 2.3.1
    • segfault on --unbind :all: :all: fixed (reported by bugzilla, report and patch sent by Tom Eastep)
    • User input parameters are sanitized everywhere
    • Initial testsuite added and 'test' target to the Makefile added: few bugs discovered and fixed
      • typo in macipmap type prevented using the max size set of this type
      • *map types are made sure to allow and use max size of sets
  • 2.3.0
    • jiffies rollover bug in iptree type fixed (reported by Lukasz Nierycho and others)
    • endianness bug in iptree type fixed (spotted by Jan Engelhardt)
    • iptreemap type added (submitted by Sven Wegener)
    • 2.6.22/23 compatibility fixes (Jeremy Jacque)
    • typo fixes in ipset (Neville D)
    • separator changed to ':' from '%' (old one still supported) in ipset
  • 2.2.9a
    • use correct type (socklen_t) for getsockopt (H. Nakano)
    • incorrect return codes fixed (Tomasz Lemiech, Alexey Bortnikov)
    • kernel header dependency removed (asm/bitops.h)
    • ipset now tries to load in the ip_set kernel module if the protocol is not available
  • 2.2.9
    • ipset -N did not generate proper return code
    • limit module parameter added to the kernel modules of the iphash, ipporthash, nethash and iptree type of sets so that the maximal number of elements can now be limited
    • zero valued entries (port 0 or IP address 0.0.0.0) were detected as members of the hash/tree kind of sets (reported by Andrew Kraslavsky)
    • list and save operations used the external identifier of the sets for the bindings instead of the internal one (reported by Amin Azez)
  • 2.2.8
    • Nasty off-by-one bug fixed in iptree type of sets (bug reported by Pablo Sole)
  • 2.2.7
    All patches were submitted by Jones Desougi.
    • missing or confusing error message fixes for ipporthash
    • minor correction in debugging in nethash
    • copy-paste bug in kernel set types at memory allocation checking fixed
    • unified memory allocations in ipset
  • 2.2.6
    • memory allocation in iptree is changed to GFP_ATOMIC because we hold a lock (bug reported by Radek Hladik)
    • compatibility fix: __nocast is not defined in all 2.6 branches (problem reported by Ming-Ching Tiew)
    • manpage corrections
  • 2.2.5
    • garbage collector of iptree type of sets is fixed: flushing sets/removing kernel module could corrupt the timer
    • new ipporthash type added
    • manpage fixes and corrections
  • 2.2.4
    • half-fixed memory allocation bug in iphash and nethash finally completely fixed (bug reported by Nikolai Malykh)
    • restrictions to enter zero-valued entries into all non-hash type sets were removed
    • Too strict check on the set size of ipmap type was corrected
  • 2.2.3
    • Memory allocation bug in iphash and nethash in connection with the SET target was fixed (bug reported by Nikolai Malykh)
    • lockhelp.h was removed from the 2.6.13 kernel tree, ip_set.c is updated accordingly (Cardoso Didier, Samir Bellabes)
    • manpage is updated to clearly state the command order in restore mode
  • 2.2.2
    • Jiffies rollover bug in ip_set_iptree reported and fixed by Rob Nielsen
    • Compiler warning in the non-SMP case fixed (Marcus Sundberg)
    • slab cache names shrunk in order to be compatible with 2.4.* (Marcus Sundberg)
  • 2.2.1
    • Magic number in ip_set_nethash.h was mistyped (bug reported by Rob Carlson)
    • ipset can now test IP addresses in nethash type of sets (i.e. addresses in netblocks added to the set)
  • 2.2.0
    • Locking bug in ip_set_nethash.c (Clifford Wolf and Rob Carlson)
    • Makefile contained an unnecessary variable in IPSET_LIB_DIR (Clifford Wolf)
    • Safety checks of restore in ipset were incomplete (Robin H. Johnson)
    • More careful resizing by avoiding locking completely
    • stdin stored internally in a temporary file, so we can feed 'ipset -R' from a pipe
    • iptree set type added
  • 2.1.0
    • Lock debugging used with debugless lock definition (Piotr Chytla and others).
    • Bindings were not properly filled out at listing (kernel)
    • When listing sets from kernel, id was not added to the set structure (ipset)
    • nethash set type added
    • ipset manpage corrections (macipmap)
  • 2.0.1
    • Missing -fPIC in Makefile (Robert Iakobashvili)
    • Cut'n'paste bug at saving macipmap types (Vincent Bernat).
    • Bug in printing/saving SET targets reported and fixed by Michal Pokrywka
  • 2.0
    • Chaining of sets is changed: child sets replaced by bindings
    • Kernel-userspace communication reorganized to minimize the number of syscalls
    • Save and restore functionality implemented
    • iphash type reworked: clashing resolved by double-hashing and by dynamically growing the set
  • 1.0
    • ipset forked from ippool
    • Chaining of sets added via child sets
    • portmap and iphash types added