ChangeLog

  • 7.23
    • Userspace changes
      • tests: runtest.sh: Keep running, print summary of failed tests (Phil Sutter)
      • tests: cidr.sh: Fix for quirks in RHEL's ipcalc (Phil Sutter)
      • tests: cidr.sh: Respect IPSET_BIN env var (Phil Sutter)
      • ipset: Fix implicit declaration of function basename (Mike Pagano)
      • tests: Reduce testsuite run-time (Phil Sutter)
      • lib: ipset: Avoid 'argv' array overstepping (Phil Sutter)
      • lib: data: Fix for global-buffer-overflow warning by ASAN (Phil Sutter)
    • Kernel part changes
      • netfilter: ipset: Hold module reference while requesting a module (Phil Sutter)
      • netfilter: ipset: add missing range check in bitmap_ip_uadt (Jeongjun Park)
      • netfilter: ipset: Fix suspicious rcu_dereference_protected()
      • Replace BUG_ON() with WARN_ON_ONCE() according to usage policy.
  • 7.22
    • Userspace changes
      • ipset: fix json output format for IPSET_OPT_IP (Z. Liu)
      • tests: add namespace test and take into account delayed set removal at module remove
      • Update autoconfig tools to build cleanly on Debian bookworm
    • Kernel part changes
      • netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
      • netfilter: ipset: Add list flush to cancel_gc (Alexander Maltsev)
      • Kill sched.h dependency on rcupdate.h (Kent Overstreet)
      • Handle "netfilter: propagate net to nf_bridge_get_physindev" patch
      • netfilter: propagate net to nf_bridge_get_physindev (Pavel Tikhomirov)
      • Revert "netfilter: ipset: remove set destroy at ip_set module removal"
  • 7.21
    • Userspace changes
      • The patch "Fix hex literals in json output" broke save mode, restore it
      • Fix -Werror=format-extra-args warning
      • Workaround misleading -Wstringop-truncation warning
    • Kernel part changes
      • netfilter: ipset: Suppress false sparse warnings
      • tests: Verify module unload when sets with timeout were just destroyed
      • netfilter: ipset: remove set destroy at ip_set module removal
      • netfilter: ipset: Cleanup the code of destroy operation and explain the two stages in comments
      • netfilter: ipset: Missing gc cancellations fixed
  • 7.20
    • Userspace changes
      • Ignore *.order.cmd and *.symvers.cmd files in kernel builds
      • Bash completion utility updated
      • Fix json output for -name option (Mark)
      • Fix hex literals in json output
      • tests: increase timeout to cope with slow virtual test machine
    • Kernel part changes
      • treewide: Convert del_timer*() to timer_shutdown*() (Steven Rostedt)
      • Use timer_shutdown_sync() when available, instead of del_timer_sync()
      • netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test v4
      • netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test v3
      • netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test v2
      • netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test
  • 7.19
    • Userspace changes
      • build: Fix the double-prefix in pkgconfig (Sam James)
  • 7.18
    • Userspace changes
      • Add json output to list command (Thomas Oberhammer)
      • tests: hash:ip,port.t: Replace VRRP by GRE protocol (Phil Sutter)
      • tests: hash:ip,port.t: 'vrrp' is printed as 'carp' (Phil Sutter)
      • tests: cidr.sh: Add ipcalc fallback (Phil Sutter)
      • tests: xlate: Make test input valid (Phil Sutter)
      • tests: xlate: Test built binary by default (Phil Sutter)
      • xlate: Drop dead code (Phil Sutter)
      • xlate: Fix for fd leak in error path (Phil Sutter)
      • configure.ac: fix bashisms (Sam James)
      • lib/Makefile.am: fix pkgconfig dir (Sam James)
    • Kernel part changes
      • netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP (reported by Kyle Zeng)
      • netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c (Kyle Zeng)
      • compatibility: handle strscpy_pad()
      • netfilter: ipset: refactor deprecated strncpy (Justin Stitt)
      • netfilter: ipset: remove rcu_read_lock_bh pair from ip_set_test (Florian Westphal)
      • netfilter: ipset: Replace strlcpy with strscpy (Azeem Shaikh)
      • netfilter: ipset: Add schedule point in call_ad(). (Kuniyuki Iwashima)
      • net: Kconfig: fix spellos (Randy Dunlap)
      • netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function. (Gavrilov Ilia)
  • 7.17
    • Userspace changes
      • Tests: When verifying comments/timeouts, make sure entries don't expire
      • Tests: Make sure the internal batches add the correct number of elements
      • Tests: Verify that hash:net,port,net type can handle 0/0 properly
      • Makefile: Create LZMA-compressed dist-files (Phil Sutter)
    • Kernel part changes
      • netfilter: ipset: Rework long task execution when adding/deleting entries
      • ipset: fix hash:net,port,net hang with /0 subnet
  • 7.16
    • Userspace changes
      • Add new ipset_parse_bitmask() function to the library interface
      • test: Make sure no more than 64 clashing elements can be added to hash:net,iface sets
      • netfilter: ipset: add tests for the new bitmask feature (Vishwanath Pai)
      • netfilter: ipset: Update the man page to include netmask/bitmask options (Vishwanath Pai)
      • netfilter: ipset: Add bitmask support to hash:netnet (Vishwanath Pai)
      • netfilter: ipset: Add bitmask support to hash:ipport (Vishwanath Pai)
      • netfilter: ipset: Add bitmask support to hash:ip (Vishwanath Pai)
      • netfilter: ipset: Add support for new bitmask parameter (Vishwanath Pai)
      • ipset-translate: allow invoking with a path name (Quentin Armitage)
      • Fix IPv6 sets nftables translation (Pablo Neira Ayuso)
      • Fix typo in ipset-translate man page (Bernhard M. Wiedemann)
    • Kernel part changes
      • netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface
      • Fix all debug mode warnings
      • netfilter: ipset: Add support for new bitmask parameter (Vishwanath Pai)
      • netfilter: ipset: regression in ip_set_hash_ip.c (Vishwanath Pai)
      • netfilter: move from strlcpy with unused retval to strscpy (Wolfram Sang)
      • compatibility: handle unsafe_memcpy()
      • netlink: Bounds-check struct nlmsgerr creation (Kees Cook)
      • compatibility: move to skb_protocol in the code from tc_skb_protocol
      • Compatibility: check kvcalloc, kvfree, kvzalloc in slab.h too
      • sched: consistently handle layer3 header accesses in the presence of VLANs (Toke Høiland-Jørgensen)
      • treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 (Thomas Gleixner)
      • headers: Remove some left-over license text in include/uapi/linux/netfilter/ (Christophe JAILLET)
      • netfilter: ipset: enforce documented limit to prevent allocating huge memory
      • netfilter: ipset: Fix oversized kvmalloc() calls
  • 7.15
    • Kernel part changes
      • netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt() (Nathan Chancellor)
  • 7.14
    • Userspace changes
      • Add missing function to libipset.map and bump library version (reported by Jan Engelhardt)
    • Kernel part changes
      • 64bit division isn't allowed on 32bit, replace it with shift
  • 7.13
    • Userspace changes
      • When parsing protocols by number, do not check it in /etc/protocols.
      • Add missing hunk to patch "Allow specifying protocols by number"
    • Kernel part changes
      • Limit the maximal range of consecutive elements to add/delete fix
  • 7.12
    • Userspace changes
      • Allow specifying protocols by number (Haw Loeung)
      • Fix example in ipset.8 manpage discovered by Pablo Neira Ayuso.
      • tests: add tests ipset to nftables (Pablo Neira Ayuso)
      • add ipset to nftables translation infrastructure (Pablo Neira Ayuso)
      • lib: Detach restore routine from parser (Pablo Neira Ayuso)
      • lib: split parser from command execution (Pablo Neira Ayuso)
      • Fix patch "Parse port before trying by service name"
    • Kernel part changes
      • Limit the maximal range of consecutive elements to add/delete (reported by Brad Spengler)
      • Backport "netfilter: use nfnetlink_unicast()"
      • Backport "netfilter: nfnetlink: consolidate callback type"
      • Backport "netfilter: nfnetlink: add struct nfnl_info and pass it to callbacks"
      • Backport "netfilter: add helper function to set up the nfnetlink header and use it"
  • 7.11
    • Userspace changes
      • Parse port before trying by service name (Haw Loeung)
      • Silence unused-but-set-variable warnings (reported by Serhey Popovych)
      • Handle -Werror=implicit-fallthrough= in debug mode compiling
      • ipset: fix print format warning (Neutron Soutmun)
      • Updated utilities
      • Argument parsing buffer overflow in ipset_parse_argv fixed (reported by Marshall Whittaker)
  • 7.10
    • Kernel part changes
      • Fix patch "Handle false warning from -Wstringop-overflow"
      • Backward compatibility: handle renaming nla_strlcpy to nla_strscpy
      • treewide: rename nla_strlcpy to nla_strscpy. (Francis Laniel)
      • netfilter: ipset: fix shift-out-of-bounds in htable_bits() (Vasily Averin)
      • netfilter: ipset: fixes possible oops in mtype_resize (Vasily Averin)
      • Handle false warning from -Wstringop-overflow
      • Backward compatibility: handle missing strscpy with a wrapper of strlcpy.
      • Move compiler specific compatibility support to separated file (broken compatibility support reported by Ed W)
  • 7.9
    • Userspace changes
      • Fix library versioning (Jan Engelhardt)
  • 7.8
    • Kernel part changes
      • Complete backward compatibility fix for package copy of <linux/jhash.h>
      • Compatibility: check for kvzalloc() and GFP_KERNEL_ACCOUNT
      • netfilter: ipset: enable memory accounting for ipset allocations (Vasily Averin)
      • netfilter: ipset: prevent uninit-value in hash_ip6_add (Eric Dumazet)
      • Compatibility: use skb_policy() from if_vlan.h if available
      • Compatibility: Check for the fourth arg of list_for_each_entry_rcu()
      • Backward compatibility fix for the package copy of <linux/jhash.h>
  • 7.7
    • Userspace changes
      • Expose the initval hash parameter to userspace
      • Handle all variable header parts in helper scripts instead ot test tasks
      • Add bucketsize parameter to all hash types
      • Support the -exist flag with the destroy command
    • Kernel part changes
      • Expose the initval hash parameter to userspace
      • Add bucketsize parameter to all hash types
      • Use fallthrough pseudo-keyword in the package copy of too
      • Support the -exist flag with the destroy command
      • netfilter: Use fallthrough pseudo-keyword (Gustavo A. R. Silva)
      • netfilter: Replace zero-length array with flexible-array member (Gustavo A. R. Silva)
      • netfilter: ipset: call ip_set_free() instead of kfree() (Eric Dumazet)
      • netfiler: ipset: fix unaligned atomic access (Russell King)
      • netfilter: ipset: Fix subcounter update skip (Phil Sutter)
      • ipset: Update byte and packet counters regardless of whether they match (Stefano Brivio)
      • netfilter: ipset: Pass lockdep expression to RCU lists (Amol Grover)
      • ip_set: Fix compatibility with kernels between v3.3 and v4.5 (Serhey Popovych)
      • ip_set: Fix build on kernels without INIT_DEFERRABLE_WORK (Serhey Popovych)
      • ipset: Support kernels with at least system_wq support
      • ip_set: Fix build on kernels without system_power_efficient_wq (Serhey Popovych)
  • 7.6
    • Userspace changes
      • Add checking system_power_efficient_wq in the kernel source tree
      • .gitignore: add temporary files to the list
    • Kernel part changes
      • netfilter: ipset: Fix forceadd evaluation path
      • netfilter: ipset: Correct the reported memory size
      • ip_set: Include kernel header instead of UAPI (Serhey Popovych)
      • netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports
      • netfilter: ipset: fix suspicious RCU usage in find_set_and_id
      • Add compatibility support for bitmap_zalloc() and bitmap_zero()
      • netfilter: ipset: use bitmap infrastructure completely
      • netfilter: fix a use-after-free in mtype_destroy() (Cong Wang)
  • 7.5
    • Userspace changes
      • configure.ac: Support building with old autoconf 2.63 (Serhey Popovych)
      • configure.ac: Build on kernels without skb->vlan_proto correctly (Serhey Popovych)
      • configure.ac: Add cond_resched_rcu() checks (Serhey Popovych)
      • configure.ac: Better match for ipv6_skip_exthdr() frag_offp arg presence (Serhey Popovych)
      • Document explicitly that protocol is not stored in bitmap:port
    • Kernel part changes
      • netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present (Florian Westphal)
      • ip_set: Pass init_net when @net is missing in match check params data structure (Serhey Popovych)
      • netfilter: xt_set: Do not restrict --map-set to the mangle table (Serhey Popovych)
      • compat: em_ipset: Build on old kernels (Serhey Popovych)
      • compat: Use skb_vlan_tag_present() instead of vlan_tx_tag_present() (Serhey Popovych)
  • 7.4
    • Userspace changes
      • Fix compatibility support for netlink extended ACK and add synchronize_rcu_bh() checking
      • treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 (Thomas Gleixner)
      • ipset: Add wildcard support to net,iface (Kristian Evensen)
      • Sort naturally instead of textual sort (bugzilla #1369)
      • Do not return with error at 'make modules_install' when modules are not loaded (reported by Oskar Berggren)
    • Kernel part changes
      • Fix nla_policies to fully support NL_VALIDATE_STRICT
      • treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 (Thomas Gleixner)
      • netfilter: remove unnecessary spaces (yangxingwu)
      • ipset: Add wildcard support to net,iface (Kristian Evensen)
      • ipset: Copy the right MAC address in hash:ip,mac IPv6 sets (Stefano Brivio)
      • netfilter: ipset: move ip_set_get_ip_port() to ip_set_bitmap_port.c. (Jeremy Sowden)
      • netfilter: ipset: move function to ip_set_bitmap_ip.c. (Jeremy Sowden)
      • netfilter: ipset: make ip_set_put_flags extern. (Jeremy Sowden)
      • netfilter: ipset: move functions to ip_set_core.c. (Jeremy Sowden)
      • netfilter: ipset: move ip_set_comment functions from ip_set.h to ip_set_core.c. (Jeremy Sowden)
      • netfilter: ipset: remove inline from static functions in .c files. (Jeremy Sowden)
      • netfilter: ipset: add a coding-style fix to ip_set_ext_destroy. (Jeremy Sowden)
      • netfilter: added missing includes to a number of header-files. (Jeremy Sowden)
      • netfilter: inlined four headers files into another one. (Jeremy Sowden)
      • netfilter: ipset: Fix an error code in ip_set_sockfn_get() (Dan Carpenter)
  • 7.3
    • Userspace changes
      • ipset: fix spelling error in libipset.3 manpage (Neutron Soutmun)
    • Kernel part changes
      • Fix rename concurrency with listing
      • ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets (Stefano Brivio)
      • ipset: Actually allow destination MAC address for hash:ip,mac sets too (Stefano Brivio)
  • 7.2
    • Userspace changes
      • Update my email address
    • Kernel part changes
      • Update my email address
      • ipset: Fix memory accounting for hash types on resize (Stefano Brivio)
      • Fix error path in set_target_v3_checkentry()
      • Fix the last missing check of nla_parse()
      • netfilter: ipset: fix a missing check of nla_parse (Aditya Pakki)
      • netfilter: ipset: merge uadd and udel functions (Florent Fourcot)
      • netfilter: ipset: remove useless memset() calls (Florent Fourcot)
  • 7.1
    • Userspace changes
      • Add compatibility support for strscpy()
      • Correct the manpage about the sort option
      • Add missing functions to libipset.map
      • configure.ac: Fix build regression on RHEL/CentOS/SL (Serhey Popovych)
      • Implement sorting for hash types in the ipset tool
      • Fix to list/save into file specified by option (reported by Isaac Good)
    • Kernel part changes
      • netfilter/ipset: replace a strncpy() with strscpy() (Qian Cai)
      • netfilter: ipset: fix ip_set_byindex function (Florent Fourcot)
      • netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel (Pan Bian)
      • Correct workaround in patch "Fix calling ip_set() macro at dumping"
  • 7.0
    • Userspace changes
      • Introduction of new commands and protocol version 7, updated kernel include files
      • Add compatibility support for async in pernet_operations
      • Use more robust awk patterns to check for backward compatibility
      • Prepare the ipset tool to handle multiple protocol version
      • Fix warning message handlin
      • Correct to test null valued entry in hash:net6,port,net6 test
      • Library reworked to support embedding ipset completely
      • Add compatibility to support kvcalloc()
      • Validate string type attributes in attr2data() (Stefano Brivio)
      • manpage: Add comment about matching on destination MAC address (Stefano Brivio)
      • Add compatibility to support is_zero_ether_addr()
      • Fix use-after-free in ipset_parse_name_compat() (Stefano Brivio)
      • Fix leak in build_argv() on line parsing error (Stefano Brivio)
      • Simplify return statement in ipset_mnl_query() (Stefano Brivio)
      • tests/check_klog.sh: Try dmesg too, don't let shell terminate script (Stefano Brivio)
    • Kernel part changes
      • Introduction of new commands and protocol version 7
      • License cleanup: add SPDX license identifier to uapi header files with no license (Greg Kroah-Hartman)
      • net: Convert ip_set_net_ops (Kirill Tkhai)
      • netfilter: Replace spin_is_locked() with lockdep (Lance Roy)
      • Fix calling ip_set() macro at dumping
      • Correct rcu_dereference() call in ip_set_put_comment()
      • netfilter: ipset: fix ip_set_list allocation failure (Andrey Ryabinin)
      • ipset: Make invalid MAC address checks consisten (Stefano Brivio)
      • ipset: Allow matching on destination MAC address for mac and ipmac sets (Stefano Brivio)
      • netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net (Eric Westbrook)
      • ipset: list:set: Decrease refcount synchronously on deletion and replace (Stefano Brivio)
      • netfilter: ipset: forbid family for hash:mac sets (Florent Fourcot)
      • Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SEC
      • List timing out entries with "timeout 1" instead of zero timeout value (Fixes bugzilla #1258)
      • netfilter: xt_set: Check hook mask correctly (Serhey Popovych)
  • 6.38
    • Userspace changes
      • Fix API version number (reported by Jan Engelhardt)
  • 6.37
    • Kernel part changes
      • netfilter: ipset: Use is_zero_ether_addr instead of static and memcmp (Joe Perches)
    • Userspace changes
      • Fix parsing service names for ports (reported by Yuri D'Elia)
  • 6.36
    • Kernel part changes
      • Remove duplicate module description
      • netfilter: remove messages print and boot/module load time (Pablo Neira Ayuso)
      • Fix wraparound bug introduced in commit 48596a8ddc46 in v6.34 (reported by Thomas Schwark)
    • Userspace changes
      • Use 'ss' in runtest.sh but fall back to deprecated 'net-tools' command (bugzilla id #1209)
      • build: do install libipset/args.h (Jan Engelhardt)
      • Add test to verify wraparound fix
  • 6.35
    • Kernel part changes
      • netfilter: mark expected switch fall-throughs (Gustavo A. R. Silva)
      • License cleanup: add SPDX GPL-2.0 license identifier to files with no license (Greg Kroah-Hartman)
      • Backport patch: netfilter: ipset: use nfnl_mutex_is_locked
      • Missing nfnl_lock()/nfnl_unlock() is added to ip_set_net_exit()
      • netfilter: ipset: use nfnl_mutex_is_locked (Florian Westphal)
      • netfilter: ipset: add resched points during set listing (Florian Westphal)
      • Fix "don't update counters" mode when counters used at the matching
      • Backport patch: netfilter: ipset: Convert timers to use timer_setup()
      • netfilter: ipset: use swap macro instead of _manually_ swapping values (Gustavo A. R. Silva)
      • netfilter: ipset: Fix race between dump and swap (Ross Lagerwall)
      • netfilter: ipset: pernet ops must be unregistered last (Florian Westphal)
    • Userspace changes
      • Userspace revision handling is reworked
      • Replace the last reference to u_int8_t with uint8_t.
  • 6.34
    • Kernel part changes
      • Fix adding an IPv4 range containing more than 2^31 addresses (bugzilla id #1005, reported by Oleg Serditov and Oliver Ford
    • Userspace changes
      • testsuite: Make sure it can be run over ssh :-)
      • Reset state after a command failed, when multiple ones are issued (bugzilla id #1158, reported by Dimitri Grischin)
      • Handle padding attribute properly in userspace.
      • Test to check the fix to add an IPv4 range containing more than 2^31 addresses
      • Fix the include guards on the include/libipset/linux_ip_set*.h (bugzilla id #1139, suggested by Quentin Armitage)
      • New function added in commit 54802b2c is missing from libipset.map (bugzilla id #1182, reported by irherder@gmail.com)
  • 6.33
    • Kernel part changes
      • Backport patch: sctp: remove the typedef sctp_sctphdr_t
      • Backport patch: netfilter: nfnetlink: extended ACK reporting
      • ipset: remove unused function __ip_set_get_netlink (Aaron Conole)
      • Backport patch: netlink: pass extended ACK struct to parsing functions
      • Backport patch netlink: extended ACK reporting
      • netfilter: Remove exceptional & on function name (Arushi Singhal)
      • Backport missing part of patch: netfilter: Remove unnecessary cast on void pointer
      • Backport nfnl_msg_type()
      • netfilter: ipset: ipset list may return wrong member count for set with timeout (Vishwanath Pai)
      • netfilter: ipset: deduplicate prefixlen maps (Aaron Conole)
      • Fix sparse warnings
      • netfilter: ipset: Compress return logic (simran singhal)
      • netfilter: ipset: Remove unnecessary cast on void pointer (simran singhal)
      • Compatibility: handle changes in 4.10 kernel tree
    • Userspace changes
      • Report if the option is supported by a newer kernel release
      • ipset: Fix ipset command replacement in runtest.sh (Neutron Soutmun)
      • Correct a test: number of entries may be outdated
  • 6.32
    • Userspace changes
      • Fix possible truncated output in ipset output buffer handling (Reported by Omri Bahumi and Yoni Lavi).
      • Missing prototype added in ipset_hash_ipmac.c (debugging)
  • 6.31
    • Kernel part changes
      • netfilter: ipset: Null pointer exception in ipset list:set (Vishwanath Pai)
      • Fix bug: sometimes valid entries in hash:* types of sets were evicted (reported by Eric Ewanco)
      • Correct copyright owner
      • Revert patch "Correct rcu_dereference_bh_nfnl() usage"
    • Userspace changes
      • Update manpage about the size parameter of list:set types.
      • New test to verify that only the intended entries are deleted at hash types.
  • 6.30
    • Kernel part changes
      • netfilter: ipset: hash: fix boolreturn.cocci warnings (Fengguang Wu)
      • Fix the nla_put_net64() API changes backport
      • netfilter: ipset: Fixing unnamed union init (Elad Raz)
      • netfilter: x_tables: Use par->net instead of computing from the passed net devices (Eric W. Biederman)
      • Correct the reported memory size for bitmap:* types
      • Fix coding styles reported by checkpatch.pl, already in kernel
      • netfilter: x_tables: Pass struct net in xt_action_param (Eric W. Biederman)
      • net: sched: fix skb->protocol use in case of accelerated vlan path (Jiri Pirko)
      • Check IPSET_ATTR_ETHER netlink attribute length in hash:ipmac too
      • netfilter: fix include files for compilation (Mikko Rapeli)
      • ipset: Backports for the nla_put_net64() API changes (Neutron Soutmun)
      • netfilter: ipset: use setup_timer() and mod_timer(). (Muhammad Falak R Wani)
      • hash:ipmac type support added to ipset (Tomasz Chilinski)
    • Userspace changes
      • Drop extra comma from error message (Neutron Soutmun)
      • Fix the incorrect dynamic/static modules list (Neutron Soutmun)
      • Correct tests to check the number of entries too
      • hash:ipmac type support added to ipset, userspace part (Tomasz Chilinski)
  • 6.29
    • Kernel part changes
      • Fix race condition in ipset save, swap and delete (Vishwanath Pai)
    • Userspace changes
      • Suppress unnecessary stderr in command loop for resize and list
      • Correction in comment test
      • Support chroot buildroots (reported by Jan Engelhardt)
      • Fix "configure" breakage due to pkg-config related changes (reported by Jan Engelhardt)
  • 6.28
    • Kernel part changes
      • Check IPSET_ATTR_ETHER netlink attribute length
      • Fix __aligned_u64 compatibility support for older kernel releases
      • Add compatibility to support EXPORT_SYMBOL_GPL in module.h
      • Fix set:list type crash when flush/dump set in parallel
      • Pass down netns pointer to call() and call_rcu() (backport)
      • Allow a 0 netmask with hash_netiface type (Florian Westphal)
    • Userspace changes
      • Support older pkg-config packages
      • Add bash completion to the install routine (Mart Frauenlob)
      • Fix misleading error message with comment extension
      • Test added to check 0.0.0.0/0,iface to be matched in hash:net,iface type
      • Fix link with libtool >= 2.4.4 (Olivier Blin)
  • 6.27
    • Kernel part changes
      • Fix reported memory size for hash:* types
      • Fix hash type expire: release empty hash bucket block
      • Fix hash type expiration: incorrect index fixed
      • Collapse same condition body to a single one
      • Fix extension alignment
      • Compatibility: include linux/export.h when needed
      • Compatibility: make sure vmalloc.h is included for kvfree()
      • Compatibility: Fix detecting 'struct net' in 'struct tcf_ematch'
      • Compatibility: Protect definition of RCU_INIT_POINTER in compatibility header file
      • netfilter: ipset: Fix sleeping memory allocation in atomic context (Nikolay Borisov)
    • Userspace changes
      • Handle uint64_t alignment issue in ipset tool
  • 6.26
    • Kernel part changes
      • Out of bound access in hash:net* types fixed (reported by Dave Jones)
      • Make struct htype per ipset family (originally from Sergey Popovich)
      • Optimize hash creation routine (originally from Sergey Popovich)
      • Make sure element data size is a multiple of u32 (originally from Sergey Popovich)
      • Make NLEN compile time constant for hash types (originally from Sergey Popovich)
      • Simplify mtype_expire() for hash types (originally from Sergey Popovich)
      • Count non-static extension memory into the set memory size for userspace
      • net: sched: Simplify em_ipset_match (Eric W. Biederman)
    • Userspace changes
      • Out of bound access in hash:net* types fixed (reported by Dave Jones): new tests added to the testsuite to verify the fix
      • Warn about loaded in ip_set modules at module installation
      • Use IPSET_BIN in resize-and-list.sh and suppress echoing of loop variable
      • Manpage typo corrections (David Wittman)
      • Fix grammar error in manpage (Neutron Soutmun)
  • 6.25.1
    • Kernel part changes
      • net/netfilter/ipset: work around gcc-4.4.4 initializer bug (Andrew Morton)
    • Userspace changes
      • ipset manpage: refer to iptables-extensions
      • Update userspace header file from the kernel tree
      • Handle 'extern "C" {' in check_libmap.sh
  • 6.25
    • Kernel part changes
      • Add element count to all set types header
      • Add element count to hash headers (Eric B Munson)
      • implement nla_put_in_addr and nla_put_in6_addr (Jiri Benc)
      • deinline ip_set_put_extensions() (Denys Vlasenko)
      • Fix error path in mtype_resize() when new hash bucket cannot be allocated
      • There is no need to call synchronize_rcu() after list_add_rcu()
      • Fix typo in function name get_phyoutdev_name()
      • Separate memsize calculation code into dedicated functions (originally from Sergey Popovich)
      • Split extensions into separate files (originally from Sergey Popovich)
      • Improve comment extension helpers (originally from Sergey Popovich)
      • Improve skbinfo get/init helpers (originally from Sergey Popovich)
      • Headers file cleanup (originally from Sergey Popovich)
      • Correct rcu_dereference_bh_nfnl() usage (originally from Sergey Popovich)
      • add helpers for fetching physin/outdev (Florian Westphal)
      • When a single set is destroyed, make sure it can't be grabbed by dump
      • In comment extension ip_set_comment_free() is always called in a safe path
      • Add rcu_barrier() to module removal in the bitmap types too
      • Fix coding styles reported by the most recent checkpatch.pl
      • Make sure bitmap:ip,mac detects the proper MAC even when it's overwritten
      • RCU safe comment extension handling
      • Make sure the proper is_destroyed value is checked at dumping
      • Fix broken commit "Check extensions attributes before getting extensions."
      • Improve preprocessor macros checks (Sergey Popovich)
      • Fix hashing for ipv6 sets (Sergey Popovich)
      • Fix ext_*() macros so pointers returned by these macros could be referenced directly (Sergey Popovich)
      • Check for comment netlink attribute length (Sergey Popovich)
      • Return bool values instead of int (Sergey Popovich)
      • Check CIDR value only when attribute is given (Sergey Popovich)
      • Make sure we always return line number on batch (Sergey Popovich)
      • Permit CIDR equal to the host address CIDR in IPv6 (Sergey Popovich)
      • Use HOST_MASK literal to represent host address CIDR len (Sergey Popovich)
      • Check IPSET_ATTR_PORT only once (Sergey Popovich)
      • Check extensions attributes before getting extensions (Sergey Popovich)
      • Use SET_WITH_*() helpers to test set extensions (Sergey Popovich)
      • Return ipset error instead of bool (Sergey Popovich)
      • Preprocessor directices cleanup (Sergey Popovich)
      • No need to make nomatch bitfield (Sergey Popovich)
      • Make sure bit operations are not reordered
      • Properly calculate extensions offsets and total length (Sergey Popovich)
      • Fix cidr handling for hash:*net* types, reported by Jonathan Johnson
      • fix boolreturn.cocci warnings (Fengguang Wu)
      • make ip_set_get_ip*_port to use skb_network_offset (Alexander Drozdov)
      • Make sure listing doesn't grab a set which is just being destroyed.
      • Missing rcu_read_lock() and _unlock() in mtype_list() fixed
      • Fix coding styles reported by checkpatch.pl
      • Use nlmsg_total_size instead of NLMSG_SPACE in ip_set_core.c
      • There's no need to call synchronize_rcu() with kfree_rcu()
      • Call rcu_barrier() in module removal path
      • Call synchronize_rcu() in set type (un)register functions only when needed
      • Remove an unused macro
      • Give a better name to a macro in ip_set_core.c
      • Resolve the STREQ macro to make the code more readable, and use nla_strlcpy where possible
      • Use MSEC_PER_SEC consistently
      • Remove unnecessary integer RCU handling and fix other sparse warnings
      • Fix sparse warning "cast to restricted __be32"
    • Userspace changes
      • Add element count to all set types header
      • Add element count to hash headers (Eric B Munson)
      • Support linking libipset to C++ programs (reported by Pavel Odintsov)
      • ipset: propose rewording in manpage (Neutron Soutmun)
      • More compatibility checking and simplifications to support the 2.6.32 kernel tree
      • Compatibility: define RCU_INIT_POINTER when __rcu is not defined
      • Compatibility: check kernel source for list_last_entry (CentOS7, reported by Ricardo Klein)
      • Make possible to pass extra flags to sparse
  • 6.24
    • Kernel part changes
      • netfilter: ipset: small potential read beyond the end of buffer (Dan Carpenter)
      • Fix parallel resizing and listing of the same set
      • styles warned by checkpatch.pl fixed
      • Introduce RCU in all set types instead of rwlock per set (performance tested by Jesper Dangaard Brouer)
      • Remove rbtree from hash:net,iface in order to run under RCU
      • Explicitly add padding elements to hash:net,net and hash:net,port,net
      • Allocate the proper size of memory when /0 networks are supported
      • Simplify cidr handling for hash:*net* types
      • Indicate when /0 networks are supported
      • Kernel API changes in em_ipset.c, support both old and new ones
      • netfilter: Convert uses of __constant_ to (Joe Perches)
      • net: use the new API kvfree() (WANG Cong)
      • treewide: fix errors in print (Masanari Iida)
      • netfilter: use IS_ENABLED(CONFIG_BRIDGE_NETFILTER) (Pablo Neira Ayuso)
      • Use IS_ENABLED macro and define it if required
      • Alignment problem between 64bit kernel 32bit userspace fixed (reported by Sven-Haegar Koch)
      • netfilter: ipset: off by one in ip_set_nfnl_get_byindex() (Dan Carpenter)
    • Userspace changes
      • The "extra" subdirectory for kernel modules may have a full subtree (reported by Jesper Dangaard Brouer)
      • Add more compatibility checkings to support older kernel releases
      • Make_global.am: Don't include host headers (Baruch Siach)
      • Alignment problem between 64bit kernel 32bit userspace fixed (reported by Sven-Haegar Koch)
      • Add script to check libipset.map for missing symbols
      • Update libipset.map with ipset_parse_tcp_udp_port (Thomas Backlund)
      • libipset: Bump lib version and update map file (Neutron Soutmun)
      • Bash utilities updated
      • ipset: Fix hyphen used as minus sign in manpage (Neutron Soutmun)
  • 6.23
    • Kernel part changes
      • Support updating extensions when the set is full (fixes bugzilla id #880)
    • Userspace changes
      • The utils are updated from their sources
      • Order create and add options in manpage so that generic ones come first
      • Centralise generic create options (family, hashsize, maxelem) on top of man page in the generic options section. (Mart Frauenlob)
      • Support glibc < 2.9 (fixes bugzilla id #891)
      • Add description of hash:mac set type to man page. (Mart Frauenlob)
      • Add missing space for skbinfo option synopsis. (Mart Frauenlob)
      • The library/API versions were forgotten to bump (reported by Sergei Zhirikov)
      • Retry printing when sprintf fails (reported by Stig Thormodsrud)
  • 6.22
    • Kernel part changes
      • hash:mac type added to ipset
      • skbinfo extension: send nonzero extension elements only to userspace
      • netfilter: Convert pr_warning to pr_warn (Joe Perches)
      • netfilter: ipset: Add skbinfo extension support to SET target. (Anton Danilov)
      • netfilter: ipset: Add skbinfo extension kernel support for the list set type. (Anton Danilov)
      • netfilter: ipset: Add skbinfo extension kernel support for the hash set types. (Anton Danilov)
      • netfilter: ipset: Add skbinfo extension kernel support for the bitmap set types. (Anton Danilov)
      • netfilter: ipset: Add skbinfo extension kernel support in the ipset core. (Anton Danilov)
      • Fix static checker warning in ip_set_core.c (reported by Dan Carpenter)
      • Fix warn: integer overflows 'sizeof(*map) + size * set->dsize' (reported by Dan Carpenter)
      • net/netfilter/ipset: Resolve missing-field-initializer warnings (Mark Rustad)
      • netnet,netportnet: Fix value range support for IPv4 (Sergey Popovich)
      • Removed invalid IPSET_ATTR_MARKMASK validation (Vytas Dauksa)
    • Userspace changes
      • hash:mac type added to ipset
      • Add test to check mark mapping
      • ipset: remove extran newline on debug output (Holger Eitzenberger)
      • ipset: avoid duplicate command flags (Holger Eitzenberger)
      • Remove a duplicate debug print (Holger Eitzenberger)
      • ipset: man: Add the skbinfo extension documentation. (Anton Danilov)
      • libipset: Add userspace support of the skbinfo extension of the list set type. (Anton Danilov)
      • libipset: Add userspace support of the skbinfo extension of the hash set types. (Anton Danilov)
      • libipset: Add userspace support of the skbinfo extension of the bitmap set types. (Anton Danilov)
      • libipset: Add userspace code for the skbinfo extension support. (Anton Danilov)
      • Make possible to compile ipset with IPSET_DEBUG from the dist. (Clinton Roy)
      • libipset: print third element in debugging (Sergey Popovich)
      • ipset: Handle missing leading zeros in ethernet address parser (Janeks Jaunups)
      • ipset: Pass IPSET_BIN to test scripts to change binary location (Neutron Soutmun)
      • ipset: Fix grammar error in manpage (Neutron Soutmun)
      • ipset: Fix printf format warning (Neutron Soutmun)
  • 6.21.1
    • Kernel part changes
      • netfilter: ip_set: rename nfnl_dereference()/nfnl_set() (Patrick McHardy)
    • Userspace changes
      • The bash utilities are updated
      • Fix libipset library release versioning (reported by Mathieu Bridon)
  • 6.21
    • Kernel part changes
      • ipset: add forceadd kernel support for hash set types (Josh Hunt)
      • netfilter: ipset: move registration message to init from net_init (Ilia Mirkin)
      • kernel: uapi: fix MARKMASK attr ABI breakage (Florian Westphal)
      • Prepare the kernel for create option flags when no extension is needed
      • add markmask for hash:ip,mark data type (Vytas Dauksa)
      • add hash:ip,mark data type to ipset (Vytas Dauksa)
      • ipset: remove unused code (Stephen Hemminger)
      • netfilter: ipset: Add hash: fix coccinelle warnings (Fengguang Wu)
      • Typo in ip_set_hash_netnet.c fixed (David Binderman)
      • net ipset: use rbtree postorder iteration instead of opencoding (Cody P Schafer)
      • ipset: Follow manual page behavior for SET target on list:set (Sergey Popovich)
    • Userspace changes
      • ipset: add userspace support for forceadd (Josh Hunt)
      • kernel: uapi: fix MARKMASK attr ABI breakage (Florian Westphal)
      • lib: fix ifname 'physdev:' prefix parsing (Florian Westphal)
      • Prepare the kernel for create option flags when no extension is needed
      • print mark & mark mask in hex rather then decimal (Vytas Dauksa)
      • add markmask for hash:ip,mark data type (Vytas Dauksa)
      • add hash:ip,mark data type to ipset (Vytas Dauksa)
      • ipset: manpage: correct add action synopsis for hash:net,port,net. (Mart Frauenlob)
      • ipset: manpage: remove spare comma for hash:net,net test action. (Mart Frauenlob)
      • Fix all set output from list/save when set with counters in use. (Sergey Popovich)
      • ipset: Fix malformed output from list/save for ICMP types in port field (Sergey Popovich)
      • ipset: fix timeout data type size (Nikolay Martynov)
  • 6.20.1
    • Kernel part changes
      • netfilter: ipset: remove duplicate define (Michael Opdenacker)
      • net->user_ns is available starting from 3.8, add compatibility checking (reported by Jan Engelhardt)
      • Fix memory allocation for bitmap:port (reported by Quentin Armitage)
      • Avoid clashing with configured kernel in [CONFIG_]IP_SET_MAX
      • The unnamed union initialization may lead to compilation error (reported by Husnu Demir)
      • Use dev_net() instead of the direct access to ->nd_net (reported by the kbuild test robot)
    • Userspace changes
      • build: fix incorrect library versioning (Jan Engelhardt)
      • netfilter: ipset: Fix configure failure when --with-kmod=no (Oliver Smith)
      • Avoid clashing with configured kernel in [CONFIG_]IP_SET_MAX
  • 6.20
    • Kernel part changes
      • Compatibility code is modified not to rely on kernel version numbers
      • Use netlink callback dump args only
      • Add hash:net,port,net module to kernel (Oliver Smith)
      • Add net namespace for ipset (Vitaly Lavrov)
      • Use a common function at listing the extensions of the elements
      • For set:list types, replaced elements must be zeroed out
      • Fix hash resizing with comments
      • Support comments in the list-type ipset (Oliver Smith)
      • Support comments in bitmap-type ipsets (Oliver Smith)
      • Support comments in hash-type ipsets (Oliver Smith)
      • Support comments for ipset entries in the core (Oliver Smith)
      • Add hash:net,net module to kernel (Oliver Smith)
      • Fix serious failure in CIDR tracking (Oliver Smith)
      • list:set: make sure all elements are checked by the gc
      • Support extensions which need a per data destroy function
      • Generalize extensions support
      • Move extension data to set structure
      • Rename extension offset ids to extension ids
      • Prepare ipset to support multiple networks for hash types
      • Introduce new operation to get both setname and family
      • Validate the set family and not the set type family at swapping (Bug reported by Quentin Armitage, netfilter bugzilla id #843)
      • Consistent userspace testing with nomatch flag
      • Skip really non-first fragments for IPv6 when getting port/protocol
      • ipset standalone package needs to ship em_ipset.c (reported by Jan Engelhardt)
    • Userspace changes
      • Missing comment support added to hash:ip,port,ip and hash:net,iface types
      • Compatibility code is modified not to rely on kernel version numbers
      • Add userspace code to support hash:net,port,net kernel module (Oliver Smith)
      • Tests added to check comment extension
      • Add new userspace set revisions for comment support (Oliver Smith)
      • Support comments in the userspace library (Oliver Smith)
      • Rework the "fake" argument parsing for ipset restore (Oliver Smith)
      • Add userspace code to support hash:net,net kernel module (Oliver Smith)
      • Add test to verify CIDR tracking
      • configure: uclinux is also linux (Gustavo Zacarias)
      • Add specifying protocol for bitmap:port (Quentin Armitage)
      • Remove artifical restriction of netmask values for hash:ip type (Reported by Quentin Armitage, netfilter bugzilla id #844)
      • Make sure called test scripts can be executed (reported by Tomas Budai)
      • Manpage fix: not just identical, but compatible type of sets can be swapped (Reported by Quentin Armitage, netfilter bugzilla id #843)
      • Fix error message typo (Reported by Quentin Armitage, netfilter bugzilla id #843)
      • Parse option "family" first, because other options may depend on it (Bug reported by Quentin Armitage, closed netfilter bugzilla #841)
      • Change 2nd parameter type of ipset_parse_elem (Quentin Armitage)
      • Report broken netlink messages in debug mode
      • Fix hyphen used as minus sign in manpage (Neutron Soutmun)
      • libipset.pc must be installed via 'make install' (Eric Leblond)
  • 6.19
    • Kernel part changes
      • Compatibility fixes to keep the support of kernels back to 2.6.32
      • Backport nla_put_net64
      • Support package fragments for IPv4 protos without ports (Anders K. Pedersen)
      • Use fix sized type for timeout in the extension part
      • Make sure kernel configured properly for sparse checkings
      • Fix "may be used uninitialized" warnings (reported by Pablo Neira Ayuso)
      • Rename simple macro names to avoid namespace issues (reported by David Laight)
      • Fix sparse warnings due to missing rcu annotations (reported by Pablo Neira Ayuso)
      • Sparse warning about shadowed variable fixed
      • Don't call ip_nest_end needlessly in the error path (suggested by Pablo Neira Ayuso)
      • set match: add support to match the counters
      • The list:set type with counter support
      • The hash types with counter support
      • The bitmap types with counter support
      • Introduce the counter extension in the core
      • list:set type using the extension interface
      • Hash types using the unified code base
      • Unified hash type generation
      • Bitmap types using the unified code base
      • Unified bitmap type generation
      • Move often used IPv6 address masking function to header file
      • Make possible to test elements marked with nomatch, from userspace
      • netfilter ipset: Use ipv6_addr_equal() where appropriate. (YOSHIFUJI Hideaki)
      • Add a compatibility header file for easier maintenance
      • The uapi include split in the package itself
      • Reorder modules a little bit in Kbuild
    • Userspace changes
      • Check at modules_install whether depmod ignores the extra subdir (reported by Husnu Demir and tian fang)
      • The utils are updated from their sources
      • Manpage typing error correction (reported by Husnu Demir)
      • Update testsuite as the trailing space was eliminated at listings
      • Add sparse checking support to userspace
      • Improve XML output: add element tag and root element (suggested by Lucas Hamie)
      • Manpage updates
      • Add new testsuite entries to verify counters and the new type implementation
      • Introduce the new set type revisions with counter support
      • Support counters in the ipset library
      • The uapi include split in the package itself
  • 6.18
    • Kernel part changes
      • bitmap:ip,mac: fix listing with timeout (reported by Yoann JUET)
      • hash:*net*: nomatch flag not excluded on set resize
      • list:set: update reference counter when last element pushed off
  • 6.17
    • Kernel part changes
      • Make sure ip_set_max isn't set to IPSET_INVALID_ID
      • netfilter: ipset: timeout values corrupted on set resize (Josh Hunt)
      • "Directory not empty" error message (reported by John Brendler)
    • Userspace changes
      • Fix revision printing in XML mode (reported by Mart Frauenlob)
      • Correct "Suspicious condition (assignment + comparison)" (Thomas Jarosch)
      • Fix error path when protocol number is used with port range
      • Interactive mode error after syntax error (reported by Mart Frauenlob)
      • The ipset_bash_completion tool is added
      • The ipset_list tool is added
  • 6.16.1
    • Kernel part changes
      • Add ipset package version to external module description
      • Backport RCU handling up to 2.6.32.x
  • 6.16
    • Userspace changes
      • Remove all modules before testing resize
      • build: support for Linux 3.7 UAPI (Jan Engelhardt)
    • Kernel part changes
      • Netlink pid is renamed to portid in kernel 3.7.0
      • Fix RCU handling when the number of maximal sets are increased
      • netfilter: ipset: fix netiface set name overflow (Florian Westphal)
  • 6.15
    • Userspace changes
      • Fix interactive mode (Fredrik Eriksson)
      • Use gethostbyname2 instead of getaddrinfo
      • Make tests/check_cidrs.sh script executable
      • Add tests to check completely ranges with hash types
      • Make easier to apply the netlink.patch
      • Support protocol numbers as well, not only protocol names
      • Add (back) the debug flag to configure
      • Add simple test to check cidr book-keeping
    • Kernel part changes
      • Increase the number of maximal sets automatically as needed
      • Restore the support of kernel versions between 2.6.32 and 2.6.35
      • Fix range bug in hash:ip,port,net
      • Revert, then reapply cidr book keeping patch to handle /0
  • 6.14
    • Userspace changes
      • Support to match elements marked with "nomatch" in hash:*net* sets
      • Coding style fixes
      • The set type revision number is added to the header part of listing
      • Help prints list type revision and terse description
      • Add /0 network support to hash:net,iface type
      • Fix errors when compiling in debug mode (Krunal Patel)
      • Make sure IPPROTO_UDPLITE is defined
      • build: restore -version-info (Jan Engelhardt)
    • Kernel part changes
      • Support to match elements marked with "nomatch" in hash:*net* sets
      • Coding style fixes
      • Include supported revisions in module descriptio
      • Add /0 network support to hash:net,iface type
      • Fix cidr book keeping for hash:*net* types
      • Check and reject crazy /0 input parameters
      • Backport ether_addr_equal
      • Coding style fix, backport from kernel
      • net: cleanup unsigned to unsigned int (Eric Dumazet)
  • 6.13
    • Userspace changes
      • Explain in more detail src/dst for hash:net,iface
      • ipset help lists set types multiple times, fixed (reported by Mr Dash Four)
      • The commandline parser was too permissive, make it more strict
      • Allow saving to/restoring from a file without shell redirection
      • Fix typo of word "unkown" to "unknown" (Neutron Soutmun)
    • Kernel part changes
      • ipset: Handle properly an IPSET_CMD_NONE (Tomasz Bursztyka)
      • netfilter: ipset: hash:net,iface: fix interface comparison (Florian Westphal)
      • Timeout fixing bug broke SET target special timeout value, fixed
      • Use MSEC_PER_SEC instead of harcoded value
  • 6.12.1
    • Userspace changes
      • Enable silent (kernel style) compile messages
      • Fix build failed on --disable-dependency-tracking (Neutron Soutmun)
      • Add tarball target to Makefile
  • 6.12
    • Kernel part changes
      • Backport nla_put_net* functions as NLA_PUT* were removed
      • netlink: add netlink_dump_control structure for netlink_dump_start()
      • ipset: Stop using NLA_PUT*().
      • Fix hash size checking in kernel (bug reported by Seblu)
      • Correct README file about minimal required iptables version (Oskar Berggren)
      • Sparse warnings "incorrect type in assignment" fixed
      • Fix timeout value overflow bug at large timeout parameters (bug reported by Andreas Herz)
      • ipv6: Add fragment reporting to ipv6_skip_exthdr().
      • net: remove ipv6_addr_copy()
      • Fix the inclusion of linux/export.h (Henry Culver)
    • Userspace changes
      • Cleanup generated files by make tidy
      • Add more CC warning option to debug mod
      • Report syntax error messages immediately
      • Suppress false syntax error messages
      • Add configure summary for the ipset userspace tool
      • Add dynamic module support to ipset userspace tool (Neutron Soutmun)
      • Move ipset_port_usage() into lib (Neutron Soutmun)
      • Fix invalid assignment to const void pointer (bug reported by Seblu)
      • Remove unused variables (warnings fixed)
      • Fix timeout value overflow bug at large timeout parameters (bug reported by Andreas Herz)
      • Improve ipset help text messages (Mr Dash Four)
  • 6.11
    • Kernel part changes
      • hash:net,iface timeout bug fixed
      • Exceptions support added to hash:*net* types
      • net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules
      • Log warning when a hash type of set gets full
    • Userspace changes
      • Support hostnames and service names with dash
      • Exceptions support added to hash:*net* types
      • Log warning when a hash type of set gets full
      • Set types moved into libipset library
      • Library map file added in order to support library versioning
      • doc: Linux 2.6.39 already has the defs (Jan Engelhardt)
      • build: install libipset in the right place (Jan Engelhardt)
      • Provide a pkgconfig file (Jan Engelhardt)
      • build: make distcheck work and use POSIX mode for tarball generation (Jan Engelhardt)
      • build: install libipset/linux_ip_set_list.h (Jan Engelhardt)
      • build: include libipset/nfproto.h (Jan Engelhardt)
      • build: process include/libipset/ (Jan Engelhardt)
      • build: use AC_CONFIG_AUX_DIR and stash away tools (Jan Engelhardt)
      • Update .gitignore (Jan Engelhardt)
  • 6.10
    • Kernel part changes
      • Invert the logic to include version.h in ip_set_core.c
      • Suppress false compile-time warnings about uninitialized variable ip_to
    • Userspace changes
      • Tests added to check ICMP/ICMPv6 type/code parsing
      • ICMP/ICMPv6 type/code parser bug fixed (bug reported by Sabitov)
      • ipset: fix lookup of tcp port names (Stephen Hemminger)
      • Optionally disable building the kernel module (Mathieu Bridon)
      • Make tidy complete
  • 6.9.1
    • Kernel part changes
      • Fix compiling ipset as external kernel modules (v6.9)
      • Complete Kconfig with hash:net,iface type (standalone package)
      • rtnetlink: Compute and store minimum ifinfo dump size (Greg Rose)
      • Remove redundant linux/version.h includes from net/ (Jesper Juhl)
      • ipset: use NFPROTO_ constants (Jan Engelhardt)
      • netfilter: ipset: expose userspace-relevant parts in ip_set.h (Jan Engelhardt)
      • netfilter: ipset: avoid use of kernel-only types (Jan Engelhardt)
      • netfilter: Remove unnecessary OOM logging messages (Joe Perches)
      • Dumping error triggered removing references twice and lead to kernel BUG
      • Autoload set type modules safely
    • Userspace changes
      • build: move ipset_errcode into library (Jan Engelhardt)
      • build: abort autogen on subcommand failure (Jan Engelhardt)
      • ipset: use NFPROTO_ constants (Jan Engelhardt)
      • Propagate "expose userspace-relevant parts in ip_set.h" to ipset source
  • 6.8
    • Kernel part changes
      • Fix compiler warnings "'hash_ip4_data_next' declared inline after being called" (Chris Friesen)
      • hash:net,iface fixed to handle overlapping nets behind different interfaces
      • Make possible to hash some part of the data element only.
    • Userspace changes
      • Update the manpage and document the limits in hash:net,iface.
      • README file corrections from Richard Lucassen
  • 6.7
    • Kernel part changes
      • Whitespace and coding fixes, detected by checkpatch.pl
      • hash:net,iface type introduced
      • Use the stored first cidr value instead of '1'
      • Fix return code for destroy when sets are in use
      • Add xt_action_param to the variant level kadt functions, ipset API change
      • Drop supporting kernel versions below 2.6.35
    • Userspace changes
      • Whitespace and coding fixes, detected by checkpatch.pl
      • hash:net,iface type introduced
      • hash:* tests may seem to fail due to the too wide grep pattern, fix them
      • Remove iptree tests and compatibility element parsing
      • hash:net test may seem to fail due to the too wide grep pattern, fix it
      • Fix long time uncovered bug at adding string attributes to the netlink messages
      • Fix warnings reported by valgrind
      • Remove supporting set types iptree and iptreemap
  • 6.6
    • Kernel part changes
      • Use unified from/to address masking and check the usage
      • ip_set_flush returned -EPROTO instead of -IPSET_ERR_PROTOCOL, fixed
      • Take into account cidr value for the from address when creating the set
      • Adding ranges to hash types with timeout could still fail, fixed
      • Removed old, not used hashing method ip_set_chash
      • Remove variable 'ret' in type_pf_tdel(), which is set but not used
      • Use proper timeout parameter to jiffies conversion
    • Userspace changes
      • Restore with bitmap:port and list:set types did not work, fixed
      • Accept "\r\n" terminated COMMIT command in restore files
      • Fix the message sequence number book-keeping
      • Protocol-level debugging support added
      • hash:net stress test in range notation added
      • ipset_mnl_query: in debug mode print the errno returned by the cb function
      • Accept "\r\n" terminated lines in restore files
      • Remove outdated checking of IPv6 support from configure.ac
  • 6.5
    • Kernel part changes
      • Support range for IPv4 at adding/deleting elements for hash:*net* types
      • Set type support with multiple revisions added
      • Fix adding ranges to hash types
    • Userspace changes
      • Support range for IPv4 at adding/deleting elements for hash:*net* types
      • Disable type revisions which are not supported both by the kernel and ipset
      • Update ipset help text to reflect SCTP and UDPLITE support
      • Ignore -n flag (list just setnames) when sets are to be saved
  • 6.4
    • Kernel part changes
      • Support listing setnames and headers too
      • Fix the order of listing of sets
      • Options and flags support added to the kernel API
    • Userspace changes
      • Get rid of the trailing empty line at listing sets
      • Fix XML listing, remove broken unused "elements" tag
      • Support listing setnames and headers too
      • Sorting is dependent on the locale settings, use LC_ALL=C
      • Use unified diff output in tests
  • 6.3
    • Kernel part changes
      • ipset/Kconfig was a mixed up kernel config file, fixed (Michael Tokarev)
      • bitmap:ip,mac type requires "src" for MAC, enforce it
      • whitespace fixes: some space before tab slipped in
      • set match and SET target fixes (bugs reported by Lennert Buytenhek)
    • Userspace changes
      • Testsuite changes: keep temporary files
      • bitmap:ip,mac type requires "src" for MAC: manpage is updated to reflect the change
      • Testsuite checks added (SET target and dir parameter checks)
  • 6.2
    • Kernel part changes
      • list:set timeout variant fixes
      • References are protected by rwlock instead of mutex
      • Add explicit text message to detect patched kernel (netlink.patch)
      • Timeout can be modified for already added elements
    • Userspace changes
      • Manpage update
  • 6.1
    • Kernel part changes
      • The hash:*port* types ignored the address range with non TCP/UDP, fixed
      • Fix checking the revision number of the set type at create command
      • SCTP, UDPLITE support to hash:*port* types added
      • Fix revision reporting got broken by the revision checking patch
    • Userspace changes
      • Manpage was not installed (reported by Mark A. Ziesemer)
      • SCTP, UDPLITE support to the hash:*port* types added
  • 6.0
    • Kernel part changes
      • Reorganized kernel/ subdir
      • netfilter: ipset: fix linking with CONFIG_IPV6=n (Patrick McHardy)
      • netfilter: ipset: send error message manually
      • netfilter: ipset: add missing break statemtns in ip_set_get_ip_port() (Patrick McHardy)
      • netfilter: ipset: add missing include to xt_set.h (Patrick McHardy)
      • netfilter: ipset: remove unnecessary includes (Patrick McHardy)
      • netfilter: ipset: use nla_parse_nested() (Patrick McHardy)
      • Separate ipset errnos completely from system ones and bump protocol version
      • Use better error codes in xt_set.c
      • Fix sparse warning about shadowed definition
      • bitmap:ip type: flavour specific adt functions (Patrick McHardy's review)
      • bitmap:port type: flavour specific adt functions (Patrick McHardy's review)
      • Move the type specifici attribute validation to the core (suggested by Patrick McHardy)
      • Use vzalloc() instead of __vmalloc() (Eric Dumazet, Patrick McHardy)
      • Use meaningful error messages in xt_set.c (Patrick McHardy's review)
      • Constified attribute cannot be written (Patrick McHardy's review)
      • Send (N)ACK at dumping only when NLM_F_ACK is set (Patrick McHardy's review)
      • Correct the error codes: use ENOENT and EMSGSIZE (Patrick McHardy's review)
    • Userspace changes
      • Print protocol version together with ipset version
      • Testsuite compatibility with debugging enabled
      • Allow "new" as a commad alias to "create"
      • ipset: improve command argument parsing (Holger Eitzenberger)
      • ipset: avoid the unnecessary argv[] loop (Holger Eitzenberger)
      • ipset: pass ipset_arg argument pointer (Holger Eitzenberger)
      • Separate ipset errnos completely from system ones and bump protocol version
      • Fix the spelling error fix :-) (Ferenc Wagner)
      • Resolving IP addresses did not work at listing/saving sets, fixed
      • ipset: fix spelling error (Holger Eitzenberger)
      • ipset: fix the Netlink sequence number (Holger Eitzenberger)
      • ipset: turn Set name[] into a const pointer (Holger Eitzenberger)
      • Check ICMP and ICMPv6 with the set match and target in the testsuite
      • Avoid possible syntax clashing at saving hostnames
  • 5.4.1
    • Documentation
      • UPGRADE file added
  • 5.4
    • Kernel part changes
      • Fixed broken ICMP and ICMPv6 handling
      • Fix trailing whitespaces and pr_* messages
      • Un-inline functions which are not small enough (Patrick McHardy)
      • Fix module loading at create/header commands (Patrick McHardy)
      • Fix wrong kzalloc flag in type_pf_expire
      • The get_ip*_port functions are too large to be inlined, moved into the core
      • Add missing __GFP_HIGHMEM flag to __vmalloc (Eric Dumazet)
      • Enforce network-ordered data in the netlink protocol
      • Use annotated types and fix sparse warnings (Patrick McHardy)
      • Move ip_set_alloc, ip_set_free and ip_set_get_ipaddr* into the core (Patrick McHardy)
      • NETMASK*, HOSTMASK* macros are too generic, replace with inline functions (Patrick McHardy)
      • Use static LIST_HEAD() for ip_set_type_list (Patrick McHardy)
      • Move NLA_PUT_NET* macros to include/net/netlink.h (Patrick McHardy)
      • The module parameter max_sets should be unsigned int (Patrick McHardy)
      • Get rid of ip_set_kernel.h (Patrick McHardy)
      • Fix the placement style of boolean operators at continued lines (Patrick McHardy)
  • 5.3
    • Kernel part changes
      • There is no need to call synchronize_net() at swapping
      • Replace strncpy with strlcpy at creating a set
      • Update copyright date and some style changes
      • Use jhash.h accepted in kernel, with backward compatibility
      • Separate prefixlens from ip_set core
      • Remove unused ctnl parameter from call_ad (Jan Engelhardt)
      • Comment the possible return values of the add/del/test type-functions
    • Userspace changes
      • Set the non-debug compiling the default
      • Testsuite fix of ospf replaced with vrrp
      • Fix build with NDEBUG defined (Holger Eitzenberger)
      • Do session initialization once (Holger Eitzenberger)
      • Make IPv4 and IPv6 address handling similar (Holger Eitzenberger)
      • Show correct line numbers in restore output for parser errors (Holger Eitzenberger)
      • Replace ospf with vrrp in the testsuite
      • Remove autogenerated files (Jan Engelhardt)
      • Use only AC_CANONICAL_HOST (Jan Engelhardt)
  • 5.2
    • Kernel part changes
      • Kernel version check at minimal supported version was mistyped, now fixed
    • Userspace changes
      • Handle internal printing errors
      • Use cast to void * instead of memcpy as Sparc workaround at sockaddr_XXX suggested by Jan Engelhardt)
      • Listing/saving of large sets could produce broken listing, fixed
      • Support libtool < 2.2
  • 5.1
    • Kernel part changes
      • Kernel version compatibility: support bumped starting from 2.6.34
      • Use EXPORT_SYMBOL_GPL (Jan Engelhardt)
      • const annotations (Jan Engelhardt)
      • Use __read_mostly for registration-type structures (Jan Engelhardt)
      • Do not mix const and __read_mostly (Jan Engelhardt)
      • xt_set: avoid user types in exported kernel headers (Jan Engelhardt)
      • Enable parallel building (Jan Engelhardt)
      • Fix Kbuild for me to delete backup files
    • Userspace changes
      • Test cases for IPv6 restore and more complex restore sessions added
      • Restore mode did not work for IPv6, fixed (reported by Elie Rosenblum)
      • libipset: static annotations (Jan Engelhardt)
      • libipset: const annotations (Jan Engelhardt)
      • libipset: remove redundant casts (Jan Engelhardt)
      • libipset: remove redundant indirection via union name (Jan Engelhardt)
      • libipset: ipset_strncpy is really a strlcpy-type operation (Jan Engelhardt)
      • Prevent calling Makefile directly in the kernel/ subdirectory
      • Put back the Sparc specific workaround at getaddrinfo (reported by Jan Engelhardt)
      • Check old system kernel header files
      • Check from `configure` that the kernel source is patched with netlink.patch
      • Use configure to detect compiler warning flags
      • Try to solve PKG_CHECK_MODULES issue (reported by Rob Sterenborg)
      • Fix incorrect comparison in check_allowed (reported by Jan Engelhardt)
  • 5.0
    • New main branch - ipset completely rewritten
  • 4.5
    • Kernel part changes
      • The iptreemap type used wrong gfp flags when deleting entries (bug reported by Dash Four)
    • Userspace changes
      • Take into account the compile time setting of the default hash size (reported by Dash Four)
  • 4.4
    • Kernel part changes
      • The ipporthash, ipportiphash and ipportnethash set types did not work with mixed "src" and "dst" direction parameters of the "set" and "SET" iptables match and target (reported by Dash Four)
      • Errorneous semaphore handling in error path fixed (reported by Jan Engelhardt, bugzilla id 668)
    • Userspace changes
      • Manpage fix to make it clear how ipset works on setlist type of sets (John Brendler, bugzilla id 640)
  • 4.3
    • Kernel part changes
      • Support of 2.6.35 kernels added
  • 4.2
    • Kernel part changes
      • nethash and ipportnethash types counted every entry twice which could produce bogus entries when listing/saving these types of sets (bug reported by Husnu Demir)
    • Userspace changes
      • Checking null entries when listing/saving hash types of sets deleted because it's unnecessary and can mask possible errors.
  • 4.1
    • Kernel part changes
      • Do not use init_MUTEX either (Jan Engelhardt)
      • Improve listing/saving hash type of sets by not copying empty entries unnecessarily to userspace.
    • Userspace changes
      • Manpage fixes and corrections (Jan Engelhardt)
  • 4.0
    • Kernel part changes
      • Compilation of ip_set_iptree.c fails with kernel 2.6.20 due to missing include of linux/jiffies.h (Jan Engelhardt)
      • Do not use DECLARE_MUTEX (compatibility fix on 2.6.31-rt, Jan Engelhardt)
      • Flushing iptreemap type of sets caused high ksoftirqd load due to zeroed out gc parameter (bug reported by Georg Chini)
      • New protocol is introduced to handle aligment issues properly (bug reported by Georg Chini)
      • Binding support is removed
    • Userspace changes
      • New protocol is introduced to handle aligment issues properly (bug reported by Georg Chini)
      • Binding support is removed
  • 3.2
    • Kernel part changes
      • Mixed up formats in ip_set_iptree.c fixed (Rob Sterenborg)
      • Don't use 'bool' for backward compatibility reasons (Rob Sterenborg)
  • 3.1
    • Userspace changes
      • Correct format specifiers and change %i to %d (Jan Engelhardt)
    • Kernel part changes
      • Nonexistent sets were reported as existing sets when testing from userspace in setlist type of sets (bug reported by Victor A. Safronov)
      • When saving sets, setlist type of sets must come last in order to satisfy the dependency from the elements (bug reported by Marty B.)
      • Sparse insists that the flags argument to kmalloc() is gfp_t (Stephen Hemminger)
      • Correct format specifiers and change %i to %d (Jan Engelhardt)
      • Fix the definition of 'bool' for kernels <= 2.6.18 (Jan Engelhardt)
  • 3.0
    • Userspace changes
      • New kernel-userspace protocol release
      • Bigendian and 64/32bit fixes (Stefan Gula, bugzilla id 593)
      • tests/runtests.sh changed to support old bash shells
    • Kernel part changes
      • New kernel-userspace protocol release
      • Bigendian and 64/32bit fixes (Stefan Gula, bugzilla id 593)
      • Support of 2.4.3[67].* kernels fixed
      • Compiling with debugging enabled fixed
  • 2.5.0
    • Userspace changes
      • On parisc architecture cast increases required aligment (bugzilla id 582), fixed.
      • Respect LDFLAGS settings at compile time (Peter Volkov).
    • Kernel part changes
      • instead of setting the locks directly as it causes compilation errors with 2.6.29-rt (Jan Engelhardt).
  • 2.4.9
    • Kernel part changes
      • References to the old include file replaced with new one in order to really use the new Jenkins' hash function.
  • 2.4.8
    • Userspace changes
      • In order to disable the extra warning flags, NO_EXTRA_WARN_FLAGS variable added to userspace Makefile.
    • Kernel part changes
      • The Jenkins' hash lookup2() replaced with Jenkins' faster/better lookup3() hash function.
      • Bug fixed: after elements are added and deleted from a hash, an element can successfully be added in spite it's already in the hash and thus duplicates can occur (Shih-Yi Chen).
      • Compatibility with old gcc without 'bool' added.
  • 2.4.7
    • Kernel part changes
      • Typo which broke compilation with kernels < 2.6.28 fixed (reported by Richard Lucassen, Danny Rawlins)
  • 2.4.6
    • Kernel part changes
      • Compatibility fix for kernels >= 2.6.28
  • 2.4.5
    • Userspace changes
      • Some compiler warning options are too aggressive and therefore disabled.
    • Kernel part changes
      • setlist type does not work properly together with swapping sets, bug reported by Thomas Jacob.
      • Include linux/capability.h explicitly in ip_set.c (Jan Engelhardt)
  • 2.4.4
    • Userspace changes
      • Premature checking prevents to add valid elements to hash types, fixed (bug reported by JC Janos).
      • Local variable shadows another variable, fixed (reported by Jan Engelhardt).
      • More compiler warning options added and warnings fixed.
    • Kernel part changes
      • Premature checking prevents to add valid elements to hash types, fixed (bug reported by JC Janos).
  • 2.4.3
    • Userspace changes
      • Include file <limits.h> was missing from userspace set type modules, reported by Krzysztof Oledzki and Sven Wegener.
  • 2.4.2
    • Kernel part changes
      • When flushing a nethash/ipportnethash type of set, it can lead to a kernel crash due to a wrong type declaration, bug reported by Krzysztof Oledzki.
      • iptree and iptreemap types require the header file linux/timer.h, also reported by Krzysztof Oledzki.
  • 2.4.1
    • Userspace changes
      • macipmap type reported misleading deprecated separator tokens and printed the old one at listing set elements; the warning contained misprinting as well (bugs reported by Krzysztof Oledzki)
      • Warn only once about deprecated separator tokens in restore mode.
    • Kernel part changes
      • Zero-valued element are not acceptable by hash type of sets because we cannot make a difference between a zero-valued element and not-set element. Enforce it, as manpage says. (fixes bugzilla id 543)
  • 2.4
    • Userspace changes
      • Added KBUILD_OUTPUT support (Sven Wegener)
      • Fix memory leak in ipset_iptreemap (Sven Wegener)
      • Fix multiple compiler warnings (Sven Wegener)
      • ipportiphash, ipportnethash and setlist types added
      • binding marked as deprecated functionality
      • element separator token changed to ',' in anticipating IPv6 addresses, old separator tokens are still supported
      • unnecessary includes removed
      • ipset does not try to resolve IP addresses when listing the content of sets (default changed)
      • manpage updated
    • Kernel part changes
      • ipportiphash, ipportnethash and setlist types added
      • set type modules reworked to avoid code duplication as much as possible, code unification macros
      • expand_macros Makefile target added to help debugging code unification macros
      • ip_set_addip_kernel and ip_set_delip_kernel changed from void to int, __ip_set_get_byname and __ip_set_put_byid added for the sake of setlist type
      • unnecessary includes removed
      • compatibility fix for kernels >= 2.6.27: semaphore.h was moved from asm/ to linux/ (James King)
  • 2.3.3a
    • Fix to compile ipset with 2.4.26.x tree statically (bug reported by G.W. Haywood)
  • 2.3.3
    • compatibility for the 2.6.x kernel tree improved and compiler warnings fixed (Jan Engelhardt)
    • compatibility fixes for the 2.4.36.x kernel tree added
  • 2.3.2
    • including limits.h for UINT_MAX is required with glibc-2.8 (pud)
    • needless cast from and to void pointers cleanups in iptreemap (Sven Wegener)
    • Initial ipset release with kernel modules included.
  • 2.3.1
    • segfault on --unbind :all: :all: fixed (reported by bugzilla, report and patch sent by Tom Eastep)
    • User input parameters are sanitized everywhere
    • Initial testsuite added and 'test' target to the Makefile added: few bugs discovered and fixed
      • typo in macipmap type prevented to use max size set of this type
      • *map types are made sure to allow and use max size of sets
  • 2.3.0
    • jiffies rollover bug in iptree type fixed (reported by Lukasz Nierycho and others)
    • endiannes bug in iptree type fixed (spotted by Jan Engelhardt)
    • iptreemap type added (submitted by Sven Wegener)
    • 2.6.22/23 compatibility fixes (Jeremy Jacque)
    • typo fixes in ipset (Neville D)
    • separator changed to ':' from '%' (old one still supported) in ipset
  • 2.2.9a
    • use correct type (socklen_t) for getsockopt (H. Nakano)
    • incorrect return codes fixed (Tomasz Lemiech, Alexey Bortnikov)
    • kernel header dependency removed (asm/bitops.h)
    • ipset now tries to load in the ip_set kernel module if the protocol is not available
  • 2.2.9
    • ipset -N did not generate proper return code
    • limit module parameter added to the kernel modules of the iphash, ipporthash, nethash and iptree type of sets so that the maximal number of elements can now be limited
    • zero valued entries (port 0 or IP address 0.0.0.0) were detected as members of the hash/tree kind of sets (reported by Andrew Kraslavsky)
    • list and save operations used the external identifier of the sets for the bindings instead of the internal one (reported by Amin Azez)
  • 2.2.8
    • Nasty off-by-one bug fixed in iptree type of sets (bug reported by Pablo Sole)
  • 2.2.7
    All patches were submitted by Jones Desougi.
    • missing or confusing error message fixes for ipporthash
    • minor correction in debugging in nethash
    • copy-paste bug in kernel set types at memory allocation checking fixed
    • unified memory allocations in ipset
  • 2.2.6
    • memory allocation in iptree is changed to GFP_ATOMIC because we hold a lock (bug reported by Radek Hladik)
    • compatibility fix: __nocast is not defined in all 2.6 branches (problem reported by Ming-Ching Tiew)
    • manpage corrections
  • 2.2.5
    • garbage collector of iptree type of sets is fixed: flushing sets/removing kernel module could corrupt the timer
    • new ipporthash type added
    • manpage fixes and corrections
  • 2.2.4
    • half-fixed memory allocation bug in iphash and nethash finally completely fixed (bug reported by Nikolai Malykh)
    • restrictions to enter zero-valued entries into all non-hash type sets were removed
    • Too strict check on the set size of ipmap type was corrected
  • 2.2.3
    • Memory allocation bug in iphash and nethash in connection with the SET target was fixed (bug reported by Nikolai Malykh)
    • lockhelp.h was removed from the 2.6.13 kernel tree, ip_set.c is updated accordingly (Cardoso Didier, Samir Bellabes)
    • manpage is updated to clearly state the command order in restore mode
  • 2.2.2
    • Jiffies rollover bug in ip_set_iptree reported and fixed by Rob Nielsen
    • Compiler warning in the non-SMP case fixed (Marcus Sundberg)
    • slab cache names shrunk in order to be compatible with 2.4.* (Marcus Sundberg)
  • 2.2.1
    • Magic number in ip_set_nethash.h was mistyped (bug reported by Rob Carlson)
    • ipset can now test IP addresses in nethash type of sets (i.e. addresses in netblocks added to the set)
  • 2.2.0
    • Locking bug in ip_set_nethash.c (Clifford Wolf and Rob Carlson)
    • Makefile contained an unnecessary variable in IPSET_LIB_DIR (Clifford Wolf)
    • Safety checkings of restore in ipset was incomplete (Robin H. Johnson)
    • More careful resizing by avoiding locking completely
    • stdin stored internally in a temporary file, so we can feed 'ipset -R' from a pipe
    • iptree set type added
  • 2.1.0
    • Lock debugging used with debugless lock definiton (Piotr Chytla and others).
    • Bindings were not properly filled out at listing (kernel)
    • When listing sets from kernel, id was not added to the set structure (ipset)
    • nethash set type added
    • ipset manpage corrections (macipmap)
  • 2.0.1
    • Missing -fPIC in Makefile (Robert Iakobashvili)
    • Cut'n'paste bug at saving macipmap types (Vincent Bernat).
    • Bug in printing/saving SET targets reported and fixed by Michal Pokrywka
  • 2.0
    • Chaining of sets are changed: child sets replaced by bindings
    • Kernel-userspace communication reorganized to minimize the number of syscalls
    • Save and restore functionality implemented
    • iphash type reworked: clashing resolved by double-hashing and by dynamically growing the set
  • 1.0
    • ipset forked from ippool
    • Chaining of sets added via child sets
    • portmap and iphash types added