IP set home  Features  Download & Install  Tips & Examples  ChangeLog  ipset(8)  iptables(8)  ip6tables(8)  iptables-extensions(8)  libipset(3)

ChangeLog 7.21 Userspace changes The patch "Fix hex literals in json output" broke save mode, restore it Fix -Werror=format-extra-args warning Workaround misleading -Wstringop-truncation warning Kernel part changes netfilter: ipset: Suppress false sparse warnings tests: Verify module unload when sets with timeout were just destroyed netfilter: ipset: remove set destroy at ip_set module removal netfilter: ipset: Cleanup the code of destroy operation and explain the two stages in comments netfilter: ipset: Missing gc cancellations fixed 7.20 Userspace changes Ignore *.order.cmd and *.symvers.cmd files in kernel builds Bash completion utility updated Fix json output for -name option (Mark) Fix hex literals in json output tests: increase timeout to cope with slow virtual test machine Kernel part changes treewide: Convert del_timer*() to timer_shutdown*() (Steven Rostedt) Use timer_shutdown_sync() when available, instead of del_timer_sync() netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test v4 netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test v3 netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test v2 netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test 7.19 Userspace changes build: Fix the double-prefix in pkgconfig (Sam James) 7.18 Userspace changes Add json output to list command (Thomas Oberhammer) tests: hash:ip,port.t: Replace VRRP by GRE protocol (Phil Sutter) tests: hash:ip,port.t: 'vrrp' is printed as 'carp' (Phil Sutter) tests: cidr.sh: Add ipcalc fallback (Phil Sutter) tests: xlate: Make test input valid (Phil Sutter) tests: xlate: Test built binary by default (Phil Sutter) xlate: Drop dead code (Phil Sutter) xlate: Fix for fd leak in error path (Phil Sutter) configure.ac: fix bashisms (Sam James) lib/Makefile.am: fix pkgconfig dir (Sam James) Kernel part changes netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP (reported by Kyle Zeng) netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c (Kyle Zeng) compatibility: handle strscpy_pad() netfilter: ipset: refactor deprecated strncpy (Justin Stitt) netfilter: ipset: remove rcu_read_lock_bh pair from ip_set_test (Florian Westphal) netfilter: ipset: Replace strlcpy with strscpy (Azeem Shaikh) netfilter: ipset: Add schedule point in call_ad(). (Kuniyuki Iwashima) net: Kconfig: fix spellos (Randy Dunlap) netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function. (Gavrilov Ilia) 7.17 Userspace changes Tests: When verifying comments/timeouts, make sure entries don't expire Tests: Make sure the internal batches add the correct number of elements Tests: Verify that hash:net,port,net type can handle 0/0 properly Makefile: Create LZMA-compressed dist-files (Phil Sutter) Kernel part changes netfilter: ipset: Rework long task execution when adding/deleting entries ipset: fix hash:net,port,net hang with /0 subnet 7.16 Userspace changes Add new ipset_parse_bitmask() function to the library interface test: Make sure no more than 64 clashing elements can be added to hash:net,iface sets netfilter: ipset: add tests for the new bitmask feature (Vishwanath Pai) netfilter: ipset: Update the man page to include netmask/bitmask options (Vishwanath Pai) netfilter: ipset: Add bitmask support to hash:netnet (Vishwanath Pai) netfilter: ipset: Add bitmask support to hash:ipport (Vishwanath Pai) netfilter: ipset: Add bitmask support to hash:ip (Vishwanath Pai) netfilter: ipset: Add support for new bitmask parameter (Vishwanath Pai) ipset-translate: allow invoking with a path name (Quentin Armitage) Fix IPv6 sets nftables translation (Pablo Neira Ayuso) Fix typo in ipset-translate man page (Bernhard M. Wiedemann) Kernel part changes netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface Fix all debug mode warnings netfilter: ipset: Add support for new bitmask parameter (Vishwanath Pai) netfilter: ipset: regression in ip_set_hash_ip.c (Vishwanath Pai) netfilter: move from strlcpy with unused retval to strscpy (Wolfram Sang) compatibility: handle unsafe_memcpy() netlink: Bounds-check struct nlmsgerr creation (Kees Cook) compatibility: move to skb_protocol in the code from tc_skb_protocol Compatibility: check kvcalloc, kvfree, kvzalloc in slab.h too sched: consistently handle layer3 header accesses in the presence of VLANs (Toke Høiland-Jørgensen) treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 (Thomas Gleixner) headers: Remove some left-over license text in include/uapi/linux/netfilter/ (Christophe JAILLET) netfilter: ipset: enforce documented limit to prevent allocating huge memory netfilter: ipset: Fix oversized kvmalloc() calls 7.15 Kernel part changes netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt() (Nathan Chancellor) 7.14 Userspace changes Add missing function to libipset.map and bump library version (reported by Jan Engelhardt) Kernel part changes 64bit division isn't allowed on 32bit, replace it with shift 7.13 Userspace changes When parsing protocols by number, do not check it in /etc/protocols. Add missing hunk to patch "Allow specifying protocols by number" Kernel part changes Limit the maximal range of consecutive elements to add/delete fix 7.12 Userspace changes Allow specifying protocols by number (Haw Loeung) Fix example in ipset.8 manpage discovered by Pablo Neira Ayuso. tests: add tests ipset to nftables (Pablo Neira Ayuso) add ipset to nftables translation infrastructure (Pablo Neira Ayuso) lib: Detach restore routine from parser (Pablo Neira Ayuso) lib: split parser from command execution (Pablo Neira Ayuso) Fix patch "Parse port before trying by service name" Kernel part changes Limit the maximal range of consecutive elements to add/delete (reported by Brad Spengler) Backport "netfilter: use nfnetlink_unicast()" Backport "netfilter: nfnetlink: consolidate callback type" Backport "netfilter: nfnetlink: add struct nfnl_info and pass it to callbacks" Backport "netfilter: add helper function to set up the nfnetlink header and use it" 7.11 Userspace changes Parse port before trying by service name (Haw Loeung) Silence unused-but-set-variable warnings (reported by Serhey Popovych) Handle -Werror=implicit-fallthrough= in debug mode compiling ipset: fix print format warning (Neutron Soutmun) Updated utilities Argument parsing buffer overflow in ipset_parse_argv fixed (reported by Marshall Whittaker) 7.10 Kernel part changes Fix patch "Handle false warning from -Wstringop-overflow" Backward compatibility: handle renaming nla_strlcpy to nla_strscpy treewide: rename nla_strlcpy to nla_strscpy. (Francis Laniel) netfilter: ipset: fix shift-out-of-bounds in htable_bits() (Vasily Averin) netfilter: ipset: fixes possible oops in mtype_resize (Vasily Averin) Handle false warning from -Wstringop-overflow Backward compatibility: handle missing strscpy with a wrapper of strlcpy. Move compiler specific compatibility support to separated file (broken compatibility support reported by Ed W) 7.9 Userspace changes Fix library versioning (Jan Engelhardt) 7.8 Kernel part changes Complete backward compatibility fix for package copy of <linux/jhash.h> Compatibility: check for kvzalloc() and GFP_KERNEL_ACCOUNT netfilter: ipset: enable memory accounting for ipset allocations (Vasily Averin) netfilter: ipset: prevent uninit-value in hash_ip6_add (Eric Dumazet) Compatibility: use skb_policy() from if_vlan.h if available Compatibility: Check for the fourth arg of list_for_each_entry_rcu() Backward compatibility fix for the package copy of <linux/jhash.h> 7.7 Userspace changes Expose the initval hash parameter to userspace Handle all variable header parts in helper scripts instead ot test tasks Add bucketsize parameter to all hash types Support the -exist flag with the destroy command Kernel part changes Expose the initval hash parameter to userspace Add bucketsize parameter to all hash types Use fallthrough pseudo-keyword in the package copy of too Support the -exist flag with the destroy command netfilter: Use fallthrough pseudo-keyword (Gustavo A. R. Silva) netfilter: Replace zero-length array with flexible-array member (Gustavo A. R. Silva) netfilter: ipset: call ip_set_free() instead of kfree() (Eric Dumazet) netfiler: ipset: fix unaligned atomic access (Russell King) netfilter: ipset: Fix subcounter update skip (Phil Sutter) ipset: Update byte and packet counters regardless of whether they match (Stefano Brivio) netfilter: ipset: Pass lockdep expression to RCU lists (Amol Grover) ip_set: Fix compatibility with kernels between v3.3 and v4.5 (Serhey Popovych) ip_set: Fix build on kernels without INIT_DEFERRABLE_WORK (Serhey Popovych) ipset: Support kernels with at least system_wq support ip_set: Fix build on kernels without system_power_efficient_wq (Serhey Popovych) 7.6 Userspace changes Add checking system_power_efficient_wq in the kernel source tree .gitignore: add temporary files to the list Kernel part changes netfilter: ipset: Fix forceadd evaluation path netfilter: ipset: Correct the reported memory size ip_set: Include kernel header instead of UAPI (Serhey Popovych) netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports netfilter: ipset: fix suspicious RCU usage in find_set_and_id Add compatibility support for bitmap_zalloc() and bitmap_zero() netfilter: ipset: use bitmap infrastructure completely netfilter: fix a use-after-free in mtype_destroy() (Cong Wang) 7.5 Userspace changes configure.ac: Support building with old autoconf 2.63 (Serhey Popovych) configure.ac: Build on kernels without skb->vlan_proto correctly (Serhey Popovych) configure.ac: Add cond_resched_rcu() checks (Serhey Popovych) configure.ac: Better match for ipv6_skip_exthdr() frag_offp arg presence (Serhey Popovych) Document explicitly that protocol is not stored in bitmap:port Kernel part changes netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present (Florian Westphal) ip_set: Pass init_net when @net is missing in match check params data structure (Serhey Popovych) netfilter: xt_set: Do not restrict --map-set to the mangle table (Serhey Popovych) compat: em_ipset: Build on old kernels (Serhey Popovych) compat: Use skb_vlan_tag_present() instead of vlan_tx_tag_present() (Serhey Popovych) 7.4 Userspace changes Fix compatibility support for netlink extended ACK and add synchronize_rcu_bh() checking treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 (Thomas Gleixner) ipset: Add wildcard support to net,iface (Kristian Evensen) Sort naturally instead of textual sort (bugzilla #1369) Do not return with error at 'make modules_install' when modules are not loaded (reported by Oskar Berggren) Kernel part changes Fix nla_policies to fully support NL_VALIDATE_STRICT treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 (Thomas Gleixner) netfilter: remove unnecessary spaces (yangxingwu) ipset: Add wildcard support to net,iface (Kristian Evensen) ipset: Copy the right MAC address in hash:ip,mac IPv6 sets (Stefano Brivio) netfilter: ipset: move ip_set_get_ip_port() to ip_set_bitmap_port.c. (Jeremy Sowden) netfilter: ipset: move function to ip_set_bitmap_ip.c. (Jeremy Sowden) netfilter: ipset: make ip_set_put_flags extern. (Jeremy Sowden) netfilter: ipset: move functions to ip_set_core.c. (Jeremy Sowden) netfilter: ipset: move ip_set_comment functions from ip_set.h to ip_set_core.c. (Jeremy Sowden) netfilter: ipset: remove inline from static functions in .c files. (Jeremy Sowden) netfilter: ipset: add a coding-style fix to ip_set_ext_destroy. (Jeremy Sowden) netfilter: added missing includes to a number of header-files. (Jeremy Sowden) netfilter: inlined four headers files into another one. (Jeremy Sowden) netfilter: ipset: Fix an error code in ip_set_sockfn_get() (Dan Carpenter) 7.3 Userspace changes ipset: fix spelling error in libipset.3 manpage (Neutron Soutmun) Kernel part changes Fix rename concurrency with listing ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets (Stefano Brivio) ipset: Actually allow destination MAC address for hash:ip,mac sets too (Stefano Brivio) 7.2 Userspace changes Update my email address Kernel part changes Update my email address ipset: Fix memory accounting for hash types on resize (Stefano Brivio) Fix error path in set_target_v3_checkentry() Fix the last missing check of nla_parse() netfilter: ipset: fix a missing check of nla_parse (Aditya Pakki) netfilter: ipset: merge uadd and udel functions (Florent Fourcot) netfilter: ipset: remove useless memset() calls (Florent Fourcot) 7.1 Userspace changes Add compatibility support for strscpy() Correct the manpage about the sort option Add missing functions to libipset.map configure.ac: Fix build regression on RHEL/CentOS/SL (Serhey Popovych) Implement sorting for hash types in the ipset tool Fix to list/save into file specified by option (reported by Isaac Good) Kernel part changes netfilter/ipset: replace a strncpy() with strscpy() (Qian Cai) netfilter: ipset: fix ip_set_byindex function (Florent Fourcot) netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel (Pan Bian) Correct workaround in patch "Fix calling ip_set() macro at dumping" 7.0 Userspace changes Introduction of new commands and protocol version 7, updated kernel include files Add compatibility support for async in pernet_operations Use more robust awk patterns to check for backward compatibility Prepare the ipset tool to handle multiple protocol version Fix warning message handlin Correct to test null valued entry in hash:net6,port,net6 test Library reworked to support embedding ipset completely Add compatibility to support kvcalloc() Validate string type attributes in attr2data() (Stefano Brivio) manpage: Add comment about matching on destination MAC address (Stefano Brivio) Add compatibility to support is_zero_ether_addr() Fix use-after-free in ipset_parse_name_compat() (Stefano Brivio) Fix leak in build_argv() on line parsing error (Stefano Brivio) Simplify return statement in ipset_mnl_query() (Stefano Brivio) tests/check_klog.sh: Try dmesg too, don't let shell terminate script (Stefano Brivio) Kernel part changes Introduction of new commands and protocol version 7 License cleanup: add SPDX license identifier to uapi header files with no license (Greg Kroah-Hartman) net: Convert ip_set_net_ops (Kirill Tkhai) netfilter: Replace spin_is_locked() with lockdep (Lance Roy) Fix calling ip_set() macro at dumping Correct rcu_dereference() call in ip_set_put_comment() netfilter: ipset: fix ip_set_list allocation failure (Andrey Ryabinin) ipset: Make invalid MAC address checks consisten (Stefano Brivio) ipset: Allow matching on destination MAC address for mac and ipmac sets (Stefano Brivio) netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net (Eric Westbrook) ipset: list:set: Decrease refcount synchronously on deletion and replace (Stefano Brivio) netfilter: ipset: forbid family for hash:mac sets (Florent Fourcot) Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SEC List timing out entries with "timeout 1" instead of zero timeout value (Fixes bugzilla #1258) netfilter: xt_set: Check hook mask correctly (Serhey Popovych) 6.38 Userspace changes Fix API version number (reported by Jan Engelhardt) 6.37 Kernel part changes netfilter: ipset: Use is_zero_ether_addr instead of static and memcmp (Joe Perches) Userspace changes Fix parsing service names for ports (reported by Yuri D'Elia) 6.36 Kernel part changes Remove duplicate module description netfilter: remove messages print and boot/module load time (Pablo Neira Ayuso) Fix wraparound bug introduced in commit 48596a8ddc46 in v6.34 (reported by Thomas Schwark) Userspace changes Use 'ss' in runtest.sh but fall back to deprecated 'net-tools' command (bugzilla id #1209) build: do install libipset/args.h (Jan Engelhardt) Add test to verify wraparound fix 6.35 Kernel part changes netfilter: mark expected switch fall-throughs (Gustavo A. R. Silva) License cleanup: add SPDX GPL-2.0 license identifier to files with no license (Greg Kroah-Hartman) Backport patch: netfilter: ipset: use nfnl_mutex_is_locked Missing nfnl_lock()/nfnl_unlock() is added to ip_set_net_exit() netfilter: ipset: use nfnl_mutex_is_locked (Florian Westphal) netfilter: ipset: add resched points during set listing (Florian Westphal) Fix "don't update counters" mode when counters used at the matching Backport patch: netfilter: ipset: Convert timers to use timer_setup() netfilter: ipset: use swap macro instead of _manually_ swapping values (Gustavo A. R. Silva) netfilter: ipset: Fix race between dump and swap (Ross Lagerwall) netfilter: ipset: pernet ops must be unregistered last (Florian Westphal) Userspace changes Userspace revision handling is reworked Replace the last reference to u_int8_t with uint8_t. 6.34 Kernel part changes Fix adding an IPv4 range containing more than 2^31 addresses (bugzilla id #1005, reported by Oleg Serditov and Oliver Ford Userspace changes testsuite: Make sure it can be run over ssh :-) Reset state after a command failed, when multiple ones are issued (bugzilla id #1158, reported by Dimitri Grischin) Handle padding attribute properly in userspace. Test to check the fix to add an IPv4 range containing more than 2^31 addresses Fix the include guards on the include/libipset/linux_ip_set*.h (bugzilla id #1139, suggested by Quentin Armitage) New function added in commit 54802b2c is missing from libipset.map (bugzilla id #1182, reported by irherder@gmail.com) 6.33 Kernel part changes Backport patch: sctp: remove the typedef sctp_sctphdr_t Backport patch: netfilter: nfnetlink: extended ACK reporting ipset: remove unused function __ip_set_get_netlink (Aaron Conole) Backport patch: netlink: pass extended ACK struct to parsing functions Backport patch netlink: extended ACK reporting netfilter: Remove exceptional & on function name (Arushi Singhal) Backport missing part of patch: netfilter: Remove unnecessary cast on void pointer Backport nfnl_msg_type() netfilter: ipset: ipset list may return wrong member count for set with timeout (Vishwanath Pai) netfilter: ipset: deduplicate prefixlen maps (Aaron Conole) Fix sparse warnings netfilter: ipset: Compress return logic (simran singhal) netfilter: ipset: Remove unnecessary cast on void pointer (simran singhal) Compatibility: handle changes in 4.10 kernel tree Userspace changes Report if the option is supported by a newer kernel release ipset: Fix ipset command replacement in runtest.sh (Neutron Soutmun) Correct a test: number of entries may be outdated 6.32 Userspace changes Fix possible truncated output in ipset output buffer handling (Reported by Omri Bahumi and Yoni Lavi). Missing prototype added in ipset_hash_ipmac.c (debugging) 6.31 Kernel part changes netfilter: ipset: Null pointer exception in ipset list:set (Vishwanath Pai) Fix bug: sometimes valid entries in hash:* types of sets were evicted (reported by Eric Ewanco) Correct copyright owner Revert patch "Correct rcu_dereference_bh_nfnl() usage" Userspace changes Update manpage about the size parameter of list:set types. New test to verify that only the intended entries are deleted at hash types. 6.30 Kernel part changes netfilter: ipset: hash: fix boolreturn.cocci warnings (Fengguang Wu) Fix the nla_put_net64() API changes backport netfilter: ipset: Fixing unnamed union init (Elad Raz) netfilter: x_tables: Use par->net instead of computing from the passed net devices (Eric W. Biederman) Correct the reported memory size for bitmap:* types Fix coding styles reported by checkpatch.pl, already in kernel netfilter: x_tables: Pass struct net in xt_action_param (Eric W. Biederman) net: sched: fix skb->protocol use in case of accelerated vlan path (Jiri Pirko) Check IPSET_ATTR_ETHER netlink attribute length in hash:ipmac too netfilter: fix include files for compilation (Mikko Rapeli) ipset: Backports for the nla_put_net64() API changes (Neutron Soutmun) netfilter: ipset: use setup_timer() and mod_timer(). (Muhammad Falak R Wani) hash:ipmac type support added to ipset (Tomasz Chilinski) Userspace changes Drop extra comma from error message (Neutron Soutmun) Fix the incorrect dynamic/static modules list (Neutron Soutmun) Correct tests to check the number of entries too hash:ipmac type support added to ipset, userspace part (Tomasz Chilinski) 6.29 Kernel part changes Fix race condition in ipset save, swap and delete (Vishwanath Pai) Userspace changes Suppress unnecessary stderr in command loop for resize and list Correction in comment test Support chroot buildroots (reported by Jan Engelhardt) Fix "configure" breakage due to pkg-config related changes (reported by Jan Engelhardt) 6.28 Kernel part changes Check IPSET_ATTR_ETHER netlink attribute length Fix __aligned_u64 compatibility support for older kernel releases Add compatibility to support EXPORT_SYMBOL_GPL in module.h Fix set:list type crash when flush/dump set in parallel Pass down netns pointer to call() and call_rcu() (backport) Allow a 0 netmask with hash_netiface type (Florian Westphal) Userspace changes Support older pkg-config packages Add bash completion to the install routine (Mart Frauenlob) Fix misleading error message with comment extension Test added to check 0.0.0.0/0,iface to be matched in hash:net,iface type Fix link with libtool >= 2.4.4 (Olivier Blin) 6.27 Kernel part changes Fix reported memory size for hash:* types Fix hash type expire: release empty hash bucket block Fix hash type expiration: incorrect index fixed Collapse same condition body to a single one Fix extension alignment Compatibility: include linux/export.h when needed Compatibility: make sure vmalloc.h is included for kvfree() Compatibility: Fix detecting 'struct net' in 'struct tcf_ematch' Compatibility: Protect definition of RCU_INIT_POINTER in compatibility header file netfilter: ipset: Fix sleeping memory allocation in atomic context (Nikolay Borisov) Userspace changes Handle uint64_t alignment issue in ipset tool 6.26 Kernel part changes Out of bound access in hash:net* types fixed (reported by Dave Jones) Make struct htype per ipset family (originally from Sergey Popovich) Optimize hash creation routine (originally from Sergey Popovich) Make sure element data size is a multiple of u32 (originally from Sergey Popovich) Make NLEN compile time constant for hash types (originally from Sergey Popovich) Simplify mtype_expire() for hash types (originally from Sergey Popovich) Count non-static extension memory into the set memory size for userspace net: sched: Simplify em_ipset_match (Eric W. Biederman) Userspace changes Out of bound access in hash:net* types fixed (reported by Dave Jones): new tests added to the testsuite to verify the fix Warn about loaded in ip_set modules at module installation Use IPSET_BIN in resize-and-list.sh and suppress echoing of loop variable Manpage typo corrections (David Wittman) Fix grammar error in manpage (Neutron Soutmun) 6.25.1 Kernel part changes net/netfilter/ipset: work around gcc-4.4.4 initializer bug (Andrew Morton) Userspace changes ipset manpage: refer to iptables-extensions Update userspace header file from the kernel tree Handle 'extern "C" {' in check_libmap.sh 6.25 Kernel part changes Add element count to all set types header Add element count to hash headers (Eric B Munson) implement nla_put_in_addr and nla_put_in6_addr (Jiri Benc) deinline ip_set_put_extensions() (Denys Vlasenko) Fix error path in mtype_resize() when new hash bucket cannot be allocated There is no need to call synchronize_rcu() after list_add_rcu() Fix typo in function name get_phyoutdev_name() Separate memsize calculation code into dedicated functions (originally from Sergey Popovich) Split extensions into separate files (originally from Sergey Popovich) Improve comment extension helpers (originally from Sergey Popovich) Improve skbinfo get/init helpers (originally from Sergey Popovich) Headers file cleanup (originally from Sergey Popovich) Correct rcu_dereference_bh_nfnl() usage (originally from Sergey Popovich) add helpers for fetching physin/outdev (Florian Westphal) When a single set is destroyed, make sure it can't be grabbed by dump In comment extension ip_set_comment_free() is always called in a safe path Add rcu_barrier() to module removal in the bitmap types too Fix coding styles reported by the most recent checkpatch.pl Make sure bitmap:ip,mac detects the proper MAC even when it's overwritten RCU safe comment extension handling Make sure the proper is_destroyed value is checked at dumping Fix broken commit "Check extensions attributes before getting extensions." Improve preprocessor macros checks (Sergey Popovich) Fix hashing for ipv6 sets (Sergey Popovich) Fix ext_*() macros so pointers returned by these macros could be referenced directly (Sergey Popovich) Check for comment netlink attribute length (Sergey Popovich) Return bool values instead of int (Sergey Popovich) Check CIDR value only when attribute is given (Sergey Popovich) Make sure we always return line number on batch (Sergey Popovich) Permit CIDR equal to the host address CIDR in IPv6 (Sergey Popovich) Use HOST_MASK literal to represent host address CIDR len (Sergey Popovich) Check IPSET_ATTR_PORT only once (Sergey Popovich) Check extensions attributes before getting extensions (Sergey Popovich) Use SET_WITH_*() helpers to test set extensions (Sergey Popovich) Return ipset error instead of bool (Sergey Popovich) Preprocessor directices cleanup (Sergey Popovich) No need to make nomatch bitfield (Sergey Popovich) Make sure bit operations are not reordered Properly calculate extensions offsets and total length (Sergey Popovich) Fix cidr handling for hash:*net* types, reported by Jonathan Johnson fix boolreturn.cocci warnings (Fengguang Wu) make ip_set_get_ip*_port to use skb_network_offset (Alexander Drozdov) Make sure listing doesn't grab a set which is just being destroyed. Missing rcu_read_lock() and _unlock() in mtype_list() fixed Fix coding styles reported by checkpatch.pl Use nlmsg_total_size instead of NLMSG_SPACE in ip_set_core.c There's no need to call synchronize_rcu() with kfree_rcu() Call rcu_barrier() in module removal path Call synchronize_rcu() in set type (un)register functions only when needed Remove an unused macro Give a better name to a macro in ip_set_core.c Resolve the STREQ macro to make the code more readable, and use nla_strlcpy where possible Use MSEC_PER_SEC consistently Remove unnecessary integer RCU handling and fix other sparse warnings Fix sparse warning "cast to restricted __be32" Userspace changes Add element count to all set types header Add element count to hash headers (Eric B Munson) Support linking libipset to C++ programs (reported by Pavel Odintsov) ipset: propose rewording in manpage (Neutron Soutmun) More compatibility checking and simplifications to support the 2.6.32 kernel tree Compatibility: define RCU_INIT_POINTER when __rcu is not defined Compatibility: check kernel source for list_last_entry (CentOS7, reported by Ricardo Klein) Make possible to pass extra flags to sparse 6.24 Kernel part changes netfilter: ipset: small potential read beyond the end of buffer (Dan Carpenter) Fix parallel resizing and listing of the same set styles warned by checkpatch.pl fixed Introduce RCU in all set types instead of rwlock per set (performance tested by Jesper Dangaard Brouer) Remove rbtree from hash:net,iface in order to run under RCU Explicitly add padding elements to hash:net,net and hash:net,port,net Allocate the proper size of memory when /0 networks are supported Simplify cidr handling for hash:*net* types Indicate when /0 networks are supported Kernel API changes in em_ipset.c, support both old and new ones netfilter: Convert uses of __constant_ to (Joe Perches) net: use the new API kvfree() (WANG Cong) treewide: fix errors in print (Masanari Iida) netfilter: use IS_ENABLED(CONFIG_BRIDGE_NETFILTER) (Pablo Neira Ayuso) Use IS_ENABLED macro and define it if required Alignment problem between 64bit kernel 32bit userspace fixed (reported by Sven-Haegar Koch) netfilter: ipset: off by one in ip_set_nfnl_get_byindex() (Dan Carpenter) Userspace changes The "extra" subdirectory for kernel modules may have a full subtree (reported by Jesper Dangaard Brouer) Add more compatibility checkings to support older kernel releases Make_global.am: Don't include host headers (Baruch Siach) Alignment problem between 64bit kernel 32bit userspace fixed (reported by Sven-Haegar Koch) Add script to check libipset.map for missing symbols Update libipset.map with ipset_parse_tcp_udp_port (Thomas Backlund) libipset: Bump lib version and update map file (Neutron Soutmun) Bash utilities updated ipset: Fix hyphen used as minus sign in manpage (Neutron Soutmun) 6.23 Kernel part changes Support updating extensions when the set is full (fixes bugzilla id #880) Userspace changes The utils are updated from their sources Order create and add options in manpage so that generic ones come first Centralise generic create options (family, hashsize, maxelem) on top of man page in the generic options section. (Mart Frauenlob) Support glibc < 2.9 (fixes bugzilla id #891) Add description of hash:mac set type to man page. (Mart Frauenlob) Add missing space for skbinfo option synopsis. (Mart Frauenlob) The library/API versions were forgotten to bump (reported by Sergei Zhirikov) Retry printing when sprintf fails (reported by Stig Thormodsrud) 6.22 Kernel part changes hash:mac type added to ipset skbinfo extension: send nonzero extension elements only to userspace netfilter: Convert pr_warning to pr_warn (Joe Perches) netfilter: ipset: Add skbinfo extension support to SET target. (Anton Danilov) netfilter: ipset: Add skbinfo extension kernel support for the list set type. (Anton Danilov) netfilter: ipset: Add skbinfo extension kernel support for the hash set types. (Anton Danilov) netfilter: ipset: Add skbinfo extension kernel support for the bitmap set types. (Anton Danilov) netfilter: ipset: Add skbinfo extension kernel support in the ipset core. (Anton Danilov) Fix static checker warning in ip_set_core.c (reported by Dan Carpenter) Fix warn: integer overflows 'sizeof(*map) + size * set->dsize' (reported by Dan Carpenter) net/netfilter/ipset: Resolve missing-field-initializer warnings (Mark Rustad) netnet,netportnet: Fix value range support for IPv4 (Sergey Popovich) Removed invalid IPSET_ATTR_MARKMASK validation (Vytas Dauksa) Userspace changes hash:mac type added to ipset Add test to check mark mapping ipset: remove extran newline on debug output (Holger Eitzenberger) ipset: avoid duplicate command flags (Holger Eitzenberger) Remove a duplicate debug print (Holger Eitzenberger) ipset: man: Add the skbinfo extension documentation. (Anton Danilov) libipset: Add userspace support of the skbinfo extension of the list set type. (Anton Danilov) libipset: Add userspace support of the skbinfo extension of the hash set types. (Anton Danilov) libipset: Add userspace support of the skbinfo extension of the bitmap set types. (Anton Danilov) libipset: Add userspace code for the skbinfo extension support. (Anton Danilov) Make possible to compile ipset with IPSET_DEBUG from the dist. (Clinton Roy) libipset: print third element in debugging (Sergey Popovich) ipset: Handle missing leading zeros in ethernet address parser (Janeks Jaunups) ipset: Pass IPSET_BIN to test scripts to change binary location (Neutron Soutmun) ipset: Fix grammar error in manpage (Neutron Soutmun) ipset: Fix printf format warning (Neutron Soutmun) 6.21.1 Kernel part changes netfilter: ip_set: rename nfnl_dereference()/nfnl_set() (Patrick McHardy) Userspace changes The bash utilities are updated Fix libipset library release versioning (reported by Mathieu Bridon) 6.21 Kernel part changes ipset: add forceadd kernel support for hash set types (Josh Hunt) netfilter: ipset: move registration message to init from net_init (Ilia Mirkin) kernel: uapi: fix MARKMASK attr ABI breakage (Florian Westphal) Prepare the kernel for create option flags when no extension is needed add markmask for hash:ip,mark data type (Vytas Dauksa) add hash:ip,mark data type to ipset (Vytas Dauksa) ipset: remove unused code (Stephen Hemminger) netfilter: ipset: Add hash: fix coccinelle warnings (Fengguang Wu) Typo in ip_set_hash_netnet.c fixed (David Binderman) net ipset: use rbtree postorder iteration instead of opencoding (Cody P Schafer) ipset: Follow manual page behavior for SET target on list:set (Sergey Popovich) Userspace changes ipset: add userspace support for forceadd (Josh Hunt) kernel: uapi: fix MARKMASK attr ABI breakage (Florian Westphal) lib: fix ifname 'physdev:' prefix parsing (Florian Westphal) Prepare the kernel for create option flags when no extension is needed print mark & mark mask in hex rather then decimal (Vytas Dauksa) add markmask for hash:ip,mark data type (Vytas Dauksa) add hash:ip,mark data type to ipset (Vytas Dauksa) ipset: manpage: correct add action synopsis for hash:net,port,net. (Mart Frauenlob) ipset: manpage: remove spare comma for hash:net,net test action. (Mart Frauenlob) Fix all set output from list/save when set with counters in use. (Sergey Popovich) ipset: Fix malformed output from list/save for ICMP types in port field (Sergey Popovich) ipset: fix timeout data type size (Nikolay Martynov) 6.20.1 Kernel part changes netfilter: ipset: remove duplicate define (Michael Opdenacker) net->user_ns is available starting from 3.8, add compatibility checking (reported by Jan Engelhardt) Fix memory allocation for bitmap:port (reported by Quentin Armitage) Avoid clashing with configured kernel in [CONFIG_]IP_SET_MAX The unnamed union initialization may lead to compilation error (reported by Husnu Demir) Use dev_net() instead of the direct access to ->nd_net (reported by the kbuild test robot) Userspace changes build: fix incorrect library versioning (Jan Engelhardt) netfilter: ipset: Fix configure failure when --with-kmod=no (Oliver Smith) Avoid clashing with configured kernel in [CONFIG_]IP_SET_MAX 6.20 Kernel part changes Compatibility code is modified not to rely on kernel version numbers Use netlink callback dump args only Add hash:net,port,net module to kernel (Oliver Smith) Add net namespace for ipset (Vitaly Lavrov) Use a common function at listing the extensions of the elements For set:list types, replaced elements must be zeroed out Fix hash resizing with comments Support comments in the list-type ipset (Oliver Smith) Support comments in bitmap-type ipsets (Oliver Smith) Support comments in hash-type ipsets (Oliver Smith) Support comments for ipset entries in the core (Oliver Smith) Add hash:net,net module to kernel (Oliver Smith) Fix serious failure in CIDR tracking (Oliver Smith) list:set: make sure all elements are checked by the gc Support extensions which need a per data destroy function Generalize extensions support Move extension data to set structure Rename extension offset ids to extension ids Prepare ipset to support multiple networks for hash types Introduce new operation to get both setname and family Validate the set family and not the set type family at swapping (Bug reported by Quentin Armitage, netfilter bugzilla id #843) Consistent userspace testing with nomatch flag Skip really non-first fragments for IPv6 when getting port/protocol ipset standalone package needs to ship em_ipset.c (reported by Jan Engelhardt) Userspace changes Missing comment support added to hash:ip,port,ip and hash:net,iface types Compatibility code is modified not to rely on kernel version numbers Add userspace code to support hash:net,port,net kernel module (Oliver Smith) Tests added to check comment extension Add new userspace set revisions for comment support (Oliver Smith) Support comments in the userspace library (Oliver Smith) Rework the "fake" argument parsing for ipset restore (Oliver Smith) Add userspace code to support hash:net,net kernel module (Oliver Smith) Add test to verify CIDR tracking configure: uclinux is also linux (Gustavo Zacarias) Add specifying protocol for bitmap:port (Quentin Armitage) Remove artifical restriction of netmask values for hash:ip type (Reported by Quentin Armitage, netfilter bugzilla id #844) Make sure called test scripts can be executed (reported by Tomas Budai) Manpage fix: not just identical, but compatible type of sets can be swapped (Reported by Quentin Armitage, netfilter bugzilla id #843) Fix error message typo (Reported by Quentin Armitage, netfilter bugzilla id #843) Parse option "family" first, because other options may depend on it (Bug reported by Quentin Armitage, closed netfilter bugzilla #841) Change 2nd parameter type of ipset_parse_elem (Quentin Armitage) Report broken netlink messages in debug mode Fix hyphen used as minus sign in manpage (Neutron Soutmun) libipset.pc must be installed via 'make install' (Eric Leblond) 6.19 Kernel part changes Compatibility fixes to keep the support of kernels back to 2.6.32 Backport nla_put_net64 Support package fragments for IPv4 protos without ports (Anders K. Pedersen) Use fix sized type for timeout in the extension part Make sure kernel configured properly for sparse checkings Fix "may be used uninitialized" warnings (reported by Pablo Neira Ayuso) Rename simple macro names to avoid namespace issues (reported by David Laight) Fix sparse warnings due to missing rcu annotations (reported by Pablo Neira Ayuso) Sparse warning about shadowed variable fixed Don't call ip_nest_end needlessly in the error path (suggested by Pablo Neira Ayuso) set match: add support to match the counters The list:set type with counter support The hash types with counter support The bitmap types with counter support Introduce the counter extension in the core list:set type using the extension interface Hash types using the unified code base Unified hash type generation Bitmap types using the unified code base Unified bitmap type generation Move often used IPv6 address masking function to header file Make possible to test elements marked with nomatch, from userspace netfilter ipset: Use ipv6_addr_equal() where appropriate. (YOSHIFUJI Hideaki) Add a compatibility header file for easier maintenance The uapi include split in the package itself Reorder modules a little bit in Kbuild Userspace changes Check at modules_install whether depmod ignores the extra subdir (reported by Husnu Demir and tian fang) The utils are updated from their sources Manpage typing error correction (reported by Husnu Demir) Update testsuite as the trailing space was eliminated at listings Add sparse checking support to userspace Improve XML output: add element tag and root element (suggested by Lucas Hamie) Manpage updates Add new testsuite entries to verify counters and the new type implementation Introduce the new set type revisions with counter support Support counters in the ipset library The uapi include split in the package itself 6.18 Kernel part changes bitmap:ip,mac: fix listing with timeout (reported by Yoann JUET) hash:*net*: nomatch flag not excluded on set resize list:set: update reference counter when last element pushed off 6.17 Kernel part changes Make sure ip_set_max isn't set to IPSET_INVALID_ID netfilter: ipset: timeout values corrupted on set resize (Josh Hunt) "Directory not empty" error message (reported by John Brendler) Userspace changes Fix revision printing in XML mode (reported by Mart Frauenlob) Correct "Suspicious condition (assignment + comparison)" (Thomas Jarosch) Fix error path when protocol number is used with port range Interactive mode error after syntax error (reported by Mart Frauenlob) The ipset_bash_completion tool is added The ipset_list tool is added 6.16.1 Kernel part changes Add ipset package version to external module description Backport RCU handling up to 2.6.32.x 6.16 Userspace changes Remove all modules before testing resize build: support for Linux 3.7 UAPI (Jan Engelhardt) Kernel part changes Netlink pid is renamed to portid in kernel 3.7.0 Fix RCU handling when the number of maximal sets are increased netfilter: ipset: fix netiface set name overflow (Florian Westphal) 6.15 Userspace changes Fix interactive mode (Fredrik Eriksson) Use gethostbyname2 instead of getaddrinfo Make tests/check_cidrs.sh script executable Add tests to check completely ranges with hash types Make easier to apply the netlink.patch Support protocol numbers as well, not only protocol names Add (back) the debug flag to configure Add simple test to check cidr book-keeping Kernel part changes Increase the number of maximal sets automatically as needed Restore the support of kernel versions between 2.6.32 and 2.6.35 Fix range bug in hash:ip,port,net Revert, then reapply cidr book keeping patch to handle /0 6.14 Userspace changes Support to match elements marked with "nomatch" in hash:*net* sets Coding style fixes The set type revision number is added to the header part of listing Help prints list type revision and terse description Add /0 network support to hash:net,iface type Fix errors when compiling in debug mode (Krunal Patel) Make sure IPPROTO_UDPLITE is defined build: restore -version-info (Jan Engelhardt) Kernel part changes Support to match elements marked with "nomatch" in hash:*net* sets Coding style fixes Include supported revisions in module descriptio Add /0 network support to hash:net,iface type Fix cidr book keeping for hash:*net* types Check and reject crazy /0 input parameters Backport ether_addr_equal Coding style fix, backport from kernel net: cleanup unsigned to unsigned int (Eric Dumazet) 6.13 Userspace changes Explain in more detail src/dst for hash:net,iface ipset help lists set types multiple times, fixed (reported by Mr Dash Four) The commandline parser was too permissive, make it more strict Allow saving to/restoring from a file without shell redirection Fix typo of word "unkown" to "unknown" (Neutron Soutmun) Kernel part changes ipset: Handle properly an IPSET_CMD_NONE (Tomasz Bursztyka) netfilter: ipset: hash:net,iface: fix interface comparison (Florian Westphal) Timeout fixing bug broke SET target special timeout value, fixed Use MSEC_PER_SEC instead of harcoded value 6.12.1 Userspace changes Enable silent (kernel style) compile messages Fix build failed on --disable-dependency-tracking (Neutron Soutmun) Add tarball target to Makefile 6.12 Kernel part changes Backport nla_put_net* functions as NLA_PUT* were removed netlink: add netlink_dump_control structure for netlink_dump_start() ipset: Stop using NLA_PUT*(). Fix hash size checking in kernel (bug reported by Seblu) Correct README file about minimal required iptables version (Oskar Berggren) Sparse warnings "incorrect type in assignment" fixed Fix timeout value overflow bug at large timeout parameters (bug reported by Andreas Herz) ipv6: Add fragment reporting to ipv6_skip_exthdr(). net: remove ipv6_addr_copy() Fix the inclusion of linux/export.h (Henry Culver) Userspace changes Cleanup generated files by make tidy Add more CC warning option to debug mod Report syntax error messages immediately Suppress false syntax error messages Add configure summary for the ipset userspace tool Add dynamic module support to ipset userspace tool (Neutron Soutmun) Move ipset_port_usage() into lib (Neutron Soutmun) Fix invalid assignment to const void pointer (bug reported by Seblu) Remove unused variables (warnings fixed) Fix timeout value overflow bug at large timeout parameters (bug reported by Andreas Herz) Improve ipset help text messages (Mr Dash Four) 6.11 Kernel part changes hash:net,iface timeout bug fixed Exceptions support added to hash:*net* types net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules Log warning when a hash type of set gets full Userspace changes Support hostnames and service names with dash Exceptions support added to hash:*net* types Log warning when a hash type of set gets full Set types moved into libipset library Library map file added in order to support library versioning doc: Linux 2.6.39 already has the defs (Jan Engelhardt) build: install libipset in the right place (Jan Engelhardt) Provide a pkgconfig file (Jan Engelhardt) build: make distcheck work and use POSIX mode for tarball generation (Jan Engelhardt) build: install libipset/linux_ip_set_list.h (Jan Engelhardt) build: include libipset/nfproto.h (Jan Engelhardt) build: process include/libipset/ (Jan Engelhardt) build: use AC_CONFIG_AUX_DIR and stash away tools (Jan Engelhardt) Update .gitignore (Jan Engelhardt) 6.10 Kernel part changes Invert the logic to include version.h in ip_set_core.c Suppress false compile-time warnings about uninitialized variable ip_to Userspace changes Tests added to check ICMP/ICMPv6 type/code parsing ICMP/ICMPv6 type/code parser bug fixed (bug reported by Sabitov) ipset: fix lookup of tcp port names (Stephen Hemminger) Optionally disable building the kernel module (Mathieu Bridon) Make tidy complete 6.9.1 Kernel part changes Fix compiling ipset as external kernel modules (v6.9) Complete Kconfig with hash:net,iface type (standalone package) rtnetlink: Compute and store minimum ifinfo dump size (Greg Rose) Remove redundant linux/version.h includes from net/ (Jesper Juhl) ipset: use NFPROTO_ constants (Jan Engelhardt) netfilter: ipset: expose userspace-relevant parts in ip_set.h (Jan Engelhardt) netfilter: ipset: avoid use of kernel-only types (Jan Engelhardt) netfilter: Remove unnecessary OOM logging messages (Joe Perches) Dumping error triggered removing references twice and lead to kernel BUG Autoload set type modules safely Userspace changes build: move ipset_errcode into library (Jan Engelhardt) build: abort autogen on subcommand failure (Jan Engelhardt) ipset: use NFPROTO_ constants (Jan Engelhardt) Propagate "expose userspace-relevant parts in ip_set.h" to ipset source 6.8 Kernel part changes Fix compiler warnings "'hash_ip4_data_next' declared inline after being called" (Chris Friesen) hash:net,iface fixed to handle overlapping nets behind different interfaces Make possible to hash some part of the data element only. Userspace changes Update the manpage and document the limits in hash:net,iface. README file corrections from Richard Lucassen 6.7 Kernel part changes Whitespace and coding fixes, detected by checkpatch.pl hash:net,iface type introduced Use the stored first cidr value instead of '1' Fix return code for destroy when sets are in use Add xt_action_param to the variant level kadt functions, ipset API change Drop supporting kernel versions below 2.6.35 Userspace changes Whitespace and coding fixes, detected by checkpatch.pl hash:net,iface type introduced hash:* tests may seem to fail due to the too wide grep pattern, fix them Remove iptree tests and compatibility element parsing hash:net test may seem to fail due to the too wide grep pattern, fix it Fix long time uncovered bug at adding string attributes to the netlink messages Fix warnings reported by valgrind Remove supporting set types iptree and iptreemap 6.6 Kernel part changes Use unified from/to address masking and check the usage ip_set_flush returned -EPROTO instead of -IPSET_ERR_PROTOCOL, fixed Take into account cidr value for the from address when creating the set Adding ranges to hash types with timeout could still fail, fixed Removed old, not used hashing method ip_set_chash Remove variable 'ret' in type_pf_tdel(), which is set but not used Use proper timeout parameter to jiffies conversion Userspace changes Restore with bitmap:port and list:set types did not work, fixed Accept "\r\n" terminated COMMIT command in restore files Fix the message sequence number book-keeping Protocol-level debugging support added hash:net stress test in range notation added ipset_mnl_query: in debug mode print the errno returned by the cb function Accept "\r\n" terminated lines in restore files Remove outdated checking of IPv6 support from configure.ac 6.5 Kernel part changes Support range for IPv4 at adding/deleting elements for hash:*net* types Set type support with multiple revisions added Fix adding ranges to hash types Userspace changes Support range for IPv4 at adding/deleting elements for hash:*net* types Disable type revisions which are not supported both by the kernel and ipset Update ipset help text to reflect SCTP and UDPLITE support Ignore -n flag (list just setnames) when sets are to be saved 6.4 Kernel part changes Support listing setnames and headers too Fix the order of listing of sets Options and flags support added to the kernel API Userspace changes Get rid of the trailing empty line at listing sets Fix XML listing, remove broken unused "elements" tag Support listing setnames and headers too Sorting is dependent on the locale settings, use LC_ALL=C Use unified diff output in tests 6.3 Kernel part changes ipset/Kconfig was a mixed up kernel config file, fixed (Michael Tokarev) bitmap:ip,mac type requires "src" for MAC, enforce it whitespace fixes: some space before tab slipped in set match and SET target fixes (bugs reported by Lennert Buytenhek) Userspace changes Testsuite changes: keep temporary files bitmap:ip,mac type requires "src" for MAC: manpage is updated to reflect the change Testsuite checks added (SET target and dir parameter checks) 6.2 Kernel part changes list:set timeout variant fixes References are protected by rwlock instead of mutex Add explicit text message to detect patched kernel (netlink.patch) Timeout can be modified for already added elements Userspace changes Manpage update 6.1 Kernel part changes The hash:*port* types ignored the address range with non TCP/UDP, fixed Fix checking the revision number of the set type at create command SCTP, UDPLITE support to hash:*port* types added Fix revision reporting got broken by the revision checking patch Userspace changes Manpage was not installed (reported by Mark A. Ziesemer) SCTP, UDPLITE support to the hash:*port* types added 6.0 Kernel part changes Reorganized kernel/ subdir netfilter: ipset: fix linking with CONFIG_IPV6=n (Patrick McHardy) netfilter: ipset: send error message manually netfilter: ipset: add missing break statemtns in ip_set_get_ip_port() (Patrick McHardy) netfilter: ipset: add missing include to xt_set.h (Patrick McHardy) netfilter: ipset: remove unnecessary includes (Patrick McHardy) netfilter: ipset: use nla_parse_nested() (Patrick McHardy) Separate ipset errnos completely from system ones and bump protocol version Use better error codes in xt_set.c Fix sparse warning about shadowed definition bitmap:ip type: flavour specific adt functions (Patrick McHardy's review) bitmap:port type: flavour specific adt functions (Patrick McHardy's review) Move the type specifici attribute validation to the core (suggested by Patrick McHardy) Use vzalloc() instead of __vmalloc() (Eric Dumazet, Patrick McHardy) Use meaningful error messages in xt_set.c (Patrick McHardy's review) Constified attribute cannot be written (Patrick McHardy's review) Send (N)ACK at dumping only when NLM_F_ACK is set (Patrick McHardy's review) Correct the error codes: use ENOENT and EMSGSIZE (Patrick McHardy's review) Userspace changes Print protocol version together with ipset version Testsuite compatibility with debugging enabled Allow "new" as a commad alias to "create" ipset: improve command argument parsing (Holger Eitzenberger) ipset: avoid the unnecessary argv[] loop (Holger Eitzenberger) ipset: pass ipset_arg argument pointer (Holger Eitzenberger) Separate ipset errnos completely from system ones and bump protocol version Fix the spelling error fix :-) (Ferenc Wagner) Resolving IP addresses did not work at listing/saving sets, fixed ipset: fix spelling error (Holger Eitzenberger) ipset: fix the Netlink sequence number (Holger Eitzenberger) ipset: turn Set name[] into a const pointer (Holger Eitzenberger) Check ICMP and ICMPv6 with the set match and target in the testsuite Avoid possible syntax clashing at saving hostnames 5.4.1 Documentation UPGRADE file added 5.4 Kernel part changes Fixed broken ICMP and ICMPv6 handling Fix trailing whitespaces and pr_* messages Un-inline functions which are not small enough (Patrick McHardy) Fix module loading at create/header commands (Patrick McHardy) Fix wrong kzalloc flag in type_pf_expire The get_ip*_port functions are too large to be inlined, moved into the core Add missing __GFP_HIGHMEM flag to __vmalloc (Eric Dumazet) Enforce network-ordered data in the netlink protocol Use annotated types and fix sparse warnings (Patrick McHardy) Move ip_set_alloc, ip_set_free and ip_set_get_ipaddr* into the core (Patrick McHardy) NETMASK*, HOSTMASK* macros are too generic, replace with inline functions (Patrick McHardy) Use static LIST_HEAD() for ip_set_type_list (Patrick McHardy) Move NLA_PUT_NET* macros to include/net/netlink.h (Patrick McHardy) The module parameter max_sets should be unsigned int (Patrick McHardy) Get rid of ip_set_kernel.h (Patrick McHardy) Fix the placement style of boolean operators at continued lines (Patrick McHardy) 5.3 Kernel part changes There is no need to call synchronize_net() at swapping Replace strncpy with strlcpy at creating a set Update copyright date and some style changes Use jhash.h accepted in kernel, with backward compatibility Separate prefixlens from ip_set core Remove unused ctnl parameter from call_ad (Jan Engelhardt) Comment the possible return values of the add/del/test type-functions Userspace changes Set the non-debug compiling the default Testsuite fix of ospf replaced with vrrp Fix build with NDEBUG defined (Holger Eitzenberger) Do session initialization once (Holger Eitzenberger) Make IPv4 and IPv6 address handling similar (Holger Eitzenberger) Show correct line numbers in restore output for parser errors (Holger Eitzenberger) Replace ospf with vrrp in the testsuite Remove autogenerated files (Jan Engelhardt) Use only AC_CANONICAL_HOST (Jan Engelhardt) 5.2 Kernel part changes Kernel version check at minimal supported version was mistyped, now fixed Userspace changes Handle internal printing errors Use cast to void * instead of memcpy as Sparc workaround at sockaddr_XXX suggested by Jan Engelhardt) Listing/saving of large sets could produce broken listing, fixed Support libtool < 2.2 5.1 Kernel part changes Kernel version compatibility: support bumped starting from 2.6.34 Use EXPORT_SYMBOL_GPL (Jan Engelhardt) const annotations (Jan Engelhardt) Use __read_mostly for registration-type structures (Jan Engelhardt) Do not mix const and __read_mostly (Jan Engelhardt) xt_set: avoid user types in exported kernel headers (Jan Engelhardt) Enable parallel building (Jan Engelhardt) Fix Kbuild for me to delete backup files Userspace changes Test cases for IPv6 restore and more complex restore sessions added Restore mode did not work for IPv6, fixed (reported by Elie Rosenblum) libipset: static annotations (Jan Engelhardt) libipset: const annotations (Jan Engelhardt) libipset: remove redundant casts (Jan Engelhardt) libipset: remove redundant indirection via union name (Jan Engelhardt) libipset: ipset_strncpy is really a strlcpy-type operation (Jan Engelhardt) Prevent calling Makefile directly in the kernel/ subdirectory Put back the Sparc specific workaround at getaddrinfo (reported by Jan Engelhardt) Check old system kernel header files Check from `configure` that the kernel source is patched with netlink.patch Use configure to detect compiler warning flags Try to solve PKG_CHECK_MODULES issue (reported by Rob Sterenborg) Fix incorrect comparison in check_allowed (reported by Jan Engelhardt) 5.0 New main branch - ipset completely rewritten 4.5 Kernel part changes The iptreemap type used wrong gfp flags when deleting entries (bug reported by Dash Four) Userspace changes Take into account the compile time setting of the default hash size (reported by Dash Four) 4.4 Kernel part changes The ipporthash, ipportiphash and ipportnethash set types did not work with mixed "src" and "dst" direction parameters of the "set" and "SET" iptables match and target (reported by Dash Four) Errorneous semaphore handling in error path fixed (reported by Jan Engelhardt, bugzilla id 668) Userspace changes Manpage fix to make it clear how ipset works on setlist type of sets (John Brendler, bugzilla id 640) 4.3 Kernel part changes Support of 2.6.35 kernels added 4.2 Kernel part changes nethash and ipportnethash types counted every entry twice which could produce bogus entries when listing/saving these types of sets (bug reported by Husnu Demir) Userspace changes Checking null entries when listing/saving hash types of sets deleted because it's unnecessary and can mask possible errors. 4.1 Kernel part changes Do not use init_MUTEX either (Jan Engelhardt) Improve listing/saving hash type of sets by not copying empty entries unnecessarily to userspace. Userspace changes Manpage fixes and corrections (Jan Engelhardt) 4.0 Kernel part changes Compilation of ip_set_iptree.c fails with kernel 2.6.20 due to missing include of linux/jiffies.h (Jan Engelhardt) Do not use DECLARE_MUTEX (compatibility fix on 2.6.31-rt, Jan Engelhardt) Flushing iptreemap type of sets caused high ksoftirqd load due to zeroed out gc parameter (bug reported by Georg Chini) New protocol is introduced to handle aligment issues properly (bug reported by Georg Chini) Binding support is removed Userspace changes New protocol is introduced to handle aligment issues properly (bug reported by Georg Chini) Binding support is removed 3.2 Kernel part changes Mixed up formats in ip_set_iptree.c fixed (Rob Sterenborg) Don't use 'bool' for backward compatibility reasons (Rob Sterenborg) 3.1 Userspace changes Correct format specifiers and change %i to %d (Jan Engelhardt) Kernel part changes Nonexistent sets were reported as existing sets when testing from userspace in setlist type of sets (bug reported by Victor A. Safronov) When saving sets, setlist type of sets must come last in order to satisfy the dependency from the elements (bug reported by Marty B.) Sparse insists that the flags argument to kmalloc() is gfp_t (Stephen Hemminger) Correct format specifiers and change %i to %d (Jan Engelhardt) Fix the definition of 'bool' for kernels <= 2.6.18 (Jan Engelhardt) 3.0 Userspace changes New kernel-userspace protocol release Bigendian and 64/32bit fixes (Stefan Gula, bugzilla id 593) tests/runtests.sh changed to support old bash shells Kernel part changes New kernel-userspace protocol release Bigendian and 64/32bit fixes (Stefan Gula, bugzilla id 593) Support of 2.4.3[67].* kernels fixed Compiling with debugging enabled fixed 2.5.0 Userspace changes On parisc architecture cast increases required aligment (bugzilla id 582), fixed. Respect LDFLAGS settings at compile time (Peter Volkov). Kernel part changes instead of setting the locks directly as it causes compilation errors with 2.6.29-rt (Jan Engelhardt). 2.4.9 Kernel part changes References to the old include file replaced with new one in order to really use the new Jenkins' hash function. 2.4.8 Userspace changes In order to disable the extra warning flags, NO_EXTRA_WARN_FLAGS variable added to userspace Makefile. Kernel part changes The Jenkins' hash lookup2() replaced with Jenkins' faster/better lookup3() hash function. Bug fixed: after elements are added and deleted from a hash, an element can successfully be added in spite it's already in the hash and thus duplicates can occur (Shih-Yi Chen). Compatibility with old gcc without 'bool' added. 2.4.7 Kernel part changes Typo which broke compilation with kernels < 2.6.28 fixed (reported by Richard Lucassen, Danny Rawlins) 2.4.6 Kernel part changes Compatibility fix for kernels >= 2.6.28 2.4.5 Userspace changes Some compiler warning options are too aggressive and therefore disabled. Kernel part changes setlist type does not work properly together with swapping sets, bug reported by Thomas Jacob. Include linux/capability.h explicitly in ip_set.c (Jan Engelhardt) 2.4.4 Userspace changes Premature checking prevents to add valid elements to hash types, fixed (bug reported by JC Janos). Local variable shadows another variable, fixed (reported by Jan Engelhardt). More compiler warning options added and warnings fixed. Kernel part changes Premature checking prevents to add valid elements to hash types, fixed (bug reported by JC Janos). 2.4.3 Userspace changes Include file <limits.h> was missing from userspace set type modules, reported by Krzysztof Oledzki and Sven Wegener. 2.4.2 Kernel part changes When flushing a nethash/ipportnethash type of set, it can lead to a kernel crash due to a wrong type declaration, bug reported by Krzysztof Oledzki. iptree and iptreemap types require the header file linux/timer.h, also reported by Krzysztof Oledzki. 2.4.1 Userspace changes macipmap type reported misleading deprecated separator tokens and printed the old one at listing set elements; the warning contained misprinting as well (bugs reported by Krzysztof Oledzki) Warn only once about deprecated separator tokens in restore mode. Kernel part changes Zero-valued element are not acceptable by hash type of sets because we cannot make a difference between a zero-valued element and not-set element. Enforce it, as manpage says. (fixes bugzilla id 543) 2.4 Userspace changes Added KBUILD_OUTPUT support (Sven Wegener) Fix memory leak in ipset_iptreemap (Sven Wegener) Fix multiple compiler warnings (Sven Wegener) ipportiphash, ipportnethash and setlist types added binding marked as deprecated functionality element separator token changed to ',' in anticipating IPv6 addresses, old separator tokens are still supported unnecessary includes removed ipset does not try to resolve IP addresses when listing the content of sets (default changed) manpage updated Kernel part changes ipportiphash, ipportnethash and setlist types added set type modules reworked to avoid code duplication as much as possible, code unification macros expand_macros Makefile target added to help debugging code unification macros ip_set_addip_kernel and ip_set_delip_kernel changed from void to int, __ip_set_get_byname and __ip_set_put_byid added for the sake of setlist type unnecessary includes removed compatibility fix for kernels >= 2.6.27: semaphore.h was moved from asm/ to linux/ (James King) 2.3.3a Fix to compile ipset with 2.4.26.x tree statically (bug reported by G.W. Haywood) 2.3.3 compatibility for the 2.6.x kernel tree improved and compiler warnings fixed (Jan Engelhardt) compatibility fixes for the 2.4.36.x kernel tree added 2.3.2 including limits.h for UINT_MAX is required with glibc-2.8 (pud) needless cast from and to void pointers cleanups in iptreemap (Sven Wegener) Initial ipset release with kernel modules included. 2.3.1 segfault on --unbind :all: :all: fixed (reported by bugzilla, report and patch sent by Tom Eastep) User input parameters are sanitized everywhere Initial testsuite added and 'test' target to the Makefile added: few bugs discovered and fixed typo in macipmap type prevented to use max size set of this type *map types are made sure to allow and use max size of sets 2.3.0 jiffies rollover bug in iptree type fixed (reported by Lukasz Nierycho and others) endiannes bug in iptree type fixed (spotted by Jan Engelhardt) iptreemap type added (submitted by Sven Wegener) 2.6.22/23 compatibility fixes (Jeremy Jacque) typo fixes in ipset (Neville D) separator changed to ':' from '%' (old one still supported) in ipset 2.2.9a use correct type (socklen_t) for getsockopt (H. Nakano) incorrect return codes fixed (Tomasz Lemiech, Alexey Bortnikov) kernel header dependency removed (asm/bitops.h) ipset now tries to load in the ip_set kernel module if the protocol is not available 2.2.9 ipset -N did not generate proper return code limit module parameter added to the kernel modules of the iphash, ipporthash, nethash and iptree type of sets so that the maximal number of elements can now be limited zero valued entries (port 0 or IP address 0.0.0.0) were detected as members of the hash/tree kind of sets (reported by Andrew Kraslavsky) list and save operations used the external identifier of the sets for the bindings instead of the internal one (reported by Amin Azez) 2.2.8 Nasty off-by-one bug fixed in iptree type of sets (bug reported by Pablo Sole) 2.2.7 All patches were submitted by Jones Desougi. missing or confusing error message fixes for ipporthash minor correction in debugging in nethash copy-paste bug in kernel set types at memory allocation checking fixed unified memory allocations in ipset 2.2.6 memory allocation in iptree is changed to GFP_ATOMIC because we hold a lock (bug reported by Radek Hladik) compatibility fix: __nocast is not defined in all 2.6 branches (problem reported by Ming-Ching Tiew) manpage corrections 2.2.5 garbage collector of iptree type of sets is fixed: flushing sets/removing kernel module could corrupt the timer new ipporthash type added manpage fixes and corrections 2.2.4 half-fixed memory allocation bug in iphash and nethash finally completely fixed (bug reported by Nikolai Malykh) restrictions to enter zero-valued entries into all non-hash type sets were removed Too strict check on the set size of ipmap type was corrected 2.2.3 Memory allocation bug in iphash and nethash in connection with the SET target was fixed (bug reported by Nikolai Malykh) lockhelp.h was removed from the 2.6.13 kernel tree, ip_set.c is updated accordingly (Cardoso Didier, Samir Bellabes) manpage is updated to clearly state the command order in restore mode 2.2.2 Jiffies rollover bug in ip_set_iptree reported and fixed by Rob Nielsen Compiler warning in the non-SMP case fixed (Marcus Sundberg) slab cache names shrunk in order to be compatible with 2.4.* (Marcus Sundberg) 2.2.1 Magic number in ip_set_nethash.h was mistyped (bug reported by Rob Carlson) ipset can now test IP addresses in nethash type of sets (i.e. addresses in netblocks added to the set) 2.2.0 Locking bug in ip_set_nethash.c (Clifford Wolf and Rob Carlson) Makefile contained an unnecessary variable in IPSET_LIB_DIR (Clifford Wolf) Safety checkings of restore in ipset was incomplete (Robin H. Johnson) More careful resizing by avoiding locking completely stdin stored internally in a temporary file, so we can feed 'ipset -R' from a pipe iptree set type added 2.1.0 Lock debugging used with debugless lock definiton (Piotr Chytla and others). Bindings were not properly filled out at listing (kernel) When listing sets from kernel, id was not added to the set structure (ipset) nethash set type added ipset manpage corrections (macipmap) 2.0.1 Missing -fPIC in Makefile (Robert Iakobashvili) Cut'n'paste bug at saving macipmap types (Vincent Bernat). Bug in printing/saving SET targets reported and fixed by Michal Pokrywka 2.0 Chaining of sets are changed: child sets replaced by bindings Kernel-userspace communication reorganized to minimize the number of syscalls Save and restore functionality implemented iphash type reworked: clashing resolved by double-hashing and by dynamically growing the set 1.0 ipset forked from ippool Chaining of sets added via child sets portmap and iphash types added

All the documentation on this site is released under the GNU/GPL license terms.