ChangeLog
- 7.23
- Userspace changes
- tests: runtest.sh: Keep running, print summary of failed tests (Phil Sutter)
- tests: cidr.sh: Fix for quirks in RHEL's ipcalc (Phil Sutter)
- tests: cidr.sh: Respect IPSET_BIN env var (Phil Sutter)
- ipset: Fix implicit declaration of function basename (Mike Pagano)
- tests: Reduce testsuite run-time (Phil Sutter)
- lib: ipset: Avoid 'argv' array overstepping (Phil Sutter)
- lib: data: Fix for global-buffer-overflow warning by ASAN (Phil Sutter)
- Kernel part changes
- netfilter: ipset: Hold module reference while requesting a module (Phil Sutter)
- netfilter: ipset: add missing range check in bitmap_ip_uadt (Jeongjun Park)
- netfilter: ipset: Fix suspicious rcu_dereference_protected()
- Replace BUG_ON() with WARN_ON_ONCE() according to usage policy.
- 7.22
- Userspace changes
- ipset: fix json output format for IPSET_OPT_IP (Z. Liu)
- tests: add namespace test and take into account delayed set removal at module remove
- Update autoconfig tools to build cleanly on Debian bookworm
- Kernel part changes
- netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
- netfilter: ipset: Add list flush to cancel_gc (Alexander Maltsev)
- Kill sched.h dependency on rcupdate.h (Kent Overstreet)
- Handle "netfilter: propagate net to nf_bridge_get_physindev" patch
- netfilter: propagate net to nf_bridge_get_physindev (Pavel Tikhomirov)
- Revert "netfilter: ipset: remove set destroy at ip_set module removal"
- 7.21
- Userspace changes
- The patch "Fix hex literals in json output" broke save mode, restore it
- Fix -Werror=format-extra-args warning
- Workaround misleading -Wstringop-truncation warning
- Kernel part changes
- netfilter: ipset: Suppress false sparse warnings
- tests: Verify module unload when sets with timeout were just destroyed
- netfilter: ipset: remove set destroy at ip_set module removal
- netfilter: ipset: Cleanup the code of destroy operation and explain the two stages in comments
- netfilter: ipset: Missing gc cancellations fixed
- 7.20
- Userspace changes
- Ignore *.order.cmd and *.symvers.cmd files in kernel builds
- Bash completion utility updated
- Fix json output for -name option (Mark)
- Fix hex literals in json output
- tests: increase timeout to cope with slow virtual test machine
- Kernel part changes
- treewide: Convert del_timer*() to timer_shutdown*() (Steven Rostedt)
- Use timer_shutdown_sync() when available, instead of del_timer_sync()
- netfilter: ipset: fix race condition between swap/destroy and kernel
side add/del/test v4
- netfilter: ipset: fix race condition between swap/destroy and kernel
side add/del/test v3
- netfilter: ipset: fix race condition between swap/destroy and kernel
side add/del/test v2
- netfilter: ipset: fix race condition between swap/destroy and kernel
side add/del/test
- 7.19
- Userspace changes
- build: Fix the double-prefix in pkgconfig (Sam James)
- 7.18
- Userspace changes
- Add json output to list command (Thomas Oberhammer)
- tests: hash:ip,port.t: Replace VRRP by GRE protocol (Phil Sutter)
- tests: hash:ip,port.t: 'vrrp' is printed as 'carp' (Phil Sutter)
- tests: cidr.sh: Add ipcalc fallback (Phil Sutter)
- tests: xlate: Make test input valid (Phil Sutter)
- tests: xlate: Test built binary by default (Phil Sutter)
- xlate: Drop dead code (Phil Sutter)
- xlate: Fix for fd leak in error path (Phil Sutter)
- configure.ac: fix bashisms (Sam James)
- lib/Makefile.am: fix pkgconfig dir (Sam James)
- Kernel part changes
- netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP (reported by Kyle Zeng)
- netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c (Kyle Zeng)
- compatibility: handle strscpy_pad()
- netfilter: ipset: refactor deprecated strncpy (Justin Stitt)
- netfilter: ipset: remove rcu_read_lock_bh pair from ip_set_test (Florian Westphal)
- netfilter: ipset: Replace strlcpy with strscpy (Azeem Shaikh)
- netfilter: ipset: Add schedule point in call_ad(). (Kuniyuki Iwashima)
- net: Kconfig: fix spellos (Randy Dunlap)
- netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function. (Gavrilov Ilia)
- 7.17
- Userspace changes
- Tests: When verifying comments/timeouts, make sure entries don't expire
- Tests: Make sure the internal batches add the correct number of elements
- Tests: Verify that hash:net,port,net type can handle 0/0 properly
- Makefile: Create LZMA-compressed dist-files (Phil Sutter)
- Kernel part changes
- netfilter: ipset: Rework long task execution when adding/deleting entries
- ipset: fix hash:net,port,net hang with /0 subnet
- 7.16
- Userspace changes
- Add new ipset_parse_bitmask() function to the library interface
- test: Make sure no more than 64 clashing elements can be added
to hash:net,iface sets
- netfilter: ipset: add tests for the new bitmask feature (Vishwanath Pai)
- netfilter: ipset: Update the man page to include netmask/bitmask options
(Vishwanath Pai)
- netfilter: ipset: Add bitmask support to hash:netnet (Vishwanath Pai)
- netfilter: ipset: Add bitmask support to hash:ipport (Vishwanath Pai)
- netfilter: ipset: Add bitmask support to hash:ip (Vishwanath Pai)
- netfilter: ipset: Add support for new bitmask parameter (Vishwanath Pai)
- ipset-translate: allow invoking with a path name (Quentin Armitage)
- Fix IPv6 sets nftables translation (Pablo Neira Ayuso)
- Fix typo in ipset-translate man page (Bernhard M. Wiedemann)
- Kernel part changes
- netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface
- Fix all debug mode warnings
- netfilter: ipset: Add support for new bitmask parameter (Vishwanath Pai)
- netfilter: ipset: regression in ip_set_hash_ip.c (Vishwanath Pai)
- netfilter: move from strlcpy with unused retval to strscpy
(Wolfram Sang)
- compatibility: handle unsafe_memcpy()
- netlink: Bounds-check struct nlmsgerr creation (Kees Cook)
- compatibility: move to skb_protocol in the code from tc_skb_protocol
- Compatibility: check kvcalloc, kvfree, kvzalloc in slab.h too
- sched: consistently handle layer3 header accesses in the presence
of VLANs (Toke Høiland-Jørgensen)
- treewide: Replace GPLv2 boilerplate/reference with SPDX
- rule 500 (Thomas Gleixner)
- headers: Remove some left-over license text in
include/uapi/linux/netfilter/ (Christophe JAILLET)
- netfilter: ipset: enforce documented limit to prevent allocating
huge memory
- netfilter: ipset: Fix oversized kvmalloc() calls
- 7.15
- Kernel part changes
- netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt()
(Nathan Chancellor)
- 7.14
- Userspace changes
- Add missing function to libipset.map and bump library version (reported by Jan Engelhardt)
- Kernel part changes
- 64bit division isn't allowed on 32bit, replace it with shift
- 7.13
- Userspace changes
- When parsing protocols by number, do not check it in /etc/protocols.
- Add missing hunk to patch "Allow specifying protocols by number"
- Kernel part changes
- Limit the maximal range of consecutive elements to add/delete fix
- 7.12
- Userspace changes
- Allow specifying protocols by number (Haw Loeung)
- Fix example in ipset.8 manpage discovered by Pablo Neira Ayuso.
- tests: add tests ipset to nftables (Pablo Neira Ayuso)
- add ipset to nftables translation infrastructure (Pablo Neira Ayuso)
- lib: Detach restore routine from parser (Pablo Neira Ayuso)
- lib: split parser from command execution (Pablo Neira Ayuso)
- Fix patch "Parse port before trying by service name"
- Kernel part changes
- Limit the maximal range of consecutive elements to add/delete
(reported by Brad Spengler)
- Backport "netfilter: use nfnetlink_unicast()"
- Backport "netfilter: nfnetlink: consolidate callback type"
- Backport "netfilter: nfnetlink: add struct nfnl_info and pass it to callbacks"
- Backport "netfilter: add helper function to set up the nfnetlink header and use it"
- 7.11
- Userspace changes
- Parse port before trying by service name (Haw Loeung)
- Silence unused-but-set-variable warnings (reported by Serhey Popovych)
- Handle -Werror=implicit-fallthrough= in debug mode compiling
- ipset: fix print format warning (Neutron Soutmun)
- Updated utilities
- Argument parsing buffer overflow in ipset_parse_argv fixed
(reported by Marshall Whittaker)
- 7.10
- Kernel part changes
- Fix patch "Handle false warning from -Wstringop-overflow"
- Backward compatibility: handle renaming nla_strlcpy to nla_strscpy
- treewide: rename nla_strlcpy to nla_strscpy. (Francis Laniel)
- netfilter: ipset: fix shift-out-of-bounds in htable_bits() (Vasily Averin)
- netfilter: ipset: fixes possible oops in mtype_resize (Vasily Averin)
- Handle false warning from -Wstringop-overflow
- Backward compatibility: handle missing strscpy with a wrapper of strlcpy.
- Move compiler specific compatibility support to separated file (broken
compatibility support reported by Ed W)
- 7.9
- Userspace changes
- Fix library versioning (Jan Engelhardt)
- 7.8
- Kernel part changes
- Complete backward compatibility fix for package copy of <linux/jhash.h>
- Compatibility: check for kvzalloc() and GFP_KERNEL_ACCOUNT
- netfilter: ipset: enable memory accounting for ipset allocations
(Vasily Averin)
- netfilter: ipset: prevent uninit-value in hash_ip6_add (Eric Dumazet)
- Compatibility: use skb_policy() from if_vlan.h if available
- Compatibility: Check for the fourth arg of list_for_each_entry_rcu()
- Backward compatibility fix for the package copy of <linux/jhash.h>
- 7.7
- Userspace changes
- Expose the initval hash parameter to userspace
- Handle all variable header parts in helper scripts instead ot test tasks
- Add bucketsize parameter to all hash types
- Support the -exist flag with the destroy command
- Kernel part changes
- Expose the initval hash parameter to userspace
- Add bucketsize parameter to all hash types
- Use fallthrough pseudo-keyword in the package copy of too
- Support the -exist flag with the destroy command
- netfilter: Use fallthrough pseudo-keyword (Gustavo A. R. Silva)
- netfilter: Replace zero-length array with flexible-array member (Gustavo A. R. Silva)
- netfilter: ipset: call ip_set_free() instead of kfree() (Eric Dumazet)
- netfiler: ipset: fix unaligned atomic access (Russell King)
- netfilter: ipset: Fix subcounter update skip (Phil Sutter)
- ipset: Update byte and packet counters regardless of whether they match (Stefano Brivio)
- netfilter: ipset: Pass lockdep expression to RCU lists (Amol Grover)
- ip_set: Fix compatibility with kernels between v3.3 and v4.5 (Serhey Popovych)
- ip_set: Fix build on kernels without INIT_DEFERRABLE_WORK (Serhey Popovych)
- ipset: Support kernels with at least system_wq support
- ip_set: Fix build on kernels without system_power_efficient_wq (Serhey Popovych)
- 7.6
- Userspace changes
- Add checking system_power_efficient_wq in the kernel source tree
- .gitignore: add temporary files to the list
- Kernel part changes
- netfilter: ipset: Fix forceadd evaluation path
- netfilter: ipset: Correct the reported memory size
- ip_set: Include kernel header instead of UAPI (Serhey Popovych)
- netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports
- netfilter: ipset: fix suspicious RCU usage in find_set_and_id
- Add compatibility support for bitmap_zalloc() and bitmap_zero()
- netfilter: ipset: use bitmap infrastructure completely
- netfilter: fix a use-after-free in mtype_destroy() (Cong Wang)
- 7.5
- Userspace changes
- configure.ac: Support building with old autoconf 2.63
(Serhey Popovych)
- configure.ac: Build on kernels without skb->vlan_proto correctly
(Serhey Popovych)
- configure.ac: Add cond_resched_rcu() checks (Serhey Popovych)
- configure.ac: Better match for ipv6_skip_exthdr() frag_offp
arg presence (Serhey Popovych)
- Document explicitly that protocol is not stored in bitmap:port
- Kernel part changes
- netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
(Florian Westphal)
- ip_set: Pass init_net when @net is missing in match check params
data structure (Serhey Popovych)
- netfilter: xt_set: Do not restrict --map-set to the mangle table
(Serhey Popovych)
- compat: em_ipset: Build on old kernels (Serhey Popovych)
- compat: Use skb_vlan_tag_present() instead of vlan_tx_tag_present()
(Serhey Popovych)
- 7.4
- Userspace changes
- Fix compatibility support for netlink extended ACK and add
synchronize_rcu_bh() checking
- treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
(Thomas Gleixner)
- ipset: Add wildcard support to net,iface (Kristian Evensen)
- Sort naturally instead of textual sort (bugzilla #1369)
- Do not return with error at 'make modules_install' when modules
are not loaded (reported by Oskar Berggren)
- Kernel part changes
- Fix nla_policies to fully support NL_VALIDATE_STRICT
- treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
(Thomas Gleixner)
- netfilter: remove unnecessary spaces (yangxingwu)
- ipset: Add wildcard support to net,iface (Kristian Evensen)
- ipset: Copy the right MAC address in hash:ip,mac IPv6 sets
(Stefano Brivio)
- netfilter: ipset: move ip_set_get_ip_port() to ip_set_bitmap_port.c.
(Jeremy Sowden)
- netfilter: ipset: move function to ip_set_bitmap_ip.c. (Jeremy Sowden)
- netfilter: ipset: make ip_set_put_flags extern. (Jeremy Sowden)
- netfilter: ipset: move functions to ip_set_core.c. (Jeremy Sowden)
- netfilter: ipset: move ip_set_comment functions from ip_set.h
to ip_set_core.c. (Jeremy Sowden)
- netfilter: ipset: remove inline from static functions in .c files.
(Jeremy Sowden)
- netfilter: ipset: add a coding-style fix to ip_set_ext_destroy.
(Jeremy Sowden)
- netfilter: added missing includes to a number of header-files.
(Jeremy Sowden)
- netfilter: inlined four headers files into another one. (Jeremy Sowden)
- netfilter: ipset: Fix an error code in ip_set_sockfn_get()
(Dan Carpenter)
- 7.3
- Userspace changes
- ipset: fix spelling error in libipset.3 manpage (Neutron Soutmun)
- Kernel part changes
- Fix rename concurrency with listing
- ipset: Copy the right MAC address in bitmap:ip,mac and
hash:ip,mac sets (Stefano Brivio)
- ipset: Actually allow destination MAC address for hash:ip,mac
sets too (Stefano Brivio)
- 7.2
- Userspace changes
- Kernel part changes
- Update my email address
- ipset: Fix memory accounting for hash types on resize (Stefano Brivio)
- Fix error path in set_target_v3_checkentry()
- Fix the last missing check of nla_parse()
- netfilter: ipset: fix a missing check of nla_parse (Aditya Pakki)
- netfilter: ipset: merge uadd and udel functions (Florent Fourcot)
- netfilter: ipset: remove useless memset() calls (Florent Fourcot)
- 7.1
- Userspace changes
- Add compatibility support for strscpy()
- Correct the manpage about the sort option
- Add missing functions to libipset.map
- configure.ac: Fix build regression on RHEL/CentOS/SL
(Serhey Popovych)
- Implement sorting for hash types in the ipset tool
- Fix to list/save into file specified by option
(reported by Isaac Good)
- Kernel part changes
- netfilter/ipset: replace a strncpy() with strscpy() (Qian Cai)
- netfilter: ipset: fix ip_set_byindex function (Florent Fourcot)
- netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel
(Pan Bian)
- Correct workaround in patch "Fix calling ip_set() macro at dumping"
- 7.0
- Userspace changes
- Introduction of new commands and protocol version 7, updated
kernel include files
- Add compatibility support for async in pernet_operations
- Use more robust awk patterns to check for backward compatibility
- Prepare the ipset tool to handle multiple protocol version
- Fix warning message handlin
- Correct to test null valued entry in hash:net6,port,net6 test
- Library reworked to support embedding ipset completely
- Add compatibility to support kvcalloc()
- Validate string type attributes in attr2data() (Stefano Brivio)
- manpage: Add comment about matching on destination MAC address
(Stefano Brivio)
- Add compatibility to support is_zero_ether_addr()
- Fix use-after-free in ipset_parse_name_compat() (Stefano Brivio)
- Fix leak in build_argv() on line parsing error (Stefano Brivio)
- Simplify return statement in ipset_mnl_query() (Stefano Brivio)
- tests/check_klog.sh: Try dmesg too, don't let shell terminate script
(Stefano Brivio)
- Kernel part changes
- Introduction of new commands and protocol version 7
- License cleanup: add SPDX license identifier to uapi header files with
no license (Greg Kroah-Hartman)
- net: Convert ip_set_net_ops (Kirill Tkhai)
- netfilter: Replace spin_is_locked() with lockdep (Lance Roy)
- Fix calling ip_set() macro at dumping
- Correct rcu_dereference() call in ip_set_put_comment()
- netfilter: ipset: fix ip_set_list allocation failure (Andrey Ryabinin)
- ipset: Make invalid MAC address checks consisten (Stefano Brivio)
- ipset: Allow matching on destination MAC address for mac and ipmac sets
(Stefano Brivio)
- netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
(Eric Westbrook)
- ipset: list:set: Decrease refcount synchronously on deletion and replace
(Stefano Brivio)
- netfilter: ipset: forbid family for hash:mac sets (Florent Fourcot)
- Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SEC
- List timing out entries with "timeout 1" instead of zero timeout value
(Fixes bugzilla #1258)
- netfilter: xt_set: Check hook mask correctly (Serhey Popovych)
- 6.38
- Userspace changes
- Fix API version number (reported by Jan Engelhardt)
- 6.37
- Kernel part changes
- netfilter: ipset: Use is_zero_ether_addr instead of static and memcmp
(Joe Perches)
- Userspace changes
- Fix parsing service names for ports (reported by Yuri D'Elia)
- 6.36
- Kernel part changes
- Remove duplicate module description
- netfilter: remove messages print and boot/module load time
(Pablo Neira Ayuso)
- Fix wraparound bug introduced in commit 48596a8ddc46 in v6.34
(reported by Thomas Schwark)
- Userspace changes
- Use 'ss' in runtest.sh but fall back to deprecated 'net-tools'
command (bugzilla id #1209)
- build: do install libipset/args.h (Jan Engelhardt)
- Add test to verify wraparound fix
- 6.35
- Kernel part changes
- netfilter: mark expected switch fall-throughs (Gustavo A. R. Silva)
- License cleanup: add SPDX GPL-2.0 license identifier to files with no
license (Greg Kroah-Hartman)
- Backport patch: netfilter: ipset: use nfnl_mutex_is_locked
- Missing nfnl_lock()/nfnl_unlock() is added to ip_set_net_exit()
- netfilter: ipset: use nfnl_mutex_is_locked (Florian Westphal)
- netfilter: ipset: add resched points during set listing
(Florian Westphal)
- Fix "don't update counters" mode when counters used at the matching
- Backport patch: netfilter: ipset: Convert timers to use timer_setup()
- netfilter: ipset: use swap macro instead of _manually_ swapping values
(Gustavo A. R. Silva)
- netfilter: ipset: Fix race between dump and swap (Ross Lagerwall)
- netfilter: ipset: pernet ops must be unregistered last (Florian
Westphal)
- Userspace changes
- Userspace revision handling is reworked
- Replace the last reference to u_int8_t with uint8_t.
- 6.34
- Kernel part changes
- Fix adding an IPv4 range containing more than 2^31 addresses
(bugzilla id #1005, reported by Oleg Serditov and Oliver Ford
- Userspace changes
- testsuite: Make sure it can be run over ssh :-)
- Reset state after a command failed, when multiple ones are issued
(bugzilla id #1158, reported by Dimitri Grischin)
- Handle padding attribute properly in userspace.
- Test to check the fix to add an IPv4 range containing more than 2^31
addresses
- Fix the include guards on the include/libipset/linux_ip_set*.h
(bugzilla id #1139, suggested by Quentin Armitage)
- New function added in commit 54802b2c is missing from libipset.map
(bugzilla id #1182, reported by irherder@gmail.com)
- 6.33
- Kernel part changes
- Backport patch: sctp: remove the typedef sctp_sctphdr_t
- Backport patch: netfilter: nfnetlink: extended ACK reporting
- ipset: remove unused function __ip_set_get_netlink (Aaron Conole)
- Backport patch: netlink: pass extended ACK struct to parsing functions
- Backport patch netlink: extended ACK reporting
- netfilter: Remove exceptional & on function name (Arushi Singhal)
- Backport missing part of patch: netfilter: Remove unnecessary cast on
void pointer
- Backport nfnl_msg_type()
- netfilter: ipset: ipset list may return wrong member count for set with
timeout (Vishwanath Pai)
- netfilter: ipset: deduplicate prefixlen maps (Aaron Conole)
- Fix sparse warnings
- netfilter: ipset: Compress return logic (simran singhal)
- netfilter: ipset: Remove unnecessary cast on void pointer (simran
singhal)
- Compatibility: handle changes in 4.10 kernel tree
- Userspace changes
- Report if the option is supported by a newer kernel release
- ipset: Fix ipset command replacement in runtest.sh (Neutron Soutmun)
- Correct a test: number of entries may be outdated
- 6.32
- Userspace changes
- Fix possible truncated output in ipset output buffer handling
(Reported by Omri Bahumi and Yoni Lavi).
- Missing prototype added in ipset_hash_ipmac.c (debugging)
- 6.31
- Kernel part changes
- netfilter: ipset: Null pointer exception in ipset list:set
(Vishwanath Pai)
- Fix bug: sometimes valid entries in hash:* types of sets were evicted
(reported by Eric Ewanco)
- Correct copyright owner
- Revert patch "Correct rcu_dereference_bh_nfnl() usage"
- Userspace changes
- Update manpage about the size parameter of list:set types.
- New test to verify that only the intended entries are deleted at hash
types.
- 6.30
- Kernel part changes
- netfilter: ipset: hash: fix boolreturn.cocci warnings
(Fengguang Wu)
- Fix the nla_put_net64() API changes backport
- netfilter: ipset: Fixing unnamed union init (Elad Raz)
- netfilter: x_tables: Use par->net instead of computing from the passed
net devices (Eric W. Biederman)
- Correct the reported memory size for bitmap:* types
- Fix coding styles reported by checkpatch.pl, already in kernel
- netfilter: x_tables: Pass struct net in xt_action_param
(Eric W. Biederman)
- net: sched: fix skb->protocol use in case of accelerated vlan path
(Jiri Pirko)
- Check IPSET_ATTR_ETHER netlink attribute length in hash:ipmac too
- netfilter: fix include files for compilation (Mikko Rapeli)
- ipset: Backports for the nla_put_net64() API changes (Neutron Soutmun)
- netfilter: ipset: use setup_timer() and mod_timer().
(Muhammad Falak R Wani)
- hash:ipmac type support added to ipset (Tomasz Chilinski)
- Userspace changes
- Drop extra comma from error message (Neutron Soutmun)
- Fix the incorrect dynamic/static modules list (Neutron Soutmun)
- Correct tests to check the number of entries too
- hash:ipmac type support added to ipset, userspace part (Tomasz Chilinski)
- 6.29
- Kernel part changes
- Fix race condition in ipset save, swap and delete (Vishwanath Pai)
- Userspace changes
- Suppress unnecessary stderr in command loop for resize and list
- Correction in comment test
- Support chroot buildroots (reported by Jan Engelhardt)
- Fix "configure" breakage due to pkg-config related changes
(reported by Jan Engelhardt)
- 6.28
- Kernel part changes
- Check IPSET_ATTR_ETHER netlink attribute length
- Fix __aligned_u64 compatibility support for older kernel releases
- Add compatibility to support EXPORT_SYMBOL_GPL in module.h
- Fix set:list type crash when flush/dump set in parallel
- Pass down netns pointer to call() and call_rcu() (backport)
- Allow a 0 netmask with hash_netiface type (Florian Westphal)
- Userspace changes
- Support older pkg-config packages
- Add bash completion to the install routine (Mart Frauenlob)
- Fix misleading error message with comment extension
- Test added to check 0.0.0.0/0,iface to be matched in hash:net,iface type
- Fix link with libtool >= 2.4.4 (Olivier Blin)
- 6.27
- Kernel part changes
- Fix reported memory size for hash:* types
- Fix hash type expire: release empty hash bucket block
- Fix hash type expiration: incorrect index fixed
- Collapse same condition body to a single one
- Fix extension alignment
- Compatibility: include linux/export.h when needed
- Compatibility: make sure vmalloc.h is included for kvfree()
- Compatibility: Fix detecting 'struct net' in 'struct tcf_ematch'
- Compatibility: Protect definition of RCU_INIT_POINTER in compatibility
header file
- netfilter: ipset: Fix sleeping memory allocation in atomic context
(Nikolay Borisov)
- Userspace changes
- Handle uint64_t alignment issue in ipset tool
- 6.26
- Kernel part changes
- Out of bound access in hash:net* types fixed (reported by Dave Jones)
- Make struct htype per ipset family (originally from Sergey Popovich)
- Optimize hash creation routine (originally from Sergey Popovich)
- Make sure element data size is a multiple of u32 (originally from Sergey
Popovich)
- Make NLEN compile time constant for hash types (originally from Sergey
Popovich)
- Simplify mtype_expire() for hash types (originally from Sergey Popovich)
- Count non-static extension memory into the set memory size for userspace
- net: sched: Simplify em_ipset_match (Eric W. Biederman)
- Userspace changes
- Out of bound access in hash:net* types fixed (reported by Dave Jones):
new tests added to the testsuite to verify the fix
- Warn about loaded in ip_set modules at module installation
- Use IPSET_BIN in resize-and-list.sh and suppress echoing of loop
variable
- Manpage typo corrections (David Wittman)
- Fix grammar error in manpage (Neutron Soutmun)
- 6.25.1
- Kernel part changes
- net/netfilter/ipset: work around gcc-4.4.4 initializer bug
(Andrew Morton)
- Userspace changes
- ipset manpage: refer to iptables-extensions
- Update userspace header file from the kernel tree
- Handle 'extern "C" {' in check_libmap.sh
- 6.25
- Kernel part changes
- Add element count to all set types header
- Add element count to hash headers (Eric B Munson)
- implement nla_put_in_addr and nla_put_in6_addr (Jiri Benc)
- deinline ip_set_put_extensions() (Denys Vlasenko)
- Fix error path in mtype_resize() when new hash bucket cannot be
allocated
- There is no need to call synchronize_rcu() after list_add_rcu()
- Fix typo in function name get_phyoutdev_name()
- Separate memsize calculation code into dedicated functions (originally
from Sergey Popovich)
- Split extensions into separate files (originally from Sergey Popovich)
- Improve comment extension helpers (originally from Sergey Popovich)
- Improve skbinfo get/init helpers (originally from Sergey Popovich)
- Headers file cleanup (originally from Sergey Popovich)
- Correct rcu_dereference_bh_nfnl() usage (originally from Sergey
Popovich)
- add helpers for fetching physin/outdev (Florian Westphal)
- When a single set is destroyed, make sure it can't be grabbed by dump
- In comment extension ip_set_comment_free() is always called in a safe
path
- Add rcu_barrier() to module removal in the bitmap types too
- Fix coding styles reported by the most recent checkpatch.pl
- Make sure bitmap:ip,mac detects the proper MAC even when it's
overwritten
- RCU safe comment extension handling
- Make sure the proper is_destroyed value is checked at dumping
- Fix broken commit "Check extensions attributes before getting
extensions."
- Improve preprocessor macros checks (Sergey Popovich)
- Fix hashing for ipv6 sets (Sergey Popovich)
- Fix ext_*() macros so pointers returned by these macros could be
referenced directly (Sergey Popovich)
- Check for comment netlink attribute length (Sergey Popovich)
- Return bool values instead of int (Sergey Popovich)
- Check CIDR value only when attribute is given (Sergey Popovich)
- Make sure we always return line number on batch (Sergey Popovich)
- Permit CIDR equal to the host address CIDR in IPv6 (Sergey Popovich)
- Use HOST_MASK literal to represent host address CIDR len (Sergey
Popovich)
- Check IPSET_ATTR_PORT only once (Sergey Popovich)
- Check extensions attributes before getting extensions (Sergey Popovich)
- Use SET_WITH_*() helpers to test set extensions (Sergey Popovich)
- Return ipset error instead of bool (Sergey Popovich)
- Preprocessor directices cleanup (Sergey Popovich)
- No need to make nomatch bitfield (Sergey Popovich)
- Make sure bit operations are not reordered
- Properly calculate extensions offsets and total length (Sergey Popovich)
- Fix cidr handling for hash:*net* types, reported by Jonathan Johnson
- fix boolreturn.cocci warnings (Fengguang Wu)
- make ip_set_get_ip*_port to use skb_network_offset (Alexander Drozdov)
- Make sure listing doesn't grab a set which is just being destroyed.
- Missing rcu_read_lock() and _unlock() in mtype_list() fixed
- Fix coding styles reported by checkpatch.pl
- Use nlmsg_total_size instead of NLMSG_SPACE in ip_set_core.c
- There's no need to call synchronize_rcu() with kfree_rcu()
- Call rcu_barrier() in module removal path
- Call synchronize_rcu() in set type (un)register functions only when
needed
- Remove an unused macro
- Give a better name to a macro in ip_set_core.c
- Resolve the STREQ macro to make the code more readable, and use
nla_strlcpy where possible
- Use MSEC_PER_SEC consistently
- Remove unnecessary integer RCU handling and fix other sparse warnings
- Fix sparse warning "cast to restricted __be32"
- Userspace changes
- Add element count to all set types header
- Add element count to hash headers (Eric B Munson)
- Support linking libipset to C++ programs (reported by Pavel Odintsov)
- ipset: propose rewording in manpage (Neutron Soutmun)
- More compatibility checking and simplifications to support the
2.6.32 kernel tree
- Compatibility: define RCU_INIT_POINTER when __rcu is not defined
- Compatibility: check kernel source for list_last_entry
(CentOS7, reported by Ricardo Klein)
- Make possible to pass extra flags to sparse
- 6.24
- Kernel part changes
- netfilter: ipset: small potential read beyond the end of buffer
(Dan Carpenter)
- Fix parallel resizing and listing of the same set
- styles warned by checkpatch.pl fixed
- Introduce RCU in all set types instead of rwlock per set
(performance tested by Jesper Dangaard Brouer)
- Remove rbtree from hash:net,iface in order to run under RCU
- Explicitly add padding elements to hash:net,net and hash:net,port,net
- Allocate the proper size of memory when /0 networks are supported
- Simplify cidr handling for hash:*net* types
- Indicate when /0 networks are supported
- Kernel API changes in em_ipset.c, support both old and new ones
- netfilter: Convert uses of __constant_ to (Joe Perches)
- net: use the new API kvfree() (WANG Cong)
- treewide: fix errors in print (Masanari Iida)
- netfilter: use IS_ENABLED(CONFIG_BRIDGE_NETFILTER) (Pablo Neira Ayuso)
- Use IS_ENABLED macro and define it if required
- Alignment problem between 64bit kernel 32bit userspace fixed
(reported by Sven-Haegar Koch)
- netfilter: ipset: off by one in ip_set_nfnl_get_byindex()
(Dan Carpenter)
- Userspace changes
- The "extra" subdirectory for kernel modules may have a full subtree
(reported by Jesper Dangaard Brouer)
- Add more compatibility checkings to support older kernel releases
- Make_global.am: Don't include host headers (Baruch Siach)
- Alignment problem between 64bit kernel 32bit userspace fixed
(reported by Sven-Haegar Koch)
- Add script to check libipset.map for missing symbols
- Update libipset.map with ipset_parse_tcp_udp_port (Thomas Backlund)
- libipset: Bump lib version and update map file (Neutron Soutmun)
- Bash utilities updated
- ipset: Fix hyphen used as minus sign in manpage (Neutron Soutmun)
- 6.23
- Kernel part changes
- Support updating extensions when the set is full
(fixes bugzilla id #880)
- Userspace changes
- The utils are updated from their sources
- Order create and add options in manpage so that generic ones
come first
- Centralise generic create options (family, hashsize, maxelem)
on top of man page in the generic options section. (Mart Frauenlob)
- Support glibc < 2.9 (fixes bugzilla id #891)
- Add description of hash:mac set type to man page. (Mart Frauenlob)
- Add missing space for skbinfo option synopsis. (Mart Frauenlob)
- The library/API versions were forgotten to bump (reported by
Sergei Zhirikov)
- Retry printing when sprintf fails (reported by Stig Thormodsrud)
- 6.22
- Kernel part changes
- hash:mac type added to ipset
- skbinfo extension: send nonzero extension elements only to userspace
- netfilter: Convert pr_warning to pr_warn (Joe Perches)
- netfilter: ipset: Add skbinfo extension support to SET target.
(Anton Danilov)
- netfilter: ipset: Add skbinfo extension kernel support for the list
set type. (Anton Danilov)
- netfilter: ipset: Add skbinfo extension kernel support for the hash
set types. (Anton Danilov)
- netfilter: ipset: Add skbinfo extension kernel support for the
bitmap set types. (Anton Danilov)
- netfilter: ipset: Add skbinfo extension kernel support in the ipset
core. (Anton Danilov)
- Fix static checker warning in ip_set_core.c (reported by Dan Carpenter)
- Fix warn: integer overflows 'sizeof(*map) + size * set->dsize'
(reported by Dan Carpenter)
- net/netfilter/ipset: Resolve missing-field-initializer warnings
(Mark Rustad)
- netnet,netportnet: Fix value range support for IPv4 (Sergey Popovich)
- Removed invalid IPSET_ATTR_MARKMASK validation (Vytas Dauksa)
- Userspace changes
- hash:mac type added to ipset
- Add test to check mark mapping
- ipset: remove extran newline on debug output (Holger Eitzenberger)
- ipset: avoid duplicate command flags (Holger Eitzenberger)
- Remove a duplicate debug print (Holger Eitzenberger)
- ipset: man: Add the skbinfo extension documentation. (Anton Danilov)
- libipset: Add userspace support of the skbinfo extension of the list
set type. (Anton Danilov)
- libipset: Add userspace support of the skbinfo extension of the hash
set types. (Anton Danilov)
- libipset: Add userspace support of the skbinfo extension of the
bitmap set types. (Anton Danilov)
- libipset: Add userspace code for the skbinfo extension support.
(Anton Danilov)
- Make possible to compile ipset with IPSET_DEBUG from the dist.
(Clinton Roy)
- libipset: print third element in debugging (Sergey Popovich)
- ipset: Handle missing leading zeros in ethernet address parser
(Janeks Jaunups)
- ipset: Pass IPSET_BIN to test scripts to change binary location
(Neutron Soutmun)
- ipset: Fix grammar error in manpage (Neutron Soutmun)
- ipset: Fix printf format warning (Neutron Soutmun)
- 6.21.1
- Kernel part changes
- netfilter: ip_set: rename nfnl_dereference()/nfnl_set()
(Patrick McHardy)
- Userspace changes
- The bash utilities are updated
- Fix libipset library release versioning (reported by Mathieu Bridon)
- 6.21
- Kernel part changes
- ipset: add forceadd kernel support for hash set types (Josh Hunt)
- netfilter: ipset: move registration message to init from net_init
(Ilia Mirkin)
- kernel: uapi: fix MARKMASK attr ABI breakage (Florian Westphal)
- Prepare the kernel for create option flags when no extension is needed
- add markmask for hash:ip,mark data type (Vytas Dauksa)
- add hash:ip,mark data type to ipset (Vytas Dauksa)
- ipset: remove unused code (Stephen Hemminger)
- netfilter: ipset: Add hash: fix coccinelle warnings (Fengguang Wu)
- Typo in ip_set_hash_netnet.c fixed (David Binderman)
- net ipset: use rbtree postorder iteration instead of opencoding
(Cody P Schafer)
- ipset: Follow manual page behavior for SET target on list:set
(Sergey Popovich)
- Userspace changes
- ipset: add userspace support for forceadd (Josh Hunt)
- kernel: uapi: fix MARKMASK attr ABI breakage (Florian Westphal)
- lib: fix ifname 'physdev:' prefix parsing (Florian Westphal)
- Prepare the kernel for create option flags when no extension is needed
- print mark & mark mask in hex rather then decimal (Vytas Dauksa)
- add markmask for hash:ip,mark data type (Vytas Dauksa)
- add hash:ip,mark data type to ipset (Vytas Dauksa)
- ipset: manpage: correct add action synopsis for hash:net,port,net.
(Mart Frauenlob)
- ipset: manpage: remove spare comma for hash:net,net test action.
(Mart Frauenlob)
- Fix all set output from list/save when set with counters in use.
(Sergey Popovich)
- ipset: Fix malformed output from list/save for ICMP types in port field
(Sergey Popovich)
- ipset: fix timeout data type size (Nikolay Martynov)
- 6.20.1
- Kernel part changes
- netfilter: ipset: remove duplicate define (Michael Opdenacker)
- net->user_ns is available starting from 3.8, add compatibility
checking (reported by Jan Engelhardt)
- Fix memory allocation for bitmap:port (reported by Quentin Armitage)
- Avoid clashing with configured kernel in [CONFIG_]IP_SET_MAX
- The unnamed union initialization may lead to compilation error
(reported by Husnu Demir)
- Use dev_net() instead of the direct access to ->nd_net (reported by
the kbuild test robot)
- Userspace changes
- build: fix incorrect library versioning (Jan Engelhardt)
- netfilter: ipset: Fix configure failure when --with-kmod=no
(Oliver Smith)
- Avoid clashing with configured kernel in [CONFIG_]IP_SET_MAX
- 6.20
- Kernel part changes
- Compatibility code is modified not to rely on kernel version numbers
- Use netlink callback dump args only
- Add hash:net,port,net module to kernel (Oliver Smith)
- Add net namespace for ipset (Vitaly Lavrov)
- Use a common function at listing the extensions of the elements
- For set:list types, replaced elements must be zeroed out
- Fix hash resizing with comments
- Support comments in the list-type ipset (Oliver Smith)
- Support comments in bitmap-type ipsets (Oliver Smith)
- Support comments in hash-type ipsets (Oliver Smith)
- Support comments for ipset entries in the core (Oliver Smith)
- Add hash:net,net module to kernel (Oliver Smith)
- Fix serious failure in CIDR tracking (Oliver Smith)
- list:set: make sure all elements are checked by the gc
- Support extensions which need a per data destroy function
- Generalize extensions support
- Move extension data to set structure
- Rename extension offset ids to extension ids
- Prepare ipset to support multiple networks for hash types
- Introduce new operation to get both setname and family
- Validate the set family and not the set type family at swapping
(Bug reported by Quentin Armitage, netfilter bugzilla id #843)
- Consistent userspace testing with nomatch flag
- Skip really non-first fragments for IPv6 when getting port/protocol
- ipset standalone package needs to ship em_ipset.c (reported by Jan
Engelhardt)
- Userspace changes
- Missing comment support added to hash:ip,port,ip and hash:net,iface
types
- Compatibility code is modified not to rely on kernel version numbers
- Add userspace code to support hash:net,port,net kernel module
(Oliver Smith)
- Tests added to check comment extension
- Add new userspace set revisions for comment support (Oliver Smith)
- Support comments in the userspace library (Oliver Smith)
- Rework the "fake" argument parsing for ipset restore (Oliver Smith)
- Add userspace code to support hash:net,net kernel module
(Oliver Smith)
- Add test to verify CIDR tracking
- configure: uclinux is also linux (Gustavo Zacarias)
- Add specifying protocol for bitmap:port (Quentin Armitage)
- Remove artifical restriction of netmask values for hash:ip type
(Reported by Quentin Armitage, netfilter bugzilla id #844)
- Make sure called test scripts can be executed (reported by Tomas Budai)
- Manpage fix: not just identical, but compatible type of sets can be
swapped (Reported by Quentin Armitage, netfilter bugzilla id #843)
- Fix error message typo (Reported by Quentin Armitage, netfilter bugzilla
id #843)
- Parse option "family" first, because other options may depend on it
(Bug reported by Quentin Armitage, closed netfilter bugzilla #841)
- Change 2nd parameter type of ipset_parse_elem (Quentin Armitage)
- Report broken netlink messages in debug mode
- Fix hyphen used as minus sign in manpage (Neutron Soutmun)
- libipset.pc must be installed via 'make install' (Eric Leblond)
- 6.19
- Kernel part changes
- Compatibility fixes to keep the support of kernels back to 2.6.32
- Backport nla_put_net64
- Support package fragments for IPv4 protos without ports (Anders K. Pedersen)
- Use fix sized type for timeout in the extension part
- Make sure kernel configured properly for sparse checkings
- Fix "may be used uninitialized" warnings (reported by Pablo Neira
Ayuso)
- Rename simple macro names to avoid namespace issues (reported by
David Laight)
- Fix sparse warnings due to missing rcu annotations (reported by
Pablo Neira Ayuso)
- Sparse warning about shadowed variable fixed
- Don't call ip_nest_end needlessly in the error path (suggested by
Pablo Neira Ayuso)
- set match: add support to match the counters
- The list:set type with counter support
- The hash types with counter support
- The bitmap types with counter support
- Introduce the counter extension in the core
- list:set type using the extension interface
- Hash types using the unified code base
- Unified hash type generation
- Bitmap types using the unified code base
- Unified bitmap type generation
- Move often used IPv6 address masking function to header file
- Make possible to test elements marked with nomatch, from userspace
- netfilter ipset: Use ipv6_addr_equal() where appropriate.
(YOSHIFUJI Hideaki)
- Add a compatibility header file for easier maintenance
- The uapi include split in the package itself
- Reorder modules a little bit in Kbuild
- Userspace changes
- Check at modules_install whether depmod ignores the extra subdir
(reported by Husnu Demir and tian fang)
- The utils are updated from their sources
- Manpage typing error correction (reported by Husnu Demir)
- Update testsuite as the trailing space was eliminated at listings
- Add sparse checking support to userspace
- Improve XML output: add element tag and root element (suggested by Lucas
Hamie)
- Manpage updates
- Add new testsuite entries to verify counters and the new type
implementation
- Introduce the new set type revisions with counter support
- Support counters in the ipset library
- The uapi include split in the package itself
- 6.18
- Kernel part changes
- bitmap:ip,mac: fix listing with timeout (reported by Yoann JUET)
- hash:*net*: nomatch flag not excluded on set resize
- list:set: update reference counter when last element pushed off
- 6.17
- Kernel part changes
- Make sure ip_set_max isn't set to IPSET_INVALID_ID
- netfilter: ipset: timeout values corrupted on set resize (Josh Hunt)
- "Directory not empty" error message (reported by John Brendler)
- Userspace changes
- Fix revision printing in XML mode (reported by Mart Frauenlob)
- Correct "Suspicious condition (assignment + comparison)" (Thomas Jarosch)
- Fix error path when protocol number is used with port range
- Interactive mode error after syntax error (reported by Mart Frauenlob)
- The ipset_bash_completion tool is added
- The ipset_list tool is added
- 6.16.1
- Kernel part changes
- Add ipset package version to external module description
- Backport RCU handling up to 2.6.32.x
- 6.16
- Userspace changes
- Remove all modules before testing resize
- build: support for Linux 3.7 UAPI (Jan Engelhardt)
- Kernel part changes
- Netlink pid is renamed to portid in kernel 3.7.0
- Fix RCU handling when the number of maximal sets are increased
- netfilter: ipset: fix netiface set name overflow (Florian Westphal)
- 6.15
- Userspace changes
- Fix interactive mode (Fredrik Eriksson)
- Use gethostbyname2 instead of getaddrinfo
- Make tests/check_cidrs.sh script executable
- Add tests to check completely ranges with hash types
- Make easier to apply the netlink.patch
- Support protocol numbers as well, not only protocol names
- Add (back) the debug flag to configure
- Add simple test to check cidr book-keeping
- Kernel part changes
- Increase the number of maximal sets automatically as needed
- Restore the support of kernel versions between 2.6.32 and 2.6.35
- Fix range bug in hash:ip,port,net
- Revert, then reapply cidr book keeping patch to handle /0
- 6.14
- Userspace changes
- Support to match elements marked with "nomatch" in hash:*net* sets
- Coding style fixes
- The set type revision number is added to the header part of listing
- Help prints list type revision and terse description
- Add /0 network support to hash:net,iface type
- Fix errors when compiling in debug mode (Krunal Patel)
- Make sure IPPROTO_UDPLITE is defined
- build: restore -version-info (Jan Engelhardt)
- Kernel part changes
- Support to match elements marked with "nomatch" in hash:*net* sets
- Coding style fixes
- Include supported revisions in module descriptio
- Add /0 network support to hash:net,iface type
- Fix cidr book keeping for hash:*net* types
- Check and reject crazy /0 input parameters
- Backport ether_addr_equal
- Coding style fix, backport from kernel
- net: cleanup unsigned to unsigned int (Eric Dumazet)
- 6.13
- Userspace changes
- Explain in more detail src/dst for hash:net,iface
- ipset help lists set types multiple times, fixed
(reported by Mr Dash Four)
- The commandline parser was too permissive, make it more strict
- Allow saving to/restoring from a file without shell redirection
- Fix typo of word "unkown" to "unknown" (Neutron Soutmun)
- Kernel part changes
- ipset: Handle properly an IPSET_CMD_NONE (Tomasz Bursztyka)
- netfilter: ipset: hash:net,iface: fix interface comparison
(Florian Westphal)
- Timeout fixing bug broke SET target special timeout value, fixed
- Use MSEC_PER_SEC instead of harcoded value
- 6.12.1
- Userspace changes
- Enable silent (kernel style) compile messages
- Fix build failed on --disable-dependency-tracking (Neutron Soutmun)
- Add tarball target to Makefile
- 6.12
- Kernel part changes
- Backport nla_put_net* functions as NLA_PUT* were removed
- netlink: add netlink_dump_control structure for netlink_dump_start()
- ipset: Stop using NLA_PUT*().
- Fix hash size checking in kernel (bug reported by Seblu)
- Correct README file about minimal required iptables version
(Oskar Berggren)
- Sparse warnings "incorrect type in assignment" fixed
- Fix timeout value overflow bug at large timeout parameters
(bug reported by Andreas Herz)
- ipv6: Add fragment reporting to ipv6_skip_exthdr().
- net: remove ipv6_addr_copy()
- Fix the inclusion of linux/export.h (Henry Culver)
- Userspace changes
- Cleanup generated files by make tidy
- Add more CC warning option to debug mod
- Report syntax error messages immediately
- Suppress false syntax error messages
- Add configure summary for the ipset userspace tool
- Add dynamic module support to ipset userspace tool
(Neutron Soutmun)
- Move ipset_port_usage() into lib (Neutron Soutmun)
- Fix invalid assignment to const void pointer (bug reported by Seblu)
- Remove unused variables (warnings fixed)
- Fix timeout value overflow bug at large timeout parameters
(bug reported by Andreas Herz)
- Improve ipset help text messages (Mr Dash Four)
- 6.11
- Kernel part changes
- hash:net,iface timeout bug fixed
- Exceptions support added to hash:*net* types
- net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules
- Log warning when a hash type of set gets full
- Userspace changes
- Support hostnames and service names with dash
- Exceptions support added to hash:*net* types
- Log warning when a hash type of set gets full
- Set types moved into libipset library
- Library map file added in order to support library versioning
- doc: Linux 2.6.39 already has the defs (Jan Engelhardt)
- build: install libipset in the right place (Jan Engelhardt)
- Provide a pkgconfig file (Jan Engelhardt)
- build: make distcheck work and use POSIX mode for tarball generation
(Jan Engelhardt)
- build: install libipset/linux_ip_set_list.h (Jan Engelhardt)
- build: include libipset/nfproto.h (Jan Engelhardt)
- build: process include/libipset/ (Jan Engelhardt)
- build: use AC_CONFIG_AUX_DIR and stash away tools (Jan Engelhardt)
- Update .gitignore (Jan Engelhardt)
- 6.10
- Kernel part changes
- Invert the logic to include version.h in ip_set_core.c
- Suppress false compile-time warnings about uninitialized variable ip_to
- Userspace changes
- Tests added to check ICMP/ICMPv6 type/code parsing
- ICMP/ICMPv6 type/code parser bug fixed (bug reported by Sabitov)
- ipset: fix lookup of tcp port names (Stephen Hemminger)
- Optionally disable building the kernel module (Mathieu Bridon)
- Make tidy complete
- 6.9.1
- Kernel part changes
- Fix compiling ipset as external kernel modules (v6.9)
- Complete Kconfig with hash:net,iface type (standalone package)
- rtnetlink: Compute and store minimum ifinfo dump size (Greg Rose)
- Remove redundant linux/version.h includes from net/ (Jesper Juhl)
- ipset: use NFPROTO_ constants (Jan Engelhardt)
- netfilter: ipset: expose userspace-relevant parts in ip_set.h
(Jan Engelhardt)
- netfilter: ipset: avoid use of kernel-only types (Jan Engelhardt)
- netfilter: Remove unnecessary OOM logging messages (Joe Perches)
- Dumping error triggered removing references twice and lead to kernel BUG
- Autoload set type modules safely
- Userspace changes
- build: move ipset_errcode into library (Jan Engelhardt)
- build: abort autogen on subcommand failure (Jan Engelhardt)
- ipset: use NFPROTO_ constants (Jan Engelhardt)
- Propagate "expose userspace-relevant parts in ip_set.h" to ipset source
- 6.8
- Kernel part changes
- Fix compiler warnings "'hash_ip4_data_next' declared inline after being
called" (Chris Friesen)
- hash:net,iface fixed to handle overlapping nets behind different
interfaces
- Make possible to hash some part of the data element only.
- Userspace changes
- Update the manpage and document the limits in hash:net,iface.
- README file corrections from Richard Lucassen
- 6.7
- Kernel part changes
- Whitespace and coding fixes, detected by checkpatch.pl
- hash:net,iface type introduced
- Use the stored first cidr value instead of '1'
- Fix return code for destroy when sets are in use
- Add xt_action_param to the variant level kadt functions,
ipset API change
- Drop supporting kernel versions below 2.6.35
- Userspace changes
- Whitespace and coding fixes, detected by checkpatch.pl
- hash:net,iface type introduced
- hash:* tests may seem to fail due to the too wide grep pattern, fix them
- Remove iptree tests and compatibility element parsing
- hash:net test may seem to fail due to the too wide grep pattern, fix it
- Fix long time uncovered bug at adding string attributes to the netlink
messages
- Fix warnings reported by valgrind
- Remove supporting set types iptree and iptreemap
- 6.6
- Kernel part changes
- Use unified from/to address masking and check the usage
- ip_set_flush returned -EPROTO instead of -IPSET_ERR_PROTOCOL, fixed
- Take into account cidr value for the from address when creating the set
- Adding ranges to hash types with timeout could still fail, fixed
- Removed old, not used hashing method ip_set_chash
- Remove variable 'ret' in type_pf_tdel(), which is set but not used
- Use proper timeout parameter to jiffies conversion
- Userspace changes
- Restore with bitmap:port and list:set types did not work, fixed
- Accept "\r\n" terminated COMMIT command in restore files
- Fix the message sequence number book-keeping
- Protocol-level debugging support added
- hash:net stress test in range notation added
- ipset_mnl_query: in debug mode print the errno returned by the cb
function
- Accept "\r\n" terminated lines in restore files
- Remove outdated checking of IPv6 support from configure.ac
- 6.5
- Kernel part changes
- Support range for IPv4 at adding/deleting elements for hash:*net* types
- Set type support with multiple revisions added
- Fix adding ranges to hash types
- Userspace changes
- Support range for IPv4 at adding/deleting elements for hash:*net* types
- Disable type revisions which are not supported both by the kernel and ipset
- Update ipset help text to reflect SCTP and UDPLITE support
- Ignore -n flag (list just setnames) when sets are to be saved
- 6.4
- Kernel part changes
- Support listing setnames and headers too
- Fix the order of listing of sets
- Options and flags support added to the kernel API
- Userspace changes
- Get rid of the trailing empty line at listing sets
- Fix XML listing, remove broken unused "elements" tag
- Support listing setnames and headers too
- Sorting is dependent on the locale settings, use LC_ALL=C
- Use unified diff output in tests
- 6.3
- Kernel part changes
- ipset/Kconfig was a mixed up kernel config file, fixed (Michael Tokarev)
- bitmap:ip,mac type requires "src" for MAC, enforce it
- whitespace fixes: some space before tab slipped in
- set match and SET target fixes (bugs reported by Lennert Buytenhek)
- Userspace changes
- Testsuite changes: keep temporary files
- bitmap:ip,mac type requires "src" for MAC: manpage is updated to reflect
the change
- Testsuite checks added (SET target and dir parameter checks)
- 6.2
- Kernel part changes
- list:set timeout variant fixes
- References are protected by rwlock instead of mutex
- Add explicit text message to detect patched kernel (netlink.patch)
- Timeout can be modified for already added elements
- Userspace changes
- 6.1
- Kernel part changes
- The hash:*port* types ignored the address range with non TCP/UDP, fixed
- Fix checking the revision number of the set type at create command
- SCTP, UDPLITE support to hash:*port* types added
- Fix revision reporting got broken by the revision checking patch
- Userspace changes
- Manpage was not installed (reported by Mark A. Ziesemer)
- SCTP, UDPLITE support to the hash:*port* types added
- 6.0
- Kernel part changes
- Reorganized kernel/ subdir
- netfilter: ipset: fix linking with CONFIG_IPV6=n (Patrick McHardy)
- netfilter: ipset: send error message manually
- netfilter: ipset: add missing break statemtns in
ip_set_get_ip_port() (Patrick McHardy)
- netfilter: ipset: add missing include to xt_set.h (Patrick McHardy)
- netfilter: ipset: remove unnecessary includes (Patrick McHardy)
- netfilter: ipset: use nla_parse_nested() (Patrick McHardy)
- Separate ipset errnos completely from system ones and bump protocol
version
- Use better error codes in xt_set.c
- Fix sparse warning about shadowed definition
- bitmap:ip type: flavour specific adt functions (Patrick McHardy's review)
- bitmap:port type: flavour specific adt functions (Patrick McHardy's
review)
- Move the type specifici attribute validation to the core
(suggested by Patrick McHardy)
- Use vzalloc() instead of __vmalloc() (Eric Dumazet, Patrick McHardy)
- Use meaningful error messages in xt_set.c (Patrick McHardy's review)
- Constified attribute cannot be written (Patrick McHardy's review)
- Send (N)ACK at dumping only when NLM_F_ACK is set
(Patrick McHardy's review)
- Correct the error codes: use ENOENT and EMSGSIZE (Patrick McHardy's
review)
- Userspace changes
- Print protocol version together with ipset version
- Testsuite compatibility with debugging enabled
- Allow "new" as a commad alias to "create"
- ipset: improve command argument parsing (Holger Eitzenberger)
- ipset: avoid the unnecessary argv[] loop (Holger Eitzenberger)
- ipset: pass ipset_arg argument pointer (Holger Eitzenberger)
- Separate ipset errnos completely from system ones and bump protocol
version
- Fix the spelling error fix :-) (Ferenc Wagner)
- Resolving IP addresses did not work at listing/saving sets, fixed
- ipset: fix spelling error (Holger Eitzenberger)
- ipset: fix the Netlink sequence number (Holger Eitzenberger)
- ipset: turn Set name[] into a const pointer (Holger Eitzenberger)
- Check ICMP and ICMPv6 with the set match and target in the testsuite
- Avoid possible syntax clashing at saving hostnames
- 5.4.1
- 5.4
- Kernel part changes
- Fixed broken ICMP and ICMPv6 handling
- Fix trailing whitespaces and pr_* messages
- Un-inline functions which are not small enough (Patrick McHardy)
- Fix module loading at create/header commands (Patrick McHardy)
- Fix wrong kzalloc flag in type_pf_expire
- The get_ip*_port functions are too large to be inlined,
moved into the core
- Add missing __GFP_HIGHMEM flag to __vmalloc (Eric Dumazet)
- Enforce network-ordered data in the netlink protocol
- Use annotated types and fix sparse warnings (Patrick McHardy)
- Move ip_set_alloc, ip_set_free and ip_set_get_ipaddr* into the core
(Patrick McHardy)
- NETMASK*, HOSTMASK* macros are too generic, replace with inline
functions (Patrick McHardy)
- Use static LIST_HEAD() for ip_set_type_list (Patrick McHardy)
- Move NLA_PUT_NET* macros to include/net/netlink.h (Patrick McHardy)
- The module parameter max_sets should be unsigned int (Patrick McHardy)
- Get rid of ip_set_kernel.h (Patrick McHardy)
- Fix the placement style of boolean operators at continued lines
(Patrick McHardy)
- 5.3
- Kernel part changes
- There is no need to call synchronize_net() at swapping
- Replace strncpy with strlcpy at creating a set
- Update copyright date and some style changes
- Use jhash.h accepted in kernel, with backward compatibility
- Separate prefixlens from ip_set core
- Remove unused ctnl parameter from call_ad (Jan Engelhardt)
- Comment the possible return values of the add/del/test type-functions
- Userspace changes
- Set the non-debug compiling the default
- Testsuite fix of ospf replaced with vrrp
- Fix build with NDEBUG defined (Holger Eitzenberger)
- Do session initialization once (Holger Eitzenberger)
- Make IPv4 and IPv6 address handling similar (Holger Eitzenberger)
- Show correct line numbers in restore output for parser errors
(Holger Eitzenberger)
- Replace ospf with vrrp in the testsuite
- Remove autogenerated files (Jan Engelhardt)
- Use only AC_CANONICAL_HOST (Jan Engelhardt)
- 5.2
- Kernel part changes
- Kernel version check at minimal supported version was mistyped, now fixed
- Userspace changes
- Handle internal printing errors
- Use cast to void * instead of memcpy as Sparc workaround at
sockaddr_XXX suggested by Jan Engelhardt)
- Listing/saving of large sets could produce broken listing, fixed
- Support libtool < 2.2
- 5.1
- Kernel part changes
- Kernel version compatibility: support bumped starting from 2.6.34
- Use EXPORT_SYMBOL_GPL (Jan Engelhardt)
- const annotations (Jan Engelhardt)
- Use __read_mostly for registration-type structures
(Jan Engelhardt)
- Do not mix const and __read_mostly (Jan Engelhardt)
- xt_set: avoid user types in exported kernel headers (Jan Engelhardt)
- Enable parallel building (Jan Engelhardt)
- Fix Kbuild for me to delete backup files
- Userspace changes
- Test cases for IPv6 restore and more complex restore sessions added
- Restore mode did not work for IPv6, fixed (reported by Elie Rosenblum)
- libipset: static annotations (Jan Engelhardt)
- libipset: const annotations (Jan Engelhardt)
- libipset: remove redundant casts (Jan Engelhardt)
- libipset: remove redundant indirection via union name (Jan Engelhardt)
- libipset: ipset_strncpy is really a strlcpy-type operation
(Jan Engelhardt)
- Prevent calling Makefile directly in the kernel/ subdirectory
- Put back the Sparc specific workaround at getaddrinfo
(reported by Jan Engelhardt)
- Check old system kernel header files
- Check from `configure` that the kernel source is patched with
netlink.patch
- Use configure to detect compiler warning flags
- Try to solve PKG_CHECK_MODULES issue (reported by Rob Sterenborg)
- Fix incorrect comparison in check_allowed (reported by Jan Engelhardt)
- 5.0
- New main branch - ipset completely rewritten
- 4.5
- Kernel part changes
- The iptreemap type used wrong gfp flags when deleting entries
(bug reported by Dash Four)
- Userspace changes
- Take into account the compile time setting of the default hash size
(reported by Dash Four)
- 4.4
- Kernel part changes
- The ipporthash, ipportiphash and ipportnethash set types did not
work with mixed "src" and "dst" direction parameters of the
"set" and "SET" iptables match and target (reported by Dash Four)
- Errorneous semaphore handling in error path fixed
(reported by Jan Engelhardt, bugzilla id 668)
- Userspace changes
- Manpage fix to make it clear how ipset works on setlist type
of sets (John Brendler, bugzilla id 640)
- 4.3
- Kernel part changes
- Support of 2.6.35 kernels added
- 4.2
- Kernel part changes
- nethash and ipportnethash types counted every entry twice
which could produce bogus entries when listing/saving these types
of sets (bug reported by Husnu Demir)
- Userspace changes
- Checking null entries when listing/saving hash types of sets
deleted because it's unnecessary and can mask possible errors.
- 4.1
- Kernel part changes
- Do not use init_MUTEX either (Jan Engelhardt)
- Improve listing/saving hash type of sets by not copying empty
entries unnecessarily to userspace.
- Userspace changes
- Manpage fixes and corrections (Jan Engelhardt)
- 4.0
- Kernel part changes
- Compilation of ip_set_iptree.c fails with kernel 2.6.20 due to
missing include of linux/jiffies.h (Jan Engelhardt)
- Do not use DECLARE_MUTEX (compatibility fix on 2.6.31-rt, Jan
Engelhardt)
- Flushing iptreemap type of sets caused high ksoftirqd load due to
zeroed out gc parameter (bug reported by Georg Chini)
- New protocol is introduced to handle aligment issues properly
(bug reported by Georg Chini)
- Binding support is removed
- Userspace changes
- New protocol is introduced to handle aligment issues properly
(bug reported by Georg Chini)
- Binding support is removed
- 3.2
- Kernel part changes
- Mixed up formats in ip_set_iptree.c fixed (Rob Sterenborg)
- Don't use 'bool' for backward compatibility reasons (Rob Sterenborg)
- 3.1
- Userspace changes
- Correct format specifiers and change %i to %d (Jan Engelhardt)
- Kernel part changes
- Nonexistent sets were reported as existing sets when testing
from userspace in setlist type of sets (bug reported by Victor A.
Safronov)
- When saving sets, setlist type of sets must come last in order
to satisfy the dependency from the elements (bug reported by Marty B.)
- Sparse insists that the flags argument to kmalloc() is gfp_t
(Stephen Hemminger)
- Correct format specifiers and change %i to %d (Jan Engelhardt)
- Fix the definition of 'bool' for kernels <= 2.6.18 (Jan Engelhardt)
- 3.0
- Userspace changes
- New kernel-userspace protocol release
- Bigendian and 64/32bit fixes (Stefan Gula, bugzilla id 593)
- tests/runtests.sh changed to support old bash shells
- Kernel part changes
- New kernel-userspace protocol release
- Bigendian and 64/32bit fixes (Stefan Gula, bugzilla id 593)
- Support of 2.4.3[67].* kernels fixed
- Compiling with debugging enabled fixed
- 2.5.0
- Userspace changes
- On parisc architecture cast increases required aligment (bugzilla
id 582), fixed.
- Respect LDFLAGS settings at compile time (Peter Volkov).
- Kernel part changes
- instead of setting the locks directly
as it causes compilation errors with 2.6.29-rt (Jan Engelhardt).
- 2.4.9
- Kernel part changes
- References to the old include file replaced with new one in order to
really use the new Jenkins' hash function.
- 2.4.8
- Userspace changes
- In order to disable the extra warning flags, NO_EXTRA_WARN_FLAGS
variable added to userspace Makefile.
- Kernel part changes
- The Jenkins' hash lookup2() replaced with Jenkins' faster/better
lookup3() hash function.
- Bug fixed: after elements are added and deleted from a hash, an element
can successfully be added in spite it's already in the hash and thus
duplicates can occur (Shih-Yi Chen).
- Compatibility with old gcc without 'bool' added.
- 2.4.7
- Kernel part changes
- Typo which broke compilation with kernels < 2.6.28
fixed (reported by Richard Lucassen, Danny Rawlins)
- 2.4.6
- Kernel part changes
- Compatibility fix for kernels >= 2.6.28
- 2.4.5
- Userspace changes
- Some compiler warning options are too aggressive and
therefore disabled.
- Kernel part changes
- setlist type does not work properly together with swapping
sets, bug reported by Thomas Jacob.
- Include linux/capability.h explicitly in ip_set.c (Jan Engelhardt)
- 2.4.4
- Userspace changes
- Premature checking prevents to add valid elements to hash
types, fixed (bug reported by JC Janos).
- Local variable shadows another variable, fixed (reported
by Jan Engelhardt).
- More compiler warning options added and warnings fixed.
- Kernel part changes
- Premature checking prevents to add valid elements to hash
types, fixed (bug reported by JC Janos).
- 2.4.3
- Userspace changes
- Include file <limits.h> was missing from userspace set type
modules, reported by Krzysztof Oledzki and Sven Wegener.
- 2.4.2
- Kernel part changes
- When flushing a nethash/ipportnethash type of set, it can
lead to a kernel crash due to a wrong type declaration,
bug reported by Krzysztof Oledzki.
- iptree and iptreemap types require the header file linux/timer.h,
also reported by Krzysztof Oledzki.
- 2.4.1
- Userspace changes
- macipmap type reported misleading deprecated separator
tokens and printed the old one at listing set elements;
the warning contained misprinting as well (bugs reported
by Krzysztof Oledzki)
- Warn only once about deprecated separator tokens in
restore mode.
- Kernel part changes
- Zero-valued element are not acceptable by hash type of sets
because we cannot make a difference between a zero-valued
element and not-set element. Enforce it, as manpage says.
(fixes bugzilla id 543)
- 2.4
- Userspace changes
- Added KBUILD_OUTPUT support (Sven Wegener)
- Fix memory leak in ipset_iptreemap (Sven Wegener)
- Fix multiple compiler warnings (Sven Wegener)
- ipportiphash, ipportnethash and setlist types added
- binding marked as deprecated functionality
- element separator token changed to ',' in anticipating
IPv6 addresses, old separator tokens are still supported
- unnecessary includes removed
- ipset does not try to resolve IP addresses when listing
the content of sets (default changed)
- manpage updated
- Kernel part changes
- ipportiphash, ipportnethash and setlist types added
- set type modules reworked to avoid code duplication
as much as possible, code unification macros
- expand_macros Makefile target added to help debugging
code unification macros
- ip_set_addip_kernel and ip_set_delip_kernel
changed from void to int, __ip_set_get_byname and
__ip_set_put_byid added for the sake of setlist type
- unnecessary includes removed
- compatibility fix for kernels >= 2.6.27:
semaphore.h was moved from asm/ to linux/ (James King)
- 2.3.3a
- Fix to compile ipset with 2.4.26.x tree statically (bug reported by
G.W. Haywood)
- 2.3.3
- compatibility for the 2.6.x kernel tree improved and compiler warnings
fixed (Jan Engelhardt)
- compatibility fixes for the 2.4.36.x kernel tree added
- 2.3.2
- including limits.h for UINT_MAX is required with glibc-2.8 (pud)
- needless cast from and to void pointers cleanups in iptreemap (Sven Wegener)
- Initial ipset release with kernel modules included.
- 2.3.1
- segfault on --unbind :all: :all: fixed (reported by bugzilla,
report and patch sent by Tom Eastep)
- User input parameters are sanitized everywhere
- Initial testsuite added and 'test' target to the Makefile added:
few bugs discovered and fixed
- typo in macipmap type prevented to use max size set of this type
- *map types are made sure to allow and use max size of sets
- 2.3.0
- jiffies rollover bug in iptree type fixed (reported by Lukasz Nierycho
and others)
- endiannes bug in iptree type fixed (spotted by Jan Engelhardt)
- iptreemap type added (submitted by Sven Wegener)
- 2.6.22/23 compatibility fixes (Jeremy Jacque)
- typo fixes in ipset (Neville D)
- separator changed to ':' from '%' (old one still supported) in ipset
- 2.2.9a
- use correct type (socklen_t) for getsockopt (H. Nakano)
- incorrect return codes fixed (Tomasz Lemiech, Alexey Bortnikov)
- kernel header dependency removed (asm/bitops.h)
- ipset now tries to load in the ip_set kernel module if the protocol
is not available
- 2.2.9
ipset -N did not generate proper return code
limit module parameter added to the kernel modules of the
iphash, ipporthash, nethash and iptree type of sets so that
the maximal number of elements can now be limited
- zero valued entries (port 0 or IP address 0.0.0.0) were
detected as members of the hash/tree kind of sets
(reported by Andrew Kraslavsky)
- list and save operations used the external identifier
of the sets for the bindings instead of the internal one
(reported by Amin Azez)
- 2.2.8
- Nasty off-by-one bug fixed in iptree type of sets
(bug reported by Pablo Sole)
- 2.2.7
All patches were submitted by Jones Desougi.
- missing or confusing error message fixes for ipporthash
- minor correction in debugging in nethash
- copy-paste bug in kernel set types at memory allocation
checking fixed
- unified memory allocations in ipset
- 2.2.6
- memory allocation in iptree is changed to GFP_ATOMIC because
we hold a lock (bug reported by Radek Hladik)
- compatibility fix: __nocast is not defined in all 2.6 branches
(problem reported by Ming-Ching Tiew)
- manpage corrections
- 2.2.5
- garbage collector of iptree type of sets is fixed: flushing
sets/removing kernel module could corrupt the timer
- new ipporthash type added
- manpage fixes and corrections
- 2.2.4
- half-fixed memory allocation bug in iphash and nethash finally
completely fixed (bug reported by Nikolai Malykh)
- restrictions to enter zero-valued entries into all non-hash type
sets were removed
- Too strict check on the set size of ipmap type was corrected
- 2.2.3
- Memory allocation bug in iphash and nethash in connection with the SET
target was fixed (bug reported by Nikolai Malykh)
- lockhelp.h was removed from the 2.6.13 kernel tree, ip_set.c is
updated accordingly (Cardoso Didier, Samir Bellabes)
- manpage is updated to clearly state the command order in restore mode
- 2.2.2
- Jiffies rollover bug in ip_set_iptree reported and fixed by Rob Nielsen
- Compiler warning in the non-SMP case fixed (Marcus Sundberg)
- slab cache names shrunk in order to be compatible with 2.4.* (Marcus
Sundberg)
- 2.2.1
- Magic number in ip_set_nethash.h was mistyped (bug reported by Rob
Carlson)
- ipset can now test IP addresses in nethash type of sets (i.e. addresses
in netblocks added to the set)
- 2.2.0
- Locking bug in ip_set_nethash.c (Clifford Wolf and Rob Carlson)
- Makefile contained an unnecessary variable in IPSET_LIB_DIR (Clifford
Wolf)
- Safety checkings of restore in ipset was incomplete (Robin H.
Johnson)
- More careful resizing by avoiding locking completely
- stdin stored internally in a temporary file, so we can feed 'ipset -R'
from a pipe
- iptree set type added
- 2.1.0
- Lock debugging used with debugless lock definiton (Piotr Chytla and
others).
- Bindings were not properly filled out at listing (kernel)
- When listing sets from kernel, id was not added to the set structure
(ipset)
- nethash set type added
- ipset manpage corrections (macipmap)
- 2.0.1
- Missing -fPIC in Makefile (Robert Iakobashvili)
- Cut'n'paste bug at saving macipmap types (Vincent Bernat).
- Bug in printing/saving SET targets reported and fixed by Michal
Pokrywka
- 2.0
- Chaining of sets are changed: child sets replaced
by bindings
- Kernel-userspace communication reorganized to minimize
the number of syscalls
- Save and restore functionality implemented
- iphash type reworked: clashing resolved by double-hashing
and by dynamically growing the set
- 1.0
- ipset forked from ippool
- Chaining of sets added via child sets
- portmap and iphash types added
|
|