* [patch 0/2] Ipset patches
From: holger @ 2011-01-19 20:26 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter-devel
Hi Jozsef,
what follows are two small patches which remove unneeded argv[]
loops when parsing the ipset commands. They are in particular no
change in command line handling.
The command line handling can still be improved, as e. g.
$ ipset -o xml create foo hash:ip
$ ipset -s add foo 192.168.1.1
both work, but the options are just ignored. And they don't
make much sense for either 'create' or 'add'.
Also we should consider to make the argument handling a little
more strict, as e. g.
$ ipset -o xml list foo
$ ipset list -o xml foo
$ ipset list foo -o xml
all work. By removing some of those possibilities it should even
get simpler code wise.
/holger
--
* Re: [patch 0/2] Ipset patches
From: Jozsef Kadlecsik @ 2011-01-19 21:59 UTC (permalink / raw)
To: holger; +Cc: netfilter-devel
Hi Holger,
On Wed, 19 Jan 2011, holger@eitzenberger.org wrote:
> what follows are two small patches which remove unneeded argv[]
> loops when parsing the ipset commands. They are in particular no
> change in command line handling.
>
> The command line handling can still be improved, as e. g.
>
> $ ipset -o xml create foo hash:ip
> $ ipset -s add foo 192.168.1.1
>
> both work, but the options are just ignored. And they don't
> make much sense for either 'create' or 'add'.
>
> Also we should consider to make the argument handling a little
> more strict, as e. g.
>
> $ ipset -o xml list foo
> $ ipset list -o xml foo
> $ ipset list foo -o xml
>
> all work. By removing some of those possibilities it should even
> get simpler code wise.
Thank you indeed, after fixing the issues raised by Patrick and Eric, I'll
work on the userspace part and your patches.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* [PATCH 0/2] ipset patches
From: Jozsef Kadlecsik @ 2013-02-21 16:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso
Hi Pablo,
Please consider applying the next two patches against your nf tree.
You can pull the changes from
git://blackhole.kfki.hu/nf master
Best regards,
Jozsef
Josh Hunt (1):
netfilter: ipset: timeout values corrupted on set resize
Jozsef Kadlecsik (1):
netfilter: ipset: "Directory not empty" error message
include/linux/netfilter/ipset/ip_set_ahash.h | 4 +++-
net/netfilter/ipset/ip_set_core.c | 3 ++-
2 files changed, 5 insertions(+), 2 deletions(-)
* [PATCH 1/2] netfilter: ipset: timeout values corrupted on set resize
From: Jozsef Kadlecsik @ 2013-02-21 16:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso
From: Josh Hunt <johunt@akamai.com>
If a resize is triggered on a set with timeouts enabled, the timeout
values will get corrupted when copying them to the new set. This occurred
b/c the wrong timeout value is supplied to type_pf_elem_tadd().
This also adds a simple debug statement similar to the one in type_pf_resize().
Signed-off-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set_ahash.h | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set_ahash.h b/include/linux/netfilter/ipset/ip_set_ahash.h
index ef9acd3..01d25e6 100644
--- a/include/linux/netfilter/ipset/ip_set_ahash.h
+++ b/include/linux/netfilter/ipset/ip_set_ahash.h
@@ -854,6 +854,8 @@ type_pf_tresize(struct ip_set *set, bool retried)
retry:
ret = 0;
htable_bits++;
+ pr_debug("attempt to resize set %s from %u to %u, t %p\n",
+ set->name, orig->htable_bits, htable_bits, orig);
if (!htable_bits) {
/* In case we have plenty of memory :-) */
pr_warning("Cannot increase the hashsize of set %s further\n",
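Review bot: the new pr_debug() sits between htable_bits++ and the if (!htable_bits) overflow check, so when the increment wraps it reports a resize "to 0" immediately before the "Cannot increase the hashsize" warning; moving it below that check keeps the debug line to attempts that actually proceed. It also prints orig with %p, which writes a kernel address into the log whenever debug output is enabled; unless that pointer is needed for debugging, drop it or print it with %pK.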
@@ -873,7 +875,7 @@ retry:
data = ahash_tdata(n, j);
m = hbucket(t, HKEY(data, h->initval, htable_bits));
ret = type_pf_elem_tadd(m, data, AHASH_MAX(h), 0,
- type_pf_data_timeout(data));
+ ip_set_timeout_get(type_pf_data_timeout(data)));
if (ret < 0) {
read_unlock_bh(&set->lock);
ahash_destroy(t);
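Review bot: at the type_pf_elem_tadd() call, nothing in the code says why the stored value from type_pf_data_timeout(data) has to pass through ip_set_timeout_get() first, and the original bug was exactly that omission; a short comment on the changed argument naming the representation type_pf_elem_tadd() expects would keep the next copy loop from repeating it. Please also confirm what ip_set_timeout_get() returns for an element that has already expired but is still in the old table, since that result is now passed straight into the new table.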
--
1.7.0.4
* [PATCH 2/2] netfilter: ipset: "Directory not empty" error message
From: Jozsef Kadlecsik @ 2013-02-21 16:45 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso
When an entry flagged with "nomatch" was tested by ipset, it
returned the error message "Kernel error received:
Directory not empty" instead of "<element> is NOT in set <setname>"
(reported by John Brendler).
The internal error code was not properly transformed before returning
to userspace, fixed.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_core.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 6d6d8f2..38ca630 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1470,7 +1470,8 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
if (ret == -EAGAIN)
ret = 1;
- return ret < 0 ? ret : ret > 0 ? 0 : -IPSET_ERR_EXIST;
+ return (ret < 0 && ret != -ENOTEMPTY) ? ret :
+ ret > 0 ? 0 : -IPSET_ERR_EXIST;
}
/* Get headed data of a set */
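Review bot: in the new return expression, -ENOTEMPTY becomes -IPSET_ERR_EXIST only by falling through both arms of the nested conditional, which is easy to misread and easy to break on the next edit. Handling it explicitly next to the existing if (ret == -EAGAIN) translation, with a comment that -ENOTEMPTY is an internal code that must not reach userspace, would make the intent visible and leave the final return as it was.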
--
1.7.0.4
* Re: [PATCH 0/2] ipset patches
From: Pablo Neira Ayuso @ 2013-02-25 15:36 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter-devel
On Thu, Feb 21, 2013 at 05:45:44PM +0100, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please consider applying the next two patches against your nf tree.
> You can pull the changes from
>
> git://blackhole.kfki.hu/nf master
Pulled, thanks Jozsef.
Will pass this to -stable as well.