On Sun, 22 Sep 2013, Oliver wrote:
> From: Oliver Smith <oliver@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>
> This provides kernel support for creating ipsets with comment support.
>
> This does incur a penalty to flushing/destroying an ipset since all
> entries are walked in order to free the allocated strings, this penalty
> is of course less expensive than the operation of listing an ipset to
> userspace, so for general-purpose usage the overall impact is expected
> to be little to none.
The patch, together with the one for the bitmap and list types are
applied, with a modification:
> Signed-off-by: Oliver Smith <oliver@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> ---
> kernel/net/netfilter/ipset/ip_set_hash_gen.h | 14 ++++++++------
> kernel/net/netfilter/ipset/ip_set_hash_ip.c | 4 +++-
> kernel/net/netfilter/ipset/ip_set_hash_ipport.c | 4 +++-
> kernel/net/netfilter/ipset/ip_set_hash_ipportip.c | 4 +++-
> kernel/net/netfilter/ipset/ip_set_hash_ipportnet.c | 4 +++-
> kernel/net/netfilter/ipset/ip_set_hash_net.c | 4 +++-
> kernel/net/netfilter/ipset/ip_set_hash_netiface.c | 4 +++-
> kernel/net/netfilter/ipset/ip_set_hash_netnet.c | 1 +
> kernel/net/netfilter/ipset/ip_set_hash_netport.c | 4 +++-
> 9 files changed, 30 insertions(+), 13 deletions(-)
>
> diff --git a/kernel/net/netfilter/ipset/ip_set_hash_gen.h b/kernel/net/netfilter/ipset/ip_set_hash_gen.h
> index 59ae854..324de2f 100644
> --- a/kernel/net/netfilter/ipset/ip_set_hash_gen.h
> +++ b/kernel/net/netfilter/ipset/ip_set_hash_gen.h
> @@ -701,6 +701,8 @@ reuse_slot:
> ip_set_timeout_set(ext_timeout(data, set), ext->timeout);
> if (SET_WITH_COUNTER(set))
> ip_set_init_counter(ext_counter(data, set), ext);
> + if (SET_WITH_COMMENT(set))
> + ip_set_init_comment(ext_comment(data, set), ext);
>
> out:
> rcu_read_unlock_bh();
> @@ -908,12 +910,9 @@ mtype_head(struct ip_set *set, struct sk_buff *skb)
> goto nla_put_failure;
> #endif
> if (nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
> - nla_put_net32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize)) ||
> - ((set->extensions & IPSET_EXT_TIMEOUT) &&
> - nla_put_net32(skb, IPSET_ATTR_TIMEOUT, htonl(set->timeout))) ||
> - ((set->extensions & IPSET_EXT_COUNTER) &&
> - nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS,
> - htonl(IPSET_FLAG_WITH_COUNTERS))))
> + nla_put_net32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize)))
> + goto nla_put_failure;
> + if (unlikely(ip_set_put_flags(skb, set)))
> goto nla_put_failure;
> ipset_nest_end(skb, nested);
>
> @@ -970,6 +969,9 @@ mtype_list(const struct ip_set *set,
> if (SET_WITH_COUNTER(set) &&
> ip_set_put_counter(skb, ext_counter(e, set)))
> goto nla_put_failure;
> + if (SET_WITH_COMMENT(set) &&
> + ip_set_put_comment(skb, ext_comment(e, set)))
> + goto nla_put_failure;
> ipset_nest_end(skb, nested);
> }
> }
> diff --git a/kernel/net/netfilter/ipset/ip_set_hash_ip.c b/kernel/net/netfilter/ipset/ip_set_hash_ip.c
> index a111ffe..10db2ff 100644
> --- a/kernel/net/netfilter/ipset/ip_set_hash_ip.c
> +++ b/kernel/net/netfilter/ipset/ip_set_hash_ip.c
> @@ -24,7 +24,8 @@
> #include <linux/netfilter/ipset/ip_set_hash.h>
>
> #define IPSET_TYPE_REV_MIN 0
> -#define IPSET_TYPE_REV_MAX 1 /* Counters support */
> +/* 1 Counters support */
> +#define IPSET_TYPE_REV_MAX 2 /* Comments support */
>
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>");
> @@ -292,6 +293,7 @@ static struct ip_set_type hash_ip_type __read_mostly = {
> [IPSET_ATTR_LINENO] = { .type = NLA_U32 },
> [IPSET_ATTR_BYTES] = { .type = NLA_U64 },
> [IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
> + [IPSET_ATTR_COMMENT] = { .type = NLA_STRING },
NLA_STRING is changed everywhere to NLA_NUL_STRING to enforce a NULL
terminated string in the attribute. ip_set_init_comment uses strlen, so
better not let it be fooled with non-terminated strings.
Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
