Hi,

I'm happy to announce ipset 7.0 which, besides a couple of fixes and corrections, brings a new internal protocol version between the kernel and userspace. The system is fully backward compatible:

- the new kernel modules work fine with any older ipset userspace binary,
- the new ipset binary works fine with any older ip_set* kernel modules.

The new protocol version was required to be introduced in order to support two new functions and the extended LIST operation, which makes it possible to run ipset in every case entirely over netlink, without the need to use getsockopt().

In the userspace part the library was reworked: from now on ipset can fully be embedded, python/perl/etc. binding libraries can be constructed and ipset commands run without calling the binary itself. The libipset(3) manpage describes the usage of the toplevel functions needed to issue ipset commands.

Userspace changes:

- Introduction of new commands and protocol version 7, updated kernel include files
- Add compatibility support for async in pernet_operations
- Use more robust awk patterns to check for backward compatibility
- Prepare the ipset tool to handle multiple protocol version
- Fix warning message handling
- Correct to test null valued entry in hash:net6,port,net6 test
- Library reworked to support embedding ipset completely
- Add compatibility to support kvcalloc()
- Validate string type attributes in attr2data() (Stefano Brivio)
- manpage: Add comment about matching on destination MAC address (Stefano Brivio)
- Add compatibility to support is_zero_ether_addr()
- Fix use-after-free in ipset_parse_name_compat() (Stefano Brivio)
- Fix leak in build_argv() on line parsing error (Stefano Brivio)
- Simplify return statement in ipset_mnl_query() (Stefano Brivio)
- tests/check_klog.sh: Try dmesg too, don't let shell terminate script (Stefano Brivio)

Kernel part changes:

- Introduction of new commands and protocol version 7
- License cleanup: add SPDX license identifier to uapi header files with no license (Greg Kroah-Hartman)
- net: Convert ip_set_net_ops (Kirill Tkhai)
- netfilter: Replace spin_is_locked() with lockdep (Lance Roy)
- Fix calling ip_set() macro at dumping
- Correct rcu_dereference() call in ip_set_put_comment()
- netfilter: ipset: fix ip_set_list allocation failure (Andrey Ryabinin)
- ipset: Make invalid MAC address checks consistent (Stefano Brivio)
- ipset: Allow matching on destination MAC address for mac and ipmac sets (Stefano Brivio)
- netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net (Eric Westbrook)
- ipset: list:set: Decrease refcount synchronously on deletion and replace (Stefano Brivio)
- netfilter: ipset: forbid family for hash:mac sets (Florent Fourcot)
- Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SEC
- List timing out entries with "timeout 1" instead of zero timeout value (Fixes bugzilla #1258)
- netfilter: xt_set: Check hook mask correctly (Serhey Popovych)

You can download the source code of ipset from:

    http://ipset.netfilter.org
    ftp://ftp.netfilter.org/pub/ipset/
    git://git.netfilter.org/ipset.git

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary