From 4e92e6ba2c4411f0ea3ae503c42fe7029bcc4618 Mon Sep 17 00:00:00 2001
From: Oliver Smith
Date: Sat, 28 Sep 2013 20:20:01 +0200
Subject: ipset: Add userspace code to support hash:net,port,net kernel module.

This adds the userspace library, tests to validate correct operation of the module and also provides appropriate usage information in the man page.

Signed-off-by: Oliver Smith
Signed-off-by: Jozsef Kadlecsik
---
 lib/Makefile.am | 1 +
 lib/ipset_hash_netportnet.c | 191 +++++++++++++++++++++
 src/ipset.8 | 342 ++++++++++++++++++++++----------------
 tests/hash:net,port,net.t | 183 ++++++++++++++++++++
 tests/hash:net,port,net.t.list0 | 10 ++
 tests/hash:net6,port,net6.t | 143 ++++++++++++++++
 tests/hash:net6,port,net6.t.list0 | 10 ++
 tests/resizen.sh | 13 ++
 tests/resizet.sh | 8 +
 tests/runtest.sh | 1 +
 tests/setlist_resize.sh | 1 +
 11 files changed, 763 insertions(+), 140 deletions(-)
 create mode 100644 lib/ipset_hash_netportnet.c
 create mode 100644 tests/hash:net,port,net.t
 create mode 100644 tests/hash:net,port,net.t.list0
 create mode 100644 tests/hash:net6,port,net6.t
 create mode 100644 tests/hash:net6,port,net6.t.list0

diff --git a/lib/Makefile.am b/lib/Makefile.am
index 32fc820..2234670 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -10,6 +10,7 @@ IPSET_SETTYPE_LIST = \
 ipset_hash_ipportnet.c \
 ipset_hash_net.c \
 ipset_hash_netnet.c \
+ ipset_hash_netportnet.c \
 ipset_hash_netport.c \
 ipset_hash_netiface.c \
 ipset_list_set.c
diff --git a/lib/ipset_hash_netportnet.c b/lib/ipset_hash_netportnet.c
new file mode 100644
index 0000000..728c4a3
--- /dev/null
+++ b/lib/ipset_hash_netportnet.c
@@ -0,0 +1,191 @@
+/* Copyright 2007-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include /* IPSET_OPT_* */
+#include /* parser functions */
+#include /* printing functions */
+#include /* ipset_port_usage */
+#include /* prototypes */
+
+/* Parse commandline arguments */
+static const struct ipset_arg hash_netportnet_create_args0[] = {
+ { .name = { "family", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_FAMILY,
+ .parse = ipset_parse_family, .print = ipset_print_family,
+ },
+ /* Alias: family inet */
+ { .name = { "-4", NULL },
+ .has_arg = IPSET_NO_ARG, .opt = IPSET_OPT_FAMILY,
+ .parse = ipset_parse_family,
+ },
+ /* Alias: family inet6 */
+ { .name = { "-6", NULL },
+ .has_arg = IPSET_NO_ARG, .opt = IPSET_OPT_FAMILY,
+ .parse = ipset_parse_family,
+ },
+ { .name = { "hashsize", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_HASHSIZE,
+ .parse = ipset_parse_uint32, .print = ipset_print_number,
+ },
+ { .name = { "maxelem", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_MAXELEM,
+ .parse = ipset_parse_uint32, .print = ipset_print_number,
+ },
+ { .name = { "timeout", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_TIMEOUT,
+ .parse = ipset_parse_timeout, .print = ipset_print_number,
+ },
+ { .name = { "counters", NULL },
+ .has_arg = IPSET_NO_ARG, .opt = IPSET_OPT_COUNTERS,
+ .parse = ipset_parse_flag, .print = ipset_print_flag,
+ },
+ { .name = { "comment", NULL },
+ .has_arg = IPSET_NO_ARG, .opt = IPSET_OPT_CREATE_COMMENT,
+ .parse = ipset_parse_flag, .print = ipset_print_flag,
+ },
+ { },
+};
+
+static const struct ipset_arg hash_netportnet_add_args0[] = {
+ { .name = { "timeout", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_TIMEOUT,
+ .parse = ipset_parse_timeout, .print = ipset_print_number,
+ },
+ { .name = { "nomatch", NULL },
+ .has_arg = IPSET_NO_ARG, .opt = IPSET_OPT_NOMATCH,
+ .parse = ipset_parse_flag, .print = ipset_print_flag,
+ },
+ { .name = { "packets", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_PACKETS,
+ .parse = ipset_parse_uint64, .print = ipset_print_number,
+ },
+ { .name = { "bytes", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_BYTES,
+ .parse = ipset_parse_uint64, .print = ipset_print_number,
+ },
+ { .name = { "comment", NULL },
+ .has_arg = IPSET_MANDATORY_ARG, .opt = IPSET_OPT_ADT_COMMENT,
+ .parse = ipset_parse_comment, .print = ipset_print_comment,
+ },
+ { },
+};
+
+static const struct ipset_arg hash_netportnet_test_args0[] = {
+ { .name = { "nomatch", NULL },
+ .has_arg = IPSET_NO_ARG, .opt = IPSET_OPT_NOMATCH,
+ .parse = ipset_parse_flag, .print = ipset_print_flag,
+ },
+ { },
+};
+
+static const char hash_netportnet_usage0[] =
+"create SETNAME hash:net,port,net\n"
+" [family inet|inet6]\n"
+" [hashsize VALUE] [maxelem VALUE]\n"
+" [timeout VALUE] [counters] [comment]\n"
+"add SETNAME IP[/CIDR],PROTO:PORT,IP[/CIDR] [timeout VALUE] [nomatch]\n"
+" [packets VALUE] [bytes VALUE] [comment \"string\"]\n"
+"del SETNAME IP[/CIDR],PROTO:PORT,IP[/CIDR]\n"
+"test SETNAME IP[/CIDR],PROTO:PORT,IP[/CIDR]\n\n"
+"where depending on the INET family\n"
+" IP are valid IPv4 or IPv6 addresses (or hostnames),\n"
+" CIDR is a valid IPv4 or IPv6 CIDR prefix.\n"
+" Adding/deleting multiple elements in IP/CIDR or FROM-TO form\n"
+" in both IP components are supported for IPv4.\n"
+" Adding/deleting multiple elements with TCP/SCTP/UDP/UDPLITE\n"
+" port range is supported both for IPv4 and IPv6.\n";
+
+static struct ipset_type ipset_hash_netportnet0 = {
+ .name = "hash:net,port,net",
+ .alias = { "netportnethash", NULL },
+ .revision = 0,
+ .family = NFPROTO_IPSET_IPV46,
+ .dimension = IPSET_DIM_THREE,
+ .elem = {
+ [IPSET_DIM_ONE - 1] = {
+ .parse = ipset_parse_ip4_net6,
+ .print = ipset_print_ip,
+ .opt = IPSET_OPT_IP
+ },
+ [IPSET_DIM_TWO - 1] = {
+ .parse = ipset_parse_proto_port,
+ .print = ipset_print_proto_port,
+ .opt = IPSET_OPT_PORT
+ },
+ [IPSET_DIM_THREE - 1] = {
+ .parse = ipset_parse_ip4_net6,
+ .print = ipset_print_ip,
+ .opt = IPSET_OPT_IP2
+ },
+ },
+ .args = {
+ [IPSET_CREATE] = hash_netportnet_create_args0,
+ [IPSET_ADD] = hash_netportnet_add_args0,
+ [IPSET_TEST] = hash_netportnet_test_args0,
+ },
+ .mandatory = {
+ [IPSET_CREATE] = 0,
+ [IPSET_ADD] = IPSET_FLAG(IPSET_OPT_IP)
+ | IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PROTO)
+ | IPSET_FLAG(IPSET_OPT_IP2),
+ [IPSET_DEL] = IPSET_FLAG(IPSET_OPT_IP)
+ | IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PROTO)
+ | IPSET_FLAG(IPSET_OPT_IP2),
+ [IPSET_TEST] = IPSET_FLAG(IPSET_OPT_IP)
+ | IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PROTO)
+ | IPSET_FLAG(IPSET_OPT_IP2),
+ },
+ .full = {
+ [IPSET_CREATE] = IPSET_FLAG(IPSET_OPT_HASHSIZE)
+ | IPSET_FLAG(IPSET_OPT_MAXELEM)
+ | IPSET_FLAG(IPSET_OPT_TIMEOUT)
+ | IPSET_FLAG(IPSET_OPT_COUNTERS)
+ | IPSET_FLAG(IPSET_OPT_CREATE_COMMENT),
+ [IPSET_ADD] = IPSET_FLAG(IPSET_OPT_IP)
+ | IPSET_FLAG(IPSET_OPT_CIDR)
+ | IPSET_FLAG(IPSET_OPT_IP_TO)
+ | IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PORT_TO)
+ | IPSET_FLAG(IPSET_OPT_PROTO)
+ | IPSET_FLAG(IPSET_OPT_IP2)
+ | IPSET_FLAG(IPSET_OPT_CIDR2)
+ | IPSET_FLAG(IPSET_OPT_IP2_TO)
+ | IPSET_FLAG(IPSET_OPT_TIMEOUT)
+ | IPSET_FLAG(IPSET_OPT_NOMATCH)
+ | IPSET_FLAG(IPSET_OPT_PACKETS)
+ | IPSET_FLAG(IPSET_OPT_BYTES)
+ | IPSET_FLAG(IPSET_OPT_ADT_COMMENT),
+ [IPSET_DEL] = IPSET_FLAG(IPSET_OPT_IP)
+ | IPSET_FLAG(IPSET_OPT_CIDR)
+ | IPSET_FLAG(IPSET_OPT_IP_TO)
+ | IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PORT_TO)
+ | IPSET_FLAG(IPSET_OPT_PROTO)
+ | IPSET_FLAG(IPSET_OPT_IP2)
+ | IPSET_FLAG(IPSET_OPT_CIDR2)
+ | IPSET_FLAG(IPSET_OPT_IP2_TO),
+ [IPSET_TEST] = IPSET_FLAG(IPSET_OPT_IP)
+ | IPSET_FLAG(IPSET_OPT_CIDR)
+ | IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PROTO)
+ | IPSET_FLAG(IPSET_OPT_IP2)
+ | IPSET_FLAG(IPSET_OPT_CIDR2)
+ | IPSET_FLAG(IPSET_OPT_NOMATCH),
+ },
+
+ .usage = hash_netportnet_usage0,
+ .usagefn = ipset_port_usage,
+ .description = "initial revision",
+};
+
+void _init(void);
+void _init(void)
+{
+ ipset_type_add(&ipset_hash_netportnet0);
+}
diff --git a/src/ipset.8 b/src/ipset.8
index 20fb4d4..8a21eaf 100644
--- a/src/ipset.8
+++ b/src/ipset.8
@@ -18,37 +18,37 @@ ipset \(em administration tool for IP sets .SH "SYNOPSIS" \fBipset\fR [ \fIOPTIONS\fR ] \fICOMMAND\fR [ \fICOMMAND\-OPTIONS\fR ] -.PP +.PP COMMANDS := { \fBcreate\fR | \fBadd\fR | \fBdel\fR | \fBtest\fR | \fBdestroy\fR | \fBlist\fR | \fBsave\fR | \fBrestore\fR | \fBflush\fR | \fBrename\fR | \fBswap\fR | \fBhelp\fR | \fBversion\fR | \fB\-\fR } -.PP +.PP \fIOPTIONS\fR := { \fB\-exist\fR | \fB\-output\fR { \fBplain\fR | \fBsave\fR | \fBxml\fR } | \fB\-quiet\fR | \fB\-resolve\fR | \fB\-sorted\fR | \fB\-name\fR | \fB\-terse\fR | \fB\-file\fR \fIfilename\fR } -.PP +.PP \fBipset\fR \fBcreate\fR \fISETNAME\fR \fITYPENAME\fR [ \fICREATE\-OPTIONS\fR ] -.PP +.PP \fBipset\fR \fBadd\fR \fISETNAME\fR \fIADD\-ENTRY\fR [ \fIADD\-OPTIONS\fR ] -.PP +.PP \fBipset\fR \fBdel\fR \fISETNAME\fR \fIDEL\-ENTRY\fR [ \fIDEL\-OPTIONS\fR ] -.PP +.PP \fBipset\fR \fBtest\fR \fISETNAME\fR \fITEST\-ENTRY\fR [ \fITEST\-OPTIONS\fR ] -.PP +.PP \fBipset\fR \fBdestroy\fR [ \fISETNAME\fR ] -.PP +.PP \fBipset\fR \fBlist\fR [ \fISETNAME\fR ] -.PP +.PP \fBipset\fR \fBsave\fR [ \fISETNAME\fR ] -.PP +.PP \fBipset\fR \fBrestore\fR -.PP +.PP \fBipset\fR \fBflush\fR [ \fISETNAME\fR ] -.PP +.PP \fBipset\fR \fBrename\fR \fISETNAME\-FROM\fR \fISETNAME\-TO\fR -.PP +.PP \fBipset\fR \fBswap\fR \fISETNAME\-FROM\fR \fISETNAME\-TO\fR -.PP +.PP \fBipset\fR \fBhelp\fR [ \fITYPENAME\fR ] -.PP +.PP \fBipset\fR \fBversion\fR -.PP +.PP \fBipset\fR \fB\-\fR .SH "DESCRIPTION" \fBipset\fR
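Review bot: The usage text `hash_netportnet_usage0` only says `CIDR is a valid IPv4 or IPv6 CIDR prefix`, while the man page section added in the same commit states that a /0 prefix is accepted for either network component; `ipset help hash:net,port,net` should say the same, since a /0 entry matches every source or destination and an operator editing a set from the help output should see that without opening the man page. If `ipset_parse_ip4_net6` does accept /0 here (not visible in this hunk), add a line such as `" A /0 CIDR prefix is accepted for either IP component.\n"` after the CIDR line; if it does not, the man page claim is the part to fix. The ADD-ENTRY line of that man page section also still reads `ipaddr,[proto:]port,netaddr`, which disagrees with the `add SETNAME IP[/CIDR],PROTO:PORT,IP[/CIDR]` form given in this usage text. The file header `Copyright 2007-2010 Jozsef Kadlecsik` appears copied from a sibling type file rather than reflecting this 2013 addition by a different author.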
@@ -56,7 +56,7 @@ is used to set up, maintain and inspect so called IP sets in the Linux kernel. Depending on the type of the set, an IP set may store IP(v4/v6) addresses, (TCP/UDP) port numbers, IP and MAC address pairs, IP address and port number pairs, etc. See the set type definitions below. -.PP +.PP \fBIptables\fR matches and targets referring to sets create references, which protect the given sets in the kernel. A set cannot be destroyed @@ -241,13 +241,13 @@ When adding, deleting or testing entries in a set, the same comma separated data syntax must be used for the entry parameter of the commands, i.e .IP ipset add foo ipaddr,portnum,ipaddr -.PP +.PP If host names or service names with dash in the name are used instead of IP addresses or service numbers, then the host name or service name must be enclosed in square brackets. Example: .IP ipset add foo [test\-hostname],[ftp\-data] -.PP +.PP In the case of host names the DNS resolver is called internally by \fBipset\fR but if it returns multiple IP addresses, only the first one is used. @@ -279,7 +279,7 @@ ipset create test hash:ip timeout 300 ipset add test 192.168.0.1 timeout 60 .IP ipset \-exist add test 192.168.0.1 timeout 600 -.PP +.PP .SS nomatch The \fBhash\fR set types which can store \fBnet\fR type of data (i.e. hash:*net*) support the optional \fBnomatch\fR @@ -303,7 +303,7 @@ to a set with non\-zero counter values: ipset create foo hash:ip counters .IP ipset add foo 192.168.1.1 packets 42 bytes 1024 -.PP +.PP .SS comment All set types support the optional \fBcomment\fR extension. Enabling this extension on an ipset enables you to annotate an ipset entry with 
@@ -332,24 +332,24 @@ the above would appear as: "allow access to SMB share on \\\\fileserv\\" The \fBbitmap:ip\fR set type uses a memory range to store either IPv4 host (default) or IPv4 network addresses. A \fBbitmap:ip\fR type of set can store up to 65536 entries. -.PP +.PP \fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] -.PP +.PP \fIADD\-ENTRY\fR := { \fIip\fR | \fIfromip\fR\-\fItoip\fR | \fIip\fR/\fIcidr\fR } -.PP +.PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] -.PP +.PP \fIDEL\-ENTRY\fR := { \fIip\fR | \fIfromip\fR\-\fItoip\fR | \fIip\fR/\fIcidr\fR } -.PP +.PP \fITEST\-ENTRY\fR := \fIip\fR -.PP +.PP Mandatory \fBcreate\fR options: .TP \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR Create the set from the specified inclusive address range expressed in an IPv4 address range or network. The size of the range (in entries) cannot exceed the limit of maximum 65536 elements. -.PP +.PP Optional \fBcreate\fR options: .TP \fBnetmask\fP \fIcidr\fP @@ -358,10 +358,10 @@ stored in the set instead of IP host addresses. The \fIcidr\fR prefix value must between 1\-32. An IP address will be in the set if the network address, which is resulted by masking the address with the specified netmask, can be found in the set. -.PP +.PP The \fBbitmap:ip\fR type supports adding or deleting multiple entries in one command. -.PP +.PP Examples: .IP ipset create foo bitmap:ip range 192.168.0.0/16 
@@ -371,36 +371,36 @@ ipset add foo 192.168.1/24 ipset test foo 192.168.1.1 .SS bitmap:ip,mac The \fBbitmap:ip,mac\fR set type uses a memory range to store IPv4 and a MAC address pairs. A \fBbitmap:ip,mac\fR type of set can store up to 65536 entries. -.PP +.PP \fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] -.PP +.PP \fIADD\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR] -.PP +.PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] -.PP +.PP \fIDEL\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR] -.PP +.PP \fITEST\-ENTRY\fR := \fIip\fR[,\fImacaddr\fR] -.PP +.PP Mandatory options to use when creating a \fBbitmap:ip,mac\fR type of set: .TP \fBrange\fP \fIfromip\fP\-\fItoip\fR|\fIip\fR/\fIcidr\fR Create the set from the specified inclusive address range expressed in an IPv4 address range or network. The size of the range cannot exceed the limit of maximum 65536 entries. -.PP +.PP The \fBbitmap:ip,mac\fR type is exceptional in the sense that the MAC part can be left out when adding/deleting/testing entries in the set. If we add an entry without the MAC address specified, then when the first time the entry is matched by the kernel, it will automatically fill out the missing MAC address with the source MAC address from the packet. If the entry was specified with a timeout value, the timer starts off when the IP and MAC address pair is complete. -.PP +.PP The \fBbitmap:ip,mac\fR type of sets require two \fBsrc/dst\fR parameters of the \fBset\fR match and \fBSET\fR target netfilter kernel modules and the second one must be \fBsrc\fR to match, add or delete entries, because the \fBset\fR match and \fBSET\fR target have access to the source MAC address only. -.PP +.PP Examples: .IP ipset create foo bitmap:ip,mac range 192.168.0.0/16 
@@ -411,25 +411,25 @@ ipset test foo 192.168.1.1 .SS bitmap:port The \fBbitmap:port\fR set type uses a memory range to store port numbers and such a set can store up to 65536 ports. -.PP +.PP \fICREATE\-OPTIONS\fR := \fBrange\fP \fIfromport\fP\-\fItoport [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] -.PP +.PP \fIADD\-ENTRY\fR := { \fI[proto:]port\fR | \fI[proto:]fromport\fR\-\fItoport\fR } -.PP +.PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] -.PP +.PP \fIDEL\-ENTRY\fR := { \fI[proto:]port\fR | \fI[proto:]fromport\fR\-\fItoport\fR } -.PP +.PP \fITEST\-ENTRY\fR := \fI[proto:]port\fR -.PP +.PP Mandatory options to use when creating a \fBbitmap:port\fR type of set: .TP \fBrange\fP \fI[proto:]fromport\fP\-\fItoport\fR Create the set from the specified inclusive port range. -.PP +.PP The \fBset\fR match and \fBSET\fR target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. -.PP +.PP \fBproto\fR only needs to be specified if a service name is used, and that name does not exist as a TCP service. .PP @@ -446,17 +446,17 @@ ipset del foo udp:[macon-udp]-[tn-tl-w2] The \fBhash:ip\fR set type uses a hash to store IP host addresses (default) or network addresses. Zero valued IP address cannot be stored in a \fBhash:ip\fR type of set. -.PP +.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] -.PP +.PP \fIADD\-ENTRY\fR := \fIipaddr\fR -.PP +.PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] -.PP +.PP \fIDEL\-ENTRY\fR := \fIipaddr\fR -.PP +.PP \fITEST\-ENTRY\fR := \fIipaddr\fR -.PP +.PP Optional \fBcreate\fR options: .TP \fBfamily\fR { \fBinet\fR | \fBinet6\fR } 
@@ -477,12 +477,12 @@ stored in the set instead of IP host addresses. The \fIcidr\fP prefix value must between 1\-32 for IPv4 and between 1\-128 for IPv6. An IP address will be in the set if the network address, which is resulted by masking the address with the netmask, can be found in the set. -.PP +.PP For the \fBinet\fR family one can add or delete multiple entries by specifying a range or a network: -.PP +.PP \fIipaddr\fR := { \fIip\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR } -.PP +.PP Examples: .IP ipset create foo hash:ip netmask 30 @@ -493,20 +493,20 @@ ipset test foo 192.168.1.2 .SS hash:net The \fBhash:net\fR set type uses a hash to store different sized IP network addresses. Network address with zero prefix size cannot be stored in this type of sets. -.PP +.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] -.PP +.PP \fIADD\-ENTRY\fR := \fInetaddr\fR -.PP +.PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] -.PP +.PP \fIDEL\-ENTRY\fR := \fInetaddr\fR -.PP +.PP \fITEST\-ENTRY\fR := \fInetaddr\fR -.PP +.PP where \fInetaddr\fR := \fIip\fR[/\fIcidr\fR] -.PP +.PP Optional \fBcreate\fR options: .TP \fBfamily\fR { \fBinet\fR | \fBinet6\fR } 
@@ -520,28 +520,28 @@ correct value. .TP \fBmaxelem\fR \fIvalue\fR The maximal number of elements which can be stored in the set, default 65536. -.PP +.PP For the \fBinet\fR family one can add or delete multiple entries by specifying a range, which is converted internally to network(s) equal to the range: -.PP +.PP \fInetaddr\fR := { \fIip\fR[/\fIcidr\fR] | \fIfromaddr\fR\-\fItoaddr\fR } -.PP +.PP When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly. -.PP +.PP From the \fBset\fR netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) added to the set. When adding/deleting IP addresses to the set by the \fBSET\fR netfilter target, it will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty. -.PP +.PP The lookup time grows linearly with the number of the different prefix values added to the set. -.PP +.PP Example: .IP ipset create foo hash:net @@ -553,7 +553,7 @@ ipset add foo 10.1.0.0/16 ipset add foo 192.168.0/24 .IP ipset add foo 192.168.0/30 nomatch -.PP +.PP When matching the elements in the set above, all IP addresses will match from the networks 192.168.0.0/24, 10.1.0.0/16 and 192.168.0/24 except the ones from 192.168.0/30. 
@@ -635,17 +635,17 @@ and 192.168.0/24<->192.168.54.0/24 except the ones from The \fBhash:ip,port\fR set type uses a hash to store IP address and port number pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. -.PP +.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] -.PP +.PP \fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR -.PP +.PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] -.PP +.PP \fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR -.PP +.PP \fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR -.PP +.PP Optional \fBcreate\fR options: .TP \fBfamily\fR { \fBinet\fR | \fBinet6\fR } @@ -659,12 +659,12 @@ correct value .TP \fBmaxelem\fR \fIvalue\fR The maximal number of elements which can be stored in the set, default 65536. -.PP +.PP For the \fBinet\fR family one can add or delete multiple entries by specifying a range or a network of IPv4 addresses in the IP address part of the entry: -.PP +.PP \fIipaddr\fR := { \fIip\fR | \fIfromaddr\fR\-\fItoaddr\fR | \fIip\fR/\fIcidr\fR } -.PP +.PP The [\fIproto\fR:]\fIport\fR part of the elements may be expressed in the following forms, where the range @@ -690,11 +690,11 @@ be listed by the help command. \fIproto\fR:0 All other protocols, as an identifier from /etc/protocols or number. The pseudo port number must be zero. -.PP +.PP The \fBhash:ip,port\fR type of sets require two \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR target kernel modules. -.PP +.PP Examples: .IP ipset create foo hash:ip,port 
@@ -711,20 +711,20 @@ The \fBhash:net,port\fR set type uses a hash to store different sized IP network address and port pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size is not accepted either. -.PP +.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] -.PP +.PP \fIADD\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR -.PP +.PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] -.PP +.PP \fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR -.PP +.PP \fITEST\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR -.PP +.PP where \fInetaddr\fR := \fIip\fR[/\fIcidr\fR] -.PP +.PP Optional \fBcreate\fR options: .TP \fBfamily\fR { \fBinet\fR | \fBinet6\fR } 
@@ -738,19 +738,19 @@ correct value. .TP \fBmaxelem\fR \fIvalue\fR The maximal number of elements which can be stored in the set, default 65536. -.PP +.PP For the \fInetaddr\fR part of the elements see the description at the \fBhash:net\fR set type. For the [\fIproto\fR:]\fIport\fR part of the elements see the description at the \fBhash:ip,port\fR set type. -.PP +.PP When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly. -.PP +.PP From the \fBset\fR netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) added to the set. @@ -758,10 +758,10 @@ When adding/deleting IP addresses to the set by the \fBSET\fR netfilter target, it will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty. -.PP +.PP The lookup time grows linearly with the number of the different prefix values added to the set. -.PP +.PP Examples: .IP ipset create foo hash:net,port 
@@ -775,22 +775,22 @@ ipset test foo 192.168.0/24,25 The \fBhash:ip,port,ip\fR set type uses a hash to store IP address, port number and a second IP address triples. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. -.PP +.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] -.PP +.PP \fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR -.PP +.PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] -.PP +.PP \fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR -.PP +.PP \fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fIip\fR -.PP +.PP For the first \fIipaddr\fR and [\fIproto\fR:]\fIport\fR parts of the elements see the descriptions at the \fBhash:ip,port\fR set type. -.PP +.PP Optional \fBcreate\fR options: .TP \fBfamily\fR { \fBinet\fR | \fBinet6\fR } @@ -804,11 +804,11 @@ correct value. .TP \fBmaxelem\fR \fIvalue\fR The maximal number of elements which can be stored in the set, default 65536. -.PP +.PP The \fBhash:ip,port,ip\fR type of sets require three \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR target kernel modules. -.PP +.PP Examples: .IP ipset create foo hash:ip,port,ip 
@@ -821,26 +821,26 @@ The \fBhash:ip,port,net\fR set type uses a hash to store IP address, port number and IP network address triples. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size cannot be stored either. -.PP +.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] -.PP +.PP \fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR -.PP +.PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] -.PP +.PP \fIDEL\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR -.PP +.PP \fITEST\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR -.PP +.PP where \fInetaddr\fR := \fIip\fR[/\fIcidr\fR] -.PP +.PP For the \fIipaddr\fR and [\fIproto\fR:]\fIport\fR parts of the elements see the descriptions at the \fBhash:ip,port\fR set type. For the \fInetaddr\fR part of the elements see the description at the \fBhash:net\fR set type. -.PP +.PP Optional \fBcreate\fR options: .TP \fBfamily\fR { \fBinet\fR | \fBinet6\fR } @@ -854,7 +854,7 @@ correct value. .TP \fBmaxelem\fR \fIvalue\fR The maximal number of elements which can be stored in the set, default 65536. -.PP +.PP From the \fBset\fR netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific cidr) to the largest one (least specific cidr) added to the set. 
@@ -862,13 +862,13 @@ When adding/deleting triples to the set by the \fBSET\fR netfilter target, it will be added/deleted by the most specific cidr which can be found in the set, or by the host cidr value if the set is empty. -.PP +.PP The lookup time grows linearly with the number of the different \fIcidr\fR values added to the set. -.PP +.PP The \fBhash:ip,port,net\fR type of sets require three \fBsrc\fR/\fBdst\fR parameters of the \fBset\fR match and \fBSET\fR target kernel modules. -.PP +.PP Examples: .IP ipset create foo hash:ip,port,net 
@@ -878,23 +878,85 @@ ipset add foo 192.168.1,80,10.0.0/24 ipset add foo 192.168.2,25,10.1.0.0/16 .IP ipset test foo 192.168.1,80.10.0.0/24 +.SS hash:net,port,net +The \fBhash:net,port,net\fR set type behaves similarly to hash:ip,port,net but accepts a +cidr value for both the first and last parameter. Either subnet is permitted to be a /0 +should you wish to match port between all destinations. +.PP +\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] +.PP +\fIADD\-ENTRY\fR := \fIipaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR +.PP +\fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] +.PP +\fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR +.PP +\fITEST\-ENTRY\fR := \fInetaddr\fR,[\fIproto\fR:]\fIport\fR,\fInetaddr\fR +.PP +where +\fInetaddr\fR := \fIip\fR[/\fIcidr\fR] +.PP +For the [\fIproto\fR:]\fIport\fR +part of the elements see the description at the +\fBhash:ip,port\fR set type. For the \fInetaddr\fR part of the elements +see the description at the \fBhash:net\fR set type. +.PP +Optional \fBcreate\fR options: +.TP +\fBfamily\fR { \fBinet\fR | \fBinet6\fR } +The protocol family of the IP addresses to be stored in the set. The default is +\fBinet\fR, i.e IPv4. +.TP +\fBhashsize\fR \fIvalue\fR +The initial hash size for the set, default is 1024. The hash size must be a power +of two, the kernel automatically rounds up non power of two hash sizes to the first +correct value. +.TP +\fBmaxelem\fR \fIvalue\fR +The maximal number of elements which can be stored in the set, default 65536. 
+.PP +From the \fBset\fR netfilter match point of view the searching for a match +always starts from the smallest size of netblock (most specific +cidr) to the largest one (least specific cidr) added to the set. +When adding/deleting triples +to the set by the \fBSET\fR netfilter target, it will be +added/deleted by the most specific cidr which can be found in the +set, or by the host cidr value if the set is empty. The first subnet has +precedence when performing the most-specific lookup, just as for hash:net,net +.PP +The lookup time grows linearly with the number of the different \fIcidr\fR +values added to the set and by the number of secondary \fIcidr\fR values per +primary. +.PP +The \fBhash:net,port,net\fR type of sets require three \fBsrc\fR/\fBdst\fR parameters of +the \fBset\fR match and \fBSET\fR target kernel modules. +.PP +Examples: +.IP +ipset create foo hash:net,port,net +.IP +ipset add foo 192.168.1.0/24,0,10.0.0/24 +.IP +ipset add foo 192.168.2.0/24,25,10.1.0.0/16 +.IP +ipset test foo 192.168.1.1,80,10.0.0.1 .SS hash:net,iface The \fBhash:net,iface\fR set type uses a hash to store different sized IP network address and interface name pairs. -.PP +.PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] -.PP +.PP \fIADD\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR -.PP +.PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBnomatch\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] -.PP +.PP \fIDEL\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR -.PP +.PP \fITEST\-ENTRY\fR := \fInetaddr\fR,[\fBphysdev\fR:]\fIiface\fR -.PP +.PP where \fInetaddr\fR := \fIip\fR[/\fIcidr\fR] -.PP +.PP Optional \fBcreate\fR options: .TP \fBfamily\fR { \fBinet\fR | \fBinet6\fR } 
@@ -908,16 +970,16 @@ correct value. .TP \fBmaxelem\fR \fIvalue\fR The maximal number of elements which can be stored in the set, default 65536. -.PP +.PP For the \fInetaddr\fR part of the elements see the description at the \fBhash:net\fR set type. -.PP +.PP When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly. -.PP +.PP From the \fBset\fR netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) added to the set. @@ -925,21 +987,21 @@ When adding/deleting IP addresses to the set by the \fBSET\fR netfilter target, it will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty. -.PP +.PP The second direction parameter of the \fBset\fR match and \fBSET\fR target modules corresponds to the incoming/outgoing interface: \fBsrc\fR to the incoming one (similar to the \fB\-i\fR flag of iptables), while \fBdst\fR to the outgoing one (similar to the \fB\-o\fR flag of iptables). When the interface is flagged with \fBphysdev:\fR, the interface is interpreted as the incoming/outgoing bridge port. -.PP +.PP The lookup time grows linearly with the number of the different prefix values added to the set. -.PP +.PP The internal restriction of the \fBhash:net,iface\fR set type is that the same network prefix cannot be stored with more than 64 different interfaces in a single set. -.PP +.PP Examples: .IP ipset create foo hash:net,iface 
@@ -952,25 +1014,25 @@ ipset test foo 192.168.0/24,eth0 .SS list:set The \fBlist:set\fR type uses a simple list in which you can store set names. -.PP +.PP \fICREATE\-OPTIONS\fR := [ \fBsize\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] -.PP +.PP \fIADD\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ] -.PP +.PP \fIADD\-OPTIONS\fR := [ \fBtimeout\fR \fIvalue\fR ] [ \fBpackets\fR \fIvalue\fR ] [ \fBbytes\fR \fIvalue\fR ] [ \fBcomment\fR \fIstring\fR ] -.PP +.PP \fIDEL\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ] -.PP +.PP \fITEST\-ENTRY\fR := \fIsetname\fR [ { \fBbefore\fR | \fBafter\fR } \fIsetname\fR ] -.PP +.PP Optional \fBcreate\fR options: .TP \fBsize\fR \fIvalue\fR The size of the list, the default is 8. -.PP +.PP By the \fBipset\fR command you can add, delete and test set names in a \fBlist:set\fR type of set. -.PP +.PP By the \fBset\fR match or \fBSET\fR target of netfilter you can test, add or delete entries in the sets added to the \fBlist:set\fR type of set. The match will try to find a matching entry in the sets and 
@@ -981,14 +1043,14 @@ or less parameters are checked, elements added/deleted. For example if \fIa\fR a \fIb\fR are \fBlist:set\fR type of sets then in the command .IP iptables \-m set \-\-match\-set a src,dst \-j SET \-\-add\-set b src,dst -.PP +.PP the match and target will skip any set in \fIa\fR and \fIb\fR which stores data triples, but will match all sets with single or double data storage in \fIa\fR set and stop matching at the first successful set, and add src to the first single or src,dst to the first double data storage set in \fIb\fR to which the entry can be added. You can imagine a \fBlist:set\fR type of set as an ordered union of the set elements. -.PP +.PP Please note: by the \fBipset\fR command you can add, delete and \fBtest\fR the setnames in a \fBlist:set\fR type of set, and \fBnot\fR the presence of a set's member (such as an IP address). @@ -1001,9 +1063,9 @@ If you want to store same size subnets from a given network If you want to store random same size networks (say random /24 blocks), use the \fBhash:ip\fR set type. If you have got random size of netblocks, use \fBhash:net\fR. -.PP +.PP Backward compatibility is maintained and old \fBipset\fR syntax is still supported. -.PP +.PP The \fBiptree\fR and \fBiptreemap\fR set types are removed: if you refer to them, they are automatically replaced by \fBhash:ip\fR type of sets. .SH "DIAGNOSTICS" diff --git a/tests/hash:net,port,net.t b/tests/hash:net,port,net.t new file mode 100644 index 0000000..4b55631 --- /dev/null +++ b/tests/hash:net,port,net.t 
@@ -0,0 +1,183 @@
+# Create a set with timeout
+0 ipset create test hash:net,port,net timeout 5
+# Add partly zero valued element
+0 ipset add test 2.0.0.1/24,0,192.168.0.0/24
+# Test partly zero valued element
+0 ipset test test 2.0.0.1/24,0,192.168.0.0/24
+# Delete partly zero valued element
+0 ipset del test 2.0.0.1/24,0,192.168.0.0/24
+# Add first random value
+0 ipset add test 2.0.0.1/24,5,192.168.0.0/24
+# Add second random value
+0 ipset add test 2.1.0.0/24,128,10.0.0.0/16
+# Test first random value
+0 ipset test test 2.0.0.1,5,192.168.0.1
+# Test second random value
+0 ipset test test 2.1.0.0,128,10.0.1.1
+# Test value not added to the set
+1 ipset test test 2.5.0.1,4,10.0.0.1
+# Delete value not added to the set
+1 ipset del test 2.0.0.1/8,6,10.0.0.0/16
+# Test value before first random value
+1 ipset test test 2.0.0.0/25,5,192.168.0.0/24
+# Test value after second random value
+1 ipset test test 2.4.0.1,128,10.0.0.100
+# Try to add value before first random value
+0 ipset add test 2.0.0.0/24,5,192.168.0.0/25
+# Try to add value after second random value
+0 ipset add test 2.1.0.1,128,10.0.0.0/17
+# List set
+0 ipset list test | grep -v Revision: | sed 's/timeout ./timeout x/' > .foo0 && ./sort.sh .foo0
+# Check listing
+0 diff -u -I 'Size in memory.*' .foo hash:net,port,net.t.list0
+# Sleep 5s so that elements can time out
+0 sleep 5
+# List set
+0 n=`ipset save test|wc -l` && test $n -eq 1
+# Flush test set
+0 ipset flush test
+# Delete set
+0 ipset destroy test
+# Create set to add a range
+0 ipset new test hash:net,port,net hashsize 64
+# Add a range
+0 ipset add test 10.0.0.0-10.0.3.255,tcp:80-82,192.168.0.1/24
+# Check that correct number of elements are added
+0 n=`ipset list test|grep '^10.0'|wc -l` && test $n -eq 3
+# Destroy set
+0 ipset -X test
+# Create set to add a range and with range notation in the network
+0 ipset new test hash:net,port,net hashsize 64
+# Add a range which forces a resizing
+0 ipset add test 10.0.0.0-10.0.3.255,tcp:80-82,192.168.0.0-192.168.2.255
+# Check that correct number of elements are added
+0 n=`ipset list test|grep '^10.0'|wc -l` && test $n -eq 6
+# Destroy set
+0 ipset -X test
+# Create test set with timeout support
+0 ipset create test hash:net,port,net timeout 30
+# Add a non-matching IP address entry
+0 ipset -A test 2.2.2.2,80,1.1.1.1 nomatch
+# Add an overlapping matching small net
+0 ipset -A test 2.2.2.2,80,1.1.1.0/30
+# Add an overlapping non-matching larger net
+0 ipset -A test 2.2.2.2,80,1.1.1.0/28 nomatch
+# Add an even larger matching net
+0 ipset -A test 2.2.2.2,80,1.1.1.0/26
+# Check non-matching IP
+1 ipset -T test 2.2.2.2,80,1.1.1.1
+# Check matching IP from non-matchin small net
+0 ipset -T test 2.2.2.2,80,1.1.1.3
+# Check non-matching IP from larger net
+1 ipset -T test 2.2.2.2,80,1.1.1.4
+# Check matching IP from even larger net
+0 ipset -T test 2.2.2.2,80,1.1.1.16
+# Update non-matching IP to matching one
+0 ipset -! -A test 2.2.2.2,80,1.1.1.1
+# Delete overlapping small net
+0 ipset -D test 2.2.2.2,80,1.1.1.0/30
+# Check matching IP
+0 ipset -T test 2.2.2.2,80,1.1.1.1
+# Add overlapping small net
+0 ipset -A test 2.2.2.2,80,1.1.1.0/30
+# Update matching IP as a non-matching one, with shorter timeout
+0 ipset -! -A test 2.2.2.2,80,1.1.1.1 nomatch timeout 2
+# Check non-matching IP
+1 ipset -T test 2.2.2.2,80,1.1.1.1
+# Sleep 3s so that element can time out
+0 sleep 3
+# Check non-matching IP
+0 ipset -T test 2.2.2.2,80,1.1.1.1
+# Check matching IP
+0 ipset -T test 2.2.2.2,80,1.1.1.3
+# Delete test set
+0 ipset destroy test
+# Create set
+0 ipset create test hash:net,port,net
+# Add a single element
+0 ipset add test 10.0.0.1,tcp:80,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 2
+# Delete the single element
+0 ipset del test 10.0.0.1,tcp:80,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 1
+# Add an IP range
+0 ipset add test 10.0.0.1-10.0.0.10,tcp:80,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 6
+# Delete the IP range
+0 ipset del test 10.0.0.1-10.0.0.10,tcp:80,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 1
+# Add a port range
+0 ipset add test 10.0.0.1,tcp:80-89,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 11
+# Delete the port range
+0 ipset del test 10.0.0.1,tcp:80-89,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 1
+# Add an IP and port range
+0 ipset add test 10.0.0.1-10.0.0.10,tcp:80-89,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 51
+# Delete the IP and port range
+0 ipset del test 10.0.0.1-10.0.0.10,tcp:80-89,2.2.2.0/24
+# Check number of elements
+0 n=`ipset save test|wc -l` && test $n -eq 1
+# Destroy set
+0 ipset -X test
+# Timeout: Check that resizing keeps timeout values
+0 ./resizet.sh -4 netportnet
+# Nomatch: Check that resizing keeps the nomatch flag
+0 ./resizen.sh -4 netportnet
+# Counters: create set
+0 ipset n test hash:net,port,net counters
+# Counters: add element with packet, byte counters
+0 ipset a test 2.0.0.1,80,192.168.199.200 packets 5 bytes 3456
+# Counters: check element
+0 ipset t test 2.0.0.1,80,192.168.199.200
+# Counters: check counters
+0 ./check_counters test 2.0.0.1 5 3456
+# Counters: delete element
+0 ipset d test 2.0.0.1,80,192.168.199.200
+# Counters: test deleted element
+1 ipset t test 2.0.0.1,80,192.168.199.200
+# Counters: add element with packet, byte counters
+0 ipset a test 2.0.0.20,453,10.0.0.1 packets 12 bytes 9876
+# Counters: check counters
+0 ./check_counters test 2.0.0.20 12 9876
+# Counters: update counters
+0 ipset -! a test 2.0.0.20,453,10.0.0.1 packets 13 bytes 12479
+# Counters: check counters
+0 ./check_counters test 2.0.0.20 13 12479
+# Counters: destroy set
+0 ipset x test
+# Counters and timeout: create set
+0 ipset n test hash:net,port,net counters timeout 600
+# Counters and timeout: add element with packet, byte counters
+0 ipset a test 2.0.0.1,80,192.168.199.200 packets 5 bytes 3456
+# Counters and timeout: check element
+0 ipset t test 2.0.0.1,80,192.168.199.200
+# Counters and timeout: check counters
+0 ./check_extensions test 2.0.0.1 600 5 3456
+# Counters and timeout: delete element
+0 ipset d test 2.0.0.1,80,192.168.199.200
+# Counters and timeout: test deleted element
+1 ipset t test 2.0.0.1,80,192.168.199.200
+# Counters and timeout: add element with packet, byte counters
+0 ipset a test 2.0.0.20,453,10.0.0.1 packets 12 bytes 9876
+# Counters and timeout: check counters
+0 ./check_extensions test 2.0.0.20 600 12 9876
+# Counters and timeout: update counters
+0 ipset -! a test 2.0.0.20,453,10.0.0.1 packets 13 bytes 12479
+# Counters and timeout: check counters
+0 ./check_extensions test 2.0.0.20 600 13 12479
+# Counters and timeout: update timeout
+0 ipset -! a test 2.0.0.20,453,10.0.0.1 timeout 700
+# Counters and timeout: check counters
+0 ./check_extensions test 2.0.0.20 700 13 12479
+# Counters and timeout: destroy set
+0 ipset x test
+# eof
diff --git a/tests/hash:net,port,net.t.list0 b/tests/hash:net,port,net.t.list0
new file mode 100644
index 0000000..0d90e62
--- /dev/null
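Review bot: The inet file has no counterpart to the inet6 file's zero-valued checks (`1 ipset -A test 2:0:0::1/24,0,0:0:0::0/0` and its test/del lines in tests/hash:net6,port,net6.t), so rejection of a /0 second network is only exercised for inet6; a matching trio such as `1 ipset add test 2.0.0.1/24,0,0.0.0.0/0` would cover it, assuming the kernel rejects a zero prefix for inet as it evidently does for inet6. The `sed 's/timeout ./timeout x/'` in the listing step masks only a one-character timeout value, which holds here because the set was created with `timeout 5`, but the masking would break silently if that value were ever raised to 10 or more, so a comment on that line tying the pattern to the creation value would help. The comment `# Check matching IP from non-matchin small net` should read `# Check matching IP from non-matching small net` (same typo in the inet6 file).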
+++ b/tests/hash:net,port,net.t.list0
@@ -0,0 +1,10 @@
+Name: test
+Type: hash:net,port,net
+Header: family inet hashsize 1024 maxelem 65536 timeout x
+Size in memory: 17672
+References: 0
+Members:
+2.0.0.0/24,tcp:5,192.168.0.0/24 timeout x
+2.0.0.0/24,tcp:5,192.168.0.0/25 timeout x
+2.1.0.0/24,tcp:128,10.0.0.0/16 timeout x
+2.1.0.1,tcp:128,10.0.0.0/17 timeout x
diff --git a/tests/hash:net6,port,net6.t b/tests/hash:net6,port,net6.t
new file mode 100644
index 0000000..63587e3
--- /dev/null
+++ b/tests/hash:net6,port,net6.t
@@ -0,0 +1,143 @@
+# Range: Create a set
+0 ipset -N test netportnethash -6
+# Range: Add zero valued element
+1 ipset -A test 2:0:0::1/24,0,0:0:0::0/0
+# Range: Test zero valued element
+1 ipset -T test 2:0:0::1/24,0,0:0:0::0/0
+# Range: Delete zero valued element
+1 ipset -D test 2:0:0::1,0,0:0:0::0/0
+# Range: Add almost zero valued element
+0 ipset -A test 2:0:0::1,0,0:0:0::0/24
+# Range: Test almost zero valued element
+0 ipset -T test 2:0:0::1,0,0:0:0::0/24
+# Range: Delete almost zero valued element
+0 ipset -D test 2:0:0::1,0,0:0:0::0/24
+# Range: Add first random value
+0 ipset -A test 2:0:0::1,5,1:1:1::1/24
+# Range: Add second random value
+0 ipset -A test 2:1:0::0,128,2:2:2::2/12
+# Range: Test first random value
+0 ipset -T test 2:0:0::1,5,1:1:1::2
+# Range: Test second random value
+0 ipset -T test 2:1:0::0,128,2:2:2::0
+# Range: Test value not added to the set
+1 ipset -T test 2:0:0::1,5,2:1:1::255
+# Range: Test value not added to the set
+1 ipset -T test 2:0:0::1,6,1:1:1::1
+# Range: Test value not added to the set
+1 ipset -T test 2:0:0::2,6,1:1:1::1
+# Range: Test value before first random value
+1 ipset -T test 2:0:0::0,5,1:1:1::1
+# Range: Test value after second random value
+1 ipset -T test 2:1:0::1,128,2:2:2::2
+# Range: Try to add value before first random value
+0 ipset -A test 2:0:0::0,5,1:1:1::1/24
+# Range: Try to add value after second random value
+0 ipset -A test 2:1:0::1,128,2:2:2::2/12
+# Range: List set
+0 ipset -L test | grep -v Revision: > .foo0 && ./sort.sh .foo0
+# Range: Check listing
+0 diff -u -I 'Size in memory.*' .foo hash:net6,port,net6.t.list0
+# Range: Flush test set
+0 ipset -F test
+# Range: Delete test set
+0 ipset -X test
+# Create set to add a range
+0 ipset new test hash:net,port,net -6 hashsize 64
+# Add a range which forces a resizing
+0 ipset add test 1::1,tcp:80-1105,2::2/12
+# Check that correct number of elements are added
+0 n=`ipset list test|grep 1::1|wc -l` && test $n -eq 1026
+# Destroy set
+0 ipset -X test
+# Create test set with timeout support
+0 ipset create test hash:net,port,net family inet6 timeout 30
+# Add a non-matching IP address entry
+0 ipset -A test 2:2:2::2,80,1:1:1::1 nomatch
+# Add an overlapping matching small net
+0 ipset -A test 2:2:2::2,80,1:1:1::/124
+# Add an overlapping non-matching larger net
+0 ipset -A test 2:2:2::2,80,1:1:1::/120 nomatch
+# Add an even larger matching net
+0 ipset -A test 2:2:2::2,80,1:1:1::/116
+# Check non-matching IP
+1 ipset -T test 2:2:2::2,80,1:1:1::1
+# Check matching IP from non-matchin small net
+0 ipset -T test 2:2:2::2,80,1:1:1::F
+# Check non-matching IP from larger net
+1 ipset -T test 2:2:2::2,80,1:1:1::10
+# Check matching IP from even larger net
+0 ipset -T test 2:2:2::2,80,1:1:1::100
+# Update non-matching IP to matching one
+0 ipset -! -A test 2:2:2::2,80,1:1:1::1
+# Delete overlapping small net
+0 ipset -D test 2:2:2::2,80,1:1:1::/124
+# Check matching IP
+0 ipset -T test 2:2:2::2,80,1:1:1::1
+# Add overlapping small net
+0 ipset -A test 2:2:2::2,80,1:1:1::/124
+# Update matching IP as a non-matching one, with shorter timeout
+0 ipset -! -A test 2:2:2::2,80,1:1:1::1 nomatch timeout 2
+# Check non-matching IP
+1 ipset -T test 2:2:2::2,80,1:1:1::1
+# Sleep 3s so that element can time out
+0 sleep 3
+# Check non-matching IP
+0 ipset -T test 2:2:2::2,80,1:1:1::1
+# Check matching IP
+0 ipset -T test 2:2:2::2,80,1:1:1::F
+# Delete test set
+0 ipset destroy test
+# Timeout: Check that resizing keeps timeout values
+0 ./resizet.sh -6 netportnet
+# Nomatch: Check that resizing keeps the nomatch flag
+0 ./resizen.sh -6 netportnet
+# Counters: create set
+0 ipset n test hash:net,port,net -6 counters
+# Counters: add element with packet, byte counters
+0 ipset a test 2:0:0::1,80,2002:24:ff::1/64 packets 5 bytes 3456
+# Counters: check element
+0 ipset t test 2:0:0::1,80,2002:24:ff::1/64
+# Counters: check counters
+0 ./check_counters test 2::1 5 3456
+# Counters: delete element
+0 ipset d test 2:0:0::1,80,2002:24:ff::1/64
+# Counters: test deleted element
+1 ipset t test 2:0:0::1,80,2002:24:ff::1/64
+# Counters: add element with packet, byte counters
+0 ipset a test 2:0:0::20,453,2002:ff:24::ab/54 packets 12 bytes 9876
+# Counters: check counters
+0 ./check_counters test 2::20 12 9876
+# Counters: update counters
+0 ipset -! a test 2:0:0::20,453,2002:ff:24::ab/54 packets 13 bytes 12479
+# Counters: check counters
+0 ./check_counters test 2::20 13 12479
+# Counters: destroy set
+0 ipset x test
+# Counters and timeout: create set
+0 ipset n test hash:net,port,net -6 counters timeout 600
+# Counters and timeout: add element with packet, byte counters
+0 ipset a test 2:0:0::1,80,2002:24:ff::1/64 packets 5 bytes 3456
+# Counters and timeout: check element
+0 ipset t test 2:0:0::1,80,2002:24:ff::1/64
+# Counters and timeout: check counters
+0 ./check_extensions test 2::1 600 5 3456
+# Counters and timeout: delete element
+0 ipset d test 2:0:0::1,80,2002:24:ff::1/64
+# Counters and timeout: test deleted element
+1 ipset t test 2:0:0::1,80,2002:24:ff::1/64
+# Counters and timeout: add element with packet, byte counters
+0 ipset a test 2:0:0::20,453,2002:ff:24::ab/54 packets 12 bytes 9876
+# Counters and timeout: check counters
+0 ./check_extensions test 2::20 600 12 9876
+# Counters and timeout: update counters
+0 ipset -! a test 2:0:0::20,453,2002:ff:24::ab/54 packets 13 bytes 12479
+# Counters and timeout: check counters
+0 ./check_extensions test 2::20 600 13 12479
+# Counters and timeout: update timeout
+0 ipset -! a test 2:0:0::20,453,2002:ff:24::ab/54 timeout 700
+# Counters and timeout: check counters
+0 ./check_extensions test 2::20 700 13 12479
+# Counters and timeout: destroy set
+0 ipset x test
+# eof
diff --git a/tests/hash:net6,port,net6.t.list0 b/tests/hash:net6,port,net6.t.list0
new file mode 100644
index 0000000..8a927ec
--- /dev/null
+++ b/tests/hash:net6,port,net6.t.list0
@@ -0,0 +1,10 @@
+Name: test
+Type: hash:net,port,net
+Header: family inet6 hashsize 1024 maxelem 65536
+Size in memory: 18824
+References: 0
+Members:
+2:1::,tcp:128,::/12
+2:1::1,tcp:128,::/12
+2::,tcp:5,1::/24
+2::1,tcp:5,1::/24
diff --git a/tests/resizen.sh b/tests/resizen.sh
index f473b0b..9ceee88 100644
--- a/tests/resizen.sh
+++ b/tests/resizen.sh
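Review bot: The first command, `0 ipset -N test netportnethash -6`, depends on the legacy alias `netportnethash` being registered for the new type, and that registration is not visible in the part of lib/ipset_hash_netportnet.c shown in this commit; every other create in this file and the whole inet file use the canonical `hash:net,port,net`, so if the alias is meant to be covered this is the only line doing it and deserves a comment such as `# Range: Create a set (via the legacy netportnethash alias)`. The counter checks pass `2::1` and `2::20` although the elements were added as `2:0:0::1` and `2:0:0::20`, which works only because the listing prints addresses in compressed form, as hash:net6,port,net6.t.list0 confirms; a one-line comment at the first `./check_counters` call noting this would save the next reader a lookup.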
@@ -34,6 +34,19 @@ case "$2" in
 done
 done
 ;;
+ netportnet)
+ $ipset n test hash:net,port,net $1 hashsize 64
+ for x in `seq 0 16`; do
+ for y in `seq 0 255`; do
+ $ipset a test $ip$x$sep$y,1023,$ip2/$net nomatch
+ done
+ done
+ for x in `seq 0 16`; do
+ for y in `seq 0 255`; do
+ $ipset t test $ip$x$sep$y,1023,$ip2/$net nomatch 2>/dev/null
+ done
+ done
+ ;;
 net)
 $ipset n test hash:net $1 hashsize 64
 for x in `seq 0 16`; do
diff --git a/tests/resizet.sh b/tests/resizet.sh
index ff98d58..c121357 100644
--- a/tests/resizet.sh
+++ b/tests/resizet.sh
@@ -53,6 +53,14 @@ case "$2" in
 done
 done
 ;;
+ netportnet)
+ $ipset n test hash:net,port,net $1 hashsize 64 timeout 100
+ for x in `seq 0 16`; do
+ for y in `seq 0 128`; do
+ $ipset a test $ip$x$sep$y/$net,1023,$ip$y$sep$x/$net
+ done
+ done
+ ;;
 net)
 $ipset n test hash:net $1 hashsize 64 timeout 100
 for x in `seq 0 16`; do
diff --git a/tests/runtest.sh b/tests/runtest.sh
index 64708ac..a82b802 100755
--- a/tests/runtest.sh
+++ b/tests/runtest.sh
@@ -10,6 +10,7 @@ tests="$tests ipporthash hash:ip,port hash:ip6,port"
 tests="$tests ipportiphash hash:ip,port,ip hash:ip6,port,ip6"
 tests="$tests nethash hash:net hash:net6 hash:net,port hash:net6,port"
 tests="$tests hash:ip,port,net hash:ip6,port,net6 hash:net,net hash:net6,net6"
+tests="$tests hash:net,port,net hash:net6,port,net6"
 tests="$tests hash:net,iface.t"
 tests="$tests comment setlist restore"
 # tests="$tests iptree iptreemap"
diff --git a/tests/setlist_resize.sh b/tests/setlist_resize.sh
index ee045f4..bdf762b 100755
--- a/tests/setlist_resize.sh
+++ b/tests/setlist_resize.sh
@@ -7,6 +7,7 @@ loop=8
 for x in ip_set_list_set ip_set_hash_netiface ip_set_hash_ipportnet \
 ip_set_hash_netport ip_set_hash_net ip_set_hash_ipportip \
 ip_set_hash_ipport ip_set_hash_ip ip_set_hash_netnet \
+ ip_set_hash_netportnet \
 ip_set_bitmap_port ip_set_bitmap_ipmac \
 ip_set_bitmap_ip xt_set ip_set; do
 rmmod $x
-- 
cgit v1.2.1
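Review bot: In the new `netportnet)` branch of resizen.sh the second loop runs `$ipset t test $ip$x$sep$y,1023,$ip2/$net nomatch 2>/dev/null` and, within the hunk, neither tests its exit status nor counts failures, so a nomatch flag lost during the resize would go unnoticed unless the script checks for it after the `case` (outside this hunk) or runs under `set -e`. If the existing branches rely on such a trailing check the new one inherits it, but the intent deserves a comment on the loop such as `# every lookup must still report nomatch; a failure is caught by the script's final check`, or an explicit `|| exit 1` on the test line. The `netportnet)` branch added to resizet.sh has the same shape with only adds, so its timeout verification must likewise live outside the hunk. The enclosing `case "$2" in` begins before and ends after both hunks, and `$ip`, `$sep`, `$ip2` and `$net` are set elsewhere in the scripts.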