- Update from version 7.17 to 7.19
- Update of nrootfile not required
- Changelog
7.19
- build: Fix the double-prefix in pkgconfig (Sam James)
7.18
- Add json output to list command (Thomas Oberhammer)
- tests: hash:ip,port.t: Replace VRRP by GRE protocol (Phil Sutter)
- tests: hash:ip,port.t: 'vrrp' is printed as 'carp' (Phil Sutter)
- tests: cidr.sh: Add ipcalc fallback (Phil Sutter)
- tests: xlate: Make test input valid (Phil Sutter)
- tests: xlate: Test built binary by default (Phil Sutter)
- xlate: Drop dead code (Phil Sutter)
- xlate: Fix for fd leak in error path (Phil Sutter)
- configure.ac: fix bashisms (Sam James)
- lib/Makefile.am: fix pkgconfig dir (Sam James)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 7.15 to 7.17
- Update of rootfile
- Changelog
7.17
- Tests: When verifying comments/timeouts, make sure entries don't expire
- Tests: Make sure the internal batches add the correct number of elements
- Tests: Verify that hash:net,port,net type can handle 0/0 properly
- Makefile: Create LZMA-compressed dist-files (Phil Sutter)
7.16
- Add new ipset_parse_bitmask() function to the library interface
- test: Make sure no more than 64 clashing elements can be added
to hash:net,iface sets
- netfilter: ipset: add tests for the new bitmask feature (Vishwanath Pai)
- netfilter: ipset: Update the man page to include netmask/bitmask options
(Vishwanath Pai)
- netfilter: ipset: Add bitmask support to hash:netnet (Vishwanath Pai)
- netfilter: ipset: Add bitmask support to hash:ipport (Vishwanath Pai)
- netfilter: ipset: Add bitmask support to hash:ip (Vishwanath Pai)
- netfilter: ipset: Add support for new bitmask parameter (Vishwanath Pai)
- ipset-translate: allow invoking with a path name (Quentin Armitage)
- Fix IPv6 sets nftables translation (Pablo Neira Ayuso)
- Fix typo in ipset-translate man page (Bernhard M. Wiedemann)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 7.11 to 7.15
- Update of rootfile
- Changelog
7.15
Kernel part changes
netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt()
7.14
Userspace changes
Add missing function to libipset.map and bump library version
Kernel part changes
64bit division isn't allowed on 32bit, replace it with shift
7.13
Userspace changes
When parsing protocols by number, do not check it in /etc/protocols.
Add missing hunk to patch "Allow specifying protocols by number"
Kernel part changes
Limit the maximal range of consecutive elements to add/delete fix
7.12
Userspace changes
Allow specifying protocols by number
Fix example in ipset.8 manpage
tests: add tests ipset to nftables
add ipset to nftables translation infrastructur
lib: Detach restore routine from parser
lib: split parser from command execution
Fix patch "Parse port before trying by service name"
Kernel part changes
Limit the maximal range of consecutive elements to add/delete
Backport "netfilter: use nfnetlink_unicast()"
Backport "netfilter: nfnetlink: consolidate callback type"
Backport "netfilter: nfnetlink: add struct nfnl_info and pass it to
callbacks"
Backport "netfilter: add helper function to set up the nfnetlink header
and use it"
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
- Update ipset from 7.10 to 7.11
- No update to rootfile
- Changelog
- Parse port before trying by service name (Haw Loeung)
- Silence unused-but-set-variable warnings (reported by
Serhey Popovych)
- Handle -Werror=implicit-fallthrough= in debug mode compiling
- ipset: fix print format warning (Neutron Soutmun)
- Updated utilities
- Argument parsing buffer overflow in ipset_parse_argv fixed
(reported by Marshall Whittaker)
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update ipset from 7.6 to 7.10
- Changelog
7.10
Kernel part changes
Fix patch "Handle false warning from -Wstringop-overflow"
Backward compatibility: handle renaming nla_strlcpy to nla_strscpy
treewide: rename nla_strlcpy to nla_strscpy. (Francis Laniel)
netfilter: ipset: fix shift-out-of-bounds in htable_bits() (Vasily Averin)
netfilter: ipset: fixes possible oops in mtype_resize (Vasily Averin)
Handle false warning from -Wstringop-overflow
Backward compatibility: handle missing strscpy with a wrapper of strlcpy.
Move compiler specific compatibility support to separated file (broken compatibility support reported by Ed W)
7.9
Userspace changes
Fix library versioning (Jan Engelhardt)
7.8
Kernel part changes
Complete backward compatibility fix for package copy of <linux/jhash.h>
Compatibility: check for kvzalloc() and GFP_KERNEL_ACCOUNT
netfilter: ipset: enable memory accounting for ipset allocations (Vasily Averin)
netfilter: ipset: prevent uninit-value in hash_ip6_add (Eric Dumazet)
Compatibility: use skb_policy() from if_vlan.h if available
Compatibility: Check for the fourth arg of list_for_each_entry_rcu()
Backward compatibility fix for the package copy of <linux/jhash.h>
7.7
Userspace changes
Expose the initval hash parameter to userspace
Handle all variable header parts in helper scripts instead ot test tasks
Add bucketsize parameter to all hash types
Support the -exist flag with the destroy command
Kernel part changes
Expose the initval hash parameter to userspace
Add bucketsize parameter to all hash types
Use fallthrough pseudo-keyword in the package copy of too
Support the -exist flag with the destroy command
netfilter: Use fallthrough pseudo-keyword (Gustavo A. R. Silva)
netfilter: Replace zero-length array with flexible-array member (Gustavo A. R. Silva)
netfilter: ipset: call ip_set_free() instead of kfree() (Eric Dumazet)
netfiler: ipset: fix unaligned atomic access (Russell King)
netfilter: ipset: Fix subcounter update skip (Phil Sutter)
ipset: Update byte and packet counters regardless of whether they match (Stefano Brivio)
netfilter: ipset: Pass lockdep expression to RCU lists (Amol Grover)
ip_set: Fix compatibility with kernels between v3.3 and v4.5 (Serhey Popovych)
ip_set: Fix build on kernels without INIT_DEFERRABLE_WORK (Serhey Popovych)
ipset: Support kernels with at least system_wq support
ip_set: Fix build on kernels without system_power_efficient_wq (Serhey Popovych)
- Rootfiles updated
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The reason why this comes up is that we currently don't build
a kernel for aarch64 and therefore building ipset fails.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
