rpms/ipset
7
0
Fork 0
Code Issues Pull Requests Releases Activity

ipset-7.22-1

Browse Source 
- Turn absolute ipset-translate symlink into a relative one
- Rebase onto 7.22 plus fixes

Resolves: RHEL-34701
This commit is contained in:
Phil Sutter 2024-08-01 18:38:03 +02:00
parent f8b1a19113
commit 36aa439c39
10 changed files with 484 additions and 199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
0001-Fix-typo-in-ipset-translate-man-page.patch
View File

@ -1,31 +0,0 @@
From c74a420471fd693f89e0b0e19f93c88af22fb7de Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
Date: Wed, 29 Sep 2021 09:55:43 +0200
Subject: [PATCH] Fix typo in ipset-translate man page
originally reported in
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/ZIXKNQHSSCQ4ZLEGYYKLAXQ4PQ5EYFGZ/
by Larry Len Rainey
Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/ipset-translate.8 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ipset-translate.8 b/src/ipset-translate.8
index bb4e737e1480..55ce2a99f2cf 100644
--- a/src/ipset-translate.8
+++ b/src/ipset-translate.8
@@ -33,7 +33,7 @@ to \fBnftables(8)\fP.
The only available command is:
.IP \[bu] 2
-ipset-translate restores < file.ipt
+ipset-translate restore < file.ipt
.SH USAGE
The \fBipset-translate\fP tool reads an IP sets file in the syntax produced by
--
2.37.2

23
0001-Replace-BUG_ON-with-WARN_ON_ONCE-according-to-usage-.patch Normal file
View File

@ -0,0 +1,23 @@
From 21080dc79c4e9244149aa78f6a8f7fbb6f4b8e81 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@netfilter.org>
Date: Thu, 6 Jun 2024 08:57:11 +0200
Subject: [PATCH] Replace BUG_ON() with WARN_ON_ONCE() according to usage
policy.
---
kernel/net/netfilter/ipset/ip_set_list_set.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/net/netfilter/ipset/ip_set_list_set.c b/kernel/net/netfilter/ipset/ip_set_list_set.c
index fd78e2db06e4f..0d3e5a7331f26 100644
--- a/kernel/net/netfilter/ipset/ip_set_list_set.c
+++ b/kernel/net/netfilter/ipset/ip_set_list_set.c
@@ -432,7 +432,7 @@ list_set_destroy(struct ip_set *set)
{
struct list_set *map = set->data;
- BUG_ON(!list_empty(&map->members));
+ WARN_ON_ONCE(!list_empty(&map->members));
kfree(map);
set->data = NULL;

28
0001-build-do-install-libipset-args.h.patch
View File

@ -1,28 +0,0 @@
From 39fde1381f0ba9101f65c08f2abda5426a46f8b1 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Mon, 22 Jan 2018 22:50:33 +0100
Subject: [PATCH] build: do install libipset/args.h
libipset/types.h includes args.h, therefore args.h must be installed
too.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
include/libipset/Makefile.am | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/libipset/Makefile.am b/include/libipset/Makefile.am
index 3b47518..79a1357 100644
--- a/include/libipset/Makefile.am
+++ b/include/libipset/Makefile.am
@@ -1,5 +1,6 @@
pkgincludedir = ${includedir}/libipset
pkginclude_HEADERS = \
+ args.h \
data.h \
errcode.h \
linux_ip_set_bitmap.h \
--
2.11.0

91
0002-Fix-IPv6-sets-nftables-translation.patch
View File

@ -1,91 +0,0 @@
From be7f6099feb7b5d34715b06f9308877cdcdc404a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 28 Feb 2022 19:52:57 +0100
Subject: [PATCH] Fix IPv6 sets nftables translation
The parser assumes the set is an IPv4 ipset because IPSET_OPT_FAMILY is
not set.
# ipset-translate restore < ./ipset-mwan3_set_connected_ipv6.dump
add table inet global
add set inet global mwan3_connected_v6 { type ipv6_addr; flags interval; }
flush set inet global mwan3_connected_v6
ipset v7.15: Error in line 4: Syntax error: '64' is out of range 0-32
Remove ipset_xlate_type_get(), call ipset_xlate_set_get() instead to
obtain the set type and family.
Reported-by: Florian Eckert <fe@dev.tdt.de>
Fixes: 325af556cd3a ("add ipset to nftables translation infrastructure")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
lib/ipset.c | 24 ++++++++++--------------
tests/xlate/xlate.t | 2 ++
tests/xlate/xlate.t.nft | 2 ++
3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/lib/ipset.c b/lib/ipset.c
index 73e67db88e0d..50f86aee045b 100644
--- a/lib/ipset.c
+++ b/lib/ipset.c
@@ -949,18 +949,6 @@ ipset_xlate_set_get(struct ipset *ipset, const char *name)
return NULL;
}
-static const struct ipset_type *ipset_xlate_type_get(struct ipset *ipset,
- const char *name)
-{
- const struct ipset_xlate_set *set;
-
- set = ipset_xlate_set_get(ipset, name);
- if (!set)
- return NULL;
-
- return set->type;
-}
-
static int
ipset_parser(struct ipset *ipset, int oargc, char *oargv[])
{
@@ -1282,8 +1270,16 @@ ipset_parser(struct ipset *ipset, int oargc, char *oargv[])
if (!ipset->xlate) {
type = ipset_type_get(session, cmd);
} else {
- type = ipset_xlate_type_get(ipset, arg0);
- ipset_session_data_set(session, IPSET_OPT_TYPE, type);
+ const struct ipset_xlate_set *xlate_set;
+
+ xlate_set = ipset_xlate_set_get(ipset, arg0);
+ if (xlate_set) {
+ ipset_session_data_set(session, IPSET_OPT_TYPE,
+ xlate_set->type);
+ ipset_session_data_set(session, IPSET_OPT_FAMILY,
+ &xlate_set->family);
+ type = xlate_set->type;
+ }
}
if (type == NULL)
return ipset->standard_error(ipset, p);
diff --git a/tests/xlate/xlate.t b/tests/xlate/xlate.t
index b1e7d288e2a9..f09cb202bb6c 100644
--- a/tests/xlate/xlate.t
+++ b/tests/xlate/xlate.t
@@ -53,3 +53,5 @@ create bp1 bitmap:port range 1-1024
add bp1 22
create bim1 bitmap:ip,mac range 1.1.1.0/24
add bim1 1.1.1.1,aa:bb:cc:dd:ee:ff
+create hn6 hash:net family inet6
+add hn6 fe80::/64
diff --git a/tests/xlate/xlate.t.nft b/tests/xlate/xlate.t.nft
index 96eba3b0175e..0152a3081125 100644
--- a/tests/xlate/xlate.t.nft
+++ b/tests/xlate/xlate.t.nft
@@ -54,3 +54,5 @@ add set inet global bp1 { type inet_service; }
add element inet global bp1 { 22 }
add set inet global bim1 { type ipv4_addr . ether_addr; }
add element inet global bim1 { 1.1.1.1 . aa:bb:cc:dd:ee:ff }
+add set inet global hn6 { type ipv6_addr; flags interval; }
+add element inet global hn6 { fe80::/64 }
--
2.37.2

54
0002-lib-data-Fix-for-global-buffer-overflow-warning-by-A.patch Normal file
View File

@ -0,0 +1,54 @@
From f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 27 Jun 2024 10:18:16 +0200
Subject: [PATCH] lib: data: Fix for global-buffer-overflow warning by ASAN
After compiling with CFLAGS="-fsanitize=address -g", running the
testsuite triggers the following warning:
| ipmap: Range: Check syntax error: missing range/from-to: FAILED
| Failed test: ../src/ipset 2>.foo.err -N test ipmap
| =================================================================
| ==4204==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a21e77172a at pc 0x7f1ef246f2a6 bp 0x7fffed8f4f40 sp 0x7fffed8f46e8
| READ of size 32 at 0x55a21e77172a thread T0
| #0 0x7f1ef246f2a5 in __interceptor_memcpy /var/tmp/portage/sys-devel/gcc-13.2.1_p20231014/work/gcc-13-20231014/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899
| #1 0x55a21e758bf6 in ipset_strlcpy /home/n0-1/git/ipset/lib/data.c:119
| #2 0x55a21e758bf6 in ipset_data_set /home/n0-1/git/ipset/lib/data.c:349
| #3 0x55a21e75ee2f in ipset_parse_typename /home/n0-1/git/ipset/lib/parse.c:1819
| #4 0x55a21e754119 in ipset_parser /home/n0-1/git/ipset/lib/ipset.c:1205
| #5 0x55a21e752cef in ipset_parse_argv /home/n0-1/git/ipset/lib/ipset.c:1344
| #6 0x55a21e74ea45 in main /home/n0-1/git/ipset/src/ipset.c:38
| #7 0x7f1ef224cf09 (/lib64/libc.so.6+0x23f09)
| #8 0x7f1ef224cfc4 in __libc_start_main (/lib64/libc.so.6+0x23fc4)
| #9 0x55a21e74f040 in _start (/home/n0-1/git/ipset/src/ipset+0x1d040)
|
| 0x55a21e77172a is located 54 bytes before global variable '*.LC1' defined in 'ipset_bitmap_ip.c' (0x55a21e771760) of size 19
| '*.LC1' is ascii string 'IP|IP/CIDR|FROM-TO'
| 0x55a21e77172a is located 0 bytes after global variable '*.LC0' defined in 'ipset_bitmap_ip.c' (0x55a21e771720) of size 10
| '*.LC0' is ascii string 'bitmap:ip'
Fix this by avoiding 'src' array overstep in ipset_strlcpy(): In
contrast to strncpy(), memcpy() does not respect NUL-chars in input but
stubbornly reads as many bytes as specified.
Fixes: a7432ba786ca4 ("Workaround misleading -Wstringop-truncation warning")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---
lib/data.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/data.c b/lib/data.c
index c05b20144cdad..64cad7a377302 100644
--- a/lib/data.c
+++ b/lib/data.c
@@ -111,6 +111,9 @@ ipset_strlcpy(char *dst, const char *src, size_t len)
assert(dst);
assert(src);
+ if (strlen(src) < len)
+ len = strlen(src) + 1;
+
memcpy(dst, src, len);
dst[len - 1] = '\0';
}

46
0003-ipset-translate-allow-invoking-with-a-path-name.patch
View File

@ -1,46 +0,0 @@
From e1b60b2a93356c313cccb2abfdae4b58d530e02b Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Thu, 11 Aug 2022 17:52:18 +0100
Subject: [PATCH] ipset-translate: allow invoking with a path name
Executing /usr/sbin/ipset-translate results in the ipset functionality being run, rather than the ipset-translate functionality.
# ipset-translate destroy fred
This command is not supported, use `ipset-translate restore < file'
# /usr/sbin/ipset-translate destroy fred
ipset v7.15: The set with the given name does not exist
use basename() to resolve the issue.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1626
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/ipset.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/ipset.c b/src/ipset.c
index 6d42b60d2fe9..162f477d49cd 100644
--- a/src/ipset.c
+++ b/src/ipset.c
@@ -6,6 +6,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
+#define _GNU_SOURCE
#include <assert.h> /* assert */
#include <stdio.h> /* fprintf */
#include <stdlib.h> /* exit */
@@ -31,7 +32,7 @@ main(int argc, char *argv[])
exit(1);
}
- if (!strcmp(argv[0], "ipset-translate")) {
+ if (!strcmp(basename(argv[0]), "ipset-translate")) {
ret = ipset_xlate_argv(ipset, argc, argv);
} else {
ret = ipset_parse_argv(ipset, argc, argv);
--
2.37.2

38
0003-lib-ipset-Avoid-argv-array-overstepping.patch Normal file
View File

@ -0,0 +1,38 @@
From 851cb04ffee5040f1e0063f77c3fe9bc6245e0fb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 27 Jun 2024 10:18:17 +0200
Subject: [PATCH] lib: ipset: Avoid 'argv' array overstepping
The maximum accepted value for 'argc' is MAX_ARGS which matches 'argv'
array size. The maximum allowed array index is therefore argc-1.
This fix will leave items in argv non-NULL-terminated, so explicitly
NULL the formerly last entry after shifting.
Looks like a day-1 bug. Interestingly, this neither triggered ASAN nor
valgrind. Yet adding debug output printing argv entries being copied
did.
Fixes: 1e6e8bd9a62aa ("Third stage to ipset-5")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---
lib/ipset.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/ipset.c b/lib/ipset.c
index c910d88805c28..3bf1c5fcdbc59 100644
--- a/lib/ipset.c
+++ b/lib/ipset.c
@@ -343,9 +343,9 @@ ipset_shift_argv(int *argc, char *argv[], int from)
assert(*argc >= from + 1);
- for (i = from + 1; i <= *argc; i++)
+ for (i = from + 1; i < *argc; i++)
argv[i-1] = argv[i];
- (*argc)--;
+ argv[--(*argc)] = NULL;
return;
}

354
0004-tests-Reduce-testsuite-run-time.patch Normal file
View File

@ -0,0 +1,354 @@
From 5c9ef9016d2781f6e07a544e34ec9f4a8d65d0e2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 27 Jun 2024 10:18:18 +0200
Subject: [PATCH] tests: Reduce testsuite run-time
Where acceptable, batch add set element calls to avoid overhead of
excessive 'ipset' program spawns. On my (slow) testing VM, this patch
reduces a full run of tests/runtest.sh from ~70min down to ~11min.
This might eliminate the situation being tested: resize.sh might be such
a case so batch only 255 'ipset add' calls and continue to repeat these
batched calls 32 times in hopes that it still qualifies as the resizing
stress test tests/hash:ip.t calls it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---
tests/resize.sh | 4 ++--
tests/resizec.sh | 32 +++++++++++++--------------
tests/resizen.sh | 49 ++++++++++++++++++++---------------------
tests/resizet.sh | 40 ++++++++++++++++-----------------
tests/setlist_resize.sh | 4 ++--
5 files changed, 64 insertions(+), 65 deletions(-)
diff --git a/tests/resize.sh b/tests/resize.sh
index 19b93fb01876c..9069b4970e92d 100755
--- a/tests/resize.sh
+++ b/tests/resize.sh
@@ -9,6 +9,6 @@ set -e
$ipset n resize-test hash:ip hashsize 64
for x in `seq 1 32`; do
for y in `seq 1 255`; do
- $ipset a resize-test 192.168.$x.$y
- done
+ echo "a resize-test 192.168.$x.$y"
+ done | $ipset restore
done
diff --git a/tests/resizec.sh b/tests/resizec.sh
index 28d674769f76f..781acf74c38dd 100755
--- a/tests/resizec.sh
+++ b/tests/resizec.sh
@@ -25,65 +25,65 @@ case "$2" in
$ipset n test hash:ip $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y comment "text $ip$x$sep$y"
+ echo "a test $ip$x$sep$y comment \"text $ip$x$sep$y\""
done
- done
+ done | $ipset restore
;;
ipport)
$ipset n test hash:ip,port $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023 "text $ip$x$sep$y,1023"
+ echo "a test $ip$x$sep$y,1023 \"text $ip$x$sep$y,1023\""
done
- done
+ done | $ipset restore
;;
ipportip)
$ipset n test hash:ip,port,ip $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023,$ip2 comment "text $ip$x$sep$y,1023,$ip2"
+ echo "a test $ip$x$sep$y,1023,$ip2 comment \"text $ip$x$sep$y,1023,$ip2\""
done
- done
+ done | $ipset restore
;;
ipportnet)
$ipset n test hash:ip,port,net $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023,$ip2/$net comment "text $ip$x$sep$y,1023,$ip2/$net"
+ echo "a test $ip$x$sep$y,1023,$ip2/$net comment \"text $ip$x$sep$y,1023,$ip2/$net\""
done
- done
+ done | $ipset restore
;;
net)
$ipset n test hash:net $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net comment "text $ip$x$sep$y/$net"
+ echo "a test $ip$x$sep$y/$net comment \"text $ip$x$sep$y/$net\""
done
- done
+ done | $ipset restore
;;
netnet)
$ipset n test hash:net,net $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,$ip$y$sep$x/$net comment "text $ip$x$sep$y/$net,$ip$y$sep$x/$net"
+ echo "a test $ip$x$sep$y/$net,$ip$y$sep$x/$net comment \"text $ip$x$sep$y/$net,$ip$y$sep$x/$net\""
done
- done
+ done | $ipset restore
;;
netport)
$ipset n test hash:net,port $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,1023 comment "text $ip$x$sep$y/$net,1023"
+ echo "a test $ip$x$sep$y/$net,1023 comment \"text $ip$x$sep$y/$net,1023\""
done
- done
+ done | $ipset restore
;;
netiface)
$ipset n test hash:net,iface $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,eth0 comment "text $ip$x$sep$y/$net,eth0"
+ echo "$ipset a test $ip$x$sep$y/$net,eth0 comment \"text $ip$x$sep$y/$net,eth0\""
done
- done
+ done | $ipset restore
;;
esac
$ipset l test | grep ^$ip | while read x y z; do
diff --git a/tests/resizen.sh b/tests/resizen.sh
index 9322bd2a2cfce..13221f7b0894a 100755
--- a/tests/resizen.sh
+++ b/tests/resizen.sh
@@ -25,80 +25,79 @@ case "$2" in
$ipset n test hash:ip,port,net $1 hashsize 64
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023,$ip2/$net nomatch
+ echo "a test $ip$x$sep$y,1023,$ip2/$net nomatch"
done
- done
+ done | $ipset restore
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset t test $ip$x$sep$y,1023,$ip2/$net nomatch 2>/dev/null
+ echo "t test $ip$x$sep$y,1023,$ip2/$net nomatch"
done
- done
+ done | $ipset restore 2>/dev/null
;;
netportnet)
$ipset n test hash:net,port,net $1 hashsize 64
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023,$ip2/$net nomatch
+ echo "a test $ip$x$sep$y,1023,$ip2/$net nomatch"
done
- done
+ done | $ipset restore
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset t test $ip$x$sep$y,1023,$ip2/$net nomatch 2>/dev/null
+ echo "t test $ip$x$sep$y,1023,$ip2/$net nomatch"
done
- done
+ done | $ipset restore 2>/dev/null
;;
net)
$ipset n test hash:net $1 hashsize 64
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net nomatch
+ echo "a test $ip$x$sep$y/$net nomatch"
done
- done
+ done | $ipset restore
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset t test $ip$x$sep$y/$net nomatch 2>/dev/null
+ echo "t test $ip$x$sep$y/$net nomatch"
done
- done
+ done | $ipset restore 2>/dev/null
;;
netnet)
$ipset n test hash:net,net $1 hashsize 64
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,$ip$y$sep$x/$net nomatch
+ echo "a test $ip$x$sep$y/$net,$ip$y$sep$x/$net nomatch"
done
- done
+ done | $ipset restore
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset t test $ip$x$sep$y/$net,$ip$y$sep$x/$net nomatch \
- 2>/dev/null
+ echo "t test $ip$x$sep$y/$net,$ip$y$sep$x/$net nomatch"
done
- done
+ done | $ipset restore 2>/dev/null
;;
netport)
$ipset n test hash:net,port $1 hashsize 64
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,1023 nomatch
+ echo "a test $ip$x$sep$y/$net,1023 nomatch"
done
- done
+ done | $ipset restore
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset t test $ip$x$sep$y/$net,1023 nomatch 2>/dev/null
+ echo "t test $ip$x$sep$y/$net,1023 nomatch"
done
- done
+ done | $ipset restore 2>/dev/null
;;
netiface)
$ipset n test hash:net,iface $1 hashsize 64
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,eth0 nomatch
+ echo "a test $ip$x$sep$y/$net,eth0 nomatch"
done
- done
+ done | $ipset restore
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset t test $ip$x$sep$y/$net,eth0 nomatch 2>/dev/null
+ echo "t test $ip$x$sep$y/$net,eth0 nomatch"
done
- done
+ done | $ipset restore 2>/dev/null
;;
esac
$ipset x
diff --git a/tests/resizet.sh b/tests/resizet.sh
index eed4abf2bd86e..e8fdd732435ab 100755
--- a/tests/resizet.sh
+++ b/tests/resizet.sh
@@ -25,81 +25,81 @@ case "$2" in
$ipset n test hash:ip $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y
+ echo "a test $ip$x$sep$y"
done
- done
+ done | $ipset restore
;;
ipmark)
$ipset n test hash:ip,mark $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023
+ echo "a test $ip$x$sep$y,1023"
done
- done
+ done | $ipset restore
;;
ipport)
$ipset n test hash:ip,port $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023
+ echo "a test $ip$x$sep$y,1023"
done
- done
+ done | $ipset restore
;;
ipportip)
$ipset n test hash:ip,port,ip $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023,$ip2
+ echo "a test $ip$x$sep$y,1023,$ip2"
done
- done
+ done | $ipset restore
;;
ipportnet)
$ipset n test hash:ip,port,net $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023,$ip2/$net
+ echo "a test $ip$x$sep$y,1023,$ip2/$net"
done
- done
+ done | $ipset restore
;;
netportnet)
$ipset n test hash:net,port,net $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 128`; do
- $ipset a test $ip$x$sep$y/$net,1023,$ip$y$sep$x/$net
+ echo "a test $ip$x$sep$y/$net,1023,$ip$y$sep$x/$net"
done
- done
+ done | $ipset restore
;;
net)
$ipset n test hash:net $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net
+ echo "a test $ip$x$sep$y/$net"
done
- done
+ done | $ipset restore
;;
netnet)
$ipset n test hash:net,net $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,$ip$y$sep$x/$net
+ echo "a test $ip$x$sep$y/$net,$ip$y$sep$x/$net"
done
- done
+ done | $ipset restore
;;
netport)
$ipset n test hash:net,port $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,1023
+ echo "a test $ip$x$sep$y/$net,1023"
done
- done
+ done | $ipset restore
;;
netiface)
$ipset n test hash:net,iface $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,eth0
+ echo "a test $ip$x$sep$y/$net,eth0"
done
- done
+ done | $ipset restore
;;
esac
$ipset l test | grep ^$ip | while read x y z; do
diff --git a/tests/setlist_resize.sh b/tests/setlist_resize.sh
index 1c2be327b841a..acb33e3ba0f08 100755
--- a/tests/setlist_resize.sh
+++ b/tests/setlist_resize.sh
@@ -25,9 +25,9 @@ rmmod ip_set >/dev/null 2>&1
create() {
n=$1
while [ $n -le 1024 ]; do
- $ipset c test$n hash:ip
+ echo "c test$n hash:ip"
n=$((n+2))
- done
+ done | $ipset restore
}
for x in `seq 1 $loop`; do

16
ipset.spec
View File

@ -1,6 +1,6 @@
Name: ipset Name: ipset
Version: 7.21 Version: 7.22
Release: 2%{?dist} Release: 1%{?dist}
Summary: Manage Linux IP sets Summary: Manage Linux IP sets
License: GPL-2.0-only License: GPL-2.0-only
@ -10,6 +10,11 @@ Source1: %{name}.service
Source2: %{name}.start-stop Source2: %{name}.start-stop
Source3: %{name}-config Source3: %{name}-config
Patch001: 0001-Replace-BUG_ON-with-WARN_ON_ONCE-according-to-usage-.patch
Patch002: 0002-lib-data-Fix-for-global-buffer-overflow-warning-by-A.patch
Patch003: 0003-lib-ipset-Avoid-argv-array-overstepping.patch
Patch004: 0004-tests-Reduce-testsuite-run-time.patch
BuildRequires: libmnl-devel BuildRequires: libmnl-devel
BuildRequires: automake BuildRequires: automake
BuildRequires: autoconf BuildRequires: autoconf
@ -108,6 +113,9 @@ install -c -m 600 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/%{name}-config
# Create directory for configuration # Create directory for configuration
mkdir -p %{buildroot}%{_sysconfdir}/%{name} mkdir -p %{buildroot}%{_sysconfdir}/%{name}
# Turn absolute symlink into a relative one
ln -sf %{name} %{buildroot}/%{_sbindir}/%{name}-translate
%preun %preun
if [[ $1 -eq 0 && -n $(lsmod | grep "^xt_set ") ]]; then if [[ $1 -eq 0 && -n $(lsmod | grep "^xt_set ") ]]; then
@ -171,6 +179,10 @@ fi
%changelog %changelog
* Thu Aug 01 2024 Phil Sutter <psutter@redhat.com> - 7.22-1
- Turn absolute ipset-translate symlink into a relative one
- Rebase onto 7.22 plus fixes
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 7.21-2 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 7.21-2
- Bump release for June 2024 mass rebuild - Bump release for June 2024 mass rebuild

2
sources
View File

@ -1 +1 @@
SHA512 (ipset-7.21.tar.bz2) = 175c6516c2091c57738a0324678d8d016e4d7f18fa03cb0dcc502391cac4caf4db1e757f61ad2fe312c1dbe431ec9cfabbc8e15a64a94ebd2fa903155b27c88f SHA512 (ipset-7.22.tar.bz2) = e375a9110eb7974480147c57eb2cff4bdd03c7704cdae006a3d254cc80fada587aa8aee25a86f7cab29db83f5e283c5f9a47a314297317660ebba5097f623d79