[ANNOUNCE] ipset 7.8 released

[ANNOUNCE] ipset 7.8 released

[Jozsef Kadlecsik]

Hi,

I'm happy to announce ipset 7.8 which includes a couple of fixes, 
compatibility fixes. Small improvements like the new flags of the hash:* 
types make possible to optimize sets for speed or memory and to restore 
exactly the same set (from internal structure point of view) as the saved 
one.

Kernel part changes:
  - Complete backward compatibility fix for package copy of 
    <linux/jhash.h>
  - Compatibility: check for kvzalloc() and GFP_KERNEL_ACCOUNT
  - netfilter: ipset: enable memory accounting for ipset allocations
    (Vasily Averin)
  - netfilter: ipset: prevent uninit-value in hash_ip6_add (Eric Dumazet)
  - Compatibility: use skb_policy() from if_vlan.h if available
  - Compatibility: Check for the fourth arg of list_for_each_entry_rcu()
  - Backward compatibility fix for the package copy of <linux/jhash.h>

ipset 7.7 was released without announcement, so the changelogs are listed 
here for the sake of completeness:

Userspace changes:
  - Expose the initval hash parameter to userspace
  - Handle all variable header parts in helper scripts instead ot test 
    tasks
  - Add bucketsize parameter to all hash types
  - Support the -exist flag with the destroy command

Kernel part changes:
  - Expose the initval hash parameter to userspace
  - Add bucketsize parameter to all hash types
  - Use fallthrough pseudo-keyword in the package copy of <linux/jhash.h> 
    too
  - Support the -exist flag with the destroy command
  - netfilter: Use fallthrough pseudo-keyword (Gustavo A. R. Silva)
  - netfilter: Replace zero-length array with flexible-array member
    (Gustavo A. R. Silva)
  - netfilter: ipset: call ip_set_free() instead of kfree() (Eric Dumazet)
  - netfiler: ipset: fix unaligned atomic access (Russell King)
  - netfilter: ipset: Fix subcounter update skip (Phil Sutter)
  - ipset: Update byte and packet counters regardless of whether they 
    match (Stefano Brivio)
  - netfilter: ipset: Pass lockdep expression to RCU lists (Amol Grover)
  - ip_set: Fix compatibility with kernels between v3.3 and v4.5
    (Serhey Popovych)
  - ip_set: Fix build on kernels without INIT_DEFERRABLE_WORK
    (Serhey Popovych)
  - ipset: Support kernels with at least system_wq support
  - ip_set: Fix build on kernels without system_power_efficient_wq
    (Serhey Popovych)

You can download the source code of ipset from:
        http://ipset.netfilter.org
        ftp://ftp.netfilter.org/pub/ipset/
        git://git.netfilter.org/ipset.git

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [ANNOUNCE] ipset 7.8 released

[Jan Engelhardt]

On Thursday 2020-11-19 21:48, Jozsef Kadlecsik wrote:
>
>I'm happy to announce ipset 7.8 which includes a couple of fixes, 
>compatibility fixes. Small improvements like the new flags of the hash:* 
>types make possible to optimize sets for speed or memory and to restore 
>exactly the same set (from internal structure point of view) as the saved 
>one.

LIBVERSION changed from 14:0:1 (ipset 7.6) to 14:1:2,
producing libipset.so.13 (7.6) and now libipset.so.12

That seems incorrect! It should have been
- 14:0:1 (no changes)
- 15:0:2 (compatible changes)
- 15:0:0 (incompatible changes)

Re: [ANNOUNCE] ipset 7.8 released

[Jozsef Kadlecsik]

Hi Jan,

On Thu, 19 Nov 2020, Jan Engelhardt wrote:

> LIBVERSION changed from 14:0:1 (ipset 7.6) to 14:1:2,
> producing libipset.so.13 (7.6) and now libipset.so.12
> 
> That seems incorrect! It should have been
> - 14:0:1 (no changes)
> - 15:0:2 (compatible changes)
> - 15:0:0 (incompatible changes)

Oh, my. It should be 15:0:2 (compatible changes). I dunno how many times I 
can mix it up, this numbering scheme is simply alien to my brain wiring.

I released 7.9. Thanks for the quick feedback!

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [ANNOUNCE] ipset 7.8 released

[Jan Engelhardt]

On Thursday 2020-11-19 22:46, Jozsef Kadlecsik wrote:

>Hi Jan,
>
>On Thu, 19 Nov 2020, Jan Engelhardt wrote:
>
>> LIBVERSION changed from 14:0:1 (ipset 7.6) to 14:1:2,
>> producing libipset.so.13 (7.6) and now libipset.so.12
>> 
>> That seems incorrect! It should have been
>> - 14:0:1 (no changes)
>> - 15:0:2 (compatible changes)
>> - 15:0:0 (incompatible changes)
>
>Oh, my. It should be 15:0:2 (compatible changes). I dunno how many times I 
>can mix it up, this numbering scheme is simply alien to my brain wiring.

If in doubt, always use :0:0 --- and make a mental note of exactly the 
:0:0 requirement in Make_global.am. :-)

Distros can always rebuild transitively. They have to do that anyway for 
things like /usr/lib64/libbfd-2.35.0.20200915-1.so (with a date, it 
could change daily anyway). But recovering from a backjumping lib...

Re: [ANNOUNCE] ipset 7.8 released

[Neutron Soutmun]

Hi,

For the ipset 7.9, I found the released download url is
http://ipset.netfilter.org/ipset-7.9.tar.bz2,
however, it's previous releases are in http://ftp.netfilter.org/pub/ipset/

The Debian has the tool to detect the new release with package watch [1] file.
Could you please consider uploading the new release to the
fpt.netfiler.org/pub/ipset also.

Best regards,
Neutron Soutmun

---
[1] https://salsa.debian.org/pkg-netfilter-team/pkg-ipset/-/blob/debian/master/debian/watch

On Fri, Nov 20, 2020 at 5:09 AM Jan Engelhardt <jengelh@inai.de> wrote:
>
> On Thursday 2020-11-19 22:46, Jozsef Kadlecsik wrote:
>
> >Hi Jan,
> >
> >On Thu, 19 Nov 2020, Jan Engelhardt wrote:
> >
> >> LIBVERSION changed from 14:0:1 (ipset 7.6) to 14:1:2,
> >> producing libipset.so.13 (7.6) and now libipset.so.12
> >>
> >> That seems incorrect! It should have been
> >> - 14:0:1 (no changes)
> >> - 15:0:2 (compatible changes)
> >> - 15:0:0 (incompatible changes)
> >
> >Oh, my. It should be 15:0:2 (compatible changes). I dunno how many times I
> >can mix it up, this numbering scheme is simply alien to my brain wiring.
>
> If in doubt, always use :0:0 --- and make a mental note of exactly the
> :0:0 requirement in Make_global.am. :-)
>
> Distros can always rebuild transitively. They have to do that anyway for
> things like /usr/lib64/libbfd-2.35.0.20200915-1.so (with a date, it
> could change daily anyway). But recovering from a backjumping lib...

Re: [ANNOUNCE] ipset 7.8 released

[Jozsef Kadlecsik]

Hi,

On Fri, 20 Nov 2020, Neutron Soutmun wrote:

> For the ipset 7.9, I found the released download url is 
> http://ipset.netfilter.org/ipset-7.9.tar.bz2, however, it's previous 
> releases are in http://ftp.netfilter.org/pub/ipset/
> 
> The Debian has the tool to detect the new release with package watch [1] 
> file. Could you please consider uploading the new release to the 
> fpt.netfiler.org/pub/ipset also.

It has been fixed. Please note, I switched from md5 to sha512 at 
generating the checksum file, so the filename is changed accordingly to 
<packagename>.sha512sum.txt.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [ANNOUNCE] ipset 7.8 released

[Neutron Soutmun]

Hi,

On Fri, Nov 20, 2020 at 3:07 PM Jozsef Kadlecsik <kadlec@netfilter.org> wrote:
>
> Hi,
>
> On Fri, 20 Nov 2020, Neutron Soutmun wrote:
>
> > For the ipset 7.9, I found the released download url is
> > http://ipset.netfilter.org/ipset-7.9.tar.bz2, however, it's previous
> > releases are in http://ftp.netfilter.org/pub/ipset/
> >
> > The Debian has the tool to detect the new release with package watch [1]
> > file. Could you please consider uploading the new release to the
> > fpt.netfiler.org/pub/ipset also.
>
> It has been fixed. Please note, I switched from md5 to sha512 at
> generating the checksum file, so the filename is changed accordingly to
> <packagename>.sha512sum.txt.

Noted and thanks a lot.

Best regards,
Neutron Soutmun

Re: [ANNOUNCE] ipset 7.8 released

[Ed W]

Hi, I'm having some difficulty compiling ipset 7.9 in kernel 4.14.78 as provided by Variscite for an
arm board


I've trimmed the build log and errors, but it seems to revolve around:

Pre kernel 4.18 the header

    ./include/linux/ipc.h

would include

    ./include/linux/rhashtable.h

(later it includes rhashtable-types.h)

This in turn draws in the jhash.c copy, which in turn includes ip_set_compat.h, which then causes
some errors due to drawing in things where we haven't yet finished reading all the header files

I'm not sure how to work around the compile fail in ipset-7.9? I agree I can't rule it out to be a
problem due to the vendor kernel, but the include tree seems to point clearly to the issue above in
ipc.h



Note: ipset7.7 gives me errors about    

    error: 'fallthrough' undeclared

Which seems fair enough given the age of my kernel. I could probably fix this


ipset 7.6 compiles ok for me.


Any guidance please?

Thanks

Ed W



make[1]: Entering directory '/var/embedded/src/linux-kernel'
  CC [M]  /var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/xt_set.o
  CC [M]  /var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/sched/em_ipset.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_core.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_getport.o
  CC [M]  /var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/pfxlen.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_bitmap_ip.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_bitmap_ipmac.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_bitmap_port.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_hash_ip.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_hash_ipport.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_hash_ipportip.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_hash_ipportnet.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_hash_ipmac.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_hash_ipmark.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_hash_net.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_hash_netport.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_hash_netiface.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_hash_netnet.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_hash_netportnet.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_hash_mac.o
  CC [M] 
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ipset/ip_set_list_set.o
In file included from ./include/linux/netlink.h:9,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/include/linux/netfilter/ipset/ip_set_compat.h:95,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/include/linux/jhash.h:3,
                 from ./include/linux/rhashtable.h:24,
                 from ./include/linux/ipc.h:7,
                 from ./include/uapi/linux/sem.h:5,
                 from ./include/linux/sem.h:9,
                 from ./include/linux/sched.h:15,
                 from ./include/linux/uaccess.h:5,
                 from ./include/net/checksum.h:25,
                 from ./include/linux/skbuff.h:31,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/sched/em_ipset.c:16:
./include/net/scm.h: In function 'scm_send':
./include/net/scm.h:84:21: error: implicit declaration of function 'task_tgid'; did you mean
'task_uid'? [-Werror=implicit-function-declaration]
   84 |   scm_set_cred(scm, task_tgid(current), current_uid(), current_gid());
      |                     ^~~~~~~~~
      |                     task_uid
In file included from ./include/linux/srcu.h:33,
                 from ./include/linux/notifier.h:16,
                 from ./include/linux/memory_hotplug.h:7,
                 from ./include/linux/mmzone.h:782,
                 from ./include/linux/gfp.h:6,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/sched/em_ipset.c:11:
./include/linux/cred.h:276:35: error: dereferencing pointer to incomplete type 'struct task_struct'
  276 |  rcu_dereference_protected(current->cred, 1)
      |                                   ^~
./include/linux/rcupdate.h:358:12: note: in definition of macro '__rcu_dereference_protected'
  358 |  ((typeof(*p) __force __kernel *)(p)); \
      |            ^
./include/linux/cred.h:276:2: note: in expansion of macro 'rcu_dereference_protected'
  276 |  rcu_dereference_protected(current->cred, 1)
      |  ^~~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/cred.h:354:2: note: in expansion of macro 'current_cred'
  354 |  current_cred()->xxx;   \
      |  ^~~~~~~~~~~~
./include/linux/cred.h:357:25: note: in expansion of macro 'current_cred_xxx'
  357 | #define current_uid()  (current_cred_xxx(uid))
      |                         ^~~~~~~~~~~~~~~~
./include/net/scm.h:84:41: note: in expansion of macro 'current_uid'
   84 |   scm_set_cred(scm, task_tgid(current), current_uid(), current_gid());
      |                                         ^~~~~~~~~~~
In file included from ./include/linux/netlink.h:9,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/include/linux/netfilter/ipset/ip_set_compat.h:95,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/include/linux/jhash.h:3,
                 from ./include/linux/rhashtable.h:24,
                 from ./include/linux/ipc.h:7,
                 from ./include/uapi/linux/sem.h:5,
                 from ./include/linux/sem.h:9,
                 from ./include/linux/sched.h:15,
                 from ./include/linux/uaccess.h:5,
                 from ./include/net/checksum.h:25,
                 from ./include/linux/skbuff.h:31,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/sched/em_ipset.c:16:
./include/net/scm.h:84:21: warning: passing argument 2 of 'scm_set_cred' makes pointer from integer
without a cast [-Wint-conversion]
   84 |   scm_set_cred(scm, task_tgid(current), current_uid(), current_gid());
      |                     ^~~~~~~~~~~~~~~~~~
      |                     |
      |                     int
./include/net/scm.h:56:21: note: expected 'struct pid *' but argument is of type 'int'
   56 |         struct pid *pid, kuid_t uid, kgid_t gid)
      |         ~~~~~~~~~~~~^~~
In file included from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/include/linux/netfilter/ipset/ip_set_compat.h:95,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/include/linux/jhash.h:3,
                 from ./include/linux/rhashtable.h:24,
                 from ./include/linux/ipc.h:7,
                 from ./include/uapi/linux/sem.h:5,
                 from ./include/linux/sem.h:9,
                 from ./include/linux/sched.h:15,
                 from ./include/linux/uaccess.h:5,
                 from ./include/net/checksum.h:25,
                 from ./include/linux/skbuff.h:31,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/sched/em_ipset.c:16:
./include/linux/netlink.h: In function 'nlmsg_hdr':
./include/linux/netlink.h:16:31: error: dereferencing pointer to incomplete type 'const struct sk_buff'
   16 |  return (struct nlmsghdr *)skb->data;
      |                               ^~
./include/linux/netlink.h: In function 'netlink_skb_clone':
./include/linux/netlink.h:147:9: error: implicit declaration of function 'skb_clone'
[-Werror=implicit-function-declaration]
  147 |  nskb = skb_clone(skb, gfp_mask);
      |         ^~~~~~~~~
./include/linux/netlink.h:147:7: warning: assignment to 'struct sk_buff *' from 'int' makes pointer
from integer without a cast [-Wint-conversion]
  147 |  nskb = skb_clone(skb, gfp_mask);
      |       ^
./include/linux/netlink.h:152:25: error: dereferencing pointer to incomplete type 'struct sk_buff'
  152 |  if (is_vmalloc_addr(skb->head))
      |                         ^~
In file included from ./include/linux/uaccess.h:5,
                 from ./include/net/checksum.h:25,
                 from ./include/linux/skbuff.h:31,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/sched/em_ipset.c:16:
./include/linux/sched.h: At top level:
./include/linux/sched.h:1163:27: error: conflicting types for 'task_tgid'
 1163 | static inline struct pid *task_tgid(struct task_struct *task)
      |                           ^~~~~~~~~
In file included from ./include/linux/netlink.h:9,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/include/linux/netfilter/ipset/ip_set_compat.h:95,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/include/linux/jhash.h:3,
                 from ./include/linux/rhashtable.h:24,
                 from ./include/linux/ipc.h:7,
                 from ./include/uapi/linux/sem.h:5,
                 from ./include/linux/sem.h:9,
                 from ./include/linux/sched.h:15,
                 from ./include/linux/uaccess.h:5,
                 from ./include/net/checksum.h:25,
                 from ./include/linux/skbuff.h:31,
                 from
/var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/sched/em_ipset.c:16:
./include/net/scm.h:84:21: note: previous implicit declaration of 'task_tgid' was here
   84 |   scm_set_cred(scm, task_tgid(current), current_uid(), current_gid());
      |                     ^~~~~~~~~

Re: [ANNOUNCE] ipset 7.8 released

[Jozsef Kadlecsik]

[-- Attachment #1: Type: text/plain, Size: 4884 bytes --]

Hi,

On Fri, 4 Dec 2020, Ed W wrote:

> Hi, I'm having some difficulty compiling ipset 7.9 in kernel 4.14.78 as 
> provided by Variscite for an arm board
>  
> I've trimmed the build log and errors, but it seems to revolve around:
> 
> Pre kernel 4.18 the header
> 
>     ./include/linux/ipc.h
> 
> would include
> 
>     ./include/linux/rhashtable.h
> 
> (later it includes rhashtable-types.h)
> 
> This in turn draws in the jhash.c copy, which in turn includes 
> ip_set_compat.h, which then causes some errors due to drawing in things 
> where we haven't yet finished reading all the header files
> 
> I'm not sure how to work around the compile fail in ipset-7.9? I agree I 
> can't rule it out to be a problem due to the vendor kernel, but the 
> include tree seems to point clearly to the issue above in ipc.h 
> 
> 
> Note: ipset7.7 gives me errors about    
> 
>     error: 'fallthrough' undeclared
> 
> Which seems fair enough given the age of my kernel. I could probably fix this

That is fixed in 7.9.

> ipset 7.6 compiles ok for me.
>  
> Any guidance please?

Please give a try to the next patch on top of ipset 7.9: it separates the 
compiler compatibility stuff from the kernel compatibility part and that 
helps to resolve the include file issue.

diff --git a/.gitignore b/.gitignore
index 46a78dd..0e8a087 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,6 +20,7 @@ Makefile.in
 Module.symvers
 modules.order
 kernel/include/linux/netfilter/ipset/ip_set_compat.h
+kernel/include/linux/netfilter/ipset/ip_set_compiler.h
 
 /aclocal.m4
 /autom4te.cache/
diff --git a/configure.ac b/configure.ac
index 1086de3..2f06590 100644
--- a/configure.ac
+++ b/configure.ac
@@ -851,7 +851,8 @@ dnl Checks for library functions.
 dnl Generate output
 AC_CONFIG_FILES([Makefile include/libipset/Makefile
 	lib/Makefile lib/libipset.pc src/Makefile utils/Makefile
-	kernel/include/linux/netfilter/ipset/ip_set_compat.h])
+	kernel/include/linux/netfilter/ipset/ip_set_compat.h
+	kernel/include/linux/netfilter/ipset/ip_set_compiler.h])
 AC_OUTPUT
 
 dnl Summary
diff --git a/kernel/include/linux/jhash.h b/kernel/include/linux/jhash.h
index 8df77ec..d144e33 100644
--- a/kernel/include/linux/jhash.h
+++ b/kernel/include/linux/jhash.h
@@ -1,6 +1,6 @@
 #ifndef _LINUX_JHASH_H
 #define _LINUX_JHASH_H
-#include <linux/netfilter/ipset/ip_set_compat.h>
+#include <linux/netfilter/ipset/ip_set_compiler.h>
 
 /* jhash.h: Jenkins hash support.
  *
diff --git a/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in b/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in
index 8f00e6a..bf99bc0 100644
--- a/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in
+++ b/kernel/include/linux/netfilter/ipset/ip_set_compat.h.in
@@ -519,18 +519,5 @@ static inline void *kvzalloc(size_t size, gfp_t flags)
 	return members;
 }
 #endif
-
-/* Compiler attributes */
-#ifndef __has_attribute
-# define __has_attribute(x) __GCC4_has_attribute_##x
-# define __GCC4_has_attribute___fallthrough__		0
-#endif
-
-#if __has_attribute(__fallthrough__)
-# define fallthrough			__attribute__((__fallthrough__))
-#else
-# define fallthrough			do {} while (0)  /* fallthrough */
-#endif
-
 #endif /* IP_SET_COMPAT_HEADERS */
 #endif /* __IP_SET_COMPAT_H */
diff --git a/kernel/include/linux/netfilter/ipset/ip_set_compiler.h.in b/kernel/include/linux/netfilter/ipset/ip_set_compiler.h.in
new file mode 100644
index 0000000..1b392f8
--- /dev/null
+++ b/kernel/include/linux/netfilter/ipset/ip_set_compiler.h.in
@@ -0,0 +1,15 @@
+#ifndef __IP_SET_COMPILER_H
+#define __IP_SET_COMPILER_H
+
+/* Compiler attributes */
+#ifndef __has_attribute
+# define __has_attribute(x) __GCC4_has_attribute_##x
+# define __GCC4_has_attribute___fallthrough__		0
+#endif
+
+#if __has_attribute(__fallthrough__)
+# define fallthrough			__attribute__((__fallthrough__))
+#else
+# define fallthrough			do {} while (0)  /* fallthrough */
+#endif
+#endif /* __IP_SET_COMPILER_H */
diff --git a/kernel/net/netfilter/ipset/ip_set_core.c b/kernel/net/netfilter/ipset/ip_set_core.c
index dcbc400..85961fc 100644
--- a/kernel/net/netfilter/ipset/ip_set_core.c
+++ b/kernel/net/netfilter/ipset/ip_set_core.c
@@ -21,6 +21,7 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/ipset/ip_set.h>
+#include <linux/netfilter/ipset/ip_set_compiler.h>
 
 static LIST_HEAD(ip_set_type_list);		/* all registered set types */
 static DEFINE_MUTEX(ip_set_type_mutex);		/* protects ip_set_type_list */

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipset 7.9 compilation fix on kernel 4.14

[Jozsef Kadlecsik]

[-- Attachment #1: Type: text/plain, Size: 1096 bytes --]

Hi,

On Thu, 10 Dec 2020, Ed W wrote:

> There remains a compile warning, just wanted to bring to your attention:
> 
> /var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ips
> et/ip_set_core.c: In function 'ip_set_rename':
> /var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ips
> et/ip_set_core.c:1359:2: warning: 'strncpy' specified bound 32 equals
> destination size [-Wstringop-truncation]
>  1359 |  strncpy(set->name, name2, IPSET_MAXNAMELEN);
>       |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   LD [M] /var/tmp/portage/net-firewall/ipset-7.9/work/ipset-7.9/kernel/net/netfilter/ips
> et/ip_set.o

That's a false warning: name2 comes from a netlink attribute which size 
is limited to IPSET_MAXNAMELEN-1, including NUL. The compiler can't figure 
it out though.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary