Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
netfilter: ipset: bitmap:ip,mac type requires "src" for MAC
Enforce that the second "src/dst" parameter of the set match and SET target
must be "src", because we have access to the source MAC only in the packet.
The previous behaviour, that the type required the second parameter
but actually ignored the value was counter-intuitive and confusing.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
authored by Jozsef Kadlecsik and committed by Patrick McHardy 0e8a835a b32e3dc7
+4
net/netfilter/ipset/ip_set_bitmap_ipmac.c
+4
net/netfilter/ipset/ip_set_bitmap_ipmac.c
···
343
343
ipset_adtfn adtfn = set->variant->adt[adt];
344
344
struct ipmac data;
345
345
346
+
/* MAC can be src only */
347
+
if (!(flags & IPSET_DIM_TWO_SRC))
348
+
return 0;
349
+
346
350
data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
347
351
if (data.id < map->first_ip || data.id > map->last_ip)
348
352
return -IPSET_ERR_BITMAP_RANGE;