
Merge branch 'master' of git://blackhole.kfki.hu/nf-next

Jozsef Kadlecsik says:

====================
ipset patches for nf-next

- Add wildcard support to hash:net,iface, which makes it possible to
match interface prefixes in addition to complete interface names, from
Kristian Evensen.
====================

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+20 -5
+2
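--- a/include/uapi/linux/netfilter/ipset/ip_set.h
+++ b/include/uapi/linux/netfilter/ipset/ip_set.h
@@ -205,6 +205,8 @@
 IPSET_FLAG_WITH_FORCEADD = (1 << IPSET_FLAG_BIT_WITH_FORCEADD),
 IPSET_FLAG_BIT_WITH_SKBINFO = 6,
 IPSET_FLAG_WITH_SKBINFO = (1 << IPSET_FLAG_BIT_WITH_SKBINFO),
+IPSET_FLAG_BIT_IFACE_WILDCARD = 7,
+IPSET_FLAG_IFACE_WILDCARD = (1 << IPSET_FLAG_BIT_IFACE_WILDCARD),
 IPSET_FLAG_CADT_MAX = 15,
 };
 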
+18 -5
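--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -25,7 +25,8 @@
 /* 3 Counters support added */
 /* 4 Comments support added */
 /* 5 Forceadd support added */
-#define IPSET_TYPE_REV_MAX 6 /* skbinfo support added */
+/* 6 skbinfo support added */
+#define IPSET_TYPE_REV_MAX 7 /* interface wildcard support added */
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@netfilter.org>");
@@
 u8 cidr;
 u8 nomatch;
 u8 elem;
+u8 wildcard;
 char iface[IFNAMSIZ];
 };
 
@@
 ip1->cidr == ip2->cidr &&
 (++*multi) &&
 ip1->physdev == ip2->physdev &&
-strcmp(ip1->iface, ip2->iface) == 0;
+(ip1->wildcard ?
+strncmp(ip1->iface, ip2->iface, strlen(ip1->iface)) == 0 :
+strcmp(ip1->iface, ip2->iface) == 0);
 }
 
 static int
@@
 hash_netiface4_data_list(struct sk_buff *skb,
 const struct hash_netiface4_elem *data)
 {
-u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
+u32 flags = (data->physdev ? IPSET_FLAG_PHYSDEV : 0) |
+(data->wildcard ? IPSET_FLAG_IFACE_WILDCARD : 0);
 
 if (data->nomatch)
 flags |= IPSET_FLAG_NOMATCH;
@@
 e.physdev = 1;
 if (cadt_flags & IPSET_FLAG_NOMATCH)
 flags |= (IPSET_FLAG_NOMATCH << 16);
+if (cadt_flags & IPSET_FLAG_IFACE_WILDCARD)
+e.wildcard = 1;
 }
 if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
 e.ip = htonl(ip & ip_set_hostmask(e.cidr));
@@
 u8 cidr;
 u8 nomatch;
 u8 elem;
+u8 wildcard;
 char iface[IFNAMSIZ];
 };
 
@@
 ip1->cidr == ip2->cidr &&
 (++*multi) &&
 ip1->physdev == ip2->physdev &&
-strcmp(ip1->iface, ip2->iface) == 0;
+(ip1->wildcard ?
+strncmp(ip1->iface, ip2->iface, strlen(ip1->iface)) == 0 :
+strcmp(ip1->iface, ip2->iface) == 0);
 }
 
 static int
@@
 hash_netiface6_data_list(struct sk_buff *skb,
 const struct hash_netiface6_elem *data)
 {
-u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
+u32 flags = (data->physdev ? IPSET_FLAG_PHYSDEV : 0) |
+(data->wildcard ? IPSET_FLAG_IFACE_WILDCARD : 0);
 
 if (data->nomatch)
 flags |= IPSET_FLAG_NOMATCH;
@@
 e.physdev = 1;
 if (cadt_flags & IPSET_FLAG_NOMATCH)
 flags |= (IPSET_FLAG_NOMATCH << 16);
+if (cadt_flags & IPSET_FLAG_IFACE_WILDCARD)
+e.wildcard = 1;
 }
 
 ret = adtfn(set, &e, &ext, &ext, flags);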
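Review bot: In the two `data_equal` comparators (the IPv4 one and its `hash_netiface6` twin) the new prefix branch takes `strlen(ip1->iface)` as the compare length, so an element with `wildcard` set and an empty `iface` compares equal to every interface name; whether the `uadt` paths reject an empty name is not visible in these hunks. Because such an entry silently widens a firewall match to all interfaces, the flag handling should refuse it once `e.iface` has been filled, e.g. guard `e.wildcard = 1;` with `if (e.iface[0] == '\0') return -IPSET_ERR_PROTOCOL;`. The comparison is also now asymmetric, since only `ip1->wildcard` and `ip1`'s length are consulted, so it deserves a comment such as `/* ip1 is the stored element; a wildcard entry matches any iface name that starts with it */`, assuming that is the callers' argument order, which the page does not show. If the same comparator also serves add and delete, a full interface name could collide with or remove a stored prefix entry, which is worth confirming against the generic hash code.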