Commit 3e0304a5 authored by Jozsef Kadlecsik's avatar Jozsef Kadlecsik

netfilter: ipset: Support to match elements marked with "nomatch"

Exceptions can now be matched and we can branch according to the
possible cases:

a. match in the set if the element is not flagged as "nomatch"
b. match in the set if the element is flagged with "nomatch"
c. no match

i.e.

iptables ... -m set --match-set ... -j ...
iptables ... -m set --match-set ... --nomatch-entries -j ...
...
Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
parent 3ace95c0
...@@ -190,6 +190,7 @@ enum ip_set_dim { ...@@ -190,6 +190,7 @@ enum ip_set_dim {
* If changed, new revision of iptables match/target is required. * If changed, new revision of iptables match/target is required.
*/ */
IPSET_DIM_MAX = 6, IPSET_DIM_MAX = 6,
IPSET_BIT_RETURN_NOMATCH = 7,
}; };
/* Option flags for kernel operations */ /* Option flags for kernel operations */
...@@ -198,6 +199,7 @@ enum ip_set_kopt { ...@@ -198,6 +199,7 @@ enum ip_set_kopt {
IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE), IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO), IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE), IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH),
}; };
#ifdef __KERNEL__ #ifdef __KERNEL__
...@@ -229,6 +231,8 @@ enum ip_set_feature { ...@@ -229,6 +231,8 @@ enum ip_set_feature {
IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG), IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG),
IPSET_TYPE_IFACE_FLAG = 5, IPSET_TYPE_IFACE_FLAG = 5,
IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG), IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG),
IPSET_TYPE_NOMATCH_FLAG = 6,
IPSET_TYPE_NOMATCH = (1 << IPSET_TYPE_NOMATCH_FLAG),
/* Strictly speaking not a feature, but a flag for dumping: /* Strictly speaking not a feature, but a flag for dumping:
* this settype must be dumped last */ * this settype must be dumped last */
IPSET_DUMP_LAST_FLAG = 7, IPSET_DUMP_LAST_FLAG = 7,
......
...@@ -370,6 +370,12 @@ ip_set_test(ip_set_id_t index, const struct sk_buff *skb, ...@@ -370,6 +370,12 @@ ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
set->variant->kadt(set, skb, par, IPSET_ADD, opt); set->variant->kadt(set, skb, par, IPSET_ADD, opt);
write_unlock_bh(&set->lock); write_unlock_bh(&set->lock);
ret = 1; ret = 1;
} else {
/* --return-nomatch: invert matched element */
if ((opt->flags & IPSET_RETURN_NOMATCH) &&
(set->type->features & IPSET_TYPE_NOMATCH) &&
(ret > 0 || ret == -ENOTEMPTY))
ret = -ret;
} }
/* Convert error codes to nomatch */ /* Convert error codes to nomatch */
......
...@@ -104,10 +104,10 @@ hash_ipportnet4_data_flags(struct hash_ipportnet4_elem *dst, u32 flags) ...@@ -104,10 +104,10 @@ hash_ipportnet4_data_flags(struct hash_ipportnet4_elem *dst, u32 flags)
dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH); dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
} }
static inline bool static inline int
hash_ipportnet4_data_match(const struct hash_ipportnet4_elem *elem) hash_ipportnet4_data_match(const struct hash_ipportnet4_elem *elem)
{ {
return !elem->nomatch; return elem->nomatch ? -ENOTEMPTY : 1;
} }
static inline void static inline void
...@@ -411,10 +411,10 @@ hash_ipportnet6_data_flags(struct hash_ipportnet6_elem *dst, u32 flags) ...@@ -411,10 +411,10 @@ hash_ipportnet6_data_flags(struct hash_ipportnet6_elem *dst, u32 flags)
dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH); dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
} }
static inline bool static inline int
hash_ipportnet6_data_match(const struct hash_ipportnet6_elem *elem) hash_ipportnet6_data_match(const struct hash_ipportnet6_elem *elem)
{ {
return !elem->nomatch; return elem->nomatch ? -ENOTEMPTY : 1;
} }
static inline void static inline void
...@@ -697,7 +697,8 @@ hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags) ...@@ -697,7 +697,8 @@ hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
static struct ip_set_type hash_ipportnet_type __read_mostly = { static struct ip_set_type hash_ipportnet_type __read_mostly = {
.name = "hash:ip,port,net", .name = "hash:ip,port,net",
.protocol = IPSET_PROTOCOL, .protocol = IPSET_PROTOCOL,
.features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2, .features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2 |
IPSET_TYPE_NOMATCH,
.dimension = IPSET_DIM_THREE, .dimension = IPSET_DIM_THREE,
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
.revision_min = REVISION_MIN, .revision_min = REVISION_MIN,
......
...@@ -90,10 +90,10 @@ hash_net4_data_flags(struct hash_net4_elem *dst, u32 flags) ...@@ -90,10 +90,10 @@ hash_net4_data_flags(struct hash_net4_elem *dst, u32 flags)
dst->nomatch = flags & IPSET_FLAG_NOMATCH; dst->nomatch = flags & IPSET_FLAG_NOMATCH;
} }
static inline bool static inline int
hash_net4_data_match(const struct hash_net4_elem *elem) hash_net4_data_match(const struct hash_net4_elem *elem)
{ {
return !elem->nomatch; return elem->nomatch ? -ENOTEMPTY : 1;
} }
static inline void static inline void
...@@ -311,10 +311,10 @@ hash_net6_data_flags(struct hash_net6_elem *dst, u32 flags) ...@@ -311,10 +311,10 @@ hash_net6_data_flags(struct hash_net6_elem *dst, u32 flags)
dst->nomatch = flags & IPSET_FLAG_NOMATCH; dst->nomatch = flags & IPSET_FLAG_NOMATCH;
} }
static inline bool static inline int
hash_net6_data_match(const struct hash_net6_elem *elem) hash_net6_data_match(const struct hash_net6_elem *elem)
{ {
return !elem->nomatch; return elem->nomatch ? -ENOTEMPTY : 1;
} }
static inline void static inline void
...@@ -536,7 +536,7 @@ hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags) ...@@ -536,7 +536,7 @@ hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
static struct ip_set_type hash_net_type __read_mostly = { static struct ip_set_type hash_net_type __read_mostly = {
.name = "hash:net", .name = "hash:net",
.protocol = IPSET_PROTOCOL, .protocol = IPSET_PROTOCOL,
.features = IPSET_TYPE_IP, .features = IPSET_TYPE_IP | IPSET_TYPE_NOMATCH,
.dimension = IPSET_DIM_ONE, .dimension = IPSET_DIM_ONE,
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
.revision_min = REVISION_MIN, .revision_min = REVISION_MIN,
......
...@@ -201,10 +201,10 @@ hash_netiface4_data_flags(struct hash_netiface4_elem *dst, u32 flags) ...@@ -201,10 +201,10 @@ hash_netiface4_data_flags(struct hash_netiface4_elem *dst, u32 flags)
dst->nomatch = flags & IPSET_FLAG_NOMATCH; dst->nomatch = flags & IPSET_FLAG_NOMATCH;
} }
static inline bool static inline int
hash_netiface4_data_match(const struct hash_netiface4_elem *elem) hash_netiface4_data_match(const struct hash_netiface4_elem *elem)
{ {
return !elem->nomatch; return elem->nomatch ? -ENOTEMPTY : 1;
} }
static inline void static inline void
...@@ -497,10 +497,10 @@ hash_netiface6_data_flags(struct hash_netiface6_elem *dst, u32 flags) ...@@ -497,10 +497,10 @@ hash_netiface6_data_flags(struct hash_netiface6_elem *dst, u32 flags)
dst->nomatch = flags & IPSET_FLAG_NOMATCH; dst->nomatch = flags & IPSET_FLAG_NOMATCH;
} }
static inline bool static inline int
hash_netiface6_data_match(const struct hash_netiface6_elem *elem) hash_netiface6_data_match(const struct hash_netiface6_elem *elem)
{ {
return !elem->nomatch; return elem->nomatch ? -ENOTEMPTY : 1;
} }
static inline void static inline void
...@@ -774,7 +774,8 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags) ...@@ -774,7 +774,8 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
static struct ip_set_type hash_netiface_type __read_mostly = { static struct ip_set_type hash_netiface_type __read_mostly = {
.name = "hash:net,iface", .name = "hash:net,iface",
.protocol = IPSET_PROTOCOL, .protocol = IPSET_PROTOCOL,
.features = IPSET_TYPE_IP | IPSET_TYPE_IFACE, .features = IPSET_TYPE_IP | IPSET_TYPE_IFACE |
IPSET_TYPE_NOMATCH,
.dimension = IPSET_DIM_TWO, .dimension = IPSET_DIM_TWO,
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
.revision_min = REVISION_MIN, .revision_min = REVISION_MIN,
......
...@@ -104,10 +104,10 @@ hash_netport4_data_flags(struct hash_netport4_elem *dst, u32 flags) ...@@ -104,10 +104,10 @@ hash_netport4_data_flags(struct hash_netport4_elem *dst, u32 flags)
dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH); dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
} }
static inline bool static inline int
hash_netport4_data_match(const struct hash_netport4_elem *elem) hash_netport4_data_match(const struct hash_netport4_elem *elem)
{ {
return !elem->nomatch; return elem->nomatch ? -ENOTEMPTY : 1;
} }
static inline void static inline void
...@@ -375,10 +375,10 @@ hash_netport6_data_flags(struct hash_netport6_elem *dst, u32 flags) ...@@ -375,10 +375,10 @@ hash_netport6_data_flags(struct hash_netport6_elem *dst, u32 flags)
dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH); dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
} }
static inline bool static inline int
hash_netport6_data_match(const struct hash_netport6_elem *elem) hash_netport6_data_match(const struct hash_netport6_elem *elem)
{ {
return !elem->nomatch; return elem->nomatch ? -ENOTEMPTY : 1;
} }
static inline void static inline void
...@@ -650,7 +650,7 @@ hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags) ...@@ -650,7 +650,7 @@ hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
static struct ip_set_type hash_netport_type __read_mostly = { static struct ip_set_type hash_netport_type __read_mostly = {
.name = "hash:net,port", .name = "hash:net,port",
.protocol = IPSET_PROTOCOL, .protocol = IPSET_PROTOCOL,
.features = IPSET_TYPE_IP | IPSET_TYPE_PORT, .features = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_NOMATCH,
.dimension = IPSET_DIM_TWO, .dimension = IPSET_DIM_TWO,
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
.revision_min = REVISION_MIN, .revision_min = REVISION_MIN,
......
...@@ -356,6 +356,27 @@ static struct xt_match set_matches[] __read_mostly = { ...@@ -356,6 +356,27 @@ static struct xt_match set_matches[] __read_mostly = {
.destroy = set_match_v1_destroy, .destroy = set_match_v1_destroy,
.me = THIS_MODULE .me = THIS_MODULE
}, },
/* --return-nomatch flag support */
{
.name = "set",
.family = NFPROTO_IPV4,
.revision = 2,
.match = set_match_v1,
.matchsize = sizeof(struct xt_set_info_match_v1),
.checkentry = set_match_v1_checkentry,
.destroy = set_match_v1_destroy,
.me = THIS_MODULE
},
{
.name = "set",
.family = NFPROTO_IPV6,
.revision = 2,
.match = set_match_v1,
.matchsize = sizeof(struct xt_set_info_match_v1),
.checkentry = set_match_v1_checkentry,
.destroy = set_match_v1_destroy,
.me = THIS_MODULE
},
}; };
static struct xt_target set_targets[] __read_mostly = { static struct xt_target set_targets[] __read_mostly = {
...@@ -389,6 +410,7 @@ static struct xt_target set_targets[] __read_mostly = { ...@@ -389,6 +410,7 @@ static struct xt_target set_targets[] __read_mostly = {
.destroy = set_target_v1_destroy, .destroy = set_target_v1_destroy,
.me = THIS_MODULE .me = THIS_MODULE
}, },
/* --timeout and --exist flags support */
{ {
.name = "SET", .name = "SET",
.revision = 2, .revision = 2,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment