Hello. This patch adds ‘—matchall’ argument to setlist. By default, setlist returns true if packet match to any of it members. With –matchall packet must match to every member of setlist. This is my first patch, so sorry if I do something wrong. Comments are welcome. Piotr Piróg
diff -pruN ipset-4.2.orig/ipset_setlist.c ipset-4.2/ipset_setlist.c
--- ipset-4.2.orig/ipset_setlist.c 2010-03-18 14:59:55.000000000 +0100
+++ ipset-4.2/ipset_setlist.c 2010-03-18 19:07:40.000000000 +0100
@@ -32,6 +32,7 @@ setlist_create_init(void *data)
 struct ip_set_req_setlist_create *mydata = data;
 mydata->size = 8;
+ mydata->matchall = 0;
 }
 /* Function which parses command options; returns true if it ate an option */
@@ -50,6 +51,9 @@ setlist_create_parse(int c, char *argv[]
 "between 1-255", optarg);
 mydata->size = size;
 break;
+ case '2':
+ mydata->matchall = 1;
+ break;
 default:
 return 0;
 }
@@ -65,6 +69,7 @@ setlist_create_final(void *data UNUSED,
 /* Create commandline options */
 static const struct option create_opts[] = {
 {.name = "size", .has_arg = required_argument, .val = '1'},
+ {.name = "matchall", .has_arg = no_argument, .val = '2'},
 {NULL},
 };
@@ -124,6 +129,7 @@ setlist_initheader(struct set *set, cons
 memset(map, 0, sizeof(struct ip_set_setlist));
 map->size = header->size;
+ map->matchall = header->matchall;
 }
 static void
@@ -131,6 +137,8 @@ setlist_printheader(struct set *set, uns
 {
 struct ip_set_setlist *mysetdata = set->settype->header;
+ if (mysetdata->matchall == 1)
+ printf(" matchall");
 printf(" size: %u\n", mysetdata->size);
 }
@@ -161,9 +169,12 @@ setlist_saveheader(struct set *set, unsi
 {
 struct ip_set_setlist *mysetdata = set->settype->header;
- printf("-N %s %s --size %u\n",
+ printf("-N %s %s --size %u",
 set->name, set->settype->typename, mysetdata->size);
+ if (mysetdata->matchall == 1)
+ printf(" --matchall");
+ printf("\n");
 }
 static void
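Review bot: The `mysetdata->matchall == 1` tests in setlist_printheader and setlist_saveheader treat the flag as exactly 1, while the kernel side of this patch stores the request byte unchanged, so any other non-zero value would be listed and saved without `--matchall`. A saved ruleset would then restore a set with different matching semantics from the one that was running. Testing for non-zero, `if (mysetdata->matchall)`, keeps list and save output in step with whatever the kernel reports. Both function signatures lie outside their hunks.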
@@ -189,7 +200,7 @@ static void
 setlist_usage(void)
 {
 printf
- ("-N set setlist --size size\n"
+ ("-N set setlist --size size [--matchall]\n"
 "-A set setname[,before|after,setname]\n"
 "-D set setname\n"
 "-T set setname\n");
diff -pruN ipset-4.2.orig/kernel/include/linux/netfilter_ipv4/ip_set_setlist.h ipset-4.2/kernel/include/linux/netfilter_ipv4/ip_set_setlist.h
--- ipset-4.2.orig/kernel/include/linux/netfilter_ipv4/ip_set_setlist.h 2010-03-18 14:59:54.000000000 +0100
+++ ipset-4.2/kernel/include/linux/netfilter_ipv4/ip_set_setlist.h 2010-03-18 19:02:42.000000000 +0100
@@ -10,11 +10,13 @@
 struct ip_set_setlist {
 uint8_t size;
+ uint8_t matchall;
 ip_set_id_t index[0];
 };
 struct ip_set_req_setlist_create {
 uint8_t size;
+ uint8_t matchall;
 };
 struct ip_set_req_setlist {
diff -pruN ipset-4.2.orig/kernel/ip_set_setlist.c ipset-4.2/kernel/ip_set_setlist.c
--- ipset-4.2.orig/kernel/ip_set_setlist.c 2010-03-18 14:59:55.000000000 +0100
+++ ipset-4.2/kernel/ip_set_setlist.c 2010-03-18 19:02:42.000000000 +0100
@@ -75,11 +75,11 @@ setlist_ktest(struct ip_set *set, const u_int32_t *flags)
 {
 struct ip_set_setlist *map = set->data;
- int i, res = 0;
+ int i, res = map->matchall;
 for (i = 0; i < map->size && map->index[i] != IP_SET_INVALID_ID
- && res == 0; i++)
+ && res == map->matchall; i++)
 res = ip_set_testip_kernel(map->index[i], skb, flags);
 return res;
 }
@@ -251,6 +251,7 @@ setlist_create(struct ip_set *set, const
 if (!map)
 return -ENOMEM;
 map->size = req->size;
+ map->matchall = req->matchall;
 for (i = 0; i < map->size; i++)
 map->index[i] = IP_SET_INVALID_ID;
@@ -292,6 +293,7 @@ setlist_list_header(const struct ip_set
 struct ip_set_req_setlist_create *header = data;
 header->size = map->size;
+ header->matchall = map->matchall;
 }
 static int
-- -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
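Review bot: The new `matchall` member in `struct ip_set_req_setlist_create` changes the size of a request structure shared by the ipset binary and the kernel module, and no protocol or version constant is changed anywhere in this patch. A binary and a module built from different versions of this header would disagree about the create request; whether that mismatch is rejected cleanly depends on size checks that are not visible here, so it should be confirmed before merging. The field also needs a comment stating its meaning and allowed values, e.g. `/* 0: match any member, 1: match every member */`.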
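Review bot: With `res` initialised to `map->matchall`, a matchall setlist whose first slot is `IP_SET_INVALID_ID` never enters the loop in setlist_ktest and returns 1, so an empty list matches every packet. The setlist_create hunk in this patch shows every slot being filled with `IP_SET_INVALID_ID`, which means a freshly created `--matchall` set behaves this way until a member is added, and a rule that accepts on match is open during that window. Returning no match when nothing was tested, `return i ? res : 0;`, avoids that; if the vacuous match is intended, it should be stated in the usage text. The loop condition also assumes ip_set_testip_kernel() returns exactly 0 or 1, which is not visible in this diff.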
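Review bot: `map->matchall = req->matchall;` stores a byte taken from the create request without constraining it to 0 or 1, although setlist_ktest uses it both as the initial result and as the value the loop compares against. With any other value the loop would stop after the first member (assuming ip_set_testip_kernel() yields 0 or 1), which is neither of the two modes the description names. Normalising at this point, `map->matchall = !!req->matchall;`, or rejecting values above 1 with `-EINVAL`, keeps the stored state well defined. The rest of setlist_create, including any earlier validation of `req`, is outside the hunk.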