Enable new netmask suport for hash:ip set types.
Example usage:
Legacy behavior:
ipset create foo hash:ip family inet6 netmask 64
New netmask support (equivalent to legacy example):
ipset create foo hash:ip family inet6 netmask ffff:ffff:ffff:ffff::
New wildcard mask support:
ipset create foo hash:ip family inet6 netmask ffff:ffff:ffff:0:0:ffff:ffff:ffff
The 3 mask types are supported for ipv4 sets as well.
Signed-off-by: Josh Hunt <joh...@akamai.com>
---
net/netfilter/ipset/ip_set_hash_ip.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c
b/net/netfilter/ipset/ip_set_hash_ip.c
index 20bfbd3..74aa4a6 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -27,7 +27,8 @@
/* 1 Counters support */
/* 2 Comments support */
/* 3 Forceadd support */
-#define IPSET_TYPE_REV_MAX 4 /* skbinfo support */
+/* 4 skbinfo support */
+#define IPSET_TYPE_REV_MAX 5 /* nf_inet_addr netmask support */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kad...@blackhole.kfki.hu>");
@@ -89,7 +90,7 @@ struct hash_ip4_elem {
__be32 ip;
ip4addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &ip);
- ip &= ip_set_netmask(h->netmask);
+ ip &= h->netmask.mask.ip;
if (ip == 0)
return -EINVAL;
@@ -122,7 +123,7 @@ struct hash_ip4_elem {
if (ret)
return ret;
- ip &= ip_set_hostmask(h->netmask);
+ ip &= ntohl(h->netmask.mask.ip);
if (adt == IPSET_TEST) {
e.ip = htonl(ip);
@@ -146,7 +147,7 @@ struct hash_ip4_elem {
ip_set_mask_from_to(ip, ip_to, cidr);
}
- hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);
+ hosts = (h->netmask.cidr == 32 || !h->netmask.cidr) ? 1 : 2 << (32 -
h->netmask.cidr - 1);
if (retried)
ip = ntohl(h->next.ip);
@@ -182,9 +183,9 @@ struct hash_ip6_elem {
}
static inline void
-hash_ip6_netmask(union nf_inet_addr *ip, u8 prefix)
+hash_ip6_netmask(union nf_inet_addr *ip, const union nf_inet_addr *mask)
{
- ip6_netmask(ip, prefix);
+ nf_inet_addr_mask_inplace(ip, mask);
}
static bool
@@ -223,7 +224,7 @@ struct hash_ip6_elem {
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
ip6addrptr(skb, opt->flags & IPSET_DIM_ONE_SRC, &e.ip.in6);
- hash_ip6_netmask(&e.ip, h->netmask);
+ hash_ip6_netmask(&e.ip, &h->netmask.mask);
if (ipv6_addr_any(&e.ip.in6))
return -EINVAL;
@@ -262,7 +263,7 @@ struct hash_ip6_elem {
if (ret)
return ret;
- hash_ip6_netmask(&e.ip, h->netmask);
+ hash_ip6_netmask(&e.ip, &h->netmask.mask);
if (ipv6_addr_any(&e.ip.in6))
return -IPSET_ERR_HASH_ELEM;
@@ -286,7 +287,8 @@ struct hash_ip6_elem {
[IPSET_ATTR_PROBES] = { .type = NLA_U8 },
[IPSET_ATTR_RESIZE] = { .type = NLA_U8 },
[IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 },
- [IPSET_ATTR_NETMASK] = { .type = NLA_U8 },
+ [IPSET_ATTR_NETMASK] = { .type = NLA_U8 },
+ [IPSET_ATTR_NETMASK_MASK] = { .type = NLA_NESTED },
[IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
},
.adt_policy = {
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
