netfilter: ipset: Support to match elements marked with "nomatch"

Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ... Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2012-09-21 22:02:36 +0200
committer: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2012-09-22 22:44:34 +0200
commit: 3e0304a583d72c747caa8afac76b8d514aa293f5 (patch)
tree: 134fd8cc48ed72be16a7ca2f90b169de103bec2e /net/netfilter/ipset/ip_set_core.c
parent: 3ace95c0ac125a042cfb682d0a9bbdbf1e5a2c65 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 72e9bf0ef90d..778465f217fa 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -370,6 +370,12 @@ ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
 		set->variant->kadt(set, skb, par, IPSET_ADD, opt);
 		write_unlock_bh(&set->lock);
 		ret = 1;
+	} else {
+		/* --return-nomatch: invert matched element */
+		if ((opt->flags & IPSET_RETURN_NOMATCH) &&
+		    (set->type->features & IPSET_TYPE_NOMATCH) &&
+		    (ret > 0 || ret == -ENOTEMPTY))
+			ret = -ret;
 	}
 
 	/* Convert error codes to nomatch */
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2012-09-21 22:02:36 +0200
committer	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2012-09-22 22:44:34 +0200
commit	3e0304a583d72c747caa8afac76b8d514aa293f5 (patch)
tree	134fd8cc48ed72be16a7ca2f90b169de103bec2e /net/netfilter/ipset/ip_set_core.c
parent	3ace95c0ac125a042cfb682d0a9bbdbf1e5a2c65 (diff)