From patchwork Thu Jul 5 22:34:31 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mr Dash Four X-Patchwork-Id: 169286
From: Mr Dash Four To: Netfilter Core Team Cc: Mr Dash Four , Jozsef Kadlecsik , Pablo Neira Ayuso , Patrick McHardy Subject: [PATCH 2/3] ipset: change 'iface' part in hash:net,iface set Date: Thu, 5 Jul 2012 23:34:31 +0100 Message-Id: <1341527720-10125-1-git-send-email-mr.dash.four@googlemail.com> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: References: In-Reply-To: References: Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Userspace changes to ipset, allowing 'in' and 'out' values to be specified for the 'iface' part of hash:net,iface type sets. Man page updated accordingly. Signed-off-by: Mr Dash Four --- include/libipset/linux_ip_set.h | 5 +++++ src/ipset.8 | 8 ++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/include/libipset/linux_ip_set.h b/include/libipset/linux_ip_set.h index 008da06..8f2bd95 100644 --- a/include/libipset/linux_ip_set.h +++ b/include/libipset/linux_ip_set.h @@ -190,6 +190,10 @@ enum ip_set_dim { * If changed, new revision of iptables match/target is required. */ IPSET_DIM_MAX = 6, + /* + * Indicates whether the new 'iface' format (in/out) has been used. + */ + IPSET_DIM_IFACE = 7, }; /* Option flags for kernel operations */ @@ -198,6 +202,7 @@ enum ip_set_kopt { IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE), IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO), IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE), + IPSET_DIM_IFACE_INOUT = (1 << IPSET_DIM_IFACE), }; #endif /* __IP_SET_H */ diff --git a/src/ipset.8 b/src/ipset.8 index bbad680..522107f 100644 --- a/src/ipset.8 +++ b/src/ipset.8 
@@ -800,10 +800,10 @@ set, or by the host prefix value if the set is empty. .PP The second direction parameter of the \fBset\fR match and \fBSET\fR target modules corresponds to the incoming/outgoing interface: -\fBsrc\fR to the incoming one (similar to the \fB\-i\fR flag of iptables), while -\fBdst\fR to the outgoing one (similar to the \fB\-o\fR flag of iptables). When -the interface is flagged with \fBphysdev:\fR, the interface is interpreted -as the incoming/outgoing bridge port. +\fBin\fR for the incoming, +\fBout\fR for the outgoing interface, thus, consistent with their appropriate flags in netfilter/iptables), while the format used in prior versions of ipset is also supported: +\fBsrc\fR indicating the incoming and +\fBdst\fR the outgoing interface respectively. If the interface value is preceded with \fBphysdev:\fR, the interface is then interpreted as bridge port. .PP The lookup time grows linearly with the number of the different prefix values added to the set.
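Review bot: In the first hunk of include/libipset/linux_ip_set.h, IPSET_DIM_IFACE = 7 is added to enum ip_set_dim after IPSET_DIM_MAX = 6, so the enum now holds a value above its own stated maximum. The new comment describes it as an indicator that the in/out format was used, which makes it a flag bit position rather than a dimension. Any code that treats IPSET_DIM_MAX as the upper bound for ip_set_dim values will not expect it. Consider defining the bit position outside enum ip_set_dim, or state in the comment that it is only a shift count for the ip_set_kopt flags and never a valid dimension. The existing comment above IPSET_DIM_MAX ("If changed, new revision of iptables match/target is required") also deserves a sentence on whether adding a value here triggers that requirement.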
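Review bot: In the second hunk of include/libipset/linux_ip_set.h, IPSET_DIM_IFACE_INOUT = (1 << IPSET_DIM_IFACE) is added without a comment, next to the IPSET_DIM_*_SRC flags, although it does not describe a direction for a dimension. Please document what sets it and what reads it. Since it evaluates to bit 7, please also confirm that every field carrying ip_set_kopt flags is wide enough and that the bit is not already used elsewhere. The diffstat lists only this header and src/ipset.8, so nothing in this patch sets or tests the flag or parses 'in'/'out', while the commit message says the userspace change allows those values. If the parsing lives in another patch of the series, say so in the commit message so this patch can be reviewed against it.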
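Review bot: In the src/ipset.8 hunk, the added text "consistent with their appropriate flags in netfilter/iptables), while the format used in prior versions" has a closing parenthesis with no opening one, because the parenthetical that opened it was on the removed lines. The sentence also drops the explicit pointers to the \fB\-i\fR and \fB\-o\fR flags that the old wording had, and the physdev sentence no longer says "incoming/outgoing bridge port". Suggest restoring the -i/-o references, fixing the parenthesis, and wrapping the long added line like the surrounding roff source. Since rule sets written with src/dst keep working, the page should also state that in/out and src/dst select the same interface direction, and how the two spellings behave when mixed in one rule, so that administrators reading existing firewall rules are not left guessing which interface a set match applies to.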