@@ -20,7 +20,8 @@
#define IPSET_TYPE_REV_MIN 0
/* 1 Counter support added */
/* 2 Comment support added */
-#define IPSET_TYPE_REV_MAX 3 /* skbinfo support added */
+/* 3 skbinfo support added */
+#define IPSET_TYPE_REV_MAX 4 /* SCTP and UDPLITE support added */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@netfilter.org>");
@@ -119,7 +120,9 @@ ip_set_get_ip_port(const struct sk_buff *skb, u8 pf, bool src, __be16 *port)
return ret;
switch (proto) {
case IPPROTO_TCP:
+ case IPPROTO_SCTP:
case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
return true;
default:
return false;
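Review bot: The new `case IPPROTO_SCTP:` and `case IPPROTO_UDPLITE:` labels are not gated on the set revision in the visible lines, so existing bitmap:port sets would presumably start matching SCTP and UDPLITE packets as soon as the updated module is loaded. The set stores only a port number, so a rule that references it without its own protocol match would then cover two more transports than before. That behaviour change deserves a sentence in the commit message and in ipset.8. A comment above the switch would also help, e.g. `/* The set stores no protocol: rules must restrict the protocol themselves */`. The body of ip_set_get_ip_port() starts and ends outside this hunk, so how `proto` is obtained cannot be checked here.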
@@ -282,6 +282,79 @@ static struct ipset_type ipset_bitmap_port3 = {
.description = "skbinfo support",
};
+/* SCTP and UDPLITE support */
+static struct ipset_type ipset_bitmap_port4 = {
+ .name = "bitmap:port",
+ .alias = { "portmap", NULL },
+ .revision = 4,
+ .family = NFPROTO_UNSPEC,
+ .dimension = IPSET_DIM_ONE,
+ .elem = {
+ [IPSET_DIM_ONE - 1] = {
+ .parse = ipset_parse_tcp_udp_port,
+ .print = ipset_print_port,
+ .opt = IPSET_OPT_PORT
+ },
+ },
+ .cmd = {
+ [IPSET_CREATE] = {
+ .args = {
+ IPSET_ARG_PORTRANGE,
+ IPSET_ARG_TIMEOUT,
+ IPSET_ARG_COUNTERS,
+ IPSET_ARG_COMMENT,
+ IPSET_ARG_SKBINFO,
+ /* Backward compatibility */
+ IPSET_ARG_FROM_PORT,
+ IPSET_ARG_TO_PORT,
+ IPSET_ARG_NONE,
+ },
+ .need = IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PORT_TO),
+ .full = IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PORT_TO),
+ .help = "range [PROTO:]FROM-TO",
+ },
+ [IPSET_ADD] = {
+ .args = {
+ IPSET_ARG_TIMEOUT,
+ IPSET_ARG_PACKETS,
+ IPSET_ARG_BYTES,
+ IPSET_ARG_ADT_COMMENT,
+ IPSET_ARG_SKBMARK,
+ IPSET_ARG_SKBPRIO,
+ IPSET_ARG_SKBQUEUE,
+ IPSET_ARG_NONE,
+ },
+ .need = IPSET_FLAG(IPSET_OPT_PORT),
+ .full = IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PORT_TO),
+ .help = "[PROTO:]PORT|FROM-TO",
+ },
+ [IPSET_DEL] = {
+ .args = {
+ IPSET_ARG_NONE,
+ },
+ .need = IPSET_FLAG(IPSET_OPT_PORT),
+ .full = IPSET_FLAG(IPSET_OPT_PORT)
+ | IPSET_FLAG(IPSET_OPT_PORT_TO),
+ .help = "[PROTO:]PORT|FROM-TO",
+ },
+ [IPSET_TEST] = {
+ .args = {
+ IPSET_ARG_NONE,
+ },
+ .need = IPSET_FLAG(IPSET_OPT_PORT),
+ .full = IPSET_FLAG(IPSET_OPT_PORT),
+ .help = "[PROTO:]PORT",
+ },
+ },
+ .usage = "where PORT, FROM and TO are port numbers or port names from /etc/services.\n"
+ " PROTO is only needed if a service name is used and it does not exist\n"
+ " as a TCP service; just the resolved service numer is stored in the set.",
+ .description = "SCTP and UDPLITE support",
+};
+
void _init(void);
void _init(void)
{
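Review bot: Revision 4 still sets `.parse = ipset_parse_tcp_udp_port`, and that parser is defined outside this diff. If it accepts only `tcp` and `udp` as the PROTO prefix, a service name that exists only for SCTP or UDPLITE cannot be entered, even though `.description` advertises those protocols. Please confirm the parser resolves names for the new protocols, or state in `.usage` which PROTO values are accepted. Since the usage text is being copied anyway, its typo could be fixed here: `just the resolved service number is stored in the set.`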
@@ -289,4 +362,5 @@ void _init(void)
ipset_type_add(&ipset_bitmap_port1);
ipset_type_add(&ipset_bitmap_port2);
ipset_type_add(&ipset_bitmap_port3);
+ ipset_type_add(&ipset_bitmap_port4);
}
@@ -504,7 +504,7 @@ Mandatory options to use when creating a \fBbitmap:port\fR type of set:
Create the set from the specified inclusive port range.
.PP
The \fBset\fR match and \fBSET\fR target netfilter kernel modules interpret
-the stored numbers as TCP or UDP port numbers.
+the stored numbers as TCP, SCTP, UDP or UDPLITE port numbers.
.PP
\fBproto\fR only needs to be specified if a service name is used
and that name does not exist as a TCP service. The protocol is never stored
Currently hash:*port* types support SCTP and UDPLITE while bitmap:port doesn't. ip_set_get_ip4_port() and ip_set_get_ip6_port() can get SCTP and UDPLITE ports. This patch adds SCTP and UDPLITE support to bitmap:port type by making ip_set_get_ip_port() return true for the two protocols. Signed-off-by: Quan Tian <tianquan23@gmail.com> --- .../net/netfilter/ipset/ip_set_bitmap_port.c | 5 +- lib/ipset_bitmap_port.c | 74 +++++++++++++++++++ src/ipset.8 | 2 +- 3 files changed, 79 insertions(+), 2 deletions(-)