From patchwork Wed Aug 29 17:51:12 2018
X-Patchwork-Submitter: Stefano Brivio
X-Patchwork-Id: 963593
X-Patchwork-Delegate: kadlec@blackhole.kfki.hu
From: Stefano Brivio
To: Jozsef Kadlecsik
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH ipset] manpage: Add comment about matching on destination MAC address
Date: Wed, 29 Aug 2018 19:51:12 +0200
Message-Id: <6390cfb5666deacf895cb32e7483a5ec08d608e8.1535564790.git.sbrivio@redhat.com>
List-ID: netfilter-devel@vger.kernel.org

Patch "ipset: Allow matching on destination MAC address for mac and ipmac sets" allows the user to match on destination MAC addresses in some selected cases. Add a comment to the manpage detailing in which cases it makes sense.

Signed-off-by: Stefano Brivio
---
Jozsef, I'm sending this as a separate patch as I guess it's more convenient to have kernel and manpage changes separated. Please let me know if I should rather squash this into the kernel patch itself.

 src/ipset.8 | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/ipset.8 b/src/ipset.8
index 87fb93814ddc..9f1e68f247d6 100644
--- a/src/ipset.8
+++ b/src/ipset.8
@@ -451,13 +451,15 @@ The \fBbitmap:ip,mac\fR type is exceptional in the sense that the MAC part can be left out when adding/deleting/testing entries in the set. If we add an entry without the MAC address specified, then when the first time the entry is matched by the kernel, it will automatically fill out the missing MAC address with the -source MAC address from the packet. If the entry was specified with a timeout value, -the timer starts off when the IP and MAC address pair is complete. +MAC address from the packet. The source MAC address is used if the entry matched +due to a \fBsrc\fR parameter of the \fBset\fR match, and the destination MAC +address is used if available and the entry matched due to a \fBdst\fR parameter. +If the entry was specified with a timeout value, the timer starts off when the +IP and MAC address pair is complete. .PP The \fBbitmap:ip,mac\fR type of sets require two \fBsrc/dst\fR parameters of -the \fBset\fR match and \fBSET\fR target netfilter kernel modules and the second -one must be \fBsrc\fR to match, add or delete entries, because the \fBset\fR -match and \fBSET\fR target have access to the source MAC address only. +the \fBset\fR match and \fBSET\fR target netfilter kernel modules. For matches +on destination MAC addresses, see COMMENTS below. .PP Examples: .IP @@ -532,7 +534,7 @@ ipset add foo 192.168.1.0/24 ipset test foo 192.168.1.2 .SS hash:mac The \fBhash:mac\fR set type uses a hash to store MAC addresses. Zero valued MAC addresses cannot be stored in a \fBhash:mac\fR -type of set. +type of set. For matches on destination MAC addresses, see COMMENTS below. .PP \fICREATE\-OPTIONS\fR := [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP 
@@ -554,7 +556,7 @@ ipset test foo 01:02:03:04:05:06 .SS hash:ip,mac The \fBhash:ip,mac\fR set type uses a hash to store IP and a MAC address pairs. Zero valued MAC addresses cannot be stored in a \fBhash:ip,mac\fR -type of set. +type of set. For matches on destination MAC addresses, see COMMENTS below. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] [ \fBcounters\fP ] [ \fBcomment\fP ] [ \fBskbinfo\fP ] .PP @@ -1058,6 +1060,16 @@ If you want to store random same size networks (say random /24 blocks), use the \fBhash:ip\fR set type. If you have got random size of netblocks, use \fBhash:net\fR. .PP +Matching on destination MAC addresses using the \fBdst\fR parameter of the +\fBset\fR match netfilter kernel modules will only work if the destination MAC +address is available in the packet at the given processing stage, that is, it +only applies for incoming packets in the \fBPREROUTING\fR, \fBINPUT\fR and +\fBFORWARD\fR chains, against the MAC address as originally found in the +received packet (typically, one of the MAC addresses of the local host). This is +\fBnot\fR the destination MAC address a destination IP address resolves to, +after routing. If the MAC address is not available (e.g. in the \fBOUTPUT\fR +chain), the packet will simply not match. +.PP Backward compatibility is maintained and old \fBipset\fR syntax is still supported. .PP The \fBiptree\fR and \fBiptreemap\fR set types are removed: if you refer to them,
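Review bot: in the first hunk (@@ -451), the new sentence describing which MAC address fills an incomplete \fBbitmap:ip,mac\fR entry names only the \fBset\fR match ("due to a \fBsrc\fR parameter of the \fBset\fR match"), while the text it replaces covered both the \fBset\fR match and the \fBSET\fR target, and the removed constraint ("the second one must be \fBsrc\fR to match, add or delete entries") is no longer stated anywhere in the file. Please say explicitly whether an entry added by the \fBSET\fR target with a \fBdst\fR parameter is now completed with the destination MAC address too, or whether the \fBSET\fR target still requires \fBsrc\fR; as written, a reader cannot tell which of the two the "see COMMENTS below" pointer resolves, because the COMMENTS paragraph added later in this patch only talks about the \fBset\fR match.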
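Review bot: in the COMMENTS hunk (@@ -1058), "the \fBdst\fR parameter of the \fBset\fR match netfilter kernel modules" has a number mismatch (one module named, plural "modules"); use either "the \fBset\fR match netfilter kernel module" or, if the \fBSET\fR target is covered as well, "the \fBset\fR match and \fBSET\fR target netfilter kernel modules", which is the phrase the first hunk of this same patch already uses. Two smaller wording points in the same paragraph: "it only applies for incoming packets" reads better as "it only applies to incoming packets", and the parenthetical "(typically, one of the MAC addresses of the local host)" is attached to "received packet" although it describes the destination MAC address, so moving it right after "the MAC address as originally found in the received packet" or rephrasing as "that is, the destination MAC address as found in the received packet, typically one of the MAC addresses of the local host" would make the referent unambiguous.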