git.baikalelectronics.ru Git - kernel.git/commit

author	Stefano Brivio <sbrivio@redhat.com>
	Fri, 17 Aug 2018 19:09:47 +0000 (21:09 +0200)
committer	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	Mon, 22 Oct 2018 21:11:21 +0000 (23:11 +0200)
commit	439b586f30e9a4504ed46634c792bfdecf4d8e39
tree	55eb4fdf90b228476c19c77ef10f169b9f9e6306	tree \| snapshot
parent	bfc07695d5d7f10260fe2c7ad09568d652a41b82	commit \| diff

netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets

There doesn't seem to be any reason to restrict MAC address
matching to source MAC addresses in set types bitmap:ipmac,
hash:ipmac and hash:mac. With this patch, and this setup:

  ip netns add A
  ip link add veth1 type veth peer name veth2 netns A
  ip addr add 192.0.2.1/24 dev veth1
  ip -net A addr add 192.0.2.2/24 dev veth2
  ip link set veth1 up
  ip -net A link set veth2 up

  ip netns exec A ipset create test hash:mac
  dst=$(ip netns exec A cat /sys/class/net/veth2/address)
  ip netns exec A ipset add test ${dst}
  ip netns exec A iptables -P INPUT DROP
  ip netns exec A iptables -I INPUT -m set --match-set test dst -j ACCEPT

ipset will match packets based on destination MAC address:

  # ping -c1 192.0.2.2 >/dev/null
  # echo $?
  0

Reported-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

net/netfilter/ipset/ip_set_bitmap_ipmac.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_ipmac.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_mac.c		diff \| blob \| history