netfilter: ipset: Consistent userspace testing with nomatch flag

The "nomatch" commandline flag should invert the matching at testing,
similarly to the --return-nomatch flag of the "set" match of iptables.
Until now it worked with the elements with "nomatch" flag only. From
now on it works with elements without the flag too, i.e:

 # ipset n test hash:net
 # ipset a test 10.0.0.0/24 nomatch
 # ipset t test 10.0.0.1
 10.0.0.1 is NOT in set test.
 # ipset t test 10.0.0.1 nomatch
 10.0.0.1 is in set test.

 # ipset a test 192.168.0.0/24
 # ipset t test 192.168.0.1
 192.168.0.1 is in set test.
 # ipset t test 192.168.0.1 nomatch
 192.168.0.1 is NOT in set test.

 Before the patch the results were

 ...
 # ipset t test 192.168.0.1
 192.168.0.1 is in set test.
 # ipset t test 192.168.0.1 nomatch
 192.168.0.1 is in set test.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

5 files changed, 9 insertions, 10 deletions

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index f77139007983..c8c303c3386f 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1489,8 +1489,7 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
         if (ret == -EAGAIN)
                 ret = 1;
 
-        return (ret < 0 && ret != -ENOTEMPTY) ? ret :
-                ret > 0 ? 0 : -IPSET_ERR_EXIST;
+        return ret > 0 ? 0 : -IPSET_ERR_EXIST;
 }
 
 /* Get headed data of a set */
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index c6a525373be4..f15f3e28b9c3 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -260,7 +260,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
                 e.ip = htonl(ip);
                 e.ip2 = htonl(ip2_from & ip_set_hostmask(e.cidr + 1));
                 ret = adtfn(set, &e, &ext, &ext, flags);
-                return ip_set_enomatch(ret, flags, adt) ? 1 :
+                return ip_set_enomatch(ret, flags, adt, set) ? -ret :
                        ip_set_eexist(ret, flags) ? 0 : ret;
         }
 
@@ -544,7 +544,7 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
 
         if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
                 ret = adtfn(set, &e, &ext, &ext, flags);
-                return ip_set_enomatch(ret, flags, adt) ? 1 :
+                return ip_set_enomatch(ret, flags, adt, set) ? -ret :
                        ip_set_eexist(ret, flags) ? 0 : ret;
         }
 
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index da740ceb56ae..223e9f546d0f 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -199,7 +199,7 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
         if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
                 e.ip = htonl(ip & ip_set_hostmask(e.cidr));
                 ret = adtfn(set, &e, &ext, &ext, flags);
-                return ip_set_enomatch(ret, flags, adt) ? 1 :
+                return ip_set_enomatch(ret, flags, adt, set) ? -ret:
                        ip_set_eexist(ret, flags) ? 0 : ret;
         }
 
@@ -396,7 +396,7 @@ hash_net6_uadt(struct ip_set *set, struct nlattr *tb[],
 
         ret = adtfn(set, &e, &ext, &ext, flags);
 
-        return ip_set_enomatch(ret, flags, adt) ? 1 :
+        return ip_set_enomatch(ret, flags, adt, set) ? -ret :
                ip_set_eexist(ret, flags) ? 0 : ret;
 }
 
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 84ae6f6ce624..7d798d5d5cd3 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -368,7 +368,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
         if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
                 e.ip = htonl(ip & ip_set_hostmask(e.cidr));
                 ret = adtfn(set, &e, &ext, &ext, flags);
-                return ip_set_enomatch(ret, flags, adt) ? 1 :
+                return ip_set_enomatch(ret, flags, adt, set) ? -ret :
                        ip_set_eexist(ret, flags) ? 0 : ret;
         }
 
@@ -634,7 +634,7 @@ hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
 
         ret = adtfn(set, &e, &ext, &ext, flags);
 
-        return ip_set_enomatch(ret, flags, adt) ? 1 :
+        return ip_set_enomatch(ret, flags, adt, set) ? -ret :
                ip_set_eexist(ret, flags) ? 0 : ret;
 }
 
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index 9a0869853be5..09d6690bee6f 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -244,7 +244,7 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
         if (adt == IPSET_TEST || !(with_ports || tb[IPSET_ATTR_IP_TO])) {
                 e.ip = htonl(ip & ip_set_hostmask(e.cidr + 1));
                 ret = adtfn(set, &e, &ext, &ext, flags);
-                return ip_set_enomatch(ret, flags, adt) ? 1 :
+                return ip_set_enomatch(ret, flags, adt, set) ? -ret :
                        ip_set_eexist(ret, flags) ? 0 : ret;
         }
 
@@ -489,7 +489,7 @@ hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
 
         if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
                 ret = adtfn(set, &e, &ext, &ext, flags);
-                return ip_set_enomatch(ret, flags, adt) ? 1 :
+                return ip_set_enomatch(ret, flags, adt, set) ? -ret :
                        ip_set_eexist(ret, flags) ? 0 : ret;
         }