| author | Vytas Dauksa <vytas.dauksa@smoothwall.net> | 2013-12-17 09:01:43 -0500 |
|---|---|---|
| committer | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2014-03-06 03:31:42 -0500 |
| commit | 3b02b56cd5988d569731f6c0c26992296e46b758 (patch) | |
| tree | fc2af4bd9de189edc2a374816d8920a897f4da4d /include/linux | |
| parent | 9562cf28d1b48d0545d7b5dd2995d00b45e1cb53 (diff) | |
netfilter: ipset: add hash:ip,mark data type to ipset
Introduce packet mark support with new ip,mark hash set. This includes
userspace and kernelspace code, hash:ip,mark set tests and man page
updates.
The intended use of ip,mark set is similar to the ip:port type, but for
protocols which don't use a predictable port number. Instead of port
number it matches a firewall mark determined by a layer 7 filtering
program like opendpi.
As well as allowing or blocking traffic it will also be used for
accounting packets and bytes sent for each protocol.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/netfilter/ipset/ip_set.h | 10 |
1 files changed, 6 insertions, 4 deletions
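--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -39,11 +39,13 @@ enum ip_set_feature {
 IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG),
 IPSET_TYPE_IFACE_FLAG = 5,
 IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG),
-IPSET_TYPE_NOMATCH_FLAG = 6,
+IPSET_TYPE_MARK_FLAG = 6,
+IPSET_TYPE_MARK = (1 << IPSET_TYPE_MARK_FLAG),
+IPSET_TYPE_NOMATCH_FLAG = 7,
 IPSET_TYPE_NOMATCH = (1 << IPSET_TYPE_NOMATCH_FLAG),
 /* Strictly speaking not a feature, but a flag for dumping:
  * this settype must be dumped last */
-IPSET_DUMP_LAST_FLAG = 7,
+IPSET_DUMP_LAST_FLAG = 8,
 IPSET_DUMP_LAST = (1 << IPSET_DUMP_LAST_FLAG),
 };
 
@@ -171,8 +173,6 @@ struct ip_set_type {
 char name[IPSET_MAXNAMELEN];
 /* Protocol version */
 u8 protocol;
-/* Set features to control swapping */
-u8 features;
 /* Set type dimension */
 u8 dimension;
 /*
@@ -182,6 +182,8 @@ struct ip_set_type {
 u8 family;
 /* Type revisions */
 u8 revision_min, revision_max;
+/* Set features to control swapping */
+u16 features;
 
 /* Create set */
 int (*create)(struct net *net, struct ip_set *set,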
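Review bot: The widening of `features` from `u8` to `u16` in the last hunk is what keeps the new `IPSET_DUMP_LAST_FLAG = 8` (value 256) representable, but nothing in the header ties the enum to the field width, so the next flag appended to `enum ip_set_feature` can silently overflow the field again and a set type would then register with its feature bit dropped. I would record the invariant where it will be seen when the enum grows, e.g. on the `IPSET_DUMP_LAST_FLAG` line: `IPSET_DUMP_LAST_FLAG = 8, /* highest bit; must fit ip_set_type.features (u16) */`, and a `BUILD_BUG_ON(IPSET_DUMP_LAST_FLAG >= 8 * sizeof(((struct ip_set_type *)0)->features))` at the registration site would enforce it, though that site is outside this diff. Moving the field after `revision_min, revision_max` also changes the layout of `struct ip_set_type`; that only matters for out-of-tree code compiled against the old header, which I cannot assess from here. `struct ip_set_type` continues past the end of the hunk.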
