netfilter: ipset: Introduce new operation to get both setname and family

ip[6]tables set match and SET target need to know the family of the set
in order to reject adding rules which refer to a set with a non-mathcing
family. Currently such rules are silently accepted and then ignored
instead of generating a clear error message to the user, which is not
helpful.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

1 files changed, 8 insertions, 0 deletions

diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h
index 8024cdf13b70..2b61ac44dcc1 100644
--- a/include/uapi/linux/netfilter/ipset/ip_set.h
+++ b/include/uapi/linux/netfilter/ipset/ip_set.h
@@ -250,6 +250,14 @@ struct ip_set_req_get_set {
 #define IP_SET_OP_GET_BYINDEX   0x00000007      /* Get set name by index */
 /* Uses ip_set_req_get_set */
 
+#define IP_SET_OP_GET_FNAME     0x00000008      /* Get set index and family */
+struct ip_set_req_get_set_family {
+        unsigned int op;
+        unsigned int version;
+        unsigned int family;
+        union ip_set_name_index set;
+};
+
 #define IP_SET_OP_VERSION       0x00000100      /* Ask kernel version */
 struct ip_set_req_version {
         unsigned int op;