netfilter: ipset: Support to match elements marked with "nomatch"

Exceptions can now be matched and we can branch according to the
possible cases:

a. match in the set if the element is not flagged as "nomatch"
b. match in the set if the element is flagged with "nomatch"
c. no match

i.e.

iptables ... -m set --match-set ... -j ...
iptables ... -m set --match-set ... --nomatch-entries -j ...
...

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

1 files changed, 4 insertions, 0 deletions

diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index 0c1e97b3acfb..528697b3c152 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -190,6 +190,7 @@ enum ip_set_dim {
          * If changed, new revision of iptables match/target is required.
          */
         IPSET_DIM_MAX = 6,
+        IPSET_BIT_RETURN_NOMATCH = 7,
 };
 
 /* Option flags for kernel operations */
@@ -198,6 +199,7 @@ enum ip_set_kopt {
         IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
         IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
         IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
+        IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH),
 };
 
 #ifdef __KERNEL__
@@ -229,6 +231,8 @@ enum ip_set_feature {
         IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG),
         IPSET_TYPE_IFACE_FLAG = 5,
         IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG),
+        IPSET_TYPE_NOMATCH_FLAG = 6,
+        IPSET_TYPE_NOMATCH = (1 << IPSET_TYPE_NOMATCH_FLAG),
         /* Strictly speaking not a feature, but a flag for dumping:
          * this settype must be dumped last */
         IPSET_DUMP_LAST_FLAG = 7,