diff options
| author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2013-04-27 08:40:50 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-04-29 14:09:03 -0400 |
| commit | 6e01781d1c80e2e8263471252a631e86165b15c5 (patch) | |
| tree | 7984310c841a98832be4eaee3f865ce9bf2c355f /include | |
| parent | de76303c5a30e4754cd566dd4b9f3c26170fcf26 (diff) | |
netfilter: ipset: set match: add support to match the counters
The new revision of the set match supports to match the counters
and to suppress updating the counters at matching too.
At the set:list types, the updating of the subcounters can be
suppressed as well.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/netfilter/ipset/ip_set.h | 9 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/ipset/ip_set.h | 31 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/xt_set.h | 9 |
3 files changed, 43 insertions, 6 deletions
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index 0f978ebfaefb..d80e2753847c 100644 --- a/include/linux/netfilter/ipset/ip_set.h +++ b/include/linux/netfilter/ipset/ip_set.h | |||
| @@ -76,7 +76,7 @@ struct ip_set; | |||
| 76 | 76 | ||
| 77 | typedef int (*ipset_adtfn)(struct ip_set *set, void *value, | 77 | typedef int (*ipset_adtfn)(struct ip_set *set, void *value, |
| 78 | const struct ip_set_ext *ext, | 78 | const struct ip_set_ext *ext, |
| 79 | struct ip_set_ext *mext, u32 flags); | 79 | struct ip_set_ext *mext, u32 cmdflags); |
| 80 | 80 | ||
| 81 | /* Kernel API function options */ | 81 | /* Kernel API function options */ |
| 82 | struct ip_set_adt_opt { | 82 | struct ip_set_adt_opt { |
| @@ -217,10 +217,15 @@ ip_set_update_counter(struct ip_set_counter *counter, | |||
| 217 | const struct ip_set_ext *ext, | 217 | const struct ip_set_ext *ext, |
| 218 | struct ip_set_ext *mext, u32 flags) | 218 | struct ip_set_ext *mext, u32 flags) |
| 219 | { | 219 | { |
| 220 | if (ext->packets != ULLONG_MAX) { | 220 | if (ext->packets != ULLONG_MAX && |
| 221 | !(flags & IPSET_FLAG_SKIP_COUNTER_UPDATE)) { | ||
| 221 | ip_set_add_bytes(ext->bytes, counter); | 222 | ip_set_add_bytes(ext->bytes, counter); |
| 222 | ip_set_add_packets(ext->packets, counter); | 223 | ip_set_add_packets(ext->packets, counter); |
| 223 | } | 224 | } |
| 225 | if (flags & IPSET_FLAG_MATCH_COUNTERS) { | ||
| 226 | mext->packets = ip_set_get_packets(counter); | ||
| 227 | mext->bytes = ip_set_get_bytes(counter); | ||
| 228 | } | ||
| 224 | } | 229 | } |
| 225 | 230 | ||
| 226 | static inline bool | 231 | static inline bool |
diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h index ed452675d153..8024cdf13b70 100644 --- a/include/uapi/linux/netfilter/ipset/ip_set.h +++ b/include/uapi/linux/netfilter/ipset/ip_set.h | |||
| @@ -145,7 +145,7 @@ enum ipset_errno { | |||
| 145 | IPSET_ERR_TYPE_SPECIFIC = 4352, | 145 | IPSET_ERR_TYPE_SPECIFIC = 4352, |
| 146 | }; | 146 | }; |
| 147 | 147 | ||
| 148 | /* Flags at command level */ | 148 | /* Flags at command level or match/target flags, lower half of cmdattrs*/ |
| 149 | enum ipset_cmd_flags { | 149 | enum ipset_cmd_flags { |
| 150 | IPSET_FLAG_BIT_EXIST = 0, | 150 | IPSET_FLAG_BIT_EXIST = 0, |
| 151 | IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST), | 151 | IPSET_FLAG_EXIST = (1 << IPSET_FLAG_BIT_EXIST), |
| @@ -153,10 +153,20 @@ enum ipset_cmd_flags { | |||
| 153 | IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME), | 153 | IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME), |
| 154 | IPSET_FLAG_BIT_LIST_HEADER = 2, | 154 | IPSET_FLAG_BIT_LIST_HEADER = 2, |
| 155 | IPSET_FLAG_LIST_HEADER = (1 << IPSET_FLAG_BIT_LIST_HEADER), | 155 | IPSET_FLAG_LIST_HEADER = (1 << IPSET_FLAG_BIT_LIST_HEADER), |
| 156 | IPSET_FLAG_CMD_MAX = 15, /* Lower half */ | 156 | IPSET_FLAG_BIT_SKIP_COUNTER_UPDATE = 3, |
| 157 | IPSET_FLAG_SKIP_COUNTER_UPDATE = | ||
| 158 | (1 << IPSET_FLAG_BIT_SKIP_COUNTER_UPDATE), | ||
| 159 | IPSET_FLAG_BIT_SKIP_SUBCOUNTER_UPDATE = 4, | ||
| 160 | IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE = | ||
| 161 | (1 << IPSET_FLAG_BIT_SKIP_SUBCOUNTER_UPDATE), | ||
| 162 | IPSET_FLAG_BIT_MATCH_COUNTERS = 5, | ||
| 163 | IPSET_FLAG_MATCH_COUNTERS = (1 << IPSET_FLAG_BIT_MATCH_COUNTERS), | ||
| 164 | IPSET_FLAG_BIT_RETURN_NOMATCH = 7, | ||
| 165 | IPSET_FLAG_RETURN_NOMATCH = (1 << IPSET_FLAG_BIT_RETURN_NOMATCH), | ||
| 166 | IPSET_FLAG_CMD_MAX = 15, | ||
| 157 | }; | 167 | }; |
| 158 | 168 | ||
| 159 | /* Flags at CADT attribute level */ | 169 | /* Flags at CADT attribute level, upper half of cmdattrs */ |
| 160 | enum ipset_cadt_flags { | 170 | enum ipset_cadt_flags { |
| 161 | IPSET_FLAG_BIT_BEFORE = 0, | 171 | IPSET_FLAG_BIT_BEFORE = 0, |
| 162 | IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE), | 172 | IPSET_FLAG_BEFORE = (1 << IPSET_FLAG_BIT_BEFORE), |
| @@ -166,7 +176,7 @@ enum ipset_cadt_flags { | |||
| 166 | IPSET_FLAG_NOMATCH = (1 << IPSET_FLAG_BIT_NOMATCH), | 176 | IPSET_FLAG_NOMATCH = (1 << IPSET_FLAG_BIT_NOMATCH), |
| 167 | IPSET_FLAG_BIT_WITH_COUNTERS = 3, | 177 | IPSET_FLAG_BIT_WITH_COUNTERS = 3, |
| 168 | IPSET_FLAG_WITH_COUNTERS = (1 << IPSET_FLAG_BIT_WITH_COUNTERS), | 178 | IPSET_FLAG_WITH_COUNTERS = (1 << IPSET_FLAG_BIT_WITH_COUNTERS), |
| 169 | IPSET_FLAG_CADT_MAX = 15, /* Upper half */ | 179 | IPSET_FLAG_CADT_MAX = 15, |
| 170 | }; | 180 | }; |
| 171 | 181 | ||
| 172 | /* Commands with settype-specific attributes */ | 182 | /* Commands with settype-specific attributes */ |
| @@ -195,6 +205,7 @@ enum ip_set_dim { | |||
| 195 | * If changed, new revision of iptables match/target is required. | 205 | * If changed, new revision of iptables match/target is required. |
| 196 | */ | 206 | */ |
| 197 | IPSET_DIM_MAX = 6, | 207 | IPSET_DIM_MAX = 6, |
| 208 | /* Backward compatibility: set match revision 2 */ | ||
| 198 | IPSET_BIT_RETURN_NOMATCH = 7, | 209 | IPSET_BIT_RETURN_NOMATCH = 7, |
| 199 | }; | 210 | }; |
| 200 | 211 | ||
| @@ -207,6 +218,18 @@ enum ip_set_kopt { | |||
| 207 | IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH), | 218 | IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH), |
| 208 | }; | 219 | }; |
| 209 | 220 | ||
| 221 | enum { | ||
| 222 | IPSET_COUNTER_NONE = 0, | ||
| 223 | IPSET_COUNTER_EQ, | ||
| 224 | IPSET_COUNTER_NE, | ||
| 225 | IPSET_COUNTER_LT, | ||
| 226 | IPSET_COUNTER_GT, | ||
| 227 | }; | ||
| 228 | |||
| 229 | struct ip_set_counter_match { | ||
| 230 | __u8 op; | ||
| 231 | __u64 value; | ||
| 232 | }; | ||
| 210 | 233 | ||
| 211 | /* Interface to iptables/ip6tables */ | 234 | /* Interface to iptables/ip6tables */ |
| 212 | 235 | ||
diff --git a/include/uapi/linux/netfilter/xt_set.h b/include/uapi/linux/netfilter/xt_set.h index e3a9978f259f..964d3d42f874 100644 --- a/include/uapi/linux/netfilter/xt_set.h +++ b/include/uapi/linux/netfilter/xt_set.h | |||
| @@ -62,4 +62,13 @@ struct xt_set_info_target_v2 { | |||
| 62 | __u32 timeout; | 62 | __u32 timeout; |
| 63 | }; | 63 | }; |
| 64 | 64 | ||
| 65 | /* Revision 3 match */ | ||
| 66 | |||
| 67 | struct xt_set_info_match_v3 { | ||
| 68 | struct xt_set_info match_set; | ||
| 69 | struct ip_set_counter_match packets; | ||
| 70 | struct ip_set_counter_match bytes; | ||
| 71 | __u32 flags; | ||
| 72 | }; | ||
| 73 | |||
| 65 | #endif /*_XT_SET_H*/ | 74 | #endif /*_XT_SET_H*/ |