diff options
| author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2018-01-04 13:21:26 +0100 |
|---|---|---|
| committer | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2018-01-04 13:21:26 +0100 |
| commit | ad92ed77e77fe421a86f0fde907c51286ed47928 (patch) | |
| tree | 412d16a99a72446666734d404ffd380eb85d6f49 /kernel/include | |
| parent | 0a81ab50306539788e2dd0471f3b1ed5b9dcc5ef (diff) | |
Fix "don't update counters" mode when counters used at the matching
The matching of the counters was not taken into account, fixed.
Diffstat (limited to 'kernel/include')
| -rw-r--r-- | kernel/include/linux/netfilter/ipset/ip_set.h | 6 | ||||
| -rw-r--r-- | kernel/include/linux/netfilter/ipset/ip_set_counter.h | 25 |
2 files changed, 25 insertions, 6 deletions
diff --git a/kernel/include/linux/netfilter/ipset/ip_set.h b/kernel/include/linux/netfilter/ipset/ip_set.h index 3e44e66..3986e63 100644 --- a/kernel/include/linux/netfilter/ipset/ip_set.h +++ b/kernel/include/linux/netfilter/ipset/ip_set.h @@ -123,6 +123,8 @@ struct ip_set_ext { u64 bytes; char *comment; u32 timeout; + u8 packets_op; + u8 bytes_op; }; struct ip_set; @@ -340,6 +342,10 @@ extern int ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[], struct ip_set_ext *ext); extern int ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set, const void *e, bool active); +extern bool ip_set_match_extensions(struct ip_set *set, + const struct ip_set_ext *ext, + struct ip_set_ext *mext, + u32 flags, void *data); static inline int ip_set_get_hostipaddr4(struct nlattr *nla, u32 *ipaddr) diff --git a/kernel/include/linux/netfilter/ipset/ip_set_counter.h b/kernel/include/linux/netfilter/ipset/ip_set_counter.h index 8bf9192..a0d134a 100644 --- a/kernel/include/linux/netfilter/ipset/ip_set_counter.h +++ b/kernel/include/linux/netfilter/ipset/ip_set_counter.h @@ -34,20 +34,33 @@ ip_set_get_packets(const struct ip_set_counter *counter) return (u64)atomic64_read(&(counter)->packets); } +static inline bool +ip_set_match_counter(u64 counter, u64 match, u8 op) +{ + switch (op) { + case IPSET_COUNTER_NONE: + return true; + case IPSET_COUNTER_EQ: + return counter == match; + case IPSET_COUNTER_NE: + return counter != match; + case IPSET_COUNTER_LT: + return counter < match; + case IPSET_COUNTER_GT: + return counter > match; + } + return false; +} + static inline void ip_set_update_counter(struct ip_set_counter *counter, - const struct ip_set_ext *ext, - struct ip_set_ext *mext, u32 flags) + const struct ip_set_ext *ext, u32 flags) { if (ext->packets != ULLONG_MAX && !(flags & IPSET_FLAG_SKIP_COUNTER_UPDATE)) { ip_set_add_bytes(ext->bytes, counter); ip_set_add_packets(ext->packets, counter); } - if (flags & IPSET_FLAG_MATCH_COUNTERS) { - mext->packets = ip_set_get_packets(counter); - mext->bytes = ip_set_get_bytes(counter); - } } static inline bool |