path: root/kernel/net/netfilter/ipset/ip_set_hash_mac.c
diff options
authorStefano Brivio <>2018-08-17 21:09:47 +0200
committerJozsef Kadlecsik <>2018-08-30 10:30:55 +0200
commit1543514c46a7a552aca0e1bb74d66ea98ecf3e38 (patch)
tree321bc6f3139ad58617cd60a20d031b8d47b60b58 /kernel/net/netfilter/ipset/ip_set_hash_mac.c
parentbdd09d11cf09fbe93963229fb2d686ad03126daa (diff)
ipset: Allow matching on destination MAC address for mac and ipmac sets
There doesn't seem to be any reason to restrict MAC address matching to source MAC addresses in set types bitmap:ipmac, hash:ipmac and hash:mac. With this patch, and this setup: ip netns add A ip link add veth1 type veth peer name veth2 netns A ip addr add dev veth1 ip -net A addr add dev veth2 ip link set veth1 up ip -net A link set veth2 up ip netns exec A ipset create test hash:mac dst=$(ip netns exec A cat /sys/class/net/veth2/address) ip netns exec A ipset add test ${dst} ip netns exec A iptables -P INPUT DROP ip netns exec A iptables -I INPUT -m set --match-set test dst -j ACCEPT ipset will match packets based on destination MAC address: # ping -c1 >/dev/null # echo $? 0 Reported-by: Yi Chen <> Signed-off-by: Stefano Brivio <> Signed-off-by: Jozsef Kadlecsik <>
Diffstat (limited to 'kernel/net/netfilter/ipset/ip_set_hash_mac.c')
1 files changed, 5 insertions, 5 deletions
diff --git a/kernel/net/netfilter/ipset/ip_set_hash_mac.c b/kernel/net/netfilter/ipset/ip_set_hash_mac.c
index f9d5a2a..4fe5f24 100644
--- a/kernel/net/netfilter/ipset/ip_set_hash_mac.c
+++ b/kernel/net/netfilter/ipset/ip_set_hash_mac.c
@@ -81,15 +81,15 @@ hash_mac4_kadt(struct ip_set *set, const struct sk_buff *skb,
struct hash_mac4_elem e = { { .foo[0] = 0, .foo[1] = 0 } };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
- /* MAC can be src only */
- if (!(opt->flags & IPSET_DIM_ONE_SRC))
- return 0;
if (skb_mac_header(skb) < skb->head ||
(skb_mac_header(skb) + ETH_HLEN) > skb->data)
return -EINVAL;
- ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
+ if (opt->flags & IPSET_DIM_ONE_SRC)
+ ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
+ else
+ ether_addr_copy(e.ether, eth_hdr(skb)->h_dest);
if (is_zero_ether_addr(e.ether))
return -EINVAL;
return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);