-rw-r--r-- | kernel/net/netfilter/ipset/ip_set_bitmap_ipmac.c | 4 | ||||
-rw-r--r-- | src/ipset.8 | 7 |
2 files changed, 8 insertions, 3 deletions
diff --git a/kernel/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/kernel/net/netfilter/ipset/ip_set_bitmap_ipmac.c index 35b4879..913a461 100644 --- a/kernel/net/netfilter/ipset/ip_set_bitmap_ipmac.c +++ b/kernel/net/netfilter/ipset/ip_set_bitmap_ipmac.c @@ -344,6 +344,10 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb, ipset_adtfn adtfn = set->variant->adt[adt]; struct ipmac data; + /* MAC can be src only */ + if (!(flags & IPSET_DIM_TWO_SRC)) + return 0; + data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC)); if (data.id < map->first_ip || data.id > map->last_ip) return -IPSET_ERR_BITMAP_RANGE; diff --git a/src/ipset.8 b/src/ipset.8 index 9603ddc..d9e5ff8 100644 --- a/src/ipset.8 +++ b/src/ipset.8 @@ -302,9 +302,10 @@ matched by the kernel, it will automatically fill out the missing MAC address wi source MAC address from the packet. If the entry was specified with a timeout value, the timer starts off when the IP and MAC address pair is complete. .PP -Please note, the \fBset\fR match and \fBSET\fR target netfilter kernel modules -\fBalways\fR use the source MAC address from the packet to match, add or delete -entries from a \fBbitmap:ip,mac\fR type of set. +The \fBbitmap:ip,mac\fR type of sets require two \fBsrc/dst\fR parameters of +the \fBset\fR match and \fBSET\fR target netfilter kernel modules and the second +one must be \fBsrc\fR to match, add or delete entries because the \fBset\fR match +and \fBSET\fR target have access to the source MAC address only. .PP Examples: .IP |
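Review bot: The new early `return 0;` in bitmap_ipmac_kadt makes a wrong direction flag look exactly like an ordinary result, whereas the range check just below reports `-IPSET_ERR_BITMAP_RANGE`. Assuming the callers (not visible here) read 0 as "no match" on test and as success on add/del, a rule written with `dst` as the second dimension silently never matches and never adds or deletes. An inverted set match on such a rule would then match every packet, which is the fail-open case worth guarding against. If the direction cannot be rejected when the rule is installed, consider a negative return such as `-EINVAL` if the callers propagate it, or at least widen the comment to `/* MAC can be src only: a dst second dimension is reported as no match / no-op */`. The function body starts and ends outside this hunk.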