From e883bb17de2b69e7f3ae9b414915aebef477f383 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik
Date: Wed, 4 Sep 2013 16:49:08 +0200
Subject: Introduce new operation to get both setname and family ip[6]tables set match and SET target need to know the family of the set in order to reject adding rules which refer to a set with a non-mathcing family. Currently such rules are silently accepted and then ignored instead of generating a clear error message to the user, which is not helpful.
---
 kernel/net/netfilter/ipset/ip_set_core.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'kernel/net/netfilter')
diff --git a/kernel/net/netfilter/ipset/ip_set_core.c b/kernel/net/netfilter/ipset/ip_set_core.c
index 4c95bb8..2532c92 100644
--- a/kernel/net/netfilter/ipset/ip_set_core.c
+++ b/kernel/net/netfilter/ipset/ip_set_core.c
@@ -1804,6 +1804,23 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
 unlock_nfnl();
 goto copy;
 }
+ case IP_SET_OP_GET_FNAME: {
+ struct ip_set_req_get_set_family *req_get = data;
+ ip_set_id_t id;
+
+ if (*len != sizeof(struct ip_set_req_get_set_family)) {
+ ret = -EINVAL;
+ goto done;
+ }
+ req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
+ lock_nfnl();
+ find_set_and_id(req_get->set.name, &id);
+ req_get->set.index = id;
+ if (id != IPSET_INVALID_ID)
+ req_get->family = nfnl_set(id)->family;
+ unlock_nfnl();
+ goto copy;
+ }
 case IP_SET_OP_GET_BYINDEX: {
 struct ip_set_req_get_set *req_get = data;
 struct ip_set *set;
-- cgit v1.2.3
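Review bot: On the not-found path of the new `IP_SET_OP_GET_FNAME` case, `req_get->family` is never written, so `goto copy` returns `set.index == IPSET_INVALID_ID` together with whatever value the caller originally placed in `family`. Assuming `data` is the request buffer copied in from userspace earlier in ip_set_sockfn_get (that code is outside the hunk, as are the function's start and end), this is not a kernel memory disclosure, but a caller that reads `family` without first testing the index would act on its own stale value. I would document the contract directly above the `if (id != IPSET_INVALID_ID)` line with `/* family is valid only when set.index != IPSET_INVALID_ID; callers must check the index first */`, and repeat it where `struct ip_set_req_get_set_family` is declared. The return value of `find_set_and_id()` is also discarded here, so a short comment noting that only `id` is needed would make that intent explicit.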