Exceptions support added to hash:*net* types

The "nomatch" keyword and option is added to the hash:*net* types,
by which one can add exception entries to sets. Example:

	ipset create test hash:net
	ipset add test 192.168.0/24
	ipset add test 192.168.0/30 nomatch

In this case the IP addresses from 192.168.0/24 except 192.168.0/30
match the elements of the set.

2 files changed, 7 insertions, 1 deletions

diff --git a/include/libipset/data.h b/include/libipset/data.h
index 3ba6f0a..525cc6a 100644
--- a/include/libipset/data.h
+++ b/include/libipset/data.h
@@ -53,6 +53,7 @@ enum ipset_opt {
 	IPSET_OPT_EXIST,
 	IPSET_OPT_BEFORE,
 	IPSET_OPT_PHYSDEV,
+	IPSET_OPT_NOMATCH,
 	/* Internal options */
 	IPSET_OPT_FLAGS = 48,	/* IPSET_FLAG_EXIST| */
 	IPSET_OPT_CADT_FLAGS,	/* IPSET_FLAG_BEFORE| */
@@ -101,7 +102,8 @@ enum ipset_opt {
 	| IPSET_FLAG(IPSET_OPT_IFACE) \
 	| IPSET_FLAG(IPSET_OPT_CADT_FLAGS)\
 	| IPSET_FLAG(IPSET_OPT_BEFORE) \
-	| IPSET_FLAG(IPSET_OPT_PHYSDEV))
+	| IPSET_FLAG(IPSET_OPT_PHYSDEV) \
+	| IPSET_FLAG(IPSET_OPT_NOMATCH))
 
 struct ipset_data;
 
diff --git a/include/libipset/linux_ip_set.h b/include/libipset/linux_ip_set.h
index b336d43..008da06 100644
--- a/include/libipset/linux_ip_set.h
+++ b/include/libipset/linux_ip_set.h
@@ -150,6 +150,7 @@ enum ipset_cmd_flags {
 	IPSET_FLAG_LIST_SETNAME	= (1 << IPSET_FLAG_BIT_LIST_SETNAME),
 	IPSET_FLAG_BIT_LIST_HEADER = 2,
 	IPSET_FLAG_LIST_HEADER	= (1 << IPSET_FLAG_BIT_LIST_HEADER),
+	IPSET_FLAG_CMD_MAX = 15,	/* Lower half */
 };
 
 /* Flags at CADT attribute level */
@@ -158,6 +159,9 @@ enum ipset_cadt_flags {
 	IPSET_FLAG_BEFORE	= (1 << IPSET_FLAG_BIT_BEFORE),
 	IPSET_FLAG_BIT_PHYSDEV	= 1,
 	IPSET_FLAG_PHYSDEV	= (1 << IPSET_FLAG_BIT_PHYSDEV),
+	IPSET_FLAG_BIT_NOMATCH	= 2,
+	IPSET_FLAG_NOMATCH	= (1 << IPSET_FLAG_BIT_NOMATCH),
+	IPSET_FLAG_CADT_MAX	= 15,	/* Upper half */
 };
 
 /* Commands with settype-specific attributes */