authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2013-09-04 16:49:08 +0200
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2013-09-04 16:49:08 +0200
commite883bb17de2b69e7f3ae9b414915aebef477f383 (patch)
tree5d0899a9aa7498c44e89e5764c00641407b9729b /kernel/net/netfilter/ipset
parent480761a3bdaa55bf8c966e4dab950ebf84775863 (diff)
Introduce new operation to get both setname and family
ip[6]tables set match and SET target need to know the family of the set in order to reject adding rules which refer to a set with a non-matching family. Currently such rules are silently accepted and then ignored instead of generating a clear error message to the user, which is not helpful.
Diffstat (limited to 'kernel/net/netfilter/ipset')
-rw-r--r--kernel/net/netfilter/ipset/ip_set_core.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/kernel/net/netfilter/ipset/ip_set_core.c b/kernel/net/netfilter/ipset/ip_set_core.c
index 4c95bb8..2532c92 100644
--- a/kernel/net/netfilter/ipset/ip_set_core.c
+++ b/kernel/net/netfilter/ipset/ip_set_core.c
@@ -1804,6 +1804,23 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
unlock_nfnl();
goto copy;
}
+ case IP_SET_OP_GET_FNAME: {
+ struct ip_set_req_get_set_family *req_get = data;
+ ip_set_id_t id;
+
+ if (*len != sizeof(struct ip_set_req_get_set_family)) {
+ ret = -EINVAL;
+ goto done;
+ }
+ req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
+ lock_nfnl();
+ find_set_and_id(req_get->set.name, &id);
+ req_get->set.index = id;
+ if (id != IPSET_INVALID_ID)
+ req_get->family = nfnl_set(id)->family;
+ unlock_nfnl();
+ goto copy;
+ }
case IP_SET_OP_GET_BYINDEX: {
struct ip_set_req_get_set *req_get = data;
struct ip_set *set;
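Review bot: In the new `IP_SET_OP_GET_FNAME` case, `req_get->family` is written only when `id != IPSET_INVALID_ID`, so on a failed lookup the field goes back to the caller with whatever value it held on entry, and the only failure signal is `set.index`. If `data` is the kernel-side copy of the user buffer (the start of `ip_set_sockfn_get` and the `copy` label are outside the hunk, so this is inferred), nothing from kernel memory is disclosed, but a caller that reads `family` without first checking the index will act on its own stale input. I would make the miss explicit with `else req_get->family = NFPROTO_UNSPEC;`, or at least add the comment `/* family is valid only if set.index != IPSET_INVALID_ID */` above the assignment. The same contract is worth stating next to the definition of `struct ip_set_req_get_set_family`, which is not part of this diff.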