-rw-r--r--kernel/net/netfilter/ipset/ip_set_bitmap_ipmac.c4
-rw-r--r--src/ipset.87
2 files changed, 8 insertions, 3 deletions
diff --git a/kernel/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/kernel/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 35b4879..913a461 100644
--- a/kernel/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/kernel/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -344,6 +344,10 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
ipset_adtfn adtfn = set->variant->adt[adt];
struct ipmac data;
+ /* MAC can be src only */
+ if (!(flags & IPSET_DIM_TWO_SRC))
+ return 0;
+
data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
if (data.id < map->first_ip || data.id > map->last_ip)
return -IPSET_ERR_BITMAP_RANGE;
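Review bot: The new early `return 0;` under `if (!(flags & IPSET_DIM_TWO_SRC))` makes a wrongly specified direction look like an ordinary result, and the one-line comment does not say what that result means to callers. The callers are outside the hunk, but if 0 is read as "no match" on test and as success on add/del, then a rule with `dst` as the second dimension silently never matches, a negated match on such a rule matches every packet, and a SET target appears to work while doing nothing. I would spell that out in the comment, e.g. `/* Only the source MAC is available from the skb: with dst as the second dimension, test reports no match and add/del is a no-op */`. It is also worth checking whether the direction flags can be rejected when the rule is loaded, so the misconfiguration is visible to the administrator rather than only in packet-path behaviour. The body of `bitmap_ipmac_kadt` begins and ends outside this hunk.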
diff --git a/src/ipset.8 b/src/ipset.8
index 9603ddc..d9e5ff8 100644
--- a/src/ipset.8
+++ b/src/ipset.8
@@ -302,9 +302,10 @@ matched by the kernel, it will automatically fill out the missing MAC address wi
source MAC address from the packet. If the entry was specified with a timeout value,
the timer starts off when the IP and MAC address pair is complete.
.PP
-Please note, the \fBset\fR match and \fBSET\fR target netfilter kernel modules
-\fBalways\fR use the source MAC address from the packet to match, add or delete
-entries from a \fBbitmap:ip,mac\fR type of set.
+The \fBbitmap:ip,mac\fR type of sets require two \fBsrc/dst\fR parameters of
+the \fBset\fR match and \fBSET\fR target netfilter kernel modules and the second
+one must be \fBsrc\fR to match, add or delete entries because the \fBset\fR match
+and \fBSET\fR target have access to the source MAC address only.
.PP
Examples:
.IP