From 6dd8bdacfe82ed178c5d6538685f02eb996a3c76 Mon Sep 17 00:00:00 2001
From: Kristian Evensen
Date: Thu, 26 Sep 2019 12:06:45 +0200
Subject: ipset: Add wildcard support to net,iface

The net,iface equal functions currently compares the full interface names. In several cases, wildcard (or prefix) matching is useful. For example, when converting a large iptables rule-set to make use of ipset, I was able to significantly reduce the number of set elements by making use of wildcard matching. Wildcard matching is enabled by adding "wildcard" when adding an element to a set. Internally, this causes the IPSET_FLAG_IFACE_WILDCARD-flag to be set. When this flag is set, only the initial part of the interface name is used for comparison. Wildcard matching is done per element and not per set, as there are many cases where mixing wildcard and non-wildcard elements are useful. This means that is up to the user to handle (avoid) overlapping interface names.

Signed-off-by: Kristian Evensen
Signed-off-by: Jozsef Kadlecsik
---
 lib/data.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'lib/data.c')

diff --git a/lib/data.c b/lib/data.c
index 47c9ddb..f28d1d3 100644
--- a/lib/data.c
+++ b/lib/data.c
@@ -410,6 +410,9 @@ ipset_data_set(struct ipset_data *data, enum ipset_opt opt, const void *value)
 case IPSET_OPT_NOMATCH:
 cadt_flag_type_attr(data, opt, IPSET_FLAG_NOMATCH);
 break;
+ case IPSET_OPT_IFACE_WILDCARD:
+ cadt_flag_type_attr(data, opt, IPSET_FLAG_IFACE_WILDCARD);
+ break;
 case IPSET_OPT_FLAGS:
 data->flags = *(const uint32_t *)value;
 break;
@@ -433,6 +436,9 @@ ipset_data_set(struct ipset_data *data, enum ipset_opt opt, const void *value)
 if (data->cadt_flags & IPSET_FLAG_WITH_SKBINFO)
 ipset_data_flags_set(data, IPSET_FLAG(IPSET_OPT_SKBINFO));
+ if (data->cadt_flags & IPSET_FLAG_IFACE_WILDCARD)
+ ipset_data_flags_set(data,
+ IPSET_FLAG(IPSET_OPT_IFACE_WILDCARD));
 break;
 default:
 return -1;
 
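Review bot: The new `case IPSET_OPT_IFACE_WILDCARD:` in ipset_data_set maps the option to a cadt flag with no hint of its semantics, and unlike its siblings this flag carries a caveat that only the commit message states (overlap between wildcard and exact elements is left to the user), so I would add `/* Per-element prefix match on the interface name; overlap with exact elements is not checked here */` above the new case. The second hunk mirrors the flag into the option bitmap the same way `IPSET_FLAG_WITH_SKBINFO` is, inside a case whose label lies outside the hunk, and the enclosing switch of ipset_data_set begins and ends outside both hunks. Since this view is limited to lib/data.c, nothing here restricts the option to net,iface sets; presumably the type-specific argument tables do that, which is worth confirming against the rest of the commit.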
@@ -564,6 +570,7 @@ ipset_data_get(const struct ipset_data *data, enum ipset_opt opt)
 case IPSET_OPT_CREATE_COMMENT:
 case IPSET_OPT_FORCEADD:
 case IPSET_OPT_SKBINFO:
+ case IPSET_OPT_IFACE_WILDCARD:
 return &data->cadt_flags;
 default:
 return NULL;
@@ -630,6 +637,7 @@ ipset_data_sizeof(enum ipset_opt opt, uint8_t family)
 case IPSET_OPT_NOMATCH:
 case IPSET_OPT_COUNTERS:
 case IPSET_OPT_FORCEADD:
+ case IPSET_OPT_IFACE_WILDCARD:
 return sizeof(uint32_t);
 case IPSET_OPT_ADT_COMMENT:
 return IPSET_MAX_COMMENT_SIZE + 1;
-- 
cgit v1.2.3