path: root/include/linux/netfilter/ipset/ip_set.h
Commit message | Author | Age | Files | Lines
* Alignment problem between 64bit kernel 32bit userspace | Jozsef Kadlecsik | 2014-11-06 | 1 | -1/+7

  Sven-Haegar Koch reported the issue:

    sims:~# iptables -A OUTPUT -m set --match-set testset src -j ACCEPT
    iptables: Invalid argument. Run `dmesg' for more information.

  In syslog:

    x_tables: ip_tables: set.3 match: invalid size 48 (kernel) != (user) 32

  which was introduced by the counter extension in ipset.

  The patch fixes the alignment issue by introducing a new set match
  revision with the fixed underlying 'struct ip_set_counter_match'
  structure.

  Signed-off-by: Jozsef Kadlecsik <>

* xtables: SET target: Add mapping of meta information (skbinfo ipset extension) | Anton Danilov | 2014-09-14 | 1 | -0/+10

  This feature adds support for mapping meta information to packets, like
  nftables maps or ipfw tables. Currently we can map firewall mark, tc
  priority and hardware NIC queue. Usage of this functionality is allowed
  only from the mangle table. We can map tc priority only in
  OUTPUT/FORWARD/POSTROUTING chains because it is rewritten by the route
  decision. If the entry doesn't exist in the set, none of the fields are
  changed.

  Example of classifying by destination address:

    iptables -t mangle -A POSTROUTING -o eth0 -j SET --map-set DST2CLASS dst --map-prio

  Signed-off-by: Anton Danilov <>
  Signed-off-by: Jozsef Kadlecsik <>

* extensions: libxt_set, libxt_SET: check the set family too | Jozsef Kadlecsik | 2013-11-18 | 1 | -0/+9

  Do not silently accept sets with the wrong protocol family but reject
  them with an error message. It makes it straightforward to catch user
  errors.

  [ Use afinfo instead to avoid a binary interface update --pablo ]

  Signed-off-by: Jozsef Kadlecsik <>
  Signed-off-by: Pablo Neira Ayuso <>

* Introduce a new revision for the set match with the counters support | Jozsef Kadlecsik | 2013-06-07 | 1 | -10/+42

  The revision adds support for matching the packet/byte counters if the
  set was defined with the extension. Also, a new flag is introduced to
  suppress updating the packet/byte counters if required.

  Signed-off-by: Jozsef Kadlecsik <>

* New set match revision with --return-nomatch flag support | Jozsef Kadlecsik | 2012-09-21 | 1 | -0/+2

* include: refresh include files from kernel 3.1-rc3 | Jan Engelhardt | 2011-08-31 | 1 | -0/+225

  Signed-off-by: Jan Engelhardt <>