diff options
| author | Jozsef Kadlecsik | 2011-04-13 13:43:23 +0200 |
|---|---|---|
| committer | Patrick McHardy | 2011-04-13 13:43:23 +0200 |
| commit | 0e8a835aa59d08d702af0fcfd296e2218b2e344b (patch) | |
| tree | cfc99302895c328a9f394ead9695e8e99ac92de1 | |
| parent | Merge branch 'master' of ssh://master.kernel.org/pub/scm/linux/kernel/git/kab... (diff) | |
| download | kernel-qcow2-linux-0e8a835aa59d08d702af0fcfd296e2218b2e344b.tar.gz kernel-qcow2-linux-0e8a835aa59d08d702af0fcfd296e2218b2e344b.tar.xz kernel-qcow2-linux-0e8a835aa59d08d702af0fcfd296e2218b2e344b.zip | |
netfilter: ipset: bitmap:ip,mac type requires "src" for MAC
Enforce that the second "src/dst" parameter of the set match and SET target
must be "src", because we have access to the source MAC only in the packet.
The previous behaviour, that the type required the second parameter
but actually ignored the value was counter-intuitive and confusing.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
| -rw-r--r-- | net/netfilter/ipset/ip_set_bitmap_ipmac.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c index 00a33242e90c..a274300b6a56 100644 --- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c +++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c @@ -343,6 +343,10 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb, ipset_adtfn adtfn = set->variant->adt[adt]; struct ipmac data; + /* MAC can be src only */ + if (!(flags & IPSET_DIM_TWO_SRC)) + return 0; + data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC)); if (data.id < map->first_ip || data.id > map->last_ip) return -IPSET_ERR_BITMAP_RANGE; |