review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Stefano Brivio <sbrivio@redhat.com>
	Fri, 17 Aug 2018 19:09:47 +0000 (21:09 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 26 Jan 2019 08:32:33 +0000 (09:32 +0100)
commit	ad7013cd6d6a95807673fe80a818156f96513d4d
tree	4ac7eaac5175fc5f471e3df3fb0e0a4fc5dc2bfc	tree \| snapshot
parent	183144815e34369b97b8efbee7f524388c71ae1f	commit \| diff

netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets

[ Upstream commit 8cc4ccf58379935f3ad456cc34e61c4e4c921d0e ]

There doesn't seem to be any reason to restrict MAC address
matching to source MAC addresses in set types bitmap:ipmac,
hash:ipmac and hash:mac. With this patch, and this setup:

  ip netns add A
  ip link add veth1 type veth peer name veth2 netns A
  ip addr add 192.0.2.1/24 dev veth1
  ip -net A addr add 192.0.2.2/24 dev veth2
  ip link set veth1 up
  ip -net A link set veth2 up

  ip netns exec A ipset create test hash:mac
  dst=$(ip netns exec A cat /sys/class/net/veth2/address)
  ip netns exec A ipset add test ${dst}
  ip netns exec A iptables -P INPUT DROP
  ip netns exec A iptables -I INPUT -m set --match-set test dst -j ACCEPT

ipset will match packets based on destination MAC address:

  # ping -c1 192.0.2.2 >/dev/null
  # echo $?
  0

Reported-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Sasha Levin <sashal@kernel.org>

net/netfilter/ipset/ip_set_bitmap_ipmac.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_ipmac.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_mac.c		diff \| blob \| history