netfilter: ipset: Support to match elements marked with "nomatch"
Exceptions can now be matched and we can branch according to the
possible cases:
a. match in the set if the element is not flagged as "nomatch"
b. match in the set if the element is flagged with "nomatch"
c. no match
i.e.
iptables ... -m set --match-set ... -j ...
iptables ... -m set --match-set ... --nomatch-entries -j ...
...
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Showing
- include/linux/netfilter/ipset/ip_set.h: 4 additions, 0 deletions
- net/netfilter/ipset/ip_set_core.c: 6 additions, 0 deletions
- net/netfilter/ipset/ip_set_hash_ipportnet.c: 6 additions, 5 deletions
- net/netfilter/ipset/ip_set_hash_net.c: 5 additions, 5 deletions
- net/netfilter/ipset/ip_set_hash_netiface.c: 6 additions, 5 deletions
- net/netfilter/ipset/ip_set_hash_netport.c: 5 additions, 5 deletions
- net/netfilter/xt_set.c: 22 additions, 0 deletions