netfilter: ipset: bitmap:ip,mac type requires "src" for MAC
author Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Wed, 13 Apr 2011 11:43:23 +0000 (13:43 +0200)
committer Patrick McHardy <kaber@trash.net>
Wed, 13 Apr 2011 11:43:23 +0000 (13:43 +0200)
Enforce that the second "src/dst" parameter of the set match and SET target
must be "src", because we have access to the source MAC only in the packet.
The previous behaviour, that the type required the second parameter
but actually ignored the value, was counter-intuitive and confusing.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
net/netfilter/ipset/ip_set_bitmap_ipmac.c

index 00a33242e90c2e89994a0711fcae7a61809225e5..a274300b6a566faee28c3e10d31fdba1bbd212c0 100644 (file)
@@ -343,6 +343,10 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
        ipset_adtfn adtfn = set->variant->adt[adt];
        struct ipmac data;
 
+       /* MAC can be src only */
+       if (!(flags & IPSET_DIM_TWO_SRC))
+               return 0;
+
        data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
        if (data.id < map->first_ip || data.id > map->last_ip)
                return -IPSET_ERR_BITMAP_RANGE;
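Review bot: The early `return 0` when IPSET_DIM_TWO_SRC is not set, at the top of bitmap_ipmac_kadt(), fails silently. The function returns the same 0 for whatever operation `adt` selects, and nothing in this hunk tells the administrator that a rule written with "dst" in the second position is inert. Since the commit message describes this as enforcement, consider returning a negative error here, as the range check just below does with -IPSET_ERR_BITMAP_RANGE, or rejecting the "dst" value when the rule is set up rather than per packet. The placement also means a "dst" rule with an out-of-range address now returns 0 instead of the range error; if that ordering is intentional, say so in the comment. The comment itself would be more useful if it stated the reason given in the commit message, that only the source MAC is available in the packet.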