git.ipfire.org Git - thirdparty/ipset.git/commit

author	Kristian Evensen <kristian.evensen@gmail.com>
	Thu, 26 Sep 2019 10:06:45 +0000 (12:06 +0200)
committer	Jozsef Kadlecsik <kadlec@netfilter.org>
	Thu, 31 Oct 2019 14:11:09 +0000 (15:11 +0100)
commit	6dd8bdacfe82ed178c5d6538685f02eb996a3c76
tree	ad11b90d7e36cade863127510e3056123b12f120	tree
parent	0b08f9f17ae95a6f8eded6543922b99e7f29cbf7	commit \| diff

ipset: Add wildcard support to net,iface

The net,iface equal functions currently compares the full interface
names. In several cases, wildcard (or prefix) matching is useful. For
example, when converting a large iptables rule-set to make use of ipset,
I was able to significantly reduce the number of set elements by making
use of wildcard matching.

Wildcard matching is enabled by adding "wildcard" when adding an element
to a set. Internally, this causes the IPSET_FLAG_IFACE_WILDCARD-flag to
be set. When this flag is set, only the initial part of the interface
name is used for comparison.

Wildcard matching is done per element and not per set, as there are many
cases where mixing wildcard and non-wildcard elements are useful. This
means that is up to the user to handle (avoid) overlapping interface
names.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

include/libipset/args.h		diff \| blob \| blame \| history
include/libipset/data.h		diff \| blob \| blame \| history
include/libipset/linux_ip_set.h		diff \| blob \| blame \| history
kernel/include/uapi/linux/netfilter/ipset/ip_set.h		diff \| blob \| blame \| history
kernel/net/netfilter/ipset/ip_set_hash_netiface.c		diff \| blob \| blame \| history
lib/args.c		diff \| blob \| blame \| history
lib/data.c		diff \| blob \| blame \| history
lib/ipset_hash_netiface.c		diff \| blob \| blame \| history
src/ipset.8		diff \| blob \| blame \| history