git.ipfire.org Git - thirdparty/ipset.git/commit

author	Jozsef Kadlecsik <kadlec@netfilter.org>
	Mon, 9 Mar 2020 11:01:42 +0000 (12:01 +0100)
committer	Jozsef Kadlecsik <kadlec@netfilter.org>
	Mon, 9 Mar 2020 11:01:42 +0000 (12:01 +0100)
commit	c2dfb6432aea5bb0a3522901b0c44f42d8adbd49
tree	4d2d2a370a8ec52871a7b3781ed024ac4dc35d8f	tree
parent	73dfa4dfe56f748bd419dd79133d4a61e0917e74	commit \| diff

Introduce --update-counters-first flag for the set target

Stefano Brivio reported that the patch 'netfilter: ipset:
Fix "don't update counters" mode when counters used at the matching'
changed the semantic of when the counters are updated. Before the patch
the counters were updated regardless of the results of the counter
matches, after the patch the counters were updated only if the counter
match conditions (if specified) matched the packet. In order to handle
both ways, the --update-counters-first flag is introduced: when the flag
is specified, the counters are updated before checking the counter match
conditions. Without the flag the current evaluation path (i.e. update
only if counter conditions match) works.

Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

kernel/include/uapi/linux/netfilter/ipset/ip_set.h		diff \| blob \| blame \| history
kernel/net/netfilter/ipset/ip_set_core.c		diff \| blob \| blame \| history
kernel/net/netfilter/xt_set.c		diff \| blob \| blame \| history