netfilter: ipset: Support to match elements marked with "nomatch"

[karo-tx-linux.git] / net / netfilter / ipset / ip_set_core.c

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 72e9bf0ef90d73c32a043cf74280b4e97136f298..778465f217fa975c39af6fb3d7429214dbfe2a51 100644 (file)
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -370,6 +370,12 @@ ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
                set->variant->kadt(set, skb, par, IPSET_ADD, opt);
                write_unlock_bh(&set->lock);
                ret = 1;
+       } else {
+               /* --return-nomatch: invert matched element */
+               if ((opt->flags & IPSET_RETURN_NOMATCH) &&
+                   (set->type->features & IPSET_TYPE_NOMATCH) &&
+                   (ret > 0 || ret == -ENOTEMPTY))
+                       ret = -ret;
        }
 
        /* Convert error codes to nomatch */