From 6d4fa852a023080101f1665ea189dd1844c87fef Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Wed, 11 Jul 2012 10:56:57 +0000
Subject: net: sched: add ipset ematch

Can be used to match packets against netfilter ip sets created via ipset(8).
skb->sk_iif is used as 'incoming interface', skb->dev is 'outgoing interface'.

Since ipset is usually called from netfilter, the ematch
initializes a fake xt_action_param, pulls the ip header into the
linear area and also sets skb->data to the IP header (otherwise
matching Layer 4 set types doesn't work).

Tested-by: Mr Dash Four <mr.dash.four@googlemail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/sched/Kconfig | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'net/sched/Kconfig')

diff --git a/net/sched/Kconfig b/net/sched/Kconfig
index 4a5d2bd4f789..62fb51face8a 100644
--- a/net/sched/Kconfig
+++ b/net/sched/Kconfig
@@ -517,6 +517,16 @@ config NET_EMATCH_CANID
 	  To compile this code as a module, choose M here: the
 	  module will be called em_canid.
 
+config NET_EMATCH_IPSET
+	tristate "IPset"
+	depends on NET_EMATCH && IP_SET
+	---help---
+	  Say Y here if you want to be able to classify packets based on
+	  ipset membership.
+
+	  To compile this code as a module, choose M here: the
+	  module will be called em_ipset.
+
 config NET_CLS_ACT
 	bool "Actions"
 	---help---
-- 
cgit v1.2.3