ipvs: add ipset-type blklst to support deny list in network-cidr gran…

…ularity

Signed-off-by: ywc689 <[email protected]>

include/conf/blklst.h

@@ -24,22 +24,22 @@
 
 #include "inet.h"
 #include "conf/sockopts.h"
+#include "conf/ipset.h"
 
 struct dp_vs_blklst_entry {
     union inet_addr addr;
 };
 
 typedef struct dp_vs_blklst_conf {
     /* identify service */
-    union inet_addr     blklst;
     union inet_addr     vaddr;
-    int                 af;
-    uint32_t            fwmark;
     uint16_t            vport;
     uint8_t             proto;
-    uint8_t             padding;
+    uint8_t             af;
 
-    /* for set */
+    /* subject and ipset are mutual exclusive */
+    union inet_addr     subject;
+    char                ipset[IPSET_MAXNAMELEN];
 } dpvs_blklst_t;
 
 struct dp_vs_blklst_conf_array {

include/ipvs/blklst.h

@@ -18,20 +18,25 @@
 #ifndef __DPVS_BLKLST_H__
 #define __DPVS_BLKLST_H__
 #include "conf/common.h"
-#include "ipvs/service.h"
 #include "timer.h"
+#include "ipvs/service.h"
+#include "ipset/ipset.h"
 
 struct blklst_entry {
     struct list_head    list;
-    int af;
-    uint8_t             proto;
-    uint16_t            vport;
+
     union inet_addr     vaddr;
-    union inet_addr     blklst;
+    uint16_t            vport;
+    uint8_t             proto;
+    uint8_t             af;
+
+    union inet_addr     subject;
+    struct ipset        *set;
+    bool                dst_match; /* internal use for ipset */
 };
 
-struct blklst_entry *dp_vs_blklst_lookup(int af, uint8_t proto, const union inet_addr *vaddr,
-                                         uint16_t vport, const union inet_addr *blklst);
+bool dp_vs_blklst_filtered(int af, uint8_t proto, const union inet_addr *vaddr,
+        uint16_t vport, const union inet_addr *subject, struct rte_mbuf *mbuf);
 void dp_vs_blklst_flush(struct dp_vs_service *svc);
 
 int dp_vs_blklst_init(void);