From: Sasha Levin <sashal@kernel•org>
To: stable@vger•kernel.org, linux-kernel@vger•kernel.org
Cc: Eric Westbrook <eric@westbrook•io>,
Eric Westbrook <linux@westbrook•io>,
Jozsef Kadlecsik <kadlec@blackhole•kfki.hu>,
Pablo Neira Ayuso <pablo@netfilter•org>,
Sasha Levin <sashal@kernel•org>,
netfilter-devel@vger•kernel.org, coreteam@netfilter•org,
netdev@vger•kernel.org
Subject: [PATCH AUTOSEL 4.18 06/59] netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
Date: Wed, 14 Nov 2018 17:22:38 -0500 [thread overview]
Message-ID: <20181114222335.99339-6-sashal@kernel.org> (raw)
In-Reply-To: <20181114222335.99339-1-sashal@kernel.org>
From: Eric Westbrook <eric@westbrook•io>
[ Upstream commit 886503f34d63e681662057448819edb5b1057a97 ]
Allow /0 as advertised for hash:net,port,net sets.
For "hash:net,port,net", ipset(8) says that "either subnet
is permitted to be a /0 should you wish to match port
between all destinations."
Make that statement true.
Before:
# ipset create cidrzero hash:net,port,net
# ipset add cidrzero 0.0.0.0/0,12345,0.0.0.0/0
ipset v6.34: The value of the CIDR parameter of the IP address is invalid
# ipset create cidrzero6 hash:net,port,net family inet6
# ipset add cidrzero6 ::/0,12345,::/0
ipset v6.34: The value of the CIDR parameter of the IP address is invalid
After:
# ipset create cidrzero hash:net,port,net
# ipset add cidrzero 0.0.0.0/0,12345,0.0.0.0/0
# ipset test cidrzero 192.168.205.129,12345,172.16.205.129
192.168.205.129,tcp:12345,172.16.205.129 is in set cidrzero.
# ipset create cidrzero6 hash:net,port,net family inet6
# ipset add cidrzero6 ::/0,12345,::/0
# ipset test cidrzero6 fe80::1,12345,ff00::1
fe80::1,tcp:12345,ff00::1 is in set cidrzero6.
See also:
https://bugzilla.kernel.org/show_bug.cgi?id=200897
https://github.com/ewestbrook/linux/commit/df7ff6efb0934ab6acc11f003ff1a7580d6c1d9c
Signed-off-by: Eric Westbrook <linux@westbrook•io>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole•kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter•org>
Signed-off-by: Sasha Levin <sashal@kernel•org>
---
net/netfilter/ipset/ip_set_hash_netportnet.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index d391485a6acd..613e18e720a4 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -213,13 +213,13 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_CIDR]) {
e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
- if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
+ if (e.cidr[0] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
if (tb[IPSET_ATTR_CIDR2]) {
e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
- if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
+ if (e.cidr[1] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
@@ -493,13 +493,13 @@ hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_CIDR]) {
e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
- if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
+ if (e.cidr[0] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
if (tb[IPSET_ATTR_CIDR2]) {
e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
- if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
+ if (e.cidr[1] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
--
2.17.1
next prev parent reply other threads:[~2018-11-14 22:22 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20181114222335.99339-1-sashal@kernel.org>
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 05/59] netfilter: ipset: list:set: Decrease refcount synchronously on deletion and replace Sasha Levin
2018-11-14 22:22 ` Sasha Levin [this message]
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 07/59] netfilter: ipset: fix ip_set_list allocation failure Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 10/59] bpf: fix bpf_prog_get_info_by_fd to return 0 func_lens for unpriv Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 11/59] usbnet: smsc95xx: disable carrier check while suspending Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 12/59] net: dsa: microchip: initialize mutex before use Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 13/59] net: bcmgenet: protect stop from timeout Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 14/59] net: systemport: Protect " Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 16/59] netfilter: xt_IDLETIMER: add sysfs filename checking routine Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 17/59] netfilter: ipset: Fix calling ip_set() macro at dumping Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 18/59] netfilter: nft_compat: ebtables 'nat' table is normal chain type Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 20/59] net: hns3: Fix for out-of-bounds access when setting pfc back pressure Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 21/59] mlxsw: spectrum: Fix IP2ME CPU policer configuration Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 23/59] net: phy: realtek: fix RTL8201F sysfs name Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 43/59] ice: Fix dead device link issue with flow control Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 44/59] ice: Fix the bytecount sent to netdev_tx_sent_queue Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 45/59] i40e: restore NETIF_F_GSO_IPXIP[46] to netdev features Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 46/59] ibmvnic: fix accelerated VLAN handling Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 47/59] qed: Fix memory/entry leak in qed_init_sp_request() Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 48/59] qed: Fix blocking/unlimited SPQ entries leak Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 49/59] qed: Fix SPQ entries not returned to pool in error flows Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 50/59] qed: Fix potential memory corruption Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 51/59] net: stmmac: Fix RX packet size > 8191 Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 52/59] net: smsc95xx: Fix MTU range Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 54/59] net: aquantia: fix potential IOMMU fault after driver unbind Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 55/59] net: aquantia: fixed enable unicast on 32 macvlan Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 56/59] net: aquantia: invalid checksumm offload implementation Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 57/59] net: qualcomm: rmnet: Fix incorrect assignment of real_dev Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 59/59] net: dsa: mv88e6xxx: Fix clearing of stats counters Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181114222335.99339-6-sashal@kernel.org \
--to=sashal@kernel$(echo .)org \
--cc=coreteam@netfilter$(echo .)org \
--cc=eric@westbrook$(echo .)io \
--cc=kadlec@blackhole$(echo .)kfki.hu \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=linux@westbrook$(echo .)io \
--cc=netdev@vger$(echo .)kernel.org \
--cc=netfilter-devel@vger$(echo .)kernel.org \
--cc=pablo@netfilter$(echo .)org \
--cc=stable@vger$(echo .)kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox