From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Eric Westbrook <eric@westbrook.io>,
Eric Westbrook <linux@westbrook.io>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 03/27] netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
Date: Wed, 14 Nov 2018 17:24:52 -0500
Message-ID: <20181114222520.99926-3-sashal@kernel.org>
In-Reply-To: <20181114222520.99926-1-sashal@kernel.org>

From: Eric Westbrook <eric@westbrook.io>

[ Upstream commit 886503f34d63e681662057448819edb5b1057a97 ]

Allow /0 as advertised for hash:net,port,net sets.

For "hash:net,port,net", ipset(8) says that "either subnet
is permitted to be a /0 should you wish to match port
between all destinations."

Make that statement true.

Before:

    # ipset create cidrzero hash:net,port,net
    # ipset add cidrzero 0.0.0.0/0,12345,0.0.0.0/0
    ipset v6.34: The value of the CIDR parameter of the IP address is invalid

    # ipset create cidrzero6 hash:net,port,net family inet6
    # ipset add cidrzero6 ::/0,12345,::/0
    ipset v6.34: The value of the CIDR parameter of the IP address is invalid

After:

    # ipset create cidrzero hash:net,port,net
    # ipset add cidrzero 0.0.0.0/0,12345,0.0.0.0/0
    # ipset test cidrzero 192.168.205.129,12345,172.16.205.129
    192.168.205.129,tcp:12345,172.16.205.129 is in set cidrzero.

    # ipset create cidrzero6 hash:net,port,net family inet6
    # ipset add cidrzero6 ::/0,12345,::/0
    # ipset test cidrzero6 fe80::1,12345,ff00::1
    fe80::1,tcp:12345,ff00::1 is in set cidrzero6.

See also:

  https://bugzilla.kernel.org/show_bug.cgi?id=200897
  https://github.com/ewestbrook/linux/commit/df7ff6efb0934ab6acc11f003ff1a7580d6c1d9c

Signed-off-by: Eric Westbrook <linux@westbrook.io>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/ipset/ip_set_hash_netportnet.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index 8602f2595a1a..0e6e40c6f652 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -213,13 +213,13 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_CIDR]) {
e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
- if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
+ if (e.cidr[0] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
if (tb[IPSET_ATTR_CIDR2]) {
e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
- if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
+ if (e.cidr[1] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
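Review bot: With `!e.cidr[0]` and `!e.cidr[1]` dropped in hash_netportnet4_uadt, the only remaining bound is `> HOST_MASK`, so a prefix length of 0 now reaches whatever code consumes e.cidr[] after these checks, and none of that code is visible in this hunk. Before backporting, confirm that the mask derivation and any range handling further down the function produce an all-zero mask for a zero prefix rather than relying on the old rejection. A one-line comment here saying that 0 is deliberately valid for both nets would keep the `!e.cidr[n]` test from being reintroduced later.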
@@ -492,13 +492,13 @@ hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_CIDR]) {
e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
- if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
+ if (e.cidr[0] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
if (tb[IPSET_ATTR_CIDR2]) {
e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
- if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
+ if (e.cidr[1] > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
}
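Review bot: The IPSET_ATTR_CIDR and IPSET_ATTR_CIDR2 checks in hash_netportnet6_uadt are relaxed independently, but the "After" run in the changelog only exercises the case where both nets are /0 at once. A test with one side /0 and the other a real prefix, plus one showing that a value above HOST_MASK still returns -IPSET_ERR_INVALID_CIDR, would cover what this hunk actually changes. As a style point, the same `> HOST_MASK` check now appears four times across the two functions and could live in one small helper.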
--
2.17.1