From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 10/38] netfilter: ipset: Follow manual page behavior for SET target on list:set
Date: Mon, 17 Mar 2014 13:42:30 +0100 [thread overview]
Message-ID: <1395060178-11833-11-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1395060178-11833-1-git-send-email-pablo@netfilter.org>
From: Sergey Popovich <popovich_sergei@mail.ru>
ipset(8) for list:set says:
The match will try to find a matching entry in the sets and the
target will try to add an entry to the first set to which it can
be added.
However real behavior is bit differ from described. Consider example:
# ipset create test-1-v4 hash:ip family inet
# ipset create test-1-v6 hash:ip family inet6
# ipset create test-1 list:set
# ipset add test-1 test-1-v4
# ipset add test-1 test-1-v6
# iptables -A INPUT -p tcp --destination-port 25 -j SET --add-set test-1 src
# ip6tables -A INPUT -p tcp --destination-port 25 -j SET --add-set test-1 src
And then when iptables/ip6tables rule matches packet IPSET target
tries to add src from packet to the list:set test-1 where first
entry is test-1-v4 and the second one is test-1-v6.
For IPv4, as it first entry in test-1 src added to test-1-v4
correctly, but for IPv6 src not added!
Placing test-1-v6 to the first element of list:set makes behavior
correct for IPv6, but brokes for IPv4.
This is due to result, returned from ip_set_add() and ip_set_del() from
net/netfilter/ipset/ip_set_core.c when set in list:set equires more
parameters than given or address families do not match (which is this
case).
It seems wrong returning 0 from ip_set_add() and ip_set_del() in
this case, as 0 should be returned only when an element successfuly
added/deleted to/from the set, contrary to ip_set_test() which
returns 0 when no entry exists and >0 when entry found in set.
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ru>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 728a2cf..c6c97b8 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -510,7 +510,7 @@ ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
if (opt->dim < set->type->dimension ||
!(opt->family == set->family || set->family == NFPROTO_UNSPEC))
- return 0;
+ return -IPSET_ERR_TYPE_MISMATCH;
write_lock_bh(&set->lock);
ret = set->variant->kadt(set, skb, par, IPSET_ADD, opt);
@@ -533,7 +533,7 @@ ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
if (opt->dim < set->type->dimension ||
!(opt->family == set->family || set->family == NFPROTO_UNSPEC))
- return 0;
+ return -IPSET_ERR_TYPE_MISMATCH;
write_lock_bh(&set->lock);
ret = set->variant->kadt(set, skb, par, IPSET_DEL, opt);
--
1.7.10.4
next prev parent reply other threads:[~2014-03-17 12:42 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-17 12:42 [PATCH 00/38] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 01/38] netfilter: remove double colon Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 02/38] netfilter: xt_ipcomp: Use ntohs to ease sparse warning Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 03/38] netfilter: nft_ct: labels get support Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 04/38] netfilter: ip_set: rename nfnl_dereference()/nfnl_set() Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 05/38] netfilter: nfnetlink: add rcu_dereference_protected() helpers Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 06/38] netfilter: nf_tables: add nft_dereference() macro Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 07/38] netfilter: nf_tables: accept QUEUE/DROP verdict parameters Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 08/38] netfilter: nfnetlink_log: remove unused code Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 09/38] netfilter: nf_tables: add optional user data area to rules Pablo Neira Ayuso
2014-03-17 12:42 ` Pablo Neira Ayuso [this message]
2014-03-17 12:42 ` [PATCH 11/38] netfilter: ipset: Add hash: fix coccinelle warnings Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 12/38] netfilter: ipset: add hash:ip,mark data type to ipset Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 13/38] netfilter: ipset: add markmask for hash:ip,mark data type Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 14/38] netfilter: ipset: Prepare the kernel for create option flags when no extension is needed Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 15/38] netfilter: ipset: kernel: uapi: fix MARKMASK attr ABI breakage Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 16/38] netfilter: ipset: move registration message to init from net_init Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 17/38] netfilter: ipset: add forceadd kernel support for hash set types Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 18/38] sections, ipvs: Remove useless __read_mostly for ipvs genl_ops Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 19/38] ipvs: Reduce checkpatch noise in ip_vs_lblc.c Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 20/38] netfilter: trivial code cleanup and doc changes Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 21/38] netfilter: conntrack: spinlock per cpu to protect special lists Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 22/38] netfilter: avoid race with exp->master ct Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 23/38] netfilter: conntrack: seperate expect locking from nf_conntrack_lock Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 24/38] netfilter: conntrack: remove central spinlock nf_conntrack_lock Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 25/38] netfilter: nft_hash: bug fixes and resizing Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 26/38] netfilter: nf_tables: clean up nf_tables_trans_add() argument order Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 27/38] netfilter: nf_tables: restore context for expression destructors Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 28/38] netfilter: nf_tables: restore notifications for anonymous set destruction Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 29/38] netfilter: nft_ct: remove family from struct nft_ct Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 30/38] netfilter: nft_nat: fix family validation Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 31/38] netfilter: connlimit: factor hlist search into new function Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 32/38] netfilter: connlimit: improve packet-to-closed-connection logic Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 33/38] netfilter: connlimit: move insertion of new element out of count function Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 34/38] netfilter: connlimit: use kmem_cache for conn objects Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 35/38] netfilter: Convert uses of __constant_<foo> to <foo> Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 36/38] netfilter: connlimit: use keyed locks Pablo Neira Ayuso
2014-03-17 12:54 ` David Laight
2014-03-17 14:26 ` Florian Westphal
2014-03-17 14:40 ` David Laight
2014-03-17 14:00 ` Eric Dumazet
2014-03-17 14:23 ` Florian Westphal
2014-03-18 13:46 ` Jesper Dangaard Brouer
2014-03-18 14:01 ` Eric Dumazet
2014-03-17 12:42 ` [PATCH 37/38] netfilter: connlimit: make same_source_net signed Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 38/38] netfilter: connlimit: use rbtree for per-host conntrack obj storage Pablo Neira Ayuso
2014-03-17 19:19 ` [PATCH 00/38] Netfilter/IPVS updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1395060178-11833-11-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).