netfilter-devel.vger.kernel.org archive mirror
* ipset issues in 2.6.39-rc2
@ 2011-04-09 15:16 Lennert Buytenhek
From: Lennert Buytenhek @ 2011-04-09 15:16 UTC (permalink / raw)
  To: netfilter-devel

Hi,

On the current Fedora Rawhide kernel (2.6.39-0.rc2.git0.0.fc16), I am
seeing the following two issues:

1. Attempting to create a -j SET rule with a certain invalid set of
   flags leaks a reference to the specified pool:

	# ipset create foo hash:ip
	# ipset list foo | grep References
	References: 0
	# iptables -A INPUT -j SET --del-set foo src,src,src,src,src,src
	iptables: Numerical result out of range.
	# ipset list foo | grep References
	References: 1
	#

2. --del-set doesn't seem to work (or I don't understand how it's supposed
   to work):

	# ipset create bar hash:ip
	# ipset add bar 127.0.0.1
	# iptables -I INPUT -s 127.0.0.1 -p icmp -j SET --del-set bar src
	# ping -c 1 127.0.0.1
	[...]
	# iptables -L INPUT -v | grep SET
	    2   168 SET        icmp --  *      *       127.0.0.1            0.0.0.0/0           del-set bar src,dst,dst,dst,dst,dst 
	# ipset list bar
	[...]
	Members:
	127.0.0.1
	#


thanks,
Lennert


* Re: ipset issues in 2.6.39-rc2
@ 2011-04-09 20:06 Jozsef Kadlecsik
From: Jozsef Kadlecsik @ 2011-04-09 20:06 UTC (permalink / raw)
  To: Lennert Buytenhek; +Cc: netfilter-devel

Hi,

On Sat, 9 Apr 2011, Lennert Buytenhek wrote:

> On the current Fedora Rawhide kernel (2.6.39-0.rc2.git0.0.fc16), I am
> seeing the following two issues:
> 
> 1. Attempting to create a -j SET rule with a certain invalid set of
>    flags leaks a reference to the specified pool:
> 
> 	# ipset create foo hash:ip
> 	# ipset list foo | grep References
> 	References: 0
> 	# iptables -A INPUT -j SET --del-set foo src,src,src,src,src,src
> 	iptables: Numerical result out of range.
> 	# ipset list foo | grep References
> 	References: 1
> 	#
> 
> 2. --del-set doesn't seem to work (or I don't understand how it's supposed
>    to work):
> 
> 	# ipset create bar hash:ip
> 	# ipset add bar 127.0.0.1
> 	# iptables -I INPUT -s 127.0.0.1 -p icmp -j SET --del-set bar src
> 	# ping -c 1 127.0.0.1
> 	[...]
> 	# iptables -L INPUT -v | grep SET
> 	    2   168 SET        icmp --  *      *       127.0.0.1            0.0.0.0/0           del-set bar src,dst,dst,dst,dst,dst 
> 	# ipset list bar
> 	[...]
> 	Members:
> 	127.0.0.1

Both are real bugs indeed. I have sent the fixes to netfilter-devel and 
I'll release a new ipset version at the weekend. I also fixed the set 
match/target in iptables to catch properly the invalid number of dir 
parameters and committed it in git.

Thanks for the bug report!

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
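Added illustration for the two bugs discussed above (hypothetical model written for this thread, not iptables or ipset source; names such as parse_dirs, checkentry and set_refs are assumptions): the dir list of a SET target should be bounded while parsing, a rule check that takes a set reference must drop it again on every error path, and listing a rule should print only the dimensions that were actually given. IPSET_DIM_MAX is the kernel's limit on set dimensions (6).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical model written for this thread, not iptables or ipset source.
 * IPSET_DIM_MAX is the kernel's limit on set dimensions (6). */
#define IPSET_DIM_MAX 6
struct set_info { unsigned dim; unsigned flags; }; /* flags bit i set: dim i is "src" */
int set_refs[4];                                   /* constructed reference counts */
static int get_ref(int idx) { if (idx < 0 || idx > 3) return -ENOENT; set_refs[idx]++; return 0; }
static void put_ref(int idx) { set_refs[idx]--; }

/* Userspace parse of "src,dst,...": fail with -ERANGE as soon as more dirs are
 * given than dimensions exist, rather than handing an oversized value down. */
int parse_dirs(const char *arg, struct set_info *info)
{
    const char *p = arg;
    info->dim = 0; info->flags = 0;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (info->dim == IPSET_DIM_MAX) return -ERANGE;
        if (n != 3) return -EINVAL;
        info->dim++;
        if (!strncmp(p, "src", 3)) info->flags |= 1u << info->dim;
        else if (strncmp(p, "dst", 3)) return -EINVAL;
        p = end ? end + 1 : p + n;
    }
    return info->dim ? 0 : -EINVAL;
}

/* Rule check: the set reference is taken before validation, so every error
 * return must drop it again or the set stays referenced forever (bug 1). */
int checkentry(int set_idx, const struct set_info *info, unsigned type_dim)
{
    int err = get_ref(set_idx);
    if (err) return err;
    if (info->dim > IPSET_DIM_MAX || info->dim < type_dim) { put_ref(set_idx); return -ERANGE; }
    return 0;
}

/* Print only the dims that were parsed, so a rule given "src" lists as "src"
 * and not as "src,dst,dst,dst,dst,dst" (bug 2's listing). */
int format_dirs(const struct set_info *info, char *out, size_t len)
{
    size_t n = 0;
    for (unsigned i = 1; i <= info->dim && n + 1 < len; i++)
        n += snprintf(out + n, len - n, "%s%s", i > 1 ? "," : "",
                      info->flags & (1u << i) ? "src" : "dst");
    return (int)n;
}
```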


* Re: ipset issues in 2.6.39-rc2
@ 2011-04-10 11:44 Lennert Buytenhek
From: Lennert Buytenhek @ 2011-04-10 11:44 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter-devel

On Sat, Apr 09, 2011 at 10:06:58PM +0200, Jozsef Kadlecsik wrote:

> Hi,

Hi there,


> > On the current Fedora Rawhide kernel (2.6.39-0.rc2.git0.0.fc16), I am
> > seeing the following two issues:
> > 
> > 1. Attempting to create a -j SET rule with a certain invalid set of
> >    flags leaks a reference to the specified pool:
> > 
> > 	# ipset create foo hash:ip
> > 	# ipset list foo | grep References
> > 	References: 0
> > 	# iptables -A INPUT -j SET --del-set foo src,src,src,src,src,src
> > 	iptables: Numerical result out of range.
> > 	# ipset list foo | grep References
> > 	References: 1
> > 	#
> > 
> > 2. --del-set doesn't seem to work (or I don't understand how it's supposed
> >    to work):
> > 
> > 	# ipset create bar hash:ip
> > 	# ipset add bar 127.0.0.1
> > 	# iptables -I INPUT -s 127.0.0.1 -p icmp -j SET --del-set bar src
> > 	# ping -c 1 127.0.0.1
> > 	[...]
> > 	# iptables -L INPUT -v | grep SET
> > 	    2   168 SET        icmp --  *      *       127.0.0.1            0.0.0.0/0           del-set bar src,dst,dst,dst,dst,dst 
> > 	# ipset list bar
> > 	[...]
> > 	Members:
> > 	127.0.0.1
> 
> Both are real bugs indeed. I have sent the fixes to netfilter-devel and 
> I'll release a new ipset version at the weekend. I also fixed the set 
> match/target in iptables to catch properly the invalid number of dir 
> parameters and committed it in git.

I didn't test (1), but your patch at least fixes (2) -- thanks!


cheers,
Lennert
