netfilter-devel.vger.kernel.org archive mirror
* [PATCH 0/1] ipset patch for the nf tree
@ 2018-01-12 10:16 Jozsef Kadlecsik
  0 siblings, 0 replies; 6+ messages in thread
From: Jozsef Kadlecsik @ 2018-01-12 10:16 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Pablo Neira Ayuso

Hi Pablo,

Here follows a patch for the nf tree, please apply it:

- The patch "Fix adding an IPv4 range containing more than 2^31
  addresses" introduced a wraparound bug, which could lead to
  memory exhaustion, which is fixed here (netfilter bugzilla
  id #1212, reported by Thomas Schwark)

Best regards,
Jozsef

The following changes since commit 889c604fd0b5f6d3b8694ade229ee44124de1127:

  netfilter: x_tables: fix int overflow in xt_alloc_table_info() (2018-01-07 00:17:23 +0100)

are available in the git repository at:

  git://blackhole.kfki.hu/nf ba31d2d88b9

for you to fetch changes up to ba31d2d88b95ce1872fc17ffd0da70b68be0a07f:

  Fix wraparound bug introduced in commit 48596a8ddc46 (2018-01-12 11:07:35 +0100)

----------------------------------------------------------------
Jozsef Kadlecsik (1):
      Fix wraparound bug introduced in commit 48596a8ddc46

 net/netfilter/ipset/ip_set_hash_ipportnet.c  | 26 ++++++++++-----------
 net/netfilter/ipset/ip_set_hash_net.c        |  9 ++++---
 net/netfilter/ipset/ip_set_hash_netiface.c   |  9 ++++---
 net/netfilter/ipset/ip_set_hash_netnet.c     | 28 +++++++++++-----------
 net/netfilter/ipset/ip_set_hash_netport.c    | 19 ++++++++-------
 net/netfilter/ipset/ip_set_hash_netportnet.c | 35 ++++++++++++++--------------
 6 files changed, 63 insertions(+), 63 deletions(-)


* [PATCH 0/1] ipset patch for the nf tree
@ 2021-07-27 11:17 Jozsef Kadlecsik
  0 siblings, 0 replies; 6+ messages in thread
From: Jozsef Kadlecsik @ 2021-07-27 11:17 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Pablo Neira Ayuso

Hi Pablo,

Please apply the next patch to the nf tree. Brad Spengler reported that
a huge range of consecutive elements could result in soft lockup errors
due to the long execution time. The patch limits and enforces the maximal
size of such ranges.

Best regards,
Jozsef

The following changes since commit 832df96d5f957d42fd9eb9660519a0c51fe8538e:

  Merge branch 'sctp-pmtu-probe' (2021-07-25 23:06:21 +0100)

are available in the Git repository at:

  git://blackhole.kfki.hu/nf 97b5fa905d232f300fd

for you to fetch changes up to 97b5fa905d232f300fd943c320932dd0523727ee:

  netfilter: ipset: Limit the maximal range of consecutive elements to add/delete (2021-07-27 12:59:38 +0200)

----------------------------------------------------------------
Jozsef Kadlecsik (1):
      netfilter: ipset: Limit the maximal range of consecutive elements to add/delete

 include/linux/netfilter/ipset/ip_set.h       |  3 +++
 net/netfilter/ipset/ip_set_hash_ip.c         |  8 +++++++-
 net/netfilter/ipset/ip_set_hash_ipmark.c     | 10 +++++++++-
 net/netfilter/ipset/ip_set_hash_ipport.c     |  3 +++
 net/netfilter/ipset/ip_set_hash_ipportip.c   |  3 +++
 net/netfilter/ipset/ip_set_hash_ipportnet.c  |  3 +++
 net/netfilter/ipset/ip_set_hash_net.c        | 11 ++++++++++-
 net/netfilter/ipset/ip_set_hash_netiface.c   | 10 +++++++++-
 net/netfilter/ipset/ip_set_hash_netnet.c     | 16 +++++++++++++++-
 net/netfilter/ipset/ip_set_hash_netport.c    | 11 ++++++++++-
 net/netfilter/ipset/ip_set_hash_netportnet.c | 16 +++++++++++++++-
 11 files changed, 87 insertions(+), 7 deletions(-)


* [PATCH 0/1] ipset patch for the nf tree
@ 2022-11-22 19:18 Jozsef Kadlecsik
  2022-11-22 19:18 ` [PATCH 1/1] netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface Jozsef Kadlecsik
  0 siblings, 1 reply; 6+ messages in thread
From: Jozsef Kadlecsik @ 2022-11-22 19:18 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Pablo Neira Ayuso

Hi Pablo,

Please apply the next one-liner patch to your nf tree. Thanks!

- The "netfilter: ipset: enforce documented limit to prevent allocating
  huge memory" patch contained a wrong condition which makes it impossible
  to add up to 64 clashing elements to a hash:net,iface type of set while
  it is a documented feature of the set type. The patch fixes the condition
  and thus makes it possible to add the elements while still preventing the
  allocation of huge memory.

Best regards,
Jozsef

The following changes since commit c7aa1a76d4a0a3c401025b60c401412bbb60f8c6:

  netfilter: ipset: regression in ip_set_hash_ip.c (2022-11-21 15:00:45 +0100)

are available in the Git repository at:

  git://blackhole.kfki.hu/nf 5e8cc0ff84d763559

for you to fetch changes up to 5e8cc0ff84d763559d34e3ddf5a1e645712ead54:

  netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface (2022-11-22 20:07:27 +0100)

----------------------------------------------------------------
Jozsef Kadlecsik (1):
      netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface

 net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


* [PATCH 1/1] netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface
  2022-11-22 19:18 [PATCH 0/1] ipset patch for the nf tree Jozsef Kadlecsik
@ 2022-11-22 19:18 ` Jozsef Kadlecsik
  2022-11-22 20:45   ` Pablo Neira Ayuso
  0 siblings, 1 reply; 6+ messages in thread
From: Jozsef Kadlecsik @ 2022-11-22 19:18 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Pablo Neira Ayuso

The patch "netfilter: ipset: enforce documented limit to prevent allocating
huge memory" was too strict and prevented adding up to 64 clashing elements
to a hash:net,iface type of set. This patch fixes the issue and now the type
behaves as documented.

Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---
 net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 3adc291d9ce1..7499192af586 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -916,7 +916,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
 #ifdef IP_SET_HASH_WITH_MULTI
 		if (h->bucketsize >= AHASH_MAX_TUNED)
 			goto set_full;
-		else if (h->bucketsize < multi)
+		else if (h->bucketsize <= multi)
 			h->bucketsize += AHASH_INIT_SIZE;
 #endif
 		if (n->size >= AHASH_MAX(h)) {
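
Review bot: the comparison changed on the "else if (h->bucketsize <= multi)" line has no comment saying why equality must also grow the bucket, and this boundary is exactly where the earlier limit patch went wrong. A one-line comment above the branch stating the intended relation between h->bucketsize and multi (and the documented 64-element limit for hash:net,iface mentioned in the commit message) would make the next change to this condition easier to check. Since the AHASH_MAX_TUNED test runs before "h->bucketsize += AHASH_INIT_SIZE", it is also worth confirming that the value after the increment cannot pass AHASH_MAX_TUNED now that the branch is taken one step later. The commit message names the patch being corrected but carries no Fixes: tag; adding it with the commit id would let stable tooling pick this up.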
-- 
2.30.2



* Re: [PATCH 1/1] netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface
  2022-11-22 19:18 ` [PATCH 1/1] netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface Jozsef Kadlecsik
@ 2022-11-22 20:45   ` Pablo Neira Ayuso
  2022-11-22 22:13     ` Jozsef Kadlecsik
  0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2022-11-22 20:45 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter-devel

Hi Jozsef,

On Tue, Nov 22, 2022 at 08:18:58PM +0100, Jozsef Kadlecsik wrote:
> The patch "netfilter: ipset: enforce documented limit to prevent allocating
> huge memory" was too strict and prevented adding up to 64 clashing elements
> to a hash:net,iface type of set. This patch fixes the issue and now the type
> behaves as documented.

I have manually applied this to add the Fixes: tag; upstream
maintainers usually require this, and it also helps robots to identify
patches which should go into -stable.


* Re: [PATCH 1/1] netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface
  2022-11-22 20:45   ` Pablo Neira Ayuso
@ 2022-11-22 22:13     ` Jozsef Kadlecsik
  0 siblings, 0 replies; 6+ messages in thread
From: Jozsef Kadlecsik @ 2022-11-22 22:13 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi Pablo,

On Tue, 22 Nov 2022, Pablo Neira Ayuso wrote:

> On Tue, Nov 22, 2022 at 08:18:58PM +0100, Jozsef Kadlecsik wrote:
> > The patch "netfilter: ipset: enforce documented limit to prevent allocating
> > huge memory" was too strict and prevented adding up to 64 clashing elements
> > to a hash:net,iface type of set. This patch fixes the issue and now the type
> > behaves as documented.
> 
> I have manually applied this to add the Fixes: tag; upstream
> maintainers usually require this, and it also helps robots to identify
> patches which should go into -stable.

I forgot to add the Fixes: tag, thanks!

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
