From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Taehee Yoo <ap420073@gmail.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 37/53] netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
Date: Tue, 8 Jan 2019 14:32:05 -0500 [thread overview]
Message-ID: <20190108193222.123316-37-sashal@kernel.org> (raw)
In-Reply-To: <20190108193222.123316-1-sashal@kernel.org>
From: Taehee Yoo <ap420073@gmail.com>
[ Upstream commit 06aa151ad1fc74a49b45336672515774a678d78d ]
If a config for the same destination IP address already exists, that config is
just used. The MAC address should also be the same.
However, there is no MAC address checking routine,
so a MAC address checking routine is added.
test commands:
%iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
-j CLUSTERIP --new --hashmode sourceip \
--clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1
%iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
-j CLUSTERIP --new --hashmode sourceip \
--clustermac 01:00:5e:00:00:21 --total-nodes 2 --local-node 1
After this patch, the above commands are disallowed.
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index cc7c9d67ac19..45f21489f515 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -492,7 +492,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
if (IS_ERR(config))
return PTR_ERR(config);
}
- }
+ } else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN))
+ return -EINVAL;
ret = nf_ct_netns_get(par->net, par->family);
if (ret < 0) {
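Review bot: the new `else if` branch returns -EINVAL without releasing `config`, so if the lookup that filled `config` before this hunk takes a reference (the `IS_ERR(config)` handling visible in the context belongs to the create path; the lookup itself is outside the hunk), every rejected duplicate rule leaks that reference; please confirm the lookup is a plain find, or add the matching put before `return -EINVAL;`. Two smaller points: `ether_addr_equal()` from linux/etherdevice.h states the ETH_ALEN comparison more clearly than `memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)`, and the test commands in the commit message also set `--hashmode` and `--total-nodes`, which nothing in this hunk compares, so a duplicate rule for the same destination IP with a different hash mode or node count is still silently merged into the existing config.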
--
2.19.1
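To make the reuse-versus-reject decision and its error path concrete, here is an added userspace model of the checkentry logic, written for this page and not taken from the kernel source: configs are keyed on destination IP, a second rule for the same IP is accepted only if it carries the same cluster MAC, and a rejected rule drops the reference the lookup took. The table, `config_find_get`, `config_put`, `config_init`, `rule_check` and `replay_commit_test` are hypothetical names and simplifications of this example; the constructed input replays the two iptables commands from the commit message.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define MAX_CONFIGS 8

/* Userspace stand-in for the per-destination CLUSTERIP config (not kernel code). */
struct cluster_config {
    uint32_t dst_ip;               /* destination address the config is keyed on */
    uint8_t  clustermac[ETH_ALEN]; /* multicast MAC shared by the cluster */
    int      refcount;             /* 0 marks a free slot */
};

static struct cluster_config table[MAX_CONFIGS];

/* Look up an existing config for dst_ip and take a reference on it. */
static struct cluster_config *config_find_get(uint32_t dst_ip)
{
    for (int i = 0; i < MAX_CONFIGS; i++) {
        if (table[i].refcount > 0 && table[i].dst_ip == dst_ip) {
            table[i].refcount++;
            return &table[i];
        }
    }
    return NULL;
}

/* Drop a reference; free the slot when the last one goes away. */
static void config_put(struct cluster_config *c)
{
    if (c && --c->refcount == 0)
        memset(c, 0, sizeof(*c));
}

/* Create a fresh config holding one reference for the caller. */
static struct cluster_config *config_init(uint32_t dst_ip, const uint8_t *mac)
{
    for (int i = 0; i < MAX_CONFIGS; i++) {
        if (table[i].refcount == 0) {
            table[i].dst_ip = dst_ip;
            memcpy(table[i].clustermac, mac, ETH_ALEN);
            table[i].refcount = 1;
            return &table[i];
        }
    }
    return NULL;
}

/* Rule check: reuse an existing config for the same destination IP only when
 * the requested MAC matches. On success *out holds a referenced config and 0 is
 * returned; a MAC mismatch yields -EINVAL after releasing the lookup reference;
 * a full table yields -ENOMEM. */
static int rule_check(uint32_t dst_ip, const uint8_t *mac, struct cluster_config **out)
{
    struct cluster_config *c = config_find_get(dst_ip);

    if (!c) {
        c = config_init(dst_ip, mac);
        if (!c)
            return -ENOMEM;
    } else if (memcmp(c->clustermac, mac, ETH_ALEN)) {
        config_put(c); /* undo find_get before failing, or the config leaks */
        return -EINVAL;
    }
    *out = c;
    return 0;
}

/* Replay the two commands from the commit message: same IP, MACs ...:20 and
 * ...:21. Returns the second rule's result; *refcount_after reports the
 * reference count left on the first config (1 if the reject path cleaned up). */
static int replay_commit_test(int *refcount_after)
{
    const uint8_t mac20[ETH_ALEN] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0x20};
    const uint8_t mac21[ETH_ALEN] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0x21};
    const uint32_t ip = 0xc0a80005; /* 192.168.0.5, constructed input */
    struct cluster_config *c1 = NULL, *c2 = NULL;
    int ret;

    memset(table, 0, sizeof(table));
    if (rule_check(ip, mac20, &c1) != 0)
        return -1;
    ret = rule_check(ip, mac21, &c2);
    *refcount_after = c1->refcount;
    config_put(c1); /* rule_destroy equivalent */
    return ret;
}

int main(void)
{
    int rc = 0;
    int ret = replay_commit_test(&rc);

    printf("second rule: %s, refcount left: %d\n",
           ret == -EINVAL ? "rejected (-EINVAL)" : "accepted", rc);
    return ret == -EINVAL && rc == 1 ? 0 : 1;
}
```

The `config_put()` on the mismatch path is the part to look for when reading the real hunk: the reject branch must release whatever the preceding lookup acquired, otherwise every rejected duplicate rule pins the existing config.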
2019-01-08 19:31 [PATCH AUTOSEL 4.14 01/53] gpio: pl061: Move irq_chip definition inside struct pl061 Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 02/53] platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 03/53] e1000e: allow non-monotonic SYSTIM readings Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 04/53] writeback: don't decrement wb->refcnt if !wb->bdi Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 05/53] serial: set suppress_bind_attrs flag only if builtin Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 06/53] ALSA: oxfw: add support for APOGEE duet FireWire Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 07/53] x86/mce: Fix -Wmissing-prototypes warnings Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 08/53] MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 09/53] arm64: perf: set suppress_bind_attrs flag to true Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 10/53] USB: serial: ftdi_sio: use rounding when calculating baud rate divisors Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 11/53] usb: gadget: udc: renesas_usb3: add a safety connection way for forced_b_device Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 12/53] selinux: always allow mounting submounts Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 13/53] drm/amdgpu: Correct get_crtc_scanoutpos behavior when vpos >= vtotal Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 14/53] rxe: IB_WR_REG_MR does not capture MR's iova field Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 15/53] jffs2: Fix use of uninitialized delayed_work, lockdep breakage Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 16/53] clk: imx: make mux parent strings const Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 17/53] pstore/ram: Do not treat empty buffers as valid Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 18/53] powerpc/xmon: Fix invocation inside lock region Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 19/53] powerpc/pseries/cpuidle: Fix preempt warning Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 20/53] arm64: relocatable: fix inconsistencies in linker script and options Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 21/53] media: firewire: Fix app_info parameter type in avc_ca{,_app}_info Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 22/53] IB/hfi1: Incorrect sizing of sge for PIO will OOPs Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 23/53] media: venus: core: Set dma maximum segment size Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 24/53] net: call sk_dst_reset when set SO_DONTROUTE Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 25/53] scsi: target: use consistent left-aligned ASCII INQUIRY data Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 26/53] selftests: do not macro-expand failed assertion expressions Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 27/53] clk: imx6q: reset exclusive gates on init Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 28/53] arm64: Fix minor issues with the dcache_by_line_op macro Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 29/53] kconfig: fix file name and line number of warn_ignored_character() Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 30/53] kconfig: fix memory leak when EOF is encountered in quotation Sasha Levin
2019-01-08 19:31 ` [PATCH AUTOSEL 4.14 31/53] mmc: atmel-mci: do not assume idle after atmci_request_end Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 32/53] btrfs: improve error handling of btrfs_add_link Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 33/53] tty/serial: do not free trasnmit buffer page under port lock Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 34/53] perf intel-pt: Fix error with config term "pt=0" Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 35/53] perf svghelper: Fix unchecked usage of strncpy() Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 36/53] perf parse-events: " Sasha Levin
2019-01-08 19:32 ` Sasha Levin [this message]
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 38/53] dm crypt: use u64 instead of sector_t to store iv_offset Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 39/53] dm kcopyd: Fix bug causing workqueue stalls Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 40/53] tools lib subcmd: Don't add the kernel sources to the include path Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 41/53] dm snapshot: Fix excessive memory usage and workqueue stalls Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 42/53] quota: Lock s_umount in exclusive mode for Q_XQUOTA{ON,OFF} quotactls Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 43/53] clocksource/drivers/integrator-ap: Add missing of_node_put() Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 44/53] ALSA: bebob: fix model-id of unit for Apogee Ensemble Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 45/53] sysfs: Disable lockdep for driver bind/unbind files Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 46/53] IB/usnic: Fix potential deadlock Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 47/53] scsi: smartpqi: correct lun reset issues Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 48/53] scsi: smartpqi: call pqi_free_interrupts() in pqi_shutdown() Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 49/53] scsi: megaraid: fix out-of-bound array accesses Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 50/53] ocfs2: fix panic due to unrecovered local alloc Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 51/53] mm/page-writeback.c: don't break integrity writeback on ->writepage() error Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 52/53] mm/swap: use nr_node_ids for avail_lists in swap_info_struct Sasha Levin
2019-01-08 19:32 ` [PATCH AUTOSEL 4.14 53/53] mm, proc: be more verbose about unstable VMA flags in /proc/<pid>/smaps Sasha Levin