netfilter: ipset: Permit CIDR equal to the host address CIDR in IPv6
authorSergey Popovich <popovich_sergei@mail.ua>
Mon, 17 Nov 2014 15:42:44 +0000 (17:42 +0200)
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Fri, 20 Mar 2015 18:06:56 +0000 (19:06 +0100)
Permit userspace to supply a CIDR length equal to the host address CIDR
length in the netlink message. Prohibit any other CIDR length for the IPv6
variant of the set.

Also return -IPSET_ERR_HASH_RANGE_UNSUPPORTED instead of generic
-IPSET_ERR_PROTOCOL in IPv6 variant of hash:ip,port,net when
IPSET_ATTR_IP_TO attribute is given.

Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
kernel/net/netfilter/ipset/ip_set_hash_ip.c
kernel/net/netfilter/ipset/ip_set_hash_ipmark.c
kernel/net/netfilter/ipset/ip_set_hash_ipport.c
kernel/net/netfilter/ipset/ip_set_hash_ipportip.c
kernel/net/netfilter/ipset/ip_set_hash_ipportnet.c

index 9a7046f4234979c2c84ae1107dc5f486e0efafb3..1ad0178643adcbe91763f4e17b24872e4821c20a 100644 (file)
@@ -241,10 +241,15 @@ hash_ip6_uadt(struct ip_set *set, struct nlattr *tb[],
        struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
        int ret;
 
-       if (unlikely(!tb[IPSET_ATTR_IP] ||
-                    tb[IPSET_ATTR_IP_TO] ||
-                    tb[IPSET_ATTR_CIDR]))
+       if (unlikely(!tb[IPSET_ATTR_IP]))
                return -IPSET_ERR_PROTOCOL;
+       if (unlikely(tb[IPSET_ATTR_IP_TO]))
+               return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
+       if (unlikely(tb[IPSET_ATTR_CIDR])) {
+               u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+               if (cidr != HOST_MASK)
+                       return -IPSET_ERR_INVALID_CIDR;
+       }
 
        if (tb[IPSET_ATTR_LINENO])
                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
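Review bot: The new CIDR guard at lines 35-39 accepts exactly HOST_MASK and rejects every other value, but nothing in the hunk says why the host-length prefix is the only legal one for this set type, so a why-comment above the block would help the next reader, e.g. `/* This set stores single IPv6 hosts; tolerate CIDR == HOST_MASK from userspace, any other prefix is an error. */`. The identical five-line block is pasted into hash_ipmark6_uadt, hash_ipport6_uadt, hash_ipportip6_uadt and hash_ipportnet6_uadt as well, so a small shared static inline helper in the ipset header that takes tb[] and returns the error code would keep the five copies from drifting. nla_get_u8() relies on the attribute having been length-validated by the set's nla_policy, which is outside this hunk; it is worth confirming IPSET_ATTR_CIDR is declared there as an 8-bit attribute for each of these set types. hash_ip6_uadt starts and ends outside the hunk.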
index 55a1146342253197bc3a00c3d24f2542ba2ebdec..081b1f87b89c2c751403efaae130b3169f5c9bf2 100644 (file)
@@ -237,10 +237,15 @@ hash_ipmark6_uadt(struct ip_set *set, struct nlattr *tb[],
        int ret;
 
        if (unlikely(!tb[IPSET_ATTR_IP] ||
-                    !ip_set_attr_netorder(tb, IPSET_ATTR_MARK) ||
-                    tb[IPSET_ATTR_IP_TO] ||
-                    tb[IPSET_ATTR_CIDR]))
+                    !ip_set_attr_netorder(tb, IPSET_ATTR_MARK)))
                return -IPSET_ERR_PROTOCOL;
+       if (unlikely(tb[IPSET_ATTR_IP_TO]))
+               return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
+       if (unlikely(tb[IPSET_ATTR_CIDR])) {
+               u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+               if (cidr != HOST_MASK)
+                       return -IPSET_ERR_INVALID_CIDR;
+       }
 
        if (tb[IPSET_ATTR_LINENO])
                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
index d4c649e340aff30a835292a5741f31e9985f0fba..55160089f6152696ee16639f7937bcce6e193b01 100644 (file)
@@ -279,10 +279,15 @@ hash_ipport6_uadt(struct ip_set *set, struct nlattr *tb[],
 
        if (unlikely(!tb[IPSET_ATTR_IP] ||
                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
-                    !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
-                    tb[IPSET_ATTR_IP_TO] ||
-                    tb[IPSET_ATTR_CIDR]))
+                    !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO)))
                return -IPSET_ERR_PROTOCOL;
+       if (unlikely(tb[IPSET_ATTR_IP_TO]))
+               return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
+       if (unlikely(tb[IPSET_ATTR_CIDR])) {
+               u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+               if (cidr != HOST_MASK)
+                       return -IPSET_ERR_INVALID_CIDR;
+       }
 
        if (tb[IPSET_ATTR_LINENO])
                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
index 869e8a33fd1e5e9e99ba2fc740bf80686fa8d9de..7bc08a3dcc3eff134253bd4a62b4eb6f94bf2fd1 100644 (file)
@@ -287,10 +287,15 @@ hash_ipportip6_uadt(struct ip_set *set, struct nlattr *tb[],
 
        if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
-                    !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
-                    tb[IPSET_ATTR_IP_TO] ||
-                    tb[IPSET_ATTR_CIDR]))
+                    !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO)))
                return -IPSET_ERR_PROTOCOL;
+       if (unlikely(tb[IPSET_ATTR_IP_TO]))
+               return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
+       if (unlikely(tb[IPSET_ATTR_CIDR])) {
+               u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+               if (cidr != HOST_MASK)
+                       return -IPSET_ERR_INVALID_CIDR;
+       }
 
        if (tb[IPSET_ATTR_LINENO])
                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
index 13a078916b10900b970a499b35c24221fc46230e..0b15bd6a7503d13d5c1dc661e8c896bd3d59abbe 100644 (file)
@@ -426,12 +426,15 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
        if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
                     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
-                    !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||
-                    tb[IPSET_ATTR_IP_TO] ||
-                    tb[IPSET_ATTR_CIDR]))
+                    !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
                return -IPSET_ERR_PROTOCOL;
        if (unlikely(tb[IPSET_ATTR_IP_TO]))
                return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;
+       if (unlikely(tb[IPSET_ATTR_CIDR])) {
+               u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+               if (cidr != HOST_MASK)
+                       return -IPSET_ERR_INVALID_CIDR;
+       }
 
        if (tb[IPSET_ATTR_LINENO])
                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
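Review bot: The IPSET_ATTR_IP_TO check at lines 113-114 is a context line, not an addition, so in hash_ipportnet6_uadt the -IPSET_ERR_HASH_RANGE_UNSUPPORTED return for that attribute predates this commit, while the commit message's second paragraph credits this change to hash:ip,port,net. The hunks for the other four files are where that return is genuinely new, so the paragraph appears to describe hash:ip, hash:ip,mark, hash:ip,port and hash:ip,port,ip and could be reworded to name them. Only the CIDR block at lines 115-119 changes behaviour here. The function starts and ends outside the hunk.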