Dan Carpenter [Tue, 18 Nov 2014 08:55:17 +0000 (09:55 +0100)]
netfilter: ipset: small potential read beyond the end of buffer
We could be reading 8 bytes into a 4 byte buffer here. It seems
harmless but adding a check is the right thing to do and it silences a
static checker warning.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Jozsef Kadlecsik [Sat, 25 Oct 2014 22:11:29 +0000 (00:11 +0200)]
Fix parallel resizing and listing of the same set
When elements added to a hash:* type of set and resizing triggered,
parallel listing could start to list the original set (before resizing)
and "continue" with listing the new set. Fix it by references and
using the original hash table for listing. Therefore the destroying
the original hash table may happen from the resizing or listing functions.
Drop via original ipset in RAW table
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Create a set with lots of elements::
sudo ./ipset destroy test
echo "create test hash:ip hashsize 65536" > test.set
for x in `seq 0 255`; do
for y in `seq 0 255`; do
echo "add test 198.18.$x.$y" >> test.set
done
done
sudo ./ipset restore < test.set
Dropping via ipset::
iptables -t raw -F
iptables -t raw -N net198 || iptables -t raw -F net198
iptables -t raw -I net198 -m set --match-set test src -j DROP
iptables -t raw -I PREROUTING -j net198
WANG Cong [Mon, 3 Nov 2014 16:35:30 +0000 (17:35 +0100)]
net: use the new API kvfree()
It is available since v3.15-rc5.
Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Tue, 21 Oct 2014 16:18:14 +0000 (18:18 +0200)]
netfilter: ipset: off by one in ip_set_nfnl_get_byindex()
The ->ip_set_list[] array is initialized in ip_set_net_init() and it
has ->ip_set_max elements so this check should be >= instead of >
otherwise we are off by one.
When the set was full (hash type and maxelem reached), it was not
possible to update the extension part of already existing elements.
The patch removes this limitation. (Fixes netfilter bugzilla id 880.)
Retry printing when sprintf fails (reported by Stig Thormodsrud)
Instead of returning the length of the string which would have been
printed, sprintf sometimes simply returns an error code. Handle
the case and flush the printing buffer and retry.
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-2" character set. ]
[ Some characters may be displayed incorrectly. ]
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-2" character set. ]
[ Some characters may be displayed incorrectly. ]
NLM_F_DUMP is #defined as (NLM_F_ROOT | NLM_F_ACK), so specifying
all of them is redundant.
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-2" character set. ]
[ Some characters may be displayed incorrectly. ]
Anton Danilov [Thu, 28 Aug 2014 06:11:31 +0000 (10:11 +0400)]
libipset: Add userspace code for the skbinfo extension support.
Add userspace code to support of the skbinfo extension independly of set types.
Defines constants, flag and function for print/parse/send/recieve of skbinfo
parameters.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Anton Danilov [Thu, 28 Aug 2014 06:11:27 +0000 (10:11 +0400)]
netfilter: ipset: Add skbinfo extension kernel support in the ipset core.
Skbinfo extension provides mapping of metainformation with lookup in the ipset tables.
This patch defines the flags, the constants, the functions and the structures
for the data type independent support of the extension.
Note the firewall mark stores in the kernel structures as two 32bit values,
but transfered through netlink as one 64bit value.
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
# ipset list test-nn
Name: test-nn
Type: hash:net,net
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16960
References: 0
Members:
10.0.10.1,10.0.0.0/8
# ipset test test-nn 10.0.10.65,10.0.0.1
10.0.10.65,10.0.0.1 is NOT in set test-nn.
# ipset test test-nn 10.0.10.1,10.0.0.1
10.0.10.1,10.0.0.1 is in set test-nn.
hash:net,port,net
=================
# ipset create test-npn hash:net,port,net
# ipset add test-npn 10.0.10.1-10.0.10.127,tcp:80,10.0.0.0/8
# ipset list test-npn
Name: test-npn
Type: hash:net,port,net
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 17344
References: 0
Members:
10.0.10.8/29,tcp:80,10.0.0.0
10.0.10.16/28,tcp:80,10.0.0.0
10.0.10.2/31,tcp:80,10.0.0.0
10.0.10.64/26,tcp:80,10.0.0.0
10.0.10.32/27,tcp:80,10.0.0.0
10.0.10.4/30,tcp:80,10.0.0.0
10.0.10.1,tcp:80,10.0.0.0
# ipset list test-npn
# ipset test test-npn 10.0.10.126,tcp:80,10.0.0.2
10.0.10.126,tcp:80,10.0.0.2 is NOT in set test-npn.
# ipset test test-npn 10.0.10.126,tcp:80,10.0.0.0
10.0.10.126,tcp:80,10.0.0.0 is in set test-npn.
# ipset create test-npn hash:net,port,net
# ipset add test-npn 10.0.10.0/24,tcp:80-81,10.0.0.0/8
# ipset list test-npn
Name: test-npn
Type: hash:net,port,net
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 17024
References: 0
Members:
10.0.10.0,tcp:80,10.0.0.0
10.0.10.0,tcp:81,10.0.0.0
# ipset test test-npn 10.0.10.126,tcp:80,10.0.0.0
10.0.10.126,tcp:80,10.0.0.0 is NOT in set test-npn.
# ipset test test-npn 10.0.10.0,tcp:80,10.0.0.0
10.0.10.0,tcp:80,10.0.0.0 is in set test-npn.
Correctly setup from..to variables where no IPSET_ATTR_IP_TO{,2}
attribute is given, so in range processing loop we construct proper
cidr value. Check whenever we have no ranges and can short cut in
hash:net,net properly. Use unlikely() where appropriate, to comply
with other modules.
Markmask is an u32, hence it can't be greater then 4294967295 ( i.e.
0xffffffff ). This was causing smatch warning:
net/netfilter/ipset/ip_set_hash_gen.h:1084 hash_ipmark_create() warn:
impossible condition '(markmask > 4294967295) => (0-u32max > u32max)'
ipset: Pass IPSET_BIN to test scripts to change binary location
In the "as-installed" package testing situation, the test scripts should
invokes the system installed "ipset" binary.
Therefore, the IPSET_BIN could be passed to change the binary location.
IPSET_BIN=/sbin/ipset ./runtest.sh
The test scripts run fine in build source tree without IPSET_BIN.
Using PRIx32 macro is portable across multiple architectures and
also fix the printf format warning on any architectures that
"%llx" is not refer to 32 bits size.
The next patch will introduce a nfnl_dereference() macro that actually
checks that the appropriate mutex is held and therefore needs a
subsystem argument.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Patch "add hash:ip,mark data type to ipset" broke the API and
library release versioning with not incrementing "current",
just "age", which is fixed here. Reported by Mathieu Bridon.
Josh Hunt [Sat, 1 Mar 2014 03:14:57 +0000 (22:14 -0500)]
ipset: add forceadd kernel support for hash set types
Adds a new property for hash set types, where if a set is created
with the 'forceadd' option and the set becomes full the next addition
to the set may succeed and evict a random entry from the set.
To keep overhead low eviction is done very simply. It checks to see
which bucket the new entry would be added. If the bucket's pos value
is non-zero (meaning there's at least one entry in the bucket) it
replaces the first entry in the bucket. If pos is zero, then it continues
down the normal add process.
This property is useful if you have a set for 'ban' lists where it may
not matter if you release some entries from the set early.
Ilia Mirkin [Sun, 16 Feb 2014 10:18:52 +0000 (11:18 +0100)]
netfilter: ipset: move registration message to init from net_init
Commit 1785e8f473 ("netfiler: ipset: Add net namespace for ipset") moved
the initialization print into net_init, which can get called a lot due
to namespaces. Move it back into init, reduce to pr_info.
Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Florian Westphal [Thu, 13 Feb 2014 11:40:59 +0000 (12:40 +0100)]
kernel: uapi: fix MARKMASK attr ABI breakage
commit 2dfb973c0dcc6d2211 (add markmask for hash:ip,mark data type)
inserted IPSET_ATTR_MARKMASK in-between other enum values, i.e.
changing values of all further attributes. This causes 'ipset list'
segfault on existing kernels since ipset no longer finds
IPSET_ATTR_MEMSIZE (it has a different value on kernel side).
Jozsef points out it should be moved below IPSET_ATTR_MARK which
works since there is some extra reserved space after that value.
Florian Westphal [Wed, 12 Feb 2014 09:27:19 +0000 (10:27 +0100)]
lib: fix ifname 'physdev:' prefix parsing
hash:net,iface supports matching on the bridge port as well,
but userspace currently doesn't handle it correctly as it passes
in 'physdev:eth0' instead of 'eth0'+IPSET_OPT_PHYSDEV.
Vytas Dauksa [Tue, 17 Dec 2013 14:01:43 +0000 (14:01 +0000)]
add hash:ip,mark data type to ipset
Introduce packet mark support with new ip,mark hash set. This includes
userspace and kernelspace code, hash:ip,mark set tests and man page
updates.
The intended use of ip,mark set is similar to the ip:port type, but for
protocols which don't use a predictable port number. Instead of port
number it matches a firewall mark determined by a layer 7 filtering
program like opendpi.
As well as allowing or blocking traffic it will also be used for
accounting packets and bytes sent for each protocol.
net/netfilter/ipset/ip_set_hash_netnet.c:115:8-9: WARNING: return of 0/1 in function 'hash_netnet4_data_list' with return type bool
/c/kernel-tests/src/cocci/net/netfilter/ipset/ip_set_hash_netnet.c:338:8-9: WARNING: return of 0/1 in function 'hash_netnet6_data_list' with return type bool
Return statements in functions returning bool should use
true/false instead of 1/0.
Generated by: coccinelle/misc/boolreturn.cocci
David Binderman [Tue, 3 Dec 2013 16:11:23 +0000 (17:11 +0100)]
Typo in ip_set_hash_netnet.c fixed
I just ran the static analyser "cppcheck" over the source
code of linux-3.13-rc1. It said
[linux-3.13-rc1/net/netfilter/ipset/ip_set_hash_netnet.c:62] ->
[linux-3.13-rc1/net/net
filter/ipset/ip_set_hash_netnet.c:62]: (style)
Same expression on both sides of '=='.
Sergey Popovich [Tue, 12 Nov 2013 10:30:56 +0000 (12:30 +0200)]
Fix all set output from list/save when set with counters in use.
Using upstream version with counters support we have following
output when listing all sets currently configured:
--------------------------------------------------
Set test-3 created without counters, but displayed as with counters
present.
Restricting output to list only test-3 set we have:
---------------------------------------------------
# ipset list test-3
Name: test-3
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16520
References: 0
Members:
192.0.2.1
So test-3 set created correctly without counters support, but in
all sets listing it displayed as such one with counters.
It seems with commit 5a6021823aa0da24b83f8d03f46ad4202f149fa3
(Support counters in the ipset library) we fogot to add counter
options flags to IPSET_CREATE_FLAGS and IPSET_ADT_FLAGS defines to
clear these flags when preparing output in callback_list() from
lib/session.c.
v2: Remove IPSET_OPT_BYTES, IPSET_PAKETS from CREATE and
IPSET_OPT_COUNTERS from ADT.
Sergey Popovich [Thu, 7 Nov 2013 10:56:45 +0000 (12:56 +0200)]
ipset: Follow manual page behavior for SET target on list:set
ipset(8) for list:set says:
The match will try to find a matching entry in the sets and the
target will try to add an entry to the first set to which it can
be added.
However real behavior is bit differ from described. Consider example:
# iptables -A INPUT -p tcp --destination-port 25 -j SET --add-set test-1 src
# ip6tables -A INPUT -p tcp --destination-port 25 -j SET --add-set test-1 src
And then when iptables/ip6tables rule matches packet IPSET target
tries to add src from packet to the list:set test-1 where first
entry is test-1-v4 and the second one is test-1-v6.
For IPv4, as it first entry in test-1 src added to test-1-v4
correctly, but for IPv6 src not added!
Placing test-1-v6 to the first element of list:set makes behavior
correct for IPv6, but brokes for IPv4.
This is due to result, returned from ip_set_add() and ip_set_del() from
net/netfilter/ipset/ip_set_core.c when set in list:set equires more
parameters than given or address families do not match (which is this
case).
It seems wrong returning 0 from ip_set_add() and ip_set_del() in
this case, as 0 should be returned only when an element successfuly
added/deleted to/from the set, contrary to ip_set_test() which
returns 0 when no entry exists and >0 when entry found in set.
projects / ipset / log