Commit 06aa151a authored Nov 05, 2018 by Taehee Yoo Committed by Pablo Neira Ayuso Dec 18, 2018

netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set



If same destination IP address config is already existing, that config is
just used. MAC address also should be same.
However, there is no MAC address checking routine.
So that MAC address checking routine is added.

test commands:
   %iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
	   -j CLUSTERIP --new --hashmode sourceip \
	   --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1
   %iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
	   -j CLUSTERIP --new --hashmode sourceip \
	   --clustermac 01:00:5e:00:00:21 --total-nodes 2 --local-node 1

After this patch, above commands are disallowed.

Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 2a61d8b8

net/ipv4/netfilter/ipt_CLUSTERIP.c

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -509,7 +509,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
	if (IS_ERR(config))		if (IS_ERR(config))
	return PTR_ERR(config);		return PTR_ERR(config);
	}		}
	}		} else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN))
			return -EINVAL;

	ret = nf_ct_netns_get(par->net, par->family);		ret = nf_ct_netns_get(par->net, par->family);
	if (ret < 0) {		if (ret < 0) {