Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2c227f27 authored by Sergey Popovich's avatar Sergey Popovich Committed by Jozsef Kadlecsik
Browse files

netfilter: ipset: Permit CIDR equal to the host address CIDR in IPv6 



Permit userspace to supply CIDR length equal to the host address CIDR
length in netlink message. Prohibit any other CIDR length for IPv6
variant of the set.

Also return -IPSET_ERR_HASH_RANGE_UNSUPPORTED instead of generic
-IPSET_ERR_PROTOCOL in IPv6 variant of hash:ip,port,net when
IPSET_ATTR_IP_TO attribute is given.

Signed-off-by: default avatarSergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
parent 7dd37bc8

net/netfilter/ipset/ip_set_hash_ip.c

+9 −3
Original line number Diff line number Diff line
@@ -240,10 +240,16 @@ hash_ip6_uadt(struct ip_set *set, struct nlattr *tb[], 
	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);

	int ret;



	if (unlikely(!tb[IPSET_ATTR_IP] ||

		     tb[IPSET_ATTR_IP_TO] ||

		     tb[IPSET_ATTR_CIDR]))

	if (unlikely(!tb[IPSET_ATTR_IP]))

		return -IPSET_ERR_PROTOCOL;

	if (unlikely(tb[IPSET_ATTR_IP_TO]))

		return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;

	if (unlikely(tb[IPSET_ATTR_CIDR])) {

		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);



		if (cidr != HOST_MASK)

			return -IPSET_ERR_INVALID_CIDR;

	}



	if (tb[IPSET_ATTR_LINENO])

		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

net/netfilter/ipset/ip_set_hash_ipmark.c

+9 −3
Original line number Diff line number Diff line
@@ -235,10 +235,16 @@ hash_ipmark6_uadt(struct ip_set *set, struct nlattr *tb[], 
	int ret;



	if (unlikely(!tb[IPSET_ATTR_IP] ||

		     !ip_set_attr_netorder(tb, IPSET_ATTR_MARK) ||

		     tb[IPSET_ATTR_IP_TO] ||

		     tb[IPSET_ATTR_CIDR]))

		     !ip_set_attr_netorder(tb, IPSET_ATTR_MARK)))

		return -IPSET_ERR_PROTOCOL;

	if (unlikely(tb[IPSET_ATTR_IP_TO]))

		return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;

	if (unlikely(tb[IPSET_ATTR_CIDR])) {

		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);



		if (cidr != HOST_MASK)

			return -IPSET_ERR_INVALID_CIDR;

	}



	if (tb[IPSET_ATTR_LINENO])

		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

net/netfilter/ipset/ip_set_hash_ipport.c

+9 −3
Original line number Diff line number Diff line
@@ -275,10 +275,16 @@ hash_ipport6_uadt(struct ip_set *set, struct nlattr *tb[], 


	if (unlikely(!tb[IPSET_ATTR_IP] ||

		     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||

		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||

		     tb[IPSET_ATTR_IP_TO] ||

		     tb[IPSET_ATTR_CIDR]))

		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO)))

		return -IPSET_ERR_PROTOCOL;

	if (unlikely(tb[IPSET_ATTR_IP_TO]))

		return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;

	if (unlikely(tb[IPSET_ATTR_CIDR])) {

		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);



		if (cidr != HOST_MASK)

			return -IPSET_ERR_INVALID_CIDR;

	}



	if (tb[IPSET_ATTR_LINENO])

		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

net/netfilter/ipset/ip_set_hash_ipportip.c

+9 −3
Original line number Diff line number Diff line
@@ -286,10 +286,16 @@ hash_ipportip6_uadt(struct ip_set *set, struct nlattr *tb[], 


	if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||

		     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||

		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||

		     tb[IPSET_ATTR_IP_TO] ||

		     tb[IPSET_ATTR_CIDR]))

		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO)))

		return -IPSET_ERR_PROTOCOL;

	if (unlikely(tb[IPSET_ATTR_IP_TO]))

		return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;

	if (unlikely(tb[IPSET_ATTR_CIDR])) {

		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);



		if (cidr != HOST_MASK)

			return -IPSET_ERR_INVALID_CIDR;

	}



	if (tb[IPSET_ATTR_LINENO])

		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);

net/netfilter/ipset/ip_set_hash_ipportnet.c

+7 −3
Original line number Diff line number Diff line
@@ -423,12 +423,16 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[], 
	if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||

		     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||

		     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||

		     !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS) ||

		     tb[IPSET_ATTR_IP_TO] ||

		     tb[IPSET_ATTR_CIDR]))

		     !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))

		return -IPSET_ERR_PROTOCOL;

	if (unlikely(tb[IPSET_ATTR_IP_TO]))

		return -IPSET_ERR_HASH_RANGE_UNSUPPORTED;

	if (unlikely(tb[IPSET_ATTR_CIDR])) {

		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);



		if (cidr != HOST_MASK)

			return -IPSET_ERR_INVALID_CIDR;

	}



	if (tb[IPSET_ATTR_LINENO])

		*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);