linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Eric Westbrook <eric@westbrook.io>,
	Eric Westbrook <linux@westbrook.io>,
	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Sasha Levin <sashal@kernel.org>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.18 06/59] netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
Date: Wed, 14 Nov 2018 17:22:38 -0500	[thread overview]
Message-ID: <20181114222335.99339-6-sashal@kernel.org> (raw)
In-Reply-To: <20181114222335.99339-1-sashal@kernel.org>

From: Eric Westbrook <eric@westbrook.io>

[ Upstream commit 886503f34d63e681662057448819edb5b1057a97 ]

Allow /0 as advertised for hash:net,port,net sets.

For "hash:net,port,net", ipset(8) says that "either subnet
is permitted to be a /0 should you wish to match port
between all destinations."

Make that statement true.

Before:

    # ipset create cidrzero hash:net,port,net
    # ipset add cidrzero 0.0.0.0/0,12345,0.0.0.0/0
    ipset v6.34: The value of the CIDR parameter of the IP address is invalid

    # ipset create cidrzero6 hash:net,port,net family inet6
    # ipset add cidrzero6 ::/0,12345,::/0
    ipset v6.34: The value of the CIDR parameter of the IP address is invalid

After:

    # ipset create cidrzero hash:net,port,net
    # ipset add cidrzero 0.0.0.0/0,12345,0.0.0.0/0
    # ipset test cidrzero 192.168.205.129,12345,172.16.205.129
    192.168.205.129,tcp:12345,172.16.205.129 is in set cidrzero.

    # ipset create cidrzero6 hash:net,port,net family inet6
    # ipset add cidrzero6 ::/0,12345,::/0
    # ipset test cidrzero6 fe80::1,12345,ff00::1
    fe80::1,tcp:12345,ff00::1 is in set cidrzero6.

See also:

  https://bugzilla.kernel.org/show_bug.cgi?id=200897
  https://github.com/ewestbrook/linux/commit/df7ff6efb0934ab6acc11f003ff1a7580d6c1d9c

Signed-off-by: Eric Westbrook <linux@westbrook.io>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipset/ip_set_hash_netportnet.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index d391485a6acd..613e18e720a4 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -213,13 +213,13 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
 
 	if (tb[IPSET_ATTR_CIDR]) {
 		e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
-		if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
+		if (e.cidr[0] > HOST_MASK)
 			return -IPSET_ERR_INVALID_CIDR;
 	}
 
 	if (tb[IPSET_ATTR_CIDR2]) {
 		e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
-		if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
+		if (e.cidr[1] > HOST_MASK)
 			return -IPSET_ERR_INVALID_CIDR;
 	}
 
@@ -493,13 +493,13 @@ hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
 
 	if (tb[IPSET_ATTR_CIDR]) {
 		e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
-		if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
+		if (e.cidr[0] > HOST_MASK)
 			return -IPSET_ERR_INVALID_CIDR;
 	}
 
 	if (tb[IPSET_ATTR_CIDR2]) {
 		e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
-		if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
+		if (e.cidr[1] > HOST_MASK)
 			return -IPSET_ERR_INVALID_CIDR;
 	}
 
-- 
2.17.1


  parent reply	other threads:[~2018-11-14 22:23 UTC|newest]

Thread overview: 61+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-14 22:22 [PATCH AUTOSEL 4.18 01/59] s390/vdso: add missing FORCE to build targets Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 02/59] HID: i2c-hid: Add a small delay after sleep command for Raydium touchpanel Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 03/59] Revert "HID: add NOGET quirk for Eaton Ellipse MAX UPS" Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 04/59] HID: alps: allow incoming reports when only the trackstick is opened Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 05/59] netfilter: ipset: list:set: Decrease refcount synchronously on deletion and replace Sasha Levin
2018-11-14 22:22 ` Sasha Levin [this message]
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 07/59] netfilter: ipset: fix ip_set_list allocation failure Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 08/59] s390/mm: fix mis-accounting of pgtable_bytes Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 09/59] s390/mm: Fix ERROR: "__node_distance" undefined! Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 10/59] bpf: fix bpf_prog_get_info_by_fd to return 0 func_lens for unpriv Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 11/59] usbnet: smsc95xx: disable carrier check while suspending Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 12/59] net: dsa: microchip: initialize mutex before use Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 13/59] net: bcmgenet: protect stop from timeout Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 14/59] net: systemport: Protect " Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 15/59] netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment() Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 16/59] netfilter: xt_IDLETIMER: add sysfs filename checking routine Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 17/59] netfilter: ipset: Fix calling ip_set() macro at dumping Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 18/59] netfilter: nft_compat: ebtables 'nat' table is normal chain type Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 19/59] s390/qeth: fix HiperSockets sniffer Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 20/59] net: hns3: Fix for out-of-bounds access when setting pfc back pressure Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 21/59] mlxsw: spectrum: Fix IP2ME CPU policer configuration Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 22/59] hwmon: (ibmpowernv) Remove bogus __init annotations Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 23/59] net: phy: realtek: fix RTL8201F sysfs name Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 24/59] ARM: dts: fsl: Fix improperly quoted stdout-path values Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 25/59] ARM: dts: imx6sx-sdb: Fix enet phy regulator Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 26/59] Revert "drm/exynos/decon5433: implement frame counter" Sasha Levin
2018-11-14 22:22 ` [PATCH AUTOSEL 4.18 27/59] arm64: dts: renesas: r8a7795: add missing dma-names on hscif2 Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 28/59] clk: fixed-factor: fix of_node_get-put imbalance Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 29/59] mtd: nand: Fix nanddev_pos_next_page() kernel-doc header Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 30/59] lib/raid6: Fix arm64 test build Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 31/59] drm/amd/display: Stop leaking planes Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 32/59] block: Clear kernel memory before copying to user Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 33/59] drm/amd/amdgpu/dm: Fix dm_dp_create_fake_mst_encoder() Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 34/59] s390/perf: Change CPUM_CF return code in event init function Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 35/59] ceph: quota: fix null pointer dereference in quota check Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 36/59] clk: meson-gxbb: set fclk_div3 as CLK_IS_CRITICAL Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 37/59] clk: meson: axg: mark fdiv2 and fdiv3 as critical Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 38/59] nvme: make sure ns head inherits underlying device limits Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 39/59] i2c: omap: Enable for ARCH_K3 Sasha Levin
2018-11-15  4:35   ` Vignesh R
2018-11-22 19:31     ` Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 40/59] sched/core: Take the hotplug lock in sched_init_smp() Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 41/59] perf tools: Fix undefined symbol scnprintf in libperf-jvmti.so Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 42/59] perf tools: Do not zero sample_id_all for group members Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 43/59] ice: Fix dead device link issue with flow control Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 44/59] ice: Fix the bytecount sent to netdev_tx_sent_queue Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 45/59] i40e: restore NETIF_F_GSO_IPXIP[46] to netdev features Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 46/59] ibmvnic: fix accelerated VLAN handling Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 47/59] qed: Fix memory/entry leak in qed_init_sp_request() Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 48/59] qed: Fix blocking/unlimited SPQ entries leak Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 49/59] qed: Fix SPQ entries not returned to pool in error flows Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 50/59] qed: Fix potential memory corruption Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 51/59] net: stmmac: Fix RX packet size > 8191 Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 52/59] net: smsc95xx: Fix MTU range Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 53/59] ext4: missing !bh check in ext4_xattr_inode_write() Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 54/59] net: aquantia: fix potential IOMMU fault after driver unbind Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 55/59] net: aquantia: fixed enable unicast on 32 macvlan Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 56/59] net: aquantia: invalid checksumm offload implementation Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 57/59] net: qualcomm: rmnet: Fix incorrect assignment of real_dev Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 58/59] kbuild: deb-pkg: fix too low build version number Sasha Levin
2018-11-14 22:23 ` [PATCH AUTOSEL 4.18 59/59] net: dsa: mv88e6xxx: Fix clearing of stats counters Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181114222335.99339-6-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=coreteam@netfilter.org \
    --cc=eric@westbrook.io \
    --cc=kadlec@blackhole.kfki.hu \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@westbrook.io \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).