* [PATCH 0/3] netfilter: netfilter fixes for 2.6.39-rc4
From: kaber @ 2011-04-19 14:51 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
Hi Dave,
following are three netfilter fixes for 2.6.39-rc4, containing:
- a fix for the bitmap:ip,mac set type to require the src/dst parameter
to be set to src, from Jozsef
- a fix to make --del-set of the SET target work, from Jozsef
- a patch to fix the order in which sets are dumped, from Jozsef
Please pull from:
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
Thanks!
* [PATCH 1/3] netfilter: ipset: bitmap:ip,mac type requires "src" for MAC
From: kaber @ 2011-04-19 14:51 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Enforce that the second "src/dst" parameter of the set match and SET target
must be "src", because we have access to the source MAC only in the packet.
The previous behaviour, that the type required the second parameter
but actually ignored the value, was counter-intuitive and confusing.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 00a3324..a274300 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -343,6 +343,10 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
ipset_adtfn adtfn = set->variant->adt[adt];
struct ipmac data;
+ /* MAC can be src only */
+ if (!(flags & IPSET_DIM_TWO_SRC))
+ return 0;
+
data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
if (data.id < map->first_ip || data.id > map->last_ip)
return -IPSET_ERR_BITMAP_RANGE;
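Review bot: returning 0 when IPSET_DIM_TWO_SRC is not set turns a rule written with "dst" for the MAC dimension into a silent no-op at packet time (no match, no add, no delete) rather than an error, while the changelog says the intent is to reject such rules. Rejecting them once at rule insertion (the xt_set checkentry functions) or in userspace, with this kernel-side test kept as a backstop, would surface the mistake where the user can see it; in any case a one-line comment that 0 here is deliberate would help, since the next early return in this function, -IPSET_ERR_BITMAP_RANGE, is a negative error code.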
--
1.7.2.3
* [PATCH 2/3] netfilter: ipset: set match and SET target fixes
From: kaber @ 2011-04-19 14:51 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
The SET target with --del-set did not work due to wrongly using
the internal dimension of --add-set instead of --del-set.
Also, the checkentries did not release the set references when
returning an error. Bugs reported by Lennert Buytenhek.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/netfilter/xt_set.c | 18 ++++++++++++++++--
1 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 061d48c..b3babae 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -81,6 +81,7 @@ set_match_v0_checkentry(const struct xt_mtchk_param *par)
if (info->match_set.u.flags[IPSET_DIM_MAX-1] != 0) {
pr_warning("Protocol error: set match dimension "
"is over the limit!\n");
+ ip_set_nfnl_put(info->match_set.index);
return -ERANGE;
}
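Review bot: the added ip_set_nfnl_put() correctly balances the reference taken before this check on the -ERANGE path; the same release is now repeated by hand at four error exits in this file (this hunk and the v0/v1 target checkentry hunks below), so a single cleanup label per function (e.g. `goto err_put;`) would make it harder for the next error path added here to miss the put.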
@@ -135,6 +136,8 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
if (index == IPSET_INVALID_ID) {
pr_warning("Cannot find del_set index %u as target\n",
info->del_set.index);
+ if (info->add_set.index != IPSET_INVALID_ID)
+ ip_set_nfnl_put(info->add_set.index);
return -ENOENT;
}
}
@@ -142,6 +145,10 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
info->del_set.u.flags[IPSET_DIM_MAX-1] != 0) {
pr_warning("Protocol error: SET target dimension "
"is over the limit!\n");
+ if (info->add_set.index != IPSET_INVALID_ID)
+ ip_set_nfnl_put(info->add_set.index);
+ if (info->del_set.index != IPSET_INVALID_ID)
+ ip_set_nfnl_put(info->del_set.index);
return -ERANGE;
}
@@ -192,6 +199,7 @@ set_match_checkentry(const struct xt_mtchk_param *par)
if (info->match_set.dim > IPSET_DIM_MAX) {
pr_warning("Protocol error: set match dimension "
"is over the limit!\n");
+ ip_set_nfnl_put(info->match_set.index);
return -ERANGE;
}
@@ -219,7 +227,7 @@ set_target(struct sk_buff *skb, const struct xt_action_param *par)
if (info->del_set.index != IPSET_INVALID_ID)
ip_set_del(info->del_set.index,
skb, par->family,
- info->add_set.dim,
+ info->del_set.dim,
info->del_set.flags);
return XT_CONTINUE;
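Review bot: this one-token change is the functional --del-set fix: ip_set_del() was being handed add_set.dim together with del_set.flags, so the dimension count and the per-dimension flags came from two different sets. Worth stating in the changelog that nothing in this function reports the mismatch (the return value of ip_set_del() is not checked before `return XT_CONTINUE;`), which is why the bug surfaced only as "does not work" rather than as a logged failure.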
@@ -245,13 +253,19 @@ set_target_checkentry(const struct xt_tgchk_param *par)
if (index == IPSET_INVALID_ID) {
pr_warning("Cannot find del_set index %u as target\n",
info->del_set.index);
+ if (info->add_set.index != IPSET_INVALID_ID)
+ ip_set_nfnl_put(info->add_set.index);
return -ENOENT;
}
}
if (info->add_set.dim > IPSET_DIM_MAX ||
- info->del_set.flags > IPSET_DIM_MAX) {
+ info->del_set.dim > IPSET_DIM_MAX) {
pr_warning("Protocol error: SET target dimension "
"is over the limit!\n");
+ if (info->add_set.index != IPSET_INVALID_ID)
+ ip_set_nfnl_put(info->add_set.index);
+ if (info->del_set.index != IPSET_INVALID_ID)
+ ip_set_nfnl_put(info->del_set.index);
return -ERANGE;
}
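Review bot: the change from `info->del_set.flags > IPSET_DIM_MAX` to `info->del_set.dim > IPSET_DIM_MAX` is a second bug fix hidden in this hunk: del_set.dim is supplied by userspace and this comparison is the only bound check on it shown here, and previously del_set.flags was compared instead, so an out-of-range del_set.dim passed validation. That deserves its own sentence in the commit message, which currently mentions only the --del-set no-op and the leaked references.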
--
1.7.2.3
* [PATCH 3/3] netfilter: ipset: Fix the order of listing of sets
From: kaber @ 2011-04-19 14:51 UTC (permalink / raw)
To: davem; +Cc: netfilter-devel, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
A restorable saving of sets requires that list:set type sets
come last, and the code part which should have taken the ordering
into account was broken. The patch fixes the listing order.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
net/netfilter/ipset/ip_set_core.c | 18 ++++++++++--------
1 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index e88ac3c..d87e03b 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1022,8 +1022,9 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
if (cb->args[1] >= ip_set_max)
goto out;
- pr_debug("args[0]: %ld args[1]: %ld\n", cb->args[0], cb->args[1]);
max = cb->args[0] == DUMP_ONE ? cb->args[1] + 1 : ip_set_max;
+dump_last:
+ pr_debug("args[0]: %ld args[1]: %ld\n", cb->args[0], cb->args[1]);
for (; cb->args[1] < max; cb->args[1]++) {
index = (ip_set_id_t) cb->args[1];
set = ip_set_list[index];
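Review bot: the dump_last label sits after `max` is computed, so the `goto dump_last` added in a later hunk reuses the value of max from the DUMP_ALL pass. That is what the second pass needs (only DUMP_ONE narrows max; both DUMP_ALL and DUMP_LAST use ip_set_max), but it is easy to misread, so a short comment at the label saying max is intentionally kept would help. The pr_debug line moved below the label now fires once per pass, which is useful for tracing the two-pass walk.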
@@ -1038,8 +1039,8 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
* so that lists (unions of sets) are dumped last.
*/
if (cb->args[0] != DUMP_ONE &&
- !((cb->args[0] == DUMP_ALL) ^
- (set->type->features & IPSET_DUMP_LAST)))
+ ((cb->args[0] == DUMP_ALL) ==
+ !!(set->type->features & IPSET_DUMP_LAST)))
continue;
pr_debug("List set: %s\n", set->name);
if (!cb->args[2]) {
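Review bot: the old test XORed a 0/1 boolean (`cb->args[0] == DUMP_ALL`) with the raw `set->type->features & IPSET_DUMP_LAST` bit, so it only behaved as intended if IPSET_DUMP_LAST happened to equal 1; the `!!` normalisation fixes that. The intent would read more clearly with a named boolean, e.g. `bool last_type = !!(set->type->features & IPSET_DUMP_LAST);` and then skipping when the current pass and the set type disagree, instead of asking the reader to decode an `==` between two truth values.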
@@ -1083,6 +1084,12 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
goto release_refcount;
}
}
+ /* If we dump all sets, continue with dumping last ones */
+ if (cb->args[0] == DUMP_ALL) {
+ cb->args[0] = DUMP_LAST;
+ cb->args[1] = 0;
+ goto dump_last;
+ }
goto out;
nla_put_failure:
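Review bot: moving the DUMP_ALL to DUMP_LAST transition to directly after the for loop means the second pass starts only after the first has walked every index up to max without an early exit (partial dumps leave the loop via `goto release_refcount` or nla_put_failure), which is what replaces the old `cb->args[1] >= max && !cb->args[2]` test removed in the next hunk. Please spell that out in the commit message, which currently only says the ordering code "was broken" without saying how.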
@@ -1093,11 +1100,6 @@ release_refcount:
pr_debug("release set %s\n", ip_set_list[index]->name);
ip_set_put_byindex(index);
}
-
- /* If we dump all sets, continue with dumping last ones */
- if (cb->args[0] == DUMP_ALL && cb->args[1] >= max && !cb->args[2])
- cb->args[0] = DUMP_LAST;
-
out:
if (nlh) {
nlmsg_end(skb, nlh);
--
1.7.2.3
* Re: [PATCH 0/3] netfilter: netfilter fixes for 2.6.39-rc4
From: David Miller @ 2011-04-19 19:05 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel, netdev
From: kaber@trash.net
Date: Tue, 19 Apr 2011 16:51:42 +0200
> Hi Dave,
>
> following are three netfilter fixes for 2.6.39-rc4, containing:
>
> - a fix for the bitmap:ip,mac set type to require the src/dst parameter
> to be set to src, from Jozsef
>
> - a fix to make --del-set of the SET target work, from Jozsef
>
> - a patch to fix the order in which sets are dumped, from Jozsef
>
> Please pull from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git master
Pulled, thanks!