* [PATCH 0/3] ipset patches for the nf tree
@ 2019-07-29 19:33 Jozsef Kadlecsik
2019-07-29 19:33 ` [PATCH 1/3] netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too Jozsef Kadlecsik
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Jozsef Kadlecsik @ 2019-07-29 19:33 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso
Hi Pablo,
Please consider to apply the next patches to the nf tree:
- When the support of destination MAC addresses for hash:mac sets was
introduced, it was forgotten to add the same functionality to hash:ip,mac
types of sets. The patch from Stefano Brivio adds the missing part.
- When the support of destination MAC addresses for hash:mac sets was
introduced, a copy&paste error was made in the code of the hash:ip,mac
and bitmap:ip,mac types: the MAC address in these set types is in
the second position and not in the first one. Stefano Brivio's patch
fixes the issue.
- There was still a not properly handled concurrency handling issue
between renaming and listing sets at the same time, reported by
Shijie Luo.
Best regards,
Jozsef
The following changes since commit 91826ba13855f73e252fef68369b3b0e1ed25253:
netfilter: add include guard to xt_connlabel.h (2019-07-29 15:13:41 +0200)
are available in the Git repository at:
git://blackhole.kfki.hu/nf 6c1f7e2c1b96ab9b
for you to fetch changes up to 6c1f7e2c1b96ab9b09ac97c4df2bd9dc327206f6:
netfilter: ipset: Fix rename concurrency with listing (2019-07-29 21:18:07 +0200)
----------------------------------------------------------------
Jozsef Kadlecsik (1):
netfilter: ipset: Fix rename concurrency with listing
Stefano Brivio (2):
netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too
netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +-
net/netfilter/ipset/ip_set_core.c | 2 +-
net/netfilter/ipset/ip_set_hash_ipmac.c | 6 +-----
3 files changed, 3 insertions(+), 7 deletions(-)
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/3] netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too
2019-07-29 19:33 [PATCH 0/3] ipset patches for the nf tree Jozsef Kadlecsik
@ 2019-07-29 19:33 ` Jozsef Kadlecsik
2019-07-29 19:33 ` [PATCH 2/3] netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets Jozsef Kadlecsik
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Jozsef Kadlecsik @ 2019-07-29 19:33 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso
From: Stefano Brivio <sbrivio@redhat.com>
In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address
for mac and ipmac sets"), ipset.git commit 1543514c46a7, I removed the
KADT check that prevents matching on destination MAC addresses for
hash:mac sets, but forgot to remove the same check for hash:ip,mac set.
Drop this check: functionality is now commented in man pages and there's
no reason to restrict to source MAC address matching anymore.
Reported-by: Chen Yi <yiche@redhat.com>
Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---
net/netfilter/ipset/ip_set_hash_ipmac.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c
index faf59b6a998f..eb1443408320 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmac.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmac.c
@@ -89,10 +89,6 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb,
struct hash_ipmac4_elem e = { .ip = 0, { .foo[0] = 0, .foo[1] = 0 } };
struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
- /* MAC can be src only */
- if (!(opt->flags & IPSET_DIM_TWO_SRC))
- return 0;
-
if (skb_mac_header(skb) < skb->head ||
(skb_mac_header(skb) + ETH_HLEN) > skb->data)
return -EINVAL;
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/3] netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets
2019-07-29 19:33 [PATCH 0/3] ipset patches for the nf tree Jozsef Kadlecsik
2019-07-29 19:33 ` [PATCH 1/3] netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too Jozsef Kadlecsik
@ 2019-07-29 19:33 ` Jozsef Kadlecsik
2019-07-29 19:33 ` [PATCH 3/3] netfilter: ipset: Fix rename concurrency with listing Jozsef Kadlecsik
2019-07-30 11:41 ` [PATCH 0/3] ipset patches for the nf tree Pablo Neira Ayuso
3 siblings, 0 replies; 5+ messages in thread
From: Jozsef Kadlecsik @ 2019-07-29 19:33 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso
From: Stefano Brivio <sbrivio@redhat.com>
In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address
for mac and ipmac sets"), ipset.git commit 1543514c46a7, I added to the
KADT functions for sets matching on MAC addreses the copy of source or
destination MAC address depending on the configured match.
This was done correctly for hash:mac, but for hash:ip,mac and
bitmap:ip,mac, copying and pasting the same code block presents an
obvious problem: in these two set types, the MAC address is the second
dimension, not the first one, and we are actually selecting the MAC
address depending on whether the first dimension (IP address) specifies
source or destination.
Fix this by checking for the IPSET_DIM_TWO_SRC flag in option flags.
This way, mixing source and destination matches for the two dimensions
of ip,mac set types works as expected. With this setup:
ip netns add A
ip link add veth1 type veth peer name veth2 netns A
ip addr add 192.0.2.1/24 dev veth1
ip -net A addr add 192.0.2.2/24 dev veth2
ip link set veth1 up
ip -net A link set veth2 up
dst=$(ip netns exec A cat /sys/class/net/veth2/address)
ip netns exec A ipset create test_bitmap bitmap:ip,mac range 192.0.0.0/16
ip netns exec A ipset add test_bitmap 192.0.2.1,${dst}
ip netns exec A iptables -A INPUT -m set ! --match-set test_bitmap src,dst -j DROP
ip netns exec A ipset create test_hash hash:ip,mac
ip netns exec A ipset add test_hash 192.0.2.1,${dst}
ip netns exec A iptables -A INPUT -m set ! --match-set test_hash src,dst -j DROP
ipset correctly matches a test packet:
# ping -c1 192.0.2.2 >/dev/null
# echo $?
0
Reported-by: Chen Yi <yiche@redhat.com>
Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +-
net/netfilter/ipset/ip_set_hash_ipmac.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index ca7ac4a25ada..1d4e63326e68 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -226,7 +226,7 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
e.id = ip_to_id(map, ip);
- if (opt->flags & IPSET_DIM_ONE_SRC)
+ if (opt->flags & IPSET_DIM_TWO_SRC)
ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
else
ether_addr_copy(e.ether, eth_hdr(skb)->h_dest);
diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c
index eb1443408320..24d8f4df4230 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmac.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmac.c
@@ -93,7 +93,7 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb,
(skb_mac_header(skb) + ETH_HLEN) > skb->data)
return -EINVAL;
- if (opt->flags & IPSET_DIM_ONE_SRC)
+ if (opt->flags & IPSET_DIM_TWO_SRC)
ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
else
ether_addr_copy(e.ether, eth_hdr(skb)->h_dest);
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 3/3] netfilter: ipset: Fix rename concurrency with listing
2019-07-29 19:33 [PATCH 0/3] ipset patches for the nf tree Jozsef Kadlecsik
2019-07-29 19:33 ` [PATCH 1/3] netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too Jozsef Kadlecsik
2019-07-29 19:33 ` [PATCH 2/3] netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets Jozsef Kadlecsik
@ 2019-07-29 19:33 ` Jozsef Kadlecsik
2019-07-30 11:41 ` [PATCH 0/3] ipset patches for the nf tree Pablo Neira Ayuso
3 siblings, 0 replies; 5+ messages in thread
From: Jozsef Kadlecsik @ 2019-07-29 19:33 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso
From: Jozsef Kadlecsik <kadlec@netfilter.org>
Shijie Luo reported that when stress-testing ipset with multiple concurrent
create, rename, flush, list, destroy commands, it can result
ipset <version>: Broken LIST kernel message: missing DATA part!
error messages and broken list results. The problem was the rename operation
was not properly handled with respect of listing. The patch fixes the issue.
Reported-by: Shijie Luo <luoshijie1@huawei.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---
net/netfilter/ipset/ip_set_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 2e151856ad99..e64d5f9a89dd 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1161,7 +1161,7 @@ static int ip_set_rename(struct net *net, struct sock *ctnl,
return -ENOENT;
write_lock_bh(&ip_set_ref_lock);
- if (set->ref != 0) {
+ if (set->ref != 0 || set->ref_netlink != 0) {
ret = -IPSET_ERR_REFERENCED;
goto out;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 0/3] ipset patches for the nf tree
2019-07-29 19:33 [PATCH 0/3] ipset patches for the nf tree Jozsef Kadlecsik
` (2 preceding siblings ...)
2019-07-29 19:33 ` [PATCH 3/3] netfilter: ipset: Fix rename concurrency with listing Jozsef Kadlecsik
@ 2019-07-30 11:41 ` Pablo Neira Ayuso
3 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2019-07-30 11:41 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter-devel
On Mon, Jul 29, 2019 at 09:33:51PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Please consider to apply the next patches to the nf tree:
>
> - When the support of destination MAC addresses for hash:mac sets was
> introduced, it was forgotten to add the same functionality to hash:ip,mac
> types of sets. The patch from Stefano Brivio adds the missing part.
> - When the support of destination MAC addresses for hash:mac sets was
> introduced, a copy&paste error was made in the code of the hash:ip,mac
> and bitmap:ip,mac types: the MAC address in these set types is in
> the second position and not in the first one. Stefano Brivio's patch
> fixes the issue.
> - There was still a not properly handled concurrency handling issue
> between renaming and listing sets at the same time, reported by
> Shijie Luo.
Pulled, thanks Jozsef.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-07-30 11:42 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-29 19:33 [PATCH 0/3] ipset patches for the nf tree Jozsef Kadlecsik
2019-07-29 19:33 ` [PATCH 1/3] netfilter: ipset: Actually allow destination MAC address for hash:ip,mac sets too Jozsef Kadlecsik
2019-07-29 19:33 ` [PATCH 2/3] netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets Jozsef Kadlecsik
2019-07-29 19:33 ` [PATCH 3/3] netfilter: ipset: Fix rename concurrency with listing Jozsef Kadlecsik
2019-07-30 11:41 ` [PATCH 0/3] ipset patches for the nf tree Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).