Stable Archive on lore.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Stefano Brivio <sbrivio@redhat.com>, Chen Yi <yiche@redhat.com>,
	Jozsef Kadlecsik <kadlec@netfilter.org>,
	Sasha Levin <sashal@kernel.org>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 26/68] netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets
Date: Tue, 13 Aug 2019 22:15:04 -0400
Message-ID: <20190814021548.16001-26-sashal@kernel.org>
In-Reply-To: <20190814021548.16001-1-sashal@kernel.org>

From: Stefano Brivio <sbrivio@redhat.com>

[ Upstream commit 1b4a75108d5bc153daf965d334e77e8e94534f96 ]

In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address
for mac and ipmac sets"), ipset.git commit 1543514c46a7, I added to the
KADT functions for sets matching on MAC addresses the copy of source or
destination MAC address depending on the configured match.

This was done correctly for hash:mac, but for hash:ip,mac and
bitmap:ip,mac, copying and pasting the same code block presents an
obvious problem: in these two set types, the MAC address is the second
dimension, not the first one, and we are actually selecting the MAC
address depending on whether the first dimension (IP address) specifies
source or destination.

Fix this by checking for the IPSET_DIM_TWO_SRC flag in option flags.

This way, mixing source and destination matches for the two dimensions
of ip,mac set types works as expected. With this setup:

  ip netns add A
  ip link add veth1 type veth peer name veth2 netns A
  ip addr add 192.0.2.1/24 dev veth1
  ip -net A addr add 192.0.2.2/24 dev veth2
  ip link set veth1 up
  ip -net A link set veth2 up

  dst=$(ip netns exec A cat /sys/class/net/veth2/address)

  ip netns exec A ipset create test_bitmap bitmap:ip,mac range 192.0.0.0/16
  ip netns exec A ipset add test_bitmap 192.0.2.1,${dst}
  ip netns exec A iptables -A INPUT -m set ! --match-set test_bitmap src,dst -j DROP

  ip netns exec A ipset create test_hash hash:ip,mac
  ip netns exec A ipset add test_hash 192.0.2.1,${dst}
  ip netns exec A iptables -A INPUT -m set ! --match-set test_hash src,dst -j DROP

ipset correctly matches a test packet:

  # ping -c1 192.0.2.2 >/dev/null
  # echo $?
  0

Reported-by: Chen Yi <yiche@redhat.com>
Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +-
 net/netfilter/ipset/ip_set_hash_ipmac.c   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 13ade5782847b..4f01321e793ce 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -230,7 +230,7 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
 
 	e.id = ip_to_id(map, ip);
 
-	if (opt->flags & IPSET_DIM_ONE_SRC)
+	if (opt->flags & IPSET_DIM_TWO_SRC)
 		ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
 	else
 		ether_addr_copy(e.ether, eth_hdr(skb)->h_dest);
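Review bot: The switch to IPSET_DIM_TWO_SRC at `if (opt->flags & IPSET_DIM_TWO_SRC)` tests the right dimension for bitmap:ip,mac, where the IP is dimension one and the MAC dimension two; with the old IPSET_DIM_ONE_SRC test a `src,dst` match copied h_source while the set entry held the destination MAC, so the entry could not match. Unlike the hash_ipmac4_kadt hunk in this same patch, the context shown here has no `(skb_mac_header(skb) + ETH_HLEN) > skb->data` guard before `eth_hdr(skb)` is dereferenced; worth confirming that check sits above the hunk in bitmap_ipmac_kadt, and a one-line comment naming the dimension (e.g. `/* MAC is the second dimension */`) above the `if` would stop the next copy-and-paste from reintroducing the bug.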
diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c
index 75c21c8b76514..16ec822e40447 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmac.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmac.c
@@ -99,7 +99,7 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb,
 	    (skb_mac_header(skb) + ETH_HLEN) > skb->data)
 		return -EINVAL;
 
-	if (opt->flags & IPSET_DIM_ONE_SRC)
+	if (opt->flags & IPSET_DIM_TWO_SRC)
 		ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
 	else
 		ether_addr_copy(e.ether, eth_hdr(skb)->h_dest);
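Review bot: This hunk touches only hash_ipmac4_kadt, and the diffstat shows a single changed line in ip_set_hash_ipmac.c; confirm that the IPv6 sibling in the same file (hash_ipmac6_kadt) already tests IPSET_DIM_TWO_SRC, since the Fixes: tag names ipmac sets as a whole rather than the IPv4 variant. The same four-line source/destination selection now appears in three KADT functions with a different flag in each, which is exactly how the original slip happened; a small shared helper that takes the dimension flag as a parameter (a suggestion, not an existing ipset API) would make the dimension explicit at each call site.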
-- 
2.20.1
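To make the bug mechanism in the commit message concrete, here is an added userspace model (not kernel or ipset code) of how `--match-set NAME src,dst` directions become per-dimension flags and how the buggy and fixed ip,mac KADT code pick the MAC from them; `parse_dims`, `struct eth`, `ipmac_mac_buggy` and `ipmac_mac_fixed` are hypothetical names, and the flag values mirror the ipset uapi header.

```c
/* Userspace model (added example, not kernel code) of the ipset KADT MAC
 * selection for ip,mac sets, in its buggy and fixed form.
 * Flag values mirror include/uapi/linux/netfilter/ipset/ip_set.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPSET_DIM_ONE_SRC (1u << 1)   /* first dimension matches source  */
#define IPSET_DIM_TWO_SRC (1u << 2)   /* second dimension matches source */

/* Simplified model of how iptables turns the `dir[,dir]` list of
 * --match-set into the per-dimension flags the kernel sees in opt->flags:
 * dimension N gets bit (1 << N) set when its direction is "src". */
static uint32_t parse_dims(const char *dirs)
{
	uint32_t flags = 0;
	int dim = 1;
	char buf[32];

	strncpy(buf, dirs, sizeof(buf) - 1);
	buf[sizeof(buf) - 1] = '\0';
	for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","), dim++)
		if (strcmp(tok, "src") == 0)
			flags |= 1u << dim;
	return flags;
}

/* Minimal Ethernet header view: destination MAC first, then source MAC. */
struct eth { uint8_t h_dest[6]; uint8_t h_source[6]; };

/* Before the fix: the ip,mac KADT keyed the MAC choice on the IP dimension. */
static const uint8_t *ipmac_mac_buggy(uint32_t flags, const struct eth *h)
{
	return (flags & IPSET_DIM_ONE_SRC) ? h->h_source : h->h_dest;
}

/* After the fix: the MAC is the second dimension, so test DIM_TWO_SRC. */
static const uint8_t *ipmac_mac_fixed(uint32_t flags, const struct eth *h)
{
	return (flags & IPSET_DIM_TWO_SRC) ? h->h_source : h->h_dest;
}

int main(void)
{
	/* Constructed frame: dst MAC ends in dd, src MAC ends in 55. */
	struct eth h = { {0x02, 0, 0, 0, 0, 0xdd}, {0x02, 0, 0, 0, 0, 0x55} };
	uint32_t f = parse_dims("src,dst");   /* IP from source, MAC from destination */

	printf("buggy picks %s MAC\n", ipmac_mac_buggy(f, &h) == h.h_dest ? "dst" : "src");
	printf("fixed picks %s MAC\n", ipmac_mac_fixed(f, &h) == h.h_dest ? "dst" : "src");
	return 0;
}
```

With the `src,dst` setup from the commit message the buggy path copies the source MAC, which is not the address stored in the set, while the fixed path copies the destination MAC.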

