Commit 3b18d5eb authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: nft_set_rbtree: allow loose matching of closing element in interval 



Allow to find closest matching for the right side of an interval (end
flag set on) so we allow lookups in inner ranges, eg. 10-20 in 5-25.

Fixes: ba0e4d99 ("netfilter: nf_tables: get set elements via netlink")
Reported-by: default avatarPhil Sutter <phil@nwl.cc>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 9a4890bd

net/netfilter/nft_set_rbtree.c

+8 −2
Original line number Diff line number Diff line
@@ -135,9 +135,12 @@ static bool __nft_rbtree_get(const struct net *net, const struct nft_set *set, 
		d = memcmp(this, key, set->klen);

		if (d < 0) {

			parent = rcu_dereference_raw(parent->rb_left);

			if (!(flags & NFT_SET_ELEM_INTERVAL_END))

				interval = rbe;

		} else if (d > 0) {

			parent = rcu_dereference_raw(parent->rb_right);

			if (flags & NFT_SET_ELEM_INTERVAL_END)

				interval = rbe;

		} else {

			if (!nft_set_elem_active(&rbe->ext, genmask))

				parent = rcu_dereference_raw(parent->rb_left);
@@ -154,7 +157,10 @@ static bool __nft_rbtree_get(const struct net *net, const struct nft_set *set, 


	if (set->flags & NFT_SET_INTERVAL && interval != NULL &&

	    nft_set_elem_active(&interval->ext, genmask) &&

	    !nft_rbtree_interval_end(interval)) {

	    ((!nft_rbtree_interval_end(interval) &&

	      !(flags & NFT_SET_ELEM_INTERVAL_END)) ||

	     (nft_rbtree_interval_end(interval) &&

	      (flags & NFT_SET_ELEM_INTERVAL_END)))) {

		*elem = interval;

		return true;

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE