Commit 5b94b2be authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

Merge git://blackhole.kfki.hu/nf 



Jozsef Kadlecsik says:

====================
ipset patches for nf

- Check hook mask for unsupported hooks instead of supported ones in xt_set.
  (Serhey Popovych).

- List/save just timing out entries with "timeout 1" instead of "timeout 0":
  zero timeout value means permanent entries. When restoring the elements,
  we'd add non-timing out entries. Fixes netfilter bugzilla id #1258.

- Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SEC due to the
  negative value condition in msecs_to_jiffies(). msecs_to_jiffies()
  should be revised: if one wants to set the timeout above 2147483,
  msecs_to_jiffies() sets the value to 4294967. (Reported by Maxim Masiutin).

- Forbid family for hash:mac sets in the kernel module: ipset userspace tool
  enforces it but third party tools could create sets with this parameter.
  Such sets then cannot be listed/saved with ipset itself. (Florent Fourcot)
====================

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parents 11ff7288 cbdebe48

include/linux/netfilter/ipset/ip_set_timeout.h

+14 −6
Original line number Diff line number Diff line
@@ -23,6 +23,9 @@ 
/* Set is defined with timeout support: timeout value may be 0 */

#define IPSET_NO_TIMEOUT	UINT_MAX



/* Max timeout value, see msecs_to_jiffies() in jiffies.h */

#define IPSET_MAX_TIMEOUT	(UINT_MAX >> 1)/MSEC_PER_SEC



#define ip_set_adt_opt_timeout(opt, set)	\

((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout)
@@ -32,11 +35,10 @@ ip_set_timeout_uget(struct nlattr *tb) 
	unsigned int timeout = ip_set_get_h32(tb);



	/* Normalize to fit into jiffies */

	if (timeout > UINT_MAX/MSEC_PER_SEC)

		timeout = UINT_MAX/MSEC_PER_SEC;

	if (timeout > IPSET_MAX_TIMEOUT)

		timeout = IPSET_MAX_TIMEOUT;



	/* Userspace supplied TIMEOUT parameter: adjust crazy size */

	return timeout == IPSET_NO_TIMEOUT ? IPSET_NO_TIMEOUT - 1 : timeout;

	return timeout;

}



static inline bool
@@ -65,8 +67,14 @@ ip_set_timeout_set(unsigned long *timeout, u32 value) 
static inline u32

ip_set_timeout_get(const unsigned long *timeout)

{

	return *timeout == IPSET_ELEM_PERMANENT ? 0 :

		jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;

	u32 t;



	if (*timeout == IPSET_ELEM_PERMANENT)

		return 0;



	t = jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;

	/* Zero value in userspace means no timeout */

	return t == 0 ? 1 : t;

}



#endif	/* __KERNEL__ */

net/netfilter/ipset/ip_set_hash_gen.h

+4 −1
Original line number Diff line number Diff line
@@ -1234,7 +1234,10 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set, 
	pr_debug("Create set %s with family %s\n",

		 set->name, set->family == NFPROTO_IPV4 ? "inet" : "inet6");



#ifndef IP_SET_PROTO_UNDEF

#ifdef IP_SET_PROTO_UNDEF

	if (set->family != NFPROTO_UNSPEC)

		return -IPSET_ERR_INVALID_FAMILY;

#else

	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))

		return -IPSET_ERR_INVALID_FAMILY;

#endif

net/netfilter/xt_set.c

+5 −5
Original line number Diff line number Diff line
@@ -372,8 +372,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par) 


	/* Normalize to fit into jiffies */

	if (add_opt.ext.timeout != IPSET_NO_TIMEOUT &&

	    add_opt.ext.timeout > UINT_MAX / MSEC_PER_SEC)

		add_opt.ext.timeout = UINT_MAX / MSEC_PER_SEC;

	    add_opt.ext.timeout > IPSET_MAX_TIMEOUT)

		add_opt.ext.timeout = IPSET_MAX_TIMEOUT;

	if (info->add_set.index != IPSET_INVALID_ID)

		ip_set_add(info->add_set.index, skb, par, &add_opt);

	if (info->del_set.index != IPSET_INVALID_ID)
@@ -407,8 +407,8 @@ set_target_v3(struct sk_buff *skb, const struct xt_action_param *par) 


	/* Normalize to fit into jiffies */

	if (add_opt.ext.timeout != IPSET_NO_TIMEOUT &&

	    add_opt.ext.timeout > UINT_MAX / MSEC_PER_SEC)

		add_opt.ext.timeout = UINT_MAX / MSEC_PER_SEC;

	    add_opt.ext.timeout > IPSET_MAX_TIMEOUT)

		add_opt.ext.timeout = IPSET_MAX_TIMEOUT;

	if (info->add_set.index != IPSET_INVALID_ID)

		ip_set_add(info->add_set.index, skb, par, &add_opt);

	if (info->del_set.index != IPSET_INVALID_ID)
@@ -470,7 +470,7 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par) 
		}

		if (((info->flags & IPSET_FLAG_MAP_SKBPRIO) |

		     (info->flags & IPSET_FLAG_MAP_SKBQUEUE)) &&

		     !(par->hook_mask & (1 << NF_INET_FORWARD |

		     (par->hook_mask & ~(1 << NF_INET_FORWARD |

					 1 << NF_INET_LOCAL_OUT |

					 1 << NF_INET_POST_ROUTING))) {

			pr_info_ratelimited("mapping of prio or/and queue is allowed only from OUTPUT/FORWARD/POSTROUTING chains\n");

CRA Git | Maintained and supported by SUSTech CRA and CCSE