netfilter: ipset: hash:*net*: nomatch flag not excluded on set resize

If a resize is triggered the nomatch flag is not excluded at hashing, which leads to the element missed at lookup in the resized set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2013-04-09 04:57:20 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-04-09 15:04:16 -0400
commit: 6eb4c7e96e19fd2c38a103472048fc0e0e0a3ec3 (patch)
tree: b1a7a2ef0b8ec7771722beb75187199c04f31ebe /net
parent: 02f815cb6d3f57914228be84df9613ee5a01c2e6 (diff)
4 files changed, 76 insertions, 4 deletions
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index f2627226a087..10a30b4fc7db 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -104,6 +104,15 @@ hash_ipportnet4_data_flags(struct hash_ipportnet4_elem *dst, u32 flags)
        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
+static inline void
+hash_ipportnet4_data_reset_flags(struct hash_ipportnet4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
 static inline int
 hash_ipportnet4_data_match(const struct hash_ipportnet4_elem *elem)
 {
@@ -414,6 +423,15 @@ hash_ipportnet6_data_flags(struct hash_ipportnet6_elem *dst, u32 flags)
        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
+static inline void
+hash_ipportnet6_data_reset_flags(struct hash_ipportnet6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
 static inline int
 hash_ipportnet6_data_match(const struct hash_ipportnet6_elem *elem)
 {
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 4b677cf6bf7d..d6a59154d710 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -87,7 +87,16 @@ hash_net4_data_copy(struct hash_net4_elem *dst,
 static inline void
 hash_net4_data_flags(struct hash_net4_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
+}
+static inline void
+hash_net4_data_reset_flags(struct hash_net4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
 }
 static inline int
@@ -308,7 +317,16 @@ hash_net6_data_copy(struct hash_net6_elem *dst,
 static inline void
 hash_net6_data_flags(struct hash_net6_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
+}
+static inline void
+hash_net6_data_reset_flags(struct hash_net6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
 }
 static inline int
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 6ba985f1c96f..f2b0a3c30130 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -198,7 +198,16 @@ hash_netiface4_data_copy(struct hash_netiface4_elem *dst,
 static inline void
 hash_netiface4_data_flags(struct hash_netiface4_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
+}
+static inline void
+hash_netiface4_data_reset_flags(struct hash_netiface4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
 }
 static inline int
@@ -494,7 +503,7 @@ hash_netiface6_data_copy(struct hash_netiface6_elem *dst,
 static inline void
 hash_netiface6_data_flags(struct hash_netiface6_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
 static inline int
@@ -504,6 +513,15 @@ hash_netiface6_data_match(const struct hash_netiface6_elem *elem)
 }
 static inline void
+hash_netiface6_data_reset_flags(struct hash_netiface6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
+static inline void
 hash_netiface6_data_zero_out(struct hash_netiface6_elem *elem)
 {
        elem->elem = 0;
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index af20c0c5ced2..349deb672a2d 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -104,6 +104,15 @@ hash_netport4_data_flags(struct hash_netport4_elem *dst, u32 flags)
        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
+static inline void
+hash_netport4_data_reset_flags(struct hash_netport4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
 static inline int
 hash_netport4_data_match(const struct hash_netport4_elem *elem)
 {
@@ -375,6 +384,15 @@ hash_netport6_data_flags(struct hash_netport6_elem *dst, u32 flags)
        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
+static inline void
+hash_netport6_data_reset_flags(struct hash_netport6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
 static inline int
 hash_netport6_data_match(const struct hash_netport6_elem *elem)
 {
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2013-04-09 04:57:20 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2013-04-09 15:04:16 -0400
commit	6eb4c7e96e19fd2c38a103472048fc0e0e0a3ec3 (patch)
tree	b1a7a2ef0b8ec7771722beb75187199c04f31ebe /net
parent	02f815cb6d3f57914228be84df9613ee5a01c2e6 (diff)

diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c index f2627226a087..10a30b4fc7db 100644 --- a/net/netfilter/ipset/ip_set_hash_ipportnet.c +++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -104,6 +104,15 @@ hash_ipportnet4_data_flags(struct hash_ipportnet4_elem *dst, u32 flags)
104	dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);	104	dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
105	}	105	}
106		106
		107	static inline void
		108	hash_ipportnet4_data_reset_flags(struct hash_ipportnet4_elem dst, u32 flags)
		109	{
		110	if (dst->nomatch) {
		111	*flags = IPSET_FLAG_NOMATCH;
		112	dst->nomatch = 0;
		113	}
		114	}
		115
107	static inline int	116	static inline int
108	hash_ipportnet4_data_match(const struct hash_ipportnet4_elem *elem)	117	hash_ipportnet4_data_match(const struct hash_ipportnet4_elem *elem)
109	{	118	{
@@ -414,6 +423,15 @@ hash_ipportnet6_data_flags(struct hash_ipportnet6_elem *dst, u32 flags)
414	dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);	423	dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
415	}	424	}
416		425
		426	static inline void
		427	hash_ipportnet6_data_reset_flags(struct hash_ipportnet6_elem dst, u32 flags)
		428	{
		429	if (dst->nomatch) {
		430	*flags = IPSET_FLAG_NOMATCH;
		431	dst->nomatch = 0;
		432	}
		433	}
		434
417	static inline int	435	static inline int
418	hash_ipportnet6_data_match(const struct hash_ipportnet6_elem *elem)	436	hash_ipportnet6_data_match(const struct hash_ipportnet6_elem *elem)
419	{	437	{


diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c index 4b677cf6bf7d..d6a59154d710 100644 --- a/net/netfilter/ipset/ip_set_hash_net.c +++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -87,7 +87,16 @@ hash_net4_data_copy(struct hash_net4_elem *dst,
87	static inline void	87	static inline void
88	hash_net4_data_flags(struct hash_net4_elem *dst, u32 flags)	88	hash_net4_data_flags(struct hash_net4_elem *dst, u32 flags)
89	{	89	{
90	dst->nomatch = flags & IPSET_FLAG_NOMATCH;	90	dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
		91	}
		92
		93	static inline void
		94	hash_net4_data_reset_flags(struct hash_net4_elem dst, u32 flags)
		95	{
		96	if (dst->nomatch) {
		97	*flags = IPSET_FLAG_NOMATCH;
		98	dst->nomatch = 0;
		99	}
91	}	100	}
92		101
93	static inline int	102	static inline int
@@ -308,7 +317,16 @@ hash_net6_data_copy(struct hash_net6_elem *dst,
308	static inline void	317	static inline void
309	hash_net6_data_flags(struct hash_net6_elem *dst, u32 flags)	318	hash_net6_data_flags(struct hash_net6_elem *dst, u32 flags)
310	{	319	{
311	dst->nomatch = flags & IPSET_FLAG_NOMATCH;	320	dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
		321	}
		322
		323	static inline void
		324	hash_net6_data_reset_flags(struct hash_net6_elem dst, u32 flags)
		325	{
		326	if (dst->nomatch) {
		327	*flags = IPSET_FLAG_NOMATCH;
		328	dst->nomatch = 0;
		329	}
312	}	330	}
313		331
314	static inline int	332	static inline int


diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c index 6ba985f1c96f..f2b0a3c30130 100644 --- a/net/netfilter/ipset/ip_set_hash_netiface.c +++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -198,7 +198,16 @@ hash_netiface4_data_copy(struct hash_netiface4_elem *dst,
198	static inline void	198	static inline void
199	hash_netiface4_data_flags(struct hash_netiface4_elem *dst, u32 flags)	199	hash_netiface4_data_flags(struct hash_netiface4_elem *dst, u32 flags)
200	{	200	{
201	dst->nomatch = flags & IPSET_FLAG_NOMATCH;	201	dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
		202	}
		203
		204	static inline void
		205	hash_netiface4_data_reset_flags(struct hash_netiface4_elem dst, u32 flags)
		206	{
		207	if (dst->nomatch) {
		208	*flags = IPSET_FLAG_NOMATCH;
		209	dst->nomatch = 0;
		210	}
202	}	211	}
203		212
204	static inline int	213	static inline int
@@ -494,7 +503,7 @@ hash_netiface6_data_copy(struct hash_netiface6_elem *dst,
494	static inline void	503	static inline void
495	hash_netiface6_data_flags(struct hash_netiface6_elem *dst, u32 flags)	504	hash_netiface6_data_flags(struct hash_netiface6_elem *dst, u32 flags)
496	{	505	{
497	dst->nomatch = flags & IPSET_FLAG_NOMATCH;	506	dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
498	}	507	}
499		508
500	static inline int	509	static inline int
@@ -504,6 +513,15 @@ hash_netiface6_data_match(const struct hash_netiface6_elem *elem)
504	}	513	}
505		514
506	static inline void	515	static inline void
		516	hash_netiface6_data_reset_flags(struct hash_netiface6_elem dst, u32 flags)
		517	{
		518	if (dst->nomatch) {
		519	*flags = IPSET_FLAG_NOMATCH;
		520	dst->nomatch = 0;
		521	}
		522	}
		523
		524	static inline void
507	hash_netiface6_data_zero_out(struct hash_netiface6_elem *elem)	525	hash_netiface6_data_zero_out(struct hash_netiface6_elem *elem)
508	{	526	{
509	elem->elem = 0;	527	elem->elem = 0;


diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c index af20c0c5ced2..349deb672a2d 100644 --- a/net/netfilter/ipset/ip_set_hash_netport.c +++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -104,6 +104,15 @@ hash_netport4_data_flags(struct hash_netport4_elem *dst, u32 flags)
104	dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);	104	dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
105	}	105	}
106		106
		107	static inline void
		108	hash_netport4_data_reset_flags(struct hash_netport4_elem dst, u32 flags)
		109	{
		110	if (dst->nomatch) {
		111	*flags = IPSET_FLAG_NOMATCH;
		112	dst->nomatch = 0;
		113	}
		114	}
		115
107	static inline int	116	static inline int
108	hash_netport4_data_match(const struct hash_netport4_elem *elem)	117	hash_netport4_data_match(const struct hash_netport4_elem *elem)
109	{	118	{
@@ -375,6 +384,15 @@ hash_netport6_data_flags(struct hash_netport6_elem *dst, u32 flags)
375	dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);	384	dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
376	}	385	}
377		386
		387	static inline void
		388	hash_netport6_data_reset_flags(struct hash_netport6_elem dst, u32 flags)
		389	{
		390	if (dst->nomatch) {
		391	*flags = IPSET_FLAG_NOMATCH;
		392	dst->nomatch = 0;
		393	}
		394	}
		395
378	static inline int	396	static inline int
379	hash_netport6_data_match(const struct hash_netport6_elem *elem)	397	hash_netport6_data_match(const struct hash_netport6_elem *elem)
380	{	398	{