netfilter: ipset: hash:net,iface fixed to handle overlapping nets behind different interfaces

If overlapping networks with different interfaces was added to the set, the type did not handle it properly. Example ipset create test hash:net,iface ipset add test 192.168.0.0/16,eth0 ipset add test 192.168.0.0/24,eth1 Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned a match. In the patch the algorithm is fixed in order to correctly handle overlapping networks. Limitation: the same network cannot be stored with more than 64 different interfaces in a single set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2011-07-21 06:06:18 -0400
committer: Patrick McHardy <kaber@trash.net> 2011-07-21 06:06:18 -0400
commit: 89dc79b787d20e4b6c4077dcee1c5b1be4ab55b8 (patch)
tree: 24ebd4da0fe7e239e45cbc5a4ec599ee1abba94d /net
parent: a6a7b759ba62e62542308e091f7fc9cfac4f978e (diff)
7 files changed, 56 insertions, 20 deletions
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index fa80bb9b9c81..f2d576e6b769 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -53,7 +53,8 @@ struct hash_ip4_telem {
 static inline bool
 hash_ip4_data_equal(const struct hash_ip4_elem *ip1,
-                    const struct hash_ip4_elem *ip2)
+                    const struct hash_ip4_elem *ip2,
+                    u32 *multi)
 {
        return ip1->ip == ip2->ip;
 }
@@ -225,7 +226,8 @@ struct hash_ip6_telem {
 static inline bool
 hash_ip6_data_equal(const struct hash_ip6_elem *ip1,
-                    const struct hash_ip6_elem *ip2)
+                    const struct hash_ip6_elem *ip2,
+                    u32 *multi)
 {
        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0;
 }
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index bbf51b67b170..6ee10f5d59bd 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -60,7 +60,8 @@ struct hash_ipport4_telem {
 static inline bool
 hash_ipport4_data_equal(const struct hash_ipport4_elem *ip1,
-                        const struct hash_ipport4_elem *ip2)
+                        const struct hash_ipport4_elem *ip2,
+                        u32 *multi)
 {
        return ip1->ip == ip2->ip &&
               ip1->port == ip2->port &&
@@ -276,7 +277,8 @@ struct hash_ipport6_telem {
 static inline bool
 hash_ipport6_data_equal(const struct hash_ipport6_elem *ip1,
-                        const struct hash_ipport6_elem *ip2)
+                        const struct hash_ipport6_elem *ip2,
+                        u32 *multi)
 {
        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
               ip1->port == ip2->port &&
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index 96525f529a54..fb90e344e907 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -62,7 +62,8 @@ struct hash_ipportip4_telem {
 static inline bool
 hash_ipportip4_data_equal(const struct hash_ipportip4_elem *ip1,
-                          const struct hash_ipportip4_elem *ip2)
+                          const struct hash_ipportip4_elem *ip2,
+                          u32 *multi)
 {
        return ip1->ip == ip2->ip &&
               ip1->ip2 == ip2->ip2 &&
@@ -286,7 +287,8 @@ struct hash_ipportip6_telem {
 static inline bool
 hash_ipportip6_data_equal(const struct hash_ipportip6_elem *ip1,
-                          const struct hash_ipportip6_elem *ip2)
+                          const struct hash_ipportip6_elem *ip2,
+                          u32 *multi)
 {
        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
               ipv6_addr_cmp(&ip1->ip2.in6, &ip2->ip2.in6) == 0 &&
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index d2d6ab89f087..deb3e3dfa5fc 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -62,7 +62,8 @@ struct hash_ipportnet4_telem {
 static inline bool
 hash_ipportnet4_data_equal(const struct hash_ipportnet4_elem *ip1,
-                           const struct hash_ipportnet4_elem *ip2)
+                           const struct hash_ipportnet4_elem *ip2,
+                           u32 *multi)
 {
        return ip1->ip == ip2->ip &&
               ip1->ip2 == ip2->ip2 &&
@@ -335,7 +336,8 @@ struct hash_ipportnet6_telem {
 static inline bool
 hash_ipportnet6_data_equal(const struct hash_ipportnet6_elem *ip1,
-                           const struct hash_ipportnet6_elem *ip2)
+                           const struct hash_ipportnet6_elem *ip2,
+                           u32 *multi)
 {
        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
               ipv6_addr_cmp(&ip1->ip2.in6, &ip2->ip2.in6) == 0 &&
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 2d4b1f48e8c9..60d016541c58 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -58,7 +58,8 @@ struct hash_net4_telem {
 static inline bool
 hash_net4_data_equal(const struct hash_net4_elem *ip1,
-                    const struct hash_net4_elem *ip2)
+                     const struct hash_net4_elem *ip2,
+                     u32 *multi)
 {
        return ip1->ip == ip2->ip && ip1->cidr == ip2->cidr;
 }
@@ -249,7 +250,8 @@ struct hash_net6_telem {
 static inline bool
 hash_net6_data_equal(const struct hash_net6_elem *ip1,
-                     const struct hash_net6_elem *ip2)
+                     const struct hash_net6_elem *ip2,
+                     u32 *multi)
 {
        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
               ip1->cidr == ip2->cidr;
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 3d6c53b6211a..e13095deb50d 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -99,7 +99,7 @@ iface_test(struct rb_root *root, const char **iface)
        while (n) {
                const char *d = iface_data(n);
-                int res = ifname_compare(*iface, d);
+                long res = ifname_compare(*iface, d);
                if (res < 0)
                        n = n->rb_left;
@@ -121,7 +121,7 @@ iface_add(struct rb_root *root, const char **iface)
        while (*n) {
                char *ifname = iface_data(*n);
-                int res = ifname_compare(*iface, ifname);
+                long res = ifname_compare(*iface, ifname);
                p = *n;
                if (res < 0)
@@ -159,31 +159,42 @@ hash_netiface_same_set(const struct ip_set *a, const struct ip_set *b);
 /* The type variant functions: IPv4 */
+struct hash_netiface4_elem_hashed {
+        __be32 ip;
+        u8 physdev;
+        u8 cidr;
+        u16 padding;
+};
+#define HKEY_DATALEN    sizeof(struct hash_netiface4_elem_hashed)
 /* Member elements without timeout */
 struct hash_netiface4_elem {
        __be32 ip;
-        const char *iface;
        u8 physdev;
        u8 cidr;
        u16 padding;
+        const char *iface;
 };
 /* Member elements with timeout support */
 struct hash_netiface4_telem {
        __be32 ip;
-        const char *iface;
        u8 physdev;
        u8 cidr;
        u16 padding;
+        const char *iface;
        unsigned long timeout;
 };
 static inline bool
 hash_netiface4_data_equal(const struct hash_netiface4_elem *ip1,
-                          const struct hash_netiface4_elem *ip2)
+                          const struct hash_netiface4_elem *ip2,
+                          u32 *multi)
 {
        return ip1->ip == ip2->ip &&
               ip1->cidr == ip2->cidr &&
+               (++*multi) &&
               ip1->physdev == ip2->physdev &&
               ip1->iface == ip2->iface;
 }
@@ -257,6 +268,7 @@ nla_put_failure:
 #define IP_SET_HASH_WITH_NETS
 #define IP_SET_HASH_WITH_RBTREE
+#define IP_SET_HASH_WITH_MULTI
 #define PF              4
 #define HOST_MASK       32
@@ -424,29 +436,40 @@ hash_netiface_same_set(const struct ip_set *a, const struct ip_set *b)
 /* The type variant functions: IPv6 */
+struct hash_netiface6_elem_hashed {
+        union nf_inet_addr ip;
+        u8 physdev;
+        u8 cidr;
+        u16 padding;
+};
+#define HKEY_DATALEN    sizeof(struct hash_netiface6_elem_hashed)
 struct hash_netiface6_elem {
        union nf_inet_addr ip;
-        const char *iface;
        u8 physdev;
        u8 cidr;
        u16 padding;
+        const char *iface;
 };
 struct hash_netiface6_telem {
        union nf_inet_addr ip;
-        const char *iface;
        u8 physdev;
        u8 cidr;
        u16 padding;
+        const char *iface;
        unsigned long timeout;
 };
 static inline bool
 hash_netiface6_data_equal(const struct hash_netiface6_elem *ip1,
-                          const struct hash_netiface6_elem *ip2)
+                          const struct hash_netiface6_elem *ip2,
+                          u32 *multi)
 {
        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
               ip1->cidr == ip2->cidr &&
+               (++*multi) &&
               ip1->physdev == ip2->physdev &&
               ip1->iface == ip2->iface;
 }
@@ -681,6 +704,7 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
        h->maxelem = maxelem;
        get_random_bytes(&h->initval, sizeof(h->initval));
        h->timeout = IPSET_NO_TIMEOUT;
+        h->ahash_max = AHASH_MAX_SIZE;
        hbits = htable_bits(hashsize);
        h->table = ip_set_alloc(
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index fe203d12f56b..8f9de7207ec9 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -59,7 +59,8 @@ struct hash_netport4_telem {
 static inline bool
 hash_netport4_data_equal(const struct hash_netport4_elem *ip1,
-                         const struct hash_netport4_elem *ip2)
+                         const struct hash_netport4_elem *ip2,
+                         u32 *multi)
 {
        return ip1->ip == ip2->ip &&
               ip1->port == ip2->port &&
@@ -300,7 +301,8 @@ struct hash_netport6_telem {
 static inline bool
 hash_netport6_data_equal(const struct hash_netport6_elem *ip1,
-                         const struct hash_netport6_elem *ip2)
+                         const struct hash_netport6_elem *ip2,
+                         u32 *multi)
 {
        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
               ip1->port == ip2->port &&
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2011-07-21 06:06:18 -0400
committer	Patrick McHardy <kaber@trash.net>	2011-07-21 06:06:18 -0400
commit	89dc79b787d20e4b6c4077dcee1c5b1be4ab55b8 (patch)
tree	24ebd4da0fe7e239e45cbc5a4ec599ee1abba94d /net
parent	a6a7b759ba62e62542308e091f7fc9cfac4f978e (diff)