author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2011-07-21 14:06:18 +0400 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2011-07-21 14:06:18 +0400 |
commit | 89dc79b787d20e4b6c4077dcee1c5b1be4ab55b8 (patch) | |
tree | 24ebd4da0fe7e239e45cbc5a4ec599ee1abba94d /net/netfilter/ipset/ip_set_hash_netport.c | |
parent | a6a7b759ba62e62542308e091f7fc9cfac4f978e (diff) | |
download | linux-89dc79b787d20e4b6c4077dcee1c5b1be4ab55b8.tar.xz |
netfilter: ipset: hash:net,iface fixed to handle overlapping nets behind different interfaces
If overlapping networks with different interfaces were added to
the set, the type did not handle it properly. Example:
ipset create test hash:net,iface
ipset add test 192.168.0.0/16,eth0
ipset add test 192.168.0.0/24,eth1
Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned
a match.
In the patch the algorithm is fixed in order to correctly handle
overlapping networks.
Limitation: the same network cannot be stored with more than 64 different
interfaces in a single set.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/netfilter/ipset/ip_set_hash_netport.c')
-rw-r--r-- | net/netfilter/ipset/ip_set_hash_netport.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c index fe203d12f56b..8f9de7207ec9 100644 --- a/net/netfilter/ipset/ip_set_hash_netport.c +++ b/net/netfilter/ipset/ip_set_hash_netport.c @@ -59,7 +59,8 @@ struct hash_netport4_telem { static inline bool hash_netport4_data_equal(const struct hash_netport4_elem *ip1, - const struct hash_netport4_elem *ip2) + const struct hash_netport4_elem *ip2, + u32 *multi) { return ip1->ip == ip2->ip && ip1->port == ip2->port && @@ -300,7 +301,8 @@ struct hash_netport6_telem { static inline bool hash_netport6_data_equal(const struct hash_netport6_elem *ip1, - const struct hash_netport6_elem *ip2) + const struct hash_netport6_elem *ip2, + u32 *multi) { return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 && ip1->port == ip2->port && |
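Review bot: In the hunk at @@ -59,7 +59,8, the new `u32 *multi` argument of hash_netport4_data_equal() is not used by the visible return expression, which still begins with the ip and port comparisons as before. If the parameter is there only so that this type matches a comparison signature needed by hash:net,iface, say so in a short comment above the function, for example `/* multi is unused by hash:net,port */`, so a later reader does not assume the overlap handling described in the commit message applies to this set type.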
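Review bot: In the hunk at @@ -300,7 +301,8, hash_netport6_data_equal() gains a `u32 *multi` pointer with no statement of its contract: the visible lines do not show whether a caller may pass NULL or what the callee is expected to store through it. The visible part of the IPv6 comparison does not dereference it, so nothing breaks here, but a one-line description of the parameter, written once and shared with the IPv4 variant, would keep the two functions in step and tell callers what to pass.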