From patchwork Wed Jun 6 12:09:16 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jozsef Kadlecsik X-Patchwork-Id: 925813 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=blackhole.kfki.hu Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=blackhole.kfki.hu header.i=@blackhole.kfki.hu header.b="UAqI2ukm"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 4116sx2hSrzB3sg for ; Wed, 6 Jun 2018 22:09:25 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752141AbeFFMJV (ORCPT ); Wed, 6 Jun 2018 08:09:21 -0400 Received: from smtp-in.kfki.hu ([148.6.0.25]:53339 "EHLO smtp0.kfki.hu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751991AbeFFMJT (ORCPT ); Wed, 6 Jun 2018 08:09:19 -0400 Received: from localhost (localhost [127.0.0.1]) by smtp0.kfki.hu (Postfix) with ESMTP id 79FCD674015A; Wed, 6 Jun 2018 14:09:18 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= blackhole.kfki.hu; h=references:in-reply-to:x-mailer:message-id :date:date:from:from:received:received:received; s=20151130; t= 1528286956; x=1530101357; bh=HUFeYpCIwVS4fdGiVpLXSXBauqDz6XOFt1W ZnKJGsp0=; b=UAqI2ukmr37yv+HDD2ycqUu6eNWzWk2ijAoRw/2ISRgZj/ACsKi WUA9ow887B9HANSFzIv5B7xLqdnhp+plabuENmLPtvdLD8/u5VDZK0exwOakb7Lr Vb/O2AsAneD9GOmUvvGimmLKZh9PSL+mWGWS3WDvzsGn8998Eh5Lqtos= X-Virus-Scanned: Debian amavisd-new at smtp0.kfki.hu Received: from smtp0.kfki.hu ([127.0.0.1]) by localhost (smtp0.kfki.hu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP; Wed, 6 Jun 2018 14:09:16 +0200 (CEST) Received: from blackhole.kfki.hu (blackhole.szhk.kfki.hu [IPv6:2001:738:5001:1::240:2]) by smtp0.kfki.hu (Postfix) with ESMTP id 90FF567401C5; Wed, 6 Jun 2018 14:09:16 +0200 (CEST) Received: by blackhole.kfki.hu (Postfix, from userid 1000) id 7E405208C6; Wed, 6 Jun 2018 14:09:16 +0200 (CEST) From: Jozsef Kadlecsik To: netfilter-devel@vger.kernel.org Cc: Pablo Neira Ayuso Subject: [PATCH 4/4] netfilter: ipset: forbid family for hash:mac sets Date: Wed, 6 Jun 2018 14:09:16 +0200 Message-Id: <1528286956-20386-5-git-send-email-kadlec@blackhole.kfki.hu> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1528286956-20386-1-git-send-email-kadlec@blackhole.kfki.hu> References: <1528286956-20386-1-git-send-email-kadlec@blackhole.kfki.hu> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: Florent Fourcot Userspace `ipset` command forbids family option for hash:mac type: ipset create test hash:mac family inet4 ipset v6.30: Unknown argument: `family' However, this check is not done in kernel itself. When someone use external netlink applications (pyroute2 python library for example), one can create hash:mac with invalid family and inconsistant results from userspace (`ipset` command cannot read set content anymore). This patch enforce the logic in kernel, and forbids insertion of hash:mac with a family set. Since IP_SET_PROTO_UNDEF is defined only for hash:mac, this patch has no impact on other hash:* sets Signed-off-by: Florent Fourcot Signed-off-by: Victorien Molle Signed-off-by: Jozsef Kadlecsik --- net/netfilter/ipset/ip_set_hash_gen.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h index bbad940..8a33dac 100644 --- a/net/netfilter/ipset/ip_set_hash_gen.h +++ b/net/netfilter/ipset/ip_set_hash_gen.h @@ -1234,7 +1234,10 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set, pr_debug("Create set %s with family %s\n", set->name, set->family == NFPROTO_IPV4 ? "inet" : "inet6"); -#ifndef IP_SET_PROTO_UNDEF +#ifdef IP_SET_PROTO_UNDEF + if (set->family != NFPROTO_UNSPEC) + return -IPSET_ERR_INVALID_FAMILY; +#else if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6)) return -IPSET_ERR_INVALID_FAMILY; #endif