summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2010-12-14 17:45:49 +0100
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2010-12-14 17:45:49 +0100
commit1532d1c64528e9ff57c304b00736e93e60130e21 (patch)
tree7773a8d403bc3915aab0d445cff0edae30d7a08b
parentd5125000ff9d5af0f3b4b4c1dde9230c2438b110 (diff)
Document which elements cannot be stored in the different hash types.
And enforce from kernel side as well...
-rw-r--r--kernel/include/linux/netfilter/ipset/ip_set_getport.h4
-rw-r--r--src/ipset.817
2 files changed, 15 insertions, 6 deletions
diff --git a/kernel/include/linux/netfilter/ipset/ip_set_getport.h b/kernel/include/linux/netfilter/ipset/ip_set_getport.h
index 1597fa9..8be8ecf 100644
--- a/kernel/include/linux/netfilter/ipset/ip_set_getport.h
+++ b/kernel/include/linux/netfilter/ipset/ip_set_getport.h
@@ -77,7 +77,7 @@ get_ip4_port(const struct sk_buff *skb, bool src, u16 *port, u8 *proto)
int protocol = iph->protocol;
/* See comments at tcp_match in ip_tables.c */
- if (ntohs(iph->frag_off) & IP_OFFSET)
+ if (protocol <= 0 || (ntohs(iph->frag_off) & IP_OFFSET))
return false;
return get_port(skb, protocol, protooff, src, port, proto);
@@ -91,7 +91,7 @@ get_ip6_port(const struct sk_buff *skb, bool src, u16 *port, u8 *proto)
unsigned short fragoff;
protocol = ipv6_find_hdr(skb, &protooff, -1, &fragoff);
- if (protocol < 0 || fragoff)
+ if (protocol <= 0 || fragoff)
return false;
return get_port(skb, protocol, protooff, src, port, proto);
diff --git a/src/ipset.8 b/src/ipset.8
index 91c58ce..a74f8dc 100644
--- a/src/ipset.8
+++ b/src/ipset.8
@@ -339,7 +339,8 @@ ipset add foo 80
ipset test foo 80
.SS hash:ip
The \fBhash:ip\fR set type uses a hash to store IP host addresses (default) or
-network addresses.
+network addresses. Zero valued IP address cannot be stored in a \fBhash:ip\fR
+type of set.
.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
@@ -388,6 +389,7 @@ ipset add foo 192.168.1.1
ipset test foo 192.168.1.2
.SS hash:net
The \fBhash:net\fR set type uses a hash to store different sized IP network addresses.
+Network address with zero prefix size cannot be stored in this type of sets.
.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
@@ -438,6 +440,8 @@ ipset add foo 10.1.0.0/16
ipset test foo 192.168.0/24
.SS hash:ip,port
The \fBhash:ip,port\fR set type uses a hash to store IP address and port number pairs.
+The port number is interpreted together with a protocol (default TCP) and zero
+protocol number cannot be used.
.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
@@ -505,7 +509,9 @@ ipset add foo 192.168.1.1,ospf:0
ipset test foo 192.168.1.1,80
.SS hash:net,port
The \fBhash:net,port\fR set type uses a hash to store different sized IP network
-address and port pairs.
+address and port pairs. The port number is interpreted together with a protocol
+(default TCP) and zero protocol number cannot be used. Network
+address with zero prefix size cannot be stored either.
.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
@@ -562,7 +568,8 @@ ipset add foo 10.1.0.0/16,80
ipset test foo 192.168.0/24,25
.SS hash:ip,port,ip
The \fBhash:ip,port,ip\fR set type uses a hash to store IP address, port number
-and a second IP address triples.
+and a second IP address triples. The port number is interpreted together with a
+protocol (default TCP) and zero protocol number cannot be used.
.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP
@@ -606,7 +613,9 @@ ipset add foo 192.168.1.1,80,10.0.0.1
ipset test foo 192.168.1.1,udp:53,10.0.0.1
.SS hash:ip,port,net
The \fBhash:ip,port,net\fR set type uses a hash to store IP address, port number
-and IP network address triples.
+and IP network address triples. The port number is interpreted together with a
+protocol (default TCP) and zero protocol number cannot be used. Network
+address with zero prefix size cannot be stored either.
.PP
\fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ]
.PP