-rw-r--r--kernel/net/netfilter/ipset/ip_set_hash_gen.h12
-rwxr-xr-xtests/cidr.sh112
-rw-r--r--tests/hash:net,iface.t2
-rw-r--r--tests/hash:net,port.t2
-rw-r--r--tests/hash:net.t2
-rwxr-xr-xtests/iptables.sh2
6 files changed, 127 insertions, 5 deletions
diff --git a/kernel/net/netfilter/ipset/ip_set_hash_gen.h b/kernel/net/netfilter/ipset/ip_set_hash_gen.h
index 8244d17..2949645 100644
--- a/kernel/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/kernel/net/netfilter/ipset/ip_set_hash_gen.h
@@ -152,9 +152,13 @@ htable_bits(u32 hashsize)
DCIDR_PUT(((cidr) ? NCIDR_GET(cidr) : host_mask))
#ifdef IP_SET_HASH_WITH_NET0
+/* cidr from 0 to HOST_MASK value and c = cidr + 1 */
#define NLEN (HOST_MASK + 1)
+#define CIDR_POS(c) ((c) - 1)
#else
+/* cidr from 1 to HOST_MASK value and c = cidr + 1 */
#define NLEN HOST_MASK
+#define CIDR_POS(c) ((c) - 2)
#endif
#else
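Review bot: The two added comments say `c = cidr + 1` but never state what `c` is or what CIDR_POS() returns, and the functions changed further down pass a parameter that is itself named `cidr`. From this block alone a reader cannot tell that the macro argument is the stored, offset-by-one value and that the result is meant to be an index into `h->nets[]` within 0..NLEN-1. I would put one comment above the `#ifdef IP_SET_HASH_WITH_NET0`, such as `/* CIDR_POS(c): index into h->nets[] for the stored value c (prefix length + 1); result lies in 0..NLEN-1 */`, assuming that is the intended contract. The enclosing `#ifdef` block starts and ends outside the hunk.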
@@ -308,7 +312,7 @@ mtype_add_cidr(struct htype *h, u8 cidr, u8 n)
} else if (h->nets[i].cidr[n] < cidr) {
j = i;
} else if (h->nets[i].cidr[n] == cidr) {
- h->nets[cidr - 1].nets[n]++;
+ h->nets[CIDR_POS(cidr)].nets[n]++;
return;
}
}
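Review bot: `h->nets[CIDR_POS(cidr)]` indexes the array with no range check, and because `cidr` is a `u8` the subtraction is done in `int`, so a value below the macro's offset (0, or 1 when IP_SET_HASH_WITH_NET0 is not defined) produces a negative index and an out-of-bounds write on the `nets[n]++` line. Whether every caller guarantees the range is not visible here, so a cheap guard at the top of the function would make the invariant explicit, e.g. `if (WARN_ON_ONCE(CIDR_POS(cidr) < 0 || CIDR_POS(cidr) >= NLEN)) return;`. The same applies to the assignment in the second mtype_add_cidr hunk and to the decrement and test in mtype_del_cidr. The function body starts and ends outside this hunk.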
@@ -317,7 +321,7 @@ mtype_add_cidr(struct htype *h, u8 cidr, u8 n)
h->nets[i].cidr[n] = h->nets[i - 1].cidr[n];
}
h->nets[i].cidr[n] = cidr;
- h->nets[cidr - 1].nets[n] = 1;
+ h->nets[CIDR_POS(cidr)].nets[n] = 1;
}
static void
@@ -328,8 +332,8 @@ mtype_del_cidr(struct htype *h, u8 cidr, u8 n)
for (i = 0; i < NLEN; i++) {
if (h->nets[i].cidr[n] != cidr)
continue;
- h->nets[cidr - 1].nets[n]--;
- if (h->nets[cidr - 1].nets[n] > 0)
+ h->nets[CIDR_POS(cidr)].nets[n]--;
+ if (h->nets[CIDR_POS(cidr)].nets[n] > 0)
return;
for (j = i; j < net_end && h->nets[j].cidr[n]; j++)
h->nets[j].cidr[n] = h->nets[j + 1].cidr[n];
diff --git a/tests/cidr.sh b/tests/cidr.sh
new file mode 100755
index 0000000..b7d695a
--- /dev/null
+++ b/tests/cidr.sh
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+set -e
+
+NETS="0.0.0.0/1
+128.0.0.0/2
+192.0.0.0/3
+224.0.0.0/4
+240.0.0.0/5
+248.0.0.0/6
+252.0.0.0/7
+254.0.0.0/8
+255.0.0.0/9
+255.128.0.0/10
+255.192.0.0/11
+255.224.0.0/12
+255.240.0.0/13
+255.248.0.0/14
+255.252.0.0/15
+255.254.0.0/16
+255.255.0.0/17
+255.255.128.0/18
+255.255.192.0/19
+255.255.224.0/20
+255.255.240.0/21
+255.255.248.0/22
+255.255.252.0/23
+255.255.254.0/24
+255.255.255.0/25
+255.255.255.128/26
+255.255.255.192/27
+255.255.255.224/28
+255.255.255.240/29
+255.255.255.248/30
+255.255.255.252/31
+255.255.255.254/32"
+
+ipset="../src/ipset"
+
+case "$1" in
+net)
+ $ipset n test hash:net
+
+ while IFS= read x; do
+ $ipset add test $x
+ done <<<"$NETS"
+
+ while IFS= read x; do
+ first=`netmask -r $x | cut -d - -f 1`
+ $ipset test test $first >/dev/null 2>&1
+ last=`netmask -r $x | cut -d - -f 2 | cut -d ' ' -f 1`
+ $ipset test test $last >/dev/null 2>&1
+ done <<<"$NETS"
+
+ while IFS= read x; do
+ $ipset del test $x
+ done <<<"$NETS"
+ ;;
+net,port)
+ $ipset n test hash:net,port
+
+ n=1
+ while IFS= read x; do
+ $ipset add test $x,$n
+ n=$((n+1))
+ done <<<"$NETS"
+
+ n=1
+ while IFS= read x; do
+ first=`netmask -r $x | cut -d - -f 1`
+ $ipset test test $first,$n >/dev/null 2>&1
+ last=`netmask -r $x | cut -d - -f 2 | cut -d ' ' -f 1`
+ $ipset test test $last,$n >/dev/null 2>&1
+ n=$((n+1))
+ done <<<"$NETS"
+
+ n=1
+ while IFS= read x; do
+ $ipset del test $x,$n
+ n=$((n+1))
+ done <<<"$NETS"
+ ;;
+net,iface)
+ $ipset n test hash:net,iface
+
+ $ipset add test 0.0.0.0/0,eth0
+ n=1
+ while IFS= read x; do
+ $ipset add test $x,eth$n
+ n=$((n+1))
+ done <<<"$NETS"
+
+ $ipset test test 0.0.0.0/0,eth0
+ n=1
+ while IFS= read x; do
+ $ipset test test $x,eth$n >/dev/null 2>&1
+ n=$((n+1))
+ done <<<"$NETS"
+
+ $ipset del test 0.0.0.0/0,eth0
+ n=1
+ while IFS= read x; do
+ $ipset del test $x,eth$n
+ n=$((n+1))
+ done <<<"$NETS"
+ ;;
+*)
+ echo "Usage: $0 net|net,port|net,iface"
+ exit 1
+ ;;
+esac
+$ipset x test
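Review bot: With `set -e` any failing `add`, `test` or `del` exits the script before the final `$ipset x test`, so the set `test` stays in the kernel and the next step in the `.t` files, which creates `test` again, fails for an unrelated reason. Registering the cleanup right after the `ipset=` assignment avoids that: `trap "$ipset x test >/dev/null 2>&1" EXIT`, with the last line then dropped. The binary path is also hard-coded, whereas tests/iptables.sh uses `ipset=${IPSET_BIN:-../src/ipset}`; using the same form here keeps the suite runnable against an alternative binary. Separately, the `netmask -r $x | cut …` pipelines report only `cut`'s status, so a missing `netmask` tool shows up as a silent `ipset test` failure because its output is redirected to /dev/null.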
diff --git a/tests/hash:net,iface.t b/tests/hash:net,iface.t
index c19de2b..a847357 100644
--- a/tests/hash:net,iface.t
+++ b/tests/hash:net,iface.t
@@ -134,6 +134,8 @@
0 n=`ipset list test | grep -v Revision: | wc -l` && test $n -eq 71
# Delete test set
0 ipset destroy test
+# Check all possible CIDR values
+0 ./cidr.sh net,iface
# Create test set with timeout support
0 ipset create test hash:net,iface timeout 30
# Add a non-matching IP address entry
diff --git a/tests/hash:net,port.t b/tests/hash:net,port.t
index abe565f..d51d27f 100644
--- a/tests/hash:net,port.t
+++ b/tests/hash:net,port.t
@@ -114,6 +114,8 @@
0 ipset -T test 1.1.1.3,80
# Delete test set
0 ipset destroy test
+# Check all possible CIDR values
+0 ./cidr.sh net,port
# Timeout: Check that resizing keeps timeout values
0 ./resizet.sh -4 netport
# Nomatch: Check that resizing keeps the nomatch flag
diff --git a/tests/hash:net.t b/tests/hash:net.t
index f43e7a4..6f54c25 100644
--- a/tests/hash:net.t
+++ b/tests/hash:net.t
@@ -114,6 +114,8 @@
0 ipset destroy test
# Check CIDR book-keeping
0 ./check_cidrs.sh
+# Check all possible CIDR values
+0 ./cidr.sh net
# Timeout: Check that resizing keeps timeout values
0 ./resizet.sh -4 net
# Nomatch: Check that resizing keeps the nomatch flag
diff --git a/tests/iptables.sh b/tests/iptables.sh
index 7273066..7ea90e0 100755
--- a/tests/iptables.sh
+++ b/tests/iptables.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-set -x
+# set -x
set -e
ipset=${IPSET_BIN:-../src/ipset}