From 1532d1c64528e9ff57c304b00736e93e60130e21 Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Tue, 14 Dec 2010 17:45:49 +0100 Subject: Document which elements cannot be stored in the different hash types. And enforce from kernel side as well... --- kernel/include/linux/netfilter/ipset/ip_set_getport.h | 4 ++-- src/ipset.8 | 17 +++++++++++++---- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/kernel/include/linux/netfilter/ipset/ip_set_getport.h b/kernel/include/linux/netfilter/ipset/ip_set_getport.h index 1597fa9..8be8ecf 100644 --- a/kernel/include/linux/netfilter/ipset/ip_set_getport.h +++ b/kernel/include/linux/netfilter/ipset/ip_set_getport.h @@ -77,7 +77,7 @@ get_ip4_port(const struct sk_buff *skb, bool src, u16 *port, u8 *proto) int protocol = iph->protocol; /* See comments at tcp_match in ip_tables.c */ - if (ntohs(iph->frag_off) & IP_OFFSET) + if (protocol <= 0 || (ntohs(iph->frag_off) & IP_OFFSET)) return false; return get_port(skb, protocol, protooff, src, port, proto); @@ -91,7 +91,7 @@ get_ip6_port(const struct sk_buff *skb, bool src, u16 *port, u8 *proto) unsigned short fragoff; protocol = ipv6_find_hdr(skb, &protooff, -1, &fragoff); - if (protocol < 0 || fragoff) + if (protocol <= 0 || fragoff) return false; return get_port(skb, protocol, protooff, src, port, proto); diff --git a/src/ipset.8 b/src/ipset.8 index 91c58ce..a74f8dc 100644 --- a/src/ipset.8 +++ b/src/ipset.8 @@ -339,7 +339,8 @@ ipset add foo 80 ipset test foo 80 .SS hash:ip The \fBhash:ip\fR set type uses a hash to store IP host addresses (default) or -network addresses. +network addresses. Zero valued IP address cannot be stored in a \fBhash:ip\fR +type of set. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBnetmask\fP \fIcidr\fP ] [ \fBtimeout\fR \fIvalue\fR ] .PP @@ -388,6 +389,7 @@ ipset add foo 192.168.1.1 ipset test foo 192.168.1.2 .SS hash:net The \fBhash:net\fR set type uses a hash to store different sized IP network addresses. +Network address with zero prefix size cannot be stored in this type of sets. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP @@ -438,6 +440,8 @@ ipset add foo 10.1.0.0/16 ipset test foo 192.168.0/24 .SS hash:ip,port The \fBhash:ip,port\fR set type uses a hash to store IP address and port number pairs. +The port number is interpreted together with a protocol (default TCP) and zero +protocol number cannot be used. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP @@ -505,7 +509,9 @@ ipset add foo 192.168.1.1,ospf:0 ipset test foo 192.168.1.1,80 .SS hash:net,port The \fBhash:net,port\fR set type uses a hash to store different sized IP network -address and port pairs. +address and port pairs. The port number is interpreted together with a protocol +(default TCP) and zero protocol number cannot be used. Network +address with zero prefix size cannot be stored either. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP @@ -562,7 +568,8 @@ ipset add foo 10.1.0.0/16,80 ipset test foo 192.168.0/24,25 .SS hash:ip,port,ip The \fBhash:ip,port,ip\fR set type uses a hash to store IP address, port number -and a second IP address triples. +and a second IP address triples. The port number is interpreted together with a +protocol (default TCP) and zero protocol number cannot be used. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP @@ -606,7 +613,9 @@ ipset add foo 192.168.1.1,80,10.0.0.1 ipset test foo 192.168.1.1,udp:53,10.0.0.1 .SS hash:ip,port,net The \fBhash:ip,port,net\fR set type uses a hash to store IP address, port number -and IP network address triples. +and IP network address triples. The port number is interpreted together with a +protocol (default TCP) and zero protocol number cannot be used. Network +address with zero prefix size cannot be stored either. .PP \fICREATE\-OPTIONS\fR := [ \fBfamily\fR { \fBinet\fR | \fBinet6\fR } ] | [ \fBhashsize\fR \fIvalue\fR ] [ \fBmaxelem\fR \fIvalue\fR ] [ \fBtimeout\fR \fIvalue\fR ] .PP -- cgit v1.2.3