From 76f6727dd65d2c3c188b11100257277736e99817 Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Fri, 8 Jul 2011 11:06:40 +0200 Subject: hash:net,iface fixed to handle overlapping nets behind different interfaces If overlapping networks with different interfaces was added to the set, the type did not handle it properly. Example ipset create test hash:net,iface ipset add test 192.168.0.0/16,eth0 ipset add test 192.168.0.0/24,eth1 Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned a match. In the patch the algorithm is fixed in order to correctly handle overlapping networks. Limitation: the same network cannot be stored with more than 64 different interfaces in a single set. --- tests/hash:net,iface.t | 48 ++++++++++++++++++++++++++++++++++++++++++++ tests/hash:net,iface.t.list1 | 33 ++++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 tests/hash:net,iface.t.list1 (limited to 'tests')
diff --git a/tests/hash:net,iface.t b/tests/hash:net,iface.t
index 7c73264..ca0ddea 100644
--- a/tests/hash:net,iface.t
+++ b/tests/hash:net,iface.t
@@ -54,4 +54,52 @@
 0 diff -u -I 'Size in memory.*' .foo hash:net,iface.t.list2
 # Delete test set
 0 ipset destroy test
+# Create test set
+0 ipset new test hash:net,iface
+# Add a /16 network with eth0
+0 ipset add test 10.0.0.0/16,eth0
+# Add an overlapping /24 network with eth1
+0 ipset add test 10.0.0.0/24,eth1
+# Add an overlapping /28 network with eth2
+0 ipset add test 10.0.0.0/28,eth2
+# Check matching element: from /28, with eth2
+0 ipset test test 10.0.0.1,eth2
+# Check non-matching element: from /28, with eth1
+1 ipset test test 10.0.0.2,eth1
+# Check non-matching element: from /28, with eth0
+1 ipset test test 10.0.0.3,eth0
+# Check matching element from: /24, with eth1
+0 ipset test test 10.0.0.16,eth1
+# Check non-matching element: from /24, with eth2
+1 ipset test test 10.0.0.17,eth2
+# Check non-matching element: from /24, with eth0
+1 ipset test test 10.0.0.18,eth0
+# Check matching element: from /16, with eth0
+0 ipset test test 10.0.1.1,eth0
+# Check non-matching element: from /16, with eth1
+1 ipset test test 10.0.1.2,eth1
+# Check non-matching element: from /16, with eth2
+1 ipset test test 10.0.1.3,eth2
+# Flush test set
+0 ipset flush test
+# Add overlapping networks from /4 to /30
+0 (set -e; for x in `seq 4 30`; do ipset add test 192.0.0.0/$x,eth$x; done)
+# List test set
+0 ipset -L test 2>/dev/null > .foo0 && ./sort.sh .foo0
+# Check listing
+0 diff -u -I 'Size in memory.*' .foo hash:net,iface.t.list1
+# Test matching elements in all added networks from /30 to /24
+0 (set -e; y=2; for x in `seq 24 30 | tac`; do ipset test test 192.0.0.$y,eth$x; y=$((y*2)); done)
+# Test non-matching elements in all added networks from /30 to /24
+0 (y=2; for x in `seq 24 30 | tac`; do z=$((x-1)); ipset test test 192.0.0.$y,eth$z; ret=$?; test $ret -eq 0 && exit 1; y=$((y*2)); done)
+# Delete test set
+0 ipset destroy test
+# Create test set with minimal hash size
+0 ipset create test hash:net,iface hashsize 64
+# Add clashing elements
+0 (set -e; for x in `seq 0 63`; do ipset add test 10.0.0.0/16,eth$x; done)
+# Check listing
+0 n=`ipset list test | wc -l` && test $n -eq 70
+# Delete test set
+0 ipset destroy test
 # eof
diff --git a/tests/hash:net,iface.t.list1 b/tests/hash:net,iface.t.list1
new file mode 100644
index 0000000..4a298e2
--- /dev/null
+++ b/tests/hash:net,iface.t.list1
@@ -0,0 +1,33 @@
+Name: test
+Type: hash:net,iface
+Header: family inet hashsize 1024 maxelem 65536
+Size in memory: 18512
+References: 0
+Members:
+192.0.0.0/10,eth10
+192.0.0.0/11,eth11
+192.0.0.0/12,eth12
+192.0.0.0/13,eth13
+192.0.0.0/14,eth14
+192.0.0.0/15,eth15
+192.0.0.0/16,eth16
+192.0.0.0/17,eth17
+192.0.0.0/18,eth18
+192.0.0.0/19,eth19
+192.0.0.0/20,eth20
+192.0.0.0/21,eth21
+192.0.0.0/22,eth22
+192.0.0.0/23,eth23
+192.0.0.0/24,eth24
+192.0.0.0/25,eth25
+192.0.0.0/26,eth26
+192.0.0.0/27,eth27
+192.0.0.0/28,eth28
+192.0.0.0/29,eth29
+192.0.0.0/30,eth30
+192.0.0.0/4,eth4
+192.0.0.0/5,eth5
+192.0.0.0/6,eth6
+192.0.0.0/7,eth7
+192.0.0.0/8,eth8
+192.0.0.0/9,eth9
-- cgit v1.2.3
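Review bot: The "Add clashing elements" case at the end of the tests/hash:net,iface.t hunk fills the set with exactly 64 interfaces for 10.0.0.0/16 but never probes the other side of the limit stated in the commit message, so a regression that silently accepts or mishandles a 65th interface would still pass. Adding `# Check that a 65th interface for the same network is rejected` and `1 ipset add test 10.0.0.0/16,eth64` before the final destroy would pin that boundary; the expected status 1 is inferred from the stated limitation and should be confirmed against what the kernel actually returns. The same case only counts listing lines (`test $n -eq 70`, which presumably relies on six header lines), so a spot check such as `0 ipset test test 10.0.0.1,eth63` would also confirm that the stored entries still match on their own interface. Since a false match here means a packet from the wrong interface passes a set-based rule, both the boundary and the per-interface match are worth asserting explicitly.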