mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets
There doesn't seem to be any reason to restrict MAC address
matching to source MAC addresses in set types bitmap:ipmac,
hash:ipmac and hash:mac. With this patch, and this setup:
  ip netns add A
  ip link add veth1 type veth peer name veth2 netns A
  ip addr add 192.0.2.1/24 dev veth1
  ip -net A addr add 192.0.2.2/24 dev veth2
  ip link set veth1 up
  ip -net A link set veth2 up
  ip netns exec A ipset create test hash:mac
  dst=$(ip netns exec A cat /sys/class/net/veth2/address)
  ip netns exec A ipset add test ${dst}
  ip netns exec A iptables -P INPUT DROP
  ip netns exec A iptables -I INPUT -m set --match-set test dst -j ACCEPT
ipset will match packets based on destination MAC address:
  # ping -c1 192.0.2.2 >/dev/null
  # echo $?
  0
Reported-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
			
			
This commit is contained in:
		
							parent
							
								
									af510ebd89
								
							
						
					
					
						commit
						8cc4ccf583
					
				| @ -219,10 +219,6 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb, | ||||
| 	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); | ||||
| 	u32 ip; | ||||
| 
 | ||||
| 	/* MAC can be src only */ | ||||
| 	if (!(opt->flags & IPSET_DIM_TWO_SRC)) | ||||
| 		return 0; | ||||
| 
 | ||||
| 	ip = ntohl(ip4addr(skb, opt->flags & IPSET_DIM_ONE_SRC)); | ||||
| 	if (ip < map->first_ip || ip > map->last_ip) | ||||
| 		return -IPSET_ERR_BITMAP_RANGE; | ||||
| @ -233,7 +229,11 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb, | ||||
| 		return -EINVAL; | ||||
| 
 | ||||
| 	e.id = ip_to_id(map, ip); | ||||
| 	memcpy(e.ether, eth_hdr(skb)->h_source, ETH_ALEN); | ||||
| 
 | ||||
| 	if (opt->flags & IPSET_DIM_ONE_SRC) | ||||
| 		ether_addr_copy(e.ether, eth_hdr(skb)->h_source); | ||||
| 	else | ||||
| 		ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); | ||||
| 
 | ||||
| 	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); | ||||
| } | ||||
|  | ||||
| @ -103,7 +103,11 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb, | ||||
| 	    (skb_mac_header(skb) + ETH_HLEN) > skb->data) | ||||
| 		return -EINVAL; | ||||
| 
 | ||||
| 	memcpy(e.ether, eth_hdr(skb)->h_source, ETH_ALEN); | ||||
| 	if (opt->flags & IPSET_DIM_ONE_SRC) | ||||
| 		ether_addr_copy(e.ether, eth_hdr(skb)->h_source); | ||||
| 	else | ||||
| 		ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); | ||||
| 
 | ||||
| 	if (ether_addr_equal(e.ether, invalid_ether)) | ||||
| 		return -EINVAL; | ||||
| 
 | ||||
| @ -211,15 +215,15 @@ hash_ipmac6_kadt(struct ip_set *set, const struct sk_buff *skb, | ||||
| 	}; | ||||
| 	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); | ||||
| 
 | ||||
| 	 /* MAC can be src only */ | ||||
| 	if (!(opt->flags & IPSET_DIM_TWO_SRC)) | ||||
| 		return 0; | ||||
| 
 | ||||
| 	if (skb_mac_header(skb) < skb->head || | ||||
| 	    (skb_mac_header(skb) + ETH_HLEN) > skb->data) | ||||
| 		return -EINVAL; | ||||
| 
 | ||||
| 	memcpy(e.ether, eth_hdr(skb)->h_source, ETH_ALEN); | ||||
| 	if (opt->flags & IPSET_DIM_ONE_SRC) | ||||
| 		ether_addr_copy(e.ether, eth_hdr(skb)->h_source); | ||||
| 	else | ||||
| 		ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); | ||||
| 
 | ||||
| 	if (ether_addr_equal(e.ether, invalid_ether)) | ||||
| 		return -EINVAL; | ||||
| 
 | ||||
|  | ||||
| @ -81,15 +81,15 @@ hash_mac4_kadt(struct ip_set *set, const struct sk_buff *skb, | ||||
| 	struct hash_mac4_elem e = { { .foo[0] = 0, .foo[1] = 0 } }; | ||||
| 	struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); | ||||
| 
 | ||||
| 	 /* MAC can be src only */ | ||||
| 	if (!(opt->flags & IPSET_DIM_ONE_SRC)) | ||||
| 		return 0; | ||||
| 
 | ||||
| 	if (skb_mac_header(skb) < skb->head || | ||||
| 	    (skb_mac_header(skb) + ETH_HLEN) > skb->data) | ||||
| 		return -EINVAL; | ||||
| 
 | ||||
| 	if (opt->flags & IPSET_DIM_ONE_SRC) | ||||
| 		ether_addr_copy(e.ether, eth_hdr(skb)->h_source); | ||||
| 	else | ||||
| 		ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); | ||||
| 
 | ||||
| 	if (is_zero_ether_addr(e.ether)) | ||||
| 		return -EINVAL; | ||||
| 	return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags); | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user
	 Stefano Brivio
						Stefano Brivio