git.baikalelectronics.ru Git - kernel.git/commit

author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	Thu, 21 Jul 2011 10:06:18 +0000 (12:06 +0200)
committer	Patrick McHardy <kaber@trash.net>
	Thu, 21 Jul 2011 10:06:18 +0000 (12:06 +0200)
commit	c4151fd52c9f497a9f7176a001bc12477bcaf633
tree	24ebd4da0fe7e239e45cbc5a4ec599ee1abba94d	tree \| snapshot
parent	90ade9a962040df60e28191f9b9e8614f707894d	commit \| diff

netfilter: ipset: hash:net,iface fixed to handle overlapping nets behind different interfaces

If overlapping networks with different interfaces was added to
the set, the type did not handle it properly. Example

    ipset create test hash:net,iface
    ipset add test 192.168.0.0/16,eth0
    ipset add test 192.168.0.0/24,eth1

Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned
a match.

In the patch the algorithm is fixed in order to correctly handle
overlapping networks.

Limitation: the same network cannot be stored with more than 64 different
interfaces in a single set.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

include/linux/netfilter/ipset/ip_set_ahash.h		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_ip.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_ipport.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_ipportip.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_ipportnet.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_net.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_netiface.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_netport.c		diff \| blob \| history