git.baikalelectronics.ru Git - kernel.git/commit

author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	Thu, 21 Jul 2011 10:06:18 +0000 (12:06 +0200)
committer	Patrick McHardy <kaber@trash.net>
	Thu, 21 Jul 2011 10:06:18 +0000 (12:06 +0200)
commit	644a1806af51df0a9e4033f3ed303805345b7d40
tree	24ebd4da0fe7e239e45cbc5a4ec599ee1abba94d	tree \| snapshot
parent	d6b089a1ca5abb46c84996e613df2a4ba851c519	commit \| diff

netfilter: ipset: hash:net,iface fixed to handle overlapping nets behind different interfaces

If overlapping networks with different interfaces was added to
the set, the type did not handle it properly. Example

    ipset create test hash:net,iface
    ipset add test 192.168.0.0/16,eth0
    ipset add test 192.168.0.0/24,eth1

Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned
a match.

In the patch the algorithm is fixed in order to correctly handle
overlapping networks.

Limitation: the same network cannot be stored with more than 64 different
interfaces in a single set.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

include/linux/netfilter/ipset/ip_set_ahash.h		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_ip.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_ipport.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_ipportip.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_ipportnet.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_net.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_netiface.c		diff \| blob \| history
net/netfilter/ipset/ip_set_hash_netport.c		diff \| blob \| history