releases/4.19.5/netfilter-ipset-actually-allow-allowable-cidr-0-in-h.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 5361d4011cf0dc629fc991ce1366ce0dd1584919 Mon Sep 17 00:00:00 2001
 From: Eric Westbrook <eric@westbrook.io>
 Date: Tue, 28 Aug 2018 15:14:42 -0600
 Subject: netfilter: ipset: actually allow allowable CIDR 0 in
  hash:net,port,net

 [ Upstream commit 886503f34d63e681662057448819edb5b1057a97 ]

 Allow /0 as advertised for hash:net,port,net sets.

 For "hash:net,port,net", ipset(8) says that "either subnet
 is permitted to be a /0 should you wish to match port
 between all destinations."

 Make that statement true.

 Before:

     # ipset create cidrzero hash:net,port,net
     # ipset add cidrzero 0.0.0.0/0,12345,0.0.0.0/0
     ipset v6.34: The value of the CIDR parameter of the IP address is invalid

     # ipset create cidrzero6 hash:net,port,net family inet6
     # ipset add cidrzero6 ::/0,12345,::/0
     ipset v6.34: The value of the CIDR parameter of the IP address is invalid

 After:

     # ipset create cidrzero hash:net,port,net
     # ipset add cidrzero 0.0.0.0/0,12345,0.0.0.0/0
     # ipset test cidrzero 192.168.205.129,12345,172.16.205.129
     192.168.205.129,tcp:12345,172.16.205.129 is in set cidrzero.

     # ipset create cidrzero6 hash:net,port,net family inet6
     # ipset add cidrzero6 ::/0,12345,::/0
     # ipset test cidrzero6 fe80::1,12345,ff00::1
     fe80::1,tcp:12345,ff00::1 is in set cidrzero6.

 See also:

   https://bugzilla.kernel.org/show_bug.cgi?id=200897
   https://github.com/ewestbrook/linux/commit/df7ff6efb0934ab6acc11f003ff1a7580d6c1d9c

 Signed-off-by: Eric Westbrook <linux@westbrook.io>
 Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  net/netfilter/ipset/ip_set_hash_netportnet.c | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

 diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
 index d391485a6acd..613e18e720a4 100644
 --- a/net/netfilter/ipset/ip_set_hash_netportnet.c
 +++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
 @@ -213,13 +213,13 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],

  	if (tb[IPSET_ATTR_CIDR]) {
  		e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 -		if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
 +		if (e.cidr[0] > HOST_MASK)
  			return -IPSET_ERR_INVALID_CIDR;
  	}

  	if (tb[IPSET_ATTR_CIDR2]) {
  		e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
 -		if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
 +		if (e.cidr[1] > HOST_MASK)
  			return -IPSET_ERR_INVALID_CIDR;
  	}

 @@ -493,13 +493,13 @@ hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[],

  	if (tb[IPSET_ATTR_CIDR]) {
  		e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 -		if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
 +		if (e.cidr[0] > HOST_MASK)
  			return -IPSET_ERR_INVALID_CIDR;
  	}

  	if (tb[IPSET_ATTR_CIDR2]) {
  		e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
 -		if (!e.cidr[1] || e.cidr[1] > HOST_MASK)
 +		if (e.cidr[1] > HOST_MASK)
  			return -IPSET_ERR_INVALID_CIDR;
  	}

 --
 2.17.1
	From 5361d4011cf0dc629fc991ce1366ce0dd1584919 Mon Sep 17 00:00:00 2001
	From: Eric Westbrook <eric@westbrook.io>
	Date: Tue, 28 Aug 2018 15:14:42 -0600
	Subject: netfilter: ipset: actually allow allowable CIDR 0 in
	hash:net,port,net

	[ Upstream commit 886503f34d63e681662057448819edb5b1057a97 ]

	Allow /0 as advertised for hash:net,port,net sets.

	For "hash:net,port,net", ipset(8) says that "either subnet
	is permitted to be a /0 should you wish to match port
	between all destinations."

	Make that statement true.

	Before:

	# ipset create cidrzero hash:net,port,net
	# ipset add cidrzero 0.0.0.0/0,12345,0.0.0.0/0
	ipset v6.34: The value of the CIDR parameter of the IP address is invalid

	# ipset create cidrzero6 hash:net,port,net family inet6
	# ipset add cidrzero6 ::/0,12345,::/0
	ipset v6.34: The value of the CIDR parameter of the IP address is invalid

	After:

	# ipset create cidrzero hash:net,port,net
	# ipset add cidrzero 0.0.0.0/0,12345,0.0.0.0/0
	# ipset test cidrzero 192.168.205.129,12345,172.16.205.129
	192.168.205.129,tcp:12345,172.16.205.129 is in set cidrzero.

	# ipset create cidrzero6 hash:net,port,net family inet6
	# ipset add cidrzero6 ::/0,12345,::/0
	# ipset test cidrzero6 fe80::1,12345,ff00::1
	fe80::1,tcp:12345,ff00::1 is in set cidrzero6.

	See also:

	https://bugzilla.kernel.org/show_bug.cgi?id=200897
	https://github.com/ewestbrook/linux/commit/df7ff6efb0934ab6acc11f003ff1a7580d6c1d9c

	Signed-off-by: Eric Westbrook <linux@westbrook.io>
	Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	net/netfilter/ipset/ip_set_hash_netportnet.c \| 8 ++++----
	1 file changed, 4 insertions(+), 4 deletions(-)

	diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
	index d391485a6acd..613e18e720a4 100644
	--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
	+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
	@@ -213,13 +213,13 @@ hash_netportnet4_uadt(struct ip_set set, struct nlattr tb[],

	if (tb[IPSET_ATTR_CIDR]) {
	e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
	- if (!e.cidr[0] \|\| e.cidr[0] > HOST_MASK)
	+ if (e.cidr[0] > HOST_MASK)
	return -IPSET_ERR_INVALID_CIDR;
	}

	if (tb[IPSET_ATTR_CIDR2]) {
	e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
	- if (!e.cidr[1] \|\| e.cidr[1] > HOST_MASK)
	+ if (e.cidr[1] > HOST_MASK)
	return -IPSET_ERR_INVALID_CIDR;
	}

	@@ -493,13 +493,13 @@ hash_netportnet6_uadt(struct ip_set set, struct nlattr tb[],

	if (tb[IPSET_ATTR_CIDR]) {
	e.cidr[0] = nla_get_u8(tb[IPSET_ATTR_CIDR]);
	- if (!e.cidr[0] \|\| e.cidr[0] > HOST_MASK)
	+ if (e.cidr[0] > HOST_MASK)
	return -IPSET_ERR_INVALID_CIDR;
	}

	if (tb[IPSET_ATTR_CIDR2]) {
	e.cidr[1] = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
	- if (!e.cidr[1] \|\| e.cidr[1] > HOST_MASK)
	+ if (e.cidr[1] > HOST_MASK)
	return -IPSET_ERR_INVALID_CIDR;
	}

	--
	2.17.1