
netfilter: ipset: use unified from/to address masking and check the usage

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

authored by

Jozsef Kadlecsik and committed by
Patrick McHardy
e6146e86 f3dfd153

+15 -17
+6
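--- a/include/linux/netfilter/ipset/pfxlen.h
+++ b/include/linux/netfilter/ipset/pfxlen.h
@@ -35,4 +35,10 @@
 
 extern u32 ip_set_range_to_cidr(u32 from, u32 to, u8 *cidr);
 
+#define ip_set_mask_from_to(from, to, cidr) \
+do { \
+from &= ip_set_hostmask(cidr); \
+to = from | ~ip_set_hostmask(cidr); \
+} while (0)
+
 #endif /*_PFXLEN_H */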
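Review bot: The new `ip_set_mask_from_to` macro assigns to its first argument as well as its second and expands `cidr` twice, and nothing at the definition says so. A caller that passes an expression with side effects, or that expects `from` to stay untouched, gets a surprising result. A comment above the `#define` would cover it, for example `/* Aligns 'from' down to the network address in place and sets 'to' to the last address of the block; 'cidr' must already be range-checked by the caller. */`. Parenthesising the arguments in the body, `(from) &= ip_set_hostmask(cidr);` and `(to) = (from) | ~ip_set_hostmask(cidr);`, would match usual macro hygiene. The macro does no range check on `cidr` itself, so every call site has to keep its own check ahead of the call.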
+2 -4
net/netfilter/ipset/ip_set_bitmap_ip.c
··· 283 283 284 284 if (cidr > 32) 285 285 return -IPSET_ERR_INVALID_CIDR; 286 - ip &= ip_set_hostmask(cidr); 287 - ip_to = ip | ~ip_set_hostmask(cidr); 286 + ip_set_mask_from_to(ip, ip_to, cidr); 288 287 } else 289 288 ip_to = ip; 290 289 ··· 477 478 478 479 if (cidr >= 32) 479 480 return -IPSET_ERR_INVALID_CIDR; 480 - first_ip &= ip_set_hostmask(cidr); 481 - last_ip = first_ip | ~ip_set_hostmask(cidr); 481 + ip_set_mask_from_to(first_ip, last_ip, cidr); 482 482 } else 483 483 return -IPSET_ERR_PROTOCOL; 484 484
+1 -1
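--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -578,7 +578,7 @@
 
 if (cidr >= 32)
 return -IPSET_ERR_INVALID_CIDR;
-last_ip = first_ip | ~ip_set_hostmask(cidr);
+ip_set_mask_from_to(first_ip, last_ip, cidr);
 } else
 return -IPSET_ERR_PROTOCOL;
 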
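Review bot: In this section the replacement is not a pure refactor: the removed line only computed `last_ip`, while `ip_set_mask_from_to(first_ip, last_ip, cidr)` also rewrites `first_ip` to the network address. That looks like the intended unification, since the second hunk in ip_set_bitmap_ip.c already masked `first_ip`. Presumably a set created from a host address plus CIDR now starts at a different address than before; the later use of `first_ip` lies outside the hunk, so this should be confirmed. A one-line comment at the call, e.g. `/* first_ip is aligned down to the network boundary here */`, and a sentence in the commit message would make the behaviour change visible. The enclosing function starts and ends outside the hunk.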
+1 -2
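--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -177,8 +177,7 @@
 
 if (cidr > 32)
 return -IPSET_ERR_INVALID_CIDR;
-ip &= ip_set_hostmask(cidr);
-ip_to = ip | ~ip_set_hostmask(cidr);
+ip_set_mask_from_to(ip, ip_to, cidr);
 } else
 ip_to = ip;
 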
+1 -2
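--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -216,8 +216,7 @@
 
 if (cidr > 32)
 return -IPSET_ERR_INVALID_CIDR;
-ip &= ip_set_hostmask(cidr);
-ip_to = ip | ~ip_set_hostmask(cidr);
+ip_set_mask_from_to(ip, ip_to, cidr);
 } else
 ip_to = ip;
 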
+1 -2
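--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -224,8 +224,7 @@
 
 if (cidr > 32)
 return -IPSET_ERR_INVALID_CIDR;
-ip &= ip_set_hostmask(cidr);
-ip_to = ip | ~ip_set_hostmask(cidr);
+ip_set_mask_from_to(ip, ip_to, cidr);
 } else
 ip_to = ip;
 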
+2 -4
net/netfilter/ipset/ip_set_hash_ipportnet.c
··· 254 254 255 255 if (cidr > 32) 256 256 return -IPSET_ERR_INVALID_CIDR; 257 - ip &= ip_set_hostmask(cidr); 258 - ip_to = ip | ~ip_set_hostmask(cidr); 257 + ip_set_mask_from_to(ip, ip_to, cidr); 259 258 } 260 259 261 260 port_to = port = ntohs(data.port); ··· 272 273 if (ip2_from + UINT_MAX == ip2_to) 273 274 return -IPSET_ERR_HASH_RANGE; 274 275 } else { 275 - ip2_from &= ip_set_hostmask(data.cidr); 276 - ip2_to = ip2_from | ~ip_set_hostmask(data.cidr); 276 + ip_set_mask_from_to(ip2_from, ip2_to, data.cidr); 277 277 } 278 278 279 279 if (retried)
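Review bot: In the second hunk the `else` branch passes `data.cidr` to `ip_set_mask_from_to()` with no bound check visible, whereas the first hunk tests `cidr > 32` immediately before its call. If `data.cidr` can be 0 at this point, the macro produces the whole address space, which is the same range the other branch rejects with `-IPSET_ERR_HASH_RANGE`. A value above 32 would presumably read past whatever `ip_set_hostmask()` looks up. The validation may well sit earlier in the function, outside the hunk; if so, a comment at the call such as `/* data.cidr was range-checked above */` would make that dependency explicit. The same applies to the `data.cidr` call in ip_set_hash_netport.c.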
+1 -2
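--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -245,8 +245,7 @@
 if (ip + UINT_MAX == ip_to)
 return -IPSET_ERR_HASH_RANGE;
 } else {
-ip &= ip_set_hostmask(data.cidr);
-ip_to = ip | ~ip_set_hostmask(data.cidr);
+ip_set_mask_from_to(ip, ip_to, data.cidr);
 }
 
 if (retried)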