Open Source and information security mailing list archives
Date:	Thu, 20 Jun 2013 15:09:53 +0300
From:	Sergey Popovich <popovich_sergei@...l.ru>
To:	netdev@...r.kernel.org
Subject: ipset: hash:*net* doesnt match after entry removal (both inet, inet6 families)

Hello!

Deploying ip6?tables filtering rules on one of our servers, we spotted the following
issue using Linux kernel 3.9.6 and ipset 6.19 as userland and the hash:*net* set
type:

  Deleting a previously added network prefix that is longer than any prefix already
  in the set causes future lookups on the remaining prefixes not to match (both
  using the ipset(8) test command and the ip6?tables(8) "set" match, on any
  hash:*net* set type).

Tested on the following configurations:
  1. v3.9.6, ipset 6.19 (also 6.12.1)   : reproduced
  2. v3.8.13 (EOL), ipset 6.12.1        : reproduced
  3. v3.2.46, ipset 6.12.1              : not reproducible

Both IPv4 and IPv6 are affected.

Steps to reproduce (using ipset(8) test command for simplicity):
--------------------------------------------------------------------------------
#!/bin/bash -v

##  Create ipset for inet AFI
ipset create set-v4 hash:net family inet

## Add 192.168.1.0/24 prefix to set and check
ipset add set-v4 192.168.1.0/24
ipset test set-v4 192.168.1.0
192.168.1.0 is in set set-v4.
ipset test set-v4 192.168.1.255
192.168.1.255 is in set set-v4.

## Add 172.16.1.0/25 prefix to set and check
ipset add set-v4 172.16.1.0/25
ipset test set-v4 192.168.1.0
192.168.1.0 is in set set-v4.
ipset test set-v4 192.168.1.255
192.168.1.255 is in set set-v4.
ipset test set-v4 172.16.1.0
172.16.1.0 is in set set-v4.
ipset test set-v4 172.16.1.127
172.16.1.127 is in set set-v4.

## List set-v4 contents
ipset list set-v4
Name: set-v4
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536 
Size in memory: 16824
References: 0
Members:
172.16.1.0/25
192.168.1.0/24

## Delete longer (more specific) prefix from the set
ipset del set-v4 172.16.1.0/25

## And test again remaining prefixes
ipset test set-v4 192.168.1.0
192.168.1.0 is NOT in set set-v4.
ipset test set-v4 192.168.1.255
192.168.1.255 is NOT in set set-v4.

## List set-v4 contents
ipset list set-v4
Name: set-v4
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536 
Size in memory: 16824
References: 0
Members:
192.168.1.0/24

## Destroy set-v4
ipset destroy set-v4

-- 
SP5474-RIPE
Sergey Popovich
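A consistency check for the failure mode reported above, added here as an example (not part of the report): it parses `ipset list` output, probes the first and last address of every member with `ipset test`, and reports members that no longer match. The sample list output is the report's own `set-v4` listing; the `ipset` invocations assume the tool is installed and the caller has the privileges it needs.

```python
"""Verify that every member of a hash:net ipset still matches via `ipset test`.
Added example: a regression check for the 'member listed but NOT in set' symptom."""
import ipaddress
import subprocess

# Constructed sample: the `ipset list set-v4` output shown in the report above.
SAMPLE_LIST_OUTPUT = """Name: set-v4
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16824
References: 0
Members:
192.168.1.0/24
"""

def parse_members(list_output):
    """Return (set name, member prefixes) from `ipset list` output (inet or inet6)."""
    name, members, in_members = None, [], False
    for line in list_output.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line == "Members:":
            in_members = True
        elif in_members and line:
            members.append(ipaddress.ip_network(line, strict=False))
    return name, members

def probes_for(members):
    """(prefix, first address, last address) for each member; /32 and /128 collapse to one host."""
    return [(str(n), str(n[0]), str(n[-1])) for n in members]

def ipset_test(name, addr):
    """Run `ipset test NAME ADDR`; exit status 0 means the address matched the set."""
    proc = subprocess.run(["ipset", "test", name, addr],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0

def find_mismatches(name, members, tester=ipset_test):
    """Return (prefix, address) pairs whose probe does NOT match although the prefix is a member."""
    return [(net, addr) for net, first, last in probes_for(members)
            for addr in (first, last) if not tester(name, addr)]

if __name__ == "__main__":
    listing = subprocess.check_output(["ipset", "list", "set-v4"], text=True)
    set_name, nets = parse_members(listing)
    for net, addr in find_mismatches(set_name, nets):
        print(f"{addr} (member {net}) is NOT in set {set_name}")
```

Run it after the `ipset del` step of the reproduction: on an affected kernel both probes of 192.168.1.0/24 are reported, on a healthy one the output is empty.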
